From: Michal Nowak Date: Tue, 31 Mar 2026 10:14:13 +0000 (+0200) Subject: Tweak and reword release notes X-Git-Tag: v9.21.21~2^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce291c4421f2de7ea3ae7574650388ca3bfad201;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-9.21.21.rst b/doc/notes/notes-9.21.21.rst index db1c7955c46..0958f7a5d8a 100644 --- a/doc/notes/notes-9.21.21.rst +++ b/doc/notes/notes-9.21.21.rst @@ -17,9 +17,10 @@ Security Fixes - Fix crash when reconfiguring zone update policy during active updates. - Fixed a crash that could occur when running rndc reconfig to change a - zone's update policy (e.g., from allow-update to update-policy) while - DNS UPDATE requests were being processed for that zone. + We fixed a crash that could occur when running :option:`rndc reconfig` + to change a zone's update policy (e.g., from :any:`allow-update` to + :any:`update-policy`) while DNS UPDATE requests were being processed + for that zone. ISC would like to thank Vitaly Simonovich for bringing this issue to our attention. :gl:`#5817` @@ -27,90 +28,94 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Add switch to disable cookie checking in delv. +- Add switch to disable cookie checking in :iscman:`delv`. - This adds the switch +[no]cookie to delv to control the sending of DNS - COOKIE options when sending requests. The default is to send DNS - COOKIE options. :gl:`#5825` + This adds the ``+[no]cookie`` switch to :iscman:`delv` to control + whether DNS COOKIE options are included in requests. The default is to + send DNS COOKIE options. :gl:`#5825` Removed Features ~~~~~~~~~~~~~~~~ -- Remove -C option from dnssec-keygen and dnssec-keyfromlabel. +- Remove ``-C`` option from :iscman:`dnssec-keygen` and + :iscman:`dnssec-keyfromlabel`. - The -C option, introduced in BIND 9.7, caused a backward-compatible - key to be generated, using private key format version 1.2, omitting - the creation date and other timing metadata. This made it possible to - generate keys that could be loaded by older versions of BIND. + The ``-C`` option, introduced in BIND 9.7, caused a + backward-compatible key to be generated, using private key format + version 1.2, omitting the creation date and other timing metadata. + This made it possible to generate keys that could be loaded by older + versions of BIND 9. - Those older versions having reached end of life many years ago, the - option can now be removed, along with the `dnssec-settime -f` option, - which caused old-style keys to be upgraded. + Those older versions having reached end-of-life many years ago, the + option has now been removed, along with the :iscman:`dnssec-settime` + ``-f`` option, which caused old-style keys to be upgraded. + :gl:`!11446` -- Remove NZF file support in favor of NZD (New Zone Database) +- Remove NZF file support in favor of NZD. - The NZF (New Zone File) backend for storing rndc addzone - configurations has been removed; LMDB-based NZD is now the only - storage backend and LMDB is now a required build dependency. + The NZF (New Zone File) backend for storing :option:`rndc addzone` + configurations has been removed; LMDB-based NZD (New Zone + Database) is now the only storage backend and LMDB is now + a required build dependency. Existing NZF files are automatically migrated to NZD on startup, so no - manual intervention is required when upgrading. + manual intervention is required when upgrading. :gl:`!11688` Feature Changes ~~~~~~~~~~~~~~~ - Parent-centric resolver. - The `named` resolver now uses a separate "delegation database" to - store zone referral data instead of the DNS cache. This new database - holds the NS RRset on the parent side of a zone cut, as well as - necessary glue records that were included in the referral. The NS + The :iscman:`named` resolver now uses a separate "delegation database" + to store zone referral data, instead of the DNS cache. This new + database holds the NS RRset on the parent side of a zone cut, as well + as necessary glue records that were included in the referral. The NS RRset from the child side is cached in the DNS cache and is not used - for name resolution. - - This will be a step toward simplifying resolver logic and also - supporting DELEG referrals. :gl:`#3311` + for recursion. :gl:`#3311` - Switch to LRU-only cache eviction, enforce minimum cache size. - Busy resolvers will now gradually fill the configured - :any:max-cache-size before entries start being evicted. Previously, + Busy resolvers now gradually fill to the configured + :any:`max-cache-size` before entries start being evicted. Previously, expired records were proactively removed based on their TTL, which - kept memory usage below the configured limit but added overhead. Cache - eviction now relies solely on the SIEVE-LRU mechanism, which has + kept memory usage below the configured limit but added overhead. + Cache eviction now relies solely on the SIEVE-LRU mechanism, which has matured to the point where TTL-based cleaning is no longer necessary. - Setting :any:max-cache-size to unlimited or 0 is no longer supported - and falls back to the default (90% of physical memory). + Setting :any:`max-cache-size` to ``unlimited`` or ``0`` is no longer + supported and falls back to the default (90% of physical memory). + :gl:`!11459` Bug Fixes ~~~~~~~~~ -- Fix intermittent named crashes during asynchronous zone operations. +- Fix intermittent :iscman:`named` crashes during asynchronous zone + operations. Asynchronous zone loading and dumping operations occasionally dispatched tasks to the wrong internal event loop. This threading violation triggered internal safety assertions that abruptly - terminated named. Strict loop affinity is now enforced for these - tasks, ensuring they execute on their designated threads and + terminated :iscman:`named`. Strict loop affinity is now enforced for + these tasks, ensuring they execute on their designated threads and preventing the crashes. :gl:`#4882` - Fix NTA (Negative Trust Anchor) expiration issue. When a configured NTA for a name expired, any possibly cached data for - the name (with "insecure" DNSSEC validation result) was not flushed + the name (with an "insecure" DNSSEC validation result) was not flushed from the resolver's cache. This has been fixed. :gl:`#5747` - Count temporal problems with DNSSEC validation as attempts. - After KeyTrap, the temporal DNSSEC were originally hard errors that - caused validation failures even if the records had another valid - signature. This has been changed and the RRSIGs outside of the - inception and expiration time are not counted as hard errors. - However, these errors are not even counted as validation attempts, so - excessive number of expired RRSIGs would cause some non-cryptograhic - extra work for the validator. This has been fixed and the temporal - errors are correctly counted as validation attempts. :gl:`#5760` + After the KeyTrap vulnerability :cve:`2023-50387`, any temporal + DNSSEC errors were originally hard errors that caused validation + failures, even if the records had another valid signature. This has + been changed; RRSIGs outside of the inception and expiration time are + not counted as hard errors. However, these errors were not even + counted as validation attempts, so an excessive number of expired + RRSIGs would cause some non-cryptographic extra work for the + validator. This has been fixed and the temporal errors are now + correctly counted as validation attempts. :gl:`#5760` - Fix a possible deadlock in RPZ processing. @@ -118,26 +123,25 @@ Bug Fixes crafted update for a response policy zone (RPZ). This has been fixed. :gl:`#5775` -- Fix update-policy per-type max quota bypass via crafted UPDATE - messages. +- Fix :any:`update-policy` per-type max quota bypass via crafted + UPDATE messages. - An authenticated DDNS client could bypass update-policy per-type - record limits (e.g. TXT(3)) by including padding records in the UPDATE - message that are silently skipped during processing. Each skipped - record shifted an internal counter, causing subsequent records to be - checked against the wrong quota — potentially reading an unlimited (0) - entry instead of the configured maximum. + An authenticated DDNS client could bypass :any:`update-policy` + per-type record limits (e.g. ``TXT(3)``) by including padding records + in the UPDATE message that were silently skipped during processing. + Each skipped record shifted an internal counter, causing subsequent + records to be checked against the wrong quota — potentially reading an + unlimited (0) entry instead of the configured maximum. This allowed a client with valid TSIG credentials to add an arbitrary number of records beyond the configured limit across repeated UPDATE - messages up to the `max-records-per-type` limit. :gl:`#5799` - -- Fix a crash triggered by rndc modzone on zone from configuration file. + messages, up to the :any:`max-records-per-type` limit. :gl:`#5799` - Calling `rndc modzone` on a zone that was configured in the - configuration file caused a crash. This has been fixed. +- Fix a crash triggered by :option:`rndc modzone` on a zone from a + configuration file. - ISC would like to thank Nathan Reilly for reporting this. :gl:`#5800` + Calling :option:`rndc modzone` on a zone that was configured in the + configuration file caused a crash. This has been fixed. :gl:`#5800` - Fix the processing of empty catalog zone ACLs. @@ -145,11 +149,9 @@ Bug Fixes processing a catalog zone ACL in an APL resource record that was completely empty. This has been fixed. :gl:`#5801` -- Fix potential resource during resolver error handling. +- Fix potential resource leak during resolver error handling. Under specific error conditions during query processing, resources were not being properly released, which could eventually lead to - unnecessary memory consumption for the server. The a potential - resource leak in the resolver has been fixed. - - + unnecessary memory consumption for the server. A potential resource + leak in the resolver has been fixed. :gl:`!11658`