diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 99c22168f1..ac2806e5ec 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.3.rst .. include:: ../notes/notes-9.21.2.rst .. include:: ../notes/notes-9.21.1.rst .. include:: ../notes/notes-9.21.0.rst diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst new file mode 100644 index 0000000000..afec1abf25 --- /dev/null +++ b/doc/notes/notes-9.21.3.rst @@ -0,0 +1,211 @@ +Notes for BIND 9.21.3 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Add separate query counters for new protocols. + + Add query counters for DoT, DoH, unencrypted DoH and their proxied + counterparts. The new protocols do not update their respective TCP/UDP + transport counter and is now for TCP/UDP over plain 53 only. + :gl:`#598` + +- Implement RFC 9567: EDNS Report-Channel option. + + Add new `send-report-channel` and `log-report-channel` options. + `send-report-channel` specifies an agent domain, to which error + reports can be sent by querying a specially constructed name within + the agent domain. EDNS Report-Channel options will be added to + outgoing authoritative responses, to inform clients where to send such + queries in the event of a problem. + + If a zone is configured which matches the agent domain and has + `log-report-channel` set to `yes`, error-reporting queries will be + logged at level `info` to the `dns-reporting-agent` logging channel. + :gl:`#3659` + +- Add detailed debugging of update-policy rule matching. + + This logs how named determines if an update request is granted or + denied when using update-policy. :gl:`#4751` + +- Update bind.keys with the new 2025 IANA root key. + + Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, + which is scheduled for publication in January 2025. :gl:`#4896` + +- Enable runtime selection of FIPS mode in dig and delv. + + 'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime. + :gl:`#5046` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Move contributed DLZ modules into a separate repository. + + The DLZ modules are poorly maintained as we only ensure they can still + be compiled, the DLZ interface is blocking, so anything that blocks + the query to the database blocks the whole server and they should not + be used except in testing. The DLZ interface itself is going to be + scheduled for removal. + + The DLZ modules now live in + https://gitlab.isc.org/isc-projects/dlz-modules repository. + :gl:`#4865` + +- Remove RBTDB implementation. + + Remove the RBTDB database implementation, and only leave the QPDB + based implementations of zone and cache databases. This means it's no + longer possible to choose the RBTDB to be default at the compilation + time and it's not possible to configure RBTDB as the database backend + in the configuration file. :gl:`#5027` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Dnssec-ksr now supports KSK rollovers. + + The tool 'dnssec-ksr' now allows for KSK generation, as well as + planned KSK rollovers. When signing a bundle from a Key Signing + Request (KSR), only the key that is active in that time frame is being + used for signing. Also, the CDS and CDNSKEY records are now added and + removed at the correct time. :gl:`#4697` :gl:`#4705` + +- Add none parameter to query-source and query-source-v6 to disable IPv4 + or IPv6 upstream queries. + + Add a none parameter to named configuration option `query-source` + (respectively `query-source-v6`) which forbid usage of IPv4 + (respectively IPv6) addresses when named is doing an upstream query. + :gl:`#4981` Turning-off upstream IPv6 queries while still listening to + downstream queries on IPv6. + +- Print expire option in transfer summary. + + The zone transfer summary will now print the expire option value in + the zone transfer summary. :gl:`#5013` + +- Add missing EDNS option mnemonics. + + The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent + using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), + and `dig +ednsopt=zoneversion`. + + Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and + `CHAIN`, are now displayed correctly in text and YAML formats. Also, + an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now + spelled with a hyphen in both text and YAML formats; previously, text + format used a space. + +- Add new logging module for logging crypto errors in libisc. + + Add a new 'crypto' log module that will be used for a low-level + cryptographic operations. The DNS related cryptography logs are still + logged in the 'dns/crypto' module. + +- Emit more helpful log for exceeding max-records-per-type. + + The new log message is emitted when adding or updating an RRset fails + due to exceeding the max-records-per-type limit. The log includes the + owner name and type, corresponding zone name, and the limit value. It + will be emitted on loading a zone file, inbound zone transfer (both + AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's + especially helpful in the case of zone transfer, since the secondary + side doesn't have direct access to the offending zone data. + + It could also be used for max-types-per-name, but this change doesn't + implement it yet as it's much less likely to happen in practice. + +- Harden key management when key files have become unavailabe. + + Prior to doing key management, BIND 9 will check if the key files on + disk match the expected keys. If key files for previously observed + keys have become unavailable, this will prevent the internal key + manager from running. + +Bug Fixes +~~~~~~~~~ + +- Use TLS for notifies if configured to do so. + + Notifies configured to use TLS will now be sent over TLS, instead of + plaintext UDP or TCP. Also, failing to load the TLS configuration for + notify now also results in an error. :gl:`#4821` + +- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. + + `dig` fails to parse a valid (as far as I can tell, and accepted by + `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template + containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If + the URI template contains a `{?dns}` instead `dig` is happy, but my + understanding of rfc9461 and section 1.2. "Levels and Expression + Types" of rfc6570 is that `{&dns}` is valid. See for example section + 1.2. "Levels and Expression Types" of rfc6570. + + Note that Peter van Dijk suggested that `{dns}` and + `{dns,someothervar}` might be valid forms as well, so my patch might + be too restrictive, although it's anyone's guess how DoH clients would + handle complex templates. :gl:`#4922` + +- Fix NSEC3 closest encloser lookup for names with empty non-terminals. + + The performance improvement for finding the NSEC3 closest encloser + when generating authoritative responses could cause servers to return + incorrect NSEC3 records in some cases. This has been fixed. + :gl:`#4950` + +- Report client transport in 'rndc recursing' + + When `rndc recursing` is used to dump the list of recursing clients, + it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP. + :gl:`#4971` + +- 'Recursive-clients 0;' triggers an assertion. + + BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed. + :gl:`#4987` + +- Parsing of hostnames in rndc.conf was broken. + + When DSCP support was removed, parsing of hostnames in rndc.conf was + accidentally broken, resulting in an assertion failure. This has been + fixed. :gl:`#4991` + +- Restore values when dig prints command line. + + Options of the form `[+-]option=` failed to display the value + on the printed command line. This has been fixed. :gl:`#4993` + +- Provide more visibility into configuration errors. + + by logging SSL_CTX_use_certificate_chain_file and + SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` + +- Fix race condition when canceling ADB find. + + When canceling the ADB find, the lock on the find gets released for a + brief period of time to be locked again inside adbname lock. During + the brief period that the ADB find is unlocked, it can get canceled by + other means removing it from the adbname list which in turn causes + assertion failure due to a double removal from the adbname list. This + has been fixed. :gl:`#5024` + +- Improve the memory cleaning in the SERVFAIL cache. + + The SERVFAIL cache doesn't have a memory bound and the cleaning of the + old SERVFAIL cache entries was implemented only in opportunistic + manner. Improve the memory cleaning of the SERVFAIL cache to be more + aggressive, so it doesn't consume a lot of memory in the case the + server encounters many SERVFAILs at once. :gl:`#5025` + +- Fix trying the next primary server when the preivous one was marked as + unreachable. + + In some cases (there is evidence only when XoT was used) `named` + failed to try the next primary server in the list when the previous + one was marked as unreachable. This has been fixed. :gl:`#5038` + +