upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'v9_17_0-release' into 'master'

Browse source 
Apply 9.17.0 release branch

See merge request isc-projects/bind9!3262
This commit is contained in:
Matthijs Mekking 2020-03-20 10:22:12 +00:00
commit 5efc35f517
15 changed files with 3508 additions and 2158 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitattributes vendored
View file

@ -7,4 +7,5 @@
/doc/dev export-ignore
/util/** export-ignore
/util/bindkeys.pl -export-ignore
/util/check-make-install.in -export-ignore
/util/mksymtbl.pl -export-ignore

14
CHANGES
View file

@ -8,20 +8,21 @@
5367. [placeholder]
--- 9.17.0 released ---
5366. [bug] Fix a race condition with the keymgr when the same
zone plus dnssec-policy is configured in multiple
views. [GL #1653]
5365. [bug] Algorithm rollover was stuck on submitting DS
because keymgr thought it would move to an invalid
state. Fixed by when checking the current key,
check it against the desired state, not the existing
state. [GL #1626]
state. Fixed by checking the current key against
the desired state, not the existing state. [GL #1626]
5364. [bug] Algorithm rollover waited too long before introducing
zone signatures. It waited to make sure all signatures
were resigned, but when introducing a new algorithm,
all signatures are resigned immediately. Only
were regenerated, but when introducing a new algorithm,
all signatures are regenerated immediately. Only
add the sign delay if there is a predecessor key.
[GL #1625]
@ -53,7 +54,8 @@
5357. [bug] Newly added RRSIG records with expiry times before
the previous earliest expiry times might not be
re-signed in time. The was a side effect of 5315.
re-signed in time. This was a side effect of 5315.
[GL !3137]
5356. [func] Update dnssec-policy configuration statements:
- Rename "zone-max-ttl" dnssec-policy option to

9
README
View file

@ -112,7 +112,12 @@ format-patch.
BIND 9.17 features
BIND 9.17 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.16 and earlier releases.
of changes from BIND 9.16 and earlier releases. New features include:
* New option "max-ixfr-ratio" to limit the size of outgoing IXFR
responses before falling back to full zone transfers.
* "rndc nta -d" and "rndc secroots" now include "validate-except"
entries when listing negative trust anchors.
Building BIND
@ -227,7 +232,7 @@ github.com/farsightsec/fstrm and libprotobuf-c https://
developers.google.com/protocol-buffers, and BIND must be configured with
--enable-dnstap.
Certain compiled-in constants and default settings can be increased to
Certain compiled-in constants and default settings can be decreased to
values better suited to small machines, e.g. OpenWRT boxes, by specifying
--with-tuning=small on the configure command line. This will decrease
memory usage by using smaller structures, but will degrade performance.

9
README.md
View file

@ -128,7 +128,12 @@ including your patch as an attachment, preferably generated by
### <a name="features"/> BIND 9.17 features
BIND 9.17 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.16 and earlier releases.
number of changes from BIND 9.16 and earlier releases. New features include:
* New option "max-ixfr-ratio" to limit the size of outgoing IXFR responses
before falling back to full zone transfers.
* "rndc nta -d" and "rndc secroots" now include "validate-except" entries
when listing negative trust anchors.
### <a name="build"/> Building BIND
@ -244,7 +249,7 @@ and `libprotobuf-c`
[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
and BIND must be configured with `--enable-dnstap`.
Certain compiled-in constants and default settings can be increased to
Certain compiled-in constants and default settings can be decreased to
values better suited to small machines, e.g. OpenWRT boxes, by specifying
`--with-tuning=small` on the `configure` command line. This will decrease
memory usage by using smaller structures, but will degrade performance.

