--- /dev/null
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.21.7
+-----------
+
+New Features
+~~~~~~~~~~~~
+
+- Add support for EDE 20 (Not Authoritative) ``45ee3715e1``
+
+ Support was added for EDE codes 20 (Not Authoritative) when client
+ requests recursion (RD) but the server has recursion disabled.
+
+ RFC 8914 mention EDE 20 should also be returned if the client doesn't
+ have the RD bit set (and recursion is needed) but it doesn't apply for
+ BIND as BIND would try to resolve from the "deepest" referral in
+ AUTHORITY section. For example, if the client asks for "www.isc.org/A"
+ but the server only knows the root domain, it will return NOERROR but
+ no answer for "www.isc.og/A", just the list of other servers to ask.
+ :gl:`#1836` :gl:`!10228`
+
+- Add support for EDE 7 and EDE 8. ``e66dc07c68``
+
+ Support was added for EDE codes 7 (Signature Expired) and 8 (Signature
+ Not Yet Valid) which might occur during DNSSEC validation. :gl:`#2715`
+ :gl:`!10225`
+
+- Add support for EDNS ZONEVERSION option. ``908840157e``
+
+ `dig` and `named` can now make requests with an EDNS `ZONEVERSION`
+ option present.
+
+ Two new `named.conf` options have been added: `request-zoneversion`
+ and `provide-zoneversion`. `request-zoneversion` is `off` by default.
+ `provide-zoneversion` is `on` by default. :gl:`#4767` :gl:`!9103`
+
+- Dig can now display the received BADVERS message during negotiation.
+ ``3397212df3``
+
+ Dig +showbadvers now displays the received BADVERS message and
+ continues the EDNS version negotiation. Previously to see the BADVERS
+ message +noednsneg had to be specified which terminated the EDNS
+ negotiation. Additionally the specified EDNS value (+edns=value) is
+ now used when making all the initial queries with +trace. i.e EDNS
+ version negotiation will be performed with each server when performing
+ the trace. :gl:`#5234` :gl:`!10234`
+
+- Add an rndc command to reset some statistics counters. ``234b9d4922``
+
+ The new ``reset-stats`` command for ``rndc`` allows some statistics
+ counters to be reset during runtime. At the moment only two
+ "high-water" counters are supported, so the ability to reset them
+ after the initial peaks during the server's "warm-up" phase may be
+ useful for some operators. :gl:`#5251` :gl:`!10318`
+
+- Implement -T cookiealwaysvalid. ``ae2fd7ef15``
+
+ When `-T cookiealwaysvalid` is passed to `named`, DNS cookie checks
+ for the incoming queries always pass, given they are structurally
+ correct. :gl:`!10232`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Cleanup dead code: CID 548247. ``6bbdb1980e``
+
+ Clean up dead code following merge of !10302. :gl:`#5262` :gl:`!10346`
+
+- Cleanup BIND 8 compatibility code. ``575a2e5f11``
+
+ There was some code in dns_resolver unit meant to keep compatibility
+ with BIND 8 breaking the DNS protocol. These should not be needed
+ anymore. :gl:`!10270`
+
+- Drop readline alternatives in favor of libedit. ``cbffddcdb9``
+
+ Libedit is now ubiquitous and has a license compatible with MPL 2.0.
+ We are now dropping readline (GPL 3.0) and editline (obsolete) support
+ in favor of libedit. :gl:`!10202`
+
+- Implement the systemd notification protocol manually to remove
+ dependency on libsystemd. ``deb18174cd``
+
+ :gl:`!10263`
+
+- Remove dns_qpmulti_lockedread declaration. ``58dfbe3863``
+
+ This function was removed in 6217e434b57bd5d60ed69f792ae9a1a65a008f57
+ but not from the header file. :gl:`!10308`
+
+- Remove lock upgrading from the hot path in the QP cache.
