From: Michał Kępień Date: Thu, 2 Oct 2025 16:12:18 +0000 (+0200) Subject: Tweak and reword release notes X-Git-Tag: v9.21.14~4^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63a93a1a079f4a50baa2e531452a7bbb43b75e47;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/changelog/changelog-9.21.13.rst b/doc/changelog/changelog-9.21.13.rst index 78c8ed3f419..375d83168c4 100644 --- a/doc/changelog/changelog-9.21.13.rst +++ b/doc/changelog/changelog-9.21.13.rst 
@@ -69,19 +69,24 @@ New Features zone name, zone's view name and type); the new following tokens are now also accepted: - - `$name` or `%s` is replaced with the zone name in lower case; - - `$type` or `%t` is replaced with the zone type -- i.e., primary, - secondary, etc); - `$view` or `%v` is replaced with the view name; - - `$char1` or `%1` is replaced with the first character of the zone - name; - `$char2` or `%2` is replaced with the second character of the - zone name (or a dot if there is no second character); - `$char3` or - `%3` is replaced with the third character of the zone name (or a dot - if there is no third character); - `$label1` or `%z` is replaced with - the toplevel domain of the zone (or a dot if it is the root zone); - - `$label2` or `%y` is replaced with the next label under the toplevel - domain (or a dot if there is no next label); - `$label3` or `%x` is - replaced with the next-next label under the toplevel domain (or a - dot if there is no next-next label). :gl:`#85` :gl:`!10779` + - `$name` or `%s` is replaced with the zone name in lower case; + - `$type` or `%t` is replaced with the zone type -- i.e., primary, + secondary, etc); + - `$view` or `%v` is replaced with the view name; + - `$char1` or `%1` is replaced with the first character of the zone + name; + - `$char2` or `%2` is replaced with the second character of the zone + name (or a dot if there is no second character); + - `$char3` or `%3` is replaced with the third character of the zone + name (or a dot if there is no third character); + - `$label1` or `%z` is replaced with the toplevel domain of the zone + (or a dot if it is the root zone); + - `$label2` or `%y` is replaced with the next label under the toplevel + domain (or a dot if there is no next label); + - `$label3` or `%x` is replaced with the next-next label under the + toplevel domain (or a dot if there is no next-next label). + + :gl:`#85` :gl:`!10779` - Add support for synthetic records. ``cefed841046`` 
diff --git a/doc/notes/notes-9.21.13.rst b/doc/notes/notes-9.21.13.rst index 3462b96d98e..5fb5d95a418 100644 --- a/doc/notes/notes-9.21.13.rst +++ b/doc/notes/notes-9.21.13.rst @@ -15,8 +15,8 @@ Notes for BIND 9.21.13 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY - is found. +- DNSSEC validation fails if matching but invalid DNSKEY is found. + :cve:`2025-8677` Previously, if a matching but cryptographically invalid key was encountered during DNSSEC validation, the key was skipped and not @@ -28,7 +28,7 @@ Security Fixes Security and Privacy Laboratory at Nankai University for bringing this vulnerability to our attention. :gl:`#5343` -- [CVE-2025-40778] Address various spoofing attacks. +- Address various spoofing attacks. :cve:`2025-40778` Previously, several issues could be exploited to poison a DNS cache with spoofed records for zones which were not DNSSEC-signed or if the @@ -44,8 +44,8 @@ Security Fixes Duan from Tsinghua University for bringing this vulnerability to our attention. :gl:`#5414` -- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number - generator. +- Cache-poisoning due to weak pseudo-random number generator. + :cve:`2025-40780` It was discovered during research for an upcoming academic paper that a xoshiro128\*\* internal state can be recovered by an external 3rd 
@@ -63,86 +63,78 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Add extra tokens to the zone file name template. - - Extend the `$name`, `$view` and `$type` tokens (expanding into the - zone name, zone's view name and type); the new following tokens are - now also accepted: - - - `$name` or `%s` is replaced with the zone name in lower case; - - `$type` or `%t` is replaced with the zone type -- i.e., primary, - secondary, etc); - `$view` or `%v` is replaced with the view name; - - `$char1` or `%1` is replaced with the first character of the zone - name; - `$char2` or `%2` is replaced with the second character of the - zone name (or a dot if there is no second character); - `$char3` or - `%3` is replaced with the third character of the zone name (or a dot - if there is no third character); - `$label1` or `%z` is replaced with - the toplevel domain of the zone (or a dot if it is the root zone); - - `$label2` or `%y` is replaced with the next label under the toplevel - domain (or a dot if there is no next label); - `$label3` or `%x` is - replaced with the next-next label under the toplevel domain (or a - dot if there is no next-next label). :gl:`#85` +- Support for additional tokens in the zone file name template. + + See :any:`file` for a complete list of currently supported tokens. + :gl:`#85` - Add support for synthetic records. - Add a query plugin which, in "reverse" mode, enables the server to - build a synthesized response to a PTR query when the PTR record - requested is not found in the zone. The dynamically-built name is - constructed from a static prefix (passed as a plugin parameter), the - IP address (extracted from the query name) and a suffix (also passed - as a plugin parameter). An `allow-synth` address-match list can be - used to limit the network addresses for which the plugin may generate - responses. 
The plugin can also be used in "forward" mode, to - build synthesized A/AAAA records from names using the same format as - the dynamically-built PTR names. The same parameters are used: the - plugin will react and answer a query if the name matches the - configured prefix and origin, and encodes an IP address that is within - `allow-synth`. :gl:`#1586` + Add :iscman:`synthrecord` query plugin which, in "reverse" mode, + enables the server to build a synthesized response to a PTR query when + the PTR record requested is not found in the zone. + + The dynamically built name is constructed from a static prefix (passed + as a plugin parameter), the IP address (extracted from the query + name), and a suffix (also passed as a plugin parameter). An + ``allow-synth`` address-match list can be used to limit the network + addresses for which the plugin may generate responses. + + The plugin can also be used in "forward" mode, to build synthesized + A/AAAA records from names using the same format as the dynamically + built PTR names. The same parameters are used: the plugin reacts and + answers a query if the name matches the configured prefix and origin, + and encodes an IP address that is within ``allow-synth``. :gl:`#1586` - Support for zone-specific plugins. - Query plugins can now be configured at the `zone` level, as well as - globally or at the `view` level. A plugin's hooks are then called only - while that specific zone's database is being used to answer a query. + Query plugins can now be configured at the :any:`zone` level, as well + as globally or at the :any:`view` level. A plugin's hooks are then + called only while that specific zone's database is being used to + answer a query. This simplifies the implementation of plugins that are only needed for specific namespaces for which the server is authoritative. It can also - enable quicker responses, since plugins will only be called when they - are needed. 
:gl:`#5356` + enable quicker responses, since plugins are only called when they are + needed. :gl:`#5356` -- Add dnssec-policy keys configuration check to named-checkconf. +- Add :any:`dnssec-policy` keys configuration check to + :iscman:`named-checkconf`. - A new option `-k` is added to `named-checkconf` that allows checking - the `dnssec-policy` `keys` configuration against the configured key - stores. If the found key files are not in sync with the given - `dnssec-policy`, the check will fail. + A new option :option:`-k ` was added to + :iscman:`named-checkconf` that allows checking the + :any:`dnssec-policy` :any:`keys` configuration against the configured + key stores. If the found key files are not in sync with the given + :any:`dnssec-policy`, the check will fail. - This is useful to run before migrating to `dnssec-policy`. :gl:`#5486` + This is useful to run before migrating to :any:`dnssec-policy`. + :gl:`#5486` Removed Features ~~~~~~~~~~~~~~~~ - Remove randomized RRset ordering. - The rrset-order random doesn't offer uniform distribution of all - permutations and it isn't superior to cyclic order in any way. Make - the random ordering an alias to the cyclic ordering. :gl:`#5513` + :any:`rrset-order` ``random`` did not offer uniform distribution of + all permutations and it was not superior to the ``cyclic`` order in + any way. ``random`` ordering is now an alias for ``cyclic`` ordering. + :gl:`#5513` Bug Fixes ~~~~~~~~~ - Use signer name when disabling DNSSEC algorithms. - ``disable-algorithms`` could cause DNSSEC validation failures when the - parent zone was signed with the algorithms that were being disabled - for the child zone. This has been fixed; `disable-algorithms` now - works on a whole-of-zone basis. + :any:`disable-algorithms` could cause DNSSEC validation failures when + the parent zone was signed with the algorithms that were being + disabled for the child zone. 
This has been fixed; + :any:`disable-algorithms` now works on a whole-of-zone basis. - If the zone's name is at or below the ``disable-algorithms`` name the - algorithm is disabled for that zone, using deepest match when there - are multiple ``disable-algorithms`` clauses. :gl:`#5165` + If the zone's name is at or below the :any:`disable-algorithms` name + the algorithm is disabled for that zone, using deepest match when + there are multiple :any:`disable-algorithms` clauses. :gl:`#5165` -- Rndc sign during ZSK rollover will now replace signatures. +- :option:`rndc sign` during ZSK rollover will now replace signatures. When performing a ZSK rollover, if the new DNSKEY is omnipresent, the :option:`rndc sign` command now signs the zone completely with the @@ -152,17 +144,15 @@ Bug Fixes - Missing DNSSEC information when CD bit is set in query. The RRSIGs for glue records were not being cached correctly for CD=1 - queries. This has been fixed. :gl:`#5502` + queries. This has been fixed. :gl:`#5502` -- Add chroot check to meson.build. +- Add a check for ``chroot()`` to the build system. - The meson build procedure was not checking for the existence of the - chroot function. This has been fixed. :gl:`#5519` + The Meson build procedure was not checking for the existence of the + ``chroot()`` function. This has been fixed. :gl:`#5519` - Preserve cache when reload fails and reload the server again. - Fixes an issue where failing to reconfigure/reload the server would - prevent to preserved the views caches on the subsequent server - reconfiguration/reload. :gl:`#5523` - - + This fixes an issue where failing to reconfigure/reload the server + would fail to preserve the views' caches for subsequent server + reconfigurations/reloads. :gl:`#5523`
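Review bot: in the changelog-9.21.13.rst hunk `@@ -69,19 +69,24 @@`, the `$type` bullet keeps an unmatched closing parenthesis, "replaced with the zone type -- i.e., primary, secondary, etc);", on the added lines just as on the removed ones; suggest "replaced with the zone type (i.e., primary, secondary, etc.);". The lead-in "the new following tokens are now also accepted:" is also awkward, and the list it introduces starts with `$name`, `$type` and `$view`, which the preceding sentence describes as existing tokens being extended rather than new ones; "the following tokens are now accepted:" would read correctly for all nine entries.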
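Review bot: in the notes-9.21.13.rst hunk `@@ -15,8 +15,8 @@`, replacing the literal "[CVE-2025-8677]" prefix with `:cve:`2025-8677`` makes the entry depend on a `:cve:` interpreted-text role; confirm that role is registered in the documentation's Sphinx configuration, otherwise the notes build will warn about an unknown role and the identifier will not render as a link. Since the same substitution is made for `:cve:`2025-40778`` and `:cve:`2025-40780`` in the following hunks, one missing role definition would break all three security-fix entries at once.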
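Review bot: in the notes-9.21.13.rst hunk `@@ -63,86 +63,78 @@`, the detailed token list is dropped in favour of "See :any:`file` for a complete list of currently supported tokens."; please verify that the `file` target actually documents the `$char1`/`%1` through `$label3`/`%x` tokens removed here, since after this change the reference manual becomes the only user-facing description of them, and `:any:` must resolve to an existing target or the build will warn. In the `named-checkconf` entry, `:option:`-k `` contains trailing whitespace inside the role; if an explicit target was intended it appears to be missing, and if not, the space should be dropped. The `disable-algorithms` entry needs a comma after "name": "If the zone's name is at or below the :any:`disable-algorithms` name, the algorithm is disabled for that zone". Finally, the entry titles now mix noun phrases ("Support for additional tokens in the zone file name template.", "Support for zone-specific plugins.") with imperatives ("Add support for synthetic records.", "Add :any:`dnssec-policy` keys configuration check to :iscman:`named-checkconf`."); settling on one form within the section would be consistent with the rest of the notes.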