Having a value higher than signatures-validity does not make sense
and should be treated as a configuration error.
(cherry picked from commit c3d8932f79)
The specification was implemented (#1132) when it was a draft. Now that
it is RFC, add the RFC to the list of supported RFCs.
(cherry picked from commit 5b5f43babc)
This commit improves the documentation on the ephemeral TLS
configuration and describes in more detail what is happening with TLS
configurations on reconfiguration in general.
(cherry picked from commit 1ab0f6d918)
"A parental agent is the entity that is allowed to change a zone's
delegation information" is untrue, because it is possible to use some
hidden server or a validating resolver.
Also the new text makes it more clear that named sends DS queries to
these servers.
(cherry picked from commit 604f8e7797)
Support for FreeBSD 12.4, the last FreeBSD 12.x release, ended on
December 31, 2023.
Link: https://www.freebsd.org/security/unsupported/
Move the --with-readline=editline ./configure option to FreeBSD 14.
(cherry picked from commit 98bfa22381)
these options control default timing of retries in the resolver
for experimental purposes; they are not known to useful in production
environments. they will be removed in the future; for now, we
only log a warning if they are used.
(cherry picked from commit 4aaa4f7dca)
The system tests on OpenBSD consistently exhibit lower stability
compared to our other CI platforms. Some of these challenges are
intrinsic to the system test itself and require attention. However,
there are OpenBSD issues, which seem to be more widespread on this
platform than others. In our daily CI pipelines, OpenBSD system tests
often bear the brunt of all failed CI jobs.
It's possible that our OpenBSD CI image could be optimized, but we
currently lack the domain-specific knowledge needed to make
improvements.
(cherry picked from commit 2ab292c169)
Move i386 and other less common or ancient CPU architectures to
Community-Maintened category. Move armhf and arm64 to the Best-Effort
category as we do test them as part of development work (new MacBooks
are all arm64), we don't really do full set of tests in the CI.
(cherry picked from commit db94c7526c)
Basically all local data is considered trusted, and proper ACLs and
limits need to be explicitly configured. We are also free to let
protocol non-compliant servers burn in flames.
(cherry picked from commit fc907baa7f)
The new :cve: Sphinx role takes a CVE number as an argument and creates
a hyperlink to the relevant ISC Knowledgebase document that might have
more up-to-date or verbose information than the relevant release note.
This makes reaching ISC Knowledgebase pages directly from the release
notes easier.
Make all CVE references in the release notes use the new Sphinx role.
(cherry picked from commit 41b857e567)
Update Sphinx-related Python packages to their current versions pulled
in by "pip install sphinx-rtd-theme" run in a fresh virtual environment.
(cherry picked from commit 2f879cdec3)
The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.
Remove the feature to simplify the code.
(cherry picked from commit 9e0b348a2b)
Add the text "TTL-style unit suffixes or ISO 8601 duration formats",
just like we do at other places that are duration option types.
Also, in the dnssec-policy "keys" example, use a TTL-style unit too.
(cherry picked from commit b5a757c452)
There's a statement that says: "Here is an example (for illustration
purposes only) of some possible entries in a [keys] list:", and that
links to the wrong "keys" statement (it links to the TSIG keys section).
Remove the reference, as we are already in the right section.
(cherry picked from commit 07c70ea2bd)
these options concentrate zone maintenance actions into
bursts for the benefit of servers with intermittent connections.
that's no longer something we really need to optimize.
(cherry picked from commit eeeccec67c)
