Merge branch '2372-add-hyperlink-to-gl-xxxx-labels-in-documentation' into 'main'

Resolve "Add hyperlink to [GL XXXX] labels in documentation"

Closes #2372

See merge request isc-projects/bind9!4563

dangerfile.py

@@ -28,7 +28,8 @@ def added_lines(target_branch, paths):
 def lines_containing(lines, string):
     return [l for l in lines if bytes(string, 'utf-8') in l]
 
-issue_or_mr_id_regex = re.compile(br'\[(GL [#!]|RT #)[0-9]+\]')
+changes_issue_or_mr_id_regex = re.compile(br'\[(GL [#!]|RT #)[0-9]+\]')
+relnotes_issue_or_mr_id_regex = re.compile(br':gl:`[#!][0-9]+`')
 release_notes_regex = re.compile(r'doc/(arm|notes)/notes-.*\.(rst|xml)')
 
 modified_files = danger.git.modified_files
@@ -186,7 +187,7 @@ if changes_modified and no_changes_label_set:
 
 changes_added_lines = added_lines(target_branch, ['CHANGES'])
 placeholders_added = lines_containing(changes_added_lines, '[placeholder]')
-identifiers_found = filter(issue_or_mr_id_regex.search, changes_added_lines)
+identifiers_found = filter(changes_issue_or_mr_id_regex.search, changes_added_lines)
 if changes_added_lines:
     if placeholders_added:
         if target_branch != 'main':
@@ -234,7 +235,7 @@ if release_notes_changed and not release_notes_label_set:
 
 if release_notes_changed:
     notes_added_lines = added_lines(target_branch, release_notes_changed)
-    identifiers_found = filter(issue_or_mr_id_regex.search, notes_added_lines)
+    identifiers_found = filter(relnotes_issue_or_mr_id_regex.search, notes_added_lines)
     if notes_added_lines and not any(identifiers_found):
         warn('No valid issue/MR identifiers found in added release notes.')
 else:

doc/arm/conf.py

@@ -11,6 +11,62 @@
 
 # flake8: noqa: E501
 
+from typing import List, Tuple
+
+from docutils import nodes
+from docutils.nodes import Node, system_message
+from docutils.parsers.rst import roles
+
+from sphinx import addnodes
+from sphinx.util.docutils import ReferenceRole
+
+
+GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/'
+
+
+# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
+class GitLabRefRole(ReferenceRole):
+    def __init__(self, base_url: str) -> None:
+        self.base_url = base_url
+        super().__init__()
+
+    def run(self) -> Tuple[List[Node], List[system_message]]:
+        gl_identifier = '[GL %s]' % self.target
+
+        target_id = 'index-%s' % self.env.new_serialno('index')
+        entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)]
+
+        index = addnodes.index(entries=entries)
+        target = nodes.target('', '', ids=[target_id])
+        self.inliner.document.note_explicit_target(target)
+
+        try:
+            refuri = self.build_uri()
+            reference = nodes.reference('', '', internal=False, refuri=refuri,
+                                        classes=['gl'])
+            if self.has_explicit_title:
+                reference += nodes.strong(self.title, self.title)
+            else:
+                reference += nodes.strong(gl_identifier, gl_identifier)
+        except ValueError:
+            error_text = 'invalid GitLab identifier %s' % self.target
+            msg = self.inliner.reporter.error(error_text, line=self.lineno)
+            prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+            return [prb], [msg]
+
+        return [index, target, reference], []
+
+    def build_uri(self):
+        if self.target[0] == '#':
+            return self.base_url + 'issues/%d' % int(self.target[1:])
+        if self.target[0] == '!':
+            return self.base_url + 'merge_requests/%d' % int(self.target[1:])
+        raise ValueError
+
+
+def setup(_):
+    roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL))
+
 #
 # Configuration file for the Sphinx documentation builder.
 #

doc/arm/general.rst

@@ -581,7 +581,7 @@ is accepted but not returned in responses.
 [17] Wildcard records are not supported in DNSSEC secure zones.
 
 [18] Servers authoritative for secure zones being resolved by BIND
-9 must support EDNS0 (RFC2671), and must return all relevant SIGs
+9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs
 and NXTs in responses, rather than relying on the resolving server
 to perform separate queries for missing SIGs and NXTs.
 

doc/arm/managed-keys.rst

@@ -35,7 +35,7 @@ zone with one of them; this is the "active" KSK. All KSKs which do not
 sign the zone are "stand-by" keys.
 
 Any validating resolver which is configured to use the active KSK as an
-RFC 5011-managed trust anchor takes note of the stand-by KSKs in the
+:rfc:`5011`-managed trust anchor takes note of the stand-by KSKs in the
 zone's DNSKEY RRset, and stores them for future reference. The resolver
 rechecks the zone periodically; after 30 days, if the new key is
 still there, the key is accepted by the resolver as a valid

doc/arm/reference.rst

@@ -1882,7 +1882,7 @@ Boolean Options
    is made. For convenience, TTL-style time-unit suffixes may be used to
    specify the value. It also accepts ISO 8601 duration formats.
 
-   The default ``stale-refresh-time`` is 30 seconds, as RFC 8767 recommends
+   The default ``stale-refresh-time`` is 30 seconds, as :rfc:`8767` recommends
    that attempts to refresh to be done no more frequently than every 30
    seconds. A value of zero disables the feature, meaning that normal
    resolution will take place first, if that fails only then ``named`` will

doc/notes/notes-9.17.0.rst

@@ -36,7 +36,7 @@ New Features
 
    This behavior is controlled by the ``max-ixfr-ratio`` option - a
    percentage value representing the ratio of IXFR size to the size of a
-   full zone transfer. The default is ``100%``. [GL #1515]
+   full zone transfer. The default is ``100%``. :gl:`#1515`
 
 -  A new RPZ option ``nsdname-wait-recurse`` controls whether
    RPZ-NSDNAME rules should always be applied even if the names of
@@ -45,7 +45,7 @@ New Features
    up initial responses by skipping RPZ-NSDNAME rules when name server
    domain names are not yet in the cache. The names will be looked up in
    the background and the rule will be applied for subsequent queries.
-   [GL #1138]
+   :gl:`#1138`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -58,14 +58,14 @@ Feature Changes
    the notable exception of Ubuntu 18.04 (Bionic) which is a work in
    progress. If you are running on an affected operating system, compile
    BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
-   glibc is available. [GL !3125]
+   glibc is available. :gl:`!3125`
 
