From: Evan Hunt Date: Thu, 17 May 2018 21:55:10 +0000 (-0700) Subject: begin preparation for 9.13.0 X-Git-Tag: v9.13.0~5^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df4df8e0d529f6f15a41e4826cb0653fc306fae1;p=thirdparty%2Fbind9.git begin preparation for 9.13.0 - tidy up release notes, removing the existing "security fixes" and "bug fixes" sections - add a section in the release notes to discuss the new version numbering - update version, CHANGES, api, and mapapi files --- diff --git a/CHANGES b/CHANGES index 9ff2799e9f9..b72e4e95673 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.13.0 released --- + 4950. [bug] ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238] 4949. [placeholder] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index f22186bd7d7..56007eae0c4 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -21,11 +21,33 @@
Introduction - BIND 9.13 is unstable development release of BIND. + BIND 9.13 is an unstable development release of BIND. This document summarizes new features and functional changes that - have been introduced on this branch. With each development - release leading up to the stable BIND 9.14 release, this document - will be updated with additional features added and bugs fixed. + have been introduced on this branch. With each development release + leading up to the stable BIND 9.14 release, this document will be + updated with additional features added and bugs fixed. + +
+ +
Note on Version Numbering + + Prior to BIND 9.13, new feature development releases were tagged + as "alpha" and "beta", leading up to the first stable release + for a given development branch, which always ended in ".0". + + + Now, however, BIND has adopted the "odd-unstable/even-stable" + release numbering convention. There will be no "alpha" or "beta" + releases in the 9.13 branch, only increasing version numbers. + So, for example, what would previously have been called 9.13.0a1, + 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0, + 9.13.1, 9.13.2, etc. + + + The first stable release from this development branch will be + renamed as 9.14.0. Thereafter, maintenance releases will continue + on the 9.14 branch, while unstable feature development proceeds in + 9.15.
@@ -43,20 +65,7 @@ - Addresses could be referenced after being freed during resolver - processing, causing an assertion failure. The chances of this - happening were remote, but the introduction of a delay in - resolution increased them. This bug is disclosed in - CVE-2017-3145. [RT #46839] - - - - - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. If the name field was omitted - from the rule declaration and a type list was present it wouldn't - be interpreted as expected. + None. @@ -66,16 +75,21 @@ - BIND now can be compiled against libidn2 library to add - IDNA2008 support. Previously BIND only supported IDNA2003 - using (now obsolete) idnkit-1 library. + BIND now can be compiled against the libidn2 + library to add IDNA2008 support. Previously, BIND supported + IDNA2003 using the (now obsolete and unsupported) + idnkit-1 library. - Add root key sentinel support which enables resolvers to test - which trust anchors are configured for the root. To disable, add - 'root-key-sentinel no;' to named.conf. + named now supports the "root key sentinel" + mechanism. This enables validating resolvers to indicate to + which trust anchors are configured for the root, so that + information about root key rollover status can be gathered. + To disable this feature, add + root-key-sentinel no; to + named.conf. @@ -99,7 +113,7 @@ - Support for OpenSSL 0.9.x was removed. OpenSSL version + Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or greater, or LibreSSL is now required. @@ -130,7 +144,7 @@ The -r randomdev option to explicitly select - random device has been removed from + random device has been removed from the ddns-confgen, rndc-confgen, nsupdate, @@ -139,7 +153,7 @@ The -p option to use pseudo-random data - has been removed from dnssec-signzone + has been removed from the dnssec-signzone command. 
@@ -150,13 +164,14 @@ - BIND will now always you use the best CSPRNG - (cryptographically-secure pseudo-random number generator) - available on the platform where it is compiled. It will use - arc4random() family of functions on BSDs, getrandom() on - Linux and Solaris, CryptGenRandom on Windows, and the - selected cryptographic library (OpenSSL or PKCS#11) provider - as the last resort. [GL #221] + BIND will now always use the best CSPRNG (cryptographically-secure + pseudo-random number generator) available on the platform where + it is compiled. It will use arc4random() + family of functions on BSD operating systems, + getrandom() on Linux and Solaris, + CryptGenRandom on Windows, and the selected + cryptography provider library (OpenSSL or PKCS#11) as the last + resort. [GL #221] @@ -205,12 +220,12 @@ Several configuration options for time periods can now use TTL value suffixes (for example, 2h or 1d) in addition to an integer number of - seconds. These include: - fstrm-set-reopen-interval; - interface-interval; - max-cache-ttl; - max-ncache-ttl; - max-policy-ttl; + seconds. These include + fstrm-set-reopen-interval, + interface-interval, + max-cache-ttl, + max-ncache-ttl, + max-policy-ttl, and min-update-interval. [GL #203] 
@@ -222,40 +237,7 @@ - When answering authoritative queries, named - does not return the target of a cross-zone CNAME between two - locally served zones; this prevents accidental cache poisoning. - This same restriction was incorrectly applied to recursive - queries as well; this has been fixed. [RT #47078] - - - - - Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] - - - - - named could crash due to a race condition when - rolling dnstap log files. [RT #46942] - - - - - rndc reload could cause named - to leak memory if it was invoked before the zone loading actions - from a previous rndc reload command were - completed. [RT #47076] - - - - - named could crash when rolling a - dnstap log file. [RT #46942] + None. @@ -294,8 +276,8 @@ The end of life date for BIND 9.14 has not yet been determined. For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until December - 2021. See + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy. diff --git a/lib/bind9/api b/lib/bind9/api index d946bfa4614..dff640d76cd 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -8,6 +8,7 @@ # 9.10-sub: 180-189 # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 -LIBINTERFACE = 1200 -LIBREVISION = 3 +# 9.13: 1300-1399 +LIBINTERFACE = 1300 +LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/dns/api b/lib/dns/api index 9697aba9de9..dff640d76cd 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -8,6 +8,7 @@ # 9.10-sub: 180-189 # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 -LIBINTERFACE = 1202 -LIBREVISION = 1 -LIBAGE = 1 +# 9.13: 1300-1399 +LIBINTERFACE = 1300 +LIBREVISION = 0 +LIBAGE = 0 
diff --git a/lib/dns/mapapi b/lib/dns/mapapi index bfb7c8ad430..3a710613e9e 100644 --- a/lib/dns/mapapi +++ b/lib/dns/mapapi @@ -13,4 +13,4 @@ # Whenever releasing a new major release of BIND9, set this value # back to 1.0 when releasing the first alpha. Map files are *never* # compatible across major releases. -MAPAPI=1.1 +MAPAPI=1.0 diff --git a/lib/irs/api b/lib/irs/api index 4d31f766d21..dff640d76cd 100644 --- a/lib/irs/api +++ b/lib/irs/api @@ -8,6 +8,7 @@ # 9.10-sub: 180-189 # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 -LIBINTERFACE = 1200 -LIBREVISION = 1 +# 9.13: 1300-1399 +LIBINTERFACE = 1300 +LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index 3e53ccbeff4..dff640d76cd 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -8,6 +8,7 @@ # 9.10-sub: 180-189 # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 -LIBINTERFACE = 1202 -LIBREVISION = 1 -LIBAGE = 2 +# 9.13: 1300-1399 +LIBINTERFACE = 1300 +LIBREVISION = 0 +LIBAGE = 0 diff --git a/lib/isccc/api b/lib/isccc/api index 1c91fd4b595..dff640d76cd 100644 --- a/lib/isccc/api +++ b/lib/isccc/api @@ -8,6 +8,7 @@ # 9.10-sub: 180-189 # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 -LIBINTERFACE = 1200 +# 9.13: 1300-1399 +LIBINTERFACE = 1300 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index 4d31f766d21..dff640d76cd 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -8,6 +8,7 @@ # 9.10-sub: 180-189 # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 -LIBINTERFACE = 1200 -LIBREVISION = 1 +# 9.13: 1300-1399 +LIBINTERFACE = 1300 +LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index 832c3d42b8f..bc92fdbfb67 100644 --- a/lib/ns/api +++ b/lib/ns/api @@ -8,6 +8,7 @@ # 9.10-sub: 180-189 # 9.11: 160-169 # 9.12: 1200-1299 -LIBINTERFACE = 1202 -LIBREVISION = 1 +# 9.13: 1300-1399 +LIBINTERFACE = 1300 +LIBREVISION = 0 LIBAGE = 0 diff --git a/version b/version index b10dee1b17a..7018474341c 100644 --- a/version +++ b/version 
@@ -2,10 +2,10 @@ # configure. # PRODUCT=BIND -DESCRIPTION= +DESCRIPTION="(Development Release)" MAJORVER=9 MINORVER=13 PATCHVER=0 -RELEASETYPE=-dev +RELEASETYPE= RELEASEVER= EXTENSIONS=
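Review bot: in CHANGES, hunk @@ -1,3 +1,5 @@, the context line for entry 4950 still reads "ISC_SOCKEVENTATTR_TRUNC was not be set." Since this hunk touches the top of the file for the release marker, fix the entry text in the same commit ("was not being set" or "was not set", whichever matches the actual bug) so the typo does not ship in the 9.13.0 CHANGES.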
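Review bot: in doc/arm/notes.xml, hunk @@ -43,20 +65,7 @@, the removed update-policy paragraph is not only a record of a past fix; it states a configuration requirement that still applies (rules that ignore the name field "now require that it be set to "."). Collapsing the section to "None." drops the only mention of that requirement visible in these notes. Suggest moving that paragraph into the feature changes section instead of deleting it, or confirming it is documented elsewhere before it is removed. The CVE-2017-3145 paragraph can go as planned.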
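Review bot: in doc/arm/notes.xml, hunk @@ -66,16 +75,21 @@, the new root key sentinel text has a stray "to": "This enables validating resolvers to indicate to which trust anchors are configured for the root". It should read "to indicate which trust anchors are configured for the root". In the same hunk, "BIND now can be compiled" would read better as "BIND can now be compiled".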
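Review bot: in doc/arm/notes.xml, hunk @@ -150,13 +164,14 @@, the rewritten CSPRNG paragraph is missing an article: "It will use arc4random() family of functions on BSD operating systems" should be "It will use the arc4random() family of functions". The rewrite already fixed "always you use", so this is worth catching in the same pass. The fallback order itself (arc4random, getrandom, CryptGenRandom, then the OpenSSL or PKCS#11 provider) is unchanged from the old text.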
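Review bot: in lib/dns/mapapi, hunk @@ -13,4 +13,4 @@, the comment above the changed line still says to set the value back to 1.0 "when releasing the first alpha", but the release notes added in this same commit state there will be no "alpha" or "beta" releases in the 9.13 branch. Update the comment to match the new numbering, for example "when releasing the first development release (x.y.0 of an odd-numbered branch)", so the next person resetting MAPAPI knows when to do it.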
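Review bot: in lib/ns/api, hunk @@ -8,6 +8,7 @@, the header comment reads "# 9.11: 160-169" while the other six api files in this patch read "# 9.11: 160-169,1100-1199", and lib/ns/api is the only one whose resulting blob is not dff640d76cd. If the api files are meant to be identical after this change, align the 9.11 comment line; if the difference is deliberate, a short comment saying why would prevent it being "fixed" later.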
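Review bot: in version, hunk @@ -2,10 +2,10 @@, emptying RELEASETYPE (previously "-dev") means the version fields no longer carry any suffix marking this as a non-production build; the only remaining signal in the file is DESCRIPTION="(Development Release)". Anything that classifies builds by the release-type suffix will now see 9.13.0 as an ordinary release. Suggest adding a comment in this file stating that an odd MINORVER denotes an unstable development branch, matching the "odd-unstable/even-stable" wording added to the release notes, and checking that DESCRIPTION is actually shown wherever operators read the version.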