From Fedora Project Wiki

Revision as of 08:37, 17 October 2016

BIND version 9.11

Summary

BIND (Berkeley Internet Name Domain) version 9.11 is the latest stable major update of the widely used DNS server. Besides new features, some default settings have changed since the previous major version (9.10).

Owner

Current status

  • Targeted release: Fedora 26
  • Last updated: 2016-10-17
  • Tracker bug:

Detailed Description

FULL BIND 9.11 RELEASE NOTES

New features

  • A new method of provisioning secondary servers called "Catalog Zones" has been added.
  • Added an isc.rndc Python module, which allows rndc commands to be sent from Python programs.
  • Added support for DynDB, a new interface for loading zone data from an external database, developed by Red Hat for the FreeIPA project.
  • New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
  • Added support for dnstap, a fast, flexible method for capturing and logging DNS traffic.
  • A new DNSSEC key management utility, dnssec-keymgr, has been added.
  • nslookup will now look up IPv6 as well as IPv4 addresses by default.
  • named will now check to see whether other name server processes are running before starting up.
  • Added server-side support for pipelined TCP queries.
  • The new mdig command is a version of dig that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next.
  • A new message-compression option can be used to specify whether or not to use name compression when answering queries.
  • When loading a signed zone, named will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately.
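The RRSIG inception check in the last item can be anticipated before an upgrade by listing the signatures in a zone file whose inception time is still in the future. The following is an added example, not code from BIND or from this Change page; the zone fragment is constructed, the function names are hypothetical, and the parser assumes one explicit owner name per record and no `;` or parentheses inside quoted strings.

```python
import re
from datetime import datetime, timezone

# Constructed sample zone fragment; names, key tag and signatures are dummies.
SAMPLE_ZONE = """\
example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN RRSIG A 8 2 3600 20161116000000 20161017000000 12345 example.test. c2lnMQ==
example.test. 3600 IN NSEC www.example.test. A RRSIG NSEC
www.example.test. 3600 IN RRSIG A 8 3 3600 (
        20161201000000 20161101000000 12345 example.test.
        c2lnMg== ) ; folded record
mail.example.test. 3600 IN RRSIG MX 8 3 3600 1480000000 1476000000 12345 example.test. c2lnMw==
"""

# owner [ttl] [class] RRSIG covered alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+(?:\S+\s+){0,2}RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s+\d+\s+\S+\s+\S+")

def parse_sig_time(field):
    """RFC 4034 timestamps: YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def unfold(zone_text):
    """Drop ';' comments and fold parenthesised records onto a single line.
    Simplification: assumes no ';' or parentheses inside quoted strings."""
    text = re.sub(r";[^\n]*", "", zone_text)
    return re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)

def future_inceptions(zone_text, now):
    """Return (owner, type covered, inception) for RRSIGs whose inception is after `now`.
    NSEC records that merely list RRSIG in their type bitmap do not match RRSIG_RE."""
    hits = []
    for line in unfold(zone_text).splitlines():
        m = RRSIG_RE.match(line)
        if m and parse_sig_time(m.group(3)) > now:
            hits.append((m.group(1), m.group(2), parse_sig_time(m.group(3))))
    return hits

if __name__ == "__main__":
    now = datetime(2016, 10, 20, tzinfo=timezone.utc)
    for owner, covered, inception in future_inceptions(SAMPLE_ZONE, now):
        print(f"{owner} RRSIG({covered}) inception {inception:%Y-%m-%d %H:%M:%S} UTC is in the future")
```
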

Feature changes

  • When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
  • Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.
  • Added support for OPENPGPKEY type.
  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
  • On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.
  • Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.
  • Added support for the AVC resource record type (Application Visibility and Control).

Benefit to Fedora

Fedora will include the latest major version of the popular DNS server with the latest features.

Scope

  • Proposal owners: Rebase the package to the latest 9.11 minor version and resolve possible packaging issues. (Also rebuild all currently existing dependent packages listed below)
  • Other developers: Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-ldap)
  • Release engineering: no work required
  • Policies and guidelines: no change required

Upgrade/compatibility impact

Applications that users have compiled manually (not distributed in Fedora) and that use libraries distributed with the BIND package will need to be rebuilt.

The Change possibly impacts the Fedora Server product.

How To Test

  • No special hardware is required.
  1. Users should have some existing named configuration working with the previous version (9.10).
  2. Upgrade the package to the latest 9.11 version available for Fedora 26. Right now the latest build is available in the copr repo https://copr.fedorainfracloud.org/coprs/mruprich/bind-9.11/
  3. Test the named behaviour with the previously used configuration.
  4. named behaviour did not change, except for the changes listed in the BIND 9.11 RELEASE NOTES.

User Experience

Some default settings have changed and are noted on this Change page. The aim is for the change not to be disruptive for users. The Change will be coordinated with the Server WG to prevent possible impact on the Fedora Server product.

Dependencies

Fedora Server product depends on BIND.

Contingency Plan

  • Contingency mechanism: Keep the 9.10 version of BIND
  • Contingency deadline: As given by the F26 Schedule
  • Blocks release? No
  • Blocks product? Fedora Server

Documentation

Everything is already noted in the Detailed Description.

Release Notes

A new major version of the BIND DNS server is available

Important feature changes:

  • When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
  • Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.
  • Added support for OPENPGPKEY type.
  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
  • On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.
  • Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.
  • Added support for the AVC resource record type (Application Visibility and Control).