.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.20.0
---------------------

.. note:: This section only lists changes since BIND 9.18.28, the most
          recent release on the previous stable branch of BIND at the
          time of the publication of BIND 9.20.0.

New Features
~~~~~~~~~~~~

- The :any:`forwarders` statement now supports the :any:`tls` argument,
  to be used to forward queries to DoT-enabled servers. :gl:`#3726`

- :iscman:`named` now supports forwarding Dynamic DNS updates through
  DNS-over-TLS (DoT). :gl:`#3512`

- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT).
  :gl:`!6752`

- The :any:`tls` block was extended with a new :any:`cipher-suites` option
  that allows permitted cipher suites for TLSv1.3 to be set. Please
  consult the documentation for additional details.
  :gl:`#3504`

- Initial support for the PROXYv2 protocol was added. :iscman:`named`
  can now accept PROXYv2 headers over all currently implemented DNS
  transports and :iscman:`dig` can insert these headers into the queries
  it sends. Please consult the related documentation
  (:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and
  :any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and
  :option:`dig +proxy-plain` for :iscman:`dig`) for additional details.
  :gl:`#4388`

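The security-relevant point of the PROXYv2 item is that the header is unauthenticated: whoever is allowed to send one can assert any client address, which then feeds ACLs, logging and rate limiting. The Python below is an added example, not BIND code: it parses a v2 header as a DNS front end would, and applies an allow-list of proxy peers in the spirit of :any:`allow-proxy`. The addresses, the ``build_proxy_v2`` helper used to construct test input, and the refuse-rather-than-ignore policy for unlisted peers are this example's own choices, not :iscman:`named`'s behaviour.

```python
"""PROXY protocol v2 header parsing for a DNS front end.

Added example, not BIND code. Demonstrates the point behind allow-proxy /
allow-proxy-on: the header is unauthenticated, so only listed proxy peers may
assert a client address. Addresses, the allow-list and the refuse-rather-than-
ignore policy for unlisted peers are this example's own choices.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte signature opening every v2 header
_FAMILIES = {0: "UNSPEC", 1: "INET", 2: "INET6", 3: "UNIX"}
_TRANSPORTS = {0: "UNSPEC", 1: "STREAM", 2: "DGRAM"}


@dataclass
class ProxyHeader:
    command: str                 # "LOCAL" (no client info) or "PROXY"
    family: str
    transport: str
    src: Optional[str]           # client address asserted by the proxy
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    length: int                  # header bytes consumed; the DNS message starts here


def is_proxy_v2(buf: bytes) -> bool:
    return buf[:12] == PROXY_V2_SIG


def parse_proxy_v2(buf: bytes) -> ProxyHeader:
    """Parse a v2 header at the start of buf; ValueError on anything malformed."""
    if len(buf) < 16 or not is_proxy_v2(buf):
        raise ValueError("no PROXYv2 signature")
    ver_cmd, fam_tr, addr_len = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2 or (ver_cmd & 0x0F) not in (0, 1):
        raise ValueError("unsupported version or command")
    if (fam_tr >> 4) not in _FAMILIES or (fam_tr & 0x0F) not in _TRANSPORTS:
        raise ValueError("unknown address family or transport")
    if len(buf) < 16 + addr_len:
        raise ValueError("truncated address block")
    command = "LOCAL" if (ver_cmd & 0x0F) == 0 else "PROXY"
    family, transport = _FAMILIES[fam_tr >> 4], _TRANSPORTS[fam_tr & 0x0F]
    length = 16 + addr_len
    if command == "LOCAL" or family not in ("INET", "INET6"):
        # LOCAL (e.g. proxy health checks) and UNIX/UNSPEC carry no usable client IP:
        # the real peer address must be used instead.
        return ProxyHeader(command, family, transport, None, None, None, None, length)
    fmt, need, cls = (("!4s4sHH", 12, ipaddress.IPv4Address) if family == "INET"
                      else ("!16s16sHH", 36, ipaddress.IPv6Address))
    if addr_len < need:
        raise ValueError("address block too short for " + family)
    s, d, sp, dp = struct.unpack(fmt, buf[16:16 + need])
    return ProxyHeader(command, family, transport, str(cls(s)), str(cls(d)), sp, dp, length)


def proxy_permitted(peer_ip: str, allowed_proxies: Iterable[str]) -> bool:
    """The allow-proxy check: may this peer speak PROXYv2 to us at all?"""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(net) for net in allowed_proxies)


def accept_from_proxy(peer_ip: str, allowed_proxies: Iterable[str], buf: bytes) -> Tuple[str, bytes]:
    """Return (address to use for ACLs/logging/rate limits, DNS payload)."""
    if not proxy_permitted(peer_ip, allowed_proxies):
        # An unlisted peer could otherwise impersonate any client address.
        raise PermissionError("PROXYv2 header from unlisted peer " + peer_ip)
    hdr = parse_proxy_v2(buf)
    return (hdr.src if hdr.src is not None else peer_ip), buf[hdr.length:]


def build_proxy_v2(src: str, dst: str, src_port: int, dst_port: int, dgram: bool = False) -> bytes:
    """Construct a PROXY-command header, as a proxy in front of named would prepend it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("mixed address families")
    fam_tr = ((1 if s.version == 4 else 2) << 4) | (2 if dgram else 1)
    body = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    return PROXY_V2_SIG + struct.pack("!BBH", 0x21, fam_tr, len(body)) + body
```

The allow-list check runs before any parsing, so a peer outside it never gets to influence the client address; a LOCAL command or a UNIX/UNSPEC family yields no address, and the real peer address is used.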
- The client-side support of the EDNS EXPIRE option has been expanded to
  include IXFR and AXFR query types. This enhancement enables
  :iscman:`named` to perform AXFR and IXFR queries while incorporating
  the EDNS EXPIRE option. :gl:`#4170`

- A new configuration option :any:`require-cookie` has been introduced.
  It specifies whether there should be a DNS COOKIE in the response for
  a given prefix; if not, :iscman:`named` falls back to TCP. This is
  useful if it is known that a given server supports DNS COOKIE. It can
  also be used to force all non-DNS COOKIE responses to fall back to
  TCP. :gl:`#2295`

- The :any:`check-svcb` option has been added to control the checking of
  additional constraints on SVCB records. This change affects
  :iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`,
  :iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576`

- The new :any:`resolver-use-dns64` option enables :iscman:`named` to
  apply :any:`dns64` rules to IPv4 server addresses when sending
  recursive queries, so that resolution can be performed over a NAT64
  connection. :gl:`#608`

- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`,
  that allows users to enable or disable the publication of CDNSKEY
  records. :gl:`#4050`

- When using :any:`dnssec-policy`, it is now possible to configure the
  digest type to use when CDS records need to be published with
  :any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS
  records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837`

- Support for multi-signer model 2 (:rfc:`8901`) when using
  :any:`inline-signing` was added. :gl:`#2710`

- HSM support was added to :any:`dnssec-policy`. Keys can now be
  configured with a ``key-store`` that allows users to set the directory
  where key files are stored and to set a PKCS#11 URI string. The latter
  requires OpenSSL 3 and a valid PKCS#11 provider to be configured for
  OpenSSL. :gl:`#1129`

- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key
  Signing Request (KSR) and Signed Key Response (SKR) files. :gl:`#1128`

- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a
  ``-J`` option to specify a journal file to read when loading the zone
  to be verified or signed. :gl:`#2486`

- :iscman:`dnssec-keygen` now allows the options :option:`-k
  <dnssec-keygen -k>` and :option:`-f <dnssec-keygen -f>` to be used
  together. This allows the creation of keys for a given
  :any:`dnssec-policy` that match only the KSK (``-fK``) or ZSK (``-fZ``)
  roles. :gl:`#1128`

- The :any:`response-policy` statement was extended with a new argument
  ``ede``. It enables an :rfc:`8914` Extended DNS Error (EDE) code of choice to
  be set for responses which have been modified by a given RPZ. :gl:`#3410`

- A new way of configuring the preferred source address when talking to
  remote servers, such as :any:`primaries` and :any:`parental-agents`,
  has been added: setting the ``source`` and/or ``source-v6`` arguments
  for a given statement is now possible. This new approach is intended
  to eventually replace statements such as :any:`parental-source`,
  :any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762`

- The new command-line :option:`delv +ns` option activates name server
  mode, to more accurately reproduce the behavior of :iscman:`named`
  when resolving a query. In this mode, :iscman:`delv` uses an internal
  recursive resolver rather than an external server. All messages sent
  and received during the resolution and validation process are logged.
  This can be used in place of :option:`dig +trace`. :gl:`#3842`

- The read timeout in :iscman:`rndc` can now be specified on the command
  line using the :option:`-t <rndc -t>` option, allowing commands that
  take a long time to complete sufficient time to do so. :gl:`#4046`

- The statistics channel now includes information about incoming zone
  transfers that are currently in progress. :gl:`#3883`

- Information on incoming zone transfers in the statistics channel now
  also shows the zones' "first refresh" flag, which indicates that a zone
  is not fully ready and that its first ever refresh is pending or is in
  progress. The number of such zones is now also exposed by the
  :option:`rndc status` command. :gl:`#4241`

- Added a new statistics variable ``recursive high-water`` that reports
  the maximum number of simultaneous recursive clients BIND has handled
  while running. :gl:`#4668`

- A new command, :option:`rndc fetchlimit`, prints a list of name server
  addresses that are currently rate-limited due to
  :any:`fetches-per-server` and domain names that are rate-limited due
  to :any:`fetches-per-zone`. :gl:`#665`

- Queries and responses now emit distinct dnstap entries for DNS-over-TLS
  (DoT) and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands
  these entries. :gl:`#4523`

- :iscman:`dnstap-read` can now print long timestamps with millisecond
  precision. :gl:`#2360`

- Support for libsystemd's ``sd_notify()`` function was added, enabling
  :iscman:`named` to report its status to the init system. This allows
  systemd to wait until :iscman:`named` is fully ready before starting
  other services that depend on name resolution. :gl:`#1176`

- Support for User Statically Defined Tracing (USDT) probes has been
  added. These probes enable fine-grained application tracing and
  introduce no overhead when they are not enabled. :gl:`#4041`

Removed Features
~~~~~~~~~~~~~~~~

- Support for Red Hat Enterprise Linux version 7 (and clones) has been
  dropped. A C11-compliant compiler is now required to compile BIND 9.
  :gl:`#3729`

- Compiling with `jemalloc`_ versions older than 4.0.0 is no longer
  supported; those versions do not provide the features required by
  current BIND 9 releases. :gl:`#4296`

- The ``auto-dnssec`` configuration statement has been removed. Please
  use :any:`dnssec-policy` or manual signing instead.
  See the article `how to migrate <https://kb.isc.org/docs/dnssec-key-and-signing-policy#migrate-to-dnssecpolicy>`_
  from ``auto-dnssec`` to :any:`dnssec-policy`.

  The following statements have become obsolete:
  :any:`dnskey-sig-validity`, :any:`dnssec-dnskey-kskonly`,
  :any:`dnssec-update-mode`, :any:`sig-validity-interval`, and
  :any:`update-check-ksk`. :gl:`#3672`

- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no
  longer trigger key rollovers and denial-of-existence operations. This
  also means that the :any:`dnssec-secure-to-insecure` option has been
  obsoleted. :gl:`#3686`

- The ``glue-cache`` *option* has been removed. The glue cache *feature*
  still works and is now permanently *enabled*. :gl:`#2147`

- Configuring the control channel to use a Unix domain socket has been a
  fatal error since BIND 9.18. The feature has now been completely
  removed and :iscman:`named-checkconf` now reports it as a
  configuration error. :gl:`#4311`

- The statements setting alternate local addresses for inbound zone
  transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and
  ``use-alt-transfer-source``) have been removed. :gl:`#3714`

- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval``
  statements have been removed. Using them is now a fatal error.
  :gl:`#4405`

- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout`
  values when the feature is turned on. When using a non-zero value,
  :iscman:`named` now generates a warning log message, and treats the
  value as ``0``. :gl:`#4447`

- The Differentiated Services Code Point (DSCP) feature has been
  removed: configuring DSCP values in ``named.conf`` is now a
  configuration error. :gl:`#3789`

- The ``keep-response-order`` option has been declared obsolete and the
  functionality has been removed. :iscman:`named` expects DNS clients to
  be fully compliant with :rfc:`7766`. :gl:`#3140`

- Zone type ``delegation-only``, and the ``delegation-only`` and
  ``root-delegation-only`` statements, have been removed. Using them is
  a configuration error.

  These statements were created to address the SiteFinder controversy,
  in which certain top-level domains redirected misspelled queries to
  other sites instead of returning NXDOMAIN responses. Since top-level
  domains are now DNSSEC-signed, and DNSSEC validation is active by
  default, the statements are no longer needed. :gl:`#3953`

- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options
  have been removed. The limits these options set should be enforced
  externally, either by manual configuration (e.g. using ``ulimit``) or
  via the process supervisor (e.g. ``systemd``). :gl:`#3676`

- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
  aes;``) has been removed. The only supported DNS COOKIE algorithm is
  now the current default, SipHash-2-4. :gl:`#4421`

- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been
  removed and using TKEY Mode 2 is now a fatal error. Users are advised
  to switch to TKEY Mode 3 (GSS-API). :gl:`#3905`

- Special-case code that was originally added to allow GSS-TSIG to work
  around bugs in the Windows 2000 version of Active Directory has now
  been removed, since Windows 2000 is long past end-of-life. The
  :option:`-o <nsupdate -o>` option and the ``oldgsstsig`` command to
  :iscman:`nsupdate` have been deprecated, and are now treated as
  synonyms for :option:`-g <nsupdate -g>` and ``gsstsig`` respectively.
  :gl:`#4012`

- Support for the ``lock-file`` statement and the ``named -X``
  command-line option has been removed. An external process supervisor
  should be used instead. :gl:`#4391`

  Alternatively, the ``flock`` utility (part of util-linux) can be used
  on Linux systems to achieve the same effect as ``lock-file`` or
  ``named -X``:

  ::

    flock -n -x <directory>/named.lock <path>/named <arguments>

- The :iscman:`named` command-line option :option:`-U <named -U>`, which
  specified the number of UDP dispatches, has been removed. Using it now
  returns a warning. :gl:`#1879`

- The ``--with-tuning`` option for ``configure`` has been removed. Each
  of the compile-time settings that required different values based on
  the "workload" (which were previously affected by the value of the
  ``--with-tuning`` option) has either been removed or changed to a
  sensible default. :gl:`#3664`

- The functions that were in the ``libbind9`` shared library have been
  moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty
  ``libbind9`` has been removed and is no longer installed. :gl:`#3903`

- The ``irs_resconf`` module has been moved to the ``libdns`` shared
  library. The now-empty ``libirs`` library has been removed and is no
  longer installed. :gl:`#3904`

.. _`jemalloc`: https://jemalloc.net/

Deprecated Features
~~~~~~~~~~~~~~~~~~~

Features listed in this section still work but are scheduled for eventual
removal.

- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options`
  and :namedconf:ref:`zone` blocks has been deprecated; it should now be
  configured as part of :any:`dnssec-policy`. A warning is logged if
  this option is used in :namedconf:ref:`options` or :any:`zone` blocks.
  In a future release, it will become nonoperational. :gl:`#2918`

- The :any:`sortlist` option has been deprecated and will be removed in a
  future BIND 9.21.x release. Users should not rely on a specific order
  of resource records in DNS messages. :gl:`#4593`

- The ``fixed`` value for the :any:`rrset-order` option and the
  corresponding ``configure`` script option have been deprecated and will
  be removed in a future BIND 9.21.x release. Users should not rely on a
  specific order of resource records in DNS messages. :gl:`#4446`

Feature Changes
~~~~~~~~~~~~~~~

- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data
  structures. :gl:`#3934`

- On Linux, `libcap`_ is now a required dependency to help :iscman:`named`
  keep needed privileges. :gl:`#3583`

- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher.
  libuv should be available on all supported platforms either as a
  native package or as a backport. :gl:`#3567`

- Outgoing zone transfers are no longer enabled by default. An explicit
  :any:`allow-transfer` ACL must now be set at the :any:`zone`,
  :any:`view`, or :namedconf:ref:`options` level to enable outgoing
  transfers. :gl:`#4728`

- DNS zones signed using :any:`dnssec-policy` now automatically detect
  their parent servers, and BIND queries them to check the content of the
  DS RRset. This allows DNSSEC key rollovers to safely and automatically
  proceed when the parent zone is updated with new DNSSEC keys, i.e.
  using the CDS/CDNSKEY mechanism. This behavior is facilitated by the
  new :any:`checkds` feature, which automatically populates
  :any:`parental-agents` by resolving the parent NS records. These parent
  name servers are queried to check the DS RRset during a KSK rollover
  initiated by :any:`dnssec-policy`. :gl:`#3901`

- The responsiveness of :iscman:`named` when serving as an authoritative
  DNS server for delegation-heavy zones shortly after loading them has
  been improved. :gl:`#4045`

- To improve query-processing latency under load, the uninterrupted time
  spent on resolving long chains of cached domain names has been
  reduced. :gl:`#4185`

- QNAME minimization is now used when looking up the addresses of name
  servers during the recursive resolution process. :gl:`#4209`

- BIND now returns BADCOOKIE for out-of-date or otherwise bad but
  well-formed DNS server cookies. :gl:`#4194`

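Three items in these notes concern DNS COOKIE handling: :any:`require-cookie` (a resolver that expects a server cookie and otherwise falls back to TCP), the removal of the AES cookie algorithm in favour of SipHash-2-4, and the BADCOOKIE response for cookies that are well-formed but stale or wrong. The Python below is an added example (not ISC code) that ties them together: it builds a server cookie in the :rfc:`9018` format, hashed with SipHash-2-4, and classifies a received COOKIE option into the outcomes a server must tell apart. The secret, client cookie, client addresses and timestamps are constructed; SipHash is implemented here because ``hashlib`` does not provide it, the one-hour/five-minute validity window follows RFC 9018 section 4.3, and the hash bytes use the SipHash reference output (little-endian) order.

```python
"""DNS COOKIE (RFC 7873) server cookies in the RFC 9018 format, hashed with
SipHash-2-4, and the decision a server makes when a query carries one.

Added example, not BIND code. hashlib has no SipHash, so it is implemented
here; the secret, client cookie, addresses and timestamps are constructed.
"""
import hmac
import ipaddress
import struct

MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key: bytes, data: bytes) -> int:
    """SipHash-2-4 with a 128-bit key; returns the 64-bit tag as an int."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def sipround() -> None:
        v[0] = (v[0] + v[1]) & MASK64; v[1] = _rotl(v[1], 13); v[1] ^= v[0]; v[0] = _rotl(v[0], 32)
        v[2] = (v[2] + v[3]) & MASK64; v[3] = _rotl(v[3], 16); v[3] ^= v[2]
        v[0] = (v[0] + v[3]) & MASK64; v[3] = _rotl(v[3], 21); v[3] ^= v[0]
        v[2] = (v[2] + v[1]) & MASK64; v[1] = _rotl(v[1], 17); v[1] ^= v[2]; v[2] = _rotl(v[2], 32)

    n = len(data)
    for i in range(0, n - n % 8, 8):             # two compression rounds per 8-byte word
        m = struct.unpack("<Q", data[i:i + 8])[0]
        v[3] ^= m; sipround(); sipround(); v[0] ^= m
    # Final word: the remaining bytes plus the message length in the top byte.
    last = ((n & 0xFF) << 56) | int.from_bytes(data[n - n % 8:].ljust(8, b"\0"), "little")
    v[3] ^= last; sipround(); sipround(); v[0] ^= last
    v[2] ^= 0xFF                                  # four finalization rounds
    for _ in range(4):
        sipround()
    return v[0] ^ v[1] ^ v[2] ^ v[3]


COOKIE_VERSION = 1
MAX_AGE = 3600      # RFC 9018 §4.3: reject server cookies older than one hour ...
MAX_FUTURE = 300    # ... or more than five minutes in the future


def make_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str, now: int) -> bytes:
    """Version(1) | Reserved(3) | Timestamp(4) | SipHash-2-4(client cookie | those 8 bytes | client IP)."""
    head = struct.pack("!B3sI", COOKIE_VERSION, b"\0\0\0", now & 0xFFFFFFFF)
    tag = siphash24(secret, client_cookie + head + ipaddress.ip_address(client_ip).packed)
    return head + tag.to_bytes(8, "little")      # SipHash reference output byte order


def check_cookie_option(secret: bytes, option: bytes, client_ip: str, now: int) -> str:
    """Classify a received EDNS COOKIE option.

    "FORMERR":   malformed option (bad length); the query gets FORMERR.
    "NEW":       client cookie only; answer normally and attach a fresh server cookie.
    "VALID":     our cookie, fresh, bound to this client; answer normally.
    "BADCOOKIE": well-formed but stale, foreign or forged server cookie; answer
                 BADCOOKIE with a fresh cookie so the client retries.
    """
    if len(option) == 8:
        return "NEW"
    if not 16 <= len(option) <= 40:
        return "FORMERR"
    client_cookie, server_cookie = option[:8], option[8:]
    if len(server_cookie) != 16 or server_cookie[0] != COOKIE_VERSION:
        return "BADCOOKIE"
    ts = struct.unpack("!I", server_cookie[4:8])[0]
    age = (now - ts) & 0xFFFFFFFF                 # 32-bit serial arithmetic
    if MAX_AGE < age < (1 << 32) - MAX_FUTURE:
        return "BADCOOKIE"
    # Recompute with the embedded timestamp, then compare in constant time.
    expected = make_server_cookie(secret, client_cookie, client_ip, ts)
    return "VALID" if hmac.compare_digest(expected, server_cookie) else "BADCOOKIE"
```

Because the client address is part of the hashed input, a cookie captured from one client is rejected when replayed from another address, and because the timestamp is authenticated by the hash, a client cannot refresh a stale cookie by editing it; both cases come back as BADCOOKIE rather than as a silent fallback.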
- The DNS name compression algorithm used in BIND 9 has been revised: it
  now compresses more thoroughly than before, so responses containing
  names with many labels might have a smaller encoding than before.
  :gl:`#3661`

- Processing large incremental transfers (IXFR) has been offloaded to a
  separate work thread so that it does not prevent networking threads
  from processing regular traffic in the meantime. :gl:`#4367`

- Querying the statistics channel no longer blocks DNS communication on
  the networking event loop level. :gl:`#4680`

- The :any:`inline-signing` zone option is now ignored if there is no
  :any:`dnssec-policy` configured for the zone. This means that unsigned
  zones no longer create redundant signed versions of the zone.
  :gl:`#4349`

- The :any:`inline-signing` statement can now also be set inside
  :any:`dnssec-policy`. The default is to use :any:`inline-signing`.
  This also applies to the built-in policies ``default`` and ``insecure``.
  If :any:`inline-signing` is set at the ``zone`` level, it overrides the
  value set in :any:`dnssec-policy`. :gl:`#3677`

- Due to the change in default value from ``no`` to ``yes``,
  DNSSEC-enabled dynamic zones that do not have :any:`inline-signing`
  explicitly set must now add the option to their configuration with the
  value ``no`` if they do not want their zone also to be inline-signed.

- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only
  allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using
  NSEC3 that the policy manages. :gl:`#4363`

- The maximum number of NSEC3 iterations allowed for validation purposes
  has been lowered from 150 to 50. DNSSEC responses containing NSEC3
  records with iteration counts greater than 50 are now treated as
  insecure. :gl:`#4363`

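To make the two NSEC3 iteration limits above concrete, here is an added Python example (not BIND code) that computes NSEC3 owner-name hashes as :rfc:`5155` specifies and reports how a zone's NSEC3PARAM iteration count fares against the signer limit (0) and the validator limits before (150) and after (50) this change. Every extra iteration is one more SHA-1 over the salted digest that every validator has to repeat for each name it checks, which is the cost :rfc:`9276` argues is not worth paying. The NSEC3PARAM strings are constructed; the one hash value checked is the RFC 5155 Appendix A example zone.

```python
"""NSEC3 owner-name hashing (RFC 5155 §5) and the iteration limits in these notes.

Added example, not BIND code. The NSEC3PARAM strings used are constructed;
the one hash value checked is the RFC 5155 Appendix A example zone.
"""
import base64
import hashlib

SIGNER_MAX_ITERATIONS = 0            # dnssec-policy refuses anything higher (RFC 9276)
VALIDATOR_MAX_ITERATIONS_9_20 = 50   # above this a response is treated as insecure
VALIDATOR_MAX_ITERATIONS_9_18 = 150  # the previous validator limit

# base32 (RFC 4648 §6) -> base32hex (RFC 4648 §7), the alphabet NSEC3 owner names use
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, hash_alg: int = 1) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    if hash_alg != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):                   # each iteration is one more SHA-1 per name
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def parse_nsec3param(rdata: str):
    """'hash-alg flags iterations salt' as printed in a zone file; '-' is the empty salt."""
    alg, flags, iterations, salt = rdata.split()
    return int(alg), int(flags), int(iterations), (b"" if salt == "-" else bytes.fromhex(salt))


def iteration_policy(iterations: int) -> dict:
    """How a zone with this iteration count fares under the 9.20 limits."""
    return {
        "dnssec_policy_will_sign": iterations <= SIGNER_MAX_ITERATIONS,
        "validated_as_secure_9_20": iterations <= VALIDATOR_MAX_ITERATIONS_9_20,
        "validated_as_secure_9_18": iterations <= VALIDATOR_MAX_ITERATIONS_9_18,
        "sha1_calls_per_name": iterations + 1,
    }


def assess_zone(nsec3param_rdata: str) -> dict:
    """Convenience wrapper: assess a zone straight from its NSEC3PARAM rdata text."""
    _, _, iterations, _ = parse_nsec3param(nsec3param_rdata)
    return iteration_policy(iterations)
```

A zone signed with ``1 0 100 -`` validated as secure under 9.18 but is treated as insecure under 9.20, so an operator still running such a zone loses DNSSEC protection at 9.20 validators rather than merely burning their CPU; the fix on the signing side is to re-sign with 0 iterations, which :any:`dnssec-policy` now enforces.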
- The ``dnssec-validation yes`` option now requires an explicitly
  configured :any:`trust-anchors` statement. If using manual trust
  anchors is not operationally required, then please consider using
  ``dnssec-validation auto`` instead. :gl:`#4373`

- :iscman:`named-compilezone` no longer performs zone integrity checks
  by default; this allows faster conversion of a zone file from one
  format to another. :gl:`#4364`

  Zone checks can be performed by running :iscman:`named-checkzone`
  separately, or the previous default behavior can be restored by using:

  ::

    named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail

- The red-black tree data structure used in the RBTDB (the default
  database implementation for cache and zone databases), has been
  replaced with QP-tries. This is expected to improve performance and
  scalability, though in the current implementation large zones require
  roughly 15% more memory than the old red-black tree data structure.

  A side effect of this change is that zone files that are created with
  :any:`masterfile-style` ``relative`` - for example, the output of
  :any:`dnssec-signzone` - will no longer have multiple different
  ``$ORIGIN`` statements. There should be no other changes to server
  behavior.

  The old RBT-based database still exists for now, and can be used by
  specifying ``database rbt`` in a ``zone`` statement in ``named.conf``,
  or by compiling with ``configure --with-zonedb=rbt
  --with-cachedb=rbt``. :gl:`#4411` :gl:`#4614`

- Multiple RNDC messages are now processed when sent in a single TCP
  message.

  ISC would like to thank Dominik Thalhammer for reporting the issue and
  preparing the initial patch. :gl:`#4416`

- The DNSSEC signing data included in zone statistics identified
  keys only by the key ID; this caused confusion when two keys using
  different algorithms had the same ID. Zone statistics now identify
  keys using the algorithm number, followed by "+", followed by the
  key ID: for example, ``8+54274``. :gl:`#3525`

- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was
  previously set to 0. It is now changed to match the SOA MINIMUM value
  for the given zone. :gl:`#3570`

- On startup, :iscman:`named` now sets the limit on the number of open
  files to the maximum allowed by the operating system, instead of
  trying to set it to "unlimited". :gl:`#3676`

- When an international domain name is not valid according to IDNA2008,
  :iscman:`dig` now tries to convert it according to IDNA2003 rules, or
  pass it through unchanged, instead of stopping with an error message.
  The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527`

- The memory statistics have been reduced to a single counter,
  ``InUse``; ``Malloced`` is an alias that holds the same value. The
  other counters were usable with the old BIND 9 internal memory
  allocator, but they are unnecessary now that the latter has been
  removed. :gl:`#3718`

- The log message ``resolver priming query complete`` has been moved
  from the INFO log level to the DEBUG(1) log level, to prevent
  :iscman:`delv` from emitting that message when setting up its internal
  resolver. :gl:`#3842`

- Worker threads' event loops are now managed by a new "loop manager"
  API, significantly changing the architecture of the task, timer, and
  networking subsystems for improved performance and code flow.
  :gl:`#3508`

- The code for DNS over TCP and DNS over TLS transports has been
  replaced with a new, unified transport implementation. :gl:`#3374`

.. _`liburcu`: https://liburcu.org/
.. _`libcap`: https://sites.google.com/site/fullycapable/

Bug Fixes
~~~~~~~~~

- When the same :any:`notify-source` address and port number was
  configured for multiple destinations and zones, an unresponsive server
  could tie up the relevant network socket until it timed out; in the
  meantime, NOTIFY messages for other servers silently failed.
  :iscman:`named` will now retry sending such NOTIFY messages over TCP.
  Furthermore, NOTIFY failures are now logged at the INFO level.
  :gl:`#4001` :gl:`#4002`

- DNS compression is no longer applied to the root name (``.``) if it is
  repeatedly used in the same RRset. :gl:`#3423`

- :iscman:`named` could incorrectly return non-truncated, glueless
  referrals for responses whose size was close to the UDP packet size
  limit. This has been fixed. :gl:`#1967`

Known Issues
~~~~~~~~~~~~

- On some platforms, including FreeBSD, :iscman:`named` must be run as
  root to use the :iscman:`rndc` control channel on a privileged port
  (i.e., with a port number less than 1024; this includes the default
  :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the
  :option:`named -u` option to switch to an unprivileged user makes
  :iscman:`rndc` unusable. This will be fixed in a future release; in
  the meantime, ``mac_portacl`` can be used as a workaround, as
  documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793`

- See :ref:`above <relnotes_known_issues>` for a list of all known issues
  affecting this BIND 9 branch.
    485