diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
commit | 45d6379135504814ab723b57f0eb8be23393a51d (patch) | |
tree | d4f2ec4acca824a8446387a758b0ce4238a4dffa /HISTORY.md | |
parent | Initial commit. (diff) | |
download | bind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip |
Adding upstream version 1:9.16.44.upstream/1%9.16.44
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'HISTORY.md')
-rw-r--r-- | HISTORY.md | 617 |
1 files changed, 617 insertions, 0 deletions
diff --git a/HISTORY.md b/HISTORY.md new file mode 100644 index 0000000..3a0f897 --- /dev/null +++ b/HISTORY.md @@ -0,0 +1,617 @@ +<!-- + - Copyright (C) Internet Systems Consortium, Inc. ("ISC") + - + - This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. + - + - See the COPYRIGHT file distributed with this work for additional + - information regarding copyright ownership. +--> +### Functional enhancements from prior major releases of BIND 9 + +#### BIND 9.14 + +BIND 9.14 (a stable branch based on the 9.13 development branch) +includes a number of changes from BIND 9.12 and earlier releases. +New features include: + +* A new "plugin" mechanism has been added to allow query functionality + to be extended using dynamically loadable libraries. The "filter-aaaa" + feature has been removed from named and is now implemented as a plugin. +* Socket and task code has been refactored to improve performance. +* QNAME minimization, as described in RFC 7816, is now supported. +* "Root key sentinel" support, enabling validating resolvers to indicate + via a special query which trust anchors are configured for the root zone. +* Secondary zones can now be configured as "mirror" zones; their contents + are transferred in as with traditional slave zones, but are subject to + DNSSEC validation and are not treated as authoritative data when + answering. This makes it easier to configure a local copy of the root + zone as described in RFC 7706. +* The "validate-except" option allows configuration of domains below which + DNSSEC validation should not be performed. +* The default value of "dnssec-validation" is now "auto". +* IDNA2008 is now supported when linking with `libidn2`. +* "named -V" now outputs the default paths for files used by named + and other tools. + +In addition, workarounds that were formerly in place to enable resolution +of domains whose authoritative servers did not respond to EDNS queries +have been removed. See [https://dnsflagday.net](https://dnsflagday.net) +for more details. + +Cryptographic support has been modernized. BIND now uses the +best available pseudo-random number generator for the platform on which +it's built. Very old versions of OpenSSL are no longer supported. +Cryptography is now mandatory: building BIND without DNSSEC is no +longer supported. + +Special code to support certain legacy operating systems has also +been removed; see the [doc/arm/platforms.rst](platforms) file for details +of supported platforms. In addition to OpenSSL, BIND now requires +support for IPv6, threads, and standard atomic operations provided +by the C compiler. + +#### BIND 9.12 + +BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases. +New features include: + +* `named` and related libraries have been substantially refactored for + improved query performance -- particularly on delegation heavy zones -- + and for improved readability, maintainability, and testability. +* Code implementing the name server query processing logic has been moved + into a new `libns` library, for easier testing and use in tools other + than `named`. +* Cached, validated NSEC and other records can now be used to synthesize + NXDOMAIN responses. +* The DNS Response Policy Service API (DNSRPS) is now supported. +* Setting `'max-journal-size default'` now limits the size of journal files + to twice the size of the zone. +* `dnstap-read -x` prints a hex dump of the wire format of each logged + DNS message. +* `dnstap` output files can now be configured to roll automatically when + reaching a given size. +* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO + 8601 (UTC) formats. +* Logging channels and `dnstap` output files can now be configured to use a + timestamp as the suffix when rolling to a new file. +* `'named-checkconf -l'` lists zones found in `named.conf`. +* Added support for the EDNS Padding and Keepalive options. +* 'new-zones-directory' option sets the location where the configuration + data for zones added by rndc addzone is stored. +* The default key algorithm in `rndc-confgen` is now hmac-sha256. +* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available + by default without a configure