~~~~~~~~~~~~
- A new option, ``stale-answer-client-timeout``, has been added to
- improve ``named``'s behavior with respect to serving stale data. The option
- defines the amount of time ``named`` waits before attempting
- to answer the query with a stale RRset from cache. If a stale answer
- is found, ``named`` continues the ongoing fetches, attempting to
- refresh the RRset in cache until the ``resolver-query-timeout`` interval is
+ improve ``named``'s behavior with respect to serving stale data. The
+ option defines the amount of time ``named`` waits before attempting to
+ answer the query with a stale RRset from cache. If a stale answer is
+ found, ``named`` continues the ongoing fetches, attempting to refresh
+ the RRset in cache until the ``resolver-query-timeout`` interval is
reached.
- The default value is ``1800`` (in milliseconds) and the maximum value is
- bounded to ``resolver-query-timeout`` minus one second. A value of
- ``0`` immediately returns a cached RRset if available, and still
- attempts a refresh of the data in cache.
+ The default value is ``1800`` (in milliseconds) and the maximum value
+ is limited to ``resolver-query-timeout`` minus one second. A value of
+ ``0`` causes any available cached RRset to immediately be returned
+ while still triggering a refresh of the data in cache.
- The option can be disabled by setting the value to ``off`` or
- ``disabled``. It also has no effect if ``stale-answer-enable`` is
- disabled. [GL #2247]
+ This new behavior can be disabled by setting
+ ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
+ option has no effect if ``stale-answer-enable`` is disabled.
+ [GL #2247]
-- Also return stale data if an error occurred and we are not resuming a
- query (and serve-stale is enabled). This may happen for example if
- ``fetches-per-server`` or ``fetches-per-zone` limits are reached. In this
- case, we will try to answer DNS requests with stale data, but not start
- the ``stale-refresh-time`` window. [GL #2434]
+- When serve-stale is enabled and stale data is available, ``named`` now
+ returns stale answers upon encountering any unexpected error in the
+ query resolution process. This may happen, for example, if the
+ ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
+ this case, ``named`` attempts to answer DNS requests with stale data,
+ but does not start the ``stale-refresh-time`` window. [GL #2434]
- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
- outgoing zone transfers. Addresses in a ``primaries`` list can take
- an optional ``tls`` option which specifies either a previously configured
- ``tls`` statement or ``ephemeral``. [GL #2392]
+ outgoing zone transfers. Addresses in a ``primaries`` list can now be
+ accompanied by an optional ``tls`` keyword, followed by either the
+ name of a previously configured ``tls`` statement or ``ephemeral``.
+ [GL #2392]
- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of
this, the ``nghttp2`` HTTP/2 library is now required for building the
HTTP/2 connections are supported (the latter may be used to offload
encryption to other software).
- Note that there is no client-side support for HTTPS as yet; this will be
- added to ``dig`` in a future release. [GL #1144]
+ Note that there is no client-side support for HTTPS as yet; this will
+ be added to ``dig`` in a future release. [GL #1144]
Removed Features
~~~~~~~~~~~~~~~~
-- A number of non-working configuration options that had been marked
- as obsolete in previous releases have now been removed completely.
- Using any of the following options is now considered a configuration
- failure:
- ``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``,
- ``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``,
- ``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``,
- ``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
+- A number of non-working configuration options that had been marked as
+ obsolete in previous releases have now been removed completely. Using
+ any of the following options is now considered a configuration
+ failure: ``acache-cleaning-interval``, ``acache-enable``,
+ ``additional-from-auth``, ``additional-from-cache``,
+ ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``,
+ ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``,
+ ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086]
binaries from silently loading wrong versions of shared libraries (or
multiple versions of the same shared library) at startup. [GL #2387]
-- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
- day, and the default value of ``stale-answer-ttl`` has been changed from 1
- second to 30 seconds, following :rfc:`8767` recommendations. [GL #2248]
+- The default value of ``max-stale-ttl`` has been changed from 12 hours
+ to 1 day and the default value of ``stale-answer-ttl`` has been
+ changed from 1 second to 30 seconds, following :rfc:`8767`
+ recommendations. [GL #2248]
-- When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate``
- and ``_spf_verify`` labels (which are employed by the ``exists`` SPF
- mechanism defined inr:rfc:`7208` section 5.7/appendix D1) are no longer
- reported as warnings/errors. [GL #2377]
+- When ``check-names`` is in effect, A records below an ``_spf``,
+ ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
+ ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
+ D.1) are no longer reported as warnings/errors. [GL #2377]
Bug Fixes
~~~~~~~~~
-- KASP incorrectly set signature validity to the value of the DNSKEY signature
- validity. This is now fixed. [GL #2383]
+- KASP incorrectly set signature validity to the value of the DNSKEY
+ signature validity. This has been fixed. [GL #2383]
-- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key.
- This has been fixed. [GL #2178]
+- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
+ key. This has been fixed. [GL #2178]
-- The use of named ACLs in ``allow-update`` was broken in BIND 9.17.9 and
- BIND 9.16.11, preventing ``named`` from starting. [GL #2413]
+- ``named`` failed to start when its configuration included a zone with
+ a non-builtin ``allow-update`` ACL attached. [GL #2413]
-- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive"
- and/or "Delete" timing metadata as possible active keys. This has been fixed.
- [GL #2406]
+- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
+ and/or ``Delete`` timing metadata to be possible active keys. This has
+ been fixed. [GL #2406]
-- Fixed the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys
- rolled faster than the time required to finish the rollover procedure, the
- successor relation equation failed because it assumed only two keys were
- taking part in a rollover. This could lead to premature removal of
- predecessor keys. BIND 9 now implements a recursive successor relation, as
- described in the paper "Flexible and Robust Key Rollover" (Equation (2)).
- [GL #2375]
+- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
+ faster than the time required to finish the rollover procedure, the
+ successor relation equation failed because it assumed only two keys
+ were taking part in a rollover. This could lead to premature removal
+ of predecessor keys. BIND 9 now implements a recursive successor
+ relation, as described in the paper "Flexible and Robust Key Rollover"
+ (Equation (2)). [GL #2375]
- If an invalid key name (e.g. "a..b") was specified in a ``primaries``
list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``,
projects / thirdparty / bind9.git / commitdiff
