From: Michał Kępień Date: Tue, 10 Aug 2021 10:20:52 +0000 (+0200) Subject: Tweak and reword release notes X-Git-Tag: v9.17.17~2^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=371c72355cf3e708ffae452d08aa0150cca4e6a3;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index fb6b8ae3d6d..56633de0275 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -14,15 +14,15 @@ Notes for BIND 9.17.17 Security Fixes ~~~~~~~~~~~~~~ -- Named failed to check the opcode of responses when performing refresh, - stub updates, and UPDATE forwarding. This could lead to an assertion - failure under particular conditions. This has been addressed by checking - the opcode of those responses and rejecting the messages if they don't - match the expected value. :gl:`#2762` +- ``named`` failed to check the opcode of responses when performing zone + refreshes, stub zone updates, and UPDATE forwarding. This could lead + to an assertion failure under certain conditions and has been + addressed by rejecting responses whose opcode does not match the + expected value. :gl:`#2762` -- Fix an assertion failure that occured in ``named`` when attempting to send - a UDP packet exceeding the MTU size if rate-limiting was enabled. - (CVE-2021-25218) :gl:`#2839` +- Fixed an assertion failure that occurred in ``named`` when it + attempted to send a UDP packet that exceeded the MTU size, if + Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856` Known Issues ~~~~~~~~~~~~ 
@@ -32,12 +32,13 @@ Known Issues New Features ~~~~~~~~~~~~ -- It is now possible to set a hard quota on the number of concurrent DoH - connections, and the number of active HTTP/2 streams per connection, - by using the ``http-listener-clients`` and ``http-streams-per-connection`` - options, or the ``listener-clients`` and ``streams-per-connection`` - parameters to an ``http`` statement. The defaults are 300 and 100 - respectively. :gl:`#2809` +- It is now possible to set a hard quota on both the number of + concurrent DNS-over-HTTPS (DoH) connections and the number of active + HTTP/2 streams per connection, by using the ``http-listener-clients`` + and ``http-streams-per-connection`` options, or the + ``listener-clients`` and ``streams-per-connection`` parameters in an + ``http`` statement. The defaults are 300 and 100, respectively. + :gl:`#2809` Removed Features ~~~~~~~~~~~~~~~~ 
@@ -47,37 +48,37 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- DNS over HTTPS support can be disabled at the compile time via the new - configuration option ``--disable-doh``. This allows BIND 9 to be - compiled without libnghttp2 library. :gl:`#2478` +- DNS-over-HTTPS (DoH) support can now be disabled at compile time using + a new build-time option, ``--disable-doh``. This allows BIND 9 to be + built without the libnghttp2 library. :gl:`#2478` -- Memory allocation has been substantially refactored, and is now based on - the memory allocation API provided by the `jemalloc` library on platforms - where it is available. This library is now recommended for building BIND 9. - :gl:`#2433` +- Memory allocation has been substantially refactored; it is now based + on the memory allocation API provided by the jemalloc library, on + platforms where it is available. Use of this library is now + recommended when building BIND 9; although it is optional, it is + enabled by default. :gl:`#2433` -- Previously, named accepted FORMERR responses both with and without +- Previously, ``named`` accepted FORMERR responses both with and without an OPT record, as an indication that a given server did not support - EDNS. To implement full compliance with RFC 6891, only FORMERR + EDNS. To implement full compliance with :rfc:`6891`, only FORMERR responses without an OPT record are now accepted. This intentionally - breaks communication with servers that do not support EDNS and - that incorrectly echo back the query message with the RCODE field - set to FORMERR and the QR bit set to 1. :gl:`#2249` + breaks communication with servers that do not support EDNS and that + incorrectly echo back the query message with the RCODE field set to + FORMERR and the QR bit set to 1. 
:gl:`#2249` -- CDS and CDNSKEY records may now be published in a zone without the - requirement that they exactly match an existing DNSKEY record, so long - the zone is signed with an algorithm represented in the CDS or CDNSKEY - record. This allows a clean rollover from one DNS provider to another - when using a multiple-signer DNSSEC configuration. :gl:`#2710` +- CDS and CDNSKEY records can now be published in a zone without the + requirement that they exactly match an existing DNSKEY record, as long + as the zone is signed with an algorithm represented in the CDS or + CDNSKEY record. This allows a clean rollover from one DNS provider to + another when using a multiple-signer DNSSEC configuration. :gl:`#2710` Bug Fixes ~~~~~~~~~ -- Testing revealed that setting the thread affinity on both the netmgr - and netthread threads led to inconsistent recursive performance, as - sometimes the netmgr and netthread threads competed over a single - resource. +- Testing revealed that setting the thread affinity for various types of + ``named`` threads led to inconsistent recursive performance, as + sometimes multiple sets of threads competed over a single resource. - When the affinity is not set, tests show a slight dip in the authoritative - performance of around 5% (ranging from 3.8% to 7.8%), but - the recursive performance is now consistently improved. :gl:`#2822` + Due to the above, ``named`` no longer sets thread affinity. This + causes a slight dip of around 5% in authoritative performance, but + recursive performance is now consistently improved. :gl:`#2822`
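Review bot: in the Security Fixes hunk, the issue reference on the CVE-2021-25218 entry changes from :gl:`#2839` to :gl:`#2856`, which is a content change rather than a rewording and is not mentioned in the commit message ("Tweak and reword release notes"); please confirm that #2856 is the intended tracker reference and note the correction in the commit message so the change is not mistaken for a typo. The rest of the hunk reads well: spelling out "Response Rate Limiting (RRL)" is clearer than "rate-limiting", since the entry says the assertion failure occurred only with that feature enabled, and "rejecting responses whose opcode does not match the expected value" states the fix for the opcode issue more directly than the old wording.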
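Review bot: in the Feature Changes hunk, the jemalloc entry gains the clause "although it is optional, it is enabled by default", which is a new claim rather than a rewording, and "enabled" is ambiguous for a library: it is not clear whether it means the build uses jemalloc by default when the library is detected, or that it is mandatory unless explicitly disabled. Suggest wording that says what the build system actually does, for example "its use is optional but is enabled by default when the library is available", and confirm that against the configure logic before merging. In the Bug Fixes part of the same hunk, the measured range "(ranging from 3.8% to 7.8%)" is dropped in favour of "around 5%"; if the range came from the same test runs, keeping it costs little and tells operators what spread to expect, and "Due to the above, ``named`` no longer sets thread affinity" would read more naturally as "As a result, ``named`` no longer sets thread affinity."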