mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-06 23:40:25 -05:00
c428479d6d
- Add a GitLab merge request number to the "trust-anchors" release
note and slightly rephrase its second half.
- Replace tabs with spaces in doc/arm/notes-9.15.7.xml to retain
consistency with other XML files containing release notes.
- Move the "Security Fixes" section for BIND 9.15.6 higher up, for
consistency with release notes for other versions.
97 lines
3.8 KiB
XML
97 lines
3.8 KiB
XML
<!--
|
|
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
-
|
|
- See the COPYRIGHT file distributed with this work for additional
|
|
- information regarding copyright ownership.
|
|
-->
|
|
|
|
<section xml:id="relnotes-9.15.6"><info><title>Notes for BIND 9.15.6</title></info>
|
|
|
|
<section xml:id="relnotes-9.15.6-security"><info><title>Security Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Set a limit on the number of concurrently served pipelined TCP
|
|
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes-9.15.6-new"><info><title>New Features</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
A new asynchronous network communications system based on
|
|
<command>libuv</command> is now used by <command>named</command>
|
|
for listening for incoming requests and responding to them.
|
|
This change will make it easier to improve performance and
|
|
implement new protocol layers (for example, DNS over TLS) in
|
|
the future. [GL #29]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The new <command>dnssec-policy</command> option allows the
|
|
configuration key and signing policy (KASP) for zones. This
|
|
option enables <command>named</command> to generate new keys
|
|
as needed and automatically roll both ZSK and KSK keys.
|
|
(Note that the syntax for this statement differs from the DNSSEC
|
|
policy used by <command>dnssec-keymgr</command>.) [GL #1134]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Two new keywords have been added to the
|
|
<command>dnssec-keys</command> statement:
|
|
<command>initial-ds</command> and <command>static-ds</command>.
|
|
These allow the use of trust anchors in DS format instead of
|
|
DNSKEY format. DS format allows trust anchors to be configured
|
|
for keys that have not yet been published; this is the format
|
|
used by IANA when announcing future root keys.
|
|
</para>
|
|
<para>
|
|
As with the <command>initial-key</command> and
|
|
<command>static-key</command> keywords, <command>initial-ds</command>
|
|
configures a dynamic trust anchor to be maintained via RFC 5011, and
|
|
<command>static-ds</command> configures a permanent trust anchor.
|
|
</para>
|
|
<para>
|
|
(Note: Currently, DNSKEY-format and DS-format trust anchors
|
|
cannot both be used for the same domain name.) [GL #6] [GL #622]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Added a new statistics variable <command>tcp-highwater</command>
|
|
that reports the maximum number of simultaneous TCP clients BIND
|
|
has handled while running. [GL #1206]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes-9.15.6-changes"><info><title>Feature Changes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
|
|
because it was found to have a significant performance impact on the
|
|
recursive service. The NSEC Aggressive Cache will be enable by default
|
|
in the future releases. [GL #1265]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The DNSSEC validation code has been refactored for clarity and to
|
|
reduce code duplication. [GL #622]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
</section>
|