3535. [func] Add support for setting Differentiated Services Code
Point (DSCP) values in named. Most configuration
options which take a "port" option (e.g.,
listen-on, forwarders, also-notify, masters,
notify-source, etc) can now also take a "dscp"
option specifying a code point for use with
outgoing traffic, if supported by the underlying
OS. [RT #27596]
3528. [func] New "dnssec-coverage" command scans the timing
metadata for a set of DNSSEC keys and reports if a
lapse in signing coverage has been scheduled
inadvertently. (Note: This tool depends on python;
it will not be built or installed on systems that
do not have a python interpreter.) [RT #28098]
3525. [func] Support for additional signing algorithms in rndc:
hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
The -A option to rndc-confgen can be used to
select the algorithm for the generated key.
(The default is still hmac-md5; this may
change in a future release.) [RT #20363]
- check for NSEC3 in empty nodes when not due to optout delegations
- fixed typo in output ("Bad record NSEC record")
- incidentally fixed an error in signzone that caused an
incorrect warning about missing DNSKEYs when using -S
and -3 together
3473. [bug] dnssec-signzone/verify could incorrectly report
an error condition due to an empty node above an
opt-out delegation lacking an NSEC3. [RT #32072]
[RT #31951]
Squashed commit of the following:
commit 7369da0369e1de1fe6c5b5f84df8848b9a0984eb
Author: Mark Andrews <marka@isc.org>
Date: Fri Nov 23 17:24:04 2012 +1100
dupped/created reversed in log message
commit 0cef5faaf3ac22b00ed0f95b6bb7a146cf4cac15
Author: Mark Andrews <marka@isc.org>
Date: Fri Nov 23 13:40:14 2012 +1100
remove space from DS hash
[RT #31916]
Squashed commit of the following:
commit f47af0ca6793687b9c8d08fd44b0c091ba5a4f9a
Author: Mark Andrews <marka@isc.org>
Date: Wed Nov 21 17:45:21 2012 +1100
dns_dns_zonediff_t -> dns_zonediff_t, clarify comment
commit 344edefc3ee90856a7ff990abe7971925ba843b2
Author: Mark Andrews <marka@isc.org>
Date: Tue Nov 20 13:12:26 2012 +1100
commit the zone changes if a keep was marked as being offline
commit cad2c2446ebfc20b6d8c4f6dd0d6596d7106cc0f
Author: Mark Andrews <marka@isc.org>
Date: Tue Nov 20 13:08:29 2012 +1100
check for looping when re-signing expiring.example
3404. [bug] dnssec-signzone: When re-signing a zone, remove
RRSIG and NSEC records from nodes that used to be
in-zone but are now below a zone cut. [RT #31556]
3329. [bug] Handle RRSIG signer-name case consistently: We
generate RRSIG records with the signer-name in
lower case. We accept them with any case, but if
they fail to validate, we try again in lower case.
[RT #27451]
include the serial number of the zone from which
they were generated, if different (as in the case
of inline-signing zones). This is to be used in
inline-signing zones, to track changes between the
unsigned and signed versions of the zone, which may
have different serial numbers.
(Note: raw zonefiles generated by this version of
BIND are no longer compatble with prior versions.
To generate a backward-compatible raw zonefile
using dnssec-signzone or named-compilezone, specify
output format "raw=0" instead of simply "raw".)
[RT #26587]
- 'rndc signing -list' displays the current
state of signing operations
- 'rndc signing -clear' clears the signing state
records for keys that have fully signed the zone
- 'rndc signing -nsec3param' sets the NSEC3
parameters for the zone
The 'rndc keydone' syntax is removed. [RT #23729]
