Removed Features
~~~~~~~~~~~~~~~~
-- The :any:`dnssec-must-be-secure` option has been deprecated and will be
- removed in a future release. :gl:`#4263`
+- The :any:`dnssec-must-be-secure` option has been deprecated and will
+ be removed in a future release. :gl:`#4263`
Feature Changes
~~~~~~~~~~~~~~~
-- Make :iscman:`nsupdate` honor the ``-v`` option. If set, and the server is
- specified, SOA queries are now send over TCP as well. :gl:`#1181`
+- If the ``server`` command is specified, :iscman:`nsupdate` now honors
+ the :option:`nsupdate -v` option for SOA queries by sending both the
+ UPDATE request and the initial query over TCP. :gl:`#1181`
Bug Fixes
~~~~~~~~~
-- The value of If-Modified-Since header in statistics channel was not checked
- for length leading to possible buffer overflow by an authorized user. We
- would like to emphasize that statistics channel must be properly setup to
- allow access only from authorized users of the system. :gl:`#4124`
+- The value of the If-Modified-Since header in the statistics channel
+ was not being correctly validated for its length, potentially allowing
+ an authorized user to trigger a buffer overflow. Ensuring the
+ statistics channel is configured correctly to grant access exclusively
+ to authorized users is essential (see the :any:`statistics-channels`
+ block definition and usage section). :gl:`#4124`
- This issue was reported independently by Eric Sesterhenn of X41 D-SEC and
- Cameron Whitehead.
+ This issue was reported independently by Eric Sesterhenn of X41 D-Sec
+ GmbH and Cameron Whitehead.
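Review bot: In the #4124 entry, "was not being correctly validated for its length" reads as if a length check existed and was faulty, while the removed text said the value "was not checked for length". If no check was present, say so directly, for example "was not checked for its length". The sentence "Ensuring the statistics channel is configured correctly ... is essential" would also read better as a direct instruction to the operator, keeping the new cross-reference to the statistics-channels section.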
-- The value of Content-Length header in statistics channel was not
- bound checked and negative or large enough value could lead to
- overflow and assertion failure. :gl:`#4125`
+- The Content-Length header in the statistics channel was lacking proper
+ bounds checking. A negative or excessively large value could
+ potentially trigger an integer overflow and result in an assertion
+ failure. :gl:`#4125`
- This issue was reported by Eric Sesterhenn of X41 D-SEC.
+ This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
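Review bot: The #4125 entry does not say who can send the malformed Content-Length header, whereas the #4124 entry just above it states that an authorized user is required. State the access precondition here as well, or say that it is the same as for #4124, so operators can judge their exposure. "could potentially trigger" is also a double hedge; "could trigger" is enough.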
-- Address memory leaks due to not clearing OpenSSL error stack. :gl:`#4159`
+- Several memory leaks caused by not clearing the OpenSSL error stack
+ were fixed. :gl:`#4159`
- This issue was reported by Eric Sesterhenn of X41 D-SEC.
+ This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
-- Following the introduction of krb5-subdomain-self-rhs and
- ms-subdomain-self-rhs update rules, removal of nonexistent PTR
- and SRV records via UPDATE could fail. This has been fixed. :gl:`#4280`
+- The introduction of ``krb5-subdomain-self-rhs`` and
+ ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
+ :iscman:`named` to return SERVFAIL responses to deletion requests for
+ non-existent PTR and SRV records. This has been fixed. :gl:`#4280`
-- The value of :any:`stale-refresh-time` was set to zero after ``rndc flush``.
- This has been fixed. :gl:`#4278`
+- The :any:`stale-refresh-time` feature was mistakenly disabled when the
+ server cache was flushed by :option:`rndc flush`. This has been fixed.
+ :gl:`#4278`
-- BIND could consume more memory than it needs. That has been fixed by
- using specialised jemalloc memory arenas dedicated to sending buffers. It
- allowed us to optimize the process of returning memory pages back to
- the operating system. :gl:`#4038`
+- BIND's memory consumption has been improved by implementing dedicated
+ jemalloc memory arenas for sending buffers. This optimization ensures
+ that memory usage is more efficient and better manages the return of
+ memory pages to the operating system. :gl:`#4038`
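Review bot: The rewritten #4038 entry sits under Bug Fixes but no longer names the defect: the removed text opened with "BIND could consume more memory than it needs", and the new text only describes an improvement. Keep a short statement of the problem before the description of the jemalloc arenas. The phrase "ensures that memory usage is more efficient and better manages the return of memory pages" is vague and could be replaced with the concrete effect the removed text gave (returning memory pages to the operating system).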
-- Prevent DNS message corruption on long DNS over TLS streams. :gl:`#4255`
+- Previously, partial writes in the TLS DNS code were not accounted for
+ correctly, which could have led to DNS message corruption. This has
+ been fixed. :gl:`#4255`
Known Issues
~~~~~~~~~~~~
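Review bot: In the #4255 entry, the condition from the removed text ("on long DNS over TLS streams") has been dropped, so the new wording suggests that any DNS-over-TLS exchange could have been corrupted. If the partial-write problem only shows up on long streams, keep that qualifier. "TLS DNS code" is also internal naming; "DNS over TLS", as in the removed line, is what readers of release notes will recognize.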