From b08e54a0d201241e697ce063e9d8c506ad25e5c4 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 2 Mar 2023 11:42:45 +0100 Subject: [PATCH 1/6] Move "disallow merging to maintained branches" closer to tagging Updating GitLab settings for all maintained branches to disallow merging to them has an unfortunate consequence: daily scheduled pipelines won't be executed anymore. This is a problem because we need the pipelines to ensure no new bugs were introduced just before a code freeze. The "Announce (on Mattermost) that the code freeze is in effect" item is still in place but is now more of a social "disallow merging to maintained branches". --- .gitlab/issue_templates/Release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab/issue_templates/Release.md b/.gitlab/issue_templates/Release.md index 16cc0c73b8..6243739f7d 100644 --- a/.gitlab/issue_templates/Release.md +++ b/.gitlab/issue_templates/Release.md @@ -36,7 +36,6 @@ - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1]. - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only). - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported. - - [ ] ***(QA)*** Update GitLab settings for all maintained branches to disallow merging to them. - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is in effect. ### Before the Tagging Deadline 
@@ -46,6 +45,7 @@ - [ ] ***(QA)*** Add a release marker to `CHANGES.SE` (Subscription Edition only). - [ ] ***(QA)*** Update BIND 9 version in `configure.ac` (9.18+) or `version` (9.16). - [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org` (9.16). + - [ ] ***(QA)*** Update GitLab settings for all maintained branches to disallow merging to them. - [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9_x_y`). ### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases) From 9b944eb8a5a2b2f06ab3092d26e09b0a466243e2 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Thu, 2 Mar 2023 13:02:48 +0100 Subject: [PATCH 2/6] Add release metadata update to release checklist The release engineering automation we have relies on up-to-date information about our upcoming release plans. Ensure these are updated at the end of each release cycle. --- .gitlab/issue_templates/Release.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab/issue_templates/Release.md b/.gitlab/issue_templates/Release.md index 6243739f7d..e468784d04 100644 --- a/.gitlab/issue_templates/Release.md +++ b/.gitlab/issue_templates/Release.md 
@@ -90,6 +90,7 @@ - [ ] ***(QA)*** Sanitize confidential issues which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2]. - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Black, PyLint, Sphinx) by modifying the relevant `Dockerfile`. - [ ] ***(QA)*** Run a pipeline to rebuild all [images](https://gitlab.isc.org/isc-projects/images) used in GitLab CI. + - [ ] ***(QA)*** Update [`metadata.json`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/metadata.json) with the upcoming release information. [^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone. [^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure. From d4ab5a476c82358e85e9d076d2d52e2791258b31 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Thu, 2 Mar 2023 10:19:08 +0100 Subject: [PATCH 3/6] Prepare release notes for BIND 9.19.11 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.19.11.rst} | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) rename doc/notes/{notes-current.rst => notes-9.19.11.rst} (94%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index cc306dd23d..9562cdb3ed 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,7 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.11.rst .. include:: ../notes/notes-9.19.10.rst .. include:: ../notes/notes-9.19.9.rst .. include:: ../notes/notes-9.19.8.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.19.11.rst similarity index 94% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.19.11.rst index 60dfc975f4..e4ea966780 100644 --- a/doc/notes/notes-current.rst 
+++ b/doc/notes/notes-9.19.11.rst @@ -12,16 +12,9 @@ Notes for BIND 9.19.11 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ -- None. - - When using :any:`dnssec-policy`, you can now configure the digest type to use when ``CDS`` records need to be published with `cds-digest-types`. Also, with ``dnssec-signzone -G`` you can set which CDNSKEY/CDS records you want to @@ -82,4 +75,6 @@ Bug Fixes Known Issues ~~~~~~~~~~~~ -- None. +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. From 3838c56ed858bae753b9da9aa44afaf1126294d2 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Thu, 2 Mar 2023 10:23:12 +0100 Subject: [PATCH 4/6] Tweak and reword release notes --- doc/notes/notes-9.19.11.rst | 49 +++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/doc/notes/notes-9.19.11.rst b/doc/notes/notes-9.19.11.rst index e4ea966780..dd503921de 100644 --- a/doc/notes/notes-9.19.11.rst +++ b/doc/notes/notes-9.19.11.rst 
@@ -15,35 +15,35 @@ Notes for BIND 9.19.11 New Features ~~~~~~~~~~~~ -- When using :any:`dnssec-policy`, you can now configure the digest type to - use when ``CDS`` records need to be published with `cds-digest-types`. Also, - with ``dnssec-signzone -G`` you can set which CDNSKEY/CDS records you want to - publish. :gl:`#3837` +- When using :any:`dnssec-policy`, it is now possible to configure the + digest type to use when ``CDS`` records need to be published with + :any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS + records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837` Removed Features ~~~~~~~~~~~~~~~~ -- Support for Red Hat Enterprise Linux version 7 (and clones) has been dropped. - A C11 compliant compiler (or better) is now required to compile BIND 9. +- Support for Red Hat Enterprise Linux version 7 (and clones) has been + dropped. A C11-compliant compiler is now required to compile BIND 9. :gl:`#3729` - The functions that were in the ``libbind9`` shared library have been - moved to the ``libisc`` and ``libisccfg`` libraries, and the - now-empty ``libbind9`` has been removed and is no longer installed. + moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty + ``libbind9`` has been removed and is no longer installed. :gl:`#3903` - The ``irs_resconf`` module has been moved to the ``libdns`` shared - library and the now-empty ``libirs`` library has been removed and is - no longer installed. + library. The now-empty ``libirs`` library has been removed and is no + longer installed. :gl:`#3904` Feature Changes ~~~~~~~~~~~~~~~ -- libuv support for receiving multiple UDP messages in a single system - call (``recvmmsg()``) has been tweaked several times between libuv - versions 1.35.0 and 1.40.0; the recommended libuv version is 1.40.0 or - higher. New rules are now in effect for running with a different - version of libuv than the one used at compilation time. 
These rules - may trigger a fatal error at startup: +- libuv support for receiving multiple UDP messages in a single + ``recvmmsg()`` system call has been tweaked several times between + libuv versions 1.35.0 and 1.40.0; the current recommended libuv + version is 1.40.0 or higher. New rules are now in effect for running + with a different version of libuv than the one used at compilation + time. These rules may trigger a fatal error at startup: - Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error. @@ -59,18 +59,19 @@ Feature Changes failure when receiving multiple UDP messages in a single system call. :gl:`#3840` -- Run catalog zone updates on the specialized "offload" threads to reduce the - amount of time they block query processing on the main networking - threads. This should increase the responsiveness of :iscman:`named` - when catalog zone updates are being applied after a catalog zone has been - successfully transferred. :gl:`#3881` +- Catalog zone updates are now run on specialized "offload" threads to + reduce the amount of time they block query processing on the main + networking threads. This increases the responsiveness of + :iscman:`named` when catalog zone updates are being applied after a + catalog zone has been successfully transferred. :gl:`#3881` Bug Fixes ~~~~~~~~~ -- :iscman:`named` could crash with an assertion failure when adding a new zone - into the configuration file for a name, which is already configured as a - member zone for a catalog zone. This has been fixed. :gl:`#3911` +- :iscman:`named` could crash with an assertion failure when adding a + new zone into the configuration file for a name which was already + configured as a member zone for a catalog zone. This has been fixed. + :gl:`#3911` Known Issues ~~~~~~~~~~~~ From 86bd0c719e54fb9894ff725e8d453fec7416b861 Mon Sep 17 00:00:00 2001 
From: Tom Krizek Date: Thu, 2 Mar 2023 10:41:54 +0100 Subject: [PATCH 5/6] Reorder release notes --- doc/notes/notes-9.19.11.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/notes/notes-9.19.11.rst b/doc/notes/notes-9.19.11.rst index dd503921de..34df938681 100644 --- a/doc/notes/notes-9.19.11.rst +++ b/doc/notes/notes-9.19.11.rst @@ -38,6 +38,12 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ +- Catalog zone updates are now run on specialized "offload" threads to + reduce the amount of time they block query processing on the main + networking threads. This increases the responsiveness of + :iscman:`named` when catalog zone updates are being applied after a + catalog zone has been successfully transferred. :gl:`#3881` + - libuv support for receiving multiple UDP messages in a single ``recvmmsg()`` system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv @@ -59,12 +65,6 @@ Feature Changes failure when receiving multiple UDP messages in a single system call. :gl:`#3840` -- Catalog zone updates are now run on specialized "offload" threads to - reduce the amount of time they block query processing on the main - networking threads. This increases the responsiveness of - :iscman:`named` when catalog zone updates are being applied after a - catalog zone has been successfully transferred. :gl:`#3881` - Bug Fixes ~~~~~~~~~ From 8f315605ba919b06b82f4c081592c2e639b123fd Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Thu, 2 Mar 2023 10:43:07 +0100 Subject: [PATCH 6/6] Add release note for GL #3673 --- doc/notes/notes-9.19.11.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/notes/notes-9.19.11.rst b/doc/notes/notes-9.19.11.rst index 34df938681..a4aafb9d70 100644 --- a/doc/notes/notes-9.19.11.rst +++ b/doc/notes/notes-9.19.11.rst 
@@ -73,6 +73,14 @@ Bug Fixes configured as a member zone for a catalog zone. This has been fixed. :gl:`#3911` +- When :iscman:`named` starts up, it sends a query for the DNSSEC key + for each configured trust anchor to determine whether the key has + changed. In some unusual cases, the query might depend on a zone for + which the server is itself authoritative, and would have failed if it + were sent before the zone was fully loaded. This has now been fixed by + delaying the key queries until all zones have finished loading. + :gl:`#3673` + Known Issues ~~~~~~~~~~~~
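Review bot: in PATCH 1/6, the "Announce (on Mattermost) that the code freeze is in effect" item kept as context in the first hunk of Release.md is now the only freeze control until tagging, but the checklist text does not say so. Suggest rewording that item to state that merging stays technically enabled so the daily scheduled pipelines keep running, and that branch settings are locked later under "Before the Tagging Deadline". At present that rationale lives only in the commit message.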
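Review bot: in PATCH 2/6, the added metadata.json item in the "@@ -90,6 +90,7 @@" hunk says only "with the upcoming release information", which does not tell the person running the checklist what has to change. Suggest naming the fields or entries to update, since the commit message says the release automation relies on this data being current. The link also points into isc-private/bind-qa, so it resolves only for people with access to that repository; worth confirming that is acceptable for this template.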
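Review bot: in PATCH 3/6, the first hunk of notes-9.19.11.rst deletes the whole "Security Fixes" section instead of leaving an explicit statement, so the published notes no longer say whether this release contains security fixes. The Known Issues hunk in the same patch gets an explicit "There are no new known issues with this release" sentence; suggest either treating Security Fixes the same way or confirming that dropping empty sections is the intended convention.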
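Review bot: in PATCH 3/6, the :ref: role added in the Known Issues hunk ("@@ -82,4 +75,6 @@") appears in this copy with the link text "above" but no target label after it. Please confirm the committed line carries the label of the known-issues section pulled in from notes-known-issues.rst, since an unresolved :ref: target produces a Sphinx warning and a dead cross-reference.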
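Review bot: in PATCH 4/6, the New Features bullet in the "@@ -15,35 +15,35 @@" hunk switches cds-digest-types to an :any: role and dnssec-signzone -G to an :option: role, and both need matching documented targets to render as links. Suggest running a docs build with warnings enabled before tagging to confirm that both resolve.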
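Review bot: in PATCH 4/6, the catalog zone bullet in the "@@ -59,18 +59,19 @@" hunk changes "This should increase the responsiveness" to "This increases the responsiveness", which turns an expectation into a stated result. Suggest keeping the hedge unless there are measurements to cite for :gl:`#3881`.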
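Review bot: in PATCH 6/6, the new Bug Fixes entry for :gl:`#3673` says the startup key query "would have failed" but not what an operator would have observed as a result. Suggest adding one clause on the visible effect of that failure, and making the tenses consistent: "might depend ... would have failed if it were sent" sits beside present-tense "sends", so something like "could depend ... and failed if it was sent before the zone was fully loaded" reads more cleanly.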