Commit e0882721 authored by Tinderbox User's avatar Tinderbox User

prep 9.15.7

parent a3dc0210
--- 9.15.7 released ---
5336. [bug] The TCP high-water statistic could report an
incorrect value on startup. [GL #1392]
......
......@@ -115,9 +115,9 @@ of changes from BIND 9.14 and earlier releases. New features include:
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using dnssec-keys,
permitting configuration of trust anchors in DS as well as DNSKEY
format.
* Improved DNSSEC trust anchor configuration using the trust-anchors
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for dig, mdig, and delv.
Building BIND
......@@ -180,9 +180,10 @@ Dependencies
Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the
argparse and ply modules to be available. argparse is a standard module as
of Python 2.7 and Python 3.2. ply is available from https://
pypi.python.org/pypi/ply.
argparse, ply and distutils.core modules to be available. argparse is a
standard module as of Python 2.7 and Python 3.2. ply is available from
https://pypi.python.org/pypi/ply. distutils.core is required for
installation.
Compile-time options
......
......@@ -144,7 +144,7 @@ options\&.
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBdnssec\-keys\fR\fBinitial\-key\fR
\fBtrust\-anchors\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
......
......@@ -197,7 +197,7 @@
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
<span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
......
......@@ -97,20 +97,6 @@ dlz \fIstring\fR {
.if n \{\
.RE
.\}
.SH "DNSSEC-KEYS"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds )
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
.\}
.SH "DYNDB"
.sp
.if n \{\
......@@ -164,7 +150,7 @@ logging {
.\}
.SH "MANAGED-KEYS"
.PP
Deprecated \- see DNSSEC\-KEYS\&.
Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
......@@ -565,9 +551,23 @@ statistics\-channels {
.if n \{\
.RE
.\}
.SH "TRUST-ANCHORS"
.sp
.if n \{\
.RS 4
.\}
.nf
trust\-anchors { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds )
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
.\}
.SH "TRUSTED-KEYS"
.PP
Deprecated \- see DNSSEC\-KEYS\&.
Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
......@@ -655,10 +655,6 @@ view \fIstring\fR [ \fIclass\fR ] {
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
......@@ -849,6 +845,10 @@ view \fIstring\fR [ \fIclass\fR ] {
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ];
trust\-anchor\-telemetry \fIboolean\fR; // experimental
trust\-anchors { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR
\fIinteger\fR
......@@ -1074,7 +1074,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
.\}
.nf
dnssec\-policy \fIstring\fR {
dnskey\-ttl \fIttlval\fR;
dnskey\-ttl \fIduration\fR;
keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
parent\-ds\-ttl \fIduration\fR;
parent\-propagation\-delay \fIduration\fR;
......
......@@ -92,17 +92,7 @@ dlz
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
initial-key|static-ds|initial-ds)<br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>DYNDB</h2>
<a name="id-1.11"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb<em class="replaceable"><code>string</code></em><em class="replaceable"><code>quoted_string</code></em>{<br>
<em class="replaceable"><code>unspecified-text</code></em>};<br>
......@@ -110,7 +100,7 @@ dyndb
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>KEY</h2>
<a name="id-1.12"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key<em class="replaceable"><code>string</code></em>{<br>
algorithm<em class="replaceable"><code>string</code></em>;<br>
......@@ -120,7 +110,7 @@ key
</div>
<div class="refsection">
<a name="id-1.14"></a><h2>LOGGING</h2>
<a name="id-1.13"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging{<br>
category<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>string</code></em>;...};<br>
......@@ -141,8 +131,8 @@ logging
</div>
<div class="refsection">
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
managed-keys{<em class="replaceable"><code>string</code></em>(static-key<br>
|initial-key|static-ds|<br>
......@@ -152,7 +142,7 @@ managed-keys
</div>
<div class="refsection">
<a name="id-1.16"></a><h2>MASTERS</h2>
<a name="id-1.15"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters<em class="replaceable"><code>string</code></em>[port<em class="replaceable"><code>integer</code></em>][dscp<br>
<em class="replaceable"><code>integer</code></em>]{(<em class="replaceable"><code>masters</code></em>|<em class="replaceable"><code>ipv4_address</code></em>[<br>
......@@ -162,7 +152,7 @@ masters
</div>
<div class="refsection">
<a name="id-1.17"></a><h2>OPTIONS</h2>
<a name="id-1.16"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options{<br>
allow-new-zones<em class="replaceable"><code>boolean</code></em>;<br>
......@@ -461,7 +451,7 @@ options
</div>
<div class="refsection">
<a name="id-1.18"></a><h2>PLUGIN</h2>
<a name="id-1.17"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin(query)<em class="replaceable"><code>string</code></em>[{<em class="replaceable"><code>unspecified-text</code></em><br>
}];<br>
......@@ -469,7 +459,7 @@ plugin
</div>
<div class="refsection">
<a name="id-1.19"></a><h2>SERVER</h2>
<a name="id-1.18"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server<em class="replaceable"><code>netprefix</code></em>{<br>
bogus<em class="replaceable"><code>boolean</code></em>;<br>
......@@ -507,7 +497,7 @@ server
</div>
<div class="refsection">
<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels{<br>
inet(<em class="replaceable"><code>ipv4_address</code></em>|<em class="replaceable"><code>ipv6_address</code></em>|<br>
......@@ -518,9 +508,19 @@ statistics-channels
</p></div>
</div>
<div class="refsection">
<a name="id-1.20"></a><h2>TRUST-ANCHORS</h2>
<div class="literallayout"><p><br>
trust-anchors{<em class="replaceable"><code>string</code></em>(static-key|<br>
initial-key|static-ds|initial-ds)<br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
trusted-keys{<em class="replaceable"><code>string</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
......@@ -600,10 +600,6 @@ view
dnsrps-options{<em class="replaceable"><code>unspecified-text</code></em>};<br>
dnssec-accept-expired<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
initial-key|static-ds|initial-ds<br>
)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};<br>
