diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 5c7cc3b970..3c6efd6929 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.6.rst .. include:: ../changelog/changelog-9.21.5.rst .. include:: ../changelog/changelog-9.21.4.rst .. include:: ../changelog/changelog-9.21.3.rst diff --git a/doc/changelog/changelog-9.21.6.rst b/doc/changelog/changelog-9.21.6.rst new file mode 100644 index 0000000000..aeec17fcda --- /dev/null +++ b/doc/changelog/changelog-9.21.6.rst @@ -0,0 +1,478 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.6 +----------- + +New Features +~~~~~~~~~~~~ + +- Implement the min-transfer-rate-in configuration option. + ``a282f1ba3f`` + + A new option 'min-transfer-rate-in ' has been added + to the view and zone configurations. It can abort incoming zone + transfers which run very slowly due to network related issues, for + example. The default value is set to 10240 bytes in 5 minutes. + :gl:`#3914` :gl:`!9098` + +- Add digest methods for SIG and RRSIG. ``fd48df20f3`` + + ZONEMD digests RRSIG records and potentially digests SIG record. Add + digests methods for both record types. :gl:`#5219` :gl:`!10217` + +- Add HTTPS record query to host command line tool. ``d34414c47b`` + + The host command was extended to also query for the HTTPS RR type by + default. :gl:`!8642` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Clean up unnecessary code in qpcache. ``74c9ff384e`` + + Removed some code from the cache database implementation that was left + over from before it and the zone database implementation were + separated. :gl:`!9991` + +- Cleanup isc/util.h header and friends. ``239712df16`` + + Cleanup short list macros from , remove two unused + headers, move locking macros to respective headers and use only the + C11 static assertion. :gl:`!10196` + +- Remove check for the mandatory IPv6 support. ``daa9c17905`` + + IPv6 Advanced Socket API (:rfc:`3542`) is a hard requirement, remove + the autoconf check to speed up the ./configure run a little bit. + :gl:`!10201` + +- Remove log initialization checks from named. ``1b3e7f52ec`` + + Logging initialization check is now redundant as there is a default + global log context created during libisc's constructor. + + `isc_log` calls can safely be made at any time outside libisc's + constructor. :gl:`!10186` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Refactor and simplify isc_symtab. ``5559539eb0`` + + This commit does several changes to isc_symtab: + + 1. Rewrite the isc_symtab to internally use isc_hashmap instead of + hand-stiched hashtable. + + 2. Create a new isc_symtab_define_and_return() api, which returns + the already defined symvalue on ISC_R_EXISTS; this allows users of + the API to skip the isc_symtab_lookup()+isc_symtab_define() calls + and directly call isc_symtab_define_and_return(). + + 3. Merge isccc_symtab into isc_symtab - the only missing function + was isccc_symtab_foreach() that was merged into isc_symtab API. + + 4. Add full set of unit tests for the isc_symtab API. :gl:`#5103` + :gl:`!9921` + +- Drop malformed notify messages early instead of decompressing them. + ``7fce7707db`` + + The DNS header shows if a message has multiple questions or invalid + NOTIFY sections. We can drop these messages early, right after parsing + the question. This matches RFC 9619 for multi-question messages and + Unbound's handling of NOTIFY. We still parse the question to include + it in our FORMERR response. + + Add drop_msg_early() function to check for these conditions: - + Messages with more than one question, as required by RFC 9619 - NOTIFY + query messages containing answer sections (like Unbound) - NOTIFY + messages containing authority sections (like Unbound) :gl:`#5158`, + #3656 :gl:`!10056` + +- Cleanup parts of the isc_mem API. ``4ba1ccfa2e`` + + This MR changes custom attach/detach implementation with refcount + macros, replaces isc_mem_destroy() with isc_mem_detach(), and does + various small cleanups. :gl:`!9456` + +- Move the library initialization and shutdown to executables. + ``6e0c1f151c`` + + Instead of relying on unreliable order of execution of the library + constructors and destructors, move them to individual binaries. The + advantage is that the execution time and order will remain constant + and will not depend on the dynamic load dependency solver. + :gl:`!10069` + +- Reduce memory used to store DNS names. ``24db1b1a8a`` + + The memory used to internally store the DNS names has been reduced. + :gl:`!10140` + +- Unify fips handling to isc_crypto and make the toggle one way. + ``3de629d6b7`` + + Since algorithm fetching is handled purely in libisc, FIPS mode + toggling can be purely done in within the library instead of provider + fetching in the binary for OpenSSL >=3.0. + + Disabling FIPS mode isn't a realistic requirement and isn't done + anywhere in the codebase. Make the FIPS mode toggle enable-only to + reflect the situation. :gl:`!9920` + +Bug Fixes +~~~~~~~~~ + +- Prevent a reference leak when using plugins. ``5604d3a44e`` + + The `NS_QUERY_DONE_BEGIN` and `NS_QUERY_DONE_SEND` plugin