Feature Changes
~~~~~~~~~~~~~~~
-- Fix network manager issue when both success and timeout callbacks can
- be called for the same read request.
-
- This commit simplifies code flow in the tls_cycle_input() and makes
- the incoming data processing similar to that in TCP DNS. In
- particular, now we decipher all the the incoming data before making a
- single isc__nm_process_sock_buffer() call. Previously we would try to
- decipher data bit-by-bit before trying to process the deciphered bit
- via isc__nm_process_sock_buffer(). Doing like before made the code
- much less predictable, in particular in the areas like when reading is
- paused or resumed.
-
- The newer approach also allowed us to get rid of some old kludges.
+- Make TLS data processing more reliable in various network conditions.
+
+ BIND now deciphers incoming TLS data before processing it, making it
+ more similar to the handling of TCP. This results in a more
+ predictable behavior, particularly when reading from the stream is
+ paused or resumed. Previously, this could result in an assertion
+ failure when using XFR over TLS (XoT). This has been fixed.
:gl:`#5247`
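Review bot: This entry is filed under "Feature Changes" but the new "+" text describes a defect ("Previously, this could result in an assertion failure when using XFR over TLS (XoT). This has been fixed."), so it belongs under the "Bug Fixes" heading that follows; move the bullet together with its :gl:`#5247` reference line. The rewritten wording also drops the concrete cause from the removed text (both the success and the timeout callback could fire for one read request); keeping one clause on that helps operators match the note to what they saw in logs. Minor style nit: "This results in a more predictable behavior" should read "more predictable behavior" without the article.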
Bug Fixes
- Stop caching lack of EDNS support.
- `named` could falsely learn that a server doesn't support EDNS when a
- spoofed response was received; that subsequently prevented DNSSEC
- lookups from being made. This has been fixed. :gl:`#3949` :gl:`#5066`
+ :iscman:`named` could falsely learn that a server did not support EDNS
+ when a spoofed response was received; that subsequently prevented
+ DNSSEC lookups from being made. This has been fixed. :gl:`#3949`
+ :gl:`#5066`
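Review bot: The rewritten paragraph should state the operational impact more directly: a spoofed response that makes :iscman:`named` cache "no EDNS support" for a server suppresses DNSSEC lookups towards that server, which is a validation-downgrade condition rather than a plain caching bug, so consider calling it out as security-relevant and cross-referencing an advisory if one was issued. The switch from single backticks to the :iscman:`named` role is the correct RST markup (single backticks render as interpreted text, not a literal), and the other entries in this file should use the same role wherever they name the daemon.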
-- Fix resolver statistics counters for timed out responses.
+- Fix resolver statistics counters for timed-out responses.
When query responses timed out, the resolver could incorrectly
- increase the regular responses counters, even if no response was
+ increase the regular response counters, even if no response was
received. This has been fixed. :gl:`#5193`
- Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
- All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH`
- (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type,
- and are not applicable to DNSKEY. Previously, however, because the
- DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag
- prevented authentication in DNSKEYs as well. This has been corrected.
- :gl:`#5240`
-
-
+ All DNSKEY keys are able to authenticate. The ``DNS_KEYTYPE_NOAUTH``
+ (and ``DNS_KEYTYPE_NOCONF``) flags were defined for the KEY rdata
+ type, and are not applicable to DNSKEY. Previously, however, because
+ the DNSKEY implementation was built on top of KEY, the ``_NOAUTH``
+ flag prevented authentication in DNSKEYs as well. This has been
+ corrected. :gl:`#5240`
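Review bot: The double-backtick change is right (in RST, ``DNS_KEYTYPE_NOAUTH`` is a literal while `DNS_KEYTYPE_NOAUTH` is interpreted text), but the opening sentence "All DNSKEY keys are able to authenticate" is still vague; suggest "Every DNSKEY is eligible for signature validation regardless of the KEY-only ``DNS_KEYTYPE_NOAUTH`` and ``DNS_KEYTYPE_NOCONF`` bits". Because the fix changes which keys the validator accepts, add one sentence on the user-visible effect (DNSKEY records carrying those bits, which were previously rejected for authentication, are now used), and cite the RFC that defines the DNSKEY flags field so readers can confirm those bits are not defined for DNSKEY. Also, the two removed trailing blank lines are not restored after the new last line; check that a blank line still separates this entry from whatever follows in the file.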