option. +* The obsolete `isc-hmac-fixup` command has been removed. + +#### BIND 9.11 + +BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier +releases. New features include: + +- Added support for Catalog Zones, a new method for provisioning servers: a + list of zones to be served is stored in a DNS zone, along with their + configuration parameters. Changes to the catalog zone are propagated to + slaves via normal AXFR/IXFR, whereupon the zones that are listed in it + are automatically added, deleted or reconfigured. +- Added support for "dnstap", a fast and flexible method of capturing and + logging DNS traffic. +- Added support for "dyndb", a new API for loading zone data from an + external database, developed by Red Hat for the FreeIPA project. +- "fetchlimit" quotas are now compiled in by default. These are for the + use of recursive resolvers that are are under high query load for domains + whose authoritative servers are nonresponsive or are experiencing a + denial of service attack: + - "fetches-per-server" limits the number of simultaneous queries that + can be sent to any single authoritative server. The configured value + is a starting point; it is automatically adjusted downward if the + server is partially or completely non-responsive. The algorithm used + to adjust the quota can be configured via the "fetch-quota-params" + option. + - "fetches-per-zone" limits the number of simultaneous queries that can + be sent for names within a single domain. (Note: Unlike + "fetches-per-server", this value is not self-tuning.) + - New stats counters have been added to count queries spilled due to + these quotas. +- Added a new "dnssec-keymgr" key mainenance utility, which can generate or + update keys as needed to ensure that a zone's keys match a defined DNSSEC + policy. +- The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and + is no longer optional. EDNS COOKIE is a mechanism enabling clients to + detect off-path spoofed responses, and servers to detect spoofed-source + queries. Clients that identify themselves using COOKIE options are not + subject to response rate limiting (RRL) and can receive larger UDP + responses. +- SERVFAIL responses can now be cached for a limited time (defaulting to 1 + second, with an upper limit of 30). This can reduce the frequency of + retries when a query is persistently failing. +- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to be + skipped if a name server IP address isn't in the cache yet; the address + will be looked up and the rule will be applied on future queries. +- Added a Python RNDC module. This allows multiple commands to sent over a + persistent RNDC channel, which saves time. +- The "controls" block in named.conf can now grant read-only "rndc" access + to specified clients or keys. Read-only clients could, for example, check + "rndc status" but could not reconfigure or shut down the server. +- "rndc" commands can now return arbitrarily large amounts of text to the + caller. +- The zone serial number of a dynamically updatable zone can now be set via + "rndc signing -serial <number> <zonename>". This allows inline-signing + zones to be set to a specific serial number. +- The new "rndc nta" command can be used to set a Negative Trust Anchor + (NTA), disabling DNSSEC validation for a specific domain; this can be + used when responses from a domain are known to be failing validation due + to administrative error rather than because of a spoofing attack. + Negative trust anchors are strictly temporary; by default they expire + after one hour, but can be configured to last up to one week. +- "rndc delzone" can now be used on zones that were not originally created + by "rndc addzone". +- "rndc modzone" reconfigures a single zone, without requiring the entire + server to be reconfigured. +- "rndc showzone" displays the current configuration of a zone. +- "rndc managed-keys" can be used to check the status of RFC 5011 managed + trust anchors, or to force trust anchors to be refreshed. +- "max-cache-size" can now be set to a percentage of available memory. The + default is 90%. +- Update forwarding performance has been improved by allowing a single TCP + connection to be shared by multiple updates. +- The EDNS Client Subnet (ECS) option is now supported for authoritative + servers; if a query contains an ECS option then ACLs containing "geoip" + or "ecs" elements can match against the the address encoded in the + option. This can be used to select a view for a query, so that different + answers can be provided depending on the client network. +- The EDNS EXPIRE option has been implemented on the client