Merge branch 'prep-release-v9_15_7' into 'master'

Prep 9.15.7

See merge request isc-projects/bind9!2771
Evan Hunt 2019-12-13 00:00:45 +00:00
commit de42a7aa9f
71 changed files with 533 additions and 342 deletions


@ -1,3 +1,5 @@
--- 9.15.7 released ---
5336. [bug] The TCP high-water statistic could report an
incorrect value on startup. [GL #1392]

13
README

@ -115,9 +115,9 @@ of changes from BIND 9.14 and earlier releases. New features include:
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using dnssec-keys,
permitting configuration of trust anchors in DS as well as DNSKEY
format.
* Improved DNSSEC trust anchor configuration using the trust-anchors
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for dig, mdig, and delv.
Building BIND
@ -180,9 +180,10 @@ Dependencies
Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the
argparse and ply modules to be available. argparse is a standard module as
of Python 2.7 and Python 3.2. ply is available from https://
pypi.python.org/pypi/ply.
argparse, ply and distutils.core modules to be available. argparse is a
standard module as of Python 2.7 and Python 3.2. ply is available from
https://pypi.python.org/pypi/ply. distutils.core is required for
installation.
Compile-time options


@ -144,7 +144,7 @@ options\&.
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBdnssec\-keys\fR\fBinitial\-key\fR
\fBtrust\-anchors\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with


@ -197,7 +197,7 @@
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
<span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is


@ -97,20 +97,6 @@ dlz \fIstring\fR {
.if n \{\
.RE
.\}
.SH "DNSSEC-KEYS"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds )
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
.\}
.SH "DYNDB"
.sp
.if n \{\
@ -164,7 +150,7 @@ logging {
.\}
.SH "MANAGED-KEYS"
.PP
Deprecated \- see DNSSEC\-KEYS\&.
Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
@ -565,9 +551,23 @@ statistics\-channels {
.if n \{\
.RE
.\}
.SH "TRUST-ANCHORS"
.sp
.if n \{\
.RS 4
.\}
.nf
trust\-anchors { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds )
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
.\}
.SH "TRUSTED-KEYS"
.PP
Deprecated \- see DNSSEC\-KEYS\&.
Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
@ -655,10 +655,6 @@ view \fIstring\fR [ \fIclass\fR ] {
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
@ -849,6 +845,10 @@ view \fIstring\fR [ \fIclass\fR ] {
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ];
trust\-anchor\-telemetry \fIboolean\fR; // experimental
trust\-anchors { \fIstring\fR ( static\-key |
initial\-key | static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR
\fIinteger\fR
@ -1074,7 +1074,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
.\}
.nf
dnssec\-policy \fIstring\fR {
dnskey\-ttl \fIttlval\fR;
dnskey\-ttl \fIduration\fR;
keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
parent\-ds\-ttl \fIduration\fR;
parent\-propagation\-delay \fIduration\fR;


@ -92,17 +92,7 @@ dlz
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds )<br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>DYNDB</h2>
<a name="id-1.11"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -110,7 +100,7 @@ dyndb
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>KEY</h2>
<a name="id-1.12"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -120,7 +110,7 @@ key
</div>
<div class="refsection">
<a name="id-1.14"></a><h2>LOGGING</h2>
<a name="id-1.13"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -141,8 +131,8 @@ logging
</div>
<div class="refsection">
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key | static-ds |<br>
@ -152,7 +142,7 @@ managed-keys
</div>
<div class="refsection">
<a name="id-1.16"></a><h2>MASTERS</h2>
<a name="id-1.15"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -162,7 +152,7 @@ masters
</div>
<div class="refsection">
<a name="id-1.17"></a><h2>OPTIONS</h2>
<a name="id-1.16"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -461,7 +451,7 @@ options
</div>
<div class="refsection">
<a name="id-1.18"></a><h2>PLUGIN</h2>
<a name="id-1.17"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
@ -469,7 +459,7 @@ plugin
</div>
<div class="refsection">
<a name="id-1.19"></a><h2>SERVER</h2>
<a name="id-1.18"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -507,7 +497,7 @@ server
</div>
<div class="refsection">
<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -518,9 +508,19 @@ statistics-channels
</p></div>
</div>
<div class="refsection">
<a name="id-1.20"></a><h2>TRUST-ANCHORS</h2>
<div class="literallayout"><p><br>
trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds )<br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@ -600,10 +600,6 @@ view
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
@ -794,6 +790,10 @@ view
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
@ -1012,7 +1012,7 @@ zone
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>


