mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00
Code Issues Releases Wiki Activity

Merge tag 'v9.21.3'

Browse Source
This commit is contained in:
Andoni Duarte Pintado 2024-12-13 10:53:33 +01:00
commit 3fa50a98a2
4 changed files with 634 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
doc/arm/changelog.rst
View File

@ -18,6 +18,7 @@ Changelog
development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
.. include:: ../changelog/changelog-9.21.3.rst
.. include:: ../changelog/changelog-9.21.2.rst
.. include:: ../changelog/changelog-9.21.1.rst
.. include:: ../changelog/changelog-9.21.0.rst

1
doc/arm/notes.rst
View File

@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be
found at
https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
.. include:: ../notes/notes-9.21.3.rst
.. include:: ../notes/notes-9.21.2.rst
.. include:: ../notes/notes-9.21.1.rst
.. include:: ../notes/notes-9.21.0.rst

434
doc/changelog/changelog-9.21.3.rst Normal file
View File

@ -0,0 +1,434 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
BIND 9.21.3
-----------
New Features
~~~~~~~~~~~~
- Add separate query counters for new protocols. ``419aa3264e``
Add query counters for DoT, DoH, unencrypted DoH and their proxied
counterparts. The new protocols do not update their respective TCP/UDP
transport counter and is now for TCP/UDP over plain 53 only.
:gl:`#598` :gl:`!9585`
- Implement RFC 9567: EDNS Report-Channel option. ``e1588022c1``
Add new `send-report-channel` and `log-report-channel` options.
`send-report-channel` specifies an agent domain, to which error
reports can be sent by querying a specially constructed name within
the agent domain. EDNS Report-Channel options will be added to
outgoing authoritative responses, to inform clients where to send such
queries in the event of a problem.
If a zone is configured which matches the agent domain and has
`log-report-channel` set to `yes`, error-reporting queries will be
logged at level `info` to the `dns-reporting-agent` logging channel.
:gl:`#3659` :gl:`!7036`
- Add detailed debugging of update-policy rule matching. ``80f611afe6``
This logs how named determines if an update request is granted or
denied when using update-policy. :gl:`#4751` :gl:`!9074`
- Update bind.keys with the new 2025 IANA root key. ``63ee8979a7``
Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696,
which is scheduled for publication in January 2025. :gl:`#4896`
:gl:`!9422`
- Support jinja2 templates in pytest runner. ``04bdaf6efb``
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2
templates when `jinja2` python package is available.
Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.
New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can
be useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc. :gl:`#4938` :gl:`!9587`
- Enable runtime selection of FIPS mode in dig and delv. ``2c1fb7e5eb``
'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime.
:gl:`#5046` :gl:`!9754`
- Extended TCP accept() logging. ``cd312298ea``
Add extra log messages about TCP connection management. :gl:`!9089`
Removed Features
~~~~~~~~~~~~~~~~
- Move contributed DLZ modules into a separate repository.
``0fa2807d2b``
The DLZ modules are poorly maintained as we only ensure they can still
be compiled, the DLZ interface is blocking, so anything that blocks
the query to the database blocks the whole server and they should not
be used except in testing. The DLZ interface itself is going to be
scheduled for removal.
The DLZ modules now live in
https://gitlab.isc.org/isc-projects/dlz-modules repository.
:gl:`#4865` :gl:`!9349`
- Remove RBTDB implementation. ``a10d78db55``
Remove the RBTDB database implementation, and only leave the QPDB
based implementations of zone and cache databases. This means it's no
longer possible to choose the RBTDB to be default at the compilation
time and it's not possible to configure RBTDB as the database backend
in the configuration file. :gl:`#5027` :gl:`!9733`
- Remove namedconf port/tls deprecated check on `*-source[-v6]` options.
``29f1d4bb6f``
The usage of port and tls arguments in `*-source` and `*-source-v6` named
configuration options has been previously removed. Remove various
configuration check deprecating usage of those arguments. :gl:`!9738`
- Remove unused <openssl/hmac.h> headers from OpenSSL shims.
``a1fed2d8e7``
The <openssl/hmac.h> header was unused and including the header might
cause build failure when OpenSSL doesn't have Engines support enabled.
See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
Removes unused hmac includes after Remove OpenSSL Engine support
(commit ef7aba70) removed engine support. :gl:`!9228`
Feature Changes
~~~~~~~~~~~~~~~
- Use default listening rules from config.c string. ``f6148f66d4``
Remove special code which creates default listeners, and use the
normal named.conf configuration parser instead. This removes unneeded
code and makes the built-in configuration text provide a true primary
source of defaults. This change should be transparent to end-users and
should not cause any visible change. :gl:`#1424` :gl:`!2663`
- Use lists of expected artifacts in system tests. ``32cc143da0``
``clean.sh`` scripts have been replaced by lists of expected artifacts
for each system test module. The list is defined using the custom
``pytest.mark.extra_artifacts`` mark, which can use both filenames and
globs. :gl:`#4261` :gl:`!9426`
- Dnssec-ksr now supports KSK rollovers. ``675a7f0166``
The tool 'dnssec-ksr' now allows for KSK generation, as well as
planned KSK rollovers. When signing a bundle from a Key Signing
Request (KSR), only the key that is active in that time frame is being
