Merge branch 'v9_17_9-release' into 'main'

Merge 9.17.9 release branch See merge request isc-projects/bind9!4586
2025-09-01 15:05:23 +00:00 · 2021-01-21 08:05:29 +00:00
parent 9ec5dcf79c 7751a8eaf6
commit 8f73c70d23
11 changed files with 92 additions and 57 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1516,7 +1516,7 @@ abi-check:
    CC: gcc
    CFLAGS: "${CFLAGS_COMMON} -Og"
    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-    BIND_BASELINE_VERSION: v9_17_8
+    BIND_BASELINE_VERSION: v9_17_9
  script:
    - *configure
    - make -j${BUILD_PARALLEL_JOBS:-1} V=1
--- a/49
+++ b/49
@@ -15,50 +15,53 @@
 			30 seconds, following RFC 8767 recommendations.
 			[GL #2248]
 	--- 9.17.9 released ---
 5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
 			enabling support for libmaxminddb was not working
 			correctly. This has been fixed. [GL #2366]
-5558.	[bug]		Asynchronous hook modules could assert due to
+5558.	[bug]		Asynchronous hook modules could trigger an assertion
-			the fetch handle being detached too late. [GL #2379]
+			failure when the fetch handle was detached too late.
 			Thanks to Jinmei Tatuya at Infoblox. [GL #2379]
-5557.	[bug]		Prevent rbtdb instances being destroyed by multiple
+5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
-			threads at the same time. [GL #2355]
+			threads at the same time. [GL #2317]
-5556.	[bug]		dnssec-signzone and dnssec-verify where now
+5556.	[bug]		Further tweak newline printing in dnssec-signzone and
-			printing too many newlines between log messages.
+			dnssec-verify. [GL #2359]
 			[GL #2359]
 5555.	[placeholder]
-5554.	[bug]		dnssec-signzone and dnssec-verify where missing
+5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
-			newlines between log messages. [GL #2359]
+			between log messages. [GL #2359]
-5553.	[bug]		When reconfiguring named, removing "auto-dnssec"
+5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
-			did not actually turn off DNSSEC maintenance.
+			turn off DNSSEC maintenance. [GL #2341]
 			This has been fixed. [GL #2341]
-5552.	[func]		When switching to "dnssec-policy none;", named
+5552.	[func]		When switching to "dnssec-policy none;", named now
-			now permits a safe transition to insecure mode
+			permits a safe transition to insecure mode and publishes
-			and publishes the CDS and CDNSKEY DELETE
+			the CDS and CDNSKEY DELETE records, as described in RFC
-			records, as described in RFC 8078. [GL #1750]
+			8078. [GL #1750]
-5551.	[bug]		Only assign threads to CPUs in the CPU affinity set.
+5551.	[bug]		named no longer attempts to assign threads to CPUs
-			Thanks to Ole Bjørn Hessen. [GL #2245]
+			outside the CPU affinity set. Thanks to Ole Bjørn
 			Hessen. [GL #2245]
-5550.	[func]		Print a warning when falling back to the "increment" SOA
+5550.	[func]		dnssec-signzone and named now log a warning when falling
-			serial method. [GL #2058]
+			back to the "increment" SOA serial method. [GL #2058]
-5549.	[protocol]	Serve ipv4only.arpa when dns64 is configured. [GL #385]
+5549.	[protocol]	ipv4only.arpa is now served when DNS64 is configured.
 			[GL #385]
 5548.	[placeholder]
 5547.	[placeholder]
 5546.	[placeholder]
 	--- 9.17.8 released ---
 5546.	[placeholder]
 5545.	[func]		OS support for load-balanced sockets is no longer
 			required to receive incoming queries in multiple netmgr
 			threads. [GL #2137]
--- a/configure.ac
+++ b/configure.ac
@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 8)dnl
+m4_define([bind_VERSION_PATCH], 9)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 .. include:: ../notes/notes-current.rst
 .. include:: ../notes/notes-9.17.9.rst
 .. include:: ../notes/notes-9.17.8.rst
 .. include:: ../notes/notes-9.17.7.rst
 .. include:: ../notes/notes-9.17.6.rst
--- a/doc/notes/notes-9.17.9.rst
+++ b/doc/notes/notes-9.17.9.rst
@@ -0,0 +1,56 @@
 .. 
