Feature Changes
~~~~~~~~~~~~~~~
-- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
- NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
- or the SOA TTL. :gl:`#2347`
+- DNSSEC responses containing NSEC3 records with iteration counts
+ greater than 150 are now treated as insecure. :gl:`#2445`
- The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. :gl:`#2642`
-- DNSSEC responses containing NSEC3 records with iteration counts
- greater than 150 are now treated as insecure. :gl:`#2445`
+- After the network manager was introduced to ``named`` to handle
+ incoming traffic, it was discovered that recursive performance had
+ degraded compared to previous BIND 9 versions. This has now been
+ fixed by processing internal tasks inside network manager worker
+ threads, preventing resource contention among two sets of threads.
+ :gl:`#2638`
- Zones that want to transition from secure to insecure mode without
becoming bogus in the process must now have their ``dnssec-policy``
``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
records to be published. :gl:`#2645`
-- ``inline-signing`` was incorrectly described as being inherited from
- the ``options``/``view`` levels and was incorrectly accepted at those
- levels without effect. This has been fixed; ``named.conf`` files with
- ``inline-signing`` at those levels no longer load. :gl:`#2536`
+- The implementation of the ZONEMD RR type has been updated to match
+ :rfc:`8976`. :gl:`#2658`
+
+- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
+ NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
+ or the SOA TTL. :gl:`#2347`
Bug Fixes
~~~~~~~~~
-- Fix a race condition in reading and writing key files for KASP zones in
- multiple views. :gl:`#1875`
-
-- TTL values in cache dumps were reported incorrectly when
- ``stale-cache-enable`` was set to ``yes``. This has been fixed.
- :gl:`#389` :gl:`#2289`
-
- If zone journal files written by BIND 9.16.11 or earlier were present
when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file
for that zone could have been inadvertently rewritten with the current
comments, ``$INCLUDE`` directives) to be lost, although the zone data
itself was preserved. :gl:`#2623`
-- After the network manager was introduced to ``named`` to handle
- incoming traffic, it was discovered that recursive performance had
- degraded compared to previous BIND 9 versions. This has now been
- fixed by processing internal tasks inside network manager worker
- threads, preventing resource contention among two sets of threads.
- :gl:`#2638`
-
-- When generating zone signing keys, KASP now also checks for key ID
- conflicts among newly created keys, rather than just between new and
- existing ones. :gl:`#2628`
-
-- The implementation of the ZONEMD RR type has been updated to match
- :rfc:`8976`. :gl:`#2658`
-
-- If ``dnssec-policy`` was active and the private key file was
- temporarily offline during a rekey event, ``named`` could introduce
- replacement keys and break a signed zone. This has been fixed.
- :gl:`#2596`
-
- It was possible for corrupt journal files generated by an earlier
version of ``named`` to cause problems after an upgrade. This has been
fixed. :gl:`#2670`
+- TTL values in cache dumps were reported incorrectly when
+ ``stale-cache-enable`` was set to ``yes``. This has been fixed.
+ :gl:`#389` :gl:`#2289`
+
+- ``inline-signing`` was incorrectly described as being inherited from
+ the ``options``/``view`` levels and was incorrectly accepted at those
+ levels without effect. This has been fixed; ``named.conf`` files with
+ ``inline-signing`` at those levels no longer load. :gl:`#2536`
+
- ``named`` and ``named-checkconf`` did not report an error when
multiple zones with the ``dnssec-policy`` option set were using the
same zone file. This has been fixed. :gl:`#2603`
+- If ``dnssec-policy`` was active and a private key file was temporarily
+ offline during a rekey event, ``named`` could incorrectly introduce
+ replacement keys and break a signed zone. This has been fixed.
+ :gl:`#2596`
+
+- When generating zone signing keys, KASP now also checks for key ID
+ conflicts among newly created keys, rather than just between new and
+ existing ones. :gl:`#2628`
+
+- Fix a race condition in reading and writing key files for KASP zones in
+ multiple views. :gl:`#1875`
+
- Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple
views with different ``dnssec-policy``. Using the same ``key-directory`` for
such zones is not allowed. :gl:`#2463`
projects / thirdparty / bind9.git / commitdiff
