mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 14:07:59 +00:00
Generate changelog
This commit is contained in:
Nicki Křížek
@@ -18,6 +18,256 @@ Changelog
|
||||
development. Regular users should refer to :ref:`Release Notes <relnotes>`
|
||||
for changes relevant to them.
|
||||
|
||||
(-dev)
|
||||
------
|
||||
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- Support for Offline KSK implemented. ``bfa206beecc``
|
||||
|
||||
Add a new configuration option `offline-ksk` to enable Offline KSK key
|
||||
management. Signed Key Response (SKR) files created with `dnssec-ksr`
|
||||
(or other program) can now be imported into `named` with the new `rndc
|
||||
skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY
|
||||
records and generating signatures covering these types, these records
|
||||
are loaded from the currently active bundle from the imported SKR.
|
||||
|
||||
The implementation is loosely based on:
|
||||
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-
|
||||
keymgmt-01.txt :gl:`#1128` :gl:`!9119`
|
||||
|
||||
- Implement the 'request-ixfr-max-diffs' configuration option.
|
||||
``99b18bab7e1``
|
||||
|
||||
The new 'request-ixfr-max-diffs' configuration option sets the maximum
|
||||
number of incoming incremental zone transfer (IXFR) differences,
|
||||
exceeding which triggers a full zone transfer (AXFR). :gl:`#4389`
|
||||
:gl:`!9094`
|
||||
|
||||
- Print the full path of the working directory in startup log messages.
|
||||
``cf53eac46e9``
|
||||
|
||||
named now prints its initial working directory during startup and the
|
||||
changed working directory when loading or reloading its configuration
|
||||
file if it has a valid 'directory' option defined. :gl:`#4731`
|
||||
:gl:`!9362`
|
||||
|
||||
- Support restricted key tag range when generating new keys.
|
||||
``d40b722d462``
|
||||
|
||||
It is useful when multiple signers are being used to sign a zone to
|
||||
able to specify a restricted range of range of key tags that will be
|
||||
used by an operator to sign the zone. This adds controls to named
|
||||
(dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr
|
||||
(dnssec-policy) to specify such ranges. :gl:`#4830` :gl:`!9258`
|
||||
|
||||
Removed Features
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
- Remove the 'dialup' and 'heartbeat-interval' options. ``a133a33b650``
|
||||
|
||||
The `dialup` and `heartbeat-interval` options have been removed, along
|
||||
with all code implementing them. Using these options is now a fatal
|
||||
error. :gl:`#4237` :gl:`!8160`
|
||||
|
||||
- Remove outdated perllib integration. ``f73a19bb3e9``
|
||||
|
||||
The code in conftools/ directory hasn't been touched since 2000.
|
||||
Nobody knows what it does and nobody even knows how to build it or
|
||||
test it. Just remove the whole directory. :gl:`!9302`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- Use deterministic ecdsa for openssl >= 3.2. ``069c6c22654``
|
||||
|
||||
OpenSSL has added support for deterministic ECDSA (RFC 6979) with
|
||||
version 3.2.
|
||||
|
||||
Use it by default as it removes arguably its most fragile side of
|
||||
ECDSA. The derandomization doesn't pose a risk for DNS usecases and is
|
||||
allowed by FIPS 186-5. :gl:`#299` :gl:`!9128`
|
||||
|
||||
- Exempt prefetches from the fetches-per-zone and fetches-per-server
|
||||
quotas. ``4cd73e2536c``
|
||||
|
||||
Fetches generated automatically as a result of 'prefetch' are now
|
||||
exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas.
