From: Michał Kępień Date: Thu, 4 Feb 2021 09:40:25 +0000 (+0100) Subject: Tweak and reword release notes X-Git-Tag: v9.17.11~43^2~3^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3799e66f04185afe3836982b25bb34ed0456f1c0;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 6972f080f7f..a94c2fa00e4 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -25,32 +25,35 @@ New Features ~~~~~~~~~~~~ - A new option, ``stale-answer-client-timeout``, has been added to - improve ``named``'s behavior with respect to serving stale data. The option - defines the amount of time ``named`` waits before attempting - to answer the query with a stale RRset from cache. If a stale answer - is found, ``named`` continues the ongoing fetches, attempting to - refresh the RRset in cache until the ``resolver-query-timeout`` interval is + improve ``named``'s behavior with respect to serving stale data. The + option defines the amount of time ``named`` waits before attempting to + answer the query with a stale RRset from cache. If a stale answer is + found, ``named`` continues the ongoing fetches, attempting to refresh + the RRset in cache until the ``resolver-query-timeout`` interval is reached. - The default value is ``1800`` (in milliseconds) and the maximum value is - bounded to ``resolver-query-timeout`` minus one second. A value of - ``0`` immediately returns a cached RRset if available, and still - attempts a refresh of the data in cache. + The default value is ``1800`` (in milliseconds) and the maximum value + is limited to ``resolver-query-timeout`` minus one second. A value of + ``0`` causes any available cached RRset to immediately be returned + while still triggering a refresh of the data in cache. - The option can be disabled by setting the value to ``off`` or - ``disabled``. It also has no effect if ``stale-answer-enable`` is - disabled. [GL #2247] + This new behavior can be disabled by setting + ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new + option has no effect if ``stale-answer-enable`` is disabled. + [GL #2247] -- Also return stale data if an error occurred and we are not resuming a - query (and serve-stale is enabled). This may happen for example if - ``fetches-per-server`` or ``fetches-per-zone` limits are reached. 
In this - case, we will try to answer DNS requests with stale data, but not start - the ``stale-refresh-time`` window. [GL #2434] +- When serve-stale is enabled and stale data is available, ``named`` now + returns stale answers upon encountering any unexpected error in the + query resolution process. This may happen, for example, if the + ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In + this case, ``named`` attempts to answer DNS requests with stale data, + but does not start the ``stale-refresh-time`` window. [GL #2434] - ``named`` now supports XFR-over-TLS (XoT) for incoming as well as - outgoing zone transfers. Addresses in a ``primaries`` list can take - an optional ``tls`` option which specifies either a previously configured - ``tls`` statement or ``ephemeral``. [GL #2392] + outgoing zone transfers. Addresses in a ``primaries`` list can now be + accompanied by an optional ``tls`` keyword, followed by either the + name of a previously configured ``tls`` statement or ``ephemeral``. + [GL #2392] - Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of this, the ``nghttp2`` HTTP/2 library is now required for building the 
@@ -58,20 +61,20 @@ New Features HTTP/2 connections are supported (the latter may be used to offload encryption to other software). - Note that there is no client-side support for HTTPS as yet; this will be - added to ``dig`` in a future release. [GL #1144] + Note that there is no client-side support for HTTPS as yet; this will + be added to ``dig`` in a future release. [GL #1144] Removed Features ~~~~~~~~~~~~~~~~ -- A number of non-working configuration options that had been marked - as obsolete in previous releases have now been removed completely. - Using any of the following options is now considered a configuration - failure: - ``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``, - ``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``, - ``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``, - ``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, +- A number of non-working configuration options that had been marked as + obsolete in previous releases have now been removed completely. Using + any of the following options is now considered a configuration + failure: ``acache-cleaning-interval``, ``acache-enable``, + ``additional-from-auth``, ``additional-from-cache``, + ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``, + ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``, + ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086] 
@@ -86,38 +89,39 @@ Feature Changes binaries from silently loading wrong versions of shared libraries (or multiple versions of the same shared library) at startup. [GL #2387] -- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 - day, and the default value of ``stale-answer-ttl`` has been changed from 1 - second to 30 seconds, following :rfc:`8767` recommendations. [GL #2248] +- The default value of ``max-stale-ttl`` has been changed from 12 hours + to 1 day and the default value of ``stale-answer-ttl`` has been + changed from 1 second to 30 seconds, following :rfc:`8767` + recommendations. [GL #2248] -- When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate`` - and ``_spf_verify`` labels (which are employed by the ``exists`` SPF - mechanism defined inr:rfc:`7208` section 5.7/appendix D1) are no longer - reported as warnings/errors. [GL #2377] +- When ``check-names`` is in effect, A records below an ``_spf``, + ``_spf_rate``, or ``_spf_verify`` label (which are employed by the + ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix + D.1) are no longer reported as warnings/errors. [GL #2377] Bug Fixes ~~~~~~~~~ -- KASP incorrectly set signature validity to the value of the DNSKEY signature - validity. This is now fixed. [GL #2383] +- KASP incorrectly set signature validity to the value of the DNSKEY + signature validity. This has been fixed. [GL #2383] -- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key. - This has been fixed. [GL #2178] +- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA + key. This has been fixed. [GL #2178] -- The use of named ACLs in ``allow-update`` was broken in BIND 9.17.9 and - BIND 9.16.11, preventing ``named`` from starting. [GL #2413] +- ``named`` failed to start when its configuration included a zone with + a non-builtin ``allow-update`` ACL attached. 
[GL #2413] -- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive" - and/or "Delete" timing metadata as possible active keys. This has been fixed. - [GL #2406] +- When migrating to KASP, BIND 9 considered keys with the ``Inactive`` + and/or ``Delete`` timing metadata to be possible active keys. This has + been fixed. [GL #2406] -- Fixed the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys - rolled faster than the time required to finish the rollover procedure, the - successor relation equation failed because it assumed only two keys were - taking part in a rollover. This could lead to premature removal of - predecessor keys. BIND 9 now implements a recursive successor relation, as - described in the paper "Flexible and Robust Key Rollover" (Equation (2)). - [GL #2375] +- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled + faster than the time required to finish the rollover procedure, the + successor relation equation failed because it assumed only two keys + were taking part in a rollover. This could lead to premature removal + of predecessor keys. BIND 9 now implements a recursive successor + relation, as described in the paper "Flexible and Robust Key Rollover" + (Equation (2)). [GL #2375] - If an invalid key name (e.g. "a..b") was specified in a ``primaries`` list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``,
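Review bot: In the first hunk (`@@ -25,32 +25,35 @@`), the rewritten GL #2434 entry drops the condition that stale data is only returned when the resolver is not resuming a query: the old text read "Also return stale data if an error occurred and we are not resuming a query", while the new "returns stale answers upon encountering any unexpected error in the query resolution process" reads as unconditional. If the resume condition still governs the behaviour, keep it, e.g. "returns stale answers when an unexpected error occurs while resolving a query (but not when a query is being resumed)". The change from ``fetches-per-zone` (single backtick) to ``fetches-per-zone`` is correct and should stay.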
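Review bot: In the third hunk (`@@ -86,38 +89,39 @@`), the rewritten GL #2413 entry drops the affected releases (BIND 9.17.9 and BIND 9.16.11) that the old text named, and no longer states that the problem is fixed, which is what operators reading a release note use to decide whether an upgrade is needed. Suggest something like "In BIND 9.17.9 and 9.16.11, ``named`` failed to start when its configuration included a zone with a non-builtin ``allow-update`` ACL attached. This has been fixed. [GL #2413]". Also in this hunk, the GL #2375 entry now opens with the imperative "Fix the "three is a crowd" key rollover bug" while every neighbouring entry uses the past tense ("This has been fixed"); "Fixed the ..." or "The ... bug ... has been fixed" keeps the section consistent.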