hooks could + cause a reference leak if they returned `NS_HOOK_RETURN` without + cleaning up the query context properly. :gl:`#2094` :gl:`!9971` + +- Fix isc_quota bug. ``742d379d88`` + + Running jobs which were entered into the isc_quota queue is the + responsibility of the isc_quota_release() function, which, when + releasing a previously acquired quota, checks whether the queue is + empty, and if it's not, it runs a job from the queue without touching + the 'quota->used' counter. This mechanism is susceptible to a possible + hangup of a newly queued job in case when between the time a decision + has been made to queue it (because used >= max) and the time it was + actually queued, the last quota was released. Since there is no more + quotas to be released (unless arriving in the future), the newly + entered job will be stuck in the queue. + + Fix the issue by adding checks in both isc_quota_release() and + isc_quota_acquire_cb() to make sure that the described hangup does not + happen. Also see code comments. :gl:`#4965` :gl:`!10082` + +- Fix dual-stack-servers configuration option. ``6af708f3b0`` + + The dual-stack-servers configuration option was not working as + expected; the specified servers were not being used when they should + have been, leading to resolution failures. This has been fixed. + :gl:`#5019` :gl:`!9708` + +- Implement sig0key-checks-limit and sig0message-checks-limit. + ``d78ebff861`` + + Previously a hard-coded limitation of maximum two key or message + verification checks were introduced when checking the message's SIG(0) + signature. It was done in order to protect against possible DoS + attacks. The logic behind choosing the number 2 was that more than a + single key should only be required during key rotations, and in that + case two keys are enough. But later it became apparent that there are + other use cases too where even more keys are required, see issue + number #5050 in GitLab. + + This change introduces two new configuration options for the views, + `sig0key-checks-limit` and `sig0message-checks-limit`, which define + how many keys are allowed to be checked to find a matching key, and + how many message verifications are allowed to take place once a + matching key has been found. The latter protects against expensive + cryptographic operations when there are keys with colliding tags and + algorithm numbers, with default being 2, and the former protects + against a bit less expensive key parsing operations and defaults to + 16. :gl:`#5050` :gl:`!9967` + +- Fix the data race causing a permanent active client increase. + ``479c366c2b`` + + Previously, a data race could cause a newly created fetch context for + a new client to be used before it had been fully initialized, which + would cause the query to become stuck; queries for the same data would + be either paused indefinitely or dropped because of the + `clients-per-query` limit. This has been fixed. :gl:`#5053` + :gl:`!10146` + +- Fix deferred validation of unsigned DS and DNSKEY records. + ``ebf1606f38`` + + When processing a query with the "checking disabled" bit set (CD=1), + `named` stores the unvalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated, + and either accepted as an answer, or ejected from the cache as + invalid. This deferred validation was not attempted for DS and DNSKEY + records if they had no cached signatures, causing spurious validation + failures. We now complete the deferred validation in this scenario. + + Also, if deferred validation fails, we now re-query the data to find + out whether the zone has been corrected since the invalid data was + cached. :gl:`#5066` :gl:`!10104` + +- When recording an rr trace, use libtool. ``6320586df0`` + + When a system test is run with the `USE_RR` environment variable set + to 1, an `rr` trace is now correctly generated for each instance of + `named`. :gl:`#5079` :gl:`!10197` + +- Do not cache signatures for rejected data. ``fc3a4d6f89`` + + The cache has been updated so that if new data is rejected - for + example, because there was already existing data at a higher trust + level - then its covering RRSIG will also be rejected. :gl:`#5132` + :gl:`!9999` + +- Fix wrong logging severity in do_nsfetch() ``1f6a16e6d0`` + + ISC_LOG_WARNING was used while ISC_LOG_DEBUG(3) was implied. + :gl:`#5145` :gl:`!10017` + +- Fix RPZ race condition during a reconfiguration. ``5ba811bea2`` + + With RPZ in use, `named` could terminate unexpectedly because of a + race condition when a reconfiguration command was received using + `rndc`. This has been fixed. :gl:`#5146` :gl:`!10079` + +- "CNAME and other data check" not applied to all types. ``b694acbe45`` + + An incorrect optimization caused "CNAME and other data" errors not to + be detected if certain types were at the same node as a CNAME. This + has been fixed. :gl:`#5150` :gl:`!10033` + +- Use named Service Parameter Keys (SvcParamKeys) by default. + ``3f61a87be3`` + + When converting SVCB records to text representation `named` now uses + named `SvcParamKeys` values unless