From: Evan Hunt Date: Fri, 8 Jun 2018 20:23:21 +0000 (-0700) Subject: prepare 9.11.4rc1 X-Git-Tag: v9.11.4rc1^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37f469d329d1bceb9a0cd6e1f7be90b7c1935a3f;p=thirdparty%2Fbind9.git prepare 9.11.4rc1 --- diff --git a/CHANGES b/CHANGES index 7e6beb6d6c2..cd1b6cc1b8e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.11.4rc1 released --- + 4968. [bug] If glue records are signed, attempt to validate them. [GL #209] diff --git a/HISTORY b/HISTORY index 19af311c9ff..f3df8d02cd8 100644 --- a/HISTORY +++ b/HISTORY @@ -394,4 +394,3 @@ BIND 9.2.0 DNSSEC implementation is still considered experimental. For detailed information about the state of the DNSSEC implementation, see the file doc/misc/dnssec. - diff --git a/OPTIONS b/OPTIONS index 0b12540301b..d934a0505c0 100644 --- a/OPTIONS +++ b/OPTIONS @@ -30,4 +30,3 @@ Setting Description Disable the use of inline functions to implement -DISC_BUFFER_USEINLINE=0 the isc_buffer API: this reduces performance but may be useful when debugging - diff --git a/README b/README index aca1a8e0a4f..1c55d37547e 100644 --- a/README +++ b/README @@ -245,6 +245,11 @@ BIND 9.11.3 BIND 9.11.3 is a maintenance release, and addresses the security flaw disclosed in CVE-2017-3145. +BIND 9.11.4 + +BIND 9.11.3 is a maintenance release, and addresses the security flaw +disclosed in CVE-2018-5738. + Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/README.md b/README.md index 197022faa3a..cc036b823a2 100644 --- a/README.md +++ b/README.md 
@@ -261,6 +261,11 @@ store data related to zones added via `rndc addzone` or catalog zones. BIND 9.11.3 is a maintenance release, and addresses the security flaw disclosed in CVE-2017-3145. +#### BIND 9.11.4 + +BIND 9.11.3 is a maintenance release, and addresses the security flaw +disclosed in CVE-2018-5738. + ### Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 68755b35aa6..705a9731884 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" This Source Code Form is subject to the terms of the Mozilla Public .\" License, v. 2.0. If a copy of the MPL was not distributed with this @@ -131,5 +131,5 @@ BIND 9 Administrator Reference Manual\&. \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index f85080a5404..927b9e77d78 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -1,6 +1,6 @@ + @@ -14,14 +15,14 @@

-Release Notes for BIND Version 9.11.3

+Release Notes for BIND Version 9.11.4rc1

Introduction

This document summarizes changes since the last production - release on the BIND 9.11 branch. + release on the BIND 9.11 (Extended Support Version) branch. Please see the CHANGES file for a further list of bug fixes and other changes.

@@ -41,35 +42,6 @@

-New DNSSEC Root Key

-

- ICANN is in the process of introducing a new Key Signing Key (KSK) for - the global root zone. BIND has multiple methods for managing DNSSEC - trust anchors, with somewhat different behaviors. If the root - key is configured using the managed-keys - statement, or if the pre-configured root key is enabled by using - dnssec-validation auto, then BIND can keep keys up - to date automatically. Servers configured in this way should have - begun the process of rolling to the new key when it was published in - the root zone in July 2017. However, keys configured using the - trusted-keys statement are not automatically - maintained. If your server is performing DNSSEC validation and is - configured using trusted-keys, you are advised to - change your configuration before the root zone begins signing with - the new KSK. This is currently scheduled for October 11, 2017. -

-

- This release includes an updated version of the - bind.keys file containing the new root - key. This file can also be downloaded from - - https://www.isc.org/bind-keys - . -

-
- -
-

License Change

With the release of BIND 9.11.0, ISC changed to the open @@ -111,72 +83,51 @@

Security Fixes

-
    -
  • -

    - An error in TSIG handling could permit unauthorized zone - transfers or zone updates. These flaws are disclosed in - CVE-2017-3142 and CVE-2017-3143. [RT #45383] -

    -
  • -
  • -

    - The BIND installer on Windows used an unquoted service path, - which can enable privilege escalation. This flaw is disclosed - in CVE-2017-3141. [RT #45229] -

    -
  • -
  • +
    • - With certain RPZ configurations, a response with TTL 0 - could cause named to go into an infinite - query loop. This flaw is disclosed in CVE-2017-3140. - [RT #45181] + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

      -
    • -
    • -

      - Addresses could be referenced after being freed during resolver - processing, causing an assertion failure. The chances of this - happening were remote, but the introduction of a delay in - resolution increased them. This bug is disclosed in - CVE-2017-3145. [RT #46839] -

      -
    • -
    • -

      - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. If the name field was omitted - from the rule declaration and a type list was present it wouldn't - be interpreted as expected. -

      -
    • -
    +

-Removed Features

+New Features
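Review bot: the new CVE-2018-5738 entry in the Security Fixes list says only that the problem occurs when allow-recursion and allow-query-cache "are not specified", which leaves operators to infer their exposure; add one sentence stating plainly that servers that set both ACLs explicitly in named.conf are not affected, and that the fix restores the default described here (limited to local networks) for servers that leave them unset. Since notes.html is generated output, that sentence belongs in the corresponding paragraph of doc/arm/notes.xml, where the same wording appears in this commit.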
@@ -184,29 +135,15 @@

-Protocol Changes

-
    -
  • -

    - BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC - signing algorithms described in RFC 8080. Note, however, that - these algorithms must be supported in OpenSSL; - currently they are only available in the development branch - of OpenSSL at - - https://github.com/openssl/openssl. - [RT #44696] -

    -
  • -
  • +Removed Features
+
+
@@ -215,47 +152,19 @@
  • - named will no longer start or accept - reconfiguration if managed-keys or - dnssec-validation auto are in use and - the managed-keys directory (specified by - managed-keys-directory, and defaulting - to the working directory if not specified), - is not writable by the effective user ID. [RT #46077] -

    -
  • -
  • -

    - Previously, update-policy local; accepted - updates from any source so long as they were signed by the - locally-generated session key. This has been further restricted; - updates are now only accepted from locally configured addresses. - [RT #45492] -

    -
  • -
  • -

    - dig +ednsopt now accepts the names - for EDNS options in addition to numeric values. For example, - an EDNS Client-Subnet option could be sent using - dig +ednsopt=ecs:.... Thanks to - John Worley of Secure64 for the contribution. [RT #44461] -

    -
  • -
  • -

    - Threads in named are now set to human-readable - names to assist debugging on operating systems that support that. - Threads will have names such as "isc-timer", "isc-sockmgr", - "isc-worker0001", and so on. This will affect the reporting of - subsidiary thread names in ps and - top, but not the main thread. [RT #43234] + dig +noidnin can be used to disable IDN + processing on the input domain name, when BIND is compiled + with IDN support.

  • - DiG now warns about .local queries which are reserved for - Multicast DNS. [RT #44783] + Multiple cookie-secret clause are now + supported. The first cookie-secret in + named.conf is used to generate new + server cookies. Any others are used to accept old server + cookies or those generated by other servers using the + matching cookie-secret.

@@ -264,100 +173,23 @@

Bug Fixes

-
    -
  • -

    - Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] -

    -
  • -
  • -

    - When named was reconfigured, failure of some - zones to load correctly could leave the system in an inconsistent - state; while generally harmless, this could lead to a crash later - when using rndc addzone. Reconfiguration changes - are now fully rolled back in the event of failure. [RT #45841] -

    -
  • -
  • -

    - Fixed a bug that was introduced in an earlier development - release which caused multi-packet AXFR and IXFR messages to fail - validation if not all packets contained TSIG records; this - caused interoperability problems with some other DNS - implementations. [RT #45509] -

    -
  • -
  • +
    • - Reloading or reconfiguring named could - fail on some platforms when LMDB was in use. [RT #45203] + rndc reload could cause named + to leak memory if it was invoked before the zone loading actions + from a previous rndc reload command were + completed. [RT #47076]

      -
    • -
    • -

      - Due to some incorrectly deleted code, when BIND was - built with LMDB, zones that were deleted via - rndc delzone were removed from the - running server but were not removed from the new zone - database, so that deletion did not persist after a - server restart. This has been corrected. [RT #45185] -

      -
    • -
    • -

      - Semicolons are no longer escaped when printing CAA and - URI records. This may break applications that depend on the - presence of the backslash before the semicolon. [RT #45216] -

      -
    • -
    • -

      - AD could be set on truncated answer with no records present - in the answer and authority sections. [RT #45140] -

      -
    • -
    • -

      - Some header files included <isc/util.h> incorrectly as - it pollutes with namespace with non ISC_ macros and this should - only be done by explicitly including <isc/util.h>. This - has been corrected. Some code may depend on <isc/util.h> - being implicitly included via other header files. Such - code should explicitly include <isc/util.h>. -

      -
    • -
    • -

      - Zones created with rndc addzone could - temporarily fail to inherit the allow-transfer - ACL set in the options section of - named.conf. [RT #46603] -

      -
    • -
    • -

      - named failed to properly determine whether - there were active KSK and ZSK keys for an algorithm when - update-check-ksk was true (which is the - default setting). This could leave records unsigned - when rolling keys. [RT #46743] [RT #46754] [RT #46774] -

      -
    • -
    +

End of Life

- The end of life for BIND 9.11 is yet to be determined but - will not be before BIND 9.13.0 has been released for 6 months. - https://www.isc.org/downloads/software-support-policy/ + BIND 9.11 (Extended Support Version) will be supported until at + least December, 2021. + See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 56f1bb6336b..1a5491f832a 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index be47b989765..abdab2f4149 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,28 +1,10 @@ -Release Notes for BIND Version 9.13.0 +Release Notes for BIND Version 9.11.4rc1 Introduction -BIND 9.13 is an unstable development release of BIND. This document -summarizes new features and functional changes that have been introduced -on this branch. With each development release leading up to the stable -BIND 9.14 release, this document will be updated with additional features -added and bugs fixed. - -Note on Version Numbering - -Prior to BIND 9.13, new feature development releases were tagged as -"alpha" and "beta", leading up to the first stable release for a given -development branch, which always ended in ".0". - -Now, however, BIND has adopted the "odd-unstable/even-stable" release -numbering convention. There will be no "alpha" or "beta" releases in the -9.13 branch, only increasing version numbers. So, for example, what would -previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will -instead be called 9.13.0, 9.13.1, 9.13.2, etc. - -The first stable release from this development branch will be renamed as -9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch, -while unstable feature development proceeds in 9.15. +This document summarizes changes since the last production release on the +BIND 9.11 (Extended Support Version) branch. Please see the CHANGES file +for a further list of bug fixes and other changes. Download 
@@ -31,114 +13,88 @@ www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -Security Fixes +License Change - * None. +With the release of BIND 9.11.0, ISC changed to the open source license +for BIND from the ISC license to the Mozilla Public License (MPL 2.0). -New Features +The MPL-2.0 license requires that if you make changes to licensed software +(e.g. BIND) and distribute them outside your organization, that you +publish those changes under that same license. It does not require that +you publish or disclose anything other than the changes you made to our +software. - * BIND now can be compiled against the libidn2 library to add IDNA2008 - support. Previously, BIND supported IDNA2003 using the (now obsolete - and unsupported) idnkit-1 library. +This requirement will not affect anyone who is using BIND, with or without +modifications, without redistributing it, nor anyone redistributing it +without changes. Therefore, this change will be without consequence for +most individuals and organizations who are using BIND. - * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate to which trust anchors are configured - for the root, so that information about root key rollover status can - be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. +Those unsure whether or not the license change affects their use of BIND, +or who wish to discuss how to comply with the license may contact ISC at +https://www.isc.org/mission/contact/. - * The dnskey-sig-validity option allows the sig-validity-interval to be - overriden for signatures covering DNSKEY RRsets. [GL #145] +Legacy Windows No Longer Supported -Removed Features +As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported +platforms for BIND; "XP" binaries are no longer available for download +from ISC. 
- * dnssec-keygen can no longer generate HMAC keys for TSIG - authentication. Use tsig-keygen to generate these keys. [RT #46404] +Security Fixes - * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or - greater, or LibreSSL is now required. + * When recursion is enabled but the allow-recursion and + allow-query-cache ACLs are not specified, they should be limited to + local networks, but they were inadvertently set to match the default + allow-query, thus allowing remote queries. This flaw is disclosed in + CVE-2018-5738. [GL #309] - * The configure --enable-seccomp option, which formerly turned on - system-call filtering on Linux, has been removed. [GL #93] +New Features - * IPv4 addresses in forms other than dotted-quad are no longer accepted - in master files. [GL #13] [GL #56] + * named now supports the "root key sentinel" mechanism. This enables + validating resolvers to indicate which trust anchors are configured + for the root, so that information about root key rollover status can + be gathered. To disable this feature, add root-key-sentinel no; to + named.conf. - * IDNA2003 support via (bundled) idnkit-1.0 has been removed. + * Added the ability not to return a DNS COOKIE option when one is + present in the request. To prevent a cookie being returned, add + answer-cookie no; to named.conf. [GL #173] - * The "rbtdb64" database implementation (a parallel implementation of - "rbt") has been removed. [GL #217] + answer-cookie is only available as a temporary measure, for use when + named shares an IP address with other servers that do not yet support + DNS COOKIE. A mismatch between servers on the same address is not + expected to cause operational problems, but the option to disable + COOKIE responses so that all servers have the same behavior is + provided out of an abundance of caution. DNS COOKIE is an important + security mechanism and should not be disabled unless absolutely + necessary. 
The answer-cookie option is obsolete as of BIND 9.13. - * The -r randomdev option to explicitly select random device has been - removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen, - and dnssec-signzone commands. +Removed Features - The -p option to use pseudo-random data has been removed from the - dnssec-signzone command. + * named will now log a warning if the old BIND now can be compiled + against libidn2 library to add IDNA2008 support. Previously BIND only + supported IDNA2003 using (now obsolete) idnkit-1 library. Feature Changes - * BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where it is - compiled. It will use arc4random() family of functions on BSD - operating systems, getrandom() on Linux and Solaris, CryptGenRandom on - Windows, and the selected cryptography provider library (OpenSSL or - PKCS#11) as the last resort. [GL #221] - - * BIND can no longer be built without DNSSEC support. A cryptography - provder (i.e., OpenSSL or a hardware service module with PKCS#11 - support) must be available. [GL #244] - - * Zone types primary and secondary are now available as synonyms for - master and slave, respectively, in named.conf. - - * named will now log a warning if the old root DNSSEC key is explicitly - configured and has not been updated. [RT #43670] - - * dig +nssearch will now list name servers that have timed out, in - addition to those that respond. [GL #64] - * dig +noidnin can be used to disable IDN processing on the input domain name, when BIND is compiled with IDN support. - * Up to 64 response-policy zones are now supported by default; - previously the limit was 32. [GL #123] - - * Several configuration options for time periods can now use TTL value - suffixes (for example, 2h or 1d) in addition to an integer number of - seconds. 
These include fstrm-set-reopen-interval, interface-interval, - max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval - . [GL #203] + * Multiple cookie-secret clause are now supported. The first + cookie-secret in named.conf is used to generate new server cookies. + Any others are used to accept old server cookies or those generated by + other servers using the matching cookie-secret. Bug Fixes - * None. - -License - -BIND is open source software licenced under the terms of the Mozilla -Public License, version 2.0 (see the LICENSE file for the full text). - -The license requires that if you make changes to BIND and distribute them -outside your organization, those changes must be published under the same -license. It does not require that you publish or disclose anything other -than the changes you have made to our software. This requirement does not -affect anyone who is using BIND, with or without modifications, without -redistributing it, nor anyone redistributing BIND without changes. - -Those wishing to discuss license compliance may contact ISC at https:// -www.isc.org/mission/contact/. + * rndc reload could cause named to leak memory if it was invoked before + the zone loading actions from a previous rndc reload command were + completed. [RT #47076] End of Life -BIND 9.13 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.14, which will be a stable branch. - -The end of life date for BIND 9.14 has not yet been determined. For those -needing long term support, the current Extended Support Version (ESV) is -BIND 9.11, which will be supported until at least December 2021. See -https://www.isc.org/downloads/software-support-policy/ for details of -ISC's software support policy. +BIND 9.11 (Extended Support Version) will be supported until at least +December, 2021. See https://www.isc.org/downloads/software-support-policy/ +for details of ISC's software support policy. Thank You 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 1e72e2b21c3..5b24aac9949 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -92,16 +92,21 @@ - Add root key sentinel support which enables resolvers to test - which trust anchors are configured for the root. To disable, add - 'root-key-sentinel no;' to named.conf. [GL #37] + named now supports the "root key sentinel" + mechanism. This enables validating resolvers to indicate + which trust anchors are configured for the root, so that + information about root key rollover status can be gathered. + To disable this feature, add + root-key-sentinel no; to + named.conf. - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add 'answer-cookie no;' to named.conf. [GL #173] + Added the ability not to return a DNS COOKIE option when one + is present in the request. To prevent a cookie being returned, + add answer-cookie no; to + named.conf. [GL #173] answer-cookie is only available as a @@ -122,26 +127,6 @@
Removed Features - - - The ISC DNSSEC Lookaside Validation (DLV) service has - been shut down; all DLV records in the dlv.isc.org zone - have been removed. References to the service have been - removed from BIND documentation. Lookaside validation - is no longer used by default by delv. - The DLV key has been removed from bind.keys. - Setting dnssec-lookaside to - auto or to use dlv.isc.org as a trust - anchor results in a warning being issued. - - - - - named will now log a warning if the old - root DNSSEC key is explicitly configured and has not been updated. - [RT #43670] - - named will now log a warning if the old @@ -153,87 +138,8 @@
-
Protocol Changes - - - - BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC - signing algorithms described in RFC 8080. Note, however, that - these algorithms must be supported in OpenSSL; - currently they are only available in the development branch - of OpenSSL at - - https://github.com/openssl/openssl. - [RT #44696] - - - - - When parsing DNS messages, EDNS KEY TAG options are checked - for correctness. When printing messages (for example, in - dig), EDNS KEY TAG options are printed - in readable format. - - - - - rndc reload could cause named - to leak memory if it was invoked before the zone loading actions - from a previous rndc reload command were - completed. [RT #47076] - - - -
-
Feature Changes - - - named will no longer start or accept - reconfiguration if managed-keys or - dnssec-validation auto are in use and - the managed-keys directory (specified by - managed-keys-directory, and defaulting - to the working directory if not specified), - is not writable by the effective user ID. [RT #46077] - - - - - Previously, update-policy local; accepted - updates from any source so long as they were signed by the - locally-generated session key. This has been further restricted; - updates are now only accepted from locally configured addresses. - [RT #45492] - - - - - dig +ednsopt now accepts the names - for EDNS options in addition to numeric values. For example, - an EDNS Client-Subnet option could be sent using - dig +ednsopt=ecs:.... Thanks to - John Worley of Secure64 for the contribution. [RT #44461] - - - - - Threads in named are now set to human-readable - names to assist debugging on operating systems that support that. - Threads will have names such as "isc-timer", "isc-sockmgr", - "isc-worker0001", and so on. This will affect the reporting of - subsidiary thread names in ps and - top, but not the main thread. [RT #43234] - - - - - DiG now warns about .local queries which are reserved for - Multicast DNS. [RT #44783] - - dig +noidnin can be used to disable IDN 
@@ -258,85 +164,10 @@ - Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] - - - - - When named was reconfigured, failure of some - zones to load correctly could leave the system in an inconsistent - state; while generally harmless, this could lead to a crash later - when using rndc addzone. Reconfiguration changes - are now fully rolled back in the event of failure. [RT #45841] - - - - - Fixed a bug that was introduced in an earlier development - release which caused multi-packet AXFR and IXFR messages to fail - validation if not all packets contained TSIG records; this - caused interoperability problems with some other DNS - implementations. [RT #45509] - - - - - Reloading or reconfiguring named could - fail on some platforms when LMDB was in use. [RT #45203] - - - - - Due to some incorrectly deleted code, when BIND was - built with LMDB, zones that were deleted via - rndc delzone were removed from the - running server but were not removed from the new zone - database, so that deletion did not persist after a - server restart. This has been corrected. [RT #45185] - - - - - Semicolons are no longer escaped when printing CAA and - URI records. This may break applications that depend on the - presence of the backslash before the semicolon. [RT #45216] - - - - - AD could be set on truncated answer with no records present - in the answer and authority sections. [RT #45140] - - - - - Some header files included <isc/util.h> incorrectly as - it pollutes with namespace with non ISC_ macros and this should - only be done by explicitly including <isc/util.h>. This - has been corrected. Some code may depend on <isc/util.h> - being implicitly included via other header files. Such - code should explicitly include <isc/util.h>. 
- - - - - Zones created with rndc addzone could - temporarily fail to inherit the allow-transfer - ACL set in the options section of - named.conf. [RT #46603] - - - - - named failed to properly determine whether - there were active KSK and ZSK keys for an algorithm when - update-check-ksk was true (which is the - default setting). This could leave records unsigned - when rolling keys. [RT #46743] [RT #46754] [RT #46774] + rndc reload could cause named + to leak memory if it was invoked before the zone loading actions + from a previous rndc reload command were + completed. [RT #47076] diff --git a/doc/misc/options b/doc/misc/options index 3b251521d72..a3f9b6c6472 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -87,6 +87,7 @@ options { ] [ dscp ]; alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; + answer-cookie ; attach-cache ; auth-nxdomain ; // default changed auto-dnssec ( allow | maintain | off ); @@ -114,7 +115,7 @@ options { cleaning-interval ; clients-per-query ; cookie-algorithm ( aes | sha1 | sha256 ); - cookie-secret ; + cookie-secret ; // may occur multiple times coresize ( default | unlimited | ); datasize ( default | unlimited | ); deallocate-on-exit ; // obsolete @@ -608,8 +609,8 @@ view [ ] { min-ns-dots ] [ nsip-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ]; rfc2308-type1 ; // not yet implemented - root-key-sentinel ; root-delegation-only [ exclude { ; ... } ]; + root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; send-cookie ; diff --git a/isc-config.sh.1 b/isc-config.sh.1 index 70d53416ed6..8bec2c7927f 100644 --- a/isc-config.sh.1 +++ b/isc-config.sh.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" This Source Code Form is subject to the terms of the Mozilla Public .\" License, v. 2.0. If a copy of the MPL was not distributed with this 
@@ -91,5 +91,5 @@ returns an exit status of 1 if invoked with invalid arguments or no arguments at \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/isc-config.sh.html b/isc-config.sh.html index e298a5ffe2f..937e7226398 100644 --- a/isc-config.sh.html +++ b/isc-config.sh.html @@ -1,6 +1,6 @@
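Review bot: the README hunk has a copy-paste error: under the newly added "BIND 9.11.4" heading the body still reads "BIND 9.11.3 is a maintenance release, and addresses the security flaw disclosed in CVE-2018-5738"; it should read "BIND 9.11.4 is a maintenance release, ...". The README.md hunk adds the identical paragraph under "#### BIND 9.11.4" and needs the same correction.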
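Review bot: in the doc/arm/notes.txt hunk (@@ -31,114 +13,88 @@) the "Removed Features" section gains a fused paragraph, "* named will now log a warning if the old BIND now can be compiled against libidn2 library to add IDNA2008 support. Previously BIND only supported IDNA2003 using (now obsolete) idnkit-1 library." Two separate entries have been run together, and the libidn2 entry describes an added capability, so it does not belong under Removed Features at all. The same hunk also adds "Multiple cookie-secret clause are now supported" under Feature Changes, which should read "clauses" (the identical wording appears in the notes.html hunk). Because notes.txt, notes.html and notes.pdf are generated from notes.xml, both fixes belong in the xml source; the notes.xml Removed Features hunk, which deletes the DLV and old-root-key paragraphs but leaves the context line "named will now log a warning if the old" behind, is the likely origin of the fused text and should be checked first.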
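Review bot: the doc/arm/notes.xml hunk at @@ -92,16 +92,21 @@ rewrites the root-key-sentinel paragraph and drops the "[GL #37]" issue reference that the replaced text carried, while the neighbouring answer-cookie paragraph keeps its "[GL #173]"; keep the reference in the new wording so the entry stays traceable to its issue, consistent with the other entries in the file.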