56 | | Documentation was converted from DocBook to reStructuredText. The BIND 9 ARM is now generated using Sphinx and published on Read the Docs. Release notes are no longer available as a separate document accompanying a release. [GL #83] |
57 | | named and named-checkzone now reject master zones that have a DS RRset at the zone apex. Attempts to add DS records at the zone apex via UPDATE will be logged but otherwise ignored. DS records belong in the parent zone, not at the zone apex. [GL #1798] |
58 | | dig and other tools can now print the Extended DNS Error (EDE) option when it appears in a request or a response. [GL #1835] |
| 53 | Documentation was converted from DocBook to reStructuredText. The BIND 9 ARM is now generated using Sphinx and published on Read the Docs. Release notes are no longer available as a separate document accompanying a release. |
| 54 | |
| 55 | named and named-checkzone now reject master zones that have a DS RRset at the |
| 56 | zone apex. Attempts to add DS records at the zone apex via UPDATE will be |
| 57 | logged but otherwise ignored. DS records belong in the parent zone, not |
| 58 | at the zone apex. |
| 59 | |
| 60 | dig and other tools can now print the Extended DNS Error (EDE) |
| 61 | option when it appears in a request or a response. |
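Review bot: The three replaced paragraphs lose their issue references ([GL #83], [GL #1798], [GL #1835]) in new lines 53-61, so a reader can no longer trace the DS-at-apex rejection or the EDE printing change back to its issue. Keep the bracketed reference at the end of each paragraph. New line 53 is also left as one long line while lines 55-61 are hard-wrapped; wrap it the same way or leave all paragraphs unwrapped.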
62 | | The default value of max-stale-ttl has changed from 1 week to 12 hours. This option controls how long named retains expired RRsets in cache as a potential mitigation mechanism, should there be a problem with one or more domains. Note that cache content retention is independent of whether stale answers are used in response to client queries (stale-answer-enable yes|no and rndc serve-stale on|off). Serving of stale answers when the authoritative servers are not responding must be explicitly enabled, whereas the retention of expired cache content takes place automatically on all versions of BIND 9 that have this feature available. [GL #1877] |
| 65 | The default value of max-stale-ttl has changed from 1 week to 12 hours. |
| 66 | This option controls how long named retains expired RRsets in cache as a |
| 67 | potential mitigation mechanism, should there be a problem with one or more |
| 68 | domains. Note that cache content retention is independent of whether stale |
| 69 | answers are used in response to client queries (stale-answer-enable yes|no and |
| 70 | rndc serve-stale on|off). Serving of stale answers when the authoritative |
| 71 | servers are not responding must be explicitly enabled, whereas the retention |
| 72 | of expired cache content takes place automatically on all versions of BIND 9 |
| 73 | that have this feature available. |
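Review bot: On new lines 69-70 the option and command syntax (stale-answer-enable yes|no and rndc serve-stale on|off) is bare prose that now straddles a line wrap. Since the paragraph is being re-flowed anyway, keep each of the two on a single line and mark them as literal text so the pipe characters are not read as markup and the names are easy to copy. The [GL #1877] reference from old line 62 is dropped as well; it is worth keeping on a change of default from 1 week to 12 hours.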
72 | | When fully updating the NSEC3 chain for a large zone via IXFR, a temporary loss of performance could be experienced on the secondary server when answering queries for nonexistent data that required DNSSEC proof of non-existence (in other words, queries that required the server to find and to return NSEC3 data). The unnecessary processing step that was causing this delay has now been removed. [GL #1834] |
73 | | named could crash with an assertion failure if the name of a database node was looked up while the database was being modified. [GL #1857] |
74 | | A possible deadlock in lib/isc/unix/socket.c was fixed. [GL #1859] |
75 | | Previously, named did not destroy some mutexes and conditional variables in netmgr code, which caused a memory leak on FreeBSD. This has been fixed. [GL #1893] |
76 | | A data race in lib/dns/resolver.c:log_formerr() that could lead to an assertion failure was fixed. [GL #1808] |
77 | | Previously, provide-ixfr no; failed to return up-to-date responses when the serial number was greater than or equal to the current serial number. [GL #1714] |
78 | | A bug in dnssec-policy keymgr was fixed, where the check for the existence of a given key’s successor would incorrectly return true if any other key in the keyring had a successor. [GL #1845] |
79 | | With dnssec-policy, when creating a successor key, the “goal” state of the current active key (the predecessor) was not changed and thus never removed from the zone. [GL #1846] |
80 | | named-checkconf -p could include spurious text in server-addresses statements due to an uninitialized DSCP value. This has been fixed. [GL #1812] |
81 | | The ARM has been updated to indicate that the TSIG session key is generated when named starts, regardless of whether it is needed. [GL #1842] |
82 | | }}} |
| 89 | When fully updating the NSEC3 chain for a large zone via IXFR, a temporary |
| 90 | loss of performance could be experienced on the secondary server when |
| 91 | answering queries for nonexistent data that required DNSSEC proof of non- |
| 92 | existence (in other words, queries that required the server to find and to |
| 93 | return NSEC3 data). The unnecessary processing step that was causing this |
| 94 | delay has now been removed. |
| 95 | |
| 96 | named could crash with an assertion failure if the name of a |
| 97 | database node was looked up while the database was being modified. |
| 98 | |
| 99 | A possible deadlock in lib/isc/unix/socket.c was fixed. |
| 100 | |
| 101 | Previously, named did not destroy some mutexes and conditional variables in |
| 102 | netmgr code, which caused a memory leak on FreeBSD. This has been fixed. |
| 103 | |
| 104 | A data race in lib/dns/resolver.c:log_formerr() that could lead to an |
| 105 | assertion failure was fixed. |
| 106 | |
| 107 | Previously, provide-ixfr no; failed to return up-to-date responses when the serial |
| 108 | number was greater than or equal to the current serial number. |
| 109 | |
| 110 | A bug in dnssec-policy keymgr was fixed, where the check for the existence of a |
| 111 | given key’s successor would incorrectly return true if any other key in the |
| 112 | keyring had a successor. |
| 113 | |
| 114 | With dnssec-policy, when creating a successor key, the “goal” state of the |
| 115 | current active key (the predecessor) was not changed and thus never removed |
| 116 | from the zone. |
| 117 | |
| 118 | named-checkconf -p could include spurious text in server-addresses |
| 119 | statements due to an uninitialized DSCP value. This has been fixed. |
| 120 | |
| 121 | The ARM has been updated to indicate that the TSIG session key is generated |
| 122 | when named starts, regardless of whether it is needed. |
| 123 | |
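Review bot: The re-wrapped NSEC3 paragraph splits "non-existence" across new lines 91-92 ("DNSSEC proof of non-" followed by "existence (in other words, ..."), which reads as "non- existence" once the lines are joined for display; move the whole word onto line 92. This hunk also removes the closing }}} from old line 82 with only a blank line (new 123) in its place, and the matching opening delimiter is not visible here, so confirm it is removed in the same change. The [GL #...] references on old lines 72-81 are dropped from every bug-fix entry; keep them so each fix stays traceable.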