From e19c8e747bcc3a3f67b927fefdd6a8bd05abcf71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 3 Apr 2025 13:11:46 +0200 Subject: [PATCH] Prepare release notes for BIND 9.21.7 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.21.7.rst | 180 +++++++++++++++++++++++++++++++++++++ 2 files changed, 181 insertions(+) create mode 100644 doc/notes/notes-9.21.7.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index c9a790a722..eaaf5c4443 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.7.rst .. include:: ../notes/notes-9.21.6.rst .. include:: ../notes/notes-9.21.5.rst .. include:: ../notes/notes-9.21.4.rst diff --git a/doc/notes/notes-9.21.7.rst b/doc/notes/notes-9.21.7.rst new file mode 100644 index 0000000000..313f9cae85 --- /dev/null +++ b/doc/notes/notes-9.21.7.rst 
@@ -0,0 +1,180 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.7 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Add support for EDE 20 (Not Authoritative) + + Support was added for EDE codes 20 (Not Authoritative) when client + requests recursion (RD) but the server has recursion disabled. + + RFC 8914 mention EDE 20 should also be returned if the client doesn't + have the RD bit set (and recursion is needed) but it doesn't apply for + BIND as BIND would try to resolve from the "deepest" referral in + AUTHORITY section. For example, if the client asks for "www.isc.org/A" + but the server only knows the root domain, it will return NOERROR but + no answer for "www.isc.og/A", just the list of other servers to ask. + :gl:`#1836` + +- Add support for EDE 7 and EDE 8. + + Support was added for EDE codes 7 (Signature Expired) and 8 (Signature + Not Yet Valid) which might occur during DNSSEC validation. :gl:`#2715` + +- Add support for EDNS ZONEVERSION option. + + `dig` and `named` can now make requests with an EDNS `ZONEVERSION` + option present. + + Two new `named.conf` options have been added: `request-zoneversion` + and `provide-zoneversion`. `request-zoneversion` is `off` by default. + `provide-zoneversion` is `on` by default. :gl:`#4767` + +- Dig can now display the received BADVERS message during negotiation. + + Dig +showbadvers now displays the received BADVERS message and + continues the EDNS version negotiation. Previously to see the BADVERS + message +noednsneg had to be specified which terminated the EDNS + negotiation. 
Additionally the specified EDNS value (+edns=value) is + now used when making all the initial queries with +trace. i.e EDNS + version negotiation will be performed with each server when performing + the trace. :gl:`#5234` + +- Add an rndc command to reset some statistics counters. + + The new ``reset-stats`` command for ``rndc`` allows some statistics + counters to be reset during runtime. At the moment only two + "high-water" counters are supported, so the ability to reset them + after the initial peaks during the server's "warm-up" phase may be + useful for some operators. :gl:`#5251` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Drop readline alternatives in favor of libedit. + + Libedit is now ubiquitous and has a license compatible with MPL 2.0. + We are now dropping readline (GPL 3.0) and editline (obsolete) support + in favor of libedit. + +- Implement the systemd notification protocol manually to remove + dependency on libsystemd. + +- Remove unnecessary options in dnssec-keygen and dnssec-keyfromlabel. + + The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was + derived from it) had several options dating to the time when keys in + DNS were still experimental and not fully specified, and when + `dnssec-keygen` had the additional function of generating TSIG keys, + which are now generated by `tsig-keygen`. These options are no longer + necessary in the modern DNSSEC environment, and have been removed. + + The removed options are: - `-t` (key type), which formerly set flags + to disable confidentiality or authentication support in a key; these + are no longer used. - `-n` (name type), which is now always set to + "ZONE" for DNSKEY and "HOST" for KEY. - `-p` (protocol), which is now + always set to 3 (DNSSEC); no other value has ever been defined. - `-s` + (signatory field), which was never fully defined. - `-d` (digest + bits), which is meaningful only for TSIG keys. + +Feature Changes +~~~~~~~~~~~~~~~ + +- When forwarding, query with CD=0 first. 
+ + Previously, when queries were forwarded to a remote resolver, the CD + (checking disabled) bit was used, which could lead to bogus data being + retrieved that might have been corrected if validation had been + permitted. The CD bit is now only used as a fallback if an initial + query without CD fails. :gl:`#5132`. + +- Improve the LRU cache-expiration mechanism. + + Improve the LRU cache-expiration mechanism to a SIEVE-LRU based + mechanism that triggers when the cache is close to the + `max-cache-size` limit. This improves the recursive server + performance. + +Bug Fixes +~~~~~~~~~ + +- QNAME minimization could leak the query type. + + When performing QNAME minimization, `named` now sends an NS query for + the original query name, before sending the final query. This prevents + the parent zone from learning the original query type, in the event + that the query name is a delegation point. + + For example, when looking up an address record for `example.com`, NS + queries are now sent to the servers for both `com` and `example.com`, + before the address query is sent to the servers for `example.com`. + Previously, an address query would have been sent to the servers for + `com`. :gl:`#4805` + +- Stop caching lack of EDNS support. + + `named` could falsely learn that a server doesn't support EDNS when a + spoofed response was received; that subsequently prevented DNSSEC + lookups from being made. This has been fixed. :gl:`#3949` :gl:`#5066` + +- Fix resolver statistics counters for timed out responses. + + When query responses timed out, the resolver could incorrectly + increase the regular responses counters, even if no response was + received. This has been fixed. :gl:`#5193` + +- Nested DNS validation could cause assertion failure. + + When multiple nested DNS validations were destroyed out of order, the + EDE context could be freed before all EDE codes were copied, which + could cause an assertion failure. This has been fixed. 
:gl:`#5213` + +- Ensure max-clients-per-query is at least clients-per-query. + + If the `max-clients-per-query` option is set to a lower value than + `clients-per-query`, the value is adjusted to match + `clients-per-query`. :gl:`#5224` + +- Fix write after free in validator code. + + Raw integer pointers were being used for the validator's nvalidations + and nfails values but the memory holding them could be freed before + they ceased to be used. Use reference counted counters instead. + :gl:`#5239` + +- Don't enforce NOAUTH/NOCONF flags in DNSKEYs. + + All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH` + (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type, + and are not applicable to DNSKEY. Previously, however, because the + DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag + prevented authentication in DNSKEYs as well. This has been corrected. + :gl:`#5240` + +- Fix several small DNSSEC timing issues. + + The following small issues related to `dnssec-policy` have been fixed: + - In some cases the key manager inside BIND 9 could run every hour, + while it could have run less often. - While `CDS` and `CDNSKEY` + records will be removed correctly from the zone when the corresponding + `DS` record needs to be updated, the expected timing metadata when + this will happen was never set. - There were a couple of cases where + the safety intervals are added inappropriately, delaying key rollovers + longer than necessary. - If you have identical `keys` in your + `dnssec-policy`, they may be retired inappropriately. Note that having + keys with identical properties is discouraged in all cases. + :gl:`#5242` + +
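Review bot: in the EDE 20 entry under New Features, the second example name is misspelled: `www.isc.og/A` should be `www.isc.org/A` to match the earlier mention, and "RFC 8914 mention EDE 20 should also be returned" should read "RFC 8914 mentions that EDE 20 should also be returned". A few consistency points elsewhere in the same file: the CD=0 forwarding entry ends with ":gl:`#5132`." (a stray period after the role) while every other entry has none; the LRU cache-expiration, libedit and systemd-notification entries carry no `:gl:` reference at all, and the systemd one is a bare title with no body paragraph; the BADVERS entry leaves `+showbadvers`, `+noednsneg`, `+edns=value` and `+trace` unquoted where other entries put options in backticks, and "i.e EDNS" wants "i.e., EDNS". Finally, the validator write-after-free fix (:gl:`#5239`) and the spoofed-response EDNS caching fix (:gl:`#3949`, :gl:`#5066`) sit under Bug Fixes with no statement of impact; if either was assessed as a security issue it belongs in a Security Fixes section with the advisory reference, and if not, one sentence saying so would let operators triage the upgrade.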