side, allowing + a slave server to set the expiration timer correctly when transferring + zone data from another slave server. +- The key generation and manipulation tools (dnssec-keygen, dnssec-settime, + dnssec-importkey, dnssec-keyfromlabel) now take "-Psync" and "-Dsync" + options to set the publication and deletion times of CDS and CDNSKEY + parent-synchronization records. Both named and dnssec-signzone can now + publish and remove these records at the scheduled times. +- A new "minimal-any" option reduces the size of UDP responses for query + type ANY by returning a single arbitrarily selected RRset instead of all + RRsets. +- A new "masterfile-style" zone option controls the formatting of text zone + files: When set to "full", a zone file is dumped in + single-line-per-record format. +- "serial-update-method" can now be set to "date". On update, the serial + number will be set to the current date in YYYYMMDDNN format. +- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. +- "named -L <filename>" causes named to send log messages to the specified + file by default instead of to the system log. +- "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, s + for weeks, days, hours, minutes, and seconds. +- "dig +unknownformat" prints dig output in RFC 3597 "unknown record" + presentation format. +- "dig +ednsopt" allows dig to set arbitrary EDNS options on requests. +- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on + requests. +- "mdig" is an alternate version of dig which sends multiple pipelined TCP + queries to a server. Instead of waiting for a response after sending a + query, it sends all queries immediately and displays responses in the + order received. +- "serial-query-rate" no longer controls NOTIFY messages. These are + separately controlled by "notify-rate" and "startup-notify-rate". +- "nsupdate" now performs "check-names" processing by default on records to + be added. This can be disabled with "check-names no". +- The statistics channel now supports DEFLATE compression, reducing the + size of the data sent over the network when querying statistics. +- New counters have been added to the statistics channel to track the sizes + of incoming queries and outgoing responses in histogram buckets, as + specified in RSSAC002. +- A new NXDOMAIN redirect method (option "nxdomain-redirect") has been + added, allowing redirection to a specified DNS namespace instead of a + single redirect zone. +- When starting up, named now ensures that no other named process is + already running. +- Files created by named to store information, including "mkeys" and "nzf" + files, are now named after their corresponding views unless the view name + contains characters incompatible with use as a filename. Old style + filenames (based on the hash of the view name) will still work. + +#### BIND 9.10.0 + +BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier +releases. New features include: + + - DNS Response-rate limiting (DNS RRL), which blunts the + impact of reflection and amplification attacks, is always + compiled in and no longer requires a compile-time option + to enable it. + - An experimental "Source Identity Token" (SIT) EDNS option + is now available. Similar to DNS Cookies as invented by + Donald Eastlake 3rd, these are designed to enable clients + to detect off-path spoofed responses, and to enable servers + to detect spoofed-source queries. Servers can be configured + to send smaller responses to clients that have not identified + themselves using a SIT option, reducing the effectiveness of + amplification attacks. RRL processing has also been updated; + clients proven to be legitimate via SIT are not subject to + rate limiting. Use "configure --enable-sit" to enable this + feature in BIND. + - A new zone file format, "map", stores zone data in a + format that can be mapped directly into memory, allowing + significantly faster zone loading. + - "delv" (domain entity lookup and validation) is a new tool + with dig-like semantics for looking up DNS data and performing + internal DNSSEC validation. This allows easy validation in + environments where the resolver may not be trustworthy, and + assists with troubleshooting of DNSSEC problems. (NOTE: + In previous development releases of BIND 9.10, this utility + was called "delve". The spelling has been changed to avoid + confusion with the "delve" utility included with the Xapian + search engine.) + - Improved EDNS(0) processing for better resolver performance + and reliability over slow or lossy connections. + - A new "configure --with-tuning=large" option tunes certain + compiled-in constants and default settings