.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.0
---------------------

.. note:: This section only lists changes from BIND 9.14 (the previous
          stable branch of BIND).

New Features
~~~~~~~~~~~~

- A new asynchronous network communications system based on ``libuv``
  is now used by ``named`` for listening for incoming requests and
  responding to them. This change will make it easier to improve
  performance and implement new protocol layers (for example, DNS over
  TLS) in the future. :gl:`#29`

- The new ``dnssec-policy`` option allows the configuration of a key
  and signing policy (KASP) for zones. This option enables ``named`` to
  generate new keys as needed and automatically roll both ZSK and KSK
  keys. (Note that the syntax for this statement differs from the
  DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134`

- In order to clarify the configuration of DNSSEC keys, the
  ``trusted-keys`` and ``managed-keys`` statements have been
  deprecated, and the new ``trust-anchors`` statement should now be
  used for both types of key.

  When used with the keyword ``initial-key``, ``trust-anchors`` has the
  same behavior as ``managed-keys``, i.e., it configures a trust anchor
  that is to be maintained via :rfc:`5011`. When used with the new
  keyword ``static-key``, ``trust-anchors`` has the same behavior as
  ``trusted-keys``, i.e., it configures a permanent trust anchor that
  will not automatically be updated. (This usage is not recommended for
  the root key.) :gl:`#6`

- Two new keywords have been added to the ``trust-anchors`` statement:
  ``initial-ds`` and ``static-ds``. These allow the use of trust
  anchors in DS format instead of DNSKEY format. DS format allows trust
  anchors to be configured for keys that have not yet been published;
  this is the format used by IANA when announcing future root keys. As
  with the ``initial-key`` and ``static-key`` keywords, ``initial-ds``
  configures a dynamic trust anchor to be maintained via :rfc:`5011`,
  and ``static-ds`` configures a permanent trust anchor. :gl:`#6`
  :gl:`#622`

- ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to
  print output in a detailed YAML format. :gl:`#1145`

- ``dig`` now has a new command line option: ``+[no]unexpected``. By
  default, ``dig`` won't accept a reply from a source other than the
  one to which it sent the query. Add the ``+unexpected`` argument to
  enable it to process replies from unexpected sources. [RT #44978]

- ``dig`` now accepts a new command line option, ``+[no]expandaaaa``,
  which causes the IPv6 addresses in AAAA records to be printed in full
  128-bit notation rather than the default :rfc:`5952` format.
  :gl:`#765`

- Statistics channel groups can now be toggled. :gl:`#1030`

Feature Changes
~~~~~~~~~~~~~~~

- When static and managed DNSSEC keys were both configured for the same
  name, or when a static key was used to configure a trust anchor for
  the root zone and ``dnssec-validation`` was set to the default value
  of ``auto``, automatic :rfc:`5011` key rollovers would be disabled.
  This combination of settings was never intended to work, but there
  was no check for it in the parser. This has been corrected, and it is
  now a fatal configuration error. :gl:`#868`

- DS and CDS records are now generated with SHA-256 digests only,
  instead of both SHA-1 and SHA-256. This affects the default output of
  ``dnssec-dsfromkey``, the ``dsset`` files generated by
  ``dnssec-signzone``, the DS records added to a zone by
  ``dnssec-signzone`` based on ``keyset`` files, the CDS records added
  to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing
  parameters in key files, and the checks performed by
  ``dnssec-checkds``. :gl:`#1015`

- ``named`` will now log a warning if a static key is configured for
  the root zone. :gl:`#6`

- A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added
  and made default. Old non-default HMAC-SHA based DNS Cookie algorithms
  have been removed, and only the previously default AES algorithm is
  being kept for legacy reasons. This change has no operational impact
  in most common scenarios. :gl:`#605`

  If you are running multiple DNS servers (different versions of BIND 9
  or DNS servers from multiple vendors) responding from the same IP
  address (anycast or load-balancing scenarios), make sure that all the
  servers are configured with the same DNS Cookie algorithm and the
  same Server Secret for the best performance.

- The information from the ``dnssec-signzone`` and ``dnssec-verify``
  commands is now printed to standard output. The standard error output
  is only used to print warnings and errors, and to print the
  information messages when the user requests the signed zone itself on
  standard output with the ``-f -`` option. A new command-line option
  ``-q`` has been added to silence all output on standard output except
  for the name of the signed zone. :gl:`#1151`

- The DNSSEC validation code has been refactored for clarity and to
  reduce code duplication. :gl:`#622`

- Compile-time settings enabled by the ``--with-tuning=large`` option
  for ``configure`` are now in effect by default. Previously used
  default compile-time settings can be enabled by passing
  ``--with-tuning=small`` to ``configure``. :gl:`!2989`

- JSON-C is now the only supported library for enabling JSON support
  for BIND statistics. The ``configure`` option has been renamed from
  ``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH``
  environment variable accordingly to specify a custom path to the
  ``json-c`` library, as the new ``configure`` option does not take the
  library installation path as an optional argument. :gl:`#855`

- ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or
  ``--localstatedir`` to ``/var`` when ``--prefix`` is not specified
  and the aforementioned options are not specified explicitly. Instead,
  Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
  respected. :gl:`#658`

Removed Features
~~~~~~~~~~~~~~~~

- The ``dnssec-enable`` option has been obsoleted and no longer has any
  effect. DNSSEC responses are always enabled if signatures and other
  DNSSEC data are present. :gl:`#866`

- DNSSEC Lookaside Validation (DLV) is now obsolete. The
  ``dnssec-lookaside`` option has been marked as deprecated; when used
  in ``named.conf``, it will generate a warning but will otherwise be
  ignored. All code enabling the use of lookaside validation has been
  removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7`

- The ``cleaning-interval`` option has been removed. :gl:`!1731`