diff options
Diffstat (limited to 'HISTORY')
| -rw-r--r-- | HISTORY | 600 |
1 files changed, 600 insertions, 0 deletions
@@ -0,0 +1,600 @@ +HISTORY + +Functional enhancements from prior major releases of BIND 9 + +BIND 9.14 + +BIND 9.14 (a stable branch based on the 9.13 development branch) includes +a number of changes from BIND 9.12 and earlier releases. New features +include: + + * A new "plugin" mechanism has been added to allow query functionality + to be extended using dynamically loadable libraries. The "filter-aaaa" + feature has been removed from named and is now implemented as a + plugin. + * Socket and task code has been refactored to improve performance. + * QNAME minimization, as described in RFC 7816, is now supported. + * "Root key sentinel" support, enabling validating resolvers to indicate + via a special query which trust anchors are configured for the root + zone. + * Secondary zones can now be configured as "mirror" zones; their + contents are transferred in as with traditional slave zones, but are + subject to DNSSEC validation and are not treated as authoritative data + when answering. This makes it easier to configure a local copy of the + root zone as described in RFC 7706. + * The "validate-except" option allows configuration of domains below + which DNSSEC validation should not be performed. + * The default value of "dnssec-validation" is now "auto". + * IDNA2008 is now supported when linking with libidn2. + * "named -V" now outputs the default paths for files used by named and + other tools. + +In addition, workarounds that were formerly in place to enable resolution +of domains whose authoritative servers did not respond to EDNS queries +have been removed. See https://dnsflagday.net for more details. + +Cryptographic support has been modernized. BIND now uses the best +available pseudo-random number generator for the platform on which it's +built. Very old versions of OpenSSL are no longer supported. Cryptography +is now mandatory: building BIND without DNSSEC is no longer supported. + +Special code to support certain legacy operating systems has also been +removed; see the doc/arm/platforms.rst file for details of supported +platforms. In addition to OpenSSL, BIND now requires support for IPv6, +threads, and standard atomic operations provided by the C compiler. + +BIND 9.12 + +BIND 9.12 includes a number of changes from BIND 9.11 and earlier +releases. New features include: + + * named and related libraries have been substantially refactored for + improved query performance -- particularly on delegation heavy zones + -- and for improved readability, maintainability, and testability. + * Code implementing the name server query processing logic has been + moved into a new libns library, for easier testing and use in tools + other than named. + * Cached, validated NSEC and other records can now be used to synthesize + NXDOMAIN responses. + * The DNS Response Policy Service API (DNSRPS) is now supported. + * Setting 'max-journal-size default' now limits the size of journal + files to twice the size of the zone. + * dnstap-read -x prints a hex dump of the wire format of each logged DNS + message. + * dnstap output files can now be configured to roll automatically when + reaching a given size. + * Log file timestamps can now also be formatted in ISO 8601 (local) or + ISO 8601 (UTC) formats. + * Logging channels and dnstap output files can now be configured to use + a timestamp as the suffix when rolling to a new file. + * 'named-checkconf -l' lists zones found in named.conf. + * Added support for the EDNS Padding and Keepalive options. + * 'new-zones-directory' option sets the location where the configuration + data for zones added by rndc addzone is stored. + * The default key algorithm in rndc-confgen is now hmac-sha256. + * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by + default without a configure option. + * The obsolete isc-hmac-fixup command has been removed. + +BIND 9.11 + +BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier +releases. New features include: + + * Added support for Catalog Zones, a new method for provisioning + servers: a list of zones to be served is stored in a DNS zone, along + with their configuration parameters. Changes to the catalog zone are + propagated to slaves via normal AXFR/IXFR, whereupon the zones that + are listed in it are automatically added, deleted or reconfigured. + * Added support for "dnstap", a fast and flexible method of capturing + and logging DNS traffic. + * Added support for "dyndb", a new API for loading zone data from an + external database, developed by Red Hat for the FreeIPA project. + * "fetchlimit" quotas are now compiled in by default. These are for the + use of recursive resolvers that are are under high query load for + domains whose authoritative servers are nonresponsive or are + experiencing a denial of service attack: + + "fetches-per-server" limits the number of simultaneous queries + that can be sent to any single authoritative server. The + configured value is a starting point; it is automatically adjusted + downward if the server is partially or completely non-responsive. + The algorithm used to adjust the quota can be configured via the + "fetch-quota-params" option. + + "fetches-per-zone" limits