From d85918aebf8e0ce0d19cc44df3bdf04cfae3b475 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 2 Sep 2024 14:44:05 +0000 Subject: [PATCH 01/10] Process canceled/shut down results in validate_dnskey_dsset_done() When a validator is already shut down, val->name becomes NULL. We need to process and keep the ISC_R_CANCELED or ISC_R_SHUTTINGDOWN result code before calling validate_async_done(), otherwise, when it is called with the hardcoded DNS_R_NOVALIDSIG result code, it can cause an assetion failure when val->name (being NULL) is used in proveunsecure(). --- lib/dns/validator.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 62f60c7c42..7ad05ef9bb 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1952,15 +1952,26 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) { static void validate_dnskey_dsset_done(dns_validator_t *val, isc_result_t result) { - if (result == ISC_R_SUCCESS) { + switch (result) { + case ISC_R_CANCELED: + case ISC_R_SHUTTINGDOWN: + /* Abort, abort, abort! */ + break; + case ISC_R_SUCCESS: marksecure(val); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)"); - } else if (result == ISC_R_NOMORE && !val->supported_algorithm) { - validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm/digest (DS)"); - result = markanswer(val, "validate_dnskey (3)", - "no supported algorithm/digest (DS)"); - } else { + break; + case ISC_R_NOMORE: + if (!val->supported_algorithm) { + validator_log(val, ISC_LOG_DEBUG(3), + "no supported algorithm/digest (DS)"); + result = markanswer( + val, "validate_dnskey (3)", + "no supported algorithm/digest (DS)"); + break; + } + FALLTHROUGH; + default: validator_log(val, ISC_LOG_INFO, "no valid signature found (DS)"); result = DNS_R_NOVALIDSIG; From 6857df20a40f4e05f465a7a3f5d24eeedce8fc6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Fri, 6 Sep 2024 14:15:21 +0200 Subject: [PATCH 02/10] Double the number of threadpool threads Introduce this temporary workaround to reduce the impact of long-running tasks in offload threads which can block the resolution of queries. --- lib/isc/loop.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/isc/loop.c b/lib/isc/loop.c index 8f2fcdf8e8..2ca6f58014 100644 --- a/lib/isc/loop.c +++ b/lib/isc/loop.c @@ -308,7 +308,10 @@ threadpool_initialize(uint32_t workers) { int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf, &(size_t){ sizeof(buf) }); if (r == UV_ENOENT) { - snprintf(buf, sizeof(buf), "%" PRIu32, workers); + /* FIXME The number of threadpool threads has been temporarily + * doubled to work around the issue [GL #4898] until a proper + * solution is implemented. */ + snprintf(buf, sizeof(buf), "%" PRIu32, 2 * workers); uv_os_setenv("UV_THREADPOOL_SIZE", buf); } } From fadea7dd2fa29d53df67705476d41eed246f0572 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 10:36:01 +0200 Subject: [PATCH 03/10] Generate changelog --- doc/arm/changelog.rst | 250 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 250 insertions(+) diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 9aedad8940..8d31ae8be0 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,256 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Support for Offline KSK implemented. ``bfa206beecc`` + + Add a new configuration option `offline-ksk` to enable Offline KSK key + management. Signed Key Response (SKR) files created with `dnssec-ksr` + (or other program) can now be imported into `named` with the new `rndc + skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY + records and generating signatures covering these types, these records + are loaded from the currently active bundle from the imported SKR. + + The implementation is loosely based on: + https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- + keymgmt-01.txt :gl:`#1128` :gl:`!9119` + +- Implement the 'request-ixfr-max-diffs' configuration option. + ``99b18bab7e1`` + + The new 'request-ixfr-max-diffs' configuration option sets the maximum + number of incoming incremental zone transfer (IXFR) differences, + exceeding which triggers a full zone transfer (AXFR). :gl:`#4389` + :gl:`!9094` + +- Print the full path of the working directory in startup log messages. + ``cf53eac46e9`` + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + :gl:`!9362` + +- Support restricted key tag range when generating new keys. + ``d40b722d462`` + + It is useful when multiple signers are being used to sign a zone to + able to specify a restricted range of range of key tags that will be + used by an operator to sign the zone. This adds controls to named + (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr + (dnssec-policy) to specify such ranges. :gl:`#4830` :gl:`!9258` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Remove the 'dialup' and 'heartbeat-interval' options. ``a133a33b650`` + + The `dialup` and `heartbeat-interval` options have been removed, along + with all code implementing them. Using these options is now a fatal + error. :gl:`#4237` :gl:`!8160` + +- Remove outdated perllib integration. ``f73a19bb3e9`` + + The code in conftools/ directory hasn't been touched since 2000. + Nobody knows what it does and nobody even knows how to build it or + test it. Just remove the whole directory. :gl:`!9302` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use deterministic ecdsa for openssl >= 3.2. ``069c6c22654`` + + OpenSSL has added support for deterministic ECDSA (RFC 6979) with + version 3.2. + + Use it by default as it removes arguably its most fragile side of + ECDSA. The derandomization doesn't pose a risk for DNS usecases and is + allowed by FIPS 186-5. :gl:`#299` :gl:`!9128` + +- Exempt prefetches from the fetches-per-zone and fetches-per-server + quotas. ``4cd73e2536c`` + + Fetches generated automatically as a result of 'prefetch' are now + exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. + This should help in maintaining the cache from which query responses + can be given. :gl:`#4219` :gl:`!9095` + +- Restore the ability to select individual unit tests. ``2299aba5c20`` + + This add the command line arguments: `-d` (debug), `-l` (list tests) + and `-t test` (run this test) to the unit tests. :gl:`#4579` + :gl:`!9384` + +- Process also the ISC_R_CANCELED result code in rpz_rewrite() + ``d0d6ad0c52e`` + + Log canceled resolver queries (e.g. when shutting down a hung fetch) + in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized" + result codes. :gl:`#4797` :gl:`!9148` + +- Use single logging context for everything. ``aa408051d6c`` + + Instead of juggling different logging context, use one single logging + context that gets initialized in the libisc constructor and destroyed + in the libisc destructor. :gl:`#4848` :gl:`!9301` + +- Remove code to read and parse /proc/net/if_inet6 on Linux. + ``8071384324b`` + + The getifaddr() works fine for years, so we don't have to keep the + callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9315` + +- Use seteuid()/setegid() instead of setreseuid()/setresgid() + ``558ec133ea1`` + + It looks like that all supported systems now have support for + _POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because + those will not change saved used/group IDs. :gl:`#4862` :gl:`!9363` + +- Follow the number of CPU set by taskset/cpuset. ``9afcdc2b184`` + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). + + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` :gl:`!9398` + +- Double the number of threadpool threads. ``cfdded46676`` + + Introduce this temporary workaround to reduce the impact of long- + running tasks in offload threads which can block the resolution of + queries. :gl:`#4898` + +Bug Fixes +~~~~~~~~~ + +- Delay release of root privileges until after configuring controls. + ``8a09d54d6be`` + + Delay relinquishing root privileges until the control channel has been + configured, for the benefit of systems that require root to use + privileged port numbers. This mostly affects systems without fine- + grained privilege systems (i.e., other than Linux). :gl:`#4793` + :gl:`!9123` + +- Fix the assertion failure in the isc_hashmap iterator. ``c31cd677882`` + + When the round robin hashing reorders the map entries on deletion, we + were adjusting the iterator table size only when the reordering was + happening at the internal table boundary. The iterator table size had + to be reduced by one to prevent seeing the entry that resized on + position [0] twice because it migrated to [iter->size - 1] position. + + However, the same thing could happen when the same entry migrates a + second time from [iter->size - 1] to [iter->size - 2] position (and so + on) because the check that we are manipulating the entry just in the + [0] position was insufficient. Instead of checking the position [pos + == 0], we now check that the [pos % iter->size == 0], thus ignoring + all the entries that might have moved back to the end of the internal + table. :gl:`#4838` :gl:`!9292` + +- Add -Wno-psabi to CFLAGS for x86 (32-bit) builds. ``75021765f8d`` + + GCC 11.1+ emits a note during compilation when there are 64-bit atomic + fields in a structure, because it fixed a compiler bug by changing the + alignment of such fields, which caused ABI change. + + Add -Wno-psabi to CFLAGS for such builds in order to silence the + warning. That shouldn't be a problem since we don't expose our + structures to the outside. :gl:`#4841` :gl:`!9319` + +- Check if logconfig is NULL before using it in isc_log_doit() + ``ebd669a8303`` + + Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(), + because it's possible that isc_log_destroy() was already called, e.g. + when a 'call_rcu' function wants to log a message during shutdown. + :gl:`#4842` :gl:`!9297` + +- Change the NS_PER_SEC (and friends) from enum to static const. + ``2d12e1142ae`` + + New version of clang (19) has introduced a stricter checks when mixing + integer (and float types) with enums. In this case, we used enum {} + as C17 doesn't have constexpr yet. Change the time conversion + constants to be static const unsigned int instead of enum values. + :gl:`#4845` :gl:`!9313` + +- Check the result of dirfd() before calling unlinkat() ``661981be7b0`` + + Instead of directly using the result of dirfd() in the unlinkat() + call, check whether the returned file descriptor is actually valid. + That doesn't really change the logic as the unlinkat() would fail with + invalid descriptor anyway, but this is cleaner and will report the + right error returned directly by dirfd() instead of EBADF from + unlinkat(). :gl:`#4853` :gl:`!9316` + +- Fix rare assertion failure when shutting down incoming transfer. + ``14d2040934e`` + + A very rare assertion failure can be triggered when the incoming + transfer is either forcefully shut down or it is finished during + printing the details about the statistics channel. This has been + fixed. :gl:`#4860` :gl:`!9336` + +- Fix the resesuid() shim implementation for NetBSD. ``5bfed08b253`` + + The shim implementation of setresuid() was wrong - there was a copy + and paste error and it was calling setresgid() instead. This only + affects NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and + setresgid() implementation available from the system library. + :gl:`#4862` :gl:`!9359` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. ``8dbd57116bf`` + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` :gl:`!9381` + +- Stop using malloc_usable_size and malloc_size. ``f99da39934d`` + + The `malloc_usable_size()` can return size larger than originally + allocated and when these sizes disagree the fortifier enabled by + `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution + abruptly. Stop using these convenience functions as they are primary + used for introspection-only. :gl:`#4880` :gl:`!9400` + +- Preserve statement tag order in documentation. ``0b9ce9c05b1`` + + This supports bit-for-bit reproducibility of built documentation. + :gl:`#4886` :gl:`!9399` + +- Fix an assertion failure in validate_dnskey_dsset_done() + ``31245213a09`` + + Under rare circumstances, named could terminate unexpectedly when + validating a DNSKEY resource record if the validation was canceled in + the meantime. This has been fixed. :gl:`#4911` + +- Silence all warnings that stem from the default config. + ``f4e0d0e460b`` + + As we now setup the logging very early, parsing the default config + would always print warnings about experimental (and possibly + deprecated) options in the default config. This would even mess with + commands like `named -V` and it is also wrong to warn users about + using experimental options in the default config, because they can't + do anything about this. Add CFG_PCTX_NODEPRECATED and + CFG_PCTX_NOEXPERIMENTAL options that we can pass to cfg parser and + silence the early warnings caused by using experimental options in the + default config. :gl:`!9304` + + BIND 9.21.0 ----------- From 95b824f505478fab293c52482656451f6f131d42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 10:39:08 +0200 Subject: [PATCH 04/10] Generate release notes --- doc/notes/notes-9.21.1.rst | 111 +++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 doc/notes/notes-9.21.1.rst diff --git a/doc/notes/notes-9.21.1.rst b/doc/notes/notes-9.21.1.rst new file mode 100644 index 0000000000..2c84f925ee --- /dev/null +++ b/doc/notes/notes-9.21.1.rst @@ -0,0 +1,111 @@ +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Support for Offline KSK implemented. + + Add a new configuration option `offline-ksk` to enable Offline KSK key + management. Signed Key Response (SKR) files created with `dnssec-ksr` + (or other program) can now be imported into `named` with the new `rndc + skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY + records and generating signatures covering these types, these records + are