From: Tinderbox User Date: Mon, 12 Aug 2019 14:08:12 +0000 (+0000) Subject: prep 9.15.3 X-Git-Tag: v9.15.3^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b9b826518d12daee5418f46ed076faeb106eca9;p=thirdparty%2Fbind9.git prep 9.15.3 --- diff --git a/bin/delv/delv.1 b/bin/delv/delv.1 index 7155b70c1d0..14ed98d2a95 100644 --- a/bin/delv/delv.1 +++ b/bin/delv/delv.1 @@ -53,7 +53,7 @@ is a tool for sending DNS queries and validating the results, using the same int \fBnamed\fR\&. .PP \fBdelv\fR -will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&. +will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&. .PP By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by \fBdelv\fR @@ -139,9 +139,7 @@ BIND .sp Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the \fB+root=NAME\fR -options\&. DNSSEC Lookaside Validation can also be turned on by using the -\fB+dlv=NAME\fR -to specify the name of a zone containing DLV records\&. +options\&. .sp Note: When reading the trust anchor file, \fBdelv\fR @@ -392,25 +390,16 @@ output\&. The default is to do so\&. Note that (unlike in control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of \fB\-i\fR or -\fB+noroot\fR -and -\fB+nodlv\fR\&. +\fB+noroot\fR\&. .RE .PP \fB+[no]root[=ROOT]\fR .RS 4 -Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then +Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then \fB\-a\fR must be used to specify a file containing the key\&. .RE .PP -\fB+[no]dlv[=DLV]\fR -.RS 4 -Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The -\fB\-a\fR -option must also be used to specify a file containing the DLV key\&. -.RE -.PP \fB+[no]tcp\fR .RS 4 Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&. diff --git a/bin/delv/delv.html b/bin/delv/delv.html index 6fe88403295..2c00605c637 100644 --- a/bin/delv/delv.html +++ b/bin/delv/delv.html @@ -83,7 +83,7 @@ delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow - CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records + CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and @@ -193,10 +193,7 @@

Keys that do not match the root zone name are ignored. An alternate key name can be specified using the - +root=NAME options. DNSSEC Lookaside - Validation can also be turned on by using the - +dlv=NAME to specify the name of a - zone containing DLV records. + +root=NAME options.

Note: When reading the trust anchor file, @@ -520,14 +517,13 @@ request DNSSEC records or whether to validate them. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of - -i or +noroot and - +nodlv. + -i or +noroot.

+[no]root[=ROOT]

- Indicates whether to perform conventional (non-lookaside) + Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is @@ -536,15 +532,6 @@ containing the key.

-
+[no]dlv[=DLV]
-
-

- Indicates whether to perform DNSSEC lookaside validation, - and if so, specifies the name of the DLV trust anchor. - The -a option must also be used to specify - a file containing the DLV key. -

-
+[no]tcp

diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 7da5c5693af..c17d9a65597 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -361,14 +361,20 @@ Display [do not display] the CLASS when printing the record\&. .PP \fB+[no]cmd\fR .RS 4 -Toggles the printing of the initial comment in the output identifying the version of +Toggles the printing of the initial comment in the output, identifying the version of \fBdig\fR -and the query options that have been applied\&. This comment is printed by default\&. +and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&. .RE .PP \fB+[no]comments\fR .RS 4 -Toggle the display of comment lines in the output\&. The default is to print comments\&. +Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&. +.sp +Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include +\fB+[no]cmd\fR, +\fB+[no]question\fR, +\fB+[no]stats\fR, and +\fB+[no]rrcomments\fR\&. .RE .PP \fB+[no]cookie\fR\fB[=####]\fR @@ -566,12 +572,12 @@ would cause a 48\-byte query to be padded to 64 bytes\&. The default block size .PP \fB+[no]qr\fR .RS 4 -Print [do not print] the query as it is sent\&. By default, the query is not printed\&. +Toggles the display of the query message as it is sent\&. By default, the query is not printed\&. .RE .PP \fB+[no]question\fR .RS 4 -Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&. +Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&. .RE .PP \fB+[no]raflag\fR @@ -624,7 +630,7 @@ determines if the name will be treated as relative or not and hence whether a se .PP \fB+[no]short\fR .RS 4 -Provide a terse answer\&. The default is to print the answer in a verbose form\&. +Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. .RE .PP \fB+[no]showsearch\fR @@ -654,7 +660,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char .PP \fB+[no]stats\fR .RS 4 -This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&. +Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&. .RE .PP \fB+[no]subnet=addr[/prefix\-length]\fR diff --git a/bin/dig/dig.html b/bin/dig/dig.html index d191d7a6b5f..a078616f01e 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -481,16 +481,28 @@

Toggles the printing of the initial comment in the - output identifying the version of dig - and the query options that have been applied. This - comment is printed by default. + output, identifying the version of dig + and the query options that have been applied. This option + always has global effect; it cannot be set globally + and then overridden on a per-lookup basis. The default + is to print this comment.

+[no]comments

- Toggle the display of comment lines in the output. - The default is to print comments. + Toggles the display of some comment lines in the output, + containing information about the packet header and + OPT pseudosection, and the names of the response + section. The default is to print these comments. +

+

+ Other types of comments in the output are not affected by + this option, but can be controlled using other command + line switches. These include +[no]cmd, + +[no]question, + +[no]stats, and + +[no]rrcomments.

