NOTESXML = notes-download.xml notes-eol.xml notes-intro.xml notes-license.xml \
notes-numbering.xml notes-platforms.xml notes-thankyou.xml \
- notes-9.15.0.xml \
- notes-9.15.1.xml \
- notes-9.15.2.xml \
- notes-9.15.3.xml \
- notes-9.15.4.xml \
- notes-9.15.5.xml \
- notes-9.15.6.xml \
- notes-9.15.7.xml \
- notes-9.15.8.xml \
+ notes-9.16.0.xml \
notes.xml
doc man:: ${MANOBJS} ${TXTOBJS} ${PDFOBJS}
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.0"><info><title>Notes for BIND 9.15.0</title></info>
-
- <section xml:id="relnotes-9.15.0-security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- In certain configurations, <command>named</command> could crash
- with an assertion failure if <command>nxdomain-redirect</command>
- was in use and a redirected query resulted in an NXDOMAIN from the
- cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
- </para>
- </listitem>
- <listitem>
- <para>
- The TCP client quota set using the <command>tcp-clients</command>
- option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. This flaw is disclosed in
- CVE-2018-5743. [GL #615]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.0-new"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The new <command>add-soa</command> option specifies whether
- or not the <command>response-policy</command> zone's SOA record
- should be included in the additional section of RPZ responses.
- [GL #865]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.0-removed"><info><title>Removed Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>dnssec-enable</command> option has been obsoleted and
- no longer has any effect. DNSSEC responses are always enabled
- if signatures and other DNSSEC data are present. [GL #866]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.0-changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- When static and managed DNSSEC keys were both configured for the
- same name, or when a static key was used to
- configure a trust anchor for the root zone and
- <command>dnssec-validation</command> was set to the default
- value of <literal>auto</literal>, automatic RFC 5011 key
- rollovers would be disabled. This combination of settings was
- never intended to work, but there was no check for it in the
- parser. This has been corrected, and it is now a fatal
- configuration error. [GL #868]
- </para>
- </listitem>
- <listitem>
- <para>
- DS and CDS records are now generated with SHA-256 digests
- only, instead of both SHA-1 and SHA-256. This affects the
- default output of <command>dnssec-dsfromkey</command>, the
- <filename>dsset</filename> files generated by
- <command>dnssec-signzone</command>, the DS records added to
- a zone by <command>dnssec-signzone</command> based on
- <filename>keyset</filename> files, the CDS records added to
- a zone by <command>named</command> and
- <command>dnssec-signzone</command> based on "sync" timing
- parameters in key files, and the checks performed by
- <command>dnssec-checkds</command>.
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.0-bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>allow-update</command> and
- <command>allow-update-forwarding</command> options were
- inadvertently treated as configuration errors when used at the
- <command>options</command> or <command>view</command> level.
- This has now been corrected.
- [GL #913]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.1"><info><title>Notes for BIND 9.15.1</title></info>
-
- <section xml:id="relnotes-9.15.1-security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.1-new"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- In order to clarify the configuration of DNSSEC keys,
- the <command>trusted-keys</command> and
- <command>managed-keys</command> statements have been
- deprecated, and the new <command>dnssec-keys</command>
- statement should now be used for both types of key.
- </para>
- <para>
- When used with the keyword <command>initial-key</command>,
- <command>dnssec-keys</command> has the same behavior as
- <command>managed-keys</command>, i.e., it configures
- a trust anchor that is to be maintained via RFC 5011.
- </para>
- <para>
- When used with the new keyword <command>static-key</command>, it
- has the same behavior as <command>trusted-keys</command>,
- configuring a permanent trust anchor that will not automatically
- be updated. (This usage is not recommended for the root key.)
- [GL #6]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.1-removed"><info><title>Removed Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>cleaning-interval</command> option has been
- removed. [GL !1731]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.1-changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- <command>named</command> will now log a warning if
- a static key is configured for the root zone. [GL #6]
- </para>
- </listitem>
- <listitem>
- <para>
- JSON-C is now the only supported library for enabling JSON
- support for BIND statistics. The <command>configure</command>
- option has been renamed from <command>--with-libjson</command>
- to <command>--with-json-c</command>. Use
- <command>PKG_CONFIG_PATH</command> to specify a custom path to
- the <command>json-c</command> library as the new
- <command>configure</command> option does not take the library
- installation path as an optional argument.
