diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index f63aae5a9d..6ed4417040 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -15,143 +15,132 @@ New Features ~~~~~~~~~~~~ -- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. +- Tighten :any:`max-recursion-queries` and add :any:`max-query-restarts` + configuration statement. - There were cases in resolver.c when the `max-recursion-queries` quota - was ineffective. It was possible to craft zones that would cause a - resolver to waste resources by sending excessive queries while + There were cases when the :any:`max-recursion-queries` + quota was ineffective. It was possible to craft zones that would cause + a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting - errors in the implementation of `max-recursion-queries`, and by + errors in the implementation of :any:`max-recursion-queries`, and by reducing the default value from 100 to 32. - In addition, a new `max-query-restarts` option has been added which - limits the number of times a recursive server will follow CNAME or - DNAME records before terminating resolution. This was previously a - hard-coded limit of 16, and now defaults to 11. :gl:`#4741` + In addition, a new :any:`max-query-restarts` option has been added + which limits the number of times a recursive server will follow CNAME + or DNAME records before terminating resolution. This was previously a + hard-coded limit of 16, and now defaults to 11. :gl:`#4741` :gl:`!9281` -- Implement rndc retransfer -force. +- Implement ``rndc retransfer -force``. - A new optional argument '-force' has been added to the command channel - command 'rndc retransfer'. When it is specified, named aborts the - ongoing zone transfer (if there is one), and starts a new transfer. - :gl:`#2299` :gl:`!9102` + A new optional argument ``-force`` has been added to the command + channel command :option:`rndc retransfer`. When it is specified, + :iscman:`named` aborts the ongoing zone transfer (if there is one) and + starts a new transfer. :gl:`#2299` :gl:`!9102` - Add support for external log rotation tools. - Add two mechanisms to close open log files. The first is `rndc - closelogs`. The second is `kill -USR1 `. They are intended to be - used with external log rotation tools. :gl:`#4780` :gl:`!9113` + Add two mechanisms to close open log files. The first is :option:`rndc + closelogs`. The second is ``kill -USR1 ``. They are intended to + be used with external log rotation tools. :gl:`#4780` :gl:`!9113` Feature Changes ~~~~~~~~~~~~~~~ -- Remove OpenSSL 1.x Engine support. +- Remove OpenSSL 1.x engine support. - The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x - and is going to be removed from the upstream OpenSSL. Remove the - OpenSSL Engine support from BIND 9 in favor of OpenSSL 3.x Providers. - :gl:`#4828` :gl:`!9252` + OpenSSL 1.x engine support has been deprecated in OpenSSL 3.x and is + going to be removed from the OpenSSL code base. Remove OpenSSL engine + support from BIND 9 in favor of OpenSSL 3.x providers. :gl:`#4828` + :gl:`!9252` - Require at least OpenSSL 1.1.1. - OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now + OpenSSL 1.1.1 or newer (or an equivalent LibreSSL version) is now required to compile BIND 9. :gl:`#2806` :gl:`!9110` -- Allow shorter resolver-query-timeout configuration. +- Allow shorter :any:`resolver-query-timeout` configuration. - The minimum allowed value of 'resolver-query-timeout' was lowered to - 301 milliseconds instead of the earlier 10000 milliseconds (which is - the default). As earlier, values less than or equal to 300 are + The minimum allowed value of :any:`resolver-query-timeout` was lowered + to 301 milliseconds instead of the earlier 10000 milliseconds (which + is the default). As earlier, values less than or equal to 300 are converted to seconds before applying the limit. :gl:`#4320` :gl:`!9091` Bug Fixes ~~~~~~~~~ -- Reconfigure catz member zones during named reconfiguration. +- Reconfigure catz member zones during :iscman:`named` reconfiguration. - During a reconfiguration named wasn't reconfiguring catalog zones' - member zones. This has been fixed. :gl:`#4733` + During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog + zones' member zones. This has been fixed. :gl:`#4733` -- Fix --enable-tracing build on systems without dtrace. +- Fix ``--enable-tracing`` build on systems without dtrace. - Missing file util/dtrace.sh prevented builds on system without dtrace - utility. This has been corrected. + Missing ``util/dtrace.sh`` file prevented