the number of simultaneous queries that + can be sent for names within a single domain. (Note: Unlike + "fetches-per-server", this value is not self-tuning.) + + New stats counters have been added to count queries spilled due to + these quotas. + * Added a new "dnssec-keymgr" key mainenance utility, which can generate + or update keys as needed to ensure that a zone's keys match a defined + DNSSEC policy. + * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" + and is no longer optional. EDNS COOKIE is a mechanism enabling clients + to detect off-path spoofed responses, and servers to detect + spoofed-source queries. Clients that identify themselves using COOKIE + options are not subject to response rate limiting (RRL) and can + receive larger UDP responses. + * SERVFAIL responses can now be cached for a limited time (defaulting to + 1 second, with an upper limit of 30). This can reduce the frequency of + retries when a query is persistently failing. + * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to + be skipped if a name server IP address isn't in the cache yet; the + address will be looked up and the rule will be applied on future + queries. + * Added a Python RNDC module. This allows multiple commands to sent over + a persistent RNDC channel, which saves time. + * The "controls" block in named.conf can now grant read-only "rndc" + access to specified clients or keys. Read-only clients could, for + example, check "rndc status" but could not reconfigure or shut down + the server. + * "rndc" commands can now return arbitrarily large amounts of text to + the caller. + * The zone serial number of a dynamically updatable zone can now be set + via "rndc signing -serial ". This allows inline-signing zones to be + set to a specific serial number. + * The new "rndc nta" command can be used to set a Negative Trust Anchor + (NTA), disabling DNSSEC validation for a specific domain; this can be + used when responses from a domain are known to be failing validation + due to administrative error rather than because of a spoofing attack. + Negative trust anchors are strictly temporary; by default they expire + after one hour, but can be configured to last up to one week. + * "rndc delzone" can now be used on zones that were not originally + created by "rndc addzone". + * "rndc modzone" reconfigures a single zone, without requiring the + entire server to be reconfigured. + * "rndc showzone" displays the current configuration of a zone. + * "rndc managed-keys" can be used to check the status of RFC 5011 + managed trust anchors, or to force trust anchors to be refreshed. + * "max-cache-size" can now be set to a percentage of available memory. + The default is 90%. + * Update forwarding performance has been improved by allowing a single + TCP connection to be shared by multiple updates. + * The EDNS Client Subnet (ECS) option is now supported for authoritative + servers; if a query contains an ECS option then ACLs containing + "geoip" or "ecs" elements can match against the the address encoded in + the option. This can be used to select a view for a query, so that + different answers can be provided depending on the client network. + * The EDNS EXPIRE option has been implemented on the client side, + allowing a slave server to set the expiration timer correctly when + transferring zone data from another slave server. + * The key generation and manipulation tools (dnssec-keygen, + dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take + "-Psync" and "-Dsync" options to set the publication and deletion + times of CDS and CDNSKEY parent-synchronization records. Both named + and dnssec-signzone can now publish and remove these records at the + scheduled times. + * A new "minimal-any" option reduces the size of UDP responses for query + type ANY by returning a single arbitrarily selected RRset instead of + all RRsets. + * A new "masterfile-style" zone option controls the formatting of text + zone files: When set to "full", a zone file is dumped in + single-line-per-record format. + * "serial-update-method" can now be set to "date". On update, the serial + number will be set to the current date in YYYYMMDDNN format. + * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. + * "named -L " causes named to send log messages to the specified file by + default instead of to the system log. + * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, + s for weeks, days, hours, minutes, and seconds. + * "dig +unknownformat" prints dig output in RFC 3597 "unknown record" + presentation format. + * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests. + * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on + requests. + * "mdig" is an alternate version of dig which sends multiple pipelined + TCP queries to a server. Instead of waiting for a response after + sending a query, it sends all queries immediately and displays + responses in the order received. + * "serial-query-rate" no longer controls NOTIFY messages. These are + separately controlled by "notify-rate" and "startup-notify-rate". + * "nsupdate" now performs "check-names" processing by default on records + to be added. This can be disabled with "check-names no". + * The statistics channel now supports DEFLATE compression, reducing the + size of the data sent