Diffstat (limited to '')
-rw-r--r-- | doc/notes/notes-9.16.16.rst | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.16.rst b/doc/notes/notes-9.16.16.rst new file mode 100644 index 0000000..721546c --- /dev/null +++ b/doc/notes/notes-9.16.16.rst 
@@ -0,0 +1,76 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.16 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- DNSSEC responses containing NSEC3 records with iteration counts + greater than 150 are now treated as insecure. :gl:`#2445` + +- The maximum supported number of NSEC3 iterations that can be + configured for a zone has been reduced to 150. :gl:`#2642` + +- The default value of the ``max-ixfr-ratio`` option was changed to + ``unlimited``, for better backwards compatibility in the stable + release series. :gl:`#2671` + +- Zones that want to transition from secure to insecure mode without + becoming bogus in the process must now have their ``dnssec-policy`` + changed first to ``insecure``, rather than ``none``. After the DNSSEC + records have been removed from the zone, the ``dnssec-policy`` can be + set to ``none`` or removed from the configuration. Setting the + ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE + records to be published. :gl:`#2645` + +- The implementation of the ZONEMD RR type has been updated to match + :rfc:`8976`. :gl:`#2658` + +- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: + NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value + or the SOA TTL. :gl:`#2347` + +Bug Fixes +~~~~~~~~~ + +- It was possible for corrupt journal files generated by an earlier + version of ``named`` to cause problems after an upgrade. This has been + fixed. :gl:`#2670` + +- TTL values in cache dumps were reported incorrectly when + ``stale-cache-enable`` was set to ``yes``. 
This has been fixed. + :gl:`#389` :gl:`#2289` + +- A deadlock could occur when multiple ``rndc addzone``, ``rndc + delzone``, and/or ``rndc modzone`` commands were invoked + simultaneously for different zones. This has been fixed. :gl:`#2626` + +- ``named`` and ``named-checkconf`` did not report an error when + multiple zones with the ``dnssec-policy`` option set were using the + same zone file. This has been fixed. :gl:`#2603` + +- If ``dnssec-policy`` was active and a private key file was temporarily + offline during a rekey event, ``named`` could incorrectly introduce + replacement keys and break a signed zone. This has been fixed. + :gl:`#2596` + +- When generating zone signing keys, KASP now also checks for key ID + conflicts among newly created keys, rather than just between new and + existing ones. :gl:`#2628` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. |
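Review bot: In the Feature Changes list, the two NSEC3 entries (:gl:`#2445` and :gl:`#2642`) state the new limit of 150 iterations but do not say what ``named`` does with a zone that is already configured with a higher count, or what an operator should change before upgrading. A sentence on that would help, because the first entry means a resolver running this release treats responses from such a zone as insecure. In the ``draft-vandijk-dnsop-nsec-ttl`` entry, "the minimum of the SOA MINIMUM value or the SOA TTL" would read more precisely as "the minimum of the SOA MINIMUM value and the SOA TTL". In Bug Fixes, the journal entry's "cause problems after an upgrade" is vague; naming the symptom would let operators tell whether they were affected.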