October 21, 2009

[installer 2114] BIND 9.7.0b1

BIND 9.7.0b1 has been released.

☆ BIND 9.7.0b1
http://www.isc.org/products/BIND/
ftp://ftp.isc.org/isc/bind/9.7.0b1/bind-9.7.0b1.tar.gz

--- 9.7.0b1 released ---

2715. [bug] Require OpenSSL support to be explicitly disabled.
[RT #20288]

2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
flags.

2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.

2712. [func] New 'auto-dnssec' zone option allows zone signing
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
to be signed by creating keys for it in the
key-directory and using 'rndc sign <zone>'.
'auto-dnssec maintain;' allows that too, plus it
also keeps the zone's DNSSEC keys up to date
according to their timing metadata. [RT #19943]

2711. [port] win32: Add the bin/pkcs11 tools into the full
build. [RT #20372]

2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
zone option cause a zone to be signed with only KSKs
signing the DNSKEY RRset, not ZSKs. This reduces
the size of a DNSKEY answer. [RT #20340]

2709. [func] Added some data fields, currently unused, to the
private key file format, to allow implementation
of explicit key rollover in a future release
without impairing backward or forward compatibility.
[RT #20310]

2708. [func] Insecure to secure and NSEC3 parameter changes via
update are now fully supported and no longer require
defines to enable. We now no longer overload the
NSEC3PARAM flag field, nor the NSEC OPT bit at the
apex. Secure to insecure changes are controlled by
the named.conf option 'secure-to-insecure'.

Warning: If you had previously enabled support by
adding defines at compile time to BIND 9.6 you should
ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7
is not backwards compatible.

2707. [func] dnssec-keyfromlabel no longer requires engine name
to be specified in the label if there is a default
engine or the -E option has been used. Also, it
now uses default algorithms as dnssec-keygen does
(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
[RT #20371]

2706. [bug] Loading a zone with a very large NSEC3 salt could
trigger an assert. [RT #20368]

2705. [placeholder]

2704. [bug] Serial of dynamic and stub zones could be inconsistent
with their SOA serial. [RT #19387]

2703. [func] Introduce an OpenSSL "engine" argument with -E
for all binaries which can take benefit of
crypto hardware. [RT #20230]

2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]

2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]

2700. [doc] The match-mapped-addresses option is discouraged.
[RT #12252]

2699. [bug] Missing lock in rbtdb.c. [RT #20037]

2698. [placeholder]

2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
S_IFREG are defined after including <isc/stat.h>.
[RT #20309]

2696. [bug] named failed to successfully process some valid
acl constructs. [RT #20308]

2695. [func] DHCP/DDNS - update fdwatch code for use by
DHCP. Modify the api to isc_sockfdwatch_t (the
callback function for isc_socket_fdwatchcreate)
to include information about the direction (read
or write) and add isc_socket_fdwatchpoke.
[RT #20253]

2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
[RT #19970]

2693. [port] Add some noreturn attributes. [RT #20257]

2692. [port] win32: 32/64 bit cleanups. [RT #20335]

2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
chain when re-signing a previously-signed zone.
Use -u to modify NSEC3 parameters or switch
between NSEC and NSEC3. [RT #20304]

2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
[RT #20315]

2689. [bug] Correctly handle snprintf result. [RT #20306]

2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
to decide to fetch the destination address. [RT #20305]

2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
Also, added warnings when revoking a ZSK, as this is
not defined by protocol (but is legal). [RT #19943]

2686. [bug] dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vice versa. [RT #20301]

2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]

2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+adflag and +cdflag. [RT #19305]

2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
[RT #20246]

2682. [bug] "configure --enable-symtable=all" failed to
build. [RT #20282]

2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]

2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679. [func] dig -k can now accept TSIG keys in named.conf
format. [RT #20031]

2678. [func] Treat DS queries as if "minimal-response yes;"
was set. [RT #20258]

2677. [func] Changes to key metadata behavior:
- Keys without "publish" or "active" dates set will
no longer be used for smart signing. However,
those dates will be set to "now" by default when
a key is created; to generate a key but not use
it yet, use dnssec-keygen -G.
- New "inactive" date (dnssec-keygen/settime -I)
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favor of "deleted" (-D).
[RT #20247]

2676. [bug] --with-export-installdir should have been
--with-export-includedir. [RT #20252]

2675. [bug] dnssec-signzone could crash if the key directory
did not exist. [RT #20232]

----
こがよういちろう


Posted by xml-rpc: October 21, 2009 15:09