mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-22 17:30:44 -05:00
599 lines
23 KiB
XML
599 lines
23 KiB
XML
<!DOCTYPE book [
|
|
<!ENTITY Scaron "Š">
|
|
<!ENTITY scaron "š">
|
|
<!ENTITY ccaron "č">
|
|
<!ENTITY aacute "á">
|
|
<!ENTITY iacute "í">
|
|
<!ENTITY mdash "—">
|
|
<!ENTITY ouml "ö">]>
|
|
<!--
|
|
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
-
|
|
- See the COPYRIGHT file distributed with this work for additional
|
|
- information regarding copyright ownership.
|
|
-->
|
|
|
|
<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
|
|
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
|
|
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
|
|
<para>
|
|
BIND 9.13 is an unstable development release of BIND.
|
|
This document summarizes new features and functional changes that
|
|
have been introduced on this branch. With each development release
|
|
leading up to the stable BIND 9.14 release, this document will be
|
|
updated with additional features added and bugs fixed.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_versions"><info><title>Note on Version Numbering</title></info>
|
|
<para>
|
|
Prior to BIND 9.13, new feature development releases were tagged
|
|
as "alpha" and "beta", leading up to the first stable release
|
|
for a given development branch, which always ended in ".0".
|
|
</para>
|
|
<para>
|
|
Now, however, BIND has adopted the "odd-unstable/even-stable"
|
|
release numbering convention. There will be no "alpha" or "beta"
|
|
releases in the 9.13 branch, only increasing version numbers.
|
|
So, for example, what would previously have been called 9.13.0a1,
|
|
9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
|
|
9.13.1, 9.13.2, etc.
|
|
</para>
|
|
<para>
|
|
The first stable release from this development branch will be
|
|
renamed as 9.14.0. Thereafter, maintenance releases will continue
|
|
on the 9.14 branch, while unstable feature development proceeds in
|
|
9.15.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_platforms"><info><title>Supported Platforms</title></info>
|
|
<para>
|
|
BIND 9.13 has undergone substantial code refactoring and cleanup,
|
|
and some very old code has been removed that was needed to support
|
|
legacy platforms which are no longer supported by their vendors
|
|
and for which ISC is no longer able to perform quality assurance
|
|
testing. Specifically, workarounds for old versions of UnixWare,
|
|
BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
|
|
On UNIX-like systems, BIND now requires support for POSIX.1c
|
|
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
|
|
IPv6 (RFC 3542), and standard atomic operations provided by the
|
|
C compiler.
|
|
</para>
|
|
<para>
|
|
More information can be found in the <filename>PLATFORM.md</filename>
|
|
file that is included in the source distribution of BIND 9. If your
|
|
platform compiler and system libraries provide the above features,
|
|
BIND 9 should compile and run. If that isn't the case, the BIND
|
|
development team will generally accept patches that add support
|
|
for systems that are still supported by their respective vendors.
|
|
</para>
|
|
<para>
|
|
As of BIND 9.13, the BIND development team has also made cryptography
|
|
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The
|
|
OpenSSL cryptography library must be available for the target
|
|
platform. A PKCS#11 provider can be used instead for Public Key
|
|
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
|
|
still required for general cryptography operations such as hashing
|
|
and random number generation.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_download"><info><title>Download</title></info>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
There was a long-existing flaw in the documentation for
|
|
<command>ms-self</command>, <command>krb5-self</command>,
|
|
<command>ms-subdomain</command>, and <command>krb5-subdomain</command>
|
|
rules in <command>update-policy</command> statements. Though
|
|
the policies worked as intended, operators who configured their
|
|
servers according to the misleading documentation may have
|
|
thought zone updates were more restricted than they were;
|
|
users of these rule types are advised to review the documentation
|
|
and correct their configurations if necessary. New rule types
|
|
matching the previously documented behavior will be introduced
|
|
in a future maintenance release. [GL !708]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When recursion is enabled but the <command>allow-recursion</command>
|
|
and <command>allow-query-cache</command> ACLs are not specified, they
|
|
should be limited to local networks, but they were inadvertently set
|
|
to match the default <command>allow-query</command>, thus allowing
|
|
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> could crash during recursive processing
|
|
of DNAME records when <command>deny-answer-aliases</command> was
|
|
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_features"><info><title>New Features</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
A new secondary zone option, <command>mirror</command>,
|
|
enables <command>named</command> to serve a transferred copy
|
|
of a zone's contents without acting as an authority for the
|
|
zone. A zone must be fully validated against an active trust
|
|
anchor before it can be used as a mirror zone. DNS responses
|
|
from mirror zones do not set the AA bit ("authoritative answer"),
|
|
but do set the AD bit ("authenticated data"). This feature is
|
|
meant to facilitate deployment of a local copy of the root zone,
|
|
as described in RFC 7706. [GL #33]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
BIND now can be compiled against the <command>libidn2</command>
|
|
library to add IDNA2008 support. Previously, BIND supported
|
|
IDNA2003 using the (now obsolete and unsupported)
|
|
<command>idnkit-1</command> library.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> now supports the "root key sentinel"
|
|
mechanism. This enables validating resolvers to indicate
|
|
which trust anchors are configured for the root, so that
|
|
information about root key rollover status can be gathered.