193
doc/arm/Bv9ARM.ch01.html
View file

@ -10,7 +10,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 1. Introduction</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
@ -50,7 +50,8 @@
</dl></dd>
</dl>
</div>
<p>
<p>
The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
consists of the syntax
to specify the names of entities in the Internet in a hierarchical
@ -60,10 +61,12 @@
group of distributed
hierarchical databases.
</p>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="doc_scope"></a>Scope of Document</h2></div></div></div>
<p>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
domain name server for a number of operating systems. This
@ -72,12 +75,14 @@
<acronym class="acronym">BIND</acronym> version 9 software package for
system administrators.
</p>
<p>This version of the manual corresponds to BIND version 9.17.</p>
</div>
<div class="section">
<p>This version of the manual corresponds to BIND version 9.17.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="organization"></a>Organization of This Document</h2></div></div></div>
<p>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
@ -100,15 +105,18 @@
and the Domain Name
System.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="conventions"></a>Conventions Used in This Document</h2></div></div></div>
<p>
<p>
In this document, we use the following general typographic
conventions:
</p>
<div class="informaltable"><table class="informaltable" border="1">
<div class="informaltable">
<table border="1">
<colgroup>
<col width="3.000in" class="1">
<col width="2.625in" class="2">
@ -165,11 +173,14 @@
</td>
</tr>
</tbody>
</table></div>
<p>
</table>
</div>
<p>
The following conventions are used in descriptions of the
<acronym class="acronym">BIND</acronym> configuration file:</p>
<div class="informaltable"><table class="informaltable" border="1">
<div class="informaltable">
<table border="1">
<colgroup>
<col width="3.000in" class="1">
<col width="2.625in" class="2">
@ -224,31 +235,36 @@
</td>
</tr>
</tbody>
</table></div>
</table>
</div>
<p>
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dns_overview"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
Name Domain) software package, and we
begin by reviewing the fundamentals of the Domain Name System
(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
</p>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dns_fundamentals"></a>DNS Fundamentals</h3></div></div></div>
<p>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
IP
addresses and vice versa, mail routing information, and other data
used by Internet applications.
</p>
<p>
<p>
Clients look up information in the DNS by calling a
<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
@ -256,11 +272,13 @@
contains a name server, <span class="command"><strong>named</strong></span>, and a set
of associated tools.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="domain_names"></a>Domains and Domain Names</h3></div></div></div>
<p>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
@ -271,7 +289,8 @@
separated by dots. A label need only be unique within its parent
domain.
</p>
<p>
<p>
For example, a domain name for a host at the
company <span class="emphasis"><em>Example, Inc.</em></span> could be
<code class="literal">ourhost.example.com</code>,
@ -283,7 +302,8 @@
<code class="literal">ourhost</code> is the
name of the host.
</p>
<p>
<p>
For administrative purposes, the name space is partitioned into
areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
extending down to the leaf nodes or to nodes where other zones
@ -291,27 +311,32 @@
The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
<span class="emphasis"><em>DNS protocol</em></span>.
</p>
<p>
<p>
The data associated with each domain name is stored in the
form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
Some of the supported resource record types are described in
<a class="xref" href="Bv9ARM.ch05.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
</p>
<p>
<p>
For more detailed information about the design of the DNS and
the DNS protocol, please refer to the standards documents listed in
<a class="xref" href="Bv9ARM.ch10.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="zones"></a>Zones</h3></div></div></div>
<p>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
and a <span class="emphasis"><em>domain</em></span>.
</p>
<p>
<p>
As stated previously, a zone is a point of delegation in
the <acronym class="acronym">DNS</acronym> tree. A zone consists of
those contiguous parts of the domain
@ -323,7 +348,8 @@
parent zone, which should be matched by equivalent NS records at
the root of the delegated zone.
</p>
<p>
<p>
For instance, consider the <code class="literal">example.com</code>
domain which includes names
such as <code class="literal">host.aaa.example.com</code> and
@ -345,7 +371,8 @@
gain a complete understanding of this difficult and subtle
topic.
</p>
<p>
<p>
Though <acronym class="acronym">BIND</acronym> is called a "domain name
server",
it deals primarily in terms of zones. The master and slave
@ -355,11 +382,13 @@
be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
