To prevent spoofed unsigned DNAME responses from being accepted, retry
responses with unsigned DNAMEs over TCP if the response is not TSIG
signed or there isn't a good DNS CLIENT COOKIE.
(cherry picked from commit 2e40705c06)
Sphinx's smartquotes feature was rewriting -- to en-dash, "" to proper
English quotes etc. This was messing up syntax at unpredictable places.
Disable this feature instead of attempting to escape all the places in
the manual.
(cherry picked from commit 66e58d3315)
The new order hopefully reflects likelihood of someone reading from start
to the end:
DNSSEC Guide
Manual Pages
General DNS Reference Information
Release Notes
Changelog
A Brief History of the DNS and BIND
(cherry picked from commit ed0db245be)
Two inconsequential bug fixes are not release note worthy.
Use more user-centric terminology about dnssec-policy manual-mode.
Add links, shorten notes.
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
(cherry picked from commit 369c8dc388)
The "tkey-domain" statement has effectively been a no-op since commit
bd4576b3ce, which removed the only bit of
code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman).
A subsequent cleanup commit, 885c132f4a,
also missed the opportunity to remove the "tkey-domain" statement
altogether.
Mark the "tkey-domain" statement as obsolete and remove all code and
documentation related to it.
(cherry picked from commit 805f1c0f65)
The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).
Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named. Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
(cherry picked from commit 6de435c528)
Clarify that forwarding points to a resolver and stub to auths.
Add cross-links. Rewrite stub zone type description.
(cherry picked from commit e84b98a9fc)
When a DNS Response Policy Service (DNSRPS) interface is used, the
'servfail-until-ready yes' option is ignored, because RPZ zones are
not processed by BIND.
By default, when named is started it may start answering
queries before the response policy zones are completely loaded
and processed. This new feature gives users an option to
tell named that incoming requests should result in a SERVFAIL answer
until all the response policy zones are processed and ready.
(cherry picked from commit 41387b8d30)
Add a new option 'manual-mode' to 'dnssec-policy'. The intended
use is that if it is enabled, it will not automatically move to the
next state transition (RUMOURED, UNRETENTIVE), but only after manual
confirmation. The intended state transition should be logged.
(cherry picked from commit 63c5b453e0)
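As an added illustration (not BIND's code), a small Python model of the manual-mode behaviour described in the commit above: with manual-mode on, transitions into RUMOURED and UNRETENTIVE are logged and held until an operator confirms them, while the remaining transitions still apply. The four-state cycle, the timing simplification (every step is assumed due) and the class names are assumptions of this model.

```python
# Added example (not BIND's code): a model of how a dnssec-policy
# "manual-mode" gate can hold key-state transitions for operator approval.
import logging
from dataclasses import dataclass, field
from typing import List, Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")

# Assumed key-state cycle; timing is ignored (every step is treated as due).
NEXT_STATE = {
    "HIDDEN": "RUMOURED",
    "RUMOURED": "OMNIPRESENT",
    "OMNIPRESENT": "UNRETENTIVE",
    "UNRETENTIVE": "HIDDEN",
}
# Transitions held by manual-mode: the two states the commit message names.
GATED_STATES = {"RUMOURED", "UNRETENTIVE"}


@dataclass
class KeyRecord:
    """One record of a key (e.g. its DS or DNSKEY) with its current state."""
    name: str
    state: str
    pending: Optional[str] = None  # transition waiting for confirmation


@dataclass
class Policy:
    manual_mode: bool
    keys: List[KeyRecord] = field(default_factory=list)

    def step(self) -> List[str]:
        """Advance each record; return the log lines describing what happened."""
        lines = []
        for rec in self.keys:
            target = NEXT_STATE[rec.state]
            if self.manual_mode and target in GATED_STATES:
                rec.pending = target  # log the intended transition, do not apply
                msg = f"{rec.name}: {rec.state} -> {target} held (manual-mode)"
            else:
                rec.state, rec.pending = target, None
                msg = f"{rec.name}: transition to {target} applied"
            logging.info(msg)
            lines.append(msg)
        return lines

    def confirm(self, name: str) -> bool:
        """Operator confirmation: apply the held transition for one record."""
        for rec in self.keys:
            if rec.name == name and rec.pending:
                rec.state, rec.pending = rec.pending, None
                return True
        return False
```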