BIND DNS Server 9.16.0 Release

After 11 months of development, the ISC consortium has presented the first stable release of the new major branch of the BIND DNS server, 9.16. Branch 9.16 will be supported for three years, until the second quarter of 2023, under an extended support cycle. Updates for the previous LTS branch, 9.11, will continue until December 2021, and support for branch 9.14 will end in three months.

Main changes:

  • Added KASP (Key and Signing Policy), a simplified way of managing DNSSEC keys and signatures, based on rules defined with the “dnssec-policy” directive. The directive lets you configure the generation of new keys for DNS zones and the automatic rollover of ZSK and KSK keys.
  • The network subsystem has been significantly reworked and switched to an asynchronous request-processing model built on the libuv library. The rework does not yet bring any visible changes, but in future releases it will make significant performance optimizations possible and allow new protocols, such as DNS over TLS, to be supported.

  • The handling of DNSSEC trust anchors (a trust anchor is a public key bound to a zone and used to verify that zone's authenticity) has been improved. The trusted-keys and managed-keys settings are now deprecated; a new trust-anchors directive that can manage both kinds of keys has been introduced in their place.

    When trust-anchors is used with the initial-key keyword, it behaves like managed-keys, i.e. it defines a trust anchor that is maintained according to RFC 5011. With the static-key keyword, it behaves like trusted-keys, i.e. it defines a fixed key that is never updated automatically. trust-anchors also accepts two further keywords, initial-ds and static-ds, which let the trust anchor be given in DS (Delegation Signer) form rather than as a DNSKEY; this makes it possible to configure anchors for keys that have not yet been published (IANA plans to use the DS format for root zone keys in the future).

  • The “+yaml” option has been added to the dig, mdig and delv utilities to produce output in YAML format.
  • The “+[no]unexpected” option has been added to dig; it allows responses to be accepted from hosts other than the server the query was sent to.
  • The “+[no]expandaaaa” option has been added to dig; it causes IPv6 addresses in AAAA records to be printed in full 128-bit form rather than in the compressed RFC 5952 notation.
  • Added the ability to enable or disable groups of statistics in the statistics channels.
  • DS and CDS records are now generated only with SHA-256 digests (generation based on SHA-1 has been discontinued).
  • For DNS Cookies (RFC 7873), the default algorithm is now SipHash 2-4; HMAC-SHA support has been removed (AES is retained).
  • The output of the dnssec-signzone and dnssec-verify commands now goes to standard output (STDOUT), with only errors and warnings printed to STDERR (with the -f option the signed zone is also printed). A "-q" option has been added to silence the output.
  • The DNSSEC validation code has been reworked to eliminate duplication with other subsystems.
  • Statistics in JSON format can now be produced only with the json-c library. The configure option "--with-libjson" has been renamed "--with-json-c".
  • The configure script no longer defaults "--sysconfdir" to /etc and "--localstatedir" to /var unless "--prefix" is specified; the defaults are now $prefix/etc and $prefix/var, as is usual with Autoconf.
  • The code implementing DLV (DNSSEC Look-aside Validation, the dnssec-lookaside option) has been removed; the service was deprecated in BIND 9.12 and the associated dlv.isc.org registry was shut down in 2017. Removing DLV rids the BIND code of unnecessary complexity.
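The following named.conf fragment is an added example, not text from the article nor configuration shipped by ISC, showing how the two new directives described above fit together on a BIND 9.16 server: a dnssec-policy that keeps a long-lived KSK and rolls the ZSK monthly, a zone that references that policy, and a trust-anchors block using both a DS-format anchor (static-ds) and an RFC 5011 managed anchor (initial-key). The zone names, file paths, key tag, digest and key material are placeholders to be replaced with real values, and the timing values are illustrative choices rather than recommendations from the page.

```conf
// Added example (not from the article or from ISC): a BIND 9.16 named.conf
// fragment combining the new dnssec-policy and trust-anchors directives.
// Zone names, paths, key tags, digests and key material are placeholders.

options {
    directory     "/var/named";       // assumed working directory
    key-directory "/var/named/keys";  // assumed; KASP creates and rolls keys here
    dnssec-validation auto;           // validate using the built-in root anchor
};

// KASP: define the policy once, then attach it to any number of zones.
dnssec-policy "example-policy" {
    keys {
        // Separate KSK and ZSK, both algorithm 13 (ECDSAP256SHA256).
        // The KSK is kept indefinitely; the ZSK is rolled every 30 days.
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime P30D      algorithm 13;
    };
    // Signature lifetime, and how long before expiry signatures are renewed.
    signatures-validity P14D;
    signatures-refresh  P5D;
    // Timing inputs named uses to schedule safe key-state transitions.
    dnskey-ttl               PT1H;
    publish-safety           PT1H;
    retire-safety            PT1H;
    zone-propagation-delay   PT5M;
    parent-propagation-delay PT1H;
    parent-ds-ttl            PT1H;
};

zone "example.com" {
    type primary;
    file "example.com.db";            // placeholder zone file
    inline-signing yes;               // in 9.16 a policy zone must be dynamic or inline-signed
    dnssec-policy "example-policy";   // key generation and rollover now follow the policy
};

// Replaces trusted-keys and managed-keys, which are deprecated in 9.16.
trust-anchors {
    // static-ds: a fixed anchor in DS form; digest type 2 = SHA-256 (64 hex digits).
    // Placeholder digest; it is never updated automatically, so rotate it by hand.
    example.net. static-ds 12345 13 2 "0000000000000000000000000000000000000000000000000000000000000000";
    // initial-key: the DNSKEY seed for RFC 5011 tracking (former managed-keys).
    // 257 = KSK flags, 3 = protocol, 13 = algorithm; placeholder base64 key.
    example.org. initial-key 257 3 13 "AwEAAPLACEHOLDERPLACEHOLDERPLACEHOLDERAB";
};
```

Run named-checkconf against the file before reloading; once the zone is loaded, rndc dnssec -status example.com reports which key states the policy has reached. Using static-ds rather than static-key is what allows an anchor to be configured before the corresponding DNSKEY is published, which is the case the article describes for future root zone keys.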

Source: opennet.ru
