New Features
~~~~~~~~~~~~
-- Implement incremental resizing of RBT hash tables to perform the rehashing
- gradually instead all-at-once to be able to grow the memory usage gradually
- while keeping steady response rate during the rehashing. :gl:`#2941`
+- Internal data structures maintained for each cache database are now
+ grown incrementally when they need to be expanded. This helps maintain
+ a steady response rate on a loaded resolver while these internal data
+ structures are resized. :gl:`#2941`
-- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs``
- and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records
- so that their content can only match the machine name embedded in the
- Kerberos principal making the change. :gl:`#481`
+- New finer-grained ``update-policy`` rule types,
+ ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
+ These rule types restrict updates to SRV and PTR records so that their
+ content can only match the machine name embedded in the Kerberos
+ principal making the change. :gl:`#481`
+
+- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843`
Removed Features
~~~~~~~~~~~~~~~~
-- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support.
- If OpenSSL 3.0.0 has been built without support for deprecated functionality
- pkcs11 via engine_pkcs11 is no longer available. At this point in time
- there is no replacement ``provider`` for pkcs11 which is the replacement to
- the ``engine API``. :gl:`#2843`
+- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9
+ currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an
+ OpenSSL 3.0.0 build which does not retain support for deprecated APIs
+ makes it impossible to use PKCS#11 in BIND 9. A replacement for
+ engine_pkcs11 which employs the new "provider" approach introduced in
+ OpenSSL 3.0.0 is in the making. :gl:`#2843`
Feature Changes
~~~~~~~~~~~~~~~
-- Because the old socket manager API has been removed, "socketmgr"
- statistics are no longer reported by the
- :ref:`statistics channel <statschannels>`. :gl:`#2926`
-
-- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional
- validation rules for domains and hostnames within dig. :gl:`#1610`
+- Since the old socket manager API has been removed, "socketmgr"
+ statistics are no longer reported by the :ref:`statistics channel
+ <statschannels>`. :gl:`#2926`
-.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
+- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls.
+ This enables additional validation rules for IDN domains and hostnames
+ in ``dig``. :gl:`#1610`
-- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means
- that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by
- default. The additional signatures from the ZSK that are added if the option
- is set to ``no`` add to the DNS response payload without offering added value.
- :gl:`#1316`
+- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This
+ means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
+ the KSK by default. The additional signatures prepared using the ZSK
+ when the option is set to ``no`` add to the DNS response payload
+ without offering added value. :gl:`#1316`
- The output of ``rndc serve-stale status`` has been clarified. It now
- explicitly reports whether retention of stale data in the cache is enabled
- (``stale-cache-enable``), and whether returning of such data in responses is
- enabled (``stale-answer-enable``). :gl:`#2742`
+ explicitly reports whether retention of stale data in the cache is
+ enabled (``stale-cache-enable``), and whether returning such data in
+ responses is enabled (``stale-answer-enable``). :gl:`#2742`
-- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use
- no extra iterations and no salt. :gl:`#2956`.
+- The default NSEC3 parameters for ``dnssec-policy`` were updated to no
+ extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``).
+ :gl:`#2956`
+
+.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
Bug Fixes
~~~~~~~~~
-- Reloading a catalog zone that referenced a missing/deleted zone
- caused a crash. This has been fixed. :gl:`#2308`
+- Reloading a catalog zone which referenced a missing/deleted member
+ zone triggered a runtime check failure, causing ``named`` to exit
+ prematurely. This has been fixed. :gl:`#2308`
-- Logfiles using ``timestamp``-style suffixes were not always correctly
- removed when the number of files exceeded the limit set by ``versions``.
- :gl:`#828`
+- Log files using ``timestamp``-style suffixes were not always correctly
+ removed when the number of files exceeded the limit set by
+ ``versions``. This has been fixed. :gl:`#828`
- Some lame delegations could trigger a dependency loop, in which a
- resolver fetch was waiting for a name server address lookup which was
- waiting for the same resolver fetch. This could cause a recursive lookup
- to hang until timing out. This now detected and avoided. :gl:`#2927`
+ resolver fetch waited for a name server address lookup which was
+ waiting for the same resolver fetch. This could cause a recursive
+ lookup to hang until timing out. This situation is now detected and
+ prevented. :gl:`#2927`
projects / thirdparty / bind9.git / commitdiff
