From 3f7ddefdd1d784a095290cbf8906eb19fa819901 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 1/8] Remove any mention of "make depend" from README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 3921107923..2af04d5502 100644 --- a/README.md +++ b/README.md @@ -162,8 +162,7 @@ To build on a Unix or Linux system, use: $ ./configure $ make -If you're planning on making changes to the BIND 9 source, you should run -`make depend`. If you're using Emacs, you might find `make tags` helpful. +If you're using Emacs, you might find `make tags` helpful. Several environment variables, which can be set before running `configure`, affect compilation. Significant ones are: From 429cac9d1a26d98f1d4808f81224e2b3c91cd064 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 2/8] Tweak and reword recent CHANGES entries --- CHANGES | 60 +++++++++++++++++++++++++++------------------------------ 1 file changed, 28 insertions(+), 32 deletions(-) diff --git a/CHANGES b/CHANGES index dbb7f5bcb4..d21e20801b 100644 --- a/CHANGES +++ b/CHANGES 
@@ -20,51 +20,48 @@ 5534. [bug] The synthesised CNAME from a DNAME was incorrectly followed when the QTYPE was CNAME or ANY. [GL #2280] -5533. [func] Add "stale-refresh-time" option, a time window that - starts after a failed lookup, during which stale rrset - will be served directly from cache before a new - attempt to refresh it is made. [GL #2066] +5533. [func] Add the "stale-refresh-time" option, a time window that + starts after a failed lookup, during which a stale RRset + is served directly from cache before a new attempt to + refresh it is made. [GL #2066] 5532. [cleanup] Unused header files were removed: bin/rndc/include/rndc/os.h, lib/isc/timer_p.h, lib/isccfg/include/isccfg/dnsconf.h and code related to those files. [GL #1913] -5531. [func] Add a netmgr TLS layer, enabling server-side DoT - support (not yet available), and client-side DoT - support in dig with "dig +tls". [GL #1840] +5531. [func] Add support for DNS over TLS (DoT) to dig and named. + [GL #1840] -5530. [bug] DNSTAP did not capture responses to forwarded - UPDATE requests. [GL #2252] +5530. [bug] dnstap did not capture responses to forwarded UPDATE + requests. [GL #2252] -5529. [func] The network manager API is now used by named - to send zone transfer requests. [GL #2016] +5529. [func] The network manager API is now used by named to send + zone transfer requests. [GL #2016] -5528. [func] Convert "dig", "host" and "nslookup" to use the - network manager. As a side effect of this change, - "dig +unexpected" no longer works, and has been - disabled. [GL #2140] +5528. [func] Convert dig, host, and nslookup to use the network + manager API. As a side effect of this change, "dig + +unexpected" no longer works, and has been disabled. + [GL #2140] -5527. [bug] There was a NULL pointer dereference if the creation - of the fetch to determine if a negative trust anchor - was still valid failed. [GL #2244] +5527. [bug] A NULL pointer dereference occurred when creating an NTA + recheck query failed. 
[GL #2244] 5526. [bug] Fix a race/NULL dereference in TCPDNS read. [GL #2227] 5525. [placeholder] -5524. [func] Added functionality to the network manager to - support outgoing DNS queries in addition to - incoming ones. [GL #2235] +5524. [func] Added functionality to the network manager to support + outgoing DNS queries in addition to incoming ones. + [GL #2235] -5523. [bug] The initial lookup of a zone transitioning to/from - the signed state could fail if the DNSKEY RRset was - not found. Subsequent lookups would succeed. - [GL #2236] +5523. [bug] The initial lookup in a zone transitioning to/from a + signed state could fail if the DNSKEY RRset was not + found. [GL #2236] -5522. [bug] Fix a race/NULL dereference in TCPDNS send. [GL #2227] +5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227] -5521. [func] All use of libltdl was dropped. libuv's shared library +5521. [func] All use of libltdl was dropped. libuv's shared library handling interface is now used instead. [GL !4278] 5520. [bug] Fixed a number of shutdown races, reference counting @@ -75,12 +72,11 @@ lib/dns/portlist.c, lib/isc/bufferlist.c, and code related to those files. [GL #2060] -5518. [bug] Fix stub zone not transferring nameserver addresses - from masters configured with 'minimal-responses yes'. - [GL #1736] +5518. [bug] Stub zones now work correctly with primary servers using + "minimal-responses yes". [GL #1736] -5517. [bug] Handle 'UV_EOF' differently and don't contribute it to - the RECVFAIL statistic count. [GL #2208] +5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr. + [GL #2208] --- 9.17.6 released --- From 59221c4b3b784dbf6f02607cf4ae04636b8a4ed6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 3/8] Tweak and reword release notes --- doc/notes/notes-current.rst | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) 
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 0823a0c490..aa7b60e08f 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,9 +24,10 @@ Known Issues New Features ~~~~~~~~~~~~ -- A new configuration option ``stale-refresh-time`` has been introduced, it - allows stale RRset to be served directly from cache for a period of time - after a failed lookup, before a new attempt to refresh it is made. [GL #2066] +- A new configuration option, ``stale-refresh-time``, has been + introduced. It allows a stale RRset to be served directly from cache + for a period of time after a failed lookup, before a new attempt to + refresh it is made. [GL #2066] - ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``). This is useful when the host on which ``dig`` is run is behind an 
@@ -47,18 +48,18 @@ Feature Changes - The ``dig``, ``host``, and ``nslookup`` tools have been converted to use the new network manager API rather than the older ISC socket API. - As a side effect of this change, the ``dig +unexpected`` option no longer - works. This could previously be used for diagnosing broken servers or - network configurations by listening for replies from servers other than - the one that was queried. With the new API such answers are filtered - before they ever reach ``dig``. Consequently, the option has been + As a side effect of this change, the ``dig +unexpected`` option no + longer works. This could previously be used to diagnose broken servers + or network configurations by listening for replies from servers other + than the one that was queried. With the new API, such answers are + filtered before they ever reach ``dig``, so the option has been removed. [GL #2140] -- Support for DNS over TLS (DoT) has been added to the network manager API, and - the support for DoT has been added to the ``dig`` tool and support for - listening on TLS port has been added to ``named``. ``named`` could use a - certificate provided by the user or it can generate an ephemeral certificate - on startup of the daemon. +- Support for DNS over TLS (DoT) has been added: the ``dig`` tool is now + able to send DoT queries (``+tls`` option) and ``named`` can handle + DoT queries (``listen-on tls ...`` option). ``named`` can use either a + certificate provided by the user or an ephemeral certificate generated + automatically upon startup. [GL #1840] - Add NSEC3 support for zones that manage their DNSSEC with the `dnssec-policy` configuration. A new option 'nsec3param' can be used to set the desired 
@@ -67,11 +68,11 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- Handle `UV_EOF` differently such that it is not treated as a `TCP4RecvErr` or - `TCP6RecvErr`. [GL #2208] +- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a + ``TCP6RecvErr``. [GL #2208] -- ``named`` could crash with an assertion failure if a TCP connection is closed - while the request is still processing. [GL #2227] +- ``named`` could crash with an assertion failure if a TCP connection + were closed while a request was still being processed. [GL #2227] - The synthesised CNAME from a DNAME was incorrectly followed when the QTYPE was CNAME or ANY. [GL #2280] From a4dea3c70c8649f5eb8ff7b5c8bc58b220e19f08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 4/8] Reorder release notes --- doc/notes/notes-current.rst | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index aa7b60e08f..af86b5112a 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,6 +24,12 @@ Known Issues New Features ~~~~~~~~~~~~ +- Support for DNS over TLS (DoT) has been added: the ``dig`` tool is now + able to send DoT queries (``+tls`` option) and ``named`` can handle + DoT queries (``listen-on tls ...`` option). ``named`` can use either a + certificate provided by the user or an ephemeral certificate generated + automatically upon startup. [GL #1840] + - A new configuration option, ``stale-refresh-time``, has been introduced. It allows a stale RRset to be served directly from cache for a period of time after a failed lookup, before a new attempt to 
@@ -42,9 +48,6 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The network manager API is now used by ``named`` to send zone transfer - requests. [GL #2016] - - The ``dig``, ``host``, and ``nslookup`` tools have been converted to use the new network manager API rather than the older ISC socket API. @@ -55,11 +58,8 @@ Feature Changes filtered before they ever reach ``dig``, so the option has been removed. [GL #2140] -- Support for DNS over TLS (DoT) has been added: the ``dig`` tool is now - able to send DoT queries (``+tls`` option) and ``named`` can handle - DoT queries (``listen-on tls ...`` option). ``named`` can use either a - certificate provided by the user or an ephemeral certificate generated - automatically upon startup. [GL #1840] +- The network manager API is now used by ``named`` to send zone transfer + requests. [GL #2016] - Add NSEC3 support for zones that manage their DNSSEC with the `dnssec-policy` configuration. A new option 'nsec3param' can be used to set the desired @@ -68,11 +68,11 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a - ``TCP6RecvErr``. [GL #2208] - - ``named`` could crash with an assertion failure if a TCP connection were closed while a request was still being processed. [GL #2227] +- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a + ``TCP6RecvErr``. [GL #2208] + - The synthesised CNAME from a DNAME was incorrectly followed when the QTYPE was CNAME or ANY. [GL #2280] From 572bc05aca9df97bbc7901b7bf61b74101d85446 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 5/8] Add release note for GL #1736 --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index af86b5112a..2c0a3243fb 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -71,6 +71,10 @@ Bug Fixes - ``named`` could crash with an assertion failure if a TCP connection were closed while a request was still being processed. [GL #2227] +- A problem obtaining glue records could prevent a stub zone from + functioning properly, if the authoritative server for the zone were + configured for minimal responses. [GL #1736] + - ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a ``TCP6RecvErr``. [GL #2208] From 563f8a78e9e9aa9cebb428869245203de7101267 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 6/8] Add release note for GL #2236 --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 2c0a3243fb..f1a5a29e4c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -71,6 +71,10 @@ Bug Fixes - ``named`` could crash with an assertion failure if a TCP connection were closed while a request was still being processed. [GL #2227] +- ``named`` acting as a resolver could incorrectly treat signed zones + with no DS record at the parent as bogus. Such zones should be treated + as insecure. This has been fixed. [GL #2236] + - A problem obtaining glue records could prevent a stub zone from functioning properly, if the authoritative server for the zone were configured for minimal responses. [GL #1736] From 42cf594b37635d1df46484a1eb4c4ad9f5ee9379 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 7/8] Add release note for GL #2244 --- doc/notes/notes-current.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index f1a5a29e4c..eeb1e00153 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -75,6 +75,11 @@ Bug Fixes with no DS record at the parent as bogus. Such zones should be treated as insecure. This has been fixed. [GL #2236] +- After a Negative Trust Anchor (NTA) is added, BIND performs periodic + checks to see if it is still necessary. If BIND encountered a failure + while creating a query to perform such a check, it attempted to + dereference a ``NULL`` pointer, resulting in a crash. [GL #2244] + - A problem obtaining glue records could prevent a stub zone from functioning properly, if the authoritative server for the zone were configured for minimal responses. [GL #1736] From 3a447d02b44cd0654af823913a1aa35f61285d14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 16 Nov 2020 11:00:50 +0100 Subject: [PATCH 8/8] Prepare release notes for BIND 9.17.7 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.17.7.rst} | 29 +------------------ util/copyrights | 2 +- 3 files changed, 3 insertions(+), 30 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.7.rst} (78%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index f524e02367..7aca931513 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.7.rst .. include:: ../notes/notes-9.17.6.rst .. include:: ../notes/notes-9.17.5.rst .. include:: ../notes/notes-9.17.4.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.7.rst similarity index 78% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.7.rst index eeb1e00153..ce7d5343f7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.7.rst 
@@ -8,19 +8,9 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.6 +Notes for BIND 9.17.7 --------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ @@ -35,16 +25,6 @@ New Features for a period of time after a failed lookup, before a new attempt to refresh it is made. [GL #2066] -- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``). - This is useful when the host on which ``dig`` is run is behind an - IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a - Service). [GL #1154] - -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ @@ -61,10 +41,6 @@ Feature Changes - The network manager API is now used by ``named`` to send zone transfer requests. [GL #2016] -- Add NSEC3 support for zones that manage their DNSSEC with the `dnssec-policy` - configuration. A new option 'nsec3param' can be used to set the desired - NSEC3 parameters, and will detect collisions when resalting. [GL #1620]. - Bug Fixes ~~~~~~~~~ @@ -86,6 +62,3 @@ Bug Fixes - ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a ``TCP6RecvErr``. [GL #2208] - -- The synthesised CNAME from a DNAME was incorrectly followed when the QTYPE - was CNAME or ANY. [GL #2280] diff --git a/util/copyrights b/util/copyrights index 065652da30..cd705090e2 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1252,7 +1252,7 @@ ./doc/notes/notes-9.17.4.rst RST 2020 ./doc/notes/notes-9.17.5.rst RST 2020 ./doc/notes/notes-9.17.6.rst RST 2020 -./doc/notes/notes-current.rst RST 2020 +./doc/notes/notes-9.17.7.rst RST 2020 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020
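Review bot: In PATCH 2/8, first CHANGES hunk, the reworded entry 5523 drops "Subsequent lookups would succeed", so the changelog no longer says that only the initial lookup was affected. An operator matching a transient resolution failure to this entry loses that detail; consider keeping the sentence. In the same hunk, 5522 becomes "Fixed a race/NULL dereference in TCPDNS send" while the adjacent 5526 still reads "Fix a race/NULL dereference in TCPDNS read"; use the same tense for both. The new 5531 text also no longer names "dig +tls", which was the only place in CHANGES where the option was spelled out.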
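Review bot: In PATCH 3/8, Feature Changes hunk, the NSEC3 item left as trailing context still uses single backticks for `dnssec-policy`, plain quotes for 'nsec3param', and ends with "[GL #1620]." including a stray period. The following hunk of this patch converts `UV_EOF` and `TCP4RecvErr` to double-backtick literals, so the NSEC3 item should get the same treatment here. Otherwise it renders differently from every other entry in the file.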
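Review bot: In PATCH 6/8, the new release note for GL #2236 describes a validation outcome ("could incorrectly treat signed zones with no DS record at the parent as bogus"), whereas CHANGES entry 5523 for the same issue, as reworded in PATCH 2/8, describes a lookup failure in "a zone transitioning to/from a signed state ... if the DNSKEY RRset was not found". The two texts read as different bugs. Since bogus versus insecure decides whether a resolver returns SERVFAIL or an answer, please align the wording, or state in one of them how the two descriptions relate.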
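Review bot: In PATCH 7/8, the added NTA entry ends at "resulting in a crash" and never says the problem is resolved, while the GL #2236 entry directly above it closes with "This has been fixed." Add the same closing sentence, or phrase the entry in the past tense throughout as the GL #2227 entry does. The entry also says "BIND" where the neighbouring items name ``named``; naming the affected daemon tells operators which process was crashing.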
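Review bot: In PATCH 8/8, the last hunk of notes-9.17.7.rst removes the DNAME/CNAME item "[GL #2280]", yet in CHANGES (PATCH 2/8 context) entry 5534 for GL #2280 sits above the "--- 9.17.6 released ---" marker, which places it in this release. Please confirm the removal is intended; if the fix ships in 9.17.7, the note should stay. The first hunk also deletes the "Security Fixes", "Known Issues" and "Removed Features" sections that previously read "None.". With the headings gone, a reader cannot tell "no security fixes in this release" apart from "section omitted", so consider keeping the explicit "None." under Security Fixes.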