diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index eb3a5db973..e9b1b91202 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -21,10 +21,9 @@
Introduction
- BIND 9.14.0 is the first release of a new stable branch of BIND.
- This document summarizes new features and functional changes
- that have been introduced, as well as features that have been
- deprecated or removed, since the last stable branch, 9.12.
+ BIND 9.14 is a stable branch of BIND.
+ This document summarizes significant changes since the last
+ production release on that branch.
Please see the file CHANGES for a more
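Review bot: The rewritten introduction loses the release identification: the old lines named BIND 9.14.0 and the 9.12 baseline, while the new lines "BIND 9.14 is a stable branch of BIND." and "since the last production release on that branch" never say which 9.14.x release these notes describe or which release counts as the last production one. Since every remaining section in this patch reads "None.", a version statement is the only content left for a reader; state the release number explicitly in the introduction, or add a pointer to the 9.14.0 notes for the full list of changes since 9.12 alongside the existing reference to the CHANGES file.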
@@ -91,334 +90,7 @@
- Task manager and socket code have been substantially modified.
- The manager uses per-cpu queues for tasks and network stack runs
- multiple event loops in CPU-affinitive threads. This greatly
- improves performance on large systems, especially when using
- multi-queue NICs.
-
-
-
-
- Support for QNAME minimization was added and enabled by default
- in relaxed mode, in which BIND will fall back
- to normal resolution if the remote server returns something
- unexpected during the query minimization process. This default
- setting might change to strict in the future.
-
-
-
-
- A new plugin mechanism has been added to allow
- extension of query processing functionality through the use of
- external libraries. The new filter-aaaa.so
- plugin replaces the filter-aaaa feature that
- was formerly implemented as a native part of BIND.
-
-
- The plugin API is a work in progress and is likely to evolve
- as further plugins are implemented. [GL #15]
-
-
-
-
- A new secondary zone option, mirror,
- enables named to serve a transferred copy
- of a zone's contents without acting as an authority for the
- zone. A zone must be fully validated against an active trust
- anchor before it can be used as a mirror zone. DNS responses
- from mirror zones do not set the AA bit ("authoritative answer"),
- but do set the AD bit ("authenticated data"). This feature is
- meant to facilitate deployment of a local copy of the root zone,
- as described in RFC 7706. [GL #33]
-
-
-
-
- BIND now can be compiled against the libidn2
- library to add IDNA2008 support. Previously, BIND supported
- IDNA2003 using the (now obsolete and unsupported)
- idnkit-1 library.
-
-
-
-
- named now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- root-key-sentinel no; to
- named.conf. [GL #37]
-
-
-
-
- The dnskey-sig-validity option allows the
- sig-validity-interval to be overriden for
- signatures covering DNSKEY RRsets. [GL #145]
-
-
-
-
- When built on Linux, BIND now requires the libcap
- library to set process privileges. The adds a new compile-time
- dependency, which can be met on most Linux platforms by installing the
- libcap-dev or libcap-devel
- package. BIND can also be built without capability support by using
- configure --disable-linux-caps, at the cost of some
- loss of security.
-
-
-
-
- The validate-except option specifies a list of
- domains beneath which DNSSEC validation should not be performed,
- regardless of whether a trust anchor has been configured above
- them. [GL #237]
-
-
-
-
- Two new update policy rule types have been added
- krb5-selfsub and ms-selfsub
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
-
-
-
-
- The new configure option --enable-fips-mode
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
-
-
-
-
- Two new configuration options min-cache-ttl and
- min-ncache-ttl has been added to allow the BIND 9
- administrator to override the minimum TTL in the received DNS records
- (positive caching) and for storing the information about non-existent
- records (negative caching). The configured minimum TTL for both
- configuration options cannot exceed 90 seconds.
-
-
-
-
- rndc status output now includes a
- reconfig/reload in progress status line if named
- configuration is being reloaded.
-
-
-
-
- The new answer-cookie option, if set to
- no, prevents named from
- returning a DNS COOKIE option to a client, even if such an
- option was present in the request. This is only intended as
- a temporary measure, for use when named
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the same
- address is not expected to cause operational problems, but the
- option to disable COOKIE responses so that all servers have the
- same behavior is provided out of an abundance of caution.
- DNS COOKIE is an important security mechanism, and this option
- should not be used to disable it unless absolutely necessary.
-
-
-
-
-
- Removed Features
-
-
-
- Workarounds for servers that misbehave when queried with EDNS
- have been removed, because these broken servers and the
- workarounds for their noncompliance cause unnecessary delays,
- increase code complexity, and prevent deployment of new DNS
- features. See https://dnsflagday.net
- for further details.
-
-
- In particular, resolution will no longer fall back to
- plain DNS when there was no response from an authoritative
- server. This will cause some domains to become non-resolvable
- without manual intervention. In these cases, resolution can
- be restored by adding server clauses for the
- offending servers, specifying edns no or
- send-cookie no, depending on the specific
- noncompliance.
-
-
- To determine which server clause to use, run
- the following commands to send queries to the authoritative
- servers for the broken domain:
-
-
- dig soa <zone> @<server> +dnssec
- dig soa <zone> @<server> +dnssec +nocookie
- dig soa <zone> @<server> +noedns
-
-
- If the first command fails but the second succeeds, the
- server most likely needs send-cookie no.
- If the first two fail but the third succeeds, then the server
- needs EDNS to be fully disabled with edns no.
-
-
- Please contact the administrators of noncompliant domains
- and encourage them to upgrade their broken DNS servers. [GL #150]
-
-
-
-
- Previously, it was possible to build BIND without thread support
- for old architectures and systems without threads support.
- BIND now requires threading support (either POSIX or Windows) from
- the operating system, and it cannot be built without threads.
-
-
-
-
- The filter-aaaa,
- filter-aaaa-on-v4, and
- filter-aaaa-on-v6 options have been removed
- from named, and can no longer be
- configured using native named.conf syntax.
- However, loading the new filter-aaaa.so
- plugin and setting its parameters provides identical
- functionality.
-
-
-
-
- named can no longer use the EDNS CLIENT-SUBNET
- option for view selection. In its existing form, the authoritative
- ECS feature was not fully RFC-compliant, and could not realistically
- have been deployed in production for an authoritative server; its
- only practical use was for testing and experimentation. In the
- interest of code simplification, this feature has now been removed.
-
-
- The ECS option is still supported in dig and
- mdig via the +subnet argument, and can be parsed
- and logged when received by named, but
- it is no longer used for ACL processing. The
- geoip-use-ecs option is now obsolete;
- a warning will be logged if it is used in
- named.conf.
- ecs tags in an ACL definition are
- also obsolete, and will cause the configuration to fail to
- load if they are used. [GL #32]
-
-
-
-
- dnssec-keygen can no longer generate HMAC
- keys for TSIG authentication. Use tsig-keygen
- to generate these keys. [RT #46404]
-
-
-
-
- Support for OpenSSL 0.9.x has been removed. OpenSSL version
- 1.0.0 or greater, or LibreSSL is now required.
-
-
-
-
- The configure --enable-seccomp option,
- which formerly turned on system-call filtering on Linux, has
- been removed. [GL #93]
-
-
-
-
- IPv4 addresses in forms other than dotted-quad are no longer
- accepted in master files. [GL #13] [GL #56]
-
-
-
-
- IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-
-
-
-
- The "rbtdb64" database implementation (a parallel
- implementation of "rbt") has been removed. [GL #217]
-
-
-
-
- The -r randomdev option to explicitly select
- random device has been removed from the
- ddns-confgen,
- rndc-confgen,
- nsupdate,
- dnssec-confgen, and
- dnssec-signzone commands.
-
-
- The -p option to use pseudo-random data
- has been removed from the dnssec-signzone
- command.
-
-
-
-
- Support for the RSAMD5 algorithm has been removed freom BIND as
- the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
- in RFC6725, the security of the MD5 algorithm has been compromised,
- and its usage is considered harmful.
-
-
-
-
- Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
- removed from BIND, as the algorithm has been superseded by
- GOST R 34.11-2012 in RFC6986 and it must not be used in new
- deployments. BIND will neither create new DNSSEC keys,
- signatures and digests, nor it will validate them.
-
-
-
-
- Support for DSA and DSA-NSEC3-SHA1 algorithms has been
- removed from BIND as the DSA key length is limited to 1024
- bits and this is not considered secure enough.
-
-
-
-
- named will no longer ignore "no-change" deltas
- when processing an IXFR stream. This had previously been
- permitted for compatibility with BIND 8, but now "no-change"
- deltas will trigger a fallback to AXFR as the recovery mechanism.
-
-
-
-
- BIND 9 will no longer build on platforms that don't have
- proper IPv6 support. BIND 9 now also requires POSIX-compatible
- pthread support. Most of the platforms that lack these featuers
- are long past their end-of-lifew dates, and they are neither
- developed nor supported by their respective vendors.
-
-
-
-
- The incomplete support for internationalization message catalogs has
- been removed from BIND. Since the internationalization was never
- completed, and no localized message catalogs were ever made available
- for the portions of BIND in which they could have been used, this
- change will have no effect except to simplify the source code. BIND's
- log messages and other output were already only available in English.
+ None.
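Review bot: The deleted block includes the section heading itself ("- Removed Features" near the middle of the hunk), but the only visible added line is "+ None."; with 7 lines in the new range, confirm that both the New Features and the Removed Features headings survive, otherwise the Removed Features section disappears together with its entries. The dropped entries also carry the security-relevant guidance for this branch: the removal of EDNS workarounds with its "dig soa <zone> @<server> +dnssec" diagnostics and the "edns no" / "send-cookie no" server clauses, the RSAMD5, ECC-GOST and DSA algorithm removals, the libcap requirement and the removal of "--enable-seccomp". If these entries are being relocated rather than dropped, leave a one-line pointer to where they now live, and fix the typos while moving the text ("overriden", "The adds a new", "freom", "featuers", "end-of-lifew").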
@@ -428,132 +100,17 @@
- BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where
- it is compiled. It will use the arc4random()
- family of functions on BSD operating systems,
- getrandom() on Linux and Solaris,
- CryptGenRandom on Windows, and the selected
- cryptography provider library (OpenSSL or PKCS#11) as the last
- resort. [GL #221]
+ None.
+
+
+
+ Bug Fixes
+
- The default setting for dnssec-validation is
- now auto, which activates DNSSEC
- validation using the IANA root key. (The default can be changed
- back to yes, which activates DNSSEC
- validation only when keys are explicitly configured in
- named.conf, by building BIND with
- configure --disable-auto-validation.) [GL #30]
-
-
-
-
- BIND can no longer be built without DNSSEC support. A cryptography
- provider (i.e., OpenSSL or a hardware service module with
- PKCS#11 support) must be available. [GL #244]
-
-
-
-
- Zone types primary and
- secondary are now available as synonyms for
- master and slave,
- respectively, in named.conf.
-
-
-
-
- named will now log a warning if the old
- root DNSSEC key is explicitly configured and has not been updated.
- [RT #43670]
-
-
-
-
- dig +nssearch will now list name servers
- that have timed out, in addition to those that respond. [GL #64]
-
-
-
-
- Up to 64 response-policy zones are now
- supported by default; previously the limit was 32. [GL #123]
-
-
-
-
- Several configuration options for time periods can now use
- TTL value suffixes (for example, 2h or
- 1d) in addition to an integer number of
- seconds. These include
- fstrm-set-reopen-interval,
- interface-interval,
- max-cache-ttl,
- max-ncache-ttl,
- max-policy-ttl, and
- min-update-interval.
- [GL #203]
-
-
-
-
- NSID logging (enabled by the request-nsid
- option) now has its own nsid category,
- instead of using the resolver category.
-
-
-
-
- The rndc nta command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a -class
- option. [GL #105]
-
-
-
-
- allow-recursion-on and
- allow-query-cache-on each now default to
- the other if only one of them is set, in order to be consistent
- with the way allow-recursion and
- allow-query-cache work. [GL #319]
-
-
-
-
- When compiled with IDN support, the dig and
- nslookup commands now disable IDN processing
- when the standard output is not a TTY (i.e., when the output
- is not being read by a human). When running from a shell
- script, the command line options +idnin and
- +idnout may be used to enable IDN
- processing of input and output domain names, respectively.
- When running on a TTY, the +noidnin and
- +noidnout options may be used to disable
- IDN processing of input and output domain names.
-
-
-
-
- The configuration option max-ncache-ttl cannot
- exceed seven days. Previously, larger values than this were silently
- lowered; now, they trigger a configuration error.
-
-
-
-
- The new dig -r command line option
- disables reading of the file $HOME/.digrc.
-
-
-
-
- Zone signing and key maintenance events are now logged to the
- dnssec category rather than
- zone.
+ None.
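Review bot: The added "Bug Fixes" heading sits between the deleted Feature Changes entries and its own "+ None." at the very end of the hunk, so the resulting layout (Feature Changes "None.", then Bug Fixes, then a trailing "None.") is hard to verify from the diff; regenerating it with git diff --diff-algorithm=patience, or splitting the change into one commit per section, would give a reviewable hunk. Substantively, the removed entries include the change of the dnssec-validation default to auto and the CSPRNG selection (arc4random(), getrandom(), CryptGenRandom), both of which an operator on 9.14 would consult when auditing a deployment; as with the previous hunk, add a pointer to the 9.14.0 notes if they are being relocated. A Bug Fixes section that reads "None." in a maintenance-branch notes file also looks like a placeholder, so check that it agrees with the CHANGES file the introduction refers to before release.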