Commit 9448aaca authored by Tinderbox User's avatar Tinderbox User

regen master

parent 56376458
......@@ -5,13 +5,14 @@ Contents
1. Introduction
2. Reporting bugs and getting help
3. Contributing to BIND
4. BIND 9.12 features
4. BIND 9.13 features
5. Building BIND
6. Compile-time options
7. Automated testing
8. Documentation
9. Change log
10. Acknowledgments
6. MacOS
7. Compile-time options
8. Automated testing
9. Documentation
10. Change log
11. Acknowledgments
Introduction
......@@ -89,39 +90,13 @@ header with "[PATCH]" so it will be easier for us to find. If your patch
introduces a new feature in BIND, please submit it to bind-suggest@isc.org
; if it fixes a bug, please submit it to bind9-bugs@isc.org.
BIND 9.12 features
BIND 9.13 features
BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features
BIND 9.13.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.12 and earlier releases. New features
include:
* named and related libraries have been substantially refactored for
improved query performance -- particularly on delegation heavy zones
-- and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been
moved into a new libns library, for easier testing and use in tools
other than named.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting 'max-journal-size default' now limits the size of journal
files to twice the size of the zone.
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file.
* 'named-checkconf -l' lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored.
* The default key algorithm in rndc-confgen is now hmac-sha256.
* filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
default without a configure option.
* The obsolete isc-hmac-fixup command has been removed.
* TBD
Building BIND
......@@ -165,6 +140,14 @@ BUILD_CPPFLAGS
BUILD_LDFLAGS
BUILD_LIBS
MacOS
Building on MacOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from https://developer.apple.com/download/more/ or
if you have Xcode already installed you can run "xcode-select --install".
This will add /usr/include to the system and install the compiler and
other tools so that they can be easily found.
Compile-time options
To see a full list of configuration options, run configure --help.
......
......@@ -4668,13 +4668,13 @@ options {
difference set.
</p>
<p><span class="command"><strong>ixfr-from-differences</strong></span>
also accepts <span class="command"><strong>master</strong></span> and
<span class="command"><strong>slave</strong></span> at the view and options
levels which causes
also accepts <span class="command"><strong>master</strong></span> (or
<span class="command"><strong>primary</strong></span>) and
<span class="command"><strong>slave</strong></span> (or <span class="command"><strong>secondary</strong></span>)
at the view and options levels, which causes
<span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for
all <span class="command"><strong>master</strong></span> or
<span class="command"><strong>slave</strong></span> zones respectively.
It is off by default.
all primary or secondary zones, respectively.
It is off for all zones by default.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
......@@ -9219,7 +9219,7 @@ view "external" {
Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
<span class="command"><strong>type</strong></span> master ;
<span class="command"><strong>type</strong></span> ( master | primary );
[ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
[ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
[ <span class="command"><strong>allow-transfer</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
......@@ -9278,7 +9278,7 @@ view "external" {
<span class="command"><strong>}</strong></span> ;
<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
<span class="command"><strong>type</strong></span> slave ;
<span class="command"><strong>type</strong></span> (slave | secondary);
[ <span class="command"><strong>allow-notify</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
[ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
[ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
......@@ -9442,10 +9442,14 @@ view "external" {
The <span class="command"><strong>type</strong></span> keyword is required
for the <span class="command"><strong>zone</strong></span> configuration unless
it is an <span class="command"><strong>in-view</strong></span> configuration. Its
acceptable values include: <code class="varname">delegation-only</code>,
<code class="varname">forward</code>, <code class="varname">hint</code>,
<code class="varname">master</code>, <code class="varname">redirect</code>,
<code class="varname">slave</code>, <code class="varname">static-stub</code>,
acceptable values include:
<code class="varname">master</code> (or <code class="varname">primary</code>),
<code class="varname">slave</code> (or <code class="varname">secondary</code>),
<code class="varname">delegation-only</code>,
<code class="varname">forward</code>,
<code class="varname">hint</code>,
<code class="varname">redirect</code>,
<code class="varname">static-stub</code>,
and <code class="varname">stub</code>.
</p>
......@@ -9466,8 +9470,8 @@ view "external" {
<p>
The server has a master copy of the data
for the zone and will be able to provide authoritative
answers for
it.
answers for it. Type <code class="varname">primary</code> is
a synonym for <code class="varname">master</code>.
</p>
</td>
</tr>
......@@ -9480,7 +9484,9 @@ view "external" {
<td>
<p>
A slave zone is a replica of a master
zone. The <span class="command"><strong>masters</strong></span> list
zone. Type <code class="varname">secondary</code> is a
synonym for <code class="varname">slave</code>.
