mirror of https://gitlab.isc.org/isc-projects/bind9.git synced 2025-04-18 09:44:09 +03:00

new: doc: Prepare documentation for BIND 9.21.7

Merge branch 'nicki/prepare-documentation-for-bind-9.21.7' into 'v9.21.7-release'

See merge request isc-private/bind9!789
Nicki Křížek 2025-04-09 14:04:01 +00:00
commit 6eeee8c36b
6 changed files with 565 additions and 6 deletions


@ -102,6 +102,7 @@ command is one of the following:\n\
\n\
addzone zone [class [view]] { zone-options }\n\
Add zone to given view. Requires allow-new-zones option.\n\
closelogs Close currently open log files.\n\
delzone [-clean] zone [class [view]]\n\
Removes zone from given view.\n\
dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
@ -122,6 +123,8 @@ command is one of the following:\n\
Close, rename and re-open the DNSTAP output file(s).\n\
dumpdb [-all|-cache|-zones|-adb|-bad|-expired|-fail] [view ...]\n\
Dump cache(s) to the dump file (named_dump.db).\n\
fetchlimit [view]\n\
Show servers and domains currently rate-limited to fetch limits.\n\
flush Flushes all of the server's caches.\n\
flush [view] Flushes the server's cache for a view.\n\
flushname name [view]\n\
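Review bot: the description of `fetchlimit [view]` reads awkwardly ("rate-limited to fetch limits"); the help text would be clearer as "Show servers and domains currently subject to fetch limits." so that it matches the wording used for the other one-line summaries in this block.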
@ -176,6 +179,10 @@ command is one of the following:\n\
reload Reload configuration file and zones.\n\
reload zone [class [view]]\n\
Reload a single zone.\n\
reset-stats <counter-name ...>\n\
Reset the requested statistics counter(s).\n\
responselog [ on | off ]\n\
Enable / disable response logging.\n\
retransfer zone [class [view]]\n\
Retransfer a single zone without checking serial number.\n\
scan Scan available network interfaces for changes.\n\
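Review bot: the new `reset-stats <counter-name ...>` help line does not say which counter names are accepted, while the accompanying rndc.rst change lists exactly two (``recursive-high-water`` and ``tcp-high-water``); since operators read `rndc` help far more often than the manual, consider naming the supported counters here as well, e.g. "Reset the requested statistics counter(s) (recursive-high-water, tcp-high-water)."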


@ -471,18 +471,15 @@ Currently supported commands are:
If a zone is specified, this command reloads only the given zone.
If no zone is specified, the reloading happens asynchronously.
.. option:: reset-stats
.. program:: rndc
.. option:: reset-stats <counter-name ...>
This command resets the requested statistics counters.
.. program:: rndc reset-stats
.. option:: counter-name ...
At least one counter name must be provided. Currently the following counters
are supported: ``recursive-high-water``, ``tcp-high-water``.
.. program:: rndc
.. option:: responselog [on | off]
This command enables or disables response logging. For backward compatibility,
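Review bot: two `.. option::` directives for the same command appear in this region, the bare `.. option:: reset-stats` and, two lines below, `.. option:: reset-stats <counter-name ...>`; if the bare one is not among the lines this hunk removes, Sphinx will warn about a duplicate object description for `rndc reset-stats` and the command will be listed twice. Also, the `.. program:: rndc reset-stats` / `.. option:: counter-name ...` pair is the right place to state what happens when an unsupported counter name is given, which the text currently leaves implicit.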


@ -18,6 +18,7 @@ Changelog
development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
.. include:: ../changelog/changelog-9.21.7.rst
.. include:: ../changelog/changelog-9.21.6.rst
.. include:: ../changelog/changelog-9.21.5.rst
.. include:: ../changelog/changelog-9.21.4.rst


@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be
found at
https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
.. include:: ../notes/notes-9.21.7.rst
.. include:: ../notes/notes-9.21.6.rst
.. include:: ../notes/notes-9.21.5.rst
.. include:: ../notes/notes-9.21.4.rst


@ -0,0 +1,359 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
BIND 9.21.7
-----------
New Features
~~~~~~~~~~~~
- Add support for EDE 20 (Not Authoritative) ``45ee3715e1``
Support was added for EDE codes 20 (Not Authoritative) when client
requests recursion (RD) but the server has recursion disabled.
RFC 8914 mention EDE 20 should also be returned if the client doesn't
have the RD bit set (and recursion is needed) but it doesn't apply for
BIND as BIND would try to resolve from the "deepest" referral in
AUTHORITY section. For example, if the client asks for "www.isc.org/A"
but the server only knows the root domain, it will return NOERROR but
no answer for "www.isc.og/A", just the list of other servers to ask.
:gl:`#1836` :gl:`!10228`
- Add support for EDE 7 and EDE 8. ``e66dc07c68``
Support was added for EDE codes 7 (Signature Expired) and 8 (Signature
Not Yet Valid) which might occur during DNSSEC validation. :gl:`#2715`
:gl:`!10225`
- Add support for EDNS ZONEVERSION option. ``908840157e``
`dig` and `named` can now make requests with an EDNS `ZONEVERSION`
option present.
Two new `named.conf` options have been added: `request-zoneversion`
and `provide-zoneversion`. `request-zoneversion` is `off` by default.
`provide-zoneversion` is `on` by default. :gl:`#4767` :gl:`!9103`
- Dig can now display the received BADVERS message during negotiation.
``3397212df3``
Dig +showbadvers now displays the received BADVERS message and
continues the EDNS version negotiation. Previously to see the BADVERS
message +noednsneg had to be specified which terminated the EDNS
negotiation. Additionally the specified EDNS value (+edns=value) is
now used when making all the initial queries with +trace. i.e EDNS
version negotiation will be performed with each server when performing
the trace. :gl:`#5234` :gl:`!10234`
- Add an rndc command to reset some statistics counters. ``234b9d4922``
The new ``reset-stats`` command for ``rndc`` allows some statistics
counters to be reset during runtime. At the moment only two
"high-water" counters are supported, so the ability to reset them
after the initial peaks during the server's "warm-up" phase may be
useful for some operators. :gl:`#5251` :gl:`!10318`
- Implement -T cookiealwaysvalid. ``ae2fd7ef15``
When `-T cookiealwaysvalid` is passed to `named`, DNS cookie checks
for the incoming queries always pass, given they are structurally
correct. :gl:`!10232`
Removed Features
~~~~~~~~~~~~~~~~
- Cleanup dead code: CID 548247. ``6bbdb1980e``
Clean up dead code following merge of !10302. :gl:`#5262` :gl:`!10346`
- Cleanup BIND 8 compatibility code. ``575a2e5f11``
There was some code in dns_resolver unit meant to keep compatibility
with BIND 8 breaking the DNS protocol. These should not be needed
anymore. :gl:`!10270`
- Drop readline alternatives in favor of libedit. ``cbffddcdb9``
Libedit is now ubiquitous and has a license compatible with MPL 2.0.
We are now dropping readline (GPL 3.0) and editline (obsolete) support
in favor of libedit. :gl:`!10202`
- Implement the systemd notification protocol manually to remove
dependency on libsystemd. ``deb18174cd``
:gl:`!10263`
- Remove dns_qpmulti_lockedread declaration. ``58dfbe3863``
This function was removed in 6217e434b57bd5d60ed69f792ae9a1a65a008f57
but not from the header file. :gl:`!10308`
- Remove lock upgrading from the hot path in the QP cache.
``e1af47b829``
In QPcache, there were two places that tried to upgrade the lock. In
`clean_stale_header()`, the code would try to upgrade the lock and
clean up the header, and in `qpzonode_release()`, the tree lock would
be optionally upgraded, so we can clean up the node directly if empty.
These optimizations are not needed and they have no effect on the
performance. :gl:`!10305`
- Remove unnecessary options in dnssec-keygen and dnssec-keyfromlabel.
``b0f8b443c9``
The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was
derived from it) had several options dating to the time when keys in
DNS were still experimental and not fully specified, and when
`dnssec-keygen` had the additional function of generating TSIG keys,
which are now generated by `tsig-keygen`. These options are no longer
necessary in the modern DNSSEC environment, and have been removed.
The removed options are: - `-t` (key type), which formerly set flags
to disable confidentiality or authentication support in a key; these
are no longer used. - `-n` (name type), which is now always set to
"ZONE" for DNSKEY and "HOST" for KEY. - `-p` (protocol), which is now
always set to 3 (DNSSEC); no other value has ever been defined. - `-s`
(signatory field), which was never fully defined. - `-d` (digest
bits), which is meaningful only for TSIG keys. :gl:`!10262`
Feature Changes
~~~~~~~~~~~~~~~
- When forwarding, query with CD=0 first. ``25c91dffcc``
Previously, when queries were forwarded to a remote resolver, the CD
(checking disabled) bit was used, which could lead to bogus data being
retrieved that might have been corrected if validation had been
permitted. The CD bit is now only used as a fallback if an initial
query without CD fails. :gl:`#5132`. :gl:`!10024`
- Remove zero initialization of large buffers. ``b407f9caa8``
Profiles show that an high amount of CPU time spent in memset. By
removing zero initalization of certain large buffers we improve
performance in certain authoritative workloads. :gl:`#5159`
:gl:`!10058`
- Carefully check if the server name used for SNI is a hostname.
``b6e6430b54``
Previously the code would not check if the string intended to be used
for SNI is a hostname.
See also: !9923 :gl:`#5225` :gl:`!10254`
- Improve the LRU cache-expiration mechanism. ``f70d8b4252``
Improve the LRU cache-expiration mechanism to a SIEVE-LRU based
mechanism that triggers when the cache is close to the
`max-cache-size` limit. This improves the recursive server
performance. :gl:`!10153`
- Switch symtab to use fxhash hashing. ``d3db9ccf53``
This merge request resolves some performance regressions introduced
with the change from isc_symtab_t to isc_hashmap_t.
The key improvements are:
1. Using a faster hash function than both isc_hashmap_t and
isc_symtab_t. The previous implementation used SipHash, but the
hashflood resistance properties of SipHash are unneeded for config
parsing. 2. Shrinking the initial size of the isc_hashmap_t used
inside isc_symtab_t. Symtab is mainly used for config parsing, and
the when used that way it will have between 1 and 50 keys, but the
previous implementation initialized a map with 128 slots. By
initializing a smaller map, we speed up mallocs and optimize for
the typical case of few config keys. 3. Slight optimization of the
string matching in the hashmap, so that the tail is handled in a
single load + comparison, instead of byte by byte. Of the three
improvements, this is the least important. :gl:`!10204`
Bug Fixes
~~~~~~~~~
- QNAME minimization could leak the query type. ``42799ae81f``
When performing QNAME minimization, `named` now sends an NS query for
the original query name, before sending the final query. This prevents
the parent zone from learning the original query type, in the event
that the query name is a delegation point.
For example, when looking up an address record for `example.com`, NS
queries are now sent to the servers for both `com` and `example.com`,
before the address query is sent to the servers for `example.com`.
Previously, an address query would have been sent to the servers for
`com`. :gl:`#4805` :gl:`!9155`
- Add missing locks when returning addresses. ``06427720f7``
Add missing locks in dns_zone_getxfrsource4 et al. Addresses CID
468706, 468708, 468741, 468742, 468785, and 468778.
Cleanup dns_zone_setxfrsource4 et al to now return void.
Remove double copies with dns_zone_getprimaryaddr and
dns_zone_getsourceaddr. :gl:`#4933` :gl:`!9485`
- Stop caching lack of EDNS support. ``ebf5c87a53``
`named` could falsely learn that a server doesn't support EDNS when a
spoofed response was received; that subsequently prevented DNSSEC
lookups from being made. This has been fixed. :gl:`#3949` :gl:`#5066`
- Step() could ignore rollbacks. ``3b0b658a52``
The `step()` function (used for stepping to the prececessor or
successor of a database node) could overlook a node if there was an
rdataset that was marked IGNORE because it had been rolled back,
covering an active rdataset under it. :gl:`#5170` :gl:`!10103`
- Fix resolver statistics counters for timed out responses.
``d30b9eb46e``
When query responses timed out, the resolver could incorrectly
increase the regular responses counters, even if no response was
received. This has been fixed. :gl:`#5193` :gl:`!10227`
- Nested DNS validation could cause assertion failure. ``bc8799ee17``
When multiple nested DNS validations were destroyed out of order, the
EDE context could be freed before all EDE codes were copied, which
could cause an assertion failure. This has been fixed. :gl:`#5213`
:gl:`!10365`
- Ensure max-clients-per-query is at least clients-per-query.
``6ac4cfb948``
If the `max-clients-per-query` option is set to a lower value than
`clients-per-query`, the value is adjusted to match
`clients-per-query`. :gl:`#5224` :gl:`!10241`
- Fix CID 544147: Code maintainability issues (UNUSED_VALUE)
``3973c2e8c3``
Assigning value "NULL" to "newstr", but that stored value is
overwritten before it can be used.
Setting "newstr" to NULL does not have any effect, so the line can
safely be removed. :gl:`#5227` :gl:`!10239`
- Fix handling of revoked keys. ``025ef4d7b8``
When a key is revoked, its key ID changes due to the inclusion of the
"revoked" flag. A collision between this changed key ID and an
unrelated public-only key could cause a crash in `dnssec-signzone`.
:gl:`#5231` :gl:`!10233`
- Fix adbname reference. ``49ecb158d4``
Call `dns_adbname_ref` before calling `dns_resolver_createfetch` to
ensure `adbname->name` remains stable for the life of the fetch.
:gl:`#5239` :gl:`!10290`
- Fix write after free in validator code. ``329a332708``
Raw integer pointers were being used for the validator's nvalidations
and nfails values but the memory holding them could be freed before
they ceased to be used. Use reference counted counters instead.
:gl:`#5239` :gl:`!10248`
- Don't enforce NOAUTH/NOCONF flags in DNSKEYs. ``d18787b134``
All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH`
(and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type,
and are not applicable to DNSKEY. Previously, however, because the
DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag
prevented authentication in DNSKEYs as well. This has been corrected.
:gl:`#5240` :gl:`!10261`
- Fix several small DNSSEC timing issues. ``d2214cb704``
The following small issues related to `dnssec-policy` have been fixed:
- In some cases the key manager inside BIND 9 could run every hour,
while it could have run less often. - While `CDS` and `CDNSKEY`
records will be removed correctly from the zone when the corresponding
`DS` record needs to be updated, the expected timing metadata when
this will happen was never set. - There were a couple of cases where
the safety intervals are added inappropriately, delaying key rollovers
longer than necessary. - If you have identical `keys` in your
`dnssec-policy`, they may be retired inappropriately. Note that having
keys with identical properties is discouraged in all cases.
:gl:`#5242` :gl:`!10251`
- Copy __FILE__ when allocating memory. ``0d6839d832``
When allocating memory under -m trace|record, the __FILE__ pointer is
stored, so it can be printed out later in order to figure out in which
file an allocation leaked. (among others, like the line number).
However named crashes when called with -m record and using a plugin
leaking memory. The reason is that plugins are unloaded earlier than
when the leaked allocations are dumped (obviously, as it's done as
late as possible). In such circumstances, `__FILE__` is dangling
because the dynamically loaded library (the plugin) is not in memory
anymore.
Fix the crash by systematically copying the `__FILE__` string instead
of copying the pointer. Of course, this make each allocation to
consume a bit more memory (and longer, as it needs to calculate the
length of `__FILE__`) but this occurs only under -m trace|record
debugging flags. :gl:`!10320`
- Fix a bug in the ns_query's get_key() function. ``75060cbd63``
After a refactoring in 2e6107008dae09d32e3d34fb5423b3d78c4ff651 the
dst_key_free() call is invalid and can cause an assertion. Remove the
dst_key_free() call. :gl:`!10311`
- Fix invalid cache-line padding for qpcache buckets. ``7861042a27``
The isc_queue_t was missing in the calculation of the required padding
size inside the qpcache bucket structure. :gl:`!10306`
- Optimize key ID check when searching for matching keys. ``3415392d01``
When searching through a DNSKEY or KEY rrset for the key matching a
particular algorithm and ID, it's a waste of time to convert every key
into a `dst_key` object; it's faster to compute the key ID from the
rdata, then do the full key conversion after determining that we've
found the right key. This optimization was already used in the
validator, but it's been refactored for code clarity, and is now also
used in query.c and message.c. :gl:`!10258`
- Refactor to use list-like macro for message sections. ``1d14612bb9``
In the code base it is very common to iterate over all names in a
message section and all rdatasets for each name, but various idioms
are used for iteration.
This commit standardizes them as much as possible to a single idiom,
through the macro `MSG_SECTION_FOREACH`, similar to the existing
`ISC_LIST_FOREACH`. :gl:`!10302`
- Switch to ISC_LIST_FOREACH everywhere. ``04cf3ba91f``
The pattern `for (x = ISC_LIST_HEAD(...); x != NULL;
ISC_LIST_NEXT(...)` has been changed to `ISC_LIST_FOREACH` throughout
BIND, except in a few cases where the change would be excessively
complex. In most cases this was a straightforward change. In some
places, however, the list element variable was referenced after the
loop ended. Where possible, code has now been refactored to avoid this
necessity. `ISC_LIST_FOREACH` has also been modified to use
`typeof(list.head)` to declare list elements automatically. When the
list object to be iterated is declared with a `const` qualifier, the
qualifier is passed along to the element declaration, causing a
compilation failure. To avoid this problem, some `const` qualifiers
have been removed; where that was not possible, `UNCONST` was used.
:gl:`!10310`
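Review bot: several nested lists in this changelog were flattened into running text with inline " - " (and "1. 2. 3.") separators, which reStructuredText renders as literal hyphens inside one paragraph rather than as list items: the "removed options are:" list in the dnssec-keygen entry, the three-point list in the symtab/fxhash entry, and the "following small issues" list in the DNSSEC timing entry; the companion notes-9.21.7.rst already splits the dnssec-keygen and timing lists into proper bullet items, so the same layout should be applied here. Smaller text fixes in the same hunk: "www.isc.og/A" should be "www.isc.org/A" (the notes file has it right), "RFC 8914 mention" should be "mentions", "an high amount" should be "a high amount", "initalization" should be "initialization", "prececessor" should be "predecessor", "i.e EDNS" should be "i.e. EDNS", and there is a stray period after :gl:`#5132` in the CD=0 forwarding entry.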

doc/notes/notes-9.21.7.rst Normal file

@ -0,0 +1,194 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.7
---------------------
New Features
~~~~~~~~~~~~
- Add support for EDE 20 (Not Authoritative)
Support was added for EDE codes 20 (Not Authoritative) when the client
requests recursion (RD) but the server has recursion disabled.
:rfc:`8914` indicates that EDE 20 should also be returned if the
client does not have the RD bit set (and recursion is needed), but it
does not apply for BIND; BIND would try to resolve from the "deepest"
referral in the AUTHORITY section. For example, if the client asks for
``www.isc.org/A`` but the server only knows the root domain, it will
return NOERROR but no answer for ``www.isc.org/A``, just the list of
other servers to ask. :gl:`#1836`
- Add support for EDE 7 and EDE 8.
Support was added for EDE codes 7 (Signature Expired) and 8 (Signature
Not Yet Valid), which might occur during DNSSEC validation.
:gl:`#2715`
- Add support for EDNS ZONEVERSION option.
:iscman:`dig` and :iscman:`named` can now make requests with an EDNS
ZONEVERSION option present.
Two new :iscman:`named.conf` options have been added:
:any:`request-zoneversion` and :any:`provide-zoneversion`.
:any:`request-zoneversion` is ``off`` by default.
:any:`provide-zoneversion` is ``on`` by default. :gl:`#4767`
- :iscman:`dig` can now display the received BADVERS message during
negotiation.
:option:`dig +showbadvers` now displays the received BADVERS message
and continues the EDNS version negotiation. Previously, to see the
BADVERS message :option:`dig +noednsnegotiation` had to be specified,
which terminated the EDNS negotiation. Additionally, the specified
EDNS value (``+edns=value``) is now used when making all the initial
queries with :option:`dig +trace`, i.e. EDNS version negotiation is
performed with each server when performing the trace. :gl:`#5234`
- Add an :iscman:`rndc` command to reset some statistics counters.
The new :option:`rndc reset-stats` command allows some statistics
counters to be reset during runtime. At the moment only two
"high-water" counters are supported, so the ability to reset them
after the initial peaks during the server's "warm-up" phase may be
useful for some operators. :gl:`#5251`
Removed Features
~~~~~~~~~~~~~~~~
- Drop readline alternatives in favor of libedit.
Libedit is now ubiquitous and has a license compatible with MPL 2.0.
We are now dropping readline (GPL 3.0) and editline (obsolete) support
in favor of libedit.
- Implement the systemd notification protocol manually to remove
dependency on libsystemd.
- Remove unnecessary options in :iscman:`dnssec-keygen` and
:iscman:`dnssec-keyfromlabel`.
The :iscman:`dnssec-keygen` utility (and
:iscman:`dnssec-keyfromlabel`, which was derived from it) had several
options dating to the time when keys in DNS were still experimental
and not fully specified, and when :iscman:`dnssec-keygen` had the
additional function of generating TSIG keys, which are now generated
by :iscman:`tsig-keygen`. These options are no longer necessary in the
modern DNSSEC environment, and have been removed.
The removed options are:
- ``-t`` (key type), which formerly set flags to disable
confidentiality or authentication support in a key; these are no
longer used.
- ``-n`` (name type), which is now always set to "ZONE" for DNSKEY and
"HOST" for KEY.
- ``-p`` (protocol), which is now always set to 3 (DNSSEC); no other
value has ever been defined.
- ``-s`` (signatory field), which was never fully defined.
- ``-d`` (digest bits), which is meaningful only for TSIG keys.
Feature Changes
~~~~~~~~~~~~~~~
- When forwarding, query with CD=0 first.
Previously, when queries were forwarded to a remote resolver, the CD
(checking disabled) bit was used, which could lead to bogus data being
retrieved that might have been corrected if validation had been
permitted. The CD bit is now only used as a fallback if an initial
query without CD fails. :gl:`#5132`.
- Improve the LRU cache-expiration mechanism.
The LRU cache-expiration mechanism has been improved to a
SIEVE-LRU-based mechanism that triggers when the cache is close to the
:any:`max-cache-size` limit. This improves the recursive server's
performance.
Bug Fixes
~~~~~~~~~
- QNAME minimization could leak the query type.
When performing QNAME minimization, :iscman:`named` now sends an NS
query for the original query name, before sending the final query.
This prevents the parent zone from learning the original query type,
in the event that the query name is a delegation point.
For example, when looking up an address record for ``example.com``, NS
queries are now sent to the servers for both ``com`` and
``example.com``, before the address query is sent to the servers for
``example.com``. Previously, an address query would have been sent to
the servers for ``com``. :gl:`#4805`
- Stop caching lack of EDNS support.
:iscman:`named` could falsely learn that a server did not support EDNS
when a spoofed response was received; that subsequently prevented
DNSSEC lookups from being made. This has been fixed. :gl:`#3949`
:gl:`#5066`
- Fix resolver statistics counters for timed-out responses.
When query responses timed out, the resolver could incorrectly
increase the regular response counters, even if no response was
received. This has been fixed. :gl:`#5193`
- Nested DNS validation could cause an assertion failure.
When multiple nested DNS validations were destroyed out of order, the
EDE context could be freed before all EDE codes were copied, which
could cause an assertion failure. This has been fixed. :gl:`#5213`
- Ensure :any:`max-clients-per-query` is at least
:any:`clients-per-query`.
If the :any:`max-clients-per-query` option is set to a lower value
than :any:`clients-per-query`, the value is adjusted to match
:any:`clients-per-query`. :gl:`#5224`
- Fix write after free in validator code.
Raw integer pointers were being used for the validator's nvalidations
and nfails values, but the memory holding them could be freed while
they were still being used. Reference counted counters are now used
instead. :gl:`#5239`
- Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
All DNSKEY keys are able to authenticate. The ``DNS_KEYTYPE_NOAUTH``
(and ``DNS_KEYTYPE_NOCONF``) flags were defined for the KEY rdata
type, and are not applicable to DNSKEY. Previously, however, because
the DNSKEY implementation was built on top of KEY, the ``_NOAUTH``
flag prevented authentication in DNSKEYs as well. This has been
corrected. :gl:`#5240`
- Fix several small DNSSEC timing issues.
The following small issues related to :any:`dnssec-policy` have been
fixed:
- In some cases the key manager inside BIND 9 would run every hour,
while in other cases it would run less often.
- While ``CDS`` and ``CDNSKEY`` records will be removed correctly from
the zone when the corresponding ``DS`` record needs to be updated,
the expected timing metadata for when this should happen was never
set.
- There were a couple of cases where the safety intervals were added
inappropriately, delaying key rollovers longer than necessary.
- Identical keys in a :any:`dnssec-policy` may have been
retired inappropriately. Note that having `keys` with identical
properties is discouraged in all cases.
:gl:`#5242`
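Review bot: the first DNSSEC timing item changes the meaning of the changelog entry it was copied from: the changelog says the key manager "could run every hour, while it could have run less often" (i.e. it ran more often than necessary), whereas this version says it "would run every hour, while in other cases it would run less often", which describes an inconsistency rather than the bug that was fixed; suggest "In some cases the key manager inside BIND 9 would run every hour when it could have run less often." Two style points in the same hunk: the last timing item uses single backticks around `keys`, which Sphinx treats as the default interpreted-text role rather than a literal, while the rest of the file uses double backticks; and there is a stray period after :gl:`#5132` in the CD=0 forwarding entry.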