diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index a0df16c087..64ef6dde4f 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.12.rst .. include:: ../changelog/changelog-9.20.11.rst .. include:: ../changelog/changelog-9.20.10.rst .. include:: ../changelog/changelog-9.20.9.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 016ff19e6e..877cbf0d73 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.12.rst .. include:: ../notes/notes-9.20.11.rst .. include:: ../notes/notes-9.20.10.rst .. include:: ../notes/notes-9.20.9.rst diff --git a/doc/changelog/changelog-9.20.12.rst b/doc/changelog/changelog-9.20.12.rst new file mode 100644 index 0000000000..71e997bfc9 --- /dev/null +++ b/doc/changelog/changelog-9.20.12.rst @@ -0,0 +1,140 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.12 +------------ + +New Features +~~~~~~~~~~~~ + +- Support for parsing the DSYNC record has been added. ``f440fe712d`` + + :gl:`#5440` :gl:`!10820` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Adaptive memory allocation strategy for qp-tries. ``9a046cbed5`` + + qp-tries allocate their nodes (twigs) in chunks to reduce allocator + pressure and improve memory locality. The choice of chunk size + presents a tradeoff: larger chunks benefit qp-tries with many values + (as seen in large zones and resolvers) but waste memory in smaller use + cases. + + Previously, our fixed chunk size of 2^10 twigs meant that even an + empty qp-trie would consume 12KB of memory, while reducing this size + would negatively impact resolver performance. + + This MR implements an adaptive chunking strategy that tracks the size + of the most recently allocated chunk and doubles the chunk size for + each new allocation until reaching a predefined maximum. + + This approach effectively balances memory efficiency for small tries + while maintaining the performance benefits of larger chunk sizes for + bigger data structures. :gl:`#5445` :gl:`!10804` + +- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest + type 1. ``5aefaa4b97`` + + RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated + by the IETF and should no longer be used for DNSSEC. DS digest type 1 + (SHA1) has also been deprecated. Validators are now expected to treat + these algorithms and digest as unknown, resulting in some zones being + treated as insecure when they were previously treated as secure. + Warnings have been added to named and tools when these algorithms and + this digest are being used for signing. + + Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a + different DNSKEY algorithm. + + Zones with DS or CDS records with digest type 1 (SHA1) should be + updated to use a different digest type (e.g. SHA256) and the digest + type 1 records should be removed. + + Related to #5358 :gl:`!10738` + +Bug Fixes +~~~~~~~~~ + +- Stale RRsets in a CNAME chain were not always refreshed. + ``ed37c7825e`` + + With serve-stale enabled, a CNAME chain that contains a stale RRset, + the refresh query doesn't always properly refresh the stale RRsets. + This has been fixed. :gl:`#5243` :gl:`!10767` + +- Add RPZ extended DNS error for zones with a CNAME override policy + configured. ``39ad2016c1`` + + When the zone is configured with a CNAME override policy, or the + response policy zone contains a wildcard CNAME, the extended DNS error + code was not added. This has been fixed. :gl:`#5342` :gl:`!10819` + +- Fix a possible crash when adding a zone while recursing. + ``7a3ec8dd94`` + + A query for a zone that was not yet loaded may yield an unexpected + result such as a CNAME or DNAME, triggering an assertion failure. This + has been fixed. :gl:`#5357` :gl:`!10718` + +- Fix dig issues. ``8c50819aa8`` + + When used with the ``+keepopen`` option with a TCP connection, + iscman:`dig` could terminate unexpectedly in rare situations. + Additionally, iscman:`dig` could hang and fail to shutdown properly + when interrupted during a query. These have been fixed. :gl:`#5381` + :gl:`!10727` + +- Log dropped or slipped responses in the query-errors category. + ``47470b586d`` + + Responses which were dropped or slipped because of RRL (Response Rate + Limiting) were logged in the ``rate-limit`` category instead of the + ``query-errors`` category, as documented in ARM. This has been fixed. + :gl:`#5388` :gl:`!10725` + +- Separate out adbname type flags. ``fc689c6525`` + + There are three adbname flags that are used to identify different + types of adbname lookups when hashing rather than using multiple hash + tables. Separate these to their own structure element as these need + to be able to be