The <span class="command"><strong>masters</strong></span> list
specifies one or more IP addresses
of master servers that the slave contacts to update
its copy of the zone.
......
......@@ -40,14 +40,11 @@
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
......@@ -61,10 +58,10 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.12.0 is a new feature release of BIND, still under development.
BIND 9.13 is unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development
release leading up to the final BIND 9.12.0 release, this document
release leading up to the stable BIND 9.14 release, this document
will be updated with additional features added and bugs fixed.
</p>
</div>
......@@ -83,46 +80,6 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
With the release of BIND 9.11.0, ISC changed to the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0).
</p>
<p>
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, that you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
</p>
<p>
This requirement will not affect anyone who is using BIND, with
or without modifications, without redistributing it, nor anyone
redistributing it without changes. Therefore, this change will be
without consequence for most individuals and organizations who are
using BIND.
</p>
<p>
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
https://www.isc.org/mission/contact/</a>.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
<p>
As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
platforms for BIND; "XP" binaries are no longer available for download
from ISC.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
......@@ -134,712 +91,81 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Many aspects of <span class="command"><strong>named</strong></span> have been modified
to improve query performance, and in particular, performance
for delegation-heavy zones:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
The additional cache ("acache") was found not to
significantly improve performance and has been removed.
As a result, the <span class="command"><strong>acache-enable</strong></span> and
<span class="command"><strong>acache-cleaning-interval</strong></span> options no longer
have any effect. For backwards compatibility, BIND will
accept their presence in a configuration file, but
will log a warning.
</p>
</li>
<li class="listitem">
<p>
In place of the acache, <span class="command"><strong>named</strong></span> can now use
a glue cache to speed up retrieval of glue records when sending
delegation responses. Unlike acache, this feature is on by
default; use <span class="command"><strong>glue-cache no;</strong></span> to disable it.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>minimal-responses</strong></span> is now set
to <code class="literal">no-auth-recursive</code> by default.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>additional-from-cache</strong></span>
and <span class="command"><strong>additional-from-auth</strong></span> options no longer
have any effect. <span class="command"><strong>named</strong></span> will log a warning
if they are set.
</p>
</li>
<li class="listitem">
<p>
Several functions have been refactored to improve
performance, including name compression, owner name
case restoration, hashing, and buffers.
</p>
</li>
<li class="listitem">
<p>
When built with default <span class="command"><strong>configure</strong></span> options,
<span class="command"><strong>named</strong></span> no longer fills memory with tag
values when allocating or freeing it. This improves performance,
but makes it more difficult to debug certain memory-related
errors. The default is reversed if building with developer
options. <span class="command"><strong>named -M fill</strong></span> or
<span class="command"><strong>named -M nofill</strong></span> will set the behavior
accordingly regardless of build options.
</p>
</li>
</ul></div>
</li>
<li class="listitem">
<p>
Several areas of code have been refactored for improved
readability, maintainability, and testability:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
The <span class="command"><strong>named</strong></span> query logic implemented in
<span class="command"><strong>query_find()</strong></span> has been split into
smaller functions with a context structure to maintain state
between them, and extensive comments have been added.
[RT #43929]
</p>
</li>
<li class="listitem">
<p>
Similarly the iterative query logic implemented in
<span class="command"><strong>resquery_response()</strong></span> function has been
split into smaller functions and comments added. [RT #45362]
</p>
</li>
</ul></div>
</li>
<li class="listitem">
<p>
Code implementing name server query processing has been moved
from <span class="command"><strong>named</strong></span> to an external library,
<span class="command"><strong>libns</strong></span>. This will make it easier to
write unit tests for the code, or to link it into new tools.
[RT #45186]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can now synthesize negative responses
(NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
records that were returned in negative or wildcard responses from
authoritative servers.
</p>
<p>
This will reduce query loads on authoritative servers for signed
domains: when existing cached records can be used by the resolver
to determine that a name does not exist in the authorittive domain,
no query needs to be sent. Reducing the number of iterative queries
should also improve resolver performance.
</p>
<p>
This behavior is controlled by the new
<code class="filename">named.conf</code> option
<span class="command"><strong>synth-from-dnssec</strong></span>. It is enabled by
default.
</p>
<p>
Note: this currently only works for zones signed using NSEC.
Support for zones signed using NSEC3 (without opt-out) is
planned for the future.
</p>
<p>
Thanks to APNIC for sponsoring this work.