loaded from the currently active bundle from the imported SKR. + + The implementation is loosely based on: + https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- + keymgmt-01.txt :gl:`#1128` + +- Implement the 'request-ixfr-max-diffs' configuration option. + + The new 'request-ixfr-max-diffs' configuration option sets the maximum + number of incoming incremental zone transfer (IXFR) differences, + exceeding which triggers a full zone transfer (AXFR). :gl:`#4389` + +- Print the full path of the working directory in startup log messages. + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + +- Support restricted key tag range when generating new keys. + + It is useful when multiple signers are being used to sign a zone to + able to specify a restricted range of range of key tags that will be + used by an operator to sign the zone. This adds controls to named + (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr + (dnssec-policy) to specify such ranges. :gl:`#4830` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Remove the 'dialup' and 'heartbeat-interval' options. + + The `dialup` and `heartbeat-interval` options have been removed, along + with all code implementing them. Using these options is now a fatal + error. :gl:`#4237` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use deterministic ecdsa for openssl >= 3.2. + + OpenSSL has added support for deterministic ECDSA (RFC 6979) with + version 3.2. + + Use it by default as it removes arguably its most fragile side of + ECDSA. The derandomization doesn't pose a risk for DNS usecases and is + allowed by FIPS 186-5. :gl:`#299` + +- Exempt prefetches from the fetches-per-zone and fetches-per-server + quotas. + + Fetches generated automatically as a result of 'prefetch' are now + exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. + This should help in maintaining the cache from which query responses + can be given. :gl:`#4219` + +- Follow the number of CPU set by taskset/cpuset. + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). + + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` + +Bug Fixes +~~~~~~~~~ + +- Delay release of root privileges until after configuring controls. + + Delay relinquishing root privileges until the control channel has been + configured, for the benefit of systems that require root to use + privileged port numbers. This mostly affects systems without fine- + grained privilege systems (i.e., other than Linux). :gl:`#4793` + +- Fix rare assertion failure when shutting down incoming transfer. + + A very rare assertion failure can be triggered when the incoming + transfer is either forcefully shut down or it is finished during + printing the details about the statistics channel. This has been + fixed. :gl:`#4860` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` + +- Fix an assertion failure in validate_dnskey_dsset_done() + + Under rare circumstances, named could terminate unexpectedly when + validating a DNSKEY resource record if the validation was canceled in + the meantime. This has been fixed. :gl:`#4911` + + From 466939abcf67cf39d61484241f30cbd70012767d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 15:20:25 +0200 Subject: [PATCH 05/10] Prepare release notes for BIND 9.21.1 --- doc/arm/changelog.rst | 4 ++-- doc/arm/notes.rst | 2 +- doc/notes/notes-9.21.1.rst | 20 ++++++++++++++++++-- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 8d31ae8be0..352e8e8c6d 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,8 +18,8 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. -(-dev) ------- +BIND 9.21.1 +----------- New Features ~~~~~~~~~~~~ diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 4e6560f870..f776b382b3 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -39,7 +39,7 @@ https://www.isc.org/download/. There you will find additional information about each release, and source code. .. include:: ../notes/notes-known-issues.rst - +.. include:: ../notes/notes-9.21.1.rst .. include:: ../notes/notes-9.21.0.rst .. _relnotes_license: diff --git a/doc/notes/notes-9.21.1.rst b/doc/notes/notes-9.21.1.rst index 2c84f925ee..0c91ae3e29 100644 --- a/doc/notes/notes-9.21.1.rst +++ b/doc/notes/notes-9.21.1.rst @@ -1,5 +1,16 @@ -(-dev) ------- +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.1 +--------------------- New Features ~~~~~~~~~~~~ @@ -108,4 +119,9 @@ Bug Fixes validating a DNSKEY resource record if the validation was canceled in the meantime. This has been fixed. :gl:`#4911` +Known Issues +~~~~~~~~~~~~ +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. From 