mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00

Merge branch '2372-add-hyperlink-to-gl-xxxx-labels-in-documentation' into 'main'

Resolve "Add hyperlink to [GL XXXX] labels in documentation"

Closes #2372

See merge request isc-projects/bind9!4563
This commit is contained in:
Michał Kępień
2021-04-29 11:35:33 +00:00
19 changed files with 236 additions and 178 deletions


@@ -28,7 +28,8 @@ def added_lines(target_branch, paths):
def lines_containing(lines, string):
return [l for l in lines if bytes(string, 'utf-8') in l]
issue_or_mr_id_regex = re.compile(br'\[(GL [#!]|RT #)[0-9]+\]')
changes_issue_or_mr_id_regex = re.compile(br'\[(GL [#!]|RT #)[0-9]+\]')
relnotes_issue_or_mr_id_regex = re.compile(br':gl:`[#!][0-9]+`')
release_notes_regex = re.compile(r'doc/(arm|notes)/notes-.*\.(rst|xml)')
modified_files = danger.git.modified_files
@@ -186,7 +187,7 @@ if changes_modified and no_changes_label_set:
changes_added_lines = added_lines(target_branch, ['CHANGES'])
placeholders_added = lines_containing(changes_added_lines, '[placeholder]')
identifiers_found = filter(issue_or_mr_id_regex.search, changes_added_lines)
identifiers_found = filter(changes_issue_or_mr_id_regex.search, changes_added_lines)
if changes_added_lines:
if placeholders_added:
if target_branch != 'main':
@@ -234,7 +235,7 @@ if release_notes_changed and not release_notes_label_set:
if release_notes_changed:
notes_added_lines = added_lines(target_branch, release_notes_changed)
identifiers_found = filter(issue_or_mr_id_regex.search, notes_added_lines)
identifiers_found = filter(relnotes_issue_or_mr_id_regex.search, notes_added_lines)
if notes_added_lines and not any(identifiers_found):
warn('No valid issue/MR identifiers found in added release notes.')
else:
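Review bot: `relnotes_issue_or_mr_id_regex` (third line of the first hunk) only matches the bare role form, `:gl:`#N`` or `:gl:`!N``, so a release note that cites an issue solely through the role's explicit-title form (`:gl:`GitLab issue #4 <#4>``, which this same merge request introduces in notes-9.17.0) would trip the "No valid issue/MR identifiers found" warning in the third hunk; something like ``re.compile(br':gl:`(?:[^`]*<)?[#!][0-9]+>?`')`` accepts both spellings. The split also silently drops `[RT #N]` acceptance for release notes while `changes_issue_or_mr_id_regex` keeps it for CHANGES — if that asymmetry is intended, a one-line comment above the two patterns saying so (`# CHANGES keeps the bracketed [GL #N]/[RT #N] form; release notes use the :gl: Sphinx role`) would save the next reader from re-deriving it. The enclosing top-level statement runs of this dangerfile continue outside the hunks.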


@@ -11,6 +11,62 @@
# flake8: noqa: E501
from typing import List, Tuple
from docutils import nodes
from docutils.nodes import Node, system_message
from docutils.parsers.rst import roles
from sphinx import addnodes
from sphinx.util.docutils import ReferenceRole
GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/'
# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
class GitLabRefRole(ReferenceRole):
def __init__(self, base_url: str) -> None:
self.base_url = base_url
super().__init__()
def run(self) -> Tuple[List[Node], List[system_message]]:
gl_identifier = '[GL %s]' % self.target
target_id = 'index-%s' % self.env.new_serialno('index')
entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)]
index = addnodes.index(entries=entries)
target = nodes.target('', '', ids=[target_id])
self.inliner.document.note_explicit_target(target)
try:
refuri = self.build_uri()
reference = nodes.reference('', '', internal=False, refuri=refuri,
classes=['gl'])
if self.has_explicit_title:
reference += nodes.strong(self.title, self.title)
else:
reference += nodes.strong(gl_identifier, gl_identifier)
except ValueError:
error_text = 'invalid GitLab identifier %s' % self.target
msg = self.inliner.reporter.error(error_text, line=self.lineno)
prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
return [prb], [msg]
return [index, target, reference], []
def build_uri(self):
if self.target[0] == '#':
return self.base_url + 'issues/%d' % int(self.target[1:])
if self.target[0] == '!':
return self.base_url + 'merge_requests/%d' % int(self.target[1:])
raise ValueError
def setup(_):
roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL))
#
# Configuration file for the Sphinx documentation builder.
#
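Review bot: `build_uri` indexes `self.target[0]` before any length check, so an empty target would raise `IndexError`, which the `except ValueError` in `run` does not catch; docutils probably never hands the role an empty interpreted text, but the guard costs nothing — `if self.target.startswith('#'):` and `if self.target.startswith('!'):` make both branches safe and let the existing `raise ValueError` handle every other shape. Note that `int()` also accepts leading whitespace and underscores (`int(' 1_5')` is 15), so `:gl:`# 15`` would hyperlink rather than error; if strict identifiers are wanted, matching `self.target[1:]` against `[0-9]+` first is the explicit check. `run` and `build_uri` have no docstrings; a one-liner each (`"""Emit an index entry, an anchor and an external link for a :gl:`#N`/:gl:`!N` target."""` and `"""Return the GitLab URL for the role target, raising ValueError for anything that is not #N or !N."""`) would document the contract the dangerfile regex in this same merge request relies on.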


@@ -581,7 +581,7 @@ is accepted but not returned in responses.
[17] Wildcard records are not supported in DNSSEC secure zones.
[18] Servers authoritative for secure zones being resolved by BIND
9 must support EDNS0 (RFC2671), and must return all relevant SIGs
9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs
and NXTs in responses, rather than relying on the resolving server
to perform separate queries for missing SIGs and NXTs.


@@ -35,7 +35,7 @@ zone with one of them; this is the "active" KSK. All KSKs which do not
sign the zone are "stand-by" keys.
Any validating resolver which is configured to use the active KSK as an
RFC 5011-managed trust anchor takes note of the stand-by KSKs in the
:rfc:`5011`-managed trust anchor takes note of the stand-by KSKs in the
zone's DNSKEY RRset, and stores them for future reference. The resolver
rechecks the zone periodically; after 30 days, if the new key is
still there, the key is accepted by the resolver as a valid


@@ -1882,7 +1882,7 @@ Boolean Options
is made. For convenience, TTL-style time-unit suffixes may be used to
specify the value. It also accepts ISO 8601 duration formats.
The default ``stale-refresh-time`` is 30 seconds, as RFC 8767 recommends
The default ``stale-refresh-time`` is 30 seconds, as :rfc:`8767` recommends
that attempts to refresh to be done no more frequently than every 30
seconds. A value of zero disables the feature, meaning that normal
resolution will take place first, if that fails only then ``named`` will


@@ -36,7 +36,7 @@ New Features
This behavior is controlled by the ``max-ixfr-ratio`` option - a
percentage value representing the ratio of IXFR size to the size of a
full zone transfer. The default is ``100%``. [GL #1515]
full zone transfer. The default is ``100%``. :gl:`#1515`
- A new RPZ option ``nsdname-wait-recurse`` controls whether
RPZ-NSDNAME rules should always be applied even if the names of
@@ -45,7 +45,7 @@ New Features
up initial responses by skipping RPZ-NSDNAME rules when name server
domain names are not yet in the cache. The names will be looked up in
the background and the rule will be applied for subsequent queries.
[GL #1138]
:gl:`#1138`
Feature Changes
~~~~~~~~~~~~~~~
@@ -58,14 +58,14 @@ Feature Changes
the notable exception of Ubuntu 18.04 (Bionic) which is a work in
progress. If you are running on an affected operating system, compile
BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
glibc is available. [GL !3125]
glibc is available. :gl:`!3125`
.. _bug: https://sourceware.org/bugzilla/show_bug.cgi?id=23844
- The ``rndc nta -dump`` and ``rndc secroots`` commands now both
include ``validate-except`` entries when listing negative trust
anchors. These are indicated by the keyword ``permanent`` in place of
the expiry date. [GL #1532]
the expiry date. :gl:`#1532`
Bug Fixes
~~~~~~~~~


@@ -16,7 +16,7 @@ Security Fixes
- DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
Klein. :gl:`#1574`
Known Issues
~~~~~~~~~~~~
@@ -26,8 +26,8 @@ Known Issues
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated. [GL
#1685]
used in the hash calculation). These are being investigated.
:gl:`#1685`
New Features
~~~~~~~~~~~~
@@ -40,14 +40,14 @@ New Features
are ignored, but the information is looked up in the background and
applied to subsequent queries. The default is ``yes``, meaning that
RPZ NSDNAME rules should always be applied, even if the information
needs to be looked up first. [GL #1138]
needs to be looked up first. :gl:`#1138`
Feature Changes
~~~~~~~~~~~~~~~
- The previous DNSSEC sign statistics used lots of memory. The number
of keys to track is reduced to four per zone, which should be enough
for 99% of all signed zones. [GL #1179]
for 99% of all signed zones. :gl:`#1179`
Bug Fixes
~~~~~~~~~
@@ -56,7 +56,7 @@ Bug Fixes
number of records was deleted, ``named`` could become nonresponsive
for a short period while deleted names were removed from the RPZ
summary database. This database cleanup is now done incrementally
over a longer period of time, reducing such delays. [GL #1447]
over a longer period of time, reducing such delays. :gl:`#1447`
- When trying to migrate an already-signed zone from ``auto-dnssec
maintain`` to one based on ``dnssec-policy``, the existing keys were
@@ -65,5 +65,5 @@ Bug Fixes
clients would not have been able to validate responses until all old
DNSSEC information had timed out from caches. BIND now looks at the
time metadata of the existing keys and incorporates it into its
DNSSEC policy operation. [GL #1706]
DNSSEC policy operation. :gl:`#1706`


@@ -21,13 +21,13 @@ New Features
encryption to other software).
Note that there is no client-side support for HTTPS as yet; this will
be added to ``dig`` in a future release. [GL #1144]
be added to ``dig`` in a future release. :gl:`#1144`
- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
outgoing zone transfers. Addresses in a ``primaries`` list can now be
accompanied by an optional ``tls`` keyword, followed by either the
name of a previously configured ``tls`` statement or ``ephemeral``.
[GL #2392]
:gl:`#2392`
- A new option, ``stale-answer-client-timeout``, has been added to
improve ``named``'s behavior with respect to serving stale data. The
@@ -45,7 +45,7 @@ New Features
This new behavior can be disabled by setting
``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
option has no effect if ``stale-answer-enable`` is disabled.
[GL #2247]
:gl:`#2247`
Removed Features
~~~~~~~~~~~~~~~~
@@ -60,7 +60,7 @@ Removed Features
``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086]
``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086`
Feature Changes
~~~~~~~~~~~~~~~
@@ -70,40 +70,40 @@ Feature Changes
query resolution process. This may happen, for example, if the
``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
this case, ``named`` attempts to answer DNS requests with stale data,
but does not start the ``stale-refresh-time`` window. [GL #2434]
but does not start the ``stale-refresh-time`` window. :gl:`#2434`
- The default value of ``max-stale-ttl`` has been changed from 12 hours
to 1 day and the default value of ``stale-answer-ttl`` has been
changed from 1 second to 30 seconds, following :rfc:`8767`
recommendations. [GL #2248]
recommendations. :gl:`#2248`
- The SONAMEs for BIND 9 libraries now include the current BIND 9
version number, in an effort to tightly couple internal libraries with
a specific release. This change makes the BIND 9 release process both
simpler and more consistent while also unequivocally preventing BIND 9
binaries from silently loading wrong versions of shared libraries (or
multiple versions of the same shared library) at startup. [GL #2387]
multiple versions of the same shared library) at startup. :gl:`#2387`
- When ``check-names`` is in effect, A records below an ``_spf``,
``_spf_rate``, or ``_spf_verify`` label (which are employed by the
``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
D.1) are no longer reported as warnings/errors. [GL #2377]
D.1) are no longer reported as warnings/errors. :gl:`#2377`
Bug Fixes
~~~~~~~~~
- ``named`` failed to start when its configuration included a zone with
a non-builtin ``allow-update`` ACL attached. [GL #2413]
a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
key. This has been fixed. [GL #2178]
key. This has been fixed. :gl:`#2178`
- KASP incorrectly set signature validity to the value of the DNSKEY
signature validity. This has been fixed. [GL #2383]
signature validity. This has been fixed. :gl:`#2383`
- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
and/or ``Delete`` timing metadata to be possible active keys. This has
been fixed. [GL #2406]
been fixed. :gl:`#2406`
- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
faster than the time required to finish the rollover procedure, the
@@ -111,8 +111,8 @@ Bug Fixes
were taking part in a rollover. This could lead to premature removal
of predecessor keys. BIND 9 now implements a recursive successor
relation, as described in the paper "Flexible and Robust Key Rollover"
(Equation (2)). [GL #2375]
(Equation (2)). :gl:`#2375`
- Performance of the DNSSEC verification code (used by
``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
improved. [GL #2073]
improved. :gl:`#2073`


@@ -15,12 +15,12 @@ New Features
~~~~~~~~~~~~
- ``dig`` has been extended to support DNS-over-HTTPS (DoH) queries,
using ``dig +https`` and related options. [GL #1641]
using ``dig +https`` and related options. :gl:`#1641`
- A new ``purge-keys`` option has been added to ``dnssec-policy``. It
sets the period of time that key files are retained after becoming
obsolete due to a key rollover; the default is 90 days. This feature
can be disabled by setting ``purge-keys`` to 0. [GL #2408]
can be disabled by setting ``purge-keys`` to 0. :gl:`#2408`
Feature Changes
~~~~~~~~~~~~~~~
@@ -29,12 +29,12 @@ Feature Changes
DNS-over-HTTPS (DoH) in BIND 9, ``listen-on`` and ``listen-on-v6``
statements using the ``http`` parameter must now also specify the
``tls`` parameter. ``tls none`` can be used to explicitly allow
unencrypted HTTP connections. [GL #2472]
unencrypted HTTP connections. :gl:`#2472`
- ``http default`` can now be specified in ``listen-on`` and
``listen-on-v6`` statements to use the default HTTP endpoint of
``/dns-query``. It is no longer necessary to include an ``http``
statement in ``named.conf`` unless overriding this value. [GL #2472]
statement in ``named.conf`` unless overriding this value. :gl:`#2472`
Bug Fixes
~~~~~~~~~
@@ -54,37 +54,37 @@ Bug Fixes
A journal file's format can be changed manually by running
``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
(upgrade). Note that this *must not* be done while ``named`` is
running. [GL #2505]
running. :gl:`#2505`
- ``named`` crashed when it was allowed to serve stale answers and
``stale-answer-client-timeout`` was triggered without any (stale) data
available in the cache to answer the query. [GL #2503]
available in the cache to answer the query. :gl:`#2503`
- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
instead of sending back a proper response. To prevent this problem,
the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
been happening since BIND 9.17.6. [GL #2466]
been happening since BIND 9.17.6. :gl:`#2466`
- NSEC3 records were not immediately created when signing a dynamic zone
using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
[GL #2498]
:gl:`#2498`
- A memory leak occurred when ``named`` was reconfigured after adding an
inline-signed zone with ``auto-dnssec maintain`` enabled. This has
been fixed. [GL #2041]
been fixed. :gl:`#2041`
- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
a LOC record resulted in an INSIST failure when a zone file containing
such a record was loaded. [GL #2499]
such a record was loaded. :gl:`#2499`
- If an invalid key name (e.g. ``a..b``) was specified in a
``primaries`` list in ``named.conf``, the wrong size was passed to
``isc_mem_put()``, which resulted in the returned memory being put on
the wrong free list and prevented ``named`` from starting up. This has
been fixed. [GL #2460]
been fixed. :gl:`#2460`
- ``libtool`` was inadvertently introduced as a build-time requirement
when the build system was revamped in BIND 9.17.2. This unnecessarily
prevented hosts without that tool from building BIND 9 from source
tarballs. A standalone ``libtool`` script no longer needs to be
present in ``PATH`` to build BIND 9 from a source tarball. [GL #2504]
present in ``PATH`` to build BIND 9 from a source tarball. :gl:`#2504`


@@ -18,14 +18,14 @@ Security Fixes
in ``named``, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. [GL #2467]
vulnerability to our attention. :gl:`#2467`
- ``named`` crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank `Siva Kakarla`_ for bringing this
vulnerability to our attention. [GL #2540]
vulnerability to our attention. :gl:`#2540`
.. _Siva Kakarla: https://github.com/sivakesava1
@@ -37,11 +37,11 @@ Feature Changes
the system GSSAPI library when it is built with GSSAPI support. All
major contemporary Kerberos/GSSAPI libraries contain an implementation
of the SPNEGO mechanism. This change was introduced in BIND 9.17.2,
but it was not included in the release notes at the time. [GL #2607]
but it was not included in the release notes at the time. :gl:`#2607`
- The default value for the ``stale-answer-client-timeout`` option was
changed from ``1800`` (ms) to ``off``. The default value may be
changed again in future releases as this feature matures. [GL #2608]
changed again in future releases as this feature matures. :gl:`#2608`
Bug Fixes
~~~~~~~~~
@@ -52,35 +52,35 @@ Bug Fixes
transfer from being sent back to the client. The default setting for
``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
connection taking more than 30 seconds was abruptly terminated. This
has been fixed. [GL #2583]
has been fixed. :gl:`#2583`
- When ``stale-answer-client-timeout`` was set to a positive value and
recursion for a client query completed when ``named`` was about to
look for a stale answer, an assertion could fail in
``query_respond()``, resulting in a crash. This has been fixed.
[GL #2594]
:gl:`#2594`
- After upgrading to the previous release, journal files for trust
anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a
corrupt state. (Other zone journal files were not affected.) This has
been fixed. If a corrupt journal file is detected, ``named`` can now
recover from it. [GL #2600]
recover from it. :gl:`#2600`
- When sending queries over TCP, ``dig`` now properly handles ``+tries=1
+retry=0`` by not retrying the connection when the remote server
closes the connection prematurely. [GL #2490]
closes the connection prematurely. :gl:`#2490`
- CDS/CDNSKEY DELETE records are now removed when a zone transitions
from a secure to an insecure state. ``named-checkzone`` also no longer
reports an error when such records are found in an unsigned zone.
[GL #2517]
:gl:`#2517`
- Zones using KASP could not be thawed after they were frozen using
``rndc freeze``. This has been fixed. [GL #2523]
``rndc freeze``. This has been fixed. :gl:`#2523`
- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
``named`` now immediately attempts to reconfigure zone keys. This
change prevents unnecessary key rollover delays. [GL #2488]
change prevents unnecessary key rollover delays. :gl:`#2488`
- ``named`` crashed after skipping a primary server while transferring a
zone over TLS. This has been fixed. [GL #2562]
zone over TLS. This has been fixed. :gl:`#2562`


@@ -20,26 +20,27 @@ Security Fixes
top-level domain servers are no longer exempt from the
``max-recursion-queries`` limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
disclosed in CVE-2020-8616. :gl:`#1388`
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
oversized TCP buffer. This was disclosed in CVE-2020-8618.
:gl:`#1850`
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
Known Issues
~~~~~~~~~~~~
- In this release, the build system has been significantly changed (see
below) and there are several unresolved issues to be aware of when
using a development release. Please refer to `GitLab issue #4`_ for a
list of not-yet-resolved issues that will be fixed in future
releases. [GL #4]
using a development release. Please refer to :gl:`GitLab issue #4
<#4>` for a list of not-yet-resolved issues that will be fixed in
future releases. :gl:`#4`
- BIND crashes on startup when linked against libuv 1.36. This issue
is related to ``recvmmsg()`` support in libuv, which was first
@@ -49,7 +50,7 @@ Known Issues
be enabled. This BIND release sets that special flag when required,
so ``recvmmsg()`` support is now enabled when BIND is compiled
against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not
usable with BIND. [GL #1761] [GL #1797]
usable with BIND. :gl:`#1761` :gl:`#1797`
New Features
~~~~~~~~~~~~
@@ -59,36 +60,36 @@ New Features
for people building BIND 9 from release tarballs, but when building
BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run
first. Extra attention is also needed when using non-standard
``./configure`` options. [GL #4]
``./configure`` options. :gl:`#4`
- Documentation was converted from DocBook to reStructuredText. The
BIND 9 ARM is now generated using Sphinx and published on `Read the
Docs`_. Release notes are no longer available as a separate document
accompanying a release. [GL #83]
accompanying a release. :gl:`#83`
- ``named`` and ``named-checkzone`` now reject master zones that have a
DS RRset at the zone apex. Attempts to add DS records at the zone
apex via UPDATE will be logged but otherwise ignored. DS records
belong in the parent zone, not at the zone apex. [GL #1798]
belong in the parent zone, not at the zone apex. :gl:`#1798`
- Per-type record count limits can now be specified in
``update-policy`` statements, to limit the number of records of a
particular type that can be added to a domain name via dynamic
update. [GL #1657]
update. :gl:`#1657`
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or a response. [GL #1835]
option when it appears in a request or a response. :gl:`#1835`
- ``dig +qid=<num>`` allows the user to specify a particular query ID
for testing purposes. [GL #1851]
for testing purposes. :gl:`#1851`
- A new logging category, ``rpz-passthru``, was added, which allows RPZ
passthru actions to be logged into a separate channel. [GL #54]
passthru actions to be logged into a separate channel. :gl:`#54`
- Zone timers are now exported via statistics channel. For primary
zones, only the load time is exported. For secondary zones, exported
timers also include expire and refresh times. Contributed by Paul
Frieden, Verizon Media. [GL #1232]
Frieden, Verizon Media. :gl:`#1232`
Feature Changes
~~~~~~~~~~~~~~~
@@ -102,7 +103,7 @@ Feature Changes
on|off``). Serving of stale answers when the authoritative servers
are not responding must be explicitly enabled, whereas the retention
of expired cache content takes place automatically on all versions of
BIND 9 that have this feature available. [GL #1877]
BIND 9 that have this feature available. :gl:`#1877`
.. warning::
This change may be significant for administrators who expect that
@@ -111,41 +112,41 @@ Feature Changes
the previous behavior of ``named``.
- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
relying on system defaults instead. [GL #1713]
relying on system defaults instead. :gl:`#1713`
- The default rwlock implementation has been changed back to the native
BIND 9 rwlock implementation. [GL #1753]
BIND 9 rwlock implementation. :gl:`#1753`
- BIND 9 binaries which are neither daemons nor administrative programs
were moved to ``$bindir``. Only ``ddns-confgen``, ``named``,
``rndc``, ``rndc-confgen``, and ``tsig-confgen`` were left in
``$sbindir``. [GL #1724]
``$sbindir``. :gl:`#1724`
- ``listen-on-v6 { any; }`` creates a separate socket for each
interface. Previously, just one socket was created on systems
conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
in BIND 9.16.0, but it was accidentally omitted from documentation.
[GL #1782]
:gl:`#1782`
- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
v3.0 and thus made operational again. Contributed by Aaron Thompson.
[GL !3326]
:gl:`!3326`
- The OpenSSL ECDSA implementation has been updated to support PKCS#11
via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
#1534]
via OpenSSL engine (see engine_pkcs11 from libp11 project).
:gl:`#1534`
- The OpenSSL EdDSA implementation has been updated to support PKCS#11
via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
is required and thus this code is only a proof-of-concept for the
time being. Contributed by Aaron Thompson. [GL #1763]
time being. Contributed by Aaron Thompson. :gl:`#1763`
- Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
message IDs. :gl:`#1674`
- The question section is now checked when processing AXFR, IXFR,
and SOA replies while transferring a zone in. [GL #1683]
and SOA replies while transferring a zone in. :gl:`#1683`
Bug Fixes
~~~~~~~~~
@@ -156,60 +157,59 @@ Bug Fixes
DNSSEC proof of non-existence (in other words, queries that required
the server to find and to return NSEC3 data). The unnecessary
processing step that was causing this delay has now been removed.
[GL #1834]
:gl:`#1834`
- ``named`` could crash with an assertion failure if the name of a
database node was looked up while the database was being modified.
[GL #1857]
:gl:`#1857`
- When running on a system with support for Linux capabilities,
``named`` drops root privileges very soon after system startup. This
was causing a spurious log message, ``unable to set effective uid to
0: Operation not permitted``, which has now been silenced. [GL #1042]
[GL #1090]
0: Operation not permitted``, which has now been silenced.
:gl:`#1042` :gl:`#1090`
- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
[GL #1859]
:gl:`#1859`
- Previously, ``named`` did not destroy some mutexes and conditional
variables in netmgr code, which caused a memory leak on FreeBSD. This
has been fixed. [GL #1893]
has been fixed. :gl:`#1893`
- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
to an assertion failure was fixed. [GL #1808]
to an assertion failure was fixed. :gl:`#1808`
- Previously, ``provide-ixfr no;`` failed to return up-to-date
responses when the serial number was greater than or equal to the
current serial number. [GL #1714]
current serial number. :gl:`#1714`
- A bug in dnstap initialization could prevent some dnstap data from
being logged, especially on recursive resolvers. [GL #1795]
being logged, especially on recursive resolvers. :gl:`#1795`
- A bug in dnssec-policy keymgr was fixed, where the check for the
existence of a given key's successor would incorrectly return
``true`` if any other key in the keyring had a successor. [GL #1845]
``true`` if any other key in the keyring had a successor. :gl:`#1845`
- With dnssec-policy, when creating a successor key, the "goal" state
of the current active key (the predecessor) was not changed and thus
never removed from the zone. [GL #1846]
never removed from the zone. :gl:`#1846`
- When ``named-checkconf -z`` was run, it would sometimes incorrectly
set its exit code. It reflected the status of the last view found; if
zone-loading errors were found in earlier configured views but not in
the last one, the exit code indicated success. Thanks to Graham
Clinch. [GL #1807]
Clinch. :gl:`#1807`
- ``named-checkconf -p`` could include spurious text in
``server-addresses`` statements due to an uninitialized DSCP value.
This has been fixed. [GL #1812]
This has been fixed. :gl:`#1812`
- When built without LMDB support, ``named`` failed to restart after a
zone with a double quote (") in its name was added with ``rndc
addzone``. Thanks to Alberto Fernández. [GL #1695]
addzone``. Thanks to Alberto Fernández. :gl:`#1695`
- The ARM has been updated to indicate that the TSIG session key is
generated when named starts, regardless of whether it is needed.
[GL #1842]
:gl:`#1842`
.. _GitLab issue #4: https://gitlab.isc.org/isc-projects/bind9/-/issues/4
.. _Read the Docs: https://bind9.readthedocs.io/


@@ -16,10 +16,10 @@ New Features
- New ``rndc`` command ``rndc dnssec -status`` shows the current DNSSEC
policy and keys in use, the key states, and rollover status.
[GL #1612]
:gl:`#1612`
- Added support in the network manager for initiating outgoing TCP
connections. [GL #1958]
connections. :gl:`#1958`
Feature Changes
~~~~~~~~~~~~~~~
@@ -29,14 +29,14 @@ Feature Changes
prevents using security features like read-only relocations (RELRO) or
address space layout randomization (ASLR) which are important for
programs that interact with the network and process arbitrary user
input. [GL #1933]
input. :gl:`#1933`
- As part of an ongoing effort to use :rfc:`8499` terminology,
``primaries`` can now be used as a synonym for ``masters`` in
``named.conf``. Similarly, ``notify primary-only`` can now be used as
a synonym for ``notify master-only``. The output of ``rndc
zonestatus`` now uses ``primary`` and ``secondary`` terminology.
[GL #1948]
:gl:`#1948`
Bug Fixes
~~~~~~~~~
@@ -44,37 +44,37 @@ Bug Fixes
- A race condition could occur if a TCP socket connection was closed
while ``named`` was waiting for a recursive response. The attempt to
send a response over the closing connection triggered an assertion
failure in the function ``isc__nm_tcpdns_send()``. [GL #1937]
failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937`
- A race condition could occur when ``named`` attempted to use a UDP
interface that was shutting down. This triggered an assertion failure
in ``uv__udp_finish_close()``. [GL #1938]
in ``uv__udp_finish_close()``. :gl:`#1938`
- Fix assertion failure when server was under load and root zone had not
yet been loaded. [GL #1862]
yet been loaded. :gl:`#1862`
- ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c``
that were being reused. [GL #1968]
that were being reused. :gl:`#1968`
- ``named`` crashed on shutdown when a new ``rndc`` connection was
received during shutdown. This has been fixed. [GL #1747]
received during shutdown. This has been fixed. :gl:`#1747`
- The DS RRset returned by ``dns_keynode_dsset()`` was used in a
non-thread-safe manner. This could result in an INSIST being
triggered. [GL #1926]
triggered. :gl:`#1926`
- The ``primary`` and ``secondary`` keywords, when used as parameters
for ``check-names``, were not processed correctly and were being
ignored. [GL #1949]
ignored. :gl:`#1949`
- ``rndc dnstap -roll <value>`` did not limit the number of saved files
to ``<value>``. [GL !3728]
to ``<value>``. :gl:`!3728`
- The validator could fail to accept a properly signed RRset if an
unsupported algorithm appeared earlier in the DNSKEY RRset than a
supported algorithm. It could also stop if it detected a malformed
public key. [GL #1689]
public key. :gl:`#1689`
- The ``blackhole`` ACL was inadvertently disabled for client queries.
Blocked IP addresses were not used for upstream queries but queries
from those addresses could still be answered. [GL #1936]
from those addresses could still be answered. :gl:`#1936`


@@ -18,7 +18,7 @@ Security Fixes
crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
bringing this vulnerability to our attention. [GL #1996]
bringing this vulnerability to our attention. :gl:`#1996`
- ``named`` could crash after failing an assertion check in certain
query resolution scenarios where QNAME minimization and forwarding
@@ -27,14 +27,15 @@ Security Fixes
are used at any point. This was disclosed in CVE-2020-8621.
ISC would like to thank Joseph Gullo for bringing this vulnerability
to our attention. [GL #1997]
to our attention. :gl:`#1997`
- It was possible to trigger an assertion failure when verifying the
response to a TSIG-signed request. This was disclosed in
CVE-2020-8622.
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
of Oracle for bringing this vulnerability to our attention. [GL #2028]
of Oracle for bringing this vulnerability to our attention.
:gl:`#2028`
- When BIND 9 was compiled with native PKCS#11 support, it was possible
to trigger an assertion failure in code determining the number of bits
@@ -42,7 +43,7 @@ Security Fixes
was disclosed in CVE-2020-8623.
ISC would like to thank Lyu Chiy for bringing this vulnerability to
our attention. [GL #2037]
our attention. :gl:`#2037`
- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
@@ -51,13 +52,13 @@ Security Fixes
described in the ARM. This was disclosed in CVE-2020-8624.
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
vulnerability to our attention. [GL #2055]
vulnerability to our attention. :gl:`#2055`
New Features
~~~~~~~~~~~~
- A new configuration option ``stale-cache-enable`` has been introduced
to enable or disable keeping stale answers in cache. [GL #1712]
to enable or disable keeping stale answers in cache. :gl:`#1712`
- ``rndc`` has been updated to use the new BIND network manager API.
This change had the side effect of altering the TCP timeout for RNDC
@@ -66,10 +67,10 @@ New Features
has no support for UNIX-domain sockets, those cannot now be used
with ``rndc``. This will be addressed in a future release, either by
restoring UNIX-domain socket support or by formally declaring them
to be obsolete in the control channel. [GL #1759]
to be obsolete in the control channel. :gl:`#1759`
- Statistics channels have also been updated to use the new BIND network
manager API. [GL #2022]
manager API. :gl:`#2022`
Feature Changes
~~~~~~~~~~~~~~~
@@ -79,20 +80,20 @@ Feature Changes
``max-cache-size`` (configured explicitly, defaulting to a value based
on system memory or set to ``unlimited``) now pre-allocates fixed-size
hash tables. This prevents interruption to query resolution when the
hash table sizes need to be increased. [GL #1775]
hash table sizes need to be increased. :gl:`#1775`
- Keeping stale answers in cache has been disabled by default.
[GL #1712]
:gl:`#1712`
- Resource records received with 0 TTL are no longer kept in the cache
to be used for stale answers. [GL #1829]
to be used for stale answers. :gl:`#1829`
Bug Fixes
~~~~~~~~~
- Wildcard RPZ passthru rules could incorrectly be overridden by other
rules that were loaded from RPZ zones which appeared later in the
``response-policy`` statement. This has been fixed. [GL #1619]
``response-policy`` statement. This has been fixed. :gl:`#1619`
- The IPv6 Duplicate Address Detection (DAD) mechanism could
inadvertently prevent ``named`` from binding to new IPv6 interfaces,
@@ -107,7 +108,7 @@ Bug Fixes
thereafter to ignore that address/interface. The problem was worked
around by setting the ``IP_FREEBIND`` option on the socket and trying
to ``bind()`` to each IPv6 address again if the first ``bind()`` call
for that address failed with ``EADDRNOTAVAIL``. [GL #2038]
for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038`
- Addressed an error in recursive clients stats reporting which could
cause underflow, and even negative statistics. There were occasions
@@ -116,12 +117,12 @@ Bug Fixes
increment in recursive clients stats would take place. Conversely,
when processing the answers, if the recursion code were executed
before the prefetch, the same counter would be decremented without a
matching increment. [GL #1719]
matching increment. :gl:`#1719`
- The introduction of KASP support inadvertently caused the second field
of ``sig-validity-interval`` to always be calculated in hours, even in
cases when it should have been calculated in days. This has been
fixed. (Thanks to Tony Finch.) [GL !3735]
fixed. (Thanks to Tony Finch.) :gl:`!3735`
- LMDB locking code was revised to make ``rndc reconfig`` work properly
on FreeBSD and with LMDB >= 0.9.26. [GL #1976]
on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976`


@@ -17,9 +17,9 @@ New Features
- Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to
``named`` that a DS record for a given zone or key has been published
or withdrawn from the parent. This command replaces the time-based
``parent-registration-delay`` configuration option. [GL #1613]
``parent-registration-delay`` configuration option. :gl:`#1613`
- Log when ``named`` adds a CDS/CDNSKEY to the zone. [GL #1748]
- Log when ``named`` adds a CDS/CDNSKEY to the zone. :gl:`#1748`
Removed Features
~~~~~~~~~~~~~~~~
@@ -27,11 +27,11 @@ Removed Features
- The ``--with-gperftools-profiler`` ``configure`` option was removed.
To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro
now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to
be present in ``LDFLAGS``. [GL !4045]
be present in ``LDFLAGS``. :gl:`!4045`
- The ``glue-cache`` *option* has been marked as deprecated. The glue
cache *feature* still works and will be permanently *enabled* in a
future release. [GL #2146]
future release. :gl:`#2146`
Feature Changes
~~~~~~~~~~~~~~~
@@ -41,19 +41,19 @@ Feature Changes
it had received a packet with EDNS0 buffer size set to 0. This is no
longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS
version 0 and buffer size set to 0. To disable EDNS, use ``dig
+noedns``. [GL #2054]
+noedns``. :gl:`#2054`
Bug Fixes
~~~~~~~~~
- In rare circumstances, ``named`` would exit with an assertion failure
when the number of nodes stored in the red-black tree exceeded the
maximum allowed size of the internal hash table. [GL #2104]
maximum allowed size of the internal hash table. :gl:`#2104`
- Silence spurious system log messages for an EPROTO(71) error code that
was seen on older operating systems, where unhandled ICMPv6 errors
resulted in a generic protocol error being returned instead of a more
specific error code. [GL #1928]
specific error code. :gl:`#1928`
- With query name minimization enabled, ``named`` failed to resolve
``ip6.arpa.`` names that had extra labels to the left of the IPv6
@@ -64,14 +64,14 @@ Bug Fixes
resolving the name: if ``named`` received NXDOMAIN answers, then the
same query was repeatedly sent until the number of queries sent
reached the value of the ``max-recursion-queries`` configuration
option. [GL #1847]
option. :gl:`#1847`
- Parsing of LOC records was made more strict by rejecting a sole period
(``.``) and/or ``m`` as a value. These changes prevent zone files
using such values from being loaded. Handling of negative altitudes
which are not integers was also corrected. [GL #2074]
which are not integers was also corrected. :gl:`#2074`
- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are
security issues.) [GL !3953] [GL !3975]
security issues.) :gl:`!3953` :gl:`!3975`
.. _OSS-Fuzz: https://github.com/google/oss-fuzz


@@ -15,18 +15,18 @@ New Features
~~~~~~~~~~~~
- Add a new ``rndc`` command, ``rndc dnssec -rollover``, which triggers
a manual rollover for a specific key. [GL #1749]
a manual rollover for a specific key. :gl:`#1749`
- Add a new ``rndc`` command, ``rndc dumpdb -expired``, which dumps the
cache database, including expired RRsets that are awaiting cleanup, to
the ``dump-file`` for diagnostic purposes. [GL #1870]
the ``dump-file`` for diagnostic purposes. :gl:`#1870`
Removed Features
~~~~~~~~~~~~~~~~
- The ``glue-cache`` *option* has been marked as deprecated. The glue
cache *feature* still works and will be permanently *enabled* in a
future release. [GL #2146]
future release. :gl:`#2146`
Feature Changes
~~~~~~~~~~~~~~~
@@ -42,23 +42,23 @@ Feature Changes
estimated header space. In practice, the smallest MTU witnessed in the
operational DNS community is 1500 octets, the maximum Ethernet payload
size, so a useful default for maximum DNS/UDP payload size on reliable
networks would be 1400 bytes. [GL #2183]
networks would be 1400 bytes. :gl:`#2183`
Bug Fixes
~~~~~~~~~
- ``named`` reported an invalid memory size when running in an
environment that did not properly report the number of available
memory pages and/or the size of each memory page. [GL #2166]
memory pages and/or the size of each memory page. :gl:`#2166`
- With multiple forwarders configured, ``named`` could fail the
``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``,
causing it to crash. This has been fixed. [GL #2124]
causing it to crash. This has been fixed. :gl:`#2124`
- ``named`` erroneously performed continuous key rollovers for KASP
policies that used algorithm Ed25519 or Ed448 due to a mismatch
between created key size and expected key size. [GL #2171]
between created key size and expected key size. :gl:`#2171`
- Updating contents of an RPZ zone which contained names spelled using
varying letter case could cause some processing rules in that RPZ zone
to be erroneously ignored. [GL #2169]
to be erroneously ignored. :gl:`#2169`


@@ -18,12 +18,12 @@ New Features
able to send DoT queries (``+tls`` option) and ``named`` can handle
DoT queries (``listen-on tls ...`` option). ``named`` can use either a
certificate provided by the user or an ephemeral certificate generated
automatically upon startup. [GL #1840]
automatically upon startup. :gl:`#1840`
- A new configuration option, ``stale-refresh-time``, has been
introduced. It allows a stale RRset to be served directly from cache
for a period of time after a failed lookup, before a new attempt to
refresh it is made. [GL #2066]
refresh it is made. :gl:`#2066`
Feature Changes
~~~~~~~~~~~~~~~
@@ -36,29 +36,29 @@ Feature Changes
or network configurations by listening for replies from servers other
than the one that was queried. With the new API, such answers are
filtered before they ever reach ``dig``, so the option has been
removed. [GL #2140]
removed. :gl:`#2140`
- The network manager API is now used by ``named`` to send zone transfer
requests. [GL #2016]
requests. :gl:`#2016`
Bug Fixes
~~~~~~~~~
- ``named`` could crash with an assertion failure if a TCP connection
were closed while a request was still being processed. [GL #2227]
were closed while a request was still being processed. :gl:`#2227`
- ``named`` acting as a resolver could incorrectly treat signed zones
with no DS record at the parent as bogus. Such zones should be treated
as insecure. This has been fixed. [GL #2236]
as insecure. This has been fixed. :gl:`#2236`
- After a Negative Trust Anchor (NTA) is added, BIND performs periodic
checks to see if it is still necessary. If BIND encountered a failure
while creating a query to perform such a check, it attempted to
dereference a ``NULL`` pointer, resulting in a crash. [GL #2244]
dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244`
- A problem obtaining glue records could prevent a stub zone from
functioning properly, if the authoritative server for the zone were
configured for minimal responses. [GL #1736]
configured for minimal responses. :gl:`#1736`
- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a
``TCP6RecvErr``. [GL #2208]
``TCP6RecvErr``. :gl:`#2208`


@@ -17,22 +17,22 @@ New Features
- NSEC3 support was added to KASP. A new option for ``dnssec-policy``,
``nsec3param``, can be used to set the desired NSEC3 parameters.
NSEC3 salt collisions are automatically prevented during resalting.
[GL #1620]
:gl:`#1620`
- ``dig`` output now includes the transport protocol used (UDP, TCP, or
TLS). [GL #1816]
TLS). :gl:`#1816`
- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``).
This is useful when the host on which ``dig`` is run is behind an
IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
Service). [GL #1154]
Service). :gl:`#1154`
Feature Changes
~~~~~~~~~~~~~~~
- The new networking code introduced in BIND 9.16 (netmgr) was
overhauled in order to make it more stable, testable, and
maintainable. [GL #2321]
maintainable. :gl:`#2321`
- Earlier releases of BIND versions 9.16 and newer required the
operating system to support load-balanced sockets in order for
@@ -42,14 +42,14 @@ Feature Changes
FreeBSD 12, which means both UDP and TCP performance were limited to a
single thread on other systems. As of BIND 9.17.8, ``named`` attempts
to distribute incoming queries among multiple threads on systems which
lack support for load-balanced sockets (except Windows). [GL #2137]
lack support for load-balanced sockets (except Windows). :gl:`#2137`
- The default value of ``max-recursion-queries`` was increased from 75
to 100. Since the queries sent towards root and TLD servers are now
included in the count (as a result of the fix for CVE-2020-8616),
``max-recursion-queries`` has a higher chance of being exceeded by
non-attack queries, which is the main reason for increasing its
default value. [GL #2305]
default value. :gl:`#2305`
- The default value of ``nocookie-udp-size`` was restored back to 4096
bytes. Since ``max-udp-size`` is the upper bound for
@@ -57,16 +57,16 @@ Feature Changes
to change ``nocookie-udp-size`` together with ``max-udp-size`` in
order to increase the default EDNS buffer size limit.
``nocookie-udp-size`` can still be set to a value lower than
``max-udp-size``, if desired. [GL #2250]
``max-udp-size``, if desired. :gl:`#2250`
Bug Fixes
~~~~~~~~~
- Handling of missing DNS COOKIE responses over UDP was tightened by
falling back to TCP. [GL #2275]
falling back to TCP. :gl:`#2275`
- The CNAME synthesized from a DNAME was incorrectly followed when the
QTYPE was CNAME or ANY. [GL #2280]
QTYPE was CNAME or ANY. :gl:`#2280`
- Building with native PKCS#11 support for AEP Keyper has been broken
since BIND 9.17.4. This has been fixed. [GL #2315]
since BIND 9.17.4. This has been fixed. :gl:`#2315`


@@ -14,7 +14,7 @@ Notes for BIND 9.17.9
New Features
~~~~~~~~~~~~
- ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385]
- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385`
Feature Changes
~~~~~~~~~~~~~~~
@@ -23,27 +23,27 @@ Feature Changes
without making it bogus in the process; changing to ``dnssec-policy
none;`` also causes CDS and CDNSKEY DELETE records to be published, to
signal that the entire DS RRset at the parent must be removed, as
described in :rfc:`8078`. [GL #1750]
described in :rfc:`8078`. :gl:`#1750`
- When using the ``unixtime`` or ``date`` method to update the SOA
serial number, ``named`` and ``dnssec-signzone`` silently fell back to
the ``increment`` method to prevent the new serial number from being
smaller than the old serial number (using serial number arithmetics).
``dnssec-signzone`` now prints a warning message, and ``named`` logs a
warning, when such a fallback happens. [GL #2058]
warning, when such a fallback happens. :gl:`#2058`
Bug Fixes
~~~~~~~~~
- Multiple threads could attempt to destroy a single RBTDB instance at
the same time, resulting in an unpredictable but low-probability
assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317]
assertion failure in ``free_rbtdb()``. This has been fixed. :gl:`#2317`
- ``named`` no longer attempts to assign threads to CPUs outside the CPU
affinity set. Thanks to Ole Bjørn Hessen. [GL #2245]
affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245`
- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
off DNSSEC maintenance. This has been fixed. [GL #2341]
off DNSSEC maintenance. This has been fixed. :gl:`#2341`
- The report of intermittent BIND assertion failures triggered in
``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
@@ -53,4 +53,4 @@ Bug Fixes
first appeared in BIND releases 9.17.5 and 9.16.7. However, since
those releases were published, there have been no new reports of
assertion failures matching this issue, but also no further diagnostic
input, so we have closed the issue. [GL #2091]
input, so we have closed the issue. :gl:`#2091`


@@ -35,10 +35,10 @@ Feature Changes
~~~~~~~~~~~~~~~
- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
the minimum of the SOA MINIMUM value and the SOA TTL. [GL #2347].
the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
- Reduce the supported maximum number of iterations that can be
configured in an NSEC3 zones to 150. [GL #2642]
configured in an NSEC3 zones to 150. :gl:`#2642`
Bug Fixes
~~~~~~~~~
@@ -47,16 +47,16 @@ Bug Fixes
``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
values if the RRset was still marked a stale but the ``max-stale-ttl`` has
passed (and is actually an RRset awaiting cleanup). Both issues have now
been fixed. [GL #389] [GL #2289]
been fixed. :gl:`#389` :gl:`#2289`
- ``named`` would overwrite a zone file unconditionally when it recovered from
a corrupted journal. [GL #2623]
a corrupted journal. :gl:`#2623`
- After the networking manager was introduced to ``named`` to handle
incoming traffic, it was discovered that the recursive performance had been
degraded compared to the previous version (9.11). This has been now fixed by
running internal tasks inside the networking manager worker threads, so
they do not compete for resources. [GL #2638]
they do not compete for resources. :gl:`#2638`
- With ``dnssec-policy``, when creating new keys also check for keyid conflicts
between the new keys too. [GL #2628]
between the new keys too. :gl:`#2628`