bind9/doc/arm/notes-9.16.0.xml
Michał Kępień 5eded8d66e Prepare release notes for BIND 9.16.0
  - Merge release notes from all 9.15.x releases, leaving only those
    which do not apply to BIND 9.14.

  - Add missing GitLab/RT issue identifiers.

  - Update "Introduction", "Note on Version Numbering", and "End of
    Life" sections with BIND 9.16 information.
2020-02-12 16:04:04 +01:00

<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes-9.16.0"><info><title>Notes for BIND 9.16.0</title></info>
<para>
<emphasis>Note: this section only lists changes from BIND 9.14 (the
previous stable branch of BIND).</emphasis>
</para>
<section xml:id="relnotes-9.16.0-new"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
A new asynchronous network communications system based on
<command>libuv</command> is now used by <command>named</command>
for listening for incoming requests and responding to them.
This change will make it easier to improve performance and
implement new protocol layers (for example, DNS over TLS) in
the future. [GL #29]
</para>
</listitem>
<listitem>
<para>
The new <command>dnssec-policy</command> option allows the
configuration of a key and signing policy (KASP) for zones. This
option enables <command>named</command> to generate new keys
as needed and automatically roll both ZSK and KSK keys.
(Note that the syntax for this statement differs from the DNSSEC
policy used by <command>dnssec-keymgr</command>.) [GL #1134]
</para>
</listitem>
<listitem>
<para>
In order to clarify the configuration of DNSSEC keys,
the <command>trusted-keys</command> and
<command>managed-keys</command> statements have been
deprecated, and the new <command>trust-anchors</command>
statement should now be used for both types of key.
</para>
<para>
When used with the keyword <command>initial-key</command>,
<command>trust-anchors</command> has the same behavior as
<command>managed-keys</command>, i.e., it configures
a trust anchor that is to be maintained via RFC 5011.
</para>
<para>
When used with the new keyword <command>static-key</command>,
<command>trust-anchors</command> has the same behavior as
<command>trusted-keys</command>, i.e., it configures a permanent
trust anchor that will not automatically be updated. (This usage
is not recommended for the root key.) [GL #6]
</para>
</listitem>
<listitem>
<para>
Two new keywords have been added to the
<command>trust-anchors</command> statement:
<command>initial-ds</command> and <command>static-ds</command>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</para>
<para>
As with the <command>initial-key</command> and
<command>static-key</command> keywords, <command>initial-ds</command>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<command>static-ds</command> configures a permanent trust anchor.
[GL #6] [GL #622]
</para>
</listitem>
<listitem>
<para>
<command>dig</command>, <command>mdig</command> and
<command>delv</command> can all now take a <command>+yaml</command>
option to print output in a detailed YAML format. [GL #1145]
</para>
</listitem>
<listitem>
<para>
<command>dig</command> now has a new command line option:
<command>+[no]unexpected</command>. By default, <command>dig</command>
won't accept a reply from a source other than the one to which
it sent the query. Add the <command>+unexpected</command> argument
to enable it to process replies from unexpected sources. [RT #44978]
</para>
</listitem>
<listitem>
<para>
<command>dig</command> now accepts a new command line option,
<command>+[no]expandaaaa</command>, which causes the IPv6
addresses in AAAA records to be printed in full 128-bit
notation rather than the default RFC 5952 format. [GL #765]
</para>
</listitem>
<listitem>
<para>
Statistics channel groups can now be toggled. [GL #1030]
</para>
</listitem>
</itemizedlist>
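As an added example (not part of these release notes or of the BIND source tree), the <filename>named.conf</filename> fragment below shows the two new statements described above side by side: a <command>dnssec-policy</command> applied to an authoritative zone, and a <command>trust-anchors</command> statement in each of its four forms. The zone names, file paths, key tags and key material are placeholders; the <command>key-directory</command> keyword inside <command>keys</command>, the <command>inline-signing yes;</command> line and the policy timing values are assumptions about how a file-backed zone is signed under 9.16 and should be checked against the ARM and <command>named-checkconf</command>. Real root values come from IANA's trust anchor publication at https://data.iana.org/root-anchors/, not from this example.

```conf
options {
    directory "/var/named";        // placeholder
    // "yes" rather than the default "auto": validate using only the anchors
    // configured below instead of named's built-in root anchor.
    dnssec-validation yes;
};

// Key and signing policy (KASP): named generates keys itself and rolls them.
// Algorithm 13 is ECDSAP256SHA256. The ZSK is rolled every 30 days; the KSK
// stays until the operator retires it. Timing values are assumed, tune per zone.
dnssec-policy "example-kasp" {
    keys {
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime P30D algorithm 13;
    };
    dnskey-ttl 3600;
    signatures-validity P14D;
    signatures-refresh P5D;
    max-zone-ttl 86400;
};

zone "example.test" {
    type master;
    file "/var/named/example.test.db";   // placeholder path
    key-directory "/var/named/keys";     // placeholder path: where generated keys are written
    dnssec-policy "example-kasp";
    inline-signing yes;                  // assumption: file-backed zone signed inline
};

// Replaces both trusted-keys (static) and managed-keys (RFC 5011 maintained).
trust-anchors {
    // initial-ds: RFC 5011 maintained anchor given in DS form, so it can be
    // configured before the DNSKEY itself is published (IANA announces root
    // keys this way). Fields: key-tag algorithm digest-type hex-digest.
    "." initial-ds 12345 8 2 "PLACEHOLDER_ROOT_DS_SHA256_HEX";

    // initial-key: same as the old managed-keys statement, DNSKEY form.
    // Fields: flags protocol algorithm base64-public-key.
    "corp.example.test." initial-key 257 3 13 "PLACEHOLDER_CORP_KSK_BASE64";

    // static-key: same as the old trusted-keys statement; a permanent anchor
    // that named never updates. Suited to a zone whose key you control, not
    // to the root.
    "partner.example.test." static-key 257 3 13 "PLACEHOLDER_PARTNER_KSK_BASE64";

    // static-ds: permanent anchor in DS form.
    "legacy.example.test." static-ds 12346 13 2 "PLACEHOLDER_LEGACY_DS_SHA256_HEX";
};
```

The DS forms are the ones to prefer when following a published rollover announcement, because a DS can be pinned before the new DNSKEY appears; the static forms give you a fixed anchor at the cost of having to edit the configuration yourself whenever that key rolls.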
</section>
<section xml:id="relnotes-9.16.0-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<command>dnssec-validation</command> was set to the default
value of <literal>auto</literal>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</para>
</listitem>
<listitem>
<para>
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <command>dnssec-dsfromkey</command>, the
<filename>dsset</filename> files generated by
<command>dnssec-signzone</command>, the DS records added to
a zone by <command>dnssec-signzone</command> based on
<filename>keyset</filename> files, the CDS records added to
a zone by <command>named</command> and
<command>dnssec-signzone</command> based on "sync" timing
parameters in key files, and the checks performed by
<command>dnssec-checkds</command>. [GL #1015]
</para>
</listitem>
<listitem>
<para>
<command>named</command> will now log a warning if
a static key is configured for the root zone. [GL #6]
</para>
</listitem>
<listitem>
<para>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made the default. The old non-default HMAC-SHA based DNS Cookie algorithms
have been removed; the AES algorithm (the previous default) is kept
only for legacy reasons. This change has no operational impact in most
common scenarios. [GL #605]
</para>
<para>
If you are running multiple DNS servers (different versions of BIND 9
or DNS servers from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), make sure that all the
servers are configured with the same DNS Cookie algorithm and same
Server Secret for the best performance.
</para>
</listitem>
<listitem>
<para>
The informational output of the <command>dnssec-signzone</command> and
<command>dnssec-verify</command> commands is now printed to standard
output. Standard error is used only for warnings and errors, and for the
informational output when the user requests the signed zone itself on
standard output with the <command>-f -</command> option. A new
command-line option, <command>-q</command>, silences all output on
standard output except for the name of the signed zone.
[GL #1151]
</para>
</listitem>
<listitem>
<para>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</para>
</listitem>
<listitem>
<para>
Compile-time settings enabled by the
<command>--with-tuning=large</command> option for
<command>configure</command> are now in effect by default.
Previously used default compile-time settings can be enabled
by passing <command>--with-tuning=small</command> to
<command>configure</command>. [GL !2989]
</para>
</listitem>
<listitem>
<para>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <command>configure</command>
option has been renamed from <command>--with-libjson</command>
to <command>--with-json-c</command>. Set the
<command>PKG_CONFIG_PATH</command> environment variable
accordingly to specify a custom path to the
<command>json-c</command> library, as the new
<command>configure</command> option does not take the library
installation path as an optional argument. [GL #855]
</para>
</listitem>
<listitem>
<para>
<command>./configure</command> no longer sets
<command>--sysconfdir</command> to <command>/etc</command> or
<command>--localstatedir</command> to <command>/var</command>
when <command>--prefix</command> is not specified and the
aforementioned options are not specified explicitly. Instead,
Autoconf's defaults of <command>$prefix/etc</command> and
<command>$prefix/var</command> are respected. [GL #658]
</para>
</listitem>
</itemizedlist>
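As an added example (not part of these release notes or of the BIND source tree), the fragments below illustrate two of the changes above: the trust-anchor combinations that 9.16 now rejects at startup, beside the configurations it accepts, and the DNS Cookie settings to align across servers that answer from one IP address. Each <command>options</command> block is a separate alternative, not one file; key material and the cookie secret are placeholders, and the requirement that the secret be 32 hexadecimal characters (128 bits) for both algorithms is stated here as an assumption to confirm in the ARM.

```conf
// REJECTED (fatal configuration error in 9.16): a static anchor for the root
// while dnssec-validation is left at its default of "auto". Before 9.16 this
// combination silently disabled automatic RFC 5011 rollover of the root key.
options {
    dnssec-validation auto;
};
trust-anchors {
    "." static-key 257 3 8 "PLACEHOLDER_ROOT_KSK_BASE64";
};

// ALSO REJECTED: a static and an RFC 5011 managed anchor for the same name.
trust-anchors {
    "corp.example.test." static-key  257 3 13 "PLACEHOLDER_CORP_KSK_BASE64";
    "corp.example.test." initial-key 257 3 13 "PLACEHOLDER_CORP_KSK_BASE64";
};

// ACCEPTED (recommended): keep "auto", configure no root entry at all, and let
// named maintain its built-in root anchor via RFC 5011. The cookie lines make
// the new 9.16 default explicit and pin one secret for an anycast group.
options {
    dnssec-validation auto;
    cookie-algorithm siphash24;                 // 9.16 default; "aes" is the legacy choice
    cookie-secret "PLACEHOLDER_32_HEX_CHARS";   // identical on every server behind the same IP
};

// ACCEPTED (with a logged warning): if the root key must be pinned statically,
// switch dnssec-validation to "yes" so named does not also try to manage the
// built-in anchor. The key will not roll on its own; the operator must edit it.
options {
    dnssec-validation yes;
};
trust-anchors {
    "." static-key 257 3 8 "PLACEHOLDER_ROOT_KSK_BASE64";
};
```

A mixed anycast pool where one member still runs AES cookies, or a different secret, will not fail outright, but clients will see their cookies rejected and fall back to uncookied queries whenever they hit a member that does not share the secret, which is the performance loss the note above refers to.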
</section>
<section xml:id="relnotes-9.16.0-removed"><info><title>Removed Features</title></info>
<itemizedlist>
<listitem>
<para>
The <command>dnssec-enable</command> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</para>
</listitem>
<listitem>
<para>
DNSSEC Lookaside Validation (DLV) is now obsolete.
The <command>dnssec-lookaside</command> option has been
marked as deprecated; when used in <filename>named.conf</filename>,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, <command>delv</command>, and the DNSSEC tools.
[GL #7]
</para>
</listitem>
<listitem>
<para>
The <command>cleaning-interval</command> option has been
removed. [GL !1731]
</para>
</listitem>
</itemizedlist>
</section>
</section>