Merge tag 'v9.20.6' into bind-9.20

2025-08-30 14:07:59 +00:00 · 2025-02-19 17:43:41 +01:00
parent 0682684028 72cbad0469
commit 5f6080a959
4 changed files with 247 additions and 0 deletions
--- a/doc/arm/changelog.rst
+++ b/doc/arm/changelog.rst
@@ -18,6 +18,7 @@ Changelog
   development. Regular users should refer to :ref:`Release Notes <relnotes>`
   for changes relevant to them.
 .. include:: ../changelog/changelog-9.20.6.rst
 .. include:: ../changelog/changelog-9.20.5.rst
 .. include:: ../changelog/changelog-9.20.4.rst
 .. include:: ../changelog/changelog-9.20.3.rst
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be
 found at
 https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20
 .. include:: ../notes/notes-9.20.6.rst
 .. include:: ../notes/notes-9.20.5.rst
 .. include:: ../notes/notes-9.20.4.rst
 .. include:: ../notes/notes-9.20.3.rst
--- a/doc/changelog/changelog-9.20.6.rst
+++ b/doc/changelog/changelog-9.20.6.rst
@@ -0,0 +1,160 @@
 .. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ..
 .. SPDX-License-Identifier: MPL-2.0
 ..
 .. This Source Code Form is subject to the terms of the Mozilla Public
 .. License, v. 2.0.  If a copy of the MPL was not distributed with this
 .. file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ..
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 BIND 9.20.6
 -----------
 New Features
 ~~~~~~~~~~~~
 - Adds support for EDE code 1 and 2. ``b3eab79bc18``
  Add support for EDE codes 1 & 2 which might occurs during DNSSEC
  validation in case of unsupported RRSIG algorithm or DNSKEY digest.
  :gl:`#2715` :gl:`!9996`
 - Add a rndc command to toggle jemalloc profiling. ``38c51c84014``
  The new command is `rndc memprof`. The memory profiling status is also
  reported inside `rndc status`. The status also shows whether named can
  toggle memory profiling or not and if the server is built with
  jemalloc. :gl:`#4759` :gl:`!10000`
 - Add support for multiple extended DNS errors. ``4d945128dc1``
  Extended DNS error mechanism (EDE) may have several errors raised
  during a DNS resolution. `named` is now able to add up to three EDE
  codes in a DNS response. In the case of duplicate error codes, only
  the first one will be part of the DNS response. :gl:`#5085`
  :gl:`!9978`
 - Print the expiration time of the stale records. ``b5cce0f5972``
  Print the expiration time of the stale RRsets in the cache dump.
  :gl:`!10061`
 Feature Changes
 ~~~~~~~~~~~~~~~
 - Refactor reference counting in both QPDB and RBTDB. ``3244f7848fd``
  Clean up the pattern in the newref() and decref() functions in QP and
  RBTDB databases.  Replace the `db_nodelock_t` structure with plain
  reference counting for every active database node in QPDB.
  Related to #5134 :gl:`!10035`
 - Shutdown the fetch context after canceling the last fetch.
  ``55b7cc9596e``
  Shutdown the fetch context immediately after the last fetch has been
  canceled from that particular fetch context. :gl:`!9977`
 Bug Fixes
 ~~~~~~~~~
 - Fix possible truncation in dns_keymgr_status() ``1333dac316c``
  If the generated status output exceeds 4096 it was silently truncated,
  now we output that the status was truncated. :gl:`#4180` :gl:`!9981`
 - Recently expired records could be returned with timestamp in future.
  ``9a4df4caac0``
  Under rare circumstances, the RRSet that expired at the time of the
  query could be returned with TTL far in the future.  This has been
  fixed.
  As a side-effect, the expiration time of expired RRSets are no longer
  printed out in the cache dump. :gl:`#5094` :gl:`!10059`
 - Yaml string not terminated in negative response in delv.
  ``74640b3613c``
  :gl:`#5098` :gl:`!9979`
 - Fix a bug in dnssec-signzone related to keys being offline.
  ``ddda6cb59e5``
  In the case when `dnssec-signzone` is called on an already signed
  zone, and the private key file is unavailable, a signature that needs
  to be refreshed may be dropped without being able to generate a
  replacement. This has been fixed. :gl:`#5126` :gl:`!9982`
 - Apply the memory limit only to ADB database items. ``0ab22458f51``
  Resolver under heavy-load could exhaust the memory available for
  storing the information in the Address Database (ADB) effectively
  evicting already stored information in the ADB.  The memory used to
  retrieve and provide information from the ADB is now not a subject of
  the same memory limits that are applied for storing the information in
  the Address Database. :gl:`#5127` :gl:`!9975`
 - Avoid unnecessary locking in the zone/cache database. ``60b81239de1``
  Prevent lock contention among many worker threads referring to the
  same database node at the same time. This would improve zone and cache
  database performance for the heavily contended database nodes.
