new: doc: Prepare documentation for BIND 9.20.9

Merge branch 'michal/prepare-documentation-for-bind-9.20.9' into 'v9.20.9-release'

See merge request isc-private/bind9!797

doc/arm/changelog.rst

@@ -18,6 +18,7 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+.. include:: ../changelog/changelog-9.20.9.rst
 .. include:: ../changelog/changelog-9.20.8.rst
 .. include:: ../changelog/changelog-9.20.7.rst
 .. include:: ../changelog/changelog-9.20.6.rst

doc/arm/notes.rst

@@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be
 found at
 https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20
 
+.. include:: ../notes/notes-9.20.9.rst
 .. include:: ../notes/notes-9.20.8.rst
 .. include:: ../notes/notes-9.20.7.rst
 .. include:: ../notes/notes-9.20.6.rst

doc/changelog/changelog-9.20.9.rst

@@ -0,0 +1,98 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.20.9
+-----------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
+  ``b8c198ac5ca``
+
+  DNS messages that included a Transaction Signature (TSIG) containing
+  an invalid value in the algorithm field caused :iscman:`named` to
+  crash with an assertion failure. This has been fixed.
+  :cve:`2025-40775` :gl:`#5300`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Use jinja2 templates in system tests. ``8f545784ff0``
+
+  `python-jinja2` is now required to run system tests. :gl:`#4938`
+  :gl:`!10396`
+
+Bug Fixes
+~~~~~~~~~
+
+- Fix EDNS yaml output. ``8c3b226d89b``
+
+  `dig` was producing invalid YAML when displaying some EDNS options.
+  This has been corrected.
+
+  Several other improvements have been made to the display of EDNS
+  option data: - We now use the correct name for the UPDATE-LEASE
+  option, which was previously displayed as "UL", and split it into
+  separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
+  durations are now displayed as comments in YAML mode so as not to
+  interfere with machine parsing. - KEY-TAG options are now displayed as
+  an array of integers in YAML mode. - EDNS COOKIE options are displayed
+  as separate CLIENT and SERVER components, and cookie STATUS is a
+  retrievable variable in YAML mode. :gl:`#5014` :gl:`!10414`
+
+- Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``
+
+  This change allows the client to identify the server that returns the
+  BADVERS and to provide a DNS SERVER COOKIE to be included in the
+  resend of the request. :gl:`#5235` :gl:`!10392`
+
+- Disable own memory context for libxml2 on macOS. ``51e51d5ea8f``
+
+  Apple broke custom memory allocation functions in the system-wide
+  libxml2 starting with macOS Sequoia 15.4.  Usage of the custom memory
+  allocation functions has been disabled on macOS. :gl:`#5268`
+  :gl:`!10411`
+
+- `check_private` failed to account for the length byte before the OID.
+  ``2b827380e75``
+
+  In PRIVATEOID keys, the key data begins with a length byte followed
+  by an ASN.1 object identifier that indicates the cryptographic
+  algorithm  to use. Previously, the length byte was not accounted for
+  when  checking the contents of keys and signatures, which could have
+  led to interoperability problems with any zones signed using
+  PRIVATEOID. This has been fixed. :gl:`#5270` :gl:`!10376`
+
+- Fix a serve-stale issue with a delegated zone. ``d839d11bf62``
+
+  When ``stale-answer-client-timeout 0`` option was enabled, it could be
+  ignored when resolving a zone which is a delegation of an
+  authoritative zone belonging to the resolver. This has been fixed.
+  :gl:`#5275` :gl:`!10420`
+
+- Fix the ksr two-tone test. ``3e2b255b5b7``
+
+  The two-tone ksr subtest (test_ksr_twotone) depended on the
+  dnssec-policy keys algorithm values in named.conf being entered in
+  numerical order.  As the algorithms used in the test can be selected
+  randomly this does not always happen. Sort the dnssec-policy keys by
+  algorithm when adding them to the key list from named.conf.
+  :gl:`#5286` :gl:`!10435`
+
+- Revert NSEC3 closest encloser lookup improvements. ``ac41f158fad``
+
+  The performance improvements for NSEC3 closest encloser lookups that
+  were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
+  records to be returned in nonexistence proofs and were therefore
+  reverted again. :gl:`#5292` :gl:`!10443`
+
+

doc/notes/notes-9.20.9.rst

@@ -0,0 +1,96 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.20.9
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Prevent an assertion failure when processing TSIG algorithm.
+
+  DNS messages that included a Transaction Signature (TSIG) containing
+  an invalid value in the algorithm field caused :iscman:`named` to
+  crash with an assertion failure. This has been fixed.
+  :cve:`2025-40775` :gl:`#5300`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Return DNS COOKIE and NSID with BADVERS.
+
+  This change allows the client to identify a server that returns a
+  BADVERS response and to provide a DNS SERVER COOKIE to be included in
+  the resent request. :gl:`#5235`
+
+- Disable separate memory context for libxml2 memory allocations on
+  macOS.
+
+  As of macOS Sequoia 15.4, custom memory allocation functions are no
+  longer supported by the system-wide version of libxml2. This prevents
+  tracking libxml2 memory allocations in a separate :iscman:`named`
+  memory context, so the latter has been disabled on macOS; the system
+  allocator is now directly used for libxml2 memory allocations on that
+  operating system. :gl:`#5268`
+
+- Use Jinja2 templates in system tests.
+
+  `python-jinja2` is now required to run system tests. :gl:`#4938`
+
+Bug Fixes
+~~~~~~~~~
+
+- Revert NSEC3 closest encloser lookup improvements.
+
+  The performance improvements for NSEC3 closest encloser lookups that
+  were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
+  records to be returned in nonexistence proofs and were therefore
+  reverted again. :gl:`#5292`
+
+- Fix EDNS YAML output in :iscman:`dig`.
+
+  :iscman:`dig` was producing invalid YAML when displaying some EDNS
+  options.  This has been corrected.
+
+  Several other improvements have been made to the display of EDNS
+  option data:
+
+    - The correct name is now used for the UPDATE-LEASE option, which
+      was previously displayed as ``UL``, and it is split into separate
+      ``LEASE`` and ``LEASE-KEY`` components in YAML mode.
+
+    - Human-readable durations are now displayed as comments in YAML
+      mode so as not to interfere with machine parsing.
+
+    - KEY-TAG options are now displayed as an array of integers in YAML
+      mode.
+
+    - EDNS COOKIE options are displayed as separate ``CLIENT`` and
+      ``SERVER`` components, and cookie STATUS is a retrievable variable
+      in YAML mode.
+
+  :gl:`#5014`
+
+- Fix RDATA checks for PRIVATEOID keys.
+
+  In PRIVATEOID keys, the key data begins with a length byte followed by
+  an ASN.1 object identifier that indicates the cryptographic algorithm
+  to use. Previously, the length byte was not accounted for when
+  checking the contents of keys and signatures, which could have led to
+  interoperability problems with any zones signed using PRIVATEOID. This
+  has been fixed. :gl:`#5270`
+
+- Fix a serve-stale issue with a delegated zone.
+
+  Even with :any:`stale-answer-client-timeout` set to ``0``, stale
+  responses were not returned immediately for names in domains delegated
+  from authoritative zones configured on the resolver. This has been
+  fixed. :gl:`#5275`