https://www.isc.org/download/. There you will find additional
information about each release, and source code.
-.. include:: ../notes/notes-current.rst
-.. include:: ../notes/notes-9.17.22.rst
-.. include:: ../notes/notes-9.17.21.rst
-.. include:: ../notes/notes-9.17.20.rst
-.. include:: ../notes/notes-9.17.19.rst
-.. include:: ../notes/notes-9.17.18.rst
-.. include:: ../notes/notes-9.17.17.rst
-.. include:: ../notes/notes-9.17.16.rst
-.. include:: ../notes/notes-9.17.15.rst
-.. include:: ../notes/notes-9.17.14.rst
-.. include:: ../notes/notes-9.17.13.rst
-.. include:: ../notes/notes-9.17.12.rst
-.. include:: ../notes/notes-9.17.11.rst
-.. include:: ../notes/notes-9.17.10.rst
-.. include:: ../notes/notes-9.17.9.rst
-.. include:: ../notes/notes-9.17.8.rst
-.. include:: ../notes/notes-9.17.7.rst
-.. include:: ../notes/notes-9.17.6.rst
-.. include:: ../notes/notes-9.17.5.rst
-.. include:: ../notes/notes-9.17.4.rst
-.. include:: ../notes/notes-9.17.3.rst
-.. include:: ../notes/notes-9.17.2.rst
-.. include:: ../notes/notes-9.17.1.rst
-.. include:: ../notes/notes-9.17.0.rst
+.. include:: ../notes/notes-9.18.0.rst
.. _relnotes_license:
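Review bot: the hunk drops ``.. include:: ../notes/notes-current.rst`` along with the 24 ``notes-9.17.*.rst`` includes but adds only ``.. include:: ../notes/notes-9.18.0.rst``, so the staging file for unreleased changes is no longer rendered; confirm that ``notes-current.rst`` is deleted or renamed elsewhere in this change, or keep its include, otherwise notes for post-9.18.0 work will silently stop appearing in the built documentation. A one-line commit-message or docs note saying that the 9.17 development-branch notes were folded into 9.18.0 would also help readers who land on the rendered page looking for the 9.17.x history.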
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.0
----------------------
-
-Known Issues
-~~~~~~~~~~~~
-
-- UDP network ports used for listening can no longer simultaneously be
- used for sending traffic. An example configuration which triggers
- this issue would be one which uses the same ``address:port`` pair for
- ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or
- ``transfer-source(-v6)``. While this issue affects all operating
- systems, it only triggers log messages (e.g. "unable to create
- dispatch for reserved port") on some of them. There are currently no
- plans to make such a combination of settings work again.
-
-New Features
-~~~~~~~~~~~~
-
-- When a secondary server receives a large incremental zone transfer
- (IXFR), it can have a negative impact on query performance while the
- incremental changes are applied to the zone. To address this,
- ``named`` can now limit the size of IXFR responses it sends in
- response to zone transfer requests. If an IXFR response would be
- larger than an AXFR of the entire zone, it will send an AXFR response
- instead.
-
- This behavior is controlled by the ``max-ixfr-ratio`` option - a
- percentage value representing the ratio of IXFR size to the size of a
- full zone transfer. The default is ``100%``. :gl:`#1515`
-
-- A new RPZ option ``nsdname-wait-recurse`` controls whether
- RPZ-NSDNAME rules should always be applied even if the names of
- authoritative name servers for the query name need to be looked up
- recurively first. The default is ``yes``. Setting it to ``no`` speeds
- up initial responses by skipping RPZ-NSDNAME rules when name server
- domain names are not yet in the cache. The names will be looked up in
- the background and the rule will be applied for subsequent queries.
- :gl:`#1138`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The system-provided POSIX Threads read-write lock implementation is
- now used by default instead of the native BIND 9 implementation.
- Please be aware that glibc versions 2.26 through 2.29 had a bug_ that
- could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and
- most current Linux distributions have patched or updated glibc, with
- the notable exception of Ubuntu 18.04 (Bionic) which is a work in
- progress. If you are running on an affected operating system, compile
- BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
- glibc is available. :gl:`!3125`
-
-.. _bug: https://sourceware.org/bugzilla/show_bug.cgi?id=23844
-
-- The ``rndc nta -dump`` and ``rndc secroots`` commands now both
- include ``validate-except`` entries when listing negative trust
- anchors. These are indicated by the keyword ``permanent`` in place of
- the expiry date. :gl:`#1532`
-
-Bug Fixes
-~~~~~~~~~
-
-- Fixed re-signing issues with inline zones which resulted in records
- being re-signed late or not at all.
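Review bot: two items in this deleted 9.17.0 file are not release-specific and should survive consolidation: the Known Issues entry stating that a UDP ``listen-on(-v6)`` ``address:port`` can no longer be reused for ``notify-source(-v6)`` or ``transfer-source(-v6)`` and that there are "no plans to make such a combination of settings work again" describes permanent behaviour, not a transient bug, and the ``--disable-pthread-rwlock`` build guidance for glibc 2.26 through 2.29 (sourceware bug 23844) still matters on unpatched hosts. Check that the 9.18.0 notes carry both forward, since after this change a reader upgrading from 9.16 never sees the 9.17.x text.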
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.1
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- DNS rebinding protection was ineffective when BIND 9 is configured as
- a forwarding DNS server. Found and responsibly reported by Tobias
- Klein. :gl:`#1574`
-
-Known Issues
-~~~~~~~~~~~~
-
-- We have received reports that in some circumstances, receipt of an
- IXFR can cause the processing of queries to slow significantly. Some
- of these were related to RPZ processing, which has been fixed in this
- release (see below). Others appear to occur where there are
- NSEC3-related changes (such as an operator changing the NSEC3 salt
- used in the hash calculation). These are being investigated.
- :gl:`#1685`
-
-New Features
-~~~~~~~~~~~~
-
-- A new option, ``nsdname-wait-recurse``, has been added to the
- ``response-policy`` clause in the configuration file. When set to
- ``no``, RPZ NSDNAME rules are only applied if the authoritative
- nameservers for the query name have been looked up and are present in
- the cache. If this information is not present, the RPZ NSDNAME rules
- are ignored, but the information is looked up in the background and
- applied to subsequent queries. The default is ``yes``, meaning that
- RPZ NSDNAME rules should always be applied, even if the information
- needs to be looked up first. :gl:`#1138`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The previous DNSSEC sign statistics used lots of memory. The number
- of keys to track is reduced to four per zone, which should be enough
- for 99% of all signed zones. :gl:`#1179`
-
-Bug Fixes
-~~~~~~~~~
-
-- When an RPZ policy zone was updated via zone transfer and a large
- number of records was deleted, ``named`` could become nonresponsive
- for a short period while deleted names were removed from the RPZ
- summary database. This database cleanup is now done incrementally
- over a longer period of time, reducing such delays. :gl:`#1447`
-
-- When trying to migrate an already-signed zone from ``auto-dnssec
- maintain`` to one based on ``dnssec-policy``, the existing keys were
- immediately deleted and replaced with new ones. As the key rollover
- timing constraints were not being followed, it was possible that some
- clients would not have been able to validate responses until all old
- DNSSEC information had timed out from caches. BIND now looks at the
- time metadata of the existing keys and incorporates it into its
- DNSSEC policy operation. :gl:`#1706`
-
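Review bot: the Known Issues entry :gl:`#1685` (query processing slowing significantly after receipt of an IXFR, with the NSEC3-salt-change case "being investigated") is deleted without any later note in this patch recording a fix; verify the issue's status and, if it is still open, move it into the 9.18.0 Known Issues rather than dropping it. The Security Fixes bullet (:gl:`#1574`, DNS rebinding protection ineffective in forwarding configurations) carries no CVE identifier here; if one was assigned, the consolidated notes should reference it so the advisory remains discoverable from the docs.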
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.10
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of
- this, the ``nghttp2`` HTTP/2 library is now required for building the
- development branch of BIND 9. Both TLS-encrypted and unencrypted
- HTTP/2 connections are supported (the latter may be used to offload
- encryption to other software).
-
- Note that there is no client-side support for HTTPS as yet; this will
- be added to ``dig`` in a future release. :gl:`#1144`
-
-- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
- outgoing zone transfers. Addresses in a ``primaries`` list can now be
- accompanied by an optional ``tls`` keyword, followed by either the
- name of a previously configured ``tls`` statement or ``ephemeral``.
- :gl:`#2392`
-
-- A new option, ``stale-answer-client-timeout``, has been added to
- improve ``named``'s behavior with respect to serving stale data. The
- option defines the amount of time ``named`` waits before attempting to
- answer the query with a stale RRset from cache. If a stale answer is
- found, ``named`` continues the ongoing fetches, attempting to refresh
- the RRset in cache until the ``resolver-query-timeout`` interval is
- reached.
-
- The default value is ``1800`` (in milliseconds) and the maximum value
- is limited to ``resolver-query-timeout`` minus one second. A value of
- ``0`` causes any available cached RRset to immediately be returned
- while still triggering a refresh of the data in cache.
-
- This new behavior can be disabled by setting
- ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
- option has no effect if ``stale-answer-enable`` is disabled.
- :gl:`#2247`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- A number of non-working configuration options that had been marked as
- obsolete in previous releases have now been removed completely. Using
- any of the following options is now considered a configuration
- failure: ``acache-cleaning-interval``, ``acache-enable``,
- ``additional-from-auth``, ``additional-from-cache``,
- ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``,
- ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``,
- ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
- ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
- ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
- ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- When serve-stale is enabled and stale data is available, ``named`` now
- returns stale answers upon encountering any unexpected error in the
- query resolution process. This may happen, for example, if the
- ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
- this case, ``named`` attempts to answer DNS requests with stale data,
- but does not start the ``stale-refresh-time`` window. :gl:`#2434`
-
-- The default value of ``max-stale-ttl`` has been changed from 12 hours
- to 1 day and the default value of ``stale-answer-ttl`` has been
- changed from 1 second to 30 seconds, following :rfc:`8767`
- recommendations. :gl:`#2248`
-
-- The SONAMEs for BIND 9 libraries now include the current BIND 9
- version number, in an effort to tightly couple internal libraries with
- a specific release. This change makes the BIND 9 release process both
- simpler and more consistent while also unequivocally preventing BIND 9
- binaries from silently loading wrong versions of shared libraries (or
- multiple versions of the same shared library) at startup. :gl:`#2387`
-
-- When ``check-names`` is in effect, A records below an ``_spf``,
- ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
- ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
- D.1) are no longer reported as warnings/errors. :gl:`#2377`
-
-Bug Fixes
-~~~~~~~~~
-
-- ``named`` failed to start when its configuration included a zone with
- a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
-
-- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
- key. This has been fixed. :gl:`#2178`
-
-- KASP incorrectly set signature validity to the value of the DNSKEY
- signature validity. This has been fixed. :gl:`#2383`
-
-- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
- and/or ``Delete`` timing metadata to be possible active keys. This has
- been fixed. :gl:`#2406`
-
-- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
- faster than the time required to finish the rollover procedure, the
- successor relation equation failed because it assumed only two keys
- were taking part in a rollover. This could lead to premature removal
- of predecessor keys. BIND 9 now implements a recursive successor
- relation, as described in the paper "Flexible and Robust Key Rollover"
- (Equation (2)). :gl:`#2375`
-
-- Performance of the DNSSEC verification code (used by
- ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
- improved. :gl:`#2073`
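Review bot: the Removed Features bullet (:gl:`#1086`) turns a list of formerly tolerated obsolete options (``acache-*``, ``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa*``, ``request-sit``, ``sit-secret``, ``lwres``, ``use-ixfr`` and the rest) into hard configuration failures; because 9.17 was the development branch, operators moving from 9.16 straight to 9.18.0 will first meet these failures at startup, so the full list needs to be retained in the 9.18.0 notes. The DoH paragraph (:gl:`#1144`) also says ``nghttp2`` "is now required for building the development branch", which the 9.17.17 notes later in this patch supersede with ``--disable-doh``; only the final state should be carried over.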
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.11
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- ``dig`` has been extended to support DNS-over-HTTPS (DoH) queries,
- using ``dig +https`` and related options. :gl:`#1641`
-
-- A new ``purge-keys`` option has been added to ``dnssec-policy``. It
- sets the period of time that key files are retained after becoming
- obsolete due to a key rollover; the default is 90 days. This feature
- can be disabled by setting ``purge-keys`` to 0. :gl:`#2408`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- To prevent users from inadvertently configuring unencrypted
- DNS-over-HTTPS (DoH) in BIND 9, ``listen-on`` and ``listen-on-v6``
- statements using the ``http`` parameter must now also specify the
- ``tls`` parameter. ``tls none`` can be used to explicitly allow
- unencrypted HTTP connections. :gl:`#2472`
-
-- ``http default`` can now be specified in ``listen-on`` and
- ``listen-on-v6`` statements to use the default HTTP endpoint of
- ``/dns-query``. It is no longer necessary to include an ``http``
- statement in ``named.conf`` unless overriding this value. :gl:`#2472`
-
-Bug Fixes
-~~~~~~~~~
-
-- Zone journal (``.jnl``) files created by versions of ``named`` prior
- to 9.16.12 were no longer compatible; this could cause problems when
- upgrading if journal files were not synchronized first. This has been
- corrected: older journal files can now be read when starting up. When
- an old-style journal file is detected, it is updated to the new format
- immediately after loading.
-
- Note that journals created by the current version of ``named`` are not
- usable by versions prior to 9.16.12. Before downgrading to a prior
- release, users are advised to ensure that all dynamic zones have been
- synchronized using ``rndc sync -clean``.
-
- A journal file's format can be changed manually by running
- ``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
- (upgrade). Note that this *must not* be done while ``named`` is
- running. :gl:`#2505`
-
-- ``named`` crashed when it was allowed to serve stale answers and
- ``stale-answer-client-timeout`` was triggered without any (stale) data
- available in the cache to answer the query. :gl:`#2503`
-
-- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
- instead of sending back a proper response. To prevent this problem,
- the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
- been happening since BIND 9.17.6. :gl:`#2466`
-
-- NSEC3 records were not immediately created when signing a dynamic zone
- using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
- :gl:`#2498`
-
-- A memory leak occurred when ``named`` was reconfigured after adding an
- inline-signed zone with ``auto-dnssec maintain`` enabled. This has
- been fixed. :gl:`#2041`
-
-- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
- a LOC record resulted in an INSIST failure when a zone file containing
- such a record was loaded. :gl:`#2499`
-
-- If an invalid key name (e.g. ``a..b``) was specified in a
- ``primaries`` list in ``named.conf``, the wrong size was passed to
- ``isc_mem_put()``, which resulted in the returned memory being put on
- the wrong free list and prevented ``named`` from starting up. This has
- been fixed. :gl:`#2460`
-
-- ``libtool`` was inadvertently introduced as a build-time requirement
- when the build system was revamped in BIND 9.17.2. This unnecessarily
- prevented hosts without that tool from building BIND 9 from source
- tarballs. A standalone ``libtool`` script no longer needs to be
- present in ``PATH`` to build BIND 9 from a source tarball. :gl:`#2504`
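Review bot: the journal-format bullet (:gl:`#2505`) is operational guidance that an upgrader or a downgrader needs and that nothing else in this patch restates: journals written by this and later versions are unreadable by releases before 9.16.12, ``rndc sync -clean`` should be run on all dynamic zones before downgrading, and ``named-journalprint -d`` / ``named-journalprint -u`` must not be run while ``named`` is running. Together with the new requirement that any ``listen-on`` ``http`` listener also specify ``tls`` (``tls none`` for deliberately unencrypted HTTP, :gl:`#2472`), these belong in the 9.18.0 notes rather than disappearing with this file.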
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.12
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- A malformed incoming IXFR transfer could trigger an assertion failure
- in ``named``, causing it to quit abnormally. (CVE-2021-25214)
-
- ISC would like to thank Greg Kuechle of SaskTel for bringing this
- vulnerability to our attention. :gl:`#2467`
-
-- ``named`` crashed when a DNAME record placed in the ANSWER section
- during DNAME chasing turned out to be the final answer to a client
- query. (CVE-2021-25215)
-
- ISC would like to thank `Siva Kakarla`_ for bringing this
- vulnerability to our attention. :gl:`#2540`
-
-.. _Siva Kakarla: https://github.com/sivakesava1
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The ISC implementation of SPNEGO was removed from BIND 9 source code.
- Instead, BIND 9 now always uses the SPNEGO implementation provided by
- the system GSSAPI library when it is built with GSSAPI support. All
- major contemporary Kerberos/GSSAPI libraries contain an implementation
- of the SPNEGO mechanism. This change was introduced in BIND 9.17.2,
- but it was not included in the release notes at the time. :gl:`#2607`
-
-- The default value for the ``stale-answer-client-timeout`` option was
- changed from ``1800`` (ms) to ``off``. The default value may be
- changed again in future releases as this feature matures. :gl:`#2608`
-
-Bug Fixes
-~~~~~~~~~
-
-- TCP idle and initial timeouts were being incorrectly applied: only the
- ``tcp-initial-timeout`` was applied on the whole connection, even if
- the connection were still active, which could prevent a large zone
- transfer from being sent back to the client. The default setting for
- ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
- connection taking more than 30 seconds was abruptly terminated. This
- has been fixed. :gl:`#2583`
-
-- When ``stale-answer-client-timeout`` was set to a positive value and
- recursion for a client query completed when ``named`` was about to
- look for a stale answer, an assertion could fail in
- ``query_respond()``, resulting in a crash. This has been fixed.
- :gl:`#2594`
-
-- After upgrading to the previous release, journal files for trust
- anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a
- corrupt state. (Other zone journal files were not affected.) This has
- been fixed. If a corrupt journal file is detected, ``named`` can now
- recover from it. :gl:`#2600`
-
-- When sending queries over TCP, ``dig`` now properly handles ``+tries=1
- +retry=0`` by not retrying the connection when the remote server
- closes the connection prematurely. :gl:`#2490`
-
-- CDS/CDNSKEY DELETE records are now removed when a zone transitions
- from a secure to an insecure state. ``named-checkzone`` also no longer
- reports an error when such records are found in an unsigned zone.
- :gl:`#2517`
-
-- Zones using KASP could not be thawed after they were frozen using
- ``rndc freeze``. This has been fixed. :gl:`#2523`
-
-- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
- ``named`` now immediately attempts to reconfigure zone keys. This
- change prevents unnecessary key rollover delays. :gl:`#2488`
-
-- ``named`` crashed after skipping a primary server while transferring a
- zone over TLS. This has been fixed. :gl:`#2562`
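Review bot: this hunk removes the only two CVE-tagged entries so far in the patch (CVE-2021-25214, assertion on a malformed incoming IXFR, and CVE-2021-25215, crash when a DNAME in the ANSWER section is the final answer); readers who tracked the 9.17 development releases lose the record of which 9.17.x contained the fixes, so either keep a brief Security Fixes summary in the 9.18.0 notes or link the ISC advisories from there. The SPNEGO bullet (:gl:`#2607`) is also worth retaining: it documents that GSSAPI builds now depend on the system library's SPNEGO implementation, a dependency 9.16 users have not encountered.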
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.13
-----------------------
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- DNSSEC responses containing NSEC3 records with iteration counts
- greater than 150 are now treated as insecure. :gl:`#2445`
-
-- The maximum supported number of NSEC3 iterations that can be
- configured for a zone has been reduced to 150. :gl:`#2642`
-
-- After the network manager was introduced to ``named`` to handle
- incoming traffic, it was discovered that recursive performance had
- degraded compared to previous BIND 9 versions. This has now been
- fixed by processing internal tasks inside network manager worker
- threads, preventing resource contention among two sets of threads.
- :gl:`#2638`
-
-- Zones that want to transition from secure to insecure mode without
- becoming bogus in the process must now have their ``dnssec-policy``
- changed first to ``insecure``, rather than ``none``. After the DNSSEC
- records have been removed from the zone, the ``dnssec-policy`` can be
- set to ``none`` or removed from the configuration. Setting the
- ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
- records to be published. :gl:`#2645`
-
-- The implementation of the ZONEMD RR type has been updated to match
- :rfc:`8976`. :gl:`#2658`
-
-- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
- NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
- or the SOA TTL. :gl:`#2347`
-
-Bug Fixes
-~~~~~~~~~
-
-- If zone journal files written by BIND 9.16.11 or earlier were present
- when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file
- for that zone could have been inadvertently rewritten with the current
- zone contents. This caused the original zone file structure (e.g.
- comments, ``$INCLUDE`` directives) to be lost, although the zone data
- itself was preserved. :gl:`#2623`
-
-- It was possible for corrupt journal files generated by an earlier
- version of ``named`` to cause problems after an upgrade. This has been
- fixed. :gl:`#2670`
-
-- TTL values in cache dumps were reported incorrectly when
- ``stale-cache-enable`` was set to ``yes``. This has been fixed.
- :gl:`#389` :gl:`#2289`
-
-- A deadlock could occur when multiple ``rndc addzone``, ``rndc
- delzone``, and/or ``rndc modzone`` commands were invoked
- simultaneously for different zones. This has been fixed. :gl:`#2626`
-
-- ``inline-signing`` was incorrectly described as being inherited from
- the ``options``/``view`` levels and was incorrectly accepted at those
- levels without effect. This has been fixed; ``named.conf`` files with
- ``inline-signing`` at those levels no longer load. :gl:`#2536`
-
-- ``named`` and ``named-checkconf`` did not report an error when
- multiple zones with the ``dnssec-policy`` option set were using the
- same zone file. This has been fixed. :gl:`#2603`
-
-- If ``dnssec-policy`` was active and a private key file was temporarily
- offline during a rekey event, ``named`` could incorrectly introduce
- replacement keys and break a signed zone. This has been fixed.
- :gl:`#2596`
-
-- When generating zone signing keys, KASP now also checks for key ID
- conflicts among newly created keys, rather than just between new and
- existing ones. :gl:`#2628`
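Review bot: three changes in this deleted 9.17.13 file alter signing or validation outcomes and must not be lost: the secure-to-insecure transition now requires ``dnssec-policy insecure`` first and ``none`` only after the DNSSEC records are gone (:gl:`#2645`), otherwise the zone goes bogus; NSEC3 responses with more than 150 iterations are treated as insecure and zones can no longer be configured above 150 (:gl:`#2445`, :gl:`#2642`); and ``named.conf`` files with ``inline-signing`` at ``options`` or ``view`` level no longer load (:gl:`#2536`). Confirm all three appear in the 9.18.0 notes or the ARM upgrade section.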
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.14
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- New configuration options, ``tcp-receive-buffer``,
- ``tcp-send-buffer``, ``udp-receive-buffer``, and ``udp-send-buffer``,
- have been added. These options allow the operator to fine-tune the
- receiving and sending buffers in the operating system. On busy
- servers, increasing the size of the receive buffers can prevent the
- server from dropping packets during short traffic spikes, and
- decreasing it can prevent the server from becoming clogged with
- queries that are too old and have already timed out. :gl:`#2313`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Zone dumping tasks are now run on separate asynchronous thread pools.
- This change prevents zone dumping from blocking network I/O.
- :gl:`#2732`
-
-- The interface handling code has been refactored to use fewer
- resources, which should lead to less memory fragmentation and better
- startup performance. :gl:`#2433`
-
-Bug Fixes
-~~~~~~~~~
-
-- The calculation of the estimated IXFR transaction size in
- ``dns_journal_iter_init()`` was invalid. This resulted in excessive
- AXFR-style IXFR responses. :gl:`#2685`
-
-- Fixed an assertion failure that could occur if stale data was used to
- answer a query, and then a prefetch was triggered after the query was
- restarted (for example, to follow a CNAME). :gl:`#2733`
-
-- If a query was answered with stale data on a server with DNS64
- enabled, an assertion could occur if a non-stale answer arrived
- afterward. This has been fixed. :gl:`#2731`
-
-- Fixed an error which caused the ``IP_DONTFRAG`` socket option to be
- enabled instead of disabled, leading to errors when sending oversized
- UDP packets. :gl:`#2746`
-
-- Zones which are configured in multiple views, with different values
- set for ``dnssec-policy`` and with identical values set for
- ``key-directory``, are now detected and treated as a configuration
- error. :gl:`#2463`
-
-- A race condition could occur when reading and writing key files for
- zones using KASP and configured in multiple views. This has been
- fixed. :gl:`#1875`
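Review bot: the ``IP_DONTFRAG`` bullet (:gl:`#2746`) is the second of three contradictory notes on the same socket option in this patch: 9.17.11 (:gl:`#2466`) says the option is no longer set, this file says it was being enabled instead of disabled, and 9.17.16 (:gl:`#2790`, later in the patch) disables fragmentation again with a TC fallback. Read in sequence these are confusing, so the consolidated 9.18.0 notes should state only the final behaviour and drop the intermediate reversals.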
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.15
-----------------------
-
-Bug Fixes
-~~~~~~~~~
-
-- When preparing DNS responses, ``named`` could replace the letters
- ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been
- fixed. :gl:`#2779`
-
-- The configuration-checking code failed to account for the inheritance
- rules of the ``key-directory`` option. As a side effect of this flaw,
- the code detecting ``key-directory`` conflicts for zones using KASP
- incorrectly reported unique key directories as being reused. This has
- been fixed. :gl:`#2778`
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.16
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Sending DNS messages with the OPCODE field set to anything other than
- QUERY (0) via DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) channels
- triggered an assertion failure in ``named``. This has been fixed.
-
- ISC would like to thank Ville Heikkila of Synopsys Cybersecurity
- Research Center for bringing this vulnerability to our attention.
- :gl:`#2787`
-
-New Features
-~~~~~~~~~~~~
-
-- Using a new configuration option, ``parental-agents``, each zone can
- now be associated with a list of servers that can be used to check the
- DS RRset in the parent zone. This enables automatic KSK rollovers.
- :gl:`#1126`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Support for compiling and running BIND 9 natively on Windows has been
- completely removed. The last stable release branch that has working
- Windows support is BIND 9.16. :gl:`#2690`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- IP fragmentation has been disabled for outgoing UDP sockets. Errors
- triggered by sending DNS messages larger than the specified path MTU
- are properly handled by sending empty DNS replies with the ``TC``
- (TrunCated) bit set, which forces DNS clients to fall back to TCP.
- :gl:`#2790`
-
-Bug Fixes
-~~~~~~~~~
-
-- The code managing :rfc:`5011` trust anchors created an invalid
- placeholder keydata record upon a refresh failure, which prevented the
- database of managed keys from subsequently being read back. This has
- been fixed. :gl:`#2686`
-
-- Signed, insecure delegation responses prepared by ``named`` either
- lacked the necessary NSEC records or contained duplicate NSEC records
- when both wildcard expansion and CNAME chaining were required to
- prepare the response. This has been fixed. :gl:`#2759`
-
-- If ``nsupdate`` sends an SOA request and receives a REFUSED response,
- it now fails over to the next available server. :gl:`#2758`
-
-- A bug that caused the NSEC3 salt to be changed on every restart for
- zones using KASP has been fixed. :gl:`#2725`
-
-- The configuration-checking code failed to account for the inheritance
- rules of the ``dnssec-policy`` option. This has been fixed.
- :gl:`#2780`
-
-- The fix for :gl:`#1875` inadvertently introduced a deadlock: when
- locking key files for reading and writing, the ``in-view`` logic was
- not considered. This has been fixed. :gl:`#2783`
-
-- A race condition could occur where two threads were competing for the
- same set of key file locks, leading to a deadlock. This has been
- fixed. :gl:`#2786`
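Review bot: the fragmentation change (:gl:`#2790`, outgoing UDP sockets no longer fragment and an oversized reply becomes an empty response with ``TC`` set) concerns the same condition as the CVE-2021-25218 fix in the 9.17.17 hunk that follows (assertion when a UDP packet exceeds the MTU with RRL enabled); the 9.18.0 notes should present the TC-fallback behaviour and the RRL fix together so operators running ``rate-limit`` understand that clients must be able to retry over TCP. Also worth carrying forward from this file: the complete removal of native Windows support (:gl:`#2690`), which is a hard break for 9.16 users, and the DoT/DoH non-QUERY opcode assertion fix (:gl:`#2787`), which is listed under Security Fixes without a CVE identifier.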
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.17
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Fixed an assertion failure that occurred in ``named`` when it
- attempted to send a UDP packet that exceeded the MTU size, if
- Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
-
-- ``named`` failed to check the opcode of responses when performing zone
- refreshes, stub zone updates, and UPDATE forwarding. This could lead
- to an assertion failure under certain conditions and has been
- addressed by rejecting responses whose opcode does not match the
- expected value. :gl:`#2762`
-
-New Features
-~~~~~~~~~~~~
-
-- DNS-over-HTTPS (DoH) support can now be disabled at compile time using
- a new build-time option, ``--disable-doh``. This allows BIND 9 to be
- built without the libnghttp2 library. :gl:`#2478`
-
-- It is now possible to set a hard quota on both the number of
- concurrent DNS-over-HTTPS (DoH) connections and the number of active
- HTTP/2 streams per connection, by using the ``http-listener-clients``
- and ``http-streams-per-connection`` options, or the
- ``listener-clients`` and ``streams-per-connection`` parameters in an
- ``http`` statement. The defaults are 300 and 100, respectively.
- :gl:`#2809`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Previously, ``named`` accepted FORMERR responses both with and without
- an OPT record, as an indication that a given server did not support
- EDNS. To implement full compliance with :rfc:`6891`, only FORMERR
- responses without an OPT record are now accepted. This intentionally
- breaks communication with servers that do not support EDNS and that
- incorrectly echo back the query message with the RCODE field set to
- FORMERR and the QR bit set to 1. :gl:`#2249`
-
-- Memory allocation has been substantially refactored; it is now based
- on the memory allocation API provided by the jemalloc library, on
- platforms where it is available. Use of this library is now
- recommended when building BIND 9; although it is optional, it is
- enabled by default. :gl:`#2433`
-
-- Testing revealed that setting the thread affinity for various types of
- ``named`` threads led to inconsistent recursive performance, as
- sometimes multiple sets of threads competed over a single resource.
-
- Due to the above, ``named`` no longer sets thread affinity. This
- causes a slight dip of around 5% in authoritative performance, but
- recursive performance is now consistently improved. :gl:`#2822`
-
-- CDS and CDNSKEY records can now be published in a zone without the
- requirement that they exactly match an existing DNSKEY record, as long
- as the zone is signed with an algorithm represented in the CDS or
- CDNSKEY record. This allows a clean rollover from one DNS provider to
- another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
-
-Bug Fixes
-~~~~~~~~~
-
-- Authentication of ``rndc`` messages could fail if a ``controls``
- statement was configured with multiple key algorithms for the same
- listener. This has been fixed. :gl:`#2756`
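Review bot: before this file goes, confirm that the CVE-2021-25218 entry (`Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856``) and the deliberately breaking FORMERR/EDNS change under Feature Changes (`This intentionally breaks communication with servers that do not support EDNS ... :gl:`#2249``) are carried into whatever notes replace the 9.17 series; both are entries an operator upgrading across 9.17.17 will look for, and the second documents a resolver behaviour change that is not recorded anywhere else as a fix. Also, this deletion is shown with only a `+++ /dev/null` header and no `--- a/<path>` or `diff --git` line, so the removed file name is recoverable only from the `Notes for BIND 9.17.17` title; if the patch was generated that way rather than trimmed when pasted, regenerate it with full file headers.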
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.18
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Support for HTTPS and SVCB record types has been added. :gl:`#1132`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- When ``dnssec-signzone`` signs a zone using a successor key whose
- predecessor is still published, it now only refreshes signatures for
- RRsets which have an invalid signature, an expired signature, or a
- signature which expires within the provided cycle interval. This
- allows ``dnssec-signzone`` to gradually replace signatures in a zone
- whose ZSK is being rolled over (similarly to what ``auto-dnssec
- maintain;`` does). :gl:`#1551`
-
-- ``dnssec-cds`` now only generates SHA-2 DS records by default and
- avoids copying deprecated SHA-1 records from a child zone to its
- delegation in the parent. If the child zone does not publish SHA-2 CDS
- records, ``dnssec-cds`` will generate them from the CDNSKEY records.
- The ``-a algorithm`` option now affects the process of generating DS
- digest records from both CDS and CDNSKEY records. Thanks to Tony
- Finch. :gl:`#2871`
-
-- When reporting zone types in the statistics channel, the terms
- ``primary`` and ``secondary`` are now used instead of ``master`` and
- ``slave``, respectively. :gl:`#1944`
-
-Bug Fixes
-~~~~~~~~~
-
-- A recent change to the internal memory structure of zone databases
- inadvertently neglected to update the MAPAPI value for zone files in
- ``map`` format. This caused version 9.17.17 of ``named`` to attempt to
- load files into memory that were no longer compatible, triggering an
- assertion failure on startup. The MAPAPI value has now been updated,
- so ``named`` rejects outdated files when encountering them.
- :gl:`#2872`
-
-- Zone files in ``map`` format whose size exceeded 2 GB failed to load.
- This has been fixed. :gl:`#2878`
-
-- Stale data in the cache could cause ``named`` to send non-minimized
- queries despite QNAME minimization being enabled. This has been fixed.
- :gl:`#2665`
-
-- When a DNSSEC-signed zone which only has a single signing key
- available is migrated to ``dnssec-policy``, that key is now treated as
- a Combined Signing Key (CSK). :gl:`#2857`
-
-- When a dynamic zone was made available in another view using the
- ``in-view`` statement, running ``rndc freeze`` always reported an
- ``already frozen`` error even though the zone was successfully
- frozen. This has been fixed. :gl:`#2844`
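Review bot: the two map-format bug fixes in this file (`MAPAPI value ... :gl:`#2872`` and `Zone files in ``map`` format whose size exceeded 2 GB ... :gl:`#2878``) describe a format that the 9.17.19 notes below remove altogether, so they can be dropped without loss. The `dnssec-cds` default change (`now only generates SHA-2 DS records by default ... :gl:`#2871``) is different: it silently changes which DS records a parent receives from a child, so it should survive consolidation, together with the Tony Finch credit.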
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.19
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- The ``lame-ttl`` option controls how long ``named`` caches certain
- types of broken responses from authoritative servers (see the
- `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
- details). This caching mechanism could be abused by an attacker to
- significantly degrade resolver performance. The vulnerability has been
- mitigated by changing the default value of ``lame-ttl`` to ``0`` and
- overriding any explicitly set value with ``0``, effectively disabling
- this mechanism altogether. ISC's testing has determined that doing
- that has a negligible impact on resolver performance while also
- preventing abuse. Administrators may observe more traffic towards
- servers issuing certain types of broken responses than in previous
- BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
-
- ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
- bringing this vulnerability to our attention. :gl:`#2899`
-
-New Features
-~~~~~~~~~~~~
-
-- It is now possible to specify the TLS protocol versions to support for
- each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2;
- TLSv1.3; };``). :gl:`#2795`
-
-- New options for ``tls`` configuration clauses were implemented,
- namely:
-
- - ``dhparam-file "<path_to_file>";`` for specifying Diffie-Hellman
- parameters,
-
- - ``ciphers "<cipher_list>";`` for specifying OpenSSL ciphers to use,
-
- - ``prefer-server-ciphers <yes|no>;`` for specifying whether server
- ciphers or client ciphers should be preferred (this controls
- OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option),
-
- - ``session-tickets <yes|no>;`` for enabling/disabling stateless TLS
- session tickets (see :rfc:`5077`).
-
- These options allow finer control over TLS protocol configuration and
- make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS
- (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Native PKCS#11 support has been removed; BIND 9 now :ref:`uses
- engine_pkcs11 for PKCS#11<pkcs11>`. engine_pkcs11 is an OpenSSL engine
- which is part of the `OpenSC`_ project. :gl:`#2691`
-
-- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
- enabled in ``named`` at build time have been removed. New-style DLZ
- modules should be used as a replacement. :gl:`#2814`
-
-- Support for the ``map`` zone file format (``masterfile-format map;``)
- has been removed. Users relying on the ``map`` format are advised to
- convert their zones to the ``raw`` format with ``named-compilezone``
- and change the configuration appropriately prior to upgrading BIND 9.
- :gl:`#2882`
-
-.. _OpenSC: https://github.com/OpenSC/libp11
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The network manager API is now used for sending all outgoing DNS
- queries and requests from ``named`` and related tools, including
- ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401`
-
-- ``named`` and ``named-checkconf`` now exit with an error when a single
- port configured for ``query-source``, ``transfer-source``,
- ``notify-source``, ``parental-source``, and/or their respective IPv6
- counterparts clashes with a global listening port. This configuration
- has not been supported since BIND 9.16.0, but no error was reported
- until now (even though sending UDP messages such as NOTIFY failed).
- :gl:`#2888`
-
-- ``named`` and ``named-checkconf`` now issue a warning when there is a
- single port configured for ``query-source``, ``transfer-source``,
- ``notify-source``, ``parental-source``, and/or for their respective
- IPv6 counterparts. :gl:`#2888`
-
-- Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer
- Protocol Negotiation (ALPN) token to be selected in the TLS handshake,
- as required by :rfc:`9103` section 7.1. :gl:`#2794`
-
-Bug Fixes
-~~~~~~~~~
-
-- A recent change introduced in BIND 9.17.18 inadvertently broke
- backward compatibility for the ``check-names master ...`` and
- ``check-names slave ...`` options, causing them to be silently
- ignored. This has been fixed and these options now work properly
- again. :gl:`#2911`
-
-- When new IP addresses were set up by the operating system during
- ``named`` startup, it could fail to listen for TCP connections on the
- newly added interfaces. :gl:`#2852`
-
-- Under specific circumstances, zone transfers over TCP and TLS could be
- interrupted prematurely. This has been fixed. :gl:`#2917`
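Review bot: this file defines the explicit hyperlink target `.. _OpenSC: https://github.com/OpenSC/libp11` used by the PKCS#11 removal entry, and that entry also carries a `:ref:` to `pkcs11`; if the Removed Features bullets (:gl:`#2691`, :gl:`#2814`, :gl:`#2882`) are moved into another file, move the `.. _OpenSC:` target with them or Sphinx will report an unknown target. The three removals (native PKCS#11, old-style DLZ drivers, the ``map`` zone file format) and the CVE-2021-25219 ``lame-ttl`` entry are upgrade-blocking or security-relevant and are the entries most worth preserving; the `named-compilezone` conversion advice for ``map`` users in particular should not disappear with the file.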
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.2
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- To prevent exhaustion of server resources by a maliciously configured
- domain, the number of recursive queries that can be triggered by a
- request before aborting recursion has been further limited. Root and
- top-level domain servers are no longer exempt from the
- ``max-recursion-queries`` limit. Fetches for missing name server
- address records are limited to 4 for any domain. This issue was
- disclosed in CVE-2020-8616. :gl:`#1388`
-
-- Replaying a TSIG BADTIME response as a request could trigger an
- assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
-
-- It was possible to trigger an assertion when attempting to fill an
- oversized TCP buffer. This was disclosed in CVE-2020-8618.
- :gl:`#1850`
-
-- It was possible to trigger an INSIST failure when a zone with an
- interior wildcard label was queried in a certain pattern. This was
- disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
-
-Known Issues
-~~~~~~~~~~~~
-
-- In this release, the build system has been significantly changed (see
- below) and there are several unresolved issues to be aware of when
- using a development release. Please refer to :gl:`GitLab issue #4
- <#4>` for a list of not-yet-resolved issues that will be fixed in
- future releases. :gl:`#4`
-
-- BIND crashes on startup when linked against libuv 1.36. This issue
- is related to ``recvmmsg()`` support in libuv, which was first
- included in libuv 1.35. The problem was addressed in libuv 1.37, but
- the relevant libuv code change requires a special flag to be set
- during library initialization in order for ``recvmmsg()`` support to
- be enabled. This BIND release sets that special flag when required,
- so ``recvmmsg()`` support is now enabled when BIND is compiled
- against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not
- usable with BIND. :gl:`#1761` :gl:`#1797`
-
-New Features
-~~~~~~~~~~~~
-
-- The BIND 9 build system has been changed to use a typical
- autoconf+automake+libtool stack. This should not make any difference
- for people building BIND 9 from release tarballs, but when building
- BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run
- first. Extra attention is also needed when using non-standard
- ``./configure`` options. :gl:`#4`
-
-- Documentation was converted from DocBook to reStructuredText. The
- BIND 9 ARM is now generated using Sphinx and published on `Read the
- Docs`_. Release notes are no longer available as a separate document
- accompanying a release. :gl:`#83`
-
-- ``named`` and ``named-checkzone`` now reject master zones that have a
- DS RRset at the zone apex. Attempts to add DS records at the zone
- apex via UPDATE will be logged but otherwise ignored. DS records
- belong in the parent zone, not at the zone apex. :gl:`#1798`
-
-- Per-type record count limits can now be specified in
- ``update-policy`` statements, to limit the number of records of a
- particular type that can be added to a domain name via dynamic
- update. :gl:`#1657`
-
-- ``dig`` and other tools can now print the Extended DNS Error (EDE)
- option when it appears in a request or a response. :gl:`#1835`
-
-- ``dig +qid=<num>`` allows the user to specify a particular query ID
- for testing purposes. :gl:`#1851`
-
-- A new logging category, ``rpz-passthru``, was added, which allows RPZ
- passthru actions to be logged into a separate channel. :gl:`#54`
-
-- Zone timers are now exported via statistics channel. For primary
- zones, only the load time is exported. For secondary zones, exported
- timers also include expire and refresh times. Contributed by Paul
- Frieden, Verizon Media. :gl:`#1232`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The default value of ``max-stale-ttl`` has changed from 1 week to 12
- hours. This option controls how long ``named`` retains expired RRsets
- in cache as a potential mitigation mechanism, should there be a
- problem with one or more domains. Note that cache content retention
- is independent of whether stale answers are used in response to
- client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale
- on|off``). Serving of stale answers when the authoritative servers
- are not responding must be explicitly enabled, whereas the retention
- of expired cache content takes place automatically on all versions of
- BIND 9 that have this feature available. :gl:`#1877`
-
- .. warning::
- This change may be significant for administrators who expect that
- stale cache content will be automatically retained for up to 1
- week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep
- the previous behavior of ``named``.
-
-- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
- relying on system defaults instead. :gl:`#1713`
-
-- The default rwlock implementation has been changed back to the native
- BIND 9 rwlock implementation. :gl:`#1753`
-
-- BIND 9 binaries which are neither daemons nor administrative programs
- were moved to ``$bindir``. Only ``ddns-confgen``, ``named``,
- ``rndc``, ``rndc-confgen``, and ``tsig-confgen`` were left in
- ``$sbindir``. :gl:`#1724`
-
-- ``listen-on-v6 { any; }`` creates a separate socket for each
- interface. Previously, just one socket was created on systems
- conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
- in BIND 9.16.0, but it was accidentally omitted from documentation.
- :gl:`#1782`
-
-- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
- v3.0 and thus made operational again. Contributed by Aaron Thompson.
- :gl:`!3326`
-
-- The OpenSSL ECDSA implementation has been updated to support PKCS#11
- via OpenSSL engine (see engine_pkcs11 from libp11 project).
- :gl:`#1534`
-
-- The OpenSSL EdDSA implementation has been updated to support PKCS#11
- via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
- is required and thus this code is only a proof-of-concept for the
- time being. Contributed by Aaron Thompson. :gl:`#1763`
-
-- Message IDs in inbound AXFR transfers are now checked for
- consistency. Log messages are emitted for streams with inconsistent
- message IDs. :gl:`#1674`
-
-- The question section is now checked when processing AXFR, IXFR,
- and SOA replies while transferring a zone in. :gl:`#1683`
-
-Bug Fixes
-~~~~~~~~~
-
-- When fully updating the NSEC3 chain for a large zone via IXFR, a
- temporary loss of performance could be experienced on the secondary
- server when answering queries for nonexistent data that required
- DNSSEC proof of non-existence (in other words, queries that required
- the server to find and to return NSEC3 data). The unnecessary
- processing step that was causing this delay has now been removed.
- :gl:`#1834`
-
-- ``named`` could crash with an assertion failure if the name of a
- database node was looked up while the database was being modified.
- :gl:`#1857`
-
-- When running on a system with support for Linux capabilities,
- ``named`` drops root privileges very soon after system startup. This
- was causing a spurious log message, ``unable to set effective uid to
- 0: Operation not permitted``, which has now been silenced.
- :gl:`#1042` :gl:`#1090`
-
-- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
- :gl:`#1859`
-
-- Previously, ``named`` did not destroy some mutexes and conditional
- variables in netmgr code, which caused a memory leak on FreeBSD. This
- has been fixed. :gl:`#1893`
-
-- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
- to an assertion failure was fixed. :gl:`#1808`
-
-- Previously, ``provide-ixfr no;`` failed to return up-to-date
- responses when the serial number was greater than or equal to the
- current serial number. :gl:`#1714`
-
-- A bug in dnstap initialization could prevent some dnstap data from
- being logged, especially on recursive resolvers. :gl:`#1795`
-
-- A bug in dnssec-policy keymgr was fixed, where the check for the
- existence of a given key's successor would incorrectly return
- ``true`` if any other key in the keyring had a successor. :gl:`#1845`
-
-- With dnssec-policy, when creating a successor key, the "goal" state
- of the current active key (the predecessor) was not changed and thus
- never removed from the zone. :gl:`#1846`
-
-- When ``named-checkconf -z`` was run, it would sometimes incorrectly
- set its exit code. It reflected the status of the last view found; if
- zone-loading errors were found in earlier configured views but not in
- the last one, the exit code indicated success. Thanks to Graham
- Clinch. :gl:`#1807`
-
-- ``named-checkconf -p`` could include spurious text in
- ``server-addresses`` statements due to an uninitialized DSCP value.
- This has been fixed. :gl:`#1812`
-
-- When built without LMDB support, ``named`` failed to restart after a
- zone with a double quote (") in its name was added with ``rndc
- addzone``. Thanks to Alberto Fernández. :gl:`#1695`
-
-- The ARM has been updated to indicate that the TSIG session key is
- generated when named starts, regardless of whether it is needed.
- :gl:`#1842`
-
-.. _Read the Docs: https://bind9.readthedocs.io/
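Review bot: `.. _Read the Docs: https://bind9.readthedocs.io/` at the end of this file is the target for the `Read the Docs`_ reference in the documentation-conversion entry (:gl:`#83`); carry the target with that bullet if the bullet is kept elsewhere. Four CVE entries (CVE-2020-8616 through CVE-2020-8619) are deleted here, and the ``max-stale-ttl`` default change (1 week to 12 hours) comes with a `.. warning::` telling operators to set `max-stale-ttl 1w;` to keep the old behaviour; if any consolidated note still describes that default, the warning should travel with it. The two Known Issues (the :gl:`#4` build-system caveats and the libuv 1.36 crash) are tied to this development release and can be dropped.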
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.20
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- New finer-grained ``update-policy`` rule types,
- ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
- These rule types restrict updates to SRV and PTR records so that their
- content can only match the machine name embedded in the Kerberos
- principal making the change. :gl:`#481`
-
-- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9
- currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an
- OpenSSL 3.0.0 build which does not retain support for deprecated APIs
- makes it impossible to use PKCS#11 in BIND 9. A replacement for
- engine_pkcs11 which employs the new "provider" approach introduced in
- OpenSSL 3.0.0 is in the making. :gl:`#2843`
-
-- Since the old socket manager API has been removed, "socketmgr"
- statistics are no longer reported by the :ref:`statistics channel
- <statschannels>`. :gl:`#2926`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This
- means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
- the KSK by default. The additional signatures prepared using the ZSK
- when the option is set to ``no`` add to the DNS response payload
- without offering added value. :gl:`#1316`
-
-- The default NSEC3 parameters for ``dnssec-policy`` were updated to no
- extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``).
- :gl:`#2956`
-
-- Internal data structures maintained for each cache database are now
- grown incrementally when they need to be expanded. This helps maintain
- a steady response rate on a loaded resolver while these internal data
- structures are resized. :gl:`#2941`
-
-- The output of ``rndc serve-stale status`` has been clarified. It now
- explicitly reports whether retention of stale data in the cache is
- enabled (``stale-cache-enable``), and whether returning such data in
- responses is enabled (``stale-answer-enable``). :gl:`#2742`
-
-- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls.
- This enables additional validation rules for IDN domains and hostnames
- in ``dig``. :gl:`#1610`
-
-.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
-
-Bug Fixes
-~~~~~~~~~
-
-- Reloading a catalog zone which referenced a missing/deleted member
- zone triggered a runtime check failure, causing ``named`` to exit
- prematurely. This has been fixed. :gl:`#2308`
-
-- Some lame delegations could trigger a dependency loop, in which a
- resolver fetch waited for a name server address lookup which was
- waiting for the same resolver fetch. This could cause a recursive
- lookup to hang until timing out. This situation is now detected and
- prevented. :gl:`#2927`
-
-- Log files using ``timestamp``-style suffixes were not always correctly
- removed when the number of files exceeded the limit set by
- ``versions``. This has been fixed. :gl:`#828`
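Review bot: the Removed Features entry for :gl:`#2843` ends with `A replacement for engine_pkcs11 which employs the new "provider" approach introduced in OpenSSL 3.0.0 is in the making.`, a status statement that was true when 9.17.20 shipped; if the OpenSSL 3.0.0 / PKCS#11 text is reused in a consolidated note, rewrite that sentence to reflect the current state rather than copying it. The `UseSTD3ASCIIRules` entry (:gl:`#1610`) is reverted in the 9.17.21 file below, and the `.. _UseSTD3ASCIIRules:` target is defined identically in both files; when merging, keep at most one copy of the target, or drop both entries, since the net change across the two releases is none.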
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.21
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- The ``allow-transfer`` option was extended to accept additional
- ``port`` and ``transport`` parameters, to further restrict zone
- transfers to a particular port and/or DNS transport protocol.
- :gl:`#2776`
-
-- Extended DNS Error Code 18 - Prohibited (see :rfc:`8194` section
- 4.19) is now set if query access is denied to the specific client.
- :gl:`#1836`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Aggressive Use of DNSSEC-Validated Cache (``synth-from-dnssec``, see
- :rfc:`8198`) is now enabled by default again, after having been
- disabled in BIND 9.14.8. The implementation of this feature was
- reworked to achieve better efficiency and tuned to ignore certain
- types of broken NSEC records. Negative answer synthesis is currently
- only supported for zones using NSEC. :gl:`#1265`
-
-- The `UseSTD3ASCIIRules`_ flag is now disabled again for libidn2
- function calls. Applying additional validation rules for domain names
- in ``dig`` (a change introduced in the previous BIND 9 release) caused
- characters which are disallowed in hostnames (e.g. underscore ``_``,
- wildcard ``*``) to be silently stripped. That change was reverted.
- :gl:`#1610`
-
-- Previously, when an incoming TCP connection could not be accepted
- because the client closed the connection early, an error message of
- ``TCP connection failed: socket is not connected`` was logged. This
- message has been changed to ``Accepting TCP connection failed: socket
- is not connected``. The severity level at which this type of message
- is logged has also been changed from ``error`` to ``info`` for the
- following triggering events: ``socket is not connected``, ``quota
- reached``, and ``soft quota reached``. :gl:`#2700`
-
-- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys.
- :gl:`#853`
-
-.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
-
-Bug Fixes
-~~~~~~~~~
-
-- Removing a configured ``catalog-zone`` clause from the configuration,
- running ``rndc reconfig``, then bringing back the removed
- ``catalog-zone`` clause and running ``rndc reconfig`` again caused
- ``named`` to crash. This has been fixed. :gl:`#1608`
-
-- The resolver could hang on shutdown due to dispatch resources not
- being cleaned up when a TCP connection was reset, or due to dependency
- loops in the ADB or the DNSSEC validator. This has been fixed.
- :gl:`#3026` :gl:`#3040`
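Review bot: the `UseSTD3ASCIIRules` revert here (`That change was reverted. :gl:`#1610``) cancels the 9.17.20 entry above, so a consolidated note covering both releases should omit the pair rather than describe an enable followed by a disable; the duplicate `.. _UseSTD3ASCIIRules:` target goes with it. The ``synth-from-dnssec`` re-enablement (:gl:`#1265`) and the ``allow-transfer`` `port`/`transport` extension (:gl:`#2776`) are behaviour and policy changes that do belong in the replacement notes.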
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.22
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- ``named`` now logs TLS pre-master secrets for debugging purposes when
- the ``SSLKEYLOGFILE`` environment variable is set. This enables
- troubleshooting issues with encrypted DNS traffic. :gl:`#2723`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Overall memory use by ``named`` has been optimized and reduced,
- especially on systems with many CPU cores. :gl:`#2398` :gl:`#3048`
-
-- ``named`` formerly generated an ephemeral key and certificate for the
- ``tls ephemeral`` configuration using the RSA algorithm with 4096-bit
- keys. This has been changed to the ECDSA P-256 algorithm. :gl:`#2264`
-
-Bug Fixes
-~~~~~~~~~
-
-- On FreeBSD, TCP connections leaked a small amount of heap memory,
- leading to an eventual out-of-memory problem. This has been fixed.
- :gl:`#3051`
-
-- If signatures created by the ZSK were expired and the ZSK private key
- was offline, the signatures were not replaced. This behavior has been
- amended to replace the expired signatures with new signatures created
- using the KSK. :gl:`#3049`
-
-- Under certain circumstances, the signed version of an inline-signed
- zone could be dumped to disk without the serial number of the unsigned
- version of the zone. This prevented resynchronization of the zone
- contents after ``named`` restarted, if the unsigned zone file was
- modified while ``named`` was not running. This has been fixed.
- :gl:`#3071`
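Review bot: the ``SSLKEYLOGFILE`` entry (:gl:`#2723`) documents that ``named`` writes TLS pre-master secrets to a file whenever that environment variable is set; this is the one entry in the file that operators of DoT/DoH servers need to see, because the variable can be inherited from a service environment, so keep it in the replacement notes and keep the original's wording that it exists for debugging. The ``tls ephemeral`` change from RSA 4096-bit keys to ECDSA P-256 (:gl:`#2264`) is also worth keeping, since it changes the key type clients will see.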
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.3
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- New ``rndc`` command ``rndc dnssec -status`` shows the current DNSSEC
- policy and keys in use, the key states, and rollover status.
- :gl:`#1612`
-
-- Added support in the network manager for initiating outgoing TCP
- connections. :gl:`#1958`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Disable and disallow static linking of BIND 9 binaries and libraries
- as BIND 9 modules require ``dlopen()`` support and static linking also
- prevents using security features like read-only relocations (RELRO) or
- address space layout randomization (ASLR) which are important for
- programs that interact with the network and process arbitrary user
- input. :gl:`#1933`
-
-- As part of an ongoing effort to use :rfc:`8499` terminology,
- ``primaries`` can now be used as a synonym for ``masters`` in
- ``named.conf``. Similarly, ``notify primary-only`` can now be used as
- a synonym for ``notify master-only``. The output of ``rndc
- zonestatus`` now uses ``primary`` and ``secondary`` terminology.
- :gl:`#1948`
-
-Bug Fixes
-~~~~~~~~~
-
-- A race condition could occur if a TCP socket connection was closed
- while ``named`` was waiting for a recursive response. The attempt to
- send a response over the closing connection triggered an assertion
- failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937`
-
-- A race condition could occur when ``named`` attempted to use a UDP
- interface that was shutting down. This triggered an assertion failure
- in ``uv__udp_finish_close()``. :gl:`#1938`
-
-- Fix assertion failure when server was under load and root zone had not
- yet been loaded. :gl:`#1862`
-
-- ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c``
- that were being reused. :gl:`#1968`
-
-- ``named`` crashed on shutdown when a new ``rndc`` connection was
- received during shutdown. This has been fixed. :gl:`#1747`
-
-- The DS RRset returned by ``dns_keynode_dsset()`` was used in a
- non-thread-safe manner. This could result in an INSIST being
- triggered. :gl:`#1926`
-
-- The ``primary`` and ``secondary`` keywords, when used as parameters
- for ``check-names``, were not processed correctly and were being
- ignored. :gl:`#1949`
-
-- ``rndc dnstap -roll <value>`` did not limit the number of saved files
- to ``<value>``. :gl:`!3728`
-
-- The validator could fail to accept a properly signed RRset if an
- unsupported algorithm appeared earlier in the DNSKEY RRset than a
- supported algorithm. It could also stop if it detected a malformed
- public key. :gl:`#1689`
-
-- The ``blackhole`` ACL was inadvertently disabled for client queries.
- Blocked IP addresses were not used for upstream queries but queries
- from those addresses could still be answered. :gl:`#1936`
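Review bot: the static-linking entry (:gl:`#1933`) is a build-breaking change for downstream packagers and gives the security rationale (RELRO and ASLR require dynamic linking); keep it in any consolidated note. The ``blackhole`` ACL fix (:gl:`#1936`) records a period in which blocked addresses could still receive answers, which is worth keeping so operators auditing older deployments know which versions were affected. `:gl:`!3728`` is a merge-request reference rather than an issue number and should stay as written rather than being normalised to the `#` form.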
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.4
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- It was possible to trigger an assertion failure by sending a specially
- crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
-
- ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
- bringing this vulnerability to our attention. :gl:`#1996`
-
-- ``named`` could crash after failing an assertion check in certain
- query resolution scenarios where QNAME minimization and forwarding
- were both enabled. To prevent such crashes, QNAME minimization is now
- always disabled for a given query resolution process, if forwarders
- are used at any point. This was disclosed in CVE-2020-8621.
-
- ISC would like to thank Joseph Gullo for bringing this vulnerability
- to our attention. :gl:`#1997`
-
-- It was possible to trigger an assertion failure when verifying the
- response to a TSIG-signed request. This was disclosed in
- CVE-2020-8622.
-
- ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
- of Oracle for bringing this vulnerability to our attention.
- :gl:`#2028`
-
-- When BIND 9 was compiled with native PKCS#11 support, it was possible
- to trigger an assertion failure in code determining the number of bits
- in the PKCS#11 RSA public key with a specially crafted packet. This
- was disclosed in CVE-2020-8623.
-
- ISC would like to thank Lyu Chiy for bringing this vulnerability to
- our attention. :gl:`#2037`
-
-- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
- as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
- to update names outside of the specified subdomains. The problem was
- fixed by making sure ``subdomain`` rules are again processed as
- described in the ARM. This was disclosed in CVE-2020-8624.
-
- ISC would like to thank Joop Boonen of credativ GmbH for bringing this
- vulnerability to our attention. :gl:`#2055`
-
-New Features
-~~~~~~~~~~~~
-
-- A new configuration option ``stale-cache-enable`` has been introduced
- to enable or disable keeping stale answers in cache. :gl:`#1712`
-
-- ``rndc`` has been updated to use the new BIND network manager API.
- This change had the side effect of altering the TCP timeout for RNDC
- connections from 60 seconds to the ``tcp-idle-timeout`` value, which
- defaults to 30 seconds. Also, because the network manager currently
- has no support for UNIX-domain sockets, those cannot now be used
- with ``rndc``. This will be addressed in a future release, either by
- restoring UNIX-domain socket support or by formally declaring them
- to be obsolete in the control channel. :gl:`#1759`
-
-- Statistics channels have also been updated to use the new BIND network
- manager API. :gl:`#2022`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- BIND's cache database implementation has been updated to use a faster
- hash function with better distribution. In addition, the effective
- ``max-cache-size`` (configured explicitly, defaulting to a value based
- on system memory or set to ``unlimited``) now pre-allocates fixed-size
- hash tables. This prevents interruption to query resolution when the
- hash table sizes need to be increased. :gl:`#1775`
-
-- Keeping stale answers in cache has been disabled by default.
- :gl:`#1712`
-
-- Resource records received with 0 TTL are no longer kept in the cache
- to be used for stale answers. :gl:`#1829`
-
-Bug Fixes
-~~~~~~~~~
-
-- Wildcard RPZ passthru rules could incorrectly be overridden by other
- rules that were loaded from RPZ zones which appeared later in the
- ``response-policy`` statement. This has been fixed. :gl:`#1619`
-
-- The IPv6 Duplicate Address Detection (DAD) mechanism could
- inadvertently prevent ``named`` from binding to new IPv6 interfaces,
- by causing multiple route socket messages to be sent for each IPv6
- address. ``named`` monitors for new interfaces to ``bind()`` to when
- it is configured to listen on ``any`` or on a specific range of
- addresses. New IPv6 interfaces can be in a "tentative" state before
- they are fully available for use. When DAD is in use, two messages are
- emitted by the route socket: one when the interface first appears and
- then a second one when it is fully "up." An attempt by ``named`` to
- ``bind()`` to the new interface prematurely would fail, causing it
- thereafter to ignore that address/interface. The problem was worked
- around by setting the ``IP_FREEBIND`` option on the socket and trying
- to ``bind()`` to each IPv6 address again if the first ``bind()`` call
- for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038`
-
-- Addressed an error in recursive clients stats reporting which could
- cause underflow, and even negative statistics. There were occasions
- when an incoming query could trigger a prefetch for some eligible
- RRset, and if the prefetch code were executed before recursion, no
- increment in recursive clients stats would take place. Conversely,
- when processing the answers, if the recursion code were executed
- before the prefetch, the same counter would be decremented without a
- matching increment. :gl:`#1719`
-
-- The introduction of KASP support inadvertently caused the second field
- of ``sig-validity-interval`` to always be calculated in hours, even in
- cases when it should have been calculated in days. This has been
- fixed. (Thanks to Tony Finch.) :gl:`!3735`
-
-- LMDB locking code was revised to make ``rndc reconfig`` work properly
- on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976`
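Review bot: this hunk deletes the Security Fixes section recording CVE-2020-8620 through CVE-2020-8624 (:gl:`#1996`, :gl:`#1997`, :gl:`#2028`, :gl:`#2037`, :gl:`#2055`), and nothing in the added notes-9.18.0.rst mentions them; operators search release notes by CVE identifier, so please confirm the 9.16 branch notes carry these, or keep a short pointer. Also, the ``rndc`` network manager entry here (:gl:`#1759`) documents the RNDC TCP timeout changing from 60 seconds to the ``tcp-idle-timeout`` value (default 30 seconds), but the corresponding Known Issues entry in the 9.18.0 notes keeps only the UNIX-domain socket limitation; the timeout change should be carried over as well.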
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.5
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to
- ``named`` that a DS record for a given zone or key has been published
- or withdrawn from the parent. This command replaces the time-based
- ``parent-registration-delay`` configuration option. :gl:`#1613`
-
-- Log when ``named`` adds a CDS/CDNSKEY to the zone. :gl:`#1748`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The ``--with-gperftools-profiler`` ``configure`` option was removed.
- To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro
- now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to
- be present in ``LDFLAGS``. :gl:`!4045`
-
-- The ``glue-cache`` *option* has been marked as deprecated. The glue
- cache *feature* still works and will be permanently *enabled* in a
- future release. :gl:`#2146`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Previously, using ``dig +bufsize=0`` had the side effect of disabling
- EDNS, and there was no way to test the remote server's behavior when
- it had received a packet with EDNS0 buffer size set to 0. This is no
- longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS
- version 0 and buffer size set to 0. To disable EDNS, use ``dig
- +noedns``. :gl:`#2054`
-
-Bug Fixes
-~~~~~~~~~
-
-- In rare circumstances, ``named`` would exit with an assertion failure
- when the number of nodes stored in the red-black tree exceeded the
- maximum allowed size of the internal hash table. :gl:`#2104`
-
-- Silence spurious system log messages for an EPROTO(71) error code that
- was seen on older operating systems, where unhandled ICMPv6 errors
- resulted in a generic protocol error being returned instead of a more
- specific error code. :gl:`#1928`
-
-- With query name minimization enabled, ``named`` failed to resolve
- ``ip6.arpa.`` names that had extra labels to the left of the IPv6
- part. For example, when ``named`` attempted query name minimization on
- a name like ``A.B.1.2.3.4.(...).ip6.arpa.``, it stopped at the
- leftmost IPv6 label, i.e. ``1.2.3.4.(...).ip6.arpa.``, without
- considering the extra labels (``A.B``). That caused a query loop when
- resolving the name: if ``named`` received NXDOMAIN answers, then the
- same query was repeatedly sent until the number of queries sent
- reached the value of the ``max-recursion-queries`` configuration
- option. :gl:`#1847`
-
-- Parsing of LOC records was made more strict by rejecting a sole period
- (``.``) and/or ``m`` as a value. These changes prevent zone files
- using such values from being loaded. Handling of negative altitudes
- which are not integers was also corrected. :gl:`#2074`
-
-- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are
- security issues.) :gl:`!3953` :gl:`!3975`
-
-.. _OSS-Fuzz: https://github.com/google/oss-fuzz
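Review bot: the stricter LOC record parsing in this hunk (:gl:`#2074`) is a load-time behaviour change (zone files using a bare ``.`` or ``m`` as a value are now rejected), and the ``max-recursion-queries``-bounded query loop on ``ip6.arpa`` names with extra leading labels under QNAME minimization (:gl:`#1847`) is a fix an operator upgrading straight from 9.16 would look for; please confirm both appear in the 9.16 notes, since the added 9.18.0 notes list only changes since 9.16.25 and their visible portion mentions neither.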
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.6
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Add a new ``rndc`` command, ``rndc dnssec -rollover``, which triggers
- a manual rollover for a specific key. :gl:`#1749`
-
-- Add a new ``rndc`` command, ``rndc dumpdb -expired``, which dumps the
- cache database, including expired RRsets that are awaiting cleanup, to
- the ``dump-file`` for diagnostic purposes. :gl:`#1870`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The ``glue-cache`` *option* has been marked as deprecated. The glue
- cache *feature* still works and will be permanently *enabled* in a
- future release. :gl:`#2146`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- DNS Flag Day 2020: The default EDNS buffer size has been changed from
- 4096 to 1232 bytes, the EDNS buffer size probing has been removed, and
- ``named`` now sets the DF (Don't Fragment) flag on outgoing UDP
- packets. According to measurements done by multiple parties, this
- should not cause any operational problems as most of the Internet
- "core" is able to cope with IP message sizes between 1400-1500 bytes;
- the 1232 size was picked as a conservative minimal number that could
- be changed by the DNS operator to an estimated path MTU minus the
- estimated header space. In practice, the smallest MTU witnessed in the
- operational DNS community is 1500 octets, the maximum Ethernet payload
- size, so a useful default for maximum DNS/UDP payload size on reliable
- networks would be 1432 bytes. :gl:`#2183`
-
-Bug Fixes
-~~~~~~~~~
-
-- ``named`` reported an invalid memory size when running in an
- environment that did not properly report the number of available
- memory pages and/or the size of each memory page. :gl:`#2166`
-
-- With multiple forwarders configured, ``named`` could fail the
- ``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``,
- causing it to crash. This has been fixed. :gl:`#2124`
-
-- ``named`` erroneously performed continuous key rollovers for KASP
- policies that used algorithm Ed25519 or Ed448 due to a mismatch
- between created key size and expected key size. :gl:`#2171`
-
-- Updating contents of an RPZ zone which contained names spelled using
- varying letter case could cause some processing rules in that RPZ zone
- to be erroneously ignored. :gl:`#2169`
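Review bot: the DNS Flag Day 2020 entry in this hunk (:gl:`#2183`) records three changes: the default EDNS buffer size dropping from 4096 to 1232 bytes, the removal of buffer size probing, and ``named`` setting the DF flag on outgoing UDP packets. The replacement entry in the 9.18.0 Feature Changes keeps only the probing removal and says the resolver always uses ``edns-udp-size``; the new default value and the DF-flag behaviour should be stated there too, as both affect fragmentation and path-MTU handling on upgrade. The continuous Ed25519/Ed448 key rollover fix (:gl:`#2171`) likewise needs confirming as shipped in 9.16.x.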
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.7
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Support for DNS over TLS (DoT) has been added: the ``dig`` tool is now
- able to send DoT queries (``+tls`` option) and ``named`` can handle
- DoT queries (``listen-on tls ...`` option). ``named`` can use either a
- certificate provided by the user or an ephemeral certificate generated
- automatically upon startup. :gl:`#1840`
-
-- A new configuration option, ``stale-refresh-time``, has been
- introduced. It allows a stale RRset to be served directly from cache
- for a period of time after a failed lookup, before a new attempt to
- refresh it is made. :gl:`#2066`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The ``dig``, ``host``, and ``nslookup`` tools have been converted to
- use the new network manager API rather than the older ISC socket API.
-
- As a side effect of this change, the ``dig +unexpected`` option no
- longer works. This could previously be used to diagnose broken servers
- or network configurations by listening for replies from servers other
- than the one that was queried. With the new API, such answers are
- filtered before they ever reach ``dig``, so the option has been
- removed. :gl:`#2140`
-
-- The network manager API is now used by ``named`` to send zone transfer
- requests. :gl:`#2016`
-
-Bug Fixes
-~~~~~~~~~
-
-- ``named`` could crash with an assertion failure if a TCP connection
- were closed while a request was still being processed. :gl:`#2227`
-
-- ``named`` acting as a resolver could incorrectly treat signed zones
- with no DS record at the parent as bogus. Such zones should be treated
- as insecure. This has been fixed. :gl:`#2236`
-
-- After a Negative Trust Anchor (NTA) is added, BIND performs periodic
- checks to see if it is still necessary. If BIND encountered a failure
- while creating a query to perform such a check, it attempted to
- dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244`
-
-- A problem obtaining glue records could prevent a stub zone from
- functioning properly, if the authoritative server for the zone were
- configured for minimal responses. :gl:`#1736`
-
-- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a
- ``TCP6RecvErr``. :gl:`#2208`
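Review bot: the ``stale-refresh-time`` option introduced in this hunk (:gl:`#2066`) is absent from the New Features list of the added 9.18.0 notes, even though the related ``stale-cache-enable`` default change (:gl:`#1712`) is carried into Feature Changes; please check it is covered in the 9.16 notes or add it. The ``dig +unexpected`` removal (:gl:`#2140`) is carried over correctly, but its 9.18.0 counterpart drops the explanation that the network manager filters replies from servers other than the one queried before they reach ``dig``, which is the reason the option cannot be kept; consider retaining that sentence.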
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.8
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- NSEC3 support was added to KASP. A new option for ``dnssec-policy``,
- ``nsec3param``, can be used to set the desired NSEC3 parameters.
- NSEC3 salt collisions are automatically prevented during resalting.
- :gl:`#1620`
-
-- ``dig`` output now includes the transport protocol used (UDP, TCP, or
- TLS). :gl:`#1816`
-
-- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``).
- This is useful when the host on which ``dig`` is run is behind an
- IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
- Service). :gl:`#1154`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The new networking code introduced in BIND 9.16 (netmgr) was
- overhauled in order to make it more stable, testable, and
- maintainable. :gl:`#2321`
-
-- Earlier releases of BIND versions 9.16 and newer required the
- operating system to support load-balanced sockets in order for
- ``named`` to be able to achieve high performance (by distributing
- incoming queries among multiple threads). However, the only operating
- systems currently known to support load-balanced sockets are Linux and
- FreeBSD 12, which means both UDP and TCP performance were limited to a
- single thread on other systems. As of BIND 9.17.8, ``named`` attempts
- to distribute incoming queries among multiple threads on systems which
- lack support for load-balanced sockets (except Windows). :gl:`#2137`
-
-- The default value of ``max-recursion-queries`` was increased from 75
- to 100. Since the queries sent towards root and TLD servers are now
- included in the count (as a result of the fix for CVE-2020-8616),
- ``max-recursion-queries`` has a higher chance of being exceeded by
- non-attack queries, which is the main reason for increasing its
- default value. :gl:`#2305`
-
-- The default value of ``nocookie-udp-size`` was restored back to 4096
- bytes. Since ``max-udp-size`` is the upper bound for
- ``nocookie-udp-size``, this change relieves the operator from having
- to change ``nocookie-udp-size`` together with ``max-udp-size`` in
- order to increase the default EDNS buffer size limit.
- ``nocookie-udp-size`` can still be set to a value lower than
- ``max-udp-size``, if desired. :gl:`#2250`
-
-Bug Fixes
-~~~~~~~~~
-
-- Handling of missing DNS COOKIE responses over UDP was tightened by
- falling back to TCP. :gl:`#2275`
-
-- The CNAME synthesized from a DNAME was incorrectly followed when the
- QTYPE was CNAME or ANY. :gl:`#2280`
-
-- Building with native PKCS#11 support for AEP Keyper has been broken
- since BIND 9.17.4. This has been fixed. :gl:`#2315`
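Review bot: two default changes in this hunk, ``max-recursion-queries`` raised from 75 to 100 because root and TLD queries are counted after the CVE-2020-8616 fix (:gl:`#2305`), and ``nocookie-udp-size`` restored to 4096 bytes (:gl:`#2250`), are tuning knobs with security implications and do not appear in the visible 9.18.0 Feature Changes; please confirm they are documented on the 9.16 branch. The PKCS#11 build fix for AEP Keyper (:gl:`#2315`) can be dropped safely, since the 9.18.0 notes remove native PKCS#11 support altogether (:gl:`#2691`).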
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.17.9
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- It is now possible to transition a zone from secure to insecure mode
- without making it bogus in the process; changing to ``dnssec-policy
- none;`` also causes CDS and CDNSKEY DELETE records to be published, to
- signal that the entire DS RRset at the parent must be removed, as
- described in :rfc:`8078`. :gl:`#1750`
-
-- When using the ``unixtime`` or ``date`` method to update the SOA
- serial number, ``named`` and ``dnssec-signzone`` silently fell back to
- the ``increment`` method to prevent the new serial number from being
- smaller than the old serial number (using serial number arithmetics).
- ``dnssec-signzone`` now prints a warning message, and ``named`` logs a
- warning, when such a fallback happens. :gl:`#2058`
-
-Bug Fixes
-~~~~~~~~~
-
-- Multiple threads could attempt to destroy a single RBTDB instance at
- the same time, resulting in an unpredictable but low-probability
- assertion failure in ``free_rbtdb()``. This has been fixed. :gl:`#2317`
-
-- ``named`` no longer attempts to assign threads to CPUs outside the CPU
- affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245`
-
-- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
- off DNSSEC maintenance. This has been fixed. :gl:`#2341`
-
-- The report of intermittent BIND assertion failures triggered in
- ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
- without further action. Our initial response to this was to add
- diagnostic logging instead of terminating ``named``, anticipating that
- we would receive further useful troubleshooting input. This workaround
- first appeared in BIND releases 9.17.5 and 9.16.7. However, since
- those releases were published, there have been no new reports of
- assertion failures matching this issue, but also no further diagnostic
- input, so we have closed the issue. :gl:`#2091`
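Review bot: the secure-to-insecure transition via ``dnssec-policy none;`` publishing CDS/CDNSKEY DELETE records per RFC 8078 (:gl:`#1750`) and the logged fallback to the ``increment`` serial method for ``unixtime``/``date`` (:gl:`#2058`) are operator-visible behaviour changes missing from the visible part of the added 9.18.0 notes, while ``ipv4only.arpa`` (:gl:`#385`) from this same file is carried over; please apply the same check to these two. The closure note for :gl:`#2091` can go, as it records no behaviour change beyond the 9.17.5/9.16.7 workaround it already references.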
--- /dev/null
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.0
+---------------------
+
+.. note:: This section only lists changes since BIND 9.16.25, the most
+ recent release on the previous stable branch of BIND before
+ the publication of BIND 9.18.0.
+
+Known Issues
+~~~~~~~~~~~~
+
+- ``rndc`` has been updated to use the new BIND network manager API. As
+ the network manager currently has no support for UNIX-domain sockets,
+ those cannot now be used with ``rndc``. This will be addressed in a
+ future release, either by restoring UNIX-domain socket support or by
+ formally declaring them to be obsolete in the control channel.
+ :gl:`#1759`
+
+New Features
+~~~~~~~~~~~~
+
+- ``named`` now supports securing DNS traffic using Transport Layer
+ Security (TLS). TLS is used by both DNS over TLS (DoT) and
+ DNS over HTTPS (DoH).
+
+ ``named`` can use either a certificate provided by the user or an
+ ephemeral certificate generated automatically upon startup. The
+ :ref:`tls statement <tls>` allows fine-grained control over TLS
+ parameters. :gl:`#1840` :gl:`#2795` :gl:`#2796`
+
+ For debugging purposes, ``named`` logs TLS pre-master secrets when the
+ ``SSLKEYLOGFILE`` environment variable is set. This enables
+ troubleshooting of issues with encrypted traffic. :gl:`#2723`
+
+- Support for DNS over TLS (DoT) has been added to ``named``. Network
+ interfaces for DoT are configured using the existing
+ :ref:`listen-on <interfaces>` directive, while TLS parameters are
+ configured using the new :ref:`tls statement <tls>`. :gl:`#1840`
+
+ ``named`` supports :rfc:`zone transfers over TLS <9103>`
+ (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.
+
+ Incoming zone transfers over TLS are enabled by adding the ``tls``
+ keyword, followed by either the name of a previously configured
+ :ref:`tls statement <tls>` or the string ``ephemeral``, to the
+ addresses included in :ref:`primaries <primaries_grammar>` lists.
+ :gl:`#2392`
+
+ Similarly, the :ref:`allow-transfer <allow-transfer-access>` option
+ was extended to accept additional ``port`` and ``transport``
+ parameters, to further restrict outgoing zone transfers to a
+ particular port and/or DNS transport protocol. :gl:`#2776`
+
+ Note that zone transfers over TLS (XoT) require the ``dot``
+ Application-Layer Protocol Negotiation (ALPN) token to be selected in
+ the TLS handshake, as required by :rfc:`9103` section 7.1. This might
+ cause issues with non-compliant XoT servers. :gl:`#2794`
+
+ The ``dig`` tool is now able to send DoT queries (``+tls`` option).
+ :gl:`#1840`
+
+ There is currently no support for forwarding DNS queries via DoT.
+
+- Support for DNS over HTTPS (DoH) has been added to ``named``. Both
+ TLS-encrypted and unencrypted connections are supported (the latter
+ may be used to offload encryption to other software). Network
+ interfaces for DoH are configured using the existing
+ :ref:`listen-on <interfaces>` directive, while TLS parameters are
+ configured using the new :ref:`tls statement <tls>` and HTTP
+ parameters are configured using the new :ref:`http statement <http>`.
+ :gl:`#1144` :gl:`#2472`
+
+ Server-side quotas on both the number of concurrent DoH connections
+ and the number of active HTTP/2 streams per connection can be
+ configured using the global ``http-listener-clients`` and
+ ``http-streams-per-connection`` options, or the ``listener-clients``
+ and ``streams-per-connection`` parameters in an
+ :ref:`http statement <http>`. :gl:`#2809`
+
+ The ``dig`` tool is now able to send DoH queries (``+https`` option).
+ :gl:`#1641`
+
+ There is currently no support for forwarding DNS queries via DoH.
+
+ DoH support can be disabled at compile time using a new build-time
+ option, ``--disable-doh``. This allows BIND 9 to be built without the
+ `libnghttp2`_ library. :gl:`#2478`
+
+- A new logging category, ``rpz-passthru``, was added, which allows RPZ
+ passthru actions to be logged into a separate channel. :gl:`#54`
+
+- A new option, ``nsdname-wait-recurse``, has been added to the
+ ``response-policy`` clause in the configuration file. When set to
+ ``no``, RPZ NSDNAME rules are only applied if the authoritative
+ nameservers for the query name have been looked up and are present in
+ the cache. If this information is not present, the RPZ NSDNAME rules
+ are ignored, but the information is looked up in the background and
+ applied to subsequent queries. The default is ``yes``, meaning that
+ RPZ NSDNAME rules should always be applied, even if the information
+ needs to be looked up first. :gl:`#1138`
+
+- Support for HTTPS and SVCB record types now also includes ADDITIONAL
+ section processing for these record types. :gl:`#1132`
+
+- New configuration options, ``tcp-receive-buffer``,
+ ``tcp-send-buffer``, ``udp-receive-buffer``, and ``udp-send-buffer``,
+ have been added. These options allow the operator to fine-tune the
+ receiving and sending buffers in the operating system. On busy
+ servers, increasing the size of the receive buffers can prevent the
+ server from dropping packets during short traffic spikes, and
+ decreasing it can prevent the server from becoming clogged with
+ queries that are too old and have already timed out. :gl:`#2313`
+
+- New finer-grained ``update-policy`` rule types,
+ ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
+ These rule types restrict updates to SRV and PTR records so that their
+ content can only match the machine name embedded in the Kerberos
+ principal making the change. :gl:`#481`
+
+- Per-type record count limits can now be specified in ``update-policy``
+ statements, to limit the number of records of a particular type that
+ can be added to a domain name via dynamic update. :gl:`#1657`
+
+- Support for OpenSSL 3.0 APIs was added. :gl:`#2843` :gl:`#3057`
+
+- Extended DNS Error Code 18 - Prohibited (see :rfc:`8914` section
+ 4.19) is now set if query access is denied to the specific client.
+ :gl:`#1836`
+
+- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385`
+
+- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``).
+ This is useful when the host on which ``dig`` is run is behind an
+ IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
+ Service). :gl:`#1154`
+
+- ``dig`` output now includes the transport protocol used (UDP, TCP,
+ TLS, HTTPS). :gl:`#1144` :gl:`#1816`
+
+- ``dig +qid=<num>`` allows the user to specify a particular query ID
+ for testing purposes. :gl:`#1851`
+
+.. _libnghttp2: https://nghttp2.org/
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for the ``map`` zone file format (``masterfile-format map;``)
+ has been removed. Users relying on the ``map`` format are advised to
+ convert their zones to the ``raw`` format with ``named-compilezone``
+ and change the configuration appropriately prior to upgrading BIND 9.
+ :gl:`#2882`
+
+- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
+ enabled in ``named`` at build time have been removed. New-style DLZ
+ modules should be used as a replacement. :gl:`#2814`
+
+- Support for compiling and running BIND 9 natively on Windows has been
+ completely removed. The last stable release branch that has working
+ Windows support is BIND 9.16. :gl:`#2690`
+
+- Native PKCS#11 support has been removed. :gl:`#2691`
+
+ When built against OpenSSL 1.x, BIND 9 now
+ :ref:`uses engine_pkcs11 for PKCS#11 <pkcs11>`. engine_pkcs11 is an
+ OpenSSL engine which is part of the `OpenSC`_ project.
+
+ As support for so-called "engines" was deprecated in OpenSSL 3.x,
+ compiling BIND 9 against an OpenSSL 3.x build which does not retain
+ support for deprecated APIs makes it impossible to use PKCS#11 in BIND
+ 9. A replacement for engine_pkcs11 which employs the new "provider"
+ approach introduced in OpenSSL 3.x is in the making. :gl:`#2843`
+
+- Since the old socket manager API has been removed, "socketmgr"
+ statistics are no longer reported by the
+ :ref:`statistics channel <statschannels>`. :gl:`#2926`
+
+- The ``glue-cache`` *option* has been marked as deprecated. The glue
+ cache *feature* still works and will be permanently *enabled* in a
+ future release. :gl:`#2146`
+
+- A number of non-working configuration options that had been marked as
+ obsolete in previous releases have now been removed completely. Using
+ any of the following options is now considered a configuration
+ failure: ``acache-cleaning-interval``, ``acache-enable``,
+ ``additional-from-auth``, ``additional-from-cache``,
+ ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``,
+ ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``,
+ ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
+ ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
+ ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
+ ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086`
+
+- The ``dig`` option ``+unexpected`` has been removed. :gl:`#2140`
+
+- IPv6 sockets are now explicitly restricted to sending and receiving
+ IPv6 packets only. As this breaks the ``+mapped`` option for ``dig``,
+ the option has been removed. :gl:`#3093`
+
+- Disable and disallow static linking of BIND 9 binaries and libraries
+ as BIND 9 modules require ``dlopen()`` support and static linking also
+ prevents using security features like read-only relocations (RELRO) or
+ address space layout randomization (ASLR) which are important for
+ programs that interact with the network and process arbitrary user
+ input. :gl:`#1933`
+
+- The ``--with-gperftools-profiler`` ``configure`` option was removed.
+ To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro
+ now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to
+ be present in ``LDFLAGS``. :gl:`!4045`
+
+.. _OpenSC: https://github.com/OpenSC/libp11
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Aggressive Use of DNSSEC-Validated Cache (``synth-from-dnssec``, see
+ :rfc:`8198`) is now enabled by default again, after having been
+ disabled in BIND 9.14.8. The implementation of this feature was
+ reworked to achieve better efficiency and tuned to ignore certain
+ types of broken NSEC records. Negative answer synthesis is currently
+ only supported for zones using NSEC. :gl:`#1265`
+
+- The default NSEC3 parameters for ``dnssec-policy`` were updated to no
+ extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). This
+ change is in line with the `latest NSEC3 recommendations`_.
+ :gl:`#2956`
+
+- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This
+ means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
+ the KSK by default. The additional signatures prepared using the ZSK
+ when the option is set to ``no`` add to the DNS response payload
+ without offering added value. :gl:`#1316`
+
+- ``dnssec-cds`` now only generates SHA-2 DS records by default and
+ avoids copying deprecated SHA-1 records from a child zone to its
+ delegation in the parent. If the child zone does not publish SHA-2 CDS
+ records, ``dnssec-cds`` will generate them from the CDNSKEY records.
+ The ``-a algorithm`` option now affects the process of generating DS
+ digest records from both CDS and CDNSKEY records. Thanks to Tony
+ Finch. :gl:`#2871`
+
+- Previously, ``named`` accepted FORMERR responses both with and without
+ an OPT record, as an indication that a given server did not support
+ EDNS. To implement full compliance with :rfc:`6891`, only FORMERR
+ responses without an OPT record are now accepted. This intentionally
+ breaks communication with servers that do not support EDNS and that
+ incorrectly echo back the query message with the RCODE field set to
+ FORMERR and the QR bit set to 1. :gl:`#2249`
+
+- The question section is now checked when processing AXFR, IXFR, and
+ SOA replies while transferring a zone in. :gl:`#1683`
+
+- DNS Flag Day 2020: the EDNS buffer size probing code, which made the
+ resolver adjust the EDNS buffer size used for outgoing queries based
+ on the successful query responses and timeouts observed, was removed.
+ The resolver now always uses the EDNS buffer size set in
+ ``edns-udp-size`` for all outgoing queries. :gl:`#2183`
+
+- Keeping stale answers in cache (``stale-cache-enable``) has been
+ disabled by default. :gl:`#1712`
+
+- Overall memory use by ``named`` has been optimized and significantly
+ reduced, especially for resolver workloads. :gl:`#2398` :gl:`#3048`
+
+- Memory allocation is now based on the memory allocation API provided
+ by the `jemalloc`_ library, on platforms where it is available. Use of
+ this library is now recommended when building BIND 9; although it is
+ optional, it is enabled by default. :gl:`#2433`
+
+- Internal data structures maintained for each cache database are now
+ grown incrementally when they need to be expanded. This helps maintain
+ a steady response rate on a loaded resolver while these internal data
+ structures are resized. :gl:`#2941`
+
+- The interface handling code has been refactored to use fewer
+ resources, which should lead to less memory fragmentation and better
+ startup performance. :gl:`#2433`
+
+- When reporting zone types in the statistics channel, the terms
+ ``primary`` and ``secondary`` are now used instead of ``master`` and
+ ``slave``, respectively. :gl:`#1944`
+
+- The ``rndc nta -dump`` and ``rndc secroots`` commands now both include
+ ``validate-except`` entries when listing negative trust anchors. These
+ are indicated by the keyword ``permanent`` in place of the expiry
+ date. :gl:`#1532`
+
+- The output of ``rndc serve-stale status`` has been clarified. It now
+ explicitly reports whether retention of stale data in the cache is
+ enabled (``stale-cache-enable``), and whether returning such data in
+ responses is enabled (``stale-answer-enable``). :gl:`#2742`
+
+- Previously, using ``dig +bufsize=0`` had the side effect of disabling
+ EDNS, and there was no way to test the remote server's behavior when
+ it had received a packet with EDNS0 buffer size set to 0. This is no
+ longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS
+ version 0 and buffer size set to 0. To disable EDNS, use ``dig
+ +noedns``. :gl:`#2054`
+
+- BIND 9 binaries which are neither daemons nor administrative programs
+ were moved to ``$bindir``. Only ``ddns-confgen``, ``named``, ``rndc``,
+ ``rndc-confgen``, and ``tsig-confgen`` were left in ``$sbindir``.
+ :gl:`#1724`
+
+- The BIND 9 build system has been changed to use a typical
+ autoconf+automake+libtool stack. This should not make any difference
+ for people building BIND 9 from release tarballs, but when building
+ BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run
+ first. Extra attention is also needed when using non-standard
+ ``configure`` options. :gl:`#4`
+
+.. _latest NSEC3 recommendations: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-02
+
+.. _jemalloc: http://jemalloc.net/
+
+Bug Fixes
+~~~~~~~~~
+
+- Log files using ``timestamp``-style suffixes were not always correctly
+ removed when the number of files exceeded the limit set by
+ ``versions``. This has been fixed. :gl:`#828`
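Review bot: the ``latest NSEC3 recommendations`` target near the end of the "Feature Changes" list pins a specific draft revision (``draft-ietf-dnsop-nsec3-guidance-02``), so the link will point at a superseded document as soon as the draft is revised or published; link the unversioned datatracker URL (``https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance``) instead, since the text itself claims to follow the "latest" guidance. Two smaller points in the same list: the jemalloc item and the interface-handling refactor item both cite :gl:`#2433`, which looks like a copy-paste, so please confirm the second reference; and the jemalloc item reads as self-contradictory ("recommended ... although it is optional, it is enabled by default"), which would be clearer as "jemalloc is enabled by default when available and its use is recommended, but the build can be configured without it". The ``jemalloc`` target could also use ``https://`` rather than ``http://``.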