"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.11.23/doc/arm/notes-9.11.0.xml" (7 Sep 2020, 36679 Bytes) of package /linux/misc/dns/bind9/9.11.23/bind-9.11.23.tar.gz:



    1 <!--
    2  - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
    3  -
    4  - This Source Code Form is subject to the terms of the Mozilla Public
    5  - License, v. 2.0. If a copy of the MPL was not distributed with this
    6  - file, You can obtain one at http://mozilla.org/MPL/2.0/.
    7  -
    8  - See the COPYRIGHT file distributed with this work for additional
    9  - information regarding copyright ownership.
   10 -->
   11 
   12 <section xml:id="relnotes-9.11.0"><info><title>Notes for BIND 9.11.0</title></info>
   13 
   14   <section xml:id="relnotes-9.11.0-security"><info><title>Security Fixes</title></info>
   15     <itemizedlist>
   16       <listitem>
   17         <para>
   18           It was possible to trigger an assertion when rendering a
   19           message using a specially crafted request. This flaw is
   20           disclosed in CVE-2016-2776. [RT #43139]
   21         </para>
   22       </listitem>
   23       <listitem>
   24         <para>
   25          getrrsetbyname with a non-absolute name could trigger an
   26          infinite recursion bug in lwresd, and in named with lwres
   27          configured, if the name, when combined with a search list
   28          entry, was too long.  This flaw is disclosed in
   29          CVE-2016-2775. [RT #42694]
   30         </para>
   31       </listitem>
   32     </itemizedlist>
   33   </section>
   34 
   35   <section xml:id="relnotes-9.11.0-features"><info><title>New Features</title></info>
   36     <itemizedlist>
   37       <listitem>
   38         <para>
   39           A new method of provisioning secondary servers called
   40           "Catalog Zones" has been added. This is an implementation of
   41           <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/">
   42             draft-muks-dnsop-dns-catalog-zones/
   43           </link>.
   44         </para>
   45         <para>
   46           A catalog zone is a regular DNS zone which contains a list
   47           of "member zones", along with the configuration options for
   48           each of those zones.  When a server is configured to use a
   49           catalog zone, all the zones listed in the catalog zone are
   50           added to the local server as slave zones.  When the catalog
   51           zone is updated (e.g., by adding or removing zones, or
   52           changing configuration options for existing zones) those
   53           changes will be put into effect.  Since the catalog zone is
   54           itself a DNS zone, this means configuration changes can be
   55           propagated to slaves using the standard AXFR/IXFR update
   56           mechanism.
   57         </para>
   58         <para>
   59           This feature should be considered experimental. It currently
   60           supports only basic features; more advanced features such as
   61           ACLs and TSIG keys are not yet supported. Example catalog
   62           zone configurations can be found in Chapter 9 of the
   63           BIND Administrator Reference Manual.
   64         </para>
   65         <para>
   66           Support for master entries with TSIG keys has been added to catalog
   67           zones, as well as support for allow-query and allow-transfer.
   68         </para>
   69       </listitem>
   70       <listitem>
   71         <para>
   72           Added an <command>isc.rndc</command> Python module, which allows
   73           <command>rndc</command> commands to be sent from Python programs.
   74         </para>
   75       </listitem>
   76       <listitem>
   77         <para>
   78           Added support for DynDB, a new interface for loading zone data
   79           from an external database, developed by Red Hat for the FreeIPA
   80           project.  (Thanks in particular to Adam Tkac and Petr
   81           Spacek of Red Hat for the contribution.)
   82         </para>
   83         <para>
   84           Unlike the existing DLZ and SDB interfaces, which provide a
   85           limited subset of database functionality within BIND -
   86           translating DNS queries into real-time database lookups with
   87           relatively poor performance and with no ability to handle
   88           DNSSEC-signed data - DynDB is able to fully implement
   89           and extend the database API used natively by BIND.
