Information on incoming zone transfers in the statistics channel now also shows the zones’ “first refresh” flag, which indicates that a zone is not fully ready and that its first ever refresh is pending or is in progress. The number of such zones is now also exposed by the rndc status command. [GL #4241]
The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients. [GL #4425]
HSM support was added to dnssec-policy. Keys can now be configured with a key-store that allows users to set the directory where key files are stored and to set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL. [GL #1129]
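The following named.conf fragment is an added illustration of the key-store feature described above; it is not taken from the update or from the BIND documentation. The store name, directory, PKCS#11 URI, zone name and policy name are assumed placeholders, and the `key-store` keyword inside the `keys` clause is assumed to follow the 9.20 `dnssec-policy` syntax.

```conf
# Added example: one key store backed by an HSM via PKCS#11 (placeholder URI),
# one kept on local disk. Both values are assumptions, not values from the page.
key-store "hsm-store" {
    directory "/var/named/keys/hsm";
    pkcs11-uri "pkcs11:token=PLACEHOLDER-TOKEN;object=PLACEHOLDER-LABEL";
};

key-store "disk-store" {
    directory "/var/named/keys/disk";
};

# Assumed policy: the long-lived KSK is generated and kept inside the HSM,
# the short-lived ZSK on disk, so the private KSK never leaves the token.
dnssec-policy "hsm-policy" {
    keys {
        ksk key-store "hsm-store"  lifetime unlimited algorithm ecdsap256sha256;
        zsk key-store "disk-store" lifetime P90D      algorithm ecdsap256sha256;
    };
};

zone "example.test" {
    type primary;
    file "example.test.db";
    dnssec-policy "hsm-policy";
};
```

Because the PKCS#11 URI is only honoured when named is built against OpenSSL 3 with a PKCS#11 provider loaded (as the note states), a useful post-deployment check is `named-checkconf` followed by `rndc dnssec -status example.test`, which reports whether the keys were created in the expected store.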
The tls block was extended with a new cipher-suites option that allows permitted cipher suites for TLSv1.3 to be set. Please consult the documentation for additional details. [GL #3504]
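As an added example (not part of the update text), the tls block below restricts a DoT listener to TLSv1.3 with an explicit cipher-suites list. The certificate paths, the block name and the listen address are assumed placeholders; the `cipher-suites` option itself is the one the note introduces, and the suite names are the standard TLSv1.3 identifiers.

```conf
# Added example: a TLS listener that only negotiates TLSv1.3 and two AEAD suites.
# File paths and names are assumptions, not values from the page.
tls "dot-listener" {
    key-file  "/etc/named/tls/dot.key";
    cert-file "/etc/named/tls/dot.crt";
    protocols { TLSv1.3; };
    # New in this release: limit TLSv1.3 suites (colon-separated, OpenSSL names).
    cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
};

options {
    listen-on port 853 tls "dot-listener" { 127.0.0.1; };
};
```

Note that cipher-suites governs only TLSv1.3; the older ciphers option still controls TLSv1.2 suites, so a listener that also allows TLSv1.2 in protocols needs both settings to be reviewed together.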
Support for the RESINFO record type was added. [GL #4413]
stale-answer-client-timeout values, when the feature is turned on. When using a non-zero value, named now generates a warning log message, and treats the value as 0. [GL #4447]
The dnssec-validation yes option now requires an explicitly configured trust-anchors statement. If using manual trust anchors is not operationally required, then please consider using dnssec-validation auto instead. [GL #4373]
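To show the difference the dnssec-validation change makes, here is an added named.conf comparison that is not part of the update text. The first variant is the one the note recommends; the second is what a manually anchored configuration now has to contain, with the DS record given as an obvious placeholder rather than a real digest.

```conf
# Added example, variant A: built-in root trust anchor, no trust-anchors block needed.
options {
    dnssec-validation auto;
};

# Added example, variant B: explicit validation now REQUIRES a trust-anchors block;
# "dnssec-validation yes;" without one is rejected at configuration load.
# The DS values below are placeholders; obtain the real root trust anchor from IANA.
options {
    dnssec-validation yes;
};

trust-anchors {
    . initial-ds PLACEHOLDER_KEYTAG 8 2 "PLACEHOLDER_SHA256_DIGEST";
};
```

Running named-checkconf against variant B with the trust-anchors block removed is the quickest way to see the new requirement: the configuration fails to load instead of silently validating against nothing.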
The red-black tree data structure used in the RBTDB (the default database implementation for cache and zone databases) has been replaced with QP-tries. This is expected to improve performance and scalability, though in the current implementation it is known to have larger memory consumption.
A side effect of this change is that zone files that are created with masterfile-style relative - for example, the output of dnssec-signzone - will no longer have multiple different $ORIGIN statements. There should be no other changes to server behavior.
The old RBT-based database still exists for now, and can be used by specifying database rbt in a zone statement in named.conf, or by compiling with configure --with-zonedb=rbt --with-cachedb=rbt. [GL #4411]
A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed. [GL #4596]
Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed. [GL #4621]
The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner. [GL #4591]
Changes to listen-on statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue has been fixed. ISC would like to thank Thomas Amgarten for bringing this issue to our attention. [GL #4518] [GL #4528]
It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. [GL #4595]
ISC would like to thank Jinmei Tatuya of Infoblox for bringing this issue to our attention.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-73f5e9693d
This update has been submitted for testing by pemensik.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update has been submitted for stable by bodhi.