|
|
To disable this feature, add
|
|
<command>root-key-sentinel no;</command> to
|
|
<filename>named.conf</filename>. [GL #37]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>dnskey-sig-validity</command> option allows the
|
|
<command>sig-validity-interval</command> to be overriden for
|
|
signatures covering DNSKEY RRsets. [GL #145]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Support for QNAME minimization was added and enabled by default
|
|
in <command>relaxed</command> mode, in which BIND will fall back
|
|
to normal resolution if the remote server returns something
|
|
unexpected during the query minimization process. This default
|
|
setting might change to <command>strict</command> in the future.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When built on Linux, BIND now requires the <command>libcap</command>
|
|
library to set process privileges. The adds a new compile-time
|
|
dependency, which can be met on most Linux platforms by installing the
|
|
<command>libcap-dev</command> or <command>libcap-devel</command>
|
|
package. BIND can also be built without capability support by using
|
|
<command>configure --disable-linux-caps</command>, at the cost of some
|
|
loss of security.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>validate-except</command> option specifies a list of
|
|
domains beneath which DNSSEC validation should not be performed,
|
|
regardless of whether a trust anchor has been configured above
|
|
them. [GL #237]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Two new update policy rule types have been added
|
|
<command>krb5-selfsub</command> and <command>ms-selfsub</command>
|
|
which allow machines with Kerberos principals to update
|
|
the name space at or below the machine names identified
|
|
in the respective principals.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The new configure option <command>--enable-fips-mode</command>
|
|
can be used to make BIND enable and enforce FIPS mode in the
|
|
OpenSSL library. When compiled with such option the BIND will
|
|
refuse to run if FIPS mode can't be enabled, thus this option
|
|
must be only enabled for the systems where FIPS mode is available.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Workarounds for servers that misbehave when queried with EDNS
|
|
have been removed, because these broken servers and the
|
|
workarounds for their noncompliance cause unnecessary delays,
|
|
increase code complexity, and prevent deployment of new DNS
|
|
features. See <link xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xlink:href="https://dnsflagday.net">https://dnsflagday.net</link>
|
|
for further details.
|
|
</para>
|
|
<para>
|
|
In particular, resolution will no longer fall back to
|
|
plain DNS when there was no response from an authoritative
|
|
server. This will cause some domains to become non-resolvable
|
|
without manual intervention. In these cases, resolution can
|
|
be restored by adding <command>server</command> clauses for the
|
|
offending servers, specifying <command>edns no</command> or
|
|
<command>send-cookie no</command>, depending on the specific
|
|
noncompliance.
|
|
</para>
|
|
<para>
|
|
To determine which <command>server</command> clause to use, run
|
|
the following commands to send queries to the authoritative
|
|
servers for the broken domain:
|
|
</para>
|
|
<literallayout>
|
|
dig soa <zone> @<server> +dnssec
|
|
dig soa <zone> @<server> +dnssec +nocookie
|
|
dig soa <zone> @<server> +noedns
|
|
</literallayout>
|
|
<para>
|
|
If the first command fails but the second succeeds, the
|
|
server most likely needs <command>send-cookie no</command>.
|
|
If the first two fail but the third succeeds, then the server
|
|
needs EDNS to be fully disabled with <command>edns no</command>.
|
|
</para>
|
|
<para>
|
|
Please contact the administrators of noncompliant domains
|
|
and encourage them to upgrade their broken DNS servers. [GL #150]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Previously, it was possible to build BIND without thread support
|
|
for old architectures and systems without threads support.
|
|
BIND now requires threading support (either POSIX or Windows) from
|
|
the operating system, and it cannot be built without threads.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> can no longer use the EDNS CLIENT-SUBNET
|
|
option for view selection. In its existing form, the authoritative
|
|
ECS feature was not fully RFC-compliant, and could not realistically
|
|
have been deployed in production for an authoritative server; its
|
|
only practical use was for testing and experimentation. In the
|
|
interest of code simplification, this feature has now been removed.
