Commit 30419509 authored by Evan Hunt

[master] README and relnote fixes

parent 2361003a
...@@ -56,12 +56,12 @@ General bug reports can be sent to bind9-bugs@isc.org. ...@@ -56,12 +56,12 @@ General bug reports can be sent to bind9-bugs@isc.org.
Feature requests can be sent to bind-suggest@isc.org. Feature requests can be sent to bind-suggest@isc.org.
Please note that, while ISC's ticketing system is not currently publicly Please note that, while tickets submitted to ISC's ticketing system are
readable, this may change in the future. Please do not include information not initially publicly readable by default, they can be made publicly
in bug reports that you consider to be confidential. For example, when acessible afterward. Please do not include information in bug reports that
sending the contents of your configuration file, it is advisable to you consider to be confidential. In particular, when sending the contents
obscure key secrets; this can be done automatically by using of your configuration file, it is advisable to obscure key secrets: this
named-checkconf -px. can be done automatically by using named-checkconf -px.
Professional support and training for BIND are available from ISC at Professional support and training for BIND are available from ISC at
https://www.isc.org/support. https://www.isc.org/support.
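Review bot: the rewritten paragraph introduces a typo, "acessible" for "accessible", in the sentence about tickets being made public. In the same sentence, "not initially publicly readable by default" says the same thing twice; "not publicly readable by default" is enough. The advice to obscure key secrets with named-checkconf -px is the security-relevant part of this paragraph and reads correctly.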
...@@ -75,8 +75,9 @@ mailman/listinfo/bind-workers. ...@@ -75,8 +75,9 @@ mailman/listinfo/bind-workers.
Contributing to BIND Contributing to BIND
A public git repository for BIND is maintained at http://www.isc.org/git/, ISC maintains a public git repository for BIND; details can be found at
and also on Github at https://github.com/isc-projects. http://www.isc.org/git/, and also on Github at https://github.com/
isc-projects.
Information for BIND contributors can be found in the following files: - Information for BIND contributors can be found in the following files: -
General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/ General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
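Review bot: the reworded repository sentence still sends readers to http://www.isc.org/git/ over plain HTTP; if that page is served over HTTPS, link the https:// form so the pointer to the source repository cannot be rewritten in transit. The re-wrap also splits the second URL across two lines ("https://github.com/" then "isc-projects."), which breaks copy and paste, and "Github" should be "GitHub".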
...@@ -103,10 +104,8 @@ include: ...@@ -103,10 +104,8 @@ include:
* Cached, validated NSEC and other records can now be used to synthesize * Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses. NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported. * The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting max-journal-size default now limits the size of journal files * Setting 'max-journal-size default' now limits the size of journal
to twice the size of the zone. files to twice the size of the zone.
* The query handling code has been substantially refactored for improved
readability, maintainability and testability .
* dnstap-read -x prints a hex dump of the wire format of each logged DNS * dnstap-read -x prints a hex dump of the wire format of each logged DNS
message. message.
* dnstap output files can now be configured to roll automatically when * dnstap output files can now be configured to roll automatically when
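Review bot: the bullet "The query handling code has been substantially refactored ..." is deleted here, but the commit message ("README and relnote fixes") does not say why; if the refactoring is not part of this release, state that in the message. The new single quotes around 'max-journal-size default' are also inconsistent with the next bullet, where dnstap-read -x is left unquoted.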
...@@ -115,7 +114,7 @@ include: ...@@ -115,7 +114,7 @@ include:
ISO 8601 (UTC) formats. ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use * Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file. a timestamp as the suffix when rolling to a new file.
* named-checkconf -l lists zones found in named.conf. * 'named-checkconf -l' lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options. * Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration * 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored data for zones added by rndc addzone is stored
...@@ -189,10 +188,11 @@ smaller systems. ...@@ -189,10 +188,11 @@ smaller systems.
For the server to support DNSSEC, you need to build it with crypto For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location, installed. If the OpenSSL library is installed in a nonstandard location,
specify the prefix using "--with-openssl=/prefix" on the configure command specify the prefix using "--with-openssl=<PREFIX>" on the configure
line. To use a PKCS#11 hardware service module for cryptographic command line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using operations, specify the path to the PKCS#11 provider library using
"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11". "--with-pkcs11=<PREFIX>", and configure BIND with
"--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https:// least one of the following: libxml2 http://xmlsoft.org or json-c https://
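Review bot: "--with-pkcs11=<PREFIX>" does not match the sentence it sits in, which asks for "the path to the PKCS#11 provider library", a file path rather than an install prefix; a placeholder such as <PATH> would fit the text better. While this sentence is being re-wrapped, "hardware service module" should also be checked: the usual expansion of HSM is "hardware security module".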
...@@ -212,13 +212,16 @@ libGeoIP. This is not turned on by default; BIND must be configured with ...@@ -212,13 +212,16 @@ libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use "--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix". specify the prefix using "--with-geoip=/prefix".
For DNSTAP packet logging, you must have libfstrm https://github.com/ For DNSTAP packet logging, you must have installed libfstrm https://
farsightsec/fstrm and libprotobuf-c https://developers.google.com/ github.com/farsightsec/fstrm and libprotobuf-c https://
protocol-buffers, and BIND must be configured with "--enable-dnstap". developers.google.com/protocol-buffers, and BIND must be configured with
"--enable-dnstap".
Python requires the 'argparse' and 'ply' modules to be available. Portions of BIND that are written in Python, including dnssec-keymgr,
'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is dnssec-coverage, dnssec-checkds, and some of the system tests, require the
available from https://pypi.python.org/pypi/ply. 'argparse' and 'ply' modules to be available. 'argparse' is a standard
module as of Python 2.7 and Python 3.2. 'ply' is available from https://
pypi.python.org/pypi/ply.
On some platforms it is necessary to explicitly request large file support On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using to handle files bigger than 2GB. This can be done by using
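Review bot: the unchanged context line 'specify the prefix using "--with-geoip=/prefix"' still uses the old /prefix form, while the OpenSSL and PKCS#11 options were switched to <PREFIX> earlier in this commit; change it as well so the three options read the same way. The line before it ends in "use" and this one starts with "specify", leaving a doubled verb ("use specify the prefix") that should be fixed in the same pass.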
...@@ -250,7 +253,7 @@ Automated testing ...@@ -250,7 +253,7 @@ Automated testing
A system test suite can be run with make test. The system tests require A system test suite can be run with make test. The system tests require
you to configure a set of virtual IP addresses on your system (this allows you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These multiple servers to run locally and communicate with one another). These
IP addresses can be configured by by running the script bin/tests/system/ IP addresses can be configured by running the command bin/tests/system/
ifconfig.sh up as root. ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
......
...@@ -66,12 +66,12 @@ General bug reports can be sent to ...@@ -66,12 +66,12 @@ General bug reports can be sent to
Feature requests can be sent to Feature requests can be sent to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org). [bind-suggest@isc.org](mailto:bind-suggest@isc.org).
Please note that, while ISC's ticketing system is not currently publicly Please note that, while tickets submitted to ISC's ticketing system
readable, this may change in the future. Please do not include information are not initially publicly readable by default, they can be made publicly
in bug reports that you consider to be confidential. For example, when acessible afterward. Please do not include information in bug reports that
sending the contents of your configuration file, it is advisable to obscure you consider to be confidential. In particular, when sending the contents of
key secrets; this can be done automatically by using `named-checkconf your configuration file, it is advisable to obscure key secrets: this can
-px`. be done automatically by using `named-checkconf -px`.
Professional support and training for BIND are available from Professional support and training for BIND are available from
ISC at [https://www.isc.org/support](https://www.isc.org/support). ISC at [https://www.isc.org/support](https://www.isc.org/support).
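Review bot: the same "acessible" typo is introduced in this README.md hunk, in "they can be made publicly acessible afterward"; correct it to "accessible" here as well, and drop one of "initially" and "by default".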
...@@ -85,8 +85,8 @@ may also want to join the __BIND Workers__ mailing list, at ...@@ -85,8 +85,8 @@ may also want to join the __BIND Workers__ mailing list, at
### <a name="contrib"/> Contributing to BIND ### <a name="contrib"/> Contributing to BIND
A public git repository for BIND is maintained at ISC maintains a public git repository for BIND; details can be found
[http://www.isc.org/git/](http://www.isc.org/git/), and also on Github at [http://www.isc.org/git/](http://www.isc.org/git/), and also on Github
at [https://github.com/isc-projects](https://github.com/isc-projects). at [https://github.com/isc-projects](https://github.com/isc-projects).
Information for BIND contributors can be found in the following files: Information for BIND contributors can be found in the following files:
...@@ -116,10 +116,8 @@ include: ...@@ -116,10 +116,8 @@ include:
* Cached, validated NSEC and other records can now be used to synthesize * Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses. NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported. * The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting `max-journal-size default` now limits the size of journal files * Setting `'max-journal-size default'` now limits the size of journal files
to twice the size of the zone. to twice the size of the zone.
* The query handling code has been substantially refactored for improved
readability, maintainability and testability .
* `dnstap-read -x` prints a hex dump of the wire format of each logged * `dnstap-read -x` prints a hex dump of the wire format of each logged
DNS message. DNS message.
* `dnstap` output files can now be configured to roll automatically when * `dnstap` output files can now be configured to roll automatically when
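Review bot: in `'max-journal-size default'` the single quotes were added inside the backticks, so they become part of the code span and render as literal characters around the option name. Keep the backticks and drop the quotes, as in `dnstap-read -x` two bullets below. As in the plain-text README, the removal of the query-handling refactoring bullet is not explained by the commit message.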
...@@ -128,7 +126,7 @@ include: ...@@ -128,7 +126,7 @@ include:
8601 (UTC) formats. 8601 (UTC) formats.
* Logging channels and `dnstap` output files can now be configured to use a * Logging channels and `dnstap` output files can now be configured to use a
timestamp as the suffix when rolling to a new file. timestamp as the suffix when rolling to a new file.
* `named-checkconf -l` lists zones found in `named.conf`. * `'named-checkconf -l'` lists zones found in `named.conf`.
* Added support for the EDNS Padding and Keepalive options. * Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration * 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored data for zones added by rndc addzone is stored
...@@ -195,9 +193,9 @@ performance on smaller systems. ...@@ -195,9 +193,9 @@ performance on smaller systems.
For the server to support DNSSEC, you need to build it with crypto support. For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix OpenSSL library is installed in a nonstandard location, specify the prefix
using "--with-openssl=/prefix" on the configure command line. To use a using "--with-openssl=&lt;PREFIX&gt;" on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using "--with-pkcs11=/prefix", and path to the PKCS#11 provider library using "--with-pkcs11=&lt;PREFIX&gt;", and
configure BIND with "--enable-native-pkcs11". configure BIND with "--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at To support the HTTP statistics channel, the server must be linked with at
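Review bot: "--with-openssl=&lt;PREFIX&gt;" and "--with-pkcs11=&lt;PREFIX&gt;" use HTML entities in Markdown source, so anyone reading README.md as plain text sees the entities rather than the option they are meant to type. Putting the options in code spans with literal angle brackets, for example `--with-openssl=<PREFIX>`, gives the same text in both raw and rendered form and matches how other commands are marked in this file.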
...@@ -220,13 +218,15 @@ libGeoIP. This is not turned on by default; BIND must be configured with ...@@ -220,13 +218,15 @@ libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use "--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix". specify the prefix using "--with-geoip=/prefix".
For DNSTAP packet logging, you must have libfstrm For DNSTAP packet logging, you must have installed libfstrm
[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm) [https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
and libprotobuf-c and libprotobuf-c
[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers), [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
and BIND must be configured with "--enable-dnstap". and BIND must be configured with "--enable-dnstap".
Python requires the 'argparse' and 'ply' modules to be available. Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2. 'argparse' is a standard module as of Python 2.7 and Python 3.2.
'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply). 'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
...@@ -260,7 +260,7 @@ localstatedir defaults to `$prefix/var`. ...@@ -260,7 +260,7 @@ localstatedir defaults to `$prefix/var`.
A system test suite can be run with `make test`. The system tests require A system test suite can be run with `make test`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These multiple servers to run locally and communicate with one another). These
IP addresses can be configured by by running the script IP addresses can be configured by running the command
`bin/tests/system/ifconfig.sh up` as root. `bin/tests/system/ifconfig.sh up` as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
......
...@@ -646,6 +646,26 @@ ...@@ -646,6 +646,26 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<listitem>
<para>
If key's sync publication date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are
created.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If key's sync deletion date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are
removed.
</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
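Review bot: both new paragraphs begin "If key's sync publication date" and "If key's sync deletion date" without an article; "If a key's ..." or "If the key's ..." reads correctly. "type CDS and/or CDNSKEY" leaves open which of the two record types is created or removed in a given case; a pointer to the option that controls this would help operators predict what gets published in the zone. The two new varlistentry elements, as shown, also have no term child; confirm they match the neighbouring entries and still validate.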
......
...@@ -3815,17 +3815,17 @@ notrace</command>. All debugging messages in the server have a debug ...@@ -3815,17 +3815,17 @@ notrace</command>. All debugging messages in the server have a debug
<command>print-time</command> can be set to <command>print-time</command> can be set to
<userinput>yes</userinput>, <userinput>no</userinput>, <userinput>yes</userinput>, <userinput>no</userinput>,
or a time format specifier, which may be one of or a time format specifier, which may be one of
<option>local</option>, <option>iso8601</option> or <userinput>local</userinput>, <userinput>iso8601</userinput> or
<option>iso8601-utc</option>. If set to <userinput>iso8601-utc</userinput>. If set to
<userinput>no</userinput>, then the date and time will <userinput>no</userinput>, then the date and time will
not be logged. If set to <userinput>yes</userinput> not be logged. If set to <userinput>yes</userinput>
or <option>local</option>, the date and time are logged or <userinput>local</userinput>, the date and time are logged
in a human readable format, using the local time zone. in a human readable format, using the local time zone.
If set to <option>iso8601</option> the local time is If set to <userinput>iso8601</userinput> the local time is
logged in ISO8601 format. If set to logged in ISO8601 format. If set to
<option>iso8601-utc</option>, then the date and time <userinput>iso8601-utc</userinput>, then the date and time
are logged in ISO8601 format, with time zone set to are logged in ISO8601 format, with time zone set to
UTC. The default is <option>local</option>. UTC. The default is <userinput>local</userinput>.
</para> </para>
<para> <para>
<command>print-time</command> may <command>print-time</command> may
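Review bot: the values are now marked up consistently as userinput, but the surrounding text still writes "ISO8601 format" without a space, while the README hunks in this commit write "ISO 8601 (UTC) formats"; pick one spelling. "human readable" in the unchanged context should be hyphenated when that paragraph is next touched.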
...@@ -4987,7 +4987,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] ...@@ -4987,7 +4987,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<para> <para>
Specifies the directory in which to store the configuration Specifies the directory in which to store the configuration
parameters for zones added via <command>rndc addzone</command>. parameters for zones added via <command>rndc addzone</command>.
By default, this is the working directory. By default, this is the working directory. If set to a relative
path, it will be relative to the working directory.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
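Review bot: the added sentence "If set to a relative path, it will be relative to the working directory" does not say which setting defines the working directory; naming the directory option explicitly would remove the ambiguity. Since rndc addzone writes zone configuration to this location, it is also worth stating that the directory must already exist and be writable by named, if that is the case.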
...@@ -5710,12 +5711,14 @@ options { ...@@ -5710,12 +5711,14 @@ options {
<listitem> <listitem>
<para> <para>
Specifies the TTL to be returned on stale answers. Specifies the TTL to be returned on stale answers.
The default is 1 second. The minimal allowed is The default is 1 second. The minimum allowed is
also 1 second; a value of 0 will be updated silently also 1 second; a value of 0 will be updated silently
to 1 second. For stale answers to be returned to 1 second. For stale answers to be returned,
they must be enabled (either in the configuration file
using <command>stale-answer-enable</command> or via
<command>rndc</command>), and
<option>max-stale-ttl</option> must be set to a <option>max-stale-ttl</option> must be set to a
non zero value and they must not have been disabled nonzero value.
by <command>rndc</command>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
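Review bot: the new wording says stale answers can be enabled "via rndc" without naming the subcommand, while the stale-answer-enable entry later in this commit documents it as rndc serve-stale on; naming it here saves a lookup. The sentence also marks stale-answer-enable as command and max-stale-ttl as option although both are named.conf options; use one element for both.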
...@@ -6448,17 +6451,21 @@ options { ...@@ -6448,17 +6451,21 @@ options {
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><command>serve-stale-enable</command></term> <term><command>stale-answer-enable</command></term>
<listitem> <listitem>
<para> <para>
Enable the returning of stale answers when the Enable the returning of stale answers when the
nameservers for the zone are not answering. This nameservers for the zone are not answering. This
is off by default but can be enabled/disabled via is off by default, but can be enabled/disabled via
<command>rndc server-stale on</command> and <command>rndc serve-stale on</command> and
<command>rndc server-stale off</command> which <command>rndc serve-stale off</command>, which
override the named.conf setting. <command>rndc override the <filename>named.conf</filename>
server-stale reset</command> will restore control setting. <command>rndc serve-stale reset</command>
via named.conf. restores the setting to the one specified in
<filename>named.conf</filename>. Note that
reloading or reconfiguring <command>named</command>
will not re-enable serving of stale records if they
have been disabled via <command>rndc</command>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
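Review bot: the closing note covers only one direction, "will not re-enable serving of stale records if they have been disabled via rndc". The preceding sentence says both rndc serve-stale on and rndc serve-stale off override named.conf, so the note should state that a reload or reconfig leaves any rndc override in place, enabled or disabled, until rndc serve-stale reset is run. Otherwise an operator who sets stale-answer-enable to no in named.conf and reloads may assume stale answers are off when an earlier rndc serve-stale on is still in effect.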
......
...@@ -50,10 +50,11 @@ ...@@ -50,10 +50,11 @@
anything other than the changes you made to our software. anything other than the changes you made to our software.
</para> </para>
<para> <para>
This requirement will not affect anyone who is using BIND This requirement will not affect anyone who is using BIND, with
without redistributing it, nor anyone redistributing it without or without modifications, without redistributing it, nor anyone
changes, therefore this change will be without consequence redistributing it without changes. Therefore, this change will be
for most individuals and organizations who are using BIND. without consequence for most individuals and organizations who are
using BIND.
</para> </para>
<para> <para>
Those unsure whether or not the license change affects their Those unsure whether or not the license change affects their
...@@ -65,10 +66,10 @@ ...@@ -65,10 +66,10 @@
</para> </para>
</section> </section>
<section xml:id="win_support"><info><title>Windows XP No Longer Supported</title></info> <section xml:id="win_support"><info><title>Legacy Windows No Longer Supported</title></info>
<para> <para>
As of BIND 9.11.2, Windows XP is no longer a supported platform for As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
BIND, and Windows XP binaries are no longer available for download platforms for BIND; "XP" binaries are no longer available for download
from ISC. from ISC.
</para> </para>
</section> </section>
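Review bot: '"XP" binaries are no longer available for download' is ambiguous now that the paragraph covers both Windows XP and Windows 2003; say whether the XP build was also the one used on Windows 2003, or name both. The quotation marks around XP suggest a package label, which should be explained or dropped.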
...@@ -294,13 +295,14 @@ ...@@ -294,13 +295,14 @@
zone's validated CDS or CDNSKEY records. It can produce a zone's validated CDS or CDNSKEY records. It can produce a
<filename>dsset</filename> file suitable for input to <filename>dsset</filename> file suitable for input to
<command>dnssec-signzone</command>, or a series of <command>dnssec-signzone</command>, or a series of
<command>nsupdate</command> to update the parent zone via dynamic <command>nsupdate</command> commands to update the parent zone
DNS. Thanks to Tony Finch for the contribution. [RT #46090] via dynamic DNS. Thanks to Tony Finch for the contribution.
[RT #46090]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<command>nsupdate</command> and <command>rndc</command> now accepts <command>nsupdate</command> and <command>rndc</command> now accept
command line options <command>-4</command> and <command>-6</command> command line options <command>-4</command> and <command>-6</command>
which force using only IPv4 or only IPv6, respectively. [RT #45632] which force using only IPv4 or only IPv6, respectively. [RT #45632]
</para> </para>
...@@ -481,13 +483,18 @@ ...@@ -481,13 +483,18 @@
these algorithms must be supported in OpenSSL; these algorithms must be supported in OpenSSL;
currently they are only available in the development branch currently they are only available in the development branch
of OpenSSL at of OpenSSL at
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://github.com/openssl/openssl">https://github.com/openssl/openssl</link>. <link xmlns:xlink="http://www.w3.org/1999/xlink"
xlink:href="https://github.com/openssl/openssl">
https://github.com/openssl/openssl</link>.
[RT #44696] [RT #44696]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
EDNS KEY TAG options are verified and printed. When parsing DNS messages, EDNS KEY TAG options are checked
for correctness. When printing messages (for example, in
<command>dig</command>), EDNS KEY TAG options are printed
in readable format.
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
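Review bot: splitting the link element over three lines puts a newline and indentation inside the link text before "https://github.com/openssl/openssl", which can show up as leading whitespace in rendered output; break the line inside the start tag only and keep the URL text directly against the tags. In the rewritten EDNS KEY TAG item, "checked for correctness" does not say what happens to a message that fails the check; state the resulting behaviour if it is defined.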
...@@ -624,15 +631,6 @@ ...@@ -624,15 +631,6 @@
are now fully rolled back in the event of failure. [RT #45841] are now fully rolled back in the event of failure. [RT #45841]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Fixed a bug that was introduced in an earlier development
release which caused multi-packet AXFR and IXFR messages to fail
validation if not all packets contained TSIG records; this
caused interoperability problems with some other DNS
implementations. [RT #45509]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Multiple <command>cookie-secret</command> clauses are now Multiple <command>cookie-secret</command> clauses are now
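Review bot: the release note for [RT #45509] (multi-packet AXFR and IXFR messages failing validation when not all packets contained TSIG records) is removed here with no reason given in the commit message. The entry itself says the bug "was introduced in an earlier development release", so the removal may be intentional because no released version was affected; if so, say that in the commit message, since this is a TSIG validation fix that operators may search the notes for.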
......