root key being present. Warn about dlv.isc.org's
key being present. Warn about both managed and
trusted root keys being present. [RT #43670]
(cherry picked from commit baef0ca988)
4867. [cleanup] Normalize rndc on/off commands (validation and
querylog) so they accept the same synonyms
for on/off (yes/no, true/false, enable/disable).
Thanks to Tony Finch. [RT #47022]
(cherry picked from commit cf8f4241e7)
(cherry picked from commit 4221d9cd1d)
4836. [bug] Zones created using "rndc addzone" could
temporarily fail to inherit an "allow-transfer"
ACL that had been configured in the options
statement. [RT #46603]
(cherry picked from commit e197a2bd15)
(cherry picked from commit f53e0bda46)
4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
trust-anchor dlv.isc.org;' now elicit warnings rather
than being fatal configuration errors. [RT #46410]
(cherry picked from commit f5e1b555c5)
4777. [cleanup] Removed a redundant call to configure_view_acl().
[RT #46369]
(cherry picked from commit 89636d8f30)
(cherry picked from commit a06198688f)
4769. [bug] Enforce the requirement that the managed keys
directory (specified by "managed-keys-directory",
and defaulting to the working directory if not
specified) must be writable. [RT #46077]
(cherry picked from commit 56e30ebae6)
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4722. [cleanup] Clean up uses of strcpy() and strcat() in favor of
strlcpy() and strlcat() for safety. [RT #45981]
(cherry picked from commit 114f95089c)
(cherry picked from commit 7cd594b842)
4521. [cleanup] Log it as an error if an entropy source is not
found and there is no fallback available. [RT #43659]
(cherry picked from commit 6bdb70057d)
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
(cherry picked from commit f20179857a)
4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
is scheduled to be disabled in 2017. A warning is
now logged when named is configured to use it,
either explicitly or via "dnssec-lookaside auto;"
[RT #42207]
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
These options are not available by default;
use "configure --enable-fetchlimit" (or
--enable-developer) to include them in the build.
See the ARM for details of these options. [RT #37125]
4120. [bug] A bug in RPZ could cause the server to crash if
policy zones were updated while recursion was
pending for RPZ processing of an active query.
[RT #39415]
(cherry picked from commit 7e6cf6fc6e)