</p>
</li>
<li class="listitem">
<p>
When acting as a recursive resolver, <span class="command"><strong>named</strong></span>
can now continue returning answers whose TTLs have expired
when the authoritative server is under attack and unable to
respond. This is controlled by the
<span class="command"><strong>stale-answer-enable</strong></span>,
<span class="command"><strong>stale-answer-ttl</strong></span> and
<span class="command"><strong>max-stale-ttl</strong></span> options. [RT #44790]
</p>
</li>
<li class="listitem">
<p>
The DNS Response Policy Service (DNSRPS) API, a mechanism to
allow <span class="command"><strong>named</strong></span> to use an external response policy
provider, is now supported. (One example of such a provider is
"FastRPZ" from Farsight Security, Inc.) This allows the same
types of policy filtering as standard RPZ, but can reduce the
workload for <span class="command"><strong>named</strong></span>, particularly when using
large and frequently-updated policy zones. It also enables
<span class="command"><strong>named</strong></span> to share response policy providers
with other DNS implementations such as Unbound.
</p>
<p>
This feature is avaiable if BIND is built with
<span class="command"><strong>configure --enable-dnsrps</strong></span>, if a DNSRPS
provider is installed, and if <span class="command"><strong>dnsrps-enable</strong></span>
is set to "yes" in <code class="filename">named.conf</code>. Standard
built-in RPZ is used otherwise.
</p>
<p>
Thanks to Vernon Schryver and Farsight Security for the
contribution. [RT #43376]
</p>
</li>
<li class="listitem">
<p>
Setting <span class="command"><strong>max-journal-size</strong></span> to
<code class="literal">default</code> limits journal sizes to twice the
size of the zone contents. This can be overridden by setting
<span class="command"><strong>max-journal-size</strong></span> to <code class="literal">unlimited</code>
or to an explicit value up to 2G. Thanks to Tony Finch for
the contribution. [RT #38324]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
automatically roll when they reach a specified size. If
<span class="command"><strong>dnstap-output</strong></span> is configured with mode
<code class="literal">file</code>, then it can take optional
<span class="command"><strong>size</strong></span> and <span class="command"><strong>versions</strong></span>
key-value arguments to set the logfile rolling parameters.
(These have the same semantics as the corresponding
options in a <span class="command"><strong>logging</strong></span> channel statement.)
[RT #44502]
</p>
</li>
<li class="listitem">
<p>
Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
now be configured with a <span class="command"><strong>suffix</strong></span> option,
set to either <code class="literal">increment</code> or
<code class="literal">timestamp</code>, indicating whether log files
should be given incrementing suffixes when they roll
over (e.g., <code class="filename">logfile.0</code>,
<code class="filename">.1</code>, <code class="filename">.2</code>, etc)
or suffixes indicating the time of the roll. The default
is <code class="literal">increment</code>. [RT #42838]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>print-time</strong></span> option in the
<span class="command"><strong>logging</strong></span> configuration can now take arguments
<strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
<strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
which the date and time should be logged. For backward
compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
<strong class="userinput"><code>local</code></strong>. [RT #42585]
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>dnssec-cds</strong></span> command generates a new DS
set to place in a parent zone, based on the contents of a child
zone's validated CDS or CDNSKEY records. It can produce a
<code class="filename">dsset</code> file suitable for input to
<span class="command"><strong>dnssec-signzone</strong></span>, or a series of
<span class="command"><strong>nsupdate</strong></span> commands to update the parent zone
via dynamic DNS. Thanks to Tony Finch for the contribution.
[RT #46090]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accept
command line options <span class="command"><strong>-4</strong></span> and <span class="command"><strong>-6</strong></span>
which force using only IPv4 or only IPv6, respectively. [RT #45632]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>nsec3hash -r</strong></span> ("rdata order") takes arguments
in the same order as they appear in NSEC3 or NSEC3PARAM records.
This makes it easier to generate an NSEC3 hash using values cut
and pasted from an existing record. Thanks to Tony Finch for
the contribution. [RT #45183]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>new-zones-directory</strong></span> option allows
<span class="command"><strong>named</strong></span> to store configuration parameters
for zones added via <span class="command"><strong>rndc addzone</strong></span> in a
location other than the working directory. Thanks to Petr
Men&#353;k of Red Hat for the contribution.
[RT #44853]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
dump of the wire format DNS message encapsulated in each
<span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>host -A</strong></span> option returns most
records for a name, but omits types RRSIG, NSEC and NSEC3.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
for EDNS options in addition to numeric values. For example,
an EDNS Client-Subnet option could be sent using
<span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
John Worley of Secure64 for the contribution. [RT #44461]
</p>
</li>
<li class="listitem">
<p>
Added support for the EDNS TCP Keepalive option (RFC 7828);
this allows negotiation of longer-lived TCP sessions
to reduce the overhead of setting up TCP for individual
queries. [RT #42126]
</p>
</li>
<li class="listitem">
<p>
Added support for the EDNS Padding option (RFC 7830),
which obfuscates packet size analysis when DNS queries
are sent over an encrypted channel. [RT #42094]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc</strong></span> commands which refer to zone names
can now reference a zone of type <span class="command"><strong>redirect</strong></span>
by using the special zone name "-redirect". (Previously this
was not possible because <span class="command"><strong>redirect</strong></span> zones
always have the name ".", which can be ambiguous.)
