.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.0
---------------------

.. note::
   This section only lists changes from BIND 9.14 (the previous
   stable branch of BIND).

New Features
~~~~~~~~~~~~

- A new asynchronous network communications system based on ``libuv``
  is now used by ``named`` for listening for incoming requests and
  responding to them. This change will make it easier to improve
  performance and implement new protocol layers (for example, DNS over
  TLS) in the future. :gl:`#29`

- The new ``dnssec-policy`` option allows the configuration of a key
  and signing policy (KASP) for zones. This option enables ``named`` to
  generate new keys as needed and automatically roll both ZSK and KSK
  keys. (Note that the syntax for this statement differs from the
  DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134`

- In order to clarify the configuration of DNSSEC keys, the
  ``trusted-keys`` and ``managed-keys`` statements have been
  deprecated, and the new ``trust-anchors`` statement should now be
  used for both types of key.

  When used with the keyword ``initial-key``, ``trust-anchors`` has the
  same behavior as ``managed-keys``, i.e., it configures a trust anchor
  that is to be maintained via :rfc:`5011`.

  When used with the new keyword ``static-key``, ``trust-anchors`` has
  the same behavior as ``trusted-keys``, i.e., it configures a
  permanent trust anchor that will not automatically be updated. (This
  usage is not recommended for the root key.) :gl:`#6`

- Two new keywords have been added to the ``trust-anchors`` statement:
  ``initial-ds`` and ``static-ds``. These allow the use of trust
  anchors in DS format instead of DNSKEY format. DS format allows trust
  anchors to be configured for keys that have not yet been published;
  this is the format used by IANA when announcing future root keys.

  As with the ``initial-key`` and ``static-key`` keywords,
  ``initial-ds`` configures a dynamic trust anchor to be maintained via
  :rfc:`5011`, and ``static-ds`` configures a permanent trust anchor.
  :gl:`#6` :gl:`#622`

- ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to
  print output in a detailed YAML format. :gl:`#1145`

- ``dig`` now has a new command line option: ``+[no]unexpected``. By
  default, ``dig`` won't accept a reply from a source other than the
  one to which it sent the query. Add the ``+unexpected`` argument to
  enable it to process replies from unexpected sources. [RT #44978]

- ``dig`` now accepts a new command line option, ``+[no]expandaaaa``,
  which causes the IPv6 addresses in AAAA records to be printed in full
  128-bit notation rather than the default :rfc:`5952` format.
  :gl:`#765`

- Statistics channel groups can now be toggled. :gl:`#1030`

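As an added illustration (not part of these notes and not BIND's own code), the following derives the DS form of a trust anchor from a DNSKEY, which is what the ``static-ds`` and ``initial-ds`` keywords take: key tag, algorithm, digest type and the SHA-256 digest, as ``dnssec-dsfromkey`` computes it. The key material is a constructed placeholder, and the ``static-ds`` argument order is assumed from BIND's documented ``trust-anchors`` grammar.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels (RFC 4034 section 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags, protocol, algorithm, then the raw public key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses another rule, not handled here)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """SHA-256 (digest type 2) DS for a DNSKEY, the form dnssec-dsfromkey emits by default.
    The digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}


def matches_published_ds(ds: dict, published: str) -> bool:
    """Check a derived DS against a published "keytag alg digesttype digest" string
    before trusting it as a static-ds/initial-ds anchor; digest hex is case-insensitive."""
    tag, alg, dtype, digest = published.split()
    return (ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"]) == (
        int(tag), int(alg), int(dtype), digest.upper())


def format_trust_anchor(ds: dict) -> str:
    """Render the DS as a trust-anchors entry using the static-ds keyword
    (argument order assumed from BIND's documented grammar)."""
    return (f'{ds["owner"]} static-ds {ds["key_tag"]} {ds["algorithm"]} '
            f'{ds["digest_type"]} "{ds["digest"]}";')


# Constructed demo key (not a real key): KSK flags 257, protocol 3, algorithm 8
# (RSASHA256), two-byte placeholder public key 0x01 0x02 (base64 "AQI=").
DEMO = ds_from_dnskey("example.", 257, 3, 8, "AQI=")
```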

Feature Changes
~~~~~~~~~~~~~~~

- When static and managed DNSSEC keys were both configured for the same
  name, or when a static key was used to configure a trust anchor for
  the root zone and ``dnssec-validation`` was set to the default value
  of ``auto``, automatic :rfc:`5011` key rollovers would be disabled.
  This combination of settings was never intended to work, but there
  was no check for it in the parser. This has been corrected, and it is
  now a fatal configuration error. :gl:`#868`

- DS and CDS records are now generated with SHA-256 digests only,
  instead of both SHA-1 and SHA-256. This affects the default output of
  ``dnssec-dsfromkey``, the ``dsset`` files generated by
  ``dnssec-signzone``, the DS records added to a zone by
  ``dnssec-signzone`` based on ``keyset`` files, the CDS records added
  to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing
  parameters in key files, and the checks performed by
  ``dnssec-checkds``. :gl:`#1015`

- ``named`` will now log a warning if a static key is configured for
  the root zone. :gl:`#6`

- A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added
  and made default. Old non-default HMAC-SHA based DNS Cookie
  algorithms have been removed, and only the previously default AES
  algorithm is kept for legacy reasons. This change has no operational
  impact in most common scenarios. :gl:`#605`

  If you are running multiple DNS servers (different versions of BIND 9
  or DNS servers from multiple vendors) responding from the same IP
  address (anycast or load-balancing scenarios), make sure that all the
  servers are configured with the same DNS Cookie algorithm and the same
  Server Secret for the best performance.

- The informational output of the ``dnssec-signzone`` and
  ``dnssec-verify`` commands is now printed to standard output. Standard
  error is used only for warnings and errors, and for the informational
  output when the user requests the signed zone itself on standard
  output with the ``-f -`` option. A new command-line option, ``-q``,
  has been added to silence all output on standard output except for
  the name of the signed zone. :gl:`#1151`

- The DNSSEC validation code has been refactored for clarity and to
  reduce code duplication. :gl:`#622`

- Compile-time settings enabled by the ``--with-tuning=large`` option
  for ``configure`` are now in effect by default. Previously used
  default compile-time settings can be enabled by passing
  ``--with-tuning=small`` to ``configure``. :gl:`!2989`

- JSON-C is now the only supported library for enabling JSON support
  for BIND statistics. The ``configure`` option has been renamed from
  ``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH``
  environment variable accordingly to specify a custom path to the
  ``json-c`` library, as the new ``configure`` option does not take the
  library installation path as an optional argument. :gl:`#855`

- ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or
  ``--localstatedir`` to ``/var`` when ``--prefix`` is not specified
  and the aforementioned options are not specified explicitly. Instead,
  Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
  respected. :gl:`#658`


Removed Features
~~~~~~~~~~~~~~~~

- The ``dnssec-enable`` option has been obsoleted and no longer has any
  effect. DNSSEC responses are always enabled if signatures and other
  DNSSEC data are present. :gl:`#866`

- DNSSEC Lookaside Validation (DLV) is now obsolete. The
  ``dnssec-lookaside`` option has been marked as deprecated; when used
  in ``named.conf``, it will generate a warning but will otherwise be
  ignored. All code enabling the use of lookaside validation has been
  removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7`

- The ``cleaning-interval`` option has been removed. :gl:`!1731`