diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b319fa15be..1db96f8a82 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1516,7 +1516,7 @@ abi-check: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" - BIND_BASELINE_VERSION: v9_17_8 + BIND_BASELINE_VERSION: v9_17_9 script: - *configure - make -j${BUILD_PARALLEL_JOBS:-1} V=1 diff --git a/CHANGES b/CHANGES index 7652c6860b..58b3362016 100644 --- a/CHANGES +++ b/CHANGES 
@@ -15,50 +15,53 @@ 30 seconds, following RFC 8767 recommendations. [GL #2248] + --- 9.17.9 released --- + 5559. [bug] The --with-maxminddb=PATH form of the build-time option enabling support for libmaxminddb was not working correctly. This has been fixed. [GL #2366] -5558. [bug] Asynchronous hook modules could assert due to - the fetch handle being detached too late. [GL #2379] +5558. [bug] Asynchronous hook modules could trigger an assertion + failure when the fetch handle was detached too late. + Thanks to Jinmei Tatuya at Infoblox. [GL #2379] -5557. [bug] Prevent rbtdb instances being destroyed by multiple - threads at the same time. [GL #2355] +5557. [bug] Prevent RBTDB instances from being destroyed by multiple + threads at the same time. [GL #2317] -5556. [bug] dnssec-signzone and dnssec-verify where now - printing too many newlines between log messages. - [GL #2359] +5556. [bug] Further tweak newline printing in dnssec-signzone and + dnssec-verify. [GL #2359] 5555. [placeholder] -5554. [bug] dnssec-signzone and dnssec-verify where missing - newlines between log messages. [GL #2359] +5554. [bug] dnssec-signzone and dnssec-verify were missing newlines + between log messages. [GL #2359] -5553. [bug] When reconfiguring named, removing "auto-dnssec" - did not actually turn off DNSSEC maintenance. - This has been fixed. [GL #2341] +5553. [bug] When reconfiguring named, removing "auto-dnssec" did not + turn off DNSSEC maintenance. [GL #2341] -5552. [func] When switching to "dnssec-policy none;", named - now permits a safe transition to insecure mode - and publishes the CDS and CDNSKEY DELETE - records, as described in RFC 8078. [GL #1750] +5552. [func] When switching to "dnssec-policy none;", named now + permits a safe transition to insecure mode and publishes + the CDS and CDNSKEY DELETE records, as described in RFC + 8078. [GL #1750] -5551. [bug] Only assign threads to CPUs in the CPU affinity set. - Thanks to Ole Bjørn Hessen. [GL #2245] +5551. 
[bug] named no longer attempts to assign threads to CPUs + outside the CPU affinity set. Thanks to Ole Bjørn + Hessen. [GL #2245] -5550. [func] Print a warning when falling back to the "increment" SOA - serial method. [GL #2058] +5550. [func] dnssec-signzone and named now log a warning when falling + back to the "increment" SOA serial method. [GL #2058] -5549. [protocol] Serve ipv4only.arpa when dns64 is configured. [GL #385] +5549. [protocol] ipv4only.arpa is now served when DNS64 is configured. + [GL #385] 5548. [placeholder] 5547. [placeholder] -5546. [placeholder] - --- 9.17.8 released --- +5546. [placeholder] + 5545. [func] OS support for load-balanced sockets is no longer required to receive incoming queries in multiple netmgr threads. [GL #2137] diff --git a/configure.ac b/configure.ac index f95fd2583a..154e023212 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 8)dnl +m4_define([bind_VERSION_PATCH], 9)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index e8a414d148..775300054c 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.9.rst .. include:: ../notes/notes-9.17.8.rst .. include:: ../notes/notes-9.17.7.rst .. include:: ../notes/notes-9.17.6.rst diff --git a/doc/notes/notes-9.17.9.rst b/doc/notes/notes-9.17.9.rst new file mode 100644 index 0000000000..d702519775 --- /dev/null +++ b/doc/notes/notes-9.17.9.rst 
@@ -0,0 +1,56 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.9 +--------------------- + +New Features +~~~~~~~~~~~~ + +- ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385] + +Feature Changes +~~~~~~~~~~~~~~~ + +- It is now possible to transition a zone from secure to insecure mode + without making it bogus in the process; changing to ``dnssec-policy + none;`` also causes CDS and CDNSKEY DELETE records to be published, to + signal that the entire DS RRset at the parent must be removed, as + described in RFC 8078. [GL #1750] + +- When using the ``unixtime`` or ``date`` method to update the SOA + serial number, ``named`` and ``dnssec-signzone`` silently fell back to + the ``increment`` method to prevent the new serial number from being + smaller than the old serial number (using serial number arithmetics). + ``dnssec-signzone`` now prints a warning message, and ``named`` logs a + warning, when such a fallback happens. [GL #2058] + +Bug Fixes +~~~~~~~~~ + +- Multiple threads could attempt to destroy a single RBTDB instance at + the same time, resulting in an unpredictable but low-probability + assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317] + +- ``named`` no longer attempts to assign threads to CPUs outside the CPU + affinity set. Thanks to Ole Bjørn Hessen. [GL #2245] + +- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn + off DNSSEC maintenance. This has been fixed. [GL #2341] + +- The report of intermittent BIND assertion failures triggered in + ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed + without further action. 
Our initial response to this was to add + diagnostic logging instead of terminating ``named``, anticipating that + we would receive further useful troubleshooting input. This workaround + first appeared in BIND releases 9.17.5 and 9.16.7. However, since + those releases were published, there have been no new reports of + assertion failures matching this issue, but also no further diagnostic + input, so we have closed the issue. [GL #2091] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 95a441124d..dd10555d50 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -8,8 +8,8 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.9 ---------------------- +Notes for BIND 9.17.10 +---------------------- Security Fixes ~~~~~~~~~~~~~~ 
@@ -44,37 +44,12 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- ``ipv4only.arpa`` is now served when ``dns64`` is configured. [GL #385] - -- It is now possible to transition a zone from secure to insecure mode - without making it bogus in the process: changing to ``dnssec-policy - none;`` also causes CDS and CDNSKEY DELETE records to be published, to - signal that the entire DS RRset at the parent must be removed, as - described in RFC 8078. [GL #1750] - - The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 day and the default value of ``stale-answer-ttl`` has been changed from 1 second to 30 seconds, following RFC 8767 recommendations. [GL #2248] -- When using the ``unixtime`` or ``date`` method to update the SOA - serial number, ``named`` and ``dnssec-signzone`` silently fell back to - the ``increment`` method to prevent the new serial number from being - smaller than the old serial number (using serial number arithmetics). - ``dnsssec-signzone`` now prints a warning message, and ``named`` logs - a warning, when such a fallback happens. [GL #2058] - Bug Fixes ~~~~~~~~~ -- Only assign threads to CPUs in the CPU affinity set, so that ``named`` no - longer attempts to run threads on CPUs outside the affinity set. Thanks to - Ole Bjørn Hessen. [GL #2245] - -- When reconfiguring ``named``, removing ``auto-dnssec`` did actually not turn - off DNSSEC maintenance. This has been fixed. [GL #2341] - -- Prevent rbtdb instances being destroyed by multiple threads at the same - time. This can trigger assertion failures. [GL #2355] - - KASP incorrectly set signature validity to the value of the DNSKEY signature validity. This is now fixed. [GL #2383] diff --git a/lib/bind9/api b/lib/bind9/api index 399abc2379..1f742a50af 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -12,5 +12,5 @@ # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 LIBINTERFACE = 1701 -LIBREVISION = 3 +LIBREVISION = 4 LIBAGE = 0 
diff --git a/lib/dns/api b/lib/dns/api index bbe9c58585..73f959a036 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -11,6 +11,6 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 -LIBINTERFACE = 1708 +LIBINTERFACE = 1709 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index f55bd9eef6..313f25dc92 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -12,5 +12,5 @@ # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 LIBINTERFACE = 1707 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index c1c1be9b85..2a38956a54 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -11,6 +11,6 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 -LIBINTERFACE = 1703 +LIBINTERFACE = 1704 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index 2a766927f2..f55bd9eef6 100644 --- a/lib/ns/api +++ b/lib/ns/api @@ -11,6 +11,6 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 -LIBINTERFACE = 1706 +LIBINTERFACE = 1707 LIBREVISION = 0 LIBAGE = 0
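Review bot: In the `abi-check` job of `.gitlab-ci.yml`, `BIND_BASELINE_VERSION` is moved to `v9_17_9` in the same patch that sets `bind_VERSION_PATCH` to 9 in `configure.ac`, so the baseline names the release this patch is itself preparing. If the job resolves that value as a git tag, it has nothing to compare against until the tag is pushed. Consider landing the baseline bump in a follow-up once the tag exists, or state in the commit message that the tag is created before this pipeline runs.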
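Review bot: In the `CHANGES` hunk, entry 5557 changes its issue reference from `[GL #2355]` to `[GL #2317]` as part of what otherwise looks like a wording cleanup. The new `doc/notes/notes-9.17.9.rst` also uses #2317, while the text removed from `notes-current.rst` cited #2355. Since this alters which issue the fix is traced to, call the correction out in the commit message rather than folding it into the rewording. The same hunk moves `5546. [placeholder]` from above the `--- 9.17.8 released ---` marker to below it, next to 5545, which places that entry in the already published 9.17.8 section. Please confirm that is intended.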
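Review bot: In the new `doc/notes/notes-9.17.9.rst`, the last item under "Bug Fixes" ([GL #2091]) does not describe a fix: it reports that the `lib/dns/resolver.c:dns_name_issubdomain()` assertion issue was closed without further action. Operators scanning the Bug Fixes list for what this release resolves may read it as fixed, so consider moving it out of that section or rewording the opening so the "closed without further action" status comes first. Minor: "serial number arithmetics" in the SOA serial item should read "serial number arithmetic".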
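Review bot: In the `lib/*/api` hunks, `lib/dns`, `lib/isccfg` and `lib/ns` each bump `LIBINTERFACE` while `LIBAGE` stays at 0, whereas `lib/bind9` and `lib/isc` only bump `LIBREVISION`. Nothing visible in the patch records which interface changes justify the three `LIBINTERFACE` bumps. Add a line to the commit message naming them, or pointing at the abi-check output, so the choice between an interface bump and a revision bump can be verified per library.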