Merge tag 'v9.20.11' into bind-9.20

doc/arm/changelog.rst

@@ -18,6 +18,7 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+.. include:: ../changelog/changelog-9.20.11.rst
 .. include:: ../changelog/changelog-9.20.10.rst
 .. include:: ../changelog/changelog-9.20.9.rst
 .. include:: ../changelog/changelog-9.20.8.rst

doc/arm/notes.rst

@@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be
 found at
 https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20
 
+.. include:: ../notes/notes-9.20.11.rst
 .. include:: ../notes/notes-9.20.10.rst
 .. include:: ../notes/notes-9.20.9.rst
 .. include:: ../notes/notes-9.20.8.rst

doc/changelog/changelog-9.20.11.rst

@@ -0,0 +1,64 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.20.11
+------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- [CVE-2025-40777] Fix a possible assertion failure when using the
+  'stale-answer-client-timeout 0' option. ``055a592fd97``
+
+  In specific circumstances the :iscman:`named` resolver process could
+  terminate unexpectedly when stale answers were enabled and the
+  ``stale-answer-client-timeout 0`` configuration option was used. This
+  has been fixed. :gl:`#5372`
+
+New Features
+~~~~~~~~~~~~
+
+- Add support for the CO flag to dig. ``47108af9f2e``
+
+  Add support to display the CO (Compact Answers OK flag)
+  when displaying messages.
+
+  Add support to set the CO flag when making queries in dig (+coflag).
+  :gl:`#5319` :gl:`!10578`
+
+Bug Fixes
+~~~~~~~~~
+
+- Fix the default interface-interval from 60s to 60m. ``e8ffe3a15ca``
+
+  When the interface-interval parser was changed from uint32 parser to
+  duration parser, the default value stayed at plain number `60` which
+  now means 60 seconds instead of 60 minutes.  The documentation also
+  incorrectly states that the value is in minutes.  That has been fixed.
+  :gl:`#5246` :gl:`!10679`
+
+- Fix purge-keys bug when using views. ``35efa742b03``
+
+  Previously, when a DNSSEC key was purged by one zone view, other zone
+  views would return an error about missing key files. This has been
+  fixed. :gl:`#5315` :gl:`!10598`
+
+- Use IPv6 queries in delv +ns. ``4916fe0c6bd``
+
+  `delv +ns` invokes the same code to perform name resolution as
+  `named`, but it neglected to set up an IPv6 dispatch object first.
+  Consequently, it was behaving more like `named -4`. It now sets up
+  dispatch objects for both address families, and performs resolver
+  queries to both v4 and v6 addresses, except when one of the address
+  families has been suppressed by using `delv -4` or `delv -6`.
+  :gl:`#5352` :gl:`!10573`
+
+

doc/notes/notes-9.20.11.rst

@@ -0,0 +1,61 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.20.11
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Fix a possible assertion failure when
+  :any:`stale-answer-client-timeout` is set to ``0``.
+
+  In specific circumstances the :iscman:`named` resolver process could
+  exit with an assertion failure when stale answers were enabled and the
+  :any:`stale-answer-client-timeout` configuration option was set to
+  ``0``. This has been fixed. :cve:`2025-40777` :gl:`#5372`
+
+New Features
+~~~~~~~~~~~~
+
+- Add support for the CO flag to :iscman:`dig`.
+
+  Add support for Compact Denial of Existence to :iscman:`dig`.  This
+  includes showing the CO (Compact Answers OK) flag when displaying
+  messages and adding an option to set the CO flag when making queries
+  (:option:`dig +coflag`). :gl:`#5319`
+
+Bug Fixes
+~~~~~~~~~
+
+- Correct the default :any:`interface-interval` from 60s to 60m.
+
+  When the :any:`interface-interval` parser was changed from a
+  ``uint32`` parser to a duration parser, the default value stayed at
+  plain number ``60`` which now means 60 seconds instead of 60 minutes.
+  The documentation also incorrectly states that the value is in
+  minutes. That has been fixed. :gl:`#5246`
+
+- Fix a :any:`purge-keys` bug when using multiple views of a zone.
+
+  Previously, when a DNSSEC key was purged by one zone view, other zone
+  views would return an error about missing key files. This has been
+  fixed. :gl:`#5315`
+
+- Use IPv6 queries in :option:`delv +ns`.
+
+  :option:`delv +ns` invokes the same code to perform name resolution as
+  :iscman:`named`, but it neglected to set up an IPv6 dispatch object
+  first. Consequently, it was behaving more like :option:`named -4`. It
+  now sets up dispatch objects for both address families, and performs
+  resolver queries to both IPv4 and IPv6 addresses, except when one of
+  the address families has been suppressed by using :option:`delv -4` or
+  :option:`delv -6`. :gl:`#5352`

lib/ns/query.c

@@ -5920,16 +5920,14 @@ ns__query_start(query_ctx_t *qctx) {
 		}
 	}
 
-	if (!qctx->is_zone && qctx->view->staleanswerclienttimeout == 0 &&
-	    dns_view_staleanswerenabled(qctx->view))
-	{
-		/*
-		 * If stale answers are enabled and
-		 * stale-answer-client-timeout is zero, then we can promptly
-		 * answer with a stale RRset if one is available in cache.
-		 */
-		qctx->options.stalefirst = true;
-	}
+	/*
+	 * If stale answers are enabled and stale-answer-client-timeout is zero,
+	 * then we can promptly answer with a stale RRset if one is available in
+	 * cache.
+	 */
+	qctx->options.stalefirst = (!qctx->is_zone &&
+				    qctx->view->staleanswerclienttimeout == 0 &&
+				    dns_view_staleanswerenabled(qctx->view));
 
 	result = query_lookup(qctx);
 
@@ -6058,7 +6056,9 @@ query_lookup(query_ctx_t *qctx) {
 		rpzqname = qctx->client->query.qname;
 	}
 
-	if (qctx->options.stalefirst) {
+	qctx->client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT;
+
+	if (qctx->options.stalefirst && !qctx->is_zone) {
 		/*
 		 * If the 'stalefirst' flag is set, it means that a stale
 		 * RRset may be returned as part of this lookup. An attempt
@@ -6222,8 +6222,6 @@ query_lookup(query_ctx_t *qctx) {
 				qctx_freedata(qctx);
 				dns_db_attach(qctx->client->view->cachedb,
 					      &qctx->db);
-				qctx->client->query.dboptions &=
-					~DNS_DBFIND_STALETIMEOUT;
 				qctx->options.stalefirst = false;
 				if (FETCH_RECTYPE_NORMAL(qctx->client) != NULL)
 				{
@@ -8949,11 +8947,9 @@ query_zone_delegation(query_ctx_t *qctx) {
 		 * setting the 'stalefirst' option, which is usually set in
 		 * the beginning in ns__query_start().
 		 */
-		if (qctx->view->staleanswerclienttimeout == 0 &&
-		    dns_view_staleanswerenabled(qctx->view))
-		{
-			qctx->options.stalefirst = true;
-		}
+		qctx->options.stalefirst =
+			(qctx->view->staleanswerclienttimeout == 0 &&
+			 dns_view_staleanswerenabled(qctx->view));
 
 		result = query_lookup(qctx);