From: Tinderbox User <tbox@isc.org>
Date: Tue, 13 Aug 2019 09:47:16 +0000 (+0000)
Subject: prep 9.11.10
X-Git-Tag: v9.11.10^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=711cca3bc98ab899ba72834565c49a583b4e5eb5;p=thirdparty%2Fbind9.git

prep 9.11.10
---

diff --git a/CHANGES b/CHANGES
index b31c6b578bc..90f62502e2b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,4 @@
-        --- 9.11.10 released ---
+	--- 9.11.10 released ---
 
 5275.	[bug]		Mark DS records included in referral messages
 			with trust level "pending" so that they can be
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 8a25a7cb653..857c47d19e2 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -368,14 +368,20 @@ Display [do not display] the CLASS when printing the record\&.
 .PP
 \fB+[no]cmd\fR
 .RS 4
-Toggles the printing of the initial comment in the output identifying the version of
+Toggles the printing of the initial comment in the output, identifying the version of
 \fBdig\fR
-and the query options that have been applied\&. This comment is printed by default\&.
+and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
 .RE
 .PP
 \fB+[no]comments\fR
 .RS 4
-Toggle the display of comment lines in the output\&. The default is to print comments\&.
+Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
+.sp
+Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
+\fB+[no]cmd\fR,
+\fB+[no]question\fR,
+\fB+[no]stats\fR, and
+\fB+[no]rrcomments\fR\&.
 .RE
 .PP
 \fB+[no]cookie\fR\fB[=####]\fR
@@ -554,12 +560,12 @@ Set [restore] the DNS message opcode to the specified value\&. The default value
 .PP
 \fB+[no]qr\fR
 .RS 4
-Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
+Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
 .RE
 .PP
 \fB+[no]question\fR
 .RS 4
-Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
+Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
 .RE
 .PP
 \fB+[no]rdflag\fR
@@ -607,7 +613,7 @@ determines if the name will be treated as relative or not and hence whether a se
 .PP
 \fB+[no]short\fR
 .RS 4
-Provide a terse answer\&. The default is to print the answer in a verbose form\&.
+Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
 .RE
 .PP
 \fB+[no]showsearch\fR
@@ -637,7 +643,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char
 .PP
 \fB+[no]stats\fR
 .RS 4
-This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
+Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
 .RE
 .PP
 \fB+[no]subnet=addr[/prefix\-length]\fR
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 050d5efe5f0..2e2571b15ef 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -490,16 +490,28 @@
 <dd>
 	    <p>
 	      Toggles the printing of the initial comment in the
-	      output identifying the version of <span class="command"><strong>dig</strong></span>
-	      and the query options that have been applied.  This
-	      comment is printed by default.
+	      output, identifying the version of <span class="command"><strong>dig</strong></span>
+	      and the query options that have been applied.  This option
+	      always has global effect; it cannot be set globally
+	      and then overridden on a per-lookup basis.  The default
+	      is to print this comment.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd>
 	    <p>
-	      Toggle the display of comment lines in the output.
-	      The default is to print comments.
+	      Toggles the display of some comment lines in the output,
+	      containing information about the packet header and
+	      OPT pseudosection, and the names of the response
+	      section.  The default is to print these comments.
+	    </p>
+	    <p>
+	      Other types of comments in the output are not affected by
+	      this option, but can be controlled using other command
+	      line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
+	      <span class="command"><strong>+[no]question</strong></span>,
+	      <span class="command"><strong>+[no]stats</strong></span>, and
+	      <span class="command"><strong>+[no]rrcomments</strong></span>.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
@@ -745,14 +757,14 @@
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
 <dd>
 	    <p>
-	      Print [do not print] the query as it is sent.  By
-	      default, the query is not printed.
+	      Toggles the display of the query message as it is sent.
+	      By default, the query is not printed.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
 <dd>
 	    <p>
-	      Print [do not print] the question section of a query
+	      Toggles the display of the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
 	    </p>
@@ -814,7 +826,9 @@
 <dd>
 	    <p>
 	      Provide a terse answer.  The default is to print the
-	      answer in a verbose form.
+	      answer in a verbose form.  This option always has global
+	      effect; it cannot be set globally and then overridden on
+	      a per-lookup basis.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
@@ -848,10 +862,9 @@
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
 <dd>
 	    <p>
-	      This query option toggles the printing of statistics:
-	      when the query was made, the size of the reply and
-	      so on.  The default behavior is to print the query
-	      statistics.
+	      Toggles the printing of statistics: when the query was made,
+	      the size of the reply and so on.  The default behavior is to
+	      print the query statistics as a comment after each lookup.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 98e0b369e6c..53f26f5819d 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-02-20
+.\"      Date: 2019-07-22
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2019\-02\-20" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-07\-22" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -249,7 +249,7 @@ options {
 	check\-wildcard \fIboolean\fR;
 	cleaning\-interval \fIinteger\fR;
 	clients\-per\-query \fIinteger\fR;
-	cookie\-algorithm ( aes | sha1 | sha256 );
+	cookie\-algorithm ( aes | sha1 | sha256 | siphash24 );
 	cookie\-secret \fIstring\fR;
 	coresize ( default | unlimited | \fIsizeval\fR );
 	datasize ( default | unlimited | \fIsizeval\fR );
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index ee5c3140e5c..5e8d10f0862 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -226,7 +226,7 @@ options
 	check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
-	cookie-algorithm ( aes | sha1 | sha256 );<br>
+	cookie-algorithm ( aes | sha1 | sha256 | siphash24 );<br>
 	cookie-secret <em class="replaceable"><code>string</code></em>;<br>
 	coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 8e5bde693c6..a67475859f8 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -187,12 +187,6 @@
 	  to root priming queries; this has been corrected. [GL #1092]
 	</p>
       </li>
-<li class="listitem">
-	<p>
-	  Glue address records were not being returned in responses
-	  to root priming queries; this has been corrected. [GL #1092]
-	</p>
-      </li>
 <li class="listitem">
 	<p>
 	  Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 753b31f54c7..7a74e72e76d 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.11.9</p></div>
+<div><p class="releaseinfo">BIND Version 9.11.10</p></div>
 <div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@@ -241,7 +241,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.9</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.10</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -440,6 +440,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.9 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.10 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index dc63f1a3048..f28ff155638 100644
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 48b5226bf60..430a20762a6 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -15,7 +15,7 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.11.9</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.10</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -88,7 +88,8 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
 	<p>
 	  The new GeoIP2 API from MaxMind is now supported when BIND
 	  is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
@@ -116,18 +117,73 @@
 	  <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
 	  and IPv6 lookups. [GL #182]
 	</p>
-      </li></ul></div>
+      </li>
+<li class="listitem">
+	<p>
+	  A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+	  [GL #605]
+	</p>
+	<p>
+	  If you are running multiple DNS Servers (different versions of BIND 9
+	  or DNS server from multiple vendors) responding from the same IP
+	  address (anycast or load-balancing scenarios), you'll have to make
+	  sure that all the servers are configured with the same DNS Cookie
+	  algorithm and same Server Secret for the best performance.
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  DS records included in DNS referral messages can now be validated
+	  and cached immediately, reducing the number of queries needed for
+	  a DNSSEC validation. [GL #964]
+	</p>
+      </li>
+</ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
 	<p>
 	  Glue address records were not being returned in responses
 	  to root priming queries; this has been corrected. [GL #1092]
 	</p>
-      </li></ul></div>
+      </li>
+<li class="listitem">
+	<p>
+	  Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+	  cause unexpected results; this has been fixed. [GL #1106]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
+          to ensure bits 64-71 are zero. [GL #1159]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  <span class="command"><strong>named-checkconf</strong></span> could crash during
+	  configuration if configured to use "geoip continent" ACLs with
+	  legacy GeoIP. [GL #1163]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  <span class="command"><strong>named-checkconf</strong></span> now correctly reports missing
+	  <span class="command"><strong>dnstap-output</strong></span> option when
+	  <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  Handle ETIMEDOUT error on connect() with a non-blocking
+	  socket. [GL #1133]
+	</p>
+      </li>
+</ul></div>
   </div>
 