|
|
</para>
|
|
<para>
|
|
The ECS option is still supported in <command>dig</command> and
|
|
<command>mdig</command> via the +subnet argument, and can be parsed
|
|
and logged when received by <command>named</command>, but
|
|
it is no longer used for ACL processing. The
|
|
<command>geoip-use-ecs</command> option is now obsolete;
|
|
a warning will be logged if it is used in
|
|
<filename>named.conf</filename>.
|
|
<command>ecs</command> tags in an ACL definition are
|
|
also obsolete, and will cause the configuration to fail to
|
|
load if they are used. [GL #32]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dnssec-keygen</command> can no longer generate HMAC
|
|
keys for TSIG authentication. Use <command>tsig-keygen</command>
|
|
to generate these keys. [RT #46404]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Support for OpenSSL 0.9.x has been removed. OpenSSL version
|
|
1.0.0 or greater, or LibreSSL is now required.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>configure --enable-seccomp</command> option,
|
|
which formerly turned on system-call filtering on Linux, has
|
|
been removed. [GL #93]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
IPv4 addresses in forms other than dotted-quad are no longer
|
|
accepted in master files. [GL #13] [GL #56]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The "rbtdb64" database implementation (a parallel
|
|
implementation of "rbt") has been removed. [GL #217]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>-r randomdev</command> option to explicitly select
|
|
random device has been removed from the
|
|
<command>ddns-confgen</command>,
|
|
<command>rndc-confgen</command>,
|
|
<command>nsupdate</command>,
|
|
<command>dnssec-confgen</command>, and
|
|
<command>dnssec-signzone</command> commands.
|
|
</para>
|
|
<para>
|
|
The <command>-p</command> option to use pseudo-random data
|
|
has been removed from the <command>dnssec-signzone</command>
|
|
command.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Support for ECC-GOST (GOST R 34.11-94) algorithm has been
|
|
removed from BIND as the algorithm has been superseded by
|
|
GOST R 34.11-2012 in RFC6986 and it must not be used in new
|
|
deployments. BIND will neither create new DNSSEC keys,
|
|
signatures and digest, nor it will validate them.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Add the ability to not return a DNS COOKIE option when one
|
|
is present in the request. To prevent a cookie being returned
|
|
add 'answer-cookie no;' to named.conf. [GL #173]
|
|
</para>
|
|
<para>
|
|
<command>answer-cookie</command> is only intended as a temporary
|
|
measure, for use when <command>named</command> shares an IP address
|
|
with other servers that do not yet support DNS COOKIE. A mismatch
|
|
between servers on the same address is not expected to cause
|
|
operational problems, but the option to disable COOKIE responses so
|
|
that all servers have the same behavior is provided out of an
|
|
abundance of caution. DNS COOKIE is an important security mechanism,
|
|
and should not be disabled unless absolutely necessary.
|
|
</para>
|
|
<para>
|
|
Remove support for silently ignoring 'no-change' deltas from
|
|
BIND 8 when processing an IXFR stream. 'no-change' deltas
|
|
will now trigger a fallback to AXFR as the recovery mechanism.
|
|
</para>
|
|
<para>
|
|
BIND 9 will no longer build on platforms that doesn't have
|
|
proper IPv6 support. BIND 9 now also requires non-broken
|
|
POSIX-compatible pthread support. Such platforms are
|
|
usually long after their end-of-life date and they are
|
|
neither developed nor supported by their respective vendors.
|
|
</para>
|
|
<para>
|
|
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
|
|
removed from BIND as the DSA key length is limited to 1024
|
|
bits and this is not considered secure enough.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
BIND will now always use the best CSPRNG (cryptographically-secure
|
|
pseudo-random number generator) available on the platform where
|
|
it is compiled. It will use <command>arc4random()</command>
|
|
family of functions on BSD operating systems,
|
|
<command>getrandom()</command> on Linux and Solaris,
|
|
<command>CryptGenRandom</command> on Windows, and the selected
|
|
cryptography provider library (OpenSSL or PKCS#11) as the last
|
|
resort. [GL #221]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default setting for <command>dnssec-validation</command> is
|
|
now <userinput>auto</userinput>, which activates DNSSEC
|
|
validation using the IANA root key. (The default can be changed
|
|
back to <userinput>yes</userinput>, which activates DNSSEC
|
|
validation only when keys are explicitly configured in
|
|
<filename>named.conf</filename>, by building BIND with
|
|
<command>configure --disable-auto-validation</command>.) [GL #30]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
BIND can no longer be built without DNSSEC support. A cryptography
|
|
provider (i.e., OpenSSL or a hardware service module with
|
|
PKCS#11 support) must be available. [GL #244]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Zone types <command>primary</command> and
|
|
<command>secondary</command> are now available as synonyms for
|
|
<command>master</command> and <command>slave</command>,
|
|
respectively, in <filename>named.conf</filename>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> will now log a warning if the old
|
|
root DNSSEC key is explicitly configured and has not been updated.
