Merge branch 'v9_17_9-release' into 'main'

Merge 9.17.9 release branch

See merge request isc-projects/bind9!4586

.gitlab-ci.yml

@@ -1516,7 +1516,7 @@ abi-check:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -Og"
     EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-    BIND_BASELINE_VERSION: v9_17_8
+    BIND_BASELINE_VERSION: v9_17_9
   script:
     - *configure
     - make -j${BUILD_PARALLEL_JOBS:-1} V=1

CHANGES

@@ -15,50 +15,53 @@
 			30 seconds, following RFC 8767 recommendations.
 			[GL #2248]
 
+	--- 9.17.9 released ---
+
 5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
 			enabling support for libmaxminddb was not working
 			correctly. This has been fixed. [GL #2366]
 
-5558.	[bug]		Asynchronous hook modules could assert due to
-			the fetch handle being detached too late. [GL #2379]
+5558.	[bug]		Asynchronous hook modules could trigger an assertion
+			failure when the fetch handle was detached too late.
+			Thanks to Jinmei Tatuya at Infoblox. [GL #2379]
 
-5557.	[bug]		Prevent rbtdb instances being destroyed by multiple
-			threads at the same time. [GL #2355]
+5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
+			threads at the same time. [GL #2317]
 
-5556.	[bug]		dnssec-signzone and dnssec-verify where now
-			printing too many newlines between log messages.
-			[GL #2359]
+5556.	[bug]		Further tweak newline printing in dnssec-signzone and
+			dnssec-verify. [GL #2359]
 
 5555.	[placeholder]
 
-5554.	[bug]		dnssec-signzone and dnssec-verify where missing
-			newlines between log messages. [GL #2359]
+5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
+			between log messages. [GL #2359]
 
-5553.	[bug]		When reconfiguring named, removing "auto-dnssec"
-			did not actually turn off DNSSEC maintenance.
-			This has been fixed. [GL #2341]
+5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
+			turn off DNSSEC maintenance. [GL #2341]
 
-5552.	[func]		When switching to "dnssec-policy none;", named
-			now permits a safe transition to insecure mode
-			and publishes the CDS and CDNSKEY DELETE
-			records, as described in RFC 8078. [GL #1750]
+5552.	[func]		When switching to "dnssec-policy none;", named now
+			permits a safe transition to insecure mode and publishes
+			the CDS and CDNSKEY DELETE records, as described in RFC
+			8078. [GL #1750]
 
-5551.	[bug]		Only assign threads to CPUs in the CPU affinity set.
-			Thanks to Ole Bjørn Hessen. [GL #2245]
+5551.	[bug]		named no longer attempts to assign threads to CPUs
+			outside the CPU affinity set. Thanks to Ole Bjørn
+			Hessen. [GL #2245]
 
-5550.	[func]		Print a warning when falling back to the "increment" SOA
-			serial method. [GL #2058]
+5550.	[func]		dnssec-signzone and named now log a warning when falling
+			back to the "increment" SOA serial method. [GL #2058]
 
-5549.	[protocol]	Serve ipv4only.arpa when dns64 is configured. [GL #385]
+5549.	[protocol]	ipv4only.arpa is now served when DNS64 is configured.
+			[GL #385]
 
 5548.	[placeholder]
 
 5547.	[placeholder]
 
-5546.	[placeholder]
-
 	--- 9.17.8 released ---
 
+5546.	[placeholder]
+
 5545.	[func]		OS support for load-balanced sockets is no longer
 			required to receive incoming queries in multiple netmgr
 			threads. [GL #2137]

configure.ac

@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 8)dnl
+m4_define([bind_VERSION_PATCH], 9)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl

doc/arm/notes.rst

@@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
 .. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.9.rst
 .. include:: ../notes/notes-9.17.8.rst
 .. include:: ../notes/notes-9.17.7.rst
 .. include:: ../notes/notes-9.17.6.rst

