upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 12:20:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'each-notes-914' into 'v9_14'

Browse source 
clear out 9.14.0 release notes

See merge request isc-projects/bind9!1622
This commit is contained in:
Evan Hunt 2019-03-07 14:34:27 -05:00
commit b3e152610d
1 changed files with 11 additions and 454 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

465
doc/arm/notes.xml
View file

@ -21,10 +21,9 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
<para>
BIND 9.14.0 is the first release of a new stable branch of BIND.
This document summarizes new features and functional changes
that have been introduced, as well as features that have been
deprecated or removed, since the last stable branch, 9.12.
BIND 9.14 is a stable branch of BIND.
This document summarizes significant changes since the last
production release on that branch.
<para>
</para>
Please see the file <filename>CHANGES</filename> for a more
@ -91,334 +90,7 @@
<itemizedlist>
<listitem>
<para>
Task manager and socket code have been substantially modified.
The manager uses per-cpu queues for tasks and network stack runs
multiple event loops in CPU-affinitive threads. This greatly
improves performance on large systems, especially when using
multi-queue NICs.
</para>
</listitem>
<listitem>
<para>
Support for QNAME minimization was added and enabled by default
in <command>relaxed</command> mode, in which BIND will fall back
to normal resolution if the remote server returns something
unexpected during the query minimization process. This default
setting might change to <command>strict</command> in the future.
</para>
</listitem>
<listitem>
<para>
A new <command>plugin</command> mechanism has been added to allow
extension of query processing functionality through the use of
external libraries. The new <filename>filter-aaaa.so</filename>
plugin replaces the <command>filter-aaaa</command> feature that
was formerly implemented as a native part of BIND.
</para>
<para>
The plugin API is a work in progress and is likely to evolve
as further plugins are implemented. [GL #15]
</para>
</listitem>
<listitem>
<para>
A new secondary zone option, <command>mirror</command>,
enables <command>named</command> to serve a transferred copy
of a zone's contents without acting as an authority for the
zone. A zone must be fully validated against an active trust
anchor before it can be used as a mirror zone. DNS responses
from mirror zones do not set the AA bit ("authoritative answer"),
but do set the AD bit ("authenticated data"). This feature is
meant to facilitate deployment of a local copy of the root zone,
as described in RFC 7706. [GL #33]
</para>
</listitem>
<listitem>
<para>
BIND now can be compiled against the <command>libidn2</command>
library to add IDNA2008 support. Previously, BIND supported
IDNA2003 using the (now obsolete and unsupported)
<command>idnkit-1</command> library.
</para>
</listitem>
<listitem>
<para>
<command>named</command> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<command>root-key-sentinel no;</command> to
<filename>named.conf</filename>. [GL #37]
</para>
</listitem>
<listitem>
<para>
The <command>dnskey-sig-validity</command> option allows the
<command>sig-validity-interval</command> to be overriden for
signatures covering DNSKEY RRsets. [GL #145]
</para>
</listitem>
<listitem>
<para>
When built on Linux, BIND now requires the <command>libcap</command>
library to set process privileges. The adds a new compile-time
dependency, which can be met on most Linux platforms by installing the
<command>libcap-dev</command> or <command>libcap-devel</command>
package. BIND can also be built without capability support by using
<command>configure --disable-linux-caps</command>, at the cost of some
loss of security.
</para>
</listitem>
<listitem>
<para>
The <command>validate-except</command> option specifies a list of
domains beneath which DNSSEC validation should not be performed,
regardless of whether a trust anchor has been configured above
them. [GL #237]
</para>
</listitem>
<listitem>
<para>
Two new update policy rule types have been added
<command>krb5-selfsub</command> and <command>ms-selfsub</command>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</para>
</listitem>
<listitem>
<para>
The new configure option <command>--enable-fips-mode</command>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
</para>
</listitem>
<listitem>
<para>
Two new configuration options <command>min-cache-ttl</command> and
<command>min-ncache-ttl</command> has been added to allow the BIND 9
administrator to override the minimum TTL in the received DNS records
(positive caching) and for storing the information about non-existent
records (negative caching). The configured minimum TTL for both
configuration options cannot exceed 90 seconds.
</para>
</listitem>
<listitem>
<para>
<command>rndc status</command> output now includes a
<command>reconfig/reload in progress</command> status line if named
configuration is being reloaded.
</para>
</listitem>
<listitem>
<para>
The new <command>answer-cookie</command> option, if set to
<literal>no</literal>, prevents <command>named</command> from
returning a DNS COOKIE option to a client, even if such an
option was present in the request. This is only intended as
a temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the same
address is not expected to cause operational problems, but the
option to disable COOKIE responses so that all servers have the
same behavior is provided out of an abundance of caution.
