From 43e06c84d448424e9dc2bf3f64468185bbe58529 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Mon, 7 Oct 2024 09:48:56 +0200 Subject: [PATCH] Generate release notes --- doc/notes/notes-9.20.3.rst | 150 +++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 doc/notes/notes-9.20.3.rst diff --git a/doc/notes/notes-9.20.3.rst b/doc/notes/notes-9.20.3.rst new file mode 100644 index 0000000000..c51234a814 --- /dev/null +++ b/doc/notes/notes-9.20.3.rst 
@@ -0,0 +1,150 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Log query response status to the query log. + + Log a query response summary using the new category `responses`. + Logging can be controlled by the option `responselog` and `rndc + responselog`. :gl:`#459` + +- Added WALLET type. + + Add the new record type WALLET (262). This provides a mapping from a + domain name to a cryptographic currency wallet. Multiple mappings can + exist if multiple records exist. :gl:`#4947` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Set logging category for notify/xfer-in related messages. + + Some 'notify' and 'xfer-in' related log messages were logged at the + 'general' category instead of their own category. This has been fixed. + :gl:`#2730` + +- Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS. + + This change allows fallback from an IXFR failure to AXFR when the + reason is `DNS_R_TOOMANYRECORDS`. This is because this error condition + could be temporary only in an intermediate version of IXFR + transactions and it's possible that the latest version of the zone + doesn't have that condition. In such a case, the secondary would never + be able to update the zone (even if it could) without this fallback. + + This fallback behavior is particularly useful with the recently + introduced `max-records-per-type` and `max-types-per-name` options: + the primary may not have these limitations and may temporarily + introduce "too many" records, breaking IXFR. 
If the primary side + subsequently deletes these records, this fallback will help recover + the zone transfer failure automatically; without it, the secondary + side would first need to increase the limit, which requires more + operational overhead and has its own adverse effect. :gl:`#4928` + +Bug Fixes +~~~~~~~~~ + +- Fix a statistics channel counter bug when 'forward only' zones are + used. + + When resolving a zone with a 'forward only' policy, and finding out + that all the forwarders are marked as "bad", the 'ServerQuota' counter + of the statistics channel was incorrectly increased. This has been + fixed. :gl:`#1793` + +- Fix a bug in the static-stub implementation. + + Static-stub addresses and addresses from other sources were being + mixed together, resulting in static-stub queries going to addresses + not specified in the configuration, or alternatively, static-stub + addresses being used instead of the correct server addresses. + :gl:`#4850` + +- Don't allow statistics-channel if libxml2 and libjson-c are + unsupported. + + When the libxml2 and libjson-c libraries are not supported, the + statistics channel can't return anything useful, so it is now + disabled. Use of `statistics-channel` in `named.conf` is a fatal + error. :gl:`#4895` + +- Separate DNSSEC validation from the long-running tasks. + + As part of the KeyTrap \[CVE-2023-50387\] mitigation, the DNSSEC CPU- + intensive operations were offloaded to a separate threadpool that we + use to run other tasks that could affect the networking latency. + + If that threadpool is running some long-running tasks like RPZ, + catalog zone processing, or zone file operations, it would delay + DNSSEC validations to a point where the resolving signed DNS records + would fail. + + Split the CPU-intensive and long-running tasks into separate + threadpools in a way that the long-running tasks don't block the CPU- + intensive operations. :gl:`#4898` + +- Fix assertion failure when processing access control lists. 
+ + The named process could terminate unexpectedly when processing access + control lists (ACLs). This has been fixed. :gl:`#4908` + +- Fix bug in Offline KSK that is using ZSK with unlimited lifetime. + + If the ZSK has unlimited lifetime, the timing metadata "Inactive" and + "Delete" cannot be found and is treated as an error, preventing the + zone to be signed. This has been fixed. :gl:`#4914` + +- Limit the outgoing UDP send queue size. + + If the operating system UDP queue gets full and the outgoing UDP + sending starts to be delayed, BIND 9 could exhibit memory spikes as it + tries to enqueue all the outgoing UDP messages. Try a bit harder to + deliver the outgoing UDP messages synchronously and if that fails, + drop the outgoing DNS message that would get queued up and then + timeout on the client side. :gl:`#4930` + +- Do not set SO_INCOMING_CPU. + + We currently set SO_INCOMING_CPU incorrectly, and testing by Ondrej + shows that fixing the issue by setting affinities is worse than + letting the kernel schedule threads without constraints. So we should + not set SO_INCOMING_CPU anymore. :gl:`#4936` + +- Fix the 'rndc dumpdb' command's error reporting. + + The 'rndc dumpdb' command wasn't reporting errors which occurred when + starting up the database dump process by named, like, for example, a + permission denied error for the 'dump-file' file. This has been fixed. + Note, however, that 'rndc dumpdb' performs asynchronous writes, so + errors can also occur during the dumping process, which will not be + reported back to 'rndc', but which will still be logged by named. + :gl:`#4944` + +- Fix long-running incoming transfers. + + Incoming transfers that took longer than 30 seconds would stop reading + from the TCP stream and the incoming transfer would be indefinitely + stuck causing BIND 9 to hang during shutdown. + + This has been fixed and the `max-transfer-time-in` and `max-transfer- + idle-in` timeouts are now honoured. 
:gl:`#4949` + +- Fix assertion failure when receiving DNS responses over TCP. + + When matching the received Query ID in the TCP connection, an invalid + received Query ID can very rarely cause assertion failure. :gl:`#4952` + +
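Review bot: The section heading of the new doc/notes/notes-9.20.3.rst is the placeholder "(-dev)" rather than the 9.20.3 release the filename names; unless the release tooling substitutes it, the heading should name the version before this is merged. Several entries also read as developer commentary rather than release-note text: the SO_INCOMING_CPU item ("testing by Ondrej shows ... So we should not set SO_INCOMING_CPU anymore") and the UDP send-queue item ("Try a bit harder to deliver") should be rewritten in the impersonal form the rest of the file uses ("This has been fixed."), without naming individual engineers. Minor wording fixes in the same hunk: "preventing the zone to be signed" should be "preventing the zone from being signed", "the resolving signed DNS records would fail" should be "resolution of signed DNS records would fail", and "then timeout on the client side" should be "then time out on the client side".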