ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
ff1ac20e0f742e6ef8afff71d2ee3d69b85dd299
bind9/doc/arm/notes-9.17.1.xml
Stephen Morris 623b6c94c0 Tweak release notes for BIND 9.17.1
2020-04-08 22:12:57 +02:00

102 lines
4.1 KiB
XML
Raw Blame History

<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes-9.17.1"><info><title>Notes for BIND 9.17.1</title></info>
<section xml:id="relnotes-9.17.1-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-known"><info><title>Known Issues</title></info>
<itemizedlist>
<listitem>
<para>
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated.
[GL #1685]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-new"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
A new option, <command>nsdname-wait-recurse</command>, has been added
to the <command>response-policy</command> clause in the configuration
file. When set to <command>no</command>, RPZ NSDNAME rules are only
applied if the authoritative nameservers for the query name have been
looked up and are present in the cache. If this information is not
present, the RPZ NSDNAME rules are ignored, but the information is
looked up in the background and applied to subsequent queries. The
default is <command>yes</command>, meaning that RPZ NSDNAME rules
should always be applied, even if the information needs to be looked
up first. [GL #1138]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
The previous DNSSEC sign statistics used lots of memory. The number of
keys to track is reduced to four per zone, which should be enough for
99% of all signed zones. [GL #1179]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, <command>named</command> could become
nonresponsive for a short period while deleted names were removed from
the RPZ summary database. This database cleanup is now done
incrementally over a longer period of time, reducing such delays.
[GL #1447]
</para>
</listitem>
<listitem>
<para>
When trying to migrate an already-signed zone from
<command>auto-dnssec maintain</command> to one based on
<command>dnssec-policy</command>, the existing keys were immediately
deleted and replaced with new ones. As the key rollover timing
constraints were not being followed, it was possible that some clients
would not have been able to validate responses until all old DNSSEC
information had timed out from caches. BIND now looks at the time
metadata of the existing keys and incorporates it into its DNSSEC
policy operation. [GL #1706]
</para>
</listitem>
</itemizedlist>
</section>
</section>
View Git Blame Copy Permalink