mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00

Tweak and reword release notes

This commit is contained in:
Michał Kępień
2024-08-09 09:12:18 +02:00
committed by Petr Špaček
parent 53cdd247bb
commit a47707c59d


@@ -15,143 +15,132 @@
New Features New Features
~~~~~~~~~~~~ ~~~~~~~~~~~~
- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. - Tighten :any:`max-recursion-queries` and add :any:`max-query-restarts`
configuration statement.
There were cases in resolver.c when the `max-recursion-queries` quota There were cases when the :any:`max-recursion-queries`
was ineffective. It was possible to craft zones that would cause a quota was ineffective. It was possible to craft zones that would cause
resolver to waste resources by sending excessive queries while a resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by correcting attempting to resolve a name. This has been addressed by correcting
errors in the implementation of `max-recursion-queries`, and by errors in the implementation of :any:`max-recursion-queries`, and by
reducing the default value from 100 to 32. reducing the default value from 100 to 32.
In addition, a new `max-query-restarts` option has been added which In addition, a new :any:`max-query-restarts` option has been added
limits the number of times a recursive server will follow CNAME or which limits the number of times a recursive server will follow CNAME
DNAME records before terminating resolution. This was previously a or DNAME records before terminating resolution. This was previously a
hard-coded limit of 16, and now defaults to 11. :gl:`#4741` hard-coded limit of 16, and now defaults to 11. :gl:`#4741`
:gl:`!9281` :gl:`!9281`
- Implement rndc retransfer -force. - Implement ``rndc retransfer -force``.
A new optional argument '-force' has been added to the command channel A new optional argument ``-force`` has been added to the command
command 'rndc retransfer'. When it is specified, named aborts the channel command :option:`rndc retransfer`. When it is specified,
ongoing zone transfer (if there is one), and starts a new transfer. :iscman:`named` aborts the ongoing zone transfer (if there is one) and
:gl:`#2299` :gl:`!9102` starts a new transfer. :gl:`#2299` :gl:`!9102`
- Add support for external log rotation tools. - Add support for external log rotation tools.
Add two mechanisms to close open log files. The first is `rndc Add two mechanisms to close open log files. The first is :option:`rndc
closelogs`. The second is `kill -USR1 <pid>`. They are intended to be closelogs`. The second is ``kill -USR1 <pid>``. They are intended to
used with external log rotation tools. :gl:`#4780` :gl:`!9113` be used with external log rotation tools. :gl:`#4780` :gl:`!9113`
Feature Changes Feature Changes
~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
- Remove OpenSSL 1.x Engine support. - Remove OpenSSL 1.x engine support.
The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x OpenSSL 1.x engine support has been deprecated in OpenSSL 3.x and is
and is going to be removed from the upstream OpenSSL. Remove the going to be removed from the OpenSSL code base. Remove OpenSSL engine
OpenSSL Engine support from BIND 9 in favor of OpenSSL 3.x Providers. support from BIND 9 in favor of OpenSSL 3.x providers. :gl:`#4828`
:gl:`#4828` :gl:`!9252` :gl:`!9252`
- Require at least OpenSSL 1.1.1. - Require at least OpenSSL 1.1.1.
OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now OpenSSL 1.1.1 or newer (or an equivalent LibreSSL version) is now
required to compile BIND 9. :gl:`#2806` :gl:`!9110` required to compile BIND 9. :gl:`#2806` :gl:`!9110`
- Allow shorter resolver-query-timeout configuration. - Allow shorter :any:`resolver-query-timeout` configuration.
The minimum allowed value of 'resolver-query-timeout' was lowered to The minimum allowed value of :any:`resolver-query-timeout` was lowered
301 milliseconds instead of the earlier 10000 milliseconds (which is to 301 milliseconds instead of the earlier 10000 milliseconds (which
the default). As earlier, values less than or equal to 300 are is the default). As earlier, values less than or equal to 300 are
converted to seconds before applying the limit. :gl:`#4320` converted to seconds before applying the limit. :gl:`#4320`
:gl:`!9091` :gl:`!9091`
Bug Fixes Bug Fixes
~~~~~~~~~ ~~~~~~~~~
- Reconfigure catz member zones during named reconfiguration. - Reconfigure catz member zones during :iscman:`named` reconfiguration.
During a reconfiguration named wasn't reconfiguring catalog zones' During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog
member zones. This has been fixed. :gl:`#4733` zones' member zones. This has been fixed. :gl:`#4733`
- Fix --enable-tracing build on systems without dtrace. - Fix ``--enable-tracing`` build on systems without dtrace.
Missing file util/dtrace.sh prevented builds on system without dtrace Missing ``util/dtrace.sh`` file prevented builds on systems without
utility. This has been corrected. the ``dtrace`` utility. This has been corrected.
- Dig now reports missing query section for opcode QUERY. - :iscman:`dig` now reports missing QUESTION section for opcode QUERY.
Query responses should contain the question section with some Query responses should contain the QUESTION section with some
exceptions. Dig was not reporting this. :gl:`#4808` :gl:`!9233` exceptions. :iscman:`dig` was not reporting this. :gl:`#4808`
:gl:`!9233`
- Fix assertion failure in the glue cache. - Fix assertion failure in glue cache code.
Fix an assertion failure that could happen as a result of data race Fix an assertion failure that could happen as a result of data race
between free_gluetable() and addglue() on the same headers. between ``free_gluetable()`` and ``addglue()`` on the same headers.
:gl:`#4691` :gl:`!9126` :gl:`#4691` :gl:`!9126`
- Raise the log level of priming failures. - Raise the log level of priming failures.
When a priming query is complete, it's currently logged at level When a priming query is complete, it was previously logged at level
ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising ``ISC_LOG_DEBUG(1)``, regardless of success or failure. It is now
it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` logged to ``ISC_LOG_NOTICE`` in the case of failure. :gl:`#3516`
:gl:`!9121` :gl:`!9121`
- Fix assertion failure when checking named-checkconf version. - Fix assertion failure when checking :iscman:`named-checkconf` version.
Checking the version of `named-checkconf` would end with assertion Checking the version of `named-checkconf` would end with assertion
failure. This has been fixed. :gl:`#4827` :gl:`!9243` failure. This has been fixed. :gl:`#4827` :gl:`!9243`
- Valid TSIG signatures with invalid time cause crash. - Fix a crash caused by valid TSIG signatures with invalid time.
An assertion failure triggers when the TSIG has valid cryptographic An assertion failure was triggered when the TSIG had valid
signature, but the time is invalid. This can happen when the times cryptographic signature, but the time was invalid. This could happen
between the primary and secondary servers are not synchronised. when the times between the primary and secondary servers were not
:gl:`#4811` :gl:`!9234` synchronised. The crash has now been fixed. :gl:`#4811` :gl:`!9234`
- Remove extra newline from yaml output.
I split this into two commits, one for the actual newline removal, and
one for issues I found, ruining the yaml output when some errors were
outputted.
- Fix generation of 6to4-self name expansion from IPv4 address. - Fix generation of 6to4-self name expansion from IPv4 address.
The period between the most significant nibble of the encoded IPv4 The period between the most significant nibble of the encoded IPv4
address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the
wrong name being checked. Add system test for 6to4-self wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9099`
implementation. :gl:`#4766` :gl:`!9099`
- Fix false QNAME minimisation error being reported. - Fix false QNAME minimisation error being reported.
Remove the false positive "success resolving" log message when QNAME Remove the false positive ``success resolving`` log message when QNAME
minimisation is in effect and the final result is NXDOMAIN. minimisation is in effect and the final result is an NXDOMAIN.
:gl:`#4784` :gl:`!9117` :gl:`#4784` :gl:`!9117`
- Dig +yaml was producing unexpected and/or invalid YAML output. - :option:`dig +yaml` was producing unexpected and/or invalid YAML
output. :gl:`#4796` :gl:`!9127`
:gl:`#4796` :gl:`!9127` - SVBC ALPN text parsing failed to reject zero-length ALPN.
- SVBC alpn text parsing failed to reject zero length alpn.
:gl:`#4775` :gl:`!9106` :gl:`#4775` :gl:`!9106`
- Return SERVFAIL for a too long CNAME chain. - Return SERVFAIL for a too long CNAME chain.
When cutting a long CNAME chain, named was returning NOERROR instead When cutting a long CNAME chain, :iscman:`named` was returning NOERROR
of SERVFAIL (alongside with a partial answer). This has been fixed. instead of SERVFAIL (alongside with a partial answer). This has been
:gl:`#4449` :gl:`!9090` fixed. :gl:`#4449` :gl:`!9090`
- Properly calculate the amount of system memory. - Update key lifetime and metadata after :any:`dnssec-policy` reconfig.
On 32 bit machines isc_meminfo_totalphys could return an incorrect Adjust key state and timing metadata if :any:`dnssec-policy` key
value. :gl:`#4799` :gl:`!9132` lifetime configuration is updated, so that it also affects existing
keys. :gl:`#4677` :gl:`!9118`
- Update key lifetime and metadata after dnssec-policy reconfig.
Adjust key state and timing metadata if dnssec-policy key lifetime
configuration is updated, so that it also affects existing keys.
:gl:`#4677` :gl:`!9118`
Known Issues Known Issues
~~~~~~~~~~~~ ~~~~~~~~~~~~
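Review bot: the reworded SVCB entry still misspells the record type as "SVBC" on both sides of the hunk (`- SVBC ALPN text parsing failed to reject zero-length ALPN.`); the RR type is SVCB, so the new text should read `- SVCB ALPN text parsing failed to reject zero-length ALPN.`. Two further points in the same hunk: the "Properly calculate the amount of system memory" bug-fix entry (`:gl:`#4799` :gl:`!9132``, about `isc_meminfo_totalphys` on 32-bit machines) is removed without a replacement, while the commit message only says the notes were tweaked and reworded, so either confirm the removal is intentional or restore the entry; and in the named-checkconf entry the heading was converted to `:iscman:`named-checkconf`` but the body on the right side still uses single backticks (`Checking the version of `named-checkconf` would end with assertion`), so convert the body to the same role (or to double backticks, as the other reworded entries use) for consistency.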