Generate changelog

doc/arm/changelog.rst

@@ -18,6 +18,256 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+(-dev)
+------
+
+New Features
+~~~~~~~~~~~~
+
+- Support for Offline KSK implemented. ``bfa206beecc``
+
+  Add a new configuration option `offline-ksk` to enable Offline KSK key
+  management. Signed Key Response (SKR) files created with `dnssec-ksr`
+  (or other program) can now be imported into `named` with the new `rndc
+  skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY
+  records and generating signatures covering these types, these records
+  are loaded from the currently active bundle from the imported SKR.
+
+  The implementation is loosely based on:
+  https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-
+  keymgmt-01.txt :gl:`#1128` :gl:`!9119`
+
+- Implement the 'request-ixfr-max-diffs' configuration option.
+  ``99b18bab7e1``
+
+  The new 'request-ixfr-max-diffs' configuration option sets the maximum
+  number of incoming incremental zone transfer (IXFR) differences,
+  exceeding which triggers a full zone transfer (AXFR). :gl:`#4389`
+  :gl:`!9094`
+
+- Print the full path of the working directory in startup log messages.
+  ``cf53eac46e9``
+
+  named now prints its initial working directory during startup and the
+  changed working directory when loading or reloading its configuration
+  file if it has a valid 'directory' option defined. :gl:`#4731`
+  :gl:`!9362`
+
+- Support restricted key tag range when generating new keys.
+  ``d40b722d462``
+
+  It is useful when multiple signers are being used to sign a zone to
+  able to specify a restricted range of range of key tags that will be
+  used by an operator to sign the zone.  This adds controls to named
+  (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr
+  (dnssec-policy) to specify such ranges. :gl:`#4830` :gl:`!9258`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Remove the 'dialup' and 'heartbeat-interval' options. ``a133a33b650``
+
+  The `dialup` and `heartbeat-interval` options have been removed, along
+  with all code implementing them. Using these options is now a fatal
+  error. :gl:`#4237` :gl:`!8160`
+
+- Remove outdated perllib integration. ``f73a19bb3e9``
+
+  The code in conftools/ directory hasn't been touched since 2000.
+  Nobody knows what it does and nobody even knows how to build it or
+  test it.  Just remove the whole directory. :gl:`!9302`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Use deterministic ecdsa for openssl >= 3.2. ``069c6c22654``
+
+  OpenSSL has added support for deterministic ECDSA (RFC 6979) with
+  version 3.2.
+
+  Use it by default as it removes arguably its most fragile side of
+  ECDSA. The derandomization doesn't pose a risk for DNS usecases and is
+  allowed by FIPS 186-5. :gl:`#299` :gl:`!9128`
+
+- Exempt prefetches from the fetches-per-zone and fetches-per-server
+  quotas. ``4cd73e2536c``
+
+  Fetches generated automatically as a result of 'prefetch' are now
+  exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas.
+  This should help in maintaining the cache from which query responses
+  can be given. :gl:`#4219` :gl:`!9095`
+
+- Restore the ability to select individual unit tests. ``2299aba5c20``
+
+  This add the command line arguments: `-d` (debug), `-l` (list tests)
+  and `-t test` (run this test) to the unit tests. :gl:`#4579`
+  :gl:`!9384`
+
+- Process also the ISC_R_CANCELED result code in rpz_rewrite()
+  ``d0d6ad0c52e``
+
+  Log canceled resolver queries (e.g. when shutting down a hung fetch)
+  in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized"
+  result codes. :gl:`#4797` :gl:`!9148`
+
+- Use single logging context for everything. ``aa408051d6c``
+
+  Instead of juggling different logging context, use one single logging
+  context that gets initialized in the libisc constructor and destroyed
+  in the libisc destructor. :gl:`#4848` :gl:`!9301`
+
+- Remove code to read and parse /proc/net/if_inet6 on Linux.
+  ``8071384324b``
+
+  The getifaddr() works fine for years, so we don't have to keep the
+  callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9315`
+
+- Use seteuid()/setegid() instead of setreseuid()/setresgid()
+  ``558ec133ea1``
+
+  It looks like that all supported systems now have support for
+  _POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
+  those will not change saved used/group IDs. :gl:`#4862` :gl:`!9363`
+
+- Follow the number of CPU set by taskset/cpuset. ``9afcdc2b184``
+
+  Administrators may wish to constrain the set of cores that BIND 9 runs
+  on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
+  other O/S).
+
+  If the admin has used taskset, the `named` will now follow to
+  automatically use the given number of CPUs rather than the system wide
+  count. :gl:`#4884` :gl:`!9398`
+
+- Double the number of threadpool threads. ``cfdded46676``
+
+  Introduce this temporary workaround to reduce the impact of long-
+  running tasks in offload threads which can block the resolution of
+  queries. :gl:`#4898`
+
+Bug Fixes
+~~~~~~~~~
+
+- Delay release of root privileges until after configuring controls.
