bind9/doc/notes/notes-9.17.13.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.17.13
----------------------

Feature Changes
~~~~~~~~~~~~~~~

- DNSSEC responses containing NSEC3 records with iteration counts
  greater than 150 are now treated as insecure. :gl:`#2445`

- The maximum supported number of NSEC3 iterations that can be
  configured for a zone has been reduced to 150. :gl:`#2642`

- After the network manager was introduced to ``named`` to handle
  incoming traffic, it was discovered that recursive performance had
  degraded compared to previous BIND 9 versions. This has now been
  fixed by processing internal tasks inside network manager worker
  threads, preventing resource contention among two sets of threads.
  :gl:`#2638`

- Zones that want to transition from secure to insecure mode without
  becoming bogus in the process must now have their ``dnssec-policy``
  changed first to ``insecure``, rather than ``none``. After the DNSSEC
  records have been removed from the zone, the ``dnssec-policy`` can be
  set to ``none`` or removed from the configuration. Setting the
  ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
  records to be published. :gl:`#2645`

- The implementation of the ZONEMD RR type has been updated to match
  :rfc:`8976`. :gl:`#2658`

- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
  NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
  or the SOA TTL. :gl:`#2347`

Bug Fixes
~~~~~~~~~

- If zone journal files written by BIND 9.16.11 or earlier were present
  when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file
  for that zone could have been inadvertently rewritten with the current
  zone contents. This caused the original zone file structure (e.g.
  comments, ``$INCLUDE`` directives) to be lost, although the zone data
  itself was preserved. :gl:`#2623`

- It was possible for corrupt journal files generated by an earlier
  version of ``named`` to cause problems after an upgrade. This has been
  fixed. :gl:`#2670`

- TTL values in cache dumps were reported incorrectly when
  ``stale-cache-enable`` was set to ``yes``. This has been fixed.
  :gl:`#389` :gl:`#2289`

- A deadlock could occur when multiple ``rndc addzone``, ``rndc
  delzone``, and/or ``rndc modzone`` commands were invoked
  simultaneously for different zones. This has been fixed. :gl:`#2626`

- ``inline-signing`` was incorrectly described as being inherited from
  the ``options``/``view`` levels and was incorrectly accepted at those
  levels without effect. This has been fixed; ``named.conf`` files with
  ``inline-signing`` at those levels no longer load. :gl:`#2536`

- ``named`` and ``named-checkconf`` did not report an error when
  multiple zones with the ``dnssec-policy`` option set were using the
  same zone file. This has been fixed. :gl:`#2603`

- If ``dnssec-policy`` was active and a private key file was temporarily
  offline during a rekey event, ``named`` could incorrectly introduce
  replacement keys and break a signed zone. This has been fixed.
  :gl:`#2596`

- When generating zone signing keys, KASP now also checks for key ID
  conflicts among newly created keys, rather than just between new and
  existing ones. :gl:`#2628`