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.2"><info><title>Notes for BIND 9.15.2</title></info>
-
- <section xml:id="relnotes-9.15.2-new"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The GeoIP2 API from MaxMind is now supported. Geolocation support
- will be compiled in by default if the <command>libmaxminddb</command>
- library is found at compile time, but can be turned off by using
- <command>configure --disable-geoip</command>.
- </para>
- <para>
- The default path to the GeoIP2 databases will be set based
- on the location of the <command>libmaxminddb</command> library;
- for example, if it is in <filename>/usr/local/lib</filename>,
- then the default path will be
- <filename>/usr/local/share/GeoIP</filename>.
- This value can be overridden in <filename>named.conf</filename>
- using the <command>geoip-directory</command> option.
- </para>
- <para>
- Some <command>geoip</command> ACL settings that were available with
- legacy GeoIP, including searches for <command>netspeed</command>,
- <command>org</command>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <command>country</command>, <command>city</command>,
- <command>domain</command>, <command>isp</command>, and
- <command>as</command>. All of these databases support both IPv4
- and IPv6 lookups. [GL #182] [GL #1112]
- </para>
- </listitem>
- <listitem>
- <para>
- Two new metrics have been added to the
- <command>statistics-channel</command> to report DNSSEC
- signing operations. For each key in each zone, the
- <command>dnssec-sign</command> counter indicates the total
- number of signatures <command>named</command> has generated
- using that key since server startup, and the
- <command>dnssec-refresh</command> counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.2-bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- When <command>qname-minimization</command> was set to
- <command>relaxed</command>, some improperly configured domains
- would fail to resolve, but would have succeeded when minimization
- was disabled. <command>named</command> will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>./configure</command> no longer sets
- <command>--sysconfdir</command> to <command>/etc</command> or
- <command>--localstatedir</command> to <command>/var</command>
- when <command>--prefix</command> is not specified and the
- aforementioned options are not specified explicitly. Instead,
- Autoconf's defaults of <command>$prefix/etc</command> and
- <command>$prefix/var</command> are respected.
- </para>
- </listitem>
- <listitem>
- <para>
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.3"><info><title>Notes for BIND 9.15.3</title></info>
-
- <section xml:id="relnotes-9.15.3-new"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Statistics channel groups are now toggleable. [GL #1030]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.3-removed"><info><title>Removed Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- DNSSEC Lookaside Validation (DLV) is now obsolete.
- The <command>dnssec-lookaside</command> option has been
- marked as deprecated; when used in <filename>named.conf</filename>,
- it will generate a warning but will otherwise be ignored.
- All code enabling the use of lookaside validation has been removed
- from the validator, <command>delv</command>, and the DNSSEC tools.
- [GL #7]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.3-changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
- made default. Old non-default HMAC-SHA based DNS Cookie algorithms
- have been removed, and only the default AES algorithm is being kept
- for legacy reasons. This change doesn't have any operational impact
- in most common scenarios. [GL #605]
- </para>
- <para>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </para>
- </listitem>
- <listitem>
- <para>
- The information from the <command>dnssec-signzone</command> and
- <command>dnssec-verify</command> commands is now printed to standard
- output. The standard error output is only used to print warnings and
- errors, and in case the user requests the signed zone to be printed to
- standard output with <command>-f -</command> option. A new
- configuration option <command>-q</command> has been added to silence
- all output on standard output except for the name of the signed zone.