+[no]cookie[=####]
@@ -764,14 +776,14 @@
+[no]qr

- Print [do not print] the query as it is sent. By - default, the query is not printed. + Toggles the display of the query message as it is sent. + By default, the query is not printed.

+[no]question

- Print [do not print] the question section of a query + Toggles the display of the question section of a query when an answer is returned. The default is to print the question section as a comment.

@@ -841,7 +853,9 @@

Provide a terse answer. The default is to print the - answer in a verbose form. + answer in a verbose form. This option always has global + effect; it cannot be set globally and then overridden on + a per-lookup basis.

+[no]showsearch
@@ -874,10 +888,9 @@
+[no]stats

- This query option toggles the printing of statistics: - when the query was made, the size of the reply and - so on. The default behavior is to print the query - statistics. + Toggles the printing of statistics: when the query was made, + the size of the reply and so on. The default behavior is to + print the query statistics as a comment after each lookup.

+[no]subnet=addr[/prefix-length]
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8 index 3cfb1f3f675..9abc825d246 100644 --- a/bin/dnssec/dnssec-dsfromkey.8 +++ b/bin/dnssec/dnssec-dsfromkey.8 @@ -50,11 +50,9 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool .PP The \fBdnssec\-dsfromkey\fR -command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the -\fB\-l\fR -option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the +command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the \fB\-C\fR -it outputs CDS (Child DS) RRs\&. +option\&. .PP The input keys can be specified in a number of ways: .PP @@ -119,9 +117,7 @@ zone file mode\&. .PP \-C .RS 4 -Generate CDS records rather than DS records\&. This is mutually exclusive with the -\fB\-l\fR -option for generating DLV records\&. +Generate CDS records rather than DS records\&. .RE .PP \-f \fIfile\fR @@ -156,15 +152,6 @@ files in \fBdirectory\fR\&. .RE .PP -\-l \fIdomain\fR -.RS 4 -Generate a DLV set instead of a DS set\&. The specified -\fIdomain\fR -is appended to the name for each record in the set\&. This is mutually exclusive with the -\fB\-C\fR -option for generating CDS records\&. -.RE -.PP \-s .RS 4 Keyset mode: @@ -224,8 +211,6 @@ A keyfile error can give a "file not found" even if the file exists\&. BIND 9 Administrator Reference Manual, RFC 3658 (DS RRs), -RFC 4431 -(DLV RRs), RFC 4509 (SHA\-256 for DS RRs), RFC 6605 diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html index cdeb5d5011a..b0dc41c4fd2 100644 --- a/bin/dnssec/dnssec-dsfromkey.html +++ b/bin/dnssec/dnssec-dsfromkey.html @@ -97,10 +97,8 @@

The dnssec-dsfromkey command outputs DS (Delegation - Signer) resource records (RRs) and other similarly-constructed RRs: - with the -l option it outputs DLV (DNSSEC Lookaside - Validation) RRs; or with the -C it outputs CDS (Child - DS) RRs. + Signer) resource records (RRs), or CDS (Child DS) RRs with the + -C option.

@@ -182,9 +180,7 @@

-C

- Generate CDS records rather than DS records. This is mutually - exclusive with the -l option for generating DLV - records. + Generate CDS records rather than DS records.

-f file
@@ -219,16 +215,6 @@ directory.

-
-l domain
-
-

- Generate a DLV set instead of a DS set. The specified - domain is appended to the name for each - record in the set. - This is mutually exclusive with the -C option - for generating CDS records. -

-
-s

@@ -311,7 +297,6 @@ , BIND 9 Administrator Reference Manual, RFC 3658 (DS RRs), - RFC 4431 (DLV RRs), RFC 4509 (SHA-256 for DS RRs), RFC 6605 (SHA-384 for DS RRs), RFC 7344 (CDS and CDNSKEY RRs). diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 index 7a099ecf138..3a0db6862ce 100644 --- a/bin/dnssec/dnssec-signzone.8 +++ b/bin/dnssec/dnssec-signzone.8 @@ -39,7 +39,7 @@ dnssec-signzone \- DNSSEC zone signing tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-signzone\fR\ 'u -\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...] +\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...] .SH "DESCRIPTION" .PP \fBdnssec\-signzone\fR @@ -113,11 +113,6 @@ Key repository: Specify a directory to search for DNSSEC keys\&. If not specifie Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&. .RE .PP -\-l \fIdomain\fR -.RS 4 -Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&. -.RE -.PP \-M \fImaxttl\fR .RS 4 Sets the maximum TTL for the signed zone\&. Any TTL higher than @@ -296,6 +291,13 @@ forces to remove signatures from keys that are no longer active\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.1 ("Pre\-Publish Key Rollover")\&. .RE .PP +\-q +.RS 4 +Quiet mode: Suppresses unnecessary output\&. Without this option, when +\fBdnssec\-signzone\fR +is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information, and finally the filename containing the signed zone\&. With it, that output is suppressed, leaving only the filename\&. +.RE +.PP \-R .RS 4 Remove signatures from keys that are no longer published\&. diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index ffd4c77e2f0..fe7cb3c0281 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -55,6 +55,7 @@ [-O output-format] [-P] [-Q] + [-q] [-R] [-S] [-s start-time] @@ -173,13 +174,6 @@ key flags. This option may be specified multiple times.

