4757. [func] New "dnssec-cds" command creates a new parent DS
RRset based on CDS or CDNSKEY RRsets found in
a child zone, and generates either a dsset file
or stream of nsupdate commands to update the
parent. Thanks to Tony Finch. [RT #46090]
4751. [func] "dnssec-signzone -S" can now automatically add parent
synchronization records (CDS and CDNSKEY) according
to key metadata set using the -Psync and -Dsync
options to dnssec-keygen and dnssec-settime.
[RT #46149]
4750. [func] "rndc managed-keys destroy" shuts down RFC 5011 key
maintenance and deletes the managed-keys database.
If followed by "rndc reconfig" or a server restart,
key maintenance is reinitialized from scratch.
This is primarily intended for testing. [RT #32456]
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4724. [func] By default, BIND now uses the random number
functions provided by the crypto library (i.e.,
OpenSSL or a PKCS#11 provider) as a source of
randomness rather than /dev/random. This is
suitable for virtual machine environments
which have limited entropy pools and lack
hardware random number generators.
This can be overridden by specifying another
entropy source via the "random-device" option
in named.conf, or via the -r command line option;
however, for functions requiring full cryptographic
strength, such as DNSSEC key generation, this
cannot be overridden. In particular, the -r
command line option no longer has any effect on
dnssec-keygen.
This can be disabled by building with
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
Stage 2 - synthesis of records from wildcard data.
If the dns64 or filter-aaaa* is configured then the
involved lookups are currently excluded. [RT #40138]
4726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN
from being logged on FreeBSD if the kernel does not
support it. Notify the user when the kernel does
support TCP_FASTOPEN, but it is disabled by sysctl.
Add a new configure option, --disable-tcp-fastopen, to
disable use of TCP_FASTOPEN altogether. [RT #44754]
4721. [func] 'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
options now apply to CDNSKEY and DS records as well
as DNSKEY. Thanks to Tony Finch. [RT #45689]
4713. [func] Added support for the DNS Response Policy Service
(DNSRPS) API, which allows named to use an external
response policy daemon when built with
"configure --enable-dnsrps". Thanks to Vernon
Schryver and Farsight Security. [RT #43376]
4708. [cleanup] Legacy Windows builds (i.e. for XP and earlier)
are no longer supported. [RT #45186]
4707. [func] The lightweight resolver daemon and library (lwresd
and liblwres) have been removed. [RT #45186]
4706. [func] Code implementing name server query processing has
been moved from bin/named to a new library "libns".
Functions remaining in bin/named are now prefixed
with "named_" rather than "ns_". This will make it
easier to write unit tests for name server code, or
link name server functionality into new tools.
[RT #45186]
allows named to provide stale cached answers when
the authoritative server is under attack.
See max-stale-ttl, stale-answer-enable,
stale-answer-ttl. [RT #44790]