- </para>
- </listitem>
- <listitem>
- <para>
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.3-bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
- </para>
- </listitem>
- <listitem>
- <para>
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now correctly reports a missing
- <command>dnstap-output</command> option when
- <command>dnstap</command> is set. [GL #1136]
- </para>
- </listitem>
- <listitem>
- <para>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>dig</command> now correctly expands the IPv6 address
- when run with <command>+expandaaaa +short</command>. [GL #1152]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.4"><info><title>Notes for BIND 9.15.4</title></info>
-
- <section xml:id="relnotes-9.15.4-new"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Added a new command line option to <command>dig</command>:
- <command>+[no]unexpected</command>. By default, <command>dig</command>
- won't accept a reply from a source other than the one to which
- it sent the query. Add the <command>+unexpected</command> argument
- to enable it to process replies from unexpected sources.
- </para>
- </listitem>
- <listitem>
- <para>
- <command>dig</command>, <command>mdig</command> and
- <command>delv</command> can all now take a <command>+yaml</command>
- option to print output in a a detailed YAML format. [RT #1145]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.4-bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- When a <command>response-policy</command> zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.5"><info><title>Notes for BIND 9.15.5</title></info>
-
- <section xml:id="relnotes-9.15.5-security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- <command>named</command> could crash with an assertion failure
- if a forwarder returned a referral, rather than resolving the
- query, when QNAME minimization was enabled. This flaw is
- disclosed in CVE-2019-6476. [GL #1051]
- </para>
- </listitem>
- <listitem>
- <para>
- A flaw in DNSSEC verification when transferring mirror zones
- could allow data to be incorrectly marked valid. This flaw
- is disclosed in CVE-2019-6475. [GL #1252]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.6"><info><title>Notes for BIND 9.15.6</title></info>
-
- <section xml:id="relnotes-9.15.6-security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Set a limit on the number of concurrently served pipelined TCP
- queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.6-new"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- A new asynchronous network communications system based on
- <command>libuv</command> is now used by <command>named</command>
- for listening for incoming requests and responding to them.
- This change will make it easier to improve performance and
- implement new protocol layers (for example, DNS over TLS) in
- the future. [GL #29]
- </para>
- </listitem>
- <listitem>
- <para>
- The new <command>dnssec-policy</command> option allows the
- configuration key and signing policy (KASP) for zones. This
- option enables <command>named</command> to generate new keys
- as needed and automatically roll both ZSK and KSK keys.
- (Note that the syntax for this statement differs from the DNSSEC
- policy used by <command>dnssec-keymgr</command>.) [GL #1134]
- </para>
- </listitem>
- <listitem>
- <para>
- Two new keywords have been added to the
- <command>dnssec-keys</command> statement:
- <command>initial-ds</command> and <command>static-ds</command>.
- These allow the use of trust anchors in DS format instead of
- DNSKEY format. DS format allows trust anchors to be configured
- for keys that have not yet been published; this is the format
- used by IANA when announcing future root keys.
- </para>
- <para>
- As with the <command>initial-key</command> and
- <command>static-key</command> keywords, <command>initial-ds</command>
- configures a dynamic trust anchor to be maintained via RFC 5011, and
- <command>static-ds</command> configures a permanent trust anchor.
- </para>
- <para>
- (Note: Currently, DNSKEY-format and DS-format trust anchors
- cannot both be used for the same domain name.) [GL #6] [GL #622]
- </para>
- </listitem>
- <listitem>
- <para>
- Added a new statistics variable <command>tcp-highwater</command>
- that reports the maximum number of simultaneous TCP clients BIND
- has handled while running. [GL #1206]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.6-changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
- because it was found to have a significant performance impact on the
- recursive service. The NSEC Aggressive Cache will be enable by default
- in the future releases. [GL #1265]
- </para>
- </listitem>
- <listitem>
- <para>
- The DNSSEC validation code has been refactored for clarity and to
- reduce code duplication. [GL #622]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.7"><info><title>Notes for BIND 9.15.7</title></info>
-
- <section xml:id="relnotes-9.15.7-changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>dnssec-keys</command> configuration statement,
- which was introduced in 9.15.1 and revised in 9.15.6, has now
- been renamed to the more descriptive
- <command>trust-anchors</command>. [GL !2702]
- </para>
- <para>
- (See release notes for
- <xref linkend="relnotes-9.15.1-new" xrefstyle="template:BIND 9.15.1"/>
- and
- <xref linkend="relnotes-9.15.6-new" xrefstyle="template:BIND 9.15.6"/>
- for prior discussion of this feature.)