-
-l domain
-
-

- Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. -

-
-M maxttl

@@ -429,6 +423,18 @@ RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").

+
-q
+
+

+ Quiet mode: Suppresses unnecessary output. Without this + option, when dnssec-signzone is run it + will print to standard output the number of keys in use, + the algorithms used to verify the zone was signed correctly + and other status information, and finally the filename + containing the signed zone. With it, that output is + suppressed, leaving only the filename. +

+
-R

diff --git a/bin/dnssec/dnssec-verify.8 b/bin/dnssec/dnssec-verify.8 index 592dd0890f7..bedf131cdfe 100644 --- a/bin/dnssec/dnssec-verify.8 +++ b/bin/dnssec/dnssec-verify.8 @@ -39,7 +39,7 @@ dnssec-verify \- DNSSEC zone verification tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-verify\fR\ 'u -\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile} +\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-q\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile} .SH "DESCRIPTION" .PP \fBdnssec\-verify\fR @@ -81,6 +81,13 @@ Sets the debugging level\&. Prints version information\&. .RE .PP +\-q +.RS 4 +Quiet mode: Suppresses output\&. Without this option, when +\fBdnssec\-verify\fR +is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information\&. With it, all non\-error output is suppressed, and only the exit code will indicate success\&. +.RE +.PP \-x .RS 4 Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the diff --git a/bin/dnssec/dnssec-verify.html b/bin/dnssec/dnssec-verify.html index aff7f8483e7..b62ca618255 100644 --- a/bin/dnssec/dnssec-verify.html +++ b/bin/dnssec/dnssec-verify.html @@ -37,6 +37,7 @@ [-E engine] [-I input-format] [-o origin] + [-q] [-v level] [-V] [-x] @@ -112,6 +113,17 @@ Prints version information.

+
-q
+
+

+ Quiet mode: Suppresses output. Without this option, when + dnssec-verify is run it will print to + standard output the number of keys in use, the algorithms + used to verify the zone was signed correctly and other + status information. With it, all non-error output is + suppressed, and only the exit code will indicate success. +

+
-x

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 3d8965df1ce..510e2b5c0ae 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -10,12 +10,12 @@ .\" Title: named.conf .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2019-06-28 +.\" Date: 2019-08-07 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "NAMED\&.CONF" "5" "2019\-06\-28" "ISC" "BIND9" +.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -243,7 +243,7 @@ options { check\-srv\-cname ( fail | warn | ignore ); check\-wildcard \fIboolean\fR; clients\-per\-query \fIinteger\fR; - cookie\-algorithm ( aes | sha1 | sha256 ); + cookie\-algorithm ( aes | siphash24 ); cookie\-secret \fIstring\fR; coresize ( default | unlimited | \fIsizeval\fR ); datasize ( default | unlimited | \fIsizeval\fR ); @@ -274,9 +274,6 @@ options { dnssec\-accept\-expired \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-loadkeys\-interval \fIinteger\fR; - dnssec\-lookaside ( \fIstring\fR - trust\-anchor \fIstring\fR | - auto | no ); deprecated dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); @@ -661,9 +658,6 @@ view \fIstring\fR [ \fIclass\fR ] { initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; dnssec\-loadkeys\-interval \fIinteger\fR; - dnssec\-lookaside ( \fIstring\fR - trust\-anchor \fIstring\fR | - auto | no ); deprecated dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); @@ -913,7 +907,6 @@ view \fIstring\fR [ \fIclass\fR ] { masters [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. }; - max\-ixfr\-log\-size ( default | unlimited | max\-journal\-size ( default | unlimited | \fIsizeval\fR ); max\-records \fIinteger\fR; max\-refresh\-time \fIinteger\fR; @@ -933,7 +926,6 @@ view \fIstring\fR [ \fIclass\fR ] { notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; notify\-to\-soa \fIboolean\fR; - pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR request\-expire \fIboolean\fR; request\-ixfr \fIboolean\fR; serial\-update\-method ( date | increment | unixtime ); diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index cb94491af83..a34d5b0e063 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -139,7 +139,6 @@ logging

-

MANAGED-KEYS

Deprecated - see DNSSEC-KEYS.