 .. _bug: https://sourceware.org/bugzilla/show_bug.cgi?id=23844
 
 -  The ``rndc nta -dump`` and ``rndc secroots`` commands now both
    include ``validate-except`` entries when listing negative trust
    anchors. These are indicated by the keyword ``permanent`` in place of
-   the expiry date. [GL #1532]
+   the expiry date. :gl:`#1532`
 
 Bug Fixes
 ~~~~~~~~~

doc/notes/notes-9.17.1.rst

@@ -16,7 +16,7 @@ Security Fixes
 
 -  DNS rebinding protection was ineffective when BIND 9 is configured as
    a forwarding DNS server. Found and responsibly reported by Tobias
-   Klein. [GL #1574]
+   Klein. :gl:`#1574`
 
 Known Issues
 ~~~~~~~~~~~~
@@ -26,8 +26,8 @@ Known Issues
    of these were related to RPZ processing, which has been fixed in this
    release (see below). Others appear to occur where there are
    NSEC3-related changes (such as an operator changing the NSEC3 salt
-   used in the hash calculation). These are being investigated. [GL
+   used in the hash calculation). These are being investigated.
-   #1685]
+   :gl:`#1685`
 
 New Features
 ~~~~~~~~~~~~
@@ -40,14 +40,14 @@ New Features
    are ignored, but the information is looked up in the background and
    applied to subsequent queries. The default is ``yes``, meaning that
    RPZ NSDNAME rules should always be applied, even if the information
-   needs to be looked up first. [GL #1138]
+   needs to be looked up first. :gl:`#1138`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
 
 -  The previous DNSSEC sign statistics used lots of memory. The number
    of keys to track is reduced to four per zone, which should be enough
-   for 99% of all signed zones. [GL #1179]
+   for 99% of all signed zones. :gl:`#1179`
 
 Bug Fixes
 ~~~~~~~~~
@@ -56,7 +56,7 @@ Bug Fixes
    number of records was deleted, ``named`` could become nonresponsive
    for a short period while deleted names were removed from the RPZ
    summary database. This database cleanup is now done incrementally
-   over a longer period of time, reducing such delays. [GL #1447]
+   over a longer period of time, reducing such delays. :gl:`#1447`
 
 -  When trying to migrate an already-signed zone from ``auto-dnssec
    maintain`` to one based on ``dnssec-policy``, the existing keys were
@@ -65,5 +65,5 @@ Bug Fixes
    clients would not have been able to validate responses until all old
    DNSSEC information had timed out from caches. BIND now looks at the
    time metadata of the existing keys and incorporates it into its
-   DNSSEC policy operation. [GL #1706]
+   DNSSEC policy operation. :gl:`#1706`
 

doc/notes/notes-9.17.10.rst

@@ -21,13 +21,13 @@ New Features
   encryption to other software).
 
   Note that there is no client-side support for HTTPS as yet; this will
-  be added to ``dig`` in a future release. [GL #1144]
+  be added to ``dig`` in a future release. :gl:`#1144`
 
 - ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
   outgoing zone transfers. Addresses in a ``primaries`` list can now be
   accompanied by an optional ``tls`` keyword, followed by either the
   name of a previously configured ``tls`` statement or ``ephemeral``.
-  [GL #2392]
+  :gl:`#2392`
 
 - A new option, ``stale-answer-client-timeout``, has been added to
   improve ``named``'s behavior with respect to serving stale data. The
@@ -45,7 +45,7 @@ New Features
   This new behavior can be disabled by setting
   ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
   option has no effect if ``stale-answer-enable`` is disabled.
-  [GL #2247]
+  :gl:`#2247`
 
 Removed Features
 ~~~~~~~~~~~~~~~~
@@ -60,7 +60,7 @@ Removed Features
   ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
   ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
   ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
-  ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086]
+  ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -70,40 +70,40 @@ Feature Changes
   query resolution process. This may happen, for example, if the
   ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
   this case, ``named`` attempts to answer DNS requests with stale data,
-  but does not start the ``stale-refresh-time`` window. [GL #2434]
+  but does not start the ``stale-refresh-time`` window. :gl:`#2434`
 
 - The default value of ``max-stale-ttl`` has been changed from 12 hours
   to 1 day and the default value of ``stale-answer-ttl`` has been
   changed from 1 second to 30 seconds, following :rfc:`8767`
-  recommendations. [GL #2248]
+  recommendations. :gl:`#2248`
 
 - The SONAMEs for BIND 9 libraries now include the current BIND 9
   version number, in an effort to tightly couple internal libraries with
   a specific release. This change makes the BIND 9 release process both
   simpler and more consistent while also unequivocally preventing BIND 9
   binaries from silently loading wrong versions of shared libraries (or
-  multiple versions of the same shared library) at startup. [GL #2387]
+  multiple versions of the same shared library) at startup. :gl:`#2387`
 
 - When ``check-names`` is in effect, A records below an ``_spf``,
   ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
   ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
-  D.1) are no longer reported as warnings/errors. [GL #2377]
+  D.1) are no longer reported as warnings/errors. :gl:`#2377`
 
 Bug Fixes
 ~~~~~~~~~
 
 - ``named`` failed to start when its configuration included a zone with
-  a non-builtin ``allow-update`` ACL attached. [GL #2413]
+  a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
 
 - Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
-  key. This has been fixed. [GL #2178]
+  key. This has been fixed. :gl:`#2178`
 
 - KASP incorrectly set signature validity to the value of the DNSKEY
-  signature validity. This has been fixed. [GL #2383]
+  signature validity. This has been fixed. :gl:`#2383`
 
 - When migrating to KASP, BIND 9 considered keys with the ``Inactive``
   and/or ``Delete`` timing metadata to be possible active keys. This has
-  been fixed. [GL #2406]
+  been fixed. :gl:`#2406`
 
 - Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
   faster than the time required to finish the rollover procedure, the
@@ -111,8 +111,8 @@ Bug Fixes
   were taking part in a rollover. This could lead to premature removal
   of predecessor keys. BIND 9 now implements a recursive successor
   relation, as described in the paper "Flexible and Robust Key Rollover"
-  (Equation (2)). [GL #2375]
+  (Equation (2)). :gl:`#2375`
 
 - Performance of the DNSSEC verification code (used by
   ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
-  improved. [GL #2073]
+  improved. :gl:`#2073`

doc/notes/notes-9.17.11.rst

@@ -15,12 +15,12 @@ New Features
 ~~~~~~~~~~~~
 
 - ``dig`` has been extended to support DNS-over-HTTPS (DoH) queries,
-  using ``dig +https`` and related options. [GL #1641]
+  using ``dig +https`` and related options. :gl:`#1641`
 
 - A new ``purge-keys`` option has been added to ``dnssec-policy``. It
   sets the period of time that key files are retained after becoming
   obsolete due to a key rollover; the default is 90 days. This feature
-  can be disabled by setting ``purge-keys`` to 0. [GL #2408]
+  can be disabled by setting ``purge-keys`` to 0. :gl:`#2408`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -29,12 +29,12 @@ Feature Changes
   DNS-over-HTTPS (DoH) in BIND 9, ``listen-on`` and ``listen-on-v6``
   statements using the ``http`` parameter must now also specify the
   ``tls`` parameter. ``tls none`` can be used to explicitly allow
-  unencrypted HTTP connections. [GL #2472]
+  unencrypted HTTP connections. :gl:`#2472`
 
 - ``http default`` can now be specified in ``listen-on`` and
   ``listen-on-v6`` statements to use the default HTTP endpoint of
   ``/dns-query``. It is no longer necessary to include an ``http``
-  statement in ``named.conf`` unless overriding this value. [GL #2472]
+  statement in ``named.conf`` unless overriding this value. :gl:`#2472`
 
 Bug Fixes
 ~~~~~~~~~
@@ -54,37 +54,37 @@ Bug Fixes
   A journal file's format can be changed manually by running
   ``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
   (upgrade). Note that this *must not* be done while ``named`` is
-  running. [GL #2505]
+  running. :gl:`#2505`
 
 - ``named`` crashed when it was allowed to serve stale answers and
   ``stale-answer-client-timeout`` was triggered without any (stale) data
-  available in the cache to answer the query. [GL #2503]
+  available in the cache to answer the query. :gl:`#2503`
 
 - If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
   instead of sending back a proper response. To prevent this problem,
   the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
-  been happening since BIND 9.17.6. [GL #2466]
+  been happening since BIND 9.17.6. :gl:`#2466`
 
 - NSEC3 records were not immediately created when signing a dynamic zone
   using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
-  [GL #2498]
+  :gl:`#2498`
 
 - A memory leak occurred when ``named`` was reconfigured after adding an
   inline-signed zone with ``auto-dnssec maintain`` enabled. This has
-  been fixed. [GL #2041]
+  been fixed. :gl:`#2041`
 
 - An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
   a LOC record resulted in an INSIST failure when a zone file containing
-  such a record was loaded. [GL #2499]
+  such a record was loaded. :gl:`#2499`
 
 - If an invalid key name (e.g. ``a..b``) was specified in a
   ``primaries`` list in ``named.conf``, the wrong size was passed to
   ``isc_mem_put()``, which resulted in the returned memory being put on
   the wrong free list and prevented ``named`` from starting up. This has
-  been fixed. [GL #2460]
+  been fixed. :gl:`#2460`
 
 - ``libtool`` was inadvertently introduced as a build-time requirement
   when the build system was revamped in BIND 9.17.2. This unnecessarily
   prevented hosts without that tool from building BIND 9 from source
   tarballs. A standalone ``libtool`` script no longer needs to be
-  present in ``PATH`` to build BIND 9 from a source tarball. [GL #2504]
+  present in ``PATH`` to build BIND 9 from a source tarball. :gl:`#2504`

doc/notes/notes-9.17.12.rst

@@ -18,14 +18,14 @@ Security Fixes
   in ``named``, causing it to quit abnormally. (CVE-2021-25214)
 
   ISC would like to thank Greg Kuechle of SaskTel for bringing this
-  vulnerability to our attention. [GL #2467]
+  vulnerability to our attention. :gl:`#2467`
 
 - ``named`` crashed when a DNAME record placed in the ANSWER section
   during DNAME chasing turned out to be the final answer to a client
   query. (CVE-2021-25215)
 
   ISC would like to thank `Siva Kakarla`_ for bringing this
-  vulnerability to our attention. [GL #2540]
+  vulnerability to our attention. :gl:`#2540`
 
 .. _Siva Kakarla: https://github.com/sivakesava1
 
@@ -37,11 +37,11 @@ Feature Changes
   the system GSSAPI library when it is built with GSSAPI support. All
   major contemporary Kerberos/GSSAPI libraries contain an implementation
   of the SPNEGO mechanism. This change was introduced in BIND 9.17.2,
-  but it was not included in the release notes at the time. [GL #2607]
+  but it was not included in the release notes at the time. :gl:`#2607`
 
 - The default value for the ``stale-answer-client-timeout`` option was
   changed from ``1800`` (ms) to ``off``. The default value may be
-  changed again in future releases as this feature matures. [GL #2608]
+  changed again in future releases as this feature matures. :gl:`#2608`
 
 Bug Fixes
 ~~~~~~~~~
@@ -52,35 +52,35 @@ Bug Fixes
   transfer from being sent back to the client. The default setting for
   ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
   connection taking more than 30 seconds was abruptly terminated. This
-  has been fixed. [GL #2583]
+  has been fixed. :gl:`#2583`
 
 - When ``stale-answer-client-timeout`` was set to a positive value and
   recursion for a client query completed when ``named`` was about to
   look for a stale answer, an assertion could fail in
   ``query_respond()``, resulting in a crash. This has been fixed.
-  [GL #2594]
+  :gl:`#2594`
 
 - After upgrading to the previous release, journal files for trust
   anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a
   corrupt state. (Other zone journal files were not affected.) This has
   been fixed. If a corrupt journal file is detected, ``named`` can now
-  recover from it. [GL #2600]
+  recover from it. :gl:`#2600`
 
 - When sending queries over TCP, ``dig`` now properly handles ``+tries=1
   +retry=0`` by not retrying the connection when the remote server
-  closes the connection prematurely. [GL #2490]
+  closes the connection prematurely. :gl:`#2490`
 
 - CDS/CDNSKEY DELETE records are now removed when a zone transitions
   from a secure to an insecure state. ``named-checkzone`` also no longer
   reports an error when such records are found in an unsigned zone.
-  [GL #2517]
+  :gl:`#2517`
 
 - Zones using KASP could not be thawed after they were frozen using
-  ``rndc freeze``. This has been fixed. [GL #2523]
+  ``rndc freeze``. This has been fixed. :gl:`#2523`
 
 - After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
   ``named`` now immediately attempts to reconfigure zone keys. This
-  change prevents unnecessary key rollover delays. [GL #2488]
+  change prevents unnecessary key rollover delays. :gl:`#2488`
 
 - ``named`` crashed after skipping a primary server while transferring a
-  zone over TLS. This has been fixed. [GL #2562]
+  zone over TLS. This has been fixed. :gl:`#2562`

doc/notes/notes-9.17.2.rst

@@ -20,26 +20,27 @@ Security Fixes
    top-level domain servers are no longer exempt from the
    ``max-recursion-queries`` limit. Fetches for missing name server
    address records are limited to 4 for any domain. This issue was
-   disclosed in CVE-2020-8616. [GL #1388]
+   disclosed in CVE-2020-8616. :gl:`#1388`
 
 -  Replaying a TSIG BADTIME response as a request could trigger an
-   assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
+   assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
 
 -  It was possible to trigger an assertion when attempting to fill an
-   oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
+   oversized TCP buffer. This was disclosed in CVE-2020-8618.
+   :gl:`#1850`
 
 -  It was possible to trigger an INSIST failure when a zone with an
    interior wildcard label was queried in a certain pattern. This was
-   disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
+   disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
 
 Known Issues
 ~~~~~~~~~~~~
 