actually asking for slave service for some collection of zones.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="auth_servers"></a>Authoritative Name Servers</h3></div></div></div>
<p>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
which contains the complete data for the zone.
@ -367,16 +396,19 @@
most zones have two or more authoritative servers, on
different networks.
</p>
<p>
<p>
Responses from authoritative servers have the "authoritative
answer" (AA) bit set in the response packets. This makes them
easy to identify when debugging DNS configurations using tools like
<span class="command"><strong>dig</strong></span> (<a class="xref" href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
</p>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="primary_master"></a>The Primary Master</h4></div></div></div>
<p>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
<span class="emphasis"><em>primary master</em></span> server, or simply the
@ -387,16 +419,19 @@
<span class="emphasis"><em>zone file</em></span> or
<span class="emphasis"><em>master file</em></span>.
</p>
<p>
<p>
In some cases, however, the master file may not be edited
by humans at all, but may instead be the result of
<span class="emphasis"><em>dynamic update</em></span> operations.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="slave_server"></a>Slave Servers</h4></div></div></div>
<p>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
load the zone contents from another server using a replication
@ -406,7 +441,7 @@
slave. In other words, a slave server may itself act as a
master to a subordinate slave server.
</p>
<p>
<p>
Periodically, the slave server must send a refresh query to
determine whether the zone contents have been updated. This
is done by sending a query for the zone's SOA record and
@ -419,17 +454,19 @@
<span class="command"><strong>max-retry-time</strong></span>, and
<span class="command"><strong>min-retry-time</strong></span> options.
</p>
<p>
<p>
If the zone data cannot be updated within the time specified
by the SOA EXPIRE option (up to a hard-coded maximum of
24 weeks) then the slave zone expires and will no longer
respond to queries.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="stealth_server"></a>Stealth Servers</h4></div></div></div>
<p>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
@ -440,7 +477,8 @@
list servers in the parent's delegation that are not present at
the zone's top level.
</p>
<p>
<p>
A <span class="emphasis"><em>stealth server</em></span> is a server that is
authoritative for a zone but is not listed in that zone's NS
records. Stealth servers can be used for keeping a local copy of
@ -451,7 +489,8 @@
are
inaccessible.
</p>
<p>
<p>
A configuration where the primary master server itself is a
stealth server is often referred to as a "hidden primary"
configuration. One use for this configuration is when the primary
@ -459,12 +498,17 @@
is behind a firewall and therefore unable to communicate directly
with the outside world.
</p>
</div>
</div>
<div class="section">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="cache_servers"></a>Caching Name Servers</h3></div></div></div>
<p>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
capable of
@ -476,22 +520,26 @@
is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
<span class="emphasis"><em>recursive lookups</em></span> for local clients.
</p>
<p>
<p>
To improve performance, recursive servers cache the results of
the lookups they perform. Since the processes of recursion and
caching are intimately connected, the terms
<span class="emphasis"><em>recursive server</em></span> and
<span class="emphasis"><em>caching server</em></span> are often used synonymously.
</p>
<p>
<p>
The length of time for which a record may be retained in
the cache of a caching name server is controlled by the
Time To Live (TTL) field associated with each resource record.
</p>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="forwarder"></a>Forwarding</h4></div></div></div>
<p>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
<span class="emphasis"><em>forward</em></span> some or all of the queries
@ -499,7 +547,8 @@
server,
commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
</p>
<p>
<p>
There may be one or more forwarders,
and they are queried in turn until the list is exhausted or an
answer
@ -513,18 +562,22 @@
that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
on the internal server's behalf.
</p>
</div>
</div>
<div class="section">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="multi_role"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
a master for some zones, a slave for other zones, and as a caching
(recursive) server for a set of local clients.
</p>
<p>
<p>
However, since the functions of authoritative name service
and caching/recursive name service are logically separate, it is
often advantageous to run them on separate server machines.
@ -539,9 +592,11 @@
does not need to be reachable from the Internet at large and can
be placed inside a firewall.
</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">

