From: Peter van Dijk Date: Tue, 28 Jan 2020 13:33:24 +0000 (+0100) Subject: changelog, upgrade notes, secpoll for auth-4.3.0-beta1 X-Git-Tag: auth-4.3.0-beta2~52^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47fff195dc425f91e9a52aec593b21486ddfc23a;p=thirdparty%2Fpdns.git changelog, upgrade notes, secpoll for auth-4.3.0-beta1 --- diff --git a/docs/changelog/4.3.rst b/docs/changelog/4.3.rst index b8b0f391c7..fb07a6e235 100644 --- a/docs/changelog/4.3.rst +++ b/docs/changelog/4.3.rst 
@@ -1,6 +1,89 @@ Changelogs for 4.3.x ==================== +.. changelog:: + :version: 4.3.0-beta1 + :released: 31st of January 2020 + + This is the first beta for version 4.3.0 of the Authoritative Server. + Please see :doc:`the upgrade notes <../upgrading>` for some minor breaking changes. + + Some minor fixes have been left out from the list below; some other bugs may have been fixed accidentally as a result of the tremendous amount of work that goes into each of our major releases. + + As announced in `Backend removals in the upcoming Authoritative Server release `_, we have removed five backends. + + .. change:: + :tags: Changes + :pullreq: 8754 + + remove the implicit 5->7 algorithm upgrade + + .. change:: + :tags: Improvements + :pullreq: 8749 + + allow local-ipv6 until 4.4.0 + + .. change:: + :tags: New Features + :pullreq: 8594 + + add default-publish-{cds|cdnskey} options + + .. change:: + :tags: Changes + :pullreq: 8744 + + Make Lua mandatory for Auth (Chris Hofstaedtler) + + .. change:: + :tags: Improvements + :pullreq: 8681 + + Add metrics about the size of our in-memory rings + + .. change:: + :tags: Bug Fixes + :pullreq: 8628 + + make sure records from LMDB backend end up in the right packet section (Kees Monshouwer) + + .. change:: + :tags: Improvements + :pullreq: 8627 + + gpgsqlbackend: stop using prepared statements (Chris Hofstaedtler) + + .. change:: + :tags: Improvements + :pullreq: 8713 + + Enforce a strict maximum size for the packet and records caches + + .. change:: + :tags: New Features + :pullreq: 8701, 8732 + + remotebackend: Support alsoNotifies, setFresh, getUnfreshSlaveInfos + + .. change:: + :tags: Bug Fixes + :pullreq: 8649 + + Clear the TSIG algo between iterations in the API + + .. change:: + :tags: New Features + :pullreq: 8177 + + Add support for managing unpublished DNSSEC keys (Robin Geuze, TransIP) + + .. change:: + :tags: Bug Fixes + :pullreq: 8668 + + HTTP API: Allow DNAME in apex with SOA and NS records + .. 
changelog:: :version: 4.3.0-alpha1 :released: 10th of December 2019 @@ -8,9 +91,7 @@ Changelogs for 4.3.x This is the first alpha for version 4.3.0 of the Authoritative Server. Please see :doc:`the upgrade notes <../upgrading>` for some minor breaking changes. - Some minor fixes have been left out from the list below; some other bugs may have been fixed accidentally as a result of the tremendous amount of work that goes into each of our major releases. - As announced in `Backend removals in the upcoming Authoritative Server release `_, we have removed five backends. .. change:: :tags: Removed Features diff --git a/docs/secpoll.zone b/docs/secpoll.zone index a50ffc6445..82c9d37578 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020011600 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020013100 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -60,7 +60,8 @@ auth-4.2.0-rc2.security-status 60 IN TXT "2 Unsupported auth-4.2.0-rc3.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" auth-4.2.0.security-status 60 IN TXT "1 OK" auth-4.2.1.security-status 60 IN TXT "1 OK" -auth-4.3.0-alpha1.security-status 60 IN TXT "1 OK" +auth-4.3.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" +auth-4.3.0-beta1.security-status 60 IN TXT "1 OK" ; Auth Debian auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/" diff --git a/docs/settings.rst b/docs/settings.rst index a0da00d98e..3ecb23beae 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -818,7 +818,7 @@ big problems if you have multiple IP addresses. ---------------------------- .. versionchanged:: 4.3.0 - This setting has been removed, use :ref:`setting-localaddress-nonexist-fail` + This setting has been removed, use :ref:`setting-local-address-nonexist-fail` - Boolean - Default: no diff --git a/docs/upgrading.rst b/docs/upgrading.rst index 35ebbc3dad..b48c1dbf58 100644 --- a/docs/upgrading.rst +++ b/docs/upgrading.rst 
@@ -52,6 +52,14 @@ Removed settings - :ref:`setting-local-ipv6` has been deprecated, and will be removed in 4.4.0. IPv4 and IPv6 listen addresses can now be set with :ref:`setting-local-address`. The default for the latter has been changed to ``0.0.0.0, ::``. +Schema changes +^^^^^^^^^^^^^^ +- The new 'unpublished DNSSEC keys' feature comes with a mandatory schema change for all database backends (including BIND with a DNSSEC database). Please find files named "4.2.0_to_4.3.0_schema.X.sql" for your database backend in our Git repo, tarball, or distro-specific documentation path. For the LMDB backend, please review :ref:`setting-lmdb-schema-version`. + +Implicit 5->7 algorithm upgrades +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Since version 3.0 (the first version of the PowerDNS Authoritative Server that supported DNSSEC signing), we have automatically, silently, upgraded algorithm 5 (RSASHA1) keys to algorithm 7 (RSASHA1-NSEC3-SHA1) when the user enabled DNSSEC. This has been a source of confusion, and because of that, we introduced warnings for users of this feature in 4.0 and 4.1. To see if you are affected, run ``pdnsutil check-all-zones`` from version 4.0 or up. In this release, the automatic upgrade is gone, and affected zones will break if no action is taken. 4.1.X to 4.2.0 --------------
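Review bot: In the first docs/changelog/4.3.rst hunk (the new 4.3.0-beta1 entry), the change for pull request 8754, "remove the implicit 5->7 algorithm upgrade", is tagged only as Changes and does not say that it is breaking, although the upgrade note added to docs/upgrading.rst in this same patch states that affected zones will break if no action is taken. Suggest having that entry refer to the upgrade notes explicitly. As a style point, the entry summaries are inconsistently capitalised ("allow local-ipv6 until 4.4.0" against "Add metrics about the size of our in-memory rings"); picking one form would make the list read more evenly.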
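Review bot: In the second docs/changelog/4.3.rst hunk (the 4.3.0-alpha1 entry), the sentence ending "we have removed five backends" is deleted from alpha1 and now appears only under 4.3.0-beta1, while the ":tags: Removed Features" change that follows it stays in the alpha1 entry. A reader of the beta1 entry will look for the removals in a list that does not contain them. Suggest keeping the sentence with the alpha1 entry, or rewording the beta1 copy to say the removals happened in 4.3.0-alpha1.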
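Review bot: In the docs/secpoll.zone hunks, auth-4.3.0-alpha1 moves to "2 Unsupported pre-release (no known vulnerabilities)" and the SOA serial becomes 2020013100, but the commit is dated 28 January while the changelog in this patch gives 31st of January 2020 as the beta1 release date. If the zone is published before the release, alpha1 installations are reported as unsupported while beta1 is not yet available. Suggest confirming that the zone goes live together with the release, and that any further secpoll change made before then still ends up with a serial higher than the one already published.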
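Review bot: In the docs/settings.rst hunk, the old target "setting-localaddress-nonexist-fail" differs from the corrected "setting-local-address-nonexist-fail" by a single hyphen, which is easy to repeat elsewhere. Suggest searching the docs tree for the old spelling before merging, since only this one occurrence is touched here.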
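Review bot: In the docs/upgrading.rst hunk, the new "Implicit 5->7 algorithm upgrades" section tells users how to detect affected zones ("pdnsutil check-all-zones") and that they "will break if no action is taken", but never says what the action is. Suggest adding the remediation steps, or a reference to where they are documented, so the note is actionable for operators with algorithm 5 keys. Minor formatting: the "Schema changes" heading is followed by its bullet with no blank line after the underline, unlike the heading added directly below it.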