From: Michał Kępień Date: Thu, 4 Feb 2021 09:40:25 +0000 (+0100) Subject: Reorder release notes X-Git-Tag: v9.17.11~43^2~3^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=fc4b7e72cc28f72f65c2688c570f37c4db453be8;p=thirdparty%2Fbind9.git Reorder release notes --- diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index a94c2fa00e4..63666954587 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,6 +24,21 @@ Known Issues New Features ~~~~~~~~~~~~ +- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of + this, the ``nghttp2`` HTTP/2 library is now required for building the + development branch of BIND 9. Both TLS-encrypted and unencrypted + HTTP/2 connections are supported (the latter may be used to offload + encryption to other software). + + Note that there is no client-side support for HTTPS as yet; this will + be added to ``dig`` in a future release. [GL #1144] + +- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as + outgoing zone transfers. Addresses in a ``primaries`` list can now be + accompanied by an optional ``tls`` keyword, followed by either the + name of a previously configured ``tls`` statement or ``ephemeral``. + [GL #2392] + - A new option, ``stale-answer-client-timeout``, has been added to improve ``named``'s behavior with respect to serving stale data. The option defines the amount of time ``named`` waits before attempting to 
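Review bot: The two blocks added at the top of New Features in this hunk (DoH, GL #1144, and XoT, GL #2392) match the blocks removed from the bottom of the section in the next hunk word for word, so the move loses nothing, but the new order also swaps them relative to the old one (DoH now precedes XoT); since the commit message only says "Reorder release notes", state the ordering rule (largest user-visible feature first, or by GL number) so the next editor keeps it. While the XoT entry is being touched, a one-line example of the new syntax would help readers: the text describes "an optional ``tls`` keyword, followed by either the name of a previously configured ``tls`` statement or ``ephemeral``" without ever showing an address followed by ``tls ephemeral`` in a ``primaries`` list.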
@@ -42,28 +57,6 @@ New Features option has no effect if ``stale-answer-enable`` is disabled. [GL #2247] -- When serve-stale is enabled and stale data is available, ``named`` now - returns stale answers upon encountering any unexpected error in the - query resolution process. This may happen, for example, if the - ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In - this case, ``named`` attempts to answer DNS requests with stale data, - but does not start the ``stale-refresh-time`` window. [GL #2434] - -- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as - outgoing zone transfers. Addresses in a ``primaries`` list can now be - accompanied by an optional ``tls`` keyword, followed by either the - name of a previously configured ``tls`` statement or ``ephemeral``. - [GL #2392] - -- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of - this, the ``nghttp2`` HTTP/2 library is now required for building the - development branch of BIND 9. Both TLS-encrypted and unencrypted - HTTP/2 connections are supported (the latter may be used to offload - encryption to other software). - - Note that there is no client-side support for HTTPS as yet; this will - be added to ``dig`` in a future release. [GL #1144] - Removed Features ~~~~~~~~~~~~~~~~ 
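Review bot: Of the three entries removed here, only two come back into New Features; the serve-stale entry (GL #2434, "``named`` now returns stale answers upon encountering any unexpected error") is re-added under Feature Changes in the following hunk. That is the right section, because it alters how an existing option behaves rather than adding one, but it is a reclassification rather than a pure reorder and deserves a mention in the commit message. The removed text for all three blocks is identical to the re-added text, including the trailing "[GL #...]" references, so no wording was dropped in transit.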
@@ -82,6 +75,18 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ +- When serve-stale is enabled and stale data is available, ``named`` now + returns stale answers upon encountering any unexpected error in the + query resolution process. This may happen, for example, if the + ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In + this case, ``named`` attempts to answer DNS requests with stale data, + but does not start the ``stale-refresh-time`` window. [GL #2434] + +- The default value of ``max-stale-ttl`` has been changed from 12 hours + to 1 day and the default value of ``stale-answer-ttl`` has been + changed from 1 second to 30 seconds, following :rfc:`8767` + recommendations. [GL #2248] + - The SONAMEs for BIND 9 libraries now include the current BIND 9 version number, in an effort to tightly couple internal libraries with a specific release. This change makes the BIND 9 release process both @@ -89,11 +94,6 @@ Feature Changes binaries from silently loading wrong versions of shared libraries (or multiple versions of the same shared library) at startup. [GL #2387] -- The default value of ``max-stale-ttl`` has been changed from 12 hours - to 1 day and the default value of ``stale-answer-ttl`` has been - changed from 1 second to 30 seconds, following :rfc:`8767` - recommendations. [GL #2248] - - When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate``, or ``_spf_verify`` label (which are employed by the ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix 
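Review bot: Placing the GL #2434 serve-stale behaviour change and the GL #2248 default change (``max-stale-ttl`` 12 hours to 1 day, ``stale-answer-ttl`` 1 second to 30 seconds) together at the top of Feature Changes groups the related items, which reads better than the old layout where GL #2248 sat below the SONAME change; consider putting GL #2248 first of the two, since a reader should know the new ``stale-answer-ttl`` default before reading that stale answers are now also returned on resolution errors. The second hunk in this region only deletes the old copy of the GL #2248 block and the text matches the re-added copy, including the ``:rfc:`8767``` role, so the RST cross-reference survives the move.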
@@ -102,14 +102,14 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- KASP incorrectly set signature validity to the value of the DNSKEY - signature validity. This has been fixed. [GL #2383] +- ``named`` failed to start when its configuration included a zone with + a non-builtin ``allow-update`` ACL attached. [GL #2413] - Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key. This has been fixed. [GL #2178] -- ``named`` failed to start when its configuration included a zone with - a non-builtin ``allow-update`` ACL attached. [GL #2413] +- KASP incorrectly set signature validity to the value of the DNSKEY + signature validity. This has been fixed. [GL #2383] - When migrating to KASP, BIND 9 considered keys with the ``Inactive`` and/or ``Delete`` timing metadata to be possible active keys. This has
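Review bot: The resulting Bug Fixes order (GL #2413, GL #2178, GL #2383, then the KASP migration entry) follows neither issue number nor the previous order, and nothing in the commit explains it; if the intent is impact first (``named`` failing to start ahead of a ``dnssec-keyfromlabel`` crash ahead of a KASP signature-validity error), say so in the commit message so later additions land in the right place. A side benefit worth keeping is that the two KASP items, GL #2383 and the "When migrating to KASP" entry that follows it, are now adjacent.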