3867. [func] "rndc nta" can now be used to set a temporary
negative trust anchor, which disables DNSSEC
validation below a specified name for a specified
period of time (not exceeding 24 hours). This
can be used when validation for a domain is known
to be failing due to a configuration error on
the part of the domain owner rather than a
spoofing attack. [RT #29358]
information will be automatically updated if the
OS supports routing sockets. Use
"automatic-interface-scan no;" to disable.
Add "rndc scan" to trigger a scan. [RT #23027]
report the files that were being used so they can
be cleaned up if desired. [RT #27899]
Squashed commit of the following:
commit 0e4e69d0c3153fe94aaa375b908cf7e3e45b5059
Author: Mark Andrews <marka@isc.org>
Date: Thu Feb 21 17:01:44 2013 +1100
report the zones to be removed rather than removing them
commit 5d247ac592eef64c4c467d99af4983b8c1ff998f
Author: Mark Andrews <marka@isc.org>
Date: Wed Feb 20 15:05:47 2013 +1100
remove slave/stub files when deleting a zone using delzone
- 'rndc signing -list' displays the current
state of signing operations
- 'rndc signing -clear' clears the signing state
records for keys that have fully signed the zone
- 'rndc signing -nsec3param' sets the NSEC3
parameters for the zone
The 'rndc keydone' syntax is removed. [RT #23729]
a dynamic zone to disk; "rndc sync -clean" also
removes the journal file after syncing. Also,
"rndc freeze" no longer removes journal files.
[RT #22473]
allow dynamic addition and deletion of zones.
To enable this feature, specify a "new-zone-file"
option at the view or options level in named.conf.
Zone configuration information for the new zones
will be written into that file. To make the new
zones persist after a restart, "include" the file
into named.conf in the appropriate view. (Note:
This feature is not yet documented, and its syntax
is expected to change.) [RT #19447]
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
to be signed by creating keys for it in the
key-directory and using 'rndc sign <zone>'.
'auto-dnssec maintain;' allows that too, plus it
also keeps the zone's DNSSEC keys up to date
according to their timing metadata. [RT #19943]
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]
rndc validation newstate [view]
replay protection requires both rndc and named to
be updated. Partial replay protection (limited
exposure after restart) is provided if just named
is updated.
states.
1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
1377. [func] dns_zone_load{new}() now reports if the zone was
loaded, queued for loading to up to date.
1376. [func] New function dns_zone_logc() to log to specified
category.
[RT #2394]
Basically, "freeze" disables dynamic updates to a zone, syncs the journal
file into the master file, and removes the journal. This allows manual
edits of a dynamic zone file without stopping the server, since the
zone is temporarily considered non-dynamic. "unfreeze" re-enables dynamic
updates to a zone.
So, instead of the old:
rndc stop
edit master file
remove journal
restart server
you can now do:
rndc freeze zone
edit master file
rndc reload zone
rndc unfreeze zone
which doesn't require stopping the server.
About everyone here at the secure dynamic update workshop wanted this.
It will be documented soon.