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.
 Notes for BIND 9.17.9
 ---------------------
 New Features
 ~~~~~~~~~~~~
 - ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385]
 Feature Changes
 ~~~~~~~~~~~~~~~
 - It is now possible to transition a zone from secure to insecure mode
  without making it bogus in the process; changing to ``dnssec-policy
  none;`` also causes CDS and CDNSKEY DELETE records to be published, to
  signal that the entire DS RRset at the parent must be removed, as
  described in RFC 8078. [GL #1750]
 - When using the ``unixtime`` or ``date`` method to update the SOA
  serial number, ``named`` and ``dnssec-signzone`` silently fell back to
  the ``increment`` method to prevent the new serial number from being
  smaller than the old serial number (using serial number arithmetics).
  ``dnssec-signzone`` now prints a warning message, and ``named`` logs a
  warning, when such a fallback happens. [GL #2058]
 Bug Fixes
 ~~~~~~~~~
 - Multiple threads could attempt to destroy a single RBTDB instance at
  the same time, resulting in an unpredictable but low-probability
  assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317]
 - ``named`` no longer attempts to assign threads to CPUs outside the CPU
  affinity set. Thanks to Ole Bjørn Hessen. [GL #2245]
 - When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
  off DNSSEC maintenance. This has been fixed. [GL #2341]
 - The report of intermittent BIND assertion failures triggered in
  ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
  without further action. Our initial response to this was to add
  diagnostic logging instead of terminating ``named``, anticipating that
  we would receive further useful troubleshooting input. This workaround
  first appeared in BIND releases 9.17.5 and 9.16.7. However, since
  those releases were published, there have been no new reports of
  assertion failures matching this issue, but also no further diagnostic
  input, so we have closed the issue. [GL #2091]
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -8,8 +8,8 @@
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.
-Notes for BIND 9.17.9
+Notes for BIND 9.17.10
---------------------
+----------------------
 Security Fixes
 ~~~~~~~~~~~~~~
@@ -44,37 +44,12 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 - ``ipv4only.arpa`` is now served when ``dns64`` is configured. [GL #385]
 - It is now possible to transition a zone from secure to insecure mode
  without making it bogus in the process: changing to ``dnssec-policy
  none;`` also causes CDS and CDNSKEY DELETE records to be published, to
  signal that the entire DS RRset at the parent must be removed, as
  described in RFC 8078. [GL #1750]
 - The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
  day and the default value of ``stale-answer-ttl`` has been changed from 1
  second to 30 seconds, following RFC 8767 recommendations. [GL #2248]
 - When using the ``unixtime`` or ``date`` method to update the SOA
  serial number, ``named`` and ``dnssec-signzone`` silently fell back to
  the ``increment`` method to prevent the new serial number from being
  smaller than the old serial number (using serial number arithmetics).
  ``dnsssec-signzone`` now prints a warning message, and ``named`` logs
  a warning, when such a fallback happens. [GL #2058]
 Bug Fixes
 ~~~~~~~~~
 - Only assign threads to CPUs in the CPU affinity set, so that ``named`` no
  longer attempts to run threads on CPUs outside the affinity set. Thanks to
  Ole Bjørn Hessen. [GL #2245]
 - When reconfiguring ``named``, removing ``auto-dnssec`` did actually not turn
  off DNSSEC maintenance. This has been fixed. [GL #2341]
 - Prevent rbtdb instances being destroyed by multiple threads at the same
  time. This can trigger assertion failures. [GL #2355]
 - KASP incorrectly set signature validity to the value of the DNSKEY signature
  validity. This is now fixed. [GL #2383]
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -12,5 +12,5 @@
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
 LIBINTERFACE = 1701
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1708
+LIBINTERFACE = 1709
 LIBREVISION = 0
 LIBAGE = 0
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -12,5 +12,5 @@
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
 LIBINTERFACE = 1707
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1703
+LIBINTERFACE = 1704
 LIBREVISION = 0
 LIBAGE = 0
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1706
+LIBINTERFACE = 1707
 LIBREVISION = 0
 LIBAGE = 0