@ -516,7 +516,7 @@ timer\&.
\fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
\fBdnssec\-keys\fR
\fBtrust\-anchors\fR
statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp


@ -654,7 +654,7 @@
<dd>
<p>
Dump the security roots (i.e., trust anchors
configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
configured via <span class="command"><strong>trust-anchors</strong></span> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all


@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -1042,7 +1042,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
using a <span class="command"><strong>trust-anchors</strong></span> statement (or the
<span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
statements, both deprecated).
</p>
@ -1057,7 +1057,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<p>
The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
The keys specified in <span class="command"><strong>trust-anchors</strong></span>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <span class="command"><strong>static-key</strong></span> or
@ -1071,7 +1071,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<p>
<span class="command"><strong>dnssec-keys</strong></span> is described in more detail
<span class="command"><strong>trust-anchors</strong></span> is described in more detail
later in this document.
</p>
@ -1094,7 +1094,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<pre class="programlisting">
dnssec-keys {
trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
@ -1586,10 +1586,10 @@ options {
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>dnssec-keys</strong></span> statement and the
<span class="command"><strong>trust-anchors</strong></span> statement and the
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
keyword. Information about this can be found in
<a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
<a class="xref" href="Bv9ARM.ch05.html#trust-anchors" title="trust-anchors Statement Definition and Usage">the section called &#8220;<span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage&#8221;</a>.</p>
</div>
<div class="section">
@ -2915,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -67,8 +67,8 @@
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust_anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
@ -899,7 +899,7 @@
</tr>
<tr>
<td>
<p><span class="command"><strong>dnssec-keys</strong></span></p>
<p><span class="command"><strong>trust-anchors</strong></span></p>
</td>
<td>
<p>
@ -920,9 +920,9 @@
</td>
<td>
<p>
is identical to <span class="command"><strong>dnssec-keys</strong></span>;
is identical to <span class="command"><strong>trust-anchors</strong></span>;
this option is deprecated in favor
of <span class="command"><strong>dnssec-keys</strong></span> with
of <span class="command"><strong>trust-anchors</strong></span> with
the <span class="command"><strong>initial-key</strong></span> keyword,
and may be removed in a future release.
</p>
@ -936,7 +936,7 @@
<p>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
of <span class="command"><strong>dnssec-keys</strong></span> with
of <span class="command"><strong>trust-anchors</strong></span> with
the <span class="command"><strong>static-key</strong></span> keyword,
and may be removed in a future release.
</p>
@ -2950,9 +2950,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The number of seconds to wait between attempts to
reopen a closed output stream. The minimum is 1 second,
the maximum is 600 seconds (10 minutes), and the default
is 5 seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
is 5 seconds. For convenience, TTL-style time unit
suffixes may be used to specify the value. It also
accepts ISO 8601 duration formats.
</li>
</ul></div>
@ -3087,7 +3087,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
track managed DNSSEC keys (i.e., those configured using
the <span class="command"><strong>initial-key</strong></span> or
<span class="command"><strong>initial-ds</strong></span> keywords in a
<span class="command"><strong>dnssec-keys</strong></span> statement). By default,
<span class="command"><strong>trust-anchors</strong></span> statement). By default,
this is the working directory. The directory
<span class="emphasis"><em>must</em></span> be writable by the effective
user ID of the <span class="command"><strong>named</strong></span> process.
@ -3455,7 +3455,7 @@ options {
as insecure.
</p>
<p>
Configured trust anchors in <span class="command"><strong>dnssec-keys</strong></span>
Configured trust anchors in <span class="command"><strong>trust-anchors</strong></span>
(or <span class="command"><strong>managed-keys</strong></span> or
<span class="command"><strong>trusted-keys</strong></span>, both deprecated)
that match a disabled algorithm will be ignored and treated
@ -3487,7 +3487,7 @@ options {
they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be defined as a
trust anchor, for instance in a <span class="command"><strong>dnssec-keys</strong></span>
trust anchor, for instance in a <span class="command"><strong>trust-anchors</strong></span>
statement, or <span class="command"><strong>dnssec-validation auto</strong></span> must
be active.
</p>
@ -3646,8 +3646,11 @@ options {
<p>
For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes
or hours. <code class="option">nta-lifetime</code> defaults to
one hour. It cannot exceed one week.
or hours. It also accepts ISO 8601 duration formats.
</p>
<p>
<code class="option">nta-lifetime</code> defaults to one hour. It
cannot exceed one week.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>nta-recheck</strong></span></span></dt>
@ -3677,9 +3680,13 @@ options {
<p>