 -  In this release, the build system has been significantly changed (see
    below) and there are several unresolved issues to be aware of when
-   using a development release. Please refer to `GitLab issue #4`_ for a
+   using a development release. Please refer to :gl:`GitLab issue #4
-   list of not-yet-resolved issues that will be fixed in future
+   <#4>` for a list of not-yet-resolved issues that will be fixed in
-   releases. [GL #4]
+   future releases. :gl:`#4`
 
 -  BIND crashes on startup when linked against libuv 1.36. This issue
    is related to ``recvmmsg()`` support in libuv, which was first
@@ -49,7 +50,7 @@ Known Issues
    be enabled. This BIND release sets that special flag when required,
    so ``recvmmsg()`` support is now enabled when BIND is compiled
    against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not
-   usable with BIND. [GL #1761] [GL #1797]
+   usable with BIND. :gl:`#1761` :gl:`#1797`
 
 New Features
 ~~~~~~~~~~~~
@@ -59,36 +60,36 @@ New Features
    for people building BIND 9 from release tarballs, but when building
    BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run
    first. Extra attention is also needed when using non-standard
-   ``./configure`` options. [GL #4]
+   ``./configure`` options. :gl:`#4`
 
 -  Documentation was converted from DocBook to reStructuredText. The
    BIND 9 ARM is now generated using Sphinx and published on `Read the
    Docs`_. Release notes are no longer available as a separate document
-   accompanying a release. [GL #83]
+   accompanying a release. :gl:`#83`
 
 -  ``named`` and ``named-checkzone`` now reject master zones that have a
    DS RRset at the zone apex. Attempts to add DS records at the zone
    apex via UPDATE will be logged but otherwise ignored. DS records
-   belong in the parent zone, not at the zone apex. [GL #1798]
+   belong in the parent zone, not at the zone apex. :gl:`#1798`
 
 -  Per-type record count limits can now be specified in
    ``update-policy`` statements, to limit the number of records of a
    particular type that can be added to a domain name via dynamic
-   update. [GL #1657]
+   update. :gl:`#1657`
 
 -  ``dig`` and other tools can now print the Extended DNS Error (EDE)
-   option when it appears in a request or a response. [GL #1835]
+   option when it appears in a request or a response. :gl:`#1835`
 
 -  ``dig +qid=<num>`` allows the user to specify a particular query ID
-   for testing purposes. [GL #1851]
+   for testing purposes. :gl:`#1851`
 
 -  A new logging category, ``rpz-passthru``, was added, which allows RPZ
-   passthru actions to be logged into a separate channel. [GL #54]
+   passthru actions to be logged into a separate channel. :gl:`#54`
 
 -  Zone timers are now exported via statistics channel. For primary
    zones, only the load time is exported. For secondary zones, exported
    timers also include expire and refresh times. Contributed by Paul
-   Frieden, Verizon Media. [GL #1232]
+   Frieden, Verizon Media. :gl:`#1232`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -102,7 +103,7 @@ Feature Changes
    on|off``). Serving of stale answers when the authoritative servers
    are not responding must be explicitly enabled, whereas the retention
    of expired cache content takes place automatically on all versions of
-   BIND 9 that have this feature available. [GL #1877]
+   BIND 9 that have this feature available. :gl:`#1877`
 
    .. warning::
        This change may be significant for administrators who expect that
@@ -111,41 +112,41 @@ Feature Changes
        the previous behavior of ``named``.
 
 -  BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
-   relying on system defaults instead. [GL #1713]
+   relying on system defaults instead. :gl:`#1713`
 
 -  The default rwlock implementation has been changed back to the native
-   BIND 9 rwlock implementation. [GL #1753]
+   BIND 9 rwlock implementation. :gl:`#1753`
 
 -  BIND 9 binaries which are neither daemons nor administrative programs
    were moved to ``$bindir``. Only ``ddns-confgen``, ``named``,
    ``rndc``, ``rndc-confgen``, and ``tsig-confgen`` were left in
-   ``$sbindir``. [GL #1724]
+   ``$sbindir``. :gl:`#1724`
 
 -  ``listen-on-v6 { any; }`` creates a separate socket for each
    interface. Previously, just one socket was created on systems
    conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
    in BIND 9.16.0, but it was accidentally omitted from documentation.
-   [GL #1782]
+   :gl:`#1782`
 
 -  The native PKCS#11 EdDSA implementation has been updated to PKCS#11
    v3.0 and thus made operational again. Contributed by Aaron Thompson.
-   [GL !3326]
+   :gl:`!3326`
 
 -  The OpenSSL ECDSA implementation has been updated to support PKCS#11
-   via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
+   via OpenSSL engine (see engine_pkcs11 from libp11 project).
-   #1534]
+   :gl:`#1534`
 
 -  The OpenSSL EdDSA implementation has been updated to support PKCS#11
    via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
    is required and thus this code is only a proof-of-concept for the
-   time being. Contributed by Aaron Thompson. [GL #1763]
+   time being. Contributed by Aaron Thompson. :gl:`#1763`
 
 -  Message IDs in inbound AXFR transfers are now checked for
    consistency. Log messages are emitted for streams with inconsistent
-   message IDs. [GL #1674]
+   message IDs. :gl:`#1674`
 
 -  The question section is now checked when processing AXFR, IXFR,
-   and SOA replies while transferring a zone in. [GL #1683]
+   and SOA replies while transferring a zone in. :gl:`#1683`
 
 Bug Fixes
 ~~~~~~~~~
@@ -156,60 +157,59 @@ Bug Fixes
    DNSSEC proof of non-existence (in other words, queries that required
    the server to find and to return NSEC3 data). The unnecessary
    processing step that was causing this delay has now been removed.
-   [GL #1834]
+   :gl:`#1834`
 
