From Fedora Project Wiki
No edit summary
 
(9 intermediate revisions by 2 users not shown)
Line 34: Line 34:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id= #]
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1385505 #1385505]


== Detailed Description ==
== Detailed Description ==
Line 73: Line 73:


* Other developers: Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-ldap) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-ldap) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** Owner of this feature is co-maintainer of all dependent packages. He will do the necessary rebuilds himself in cooperation with dependent packages owners.
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


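Review bot: The second-level bullet under "Other developers" ("Owner of this feature is co-maintainer of all dependent packages. He will do the necessary rebuilds himself ...") is dropped here, so the Scope section no longer says who performs or coordinates the rebuilds of dhcp, dnsperf and bind-dyndb-ldap. If the arrangement still holds, keep the statement; if it changed, name the new owner of the rebuilds in place of the removed line.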
Line 111: Line 110:


# Users should have some existing named configuration working with the previous version (9.10).
# Users should have some existing named configuration working with the previous version (9.10).
# Upgrade the package to the lastest 9.11 version available for Fedora 25.
# Upgrade the package to the lastest 9.11 version available for Fedora 26. Right now the latest build is available in copr repo https://copr.fedorainfracloud.org/coprs/mruprich/bind-9.11/
# Test the named behaviour with the previously used configuration.
# Test the named behaviour with the previously used configuration.
# named behaviour did not change except from the changes listed in BIND 9.11 RELEASE NOTES.
# named behaviour did not change except from the changes listed in BIND 9.11 RELEASE NOTES.
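Review bot: Step 2 of the new text still carries the typo "lastest", and "Right now the latest build is available in copr repo ..." is a time-bound statement that will go stale once the build lands in the Fedora 26 repositories; consider dating it or wording it as an interim source. Step 4 reads as the expected result rather than an action, so it would be clearer split out of the numbered steps as the expected outcome.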
Line 130: Line 129:
* Contingency mechanism: Keep the 9.10 version of BIND  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency mechanism: Keep the 9.10 version of BIND  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: As given by the F25 Schedule  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: As given by the F26 Schedule  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 159: Line 158:
* Added support for the AVC resource record type (Application Visibility and Control).
* Added support for the AVC resource record type (Application Visibility and Control).


[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF26]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 166: Line 165:


<!-- Select proper category, default is Self Contained Change -->
<!-- Select proper category, default is Self Contained Change -->
<!-- [[Category:SelfContainedChange]] -->
[[Category:SelfContainedChange]]
[[Category:SystemWideChange]]
<!-- [[Category:SystemWideChange]] -->
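Review bot: Switching the category from SystemWideChange to SelfContainedChange sits oddly with the rest of the page, which still fills in the fields marked "REQUIRED FOR SYSTEM WIDE CHANGES" and requires rebuilds of dependent packages (dhcp, dnsperf, bind-dyndb-ldap). Either justify the self-contained classification in the Scope section or keep the system-wide category.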

Latest revision as of 08:46, 17 October 2016

BIND version 9.11

Summary

BIND (Berkeley Internet Name Domain) version 9.11 is the latest stable major update of the widely used DNS server. Besides new features, some settings defaults have changed since the previous major version (9.10).

Owner

Current status

Detailed Description

FULL BIND 9.11 RELEASE NOTES

New features

  • A new method of provisioning secondary servers called "Catalog Zones" has been added.
  • Added an isc.rndc Python module, which allows rndc commands to be sent from Python programs.
  • Added support for DynDB, a new interface for loading zone data from an external database, developed by Red Hat for the FreeIPA project.
  • New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
  • Added support for dnstap, a fast, flexible method for capturing and logging DNS traffic.
  • A new DNSSEC key management utility, dnssec-keymgr, has been added.
  • nslookup will now look up IPv6 as well as IPv4 addresses by default.
  • named will now check to see whether other name server processes are running before starting up.
  • Added server-side support for pipelined TCP queries.
  • The new mdig command is a version of dig that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next.
  • A new message-compression option can be used to specify whether or not to use name compression when answering queries.
  • When loading a signed zone, named will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately.
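A pre-upgrade check related to the RRSIG inception item above, as an added example (not part of this Change page or of BIND): it scans zone text for RRSIG records whose inception time lies in the future, the condition under which named 9.11 regenerates the signature at load time, and also reports expired signatures. The zone data is constructed, and the parser assumes one complete record per line with 14-digit YYYYMMDDHHmmSS timestamps.

```python
import re
from datetime import datetime, timezone

# Constructed sample zone text (not real data). RRSIG field order per RFC 4034:
# type covered, algorithm, labels, original TTL, expiration, inception,
# key tag, signer name, signature.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20161116084600 20161017084600 12345 example.test. c2FtcGxl
www.example.test. 300 IN RRSIG A 8 3 300 20161201000000 20161101000000 12345 example.test. c2FtcGxl
"""

# Assumption: one complete record per line, owner name present, timestamps in
# the 14-digit YYYYMMDDHHmmSS form (UTC), not the epoch-seconds form.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+"
    r"\d+\s+\d+\s+\d+\s+(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.IGNORECASE,
)


def parse_ts(text):
    """Convert an RRSIG presentation-format timestamp to an aware datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_rrsigs(zone_text, now):
    """Return (owner, covered type, status) for every RRSIG line found."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        match = RRSIG_RE.match(line)
        if not match:
            continue
        if parse_ts(match["inception"]) > now:
            status = "future-inception"  # 9.11 regenerates this RRSIG on load
        elif parse_ts(match["expiration"]) <= now:
            status = "expired"
        else:
            status = "valid"
        findings.append((match["owner"], match["covered"].upper(), status))
    return findings


if __name__ == "__main__":
    for finding in audit_rrsigs(SAMPLE_ZONE, datetime.now(timezone.utc)):
        print(*finding)
```

A "future-inception" result usually points at clock skew on the signing host, which is worth fixing before relying on automatic regeneration.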

Feature changes

  • When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
  • Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.
  • Added support for OPENPGPKEY type.
  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
  • On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.
  • Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.
  • Added support for the AVC resource record type (Application Visibility and Control).

Benefit to Fedora

Fedora will include the latest major version of the popular DNS server, with the latest features.

Scope

  • Proposal owners: Rebase the package to the latest 9.11 minor version and resolve possible packaging issues. (Also rebuild all currently existing dependent packages listed below)
  • Other developers: Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-ldap)
  • Release engineering: no work required
  • Policies and guidelines: no change required

Upgrade/compatibility impact

Applications that users have compiled manually (that is, not distributed in Fedora) and that use libraries distributed with the BIND package will need to be rebuilt.

The Change possibly impacts the Fedora Server product.

How To Test

  • No special hardware is required.
  1. Users should have some existing named configuration working with the previous version (9.10).
  2. Upgrade the package to the latest 9.11 version available for Fedora 26. Right now the latest build is available in the copr repo https://copr.fedorainfracloud.org/coprs/mruprich/bind-9.11/
  3. Test the named behaviour with the previously used configuration.
  4. named behaviour did not change, except for the changes listed in the BIND 9.11 RELEASE NOTES.

User Experience

Some default settings have changed and are noted on this Change page. The aim is for the change not to be disruptive for users. The Change will be coordinated with the Server WG to prevent possible impact on the Fedora Server product.

Dependencies

The Fedora Server product depends on BIND.

Contingency Plan

  • Contingency mechanism: Keep the 9.10 version of BIND
  • Contingency deadline: As given by the F26 Schedule
  • Blocks release? No
  • Blocks product? Fedora Server

Documentation

Everything is already noted in the Detailed Description.

Release Notes

A new major version of the BIND DNS server is available.

Important feature changes:

  • When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
  • Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.
  • Added support for OPENPGPKEY type.
  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
  • On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.
  • Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.
  • Added support for the AVC resource record type (Application Visibility and Control).