From: Michał Kępień Date: Mon, 11 Oct 2021 12:39:06 +0000 (+0200) Subject: Prepare release notes for BIND 9.17.19 X-Git-Tag: v9.17.20~18^2~4^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08a2f4c0b750554bac85ea43717eac49caf8850d;p=thirdparty%2Fbind9.git Prepare release notes for BIND 9.17.19 --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ceebf58f1c5..ee4f0a9731c 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.19.rst .. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst .. include:: ../notes/notes-9.17.16.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.19.rst similarity index 64% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.19.rst index 5c07bfb9188..7c1273f43df 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.19.rst @@ -8,7 +8,7 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.18 +Notes for BIND 9.17.19 ---------------------- Security Fixes @@ -30,11 +30,6 @@ Security Fixes ISC would like to thank Kishore Kumar Kothapalli of Infoblox for bringing this vulnerability to our attention. :gl:`#2899` -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ 
@@ -61,15 +56,6 @@ New Features make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796` -- Implement incremental resizing of RBT hash tables to perform the rehashing - gradually instead all-at-once to be able to grow the memory usage gradually - while keeping steady response rate during the rehashing. :gl:`#2941` - -- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` - and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records - so that their content can only match the machine name embedded in the - Kerberos principal making the change. :gl:`#481` - Removed Features ~~~~~~~~~~~~~~~~ @@ -81,12 +67,6 @@ Removed Features enabled in ``named`` at build time have been removed. New-style DLZ modules should be used as a replacement. :gl:`#2814` -- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. - If OpenSSL 3.0.0 has been built without support for deprecated functionality - pkcs11 via engine_pkcs11 is no longer available. At this point in time - there is no replacement ``provider`` for pkcs11 which is the replacement to - the ``engine API``. :gl:`#2843` - - Support for the ``map`` zone file format (``masterfile-format map;``) has been removed. Users relying on the ``map`` format are advised to convert their zones to the ``raw`` format with ``named-compilezone`` 
@@ -115,32 +95,10 @@ Feature Changes ``notify-source``, ``parental-source``, and/or for their respective IPv6 counterparts. :gl:`#2888` -- Because the old socket manager API has been removed, "socketmgr" - statistics are no longer reported by the statistics channel. :gl:`#2926` - - Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer Protocol Negotiation (ALPN) token to be selected in the TLS handshake, as required by :rfc:`9103` section 7.1. :gl:`#2794` -- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional - validation rules for domains and hostnames within dig. :gl:`#1610` - -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means - that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by - default. The additional signatures from the ZSK that are added if the option - is set to ``no`` add to the DNS response payload without offering added value. - :gl:`#1316` - -- The output of ``rndc serve-stale status`` has been clarified. It now - explicitly reports whether retention of stale data in the cache is enabled - (``stale-cache-enable``), and whether returning of such data in responses is - enabled (``stale-answer-enable``). :gl:`#2742` - -- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use - no extra iterations and no salt. :gl:`#2956`. - Bug Fixes ~~~~~~~~~ 
@@ -154,18 +112,5 @@ Bug Fixes ``named`` startup, it could fail to listen for TCP connections on the newly added interfaces. :gl:`#2852` -- Reloading a catalog zone which referenced a missing/deleted member - zone triggered a runtime check failure, causing ``named`` to exit - prematurely. This has been fixed. :gl:`#2308` - - Under specific circumstances, zone transfers over TCP and TLS could be interrupted prematurely. This has been fixed. :gl:`#2917` - -- Logfiles using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by ``versions``. - :gl:`#828` - -- Some lame delegations could trigger a dependency loop, in which a - resolver fetch was waiting for a name server address lookup which was - waiting for the same resolver fetch. This could cause a recursive lookup - to hang until timing out. This now detected and avoided. :gl:`#2927`
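Review bot: In the hunk at @@ -30,11 +30,6 of doc/notes/notes-9.17.19.rst, the whole "Known Issues" section is deleted instead of being kept with its "- None." entry. If the other per-release files included from doc/arm/notes.rst keep an explicit "Known Issues" heading, retain it here so that readers can tell "no known issues" apart from "section omitted". Otherwise, say in the commit message that empty sections are dropped when a release is prepared.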
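Review bot: The Feature Changes hunk (@@ -115,32 +95,10) removes the entries for two changed defaults, ``dnssec-dnskey-kskonly`` becoming ``yes`` (#1316) and ``dnssec-policy``'s ``nsec3param`` using no extra iterations and no salt (#2956), and the commit message has no body explaining why. Changed DNSSEC signing defaults are exactly what operators look for in release notes, so please confirm that neither change is part of the 9.17.19 tag and state in the commit message that the dropped entries belong to a later release. Dropping the ``.. _UseSTD3ASCIIRules:`` target together with the only entry that references it is consistent and needs no change.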
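Review bot: The final hunk (@@ -154,18 +112,5) deletes four bug-fix entries, including the catalog zone reload failure that caused ``named`` to exit (#2308) and the lame-delegation dependency loop (#2927), and nothing in the commit message says whether those fixes are absent from 9.17.19 or documented elsewhere. Please record where these entries now live. If they are carried into another notes file, correct "This now detected and avoided." to "This is now detected and avoided." there.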