3936. [func] Added authoritative support for the EDNS Client
Subnet (ECS) option.
ACLs can now include "ecs" elements which specify
an address or network prefix; if an ECS option is
included in a DNS query, then the address encoded
in the option will be matched against "ecs" ACL
elements.
Also, if an ECS address is included in a query,
then it will be used instead of the client source
address when matching "geoip" ACL elements. This
behavior can be overridden with "geoip-use-ecs no;".
When "ecs" or "geoip" ACL elements are used to
select a view for a query, the response will include
an ECS option to indicate which client network the
answer is valid for.
(Thanks to Vincent Bernat.) [RT #36781]
3832. [func] "named -L <filename>" causes named to send log
messages to the specified file by default instead
of to the system log. (Thanks to Tony Finch.)
[RT #35845]
3829. [func] "dig +ttlunits" causes dig to print TTL values
with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds. (Thanks
to Tony Finch.) [RT #35823]
3749. [func] "dig +subnet" sends an EDNS client subnet option
containing the specified address/prefix when
querying. (Thanks to Wilmer van der Gaast.)
[RT #35415]
3746. [func] New "max-zone-ttl" option enforces maximum
TTLs for zones. If loading a zone containing a
higher TTL, the load fails. DDNS updates with
higher TTLs are accepted but the TTL is truncated.
(Note: Currently supported for master zones only;
inline-signing slaves will be added.) [RT #38405]
3745. [func] "configure --with-tuning=large" adjusts various
compiled-in constants and default settings to
values suited to large servers with abundant
memory. [RT #29538]
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]
3524. [func] Added an alternate statistics channel in JSON format,
when the server is built with the json-c library:
http://[address]:[port]/json. [RT #32630]
update are now fully supported and no longer require
defines to enable. We now no longer overload the
NSEC3PARAM flag field, nor the NSEC OPT bit at the
apex. Secure to insecure changes are controlled by
by the named.conf option 'secure-to-insecure'.
Warning: If you had previously enabled support by
adding defines at compile time to BIND 9.6 you should
ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7
is not backwards compatible.
dnssec-* tools. Major changes:
- all dnssec-* tools now take a -K option to
specify a directory in which key files will be
stored
- DNSSEC can now store metadata indicating when
they are scheduled to be published, acttivated,
revoked or removed; these values can be set by
dnssec-keygen or overwritten by the new
dnssec-settime command
- dnssec-signzone -S (for "smart") option reads key
metadata and uses it to determine automatically
which keys to publish to the zone, use for
signing, revoke, or remove from the zone
[RT #19816]
dnssec-keygen. Without arguments, it will now
generate a 1024-bit RSASHA1 zone-signing key,
or with the -f KSK option, a 2048-bit RSASHA1
key-signing key. [RT #19300]
2611. [func] Add -l option to dnssec-dsfromkey to generate
DLV records instead of DS records. [RT #19300]
are now /var/run/named/named.pid and
/var/run/lwresd/lwresd.pid respectively.
This allows the owner of the containing directory
to be set, for "named -u" support, and allows there
to be a permanent symbolic link in the path, for
"named -t" support. [RT #18306]
