.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.20.2
---------------------

New Features
~~~~~~~~~~~~

- Support for Offline KSK has been implemented.

  A new configuration option, :any:`offline-ksk`, enables Offline KSK key
  management. Signed Key Response (SKR) files created with
  :iscman:`dnssec-ksr` (or other programs) can now be imported into
  :iscman:`named` with the new :option:`rndc skr -import <rndc skr>`
  command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and
  generating signatures covering these types, :iscman:`named` loads these
  records from the currently active bundle of the imported SKR.

  The implementation is loosely based on
  `draft-icann-dnssec-keymgmt-01.txt
  <https://web.archive.org/web/20250121040252/https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt>`_.
  :gl:`#1128`

- Print the full path of the working directory in startup log messages.

  :iscman:`named` now prints its initial working directory during
  startup, and the changed working directory when loading or reloading
  its configuration file, if it has a valid :any:`directory` option
  defined. :gl:`#4731`

- Support a restricted key tag range when generating new keys.

  When multiple signers are used to sign a zone, it is useful to be able
  to restrict each signer to its own range of key tags, so that the keys
  of different signers do not collide on a key tag. The range can be
  specified with ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys
  <dnssec-policy-keys>` (for :iscman:`named` and :iscman:`dnssec-ksr`)
  and with the new options :option:`dnssec-keyfromlabel -M` and
  :option:`dnssec-keygen -M`. :gl:`#4830`

Feature Changes
~~~~~~~~~~~~~~~

- Exempt prefetches from the :any:`fetches-per-zone` and
  :any:`fetches-per-server` quotas.

  Fetches generated automatically as a result of :any:`prefetch` are now
  exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server`
  quotas. This helps keep the cache populated so that query responses
  can be served from it. :gl:`#4219`

- Improve performance for queries that require an NSEC3 wildcard proof.

  Rather than starting from the longest matching part of the requested
  name, look up the shortest partial match first. Most of the time this
  will be the actual closest encloser. :gl:`#4460`

- Follow the number of CPUs set by ``taskset``/``cpuset``.

  Administrators may wish to constrain the set of cores that
  :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl``
  programs (or equivalents on other OSes).

  If the administrator has done so, :iscman:`named` now automatically
  uses the number of CPUs in that set rather than the system-wide count.
  :gl:`#4884`

Bug Fixes
~~~~~~~~~

- Delay the release of root privileges until after configuring controls.

  Relinquishing root privileges is now delayed until the control channel
  has been configured, for the benefit of systems that require root to
  bind privileged port numbers. This mostly affects systems without
  fine-grained privilege mechanisms (i.e., other than Linux). :gl:`#4793`

- Fix a rare assertion failure when shutting down an incoming transfer.

  A very rare assertion failure could be triggered when an incoming
  transfer was either forcefully shut down, or finished while its details
  were being printed by the statistics channel. This has been fixed.
  :gl:`#4860`

- Fix an algorithm rollover bug when there are two keys with the same
  key tag.

  During an algorithm rollover, if two keys of different algorithms
  shared the same key tag, the check of whether a key matched a specific
  state could be performed against the wrong key. Key tags are a 16-bit
  checksum over the DNSKEY RDATA and do not uniquely identify a key, so
  this has been fixed by matching not only on the key tag but also on the
  key algorithm. :gl:`#4878`

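The two items above on key tags (the restricted ``tag-range`` feature and this rollover fix) turn on the same property: a key tag is a 16-bit checksum of the DNSKEY RDATA, not a unique identifier. The following Python is an added example, not part of these release notes or of BIND's code. It implements the RFC 4034 Appendix B key-tag calculation, builds two constructed KSKs of different algorithms (13, ECDSAP256SHA256, and 8, RSASHA256) that share a key tag, and shows that a state lookup by tag alone is ambiguous while a lookup by (tag, algorithm) is exact. It then sketches the rejection idea behind a restricted tag range, where two signers drawing from disjoint ranges cannot collide on a tag. The key bodies, labels and state names are invented filler, and ``generate_in_range`` illustrates the idea rather than what ``dnssec-keygen`` actually does.

```python
"""Key tags, cross-algorithm tag collisions and tag ranges.

Added example, not BIND code. Key material below is constructed filler.
"""
import random
import struct
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over the full DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


@dataclass(frozen=True)
class DnsKey:
    label: str        # hypothetical name, demo only
    flags: int
    algorithm: int
    pubkey: bytes
    state: str        # hypothetical key-state label, e.g. "omnipresent"

    @property
    def tag(self) -> int:
        return key_tag(dnskey_rdata(self.flags, self.algorithm, self.pubkey))


def find_keys(keys, tag, algorithm=None):
    """Select keys by tag, optionally narrowed by algorithm."""
    return [k for k in keys
            if k.tag == tag and (algorithm is None or k.algorithm == algorithm)]


def forge_tail_for_tag(flags: int, algorithm: int, body: bytes, target: int) -> bytes:
    """Append two bytes to `body` so the DNSKEY built from it has tag `target`.
    Demo-only helper for building a deliberate collision: the trailing 16-bit
    word reaches all but at most one tag value, so an exhaustive search is cheap."""
    prefix = dnskey_rdata(flags, algorithm, body)
    for w in range(0x10000):
        tail = bytes((w >> 8, w & 0xFF))
        if key_tag(prefix + tail) == target:
            return body + tail
    raise ValueError("target tag unreachable with a two-byte tail")


def in_tag_range(tag: int, lo: int, hi: int) -> bool:
    return lo <= tag <= hi


def generate_in_range(flags, algorithm, lo, hi, seed, max_tries=100_000):
    """Draw candidate (filler) keys until the tag lands in [lo, hi]: the
    rejection idea behind a restricted tag range, not BIND's implementation."""
    rng = random.Random(seed)
    for attempt in range(1, max_tries + 1):
        pubkey = rng.getrandbits(256).to_bytes(32, "big")
        key = DnsKey(f"cand{attempt}", flags, algorithm, pubkey, "hidden")
        if in_tag_range(key.tag, lo, hi):
            return key
    raise RuntimeError("no candidate in range")


# Constructed collision: an ECDSAP256SHA256 KSK (alg 13) and an RSASHA256 KSK
# (alg 8) sharing one key tag, as can happen during an algorithm rollover.
ECDSA_KSK = DnsKey("ksk-ecdsa", 257, 13, bytes(range(1, 33)), "omnipresent")
RSA_KSK = DnsKey("ksk-rsa", 257, 8,
                 forge_tail_for_tag(257, 8, bytes(range(64, 94)), ECDSA_KSK.tag),
                 "rumoured")
ZONE_KEYS = [ECDSA_KSK, RSA_KSK]


def state_of(keys, tag, algorithm=None):
    """The lookup the fix is about: by tag alone it is ambiguous (None),
    by (tag, algorithm) it is exact."""
    hits = find_keys(keys, tag, algorithm)
    return hits[0].state if len(hits) == 1 else None


def main():
    print(f"ECDSA KSK tag={ECDSA_KSK.tag}  RSA KSK tag={RSA_KSK.tag}")
    print("by tag only:", state_of(ZONE_KEYS, ECDSA_KSK.tag))       # None
    print("by tag+alg :", state_of(ZONE_KEYS, ECDSA_KSK.tag, 13))   # omnipresent
    a = generate_in_range(256, 13, 0, 32767, seed=1)
    b = generate_in_range(256, 13, 32768, 65535, seed=2)
    print(f"signer A tag={a.tag} (0-32767), signer B tag={b.tag} (32768-65535)")


if __name__ == "__main__":
    main()
```

The filler ECDSA key has tag 1311 and the RSA key is forged to match it; with both present, ``state_of`` by tag alone cannot say which key is omnipresent, which is exactly the ambiguity the rollover fix removes by also matching on the algorithm. The disjoint ranges in ``main`` are the multi-signer case from the ``tag-range`` item: keys generated under non-overlapping ranges can never share a tag.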
- Fix an assertion failure in ``validate_dnskey_dsset_done()``.

  Under rare circumstances, :iscman:`named` could terminate unexpectedly
  when validating a DNSKEY resource record if the validation had been
  canceled in the meantime. This has been fixed. :gl:`#4911`

Known Issues
~~~~~~~~~~~~

- Long-running tasks in offloaded threads (e.g. the loading of RPZ zones
  or processing zone transfers) may block the resolution of queries
  during these operations and cause the queries to time out.

  To work around the issue, the ``UV_THREADPOOL_SIZE`` environment
  variable can be set to a larger value before starting :iscman:`named`.
  The recommended value is the number of RPZ zones (or number of
  transfers) plus the number of threads BIND should use, which is
  typically the number of CPUs. :gl:`#4898`
    122