 -  ``named`` could crash with an assertion failure if the name of a
    database node was looked up while the database was being modified.
-   [GL #1857]
+   :gl:`#1857`
 
 -  When running on a system with support for Linux capabilities,
    ``named`` drops root privileges very soon after system startup. This
    was causing a spurious log message, ``unable to set effective uid to
-   0: Operation not permitted``, which has now been silenced. [GL #1042]
+   0: Operation not permitted``, which has now been silenced.
-   [GL #1090]
+   :gl:`#1042` :gl:`#1090`
 
 -  A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
-   [GL #1859]
+   :gl:`#1859`
 
 -  Previously, ``named`` did not destroy some mutexes and conditional
    variables in netmgr code, which caused a memory leak on FreeBSD. This
-   has been fixed. [GL #1893]
+   has been fixed. :gl:`#1893`
 
 -  A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
-   to an assertion failure was fixed. [GL #1808]
+   to an assertion failure was fixed. :gl:`#1808`
 
 -  Previously, ``provide-ixfr no;`` failed to return up-to-date
    responses when the serial number was greater than or equal to the
-   current serial number. [GL #1714]
+   current serial number. :gl:`#1714`
 
 -  A bug in dnstap initialization could prevent some dnstap data from
-   being logged, especially on recursive resolvers. [GL #1795]
+   being logged, especially on recursive resolvers. :gl:`#1795`
 
 -  A bug in dnssec-policy keymgr was fixed, where the check for the
    existence of a given key's successor would incorrectly return
-   ``true`` if any other key in the keyring had a successor. [GL #1845]
+   ``true`` if any other key in the keyring had a successor. :gl:`#1845`
 
 -  With dnssec-policy, when creating a successor key, the "goal" state
    of the current active key (the predecessor) was not changed and thus
-   never removed from the zone. [GL #1846]
+   never removed from the zone. :gl:`#1846`
 
 -  When ``named-checkconf -z`` was run, it would sometimes incorrectly
    set its exit code. It reflected the status of the last view found; if
    zone-loading errors were found in earlier configured views but not in
    the last one, the exit code indicated success. Thanks to Graham
-   Clinch. [GL #1807]
+   Clinch. :gl:`#1807`
 
 - ``named-checkconf -p`` could include spurious text in
   ``server-addresses`` statements due to an uninitialized DSCP value.
-  This has been fixed. [GL #1812]
+  This has been fixed. :gl:`#1812`
 
 -  When built without LMDB support, ``named`` failed to restart after a
    zone with a double quote (") in its name was added with ``rndc
-   addzone``. Thanks to Alberto Fernández. [GL #1695]
+   addzone``. Thanks to Alberto Fernández. :gl:`#1695`
 
 -  The ARM has been updated to indicate that the TSIG session key is
    generated when named starts, regardless of whether it is needed.
-   [GL #1842]
+   :gl:`#1842`
 
-.. _GitLab issue #4: https://gitlab.isc.org/isc-projects/bind9/-/issues/4
 .. _Read the Docs: https://bind9.readthedocs.io/

doc/notes/notes-9.17.3.rst

@@ -16,10 +16,10 @@ New Features
 
 - New ``rndc`` command ``rndc dnssec -status`` shows the current DNSSEC
   policy and keys in use, the key states, and rollover status.
-  [GL #1612]
+  :gl:`#1612`
 
 - Added support in the network manager for initiating outgoing TCP
-  connections. [GL #1958]
+  connections. :gl:`#1958`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -29,14 +29,14 @@ Feature Changes
   prevents using security features like read-only relocations (RELRO) or
   address space layout randomization (ASLR) which are important for
   programs that interact with the network and process arbitrary user
-  input. [GL #1933]
+  input. :gl:`#1933`
 
 - As part of an ongoing effort to use :rfc:`8499` terminology,
   ``primaries`` can now be used as a synonym for ``masters`` in
   ``named.conf``. Similarly, ``notify primary-only`` can now be used as
   a synonym for ``notify master-only``. The output of ``rndc
   zonestatus`` now uses ``primary`` and ``secondary`` terminology.
-  [GL #1948]
+  :gl:`#1948`
 