03141314992f83f020093b83989bdbef80c7e84a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 13:13:43 +0200 Subject: [PATCH 06/10] Remove a fixed known issue [GL #4793] --- doc/notes/notes-known-issues.rst | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index 3084fbb243..3ee1928522 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst @@ -14,11 +14,4 @@ Known Issues ------------ -- On some platforms, including FreeBSD, :iscman:`named` must be run as - root to use the :iscman:`rndc` control channel on a privileged port - (i.e., with a port number less than 1024; this includes the default - :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the - :option:`named -u` option to switch to an unprivileged user makes - :iscman:`rndc` unusable. This will be fixed in a future release; in - the meantime, ``mac_portacl`` can be used as a workaround, as - documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793` +- There are no known issues affecting this BIND 9 branch. From c779edf78b682c99cdd8bdb8e9c3a3144ce25c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Fri, 6 Sep 2024 14:03:28 +0200 Subject: [PATCH 07/10] Add Known Issue [#GL 4898] --- doc/notes/notes-9.21.1.rst | 12 +++++++++--- doc/notes/notes-known-issues.rst | 10 +++++++++- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/doc/notes/notes-9.21.1.rst b/doc/notes/notes-9.21.1.rst index 0c91ae3e29..fa3dc44192 100644 --- a/doc/notes/notes-9.21.1.rst +++ b/doc/notes/notes-9.21.1.rst @@ -122,6 +122,12 @@ Bug Fixes Known Issues ~~~~~~~~~~~~ -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. +- Long-running tasks in offloaded threads (e.g. the loading of RPZ zones + or processing zone transfers) may block the resolution of queries + during these operations and cause the queries to time out. + + To work around the issue, the ``UV_THREADPOOL_SIZE`` environment + variable can be set to a larger value before starting :iscman:`named`. + The recommended value is the number of RPZ zones (or number of + transfers) plus the number of threads BIND should use, which is + typically the number of CPUs. :gl:`#4898` diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index 3ee1928522..bc6832eced 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst @@ -14,4 +14,12 @@ Known Issues ------------ -- There are no known issues affecting this BIND 9 branch. +- Long-running tasks in offloaded threads (e.g. loading RPZ zones or + processing zone transfers) may block the resolution of queries during + these operations and cause the queries to time out. + + To work around the issue, the ``UV_THREADPOOL_SIZE`` environment + variable can be set to a larger value before starting :iscman:`named`. + The recommended value is the number of RPZ zones (or number of + transfers) plus the number of threads BIND should use, which is + typically the number of CPUs. :gl:`#4898` From 0d97fe02bcb148742eb7c6e6873162adebeae04c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 15:03:15 +0200 Subject: [PATCH 08/10] Fix dnssec-policy options formatting and links in ARM The statements that already exist in the grammar can't be created with the namedconf:statement. Use a plain definition list for these statements and add a manual anchor for each one so links to them can be created. Avoid using the :any: syntax in the definition lists, as that just creates a link to the duplicate and completely unrelated statement, which just makes the documentation more confusing. --- doc/arm/reference.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index cf1ba1b12c..2d8f4b5829 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6398,7 +6398,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This indicates the TTL to use when generating DNSKEY resource records. The default is 1 hour (3600 seconds). -:any:`inline-signing` +.. _dnssec-policy-inline-signing: + +inline-signing :tags: dnssec :short: Specifies whether BIND 9 maintains a separate signed version of a zone. @@ -6410,7 +6412,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This behavior is enabled by default. -.. keys +.. _dnssec-policy-keys: + +keys :tags: dnssec :short: Specifies the type of keys to be used for DNSSEC signing. @@ -6578,7 +6582,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This is similar to :any:`signatures-validity`, but for DNSKEY records. The default is ``P2W`` (2 weeks). -:any:`max-zone-ttl` +.. _dnssec-policy-max-zone-ttl: + +max-zone-ttl :tags: zone, query :short: Specifies a maximum permissible time-to-live (TTL) value, in seconds. From bd944476d2e1498fe29637c2b581688a566c2791 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 