For convenience, TTL-style time unit suffixes can be
used to specify the NTA recheck interval in seconds,
minutes or hours. The default is five minutes. It
cannot be longer than <code class="option">nta-lifetime</code>
(which cannot be longer than a week).
minutes or hours. It also accepts ISO 8601 duration
formats.
</p>
<p>
The default is five minutes. It cannot be longer than
<code class="option">nta-lifetime</code> (which cannot be longer
than a week).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
@ -3687,7 +3694,10 @@ options {
<p>
Specifies a maximum permissible TTL value in seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the maximum value.
used to specify the maximum value. It also
accepts ISO 8601 duration formats.
</p>
<p>
When loading a zone file using a
<code class="option">masterfile-format</code> of
<code class="constant">text</code> or <code class="constant">raw</code>,
@ -4500,7 +4510,7 @@ options {
Causes <span class="command"><strong>named</strong></span> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via, e.g.,
<span class="command"><strong>dnssec-keys</strong></span> or
<span class="command"><strong>trust-anchors</strong></span> or
<span class="command"><strong>dnssec-validation auto</strong></span>.
</p>
<p>
@ -4691,7 +4701,7 @@ options {
<p>
If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or
using a <span class="command"><strong>trust-anchors</strong></span> statement (or
the <span class="command"><strong>managed-keys</strong></span> or the
<span class="command"><strong>trusted-keys</strong></span> statements, both deprecated).
If there is no configured trust anchor, validation will
@ -6515,7 +6525,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<span class="command"><strong>listen-on</strong></span> configuration), and
will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601
duration formats.
</p>
</dd>
</dl></div>
@ -6795,9 +6806,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
stores negative answers. <span class="command"><strong>min-ncache-ttl</strong></span> is
used to set a minimum retention time for these answers in the
server in seconds. For convenience, TTL-style time unit
suffixes may be used to specify the value. The default
<span class="command"><strong>min-ncache-ttl</strong></span> is <code class="literal">0</code>
seconds. <span class="command"><strong>min-ncache-ttl</strong></span> cannot exceed 90
suffixes may be used to specify the value. It also
accepts ISO 8601 duration formats.
</p>
<p>
The default <span class="command"><strong>min-ncache-ttl</strong></span> is
<code class="literal">0</code> seconds.
<span class="command"><strong>min-ncache-ttl</strong></span> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
</p>
@ -6806,10 +6821,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<dd>
<p>
Sets the minimum time for which the server will cache ordinary
(positive) answers in seconds. For convenience, TTL-style time
unit suffixes may be used to specify the value. The default
<span class="command"><strong>min-cache-ttl</strong></span> is <code class="literal">0</code>
seconds. <span class="command"><strong>min-cache-ttl</strong></span> cannot exceed 90
(positive) answers in seconds. For convenience, TTL-style
time unit suffixes may be used to specify the value. It also
accepts ISO 8601 duration formats.
</p>
<p>
The default <span class="command"><strong>min-cache-ttl</strong></span> is
<code class="literal">0</code> seconds.
<span class="command"><strong>min-cache-ttl</strong></span> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
</p>
@ -6818,15 +6837,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<dd>
<p>
To reduce network traffic and increase performance,
the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is
the server stores negative answers.
<span class="command"><strong>max-ncache-ttl</strong></span> is
used to set a maximum retention time for these answers in
the server in seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value. The default
<span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed
7 days and will
be silently truncated to 7 days if set to a greater value.
the server in seconds. For convenience, TTL-style time unit
suffixes may be used to specify the value. It also accepts
ISO 8601 duration formats.
</p>
<p>
The default <span class="command"><strong>max-ncache-ttl</strong></span> is
<code class="literal">10800</code> seconds (3 hours).
<span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed 7 days and
will be silently truncated to 7 days if set to a greater
value.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt>
@ -6835,7 +6858,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Sets the maximum time for which the server will
cache ordinary (positive) answers in seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601
duration formats.
</p>
<p>
The default is 604800 (one week).
A value of zero may cause all queries to return
SERVFAIL, because of lost caches of intermediate
@ -8043,7 +8069,9 @@ deny-answer-aliases { "example.net"; };
The <span class="command"><strong>max-policy-ttl</strong></span> clause changes the
maximum seconds from its default of 5.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601 duration
formats.
</p>
<p>
@ -8139,7 +8167,8 @@ example.com CNAME rpz-tcp-only.
recent update, then the changes will not be carried out until this
interval has elapsed. The default is <code class="literal">60</code> seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601 duration
formats.
</p>
</div>
@ -8849,9 +8878,9 @@ example.com CNAME rpz-tcp-only.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</h3></div></div></div>
<a name="trust_anchors"></a><span class="command"><strong>trust-anchors</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>dnssec-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
<span class="command"><strong>trust-anchors</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
<span class="command"><strong>initial-key</strong></span> | static-ds | initial-ds )
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };
@ -8859,11 +8888,11 @@ example.com CNAME rpz-tcp-only.
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec-keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
<a name="trust-anchors"></a><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-keys</strong></span> statement defines DNSSEC
The <span class="command"><strong>trust-anchors</strong></span> statement defines DNSSEC
trust anchors. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>.
</p>
<p>
@ -8882,21 +8911,21 @@ example.com CNAME rpz-tcp-only.
the <span class="command"><strong>validate-except</strong></span> option).
</p>
<p>
All keys listed in <span class="command"><strong>dnssec-keys</strong></span>, and
All keys listed in <span class="command"><strong>trust-anchors</strong></span>, and
their corresponding zones, are deemed to exist regardless
of what parent zones say. Only keys configured as trust anchors
are used to validate the DNSKEY RRset for the corresponding
name. The parent's DS RRset will not be used.
</p>
<p>
<span class="command"><strong>dnssec-keys</strong></span> may be set at the top level
<span class="command"><strong>trust-anchors</strong></span> may be set at the top level
of <code class="filename">named.conf</code> or within a view. If it is
set in both places, the configurations are additive: keys
defined at the top level are inherited by all views, but keys
defined in a view are only used within that view.
</p>
<p>
The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
The <span class="command"><strong>trust-anchors</strong></span> statement can contain
multiple trust anchor entries, each consisting of a
domain name, followed by an "anchor type" keyword indicating
the trust anchor's format, followed by the key or digest data.
@ -8936,7 +8965,7 @@ example.com CNAME rpz-tcp-only.
<span class="command"><strong>static-ds</strong></span> would be unable to validate
this zone any longer; it would reply with a SERVFAIL response
code. This would continue until the resolver operator had
updated the <span class="command"><strong>dnssec-keys</strong></span> statement with
updated the <span class="command"><strong>trust-anchors</strong></span> statement with
the new key.
</p>
<p>
@ -8972,7 +9001,7 @@ example.com CNAME rpz-tcp-only.
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
configured in <code class="filename">named.conf</code>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
using the trust anchor specified in <span class="command"><strong>dnssec-keys</strong></span>.
using the trust anchor specified in <span class="command"><strong>trust-anchors</strong></span>.
If the DNSKEY RRset is validly signed by a key matching
the trust anchor, then it is used as the basis for a new
managed keys database.
@ -8981,10 +9010,10 @@ example.com CNAME rpz-tcp-only.
From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
sees the <span class="command"><strong>initial-key</strong></span> or
<span class="command"><strong>initial-ds</strong></span> listed in
<span class="command"><strong>dnssec-keys</strong></span>, checks to
<span class="command"><strong>trust-anchors</strong></span>, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
key specified in the <span class="command"><strong>dnssec-keys</strong></span>
key specified in the <span class="command"><strong>trust-anchors</strong></span>
statement is not used to validate answers; it is
superseded by the key or keys stored in the managed keys
database.
@ -8993,7 +9022,7 @@ example.com CNAME rpz-tcp-only.
The next time <span class="command"><strong>named</strong></span> runs after an
<span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>initial-ds</strong></span>
trust anchor has been <span class="emphasis"><em>removed</em></span> from the
<span class="command"><strong>dnssec-keys</strong></span> statement (or changed to
<span class="command"><strong>trust-anchors</strong></span> statement (or changed to
a <span class="command"><strong>static-key</strong></span> or <span class="command"><strong>static-ds</strong></span>),
the corresponding keys will be removed from the managed keys
database, and RFC 5011 key maintenance will no longer be used
@ -9045,8 +9074,8 @@ example.com CNAME rpz-tcp-only.
<a name="dnssec_policy_grammar"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em> {
<span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory <em class="replaceable"><code>duration</code></em> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
<span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
<span class="command"><strong>parent-ds-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
<span class="command"><strong>parent-registration-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
@ -9136,8 +9165,8 @@ example.com CNAME rpz-tcp-only.
<p>
A margin that is added to the publish interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <code class="constant">PT5M</code>
(5 minutes).
unforeseen events. Default is <code class="constant">PT1H</code>
(1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>retire-safety</strong></span></span></dt>
@ -9145,8 +9174,8 @@ example.com CNAME rpz-tcp-only.
<p>
A margin that is added to the retire interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <code class="constant">PT5M</code>
