upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-26 11:32:01 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/notes/notes-9.16.16.rst
Michał Kępień cc503db304 Prepare release notes for BIND 9.16.16
2021-05-20 12:24:21 +02:00

68 lines
2.7 KiB
ReStructuredText
Raw Blame History

..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.16.16
----------------------
Feature Changes
~~~~~~~~~~~~~~~
- DNSSEC responses containing NSEC3 records with iteration counts
greater than 150 are now treated as insecure. :gl:`#2445`
- The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. :gl:`#2642`
- The default value of the ``max-ixfr-ratio`` option was changed to
``unlimited``, for better backwards compatibility in the stable
release series. :gl:`#2671`
- Zones that want to transition from secure to insecure mode without
becoming bogus in the process must now have their ``dnssec-policy``
changed first to ``insecure``, rather than ``none``. After the DNSSEC
records have been removed from the zone, the ``dnssec-policy`` can be
set to ``none`` or removed from the configuration. Setting the
``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
records to be published. :gl:`#2645`
- The implementation of the ZONEMD RR type has been updated to match
:rfc:`8976`. :gl:`#2658`
- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
or the SOA TTL. :gl:`#2347`
Bug Fixes
~~~~~~~~~
- It was possible for corrupt journal files generated by an earlier
version of ``named`` to cause problems after an upgrade. This has been
fixed. :gl:`#2670`
- TTL values in cache dumps were reported incorrectly when
``stale-cache-enable`` was set to ``yes``. This has been fixed.
:gl:`#389` :gl:`#2289`
- A deadlock could occur when multiple ``rndc addzone``, ``rndc
delzone``, and/or ``rndc modzone`` commands were invoked
simultaneously for different zones. This has been fixed. :gl:`#2626`
- ``named`` and ``named-checkconf`` did not report an error when
multiple zones with the ``dnssec-policy`` option set were using the
same zone file. This has been fixed. :gl:`#2603`
- If ``dnssec-policy`` was active and a private key file was temporarily
offline during a rekey event, ``named`` could incorrectly introduce
replacement keys and break a signed zone. This has been fixed.
:gl:`#2596`
- When generating zone signing keys, KASP now also checks for key ID
conflicts among newly created keys, rather than just between new and
existing ones. :gl:`#2628`
Reference in a new issue View git blame Copy permalink