New Features
~~~~~~~~~~~~
-- Support for additional tokens in the zone file name template.
+- Add :any:`dnssec-policy` keys configuration check to
+ :iscman:`named-checkconf`.
- See :any:`file` for a complete list of currently supported tokens.
- :gl:`#85`
+ A new option :option:`-k <named-checkconf -k>` was added to
+ :iscman:`named-checkconf` that allows checking the
+ :any:`dnssec-policy` :any:`keys` configuration against the configured
+ key stores. If the found key files are not in sync with the given
+ :any:`dnssec-policy`, the check will fail.
+
+ This is useful to run before migrating to :any:`dnssec-policy`.
+ :gl:`#5486`
- Add support for synthetic records.
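Review bot: the added sentence "If the found key files are not in sync with the given dnssec-policy, the check will fail" does not say what "in sync" compares or how the failure is reported. Because the entry recommends running the check before migrating to dnssec-policy, state which properties of the key files are checked against the keys configuration, or point the reader to the named-checkconf -k documentation for that detail. "The found key files" would also read better as "the key files found in the configured key stores".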
enable quicker responses, since plugins are only called when they are
needed. :gl:`#5356`
-- Add :any:`dnssec-policy` keys configuration check to
- :iscman:`named-checkconf`.
-
- A new option :option:`-k <named-checkconf -k>` was added to
- :iscman:`named-checkconf` that allows checking the
- :any:`dnssec-policy` :any:`keys` configuration against the configured
- key stores. If the found key files are not in sync with the given
- :any:`dnssec-policy`, the check will fail.
+- Support for additional tokens in the zone file name template.
- This is useful to run before migrating to :any:`dnssec-policy`.
- :gl:`#5486`
+ See :any:`file` for a complete list of currently supported tokens.
+ :gl:`#85`
Removed Features
~~~~~~~~~~~~~~~~
Bug Fixes
~~~~~~~~~
-- Use signer name when disabling DNSSEC algorithms.
-
- :any:`disable-algorithms` could cause DNSSEC validation failures when
- the parent zone was signed with the algorithms that were being
- disabled for the child zone. This has been fixed;
- :any:`disable-algorithms` now works on a whole-of-zone basis.
+- Missing DNSSEC information when CD bit is set in query.
- If the zone's name is at or below the :any:`disable-algorithms` name
- the algorithm is disabled for that zone, using deepest match when
- there are multiple :any:`disable-algorithms` clauses. :gl:`#5165`
+ The RRSIGs for glue records were not being cached correctly for CD=1
+ queries. This has been fixed. :gl:`#5502`
- :option:`rndc sign` during ZSK rollover will now replace signatures.
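Review bot: in the added "Missing DNSSEC information when CD bit is set in query" entry, the body says the RRSIGs for glue records "were not being cached correctly" but gives no hint of what an operator should do about data cached before the fix. Add a sentence saying whether the cache needs to be flushed after upgrading or whether the bad entries expire on their own. The entry also switches between "CD bit" and "CD=1"; pick one form and expand CD on first use.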
successor key, replacing all zone signatures from the predecessor key
with new ones. :gl:`#5483`
-- Missing DNSSEC information when CD bit is set in query.
-
- The RRSIGs for glue records were not being cached correctly for CD=1
- queries. This has been fixed. :gl:`#5502`
-
- Add a check for ``chroot()`` to the build system.
The Meson build procedure was not checking for the existence of the
``chroot()`` function. This has been fixed. :gl:`#5519`
+- Use signer name when disabling DNSSEC algorithms.
+
+ :any:`disable-algorithms` could cause DNSSEC validation failures when
+ the parent zone was signed with the algorithms that were being
+ disabled for the child zone. This has been fixed;
+ :any:`disable-algorithms` now works on a whole-of-zone basis.
+
+ If the zone's name is at or below the :any:`disable-algorithms` name
+ the algorithm is disabled for that zone, using deepest match when
+ there are multiple :any:`disable-algorithms` clauses. :gl:`#5165`
+
- Preserve cache when reload fails and reload the server again.
This fixes an issue where failing to reconfigure/reload the server
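Review bot: the title of the added entry, "Use signer name when disabling DNSSEC algorithms", does not match its body, which never mentions the signer name and instead describes matching on "the zone's name". Reconcile the two so it is clear which name is compared against the disable-algorithms name. The move to "a whole-of-zone basis" changes how existing disable-algorithms clauses are applied, so say that explicitly rather than presenting it only as a fix. The last paragraph also needs a comma after "name" in "at or below the disable-algorithms name the algorithm is disabled".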