DNS COOKIE is an important security mechanism, and this option
should not be used to disable it unless absolutely necessary.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
<itemizedlist>
<listitem>
<para>
Workarounds for servers that misbehave when queried with EDNS
have been removed, because these broken servers and the
workarounds for their noncompliance cause unnecessary delays,
increase code complexity, and prevent deployment of new DNS
features. See <link xmlns:xlink="http://www.w3.org/1999/xlink"
xlink:href="https://dnsflagday.net">https://dnsflagday.net</link>
for further details.
</para>
<para>
In particular, resolution will no longer fall back to
plain DNS when there was no response from an authoritative
server. This will cause some domains to become non-resolvable
without manual intervention. In these cases, resolution can
be restored by adding <command>server</command> clauses for the
offending servers, specifying <command>edns no</command> or
<command>send-cookie no</command>, depending on the specific
noncompliance.
</para>
<para>
To determine which <command>server</command> clause to use, run
the following commands to send queries to the authoritative
servers for the broken domain:
</para>
<literallayout>
dig soa &lt;zone&gt; @&lt;server&gt; +dnssec
dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie
dig soa &lt;zone&gt; @&lt;server&gt; +noedns
</literallayout>
<para>
If the first command fails but the second succeeds, the
server most likely needs <command>send-cookie no</command>.
If the first two fail but the third succeeds, then the server
needs EDNS to be fully disabled with <command>edns no</command>.
</para>
<para>
Please contact the administrators of noncompliant domains
and encourage them to upgrade their broken DNS servers. [GL #150]
</para>
</listitem>
<listitem>
<para>
Previously, it was possible to build BIND without thread support
for old architectures and systems without threads support.
BIND now requires threading support (either POSIX or Windows) from
the operating system, and it cannot be built without threads.
</para>
</listitem>
<listitem>
<para>
The <command>filter-aaaa</command>,
<command>filter-aaaa-on-v4</command>, and
<command>filter-aaaa-on-v6</command> options have been removed
from <command>named</command>, and can no longer be
configured using native <filename>named.conf</filename> syntax.
However, loading the new <filename>filter-aaaa.so</filename>
plugin and setting its parameters provides identical
functionality.
</para>
</listitem>
<listitem>
<para>
<command>named</command> can no longer use the EDNS CLIENT-SUBNET
option for view selection. In its existing form, the authoritative
ECS feature was not fully RFC-compliant, and could not realistically
have been deployed in production for an authoritative server; its
only practical use was for testing and experimentation. In the
interest of code simplification, this feature has now been removed.
</para>
<para>
The ECS option is still supported in <command>dig</command> and
<command>mdig</command> via the +subnet argument, and can be parsed
and logged when received by <command>named</command>, but
it is no longer used for ACL processing. The
<command>geoip-use-ecs</command> option is now obsolete;
a warning will be logged if it is used in
<filename>named.conf</filename>.
<command>ecs</command> tags in an ACL definition are
also obsolete, and will cause the configuration to fail to
load if they are used. [GL #32]
</para>
</listitem>
<listitem>
<para>
<command>dnssec-keygen</command> can no longer generate HMAC
keys for TSIG authentication. Use <command>tsig-keygen</command>
to generate these keys. [RT #46404]
</para>
</listitem>
<listitem>
<para>
Support for OpenSSL 0.9.x has been removed. OpenSSL version
1.0.0 or greater, or LibreSSL is now required.
</para>
</listitem>
<listitem>
<para>
The <command>configure --enable-seccomp</command> option,
which formerly turned on system-call filtering on Linux, has
been removed. [GL #93]
</para>
</listitem>
<listitem>
<para>
IPv4 addresses in forms other than dotted-quad are no longer
accepted in master files. [GL #13] [GL #56]
</para>
</listitem>
<listitem>
<para>
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
</para>
</listitem>
<listitem>
<para>
The "rbtdb64" database implementation (a parallel
implementation of "rbt") has been removed. [GL #217]
</para>
</listitem>
<listitem>
<para>
The <command>-r randomdev</command> option to explicitly select
random device has been removed from the
<command>ddns-confgen</command>,
<command>rndc-confgen</command>,
<command>nsupdate</command>,
<command>dnssec-confgen</command>, and
<command>dnssec-signzone</command> commands.
</para>
<para>
The <command>-p</command> option to use pseudo-random data
has been removed from the <command>dnssec-signzone</command>
command.
</para>
</listitem>
<listitem>
<para>
Support for the RSAMD5 algorithm has been removed freom BIND as
the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
in RFC6725, the security of the MD5 algorithm has been compromised,
and its usage is considered harmful.
</para>
</listitem>
<listitem>
<para>
Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND, as the algorithm has been superseded by
GOST R 34.11-2012 in RFC6986 and it must not be used in new
deployments. BIND will neither create new DNSSEC keys,
signatures and digests, nor it will validate them.
</para>
</listitem>
<listitem>
<para>
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
removed from BIND as the DSA key length is limited to 1024
bits and this is not considered secure enough.
