From: Nicki Křížek Date: Thu, 8 Jan 2026 13:21:55 +0000 (+0100) Subject: Tweak and reword release notes X-Git-Tag: v9.21.17~1^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=320ec03c0df5d4e0e1d4e4975ddee68f8946a56d;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-9.21.17.rst b/doc/notes/notes-9.21.17.rst index 27f1dbd8e2e..430b0f7ab71 100644 --- a/doc/notes/notes-9.21.17.rst +++ b/doc/notes/notes-9.21.17.rst @@ -15,11 +15,11 @@ Notes for BIND 9.21.17 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT - records. +- Fix incorrect length checks for BRID and HHIT records. + :cve:`2025-13878` - Malformed BRID and HHIT records could trigger an assertion failure. - This has been fixed. + Malformed BRID and HHIT records could trigger an assertion + failure. This has been fixed. ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing this vulnerability to our attention. :gl:`#5616` @@ -27,100 +27,92 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Add support for Extended DNS Error 9 (Missing DNSKEY) +- Add support for Extended DNS Error 9 (Missing DNSKEY). - Extended DNS Error 9 (Missing DNSKEY) is now sent when a validating - resolver attempts to validate a response but can't get the DNSKEY from - the authoritative server of the zone, while the DS record is present - in the parent zone. :gl:`#2715` + If the DS record is present in the parent zone and a validating + resolver attempts to validate a response, but is unable to get the + DNSKEY from the authoritative server of the zone, Extended DNS + Error 9 (Missing DNSKEY) is now sent. :gl:`#2715` -- Add Extended DNS Error 13 (Cached Error) support. +- Add support for Extended DNS Error 13 (Cached Error). Extended DNS Error 13 (Cached Error) is now returned when the server answers a message from a cached SERVFAIL. - See RFC 8914 section 4.14. :gl:`#1836` + See :rfc:`8914` section 4.14. :gl:`#1836` - Add support for Generalized DNS Notifications. - A new configuration option, ``notify-cfg CDS``, is added to enable - Generalized DNS Notifications for CDS and/or CDNSKEY RRset changes, as - specified in RFC 9859. :gl:`#5611` + A new configuration option, :any:`notify-cfg CDS `, is + added to enable Generalized DNS Notifications for CDS and/or + CDNSKEY RRset changes, as specified in :rfc:`9859`. :gl:`#5611` Feature Changes ~~~~~~~~~~~~~~~ -- Add more information to the rndc recursing output about fetches. +- Add more information to the :option:`rndc recursing` output about + fetches. - This adds more information about the active fetches for debugging and - diagnostic purposes. + This adds more information about active fetches, for debugging and + diagnostic purposes. :gl:`!11305` - Enforce bounds of multiple configuration options. - The configuration options `edns-version`, `edns-udp-size`, - `max-udp-size`, `no-cookie-udp-size` and `padding` now enforce - boundaries. The configuration (including when using `named-checkconf`) - now fails if those options are set out of range. + The configuration options :any:`edns-version`, :any:`edns-udp-size`, + :any:`max-udp-size`, :any:`nocookie-udp-size`, and :any:`padding` now + enforce boundaries. The configuration (including when using + :iscman:`named-checkconf`) now fails if those options are set out of + range. :gl:`!11248` Bug Fixes ~~~~~~~~~ -- Resolve "Inbound IXFR performance regression between 9.18.31 and - 9.20.9" +- Fix inbound IXFR performance regression. - This MR adds add some specialized logic to handle IXFR in qpzone, - avoiding the need to have one qp transaction per rdataset. + Very large inbound IXFR transfers were much slower than those in BIND + 9.18. The performance was improved by adding specialized logic to + handle IXFR transfers. :gl:`#5442` - We do this in multiple steps: - We extend dns_rdatacallbacks_t vtable - to allow subtraction and resigning. - We add a new set of api - (begin|commit|abort)update to the dbmethods vtable. These API model an - incremental update that can be aborted, and make diff apply use these - functions instead of adding the rdatasets directly to the database. - - We add a specialization of dns_rdatacallbacks_t to qpzone that uses a - single qp transaction for the entire IXFR. +- Make DNSSEC key rollovers more robust. - With this batch API, we see performance improvements over adding one - rdataset at a time. :gl:`#5442` - -- Make key rollovers more robust. - - A manual rollover when the zone is in an invalid DNSSEC state causes + A manual rollover when the zone was in an invalid DNSSEC state caused predecessor keys to be removed too quickly. Additional safeguards to - prevent this have been added. DNSSEC records will not be removed from - the zone until the underlying state machine has moved back into a - valid DNSSEC state. :gl:`#5458` + prevent this have been added: DNSSEC records are not removed from the + zone until the underlying state machine has moved back into a valid + DNSSEC state. :gl:`#5458` -- Fix a catalog zones issue when a member zone could fail to load. +- Fix a catalog zone issue, where member zones could fail to load. - A catalog zone's member zone could fail to load in some rare cases, - when the internally generated zone configuration string was exceeding - 512 bytes. That condition only was not enough for the issue to arise, - but it was a necessary condition. This could happen, for example, if - the catalog zone's default primary servers list contained a large - number of items. This has been fixed. :gl:`#5658` + A catalog zone member zone could fail to load in some rare cases, when + the internally generated zone configuration string exceeded 512 bytes. + That condition by itself was not enough for the issue to arise, but it + was necessary. This could happen if, for example, the catalog zone's + default primary servers list contained a large number of items. This + has been fixed. :gl:`#5658` -- Fix slow speed of NSEC3 optout large delegation zone signing. +- Fix slow speed when signing a large delegation zone with NSEC3 + opt-out. - BIND 9.20 takes much more time signing a large delegation zone with - NSEC3 optout compared to version 9.18. This has been restored. - :gl:`#5672` + BIND 9.20+ took much longer signing a large delegation zone with NSEC3 + opt-out compared to version 9.18. This has been fixed. :gl:`#5672` -- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid. +- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be + invalid. - A zone that is signed with NSEC3, opt-out enabled, and then - reconfigured to use NSEC, causes the zone to be published with missing - NSEC records. This has been fixed. :gl:`#5679` + A zone that was signed with NSEC3, had opt-out enabled, and was then + reconfigured to use NSEC, was published with missing NSEC records. + This has been fixed. :gl:`#5679` - Fix a possible catalog zone issue during reconfiguration. The :iscman:`named` process could terminate unexpectedly during reconfiguration when a catalog zone update was taking place at the - same time. This has been fixed. + same time. This has been fixed. :gl:`!11366` - Fix the charts in the statistics channel. The charts in the statistics channel could sometimes fail to render in - the browser, and were completely disabled for Mozilla-based browsers - for historical reasons. This has been fixed. + the browser and were completely disabled for Mozilla-based browsers, + for historical reasons. This has been fixed. :gl:`!11018`