https://downloads.isc.org/isc/bind9/9.18.21/doc/arm/html/notes.html#notes-for-bind-9-18-21
Removed Features
- Support for using AES as the DNS COOKIE algorithm (cookie-algorithm aes;) has been deprecated and will be removed in a future release. Please use the current default, SipHash-2-4, instead. [GL #4421]
- The resolver-nonbackoff-tries and resolver-retry-interval statements have been deprecated. Using them now causes a warning to be logged. [GL #4405]
named contains high number of assertions checking expected state of the
daemon. That is part of defensive code style to prevent many attacks.
The most common failure is failing some assertion check in rare
circumstances. Even when this should not happen, try keeping the service
running. If such failed assertion produces coredump just from time to
time, avoid failing hard the whole service. coredumpctl will keep track
of all crashes anyway.
Last version installed can be 9.18.4-1, which still provides dnssec-doc
subpackage. Make it more specific to obsolete even that version and
allow smooth upgrade.
Set CI=true only when --with UNITTEST_ALL is not used, which is a
default. Should skip problematic and often failing test in netmgr:
- tcp_recv_two_quota
- tcp_noresponse
Engine interface were deprecated in OpenSSL and therefore removed from
normal compilation. But it is possible to compile on OpenSSL with compat
define. That disables deprecation warnings and use functions same as for
OpenSSL 1.1. That is required to keep working engine pkcs11 support.
Otherwise loading keys via ENGINE_load_private_key would always fail.
Resolves: rhbz:#2122010
Previous change did not do anything, because rpm will terminate the
recipe on the first failed command. Make make check not failing
directly, but fail it later explicitly. Show details in the mean time.
Recent freeipa uses openssl backend pkcs11 to offload keys to secure
storage. Remove duplicate native builds of pkcs11 tools and daemon. Do
not build tools like pkcs11-tokens, rely or more advanced tools p11tool
and pkcs11-tool. Keep setup-named-softhsm as part of named package.
SELinux booleans system pushes enablement into a stack. It saves
previous values and restores them on removal. But the default for
boolean named_write_master_zones has changed to true. Update it just
single time on upgrade from previous bind versions. Then rely on
previous version being a permanent value.
bind-dyndb-ldap requires sending from custom spawned thread to main
named threads. Change queue type to locked variant, which would not
crash when isc_send_task() is called from dyndb worker thread.
Related: rhbz#2048235
Those errors can be dropped by simple configuration:
logging {
category lame_servers { null; };
};
Do not hide them into debug log on all servers. Expect lame servers are
not so common to drop it always.
