| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Approved by: re (gjb)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable new features:
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.
Approved by: delphij (mentor)
MFC after: 3 days
Sponsored by: DK Hostmaster A/S
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New Features
Adds a new configuration option, "check-spf"; valid values are
"warn" (default) and "ignore". When set to "warn", checks SPF
and TXT records in spf format, warning if either resource record
type occurs without a corresponding record of the other resource
record type. [RT #33355]
Adds support for Uniform Resource Identifier (URI) resource
records. [RT #23386]
Adds support for the EUI48 and EUI64 RR types. [RT #33082]
Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
and L64). [RT #31836]
Feature Changes
Changes timing of when slave zones send NOTIFY messages after
loading a new copy of the zone. They now send the NOTIFY before
writing the zone data to disk. This will result in quicker
propagation of updates in multi-level server structures. [RT #27242]
"named -V" can now report a source ID string. (This is will be
of most interest to developers and troubleshooters). The source
ID for ISC's production versions of BIND is defined in the "srcid"
file in the build tree and is normally set to the most recent
git hash. [RT #31494]
Response Policy Zone performance enhancements. New "response-policy"
option "min-ns-dots". "nsip" and "nsdname" now enabled by default
with RPZ. [RT #32251]
Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S
|
| | |
|
| |
|
|
|
|
|
|
| |
https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/
Approved by: re (kib)
|
| |
|
|
|
| |
This version has many new features, see /usr/share/doc/bind9/README
for details.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.
This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.
2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
security patches to the 9.6.1 version, as well as many other bug fixes.
This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.
Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
changes from the 9.6.1rc1 version. The first 2 only affect DNSSEC.
named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
Accept DS responses from delegation only zones.
"delegation-only" was not being accepted in
delegation-only type zones.
|
|
|
lots of new features compared to 9.4.x, including:
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.
|