read without locking the adbname structure. + :gl:`#5404` :gl:`!10695` + +- Synth-from-dnssec was not working in some scenarios. ``bc54f059e0`` + + Aggressive use of DNSSEC-Validated cache with NSEC was not working in + scenarios when no parent NSEC was not in cache. This has been fixed. + :gl:`#5422` :gl:`!10754` + +- Clean enough memory when adding new ADB names/entries under memory + pressure. ``b7e7923daa`` + + The ADB memory cleaning is opportunistic even when we are under memory + pressure (in the overmem condition). Split the opportunistic LRU + cleaning and overmem cleaning and make the overmem cleaning always + cleanup double of the newly allocated adbname/adbentry to ensure we + never allocate more memory than the assigned limit. :gl:`!10707` + +- Prevent spurious validation failures. ``3b98c7cc9d`` + + Under rare circumstances, validation could fail if multiple clients + simultaneously iterated the same set of signatures. + + References #3014 :gl:`!10815` + +- Rename variable called 'free' to prevent the clash with free() + ``7f25d92c5d`` + + :gl:`!10757` + + diff --git a/doc/notes/notes-9.20.12.rst b/doc/notes/notes-9.20.12.rst new file mode 100644 index 0000000000..152bd01fcd --- /dev/null +++ b/doc/notes/notes-9.20.12.rst @@ -0,0 +1,98 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.12 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Support for parsing DSYNC records has been added. + + These records are used for discovering the receiver endpoint for DNS + notification messages. For more information, see + `draft-ietf-dnsop-generalized-notify-09`_. :gl:`#5440` + +.. _`draft-ietf-dnsop-generalized-notify-09`: https://datatracker.ietf.org/doc/draft-ietf-dnsop-generalized-notify/09/ + +Feature Changes +~~~~~~~~~~~~~~~ + +- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest + type 1. + + RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated + by the IETF and should no longer be used for DNSSEC. DS digest type 1 + (SHA1) has also been deprecated in BIND 9. Validators are now expected to treat + these algorithms and digest as unknown, resulting in some zones being + treated as insecure when they were previously treated as secure. + Warnings have been added to :iscman:`named` and tools when these algorithms and + this digest are being used for signing. + + Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a + different DNSKEY algorithm. + + Zones with DS or CDS records with digest type 1 (SHA1) should be + updated to use a different digest type (e.g. SHA256) and the digest + type 1 records should be removed. :gl:`#5358` + +Bug Fixes +~~~~~~~~~ + +- Stale RRsets in a CNAME chain were not always refreshed. + + Previously, with serve-stale enabled and a CNAME chain that contained a stale RRset, + the refresh query didn't always properly refresh the stale RRsets. + This has been fixed. :gl:`#5243` + +- Add RPZ extended DNS error for zones with a CNAME override policy + configured. + + Previously, when the zone was configured with a CNAME override policy, or the + response policy zone contained a wildcard CNAME, the extended DNS error + code was not added. This has been fixed. :gl:`#5342` + +- Fix :iscman:`dig` issues. + + When used with the ``+keepopen`` option, + :iscman:`dig` could terminate unexpectedly in rare situations. + Additionally, :iscman:`dig` could hang and fail to shutdown properly + when interrupted during a query. These have been fixed. :gl:`#5381` + +- Log dropped or slipped responses in the ``query-errors`` category. + + Responses which were dropped or slipped because of Response Rate + Limiting (RRL) were logged in the ``rate-limit`` category instead of the + ``query-errors`` category, as documented in the ARM. This has been fixed. + :gl:`#5388` + +- :any:`synth-from-dnssec` was not working in some scenarios. + + Aggressive use of DNSSEC-Validated cache with NSEC was not working in + scenarios when no parent NSEC was in cache. This has been fixed. + :gl:`#5422` + +- Clean enough memory when adding new ADB names/entries under memory + pressure. + + The ADB memory cleaning is opportunistic even when BIND is under memory + pressure (in the overmem condition). :iscman:`named` now ensures that the assigned memory + limit is not exceeded by releasing twice the amount of memory + allocated for each new ADB name/entry when under memory pressure. + :gl:`!10637` + +- Prevent spurious validation failures. + + Under rare circumstances, validation could fail if multiple clients + simultaneously iterated the same set of DNSSEC signatures. This has + been fixed. :gl:`#3014` + +