@@ -210,7 +209,7 @@ options check-srv-cname ( fail | warn | ignore );
check-wildcard boolean;
clients-per-query integer;
- cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-algorithm ( aes | siphash24 );
cookie-secret string;
coresize ( default | unlimited | sizeval );
datasize ( default | unlimited | sizeval );
@@ -241,9 +240,6 @@ options dnssec-accept-expired boolean;
dnssec-dnskey-kskonly boolean;
dnssec-loadkeys-interval integer;
- dnssec-lookaside ( string
-     trust-anchor string |
-     auto | no ); deprecated
dnssec-must-be-secure string boolean;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
@@ -607,9 +603,6 @@ view     initial-key ) integer integer
    integer quoted_string; ... };
dnssec-loadkeys-interval integer;
- dnssec-lookaside ( string
-     trust-anchor string |
-     auto | no ); deprecated
dnssec-must-be-secure string boolean;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
@@ -859,7 +852,6 @@ view masters [ port integer ] [ dscp integer ] { ( masters
    | ipv4_address [ port integer ] | ipv6_address [
    port integer ] ) [ key string ]; ... };
- max-ixfr-log-size ( default | unlimited |
max-journal-size ( default | unlimited | sizeval );
max-records integer;
max-refresh-time integer;
@@ -879,7 +871,6 @@ view notify-source-v6 ( ipv6_address | * ) [ port ( integer
    | * ) ] [ dscp integer ];
notify-to-soa boolean;
- pubkey integer integer integer
request-expire boolean;
request-ixfr boolean;
serial-update-method ( date | increment | unixtime );
diff --git a/bin/python/dnssec-checkds.8 b/bin/python/dnssec-checkds.8 index 4506a8b87de..12166f88baf 100644 --- a/bin/python/dnssec-checkds.8 +++ b/bin/python/dnssec-checkds.8 @@ -43,12 +43,12 @@ dnssec-checkds \- DNSSEC delegation consistency checking tool .SH "DESCRIPTION" .PP \fBdnssec\-checkds\fR -verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone\&. +verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone\&. .SH "OPTIONS" .PP \-a \fIalgorithm\fR .RS 4 -Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS or DLV records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&. +Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&. .sp The \fIalgorithm\fR @@ -62,11 +62,6 @@ If a is specified, then the zone is read from that file to find the DNSKEY records\&. If not, then the DNSKEY records for the zone are looked up in the DNS\&. .RE .PP -\-l \fIdomain\fR -.RS 4 -Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone\*(Aqs parent\&. -.RE -.PP \-s \fIfile\fR .RS 4 Specifies a prepared dsset file, such as would be generated by diff --git a/bin/python/dnssec-checkds.html b/bin/python/dnssec-checkds.html index ea55d4573cc..7bd7ccf7afe 100644 --- a/bin/python/dnssec-checkds.html +++ b/bin/python/dnssec-checkds.html @@ -46,9 +46,8 @@

DESCRIPTION

dnssec-checkds - verifies the correctness of Delegation Signer (DS) or DNSSEC - Lookaside Validation (DLV) resource records for keys in a specified - zone. + verifies the correctness of Delegation Signer (DS) + resource records for keys in a specified zone.

@@ -60,7 +59,7 @@

Specify a digest algorithm to use when converting the - zone's DNSKEY records to expected DS or DLV records. This + zone's DNSKEY records to expected DS records. This option can be repeated, so that multiple records are checked for each DNSKEY record.

@@ -79,13 +78,6 @@ then the DNSKEY records for the zone are looked up in the DNS.

-
-l domain
-
-

- Check for a DLV record in the specified lookaside domain, - instead of checking for a DS record in the zone's parent. -

-
-s file

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index f27750b36b7..388ae8dd6b4 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.15.2 (Development Release)

+

BIND 9.15.3 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 2efd90166d7..15ed3e87c26 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.15.2 (Development Release)

+

BIND 9.15.3 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 2036f8175a3..d005bb6178e 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.15.2 (Development Release)

+

BIND 9.15.3 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 01c686dbd28..97123a818d1 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1012,11 +1012,11 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

dnssec-signzone - will also produce a keyset and dsset files and optionally a - dlvset file. These are used to provide the parent zone - administrators with the DNSKEYs (or their - corresponding DS records) that are the - secure entry point to the zone. + will also produce a keyset and dsset files. These are used + to provide the parent zone administrators with the + DNSKEYs (or their corresponding + DS records) that are the secure entry + point to the zone.

@@ -2840,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.15.2 (Development Release)

+

BIND 9.15.3 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index e615e7f27ab..f231deb5104 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -2431,7 +2431,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] check-srv-cname ( fail | warn | ignore ); check-wildcard boolean; clients-per-query integer; - cookie-algorithm ( aes | sha1 | sha256 ); + cookie-algorithm ( aes | siphash24 ); cookie-secret string; coresize ( default | unlimited | sizeval ); datasize ( default | unlimited | sizeval ); @@ -2462,9 +2462,6 @@ badresp:1,adberr:0,findfail:0,valfail:0] dnssec-accept-expired boolean; dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; - dnssec-lookaside ( string - trust-anchor string | - auto | no ); deprecated dnssec-must-be-secure string boolean; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); @@ -3450,7 +3447,7 @@ options {
disable-ds-digests

- Disable the specified DS/DLV digest types at and below the + Disable the specified DS digest types at and below the specified name. Multiple disable-ds-digests statements are allowed. @@ -3463,37 +3460,6 @@ options { as insecure.

-
dnssec-lookaside
-
-

- When set, dnssec-lookaside provides the - validator with an alternate method to validate DNSKEY - records at the top of a zone. When a DNSKEY is at or - below a domain specified by the deepest - dnssec-lookaside, and the normal DNSSEC - validation has left the key untrusted, the trust-anchor - will be appended to the key name and a DLV record will be - looked up to see if it can validate the key. If the DLV - record validates a DNSKEY (similarly to the way a DS - record does) the DNSKEY RRset is deemed to be trusted. -

-

- If dnssec-lookaside is set to - no, then dnssec-lookaside - is not used. -

-

- This option is deprecated and its use is discouraged. -

-

- NOTE: The ISC-provided DLV service at - dlv.isc.org, has been shut down. - The dnssec-lookaside auto; - configuration option, which set named - up to use ISC DLV with minimal configuration, has - accordingly been removed. -

-
dnssec-must-be-secure

@@ -3520,7 +3486,9 @@ options {

Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, - 64 and 96 as per RFC 6052. + 64 and 96 as per RFC 6052. Bits 64..71 inclusive must + be zero with the most significate bit of the prefix in + position 0.

