F22 Self Contained Change: BIND version 9.10
Jaroslav Reznik
jreznik at redhat.com
Tue Sep 16 11:34:32 UTC 2014
= Proposed Self Contained Change: BIND version 9.10 =
https://fedoraproject.org/wiki/Changes/BIND_9.10
Change owner(s): Tomas Hozza <thozza at redhat.com>
BIND (Berkeley Internet Name Domain) version 9.10 is the latest stable major
update of the widely used DNS server. Besides new features, some settings
defaults have changed since the previous major version (9.9).
== Detailed Description ==
FULL BIND 9.10 RELEASE NOTES [1]
=== New features ===
* New zone file format, "map", stores zone data in a format that can be mapped
directly into memory, allowing significantly faster zone loading.
* New tool "delv" (domain entity lookup and validation) with dig-like
semantics for looking up DNS data and performing internal DNSSEC validation
has been added.
* New "prefetch" option improving the recursive resolver performance has been
added.
* Improved EDNS processing allowing better resolver performance.
* Substantial improvements have been made in response-policy zone (RPZ)
performance.
* ACLs can now be specified based on geographic location using the MaxMind
GeoIP databases.
* The statistics channel can now provide data in JSON format as well as XML.
* The new "in-view" zone option allows zone data to be shared between views,
so that multiple views can serve the same zones authoritatively without
storing multiple copies in memory.
* Native PKCS#11 API has been added. This allows BIND 9 cryptography functions
to use the PKCS#11 API natively, so that BIND can drive a cryptographic
hardware service module (HSM) directly instead of using a modified OpenSSL as
an intermediary (Native PKCS#11 is known to work with the Thales nShield HSM
and with SoftHSM version 2 from the Open DNSSEC project.).
* New tool "named-rrchecker" can be used to check the syntax of individual
resource records, and optionally to convert them to the format used for
unknown record types.
* New tool "dnssec-importkey" allows "offline" DNSSEC keys (i.e., keys whose
private data is not stored on the system on which named is running) to be
published or deleted on schedule using automatic DNSKEY management.
* Network interfaces are re-scanned automatically whenever they change. Use
"automatic-interface-scan no;" to disable this feature.
** Added "rndc scan" to trigger an interface scan manually.
* New "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone
containing a higher TTL, the load fails. DDNS updates with higher TTLs are
accepted but the TTL is truncated.
* Multiple DLZ databases can now be configured, and are searched in order to
find one that can answer an incoming query.
* "named-checkzone" and "named-compilezone" can now read journal files.
=== Feature changes ===
* The version 3 XML schema for the statistics channel, including new
statistics and a flattened XML tree for faster parsing, is no longer optional.
The version 2 XML schema is now deprecated.
* "named" now listens on IPv6 as well as IPv4 interfaces by default.
* The internal and export versions of the BIND libraries (libisc, libdns, etc)
have been unified so that external library clients can use the same libraries
as BIND itself.
* The default setting for the -U option (setting the number of UDP listeners
per interface) has been adjusted to improve performance.
* Adaptive mutex locks are now used on systems which support them.
* "rndc flushtree" now flushes matching records from the address database and
bad cache as well as the DNS cache. (Previously only the DNS cache was
flushed.)
* The isc_bitstring API is no longer used and has been removed from the libisc
library.
* The timestamps included in RRSIG records can now be read as integers
indicating the number of seconds since the UNIX epoch, in addition to being
read as formatted dates in YYYYMMDDHHMMSS format.
== Scope ==
* Proposal owners: Rebase the package to the latest 9.10 minor version and
resolve possible packaging issues. (Also rebuild all currently existing
dependent packages listed below)
* Other developers: Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-
ldap)
** Owner of this feature is co-maintainer of all dependent packages. He will
do the necessary rebuilds himself in cooperation with dependent packages
owners.
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
[1] http://ftp.isc.org/isc/bind9/9.10.0-P2/RELEASE-NOTES-BIND-9.10.0-P2.txt
More information about the devel-announce
mailing list