   90         </para>
   91         <para>
   92           A DynDB module could pre-load data from an external data
   93           source, then serve it with the same performance and
   94           functionality as conventional BIND zones, and with the
   95           ability to take advantage of database features not
   96           available in BIND, such as multi-master replication.
   97         </para>
   98       </listitem>
   99       <listitem>
  100         <para>
  101           Fetch quotas are now compiled in by default: they
  102           no longer require BIND to be configured with
  103           <command>--enable-fetchlimit</command>, as was the case
  104           when the feature was introduced in BIND 9.10.3.
  105         </para>
  106         <para>
  107           These quotas limit the queries that are sent by recursive
  108           resolvers to authoritative servers experiencing denial-of-service
  109           attacks. They can both reduce the harm done to authoritative
  110           servers and also avoid the resource exhaustion that can be
  111           experienced by recursive servers when they are being used as a
  112           vehicle for such an attack.
  113         </para>
  114         <itemizedlist>
  115           <listitem>
  116             <para>
  117               <option>fetches-per-server</option> limits the number of
  118               simultaneous queries that can be sent to any single
  119               authoritative server.  The configured value is a starting
  120               point; it is automatically adjusted downward if the server is
  121               partially or completely non-responsive. The algorithm used to
  122               adjust the quota can be configured via the
  123               <option>fetch-quota-params</option> option.
  124             </para>
  125           </listitem>
  126           <listitem>
  127             <para>
  128               <option>fetches-per-zone</option> limits the number of
  129               simultaneous queries that can be sent for names within a
  130               single domain.  (Note: Unlike "fetches-per-server", this
  131               value is not self-tuning.)
  132             </para>
  133           </listitem>
  134         </itemizedlist>
  135         <para>
  136           Statistics counters have also been added to track the number
  137           of queries affected by these quotas.
  138         </para>
  139       </listitem>
  140       <listitem>
  141         <para>
  142           Added support for <command>dnstap</command>, a fast,
  143           flexible method for capturing and logging DNS traffic,
  144           developed by Robert Edmonds at Farsight Security, Inc.,
  145           whose assistance is gratefully acknowledged.
  146         </para>
  147         <para>
  148           To enable <command>dnstap</command> at compile time,
  149           the <command>fstrm</command> and <command>protobuf-c</command>
  150           libraries must be available, and BIND must be configured with
  151           <option>--enable-dnstap</option>.
  152         </para>
  153         <para>
  154           A new utility <command>dnstap-read</command> has been added
  155           to allow <command>dnstap</command> data to be presented in
  156           a human-readable format.
  157         </para>
  158         <para>
  159           <command>rndc dnstap -roll</command> causes <command>dnstap</command>
  160           output files to be rolled like log files -- the most recent output
  161           file is renamed with a <filename>.0</filename> suffix, the next
  162           most recent with <filename>.1</filename>, etc. (Note that this
  163           only works when <command>dnstap</command> output is being written
  164           to a file, not to a UNIX domain socket.) An optional numerical
  165           argument specifies how many backup log files to retain; if not
  166           specified or set to 0, there is no limit.
  167         </para>
  168         <para>
  169           <command>rndc dnstap -reopen</command> simply closes and reopens
  170           the <command>dnstap</command> output channel without renaming
  171           the output file.
  172         </para>
  173         <para>
  174           For more information on <command>dnstap</command>, see
  175           <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://dnstap.info">https://dnstap.info</link>.
  176         </para>
  177       </listitem>
  178       <listitem>
  179         <para>
  180           New statistics counters have been added to track traffic
  181           sizes, as specified in RSSAC002.  Query and response
  182           message sizes are broken up into ranges of histogram buckets:
  183           TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
  184           and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
  185           and 4096+.  These values can be accessed via the XML and JSON
  186           statistics channels at, for example,
  187           <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://localhost:8888/xml/v3/traffic">http://localhost:8888/xml/v3/traffic</link>
  188           or
  189           <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://localhost:8888/json/v1/traffic">http://localhost:8888/json/v1/traffic</link>.