+ ``e1af47b829``
+
+ In QPcache, there were two places that tried to upgrade the lock. In
+ `clean_stale_header()`, the code would try to upgrade the lock and
+ clean up the header, and in `qpzonode_release()`, the tree lock would
+ be optionally upgraded, so we can clean up the node directly if empty.
+ These optimizations are not needed and they have no effect on the
+ performance. :gl:`!10305`
+
+- Remove unnecessary options in dnssec-keygen and dnssec-keyfromlabel.
+ ``b0f8b443c9``
+
+ The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was
+ derived from it) had several options dating to the time when keys in
+ DNS were still experimental and not fully specified, and when
+ `dnssec-keygen` had the additional function of generating TSIG keys,
+ which are now generated by `tsig-keygen`. These options are no longer
+ necessary in the modern DNSSEC environment, and have been removed.
+
+ The removed options are: - `-t` (key type), which formerly set flags
+ to disable confidentiality or authentication support in a key; these
+ are no longer used. - `-n` (name type), which is now always set to
+ "ZONE" for DNSKEY and "HOST" for KEY. - `-p` (protocol), which is now
+ always set to 3 (DNSSEC); no other value has ever been defined. - `-s`
+ (signatory field), which was never fully defined. - `-d` (digest
+ bits), which is meaningful only for TSIG keys. :gl:`!10262`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When forwarding, query with CD=0 first. ``25c91dffcc``
+
+ Previously, when queries were forwarded to a remote resolver, the CD
+ (checking disabled) bit was used, which could lead to bogus data being
+ retrieved that might have been corrected if validation had been
+ permitted. The CD bit is now only used as a fallback if an initial
+ query without CD fails. :gl:`#5132`. :gl:`!10024`
+
+- Remove zero initialization of large buffers. ``b407f9caa8``
+
+ Profiles show that an high amount of CPU time spent in memset. By
+ removing zero initalization of certain large buffers we improve
+ performance in certain authoritative workloads. :gl:`#5159`
+ :gl:`!10058`
+
+- Carefully check if the server name used for SNI is a hostname.
+ ``b6e6430b54``
+
+ Previously the code would not check if the string intended to be used
+ for SNI is a hostname.
+
+ See also: !9923 :gl:`#5225` :gl:`!10254`
+
+- Improve the LRU cache-expiration mechanism. ``f70d8b4252``
+
+ Improve the LRU cache-expiration mechanism to a SIEVE-LRU based
+ mechanism that triggers when the cache is close to the
+ `max-cache-size` limit. This improves the recursive server
+ performance. :gl:`!10153`
+
+- Switch symtab to use fxhash hashing. ``d3db9ccf53``
+
+ This merge request resolves some performance regressions introduced
+ with the change from isc_symtab_t to isc_hashmap_t.
+
+ The key improvements are:
+
+ 1. Using a faster hash function than both isc_hashmap_t and
+ isc_symtab_t. The previous implementation used SipHash, but the
+ hashflood resistance properties of SipHash are unneeded for config
+ parsing. 2. Shrinking the initial size of the isc_hashmap_t used
+ inside isc_symtab_t. Symtab is mainly used for config parsing, and
+ the when used that way it will have between 1 and 50 keys, but the
+ previous implementation initialized a map with 128 slots. By
+ initializing a smaller map, we speed up mallocs and optimize for
+ the typical case of few config keys. 3. Slight optimization of the
+ string matching in the hashmap, so that the tail is handled in a
+ single load + comparison, instead of byte by byte. Of the three
+ improvements, this is the least important. :gl:`!10204`
+
+Bug Fixes
+~~~~~~~~~
+
+- QNAME minimization could leak the query type. ``42799ae81f``
+
+ When performing QNAME minimization, `named` now sends an NS query for
+ the original query name, before sending the final query. This prevents
+ the parent zone from learning the original query type, in the event
+ that the query name is a delegation point.