- </para>
- </listitem>
- <listitem>
- <para>
- Added support for multithreaded listening for TCP connections
- in the network manager. [GL !2659]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.7-bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Fixed a bug that caused <command>named</command> to leak memory
- on reconfiguration when any GeoIP2 database was in use. [GL #1445]
- </para>
- </listitem>
- <listitem>
- <para>
- Fixed several possible race conditions discovered by
- ThreadSanitizer.
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.15.8"><info><title>Notes for BIND 9.15.8</title></info>
-
- <section xml:id="relnotes-9.15.8-changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>trust-anchors</command> statement no longer rejects
- a mix of both key-style and DS-style trust anchor entries for the
- same name. [GL #1237]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.15.8-bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Fixed an intermittent crash in the validator that could occur
- when validating negative answers from the cache. [GL #1561]
- </para>
- </listitem>
- <listitem>
- <para>
- Fixed a bug that could cause <command>named</command> to crash on
- machines with more than 40 CPUs. [GL #1493]
- </para>
- </listitem>
- <listitem>
- <para>
- Socket-related statistics counters were not being updated by
- network manager sockets, but are now fully functional. [GL #1311]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.16.0"><info><title>Notes for BIND 9.16.0</title></info>
+
+ <para>
+ <emphasis>Note: this section only lists changes from BIND 9.14 (the
+ previous stable branch of BIND).</emphasis>
+ </para>
+
+ <section xml:id="relnotes-9.16.0-new"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A new asynchronous network communications system based on
+ <command>libuv</command> is now used by <command>named</command>
+ for listening for incoming requests and responding to them.
+ This change will make it easier to improve performance and
+ implement new protocol layers (for example, DNS over TLS) in
+ the future. [GL #29]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The new <command>dnssec-policy</command> option allows the
+ configuration of a key and signing policy (KASP) for zones. This
+ option enables <command>named</command> to generate new keys
+ as needed and automatically roll both ZSK and KSK keys.
+ (Note that the syntax for this statement differs from the DNSSEC
+ policy used by <command>dnssec-keymgr</command>.) [GL #1134]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ In order to clarify the configuration of DNSSEC keys,
+ the <command>trusted-keys</command> and
+ <command>managed-keys</command> statements have been
+ deprecated, and the new <command>trust-anchors</command>
+ statement should now be used for both types of key.
+ </para>
+ <para>
+ When used with the keyword <command>initial-key</command>,
+ <command>trust-anchors</command> has the same behavior as
+ <command>managed-keys</command>, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+ </para>
+ <para>
+ When used with the new keyword <command>static-key</command>,
+ <command>trust-anchors</command> has the same behavior as
+ <command>trusted-keys</command>, i.e., it configures a permanent
+ trust anchor that will not automatically be updated. (This usage
+ is not recommended for the root key.) [GL #6]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Two new keywords have been added to the
+ <command>trust-anchors</command> statement:
+ <command>initial-ds</command> and <command>static-ds</command>.
+ These allow the use of trust anchors in DS format instead of
+ DNSKEY format. DS format allows trust anchors to be configured
+ for keys that have not yet been published; this is the format
+ used by IANA when announcing future root keys.
+ </para>
+ <para>
+ As with the <command>initial-key</command> and
+ <command>static-key</command> keywords, <command>initial-ds</command>
+ configures a dynamic trust anchor to be maintained via RFC 5011, and
+ <command>static-ds</command> configures a permanent trust anchor.