Additionally a reverse IP6.ARPA zone will be created for @@ -6729,8 +6697,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; appear, they are not combined — the last one applies.

- By default, records are returned in indeterminate but - consistent order (see none above). + By default, records are returned in random order.

@@ -7653,6 +7620,14 @@ deny-answer-aliases { "example.net"; }; than that is a configuration error.

+

+ Rules encoded in response policy zones are processed after + Access Control Lists + (ACLs). All queries from clients which are not + permitted access to the resolver will be answered with a + status code of REFUSED, regardless of configured RPZ rules. +

+

Five policy triggers can be encoded in RPZ records.

@@ -11463,7 +11438,7 @@ view external {

- A DNS Look-aside Validation record which contains + A DNS Lookaside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431.

@@ -13413,14 +13388,29 @@ HOST-127.EXAMPLE. MX 0 .

- The number of RRsets per RR type and nonexistent - names stored in the cache database. - If the exclamation mark (!) is printed for a RR - type, it means that particular type of RRset is - known to be nonexistent (this is also known as - "NXRRSET"). If a hash mark (#) is present then - the RRset is marked for garbage collection. - Maintained per view. + Statistics counters related to cache contents; + maintained per view. +

+

+ The "NXDOMAIN" counter is the number of names + that have been cached as nonexistent. + Counters named for RR types indicate the + number of active RRsets for each type in the cache + database. +

+

+ If an RR type name is preceded by an exclamation + mark (!), it represents the number of records in the + cache which indicate that the type does not exist + for a particular name (this is also known as "NXRRSET"). + If an RR type name is preceded by a hash mark (#), it + represents the number of RRsets for this type that are + present in the cache but whose TTLs have expired; these + RRsets may only be used if stale answers are enabled. + If an RR type name is preceded by a tilde (~), it + represents the number of RRsets for this type that are + present in the cache database but are marked for garbage + collection; these RRsets cannot be used.

@@ -14934,6 +14924,6 @@ HOST-127.EXAMPLE. MX 0 .
-

BIND 9.15.2 (Development Release)

+

BIND 9.15.3 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 0b0e02960c5..2ef3708ea16 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.15.2 (Development Release)

+

BIND 9.15.3 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 23d9a96853e..d432c3e6318 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.15.2 (Development Release)

+

BIND 9.15.3 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index bf5f28224b2..3d699109b8b 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

Table of Contents

-
Release Notes for BIND Version 9.15.2
+
Release Notes for BIND Version 9.15.3
Introduction
Note on Version Numbering
@@ -55,7 +55,7 @@

-Release Notes for BIND Version 9.15.2

+Release Notes for BIND Version 9.15.3

@@ -234,6 +234,11 @@ as a result of a zone update. [GL #513]

+
  • +

    + Statistics channel groups are now toggleable. [GL #1030] +

    +

    • @@ -256,8 +261,13 @@

  • - The dnssec-lookaside option has been deprecated. - The feature still works, but it is discouraged to use it. [GL #7] + DNSSEC Lookaside Validation (DLV) is now obsolete. + The dnssec-lookaside option has been + marked as deprecated; when used in named.conf, + it will generate a warning but will otherwise be ignored. + All code enabling the use of lookaside validation has been removed + from the validator, delv, and the DNSSEC tools. + [GL #7]

    • @@ -270,9 +280,7 @@

  • named will now log a warning if - a static key is configured for the root zone, or if - any key is configured for "dlv.isc.org", which has been shut - down. [GL #6] + a static key is configured for the root zone. [GL #6]

  • @@ -315,6 +323,40 @@ installation path as an optional argument.

    • +
  • +

    + A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This changes doesn't have any operational impact + in most common scenarios. [GL #605] +

    +

    + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +

    +
    • +
  • +

    + The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. +

    +
    • +
  • +

    + DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +

    +
    • @@ -360,6 +402,47 @@ to root priming queries; this has been corrected. [GL #1092]

    +
  • +

    + Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +

    +
    • +
  • +

    + Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +

    +
    • +
  • +

    + named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +

    +
    • +
  • +

    + named-checkconf now correctly reports missing + dnstap-output option when + dnstap is set. [GL #1136] +

    +
    • +
  • +

    + Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +

    +
    • +
  • +

    + dig now correctly expands the IPv6 address + when run with +expandaaaa +short. [GL #1152] +

    +
    • @@ -435,6 +518,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 645faa11f98..f448321ef9e 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index fba79d362ba..3e324a182d4 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 5816d8c2994..b77839528e0 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -537,6 +537,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index aa49467c004..e587f54fa30 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 6aefbb76f50..4a6d9086fb5 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.15.2

    +

    BIND Version 9.15.3

    Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")

    @@ -245,7 +245,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.15.2
    +
    Release Notes for BIND Version 9.15.3
    Introduction
    Note on Version Numbering
    @@ -443,6 +443,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 6b4cbd7d8b5..596f06cbaa5 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index e1b46d1f74f..11f1d0db1b8 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index ea3af069246..a5a6303eae2 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 91606a9d536..9e42f2bf9b1 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -101,7 +101,7 @@ delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow - CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records + CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and @@ -211,10 +211,7 @@

    Keys that do not match the root zone name are ignored. An alternate key name can be specified using the - +root=NAME options. DNSSEC Lookaside - Validation can also be turned on by using the - +dlv=NAME to specify the name of a - zone containing DLV records. + +root=NAME options.

