no-auth and no-auth-recursive which suppress
adding the NS records to the authority section
as well as the associated address records for the
nameservers. [RT #42005]
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
4421. [func] When built with LMDB (Lightning Memory-mapped
Database), named will now use a database to store
the configuration for zones added by "rndc addzone"
instead of using a flat NZF file. This improves
performance of "rndc delzone" and "rndc modzone"
significantly. Existing NZF files will
automatically by converted to NZD databases.
To view the contents of an NZD or to roll back to
NZF format, use "named-nzd2nzf". To disable
this feature, use "configure --without-lmdb".
[RT #39837]
4411. [func] "rndc dnstap -roll" automatically rolls the
dnstap output file; the previous version is
saved with ".0" suffix, and earlier versions
with ".1" and so on. An optional numeric argument
indicates how many prior files to save. [RT #42830]
4380. [experimental] Added a "zone-directory" option to "catalog-zones"
syntax, allowing local masterfiles for slaves
that are provisioned by catalog zones to be stored
in a directory other than the server's working
directory. [RT #42527]
provisioning secondary servers in which a list of
zones to be served is stored in a DNS zone and can
be propagated to slaves via AXFR/IXFR. [RT #41581]
4375. [func] Add support for automatic reallocation of isc_buffer
to isc_buffer_put* functions. [RT #42394]
4371. [func] New "minimal-any" option reduces the size of UDP
responses for qtype ANY by returning a single
arbitrarily selected RRset instead of all RRsets.
Thanks to Tony Finch. [RT #41615]
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
4235. [func] Added support in named for "dnstap", a fast method of
capturing and logging DNS traffic, and a new command
"dnstap-read" to read a dnstap log file. Use
"configure --enable-dnstap" to enable this
feature (note that this requires libprotobuf-c
and libfstrm). See the ARM for configuration details.
Thanks to Robert Edmonds of Farsight Security.
[RT #40211]
4224. [func] Added support for "dyndb", a new interface for loading
zone data from an external database, developed by
Red Hat for the FreeIPA project.
DynDB drivers fully implement the BIND database
API, and are capable of significantly better
performance and functionality than DLZ drivers,
while taking advantage of advanced database
features not available in BIND such as multi-master
replication.
Thanks to Adam Tkac and Petr Spacek of Red Hat.
[RT #35271]
4152. [func] Implement DNS COOKIE option. This replaces the
experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
cookie-secret, cookie-algorithm, nocookie-udp-size
and require-server-cookie. The following dig options
are available: +[no]cookie[=value] and +[no]badcookie.
[RT #39928]
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
See the ARM for details of these options. [RT #37125]
experimental SIT option of BIND 9.10. The following
named.conf directives are avaliable: send-cookie,
cookie-secret, cookie-algorithm and nocookie-udp-size.
The following dig options are available:
+[no]cookie[=value] and +[no]badcookie. [RT #39928]
4121. [bug] When updating a response-policy zone via AXFR,
summary data about other policy zones could fall
out of sync. Ultimately this could trigger an
assertion failure in rpz.c. [RT #39567]
4120. [bug] A bug in RPZ could cause the server to crash if
policy zones were updated while recursion was
pending for RPZ processing of an active query.
[RT #39415]
4063. [bug] Asynchronous zone loads were not handled
correctly when the zone load was already in
progress; this could trigger a crash in zt.c.
[RT #37573]
4056. [bug] Expanded automatic testing of trust anchor
management and fixed several small bugs including
a memory leak and a possible loss of key state
information. [RT #38458]
4055. [func] "rndc managed-keys" can be used to check status
of trust anchors or to force keys to be refreshed,
Also, the managed keys data file has easier-to-read
comments. [RT #38458]
4034. [func] When added, negative trust anchors (NTA) are now
saved to files (viewname.nta), in order to
persist across restarts of the named server.
