diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 9aedad8940..352e8e8c6d 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst 
@@ -18,6 +18,256 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +BIND 9.21.1 +----------- + +New Features +~~~~~~~~~~~~ + +- Support for Offline KSK implemented. ``bfa206beecc`` + + Add a new configuration option `offline-ksk` to enable Offline KSK key + management. Signed Key Response (SKR) files created with `dnssec-ksr` + (or other program) can now be imported into `named` with the new `rndc + skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY + records and generating signatures covering these types, these records + are loaded from the currently active bundle from the imported SKR. + + The implementation is loosely based on: + https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- + keymgmt-01.txt :gl:`#1128` :gl:`!9119` + +- Implement the 'request-ixfr-max-diffs' configuration option. + ``99b18bab7e1`` + + The new 'request-ixfr-max-diffs' configuration option sets the maximum + number of incoming incremental zone transfer (IXFR) differences, + exceeding which triggers a full zone transfer (AXFR). :gl:`#4389` + :gl:`!9094` + +- Print the full path of the working directory in startup log messages. + ``cf53eac46e9`` + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + :gl:`!9362` + +- Support restricted key tag range when generating new keys. + ``d40b722d462`` + + It is useful when multiple signers are being used to sign a zone to + able to specify a restricted range of range of key tags that will be + used by an operator to sign the zone. This adds controls to named + (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr + (dnssec-policy) to specify such ranges. :gl:`#4830` :gl:`!9258` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Remove the 'dialup' and 'heartbeat-interval' options. 
``a133a33b650`` + + The `dialup` and `heartbeat-interval` options have been removed, along + with all code implementing them. Using these options is now a fatal + error. :gl:`#4237` :gl:`!8160` + +- Remove outdated perllib integration. ``f73a19bb3e9`` + + The code in conftools/ directory hasn't been touched since 2000. + Nobody knows what it does and nobody even knows how to build it or + test it. Just remove the whole directory. :gl:`!9302` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use deterministic ecdsa for openssl >= 3.2. ``069c6c22654`` + + OpenSSL has added support for deterministic ECDSA (RFC 6979) with + version 3.2. + + Use it by default as it removes arguably its most fragile side of + ECDSA. The derandomization doesn't pose a risk for DNS usecases and is + allowed by FIPS 186-5. :gl:`#299` :gl:`!9128` + +- Exempt prefetches from the fetches-per-zone and fetches-per-server + quotas. ``4cd73e2536c`` + + Fetches generated automatically as a result of 'prefetch' are now + exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. + This should help in maintaining the cache from which query responses + can be given. :gl:`#4219` :gl:`!9095` + +- Restore the ability to select individual unit tests. ``2299aba5c20`` + + This add the command line arguments: `-d` (debug), `-l` (list tests) + and `-t test` (run this test) to the unit tests. :gl:`#4579` + :gl:`!9384` + +- Process also the ISC_R_CANCELED result code in rpz_rewrite() + ``d0d6ad0c52e`` + + Log canceled resolver queries (e.g. when shutting down a hung fetch) + in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized" + result codes. :gl:`#4797` :gl:`!9148` + +- Use single logging context for everything. ``aa408051d6c`` + + Instead of juggling different logging context, use one single logging + context that gets initialized in the libisc constructor and destroyed + in the libisc destructor. :gl:`#4848` :gl:`!9301` + +- Remove code to read and parse /proc/net/if_inet6 on Linux. 
+ ``8071384324b`` + + The getifaddr() works fine for years, so we don't have to keep the + callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9315` + +- Use seteuid()/setegid() instead of setreseuid()/setresgid() + ``558ec133ea1`` + + It looks like that all supported systems now have support for + _POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because + those will not change saved used/group IDs. :gl:`#4862` :gl:`!9363` + +- Follow the number of CPU set by taskset/cpuset. ``9afcdc2b184`` + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). + + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` :gl:`!9398` + +- Double the number of threadpool threads. ``cfdded46676`` + + Introduce this temporary workaround to reduce the impact of long- + running tasks in offload threads which can block the resolution of + queries. :gl:`#4898` + +Bug Fixes +~~~~~~~~~ + +- Delay release of root privileges until after configuring controls. + ``8a09d54d6be`` + + Delay relinquishing root privileges until the control channel has been + configured, for the benefit of systems that require root to use + privileged port numbers. This mostly affects systems without fine- + grained privilege systems (i.e., other than Linux). :gl:`#4793` + :gl:`!9123` + +- Fix the assertion failure in the isc_hashmap iterator. ``c31cd677882`` + + When the round robin hashing reorders the map entries on deletion, we + were adjusting the iterator table size only when the reordering was + happening at the internal table boundary. The iterator table size had + to be reduced by one to prevent seeing the entry that resized on + position [0] twice because it migrated to [iter->size - 1] position. 
+ + However, the same thing could happen when the same entry migrates a + second time from [iter->size - 1] to [iter->size - 2] position (and so + on) because the check that we are manipulating the entry just in the + [0] position was insufficient. Instead of checking the position [pos + == 0], we now check that the [pos % iter->size == 0], thus ignoring + all the entries that might have moved back to the end of the internal + table. :gl:`#4838` :gl:`!9292` + +- Add -Wno-psabi to CFLAGS for x86 (32-bit) builds. ``75021765f8d`` + + GCC 11.1+ emits a note during compilation when there are 64-bit atomic + fields in a structure, because it fixed a compiler bug by changing the + alignment of such fields, which caused ABI change. + + Add -Wno-psabi to CFLAGS for such builds in order to silence the + warning. That shouldn't be a problem since we don't expose our + structures to the outside. :gl:`#4841` :gl:`!9319` + +- Check if logconfig is NULL before using it in isc_log_doit() + ``ebd669a8303`` + + Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(), + because it's possible that isc_log_destroy() was already called, e.g. + when a 'call_rcu' function wants to log a message during shutdown. + :gl:`#4842` :gl:`!9297` + +- Change the NS_PER_SEC (and friends) from enum to static const. + ``2d12e1142ae`` + + New version of clang (19) has introduced a stricter checks when mixing + integer (and float types) with enums. In this case, we used enum {} + as C17 doesn't have constexpr yet. Change the time conversion + constants to be static const unsigned int instead of enum values. + :gl:`#4845` :gl:`!9313` + +- Check the result of dirfd() before calling unlinkat() ``661981be7b0`` + + Instead of directly using the result of dirfd() in the unlinkat() + call, check whether the returned file descriptor is actually valid. 
+ That doesn't really change the logic as the unlinkat() would fail with + invalid descriptor anyway, but this is cleaner and will report the + right error returned directly by dirfd() instead of EBADF from + unlinkat(). :gl:`#4853` :gl:`!9316` + +- Fix rare assertion failure when shutting down incoming transfer. + ``14d2040934e`` + + A very rare assertion failure can be triggered when the incoming + transfer is either forcefully shut down or it is finished during + printing the details about the statistics channel. This has been + fixed. :gl:`#4860` :gl:`!9336` + +- Fix the resesuid() shim implementation for NetBSD. ``5bfed08b253`` + + The shim implementation of setresuid() was wrong - there was a copy + and paste error and it was calling setresgid() instead. This only + affects NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and + setresgid() implementation available from the system library. + :gl:`#4862` :gl:`!9359` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. ``8dbd57116bf`` + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` :gl:`!9381` + +- Stop using malloc_usable_size and malloc_size. ``f99da39934d`` + + The `malloc_usable_size()` can return size larger than originally + allocated and when these sizes disagree the fortifier enabled by + `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution + abruptly. Stop using these convenience functions as they are primary + used for introspection-only. :gl:`#4880` :gl:`!9400` + +- Preserve statement tag order in documentation. ``0b9ce9c05b1`` + + This supports bit-for-bit reproducibility of built documentation. 
+ :gl:`#4886` :gl:`!9399` + +- Fix an assertion failure in validate_dnskey_dsset_done() + ``31245213a09`` + + Under rare circumstances, named could terminate unexpectedly when + validating a DNSKEY resource record if the validation was canceled in + the meantime. This has been fixed. :gl:`#4911` + +- Silence all warnings that stem from the default config. + ``f4e0d0e460b`` + + As we now setup the logging very early, parsing the default config + would always print warnings about experimental (and possibly + deprecated) options in the default config. This would even mess with + commands like `named -V` and it is also wrong to warn users about + using experimental options in the default config, because they can't + do anything about this. Add CFG_PCTX_NODEPRECATED and + CFG_PCTX_NOEXPERIMENTAL options that we can pass to cfg parser and + silence the early warnings caused by using experimental options in the + default config. :gl:`!9304` + + BIND 9.21.0 ----------- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 4e6560f870..f776b382b3 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -39,7 +39,7 @@ https://www.isc.org/download/. There you will find additional information about each release, and source code. .. include:: ../notes/notes-known-issues.rst - +.. include:: ../notes/notes-9.21.1.rst .. include:: ../notes/notes-9.21.0.rst .. _relnotes_license: diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 7b9a020188..409bca325e 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6264,7 +6264,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This indicates the TTL to use when generating DNSKEY resource records. The default is 1 hour (3600 seconds). -:any:`inline-signing` +.. _dnssec-policy-inline-signing: + +inline-signing :tags: dnssec :short: Specifies whether BIND 9 maintains a separate signed version of a zone. 
@@ -6276,7 +6278,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This behavior is enabled by default. -.. keys +.. _dnssec-policy-keys: + +keys :tags: dnssec :short: Specifies the type of keys to be used for DNSSEC signing. @@ -6444,7 +6448,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This is similar to :any:`signatures-validity`, but for DNSKEY records. The default is ``P2W`` (2 weeks). -:any:`max-zone-ttl` +.. _dnssec-policy-max-zone-ttl: + +max-zone-ttl :tags: zone, query :short: Specifies a maximum permissible time-to-live (TTL) value, in seconds. diff --git a/doc/notes/notes-9.21.1.rst b/doc/notes/notes-9.21.1.rst new file mode 100644 index 0000000000..68cc258c8e --- /dev/null +++ b/doc/notes/notes-9.21.1.rst 
@@ -0,0 +1,139 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.1 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Support for Offline KSK implemented. + + Add a new configuration option :any:`offline-ksk` to enable Offline + KSK key management. Signed Key Response (SKR) files created with + :iscman:`dnssec-ksr` (or other programs) can now be imported into + :iscman:`named` with the new :option:`rndc skr -import ` + command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and + generating signatures covering these types, these records are loaded + from the currently active bundle from the imported SKR. + + The implementation is loosely based on + `draft-icann-dnssec-keymgmt-01.txt + `_. + :gl:`#1128` + +- Allow limiting the number of differences in IXFR. + + A new :any:`request-ixfr-max-diffs` configuration option can set the + maximum number of incoming incremental zone transfer (IXFR) + differences. Exceeding it triggers a full zone transfer (AXFR). + :gl:`#4389` + +- Print the full path of the working directory in startup log messages. + + :iscman:`named` now prints its initial working directory during + startup, and the changed working directory when loading or reloading + its configuration file, if it has a valid :any:`directory` option + defined. :gl:`#4731` + +- Support a restricted key tag range when generating new keys. + + When multiple signers are being used to sign a zone, it is useful to + be able to specify a restricted range of key tags to be used by an + operator to sign the zone. 
The range can be specified with + ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys + ` (for :iscman:`named` and :iscman:`dnssec-ksr`) + and with the new options :option:`dnssec-keyfromlabel -M` and + :option:`dnssec-keygen -M`. :gl:`#4830` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Remove the ``dialup`` and ``heartbeat-interval`` options. + + The ``dialup`` and ``heartbeat-interval`` options have been removed, + along with all code implementing them. Using these options is now a + fatal error. :gl:`#4237` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use deterministic ECDSA for OpenSSL >= 3.2. + + OpenSSL has added support for deterministic ECDSA (:rfc:`6979`) with + version 3.2. + + It is used by default, as it removes arguably its most fragile side of + ECDSA. The derandomization does not pose a risk for DNS usecases and is + allowed by FIPS 186-5. :gl:`#299` + +- Exempt prefetches from the :any:`fetches-per-zone` and + :any:`fetches-per-server` quotas. + + Fetches generated automatically as a result of :any:`prefetch` are now + exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server` + quotas. This should help in maintaining the cache from which query + responses can be given. :gl:`#4219` + +- Follow the number of CPUs set by ``taskset``/``cpuset``. + + Administrators may wish to constrain the set of cores that + :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl`` + programs (or equivalents on other OSes). + + If the admin has used ``taskset``, :iscman:`named` now automatically + uses the given number of CPUs rather than the system-wide count. + :gl:`#4884` + +Bug Fixes +~~~~~~~~~ + +- Delay the release of root privileges until after configuring controls. + + Delay relinquishing root privileges until the control channel has been + configured, for the benefit of systems that require root to use + privileged port numbers. This mostly affects systems without fine- + grained privilege systems (i.e., other than Linux). 
:gl:`#4793` + +- Fix a rare assertion failure when shutting down incoming transfer. + + A very rare assertion failure could be triggered when the incoming + transfer was either forcefully shut down, or it finished during the + printing of the details about the statistics channel. This has been + fixed. :gl:`#4860` + +- Fix algorithm rollover bug when there are two keys with the same + keytag. + + If there was an algorithm rollover and two keys of different + algorithms shared the same keytags, there was the possibility that the + check of whether the key matched a specific state could be performed + against the wrong key. This has been fixed by not only checking for + the matching key tag but also the key algorithm. :gl:`#4878` + +- Fix an assertion failure in ``validate_dnskey_dsset_done()``. + + Under rare circumstances, :iscman:`named` could terminate unexpectedly + when validating a DNSKEY resource record if the validation had been + canceled in the meantime. This has been fixed. :gl:`#4911` + +Known Issues +~~~~~~~~~~~~ + +- Long-running tasks in offloaded threads (e.g. loading RPZ zones or + processing zone transfers) may block the resolution of queries during + these operations and cause the queries to time out. + + To work around the issue, the ``UV_THREADPOOL_SIZE`` environment + variable can be set to a larger value before starting :iscman:`named`. + The recommended value is the number of RPZ zones (or number of + transfers) plus the number of threads BIND should use, which is + typically the number of CPUs. :gl:`#4898` diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index 3084fbb243..bc6832eced 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst 
@@ -14,11 +14,12 @@ Known Issues ------------ -- On some platforms, including FreeBSD, :iscman:`named` must be run as - root to use the :iscman:`rndc` control channel on a privileged port - (i.e., with a port number less than 1024; this includes the default - :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the - :option:`named -u` option to switch to an unprivileged user makes - :iscman:`rndc` unusable. This will be fixed in a future release; in - the meantime, ``mac_portacl`` can be used as a workaround, as - documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793` +- Long-running tasks in offloaded threads (e.g. loading RPZ zones or + processing zone transfers) may block the resolution of queries during + these operations and cause the queries to time out. + + To work around the issue, the ``UV_THREADPOOL_SIZE`` environment + variable can be set to a larger value before starting :iscman:`named`. + The recommended value is the number of RPZ zones (or number of + transfers) plus the number of threads BIND should use, which is + typically the number of CPUs. :gl:`#4898` diff --git a/lib/dns/validator.c b/lib/dns/validator.c index ce5d04205d..681c1b4c45 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c 
@@ -1966,15 +1966,26 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) { static void validate_dnskey_dsset_done(dns_validator_t *val, isc_result_t result) { - if (result == ISC_R_SUCCESS) { + switch (result) { + case ISC_R_CANCELED: + case ISC_R_SHUTTINGDOWN: + /* Abort, abort, abort! */ + break; + case ISC_R_SUCCESS: marksecure(val); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)"); - } else if (result == ISC_R_NOMORE && !val->supported_algorithm) { - validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm/digest (DS)"); - result = markanswer(val, "validate_dnskey (3)", - "no supported algorithm/digest (DS)"); - } else { + break; + case ISC_R_NOMORE: + if (!val->supported_algorithm) { + validator_log(val, ISC_LOG_DEBUG(3), + "no supported algorithm/digest (DS)"); + result = markanswer( + val, "validate_dnskey (3)", + "no supported algorithm/digest (DS)"); + break; + } + FALLTHROUGH; + default: validator_log(val, ISC_LOG_INFO, "no valid signature found (DS)"); result = DNS_R_NOVALIDSIG; diff --git a/lib/isc/loop.c b/lib/isc/loop.c index fb18356973..68a69ee520 100644 --- a/lib/isc/loop.c +++ b/lib/isc/loop.c @@ -351,7 +351,10 @@ threadpool_initialize(uint32_t workers) { int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf, &(size_t){ sizeof(buf) }); if (r == UV_ENOENT) { - snprintf(buf, sizeof(buf), "%" PRIu32, workers); + /* FIXME The number of threadpool threads has been temporarily + * doubled to work around the issue [GL #4898] until a proper + * solution is implemented. */ + snprintf(buf, sizeof(buf), "%" PRIu32, 2 * workers); uv_os_setenv("UV_THREADPOOL_SIZE", buf); } }
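Review bot: in the doc/arm/changelog.rst hunk, the two #4862 entries ("Use seteuid()/setegid() instead of ..." and "Fix the ... shim implementation for NetBSD") should say why leaving the saved user/group IDs untouched is the intended outcome rather than a side effect, because that is the security-relevant part of the change: with the saved set-user-ID still 0 after seteuid(unprivileged), a later seteuid(0) succeeds again from the unprivileged effective ID, so this is not a full privilege drop in the way setresuid()/setresgid() was. If named is not meant to regain root after startup, one sentence saying so (and why the setres* calls had to go) belongs here; if it is meant to (the #4793 entry shows named still binds the control channel before dropping root), say that instead. The same entries also carry typos that will ship in the ARM: the heading reads ``setreseuid()`` for setresuid(), the body says "setegid() and setegid()" where the first should be seteuid(), "saved used/group IDs" should be "saved user/group IDs", and the NetBSD heading says ``resesuid()``. Elsewhere in the hunk: "Fix algoritm rollover" (algorithm), "to able to specify a restricted range of range of key tags" (to be able to specify a restricted range of key tags), "This add the command line arguments" (adds), "has introduced a stricter checks" (stricter checks), "primary used for introspection-only" (primarily), and "removes arguably its most fragile side of ECDSA" should name the thing removed, the per-signature random nonce that RFC 6979 derives deterministically. Two entries (#4898 "Double the number of threadpool threads" and #4911 "Fix an assertion failure in validate_dnskey_dsset_done()") lack the :gl:`!` merge-request reference every other entry has. Style: single backticks (`offline-ksk`, `named`, `rndc skr -import`, `dialup`, `-d`) are RST's default interpreted-text role, not literals; the rest of the file uses double backticks.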
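Review bot: in the doc/notes/notes-9.21.1.rst hunk, the tag-range entry (#4830) names a different set of tools from the changelog entry for the same issue: the release note says the range is set with ``tag-range`` in the dnssec-policy ``keys`` clause (named and dnssec-ksr) and with the new ``dnssec-keyfromlabel -M`` and ``dnssec-keygen -M`` options, while the changelog lists named (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr. dnssec-signzone appears only in the changelog and dnssec-keygen only here; please make the two agree with what the code actually accepts, since operators splitting a zone between signers will follow the release note. In the deterministic ECDSA entry, "as it removes arguably its most fragile side of ECDSA" should say what :rfc:`6979` removes (the random per-signature nonce, whose reuse or bias exposes the private key), and "usecases" should be "use cases". Finally, the note omits the #4862 privilege-drop change and the NetBSD setresuid() shim fix, which are user-visible on at least NetBSD; consider listing them under Feature Changes and Bug Fixes.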
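Review bot: the doc/notes/notes-known-issues.rst hunk adds the UV_THREADPOOL_SIZE paragraph verbatim to a file that doc/arm/notes.rst includes right before notes-9.21.1.rst, which now carries the identical Known Issues section, so the same issue renders twice on the release notes page; keep it in one place (notes-known-issues.rst is the file meant for issues that persist across releases). The paragraph also does not mention that, per the lib/isc/loop.c change in this same patch, the default is now twice the worker count unless UV_THREADPOOL_SIZE is already set, so an operator cannot tell whether the recommended "RPZ zones plus CPUs" value is above or below what named already uses; add that sentence. The removed FreeBSD/rndc item is fine to drop given the #4793 fix above.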
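Review bot: in the lib/dns/validator.c hunk, the new ISC_R_CANCELED/ISC_R_SHUTTINGDOWN arms leave the switch with nothing logged and `result` unchanged, whereas every other arm logs at DEBUG(3) or INFO; add a `validator_log(val, ISC_LOG_DEBUG(3), "validation canceled (DS)")`-style line so a canceled DNSKEY validation is traceable, matching the rpz_rewrite() change in this release that logs ISC_R_CANCELED at DEBUG3. The code after the switch is outside the hunk, so please confirm in the description that whatever consumes `result` there (presumably the completion path) is safe to run with the canceled result and does not touch state that the cancellation already released, since that is what the #4911 assertion was about. Before the patch these results fell into the "no valid signature found (DS)" branch and became DNS_R_NOVALIDSIG; if any caller keyed on that, note the behaviour change.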
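Review bot: in the lib/isc/loop.c hunk, `2 * workers` is only applied on the UV_ENOENT path, so an operator who set UV_THREADPOOL_SIZE per the Known Issues advice gets exactly their value and is not doubled again; that is the right behaviour but it is stated nowhere in the docs, and the effective thread-pool size is never logged, so add a startup log line with the value written by uv_os_setenv() so support can see which of the two cases applied. The FIXME referencing GL #4898 is good; please also make the changelog entry for #4898 mention that the doubling happens only when the variable is unset.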
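Review bot: in the doc/arm/reference.rst hunks, replacing the ``:any:`inline-signing``` and ``:any:`max-zone-ttl``` terms with plain terms under explicit ``.. _dnssec-policy-...:`` labels changes what any existing ``:any:`` cross-reference to those names resolves to, since the same option names exist outside dnssec-policy; the new ``dnssec-policy-keys`` label is used by the release note for #4830, but please grep the rest of the ARM for links that relied on the dnssec-policy definition being the target and switch them to the new ``:ref:`` labels, and mention the reason (disambiguation of same-named zone options) in the commit message, as the changelog does not cover this documentation change.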