1144
doc/arm/Bv9ARM.ch04.html
View file

File diff suppressed because it is too large Load diff

3973
doc/arm/Bv9ARM.ch05.html
View file

File diff suppressed because it is too large Load diff

180
doc/arm/Bv9ARM.ch08.html
View file

@ -10,7 +10,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix A. Release Notes</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. Troubleshooting">
@ -48,34 +48,35 @@
</dl></dd>
</dl>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.17.0</h2></div></div></div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
<p>
BIND 9.17 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
leading up to the stable BIND 9.18 release, this document will be
updated with additional features added and bugs fixed.
</p>
<p>
<p>
Please see the file <code class="filename">CHANGES</code> for a more
detailed list of changes and bug fixes.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
<p>
<p>
To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
IPv6 (RFC 3542), and standard atomic operations provided by the
C compiler.
</p>
<p>
<p>
The <code class="filename">libuv</code> asynchronous I/O library and the
OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead of OpenSSL for
@ -83,7 +84,7 @@
but OpenSSL is still required for general cryptography operations
such as hashing and random number generation.
</p>
<p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
file that is included in the source distribution of BIND 9. If your
compiler and system libraries provide the above features, BIND 9
@ -92,10 +93,10 @@
for systems that are still supported by their respective vendors.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
<p>
The latest versions of BIND 9 software can always be found at
<a class="link" href="https://www.isc.org/download/" target="_top">https://www.isc.org/download/</a>.
There you will find additional information about each release,
@ -103,72 +104,105 @@
operating systems.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
<p>
System-provided pthread rwlocks implementation is used by default instead of
built-in ISC implementation of rwlocks. Please be aware that unpatched glibc
version from 2.26 had a <a class="link" href="https://sourceware.org/bugzilla/show_bug.cgi?id=23844" target="_top">bug</a>
that could cause BIND 9 to deadlock. The fix has been released as part of
glibc release 2.30, and various Linux distributions have patched their glibc
version with a notable exception of Ubuntu 18.04 (Bionic) which is work in
progress. If you are running on affected system (e.g. Ubuntu 18.04) you need
to compile BIND 9 with --disable-pthread-rwlock until Canonical releases
<a class="link" href="https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1864864" target="_top">fixed
version</a>.
</p>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
The <span class="command"><strong>rndc nta -dump</strong></span> and
<span class="command"><strong>rndc secroots</strong></span> commands now both include
<span class="command"><strong>validate-except</strong></span> entries when listing negative
trust anchors. These are indicated by the keyword
<code class="literal">permanent</code> in place of the expiry
date. [GL #1532]
</p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Fixed re-signing issues with inline zones which resulted in
records being re-signed late or not at all.
</p></li></ul></div>
</div>
<div class="section">
<a name="relnotes-9.17.0-known"></a>Known Issues</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
UDP network ports used for listening can no longer simultaneously be
used for sending traffic. An example configuration which triggers
this issue would be one which uses the same
<em class="replaceable"><code>address:port</code></em> pair for
<span class="command"><strong>listen-on(-v6)</strong></span> statements as for
<span class="command"><strong>notify-source(-v6)</strong></span> or
<span class="command"><strong>transfer-source(-v6)</strong></span>. While this issue affects all
operating systems, it only triggers log messages (e.g. "unable to
create dispatch for reserved port") on some of them. There are
