cause trouble. Reported by Kees Monshouwer and fixed by him in
`commit 25cee6b9448744d3b6428ceb38cda9de0efd327c <https://github.com/PowerDNS/pdns/commit/25cee6b9448744d3b6428ceb38cda9de0efd327c>`__.
- When a name is matched only by a wildcard, but the type in the query
- is not present, we would be lacking one NSEC(3) record to prove the
+ is not present, we would be lacking one NSEC/NSEC3 record to prove the
existence of the wildcard. Fixed by Kees Monshouwer in `commit 7bb8e2026c204f3356bfde3634a297f05aad0b4e <https://github.com/PowerDNS/pdns/commit/7bb8e2026c204f3356bfde3634a297f05aad0b4e>`__ and
`commit 1012b0399b0353b04edaa61b8a42be10da4290f7 <https://github.com/PowerDNS/pdns/commit/1012b0399b0353b04edaa61b8a42be10da4290f7>`__.
- Luuk Hendriks spotted that our PolarSSL RSA key generation code was
Presumably fixed in `commit b87bd70860f12824262b995dd791423661f68182 <https://github.com/PowerDNS/pdns/commit/b87bd70860f12824262b995dd791423661f68182>`__.
- Updated a bunch of internal counters to be threadsafe. Code in
`commit 16f7d28d81099077def2b44436a4942893afc306 <https://github.com/PowerDNS/pdns/commit/16f7d28d81099077def2b44436a4942893afc306>`__.
-- NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael
+- NSEC/NSEC3 bitmaps can now cover RRtypes above 255. Reported by Michael
Braunoeder, patch by Aki Tuomi in `commit 5b7f65461b656ce554d392e903c92091370a0dfd <https://github.com/PowerDNS/pdns/commit/5b7f65461b656ce554d392e903c92091370a0dfd>`__.
- pdnssec check-zone now reports MBOXFW and URL records (as those are
unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch
automatically.
.. warning::
- Right now, you will also need to configure NSEC(3) settings
+ Right now, you will also need to configure NSEC/NSEC3 settings
for pre-signed zones using ``pdnsutil set-nsec3``. Default is NSEC, in
which case no further configuration is necessary.
signing mode, or can be pre-signed using tools like OpenDNSSEC, ldns-signzone,
and dnssec-signzone.
-Even in this mode, PowerDNS will synthesize NSEC(3) records itself
-because of its architecture. RRSIGs of these NSEC(3) will still need to
+Even in this mode, PowerDNS will synthesize NSEC/NSEC3 records itself
+because of its architecture. RRSIGs of these NSEC/NSEC3 will still need to
be imported. See the :ref:`Presigned migration guide <dnssec-migration-presigned>`.
Front-signing
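Review bot: In the second added line, "RRSIGs of these NSEC/NSEC3 will still need to" is missing its noun, which stands out more now that the preceding line spells out "NSEC/NSEC3 records". Suggest "RRSIGs of these NSEC/NSEC3 records will still need to be imported" so both sentences use the same term.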
.. note::
This behaviour was changed in version 4.3.0.
- We believe the language in RFC 4034 and 5155 about the NSEC(3) TTL is a mistake, and we have chosen to honour its spirit instead of its words.
+ We believe the language in RFC 4034 and 5155 about the NSEC/NSEC3 TTL is a mistake, and we have chosen to honour its spirit instead of its words.
This unfortunate wording was eventually corrected in :rfc:`RFC 9077 <9077#section-3>`.
- NSEC(3) records now get the negative TTL (which is the lowest of the SOA TTL and the SOA minimum), which means their TTL matches that of an error such as NXDOMAIN.
+ NSEC/NSEC3 records now get the negative TTL (which is the lowest of the SOA TTL and the SOA minimum), which means their TTL matches that of an error such as NXDOMAIN.
This conforms to RFC9077.
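Review bot: The added sentence "We believe the language in RFC 4034 and 5155 about the NSEC/NSEC3 TTL is a mistake" still cites the RFCs as plain text, while the next line links RFC 9077 through the ``:rfc:`` role and the closing line writes "RFC9077" without a space. Since this note is being touched anyway, consider using ``:rfc:`` for 4034 and 5155 as well and settling on one spelling for RFC 9077.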
4.2.x to 4.3.0
--------------
-NSEC(3) TTL changed
-^^^^^^^^^^^^^^^^^^^
+NSEC/NSEC3 TTL changed
+^^^^^^^^^^^^^^^^^^^^^^
-NSEC(3) records now use the negative TTL, instead of the SOA minimum TTL.
+NSEC/NSEC3 records now use the negative TTL, instead of the SOA minimum TTL.
See :ref:`the DNSSEC TTL notes <dnssec-ttl-notes>` for more information.
Lua Netmask class methods changed
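Review bot: Renaming the section title from "NSEC(3) TTL changed" to "NSEC/NSEC3 TTL changed" also changes the implicit anchor that docutils derives from the title, so existing deep links to this upgrade note will stop resolving. The underline has been lengthened to match the new title, which is correct. Consider adding an explicit label above the heading so the anchor stays stable when the wording changes.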
- RPZ aka Response Policy Zone support
- IXFR slaving in the PowerDNS Recursor for RPZ
- DNSSEC processing in Recursor (Authoritative has had this for years)
-- DNSSEC validation (without NSEC(3) proof validation)
+- DNSSEC validation (without NSEC/NSEC3 proof validation)
- EDNS Client Subnet support in PowerDNS Recursor (Authoritative has
had this for years)
- Lua asynchronous queries for per-IP/per-domain status
:tags: Bug Fixes
:pullreq: 10519
- Make sure that we pass the SOA along the NSEC(3) proof for DS queries.
+ Make sure that we pass the SOA along the NSEC/NSEC3 proof for DS queries.
.. changelog::
:version: 4.5.2