- Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=1385505 (#1385505)
Latest revision as of 08:46, 17 October 2016
BIND version 9.11
Summary
BIND (Berkeley Internet Name Domain) version 9.11 is the latest stable major update of the widely used DNS server. Besides new features, some settings defaults have changed since the previous major version (9.10).
Owner
- Name: Tomas Hozza
- Email: <thozza@redhat.com>
- Name: Michal Ruprich
- Email: <mruprich@redhat.com>
- Release notes owner:
Current status
Detailed Description
New features
- A new method of provisioning secondary servers called "Catalog Zones" has been added.
- Added an isc.rndc Python module, which allows rndc commands to be sent from Python programs.
- Added support for DynDB, a new interface for loading zone data from an external database, developed by Red Hat for the FreeIPA project.
- New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
- Added support for dnstap, a fast, flexible method for capturing and logging DNS traffic.
- A new DNSSEC key management utility, dnssec-keymgr, has been added.
- nslookup will now look up IPv6 as well as IPv4 addresses by default.
- named will now check to see whether other name server processes are running before starting up.
- Added server-side support for pipelined TCP queries.
- The new mdig command is a version of dig that sends multiple pipelined queries and then waits for the responses, instead of sending one query and waiting for its response before sending the next.
- A new message-compression option can be used to specify whether or not to use name compression when answering queries.
- When loading a signed zone, named will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately.
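The RRSIG inception check described in the last item above is easy to reproduce outside named, which is useful when auditing a signed zone before handing it to a freshly upgraded server. The following is an added example, not code from the Fedora Change page or from ISC BIND: it parses the timing fields of RRSIG records in zone-file presentation format (RFC 4034 section 3.2 timestamps, YYYYMMDDHHmmSS in UTC) and reports signatures whose inception lies in the future or whose expiration has passed. The zone snippet and the clock value are constructed for the demonstration.

```python
"""Audit RRSIG timing fields in a zone file (added example, not BIND's own code)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# RFC 4034 section 3.2: RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


@dataclass
class RRSigTiming:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_rrsig(line: str) -> RRSigTiming:
    """Parse one RRSIG record written as: owner ttl IN RRSIG type alg labels origttl exp inc keytag signer sig."""
    fields = line.split()
    if len(fields) < 13 or fields[2] != "IN" or fields[3] != "RRSIG":
        raise ValueError(f"not a fully qualified RRSIG record: {line!r}")
    to_dt = lambda s: datetime.strptime(s, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    return RRSigTiming(
        owner=fields[0],
        type_covered=fields[4],
        expiration=to_dt(fields[8]),
        inception=to_dt(fields[9]),
        key_tag=int(fields[10]),
        signer=fields[11],
    )


def classify(sig: RRSigTiming, now: datetime) -> str:
    """Mirror the load-time decision: a future inception is the case named 9.11 now regenerates."""
    if now < sig.inception:
        return "inception-in-future"
    if now > sig.expiration:
        return "expired"
    return "current"


def audit_zone(zone_text: str, now: datetime) -> list[tuple[str, str, str]]:
    """Return (owner, type covered, status) for every RRSIG line; other records are ignored."""
    results = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line or " RRSIG " not in f" {line} ":
            continue
        sig = parse_rrsig(line)
        results.append((sig.owner, sig.type_covered, classify(sig, now)))
    return results


# Constructed zone excerpt: three signatures with deliberately different validity windows.
SAMPLE_ZONE = """\
; constructed sample, signatures are placeholders and will not verify
example.test.      3600 IN RRSIG SOA 8 2 3600 20161031000000 20161001000000 12345 example.test. AAAA
www.example.test.  3600 IN RRSIG A   8 3 3600 20161231000000 20161201000000 12345 example.test. AAAA
mail.example.test. 3600 IN RRSIG A   8 3 3600 20160930000000 20160901000000 12345 example.test. AAAA
"""

# Constructed clock: the page's revision timestamp, 17 October 2016 08:46 UTC.
NOW = datetime(2016, 10, 17, 8, 46, tzinfo=timezone.utc)

if __name__ == "__main__":
    for owner, rtype, status in audit_zone(SAMPLE_ZONE, NOW):
        print(f"{owner:22} {rtype:4} {status}")
```

Run against a real zone with `now = datetime.now(timezone.utc)`; any `inception-in-future` hit is a signature named 9.11 would silently regenerate on load, which usually points at a clock or key-rollover problem on the signing host worth investigating before the zone is served.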
Feature changes
- When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
- Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.
- Added support for OPENPGPKEY type.
- Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
- On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.
- Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.
- Added support for the AVC resource record type (Application Visibility and Control).
Benefit to Fedora
Fedora will include the latest major version of the popular BIND DNS server, together with its latest features.
Scope
- Proposal owners: Rebase the package to the latest 9.11 minor version and resolve any packaging issues. (Also rebuild all currently existing dependent packages listed below.)
- Other developers: Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-ldap)
- Release engineering: no work required
- Policies and guidelines: no change required
Upgrade/compatibility impact
Applications that users compiled manually (not distributed in Fedora) against the libraries shipped with the BIND package will need to be rebuilt.
The Change possibly impacts the Fedora Server product.
How To Test
- No special hardware is required.
- Users should have some existing named configuration working with the previous version (9.10).
- Upgrade the package to the latest 9.11 version available for Fedora 26. Right now the latest build is available in the copr repo https://copr.fedorainfracloud.org/coprs/mruprich/bind-9.11/
- Test the named behaviour with the previously used configuration.
- named behaviour did not change except for the changes listed in the BIND 9.11 RELEASE NOTES.
User Experience
Some default settings changed and are noted on this Change page. The aim of the change is not to be disruptive for users. The Change will be coordinated with the Server WG to prevent possible impact on the Fedora Server product.
Dependencies
Fedora Server product depends on BIND.
Contingency Plan
- Contingency mechanism: Keep the 9.10 version of BIND
- Contingency deadline: As given by the F26 Schedule
- Blocks release? No
- Blocks product? Fedora Server
Documentation
Everything is already noted in the Detailed Description.
Release Notes
A new major version of the BIND DNS server is available.
Important feature changes:
- When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
- Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.
- Added support for OPENPGPKEY type.
- Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
- On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.
- Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.
- Added support for the AVC resource record type (Application Visibility and Control).