diff options
Diffstat (limited to '')
-rw-r--r-- | doc/notes/notes-9.16.2.rst | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.2.rst b/doc/notes/notes-9.16.2.rst new file mode 100644 index 0000000..ab484a1 --- /dev/null +++ b/doc/notes/notes-9.16.2.rst @@ -0,0 +1,59 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.2 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. :gl:`#1574` + +Known Issues +~~~~~~~~~~~~ + +- We have received reports that in some circumstances, receipt of an + IXFR can cause the processing of queries to slow significantly. Some + of these were related to RPZ processing, which has been fixed in this + release (see below). Others appear to occur where there are + NSEC3-related changes (such as an operator changing the NSEC3 salt + used in the hash calculation). These are being investigated. + :gl:`#1685` + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +Feature Changes +~~~~~~~~~~~~~~~ + +- The previous DNSSEC sign statistics used lots of memory. The number + of keys to track is reduced to four per zone, which should be enough + for 99% of all signed zones. :gl:`#1179` + +Bug Fixes +~~~~~~~~~ + +- When an RPZ policy zone was updated via zone transfer and a large + number of records was deleted, ``named`` could become nonresponsive + for a short period while deleted names were removed from the RPZ + summary database. This database cleanup is now done incrementally + over a longer period of time, reducing such delays. :gl:`#1447` + +- When trying to migrate an already-signed zone from + ``auto-dnssec maintain`` to one based on ``dnssec-policy``, the + existing keys were immediately deleted and replaced with new ones. As + the key rollover timing constraints were not being followed, it was + possible that some clients would not have been able to validate + responses until all old DNSSEC information had timed out from caches. + BIND now looks at the time metadata of the existing keys and + incorporates it into its DNSSEC policy operation. :gl:`#1706` |