From 5d0922387490efb6e8f8d78b104e1a23b2b6f2e7 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 7 Mar 2019 11:11:15 -0800 Subject: [PATCH] clear out release notes from 9.14.0 to prepare the ground for 9.14.1 --- doc/arm/notes.xml | 465 ++-------------------------------------------- 1 file changed, 11 insertions(+), 454 deletions(-) diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index eb3a5db973..e9b1b91202 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -21,10 +21,9 @@
Introduction - BIND 9.14.0 is the first release of a new stable branch of BIND. - This document summarizes new features and functional changes - that have been introduced, as well as features that have been - deprecated or removed, since the last stable branch, 9.12. + BIND 9.14 is a stable branch of BIND. + This document summarizes significant changes since the last + production release on that branch. Please see the file CHANGES for a more 
@@ -91,334 +90,7 @@ - Task manager and socket code have been substantially modified. - The manager uses per-cpu queues for tasks and network stack runs - multiple event loops in CPU-affinitive threads. This greatly - improves performance on large systems, especially when using - multi-queue NICs. - - - - - Support for QNAME minimization was added and enabled by default - in relaxed mode, in which BIND will fall back - to normal resolution if the remote server returns something - unexpected during the query minimization process. This default - setting might change to strict in the future. - - - - - A new plugin mechanism has been added to allow - extension of query processing functionality through the use of - external libraries. The new filter-aaaa.so - plugin replaces the filter-aaaa feature that - was formerly implemented as a native part of BIND. - - - The plugin API is a work in progress and is likely to evolve - as further plugins are implemented. [GL #15] - - - - - A new secondary zone option, mirror, - enables named to serve a transferred copy - of a zone's contents without acting as an authority for the - zone. A zone must be fully validated against an active trust - anchor before it can be used as a mirror zone. DNS responses - from mirror zones do not set the AA bit ("authoritative answer"), - but do set the AD bit ("authenticated data"). This feature is - meant to facilitate deployment of a local copy of the root zone, - as described in RFC 7706. [GL #33] - - - - - BIND now can be compiled against the libidn2 - library to add IDNA2008 support. Previously, BIND supported - IDNA2003 using the (now obsolete and unsupported) - idnkit-1 library. - - - - - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. 
[GL #37] - - - - - The dnskey-sig-validity option allows the - sig-validity-interval to be overriden for - signatures covering DNSKEY RRsets. [GL #145] - - - - - When built on Linux, BIND now requires the libcap - library to set process privileges. The adds a new compile-time - dependency, which can be met on most Linux platforms by installing the - libcap-dev or libcap-devel - package. BIND can also be built without capability support by using - configure --disable-linux-caps, at the cost of some - loss of security. - - - - - The validate-except option specifies a list of - domains beneath which DNSSEC validation should not be performed, - regardless of whether a trust anchor has been configured above - them. [GL #237] - - - - - Two new update policy rule types have been added - krb5-selfsub and ms-selfsub - which allow machines with Kerberos principals to update - the name space at or below the machine names identified - in the respective principals. - - - - - The new configure option --enable-fips-mode - can be used to make BIND enable and enforce FIPS mode in the - OpenSSL library. When compiled with such option the BIND will - refuse to run if FIPS mode can't be enabled, thus this option - must be only enabled for the systems where FIPS mode is available. - - - - - Two new configuration options min-cache-ttl and - min-ncache-ttl has been added to allow the BIND 9 - administrator to override the minimum TTL in the received DNS records - (positive caching) and for storing the information about non-existent - records (negative caching). The configured minimum TTL for both - configuration options cannot exceed 90 seconds. - - - - - rndc status output now includes a - reconfig/reload in progress status line if named - configuration is being reloaded. - - - - - The new answer-cookie option, if set to - no, prevents named from - returning a DNS COOKIE option to a client, even if such an - option was present in the request. 
This is only intended as - a temporary measure, for use when named - shares an IP address with other servers that do not yet - support DNS COOKIE. A mismatch between servers on the same - address is not expected to cause operational problems, but the - option to disable COOKIE responses so that all servers have the - same behavior is provided out of an abundance of caution. - DNS COOKIE is an important security mechanism, and this option - should not be used to disable it unless absolutely necessary. - - - -
- -
Removed Features - - - - Workarounds for servers that misbehave when queried with EDNS - have been removed, because these broken servers and the - workarounds for their noncompliance cause unnecessary delays, - increase code complexity, and prevent deployment of new DNS - features. See https://dnsflagday.net - for further details. - - - In particular, resolution will no longer fall back to - plain DNS when there was no response from an authoritative - server. This will cause some domains to become non-resolvable - without manual intervention. In these cases, resolution can - be restored by adding server clauses for the - offending servers, specifying edns no or - send-cookie no, depending on the specific - noncompliance. - - - To determine which server clause to use, run - the following commands to send queries to the authoritative - servers for the broken domain: - - - dig soa <zone> @<server> +dnssec - dig soa <zone> @<server> +dnssec +nocookie - dig soa <zone> @<server> +noedns - - - If the first command fails but the second succeeds, the - server most likely needs send-cookie no. - If the first two fail but the third succeeds, then the server - needs EDNS to be fully disabled with edns no. - - - Please contact the administrators of noncompliant domains - and encourage them to upgrade their broken DNS servers. [GL #150] - - - - - Previously, it was possible to build BIND without thread support - for old architectures and systems without threads support. - BIND now requires threading support (either POSIX or Windows) from - the operating system, and it cannot be built without threads. - - - - - The filter-aaaa, - filter-aaaa-on-v4, and - filter-aaaa-on-v6 options have been removed - from named, and can no longer be - configured using native named.conf syntax. - However, loading the new filter-aaaa.so - plugin and setting its parameters provides identical - functionality. - - - - - named can no longer use the EDNS CLIENT-SUBNET - option for view selection. 
In its existing form, the authoritative - ECS feature was not fully RFC-compliant, and could not realistically - have been deployed in production for an authoritative server; its - only practical use was for testing and experimentation. In the - interest of code simplification, this feature has now been removed. - - - The ECS option is still supported in dig and - mdig via the +subnet argument, and can be parsed - and logged when received by named, but - it is no longer used for ACL processing. The - geoip-use-ecs option is now obsolete; - a warning will be logged if it is used in - named.conf. - ecs tags in an ACL definition are - also obsolete, and will cause the configuration to fail to - load if they are used. [GL #32] - - - - - dnssec-keygen can no longer generate HMAC - keys for TSIG authentication. Use tsig-keygen - to generate these keys. [RT #46404] - - - - - Support for OpenSSL 0.9.x has been removed. OpenSSL version - 1.0.0 or greater, or LibreSSL is now required. - - - - - The configure --enable-seccomp option, - which formerly turned on system-call filtering on Linux, has - been removed. [GL #93] - - - - - IPv4 addresses in forms other than dotted-quad are no longer - accepted in master files. [GL #13] [GL #56] - - - - - IDNA2003 support via (bundled) idnkit-1.0 has been removed. - - - - - The "rbtdb64" database implementation (a parallel - implementation of "rbt") has been removed. [GL #217] - - - - - The -r randomdev option to explicitly select - random device has been removed from the - ddns-confgen, - rndc-confgen, - nsupdate, - dnssec-confgen, and - dnssec-signzone commands. - - - The -p option to use pseudo-random data - has been removed from the dnssec-signzone - command. - - - - - Support for the RSAMD5 algorithm has been removed freom BIND as - the usage of the RSAMD5 algorithm for DNSSEC has been deprecated - in RFC6725, the security of the MD5 algorithm has been compromised, - and its usage is considered harmful. 
- - - - - Support for the ECC-GOST (GOST R 34.11-94) algorithm has been - removed from BIND, as the algorithm has been superseded by - GOST R 34.11-2012 in RFC6986 and it must not be used in new - deployments. BIND will neither create new DNSSEC keys, - signatures and digests, nor it will validate them. - - - - - Support for DSA and DSA-NSEC3-SHA1 algorithms has been - removed from BIND as the DSA key length is limited to 1024 - bits and this is not considered secure enough. - - - - - named will no longer ignore "no-change" deltas - when processing an IXFR stream. This had previously been - permitted for compatibility with BIND 8, but now "no-change" - deltas will trigger a fallback to AXFR as the recovery mechanism. - - - - - BIND 9 will no longer build on platforms that don't have - proper IPv6 support. BIND 9 now also requires POSIX-compatible - pthread support. Most of the platforms that lack these featuers - are long past their end-of-lifew dates, and they are neither - developed nor supported by their respective vendors. - - - - - The incomplete support for internationalization message catalogs has - been removed from BIND. Since the internationalization was never - completed, and no localized message catalogs were ever made available - for the portions of BIND in which they could have been used, this - change will have no effect except to simplify the source code. BIND's - log messages and other output were already only available in English. + None. @@ -428,132 +100,17 @@ - BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where - it is compiled. It will use the arc4random() - family of functions on BSD operating systems, - getrandom() on Linux and Solaris, - CryptGenRandom on Windows, and the selected - cryptography provider library (OpenSSL or PKCS#11) as the last - resort. [GL #221] + None. + +
+ +
Bug Fixes + - The default setting for dnssec-validation is - now auto, which activates DNSSEC - validation using the IANA root key. (The default can be changed - back to yes, which activates DNSSEC - validation only when keys are explicitly configured in - named.conf, by building BIND with - configure --disable-auto-validation.) [GL #30] - - - - - BIND can no longer be built without DNSSEC support. A cryptography - provider (i.e., OpenSSL or a hardware service module with - PKCS#11 support) must be available. [GL #244] - - - - - Zone types primary and - secondary are now available as synonyms for - master and slave, - respectively, in named.conf. - - - - - named will now log a warning if the old - root DNSSEC key is explicitly configured and has not been updated. - [RT #43670] - - - - - dig +nssearch will now list name servers - that have timed out, in addition to those that respond. [GL #64] - - - - - Up to 64 response-policy zones are now - supported by default; previously the limit was 32. [GL #123] - - - - - Several configuration options for time periods can now use - TTL value suffixes (for example, 2h or - 1d) in addition to an integer number of - seconds. These include - fstrm-set-reopen-interval, - interface-interval, - max-cache-ttl, - max-ncache-ttl, - max-policy-ttl, and - min-update-interval. - [GL #203] - - - - - NSID logging (enabled by the request-nsid - option) now has its own nsid category, - instead of using the resolver category. - - - - - The rndc nta command could not differentiate - between views of the same name but different class; this - has been corrected with the addition of a -class - option. [GL #105] - - - - - allow-recursion-on and - allow-query-cache-on each now default to - the other if only one of them is set, in order to be consistent - with the way allow-recursion and - allow-query-cache work. 
[GL #319] - - - - - When compiled with IDN support, the dig and - nslookup commands now disable IDN processing - when the standard output is not a TTY (i.e., when the output - is not being read by a human). When running from a shell - script, the command line options +idnin and - +idnout may be used to enable IDN - processing of input and output domain names, respectively. - When running on a TTY, the +noidnin and - +noidnout options may be used to disable - IDN processing of input and output domain names. - - - - - The configuration option max-ncache-ttl cannot - exceed seven days. Previously, larger values than this were silently - lowered; now, they trigger a configuration error. - - - - - The new dig -r command line option - disables reading of the file $HOME/.digrc. - - - - - Zone signing and key maintenance events are now logged to the - dnssec category rather than - zone. + None.
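Review bot: in the first hunk (@@ -21,10 +21,9 @@) the new introduction drops the explicit baseline the old text gave ("since the last stable branch, 9.12") and replaces it with "since the last production release on that branch", which leaves the reader to infer which release that is; with every section below now reading "None.", nothing else in the document names the release these empty sections are measured against. Suggest stating the baseline explicitly, in line with the commit subject, e.g. "This document summarizes significant changes since BIND 9.14.0." The retained pointer to the CHANGES file is fine as it stands.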
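Review bot: in the second hunk (@@ -91,334 +90,7 @@) only one "+ None." placeholder is added, after the Removed Features items, while the deleted New Features items (task manager rework, QNAME minimization, the plugin mechanism, mirror zones, and the rest) have no replacement line visible in the hunk. Either the New Features list is left empty or its placeholder was dropped; please make both sections consistent with Feature Changes and Bug Fixes in the next hunk, which each get "+ None.". Worth checking that the +90,7 result still carries a list item for each emptied section, since an empty list is easy to miss in the rendered ARM but may not validate against the DocBook schema.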
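Review bot: in the third hunk (@@ -428,132 +100,17 @@) the Feature Changes and Bug Fixes lists are replaced by "+ None.", which is the right content for a fresh 9.14.1 notes file, but several of the deleted items describe behaviour operators hit when upgrading onto 9.14 (dnssec-validation now defaulting to auto, values of max-ncache-ttl above seven days becoming a configuration error instead of being silently lowered, BIND no longer building without a cryptography provider). Since these now survive only in the 9.14.0 notes and in CHANGES, consider adding one sentence to the introduction pointing readers upgrading from 9.12 to the 9.14.0 release notes, so that the "None." sections are not read as "nothing changed on this branch".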