Prepare release notes for BIND 9.21.3

2025-09-04 08:35:31 +00:00 · 2024-12-02 15:29:59 +01:00
parent 2707c794c7
commit 912cd22a8d
2 changed files with 212 additions and 0 deletions
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be
 found at
 https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
 .. include:: ../notes/notes-9.21.3.rst
 .. include:: ../notes/notes-9.21.2.rst
 .. include:: ../notes/notes-9.21.1.rst
 .. include:: ../notes/notes-9.21.0.rst
--- a/doc/notes/notes-9.21.3.rst
+++ b/doc/notes/notes-9.21.3.rst
@@ -0,0 +1,211 @@
 Notes for BIND 9.21.3
 ---------------------
 New Features
 ~~~~~~~~~~~~
 - Add separate query counters for new protocols.
  Add query counters for DoT, DoH, unencrypted DoH and their proxied
  counterparts. The new protocols do not update their respective TCP/UDP
  transport counter and is now for TCP/UDP over plain 53 only.
  :gl:`#598`
 - Implement RFC 9567: EDNS Report-Channel option.
  Add new `send-report-channel` and `log-report-channel` options.
  `send-report-channel` specifies an agent domain, to which error
  reports can be sent by querying a specially constructed name within
  the agent domain. EDNS Report-Channel options will be added to
  outgoing authoritative responses, to inform clients where to send such
  queries in the event of a problem.
  If a zone is configured which matches the agent domain and has
  `log-report-channel` set to `yes`, error-reporting queries will be
  logged at level `info` to the `dns-reporting-agent` logging channel.
  :gl:`#3659`
 - Add detailed debugging of update-policy rule matching.
  This logs how named determines if an update request is granted or
  denied when using update-policy. :gl:`#4751`
 - Update bind.keys with the new 2025 IANA root key.
  Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696,
  which is scheduled for publication in January 2025. :gl:`#4896`
 - Enable runtime selection of FIPS mode in dig and delv.
  'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime.
  :gl:`#5046`
 Removed Features
 ~~~~~~~~~~~~~~~~
 - Move contributed DLZ modules into a separate repository.
  The DLZ modules are poorly maintained as we only ensure they can still
  be compiled, the DLZ interface is blocking, so anything that blocks
  the query to the database blocks the whole server and they should not
  be used except in testing.  The DLZ interface itself is going to be
  scheduled for removal.
  The DLZ modules now live in
  https://gitlab.isc.org/isc-projects/dlz-modules repository.
  :gl:`#4865`
 - Remove RBTDB implementation.
  Remove the RBTDB database implementation, and only leave the QPDB
  based implementations of zone and cache databases.  This means it's no
  longer possible to choose the RBTDB to be default at the compilation
  time and it's not possible to configure RBTDB as the database backend
  in the configuration file. :gl:`#5027`
 Feature Changes
 ~~~~~~~~~~~~~~~
 - Dnssec-ksr now supports KSK rollovers.
  The tool 'dnssec-ksr' now allows for KSK generation, as well as
  planned KSK rollovers. When signing a bundle from a Key Signing
  Request (KSR), only the key that is active in that time frame is being
  used for signing. Also, the CDS and CDNSKEY records are now added and
  removed at the correct time. :gl:`#4697`  :gl:`#4705`
 - Add none parameter to query-source and query-source-v6 to disable IPv4
  or IPv6 upstream queries.
  Add a none parameter to named configuration option `query-source`
  (respectively `query-source-v6`) which forbid usage of IPv4
  (respectively IPv6) addresses when named is doing an upstream query.
  :gl:`#4981` Turning-off upstream IPv6 queries while still listening to
  downstream queries on IPv6.
 - Print expire option in transfer summary.
  The zone transfer summary will now print the expire option value in
  the zone transfer summary. :gl:`#5013`
 - Add missing EDNS option mnemonics.
  The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent
  using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short),
  and `dig +ednsopt=zoneversion`.
  Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and
  `CHAIN`, are now displayed correctly in text and YAML formats. Also,
  an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now
  spelled with a hyphen in both text and YAML formats; previously, text
  format used a space.
