in the "refactor tcpquota and pipeline refs" commit, the counting
of active interfaces was tightened in such a way that named could
fail to listen on an interface if there were more interfaces than
tcp-clients. when checking the quota to start accepting on an
interface, if the number of active clients was above zero, then
it was presumed that some other client was able to handle accepting
new connections. this, however, ignored the fact that the current client
could be included in that count, so if the quota was already exceeded
before all the interfaces were listening, some interfaces would never
listen.
we now check whether the current client has been marked active; if so,
then the number of active clients on the interface must be greater
than 1, not 0.
(cherry picked from commit 02365b87ea0b1ea5ea8b17376f6734c811c95e61)
(cherry picked from commit cae79e1bab)
More specifically: ignore configured trusted and managed keys that
match a disabled algorithm. The behavioral change is that
associated responses no longer SERVFAIL, but return insecure.
removed the SDB databases in contrib/sdb as they hadn't been
maintained in some time, and were no longer able to link to named
without modification. also:
- cleaned up contrib/README, which still referred to contrib
subdirectores that were removed already, and linked to an obsolete URL.
- removed references to sdb in doc/misc/roadmap and doc/misc/sdb.
Add a warning about potential performance implications of configuring a
non-root zone as a mirror zone. Explain in more detail how each mirror
zone version is validated and how validation failures are handled. Move
the paragraphs describing how to set up IANA root zone mirroring higher
up, so that they can be more easily found by the reader. Explicitly
state that the "masters" option needs to be present for any mirror zone
which is not the root zone. Tweak the description of the interaction
between the "dnssec-validation" setting and root zone mirroring to make
it less ambiguous. Specify what the default "notify" setting is for
mirror zones.
- options that were flagged as obsolete or not implemented in 9.0.0
are now flagged as "ancient", and are a fatal error
- the ARM has been updated to remove these, along with other
obsolete descriptions of BIND 8 behavior
- the log message for obsolete options explicitly recommends removal
- "hook" is now used only for hook points and hook actions
- the "hook" statement in named.conf is now "plugin"
- ns_module and ns_modlist are now ns_plugin and ns_plugins
- ns_module_load is renamed ns_plugin_register
- the mandatory functions in plugin modules (hook_register,
hook_check, hook_version, hook_destroy) have been renamed
- added a 'hookdata' array to qctx to store pointers to up to
16 blobs of data which are allocated by modules as needed.
each module is assigned an ID number as it's loaded, and this
is the index into the hook data array. this is to be used for
holding persistent state between calls to a hook module for a
specific query.
- instead of using qctx->filter_aaaa, we now use qctx->hookdata.
(this was the last piece of filter-aaaa specific code outside the
module.)
- added hook points for qctx initialization and destruction. we get
a filter-aaaa data pointer from the mempool when initializing and
store it in the qctx->hookdata table; return to to the mempool
when destroying the qctx.
- link the view to the qctx so that detaching the client doesn't cause
hooks to fail
- added a qctx_destroy() function which must be called after qctx_init;
this calls the QCTX_DESTROY hook and detaches the view
- general cleanup and comments
Rather than overloading dns_zone_slave and discerning between a slave
zone and a mirror zone using a zone option, define a separate enum
value, dns_zone_mirror, to be used exclusively by mirror zones. Update
code handling slave zones to ensure it also handles mirror zones where
applicable.
Contrary to what the documentation states, the "server-addresses"
static-stub zone option does not accept custom port numbers. Fix the
configuration type used by the "server-addresses" option to ensure
documentation matches source code. Remove a check_zoneconf() test which
is unnecessary with this fix in place.
- if dnssec-enable is no, then dnssec-validation now also defaults to
no. if dnssec-enable is yes, dnssec-validation defaults to auto or yes
depending on --disable-auto-validation.
- correct the doc
For inline-signed zones, the value of "ixfr-from-differences" is
hardcoded to:
- "yes" for the raw version of the zone,
- "no" for the signed version of the zone.
In other words, any user-provided "ixfr-from-differences" setting is
effectively ignored for an inline-signed zone. Ensure the user is aware
of that by adding a note to the ARM and logging a message when an
"ixfr-from-differences" option is found at the zone level.
- added new 'validate-except' option, which configures an NTA with
expiry of 0xffffffff. NTAs with that value in the expiry field do not
expire, are are not written out when saving the NTA table and are not
dumped by rndc secroots
