Security Fixes
~~~~~~~~~~~~~~
-- Named failed to check the opcode of responses when performing refresh,
- stub updates, and UPDATE forwarding. This could lead to an assertion
- failure under particular conditions. This has been addressed by checking
- the opcode of those responses and rejecting the messages if they don't
- match the expected value. :gl:`#2762`
+- ``named`` failed to check the opcode of responses when performing zone
+ refreshes, stub zone updates, and UPDATE forwarding. This could lead
+ to an assertion failure under certain conditions and has been
+ addressed by rejecting responses whose opcode does not match the
+ expected value. :gl:`#2762`
-- Fix an assertion failure that occured in ``named`` when attempting to send
- a UDP packet exceeding the MTU size if rate-limiting was enabled.
- (CVE-2021-25218) :gl:`#2839`
+- Fixed an assertion failure that occurred in ``named`` when it
+ attempted to send a UDP packet that exceeded the MTU size, if
+ Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
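Review bot: the issue reference in the CVE-2021-25218 entry changes from :gl:`#2839` to :gl:`#2856` while the rest of the entry is a wording edit; confirm the new number is intentional and points at the public issue, since CVE entries are the lines downstream readers and advisories cross-reference. If #2839 is the original (possibly confidential) report and #2856 the public one, consider noting that in the commit message so the change is not mistaken for a typo.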
Known Issues
~~~~~~~~~~~~
New Features
~~~~~~~~~~~~
-- It is now possible to set a hard quota on the number of concurrent DoH
- connections, and the number of active HTTP/2 streams per connection,
- by using the ``http-listener-clients`` and ``http-streams-per-connection``
- options, or the ``listener-clients`` and ``streams-per-connection``
- parameters to an ``http`` statement. The defaults are 300 and 100
- respectively. :gl:`#2809`
+- It is now possible to set a hard quota on both the number of
+ concurrent DNS-over-HTTPS (DoH) connections and the number of active
+ HTTP/2 streams per connection, by using the ``http-listener-clients``
+ and ``http-streams-per-connection`` options, or the
+ ``listener-clients`` and ``streams-per-connection`` parameters in an
+ ``http`` statement. The defaults are 300 and 100, respectively.
+ :gl:`#2809`
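Review bot: the rewritten DoH quota entry still does not say what ``named`` does when either limit is reached (whether new connections or streams are refused, closed, or left waiting), which is what an operator needs in order to tune ``http-listener-clients`` and ``http-streams-per-connection`` against their deployment; one sentence on the behaviour at the quota, or a pointer to the reference manual section, would make the entry actionable.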
Removed Features
~~~~~~~~~~~~~~~~
Feature Changes
~~~~~~~~~~~~~~~
-- DNS over HTTPS support can be disabled at the compile time via the new
- configuration option ``--disable-doh``. This allows BIND 9 to be
- compiled without libnghttp2 library. :gl:`#2478`
+- DNS-over-HTTPS (DoH) support can now be disabled at compile time using
+ a new build-time option, ``--disable-doh``. This allows BIND 9 to be
+ built without the libnghttp2 library. :gl:`#2478`
-- Memory allocation has been substantially refactored, and is now based on
- the memory allocation API provided by the `jemalloc` library on platforms
- where it is available. This library is now recommended for building BIND 9.
- :gl:`#2433`
+- Memory allocation has been substantially refactored; it is now based
+ on the memory allocation API provided by the jemalloc library, on
+ platforms where it is available. Use of this library is now
+ recommended when building BIND 9; although it is optional, it is
+ enabled by default. :gl:`#2433`
-- Previously, named accepted FORMERR responses both with and without
+- Previously, ``named`` accepted FORMERR responses both with and without
an OPT record, as an indication that a given server did not support
- EDNS. To implement full compliance with RFC 6891, only FORMERR
+ EDNS. To implement full compliance with :rfc:`6891`, only FORMERR
responses without an OPT record are now accepted. This intentionally
- breaks communication with servers that do not support EDNS and
- that incorrectly echo back the query message with the RCODE field
- set to FORMERR and the QR bit set to 1. :gl:`#2249`
+ breaks communication with servers that do not support EDNS and that
+ incorrectly echo back the query message with the RCODE field set to
+ FORMERR and the QR bit set to 1. :gl:`#2249`
-- CDS and CDNSKEY records may now be published in a zone without the
- requirement that they exactly match an existing DNSKEY record, so long
- the zone is signed with an algorithm represented in the CDS or CDNSKEY
- record. This allows a clean rollover from one DNS provider to another
- when using a multiple-signer DNSSEC configuration. :gl:`#2710`
+- CDS and CDNSKEY records can now be published in a zone without the
+ requirement that they exactly match an existing DNSKEY record, as long
+ as the zone is signed with an algorithm represented in the CDS or
+ CDNSKEY record. This allows a clean rollover from one DNS provider to
+ another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
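Review bot: the jemalloc entry adds a claim that was not in the original text, "although it is optional, it is enabled by default", without saying what "enabled by default" means here (detected and used automatically by configure when the library is present, versus always required unless disabled); please verify that against the build system and spell out the condition, otherwise packagers may read it as a hard dependency. Dropping the single-backtick `jemalloc` in favour of plain text is correct for reStructuredText, since single backticks invoke the default interpreted-text role rather than literal formatting.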
Bug Fixes
~~~~~~~~~
-- Testing revealed that setting the thread affinity on both the netmgr
- and netthread threads led to inconsistent recursive performance, as
- sometimes the netmgr and netthread threads competed over a single
- resource.
+- Testing revealed that setting the thread affinity for various types of
+ ``named`` threads led to inconsistent recursive performance, as
+ sometimes multiple sets of threads competed over a single resource.
- When the affinity is not set, tests show a slight dip in the authoritative
- performance of around 5% (ranging from 3.8% to 7.8%), but
- the recursive performance is now consistently improved. :gl:`#2822`
+ Due to the above, ``named`` no longer sets thread affinity. This
+ causes a slight dip of around 5% in authoritative performance, but
+ recursive performance is now consistently improved. :gl:`#2822`
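Review bot: the thread-affinity entry loses two specifics the original carried: the named thread types ("netmgr and netthread threads" becomes "various types of ``named`` threads") and the measured range behind the 5% figure ("ranging from 3.8% to 7.8%"); since the new text now states the operational consequence ("``named`` no longer sets thread affinity"), which is the right addition, consider keeping the range as well so operators who see an authoritative throughput drop after upgrading have a documented baseline to compare against.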