From: Michał Kępień Date: Fri, 9 Aug 2024 07:12:18 +0000 (+0200) Subject: Generate release documentation X-Git-Tag: v9.21.0~2^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=53cdd247bbf0976208e472481d433c306c3b1cff;p=thirdparty%2Fbind9.git Generate release documentation --- diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 0696b9c9ba6..4c7eb561e98 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,343 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. + ``f202937078f`` + + There were cases in resolver.c when the `max-recursion-queries` quota + was ineffective. It was possible to craft zones that would cause a + resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by correcting + errors in the implementation of `max-recursion-queries`, and by + reducing the default value from 100 to 32. + + In addition, a new `max-query-restarts` option has been added which + limits the number of times a recursive server will follow CNAME or + DNAME records before terminating resolution. This was previously a + hard-coded limit of 16, and now defaults to 11. :gl:`#4741` + :gl:`!9281` + +- Implement rndc retransfer -force. ``34589811c59`` + + A new optional argument '-force' has been added to the command channel + command 'rndc retransfer'. When it is specified, named aborts the + ongoing zone transfer (if there is one), and starts a new transfer. + :gl:`#2299` :gl:`!9102` + +- Add support for external log rotation tools. ``5ff1fbe1550`` + + Add two mechanisms to close open log files. The first is `rndc + closelogs`. The second is `kill -USR1 `. They are intended to be + used with external log rotation tools. :gl:`#4780` :gl:`!9113` + +- Generate changelog from git log. ``a64ecc5fdd8`` + + Use a single source of truth, the git log, to generate the list of + CHANGES. Use the .rst format and include it in the ARM for a quick + reference with proper gitlab links to issues and merge requests. + :gl:`#75` :gl:`!9152` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use only c23 or c11 noreturn specifiers. ``cd92a145a36`` + + Use `[[noreturn]]` when compiling with C23 or greater. + + The attribute macro name has been capitalized as `NORETURN` as + defining it as `noreturn` breaks external headers. `#define noreturn + __attribute__((noreturn))` wasn't used as C11's + `stdnoreturn.h`/`_Noreturn` is required to build BIND9 in the first + place. :gl:`!9149` + +- Initialize the DST subsystem implicitly. ``7f2513a5aa8`` + + Instead of calling dst_lib_init() and dst_lib_destroy() explicitly by + all the programs, create a separate memory context for the DST + subsystem and use the library constructor and destructor to initialize + the DST internals. :gl:`!9254` + +- Remove OpenSSL 1.x Engine support. ``b620b7e9118`` + + The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x + and is going to be removed from the upstream OpenSSL. Remove the + OpenSSL Engine support from BIND 9 in favor of OpenSSL 3.x Providers. + :gl:`#4828` :gl:`!9252` + +- Fix the rsa exponent to 65537. ``5fafb0e7f7b`` + + There isn't a realistic reason to ever use e = 4294967297. Fortunately + its codepath wasn't reachable to users and can be safetly removed. + + Keep in mind the `dns_key_generate` header comment was outdated. e = 3 + hasn't been used since 2006 so there isn't a reason to panic. The + toggle was the public exponents between 65537 and 4294967297. + :gl:`!9133` + +- Remove the crc64 implementation. ``9397251eb32`` + + CRC-64 has been added for map files. Now that the map file format has + been removed, there isn't a reason to keep the implementation. + :gl:`!9135` + +- Call rcu_barrier() in the isc_mem_destroy() just once. ``dcee04f70cb`` + + The previous work in this area was led by the belief that we might be + calling call_rcu() from within call_rcu() callbacks. After carefully + checking all the current callback, it became evident that this is not + the case and the problem isn't enough rcu_barrier() calls, but + something entirely else. + + Call the rcu_barrier() just once as that's enough and the multiple + rcu_barrier() calls will not hide the real problem anymore, so we can + find it. :gl:`!9134` + +- Require at least OpenSSL 1.1.1. ``96ccd962b72`` + + OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now + required to compile BIND 9. :gl:`#2806` :gl:`!9110` + +- Don't open route socket if we don't need it. ``246d5ccbc9c`` + + When automatic-interface-scan is disabled, the route socket was still + being opened. Add new API to connect / disconnect from the route + socket only as needed. + + Additionally, move the block that disables periodic interface rescans + to a place where it actually have access to the configuration values. + Previously, the values were