This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
== Owner ==
* Name: [[User:pemensik| Petr Menšík]]
* Email: <pemensik(a)redhat.com>
== Detailed Description ==
ISC BIND9 will be upgraded to the new major release, version 9.18.x. It
introduces new features and changes. It will also remove some packages
== Benefit to Fedora ==
The most recent major release will be provided, with some notable features:
* Support for DNS over TLS and DNS over HTTPS servers, in both
authoritative and resolver modes.
* Reworked internal connection handling using libuv
* RNDC channel does not support unix sockets
* Zone transfers over DNS over TLS were added, both incoming and
outgoing.
* dig is now able to send queries using DNS over TLS
* dig is now able to send queries using DNS over HTTPS
== Scope ==
* Proposal owners: The update required an update of the bind-dyndb-ldap
package (part of the FreeIPA suite), but otherwise it is an isolated change.
* Other developers: Any developers
* Change pull request:
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:
== Upgrade/compatibility impact ==
The upgrade from 9.16.x should be smooth, without significant issues.
An incompatibility existed with bind-dyndb-ldap, but it has been resolved.
=== PKCS11 removal ===
Native PKCS11 builds in the separate '''bind-pkcs11''' and
'''bind-pkcs11-utils''' packages will no longer be built. They used to
load PKCS11 plugins directly; PKCS11 will now be supported only
indirectly, using the OpenSSL pkcs11 engine.
The following commands would be removed:
All their actions should be possible using ''pkcs11-tool'' from
''opensc'' package or ''p11tool'' from
* dnssec-*-pkcs11 commands would be removed too, but they have simple
replacement using ''-E pkcs11'' parameter to their respective normal
=== Python isc module ===
The utilities ''dnssec-checkds'', ''dnssec-coverage'',
''dnssec-keymgr'' have been removed from
package. Also '''python3-bind''' python module is no longer
by ISC upstream and therefore removed from a bind package. DNSSEC
features formerly provided by these utilities are now integrated into
named. See the dnssec-policy configuration option for more details.
=== Map file format ===
Support for the ''map'' zone file format (''masterfile-format
has been removed. Use ''raw'' format instead, which has similar
performance and fewer issues.
=== Removed options ===
Previously deprecated options were removed and are no longer accepted
in ''/etc/named.conf''. Their full list can be found in the removed
features release notes upstream.
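A pre-upgrade check for the incompatibilities named in this proposal (map zone format, RNDC over unix sockets, the removed Python DNSSEC utilities and the dnssec-*-pkcs11 commands), given as an added example that is not part of the proposal or of BIND. The rule ids, function names and sample inputs are constructed, and the matching is a line-based heuristic rather than a full named.conf parser.

```python
import re

# Checks derived from the compatibility notes in this proposal.
# Each entry: (rule id, pattern, advice paraphrased from the proposal text).
RULES = [
    ("map-format", re.compile(r"\bmasterfile-format\s+map\s*;"),
     "map zone file format removed; use raw format instead"),
    ("rndc-unix-socket", re.compile(r'\bunix\s+"'),
     "RNDC channel does not support unix sockets"),
    ("python-dnssec-tool",
     re.compile(r"\bdnssec-(?:checkds|coverage|keymgr)\b"),
     "utility removed; see the dnssec-policy configuration option"),
    ("pkcs11-command", re.compile(r"\bdnssec-[a-z0-9]+-pkcs11\b"),
     "command removed; use the normal command with -E pkcs11"),
]

def strip_comments(text):
    """Drop /* */, // and # comments while keeping line numbers stable."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.S)
    return re.sub(r"(?://|#).*", "", text)

def audit(text):
    """Return (line_number, rule_id, advice) for every rule hit, in line order."""
    return [(n, rule_id, advice)
            for n, line in enumerate(strip_comments(text).splitlines(), 1)
            for rule_id, pattern, advice in RULES if pattern.search(line)]

# Constructed sample inputs (not taken from any real system).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    // masterfile-format map;   (commented out, must not be reported)
};
controls {
    unix "/run/named/rndc.sock" perm 0600 owner 25 group 25;
};
zone "example.test" {
    type primary;
    masterfile-format map;
    file "example.test.db";
};
"""
SAMPLE_SCRIPT = ("dnssec-keymgr -c /etc/dnssec-policy.conf\n"
                 "dnssec-signzone-pkcs11 -S example.test\n")

if __name__ == "__main__":
    for hit in audit(SAMPLE_NAMED_CONF) + audit(SAMPLE_SCRIPT):
        print("line %d: [%s] %s" % hit)
```

Run it against ''/etc/named.conf'', included files and any maintenance scripts before upgrading; ''named-checkconf'' from the new package remains the authoritative validator afterwards.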
== How To Test ==
== User Experience ==
* Users will get simple tools that can also query encrypted DNS servers.
* Recent improvements packaged.
* Simplified DNSSEC maintenance of both keys and signatures via
== Dependencies ==
bind-dyndb-ldap would be built together with the bind package. It was
upgraded to version 11.10 to support the BIND 9.18 release.
== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?) N/A (not a
System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change), Yes/No
== Documentation ==
N/A (not a System Wide Change)
He / Him / His
Fedora Program Manager