.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.16
----------------------

Feature Changes
~~~~~~~~~~~~~~~

- DNSSEC responses containing NSEC3 records with iteration counts
  greater than 150 are now treated as insecure. :gl:`#2445`

- The maximum supported number of NSEC3 iterations that can be
  configured for a zone has been reduced to 150. :gl:`#2642`

- The default value of the ``max-ixfr-ratio`` option was changed to
  ``unlimited``, for better backwards compatibility in the stable
  release series. :gl:`#2671`

- Zones that want to transition from secure to insecure mode without
  becoming bogus in the process must now have their ``dnssec-policy``
  changed first to ``insecure``, rather than ``none``. After the DNSSEC
  records have been removed from the zone, the ``dnssec-policy`` can be
  set to ``none`` or removed from the configuration. Setting the
  ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
  records to be published. :gl:`#2645`

- The implementation of the ZONEMD RR type has been updated to match
  :rfc:`8976`. :gl:`#2658`

- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
  NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
  or the SOA TTL. :gl:`#2347`
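
One way to audit zone data against the 150-iteration ceiling from the two NSEC3 items above. This is an added example, not code from BIND or ISC; the function name and the sample records are constructed, and it assumes one record per line in presentation format.

```python
import re

MAX_ITERATIONS = 150  # ceiling stated in the BIND 9.16.16 notes

# Constructed sample in master-file presentation format (not real zone data).
SAMPLE_ZONE = """\
example.test.  3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 300
example.test.  0 IN NSEC3PARAM 1 0 10 AABBCCDD
legacy.test.   IN 0 NSEC3PARAM 1 0 500 -
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.legacy.test. 300 IN NSEC3 1 1 500 - 2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG
note.test.     300 IN TXT "a NSEC3PARAM 1 0 9999 -"
; old.test. 0 IN NSEC3PARAM 1 0 9999 -
edge.test.     0 IN NSEC3PARAM 1 0 150 -
"""

# Optional fields between owner and type: a TTL (e.g. 300 or 1h) or a class.
_TTL_OR_CLASS = re.compile(r"^(\d+[smhdw]?|IN|CH|HS)$", re.IGNORECASE)


def find_excessive_nsec3(zone_text, limit=MAX_ITERATIONS):
    """Return (line_no, owner, rrtype, iterations) for records above limit."""
    findings = []
    owner = None
    for line_no, raw in enumerate(zone_text.splitlines(), start=1):
        if raw.lstrip().startswith(";"):
            continue  # whole-line comment
        tokens = raw.split()
        if not tokens:
            continue
        # A line starting with whitespace inherits the previous owner name.
        if not raw[0].isspace():
            owner, tokens = tokens[0], tokens[1:]
        # Skip the optional TTL and class fields, in either order.
        while tokens and _TTL_OR_CLASS.match(tokens[0]):
            tokens = tokens[1:]
        if len(tokens) < 5 or tokens[0].upper() not in ("NSEC3", "NSEC3PARAM"):
            continue
        # RDATA (RFC 5155): hash algorithm, flags, iterations, salt, ...
        if not tokens[3].isdigit():
            continue
        iterations = int(tokens[3])
        if iterations > limit:
            findings.append((line_no, owner, tokens[0].upper(), iterations))
    return findings


if __name__ == "__main__":
    for line_no, owner, rrtype, count in find_excessive_nsec3(SAMPLE_ZONE):
        print(f"line {line_no}: {owner} {rrtype} iterations={count} > {MAX_ITERATIONS}")
```

A count of exactly 150 is not flagged, since the notes apply the change to counts greater than 150.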

Bug Fixes
~~~~~~~~~

- It was possible for corrupt journal files generated by an earlier
  version of ``named`` to cause problems after an upgrade. This has been
  fixed. :gl:`#2670`

- TTL values in cache dumps were reported incorrectly when
  ``stale-cache-enable`` was set to ``yes``. This has been fixed.
  :gl:`#389` :gl:`#2289`

- A deadlock could occur when multiple ``rndc addzone``, ``rndc
  delzone``, and/or ``rndc modzone`` commands were invoked
  simultaneously for different zones. This has been fixed. :gl:`#2626`

- ``named`` and ``named-checkconf`` did not report an error when
  multiple zones with the ``dnssec-policy`` option set were using the
  same zone file. This has been fixed. :gl:`#2603`

- If ``dnssec-policy`` was active and a private key file was temporarily
  offline during a rekey event, ``named`` could incorrectly introduce
  replacement keys and break a signed zone. This has been fixed.
  :gl:`#2596`

- When generating zone signing keys, KASP now also checks for key ID
  conflicts among newly created keys, rather than just between new and
  existing ones. :gl:`#2628`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.