From a0829e49422abda9a22aa76b23d819dab34c91ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:07:44 +0200 Subject: [PATCH] Generate release notes --- doc/notes/notes-9.20.2.rst | 87 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 doc/notes/notes-9.20.2.rst diff --git a/doc/notes/notes-9.20.2.rst b/doc/notes/notes-9.20.2.rst new file mode 100644 index 0000000000..7c8df734e3 --- /dev/null +++ b/doc/notes/notes-9.20.2.rst 
@@ -0,0 +1,87 @@ +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Support for Offline KSK implemented. + + Add a new configuration option `offline-ksk` to enable Offline KSK key + management. Signed Key Response (SKR) files created with `dnssec-ksr` + (or other program) can now be imported into `named` with the new `rndc + skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY + records and generating signatures covering these types, these records + are loaded from the currently active bundle from the imported SKR. + + The implementation is loosely based on: + https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- + keymgmt-01.txt :gl:`#1128` + +- Print the full path of the working directory in startup log messages. + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + +- Support restricted key tag range when generating new keys. + + It is useful when multiple signers are being used to sign a zone to + able to specify a restricted range of range of key tags that will be + used by an operator to sign the zone. This adds controls to named + (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr + (dnssec-policy) to specify such ranges. :gl:`#4830` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Exempt prefetches from the fetches-per-zone and fetches-per-server + quotas. + + Fetches generated automatically as a result of 'prefetch' are now + exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. + This should help in maintaining the cache from which query responses + can be given. :gl:`#4219` + +- Follow the number of CPU set by taskset/cpuset. + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). 
+ + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` + +Bug Fixes +~~~~~~~~~ + +- Delay release of root privileges until after configuring controls. + + Delay relinquishing root privileges until the control channel has been + configured, for the benefit of systems that require root to use + privileged port numbers. This mostly affects systems without fine- + grained privilege systems (i.e., other than Linux). :gl:`#4793` + +- Fix rare assertion failure when shutting down incoming transfer. + + A very rare assertion failure can be triggered when the incoming + transfer is either forcefully shut down or it is finished during + printing the details about the statistics channel. This has been + fixed. :gl:`#4860` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` + +- Fix an assertion failure in validate_dnskey_dsset_done() + + Under rare circumstances, named could terminate unexpectedly when + validating a DNSKEY resource record if the validation was canceled in + the meantime. This has been fixed. :gl:`#4911` + +
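Review bot: The Offline KSK entry under "New Features" wraps its reference URL in the middle of the file name ("draft-icann-dnssec-" ends one line and "keymgmt-01.txt" starts the next), so the rendered link will end at the hyphen and not resolve to the draft; keep the URL on a single line even if it exceeds the wrap width. The same automatic wrapping splits "fine-" / "grained" in the "Delay release of root privileges" entry, which will render as "fine- grained". Wording in the same hunk needs a pass: "Fix algoritm rollover bug" should read "algorithm"; the key tag entry has "to able to specify a restricted range of range of key tags" (missing "be", duplicated "range of"); and "Follow the number of CPU set by taskset/cpuset" together with "the `named` will now follow to automatically use the given number of CPUs" would read better as something like "named now automatically uses the number of CPUs allowed by taskset/cpuset rather than the system-wide count". Literals are marked inconsistently, with single backticks in some entries (`offline-ksk`, `rndc skr -import`) and single quotes in others ('directory', 'prefetch'); in reStructuredText single backticks are interpreted text rather than an inline literal, so double backticks throughout would be safer unless the docs configuration sets a default role for this. The "(-dev)" heading at the top of the new file also looks like a generator placeholder and should be checked against the 9.20.2 file name before release.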