changelog and secpoll for auth-4.5.0-alpha1

diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 10585b48f76c5f1a053131d0f114225eb1ac78ed..df7c6d79bd3782ad8e73eab09bf1ae212aa9ac03 100644 (file)
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -293,6 +293,7 @@ createslavedomain
 Cremers
 criteo
 cron
+crowley
 crv
 cryptokey
 Cryptoki
@@ -1156,6 +1157,7 @@ nx
 nxd
 NXDATA
 nxdomain
+nzlosh
 oarc
 oauth
 Obermayer
@@ -1462,11 +1464,13 @@ rsync
 ru
 Rueckert
 rulesets
+runtimedir
 Ruthensteiner
 rv
 Rvd
 rw
 rwlock
+rytis
 Sakaguchi
 saltsa
 sandboxing

diff --git a/docs/changelog/4.5.rst b/docs/changelog/4.5.rst
new file mode 100644 (file)
index 0000000..77ed8ed
--- /dev/null
+++ b/docs/changelog/4.5.rst
@@ -0,0 +1,253 @@
+Changelogs for 4.5.x
+====================
+
+.. changelog::
+  :version: 4.5.0-alpha1
+  :released: 15th of May 2021
+
+  This is version 4.5.0-alpha1 of the Authoritative Server.
+  This release contains a ton of improvements and bug fixes compared to 4.4, but very few user visible changes.
+
+  Please make sure to read the :doc:`upgrade notes <../upgrading>` before upgrading.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10260
+
+    Lower max-nsec3-iterations to 100 (Kees Monshouwer)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10421
+
+    add an option to in/exclude disabled zones in the pdnsutil list-all-zone and list-keys output (Kees Monshouwer)
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 10399
+
+    Make sure we recheck failed SOA lookups for notifies (Kees Monshouwer)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 8999, 9788
+
+    Swagger/OpenAPI improvements (Kevin Fleming)
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9813
+
+    geoip: set netmask on all string formatting types
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9768
+
+    fix rounding inaccuracy in latency statistics (Kees Monshouwer)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9574
+
+    Ensure socket-dir matches runtimedir on old systemd
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9775
+
+    pdnsutil add-record: notice when backend does not support replaceRRSet
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9764, 9847, 9848, 9910
+
+    Various logging improvements (Kees Monshouwer, nzlosh)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9752, 9803, 10028, 10067, 10068, 10165
+
+    Various improvements to the Docker image (rytis, james-crowley)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9749, 9819, 9831, 9832, 9857, 9876, 9895, 9911, 9914, 9920, 9930, 9932, 9937, 9955, 9979, 10016, 10137, 10141, 10216, 10245, 10269, 10271, 10310, 10329, 10336, 10344
+
+    Build improvements (support for new compilers and boost versions, etc.), improved usage of some library constructs, and architecture specific fixes
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9913
+
+    Switch to C++17
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9885, 9888, 9933, 10013, 10099, 10107, 10186
+
+    LMDB improvements (better transaction safety; support for the ``disabled`` field; better upgrade handling; stale reader cleanup; other bug fixes) (Robin Geuze, Kees Monshouwer)
+
+  .. change::
+    :tags: Removed Features
+    :pullreq: 10259
+
+    gpgsql backend: drop refcursor support (it never worked anyway)
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9766, 9844, 9919, 10074
+
+    Fixed bugs in the implementations of the ``SVCB``, ``HTTPS``, ``IPSECKEY`` and ``APL`` types.
+
+  .. change::
+    :tags: New Features
+    :pullreq: 10078, 10172, 10121, 10256, 10234
+
+    New RRtypes supported: ``CSYNC``, ``NID``, ``L32``, ``L64``, and ``LP``
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10196
+
+    Implement priority levels in the AXFR queue (Robin Geuze)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9658, 9669, 10430
+
+    pdns.conf, pdnsutil, pdns_control: add modern aliases for words like master and slave. Add a setting to ignore unknown settings, to make mixed-version testing easier. (Chris Hofstaedtler, Kees Monshouwer)
+
+    While changing names, Kees Monshouwer also renamed 'domain' to 'zone' in a ton of places.
+
+  .. change::
+    :tags: Removed Features
+    :pullreq: 10251
+
+    remove local-ipv6, query-local-address6, after their deprecation in 4.4
+
+  .. change::
+    :tags: New Features
+    :pullreq: 10217
+
+    API HTTP cryptokeys: add cds array when configured to do so
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10236
+
+    When rectifying, do not update ordernames/auth when there is no need (Kees Monshouwer)
+
+  .. change::
+    :tags: New Features
+    :pullreq: 9995, 10060, 10149
+
+    sdig: DoT support; TCP Fast Opens support for TCP/DoT/DoH
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 10155
+
+    ALIAS: Ensure A and AAAA are in the NSEC bitmap
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10161
+
+    memory usage reporting: use RES instead of "data" size
+
+  .. change::
+    :tags: Removed Features
+    :pullreq: 10010
+
+    Check ``sizeof(time_t)`` to be at least 8. This makes it easier for us to handle times beyond the years 2038 and 2106 safely. This removes support for platforms where ``time_t`` is still only 32 bits wide.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 10081
+
+    pdnsutil load-zone: reject zones with broken rrs
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9826
+
+    pdnsutil edit-zone: do not exit on ZoneParser exception
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10087
+
+    pdnsutil: Warn on CNAME targets for NS, MX and SRV
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10264
+
+    Also disable PMTU for IPv6 (it was disabled for IPv4 already)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 8813
+
+    Make check-zone also check whether there are duplicate key value pair metadatas for the zone (RobinGeuze)
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 10007
+
+    fix tcp answer counters (Kees Monshouwer)
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 10037
+
+    run deleteDomain() inside a transaction (Kees Monshouwer)
+
+  .. change::
+    :tags: New Features
+    :pullreq: 9958
+
+    Serve NSEC3PARAM when asked without DO
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 8829
+
+    gsqlite3: handle escaping correctly for API search
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9872
+
+    fix direct-dnskey in AXFR-out (Kees Monshouwer)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9520
+
+    detect possible metadata cache pollution (Kees Monshouwer)
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 10364
+
+    auth: Don't choke on non-base64 values when importing zone keys
+
+  .. change::
+    :tags: New Features
+    :pullreq: 9464, 10432
+
+    Add a cache of all domains, avoiding backend lookups for domains that do not exist, and for non-existing subdomains. (Chris Hofstaedtler)
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 10401
+
+    change the consistent-backends default to 'yes'
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 10392
+
+    gpgsql: use SELECT .. RETURNING to get inserted row ID