13:13:30 +0200 Subject: [PATCH 09/10] Tweak and reword release notes --- doc/notes/notes-9.21.1.rst | 128 +++++++++++++++++++------------------ 1 file changed, 67 insertions(+), 61 deletions(-) diff --git a/doc/notes/notes-9.21.1.rst b/doc/notes/notes-9.21.1.rst index fa3dc44192..68cc258c8e 100644 --- a/doc/notes/notes-9.21.1.rst +++ b/doc/notes/notes-9.21.1.rst @@ -17,114 +17,120 @@ New Features - Support for Offline KSK implemented. - Add a new configuration option `offline-ksk` to enable Offline KSK key - management. Signed Key Response (SKR) files created with `dnssec-ksr` - (or other program) can now be imported into `named` with the new `rndc - skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY - records and generating signatures covering these types, these records - are loaded from the currently active bundle from the imported SKR. + Add a new configuration option :any:`offline-ksk` to enable Offline + KSK key management. Signed Key Response (SKR) files created with + :iscman:`dnssec-ksr` (or other programs) can now be imported into + :iscman:`named` with the new :option:`rndc skr -import ` + command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and + generating signatures covering these types, these records are loaded + from the currently active bundle from the imported SKR. - The implementation is loosely based on: - https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- - keymgmt-01.txt :gl:`#1128` + The implementation is loosely based on + `draft-icann-dnssec-keymgmt-01.txt + `_. + :gl:`#1128` -- Implement the 'request-ixfr-max-diffs' configuration option. +- Allow limiting the number of differences in IXFR. - The new 'request-ixfr-max-diffs' configuration option sets the maximum - number of incoming incremental zone transfer (IXFR) differences, - exceeding which triggers a full zone transfer (AXFR). :gl:`#4389` + A new :any:`request-ixfr-max-diffs` configuration option can set the + maximum number of incoming incremental zone transfer (IXFR) + differences. Exceeding it triggers a full zone transfer (AXFR). + :gl:`#4389` - Print the full path of the working directory in startup log messages. - named now prints its initial working directory during startup and the - changed working directory when loading or reloading its configuration - file if it has a valid 'directory' option defined. :gl:`#4731` + :iscman:`named` now prints its initial working directory during + startup, and the changed working directory when loading or reloading + its configuration file, if it has a valid :any:`directory` option + defined. :gl:`#4731` -- Support restricted key tag range when generating new keys. +- Support a restricted key tag range when generating new keys. - It is useful when multiple signers are being used to sign a zone to - able to specify a restricted range of range of key tags that will be - used by an operator to sign the zone. This adds controls to named - (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr - (dnssec-policy) to specify such ranges. :gl:`#4830` + When multiple signers are being used to sign a zone, it is useful to + be able to specify a restricted range of key tags to be used by an + operator to sign the zone. The range can be specified with + ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys + ` (for :iscman:`named` and :iscman:`dnssec-ksr`) + and with the new options :option:`dnssec-keyfromlabel -M` and + :option:`dnssec-keygen -M`. :gl:`#4830` Removed Features ~~~~~~~~~~~~~~~~ -- Remove the 'dialup' and 'heartbeat-interval' options. +- Remove the ``dialup`` and ``heartbeat-interval`` options. - The `dialup` and `heartbeat-interval` options have been removed, along - with all code implementing them. Using these options is now a fatal - error. :gl:`#4237` + The ``dialup`` and ``heartbeat-interval`` options have been removed, + along with all code implementing them. Using these options is now a + fatal error. :gl:`#4237` Feature Changes ~~~~~~~~~~~~~~~ -- Use deterministic ecdsa for openssl >= 3.2. +- Use deterministic ECDSA for OpenSSL >= 3.2. - OpenSSL has added support for deterministic ECDSA (RFC 6979) with + OpenSSL has added support for deterministic ECDSA (:rfc:`6979`) with version 3.2. - Use it by default as it removes arguably its most fragile side of - ECDSA. The derandomization doesn't pose a risk for DNS usecases and is + It is used by default, as it removes arguably its most fragile side of + ECDSA. The derandomization does not pose a risk for DNS usecases and is allowed by FIPS 186-5. :gl:`#299` -- Exempt prefetches from the fetches-per-zone