bind/doc/notes/notes-current.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.2
---------------------

Security Fixes
~~~~~~~~~~~~~~

- None.

Known Issues
~~~~~~~~~~~~

- None.

New Features
~~~~~~~~~~~~

- None.

Removed Features
~~~~~~~~~~~~~~~~

- None.

Feature Changes
~~~~~~~~~~~~~~~

- None.

- Add a new configuration option ``reuseport`` to disable
  load balancing on sockets in scenarios in which processing of
  Response Policy Zones (RPZ), Catalog Zones, or large zone transfers
  can cause service disruptions. See the BIND 9 ARM for more detail.
  :gl:`#3249`

Bug Fixes
~~~~~~~~~

- Invalid dnssec-policy definitions were being accepted where the
  defined keys did not cover both KSK and ZSK roles for a given
  algorithm.  This is now checked for and the dnssec-policy is
  rejected if both roles are not present for all algorithms in use.
  :gl:`#3142`

- Handling of the TCP write timeouts has been improved to track timeout
  for each TCP write separately leading to faster connection tear down
  in case the other party is not reading the data. :gl:`#3200`

- Zone maintenance DNS queries would retry forever while the
  destination server was unreachable. These queries include outgoing
  NOTIFY messages, refresh SOA queries, parental DS checks, and stub
  zone NS queries. For example, if a zone has any nameservers with
  IPv6 addresses and a secondary server without IPv6 connectivity, the
  IPv4-only server would keep trying to send a growing amount of
  NOTIFY traffic over IPv6. This futile traffic was not logged.
  :gl:`#3242`
Set up release notes for BIND 9.18.2 2022-03-16 23:18:18 +01:00			`.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`..`
			`.. SPDX-License-Identifier: MPL-2.0`
			`..`
			`.. This Source Code Form is subject to the terms of the Mozilla Public`
			`.. License, v. 2.0. If a copy of the MPL was not distributed with this`
			`.. file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`..`
			`.. See the COPYRIGHT file distributed with this work for additional`
			`.. information regarding copyright ownership.`

			`Notes for BIND 9.18.2`
			`---------------------`

			`Security Fixes`
			`~~~~~~~~~~~~~~`

			`- None.`

			`Known Issues`
			`~~~~~~~~~~~~`

			`- None.`

			`New Features`
			`~~~~~~~~~~~~`

			`- None.`

			`Removed Features`
			`~~~~~~~~~~~~~~~~`

			`- None.`

			`Feature Changes`
			`~~~~~~~~~~~~~~~`

			`- None.`

Rename the configuration option to load balance sockets to reuseport After some back and forth, it was decidede to match the configuration option with unbound ("so-reuseport"), PowerDNS ("reuseport") and/or nginx ("reuseport"). (cherry picked from commit 7e71c4d0cc9b7961c56e9ec3cbdcde6c6e37c497) 2022-04-06 17:00:24 +02:00			- Add a new configuration option ``reuseport`` to disable
Add CHANGES and release note for [GL #3249] (cherry picked from commit 855f49cfbad3404d695d501ed806df7d3565161f) 2022-04-01 14:51:42 +02:00			`load balancing on sockets in scenarios in which processing of`
			`Response Policy Zones (RPZ), Catalog Zones, or large zone transfers`
			`can cause service disruptions. See the BIND 9 ARM for more detail.`
			:gl:`#3249`

Set up release notes for BIND 9.18.2 2022-03-16 23:18:18 +01:00			`Bug Fixes`
			`~~~~~~~~~`

			`- Invalid dnssec-policy definitions were being accepted where the`
			`defined keys did not cover both KSK and ZSK roles for a given`
			`algorithm. This is now checked for and the dnssec-policy is`
			`rejected if both roles are not present for all algorithms in use.`
			:gl:`#3142`

			`- Handling of the TCP write timeouts has been improved to track timeout`
			`for each TCP write separately leading to faster connection tear down`
			in case the other party is not reading the data. :gl:`#3200`
Ensure that dns_request_createvia() has a retry limit There are a couple of problems with dns_request_createvia(): a UDP retry count of zero means unlimited retries (it should mean no retries), and the overall request timeout is not enforced. The combination of these bugs means that requests can be retried forever. This change alters calls to dns_request_createvia() to avoid the infinite retry bug by providing an explicit retry count. Previously, the calls specified infinite retries and relied on the limit implied by the overall request timeout and the UDP timeout (which did not work because the overall timeout is not enforced). The `udpretries` argument is also changed to be the number of retries; previously, zero was interpreted as infinity because of an underflow to UINT_MAX, which appeared to be a mistake. And `mdig` is updated to match the change in retry accounting. The bug could be triggered by zone maintenance queries, including NOTIFY messages, DS parental checks, refresh SOA queries and stub zone nameserver lookups. It could also occur with `nsupdate -r 0`. (But `mdig` had its own code to avoid the bug.) (cherry picked from commit 71ce8b0a51bc028ed46541d274965e7e4b5fc832) 2022-04-01 13:46:39 +01:00
			`- Zone maintenance DNS queries would retry forever while the`
			`destination server was unreachable. These queries include outgoing`
			`NOTIFY messages, refresh SOA queries, parental DS checks, and stub`
			`zone NS queries. For example, if a zone has any nameservers with`
			`IPv6 addresses and a secondary server without IPv6 connectivity, the`
			`IPv4-only server would keep trying to send a growing amount of`
			`NOTIFY traffic over IPv6. This futile traffic was not logged.`
			:gl:`#3242`