Generate changelog for BIND 9.21.5

2025-08-22 01:59:26 +00:00 · 2025-02-07 13:12:54 +01:00 · 2025-02-07 13:12:54 +01:00 · af174fe816
commit af174fe816
parent 9b15715558
2 changed files with 214 additions and 0 deletions
--- a/doc/arm/changelog.rst
+++ b/doc/arm/changelog.rst
@ -18,6 +18,7 @@ Changelog
   development. Regular users should refer to :ref:`Release Notes <relnotes>`
   for changes relevant to them.

+.. include:: ../changelog/changelog-9.21.5.rst
 .. include:: ../changelog/changelog-9.21.4.rst
 .. include:: ../changelog/changelog-9.21.3.rst
 .. include:: ../changelog/changelog-9.21.2.rst
--- a/doc/changelog/changelog-9.21.5.rst
+++ b/doc/changelog/changelog-9.21.5.rst
@ -0,0 +1,213 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.21.5
+-----------
+
+New Features
+~~~~~~~~~~~~
+
+- Adds support for EDE code 1 and 2. ``5a8fce4851b``
+
+  Add support for EDE codes 1 & 2 which might occurs during DNSSEC
+  validation in case of unsupported RRSIG algorithm or DNSKEY digest.
+  :gl:`#2715` :gl:`!9948`
+
+- Add a rndc command to toggle jemalloc profiling. ``2bee113a467``
+
+  The new command is `rndc memprof`. The memory profiling status is also
+  reported inside `rndc status`. The status also shows whether named can
+  toggle memory profiling or not and if the server is built with
+  jemalloc. :gl:`#4759` :gl:`!9370`
+
+- Add support for multiple extended DNS errors. ``076e47b4277``
+
+  Extended DNS error mechanism (EDE) may have several errors raised
+  during a DNS resolution. `named` is now able to add up to three EDE
+  codes in a DNS response. In the case of duplicate error codes, only
+  the first one will be part of the DNS response. :gl:`#5085`
+  :gl:`!9952`
+
+- Print the expiration time of the stale records. ``ae73ac81a3a``
+
+  Print the expiration time of the stale RRsets in the cache dump.
+  :gl:`!10057`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Clean up unused result codes. ``d3455be08c9``
+
+  A number of result codes are obsolete and can be removed. Others,
+  including `ISC_R_NOMEMORY`, are still checked in various places even
+  though they can't occur any longer. These have been cleaned up.
+  :gl:`!9942`
+
+- Remove fields from struct fetchctx. ``1732346fcc3``
+
+  struct fetchctx does have several fields which are now unused or
+  confusing, removing those. :gl:`!9945`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Separate the connect and the read TCP timeouts in dispatch.
+  ``3f490fe3fb7``
+
+  The network manager layer has two different timers with their own
+  timeout values for TCP connections: connect timeout and read timeout.
+  Separate the connect and the read TCP timeouts in the dispatch module
+  too. :gl:`#5009` :gl:`!9698`
+
+- Include destination address port number in query logging.
+  ``166c3241425``
+
+  When query logging is enabled, named will now include the destination
+  address port in the logged message. :gl:`#5060` :gl:`!9972`
+
+- Refactor decref() in both QPDB. ``f43bf94eceb``
+
+  Clean up the pattern in the newref() and decref() functions in QP
+  databases.  Replace the `db_nodelock_t` structure with plain reference
+  counting for every active database node in QPDB.
+
+  Related to #5134 :gl:`!10006`
+
+- Shutdown the fetch context after canceling the last fetch.
+  ``3fe440f0cf9``
+
+  Shutdown the fetch context immediately after the last fetch has been
+  canceled from that particular fetch context. :gl:`!9958`
+
+- Use a suitable response in tcp_connected() when initiating a read.
+  ``66d4f9184a4``
+
+  When 'ISC_R_TIMEDOUT' is received in 'tcp_recv()', it times out the
+  oldest response in the active responses queue, and only after that it
+  checks whether other active responses have also timed out. So when
+  setting a timeout value for a read operation after a successful
+  connection, it makes sense to take the timeout value from the oldest
+  response in the active queue too, because, theoretically, the
+  responses can have different timeout values, e.g. when the TCP
+  dispatch is shared. Currently 'resp' is always NULL. Previously when
+  connect and read timeouts were not separated in dispatch this affected
+  only logging, but now since we are setting a new timeout after a
+  successful connection, we need to choose a suitable response from the
+  active queue. :gl:`!9927`
+
+Bug Fixes
+~~~~~~~~~
+
+- Fix possible truncation in dns_keymgr_status() ``eec0aaa391e``
+
+  If the generated status output exceeds 4096 it was silently truncated,
+  now we output that the status was truncated. :gl:`#4180` :gl:`!9905`
+
+- Validate adb fetches. ``d9eb272b690``
+
+  ADB responses were not being validated, allowing spoofed responses to
+  be accepted and used for further lookups. This should not be possible
+  when the servers for the zone are in a signed zone, except with CD=1
+  requests or when glue is needed. This has been fixed. :gl:`#5066`
+  :gl:`!10052`
+
+- Recently expired records could be returned with timestamp in future.