(5 minutes).
unforeseen events. Default is <code class="constant">PT1H</code>
(1 hour).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>signatures-refresh</strong></span></span></dt>
@ -9220,7 +9249,7 @@ example.com CNAME rpz-tcp-only.
<dd>
<p>
The TTL of the DS RRset that the parent uses. Default is
<code class="constant">PT1H</code> (1 hour).
<code class="constant">P1D</code> (1 day).
</p>
</dd>
<dt><span class="term"><span class="command"><strong>parent-propagation-delay</strong></span></span></dt>
@ -9261,7 +9290,7 @@ example.com CNAME rpz-tcp-only.
<p>
The <span class="command"><strong>managed-keys</strong></span> statement has been
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar&#8221;</a>
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#trust_anchors" title="trust-anchors Statement Grammar">the section called &#8220;<span class="command"><strong>trust-anchors</strong></span> Statement Grammar&#8221;</a>
with the <span class="command"><strong>initial-key</strong></span> keyword.
</p>
</div>
@ -9282,7 +9311,7 @@ example.com CNAME rpz-tcp-only.
<p>
The <span class="command"><strong>trusted-keys</strong></span> statement has been
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar&#8221;</a>
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#trust_anchors" title="trust-anchors Statement Grammar">the section called &#8220;<span class="command"><strong>trust-anchors</strong></span> Statement Grammar&#8221;</a>
with the <span class="command"><strong>static-key</strong></span> keyword.
</p>
</div>
@ -9919,7 +9948,7 @@ view "external" {
(KSK) for the zone must be configured as a trust
anchor in <code class="filename">named.conf</code>: that
is, a key for the zone must be specified in
<span class="command"><strong>dnssec-keys</strong></span>. In the case
<span class="command"><strong>trust-anchors</strong></span>. In the case
of the root zone, you may also rely on the
built-in root trust anchor, which is enabled
when <a class="xref" href="Bv9ARM.ch05.html#dnssec_validation"><span class="command"><strong>dnssec-validation</strong></span></a> is set to the
@ -10338,9 +10367,13 @@ view "external" {
<dt><span class="term"><span class="command"><strong>dnssec-policy</strong></span></span></dt>
<dd>
<p>
The key and signing policy for this zone. Set to
<strong class="userinput"><code>"default"</code></strong> if you want to make use
of the default policy.
The key and signing policy for this zone. This is a string
referring to a <span class="command"><strong>dnssec-policy</strong></span> statement.
There are two built-in policies:
<strong class="userinput"><code>"default"</code></strong> allows you to use the
default policy, and <strong class="userinput"><code>"none"</code></strong> means
not to use any DNSSEC policy, keeping the zone unsigned.
The default is <strong class="userinput"><code>"none"</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
@ -15188,6 +15221,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -36,12 +36,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
@ -57,7 +58,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.7</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -101,11 +102,12 @@
C compiler.
</p>
<p>
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
The <code class="filename">libuv</code> asynchronous I/O library and the
OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead of OpenSSL for
Public Key cryptography (i.e., DNSSEC signing and validation),
but OpenSSL is still required for general cryptography operations
such as hashing and random number generation.
</p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
@ -130,10 +132,73 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
which was introduced in 9.15.1 and revised in 9.15.6, has now
been renamed to the more descriptive
<span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
</p>
<p>
(See release notes for
<a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
and
<a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
for prior discussion of this feature.)
</p>
</li>
<li class="listitem">
<p>
Added support for multithreaded listening for TCP connections
in the network manager [GL !2659]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
on reconfiguration when any GeoIP2 database was in use. [GL #1445]
</p>
</li>
<li class="listitem">
<p>
Fixed several possible race conditions discovered by Thread
Sanitizer.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
@ -157,25 +222,32 @@
</p>
</li>
<li class="listitem">
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
</li>
<li class="listitem">
<p>
Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
</p>
</li>
</ul></div>
</div>
@ -193,27 +265,14 @@
</p>
</li>
<li class="listitem">
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Too many simultaneous pipelined TCP queries could cause
resource overuse. We now prevent this by enforcing a limit
on the number of simultaneous requests per active connection.
This flaw`is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -719,9 +778,6 @@
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>
@ -744,6 +800,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -538,6 +538,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.15.6</p></div>
<div><p class="releaseinfo">BIND Version 9.15.7</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
@ -192,8 +192,8 @@
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust_anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
@ -248,12 +248,13 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
@ -448,6 +449,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>

Binary file not shown.


@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -215,7 +215,7 @@
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
<span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
@ -621,6 +621,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -376,6 +376,6 @@ nsupdate -l
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -156,6 +156,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -270,6 +270,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -341,6 +341,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -250,6 +250,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -498,6 +498,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -589,6 +589,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -405,6 +405,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -171,6 +171,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -424,6 +424,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -707,6 +707,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -214,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -143,6 +143,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -366,6 +366,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -610,6 +610,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -214,6 +214,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -463,6 +463,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -117,6 +117,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -119,6 +119,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -121,6 +121,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -110,17 +110,7 @@ dlz
</div>
<div class="refsection">
<a name="id-1.13.27.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds )<br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.12"></a><h2>DYNDB</h2>
<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
@ -128,7 +118,7 @@ dyndb
</div>
<div class="refsection">
<a name="id-1.13.27.13"></a><h2>KEY</h2>
<a name="id-1.13.27.12"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -138,7 +128,7 @@ key
</div>
<div class="refsection">
<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@ -159,8 +149,8 @@ logging
</div>
<div class="refsection">
<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
<p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
    | initial-key | static-ds |<br>
@ -170,7 +160,7 @@ managed-keys
</div>
<div class="refsection">
<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@ -180,7 +170,7 @@ masters
</div>
<div class="refsection">
<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@ -479,7 +469,7 @@ options
</div>
<div class="refsection">
<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
@ -487,7 +477,7 @@ plugin
</div>
<div class="refsection">
<a name="id-1.13.27.19"></a><h2>SERVER</h2>
<a name="id-1.13.27.18"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -525,7 +515,7 @@ server
</div>
<div class="refsection">
<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@ -536,9 +526,19 @@ statistics-channels
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.20"></a><h2>TRUST-ANCHORS</h2>
<div class="literallayout"><p><br>
trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds )<br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
<p>Deprecated - see DNSSEC-KEYS.</p>
<p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@ -618,10 +618,6 @@ view
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
@ -812,6 +808,10 @@ view
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
    initial-key | static-ds | initial-ds<br>
    ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
trusted-keys { <em class="replaceable"><code>string</code></em><br>
    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
    <em class="replaceable"><code>integer</code></em><br>
@ -1030,7 +1030,7 @@ zone
<div class="literallayout"><p><br>
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
dnskey-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
@ -1095,6 +1095,6 @@ dnssec-policy
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -492,6 +492,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -155,6 +155,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -818,6 +818,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -162,6 +162,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -200,6 +200,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -158,6 +158,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -123,6 +123,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -260,6 +260,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -268,6 +268,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -670,7 +670,7 @@
<dd>
<p>
Dump the security roots (i.e., trust anchors
configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
configured via <span class="command"><strong>trust-anchors</strong></span> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
@ -1021,6 +1021,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.6 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.7 (Development Release)</p>
</body>
</html>


