blob: ab484a158b3055fa274d651e048372c11a29e2b7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.16.2
---------------------
Security Fixes
~~~~~~~~~~~~~~
- DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. :gl:`#1574`
Known Issues
~~~~~~~~~~~~
- We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated.
:gl:`#1685`
- See :ref:`above <relnotes_known_issues>` for a list of all known
issues affecting this BIND 9 branch.
Feature Changes
~~~~~~~~~~~~~~~
- The previous DNSSEC sign statistics used lots of memory. The number
of keys to track is reduced to four per zone, which should be enough
for 99% of all signed zones. :gl:`#1179`
Bug Fixes
~~~~~~~~~
- When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, ``named`` could become nonresponsive
for a short period while deleted names were removed from the RPZ
summary database. This database cleanup is now done incrementally
over a longer period of time, reducing such delays. :gl:`#1447`
- When trying to migrate an already-signed zone from
``auto-dnssec maintain`` to one based on ``dnssec-policy``, the
existing keys were immediately deleted and replaced with new ones. As
the key rollover timing constraints were not being followed, it was
possible that some clients would not have been able to validate
responses until all old DNSSEC information had timed out from caches.
BIND now looks at the time metadata of the existing keys and
incorporates it into its DNSSEC policy operation. :gl:`#1706`
|