    Note: When reading the trust anchor file, @@ -538,14 +535,13 @@ request DNSSEC records or whether to validate them. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of - -i or +noroot and - +nodlv. + -i or +noroot.

    +[no]root[=ROOT]

    - Indicates whether to perform conventional (non-lookaside) + Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is @@ -554,15 +550,6 @@ containing the key.

    -
    +[no]dlv[=DLV]
    -
    -

    - Indicates whether to perform DNSSEC lookaside validation, - and if so, specifies the name of the DLV trust anchor. - The -a option must also be used to specify - a file containing the DLV key. -

    -
    +[no]tcp

    @@ -628,6 +615,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index bacfbabe3b8..421d213a624 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -499,16 +499,28 @@

    Toggles the printing of the initial comment in the - output identifying the version of dig - and the query options that have been applied. This - comment is printed by default. + output, identifying the version of dig + and the query options that have been applied. This option + always has global effect; it cannot be set globally + and then overridden on a per-lookup basis. The default + is to print this comment.

    +[no]comments

    - Toggle the display of comment lines in the output. - The default is to print comments. + Toggles the display of some comment lines in the output, + containing information about the packet header and + OPT pseudosection, and the names of the response + section. The default is to print these comments. +

    +

    + Other types of comments in the output are not affected by + this option, but can be controlled using other command + line switches. These include +[no]cmd, + +[no]question, + +[no]stats, and + +[no]rrcomments.

    +[no]cookie[=####]
    @@ -782,14 +794,14 @@
    +[no]qr

    - Print [do not print] the query as it is sent. By - default, the query is not printed. + Toggles the display of the query message as it is sent. + By default, the query is not printed.

    +[no]question

    - Print [do not print] the question section of a query + Toggles the display of the question section of a query when an answer is returned. The default is to print the question section as a comment.

    @@ -859,7 +871,9 @@

    Provide a terse answer. The default is to print the - answer in a verbose form. + answer in a verbose form. This option always has global + effect; it cannot be set globally and then overridden on + a per-lookup basis.

    +[no]showsearch
    @@ -892,10 +906,9 @@
    +[no]stats

    - This query option toggles the printing of statistics: - when the query was made, the size of the reply and - so on. The default behavior is to print the query - statistics. + Toggles the printing of statistics: when the query was made, + the size of the reply and so on. The default behavior is to + print the query statistics as a comment after each lookup.

    +[no]subnet=addr[/prefix-length]
    @@ -1160,6 +1173,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 03ad0c27c14..01ab2e26849 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 34697166b20..046c9fc714d 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -64,9 +64,8 @@

    DESCRIPTION

    dnssec-checkds - verifies the correctness of Delegation Signer (DS) or DNSSEC - Lookaside Validation (DLV) resource records for keys in a specified - zone. + verifies the correctness of Delegation Signer (DS) + resource records for keys in a specified zone.

    @@ -78,7 +77,7 @@

    Specify a digest algorithm to use when converting the - zone's DNSKEY records to expected DS or DLV records. This + zone's DNSKEY records to expected DS records. This option can be repeated, so that multiple records are checked for each DNSKEY record.

    @@ -97,13 +96,6 @@ then the DNSKEY records for the zone are looked up in the DNS.

    -
    -l domain
    -
    -

    - Check for a DLV record in the specified lookaside domain, - instead of checking for a DS record in the zone's parent. -

    -
    -s file

    @@ -164,6 +156,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 2025f5445bd..41a8bd5d36b 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 681dc2f576a..afab0097927 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -115,10 +115,8 @@

    The dnssec-dsfromkey command outputs DS (Delegation - Signer) resource records (RRs) and other similarly-constructed RRs: - with the -l option it outputs DLV (DNSSEC Lookaside - Validation) RRs; or with the -C it outputs CDS (Child - DS) RRs. + Signer) resource records (RRs), or CDS (Child DS) RRs with the + -C option.

    @@ -200,9 +198,7 @@

    -C

    - Generate CDS records rather than DS records. This is mutually - exclusive with the -l option for generating DLV - records. + Generate CDS records rather than DS records.

    -f file
    @@ -237,16 +233,6 @@ directory.

