upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-28 09:37:10 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/notes/notes-current.rst
Mark Andrews 72e2c6e4b8 add release note for [GL #2762] 
(cherry picked from commit 36720fb4a6)
2021-07-21 12:41:19 +10:00

91 lines
3.5 KiB
ReStructuredText
Raw Blame History

..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.16.19
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
- Named failed to check the opcode of responses when performing refresh,
stub updates, and UPDATE forwarding. This could lead to an assertion
failure under particular conditions. This has been addressed by checking
the opcode of those responses and rejecting the messages if they don't
match the expected value. :gl:`#2762`
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- Automatic KSK rollover: A new configuration option ``parental-agents`` is
added to add a list of servers to a zone that can be used for checking DS
presence. :gl:`#1126`
Removed Features
~~~~~~~~~~~~~~~~
- None.
Feature Changes
~~~~~~~~~~~~~~~
- IP fragmentation on outgoing UDP sockets has been disabled. Errors from
sending DNS messages larger than the specified path MTU are properly handled;
``named`` now sends back empty DNS messages with the TC (TrunCated) bit set,
forcing the DNS client to fall back to TCP. :gl:`#2790`
``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets. According
to the measurements done by multiple parties this should not be causing any
operational problems as most of the Internet "core" is able to cope with IP
message sizes between 1400-1500 bytes, the 1232 size was picked as a
conservative minimal number that could be changed by the DNS operator to a
estimated path MTU minus the estimated header space. In practice, the smallest
MTU witnessed in the operational DNS community is 1500 octets, the Ethernet
maximum payload size, so a a useful default for maximum DNS/UDP payload size
on reliable networks would be 1432. [GL #2183]
- CDS and CDNSKEY records may now be published in a zone without the
requirement that they exactly match an existing DNSKEY record, so long
the zone is signed with an algorithm represented in the CDS or CDNSKEY
record. This allows a clean rollover from one DNS provider to another
when using a multiple-signer DNSSEC configuration. :gl:`#2710`
Bug Fixes
~~~~~~~~~
- Fixed a bug that caused the NSEC salt to be changed for KASP zones on
every startup. :gl:`#2725`
- Signed, insecure delegation responses prepared by ``named`` either
lacked the necessary NSEC records or contained duplicate NSEC records
when both wildcard expansion and CNAME chaining were required to
prepare the response. This has been fixed. :gl:`#2759`
- A deadlock at startup was introduced when fixing :gl:`#1875` because when
locking key files for reading and writing, "in-view" logic was not taken into
account. This has been fixed. :gl:`#2783`
- Fix a race condition where two threads are competing for the same set of key
file locks, that could lead to a deadlock. This has been fixed. :gl:`#2786`
- Testing revealed that setting the thread affinity on both the netmgr
and netthread threads led to inconsistent recursive performance, as
sometimes the netmgr and netthread threads competed over a single
resource.
When the affinity is not set, tests show a slight dip in the authoritative
performance of around 5% (ranging from 3.8% to 7.8%), but
the recursive performance is now consistently improved. :gl:`#2822`
Reference in a new issue View git blame Copy permalink