diff --git a/CHANGES b/CHANGES index 1f5d67be2f..135525bfc3 100644 --- a/CHANGES +++ b/CHANGES @@ -29,6 +29,8 @@ 6147. [performance] Fix the TCP server parent quota use. [GL #3985] + --- 9.19.12 released --- + 6146. [performance] Replace the zone table red-black tree and associated locking with a lock-free qp-trie. [GL !7582] diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ad77ac85a1..c5a6cef2d8 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -39,6 +39,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.12.rst .. include:: ../notes/notes-9.19.11.rst .. include:: ../notes/notes-9.19.10.rst .. include:: ../notes/notes-9.19.9.rst diff --git a/doc/notes/notes-9.19.12.rst b/doc/notes/notes-9.19.12.rst new file mode 100644 index 0000000000..0d08a2279a --- /dev/null +++ b/doc/notes/notes-9.19.12.rst 
@@ -0,0 +1,93 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.19.12 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- An error in DNS message processing introduced in development version + 9.19.11 could cause BIND and its utilities to crash if the maximum + permissible number of DNS labels were present. This has been fixed. + :gl:`#3998` + +Known Issues +~~~~~~~~~~~~ + +- Loading a large number of zones is significantly slower in BIND + 9.19.12 than in the previous development releases due to a new data + structure being used for storing information about the zones to serve. + This slowdown is considered to be a bug and will be addressed in a + future BIND 9.19.x development release. :gl:`#4006` + +- A flaw in reworked code responsible for accepting TCP connections may + cause a visible performance drop for TCP queries on some platforms, + notably FreeBSD. This issue will be fixed in a future BIND 9.19.x + development release. :gl:`#3985` + +- See :ref:`above ` for a list of all known issues + affecting this BIND 9 branch. + +New Features +~~~~~~~~~~~~ + +- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data + structures. :gl:`#3934` + +- The new command-line :option:`delv +ns` option activates name server + mode, to more accurately reproduce the behavior of :iscman:`named` + when resolving a query. In this mode, :iscman:`delv` uses an internal + recursive resolver rather than an external server. All messages sent + and received during the resolution and validation process are logged. + This can be used in place of :option:`dig +trace`. 
:gl:`#3842` + +- A new configuration option, :any:`checkds`, has been introduced. When + set to ``yes``, it detects :any:`parental-agents` automatically by + resolving the parent NS records. These name servers are queried to + check the DS RRset during a KSK rollover initiated by + :any:`dnssec-policy`. :gl:`#3901` + +.. _`liburcu`: https://liburcu.org/ + +Removed Features +~~~~~~~~~~~~~~~~ + +- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been + removed and using TKEY Mode 2 is now a fatal error. Users are advised + to switch to TKEY Mode 3 (GSS-API). :gl:`#3905` + +- Zone type ``delegation-only``, and the ``delegation-only`` and + ``root-delegation-only`` statements, have been removed. Using them is + a configuration error. + + These statements were created to address the SiteFinder controversy, + in which certain top-level domains redirected misspelled queries to + other sites instead of returning NXDOMAIN responses. Since top-level + domains are now DNSSEC-signed, and DNSSEC validation is active by + default, the statements are no longer needed. :gl:`#3953` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The log message ``resolver priming query complete`` has been moved + from the INFO log level to the DEBUG(1) log level, to prevent + :iscman:`delv` from emitting that message when setting up its internal + resolver. :gl:`#3842` + +Bug Fixes +~~~~~~~~~ + +- Several bugs which could cause :iscman:`named` to crash during catalog + zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997` + +- Performance of DNSSEC validation in zones with many DNSKEY records has + been improved. :gl:`#3981` diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index e6622d56be..959c73d1d0 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst 
@@ -38,3 +38,14 @@ Known Issues have ``subjectAltName`` set. In such cases, the ``Subject`` field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. :gl:`#3163` + +- Loading a large number of zones is significantly slower in BIND + 9.19.12 than in the previous development releases due to a new data + structure being used for storing information about the zones to serve. + This slowdown is considered to be a bug and will be addressed in a + future BIND 9.19.x development release. :gl:`#4006` + +- A flaw in reworked code responsible for accepting TCP connections may + cause a visible performance drop for TCP queries on some platforms, + notably FreeBSD. This issue will be fixed in a future BIND 9.19.x + development release. :gl:`#3985`
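Review bot: In doc/notes/notes-9.19.12.rst, the Security Fixes entry for :gl:`#3998` does not say which input triggers the crash or who can supply it. "DNS message processing" and "BIND and its utilities" do not tell an operator whether a remote query or response reaches the faulty path in named, or only input handled by the command-line tools. A clause naming the trigger would let anyone running 9.19.11 judge how urgent the upgrade is. In the same sentence, "the maximum permissible number of DNS labels were present" should read "was present". In the Known Issues section of the same file, the bullet "See :ref:`above ` for a list of all known issues" shows a :ref: role with link text but no target label as rendered here; confirm the label is present in the committed file so the cross-reference resolves.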
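Review bot: In doc/notes/notes-known-issues.rst, the added :gl:`#3985` bullet does not name the release in which the TCP accept code was reworked, while the :gl:`#4006` bullet just before it names 9.19.12. This file is included ahead of every per-release note and is described as covering the whole branch, so state the first affected version to let readers on earlier 9.19.x releases tell whether the TCP slowdown applies to them. Both bullets are also verbatim copies of the ones added to notes-9.19.12.rst, which then points readers back to this list. Keeping the text in one place would stop the two copies drifting apart when the fixes land.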