--- /dev/null
+Release Notes for BIND Version 9.13.0
+
+Introduction
+
+BIND 9.13 is an unstable development release of BIND. This document
+summarizes new features and functional changes that have been introduced
+on this branch. With each development release leading up to the stable
+BIND 9.14 release, this document will be updated with additional features
+added and bugs fixed.
+
+Note on Version Numbering
+
+Prior to BIND 9.13, new feature development releases were tagged as
+"alpha" and "beta", leading up to the first stable release for a given
+development branch, which always ended in ".0".
+
+Now, however, BIND has adopted the "odd-unstable/even-stable" release
+numbering convention. There will be no "alpha" or "beta" releases in the
+9.13 branch, only increasing version numbers. So, for example, what would
+previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will
+instead be called 9.13.0, 9.13.1, 9.13.2, etc.
+
+The first stable release from this development branch will be renamed as
+9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch,
+while unstable feature development proceeds in 9.15.
+
+Download
+
+The latest versions of BIND 9 software can always be found at http://
+www.isc.org/downloads/. There you will find additional information about
+each release, source code, and pre-compiled versions for Microsoft Windows
+operating systems.
+
+Security Fixes
+
+ * None.
+
+New Features
+
+ * BIND now can be compiled against the libidn2 library to add IDNA2008
+ support. Previously, BIND supported IDNA2003 using the (now obsolete
+ and unsupported) idnkit-1 library.
+
+ * named now supports the "root key sentinel" mechanism. This enables
+ validating resolvers to indicate to which trust anchors are configured
+ for the root, so that information about root key rollover status can
+ be gathered. To disable this feature, add root-key-sentinel no; to
+ named.conf.
+
+ * The dnskey-sig-validity option allows the sig-validity-interval to be
+ overriden for signatures covering DNSKEY RRsets. [GL #145]
+
+Removed Features
+
+ * dnssec-keygen can no longer generate HMAC keys for TSIG
+ authentication. Use tsig-keygen to generate these keys. [RT #46404]
+
+ * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
+ greater, or LibreSSL is now required.
+
+ * The configure --enable-seccomp option, which formerly turned on
+ system-call filtering on Linux, has been removed. [GL #93]
+
+ * IPv4 addresses in forms other than dotted-quad are no longer accepted
+ in master files. [GL #13] [GL #56]
+
+ * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
+
+ * The "rbtdb64" database implementation (a parallel implementation of
+ "rbt") has been removed. [GL #217]
+
+ * The -r randomdev option to explicitly select random device has been
+ removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
+ and dnssec-signzone commands.
+
+ The -p option to use pseudo-random data has been removed from the
+ dnssec-signzone command.
+
+Feature Changes
+
+ * BIND will now always use the best CSPRNG (cryptographically-secure
+ pseudo-random number generator) available on the platform where it is
+ compiled. It will use arc4random() family of functions on BSD
+ operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
+ Windows, and the selected cryptography provider library (OpenSSL or
+ PKCS#11) as the last resort. [GL #221]
+
+ * BIND can no longer be built without DNSSEC support. A cryptography
+ provder (i.e., OpenSSL or a hardware service module with PKCS#11
+ support) must be available. [GL #244]
+
+ * Zone types primary and secondary are now available as synonyms for
+ master and slave, respectively, in named.conf.
+
+ * named will now log a warning if the old root DNSSEC key is explicitly
+ configured and has not been updated. [RT #43670]
+
+ * dig +nssearch will now list name servers that have timed out, in
+ addition to those that respond. [GL #64]
+
+ * dig +noidnin can be used to disable IDN processing on the input domain
+ name, when BIND is compiled with IDN support.
+
+ * Up to 64 response-policy zones are now supported by default;
+ previously the limit was 32. [GL #123]
+
+ * Several configuration options for time periods can now use TTL value
+ suffixes (for example, 2h or 1d) in addition to an integer number of
+ seconds. These include fstrm-set-reopen-interval, interface-interval,
+ max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
+ . [GL #203]
+
+Bug Fixes
+
+ * None.
+
+License
+
+BIND is open source software licenced under the terms of the Mozilla
+Public License, version 2.0 (see the LICENSE file for the full text).
+
+The license requires that if you make changes to BIND and distribute them
+outside your organization, those changes must be published under the same
+license. It does not require that you publish or disclose anything other
+than the changes you have made to our software. This requirement does not
+affect anyone who is using BIND, with or without modifications, without
+redistributing it, nor anyone redistributing BIND without changes.
+
+Those wishing to discuss license compliance may contact ISC at https://
+www.isc.org/mission/contact/.
+
+End of Life
+
+BIND 9.13 is an unstable development branch. When its development is
+complete, it will be renamed to BIND 9.14, which will be a stable branch.
+
+The end of life date for BIND 9.14 has not yet been determined. For those
+needing long term support, the current Extended Support Version (ESV) is
+BIND 9.11, which will be supported until at least December 2021. See
+https://www.isc.org/downloads/software-support-policy/ for details of
+ISC's software support policy.
+
+Thank You
+
+Thank you to everyone who assisted us in making this release possible. If
+you would like to contribute to ISC to assist us in continuing to make
+quality open source software, please visit our donations page at http://
+www.isc.org/donate/.
projects / thirdparty / bind9.git / commitdiff