    -
    -l domain
    -
    -

    - Generate a DLV set instead of a DS set. The specified - domain is appended to the name for each - record in the set. - This is mutually exclusive with the -C option - for generating CDS records. -

    -
    -s

    @@ -329,7 +315,6 @@ , BIND 9 Administrator Reference Manual, RFC 3658 (DS RRs), - RFC 4431 (DLV RRs), RFC 4509 (SHA-256 for DS RRs), RFC 6605 (SHA-384 for DS RRs), RFC 7344 (CDS and CDNSKEY RRs). @@ -356,6 +341,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 4af7389105c..277d47e322c 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 5cdb1c7cc38..fae9624d214 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 681b6006e71..aa51c19e1ff 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -555,6 +555,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index dcd80611d06..a852d7d1d64 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index e643822847f..836e556bfba 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index e12f2f04b22..ae4d75fcdb5 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 85c05a4e2c7..9ee84c9c2fe 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -73,6 +73,7 @@ [-O output-format] [-P] [-Q] + [-q] [-R] [-S] [-s start-time] @@ -191,13 +192,6 @@ key flags. This option may be specified multiple times.

    -
    -l domain
    -
    -

    - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. -

    -
    -M maxttl

    @@ -447,6 +441,18 @@ RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").

    +
    -q
    +
    +

    + Quiet mode: Suppresses unnecessary output. Without this + option, when dnssec-signzone is run it + will print to standard output the number of keys in use, + the algorithms used to verify the zone was signed correctly + and other status information, and finally the filename + containing the signed zone. With it, that output is + suppressed, leaving only the filename. +

    +
    -R

    @@ -701,6 +707,6 @@ db.example.com.signed -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 1d43e7862f1..e7c8dfe36de 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -55,6 +55,7 @@ [-E engine] [-I input-format] [-o origin] + [-q] [-v level] [-V] [-x] @@ -130,6 +131,17 @@ Prints version information.

    +
    -q
    +
    +

    + Quiet mode: Suppresses output. Without this option, when + dnssec-verify is run it will print to + standard output the number of keys in use, the algorithms + used to verify the zone was signed correctly and other + status information. With it, all non-error output is + suppressed, and only the exit code will indicate success. +

    +
    -x

    @@ -202,6 +214,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 026f5aee554..aa026c985b3 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 336db83a2ec..1c141aeacbc 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index e5ba905b7bb..e877b34d88d 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 8901ea0f6b1..4fc655a7064 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -604,6 +604,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 24c6740cbfc..432855a55e1 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -214,6 +214,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index e3191372c10..35875aa335d 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 621d56ccdd4..a21a7db81b7 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 98e0e284823..41ec8298fc8 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index f595264f9e4..96b6c00f7b9 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 91db3c2a128..62937c856c2 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -157,7 +157,6 @@ logging

    -

    MANAGED-KEYS

    Deprecated - see DNSSEC-KEYS.

    @@ -228,7 +227,7 @@ options check-srv-cname ( fail | warn | ignore );
    check-wildcard boolean;
    clients-per-query integer;
    - cookie-algorithm ( aes | sha1 | sha256 );
    + cookie-algorithm ( aes | siphash24 );
    cookie-secret string;
    coresize ( default | unlimited | sizeval );
    datasize ( default | unlimited | sizeval );
    @@ -259,9 +258,6 @@ options dnssec-accept-expired boolean;
    dnssec-dnskey-kskonly boolean;
    dnssec-loadkeys-interval integer;
    - dnssec-lookaside ( string
    -     trust-anchor string |
    -     auto | no ); deprecated
    dnssec-must-be-secure string boolean;
    dnssec-secure-to-insecure boolean;
    dnssec-update-mode ( maintain | no-resign );
    @@ -625,9 +621,6 @@ view     initial-key ) integer integer
        integer quoted_string; ... };
    dnssec-loadkeys-interval integer;
    - dnssec-lookaside ( string
    -     trust-anchor string |
    -     auto | no ); deprecated
    dnssec-must-be-secure string boolean;
    dnssec-secure-to-insecure boolean;
    dnssec-update-mode ( maintain | no-resign );
    @@ -877,7 +870,6 @@ view masters [ port integer ] [ dscp integer ] { ( masters
        | ipv4_address [ port integer ] | ipv6_address [
        port integer ] ) [ key string ]; ... };
    - max-ixfr-log-size ( default | unlimited |
    max-journal-size ( default | unlimited | sizeval );
    max-records integer;
    max-refresh-time integer;
    @@ -897,7 +889,6 @@ view notify-source-v6 ( ipv6_address | * ) [ port ( integer
        | * ) ] [ dscp integer ];
    notify-to-soa boolean;
    - pubkey integer integer integer
    request-expire boolean;
    request-ixfr boolean;
    serial-update-method ( date | increment | unixtime );
    @@ -1078,6 +1069,6 @@ zone
    -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 9cf4c5995ff..fded4b86d46 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index fa3b03f9b6c..60a2864f064 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index ebd6b28ece7..5cb59265384 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 593835652f8..6bed8666eb5 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index da69a368af6..0ea382049d5 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index c8e69aaed61..331e5931cf4 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 256cbfae57c..cdc7c7445b7 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 1b61529db40..25cbdda6988 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index bcff2d6822d..c376895c3a0 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 970e3c97591..3d2bde23f5c 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 340416aabe6..f113c42d60e 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1017,6 +1017,6 @@ -

    BIND 9.15.2 (Development Release)

    +

    BIND 9.15.3 (Development Release)

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 5557461d722..6e6493cbf0b 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.15.2

    +Release Notes for BIND Version 9.15.3

    @@ -194,6 +194,11 @@ as a result of a zone update. [GL #513]

