From: Tinderbox User Date: Thu, 12 Mar 2020 10:25:49 +0000 (+0000) Subject: regen master X-Git-Tag: v9.17.0~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f2d9949d45f3a13d84a52b9cbed88a75d91e7f5;p=thirdparty%2Fbind9.git regen master --- diff --git a/README b/README index 167a78d8997..3baa076473a 100644 --- a/README +++ b/README @@ -112,7 +112,12 @@ format-patch. BIND 9.17 features BIND 9.17 is the newest development branch of BIND 9. It includes a number -of changes from BIND 9.16 and earlier releases. +of changes from BIND 9.16 and earlier releases. New features include: + + * New option "max-ixfr-ratio" to limit the size of outgoing IXFR + responses before falling back to full zone transfers. + * "rndc nta -d" and "rndc secroots" now include "validate-except" + entries when listing negative trust anchors. Building BIND diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index ee71bd54e09..297cd1ec8b5 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -75,7 +75,7 @@ BIND version 9 software package for system administrators.

-

This version of the manual corresponds to BIND version 9.15.

+

This version of the manual corresponds to BIND version 9.17.

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 331cc2ee022..a35ee56e17f 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -271,30 +271,43 @@

The incremental zone transfer (IXFR) protocol is a way for - slave servers to transfer only changed data, instead of having to + secondary servers to transfer only changed data, instead of having to transfer the entire zone. The IXFR protocol is specified in RFC 1995. See Proposed Standards.

- When acting as a master, BIND 9 + When acting as a primary server, BIND 9 supports IXFR for those zones where the necessary change history information is available. These - include master zones maintained by dynamic update and slave zones + include primary zones maintained by dynamic update and secondary zones whose data was obtained by IXFR. For manually maintained master - zones, and for slave zones obtained by performing a full zone + zones, and for secondary zones obtained by performing a full zone transfer (AXFR), IXFR is supported only if the option ixfr-from-differences is set to yes.

- When acting as a slave, BIND 9 will + When acting as a secondary server, BIND 9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling IXFR, see the description of the request-ixfr clause of the server statement.

+ +

+ When a secondary server receives a zone via AXFR, it creates a + new copy of the zone database and then swaps it into place; during + the loading process, queries continue to be served from the old + database with no interference. When receiving a zone via IXFR, + however, changes are applied to the running zone, which may + degrade query performance during the transfer. If a server + receiving an IXFR request determines that the response size would + be similar in size to an AXFR response, it may wish to send AXFR + instead. The threshold at which this determination is made can + be configured using the max-ixfr-ratio option. +

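Review bot: the terminology update in this hunk is incomplete: the unchanged context line `whose data was obtained by IXFR. For manually maintained master` still says "master" while the changed lines around it now say "primary" and "secondary", so the paragraph reads "primary zones maintained by dynamic update ... For manually maintained master zones". Change that context line to "primary" as well. The new paragraph would also benefit from one sentence saying on which side `max-ixfr-ratio` is evaluated: the performance problem it describes happens on the secondary applying the changes, but the option is acted on by the server answering the transfer request, and a reader looking for the knob on the secondary will not find it.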
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 0bda4b40ee9..4ddb87f226e 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -1220,7 +1220,8 @@

The include statement inserts the - specified file at the point where the include + specified file (or files if a valid glob expression is detected) + at the point where the include statement is encountered. The include statement facilitates the administration of configuration files @@ -3115,6 +3116,22 @@ badresp:1,adberr:0,findfail:0,valfail:0] of the new format.)

+
max-ixfr-ratio
+
+

+ Sets the size threshold (expressed as a percentage + of the size of the full zone) beyond which + named will choose to use an AXFR + response rather than IXFR when answering zone transfer + requests. See the section called “Incremental Zone Transfers (IXFR)”. +

+

+ The minimum value is 1%. The keyword + unlimited disables ratio checking and + allows IXFRs of any size. The default is + 100%. +

+
new-zones-directory

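Review bot: the definition should say how the two sizes are measured before `named` decides to answer with AXFR. "expressed as a percentage of the size of the full zone" does not say whether this compares the wire size of the two would-be responses, the journal span against the zone database, or a record count; with a 1% floor and a 100% default, the metric is what anyone tuning it needs. It should also state the accepted range above the minimum (is a value above 100% accepted, and what would it mean given that the fallback already triggers when IXFR would exceed a full transfer?), and it would help to echo the grammar from doc/misc/options, `max-ixfr-ratio ( unlimited | ... )`, since the percentage type is not shown in this rendering.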
@@ -9125,6 +9142,13 @@ example.com CNAME rpz-tcp-only. roll, which cryptographic algorithms to use, and how often RRSIG records need to be refreshed.

+

+ Keys are not shared among zones, which means that one set of keys + per zone will be generated even if they have the same policy. + If multiple views are configured with different versions of the + same zone, each separate version will use the same set of signing + keys. +

Multiple key and signing policies can be configured. To attach a policy to a zone, add a dnssec-policy @@ -10607,6 +10631,15 @@ view "external" { This is applicable to master and slave zones.

+
max-ixfr-ratio
+
+

+ See the description of + max-ixfr-ratio in + the section called “options Statement Definition and + Usage”. +

+
max-journal-size

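Review bot: the unchanged context line `This is applicable to master and slave zones.` in this hunk keeps the old vocabulary while the Bv9ARM.ch04.html hunk in the same commit switches to primary/secondary; update it here too so the zone statement section does not mix the two. The cross-reference to the options entry is fine, but the zone-level entry should say whether a value set here overrides the options/view-level one, as the reader of the zone statement section cannot tell from "See the description of max-ixfr-ratio" alone.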
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 4d5d81d7a8e..3db76a58c5a 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -109,6 +109,89 @@

Notes for BIND 9.17.0

+
+

+Known Issues

+
  • +

    + UDP network ports used for listening can no longer simultaneously be + used for sending traffic. An example configuration which triggers + this issue would be one which uses the same + address:port pair for + listen-on(-v6) statements as for + notify-source(-v6) or + transfer-source(-v6). While this issue affects all + operating systems, it only triggers log messages (e.g. "unable to + create dispatch for reserved port") on some of them. There are + currently no plans to make such a combination of settings work again. +

    +
+
+ +
+

+New Features

+
  • +

    + When a secondary server receives a large incremental zone + transfer (IXFR), it can have a negative impact on query + performance while the incremental changes are applied to + the zone. To address this, named can now + limit the size of IXFR responses it sends in response to zone + transfer requests. If an IXFR response would be larger than an + AXFR of the entire zone, it will send an AXFR response instead. +

    +

    + This behavior is controlled by the max-ixfr-ratio + option - a percentage value representing the ratio of IXFR size + to the size of a full zone transfer. The default is + 100%. [GL #1515] +

    +
+
+ +
+

+Feature Changes

+
    +
  • +

    + The system-provided POSIX Threads read-write lock implementation is + now used by default instead of the native BIND 9 implementation. + Please be aware that glibc versions 2.26 through 2.29 had a + bug + that could cause BIND 9 to deadlock. A fix was released in glibc 2.30, + and most current Linux distributions have patched or updated glibc, + with the notable exception of Ubuntu 18.04 (Bionic) which is a work in + progress. If you are running on an affected operating system, compile + BIND 9 with --disable-pthread-rwlock until a fixed + version of glibc is available. [GL !3125] +

    +
  • +
  • +

    + The rndc nta -dump and + rndc secroots commands now both include + validate-except entries when listing negative + trust anchors. These are indicated by the keyword + permanent in place of the expiry + date. [GL #1532] +

    +
  • +
+
+ +
+

+Bug Fixes

+
  • +

    + Fixed re-signing issues with inline zones which resulted in + records being re-signed late or not at all. +

    +
+
+
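Review bot: the Feature Changes list in this hunk renders bullet markers with no text: two `•` lines sit between the rwlock item and the `rndc nta -dump` item and another follows it, so the list appears to contain empty entries; check the generated list markup. Three smaller points in the same hunk. The Bug Fixes entry for inline re-signing carries no tracking reference while every other entry has a `[GL #...]` or `[GL !...]` tag; add the issue number. The rwlock item describes Ubuntu 18.04 (Bionic) as "a work in progress", which is a moving target in notes that are frozen at release time; point at the distribution's tracking reference instead of a status, and say what symptom to look for so an operator can tell whether `--disable-pthread-rwlock` is needed. The Known Issues item says the listen/notify-source collision "only triggers log messages ... on some" operating systems but not what happens to the notifies or transfers themselves on the others; state plainly whether sends from a reserved listening port fail everywhere and are merely silent on some platforms, since a silent failure of outgoing NOTIFY or transfer-source traffic is what an operator would need to check for. Finally, the README hunk at the top of this commit spells the command `rndc nta -d` while this item says `rndc nta -dump`; use one form.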
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 7995603a72a..601873735a5 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/notes.html b/doc/arm/notes.html index e368b3198da..094a0cbef81 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -74,6 +74,89 @@

Notes for BIND 9.17.0

+
+

+Known Issues

+
  • +

    + UDP network ports used for listening can no longer simultaneously be + used for sending traffic. An example configuration which triggers + this issue would be one which uses the same + address:port pair for + listen-on(-v6) statements as for + notify-source(-v6) or + transfer-source(-v6). While this issue affects all + operating systems, it only triggers log messages (e.g. "unable to + create dispatch for reserved port") on some of them. There are + currently no plans to make such a combination of settings work again. +

    +
+
+ +
+

+New Features

+
  • +

    + When a secondary server receives a large incremental zone + transfer (IXFR), it can have a negative impact on query + performance while the incremental changes are applied to + the zone. To address this, named can now + limit the size of IXFR responses it sends in response to zone + transfer requests. If an IXFR response would be larger than an + AXFR of the entire zone, it will send an AXFR response instead. +

    +

    + This behavior is controlled by the max-ixfr-ratio + option - a percentage value representing the ratio of IXFR size + to the size of a full zone transfer. The default is + 100%. [GL #1515] +

    +
+
+ +
+

+Feature Changes

+
    +
  • +

    + The system-provided POSIX Threads read-write lock implementation is + now used by default instead of the native BIND 9 implementation. + Please be aware that glibc versions 2.26 through 2.29 had a + bug + that could cause BIND 9 to deadlock. A fix was released in glibc 2.30, + and most current Linux distributions have patched or updated glibc, + with the notable exception of Ubuntu 18.04 (Bionic) which is a work in + progress. If you are running on an affected operating system, compile + BIND 9 with --disable-pthread-rwlock until a fixed + version of glibc is available. [GL !3125] +

    +
  • +
  • +

    + The rndc nta -dump and + rndc secroots commands now both include + validate-except entries when listing negative + trust anchors. These are indicated by the keyword + permanent in place of the expiry + date. [GL #1532] +

    +
  • +
+
+ +
+

+Bug Fixes

+
  • +

    + Fixed re-signing issues with inline zones which resulted in + records being re-signed late or not at all. +

    +
+
+
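Review bot: this hunk is the same text as the Bv9ARM.ch08.html hunk (and the notes.txt hunk below), including the bullet markers with no text in the Feature Changes list, so the empty entries come from whatever the three files are generated from rather than from one rendering. Since the commit is a regeneration, any wording fixes (the missing tracking reference on the Bug Fixes entry, the time-bound Ubuntu 18.04 status, the `-d` versus `-dump` spelling against README) belong in that source, not in these outputs.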
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 920fe3ac6c2..b04e5e57b86 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index c0906231c6d..061d585d68b 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt 
@@ -38,6 +38,52 @@ operating systems. Notes for BIND 9.17.0 +Known Issues + + * UDP network ports used for listening can no longer simultaneously be + used for sending traffic. An example configuration which triggers this + issue would be one which uses the same address:port pair for listen-on + (-v6) statements as for notify-source(-v6) or transfer-source(-v6). + While this issue affects all operating systems, it only triggers log + messages (e.g. "unable to create dispatch for reserved port") on some + of them. There are currently no plans to make such a combination of + settings work again. + +New Features + + * When a secondary server receives a large incremental zone transfer + (IXFR), it can have a negative impact on query performance while the + incremental changes are applied to the zone. To address this, named + can now limit the size of IXFR responses it sends in response to zone + transfer requests. If an IXFR response would be larger than an AXFR of + the entire zone, it will send an AXFR response instead. + + This behavior is controlled by the max-ixfr-ratio option - a + percentage value representing the ratio of IXFR size to the size of a + full zone transfer. The default is 100%. [GL #1515] + +Feature Changes + + * The system-provided POSIX Threads read-write lock implementation is + now used by default instead of the native BIND 9 implementation. + Please be aware that glibc versions 2.26 through 2.29 had a bug that + could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and + most current Linux distributions have patched or updated glibc, with + the notable exception of Ubuntu 18.04 (Bionic) which is a work in + progress. If you are running on an affected operating system, compile + BIND 9 with --disable-pthread-rwlock until a fixed version of glibc is + available. [GL !3125] + + * The rndc nta -dump and rndc secroots commands now both include + validate-except entries when listing negative trust anchors. 
These are + indicated by the keyword permanent in place of the expiry date. [GL + #1532] + +Bug Fixes + + * Fixed re-signing issues with inline zones which resulted in records + being re-signed late or not at all. + License BIND 9 is open source software licensed under the terms of the Mozilla diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt index 335306f210f..3ad1147bcf6 100644 --- a/doc/misc/master.zoneopt +++ b/doc/misc/master.zoneopt @@ -35,6 +35,7 @@ zone [ ] { key-directory ; masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-transfer-idle-out ; diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt index 6184d371d5a..1c916df0002 100644 --- a/doc/misc/mirror.zoneopt +++ b/doc/misc/mirror.zoneopt @@ -16,6 +16,7 @@ zone [ ] { masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); masters [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ; diff --git a/doc/misc/options b/doc/misc/options index cf66ac3a974..da91545acaa 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -23,8 +23,8 @@ dlz { dnssec-policy { dnskey-ttl ; - keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( | unlimited ) - algorithm [ ]; ... }; + keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime + algorithm [ ]; ... }; max-zone-ttl ; parent-ds-ttl ; parent-propagation-delay ; @@ -206,7 +206,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + geoip-directory ( | none ); // not configured geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // ancient 
@@ -227,7 +227,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); maintain-ixfr-base ; // ancient managed-keys-directory ; @@ -239,6 +239,7 @@ options { max-cache-ttl ; max-clients-per-query ; max-ixfr-log-size ( default | unlimited | ); // ancient + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; @@ -581,7 +582,7 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; + lmdb-mapsize ; // non-operational maintain-ixfr-base ; // ancient managed-keys { ( static-key | initial-key @@ -599,6 +600,7 @@ view [ ] { max-cache-ttl ; max-clients-per-query ; max-ixfr-log-size ( default | unlimited | ); // ancient + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; @@ -823,6 +825,7 @@ view [ ] { port ] ) [ key ]; ... }; max-ixfr-log-size ( default | unlimited | ); // ancient + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ; @@ -927,6 +930,7 @@ zone [ ] { [ port ] | [ port ] ) [ key ]; ... }; max-ixfr-log-size ( default | unlimited | ); // ancient + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ; diff --git a/doc/misc/options.active b/doc/misc/options.active index 20fc8d3b371..a73efddc885 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -23,8 +23,8 @@ dlz { dnssec-policy { dnskey-ttl ; - keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( | unlimited ) - algorithm [ ]; ... }; + keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime + algorithm [ ]; ... }; max-zone-ttl ; parent-ds-ttl ; parent-propagation-delay ; 
@@ -188,7 +188,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + geoip-directory ( | none ); // not configured glue-cache ; heartbeat-interval ; hostname ( | none ); @@ -205,7 +205,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); managed-keys-directory ; masterfile-format ( map | raw | text ); @@ -214,6 +214,7 @@ options { max-cache-size ( default | unlimited | | ); max-cache-ttl ; max-clients-per-query ; + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; @@ -522,7 +523,7 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; + lmdb-mapsize ; // non-operational managed-keys { ( static-key | initial-key | static-ds | initial-ds @@ -537,6 +538,7 @@ view [ ] { max-cache-size ( default | unlimited | | ); max-cache-ttl ; max-clients-per-query ; + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; @@ -744,6 +746,7 @@ view [ ] { masters [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ; @@ -841,6 +844,7 @@ zone [ ] { masters [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ; diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt index 2dc3fd535c0..c8ce2e23fe1 100644 --- a/doc/misc/slave.zoneopt +++ b/doc/misc/slave.zoneopt 
@@ -28,6 +28,7 @@ zone [ ] { masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); masters [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; + max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ;
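Review bot (README hunk): the new feature list writes the command as `"rndc nta -d"` while the release notes in the same commit write `rndc nta -dump`; pick one spelling, preferably the long form the notes use, so readers do not take `-d` for a different flag.

Review bot (Bv9ARM.ch05.html include hunk): "(or files if a valid glob expression is detected)" omits what a practitioner needs before relying on it: which glob syntax is accepted, in what order matched files are included (order matters where a later statement overrides an earlier one), and whether a pattern that matches nothing is a configuration error or silently includes nothing. Because every matched file is parsed as configuration, include-by-glob also means any file that lands in the matched directory becomes part of named.conf; say so, since it changes what directory permissions an operator has to keep tight.

Review bot (Bv9ARM.ch05.html dnssec-policy hunk): the two sentences pull in opposite directions, "Keys are not shared among zones" and "each separate version [in different views] will use the same set of signing keys", without saying what makes two zones "the same zone" for this purpose (the zone name? the key-directory?). Say what the match is made on and whether it requires the views to share a key-directory, because the practical consequence is that views serving different content under one name will sign with one key set.

Review bot (doc/misc/options and options.active, dnssec-policy grammar): the `keys` grammar drops `unlimited` from `lifetime ( ... | unlimited )` and makes `( key-directory )` optional, but nothing else in this commit updates the ARM's dnssec-policy description or the release notes to match. Either `unlimited` is still accepted, in which case it belongs in the grammar, or it was removed, in which case the Feature Changes section needs an entry.

Review bot (doc/misc/options and options.active, `geoip-directory ... // not configured` and `lmdb-mapsize ... // non-operational`): these annotations appear to reflect the build used for this regeneration rather than any change to named, and shipping them in the reference grammar will mislead readers whose builds have GeoIP and LMDB enabled. Regenerate from a full-featured build, or drop these two changes from the commit so the grammar files only record the max-ixfr-ratio and dnssec-policy changes.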