path: root/doc/notes/notes-9.16.16.rst
Diffstat (limited to 'doc/notes/notes-9.16.16.rst')
-rw-r--r-- doc/notes/notes-9.16.16.rst 76
1 files changed, 76 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.16.rst b/doc/notes/notes-9.16.16.rst
new file mode 100644
index 0000000..721546c
--- /dev/null
+++ b/doc/notes/notes-9.16.16.rst
@@ -0,0 +1,76 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.16
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DNSSEC responses containing NSEC3 records with iteration counts
+ greater than 150 are now treated as insecure. :gl:`#2445`
+
+- The maximum supported number of NSEC3 iterations that can be
+ configured for a zone has been reduced to 150. :gl:`#2642`
+
+- The default value of the ``max-ixfr-ratio`` option was changed to
+ ``unlimited``, for better backwards compatibility in the stable
+ release series. :gl:`#2671`
+
+- Zones that want to transition from secure to insecure mode without
+ becoming bogus in the process must now have their ``dnssec-policy``
+ changed first to ``insecure``, rather than ``none``. After the DNSSEC
+ records have been removed from the zone, the ``dnssec-policy`` can be
+ set to ``none`` or removed from the configuration. Setting the
+ ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
+ records to be published. :gl:`#2645`
+
+- The implementation of the ZONEMD RR type has been updated to match
+ :rfc:`8976`. :gl:`#2658`
+
+- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
+ NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
+ or the SOA TTL. :gl:`#2347`
+
+Bug Fixes
+~~~~~~~~~
+
+- It was possible for corrupt journal files generated by an earlier
+ version of ``named`` to cause problems after an upgrade. This has been
+ fixed. :gl:`#2670`
+
+- TTL values in cache dumps were reported incorrectly when
+ ``stale-cache-enable`` was set to ``yes``. This has been fixed.
+ :gl:`#389` :gl:`#2289`
+
+- A deadlock could occur when multiple ``rndc addzone``, ``rndc
+ delzone``, and/or ``rndc modzone`` commands were invoked
+ simultaneously for different zones. This has been fixed. :gl:`#2626`
+
+- ``named`` and ``named-checkconf`` did not report an error when
+ multiple zones with the ``dnssec-policy`` option set were using the
+ same zone file. This has been fixed. :gl:`#2603`
+
+- If ``dnssec-policy`` was active and a private key file was temporarily
+ offline during a rekey event, ``named`` could incorrectly introduce
+ replacement keys and break a signed zone. This has been fixed.
+ :gl:`#2596`
+
+- When generating zone signing keys, KASP now also checks for key ID
+ conflicts among newly created keys, rather than just between new and
+ existing ones. :gl:`#2628`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
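Review bot: In the Feature Changes list, the two NSEC3 entries (#2445 and #2642) state the new limit of 150 iterations but do not tell an operator what to expect when an existing zone is configured with a higher count, or what action to take. Since the first entry says responses above 150 iterations are now treated as insecure, a sentence on how an over-limit configuration is handled and what the operator should change would make these entries actionable. Two smaller wording points: in the draft-vandijk-dnsop-nsec-ttl entry, "the minimum of the SOA MINIMUM value or the SOA TTL" would read more clearly as "the lesser of the SOA MINIMUM value and the SOA TTL"; and in the first Bug Fixes entry, "cause problems after an upgrade" could name the symptom so readers can tell whether they were affected.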