From 45d6379135504814ab723b57f0eb8be23393a51d Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 09:24:22 +0200 Subject: Adding upstream version 1:9.16.44. Signed-off-by: Daniel Baumann --- doc/notes/notes-9.16.0.rst | 152 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 doc/notes/notes-9.16.0.rst (limited to 'doc/notes/notes-9.16.0.rst') diff --git a/doc/notes/notes-9.16.0.rst b/doc/notes/notes-9.16.0.rst new file mode 100644 index 0000000..1b4e92f --- /dev/null +++ b/doc/notes/notes-9.16.0.rst @@ -0,0 +1,152 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.0 +--------------------- + +.. note:: + + This section only lists changes from BIND 9.14 (the previous + stable branch of BIND). + +New Features +~~~~~~~~~~~~ + +- A new asynchronous network communications system based on ``libuv`` + is now used by ``named`` for listening for incoming requests and + responding to them. This change will make it easier to improve + performance and implement new protocol layers (for example, DNS over + TLS) in the future. :gl:`#29` + +- The new ``dnssec-policy`` option allows the configuration of a key + and signing policy (KASP) for zones. This option enables ``named`` to + generate new keys as needed and automatically roll both ZSK and KSK + keys. (Note that the syntax for this statement differs from the + DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134` + +- In order to clarify the configuration of DNSSEC keys, the + ``trusted-keys`` and ``managed-keys`` statements have been + deprecated, and the new ``trust-anchors`` statement should now be + used for both types of key. + + When used with the keyword ``initial-key``, ``trust-anchors`` has the + same behavior as ``managed-keys``, i.e., it configures a trust anchor + that is to be maintained via :rfc:`5011`. + + When used with the new keyword ``static-key``, ``trust-anchors`` has + the same behavior as ``trusted-keys``, i.e., it configures a + permanent trust anchor that will not automatically be updated. (This + usage is not recommended for the root key.) :gl:`#6` + +- Two new keywords have been added to the ``trust-anchors`` statement: + ``initial-ds`` and ``static-ds``. These allow the use of trust + anchors in DS format instead of DNSKEY format. DS format allows trust + anchors to be configured for keys that have not yet been published; + this is the format used by IANA when announcing future root keys. + + As with the ``initial-key`` and ``static-key`` keywords, + ``initial-ds`` configures a dynamic trust anchor to be maintained via + :rfc:`5011`, and ``static-ds`` configures a permanent trust anchor. + :gl:`#6` :gl:`#622` + +- ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to + print output in a detailed YAML format. :gl:`#1145` + +- ``dig`` now has a new command line option: ``+[no]unexpected``. By + default, ``dig`` won't accept a reply from a source other than the + one to which it sent the query. Add the ``+unexpected`` argument to + enable it to process replies from unexpected sources. [RT #44978] + +- ``dig`` now accepts a new command line option, ``+[no]expandaaaa``, + which causes the IPv6 addresses in AAAA records to be printed in full + 128-bit notation rather than the default :rfc:`5952` format. + :gl:`#765` + +- Statistics channel groups can now be toggled. :gl:`#1030` + +Feature Changes +~~~~~~~~~~~~~~~ + +- When static and managed DNSSEC keys were both configured for the same + name, or when a static key was used to configure a trust anchor for + the root zone and ``dnssec-validation`` was set to the default value + of ``auto``, automatic :rfc:`5011` key rollovers would be disabled. + This combination of settings was never intended to work, but there + was no check for it in the parser. This has been corrected, and it is + now a fatal configuration error. :gl:`#868` + +- DS and CDS records are now generated with SHA-256 digests only, + instead of both SHA-1 and SHA-256. This affects the default output of + ``dnssec-dsfromkey``, the ``dsset`` files generated by + ``dnssec-signzone``, the DS records added to a zone by + ``dnssec-signzone`` based on ``keyset`` files, the CDS records added + to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing + parameters in key files, and the checks performed by + ``dnssec-checkds``. :gl:`#1015` + +- ``named`` will now log a warning if a static key is configured for + the root zone. :gl:`#6` + +- A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added + and made default. Old non-default HMAC-SHA based DNS Cookie + algorithms have been removed, and only the default AES algorithm is + being kept for legacy reasons. This change has no operational impact + in most common scenarios. :gl:`#605` + + If you are running multiple DNS servers (different versions of BIND 9 + or DNS servers from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), make sure that all the + servers are configured with the same DNS Cookie algorithm and same + Server Secret for the best performance. + +- The information from the ``dnssec-signzone`` and ``dnssec-verify`` + commands is now printed to standard output. The standard error output + is only used to print warnings and errors, and in case the user + requests the signed zone to be printed to standard output with the + ``-f -`` option. A new configuration option ``-q`` has been added to + silence all output on standard output except for the name of the + signed zone. :gl:`#1151` + +- The DNSSEC validation code has been refactored for clarity and to + reduce code duplication. :gl:`#622` + +- Compile-time settings enabled by the ``--with-tuning=large`` option + for ``configure`` are now in effect by default. Previously used + default compile-time settings can be enabled by passing + ``--with-tuning=small`` to ``configure``. :gl:`!2989` + +- JSON-C is now the only supported library for enabling JSON support + for BIND statistics. The ``configure`` option has been renamed from + ``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH`` + environment variable accordingly to specify a custom path to the + ``json-c`` library, as the new ``configure`` option does not take the + library installation path as an optional argument. :gl:`#855` + +- ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or + ``--localstatedir`` to ``/var`` when ``--prefix`` is not specified + and the aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are + respected. :gl:`#658` + +Removed Features +~~~~~~~~~~~~~~~~ + +- The ``dnssec-enable`` option has been obsoleted and no longer has any + effect. DNSSEC responses are always enabled if signatures and other + DNSSEC data are present. :gl:`#866` + +- DNSSEC Lookaside Validation (DLV) is now obsolete. The + ``dnssec-lookaside`` option has been marked as deprecated; when used + in ``named.conf``, it will generate a warning but will otherwise be + ignored. All code enabling the use of lookaside validation has been + removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7` + +- The ``cleaning-interval`` option has been removed. :gl:`!1731` -- cgit v1.2.3