From 80a71263d7730e4a47a808a0bfabc0f8d2a2d7b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 3 Apr 2025 13:10:36 +0200 Subject: [PATCH] Generate changelog for BIND 9.21.7 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.21.7.rst | 359 +++++++++++++++++++++++++++++ 2 files changed, 360 insertions(+) create mode 100644 doc/changelog/changelog-9.21.7.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 3c6efd6929..6723be7e21 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.7.rst .. include:: ../changelog/changelog-9.21.6.rst .. include:: ../changelog/changelog-9.21.5.rst .. include:: ../changelog/changelog-9.21.4.rst diff --git a/doc/changelog/changelog-9.21.7.rst b/doc/changelog/changelog-9.21.7.rst new file mode 100644 index 0000000000..1231887055 --- /dev/null +++ b/doc/changelog/changelog-9.21.7.rst 
@@ -0,0 +1,359 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.7 +----------- + +New Features +~~~~~~~~~~~~ + +- Add support for EDE 20 (Not Authoritative) ``45ee3715e1`` + + Support was added for EDE codes 20 (Not Authoritative) when client + requests recursion (RD) but the server has recursion disabled. + + RFC 8914 mention EDE 20 should also be returned if the client doesn't + have the RD bit set (and recursion is needed) but it doesn't apply for + BIND as BIND would try to resolve from the "deepest" referral in + AUTHORITY section. For example, if the client asks for "www.isc.org/A" + but the server only knows the root domain, it will return NOERROR but + no answer for "www.isc.og/A", just the list of other servers to ask. + :gl:`#1836` :gl:`!10228` + +- Add support for EDE 7 and EDE 8. ``e66dc07c68`` + + Support was added for EDE codes 7 (Signature Expired) and 8 (Signature + Not Yet Valid) which might occur during DNSSEC validation. :gl:`#2715` + :gl:`!10225` + +- Add support for EDNS ZONEVERSION option. ``908840157e`` + + `dig` and `named` can now make requests with an EDNS `ZONEVERSION` + option present. + + Two new `named.conf` options have been added: `request-zoneversion` + and `provide-zoneversion`. `request-zoneversion` is `off` by default. + `provide-zoneversion` is `on` by default. :gl:`#4767` :gl:`!9103` + +- Dig can now display the received BADVERS message during negotiation. + ``3397212df3`` + + Dig +showbadvers now displays the received BADVERS message and + continues the EDNS version negotiation. 
Previously to see the BADVERS + message +noednsneg had to be specified which terminated the EDNS + negotiation. Additionally the specified EDNS value (+edns=value) is + now used when making all the initial queries with +trace. i.e EDNS + version negotiation will be performed with each server when performing + the trace. :gl:`#5234` :gl:`!10234` + +- Add an rndc command to reset some statistics counters. ``234b9d4922`` + + The new ``reset-stats`` command for ``rndc`` allows some statistics + counters to be reset during runtime. At the moment only two + "high-water" counters are supported, so the ability to reset them + after the initial peaks during the server's "warm-up" phase may be + useful for some operators. :gl:`#5251` :gl:`!10318` + +- Implement -T cookiealwaysvalid. ``ae2fd7ef15`` + + When `-T cookiealwaysvalid` is passed to `named`, DNS cookie checks + for the incoming queries always pass, given they are structurally + correct. :gl:`!10232` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Cleanup dead code: CID 548247. ``6bbdb1980e`` + + Clean up dead code following merge of !10302. :gl:`#5262` :gl:`!10346` + +- Cleanup BIND 8 compatibility code. ``575a2e5f11`` + + There was some code in dns_resolver unit meant to keep compatibility + with BIND 8 breaking the DNS protocol. These should not be needed + anymore. :gl:`!10270` + +- Drop readline alternatives in favor of libedit. ``cbffddcdb9`` + + Libedit is now ubiquitous and has a license compatible with MPL 2.0. + We are now dropping readline (GPL 3.0) and editline (obsolete) support + in favor of libedit. :gl:`!10202` + +- Implement the systemd notification protocol manually to remove + dependency on libsystemd. ``deb18174cd`` + + :gl:`!10263` + +- Remove dns_qpmulti_lockedread declaration. ``58dfbe3863`` + + This function was removed in 6217e434b57bd5d60ed69f792ae9a1a65a008f57 + but not from the header file. :gl:`!10308` + +- Remove lock upgrading from the hot path in the QP cache. 
+ ``e1af47b829`` + + In QPcache, there were two places that tried to upgrade the lock. In + `clean_stale_header()`, the code would try to upgrade the lock and + clean up the header, and in `qpzonode_release()`, the tree lock would + be optionally upgraded, so we can clean up the node directly if empty. + These optimizations are not needed and they have no effect on the + performance. :gl:`!10305` + +- Remove unnecessary options in dnssec-keygen and dnssec-keyfromlabel. + ``b0f8b443c9`` + + The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was + derived from it) had several options dating to the time when keys in + DNS were still experimental and not fully specified, and when + `dnssec-keygen` had the additional function of generating TSIG keys, + which are now generated by `tsig-keygen`. These options are no longer + necessary in the modern DNSSEC environment, and have been removed. + + The removed options are: - `-t` (key type), which formerly set flags + to disable confidentiality or authentication support in a key; these + are no longer used. - `-n` (name type), which is now always set to + "ZONE" for DNSKEY and "HOST" for KEY. - `-p` (protocol), which is now + always set to 3 (DNSSEC); no other value has ever been defined. - `-s` + (signatory field), which was never fully defined. - `-d` (digest + bits), which is meaningful only for TSIG keys. :gl:`!10262` + +Feature Changes +~~~~~~~~~~~~~~~ + +- When forwarding, query with CD=0 first. ``25c91dffcc`` + + Previously, when queries were forwarded to a remote resolver, the CD + (checking disabled) bit was used, which could lead to bogus data being + retrieved that might have been corrected if validation had been + permitted. The CD bit is now only used as a fallback if an initial + query without CD fails. :gl:`#5132`. :gl:`!10024` + +- Remove zero initialization of large buffers. ``b407f9caa8`` + + Profiles show that an high amount of CPU time spent in memset. 
By + removing zero initalization of certain large buffers we improve + performance in certain authoritative workloads. :gl:`#5159` + :gl:`!10058` + +- Carefully check if the server name used for SNI is a hostname. + ``b6e6430b54`` + + Previously the code would not check if the string intended to be used + for SNI is a hostname. + + See also: !9923 :gl:`#5225` :gl:`!10254` + +- Improve the LRU cache-expiration mechanism. ``f70d8b4252`` + + Improve the LRU cache-expiration mechanism to a SIEVE-LRU based + mechanism that triggers when the cache is close to the + `max-cache-size` limit. This improves the recursive server + performance. :gl:`!10153` + +- Switch symtab to use fxhash hashing. ``d3db9ccf53`` + + This merge request resolves some performance regressions introduced + with the change from isc_symtab_t to isc_hashmap_t. + + The key improvements are: + + 1. Using a faster hash function than both isc_hashmap_t and + isc_symtab_t. The previous implementation used SipHash, but the + hashflood resistance properties of SipHash are unneeded for config + parsing. 2. Shrinking the initial size of the isc_hashmap_t used + inside isc_symtab_t. Symtab is mainly used for config parsing, and + the when used that way it will have between 1 and 50 keys, but the + previous implementation initialized a map with 128 slots. By + initializing a smaller map, we speed up mallocs and optimize for + the typical case of few config keys. 3. Slight optimization of the + string matching in the hashmap, so that the tail is handled in a + single load + comparison, instead of byte by byte. Of the three + improvements, this is the least important. :gl:`!10204` + +Bug Fixes +~~~~~~~~~ + +- QNAME minimization could leak the query type. ``42799ae81f`` + + When performing QNAME minimization, `named` now sends an NS query for + the original query name, before sending the final query. 
This prevents + the parent zone from learning the original query type, in the event + that the query name is a delegation point. + + For example, when looking up an address record for `example.com`, NS + queries are now sent to the servers for both `com` and `example.com`, + before the address query is sent to the servers for `example.com`. + Previously, an address query would have been sent to the servers for + `com`. :gl:`#4805` :gl:`!9155` + +- Add missing locks when returning addresses. ``06427720f7`` + + Add missing locks in dns_zone_getxfrsource4 et al. Addresses CID + 468706, 468708, 468741, 468742, 468785, and 468778. + + Cleanup dns_zone_setxfrsource4 et al to now return void. + + Remove double copies with dns_zone_getprimaryaddr and + dns_zone_getsourceaddr. :gl:`#4933` :gl:`!9485` + +- Stop caching lack of EDNS support. ``ebf5c87a53`` + + `named` could falsely learn that a server doesn't support EDNS when a + spoofed response was received; that subsequently prevented DNSSEC + lookups from being made. This has been fixed. :gl:`#3949` :gl:`#5066` + +- Step() could ignore rollbacks. ``3b0b658a52`` + + The `step()` function (used for stepping to the prececessor or + successor of a database node) could overlook a node if there was an + rdataset that was marked IGNORE because it had been rolled back, + covering an active rdataset under it. :gl:`#5170` :gl:`!10103` + +- Fix resolver statistics counters for timed out responses. + ``d30b9eb46e`` + + When query responses timed out, the resolver could incorrectly + increase the regular responses counters, even if no response was + received. This has been fixed. :gl:`#5193` :gl:`!10227` + +- Nested DNS validation could cause assertion failure. ``bc8799ee17`` + + When multiple nested DNS validations were destroyed out of order, the + EDE context could be freed before all EDE codes were copied, which + could cause an assertion failure. This has been fixed. 
:gl:`#5213` + :gl:`!10365` + +- Ensure max-clients-per-query is at least clients-per-query. + ``6ac4cfb948`` + + If the `max-clients-per-query` option is set to a lower value than + `clients-per-query`, the value is adjusted to match + `clients-per-query`. :gl:`#5224` :gl:`!10241` + +- Fix CID 544147: Code maintainability issues (UNUSED_VALUE) + ``3973c2e8c3`` + + Assigning value "NULL" to "newstr", but that stored value is + overwritten before it can be used. + + Setting "newstr" to NULL does not have any effect, so the line can + safely be removed. :gl:`#5227` :gl:`!10239` + +- Fix handling of revoked keys. ``025ef4d7b8`` + + When a key is revoked, its key ID changes due to the inclusion of the + "revoked" flag. A collision between this changed key ID and an + unrelated public-only key could cause a crash in `dnssec-signzone`. + :gl:`#5231` :gl:`!10233` + +- Fix adbname reference. ``49ecb158d4`` + + Call `dns_adbname_ref` before calling `dns_resolver_createfetch` to + ensure `adbname->name` remains stable for the life of the fetch. + :gl:`#5239` :gl:`!10290` + +- Fix write after free in validator code. ``329a332708`` + + Raw integer pointers were being used for the validator's nvalidations + and nfails values but the memory holding them could be freed before + they ceased to be used. Use reference counted counters instead. + :gl:`#5239` :gl:`!10248` + +- Don't enforce NOAUTH/NOCONF flags in DNSKEYs. ``d18787b134`` + + All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH` + (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type, + and are not applicable to DNSKEY. Previously, however, because the + DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag + prevented authentication in DNSKEYs as well. This has been corrected. + :gl:`#5240` :gl:`!10261` + +- Fix several small DNSSEC timing issues. 
``d2214cb704`` + + The following small issues related to `dnssec-policy` have been fixed: + - In some cases the key manager inside BIND 9 could run every hour, + while it could have run less often. - While `CDS` and `CDNSKEY` + records will be removed correctly from the zone when the corresponding + `DS` record needs to be updated, the expected timing metadata when + this will happen was never set. - There were a couple of cases where + the safety intervals are added inappropriately, delaying key rollovers + longer than necessary. - If you have identical `keys` in your + `dnssec-policy`, they may be retired inappropriately. Note that having + keys with identical properties is discouraged in all cases. + :gl:`#5242` :gl:`!10251` + +- Copy __FILE__ when allocating memory. ``0d6839d832`` + + When allocating memory under -m trace|record, the __FILE__ pointer is + stored, so it can be printed out later in order to figure out in which + file an allocation leaked. (among others, like the line number). + + However named crashes when called with -m record and using a plugin + leaking memory. The reason is that plugins are unloaded earlier than + when the leaked allocations are dumped (obviously, as it's done as + late as possible). In such circumstances, `__FILE__` is dangling + because the dynamically loaded library (the plugin) is not in memory + anymore. + + Fix the crash by systematically copying the `__FILE__` string instead + of copying the pointer. Of course, this make each allocation to + consume a bit more memory (and longer, as it needs to calculate the + length of `__FILE__`) but this occurs only under -m trace|record + debugging flags. :gl:`!10320` + +- Fix a bug in the ns_query's get_key() function. ``75060cbd63`` + + After a refactoring in 2e6107008dae09d32e3d34fb5423b3d78c4ff651 the + dst_key_free() call is invalid and can cause an assertion. Remove the + dst_key_free() call. :gl:`!10311` + +- Fix invalid cache-line padding for qpcache buckets. 
``7861042a27`` + + The isc_queue_t was missing in the calculation of the required padding + size inside the qpcache bucket structure. :gl:`!10306` + +- Optimize key ID check when searching for matching keys. ``3415392d01`` + + When searching through a DNSKEY or KEY rrset for the key matching a + particular algorithm and ID, it's a waste of time to convert every key + into a `dst_key` object; it's faster to compute the key ID from the + rdata, then do the full key conversion after determining that we've + found the right key. This optimization was already used in the + validator, but it's been refactored for code clarity, and is now also + used in query.c and message.c. :gl:`!10258` + +- Refactor to use list-like macro for message sections. ``1d14612bb9`` + + In the code base it is very common to iterate over all names in a + message section and all rdatasets for each name, but various idioms + are used for iteration. + + This commit standardizes them as much as possible to a single idiom, + through the macro `MSG_SECTION_FOREACH`, similar to the existing + `ISC_LIST_FOREACH`. :gl:`!10302` + +- Switch to ISC_LIST_FOREACH everywhere. ``04cf3ba91f`` + + The pattern `for (x = ISC_LIST_HEAD(...); x != NULL; + ISC_LIST_NEXT(...)` has been changed to `ISC_LIST_FOREACH` throughout + BIND, except in a few cases where the change would be excessively + complex. In most cases this was a straightforward change. In some + places, however, the list element variable was referenced after the + loop ended. Where possible, code has now been refactored to avoid this + necessity. `ISC_LIST_FOREACH` has also been modified to use + `typeof(list.head)` to declare list elements automatically. When the + list object to be iterated is declared with a `const` qualifier, the + qualifier is passed along to the element declaration, causing a + compilation failure. To avoid this problem, some `const` qualifiers + have been removed; where that was not possible, `UNCONST` was used. 
+ :gl:`!10310` + +
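Review bot: two entries in the new changelog-9.21.7.rst carry references that look wrong and should be checked against GitLab before the file is published: "Fix write after free in validator code" cites :gl:`#5239`, the same issue number the preceding "Fix adbname reference" entry already uses with a different merge request (!10290 there, !10248 here), and "Stop caching lack of EDNS support" cites :gl:`#3949` :gl:`#5066` but is the only entry with no :gl:`!...` merge-request reference at all. Several typos in the generated text also need fixing, either in the source MR descriptions or here: "www.isc.og/A" in the EDE 20 entry (the previous sentence uses "www.isc.org/A"), "RFC 8914 mention" (mentions), "prececessor" (predecessor), "zero initalization" (initialization), "an high amount of CPU time spent in memset" (a high amount of CPU time is spent), and "this make each allocation to consume" (makes each allocation consume). Two markup points: the file mixes single backticks (`named`, `dig`, `request-zoneversion`) with double backticks (``rndc``, ``reset-stats``) for the same kind of literal, and in reStructuredText a single-backtick span is interpreted text rather than a literal, so option, program and flag names should use double backticks throughout; and the lists in the dnssec-keygen, fxhash and DNSSEC-timing entries have their "- " and "1." markers run inline into the paragraph ("The removed options are: - `-t` (key type), ..."), which Sphinx renders as one paragraph instead of a list, so each needs a blank line before it and one item per line. Finally, the "Implement -T cookiealwaysvalid" entry says that cookie checks always pass for structurally correct queries but not in what context the switch is intended; since -T is named's test-option family, one sentence stating that it is for testing only and disables a protection on a production resolver would help operators who read the release documentation.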