.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.20.2
---------------------

New Features
~~~~~~~~~~~~

- Support for Offline KSK implemented.

  Add a new configuration option :any:`offline-ksk` to enable Offline
  KSK key management. Signed Key Response (SKR) files created with
  :iscman:`dnssec-ksr` (or other programs) can now be imported into
  :iscman:`named` with the new :option:`rndc skr -import <rndc skr>`
  command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and
  generating signatures covering these types, these records are loaded
  from the currently active bundle of the imported SKR.

  The implementation is loosely based on
  `draft-icann-dnssec-keymgmt-01.txt
  <https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt>`_.
  :gl:`#1128`

- Print the full path of the working directory in startup log messages.

  :iscman:`named` now prints its initial working directory during
  startup, and the changed working directory when loading or reloading
  its configuration file, if it has a valid :any:`directory` option
  defined. :gl:`#4731`

- Support a restricted key tag range when generating new keys.

  When multiple signers are being used to sign a zone, it is useful for
  an operator to be able to restrict the range of key tags that each
  signer uses for the zone. The range can be specified with
  ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys
  <dnssec-policy-keys>` (for :iscman:`named` and :iscman:`dnssec-ksr`)
  and with the new options :option:`dnssec-keyfromlabel -M` and
  :option:`dnssec-keygen -M`. :gl:`#4830`

Feature Changes
~~~~~~~~~~~~~~~

- Exempt prefetches from the :any:`fetches-per-zone` and
  :any:`fetches-per-server` quotas.

  Fetches generated automatically as a result of :any:`prefetch` are now
  exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server`
  quotas. This should help in maintaining the cache from which query
  responses can be given. :gl:`#4219`

- Improve performance for queries that require an NSEC3 wildcard proof.

  Rather than starting from the longest matching part of the requested
  name, look up the shortest partial match. Most of the time this will
  be the actual closest encloser. :gl:`#4460`

- Follow the number of CPUs set by ``taskset``/``cpuset``.

  Administrators may wish to constrain the set of cores that
  :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl``
  programs (or equivalents on other OSes).

  If the admin has used ``taskset``, :iscman:`named` now automatically
  uses the given number of CPUs rather than the system-wide count.
  :gl:`#4884`

Bug Fixes
~~~~~~~~~

- Delay the release of root privileges until after configuring controls.

  Delay relinquishing root privileges until the control channel has been
  configured, for the benefit of systems that require root to use
  privileged port numbers. This mostly affects systems without
  fine-grained privilege systems (i.e., other than Linux). :gl:`#4793`

- Fix a rare assertion failure when shutting down an incoming transfer.

  A very rare assertion failure could be triggered when the incoming
  transfer was either forcefully shut down, or it finished during the
  printing of the details about the statistics channel. This has been
  fixed. :gl:`#4860`

- Fix an algorithm rollover bug when there are two keys with the same
  key tag.

  If there was an algorithm rollover and two keys of different
  algorithms shared the same key tag, there was the possibility that the
  check of whether the key matched a specific state could be performed
  against the wrong key. This has been fixed by checking not only for
  the matching key tag but also for the key algorithm. :gl:`#4878`

- Fix an assertion failure in ``validate_dnskey_dsset_done()``.

  Under rare circumstances, :iscman:`named` could terminate unexpectedly
  when validating a DNSKEY resource record if the validation had been
  canceled in the meantime. This has been fixed. :gl:`#4911`

Known Issues
~~~~~~~~~~~~

- Long-running tasks in offloaded threads (e.g. the loading of RPZ zones
  or processing zone transfers) may block the resolution of queries
  during these operations and cause the queries to time out.

  To work around the issue, the ``UV_THREADPOOL_SIZE`` environment
  variable can be set to a larger value before starting :iscman:`named`.
  The recommended value is the number of RPZ zones (or number of
  transfers) plus the number of threads BIND should use, which is
  typically the number of CPUs. :gl:`#4898`
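Two of the notes above turn on the DNSSEC key tag: the ``tag-range`` feature (:gl:`#4830`) restricts which tags a signer may generate, and the rollover fix (:gl:`#4878`) exists because keys of different algorithms can legitimately share a tag. The following is an added example, not BIND code, that computes key tags from DNSKEY presentation-format records using the RFC 4034 Appendix B algorithm, checks them against an operator's range, and reports collisions both the pre-fix way (tag only) and the fixed way (tag plus algorithm). The DNSKEY records are constructed with tiny fake public keys so the arithmetic is easy to follow; the function names are this example's own.

```python
"""Key-tag computation, range check and collision detection for DNSKEY RRs.

Added example; not part of BIND. DNSKEY records below are constructed with
deliberately short fake public keys (real keys are 32+ bytes).
"""
import base64
import struct
from collections import defaultdict


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Algorithm 1 (RSAMD5) used a different scheme and is deprecated; refuse it
    rather than silently return a wrong value.
    """
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSAMD5) is not supported by this tag scheme")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        # Even-indexed octets are the high byte, odd-indexed the low byte.
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse 'owner TTL IN DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, protocol, algorithm = int(fields[4]), int(fields[5]), int(fields[6])
    pubkey = base64.b64decode("".join(fields[7:]))  # base64 may be space-split
    return {
        "owner": fields[0],
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "tag": key_tag(flags, protocol, algorithm, pubkey),
    }


def in_tag_range(tag: int, low: int, high: int) -> bool:
    """True if the tag falls inside an operator-assigned [low, high] range."""
    return low <= tag <= high


def tag_collisions(keys, distinguish_algorithm=True):
    """Group keys that share an identifier.

    With distinguish_algorithm=True the identifier is (tag, algorithm), which
    mirrors the #4878 fix; with False it is the tag alone, the pre-fix lookup.
    Returns only groups with more than one key.
    """
    groups = defaultdict(list)
    for k in keys:
        ident = (k["tag"], k["algorithm"]) if distinguish_algorithm else (k["tag"],)
        groups[ident].append(k)
    return {ident: ks for ident, ks in groups.items() if len(ks) > 1}


# Constructed sample keys. The two KSKs are built so that they have the SAME
# tag (2068) but different algorithms (13 and 8): exactly the rollover case.
SAMPLE_DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # KSK, alg 13, tag 2068
    "example.test. 3600 IN DNSKEY 257 3 8 AQIDCQ==",   # KSK, alg 8,  tag 2068
    "example.test. 3600 IN DNSKEY 256 3 13 AQIDBA==",  # ZSK, alg 13, tag 2067
]


def check_zone_keys(records=SAMPLE_DNSKEYS, tag_low=0, tag_high=32767):
    """Return tags, out-of-range keys, and collisions under both lookup rules."""
    keys = [parse_dnskey(r) for r in records]
    return {
        "tags": [(k["tag"], k["algorithm"]) for k in keys],
        "out_of_range": [k["tag"] for k in keys if not in_tag_range(k["tag"], tag_low, tag_high)],
        "collisions_tag_only": tag_collisions(keys, distinguish_algorithm=False),
        "collisions_tag_and_alg": tag_collisions(keys, distinguish_algorithm=True),
    }


if __name__ == "__main__":
    for name, value in check_zone_keys().items():
        print(f"{name}: {value}")
```

Running it shows that the tag-only grouping reports the two KSKs as one key (the ambiguity behind :gl:`#4878`) while the tag-plus-algorithm grouping reports no collision. Narrowing ``tag_high`` below 2068 moves those keys into ``out_of_range``, which is the kind of check an operator would apply when assigning disjoint ``tag-range`` values to separate signers.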