Merge branch 'prep-release-v9_15_7' into 'master'

Prep 9.15.7 See merge request isc-projects/bind9!2771

Merge branch 'prep-release-v9_15_7' into 'master'
Prep 9.15.7 See merge request isc-projects/bind9!2771
de42a7aa · Evan Hunt · a3dc0210 · 67bac2bc · de42a7aa · de42a7aa
Commit de42a7aa authored Dec 13, 2019 by Evan Hunt
71 changed files
--- a/CHANGES
+++ b/CHANGES
+	--- 9.15.7 released ---
+
 5336.	[bug]		The TCP high-water statistic could report an
 			incorrect value on startup. [GL #1392]


--- a/README
+++ b/README
@@ -115,9 +115,9 @@ of changes from BIND 9.14 and earlier releases. New features include:
    for zones, enabling automatic key regeneration and rollover.
  * New new network manager based on libuv.
  * Support for the new GeoIP2 geolocation API
-  * Improved DNSSEC trust anchor configuration using dnssec-keys,
-    permitting configuration of trust anchors in DS as well as DNSKEY
-    format.
+  * Improved DNSSEC trust anchor configuration using the trust-anchors
+    statement, permitting configuration of trust anchors in DS as well as
+    DNSKEY format.
  * YAML output for dig, mdig, and delv.

 Building BIND
@@ -180,9 +180,10 @@ Dependencies

 Portions of BIND that are written in Python, including dnssec-keymgr,
 dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-argparse and ply modules to be available. argparse is a standard module as
-of Python 2.7 and Python 3.2. ply is available from https://
-pypi.python.org/pypi/ply.
+argparse, ply and distutils.core modules to be available. argparse is a
+standard module as of Python 2.7 and Python 3.2. ply is available from
+https://pypi.python.org/pypi/ply. distutils.core is required for
+installation.

 Compile-time options


--- a/bin/delv/delv.1
+++ b/bin/delv/delv.1
@@ -144,7 +144,7 @@ options\&.
 Note: When reading the trust anchor file,
 \fBdelv\fR
 treats
-\fBdnssec\-keys\fR\fBinitial\-key\fR
+\fBtrust\-anchors\fR\fBinitial\-key\fR
 and
 \fBstatic\-key\fR
 entries identically\&. That is, even if a key is configured with

--- a/bin/delv/delv.html
+++ b/bin/delv/delv.html
@@ -197,7 +197,7 @@
 	  </p>
 	  <p>
 	    Note: When reading the trust anchor file,
-	    <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
+	    <span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
 	    <code class="option">initial-key</code> and <code class="option">static-key</code>
 	    entries identically.  That is, even if a key is configured
 	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is

--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -97,20 +97,6 @@ dlz \fIstring\fR {
 .if n \{\
 .RE
 .\}
-.SH "DNSSEC-KEYS"
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-dnssec\-keys { \fIstring\fR ( static\-key |
-    initial\-key | static\-ds | initial\-ds )
-    \fIinteger\fR \fIinteger\fR \fIinteger\fR
-    \fIquoted_string\fR; \&.\&.\&. };
-.fi
-.if n \{\
-.RE
-.\}
 .SH "DYNDB"
 .sp
 .if n \{\
@@ -164,7 +150,7 @@ logging {
 .\}
 .SH "MANAGED-KEYS"
 .PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
 .sp
 .if n \{\
 .RS 4
@@ -565,9 +551,23 @@ statistics\-channels {
 .if n \{\
 .RE
 .\}
+.SH "TRUST-ANCHORS"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+trust\-anchors { \fIstring\fR ( static\-key |
+    initial\-key | static\-ds | initial\-ds )
+    \fIinteger\fR \fIinteger\fR \fIinteger\fR
+    \fIquoted_string\fR; \&.\&.\&. };
+.fi
+.if n \{\
+.RE
+.\}
 .SH "TRUSTED-KEYS"
 .PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
 .sp
 .if n \{\
 .RS 4
@@ -655,10 +655,6 @@ view \fIstring\fR [ \fIclass\fR ] {
 	dnsrps\-options { \fIunspecified\-text\fR };
 	dnssec\-accept\-expired \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	dnssec\-keys { \fIstring\fR ( static\-key |
-	    initial\-key | static\-ds | initial\-ds
-	    ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
-	    \fIquoted_string\fR; \&.\&.\&. };
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
@@ -849,6 +845,10 @@ view \fIstring\fR [ \fIclass\fR ] {
 	transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
 	    ] [ dscp \fIinteger\fR ];
 	trust\-anchor\-telemetry \fIboolean\fR; // experimental
+	trust\-anchors { \fIstring\fR ( static\-key |
+	    initial\-key | static\-ds | initial\-ds
+	    ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+	    \fIquoted_string\fR; \&.\&.\&. };
 	trusted\-keys { \fIstring\fR
 	    \fIinteger\fR \fIinteger\fR
 	    \fIinteger\fR
@@ -1074,7 +1074,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
 .\}
 .nf
 dnssec\-policy \fIstring\fR {
-	dnskey\-ttl \fIttlval\fR;
+	dnskey\-ttl \fIduration\fR;
 	keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
 	parent\-ds\-ttl \fIduration\fR;
 	parent\-propagation\-delay \fIduration\fR;

