upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-06 23:40:25 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/arm/notes-9.15.0.xml
Michał Kępień 2f37ab1dac Split release notes into per-version sections 
Intertwining release notes from different BIND releases in a single XML
file has caused confusion in the past due to different (and often
arbitrary) approaches to keeping/removing release notes from older
releases on different BIND branches.  Divide doc/arm/notes.xml into
per-version sections to simplify determining the set of changes
introduced by a given release and to make adding/reviewing release notes
less error-prone.
2019-11-08 12:05:52 +01:00

108 lines
4.1 KiB
XML
Raw Blame History

<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes-9.15.0"><info><title>Notes for BIND 9.15.0</title></info>
<section xml:id="relnotes-9.15.0-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
In certain configurations, <command>named</command> could crash
with an assertion failure if <command>nxdomain-redirect</command>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</para>
</listitem>
<listitem>
<para>
The TCP client quota set using the <command>tcp-clients</command>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.15.0-new"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
The new <command>add-soa</command> option specifies whether
or not the <command>response-policy</command> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.15.0-removed"><info><title>Removed Features</title></info>
<itemizedlist>
<listitem>
<para>
The <command>dnssec-enable</command> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.15.0-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<command>dnssec-validation</command> was set to the default
value of <literal>auto</literal>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</para>
</listitem>
<listitem>
<para>
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <command>dnssec-dsfromkey</command>, the
<filename>dsset</filename> files generated by
<command>dnssec-signzone</command>, the DS records added to
a zone by <command>dnssec-signzone</command> based on
<filename>keyset</filename> files, the CDS records added to
a zone by <command>named</command> and
<command>dnssec-signzone</command> based on "sync" timing
parameters in key files, and the checks performed by
<command>dnssec-checkds</command>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.15.0-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
The <command>allow-update</command> and
<command>allow-update-forwarding</command> options were
inadvertently treated as configuration errors when used at the
<command>options</command> or <command>view</command> level.
This has now been corrected.
[GL #913]
</para>
</listitem>
</itemizedlist>
</section>
</section>
Reference in a new issue View git blame Copy permalink