to values better + suited to large servers with abundant memory. This can + improve performance on such servers, but will consume more + memory and may degrade performance on smaller systems. + - Substantial improvement in response-policy zone (RPZ) + performance. Up to 32 response-policy zones can be + configured with minimal performance loss. + - To improve recursive resolver performance, cache records + which are still being requested by clients can now be + automatically refreshed from the authoritative server + before they expire, reducing or eliminating the time + window in which no answer is available in the cache. + - New "rpz-client-ip" triggers and drop policies allowing + response policies based on the IP address of the client. + - ACLs can now be specified based on geographic location + using the MaxMind GeoIP databases. Use "configure + --with-geoip" to enable. + - Zone data can now be shared between views, allowing + multiple views to serve the same zones authoritatively + without storing multiple copies in memory. + - New XML schema (version 3) for the statistics channel + includes many new statistics and uses a flattened XML tree + for faster parsing. The older schema is now deprecated. + - A new stylesheet, based on the Google Charts API, displays + XML statistics in charts and graphs on javascript-enabled + browsers. + - The statistics channel can now provide data in JSON + format as well as XML. + - New stats counters track TCP and UDP queries received + per zone, and EDNS options received in total. + - The internal and export versions of the BIND libraries + (libisc, libdns, etc) have been unified so that external + library clients can use the same libraries as BIND itself. + - A new compile-time option, "configure --enable-native-pkcs11", + allows BIND 9 cryptography functions to use the PKCS#11 API + natively, so that BIND can drive a cryptographic hardware + service module (HSM) directly instead of using a modified + OpenSSL as an intermediary. (Note: This feature requires an + HSM to have a full implementation of the PKCS#11 API; many + current HSMs only have partial implementations. The new + "pkcs11-tokens" command can be used to check API completeness. + Native PKCS#11 is known to work with the Thales nShield HSM + and with SoftHSM version 2 from the Open DNSSEC project.) + - The new "max-zone-ttl" option enforces maximum TTLs for + zones. This can simplify the process of rolling DNSSEC keys + by guaranteeing that cached signatures will have expired + within the specified amount of time. + - "dig +subnet" sends an EDNS CLIENT-SUBNET option when + querying. + - "dig +expire" sends an EDNS EXPIRE option when querying. + When this option is sent with an SOA query to a server + that supports it, it will report the expiry time of + a slave zone. + - New "dnssec-coverage" tool to check DNSSEC key coverage + for a zone and report if a lapse in signing coverage has + been inadvertently scheduled. + - Signing algorithm flexibility and other improvements + for the "rndc" control channel. + - "named-checkzone" and "named-compilezone" can now read + journal files, allowing them to process dynamic zones. + - Multiple DLZ databases can now be configured. Individual + zones can be configured to be served from a specific DLZ + database. DLZ databases now serve zones of type "master" + and "redirect". + - "rndc zonestatus" reports information about a specified zone. + - "named" now listens on IPv6 as well as IPv4 interfaces + by default. + - "named" now preserves the capitalization of names + when responding to queries: for instance, a query for + "example.com" may be answered with "example.COM" if the + name was configured that way in the zone file. Some + clients have a bug causing them to depend on the older + behavior, in which the case of the answer always matched + the case of the query, rather than the case of the name + configured in the DNS. Such clients can now be specified + in the new "no-case-compress" ACL; this will restore the + older behavior of "named" for those clients only. + - new "dnssec-importkey" command allows the use of offline + DNSSEC keys with automatic DNSKEY management. + - New "named-rrchecker" tool to verify the syntactic + correctness of individual resource records. + - When re-signing a zone, the new "dnssec-signzone -Q" option + drops signatures from keys that are still published but are + no longer active. + - "named-checkconf -px" will print the contents of configuration + files with the shared secrets obscured, making it easier to + share configuration (e.g. when submitting a bug report) + without revealing private