 Bug Fixes
 ~~~~~~~~~
@@ -44,37 +44,37 @@ Bug Fixes
 - A race condition could occur if a TCP socket connection was closed
   while ``named`` was waiting for a recursive response. The attempt to
   send a response over the closing connection triggered an assertion
-  failure in the function ``isc__nm_tcpdns_send()``. [GL #1937]
+  failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937`
 
 - A race condition could occur when ``named`` attempted to use a UDP
   interface that was shutting down. This triggered an assertion failure
-  in ``uv__udp_finish_close()``. [GL #1938]
+  in ``uv__udp_finish_close()``. :gl:`#1938`
 
 - Fix assertion failure when server was under load and root zone had not
-  yet been loaded. [GL #1862]
+  yet been loaded. :gl:`#1862`
 
 - ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c``
-  that were being reused. [GL #1968]
+  that were being reused. :gl:`#1968`
 
 - ``named`` crashed on shutdown when a new ``rndc`` connection was
-  received during shutdown. This has been fixed. [GL #1747]
+  received during shutdown. This has been fixed. :gl:`#1747`
 
 - The DS RRset returned by ``dns_keynode_dsset()`` was used in a
   non-thread-safe manner. This could result in an INSIST being
-  triggered. [GL #1926]
+  triggered. :gl:`#1926`
 
 - The ``primary`` and ``secondary`` keywords, when used as parameters
   for ``check-names``, were not processed correctly and were being
-  ignored. [GL #1949]
+  ignored. :gl:`#1949`
 
 - ``rndc dnstap -roll <value>`` did not limit the number of saved files
-  to ``<value>``. [GL !3728]
+  to ``<value>``. :gl:`!3728`
 
 - The validator could fail to accept a properly signed RRset if an
   unsupported algorithm appeared earlier in the DNSKEY RRset than a
   supported algorithm. It could also stop if it detected a malformed
-  public key. [GL #1689]
+  public key. :gl:`#1689`
 
 - The ``blackhole`` ACL was inadvertently disabled for client queries.
   Blocked IP addresses were not used for upstream queries but queries
-  from those addresses could still be answered. [GL #1936]
+  from those addresses could still be answered. :gl:`#1936`

doc/notes/notes-9.17.4.rst

@@ -18,7 +18,7 @@ Security Fixes
   crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
 
   ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
-  bringing this vulnerability to our attention. [GL #1996]
+  bringing this vulnerability to our attention. :gl:`#1996`
 
 - ``named`` could crash after failing an assertion check in certain
   query resolution scenarios where QNAME minimization and forwarding
@@ -27,14 +27,15 @@ Security Fixes
   are used at any point. This was disclosed in CVE-2020-8621.
 
   ISC would like to thank Joseph Gullo for bringing this vulnerability
-  to our attention. [GL #1997]
+  to our attention. :gl:`#1997`
 
 - It was possible to trigger an assertion failure when verifying the
   response to a TSIG-signed request. This was disclosed in
   CVE-2020-8622.
 
   ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
-  of Oracle for bringing this vulnerability to our attention. [GL #2028]
+  of Oracle for bringing this vulnerability to our attention.
+  :gl:`#2028`
 
 - When BIND 9 was compiled with native PKCS#11 support, it was possible
   to trigger an assertion failure in code determining the number of bits
@@ -42,7 +43,7 @@ Security Fixes
   was disclosed in CVE-2020-8623.
 
   ISC would like to thank Lyu Chiy for bringing this vulnerability to
-  our attention. [GL #2037]
+  our attention. :gl:`#2037`
 
 - ``update-policy`` rules of type ``subdomain`` were incorrectly treated
   as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
@@ -51,13 +52,13 @@ Security Fixes
   described in the ARM. This was disclosed in CVE-2020-8624.
 
   ISC would like to thank Joop Boonen of credativ GmbH for bringing this
-  vulnerability to our attention. [GL #2055]
+  vulnerability to our attention. :gl:`#2055`
 
 New Features
 ~~~~~~~~~~~~
 
 - A new configuration option ``stale-cache-enable`` has been introduced
-  to enable or disable keeping stale answers in cache. [GL #1712]
+  to enable or disable keeping stale answers in cache. :gl:`#1712`
 
 - ``rndc`` has been updated to use the new BIND network manager API.
   This change had the side effect of altering the TCP timeout for RNDC
@@ -66,10 +67,10 @@ New Features
   has no support for UNIX-domain sockets, those cannot now be used
   with ``rndc``. This will be addressed in a future release, either by
   restoring UNIX-domain socket support or by formally declaring them
-  to be obsolete in the control channel. [GL #1759]
+  to be obsolete in the control channel. :gl:`#1759`
 
 - Statistics channels have also been updated to use the new BIND network
-  manager API. [GL #2022]
+  manager API. :gl:`#2022`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -79,20 +80,20 @@ Feature Changes
   ``max-cache-size`` (configured explicitly, defaulting to a value based
   on system memory or set to ``unlimited``) now pre-allocates fixed-size
   hash tables. This prevents interruption to query resolution when the
-  hash table sizes need to be increased. [GL #1775]
+  hash table sizes need to be increased. :gl:`#1775`
 
 - Keeping stale answers in cache has been disabled by default.
-  [GL #1712]
+  :gl:`#1712`
 
 - Resource records received with 0 TTL are no longer kept in the cache
-  to be used for stale answers. [GL #1829]
+  to be used for stale answers. :gl:`#1829`
 
 Bug Fixes
 ~~~~~~~~~
 
 - Wildcard RPZ passthru rules could incorrectly be overridden by other
   rules that were loaded from RPZ zones which appeared later in the
-  ``response-policy`` statement. This has been fixed. [GL #1619]
+  ``response-policy`` statement. This has been fixed. :gl:`#1619`
 
 - The IPv6 Duplicate Address Detection (DAD) mechanism could
   inadvertently prevent ``named`` from binding to new IPv6 interfaces,
@@ -107,7 +108,7 @@ Bug Fixes
   thereafter to ignore that address/interface. The problem was worked
   around by setting the ``IP_FREEBIND`` option on the socket and trying
   to ``bind()`` to each IPv6 address again if the first ``bind()`` call
-  for that address failed with ``EADDRNOTAVAIL``. [GL #2038]
+  for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038`
 
 - Addressed an error in recursive clients stats reporting which could
   cause underflow, and even negative statistics. There were occasions
@@ -116,12 +117,12 @@ Bug Fixes
   increment in recursive clients stats would take place. Conversely,
   when processing the answers, if the recursion code were executed
   before the prefetch, the same counter would be decremented without a
-  matching increment. [GL #1719]
+  matching increment. :gl:`#1719`
 
 - The introduction of KASP support inadvertently caused the second field
   of ``sig-validity-interval`` to always be calculated in hours, even in
   cases when it should have been calculated in days. This has been
-  fixed. (Thanks to Tony Finch.) [GL !3735]
+  fixed. (Thanks to Tony Finch.) :gl:`!3735`
 
 - LMDB locking code was revised to make ``rndc reconfig`` work properly
-  on FreeBSD and with LMDB >= 0.9.26. [GL #1976]
+  on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976`

doc/notes/notes-9.17.5.rst

@@ -17,9 +17,9 @@ New Features
 - Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to
   ``named`` that a DS record for a given zone or key has been published
   or withdrawn from the parent. This command replaces the time-based
-  ``parent-registration-delay`` configuration option. [GL #1613]
+  ``parent-registration-delay`` configuration option. :gl:`#1613`
 
-- Log when ``named`` adds a CDS/CDNSKEY to the zone. [GL #1748]
+- Log when ``named`` adds a CDS/CDNSKEY to the zone. :gl:`#1748`
 
 Removed Features
 ~~~~~~~~~~~~~~~~
@@ -27,11 +27,11 @@ Removed Features
 - The ``--with-gperftools-profiler`` ``configure`` option was removed.
   To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro
   now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to
-  be present in ``LDFLAGS``. [GL !4045]
+  be present in ``LDFLAGS``. :gl:`!4045`
 