[RT #37087]
dns_rdata_opt_current, dns_rdata_txt_first,
dns_rdata_txt_next and dns_rdata_txt_current were
documented but not implemented. These have now been
implemented.
dns_rdata_spf_first, dns_rdata_spf_next and
dns_rdata_spf_current were document but not
implemented. The prototypes for these
functions have been removed. [RT #38068]
4023. [bug] win32: socket handling with explict ports and
invoking named with -4 was broken for some
configurations. [RT #38068]
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option. [RT #35780]
4005. [func] The buffer used for returning text from rndc
commands is now dynamically resizable, allowing
arbitrarily large amounts of text to be sent back
to the client. (Prior to this change, it was
possible for the output of "rndc tsig-list" to be
truncated.) [RT #37731]
startup-notify-rate instead of serial-query-rate.
[RT #24454]
3955. [bug] Notify messages due to changes are no longer queued
behind startup notify messages. [RT #24454]
EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
building). Add support for limiting the EDNS version
advertised to servers: server { edns-version 0; };
Log the EDNS version received in the query log.
[RT #35864]
3943. [func] SERVFAIL responses can now be cached for a
limited time (configured by "servfail-ttl",
default 10 seconds, limit 30). This can reduce
the frequency of retries when an authoritative
server is known to be failing, e.g., due to
ongoing DNSSEC validation problems. [RT #21347]
3936. [func] Added authoritative support for the EDNS Client
Subnet (ECS) option.
ACLs can now include "ecs" elements which specify
an address or network prefix; if an ECS option is
included in a DNS query, then the address encoded
in the option will be matched against "ecs" ACL
elements.
Also, if an ECS address is included in a query,
then it will be used instead of the client source
address when matching "geoip" ACL elements. This
behavior can be overridden with "geoip-use-ecs no;".
When "ecs" or "geoip" ACL elements are used to
select a view for a query, the response will include
an ECS option to indicate which client network the
answer is valid for.
(Thanks to Vincent Bernat.) [RT #36781]
3882. [func] By default, negative trust anchors will be tested
periodically to see whether data below them can be
validated, and if so, they will be allowed to
expire early. The "rndc nta -force" option
overrides this behvaior. The default NTA lifetime
and the recheck frequency can be configured by the
"nta-lifetime" and "nta-recheck" options. [RT #36146]
3867. [func] "rndc nta" can now be used to set a temporary
negative trust anchor, which disables DNSSEC
validation below a specified name for a specified
period of time (not exceeding 24 hours). This
can be used when validation for a domain is known
to be failing due to a configuration error on
the part of the domain owner rather than a
spoofing attack. [RT #29358]
No CHANGES entry was added as this commit mainly adds tests related
code.
Squashed commit of the following:
commit d3d44508daa128fb8b60f64b3a8c81f80602273d
Author: Evan Hunt <each@isc.org>
Date: Wed May 7 09:36:41 2014 -0700
[rt35904] remove private non-static names from .def file
commit dbca45661c3939f21c3bb3f405d08cfe1b35d7aa
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed May 7 21:39:32 2014 +0530
Remove test for shortcut findnode()
The implementation was not included in this review branch, but the tests
erroneously made it through.
This functionality will be addressed in a different ticket (RT#35906).
commit 94ff14576ab3407f2612d34727b7eacfefc3668c
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed May 7 21:36:50 2014 +0530
Minor indent fix
commit 50972f17697bb222996e433faa8224843366f9b2
Author: Evan Hunt <each@isc.org>
Date: Tue May 6 20:05:21 2014 -0700
[rt35904] style
commit 5c4d5d41fcc5bfecdeebc008896974385c841b8d
Author: Mukund Sivaraman <muks@isc.org>
Date: Sun May 4 19:19:36 2014 +0530
RBT related updates
* Add various RBT unit tests
* Add some helper methods useful in unit testing RBT code
* General cleanup
a REQUIRE assertion failure when a fetch is actually
initiated. [ RT #35899]
Squashed commit of the following:
commit 7f4e1f3917d743089c42cc52ec2c0eea598d2c00
Author: Mukund Sivaraman <muks@isc.org>
Date: Sun May 4 22:34:34 2014 +0530
Fix a comment
commit 6a35a6a2346013fa8e3798b9b680d8a3031fcb03
Author: Mark Andrews <marka@isc.org>
Date: Sun May 4 23:34:25 2014 +1000
pass the correct name to query_prefetch