builds on systems without + the ``dtrace`` utility. This has been corrected. -- Dig now reports missing query section for opcode QUERY. +- :iscman:`dig` now reports missing QUESTION section for opcode QUERY. - Query responses should contain the question section with some - exceptions. Dig was not reporting this. :gl:`#4808` :gl:`!9233` + Query responses should contain the QUESTION section with some + exceptions. :iscman:`dig` was not reporting this. :gl:`#4808` + :gl:`!9233` -- Fix assertion failure in the glue cache. +- Fix assertion failure in glue cache code. Fix an assertion failure that could happen as a result of data race - between free_gluetable() and addglue() on the same headers. + between ``free_gluetable()`` and ``addglue()`` on the same headers. :gl:`#4691` :gl:`!9126` - Raise the log level of priming failures. - When a priming query is complete, it's currently logged at level - ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising - it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + When a priming query is complete, it was previously logged at level + ``ISC_LOG_DEBUG(1)``, regardless of success or failure. It is now + logged to ``ISC_LOG_NOTICE`` in the case of failure. :gl:`#3516` :gl:`!9121` -- Fix assertion failure when checking named-checkconf version. +- Fix assertion failure when checking :iscman:`named-checkconf` version. Checking the version of `named-checkconf` would end with assertion - failure. This has been fixed. :gl:`#4827` :gl:`!9243` + failure. This has been fixed. :gl:`#4827` :gl:`!9243` -- Valid TSIG signatures with invalid time cause crash. +- Fix a crash caused by valid TSIG signatures with invalid time. - An assertion failure triggers when the TSIG has valid cryptographic - signature, but the time is invalid. This can happen when the times - between the primary and secondary servers are not synchronised. - :gl:`#4811` :gl:`!9234` - -- Remove extra newline from yaml output. - - I split this into two commits, one for the actual newline removal, and - one for issues I found, ruining the yaml output when some errors were - outputted. + An assertion failure was triggered when the TSIG had valid + cryptographic signature, but the time was invalid. This could happen + when the times between the primary and secondary servers were not + synchronised. The crash has now been fixed. :gl:`#4811` :gl:`!9234` - Fix generation of 6to4-self name expansion from IPv4 address. The period between the most significant nibble of the encoded IPv4 - address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the - wrong name being checked. Add system test for 6to4-self - implementation. :gl:`#4766` :gl:`!9099` + address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the + wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9099` - Fix false QNAME minimisation error being reported. - Remove the false positive "success resolving" log message when QNAME - minimisation is in effect and the final result is NXDOMAIN. + Remove the false positive ``success resolving`` log message when QNAME + minimisation is in effect and the final result is an NXDOMAIN. :gl:`#4784` :gl:`!9117` -- Dig +yaml was producing unexpected and/or invalid YAML output. +- :option:`dig +yaml` was producing unexpected and/or invalid YAML + output. :gl:`#4796` :gl:`!9127` - :gl:`#4796` :gl:`!9127` - -- SVBC alpn text parsing failed to reject zero length alpn. +- SVBC ALPN text parsing failed to reject zero-length ALPN. :gl:`#4775` :gl:`!9106` - Return SERVFAIL for a too long CNAME chain. - When cutting a long CNAME chain, named was returning NOERROR instead - of SERVFAIL (alongside with a partial answer). This has been fixed. - :gl:`#4449` :gl:`!9090` + When cutting a long CNAME chain, :iscman:`named` was returning NOERROR + instead of SERVFAIL (alongside with a partial answer). This has been + fixed. :gl:`#4449` :gl:`!9090` -- Properly calculate the amount of system memory. +- Update key lifetime and metadata after :any:`dnssec-policy` reconfig. - On 32 bit machines isc_meminfo_totalphys could return an incorrect - value. :gl:`#4799` :gl:`!9132` - -- Update key lifetime and metadata after dnssec-policy reconfig. - - Adjust key state and timing metadata if dnssec-policy key lifetime - configuration is updated, so that it also affects existing keys. - :gl:`#4677` :gl:`!9118` + Adjust key state and timing metadata if :any:`dnssec-policy` key + lifetime configuration is updated, so that it also affects existing + keys. :gl:`#4677` :gl:`!9118` Known Issues ~~~~~~~~~~~~