path: root/doc/notes/notes-9.16.0.rst
Diffstat (limited to '')
-rw-r--r--doc/notes/notes-9.16.0.rst152
1 files changed, 152 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.0.rst b/doc/notes/notes-9.16.0.rst
new file mode 100644
index 0000000..1b4e92f
--- /dev/null
+++ b/doc/notes/notes-9.16.0.rst
@@ -0,0 +1,152 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.0
+---------------------
+
+.. note::
+
+ This section only lists changes from BIND 9.14 (the previous
+ stable branch of BIND).
+
+New Features
+~~~~~~~~~~~~
+
+- A new asynchronous network communications system based on ``libuv``
+ is now used by ``named`` for listening for incoming requests and
+ responding to them. This change will make it easier to improve
+ performance and implement new protocol layers (for example, DNS over
+ TLS) in the future. :gl:`#29`
+
+- The new ``dnssec-policy`` option allows the configuration of a key
+ and signing policy (KASP) for zones. This option enables ``named`` to
+ generate new keys as needed and automatically roll both ZSK and KSK
+ keys. (Note that the syntax for this statement differs from the
+ DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134`
+
+- In order to clarify the configuration of DNSSEC keys, the
+ ``trusted-keys`` and ``managed-keys`` statements have been
+ deprecated, and the new ``trust-anchors`` statement should now be
+ used for both types of key.
+
+ When used with the keyword ``initial-key``, ``trust-anchors`` has the
+ same behavior as ``managed-keys``, i.e., it configures a trust anchor
+ that is to be maintained via :rfc:`5011`.
+
+ When used with the new keyword ``static-key``, ``trust-anchors`` has
+ the same behavior as ``trusted-keys``, i.e., it configures a
+ permanent trust anchor that will not automatically be updated. (This
+ usage is not recommended for the root key.) :gl:`#6`
+
+- Two new keywords have been added to the ``trust-anchors`` statement:
+ ``initial-ds`` and ``static-ds``. These allow the use of trust
+ anchors in DS format instead of DNSKEY format. DS format allows trust
+ anchors to be configured for keys that have not yet been published;
+ this is the format used by IANA when announcing future root keys.
+
+ As with the ``initial-key`` and ``static-key`` keywords,
+ ``initial-ds`` configures a dynamic trust anchor to be maintained via
+ :rfc:`5011`, and ``static-ds`` configures a permanent trust anchor.
+ :gl:`#6` :gl:`#622`
+
+- ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to
+ print output in a detailed YAML format. :gl:`#1145`
+
+- ``dig`` now has a new command line option: ``+[no]unexpected``. By
+ default, ``dig`` won't accept a reply from a source other than the
+ one to which it sent the query. Add the ``+unexpected`` argument to
+ enable it to process replies from unexpected sources. [RT #44978]
+
+- ``dig`` now accepts a new command line option, ``+[no]expandaaaa``,
+ which causes the IPv6 addresses in AAAA records to be printed in full
+ 128-bit notation rather than the default :rfc:`5952` format.
+ :gl:`#765`
+
+- Statistics channel groups can now be toggled. :gl:`#1030`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When static and managed DNSSEC keys were both configured for the same
+ name, or when a static key was used to configure a trust anchor for
+ the root zone and ``dnssec-validation`` was set to the default value
+ of ``auto``, automatic :rfc:`5011` key rollovers would be disabled.
+ This combination of settings was never intended to work, but there
+ was no check for it in the parser. This has been corrected, and it is
+ now a fatal configuration error. :gl:`#868`
+
+- DS and CDS records are now generated with SHA-256 digests only,
+ instead of both SHA-1 and SHA-256. This affects the default output of
+ ``dnssec-dsfromkey``, the ``dsset`` files generated by
+ ``dnssec-signzone``, the DS records added to a zone by
+ ``dnssec-signzone`` based on ``keyset`` files, the CDS records added
+ to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing
+ parameters in key files, and the checks performed by
+ ``dnssec-checkds``. :gl:`#1015`
+
+- ``named`` will now log a warning if a static key is configured for
+ the root zone. :gl:`#6`
+
+- A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added
+ and made default. Old non-default HMAC-SHA based DNS Cookie
+ algorithms have been removed, and only the default AES algorithm is
+ being kept for legacy reasons. This change has no operational impact
+ in most common scenarios. :gl:`#605`
+
+ If you are running multiple DNS servers (different versions of BIND 9
+ or DNS servers from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), make sure that all the
+ servers are configured with the same DNS Cookie algorithm and same
+ Server Secret for the best performance.
+
+- The information from the ``dnssec-signzone`` and ``dnssec-verify``
+ commands is now printed to standard output. The standard error output
+ is only used to print warnings and errors, and in case the user
+ requests the signed zone to be printed to standard output with the
+ ``-f -`` option. A new configuration option ``-q`` has been added to
+ silence all output on standard output except for the name of the
+ signed zone. :gl:`#1151`
+
+- The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. :gl:`#622`
+
+- Compile-time settings enabled by the ``--with-tuning=large`` option
+ for ``configure`` are now in effect by default. Previously used
+ default compile-time settings can be enabled by passing
+ ``--with-tuning=small`` to ``configure``. :gl:`!2989`
+
+- JSON-C is now the only supported library for enabling JSON support
+ for BIND statistics. The ``configure`` option has been renamed from
+ ``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH``
+ environment variable accordingly to specify a custom path to the
+ ``json-c`` library, as the new ``configure`` option does not take the
+ library installation path as an optional argument. :gl:`#855`
+
+- ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or
+ ``--localstatedir`` to ``/var`` when ``--prefix`` is not specified
+ and the aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
+ respected. :gl:`#658`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- The ``dnssec-enable`` option has been obsoleted and no longer has any
+ effect. DNSSEC responses are always enabled if signatures and other
+ DNSSEC data are present. :gl:`#866`
+
+- DNSSEC Lookaside Validation (DLV) is now obsolete. The
+ ``dnssec-lookaside`` option has been marked as deprecated; when used
+ in ``named.conf``, it will generate a warning but will otherwise be
+ ignored. All code enabling the use of lookaside validation has been
+ removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7`
+
+- The ``cleaning-interval`` option has been removed. :gl:`!1731`
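Review bot: the reference style is inconsistent within this file: the ``+[no]unexpected`` bullet cites "[RT #44978]" while every other item uses the ``:gl:`` role (``:gl:`#765```, ``:gl:`!2989```), so the RT ticket should either be converted to the same role or the RT form should be used deliberately and consistently for items that have no GitLab issue. Two documentation gaps in the same hunk are worth closing before merge: "Statistics channel groups can now be toggled. :gl:`#1030`" does not say where the toggle lives (which statement or option the operator sets), which is the one thing a reader of release notes needs; and the Feature Changes item that turns a static root trust anchor combined with ``dnssec-validation auto`` into a fatal configuration error is an upgrade-breaking change, so the note should state the remediation (what the operator must change in ``named.conf`` to make the configuration load again) rather than only that the parser now rejects it. A smaller wording point: the Removed Features section says DLV "is now obsolete" and in the next sentence that the option "has been marked as deprecated" with a warning; since ``dnssec-enable`` in the same section is described as "obsoleted" without saying whether it warns or is silently ignored, aligning the two entries (warning vs. silent acceptance) would save operators a test run after upgrade.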