doc/notes/notes-9.17.9.rst

@@ -0,0 +1,56 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.17.9
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385]
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- It is now possible to transition a zone from secure to insecure mode
+  without making it bogus in the process; changing to ``dnssec-policy
+  none;`` also causes CDS and CDNSKEY DELETE records to be published, to
+  signal that the entire DS RRset at the parent must be removed, as
+  described in RFC 8078. [GL #1750]
+
+- When using the ``unixtime`` or ``date`` method to update the SOA
+  serial number, ``named`` and ``dnssec-signzone`` silently fell back to
+  the ``increment`` method to prevent the new serial number from being
+  smaller than the old serial number (using serial number arithmetics).
+  ``dnssec-signzone`` now prints a warning message, and ``named`` logs a
+  warning, when such a fallback happens. [GL #2058]
+
+Bug Fixes
+~~~~~~~~~
+
+- Multiple threads could attempt to destroy a single RBTDB instance at
+  the same time, resulting in an unpredictable but low-probability
+  assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317]
+
+- ``named`` no longer attempts to assign threads to CPUs outside the CPU
+  affinity set. Thanks to Ole Bjørn Hessen. [GL #2245]
+
+- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
+  off DNSSEC maintenance. This has been fixed. [GL #2341]
+
+- The report of intermittent BIND assertion failures triggered in
+  ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
+  without further action. Our initial response to this was to add
+  diagnostic logging instead of terminating ``named``, anticipating that
+  we would receive further useful troubleshooting input. This workaround
+  first appeared in BIND releases 9.17.5 and 9.16.7. However, since
+  those releases were published, there have been no new reports of
+  assertion failures matching this issue, but also no further diagnostic
+  input, so we have closed the issue. [GL #2091]

doc/notes/notes-current.rst

@@ -8,8 +8,8 @@
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
 
-Notes for BIND 9.17.9
----------------------
+Notes for BIND 9.17.10
+----------------------
 
 Security Fixes
 ~~~~~~~~~~~~~~
@@ -44,37 +44,12 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- ``ipv4only.arpa`` is now served when ``dns64`` is configured. [GL #385]
-
-- It is now possible to transition a zone from secure to insecure mode
-  without making it bogus in the process: changing to ``dnssec-policy
-  none;`` also causes CDS and CDNSKEY DELETE records to be published, to
-  signal that the entire DS RRset at the parent must be removed, as
-  described in RFC 8078. [GL #1750]
-
 - The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
   day and the default value of ``stale-answer-ttl`` has been changed from 1
   second to 30 seconds, following RFC 8767 recommendations. [GL #2248]
 
-- When using the ``unixtime`` or ``date`` method to update the SOA
-  serial number, ``named`` and ``dnssec-signzone`` silently fell back to
-  the ``increment`` method to prevent the new serial number from being
-  smaller than the old serial number (using serial number arithmetics).
-  ``dnsssec-signzone`` now prints a warning message, and ``named`` logs
-  a warning, when such a fallback happens. [GL #2058]
-
 Bug Fixes
 ~~~~~~~~~
 
-- Only assign threads to CPUs in the CPU affinity set, so that ``named`` no
-  longer attempts to run threads on CPUs outside the affinity set. Thanks to
-  Ole Bjørn Hessen. [GL #2245]
-
-- When reconfiguring ``named``, removing ``auto-dnssec`` did actually not turn
-  off DNSSEC maintenance. This has been fixed. [GL #2341]
-
-- Prevent rbtdb instances being destroyed by multiple threads at the same
-  time. This can trigger assertion failures. [GL #2355]
-
 - KASP incorrectly set signature validity to the value of the DNSKEY signature
   validity. This is now fixed. [GL #2383]

lib/bind9/api

@@ -12,5 +12,5 @@
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
 LIBINTERFACE = 1701
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0

lib/dns/api

@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1708
+LIBINTERFACE = 1709
 LIBREVISION = 0
 LIBAGE = 0

lib/isc/api

@@ -12,5 +12,5 @@
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
 LIBINTERFACE = 1707
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

lib/isccfg/api

@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1703
+LIBINTERFACE = 1704
 LIBREVISION = 0
 LIBAGE = 0

lib/ns/api

@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1706
+LIBINTERFACE = 1707
 LIBREVISION = 0
 LIBAGE = 0