notes.xml 23.7 KB
<!DOCTYPE book [
<!ENTITY Scaron "&#x160;">
<!ENTITY scaron "&#x161;">
<!ENTITY ccaron "&#x10D;">
<!ENTITY aacute "&#x0E1;">
<!ENTITY iacute "&#x0ED;">
<!ENTITY mdash "&#8212;">
<!ENTITY ouml "&#xf6;">]>
<!--
 - Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      BIND 9.12.0 is a new feature release of BIND, still under development.
      This document summarizes new features and functional changes that
      have been introduced on this branch.  With each development
      release leading up to the final BIND 9.12.0 release, this document
      will be updated with additional features added and bugs fixed.
    </para>
  </section>

  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>

  <section xml:id="relnotes_license"><info><title>License Change</title></info>
    <para>
      With the release of BIND 9.11.0, ISC changed the open source
      license for BIND from the ISC license to the Mozilla Public
      License (MPL 2.0).
    </para>
    <para>
      The MPL-2.0 license requires that if you make changes to
      licensed software (e.g. BIND) and distribute them outside
      your organization, you publish those changes under that
      same license. It does not require that you publish or disclose
      anything other than the changes you made to our software.
    </para>
    <para>
      This requirement will not affect anyone who is using BIND
      without redistributing it, nor anyone redistributing it without
      changes; the change will therefore be without consequence
      for most individuals and organizations who are using BIND.
    </para>
    <para>
      Those unsure whether or not the license change affects their
      use of BIND, or who wish to discuss how to comply with the
      license may contact ISC at <link
      xmlns:xlink="http://www.w3.org/1999/xlink"
      xlink:href="https://www.isc.org/mission/contact/">
      https://www.isc.org/mission/contact/</link>.
    </para>
  </section>

  <section xml:id="win_support"><info><title>Windows XP No Longer Supported</title></info>
    <para>
      As of BIND 9.11.2, Windows XP is no longer a supported platform for
      BIND, and Windows XP binaries are no longer available for download
      from ISC.
    </para>
  </section>

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  None.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  Many aspects of <command>named</command> have been modified
	  to improve query performance, and in particular, performance
	  for delegation-heavy zones:
	</para>
	<itemizedlist>
	  <listitem>
	    <para>
	      The additional cache ("acache") was found not to
	      significantly improve performance and has been removed;
	      the <command>acache-enable</command> and
	      <command>acache-cleaning-interval</command> options are now
	      deprecated.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      In place of the acache, <command>named</command> can now use
	      a glue cache to speed up retrieval of glue records when sending
	      delegation responses.  Unlike acache, this feature is on by
	      default; use <command>glue-cache no;</command> to disable it.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      The <command>additional-from-cache</command>
	      and <command>additional-from-auth</command> options have been
	      deprecated.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      <command>minimal-responses</command> is now set
	      to <literal>yes</literal> by default.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      Several functions have been refactored to improve
	      performance, including name compression, owner name
	      case restoration, hashing, and buffers.
	    </para>
	  </listitem>
	</itemizedlist>
      </listitem>
      <listitem>
	<para>
	  Several areas of code have been refactored for improved
	  readability, maintainability, and testability:
	</para>
	<itemizedlist>
	  <listitem>
	    <para>
	      The <command>named</command> query logic implemented in
	      <command>query_find()</command> has been split into
	      smaller functions with a context structure to maintain state
	      between them, and extensive comments have been added.
	      [RT #43929]
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      Similarly the iterative query logic implemented in
	      <command>resquery_response()</command> function has been
	      split into smaller functions and comments added. [RT #45362]
	    </para>
	  </listitem>
	</itemizedlist>
      </listitem>
      <listitem>
	<para>
	  Code implementing name server query processing has been moved
	  from <command>named</command> to an external library,
	  <command>libns</command>. This will make it easier to
	  write unit tests for the code, or to link it into new tools.
	  [RT #45186]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> can now synthesize negative responses
	  (NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
	  records that were returned in negative or wildcard responses from
	  authoritative servers.
	</para>
	<para>
	  This will reduce query loads on authoritative servers for signed
	  domains: when existing cached records can be used by the resolver
	  to determine that a name does not exist in the authoritative domain,
	  no query needs to be sent. Reducing the number of iterative queries
	  should also improve resolver performance.
	</para>
	<para>
	  This behavior is controlled by the new
	  <filename>named.conf</filename> option
	  <command>synth-from-dnssec</command>.  It is enabled by
	  default.
	</para>
	<para>
	  Note: this currently only works for zones signed using NSEC.
	  Support for zones signed using NSEC3 (without opt-out) is
	  planned for the future.
	</para>
	<para>
	  Thanks to APNIC for sponsoring this work.
	</para>
      </listitem>
      <listitem>
	<para>
	  When acting as a recursive resolver, <command>named</command>
	  can now continue returning answers whose TTLs have expired
	  when the authoritative server is under attack and unable to
	  respond. This is controlled by the
	  <command>stale-answer-enable</command>,
	  <command>stale-answer-ttl</command> and
	  <command>max-stale-ttl</command> options. [RT #44790]
	</para>
      </listitem>
      <listitem>
	<para>
	  The DNS Response Policy Service (DNSRPS) API, a mechanism to
	  allow <command>named</command> to use an external response policy
	  provider, is now supported. (One example of such a provider is
	  "FastRPZ" from Farsight Security, Inc.) This allows the same
	  types of policy filtering as standard RPZ, but can reduce the
	  workload for <command>named</command>, particularly when using
	  large and frequently-updated policy zones. It also enables
	  <command>named</command> to share response policy providers
	  with other DNS implementations such as Unbound.
	</para>
	<para>
	  This feature is available if BIND is built with
	  <command>configure --enable-dnsrps</command>, if a DNSRPS
	  provider is installed, and if <command>dnsrps-enable</command>
	  is set to "yes" in <filename>named.conf</filename>. Standard
	  built-in RPZ is used otherwise.
	</para>
	<para>
	  Thanks to Vernon Schryver and Farsight Security for the
	  contribution. [RT #43376]
	</para>
      </listitem>
      <listitem>
	<para>
	  Setting <command>max-journal-size</command> to
	  <literal>default</literal> limits journal sizes to twice the
	  size of the zone contents.  This can be overridden by setting
	  <command>max-journal-size</command> to <literal>unlimited</literal>
	  or to an explicit value up to 2G. Thanks to Tony Finch for
	  the contribution. [RT #38324]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnstap</command> logfiles can now be configured to
	  automatically roll when they reach a specified size. If
	  <command>dnstap-output</command> is configured with mode
	  <literal>file</literal>, then it can take optional
	  <command>size</command> and <command>versions</command>
	  key-value arguments to set the logfile rolling parameters.
	  (These have the same semantics as the corresponding
	  options in a <command>logging</command> channel statement.)
	  [RT #44502]
	</para>
      </listitem>
      <listitem>
	<para>
	  Logging channels and <command>dnstap-output</command> files can
	  now be configured with a <command>suffix</command> option,
	  set to either <literal>increment</literal> or
	  <literal>timestamp</literal>, indicating whether log files
	  should be given incrementing suffixes when they roll
	  over (e.g., <filename>logfile.0</filename>,
	  <filename>.1</filename>, <filename>.2</filename>, etc)
	  or suffixes indicating the time of the roll. The default
	  is <literal>increment</literal>.  [RT #42838]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <command>print-time</command> option in the
	  <command>logging</command> configuration can now take arguments
	  <userinput>local</userinput>, <userinput>iso8601</userinput> or
	  <userinput>iso8601-utc</userinput> to indicate the format in
	  which the date and time should be logged. For backward
	  compatibility, <userinput>yes</userinput> is a synonym for
	  <userinput>local</userinput>.  [RT #42585]
	</para>
      </listitem>
      <listitem>
	<para>
	  The new <command>dnssec-cds</command> command generates a new DS
	  set to place in a parent zone, based on the contents of a child
	  zone's validated CDS or CDNSKEY records. It can produce a
	  <filename>dsset</filename> file suitable for input to
	  <command>dnssec-signzone</command>, or a series of
	  <command>nsupdate</command> commands to update the parent zone via
	  dynamic DNS. Thanks to Tony Finch for the contribution.  [RT #46090]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>nsupdate</command> and <command>rndc</command> now accept
	  command line options <command>-4</command> and <command>-6</command>
	  which force using only IPv4 or only IPv6, respectively. [RT #45632]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>nsec3hash -r</command> ("rdata order") takes arguments
	  in the same order as they appear in NSEC3 or NSEC3PARAM records.
	  This makes it easier to generate an NSEC3 hash using values cut
	  and pasted from an existing record. Thanks to Tony Finch for
	  the contribution. [RT #45183]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <command>new-zones-directory</command> option allows
	  <command>named</command> to store configuration parameters
	  for zones added via <command>rndc addzone</command> in a
	  location other than the working directory. Thanks to Petr
	  Men&scaron;&iacute;k of Red Hat for the contribution.
	  [RT #44853]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <command>dnstap-read -x</command> option prints a hex
	  dump of the wire format DNS message encapsulated in each
	  <command>dnstap</command> log entry. [RT #44816]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <command>host -A</command> option returns most
	  records for a name, but omits types RRSIG, NSEC and NSEC3.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +ednsopt</command> now accepts the names
	  for EDNS options in addition to numeric values. For example,
	  an EDNS Client-Subnet option could be sent using
	  <command>dig +ednsopt=ecs:...</command>. Thanks to
	  John Worley of Secure64 for the contribution. [RT #44461]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS TCP Keepalive option (RFC 7828);
	  this allows negotiation of longer-lived TCP sessions
	  to reduce the overhead of setting up TCP for individual
	  queries. [RT #42126]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS Padding option (RFC 7830),
	  which obfuscates packet size analysis when DNS queries
	  are sent over an encrypted channel. [RT #42094]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc</command> commands which refer to zone names
	  can now reference a zone of type <command>redirect</command>
	  by using the special zone name "-redirect". (Previously this
	  was not possible because <command>redirect</command> zones
	  always have the name ".", which can be ambiguous.)
	</para>
	<para>
	  In the event you need to manipulate a zone actually
	  called "-redirect", use a trailing dot: "-redirect."
	</para>
	<para>
	  Note: This change does not apply to the
	  <command>rndc addzone</command> or
	  <command>rndc modzone</command> commands.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named-checkconf -l</command> lists the zones found
	  in <filename>named.conf</filename>. [RT #43154]
	</para>
      </listitem>
      <listitem>
	<para>
	  Query logging now includes the ECS option, if one was
	  present in the query, in the format
	  "[ECS <replaceable>address/source/scope</replaceable>]".
	</para>
      </listitem>
      <listitem>
	<para>
	  By default, BIND now uses the random number generation functions
	  in the cryptographic library (i.e., OpenSSL or a PKCS#11
	  provider) as a source of high-quality randomness rather than
	  <filename>/dev/random</filename>.  This is suitable for virtual
	  machine environments, which may have limited entropy pools and
	  lack hardware random number generators.
	</para>
	<para>
	  This can be overridden by specifying another entropy source via
	  the <command>random-device</command> option in
	  <filename>named.conf</filename>, or via the <command>-r</command>
	  command line option.  However, for functions requiring full
	  cryptographic strength, such as DNSSEC key generation, this
	  <emphasis>cannot</emphasis> be overridden. In particular, the
	  <command>-r</command> command line option no longer has any
	  effect on <command>dnssec-keygen</command>.
	</para>
	<para>
	  This can be disabled by building with
	  <command>configure --disable-crypto-rand</command>, in which
	  case <filename>/dev/random</filename> will be the default
	  entropy source.  [RT #31459] [RT #46047]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc managed-keys destroy</command> shuts down all
	  RFC 5011 DNSSEC trust anchor maintenance, and deletes any
	  existing managed keys database. If immediately followed by
	  <command>rndc reconfig</command>, this will reinitialize
	  key maintenance just as if the server was being started for
	  the first time.
	</para>
	<para>
	  This is intended for testing purposes, but can be used -- with
	  extreme caution -- as a brute-force repair for unrecoverable
	  problems with a managed keys database, to jumpstart the key
	  acquisition process if <filename>bind.keys</filename> is updated,
	  etc. [RT #32456]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnssec-signzone -S</command> can now add or remove
	  synchronization records (CDS and CDNSKEY) based on key metadata
	  set by the <command>-Psync</command> and <command>-Dsync</command>
	  options to <command>dnssec-keygen</command>,
	  <command>dnssec-settime</command>, etc. [RT #46149]
	</para>
      </listitem>
    </itemizedlist>
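    <para>
      The synthesis described under <command>synth-from-dnssec</command>
      above rests on two checks a resolver can make from cached, validated
      NSEC records alone: that the query name sorts strictly between an
      NSEC owner and its next name in canonical order, and that no wildcard
      exists at the closest encloser. The following is an added example,
      not code from BIND or ISC: the zone <literal>example.</literal>, its
      NSEC chain, the tuple layout of the cache and the return strings are
      constructed for illustration and do not mirror the internal
      representation in <command>named</command>.
    </para>

```python
"""Negative-answer synthesis from cached NSEC records, the idea behind the
synth-from-dnssec option (RFC 8198, "aggressive use of DNSSEC-validated
cache").  Added example, not BIND code: a toy cache of validated NSEC
records for the constructed zone "example." and a function that decides
what a resolver may answer without sending an iterative query.  The zone
data, record layout and return strings are illustrations; named's internal
representation is different."""


def labels(name):
    """Presentation-format name to a list of lowercase labels; root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering as a Python sort key: labels
    are compared right to left as byte strings, and a name sorts before
    every name below it (tuple prefix rule)."""
    return tuple(label.encode("ascii") for label in reversed(labels(name)))


def is_below(name, ancestor):
    """True if `name` is a proper subdomain of `ancestor`."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a


def covers(owner, nxt, qname):
    """True if qname lies strictly between an NSEC record's owner and next
    name.  The last NSEC of a zone points back at the apex and covers
    everything that sorts after its owner."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if n > o:
        return q > o and n > q
    return q > o or n > q           # wrap-around record


def closest_encloser(covering_owner, qname):
    """Longest common suffix of qname and the covering NSEC's owner name.
    Every ancestor of an existing name exists, and nothing sorts between
    owner and next, so this is the closest encloser of qname."""
    a, b = labels(covering_owner), labels(qname)
    common = []
    while a and b and a[-1] == b[-1]:
        common.insert(0, a.pop())
        b.pop()
    return ".".join(common) + "."


def synthesize(nsec_cache, apex, qname, qtype):
    """Decide what the resolver may answer from cache alone.

    nsec_cache: list of (owner, next, types) from validated NSEC records.
    Returns "NXDOMAIN", "NODATA", "WILDCARD" (answer from the cached
    wildcard RRset) or None when a query must be sent after all."""
    if labels(apex) and not (labels(qname) == labels(apex) or is_below(qname, apex)):
        return None                 # out of zone: never synthesize across zones
    by_owner = {canonical_key(o): types for o, _, types in nsec_cache}
    qkey = canonical_key(qname)
    if qkey in by_owner:            # name exists: NODATA if the type is absent
        return None if qtype in by_owner[qkey] else "NODATA"
    covering = [(o, n) for o, n, _ in nsec_cache if covers(o, n, qname)]
    if not covering:
        return None                 # no proof of non-existence cached
    owner, nxt = covering[0]
    if is_below(nxt, qname):
        return "NODATA"             # next name is under qname: empty non-terminal
    wildcard = "*." + closest_encloser(owner, qname)
    wkey = canonical_key(wildcard)
    if wkey in by_owner:            # a wildcard exists at the closest encloser
        return "WILDCARD" if qtype in by_owner[wkey] else "NODATA"
    if any(covers(o, n, wildcard) for o, n, _ in nsec_cache):
        return "NXDOMAIN"           # qname and its wildcard both proven absent
    return None


# Constructed, already-validated NSEC chain for the zone example.:
# (owner, next owner, types present at owner).  y.example. exists only as an
# empty non-terminal above x.y.example., and *.a.example. is a wildcard.
EXAMPLE_NSEC_CACHE = [
    ("example.",     "a.example.",    {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("a.example.",   "*.a.example.",  {"A", "RRSIG", "NSEC"}),
    ("*.a.example.", "ns1.example.",  {"A", "RRSIG", "NSEC"}),
    ("ns1.example.", "x.y.example.",  {"A", "AAAA", "RRSIG", "NSEC"}),
    ("x.y.example.", "example.",      {"TXT", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for q, t in [("b.example.", "A"), ("foo.a.example.", "A"),
                 ("y.example.", "A"), ("ns1.example.", "A")]:
        print(q, t, synthesize(EXAMPLE_NSEC_CACHE, "example.", q, t))
```

    <para>
      Two details matter for correctness here. A covering NSEC whose next
      name lies below the query name proves an empty non-terminal, so the
      right synthesized answer is NODATA rather than NXDOMAIN; and an
      NXDOMAIN may only be synthesized when the wildcard at the closest
      encloser is also proven absent, otherwise the correct answer is the
      wildcard RRset. Both cases are why NSEC3 support is harder and is
      listed above as future work.
    </para>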
  </section>

  <section xml:id="proto_changes"><info><title>Protocol Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
	  signing algorithms described in RFC 8080. Note, however, that
	  these algorithms must be supported in OpenSSL;
	  currently they are only available in the development branch
	  of OpenSSL at
	  <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://github.com/openssl/openssl">https://github.com/openssl/openssl</link>.
	  [RT #44696]
	</para>
      </listitem>
      <listitem>
	<para>
	  EDNS KEY TAG options are verified and printed.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  The ISC DNSSEC Lookaside Validation (DLV) service has been shut
	  down; all DLV records in the dlv.isc.org zone have been removed.
	  References to the service have been removed from BIND documentation.
	  Lookaside validation is no longer used by default by
	  <command>delv</command>. The DLV key has been removed from
	  <filename>bind.keys</filename>. Setting
	  <command>dnssec-lookaside</command> to
	  <command>auto</command>, or to use dlv.isc.org as a trust
	  anchor, is now a fatal configuration error. [RT #46155]
	</para>
      </listitem>
      <listitem>
	<para>
	  Previously, <command>update-policy local;</command> accepted
	  updates from any source so long as they were signed by the
	  locally-generated session key. This has been further restricted;
	  updates are now only accepted from locally configured addresses.
	  [RT #45492]
	</para>
      </listitem>
      <listitem>
	<para>
	  The lightweight resolver daemon and library (<command>lwresd</command>
	  and <command>liblwres</command>) have been removed. [RT #45186]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnssec-keygen</command> no longer has default
	  algorithm settings. It is necessary to explicitly specify the
	  algorithm on the command line with the <command>-a</command> option
	  when generating keys. This may cause errors with existing signing
	  scripts if they rely on current defaults. The intent is to
	  reduce the long-term cost of transitioning to newer algorithms in
	  the event of RSASHA1 being deprecated. [RT #44755]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +sigchase</command> and related options
	  <command>+trusted-keys</command> and <command>+topdown</command>
	  have been removed. <command>delv</command> is now the recommended
	  command for looking up records with DNSSEC validation.
	  [RT #42793]
	</para>
      </listitem>
      <listitem>
	<para>
	  The Response Policy Zone (RPZ) implementation has been
	  substantially refactored: updates to the RPZ summary
	  database are no longer directly performed by the zone
	  database but by a separate function that is called when
	  a policy zone is updated.  This improves both performance
	  and reliability when policy zones receive frequent updates.
	  Summary database updates can be rate-limited by using the
	  <command>min-update-interval</command> option in a
	  <command>response-policy</command> statement. [RT #43449]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnstap</command> now stores both the local and remote
	  addresses for all messages, instead of only the remote address.
	  The default output format for <command>dnstap-read</command> has
	  been updated to include these addresses, with the initiating
	  address first and the responding address second, separated by
	  "-&gt;" or "&lt;-" to indicate in which direction the message
	  was sent. [RT #43595]
	</para>
      </listitem>
      <listitem>
	<para>
	  Expanded and improved the YAML output from
	  <command>dnstap-read -y</command>: it now includes packet
	  size and a detailed breakdown of message contents.
	  [RT #43622] [RT #43642]
	</para>
      </listitem>
      <listitem>
	<para>
	  Threads in <command>named</command> are now set to human-readable
	  names to assist debugging on operating systems that support that.
	  Threads will have names such as "isc-timer", "isc-sockmgr",
	  "isc-worker0001", and so on. This will affect the reporting of
	  subsidiary thread names in <command>ps</command> and
	  <command>top</command>, but not the main thread. [RT #43234]
	</para>
      </listitem>
      <listitem>
	<para>
	  If an ACL is specified with an address prefix in which the
	  prefix length is longer than the address portion (for example,
	  192.0.2.1/8), it will now be treated as a fatal error during
	  configuration. [RT #43367]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig</command> now warns about .local queries which are
	  reserved for Multicast DNS. [RT #44783]
	</para>
      </listitem>
      <listitem>
	<para>
	  When logging DNSSEC validator messages, the view associated
	  with the query is now logged unless it is "_default/IN" or
	  "_dnsclient/IN".
	</para>
      </listitem>
      <listitem>
	<para>
	  When <command>named</command> was reconfigured, failure of some
	  zones to load correctly could leave the system in an inconsistent
	  state; while generally harmless, this could lead to a crash later
	  when using <command>rndc addzone</command>.  Reconfiguration changes
	  are now fully rolled back in the event of failure. [RT #45841]
	</para>
      </listitem>
      <listitem>
	<para>
	  Fixed a bug that was introduced in an earlier development
	  release which caused multi-packet AXFR and IXFR messages to fail
	  validation if not all packets contained TSIG records; this
	  caused interoperability problems with some other DNS
	  implementations. [RT #45509]
	</para>
      </listitem>
      <listitem>
	<para>
	  Multiple <command>cookie-secret</command> clauses are now
	  supported.  The first <command>cookie-secret</command> in
	  <filename>named.conf</filename> is used to generate new
	  server cookies.  Any others are used to accept old server
	  cookies or those generated by other servers using the
	  matching <command>cookie-secret</command>.
	</para>
      </listitem>
      <listitem>
	<para>
	  A new statistics counter has been added to track prefetch
	  queries. [RT #45847]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <command>dnssec-signzone -x</command> flag and the
	  <command>dnssec-dnskey-kskonly</command> option in
	  <command>named.conf</command>, which suppress the use of
	  the ZSK when signing DNSKEY records, now also apply to
	  CDNSKEY and CDS records. Thanks to Tony Finch for the
	  contribution. [RT #45689]
	</para>
      </listitem>
    </itemizedlist>
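    <para>
      The multiple <command>cookie-secret</command> behaviour described
      above is a secret-rotation scheme: the first secret mints new
      server cookies, and every configured secret is accepted when a
      client presents a cookie, so a secret can be replaced without
      invalidating cookies clients already hold. The following added
      example (not BIND code) shows the mint, check and rotate steps.
      Its HMAC-SHA256 construction, 16-byte cookie length, sample
      secrets and client cookies are illustrative; they are not the
      cookie algorithm or layout that <command>named</command> uses.
    </para>

```python
"""Server-cookie minting and checking with a list of secrets, the behaviour
these notes describe for multiple cookie-secret clauses: the first secret
mints new cookies and every listed secret is accepted when checking, so a
secret can be rotated without clients losing the cookies they hold.  Added
example, not BIND code: the HMAC-SHA256 construction, the 16-byte cookie
and the sample secrets are illustrative, not named's cookie-algorithm
layout, and the client cookies and addresses are constructed."""
import hashlib
import hmac
import ipaddress


def server_cookie(secret, client_cookie, client_ip):
    """Mint a server cookie bound to the client's 8-byte client cookie and
    source address, so a cookie captured from one client cannot be replayed
    from another address (the RFC 7873 design goal)."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes (RFC 7873)")
    msg = client_cookie + ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def mint_cookie(secrets, client_cookie, client_ip):
    """New cookies always come from the first configured secret."""
    return server_cookie(secrets[0], client_cookie, client_ip)


def check_cookie(secrets, client_cookie, client_ip, presented):
    """Return the index of the secret that validates `presented`, or -1.
    Every secret is tried so cookies minted before a rotation (or by
    another server sharing an older secret) remain valid; comparisons use
    a constant-time equality check."""
    found = -1
    for index, secret in enumerate(secrets):
        expected = server_cookie(secret, client_cookie, client_ip)
        if hmac.compare_digest(expected, presented) and found == -1:
            found = index
    return found


def rotate(secrets, new_secret, keep=2):
    """Put a fresh secret first and drop the oldest beyond `keep` entries:
    the named.conf equivalent is adding the new cookie-secret clause above
    the old one, then removing the old one after its cookies have expired."""
    return [new_secret] + list(secrets)[:keep - 1]


# Constructed secrets in named.conf order: current first, previous second.
SECRETS = [bytes.fromhex("a1" * 16), bytes.fromhex("b2" * 16)]

if __name__ == "__main__":
    cc = bytes.fromhex("0011223344556677")        # constructed client cookie
    sc = mint_cookie(SECRETS, cc, "192.0.2.53")
    print(sc.hex(), check_cookie(SECRETS, cc, "192.0.2.53", sc))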
  </section>

  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  The introduction of <command>libns</command> caused a bug
	  in which TCP client objects were not recycled after use,
	  leading to unconstrained memory growth. [RT #46029]
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      The end of life for BIND 9.12 is yet to be determined but
      will not be before BIND 9.14.0 has been released for 6 months.
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
    </para>
  </section>
  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>

    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>