PDFOBJS = Bv9ARM.pdf notes.pdf
-NOTESXML = notes-bug-fixes.xml notes-download.xml notes-eol.xml \
- notes-feature-changes.xml notes-intro.xml notes-license.xml \
- notes-new-features.xml notes-numbering.xml notes-platforms.xml \
- notes-removed.xml notes-sec-fixes.xml notes-thankyou.xml \
+NOTESXML = notes-download.xml notes-eol.xml notes-intro.xml notes-license.xml \
+ notes-numbering.xml notes-platforms.xml notes-thankyou.xml \
+ notes-9.15.0.xml \
+ notes-9.15.1.xml \
+ notes-9.15.2.xml \
+ notes-9.15.3.xml \
+ notes-9.15.4.xml \
+ notes-9.15.5.xml \
notes.xml
doc man:: ${MANOBJS} ${TXTOBJS} ${PDFOBJS}
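Review bot: NOTESXML stops at `notes-9.15.5.xml \` even though this change also adds notes-9.15.6.xml (the `relnotes-9.15.6` section further down), so the doc targets that depend on ${NOTESXML} will not know about the 9.15.6 file and will not be rebuilt when it changes; add a `notes-9.15.6.xml \` line after the `notes-9.15.5.xml \` line so the Makefile list matches the set of per-version files this commit creates.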
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.0"><info><title>Notes for BIND 9.15.0</title></info>
+
+ <section xml:id="relnotes-9.15.0-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ In certain configurations, <command>named</command> could crash
+ with an assertion failure if <command>nxdomain-redirect</command>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The TCP client quota set using the <command>tcp-clients</command>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.0-new"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The new <command>add-soa</command> option specifies whether
+ or not the <command>response-policy</command> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.0-removed"><info><title>Removed Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>dnssec-enable</command> option has been obsoleted and
+ no longer has any effect. DNSSEC responses are always enabled
+ if signatures and other DNSSEC data are present. [GL #866]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.0-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
+ configure a trust anchor for the root zone and
+ <command>dnssec-validation</command> was set to the default
+ value of <literal>auto</literal>, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of <command>dnssec-dsfromkey</command>, the
+ <filename>dsset</filename> files generated by
+ <command>dnssec-signzone</command>, the DS records added to
+ a zone by <command>dnssec-signzone</command> based on
+ <filename>keyset</filename> files, the CDS records added to
+ a zone by <command>named</command> and
+ <command>dnssec-signzone</command> based on "sync" timing
+ parameters in key files, and the checks performed by
+ <command>dnssec-checkds</command>.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.0-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>allow-update</command> and
+ <command>allow-update-forwarding</command> options were
+ inadvertently treated as configuration errors when used at the
+ <command>options</command> or <command>view</command> level.
+ This has now been corrected.
+ [GL #913]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
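Review bot: The DS/CDS SHA-256 item (second listitem under Feature Changes in relnotes-9.15.0-changes) is the only entry in this file without a [GL #...] reference; every other item in the 9.15.0 notes cites its issue, so either add the issue number or state that the omission is deliberate. Worth keeping the reference here in particular, since dropping the SHA-1 digest changes what `dnssec-dsfromkey` and `dnssec-signzone` emit and operators may need to trace why their parent-zone DS set changed.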
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.1"><info><title>Notes for BIND 9.15.1</title></info>
+
+ <section xml:id="relnotes-9.15.1-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.1-new"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ In order to clarify the configuration of DNSSEC keys,
+ the <command>trusted-keys</command> and
+ <command>managed-keys</command> statements have been
+ deprecated, and the new <command>dnssec-keys</command>
+ statement should now be used for both types of key.
+ </para>
+ <para>
+ When used with the keyword <command>initial-key</command>,
+ <command>dnssec-keys</command> has the same behavior as
+ <command>managed-keys</command>, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+ </para>
+ <para>
+ When used with the new keyword <command>static-key</command>, it
+ has the same behavior as <command>trusted-keys</command>,
+ configuring a permanent trust anchor that will not automatically
+ be updated. (This usage is not recommended for the root key.)
+ [GL #6]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.1-removed"><info><title>Removed Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>cleaning-interval</command> option has been
+ removed. [GL !1731]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.1-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> will now log a warning if
+ a static key is configured for the root zone. [GL #6]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ JSON-C is now the only supported library for enabling JSON
+ support for BIND statistics. The <command>configure</command>
+ option has been renamed from <command>--with-libjson</command>
+ to <command>--with-json-c</command>. Use
+ <command>PKG_CONFIG_PATH</command> to specify a custom path to
+ the <command>json-c</command> library as the new
+ <command>configure</command> option does not take the library
+ installation path as an optional argument.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
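Review bot: The Feature Changes entry "named will now log a warning if a static key is configured for the root zone" [GL #6] overlaps with the 9.15.0 entry that makes a static root key combined with `dnssec-validation auto` a fatal configuration error [GL #868], and a reader cannot tell from these two files which behaviour applies when; consider adding one sentence to the 9.15.1 entry saying how the warning relates to the fatal error (for example, that the warning covers the remaining static-root-key cases). The `cleaning-interval` item cites a merge request ([GL !1731]) while everything else cites issues ([GL #...]); fine if there is no issue, but confirm that is the intended reference.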
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.2"><info><title>Notes for BIND 9.15.2</title></info>
+
+ <section xml:id="relnotes-9.15.2-new"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The GeoIP2 API from MaxMind is now supported. Geolocation support
+ will be compiled in by default if the <command>libmaxminddb</command>
+ library is found at compile time, but can be turned off by using
+ <command>configure --disable-geoip</command>.
+ </para>
+ <para>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <command>libmaxminddb</command> library;
+ for example, if it is in <filename>/usr/local/lib</filename>,
+ then the default path will be
+ <filename>/usr/local/share/GeoIP</filename>.
+ This value can be overridden in <filename>named.conf</filename>
+ using the <command>geoip-directory</command> option.
+ </para>
+ <para>
+ Some <command>geoip</command> ACL settings that were available with
+ legacy GeoIP, including searches for <command>netspeed</command>,
+ <command>org</command>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <command>country</command>, <command>city</command>,
+ <command>domain</command>, <command>isp</command>, and
+ <command>as</command>. All of these databases support both IPv4
+ and IPv6 lookups. [GL #182] [GL #1112]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Two new metrics have been added to the
+ <command>statistics-channel</command> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <command>dnssec-sign</command> counter indicates the total
+ number of signatures <command>named</command> has generated
+ using that key since server startup, and the
+ <command>dnssec-refresh</command> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.2-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When <command>qname-minimization</command> was set to
+ <command>relaxed</command>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <command>named</command> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>./configure</command> no longer sets
+ <command>--sysconfdir</command> to <command>/etc</command> or
+ <command>--localstatedir</command> to <command>/var</command>
+ when <command>--prefix</command> is not specified and the
+ aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of <command>$prefix/etc</command> and
+ <command>$prefix/var</command> are respected.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
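Review bot: The `./configure` sysconfdir/localstatedir item under relnotes-9.15.2-bugs changes where a source build without `--prefix` installs and looks for named.conf and the state directory (from /etc and /var to $prefix/etc and $prefix/var), which is a migration-relevant behaviour change rather than a plain bug fix; it has no [GL #...] reference either. Suggest moving it to a Feature Changes section for 9.15.2, adding the issue number, and stating explicitly that existing installations that relied on the old /etc and /var defaults must now pass `--sysconfdir=/etc --localstatedir=/var` to keep reading the same configuration and state files.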
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.3"><info><title>Notes for BIND 9.15.3</title></info>
+
+ <section xml:id="relnotes-9.15.3-new"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Statistics channel groups are now toggleable. [GL #1030]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.3-removed"><info><title>Removed Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ DNSSEC Lookaside Validation (DLV) is now obsolete.
+ The <command>dnssec-lookaside</command> option has been
+ marked as deprecated; when used in <filename>named.conf</filename>,
+ it will generate a warning but will otherwise be ignored.
+ All code enabling the use of lookaside validation has been removed
+ from the validator, <command>delv</command>, and the DNSSEC tools.
+ [GL #7]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.3-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
+ made default. Old non-default HMAC-SHA based DNS Cookie algorithms
+ have been removed, and only the default AES algorithm is being kept
+ for legacy reasons. This change doesn't have any operational impact
+ in most common scenarios. [GL #605]
+ </para>
+ <para>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The information from the <command>dnssec-signzone</command> and
+ <command>dnssec-verify</command> commands is now printed to standard
+ output. The standard error output is only used to print warnings and
+ errors, and in case the user requests the signed zone to be printed to
+ standard output with <command>-f -</command> option. A new
+ configuration option <command>-q</command> has been added to silence
+ all output on standard output except for the name of the signed zone.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.3-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Cache database statistics counters could report invalid values
+ when stale answers were enabled, because of a bug in counter
+ maintenance when cache data becomes stale. The statistics counters
+ have been corrected to report the number of RRsets for each
+ RR type that are active, stale but still potentially served,
+ or stale and marked for deletion. [GL #602]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named-checkconf</command> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named-checkconf</command> now correctly reports a missing
+ <command>dnstap-output</command> option when
+ <command>dnstap</command> is set. [GL #1136]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig</command> now correctly expands the IPv6 address
+ when run with <command>+expandaaaa +short</command>. [GL #1152]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
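Review bot: The DNS Cookie entry says the change "doesn't have any operational impact in most common scenarios", but the next paragraph describes the one scenario where it does: since the HMAC-SHA cookie algorithms are removed, an anycast or load-balanced pool that mixes 9.15.3 with older servers still using an HMAC-SHA cookie algorithm can no longer agree on the same algorithm and secret, so the second paragraph should say plainly that those deployments must move every server to AES (or the new SipHash 2-4 default once all members support it) before upgrading. Two smaller points in the same file: "Handle ETIMEDOUT error on connect() with a non-blocking socket" reads as a commit subject rather than a release note (suggest "named now handles an ETIMEDOUT error from connect() on a non-blocking socket"), and the `dnssec-signzone` standard-output item calls `-q` a "configuration option" when it is a command-line option, and lacks a [GL #...] reference.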
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.4"><info><title>Notes for BIND 9.15.4</title></info>
+
+ <section xml:id="relnotes-9.15.4-new"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Added a new command line option to <command>dig</command>:
+ <command>+[no]unexpected</command>. By default, <command>dig</command>
+ won't accept a reply from a source other than the one to which
+ it sent the query. Add the <command>+unexpected</command> argument
+ to enable it to process replies from unexpected sources.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig</command>, <command>mdig</command> and
+ <command>delv</command> can all now take a <command>+yaml</command>
+ option to print output in a a detailed YAML format. [RT #1145]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.4-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When a <command>response-policy</command> zone expires, ensure
+ that its policies are removed from the RPZ summary database.
+ [GL #1146]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
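Review bot: The `+yaml` item under relnotes-9.15.4-new has a doubled article ("in a a detailed YAML format") and cites "[RT #1145]" while every other entry in these files cites "[GL #...]"; confirm whether this is really an RT ticket or a GitLab issue and make the reference consistent. The `+[no]unexpected` item has no issue reference at all, and the RPZ bug-fix item ("ensure that its policies are removed") is written as an instruction rather than a description of what was fixed; "When a response-policy zone expires, its policies are now removed from the RPZ summary database" would match the style of the other entries.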
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.5"><info><title>Notes for BIND 9.15.5</title></info>
+
+ <section xml:id="relnotes-9.15.5-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> could crash with an assertion failure
+ if a forwarder returned a referral, rather than resolving the
+ query, when QNAME minimization was enabled. This flaw is
+ disclosed in CVE-2019-6476. [GL #1051]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A flaw in DNSSEC verification when transferring mirror zones
+ could allow data to be incorrectly marked valid. This flaw
+ is disclosed in CVE-2019-6475. [GL #1252]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.6"><info><title>Notes for BIND 9.15.6</title></info>
+
+ <section xml:id="relnotes-9.15.6-new"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A new asynchronous network communications system based on
+ <command>libuv</command> is now used by <command>named</command>
+ for listening for incoming requests and responding to them.
+ This change will make it easier to improve performance and
+ implement new protocol layers (for example, DNS over TLS) in
+ the future. [GL #29]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The new <command>dnssec-policy</command> option allows the
+ configuration key and signing policy (KASP) for zones. This
+ option enables <command>named</command> to generate new keys
+ as needed and automatically roll both ZSK and KSK keys.
+ (Note that the syntax for this statement differs from the DNSSEC
+ policy used by <command>dnssec-keymgr</command>.) [GL #1134]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.6-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
+ because it was found to have a significant performance impact on the
+ recursive service. The NSEC Aggressive Cache will be enable by default
+ in the future releases. [GL #1265]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
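Review bot: Two grammar problems are carried over verbatim from the deleted notes-feature-changes.xml and notes-new-features.xml into relnotes-9.15.6: "The NSEC Aggressive Cache will be enable by default in the future releases" should read "will be enabled by default in a future release", and "allows the configuration key and signing policy (KASP) for zones" should read "allows configuration of a key and signing policy (KASP) for zones". Since this commit rewrites these files anyway, it is the natural place to fix both.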
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>allow-update</command> and
- <command>allow-update-forwarding</command> options were
- inadvertently treated as configuration errors when used at the
- <command>options</command> or <command>view</command> level.
- This has now been corrected.
- [GL #913]
- </para>
- </listitem>
- <listitem>
- <para>
- When <command>qname-minimization</command> was set to
- <command>relaxed</command>, some improperly configured domains
- would fail to resolve, but would have succeeded when minimization
- was disabled. <command>named</command> will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>./configure</command> no longer sets
- <command>--sysconfdir</command> to <command>/etc</command> or
- <command>--localstatedir</command> to <command>/var</command>
- when <command>--prefix</command> is not specified and the
- aforementioned options are not specified explicitly. Instead,
- Autoconf's defaults of <command>$prefix/etc</command> and
- <command>$prefix/var</command> are respected.
- </para>
- </listitem>
- <listitem>
- <para>
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </para>
- </listitem>
- <listitem>
- <para>
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now correctly reports a missing
- <command>dnstap-output</command> option when
- <command>dnstap</command> is set. [GL #1136]
- </para>
- </listitem>
- <listitem>
- <para>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </para>
- </listitem>
- <listitem>
- <para>
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>dig</command> now correctly expands the IPv6 address
- when run with <command>+expandaaaa +short</command>. [GL #1152]
- </para>
- </listitem>
- <listitem>
- <para>
- When a <command>response-policy</command> zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
- </para>
- </listitem>
- </itemizedlist>
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- A new asynchronous network communications system based on
- <command>libuv</command> is now used by <command>named</command>
- for listening for incoming requests and responding to them.
- This change will make it easier to improve performance and
- implement new protocol layers (for example, DNS over TLS) in
- the future. [GL #29]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> will now log a warning if
- a static key is configured for the root zone. [GL #6]
- </para>
- </listitem>
- <listitem>
- <para>
- When static and managed DNSSEC keys were both configured for the
- same name, or when a static key was used to
- configure a trust anchor for the root zone and
- <command>dnssec-validation</command> was set to the default
- value of <literal>auto</literal>, automatic RFC 5011 key
- rollovers would be disabled. This combination of settings was
- never intended to work, but there was no check for it in the
- parser. This has been corrected, and it is now a fatal
- configuration error. [GL #868]
- </para>
- </listitem>
- <listitem>
- <para>
- DS and CDS records are now generated with SHA-256 digests
- only, instead of both SHA-1 and SHA-256. This affects the
- default output of <command>dnssec-dsfromkey</command>, the
- <filename>dsset</filename> files generated by
- <command>dnssec-signzone</command>, the DS records added to
- a zone by <command>dnssec-signzone</command> based on
- <filename>keyset</filename> files, the CDS records added to
- a zone by <command>named</command> and
- <command>dnssec-signzone</command> based on "sync" timing
- parameters in key files, and the checks performed by
- <command>dnssec-checkds</command>.
- </para>
- </listitem>
- <listitem>
- <para>
- JSON-C is now the only supported library for enabling JSON
- support for BIND statistics. The <command>configure</command>
- option has been renamed from <command>--with-libjson</command>
- to <command>--with-json-c</command>. Use
- <command>PKG_CONFIG_PATH</command> to specify a custom path to
- the <command>json-c</command> library as the new
- <command>configure</command> option does not take the library
- installation path as an optional argument.
- </para>
- </listitem>
- <listitem>
- <para>
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
- made default. Old non-default HMAC-SHA based DNS Cookie algorithms
- have been removed, and only the default AES algorithm is being kept
- for legacy reasons. This change doesn't have any operational impact
- in most common scenarios. [GL #605]
- </para>
- <para>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </para>
- </listitem>
- <listitem>
- <para>
- The information from the <command>dnssec-signzone</command> and
- <command>dnssec-verify</command> commands is now printed to standard
- output. The standard error output is only used to print warnings and
- errors, and in case the user requests the signed zone to be printed to
- standard output with <command>-f -</command> option. A new
- configuration option <command>-q</command> has been added to silence
- all output on standard output except for the name of the signed zone.
- </para>
- </listitem>
- <listitem>
- <para>
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </para>
- </listitem>
- <listitem>
- <para>
- NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
- because it was found to have a significant performance impact on the
- recursive service. The NSEC Aggressive Cache will be enable by default
- in the future releases. [GL #1265]
- </para>
- </listitem>
- </itemizedlist>
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes_features"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The new <command>dnssec-policy</command> option allows the
- configuration key and signing policy (KASP) for zones. This
- option enables <command>named</command> to generate new keys
- as needed and automatically roll both ZSK and KSK keys.
- (Note that the syntax for this statement differs from the dnssec
- policy used by <command>dnssec-keymgr</command>.) [GL #1134]
- </para>
- </listitem>
- <listitem>
- <para>
- Added a new statistics variable <command>tcp-highwater</command>
- that reports the maximum number of simultaneous TCP clients BIND
- has handled while running. [GL #1206]
- </para>
- </listitem>
- <listitem>
- <para>
- Added a new command line option to <command>dig</command>:
- <command>+[no]unexpected</command>. By default, <command>dig</command>
- won't accept a reply from a source other than the one to which
- it sent the query. Add the <command>+unexpected</command> argument
- to enable it to process replies from unexpected sources.
- </para>
- </listitem>
- <listitem>
- <para>
- The GeoIP2 API from MaxMind is now supported. Geolocation support
- will be compiled in by default if the <command>libmaxminddb</command>
- library is found at compile time, but can be turned off by using
- <command>configure --disable-geoip</command>.
- </para>
- <para>
- The default path to the GeoIP2 databases will be set based
- on the location of the <command>libmaxminddb</command> library;
- for example, if it is in <filename>/usr/local/lib</filename>,
- then the default path will be
- <filename>/usr/local/share/GeoIP</filename>.
- This value can be overridden in <filename>named.conf</filename>
- using the <command>geoip-directory</command> option.
- </para>
- <para>
- Some <command>geoip</command> ACL settings that were available with
- legacy GeoIP, including searches for <command>netspeed</command>,
- <command>org</command>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <command>country</command>, <command>city</command>,
- <command>domain</command>, <command>isp</command>, and
- <command>as</command>. All of these databases support both IPv4
- and IPv6 lookups. [GL #182] [GL #1112]
- </para>
- </listitem>
- <listitem>
- <para>
- In order to clarify the configuration of DNSSEC keys,
- the <command>trusted-keys</command> and
- <command>managed-keys</command> statements have been
- deprecated, and the new <command>dnssec-keys</command>
- statement should now be used for both types of key.
- </para>
- <para>
- When used with the keyword <command>initial-key</command>,
- <command>dnssec-keys</command> has the same behavior as
- <command>managed-keys</command>, i.e., it configures
- a trust anchor that is to be maintained via RFC 5011.
- </para>
- <para>
- When used with the new keyword <command>static-key</command>, it
- has the same behavior as <command>trusted-keys</command>,
- configuring a permanent trust anchor that will not automatically
- be updated. (This usage is not recommended for the root key.)
- [GL #6]
- </para>
- </listitem>
- <listitem>
- <para>
- The new <command>add-soa</command> option specifies whether
- or not the <command>response-policy</command> zone's SOA record
- should be included in the additional section of RPZ responses.
- [GL #865]
- </para>
- </listitem>
- <listitem>
- <para>
- Two new metrics have been added to the
- <command>statistics-channel</command> to report DNSSEC
- signing operations. For each key in each zone, the
- <command>dnssec-sign</command> counter indicates the total
- number of signatures <command>named</command> has generated
- using that key since server startup, and the
- <command>dnssec-refresh</command> counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
- </para>
- </listitem>
- <listitem>
- <para>
- Statistics channel groups are now toggleable. [GL #1030]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>dig</command>, <command>mdig</command> and
- <command>delv</command> can all now take a <command>+yaml</command>
- option to print output in a a detailed YAML format. [RT #1145]
- </para>
- </listitem>
- </itemizedlist>
-</section>
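Review bot: the last item deleted in this hunk carries a typo, "in a a detailed YAML format" (the +yaml item for dig, mdig and delv), which should read "in a detailed YAML format" in whichever notes-9.15.N.xml file it is moved into; the same item cites [RT #1145] while every neighbouring item cites a GL number, so check that the reference is the intended one. The deletion also drops two operator-facing migration caveats: the dnssec-keys text saying that static-key is not recommended for the root key, and the geoip note that netspeed, org and three-letter ISO country-code ACL searches stop working under GeoIP2. Please confirm both reappear verbatim in the versioned file for the release that introduced each change rather than being condensed away, since this diff only shows their removal.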
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>dnssec-enable</command> option has been obsoleted and
- no longer has any effect. DNSSEC responses are always enabled
- if signatures and other DNSSEC data are present. [GL #866]
- </para>
- </listitem>
- <listitem>
- <para>
- The <command>cleaning-interval</command> option has been
- removed. [GL !1731]
- </para>
- </listitem>
- <listitem>
- <para>
- DNSSEC Lookaside Validation (DLV) is now obsolete.
- The <command>dnssec-lookaside</command> option has been
- marked as deprecated; when used in <filename>named.conf</filename>,
- it will generate a warning but will otherwise be ignored.
- All code enabling the use of lookaside validation has been removed
- from the validator, <command>delv</command>, and the DNSSEC tools.
- [GL #7]
- </para>
- </listitem>
- </itemizedlist>
-</section>
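Review bot: the dnssec-lookaside item removed here describes a deprecation, not a removal (the option is still accepted in named.conf, generates a warning and is otherwise ignored), so when it is carried into the per-version notes it belongs under a feature-changes or deprecation heading rather than "Removed Features"; only the dnssec-enable and cleaning-interval entries in this hunk are genuine removals. The cleaning-interval entry cites a merge request ([GL !1731]) where every other entry cites an issue ([GL #NNN]); pick one convention when migrating. Also make sure the dnssec-enable text keeps the sentence that DNSSEC responses are always enabled when signatures and other DNSSEC data are present, because that is the behavioural change an upgrading operator needs to see.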
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The TCP client quota set using the <command>tcp-clients</command>
- option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. This flaw is disclosed in
- CVE-2018-5743. [GL #615]
- </para>
- </listitem>
- <listitem>
- <para>
- In certain configurations, <command>named</command> could crash
- with an assertion failure if <command>nxdomain-redirect</command>
- was in use and a redirected query resulted in an NXDOMAIN from the
- cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
- </para>
- </listitem>
- <listitem>
- <para>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> could crash with an assertion failure
- if a forwarder returned a referral, rather than resolving the
- query, when QNAME minimization was enabled. This flaw is
- disclosed in CVE-2019-6476. [GL #1051]
- </para>
- </listitem>
- <listitem>
- <para>
- A flaw in DNSSEC verification when transferring mirror zones
- could allow data to be incorrectly marked valid. This flaw
- is disclosed in CVE-2019-6475. [GL #1252]
- </para>
- </listitem>
- </itemizedlist>
-</section>
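Review bot: this hunk deletes the single consolidated Security Fixes list, which is where operators look up a CVE number, so verify that all five entries (CVE-2018-5743, CVE-2019-6467, CVE-2019-6471, CVE-2019-6475 and CVE-2019-6476) land in the notes-9.15.N.xml file for the release that shipped each fix, still labelled as security fixes and still carrying their GL references. Pay particular attention to the mirror-zone entry (CVE-2019-6475), whose impact is data being incorrectly marked valid rather than a crash; the phrase "could allow data to be incorrectly marked valid" should survive the move unchanged. The trigger conditions of the other four (tcp-clients quota exceeded, nxdomain-redirect with an NXDOMAIN from cache, the race while rejecting many incoming packets, a forwarder returning a referral under QNAME minimization) should likewise be preserved word for word, since they are what an operator uses to judge whether a given configuration is exposed.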
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-numbering.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-platforms.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-download.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-sec-fixes.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-new-features.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-removed.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-feature-changes.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-bug-fixes.xml"/>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.6.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.5.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.4.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.3.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.2.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.1.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.0.xml"/>
+
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-license.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
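Review bot: the added includes at the top of this hunk reference notes-9.15.6.xml down to notes-9.15.0.xml, but the diff shown adds no notes-9.15.6.xml file, and an XInclude whose href does not exist breaks the documentation build; please confirm that file is part of this change. Any build variable that enumerates the notes XML sources must list exactly the same set of notes-9.15.N.xml files as this wrapper, and the five removed includes (notes-sec-fixes.xml, notes-new-features.xml, notes-removed.xml, notes-feature-changes.xml, notes-bug-fixes.xml) should not remain referenced anywhere else in the tree. The descending version order is deliberate but not obvious; a one-line XML comment above the block saying that the newest release goes first would stop a future release from being appended at the bottom.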
./doc/arm/master.zoneopt.xml SGML 2018,2019
./doc/arm/masters.grammar.xml SGML 2018,2019
./doc/arm/mirror.zoneopt.xml SGML 2018,2019
-./doc/arm/notes-bug-fixes.xml SGML 2019
+./doc/arm/notes-9.15.0.xml SGML 2019
+./doc/arm/notes-9.15.1.xml SGML 2019
+./doc/arm/notes-9.15.2.xml SGML 2019
+./doc/arm/notes-9.15.3.xml SGML 2019
+./doc/arm/notes-9.15.4.xml SGML 2019
+./doc/arm/notes-9.15.5.xml SGML 2019
+./doc/arm/notes-9.15.6.xml SGML 2019
./doc/arm/notes-download.xml SGML 2019
./doc/arm/notes-eol.xml SGML 2019
-./doc/arm/notes-feature-changes.xml SGML 2019
./doc/arm/notes-intro.xml SGML 2019
./doc/arm/notes-license.xml SGML 2019
-./doc/arm/notes-new-features.xml SGML 2019
./doc/arm/notes-numbering.xml SGML 2019
./doc/arm/notes-platforms.xml SGML 2019
-./doc/arm/notes-removed.xml SGML 2019
-./doc/arm/notes-sec-fixes.xml SGML 2019
./doc/arm/notes-thankyou.xml SGML 2019
./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018,2019
./doc/arm/notes.conf X 2015,2018,2019
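Review bot: notes-9.15.6.xml is added to the manifest (the entry after notes-9.15.5.xml) although no addition of that file appears elsewhere in the diff; confirm the file exists, since a manifest entry without a matching file is inconsistent. The rest of the hunk lines up with the wrapper change: the five removed notes-*.xml entries correspond to the five removed includes, the seven added notes-9.15.N.xml entries correspond to the seven added includes, and the new entries are inserted in sorted position with the same SGML type and 2019 year as the files they replace.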