+  ``8a09d54d6be``
+
+  Delay relinquishing root privileges until the control channel has been
+  configured, for the benefit of systems that require root to use
+  privileged port numbers.  This mostly affects systems without fine-
+  grained privilege systems (i.e., other than Linux). :gl:`#4793`
+  :gl:`!9123`
+
+- Fix the assertion failure in the isc_hashmap iterator. ``c31cd677882``
+
+  When the round robin hashing reorders the map entries on deletion, we
+  were adjusting the iterator table size only when the reordering was
+  happening at the internal table boundary.  The iterator table size had
+  to be reduced by one to prevent seeing the entry that resized on
+  position [0] twice because it migrated to [iter->size - 1] position.
+
+  However, the same thing could happen when the same entry migrates a
+  second time from [iter->size - 1] to [iter->size - 2] position (and so
+  on) because the check that we are manipulating the entry just in the
+  [0] position was insufficient.  Instead of checking the position [pos
+  == 0], we now check that the [pos % iter->size == 0], thus ignoring
+  all the entries that might have moved back to the end of the internal
+  table. :gl:`#4838` :gl:`!9292`
+
+- Add -Wno-psabi to CFLAGS for x86 (32-bit) builds. ``75021765f8d``
+
+  GCC 11.1+ emits a note during compilation when there are 64-bit atomic
+  fields in a structure, because it fixed a compiler bug by changing the
+  alignment of such fields, which caused ABI change.
+
+  Add -Wno-psabi to CFLAGS for such builds in order to silence the
+  warning. That shouldn't be a problem since we don't expose our
+  structures to the outside. :gl:`#4841` :gl:`!9319`
+
+- Check if logconfig is NULL before using it in isc_log_doit()
+  ``ebd669a8303``
+
+  Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
+  because it's possible that isc_log_destroy() was already called, e.g.
+  when a 'call_rcu' function wants to log a message during shutdown.
+  :gl:`#4842` :gl:`!9297`
+
+- Change the NS_PER_SEC (and friends) from enum to static const.
+  ``2d12e1142ae``
+
+  New version of clang (19) has introduced a stricter checks when mixing
+  integer (and float types) with enums.  In this case, we used enum {}
+  as C17 doesn't have constexpr yet.  Change the time conversion
+  constants to be static const unsigned int instead of enum values.
+  :gl:`#4845` :gl:`!9313`
+
+- Check the result of dirfd() before calling unlinkat() ``661981be7b0``
+
+  Instead of directly using the result of dirfd() in the unlinkat()
+  call, check whether the returned file descriptor is actually valid.
+  That doesn't really change the logic as the unlinkat() would fail with
+  invalid descriptor anyway, but this is cleaner and will report the
+  right error returned directly by dirfd() instead of EBADF from
+  unlinkat(). :gl:`#4853` :gl:`!9316`
+
+- Fix rare assertion failure when shutting down incoming transfer.
+  ``14d2040934e``
+
+  A very rare assertion failure can be triggered when the incoming
+  transfer is either forcefully shut down or it is finished during
+  printing the details about the statistics channel.  This has been
+  fixed. :gl:`#4860` :gl:`!9336`
+
+- Fix the resesuid() shim implementation for NetBSD. ``5bfed08b253``
+
+  The shim implementation of setresuid() was wrong - there was a copy
+  and paste error and it was calling setresgid() instead.  This only
+  affects NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
+  setresgid() implementation available from the system library.
+  :gl:`#4862` :gl:`!9359`
+
+- Fix algoritm rollover bug when there are two keys with the same
+  keytag. ``8dbd57116bf``
+
+  If there is an algorithm rollover and two keys of different algorithm
+  share the same keytags, then there is a possibility that if we check
+  that a key matches a specific state, we are checking against the wrong
+  key. This has been fixed by not only checking for matching key tag but
+  also key algorithm. :gl:`#4878` :gl:`!9381`
+
+- Stop using malloc_usable_size and malloc_size. ``f99da39934d``
+
+  The `malloc_usable_size()` can return size larger than originally
+  allocated and when these sizes disagree the fortifier enabled by
+  `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution
+  abruptly.  Stop using these convenience functions as they are primary
+  used for introspection-only. :gl:`#4880` :gl:`!9400`
+
+- Preserve statement tag order in documentation. ``0b9ce9c05b1``
+
+  This supports bit-for-bit reproducibility of built documentation.
+  :gl:`#4886` :gl:`!9399`
+
+- Fix an assertion failure in validate_dnskey_dsset_done()
+  ``31245213a09``
+
+  Under rare circumstances, named could terminate unexpectedly when
+  validating a DNSKEY resource record if the validation was canceled in
+  the meantime. This has been fixed. :gl:`#4911`
+
+- Silence all warnings that stem from the default config.
+  ``f4e0d0e460b``
+
+  As we now setup the logging very early, parsing the default config
+  would always print warnings about experimental (and possibly
+  deprecated) options in the default config.  This would even mess with
+  commands like `named -V` and it is also wrong to warn users about
+  using experimental options in the default config, because they can't
+  do anything about this.  Add CFG_PCTX_NODEPRECATED and
+  CFG_PCTX_NOEXPERIMENTAL options that we can pass to cfg parser and
+  silence the early warnings caused by using experimental options in the
+  default config. :gl:`!9304`
+
+
 BIND 9.21.0
 -----------