  190         </para>
  191         <para>
  192           Statistics for RSSAC002v3 traffic-volume, traffic-sizes and
  193           rcode-volume reporting are now collected.
  194         </para>
  195       </listitem>
  196       <listitem>
  197         <para>
  198           A new DNSSEC key management utility,
  199           <command>dnssec-keymgr</command>, has been added. This tool
  200           is meant to run unattended (e.g., under <command>cron</command>).
  201           It reads a policy definition file
  202           (default <filename>/etc/dnssec-policy.conf</filename>)
  203           and creates or updates DNSSEC keys as necessary to ensure that a
  204           zone's keys match the defined policy for that zone.  New keys are
  205           created whenever necessary to ensure rollovers occur correctly.
  206           Existing keys' timing metadata is adjusted as needed to set the
  207           correct rollover period, prepublication interval, etc.  If
  208           the configured policy changes, keys are corrected automatically.
  209           See the <command>dnssec-keymgr</command> man page for full details.
  210         </para>
  211         <para>
  212           Note: <command>dnssec-keymgr</command> depends on Python and on
  213           the Python lex/yacc module, PLY. The other Python-based tools,
  214           <command>dnssec-coverage</command> and
  215           <command>dnssec-checkds</command>, have been
  216           refactored and updated as part of this work.
  217         </para>
  218         <para>
  219           <command>dnssec-keymgr</command> now takes a -r
  220           <replaceable>randomfile</replaceable> option.
  221         </para>
  222         <para>
  223           (Many thanks to Sebastián
  224           Castro for his assistance in developing this tool at the IETF
  225           95 Hackathon in Buenos Aires, April 2016.)
  226         </para>
  227       </listitem>
  228       <listitem>
  229         <para>
  230           The serial number of a dynamically updatable zone can
  231           now be set using
  232           <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
  233           This is particularly useful with <option>inline-signing</option>
  234           zones that have been reset.  Setting the serial number to a value
  235           larger than that on the slaves will trigger an AXFR-style
  236           transfer.
  237         </para>
  238       </listitem>
  239       <listitem>
  240         <para>
  241           When answering recursive queries, SERVFAIL responses can now be
  242           cached by the server for a limited time; subsequent queries for
  243           the same query name and type will return another SERVFAIL until
  244           the cache times out.  This reduces the frequency of retries
  245           when a query is persistently failing, which can be a burden
  246           on recursive servers.  The SERVFAIL cache timeout is controlled
  247           by <option>servfail-ttl</option>, which defaults to 1 second
  248           and has an upper limit of 30.
  249         </para>
  250       </listitem>
  251       <listitem>
  252         <para>
  253           The new <command>rndc nta</command> command can now be used to
  254           set a "negative trust anchor" (NTA), disabling DNSSEC validation for
  255           a specific domain; this can be used when responses from a domain
  256           are known to be failing validation due to administrative error
  257           rather than because of a spoofing attack. NTAs are strictly
  258           temporary; by default they expire after one hour, but can be
  259           configured to last up to one week.  The default NTA lifetime
  260           can be changed by setting the <option>nta-lifetime</option> in
  261           <filename>named.conf</filename>. When added, NTAs are stored in a
  262           file (<filename><replaceable>viewname</replaceable>.nta</filename>)
  263           in order to persist across restarts of the <command>named</command> server.
  264         </para>
  265       </listitem>
  266       <listitem>
  267         <para>
  268           The EDNS Client Subnet (ECS) option is now supported for
  269           authoritative servers; if a query contains an ECS option then
  270           ACLs containing <option>geoip</option> or <option>ecs</option>
  271           elements can match against the address encoded in the option.
  272           This can be used to select a view for a query, so that different
  273           answers can be provided depending on the client network.
  274         </para>
  275       </listitem>
  276       <listitem>
  277         <para>
  278           The EDNS EXPIRE option has been implemented on the client
  279           side, allowing a slave server to set the expiration timer
  280           correctly when transferring zone data from another slave
  281           server.
