diff --git a/CHANGES b/CHANGES index 3bce1e270e..a836f616cb 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,8 @@ via DNS-over-HTTPS, according to the recommendations given in RFC 8484. [GL #2854] + --- 9.17.20 released --- + 5755. [bug] The statistics channel wasn't correctly handling multiple HTTP requests, or pipelined or truncated requests. [GL #2973] diff --git a/configure.ac b/configure.ac index 17ca8eb60c..ffcc69f325 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 19)dnl +m4_define([bind_VERSION_PATCH], 20)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 85eaa1d3ce..b8fc8171ac 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,6 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, and source code. .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.20.rst .. include:: ../notes/notes-9.17.19.rst .. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst diff --git a/doc/notes/notes-9.17.20.rst b/doc/notes/notes-9.17.20.rst new file mode 100644 index 0000000000..eec841d52e --- /dev/null +++ b/doc/notes/notes-9.17.20.rst 
@@ -0,0 +1,83 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.20 +---------------------- + +New Features +~~~~~~~~~~~~ + +- New finer-grained ``update-policy`` rule types, + ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added. + These rule types restrict updates to SRV and PTR records so that their + content can only match the machine name embedded in the Kerberos + principal making the change. :gl:`#481` + +- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843` + +Removed Features +~~~~~~~~~~~~~~~~ + +- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9 + currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an + OpenSSL 3.0.0 build which does not retain support for deprecated APIs + makes it impossible to use PKCS#11 in BIND 9. A replacement for + engine_pkcs11 which employs the new "provider" approach introduced in + OpenSSL 3.0.0 is in the making. :gl:`#2843` + +- Since the old socket manager API has been removed, "socketmgr" + statistics are no longer reported by the :ref:`statistics channel + `. :gl:`#2926` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This + means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with + the KSK by default. The additional signatures prepared using the ZSK + when the option is set to ``no`` add to the DNS response payload + without offering added value. :gl:`#1316` + +- The default NSEC3 parameters for ``dnssec-policy`` were updated to no + extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). 
+ :gl:`#2956` + +- Internal data structures maintained for each cache database are now + grown incrementally when they need to be expanded. This helps maintain + a steady response rate on a loaded resolver while these internal data + structures are resized. :gl:`#2941` + +- The output of ``rndc serve-stale status`` has been clarified. It now + explicitly reports whether retention of stale data in the cache is + enabled (``stale-cache-enable``), and whether returning such data in + responses is enabled (``stale-answer-enable``). :gl:`#2742` + +- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls. + This enables additional validation rules for IDN domains and hostnames + in ``dig``. :gl:`#1610` + +.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules + +Bug Fixes +~~~~~~~~~ + +- Reloading a catalog zone which referenced a missing/deleted member + zone triggered a runtime check failure, causing ``named`` to exit + prematurely. This has been fixed. :gl:`#2308` + +- Some lame delegations could trigger a dependency loop, in which a + resolver fetch waited for a name server address lookup which was + waiting for the same resolver fetch. This could cause a recursive + lookup to hang until timing out. This situation is now detected and + prevented. :gl:`#2927` + +- Log files using ``timestamp``-style suffixes were not always correctly + removed when the number of files exceeded the limit set by + ``versions``. This has been fixed. :gl:`#828` diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c0eaa80ec7..ee9288b72c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -8,7 +8,7 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.20 +Notes for BIND 9.17.21 ---------------------- Security Fixes 
@@ -24,61 +24,19 @@ Known Issues New Features ~~~~~~~~~~~~ -- Implement incremental resizing of RBT hash tables to perform the rehashing - gradually instead all-at-once to be able to grow the memory usage gradually - while keeping steady response rate during the rehashing. :gl:`#2941` - -- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` - and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records - so that their content can only match the machine name embedded in the - Kerberos principal making the change. :gl:`#481` +- None. Removed Features ~~~~~~~~~~~~~~~~ -- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. - If OpenSSL 3.0.0 has been built without support for deprecated functionality - pkcs11 via engine_pkcs11 is no longer available. At this point in time - there is no replacement ``provider`` for pkcs11 which is the replacement to - the ``engine API``. :gl:`#2843` +- None. Feature Changes ~~~~~~~~~~~~~~~ -- Because the old socket manager API has been removed, "socketmgr" - statistics are no longer reported by the - :ref:`statistics channel `. :gl:`#2926` - -- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional - validation rules for domains and hostnames within dig. :gl:`#1610` - -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means - that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by - default. The additional signatures from the ZSK that are added if the option - is set to ``no`` add to the DNS response payload without offering added value. - :gl:`#1316` - -- The output of ``rndc serve-stale status`` has been clarified. It now - explicitly reports whether retention of stale data in the cache is enabled - (``stale-cache-enable``), and whether returning of such data in responses is - enabled (``stale-answer-enable``). 
:gl:`#2742` - -- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use - no extra iterations and no salt. :gl:`#2956`. +- None. Bug Fixes ~~~~~~~~~ -- Reloading a catalog zone that referenced a missing/deleted zone - caused a crash. This has been fixed. :gl:`#2308` - -- Logfiles using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by ``versions``. - :gl:`#828` - -- Some lame delegations could trigger a dependency loop, in which a - resolver fetch was waiting for a name server address lookup which was - waiting for the same resolver fetch. This could cause a recursive lookup - to hang until timing out. This now detected and avoided. :gl:`#2927` +- None.
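Review bot: in the new doc/notes/notes-9.17.20.rst, the cross-reference in the "socketmgr" bullet under Removed Features reads ``:ref:`statistics channel ``` with the link text followed by a space and no visible explicit ``<label>`` target; the identical form appears in the lines removed from notes-current.rst, so if the target was dropped it was dropped in both places. Please confirm the role still carries the label the ARM uses for the statistics channel section, otherwise the Sphinx build will report an undefined label and the note will render without a link. Secondary points in the same file: :gl:`#2843` is cited twice, once as the New Feature "Support for OpenSSL 3.0.0 APIs was added" and once for the Removed Features bullet on engine_pkcs11; that is acceptable, but the Removed Features bullet tells operators that PKCS#11 becomes unusable against an OpenSSL 3.0.0 build without deprecated APIs while saying nothing about what they can do until the provider replacement lands (for instance, building against OpenSSL with deprecated APIs retained), which is the one thing an HSM-backed deployment will want to know from a release note. The ``dnssec-dnskey-kskonly`` default change and the NSEC3 default of ``NSEC3PARAM 1 0 0 -`` are both behaviour changes for existing signed zones; the notes state the new defaults clearly, and it would help to add one sentence that operators who need the old behaviour must now set the option explicitly.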
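Review bot: the doc/notes/notes-current.rst hunk starts at line 24 (``@@ -24,61 +24,19 @@ Known Issues``), so the Security Fixes and Known Issues sections above it are untouched by this change, while the new notes-9.17.20.rst contains no Security Fixes or Known Issues section at all. Please confirm those two sections in notes-current.rst already read "- None." so that nothing belonging to 9.17.20 is carried into the 9.17.21 notes, and nothing that should have been in the 9.17.20 notes was left behind. The reset of New Features, Removed Features, Feature Changes and Bug Fixes to "- None." and the heading change to "Notes for BIND 9.17.21" look correct against the content moved into the new file.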