  :gl:`#5130` :gl:`!9964`
 - Fix EDE 22 time out detection. ``8662424442c``
  Extended DNS error 22 (No reachable authority) was previously detected
  when `fctx_expired` fired. It turns out this function is used as a
  "safety net" and the timeout detection should be caught earlier.
  It was working though, because of another issue fixed by !9927. But
  then, the recursive request timed out detection occurs before
  `fctx_expired` making impossible to raise the EDE 22 error.
  This fixes the problem by triggering the EDE 22 in the part of the
  code detecting the (TCP or UDP) time out and taking the decision to
  cancel the whole fetch (i.e. There is no other server to attempt to
  contact).
  Note this is not targeting users (no release note) because there is no
  release versions of BIND between !9927 and this changes. Thus a
  release note would be confusing. :gl:`#5137` :gl:`!10001`
 - Split and simplify the use of EDE list implementation. ``23a9bed310b``
  Instead of mixing the dns_resolver and dns_validator units directly
  with the EDE code, split-out the dns_ede functionality into own
  separate compilation unit and hide the implementation details behind
  abstraction.
  Additionally, the new dns_edelist_t doesn't have to be copied into all
  responses as those are attached to the fetch context, but it could be
  only passed by reference.
  This makes the dns_ede implementation simpler to use, although sligtly
  more complicated on the inside. :gl:`#5141` :gl:`!10030`
 - Fix the cache findzonecut() implementation. ``619f163e680``
  The search for the deepest known zone cut in the cache could
  improperly reject a node if it contained any stale data, regardless of
  whether it was the NS RRset that was stale. :gl:`#5155` :gl:`!10050`
 - DNSSEC EDE system tests on FIPS platform. ``917181b4e27``
  Changes introducing the support of extended DNS error code 1 and 2
  uses SHA-1 digest for some tests which break FIPS platform. The digest
  itself was irrelevant, another digest is used. :gl:`!10031`
 - Reduce the false sharing the dns_qpcache and dns_qpzone.
  ``5c27e9cdda6``
  Instead of having many node_lock_count * sizeof(<member>) arrays, pack
  all the members into a qpcache_bucket_t that is cacheline aligned to
  prevent false sharing between RWLocks. :gl:`!10074`
--- a/doc/notes/notes-9.20.6.rst
+++ b/doc/notes/notes-9.20.6.rst
@@ -0,0 +1,85 @@
 .. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ..
 .. SPDX-License-Identifier: MPL-2.0
 ..
 .. This Source Code Form is subject to the terms of the Mozilla Public
 .. License, v. 2.0.  If a copy of the MPL was not distributed with this
 .. file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ..
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 Notes for BIND 9.20.6
 ---------------------
 New Features
 ~~~~~~~~~~~~
 - Adds support for EDE code 1 and 2.
  Support was added for EDE codes 1 and 2, which might occur during DNSSEC
  validation in the case of an unsupported RRSIG algorithm or DNSKEY digest.
  :gl:`#2715`
 - Add an :iscman:`rndc` command to toggle jemalloc profiling.
  The new command is :option:`rndc memprof`; the memory profiling status is also
  reported inside :option:`rndc status`. The status shows whether
  :iscman:`named` can toggle memory profiling, and whether the server is built
  with jemalloc. :gl:`#4759`
 - Add support for multiple extended DNS errors.
  The Extended DNS Error (EDE) mechanism may raise errors
  during a DNS resolution. :iscman:`named` is now able to add up to three EDE
  codes in a DNS response. If there are duplicate error codes, only
  the first one is part of the DNS response. :gl:`#5085`
 - Print the expiration time of stale records.
  BIND now prints the expiration time of any stale RRsets in the cache dump.
 Bug Fixes
 ~~~~~~~~~
 - Recently expired records could be returned with a timestamp in future.
  Under rare circumstances, an RRSet that expired at the time of the
  query could be returned with a TTL in the future. This has been
  fixed.
  As a side effect, the expiration time of expired RRSets is no longer
  returned in a cache dump. :gl:`#5094`
 - YAML string not terminated in negative response in delv.
  :gl:`#5098`
 - Fix a bug in :iscman:`dnssec-signzone` related to keys being offline.
  When :iscman:`dnssec-signzone` was called on an already-signed
  zone and the private key file was unavailable, a signature that needed
  to be refreshed was dropped without being able to generate a
  replacement. This has been fixed. :gl:`#5126`
 - Apply the memory limit only to ADB database items.
  Under heavy load, a resolver could exhaust the memory available for
  storing the information in the Address Database (ADB), effectively
  discarding previously stored information in the ADB. The memory used to
  retrieve and provide information from the ADB is no longer subject to
  the same memory limits that are applied to
  the Address Database. :gl:`#5127`
 - Avoid unnecessary locking in the zone/cache database.
  Lock contention among many worker threads referring to the
  same database node at the same time is now prevented. This improves zone and
  cache database performance for any heavily contended database nodes.
  :gl:`#5130`
 - Fix reporting of Extended DNS Error 22 (No Reachable Authority).
  This error code was previously not reported in some applicable
  situations.  This has been fixed. :gl:`#5137`