+ [GL #6] [GL #622]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig</command>, <command>mdig</command> and
+ <command>delv</command> can all now take a <command>+yaml</command>
+ option to print output in a detailed YAML format. [GL #1145]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig</command> now has a new command line option:
+ <command>+[no]unexpected</command>. By default, <command>dig</command>
+ won't accept a reply from a source other than the one to which
+ it sent the query. Add the <command>+unexpected</command> argument
+ to enable it to process replies from unexpected sources. [RT #44978]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig</command> now accepts a new command line option,
+ <command>+[no]expandaaaa</command>, which causes the IPv6
+ addresses in AAAA records to be printed in full 128-bit
+ notation rather than the default RFC 5952 format. [GL #765]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Statistics channel groups can now be toggled. [GL #1030]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.16.0-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
+ configure a trust anchor for the root zone and
+ <command>dnssec-validation</command> was set to the default
+ value of <literal>auto</literal>, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of <command>dnssec-dsfromkey</command>, the
+ <filename>dsset</filename> files generated by
+ <command>dnssec-signzone</command>, the DS records added to
+ a zone by <command>dnssec-signzone</command> based on
+ <filename>keyset</filename> files, the CDS records added to
+ a zone by <command>named</command> and
+ <command>dnssec-signzone</command> based on "sync" timing
+ parameters in key files, and the checks performed by
+ <command>dnssec-checkds</command>. [GL #1015]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> will now log a warning if
+ a static key is configured for the root zone. [GL #6]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
+ made default. Old non-default HMAC-SHA based DNS Cookie algorithms
+ have been removed, and only the default AES algorithm is being kept
+ for legacy reasons. This change has no operational impact in most
+ common scenarios. [GL #605]
+ </para>
+ <para>
+ If you are running multiple DNS servers (different versions of BIND 9
+ or DNS servers from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), make sure that all the
+ servers are configured with the same DNS Cookie algorithm and same
+ Server Secret for the best performance.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The information from the <command>dnssec-signzone</command> and
+ <command>dnssec-verify</command> commands is now printed to standard
+ output. The standard error output is only used to print warnings and
+ errors, and in case the user requests the signed zone to be printed to
+ standard output with the <command>-f -</command> option. A new
+ configuration option <command>-q</command> has been added to silence
+ all output on standard output except for the name of the signed zone.
+ [GL #1151]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. [GL #622]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Compile-time settings enabled by the
+ <command>--with-tuning=large</command> option for
+ <command>configure</command> are now in effect by default.
+ Previously used default compile-time settings can be enabled
+ by passing <command>--with-tuning=small</command> to
+ <command>configure</command>. [GL !2989]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ JSON-C is now the only supported library for enabling JSON
+ support for BIND statistics. The <command>configure</command>
+ option has been renamed from <command>--with-libjson</command>
+ to <command>--with-json-c</command>. Set the
+ <command>PKG_CONFIG_PATH</command> environment variable
+ accordingly to specify a custom path to the
+ <command>json-c</command> library, as the new
+ <command>configure</command> option does not take the library
+ installation path as an optional argument. [GL #855]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>./configure</command> no longer sets
+ <command>--sysconfdir</command> to <command>/etc</command> or
+ <command>--localstatedir</command> to <command>/var</command>
+ when <command>--prefix</command> is not specified and the
+ aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of <command>$prefix/etc</command> and
+ <command>$prefix/var</command> are respected. [GL #658]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.16.0-removed"><info><title>Removed Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>dnssec-enable</command> option has been obsoleted and
+ no longer has any effect. DNSSEC responses are always enabled
+ if signatures and other DNSSEC data are present. [GL #866]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DNSSEC Lookaside Validation (DLV) is now obsolete.
+ The <command>dnssec-lookaside</command> option has been
+ marked as deprecated; when used in <filename>named.conf</filename>,
+ it will generate a warning but will otherwise be ignored.
+ All code enabling the use of lookaside validation has been removed
+ from the validator, <command>delv</command>, and the DNSSEC tools.
+ [GL #7]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <command>cleaning-interval</command> option has been
+ removed. [GL !1731]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
<section xml:id="end_of_life"><info><title>End of Life</title></info>
<para>
- BIND 9.15 is an unstable development branch. When its development
- is complete, it will be renamed to BIND 9.16, which will be a
- stable branch.
+ The end of life date for BIND 9.16 has not yet been determined.