 - The ``glue-cache`` *option* has been marked as deprecated. The glue
   cache *feature* still works and will be permanently *enabled* in a
-  future release. [GL #2146]
+  future release. :gl:`#2146`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -41,19 +41,19 @@ Feature Changes
   it had received a packet with EDNS0 buffer size set to 0. This is no
   longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS
   version 0 and buffer size set to 0. To disable EDNS, use ``dig
-  +noedns``. [GL #2054]
+  +noedns``. :gl:`#2054`
 
 Bug Fixes
 ~~~~~~~~~
 
 - In rare circumstances, ``named`` would exit with an assertion failure
   when the number of nodes stored in the red-black tree exceeded the
-  maximum allowed size of the internal hash table. [GL #2104]
+  maximum allowed size of the internal hash table. :gl:`#2104`
 
 - Silence spurious system log messages for an EPROTO(71) error code that
   was seen on older operating systems, where unhandled ICMPv6 errors
   resulted in a generic protocol error being returned instead of a more
-  specific error code. [GL #1928]
+  specific error code. :gl:`#1928`
 
 - With query name minimization enabled, ``named`` failed to resolve
   ``ip6.arpa.`` names that had extra labels to the left of the IPv6
@@ -64,14 +64,14 @@ Bug Fixes
   resolving the name: if ``named`` received NXDOMAIN answers, then the
   same query was repeatedly sent until the number of queries sent
   reached the value of the ``max-recursion-queries`` configuration
-  option. [GL #1847]
+  option. :gl:`#1847`
 
 - Parsing of LOC records was made more strict by rejecting a sole period
   (``.``) and/or ``m`` as a value. These changes prevent zone files
   using such values from being loaded. Handling of negative altitudes
-  which are not integers was also corrected. [GL #2074]
+  which are not integers was also corrected. :gl:`#2074`
 
 - Several problems found by `OSS-Fuzz`_ were fixed. (None of these are
-  security issues.) [GL !3953] [GL !3975]
+  security issues.) :gl:`!3953` :gl:`!3975`
 
 .. _OSS-Fuzz: https://github.com/google/oss-fuzz

doc/notes/notes-9.17.6.rst

@@ -15,18 +15,18 @@ New Features
 ~~~~~~~~~~~~
 
 - Add a new ``rndc`` command, ``rndc dnssec -rollover``, which triggers
-  a manual rollover for a specific key. [GL #1749]
+  a manual rollover for a specific key. :gl:`#1749`
 
 - Add a new ``rndc`` command, ``rndc dumpdb -expired``, which dumps the
   cache database, including expired RRsets that are awaiting cleanup, to
-  the ``dump-file`` for diagnostic purposes. [GL #1870]
+  the ``dump-file`` for diagnostic purposes. :gl:`#1870`
 
 Removed Features
 ~~~~~~~~~~~~~~~~
 
 - The ``glue-cache`` *option* has been marked as deprecated. The glue
   cache *feature* still works and will be permanently *enabled* in a
-  future release. [GL #2146]
+  future release. :gl:`#2146`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -42,23 +42,23 @@ Feature Changes
   estimated header space. In practice, the smallest MTU witnessed in the
   operational DNS community is 1500 octets, the maximum Ethernet payload
   size, so a useful default for maximum DNS/UDP payload size on reliable
-  networks would be 1400 bytes. [GL #2183]
+  networks would be 1400 bytes. :gl:`#2183`
 
 Bug Fixes
 ~~~~~~~~~
 
 - ``named`` reported an invalid memory size when running in an
   environment that did not properly report the number of available
-  memory pages and/or the size of each memory page. [GL #2166]
+  memory pages and/or the size of each memory page. :gl:`#2166`
 
 - With multiple forwarders configured, ``named`` could fail the
   ``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``,
-  causing it to crash. This has been fixed. [GL #2124]
+  causing it to crash. This has been fixed. :gl:`#2124`
 
 - ``named`` erroneously performed continuous key rollovers for KASP
   policies that used algorithm Ed25519 or Ed448 due to a mismatch
-  between created key size and expected key size. [GL #2171]
+  between created key size and expected key size. :gl:`#2171`
 
 - Updating contents of an RPZ zone which contained names spelled using
   varying letter case could cause some processing rules in that RPZ zone
-  to be erroneously ignored. [GL #2169]
+  to be erroneously ignored. :gl:`#2169`

doc/notes/notes-9.17.7.rst

@@ -18,12 +18,12 @@ New Features
   able to send DoT queries (``+tls`` option) and ``named`` can handle
   DoT queries (``listen-on tls ...`` option). ``named`` can use either a
   certificate provided by the user or an ephemeral certificate generated
-  automatically upon startup. [GL #1840]
+  automatically upon startup. :gl:`#1840`
 
 - A new configuration option, ``stale-refresh-time``, has been
   introduced. It allows a stale RRset to be served directly from cache
   for a period of time after a failed lookup, before a new attempt to
-  refresh it is made. [GL #2066]
+  refresh it is made. :gl:`#2066`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -36,29 +36,29 @@ Feature Changes
   or network configurations by listening for replies from servers other
   than the one that was queried. With the new API, such answers are
   filtered before they ever reach ``dig``, so the option has been
-  removed. [GL #2140]
+  removed. :gl:`#2140`
 
 - The network manager API is now used by ``named`` to send zone transfer
-  requests. [GL #2016]
+  requests. :gl:`#2016`
 
