.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

BIND 9.20.13
------------

New Features
~~~~~~~~~~~~

- Add manual mode configuration option to dnssec-policy. ``1e435b107f``

  Add a new option ``manual-mode`` to :any:`dnssec-policy`. When it is
  enabled, the next state transition is not made automatically;
  instead, the transition is logged and is made only after manual
  confirmation with ``rndc dnssec -step``. :gl:`#4606` :gl:`!10880`

- Add a new 'servfail-until-ready' configuration option for RPZ.
  ``925af17d21``

  By default, when :iscman:`named` is started it may start answering
  queries before the response policy zones are completely loaded and
  processed. This new option tells :iscman:`named` to answer incoming
  requests with SERVFAIL until all the response policy zones are
  processed and ready. Note that if one or more response policy zones
  fail to load, :iscman:`named` starts responding to queries according
  to those zones that did load.

  Note that enabling this option has no effect when a DNS Response
  Policy Service (DNSRPS) interface is used. :gl:`#5222` :gl:`!10889`

- Support for parsing HHIT and BRID records has been added.
  ``1f051af24d``

  :gl:`#5444` :gl:`!10932`

Removed Features
~~~~~~~~~~~~~~~~

- Deprecate the "tkey-gssapi-credential" statement. ``b239a70cac``

  The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up
  in a simpler and more reliable way than using the
  :any:`tkey-gssapi-credential` statement and setting environment
  variables (e.g. ``KRB5_KTNAME``). Therefore, the
  :any:`tkey-gssapi-credential` statement has been deprecated;
  :any:`tkey-gssapi-keytab` should be used instead.

  For configurations currently using a combination of both
  :any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
  latter should be dropped and the keytab pointed to by
  :any:`tkey-gssapi-keytab` should now only contain the credential
  previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204`
  :gl:`!10924`

- Obsolete the "tkey-domain" statement. ``9352ae65d7``

  Mark the ``tkey-domain`` statement as obsolete, since it has not had
  any effect on server behavior since support for TKEY Mode 2
  (Diffie-Hellman) was removed (in BIND 9.20.0). :gl:`#4204`
  :gl:`!10926`

Feature Changes
~~~~~~~~~~~~~~~

- Update clang-format style with options added in newer versions.
  ``0c2c477c31``

  Add and apply the InsertBraces statement to add missing curly braces
  around one-line statements, and use
  ControlStatementsExceptControlMacros for SpaceBeforeParens to remove
  the space between a foreach macro and the brace, e.g.
  ``FOREACH (x) {`` becomes ``FOREACH(x) {``. :gl:`!10864`

Bug Fixes
~~~~~~~~~

- Ensure file descriptors 0-2 are in use. ``35dee6eb90``

  libuv expects file descriptors <= STDERR_FILENO to be in use.
  Otherwise, it may abort when closing a file descriptor it opened.
  :gl:`#5226` :gl:`!10908`

- Prevent spurious SERVFAILs for certain 0-TTL resource records.
  ``6b266b222c``

  Under certain circumstances, BIND 9 can return SERVFAIL when updating
  existing entries in the cache with new NS, A, AAAA, or DS records with
  0-TTL. :gl:`#5294` :gl:`!10898`

- Use DNS_RDATACOMMON_INIT to hide branch differences. ``a64df9729b``

  Initialization of the common members of rdata type structures varies
  across branches. Standardize it by using the ``DNS_RDATACOMMON_INIT``
  macro for all types, so that new types are more likely to use it, and
  hence backport more cleanly. :gl:`#5467` :gl:`!10834`

- RPZ canonical warning displays zone entry incorrectly. ``d833676515``

  When an IPv6 RPZ prefix entry was entered incorrectly, the log
  message displayed only the prefix rather than the full entry. This
  has been corrected. :gl:`#5491` :gl:`!10930`

- Fix a catalog zone issue when having an unset 'default-primaries'
  configuration clause. ``293e75af28``

  A catalog zone with an unset ``default-primaries`` clause could cause
  an unexpected termination of the :iscman:`named` process after two
  reloading or reconfiguration commands. This has been fixed.
  :gl:`#5494` :gl:`!10905`

- Add and use __attribute__((nonnull)) in dnssec-signzone.c.
  ``a8eed36d3e``

  Clang 20 was spuriously warning about the possibility of passing a
  NULL file pointer to ``fprintf()``, which uses the 'nonnull'
  attribute. To silence the warning, the functions calling
  ``fprintf()`` have been marked with the same attribute to ensure that
  NULL can't be passed to them in the first place.

  Close #5487 :gl:`!10913`

- RPZ 'servfail-until-ready': skip updating SERVFAIL cache.
  ``af2fb26325``

  In order to not pollute the SERVFAIL cache with the configured
  SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
  attribute for the client. :gl:`!10940`
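The "Ensure file descriptors 0-2 are in use" fix above relies on a general start-up hardening technique, shown here as an added example that is not BIND's or libuv's code: fill any closed standard descriptor with ``/dev/null`` so that no file or socket opened later can land on fd 0, 1 or 2. The helper names ``fd_is_open`` and ``ensure_std_fds`` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if fd refers to an open descriptor, 0 if it is closed. */
int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/*
 * Illustrative helper (hypothetical name, not a BIND or libuv function).
 * open() always returns the lowest unused descriptor, so opening
 * /dev/null repeatedly fills every gap in 0..2, lowest first.
 * Returns how many descriptors had to be filled, or -1 on error.
 */
int ensure_std_fds(void) {
    int filled = 0;

    for (;;) {
        int fd = open("/dev/null", O_RDWR);
        if (fd < 0) {
            return -1; /* invariant cannot be guaranteed; caller should exit */
        }
        if (fd > STDERR_FILENO) {
            close(fd); /* 0..2 were all in use; drop the probe descriptor */
            return filled;
        }
        filled++; /* fd now occupies a slot that was closed; keep it open */
    }
}

int main(void) {
    /* Simulate a parent that started the process with stdin closed. */
    close(STDIN_FILENO);
    int filled = ensure_std_fds();
    printf("filled %d descriptor(s); stdin open: %d\n", filled,
           fd_is_open(STDIN_FILENO));
    return filled < 0;
}
```

Call such a helper before any library initialization that opens descriptors of its own, so the invariant holds from the first ``open()`` onward.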