+  ``517c5b6b28b``
+
+  Under rare circumstances, the RRSet that expired at the time of the
+  query could be returned with TTL far in the future.  This has been
+  fixed.
+
+  As a side-effect, the expiration time of expired RRSets are no longer
+  printed out in the cache dump. :gl:`#5094` :gl:`!10048`
+
+- Yaml string not terminated in negative response in delv.
+  ``e57ebb8f1b4``
+
+  :gl:`#5098` :gl:`!9922`
+
+- Fix a bug in dnssec-signzone related to keys being offline.
+  ``8efb4e2f26a``
+
+  In the case when `dnssec-signzone` is called on an already signed
+  zone, and the private key file is unavailable, a signature that needs
+  to be refreshed may be dropped without being able to generate a
+  replacement. This has been fixed. :gl:`#5126` :gl:`!9951`
+
+- Apply the memory limit only to ADB database items. ``0673568c170``
+
+  Resolver under heavy-load could exhaust the memory available for
+  storing the information in the Address Database (ADB) effectively
+  evicting already stored information in the ADB.  The memory used to
+  retrieve and provide information from the ADB is now not a subject of
+  the same memory limits that are applied for storing the information in
+  the Address Database. :gl:`#5127` :gl:`!9954`
+
+- Avoid unnecessary locking in the zone/cache database. ``48471fd50c7``
+
+  Prevent lock contention among many worker threads referring to the
+  same database node at the same time.  This would improve zone and
+  cache database performance for the heavily contended database nodes.
+  :gl:`#5130` :gl:`!9963`
+
+- Fix EDE 22 time out detection. ``dc3c3efdbf2``
+
+  Extended DNS error 22 (No reachable authority) was previously detected
+  when `fctx_expired` fired. It turns out this function is used as a
+  "safety net" and the timeout detection should be caught earlier.
+
+  It was working though, because of another issue fixed by !9927. But
+  then, the recursive request timed out detection occurs before
+  `fctx_expired` making impossible to raise the EDE 22 error.
+
+  This fixes the problem by triggering the EDE 22 in the part of the
+  code detecting the (TCP or UDP) time out and taking the decision to
+  cancel the whole fetch (i.e. There is no other server to attempt to
+  contact).
+
+  Note this is not targeting users (no release note) because there is no
+  release versions of BIND between !9927 and this changes. Thus a
+  release note would be confusing. :gl:`#5137` :gl:`!9985`
+
+- Split and simplify the use of EDE list implementation. ``a8e0a695c48``
+
+  Instead of mixing the dns_resolver and dns_validator units directly
+  with the EDE code, split-out the dns_ede functionality into own
+  separate compilation unit and hide the implementation details behind
+  abstraction.
+
+  Additionally, the new dns_edelist_t doesn't have to be copied into all
+  responses as those are attached to the fetch context, but it could be
+  only passed by reference.
+
+  This makes the dns_ede implementation simpler to use, although sligtly
+  more complicated on the inside. :gl:`#5141` :gl:`!10016`
+
+- Fix the cache findzonecut() implementation. ``282b0ed5140``
+
+  The search for the deepest known zone cut in the cache could
+  improperly reject a node if it contained any stale data, regardless of
+  whether it was the NS RRset that was stale. :gl:`#5155` :gl:`!10047`
+
+- DNSSEC EDE system tests on FIPS platform. ``fd51d80297c``
+
+  Changes introducing the support of extended DNS error code 1 and 2
+  uses SHA-1 digest for some tests which break FIPS platform. The digest
+  itself was irrelevant, another digest is used. :gl:`!10002`
+
+- Reduce the false sharing the dns_qpcache and dns_qpzone.
+  ``d4a7bff0b62``
+
+  Instead of having many node_lock_count * sizeof(<member>) arrays, pack
+  all the members into a qpcache_bucket_t that is cacheline aligned to
+  prevent false sharing between RWLocks. :gl:`!10072`
+
+