used for signing. Also, the CDS and CDNSKEY records are now added and
removed at the correct time. :gl:`#4697` :gl:`#4705` :gl:`!9452`
- Unify parsing of query-source and other X-source options.
``ff94eb9e31``
The query-source option currently allows the address to be specified
in two ways, either as every other X-source option, or as an "address"
key-value pair. This merge request extends the `parse_sockaddrsub`
config parsing function so that it can parse the query-source option.
It also removes the separate config parsing function for
`query-source`. :gl:`#4961` :gl:`!9551`
- Add none parameter to query-source and query-source-v6 to disable IPv4
or IPv6 upstream queries. ``001272127f``
Add a none parameter to named configuration option `query-source`
(respectively `query-source-v6`) which forbid usage of IPv4
(respectively IPv6) addresses when named is doing an upstream query.
:gl:`#4981` Turning-off upstream IPv6 queries while still listening to
downstream queries on IPv6. :gl:`!9727`
- Incrementally apply AXFR transfer. ``a3e03b52e2``
Reintroduce logic to apply diffs when the number of pending tuples is
above 128. The previous strategy of accumulating all the tuples and
pushing them at the end leads to excessive memory consumption during
transfer.
This effectively reverts half of e3892805d6 :gl:`#4986` :gl:`!9740`
- Print expire option in transfer summary. ``d0900b7edf``
The zone transfer summary will now print the expire option value in
the zone transfer summary. :gl:`#5013` :gl:`!9694`
- Optimize memory layout of core structs. ``d94e88220c``
Reduce memory footprint by: - Reordering struct fields to minimize
padding. - Using exact-sized atomic types instead of
`*_least`/`*_fast` variants - Downsizing integer fields where possible
Affected structs: - dns_name_t - dns_slabheader_t - dns_rdata_t -
qpcnode_t - qpznode_t :gl:`#5022` :gl:`!9721`
- Add missing EDNS option mnemonics. ``887b04571b``
The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent
using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short),
and `dig +ednsopt=zoneversion`.
Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and
`CHAIN`, are now displayed correctly in text and YAML formats. Also,
an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now
spelled with a hyphen in both text and YAML formats; previously, text
format used a space. :gl:`!9691`
- Add new logging module for logging crypto errors in libisc.
``cf930c23d0``
Add a new 'crypto' log module that will be used for a low-level
cryptographic operations. The DNS related cryptography logs are still
logged in the 'dns/crypto' module. :gl:`!9287`
- Add two new clang-format options that help with code formatting.
``94b65f5eb0``
* Add new clang-format option to remove redundant semicolons
* Add new clang-format option to remove redundant parentheses
:gl:`!9749`
- Assume IPv6 is universally available (on the kernel level)
``b72a2300b9``
Instead of various probing, just assume that IPv6 is universally
available and cleanup the various checks and defines that we have
accumulated over the years. :gl:`!9360`
- Emit more helpful log for exceeding max-records-per-type.
``b2ffa5845b``
The new log message is emitted when adding or updating an RRset fails
due to exceeding the max-records-per-type limit. The log includes the
owner name and type, corresponding zone name, and the limit value. It
will be emitted on loading a zone file, inbound zone transfer (both
AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's
especially helpful in the case of zone transfer, since the secondary
side doesn't have direct access to the offending zone data.
It could also be used for max-types-per-name, but this change doesn't
implement it yet as it's much less likely to happen in practice.
:gl:`!9509`
- Enforce type checking for dns_dbversion_t. ``4b47c96a89``
Originally, the dns_dbversion_t was typedef'ed to void type. This
allowed some flexibility, but using `(void *)` just removes any
type-checking that C might have. Instead of using:
typedef void dns_dbversion_t;
use a trick to define the type to non-existing structure:
typedef struct dns_dbversion dns_dbversion_t;
This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbversion_t type. :gl:`!9724`
- Harden key management when key files have become unavailabe.
``7a416693bb``
Prior to doing key management, BIND 9 will check if the key files on
disk match the expected keys. If key files for previously observed
keys have become unavailable, this will prevent the internal key
manager from running. :gl:`!9337`
- Unify explicit fetching and libcrypto handling. ``94e5061151``
Unify libcrypto initialization and explicit digest fetching in a
single place.
It will remove the remaining implicit fetching and deduplicate
explicit fetching inside the codebase. Initialization has been moved
in to ensure OpenSSL cleanup is done only after fetched contextes are
destroyed. :gl:`!9288`
Bug Fixes
~~~~~~~~~
- Use TLS for notifies if configured to do so. ``4c882e4c0b``
Notifies configured to use TLS will now be sent over TLS, instead of
plaintext UDP or TCP. Also, failing to load the TLS configuration for
notify now also results in an error. :gl:`#4821` :gl:`!9407`
- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. ``8e0ec3fe0a``
`dig` fails to parse a valid (as far as I can tell, and accepted by
`kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template
containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If
the URI template contains a `{?dns}` instead `dig` is happy, but my
understanding of rfc9461 and section 1.2. "Levels and Expression
Types" of rfc6570 is that `{&dns}` is valid. See for example section
