diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index ad4b34c77d..79c499b7b4 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -19,10 +19,13 @@
Introduction
- This document summarizes changes since the last production
- release on the BIND 9.11 (Extended Support Version) branch.
- Please see the CHANGES file for a further
- list of bug fixes and other changes.
+ BIND 9.11 (Extended Support Version) is a stable branch of BIND.
+ This document summarizes significant changes since the last
+ production release on that branch.
+
+
+ Please see the file CHANGES for a more
+ detailed list of changes and bug fixes.
@@ -66,69 +69,11 @@
- Legacy Windows No Longer Supported
-
- As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
- platforms for BIND; "XP" binaries are no longer available for download
- from ISC.
-
-
-
Security Fixes
- named could crash during recursive processing
- of DNAME records when deny-answer-aliases was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
-
-
-
-
- When recursion is enabled but the allow-recursion
- and allow-query-cache ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default allow-query, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
-
-
-
-
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
-
-
-
-
- named could crash if it managed a DNSSEC
- security root with managed-keys and the
- authoritative zone rolled the key to an algorithm not supported
- by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
-
-
-
-
- named leaked memory when processing a
- request with multiple Key Tag EDNS options present. ISC
- would like to thank Toshifumi Sakaguchi for bringing this
- to our attention. This flaw is disclosed in CVE-2018-5744.
- [GL #772]
-
-
-
-
- Zone transfer controls for writable DLZ zones were not
- effective as the allowzonexfr method was
- not being called for such zones. This flaw is disclosed in
- CVE-2019-6465. [GL #790]
+ None.
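Review bot: The "Legacy Windows No Longer Supported" block is deleted outright while the Security Fixes section gets a "None." placeholder; if the Windows section element is being removed rather than emptied, say so in the commit message, and if it is only being emptied it should get the same "None." treatment for consistency. The statement that Windows XP and Windows 2003 are no longer supported platforms as of 9.11.2 is a standing support fact rather than a per-release change, so it belongs in the platform-support part of the ARM before it disappears from the notes. Also, because this hunk drops the entries for CVE-2018-5740, CVE-2018-5738, CVE-2018-5745, CVE-2018-5744 and CVE-2019-6465, confirm the previous release's notes are already tagged/published so those fixes stay discoverable and are still listed in CHANGES, which the Introduction now points readers to.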
@@ -138,55 +83,7 @@
- named now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- root-key-sentinel no; to
- named.conf.
-
-
-
-
- Added the ability not to return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned,
- add answer-cookie no; to
- named.conf. [GL #173]
-
-
- answer-cookie no is only intended as a
- temporary measure, for use when named
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the
- same address is not expected to cause operational problems,
- but the option to disable COOKIE responses so that all
- servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security
- mechanism, and should not be disabled unless absolutely
- necessary.
-
-
-
-
- Two new update policy rule types have been added
- krb5-selfsub and ms-selfsub
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
-
-
-
-
-
- Removed Features
-
-
-
- named will now log a warning if the old
- BIND now can be compiled against libidn2 library to add
- IDNA2008 support. Previously BIND only supported IDNA2003
- using (now obsolete) idnkit-1 library.
+ None.
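Review bot: This hunk removes the "Removed Features" heading together with the feature entries, so it is not clear whether the trailing "None." belongs to the preceding (new features) section or to the Removed Features one; please check that the section elements stay balanced and that each surviving section gets its own placeholder. The removed lines "named will now log a warning if the old" followed directly by "BIND now can be compiled against libidn2 library" were a truncated sentence fused with an unrelated paragraph, so deleting them fixes that garble, but verify the lost warning note was not meant to describe a still-current deprecation. The answer-cookie caveat being dropped here (DNS COOKIE is an important security mechanism and should only be disabled temporarily when sharing an address with servers that lack COOKIE support) is operator guidance, not release news; it should live with the answer-cookie option description in the ARM reference rather than only in these notes.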
@@ -196,37 +93,7 @@
- dig +noidnin can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
-
-
-
-
- Multiple cookie-secret clause are now
- supported. The first cookie-secret in
- named.conf is used to generate new
- server cookies. Any others are used to accept old server
- cookies or those generated by other servers using the
- matching cookie-secret.
-
-
-
-
- The rndc nta command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a -class
- option. [GL #105]
-
-
-
-
- When compiled with IDN support, the dig and the
- nslookup commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when dig or nslookup
- is used from the shell scripts.
+ None.
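Review bot: The removed entries here describe default-behaviour changes that scripts may depend on, in particular dig and nslookup now disabling IDN processing when standard output is not a tty (with +idnin/+idnout to re-enable it) and the multiple cookie-secret semantics (first clause generates, later clauses only accept). Before resetting this section to "None.", confirm both are documented in the relevant ARM/man-page sections and in CHANGES so the behaviour is not only described in a superseded release note.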
@@ -236,27 +103,7 @@
- When a negative trust anchor was added to multiple views
- using rndc nta, the text returned via
- rndc was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
-
-
-
-
- named now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- named to abort when loading zones. [GL #339]
-
-
-
-
- rndc reload could cause named
- to leak memory if it was invoked before the zone loading actions
- from a previous rndc reload command were
- completed. [RT #47076]
+ None.
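Review bot: The bug-fix entries dropped here include two operationally visible changes, the rejection of excessively large IXFR transfers to avoid journal corruption [GL #339] and the rndc reload memory leak fix [RT #47076]; the first in particular changes what named accepts from a primary, so make sure the limit and its rationale are described in the ARM and not only in the notes being cleared. Otherwise the "None." placeholder matches the other sections.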