+
+ For example, when looking up an address record for `example.com`, NS
+ queries are now sent to the servers for both `com` and `example.com`,
+ before the address query is sent to the servers for `example.com`.
+ Previously, an address query would have been sent to the servers for
+ `com`. :gl:`#4805` :gl:`!9155`
+
+- Add missing locks when returning addresses. ``06427720f7``
+
+ Add missing locks in dns_zone_getxfrsource4 et al. Addresses CID
+ 468706, 468708, 468741, 468742, 468785, and 468778.
+
+ Cleanup dns_zone_setxfrsource4 et al to now return void.
+
+ Remove double copies with dns_zone_getprimaryaddr and
+ dns_zone_getsourceaddr. :gl:`#4933` :gl:`!9485`
+
+- Stop caching lack of EDNS support. ``ebf5c87a53``
+
+ `named` could falsely learn that a server doesn't support EDNS when a
+ spoofed response was received; that subsequently prevented DNSSEC
+ lookups from being made. This has been fixed. :gl:`#3949` :gl:`#5066`
+
+- Step() could ignore rollbacks. ``3b0b658a52``
+
+ The `step()` function (used for stepping to the prececessor or
+ successor of a database node) could overlook a node if there was an
+ rdataset that was marked IGNORE because it had been rolled back,
+ covering an active rdataset under it. :gl:`#5170` :gl:`!10103`
+
+- Fix resolver statistics counters for timed out responses.
+ ``d30b9eb46e``
+
+ When query responses timed out, the resolver could incorrectly
+ increase the regular responses counters, even if no response was
+ received. This has been fixed. :gl:`#5193` :gl:`!10227`
+
+- Nested DNS validation could cause assertion failure. ``bc8799ee17``
+
+ When multiple nested DNS validations were destroyed out of order, the
+ EDE context could be freed before all EDE codes were copied, which
+ could cause an assertion failure. This has been fixed. :gl:`#5213`
+ :gl:`!10365`
+
+- Ensure max-clients-per-query is at least clients-per-query.
+ ``6ac4cfb948``
+
+ If the `max-clients-per-query` option is set to a lower value than
+ `clients-per-query`, the value is adjusted to match
+ `clients-per-query`. :gl:`#5224` :gl:`!10241`
+
+- Fix CID 544147: Code maintainability issues (UNUSED_VALUE)
+ ``3973c2e8c3``
+
+ Assigning value "NULL" to "newstr", but that stored value is
+ overwritten before it can be used.
+
+ Setting "newstr" to NULL does not have any effect, so the line can
+ safely be removed. :gl:`#5227` :gl:`!10239`
+
+- Fix handling of revoked keys. ``025ef4d7b8``
+
+ When a key is revoked, its key ID changes due to the inclusion of the
+ "revoked" flag. A collision between this changed key ID and an
+ unrelated public-only key could cause a crash in `dnssec-signzone`.
+ :gl:`#5231` :gl:`!10233`
+
+- Fix adbname reference. ``49ecb158d4``
+
+ Call `dns_adbname_ref` before calling `dns_resolver_createfetch` to
+ ensure `adbname->name` remains stable for the life of the fetch.
+ :gl:`#5239` :gl:`!10290`
+
+- Fix write after free in validator code. ``329a332708``
+
+ Raw integer pointers were being used for the validator's nvalidations
+ and nfails values but the memory holding them could be freed before
+ they ceased to be used. Use reference counted counters instead.
+ :gl:`#5239` :gl:`!10248`
+
+- Don't enforce NOAUTH/NOCONF flags in DNSKEYs. ``d18787b134``
+
+ All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH`
+ (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type,
+ and are not applicable to DNSKEY. Previously, however, because the
+ DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag
+ prevented authentication in DNSKEYs as well. This has been corrected.