dnssec-loadkeys-interval<em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure<em class="replaceable"><code>string</code></em><em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure<em class="replaceable"><code>boolean</code></em>;<br>
......@@ -794,6 +790,10 @@ view
transfer-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[port(<em class="replaceable"><code>integer</code></em>|*)<br>
][dscp<em class="replaceable"><code>integer</code></em>];<br>
trust-anchor-telemetry<em class="replaceable"><code>boolean</code></em>;//experimental<br>
trust-anchors{<em class="replaceable"><code>string</code></em>(static-key|<br>
initial-key|static-ds|initial-ds<br>
)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};<br>
trusted-keys{<em class="replaceable"><code>string</code></em><br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><br>
......@@ -1012,7 +1012,7 @@ zone
<div class="literallayout"><p><br>
dnssec-policy<em class="replaceable"><code>string</code></em>{<br>
dnskey-ttl<em class="replaceable"><code>ttlval</code></em>;<br>
dnskey-ttl<em class="replaceable"><code>duration</code></em>;<br>
keys{(csk|ksk|zsk)key-directorylifetime<em class="replaceable"><code>duration</code></em>algorithm<em class="replaceable"><code>integer</code></em>[<em class="replaceable"><code>integer</code></em>];...};<br>
parent-ds-ttl<em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay<em class="replaceable"><code>duration</code></em>;<br>
......
......@@ -516,7 +516,7 @@ timer\&.
\fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
\fBdnssec\-keys\fR
\fBtrust\-anchors\fR
statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp
......
......@@ -654,7 +654,7 @@
<dd>
<p>
Dump the security roots (i.e., trust anchors
configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
configured via <span class="command"><strong>trust-anchors</strong></span> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
......
......@@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -1042,7 +1042,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
using a <span class="command"><strong>trust-anchors</strong></span> statement (or the
<span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
statements, both deprecated).
</p>
......@@ -1057,7 +1057,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<p>
The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
The keys specified in <span class="command"><strong>trust-anchors</strong></span>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <span class="command"><strong>static-key</strong></span> or
......@@ -1071,7 +1071,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<p>
<span class="command"><strong>dnssec-keys</strong></span> is described in more detail
<span class="command"><strong>trust-anchors</strong></span> is described in more detail
later in this document.
</p>
......@@ -1094,7 +1094,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<pre class="programlisting">
dnssec-keys {
trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
......@@ -1586,10 +1586,10 @@ options {
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>dnssec-keys</strong></span> statement and the
<span class="command"><strong>trust-anchors</strong></span> statement and the
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
keyword. Information about this can be found in
<a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
<a class="xref" href="Bv9ARM.ch05.html#trust-anchors" title="trust-anchors Statement Definition and Usage">the section called &#8220;<span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage&#8221;</a>.</p>
</div>
<div class="section">
......@@ -2915,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -36,12 +36,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
......@@ -57,7 +58,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.7</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
......@@ -101,11 +102,12 @@
C compiler.
</p>
<p>
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
The <code class="filename">libuv</code> asynchronous I/O library and the
OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead of OpenSSL for
Public Key cryptography (i.e., DNSSEC signing and validation),
but OpenSSL is still required for general cryptography operations
such as hashing and random number generation.
</p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
......@@ -130,10 +132,73 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
which was introduced in 9.15.1 and revised in 9.15.6, has now
been renamed to the more descriptive
<span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
</p>
<p>
(See release notes for
<a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
and
<a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
for prior discussion of this feature.)
</p>
</li>
<li class="listitem">
<p>
Added support for multithreaded listening for TCP connections
in the network manager [GL !2659]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
on reconfiguration when any GeoIP2 database was in use. [GL #1445]
</p>
</li>
<li class="listitem">
<p>
Fixed several possible race conditions discovered by Thread
Sanitizer.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
......@@ -157,25 +222,32 @@
</p>
</li>
<li class="listitem">
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
</li>
<li class="listitem">
<p>
Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
</p>
</li>
</ul></div>
</div>
......@@ -193,27 +265,14 @@
</p>
</li>
<li class="listitem">
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Too many simultaneous pipelined TCP queries could cause
resource overuse. We now prevent this by enforcing a limit
on the number of simultaneous requests per active connection.
This flaw`is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
......@@ -719,9 +778,6 @@
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>
......@@ -744,6 +800,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -538,6 +538,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.15.6</p></div>
<div><p class="releaseinfo">BIND Version 9.15.7</p></div>
<div><p class="copyright">Copyright 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
......@@ -192,8 +192,8 @@
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust_anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
......@@ -248,12 +248,13 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
......@@ -448,6 +449,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>
......@@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>