Locked testing stable

bind9-next-9.19.22-1.fc38

FEDORA-2024-73f5e9693d created by pemensik 5 months ago for Fedora 38

Notes for BIND 9.19.22

New Features

  • Information on incoming zone transfers in the statistics channel now also shows the zones’ “first refresh” flag, which indicates that a zone is not fully ready and that its first ever refresh is pending or is in progress. The number of such zones is now also exposed by the rndc status command. [GL #4241]

  • The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients. [GL #4425]

  • HSM support was added to dnssec-policy. Keys can now be configured with a key-store that allows users to set the directory where key files are stored and to set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL. [GL #1129]

  • The tls block was extended with a new cipher-suites option that allows permitted cipher suites for TLSv1.3 to be set. Please consult the documentation for additional details. [GL #3504]

  • Support for the RESINFO record type was added. [GL #4413]

Removed Features

  • BIND 9 no longer supports non-zero stale-answer-client-timeout values when the feature is turned on. When a non-zero value is configured, named now logs a warning and treats the value as 0. [GL #4447]

Feature Changes

  • The dnssec-validation yes option now requires an explicitly configured trust-anchors statement. If using manual trust anchors is not operationally required, then please consider using dnssec-validation auto instead. [GL #4373]

  • The red-black tree data structure used in the RBTDB (the default database implementation for cache and zone databases) has been replaced with QP-tries. This is expected to improve performance and scalability, though the current implementation is known to consume more memory.

  • A side effect of this change is that zone files that are created with masterfile-style relative - for example, the output of dnssec-signzone - will no longer have multiple different $ORIGIN statements. There should be no other changes to server behavior.

  • The old RBT-based database still exists for now, and can be used by specifying database rbt in a zone statement in named.conf, or by compiling with configure --with-zonedb=rbt --with-cachedb=rbt. [GL #4411]
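
A pre-upgrade check for the dnssec-validation change listed above, as an added example rather than ISC or Fedora tooling: it flags a configuration that sets dnssec-validation yes with no trust-anchors statement anywhere in the text. The function names and sample configurations are constructed; include files are only reported, and views are not evaluated separately.

```python
import re

# Quoted strings are matched first so comment markers inside them are not
# mistaken for comments; named.conf accepts /* */, // and # comments.
_LEX = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_INCLUDE = re.compile(r'\binclude\s+"((?:\\.|[^"\\])*)"\s*;')

def _strip(text, keep_strings):
    """Drop comments; optionally blank string bodies so they cannot match keywords."""
    def repl(m):
        tok = m.group(0)
        if tok.startswith('"'):
            return tok if keep_strings else '""'
        return " "
    return _LEX.sub(repl, text)

def audit(conf_text):
    """Return findings relevant to the dnssec-validation change in 9.19.22."""
    code = _strip(conf_text, keep_strings=False)
    modes = re.findall(r"\bdnssec-validation\s+(\w+)\s*;", code)
    anchored = re.search(r"\btrust-anchors\s*\{", code) is not None
    findings = []
    if "yes" in modes and not anchored:
        findings.append("dnssec-validation yes without a trust-anchors statement")
    # Anchors may live in an included file, which this check does not open.
    for path in _INCLUDE.findall(_strip(conf_text, keep_strings=True)):
        findings.append("include not followed, check manually: " + path)
    return findings

# Constructed sample configurations (not from a real server).
LEGACY = '''
options {
    directory "/var/named";   # working "dir"
    /* trust-anchors { }; removed during an old cleanup */
    dnssec-validation yes;
};
'''
FIXED_AUTO = LEGACY.replace("dnssec-validation yes;", "dnssec-validation auto;")
FIXED_MANUAL = LEGACY + '''
trust-anchors {
    example.org. static-ds 12345 13 2 "PLACEHOLDER-DIGEST";  // constructed values
};
'''

if __name__ == "__main__":
    for name, conf in [("legacy", LEGACY), ("auto", FIXED_AUTO), ("manual", FIXED_MANUAL)]:
        print(name, audit(conf) or "ok")
```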

Bug Fixes

  • A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed. [GL #4596]

  • Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed. [GL #4621]

  • The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner. [GL #4591]

  • Changes to listen-on statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue has been fixed.

    ISC would like to thank Thomas Amgarten for bringing this issue to our attention. [GL #4518] [GL #4528]

  • It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. [GL #4595]

    ISC would like to thank Jinmei Tatuya of Infoblox for bringing this issue to our attention.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-73f5e9693d

This update has been submitted for testing by pemensik.

5 months ago

This update's test gating status has been changed to 'ignored'.

5 months ago

This update has been pushed to testing.

5 months ago

This update has been submitted for stable by bodhi.

5 months ago


Metadata
Type: enhancement
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days
Dates
submitted: 5 months ago
in testing: 5 months ago
approved: 5 months ago
BZ#2270475 bind9-next-9.19.22 is available