BIND DNS Server 9.16.0 Released

After 11 months of development, the ISC consortium has presented the first stable release of a significant new branch of the BIND DNS server, 9.16. The 9.16 branch will be supported for three years, until the 2nd quarter of 2023, as part of an extended support cycle. Updates for the previous LTS branch, 9.11, will continue to be released until December 2021. Support for the 9.14 branch will end in three months.

Main new features:

  • Added KASP (Key and Signing Policy), a simplified way of managing DNSSEC keys and digital signatures, based on configuration rules defined with the "dnssec-policy" directive. This directive lets you configure the generation of the new keys required for DNS zones and the automatic application of ZSK and KSK keys.
  • The network subsystem has been substantially redesigned and switched to an asynchronous request-processing mechanism implemented on top of the libuv library.
    The rework has not yet led to any visible changes, but in future releases it will make it possible to implement significant performance optimizations and to add support for new protocols such as DNS over TLS.

  • Improved management of DNSSEC trust anchors (a trust anchor is a public key bound to a zone and used to verify the authenticity of that zone). In place of the trusted-keys and managed-keys settings, which are now deprecated, a new trust-anchors directive is offered that lets you manage both kinds of keys.

    When trust-anchors is used with the initial-key keyword, the directive behaves like managed-keys, i.e. it defines a trust anchor that is maintained in accordance with RFC 5011. When trust-anchors is used with the static-key keyword, the behavior matches the trusted-keys directive, i.e. it defines a persistent key that is not updated automatically. trust-anchors also provides two more keywords, initial-ds and static-ds, which let you specify trust anchors in DS (Delegation Signer) format instead of DNSKEY. This makes it possible to configure bindings for keys that have not yet been published (IANA plans to use the DS format for root zone keys in the future).

  • The "+yaml" option has been added to the dig, mdig and delv utilities to produce output in YAML format.
  • The "+[no]unexpected" option has been added to the dig utility, allowing it to accept responses from hosts other than the server the request was sent to.
  • The "+[no]expandaaaa" option has been added to the dig utility; it causes IPv6 addresses in AAAA records to be shown in their full 128-bit representation rather than in RFC 5952 format.
  • Added the ability to toggle groups of statistics channels.
  • DS and CDS records are now generated only from SHA-256 hashes (SHA-1-based generation has been discontinued).
  • For DNS Cookie (RFC 7873), the default algorithm is SipHash 2-4, and support for HMAC-SHA has been discontinued (AES is retained).
  • The output of the dnssec-signzone and dnssec-verify commands is now sent to standard output (STDOUT), and only errors and warnings are printed to STDERR (the -f option also prints the signed zone). A "-q" option has been added to silence the output.
  • The DNSSEC validation code has been reworked to eliminate code duplication with other subsystems.
  • Only the JSON-C library can now be used to output statistics in JSON format. The configure option "--with-libjson" has been renamed to "--with-json-c".
  • The configure script no longer defaults "--sysconfdir" to /etc and "--localstatedir" to /var when "--prefix" is not specified. The default paths are now $prefix/etc and $prefix/var, as used in Autoconf.
  • Removed the code implementing the DLV service (Domain Look-aside Verification, the dnssec-lookaside option), which was deprecated in BIND 9.12; the associated dlv.isc.org handler was disabled in 2017. Removing DLV has freed the BIND code from unnecessary complications.
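
The trust-anchors item above maps managed-keys to the initial-key keyword and trusted-keys to static-key. As an added example (not ISC's code and not part of the original article), the following Python sketch rewrites legacy blocks in a named.conf fragment accordingly; it assumes simple, comment-free blocks, and the sample zone names and key strings are constructed placeholders.

```python
import re

# Entries in trusted-keys carry no keyword, so "static-key" is inserted;
# managed-keys entries already say "initial-key" and are kept as written.
LEGACY_BLOCKS = {"trusted-keys": "static-key", "managed-keys": "initial-key"}
KEYWORDS = {"initial-key", "static-key", "initial-ds", "static-ds"}

# Assumption: blocks are comment-free and contain no nested braces.
BLOCK_RE = re.compile(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;", re.S)
# owner name, numeric fields (optionally led by a keyword), quoted key data
ENTRY_RE = re.compile(r'\s*(\S+)\s+([^";]*?)\s*("[^"]*")\s*;')


def _convert_block(match):
    default_kw = LEGACY_BLOCKS[match.group(1)]
    out = ["trust-anchors {"]
    for name, fields, key in ENTRY_RE.findall(match.group(2)):
        parts = fields.split()
        if not parts or parts[0] not in KEYWORDS:
            parts.insert(0, default_kw)
        out.append(f"    {name} {' '.join(parts)} {key};")
    out.append("};")
    return "\n".join(out)


def migrate(conf_text):
    """Rewrite legacy trust anchor blocks as trust-anchors blocks."""
    return BLOCK_RE.sub(_convert_block, conf_text)


# Constructed sample; the key strings are placeholders, not real DNSKEY data.
SAMPLE = '''options { directory "/var/named"; };
trusted-keys {
    example.com. 257 3 8 "AAAAconstructedkey1";
};
managed-keys {
    . initial-key 257 3 8 "AAAAconstructedkey2";
};
'''

if __name__ == "__main__":
    print(migrate(SAMPLE))
```

Run named-checkconf on the converted file before deploying it.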

Source: opennet.ru