over the network when querying statistics. + * New counters have been added to the statistics channel to track the + sizes of incoming queries and outgoing responses in histogram buckets, + as specified in RSSAC002. + * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been + added, allowing redirection to a specified DNS namespace instead of a + single redirect zone. + * When starting up, named now ensures that no other named process is + already running. + * Files created by named to store information, including "mkeys" and + "nzf" files, are now named after their corresponding views unless the + view name contains characters incompatible with use as a filename. Old + style filenames (based on the hash of the view name) will still work. + +BIND 9.10.0 + +BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier +releases. New features include: + + * DNS Response-rate limiting (DNS RRL), which blunts the impact of + reflection and amplification attacks, is always compiled in and no + longer requires a compile-time option to enable it. + * An experimental "Source Identity Token" (SIT) EDNS option is now + available. Similar to DNS Cookies as invented by Donald Eastlake 3rd, + these are designed to enable clients to detect off-path spoofed + responses, and to enable servers to detect spoofed-source queries. + Servers can be configured to send smaller responses to clients that + have not identified themselves using a SIT option, reducing the + effectiveness of amplification attacks. RRL processing has also been + updated; clients proven to be legitimate via SIT are not subject to + rate limiting. Use "configure --enable-sit" to enable this feature in + BIND. + * A new zone file format, "map", stores zone data in a format that can + be mapped directly into memory, allowing significantly faster zone + loading. + * "delv" (domain entity lookup and validation) is a new tool with + dig-like semantics for looking up DNS data and performing internal + DNSSEC validation. This allows easy validation in environments where + the resolver may not be trustworthy, and assists with troubleshooting + of DNSSEC problems. (NOTE: In previous development releases of BIND + 9.10, this utility was called "delve". The spelling has been changed + to avoid confusion with the "delve" utility included with the Xapian + search engine.) + * Improved EDNS(0) processing for better resolver performance and + reliability over slow or lossy connections. + * A new "configure --with-tuning=large" option tunes certain compiled-in + constants and default settings to values better suited to large + servers with abundant memory. This can improve performance on such + servers, but will consume more memory and may degrade performance on + smaller systems. + * Substantial improvement in response-policy zone (RPZ) performance. Up + to 32 response-policy zones can be configured with minimal performance + loss. + * To improve recursive resolver performance, cache records which are + still being requested by clients can now be automatically refreshed + from the authoritative server before they expire, reducing or + eliminating the time window in which no answer is available in the + cache. + * New "rpz-client-ip" triggers and drop policies allowing response + policies based on the IP address of the client. + * ACLs can now be specified based on geographic location using the + MaxMind GeoIP databases. Use "configure --with-geoip" to enable. + * Zone data can now be shared between views, allowing multiple views to + serve the same zones authoritatively without storing multiple copies + in memory. + * New XML schema (version 3) for the statistics channel includes many + new statistics and uses a flattened XML tree for faster parsing. The + older schema is now deprecated. + * A new stylesheet, based on the Google Charts API, displays XML + statistics in charts and graphs on javascript-enabled browsers. + * The statistics channel can now provide data in JSON format as well as + XML. + * New stats counters track TCP and UDP queries received per zone, and + EDNS options received in total. + * The internal and export versions of the BIND libraries (libisc, + libdns, etc) have been unified so that external library clients can + use the same libraries as BIND itself. + * A new compile-time option, "configure --enable-native-pkcs11", allows + BIND 9 cryptography functions to use the PKCS#11 API natively, so that + BIND can drive a cryptographic hardware service module (HSM) directly + instead of using a modified OpenSSL as an intermediary. (Note: This + feature requires an HSM to have a full implementation of the PKCS#11 + API; many current HSMs only have partial implementations. The new + "pkcs11-tokens" command can be used to check API completeness. Native + PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM + version 2 from the Open DNSSEC project.) + * The new "max-zone-ttl" option enforces maximum TTLs for zones. This + can simplify the process of rolling DNSSEC keys by guaranteeing that + cached signatures will have expired within the specified amount of + time. + * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying. + * "dig +expire" sends an EDNS EXPIRE option when querying. When this + option is sent with an SOA query to a server that supports