 Bug Fixes
 ~~~~~~~~~
 
 - ``named`` could crash with an assertion failure if a TCP connection
-  were closed while a request was still being processed. [GL #2227]
+  were closed while a request was still being processed. :gl:`#2227`
 
 - ``named`` acting as a resolver could incorrectly treat signed zones
   with no DS record at the parent as bogus. Such zones should be treated
-  as insecure. This has been fixed. [GL #2236]
+  as insecure. This has been fixed. :gl:`#2236`
 
 - After a Negative Trust Anchor (NTA) is added, BIND performs periodic
   checks to see if it is still necessary. If BIND encountered a failure
   while creating a query to perform such a check, it attempted to
-  dereference a ``NULL`` pointer, resulting in a crash. [GL #2244]
+  dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244`
 
 - A problem obtaining glue records could prevent a stub zone from
   functioning properly, if the authoritative server for the zone were
-  configured for minimal responses. [GL #1736]
+  configured for minimal responses. :gl:`#1736`
 
 - ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a
-  ``TCP6RecvErr``. [GL #2208]
+  ``TCP6RecvErr``. :gl:`#2208`

doc/notes/notes-9.17.8.rst

@@ -17,22 +17,22 @@ New Features
 - NSEC3 support was added to KASP. A new option for ``dnssec-policy``,
   ``nsec3param``, can be used to set the desired NSEC3 parameters.
   NSEC3 salt collisions are automatically prevented during resalting.
-  [GL #1620]
+  :gl:`#1620`
 
 - ``dig`` output now includes the transport protocol used (UDP, TCP, or
-  TLS). [GL #1816]
+  TLS). :gl:`#1816`
 
 - ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``).
   This is useful when the host on which ``dig`` is run is behind an
   IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
-  Service). [GL #1154]
+  Service). :gl:`#1154`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
 
 - The new networking code introduced in BIND 9.16 (netmgr) was
   overhauled in order to make it more stable, testable, and
-  maintainable. [GL #2321]
+  maintainable. :gl:`#2321`
 
 - Earlier releases of BIND versions 9.16 and newer required the
   operating system to support load-balanced sockets in order for
@@ -42,14 +42,14 @@ Feature Changes
   FreeBSD 12, which means both UDP and TCP performance were limited to a
   single thread on other systems. As of BIND 9.17.8, ``named`` attempts
   to distribute incoming queries among multiple threads on systems which
-  lack support for load-balanced sockets (except Windows). [GL #2137]
+  lack support for load-balanced sockets (except Windows). :gl:`#2137`
 
 - The default value of ``max-recursion-queries`` was increased from 75
   to 100. Since the queries sent towards root and TLD servers are now
   included in the count (as a result of the fix for CVE-2020-8616),
   ``max-recursion-queries`` has a higher chance of being exceeded by
   non-attack queries, which is the main reason for increasing its
-  default value. [GL #2305]
+  default value. :gl:`#2305`
 
 - The default value of ``nocookie-udp-size`` was restored back to 4096
   bytes. Since ``max-udp-size`` is the upper bound for
@@ -57,16 +57,16 @@ Feature Changes
   to change ``nocookie-udp-size`` together with ``max-udp-size`` in
   order to increase the default EDNS buffer size limit.
   ``nocookie-udp-size`` can still be set to a value lower than
-  ``max-udp-size``, if desired. [GL #2250]
+  ``max-udp-size``, if desired. :gl:`#2250`
 
 Bug Fixes
 ~~~~~~~~~
 
 - Handling of missing DNS COOKIE responses over UDP was tightened by
-  falling back to TCP. [GL #2275]
+  falling back to TCP. :gl:`#2275`
 
 - The CNAME synthesized from a DNAME was incorrectly followed when the
-  QTYPE was CNAME or ANY. [GL #2280]
+  QTYPE was CNAME or ANY. :gl:`#2280`
 
 - Building with native PKCS#11 support for AEP Keyper has been broken
-  since BIND 9.17.4. This has been fixed. [GL #2315]
+  since BIND 9.17.4. This has been fixed. :gl:`#2315`

doc/notes/notes-9.17.9.rst

@@ -14,7 +14,7 @@ Notes for BIND 9.17.9
 New Features
 ~~~~~~~~~~~~
 
-- ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385]
+- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -23,27 +23,27 @@ Feature Changes
   without making it bogus in the process; changing to ``dnssec-policy
   none;`` also causes CDS and CDNSKEY DELETE records to be published, to
   signal that the entire DS RRset at the parent must be removed, as
-  described in :rfc:`8078`. [GL #1750]
+  described in :rfc:`8078`. :gl:`#1750`
 
 - When using the ``unixtime`` or ``date`` method to update the SOA
   serial number, ``named`` and ``dnssec-signzone`` silently fell back to
   the ``increment`` method to prevent the new serial number from being
   smaller than the old serial number (using serial number arithmetics).
   ``dnssec-signzone`` now prints a warning message, and ``named`` logs a
-  warning, when such a fallback happens. [GL #2058]
+  warning, when such a fallback happens. :gl:`#2058`
 
 Bug Fixes
 ~~~~~~~~~
 
 - Multiple threads could attempt to destroy a single RBTDB instance at
   the same time, resulting in an unpredictable but low-probability
-  assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317]
+  assertion failure in ``free_rbtdb()``. This has been fixed. :gl:`#2317`
 
 - ``named`` no longer attempts to assign threads to CPUs outside the CPU
-  affinity set. Thanks to Ole Bjørn Hessen. [GL #2245]
+  affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245`
 
 - When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
-  off DNSSEC maintenance. This has been fixed. [GL #2341]
+  off DNSSEC maintenance. This has been fixed. :gl:`#2341`
 
 - The report of intermittent BIND assertion failures triggered in
   ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
@@ -53,4 +53,4 @@ Bug Fixes
   first appeared in BIND releases 9.17.5 and 9.16.7. However, since
   those releases were published, there have been no new reports of
   assertion failures matching this issue, but also no further diagnostic
-  input, so we have closed the issue. [GL #2091]
+  input, so we have closed the issue. :gl:`#2091`

doc/notes/notes-current.rst

@@ -35,10 +35,10 @@ Feature Changes
 ~~~~~~~~~~~~~~~
 
 - Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
-  the minimum of the SOA MINIMUM value and the SOA TTL. [GL #2347].
+  the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
 
 - Reduce the supported maximum number of iterations that can be
-  configured in an NSEC3 zones to 150. [GL #2642]
+  configured in an NSEC3 zones to 150. :gl:`#2642`
 
 Bug Fixes
 ~~~~~~~~~
@@ -47,16 +47,16 @@ Bug Fixes
   ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
   values if the RRset was still marked a stale but the ``max-stale-ttl`` has
   passed (and is actually an RRset awaiting cleanup). Both issues have now
-  been fixed. [GL #389] [GL #2289]
+  been fixed. :gl:`#389` :gl:`#2289`
 
 - ``named`` would overwrite a zone file unconditionally when it recovered from
-  a corrupted journal. [GL #2623]
+  a corrupted journal. :gl:`#2623`
 
 - After the networking manager was introduced to ``named`` to handle
   incoming traffic, it was discovered that the recursive performance had been
   degraded compared to the previous version (9.11).  This has been now fixed by
   running internal tasks inside the networking manager worker threads, so
-  they do not compete for resources. [GL #2638]
+  they do not compete for resources. :gl:`#2638`
 
 - With ``dnssec-policy``, when creating new keys also check for keyid conflicts
-  between the new keys too. [GL #2628]
+  between the new keys too. :gl:`#2628`