information. + - "rndc scan" causes named to re-scan network interfaces for + changes in local addresses. + - On operating systems with support for routing sockets, + network interfaces are re-scanned automatically whenever + they change. + - "tsig-keygen" is now available as an alternate command + name to use for "ddns-confgen". + +#### BIND 9.9.0 + +BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier +releases. New features include: + +- Inline signing, allowing automatic DNSSEC signing of + master zones without modification of the zonefile, or + "bump in the wire" signing in slaves. +- NXDOMAIN redirection. +- New 'rndc flushtree' command clears all data under a given + name from the DNS cache. +- New 'rndc sync' command dumps pending changes in a dynamic + zone to disk without a freeze/thaw cycle. +- New 'rndc signing' command displays or clears signing status + records in 'auto-dnssec' zones. +- NSEC3 parameters for 'auto-dnssec' zones can now be set prior + to signing, eliminating the need to initially sign with NSEC. +- Startup time improvements on large authoritative servers. +- Slave zones are now saved in raw format by default. +- Several improvements to response policy zones (RPZ). +- Improved hardware scalability by using multiple threads + to listen for queries and using finer-grained client locking +- The 'also-notify' option now takes the same syntax as + 'masters', so it can used named masterlists and TSIG keys. +- 'dnssec-signzone -D' writes an output file containing only DNSSEC + data, which can be included by the primary zone file. +- 'dnssec-signzone -R' forces removal of signatures that are + not expired but were created by a key which no longer exists. +- 'dnssec-signzone -X' allows a separate expiration date to + be specified for DNSKEY signatures from other signatures. +- New '-L' option to dnssec-keygen, dnssec-settime, and + dnssec-keyfromlabel sets the default TTL for the key. +- dnssec-dsfromkey now supports reading from standard input, + to make it easier to convert DNSKEY to DS. +- RFC 1918 reverse zones have been added to the empty-zones + table per RFC 6303. +- Dynamic updates can now optionally set the zone's SOA serial + number to the current UNIX time. +- DLZ modules can now retrieve the source IP address of + the querying client. +- 'request-ixfr' option can now be set at the per-zone level. +- 'dig +rrcomments' turns on comments about DNSKEY records, + indicating their key ID, algorithm and function +- Simplified nsupdate syntax and added readline support + +#### BIND 9.8.0 + +BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier +releases. New features include: + +- Built-in trust anchor for the root zone, which can be + switched on via "dnssec-validation auto;" +- Support for DNS64. +- Support for response policy zones (RPZ). +- Support for writable DLZ zones. +- Improved ease of configuration of GSS/TSIG for + interoperability with Active Directory +- Support for GOST signing algorithm for DNSSEC. +- Removed RTT Banding from server selection algorithm. +- New "static-stub" zone type. +- Allow configuration of resolver timeouts via + "resolver-query-timeout" option. +- The DLZ "dlopen" driver is now built by default. +- Added a new include file with function typedefs + for the DLZ "dlopen" driver. +- Made "--with-gssapi" default. +- More verbose error reporting from DLZ LDAP. + +#### BIND 9.7.0 + +BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier +releases. Most are intended to simplify DNSSEC configuration. +New features include: + +- Fully automatic signing of zones by "named". +- Simplified configuration of DNSSEC Lookaside Validation (DLV). +- Simplified configuration of Dynamic DNS, using the "ddns-confgen" + command line tool or the "local" update-policy option. (As a side + effect, this also makes it easier to configure automatic zone + re-signing.) +- New named option "attach-cache" that allows multiple views to + share a single cache. +- DNS rebinding attack prevention. +- New default values for dnssec-keygen parameters. +- Support for RFC 5011 automated trust anchor maintenance +- Smart signing: simplified tools for zone signing and key + maintenance. +- The "statistics-channels" option is now available on Windows. +- A new DNSSEC-aware libdns API for use by non-BIND9 applications +- On some platforms, named and other binaries can now print out + a stack backtrace on assertion failure, to aid in debugging. +- A "tools only" installation mode on Windows, which only installs + dig, host, nslookup and nsupdate. +- Improved PKCS#11 support, including Keyper support and explicit + OpenSSL engine selection. + +#### BIND 