diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ad77ac85a1..f96e7dab0d 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,7 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.12.rst .. include:: ../notes/notes-9.19.11.rst .. include:: ../notes/notes-9.19.10.rst .. include:: ../notes/notes-9.19.9.rst diff --git a/doc/notes/notes-9.19.12.rst b/doc/notes/notes-9.19.12.rst new file mode 100644 index 0000000000..0d08a2279a --- /dev/null +++ b/doc/notes/notes-9.19.12.rst 
@@ -0,0 +1,93 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.19.12 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- An error in DNS message processing introduced in development version + 9.19.11 could cause BIND and its utilities to crash if the maximum + permissible number of DNS labels were present. This has been fixed. + :gl:`#3998` + +Known Issues +~~~~~~~~~~~~ + +- Loading a large number of zones is significantly slower in BIND + 9.19.12 than in the previous development releases due to a new data + structure being used for storing information about the zones to serve. + This slowdown is considered to be a bug and will be addressed in a + future BIND 9.19.x development release. :gl:`#4006` + +- A flaw in reworked code responsible for accepting TCP connections may + cause a visible performance drop for TCP queries on some platforms, + notably FreeBSD. This issue will be fixed in a future BIND 9.19.x + development release. :gl:`#3985` + +- See :ref:`above ` for a list of all known issues + affecting this BIND 9 branch. + +New Features +~~~~~~~~~~~~ + +- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data + structures. :gl:`#3934` + +- The new command-line :option:`delv +ns` option activates name server + mode, to more accurately reproduce the behavior of :iscman:`named` + when resolving a query. In this mode, :iscman:`delv` uses an internal + recursive resolver rather than an external server. All messages sent + and received during the resolution and validation process are logged. + This can be used in place of :option:`dig +trace`. 
:gl:`#3842` + +- A new configuration option, :any:`checkds`, has been introduced. When + set to ``yes``, it detects :any:`parental-agents` automatically by + resolving the parent NS records. These name servers are queried to + check the DS RRset during a KSK rollover initiated by + :any:`dnssec-policy`. :gl:`#3901` + +.. _`liburcu`: https://liburcu.org/ + +Removed Features +~~~~~~~~~~~~~~~~ + +- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been + removed and using TKEY Mode 2 is now a fatal error. Users are advised + to switch to TKEY Mode 3 (GSS-API). :gl:`#3905` + +- Zone type ``delegation-only``, and the ``delegation-only`` and + ``root-delegation-only`` statements, have been removed. Using them is + a configuration error. + + These statements were created to address the SiteFinder controversy, + in which certain top-level domains redirected misspelled queries to + other sites instead of returning NXDOMAIN responses. Since top-level + domains are now DNSSEC-signed, and DNSSEC validation is active by + default, the statements are no longer needed. :gl:`#3953` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The log message ``resolver priming query complete`` has been moved + from the INFO log level to the DEBUG(1) log level, to prevent + :iscman:`delv` from emitting that message when setting up its internal + resolver. :gl:`#3842` + +Bug Fixes +~~~~~~~~~ + +- Several bugs which could cause :iscman:`named` to crash during catalog + zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997` + +- Performance of DNSSEC validation in zones with many DNSKEY records has + been improved. :gl:`#3981` diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index d2bc6ef619..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null 
@@ -1,75 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.12 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- BIND now depends on ``liburcu``, Userspace RCU, for lock-free data - structures. :gl:`#3934` - -- The new ``delv +ns`` option activates name server mode, in which ``delv`` - sets up an internal recursive resolver and uses that, rather than an - external server, to look up the requested query name and type. All messages - sent and received during the resolution and validation process are logged. - This can be used in place of ``dig +trace``: it more accurately - reproduces the behavior of ``named`` when resolving a query. - - The log message ``resolver priming query complete`` was moved from the - INFO log level to the DEBUG(1) log level, to prevent ``delv`` from - emitting that message when setting up its internal resolver. :gl:`#3842` - -- A new configuration option :any:`checkds` is introduced that when set to - ``yes`` will detect :any:`parental-agents` automatically by resolving the - parent NS records. These name servers will be used to check the DS RRset - during a KSK rollover initiated by :any:`dnssec-policy`. :gl:`#3901` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been removed and - using TKEY Mode 2 is now a fatal error. Users are advised to switch to TKEY - Mode 3 (GSS-API). :gl:`#3905` - -- Zone type ``delegation-only``, and the ``delegation-only`` and - ``root-delegation-only`` options, have been removed. 
Using them - is a configuration error. - - These options were created to address the SiteFinder controversy, in - which certain top-level domains redirected misspelled queries to other - sites instead of returning NXDOMAIN responses. Since top-level domains are - now DNSSEC signed, and DNSSEC validation is active by default, the - options are no longer needed. :gl:`#3953` - -Feature Changes -~~~~~~~~~~~~~~~ - -- None. - -Bug Fixes -~~~~~~~~~ - -- Performance of DNSSEC validation in zones with many DNSKEY records - has been improved. :gl:`#3981` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index e6622d56be..959c73d1d0 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst @@ -38,3 +38,14 @@ Known Issues have ``subjectAltName`` set. In such cases, the ``Subject`` field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. :gl:`#3163` + +- Loading a large number of zones is significantly slower in BIND + 9.19.12 than in the previous development releases due to a new data + structure being used for storing information about the zones to serve. + This slowdown is considered to be a bug and will be addressed in a + future BIND 9.19.x development release. :gl:`#4006` + +- A flaw in reworked code responsible for accepting TCP connections may + cause a visible performance drop for TCP queries on some platforms, + notably FreeBSD. This issue will be fixed in a future BIND 9.19.x + development release. :gl:`#3985`
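Review bot: the Security Fixes entry in the new doc/notes/notes-9.19.12.rst does not tell an operator who is exposed or how the crash is reached. It says the error was "introduced in development version 9.19.11", so state outright that 9.19.11 is the only affected release, and say whether a message carrying the maximum number of labels can arrive from a remote peer, so that readers can judge how urgently to upgrade. In the same sentence, "if the maximum permissible number of DNS labels were present" should read "was present", since the subject is "number".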
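Review bot: the two Known Issues bullets for :gl:`#4006` and :gl:`#3985` are added word for word to both doc/notes/notes-9.19.12.rst and doc/notes/notes-known-issues.rst, and doc/arm/notes.rst includes both files, so the rendered notes will show each bullet twice. The 9.19.12 section already ends with a pointer to the branch-wide list, so consider keeping the full text in one of the two places only. In notes-known-issues.rst the wording "in BIND 9.19.12 than in the previous development releases" will also go stale if either issue outlives this release; "since BIND 9.19.12" stays accurate for later 9.19.x notes.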
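Review bot: in the Removed Features section of doc/notes/notes-9.19.12.rst, "using TKEY Mode 2 is now a fatal error" does not say what an operator has to look for before upgrading. Name the configuration statement or statements that now cause the failure, and say whether the error is raised when the configuration is loaded or at run time, so that an existing configuration can be checked in advance. The ``delegation-only`` entry directly below does this by naming the zone type and both statements.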
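Review bot: doc/notes/notes-current.rst is deleted and its include in doc/arm/notes.rst is replaced by notes-9.19.12.rst, but the patch shows no other place that might still name the deleted file. Please confirm that no other include or build rule refers to notes-current.rst, and note whether a fresh notes-current.rst for the next development release is meant to be added in a separate change, since after this patch the include list starts at a fixed version.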