diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 8885631904..4d1e2ea1b7 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.6.rst .. include:: ../changelog/changelog-9.20.5.rst .. include:: ../changelog/changelog-9.20.4.rst .. include:: ../changelog/changelog-9.20.3.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 197d649ac0..ff5666f3b2 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.6.rst .. include:: ../notes/notes-9.20.5.rst .. include:: ../notes/notes-9.20.4.rst .. include:: ../notes/notes-9.20.3.rst diff --git a/doc/changelog/changelog-9.20.6.rst b/doc/changelog/changelog-9.20.6.rst new file mode 100644 index 0000000000..413d445d4f --- /dev/null +++ b/doc/changelog/changelog-9.20.6.rst @@ -0,0 +1,160 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.6 +----------- + +New Features +~~~~~~~~~~~~ + +- Adds support for EDE code 1 and 2. ``b3eab79bc18`` + + Add support for EDE codes 1 & 2 which might occurs during DNSSEC + validation in case of unsupported RRSIG algorithm or DNSKEY digest. + :gl:`#2715` :gl:`!9996` + +- Add a rndc command to toggle jemalloc profiling. ``38c51c84014`` + + The new command is `rndc memprof`. The memory profiling status is also + reported inside `rndc status`. The status also shows whether named can + toggle memory profiling or not and if the server is built with + jemalloc. :gl:`#4759` :gl:`!10000` + +- Add support for multiple extended DNS errors. ``4d945128dc1`` + + Extended DNS error mechanism (EDE) may have several errors raised + during a DNS resolution. `named` is now able to add up to three EDE + codes in a DNS response. In the case of duplicate error codes, only + the first one will be part of the DNS response. :gl:`#5085` + :gl:`!9978` + +- Print the expiration time of the stale records. ``b5cce0f5972`` + + Print the expiration time of the stale RRsets in the cache dump. + :gl:`!10061` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Refactor reference counting in both QPDB and RBTDB. ``3244f7848fd`` + + Clean up the pattern in the newref() and decref() functions in QP and + RBTDB databases. Replace the `db_nodelock_t` structure with plain + reference counting for every active database node in QPDB. + + Related to #5134 :gl:`!10035` + +- Shutdown the fetch context after canceling the last fetch. + ``55b7cc9596e`` + + Shutdown the fetch context immediately after the last fetch has been + canceled from that particular fetch context. :gl:`!9977` + +Bug Fixes +~~~~~~~~~ + +- Fix possible truncation in dns_keymgr_status() ``1333dac316c`` + + If the generated status output exceeds 4096 it was silently truncated, + now we output that the status was truncated. :gl:`#4180` :gl:`!9981` + +- Recently expired records could be returned with timestamp in future. + ``9a4df4caac0`` + + Under rare circumstances, the RRSet that expired at the time of the + query could be returned with TTL far in the future. This has been + fixed. + + As a side-effect, the expiration time of expired RRSets are no longer + printed out in the cache dump. :gl:`#5094` :gl:`!10059` + +- Yaml string not terminated in negative response in delv. + ``74640b3613c`` + + :gl:`#5098` :gl:`!9979` + +- Fix a bug in dnssec-signzone related to keys being offline. + ``ddda6cb59e5`` + + In the case when `dnssec-signzone` is called on an already signed + zone, and the private key file is unavailable, a signature that needs + to be refreshed may be dropped without being able to generate a + replacement. This has been fixed. :gl:`#5126` :gl:`!9982` + +- Apply the memory limit only to ADB database items. ``0ab22458f51`` + + Resolver under heavy-load could exhaust the memory available for + storing the information in the Address Database (ADB) effectively + evicting already stored information in the ADB. The memory used to + retrieve and provide information from the ADB is now not a subject of + the same memory limits that are applied for storing the information in + the Address Database. :gl:`#5127` :gl:`!9975` + +- Avoid unnecessary locking in the zone/cache database. ``60b81239de1`` + + Prevent lock contention among many worker threads referring to the + same database node at the same time. This would improve zone and cache + database performance for the heavily contended database nodes. + :gl:`#5130` :gl:`!9964` + +- Fix EDE 22 time out detection. ``8662424442c`` + + Extended DNS error 22 (No reachable authority) was previously detected + when `fctx_expired` fired. It turns out this function is used as a + "safety net" and the timeout detection should be caught earlier. + + It was working though, because of another issue fixed by !9927. But + then, the recursive request timed out detection occurs before + `fctx_expired` making impossible to raise the EDE 22 