currently no plans to make such a combination of settings work again.
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When a secondary server receives a large incremental zone
transfer (IXFR), it can have a negative impact on query
performance while the incremental changes are applied to
the zone. To address this, <span class="command"><strong>named</strong></span> can now
limit the size of IXFR responses it sends in response to zone
transfer requests. If an IXFR response would be larger than an
AXFR of the entire zone, it will send an AXFR resonse instead.
</p>
<p>
This behavior is controlled by the <span class="command"><strong>max-ixfr-ratio</strong></span>
option - a percentage value representing the ratio of IXFR size
to the size of a full zone transfer. This value cannot exceed
100%, which is also the default. [GL #1515]
</p>
</li></ul></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When a secondary server receives a large incremental zone
transfer (IXFR), it can have a negative impact on query
performance while the incremental changes are applied to
the zone. To address this, <span class="command"><strong>named</strong></span> can now
limit the size of IXFR responses it sends in response to zone
transfer requests. If an IXFR response would be larger than an
AXFR of the entire zone, it will send an AXFR response instead.
</p>
<p>
This behavior is controlled by the <span class="command"><strong>max-ixfr-ratio</strong></span>
option - a percentage value representing the ratio of IXFR size
to the size of a full zone transfer. The default is
<code class="literal">100%</code>. [GL #1515]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The system-provided POSIX Threads read-write lock implementation is
now used by default instead of the native BIND 9 implementation.
Please be aware that glibc versions 2.26 through 2.29 had a
<a class="link" href="https://sourceware.org/bugzilla/show_bug.cgi?id=23844" target="_top">bug</a>
that could cause BIND 9 to deadlock. A fix was released in glibc 2.30,
and most current Linux distributions have patched or updated glibc,
with the notable exception of Ubuntu 18.04 (Bionic) which is a work in
progress. If you are running on an affected operating system, compile
BIND 9 with <span class="command"><strong>--disable-pthread-rwlock</strong></span> until a fixed
version of glibc is available. [GL !3125]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>rndc nta -dump</strong></span> and
<span class="command"><strong>rndc secroots</strong></span> commands now both include
<span class="command"><strong>validate-except</strong></span> entries when listing negative
trust anchors. These are indicated by the keyword
<code class="literal">permanent</code> in place of the expiry
date. [GL #1532]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Fixed re-signing issues with inline zones which resulted in
records being re-signed late or not at all.
</p>
</li></ul></div>
</div>
</div>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
<p>
BIND 9 is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
<p>
<p>
The license requires that if you make changes to BIND and distribute
them outside your organization, those changes must be published under
the same license. It does not require that you publish or disclose
@ -177,41 +211,41 @@
modifications, without redistributing it, nor anyone redistributing
BIND without changes.
</p>
<p>
<p>
Those wishing to discuss license compliance may contact ISC at
<a class="link" href="https://www.isc.org/contact/" target="_top">
https://www.isc.org/contact/</a>.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
<p>
BIND 9.17 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.18, which will be a
stable branch.
</p>
<p>
<p>
The end of life date for BIND 9.18 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021.
</p>
<p>
<p>
See
<a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
for details of ISC's software support policy.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
<p>
Thank you to everyone who assisted us in making this release possible.
</p>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">

