From 353ebedb946b3a288c8f2ac6a726e50cd827d8d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 7 Mar 2024 18:07:04 +0100 Subject: [PATCH 1/5] Prepare release notes for BIND 9.19.22 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.19.22.rst} | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) rename doc/notes/{notes-current.rst => notes-9.19.22.rst} (99%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 080f268e51..4676e8bb73 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,7 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.22.rst .. include:: ../notes/notes-9.19.21.rst .. include:: ../notes/notes-9.19.20.rst .. include:: ../notes/notes-9.19.19.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.19.22.rst similarity index 99% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.19.22.rst index db94ea44fa..947662a4d6 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.19.22.rst @@ -12,11 +12,6 @@ Notes for BIND 9.19.22 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ From cd117a932ff458324ddc6e875492d8c485a96440 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 7 Mar 2024 18:16:05 +0100 Subject: [PATCH 2/5] Add release note for GL #4413 --- doc/notes/notes-9.19.22.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/notes/notes-9.19.22.rst b/doc/notes/notes-9.19.22.rst index 947662a4d6..c362e2a659 100644 --- a/doc/notes/notes-9.19.22.rst +++ b/doc/notes/notes-9.19.22.rst @@ -33,6 +33,8 @@ New Features set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL. :gl`#1129`. +- Add support for RESINFO record type. :gl:`#4413` + Removed Features ~~~~~~~~~~~~~~~~ 
From 1b039fdfc586e253f2a377c1d0a85b58b17a577e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 7 Mar 2024 18:26:52 +0100 Subject: [PATCH 3/5] Reorder release notes --- doc/notes/notes-9.19.22.rst | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/doc/notes/notes-9.19.22.rst b/doc/notes/notes-9.19.22.rst index c362e2a659..0812e0d376 100644 --- a/doc/notes/notes-9.19.22.rst +++ b/doc/notes/notes-9.19.22.rst @@ -15,24 +15,24 @@ Notes for BIND 9.19.22 New Features ~~~~~~~~~~~~ -- The ``tls`` block was extended with a new ``cipher-suites`` option - that allows setting allowed cipher suites for TLSv1.3. Please - consult the documentation for additional details. - :gl:`#3504` - -- The statistics channel now includes counters that indicate the number - of currently connected TCP IPv4/IPv6 clients. :gl:`#4425` - - The statistics channel's incoming zone transfers information now also shows the zones' "first refresh" flag, which indicates that a zone is not fully ready yet, and its first ever refresh is pending or is in-progress. The number of such zones is now also exposed by the ``rndc status`` command. :gl:`#4241` +- The statistics channel now includes counters that indicate the number + of currently connected TCP IPv4/IPv6 clients. :gl:`#4425` + - Add HSM support to :any:`dnssec-policy`. You can now configure keys with a ``key-store`` that allows you to set the directory to store the key files and set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL. :gl`#1129`. +- The ``tls`` block was extended with a new ``cipher-suites`` option + that allows setting allowed cipher suites for TLSv1.3. Please + consult the documentation for additional details. + :gl:`#3504` + - Add support for RESINFO record type. :gl:`#4413` Removed Features 
@@ -70,6 +70,16 @@ Feature Changes Bug Fixes ~~~~~~~~~ +- A regression in cache-cleaning code enabled memory use to grow + significantly more quickly than before, until the configured + :any:`max-cache-size` limit was reached. This has been fixed. + :gl:`#4596` + +- Using :option:`rndc flush` inadvertently caused cache cleaning to + become less effective. This could ultimately lead to the configured + :any:`max-cache-size` limit being exceeded and has now been fixed. + :gl:`#4621` + - Changes to ``listen-on`` statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue @@ -84,16 +94,6 @@ Bug Fixes ISC would like to thank to Jinmei Tatuya from Infoblox for bringing this issue to our attention. -- A regression in cache-cleaning code enabled memory use to grow - significantly more quickly than before, until the configured - :any:`max-cache-size` limit was reached. This has been fixed. - :gl:`#4596` - -- Using :option:`rndc flush` inadvertently caused cache cleaning to - become less effective. This could ultimately lead to the configured - :any:`max-cache-size` limit being exceeded and has now been fixed. - :gl:`#4621` - Known Issues ~~~~~~~~~~~~ From 2fac89f039e9970614be775065bfb31e6c78d43b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 7 Mar 2024 18:28:15 +0100 Subject: [PATCH 4/5] Add release note for GL #4591 --- doc/notes/notes-9.19.22.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-9.19.22.rst b/doc/notes/notes-9.19.22.rst index 0812e0d376..a1cfe42d42 100644 --- a/doc/notes/notes-9.19.22.rst +++ b/doc/notes/notes-9.19.22.rst 
@@ -80,6 +80,11 @@ Bug Fixes :any:`max-cache-size` limit being exceeded and has now been fixed. :gl:`#4621` +- The logic for cleaning up expired cached DNS records was + tweaked to be more aggressive. This change helps with enforcing + :any:`max-cache-ttl` and :any:`max-ncache-ttl` in a timely manner. + :gl:`#4591` + - Changes to ``listen-on`` statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue From 59dd8c7de5d6b332aa8d6f4382f0d624de14f8c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 7 Mar 2024 18:29:23 +0100 Subject: [PATCH 5/5] Tweak and reword release notes --- doc/notes/notes-9.19.22.rst | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/doc/notes/notes-9.19.22.rst b/doc/notes/notes-9.19.22.rst index a1cfe42d42..72c0a84254 100644 --- a/doc/notes/notes-9.19.22.rst +++ b/doc/notes/notes-9.19.22.rst 
@@ -15,31 +15,31 @@ Notes for BIND 9.19.22 New Features ~~~~~~~~~~~~ -- The statistics channel's incoming zone transfers information now also shows +- Information on incoming zone transfers in the statistics channel now also shows the zones' "first refresh" flag, which indicates that a zone is not fully - ready yet, and its first ever refresh is pending or is in-progress. The number + ready and that its first ever refresh is pending or is in progress. The number of such zones is now also exposed by the ``rndc status`` command. :gl:`#4241` - The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients. :gl:`#4425` -- Add HSM support to :any:`dnssec-policy`. You can now configure keys with a - ``key-store`` that allows you to set the directory to store the key files and +- HSM support was added to :any:`dnssec-policy`. Keys can now be configured with a + ``key-store`` that allows users to set the directory where key files are stored and to set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 - provider to be configured for OpenSSL. :gl`#1129`. + provider to be configured for OpenSSL. :gl:`#1129` - The ``tls`` block was extended with a new ``cipher-suites`` option - that allows setting allowed cipher suites for TLSv1.3. Please + that allows permitted cipher suites for TLSv1.3 to be set. Please consult the documentation for additional details. :gl:`#3504` -- Add support for RESINFO record type. :gl:`#4413` +- Support for the RESINFO record type was added. :gl:`#4413` Removed Features ~~~~~~~~~~~~~~~~ - BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` values, - when the feature is turned on. When using a non-zero value, ``named`` now + when the feature is turned on. When using a non-zero value, :iscman:`named` now generates a warning log message, and treats the value as ``0``. :gl:`#4447` Feature Changes 
@@ -65,7 +65,7 @@ Feature Changes The old RBT-based database still exists for now, and can be used by specifying ``database rbt`` in a ``zone`` statement in ``named.conf``, or by compiling with ``configure --with-zonedb=rbt --with-cachedb=rbt``. - :gl:`#4411`. + :gl:`#4411` Bug Fixes ~~~~~~~~~ @@ -91,12 +91,12 @@ Bug Fixes has been fixed. ISC would like to thank Thomas Amgarten for bringing this issue to - our attention. :gl:`#4518`, :gl:`#4528` + our attention. :gl:`#4518` :gl:`#4528` -- A use-after-free assertion might get triggered when the overmem cache - cleaning triggers. :gl:`#4595` +- It was possible to trigger a use-after-free assertion when the overmem cache + cleaning was initiated. This has been fixed. :gl:`#4595` - ISC would like to thank to Jinmei Tatuya from Infoblox for bringing + ISC would like to thank Jinmei Tatuya of Infoblox for bringing this issue to our attention. Known Issues
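Review bot: In patch 1/5, the `@@ -12,11 +12,6 @@` hunk of doc/notes/notes-9.19.22.rst deletes the whole "Security Fixes" section (heading plus "- None."), but the commit subject only says "Prepare release notes" and the 99% rename similarity makes the deletion easy to miss. Please mention the removal in the commit message body, so that a reader looking for a Security Fixes heading in the 9.19.22 notes can tell its absence is deliberate.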
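Review bot: In patch 3/5, the `@@ -15,24 +15,24 @@` hunk moves the HSM entry with its malformed role intact (":gl`#1129`." has no colon after "gl" and a stray trailing period), and the Bug Fixes hunk leaves "thank to Jinmei Tatuya" as unchanged context. Both are corrected only in patch 5/5, so the tree at 3/5 and 4/5 still renders a broken issue link. Consider fixing the role in this commit, since it already rewrites that line, or squashing 3/5 into 5/5.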
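Review bot: In patch 4/5, the added :gl:`#4591` entry says the cleanup logic "was tweaked to be more aggressive", which describes a behaviour change rather than a defect, yet the hunk places it under "Bug Fixes". Either move it to "Feature Changes" or state the bug it corrects. The wording would also be clearer if it led with the observable effect the second sentence already gives, that expired records are removed sooner so :any:`max-cache-ttl` and :any:`max-ncache-ttl` are enforced in a timely manner.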
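Review bot: In patch 5/5, the "Removed Features" entry in the `@@ -15,31 +15,31 @@` hunk is touched only to swap in :iscman:`named`, and the sentence is still awkward: the comma in "values, when the feature is turned on" splits the condition from its clause, and "When using a non-zero value, :iscman:`named` now generates" has a dangling modifier (it is the operator, not named, who uses the value). Suggest "When a non-zero value is configured, :iscman:`named` now logs a warning and treats the value as ``0``." In the same hunk, the ``cipher-suites`` entry still ends with "Please consult the documentation for additional details", which gives the reader nowhere specific to go; a cross-reference to the option would be more useful if a target for it exists.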
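Review bot: In patch 5/5, the reworded :gl:`#4595` entry in the `@@ -91,12 +91,12 @@` hunk keeps the phrase "use-after-free assertion", which can be read either as an assertion failure that catches the condition or as a use-after-free itself, and it does not say what an operator would observe when it triggers. With the "Security Fixes" section removed in patch 1/5, readers have only this sentence to judge the issue by. Please state the operator-visible outcome in the entry and confirm that listing it as an ordinary bug fix is intended.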