mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 22:15:20 +00:00
new: doc: Prepare documentation for BIND 9.20.9
Merge branch 'michal/prepare-documentation-for-bind-9.20.9' into 'v9.20.9-release' See merge request isc-private/bind9!797
@@ -18,6 +18,7 @@ Changelog
|
||||
development. Regular users should refer to :ref:`Release Notes <relnotes>`
|
||||
for changes relevant to them.
|
||||
|
||||
.. include:: ../changelog/changelog-9.20.9.rst
|
||||
.. include:: ../changelog/changelog-9.20.8.rst
|
||||
.. include:: ../changelog/changelog-9.20.7.rst
|
||||
.. include:: ../changelog/changelog-9.20.6.rst
|
||||
|
@@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be
|
||||
found at
|
||||
https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20
|
||||
|
||||
.. include:: ../notes/notes-9.20.9.rst
|
||||
.. include:: ../notes/notes-9.20.8.rst
|
||||
.. include:: ../notes/notes-9.20.7.rst
|
||||
.. include:: ../notes/notes-9.20.6.rst
|
||||
|
98
doc/changelog/changelog-9.20.9.rst
Normal file
@@ -0,0 +1,98 @@
|
||||
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
..
|
||||
.. SPDX-License-Identifier: MPL-2.0
|
||||
..
|
||||
.. This Source Code Form is subject to the terms of the Mozilla Public
|
||||
.. License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
..
|
||||
.. See the COPYRIGHT file distributed with this work for additional
|
||||
.. information regarding copyright ownership.
|
||||
|
||||
BIND 9.20.9
|
||||
-----------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
|
||||
``b8c198ac5ca``
|
||||
|
||||
DNS messages that included a Transaction Signature (TSIG) containing
|
||||
an invalid value in the algorithm field caused :iscman:`named` to
|
||||
crash with an assertion failure. This has been fixed.
|
||||
:cve:`2025-40775` :gl:`#5300`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- Use jinja2 templates in system tests. ``8f545784ff0``
|
||||
|
||||
`python-jinja2` is now required to run system tests. :gl:`#4938`
|
||||
:gl:`!10396`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Fix EDNS yaml output. ``8c3b226d89b``
|
||||
|
||||
`dig` was producing invalid YAML when displaying some EDNS options.
|
||||
This has been corrected.
|
||||
|
||||
Several other improvements have been made to the display of EDNS
|
||||
option data: - We now use the correct name for the UPDATE-LEASE
|
||||
option, which was previously displayed as "UL", and split it into
|
||||
separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
|
||||
durations are now displayed as comments in YAML mode so as not to
|
||||
interfere with machine parsing. - KEY-TAG options are now displayed as
|
||||
an array of integers in YAML mode. - EDNS COOKIE options are displayed
|
||||
as separate CLIENT and SERVER components, and cookie STATUS is a
|
||||
retrievable variable in YAML mode. :gl:`#5014` :gl:`!10414`
|
||||
|
||||
- Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``
|
||||
|
||||
This change allows the client to identify the server that returns the
|
||||
BADVERS and to provide a DNS SERVER COOKIE to be included in the
|
||||
resend of the request. :gl:`#5235` :gl:`!10392`
|
||||
|
||||
- Disable own memory context for libxml2 on macOS. ``51e51d5ea8f``
|
||||
|
||||
Apple broke custom memory allocation functions in the system-wide
|
||||
libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory
|
||||
allocation functions has been disabled on macOS. :gl:`#5268`
|
||||
:gl:`!10411`
|
||||
|
||||
- `check_private` failed to account for the length byte before the OID.
|
||||
``2b827380e75``
|
||||
|
||||
In PRIVATEOID keys, the key data begins with a length byte followed
|
||||
by an ASN.1 object identifier that indicates the cryptographic
|
||||
algorithm to use. Previously, the length byte was not accounted for
|
||||
when checking the contents of keys and signatures, which could have
|
||||
led to interoperability problems with any zones signed using
|
||||
PRIVATEOID. This has been fixed. :gl:`#5270` :gl:`!10376`
|
||||
|
||||
- Fix a serve-stale issue with a delegated zone. ``d839d11bf62``
|
||||
|
||||
When ``stale-answer-client-timeout 0`` option was enabled, it could be
|
||||
ignored when resolving a zone which is a delegation of an
|
||||
authoritative zone belonging to the resolver. This has been fixed.
|
||||
:gl:`#5275` :gl:`!10420`
|
||||
|
||||
- Fix the ksr two-tone test. ``3e2b255b5b7``
|
||||
|
||||
The two-tone ksr subtest (test_ksr_twotone) depended on the
|
||||
dnssec-policy keys algorithm values in named.conf being entered in
|
||||
numerical order. As the algorithms used in the test can be selected
|
||||
randomly this does not always happen. Sort the dnssec-policy keys by
|
||||
algorithm when adding them to the key list from named.conf.
|
||||
:gl:`#5286` :gl:`!10435`
|
||||
|
||||
- Revert NSEC3 closest encloser lookup improvements. ``ac41f158fad``
|
||||
|
||||
The performance improvements for NSEC3 closest encloser lookups that
|
||||
were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
|
||||
records to be returned in nonexistence proofs and were therefore
|
||||
reverted again. :gl:`#5292` :gl:`!10443`
|
||||
|
||||
|
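Review bot: In the "Fix EDNS yaml output" entry, the four improvements are run into the paragraph as inline " - " fragments ("option data: - We now use the correct name ..."), so reStructuredText renders them as a single paragraph with stray hyphens instead of a list. Put a blank line after "option data:" and give each item its own indented bullet, the way the same entry is laid out in doc/notes/notes-9.20.9.rst. The single-backtick `dig`, `python-jinja2` and `check_private` in this file are also default-role interpreted text rather than inline literals; use double backticks, as ``stale-answer-client-timeout 0`` does further down, or :iscman:`dig` for the tool name.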
96
doc/notes/notes-9.20.9.rst
Normal file
96
doc/notes/notes-9.20.9.rst
Normal file
@@ -0,0 +1,96 @@
|
||||
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
..
|
||||
.. SPDX-License-Identifier: MPL-2.0
|
||||
..
|
||||
.. This Source Code Form is subject to the terms of the Mozilla Public
|
||||
.. License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
..
|
||||
.. See the COPYRIGHT file distributed with this work for additional
|
||||
.. information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.20.9
|
||||
---------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- Prevent an assertion failure when processing TSIG algorithm.
|
||||
|
||||
DNS messages that included a Transaction Signature (TSIG) containing
|
||||
an invalid value in the algorithm field caused :iscman:`named` to
|
||||
crash with an assertion failure. This has been fixed.
|
||||
:cve:`2025-40775` :gl:`#5300`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- Return DNS COOKIE and NSID with BADVERS.
|
||||
|
||||
This change allows the client to identify a server that returns a
|
||||
BADVERS response and to provide a DNS SERVER COOKIE to be included in
|
||||
the resent request. :gl:`#5235`
|
||||
|
||||
- Disable separate memory context for libxml2 memory allocations on
|
||||
macOS.
|
||||
|
||||
As of macOS Sequoia 15.4, custom memory allocation functions are no
|
||||
longer supported by the system-wide version of libxml2. This prevents
|
||||
tracking libxml2 memory allocations in a separate :iscman:`named`
|
||||
memory context, so the latter has been disabled on macOS; the system
|
||||
allocator is now directly used for libxml2 memory allocations on that
|
||||
operating system. :gl:`#5268`
|
||||
|
||||
- Use Jinja2 templates in system tests.
|
||||
|
||||
`python-jinja2` is now required to run system tests. :gl:`#4938`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Revert NSEC3 closest encloser lookup improvements.
|
||||
|
||||
The performance improvements for NSEC3 closest encloser lookups that
|
||||
were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
|
||||
records to be returned in nonexistence proofs and were therefore
|
||||
reverted again. :gl:`#5292`
|
||||
|
||||
- Fix EDNS YAML output in :iscman:`dig`.
|
||||
|
||||
:iscman:`dig` was producing invalid YAML when displaying some EDNS
|
||||
options. This has been corrected.
|
||||
|
||||
Several other improvements have been made to the display of EDNS
|
||||
option data:
|
||||
|
||||
- The correct name is now used for the UPDATE-LEASE option, which
|
||||
was previously displayed as ``UL``, and it is split into separate
|
||||
``LEASE`` and ``LEASE-KEY`` components in YAML mode.
|
||||
|
||||
- Human-readable durations are now displayed as comments in YAML
|
||||
mode so as not to interfere with machine parsing.
|
||||
|
||||
- KEY-TAG options are now displayed as an array of integers in YAML
|
||||
mode.
|
||||
|
||||
- EDNS COOKIE options are displayed as separate ``CLIENT`` and
|
||||
``SERVER`` components, and cookie STATUS is a retrievable variable
|
||||
in YAML mode.
|
||||
|
||||
:gl:`#5014`
|
||||
|
||||
- Fix RDATA checks for PRIVATEOID keys.
|
||||
|
||||
In PRIVATEOID keys, the key data begins with a length byte followed by
|
||||
an ASN.1 object identifier that indicates the cryptographic algorithm
|
||||
to use. Previously, the length byte was not accounted for when
|
||||
checking the contents of keys and signatures, which could have led to
|
||||
interoperability problems with any zones signed using PRIVATEOID. This
|
||||
has been fixed. :gl:`#5270`
|
||||
|
||||
- Fix a serve-stale issue with a delegated zone.
|
||||
|
||||
Even with :any:`stale-answer-client-timeout` set to ``0``, stale
|
||||
responses were not returned immediately for names in domains delegated
|
||||
from authoritative zones configured on the resolver. This has been
|
||||
fixed. :gl:`#5275`
|
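Review bot: `python-jinja2` under "Use Jinja2 templates in system tests" is in single backticks, which reStructuredText treats as default-role interpreted text, not an inline literal; the rest of this file uses double backticks for literals (``UL``, ``LEASE``, ``0``), so it should read ``python-jinja2``. Separately, the TSIG entry under Security Fixes says an invalid algorithm field crashed named but not which deployments are exposed (for example, whether the message has to come from a peer holding a configured key); one sentence on that would help operators prioritise the upgrade from the release notes alone.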