ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
fd01889b8aedcb1b6ec84ee96090242df81dfb6e
bind9/doc/notes/notes-current.rst
Matthijs Mekking 305fc213a0 Release notes and changes for [#2645] 
The feature "going insecure gracefully" has been changed.

(cherry picked from commit 75024736a4)
2021-04-30 13:58:22 +02:00

70 lines
2.1 KiB
ReStructuredText
Raw Blame History

..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.16.16
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- None.
Removed Features
~~~~~~~~~~~~~~~~
- None.
Feature Changes
~~~~~~~~~~~~~~~
- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
- Reduce the supported maximum number of iterations that can be
configured in an NSEC3 zones to 150. :gl:`#2642`
- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure.
:gl:`#2445`
- Zones that want to transition from secure to insecure mode without making it
bogus in the process should now first change their ``dnssec-policy`` to
``insecure`` (as opposed to ``none``). Only after the DNSSEC records have
been removed from the zone (in a timely manner), the ``dnssec-policy`` can
be set to ``none`` (or be removed from the configuration). Setting the
``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records
to be published. :gl:`#2645`
Bug Fixes
~~~~~~~~~
- When dumping the cache to file, TTLs were being increased with
``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
values if the RRset was still marked a stale but the ``max-stale-ttl`` has
passed (and is actually an RRset awaiting cleanup). Both issues have now
been fixed. :gl:`#389` :gl:`#2289`
- ``named`` would overwrite a zone file unconditionally when it recovered from
a corrupted journal. :gl:`#2623`
- With ``dnssec-policy``, when creating new keys also check for keyid conflicts
between the new keys too. :gl:`#2628`
- Update ZONEMD to match RFC 8976. :gl:`#2658`
View Git Blame Copy Permalink