New Features
~~~~~~~~~~~~
-- Ability to specify supported TLS protocol versions within ``tls``
- clauses (e.g. ``protocols { TLSv1.2; TLSv1.3; };``). :gl:`#2795`
-
-- New options within ``tls`` clauses were implemented, namely:
- - ``dhparam-file "<path_to_file>";`` to specify Diffie-Hellman parameters;
- - ``ciphers "<cipher_list>";`` to specify OpenSSL ciphers list;
- - ``prefer-server-ciphers yes|no;`` to assert server or client ciphers preference;
- - ``session-tickets yes|no;`` to explicitly enable or disable stateless TLS session tickets (see RFC5077).
- These options allow finer control over TLS protocol features and make it
- possible to achieve perfect forward secrecy for DNS-over-TLS and
- DNS-over-HTTPS. :gl:`#2796`
+- It is now possible to specify the TLS protocol versions to support for
+ each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2;
+ TLSv1.3; };``). :gl:`#2795`
+
+- New options for ``tls`` configuration clauses were implemented,
+ namely:
+
+ - ``dhparam-file "<path_to_file>";`` for specifying Diffie-Hellman
+ parameters,
+
+ - ``ciphers "<cipher_list>";`` for specifying OpenSSL ciphers to use,
+
+ - ``prefer-server-ciphers <yes|no>;`` for specifying whether server
+ ciphers or client ciphers should be preferred (this controls
+ OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option),
+
+ - ``session-tickets <yes|no>;`` for enabling/disabling stateless TLS
+ session tickets (see :rfc:`5077`).
+
+ These options allow finer control over TLS protocol configuration and
+ make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS
+ (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796`
- Implement incremental resizing of RBT hash tables to perform the rehashing
gradually instead all-at-once to be able to grow the memory usage gradually
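Review bot: the ``ciphers`` item (`- ``ciphers "<cipher_list>";`` for specifying OpenSSL ciphers to use,`) should state which protocol versions the list governs, because the same change adds ``protocols { TLSv1.2; TLSv1.3; };`` and an OpenSSL cipher list of this form only selects TLSv1.2-and-earlier cipher suites; TLSv1.3 suites are configured through a separate OpenSSL call. An operator tightening ``ciphers`` to obtain the perfect forward secrecy promised in the closing sentence will otherwise assume it also constrains TLSv1.3. For the same reason the closing sentence should say that PFS depends on restricting ``ciphers`` to ECDHE/DHE suites (``dhparam-file`` only matters once DHE suites are enabled), rather than presenting it as a property of the options themselves.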
Removed Features
~~~~~~~~~~~~~~~~
-- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the
- OpenSC project. :gl:`#2691`
+- Native PKCS#11 support has been removed; BIND 9 now :ref:`uses
+ engine_pkcs11 for PKCS#11<pkcs11>`. engine_pkcs11 is an OpenSSL engine
+ which is part of the `OpenSC`_ project. :gl:`#2691`
- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support.
If OpenSSL 3.0.0 has been built without support for deprecated functionality
there is no replacement ``provider`` for pkcs11 which is the replacement to
the ``engine API``. :gl:`#2843`
-- The ``masterfile-format`` format ``map`` has removed. If you are using the
- ``map`` format, you are advised to convert the zones to ``raw`` format with
- ``named-compilezone`` and change the configuration prior to BIND 9
- upgrade. :gl:`#2882`
+- Support for the ``map`` zone file format (``masterfile-format map;``)
+ has been removed. Users relying on the ``map`` format are advised to
+ convert their zones to the ``raw`` format with ``named-compilezone``
+ and change the configuration appropriately prior to upgrading BIND 9.
+ :gl:`#2882`
-- Remove old-style DLZ drivers that had to be enabled in ``named`` during the
- compile time. The new-style dynamically loaded DLZ modules should be used
- as a replacement. :gl:`#2814`
+- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
+ enabled in ``named`` at build time have been removed. New-style DLZ
+ modules should be used as a replacement. :gl:`#2814`
+
+.. _OpenSC: https://github.com/OpenSC/libp11
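Review bot: the PKCS#11 entry (`BIND 9 now :ref:`uses engine_pkcs11 for PKCS#11<pkcs11>``) reads as an unconditional replacement, but the unchanged entry immediately below says OpenSSL 3.0.0 deprecates engine support and that a build without deprecated functionality has no replacement ``provider`` for pkcs11; cross-reference the two so that operators with HSM-backed keys understand PKCS#11 is unavailable in that build configuration before they upgrade. Minor: the ``:ref:`` is conventionally written with a space before the label, ``:ref:`uses engine_pkcs11 for PKCS#11 <pkcs11>```.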
Feature Changes
~~~~~~~~~~~~~~~
-- ``named`` and ``named-checkconf`` now issue a warning when there is a single
- configured port in the ``query-source``, ``transfer-source``,
- ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts.
+- ``named`` and ``named-checkconf`` now issue a warning when there is a
+ single port configured for ``query-source``, ``transfer-source``,
+ ``notify-source``, ``parental-source``, and/or for their respective
+ IPv6 counterparts. :gl:`#2888`
+
+- ``named`` and ``named-checkconf`` now exit with an error when a single
+ port configured for ``query-source``, ``transfer-source``,
+ ``notify-source``, ``parental-source``, and/or their respective IPv6
+ counterparts clashes with a global listening port. This configuration
+ has not been supported since BIND 9.16.0, but no error was reported
+ until now (even though sending UDP messages such as NOTIFY failed).
:gl:`#2888`
-- ``named`` and ``named-checkconf`` now return an error when the single configured
- port in the ``query-source``, ``transfer-source``, ``notify-source``,
- ``parental-source``, and/or their respective IPv6 counterparts clashes with the
- global listening port. This configuration is no longer supported as of BIND
- 9.16.0 but no error was reported, although sending UDP messages
- (such as notifies) would fail. :gl:`#2888`
-
-- The network manager API is now used by ``named`` and related tools,
- including ``nsupdate``, ``delv``, ``mdig``, to send all outgoing DNS
- queries and requests. :gl:`#2401`
+- The network manager API is now used for sending all outgoing DNS
+ queries and requests from ``named`` and related tools, including
+ ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401`
- Because the old socket manager API has been removed, "socketmgr"
statistics are no longer reported by the statistics channel. :gl:`#2926`
-- Zone transfers over TLS (XoT) now need "dot" Application-Layer Protocol
- Negotiation (ALPN) tag to be negotiated, as required by the RFC 9103. :gl: `#2794`
+- Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer
+ Protocol Negotiation (ALPN) token to be selected in the TLS handshake,
+ as required by :rfc:`9103` section 7.1. :gl:`#2794`
- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional
validation rules for domains and hostnames within dig. :gl:`#1610`
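Review bot: the warning entry (`now issue a warning when there is a single port configured for ``query-source``, ...`) never says why a single configured port is discouraged, whereas the error entry that follows explains the failure it guards against; add the rationale (a fixed source port removes source-port randomization from outgoing queries) so operators can tell whether the warning is cosmetic or a security finding. Likewise the XoT entry (`now need the ``dot`` Application-Layer Protocol Negotiation (ALPN) token to be selected`) should state the observable behaviour when a peer does not offer ``dot`` (connection refused or closed, and what is logged), since a primary/secondary pair upgraded one side at a time will otherwise see transfers stop with nothing pointing at this change.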
Bug Fixes
~~~~~~~~~
-- When new IP addresses were added to the system during ``named``
- startup, ``named`` failed to listen on TCP for the newly added
- interfaces. :gl:`#2852`
+- When new IP addresses were set up by the operating system during
+ ``named`` startup, it could fail to listen for TCP connections on the
+ newly added interfaces. :gl:`#2852`
- Under specific circumstances, zone transfers over TCP and TLS could be
interrupted prematurely. This has been fixed. :gl:`#2917`
-- Reloading a catalog zone that referenced a missing/deleted zone
- caused a crash. This has been fixed. :gl:`#2308`
+- Reloading a catalog zone which referenced a missing/deleted member
+ zone triggered a runtime check failure, causing ``named`` to exit
+ prematurely. This has been fixed. :gl:`#2308`
- Logfiles using ``timestamp``-style suffixes were not always correctly
removed when the number of files exceeded the limit set by ``versions``.
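Review bot: in the first bug-fix entry the pronoun in `it could fail to listen for TCP connections` is ambiguous after the clause about the operating system; write `` ``named`` could fail to listen`` explicitly so the sentence does not read as the operating system failing. In the catalog-zone entry, `triggered a runtime check failure, causing ``named`` to exit prematurely` is clearer than the old `caused a crash`, but it should still mention that the trigger is a member zone referenced by the catalog but absent from the configuration, so operators can tell whether their setup was exposed.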