--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -92,17 +92,7 @@ dlz
  </div>

  <div class="refsection">
-<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
-    <div class="literallayout"><p><br>
-dnssec-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
-initial-key|static-ds|initial-ds)<br>
-<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
-<em class="replaceable"><code>quoted_string</code></em>;...};<br>
-</p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>DYNDB</h2>
+<a name="id-1.11"></a><h2>DYNDB</h2>
    <div class="literallayout"><p><br>
 dyndb<em class="replaceable"><code>string</code></em><em class="replaceable"><code>quoted_string</code></em>{<br>
 <em class="replaceable"><code>unspecified-text</code></em>};<br>
@@ -110,7 +100,7 @@ dyndb
  </div>

  <div class="refsection">
-<a name="id-1.13"></a><h2>KEY</h2>
+<a name="id-1.12"></a><h2>KEY</h2>
    <div class="literallayout"><p><br>
 key<em class="replaceable"><code>string</code></em>{<br>
 	algorithm<em class="replaceable"><code>string</code></em>;<br>
@@ -120,7 +110,7 @@ key
  </div>

  <div class="refsection">
-<a name="id-1.14"></a><h2>LOGGING</h2>
+<a name="id-1.13"></a><h2>LOGGING</h2>
    <div class="literallayout"><p><br>
 logging{<br>
 	category<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>string</code></em>;...};<br>
@@ -141,8 +131,8 @@ logging
  </div>

  <div class="refsection">
-<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
-  <p>Deprecated - see DNSSEC-KEYS.</p>
+<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
+  <p>Deprecated - see TRUST-ANCHORS.</p>
    <div class="literallayout"><p><br>
 managed-keys{<em class="replaceable"><code>string</code></em>(static-key<br>
 |initial-key|static-ds|<br>
@@ -152,7 +142,7 @@ managed-keys
  </div>

  <div class="refsection">
-<a name="id-1.16"></a><h2>MASTERS</h2>
+<a name="id-1.15"></a><h2>MASTERS</h2>
    <div class="literallayout"><p><br>
 masters<em class="replaceable"><code>string</code></em>[port<em class="replaceable"><code>integer</code></em>][dscp<br>
 <em class="replaceable"><code>integer</code></em>]{(<em class="replaceable"><code>masters</code></em>|<em class="replaceable"><code>ipv4_address</code></em>[<br>
@@ -162,7 +152,7 @@ masters
  </div>

  <div class="refsection">
-<a name="id-1.17"></a><h2>OPTIONS</h2>
+<a name="id-1.16"></a><h2>OPTIONS</h2>
    <div class="literallayout"><p><br>
 options{<br>
 	allow-new-zones<em class="replaceable"><code>boolean</code></em>;<br>
@@ -461,7 +451,7 @@ options
  </div>

  <div class="refsection">
-<a name="id-1.18"></a><h2>PLUGIN</h2>
+<a name="id-1.17"></a><h2>PLUGIN</h2>
    <div class="literallayout"><p><br>
 plugin(query)<em class="replaceable"><code>string</code></em>[{<em class="replaceable"><code>unspecified-text</code></em><br>
 }];<br>
@@ -469,7 +459,7 @@ plugin
  </div>

  <div class="refsection">
-<a name="id-1.19"></a><h2>SERVER</h2>
+<a name="id-1.18"></a><h2>SERVER</h2>
    <div class="literallayout"><p><br>
 server<em class="replaceable"><code>netprefix</code></em>{<br>
 	bogus<em class="replaceable"><code>boolean</code></em>;<br>
@@ -507,7 +497,7 @@ server
  </div>

  <div class="refsection">
-<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
    <div class="literallayout"><p><br>
 statistics-channels{<br>
 	inet(<em class="replaceable"><code>ipv4_address</code></em>|<em class="replaceable"><code>ipv6_address</code></em>|<br>
@@ -518,9 +508,19 @@ statistics-channels
 </p></div>
  </div>

