- Add support for EDE 20 (Not Authoritative)
- Support was added for EDE codes 20 (Not Authoritative) when client
+ Support was added for EDE codes 20 (Not Authoritative) when the client
requests recursion (RD) but the server has recursion disabled.
- RFC 8914 mention EDE 20 should also be returned if the client doesn't
- have the RD bit set (and recursion is needed) but it doesn't apply for
- BIND as BIND would try to resolve from the "deepest" referral in
- AUTHORITY section. For example, if the client asks for "www.isc.org/A"
- but the server only knows the root domain, it will return NOERROR but
- no answer for "www.isc.og/A", just the list of other servers to ask.
- :gl:`#1836`
+ :rfc:`8914` indicates that EDE 20 should also be returned if the
+ client does not have the RD bit set (and recursion is needed), but it
+ does not apply for BIND; BIND would try to resolve from the "deepest"
+ referral in the AUTHORITY section. For example, if the client asks for
+ ``www.isc.org/A`` but the server only knows the root domain, it will
+ return NOERROR but no answer for ``www.isc.org/A``, just the list of
+ other servers to ask. :gl:`#1836`
- Add support for EDE 7 and EDE 8.
Support was added for EDE codes 7 (Signature Expired) and 8 (Signature
- Not Yet Valid) which might occur during DNSSEC validation. :gl:`#2715`
+ Not Yet Valid), which might occur during DNSSEC validation.
+ :gl:`#2715`
-- Dig can now display the received BADVERS message during negotiation.
+- :iscman:`dig` can now display the received BADVERS message during
+ negotiation.
- Dig +showbadvers now displays the received BADVERS message and
- continues the EDNS version negotiation. Previously to see the BADVERS
- message +noednsneg had to be specified which terminated the EDNS
- negotiation. Additionally the specified EDNS value (+edns=value) is
- now used when making all the initial queries with +trace. i.e EDNS
- version negotiation will be performed with each server when performing
- the trace. :gl:`#5234`
+ :option:`dig +showbadvers` now displays the received BADVERS message
+ and continues the EDNS version negotiation. Previously, to see the
+ BADVERS message :option:`dig +noednsnegotiation` had to be specified,
+ which terminated the EDNS negotiation. Additionally, the specified
+ EDNS value (``+edns=value``) is now used when making all the initial
+ queries with :option:`dig +trace`, i.e. EDNS version negotiation is
+ performed with each server when performing the trace. :gl:`#5234`
-- Add an rndc command to reset some statistics counters.
+- Add an :iscman:`rndc` command to reset some statistics counters.
- The new ``reset-stats`` command for ``rndc`` allows some statistics
+ The new :option:`rndc reset-stats` command allows some statistics
counters to be reset during runtime. At the moment only two
"high-water" counters are supported, so the ability to reset them
after the initial peaks during the server's "warm-up" phase may be
Bug Fixes
~~~~~~~~~
-- Restore NSEC3 closest encloser lookup improvements.
+- Restore NSEC3 closest-encloser lookup improvements.
A performance improvement for finding the closest encloser when
generating authoritative responses from NSEC3 zones was previously
reverted after a bug was found that could trigger an assertion
- failure. ( :gl:`#4460`, #4950, and #5108 for details.) The bug has
- now been fixed, and the performance improvement has been restored.
+ failure. (:gl:`#4460`, :gl:`#4950`, and :gl:`#5108`) The bug has now
+ been fixed, and the performance improvement has been restored.
:gl:`#5204`
- Stop caching lack of EDNS support.
- `named` could falsely learn that a server doesn't support EDNS when a
- spoofed response was received; that subsequently prevented DNSSEC
- lookups from being made. This has been fixed. :gl:`#3949` :gl:`#5066`
+ :iscman:`named` could falsely learn that a server did not support EDNS
+ when a spoofed response was received; that subsequently prevented
+ DNSSEC lookups from being made. This has been fixed. :gl:`#3949`
+ :gl:`#5066`
-- Fix resolver statistics counters for timed out responses.
