Prepare release notes for BIND 9.21.10

diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 7b2b7883e3cd0c570947bcf23e291da8da25cc5f..00c8d5f8ed3eb3b6e5208773ce128f766663c4de 100644 (file)
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be
 found at
 https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
 
+.. include:: ../notes/notes-9.21.10.rst
 .. include:: ../notes/notes-9.21.9.rst
 .. include:: ../notes/notes-9.21.8.rst
 .. include:: ../notes/notes-9.21.7.rst

diff --git a/doc/notes/notes-9.21.10.rst b/doc/notes/notes-9.21.10.rst
new file mode 100644 (file)
index 0000000..063dfb0
--- /dev/null
+++ b/doc/notes/notes-9.21.10.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.21.10
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- [CVE-2025-40777] Fix a possible assertion failure when using the
+  'stale-answer-client-timeout 0' option.
+
+  In specific circumstances the :iscman:`named` resolver process could
+  terminate unexpectedly when stale answers were enabled and the
+  ``stale-answer-client-timeout 0`` configuration option was used. This
+  has been fixed. :gl:`#5372`
+
+New Features
+~~~~~~~~~~~~
+
+- "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys"
+
+  Added support for PRIVATEDNS and PRIVATEOID key usage. Added
+  PRIVATEOID test algorithms using the assigned OIDs for RSASHA256 and
+  RSASHA512.
+
+  Added code to support proposed DS digest types that encode the
+  PRIVATEDNS and PRIVATEOID identifiers at the start of the digest field
+  of the DS record. This code is disabled by default. :gl:`#3240`
+
+- Add "named-makejournal" tool.
+
+  The `named-makejournal` tool reads two zone files for the same domain,
+  compares them, and generates a journal file from the differences.
+  :gl:`#5164`
+
+- Add support to set and display the CO flag.
+
+  Add support to display the CO (Compact denial of existence Ok flag)
+  when displaying messages.
+
+  Add support to set the CO flag when making queries in dig (+coflag).
+  :gl:`#5319`
+
+Bug Fixes
+~~~~~~~~~
+
+- Fix the default interface-interval from 60s to 60m.
+
+  When the interface-interval parser was changed from uint32 parser to
+  duration parser, the default value stayed at plain number `60` which
+  now means 60 seconds instead of 60 minutes.  The documentation also
+  incorrectly states that the value is in minutes.  That has been fixed.
+  :gl:`#5246`
+
+- Fix purge-keys bug when using views.
+
+  Previously, when a DNSSEC key was purged by one zone view, other zone
+  views would return an error about missing key files. This has been
+  fixed. :gl:`#5315`
+
+- Use IPv6 queries in delv +ns.
+
+  `delv +ns` invokes the same code to perform name resolution as
+  `named`, but it neglected to set up an IPv6 dispatch object first.
+  Consequently, it was behaving more like `named -4`. It now sets up
+  dispatch objects for both address families, and performs resolver
+  queries to both v4 and v6 addresses, except when one of the address
+  families has been suppressed by using `delv -4` or `delv -6`.
+  :gl:`#5352`
+
+