it, it will + report the expiry time of a slave zone. + * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and + report if a lapse in signing coverage has been inadvertently + scheduled. + * Signing algorithm flexibility and other improvements for the "rndc" + control channel. + * "named-checkzone" and "named-compilezone" can now read journal files, + allowing them to process dynamic zones. + * Multiple DLZ databases can now be configured. Individual zones can be + configured to be served from a specific DLZ database. DLZ databases + now serve zones of type "master" and "redirect". + * "rndc zonestatus" reports information about a specified zone. + * "named" now listens on IPv6 as well as IPv4 interfaces by default. + * "named" now preserves the capitalization of names when responding to + queries: for instance, a query for "example.com" may be answered with + "example.COM" if the name was configured that way in the zone file. + Some clients have a bug causing them to depend on the older behavior, + in which the case of the answer always matched the case of the query, + rather than the case of the name configured in the DNS. Such clients + can now be specified in the new "no-case-compress" ACL; this will + restore the older behavior of "named" for those clients only. + * new "dnssec-importkey" command allows the use of offline DNSSEC keys + with automatic DNSKEY management. + * New "named-rrchecker" tool to verify the syntactic correctness of + individual resource records. + * When re-signing a zone, the new "dnssec-signzone -Q" option drops + signatures from keys that are still published but are no longer + active. + * "named-checkconf -px" will print the contents of configuration files + with the shared secrets obscured, making it easier to share + configuration (e.g. when submitting a bug report) without revealing + private information. + * "rndc scan" causes named to re-scan network interfaces for changes in + local addresses. + * On operating systems with support for routing sockets, network + interfaces are re-scanned automatically whenever they change. + * "tsig-keygen" is now available as an alternate command name to use for + "ddns-confgen". + +BIND 9.9.0 + +BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier +releases. New features include: + + * Inline signing, allowing automatic DNSSEC signing of master zones + without modification of the zonefile, or "bump in the wire" signing in + slaves. + * NXDOMAIN redirection. + * New 'rndc flushtree' command clears all data under a given name from + the DNS cache. + * New 'rndc sync' command dumps pending changes in a dynamic zone to + disk without a freeze/thaw cycle. + * New 'rndc signing' command displays or clears signing status records + in 'auto-dnssec' zones. + * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to + signing, eliminating the need to initially sign with NSEC. + * Startup time improvements on large authoritative servers. + * Slave zones are now saved in raw format by default. + * Several improvements to response policy zones (RPZ). + * Improved hardware scalability by using multiple threads to listen for + queries and using finer-grained client locking + * The 'also-notify' option now takes the same syntax as 'masters', so it + can used named masterlists and TSIG keys. + * 'dnssec-signzone -D' writes an output file containing only DNSSEC + data, which can be included by the primary zone file. + * 'dnssec-signzone -R' forces removal of signatures that are not expired + but were created by a key which no longer exists. + * 'dnssec-signzone -X' allows a separate expiration date to be specified + for DNSKEY signatures from other signatures. + * New '-L' option to dnssec-keygen, dnssec-settime, and + dnssec-keyfromlabel sets the default TTL for the key. + * dnssec-dsfromkey now supports reading from standard input, to make it + easier to convert DNSKEY to DS. + * RFC 1918 reverse zones have been added to the empty-zones table per + RFC 6303. + * Dynamic updates can now optionally set the zone's SOA serial number to + the current UNIX time. + * DLZ modules can now retrieve the source IP address of the querying + client. + * 'request-ixfr' option can now be set at the per-zone level. + * 'dig +rrcomments' turns on comments about DNSKEY records, indicating + their key ID, algorithm and function + * Simplified nsupdate syntax and added readline support + +BIND 9.8.0 + +BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier +releases. New features include: + + * Built-in trust anchor for the root zone, which can be switched on via + "dnssec-validation auto;" + * Support for DNS64. + * Support for response policy zones (RPZ). + * Support for writable DLZ zones. + * Improved ease of configuration of GSS/TSIG for interoperability with + Active Directory + * Support for GOST signing algorithm for DNSSEC. + * Removed RTT Banding from server selection algorithm. + * New "static-stub" zone type. + * Allow configuration of resolver timeouts via "resolver-query-timeout" + option. + * The DLZ "dlopen" driver is now built by default. + * Added a new include file with function typedefs for the DLZ "dlopen" + driver. + * Made "--with-gssapi" default. + * More verbose error reporting from DLZ LDAP. + +BIND 9.7.0 + +BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier +releases. Most are intended to simplify DNSSEC configuration. New features +include: + + * Fully automatic signing of zones by "named". + * Simplified configuration of DNSSEC Lookaside Validation (DLV). + * Simplified configuration of Dynamic DNS, using the "ddns-confgen" + command line tool or the "local" update-policy option. (As a side + effect, this also makes it easier to configure automatic zone + re-signing.) + * New named option "attach-cache" that allows multiple views to share a + single cache. + * DNS rebinding attack prevention. + * New default values for dnssec-keygen parameters. + * Support for RFC 5011 automated trust anchor maintenance + * Smart signing: simplified tools for zone signing and key maintenance. + * The "statistics-channels" option is now available on Windows. + * A new DNSSEC-aware libdns API for use by non-BIND9 applications + * On some platforms, named and other binaries can now print out a stack + backtrace on assertion failure, to aid in debugging. + * A "tools only" installation mode on Windows, which only installs dig, + host, nslookup and nsupdate. + * Improved PKCS#11 support, including Keyper support and explicit + OpenSSL engine selection. + +BIND 9.6.0 + + * Full NSEC3 support + * Automatic zone re-signing + * New update-policy methods tcp-self and 6to4-self + * The BIND 8 resolver library, libbind, has been removed from the BIND 9 + distribution and is now available as a separate download. + * Change the default pid file location from /var/run to /var/run/ + {named,lwresd} for improved chroot/setuid support. + +BIND 9.5.0 + + * GSS-TSIG support (RFC 3645). + * DHCID support. + * Experimental http server and statistics support for named via xml. + * More detailed statistics counters including those supported in BIND 8. + * Faster ACL processing. + * Use Doxygen to generate internal documentation. + * Efficient LRU cache-cleaning mechanism. + * NSID support. + +BIND 9.4.0 + + * Implemented "additional section caching (or acache)", an internal + cache framework for additional section content to improve response + performance. Several configuration options were provided to control + the behavior. + * New notify type 'master-only'. Enable notify for master zones only. + * Accept 'notify-source' style syntax for query-source. + * rndc now allows addresses to be set in the server clauses. + * New option "allow-query-cache". This lets "allow-query" be used to + specify the default zone access level rather than having to have every + zone override the global value. "allow-query-cache" can be set at both + the options and view levels. If "allow-query-cache" is not set then + "allow-recursion" is used if set, otherwise "allow-query" is used if + set unless "recursion no;" is set in which case "none;" is used, + otherwise the default (localhost; localnets;) is used. + * rndc: the source address can now be specified. + * ixfr-from-differences now takes master and slave in addition to yes + and no at the options and view levels. + * Allow the journal's name to be changed via named.conf. + * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the + specified zone. + * 'dig +trace' now randomly selects the next servers to try. Report if + there is a bad delegation. + * Improve check-names error messages. + * Make public the function to read a key file, dst_key_read_public(). + * dig now returns the byte count for axfr/ixfr. + * allow-update is now settable at the options / view level. + * named-checkconf now checks the logging configuration. + * host now can turn on memory debugging flags with '-m'. + * Don't send notify messages to self. + * Perform sanity checks on NS records which refer to 'in zone' names. + * New zone option "notify-delay". Specify a minimum delay between sets + of NOTIFY messages. + * Extend adjusting TTL warning messages. + * Named and named-checkzone can now both check for non-terminal wildcard + records. + * "rndc freeze/thaw" now freezes/thaws all zones. + * named-checkconf now check acls to verify that they only refer to + existing acls. + * The server syntax has been extended to support a range of servers. + * Report differences between hints and real NS rrset and associated + address records. + * Preserve the case of domain names in rdata during zone transfers. + * Restructured the data locking framework using architecture dependent + atomic operations (when available), improving response performance on + multi-processor machines significantly. x86, x86_64, alpha, powerpc, + and mips are currently supported. + * UNIX domain controls are now supported. + * Add support for additional zone file formats for improving loading + performance. The masterfile-format option in named.conf can be used to + specify a non-default format. A separate command named-compilezone was + provided to generate zone files in the new format. Additionally, the + -I and -O options for dnssec-signzone specify the input and output + formats. + * dnssec-signzone can now randomize signature end times (dnssec-signzone + -j jitter). + * Add support for CH A record. + * Add additional zone data constancy checks. named-checkzone has + extended checking of NS, MX and SRV record and the hosts they + reference. named has extended post zone load checks. New