+  <div class="refsection">
+<a name="id-1.20"></a><h2>TRUST-ANCHORS</h2>
+    <div class="literallayout"><p><br>
+trust-anchors{<em class="replaceable"><code>string</code></em>(static-key|<br>
+initial-key|static-ds|initial-ds)<br>
+<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
+<em class="replaceable"><code>quoted_string</code></em>;...};<br>
+</p></div>
+  </div>
+
  <div class="refsection">
 <a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
-  <p>Deprecated - see DNSSEC-KEYS.</p>
+  <p>Deprecated - see TRUST-ANCHORS.</p>
    <div class="literallayout"><p><br>
 trusted-keys{<em class="replaceable"><code>string</code></em><em class="replaceable"><code>integer</code></em><br>
 <em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
@@ -600,10 +600,6 @@ view
 	dnsrps-options{<em class="replaceable"><code>unspecified-text</code></em>};<br>
 	dnssec-accept-expired<em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
-	initial-key|static-ds|initial-ds<br>
-	)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
-	<em class="replaceable"><code>quoted_string</code></em>;...};<br>
 	dnssec-loadkeys-interval<em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-must-be-secure<em class="replaceable"><code>string</code></em><em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-secure-to-insecure<em class="replaceable"><code>boolean</code></em>;<br>
@@ -794,6 +790,10 @@ view
 	transfer-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[port(<em class="replaceable"><code>integer</code></em>|*)<br>
 	][dscp<em class="replaceable"><code>integer</code></em>];<br>
 	trust-anchor-telemetry<em class="replaceable"><code>boolean</code></em>;//experimental<br>
+	trust-anchors{<em class="replaceable"><code>string</code></em>(static-key|<br>
+	initial-key|static-ds|initial-ds<br>
+	)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
+	<em class="replaceable"><code>quoted_string</code></em>;...};<br>
 	trusted-keys{<em class="replaceable"><code>string</code></em><br>
 	<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
 	<em class="replaceable"><code>integer</code></em><br>
@@ -1012,7 +1012,7 @@ zone

    <div class="literallayout"><p><br>
 dnssec-policy<em class="replaceable"><code>string</code></em>{<br>
-	dnskey-ttl<em class="replaceable"><code>ttlval</code></em>;<br>
+	dnskey-ttl<em class="replaceable"><code>duration</code></em>;<br>
 	keys{(csk|ksk|zsk)key-directorylifetime<em class="replaceable"><code>duration</code></em>algorithm<em class="replaceable"><code>integer</code></em>[<em class="replaceable"><code>integer</code></em>];...};<br>
 	parent-ds-ttl<em class="replaceable"><code>duration</code></em>;<br>
 	parent-propagation-delay<em class="replaceable"><code>duration</code></em>;<br>

--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -516,7 +516,7 @@ timer\&.
 \fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
 .RS 4
 Dump the security roots (i\&.e\&., trust anchors configured via
-\fBdnssec\-keys\fR
+\fBtrust\-anchors\fR
 statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via
 \fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
 .sp

--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -654,7 +654,7 @@
 <dd>
 	  <p>
 	    Dump the security roots (i.e., trust anchors
-	    configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
+	    configured via <span class="command"><strong>trust-anchors</strong></span> statements, or the
 	    managed-keys or trusted-keys statements (both deprecated), or
 	    via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
 	    anchors for the specified views.  If no view is specified, all

--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -856,6 +856,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -1042,7 +1042,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
          <strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
          if at least one trust anchor has been explicitly configured
          in <code class="filename">named.conf</code>
-          using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
+          using a <span class="command"><strong>trust-anchors</strong></span> statement (or the
          <span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
          statements, both deprecated).
        </p>
@@ -1057,7 +1057,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
        </p>

        <p>
-          The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
+          The keys specified in <span class="command"><strong>trust-anchors</strong></span>
          copies of DNSKEY RRs for zones that are used to form the
          first link in the cryptographic chain of trust.  Keys configured
          with the keyword <span class="command"><strong>static-key</strong></span> or
@@ -1071,7 +1071,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
        </p>

        <p>
-          <span class="command"><strong>dnssec-keys</strong></span> is described in more detail
+          <span class="command"><strong>trust-anchors</strong></span> is described in more detail
          later in this document.
        </p>

@@ -1094,7 +1094,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
        </p>

 <pre class="programlisting">
-dnssec-keys {
+trust-anchors {
        /* Root Key */
        "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
                                 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
@@ -1586,10 +1586,10 @@ options {
    
    <p>To configure a validating resolver to use RFC 5011 to
    maintain a trust anchor, configure the trust anchor using a
-    <span class="command"><strong>dnssec-keys</strong></span> statement and the
+    <span class="command"><strong>trust-anchors</strong></span> statement and the
    <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
    keyword. Information about this can be found in
-    <a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
+    <a class="xref" href="Bv9ARM.ch05.html#trust-anchors" title="trust-anchors Statement Definition and Usage">the section called &#8220;<span class="command"><strong>trust-anchors</strong></span> Statement Definition
            and Usage&#8221;</a>.</p>
  </div>
  <div class="section">
@@ -2915,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -191,6 +191,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
 </body>
 </html>
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -36,12 +36,13 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.7</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
@@ -57,7 +58,7 @@
 </div>
      <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.7</h2></div></div></div>
  
