Merge branch 'v9_17_20-release' into 'main'

Merge 9.17.20 release branch See merge request isc-projects/bind9!5581
2025-08-31 22:45:39 +00:00 · 2021-11-18 08:14:40 +00:00
parent 00d379da8e d0940f87b6
commit a814f72261
5 changed files with 92 additions and 48 deletions
--- a/2
+++ b/2
@@ -9,6 +9,8 @@
 			via DNS-over-HTTPS, according to the recommendations
 			given in RFC 8484. [GL #2854]
 	--- 9.17.20 released ---
 5755.	[bug]		The statistics channel wasn't correctly handling
 			multiple HTTP requests, or pipelined or truncated
 			requests. [GL #2973]
--- a/configure.ac
+++ b/configure.ac
@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 19)dnl
+m4_define([bind_VERSION_PATCH], 20)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -52,6 +52,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 .. include:: ../notes/notes-current.rst
 .. include:: ../notes/notes-9.17.20.rst
 .. include:: ../notes/notes-9.17.19.rst
 .. include:: ../notes/notes-9.17.18.rst
 .. include:: ../notes/notes-9.17.17.rst
--- a/doc/notes/notes-9.17.20.rst
+++ b/doc/notes/notes-9.17.20.rst
@@ -0,0 +1,83 @@
 .. 
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.
 Notes for BIND 9.17.20
 ----------------------
 New Features
 ~~~~~~~~~~~~
 - New finer-grained ``update-policy`` rule types,
  ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
  These rule types restrict updates to SRV and PTR records so that their
  content can only match the machine name embedded in the Kerberos
  principal making the change. :gl:`#481`
 - Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843`
 Removed Features
 ~~~~~~~~~~~~~~~~
 - OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9
  currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an
  OpenSSL 3.0.0 build which does not retain support for deprecated APIs
  makes it impossible to use PKCS#11 in BIND 9. A replacement for
  engine_pkcs11 which employs the new "provider" approach introduced in
  OpenSSL 3.0.0 is in the making. :gl:`#2843`
 - Since the old socket manager API has been removed, "socketmgr"
  statistics are no longer reported by the :ref:`statistics channel
  <statschannels>`. :gl:`#2926`
 Feature Changes
 ~~~~~~~~~~~~~~~
 - The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This
  means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
  the KSK by default. The additional signatures prepared using the ZSK
  when the option is set to ``no`` add to the DNS response payload
  without offering added value. :gl:`#1316`
 - The default NSEC3 parameters for ``dnssec-policy`` were updated to no
  extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``).
  :gl:`#2956`
 - Internal data structures maintained for each cache database are now
  grown incrementally when they need to be expanded. This helps maintain
  a steady response rate on a loaded resolver while these internal data
  structures are resized. :gl:`#2941`
 - The output of ``rndc serve-stale status`` has been clarified. It now
  explicitly reports whether retention of stale data in the cache is
  enabled (``stale-cache-enable``), and whether returning such data in
  responses is enabled (``stale-answer-enable``). :gl:`#2742`
 - The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls.
  This enables additional validation rules for IDN domains and hostnames
  in ``dig``. :gl:`#1610`
 .. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
 Bug Fixes
 ~~~~~~~~~
 - Reloading a catalog zone which referenced a missing/deleted member
  zone triggered a runtime check failure, causing ``named`` to exit
  prematurely. This has been fixed. :gl:`#2308`
 - Some lame delegations could trigger a dependency loop, in which a
  resolver fetch waited for a name server address lookup which was
  waiting for the same resolver fetch. This could cause a recursive
  lookup to hang until timing out. This situation is now detected and
  prevented. :gl:`#2927`
 - Log files using ``timestamp``-style suffixes were not always correctly
  removed when the number of files exceeded the limit set by
  ``versions``. This has been fixed. :gl:`#828`
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -8,7 +8,7 @@
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.
-Notes for BIND 9.17.20
+Notes for BIND 9.17.21
 ----------------------
 Security Fixes
@@ -24,61 +24,19 @@ Known Issues
 New Features
 ~~~~~~~~~~~~
- Implement incremental resizing of RBT hash tables to perform the rehashing
+- None.
  gradually instead all-at-once to be able to grow the memory usage gradually
  while keeping steady response rate during the rehashing. :gl:`#2941`
 - Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs``
  and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records
  so that their content can only match the machine name embedded in the
  Kerberos principal making the change. :gl:`#481`
 Removed Features
 ~~~~~~~~~~~~~~~~
- Add support for OpenSSL 3.0.0.  OpenSSL 3.0.0 deprecated 'engine' support.
+- None.
  If OpenSSL 3.0.0 has been built without support for deprecated functionality
  pkcs11 via engine_pkcs11 is no longer available.  At this point in time
  there is no replacement ``provider`` for pkcs11 which is the replacement to
  the ``engine API``. :gl:`#2843`
 Feature Changes
 ~~~~~~~~~~~~~~~
- Because the old socket manager API has been removed, "socketmgr"
+- None.
  statistics are no longer reported by the
  :ref:`statistics channel <statschannels>`. :gl:`#2926`
 - `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional
  validation rules for domains and hostnames within dig.  :gl:`#1610`
 .. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
 - The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means
  that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by
  default. The additional signatures from the ZSK that are added if the option
  is set to ``no`` add to the DNS response payload without offering added value.
  :gl:`#1316`
 - The output of ``rndc serve-stale status`` has been clarified. It now
  explicitly reports whether retention of stale data in the cache is enabled
  (``stale-cache-enable``), and whether returning of such data in responses is 
  enabled (``stale-answer-enable``). :gl:`#2742`
 - The default for ``dnssec-policy``'s ``nsec3param`` is changed to use
  no extra iterations and no salt. :gl:`#2956`.
 Bug Fixes
 ~~~~~~~~~
- Reloading a catalog zone that referenced a missing/deleted zone
+- None.
  caused a crash. This has been fixed. :gl:`#2308`
 - Logfiles using ``timestamp``-style suffixes were not always correctly
  removed when the number of files exceeded the limit set by ``versions``.
  :gl:`#828`
 - Some lame delegations could trigger a dependency loop, in which a
  resolver fetch was waiting for a name server address lookup which was
  waiting for the same resolver fetch. This could cause a recursive lookup
  to hang until timing out. This now detected and avoided. :gl:`#2927`