first. Extra attention is also needed when using non-standard
``./configure`` options. [GL #4]
-- Added a new logging category ``rpz-passthru`` which allows RPZ
- passthru actions to be logged into a separate channel. [GL #54]
-
-- Zone timers are now exported via statistics channel. For primary
- zones, only the load time is exported. For secondary zones, exported
- timers also include expire and refresh times. Contributed by Paul
- Frieden, Verizon Media. [GL #1232]
-
-- ``dig`` and other tools can now print the Extended DNS Error (EDE)
- option when it appears in a request or response. [GL #1834]
-
-- Per-type record count limits can now be specified in ``update-policy``
- statements, to limit the number of records of a particular type
- that can be added to a domain name via dynamic update. [GL #1657]
-
- ``named`` and ``named-checkzone`` now reject master zones that
have a DS RRset at the zone apex. Attempts to add DS records
at the zone apex via UPDATE will be logged but otherwise ignored.
DS records belong in the parent zone, not at the zone apex. [GL #1798]
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
- relying on system defaults instead. [GL #1713]
-
-- The default rwlock implementation has been changed back to the native
- BIND 9 rwlock implementation. [GL #1753]
+- Per-type record count limits can now be specified in ``update-policy``
+ statements, to limit the number of records of a particular type
+ that can be added to a domain name via dynamic update. [GL #1657]
-- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
- v3.0 and thus made operational again. Contributed by Aaron Thompson.
- [GL !3326]
+- ``dig`` and other tools can now print the Extended DNS Error (EDE)
+ option when it appears in a request or response. [GL #1834]
-- The OpenSSL ECDSA implementation has been updated to support PKCS#11
- via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
- #1534]
+- ``dig +qid=<num>`` allows the user to specify a particular query ID
+ for testing purposes. [GL #1851]
-- The OpenSSL EdDSA implementation has been updated to support PKCS#11
- via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
- is required and thus this code is only a proof-of-concept for the
- time being. Contributed by Aaron Thompson. [GL #1763]
+- Added a new logging category ``rpz-passthru`` which allows RPZ
+ passthru actions to be logged into a separate channel. [GL #54]
-- Message IDs in inbound AXFR transfers are now checked for
- consistency. Log messages are emitted for streams with inconsistent
- message IDs. [GL #1674]
+- Zone timers are now exported via statistics channel. For primary
+ zones, only the load time is exported. For secondary zones, exported
+ timers also include expire and refresh times. Contributed by Paul
+ Frieden, Verizon Media. [GL #1232]
-- ``dig +qid=<num>`` allows the user to specify a particular query ID
- for testing purposes. [GL #1851]
+Feature Changes
+~~~~~~~~~~~~~~~
- The default value of ``max-stale-ttl`` has changed from 1 week to 12 hours.
This option controls how long named retains expired RRsets in cache as a
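Review bot: moving the ``dig +qid`` entry (GL #1851) out of the Feature Changes block and re-adding it ahead of the new Feature Changes heading reclassifies it as a New Feature rather than merely reordering it, while every other move in this hunk stays inside its original section; if the reclassification is intended, say so in the commit message. The resulting New Features order (GL #1657, #1834, #1851, #54, #1232) is neither by issue number nor alphabetical, so either state the ordering criterion or sort the five moved items consistently.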
option ``max-stale-ttl 1w;`` to named.conf to keep the previous behavior
of named.
+- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
+ relying on system defaults instead. [GL #1713]
+
+- The default rwlock implementation has been changed back to the native
+ BIND 9 rwlock implementation. [GL #1753]
+
- BIND binaries which are neither daemons nor administrative programs
were moved to ``$bindir``. Only ``ddns-confgen``, ``named``,
``rndc``, ``rndc-confgen``, and ``tsig-confgen`` were left in
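Review bot: the two re-added Feature Changes entries here (UDP buffer sizes, GL #1713; rwlock implementation, GL #1753) keep their GL references and separating blank lines, but they are inserted between the ``max-stale-ttl`` entry and the ``$bindir`` entry, both of which show no ``[GL #...]`` reference in the visible context; if the goal of this reshuffle is a consistent list, add the missing references to those two neighbours in the same change.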
:rfc:`3493` and :rfc:`3542`, this change was introduced in 9.16.0
but accudently ommited from documentation.
+- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
+ v3.0 and thus made operational again. Contributed by Aaron Thompson.
+ [GL !3326]
+
+- The OpenSSL ECDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
+ #1534]
+
+- The OpenSSL EdDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
+ is required and thus this code is only a proof-of-concept for the
+ time being. Contributed by Aaron Thompson. [GL #1763]
+
+- Message IDs in inbound AXFR transfers are now checked for
+ consistency. Log messages are emitted for streams with inconsistent
+ message IDs. [GL #1674]
+
- The question section is now checked when processing AXFR, IXFR
and SOA replies while transferring a zone in. [GL #1683]
Bug Fixes
~~~~~~~~~
-- A bug in dnstap initialization could prevent some dnstap data from
- being logged, especially on recursive resolvers. [GL #1795]
+- ``named`` could crash with an assertion failure if the name of a
+ database node was looked up while the database was being modified.
+ [GL #1857]
- When running on a system with support for Linux capabilities,
``named`` drops root privileges very soon after system startup. This
0: Operation not permitted*, which has now been silenced. [GL #1042]
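Review bot: the context line directly above the re-added PKCS#11 entries reads "accudently ommited from documentation" and ends without a ``[GL #...]`` reference; since this change already rewrites this region, correct the spelling to "accidentally omitted" here rather than shipping the typo in the release notes. In the re-added OpenSSL ECDSA entry the reference is split as "[GL" / "#1534]" across two lines; keeping the tag on one line matches the other entries and keeps it greppable.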
[GL #1090]
-- When ``named-checkconf -z`` was run, it would sometimes incorrectly
- set its exit code. It reflected the status of the last view found; if
- zone-loading errors were found in earlier configured views but not in
- the last one, the exit code indicated success. Thanks to Graham
- Clinch. [GL #1807]
-
-- When built without LMDB support, ``named`` failed to restart after a
- zone with a double quote (") in its name was added with ``rndc
- addzone``. Thanks to Alberto Fernández. [GL #1695]
-
- Missing mutex and conditional destruction in netmgr code leads to a
memory leak on BSD systems. [GL #1893]
-- ``named`` could crash with an assertion failure if the name of a
- database node was looked up while the database was being modified.
- [GL #1857]
+- Fix a data race in resolver.c:formerr() that could lead to assertion
+ failure. [GL #1808]
+
+- A bug in dnstap initialization could prevent some dnstap data from
+ being logged, especially on recursive resolvers. [GL #1795]
- Fix a bug in dnssec-policy keymgr where the check if a key has a
successor would return a false positive if any other key in the
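Review bot: the re-added formerr entry (GL #1808) is written in the imperative ("Fix a data race ...") while the neighbouring Bug Fixes entries describe the defect in the past tense ("could crash", "could prevent"); reword it along the lines of "A data race in resolver.c:formerr() could lead to an assertion failure." The netmgr context entry just above it has the opposite problem ("leads to a memory leak", present tense), and "conditional destruction" most likely means the condition variable; since these lines are being reshuffled anyway, this is the moment to make the tense and wording uniform.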
the current active key (the predecessor) was not changed and thus was
never is removed from the zone. [GL #1846]
-- Fix a data race in resolver.c:formerr() that could lead to assertion
- failure. [GL #1808]
+- When ``named-checkconf -z`` was run, it would sometimes incorrectly
+ set its exit code. It reflected the status of the last view found; if
+ zone-loading errors were found in earlier configured views but not in
+ the last one, the exit code indicated success. Thanks to Graham
+ Clinch. [GL #1807]
-- The dsset returned by dns_keynode_dsset() was not thread safe. This
- could result in a INSIST being triggered. [GL #1926]
+- When built without LMDB support, ``named`` failed to restart after a
+ zone with a double quote (") in its name was added with ``rndc
+ addzone``. Thanks to Alberto Fernández. [GL #1695]
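Review bot: the dns_keynode_dsset() entry (GL #1926) is deleted in this hunk and, unlike every other removed entry, is not re-added anywhere in the hunks shown; confirm it reappears further down the Bug Fixes list, otherwise the reorder silently drops a thread-safety fix from the notes. When it is re-added, also change "a INSIST" to "an INSIST", and the keymgr context line above ("thus was never is removed from the zone") needs the stray "is" dropped.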