+- Fix resolver statistics counters for timed-out responses.
When query responses timed out, the resolver could incorrectly
- increase the regular responses counters, even if no response was
+ increase the regular response counters, even if no response was
received. This has been fixed. :gl:`#5193`
-- Nested DNS validation could cause assertion failure.
+- Nested DNS validation could cause an assertion failure.
When multiple nested DNS validations were destroyed out of order, the
EDE context could be freed before all EDE codes were copied, which
could cause an assertion failure. This has been fixed. :gl:`#5213`
-- [9.20] Wait for memory reclamation to finish in named-checkconf.
+- Wait for memory reclamation to finish in :iscman:`named-checkconf`.
- Previously, when named-checkzone loaded the zone to the QP database,
- the delayed memory reclamation could cause an assertion check on exit.
- This has been fixed. :gl:`#5220`
+ Previously, when :iscman:`named-checkzone` loaded the zone to the QP
+ database, the delayed memory reclamation could cause an assertion
+ check on exit. This has been fixed. :gl:`#5220`
-- Ensure max-clients-per-query is at least clients-per-query.
+- Ensure :any:`max-clients-per-query` is at least
+ :any:`clients-per-query`.
- If the `max-clients-per-query` option is set to a lower value than
- `clients-per-query`, the value is adjusted to match
- `clients-per-query`. :gl:`#5224`
+ If the :any:`max-clients-per-query` option is set to a lower value
+ than :any:`clients-per-query`, the value is adjusted to match
+ :any:`clients-per-query`. :gl:`#5224`
- Fix write after free in validator code.
Raw integer pointers were being used for the validator's nvalidations
- and nfails values but the memory holding them could be freed before
- they ceased to be used. Use reference counted counters instead.
- :gl:`#5239`
+ and nfails values, but the memory holding them could be freed while
+ they were still being used. Reference counted counters are now used
+ instead. :gl:`#5239`
- Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
- All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH`
- (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type,
- and are not applicable to DNSKEY. Previously, however, because the
- DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag
- prevented authentication in DNSKEYs as well. This has been corrected.
- :gl:`#5240`
+ All DNSKEY keys are able to authenticate. The ``DNS_KEYTYPE_NOAUTH``
+ (and ``DNS_KEYTYPE_NOCONF``) flags were defined for the KEY rdata
+ type, and are not applicable to DNSKEY. Previously, however, because
+ the DNSKEY implementation was built on top of KEY, the ``_NOAUTH``
+ flag prevented authentication in DNSKEYs as well. This has been
+ corrected. :gl:`#5240`
- Fix several small DNSSEC timing issues.
- The following small issues related to `dnssec-policy` have been fixed:
- - In some cases the key manager inside BIND 9 could run every hour,
- while it could have run less often. - While `CDS` and `CDNSKEY`
- records will be removed correctly from the zone when the corresponding
- `DS` record needs to be updated, the expected timing metadata when
- this will happen was never set. - There were a couple of cases where
- the safety intervals are added inappropriately, delaying key rollovers
- longer than necessary. - If you have identical `keys` in your
- `dnssec-policy`, they may be retired inappropriately. Note that having
- keys with identical properties is discouraged in all cases.
- :gl:`#5242`
-
+ The following small issues related to :any:`dnssec-policy` have been
+ fixed:
+
+ - In some cases the key manager inside BIND 9 would run every hour,
+ while in other cases it would run less often.
+ - While ``CDS`` and ``CDNSKEY`` records will be removed correctly from
+ the zone when the corresponding ``DS`` record needs to be updated,
+ the expected timing metadata for when this should happen was never
+ set.
+ - There were a couple of cases where the safety intervals were added
+ inappropriately, delaying key rollovers longer than necessary.
+ - Identical keys in a :any:`dnssec-policy` may have been
+ retired inappropriately. Note that having `keys` with identical
+ properties is discouraged in all cases.
+ :gl:`#5242`
projects / thirdparty / bind9.git / commitdiff
