bind9/doc/notes/notes-9.16.10.rst

.. 
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
   
   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.
   
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

Notes for BIND 9.16.10
----------------------

New Features
~~~~~~~~~~~~

- NSEC3 support was added to KASP. A new option for ``dnssec-policy``,
  ``nsec3param``, can be used to set the desired NSEC3 parameters.
  NSEC3 salt collisions are automatically prevented during resalting.
  [GL #1620]

Feature Changes
~~~~~~~~~~~~~~~

- The default value of ``max-recursion-queries`` was increased from 75
  to 100. Since the queries sent towards root and TLD servers are now
  included in the count (as a result of the fix for CVE-2020-8616),
  ``max-recursion-queries`` has a higher chance of being exceeded by
  non-attack queries, which is the main reason for increasing its
  default value. [GL #2305]

- The default value of ``nocookie-udp-size`` was restored back to 4096
  bytes. Since ``max-udp-size`` is the upper bound for
  ``nocookie-udp-size``, this change relieves the operator from having
  to change ``nocookie-udp-size`` together with ``max-udp-size`` in
  order to increase the default EDNS buffer size limit.
  ``nocookie-udp-size`` can still be set to a value lower than
  ``max-udp-size``, if desired. [GL #2250]

Bug Fixes
~~~~~~~~~

- Handling of missing DNS COOKIE responses over UDP was tightened by
  falling back to TCP. [GL #2275]

- The CNAME synthesized from a DNAME was incorrectly followed when the
  QTYPE was CNAME or ANY. [GL #2280]

- Building with native PKCS#11 support for AEP Keyper has been broken
  since BIND 9.16.6. This has been fixed. [GL #2315]