  282         </para>
  283       </listitem>
  284       <listitem>
  285         <para>
  286           A new <option>masterfile-style</option> zone option controls
  287           the formatting of text zone files:  When set to
  288           <literal>full</literal>, the zone file will be dumped in
  289           single-line-per-record format.
  290         </para>
  291       </listitem>
  292       <listitem>
  293         <para>
  294           <command>dig +ednsopt</command> can now be used to set
  295           arbitrary EDNS options in DNS requests.
  296         </para>
  297       </listitem>
  298       <listitem>
  299         <para>
  300           <command>dig +ednsflags</command> can now be used to set
  301           yet-to-be-defined EDNS flags in DNS requests.
  302         </para>
  303       </listitem>
  304       <listitem>
  305         <para>
  306           <command>dig +[no]ednsnegotiation</command> can now be used to enable /
  307           disable EDNS version negotiation.
  308         </para>
  309       </listitem>
  310       <listitem>
  311         <para>
  312           <command>dig +header-only</command> can now be used to send
  313           queries without a question section.
  314         </para>
  315       </listitem>
  316       <listitem>
  317         <para>
  318           <command>dig +ttlunits</command> causes <command>dig</command>
  319           to print TTL values with time-unit suffixes: w, d, h, m, s for
  320           weeks, days, hours, minutes, and seconds.
  321         </para>
  322       </listitem>
  323       <listitem>
  324         <para>
  325           <command>dig +zflag</command> can be used to set the last
  326           unassigned DNS header flag bit.  This bit is normally zero.
  327         </para>
  328       </listitem>
  329       <listitem>
  330         <para>
  331           <command>dig +dscp=<replaceable>value</replaceable></command>
  332           can now be used to set the DSCP code point in outgoing query
  333           packets.
  334         </para>
  335       </listitem>
  336       <listitem>
  337         <para>
  338           <command>dig +mapped</command> can now be used to determine
  339           if mapped IPv4 addresses can be used.
  340         </para>
  341       </listitem>
  342       <listitem>
  343         <para>
  344           <command>nslookup</command> will now look up IPv6 as well
  345           as IPv4 addresses by default. [RT #40420]
  346         </para>
  347       </listitem>
  348       <listitem>
  349         <para>
  350           <option>serial-update-method</option> can now be set to
  351           <literal>date</literal>. On update, the serial number will
  352           be set to the current date in YYYYMMDDNN format.
  353         </para>
  354       </listitem>
  355       <listitem>
  356         <para>
  357           <command>dnssec-signzone -N date</command> also sets the serial
  358           number to YYYYMMDDNN.
  359         </para>
  360       </listitem>
  361       <listitem>
  362         <para>
  363           <command>named -L <replaceable>filename</replaceable></command>
  364           causes <command>named</command> to send log messages to the
  365           specified file by default instead of to the system log.
  366         </para>
  367       </listitem>
  368       <listitem>
  369         <para>
  370           The rate limiter configured by the
  371           <option>serial-query-rate</option> option no longer covers
  372           NOTIFY messages; those are now separately controlled by
  373           <option>notify-rate</option> and
  374           <option>startup-notify-rate</option> (the latter of which
  375           controls the rate of NOTIFY messages sent when the server
  376           is first started up or reconfigured).
  377         </para>
  378       </listitem>
  379       <listitem>
  380         <para>
  381           The default number of tasks and client objects available
  382           for serving lightweight resolver queries have been increased,
  383           and are now configurable via the new <option>lwres-tasks</option>
  384           and <option>lwres-clients</option> options in
  385           <filename>named.conf</filename>. [RT #35857]
  386         </para>
  387       </listitem>
  388       <listitem>
  389         <para>
  390           Log output to files can now be buffered by specifying
  391           <command>buffered yes;</command> when creating a channel.
  392         </para>
  393       </listitem>
  394       <listitem>
  395         <para>
  396           <command>delv +tcp</command> will exclusively use TCP when
  397           sending queries.
  398         </para>
  399       </listitem>
  400       <listitem>
  401         <para>
  402           <command>named</command> will now check to see whether
  403           other name server processes are running before starting up.
