--- /dev/null
+(-dev)
+------
+
+New Features
+~~~~~~~~~~~~
+
+- Support for Offline KSK implemented.
+
+ Add a new configuration option `offline-ksk` to enable Offline KSK key
+ management. Signed Key Response (SKR) files created with `dnssec-ksr`
+ (or other program) can now be imported into `named` with the new `rndc
+ skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY
+ records and generating signatures covering these types, these records
+ are loaded from the currently active bundle from the imported SKR.
+
+ The implementation is loosely based on:
+ https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-
+ keymgmt-01.txt :gl:`#1128`
+
+- Print the full path of the working directory in startup log messages.
+
+ named now prints its initial working directory during startup and the
+ changed working directory when loading or reloading its configuration
+ file if it has a valid 'directory' option defined. :gl:`#4731`
+
+- Support restricted key tag range when generating new keys.
+
+ It is useful when multiple signers are being used to sign a zone to
+ able to specify a restricted range of range of key tags that will be
+ used by an operator to sign the zone. This adds controls to named
+ (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr
+ (dnssec-policy) to specify such ranges. :gl:`#4830`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Exempt prefetches from the fetches-per-zone and fetches-per-server
+ quotas.
+
+ Fetches generated automatically as a result of 'prefetch' are now
+ exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas.
+ This should help in maintaining the cache from which query responses
+ can be given. :gl:`#4219`
+
+- Follow the number of CPU set by taskset/cpuset.
+
+ Administrators may wish to constrain the set of cores that BIND 9 runs
+ on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
+ other O/S).
+
+ If the admin has used taskset, the `named` will now follow to
+ automatically use the given number of CPUs rather than the system wide
+ count. :gl:`#4884`
+
+Bug Fixes
+~~~~~~~~~
+
+- Delay release of root privileges until after configuring controls.
+
+ Delay relinquishing root privileges until the control channel has been
+ configured, for the benefit of systems that require root to use
+ privileged port numbers. This mostly affects systems without fine-
+ grained privilege systems (i.e., other than Linux). :gl:`#4793`
+
+- Fix rare assertion failure when shutting down incoming transfer.
+
+ A very rare assertion failure can be triggered when the incoming
+ transfer is either forcefully shut down or it is finished during
+ printing the details about the statistics channel. This has been
+ fixed. :gl:`#4860`
+
+- Fix algoritm rollover bug when there are two keys with the same
+ keytag.
+
+ If there is an algorithm rollover and two keys of different algorithm
+ share the same keytags, then there is a possibility that if we check
+ that a key matches a specific state, we are checking against the wrong
+ key. This has been fixed by not only checking for matching key tag but
+ also key algorithm. :gl:`#4878`
+
+- Fix an assertion failure in validate_dnskey_dsset_done()
+
+ Under rare circumstances, named could terminate unexpectedly when
+ validating a DNSKEY resource record if the validation was canceled in
+ the meantime. This has been fixed. :gl:`#4911`
+
+
projects / thirdparty / bind9.git / commitdiff