@ -28,6 +28,29 @@
for prior discussion of this feature.)
</para>
</listitem>
<listitem>
<para>
Added support for multithreaded listening for TCP connections
in the network manager [GL !2659]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.15.7-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
Fixed a bug that caused <command>named</command> to leak memory
on reconfiguration when any GeoIP2 database was in use. [GL #1445]
</para>
</listitem>
<listitem>
<para>
Fixed several possible race conditions discovered by Thread
Sanitizer.
</para>
</listitem>
</itemizedlist>
</section>


@ -15,7 +15,7 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.6</h2></div></div></div>
<a name="id-1.2"></a>Release Notes for BIND Version 9.15.7</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -59,11 +59,12 @@
C compiler.
</p>
<p>
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
The <code class="filename">libuv</code> asynchronous I/O library and the
OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead of OpenSSL for
Public Key cryptography (i.e., DNSSEC signing and validation),
but OpenSSL is still required for general cryptography operations
such as hashing and random number generation.
</p>
<p>
More information can be found in the <code class="filename">PLATFORMS.md</code>
@ -88,10 +89,73 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
which was introduced in 9.15.1 and revised in 9.15.6, has now
been renamed to the more descriptive
<span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
</p>
<p>
(See release notes for
<a class="xref" href="#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
and
<a class="xref" href="#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
for prior discussion of this feature.)
</p>
</li>
<li class="listitem">
<p>
Added support for multithreaded listening for TCP connections
in the network manager [GL !2659]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
on reconfiguration when any GeoIP2 database was in use. [GL #1445]
</p>
</li>
<li class="listitem">
<p>
Fixed several possible race conditions discovered by Thread
Sanitizer.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
@ -115,25 +179,32 @@
</p>
</li>
<li class="listitem">
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
<p>
Two new keywords have been added to the
<span class="command"><strong>dnssec-keys</strong></span> statement:
<span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
These allow the use of trust anchors in DS format instead of
DNSKEY format. DS format allows trust anchors to be configured
for keys that have not yet been published; this is the format
used by IANA when announcing future root keys.
</p>
<p>
As with the <span class="command"><strong>initial-key</strong></span> and
<span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
configures a dynamic trust anchor to be maintained via RFC 5011, and
<span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
</p>
<p>
(Note: Currently, DNSKEY-format and DS-format trust anchors
cannot both be used for the same domain name.) [GL #6] [GL #622]
</p>
</li>
<li class="listitem">
<p>
Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
</p>
</li>
</ul></div>
</div>
@ -151,27 +222,14 @@
</p>
</li>
<li class="listitem">
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
<p>
The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Too many simultaneous pipelined TCP queries could cause
resource overuse. We now prevent this by enforcing a limit
on the number of simultaneous requests per active connection.
This flaw`is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -677,9 +735,6 @@
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>

Binary file not shown.


