1581. [func] Disable DNSSEC support by default. To enable
DNSSEC specify "enable-dnssec yes;" in named.conf.
1565. [bug] CD flag should be copied to outgoing queries unless
the query is under a secure entry point in which case
CD should be set.
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
child zones for which we don't have a supported
algorithm. Such child zones are treated as unsigned.
1557. [func] Implement missing DNSSEC tests for
* NOQNAME proof with wildcard answers.
* NOWILDCARD proof with NXDOMAIN.
Cache and return NOQNAME with wildcard answers.
1541. [func] NSEC now uses new bitmap format.
1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
length of the new bitmap.
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
delegation-only check to all TLDs and root.
Note there are some TLDs that are NOT delegation
only (e.g. DE and MUSEUM); these can be excluded
from the checks by using exclude.
root-delegation-only exclude { "DE"; "MUSEUM"; };
zone should not accept delegation-only.
1508. [bug] Don't apply delegation-only checks to answers from
forwarders.
1507. [bug] Handle BIND 8 style returns to NS queries to parents
when making delegation-only checks.
1506. [bug] Wrong return type for dns_view_isdelegationonly().
1505. [bug] Uninitialised rdataset in sdb. [RT #8750]
1504. [func] New zone type "delegation-only".
only binds the rdataset when returning ISC_R_SUCCESS, because that's not the case -
for example, if the root hints are '. 300 IN CNAME .', DNS_R_CNAME is returned and
the rdataset is bound
and make the rbtdb, zone, and view objects use it.
This should reduce contention on other locks, since (in the normal
implementation) the reference count has its own lock. In the future, it
should also be possible to implement an isc_refcount_t with atomic operations
instead of mutexes, which should also help performance.
removes some unused code in view.c and uncomments some code in cache.c.
This still isn't really usable, since the trust level of cached data is
not persistent, so all data in the persistent cache will be promoted to
"ultimate" trust on reload.
and changed header comments to make it clear that it is for debugging/analysis purposes and may
dump other stuff in addition to the cache in the future. Also changed the dump style to the
'explicit TTL' one, which makes more sense than usin when dumping cache files since the TTLs
tend to be different in each rrset, and added a comment banner at the top of each cache dump
containing the view name.
with yes being the default. These control searching in the cache and
other zones we are authoritative for. This is mostly for gdib, but
may be useful elsewhere.
The config changes are renaming from glue-from-* to additional-from-*,
since this also prevents DNAME, CNAME, NS, MX, etc. additional data
from being followed.