mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-22 17:30:44 -05:00
316 lines
11 KiB
XML
316 lines
11 KiB
XML
<!DOCTYPE book [
|
|
<!ENTITY Scaron "Š">
|
|
<!ENTITY scaron "š">
|
|
<!ENTITY ccaron "č">
|
|
<!ENTITY aacute "á">
|
|
<!ENTITY iacute "í">
|
|
<!ENTITY mdash "—">
|
|
<!ENTITY ouml "ö">]>
|
|
<!--
|
|
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
-
|
|
- See the COPYRIGHT file distributed with this work for additional
|
|
- information regarding copyright ownership.
|
|
-->
|
|
|
|
<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
|
|
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
|
|
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
|
|
<para>
|
|
BIND 9.13 is an unstable development release of BIND.
|
|
This document summarizes new features and functional changes that
|
|
have been introduced on this branch. With each development release
|
|
leading up to the stable BIND 9.14 release, this document will be
|
|
updated with additional features added and bugs fixed.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_versions"><info><title>Note on Version Numbering</title></info>
|
|
<para>
|
|
Prior to BIND 9.13, new feature development releases were tagged
|
|
as "alpha" and "beta", leading up to the first stable release
|
|
for a given development branch, which always ended in ".0".
|
|
</para>
|
|
<para>
|
|
Now, however, BIND has adopted the "odd-unstable/even-stable"
|
|
release numbering convention. There will be no "alpha" or "beta"
|
|
releases in the 9.13 branch, only increasing version numbers.
|
|
So, for example, what would previously have been called 9.13.0a1,
|
|
9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
|
|
9.13.1, 9.13.2, etc.
|
|
</para>
|
|
<para>
|
|
The first stable release from this development branch will be
|
|
renamed as 9.14.0. Thereafter, maintenance releases will continue
|
|
on the 9.14 branch, while unstable feature development proceeds in
|
|
9.15.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_download"><info><title>Download</title></info>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
None.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_features"><info><title>New Features</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
BIND now can be compiled against the <command>libidn2</command>
|
|
library to add IDNA2008 support. Previously, BIND supported
|
|
IDNA2003 using the (now obsolete and unsupported)
|
|
<command>idnkit-1</command> library.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> now supports the "root key sentinel"
|
|
mechanism. This enables validating resolvers to indicate
|
|
which trust anchors are configured for the root, so that
|
|
information about root key rollover status can be gathered.
|
|
To disable this feature, add
|
|
<command>root-key-sentinel no;</command> to
|
|
<filename>named.conf</filename>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>dnskey-sig-validity</command> option allows the
|
|
<command>sig-validity-interval</command> to be overriden for
|
|
signatures covering DNSKEY RRsets. [GL #145]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> can no longer use the EDNS CLIENT-SUBNET
|
|
option for view selection. In its existing form, the authoritative
|
|
ECS feature was not fully RFC-compliant, and could not realistically
|
|
have been deployed in production for an authoritative server; its
|
|
only practical use was for testing and experimentation. In the
|
|
interest of code simplification, this feature has now been removed.
|
|
</para>
|
|
<para>
|
|
The ECS option is still supported in <command>dig</command> and
|
|
<command>mdig</command> via the +subnet argument, and can be parsed
|
|
and logged when received by <command>named</command>, but
|
|
it is no longer used for ACL processing. The
|
|
<command>geoip-use-ecs</command> option is now obsolete;
|
|
a warning will be logged if it is used in
|
|
<filename>named.conf</filename>.
|
|
<command>ecs</command> tags in an ACL definition are
|
|
also obsolete, and will cause the configuration to fail to
|
|
load if they are used. [GL #32]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dnssec-keygen</command> can no longer generate HMAC
|
|
keys for TSIG authentication. Use <command>tsig-keygen</command>
|
|
to generate these keys. [RT #46404]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Support for OpenSSL 0.9.x has been removed. OpenSSL version
|
|
1.0.0 or greater, or LibreSSL is now required.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>configure --enable-seccomp</command> option,
|
|
which formerly turned on system-call filtering on Linux, has
|
|
been removed. [GL #93]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
IPv4 addresses in forms other than dotted-quad are no longer
|
|
accepted in master files. [GL #13] [GL #56]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The "rbtdb64" database implementation (a parallel
|
|
implementation of "rbt") has been removed. [GL #217]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>-r randomdev</command> option to explicitly select
|
|
random device has been removed from the
|
|
<command>ddns-confgen</command>,
|
|
<command>rndc-confgen</command>,
|
|
<command>nsupdate</command>,
|
|
<command>dnssec-confgen</command>, and
|
|
<command>dnssec-signzone</command> commands.