|
||||
This should help in maintaining the cache from which query responses
|
||||
can be given. :gl:`#4219` :gl:`!9095`
|
||||
|
||||
- Restore the ability to select individual unit tests. ``2299aba5c20``
|
||||
|
||||
This add the command line arguments: `-d` (debug), `-l` (list tests)
|
||||
and `-t test` (run this test) to the unit tests. :gl:`#4579`
|
||||
:gl:`!9384`
|
||||
|
||||
- Process also the ISC_R_CANCELED result code in rpz_rewrite()
|
||||
``d0d6ad0c52e``
|
||||
|
||||
Log canceled resolver queries (e.g. when shutting down a hung fetch)
|
||||
in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized"
|
||||
result codes. :gl:`#4797` :gl:`!9148`
|
||||
|
||||
- Use single logging context for everything. ``aa408051d6c``
|
||||
|
||||
Instead of juggling different logging context, use one single logging
|
||||
context that gets initialized in the libisc constructor and destroyed
|
||||
in the libisc destructor. :gl:`#4848` :gl:`!9301`
|
||||
|
||||
- Remove code to read and parse /proc/net/if_inet6 on Linux.
|
||||
``8071384324b``
|
||||
|
||||
The getifaddr() works fine for years, so we don't have to keep the
|
||||
callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9315`
|
||||
|
||||
- Use seteuid()/setegid() instead of setreseuid()/setresgid()
|
||||
``558ec133ea1``
|
||||
|
||||
It looks like that all supported systems now have support for
|
||||
_POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
|
||||
those will not change saved used/group IDs. :gl:`#4862` :gl:`!9363`
|
||||
|
||||
- Follow the number of CPU set by taskset/cpuset. ``9afcdc2b184``
|
||||
|
||||
Administrators may wish to constrain the set of cores that BIND 9 runs
|
||||
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
|
||||
other O/S).
|
||||
|
||||
If the admin has used taskset, the `named` will now follow to
|
||||
automatically use the given number of CPUs rather than the system wide
|
||||
count. :gl:`#4884` :gl:`!9398`
|
||||
|
||||
- Double the number of threadpool threads. ``cfdded46676``
|
||||
|
||||
Introduce this temporary workaround to reduce the impact of long-
|
||||
running tasks in offload threads which can block the resolution of
|
||||
queries. :gl:`#4898`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Delay release of root privileges until after configuring controls.
|
||||
``8a09d54d6be``
|
||||
|
||||
Delay relinquishing root privileges until the control channel has been
|
||||
configured, for the benefit of systems that require root to use
|
||||
privileged port numbers. This mostly affects systems without fine-
|
||||
grained privilege systems (i.e., other than Linux). :gl:`#4793`
|
||||
:gl:`!9123`
|
||||
|
||||
- Fix the assertion failure in the isc_hashmap iterator. ``c31cd677882``
|
||||
|
||||
When the round robin hashing reorders the map entries on deletion, we
|
||||
were adjusting the iterator table size only when the reordering was
|
||||
happening at the internal table boundary. The iterator table size had
|
||||
to be reduced by one to prevent seeing the entry that resized on
|
||||
position [0] twice because it migrated to [iter->size - 1] position.
|
||||
|
||||
However, the same thing could happen when the same entry migrates a
|
||||
second time from [iter->size - 1] to [iter->size - 2] position (and so
|
||||
on) because the check that we are manipulating the entry just in the
|
||||
[0] position was insufficient. Instead of checking the position [pos
|
||||
== 0], we now check that the [pos % iter->size == 0], thus ignoring
|
||||
all the entries that might have moved back to the end of the internal
|
||||
table. :gl:`#4838` :gl:`!9292`
|
||||
|
||||
- Add -Wno-psabi to CFLAGS for x86 (32-bit) builds. ``75021765f8d``
|
||||
|
||||
GCC 11.1+ emits a note during compilation when there are 64-bit atomic
|
||||
fields in a structure, because it fixed a compiler bug by changing the
|
||||
alignment of such fields, which caused ABI change.
|
||||
|
||||
Add -Wno-psabi to CFLAGS for such builds in order to silence the
|
||||
warning. That shouldn't be a problem since we don't expose our
|
||||
structures to the outside. :gl:`#4841` :gl:`!9319`
|
||||
|
||||
- Check if logconfig is NULL before using it in isc_log_doit()
|
||||
``ebd669a8303``
|
||||
|
||||
Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
|
||||
because it's possible that isc_log_destroy() was already called, e.g.
|
||||
when a 'call_rcu' function wants to log a message during shutdown.
