Notable new features:
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.
Approved by: delphij (mentor)
MFC after: 3 days
Sponsored by: DK Hostmaster A/S
This includes a structural change regarding atomic ops. Previously they
were enabled on all platforms unless we had knowledge that they did not
work. However both work performed by marius@ on sparc64 and the fact that
the 9.8.x branch is fussier in this area has demonstrated that this is
not a safe approach. So I've modified a patch provided by marius to
enable them for i386, amd64, and ia64 only.
in the PR by removing spurious .HP tags, thereby actually
allowing the commands to show up in the man page output,
and making the style consistent with the nslookup(1) man
page. [1]
While I'm here, fix the markup on the first command reference
in nslookup(1).
PR: docs/98009 [1]
Submitted by: Dmitry Kazarov <kazarov@ttk.ru>
1. Install man files and links for the lwres library.
2. Fix the path in various files to say /etc/namedb/ instead of just /etc.
3. Correctly install the conf file man pages for named and rndc.
but have a knob (WANT_BIND_LIBS) to build and install them in /usr/lib
and /usr/include. Rumors are that this may be useful at a later point,
let's see.
What this really means is that all BIND libraries are now internal to
buildworld (by default, unless WANT_BIND_LIBS is defined), and linked
statically into various BIND executables.
While here, removed redundant -I's from CFLAGS in lib/bind makefiles.
Sponsored by: des
OK'ed by: dougb
POSIX threads libraries are not available. Add crypto support if
the crypto libraries are available. Build dnssec-{keygen,signzone}
if crypto is available.
Submitted by: (in part) dougb@