backward-compatible mode is + activated, in which case the values which were not defined initially + in RFC9460 and were added later (see [1]) are converted to opaque + "keyNNNN" syntax, like, for example, "key7" instead of "dohpath". + + Also a new `+[no]svcparamkeycompat` option is implemented for `dig`, + which enables the backward-compatible mode and uses the opaque syntax, + if required for interoperability with other software or scripts. By + default, the compatibility mode is disabled. + + [1] https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml + :gl:`#5156` :gl:`!10085` + +- Relax private DNSKEY and RRSIG constraints. ``1bc7016d7a`` + + DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow + empty key and signature material after the algorithm identifier for + PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within + the expected use of these types as no key material is shared and the + signatures are ineffective but these are private algorithms and they + can be totally insecure. :gl:`#5167` :gl:`!10083` + +- Delete dead nodes when committing a new version. ``67255da4b3`` + + In the qpzone implementation of `dns_db_closeversion()`, if there are + changed nodes that have no remaining data, delete them. :gl:`#5169` + :gl:`!10089` + +- Revert "Delete dead nodes when committing a new version" + ``b652d5327c`` + + This reverts commit 67255da4b376f65138b299dcd5eb6a3b7f9735a9, + reversing changes made to 74c9ff384e695d1b27fa365d1fee84576f869d4c. + :gl:`#5169` :gl:`!10224` + +- Fix dns_qp_insert() checks in qpzone. ``d6b63210a8`` + + Remove code in the QP zone database to handle failures of + `dns_qp_insert()` which can't actually happen. :gl:`#5171` + :gl:`!10088` + +- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. + ``f0785fedf1`` + + Previously, when parsing responses, named incorrectly rejected + responses without matching RRSIG records for NSEC/DS/NSEC3 records in + the authority section. This rejection, if appropriate, should have + been left for the validator to determine and has been fixed. + :gl:`#5185` :gl:`!10125` + +- Fix TTL issue with ANY queries processed through RPZ "passthru" + ``23c1fbc609`` + + Answers to an "ANY" query which were processed by the RPZ "passthru" + policy had the response-policy's `max-policy-ttl` value unexpectedly + applied. This has been fixed. :gl:`#5187` :gl:`!10176` + +- Save time when creating a slab from another slab. ``cf981ab13b`` + + The `dns_rdataslab_fromrdataset()` function creates a slab from an + rdataset. If the source rdataset already uses a slab, then no + processing is necessary; we can just copy the existing slab to a new + location. :gl:`#5188` :gl:`!10162` + +- Dnssec-signzone needs to check for a NULL key when setting offline. + ``26f8ee7229`` + + dnssec-signzone could dereference a NULL key pointer when resigning a + zone. This has been fixed. :gl:`#5192` :gl:`!10161` + +- Acquire the database reference before possibly last node release. + ``c4868b5bd9`` + + Acquire the database reference in the detachnode() to prevent the last + reference to be release while the NODE_LOCK being locked. The + NODE_LOCK is locked/unlocked inside the RCU critical section, thus it + is most probably this should not pose a problem as the database uses + call_rcu memory reclamation, but this it is still safer to acquire the + reference before releasing the node. :gl:`#5194` :gl:`!10155` + +- Fix a logic error in cache_name() ``02ef8ff01c`` + + A change in 6aba56ae8 (checking whether a rejected RRset was identical + to the data it would have replaced, so that we could still cache a + signature) inadvertently introduced cases where processing of a + response would continue when previously it would have been skipped. + :gl:`#5197` :gl:`!10157` + +- Fix a bug in the statistics channel when querying zone transfers + information. ``e02d73e7e3`` + + When querying zone transfers information from the statistics channel + there was a rare possibility that `named` could terminate unexpectedly + if a zone transfer was in a state when transferring from all the + available primary servers had failed earlier. This has been fixed. + :gl:`#5198` :gl:`!10182` + +- Fix assertion failure when dumping recursing clients. ``796b662b92`` + + Previously, if a new counter was added to the hashtable while dumping + recursing clients via the `rndc recursing` command, and + `fetches-per-zone` was enabled, an assertion failure could occur. This + has been fixed. :gl:`#5200` :gl:`!10164` + +- Validating ADB fetches could cause a crash in import_rdataset() + ``49ccbe857a`` + + Previously, in some cases, the resolver could return rdatasets of type + CNAME or DNAME without the result code being set to `DNS_R_CNAME` or + `DNS_R_DNAME`. This could trigger an assertion failure in the ADB. The + resolver error has been fixed. :gl:`#5201` :gl:`!10172` + +- Call isc__iterated_hash_initialize in isc__work_cb. ``f3458fdf43`` + + isc_iterated_hash didn't work in offloaded threads as the per thread + initialisation has not been done. This has been