.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.20.4
---------------------

New Features
~~~~~~~~~~~~

- Update built-in :file:`bind.keys` file with the new 2025 `IANA root key
  <https://www.iana.org/dnssec/files>`_.

  Add an `initial-ds` entry to :file:`bind.keys` for the new root key, ID
  38696, which is scheduled for publication in January 2025. :gl:`#4896`

Removed Features
~~~~~~~~~~~~~~~~

- Move contributed DLZ modules into a separate repository. DLZ modules should
  not be used except in testing.

  The DLZ modules were not maintained, the DLZ interface itself is going to be
  scheduled for removal, and the DLZ interface is blocking. Any module that
  blocks the query to the :namedconf:ref:`database` blocks the whole server.

  The DLZ modules now live in the
  https://gitlab.isc.org/isc-projects/dlz-modules repository.
  :gl:`#4865`

Feature Changes
~~~~~~~~~~~~~~~

- :iscman:`dnssec-ksr` now supports KSK rollovers.

  The tool now allows for KSK generation, as well as planned KSK rollovers.
  When signing a bundle from a Key Signing Request (KSR), only the key that
  is active in that time frame is used for signing. Also, the CDS and CDNSKEY
  records are now added and removed at the correct time. :gl:`#4697` :gl:`#4705`

- Print :rfc:`7314`: EXPIRE option in transfer summary. :gl:`#5013`

- Emit more helpful log messages for exceeding :namedconf:ref:`max-records-per-type`.

  The new log message is emitted when adding or updating an RRset fails
  due to exceeding the :namedconf:ref:`max-records-per-type` limit. The log includes the
  owner name and type, corresponding zone name, and the limit value. It
  will be emitted on loading a zone file, inbound zone transfer (both
  AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's
  especially helpful in the case of zone transfer, since the secondary
  side doesn't have direct access to the offending zone data.

  It could also be used for :namedconf:ref:`max-types-per-name`, but this change doesn't
  implement it yet as it's much less likely to happen in practice.

- Harden key management when key files have become unavailable.

  Prior to doing key management, BIND 9 will check if the key files on
  disk match the expected keys. If key files for previously observed
  keys have become unavailable, this will prevent the internal key
  manager from running.

Bug Fixes
~~~~~~~~~

- Use TLS for notifies if configured to do so.

  Notifies configured to use TLS will now be sent over TLS, instead of
  plain text UDP or TCP. Also, failing to load the TLS configuration for
  :namedconf:ref:`notify` now results in an error. :gl:`#4821`

- `{&dns}` is as valid as `{?dns}` in an SVCB record's dohpath.

  :iscman:`dig` failed to parse a valid `SVCB` record with a `dohpath` URI
  template containing `{&dns}`, like `dohpath=/some/path?key=value{&dns}`.
  :gl:`#4922`
     85 
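As an added illustration of the two template forms in the item above (example code written for these notes, not part of BIND or :iscman:`dig`): a small Python validator and expander for a `dohpath` URI template that accepts the `dns` variable under either the `{?dns}` or the `{&dns}` operator of :rfc:`6570`, and expands it the way an :rfc:`8484` GET request would. The sample query bytes and the template strings are constructed for the example.

```python
import base64
import re

# RFC 6570 query-style expressions: "{?name}" starts a query string, while
# "{&name}" continues one the template already opened with a literal "?".
_EXPR_RE = re.compile(r"\{([?&])([A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*)\}")


def dohpath_variables(dohpath: str) -> list[tuple[str, str]]:
    """Return (operator, variable) pairs for every {?..}/{&..} expression."""
    pairs = []
    for op, names in _EXPR_RE.findall(dohpath):
        for name in names.split(","):
            pairs.append((op, name))
    return pairs


def dohpath_is_valid(dohpath: str) -> bool:
    """RFC 9461: dohpath is a relative URI template that must carry the
    "dns" variable; accept it under either the "?" or the "&" operator."""
    if not dohpath.startswith("/"):
        return False
    return any(name == "dns" for _, name in dohpath_variables(dohpath))


def expand_dohpath(dohpath: str, dns_message: bytes) -> str:
    """Expand the template for a DoH GET request (RFC 8484): the wire-format
    message goes into "dns" as unpadded base64url; variables we have no value
    for expand to nothing, as RFC 6570 specifies for undefined values."""
    if not dohpath_is_valid(dohpath):
        raise ValueError(f"invalid dohpath template: {dohpath!r}")
    encoded = base64.urlsafe_b64encode(dns_message).rstrip(b"=").decode("ascii")

    def replace(match: re.Match) -> str:
        op, names = match.group(1), match.group(2).split(",")
        return f"{op}dns={encoded}" if "dns" in names else ""

    return _EXPR_RE.sub(replace, dohpath)


# Constructed sample input: a minimal wire-format query for example.com/IN/A.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: id, RD, QDCOUNT=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # QNAME, QTYPE=A, QCLASS=IN
)

if __name__ == "__main__":
    for template in ("/dns-query{?dns}", "/some/path?key=value{&dns}", "/dns-query"):
        ok = dohpath_is_valid(template)
        print(template, "->", expand_dohpath(template, SAMPLE_QUERY) if ok else "rejected")
```

Both constructed templates expand to a usable request path; the third is rejected because it carries no `dns` variable at all.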
- Fix NSEC3 closest encloser lookup for names with empty non-terminals.

  A previous performance optimization for finding the NSEC3 closest encloser
  when generating authoritative responses could cause servers to return
  incorrect NSEC3 records in some cases. This has been fixed.
  :gl:`#4950`

- :namedconf:ref:`recursive-clients` statement with value 0 triggered an assertion failure.

  BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed.
  :gl:`#4987`

- Parsing of hostnames in :iscman:`rndc.conf` was broken.

  When DSCP support was removed, parsing of hostnames in :iscman:`rndc.conf` was
  accidentally broken, resulting in an assertion failure. This has been
  fixed. :gl:`#4991`

- :iscman:`dig` options of the form `[+-]option=<value>` failed to display the
  value on the printed command line. This has been fixed. :gl:`#4993`

- Provide more visibility into TLS configuration errors by logging
  `SSL_CTX_use_certificate_chain_file()` and `SSL_CTX_use_PrivateKey_file()`
  errors individually. :gl:`#5008`

- Fix a race condition when canceling ADB find which could cause an assertion
  failure. :gl:`#5024`

- SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a
  lot of memory if the server encounters many SERVFAILs at once.
  :gl:`#5025`

- Fix trying the next primary XoT server when the previous one was marked as
  unreachable.

  In some cases :iscman:`named` failed to try the next primary
  server in the :namedconf:ref:`primaries` list when the previous one was marked as
  unreachable. This has been fixed. :gl:`#5038`
    124