ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
ffc5e54fd844cfafb604de6b240064642d6f99cd
bind9/doc/notes/notes-current.rst
Matthijs Mekking 4170288a91 Correctly initialize old key with state file 
The 'key_init()' function is used to initialize a state file for keys
that don't have one yet. This can happen if you are migrating from a
'auto-dnssec' or 'inline-signing' to a 'dnssec-policy' configuration.

It did not look at the "Inactive" and "Delete" timing metadata and so
old keys left behind in the key directory would also be considered as
a possible active key. This commit fixes this and now explicitly sets
the key goal to OMNIPRESENT for keys that have their "Active/Publish"
timing metadata in the past, but their "Inactive/Delete" timing
metadata in the future. If the "Inactive/Delete" timing metadata is
also in the past, the key goal is set to HIDDEN.

If the "Inactive/Delete" timing metadata is in the past, also the
key states are adjusted to either UNRETENTIVE or HIDDEN, depending on
how far in the past the metadata is set.

(cherry picked from commit 76cf72e65a)
2021-02-03 08:42:32 +01:00

98 lines
3.6 KiB
ReStructuredText
Raw Blame History

..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.16.12
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- When a secondary server receives a large incremental zone
transfer (IXFR), it can have a negative impact on query
performance while the incremental changes are applied to
the zone. To address this, ``named`` can now
limit the size of IXFR responses it sends in response to zone
transfer requests. If an IXFR response would be larger than an
AXFR of the entire zone, it will send an AXFR resonse instead.
This behavior is controlled by the ``max-ixfr-ratio``
option - a percentage value representing the ratio of IXFR size
to the size of a full zone transfer. This value cannot exceed
100%, which is also the default. [GL #1515]
- A new option, ```stale-answer-client-timeout``, has been added to
improve ``named``'s behavior with respect to serving stale data. The option
defines the amount of time ``named`` waits before attempting
to answer the query with a stale RRset from cache. If a stale answer
is found, ``named`` continues the ongoing fetches, attempting to
refresh the RRset in cache until the ``resolver-query-timeout`` interval is
reached.
The default value is ``1800`` (in milliseconds) and the maximum value is
bounded to ``resolver-query-timeout`` minus one second. A value of
``0`` immediately returns a cached RRset if available, and still
attempts a refresh of the data in cache.
The option can be disabled by setting the value to ``off`` or
``disabled``. It also has no effect if ``stale-answer-enable`` is
disabled.
Removed Features
~~~~~~~~~~~~~~~~
- None.
Feature Changes
~~~~~~~~~~~~~~~
- The SONAMEs for BIND 9 libraries now include the current BIND 9
version number, in an effort to tightly couple internal libraries with
a specific release. This change makes the BIND 9 release process both
simpler and more consistent while also unequivocally preventing BIND 9
binaries from silently loading wrong versions of shared libraries (or
multiple versions of the same shared library) at startup. [GL #2387]
- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
day and the default value of ``stale-answer-ttl`` has been changed from 1
second to 30 seconds, following RFC 8767 recommendations. [GL #2248]
- As part of an ongoing effort to use RFC 8499 terminology,
``primaries`` can now be used as a synonym for ``masters`` in
``named.conf``. Similarly, ``notify primary-only`` can now be used as
a synonym for ``notify master-only``. The output of ``rndc
zonestatus`` now uses ``primary`` and ``secondary`` terminology.
[GL #1948]
Bug Fixes
~~~~~~~~~
- KASP incorrectly set signature validity to the value of the DNSKEY signature
validity. This is now fixed. [GL #2383]
- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key.
This has been fixed. [GL #2178]
- Named ``allow-update`` acls where broken in BIND 9.17.9 and BIND 9.16.11
preventing ``named`` starting. [GL #2413]
- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive"
and/or "Delete" timing metadata as possible active keys. This has been fixed.
[GL #2406]
View Git Blame Copy Permalink