1.2. "Levels and Expression Types" of rfc6570.
Note that Peter van Dijk suggested that `{dns}` and
`{dns,someothervar}` might be valid forms as well, so my patch might
be too restrictive, although it's anyone's guess how DoH clients would
handle complex templates. :gl:`#4922` :gl:`!9455`
- Make dns_validator_cancel() respect the data ownership. ``4c0e69ff01``
There was a data race dns_validator_cancel() was called when the
offloaded operations were in progress. Make dns_validator_cancel()
respect the data ownership and only set new .canceling variable when
the offloaded operations are in progress. The cancel operation would
then finish when the offloaded work passes the ownership back to the
respective thread. :gl:`#4926` :gl:`!9470`
- Fix NSEC3 closest encloser lookup for names with empty non-terminals.
``a33528fe99``
The performance improvement for finding the NSEC3 closest encloser
when generating authoritative responses could cause servers to return
incorrect NSEC3 records in some cases. This has been fixed.
:gl:`#4950` :gl:`!9610`
- Revert "Improve performance when looking for the closest encloser"
``3a321ec661``
Revert "fix: chg: Improve performance when looking for the closest
encloser when returning NSEC3 proofs"
This reverts merge request !9436 :gl:`#4950` :gl:`!9611`
- Report client transport in 'rndc recursing' ``87ec2ce498``
When `rndc recursing` is used to dump the list of recursing clients,
it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP.
:gl:`#4971` :gl:`!9590`
- Fix a data race in dns_zone_getxfrintime() ``84eac93bfd``
The dns_zone_getxfrintime() function fails to lock the zone before
accessing its 'xfrintime' structure member, which can cause a data
race between soa_query() and the statistics channel. Add the missing
locking/unlocking pair, like it's done in numerous other similar
functions. :gl:`#4976` :gl:`!9591`
- 'Recursive-clients 0;' triggers an assertion. ``d7fab54393``
BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed.
:gl:`#4987` :gl:`!9621`
- Transport needs to be a selector when looking for an existing
dispatch. ``a7df51b706``
This allows for dispatch to use existing TCP/HTTPS/TLS etc. streams
without accidentally using an unexpected transport. :gl:`#4989`
:gl:`!9633`
- Parsing of hostnames in rndc.conf was broken. ``6ea2ac5f94``
When DSCP support was removed, parsing of hostnames in rndc.conf was
accidentally broken, resulting in an assertion failure. This has been
fixed. :gl:`#4991` :gl:`!9669`
- Restore values when dig prints command line. ``8467449407``
Options of the form `[+-]option=<value>` failed to display the value
on the printed command line. This has been fixed. :gl:`#4993`
:gl:`!9653`
- Provide more visibility into configuration errors. ``54889fd2af``
by logging SSL_CTX_use_certificate_chain_file and
SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008`
:gl:`!9683`
- Fix a data race between dns_zone_getxfr() and dns_xfrin_create()
``60ec9ef507``
There is a data race between the statistics channel, which uses
`dns_zone_getxfr()` to get a reference to `zone->xfr`, and the
creation of `zone->xfr`, because the latter happens outside of a zone
lock.
Split the `dns_xfrin_create()` function into two parts to separate the
zone transfer starting part from the zone transfer object creation
part. This allows us to attach the new object to a local variable
first, then attach it to `zone->xfr` under a lock, and only then start
the transfer. :gl:`#5011` :gl:`!9716`
- Fix race condition when canceling ADB find. ``75f1587aed``
When canceling the ADB find, the lock on the find gets released for a
brief period of time to be locked again inside adbname lock. During
the brief period that the ADB find is unlocked, it can get canceled by
other means removing it from the adbname list which in turn causes
assertion failure due to a double removal from the adbname list. This
has been fixed. :gl:`#5024` :gl:`!9722`
- Improve the memory cleaning in the SERVFAIL cache. ``5b96cbea01``
The SERVFAIL cache doesn't have a memory bound and the cleaning of the
old SERVFAIL cache entries was implemented only in opportunistic
manner. Improve the memory cleaning of the SERVFAIL cache to be more
aggressive, so it doesn't consume a lot of memory in the case the
server encounters many SERVFAILs at once. :gl:`#5025` :gl:`!9760`
- Fix trying the next primary server when the preivous one was marked as
unreachable. ``025677943d``
In some cases (there is evidence only when XoT was used) `named`
failed to try the next primary server in the list when the previous
one was marked as unreachable. This has been fixed. :gl:`#5038`
:gl:`!9781`
- Clean up 'nodetach' in ns_client. ``617381f115``
The 'nodetach' member is a leftover from the times when non-zero
'stale-answer-client-timeout' values were supported, and currently is
always 'false'. Clean up the member and its usage. :gl:`!9592`
- Enforce type checking for dns_dbnode_t. ``4b47c4f628``
Originally, the dns_dbnode_t was typedef'ed to void type. This
allowed some flexibility, but using `(void *)` just removes any
type-checking that C might have. Instead of using:
typedef void dns_dbnode_t;
use a trick to define the type to non-existing structure:
typedef struct dns_dbnode dns_dbnode_t;
This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbnode_t type. :gl:`!9719`
- Fix error path bugs in the manager's "recursing-clients" list
management. ``508f7007e8``
In two places, after linking the client to the manager's
"recursing-clients" list using the check_recursionquota() function,
the query.c module fails to unlink it on error paths. Fix the bugs by
unlinking the client from the list. :gl:`!9586`

198
doc/notes/notes-9.21.3.rst Normal file
View File

@ -0,0 +1,198 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.3
---------------------
New Features
~~~~~~~~~~~~
- Add separate query counters for new protocols.
Add query counters for DoT, DoH, unencrypted DoH and their proxied
counterparts. The new protocols do not update their respective TCP/UDP
transport counter. The previously existing counters are now dedicated
for TCP/UDP over plain port 53 only. :gl:`#598`
- Implement :rfc:`9567`: EDNS Report-Channel option.
Add new :namedconf:ref:`send-report-channel` and :namedconf:ref:`log-report-channel` options.
:namedconf:ref:`send-report-channel` specifies an *agent domain*, to which error
reports can be sent by querying a specially constructed name within
the agent domain. The EDNS Report-Channel option has been added to
outgoing authoritative responses, to inform clients where to send such
error reports in the event of a problem.
If a :namedconf:ref:`zone` is configured which matches the *agent domain* and has
:namedconf:ref:`log-report-channel` set to `yes`, error-reporting queries will be
logged at level `info` to the `dns-reporting-agent` logging :namedconf:ref:`channel`.
:gl:`#3659`
- Add detailed debugging of :namedconf:ref:`update-policy` rule matching.
This logs how :iscman:`named` determines whether an update request is granted or
denied when using update-policy. :gl:`#4751`
- Update built-in :file:`bind.keys` file with the new 2025 `IANA root key
<https://www.iana.org/dnssec/files>`_.
Add an `initial-ds` entry to :file:`bind.keys` for the new root key, ID
38696, which is scheduled for publication in January 2025. :gl:`#4896`
- Enable runtime selection of FIPS mode in :iscman:`dig` and delv.
:option:`dig -F` and :option:`delv -F` can now be used to select FIPS mode at
runtime. :gl:`#5046`
Removed Features
~~~~~~~~~~~~~~~~
- Move contributed DLZ modules into a separate repository. DLZ modules should
not be used except in testing.
The DLZ modules were not maintained, the DLZ interface itself is going to be
scheduled for removal, and the DLZ interface is blocking. Any module that
blocks the query to the :namedconf:ref:`database` blocks the whole server.
The DLZ modules now live in
https://gitlab.isc.org/isc-projects/dlz-modules repository.
:gl:`#4865`
- Remove RBTDB implementation.
Remove the RBTDB :namedconf:ref:`database` implementation, and only leave the
QPDB-based implementations of :namedconf:ref:`zone` and cache databases. This means it is no
longer possible to choose RBTDB as the default database at compilation
time, nor to configure RBTDB as the :namedconf:ref:`database` backend
in the configuration file. :gl:`#5027`
Feature Changes
~~~~~~~~~~~~~~~
- :iscman:`dnssec-ksr` now supports KSK rollovers.
The tool now allows for KSK generation, as well as planned KSK rollovers.
When signing a bundle from a Key Signing Request (KSR), only the
key that is active in that time frame is
used for signing. Also, the CDS and CDNSKEY records are now added and
removed at the correct time. :gl:`#4697` :gl:`#4705`
- Add `none` parameter to :namedconf:ref:`query-source` and
:namedconf:ref:`query-source-v6` to disable IPv4 or IPv6 upstream queries but
allow listening to queries from clients on IPv4 or IPv6.
- Print :rfc:`7314`: EXPIRE option in transfer summary. :gl:`#5013`
- Add missing EDNS option mnemonics to :iscman:`dig`.
The `Report-Channel` and `ZONEVERSION` options can now be sent
using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short),
and `dig +ednsopt=zoneversion`.
Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and
`CHAIN`, are now displayed correctly in text and YAML formats.
Also, an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now