  404           This is implemented in two ways: 1) by refusing to start
  405           if the configured network interfaces all return "address
  406           in use", and 2) by attempting to acquire a lock on a file
  407           specified by the <option>lock-file</option> option or
  408           the <command>-X</command> command line option.  The
  409           default lock file is
  410           <filename>/var/run/named/named.lock</filename>.
  411           Specifying <literal>none</literal> will disable the lock
  412           file check.
  413         </para>
  414       </listitem>
  415       <listitem>
  416         <para>
  417           <command>rndc delzone</command> can now be applied to zones
  418           which were configured in <filename>named.conf</filename>;
  419           it is no longer restricted to zones which were added by
  420           <command>rndc addzone</command>.  (Note, however, that
  421           this does not edit <filename>named.conf</filename>; the zone
  422           must be removed from the configuration or it will return
  423           when <command>named</command> is restarted or reloaded.)
  424         </para>
  425       </listitem>
  426       <listitem>
  427         <para>
  428           <command>rndc modzone</command> can be used to reconfigure
  429           a zone, using similar syntax to <command>rndc addzone</command>.
  430         </para>
  431       </listitem>
  432       <listitem>
  433         <para>
  434           <command>rndc showzone</command> displays the current
  435           configuration for a specified zone.
  436         </para>
  437       </listitem>
  438       <listitem>
  439         <para>
  440           When BIND is built with the <command>lmdb</command> library
  441           (Lightning Memory-Mapped Database), <command>named</command>
  442           will store the configuration information for zones
  443           that are added via <command>rndc addzone</command>
  444           in a database, rather than in a flat "NZF" file.  This
  445           dramatically improves performance for
  446           <command>rndc delzone</command> and
  447           <command>rndc modzone</command>: deleting or changing
  448           the contents of a database is much faster than rewriting
  449           a text file.
  450         </para>
  451         <para>
  452           On startup, if <command>named</command> finds an existing
  453           NZF file, it will automatically convert it to the new NZD
  454           database format.
  455         </para>
  456         <para>
  457           To view the contents of an NZD, or to convert an
  458           NZD back to an NZF file (for example, to revert back
  459           to an earlier version of BIND which did not support the
  460           NZD format), use the new command <command>named-nzd2nzf</command>.
  461           [RT #39837]
  462         </para>
  463       </listitem>
  464       <listitem>
  465         <para>
  466           Added server-side support for pipelined TCP queries.  Clients
  467           may continue sending queries via TCP while previous queries are
  468           processed in parallel.  Responses are sent when they are
  469           ready, not necessarily in the order in which the queries were
  470           received.
  471         </para>
  472         <para>
  473           To revert to the former behavior for a particular
  474           client address or range of addresses, specify the address prefix
  475           in the "keep-response-order" option.  To revert to the former
  476           behavior for all clients, use "keep-response-order { any; };".
  477         </para>
  478       </listitem>
  479       <listitem>
  480         <para>
  481           The new <command>mdig</command> command is a version of
  482           <command>dig</command> that sends multiple pipelined
  483           queries and then waits for responses, instead of sending one
  484           query and waiting for the response before sending the next. [RT #38261]
  485         </para>
  486       </listitem>
  487       <listitem>
  488         <para>
  489           To enable better monitoring and troubleshooting of RFC 5011
  490           trust anchor management, the new <command>rndc managed-keys</command>
  491           can be used to check the status of trust anchors or to force keys
  492           to be refreshed.  Also, the managed-keys data file now has
  493           easier-to-read comments. [RT #38458]
  494         </para>
  495       </listitem>
  496       <listitem>
  497         <para>
  498           An <command>--enable-querytrace</command> configure switch is
  499           now available to enable very verbose query trace logging. This
  500           option can only be set at compile time. This option has a
  501           negative performance impact and should be used only for
  502           debugging. [RT #37520]
  503         </para>
  504       </listitem>
  505       <listitem>
  506         <para>
  507           A new <command>tcp-only</command> option can be specified
  508           in <command>server</command> statements to force
  509           <command>named</command> to connect to the specified
  510           server via TCP. [RT #37800]
  511         </para>
  512       </listitem>
  513       <listitem>
  514         <para>
  515           The <command>nxdomain-redirect</command> option specifies
  516           a DNS namespace to use for NXDOMAIN redirection. When a
  517           recursive lookup returns NXDOMAIN, a second lookup is
  518           initiated with the specified name appended to the query
  519           name. This allows NXDOMAIN redirection data to be supplied
  520           by multiple zones configured on the server, or by recursive
  521           queries to other servers. (The older method, using
  522           a single <command>type redirect</command> zone, has
  523           better average performance but is less flexible.) [RT #37989]
  524         </para>
  525       </listitem>
  526       <listitem>
  527         <para>
  528           The following types have been implemented: CSYNC, NINFO, RKEY,
  529           SINK, TA, TALINK.
  530         </para>
  531       </listitem>
  532       <listitem>
  533         <para>
  534           A new <command>message-compression</command> option can be
  535           used to specify whether or not to use name compression when
  536           answering queries. Setting this to <userinput>no</userinput>
  537           results in larger responses, but reduces CPU consumption and
  538           may improve throughput.  The default is <userinput>yes</userinput>.
  539         </para>
  540       </listitem>
  541       <listitem>
  542         <para>
  543           A <command>read-only</command> option is now available in the
  544           <command>controls</command> statement to grant non-destructive
  545           control channel access. In such cases, a restricted set of
  546           <command>rndc</command> commands are allowed, which can
  547           report information from <command>named</command>, but cannot
  548           reconfigure or stop the server. By default, the control channel
  549           access is <emphasis>not</emphasis> restricted to these
  550           read-only operations. [RT #40498]
  551         </para>
  552       </listitem>
  553       <listitem>
  554         <para>
  555           When loading a signed zone, <command>named</command> will
  556           now check whether an RRSIG's inception time is in the future,
  557           and if so, it will regenerate the RRSIG immediately. This helps
  558           when a system's clock needs to be reset backwards.
  559         </para>
  560       </listitem>
  561       <listitem>
  562         <para>
  563           The new <command>minimal-any</command> option reduces the size
  564           of answers to UDP queries for type ANY by implementing one of
  565           the strategies in "draft-ietf-dnsop-refuse-any": returning
  566           a single arbitrarily-selected RRset that matches the query
  567           name rather than returning all of the matching RRsets.
  568           Thanks to Tony Finch for the contribution. [RT #41615]
  569         </para>
  570       </listitem>
  571       <listitem>
  572         <para>
  573           <command>named</command> now provides feedback to the
  574           owners of zones which have trust anchors configured
  575           (<command>trusted-keys</command>,
  576           <command>managed-keys</command>, <command>dnssec-validation
  577           auto;</command> and <command>dnssec-lookaside auto;</command>)
  578           by sending a daily query which encodes the keyids of the
  579           configured trust anchors for the zone.  This is controlled
  580           by <command>trust-anchor-telemetry</command> and defaults
  581           to yes.
  582         </para>
  583       </listitem>
  584     </itemizedlist>
  585   </section>
  586 
  587   <section xml:id="relnotes-9.11.0-changes"><info><title>Feature Changes</title></info>
  588     <itemizedlist>
  589       <listitem>
  590         <para>
  591           The logging format used for <command>querylog</command> has been
  592           altered. It now includes an additional field indicating the
  593           address in memory of the client object processing the query.
  594         </para>
  595         <para>
  596           The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
  597           to be disabled in 2017.  A warning is now logged when
  598           <command>named</command> is configured to use this service,
  599           either explicitly or via <option>dnssec-lookaside auto;</option>.