being checked before the configuration was + loaded. :gl:`#4757` :gl:`!9122` + +- Clarify that cds_wfcq_dequeue_blocking() doesn't block if empty. + ``afe406be395`` + + :gl:`!9124` + +- Allow shorter resolver-query-timeout configuration. ``1661278b343`` + + The minimum allowed value of 'resolver-query-timeout' was lowered to + 301 milliseconds instead of the earlier 10000 milliseconds (which is + the default). As earlier, values less than or equal to 300 are + converted to seconds before applying the limit. :gl:`#4320` + :gl:`!9091` + +- Replace #define DNS_GETDB_ with struct of bools. ``020fda92b4b`` + + Replace #define DNS_GETDB_ with struct of bools to make it easier to + pretty-print the attributes in a debugger. :gl:`#4559` :gl:`!9093` + +- Fix data race in clean_finds_at_name. ``0dcc93d87a8`` + + Stop updating `find.result_v4` and `find.result_v4` in + `clean_finds_at_name`. The values are supposed to be + static. :gl:`#4118` :gl:`!9108` + +Bug Fixes +~~~~~~~~~ + +- Reconfigure catz member zones during named reconfiguration. + ``acfa5b28f91`` + + During a reconfiguration named wasn't reconfiguring catalog zones' + member zones. This has been fixed. :gl:`#4733` + +- Move the dst__openssl_toresult to isc_tls unit. ``9e7cd68d9fe`` + + Since the enable_fips_mode() now resides inside the isc_tls unit, BIND + 9 would fail to compile when FIPS mode was enabled as the DST + subsystem logging functions were missing. + + Move the crypto library logging functions from the openssl_link unit + to isc_tls unit and enhance it, so it can now be used from both places + keeping the old dst__openssl_toresult* macros alive. :gl:`!9286` + +- Disassociate the SSL object from the cached SSL_SESSION. + ``1d1bc3a1485`` + + When the SSL object was destroyed, it would invalidate all SSL_SESSION + objects including the cached, but not yet used, TLS session objects. + + Properly disassociate the SSL object from the SSL_SESSION before we + store it in the TLS session cache, so we can later destroy it without + invalidating the cached TLS sessions. :gl:`#4834` :gl:`!9271` + +- Attach/detach to the listening child socket when accepting TLS. + ``ee00bddf94f`` + + When TLS connection (TLSstream) connection was accepted, the children + listening socket was not attached to sock->server and thus it could + have been freed before all the accepted connections were actually + closed. + + In turn, this would cause us to call isc_tls_free() too soon - causing + cascade errors in pending SSL_read_ex() in the accepted connections. + + Properly attach and detach the children listening socket when + accepting and closing the server connections. :gl:`#4833` :gl:`!9270` + +- Fix --enable-tracing build on systems without dtrace. ``ced1eb358da`` + + Missing file util/dtrace.sh prevented builds on system without dtrace + utility. This has been corrected. + +- Make hypothesis optional for system tests. ``5dd3c416760`` + + Ensure that system tests can be executed without Python hypothesis + package. :gl:`#4831` :gl:`!9265` + +- Dig now reports missing query section for opcode QUERY. + ``7facf967aca`` + + Query responses should contain the question section with some + exceptions. Dig was not reporting this. :gl:`#4808` :gl:`!9233` + +- Fix assertion failure in the glue cache. ``227add4c3eb`` + + Fix an assertion failure that could happen as a result of data race + between free_gluetable() and addglue() on the same headers. + :gl:`#4691` :gl:`!9126` + +- Don't use 'create' flag unnecessarily in findnode() ``a26055f03ec`` + + when searching the cache for a node so that we can delete an rdataset, + it isn't necessary to set the 'create' flag. if the node doesn't exist + yet, we won't be able to delete anything from it anyway. :gl:`!9158` + +- Raise the log level of priming failures. ``6573276bada`` + + When a priming query is complete, it's currently logged at level + ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising + it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + :gl:`!9121` + +- Fix assertion failure when checking named-checkconf version. + ``00739e99f67`` + + Checking the version of `named-checkconf` would end with assertion + failure. This has been fixed. :gl:`#4827` :gl:`!9243` + +- Valid TSIG signatures with invalid time cause crash. ``7a705a3ea4e`` + + An assertion failure triggers when the TSIG has valid cryptographic + signature, but the time is invalid. This can happen when the times + between the primary and secondary servers are not synchronised. + :gl:`#4811` :gl:`!9234` + +- Don't skip the counting if fcount_incr() is called with force==true. + ``026024a6aed`` + + The fcount_incr() was incorrectly skipping the accounting for the + fetches-per-zone if the force