diff --git a/docs/changelog/index.rst b/docs/changelog/index.rst
index 91280d4cf7b0e3426544f3670688471225f281de..73a6df2b80784055047d4b3b225370ee72ded903 100644 (file)
--- a/docs/changelog/index.rst
+++ b/docs/changelog/index.rst
@@ -6,6 +6,7 @@ The changelogs for the PowerDNS Authoritative Server are split between release t
 .. toctree::
     :maxdepth: 2
 
+    4.5
     4.4
     4.3
     4.2

diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index abaf61a32c5dcfa0861cadf4b188269ef2171720..b7bfcc0f14a7116a4a4f09dd01eb6d1c82af72f1 100644 (file)
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021051102 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021052600 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -78,6 +78,7 @@ auth-4.4.0-beta1.security-status                        60 IN TXT "2 Unsupported
 auth-4.4.0-rc1.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
 auth-4.4.0.security-status                              60 IN TXT "1 OK"
 auth-4.4.1.security-status                              60 IN TXT "1 OK"
+auth-4.5.0-alpha1.security-status                       60 IN TXT "1 OK"
 
 ; Auth Debian
 auth-3.4.1-2.debian.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"

diff --git a/docs/upgrading.rst b/docs/upgrading.rst
index 8e433279e50aebb7d1fb6ae71773d0a25c3a914c..c4992392e4fe205db48061fc64c65df5bed5e477 100644 (file)
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -16,7 +16,10 @@ Record type changes
 
 The in-database format of ``CSYNC``, ``IPSECKEY``, ``NID``, ``L32``, ``L64``, and ``LP`` records has changed from 'generic' format to its specialized format.
 
-API users might notice that replacing records of these types leaves the old TYPExx records around, even if PowerDNS is not serving them.
+Generation of the in-database format of ``SVCB`` and ``HTTPS`` received some important bug fixes.
+(For these two types, you can skip the :ref:`setting-upgrade-unknown-types` setting mentioned below, but we still recommend the re-transfer.)
+
+API users might notice that replacing records of the newly supported types leaves the old TYPExx records around, even if PowerDNS is not serving them.
 To fix this, enable :ref:`setting-upgrade-unknown-types` and replace the records; this will then delete those TYPExx records.
 Then, disable the setting again, because it has a serious performance impact on API operations.