+ :gl:`#5240` :gl:`!10261`
+
+- Fix several small DNSSEC timing issues. ``d2214cb704``
+
+ The following small issues related to `dnssec-policy` have been fixed:
+ - In some cases the key manager inside BIND 9 could run every hour,
+ while it could have run less often. - While `CDS` and `CDNSKEY`
+ records will be removed correctly from the zone when the corresponding
+ `DS` record needs to be updated, the expected timing metadata when
+ this will happen was never set. - There were a couple of cases where
+ the safety intervals are added inappropriately, delaying key rollovers
+ longer than necessary. - If you have identical `keys` in your
+ `dnssec-policy`, they may be retired inappropriately. Note that having
+ keys with identical properties is discouraged in all cases.
+ :gl:`#5242` :gl:`!10251`
+
+- Copy __FILE__ when allocating memory. ``0d6839d832``
+
+ When allocating memory under -m trace|record, the __FILE__ pointer is
+ stored, so it can be printed out later in order to figure out in which
+ file an allocation leaked. (among others, like the line number).
+
+ However named crashes when called with -m record and using a plugin
+ leaking memory. The reason is that plugins are unloaded earlier than
+ when the leaked allocations are dumped (obviously, as it's done as
+ late as possible). In such circumstances, `__FILE__` is dangling
+ because the dynamically loaded library (the plugin) is not in memory
+ anymore.
+
+ Fix the crash by systematically copying the `__FILE__` string instead
+ of copying the pointer. Of course, this make each allocation to
+ consume a bit more memory (and longer, as it needs to calculate the
+ length of `__FILE__`) but this occurs only under -m trace|record
+ debugging flags. :gl:`!10320`
+
+- Fix a bug in the ns_query's get_key() function. ``75060cbd63``
+
+ After a refactoring in 2e6107008dae09d32e3d34fb5423b3d78c4ff651 the
+ dst_key_free() call is invalid and can cause an assertion. Remove the
+ dst_key_free() call. :gl:`!10311`
+
+- Fix invalid cache-line padding for qpcache buckets. ``7861042a27``
+
+ The isc_queue_t was missing in the calculation of the required padding
+ size inside the qpcache bucket structure. :gl:`!10306`
+
+- Optimize key ID check when searching for matching keys. ``3415392d01``
+
+ When searching through a DNSKEY or KEY rrset for the key matching a
+ particular algorithm and ID, it's a waste of time to convert every key
+ into a `dst_key` object; it's faster to compute the key ID from the
+ rdata, then do the full key conversion after determining that we've
+ found the right key. This optimization was already used in the
+ validator, but it's been refactored for code clarity, and is now also
+ used in query.c and message.c. :gl:`!10258`
+
+- Refactor to use list-like macro for message sections. ``1d14612bb9``
+
+ In the code base it is very common to iterate over all names in a
+ message section and all rdatasets for each name, but various idioms
+ are used for iteration.
+
+ This commit standardizes them as much as possible to a single idiom,
+ through the macro `MSG_SECTION_FOREACH`, similar to the existing
+ `ISC_LIST_FOREACH`. :gl:`!10302`
+
+- Switch to ISC_LIST_FOREACH everywhere. ``04cf3ba91f``
+
+ The pattern `for (x = ISC_LIST_HEAD(...); x != NULL;
+ ISC_LIST_NEXT(...)` has been changed to `ISC_LIST_FOREACH` throughout
+ BIND, except in a few cases where the change would be excessively
+ complex. In most cases this was a straightforward change. In some
+ places, however, the list element variable was referenced after the
+ loop ended. Where possible, code has now been refactored to avoid this
+ necessity. `ISC_LIST_FOREACH` has also been modified to use
+ `typeof(list.head)` to declare list elements automatically. When the
+ list object to be iterated is declared with a `const` qualifier, the
+ qualifier is passed along to the element declaration, causing a
+ compilation failure. To avoid this problem, some `const` qualifiers
+ have been removed; where that was not possible, `UNCONST` was used.
+ :gl:`!10310`
+
+
projects / thirdparty / bind9.git / commitdiff