 - Add new logging module for logging crypto errors in libisc.
  Add a new 'crypto' log module that will be used for a low-level
  cryptographic operations.  The DNS related cryptography logs are still
  logged in the 'dns/crypto' module.
 - Emit more helpful log for exceeding max-records-per-type.
  The new log message is emitted when adding or updating an RRset fails
  due to exceeding the max-records-per-type limit. The log includes the
  owner name and type, corresponding zone name, and the limit value. It
  will be emitted on loading a zone file, inbound zone transfer (both
  AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's
  especially helpful in the case of zone transfer, since the secondary
  side doesn't have direct access to the offending zone data.
  It could also be used for max-types-per-name, but this change doesn't
  implement it yet as it's much less likely to happen in practice.
 - Harden key management when key files have become unavailabe.
  Prior to doing key management, BIND 9 will check if the key files on
  disk match the expected keys. If key files for previously observed
  keys have become unavailable, this will prevent the internal key
  manager from running.
 Bug Fixes
 ~~~~~~~~~
 - Use TLS for notifies if configured to do so.
  Notifies configured to use TLS will now be sent over TLS, instead of
  plaintext UDP or TCP. Also, failing to load the TLS configuration for
  notify now also results in an error. :gl:`#4821`
 - '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath.
  `dig` fails to parse a valid (as far as I can tell, and accepted by
  `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template
  containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If
  the URI template contains a `{?dns}` instead `dig` is happy, but my
  understanding of rfc9461 and section 1.2. "Levels and Expression
  Types" of rfc6570 is that `{&dns}` is valid. See for example section
  1.2. "Levels and Expression Types" of rfc6570.
  Note that Peter van Dijk suggested that `{dns}` and
  `{dns,someothervar}` might be valid forms as well, so my patch might
  be too restrictive, although it's anyone's guess how DoH clients would
  handle complex templates. :gl:`#4922`
 - Fix NSEC3 closest encloser lookup for names with empty non-terminals.
  The performance improvement for finding the NSEC3 closest encloser
  when generating authoritative responses could cause servers to return
  incorrect NSEC3 records in some cases. This has been fixed.
  :gl:`#4950`
 - Report client transport in 'rndc recursing'
  When `rndc recursing` is used to dump the list of recursing clients,
  it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP.
  :gl:`#4971`
 - 'Recursive-clients 0;' triggers an assertion.
  BIND 9.20.0 broke `recursive-clients 0;`.  This has now been fixed.
  :gl:`#4987`
 - Parsing of hostnames in rndc.conf was broken.
  When DSCP support was removed, parsing of hostnames in rndc.conf was
  accidentally broken, resulting in an assertion failure.  This has been
  fixed. :gl:`#4991`
 - Restore values when dig prints command line.
  Options of the form `[+-]option=<value>` failed to display the value
  on the printed command line. This has been fixed. :gl:`#4993`
 - Provide more visibility into configuration errors.
  by logging SSL_CTX_use_certificate_chain_file and
  SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008`
 - Fix race condition when canceling ADB find.
  When canceling the ADB find, the lock on the find gets released for a
  brief period of time to be locked again inside adbname lock.  During
  the brief period that the ADB find is unlocked, it can get canceled by
  other means removing it from the adbname list which in turn causes
  assertion failure due to a double removal from the adbname list. This
  has been fixed. :gl:`#5024`
 - Improve the memory cleaning in the SERVFAIL cache.
  The SERVFAIL cache doesn't have a memory bound and the cleaning of the
  old SERVFAIL cache entries was implemented only in opportunistic
  manner.  Improve the memory cleaning of the SERVFAIL cache to be more
  aggressive, so it doesn't consume a lot of memory in the case the
  server encounters many SERVFAILs at once. :gl:`#5025`
 - Fix trying the next primary server when the preivous one was marked as
  unreachable.
  In some cases (there is evidence only when XoT was used) `named`
  failed to try the next primary server in the list when the previous
  one was marked as unreachable. This has been fixed. :gl:`#5038`