Introduction
------------
-BIND 9.16 is a stable branch of BIND. This document summarizes significant
-changes since the last production release on that branch. Please see the
-file CHANGES for a more detailed list of changes and bug fixes.
+BIND 9.16 is a stable branch of BIND. This document summarizes
+significant changes since the last production release on that branch.
+Please see the file CHANGES for a more detailed list of changes and bug
+fixes.
Note on Version Numbering
-------------------------
As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
-release numbering convention. BIND 9.16 contains new features that
-were added during the BIND 9.15 development process. Henceforth, the
-9.16 branch will be limited to bug fixes, and new feature development
-will proceed in the unstable 9.17 branch.
+release numbering convention. BIND 9.16 contains new features that were
+added during the BIND 9.15 development process. Henceforth, the 9.16
+branch will be limited to bug fixes, and new feature development will
+proceed in the unstable 9.17 branch.
Supported Platforms
-------------------
-To build on UNIX-like systems, BIND requires support for POSIX.1c threads
-(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6
-(:rfc:`3542`), and standard atomic operations provided by the C compiler.
+To build on UNIX-like systems, BIND requires support for POSIX.1c
+threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6
+(:rfc:`3542`), and standard atomic operations provided by the C
+compiler.
The libuv asynchronous I/O library and the OpenSSL cryptography library
-must be available for the target platform. A PKCS#11 provider can be used
-instead of OpenSSL for Public Key cryptography (i.e., DNSSEC signing and
-validation), but OpenSSL is still required for general cryptography
-operations such as hashing and random number generation.
-
-More information can be found in the ``PLATFORMS.md`` file that is included
-in the source distribution of BIND 9. If your compiler and system libraries
-provide the above features, BIND 9 should compile and run. If that isn't
-the case, the BIND development team will generally accept patches that add
-support for systems that are still supported by their respective vendors.
+must be available for the target platform. A PKCS#11 provider can be
+used instead of OpenSSL for Public Key cryptography (i.e., DNSSEC
+signing and validation), but OpenSSL is still required for general
+cryptography operations such as hashing and random number generation.
+
+More information can be found in the ``PLATFORMS.md`` file that is
+included in the source distribution of BIND 9. If your compiler and
+system libraries provide the above features, BIND 9 should compile and
+run. If that is not the case, the BIND development team will generally
+accept patches that add support for systems that are still supported by
+their respective vendors.
Download
--------
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.16.4.rst
.. include:: ../notes/notes-9.16.3.rst
.. include:: ../notes/notes-9.16.2.rst
.. include:: ../notes/notes-9.16.1.rst
https://kb.isc.org/docs/aa-00896 for details of ISC's software support
policy.
-
Thank You
---------
Thank you to everyone who assisted us in making this release possible.
-License
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-.. _relnotes-9.16.0:
-
Notes for BIND 9.16.0
-=====================
+---------------------
*Note: this section only lists changes from BIND 9.14 (the previous
stable branch of BIND).*
-.. _relnotes-9.16.0-new:
-
New Features
-------------
+~~~~~~~~~~~~
- A new asynchronous network communications system based on ``libuv``
is now used by ``named`` for listening for incoming requests and
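
Review bot: Removing the ``.. _relnotes-9.16.0:`` and ``.. _relnotes-9.16.0-new:`` targets at the top of this file drops the explicit link anchors for these sections, so any ``:ref:`` to them elsewhere in the documentation will stop resolving. Either keep the top-level label or confirm with a search for ``relnotes-9.16`` that nothing references it; the same check covers the ``-changes``, ``-removed``, ``-known``, ``-security`` and ``-bugs`` labels removed in the later hunks.
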
- Statistics channel groups can now be toggled. [GL #1030]
-.. _relnotes-9.16.0-changes:
-
Feature Changes
----------------
+~~~~~~~~~~~~~~~
- When static and managed DNSSEC keys were both configured for the same
name, or when a static key was used to configure a trust anchor for
Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
respected. [GL #658]
-.. _relnotes-9.16.0-removed:
-
Removed Features
-----------------
+~~~~~~~~~~~~~~~~
- The ``dnssec-enable`` option has been obsoleted and no longer has any
effect. DNSSEC responses are always enabled if signatures and other
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-.. _relnotes-9.16.1:
-
Notes for BIND 9.16.1
-=====================
-
-.. _relnotes-9.16.1-known:
+---------------------
Known Issues
-------------
+~~~~~~~~~~~~
- UDP network ports used for listening can no longer simultaneously be
used for sending traffic. An example configuration which triggers
dispatch for reserved port") on some of them. There are currently no
plans to make such a combination of settings work again.
-.. _relnotes-9.16.1-changes:
-
Feature Changes
----------------
+~~~~~~~~~~~~~~~
- The system-provided POSIX Threads read-write lock implementation is
now used by default instead of the native BIND 9 implementation.
BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
glibc is available. [GL !3125]
-.. _relnotes-9.16.1-bugs:
-
Bug Fixes
----------
+~~~~~~~~~
- Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-.. _relnotes-9.16.2:
-
Notes for BIND 9.16.2
-=====================
-
-.. _relnotes-9.16.2-security:
+---------------------
Security Fixes
---------------
+~~~~~~~~~~~~~~
- DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
-.. _relnotes-9.16.2-known:
-
Known Issues
-------------
+~~~~~~~~~~~~
- We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
used in the hash calculation). These are being investigated. [GL
#1685]
-.. _relnotes-9.16.2-changes:
-
Feature Changes
----------------
+~~~~~~~~~~~~~~~
- The previous DNSSEC sign statistics used lots of memory. The number
of keys to track is reduced to four per zone, which should be enough
for 99% of all signed zones. [GL #1179]
-.. _relnotes-9.16.2-bugs:
-
Bug Fixes
----------
+~~~~~~~~~
- When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, ``named`` could become nonresponsive
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-.. _relnotes-9.16.3:
-
Notes for BIND 9.16.3
-=====================
-
-.. _relnotes-9.16.3-security:
-
-Security Fixes
---------------
-
-- None.
-
-.. _relnotes-9.16.3-known:
+---------------------
Known Issues
-------------
+~~~~~~~~~~~~
- BIND crashes on startup when linked against libuv 1.36. This issue is
related to recvmmsg() support in libuv which was first included in
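
Review bot: With the "Security Fixes" heading and its "- None." entry deleted at the top of this hunk, the 9.16.3 notes no longer state that the release carried no security fixes, and a reader cannot tell that apart from a section that was simply left out. If empty sections are being dropped on purpose, say so once in the introduction; otherwise keep the explicit "None." entry under Security Fixes.
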
1.35 or libuv >= 1.37; libuv 1.36 is still not usable with BIND. [GL
#1761] [GL #1797]
-.. _relnotes-9.16.3-changes:
-
Feature Changes
----------------
+~~~~~~~~~~~~~~~
- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
relying on system defaults instead. [GL #1713]
zones, the exported timers also include expire and refresh times.
Contributed by Paul Frieden, Verizon Media. [GL #1232]
-.. _relnotes-9.16.3-bugs:
-
Bug Fixes
----------
+~~~~~~~~~
- A bug in dnstap initialization could prevent some dnstap data from
being logged, especially on recursive resolvers. [GL #1795]
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-.. _relnotes-9.16.4:
-
Notes for BIND 9.16.4
-=====================
-
-.. _relnotes-9.16.4-security:
+---------------------
Security Fixes
---------------
-
-- None.
-
-.. _relnotes-9.16.4-known:
+~~~~~~~~~~~~~~
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
-Known Issues
-------------
-
-- None
-
-.. _relnotes-9.16.4-changes:
+New Features
+~~~~~~~~~~~~
- ``named`` and ``named-checkzone`` now reject master zones that
have a DS RRset at the zone apex. Attempts to add DS records
at the zone apex via UPDATE will be logged but otherwise ignored.
DS records belong in the parent zone, not at the zone apex. [GL #1798]
-Feature Changes
----------------
-
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or response. [GL #1834]
-.. _relnotes-9.16.4-bugs:
+Feature Changes
+~~~~~~~~~~~~~~~
- The default value of ``max-stale-ttl`` has changed from 1 week to 12 hours.
This option controls how long named retains expired RRsets in cache as a
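
Review bot: The entry that now sits under the added "New Features" heading, that ``named`` and ``named-checkzone`` reject master zones with a DS RRset at the zone apex, is a behaviour change that can stop an existing zone from loading, so it belongs where operators look before upgrading. Suggest moving it below the "Feature Changes" heading added at the end of this hunk and leaving the ``dig`` EDE entry under "New Features".
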
but accudently ommited from documentation.
Bug Fixes
----------
+~~~~~~~~~
- ``named`` could crash with an assertion failure if the name of a
database node was looked up while the database was being modified.
[GL #1857]
+
- Missing mutex and conditional destruction in netmgr code leads to a memory
leak on BSD systems. [GL #1893].
+
- Fix a bug in dnssec-policy keymgr where the check if a key has a
successor would return a false positive if any other key in the
keyring has a successor. [GL #1845]
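
Review bot: The context line at the top of this hunk, "but accudently ommited from documentation.", carries two typos and should read "accidentally omitted"; since the section is being reformatted anyway, fix it here. In the netmgr entry, "[GL #1893]." has a stray period after the issue reference, unlike the neighbouring entries, and the sentence describes the bug in the present tense ("leads to a memory leak") rather than the fix; reword it as a fixed issue, for example starting with "Fixed a memory leak on BSD systems caused by".
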
./doc/notes/notes-9.16.1.rst RST 2020
./doc/notes/notes-9.16.2.rst RST 2020
./doc/notes/notes-9.16.3.rst RST 2020
-./doc/notes/notes-current.rst RST 2020
+./doc/notes/notes-9.16.4.rst RST 2020
./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020