@ -1,4 +1,4 @@
Release Notes for BIND Version 9.15.6
Release Notes for BIND Version 9.15.7
Introduction
@ -29,11 +29,11 @@ To build on UNIX-like systems, BIND requires support for POSIX.1c threads
(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and
standard atomic operations provided by the C compiler.
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still
required for general cryptography operations such as hashing and random
number generation.
The libuv asynchronous I/O library and the OpenSSL cryptography library
must be available for the target platform. A PKCS#11 provider can be used
instead of OpenSSL for Public Key cryptography (i.e., DNSSEC signing and
validation), but OpenSSL is still required for general cryptography
operations such as hashing and random number generation.
More information can be found in the PLATFORMS.md file that is included in
the source distribution of BIND 9. If your compiler and system libraries
@ -48,8 +48,34 @@ www.isc.org/download/. There you will find additional information about
each release, source code, and pre-compiled versions for Microsoft Windows
operating systems.
Notes for BIND 9.15.7
Feature Changes
* The dnssec-keys configuration statement, which was introduced in
9.15.1 and revised in 9.15.6, has now been renamed to the more
descriptive trust-anchors. [GL !2702]
(See release notes for BIND 9.15.1 and BIND 9.15.6 for prior
discussion of this feature.)
* Added support for multithreaded listening for TCP connections in the
network manager [GL !2659]
Bug Fixes
* Fixed a bug that caused named to leak memory on reconfiguration when
any GeoIP2 database was in use. [GL #1445]
* Fixed several possible race conditions discovered by Thread Sanitizer.
Notes for BIND 9.15.6
Security Fixes
* Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
New Features
* A new asynchronous network communications system based on libuv is now
@ -77,6 +103,10 @@ New Features
(Note: Currently, DNSKEY-format and DS-format trust anchors cannot
both be used for the same domain name.) [GL #6] [GL #622]
* Added a new statistics variable tcp-highwater that reports the maximum
number of simultaneous TCP clients BIND has handled while running. [GL
#1206]
Feature Changes
* NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
@ -87,13 +117,6 @@ Feature Changes
* The DNSSEC validation code has been refactored for clarity and to
reduce code duplication. [GL #622]
Security Fixes
* Too many simultaneous pipelined TCP queries could cause resource
overuse. We now prevent this by enforcing a limit on the number of
simultaneous requests per active connection. This flaw`is disclosed in
CVE-2019-6477. [GL #1264]
Notes for BIND 9.15.5
Security Fixes
@ -347,7 +370,4 @@ policy.
Thank You
Thank you to everyone who assisted us in making this release possible. If
you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at https://
www.isc.org/donate/.
Thank you to everyone who assisted us in making this release possible.


@ -21,11 +21,6 @@ dlz <string> {
search <boolean>;
}; // may occur multiple times
dnssec-keys { <string> ( static-key |
initial-key | static-ds | initial-ds )
<integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
@ -459,6 +454,11 @@ statistics-channels {
} ]; // may occur multiple times
}; // may occur multiple times
trust-anchors { <string> ( static-key |
initial-key | static-ds | initial-ds )
<integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
trusted-keys { <string> <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
@ -539,10 +539,6 @@ view <string> [ <class> ] {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>; // obsolete
dnssec-keys { <string> ( static-key |
initial-key | static-ds | initial-ds
) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string>
trust-anchor <string> |
@ -755,6 +751,10 @@ view <string> [ <class> ] {
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
trust-anchor-telemetry <boolean>; // experimental
trust-anchors { <string> ( static-key |
initial-key | static-ds | initial-ds
) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
trusted-keys { <string>
<integer> <integer>
<integer>


@ -21,11 +21,6 @@ dlz <string> {
search <boolean>;
}; // may occur multiple times
dnssec-keys { <string> ( static-key |
initial-key | static-ds | initial-ds )
<integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
@ -414,6 +409,11 @@ statistics-channels {
} ]; // may occur multiple times
}; // may occur multiple times
trust-anchors { <string> ( static-key |
initial-key | static-ds | initial-ds )
<integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
trusted-keys { <string> <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
@ -487,10 +487,6 @@ view <string> [ <class> ] {
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-keys { <string> ( static-key |
initial-key | static-ds | initial-ds
) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
@ -682,6 +678,10 @@ view <string> [ <class> ] {
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
trust-anchor-telemetry <boolean>; // experimental
trust-anchors { <string> ( static-key |
initial-key | static-ds | initial-ds
) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
trusted-keys { <string>
<integer> <integer>
<integer>


@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1501
LIBREVISION = 1
LIBINTERFACE = 1502
LIBREVISION = 0
LIBAGE = 0


@ -11,5 +11,5 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1501
LIBREVISION = 1
LIBREVISION = 2
LIBAGE = 0


@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1504
LIBINTERFACE = 1505
LIBREVISION = 0
LIBAGE = 0


@ -11,5 +11,5 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1502
LIBREVISION = 0
LIBREVISION = 1
LIBAGE = 0


@ -10,6 +10,6 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1502
LIBINTERFACE = 1503
LIBREVISION = 0
LIBAGE = 0


@ -5,7 +5,7 @@ PRODUCT=BIND
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
PATCHVER=6
PATCHVER=7
RELEASETYPE=
RELEASEVER=
EXTENSIONS=