From: Petr Špaček Date: Wed, 4 Feb 2026 13:08:38 +0000 (+0100) Subject: Tweak and reword release notes X-Git-Tag: v9.21.18~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=249785c1674b5b2de9df0b1065dc91c15ede0d84;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-9.21.18.rst b/doc/notes/notes-9.21.18.rst index 17f669171cd..610cafb7cb7 100644 --- a/doc/notes/notes-9.21.18.rst +++ b/doc/notes/notes-9.21.18.rst 
@@ -15,58 +15,40 @@ Notes for BIND 9.21.18 Feature Changes ~~~~~~~~~~~~~~~ -- Update requirements for system test suite. +- Enable minimal ANY answers by default. - Python 3.10 or newer is now required for running the system test - suite. The required python packages and their version requirements are - now tracked in `bin/tests/system/requirements.txt`. + ANY queries are widely abused by attackers in reflection attacks, as + they result in large answers. The :namedconf:ref:`minimal-any` feature + is now enabled by default to reduce the attack surface. :gl:`#5723` - Support for pytest 9.0.0 has been added its minimum supported version - has been raised to 7.0.0. The minimum supported dnspython version has - been raised to 2.3.0. :gl:`#5690` :gl:`#5614` +- Lowercase the NSEC Next Domain Name field. -- Lowercase the NSEC next owner name when signing. + When building an NSEC record, the next owner name is now converted to lowercase + before storing it in the Next Domain Name field. - When building the NSEC rdata, lowercase the next owner name before - storing it in the Next Domain Name Field. + This is not required according to :rfc:`6840#section-5.1`, but since + inconsistencies have been introduced to the specification over time, having + "next owner" names in only lowercase in the NSEC records improves compatibility with + software that does not follow the latest version of the DNSSEC + specification. :gl:`#5702` - Note that this is not required according to RFC 6840, but since there - is inconsistency in the documents over time, having uppercase next - owner names in the NSEC records may cause validation failures if - validators are not following RFC 6840. :gl:`#5702` +- Update requirements for system test suite. -- Enable minimal ANY answers by default. + Python 3.10 or newer is now required for running the system test suite. The + required Python packages and their version requirements are now tracked in the + file `bin/tests/system/requirements.txt`. 
:gl:`#5690` :gl:`#5614` - ANY queries are widely abused by attackers doing reflection attacks as - they return the largest answers. Enable minimal ANY answers by - default to reduce the attack surface of the DNS servers. :gl:`#5723` Bug Fixes ~~~~~~~~~ - Make catalog zone names and member zones' entry names - case-insensitive. - - Previously, the catalog zone names and their member zones' entry names - were unintentionally case-sensitive. This has been fixed. :gl:`#5693` - -- Fix brid and hhit implementation. - - Fix bugs in BRID and HHIT implementation and enable the unit tests. - :gl:`#5710` - -- DSYNC record incorrectly used two octets for the Scheme Field. - - When creating the `DSYNC` record from a structure, `uint16_tobuffer` - was used instead of `uint8_tobuffer` when adding the scheme, causing a - `DSYNC` record that was one octet too long. This has been fixed. - :gl:`#5711` + case-insensitive. :gl:`#5693` -- Fix a possible issue with reponse policy zones and catalog zones. +- Fix implementation of BRID and HHIT record types. :gl:`#5710` - If a response policy zone (RPZ) or a catalog zone contained an - `$INCLUDE` directive, then manually reloading that zone could fail to - process the changes in the response policy or in the catalog, - respectively. This has been fixed. :gl:`#5714` +- Fix implementation of DSYNC record type. :gl:`#5711` +- Fix response policy and catalog zones to work with `$INCLUDE` directive. + Reloading a RPZ or a catalog zone could have failed when `$INCLUDE` was in use. :gl:`#5714`
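Review bot: In the last Bug Fixes entry, "Reloading a RPZ or a catalog zone could have failed when `$INCLUDE` was in use" uses the abbreviation RPZ after this rewrite removed the only place it was spelled out ("response policy zone (RPZ)"), and the article should be "an RPZ". The new wording also drops two details the old text had: that the trigger was a manual reload, and that the failure was the changes in the policy or catalog not being processed. Suggested wording: "Manually reloading a response policy zone (RPZ) or a catalog zone that uses `$INCLUDE` could fail to process the changes." The DSYNC entry similarly loses the observable symptom (a record one octet too long because the Scheme field was written as two octets), which an operator who saw malformed DSYNC records would want to match against, so consider keeping one sentence of it. In the minimal-any entry, since a default is being changed, a sentence on how to restore the previous behavior through the same option would help operators who depend on full ANY answers.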