Commit 1a849dab authored by Evan Hunt's avatar Evan Hunt
Browse files

[master] add missing functional changes to README

parent 756c6433
......@@ -944,7 +944,7 @@
Also, the managed keys data file has easier-to-read
comments. [RT #38458]
4054. [func] Added a new tool 'mdig', a light weight clone of
4054. [func] Added a new tool 'mdig', a lightweight clone of
dig able to send multiple pipelined queries.
[RT #38261]
......@@ -1204,7 +1204,7 @@
zone to be updated via "rndc signing -serial".
[RT #37404]
3987. [func] Handle future Visual Studio 14 incompatible changes.
3987. [port] Handle future Visual Studio 14 incompatible changes.
[RT #37380]
3986. [doc] Add the BIND version number to page footers
......
......@@ -56,11 +56,11 @@ BIND 9.11.0
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
- Added support for "dnstap", a fast and flexible method of
capturing and logging DNS traffic.
- Added support for "dyndb", a new API for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project.
- Added support for "dnstap", a fast and flexible method of
capturing and logging DNS traffic.
- Added support for "dyndb", a new API for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project.
- New "fetchlimit" quotas are now available for the use of
recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
......@@ -74,23 +74,44 @@ BIND 9.11.0
+ "fetches-per-zone" limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
+ New stats counters have been added to count
+ New stats counters have been added to count
queries spilled due to these quotas.
- The zone serial number of a dynamically updatable zone
can now be set via "rndc signing -serial <number> <zonename>".
This allows inline-signing zones to be set to a specific
serial number.
- The experimental "SIT" feature in BIND 9.10 has been renamed
"COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
enabling clients to detect off-path spoofed responses, and
servers to detect spoofed-source queries. Clients that identify
themselves using COOKIE options are not subject to response rate
limiting (RRL) and can receive larger UDP responses.
- SERVFAIL responses can now be cached for a limited time
(defaulting to 10 seconds, with an upper limit of 30).
(defaulting to 1 second, with an upper limit of 30).
This can reduce the frequency of retries when a query is
persistently failing.
- The new "rndc nta" command can be used to set a "negative
trust anchor", disabling DNSSEC validation for a specific
domain; this can be used when responses from a domain are
known to be failing validation due to administrative error
rather than because of a spoofing attack. Negative trust
anchors are strictly temporary; by default they expire after
one hour, but can be configured to last up to one week.
- The "controls" block in named.conf can now grand read-only
"rndc" access to specified clients or keys. Read-only clients
could, for example, check "rndc status" but could not
reconfigure or shut down the server.
- "rndc" commands can now return arbitrarily large amounts of
text to the caller.
- The zone serial number of a dynamically updatable zone
can now be set via "rndc signing -serial <number> <zonename>".
This allows inline-signing zones to be set to a specific
serial number.
- The new "rndc nta" command can be used to set a Negative
Trust Anchor (NTA), disabling DNSSEC validation for a
specific domain; this can be used when responses from a
domain are known to be failing validation due to administrative
error rather than because of a spoofing attack. Negative
trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
- "rndc delzone" can now be used on zones that were not originally
created by "rndc addzone".
- "rndc modzone" reconfigures a single zone, without requiring
the entire server to be reconfigured.
- "rndc showzone" displays the current configuration of a zone.
- "rndc managed-keys" can be used to check the status of RFC 5001
managed trust anchors, or to force trust anchors to be refreshed.
- "max-cache-size" can now be set to a percentage of available
memory. The default is 90%.
- Update forwarding performance has been improved by allowing
a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
......@@ -103,24 +124,55 @@ BIND 9.11.0
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
server.
- The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
take "-Psync" and "-Dsync" options to set the publication
and deletion times of CDS and CDNSKEY parent-synchronization
records. Both named and dnssec-signzone can now publish and
remove these records at the scheduled times.
- A new "masterfile-style" zone option controls the formatting
of text zone files: When set to "full", a zone file is dumped
in single-line-per-record format.
- "dig +ttlunits" causes dig to print TTL values with time-unit
suffixes: w, d, h, m, s for weeks, days, hours, minutes, and
seconds.
- "serial-update-method" can now be set to "date". On update,
the serial number will be set to the current date in YYYYMMDDNN
format.
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
the specified file by default instead of to the system log.
- dig can now set arbitrary EDNS options on requests (+ednsopt).
- dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags).
- serial-query-rate no longer covers NOTIFY messages. These are
separately controlled by notify-rate and startup-notify-rate.
- nsupdate now performs check-names processing by default on records
to be added. This can be disabled with "check-names no".
- "dig +ttlunits" prints TTL values with time-unit suffixes:
w, d, h, m, s for weeks, days, hours, minutes, and seconds.
- "dig +unknownformat" prints dig output in RFC 3597 "unknown
record" presentation format.
- "dig +ednsopt" allows dig to set arbitrary EDNS options on
requests.
- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
flags on requests.
- "mdig" is an alternate version of dig which sends multiple
pipelined TCP queries to a server. Instead of waiting for a
response after sending a query, it sends all queries
immediately and displays responses in the order received.
- "serial-query-rate" no longer controls NOTIFY messages.
These are separately controlled by "notify-rate" and
"startup-notify-rate".
- "nsupdate" now performs "check-names" processing by default
on records to be added. This can be disabled with
"check-names no".
- The statistics channel now supports DEFLATE compression,
reducing the size of the data sent over the network when
querying statistics.
- New counters have been added to the statistics channel
to track the sizes of incoming queries and outgoing responses in
histogram buckets, as specified in RSSAC002.
- An new NXDOMAIN redirect method (option "nxdomain-redirect")
has been added, allowing redirection to a specified DNS
namespace instead of a single redirect zone.
- When starting up, named now ensures that no other named
process is already running.
- Files created by named to store information, including "mkeys"
and "nzf" files, are now named after their corresponding views
unless the view name contains characters incompatible with use
as a filename. Old style filenames (based on the hash of the
view name) will still work.
This release addresses the security flaws described in
CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment