From: Petr Špaček Date: Thu, 4 Sep 2025 06:26:57 +0000 (+0200) Subject: Tweak and reword release notes X-Git-Tag: v9.21.12~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eaa543e770091320ca5067d3e1b9cc207e4a9bde;p=thirdparty%2Fbind9.git Tweak and reword release notes Two inconsequential bug fixes are not release note worthy. Use more user-centric terminology about dnssec-policy manual-mode. Add links, shorten notes. --- diff --git a/doc/notes/notes-9.21.12.rst b/doc/notes/notes-9.21.12.rst index ea15c81a532..283feb4ce57 100644 --- a/doc/notes/notes-9.21.12.rst +++ b/doc/notes/notes-9.21.12.rst 
@@ -15,21 +15,20 @@ Notes for BIND 9.21.12 New Features ~~~~~~~~~~~~ -- Add manual mode configuration option to dnsec-policy. +- Add a new option ``manual-mode`` to :any:`dnssec-policy`. - Add a new option ``manual-mode`` to :any:`dnssec-policy`. The intended - use is that if it is enabled, it will not automatically move to the - next state transition, but instead the transition is logged. Only - after manual confirmation with ``rndc dnssec -step`` the transition is - made. :gl:`#4606` + When enabled, :iscman:`named` will not modify DNSSEC keys or key states + automatically. The proposed change will be logged and only after manual + confirmation with ``rndc dnssec -step`` will the modification be made. + :gl:`#4606` -- Add a new 'servfail-until-ready' configuration option for RPZ. +- Add a new option ``servfail-until-ready`` to :namedconf:ref:`response-policy` + zones. - By default, when :iscman:`named` is started it may start answering to - queries before the response policy zones are completely loaded and - processed. This new feature gives an option to the users to tell - :iscman:`named` that incoming requests should result in SERVFAIL - answer until all the response policy zones are processed and ready. + By default, when :iscman:`named` is started, it starts answering + queries before all response policy zones are completely loaded and + processed. This new option instructs :iscman:`named` to respond with + SERVFAIL until all the response policy zones are processed and ready. Note that if one or more response policy zones fail to load, :iscman:`named` starts responding to queries according to those zones that did load. :gl:`#5222` @@ -41,7 +40,7 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- Deprecate the "tkey-gssapi-credential" statement. +- Deprecate the :namedconf:ref:`tkey-gssapi-credential` statement. The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in a simpler and more reliable way than using the 
@@ -58,7 +57,7 @@ Removed Features - Obsolete the "tkey-domain" statement. - Mark the ``tkey-domain`` statement as obsolete, since it has not had + Mark the ``tkey-domain`` statement as obsolete because it has not had any effect on server behavior since support for TKEY Mode 2 (Diffie-Hellman) was removed (in BIND 9.20.0). :gl:`#4204` @@ -68,26 +67,13 @@ Bug Fixes - Prevent spurious SERVFAILs for certain 0-TTL resource records. Under certain circumstances, BIND 9 can return SERVFAIL when updating - existing entries in the cache with new NS, A, AAAA, or DS records with - 0-TTL. :gl:`#5294` + existing entries in the cache with new NS, A, AAAA, or DS records that have a + TTL of zero. :gl:`#5294` -- Batch minor meson fixes. +- Fix unexpected termination if :namedconf:ref:`catalog-zones` had undefined + ``default-primaries``. - This MR fixes various meson issues that are found after the first - meson release and are too small to have a MR on their own. :gl:`#5379` - -- RPZ canonical warning displays zone entry incorrectly. - - When an IPv6 rpz prefix entry is entered incorrectly the log message - was just displaying the prefix rather than the full entry. This has - been corrected. :gl:`#5491` - -- Fix a catalog zone issue when having an unset 'default-primaries' - configuration clause. - - A catalog zone with an unset ``default-primaries`` clause could cause - an unexpected termination of the :iscman:`named` process after two - reloading or reconfiguration commands. This has been fixed. + The issue manifested only if the server was reloaded or reconfigured twice. :gl:`#5494`
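Review bot: in the New Features hunk (@@ -15,21 +15,20 @@), the reworded ``servfail-until-ready`` entry turns "it may start answering to queries" into "it starts answering queries". This states as unconditional what the old text described as a possibility. If answering before the response policy zones are loaded depends on timing, keep the hedge, for example "it may start answering queries before all response policy zones are completely loaded and processed". Operators deciding whether they need the option will read this sentence as a description of default behavior, so it should not overstate it.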
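Review bot: in the first Removed Features hunk (@@ -41,7 +40,7 @@), the new title references the statement with :namedconf:ref:`tkey-gssapi-credential` while the unchanged body line directly below references its replacement with :any:`tkey-gssapi-keytab`. That leaves two different roles for named.conf statements within one entry. Unless the two targets genuinely need different roles, use the same one for both so the links in this entry are built the same way.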
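Review bot: in the second Removed Features hunk (@@ -58,7 +57,7 @@), the entry title still reads Obsolete the "tkey-domain" statement. with plain double quotes, although the body line edited here already uses the literal ``tkey-domain`` and the sibling entry title was converted from quotes to markup in this same commit. Since this hunk already touches the entry, change the title to - Obsolete the ``tkey-domain`` statement. so the statement name is marked up consistently across the section.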
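Review bot: in the Bug Fixes hunk (@@ -68,26 +67,13 @@), the rewritten catalog zone entry no longer says what terminates. The removed text read "an unexpected termination of the :iscman:`named` process", while the new title says only "Fix unexpected termination if :namedconf:ref:`catalog-zones` had undefined ``default-primaries``" and the new body does not mention :iscman:`named` at all. Someone scanning the notes for server crash fixes should not have to infer the subject; suggest "Fix unexpected termination of :iscman:`named` if ..." in the title, or name the process in the body sentence about reloading or reconfiguring twice.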