.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
-Notes for BIND 9.19.22
+Notes for BIND 9.19.23
----------------------
Security Fixes
New Features
~~~~~~~~~~~~
-- The ``tls`` block was extended with a new ``cipher-suites`` option
- that allows setting allowed cipher suites for TLSv1.3. Please
- consult the documentation for additional details.
- :gl:`#3504`
-
-- The statistics channel now includes counters that indicate the number
- of currently connected TCP IPv4/IPv6 clients. :gl:`#4425`
-
-- The statistics channel's incoming zone transfers information now also shows
- the zones' "first refresh" flag, which indicates that a zone is not fully
- ready yet, and its first ever refresh is pending or is in-progress. The number
- of such zones is now also exposed by the ``rndc status`` command. :gl:`#4241`
-
-- Add HSM support to :any:`dnssec-policy`. You can now configure keys with a
- ``key-store`` that allows you to set the directory to store the key files and
- set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11
- provider to be configured for OpenSSL. :gl`#1129`.
+- None.
Removed Features
~~~~~~~~~~~~~~~~
-- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` values,
- when the feature is turned on. When using a non-zero value, ``named`` now
- generates a warning log message, and treats the value as ``0``. :gl:`#4447`
+- None.
Feature Changes
~~~~~~~~~~~~~~~
-- The ``dnssec-validation yes`` option now requires an explicitly configured
- :any:`trust-anchors` statement. If using manual trust anchors is not
- operationally required, then please consider using ``dnssec-validation auto``
- instead. :gl:`#4373`
-
-- The red-black tree data structure used in the RBTDB (the default
- database implementation for cache and zone databases),
- has been replaced with QP-tries. This is expected to improve
- performance and scalability, though in the current implementation
- it is known to have larger memory consumption.
-
- A side effect of this change is that zone files that are created with
- :any:`masterfile-style` ``relative`` - for example, the output of
- :any:`dnssec-signzone` - will no longer have multiple different
- `$ORIGIN` statements. There should be no other changes to server
- behavior.
-
- The old RBT-based database still exists for now, and can be used by
- specifying ``database rbt`` in a ``zone`` statement in ``named.conf``,
- or by compiling with ``configure --with-zonedb=rbt --with-cachedb=rbt``.
- :gl:`#4411`.
+- None.
Bug Fixes
~~~~~~~~~
-- Changes to ``listen-on`` statements were ignored on reconfiguration
- unless the port or interface address was changed, making it
- impossible to change a related listener transport type. That issue
- has been fixed.
-
- ISC would like to thank Thomas Amgarten for bringing this issue to
- our attention. :gl:`#4518`, :gl:`#4528`
-
-- A use-after-free assertion might get triggered when the overmem cache
- cleaning triggers. :gl:`#4595`
-
- ISC would like to thank to Jinmei Tatuya from Infoblox for bringing
- this issue to our attention.
-
-- A regression in cache-cleaning code enabled memory use to grow
- significantly more quickly than before, until the configured
- :any:`max-cache-size` limit was reached. This has been fixed.
- :gl:`#4596`
-
-- Using :option:`rndc flush` inadvertently caused cache cleaning to
- become less effective. This could ultimately lead to the configured
- :any:`max-cache-size` limit being exceeded and has now been fixed.
- :gl:`#4621`
+- None.
Known Issues
~~~~~~~~~~~~
projects / thirdparty / bind9.git / commitdiff