9.6.0 + +- Full NSEC3 support +- Automatic zone re-signing +- New update-policy methods tcp-self and 6to4-self +- The BIND 8 resolver library, libbind, has been removed from the BIND 9 + distribution and is now available as a separate download. +- Change the default pid file location from /var/run to + /var/run/{named,lwresd} for improved chroot/setuid support. + +#### BIND 9.5.0 + +- GSS-TSIG support (RFC 3645). +- DHCID support. +- Experimental http server and statistics support for named via xml. +- More detailed statistics counters including those supported in BIND 8. +- Faster ACL processing. +- Use Doxygen to generate internal documentation. +- Efficient LRU cache-cleaning mechanism. +- NSID support. + +BIND 9.4.0 + +- Implemented "additional section caching (or acache)", an internal cache + framework for additional section content to improve response performance. + Several configuration options were provided to control the behavior. +- New notify type 'master-only'. Enable notify for master zones only. +- Accept 'notify-source' style syntax for query-source. +- rndc now allows addresses to be set in the server clauses. +- New option "allow-query-cache". This lets "allow-query" be used to + specify the default zone access level rather than having to have every + zone override the global value. "allow-query-cache" can be set at both + the options and view levels. If "allow-query-cache" is not set then + "allow-recursion" is used if set, otherwise "allow-query" is used if set + unless "recursion no;" is set in which case "none;" is used, otherwise + the default (localhost; localnets;) is used. +- rndc: the source address can now be specified. +- ixfr-from-differences now takes master and slave in addition to yes and + no at the options and view levels. +- Allow the journal's name to be changed via named.conf. +- 'rndc notify zone [class [view]]' resend the NOTIFY messages for the + specified zone. +- 'dig +trace' now randomly selects the next servers to try. Report if + there is a bad delegation. +- Improve check-names error messages. +- Make public the function to read a key file, dst_key_read_public(). +- dig now returns the byte count for axfr/ixfr. +- allow-update is now settable at the options / view level. +- named-checkconf now checks the logging configuration. +- host now can turn on memory debugging flags with '-m'. +- Don't send notify messages to self. +- Perform sanity checks on NS records which refer to 'in zone' names. +- New zone option "notify-delay". Specify a minimum delay between sets of + NOTIFY messages. +- Extend adjusting TTL warning messages. +- Named and named-checkzone can now both check for non-terminal wildcard + records. +- "rndc freeze/thaw" now freezes/thaws all zones. +- named-checkconf now check acls to verify that they only refer to existing + acls. +- The server syntax has been extended to support a range of servers. +- Report differences between hints and real NS rrset and associated address + records. +- Preserve the case of domain names in rdata during zone transfers. +- Restructured the data locking framework using architecture dependent + atomic operations (when available), improving response performance on + multi-processor machines significantly. x86, x86_64, alpha, powerpc, and + mips are currently supported. +- UNIX domain controls are now supported. +- Add support for additional zone file formats for improving loading + performance. The masterfile-format option in named.conf can be used to + specify a non-default format. A separate command named-compilezone was + provided to generate zone files in the new format. Additionally, the -I + and -O options for dnssec-signzone specify the input and output formats. +- dnssec-signzone can now randomize signature end times (dnssec-signzone -j + jitter). +- Add support for CH A record. +- Add additional zone data constancy checks. named-checkzone has extended + checking of NS, MX and SRV record and the hosts they reference. named + has extended post zone load checks. New zone options: check-mx and + integrity-check. +- edns-udp-size can now be overridden on a per server basis. +- dig can now specify the EDNS version when making a query. +- Added framework for handling multiple EDNS versions. +- Additional memory debugging support to track size and mctx arguments. +- Detect duplicates of UDP queries we are recursing on and drop them. New + stats category "duplicates". +- "USE INTERNAL MALLOC" is now runtime selectable. +- The lame cache is now done on a <qname,qclass,qtype> basis as some + servers only appear to be lame for certain query types. +- Limit the number of recursive