diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index eeb76f8592..5c7cc3b970 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.5.rst .. include:: ../changelog/changelog-9.21.4.rst .. include:: ../changelog/changelog-9.21.3.rst .. include:: ../changelog/changelog-9.21.2.rst diff --git a/doc/changelog/changelog-9.21.5.rst b/doc/changelog/changelog-9.21.5.rst new file mode 100644 index 0000000000..2d4f6c1788 --- /dev/null +++ b/doc/changelog/changelog-9.21.5.rst @@ -0,0 +1,213 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.5 +----------- + +New Features +~~~~~~~~~~~~ + +- Adds support for EDE code 1 and 2. ``5a8fce4851b`` + + Add support for EDE codes 1 & 2 which might occurs during DNSSEC + validation in case of unsupported RRSIG algorithm or DNSKEY digest. + :gl:`#2715` :gl:`!9948` + +- Add a rndc command to toggle jemalloc profiling. ``2bee113a467`` + + The new command is `rndc memprof`. The memory profiling status is also + reported inside `rndc status`. The status also shows whether named can + toggle memory profiling or not and if the server is built with + jemalloc. :gl:`#4759` :gl:`!9370` + +- Add support for multiple extended DNS errors. ``076e47b4277`` + + Extended DNS error mechanism (EDE) may have several errors raised + during a DNS resolution. `named` is now able to add up to three EDE + codes in a DNS response. In the case of duplicate error codes, only + the first one will be part of the DNS response. :gl:`#5085` + :gl:`!9952` + +- Print the expiration time of the stale records. ``ae73ac81a3a`` + + Print the expiration time of the stale RRsets in the cache dump. + :gl:`!10057` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Clean up unused result codes. ``d3455be08c9`` + + A number of result codes are obsolete and can be removed. Others, + including `ISC_R_NOMEMORY`, are still checked in various places even + though they can't occur any longer. These have been cleaned up. + :gl:`!9942` + +- Remove fields from struct fetchctx. ``1732346fcc3`` + + struct fetchctx does have several fields which are now unused or + confusing, removing those. :gl:`!9945` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Separate the connect and the read TCP timeouts in dispatch. + ``3f490fe3fb7`` + + The network manager layer has two different timers with their own + timeout values for TCP connections: connect timeout and read timeout. + Separate the connect and the read TCP timeouts in the dispatch module + too. :gl:`#5009` :gl:`!9698` + +- Include destination address port number in query logging. + ``166c3241425`` + + When query logging is enabled, named will now include the destination + address port in the logged message. :gl:`#5060` :gl:`!9972` + +- Refactor decref() in both QPDB. ``f43bf94eceb`` + + Clean up the pattern in the newref() and decref() functions in QP + databases. Replace the `db_nodelock_t` structure with plain reference + counting for every active database node in QPDB. + + Related to #5134 :gl:`!10006` + +- Shutdown the fetch context after canceling the last fetch. + ``3fe440f0cf9`` + + Shutdown the fetch context immediately after the last fetch has been + canceled from that particular fetch context. :gl:`!9958` + +- Use a suitable response in tcp_connected() when initiating a read. + ``66d4f9184a4`` + + When 'ISC_R_TIMEDOUT' is received in 'tcp_recv()', it times out the + oldest response in the active responses queue, and only after that it + checks whether other active responses have also timed out. So when + setting a timeout value for a read operation after a successful + connection, it makes sense to take the timeout value from the oldest + response in the active queue too, because, theoretically, the + responses can have different timeout values, e.g. when the TCP + dispatch is shared. Currently 'resp' is always NULL. Previously when + connect and read timeouts were not separated in dispatch this affected + only logging, but now since we are setting a new timeout after a + successful connection, we need to choose a suitable response from the + active queue. :gl:`!9927` + +Bug Fixes +~~~~~~~~~ + +- Fix possible truncation in dns_keymgr_status() ``eec0aaa391e`` + + If the generated status output exceeds 4096 it was silently truncated, + now we output that the status was truncated. :gl:`#4180` :gl:`!9905` + +- Validate adb fetches. ``d9eb272b690`` + + ADB responses were not being validated, allowing spoofed responses to + be accepted and used for further lookups. This should not be possible + when the servers for the zone are in a signed zone, except with CD=1 + requests or when glue is needed. This has been fixed. :gl:`#5066` + :gl:`!10052` + +- Recently expired records could be returned with timestamp in future. + ``517c5b6b28b`` + + Under rare circumstances, the RRSet that expired at the time of the + query could be returned with TTL far in the future. This has been + fixed. + + As a side-effect, the expiration time of expired RRSets are no longer + printed out in the cache dump. :gl:`#5094` :gl:`!10048` + +- Yaml string not terminated in negative response in delv. + ``e57ebb8f1b4`` + + :gl:`#5098` :gl:`!9922` + +- Fix a bug in dnssec-signzone related to keys being offline. + ``8efb4e2f26a`` + + In the case when `dnssec-signzone` is called on an already signed + zone, and the private key file is unavailable, a signature that needs + to be refreshed may be dropped without being able to generate a + replacement. This has been fixed. :gl:`#5126` :gl:`!9951` + +- Apply the memory limit only to ADB database items. ``0673568c170`` + + Resolver under heavy-load could exhaust the memory available for + storing the information in the Address Database (ADB) effectively + evicting already stored information in the ADB. The memory used to + retrieve and provide information from the ADB is now not a subject of + the same memory limits that are applied for storing the information in + the Address Database. :gl:`#5127` :gl:`!9954` + +- Avoid unnecessary locking in the zone/cache database. ``48471fd50c7`` + + Prevent lock contention among many worker threads referring to the + same database node at the same time. This would improve zone and + cache database performance for the heavily contended database nodes. + :gl:`#5130` :gl:`!9963` + +- Fix EDE 22 time out detection. ``dc3c3efdbf2`` + + Extended DNS error 22 (No reachable authority) was previously detected + when `fctx_expired` fired. It turns out this function is used as a + "safety net" and the timeout detection should be caught earlier. + + It was working though, because of another issue fixed by !9927. But + then, the recursive request timed out detection occurs before + `fctx_expired` making impossible to raise the EDE 22 error. + + This fixes the problem by triggering the EDE 22 in the part of the + code detecting the (TCP or UDP) time out and taking the decision to + cancel the whole fetch (i.e. There is no other server to attempt to + contact). + + Note this is not targeting users (no release note) because there is no + release versions of BIND between !9927 and this changes. Thus a + release note would be confusing. :gl:`#5137` :gl:`!9985` + +- Split and simplify the use of EDE list implementation. ``a8e0a695c48`` + + Instead of mixing the dns_resolver and dns_validator units directly + with the EDE code, split-out the dns_ede functionality into own + separate compilation unit and hide the implementation details behind + abstraction. + + Additionally, the new dns_edelist_t doesn't have to be copied into all + responses as those are attached to the fetch context, but it could be + only passed by reference. + + This makes the dns_ede implementation simpler to use, although sligtly + more complicated on the inside. :gl:`#5141` :gl:`!10016` + +- Fix the cache findzonecut() implementation. ``282b0ed5140`` + + The search for the deepest known zone cut in the cache could + improperly reject a node if it contained any stale data, regardless of + whether it was the NS RRset that was stale. :gl:`#5155` :gl:`!10047` + +- DNSSEC EDE system tests on FIPS platform. ``fd51d80297c`` + + Changes introducing the support of extended DNS error code 1 and 2 + uses SHA-1 digest for some tests which break FIPS platform. The digest + itself was irrelevant, another digest is used. :gl:`!10002` + +- Reduce the false sharing the dns_qpcache and dns_qpzone. + ``d4a7bff0b62`` + + Instead of having many node_lock_count * sizeof() arrays, pack + all the members into a qpcache_bucket_t that is cacheline aligned to + prevent false sharing between RWLocks. :gl:`!10072` + +