From: Michał Kępień Date: Mon, 11 Oct 2021 12:39:06 +0000 (+0200) Subject: Tweak and reword release notes X-Git-Tag: v9.17.20~18^2~4^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3f8dcef5a81b2f22fb71d6929ec541b0f02ad382;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index f38347a0e49..3b484e88be8 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -38,17 +38,28 @@ Known Issues New Features ~~~~~~~~~~~~ -- Ability to specify supported TLS protocol versions within ``tls`` - clauses (e.g. ``protocols { TLSv1.2; TLSv1.3; };``). :gl:`#2795` - -- New options within ``tls`` clauses were implemented, namely: - - ``dhparam-file "";`` to specify Diffie-Hellman parameters; - - ``ciphers "";`` to specify OpenSSL ciphers list; - - ``prefer-server-ciphers yes|no;`` to assert server or client ciphers preference; - - ``session-tickets yes|no;`` to explicitly enable or disable stateless TLS session tickets (see RFC5077). - These options allow finer control over TLS protocol features and make it - possible to achieve perfect forward secrecy for DNS-over-TLS and - DNS-over-HTTPS. :gl:`#2796` +- It is now possible to specify the TLS protocol versions to support for + each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2; + TLSv1.3; };``). :gl:`#2795` + +- New options for ``tls`` configuration clauses were implemented, + namely: + + - ``dhparam-file "";`` for specifying Diffie-Hellman + parameters, + + - ``ciphers "";`` for specifying OpenSSL ciphers to use, + + - ``prefer-server-ciphers ;`` for specifying whether server + ciphers or client ciphers should be preferred (this controls + OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option), + + - ``session-tickets ;`` for enabling/disabling stateless TLS + session tickets (see :rfc:`5077`). + + These options allow finer control over TLS protocol configuration and + make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS + (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796` - Implement incremental resizing of RBT hash tables to perform the rehashing gradually instead all-at-once to be able to grow the memory usage gradually 
@@ -62,8 +73,9 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the - OpenSC project. :gl:`#2691` +- Native PKCS#11 support has been removed; BIND 9 now :ref:`uses + engine_pkcs11 for PKCS#11`. engine_pkcs11 is an OpenSSL engine + which is part of the `OpenSC`_ project. :gl:`#2691` - Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. If OpenSSL 3.0.0 has been built without support for deprecated functionality 
@@ -71,39 +83,44 @@ Removed Features there is no replacement ``provider`` for pkcs11 which is the replacement to the ``engine API``. :gl:`#2843` -- The ``masterfile-format`` format ``map`` has removed. If you are using the - ``map`` format, you are advised to convert the zones to ``raw`` format with - ``named-compilezone`` and change the configuration prior to BIND 9 - upgrade. :gl:`#2882` +- Support for the ``map`` zone file format (``masterfile-format map;``) + has been removed. Users relying on the ``map`` format are advised to + convert their zones to the ``raw`` format with ``named-compilezone`` + and change the configuration appropriately prior to upgrading BIND 9. + :gl:`#2882` -- Remove old-style DLZ drivers that had to be enabled in ``named`` during the - compile time. The new-style dynamically loaded DLZ modules should be used - as a replacement. :gl:`#2814` +- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be + enabled in ``named`` at build time have been removed. New-style DLZ + modules should be used as a replacement. :gl:`#2814` + +.. _OpenSC: https://github.com/OpenSC/libp11 Feature Changes ~~~~~~~~~~~~~~~ -- ``named`` and ``named-checkconf`` now issue a warning when there is a single - configured port in the ``query-source``, ``transfer-source``, - ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts. +- ``named`` and ``named-checkconf`` now issue a warning when there is a + single port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or for their respective + IPv6 counterparts. :gl:`#2888` + +- ``named`` and ``named-checkconf`` now exit with an error when a single + port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or their respective IPv6 + counterparts clashes with a global listening port. 
This configuration + has not been supported since BIND 9.16.0, but no error was reported + until now (even though sending UDP messages such as NOTIFY failed). :gl:`#2888` -- ``named`` and ``named-checkconf`` now return an error when the single configured - port in the ``query-source``, ``transfer-source``, ``notify-source``, - ``parental-source``, and/or their respective IPv6 counterparts clashes with the - global listening port. This configuration is no longer supported as of BIND - 9.16.0 but no error was reported, although sending UDP messages - (such as notifies) would fail. :gl:`#2888` - -- The network manager API is now used by ``named`` and related tools, - including ``nsupdate``, ``delv``, ``mdig``, to send all outgoing DNS - queries and requests. :gl:`#2401` +- The network manager API is now used for sending all outgoing DNS + queries and requests from ``named`` and related tools, including + ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401` - Because the old socket manager API has been removed, "socketmgr" statistics are no longer reported by the statistics channel. :gl:`#2926` -- Zone transfers over TLS (XoT) now need "dot" Application-Layer Protocol - Negotiation (ALPN) tag to be negotiated, as required by the RFC 9103. :gl: `#2794` +- Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer + Protocol Negotiation (ALPN) token to be selected in the TLS handshake, + as required by :rfc:`9103` section 7.1. :gl:`#2794` - `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional validation rules for domains and hostnames within dig. :gl:`#1610` 
@@ -127,15 +144,16 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- When new IP addresses were added to the system during ``named`` - startup, ``named`` failed to listen on TCP for the newly added - interfaces. :gl:`#2852` +- When new IP addresses were set up by the operating system during + ``named`` startup, it could fail to listen for TCP connections on the + newly added interfaces. :gl:`#2852` - Under specific circumstances, zone transfers over TCP and TLS could be interrupted prematurely. This has been fixed. :gl:`#2917` -- Reloading a catalog zone that referenced a missing/deleted zone - caused a crash. This has been fixed. :gl:`#2308` +- Reloading a catalog zone which referenced a missing/deleted member + zone triggered a runtime check failure, causing ``named`` to exit + prematurely. This has been fixed. :gl:`#2308` - Logfiles using ``timestamp``-style suffixes were not always correctly removed when the number of files exceeded the limit set by ``versions``.
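Review bot: in the first hunk (New Features, the ``tls`` options list) the argument placeholders have been lost: the removed lines read ``prefer-server-ciphers yes|no;`` and ``session-tickets yes|no;``, but the added lines read ``prefer-server-ciphers ;`` and ``session-tickets ;``, and ``dhparam-file "";`` / ``ciphers "";`` now carry an empty quoted string. If placeholders in angle brackets (a path, a cipher list, ``yes|no``) were intended, confirm they survive in the rendered output, otherwise restore the explicit ``yes|no``. The closing sentence also credits "these options" collectively with making PFS possible; it would be more precise to say that PFS follows from selecting ephemeral key exchange via ``ciphers`` (and ``dhparam-file`` for finite-field DHE), and to add a caveat on ``session-tickets``, since a stateless ticket is protected by a server-side key whose lifetime bounds the forward secrecy of resumed sessions. While touching this hunk, the unchanged context line "instead all-at-once to be able to grow the memory usage gradually" is missing "of" and repeats "gradually".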
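Review bot: the ``:ref:`uses engine_pkcs11 for PKCS#11``` role in the Removed Features hunk (PKCS#11 item) has no explicit target, so Sphinx will treat the whole phrase as a label name and the cross-reference will not resolve; no matching label appears in the patch. Use the ``:ref:`link text <label>``` form with the label of the section that documents engine_pkcs11 (the label itself is not visible here, so it must be taken from the ARM source). The ```OpenSC`_`` reference is fine as written, since the ``.. _OpenSC:`` target added in the following hunk is document-global. As a side note, the unchanged context item "Add support for OpenSSL 3.0.0" sits under Removed Features; it reads like a Feature Change rather than a removal.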
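Review bot: in the third hunk (map format, DLZ, Feature Changes) the ``.. _OpenSC: https://github.com/OpenSC/libp11`` target is inserted between list items in the middle of the Removed Features section; the file already uses a named reference (```UseSTD3ASCIIRules`_``) whose target is not defined next to it, so the existing convention appears to be collecting targets in one place, and this target would be easier to maintain there. In the XoT item, the prose "as required by :rfc:`9103` section 7.1" can link straight to the section with the Sphinx form ``:rfc:`9103#section-7.1```, which also keeps the RFC number and section together if the sentence is later reworded. The two ``query-source``/``transfer-source`` items are clear; the split into a warning (single port configured) and an error (single port clashing with a global listening port) is a good improvement over the original wording.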
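Review bot: in the Bug Fixes hunk, the first item's "When new IP addresses were set up by the operating system during ``named`` startup, it could fail to listen" leaves "it" ambiguous between the operating system and ``named``; suggest "``named`` could fail to listen for TCP connections on the newly added interfaces." The catalog zone item is an improvement: naming the runtime check failure and the premature exit tells operators what they would have seen in the logs, which the old "caused a crash" did not.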