From c634210eedf05b1667b4a83415d55cd021ac675c Mon Sep 17 00:00:00 2001
From: Yoana Ruseva <yoana@ruseva.co.uk>
Date: Jul 10 2017 12:09:00 +0000
Subject: Add #74 'BIND version 9.11'


---

diff --git a/en-US/DNS_servers.xml b/en-US/DNS_servers.xml
new file mode 100644
index 0000000..1b9dfcd
--- /dev/null
+++ b/en-US/DNS_servers.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "Release_Notes.ent">
+%BOOK_ENTITIES;
+]>
+
+<section id="sect-dns-servers">
+  <title>Domain Name Systen (DNS) Servers</title>
+  <section id="bind-version-9.11">
+	  <title>BIND version 9.11</title>
+  	<para> 
+	  A new major version of the BIND DNS server has been added to Fedora. Most notable changes include:
+	</para>
+  	<para> 
+  	  A new method for provisioning secondary servers called "Catalog Zones" has been added to BIND. A catalog zone is a regular DNS zone which contains a list of "member zones", along with the configuration options for each of those zones. When a server is configured to use a catalog zone, all the zones listed in the catalog zone are added to the local server as slave zones. However, as this is a new feature it does not support many advanced configurations such as ACLs (Access Control Lists) and TSIG (Transaction Signatures).
+	</para>
+  	<para>
+	  The <command>isc.rndc</command> Python module has been added to BIND. It allows rndc commands to be sent from programs written in Python.
+	</para>
+  	<para> 
+          Added support for DynDB, a plug-in interface for loading zone data from an external database. DynDB is able to fully implement and extend the database API used natively by BIND. A DynDB module can pre-load data from an external data source, then serve it with the same performance and functionality as conventional BIND zones, and with the ability to take advantage of database features not available in BIND, such as multi-master replication.
+	</para>
+  	<para> 
+	  Two new quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers that are experiencing denial-of-service attacks. <literal>fetches-per-server</literal> limits the number of simultaneous queries that can be sent to any single authoritative server. The <literal>fetches-per-zone</literal> quota limits the number of simultaneous queries that can be sent for names within a single domain. Statistics counters have also been added to track the number of queries affected by these quotas.
+	</para>
+  	<para> 
+	  Added support for <application>dnstap</application>, a fast, flexible method for capturing and logging DNS traffic. To enable dnstap at compile time, the <literal>fstrm</literal> and <literal>protobuf-c</literal> libraries must be available, and BIND must be configured with the <option>--enable-dnstap</option> option.
+	</para>
+  	<para> 
+	  A new DNSSEC key management utility, <application>dnssec-keymgr<application>, has been added.
+	</para>
+  	<para> 
+          The nslookup tool will now look up IPv6 as well as IPv4 addresses by default.
+	</para>
+  	<para> 
+          BIND will now check to see whether other name server processes are running before starting up.
+	</para>
+  	<para> 
+          Added server-side support for pipelined TCP queries.
+	</para>
+  	<para> 
+	  The new <command>mdig</command> command is a version of dig that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting the response before sending the next.
+	</para>
+  	<para> 
+          A new message-compression option can be used to specify whether or not to use name compression when answering queries.
+	</para>
+  	<para> 
+          When loading a signed zone, BIND will now check whether an RRSIG's (DNSSEC signature) inception time is in the future, and if so, it will regenerate the RRSIG immediately.
+	</para>
+  </section>
+</section>