ISC Open Source Projects / BIND
Commit db955e6f
authored Feb 18, 2014 by Evan Hunt
[master] add SIT and the new stats counters to README
parent 6a3fa181
Showing 1 changed file with 26 additions and 11 deletions
README
...
@@ -57,9 +57,20 @@ BIND 9.10.0
...
@@ -57,9 +57,20 @@ BIND 9.10.0
releases. New features include:
releases. New features include:
- DNS Response-rate limiting (DNS RRL), which blunts the
- DNS Response-rate limiting (DNS RRL), which blunts the
impact of reflection and amplification attacks, is
impact of reflection and amplification attacks, is always
always compiled in and no longer requires a compile-time
compiled in and no longer requires a compile-time option
option to enable it.
to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
is now available. Similar to DNS Cookies as invented by
Donald Eastlake 3rd, these are designed to enable clients
to detect off-path spoofed responses, and to enable servers
to detect spoofed-source queries. Servers can be configured
to send smaller responses to clients that have not identified
themselves using a SIT option, reducing the effectiveness of
amplification attacks. RRL processing has also been updated;
clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this
feature in BIND.
- A new zone file format, "map", stores zone data in a
- A new zone file format, "map", stores zone data in a
format that can be mapped directly into memory, allowing
format that can be mapped directly into memory, allowing
significantly faster zone loading.
significantly faster zone loading.
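Review bot: In the new SIT entry, the sentence "RRL processing has also been updated; clients proven to be legitimate via SIT are not subject to rate limiting" reads as unconditional, while the same entry calls SIT experimental and says it is enabled with "configure --enable-sit". State explicitly that the RRL exemption applies only in builds configured with that option, so operators who depend on RRL do not assume behaviour their build does not have. "Servers can be configured to send smaller responses" also gives no setting name or documentation pointer; a reference to where this is configured would make the entry actionable. The RRL bullet above it is only re-wrapped, which adds whitespace-only churn to a documentation change.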
...
@@ -87,27 +98,31 @@ BIND 9.10.0
...
@@ -87,27 +98,31 @@ BIND 9.10.0
- New "rpz-client-ip" triggers and drop policies allowing
- New "rpz-client-ip" triggers and drop policies allowing
response policies based on the IP address of the client.
response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location
- ACLs can now be specified based on geographic location
using the MaxMind GeoIP databases.
using the MaxMind GeoIP databases. Use "configure
--with-geoip" to enable.
- Zone data can now be shared between views, allowing
- Zone data can now be shared between views, allowing
multiple views to serve the same zones authoritatively
multiple views to serve the same zones authoritatively
without storing multiple copies in memory.
without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel
- New XML schema (version 3) for the statistics channel
includes many new statistics and uses a flattened XML tree
includes many new statistics and uses a flattened XML tree
for faster parsing.
for faster parsing.
The older schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays
- A new stylesheet, based on the Google Charts API, displays
XML statistics in charts and graphs on javascript-enabled
XML statistics in charts and graphs on javascript-enabled
browsers.
browsers.
- The statistics channel can now provide data in JSON
- The statistics channel can now provide data in JSON
format as well as XML.
format as well as XML.
- New stats counters track TCP and UDP queries on a
per-zone basis.
- The internal and export versions of the BIND libraries
- The internal and export versions of the BIND libraries
(libisc, libdns, etc) have been unified so that external
(libisc, libdns, etc) have been unified so that external
library clients can use the same libraries as BIND itself.
library clients can use the same libraries as BIND itself.
- A new compile-time option allows the BIND 9 cryptography
- A new compile-time option, "configure --enable-native-pkcs11",
functions to use the PKCS#11 API natively, so that BIND
allows BIND 9 cryptography functions to use the PKCS#11 API
can drive a cryptographic hardware service module directly
natively, so that BIND can drive a cryptographic hardware
instead of using a modified OpenSSL as an intermediary.
service module (HSM) directly instead of using a modified
This has been tested with the Thales nShield HSM and with
OpenSSL as an intermediary. This has been tested with the
SoftHSMv2 from the Open DNSSEC project.
Thales nShield HSM and with SoftHSMv2 from the Open DNSSEC
project.
- New "dnssec-coverage" tool to check DNSSEC key coverage
- New "dnssec-coverage" tool to check DNSSEC key coverage
for a zone and report if a lapse in signing coverage has
for a zone and report if a lapse in signing coverage has
been inadvertently scheduled.
been inadvertently scheduled.
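Review bot: In the PKCS#11 entry, the newly added abbreviation is attached to "cryptographic hardware service module (HSM)"; HSM conventionally expands to "hardware security module", so the wording should be corrected while these lines are being rewritten. In the statistics entry, "The older schema is now deprecated." does not say which schema version is meant or whether the statistics channel still serves it; naming the version next to "New XML schema (version 3)" would tell operators with existing parsers what to migrate. The new per-zone TCP and UDP counters line could also say whether the counters appear in the XML output, the JSON output, or both.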