bind9/doc/notes/notes-9.17.1.rst
Ondřej Surý 58bd26b6cf Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licenses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license placed
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.
2022-01-11 09:05:02 +01:00


.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.17.1
---------------------

Security Fixes
~~~~~~~~~~~~~~

- DNS rebinding protection was ineffective when BIND 9 is configured as
  a forwarding DNS server. Found and responsibly reported by Tobias
  Klein. :gl:`#1574`

Known Issues
~~~~~~~~~~~~

- We have received reports that in some circumstances, receipt of an
  IXFR can cause the processing of queries to slow significantly. Some
  of these were related to RPZ processing, which has been fixed in this
  release (see below). Others appear to occur where there are
  NSEC3-related changes (such as an operator changing the NSEC3 salt
  used in the hash calculation). These are being investigated.
  :gl:`#1685`

New Features
~~~~~~~~~~~~

- A new option, ``nsdname-wait-recurse``, has been added to the
  ``response-policy`` clause in the configuration file. When set to
  ``no``, RPZ NSDNAME rules are only applied if the authoritative
  nameservers for the query name have been looked up and are present in
  the cache. If this information is not present, the RPZ NSDNAME rules
  are ignored, but the information is looked up in the background and
  applied to subsequent queries. The default is ``yes``, meaning that
  RPZ NSDNAME rules should always be applied, even if the information
  needs to be looked up first. :gl:`#1138`
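
With ``nsdname-wait-recurse no``, the first query for a name whose nameservers are not yet cached is answered without NSDNAME policy, and only later queries are filtered. The following is an added example (a simplified Python model, not BIND code and not part of the original notes); the ``Resolver`` class, the zone and nameserver names and the NXDOMAIN action are all constructed for illustration.

```python
# Simplified model of RPZ NSDNAME handling (added example, not BIND code).
# All query names, NS names and the policy action are constructed sample data.

AUTHORITATIVE_NS = {            # what a full recursive lookup would return
    "shop.example.": {"ns1.bad-hoster.example."},
    "www.example.org.": {"ns.example.org."},
}
RPZ_NSDNAME_RULES = {"ns1.bad-hoster.example.": "NXDOMAIN"}  # trigger -> action


class Resolver:
    def __init__(self, nsdname_wait_recurse=True):
        self.nsdname_wait_recurse = nsdname_wait_recurse
        self.ns_cache = {}        # qname -> set of NS names already learned
        self.pending = []         # NS lookups deferred to the "background"

    def _lookup_ns(self, qname):
        self.ns_cache[qname] = AUTHORITATIVE_NS.get(qname, set())

    def run_background(self):
        """Complete deferred NS lookups (asynchronous in a real resolver)."""
        while self.pending:
            self._lookup_ns(self.pending.pop())

    def query(self, qname):
        """Return the policy decision for qname: an RPZ action or 'PASS'."""
        if qname not in self.ns_cache:
            if self.nsdname_wait_recurse:
                self._lookup_ns(qname)          # wait until NS names are known
            else:
                self.pending.append(qname)      # answer now, learn later
                return "PASS"                   # NSDNAME rules ignored this time
        for ns in sorted(self.ns_cache[qname]):
            if ns in RPZ_NSDNAME_RULES:
                return RPZ_NSDNAME_RULES[ns]
        return "PASS"


def first_and_second_answer(wait, qname="shop.example."):
    """Decisions for two consecutive queries, with background work in between."""
    r = Resolver(nsdname_wait_recurse=wait)
    first = r.query(qname)
    r.run_background()
    return first, r.query(qname)


if __name__ == "__main__":
    print("yes:", first_and_second_answer(True))
    print("no: ", first_and_second_answer(False))
```
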

Feature Changes
~~~~~~~~~~~~~~~

- The previous DNSSEC sign statistics used lots of memory. The number
  of keys to track is reduced to four per zone, which should be enough
  for 99% of all signed zones. :gl:`#1179`

Bug Fixes
~~~~~~~~~

- When an RPZ policy zone was updated via zone transfer and a large
  number of records was deleted, ``named`` could become nonresponsive
  for a short period while deleted names were removed from the RPZ
  summary database. This database cleanup is now done incrementally
  over a longer period of time, reducing such delays. :gl:`#1447`

- When trying to migrate an already-signed zone from ``auto-dnssec
  maintain`` to one based on ``dnssec-policy``, the existing keys were
  immediately deleted and replaced with new ones. As the key rollover
  timing constraints were not being followed, it was possible that some
  clients would not have been able to validate responses until all old
  DNSSEC information had timed out from caches. BIND now looks at the
  time metadata of the existing keys and incorporates it into its
  DNSSEC policy operation. :gl:`#1706`