From: Andoni Duarte Pintado Date: Fri, 7 Mar 2025 19:38:25 +0000 (+0100) Subject: Generate changelog for BIND 9.18.35 X-Git-Tag: v9.18.35~1^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84d9529560be2e5754b8e49449227521805ce753;p=thirdparty%2Fbind9.git Generate changelog for BIND 9.18.35 --- diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 3f9ee056c00..32c151f8543 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,8 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.35-S1.rst +.. include:: ../changelog/changelog-9.18.35.rst .. include:: ../changelog/changelog-9.18.34-S1.rst .. include:: ../changelog/changelog-9.18.34.rst .. include:: ../changelog/changelog-9.18.33-S1.rst diff --git a/doc/changelog/changelog-9.18.35-S1.rst b/doc/changelog/changelog-9.18.35-S1.rst new file mode 100644 index 00000000000..ba871808a1a --- /dev/null +++ b/doc/changelog/changelog-9.18.35-S1.rst @@ -0,0 +1,11 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + diff --git a/doc/changelog/changelog-9.18.35.rst b/doc/changelog/changelog-9.18.35.rst new file mode 100644 index 00000000000..2e5fce8616c --- /dev/null +++ b/doc/changelog/changelog-9.18.35.rst @@ -0,0 +1,134 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.35 +------------ + +New Features +~~~~~~~~~~~~ + +- Add digest methods for SIG and RRSIG. ``7f4023fe7d`` + + ZONEMD digests RRSIG records and potentially digests SIG record. Add + digests methods for both record types. :gl:`#5219` :gl:`!10219` + +Bug Fixes +~~~~~~~~~ + +- Prevent a reference leak when using plugins. ``8d0d08ec00`` + + The `NS_QUERY_DONE_BEGIN` and `NS_QUERY_DONE_SEND` plugin hooks could + cause a reference leak if they returned `NS_HOOK_RETURN` without + cleaning up the query context properly. :gl:`#2094` :gl:`!10171` + +- Fix memory ordering issues with atomic operations in the quota.c + module. ``86f02349e5`` + + Change all the non-locked operations on `quota->used` and + `quota->waiting` to "acq/rel" for inter-thread synchronization. Some + loads are left as "relaxed", because they are under a locked mutex + which also provides protection. + + Also use relaxed memory ordering for `quota->max` and `quota->soft`, + as done in the main branch; possible ordering issues for these + variables are acceptable. :gl:`#5018` :gl:`!10203` + +- Fix deferred validation of unsigned DS and DNSKEY records. + ``60a26ecd43`` + + When processing a query with the "checking disabled" bit set (CD=1), + `named` stores the unvalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated, + and either accepted as an answer, or ejected from the cache as + invalid. This deferred validation was not attempted for DS and DNSKEY + records if they had no cached signatures, causing spurious validation + failures. We now complete the deferred validation in this scenario. + + Also, if deferred validation fails, we now re-query the data to find + out whether the zone has been corrected since the invalid data was + cached. :gl:`#5066` :gl:`!10106` + +- When recording an rr trace, use libtool. ``42afefe031`` + + When a system test is run with the `USE_RR` environment variable set + to 1, an `rr` trace is now correctly generated for each instance of + `named`. :gl:`#5079` :gl:`!10208` + +- Do not cache signatures for rejected data. ``7e24b9f6ec`` + + The cache has been updated so that if new data is rejected - for + example, because there was already existing data at a higher trust + level - then its covering RRSIG will also be rejected. :gl:`#5132` + :gl:`!10135` + +- Fix a race issue in dns_view_addzone() ``a946528023`` + + Views use two types of reference counting - regular and weak, and when + there are no more regular references, the `view_flushanddetach()` + function destroys or detaches some parts of the view, including + `view->zonetable`, while other parts are freed by `destroy()` when the + last weak reference is detached. Since catalog zones use weak + references to attach a view, it's currently possible that during + shutdown catalog zone processing will try to add a new zone into an + otherwise unused view (because it's shutting down) which doesn't have + an attached zonetable any more. This could cause an assertion failure. + Fix this issue by modifying the `dns_view_addzone()` function to + expect that `view->zonetable` can be `NULL`, and in that case just + return `ISC_R_SHUTTINGDOWN`. :gl:`#5138` :gl:`!10086` + +- Fix RPZ race condition during a reconfiguration. ``54bb8252e2`` + + With RPZ in use, `named` could terminate unexpectedly because of a + race condition when a reconfiguration command was received using + `rndc`. This has been fixed. :gl:`#5146` :gl:`!10145` + +- "CNAME and other data check" not applied to all types. ``aaaf2e989a`` + + An incorrect optimization caused "CNAME and other data" errors not to + be detected if certain types were at the same node as a CNAME. This + has been fixed. :gl:`#5150` :gl:`!10101` + +- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. + ``b601cb32ee`` + + Previously, when parsing responses, named incorrectly rejected + responses without matching RRSIG records for NSEC/DS/NSEC3 records in + the authority section. This rejection, if appropriate, should have + been left for the validator to determine and has been fixed. + :gl:`#5185` :gl:`!10143` + +- Fix a logic error in cache_name() ``ab047ff47f`` + + A change in 6aba56ae8 (checking whether a rejected RRset was identical + to the data it would have replaced, so that we could still cache a + signature) inadvertently introduced cases where processing of a + response would continue when previously it would have been skipped. + :gl:`#5197` :gl:`!10159` + +- Finalize removal of memory debug flags size and mctx [9.18] + ``853a966fe7`` + + :gl:`!9607` + +- Post [CVE-2024-12705] Performance Drop Fixes, Part 2. ``e811f444b7`` + + :gl:`!10193` + +- Post [CVE-2024-12705] Performance Drop Fixes. ``8d96ff01d4`` + + :gl:`!10128` + +- Sync the TSAN CC, CFLAGS and LDFLAGS in the respdiff:tsan job. + ``22fd7c4eb4`` + + :gl:`!10213` + +