BIN
doc/arm/Bv9ARM.pdf
View file

Binary file not shown.

2
doc/arm/notes-9.17.0.xml
View file

@ -40,7 +40,7 @@
the zone. To address this, <command>named</command> can now
limit the size of IXFR responses it sends in response to zone
transfer requests. If an IXFR response would be larger than an
AXFR of the entire zone, it will send an AXFR resonse instead.
AXFR of the entire zone, it will send an AXFR response instead.
</para>
<para>
This behavior is controlled by the <command>max-ixfr-ratio</command>

83
doc/arm/notes.html
View file

@ -74,6 +74,89 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-known"></a>Known Issues</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
UDP network ports used for listening can no longer simultaneously be
used for sending traffic. An example configuration which triggers
this issue would be one which uses the same
<em class="replaceable"><code>address:port</code></em> pair for
<span class="command"><strong>listen-on(-v6)</strong></span> statements as for
<span class="command"><strong>notify-source(-v6)</strong></span> or
<span class="command"><strong>transfer-source(-v6)</strong></span>. While this issue affects all
operating systems, it only triggers log messages (e.g. "unable to
create dispatch for reserved port") on some of them. There are
currently no plans to make such a combination of settings work again.
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When a secondary server receives a large incremental zone
transfer (IXFR), it can have a negative impact on query
performance while the incremental changes are applied to
the zone. To address this, <span class="command"><strong>named</strong></span> can now
limit the size of IXFR responses it sends in response to zone
transfer requests. If an IXFR response would be larger than an
AXFR of the entire zone, it will send an AXFR response instead.
</p>
<p>
This behavior is controlled by the <span class="command"><strong>max-ixfr-ratio</strong></span>
option - a percentage value representing the ratio of IXFR size
to the size of a full zone transfer. The default is
<code class="literal">100%</code>. [GL #1515]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The system-provided POSIX Threads read-write lock implementation is
now used by default instead of the native BIND 9 implementation.
Please be aware that glibc versions 2.26 through 2.29 had a
<a class="link" href="https://sourceware.org/bugzilla/show_bug.cgi?id=23844" target="_top">bug</a>
that could cause BIND 9 to deadlock. A fix was released in glibc 2.30,
and most current Linux distributions have patched or updated glibc,
with the notable exception of Ubuntu 18.04 (Bionic) which is a work in
progress. If you are running on an affected operating system, compile
BIND 9 with <span class="command"><strong>--disable-pthread-rwlock</strong></span> until a fixed
version of glibc is available. [GL !3125]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>rndc nta -dump</strong></span> and
<span class="command"><strong>rndc secroots</strong></span> commands now both include
<span class="command"><strong>validate-except</strong></span> entries when listing negative
trust anchors. These are indicated by the keyword
<code class="literal">permanent</code> in place of the expiry
date. [GL #1532]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.17.0-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Fixed re-signing issues with inline zones which resulted in
records being re-signed late or not at all.
</p>
</li></ul></div>
</div>
</div>
<div class="section">

BIN
doc/arm/notes.pdf
View file

Binary file not shown.

46
doc/arm/notes.txt
View file

@ -38,6 +38,52 @@ operating systems.
Notes for BIND 9.17.0
Known Issues
* UDP network ports used for listening can no longer simultaneously be
used for sending traffic. An example configuration which triggers this
issue would be one which uses the same address:port pair for listen-on
(-v6) statements as for notify-source(-v6) or transfer-source(-v6).
While this issue affects all operating systems, it only triggers log
messages (e.g. "unable to create dispatch for reserved port") on some
of them. There are currently no plans to make such a combination of
settings work again.
New Features
* When a secondary server receives a large incremental zone transfer
(IXFR), it can have a negative impact on query performance while the
incremental changes are applied to the zone. To address this, named
can now limit the size of IXFR responses it sends in response to zone
transfer requests. If an IXFR response would be larger than an AXFR of
the entire zone, it will send an AXFR response instead.
This behavior is controlled by the max-ixfr-ratio option - a
percentage value representing the ratio of IXFR size to the size of a
full zone transfer. The default is 100%. [GL #1515]
Feature Changes
* The system-provided POSIX Threads read-write lock implementation is
now used by default instead of the native BIND 9 implementation.
Please be aware that glibc versions 2.26 through 2.29 had a bug that
could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and
most current Linux distributions have patched or updated glibc, with
the notable exception of Ubuntu 18.04 (Bionic) which is a work in
progress. If you are running on an affected operating system, compile
BIND 9 with --disable-pthread-rwlock until a fixed version of glibc is
available. [GL !3125]
* The rndc nta -dump and rndc secroots commands now both include
validate-except entries when listing negative trust anchors. These are
indicated by the keyword permanent in place of the expiry date. [GL
#1532]
Bug Fixes
* Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all.
License
BIND 9 is open source software licensed under the terms of the Mozilla

6
doc/misc/options
View file

@ -206,7 +206,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <duration>; // not configured
geoip-directory ( <quoted_string> | none );
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
@ -227,7 +227,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
@ -582,7 +582,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <duration>;
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key

6
doc/misc/options.active
View file

@ -188,7 +188,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <duration>; // not configured
geoip-directory ( <quoted_string> | none );
geoip-directory ( <quoted_string> | none ); // not configured
glue-cache <boolean>;
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
@ -205,7 +205,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
managed-keys-directory <quoted_string>;
masterfile-format ( map | raw | text );
@ -523,7 +523,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <duration>;
lmdb-mapsize <sizeval>;
lmdb-mapsize <sizeval>; // non-operational
managed-keys { <string> (
static-key | initial-key
| static-ds | initial-ds