BIND commit 37eb17dd, authored Apr 09, 2020 by Michał Kępień
Merge branch 'michal/misc-doc-fixes' into 'master'
Miscellaneous documentation fixes

See merge request !3357
Parents: 69e3ec9c, 623b6c94

Showing 2 changed files with 68 additions and 51 deletions:

CHANGES (+29 -32)
doc/arm/notes-9.17.1.xml (+39 -19)
CHANGES
5384. [bug] Deactivate the handle before sending the async close
callback. [GL #1700]
5383. [func] Add a quota attach function with a callback, cleanup
5383. [func] Add a quota attach function with a callback and clean up
the isc_quota API. [GL !3280]
5382. [bug] Use clock_gettime() instead of gettimeofday() for
isc_stdtime() function. [GL #1679]
5381. [bug] Fix logging API data race by adding rwlock and cach
e
the
logging levels in stdatomic variables to restore
the
performance to original levels. [GL #1675
,
#1717]
5381. [bug] Fix logging API data race by adding rwlock and cach
ing
logging levels in stdatomic variables to restore
performance to original levels. [GL #1675
] [GL
#1717]
5380. [contrib] Fix building
the
MySQL DLZ modules against MySQL 8
5380. [contrib] Fix building MySQL DLZ modules against MySQL 8
libraries. [GL #1678]
5379. [placeholder]
5378. [bug]
Fix assertion in nslookup when receiving invalid DNS
data
. [GL #1652]
5378. [bug]
Receiving invalid DNS data was triggering an assertion
failure in nslookup
. [GL #1652]
5377. [placeholder]
5376. [bug] Fix
DNS
ineffective rebinding protection when BIND
9
is
configured as a forwarding DNS server.
[GL #1574]
(Thanks to Tobias Klein)
5376. [bug] Fix ineffective
DNS
rebinding protection when BIND
is
configured as a forwarding DNS server.
Thanks to Tobias
Klein. [GL #1574]
5375. [test] Fix timing issue in
kasp
test. [GL #1669]
5375. [test] Fix timing issue
s
in
the "kasp" system
test. [GL #1669]
5374. [bug] Statistics counters
count
ing recursive clients and
5374. [bug] Statistics counters
track
ing recursive clients and
active connections could underflow. [GL #1087]
5373. [bug] Collecting DNSSEC signing operations introduced by
GL #513 (change 5254) allocated counters for every
possible key id per zone which results in a lot of
wasted memory. Fix by tracking up to four keys
per zone, rotate counters when keys are replaced.
This fixes the immediate problem of the high
memory usage, but should be improved in a future
release by growing and shrinking the number of
keys to track triggered by key rollover events.
[GL #1179]
5372. [bug] Fix migration from existing DNSSEC key files using
auto-dnssec maintain to dnssec-policy. [GL #1706]
5373. [bug] Collecting statistics for DNSSEC signing operations
(change 5254) caused an array of significant size (over
100 kB) to be allocated for each configured zone. Each
of these arrays is tracking all possible key IDs; this
could trigger an out-of-memory condition on servers with
a high enough number of zones configured. Fixed by
tracking up to four keys per zone and rotating counters
when keys are replaced. This fixes the immediate problem
of high memory usage, but should be improved in a future
release by growing or shrinking the number of keys to
track upon key rollover events. [GL #1179]
5372. [bug] Fix migration from existing DNSSEC key files
("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
5371. [bug] Improve incremental updates of the RPZ summary
database to reduce delays that could occur when
...
...
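Review bot: The rewritten entry 5373 shifts tense mid-paragraph: "caused an array of significant size ... to be allocated" is followed by "Each of these arrays is tracking all possible key IDs", which reads as if the per-zone allocation still happens after the fix. Suggest "Each of these arrays tracked all possible key IDs". Separately, entry 5381 now cites its issues as two bracketed references where every other entry in this hunk carries a single bracket; worth confirming that is the intended CHANGES convention.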
@@ -54,10 +52,9 @@
Fixed by deactivating the netmgr handle before
scheduling the asynchronous close routine. [GL #1700]
5369. [func] Add the ability to specify whether or not to wait
for nameserver domain names to be looked up, with
a new RPZ modifying directive 'nsdname-wait-recurse'.
[GL #1138]
5369. [func] Add the ability to specify whether to wait for
nameserver domain names to be looked up, with a new RPZ
modifying directive 'nsdname-wait-recurse'. [GL #1138]
5368. [bug] Named failed to restart if 'rndc addzone' names
contained special characters (e.g. '/'). [GL #1655]
...
...
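Review bot: Entry 5369 names 'nsdname-wait-recurse' but still does not say which setting is the default or what not waiting means for policy enforcement. The release note added in this same commit states that the default is yes and that with no the RPZ NSDNAME rules are ignored until the nameserver data is in the cache; a short clause to that effect here would keep CHANGES consistent with the notes on a setting that affects RPZ filtering.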
doc/arm/notes-9.17.1.xml
...
...
@@ -15,9 +15,9 @@
<itemizedlist>
<listitem>
<para>
DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server.
Found and responsibly reported by Tobias
Klein.
[GL #1574]
DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
</para>
</listitem>
</itemizedlist>
...
...
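Review bot: The reflowed paragraph keeps the tense mismatch in "was ineffective when BIND 9 is configured"; since these lines are being rewritten anyway, "was configured" would fix it. The matching CHANGES entry 5376 in this commit now says "BIND" while this note says "BIND 9", so one of the two should be aligned.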
@@ -27,7 +27,13 @@
<itemizedlist>
<listitem>
<para>
None.
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated.
[GL #1685]
</para>
</listitem>
</itemizedlist>
...
...
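Review bot: "which has been fixed in this release (see below)" in the new known-issue text does not identify which fix is meant. If it is the RPZ summary database item later in this file, cite its issue reference next to "(see below)" so operators can match the known issue to the fix without guessing. The remaining NSEC3-related case is described only as "being investigated"; stating whether it is limited to salt changes or also covers other NSEC3 parameter changes would make the scope clearer.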
@@ -37,8 +43,17 @@
<itemizedlist>
<listitem>
<para>
None.
</para>
A new option,
<command>
nsdname-wait-recurse
</command>
, has been added
to the
<command>
response-policy
</command>
clause in the configuration
file. When set to
<command>
no
</command>
, RPZ NSDNAME rules are only
applied if the authoritative nameservers for the query name have been
looked up and are present in the cache. If this information is not
present, the RPZ NSDNAME rules are ignored, but the information is
looked up in the background and applied to subsequent queries. The
default is
<command>
yes
</command>
, meaning that RPZ NSDNAME rules
should always be applied, even if the information needs to be looked
up first. [GL #1138]
</para>
</listitem>
</itemizedlist>
</section>
...
...
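Review bot: The new paragraph says that with no "the RPZ NSDNAME rules are ignored" when the nameserver data is not cached, but leaves the consequence implicit: the query that triggers the background lookup is answered without NSDNAME policy applied. Stating that outright would let operators who rely on NSDNAME rules for blocking judge the trade-off before changing the default. As a markup point, the option name and the values no and yes are all wrapped in <command>, the same element used for named elsewhere in this file; an option or literal element would describe them more accurately.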
@@ -47,9 +62,9 @@
<itemizedlist>
<listitem>
<para>
The
DNSSEC sign statistics used lots of memory.
The number of
keys
to track is reduced to four per zone, which should be enough for
99% of all signed zones. [GL #1179]
The previous
DNSSEC sign statistics used lots of memory. The number of
keys
to track is reduced to four per zone, which should be enough for
99% of all signed zones. [GL #1179]
</para>
</listitem>
</itemizedlist>
...
...
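Review bot: "used lots of memory" stays vague here while CHANGES entry 5373 in this same commit quantifies it (over 100 kB per configured zone) and names the out-of-memory risk on servers with many zones; the release note should carry the same detail. The "99% of all signed zones" figure is given without a source, and the text does not say what happens to statistics for a zone that has more than four keys; either drop the percentage or describe the behaviour for the remaining zones.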
@@ -59,20 +74,25 @@
<itemizedlist>
<listitem>
<para>
When an RPZ policy zone was updated via zone transfer
and a large
number of records w
ere
deleted,
<command>
named
</command>
could become
nonresponsive for a short period while deleted
names were removed from
the RPZ summary database. This database
cleanup is now done
incrementally over a longer period of time,
reducing such delays.
[GL #1447]
When an RPZ policy zone was updated via zone transfer
and a large
number of records w
as
deleted,
<command>
named
</command>
could become
nonresponsive for a short period while deleted
names were removed from
the RPZ summary database. This database
cleanup is now done
incrementally over a longer period of time,
reducing such delays.
[GL #1447]
</para>
</listitem>
<listitem>
<para>
Migration to dnssec-policy from existing DNSSEC strategy with
auto-dnssec maintain did not work due to bad initializing of the
key states. Fixed by looking closely at the time metadata to
set the key states to the correct values. [GL #1706]
When trying to migrate an already-signed zone from
<command>
auto-dnssec maintain
</command>
to one based on
<command>
dnssec-policy
</command>
, the existing keys were immediately
deleted and replaced with new ones. As the key rollover timing
constraints were not being followed, it was possible that some clients
would not have been able to validate responses until all old DNSSEC
information had timed out from caches. BIND now looks at the time
metadata of the existing keys and incorporates it into its DNSSEC
policy operation. [GL #1706]
</para>
</listitem>
</itemizedlist>
...
...
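Review bot: In the first list item the change from "were" to "was" in "a large number of records ... deleted" goes the wrong way: "a large number of records" takes a plural verb, so the original "were deleted" should be kept. In the second item, the new text explains that existing keys "were immediately deleted and replaced with new ones" but gives no hint for operators who already migrated on an affected version; a sentence on whether any action is needed there would complete the note.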