error. + + This fixes the problem by triggering the EDE 22 in the part of the + code detecting the (TCP or UDP) time out and taking the decision to + cancel the whole fetch (i.e. There is no other server to attempt to + contact). + + Note this is not targeting users (no release note) because there is no + release versions of BIND between !9927 and this changes. Thus a + release note would be confusing. :gl:`#5137` :gl:`!10001` + +- Split and simplify the use of EDE list implementation. ``23a9bed310b`` + + Instead of mixing the dns_resolver and dns_validator units directly + with the EDE code, split-out the dns_ede functionality into own + separate compilation unit and hide the implementation details behind + abstraction. + + Additionally, the new dns_edelist_t doesn't have to be copied into all + responses as those are attached to the fetch context, but it could be + only passed by reference. + + This makes the dns_ede implementation simpler to use, although sligtly + more complicated on the inside. :gl:`#5141` :gl:`!10030` + +- Fix the cache findzonecut() implementation. ``619f163e680`` + + The search for the deepest known zone cut in the cache could + improperly reject a node if it contained any stale data, regardless of + whether it was the NS RRset that was stale. :gl:`#5155` :gl:`!10050` + +- DNSSEC EDE system tests on FIPS platform. ``917181b4e27`` + + Changes introducing the support of extended DNS error code 1 and 2 + uses SHA-1 digest for some tests which break FIPS platform. The digest + itself was irrelevant, another digest is used. :gl:`!10031` + +- Reduce the false sharing the dns_qpcache and dns_qpzone. + ``5c27e9cdda6`` + + Instead of having many node_lock_count * sizeof() arrays, pack + all the members into a qpcache_bucket_t that is cacheline aligned to + prevent false sharing between RWLocks. :gl:`!10074` + + diff --git a/doc/notes/notes-9.20.6.rst b/doc/notes/notes-9.20.6.rst new file mode 100644 index 0000000000..9bfa5a3dfe --- /dev/null +++ b/doc/notes/notes-9.20.6.rst @@ -0,0 +1,85 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.6 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Adds support for EDE code 1 and 2. + + Support was added for EDE codes 1 and 2, which might occur during DNSSEC + validation in the case of an unsupported RRSIG algorithm or DNSKEY digest. + :gl:`#2715` + +- Add an :iscman:`rndc` command to toggle jemalloc profiling. + + The new command is :option:`rndc memprof`; the memory profiling status is also + reported inside :option:`rndc status`. The status shows whether + :iscman:`named` can toggle memory profiling, and whether the server is built + with jemalloc. :gl:`#4759` + +- Add support for multiple extended DNS errors. + + The Extended DNS Error (EDE) mechanism may raise errors + during a DNS resolution. :iscman:`named` is now able to add up to three EDE + codes in a DNS response. If there are duplicate error codes, only + the first one is part of the DNS response. :gl:`#5085` + +- Print the expiration time of stale records. + + BIND now prints the expiration time of any stale RRsets in the cache dump. + +Bug Fixes +~~~~~~~~~ + +- Recently expired records could be returned with a timestamp in future. + + Under rare circumstances, an RRSet that expired at the time of the + query could be returned with a TTL in the future. This has been + fixed. + + As a side effect, the expiration time of expired RRSets is no longer + returned in a cache dump. :gl:`#5094` + +- YAML string not terminated in negative response in delv. + + :gl:`#5098` + +- Fix a bug in :iscman:`dnssec-signzone` related to keys being offline. + + When :iscman:`dnssec-signzone` was called on an already-signed + zone and the private key file was unavailable, a signature that needed + to be refreshed was dropped without being able to generate a + replacement. This has been fixed. :gl:`#5126` + +- Apply the memory limit only to ADB database items. + + Under heavy load, a resolver could exhaust the memory available for + storing the information in the Address Database (ADB), effectively + discarding previously stored information in the ADB. The memory used to + retrieve and provide information from the ADB is no longer subject to + the same memory limits that are applied to + the Address Database. :gl:`#5127` + +- Avoid unnecessary locking in the zone/cache database. + + Lock contention among many worker threads referring to the + same database node at the same time is now prevented. This improves zone and + cache database performance for any heavily contended database nodes. + :gl:`#5130` + +- Fix reporting of Extended DNS Error 22 (No Reachable Authority). + + This error code was previously not reported in some applicable + situations. This has been fixed. :gl:`#5137` +