|
||||
:gl:`#4842` :gl:`!9297`
|
||||
|
||||
- Change the NS_PER_SEC (and friends) from enum to static const.
|
||||
``2d12e1142ae``
|
||||
|
||||
New version of clang (19) has introduced a stricter checks when mixing
|
||||
integer (and float types) with enums. In this case, we used enum {}
|
||||
as C17 doesn't have constexpr yet. Change the time conversion
|
||||
constants to be static const unsigned int instead of enum values.
|
||||
:gl:`#4845` :gl:`!9313`
|
||||
|
||||
- Check the result of dirfd() before calling unlinkat() ``661981be7b0``
|
||||
|
||||
Instead of directly using the result of dirfd() in the unlinkat()
|
||||
call, check whether the returned file descriptor is actually valid.
|
||||
That doesn't really change the logic as the unlinkat() would fail with
|
||||
invalid descriptor anyway, but this is cleaner and will report the
|
||||
right error returned directly by dirfd() instead of EBADF from
|
||||
unlinkat(). :gl:`#4853` :gl:`!9316`
|
||||
|
||||
- Fix rare assertion failure when shutting down incoming transfer.
|
||||
``14d2040934e``
|
||||
|
||||
A very rare assertion failure can be triggered when the incoming
|
||||
transfer is either forcefully shut down or it is finished during
|
||||
printing the details about the statistics channel. This has been
|
||||
fixed. :gl:`#4860` :gl:`!9336`
|
||||
|
||||
- Fix the resesuid() shim implementation for NetBSD. ``5bfed08b253``
|
||||
|
||||
The shim implementation of setresuid() was wrong - there was a copy
|
||||
and paste error and it was calling setresgid() instead. This only
|
||||
affects NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
|
||||
setresgid() implementation available from the system library.
|
||||
:gl:`#4862` :gl:`!9359`
|
||||
|
||||
- Fix algoritm rollover bug when there are two keys with the same
|
||||
keytag. ``8dbd57116bf``
|
||||
|
||||
If there is an algorithm rollover and two keys of different algorithm
|
||||
share the same keytags, then there is a possibility that if we check
|
||||
that a key matches a specific state, we are checking against the wrong
|
||||
key. This has been fixed by not only checking for matching key tag but
|
||||
also key algorithm. :gl:`#4878` :gl:`!9381`
|
||||
|
||||
- Stop using malloc_usable_size and malloc_size. ``f99da39934d``
|
||||
|
||||
The `malloc_usable_size()` can return size larger than originally
|
||||
allocated and when these sizes disagree the fortifier enabled by
|
||||
`_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution
|
||||
abruptly. Stop using these convenience functions as they are primary
|
||||
used for introspection-only. :gl:`#4880` :gl:`!9400`
|
||||
|
||||
- Preserve statement tag order in documentation. ``0b9ce9c05b1``
|
||||
|
||||
This supports bit-for-bit reproducibility of built documentation.
|
||||
:gl:`#4886` :gl:`!9399`
|
||||
|
||||
- Fix an assertion failure in validate_dnskey_dsset_done()
|
||||
``31245213a09``
|
||||
|
||||
Under rare circumstances, named could terminate unexpectedly when
|
||||
validating a DNSKEY resource record if the validation was canceled in
|
||||
the meantime. This has been fixed. :gl:`#4911`
|
||||
|
||||
- Silence all warnings that stem from the default config.
|
||||
``f4e0d0e460b``
|
||||
|
||||
As we now setup the logging very early, parsing the default config
|
||||
would always print warnings about experimental (and possibly
|
||||
deprecated) options in the default config. This would even mess with
|
||||
commands like `named -V` and it is also wrong to warn users about
|
||||
using experimental options in the default config, because they can't
|
||||
do anything about this. Add CFG_PCTX_NODEPRECATED and
|
||||
CFG_PCTX_NOEXPERIMENTAL options that we can pass to cfg parser and
|
||||
silence the early warnings caused by using experimental options in the
|
||||
default config. :gl:`!9304`
|
||||
|
||||
|
||||
BIND 9.21.0
|
||||
-----------
|
||||
|
||||
|
||||
Reference in New Issue
Block a user