fixed. :gl:`#5214` + :gl:`!10206` + +- Fix a bug in get_request_transport_type() ``db5166ab99`` + + When `dns_remote_done()` is true, calling `dns_remote_curraddr()` + asserts. Add a `dns_remote_curraddr()` check before calling + `dns_remote_curraddr()`. :gl:`#5215` :gl:`!10222` + +- Clean up dns_rdataslab module. ``948f8d7a98`` + + Rdata slabs used in the QP databases are usually prepended with a slab + header, but are sometimes "raw", containing only the rdata and no + header. Previously, to allow for them to be used both ways, functions + that operated on them took a `reservelen` argument, which would be set + to either the header length or to zero, and skipped over that many + bytes at the beginning of the buffer. Most such functions were never + used on the raw form. To make the code clearer, each of these + functions now operates on full slabs with headers, and an alternate + "raw" version of the function has been added in cases where that was + needed. + + In addition, the `dns_rdataslab_merge()` and `_subtract()` functions + have been rewritten for clarity and efficiency, and a minor bug has + been fixed in `dns_rdataslab_equal()` and `_equalx()`, which could + cause an incorrect result if both slabs being compared had zero + length. :gl:`!10084` + +- Dump the active resolver fetches from dns_resolver_dumpfetches() + ``5d0c347e75`` + + Previously, active resolver fetches were only dumped when the + `fetches-per-zone` configuration option was enabled. Now, active + resolver fetches are dumped along with the number of + `clients-per-server` counters per resolver fetch. :gl:`!10107` + +- Fix the foundname vs dcname madness in qpcache_findzonecut() + ``4e68dbf194`` + + The qpcache_findzonecut() accepts two "foundnames": 'foundname' and + 'dcname' could be NULL. Originally, when 'dcname' would be NULL, the + 'dcname' would be set to 'foundname' which basically means that we + were copying the .ndata over itself for no apparent reason. + :gl:`!10049` + +- Post [CVE-2024-12705] Performance Drop Fixes, Part 2. ``c8104daf8d`` + + This merge request addresses several key performance bottlenecks in + the DoH (DNS over HTTPS) implementation by introducing significant + optimizations and improvements. + + ### Key Improvements + + 1. **Simplification and Optimisation of `http_do_bio()` Function**: + - The code flow in the `http_do_bio()` function has been significantly + simplified. 2. **Flushing HTTP Write Buffer on Outgoing DNS + Messages**: - The buffer is flushed and a send operation is + performed when there is an outgoing DNS message. 3. **Bumping Active + Streams Processing Limit**: - The total number of active streams + has been increased to 60% of the total streams limit. + + These changes collectively enhance the performance and reliability of + the DoH implementation, making it more efficient and robust for + handling high-load scenarios, particularly noticeable in long runs (>= + 1h) of `stress:long:rpz:doh+udp:linux:*` tests. It improves perf. for + tests for BIND 9.18, but it likely will have a positive but less + pronounced effect on newer versions as well. + + In essence, the merge request fixes three bottlenecks stacked upon + each other. + + *It is a logical continuation of the merge requests !10109.* !10109, + unfortunately, did not completely [address the performance drop in + 9.18](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/221545) + for longer runs of the stress test. This merge request [addresses + that](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/223661). + + **P.S.** + + The origin of the fixes is, in fact, the branch in !10193. So this MR + is a ... *forward port* of them. :gl:`!10192` + +- Post [CVE-2024-12705] Performance Drop Fixes. ``3033d127d2`` + + This merge request fixes a [performance + drop](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/216728) + after merging the fixes for #4795, in particular in 9.18. + + The MR [fixes the + problem](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/219825) + without affecting performance for the newer versions, in particular + for [the development version](https://gitlab.isc.org/isc-projects/bind + 9/-/pipelines/220619). :gl:`!10109` + +- Remove 'target' from dns_adb. ``764eb65cf6`` + + When a server name turns out to be a CNAME or DNAME, the ADB does not + use it, but the `dns_adbname` structure still stored a copy of the + target name. This is unnecessary and the code has been removed. + :gl:`!10149` + +- Simplify some dns_name API calls. ``e16560a650`` + + Several functions in the `dns_name` module have had parameters + removed, that were rarely or never used: - `dns_name_fromtext()` and + `dns_name_concatenate()` no longer take a target buffer. - + `dns_name_towire()` no longer takes a compression offset pointer; this + is now part of the compression context. - `dns_name_towire()` with a + `NULL` compression context will copy name data directly into a buffer + with no processing. :gl:`!10152` + +- Sync the TSAN CC, CFLAGS and LDFLAGS in the respdiff:tsan job. + ``22b5442722`` + + :gl:`!10209` + +