    +
  • +

    + Statistics channel groups are now toggleable. [GL #1030] +

    +

    • @@ -216,8 +221,13 @@

  • - The dnssec-lookaside option has been deprecated. - The feature still works, but it is discouraged to use it. [GL #7] + DNSSEC Lookaside Validation (DLV) is now obsolete. + The dnssec-lookaside option has been + marked as deprecated; when used in named.conf, + it will generate a warning but will otherwise be ignored. + All code enabling the use of lookaside validation has been removed + from the validator, delv, and the DNSSEC tools. + [GL #7]

    • @@ -230,9 +240,7 @@

  • named will now log a warning if - a static key is configured for the root zone, or if - any key is configured for "dlv.isc.org", which has been shut - down. [GL #6] + a static key is configured for the root zone. [GL #6]

  • @@ -275,6 +283,40 @@ installation path as an optional argument.

    • +
  • +

    + A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This changes doesn't have any operational impact + in most common scenarios. [GL #605] +

    +

    + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +

    +
    • +
  • +

    + The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. +

    +
    • +
  • +

    + DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +

    +
    • @@ -320,6 +362,47 @@ to root priming queries; this has been corrected. [GL #1092]

    +
  • +

    + Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +

    +
    • +
  • +

    + Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +

    +
    • +
  • +

    + named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +

    +
    • +
  • +

    + named-checkconf now correctly reports missing + dnstap-output option when + dnstap is set. [GL #1136] +

    +
    • +
  • +

    + Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +

    +
    • +
  • +

    + dig now correctly expands the IPv6 address + when run with +expandaaaa +short. [GL #1152] +

    +
    • diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 31392670750..c2090f9e100 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index ce9239ec647..896a7ad6463 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.15.2 +Release Notes for BIND Version 9.15.3 Introduction @@ -107,6 +107,8 @@ New Features maintenance, as opposed to having been generated as a result of a zone update. [GL #513] + * Statistics channel groups are now toggleable. [GL #1030] + Removed Features * The dnssec-enable option has been obsoleted and no longer has any @@ -115,14 +117,16 @@ Removed Features * The cleaning-interval option has been removed. [GL !1731] - * The dnssec-lookaside option has been deprecated. The feature still - works, but it is discouraged to use it. [GL #7] + * DNSSEC Lookaside Validation (DLV) is now obsolete. The + dnssec-lookaside option has been marked as deprecated; when used in + named.conf, it will generate a warning but will otherwise be ignored. + All code enabling the use of lookaside validation has been removed + from the validator, delv, and the DNSSEC tools. [GL #7] Feature Changes * named will now log a warning if a static key is configured for the - root zone, or if any key is configured for "dlv.isc.org", which has - been shut down. [GL #6] + root zone. [GL #6] * When static and managed DNSSEC keys were both configured for the same name, or when a static key was used to configure a trust anchor for @@ -146,6 +150,29 @@ Feature Changes custom path to the json-c library as the new configure option does not take the library installation path as an optional argument. + * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This changes doesn't have any operational impact + in most common scenarios. [GL #605] + + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. + + * The information from the dnssec-signzone and dnssec-verify commands is + now printed to standard output. The standard error output is only used + to print warnings and errors, and in case the user requests the signed + zone to be printed to standard output with -f - option. A new + configuration option -q has been added to silence all output on + standard output except for the name of the signed zone. + + * DS records included in DNS referral messages can now be validated and + cached immediately, reducing the number of queries needed for a DNSSEC + validation. [GL #964] + Bug Fixes * The allow-update and allow-update-forwarding options were @@ -167,6 +194,28 @@ Bug Fixes * Glue address records were not being returned in responses to root priming queries; this has been corrected. [GL #1092] + * Cache database statistics counters could report invalid values when + stale answers were enabled, because of a bug in counter maintenance + when cache data becomes stale. The statistics counters have been + corrected to report the number of RRsets for each RR type that are + active, stale but still potentially served, or stale and marked for + deletion. [GL #602] + + * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause + unexpected results; this has been fixed. [GL #1106] + + * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are + zero. [GL #1159] + + * named-checkconf now correctly reports missing dnstap-output option + when dnstap is set. [GL #1136] + + * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL # + 1133] + + * dig now correctly expands the IPv6 address when run with +expandaaaa + +short. [GL #1152] + License BIND is open source software licensed under the terms of the Mozilla diff --git a/doc/misc/options b/doc/misc/options index f06de0a369a..509cc38cf9a 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -193,7 +193,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + geoip-directory ( | none ); // not configured geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // ancient @@ -214,7 +214,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); maintain-ixfr-base ; // ancient managed-keys-directory ; @@ -565,7 +565,7 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; + lmdb-mapsize ; // non-operational maintain-ixfr-base ; // ancient managed-keys { ( static-key | initial-key diff --git a/doc/misc/options.active b/doc/misc/options.active index 9820f026ac0..21e47dc1528 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -175,7 +175,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + geoip-directory ( | none ); // not configured glue-cache ; heartbeat-interval ; hostname ( | none ); @@ -192,7 +192,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); managed-keys-directory ; masterfile-format ( map | raw | text ); @@ -506,7 +506,7 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; + lmdb-mapsize ; // non-operational managed-keys { ( static-key | initial-key )