argument was set to true. We want to + skip the accounting only when the fetches-per-zone is completely + disabled, but for individual names we need to do the accounting even + if we are forcing the result to be success. :gl:`#4786` :gl:`!9115` + +- Remove superfluous memset() in isc_nmsocket_init() ``4c363393ff1`` + + The tlsstream part of the isc_nmsocket_t gets initialized via + designater initializer and doesn't need the extra memset() later; just + remove it. :gl:`!9120` + +- Fix PTHREAD_MUTEX_ADAPTIVE_NP and PTHREAD_MUTEX_ERRORCHECK_NP usage. + ``4efdb8b00a0`` + + The PTHREAD_MUTEX_ADAPTIVE_NP and PTHREAD_MUTEX_ERRORCHECK_NP are + usually not defines, but enum values, so simple preprocessor check + doesn't work. + + Check for PTHREAD_MUTEX_ADAPTIVE_NP from the autoconf + AS_COMPILE_IFELSE block and define HAVE_PTHREAD_MUTEX_ADAPTIVE_NP. + This should enable adaptive mutex on Linux and FreeBSD. + + As PTHREAD_MUTEX_ERRORCHECK actually comes from POSIX and Linux glibc + does define it when compatibility macros are being set, we can just + use PTHREAD_MUTEX_ERRORCHECK instead of PTHREAD_MUTEX_ERRORCHECK_NP. + :gl:`!9111` + +- Remove extra newline from yaml output. ``b9cbd3bc767`` + + I split this into two commits, one for the actual newline removal, and + one for issues I found, ruining the yaml output when some errors were + outputted. + +- CID 498025 and CID 498031: Overflowed constant INTEGER_OVERFLOW. + ``35d93624a56`` + + Add INSIST to fail if the multiplication would cause the variables to + overflow. :gl:`#4798` :gl:`!9131` + +- Remove unnecessary operations. ``33f4ee7c36c`` + + Decrementing optlen immediately before calling continue is unneccesary + and inconsistent with the rest of dns_message_pseudosectiontoyaml and + dns_message_pseudosectiontotext. Coverity was also reporting an + impossible false positive overflow of optlen (CID 499061). + + 4176 } else if (optcode == DNS_OPT_CLIENT_TAG) + { 4177 uint16_t id; 4178 + ADD_STRING(target, "; CLIENT-TAG:"); 4179 + if (optlen == 2U) { 4180 id + = isc_buffer_getuint16(&optbuf); 4181 + snprintf(buf, sizeof(buf), " %u\n", id); 4182 + ADD_STRING(target, buf); + + CID 499061: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW) + overflow_const: Expression optlen, which is equal to 65534, underflows + the type that receives it, an unsigned integer 16 bits wide. 4183 + optlen -= 2; 4184 + POST(optlen); 4185 + continue; 4186 } 4187 + } else if (optcode == DNS_OPT_SERVER_TAG) { :gl:`!9130` + +- Fix generation of 6to4-self name expansion from IPv4 address. + ``ea2a5909a56`` + + The period between the most significant nibble of the encoded IPv4 + address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the + wrong name being checked. Add system test for 6to4-self + implementation. :gl:`#4766` :gl:`!9099` + +- Fix false QNAME minimisation error being reported. ``5857a4d3972`` + + Remove the false positive "success resolving" log message when QNAME + minimisation is in effect and the final result is NXDOMAIN. + :gl:`#4784` :gl:`!9117` + +- Dig +yaml was producing unexpected and/or invalid YAML output. + ``93d7d221bd9`` + + :gl:`#4796` :gl:`!9127` + +- SVBC alpn text parsing failed to reject zero length alpn. + ``0b56763df3f`` + + :gl:`#4775` :gl:`!9106` + +- Return SERVFAIL for a too long CNAME chain. ``89ab9e948d1`` + + When cutting a long CNAME chain, named was returning NOERROR instead + of SERVFAIL (alongside with a partial answer). This has been fixed. + :gl:`#4449` :gl:`!9090` + +- Properly calculate the amount of system memory. ``6427d625ea5`` + + On 32 bit machines isc_meminfo_totalphys could return an incorrect + value. :gl:`#4799` :gl:`!9132` + +- Update key lifetime and metadata after dnssec-policy reconfig. + ``d9d882816aa`` + + Adjust key state and timing metadata if dnssec-policy key lifetime + configuration is updated, so that it also affects existing keys. + :gl:`#4677` :gl:`!9118` + + Changes prior to 9.20.0 ----------------------- diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 0e089b68bc9..f63aae5a9d3 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -9,33 +9,149 @@ .. See the COPYRIGHT file distributed with this work for additional .. information regarding copyright ownership. -Notes for BIND 9.21.0 ---------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- None. +(-dev) +------ New Features ~~~~~~~~~~~~ -- None. +- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. + + There were cases in resolver.c when the `max-recursion-queries` quota + was ineffective. It was possible to craft zones that would cause a + resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by correcting + errors in the implementation of `max-recursion-queries`, and by + reducing the