  600           [RT #42207]
  601         </para>
  602       </listitem>
  603       <listitem>
  604         <para>
  605           The timers returned by the statistics channel (indicating current
  606           time, server boot time, and most recent reconfiguration time) are
  607           now reported with millisecond accuracy. [RT #40082]
  608         </para>
  609       </listitem>
  610       <listitem>
  611         <para>
  612           Updated the compiled-in addresses for H.ROOT-SERVERS.NET
  613           and L.ROOT-SERVERS.NET.
  614         </para>
  615       </listitem>
  616       <listitem>
  617         <para>
  618           ACLs containing <command>geoip asnum</command> elements were
  619           not correctly matched unless the full organization name was
  620           specified in the ACL (as in
  621           <command>geoip asnum "AS1234 Example, Inc.";</command>).
  622           They can now match against the AS number alone (as in
  623           <command>geoip asnum "AS1234";</command>).
  624         </para>
  625       </listitem>
      <listitem>
        <para>
          When using native PKCS#11 cryptography (i.e.,
          <command>configure --enable-native-pkcs11</command>), HSM PINs
          of up to 256 characters can now be used.
        </para>
      </listitem>
      <listitem>
        <para>
          NXDOMAIN responses to queries of type DS are now cached separately
          from those for other types. This helps when using "grafted" zones
          of type forward, for which the parent zone does not contain a
          delegation, such as local top-level domains.  Previously a query
          of type DS for such a zone could cause the zone apex to be cached
          as NXDOMAIN, blocking all subsequent queries.  (Note: This
          change is only helpful when DNSSEC validation is not enabled.
          "Grafted" zones without a delegation in the parent are not a
          recommended configuration.)
        </para>
      </listitem>
      <listitem>
        <para>
          Update forwarding performance has been improved by allowing
          a single TCP connection to be shared between multiple updates.
        </para>
      </listitem>
      <listitem>
        <para>
          By default, <command>nsupdate</command> will now check
          the correctness of hostnames when adding records of type
          A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
          disabled with <command>check-names no</command>.
        </para>
      </listitem>
      <listitem>
        <para>
          Added support for OPENPGPKEY type.
        </para>
      </listitem>
      <listitem>
        <para>
          The names of the files used to store managed keys and added
          zones for each view are no longer based on the SHA256 hash
          of the view name, except when this is necessary because the
          view name contains characters that would be incompatible with use
          as a file name.  For views whose names do not contain forward
          slashes ('/'), backslashes ('\'), or capital letters - which
          could potentially cause namespace collision problems on
          case-insensitive filesystems - files will now be named
          after the view (for example, <filename>internal.mkeys</filename>
          or <filename>external.nzf</filename>).  However, to ensure
          consistent behavior when upgrading, if a file using the old
          name format is found to exist, it will continue to be used.
        </para>
      </listitem>
      <listitem>
        <para>
          <command>rndc</command> can now return text output of arbitrary
          size to the caller. (Prior to this, certain commands such as
          <command>rndc tsig-list</command> and
          <command>rndc zonestatus</command> could return
          truncated output.)
        </para>
      </listitem>
      <listitem>
        <para>
          Errors reported when running <command>rndc addzone</command>
          (e.g., when a zone file cannot be loaded) have been clarified
          to make it easier to diagnose problems.
        </para>
      </listitem>
      <listitem>
        <para>
          When encountering an authoritative name server whose name is
          an alias pointing to another name, the resolver treats
          this as an error and skips to the next server. Previously
          this happened silently; now the error will be logged to
          the newly-created "cname" log category.
        </para>
      </listitem>
      <listitem>
        <para>
          If <command>named</command> is not configured to validate
          answers, it now falls back to plain DNS on timeout even when
          the server is known to support EDNS.  This potentially allows
          the server to resolve signed queries when TCP is being
          blocked.
        </para>
      </listitem>
      <listitem>
        <para>
          Large inline-signing changes should be less disruptive.
          Signature generation is now done incrementally; the number
          of signatures to be generated in each quantum is controlled
          by "sig-signing-signatures <replaceable>number</replaceable>;".