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -101,11 +102,12 @@
    C compiler.
  </p>
  <p>
-    The OpenSSL cryptography library must be available for the target
-    platform.  A PKCS#11 provider can be used instead for Public Key
-    cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
-    still required for general cryptography operations such as hashing
-    and random number generation.
+    The <code class="filename">libuv</code> asynchronous I/O library and the
+    OpenSSL cryptography library must be available for the target
+    platform.  A PKCS#11 provider can be used instead of OpenSSL for
+    Public Key cryptography (i.e., DNSSEC signing and validation),
+    but OpenSSL is still required for general cryptography operations
+    such as hashing and random number generation.
  </p>
  <p>
    More information can be found in the <code class="filename">PLATFORMS.md</code>
@@ -130,10 +132,73 @@

  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+          The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
+          which was introduced in 9.15.1 and revised in 9.15.6, has now
+          been renamed to the more descriptive
+          <span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
+        </p>
+        <p>
+          (See release notes for
+          <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
+          and
+          <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
+          for prior discussion of this feature.)
+        </p>
+      </li>
+<li class="listitem">
+        <p>
+          Added support for multithreaded listening for TCP connections
+	  in the network manager [GL !2659]
+        </p>
+      </li>
+</ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+          Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
+          on reconfiguration when any GeoIP2 database was in use. [GL #1445]
+        </p>
+      </li>
+<li class="listitem">
+        <p>
+          Fixed several possible race conditions discovered by Thread
+          Sanitizer.
+        </p>
+      </li>
+</ul></div>
+  </div>
+
+</div>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>

  <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+        <p>
+          Set a limit on the number of concurrently served pipelined TCP
+          queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
@@ -157,25 +222,32 @@
        </p>
      </li>
 <li class="listitem">
-	<p>
-	  Two new keywords have been added to the
-	  <span class="command"><strong>dnssec-keys</strong></span> statement:
-	  <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
-	  These allow the use of trust anchors in DS format instead of
-	  DNSKEY format.  DS format allows trust anchors to be configured
-	  for keys that have not yet been published; this is the format
-	  used by IANA when announcing future root keys.
-	</p>
-	<p>
-	  As with the <span class="command"><strong>initial-key</strong></span> and
-	  <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
-	  configures a dynamic trust anchor to be maintained via RFC 5011, and
-	  <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
-	</p>
-	<p>
-	  (Note: Currently, DNSKEY-format and DS-format trust anchors
-	  cannot both be used for the same domain name.) [GL #6] [GL #622]
-	</p>
+        <p>
+          Two new keywords have been added to the
+          <span class="command"><strong>dnssec-keys</strong></span> statement:
+          <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
+          These allow the use of trust anchors in DS format instead of
+          DNSKEY format.  DS format allows trust anchors to be configured
+          for keys that have not yet been published; this is the format
+          used by IANA when announcing future root keys.
+        </p>
+        <p>
+          As with the <span class="command"><strong>initial-key</strong></span> and
+          <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
+          configures a dynamic trust anchor to be maintained via RFC 5011, and
+          <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
+        </p>
+        <p>
+          (Note: Currently, DNSKEY-format and DS-format trust anchors
+          cannot both be used for the same domain name.) [GL #6] [GL #622]
+        </p>
+      </li>
+<li class="listitem">
+        <p>
+          Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
+          that reports the maximum number of simultaneous TCP clients BIND
+          has handled while running. [GL #1206]
+        </p>
      </li>
 </ul></div>
  </div>
@@ -193,27 +265,14 @@
        </p>
      </li>
 <li class="listitem">
-	<p>
-	  The DNSSEC validation code has been refactored for clarity and to
-	  reduce code duplication.  [GL #622]
-	</p>
+        <p>
+          The DNSSEC validation code has been refactored for clarity and to
+          reduce code duplication.  [GL #622]
+        </p>
      </li>
 </ul></div>
  </div>

-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-	<p>
-	  Too many simultaneous pipelined TCP queries could cause
-	  resource overuse. We now prevent this by enforcing a limit
-	  on the number of simultaneous requests per active connection.
-	  This flaw`is disclosed in CVE-2019-6477. [GL #1264]
-	</p>
-      </li></ul></div>
-  </div>
-
 </div>
  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -719,9 +778,6 @@
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
  <p>
    Thank you to everyone who assisted us in making this release possible.
-    If you would like to contribute to ISC to assist us in continuing to
-    make quality open source software, please visit our donations page at
-    <a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
  </p>
 </div>
 </div>
@@ -744,6 +800,6 @@