+ --- 9.15.7 released ---
+
5336. [bug] The TCP high-water statistic could report an
incorrect value on startup. [GL #1392]
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
- * Improved DNSSEC trust anchor configuration using dnssec-keys,
- permitting configuration of trust anchors in DS as well as DNSKEY
- format.
+ * Improved DNSSEC trust anchor configuration using the trust-anchors
+ statement, permitting configuration of trust anchors in DS as well as
+ DNSKEY format.
* YAML output for dig, mdig, and delv.
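Review bot: the replacement bullet "Improved DNSSEC trust anchor configuration using the trust-anchors statement" never says that the statement was renamed, yet the `-` lines show it shipped as `dnssec-keys` and the footers elsewhere in this patch go from 9.15.6 to 9.15.7, so an operator who followed the previous release's documentation has `dnssec-keys { ... };` in named.conf today. State the rename and whether the old keyword still parses, e.g. "The dnssec-keys statement introduced in 9.15.6 has been renamed trust-anchors", otherwise the first sign of the change is a failed `named-checkconf` after upgrade. While here, the context line "New new network manager based on libuv" has a doubled word.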
Building BIND
Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-argparse and ply modules to be available. argparse is a standard module as
-of Python 2.7 and Python 3.2. ply is available from https://
-pypi.python.org/pypi/ply.
+argparse, ply and distutils.core modules to be available. argparse is a
+standard module as of Python 2.7 and Python 3.2. ply is available from
+https://pypi.python.org/pypi/ply. distutils.core is required for
+installation.
Compile-time options
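Review bot: the `+` lines add `distutils.core` to the list of modules that must "be available" in the same breath as `ply`, which the sentence says comes from PyPI, but distutils.core ships with the CPython standard library exactly as argparse does, and the paragraph already spells that out for argparse. Say so explicitly ("distutils.core is a standard module and is required for installation") so readers do not go looking for a package to install. The `https://pypi.python.org/pypi/ply` link is also carried over unchanged; since the paragraph is being rewritten, it is a good moment to point it at the current PyPI hostname.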
Note: When reading the trust anchor file,
\fBdelv\fR
treats
-\fBdnssec\-keys\fR\fBinitial\-key\fR
+\fBtrust\-anchors\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
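Review bot: the `+` line `\fBtrust\-anchors\fR\fBinitial\-key\fR` has no space between the two bold spans, so the delv man page renders the phrase as "trust-anchorsinitial-key"; the HTML rendering of the same sentence in this patch puts whitespace between `trust-anchors` and `initial-key`. Insert a space (`\fBtrust\-anchors\fR \fBinitial\-key\fR`) or, since both outputs are generated from the same DocBook source, fix the whitespace there so the roff and HTML agree. The `-` line being replaced had the same defect, so this is inherited rather than introduced, but a rename that touches the exact token is the cheapest place to fix it.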
</p>
<p>
Note: When reading the trust anchor file,
- <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
+ <span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
.if n \{\
.RE
.\}
-.SH "DNSSEC-KEYS"
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-dnssec\-keys { \fIstring\fR ( static\-key |
- initial\-key | static\-ds | initial\-ds )
- \fIinteger\fR \fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };
-.fi
-.if n \{\
-.RE
-.\}
.SH "DYNDB"
.sp
.if n \{\
.\}
.SH "MANAGED-KEYS"
.PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
.if n \{\
.RE
.\}
+.SH "TRUST-ANCHORS"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+trust\-anchors { \fIstring\fR ( static\-key |
+ initial\-key | static\-ds | initial\-ds )
+ \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };
+.fi
+.if n \{\
+.RE
+.\}
.SH "TRUSTED-KEYS"
.PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
- dnssec\-keys { \fIstring\fR ( static\-key |
- initial\-key | static\-ds | initial\-ds
- ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ];
trust\-anchor\-telemetry \fIboolean\fR; // experimental
+ trust\-anchors { \fIstring\fR ( static\-key |
+ initial\-key | static\-ds | initial\-ds
+ ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };
trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR
\fIinteger\fR
.\}
.nf
dnssec\-policy \fIstring\fR {
- dnskey\-ttl \fIttlval\fR;
+ dnskey\-ttl \fIduration\fR;
keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
parent\-ds\-ttl \fIduration\fR;
parent\-propagation\-delay \fIduration\fR;
</div>
<div class="refsection">
-<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
- <div class="literallayout"><p><br>
-dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    initial-key | static-ds | initial-ds )<br>
-Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.12"></a><h2>DYNDB</h2>
+<a name="id-1.11"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
</div>
<div class="refsection">
-<a name="id-1.13"></a><h2>KEY</h2>
+<a name="id-1.12"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.14"></a><h2>LOGGING</h2>
+<a name="id-1.13"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
</div>
<div class="refsection">
-<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key | static-ds |<br>
</div>
<div class="refsection">
-<a name="id-1.16"></a><h2>MASTERS</h2>
+<a name="id-1.15"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
</div>
<div class="refsection">
-<a name="id-1.17"></a><h2>OPTIONS</h2>
+<a name="id-1.16"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.18"></a><h2>PLUGIN</h2>
+<a name="id-1.17"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
</div>
<div class="refsection">
-<a name="id-1.19"></a><h2>SERVER</h2>
+<a name="id-1.18"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
</p></div>
</div>
+ <div class="refsection">
+<a name="id-1.20"></a><h2>TRUST-ANCHORS</h2>
+ <div class="literallayout"><p><br>
+trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+    initial-key | static-ds | initial-ds )<br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+</p></div>
+ </div>
+
<div class="refsection">
<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
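Review bot: in the added TRUST-ANCHORS literallayout block the line carrying the three `integer` arguments is indented with `Â Â Â Â ` while the lines above and below it use ordinary spaces; that sequence is UTF-8 non-breaking spaces decoded as Latin-1, so the generated page either lacks a charset declaration or mixes raw U+00A0 with plain-space indentation. The same bytes appear in the removed DNSSEC-KEYS block, so the patch only copies the problem, but the generator output should use one indentation form for the whole grammar. Separately, inserting a section here shifts every automatic `id-1.NN` anchor from DYNDB onward by one, so an existing link to `#id-1.11` now lands on DYNDB instead of the trust-anchor grammar; a stable named anchor, as the ARM chapter uses (`trust_anchors`), would survive future insertions.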
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-     initial-key | static-ds | initial-ds<br>
- Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
+ trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+     initial-key | static-ds | initial-ds<br>
+ Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
- dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
\fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
-\fBdnssec\-keys\fR
+\fBtrust\-anchors\fR
statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp
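Review bot: the `secroots` description still says the dump labels each anchor as "trusted keys, managed keys, or initializing managed keys", which are the names of the statements that the preceding sentence in this same hunk marks as deprecated; with the configuration now expressed as `trust-anchors` entries of type `static-key`/`static-ds` and `initial-key`/`initial-ds`, the reader cannot tell which dump label corresponds to which anchor type. Either map the labels explicitly ("trusted keys" for static-key/static-ds, "managed keys" for initial-key/initial-ds, "initializing managed keys" for initial entries whose RFC 5011 refresh has not yet succeeded) or rename the labels in the dump output to match the new vocabulary, so that an operator checking whether an anchor is in fact being used for validation can read the output without consulting the old statements.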
<dd>
<p>
Dump the security roots (i.e., trust anchors
- configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
+ configured via <span class="command"><strong>trust-anchors</strong></span> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
- using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
+ using a <span class="command"><strong>trust-anchors</strong></span> statement (or the
<span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
statements, both deprecated).
</p>
</p>
<p>
- The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
+ The keys specified in <span class="command"><strong>trust-anchors</strong></span>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <span class="command"><strong>static-key</strong></span> or
</p>
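Review bot: the rewritten sentence "The keys specified in trust-anchors copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust" is missing its verb; since the `+` line ends at `</span>` and the next context line begins "copies of DNSKEY RRs", the word "are" should be added at the end of the `+` line. Note also that the statement holds only for the `static-key`/`initial-key` forms: `static-ds` and `initial-ds` entries carry DS digests rather than copies of DNSKEY RRs, as the later grammar section in this patch makes clear, so "keys or DS records" would be more accurate.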
<p>
- <span class="command"><strong>dnssec-keys</strong></span> is described in more detail
+ <span class="command"><strong>trust-anchors</strong></span> is described in more detail
later in this document.
</p>
</p>
<pre class="programlisting">
-dnssec-keys {
+trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
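Review bot: the example block now reads `trust-anchors { /* Root Key */ "." initial-key 257 3 3 "BNY4wr...` and the rename leaves the key data untouched, but the third field is the algorithm number and value 3 is DSA/SHA-1, which no production root KSK has ever used; an example labelled "Root Key" that a reader might paste into named.conf as an `initial-key` for "." is a footgun, because with `dnssec-validation yes` and this anchor the resolver would SERVFAIL every query under the root until RFC 5011 bootstrap fails out. Either mark the block as illustrative syntax only (not a real key) or point to `dnssec-validation auto` and the built-in anchor as the supported way to trust the root, and do not let a copy of a fictitious key sit under a "Root Key" comment.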
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
- <span class="command"><strong>dnssec-keys</strong></span> statement and the
+ <span class="command"><strong>trust-anchors</strong></span> statement and the
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
keyword. Information about this can be found in
- <a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
+ <a class="xref" href="Bv9ARM.ch05.html#trust-anchors" title="trust-anchors Statement Definition and Usage">the section called “<span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage”</a>.</p>
</div>
<div class="section">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trust_anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
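Review bot: the two new anchors `#trust_anchors` (grammar) and `#trust-anchors` (definition and usage) differ only in underscore versus hyphen, which preserves the `dnssec_keys`/`dnssec-keys` pair being removed but is easy to mistype in cross-references; the neighbouring entries in the same list use `dnssec_policy_grammar` and `dnssec_policy`, so `trust_anchors_grammar` and `trust_anchors` would follow the existing convention and make the pair distinguishable at a glance. Every `href` and `<a name>` in this patch that uses the new pair (the RFC 5011 paragraph and the grammar and definition headings) would need the same change.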
</tr>
<tr>
<td>
- <p><span class="command"><strong>dnssec-keys</strong></span></p>
+ <p><span class="command"><strong>trust-anchors</strong></span></p>
</td>
<td>
<p>
</td>
<td>
<p>
- is identical to <span class="command"><strong>dnssec-keys</strong></span>;
+ is identical to <span class="command"><strong>trust-anchors</strong></span>;
this option is deprecated in favor
- of <span class="command"><strong>dnssec-keys</strong></span> with
+ of <span class="command"><strong>trust-anchors</strong></span> with
the <span class="command"><strong>initial-key</strong></span> keyword,
and may be removed in a future release.
</p>
<p>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
- of <span class="command"><strong>dnssec-keys</strong></span> with
+ of <span class="command"><strong>trust-anchors</strong></span> with
the <span class="command"><strong>static-key</strong></span> keyword,
and may be removed in a future release.
</p>
The number of seconds to wait between attempts to
reopen a closed output stream. The minimum is 1 second,
the maximum is 600 seconds (10 minutes), and the default
- is 5 seconds.
- For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ is 5 seconds. For convenience, TTL-style time unit
+ suffixes may be used to specify the value. It also
+ accepts ISO 8601 duration formats.
</li>
</ul></div>
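Review bot: the sentence "It also accepts ISO 8601 duration formats" added here is pasted verbatim into roughly a dozen option descriptions later in this patch, and none of them say what the accepted subset is or warn about the one trap that matters: in ISO 8601 the `M` designator means months before the `T` and minutes after it, so `P5M` is five months while `PT5M` is five minutes, whereas the TTL-style suffix `5m` is unambiguous. Describe the duration syntax once, next to where `duration` is introduced as a grammar type in this patch, state whether week/month/year designators are accepted for options that are capped at seconds (this option's maximum is 600 seconds), and have the individual option descriptions refer to that single definition instead of repeating the sentence.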
track managed DNSSEC keys (i.e., those configured using
the <span class="command"><strong>initial-key</strong></span> or
<span class="command"><strong>initial-ds</strong></span> keywords in a
- <span class="command"><strong>dnssec-keys</strong></span> statement). By default,
+ <span class="command"><strong>trust-anchors</strong></span> statement). By default,
this is the working directory. The directory
<span class="emphasis"><em>must</em></span> be writable by the effective
user ID of the <span class="command"><strong>named</strong></span> process.
as insecure.
</p>
<p>
- Configured trust anchors in <span class="command"><strong>dnssec-keys</strong></span>
+ Configured trust anchors in <span class="command"><strong>trust-anchors</strong></span>
(or <span class="command"><strong>managed-keys</strong></span> or
<span class="command"><strong>trusted-keys</strong></span>, both deprecated)
that match a disabled algorithm will be ignored and treated
they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be defined as a
- trust anchor, for instance in a <span class="command"><strong>dnssec-keys</strong></span>
+ trust anchor, for instance in a <span class="command"><strong>trust-anchors</strong></span>
statement, or <span class="command"><strong>dnssec-validation auto</strong></span> must
be active.
</p>
<p>
For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes
- or hours. <code class="option">nta-lifetime</code> defaults to
- one hour. It cannot exceed one week.
+ or hours. It also accepts ISO 8601 duration formats.
+ </p>
+ <p>
+ <code class="option">nta-lifetime</code> defaults to one hour. It
+ cannot exceed one week.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>nta-recheck</strong></span></span></dt>
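Review bot: the split paragraph now says "nta-lifetime defaults to one hour. It cannot exceed one week." without saying what happens when the limit is exceeded, while the `min-ncache-ttl` and `max-ncache-ttl` hunks later in this patch spell out that over-limit values "will be truncated" or "silently truncated"; with ISO 8601 durations now accepted, a value such as `P1M` is a plausible typo, and an operator should be able to tell from the text whether that is rejected at load time by named-checkconf or silently clamped to a week, since a negative trust anchor is a deliberate validation bypass and its lifetime is a security parameter. Please state the behaviour here and in the `nta-recheck` paragraph that follows.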
<p>
For convenience, TTL-style time unit suffixes can be
used to specify the NTA recheck interval in seconds,
- minutes or hours. The default is five minutes. It
- cannot be longer than <code class="option">nta-lifetime</code>
- (which cannot be longer than a week).
+ minutes or hours. It also accepts ISO 8601 duration
+ formats.
+ </p>
+ <p>
+ The default is five minutes. It cannot be longer than
+ <code class="option">nta-lifetime</code> (which cannot be longer
+ than a week).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
<p>
Specifies a maximum permissible TTL value in seconds.
For convenience, TTL-style time unit suffixes may be
- used to specify the maximum value.
+ used to specify the maximum value. It also
+ accepts ISO 8601 duration formats.
+ </p>
+ <p>
When loading a zone file using a
<code class="option">masterfile-format</code> of
<code class="constant">text</code> or <code class="constant">raw</code>,
Causes <span class="command"><strong>named</strong></span> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via, e.g.,
- <span class="command"><strong>dnssec-keys</strong></span> or
+ <span class="command"><strong>trust-anchors</strong></span> or
<span class="command"><strong>dnssec-validation auto</strong></span>.
</p>
<p>
<p>
If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
- using a <span class="command"><strong>dnssec-keys</strong></span> statement (or
+ using a <span class="command"><strong>trust-anchors</strong></span> statement (or
the <span class="command"><strong>managed-keys</strong></span> or the
<span class="command"><strong>trusted-keys</strong></span> statements, both deprecated).
If there is no configured trust anchor, validation will
<span class="command"><strong>listen-on</strong></span> configuration), and
will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601
+ duration formats.
</p>
</dd>
</dl></div>
stores negative answers. <span class="command"><strong>min-ncache-ttl</strong></span> is
used to set a minimum retention time for these answers in the
server in seconds. For convenience, TTL-style time unit
- suffixes may be used to specify the value. The default
- <span class="command"><strong>min-ncache-ttl</strong></span> is <code class="literal">0</code>
- seconds. <span class="command"><strong>min-ncache-ttl</strong></span> cannot exceed 90
+ suffixes may be used to specify the value. It also
+ accepts ISO 8601 duration formats.
+ </p>
+ <p>
+ The default <span class="command"><strong>min-ncache-ttl</strong></span> is
+ <code class="literal">0</code> seconds.
+ <span class="command"><strong>min-ncache-ttl</strong></span> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
</p>
<dd>
<p>
Sets the minimum time for which the server will cache ordinary
- (positive) answers in seconds. For convenience, TTL-style time
- unit suffixes may be used to specify the value. The default
- <span class="command"><strong>min-cache-ttl</strong></span> is <code class="literal">0</code>
- seconds. <span class="command"><strong>min-cache-ttl</strong></span> cannot exceed 90
+ (positive) answers in seconds. For convenience, TTL-style
+ time unit suffixes may be used to specify the value. It also
+ accepts ISO 8601 duration formats.
+ </p>
+ <p>
+ The default <span class="command"><strong>min-cache-ttl</strong></span> is
+ <code class="literal">0</code> seconds.
+ <span class="command"><strong>min-cache-ttl</strong></span> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
</p>
<dd>
<p>
To reduce network traffic and increase performance,
- the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is
+ the server stores negative answers.
+ <span class="command"><strong>max-ncache-ttl</strong></span> is
used to set a maximum retention time for these answers in
- the server in seconds.
- For convenience, TTL-style time unit suffixes may be
- used to specify the value. The default
- <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
- <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed
- 7 days and will
- be silently truncated to 7 days if set to a greater value.
+ the server in seconds. For convenience, TTL-style time unit
+ suffixes may be used to specify the value. It also accepts
+ ISO 8601 duration formats.
+ </p>
+ <p>
+ The default <span class="command"><strong>max-ncache-ttl</strong></span> is
+ <code class="literal">10800</code> seconds (3 hours).
+ <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed 7 days and
+ will be silently truncated to 7 days if set to a greater
+ value.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt>
Sets the maximum time for which the server will
cache ordinary (positive) answers in seconds.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601
+ duration formats.
+ </p>
+ <p>
The default is 604800 (one week).
A value of zero may cause all queries to return
SERVFAIL, because of lost caches of intermediate
The <span class="command"><strong>max-policy-ttl</strong></span> clause changes the
maximum seconds from its default of 5.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601 duration
+ formats.
+
</p>
<p>
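Review bot: the `+` lines for `max-policy-ttl` add an empty line between "formats." and the closing `</p>`; none of the other hunks that append the ISO 8601 sentence do this, so drop the blank line for consistency with the rest of the chapter.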
recent update, then the changes will not be carried out until this
interval has elapsed. The default is <code class="literal">60</code> seconds.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601 duration
+ formats.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="trust_anchors"></a><span class="command"><strong>trust-anchors</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
-<span class="command"><strong>dnssec-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
+<span class="command"><strong>trust-anchors</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
<span class="command"><strong>initial-key</strong></span> | static-ds | initial-ds )
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec-keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
+<a name="trust-anchors"></a><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
- The <span class="command"><strong>dnssec-keys</strong></span> statement defines DNSSEC
+ The <span class="command"><strong>trust-anchors</strong></span> statement defines DNSSEC
trust anchors. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>.
</p>
<p>
the <span class="command"><strong>validate-except</strong></span> option).
</p>
<p>
- All keys listed in <span class="command"><strong>dnssec-keys</strong></span>, and
+ All keys listed in <span class="command"><strong>trust-anchors</strong></span>, and
their corresponding zones, are deemed to exist regardless
of what parent zones say. Only keys configured as trust anchors
are used to validate the DNSKEY RRset for the corresponding
name. The parent's DS RRset will not be used.
</p>
<p>
- <span class="command"><strong>dnssec-keys</strong></span> may be set at the top level
+ <span class="command"><strong>trust-anchors</strong></span> may be set at the top level
of <code class="filename">named.conf</code> or within a view. If it is
set in both places, the configurations are additive: keys
defined at the top level are inherited by all views, but keys
defined in a view are only used within that view.
</p>
<p>
- The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
+ The <span class="command"><strong>trust-anchors</strong></span> statement can contain
multiple trust anchor entries, each consisting of a
domain name, followed by an "anchor type" keyword indicating
the trust anchor's format, followed by the key or digest data.
<span class="command"><strong>static-ds</strong></span> would be unable to validate
this zone any longer; it would reply with a SERVFAIL response
code. This would continue until the resolver operator had
- updated the <span class="command"><strong>dnssec-keys</strong></span> statement with
+ updated the <span class="command"><strong>trust-anchors</strong></span> statement with
the new key.
</p>
<p>
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
configured in <code class="filename">named.conf</code>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
- using the trust anchor specified in <span class="command"><strong>dnssec-keys</strong></span>.
+ using the trust anchor specified in <span class="command"><strong>trust-anchors</strong></span>.
If the DNSKEY RRset is validly signed by a key matching
the trust anchor, then it is used as the basis for a new
managed keys database.
From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
sees the <span class="command"><strong>initial-key</strong></span> or
<span class="command"><strong>initial-ds</strong></span> listed in
- <span class="command"><strong>dnssec-keys</strong></span>, checks to
+ <span class="command"><strong>trust-anchors</strong></span>, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
- key specified in the <span class="command"><strong>dnssec-keys</strong></span>
+ key specified in the <span class="command"><strong>trust-anchors</strong></span>
statement is not used to validate answers; it is
superseded by the key or keys stored in the managed keys
database.
The next time <span class="command"><strong>named</strong></span> runs after an
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
trust anchor has been <span class="emphasis"><em>removed</em></span> from the
- <span class="command"><strong>dnssec-keys</strong></span> statement (or changed to
+ <span class="command"><strong>trust-anchors</strong></span> statement (or changed to
a <span class="command"><strong>static-key</strong></span> or <span class="command"><strong>static-ds</strong></span>),
the corresponding keys will be removed from the managed keys
database, and RFC 5011 key maintenance will no longer be used
<a name="dnssec_policy_grammar"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em> {
- <span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
- <span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory <em class="replaceable"><code>duration</code></em> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
+ <span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
+ <span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
<span class="command"><strong>parent-ds-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-registration-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
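Review bot: the `keys` grammar line now labels its fields (`lifetime duration algorithm integer`), but the trailing `[ integer ]` stays an unlabelled optional value; if it is the key size, give it a keyword too so the line reads uniformly. This is a syntax change for every existing `dnssec-policy` block written in the old positional form (`( csk | ksk | zsk ) key-directory duration integer [ integer ]`), so confirm that named-checkconf rejects the old form with a clear error rather than reinterpreting the positional values, and that `dnskey-ttl` changing from `ttlval` to `duration` means it now takes the same ISO 8601 durations as the `parent-*` options below it.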
<p>
A margin that is added to the publish interval in key
timing equations to give some extra time to cover
- unforeseen events. Default is <code class="constant">PT5M</code>
- (5 minutes).
+ unforeseen events. Default is <code class="constant">PT1H</code>
+ (1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>retire-safety</strong></span></span></dt>
<p>
A margin that is added to the retire interval in key
timing equations to give some extra time to cover
- unforeseen events. Default is <code class="constant">PT5M</code>
- (5 minutes).
+ unforeseen events. Default is <code class="constant">PT1H</code>
+ (1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-refresh</strong></span></span></dt>
<dd>
<p>
The TTL of the DS RRset that the parent uses. Default is
- <code class="constant">PT1H</code> (1 hour).
+ <code class="constant">P1D</code> (1 day).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-propagation-delay</strong></span></span></dt>
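Review bot: the paragraph under `signatures-refresh` describes the parent's DS TTL ("The TTL of the DS RRset that the parent uses"), which is what the separate `parent-ds-ttl` option in the grammar means; the hunk only moves the default from PT1H to P1D and leaves that mismatch in place. Either this is the `parent-ds-ttl` entry with the wrong `<dt>`, or `signatures-refresh` has a copied description; fix the term or the text in the same change so the new P1D default lands on the right option. The same applies to the two safety margins just above, which go from PT5M to PT1H: this diff shows no matching code change, so state whether the code default was already PT1H (a documentation correction) or is changing (a behaviour change that belongs in the 9.15.7 release notes). Since the margins are added to the publish and retire intervals, a twelve-fold increase lengthens every key rollover, which operators planning a rollover schedule need to know.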
<p>
The <span class="command"><strong>managed-keys</strong></span> statement has been
- deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar”</a>
+ deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#trust_anchors" title="trust-anchors Statement Grammar">the section called “<span class="command"><strong>trust-anchors</strong></span> Statement Grammar”</a>
with the <span class="command"><strong>initial-key</strong></span> keyword.
</p>
</div>
<p>
The <span class="command"><strong>trusted-keys</strong></span> statement has been
- deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar”</a>
+ deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#trust_anchors" title="trust-anchors Statement Grammar">the section called “<span class="command"><strong>trust-anchors</strong></span> Statement Grammar”</a>
with the <span class="command"><strong>static-key</strong></span> keyword.
</p>
</div>
(KSK) for the zone must be configured as a trust
anchor in <code class="filename">named.conf</code>: that
is, a key for the zone must be specified in
- <span class="command"><strong>dnssec-keys</strong></span>. In the case
+ <span class="command"><strong>trust-anchors</strong></span>. In the case
of the root zone, you may also rely on the
built-in root trust anchor, which is enabled
when <a class="xref" href="Bv9ARM.ch05.html#dnssec_validation"><span class="command"><strong>dnssec-validation</strong></span></a> is set to the
<dt><span class="term"><span class="command"><strong>dnssec-policy</strong></span></span></dt>
<dd>
<p>
- The key and signing policy for this zone. Set to
- <strong class="userinput"><code>"default"</code></strong> if you want to make use
- of the default policy.
+ The key and signing policy for this zone. This is a string
+ referring to a <span class="command"><strong>dnssec-policy</strong></span> statement.
+ There are two built-in policies:
+ <strong class="userinput"><code>"default"</code></strong> allows you to use the
+ default policy, and <strong class="userinput"><code>"none"</code></strong> means
+ not to use any DNSSEC policy, keeping the zone unsigned.
+ The default is <strong class="userinput"><code>"none"</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
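Review bot: "keeping the zone unsigned" overstates what `"none"` does: it only means the zone is not managed by any `dnssec-policy`, while the other DNSSEC signing options still present in the options grammar (for example `dnssec-dnskey-kskonly` and `dnssec-loadkeys-interval`) keep working, so a zone with `dnssec-policy "none"` can still be signed by those mechanisms. Suggest: "`none` means the zone is not managed by a dnssec-policy; it is left unsigned unless another signing mechanism is configured."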
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.7</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
C compiler.
</p>
<p>
- The OpenSSL cryptography library must be available for the target
- platform. A PKCS#11 provider can be used instead for Public Key
- cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
- still required for general cryptography operations such as hashing
- and random number generation.
+ The <code class="filename">libuv</code> asynchronous I/O library and the
+ OpenSSL cryptography library must be available for the target
+ platform. A PKCS#11 provider can be used instead of OpenSSL for
+ Public Key cryptography (i.e., DNSSEC signing and validation),
+ but OpenSSL is still required for general cryptography operations
+ such as hashing and random number generation.
</p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
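Review bot: libuv becomes a hard build dependency here but no minimum version is given, whereas the OpenSSL and PKCS#11 sentence says what each library is used for and when it is required; state the oldest libuv release the network manager builds against and record it in `PLATFORMS.md`, since anyone upgrading from 9.15.6 on a distribution with an older libuv will otherwise only find out at configure time.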
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
+ which was introduced in 9.15.1 and revised in 9.15.6, has now
+ been renamed to the more descriptive
+ <span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
+ </p>
+ <p>
+ (See release notes for
+ <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
+ and
+ <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
+ for prior discussion of this feature.)
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Added support for multithreaded listening for TCP connections
+ in the network manager [GL !2659]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
+ on reconfiguration when any GeoIP2 database was in use. [GL #1445]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Fixed several possible race conditions discovered by Thread
+ Sanitizer.
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Set a limit on the number of concurrently served pipelined TCP
+ queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
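Review bot: the 9.15.7 Feature Changes list only the `trust-anchors` rename and multithreaded TCP listening, yet this same diff also changes the `dnssec-policy` grammar (explicit `lifetime` and `algorithm` keywords, `dnskey-ttl` typed as `duration`) and several documented defaults (safety margins PT5M to PT1H, DS TTL PT1H to P1D); if any of those are code changes rather than documentation corrections they need entries here. For the rename, say what happens to a `named.conf` that still uses `dnssec-keys`: a hard parse error, or a deprecation warning with continued acceptance as `managed-keys` and `trusted-keys` get. Minor: the multithreaded listening item lacks a terminating period, and `[GL !2702]` and `[GL !2659]` are merge-request references where every other entry cites an issue number.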
</p>
</li>
<li class="listitem">
- <p>
- Two new keywords have been added to the
- <span class="command"><strong>dnssec-keys</strong></span> statement:
- <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
- These allow the use of trust anchors in DS format instead of
- DNSKEY format. DS format allows trust anchors to be configured
- for keys that have not yet been published; this is the format
- used by IANA when announcing future root keys.
- </p>
- <p>
- As with the <span class="command"><strong>initial-key</strong></span> and
- <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
- configures a dynamic trust anchor to be maintained via RFC 5011, and
- <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
- </p>
- <p>
- (Note: Currently, DNSKEY-format and DS-format trust anchors
- cannot both be used for the same domain name.) [GL #6] [GL #622]
- </p>
+ <p>
+ Two new keywords have been added to the
+ <span class="command"><strong>dnssec-keys</strong></span> statement:
+ <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
+ These allow the use of trust anchors in DS format instead of
+ DNSKEY format. DS format allows trust anchors to be configured
+ for keys that have not yet been published; this is the format
+ used by IANA when announcing future root keys.
+ </p>
+ <p>
+ As with the <span class="command"><strong>initial-key</strong></span> and
+ <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
+ configures a dynamic trust anchor to be maintained via RFC 5011, and
+ <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
+ </p>
+ <p>
+ (Note: Currently, DNSKEY-format and DS-format trust anchors
+ cannot both be used for the same domain name.) [GL #6] [GL #622]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
+ that reports the maximum number of simultaneous TCP clients BIND
+ has handled while running. [GL #1206]
+ </p>
</li>
</ul></div>
</div>
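Review bot: the `initial-ds`/`static-ds` paragraphs are removed and re-added byte for byte except for indentation, a whitespace-only change that buries the one real addition (the `tcp-highwater` item) inside a forty-line hunk; keep the original indentation and add the new `<li>` on its own. The `tcp-highwater` item is being inserted into the 9.15.6 notes after that release; if the statistic shipped in 9.15.6 that is fine, but if it is new in 9.15.7 it belongs under the 9.15.7 heading, and either way "while running" should say whether the high-water value resets on `rndc reconfig` or only on restart.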
</p>
</li>
<li class="listitem">
- <p>
- The DNSSEC validation code has been refactored for clarity and to
- reduce code duplication. [GL #622]
- </p>
+ <p>
+ The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. [GL #622]
+ </p>
</li>
</ul></div>
</div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- Too many simultaneous pipelined TCP queries could cause
- resource overuse. We now prevent this by enforcing a limit
- on the number of simultaneous requests per active connection.
- This flaw`is disclosed in CVE-2019-6477. [GL #1264]
- </p>
- </li></ul></div>
- </div>
-
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- <a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>
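Review bot: moving the CVE-2019-6477 entry above New Features is right, but the rewritten text drops the impact: the removed wording said too many simultaneous pipelined TCP queries could cause resource overuse and that the limit applies per active connection, while the new wording is only "Set a limit on the number of concurrently served pipelined TCP queries". Keep the impact and the per-connection scope so an operator reading the notes can judge exposure and knows which behaviour changed. The stray backtick in the old "This flaw`is" is fixed by the rewrite. The deleted donations paragraph under Thank You is unrelated to the release and should be a separate change.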
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.6</p></div>
+<div><p class="releaseinfo">BIND Version 9.15.7</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trust_anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
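Review bot: the two new anchors differ only in underscore versus hyphen (`#trust_anchors` for the grammar, `#trust-anchors` for the definition), carrying forward the `dnssec_keys`/`dnssec-keys` pair being removed; that is easy to mis-link, and the `dnssec-policy` entries right below use the clearer `_grammar` suffix. Since nothing external links to these anchors yet, consider `#trust_anchors_grammar` for the grammar section and `#trust_anchors` for the definition.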
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</p>
<p>
Note: When reading the trust anchor file,
- <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
+ <span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</div>
<div class="refsection">
-<a name="id-1.13.27.11"></a><h2>DNSSEC-KEYS</h2>
- <div class="literallayout"><p><br>
-dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-    initial-key | static-ds | initial-ds )<br>
-Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.13.27.12"></a><h2>DYNDB</h2>
+<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.13"></a><h2>KEY</h2>
+<a name="id-1.13.27.12"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
+<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key | static-ds |<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
+<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
+<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
+<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.19"></a><h2>SERVER</h2>
+<a name="id-1.13.27.18"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
</p></div>
</div>
+ <div class="refsection">
+<a name="id-1.13.27.20"></a><h2>TRUST-ANCHORS</h2>
+ <div class="literallayout"><p><br>
+trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+    initial-key | static-ds | initial-ds )<br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+</p></div>
+ </div>
+
<div class="refsection">
<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
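Review bot: the TRUST-ANCHORS literallayout carries the mojibake `Â Â Â Â` and `Â ` between the three `integer` fields, the same corruption present in the DNSSEC-KEYS block it replaces (a UTF-8 no-break space re-encoded as Latin-1), while the other continuation lines use plain no-break spaces. Since this block is being regenerated anyway, fix the encoding here rather than copying it forward; as written it renders literal `Â` characters in the manpage HTML.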
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
-     initial-key | static-ds | initial-ds<br>
- Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
+ trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+     initial-key | static-ds | initial-ds<br>
+ Â Â Â Â )Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
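Review bot: inserting `trust-anchors` after `trust-anchor-telemetry` keeps the options grammar alphabetical, but the line between the keyword list and the three `integer` fields carries the `Â Â Â Â )Â` mojibake copied from the removed `dnssec-keys` block; fix the encoding while moving it. The `trusted-keys` entry that follows is still listed without any deprecation marker, unlike the manpage refsection in this diff that now says "Deprecated - see TRUST-ANCHORS"; a `// deprecated` comment, in the style of the `// experimental` on `trust-anchor-telemetry`, would make that visible in the grammar too.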
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
- dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
+ dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
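Review bot: here the `keys` line already has the `lifetime` and `algorithm` keywords as unchanged context and only `dnskey-ttl` changes type, whereas the ARM chapter's copy of the same grammar needs both fixed in this diff; the two copies have drifted, so consider generating both from one source, or adding a check that diffs them, so the next `dnssec-policy` option change cannot land in one file only.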
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
<dd>
<p>
Dump the security roots (i.e., trust anchors
- configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
+ configured via <span class="command"><strong>trust-anchors</strong></span> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
for prior discussion of this feature.)
</para>
</listitem>
+ <listitem>
+ <para>
+ Added support for multithreaded listening for TCP connections
+ in the network manager [GL !2659]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.15.7-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Fixed a bug that caused <command>named</command> to leak memory
+ on reconfiguration when any GeoIP2 database was in use. [GL #1445]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Fixed several possible race conditions discovered by Thread
+ Sanitizer.
+ </para>
+ </listitem>
</itemizedlist>
</section>
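Review bot: the rename of dnssec-keys to trust-anchors is a configuration-breaking change, but the note does not tell operators whether the old name is still accepted as a deprecated alias with a warning or is rejected at load time; the named.conf grammar hunks further down in this patch remove dnssec-keys outright, with no `// obsolete` marker of the kind dnssec-enable carries, so the note should say plainly that existing configurations using dnssec-keys must be edited before upgrading. Two smaller points in the same list: the multithreaded TCP listener entry is missing the sentence-ending period before `[GL !2659]` (compare `was in use. [GL #1445]`), and the Thread Sanitizer entry cites no GL issue or merge request at all.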
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.15.7</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
C compiler.
</p>
<p>
- The OpenSSL cryptography library must be available for the target
- platform. A PKCS#11 provider can be used instead for Public Key
- cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
- still required for general cryptography operations such as hashing
- and random number generation.
+ The <code class="filename">libuv</code> asynchronous I/O library and the
+ OpenSSL cryptography library must be available for the target
+ platform. A PKCS#11 provider can be used instead of OpenSSL for
+ Public Key cryptography (i.e., DNSSEC signing and validation),
+ but OpenSSL is still required for general cryptography operations
+ such as hashing and random number generation.
</p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
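Review bot: on the first added line `libuv` is wrapped in `<code class="filename">` while OpenSSL in the same sentence is plain text; libuv is a library, not a file, so either drop the markup or give OpenSSL the same treatment so the paragraph is consistent. The rest of the rewording is an improvement, since "instead of OpenSSL" now makes clear what the PKCS#11 provider replaces.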
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
+ which was introduced in 9.15.1 and revised in 9.15.6, has now
+ been renamed to the more descriptive
+ <span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
+ </p>
+ <p>
+ (See release notes for
+ <a class="xref" href="#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
+ and
+ <a class="xref" href="#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
+ for prior discussion of this feature.)
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Added support for multithreaded listening for TCP connections
+ in the network manager [GL !2659]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
+ on reconfiguration when any GeoIP2 database was in use. [GL #1445]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Fixed several possible race conditions discovered by Thread
+ Sanitizer.
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Set a limit on the number of concurrently served pipelined TCP
+ queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
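Review bot: the rewritten CVE-2019-6477 entry, `Set a limit on the number of concurrently served pipelined TCP queries`, drops two things the version it replaces (removed further down in this patch) stated explicitly: the impact ("could cause resource overuse") and the scope of the limit ("per active connection"). Operators use exactly those details to decide how urgently to upgrade and what the new limit applies to, so keep at least one sentence on impact, for example "Too many simultaneous pipelined TCP queries could cause resource overuse; the server now limits the number of concurrently served requests per connection." Moving Security Fixes above New Features is good, and the stray backtick in the old `This flaw`is disclosed` is gone.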
</p>
</li>
<li class="listitem">
- <p>
- Two new keywords have been added to the
- <span class="command"><strong>dnssec-keys</strong></span> statement:
- <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
- These allow the use of trust anchors in DS format instead of
- DNSKEY format. DS format allows trust anchors to be configured
- for keys that have not yet been published; this is the format
- used by IANA when announcing future root keys.
- </p>
- <p>
- As with the <span class="command"><strong>initial-key</strong></span> and
- <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
- configures a dynamic trust anchor to be maintained via RFC 5011, and
- <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
- </p>
- <p>
- (Note: Currently, DNSKEY-format and DS-format trust anchors
- cannot both be used for the same domain name.) [GL #6] [GL #622]
- </p>
+ <p>
+ Two new keywords have been added to the
+ <span class="command"><strong>dnssec-keys</strong></span> statement:
+ <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
+ These allow the use of trust anchors in DS format instead of
+ DNSKEY format. DS format allows trust anchors to be configured
+ for keys that have not yet been published; this is the format
+ used by IANA when announcing future root keys.
+ </p>
+ <p>
+ As with the <span class="command"><strong>initial-key</strong></span> and
+ <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
+ configures a dynamic trust anchor to be maintained via RFC 5011, and
+ <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
+ </p>
+ <p>
+ (Note: Currently, DNSKEY-format and DS-format trust anchors
+ cannot both be used for the same domain name.) [GL #6] [GL #622]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
+ that reports the maximum number of simultaneous TCP clients BIND
+ has handled while running. [GL #1206]
+ </p>
</li>
</ul></div>
</div>
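Review bot: the re-added paragraph still says `Two new keywords have been added to the dnssec-keys statement` although this same patch renames that statement to trust-anchors; as 9.15.6 release notes the wording is historically accurate, but a reader of the combined notes will look for dnssec-keys in the current grammar and not find it, so consider appending "(renamed to trust-anchors in 9.15.7)". Separately, the only substantive addition in this hunk, the tcp-highwater entry, is hard to spot because the `-`/`+` pairs above it differ only in indentation.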
</p>
</li>
<li class="listitem">
- <p>
- The DNSSEC validation code has been refactored for clarity and to
- reduce code duplication. [GL #622]
- </p>
+ <p>
+ The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. [GL #622]
+ </p>
</li>
</ul></div>
</div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- Too many simultaneous pipelined TCP queries could cause
- resource overuse. We now prevent this by enforcing a limit
- on the number of simultaneous requests per active connection.
- This flaw`is disclosed in CVE-2019-6477. [GL #1264]
- </p>
- </li></ul></div>
- </div>
-
</div>
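Review bot: the `-`/`+` lines for the "DNSSEC validation code has been refactored" paragraph are identical apart from indentation, whitespace churn that hides the real change in this hunk, the removal of the 9.15.6 Security Fixes section that is being moved above New Features. If the re-indentation is deliberate, it belongs in a separate commit, or at minimum the commit message should say the section was moved rather than deleted so that a reader of the diff does not conclude the CVE-2019-6477 note was dropped.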
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- <a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>
-Release Notes for BIND Version 9.15.6
+Release Notes for BIND Version 9.15.7
Introduction
(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and
standard atomic operations provided by the C compiler.
-The OpenSSL cryptography library must be available for the target
-platform. A PKCS#11 provider can be used instead for Public Key
-cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still
-required for general cryptography operations such as hashing and random
-number generation.
+The libuv asynchronous I/O library and the OpenSSL cryptography library
+must be available for the target platform. A PKCS#11 provider can be used
+instead of OpenSSL for Public Key cryptography (i.e., DNSSEC signing and
+validation), but OpenSSL is still required for general cryptography
+operations such as hashing and random number generation.
More information can be found in the PLATFORMS.md file that is included in
the source distribution of BIND 9. If your compiler and system libraries
each release, source code, and pre-compiled versions for Microsoft Windows
operating systems.
+Notes for BIND 9.15.7
+
+Feature Changes
+
+ * The dnssec-keys configuration statement, which was introduced in
+ 9.15.1 and revised in 9.15.6, has now been renamed to the more
+ descriptive trust-anchors. [GL !2702]
+
+ (See release notes for BIND 9.15.1 and BIND 9.15.6 for prior
+ discussion of this feature.)
+
+ * Added support for multithreaded listening for TCP connections in the
+ network manager [GL !2659]
+
+Bug Fixes
+
+ * Fixed a bug that caused named to leak memory on reconfiguration when
+ any GeoIP2 database was in use. [GL #1445]
+
+ * Fixed several possible race conditions discovered by Thread Sanitizer.
+
Notes for BIND 9.15.6
+Security Fixes
+
+ * Set a limit on the number of concurrently served pipelined TCP
+ queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
+
New Features
* A new asynchronous network communications system based on libuv is now
(Note: Currently, DNSKEY-format and DS-format trust anchors cannot
both be used for the same domain name.) [GL #6] [GL #622]
+ * Added a new statistics variable tcp-highwater that reports the maximum
+ number of simultaneous TCP clients BIND has handled while running. [GL
+ #1206]
+
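Review bot: the plain-text wrap in the tcp-highwater entry splits the issue reference across two lines as `[GL` / `#1206]`, which breaks simple searches for `[GL #1206]` in the notes; rewrap that bullet so the reference stays on one line, as the other entries do. The same missing period before `[GL !2659]` from the DocBook source shows up here as well, in `network manager [GL !2659]`.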
Feature Changes
* NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
* The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
-Security Fixes
-
- * Too many simultaneous pipelined TCP queries could cause resource
- overuse. We now prevent this by enforcing a limit on the number of
- simultaneous requests per active connection. This flaw`is disclosed in
- CVE-2019-6477. [GL #1264]
-
Notes for BIND 9.15.5
Security Fixes
Thank You
-Thank you to everyone who assisted us in making this release possible. If
-you would like to contribute to ISC to assist us in continuing to make
-quality open source software, please visit our donations page at https://
-www.isc.org/donate/.
+Thank you to everyone who assisted us in making this release possible.
search <boolean>;
}; // may occur multiple times
-dnssec-keys { <string> ( static-key |
- initial-key | static-ds | initial-ds )
- <integer> <integer> <integer>
- <quoted_string>; ... }; // may occur multiple times
-
dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
} ]; // may occur multiple times
}; // may occur multiple times
+trust-anchors { <string> ( static-key |
+ initial-key | static-ds | initial-ds )
+ <integer> <integer> <integer>
+ <quoted_string>; ... }; // may occur multiple times
+
trusted-keys { <string> <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>; // obsolete
- dnssec-keys { <string> ( static-key |
- initial-key | static-ds | initial-ds
- ) <integer> <integer> <integer>
- <quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string>
trust-anchor <string> |
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
trust-anchor-telemetry <boolean>; // experimental
+ trust-anchors { <string> ( static-key |
+ initial-key | static-ds | initial-ds
+ ) <integer> <integer> <integer>
+ <quoted_string>; ... }; // may occur multiple times
trusted-keys { <string>
<integer> <integer>
<integer>
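Review bot: dnssec-keys is removed from the options grammar without any replacement entry, whereas the same block keeps `dnssec-enable <boolean>; // obsolete` for a statement that is no longer functional; if named still recognises dnssec-keys as an alias for trust-anchors and warns, the grammar should list it with a `// deprecated` comment like the trusted-keys entry, and if it does not, the release note should say so, since a configuration containing dnssec-keys will then fail to load after the upgrade.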
search <boolean>;
}; // may occur multiple times
-dnssec-keys { <string> ( static-key |
- initial-key | static-ds | initial-ds )
- <integer> <integer> <integer>
- <quoted_string>; ... }; // may occur multiple times
-
dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
} ]; // may occur multiple times
}; // may occur multiple times
+trust-anchors { <string> ( static-key |
+ initial-key | static-ds | initial-ds )
+ <integer> <integer> <integer>
+ <quoted_string>; ... }; // may occur multiple times
+
trusted-keys { <string> <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
- dnssec-keys { <string> ( static-key |
- initial-key | static-ds | initial-ds
- ) <integer> <integer> <integer>
- <quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
trust-anchor-telemetry <boolean>; // experimental
+ trust-anchors { <string> ( static-key |
+ initial-key | static-ds | initial-ds
+ ) <integer> <integer> <integer>
+ <quoted_string>; ... }; // may occur multiple times
trusted-keys { <string>
<integer> <integer>
<integer>
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1501
-LIBREVISION = 1
+LIBINTERFACE = 1502
+LIBREVISION = 0
LIBAGE = 0
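Review bot: LIBINTERFACE goes from 1501 to 1502 with LIBREVISION reset to 0 and LIBAGE left at 0, which in libtool current:revision:age terms declares the new library interface incompatible with the previous one (interfaces removed or changed); if the change to this library was purely additive, LIBAGE should be incremented as well, otherwise every dependent is forced to relink for a compatible addition. For a library whose exported configuration symbols were renamed from dnssec-keys to trust-anchors the incompatible bump is presumably right, but the file names are not shown in this diff, so the reviewer cannot confirm which library each block belongs to; a one-line note in the commit message mapping each bump to its API change would settle it.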
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1501
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1504
+LIBINTERFACE = 1505
LIBREVISION = 0
LIBAGE = 0
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1502
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1502
+LIBINTERFACE = 1503
LIBREVISION = 0
LIBAGE = 0
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
-PATCHVER=6
+PATCHVER=7
RELEASETYPE=
RELEASEVER=
EXTENSIONS=