.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.20.1
---------------------

New Features
~~~~~~~~~~~~

- Implement ``rndc retransfer -force``.

  A new optional argument ``-force`` has been added to the command
  :option:`rndc retransfer`. When it is specified, :iscman:`named` aborts the
  ongoing zone transfer (if there is one) and starts a new transfer.
  :gl:`#2299` :gl:`!9219`

- :iscman:`dig` now reports a missing QUESTION section for messages with
  opcode QUERY.

  Query responses should contain the QUESTION section, with some
  exceptions. :iscman:`dig` was not reporting this. :gl:`#4808` :gl:`!9269`

Feature Changes
~~~~~~~~~~~~~~~

- Tighten :any:`max-recursion-queries` and add the :any:`max-query-restarts`
  configuration statement.

  There were cases when the :any:`max-recursion-queries`
  quota was ineffective. It was possible to craft zones that would cause
  a resolver to waste resources by sending excessive queries while
  attempting to resolve a name. This has been addressed by correcting
  errors in the implementation of :any:`max-recursion-queries` and by
  reducing the default value from 100 to 32.

  In addition, a new :any:`max-query-restarts` configuration statement has been
  added, which limits the number of times a recursive server will follow CNAME
  or DNAME records before terminating resolution. This was previously a
  hard-coded limit of 16 but is now configurable with a default value of 11.

  ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin
  Tanir from the NetSec group, ETH Zurich, for discovering and notifying us
  about the issue. :gl:`#4741` :gl:`!9282`

- Allow shorter :any:`resolver-query-timeout` configuration.

  The minimum allowed value of :any:`resolver-query-timeout` was lowered
  from its previous value of 10 000 milliseconds (which is still the default)
  to 301 milliseconds. Note, however, that values of 1 to 300 inclusive are
  interpreted as seconds before applying the limit. A value of zero is
  interpreted as the default. :gl:`#4320` :gl:`!9220`

- Raise the log level of priming failures.

  When a priming query is complete, it was previously logged at level
  ``DEBUG(1)``, regardless of success or failure. It is now
  logged to ``NOTICE`` in the case of failure. :gl:`#3516`
  :gl:`!9250`

Bug Fixes
~~~~~~~~~

- Fix a crash caused by valid TSIG signatures with invalid time.

  An assertion failure was triggered when the TSIG had a valid
  cryptographic signature but the time was invalid. This could happen
  when the times between the primary and secondary servers were not
  synchronised. The crash has now been fixed. :gl:`#4811` :gl:`!9245`

- Return SERVFAIL for a too-long CNAME chain.

  When following long CNAME chains, :iscman:`named` was returning NOERROR
  (along with a partial answer) instead of SERVFAIL if the chain exceeded the
  maximum length. This has been fixed. :gl:`#4449` :gl:`!9203`

- Reconfigure catz member zones during :iscman:`named` reconfiguration.

  During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog
  zones' member zones. This has been fixed. :gl:`#4733`

- Update key lifetime and metadata after :any:`dnssec-policy` reconfiguration.

  Adjust key state and timing metadata if :any:`dnssec-policy` key
  lifetime configuration is updated, so that it also affects existing
  keys.
  :gl:`#4677` :gl:`!9191`

- Fix a crash during zone modification.

  Fix an assertion failure that could happen when an authoritative zone was
  modified while the server was generating an answer from that zone.
  :gl:`#4691` :gl:`!9126`

- Fix an assertion failure when executing :option:`named-checkconf -v`
  to print its version. :gl:`#4827` :gl:`!9246`

- Fix generation of the 6to4-self name expansion from an IPv4 address.

  The period between the most significant nibble of the encoded IPv4
  address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the
  wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9217`

- :option:`dig +yaml` was producing unexpected and/or invalid YAML
  output. :gl:`#4796` :gl:`!9213`

- SVCB ALPN text parsing failed to reject a zero-length ALPN. :gl:`#4775` :gl:`!9209`

- Fix a false QNAME minimisation error being reported.

  Remove the false positive ``success resolving`` log message when QNAME
  minimisation is in effect and the final result is an NXDOMAIN. :gl:`#4784` :gl:`!9215`

- Fix the ``--enable-tracing`` build on systems without dtrace.

  A missing ``util/dtrace.sh`` file prevented builds on systems without
  the ``dtrace`` utility. This has been corrected. :gl:`#4835` :gl:`!9272`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.
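The following added example, which is not BIND's own code, sketches the behaviour behind two of the notes above: the :any:`max-query-restarts` limit on CNAME following, and the :gl:`#4449` fix that returns SERVFAIL instead of NOERROR with a partial answer once the chain is too long. The zone data is constructed, and counting one restart per CNAME hop is an assumption of this sketch, not a description of :iscman:`named`'s internal accounting.

```python
"""Added illustration (not BIND's own code): counting query restarts while
following a CNAME chain, and the rcode returned when the limit is exceeded.
One restart per CNAME hop is an assumption of this sketch."""

OLD_HARD_CODED_LIMIT = 16        # previous fixed limit named in the notes
DEFAULT_MAX_QUERY_RESTARTS = 11  # new configurable default


def build_chain(cname_hops: int) -> dict:
    """Constructed zone data: www -> c1 -> ... -> c<hops>, where c<hops>
    holds an A record, so the chain has exactly `cname_hops` CNAMEs."""
    zone = {}
    owner = "www.example.test."
    for i in range(1, cname_hops + 1):
        target = f"c{i}.example.test."
        zone[owner] = ("CNAME", target)
        owner = target
    zone[owner] = ("A", "192.0.2.1")  # constructed documentation address
    return zone


def resolve(zone: dict, qname: str,
            max_query_restarts: int = DEFAULT_MAX_QUERY_RESTARTS,
            fixed: bool = True) -> tuple:
    """Follow CNAMEs from qname; returns (rcode, answer_section)."""
    answer, restarts, name = [], 0, qname
    while True:
        rr = zone.get(name)
        if rr is None:
            return "NXDOMAIN", answer
        rtype, rdata = rr
        answer.append((name, rtype, rdata))
        if rtype != "CNAME":
            return "NOERROR", answer
        restarts += 1
        if restarts > max_query_restarts:
            # Chain too long. Before the #4449 fix, named answered NOERROR
            # with the partial chain, which a client could take for a
            # complete answer; the fix signals failure with SERVFAIL.
            return ("SERVFAIL" if fixed else "NOERROR"), answer
        name = rdata


def is_complete(rcode: str, answer: list) -> bool:
    """A usable answer carries NOERROR and ends in a non-CNAME record."""
    return rcode == "NOERROR" and bool(answer) and answer[-1][1] != "CNAME"
```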
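As a second added example (again not BIND's own code), the reverse name that the ``6to4-self`` update-policy rule derives from an IPv4 address, with the pre-:gl:`#4766` form that lacked the period before the 2.0.0.2.IP6.ARPA suffix shown for comparison. The sample address is a constructed documentation address.

```python
"""Added illustration (not BIND's own code): 6to4-self reverse-name
expansion from an IPv4 address, correct form and the pre-#4766 form."""
import ipaddress

SUFFIX = "2.0.0.2.IP6.ARPA."  # reverse of the 6to4 prefix 2002::/16


def six_to_four_self_name(ipv4: str, fixed: bool = True) -> str:
    """For IPv4 aa.bb.cc.dd the 6to4 prefix is 2002:aabb:ccdd::/48. Its
    reverse name is the eight IPv4 hex nibbles in reverse order, one label
    each, followed by the 2.0.0.2.IP6.ARPA suffix."""
    addr = ipaddress.IPv4Address(ipv4)
    nibbles = format(int(addr), "08x")    # "c0000201" for 192.0.2.1
    labels = ".".join(reversed(nibbles))  # "1.0.2.0.0.0.0.c"
    # Before the fix the separating period was missing, gluing the most
    # significant nibble onto the suffix: "...0.0.0.c2.0.0.2.IP6.ARPA."
    sep = "." if fixed else ""
    return labels + sep + SUFFIX


def name_matches(candidate: str, ipv4: str) -> bool:
    """Compare case-insensitively, as DNS name matching requires."""
    return candidate.lower() == six_to_four_self_name(ipv4).lower()


def label_count(name: str) -> int:
    """Number of labels; a correct 6to4-self name has 8 + 4 + 2 = 14."""
    return len(name.rstrip(".").split("."))
```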