mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-22 23:01:43 -04:00
Tweak and reword release notes
This commit is contained in:
parent
000b63ad21
commit
a7d1c96b9d
1 changed files with 52 additions and 46 deletions
@ -17,83 +17,89 @@ New Features
- Support for Offline KSK implemented.

Add a new configuration option `offline-ksk` to enable Offline KSK key
management. Signed Key Response (SKR) files created with `dnssec-ksr`
(or other program) can now be imported into `named` with the new `rndc
skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY
records and generating signatures covering these types, these records
are loaded from the currently active bundle from the imported SKR.
Add a new configuration option :any:`offline-ksk` to enable Offline
KSK key management. Signed Key Response (SKR) files created with
:iscman:`dnssec-ksr` (or other programs) can now be imported into
:iscman:`named` with the new :option:`rndc skr -import <rndc skr>`
command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and
generating signatures covering these types, these records are loaded
from the currently active bundle from the imported SKR.

The implementation is loosely based on:
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-
keymgmt-01.txt :gl:`#1128`
The implementation is loosely based on
`draft-icann-dnssec-keymgmt-01.txt
<https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt>`_.
:gl:`#1128`

- Print the full path of the working directory in startup log messages.

named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined. :gl:`#4731`
:iscman:`named` now prints its initial working directory during
startup, and the changed working directory when loading or reloading
its configuration file, if it has a valid :any:`directory` option
defined. :gl:`#4731`

- Support restricted key tag range when generating new keys.
- Support a restricted key tag range when generating new keys.

When multiple signers are being used to sign a zone, it is useful to
be able to specify a restricted range of key tags to be used by an
operator to sign the zone. The range can be specified with
``tag-range`` in :any:`dnssec-policy`'s :ref:`keys
<dnssec-policy-keys>` (for :iscman:`named` and :iscman:`dnssec-ksr`)
and with the new options :option:`dnssec-keyfromlabel -M` and
:option:`dnssec-keygen -M`. :gl:`#4830`

It is useful when multiple signers are being used to sign a zone to
able to specify a restricted range of range of key tags that will be
used by an operator to sign the zone. This adds controls to named
(dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr
(dnssec-policy) to specify such ranges. :gl:`#4830`

Feature Changes
~~~~~~~~~~~~~~~

- Exempt prefetches from the fetches-per-zone and fetches-per-server
quotas.
- Exempt prefetches from the :any:`fetches-per-zone` and
:any:`fetches-per-server` quotas.

Fetches generated automatically as a result of 'prefetch' are now
exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas.
This should help in maintaining the cache from which query responses
can be given. :gl:`#4219`
Fetches generated automatically as a result of :any:`prefetch` are now
exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server`
quotas. This should help in maintaining the cache from which query
responses can be given. :gl:`#4219`

- Follow the number of CPU set by taskset/cpuset.
- Follow the number of CPUs set by ``taskset``/``cpuset``.

Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S).
Administrators may wish to constrain the set of cores that
:iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl``
programs (or equivalents on other OSes).

If the admin has used taskset, the `named` will now follow to
automatically use the given number of CPUs rather than the system wide
count. :gl:`#4884`
If the admin has used ``taskset``, :iscman:`named` now automatically
uses the given number of CPUs rather than the system-wide count.
:gl:`#4884`

Bug Fixes
~~~~~~~~~

- Delay release of root privileges until after configuring controls.
- Delay the release of root privileges until after configuring controls.

Delay relinquishing root privileges until the control channel has been
configured, for the benefit of systems that require root to use
privileged port numbers. This mostly affects systems without fine-
grained privilege systems (i.e., other than Linux). :gl:`#4793`

- Fix rare assertion failure when shutting down incoming transfer.
- Fix a rare assertion failure when shutting down incoming transfer.

A very rare assertion failure can be triggered when the incoming
transfer is either forcefully shut down or it is finished during
printing the details about the statistics channel. This has been
A very rare assertion failure could be triggered when the incoming
transfer was either forcefully shut down, or it finished during the
printing of the details about the statistics channel. This has been
fixed. :gl:`#4860`

- Fix algoritm rollover bug when there are two keys with the same
- Fix algorithm rollover bug when there are two keys with the same
keytag.

If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key. This has been fixed by not only checking for matching key tag but
also key algorithm. :gl:`#4878`
If there was an algorithm rollover and two keys of different
algorithms shared the same keytags, there was the possibility that the
check of whether the key matched a specific state could be performed
against the wrong key. This has been fixed by not only checking for
the matching key tag but also the key algorithm. :gl:`#4878`

- Fix an assertion failure in validate_dnskey_dsset_done()
- Fix an assertion failure in ``validate_dnskey_dsset_done()``.

Under rare circumstances, named could terminate unexpectedly when
validating a DNSKEY resource record if the validation was canceled in
the meantime. This has been fixed. :gl:`#4911`
Under rare circumstances, :iscman:`named` could terminate unexpectedly
when validating a DNSKEY resource record if the validation had been
canceled in the meantime. This has been fixed. :gl:`#4911`

Known Issues
|
||||
~~~~~~~~~~~~
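Review bot: the reworded key-tag-range entry (the :gl:`#4830` item) changes which tools the note says gained the feature, not just its wording: the old text lists "named (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr (dnssec-policy)", while the new text lists ``tag-range`` in :any:`dnssec-policy` (for :iscman:`named` and :iscman:`dnssec-ksr`) plus :option:`dnssec-keyfromlabel -M` and :option:`dnssec-keygen -M`, so dnssec-signzone is dropped and dnssec-keygen is added. Please confirm against the #4830 change which tools actually accept the restricted range, so the release note matches the shipped behaviour; the same check applies to the new :option:`rndc skr -import <rndc skr>` cross-reference in the Offline KSK entry, which should resolve to an existing rndc option target.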