default value from 100 to 32. + + In addition, a new `max-query-restarts` option has been added which + limits the number of times a recursive server will follow CNAME or + DNAME records before terminating resolution. This was previously a + hard-coded limit of 16, and now defaults to 11. :gl:`#4741` + :gl:`!9281` + +- Implement rndc retransfer -force. -Removed Features -~~~~~~~~~~~~~~~~ + A new optional argument '-force' has been added to the command channel + command 'rndc retransfer'. When it is specified, named aborts the + ongoing zone transfer (if there is one), and starts a new transfer. + :gl:`#2299` :gl:`!9102` -- None. +- Add support for external log rotation tools. + + Add two mechanisms to close open log files. The first is `rndc + closelogs`. The second is `kill -USR1 `. They are intended to be + used with external log rotation tools. :gl:`#4780` :gl:`!9113` Feature Changes ~~~~~~~~~~~~~~~ -- None. +- Remove OpenSSL 1.x Engine support. + + The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x + and is going to be removed from the upstream OpenSSL. Remove the + OpenSSL Engine support from BIND 9 in favor of OpenSSL 3.x Providers. + :gl:`#4828` :gl:`!9252` + +- Require at least OpenSSL 1.1.1. + + OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now + required to compile BIND 9. :gl:`#2806` :gl:`!9110` + +- Allow shorter resolver-query-timeout configuration. + + The minimum allowed value of 'resolver-query-timeout' was lowered to + 301 milliseconds instead of the earlier 10000 milliseconds (which is + the default). As earlier, values less than or equal to 300 are + converted to seconds before applying the limit. :gl:`#4320` + :gl:`!9091` Bug Fixes ~~~~~~~~~ -- None. +- Reconfigure catz member zones during named reconfiguration. + + During a reconfiguration named wasn't reconfiguring catalog zones' + member zones. This has been fixed. :gl:`#4733` + +- Fix --enable-tracing build on systems without dtrace. + + Missing file util/dtrace.sh prevented builds on system without dtrace + utility. This has been corrected. + +- Dig now reports missing query section for opcode QUERY. + + Query responses should contain the question section with some + exceptions. Dig was not reporting this. :gl:`#4808` :gl:`!9233` + +- Fix assertion failure in the glue cache. + + Fix an assertion failure that could happen as a result of data race + between free_gluetable() and addglue() on the same headers. + :gl:`#4691` :gl:`!9126` + +- Raise the log level of priming failures. + + When a priming query is complete, it's currently logged at level + ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising + it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + :gl:`!9121` + +- Fix assertion failure when checking named-checkconf version. + + Checking the version of `named-checkconf` would end with assertion + failure. This has been fixed. :gl:`#4827` :gl:`!9243` + +- Valid TSIG signatures with invalid time cause crash. + + An assertion failure triggers when the TSIG has valid cryptographic + signature, but the time is invalid. This can happen when the times + between the primary and secondary servers are not synchronised. + :gl:`#4811` :gl:`!9234` + +- Remove extra newline from yaml output. + + I split this into two commits, one for the actual newline removal, and + one for issues I found, ruining the yaml output when some errors were + outputted. + +- Fix generation of 6to4-self name expansion from IPv4 address. + + The period between the most significant nibble of the encoded IPv4 + address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the + wrong name being checked. Add system test for 6to4-self + implementation. :gl:`#4766` :gl:`!9099` + +- Fix false QNAME minimisation error being reported. + + Remove the false positive "success resolving" log message when QNAME + minimisation is in effect and the final result is NXDOMAIN. + :gl:`#4784` :gl:`!9117` + +- Dig +yaml was producing unexpected and/or invalid YAML output. + + :gl:`#4796` :gl:`!9127` + +- SVBC alpn text parsing failed to reject zero length alpn. + + :gl:`#4775` :gl:`!9106` + +- Return SERVFAIL for a too long CNAME chain. + + When cutting a long CNAME chain, named was returning NOERROR instead + of SERVFAIL (alongside with a partial answer). This has been fixed. + :gl:`#4449` :gl:`!9090` + +- Properly calculate the amount of system memory. + + On 32 bit machines isc_meminfo_totalphys could return an incorrect + value. :gl:`#4799` :gl:`!9132` + +- Update key lifetime and metadata after dnssec-policy reconfig. + + Adjust key state and timing metadata if dnssec-policy key lifetime + configuration is updated, so that it also affects existing keys. + :gl:`#4677` :gl:`!9118` Known Issues ~~~~~~~~~~~~