zone options: + check-mx and integrity-check. + * edns-udp-size can now be overridden on a per server basis. + * dig can now specify the EDNS version when making a query. + * Added framework for handling multiple EDNS versions. + * Additional memory debugging support to track size and mctx arguments. + * Detect duplicates of UDP queries we are recursing on and drop them. + New stats category "duplicates". + * "USE INTERNAL MALLOC" is now runtime selectable. + * The lame cache is now done on a <qname,qclass,qtype> basis as some + servers only appear to be lame for certain query types. + * Limit the number of recursive clients that can be waiting for a single + query (<qname,qtype,qclass>) to resolve. New options clients-per-query + and max-clients-per-query. + * dig: report the number of extra bytes still left in the packet after + processing all the records. + * Support for IPSECKEY rdata type. + * Raise the UDP receive buffer size to 32k if it is less than 32k. + * x86 and x86_64 now have separate atomic locking implementations. + * named-checkconf now validates update-policy entries. + * Attempt to make the amount of work performed in a iteration self + tuning. The covers nodes clean from the cache per iteration, nodes + written to disk when rewriting a master file and nodes destroyed per + iteration when destroying a zone or a cache. + * ISC string copy API. + * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC + 1918 zones are not yet covered by this but are likely to be in a + future release. + * New options: empty-server, empty-contact, empty-zones-enable and + disable-empty-zone. + * dig now has a '-q queryname' and '+showsearch' options. + * host/nslookup now continue (default)/fail on SERVFAIL. + * dig now warns if 'RA' is not set in the answer when 'RD' was set in + the query. host/nslookup skip servers that fail to set 'RA' when 'RD' + is set unless a server is explicitly set. + * Integrate contributed DLZ code into named. + * Integrate contributed IDN code from JPNIC. + * libbind: corresponds to that from BIND 8.4.7. + +BIND 9.3.0 + + * DNSSEC is now DS based (RFC 3658). + * DNSSEC lookaside validation. + * check-names is now implemented. + * rrset-order is more complete. + * IPv4/IPv6 transition support, dual-stack-servers. + * IXFR deltas can now be generated when loading master files, + ixfr-from-differences. + * It is now possible to specify the size of a journal, max-journal-size. + * It is now possible to define a named set of master servers to be used + in masters clause, masters. + * The advertised EDNS UDP size can now be set, edns-udp-size. + * allow-v6-synthesis has been obsoleted. + * Zones containing MD and MF will now be rejected. + * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than + NOTIMPL. This will have impact on scripts that are looking for + NOTIMPL. + * libbind: corresponds to that from BIND 8.4.5. + +BIND 9.2.0 + + * The size of the cache can now be limited using the "max-cache-size" + option. + * The server can now automatically convert RFC1886-style recursive + lookup requests into RFC2874-style lookups, when enabled using the new + option "allow-v6-synthesis". This allows stub resolvers that support + AAAA records but not A6 record chains or binary labels to perform + lookups in domains that make use of these IPv6 DNS features. + * Performance has been improved. + * The man pages now use the more portable "man" macros rather than the + "mandoc" macros, and are installed by "make install". + * The named.conf parser has been completely rewritten. It now supports + "include" directives in more places such as inside "view" statements, + and it no longer has any reserved words. + * The "rndc status" command is now implemented. + * rndc can now be configured automatically. + * A BIND 8 compatible stub resolver library is now included in lib/bind. + * OpenSSL has been removed from the distribution. This means that to use + DNSSEC, OpenSSL must be installed and the --with-openssl option must + be supplied to configure. This does not apply to the use of TSIG, + which does not require OpenSSL. + * The source distribution now builds on Windows. See win32utils/ + readme1.txt and win32utils/win32-build.txt for details. + * This distribution also includes a new lightweight stub resolver + library and associated resolver daemon that fully support forward and + reverse lookups of both IPv4 and IPv6 addresses. This library is + considered experimental and is not a complete replacement for the BIND + 8 resolver library. Applications that use the BIND 8 res_* functions + to perform DNS lookups or dynamic updates still need to be linked + against the BIND 8 libraries. For DNS lookups, they can also use the + new "getrrsetbyname()" API. + * BIND 9.2 is capable of acting as an authoritative server for DNSSEC + secured zones. This functionality is believed to be stable and + complete except for lacking support for verifications involving + wildcard records in secure zones. + * When acting as a caching server, BIND 9.2 can be configured to perform + DNSSEC secure resolution on behalf of its clients. This part of the + DNSSEC implementation is still considered experimental. For detailed + information about the state of the DNSSEC implementation, see the file + doc/misc/dnssec. |