New Features
~~~~~~~~~~~~
-- Automatic KSK rollover: A new configuration option ``parental-agents`` is
- added to add a list of servers to a zone that can be used for checking DS
- presence. :gl:`#1126`
+- Using a new configuration option, ``parental-agents``, each zone can
+ now be associated with a list of servers that can be used to check the
+ DS RRset in the parent zone. This enables automatic KSK rollovers.
+ :gl:`#1126`
Removed Features
~~~~~~~~~~~~~~~~
Feature Changes
~~~~~~~~~~~~~~~
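Review bot: the rewording of the ``parental-agents`` entry loses the point that the servers are queried for DS *presence* (and, during the withdrawal phase, absence), which is what drives the rollover state machine; "check the DS RRset in the parent zone" could be read as a content comparison. Suggest "that can be used to check for the presence of the DS RRset in the parent zone" and, since operators will need to know this, that the listed servers must be authoritative for (or able to answer for) the parent zone. The :gl:`#1126` reference is correctly carried over.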
-- IP fragmentation on outgoing UDP sockets has been disabled. Errors from
- sending DNS messages larger than the specified path MTU are properly handled;
- ``named`` now sends back empty DNS messages with the TC (TrunCated) bit set,
- forcing the DNS client to fall back to TCP. :gl:`#2790`
-
- ``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets. According
- to the measurements done by multiple parties this should not be causing any
- operational problems as most of the Internet "core" is able to cope with IP
- message sizes between 1400-1500 bytes, the 1232 size was picked as a
- conservative minimal number that could be changed by the DNS operator to a
- estimated path MTU minus the estimated header space. In practice, the smallest
- MTU witnessed in the operational DNS community is 1500 octets, the Ethernet
- maximum payload size, so a a useful default for maximum DNS/UDP payload size
- on reliable networks would be 1432. [GL #2183]
+- IP fragmentation has been disabled for outgoing UDP sockets. Errors
+ triggered by sending DNS messages larger than the specified path MTU
+ are properly handled by sending empty DNS replies with the ``TC``
+ (TrunCated) bit set, which forces DNS clients to fall back to TCP.
+ :gl:`#2790`
- CDS and CDNSKEY records may now be published in a zone without the
requirement that they exactly match an existing DNSKEY record, so long
Bug Fixes
~~~~~~~~~
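Review bot: the rewrite of the IP-fragmentation entry silently drops the entire second paragraph (``named`` setting the DON'T FRAGMENT flag on outgoing UDP packets, the rationale for the 1232-byte default, and the 1432 suggestion for reliable networks) together with its ``[GL #2183]`` reference. If that behaviour ships in this release it should stay in the notes, condensed if wanted, and the reference should use the document's role syntax, i.e. :gl:`#2183`, rather than being removed. The first paragraph's condensation ("properly handled by sending empty DNS replies with the ``TC`` (TrunCated) bit set") is otherwise a faithful rewording.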
-- Fixed a bug that caused the NSEC salt to be changed for KASP zones on
- every startup. :gl:`#2725`
+- A bug that caused the NSEC3 salt to be changed on every restart for
+ zones using KASP has been fixed. :gl:`#2725`
- Signed, insecure delegation responses prepared by ``named`` either
lacked the necessary NSEC records or contained duplicate NSEC records
when both wildcard expansion and CNAME chaining were required to
prepare the response. This has been fixed. :gl:`#2759`
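Review bot: the change from "NSEC salt" to "NSEC3 salt" is a factual correction, not just a rewording (only NSEC3 has a salt parameter, NSEC does not), so it deserves a mention in the commit message rather than being buried in a copy-edit; the surrounding text and the :gl:`#2725` reference are consistent with that.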
-- Checking of ``dnssec-policy`` was broken. The checks failed to account for
- ``dnssec-policy`` inheritance. :gl:`#2780`
+- The configuration-checking code failed to account for the inheritance
+ rules of the ``dnssec-policy`` option. This has been fixed.
+ :gl:`#2780`
-- A deadlock at startup was introduced when fixing :gl:`#1875` because when
- locking key files for reading and writing, "in-view" logic was not taken into
- account. This has been fixed. :gl:`#2783`
+- The fix for :gl:`#1875` inadvertently introduced a deadlock: when
+ locking key files for reading and writing, the ``in-view`` logic was
+ not considered. This has been fixed. :gl:`#2783`
-- Fix a race condition where two threads are competing for the same set of key
- file locks, that could lead to a deadlock. This has been fixed. :gl:`#2786`
+- A race condition could occur where two threads were competing for the
+ same set of key file locks, leading to a deadlock. This has been
+ fixed. :gl:`#2786`
- Testing revealed that setting the thread affinity on both the netmgr
and netthread threads led to inconsistent recursive performance, as
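Review bot: in the last of these three entries, "leading to a deadlock" states that the race always deadlocked, whereas the removed text said it "could lead to a deadlock"; keep the conditional, e.g. "the same set of key file locks, which could lead to a deadlock", so the note does not overstate the impact. The ``in-view`` rewording in the :gl:`#2783` entry is fine, and the :gl:`#2780` entry now reads more naturally, though it no longer names what was broken ("checking of ``dnssec-policy``"), which "configuration-checking code" only partly conveys.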