From 55734f92574e3543b965445a4665bfef8a8858ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Mon, 2 Dec 2024 15:07:55 +0100 Subject: [PATCH 1/9] Generate changelog for BIND 9.21.3 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.21.3.rst | 432 +++++++++++++++++++++++++++++ 2 files changed, 433 insertions(+) create mode 100644 doc/changelog/changelog-9.21.3.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 3b0cabef00..ec3a049e62 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.3.rst .. include:: ../changelog/changelog-9.21.2.rst .. include:: ../changelog/changelog-9.21.1.rst .. include:: ../changelog/changelog-9.21.0.rst diff --git a/doc/changelog/changelog-9.21.3.rst b/doc/changelog/changelog-9.21.3.rst new file mode 100644 index 0000000000..5fe9a562f2 --- /dev/null +++ b/doc/changelog/changelog-9.21.3.rst 
@@ -0,0 +1,432 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.3 +----------- + +New Features +~~~~~~~~~~~~ + +- Add separate query counters for new protocols. ``419aa3264e`` + + Add query counters for DoT, DoH, unencrypted DoH and their proxied + counterparts. The new protocols do not update their respective TCP/UDP + transport counter and is now for TCP/UDP over plain 53 only. + :gl:`#598` :gl:`!9585` + +- Implement RFC 9567: EDNS Report-Channel option. ``e1588022c1`` + + Add new `send-report-channel` and `log-report-channel` options. + `send-report-channel` specifies an agent domain, to which error + reports can be sent by querying a specially constructed name within + the agent domain. EDNS Report-Channel options will be added to + outgoing authoritative responses, to inform clients where to send such + queries in the event of a problem. + + If a zone is configured which matches the agent domain and has + `log-report-channel` set to `yes`, error-reporting queries will be + logged at level `info` to the `dns-reporting-agent` logging channel. + :gl:`#3659` :gl:`!7036` + +- Add detailed debugging of update-policy rule matching. ``80f611afe6`` + + This logs how named determines if an update request is granted or + denied when using update-policy. :gl:`#4751` :gl:`!9074` + +- Update bind.keys with the new 2025 IANA root key. ``63ee8979a7`` + + Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, + which is scheduled for publication in January 2025. :gl:`#4896` + :gl:`!9422` + +- Support jinja2 templates in pytest runner. 
``04bdaf6efb`` + + Configuration files in system tests which require some variables (e.g. + port numbers) filled in during test setup, can now use jinja2 + templates when `jinja2` python package is available. + + Any `*.j2` file found within the system test directory will be + automatically rendered with the environment variables into a file + without the `.j2` extension by the pytest runner. E.g. + `ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To + avoid automatic rendering, use `.j2.manual` extension and render the + files manually at test time. + + New `templates` pytest fixture has been added. Its `render()` function + can be used to render a template with custom test variables. This can + be useful to fill in different config options during the test. With + advanced jinja2 template syntax, it can also be used to include/omit + entire sections of the config file rather than using `named1.conf.in`, + `named2.conf.in` etc. :gl:`#4938` :gl:`!9587` + +- Enable runtime selection of FIPS mode in dig and delv. ``2c1fb7e5eb`` + + 'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime. + :gl:`#5046` :gl:`!9754` + +- Extended TCP accept() logging. ``cd312298ea`` + + Add extra log messages about TCP connection management. :gl:`!9089` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Move contributed DLZ modules into a separate repository. + ``0fa2807d2b`` + + The DLZ modules are poorly maintained as we only ensure they can still + be compiled, the DLZ interface is blocking, so anything that blocks + the query to the database blocks the whole server and they should not + be used except in testing. The DLZ interface itself is going to be + scheduled for removal. + + The DLZ modules now live in + https://gitlab.isc.org/isc-projects/dlz-modules repository. + :gl:`#4865` :gl:`!9349` + +- Remove RBTDB implementation. 
``a10d78db55`` + + Remove the RBTDB database implementation, and only leave the QPDB + based implementations of zone and cache databases. This means it's no + longer possible to choose the RBTDB to be default at the compilation + time and it's not possible to configure RBTDB as the database backend + in the configuration file. :gl:`#5027` :gl:`!9733` + +- Remove namedconf port/tls deprecated check on *-source[-v6] options. + ``29f1d4bb6f`` + + The usage of port and tls arguments in *-source and *-source-v6 named + configuration options has been previously removed. Remove various + configuration check deprecating usage of those arguments. :gl:`!9738` + +- Remove unused headers from OpenSSL shims. + ``a1fed2d8e7`` + + The header was unused and including the header might + cause build failure when OpenSSL doesn't have Engines support enabled. + + See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine + + Removes unused hmac includes after Remove OpenSSL Engine support + (commit ef7aba70) removed engine support. :gl:`!9228` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use default listening rules from config.c string. ``f6148f66d4`` + + Remove special code which creates default listeners, and use the + normal named.conf configuration parser instead. This removes unneeded + code and makes the built-in configuration text provide a true primary + source of defaults. This change should be transparent to end-users and + should not cause any visible change. :gl:`#1424` :gl:`!2663` + +- Use lists of expected artifacts in system tests. ``32cc143da0`` + + ``clean.sh`` scripts have been replaced by lists of expected artifacts + for each system test module. The list is defined using the custom + ``pytest.mark.extra_artifacts`` mark, which can use both filenames and + globs. :gl:`#4261` :gl:`!9426` + +- Dnssec-ksr now supports KSK rollovers. ``675a7f0166`` + + The tool 'dnssec-ksr' now allows for KSK generation, as well as + planned KSK rollovers. 
When signing a bundle from a Key Signing + Request (KSR), only the key that is active in that time frame is being + used for signing. Also, the CDS and CDNSKEY records are now added and + removed at the correct time. :gl:`#4697` :gl:`#4705` :gl:`!9452` + +- Unify parsing of query-source and other X-source options. + ``ff94eb9e31`` + + The query-source option currently allows the address to be specified + in two ways, either as every other X-source option, or as an "address" + key-value pair. This merge request extends the `parse_sockaddrsub` + config parsing function so that it can parse the query-source option. + It also removes the separate config parsing function for + `query-source`. :gl:`#4961` :gl:`!9551` + +- Add none parameter to query-source and query-source-v6 to disable IPv4 + or IPv6 upstream queries. ``001272127f`` + + Add a none parameter to named configuration option `query-source` + (respectively `query-source-v6`) which forbid usage of IPv4 + (respectively IPv6) addresses when named is doing an upstream query. + :gl:`#4981` Turning-off upstream IPv6 queries while still listening to + downstream queries on IPv6. :gl:`!9727` + +- Incrementally apply AXFR transfer. ``a3e03b52e2`` + + Reintroduce logic to apply diffs when the number of pending tuples is + above 128. The previous strategy of accumulating all the tuples and + pushing them at the end leads to excessive memory consumption during + transfer. + + This effectively reverts half of e3892805d6 :gl:`#4986` :gl:`!9740` + +- Print expire option in transfer summary. ``d0900b7edf`` + + The zone transfer summary will now print the expire option value in + the zone transfer summary. :gl:`#5013` :gl:`!9694` + +- Optimize memory layout of core structs. ``d94e88220c`` + + Reduce memory footprint by: - Reordering struct fields to minimize + padding. 
- Using exact-sized atomic types instead of + `*_least`/`*_fast` variants - Downsizing integer fields where possible + + Affected structs: - dns_name_t - dns_slabheader_t - dns_rdata_t - + qpcnode_t - qpznode_t :gl:`#5022` :gl:`!9721` + +- Add missing EDNS option mnemonics. ``887b04571b`` + + The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent + using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), + and `dig +ednsopt=zoneversion`. + + Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and + `CHAIN`, are now displayed correctly in text and YAML formats. Also, + an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now + spelled with a hyphen in both text and YAML formats; previously, text + format used a space. :gl:`!9691` + +- Add new logging module for logging crypto errors in libisc. + ``cf930c23d0`` + + Add a new 'crypto' log module that will be used for a low-level + cryptographic operations. The DNS related cryptography logs are still + logged in the 'dns/crypto' module. :gl:`!9287` + +- Add two new clang-format options that help with code formatting. + ``94b65f5eb0`` + + * Add new clang-format option to remove redundant semicolons * Add new + clang-format option to remove redundant parentheses :gl:`!9749` + +- Assume IPv6 is universally available (on the kernel level) + ``b72a2300b9`` + + Instead of various probing, just assume that IPv6 is universally + available and cleanup the various checks and defines that we have + accumulated over the years. :gl:`!9360` + +- Emit more helpful log for exceeding max-records-per-type. + ``b2ffa5845b`` + + The new log message is emitted when adding or updating an RRset fails + due to exceeding the max-records-per-type limit. The log includes the + owner name and type, corresponding zone name, and the limit value. It + will be emitted on loading a zone file, inbound zone transfer (both + AXFR and IXFR), handling a DDNS update, or updating a cache DB. 
It's + especially helpful in the case of zone transfer, since the secondary + side doesn't have direct access to the offending zone data. + + It could also be used for max-types-per-name, but this change doesn't + implement it yet as it's much less likely to happen in practice. + :gl:`!9509` + +- Enforce type checking for dns_dbversion_t. ``4b47c96a89`` + + Originally, the dns_dbversion_t was typedef'ed to void type. This + allowed some flexibility, but using (void *) just removes any + type-checking that C might have. Instead of using: + + typedef void dns_dbversion_t; + + use a trick to define the type to non-existing structure: + + typedef struct dns_dbversion dns_dbversion_t; + + This allows the C compilers to employ the type-checking while the + structure itself doesn't have to be ever defined because the actual + 'storage' is never accessed using dns_dbversion_t type. :gl:`!9724` + +- Harden key management when key files have become unavailabe. + ``7a416693bb`` + + Prior to doing key management, BIND 9 will check if the key files on + disk match the expected keys. If key files for previously observed + keys have become unavailable, this will prevent the internal key + manager from running. :gl:`!9337` + +- Unify explicit fetching and libcrypto handling. ``94e5061151`` + + Unify libcrypto initialization and explicit digest fetching in a + single place. + + It will remove the remaining implicit fetching and deduplicate + explicit fetching inside the codebase. Initialization has been moved + in to ensure OpenSSL cleanup is done only after fetched contextes are + destroyed. :gl:`!9288` + +Bug Fixes +~~~~~~~~~ + +- Use TLS for notifies if configured to do so. ``4c882e4c0b`` + + Notifies configured to use TLS will now be sent over TLS, instead of + plaintext UDP or TCP. Also, failing to load the TLS configuration for + notify now also results in an error. :gl:`#4821` :gl:`!9407` + +- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. 
``8e0ec3fe0a`` + + `dig` fails to parse a valid (as far as I can tell, and accepted by + `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template + containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If + the URI template contains a `{?dns}` instead `dig` is happy, but my + understanding of rfc9461 and section 1.2. "Levels and Expression + Types" of rfc6570 is that `{&dns}` is valid. See for example section + 1.2. "Levels and Expression Types" of rfc6570. + + Note that Peter van Dijk suggested that `{dns}` and + `{dns,someothervar}` might be valid forms as well, so my patch might + be too restrictive, although it's anyone's guess how DoH clients would + handle complex templates. :gl:`#4922` :gl:`!9455` + +- Make dns_validator_cancel() respect the data ownership. ``4c0e69ff01`` + + There was a data race dns_validator_cancel() was called when the + offloaded operations were in progress. Make dns_validator_cancel() + respect the data ownership and only set new .canceling variable when + the offloaded operations are in progress. The cancel operation would + then finish when the offloaded work passes the ownership back to the + respective thread. :gl:`#4926` :gl:`!9470` + +- Fix NSEC3 closest encloser lookup for names with empty non-terminals. + ``a33528fe99`` + + The performance improvement for finding the NSEC3 closest encloser + when generating authoritative responses could cause servers to return + incorrect NSEC3 records in some cases. This has been fixed. 
+ :gl:`#4950` :gl:`!9610` + +- Revert "Improve performance when looking for the closest encloser" + ``3a321ec661`` + + Revert "fix: chg: Improve performance when looking for the closest + encloser when returning NSEC3 proofs" + + This reverts merge request !9436 :gl:`#4950` :gl:`!9611` + +- Report client transport in 'rndc recursing' ``87ec2ce498`` + + When `rndc recursing` is used to dump the list of recursing clients, + it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP. + :gl:`#4971` :gl:`!9590` + +- Fix a data race in dns_zone_getxfrintime() ``84eac93bfd`` + + The dns_zone_getxfrintime() function fails to lock the zone before + accessing its 'xfrintime' structure member, which can cause a data + race between soa_query() and the statistics channel. Add the missing + locking/unlocking pair, like it's done in numerous other similar + functions. :gl:`#4976` :gl:`!9591` + +- 'Recursive-clients 0;' triggers an assertion. ``d7fab54393`` + + BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed. + :gl:`#4987` :gl:`!9621` + +- Transport needs to be a selector when looking for an existing + dispatch. ``a7df51b706`` + + This allows for dispatch to use existing TCP/HTTPS/TLS etc. streams + without accidentally using an unexpected transport. :gl:`#4989` + :gl:`!9633` + +- Parsing of hostnames in rndc.conf was broken. ``6ea2ac5f94`` + + When DSCP support was removed, parsing of hostnames in rndc.conf was + accidentally broken, resulting in an assertion failure. This has been + fixed. :gl:`#4991` :gl:`!9669` + +- Restore values when dig prints command line. ``8467449407`` + + Options of the form `[+-]option=` failed to display the value + on the printed command line. This has been fixed. :gl:`#4993` + :gl:`!9653` + +- Provide more visibility into configuration errors. ``54889fd2af`` + + by logging SSL_CTX_use_certificate_chain_file and + SSL_CTX_use_PrivateKey_file errors individually. 
:gl:`#5008` + :gl:`!9683` + +- Fix a data race between dns_zone_getxfr() and dns_xfrin_create() + ``60ec9ef507`` + + There is a data race between the statistics channel, which uses + `dns_zone_getxfr()` to get a reference to `zone->xfr`, and the + creation of `zone->xfr`, because the latter happens outside of a zone + lock. + + Split the `dns_xfrin_create()` function into two parts to separate the + zone transfer starting part from the zone transfer object creation + part. This allows us to attach the new object to a local variable + first, then attach it to `zone->xfr` under a lock, and only then start + the transfer. :gl:`#5011` :gl:`!9716` + +- Fix race condition when canceling ADB find. ``75f1587aed`` + + When canceling the ADB find, the lock on the find gets released for a + brief period of time to be locked again inside adbname lock. During + the brief period that the ADB find is unlocked, it can get canceled by + other means removing it from the adbname list which in turn causes + assertion failure due to a double removal from the adbname list. This + has been fixed. :gl:`#5024` :gl:`!9722` + +- Improve the memory cleaning in the SERVFAIL cache. ``5b96cbea01`` + + The SERVFAIL cache doesn't have a memory bound and the cleaning of the + old SERVFAIL cache entries was implemented only in opportunistic + manner. Improve the memory cleaning of the SERVFAIL cache to be more + aggressive, so it doesn't consume a lot of memory in the case the + server encounters many SERVFAILs at once. :gl:`#5025` :gl:`!9760` + +- Fix trying the next primary server when the preivous one was marked as + unreachable. ``025677943d`` + + In some cases (there is evidence only when XoT was used) `named` + failed to try the next primary server in the list when the previous + one was marked as unreachable. This has been fixed. :gl:`#5038` + :gl:`!9781` + +- Clean up 'nodetach' in ns_client. 
``617381f115`` + + The 'nodetach' member is a leftover from the times when non-zero + 'stale-answer-client-timeout' values were supported, and currently is + always 'false'. Clean up the member and its usage. :gl:`!9592` + +- Enforce type checking for dns_dbnode_t. ``4b47c4f628`` + + Originally, the dns_dbnode_t was typedef'ed to void type. This + allowed some flexibility, but using (void *) just removes any + type-checking that C might have. Instead of using: + + typedef void dns_dbnode_t; + + use a trick to define the type to non-existing structure: + + typedef struct dns_dbnode dns_dbnode_t; + + This allows the C compilers to employ the type-checking while the + structure itself doesn't have to be ever defined because the actual + 'storage' is never accessed using dns_dbnode_t type. :gl:`!9719` + +- Fix error path bugs in the manager's "recursing-clients" list + management. ``508f7007e8`` + + In two places, after linking the client to the manager's + "recursing-clients" list using the check_recursionquota() function, + the query.c module fails to unlink it on error paths. Fix the bugs by + unlinking the client from the list. :gl:`!9586` + + From 2707c794c70669e97ccb9f8fae1c644608e1d76b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Mon, 2 Dec 2024 15:13:30 +0100 Subject: [PATCH 2/9] Fix Sphinx build failures on generated changelog for BIND 9.21.3 --- doc/changelog/changelog-9.21.3.rst | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/doc/changelog/changelog-9.21.3.rst b/doc/changelog/changelog-9.21.3.rst index 5fe9a562f2..bef80c9ede 100644 --- a/doc/changelog/changelog-9.21.3.rst +++ b/doc/changelog/changelog-9.21.3.rst 
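Review bot: in PATCH 1/9, the new-file hunk for doc/changelog/changelog-9.21.3.rst carries several unfinished or garbled entries that should be cleaned up before this lands. The `query-source` none-parameter entry ends with a dangling sentence after its issue reference, `:gl:`#4981` Turning-off upstream IPv6 queries while still listening to downstream queries on IPv6. :gl:`!9727``, which reads like a second issue title pasted in without its link; either drop it or attach the reference it belongs to. The OpenSSL shims entry says `The header was unused and including the header might cause build failure` without ever naming the header, and the dig entry says `Options of the form `[+-]option=` failed to display the value`, where the text after `=` is missing; both need the lost name restored from the source issue. The `Provide more visibility into configuration errors` entry begins mid-sentence (`by logging SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file errors individually.`); make it a full sentence. Spelling: `unavailabe` (key-management entry), `preivous` (next-primary entry), `contextes` (libcrypto entry); and `transport counter and is now for TCP/UDP over plain 53 only` should read `are`. The `Optimize memory layout of core structs` entry has both of its bullet lists run onto one line (`Reduce memory footprint by: - Reordering struct fields to minimize padding. - Using exact-sized atomic types ...` and `Affected structs: - dns_name_t - dns_slabheader_t ...`), which RST will render as prose, not lists; put each item on its own `-` line preceded by a blank line. The `{&dns}` entry has a stray closing quote in `dohpath=/some/path?key=value{&dns}"` and cites section 1.2 of rfc6570 twice in consecutive sentences.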
@@ -100,10 +100,10 @@ Removed Features time and it's not possible to configure RBTDB as the database backend in the configuration file. :gl:`#5027` :gl:`!9733` -- Remove namedconf port/tls deprecated check on *-source[-v6] options. +- Remove namedconf port/tls deprecated check on `*-source[-v6]` options. ``29f1d4bb6f`` - The usage of port and tls arguments in *-source and *-source-v6 named + The usage of port and tls arguments in `*-source` and `*-source-v6` named configuration options has been previously removed. Remove various configuration check deprecating usage of those arguments. :gl:`!9738` @@ -208,8 +208,10 @@ Feature Changes - Add two new clang-format options that help with code formatting. ``94b65f5eb0`` - * Add new clang-format option to remove redundant semicolons * Add new - clang-format option to remove redundant parentheses :gl:`!9749` + * Add new clang-format option to remove redundant semicolons + * Add new clang-format option to remove redundant parentheses + + :gl:`!9749` - Assume IPv6 is universally available (on the kernel level) ``b72a2300b9`` @@ -236,7 +238,7 @@ Feature Changes - Enforce type checking for dns_dbversion_t. ``4b47c96a89`` Originally, the dns_dbversion_t was typedef'ed to void type. This - allowed some flexibility, but using (void *) just removes any + allowed some flexibility, but using `(void *)` just removes any type-checking that C might have. Instead of using: typedef void dns_dbversion_t; @@ -408,7 +410,7 @@ Bug Fixes - Enforce type checking for dns_dbnode_t. ``4b47c4f628`` Originally, the dns_dbnode_t was typedef'ed to void type. This - allowed some flexibility, but using (void *) just removes any + allowed some flexibility, but using `(void *)` just removes any type-checking that C might have. Instead of using: typedef void dns_dbnode_t; From 912cd22a8d1ed3ed0b7392bb985a6d19ce5c1e4c Mon Sep 17 00:00:00 2001 
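Review bot: in PATCH 2/9, the @@ -208 hunk splits the clang-format bullets onto separate lines and moves `:gl:`!9749`` to its own paragraph, but the identical inline-bullet pattern in the `Optimize memory layout of core structs` entry (`Reduce memory footprint by: - Reordering struct fields ...` / `Affected structs: - dns_name_t - dns_slabheader_t ...`) is not touched by this patch and will hit the same Sphinx rendering problem; apply the same fix there. The @@ -100 hunk's change of `*-source[-v6]` to a literal is the right fix for the unbalanced emphasis marker; the `*.j2` occurrences in the jinja2 entry are already in literals, so nothing further is needed there. The two `(void *)` changes in @@ -236 and @@ -408 are fine.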
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Mon, 2 Dec 2024 15:29:59 +0100 Subject: [PATCH 3/9] Prepare release notes for BIND 9.21.3 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.21.3.rst | 211 +++++++++++++++++++++++++++++++++++++ 2 files changed, 212 insertions(+) create mode 100644 doc/notes/notes-9.21.3.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 99c22168f1..ac2806e5ec 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.3.rst .. include:: ../notes/notes-9.21.2.rst .. include:: ../notes/notes-9.21.1.rst .. include:: ../notes/notes-9.21.0.rst diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst new file mode 100644 index 0000000000..afec1abf25 --- /dev/null +++ b/doc/notes/notes-9.21.3.rst 
@@ -0,0 +1,211 @@ +Notes for BIND 9.21.3 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Add separate query counters for new protocols. + + Add query counters for DoT, DoH, unencrypted DoH and their proxied + counterparts. The new protocols do not update their respective TCP/UDP + transport counter and is now for TCP/UDP over plain 53 only. + :gl:`#598` + +- Implement RFC 9567: EDNS Report-Channel option. + + Add new `send-report-channel` and `log-report-channel` options. + `send-report-channel` specifies an agent domain, to which error + reports can be sent by querying a specially constructed name within + the agent domain. EDNS Report-Channel options will be added to + outgoing authoritative responses, to inform clients where to send such + queries in the event of a problem. + + If a zone is configured which matches the agent domain and has + `log-report-channel` set to `yes`, error-reporting queries will be + logged at level `info` to the `dns-reporting-agent` logging channel. + :gl:`#3659` + +- Add detailed debugging of update-policy rule matching. + + This logs how named determines if an update request is granted or + denied when using update-policy. :gl:`#4751` + +- Update bind.keys with the new 2025 IANA root key. + + Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, + which is scheduled for publication in January 2025. :gl:`#4896` + +- Enable runtime selection of FIPS mode in dig and delv. + + 'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime. + :gl:`#5046` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Move contributed DLZ modules into a separate repository. + + The DLZ modules are poorly maintained as we only ensure they can still + be compiled, the DLZ interface is blocking, so anything that blocks + the query to the database blocks the whole server and they should not + be used except in testing. The DLZ interface itself is going to be + scheduled for removal. 
+ + The DLZ modules now live in + https://gitlab.isc.org/isc-projects/dlz-modules repository. + :gl:`#4865` + +- Remove RBTDB implementation. + + Remove the RBTDB database implementation, and only leave the QPDB + based implementations of zone and cache databases. This means it's no + longer possible to choose the RBTDB to be default at the compilation + time and it's not possible to configure RBTDB as the database backend + in the configuration file. :gl:`#5027` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Dnssec-ksr now supports KSK rollovers. + + The tool 'dnssec-ksr' now allows for KSK generation, as well as + planned KSK rollovers. When signing a bundle from a Key Signing + Request (KSR), only the key that is active in that time frame is being + used for signing. Also, the CDS and CDNSKEY records are now added and + removed at the correct time. :gl:`#4697` :gl:`#4705` + +- Add none parameter to query-source and query-source-v6 to disable IPv4 + or IPv6 upstream queries. + + Add a none parameter to named configuration option `query-source` + (respectively `query-source-v6`) which forbid usage of IPv4 + (respectively IPv6) addresses when named is doing an upstream query. + :gl:`#4981` Turning-off upstream IPv6 queries while still listening to + downstream queries on IPv6. + +- Print expire option in transfer summary. + + The zone transfer summary will now print the expire option value in + the zone transfer summary. :gl:`#5013` + +- Add missing EDNS option mnemonics. + + The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent + using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), + and `dig +ednsopt=zoneversion`. + + Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and + `CHAIN`, are now displayed correctly in text and YAML formats. Also, + an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now + spelled with a hyphen in both text and YAML formats; previously, text + format used a space. 
+ +- Add new logging module for logging crypto errors in libisc. + + Add a new 'crypto' log module that will be used for a low-level + cryptographic operations. The DNS related cryptography logs are still + logged in the 'dns/crypto' module. + +- Emit more helpful log for exceeding max-records-per-type. + + The new log message is emitted when adding or updating an RRset fails + due to exceeding the max-records-per-type limit. The log includes the + owner name and type, corresponding zone name, and the limit value. It + will be emitted on loading a zone file, inbound zone transfer (both + AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's + especially helpful in the case of zone transfer, since the secondary + side doesn't have direct access to the offending zone data. + + It could also be used for max-types-per-name, but this change doesn't + implement it yet as it's much less likely to happen in practice. + +- Harden key management when key files have become unavailabe. + + Prior to doing key management, BIND 9 will check if the key files on + disk match the expected keys. If key files for previously observed + keys have become unavailable, this will prevent the internal key + manager from running. + +Bug Fixes +~~~~~~~~~ + +- Use TLS for notifies if configured to do so. + + Notifies configured to use TLS will now be sent over TLS, instead of + plaintext UDP or TCP. Also, failing to load the TLS configuration for + notify now also results in an error. :gl:`#4821` + +- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. + + `dig` fails to parse a valid (as far as I can tell, and accepted by + `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template + containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If + the URI template contains a `{?dns}` instead `dig` is happy, but my + understanding of rfc9461 and section 1.2. "Levels and Expression + Types" of rfc6570 is that `{&dns}` is valid. See for example section + 1.2. 
"Levels and Expression Types" of rfc6570. + + Note that Peter van Dijk suggested that `{dns}` and + `{dns,someothervar}` might be valid forms as well, so my patch might + be too restrictive, although it's anyone's guess how DoH clients would + handle complex templates. :gl:`#4922` + +- Fix NSEC3 closest encloser lookup for names with empty non-terminals. + + The performance improvement for finding the NSEC3 closest encloser + when generating authoritative responses could cause servers to return + incorrect NSEC3 records in some cases. This has been fixed. + :gl:`#4950` + +- Report client transport in 'rndc recursing' + + When `rndc recursing` is used to dump the list of recursing clients, + it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP. + :gl:`#4971` + +- 'Recursive-clients 0;' triggers an assertion. + + BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed. + :gl:`#4987` + +- Parsing of hostnames in rndc.conf was broken. + + When DSCP support was removed, parsing of hostnames in rndc.conf was + accidentally broken, resulting in an assertion failure. This has been + fixed. :gl:`#4991` + +- Restore values when dig prints command line. + + Options of the form `[+-]option=` failed to display the value + on the printed command line. This has been fixed. :gl:`#4993` + +- Provide more visibility into configuration errors. + + by logging SSL_CTX_use_certificate_chain_file and + SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` + +- Fix race condition when canceling ADB find. + + When canceling the ADB find, the lock on the find gets released for a + brief period of time to be locked again inside adbname lock. During + the brief period that the ADB find is unlocked, it can get canceled by + other means removing it from the adbname list which in turn causes + assertion failure due to a double removal from the adbname list. This + has been fixed. :gl:`#5024` + +- Improve the memory cleaning in the SERVFAIL cache. 
+ + The SERVFAIL cache doesn't have a memory bound and the cleaning of the + old SERVFAIL cache entries was implemented only in opportunistic + manner. Improve the memory cleaning of the SERVFAIL cache to be more + aggressive, so it doesn't consume a lot of memory in the case the + server encounters many SERVFAILs at once. :gl:`#5025` + +- Fix trying the next primary server when the preivous one was marked as + unreachable. + + In some cases (there is evidence only when XoT was used) `named` + failed to try the next primary server in the list when the previous + one was marked as unreachable. This has been fixed. :gl:`#5038` + + From 50ae3a3d4cd09d7fab058b26b60c27accd8d7c16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Mon, 2 Dec 2024 15:34:07 +0100 Subject: [PATCH 4/9] Automatically add hyperlinks to release notes for BIND 9.21.3 --- doc/notes/notes-9.21.3.rst | 104 ++++++++++++++++++------------------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst index afec1abf25..8225bb0c2f 100644 --- a/doc/notes/notes-9.21.3.rst +++ b/doc/notes/notes-9.21.3.rst 
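Review bot: in PATCH 3/9, the new-file hunk for doc/notes/notes-9.21.3.rst copies changelog text verbatim into user-facing release notes, including the contributor's first-person voice in the SVCB `dohpath` entry: `(as far as I can tell, and accepted by `kdig` and `Wireshark`)`, `my understanding of rfc9461`, `so my patch might be too restrictive`, and `Note that Peter van Dijk suggested that `{dns}` and `{dns,someothervar}` might be valid forms as well`. Rewrite that entry in neutral third person stating the user-visible outcome (`dig` now accepts a `{&dns}` variable expression in a SVCB `dohpath`), and drop the speculation about other template forms, which belongs in the issue rather than the notes. The same carried-over defects from the changelog remain here and should be fixed in both files: the body of `Provide more visibility into configuration errors` starts mid-sentence with `by logging ...`; `Options of the form `[+-]option=`` is missing the text after `=`; the `query-source` entry has the dangling `:gl:`#4981` Turning-off upstream IPv6 queries ...` sentence; and the spellings `unavailabe` and `preivous`.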
@@ -7,37 +7,37 @@ New Features - Add separate query counters for new protocols. Add query counters for DoT, DoH, unencrypted DoH and their proxied - counterparts. The new protocols do not update their respective TCP/UDP + counterparts. The new :namedconf:`protocols` do not update their respective TCP/UDP transport counter and is now for TCP/UDP over plain 53 only. :gl:`#598` - Implement RFC 9567: EDNS Report-Channel option. - Add new `send-report-channel` and `log-report-channel` options. - `send-report-channel` specifies an agent domain, to which error + Add new :namedconf:`send-report-channel` and :namedconf:`log-report-channel` options. + :namedconf:`send-report-channel` specifies an agent domain, to which error reports can be sent by querying a specially constructed name within - the agent domain. EDNS Report-Channel options will be added to - outgoing authoritative responses, to inform clients where to send such + the agent domain. EDNS Report-Channel :FIXME-rndcconf-namedconf:`options` will be added to + outgoing authoritative responses, to inform :namedconf:`clients` where to send such queries in the event of a problem. - If a zone is configured which matches the agent domain and has - `log-report-channel` set to `yes`, error-reporting queries will be - logged at level `info` to the `dns-reporting-agent` logging channel. + If a :namedconf:`zone` is configured which matches the agent domain and has + :namedconf:`log-report-channel` set to `yes`, error-reporting queries will be + logged at level `info` to the `dns-reporting-agent` :namedconf:`logging` channel. :gl:`#3659` -- Add detailed debugging of update-policy rule matching. +- Add detailed debugging of :namedconf:`update-policy` rule matching. - This logs how named determines if an update request is granted or + This logs how :iscman:`named` determines if an update request is granted or denied when using update-policy. :gl:`#4751` - Update bind.keys with the new 2025 IANA root key. 
- Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, + Add an 'initial-ds' entry to bind.keys for the new root :FIXME-rndcconf-namedconf:`key`, ID 38696, which is scheduled for publication in January 2025. :gl:`#4896` -- Enable runtime selection of FIPS mode in dig and delv. +- Enable runtime selection of FIPS mode in :iscman:`dig` and delv. - 'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime. + ':iscman:`dig` -F' and ':iscman:`delv` -F' can now be used to select FIPS mode at runtime. :gl:`#5046` Removed Features @@ -47,7 +47,7 @@ Removed Features The DLZ modules are poorly maintained as we only ensure they can still be compiled, the DLZ interface is blocking, so anything that blocks - the query to the database blocks the whole server and they should not + the query to the :namedconf:`database` blocks the whole :FIXME-rndcconf-namedconf:`server` and they should not be used except in testing. The DLZ interface itself is going to be scheduled for removal. @@ -57,10 +57,10 @@ Removed Features - Remove RBTDB implementation. - Remove the RBTDB database implementation, and only leave the QPDB - based implementations of zone and cache databases. This means it's no + Remove the RBTDB :namedconf:`database` implementation, and only leave the QPDB + based implementations of :namedconf:`zone` and cache databases. This means it's no longer possible to choose the RBTDB to be default at the compilation - time and it's not possible to configure RBTDB as the database backend + time and it's not possible to configure RBTDB as the :namedconf:`database` backend in the configuration file. :gl:`#5027` Feature Changes 
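Review bot: The automatic hyperlinking in this hunk (PATCH 4/9, the New Features section) over-links ordinary English words and leaves unresolved placeholder roles that will not render: `:namedconf:`protocols``, `:namedconf:`clients``, `:namedconf:`zone``, `:namedconf:`database`` and `:FIXME-rndcconf-namedconf:`options``, `:FIXME-rndcconf-namedconf:`server``, `:FIXME-rndcconf-namedconf:`key`` all appear where the text means the plain word, not a named.conf statement. Only the real option names (`send-report-channel`, `log-report-channel`, `update-policy`) should carry a `:namedconf:` role, and the `FIXME` placeholders need a decision (which manual, or no link) before this can be merged; PATCH 5/9 below removes them, so this intermediate state should at least not be tagged on its own.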
@@ -68,29 +68,29 @@ Feature Changes - Dnssec-ksr now supports KSK rollovers. - The tool 'dnssec-ksr' now allows for KSK generation, as well as + The tool ':iscman:`dnssec-ksr`' now allows for KSK generation, as well as planned KSK rollovers. When signing a bundle from a Key Signing - Request (KSR), only the key that is active in that time frame is being + Request (KSR), only the :FIXME-rndcconf-namedconf:`key` that is active in that time frame is being used for signing. Also, the CDS and CDNSKEY records are now added and removed at the correct time. :gl:`#4697` :gl:`#4705` -- Add none parameter to query-source and query-source-v6 to disable IPv4 +- Add none parameter to :namedconf:`query-source` and :namedconf:`query-source-v6` to disable IPv4 or IPv6 upstream queries. - Add a none parameter to named configuration option `query-source` - (respectively `query-source-v6`) which forbid usage of IPv4 - (respectively IPv6) addresses when named is doing an upstream query. + Add a none parameter to :iscman:`named` configuration option :namedconf:`query-source` + (respectively :namedconf:`query-source-v6`) which forbid usage of IPv4 + (respectively IPv6) :rndcconf:`addresses` when :iscman:`named` is doing an upstream query. :gl:`#4981` Turning-off upstream IPv6 queries while still listening to downstream queries on IPv6. - Print expire option in transfer summary. - The zone transfer summary will now print the expire option value in - the zone transfer summary. :gl:`#5013` + The :namedconf:`zone` transfer summary will now print the expire option value in + the :namedconf:`zone` transfer summary. :gl:`#5013` - Add missing EDNS option mnemonics. - The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent + The `Report-Channel` and `ZONEVERSION` EDNS :FIXME-rndcconf-namedconf:`options` can now be sent using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), and `dig +ednsopt=zoneversion`. 
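Review bot: In the `query-source`/`query-source-v6` entry the plain word "addresses" has been turned into `:rndcconf:`addresses``, which points at the rndc.conf reference even though the sentence is about IPv4/IPv6 source addresses used by named, not an rndc.conf statement; drop that role. The same over-linking applies to `:namedconf:`zone`` in "The :namedconf:`zone` transfer summary" and to `:FIXME-rndcconf-namedconf:`key`` in the dnssec-ksr paragraph.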
@@ -100,7 +100,7 @@ Feature Changes spelled with a hyphen in both text and YAML formats; previously, text format used a space. -- Add new logging module for logging crypto errors in libisc. +- Add new :namedconf:`logging` module for :namedconf:`logging` crypto errors in libisc. Add a new 'crypto' log module that will be used for a low-level cryptographic operations. The DNS related cryptography logs are still 
@@ -109,21 +109,21 @@ Feature Changes - Emit more helpful log for exceeding max-records-per-type. The new log message is emitted when adding or updating an RRset fails - due to exceeding the max-records-per-type limit. The log includes the - owner name and type, corresponding zone name, and the limit value. It - will be emitted on loading a zone file, inbound zone transfer (both + due to exceeding the :namedconf:`max-records-per-type` limit. The log includes the + owner name and :namedconf:`type`, corresponding :namedconf:`zone` name, and the limit value. It + will be emitted on loading a :namedconf:`zone` :namedconf:`file`, inbound :namedconf:`zone` transfer (both AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's - especially helpful in the case of zone transfer, since the secondary - side doesn't have direct access to the offending zone data. + especially helpful in the case of :namedconf:`zone` transfer, since the secondary + side doesn't have direct access to the offending :namedconf:`zone` data. - It could also be used for max-types-per-name, but this change doesn't + It could also be used for :namedconf:`max-types-per-name`, but this change doesn't implement it yet as it's much less likely to happen in practice. -- Harden key management when key files have become unavailabe. +- Harden :FIXME-rndcconf-namedconf:`key` management when :FIXME-rndcconf-namedconf:`key` files have become unavailabe. - Prior to doing key management, BIND 9 will check if the key files on - disk match the expected keys. If key files for previously observed - keys have become unavailable, this will prevent the internal key + Prior to doing :FIXME-rndcconf-namedconf:`key` management, BIND 9 will check if the :FIXME-rndcconf-namedconf:`key` files on + disk match the expected keys. 
If :FIXME-rndcconf-namedconf:`key` files for previously observed + :namedconf:`keys` have become unavailable, this will prevent the internal :FIXME-rndcconf-namedconf:`key` manager from running. Bug Fixes @@ -133,21 +133,21 @@ Bug Fixes Notifies configured to use TLS will now be sent over TLS, instead of plaintext UDP or TCP. Also, failing to load the TLS configuration for - notify now also results in an error. :gl:`#4821` + :namedconf:`notify` now also results in an error. :gl:`#4821` - '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. - `dig` fails to parse a valid (as far as I can tell, and accepted by + :iscman:`dig` fails to parse a valid (as far as I can tell, and accepted by `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template - containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If - the URI template contains a `{?dns}` instead `dig` is happy, but my + containing a `{&dns}`, like `dohpath=/some/path?:FIXME-rndcconf-namedconf:`key`=value{&dns}"`. If + the URI template contains a `{?dns}` instead :iscman:`dig` is happy, but my understanding of rfc9461 and section 1.2. "Levels and Expression Types" of rfc6570 is that `{&dns}` is valid. See for example section 1.2. "Levels and Expression Types" of rfc6570. Note that Peter van Dijk suggested that `{dns}` and `{dns,someothervar}` might be valid forms as well, so my patch might - be too restrictive, although it's anyone's guess how DoH clients would + be too restrictive, although it's anyone's guess how DoH :namedconf:`clients` would handle complex templates. :gl:`#4922` - Fix NSEC3 closest encloser lookup for names with empty non-terminals. 
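Review bot: The rewrite of the `{&dns}` bug-fix entry inserts a role inside an inline literal: `dohpath=/some/path?:FIXME-rndcconf-namedconf:`key`=value{&dns}"`. The nested backticks split the literal, so the example no longer renders as the URI template the sentence is describing; roles must not be substituted inside backtick-quoted text. The same hunk also links `:namedconf:`key``/`:namedconf:`keys`` in the key-management entry and `:namedconf:`clients`` in "DoH clients", none of which refer to configuration statements.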
@@ -157,9 +157,9 @@ Bug Fixes incorrect NSEC3 records in some cases. This has been fixed. :gl:`#4950` -- Report client transport in 'rndc recursing' +- Report client transport in ':iscman:`rndc` recursing' - When `rndc recursing` is used to dump the list of recursing clients, + When `rndc recursing` is used to dump the list of recursing :namedconf:`clients`, it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP. :gl:`#4971` @@ -168,20 +168,20 @@ Bug Fixes BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed. :gl:`#4987` -- Parsing of hostnames in rndc.conf was broken. +- Parsing of hostnames in :iscman:`rndc.conf` was broken. - When DSCP support was removed, parsing of hostnames in rndc.conf was + When DSCP support was removed, parsing of hostnames in :iscman:`rndc.conf` was accidentally broken, resulting in an assertion failure. This has been fixed. :gl:`#4991` -- Restore values when dig prints command line. +- Restore values when :iscman:`dig` prints command line. Options of the form `[+-]option=` failed to display the value on the printed command line. This has been fixed. :gl:`#4993` - Provide more visibility into configuration errors. - by logging SSL_CTX_use_certificate_chain_file and + by :namedconf:`logging` SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` - Fix race condition when canceling ADB find. 
@@ -199,13 +199,13 @@ Bug Fixes old SERVFAIL cache entries was implemented only in opportunistic manner. Improve the memory cleaning of the SERVFAIL cache to be more aggressive, so it doesn't consume a lot of memory in the case the - server encounters many SERVFAILs at once. :gl:`#5025` + :FIXME-rndcconf-namedconf:`server` encounters many SERVFAILs at once. :gl:`#5025` -- Fix trying the next primary server when the preivous one was marked as +- Fix trying the next primary :FIXME-rndcconf-namedconf:`server` when the preivous one was marked as unreachable. - In some cases (there is evidence only when XoT was used) `named` - failed to try the next primary server in the list when the previous + In some cases (there is evidence only when XoT was used) :iscman:`named` + failed to try the next primary :FIXME-rndcconf-namedconf:`server` in the list when the previous one was marked as unreachable. This has been fixed. :gl:`#5038` From 5ebcfca335ec56262057ea5eb20d81da6e387c88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Mon, 2 Dec 2024 16:24:43 +0100 Subject: [PATCH 5/9] Tweak and reword release notes --- doc/notes/notes-9.21.3.rst | 195 ++++++++++++++++--------------------- 1 file changed, 83 insertions(+), 112 deletions(-) diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst index 8225bb0c2f..53d21561e9 100644 --- a/doc/notes/notes-9.21.3.rst +++ b/doc/notes/notes-9.21.3.rst 
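Review bot: In the last hunk of PATCH 4/9 the `+` line keeps the misspelling "preivous" from the removed line ("when the preivous one was marked as unreachable"); since the line is being rewritten anyway, fix it here rather than leaving it for a later commit. The `:FIXME-rndcconf-namedconf:`server`` role on the plain word "server" in both the SERVFAIL and primary-server entries should also be dropped, as it is not a named.conf or rndc.conf statement.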
@@ -7,49 +7,50 @@ New Features - Add separate query counters for new protocols. Add query counters for DoT, DoH, unencrypted DoH and their proxied - counterparts. The new :namedconf:`protocols` do not update their respective TCP/UDP - transport counter and is now for TCP/UDP over plain 53 only. - :gl:`#598` + counterparts. The new protocols do not update their respective TCP/UDP + transport counter. The previously existing counters are now dedicated + for TCP/UDP over plain port 53 only. :gl:`#598` -- Implement RFC 9567: EDNS Report-Channel option. +- Implement :rfc:`9567`: EDNS Report-Channel option. - Add new :namedconf:`send-report-channel` and :namedconf:`log-report-channel` options. - :namedconf:`send-report-channel` specifies an agent domain, to which error + Add new :namedconf:ref:`send-report-channel` and :namedconf:ref:`log-report-channel` options. + + :namedconf:ref:`send-report-channel` specifies an *agent domain*, to which error reports can be sent by querying a specially constructed name within - the agent domain. EDNS Report-Channel :FIXME-rndcconf-namedconf:`options` will be added to - outgoing authoritative responses, to inform :namedconf:`clients` where to send such - queries in the event of a problem. + the agent domain. The EDNS Report-Channel option has been added to + outgoing authoritative responses, to inform clients where to send such + error reports in the event of a problem. - If a :namedconf:`zone` is configured which matches the agent domain and has - :namedconf:`log-report-channel` set to `yes`, error-reporting queries will be - logged at level `info` to the `dns-reporting-agent` :namedconf:`logging` channel. + If a :namedconf:ref:`zone` is configured which matches the *agent domain* and has + :namedconf:ref:`log-report-channel` set to `yes`, error-reporting queries will be + logged at level `info` to the `dns-reporting-agent` logging :namedconf:ref:`channel`. 
:gl:`#3659` -- Add detailed debugging of :namedconf:`update-policy` rule matching. +- Add detailed debugging of :namedconf:ref:`update-policy` rule matching. - This logs how :iscman:`named` determines if an update request is granted or + This logs how :iscman:`named` determines whether an update request is granted or denied when using update-policy. :gl:`#4751` -- Update bind.keys with the new 2025 IANA root key. +- Update built-in :file:`bind.keys` file with the new 2025 `IANA root key + `_. - Add an 'initial-ds' entry to bind.keys for the new root :FIXME-rndcconf-namedconf:`key`, ID 38696, - which is scheduled for publication in January 2025. :gl:`#4896` + Add an `initial-ds` entry to :file:`bind.keys` for the new root key, ID + 38696, which is scheduled for publication in January 2025. :gl:`#4896` - Enable runtime selection of FIPS mode in :iscman:`dig` and delv. - ':iscman:`dig` -F' and ':iscman:`delv` -F' can now be used to select FIPS mode at runtime. - :gl:`#5046` + :option:`dig -F` and :option:`delv -F` can now be used to select FIPS mode at + runtime. :gl:`#5046` Removed Features ~~~~~~~~~~~~~~~~ -- Move contributed DLZ modules into a separate repository. +- Move contributed DLZ modules into a separate repository. DLZ modules should + not be used except in testing. - The DLZ modules are poorly maintained as we only ensure they can still - be compiled, the DLZ interface is blocking, so anything that blocks - the query to the :namedconf:`database` blocks the whole :FIXME-rndcconf-namedconf:`server` and they should not - be used except in testing. The DLZ interface itself is going to be - scheduled for removal. + The DLZ modules were not maintained, the DLZ interface itself is going to be + scheduled for removal, and the DLZ interface is blocking. Any module that + blocks the query to the :namedconf:ref:`database` blocks the whole server. The DLZ modules now live in https://gitlab.isc.org/isc-projects/dlz-modules repository. 
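Review bot: The new external link in the bind.keys entry, "`IANA root key `_", shows no target URL in the hunk as displayed; an RST named hyperlink needs the `<https://...>` target inside the backticks or a matching `.. _IANA root key:` target elsewhere in the file, otherwise Sphinx will report an unknown target. Please confirm the URL is actually present in the committed text.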
@@ -57,73 +58,66 @@ Removed Features - Remove RBTDB implementation. - Remove the RBTDB :namedconf:`database` implementation, and only leave the QPDB - based implementations of :namedconf:`zone` and cache databases. This means it's no - longer possible to choose the RBTDB to be default at the compilation - time and it's not possible to configure RBTDB as the :namedconf:`database` backend + Remove the RBTDB :namedconf:ref:`database` implementation, and only leave the + QPDB-based implementations of :namedconf:ref:`zone` and cache databases. This means it is no + longer possible to choose RBTDB as the default database at compilation + time, nor to configure RBTDB as the :namedconf:ref:`database` backend in the configuration file. :gl:`#5027` Feature Changes ~~~~~~~~~~~~~~~ -- Dnssec-ksr now supports KSK rollovers. +- :iscman:`dnssec-ksr` now supports KSK rollovers. - The tool ':iscman:`dnssec-ksr`' now allows for KSK generation, as well as - planned KSK rollovers. When signing a bundle from a Key Signing - Request (KSR), only the :FIXME-rndcconf-namedconf:`key` that is active in that time frame is being + The tool now allows for KSK generation, as well as planned KSK rollovers. + When signing a bundle from a Key Signing Request (KSR), only the + key that is active in that time frame is used for signing. Also, the CDS and CDNSKEY records are now added and removed at the correct time. :gl:`#4697` :gl:`#4705` -- Add none parameter to :namedconf:`query-source` and :namedconf:`query-source-v6` to disable IPv4 - or IPv6 upstream queries. +- Add `none` parameter to :namedconf:ref:`query-source` and + :namedconf:ref:`query-source-v6` to disable IPv4 or IPv6 upstream queries but + allow listening to queries from clients on IPv4 or IPv6. 
- Add a none parameter to :iscman:`named` configuration option :namedconf:`query-source` - (respectively :namedconf:`query-source-v6`) which forbid usage of IPv4 - (respectively IPv6) :rndcconf:`addresses` when :iscman:`named` is doing an upstream query. - :gl:`#4981` Turning-off upstream IPv6 queries while still listening to - downstream queries on IPv6. +- Print :rfc:`7314`: EXPIRE option in transfer summary. :gl:`#5013` -- Print expire option in transfer summary. +- Add missing EDNS option mnemonics to :iscman:`dig`. - The :namedconf:`zone` transfer summary will now print the expire option value in - the :namedconf:`zone` transfer summary. :gl:`#5013` - -- Add missing EDNS option mnemonics. - - The `Report-Channel` and `ZONEVERSION` EDNS :FIXME-rndcconf-namedconf:`options` can now be sent + The `Report-Channel` and `ZONEVERSION` options can now be sent using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), and `dig +ednsopt=zoneversion`. Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and - `CHAIN`, are now displayed correctly in text and YAML formats. Also, - an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now + `CHAIN`, are now displayed correctly in text and YAML formats. + + Also, an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now spelled with a hyphen in both text and YAML formats; previously, text format used a space. -- Add new :namedconf:`logging` module for :namedconf:`logging` crypto errors in libisc. +- Add new :namedconf:ref:`logging` module for crypto errors in libisc. - Add a new 'crypto' log module that will be used for a low-level - cryptographic operations. The DNS related cryptography logs are still + Add a new `crypto` log module to be used for low-level + cryptographic operations. The DNS-related cryptography logs are still logged in the 'dns/crypto' module. -- Emit more helpful log for exceeding max-records-per-type. 
+- Emit more helpful log messages for exceeding :namedconf:ref:`max-records-per-type`. The new log message is emitted when adding or updating an RRset fails - due to exceeding the :namedconf:`max-records-per-type` limit. The log includes the - owner name and :namedconf:`type`, corresponding :namedconf:`zone` name, and the limit value. It - will be emitted on loading a :namedconf:`zone` :namedconf:`file`, inbound :namedconf:`zone` transfer (both + due to exceeding the :namedconf:ref:`max-records-per-type` limit. The log includes the + owner name and type, corresponding zone name, and the limit value. It + will be emitted on loading a zone file, inbound zone transfer (both AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's - especially helpful in the case of :namedconf:`zone` transfer, since the secondary - side doesn't have direct access to the offending :namedconf:`zone` data. + especially helpful in the case of zone transfer, since the secondary + side doesn't have direct access to the offending zone data. - It could also be used for :namedconf:`max-types-per-name`, but this change doesn't + It could also be used for :namedconf:ref:`max-types-per-name`, but this change doesn't implement it yet as it's much less likely to happen in practice. -- Harden :FIXME-rndcconf-namedconf:`key` management when :FIXME-rndcconf-namedconf:`key` files have become unavailabe. +- Harden key management when key files have become unavailable. - Prior to doing :FIXME-rndcconf-namedconf:`key` management, BIND 9 will check if the :FIXME-rndcconf-namedconf:`key` files on - disk match the expected keys. If :FIXME-rndcconf-namedconf:`key` files for previously observed - :namedconf:`keys` have become unavailable, this will prevent the internal :FIXME-rndcconf-namedconf:`key` + Prior to doing key management, BIND 9 will check if the key files on + disk match the expected keys. 
If key files for previously observed + keys have become unavailable, this will prevent the internal key manager from running. Bug Fixes 
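Review bot: The rewritten `none` parameter entry for `query-source`/`query-source-v6` loses its issue reference: the removed paragraph carried `:gl:`#4981``, but the new three-line title does not, so this is the only item in the release notes without a GitLab link. Append `:gl:`#4981`` to the new entry. Folding the explanatory paragraph into the title is otherwise fine, as is the shortened RFC 7314 EXPIRE entry, which does keep `:gl:`#5013``.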
@@ -132,38 +126,30 @@ Bug Fixes - Use TLS for notifies if configured to do so. Notifies configured to use TLS will now be sent over TLS, instead of - plaintext UDP or TCP. Also, failing to load the TLS configuration for - :namedconf:`notify` now also results in an error. :gl:`#4821` + plain text UDP or TCP. Also, failing to load the TLS configuration for + :namedconf:ref:`notify` now results in an error. :gl:`#4821` -- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. +- `{&dns}` is as valid as `{?dns}` in a SVCB's dohpath. - :iscman:`dig` fails to parse a valid (as far as I can tell, and accepted by - `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template - containing a `{&dns}`, like `dohpath=/some/path?:FIXME-rndcconf-namedconf:`key`=value{&dns}"`. If - the URI template contains a `{?dns}` instead :iscman:`dig` is happy, but my - understanding of rfc9461 and section 1.2. "Levels and Expression - Types" of rfc6570 is that `{&dns}` is valid. See for example section - 1.2. "Levels and Expression Types" of rfc6570. - - Note that Peter van Dijk suggested that `{dns}` and - `{dns,someothervar}` might be valid forms as well, so my patch might - be too restrictive, although it's anyone's guess how DoH :namedconf:`clients` would - handle complex templates. :gl:`#4922` + :iscman:`dig` failed to parse a valid `SVCB` record with a `dohpath` URI + template containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. + :gl:`#4922` - Fix NSEC3 closest encloser lookup for names with empty non-terminals. - The performance improvement for finding the NSEC3 closest encloser + A previous performance optimization for finding the NSEC3 closest encloser when generating authoritative responses could cause servers to return incorrect NSEC3 records in some cases. This has been fixed. 
:gl:`#4950` -- Report client transport in ':iscman:`rndc` recursing' +- Report client transport in :option:`rndc recursing` output - When `rndc recursing` is used to dump the list of recursing :namedconf:`clients`, - it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP. + When :option:`rndc recursing` is used to dump the list of recursing + clients, it now indicates whether a query was sent via UDP, TCP, + TLS, or HTTP. :gl:`#4971` -- 'Recursive-clients 0;' triggers an assertion. +- :namedconf:ref:`recursive-clients` statement with value 0 triggered an assertion failure. BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed. :gl:`#4987` 
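Review bot: The shortened `{&dns}` entry still ends its example literal with a stray double quote, `dohpath=/some/path?key=value{&dns}"`, which was already unbalanced in the original submission; since the sentence is being rewritten, drop the trailing `"` so the example reads as a valid `dohpath` value. Minor: "in a SVCB's dohpath" should be "an SVCB's".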
@@ -174,38 +160,23 @@ Bug Fixes accidentally broken, resulting in an assertion failure. This has been fixed. :gl:`#4991` -- Restore values when :iscman:`dig` prints command line. +- :iscman:`dig` options of the form `[+-]option=` failed to display the + value on the printed command line. This has been fixed. :gl:`#4993` - Options of the form `[+-]option=` failed to display the value - on the printed command line. This has been fixed. :gl:`#4993` +- Provide more visibility into TLS configuration errors by logging + `SSL_CTX_use_certificate_chain_file()` and `SSL_CTX_use_PrivateKey_file()` + errors individually. :gl:`#5008` -- Provide more visibility into configuration errors. +- Fix a race condition when canceling ADB find which could cause an assertion + failure. :gl:`#5024` - by :namedconf:`logging` SSL_CTX_use_certificate_chain_file and - SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` +- SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a + lot of memory if the server encounters many SERVFAILs at once. + :gl:`#5025` -- Fix race condition when canceling ADB find. - - When canceling the ADB find, the lock on the find gets released for a - brief period of time to be locked again inside adbname lock. During - the brief period that the ADB find is unlocked, it can get canceled by - other means removing it from the adbname list which in turn causes - assertion failure due to a double removal from the adbname list. This - has been fixed. :gl:`#5024` - -- Improve the memory cleaning in the SERVFAIL cache. - - The SERVFAIL cache doesn't have a memory bound and the cleaning of the - old SERVFAIL cache entries was implemented only in opportunistic - manner. Improve the memory cleaning of the SERVFAIL cache to be more - aggressive, so it doesn't consume a lot of memory in the case the - :FIXME-rndcconf-namedconf:`server` encounters many SERVFAILs at once. 
:gl:`#5025` - -- Fix trying the next primary :FIXME-rndcconf-namedconf:`server` when the preivous one was marked as +- Fix trying the next primary XoT server when the previous one was marked as unreachable. - In some cases (there is evidence only when XoT was used) :iscman:`named` - failed to try the next primary :FIXME-rndcconf-namedconf:`server` in the list when the previous - one was marked as unreachable. This has been fixed. :gl:`#5038` - - + In some cases :iscman:`named` failed to try the next primary + server in the :namedconf:ref:`primaries` list when the previous one was marked as + unreachable. This has been fixed. :gl:`#5038` From 3821a037bb6287665ae1a19c87a6495b30e31f9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 10:19:17 +0100 Subject: [PATCH 6/9] Add release note for GL #4986 --- doc/notes/notes-9.21.3.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst index 53d21561e9..d9e3d843e4 100644 --- a/doc/notes/notes-9.21.3.rst +++ b/doc/notes/notes-9.21.3.rst @@ -170,6 +170,8 @@ Bug Fixes - Fix a race condition when canceling ADB find which could cause an assertion failure. :gl:`#5024` +- Fix doubled memory usage during incoming zone transfer. :gl:`#4986` + - SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a lot of memory if the server encounters many SERVFAILs at once. :gl:`#5025` From 10b662811e60ed9b70078ef5360bf9a4178c6238 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 10:36:58 +0100 Subject: [PATCH 7/9] Add release note for GL #5022 --- doc/notes/notes-9.21.3.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst index d9e3d843e4..bb0fb99a9a 100644 --- a/doc/notes/notes-9.21.3.rst +++ b/doc/notes/notes-9.21.3.rst 
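Review bot: In the last hunk of PATCH 5/9 the title now says "next primary XoT server", but the rewritten body ("In some cases named failed to try the next primary server in the primaries list") no longer mentions XoT at all, and the original text only said there was evidence when XoT was used; either keep the XoT qualifier in the body or keep the title generic, so the two agree about whether this is an XoT-only bug. The newly added entry for the ADB find race correctly carries `:gl:`#5024``, and the `SSL_CTX_use_certificate_chain_file()` / `SSL_CTX_use_PrivateKey_file()` names now read as function calls, which is clearer than the bare identifiers they replace.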
@@ -120,6 +120,9 @@ Feature Changes keys have become unavailable, this will prevent the internal key manager from running. +- Reduce memory footprint by optimizing commonly-used data structures. + :gl:`#5022` + Bug Fixes ~~~~~~~~~ From 766c1a13c22a3ddd120941618ce4b8d15dc62d50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 3 Dec 2024 10:43:02 +0100 Subject: [PATCH 8/9] Add missing copyright header to Release Notes --- doc/notes/notes-9.21.3.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst index bb0fb99a9a..bf21b872dc 100644 --- a/doc/notes/notes-9.21.3.rst +++ b/doc/notes/notes-9.21.3.rst @@ -1,3 +1,14 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + Notes for BIND 9.21.3 --------------------- From 8306005ef139bf3f8cb12ac99b46dd732e55dc42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Mon, 2 Dec 2024 17:57:42 +0100 Subject: [PATCH 9/9] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 5602899ff6..50912b4d0d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 21)dnl m4_define([bind_VERSION_PATCH], 3)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl