From: Michał Kępień Date: Tue, 10 Aug 2021 10:20:52 +0000 (+0200) Subject: Tweak and reword recent CHANGES entries X-Git-Tag: v9.17.17~2^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fef0a79fe8786bf1469e8675d465405bdca98eaa;p=thirdparty%2Fbind9.git Tweak and reword recent CHANGES entries --- diff --git a/CHANGES b/CHANGES index 56ab22d58ec..c9e209544a6 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,87 +1,92 @@ -5689. [security] An assertion failure occurred when rate-limiting - was applied to a UDP packet exceeding the link MTU - size. (CVE-2021-25218) [GL #2839] +5689. [security] An assertion failure occurred when named attempted to + send a UDP packet that exceeded the MTU size, if + Response Rate Limiting (RRL) was enabled. + (CVE-2021-25218) [GL #2856] -5688. [bug] Inline and dnssec-policy zones could fail to apply - changes from the unsigned zone to the signed zone - under certain cirumstances. [GL #2735] +5688. [bug] Zones using KASP and inline-signed zones failed to apply + changes from the unsigned zone to the signed zone under + certain circumstances. This has been fixed. [GL #2735] -5687. [bug] Update the load time of touched inline zones. - [GL #2542] +5687. [bug] "rndc reload " could trigger a redundant + reload for an inline-signed zone whose zone file was not + modified since the last "rndc reload". This has been + fixed. [GL #2855] 5686. [func] The number of internal data structures allocated for each zone was reduced. [GL #2829] -5685. [bug] Check the opcodes of messages returned by - dns_request_getresponse. [GL #2762] - -5684. [func] Changes to the DNS-over-HTTP (DoH) configuration - syntax: - - - The maximum number of active DoH connections - can now be set using the "http-listener-clients" - option. The default is 300. - - The maximum number of concurrent HTTP/2 streams - per connection can be set using via the - "http-streams-per-connection" option. The default - is 100. - - Both of these values also can be set on a per- - listener basis using the "listener-clients" and - "streams-per-connection" parameters in an - "http" statement. For example: - http { - listener-clients ; - streams-per-connection ; - }; +5685. [bug] named failed to check the opcode of responses when + performing zone refreshes, stub zone updates, and UPDATE + forwarding. This has been fixed. [GL #2762] + +5684. 
[func] The DNS-over-HTTP (DoH) configuration syntax was + extended: + - The maximum number of active DoH connections can now + be set using the "http-listener-clients" option. The + default is 300. + - The maximum number of concurrent HTTP/2 streams per + connection can now be set using the + "http-streams-per-connection" option. The default is + 100. + - Both of these values can also be set on a per-listener + basis using the "listener-clients" and + "streams-per-connection" parameters in an "http" + statement. [GL #2809] -5683. [func] The configuration checking code now verifies - HTTP paths. [GL !5231] +5683. [bug] The configuration-checking code now verifies HTTP paths. + [GL !5231] -5682. [bug] Not all changes to zone-statistics settings were - properly processed. [GL #2820] +5682. [bug] Some changes to "zone-statistics" settings were not + properly processed by "rndc reconfig". This has been + fixed. [GL #2820] -5681. [func] Relax the "zone_cdscheck" function to allow CDS and - CDNSKEY records in the zone that do not match an - existing DNSKEY record, so long as the algorithm - does match. This allows a clean rollover from one +5681. [func] Relax the checks in the dns_zone_cdscheck() function to + allow CDS and CDNSKEY records in the zone that do not + match an existing DNSKEY record, as long as the + algorithm matches. This allows a clean rollover from one provider to another in a multi-signer DNSSEC - configuration. [GL #2710]. + configuration. [GL #2710] -5680. [bug] Fix a crash in DoH code caused by GET requests without - query strings. [GL !5268] +5680. [bug] HTTP GET requests without query strings caused a crash + in DoH code. This has been fixed. [GL !5268] -5679. [bug] Disable setting the thread affinity. [GL #2822] +5679. [func] Thread affinity is no longer set. [GL #2822] 5678. [bug] The "check DS" code failed to release all resources upon named shutdown when a refresh was in progress. This has been fixed. [GL #2811] -5677. 
[func] Only accept FORMERR without a OPT record as an - indication that the server does net support EDNS. - This will break communication with servers that - don't understand EDNS and incorrectly echo back - the request message with the rcode field set to - FORMERR and the QR bit set to 1. [GL #2249] - -5676. [func] Memory allocation has been substantially refactored, - and is now based on the memory allocation API - provided by 'libjemalloc'. This is now a build - dependency for BIND. [GL #2433] - -5675. [bug] Improve BIND's compatibility with DoH clients by - ignoring an "Accept" HTTP header value. [GL !5246] - -5674. [bug] Fix BIND hanging when HTTP/2 streams are aborted - prematurely by web browsers. [GL !5245] - -5673. [func] Add "--disable-doh" configuration option to allow - BIND 9 to compile without libnghttp2 library. +5677. [func] Previously, named accepted FORMERR responses both with + and without an OPT record, as an indication that a given + server did not support EDNS. To implement full + compliance with RFC 6891, only FORMERR responses without + an OPT record are now accepted. This intentionally + breaks communication with servers that do not support + EDNS and that incorrectly echo back the query message + with the RCODE field set to FORMERR and the QR bit set + to 1. [GL #2249] + +5676. [func] Memory allocation has been substantially refactored; it + is now based on the memory allocation API provided by + the jemalloc library, which is a new optional build + dependency for BIND 9. [GL #2433] + +5675. [bug] Compatibility with DoH clients has been improved by + ignoring the value of the "Accept" HTTP header. + [GL !5246] + +5674. [bug] A shutdown hang was triggered by DoH clients prematurely + aborting HTTP/2 streams. This has been fixed. [GL !5245] + +5673. [func] Add a new build-time option, --disable-doh, to allow + building BIND 9 without the libnghttp2 library. [GL #2478] 5672. 
[bug] Authentication of rndc messages could fail if a - "controls" statement was configured with multiple - key algorithms in the same listener. [GL #2756] + "controls" statement was configured with multiple key + algorithms for the same listener. This has been fixed. + [GL #2756] --- 9.17.16 released ---
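Review bot: the reworded 5676 entry changes the substance of the changelog, not just its wording: the removed text said jemalloc "is now a build dependency for BIND", while the replacement calls it "a new optional build dependency for BIND 9". Only one of these can be right for packagers reading CHANGES, so confirm which matches the build system before merging. Two entries also change their issue references without the commit message mentioning it: 5689 moves from [GL #2839] to [GL #2856] (this is the CVE-2021-25218 entry, so that reference is the one advisory readers will follow) and 5687 moves from [GL #2542] to [GL #2855]; please confirm both are intended. In the same 5687 entry the command is rendered as "rndc reload " with nothing after "reload", so the zone-name placeholder appears to have been lost; check the committed text. Finally, most entries were reworded into the descriptive past tense ("This has been fixed."), but 5673 still opens with the imperative "Add a new build-time option" and 5681 with "Relax the checks"; rewording those two the same way would keep the style consistent.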