Notes for BIND 9.15.6
Security Fixes
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
New Features
A new asynchronous network communications system based on
libuv is now used by named
for listening for incoming requests and responding to them.
This change will make it easier to improve performance and
implement new protocol layers (for example, DNS over TLS) in
the future. [GL #29]
The new dnssec-policy option allows the
configuration of a key and signing policy (KASP) for zones. This
option enables named to generate new keys
as needed and automatically roll both ZSK and KSK keys.
(Note that the syntax for this statement differs from the DNSSEC
policy used by dnssec-keymgr.) [GL #1134]
Two new keywords have been added to the
dnssec-keys statement:
initial-ds and static-ds.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
As with the initial-key and
static-key keywords, initial-ds
configures a dynamic trust anchor to be maintained via RFC 5011, and
static-ds configures a permanent trust anchor.
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
Added a new statistics variable tcp-highwater
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
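The three features above (a dnssec-policy, DS-format trust anchors in dnssec-keys, and the statistics channel through which tcp-highwater is reported) combine into one named.conf, shown here as an added example that is not part of the release notes or the BIND source. The zone name, file paths, key lifetimes, listener address and port are constructed placeholders; the root key tag, algorithm and digest type are IANA's published values, but the digest itself is left as a placeholder to be copied from IANA's root trust anchor. Check the exact grammar against the ARM for the version in use, since dnssec-policy was new in this release.

```conf
// Added example named.conf fragment (not from the BIND release notes).

options {
    directory "/var/named";               // assumed path
    key-directory "/var/named/keys";      // assumed path for KASP-generated keys
    dnssec-validation yes;
    // Aggressive NSEC caching is now off by default; opt in only after
    // measuring its cost on the recursive service.
    synth-from-dnssec no;
};

// Key and signing policy: named generates keys and rolls both ZSK and
// KSK without dnssec-keymgr. Lifetimes are ISO 8601 durations and are
// constructed for this example.
dnssec-policy "example-kasp" {
    keys {
        ksk lifetime P1Y  algorithm ecdsap256sha256;   // algorithm 13
        zsk lifetime P30D algorithm ecdsap256sha256;
    };
    dnskey-ttl 3600;
};

zone "example.net" {                      // constructed zone name
    type master;
    file "example.net.db";
    inline-signing yes;
    dnssec-policy "example-kasp";
};

// Trust anchors in DS format. initial-ds is kept current via RFC 5011;
// static-ds would make the anchor permanent. The digest is a PLACEHOLDER:
// replace it with the SHA-256 digest from IANA's published root anchor.
dnssec-keys {
    . initial-ds 20326 8 2 "<hex SHA-256 digest from IANA>";
};

// Expose statistics so tcp-highwater can be polled; keep the listener on
// loopback (or a management network) and restrict it with an ACL.
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
```

With this in place, polling the statistics channel over time shows how close the server has come to its TCP client ceiling, which is the number to watch when tuning the new pipelined-TCP limit from the security fix above.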
Feature Changes
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enabled by default
in future releases. [GL #1265]
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]