mirror of https://github.com/isc-projects/bind9.git (synced 2026-02-26 19:41:04 -05:00)
Define a :gl: Sphinx role that takes a GitLab issue/MR number as an
argument and creates a hyperlink to the relevant ISC GitLab URL. This
makes it easy to reach ISC GitLab pages directly from the release notes.
Make all GitLab references in the release notes use the new Sphinx role.
(cherry picked from commit 2fadf29e6b)
55 lines
2.2 KiB
ReStructuredText
..
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

Notes for BIND 9.16.2
---------------------

Security Fixes
~~~~~~~~~~~~~~

- DNS rebinding protection was ineffective when BIND 9 is configured as
  a forwarding DNS server. Found and responsibly reported by Tobias
  Klein. :gl:`#1574`

Known Issues
~~~~~~~~~~~~

- We have received reports that in some circumstances, receipt of an
  IXFR can cause the processing of queries to slow significantly. Some
  of these were related to RPZ processing, which has been fixed in this
  release (see below). Others appear to occur where there are
  NSEC3-related changes (such as an operator changing the NSEC3 salt
  used in the hash calculation). These are being investigated.
  :gl:`#1685`

Feature Changes
~~~~~~~~~~~~~~~

- The previous DNSSEC sign statistics used lots of memory. The number
  of keys to track is reduced to four per zone, which should be enough
  for 99% of all signed zones. :gl:`#1179`

Bug Fixes
~~~~~~~~~

- When an RPZ policy zone was updated via zone transfer and a large
  number of records was deleted, ``named`` could become nonresponsive
  for a short period while deleted names were removed from the RPZ
  summary database. This database cleanup is now done incrementally
  over a longer period of time, reducing such delays. :gl:`#1447`

- When trying to migrate an already-signed zone from
  ``auto-dnssec maintain`` to one based on ``dnssec-policy``, the
  existing keys were immediately deleted and replaced with new ones. As
  the key rollover timing constraints were not being followed, it was
  possible that some clients would not have been able to validate
  responses until all old DNSSEC information had timed out from caches.
  BIND now looks at the time metadata of the existing keys and
  incorporates it into its DNSSEC policy operation. :gl:`#1706`