From 3bb5bbac6d04998a1c9aea3c2a5c680870d2b6d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 13:05:19 +0100 Subject: [PATCH 1/5] Generate changelog for BIND 9.18.32 --- doc/arm/changelog.rst | 2 + doc/changelog/changelog-9.18.32-S1.rst | 11 ++ doc/changelog/changelog-9.18.32.rst | 202 +++++++++++++++++++++++++ 3 files changed, 215 insertions(+) create mode 100644 doc/changelog/changelog-9.18.32-S1.rst create mode 100644 doc/changelog/changelog-9.18.32.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 7ad7b321e4..c1b80be38e 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,8 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.32-S1.rst +.. include:: ../changelog/changelog-9.18.32.rst .. include:: ../changelog/changelog-9.18.31-S1.rst .. include:: ../changelog/changelog-9.18.31.rst .. include:: ../changelog/changelog-9.18.30-S1.rst diff --git a/doc/changelog/changelog-9.18.32-S1.rst b/doc/changelog/changelog-9.18.32-S1.rst new file mode 100644 index 0000000000..ba871808a1 --- /dev/null +++ b/doc/changelog/changelog-9.18.32-S1.rst @@ -0,0 +1,11 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + diff --git a/doc/changelog/changelog-9.18.32.rst b/doc/changelog/changelog-9.18.32.rst new file mode 100644 index 0000000000..4ae38ada62 --- /dev/null +++ b/doc/changelog/changelog-9.18.32.rst 
@@ -0,0 +1,202 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.32 +------------ + +New Features +~~~~~~~~~~~~ + +- Update bind.keys with the new 2025 IANA root key. ``1303fe5ea0`` + + Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, + which is scheduled for publication in January 2025. :gl:`#4896` + :gl:`!9747` + +- Support jinja2 templates in pytest runner. ``fa2ff6b690`` + + Configuration files in system tests which require some variables (e.g. + port numbers) filled in during test setup, can now use jinja2 + templates when `jinja2` python package is available. + + Any `*.j2` file found within the system test directory will be + automatically rendered with the environment variables into a file + without the `.j2` extension by the pytest runner. E.g. + `ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To + avoid automatic rendering, use `.j2.manual` extension and render the + files manually at test time. + + New `templates` pytest fixture has been added. Its `render()` function + can be used to render a template with custom test variables. This can + be useful to fill in different config options during the test. With + advanced jinja2 template syntax, it can also be used to include/omit + entire sections of the config file rather than using `named1.conf.in`, + `named2.conf.in` etc. :gl:`#4938` :gl:`!9700` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Move contributed DLZ modules into a separate repository. 
+ ``8bc6a92111`` + + The DLZ modules are poorly maintained as we only ensure they can still + be compiled, the DLZ interface is blocking, so anything that blocks + the query to the database blocks the whole server and they should not + be used except in testing. The DLZ interface itself is going to be + scheduled for removal. + + The DLZ modules now live in + https://gitlab.isc.org/isc-projects/dlz-modules repository. + :gl:`#4865` :gl:`!9778` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use lists of expected artifacts in system tests. ``d9a140d5e8`` + + ``clean.sh`` scripts have been replaced by lists of expected artifacts + for each system test module. The list is defined using the custom + ``pytest.mark.extra_artifacts`` mark, which can use both filenames and + globs. :gl:`#4261` :gl:`!9735` + +- Add two new clang-format options that help with code formatting. + ``aa10ae45fd`` + + * Add new clang-format option to remove redundant semicolons * Add new + clang-format option to remove redundant parentheses :gl:`!9751` + +- Emit more helpful log for exceeding max-records-per-type. + ``99328b7369`` + + The new log message is emitted when adding or updating an RRset fails + due to exceeding the max-records-per-type limit. The log includes the + owner name and type, corresponding zone name, and the limit value. It + will be emitted on loading a zone file, inbound zone transfer (both + AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's + especially helpful in the case of zone transfer, since the secondary + side doesn't have direct access to the offending zone data. + + It could also be used for max-types-per-name, but this change doesn't + implement it yet as it's much less likely to happen in practice. + :gl:`!9772` + +- Harden key management when key files have become unavailabe. + ``f60f153b8a`` + + Prior to doing key management, BIND 9 will check if the key files on + disk match the expected keys. 
If key files for previously observed + keys have become unavailable, this will prevent the internal key + manager from running. :gl:`!9623` + +- Revert "Fix NSEC3 closest encloser lookup for names with empty + non-terminals" ``56d1ccbdba`` + + The fix for #4950 should have never been backported to 9.18. Revert + the change. + + This reverts MR !9632 + + History: A performance improvement for NSEC3 closest encloser lookups + (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438) + and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and + 9.21.1). + + There was a bug in the code (#4950), so we reverted the change in + !9611, !9613 and !9614 (not released). + + Then a new attempt was merged in main (MR !9610) and backported to + 9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been + backported. + + Furthermore, the initial MR used the wrong MR title so the change was + never added to the release note. This is done in main with MR !9598 + and backports to 9.20 (MR !9615) and 9.18 (MR !9616). + + The new release notes for 9.21 and 9.20 should probably say that the + bug is fixed. The new release notes for 9.18 should probably say that + the change is reverted. :gl:`!9689` + +Bug Fixes +~~~~~~~~~ + +- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. ``4b0114ffce`` + + `dig` fails to parse a valid (as far as I can tell, and accepted by + `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template + containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If + the URI template contains a `{?dns}` instead `dig` is happy, but my + understanding of rfc9461 and section 1.2. "Levels and Expression + Types" of rfc6570 is that `{&dns}` is valid. See for example section + 1.2. "Levels and Expression Types" of rfc6570. 
+ + Note that Peter van Dijk suggested that `{dns}` and + `{dns,someothervar}` might be valid forms as well, so my patch might + be too restrictive, although it's anyone's guess how DoH clients would + handle complex templates. :gl:`#4922` :gl:`!9770` + +- Fix NSEC3 closest encloser lookup for names with empty non-terminals. + ``9d59c72798`` + + The performance improvement for finding the NSEC3 closest encloser + when generating authoritative responses could cause servers to return + incorrect NSEC3 records in some cases. This has been fixed. + :gl:`#4950` :gl:`!9632` + +- Revert "Improve performance when looking for the closest encloser" + ``257fd7eca0`` + + Revert "fix: chg: Improve performance when looking for the closest + encloser when returning NSEC3 proofs" + + This reverts merge request !9436 :gl:`#4950` :gl:`!9614` + +- Restore values when dig prints command line. ``002141af2e`` + + Options of the form `[+-]option=` failed to display the value + on the printed command line. This has been fixed. :gl:`#4993` + :gl:`!9667` + +- Provide more visibility into configuration errors. ``f63a0ebdfe`` + + by logging SSL_CTX_use_certificate_chain_file and + SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` + :gl:`!9768` + +- Fix error path bugs in the manager's "recursing-clients" list + management. ``eda40c3685`` + + In two places, after linking the client to the manager's + "recursing-clients" list using the check_recursionquota() function, + the query.c module fails to unlink it on error paths. Fix the bugs by + unlinking the client from the list. :gl:`!9605` + +- Remove unused headers from OpenSSL shims. + ``7bb817d1b6`` + + The headers were unused and including the + header might cause build failure when OpenSSL + doesn't have Engines support enabled. + + See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine + :gl:`!9645` + +- Use attach()/detach() functions instead of touching .references. 
+ ``9712d00cb0`` + + In rbtdb.c, there were two places where the code touched .references + directly instead of using the helper functions. Use the helper + functions instead. + + Forward port from + https://gitlab.isc.org/isc-private/bind9/-/merge_requests/753 + :gl:`!9796` + + From cec1978a7ab59afb9c58926ae8423e4030fdb7f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 13:07:52 +0100 Subject: [PATCH 2/5] Fix Sphinx build failures on generated changelog for BIND 9.18.32 --- doc/changelog/changelog-9.18.32.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/changelog/changelog-9.18.32.rst b/doc/changelog/changelog-9.18.32.rst index 4ae38ada62..aeadccb28e 100644 --- a/doc/changelog/changelog-9.18.32.rst +++ b/doc/changelog/changelog-9.18.32.rst @@ -70,8 +70,10 @@ Feature Changes - Add two new clang-format options that help with code formatting. ``aa10ae45fd`` - * Add new clang-format option to remove redundant semicolons * Add new - clang-format option to remove redundant parentheses :gl:`!9751` + * Add new clang-format option to remove redundant semicolons + * Add new clang-format option to remove redundant parentheses + + :gl:`!9751` - Emit more helpful log for exceeding max-records-per-type. ``99328b7369`` From aacf8feae27edd5a781935a8c2c352845291a3f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 13:10:52 +0100 Subject: [PATCH 3/5] Prepare release notes for BIND 9.18.32 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.18.32.rst | 124 ++++++++++++++++++++++++++++++++++++ 2 files changed, 125 insertions(+) create mode 100644 doc/notes/notes-9.18.32.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 84cf62587d..7bd05cb401 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.18 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18 +.. include:: ../notes/notes-9.18.32.rst .. include:: ../notes/notes-9.18.31.rst .. include:: ../notes/notes-9.18.30.rst .. include:: ../notes/notes-9.18.29.rst diff --git a/doc/notes/notes-9.18.32.rst b/doc/notes/notes-9.18.32.rst new file mode 100644 index 0000000000..bd84046c8d --- /dev/null +++ b/doc/notes/notes-9.18.32.rst 
@@ -0,0 +1,124 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.32 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Update bind.keys with the new 2025 IANA root key. + + Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, + which is scheduled for publication in January 2025. :gl:`#4896` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Move contributed DLZ modules into a separate repository. + + The DLZ modules are poorly maintained as we only ensure they can still + be compiled, the DLZ interface is blocking, so anything that blocks + the query to the database blocks the whole server and they should not + be used except in testing. The DLZ interface itself is going to be + scheduled for removal. + + The DLZ modules now live in + https://gitlab.isc.org/isc-projects/dlz-modules repository. + :gl:`#4865` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Emit more helpful log for exceeding max-records-per-type. + + The new log message is emitted when adding or updating an RRset fails + due to exceeding the max-records-per-type limit. The log includes the + owner name and type, corresponding zone name, and the limit value. It + will be emitted on loading a zone file, inbound zone transfer (both + AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's + especially helpful in the case of zone transfer, since the secondary + side doesn't have direct access to the offending zone data. + + It could also be used for max-types-per-name, but this change doesn't + implement it yet as it's much less likely to happen in practice. 
+ +- Harden key management when key files have become unavailabe. + + Prior to doing key management, BIND 9 will check if the key files on + disk match the expected keys. If key files for previously observed + keys have become unavailable, this will prevent the internal key + manager from running. + +- Revert "Fix NSEC3 closest encloser lookup for names with empty + non-terminals" + + The fix for #4950 should have never been backported to 9.18. Revert + the change. + + This reverts MR !9632 + + History: A performance improvement for NSEC3 closest encloser lookups + (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438) + and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and + 9.21.1). + + There was a bug in the code (#4950), so we reverted the change in + !9611, !9613 and !9614 (not released). + + Then a new attempt was merged in main (MR !9610) and backported to + 9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been + backported. + + Furthermore, the initial MR used the wrong MR title so the change was + never added to the release note. This is done in main with MR !9598 + and backports to 9.20 (MR !9615) and 9.18 (MR !9616). + + The new release notes for 9.21 and 9.20 should probably say that the + bug is fixed. The new release notes for 9.18 should probably say that + the change is reverted. + +Bug Fixes +~~~~~~~~~ + +- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. + + `dig` fails to parse a valid (as far as I can tell, and accepted by + `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template + containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If + the URI template contains a `{?dns}` instead `dig` is happy, but my + understanding of rfc9461 and section 1.2. "Levels and Expression + Types" of rfc6570 is that `{&dns}` is valid. See for example section + 1.2. "Levels and Expression Types" of rfc6570. 
+ + Note that Peter van Dijk suggested that `{dns}` and + `{dns,someothervar}` might be valid forms as well, so my patch might + be too restrictive, although it's anyone's guess how DoH clients would + handle complex templates. :gl:`#4922` + +- Fix NSEC3 closest encloser lookup for names with empty non-terminals. + + The performance improvement for finding the NSEC3 closest encloser + when generating authoritative responses could cause servers to return + incorrect NSEC3 records in some cases. This has been fixed. + :gl:`#4950` + +- Restore values when dig prints command line. + + Options of the form `[+-]option=` failed to display the value + on the printed command line. This has been fixed. :gl:`#4993` + +- Provide more visibility into configuration errors. + + by logging SSL_CTX_use_certificate_chain_file and + SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` + + From b2820c251db94a958715f254404f73100c4d130a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 13:22:10 +0100 Subject: [PATCH 4/5] Tweak and reword release notes --- doc/notes/notes-9.18.32.rst | 90 ++++++++++--------------------------- 1 file changed, 24 insertions(+), 66 deletions(-) diff --git a/doc/notes/notes-9.18.32.rst b/doc/notes/notes-9.18.32.rst index bd84046c8d..e41802b814 100644 --- a/doc/notes/notes-9.18.32.rst +++ b/doc/notes/notes-9.18.32.rst 
@@ -15,21 +15,21 @@ Notes for BIND 9.18.32 New Features ~~~~~~~~~~~~ -- Update bind.keys with the new 2025 IANA root key. +- Update built-in :file:`bind.keys` file with the new 2025 `IANA root key + `_. - Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, - which is scheduled for publication in January 2025. :gl:`#4896` + Add an `initial-ds` entry to :file:`bind.keys` for the new root key, ID + 38696, which is scheduled for publication in January 2025. :gl:`#4896` Removed Features ~~~~~~~~~~~~~~~~ -- Move contributed DLZ modules into a separate repository. +- Move contributed DLZ modules into a separate repository. DLZ modules should + not be used except in testing. - The DLZ modules are poorly maintained as we only ensure they can still - be compiled, the DLZ interface is blocking, so anything that blocks - the query to the database blocks the whole server and they should not - be used except in testing. The DLZ interface itself is going to be - scheduled for removal. + The DLZ modules were not maintained, the DLZ interface itself is going to be + scheduled for removal, and the DLZ interface is blocking. Any module that + blocks the query to the :namedconf:ref:`database` blocks the whole server. The DLZ modules now live in https://gitlab.isc.org/isc-projects/dlz-modules repository. 
@@ -38,87 +38,45 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- Emit more helpful log for exceeding max-records-per-type. +- Emit more helpful log messages for exceeding :namedconf:ref:`max-records-per-type`. The new log message is emitted when adding or updating an RRset fails - due to exceeding the max-records-per-type limit. The log includes the + due to exceeding the :namedconf:ref:`max-records-per-type` limit. The log includes the owner name and type, corresponding zone name, and the limit value. It will be emitted on loading a zone file, inbound zone transfer (both AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's especially helpful in the case of zone transfer, since the secondary side doesn't have direct access to the offending zone data. - It could also be used for max-types-per-name, but this change doesn't + It could also be used for :namedconf:ref:`max-types-per-name`, but this change doesn't implement it yet as it's much less likely to happen in practice. -- Harden key management when key files have become unavailabe. +- Harden key management when key files have become unavailable. Prior to doing key management, BIND 9 will check if the key files on disk match the expected keys. If key files for previously observed keys have become unavailable, this will prevent the internal key manager from running. -- Revert "Fix NSEC3 closest encloser lookup for names with empty - non-terminals" - - The fix for #4950 should have never been backported to 9.18. Revert - the change. - - This reverts MR !9632 - - History: A performance improvement for NSEC3 closest encloser lookups - (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438) - and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and - 9.21.1). - - There was a bug in the code (#4950), so we reverted the change in - !9611, !9613 and !9614 (not released). 
- - Then a new attempt was merged in main (MR !9610) and backported to - 9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been - backported. - - Furthermore, the initial MR used the wrong MR title so the change was - never added to the release note. This is done in main with MR !9598 - and backports to 9.20 (MR !9615) and 9.18 (MR !9616). - - The new release notes for 9.21 and 9.20 should probably say that the - bug is fixed. The new release notes for 9.18 should probably say that - the change is reverted. - Bug Fixes ~~~~~~~~~ -- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. +- `{&dns}` is as valid as `{?dns}` in a SVCB's dohpath. - `dig` fails to parse a valid (as far as I can tell, and accepted by - `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template - containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If - the URI template contains a `{?dns}` instead `dig` is happy, but my - understanding of rfc9461 and section 1.2. "Levels and Expression - Types" of rfc6570 is that `{&dns}` is valid. See for example section - 1.2. "Levels and Expression Types" of rfc6570. - - Note that Peter van Dijk suggested that `{dns}` and - `{dns,someothervar}` might be valid forms as well, so my patch might - be too restrictive, although it's anyone's guess how DoH clients would - handle complex templates. :gl:`#4922` + :iscman:`dig` failed to parse a valid `SVCB` record with a `dohpath` URI + template containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. + :gl:`#4922` - Fix NSEC3 closest encloser lookup for names with empty non-terminals. - The performance improvement for finding the NSEC3 closest encloser + A previous performance optimization for finding the NSEC3 closest encloser when generating authoritative responses could cause servers to return - incorrect NSEC3 records in some cases. This has been fixed. + incorrect NSEC3 records in some cases. This faulty optimization has been removed. 
:gl:`#4950` -- Restore values when dig prints command line. - - Options of the form `[+-]option=` failed to display the value - on the printed command line. This has been fixed. :gl:`#4993` - -- Provide more visibility into configuration errors. - - by logging SSL_CTX_use_certificate_chain_file and - SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` - +- :iscman:`dig` options of the form `[+-]option=` failed to display the + value on the printed command line. This has been fixed. :gl:`#4993` +- Provide more visibility into TLS configuration errors by logging + `SSL_CTX_use_certificate_chain_file()` and `SSL_CTX_use_PrivateKey_file()` + errors individually. :gl:`#5008` From d1f139270ce2d764d90ad0b8724cf0265792136c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 13:58:29 +0100 Subject: [PATCH 5/5] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 14a57a2580..a103daabe5 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 18)dnl m4_define([bind_VERSION_PATCH], 32)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl
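Review bot: patch 1 adds doc/changelog/changelog-9.18.32-S1.rst as a license header only, with no "BIND 9.18.32-S1" heading and no entries, while the doc/arm/changelog.rst hunk includes it ahead of changelog-9.18.32.rst. Every other changelog file in this series opens with a version heading, so either give the S1 file its heading (plus a line saying there are no subscription-only changes this release, if that is the case) or leave the include out until the file has content; as it stands the include renders nothing and a reader of the ARM cannot tell whether S1 changes were omitted or never existed.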
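Review bot: the "Harden key management when key files have become unavailabe." entry in the changelog-9.18.32.rst hunk of patch 1 has a typo (unavailabe) that patch 4 fixes only in the release notes, and, more importantly, says that missing key files for previously observed keys "will prevent the internal key manager from running" without saying how that condition is reported or how the operator clears it. A key manager that stops quietly means dnssec-policy key rollovers stop with it, so the entry should name the log message an operator will see and the recovery path (presumably restoring the key files). Three smaller points in the same hunk: the `{&dns}` entry has an unbalanced quote in `dohpath=/some/path?key=value{&dns}"` that patch 4 carries into the notes; the OpenSSL shim entry ("including the header might cause build failure") and the dig entry ("Options of the form `[+-]option=` failed") read as if angle-bracketed text was dropped, so check that the header name and the value placeholder are present in the file and wrapped in double backticks so they render; and the !9689 "Revert" entry is a pasted MR narrative ending in "The new release notes for 9.18 should probably say that the change is reverted", which is guidance to the release-note author rather than changelog content and could be cut to its first two sentences plus the !9632 reference.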
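Review bot: the notes-9.18.32.rst added in patch 3 is a verbatim copy of the changelog entries, including the internal !9632/!9689 revert history with its MR numbers and "should probably say" advice, the first-person dohpath description, and the unavailabe typo; patch 4 then rewrites all of that. Since patch 3 on its own leaves a commit whose release notes carry MR-internal text, squashing patches 3 and 4 (or doing the rewording in patch 3) would keep every commit in the series shippable.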
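Review bot: in the first hunk of patch 4, the link `IANA root key `_ shows no target between the link text and the closing backtick, so confirm the `<...>` target is actually present in the file or Sphinx will emit a link to nothing. The entry is also still silent on what operators have to do: whether a validator configured with managed keys picks up KSK 38696 automatically (RFC 5011 style) regardless of which bind.keys it shipped with, and whether anyone maintaining trust anchors by hand must add the DS before the January 2025 publication; that is the one question readers of a release note about a new root trust anchor will have. In the Removed Features part of the same hunk, "blocks the query to the :namedconf:ref:`database`" turns the original "the database" (the backend a DLZ module queries) into a cross-reference to the named.conf `database` statement, which is a different thing; use plain "backend database" instead. "The DLZ modules were not maintained" also overstates the original "poorly maintained as we only ensure they can still be compiled"; "were only kept compiling" preserves the nuance.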
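Review bot: in the second hunk of patch 4 the two rewritten bullets `- :iscman:`dig` options of the form ...` and `- Provide more visibility into TLS configuration errors ...` are added back to back with no blank line between them, unlike every other entry in the file; RST tolerates adjacent bullets, but add the blank line so the file stays consistent. The `{&dns}` bullet keeps the unbalanced quote from the changelog in `dohpath=/some/path?key=value{&dns}"`. The `max-records-per-type` entry keeps "It could also be used for :namedconf:ref:`max-types-per-name`, but this change doesn't implement it yet as it's much less likely to happen in practice.", which is a note to developers; for a release note either drop it or state plainly that no equivalent log message is emitted when `max-types-per-name` is exceeded. Finally, the NSEC3 bullet's title still reads "Fix NSEC3 closest encloser lookup for names with empty non-terminals" while its body now says "This faulty optimization has been removed"; retitle it so title and body agree on whether 9.18.32 fixes the lookup or removes the optimization.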