and fetches-per-server - quotas. +- Exempt prefetches from the :any:`fetches-per-zone` and + :any:`fetches-per-server` quotas. - Fetches generated automatically as a result of 'prefetch' are now - exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. - This should help in maintaining the cache from which query responses - can be given. :gl:`#4219` + Fetches generated automatically as a result of :any:`prefetch` are now + exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server` + quotas. This should help in maintaining the cache from which query + responses can be given. :gl:`#4219` -- Follow the number of CPU set by taskset/cpuset. +- Follow the number of CPUs set by ``taskset``/``cpuset``. - Administrators may wish to constrain the set of cores that BIND 9 runs - on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on - other O/S). + Administrators may wish to constrain the set of cores that + :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl`` + programs (or equivalents on other OSes). - If the admin has used taskset, the `named` will now follow to - automatically use the given number of CPUs rather than the system wide - count. :gl:`#4884` + If the admin has used ``taskset``, :iscman:`named` now automatically + uses the given number of CPUs rather than the system-wide count. + :gl:`#4884` Bug Fixes ~~~~~~~~~ -- Delay release of root privileges until after configuring controls. +- Delay the release of root privileges until after configuring controls. Delay relinquishing root privileges until the control channel has been configured, for the benefit of systems that require root to use privileged port numbers. This mostly affects systems without fine- grained privilege systems (i.e., other than Linux). :gl:`#4793` -- Fix rare assertion failure when shutting down incoming transfer. +- Fix a rare assertion failure when shutting down incoming transfer. - A very rare assertion failure can be triggered when the incoming - transfer is either forcefully shut down or it is finished during - printing the details about the statistics channel. This has been + A very rare assertion failure could be triggered when the incoming + transfer was either forcefully shut down, or it finished during the + printing of the details about the statistics channel. This has been fixed. :gl:`#4860` -- Fix algoritm rollover bug when there are two keys with the same +- Fix algorithm rollover bug when there are two keys with the same keytag. - If there is an algorithm rollover and two keys of different algorithm - share the same keytags, then there is a possibility that if we check - that a key matches a specific state, we are checking against the wrong - key. This has been fixed by not only checking for matching key tag but - also key algorithm. :gl:`#4878` + If there was an algorithm rollover and two keys of different + algorithms shared the same keytags, there was the possibility that the + check of whether the key matched a specific state could be performed + against the wrong key. This has been fixed by not only checking for + the matching key tag but also the key algorithm. :gl:`#4878` -- Fix an assertion failure in validate_dnskey_dsset_done() +- Fix an assertion failure in ``validate_dnskey_dsset_done()``. - Under rare circumstances, named could terminate unexpectedly when - validating a DNSKEY resource record if the validation was canceled in - the meantime. This has been fixed. :gl:`#4911` + Under rare circumstances, :iscman:`named` could terminate unexpectedly + when validating a DNSKEY resource record if the validation had been + canceled in the meantime. This has been fixed. :gl:`#4911` Known Issues ~~~~~~~~~~~~ -- Long-running tasks in offloaded threads (e.g. the loading of RPZ zones - or processing zone transfers) may block the resolution of queries - during these operations and cause the queries to time out. +- Long-running tasks in offloaded threads (e.g. loading RPZ zones or + processing zone transfers) may block the resolution of queries during + these operations and cause the queries to time out. To work around the issue, the ``UV_THREADPOOL_SIZE`` environment variable can be set to a larger value before starting :iscman:`named`. From 2e24083c7981da673b0066f742bc3a491b0bb847 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Mon, 9 Sep 2024 15:04:19 +0200 Subject: [PATCH 10/10] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0f3513fd24..2287b3e3b2 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 21)dnl m4_define([bind_VERSION_PATCH], 1)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl