From: Nicki Křížek Date: Thu, 3 Apr 2025 14:49:35 +0000 (+0200) Subject: Tweak and reword release notes X-Git-Tag: v9.18.36~1^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b825eda1bc70a5fe8e2c3cbe8ab0151e17d1545;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-9.18.36.rst b/doc/notes/notes-9.18.36.rst index 63f4214d5eb..ddf4bc9f8bf 100644 --- a/doc/notes/notes-9.18.36.rst +++ b/doc/notes/notes-9.18.36.rst @@ -15,19 +15,13 @@ Notes for BIND 9.18.36 Feature Changes ~~~~~~~~~~~~~~~ -- Fix network manager issue when both success and timeout callbacks can - be called for the same read request. - - This commit simplifies code flow in the tls_cycle_input() and makes - the incoming data processing similar to that in TCP DNS. In - particular, now we decipher all the the incoming data before making a - single isc__nm_process_sock_buffer() call. Previously we would try to - decipher data bit-by-bit before trying to process the deciphered bit - via isc__nm_process_sock_buffer(). Doing like before made the code - much less predictable, in particular in the areas like when reading is - paused or resumed. - - The newer approach also allowed us to get rid of some old kludges. +- Make TLS data processing more reliable in various network conditions. + + BIND now deciphers incoming TLS data before processing it, making it + more similar to the handling of TCP. This results in a more + predictable behavior, particularly when reading from the stream is + paused or resumed. Previously, this could result in an assertion + failure when using XFR over TLS (XoT). This has been fixed. :gl:`#5247` Bug Fixes 
@@ -35,23 +29,22 @@ Bug Fixes - Stop caching lack of EDNS support. - `named` could falsely learn that a server doesn't support EDNS when a - spoofed response was received; that subsequently prevented DNSSEC - lookups from being made. This has been fixed. :gl:`#3949` :gl:`#5066` + :iscman:`named` could falsely learn that a server did not support EDNS + when a spoofed response was received; that subsequently prevented + DNSSEC lookups from being made. This has been fixed. :gl:`#3949` + :gl:`#5066` -- Fix resolver statistics counters for timed out responses. +- Fix resolver statistics counters for timed-out responses. When query responses timed out, the resolver could incorrectly - increase the regular responses counters, even if no response was + increase the regular response counters, even if no response was received. This has been fixed. :gl:`#5193` - Don't enforce NOAUTH/NOCONF flags in DNSKEYs. - All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH` - (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type, - and are not applicable to DNSKEY. Previously, however, because the - DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag - prevented authentication in DNSKEYs as well. This has been corrected. - :gl:`#5240` - - + All DNSKEY keys are able to authenticate. The ``DNS_KEYTYPE_NOAUTH`` + (and ``DNS_KEYTYPE_NOCONF``) flags were defined for the KEY rdata + type, and are not applicable to DNSKEY. Previously, however, because + the DNSKEY implementation was built on top of KEY, the ``_NOAUTH`` + flag prevented authentication in DNSKEYs as well. This has been + corrected. :gl:`#5240`
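Review bot: the rewritten entry in the first hunk (doc/notes/notes-9.18.36.rst, under "Feature Changes") ends with "Previously, this could result in an assertion failure when using XFR over TLS (XoT). This has been fixed.", which reads as a bug fix rather than a feature change; either move the entry under "Bug Fixes" or keep the first two sentences as the feature description and drop the "This has been fixed." closer so the section heading and the entry agree. The reword also removes the developer-level detail from the old text (the success-and-timeout double callback for one read request, tls_cycle_input(), isc__nm_process_sock_buffer()); that is appropriate for user-facing notes, but it is worth confirming the linked :gl:`#5247` issue still records the root cause, since the new text only names the symptom.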
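Review bot: the markup changes in the second hunk are correct but leave the file inconsistent. Replacing `named` with :iscman:`named` and `DNS_KEYTYPE_NOAUTH` with ``DNS_KEYTYPE_NOAUTH`` is the right move, because single backticks in reStructuredText are interpreted text (the default role renders a title reference, typically italic), not an inline literal; however the entry title "- Don't enforce NOAUTH/NOCONF flags in DNSKEYs." still carries the flag names as plain words while its body now uses ``DNS_KEYTYPE_NOAUTH`` and ``_NOAUTH``. Either format them as ``NOAUTH``/``NOCONF`` in the title as well or keep titles plain throughout, but apply one rule to every entry. The wording fixes ("did not support", "timed-out", "response counters") are fine as they stand.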