Feature Changes
~~~~~~~~~~~~~~~
-- Update requirements for system test suite.
+- Enable minimal ANY answers by default.
- Python 3.10 or newer is now required for running the system test
- suite. The required python packages and their version requirements are
- now tracked in `bin/tests/system/requirements.txt`.
+ ANY queries are widely abused by attackers in reflection attacks, as
+ they result in large answers. The :namedconf:ref:`minimal-any` feature
+ is now enabled by default to reduce the attack surface. :gl:`#5723`
- Support for pytest 9.0.0 has been added its minimum supported version
- has been raised to 7.0.0. The minimum supported dnspython version has
- been raised to 2.3.0. :gl:`#5690` :gl:`#5614`
+- Lowercase the NSEC Next Domain Name field.
-- Lowercase the NSEC next owner name when signing.
+ When building an NSEC record, the next owner name is now converted to lowercase
+ before storing it in the Next Domain Name field.
- When building the NSEC rdata, lowercase the next owner name before
- storing it in the Next Domain Name Field.
+ This is not required according to :rfc:`6840#section-5.1`, but since
+ inconsistencies have been introduced to the specification over time, having
+ "next owner" names in only lowercase in the NSEC records improves compatibility with
+ software that does not follow the latest version of the DNSSEC
+ specification. :gl:`#5702`
- Note that this is not required according to RFC 6840, but since there
- is inconsistency in the documents over time, having uppercase next
- owner names in the NSEC records may cause validation failures if
- validators are not following RFC 6840. :gl:`#5702`
+- Update requirements for system test suite.
-- Enable minimal ANY answers by default.
+ Python 3.10 or newer is now required for running the system test suite. The
+ required Python packages and their version requirements are now tracked in the
+ file `bin/tests/system/requirements.txt`. :gl:`#5690` :gl:`#5614`
- ANY queries are widely abused by attackers doing reflection attacks as
- they return the largest answers. Enable minimal ANY answers by
- default to reduce the attack surface of the DNS servers. :gl:`#5723`
Bug Fixes
~~~~~~~~~
- Make catalog zone names and member zones' entry names
- case-insensitive.
-
- Previously, the catalog zone names and their member zones' entry names
- were unintentionally case-sensitive. This has been fixed. :gl:`#5693`
-
-- Fix brid and hhit implementation.
-
- Fix bugs in BRID and HHIT implementation and enable the unit tests.
- :gl:`#5710`
-
-- DSYNC record incorrectly used two octets for the Scheme Field.
-
- When creating the `DSYNC` record from a structure, `uint16_tobuffer`
- was used instead of `uint8_tobuffer` when adding the scheme, causing a
- `DSYNC` record that was one octet too long. This has been fixed.
- :gl:`#5711`
+ case-insensitive. :gl:`#5693`
-- Fix a possible issue with reponse policy zones and catalog zones.
+- Fix implementation of BRID and HHIT record types. :gl:`#5710`
- If a response policy zone (RPZ) or a catalog zone contained an
- `$INCLUDE` directive, then manually reloading that zone could fail to
- process the changes in the response policy or in the catalog,
- respectively. This has been fixed. :gl:`#5714`
+- Fix implementation of DSYNC record type. :gl:`#5711`
+- Fix response policy and catalog zones to work with `$INCLUDE` directive.
+ Reloading a RPZ or a catalog zone could have failed when `$INCLUDE` was in use. :gl:`#5714`
projects / thirdparty / bind9.git / commitdiff
