upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-27 17:17:22 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/notes/notes-current.rst
Ondřej Surý dff5888d9b Add CHANGES and release not for [GL #3051]
2021-12-08 17:58:53 +01:00

84 lines
3.1 KiB
ReStructuredText
Raw Blame History

..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.21
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- Set Extended DNS Error Code 18 - Prohibited if query access is denied to the
specific client. :gl:`#1836`
Removed Features
~~~~~~~~~~~~~~~~
- None.
Feature Changes
~~~~~~~~~~~~~~~
- The ``allow-transfers`` option was extended to accept additional
``port`` and ``transport`` parameters, to further restrict zone
transfers to a particular port and DNS transport protocol. Either of
these options can be specified.
For example: ``allow-transfer port 853 transport tls { any; };``
:gl:`#2776`
- `UseSTD3ASCIIRules`_ is now disabled for IDN support. This disables additional
validation rules for domain names in dig because applying the rules would
silently strip characters not-allowed in hostnames such as underscore (``_``)
or wildcard (``*``) characters. This reverts change :gl:`!5738` from the
previous release. :gl:`#1610`
- Previously, when an incoming TCP connection could not be accepted because the client
closed the connection early, an error message of ``TCP connection
failed: socket is not connected`` was logged. This message has been changed
to ``Accepting TCP connection failed: socket is not connected``. The
severity level at which this type of message is logged has also
been changed from ``error`` to ``info`` for the following triggering
events: ``socket is not connected``, ``quota reached``, and ``soft
quota reached``. :gl:`#2700`
- Restore NSEC Aggressive Cache (``synth-from-dnssec``) as active by default
following reworking of the code to find the potentially covering NSEC record.
The implementation was optimized for better efficiency, and also tuned
to ignore certain types of broken NSEC records. This feature currently
supports answer synthtesis only for zones using NSEC. :gl:`#1265`
The new server clause ``broken-nsec`` was added to identify servers
that emit bad NSEC records in negative responses so they will not be
cached. This can be used to work around cases where
``synth-from-dnssec`` hides data that exists. :gl:`#1265`
Bug Fixes
~~~~~~~~~
- Removing a configured ``catalog-zone`` clause from the configuration, running
``rndc reconfig``, then bringing back the removed ``catalog-zone`` clause and
running ``rndc reconfig`` again caused ``named`` to crash. This has been fixed.
:gl:`#1608`
- The resolver could hang on shutdown due to dispatch resources not being
cleaned up when a TCP connection was reset. This has been fixed. :gl:`#3026`
- On FreeBSD, a TCP connection would leak a small amount of heap memory leading
to out-of-memory problem in a long run. This has been fixed. :gl:`#3051`
Reference in a new issue View git blame Copy permalink