</p>
<p>
In the event you need to manipulate a zone actually
called "-redirect", use a trailing dot: "-redirect."
</p>
<p>
Note: This change does not appply to the
<span class="command"><strong>rndc addzone</strong></span> or
<span class="command"><strong>rndc modzone</strong></span> commands.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
in <code class="filename">named.conf</code>. [RT #43154]
</p>
</li>
<li class="listitem">
<p>
Query logging now includes the ECS option, if one was
present in the query, in the format
"[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
</p>
</li>
<li class="listitem">
<p>
By default, BIND now uses the random number generation functions
in the cryptographic library (i.e., OpenSSL or a PKCS#11
provider) as a source of high-quality randomness rather than
<code class="filename">/dev/random</code>. This is suitable for virtual
machine environments, which may have limited entropy pools and
lack hardware random number generators.
</p>
<p>
This can be overridden by specifying another entropy source via
the <span class="command"><strong>random-device</strong></span> option in
<code class="filename">named.conf</code>, or via the <span class="command"><strong>-r</strong></span>
command line option. However, for functions requiring full
cryptographic strength, such as DNSSEC key generation, this
<span class="emphasis"><em>cannot</em></span> be overridden. In particular, the
<span class="command"><strong>-r</strong></span> command line option no longer has any
effect on <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
<p>
This can be disabled by building with
<span class="command"><strong>configure --disable-crypto-rand</strong></span>, in which
case <code class="filename">/dev/random</code> will be the default
entropy source. [RT #31459] [RT #46047]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc managed-keys destroy</strong></span> shuts down all
RFC 5011 DNSSEC trust anchor maintenance, and deletes any
existing managed keys database. If immediately followed by
<span class="command"><strong>rndc reconfig</strong></span>, this will reinitialize
key maintenance just as if the server was being started for
the first time.
</p>
<p>
This is intended for testing purposes, but can be used -- with
extreme caution -- as a brute-force repair for unrecoverable
problems with a managed keys database, to jumpstart the key
acquisition process if <code class="filename">bind.keys</code> is updated,
etc. [RT #32456]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-signzone -S</strong></span> can now add or remove
synchronization records (CDS and CDNSKEY) based on key metadata
set by the <span class="command"><strong>-Psync</strong></span> and <span class="command"><strong>-Dsync</strong></span>
options to <span class="command"><strong>dnssec-keygen</strong></span>,
<span class="command"><strong>dnssec-settime</strong></span>, etc. [RT #46149]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-checkds -s</strong></span> specifies a file from
which to read a DS set rather than querying the parent zone.
This can be used to check zone correctness prior to
publication. Thanks to Niall O'Reilly [RT #44667]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The ISC DNSSEC Lookaside Validation (DLV) service has
been shut down; all DLV records in the dlv.isc.org zone
have been removed. References to the service have been
removed from BIND documentation. Lookaside validation
is no longer used by default by <span class="command"><strong>delv</strong></span>.
The DLV key has been removed from <code class="filename">bind.keys</code>.
Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
<span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
anchor results in a warning being issued.
</p>
</li>
<li class="listitem">
<p>
As noted above, the <span class="command"><strong>acache-enable</strong></span>,
<span class="command"><strong>acache-cleaning-interval</strong></span>,
<span class="command"><strong>additional-from-cache</strong></span> and
<span class="command"><strong>additional-from-auth</strong></span> options are no longer
effective and <span class="command"><strong>named</strong></span> will log a warning if
they are set.
</p>
</li>
<li class="listitem">
<p>
The use of <span class="command"><strong>dnssec-keygen</strong></span> to generate
HMAC keys for TSIG authentication has been deprecated in favor
of <span class="command"><strong>tsig-keygen</strong></span>. If the algorithms HMAC-MD5,
HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or
HMAC-SHA512 are specified, <span class="command"><strong>dnssec-keygen</strong></span>
will print a warning message. These algorithms will be
removed from <span class="command"><strong>dnssec-keygen</strong></span> entirely in
a future release. [RT #42272]
</p>
</li>
<li class="listitem">
<p>
The use of HMAC-MD5 for RNDC keys is no longer recommended.
The default algorithm generated by <span class="command"><strong>rndc-confgen</strong></span>
is now HMAC-SHA256. [RT #42272]
</p>
</li>
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">