   <div class="section">
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index e98502febc4..b8b65732175 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt
index 1a1707b95a9..aa25e44251d 100644
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.11.9
+Release Notes for BIND Version 9.11.10
 
 Introduction
 
@@ -61,11 +61,39 @@ New Features
     database types are country, city, domain, isp, and as. All of the
     databases support both IPv4 and IPv6 lookups. [GL #182]
 
+  * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+    [GL #605]
+
+    If you are running multiple DNS Servers (different versions of BIND 9
+    or DNS server from multiple vendors) responding from the same IP
+    address (anycast or load-balancing scenarios), you'll have to make
+    sure that all the servers are configured with the same DNS Cookie
+    algorithm and same Server Secret for the best performance.
+
+  * DS records included in DNS referral messages can now be validated and
+    cached immediately, reducing the number of queries needed for a DNSSEC
+    validation. [GL #964]
+
 Bug Fixes
 
   * Glue address records were not being returned in responses to root
     priming queries; this has been corrected. [GL #1092]
 
+  * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
+    unexpected results; this has been fixed. [GL #1106]
+
+  * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
+    zero. [GL #1159]
+
+  * named-checkconf could crash during configuration if configured to use
+    "geoip continent" ACLs with legacy GeoIP. [GL #1163]
+
+  * named-checkconf now correctly reports missing dnstap-output option
+    when dnstap is set. [GL #1136]
+
+  * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
+    1133]
+
 End of Life
 
 BIND 9.11 (Extended Support Version) will be supported until at least