- Support for Offline KSK implemented.
- Add a new configuration option `offline-ksk` to enable Offline KSK key
- management. Signed Key Response (SKR) files created with `dnssec-ksr`
- (or other program) can now be imported into `named` with the new `rndc
- skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY
- records and generating signatures covering these types, these records
- are loaded from the currently active bundle from the imported SKR.
-
- The implementation is loosely based on:
- https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-
- keymgmt-01.txt :gl:`#1128`
+ Add a new configuration option :any:`offline-ksk` to enable Offline
+ KSK key management. Signed Key Response (SKR) files created with
+ :iscman:`dnssec-ksr` (or other programs) can now be imported into
+ :iscman:`named` with the new :option:`rndc skr -import <rndc skr>`
+ command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and
+ generating signatures covering these types, these records are loaded
+ from the currently active bundle from the imported SKR.
+
+ The implementation is loosely based on
+ `draft-icann-dnssec-keymgmt-01.txt
+ <https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt>`_.
+ :gl:`#1128`
- Print the full path of the working directory in startup log messages.
- named now prints its initial working directory during startup and the
- changed working directory when loading or reloading its configuration
- file if it has a valid 'directory' option defined. :gl:`#4731`
+ :iscman:`named` now prints its initial working directory during
+ startup, and the changed working directory when loading or reloading
+ its configuration file, if it has a valid :any:`directory` option
+ defined. :gl:`#4731`
+
+- Support a restricted key tag range when generating new keys.
-- Support restricted key tag range when generating new keys.
+ When multiple signers are being used to sign a zone, it is useful to
+ be able to specify a restricted range of key tags to be used by an
+ operator to sign the zone. The range can be specified with
+ ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys
+ <dnssec-policy-keys>` (for :iscman:`named` and :iscman:`dnssec-ksr`)
+ and with the new options :option:`dnssec-keyfromlabel -M` and
+ :option:`dnssec-keygen -M`. :gl:`#4830`
- It is useful when multiple signers are being used to sign a zone to
- able to specify a restricted range of range of key tags that will be
- used by an operator to sign the zone. This adds controls to named
- (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr
- (dnssec-policy) to specify such ranges. :gl:`#4830`
Feature Changes
~~~~~~~~~~~~~~~
-- Exempt prefetches from the fetches-per-zone and fetches-per-server
- quotas.
+- Exempt prefetches from the :any:`fetches-per-zone` and
+ :any:`fetches-per-server` quotas.
- Fetches generated automatically as a result of 'prefetch' are now
- exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas.
- This should help in maintaining the cache from which query responses
- can be given. :gl:`#4219`
+ Fetches generated automatically as a result of :any:`prefetch` are now
+ exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server`
+ quotas. This should help in maintaining the cache from which query
+ responses can be given. :gl:`#4219`
-- Follow the number of CPU set by taskset/cpuset.
+- Follow the number of CPUs set by ``taskset``/``cpuset``.
- Administrators may wish to constrain the set of cores that BIND 9 runs
- on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
- other O/S).
+ Administrators may wish to constrain the set of cores that
+ :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl``
+ programs (or equivalents on other OSes).
- If the admin has used taskset, the `named` will now follow to
- automatically use the given number of CPUs rather than the system wide
- count. :gl:`#4884`
+ If the admin has used ``taskset``, :iscman:`named` now automatically
+ uses the given number of CPUs rather than the system-wide count.
+ :gl:`#4884`
Bug Fixes
~~~~~~~~~
-- Delay release of root privileges until after configuring controls.
+- Delay the release of root privileges until after configuring controls.
Delay relinquishing root privileges until the control channel has been
configured, for the benefit of systems that require root to use
privileged port numbers. This mostly affects systems without fine-
grained privilege systems (i.e., other than Linux). :gl:`#4793`
-- Fix rare assertion failure when shutting down incoming transfer.
+- Fix a rare assertion failure when shutting down incoming transfer.
- A very rare assertion failure can be triggered when the incoming
- transfer is either forcefully shut down or it is finished during
- printing the details about the statistics channel. This has been
+ A very rare assertion failure could be triggered when the incoming
+ transfer was either forcefully shut down, or it finished during the
+ printing of the details about the statistics channel. This has been
fixed. :gl:`#4860`
-- Fix algoritm rollover bug when there are two keys with the same
+- Fix algorithm rollover bug when there are two keys with the same
keytag.
- If there is an algorithm rollover and two keys of different algorithm
- share the same keytags, then there is a possibility that if we check
- that a key matches a specific state, we are checking against the wrong
- key. This has been fixed by not only checking for matching key tag but
- also key algorithm. :gl:`#4878`
+ If there was an algorithm rollover and two keys of different
+ algorithms shared the same keytags, there was the possibility that the
+ check of whether the key matched a specific state could be performed
+ against the wrong key. This has been fixed by not only checking for
+ the matching key tag but also the key algorithm. :gl:`#4878`
-- Fix an assertion failure in validate_dnskey_dsset_done()
+- Fix an assertion failure in ``validate_dnskey_dsset_done()``.
- Under rare circumstances, named could terminate unexpectedly when
- validating a DNSKEY resource record if the validation was canceled in
- the meantime. This has been fixed. :gl:`#4911`
+ Under rare circumstances, :iscman:`named` could terminate unexpectedly
+ when validating a DNSKEY resource record if the validation had been
+ canceled in the meantime. This has been fixed. :gl:`#4911`
Known Issues
~~~~~~~~~~~~
projects / thirdparty / bind9.git / commitdiff