spelled with a hyphen in both text and YAML formats; previously, text
format used a space.
- Add new :namedconf:ref:`logging` module for crypto errors in libisc.
Add a new `crypto` log module to be used for low-level
cryptographic operations. The DNS-related cryptography logs are still
logged in the 'dns/crypto' module.
- Emit more helpful log messages for exceeding :namedconf:ref:`max-records-per-type`.
The new log message is emitted when adding or updating an RRset fails
due to exceeding the :namedconf:ref:`max-records-per-type` limit. The log includes the
owner name and type, corresponding zone name, and the limit value. It
will be emitted on loading a zone file, inbound zone transfer (both
AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's
especially helpful in the case of zone transfer, since the secondary
side doesn't have direct access to the offending zone data.
It could also be used for :namedconf:ref:`max-types-per-name`, but this change doesn't
implement it yet as it's much less likely to happen in practice.
- Harden key management when key files have become unavailable.
Prior to doing key management, BIND 9 will check if the key files on
disk match the expected keys. If key files for previously observed
keys have become unavailable, this will prevent the internal key
manager from running.
- Reduce memory footprint by optimizing commonly-used data structures.
:gl:`#5022`
Bug Fixes
~~~~~~~~~
- Use TLS for notifies if configured to do so.
Notifies configured to use TLS will now be sent over TLS, instead of
plain text UDP or TCP. Also, failing to load the TLS configuration for
:namedconf:ref:`notify` now results in an error. :gl:`#4821`
- `{&dns}` is as valid as `{?dns}` in a SVCB's dohpath.
:iscman:`dig` failed to parse a valid `SVCB` record with a `dohpath` URI
template containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`.
:gl:`#4922`
- Fix NSEC3 closest encloser lookup for names with empty non-terminals.
A previous performance optimization for finding the NSEC3 closest encloser
when generating authoritative responses could cause servers to return
incorrect NSEC3 records in some cases. This has been fixed.
:gl:`#4950`
- Report client transport in :option:`rndc recursing` output
When :option:`rndc recursing` is used to dump the list of recursing
clients, it now indicates whether a query was sent via UDP, TCP,
TLS, or HTTP.
:gl:`#4971`
- :namedconf:ref:`recursive-clients` statement with value 0 triggered an assertion failure.
BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed.
:gl:`#4987`
- Parsing of hostnames in :iscman:`rndc.conf` was broken.
When DSCP support was removed, parsing of hostnames in :iscman:`rndc.conf` was
accidentally broken, resulting in an assertion failure. This has been
fixed. :gl:`#4991`
- :iscman:`dig` options of the form `[+-]option=<value>` failed to display the
value on the printed command line. This has been fixed. :gl:`#4993`
- Provide more visibility into TLS configuration errors by logging
`SSL_CTX_use_certificate_chain_file()` and `SSL_CTX_use_PrivateKey_file()`
errors individually. :gl:`#5008`
- Fix a race condition when canceling ADB find which could cause an assertion
failure. :gl:`#5024`
- Fix doubled memory usage during incoming zone transfer. :gl:`#4986`
- SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a
lot of memory if the server encounters many SERVFAILs at once.
:gl:`#5025`
- Fix trying the next primary XoT server when the previous one was marked as
unreachable.
In some cases :iscman:`named` failed to try the next primary
server in the :namedconf:ref:`primaries` list when the previous one was marked as
unreachable. This has been fixed. :gl:`#5038`