- Add separate query counters for new protocols.
Add query counters for DoT, DoH, unencrypted DoH and their proxied
- counterparts. The new protocols do not update their respective TCP/UDP
+ counterparts. The new :namedconf:`protocols` do not update their respective TCP/UDP
transport counter and is now for TCP/UDP over plain 53 only.
:gl:`#598`
- Implement RFC 9567: EDNS Report-Channel option.
- Add new `send-report-channel` and `log-report-channel` options.
- `send-report-channel` specifies an agent domain, to which error
+ Add new :namedconf:`send-report-channel` and :namedconf:`log-report-channel` options.
+ :namedconf:`send-report-channel` specifies an agent domain, to which error
reports can be sent by querying a specially constructed name within
- the agent domain. EDNS Report-Channel options will be added to
- outgoing authoritative responses, to inform clients where to send such
+ the agent domain. EDNS Report-Channel :FIXME-rndcconf-namedconf:`options` will be added to
+ outgoing authoritative responses, to inform :namedconf:`clients` where to send such
queries in the event of a problem.
- If a zone is configured which matches the agent domain and has
- `log-report-channel` set to `yes`, error-reporting queries will be
- logged at level `info` to the `dns-reporting-agent` logging channel.
+ If a :namedconf:`zone` is configured which matches the agent domain and has
+ :namedconf:`log-report-channel` set to `yes`, error-reporting queries will be
+ logged at level `info` to the `dns-reporting-agent` :namedconf:`logging` channel.
:gl:`#3659`
-- Add detailed debugging of update-policy rule matching.
+- Add detailed debugging of :namedconf:`update-policy` rule matching.
- This logs how named determines if an update request is granted or
+ This logs how :iscman:`named` determines if an update request is granted or
denied when using update-policy. :gl:`#4751`
- Update bind.keys with the new 2025 IANA root key.
- Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696,
+ Add an 'initial-ds' entry to bind.keys for the new root :FIXME-rndcconf-namedconf:`key`, ID 38696,
which is scheduled for publication in January 2025. :gl:`#4896`
-- Enable runtime selection of FIPS mode in dig and delv.
+- Enable runtime selection of FIPS mode in :iscman:`dig` and delv.
- 'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime.
+ ':iscman:`dig` -F' and ':iscman:`delv` -F' can now be used to select FIPS mode at runtime.
:gl:`#5046`
Removed Features
The DLZ modules are poorly maintained as we only ensure they can still
be compiled, the DLZ interface is blocking, so anything that blocks
- the query to the database blocks the whole server and they should not
+ the query to the :namedconf:`database` blocks the whole :FIXME-rndcconf-namedconf:`server` and they should not
be used except in testing. The DLZ interface itself is going to be
scheduled for removal.
- Remove RBTDB implementation.
- Remove the RBTDB database implementation, and only leave the QPDB
- based implementations of zone and cache databases. This means it's no
+ Remove the RBTDB :namedconf:`database` implementation, and only leave the QPDB
+ based implementations of :namedconf:`zone` and cache databases. This means it's no
longer possible to choose the RBTDB to be default at the compilation
- time and it's not possible to configure RBTDB as the database backend
+ time and it's not possible to configure RBTDB as the :namedconf:`database` backend
in the configuration file. :gl:`#5027`
Feature Changes
- Dnssec-ksr now supports KSK rollovers.
- The tool 'dnssec-ksr' now allows for KSK generation, as well as
+ The tool ':iscman:`dnssec-ksr`' now allows for KSK generation, as well as
planned KSK rollovers. When signing a bundle from a Key Signing
- Request (KSR), only the key that is active in that time frame is being
+ Request (KSR), only the :FIXME-rndcconf-namedconf:`key` that is active in that time frame is being
used for signing. Also, the CDS and CDNSKEY records are now added and
removed at the correct time. :gl:`#4697` :gl:`#4705`
-- Add none parameter to query-source and query-source-v6 to disable IPv4
+- Add none parameter to :namedconf:`query-source` and :namedconf:`query-source-v6` to disable IPv4
or IPv6 upstream queries.
- Add a none parameter to named configuration option `query-source`
- (respectively `query-source-v6`) which forbid usage of IPv4
- (respectively IPv6) addresses when named is doing an upstream query.
+ Add a none parameter to :iscman:`named` configuration option :namedconf:`query-source`
+ (respectively :namedconf:`query-source-v6`) which forbid usage of IPv4
+ (respectively IPv6) :rndcconf:`addresses` when :iscman:`named` is doing an upstream query.
:gl:`#4981` Turning-off upstream IPv6 queries while still listening to
downstream queries on IPv6.
- Print expire option in transfer summary.
- The zone transfer summary will now print the expire option value in
- the zone transfer summary. :gl:`#5013`
+ The :namedconf:`zone` transfer summary will now print the expire option value in
+ the :namedconf:`zone` transfer summary. :gl:`#5013`
- Add missing EDNS option mnemonics.
- The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent
+ The `Report-Channel` and `ZONEVERSION` EDNS :FIXME-rndcconf-namedconf:`options` can now be sent
using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short),
and `dig +ednsopt=zoneversion`.
spelled with a hyphen in both text and YAML formats; previously, text
format used a space.
-- Add new logging module for logging crypto errors in libisc.
+- Add new :namedconf:`logging` module for :namedconf:`logging` crypto errors in libisc.
Add a new 'crypto' log module that will be used for a low-level
cryptographic operations. The DNS related cryptography logs are still
- Emit more helpful log for exceeding max-records-per-type.
The new log message is emitted when adding or updating an RRset fails
- due to exceeding the max-records-per-type limit. The log includes the
- owner name and type, corresponding zone name, and the limit value. It
- will be emitted on loading a zone file, inbound zone transfer (both
+ due to exceeding the :namedconf:`max-records-per-type` limit. The log includes the
+ owner name and :namedconf:`type`, corresponding :namedconf:`zone` name, and the limit value. It
+ will be emitted on loading a :namedconf:`zone` :namedconf:`file`, inbound :namedconf:`zone` transfer (both
AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's
- especially helpful in the case of zone transfer, since the secondary
- side doesn't have direct access to the offending zone data.
+ especially helpful in the case of :namedconf:`zone` transfer, since the secondary
+ side doesn't have direct access to the offending :namedconf:`zone` data.
- It could also be used for max-types-per-name, but this change doesn't
+ It could also be used for :namedconf:`max-types-per-name`, but this change doesn't
implement it yet as it's much less likely to happen in practice.
-- Harden key management when key files have become unavailabe.
+- Harden :FIXME-rndcconf-namedconf:`key` management when :FIXME-rndcconf-namedconf:`key` files have become unavailabe.
- Prior to doing key management, BIND 9 will check if the key files on
- disk match the expected keys. If key files for previously observed
- keys have become unavailable, this will prevent the internal key
+ Prior to doing :FIXME-rndcconf-namedconf:`key` management, BIND 9 will check if the :FIXME-rndcconf-namedconf:`key` files on
+ disk match the expected keys. If :FIXME-rndcconf-namedconf:`key` files for previously observed
+ :namedconf:`keys` have become unavailable, this will prevent the internal :FIXME-rndcconf-namedconf:`key`
manager from running.
Bug Fixes
Notifies configured to use TLS will now be sent over TLS, instead of
plaintext UDP or TCP. Also, failing to load the TLS configuration for
- notify now also results in an error. :gl:`#4821`
+ :namedconf:`notify` now also results in an error. :gl:`#4821`
- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath.
- `dig` fails to parse a valid (as far as I can tell, and accepted by
+ :iscman:`dig` fails to parse a valid (as far as I can tell, and accepted by
`kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template
- containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If
- the URI template contains a `{?dns}` instead `dig` is happy, but my
+ containing a `{&dns}`, like `dohpath=/some/path?:FIXME-rndcconf-namedconf:`key`=value{&dns}"`. If
+ the URI template contains a `{?dns}` instead :iscman:`dig` is happy, but my
understanding of rfc9461 and section 1.2. "Levels and Expression
Types" of rfc6570 is that `{&dns}` is valid. See for example section
1.2. "Levels and Expression Types" of rfc6570.
Note that Peter van Dijk suggested that `{dns}` and
`{dns,someothervar}` might be valid forms as well, so my patch might
- be too restrictive, although it's anyone's guess how DoH clients would
+ be too restrictive, although it's anyone's guess how DoH :namedconf:`clients` would
handle complex templates. :gl:`#4922`
- Fix NSEC3 closest encloser lookup for names with empty non-terminals.
incorrect NSEC3 records in some cases. This has been fixed.
:gl:`#4950`
-- Report client transport in 'rndc recursing'
+- Report client transport in ':iscman:`rndc` recursing'
- When `rndc recursing` is used to dump the list of recursing clients,
+ When `rndc recursing` is used to dump the list of recursing :namedconf:`clients`,
it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP.
:gl:`#4971`
BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed.
:gl:`#4987`
-- Parsing of hostnames in rndc.conf was broken.
+- Parsing of hostnames in :iscman:`rndc.conf` was broken.
- When DSCP support was removed, parsing of hostnames in rndc.conf was
+ When DSCP support was removed, parsing of hostnames in :iscman:`rndc.conf` was
accidentally broken, resulting in an assertion failure. This has been
fixed. :gl:`#4991`
-- Restore values when dig prints command line.
+- Restore values when :iscman:`dig` prints command line.
Options of the form `[+-]option=<value>` failed to display the value
on the printed command line. This has been fixed. :gl:`#4993`
- Provide more visibility into configuration errors.
- by logging SSL_CTX_use_certificate_chain_file and
+ by :namedconf:`logging` SSL_CTX_use_certificate_chain_file and
SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008`
- Fix race condition when canceling ADB find.
old SERVFAIL cache entries was implemented only in opportunistic
manner. Improve the memory cleaning of the SERVFAIL cache to be more
aggressive, so it doesn't consume a lot of memory in the case the
- server encounters many SERVFAILs at once. :gl:`#5025`
+ :FIXME-rndcconf-namedconf:`server` encounters many SERVFAILs at once. :gl:`#5025`
-- Fix trying the next primary server when the preivous one was marked as
+- Fix trying the next primary :FIXME-rndcconf-namedconf:`server` when the preivous one was marked as
unreachable.
- In some cases (there is evidence only when XoT was used) `named`
- failed to try the next primary server in the list when the previous
+ In some cases (there is evidence only when XoT was used) :iscman:`named`
+ failed to try the next primary :FIXME-rndcconf-namedconf:`server` in the list when the previous
one was marked as unreachable. This has been fixed. :gl:`#5038`
projects / thirdparty / bind9.git / commitdiff
