From: Nicki Křížek Date: Thu, 5 Sep 2024 11:13:30 +0000 (+0200) Subject: Tweak and reword release notes X-Git-Tag: v9.21.1~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd944476d2e1498fe29637c2b581688a566c2791;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-9.21.1.rst b/doc/notes/notes-9.21.1.rst index fa3dc441928..68cc258c8ec 100644 --- a/doc/notes/notes-9.21.1.rst +++ b/doc/notes/notes-9.21.1.rst 
@@ -17,114 +17,120 @@ New Features - Support for Offline KSK implemented. - Add a new configuration option `offline-ksk` to enable Offline KSK key - management. Signed Key Response (SKR) files created with `dnssec-ksr` - (or other program) can now be imported into `named` with the new `rndc - skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY - records and generating signatures covering these types, these records - are loaded from the currently active bundle from the imported SKR. - - The implementation is loosely based on: - https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- - keymgmt-01.txt :gl:`#1128` - -- Implement the 'request-ixfr-max-diffs' configuration option. - - The new 'request-ixfr-max-diffs' configuration option sets the maximum - number of incoming incremental zone transfer (IXFR) differences, - exceeding which triggers a full zone transfer (AXFR). :gl:`#4389` + Add a new configuration option :any:`offline-ksk` to enable Offline + KSK key management. Signed Key Response (SKR) files created with + :iscman:`dnssec-ksr` (or other programs) can now be imported into + :iscman:`named` with the new :option:`rndc skr -import ` + command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and + generating signatures covering these types, these records are loaded + from the currently active bundle from the imported SKR. + + The implementation is loosely based on + `draft-icann-dnssec-keymgmt-01.txt + `_. + :gl:`#1128` + +- Allow limiting the number of differences in IXFR. + + A new :any:`request-ixfr-max-diffs` configuration option can set the + maximum number of incoming incremental zone transfer (IXFR) + differences. Exceeding it triggers a full zone transfer (AXFR). + :gl:`#4389` - Print the full path of the working directory in startup log messages. 
- named now prints its initial working directory during startup and the - changed working directory when loading or reloading its configuration - file if it has a valid 'directory' option defined. :gl:`#4731` + :iscman:`named` now prints its initial working directory during + startup, and the changed working directory when loading or reloading + its configuration file, if it has a valid :any:`directory` option + defined. :gl:`#4731` -- Support restricted key tag range when generating new keys. +- Support a restricted key tag range when generating new keys. - It is useful when multiple signers are being used to sign a zone to - able to specify a restricted range of range of key tags that will be - used by an operator to sign the zone. This adds controls to named - (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr - (dnssec-policy) to specify such ranges. :gl:`#4830` + When multiple signers are being used to sign a zone, it is useful to + be able to specify a restricted range of key tags to be used by an + operator to sign the zone. The range can be specified with + ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys + ` (for :iscman:`named` and :iscman:`dnssec-ksr`) + and with the new options :option:`dnssec-keyfromlabel -M` and + :option:`dnssec-keygen -M`. :gl:`#4830` Removed Features ~~~~~~~~~~~~~~~~ -- Remove the 'dialup' and 'heartbeat-interval' options. +- Remove the ``dialup`` and ``heartbeat-interval`` options. - The `dialup` and `heartbeat-interval` options have been removed, along - with all code implementing them. Using these options is now a fatal - error. :gl:`#4237` + The ``dialup`` and ``heartbeat-interval`` options have been removed, + along with all code implementing them. Using these options is now a + fatal error. :gl:`#4237` Feature Changes ~~~~~~~~~~~~~~~ -- Use deterministic ecdsa for openssl >= 3.2. +- Use deterministic ECDSA for OpenSSL >= 3.2. 
- OpenSSL has added support for deterministic ECDSA (RFC 6979) with + OpenSSL has added support for deterministic ECDSA (:rfc:`6979`) with version 3.2. - Use it by default as it removes arguably its most fragile side of - ECDSA. The derandomization doesn't pose a risk for DNS usecases and is + It is used by default, as it removes arguably its most fragile side of + ECDSA. The derandomization does not pose a risk for DNS usecases and is allowed by FIPS 186-5. :gl:`#299` -- Exempt prefetches from the fetches-per-zone and fetches-per-server - quotas. +- Exempt prefetches from the :any:`fetches-per-zone` and + :any:`fetches-per-server` quotas. - Fetches generated automatically as a result of 'prefetch' are now - exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. - This should help in maintaining the cache from which query responses - can be given. :gl:`#4219` + Fetches generated automatically as a result of :any:`prefetch` are now + exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server` + quotas. This should help in maintaining the cache from which query + responses can be given. :gl:`#4219` -- Follow the number of CPU set by taskset/cpuset. +- Follow the number of CPUs set by ``taskset``/``cpuset``. - Administrators may wish to constrain the set of cores that BIND 9 runs - on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on - other O/S). + Administrators may wish to constrain the set of cores that + :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl`` + programs (or equivalents on other OSes). - If the admin has used taskset, the `named` will now follow to - automatically use the given number of CPUs rather than the system wide - count. :gl:`#4884` + If the admin has used ``taskset``, :iscman:`named` now automatically + uses the given number of CPUs rather than the system-wide count. + :gl:`#4884` Bug Fixes ~~~~~~~~~ -- Delay release of root privileges until after configuring controls. 
+- Delay the release of root privileges until after configuring controls. Delay relinquishing root privileges until the control channel has been configured, for the benefit of systems that require root to use privileged port numbers. This mostly affects systems without fine- grained privilege systems (i.e., other than Linux). :gl:`#4793` -- Fix rare assertion failure when shutting down incoming transfer. +- Fix a rare assertion failure when shutting down incoming transfer. - A very rare assertion failure can be triggered when the incoming - transfer is either forcefully shut down or it is finished during - printing the details about the statistics channel. This has been + A very rare assertion failure could be triggered when the incoming + transfer was either forcefully shut down, or it finished during the + printing of the details about the statistics channel. This has been fixed. :gl:`#4860` -- Fix algoritm rollover bug when there are two keys with the same +- Fix algorithm rollover bug when there are two keys with the same keytag. - If there is an algorithm rollover and two keys of different algorithm - share the same keytags, then there is a possibility that if we check - that a key matches a specific state, we are checking against the wrong - key. This has been fixed by not only checking for matching key tag but - also key algorithm. :gl:`#4878` + If there was an algorithm rollover and two keys of different + algorithms shared the same keytags, there was the possibility that the + check of whether the key matched a specific state could be performed + against the wrong key. This has been fixed by not only checking for + the matching key tag but also the key algorithm. :gl:`#4878` -- Fix an assertion failure in validate_dnskey_dsset_done() +- Fix an assertion failure in ``validate_dnskey_dsset_done()``. - Under rare circumstances, named could terminate unexpectedly when - validating a DNSKEY resource record if the validation was canceled in - the meantime. 
This has been fixed. :gl:`#4911` + Under rare circumstances, :iscman:`named` could terminate unexpectedly + when validating a DNSKEY resource record if the validation had been + canceled in the meantime. This has been fixed. :gl:`#4911` Known Issues ~~~~~~~~~~~~ -- Long-running tasks in offloaded threads (e.g. the loading of RPZ zones - or processing zone transfers) may block the resolution of queries - during these operations and cause the queries to time out. +- Long-running tasks in offloaded threads (e.g. loading RPZ zones or + processing zone transfers) may block the resolution of queries during + these operations and cause the queries to time out. To work around the issue, the ``UV_THREADPOOL_SIZE`` environment variable can be set to a larger value before starting :iscman:`named`.
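Review bot: the link at the end of the rewritten Offline KSK paragraph has an empty target as shown here (`draft-icann-dnssec-keymgmt-01.txt `_), and the same trailing-space pattern appears in :option:`rndc skr -import ` and :ref:`keys `; if the angle-bracketed targets were actually dropped rather than merely not shown in this view, Sphinx will emit broken references, so please confirm that the URL https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt from the removed lines and the option and ref targets survive in the new text. In the key-tag-range item, the removed text listed dnssec-signzone among the tools gaining the control, while the new text lists :option:`dnssec-keygen -M` instead and no longer mentions dnssec-signzone; please confirm which tools actually accept the new option so the note matches the shipped CLI. In the deterministic ECDSA item, "removes arguably its most fragile side of ECDSA" is still awkward and does not say what is fragile; suggest "removes what is arguably the most fragile part of ECDSA: the requirement for a unique, unpredictable per-signature nonce, whose reuse or bias exposes the private key", and "usecases" should be "use cases". Minor: "when shutting down incoming transfer" reads better as "when shutting down an incoming transfer".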