clients that can be waiting for a single + query (<qname,qtype,qclass>) to resolve. New options clients-per-query + and max-clients-per-query. +- dig: report the number of extra bytes still left in the packet after + processing all the records. +- Support for IPSECKEY rdata type. +- Raise the UDP receive buffer size to 32k if it is less than 32k. +- x86 and x86_64 now have separate atomic locking implementations. +- named-checkconf now validates update-policy entries. +- Attempt to make the amount of work performed in a iteration self tuning. + The covers nodes clean from the cache per iteration, nodes written to + disk when rewriting a master file and nodes destroyed per iteration when + destroying a zone or a cache. +- ISC string copy API. +- Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC + 1918 zones are not yet covered by this but are likely to be in a future + release. +- New options: empty-server, empty-contact, empty-zones-enable and + disable-empty-zone. +- dig now has a '-q queryname' and '+showsearch' options. +- host/nslookup now continue (default)/fail on SERVFAIL. +- dig now warns if 'RA' is not set in the answer when 'RD' was set in the + query. host/nslookup skip servers that fail to set 'RA' when 'RD' is set + unless a server is explicitly set. +- Integrate contributed DLZ code into named. +- Integrate contributed IDN code from JPNIC. +- libbind: corresponds to that from BIND 8.4.7. + +#### BIND 9.3.0 + +- DNSSEC is now DS based (RFC 3658). +- DNSSEC lookaside validation. +- check-names is now implemented. +- rrset-order is more complete. +- IPv4/IPv6 transition support, dual-stack-servers. +- IXFR deltas can now be generated when loading master files, + ixfr-from-differences. +- It is now possible to specify the size of a journal, max-journal-size. +- It is now possible to define a named set of master servers to be used in + masters clause, masters. +- The advertised EDNS UDP size can now be set, edns-udp-size. +- allow-v6-synthesis has been obsoleted. +- Zones containing MD and MF will now be rejected. +- dig, nslookup name. now report "Not Implemented" as NOTIMP rather than + NOTIMPL. This will have impact on scripts that are looking for NOTIMPL. +- libbind: corresponds to that from BIND 8.4.5. + +#### BIND 9.2.0 + +- The size of the cache can now be limited using the "max-cache-size" + option. +- The server can now automatically convert RFC1886-style recursive lookup + requests into RFC2874-style lookups, when enabled using the new option + "allow-v6-synthesis". This allows stub resolvers that support AAAA + records but not A6 record chains or binary labels to perform lookups in + domains that make use of these IPv6 DNS features. +- Performance has been improved. +- The man pages now use the more portable "man" macros rather than the + "mandoc" macros, and are installed by "make install". +- The named.conf parser has been completely rewritten. It now supports + "include" directives in more places such as inside "view" statements, and + it no longer has any reserved words. +- The "rndc status" command is now implemented. +- rndc can now be configured automatically. +- A BIND 8 compatible stub resolver library is now included in lib/bind. +- OpenSSL has been removed from the distribution. This means that to use + DNSSEC, OpenSSL must be installed and the --with-openssl option must be + supplied to configure. This does not apply to the use of TSIG, which + does not require OpenSSL. +- The source distribution now builds on Windows. See + win32utils/readme1.txt and win32utils/win32-build.txt for details. +- This distribution also includes a new lightweight stub resolver library + and associated resolver daemon that fully support forward and reverse + lookups of both IPv4 and IPv6 addresses. This library is considered + experimental and is not a complete replacement for the BIND 8 resolver + library. Applications that use the BIND 8 `res_*` functions to perform + DNS lookups or dynamic updates still need to be linked against the BIND 8 + libraries. For DNS lookups, they can also use the new "getrrsetbyname()" + API. +- BIND 9.2 is capable of acting as an authoritative server for DNSSEC + secured zones. This functionality is believed to be stable and complete + except for lacking support for verifications involving wildcard records + in secure zones. +- When acting as a caching server, BIND 9.2 can be configured to perform + DNSSEC secure resolution on behalf of its clients. This part of the + DNSSEC implementation is still considered experimental. For detailed + information about the state of the DNSSEC implementation, see the file + doc/misc/dnssec. |