From 075f03d37f83496e18a74c74e8fa8b23971226a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 5 Nov 2021 08:04:15 +0100 Subject: [PATCH 1/6] Tweak and reword release notes --- doc/notes/notes-current.rst | 83 ++++++++++++++++++++----------------- 1 file changed, 46 insertions(+), 37 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c0eaa80ec7..073d40ddd5 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -24,61 +24,70 @@ Known Issues New Features ~~~~~~~~~~~~ -- Implement incremental resizing of RBT hash tables to perform the rehashing - gradually instead all-at-once to be able to grow the memory usage gradually - while keeping steady response rate during the rehashing. :gl:`#2941` +- Internal data structures maintained for each cache database are now + grown incrementally when they need to be expanded. This helps maintain + a steady response rate on a loaded resolver while these internal data + structures are resized. :gl:`#2941` -- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` - and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records - so that their content can only match the machine name embedded in the - Kerberos principal making the change. :gl:`#481` +- New finer-grained ``update-policy`` rule types, + ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added. + These rule types restrict updates to SRV and PTR records so that their + content can only match the machine name embedded in the Kerberos + principal making the change. :gl:`#481` + +- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843` Removed Features ~~~~~~~~~~~~~~~~ -- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. - If OpenSSL 3.0.0 has been built without support for deprecated functionality - pkcs11 via engine_pkcs11 is no longer available. At this point in time - there is no replacement ``provider`` for pkcs11 which is the replacement to - the ``engine API``. :gl:`#2843` +- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9 + currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an + OpenSSL 3.0.0 build which does not retain support for deprecated APIs + makes it impossible to use PKCS#11 in BIND 9. A replacement for + engine_pkcs11 which employs the new "provider" approach introduced in + OpenSSL 3.0.0 is in the making. 
:gl:`#2843` Feature Changes ~~~~~~~~~~~~~~~ -- Because the old socket manager API has been removed, "socketmgr" - statistics are no longer reported by the - :ref:`statistics channel `. :gl:`#2926` +- Since the old socket manager API has been removed, "socketmgr" + statistics are no longer reported by the :ref:`statistics channel + `. :gl:`#2926` -- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional - validation rules for domains and hostnames within dig. :gl:`#1610` +- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls. + This enables additional validation rules for IDN domains and hostnames + in ``dig``. :gl:`#1610` -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means - that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by - default. The additional signatures from the ZSK that are added if the option - is set to ``no`` add to the DNS response payload without offering added value. - :gl:`#1316` +- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This + means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with + the KSK by default. The additional signatures prepared using the ZSK + when the option is set to ``no`` add to the DNS response payload + without offering added value. :gl:`#1316` - The output of ``rndc serve-stale status`` has been clarified. It now - explicitly reports whether retention of stale data in the cache is enabled - (``stale-cache-enable``), and whether returning of such data in responses is - enabled (``stale-answer-enable``). :gl:`#2742` + explicitly reports whether retention of stale data in the cache is + enabled (``stale-cache-enable``), and whether returning such data in + responses is enabled (``stale-answer-enable``). :gl:`#2742` -- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use - no extra iterations and no salt. 
:gl:`#2956`. +- The default NSEC3 parameters for ``dnssec-policy`` were updated to no + extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). + :gl:`#2956` + +.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules Bug Fixes ~~~~~~~~~ -- Reloading a catalog zone that referenced a missing/deleted zone - caused a crash. This has been fixed. :gl:`#2308` +- Reloading a catalog zone which referenced a missing/deleted member + zone triggered a runtime check failure, causing ``named`` to exit + prematurely. This has been fixed. :gl:`#2308` -- Logfiles using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by ``versions``. - :gl:`#828` +- Log files using ``timestamp``-style suffixes were not always correctly + removed when the number of files exceeded the limit set by + ``versions``. This has been fixed. :gl:`#828` - Some lame delegations could trigger a dependency loop, in which a - resolver fetch was waiting for a name server address lookup which was - waiting for the same resolver fetch. This could cause a recursive lookup - to hang until timing out. This now detected and avoided. :gl:`#2927` + resolver fetch waited for a name server address lookup which was + waiting for the same resolver fetch. This could cause a recursive + lookup to hang until timing out. This situation is now detected and + prevented. :gl:`#2927` From 02b1a18db28a2f57f954bd075b10ddfccf43e3c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 5 Nov 2021 08:04:15 +0100 Subject: [PATCH 2/6] Reorder release notes --- doc/notes/notes-current.rst | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 073d40ddd5..ce2768aa0c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -24,11 +24,6 @@ Known Issues New Features ~~~~~~~~~~~~ -- Internal data structures maintained for each cache database are now - grown incrementally when they need to be expanded. This helps maintain - a steady response rate on a loaded resolver while these internal data - structures are resized. :gl:`#2941` - - New finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added. These rule types restrict updates to SRV and PTR records so that their @@ -47,16 +42,12 @@ Removed Features engine_pkcs11 which employs the new "provider" approach introduced in OpenSSL 3.0.0 is in the making. :gl:`#2843` -Feature Changes -~~~~~~~~~~~~~~~ - - Since the old socket manager API has been removed, "socketmgr" statistics are no longer reported by the :ref:`statistics channel `. :gl:`#2926` -- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls. - This enables additional validation rules for IDN domains and hostnames - in ``dig``. :gl:`#1610` +Feature Changes +~~~~~~~~~~~~~~~ - The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with 
@@ -64,14 +55,23 @@ Feature Changes when the option is set to ``no`` add to the DNS response payload without offering added value. :gl:`#1316` +- The default NSEC3 parameters for ``dnssec-policy`` were updated to no + extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). + :gl:`#2956` + +- Internal data structures maintained for each cache database are now + grown incrementally when they need to be expanded. This helps maintain + a steady response rate on a loaded resolver while these internal data + structures are resized. :gl:`#2941` + - The output of ``rndc serve-stale status`` has been clarified. It now explicitly reports whether retention of stale data in the cache is enabled (``stale-cache-enable``), and whether returning such data in responses is enabled (``stale-answer-enable``). :gl:`#2742` -- The default NSEC3 parameters for ``dnssec-policy`` were updated to no - extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). - :gl:`#2956` +- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls. + This enables additional validation rules for IDN domains and hostnames + in ``dig``. :gl:`#1610` .. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules 
@@ -82,12 +82,12 @@ Bug Fixes zone triggered a runtime check failure, causing ``named`` to exit prematurely. This has been fixed. :gl:`#2308` -- Log files using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by - ``versions``. This has been fixed. :gl:`#828` - - Some lame delegations could trigger a dependency loop, in which a resolver fetch waited for a name server address lookup which was waiting for the same resolver fetch. This could cause a recursive lookup to hang until timing out. This situation is now detected and prevented. :gl:`#2927` + +- Log files using ``timestamp``-style suffixes were not always correctly + removed when the number of files exceeded the limit set by + ``versions``. This has been fixed. :gl:`#828` From adf37a9d5975f37ec8b6d746c7ea0ffb85ba6e1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 5 Nov 2021 08:04:15 +0100 Subject: [PATCH 3/6] Prepare release notes for BIND 9.17.20 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.17.20.rst} | 10 ---------- 2 files changed, 1 insertion(+), 11 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.20.rst} (97%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 85eaa1d3ce..06eec5d890 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.20.rst .. include:: ../notes/notes-9.17.19.rst .. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.20.rst similarity index 97% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.20.rst index ce2768aa0c..eec841d52e 100644 --- a/doc/notes/notes-current.rst 
+++ b/doc/notes/notes-9.17.20.rst @@ -11,16 +11,6 @@ Notes for BIND 9.17.20 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ From 27abbbafebc870b9af122ca269e06a8b9d31bd8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 5 Nov 2021 08:25:48 +0100 Subject: [PATCH 4/6] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 3bce1e270e..a836f616cb 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,8 @@ via DNS-over-HTTPS, according to the recommendations given in RFC 8484. [GL #2854] + --- 9.17.20 released --- + 5755. [bug] The statistics channel wasn't correctly handling multiple HTTP requests, or pipelined or truncated requests. [GL #2973] From 50ea1f5fc4fccf7ce0b2ad978cde51a0cee972d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 5 Nov 2021 08:25:48 +0100 Subject: [PATCH 5/6] Update BIND version to 9.17.20 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 17ca8eb60c..ffcc69f325 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 19)dnl +m4_define([bind_VERSION_PATCH], 20)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl From d0940f87b6c1e1f4424a2d12b022d5ad460bed27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 18 Nov 2021 09:00:07 +0100 Subject: [PATCH 6/6] Set up release notes for BIND 9.17.21 --- doc/arm/notes.rst | 1 + doc/notes/notes-current.rst | 42 +++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 doc/notes/notes-current.rst 
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 06eec5d890..b8fc8171ac 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -51,6 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.17.20.rst .. include:: ../notes/notes-9.17.19.rst .. include:: ../notes/notes-9.17.18.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..ee9288b72c --- /dev/null +++ b/doc/notes/notes-current.rst @@ -0,0 +1,42 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.21 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- None. + +Known Issues +~~~~~~~~~~~~ + +- None. + +New Features +~~~~~~~~~~~~ + +- None. + +Removed Features +~~~~~~~~~~~~~~~~ + +- None. + +Feature Changes +~~~~~~~~~~~~~~~ + +- None. + +Bug Fixes +~~~~~~~~~ + +- None.
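Review bot: In [PATCH 1/6], the reworded engine_pkcs11 entry under Removed Features ends with "is in the making", which drops the fact the removed text stated outright ("At this point in time there is no replacement ``provider`` for pkcs11"). Operators who keep keys behind PKCS#11 need that stated plainly, so consider wording such as "No provider-based replacement for engine_pkcs11 is available yet." In the same hunk, the ``dnssec-policy`` NSEC3 entry says the defaults "were updated to" ``NSEC3PARAM 1 0 0 -`` without naming the previous default; adding the old values would let readers judge whether zones relying on the default are affected.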
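Review bot: The commit message of [PATCH 2/6] ("Reorder release notes") should mention that two entries change category, not just position. The hunk at -24,11 removes the :gl:`#2941` cache entry from New Features and the hunk at -64,14 re-adds it under Feature Changes, while the hunk at -47,16 moves the "Feature Changes" heading below the "socketmgr" statistics entry (:gl:`#2926`), so that entry now reads as a Removed Feature. Both moves look deliberate, but a one-line explanation in the commit message would make that clear to anyone later bisecting the notes.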
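Review bot: In [PATCH 4/6], entry 5755 ([GL #2973], statistics channel handling of multiple, pipelined or truncated HTTP requests) sits directly below the new "--- 9.17.20 released ---" marker, yet the Bug Fixes list edited in patches 1/6 and 2/6 only covers :gl:`#2308`, :gl:`#2927` and :gl:`#828`. If 5755 is meant to ship in 9.17.20, consider adding a release note for it, since operators who expose the statistics channel would want to know about it; otherwise please confirm the omission is intentional.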