          [RT #37927]
        </para>
      </listitem>
      <listitem>
        <para>
          The experimental SIT option (code point 65001) of BIND
          9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
          option (code point 10). It is no longer experimental, and
          is sent by default, by both <command>named</command> and
          <command>dig</command>.
        </para>
        <para>
          The SIT-related <filename>named.conf</filename> options have
          been marked as obsolete, and are otherwise ignored.
        </para>
      </listitem>
      <listitem>
        <para>
          When <command>dig</command> receives a truncated (TC=1)
          response or a BADCOOKIE response code from a server, it
          will automatically retry the query using the server COOKIE
          that was returned by the server in its initial response.
          [RT #39047]
        </para>
      </listitem>
      <listitem>
        <para>
          Retrieving the local port range from net.ipv4.ip_local_port_range
          on Linux is now supported.
        </para>
      </listitem>
      <listitem>
        <para>
          A new <option>nsip-wait-recurse</option> directive has been
          added to RPZ, specifying whether to look up unknown name server
          IP addresses and wait for a response before applying RPZ-NSIP rules.
          The default is <userinput>yes</userinput>. If set to
          <userinput>no</userinput>, <command>named</command> will only
          apply RPZ-NSIP rules to servers whose addresses are already cached.
          The addresses will be looked up in the background so the rule can
          be applied on subsequent queries. This improves performance when
          the cache is cold, at the cost of temporary imprecision in applying
          policy directives. [RT #35009]
        </para>
      </listitem>
      <listitem>
        <para>
          Within the <option>response-policy</option> option, it is now
          possible to configure RPZ rewrite logging on a per-zone basis
          using the <option>log</option> clause.
        </para>
      </listitem>
      <listitem>
        <para>
          The default preferred glue is now the address type of the
          transport the query was received over.
        </para>
      </listitem>
      <listitem>
        <para>
          On machines with two or more processors (CPUs), the default value
          for the number of UDP listeners has been changed to the number
          of detected processors minus one.
        </para>
      </listitem>
      <listitem>
        <para>
          Zone transfers now use smaller message sizes to improve
          message compression. This results in reduced network usage.
        </para>
      </listitem>
      <listitem>
        <para>
          Added support for the AVC resource record type (Application
          Visibility and Control).
        </para>
      </listitem>
      <listitem>
        <para>
          Changed <command>rndc reconfig</command> behavior so that newly
          added zones are loaded asynchronously and the loading does not
          block the server.
        </para>
      </listitem>
      <listitem>
        <para>
          <command>minimal-responses</command> now takes two new
          arguments: <option>no-auth</option> suppresses
          populating the authority section but not the additional
          section; <option>no-auth-recursive</option>
          does the same but only when answering recursive queries.
        </para>
      </listitem>
      <listitem>
        <para>
          At server startup time, the queues for processing
          notify and zone refresh queries are now processed in
          LIFO rather than FIFO order, to speed up
          loading of newly added zones. [RT #42825]
        </para>
      </listitem>
      <listitem>
        <para>
          When answering queries of type MX or SRV, TLSA records for
          the target name are now included in the additional section
          to speed up DANE processing. [RT #42894]
        </para>
      </listitem>
      <listitem>
        <para>
          <command>named</command> can now use the TCP Fast Open
          mechanism on the server side, if supported by the
          local operating system. [RT #42866]
        </para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes-9.11.0-bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
        <para>
          Fixed a crash when calling <command>rndc stats</command> on some
          Windows builds: some Visual Studio compilers generate code that
          crashes when the "%z" printf() format specifier is used. [RT #42380]
        </para>
      </listitem>
      <listitem>
        <para>
          Windows installs were failing due to triggering UAC without
          the installation binary being signed.
        </para>
      </listitem>
      <listitem>
        <para>
          A change in the internal binary representation of the RBT database
          node structure enabled a race condition to occur (especially when
          BIND was built with certain compilers or optimizer settings),
          leading to inconsistent database state which caused random
          assertion failures. [RT #42380]
        </para>
      </listitem>
    </itemizedlist>
  </section>

</section>