|
|
[RT #43670]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dig +nssearch</command> will now list name servers
|
|
that have timed out, in addition to those that respond. [GL #64]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dig +noidnin</command> can be used to disable IDN
|
|
processing on the input domain name, when BIND is compiled
|
|
with IDN support.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Up to 64 <command>response-policy</command> zones are now
|
|
supported by default; previously the limit was 32. [GL #123]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Several configuration options for time periods can now use
|
|
TTL value suffixes (for example, <literal>2h</literal> or
|
|
<literal>1d</literal>) in addition to an integer number of
|
|
seconds. These include
|
|
<command>fstrm-set-reopen-interval</command>,
|
|
<command>interface-interval</command>,
|
|
<command>max-cache-ttl</command>,
|
|
<command>max-ncache-ttl</command>,
|
|
<command>max-policy-ttl</command>, and
|
|
<command>min-update-interval</command>.
|
|
[GL #203]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
NSID logging (enabled by the <command>request-nsid</command>
|
|
option) now has its own <command>nsid</command> category,
|
|
instead of using the <command>resolver</command> category.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>rndc nta</command> command could not differentiate
|
|
between views of the same name but different class; this
|
|
has been corrected with the addition of a <command>-class</command>
|
|
option. [GL #105]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>allow-recursion-on</command> and
|
|
<command>allow-query-cache-on</command> each now default to
|
|
the other if only one of them is set, in order to be consistent
|
|
with the way <command>allow-recursion</command> and
|
|
<command>allow-query-cache</command> work. [GL #319]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Running <command>rndc reconfig</command> could cause
|
|
<command>inline-signing</command> zones to stop signing.
|
|
[GL #439]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Reloading all zones caused zone maintenance to stop for
|
|
<command>inline-signing</command> zones. [GL #435]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Signatures loaded from the journal for the signed version
|
|
of an <command>inline-signing</command> zone were not scheduled
|
|
for refresh. [GL #482]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A referral response with a non-empty ANSWER section was
|
|
incorrectly treated as an error; this caused certain domains
|
|
to be non-resolvable. [GL #390]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When a negative trust anchor was added to multiple views
|
|
using <command>rndc nta</command>, the text returned via
|
|
<command>rndc</command> was incorrectly truncated after the
|
|
first line, making it appear that only one NTA had been
|
|
added. This has been fixed. [GL #105]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> now rejects excessively large
|
|
incremental (IXFR) zone transfers in order to prevent
|
|
possible corruption of journal files which could cause
|
|
<command>named</command> to abort when loading zones. [GL #339]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_license"><info><title>License</title></info>
|
|
<para>
|
|
BIND is open source software licenced under the terms of the Mozilla
|
|
Public License, version 2.0 (see the <filename>LICENSE</filename>
|
|
file for the full text).
|
|
</para>
|
|
<para>
|
|
The license requires that if you make changes to BIND and distribute
|
|
them outside your organization, those changes must be published under
|
|
the same license. It does not require that you publish or disclose
|
|
anything other than the changes you have made to our software. This
|
|
requirement does not affect anyone who is using BIND, with or without
|
|
modifications, without redistributing it, nor anyone redistributing
|
|
BIND without changes.
|
|
</para>
|
|
<para>
|
|
Those wishing to discuss license compliance may contact ISC at
|
|
<link
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xlink:href="https://www.isc.org/mission/contact/">
|
|
https://www.isc.org/mission/contact/</link>.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="end_of_life"><info><title>End of Life</title></info>
|
|
<para>
|
|
BIND 9.13 is an unstable development branch. When its development
|
|
is complete, it will be renamed to BIND 9.14, which will be a
|
|
stable branch.
|
|
</para>
|
|
<para>
|
|
The end of life date for BIND 9.14 has not yet been determined.
|
|
For those needing long term support, the current Extended Support
|
|
Version (ESV) is BIND 9.11, which will be supported until at
|
|
least December 2021. See
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
|
|
for details of ISC's software support policy.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
|
|
</para>
|
|
</section>
|
|
</section>
|