Introduction
------------
-BIND 9.19 is an unstable development release of BIND. This document
-summarizes new features and functional changes that have been introduced
-on this branch. With each development release leading up to the stable
-BIND 9.20 release, this document will be updated with additional
-features added and bugs fixed. Please see the CHANGES file for a more
-detailed list of changes and bug fixes.
+BIND 9.20 is a stable branch, suitable for production use. This
+document summarizes significant changes since the last production
+release on the 9.18 branch.
Supported Platforms
-------------------
.. include:: ../notes/notes-known-issues.rst
-.. include:: ../notes/notes-9.19.25.rst
-.. include:: ../notes/notes-9.19.24.rst
-.. include:: ../notes/notes-9.19.23.rst
-.. include:: ../notes/notes-9.19.22.rst
-.. include:: ../notes/notes-9.19.21.rst
-.. include:: ../notes/notes-9.19.20.rst
-.. include:: ../notes/notes-9.19.19.rst
-.. include:: ../notes/notes-9.19.18.rst
-.. include:: ../notes/notes-9.19.17.rst
-.. include:: ../notes/notes-9.19.16.rst
-.. include:: ../notes/notes-9.19.15.rst
-.. include:: ../notes/notes-9.19.14.rst
-.. include:: ../notes/notes-9.19.13.rst
-.. include:: ../notes/notes-9.19.12.rst
-.. include:: ../notes/notes-9.19.11.rst
-.. include:: ../notes/notes-9.19.10.rst
-.. include:: ../notes/notes-9.19.9.rst
-.. include:: ../notes/notes-9.19.8.rst
-.. include:: ../notes/notes-9.19.7.rst
-.. include:: ../notes/notes-9.19.6.rst
-.. include:: ../notes/notes-9.19.5.rst
-.. include:: ../notes/notes-9.19.4.rst
-.. include:: ../notes/notes-9.19.3.rst
-.. include:: ../notes/notes-9.19.2.rst
-.. include:: ../notes/notes-9.19.1.rst
-.. include:: ../notes/notes-9.19.0.rst
+.. include:: ../notes/notes-9.20.0.rst
.. _relnotes_license:
End of Life
-----------
-BIND 9.19 is an unstable development branch. When its development is
-complete, it will be renamed to BIND 9.20, which will be a stable
-branch. The end-of-life date for BIND 9.20 has not yet been determined.
-For those needing long-term stability, the current Extended Support
-Version (ESV) is BIND 9.18, which will be supported until at least
-December 2025. See https://kb.isc.org/docs/aa-00896 for details of
-ISC's software support policy.
+BIND 9.20 is a stable branch, suitable for production use. After it has
+been in production use for a while it will be designated as an Extended
+Support Version (ESV). Until then, the current ESV is BIND 9.18, which
+will be supported until at least December 2025. See
+https://kb.isc.org/docs/aa-00896 for details of ISC's software support
+policy.
Thank You
---------
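Review bot: the replacement include ``.. include:: ../notes/notes-9.20.0.rst`` points at a file this patch never adds, while all twenty-six ``notes-9.19.*.rst`` includes it replaces are deleted below; confirm notes-9.20.0.rst already exists in the tree (or lands in the same change), since Sphinx treats a missing include as a build error. Also, "BIND 9.20 is a stable branch, suitable for production use." is now the opening sentence of both the Introduction and the End of Life section; keep it in one of the two places.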
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.0
----------------------
-
-Known Issues
-~~~~~~~~~~~~
-
-- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
- be inspected when verifying a remote certificate while establishing a
- DNS-over-TLS connection. Only ``subjectAltName`` must be checked
- instead. Unfortunately, some quite old versions of cryptographic
- libraries might lack the ability to ignore the ``Subject`` field. This
- should have minimal production-use consequences, as most of the
- production-ready certificates issued by certificate authorities will
- have ``subjectAltName`` set. In such cases, the ``Subject`` field is
- ignored. Only old platforms are affected by this, e.g. those supplied
- with OpenSSL versions older than 1.1.1. :gl:`#3163`
-
-- See :ref:`above <relnotes_known_issues>` for a list of all known
- issues affecting this BIND 9 branch.
-
-New Features
-~~~~~~~~~~~~
-
-- Add support for remote TLS certificate verification, both to
- :iscman:`named` and :iscman:`dig`, making it possible to implement
- Strict and Mutual TLS authentication, as described in :rfc:`9103`,
- Section 9.3. :gl:`#3163`
-
-- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a
- ``-J`` option to specify a journal file to read when loading the zone
- to be verified or signed. :gl:`#2486`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The ``keep-response-order`` option has been declared obsolete and the
- functionality has been removed. :iscman:`named` expects DNS clients to
- be fully compliant with :rfc:`7766`. :gl:`#3140`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Run RPZ updates on the specialized "offload" threads to reduce the
- amount of time they block query processing on the main networking
- threads. This should increase the responsiveness of :iscman:`named`
- when RPZ updates are being applied after an RPZ zone has been
- successfully transferred. :gl:`#3190`
-
-- The catalog zone implementation has been optimized to work with
- hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744`
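Review bot: the Known Issues item about the ``Subject`` field not being ignorable on platforms shipping OpenSSL older than 1.1.1 (:gl:`#3163`) describes a platform limitation rather than a 9.19.0-specific event, so deleting it here silently drops the caveat unless ../notes/notes-known-issues.rst already covers it; please verify that before this removal merges.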
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.1
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Previously, TLS socket objects could be destroyed prematurely, which
- triggered assertion failures in :iscman:`named` instances serving
- DNS-over-HTTPS (DoH) clients. This has been fixed.
-
- ISC would like to thank Thomas Amgarten from arcade solutions ag for
- bringing this vulnerability to our attention. :cve:`2022-1183`
- :gl:`#3216`
-
-New Features
-~~~~~~~~~~~~
-
-- Catalog Zones schema version 2, as described in the
- "DNS Catalog Zones" IETF draft version 5 document, is now supported by
- :iscman:`named`. All of the previously supported BIND-specific catalog
- zone custom properties (:any:`primaries`, :any:`allow-query`, and
- :any:`allow-transfer`), as well as the new Change of Ownership (``coo``)
- property, are now implemented. Schema version 1 is still supported,
- with some additional validation rules applied from schema version 2:
- for example, the :any:`version` property is mandatory, and a member zone
- PTR RRset must not contain more than one record. In the event of a
- validation error, a corresponding error message is logged to help with
- diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
- :gl:`#3224` :gl:`#3225`
-
-- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and
- ``Stale NXDOMAIN Answer`` when stale answers are returned from cache.
- :gl:`#2267`
-
-- The Object Identifier (OID) embedded at the start of a PRIVATEOID
- public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now
- checked to ensure that it is valid when reading from zone files or
- receiving data on the wire. The Object Identifier is now printed when
- the ``dig +rrcomments`` option is used. Similarly, the name embedded
- at the start of a PRIVATEDNS public key is also checked for validity.
- :gl:`#3234`
-
-- The Object Identifier (OID) embedded at the start of a PRIVATEOID
- signature in a SIG, or RRSIG resource records is now checked to
- ensure that it is valid when reading from zone files or receiving
- data on the wire. Similarly, the name embedded at the start of
- a PRIVATEDNS public key is also checked for validity. :gl:`#3296`
-
-Bug Fixes
-~~~~~~~~~
-
-- Previously, CDS and CDNSKEY DELETE records were removed from the zone
- when configured with the ``auto-dnssec maintain;`` option. This has
- been fixed. :gl:`#2931`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
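Review bot: this removal deletes the :cve:`2022-1183` entry (premature TLS socket destruction under DoH) together with its credit line; for a stable-branch release-notes index, fixed CVEs should stay discoverable, so either carry the entry into notes-9.20.0.rst or confirm the still-referenced 9.18 notes document it.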
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.10
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- The :any:`forwarders` statement now supports the :any:`tls` argument,
- to be used to forward queries to DoT-enabled servers. :gl:`#3726`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Specifying a ``port`` when configuring source addresses (i.e., as an
- argument to :any:`query-source`, :any:`query-source-v6`,
- :any:`transfer-source`, :any:`transfer-source-v6`,
- :any:`notify-source`, :any:`notify-source-v6`, :any:`parental-source`,
- or :any:`parental-source-v6`, or in the ``source`` or ``source-v6``
- arguments to :any:`primaries`, :any:`parental-agents`,
- :any:`also-notify`, or :any:`catalog-zones`) has been deprecated. In
- addition, the :any:`use-v4-udp-ports`, :any:`use-v6-udp-ports`,
- :any:`avoid-v4-udp-ports`, and :any:`avoid-v6-udp-ports` options have
- also been deprecated.
-
- Warnings are now logged when any of these options are encountered in
- ``named.conf``. In a future release, they will be made nonfunctional.
- :gl:`#3781`
-
-- The Differentiated Services Code Point (DSCP) feature has been
- removed: configuring DSCP values in ``named.conf`` is now a
- configuration error. :gl:`#3789`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The memory statistics have been reduced to a single counter,
- ``InUse``; ``Malloced`` is an alias that holds the same value. The
- other counters were usable with the old BIND 9 internal memory
- allocator, but they are unnecessary now that the latter has been
- removed. :gl:`#3718`
-
-Bug Fixes
-~~~~~~~~~
-
-- A constant stream of zone additions and deletions via ``rndc
- reconfig`` could cause increased memory consumption due to delayed
- cleaning of view memory. This has been fixed. :gl:`#3801`
-
-- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
- NSEC3 hashing, has been improved. :gl:`#3795`
-
-- Pointing :any:`parental-agents` to a resolver did not work because the
- RD bit was not set on DS requests. This has been fixed. :gl:`#3783`
-
-- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
- ``./configure`` was used. This has been fixed. :gl:`#3827`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
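Review bot: the deprecation notice for ``port`` in source-address statements and for :any:`use-v4-udp-ports` / :any:`avoid-v4-udp-ports` (and their v6 variants), plus the DSCP removal that turns existing ``named.conf`` DSCP settings into a configuration error (:gl:`#3789`), are exactly the items an operator upgrading from 9.18 needs to read; check that the consolidated 9.20.0 notes restate them rather than only listing added features.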
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.11
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- When using :any:`dnssec-policy`, it is now possible to configure the
- digest type to use when ``CDS`` records need to be published with
- :any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS
- records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Support for Red Hat Enterprise Linux version 7 (and clones) has been
- dropped. A C11-compliant compiler is now required to compile BIND 9.
- :gl:`#3729`
-
-- The functions that were in the ``libbind9`` shared library have been
- moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty
- ``libbind9`` has been removed and is no longer installed. :gl:`#3903`
-
-- The ``irs_resconf`` module has been moved to the ``libdns`` shared
- library. The now-empty ``libirs`` library has been removed and is no
- longer installed. :gl:`#3904`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Catalog zone updates are now run on specialized "offload" threads to
- reduce the amount of time they block query processing on the main
- networking threads. This increases the responsiveness of
- :iscman:`named` when catalog zone updates are being applied after a
- catalog zone has been successfully transferred. :gl:`#3881`
-
-- libuv support for receiving multiple UDP messages in a single
- ``recvmmsg()`` system call has been tweaked several times between
- libuv versions 1.35.0 and 1.40.0; the current recommended libuv
- version is 1.40.0 or higher. New rules are now in effect for running
- with a different version of libuv than the one used at compilation
- time. These rules may trigger a fatal error at startup:
-
- - Building against or running with libuv versions 1.35.0 and 1.36.0 is
- now a fatal error.
-
- - Running with libuv version higher than 1.34.2 is now a fatal error
- when :iscman:`named` is built against libuv version 1.34.2 or lower.
-
- - Running with libuv version higher than 1.39.0 is now a fatal error
- when :iscman:`named` is built against libuv version 1.37.0, 1.38.0,
- 1.38.1, or 1.39.0.
-
- This prevents the use of libuv versions that may trigger an assertion
- failure when receiving multiple UDP messages in a single system call.
- :gl:`#3840`
-
-Bug Fixes
-~~~~~~~~~
-
-- :iscman:`named` could crash with an assertion failure when adding a
- new zone into the configuration file for a name which was already
- configured as a member zone for a catalog zone. This has been fixed.
- :gl:`#3911`
-
-- When :iscman:`named` starts up, it sends a query for the DNSSEC key
- for each configured trust anchor to determine whether the key has
- changed. In some unusual cases, the query might depend on a zone for
- which the server is itself authoritative, and would have failed if it
- were sent before the zone was fully loaded. This has now been fixed by
- delaying the key queries until all zones have finished loading.
- :gl:`#3673`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
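Review bot: the libuv version rules (fatal error at startup with libuv 1.35.0 or 1.36.0, or when the runtime libuv is newer than the build-time one in the listed ranges) and the removal of the ``libbind9`` and ``libirs`` shared libraries are packaging-affecting changes that first reach stable users with 9.20; dropping this text leaves distribution maintainers with no release-notes record of the library removals, so confirm both items are carried forward.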
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.12
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- An error in DNS message processing introduced in development version
- 9.19.11 could cause BIND and its utilities to crash if the maximum
- permissible number of DNS labels were present. This has been fixed.
- :gl:`#3998`
-
-Known Issues
-~~~~~~~~~~~~
-
-- Loading a large number of zones is significantly slower in BIND
- 9.19.12 than in the previous development releases due to a new data
- structure being used for storing information about the zones to serve.
- This slowdown is considered to be a bug and will be addressed in a
- future BIND 9.19.x development release. :gl:`#4006`
-
-- A flaw in reworked code responsible for accepting TCP connections may
- cause a visible performance drop for TCP queries on some platforms,
- notably FreeBSD. This issue will be fixed in a future BIND 9.19.x
- development release. :gl:`#3985`
-
-- See :ref:`above <relnotes_known_issues>` for a list of all known issues
- affecting this BIND 9 branch.
-
-New Features
-~~~~~~~~~~~~
-
-- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data
- structures. :gl:`#3934`
-
-- The new command-line :option:`delv +ns` option activates name server
- mode, to more accurately reproduce the behavior of :iscman:`named`
- when resolving a query. In this mode, :iscman:`delv` uses an internal
- recursive resolver rather than an external server. All messages sent
- and received during the resolution and validation process are logged.
- This can be used in place of :option:`dig +trace`. :gl:`#3842`
-
-- A new configuration option, :any:`checkds`, has been introduced. When
- set to ``yes``, it detects :any:`parental-agents` automatically by
- resolving the parent NS records. These name servers are queried to
- check the DS RRset during a KSK rollover initiated by
- :any:`dnssec-policy`. :gl:`#3901`
-
-.. _`liburcu`: https://liburcu.org/
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been
- removed and using TKEY Mode 2 is now a fatal error. Users are advised
- to switch to TKEY Mode 3 (GSS-API). :gl:`#3905`
-
-- Zone type ``delegation-only``, and the ``delegation-only`` and
- ``root-delegation-only`` statements, have been removed. Using them is
- a configuration error.
-
- These statements were created to address the SiteFinder controversy,
- in which certain top-level domains redirected misspelled queries to
- other sites instead of returning NXDOMAIN responses. Since top-level
- domains are now DNSSEC-signed, and DNSSEC validation is active by
- default, the statements are no longer needed. :gl:`#3953`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The log message ``resolver priming query complete`` has been moved
- from the INFO log level to the DEBUG(1) log level, to prevent
- :iscman:`delv` from emitting that message when setting up its internal
- resolver. :gl:`#3842`
-
-Bug Fixes
-~~~~~~~~~
-
-- Several bugs which could cause :iscman:`named` to crash during catalog
- zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997`
-
-- Performance of DNSSEC validation in zones with many DNSKEY records has
- been improved. :gl:`#3981`
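Review bot: deleting the ``.. _`liburcu`: https://liburcu.org/`` line removes a named hyperlink target; if notes-9.20.0.rst or any other included file still mentions the liburcu dependency via a ``liburcu``_ reference, Sphinx will report an unknown target, so grep the remaining notes for it. The TKEY Mode 2 removal (now a fatal error) and the ``delegation-only`` removal (now a configuration error) also belong in the 9.18-to-9.20 upgrade notes.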
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.13
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- :iscman:`dnstap-read` can now print long timestamps with millisecond
- precision. :gl:`#2360`
-
-Bug Fixes
-~~~~~~~~~
-
-- When the same :any:`notify-source` address and port number was
- configured for multiple destinations and zones, an unresponsive server
- could tie up the relevant network socket until it timed out; in the
- meantime, NOTIFY messages for other servers silently failed.
- :iscman:`named` will now retry sending such NOTIFY messages over TCP.
- Furthermore, NOTIFY failures are now logged at the INFO level.
- :gl:`#4001` :gl:`#4002`
-
-- The :any:`max-transfer-time-in` and :any:`max-transfer-idle-in`
- statements have not had any effect since the BIND 9 networking stack
- was refactored in version 9.16. The missing functionality has been
- re-implemented and incoming zone transfers now time out properly when
- not progressing. :gl:`#4004`
-
-- The read timeout in :iscman:`rndc` is now 60 seconds, matching the
- behavior in BIND 9.16 and earlier. It had previously been lowered to
- 30 seconds by mistake. :gl:`#4046`
-
-- When the ``ISC_R_INVALIDPROTO`` (``ENOPROTOOPT``, ``EPROTONOSUPPORT``)
- error code is returned by libuv, it is now treated as a network
- failure: the server for which that error code is returned gets marked
- as broken and is not contacted again during a given resolution
- process. :gl:`#4005`
-
-- When removing delegations from an opt-out range, empty-non-terminal
- NSEC3 records generated by those delegations were not cleaned up. This
- has been fixed. :gl:`#4027`
-
-- A flaw in reworked code responsible for accepting TCP connections has
- been addressed. This issue could cause a visible performance drop for
- TCP queries on some platforms, notably FreeBSD, and has now been
- fixed. :gl:`#3985`
-
-- Log file rotation code did not clean up older versions of log files
- when the logging :any:`channel` had an absolute path configured as a
- ``file`` destination. This has been fixed. :gl:`#3991`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.14
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- The overmem cleaning process has been improved, to prevent the cache from
- significantly exceeding the configured :any:`max-cache-size` limit.
- :cve:`2023-2828`
-
- ISC would like to thank Shoham Danino from Reichman University, Anat
- Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
- and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to
- our attention. :gl:`#4055`
-
-New Features
-~~~~~~~~~~~~
-
-- The read timeout in :iscman:`rndc` can now be specified on the command
- line using the :option:`-t <rndc -t>` option, allowing commands that
- take a long time to complete sufficient time to do so. :gl:`#4046`
-
-- Support for multi-signer model 2 (:rfc:`8901`) when using
- :any:`inline-signing` was added. :gl:`#2710`
-
-- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`,
- that allows users to enable or disable the publication of CDNSKEY
- records. :gl:`#4050`
-
-- The system test suite can now be executed with pytest (along with
- pytest-xdist for parallel execution). :gl:`#3978`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Special-case code that was originally added to allow GSS-TSIG to work
- around bugs in the Windows 2000 version of Active Directory has now
- been removed, since Windows 2000 is long past end-of-life. The
- :option:`-o <nsupdate -o>` option and the ``oldgsstsig`` command to
- :iscman:`nsupdate` have been deprecated, and are now treated as
- synonyms for :option:`-g <nsupdate -g>` and ``gsstsig`` respectively.
- :gl:`#4012`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- If a response from an authoritative server has its RCODE set to
- FORMERR and contains an echoed EDNS COOKIE option that was present in
- the query, :iscman:`named` now retries sending the query to the
- same server without an EDNS COOKIE option. :gl:`#4049`
-
-- The responsiveness of :iscman:`named` was improved, when serving as an
- authoritative DNS server for a delegation-heavy zone(s) shortly after
- loading such zone(s). :gl:`#4045`
-
-Bug Fixes
-~~~~~~~~~
-
-- When the :any:`stale-answer-enable` option was enabled and the
- :any:`stale-answer-client-timeout` option was enabled and larger than
- 0, :iscman:`named` previously allocated two slots from the
- :any:`clients-per-query` limit for each client and failed to gradually
- auto-tune its value, as configured. This has been fixed. :gl:`#4074`
-
-- Previously, it was possible for a delegation from cache to be returned
- to the client after the :any:`stale-answer-client-timeout` duration.
- This has been fixed. :gl:`#3950`
-
-- BIND could allocate too big buffers when sending data via
- stream-based DNS transports, leading to increased memory usage.
- This has been fixed. :gl:`#4038`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
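Review bot: the :cve:`2023-2828` entry (overmem cleaning exceeding :any:`max-cache-size`) and the deprecation of :option:`-o <nsupdate -o>` / ``oldgsstsig`` are both removed here; the CVE should remain referenced from the stable-branch notes, and the ``-o`` change is worth keeping because scripts that still pass ``-o`` will now get the ``-g`` behaviour without any notice.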
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.15
-----------------------
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The ``relaxed`` QNAME minimization mode now uses NS records. This
- reduces the number of queries :iscman:`named` makes when resolving, as
- it allows the non-existence of NS RRsets at non-referral nodes to be
- cached in addition to the normally cached referrals. :gl:`#3325`
-
-Bug Fixes
-~~~~~~~~~
-
-- The ability to read HMAC-MD5 key files, which was accidentally lost in
- BIND 9.19.6 and BIND 9.18.8, has been restored. :gl:`#3668`
- :gl:`#4154`
-
-- Several minor stability issues with the catalog zone implementation
- have been fixed. :gl:`#4132` :gl:`#4136` :gl:`#4171`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.16
-----------------------
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The ``auto-dnssec`` configuration statement has been removed. Please
- use :any:`dnssec-policy` or manual signing instead. The following
- statements have become obsolete: :any:`dnskey-sig-validity`,
- :any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`,
- :any:`sig-validity-interval`, and :any:`update-check-ksk`. :gl:`#3672`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- BIND now returns BADCOOKIE for out-of-date or otherwise bad but
- well-formed DNS server cookies. :gl:`#4194`
-
-- When a primary server for a zone responds to an SOA query, but the
- subsequent TCP connection required to transfer the zone is refused,
- that server is marked as temporarily unreachable. This now also
- happens if the TCP connection attempt times out, preventing too many
- zones from queuing up on an unreachable server and allowing the
- refresh process to move on to the next configured primary more
- quickly. :gl:`#4215`
-
-- The :any:`inline-signing` statement can now also be set inside
- :any:`dnssec-policy`. The built-in policies ``default`` and
- ``insecure`` enable the use of :any:`inline-signing`. If
- :any:`inline-signing` is set at the ``zone`` level, it overrides the
- value set in :any:`dnssec-policy`. :gl:`#3677`
-
-- To improve query-processing latency under load, the uninterrupted time
- spent on resolving long chains of cached domain names has been
- reduced. :gl:`#4185`
-
-- The :any:`dialup` and :any:`heartbeat-interval` options have been
- deprecated and will be removed in a future BIND 9 release. :gl:`#3700`
-
-Bug Fixes
-~~~~~~~~~
-
-- Setting :any:`dnssec-policy` to ``insecure`` prevented zones
- containing resource records with a TTL value larger than 86400 seconds
- (1 day) from being loaded. This has been fixed by ignoring the TTL
- values in the zone and using a value of 604800 seconds (1 week) as the
- maximum zone TTL in key rollover timing calculations. :gl:`#4032`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
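Review bot: the ``auto-dnssec`` removal, together with the list of statements it makes obsolete (:any:`dnskey-sig-validity`, :any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`, :any:`sig-validity-interval`, :any:`update-check-ksk`), is a disruptive configuration change between 9.18 and 9.20 and should not disappear from the published notes; the same goes for the :any:`dialup` / :any:`heartbeat-interval` deprecation (:gl:`#3700`). Verify notes-9.20.0.rst restates both.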
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.17
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Previously, sending a specially crafted message over the control
- channel could cause the packet-parsing code to run out of available
- stack memory, causing :iscman:`named` to terminate unexpectedly.
- This has been fixed. :cve:`2023-3341`
-
- ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
- bringing this vulnerability to our attention. :gl:`#4152`
-
-New Features
-~~~~~~~~~~~~
-
-- Support for User Statically Defined Tracing (USDT) probes has been
- added. These probes enable fine-grained application tracing and
- introduce no overhead when they are not enabled. :gl:`#4041`
-
-- The client-side support of the EDNS EXPIRE option has been expanded to
- include IXFR and AXFR query types. This enhancement enables
- :iscman:`named` to perform AXFR and IXFR queries while incorporating
- the EDNS EXPIRE option. :gl:`#4170`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The :any:`dnssec-must-be-secure` option has been deprecated and will
- be removed in a future release. :gl:`#4263`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Compiling with jemalloc versions older than 4.0.0 is no longer
- supported; those versions do not provide the features required by
- current BIND 9 releases. :gl:`#4296`
-
-- If the ``server`` command is specified, :iscman:`nsupdate` now honors
- the :option:`nsupdate -v` option for SOA queries by sending both the
- UPDATE request and the initial query over TCP. :gl:`#1181`
-
-Bug Fixes
-~~~~~~~~~
-
-- The value of the If-Modified-Since header in the statistics channel
- was not being correctly validated for its length, potentially allowing
- an authorized user to trigger a buffer overflow. Ensuring the
- statistics channel is configured correctly to grant access exclusively
- to authorized users is essential (see the :any:`statistics-channels`
- block definition and usage section). :gl:`#4124`
-
- This issue was reported independently by Eric Sesterhenn of X41 D-Sec
- GmbH and Cameron Whitehead.
-
-- The Content-Length header in the statistics channel was lacking proper
- bounds checking. A negative or excessively large value could
- potentially trigger an integer overflow and result in an assertion
- failure. :gl:`#4125`
-
- This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
-
-- Several memory leaks caused by not clearing the OpenSSL error stack
- were fixed. :gl:`#4159`
-
- This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
-
-- The introduction of ``krb5-subdomain-self-rhs`` and
- ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
- :iscman:`named` to return SERVFAIL responses to deletion requests for
- non-existent PTR and SRV records. This has been fixed. :gl:`#4280`
-
-- The :any:`stale-refresh-time` feature was mistakenly disabled when the
- server cache was flushed by :option:`rndc flush`. This has been fixed.
- :gl:`#4278`
-
-- BIND's memory consumption has been improved by implementing dedicated
- jemalloc memory arenas for sending buffers. This optimization ensures
- that memory usage is more efficient and better manages the return of
- memory pages to the operating system. :gl:`#4038`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
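Review bot: the two statistics-channel fixes in this hunk's Bug Fixes section (the If-Modified-Since length validation, #4124, and the Content-Length bounds check, #4125) describe a buffer overflow and an integer overflow reachable by an authorized statistics-channel client, yet they sit under Bug Fixes rather than Security Fixes and are deleted here with no matching addition visible in the diff; whatever consolidated notes replace this file should keep both entries, the X41 D-Sec / Cameron Whitehead acknowledgements, and the reminder that ``statistics-channels`` access must be restricted to authorized users, since an operator upgrading from 9.18 will have no other record of them in the 9.20 notes. The OpenSSL error-stack leak fix (#4159) deserves the same treatment.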
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.18
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- The statistics channel now includes information about incoming zone
- transfers that are currently in progress. :gl:`#3883`
-
-- The new :any:`resolver-use-dns64` option enables :iscman:`named` to
- apply :any:`dns64` rules to IPv4 server addresses when sending
- recursive queries, so that resolution can be performed over a NAT64
- connection. :gl:`#608`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Support for the ``lock-file`` statement and the ``named -X``
- command-line option has been removed. An external process supervisor
- should be used instead. :gl:`#4391`
-
- Alternatively, the ``flock`` utility (part of util-linux) can be used
- on Linux systems to achieve the same effect as ``lock-file`` or
- ``named -X``:
-
- ::
-
- flock -n -x <directory>/named.lock <path>/named <arguments>
-
-- Configuring the control channel to use a Unix domain socket has been a
- fatal error since BIND 9.18. The feature has now been completely
- removed and :iscman:`named-checkconf` now reports it as a
- configuration error. :gl:`#4311`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Processing large incremental transfers (IXFR) has been offloaded to a
- separate work thread so that it does not prevent networking threads
- from processing regular traffic in the meantime. :gl:`#4367`
-
-- QNAME minimization is now used when looking up the addresses of name
- servers during the recursive resolution process. :gl:`#4209`
-
-- The :any:`inline-signing` zone option is now ignored if there is no
- :any:`dnssec-policy` configured for the zone. This means that unsigned
- zones no longer create redundant signed versions of the zone.
- :gl:`#4349`
-
-- The IP addresses for B.ROOT-SERVERS.NET have been updated to
- 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
-
-Bug Fixes
-~~~~~~~~~
-
-- :any:`max-cache-size` accidentally became ineffective in BIND 9.19.16.
- This has been fixed and the option now behaves as documented again.
- :gl:`#4340`
-
-- If the unsigned version of an inline-signed zone contained DNSSEC
- records, it was incorrectly scheduled for resigning. This has been
- fixed. :gl:`#4350`
-
-- Looking up stale data from the cache did not take local authoritative
- data into account. This has been fixed. :gl:`#4355`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
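Review bot: the ``lock-file`` / ``named -X`` removal in this hunk's Removed Features section is an operational breaking change that comes with a concrete migration path (``flock -n -x <directory>/named.lock <path>/named <arguments>``), and the B.ROOT-SERVERS.NET address update to 170.247.170.2 and 2801:1b8:10::b (#4101) matters to anyone shipping their own root hints; both should be carried into the consolidated notes rather than vanish with this file. The Unix-domain-socket control channel entry (#4311) can be reduced to a single line, since the text itself says it has been a fatal error since 9.18 and only the ``named-checkconf`` diagnostic is new.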
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.19
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Initial support for the PROXYv2 protocol was added. :iscman:`named`
- can now accept PROXYv2 headers over all currently implemented DNS
- transports and :iscman:`dig` can insert these headers into the queries
- it sends. Please consult the related documentation
- (:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and
- :any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and
- :option:`dig +proxy-plain` for :iscman:`dig`) for additional details.
- :gl:`#4388`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
- aes;``) has been removed. The only supported DNS COOKIE algorithm is
- now the current default, SipHash-2-4. :gl:`#4421`
-
-- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval``
- statements have been removed. Using them is now a fatal error.
- :gl:`#4405`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The maximum number of NSEC3 iterations allowed for validation purposes
- has been lowered from 150 to 50. DNSSEC responses containing NSEC3
- records with iteration counts greater than 50 are now treated as
- insecure. :gl:`#4363`
-
-- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only
- allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using
- NSEC3 that the policy manages. :gl:`#4363`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
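Review bot: the NSEC3 iteration change in this hunk's Feature Changes section (validation limit lowered from 150 to 50, responses above that now treated as insecure, #4363) silently changes validation outcomes for zones signed with high iteration counts and needs to stay prominent in the consolidated notes. The two removals in the same hunk also need upgrade-facing wording: ``cookie-algorithm aes;`` is gone (#4421, SipHash-2-4 is the only algorithm left), and ``resolver-nonbackoff-tries`` / ``resolver-retry-interval`` are now a fatal error (#4405), so a 9.18 named.conf that still carries the latter will not load after the upgrade.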
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.2
----------------------
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- New :any:`dnssec-policy` configuration checks have been added to detect
- unusual policies, such as missing KSK and/or ZSK and too-short key
- lifetimes and re-sign periods. :gl:`#1611`
-
-Bug Fixes
-~~~~~~~~~
-
-- The :any:`fetches-per-server` quota is designed to adjust itself downward
- automatically when an authoritative server times out too frequently.
- Due to a coding error, that adjustment was applied incorrectly, so
- that the quota for a congested server was always set to 1. This has
- been fixed. :gl:`#3327`
-
-- DNSSEC-signed catalog zones were not being processed correctly. This
- has been fixed. :gl:`#3380`
-
-- Key files were updated every time the :any:`dnssec-policy` key manager
- ran, whether the metadata had changed or not. :iscman:`named` now
- checks whether changes were applied before writing out the key files.
- :gl:`#3302`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.20
-----------------------
-
-.. note::
-
- The BIND 9.19.20 release was withdrawn after the discovery of a
- regression in a security fix in it during pre-release testing. ISC
- would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.21
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Validating DNS messages containing a lot of DNSSEC signatures could
- cause excessive CPU load, leading to a denial-of-service condition.
- This has been fixed. :cve:`2023-50387`
-
- ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
- and Michael Waidner from the German National Research Center for
- Applied Cybersecurity ATHENE for bringing this vulnerability to our
- attention. :gl:`#4424`
-
-- Preparing an NSEC3 closest encloser proof could cause excessive CPU
- load, leading to a denial-of-service condition. This has been fixed.
- :cve:`2023-50868` :gl:`#4459`
-
-- Parsing DNS messages with many different names could cause excessive
- CPU load. This has been fixed. :cve:`2023-4408`
-
- ISC would like to thank Shoham Danino from Reichman University, Anat
- Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
- University, and Yuval Shavitt from Tel-Aviv University for bringing
- this vulnerability to our attention. :gl:`#4234`
-
-- Specific queries could cause :iscman:`named` to crash with an
- assertion failure when :any:`nxdomain-redirect` was enabled. This has
- been fixed. :cve:`2023-5517` :gl:`#4281`
-
-- A bad interaction between DNS64 and serve-stale could cause
- :iscman:`named` to crash with an assertion failure, when both of these
- features were enabled. This has been fixed. :cve:`2023-5679`
- :gl:`#4334`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- :iscman:`named-compilezone` no longer performs zone integrity checks
- by default; this allows faster conversion of a zone file from one
- format to another. :gl:`#4364`
-
- Zone checks can be performed by running :iscman:`named-checkzone`
- separately, or the previous default behavior can be restored by using:
-
- ::
-
- named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
-
-Bug Fixes
-~~~~~~~~~
-
-- The counters exported via the statistics channel were changed back to
- 64-bit signed values; they were being inadvertently truncated to
- unsigned 32-bit values since BIND 9.15.0. :gl:`#4467`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
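Review bot: this hunk deletes five CVE entries (CVE-2023-50387, CVE-2023-50868, CVE-2023-4408, CVE-2023-5517, CVE-2023-5679) together with their acknowledgements; the consolidated notes should list each CVE with its #-reference so the 9.20 notes remain a complete security history for the branch. Two smaller points to carry over as well: the CVE-2023-50868 entry has no acknowledgement paragraph while the others do (confirm that is intentional), and the statistics-channel counter fix (#4467, counters inadvertently truncated to unsigned 32-bit since 9.15.0) is easy to lose but matters to anyone alerting on those values. The ``named-compilezone`` default change (#4364) should keep its full restore-previous-behaviour command line, since the flag list is not discoverable otherwise.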
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.22
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Information on incoming zone transfers in the statistics channel now also shows
- the zones' "first refresh" flag, which indicates that a zone is not fully
- ready and that its first ever refresh is pending or is in progress. The number
- of such zones is now also exposed by the ``rndc status`` command. :gl:`#4241`
-
-- The statistics channel now includes counters that indicate the number
- of currently connected TCP IPv4/IPv6 clients. :gl:`#4425`
-
-- HSM support was added to :any:`dnssec-policy`. Keys can now be configured with a
- ``key-store`` that allows users to set the directory where key files are stored and to
- set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11
- provider to be configured for OpenSSL. :gl:`#1129`
-
-- The ``tls`` block was extended with a new ``cipher-suites`` option
- that allows permitted cipher suites for TLSv1.3 to be set. Please
- consult the documentation for additional details.
- :gl:`#3504`
-
-- Support for the RESINFO record type was added. :gl:`#4413`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` values,
- when the feature is turned on. When using a non-zero value, :iscman:`named` now
- generates a warning log message, and treats the value as ``0``. :gl:`#4447`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The ``dnssec-validation yes`` option now requires an explicitly configured
- :any:`trust-anchors` statement. If using manual trust anchors is not
- operationally required, then please consider using ``dnssec-validation auto``
- instead. :gl:`#4373`
-
-- The red-black tree data structure used in the RBTDB (the default
- database implementation for cache and zone databases),
- has been replaced with QP-tries. This is expected to improve
- performance and scalability, though in the current implementation
- it is known to have larger memory consumption.
-
- A side effect of this change is that zone files that are created with
- :any:`masterfile-style` ``relative`` - for example, the output of
- :any:`dnssec-signzone` - will no longer have multiple different
- `$ORIGIN` statements. There should be no other changes to server
- behavior.
-
- The old RBT-based database still exists for now, and can be used by
- specifying ``database rbt`` in a ``zone`` statement in ``named.conf``,
- or by compiling with ``configure --with-zonedb=rbt --with-cachedb=rbt``.
- :gl:`#4411`
-
-Bug Fixes
-~~~~~~~~~
-
-- A regression in cache-cleaning code enabled memory use to grow
- significantly more quickly than before, until the configured
- :any:`max-cache-size` limit was reached. This has been fixed.
- :gl:`#4596`
-
-- Using :option:`rndc flush` inadvertently caused cache cleaning to
- become less effective. This could ultimately lead to the configured
- :any:`max-cache-size` limit being exceeded and has now been fixed.
- :gl:`#4621`
-
-- The logic for cleaning up expired cached DNS records was
- tweaked to be more aggressive. This change helps with enforcing
- :any:`max-cache-ttl` and :any:`max-ncache-ttl` in a timely manner.
- :gl:`#4591`
-
-- Changes to ``listen-on`` statements were ignored on reconfiguration
- unless the port or interface address was changed, making it
- impossible to change a related listener transport type. That issue
- has been fixed.
-
- ISC would like to thank Thomas Amgarten for bringing this issue to
- our attention. :gl:`#4518` :gl:`#4528`
-
-- It was possible to trigger a use-after-free assertion when the overmem cache
- cleaning was initiated. This has been fixed. :gl:`#4595`
-
- ISC would like to thank Jinmei Tatuya of Infoblox for bringing
- this issue to our attention.
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
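Review bot: the ``dnssec-validation yes`` change in this hunk's Feature Changes section (#4373) now requires an explicit ``trust-anchors`` statement, so a 9.18 configuration with ``dnssec-validation yes;`` and no configured trust anchors stops being valid on upgrade; this, the ``stale-answer-client-timeout`` non-zero values now being treated as ``0`` with a warning (#4447), and the QP-trie replacement of the RBT database (#4411, including the ``database rbt`` fallback and the ``masterfile-style relative`` ``$ORIGIN`` difference) are the items most likely to surprise operators and must not be lost with this file. The statement that QP-trie "is known to have larger memory consumption" is superseded by the 9.19.23 entry elsewhere in this diff (#4614, roughly 15% more than RBT) and the two should be reconciled into one sentence when merged.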
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.23
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- Added RESOLVER.ARPA to the built in empty zones. :gl:`#4580`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Memory consumption of the new QP-trie database has been optimized. Large
- zones, which used to require significantly more memory with QP-trie, now only
- require roughly 15% more memory than the old red-black tree data structure.
- :gl:`#4614`
-
-- The :any:`sortlist` option has been deprecated and will be removed in a
- future BIND 9.21.x release. Users should not rely on a specific order of
- resource records in DNS messages. :gl:`#4593`
-
-- The ``fixed`` value for the :any:`rrset-order` option and the corresponding
- ``configure`` script option have been deprecated and will be removed in a
- future BIND 9.21.x release. Users should not rely on a specific order of
- resource records in DNS messages. :gl:`#4446`
-
-
-Bug Fixes
-~~~~~~~~~
-
-- A bug in the keymgr code unintentionally slowed down some DNSSEC key
- rollovers. This has been fixed. :gl:`#4552`
-
-- Two bugs that could have caused resolvers configured with the new cache data
- structure to crash or hang have been fixed. :gl:`#4622` :gl:`#4652`
-
-- Some ISO 8601 durations were accepted erroneously, leading to shorter
- durations than expected. This has been fixed. :gl:`#4624`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.24
-----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- A new option :any:`signatures-jitter` has been added to :any:`dnssec-policy`
- to allow signature expirations to be spread out over a period of time.
- :gl:`#4554`
-
-- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key Signing
- Request (KSR) and Signed Key Response (SKR) files. :gl:`#1128`
-
-- Queries and responses now emit distinct dnstap entries for DNS-over-TLS (DoT)
- and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands these entries.
- :gl:`#4523`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The :iscman:`named` command-line option :option:`-U <named -U>`, which
- specified the number of UDP dispatches, has been removed. Using it now
- returns a warning. :gl:`#1879`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Querying the statistics channel no longer blocks DNS communication on the
- networking event loop level. :gl:`#4680`
-
-- DNSSEC signatures that are not valid because the current time falls outside
- the signature inception and expiration dates no longer count towards maximum
- validation and maximum validation failure limits. :gl:`#4586`
-
-- Multiple RNDC messages are now processed when sent in a single TCP message.
-
- ISC would like to thank Dominik Thalhammer for reporting the issue and
- preparing the initial patch. :gl:`#4416`
-
-- :iscman:`dnssec-keygen` now allows the options :option:`-k <dnssec-keygen
- -k>` and :option:`-f <dnssec-keygen -f>` to be used together. This allows the
- creation of keys for a given :any:`dnssec-policy` that match only the KSK
- (``-fK``) or ZSK (``-fZ``) roles. :gl:`#1128`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.25
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- A malicious DNS client that sent many queries over TCP but never read
- the responses could cause a server to respond slowly or not at all for
- other clients. This has been fixed. :cve:`2024-0760` :gl:`#4481`
-
-- Excessively large resource record sets can be crafted to slow down
- database processing. This has been addressed by adding a configurable
- limit to the number of records that can be stored per name and type in
- a cache or zone database. The default is 100, but it can be tuned with
- the new :any:`max-records-per-type` option. :gl:`#497` :gl:`#3405`
-
- An excessively large number of resource record types for a single owner
- name can be crafted to slow down database processing. This has been
- addressed by adding a configurable limit to the number of records that
- can be stored per name and type in a cache or zone database. The
- default is 100, and can be tuned with the new :any:`max-types-per-name`
- option. :cve:`2024-1737` :gl:`#3403`
-
- ISC would like to thank Toshifumi Sakaguchi who independently
- discovered and responsibly reported the issue to ISC. :gl:`#4548`
-
-- A malicious DNS client that sends many queries with a SIG(0)-signed
- message can cause server to respond slowly or not respond at all for
- other clients. This has been fixed. :cve:`2024-1975` :gl:`#4480`
-
-- Due to a logic error, lookups that triggered serving stale data and
- required lookups in local authoritative zone data could have resulted
- in an assertion failure. This has been fixed. :cve:`2024-4076`
- :gl:`#4507`
-
-New Features
-~~~~~~~~~~~~
-
-- Added a new statistics variable ``recursive high-water`` that reports
- the maximum number of simultaneous recursive clients BIND has handled
- while running. :gl:`#4668`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Outgoing zone transfers are no longer enabled by default. An explicit
- :any:`allow-transfer` ACL must now be set at the :any:`zone`,
- :any:`view`, or :namedconf:ref:`options` level to enable outgoing
- transfers. :gl:`#4728`
-
-Bug Fixes
-~~~~~~~~~
-
-- Potential data races were found in our DoH implementation, related to
- HTTP/2 session object management and endpoints set object management
- after reconfiguration. These issues have been fixed. :gl:`#4473`
-
- ISC would like to thank Dzintars and Ivo from nic.lv for bringing this
- to our attention.
-
-- Command-line options for IPv4-only (:option:`named -4`) and IPv6-only
- (:option:`named -6`) modes are now respected for zone :any:`primaries`,
- :any:`also-notify`, and :any:`parental-agents`. :gl:`#3472`
-
-- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL,
- if ``add-soa`` was used. This has been fixed. :gl:`#3323`
-
-- Some servers which could not be reached due to EHOSTDOWN or ENETDOWN
- conditions were incorrectly prioritized during server selection. These
- are now properly handled as unreachable. :gl:`#4736`
-
-- On some systems the libuv call may return an error code when sending a
- TCP reset for a connection, which triggers an assertion failure in
- :iscman:`named`. This error condition is now dealt with in a more
- graceful manner, by logging the incident and shutting down the
- connection. :gl:`#4708`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
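Review bot: the second paragraph of the Security Fixes entry in this hunk describes ``max-types-per-name`` as "a configurable limit to the number of records that can be stored per name and type", which is the wording of the preceding ``max-records-per-type`` paragraph copied verbatim; the types-per-name limit bounds the number of resource record types under a single owner name, and the consolidated notes should say so (suggest: "a configurable limit to the number of resource record types that can be stored for a single owner name"). Separately, the Feature Changes entry in the same hunk (#4728, outgoing zone transfers disabled unless an explicit ``allow-transfer`` ACL is set at zone, view or options level) breaks any secondary that relied on the old default and belongs at the top of the upgrade notes, alongside CVE-2024-0760, CVE-2024-1737, CVE-2024-1975 and CVE-2024-4076.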
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.3
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- A new command, :option:`rndc fetchlimit`, prints a list of name server
- addresses that are currently rate-limited due to
- :any:`fetches-per-server` and domain names that are rate-limited due
- to :any:`fetches-per-zone`. :gl:`#665`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The ``glue-cache`` *option* has been removed. The glue cache *feature*
- still works and is now permanently *enabled*. :gl:`#2147`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- To reduce unnecessary memory consumption in the cache, NXDOMAIN
- records are no longer retained past the normal negative cache TTL,
- even if :any:`stale-cache-enable` is set to ``yes``. :gl:`#3386`
-
-- The :option:`dnssec-signzone -H` default value has been changed to 0
- additional NSEC3 iterations. This change aligns the
- :iscman:`dnssec-signzone` default with the default used by the
- :any:`dnssec-policy` feature. At the same
- time, documentation about NSEC3 has been aligned with the `Best
- Current Practice`_. :gl:`#3395`
-
-.. _Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10
-
-Bug Fixes
-~~~~~~~~~
-
-- An assertion failure caused by a TCP connection closing between a
- connect (or accept) and a read from a socket has been fixed.
- :gl:`#3400`
-
-- When grafting non-delegated namespace onto delegated namespace,
- :any:`synth-from-dnssec` could incorrectly synthesize non-existence of
- records within the non-delegated namespace using NSEC records from
- higher zones. :gl:`#3402`
-
-- Previously, :iscman:`named` immediately returned a SERVFAIL response
- to the client when it received a FORMERR response from an
- authoritative server during recursive resolution. This has been fixed:
- :iscman:`named` acting as a resolver now attempts to contact other
- authoritative servers for a given domain when it receives a FORMERR
- response from one of them. :gl:`#3152`
-
-- Previously, :option:`rndc reconfig` did not pick up changes to
- :any:`endpoints` statements in :any:`http` blocks. This has been
- fixed. :gl:`#3415`
-
-- It was possible for a catalog zone consumer to process a catalog zone
- member zone when there was a configured pre-existing forward-only
- forward zone with the same name. This has been fixed. :gl:`#2506`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
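Review bot: the ``Best Current Practice`` link in this hunk's Feature Changes section points at draft-ietf-dnsop-nsec3-guidance-10, which has since been published as RFC 9276 (the 9.19.19 file in this same diff already cites it by RFC number); when the ``dnssec-signzone -H`` default-of-0 note is carried into the consolidated notes, cite the RFC rather than the draft. The ``synth-from-dnssec`` fix (#3402, NSEC records from higher zones incorrectly proving non-existence inside grafted non-delegated namespace) is a validation-correctness issue and worth keeping as well, as is the ``glue-cache`` option removal, since the feature is now permanently enabled with no way to turn it off (#2147).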
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.4
----------------------
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options`
- and :namedconf:ref:`zone` blocks has been deprecated; it should now be
- configured as part of :any:`dnssec-policy`. A warning is logged if
- this option is used in :namedconf:ref:`options` or :any:`zone` blocks.
- In a future release, it will become nonoperational. :gl:`#2918`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
- disabled on systems where they are disallowed by the security policy
- (e.g. Red Hat Enterprise Linux 9). Primary zones using those
- algorithms need to be migrated to new algorithms prior to running on
- these systems, as graceful migration to different DNSSEC algorithms is
- not possible when RSASHA1 is disallowed by the operating system.
- :gl:`#3469`
-
-- Log messages related to fetch limiting have been improved to provide
- more complete information. Specifically, the final counts of allowed
- and spilled fetches are now logged before the counter object is
- destroyed. :gl:`#3461`
-
-Bug Fixes
-~~~~~~~~~
-
-- When running as a validating resolver forwarding all queries to
- another resolver, :iscman:`named` could crash with an assertion
- failure. These crashes occurred when the configured forwarder sent a
- broken DS response and :iscman:`named` failed its attempts to find a
- proper one instead. This has been fixed. :gl:`#3439`
-
-- DNS compression is no longer applied to the root name (``.``) if it is
- repeatedly used in the same RRset. :gl:`#3423`
-
-- Non-dynamic zones that inherit :any:`dnssec-policy` from the
- :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
- marked as inline-signed and therefore never scheduled to be re-signed.
- This has been fixed. :gl:`#3438`
-
-- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
- expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
- the cache-cleaning time window has passed. :gl:`#3462`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
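Review bot: the RSASHA1/NSEC3RSASHA1 entry in this hunk's Feature Changes section (#3469) states that graceful algorithm migration is not possible once the operating-system security policy disallows RSASHA1, so primary zones must be migrated before they are served from such a system; that is an upgrade-blocking condition rather than a feature change and should be flagged as such in the consolidated notes, together with the ``max-zone-ttl`` deprecation in options and zone blocks (#2918), which will become nonoperational in a later release.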
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.5
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Previously, there was no limit to the number of database lookups
- performed while processing large delegations, which could be abused to
- severely impact the performance of :iscman:`named` running as a
- recursive resolver. This has been fixed. :cve:`2022-2795`
-
- ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
- Bremler-Barr & Shani Stajnrod from Reichman University for bringing
- this vulnerability to our attention. :gl:`#3394`
-
-- When an HTTP connection was reused to request statistics from the
- stats channel, the content length of successive responses could grow
- in size past the end of the allocated buffer. This has been fixed.
- :cve:`2022-2881` :gl:`#3493`
-
-- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
- could be externally triggered, when using TKEY records in DH mode with
- OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491`
-
-- :iscman:`named` running as a resolver with the
- :any:`stale-answer-client-timeout` option set to ``0`` could crash
- with an assertion failure, when there was a stale CNAME in the cache
- for the incoming query. This has been fixed. :cve:`2022-3080`
- :gl:`#3517`
-
-- Memory leaks were fixed that could be externally triggered in the
- DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
- :gl:`#3487`
-
-New Features
-~~~~~~~~~~~~
-
-- A new Response Policy Zone (RPZ) :ref:`option<rpz>`, ``ede``, was
- added. It enables an :rfc:`8914` Extended DNS Error (EDE) code of
- choice to be set for responses which have been modified by a given
- RPZ. :gl:`#3410`
-
-- Worker threads' event loops are now managed by a new "loop manager"
- API, significantly changing the architecture of the task, timer, and
- networking subsystems for improved performance and code flow.
- :gl:`#3508`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Response Rate Limiting (RRL) code now treats all QNAMEs that are
- subject to wildcard processing within a given zone as the same name,
- to prevent circumventing the limits enforced by RRL. :gl:`#3459`
-
-- Zones using :any:`dnssec-policy` now require dynamic DNS or
- :any:`inline-signing` to be configured explicitly. :gl:`#3381`
-
-- When reconfiguring :any:`dnssec-policy` from using NSEC with an
- NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
- BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC
- until the offending DNSKEY records have been removed from the zone,
- then switches to using NSEC3. :gl:`#3486`
-
-- A backward-compatible approach was implemented for encoding
- internationalized domain names (IDN) in :iscman:`dig` and converting
- the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
- conversion. :gl:`#3485`
-
-Bug Fixes
-~~~~~~~~~
-
-- A serve-stale bug was fixed, where BIND would try to return stale data
- from cache for lookups that received duplicate queries or queries that
- would be dropped. This bug resulted in premature SERVFAIL responses,
- and has now been resolved. :gl:`#2982`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
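Review bot: deleting the 9.19.5 notes drops the only entries on this branch for :cve:`2022-3080` and :cve:`2022-38178` (L1600-L1605), and the replacement 9.20.0 notes scope themselves to changes since 9.18.28 (L2071-L2073) without listing any CVE. That is only correct if both fixes also shipped on the 9.18 branch before 9.18.28; please confirm, and consider keeping a one-line pointer to the per-branch security advisories so the CVE history is not lost from the rendered notes.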
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.6
----------------------
-
-Known Issues
-~~~~~~~~~~~~
-
-- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may
- require a manual configuration change. The following configurations
- are affected:
-
- - :any:`type primary` zones configured with :any:`dnssec-policy` but
- without either :any:`allow-update` or :any:`update-policy`,
- - :any:`type secondary` zones configured with :any:`dnssec-policy`.
-
- In these cases please add :namedconf:ref:`inline-signing yes;
- <inline-signing>` to the individual zone configuration(s). Without
- applying this change, :iscman:`named` will fail to start. For more
- details, see
- https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
-
-- See :ref:`above <relnotes_known_issues>` for a list of all known
- issues affecting this BIND 9 branch.
-
-New Features
-~~~~~~~~~~~~
-
-- Support for parsing and validating the ``dohpath`` service parameter
- in SVCB records was added. :gl:`#3544`
-
-- :iscman:`named` now supports forwarding Dynamic DNS updates through
- DNS-over-TLS (DoT). :gl:`#3512`
-
-- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT).
- :gl:`#1781`
-
-- :iscman:`named` now logs the supported cryptographic algorithms during
- startup and in the output of :option:`named -V`. :gl:`#3541`
-
-- A new configuration option :any:`require-cookie` has been introduced.
- It specifies whether there should be a DNS COOKIE in the response for
- a given prefix; if not, :iscman:`named` falls back to TCP. This is
- useful if it is known that a given server supports DNS COOKIE. It can
- also be used to force all non-DNS COOKIE responses to fall back to
- TCP. :gl:`#2295`
-
-- Support for libsystemd's ``sd_notify()`` function was added, enabling
- :iscman:`named` to report its status to the init system. This allows
- systemd to wait until :iscman:`named` is fully ready before starting
- other services that depend on name resolution. :gl:`#1176`
-
-- The ``recursion not available`` and ``query (cache) '...' denied`` log
- messages were extended to include the name of the ACL that caused a
- given query to be denied. :gl:`#3587`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- When an international domain name is not valid according to IDNA2008,
- :iscman:`dig` now tries to convert it according to IDNA2003 rules, or
- pass it through unchanged, instead of stopping with an error message.
- The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527`
-
-- The DNSSEC signing data included in zone statistics identified
- keys only by the key ID; this caused confusion when two keys using
- different algorithms had the same ID. Zone statistics now identify
- keys using the algorithm number, followed by "+", followed by the
- key ID: for example, ``8+54274``. :gl:`#3525`
-
-- The ability to use PKCS#11 via engine_pkcs11 has been restored, by
- using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be
- compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS
- environment variable at compile time. :gl:`#3578`
-
-- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher.
- libuv should be available on all supported platforms either as a
- native package or as a backport. :gl:`#3567`
-
-Bug Fixes
-~~~~~~~~~
-
-- An assertion failure was fixed in :iscman:`named` that was caused by
- aborting the statistics channel connection while sending statistics
- data to the client. :gl:`#3542`
-
-- :iscman:`named` could incorrectly return non-truncated, glueless
- referrals for responses whose size was close to the UDP packet size
- limit. This has been fixed. :gl:`#1967`
-
-- Changing just the TSIG key names for primaries in catalog zones'
- member zones was not effective. This has been fixed. :gl:`#3557`
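Review bot: several user-visible 9.19.6 additions have no counterpart in the 9.20.0 New Features section, which is complete in this diff (L2075-L2208): SVCB ``dohpath`` parsing and validation (:gl:`#3544`, L1693-L1694), logging of the supported cryptographic algorithms at startup and in ``named -V`` (:gl:`#3541`, L1702-L1703), and the ACL name in the ``recursion not available`` / ``query (cache) '...' denied`` log messages (:gl:`#3587`, L1717-L1719). Under the "since 9.18.28" scoping at L2071-L2073 this is fine only if each was released on 9.18 first; otherwise they need entries, the last one in particular since it changes log lines that detection rules may match on. Also, the nsupdate DoT entry is carried over with its reference changed from :gl:`#1781` (L1700) to the merge request :gl:`!6752` (L2085); every other entry cites an issue, so keep ``#1781`` for consistency.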
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.7
----------------------
-
-New Features
-~~~~~~~~~~~~
-
-- The :any:`check-svcb` option has been added to control the checking of
- additional constraints on SVCB records. This change affects
- :iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`,
- :iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- On Linux, libcap is now a required dependency to help :iscman:`named`
- keep needed privileges. :gl:`#3583`
-
-- The DNS name compression algorithm used in BIND 9 has been revised: it
- now compresses more thoroughly than before, so responses containing
- names with many labels might have a smaller encoding than before.
- :gl:`#3661`
-
-Bug Fixes
-~~~~~~~~~
-
-- A crash was fixed that happened when a :any:`dnssec-policy` zone that
- used NSEC3 was reconfigured to enable :any:`inline-signing`.
- :gl:`#3591`
-
-- In certain resolution scenarios, quotas could be erroneously reached
- for servers, including any configured forwarders, resulting in
- SERVFAIL answers being sent to clients. This has been fixed.
- :gl:`#3598`
-
-- ``rpz-ip`` rules in :any:`response-policy` zones could be ineffective
- in some cases if a query had the CD (Checking Disabled) bit set to 1.
- This has been fixed. :gl:`#3247`
-
-- Previously, if Internet connectivity issues were experienced during
- the initial startup of :iscman:`named`, a BIND resolver with
- :any:`dnssec-validation` set to ``auto`` could enter into a state
- where it would not recover without stopping :iscman:`named`, manually
- deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl``
- files, and starting :iscman:`named` again. This has been fixed.
- :gl:`#2895`
-
-- Previously, the port in remote servers such as in :any:`primaries` and
- :any:`parental-agents` could be wrongly configured because of an
- inheritance bug. This has been fixed. :gl:`#3627`
-
-- Previously, BIND failed to start on Solaris-based systems with
- hundreds of CPUs. This has been fixed. :gl:`#3563`
-
-- When a DNS resource record's TTL value was equal to the resolver's
- configured :any:`prefetch` "eligibility" value, the record was
- erroneously not treated as eligible for prefetching. This has been
- fixed. :gl:`#3603`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.8
----------------------
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options
- have been removed. The limits these options set should be enforced
- externally, either by manual configuration (e.g. using ``ulimit``) or
- via the process supervisor (e.g. ``systemd``). :gl:`#3676`
-
-- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no
- longer trigger key rollovers and denial-of-existence operations. This
- also means that the :any:`dnssec-secure-to-insecure` option has been
- obsoleted. :gl:`#3686`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was
- previously set to 0. It is now changed to match the SOA MINIMUM value
- for the given zone. :gl:`#3570`
-
-- The ``--with-tuning`` option for ``configure`` has been removed. Each
- of the compile-time settings that required different values based on
- the "workload" (which were previously affected by the value of the
- ``--with-tuning`` option) has either been removed or changed to a
- sensible default. :gl:`#3664`
-
-- The ``auto-dnssec`` option has been deprecated and will be removed
- in a future BIND 9.19.x release. Please migrate to
- :any:`dnssec-policy`. :gl:`#3667`
-
-- Setting alternate local addresses for inbound zone transfers has been
- deprecated. The relevant options (``alt-transfer-source``,
- ``alt-transfer-source-v6``, and ``use-alt-transfer-source``) will be
- removed in a future BIND 9.19.x release. :gl:`#3694`
-
-- On startup, :iscman:`named` now sets the limit on the number of open
- files to the maximum allowed by the operating system, instead of
- trying to set it to "unlimited". :gl:`#3676`
-
-- The number of HTTP headers allowed in requests sent to
- :iscman:`named`'s statistics channel has been increased from 10 to
- 100, to accommodate some browsers that send more than 10 headers
- by default. :gl:`#3670`
-
-Bug Fixes
-~~~~~~~~~
-
-- :iscman:`named` could crash due to an assertion failure when an HTTP
- connection to the statistics channel was closed prematurely (due to a
- connection error, shutdown, etc.). This has been fixed. :gl:`#3693`
-
-- When a catalog zone was removed from the configuration, in some cases
- a dangling pointer could cause the :iscman:`named` process to crash.
- This has been fixed. :gl:`#3683`
-
-- When a zone was deleted from a server, a key management object related
- to that zone was inadvertently kept in memory and only released upon
- shutdown. This could lead to constantly increasing memory use on
- servers with a high rate of changes affecting the set of zones being
- served. This has been fixed. :gl:`#3727`
-
-- TLS configuration for primary servers was not applied for zones that
- were members of a catalog zone. This has been fixed. :gl:`#3638`
-
-- In certain cases, :iscman:`named` waited for the resolution of
- outstanding recursive queries to finish before shutting down. This was
- unintended and has been fixed. :gl:`#3183`
-
-- :iscman:`host` and :iscman:`nslookup` command-line options setting the
- custom TCP/UDP port to use were ignored for ANY queries (which are
- sent over TCP). This has been fixed. :gl:`#3721`
-
-- The new name compression code in BIND 9.19.7 was not compressing
- names in zone transfers that should have been compressed, so zone
- transfers were larger than before. This has been fixed. :gl:`#3706`
-
-- The ``zone <name>/<class>: final reference detached`` log message was
- moved from the INFO log level to the DEBUG(1) log level to prevent the
- :iscman:`named-checkzone` tool from superfluously logging this message
- in non-debug mode. :gl:`#3707`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
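Review bot: the 9.19.8 entry for :gl:`#3676` had two parts, the option removal (L1851-L1854) and the startup behaviour change where :iscman:`named` sets the open-files limit to the OS maximum instead of "unlimited" (L1883-L1885); the 9.20.0 entry at L2276-L2279 keeps only the first. If the second is not in the remainder of Feature Changes (the diff is cut off at L2429), add it, since operators who relied on ``files unlimited`` will now be bounded by whatever limit the OS or supervisor grants. The same check applies to the NSEC3PARAM TTL change (:gl:`#3570`, L1864-L1866) and the statistics-channel header limit raised from 10 to 100 (:gl:`#3670`, L1887-L1890), neither of which is visible in the new file.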
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.19.9
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- An UPDATE message flood could cause :iscman:`named` to exhaust all
- available memory. This flaw was addressed by adding a new
- :any:`update-quota` option that controls the maximum number of
- outstanding DNS UPDATE messages that :iscman:`named` can hold in a
- queue at any given time (default: 100). :cve:`2022-3094`
-
- ISC would like to thank Rob Schulhof from Infoblox for bringing this
- vulnerability to our attention. :gl:`#3523`
-
-- :iscman:`named` could crash with an assertion failure when an RRSIG
- query was received and :any:`stale-answer-client-timeout` was set to a
- non-zero value. This has been fixed. :cve:`2022-3736`
-
- ISC would like to thank Borja Marcos from Sarenet (with assistance by
- Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
- our attention. :gl:`#3622`
-
-- :iscman:`named` running as a resolver with the
- :any:`stale-answer-client-timeout` option set to any value greater
- than ``0`` could crash with an assertion failure, when the
- :any:`recursive-clients` soft quota was reached. This has been fixed.
- :cve:`2022-3924`
-
- ISC would like to thank Maksym Odinintsev from AWS for bringing this
- vulnerability to our attention. :gl:`#3619`
-
-New Features
-~~~~~~~~~~~~
-
-- The new :any:`update-quota` option can be used to control the number
- of simultaneous DNS UPDATE messages that can be processed to update an
- authoritative zone on a primary server, or forwarded to the primary
- server by a secondary server. The default is 100. A new statistics
- counter has also been added to record events when this quota is
- exceeded, and the version numbers for the XML and JSON statistics
- schemas have been updated. :gl:`#3523`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- The statements setting alternate local addresses for inbound zone
- transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and
- ``use-alt-transfer-source``) have been removed. :gl:`#3714`
-
-- The Differentiated Services Code Point (DSCP) feature in BIND has been
- non-operational since the new Network Manager was introduced in BIND
- 9.16. It is now marked as obsolete, and vestigial code implementing it
- has been removed. Configuring DSCP values in ``named.conf`` now causes
- a warning to be logged. :gl:`#3773`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- A new way of configuring the preferred source address when talking to
- remote servers, such as :any:`primaries` and :any:`parental-agents`,
- has been added: setting the ``source`` and/or ``source-v6`` arguments
- for a given statement is now possible. This new approach is intended
- to eventually replace statements such as :any:`parental-source`,
- :any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762`
-
-- The code for DNS over TCP and DNS over TLS transports has been
- replaced with a new, unified transport implementation. :gl:`#3374`
-
-Bug Fixes
-~~~~~~~~~
-
-- A rare assertion failure was fixed in outgoing TCP DNS connection
- handling. :gl:`#3178` :gl:`#3636`
-
-- In addition to a previously fixed bug, another similar issue was
- discovered where quotas could be erroneously reached for servers,
- including any configured forwarders, resulting in SERVFAIL answers
- being sent to clients. This has been fixed. :gl:`#3752`
-
-- In certain query resolution scenarios (e.g. when following CNAME
- records), :iscman:`named` configured to answer from stale cache could
- return a SERVFAIL response despite a usable, non-stale answer being
- present in the cache. This has been fixed. :gl:`#3678`
-
-- When an outgoing request timed out, :iscman:`named` would retry up to
- three times with the same server instead of trying the next available
- name server. This has been fixed. :gl:`#3637`
-
-- Recently used ADB names and ADB entries (IP addresses) could get
- cleaned when ADB was under memory pressure. To mitigate this, only
- actual ADB names and ADB entries are now counted (excluding internal
- memory structures used for "housekeeping") and recently used (<= 10
- seconds) ADB names and entries are excluded from the overmem memory
- cleaner. :gl:`#3739`
-
-- The "Prohibited" Extended DNS Error was inadvertently set in some
- NOERROR responses. This has been fixed. :gl:`#3743`
-
-- Previously, TLS session resumption could have led to handshake
- failures when client certificates were used for authentication (Mutual
- TLS). This has been fixed. :gl:`#3725`
-
-Known Issues
-~~~~~~~~~~~~
-
-- There are no new known issues with this release. See :ref:`above
- <relnotes_known_issues>` for a list of all known issues affecting this
- BIND 9 branch.
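Review bot: the :any:`update-quota` option introduced with :cve:`2022-3094` (default 100, L1953-L1957 and L1982-L1988) does not appear in the 9.20.0 New Features section, which is complete at L2075-L2208. If it was released on 9.18 before 9.18.28 that is consistent with the scoping note at L2071-L2073; otherwise it needs an entry, as it is a security-relevant tunable whose default may need adjusting on busy primaries, and its statistics counter changed the XML/JSON schema versions. Separately, the two assertion failures tied to a non-zero :any:`stale-answer-client-timeout` (:cve:`2022-3736` at L1962-L1964 and :cve:`2022-3924` at L1970-L1974) are the background for the 9.20.0 change at L2253-L2256 that now treats any non-zero value as ``0``; a short cross-reference there would help readers understand why the setting was removed rather than fixed.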
--- /dev/null
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.20.0
+---------------------
+
+.. note:: This section only lists changes since BIND 9.18.28, the most
+ recent release on the previous stable branch of BIND at the
+ time of the publication of BIND 9.20.0.
+
+New Features
+~~~~~~~~~~~~
+
+- The :any:`forwarders` statement now supports the :any:`tls` argument,
+ to be used to forward queries to DoT-enabled servers. :gl:`#3726`
+
+- :iscman:`named` now supports forwarding Dynamic DNS updates through
+ DNS-over-TLS (DoT). :gl:`#3512`
+
+- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT).
+ :gl:`!6752`
+
+- The :any:`tls` block was extended with a new :any:`cipher-suites` option
+ that allows permitted cipher suites for TLSv1.3 to be set. Please
+ consult the documentation for additional details.
+ :gl:`#3504`
+
+- Initial support for the PROXYv2 protocol was added. :iscman:`named`
+ can now accept PROXYv2 headers over all currently implemented DNS
+ transports and :iscman:`dig` can insert these headers into the queries
+ it sends. Please consult the related documentation
+ (:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and
+ :any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and
+ :option:`dig +proxy-plain` for :iscman:`dig`) for additional details.
+ :gl:`#4388`
+
+- The client-side support of the EDNS EXPIRE option has been expanded to
+ include IXFR and AXFR query types. This enhancement enables
+ :iscman:`named` to perform AXFR and IXFR queries while incorporating
+ the EDNS EXPIRE option. :gl:`#4170`
+
+- A new configuration option :any:`require-cookie` has been introduced.
+ It specifies whether there should be a DNS COOKIE in the response for
+ a given prefix; if not, :iscman:`named` falls back to TCP. This is
+ useful if it is known that a given server supports DNS COOKIE. It can
+ also be used to force all non-DNS COOKIE responses to fall back to
+ TCP. :gl:`#2295`
+
+- The :any:`check-svcb` option has been added to control the checking of
+ additional constraints on SVCB records. This change affects
+ :iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`,
+ :iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576`
+
+- The new :any:`resolver-use-dns64` option enables :iscman:`named` to
+ apply :any:`dns64` rules to IPv4 server addresses when sending
+ recursive queries, so that resolution can be performed over a NAT64
+ connection. :gl:`#608`
+
+- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`,
+ that allows users to enable or disable the publication of CDNSKEY
+ records. :gl:`#4050`
+
+- When using :any:`dnssec-policy`, it is now possible to configure the
+ digest type to use when CDS records need to be published with
+ :any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS
+ records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837`
+
+- Support for multi-signer model 2 (:rfc:`8901`) when using
+ :any:`inline-signing` was added. :gl:`#2710`
+
+- HSM support was added to :any:`dnssec-policy`. Keys can now be
+ configured with a ``key-store`` that allows users to set the directory
+ where key files are stored and to set a PKCS#11 URI string. The latter
+ requires OpenSSL 3 and a valid PKCS#11 provider to be configured for
+ OpenSSL. :gl:`#1129`
+
+- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key
+ Signing Request (KSR) and Signed Key Response (SKR) files. :gl:`#1128`
+
+- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a
+ ``-J`` option to specify a journal file to read when loading the zone
+ to be verified or signed. :gl:`#2486`
+
+- :iscman:`dnssec-keygen` now allows the options :option:`-k
+ <dnssec-keygen -k>` and :option:`-f <dnssec-keygen -f>` to be used
+ together. This allows the creation of keys for a given
+ :any:`dnssec-policy` that match only the KSK (``-fK``) or ZSK (``-fZ``)
+ roles. :gl:`#1128`
+
+- The :any:`response-policy` statement was extended with a new argument
+ ``ede``. It enables an :rfc:`8914` Extended DNS Error (EDE) code of choice to
+ be set for responses which have been modified by a given RPZ. :gl:`#3410`
+
+- A new way of configuring the preferred source address when talking to
+ remote servers, such as :any:`primaries` and :any:`parental-agents`,
+ has been added: setting the ``source`` and/or ``source-v6`` arguments
+ for a given statement is now possible. This new approach is intended
+ to eventually replace statements such as :any:`parental-source`,
+ :any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762`
+
+- The new command-line :option:`delv +ns` option activates name server
+ mode, to more accurately reproduce the behavior of :iscman:`named`
+ when resolving a query. In this mode, :iscman:`delv` uses an internal
+ recursive resolver rather than an external server. All messages sent
+ and received during the resolution and validation process are logged.
+ This can be used in place of :option:`dig +trace`. :gl:`#3842`
+
+- The read timeout in :iscman:`rndc` can now be specified on the command
+ line using the :option:`-t <rndc -t>` option, allowing commands that
+ take a long time to complete sufficient time to do so. :gl:`#4046`
+
+- The statistics channel now includes information about incoming zone
+ transfers that are currently in progress. :gl:`#3883`
+
+- Information on incoming zone transfers in the statistics channel now
+ also shows the zones' "first refresh" flag, which indicates that a zone
+ is not fully ready and that its first ever refresh is pending or is in
+ progress. The number of such zones is now also exposed by the
+ :option:`rndc status` command. :gl:`#4241`
+
+- Added a new statistics variable ``recursive high-water`` that reports
+ the maximum number of simultaneous recursive clients BIND has handled
+ while running. :gl:`#4668`
+
+- A new command, :option:`rndc fetchlimit`, prints a list of name server
+ addresses that are currently rate-limited due to
+ :any:`fetches-per-server` and domain names that are rate-limited due
+ to :any:`fetches-per-zone`. :gl:`#665`
+
+- Queries and responses now emit distinct dnstap entries for DNS-over-TLS
+ (DoT) and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands
+ these entries. :gl:`#4523`
+
+- :iscman:`dnstap-read` can now print long timestamps with millisecond
+ precision. :gl:`#2360`
+
+- Support for libsystemd's ``sd_notify()`` function was added, enabling
+ :iscman:`named` to report its status to the init system. This allows
+ systemd to wait until :iscman:`named` is fully ready before starting
+ other services that depend on name resolution. :gl:`#1176`
+
+- Support for User Statically Defined Tracing (USDT) probes has been
+ added. These probes enable fine-grained application tracing and
+ introduce no overhead when they are not enabled. :gl:`#4041`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for Red Hat Enterprise Linux version 7 (and clones) has been
+ dropped. A C11-compliant compiler is now required to compile BIND 9.
+ :gl:`#3729`
+
+- Compiling with `jemalloc`_ versions older than 4.0.0 is no longer
+ supported; those versions do not provide the features required by
+ current BIND 9 releases. :gl:`#4296`
+
+- The ``auto-dnssec`` configuration statement has been removed. Please
+ use :any:`dnssec-policy` or manual signing instead.
+ See article `how to migrate <https://kb.isc.org/docs/dnssec-key-and-signing-policy#migrate-to-dnssecpolicy>`_
+ from ``auto-dnssec`` to :any:`dnssec-policy`.
+
+ The following
+ statements have become obsolete: :any:`dnskey-sig-validity`,
+ :any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`,
+ :any:`sig-validity-interval`, and :any:`update-check-ksk`.
+ :gl:`#3672`
+
+- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no
+ longer trigger key rollovers and denial-of-existence operations. This
+ also means that the :any:`dnssec-secure-to-insecure` option has been
+ obsoleted. :gl:`#3686`
+
+- The ``glue-cache`` *option* has been removed. The glue cache *feature*
+ still works and is now permanently *enabled*. :gl:`#2147`
+
+- Configuring the control channel to use a Unix domain socket has been a
+ fatal error since BIND 9.18. The feature has now been completely
+ removed and :iscman:`named-checkconf` now reports it as a
+ configuration error. :gl:`#4311`
+
+- The statements setting alternate local addresses for inbound zone
+ transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and
+ ``use-alt-transfer-source``) have been removed. :gl:`#3714`
+
+- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval``
+ statements have been removed. Using them is now a fatal error.
+ :gl:`#4405`
+
+- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout`
+ values, when the feature is turned on. When using a non-zero value,
+ :iscman:`named` now generates a warning log message, and treats the
+ value as ``0``. :gl:`#4447`
+
+- The Differentiated Services Code Point (DSCP) feature has been
+ removed: configuring DSCP values in ``named.conf`` is now a
+ configuration error. :gl:`#3789`
+
+- The ``keep-response-order`` option has been declared obsolete and the
+ functionality has been removed. :iscman:`named` expects DNS clients to
+ be fully compliant with :rfc:`7766`. :gl:`#3140`
+
+- Zone type ``delegation-only``, and the ``delegation-only`` and
+ ``root-delegation-only`` statements, have been removed. Using them is
+ a configuration error.
+
+ These statements were created to address the SiteFinder controversy,
+ in which certain top-level domains redirected misspelled queries to
+ other sites instead of returning NXDOMAIN responses. Since top-level
+ domains are now DNSSEC-signed, and DNSSEC validation is active by
+ default, the statements are no longer needed. :gl:`#3953`
+
+- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options
+ have been removed. The limits these options set should be enforced
+ externally, either by manual configuration (e.g. using ``ulimit``) or
+ via the process supervisor (e.g. ``systemd``). :gl:`#3676`
+
+- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
+ aes;``) has been removed. The only supported DNS COOKIE algorithm is
+ now the current default, SipHash-2-4. :gl:`#4421`
+
+- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been
+ removed and using TKEY Mode 2 is now a fatal error. Users are advised
+ to switch to TKEY Mode 3 (GSS-API). :gl:`#3905`
+
+- Special-case code that was originally added to allow GSS-TSIG to work
+ around bugs in the Windows 2000 version of Active Directory has now
+ been removed, since Windows 2000 is long past end-of-life. The
+ :option:`-o <nsupdate -o>` option and the ``oldgsstsig`` command to
+ :iscman:`nsupdate` have been deprecated, and are now treated as
+ synonyms for :option:`-g <nsupdate -g>` and ``gsstsig`` respectively.
+ :gl:`#4012`
+
+- Support for the ``lock-file`` statement and the ``named -X``
+ command-line option has been removed. An external process supervisor
+ should be used instead. :gl:`#4391`
+
+ Alternatively, the ``flock`` utility (part of util-linux) can be used
+ on Linux systems to achieve the same effect as ``lock-file`` or
+ ``named -X``:
+
+ ::
+
+ flock -n -x <directory>/named.lock <path>/named <arguments>
+
+- The :iscman:`named` command-line option :option:`-U <named -U>`, which
+ specified the number of UDP dispatches, has been removed. Using it now
+ returns a warning. :gl:`#1879`
+
+- The ``--with-tuning`` option for ``configure`` has been removed. Each
+ of the compile-time settings that required different values based on
+ the "workload" (which were previously affected by the value of the
+ ``--with-tuning`` option) has either been removed or changed to a
+ sensible default. :gl:`#3664`
+
+- The functions that were in the ``libbind9`` shared library have been
+ moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty
+ ``libbind9`` has been removed and is no longer installed. :gl:`#3903`
+
+- The ``irs_resconf`` module has been moved to the ``libdns`` shared
+ library. The now-empty ``libirs`` library has been removed and is no
+ longer installed. :gl:`#3904`
+
+.. _`jemalloc`: https://jemalloc.net/
+
+Deprecated Features
+~~~~~~~~~~~~~~~~~~~
+
+Features listed in this section still work but are scheduled for eventual
+removal.
+
+- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options`
+ and :namedconf:ref:`zone` blocks has been deprecated; it should now be
+ configured as part of :any:`dnssec-policy`. A warning is logged if
+ this option is used in :namedconf:ref:`options` or :any:`zone` blocks.
+ In a future release, it will become nonoperational. :gl:`#2918`
+
+- The :any:`sortlist` option has been deprecated and will be removed in a
+ future BIND 9.21.x release. Users should not rely on a specific order
+ of resource records in DNS messages. :gl:`#4593`
+
+- The ``fixed`` value for the :any:`rrset-order` option and the
+ corresponding ``configure`` script option have been deprecated and will
+ be removed in a future BIND 9.21.x release. Users should not rely on a
+ specific order of resource records in DNS messages. :gl:`#4446`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data
+ structures. :gl:`#3934`
+
+- On Linux, `libcap`_ is now a required dependency to help :iscman:`named`
+ keep needed privileges. :gl:`#3583`
+
+- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher.
+ libuv should be available on all supported platforms either as a
+ native package or as a backport. :gl:`#3567`
+
+- Outgoing zone transfers are no longer enabled by default. An explicit
+ :any:`allow-transfer` ACL must now be set at the :any:`zone`,
+ :any:`view`, or :namedconf:ref:`options` level to enable outgoing
+ transfers. :gl:`#4728`
+
+- DNS zones signed using :any:`dnssec-policy` now automatically detect
+ their parent servers, and BIND queries them to check the content of the
+ DS RRset. This allows DNSSEC key rollovers to safely and automatically
+ proceed when the parent zone is updated with new DNSSEC keys, i.e.
+ using the CDS/CDNSKEY mechanism. This behavior is facilitated by the
+ new :any:`checkds` feature, which automatically populates
+ :any:`parental-agents` by resolving the parent NS records. These parent
+ name servers are queried to check the DS RRset during a KSK rollover
+ initiated by :any:`dnssec-policy`. :gl:`#3901`
+
+- The responsiveness of :iscman:`named` was improved, when serving as an
+ authoritative DNS server for a delegation-heavy zone(s) shortly after
+ loading such zone(s). :gl:`#4045`
+
+- To improve query-processing latency under load, the uninterrupted time
+ spent on resolving long chains of cached domain names has been
+ reduced. :gl:`#4185`
+
+- QNAME minimization is now used when looking up the addresses of name
+ servers during the recursive resolution process. :gl:`#4209`
+
+- BIND now returns BADCOOKIE for out-of-date or otherwise bad but
+ well-formed DNS server cookies. :gl:`#4194`
+
+- The DNS name compression algorithm used in BIND 9 has been revised: it
+ now compresses more thoroughly than before, so responses containing
+ names with many labels might have a smaller encoding than before.
+ :gl:`#3661`
+
+- Processing large incremental transfers (IXFR) has been offloaded to a
+ separate work thread so that it does not prevent networking threads
+ from processing regular traffic in the meantime. :gl:`#4367`
+
+- Querying the statistics channel no longer blocks DNS communication on
+ the networking event loop level. :gl:`#4680`
+
+- The :any:`inline-signing` zone option is now ignored if there is no
+ :any:`dnssec-policy` configured for the zone. This means that unsigned
+ zones no longer create redundant signed versions of the zone.
+ :gl:`#4349`
+
+- The :any:`inline-signing` statement can now also be set inside
+ :any:`dnssec-policy`. The built-in policies ``default`` and
+ ``insecure`` enable the use of :any:`inline-signing`. If
+ :any:`inline-signing` is set at the ``zone`` level, it overrides the
+ value set in :any:`dnssec-policy`. :gl:`#3677`
+
+- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only
+ allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using
+ NSEC3 that the policy manages. :gl:`#4363`
+
+- The maximum number of NSEC3 iterations allowed for validation purposes
+ has been lowered from 150 to 50. DNSSEC responses containing NSEC3
+ records with iteration counts greater than 50 are now treated as
+ insecure. :gl:`#4363`
+
+- The ``dnssec-validation yes`` option now requires an explicitly
+ configured :any:`trust-anchors` statement. If using manual trust
+ anchors is not operationally required, then please consider using
+ ``dnssec-validation auto`` instead. :gl:`#4373`
+
+- :iscman:`named-compilezone` no longer performs zone integrity checks
+ by default; this allows faster conversion of a zone file from one
+ format to another. :gl:`#4364`
+
+ Zone checks can be performed by running :iscman:`named-checkzone`
+ separately, or the previous default behavior can be restored by using:
+
+ ::
+
+ named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
+
+- The red-black tree data structure used in the RBTDB (the default
+ database implementation for cache and zone databases), has been
+ replaced with QP-tries. This is expected to improve performance and
+ scalability, though in the current implementation large zones require
+ roughly 15% more memory than the old red-black tree data structure.
+
+ A side effect of this change is that zone files that are created with
+ :any:`masterfile-style` ``relative`` - for example, the output of
+ :any:`dnssec-signzone` - will no longer have multiple different
+ `$ORIGIN` statements. There should be no other changes to server
+ behavior.
+
+ The old RBT-based database still exists for now, and can be used by
+ specifying ``database rbt`` in a ``zone`` statement in ``named.conf``,
+ or by compiling with ``configure --with-zonedb=rbt
+ --with-cachedb=rbt``. :gl:`#4411` :gl:`#4614`
+
+- Multiple RNDC messages are now processed when sent in a single TCP
+ message.
+
+ ISC would like to thank Dominik Thalhammer for reporting the issue and
+ preparing the initial patch. :gl:`#4416`
+
+- The DNSSEC signing data included in zone statistics identified
+ keys only by the key ID; this caused confusion when two keys using
+ different algorithms had the same ID. Zone statistics now identify
+ keys using the algorithm number, followed by "+", followed by the
+ key ID: for example, ``8+54274``. :gl:`#3525`
+
+- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was
+ previously set to 0. It is now changed to match the SOA MINIMUM value
+ for the given zone. :gl:`#3570`
+
+- On startup, :iscman:`named` now sets the limit on the number of open
+ files to the maximum allowed by the operating system, instead of
+ trying to set it to "unlimited". :gl:`#3676`
+
+- When an international domain name is not valid according to IDNA2008,
+ :iscman:`dig` now tries to convert it according to IDNA2003 rules, or
+ pass it through unchanged, instead of stopping with an error message.
+ The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527`
+
+- The memory statistics have been reduced to a single counter,
+ ``InUse``; ``Malloced`` is an alias that holds the same value. The
+ other counters were usable with the old BIND 9 internal memory
+ allocator, but they are unnecessary now that the latter has been
+ removed. :gl:`#3718`
+
+- The log message ``resolver priming query complete`` has been moved
+ from the INFO log level to the DEBUG(1) log level, to prevent
+ :iscman:`delv` from emitting that message when setting up its internal
+ resolver. :gl:`#3842`
+
+- Worker threads' event loops are now managed by a new "loop manager"
+ API, significantly changing the architecture of the task, timer, and
+ networking subsystems for improved performance and code flow.
+ :gl:`#3508`
+
+- The code for DNS over TCP and DNS over TLS transports has been
+ replaced with a new, unified transport implementation. :gl:`#3374`
+
+.. _`liburcu`: https://liburcu.org/
+.. _`libcap`: https://sites.google.com/site/fullycapable/
+
+Bug Fixes
+~~~~~~~~~
+
+- When the same :any:`notify-source` address and port number was
+ configured for multiple destinations and zones, an unresponsive server
+ could tie up the relevant network socket until it timed out; in the
+ meantime, NOTIFY messages for other servers silently failed.
+ :iscman:`named` will now retry sending such NOTIFY messages over TCP.
+ Furthermore, NOTIFY failures are now logged at the INFO level.
+ :gl:`#4001` :gl:`#4002`
+
+- DNS compression is no longer applied to the root name (``.``) if it is
+ repeatedly used in the same RRset. :gl:`#3423`
+
+- :iscman:`named` could incorrectly return non-truncated, glueless
+ referrals for responses whose size was close to the UDP packet size
+ limit. This has been fixed. :gl:`#1967`
+
+Known Issues
+~~~~~~~~~~~~
+
+- On some platforms, including FreeBSD, :iscman:`named` must be run as
+ root to use the :iscman:`rndc` control channel on a privileged port
+ (i.e., with a port number less than 1024; this includes the default
+ :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the
+ :option:`named -u` option to switch to an unprivileged user makes
+ :iscman:`rndc` unusable. This will be fixed in a future release; in
+ the meantime, ``mac_portacl`` can be used as a workaround, as
+ documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known issues
+ affecting this BIND 9 branch.
Known Issues
------------
-- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may
- require a manual configuration change. The following configurations
- are affected:
-
- - :any:`type primary` zones configured with :any:`dnssec-policy` but
- without either :any:`allow-update` or :any:`update-policy`,
- - :any:`type secondary` zones configured with :any:`dnssec-policy`.
-
- In these cases please add :namedconf:ref:`inline-signing yes;
- <inline-signing>` to the individual zone configuration(s). Without
- applying this change, :iscman:`named` will fail to start. For more
- details, see
- https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
-
-- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
- be inspected when verifying a remote certificate while establishing a
- DNS-over-TLS connection. Only ``subjectAltName`` must be checked
- instead. Unfortunately, some quite old versions of cryptographic
- libraries might lack the ability to ignore the ``Subject`` field. This
- should have minimal production-use consequences, as most of the
- production-ready certificates issued by certificate authorities will
- have ``subjectAltName`` set. In such cases, the ``Subject`` field is
- ignored. Only old platforms are affected by this, e.g. those supplied
- with OpenSSL versions older than 1.1.1. :gl:`#3163`
+- On some platforms, including FreeBSD, :iscman:`named` must be run as
+ root to use the :iscman:`rndc` control channel on a privileged port
+ (i.e., with a port number less than 1024; this includes the default
+ :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the
+ :option:`named -u` option to switch to an unprivileged user makes
+ :iscman:`rndc` unusable. This will be fixed in a future release; in
+ the meantime, ``mac_portacl`` can be used as a workaround, as
+ documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793`
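Review bot: dropping the :gl:`#3163` entry (the DNS-over-TLS ``Subject``/``subjectAltName`` item under the top-level Known Issues) removes the only mention of that issue in this document, with nothing in the added Bug Fixes list and nothing in the commit message saying it was resolved or why it no longer applies; either state the reason (for example that the affected OpenSSL versions are no longer supported on this branch) or keep the entry. The removed inline-signing upgrade note, by contrast, is covered by the new :gl:`#3677` entry, so that deletion needs no further comment. Two smaller points in the same hunk: the FreeBSD ``mac_portacl`` item (:gl:`#4793`) now appears verbatim twice, once in the included notes' Known Issues subsection and again in the top-level Known Issues section that the "See above" cross-reference already points to, so one copy could go; and in the QP-trie entry the single-backtick `$ORIGIN` is interpreted text in reStructuredText rather than a literal, so it should read ``$ORIGIN`` like the other literals in the file.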