+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes-9.17.1"><info><title>Notes for BIND 9.17.1</title></info>
-
- <section xml:id="relnotes-9.17.1-security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- DNS rebinding protection was ineffective when BIND 9 is configured as
- a forwarding DNS server. Found and responsibly reported by Tobias
- Klein. [GL #1574]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.17.1-known"><info><title>Known Issues</title></info>
- <itemizedlist>
- <listitem>
- <para>
- We have received reports that in some circumstances, receipt of an
- IXFR can cause the processing of queries to slow significantly. Some
- of these were related to RPZ processing, which has been fixed in this
- release (see below). Others appear to occur where there are
- NSEC3-related changes (such as an operator changing the NSEC3 salt
- used in the hash calculation). These are being investigated.
- [GL #1685]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.17.1-new"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- A new option, <command>nsdname-wait-recurse</command>, has been added
- to the <command>response-policy</command> clause in the configuration
- file. When set to <command>no</command>, RPZ NSDNAME rules are only
- applied if the authoritative nameservers for the query name have been
- looked up and are present in the cache. If this information is not
- present, the RPZ NSDNAME rules are ignored, but the information is
- looked up in the background and applied to subsequent queries. The
- default is <command>yes</command>, meaning that RPZ NSDNAME rules
- should always be applied, even if the information needs to be looked
- up first. [GL #1138]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.17.1-changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The previous DNSSEC sign statistics used lots of memory. The number of
- keys to track is reduced to four per zone, which should be enough for
- 99% of all signed zones. [GL #1179]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes-9.17.1-bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- When an RPZ policy zone was updated via zone transfer and a large
- number of records was deleted, <command>named</command> could become
- nonresponsive for a short period while deleted names were removed from
- the RPZ summary database. This database cleanup is now done
- incrementally over a longer period of time, reducing such delays.
- [GL #1447]
- </para>
- </listitem>
- <listitem>
- <para>
- When trying to migrate an already-signed zone from
- <command>auto-dnssec maintain</command> to one based on
- <command>dnssec-policy</command>, the existing keys were immediately
- deleted and replaced with new ones. As the key rollover timing
- constraints were not being followed, it was possible that some clients
- would not have been able to validate responses until all old DNSSEC
- information had timed out from caches. BIND now looks at the time
- metadata of the existing keys and incorporates it into its DNSSEC
- policy operation. [GL #1706]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-</section>
inadvertently treated as configuration errors when used at the
``options`` or ``view`` level. This has now been corrected. [GL #913]
+.. include:: ../notes/notes-9.17.1.rst
.. include:: ../notes/notes-9.17.0.rst
.. _relnotes_license:
--- /dev/null
+..
+ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+ This Source Code Form is subject to the terms of the Mozilla Public
+ License, v. 2.0. If a copy of the MPL was not distributed with this
+ file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+ See the COPYRIGHT file distributed with this work for additional
+ information regarding copyright ownership.
+
+Notes for BIND 9.17.1
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- DNS rebinding protection was ineffective when BIND 9 is configured as
+ a forwarding DNS server. Found and responsibly reported by Tobias
+ Klein. [GL #1574]
+
+Known Issues
+~~~~~~~~~~~~
+
+- We have received reports that in some circumstances, receipt of an
+ IXFR can cause the processing of queries to slow significantly. Some
+ of these were related to RPZ processing, which has been fixed in this
+ release (see below). Others appear to occur where there are
+ NSEC3-related changes (such as an operator changing the NSEC3 salt
+ used in the hash calculation). These are being investigated. [GL
+ #1685]
+
+New Features
+~~~~~~~~~~~~
+
+- A new option, ``nsdname-wait-recurse``, has been added to the
+ ``response-policy`` clause in the configuration file. When set to
+ ``no``, RPZ NSDNAME rules are only applied if the authoritative
+ nameservers for the query name have been looked up and are present in
+ the cache. If this information is not present, the RPZ NSDNAME rules
+ are ignored, but the information is looked up in the background and
+ applied to subsequent queries. The default is ``yes``, meaning that
+ RPZ NSDNAME rules should always be applied, even if the information
+ needs to be looked up first. [GL #1138]
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The previous DNSSEC sign statistics used lots of memory. The number
+ of keys to track is reduced to four per zone, which should be enough
+ for 99% of all signed zones. [GL #1179]
+
+Bug Fixes
+~~~~~~~~~
+
+- When an RPZ policy zone was updated via zone transfer and a large
+ number of records was deleted, ``named`` could become nonresponsive
+ for a short period while deleted names were removed from the RPZ
+ summary database. This database cleanup is now done incrementally
+ over a longer period of time, reducing such delays. [GL #1447]
+
+- When trying to migrate an already-signed zone from ``auto-dnssec
+ maintain`` to one based on ``dnssec-policy``, the existing keys were
+ immediately deleted and replaced with new ones. As the key rollover
+ timing constraints were not being followed, it was possible that some
+ clients would not have been able to validate responses until all old
+ DNSSEC information had timed out from caches. BIND now looks at the
+ time metadata of the existing keys and incorporates it into its
+ DNSSEC policy operation. [GL #1706]
+
./doc/arm/logging-categories.rst RST 2020
./doc/arm/managed-keys.rst RST 2020
./doc/arm/manpages.rst RST 2020
-./doc/arm/notes-9.17.1.xml SGML 2020
./doc/arm/notes-9.17.2.xml SGML 2020
./doc/arm/notes.rst RST 2020
./doc/arm/pkcs11.rst RST 2020
./doc/misc/static-stub.zoneopt X 2018,2019,2020
./doc/misc/stub.zoneopt X 2018,2019,2020
./doc/notes/notes-9.17.0.rst RST 2020
+./doc/notes/notes-9.17.1.rst RST 2020
./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020
projects / thirdparty / bind9.git / commitdiff