+ At some point in the future BIND 9.16 will be designated as an
+ Extended Support Version (ESV). Until then, the current ESV is
+ BIND 9.11, which will be supported until at least December 2021.
</para>
<para>
- The end of life date for BIND 9.16 has not yet been determined.
- For those needing long term support, the current Extended Support
- Version (ESV) is BIND 9.11, which will be supported until at
- least December 2021. See
+ See
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://kb.isc.org/docs/aa-00896">https://kb.isc.org/docs/aa-00896</link>
for details of ISC's software support policy.
</para>
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
<para>
- BIND 9.15 is an unstable development release of BIND.
- This document summarizes new features and functional changes that
- have been introduced on this branch. With each development release
- leading up to the stable BIND 9.16 release, this document will be
- updated with additional features added and bugs fixed.
+ BIND 9.16 is a stable branch of BIND.
+ This document summarizes significant changes since the last
+ production release on that branch.
+ </para>
+ <para>
+ Please see the file <filename>CHANGES</filename> for a more
+ detailed list of changes and bug fixes.
</para>
</section>
<section xml:id="relnotes_license"><info><title>License</title></info>
<para>
- BIND is open source software licensed under the terms of the Mozilla
+ BIND 9 is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <filename>LICENSE</filename>
file for the full text).
</para>
Those wishing to discuss license compliance may contact ISC at
<link
xmlns:xlink="http://www.w3.org/1999/xlink"
- xlink:href="https://www.isc.org/mission/contact/">
- https://www.isc.org/mission/contact/</link>.
+ xlink:href="https://www.isc.org/contact/">
+ https://www.isc.org/contact/</link>.
</para>
</section>
<section xml:id="relnotes_versions"><info><title>Note on Version Numbering</title></info>
<para>
- Until BIND 9.12, new feature development releases were tagged
- as "alpha" and "beta", leading up to the first stable release
- for a given development branch, which always ended in ".0".
- More recently, BIND adopted the "odd-unstable/even-stable"
- release numbering convention. There will be no "alpha" or "beta"
- releases in the 9.15 branch, only increasing version numbers.
- So, for example, what would previously have been called 9.15.0a1,
- 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
- 9.15.1, 9.15.2, etc.
- </para>
- <para>
- The first stable release from this development branch will be
- renamed as 9.16.0. Thereafter, maintenance releases will continue
- on the 9.16 branch, while unstable feature development proceeds in
- 9.17.
+ As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
+ release numbering convention. BIND 9.16 contains new features added
+ during the BIND 9.15 development process. Henceforth, the 9.16 branch
+ will be limited to bug fixes and new feature development will proceed
+ in the unstable 9.17 branch.
</para>
</section>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-platforms.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-download.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.8.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.7.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.6.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.5.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.4.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.3.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.2.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.1.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.15.0.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.16.0.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-license.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
./doc/arm/master.zoneopt.xml SGML 2018,2019,2020
./doc/arm/masters.grammar.xml SGML 2018,2019,2020
./doc/arm/mirror.zoneopt.xml SGML 2018,2019,2020
-./doc/arm/notes-9.15.0.xml SGML 2019,2020
-./doc/arm/notes-9.15.1.xml SGML 2019,2020
-./doc/arm/notes-9.15.2.xml SGML 2019,2020
-./doc/arm/notes-9.15.3.xml SGML 2019,2020
-./doc/arm/notes-9.15.4.xml SGML 2019,2020
-./doc/arm/notes-9.15.5.xml SGML 2019,2020
-./doc/arm/notes-9.15.6.xml SGML 2019,2020
-./doc/arm/notes-9.15.7.xml SGML 2019,2020
-./doc/arm/notes-9.15.8.xml SGML 2020
+./doc/arm/notes-9.16.0.xml SGML 2020
./doc/arm/notes-download.xml SGML 2019,2020
./doc/arm/notes-eol.xml SGML 2019,2020
./doc/arm/notes-intro.xml SGML 2019,2020
projects / thirdparty / bind9.git / commitdiff
