From Fedora Project Wiki
Latest revision as of 11:35, 13 January 2015

BIND version 9.10

Summary

BIND (Berkeley Internet Name Domain) version 9.10 is the latest stable major update of the widely used DNS server. Besides new features, the defaults of some settings have changed since the previous major version (9.9).

Owner

  • Name: Tomas Hozza
  • Email: <thozza@redhat.com>
  • Name: Stephen Gallagher
  • Email: <sgallagh@redhat.com>

Current status

  • Targeted release: Fedora 22
  • Last updated: 2015-01-07
  • Tracker bug: #1181562 (https://bugzilla.redhat.com/show_bug.cgi?id=1181562)

Detailed Description

FULL BIND 9.10 RELEASE NOTES: http://ftp.isc.org/isc/bind9/9.10.0-P2/RELEASE-NOTES-BIND-9.10.0-P2.txt

New features

  • New zone file format, "map", stores zone data in a format that can be mapped directly into memory, allowing significantly faster zone loading.
  • New tool "delv" (domain entity lookup and validation) with dig-like semantics for looking up DNS data and performing internal DNSSEC validation has been added.
  • A new "prefetch" option improving recursive resolver performance has been added.
  • Improved EDNS processing allowing better resolver performance.
  • Substantial improvements have been made in response-policy zone (RPZ) performance.
  • ACLs can now be specified based on geographic location using the MaxMind GeoIP databases.
  • The statistics channel can now provide data in JSON format as well as XML.
  • The new "in-view" zone option allows zone data to be shared between views, so that multiple views can serve the same zones authoritatively without storing multiple copies in memory.
  • A native PKCS#11 API has been added. This allows BIND 9 cryptography functions to use the PKCS#11 API natively, so that BIND can drive a cryptographic hardware security module (HSM) directly instead of using a modified OpenSSL as an intermediary (native PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM version 2 from the OpenDNSSEC project).
  • New tool "named-rrchecker" can be used to check the syntax of individual resource records, and optionally to convert them to the format used for unknown record types.
  • New tool "dnssec-importkey" allows "offline" DNSSEC keys (i.e., keys whose private data is not stored on the system on which named is running) to be published or deleted on schedule using automatic DNSKEY management.
  • Network interfaces are re-scanned automatically whenever they change. Use "automatic-interface-scan no;" to disable this feature.
    • Added "rndc scan" to trigger an interface scan manually.
  • The new "max-zone-ttl" option enforces a maximum TTL for zones. If a zone being loaded contains a higher TTL, the load fails; DDNS updates with higher TTLs are accepted, but the TTL is truncated.
  • Multiple DLZ databases can now be configured, and are searched in order to find one that can answer an incoming query.
  • "named-checkzone" and "named-compilezone" can now read journal files.

Feature changes

  • The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is no longer optional. The version 2 XML schema is now deprecated.
  • "named" now listens on IPv6 as well as IPv4 interfaces by default.
  • The internal and export versions of the BIND libraries (libisc, libdns, etc.) have been unified so that external library clients can use the same libraries as BIND itself.
  • The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance.
  • Adaptive mutex locks are now used on systems which support them.
  • "rndc flushtree" now flushes matching records from the address database and bad cache as well as the DNS cache. (Previously only the DNS cache was flushed.)
  • The isc_bitstring API is no longer used and has been removed from the libisc library.
  • The timestamps included in RRSIG records can now be read as integers indicating the number of seconds since the UNIX epoch, in addition to being read as formatted dates in YYYYMMDDHHMMSS format.
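The options named in the two lists above, as an added example configuration that is not from the change page or from ISC; the addresses, zone name, file name and statistics port are placeholders, and the intent is to make the changed 9.10 defaults explicit rather than inherit them:

```conf
// Added example: a minimal BIND 9.10 named.conf that makes the changed
// defaults explicit. Not from the Fedora change page or from ISC; the
// addresses, zone name, file name and statistics port are placeholders.
options {
    directory "/var/named";

    // 9.10 listens on IPv6 as well as IPv4 by default. Pin both address
    // families so the upgrade cannot expose named on an interface that
    // the 9.9 configuration never listened on.
    listen-on port 53 { 127.0.0.1; 192.0.2.53; };
    listen-on-v6 port 53 { ::1; 2001:db8::53; };

    // Interfaces are now re-scanned automatically when they change. Keep
    // the default, or set "no" and trigger scans by hand with "rndc scan".
    automatic-interface-scan yes;

    // New in 9.10: reject zone files with records above this TTL (one
    // day); DDNS updates with a higher TTL are accepted but truncated.
    max-zone-ttl 86400;

    // New in 9.10: re-query popular cache entries before they expire
    // (when 2 s or less of TTL remain, for records with a TTL of 9 s or more).
    prefetch 2 9;

    recursion yes;
    allow-recursion { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };
    allow-query { any; };
};

// The statistics channel now serves version 3 XML and JSON; keep it on
// the loopback interface only.
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

view "internal" {
    match-clients { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };
    zone "example.com" {
        type master;
        // New "map" format: the file is mapped directly into memory instead
        // of being parsed at load time (produced with named-compilezone -F map).
        file "example.com.map";
        masterfile-format map;
    };
};

view "external" {
    match-clients { any; };
    // New "in-view": serve the same zone authoritatively from a second
    // view without keeping a second copy in memory.
    zone "example.com" {
        in-view "internal";
    };
};
```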

Benefit to Fedora

Fedora will include the latest major version of the popular DNS server, with its latest features.

Scope

  • Proposal owners: Rebase the package to the latest 9.10 minor version and resolve possible packaging issues (and rebuild all currently existing dependent packages listed below).
  • Other developers: Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-ldap)
    • The owner of this feature is a co-maintainer of all dependent packages and will do the necessary rebuilds himself in cooperation with the dependent packages' owners.
  • Release engineering: no work required
  • Policies and guidelines: no change required

Upgrade/compatibility impact

Users' manually compiled applications (not distributed in Fedora) that use the libraries shipped in the BIND package will need to be rebuilt.

The Change may impact the Fedora Server product. Server WG member Stephen Gallagher is a co-owner of this change to prevent possible issues.

How To Test

  • No special hardware is required.
  1. Start from an existing named configuration that works with the previous version (9.9).
  2. Upgrade the package to the latest 9.10 version available for Fedora 22.
  3. Test the named behaviour with the previously used configuration.
  4. Verify that named behaviour has not changed, apart from the changes listed in the BIND 9.10 release notes.

User Experience

Some default settings changed and are noted on this Change page. The aim is for the change not to be disruptive for users. The Change will be coordinated with the Server WG to prevent possible impact on the Fedora Server product.

Dependencies

The Fedora Server product depends on BIND.

Contingency Plan

  • Contingency mechanism: Keep the 9.9 version of BIND
  • Contingency deadline: As given by the F22 Schedule
  • Blocks release? No
  • Blocks product? Fedora Server

Documentation

Everything is already noted in the Detailed Description.

Release Notes

New major version of the BIND DNS server is available

Important feature changes:

  • The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is no longer optional. The version 2 XML schema is now deprecated.
  • "named" now listens on IPv6 as well as IPv4 interfaces by default.
  • The internal and export versions of the BIND libraries (libisc, libdns, etc.) have been unified so that external library clients can use the same libraries as BIND itself.
  • The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance.
  • Adaptive mutex locks are now used on systems which support them.
  • "rndc flushtree" now flushes matching records from the address database and bad cache as well as the DNS cache. (Previously only the DNS cache was flushed.)
  • The isc_bitstring API is no longer used and has been removed from the libisc library.
  • The timestamps included in RRSIG records can now be read as integers indicating the number of seconds since the UNIX epoch, in addition to being read as formatted dates in YYYYMMDDHHMMSS format.