|
|
</para>
|
|
<para>
|
|
The <command>-p</command> option to use pseudo-random data
|
|
has been removed from the <command>dnssec-signzone</command>
|
|
command.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
BIND will now always use the best CSPRNG (cryptographically-secure
|
|
pseudo-random number generator) available on the platform where
|
|
it is compiled. It will use <command>arc4random()</command>
|
|
family of functions on BSD operating systems,
|
|
<command>getrandom()</command> on Linux and Solaris,
|
|
<command>CryptGenRandom</command> on Windows, and the selected
|
|
cryptography provider library (OpenSSL or PKCS#11) as the last
|
|
resort. [GL #221]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
BIND can no longer be built without DNSSEC support. A cryptography
|
|
provder (i.e., OpenSSL or a hardware service module with
|
|
PKCS#11 support) must be available. [GL #244]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Zone types <command>primary</command> and
|
|
<command>secondary</command> are now available as synonyms for
|
|
<command>master</command> and <command>slave</command>,
|
|
respectively, in <filename>named.conf</filename>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> will now log a warning if the old
|
|
root DNSSEC key is explicitly configured and has not been updated.
|
|
[RT #43670]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dig +nssearch</command> will now list name servers
|
|
that have timed out, in addition to those that respond. [GL #64]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dig +noidnin</command> can be used to disable IDN
|
|
processing on the input domain name, when BIND is compiled
|
|
with IDN support.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Up to 64 <command>response-policy</command> zones are now
|
|
supported by default; previously the limit was 32. [GL #123]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Several configuration options for time periods can now use
|
|
TTL value suffixes (for example, <literal>2h</literal> or
|
|
<literal>1d</literal>) in addition to an integer number of
|
|
seconds. These include
|
|
<command>fstrm-set-reopen-interval</command>,
|
|
<command>interface-interval</command>,
|
|
<command>max-cache-ttl</command>,
|
|
<command>max-ncache-ttl</command>,
|
|
<command>max-policy-ttl</command>, and
|
|
<command>min-update-interval</command>.
|
|
[GL #203]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
None.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_license"><info><title>License</title></info>
|
|
<para>
|
|
BIND is open source software licenced under the terms of the Mozilla
|
|
Public License, version 2.0 (see the <filename>LICENSE</filename>
|
|
file for the full text).
|
|
</para>
|
|
<para>
|
|
The license requires that if you make changes to BIND and distribute
|
|
them outside your organization, those changes must be published under
|
|
the same license. It does not require that you publish or disclose
|
|
anything other than the changes you have made to our software. This
|
|
requirement does not affect anyone who is using BIND, with or without
|
|
modifications, without redistributing it, nor anyone redistributing
|
|
BIND without changes.
|
|
</para>
|
|
<para>
|
|
Those wishing to discuss license compliance may contact ISC at
|
|
<link
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xlink:href="https://www.isc.org/mission/contact/">
|
|
https://www.isc.org/mission/contact/</link>.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="end_of_life"><info><title>End of Life</title></info>
|
|
<para>
|
|
BIND 9.13 is an unstable development branch. When its development
|
|
is complete, it will be renamed to BIND 9.14, which will be a
|
|
stable branch.
|
|
</para>
|
|
<para>
|
|
The end of life date for BIND 9.14 has not yet been determined.
|
|
For those needing long term support, the current Extended Support
|
|
Version (ESV) is BIND 9.11, which will be supported until at
|
|
least December 2021. See
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
|
|
for details of ISC's software support policy.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
|
|
</para>
|
|
</section>
|
|
</section>
|