Commit 11d8177c authored by Michał Kępień

Reorder release notes

parent 2c90cfdc
......@@ -63,54 +63,31 @@ New Features
first. Extra attention is also needed when using non-standard
``./configure`` options. [GL #4]
- Added a new logging category ``rpz-passthru`` which allows RPZ
passthru actions to be logged into a separate channel. [GL #54]
- Zone timers are now exported via statistics channel. For primary
zones, only the load time is exported. For secondary zones, exported
timers also include expire and refresh times. Contributed by Paul
Frieden, Verizon Media. [GL #1232]
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or response. [GL #1834]
- Per-type record count limits can now be specified in ``update-policy``
statements, to limit the number of records of a particular type
that can be added to a domain name via dynamic update. [GL #1657]
- ``named`` and ``named-checkzone`` now reject master zones that
have a DS RRset at the zone apex. Attempts to add DS records
at the zone apex via UPDATE will be logged but otherwise ignored.
DS records belong in the parent zone, not at the zone apex. [GL #1798]
Feature Changes
~~~~~~~~~~~~~~~
- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
relying on system defaults instead. [GL #1713]
- The default rwlock implementation has been changed back to the native
BIND 9 rwlock implementation. [GL #1753]
- Per-type record count limits can now be specified in ``update-policy``
statements, to limit the number of records of a particular type
that can be added to a domain name via dynamic update. [GL #1657]
- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
v3.0 and thus made operational again. Contributed by Aaron Thompson.
[GL !3326]
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or response. [GL #1834]
- The OpenSSL ECDSA implementation has been updated to support PKCS#11
via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
#1534]
- ``dig +qid=<num>`` allows the user to specify a particular query ID
for testing purposes. [GL #1851]
- The OpenSSL EdDSA implementation has been updated to support PKCS#11
via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
is required and thus this code is only a proof-of-concept for the
time being. Contributed by Aaron Thompson. [GL #1763]
- Added a new logging category ``rpz-passthru`` which allows RPZ
passthru actions to be logged into a separate channel. [GL #54]
- Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
- Zone timers are now exported via statistics channel. For primary
zones, only the load time is exported. For secondary zones, exported
timers also include expire and refresh times. Contributed by Paul
Frieden, Verizon Media. [GL #1232]
- ``dig +qid=<num>`` allows the user to specify a particular query ID
for testing purposes. [GL #1851]
Feature Changes
~~~~~~~~~~~~~~~
- The default value of ``max-stale-ttl`` has changed from 1 week to 12 hours.
This option controls how long named retains expired RRsets in cache as a
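Review bot: The DS-at-apex entry in New Features says "master zones", while the zone timers entry in the same section uses "primary zones" and "secondary zones". Since these entries are being moved around anyway, consider changing it to "primary zones" so the notes use one terminology throughout.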
......@@ -129,6 +106,12 @@ Feature Changes
option ``max-stale-ttl 1w;`` to named.conf to keep the previous behavior
of named.
- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
relying on system defaults instead. [GL #1713]
- The default rwlock implementation has been changed back to the native
BIND 9 rwlock implementation. [GL #1753]
- BIND binaries which are neither daemons nor administrative programs
were moved to ``$bindir``. Only ``ddns-confgen``, ``named``,
``rndc``, ``rndc-confgen``, and ``tsig-confgen`` were left in
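Review bot: The ``max-stale-ttl`` context just above the two relocated entries writes "named.conf" and "of named" without literal markup, while the following entry marks up ``named``, ``rndc`` and the other program names. Worth wrapping both in double backticks while this part of Feature Changes is being rearranged, so the section renders consistently.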
......@@ -139,14 +122,32 @@ Feature Changes
:rfc:`3493` and :rfc:`3542`, this change was introduced in 9.16.0
but accudently ommited from documentation.
- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
v3.0 and thus made operational again. Contributed by Aaron Thompson.
[GL !3326]
- The OpenSSL ECDSA implementation has been updated to support PKCS#11
via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
#1534]
- The OpenSSL EdDSA implementation has been updated to support PKCS#11
via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
is required and thus this code is only a proof-of-concept for the
time being. Contributed by Aaron Thompson. [GL #1763]
- Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
- The question section is now checked when processing AXFR, IXFR
and SOA replies while transferring a zone in. [GL #1683]
Bug Fixes
~~~~~~~~~
- A bug in dnstap initialization could prevent some dnstap data from
being logged, especially on recursive resolvers. [GL #1795]
- ``named`` could crash with an assertion failure if the name of a
database node was looked up while the database was being modified.
[GL #1857]
- When running on a system with support for Linux capabilities,
``named`` drops root privileges very soon after system startup. This
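Review bot: The context line directly above the relocated PKCS#11 entries reads "accudently ommited from documentation"; that should be "accidentally omitted from documentation". It is not part of the reorder itself, but it sits right next to the moved block and is cheap to fix in the same pass.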
......@@ -154,22 +155,14 @@ Bug Fixes
0: Operation not permitted*, which has now been silenced. [GL #1042]
[GL #1090]
- When ``named-checkconf -z`` was run, it would sometimes incorrectly
set its exit code. It reflected the status of the last view found; if
zone-loading errors were found in earlier configured views but not in
the last one, the exit code indicated success. Thanks to Graham
Clinch. [GL #1807]
- When built without LMDB support, ``named`` failed to restart after a
zone with a double quote (") in its name was added with ``rndc
addzone``. Thanks to Alberto Fernández. [GL #1695]
- Missing mutex and conditional destruction in netmgr code leads to a
memory leak on BSD systems. [GL #1893]
- ``named`` could crash with an assertion failure if the name of a
database node was looked up while the database was being modified.
[GL #1857]
- Fix a data race in resolver.c:formerr() that could lead to assertion
failure. [GL #1808]
- A bug in dnstap initialization could prevent some dnstap data from
being logged, especially on recursive resolvers. [GL #1795]
- Fix a bug in dnssec-policy keymgr where the check if a key has a
successor would return a false positive if any other key in the
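Review bot: The netmgr entry in Bug Fixes is written in the present tense ("leads to a memory leak on BSD systems"), which reads as if the leak still exists, while the neighbouring entries describe the old behaviour in the past tense ("could crash", "failed to restart"). Suggest rewording it to "led to a memory leak" or "could lead to a memory leak" to match.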
......@@ -179,8 +172,12 @@ Bug Fixes
the current active key (the predecessor) was not changed and thus was
never is removed from the zone. [GL #1846]
- Fix a data race in resolver.c:formerr() that could lead to assertion
failure. [GL #1808]
- When ``named-checkconf -z`` was run, it would sometimes incorrectly
set its exit code. It reflected the status of the last view found; if
zone-loading errors were found in earlier configured views but not in
the last one, the exit code indicated success. Thanks to Graham
Clinch. [GL #1807]
- The dsset returned by dns_keynode_dsset() was not thread safe. This
could result in a INSIST being triggered. [GL #1926]
- When built without LMDB support, ``named`` failed to restart after a
zone with a double quote (") in its name was added with ``rndc
addzone``. Thanks to Alberto Fernández. [GL #1695]
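Review bot: Two grammar slips sit next to the moved entries at the end of Bug Fixes: "could result in a INSIST being triggered" in the dns_keynode_dsset() entry should read "an INSIST", and the keymgr context line "was never is removed from the zone" should read "was never removed from the zone". Both can be corrected alongside the reorder.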