From: Michał Kępień Date: Thu, 2 Oct 2025 16:12:18 +0000 (+0200) Subject: Reorder release notes X-Git-Tag: v9.21.14~4^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e60dbe424013cb876bb286697243148286d44e4;p=thirdparty%2Fbind9.git Reorder release notes --- diff --git a/doc/notes/notes-9.21.13.rst b/doc/notes/notes-9.21.13.rst index 5fb5d95a418..9ce8efb07ce 100644 --- a/doc/notes/notes-9.21.13.rst +++ b/doc/notes/notes-9.21.13.rst @@ -63,10 +63,17 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Support for additional tokens in the zone file name template. +- Add :any:`dnssec-policy` keys configuration check to + :iscman:`named-checkconf`. - See :any:`file` for a complete list of currently supported tokens. - :gl:`#85` + A new option :option:`-k ` was added to + :iscman:`named-checkconf` that allows checking the + :any:`dnssec-policy` :any:`keys` configuration against the configured + key stores. If the found key files are not in sync with the given + :any:`dnssec-policy`, the check will fail. + + This is useful to run before migrating to :any:`dnssec-policy`. + :gl:`#5486` - Add support for synthetic records. @@ -98,17 +105,10 @@ New Features enable quicker responses, since plugins are only called when they are needed. :gl:`#5356` -- Add :any:`dnssec-policy` keys configuration check to - :iscman:`named-checkconf`. - - A new option :option:`-k ` was added to - :iscman:`named-checkconf` that allows checking the - :any:`dnssec-policy` :any:`keys` configuration against the configured - key stores. If the found key files are not in sync with the given - :any:`dnssec-policy`, the check will fail. +- Support for additional tokens in the zone file name template. - This is useful to run before migrating to :any:`dnssec-policy`. - :gl:`#5486` + See :any:`file` for a complete list of currently supported tokens. + :gl:`#85` Removed Features ~~~~~~~~~~~~~~~~ 
@@ -123,16 +123,10 @@ Removed Features Bug Fixes ~~~~~~~~~ -- Use signer name when disabling DNSSEC algorithms. - - :any:`disable-algorithms` could cause DNSSEC validation failures when - the parent zone was signed with the algorithms that were being - disabled for the child zone. This has been fixed; - :any:`disable-algorithms` now works on a whole-of-zone basis. +- Missing DNSSEC information when CD bit is set in query. - If the zone's name is at or below the :any:`disable-algorithms` name - the algorithm is disabled for that zone, using deepest match when - there are multiple :any:`disable-algorithms` clauses. :gl:`#5165` + The RRSIGs for glue records were not being cached correctly for CD=1 + queries. This has been fixed. :gl:`#5502` - :option:`rndc sign` during ZSK rollover will now replace signatures. @@ -141,16 +135,22 @@ Bug Fixes successor key, replacing all zone signatures from the predecessor key with new ones. :gl:`#5483` -- Missing DNSSEC information when CD bit is set in query. - - The RRSIGs for glue records were not being cached correctly for CD=1 - queries. This has been fixed. :gl:`#5502` - - Add a check for ``chroot()`` to the build system. The Meson build procedure was not checking for the existence of the ``chroot()`` function. This has been fixed. :gl:`#5519` +- Use signer name when disabling DNSSEC algorithms. + + :any:`disable-algorithms` could cause DNSSEC validation failures when + the parent zone was signed with the algorithms that were being + disabled for the child zone. This has been fixed; + :any:`disable-algorithms` now works on a whole-of-zone basis. + + If the zone's name is at or below the :any:`disable-algorithms` name + the algorithm is disabled for that zone, using deepest match when + there are multiple :any:`disable-algorithms` clauses. :gl:`#5165` + - Preserve cache when reload fails and reload the server again. This fixes an issue where failing to reconfigure/reload the server
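Review bot: the commit message is only "Reorder release notes", and the two New Features hunks (@@ -63 and @@ -98) swap the :any:`dnssec-policy` / :iscman:`named-checkconf` entry with the zone file name template entry without stating what the order is based on. Please add a sentence to the commit message naming the criterion so that later entries can be placed consistently. Separately, as shown here the moved text reads :option:`-k ` with a trailing space and no argument inside the role; since the block is being touched anyway, check that the cross-reference in the file is intact.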
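Review bot: in the Bug Fixes hunks (@@ -123 and @@ -141), the "Use signer name when disabling DNSSEC algorithms" entry moves from first place to below the Meson ``chroot()`` build-system check, although it describes a change in which zones :any:`disable-algorithms` applies to ("now works on a whole-of-zone basis", with deepest match across multiple clauses). Operators with existing :any:`disable-algorithms` clauses need to notice that entry; consider keeping it ahead of the build-system item, or confirm that the new position is intended.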