Feature Changes
~~~~~~~~~~~~~~~
-- The GSSAPI no longer uses the ISC implementation of the SPNEGO
- mechanism and instead relies on the SPNEGO implementation from the
- system Kerberos library. All major Kerberos libraries contain the SPNEGO
- mechanism implementation. [GL #2607]
+- The ISC implementation of SPNEGO was removed from BIND 9 source code.
+ Instead, BIND 9 now always uses the SPNEGO implementation provided by
+ the system GSSAPI library when it is built with GSSAPI support. All
+ major contemporary Kerberos/GSSAPI libraries contain an implementation
+ of the SPNEGO mechanism. [GL #2607]
- The default value for the ``stale-answer-client-timeout`` option was
changed from ``1800`` (ms) to ``off``. The default value may be
Bug Fixes
~~~~~~~~~
-- Previously, a memory leak could occur when ``named`` failed to bind a UDP
- socket to a network interface, caused by an interface shutdown routine that
- was missing in the error handling block. This has been fixed. [GL #2575]
+- Previously, a memory leak could occur when ``named`` failed to bind a
+ UDP socket to a network interface. This has been fixed. [GL #2575]
-- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``,
- ``named`` now updates the keys immediately, avoiding unnecessary rollover
- delays. [#2488]
+- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
+ ``named`` now immediately attempts to reconfigure zone keys. This
+ change prevents unnecessary key rollover delays. [GL #2488]
-- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
- This has been fixed. [GL #2523]
+- Zones using KASP could not be thawed after they were frozen using
+ ``rndc freeze``. This has been fixed. [GL #2523]
-- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from
- secure to insecure. "named-checkzone" no longer complains if such records
- exist in an unsigned zone. [GL #2517]
+- CDS/CDNSKEY DELETE records are now removed when a zone transitions
+ from a secure to an insecure state. ``named-checkzone`` also no longer
+ reports an error when such records are found in an unsigned zone.
+ [GL #2517]
-- It was discovered that the TCP idle and initial timeouts were incorrectly
- applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout``
- was applied on the whole connection, even if the connection were still active,
- which could cause a large zone transfer to be sent back to the client. The
- default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that
- any TCP connection taking more than 30 seconds was abruptly terminated. This
- has been fixed. [GL #2573]
+- TCP idle and initial timeouts were being incorrectly applied: only the
+ ``tcp-initial-timeout`` was applied on the whole connection, even if
+ the connection were still active, which could prevent a large zone
+ transfer from being sent back to the client. The default setting for
+ ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
+ connection taking more than 30 seconds was abruptly terminated. This
+ has been fixed. [GL #2583]
- When ``stale-answer-client-timeout`` was set to a positive value and
- recursion for a client query completed when ``named`` was about to look for
- a stale answer, an assertion could fail in ``query_respond()``, resulting in
- a crash. This has been fixed. [GL #2594]
-
-- After upgrading to the previous release, journal files for trust anchor
- databases (e.g., ``managed-keys.bind.jnl``) could be left in a corrupt
- state. (Other zone journal files were not affected.) This has been
- fixed. If a corrupt journal file is detected, ``named`` can now recover
- from it. [GL #2600]
+ recursion for a client query completed when ``named`` was about to
+ look for a stale answer, an assertion could fail in
+ ``query_respond()``, resulting in a crash. This has been fixed.
+ [GL #2594]
+
+- After upgrading to the previous release, journal files for trust
+ anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a
+ corrupt state. (Other zone journal files were not affected.) This has
+ been fixed. If a corrupt journal file is detected, ``named`` can now
+ recover from it. [GL #2600]
- When dumping the cache to file, TTLs were being increased with
``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
projects / thirdparty / bind9.git / commitdiff