</para>
</listitem>
<listitem>
<para>
<command>named</command> will no longer ignore "no-change" deltas
when processing an IXFR stream. This had previously been
permitted for compatibility with BIND 8, but now "no-change"
deltas will trigger a fallback to AXFR as the recovery mechanism.
</para>
</listitem>
<listitem>
<para>
BIND 9 will no longer build on platforms that don't have
proper IPv6 support. BIND 9 now also requires POSIX-compatible
pthread support. Most of the platforms that lack these featuers
are long past their end-of-lifew dates, and they are neither
developed nor supported by their respective vendors.
</para>
</listitem>
<listitem>
<para>
The incomplete support for internationalization message catalogs has
been removed from BIND. Since the internationalization was never
completed, and no localized message catalogs were ever made available
for the portions of BIND in which they could have been used, this
change will have no effect except to simplify the source code. BIND's
log messages and other output were already only available in English.
None.
</para>
</listitem>
</itemizedlist>
@ -428,132 +100,17 @@
<itemizedlist>
<listitem>
<para>
BIND will now always use the best CSPRNG (cryptographically-secure
pseudo-random number generator) available on the platform where
it is compiled. It will use the <command>arc4random()</command>
family of functions on BSD operating systems,
<command>getrandom()</command> on Linux and Solaris,
<command>CryptGenRandom</command> on Windows, and the selected
cryptography provider library (OpenSSL or PKCS#11) as the last
resort. [GL #221]
None.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
The default setting for <command>dnssec-validation</command> is
now <userinput>auto</userinput>, which activates DNSSEC
validation using the IANA root key. (The default can be changed
back to <userinput>yes</userinput>, which activates DNSSEC
validation only when keys are explicitly configured in
<filename>named.conf</filename>, by building BIND with
<command>configure --disable-auto-validation</command>.) [GL #30]
</para>
</listitem>
<listitem>
<para>
BIND can no longer be built without DNSSEC support. A cryptography
provider (i.e., OpenSSL or a hardware service module with
PKCS#11 support) must be available. [GL #244]
</para>
</listitem>
<listitem>
<para>
Zone types <command>primary</command> and
<command>secondary</command> are now available as synonyms for
<command>master</command> and <command>slave</command>,
respectively, in <filename>named.conf</filename>.
</para>
</listitem>
<listitem>
<para>
<command>named</command> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
[RT #43670]
</para>
</listitem>
<listitem>
<para>
<command>dig +nssearch</command> will now list name servers
that have timed out, in addition to those that respond. [GL #64]
</para>
</listitem>
<listitem>
<para>
Up to 64 <command>response-policy</command> zones are now
supported by default; previously the limit was 32. [GL #123]
</para>
</listitem>
<listitem>
<para>
Several configuration options for time periods can now use
TTL value suffixes (for example, <literal>2h</literal> or
<literal>1d</literal>) in addition to an integer number of
seconds. These include
<command>fstrm-set-reopen-interval</command>,
<command>interface-interval</command>,
<command>max-cache-ttl</command>,
<command>max-ncache-ttl</command>,
<command>max-policy-ttl</command>, and
<command>min-update-interval</command>.
[GL #203]
</para>
</listitem>
<listitem>
<para>
NSID logging (enabled by the <command>request-nsid</command>
option) now has its own <command>nsid</command> category,
instead of using the <command>resolver</command> category.
</para>
</listitem>
<listitem>
<para>
The <command>rndc nta</command> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <command>-class</command>
option. [GL #105]
</para>
</listitem>
<listitem>
<para>
<command>allow-recursion-on</command> and
<command>allow-query-cache-on</command> each now default to
the other if only one of them is set, in order to be consistent
with the way <command>allow-recursion</command> and
<command>allow-query-cache</command> work. [GL #319]
</para>
</listitem>
<listitem>
<para>
When compiled with IDN support, the <command>dig</command> and
<command>nslookup</command> commands now disable IDN processing
when the standard output is not a TTY (i.e., when the output
is not being read by a human). When running from a shell
script, the command line options <command>+idnin</command> and
<command>+idnout</command> may be used to enable IDN
processing of input and output domain names, respectively.
When running on a TTY, the <command>+noidnin</command> and
<command>+noidnout</command> options may be used to disable
IDN processing of input and output domain names.
</para>
</listitem>
<listitem>
<para>
The configuration option <command>max-ncache-ttl</command> cannot
exceed seven days. Previously, larger values than this were silently
lowered; now, they trigger a configuration error.
</para>
</listitem>
<listitem>
<para>
The new <command>dig -r</command> command line option
disables reading of the file <filename>$HOME/.digrc</filename>.
</para>
</listitem>
<listitem>
<para>
Zone signing and key maintenance events are now logged to the
<command>dnssec</command> category rather than
<command>zone</command>.
None.
</para>
</listitem>
</itemizedlist>