From: Michał Kępień Date: Mon, 11 Apr 2022 08:05:50 +0000 (+0200) Subject: Remove release notes for BIND 9.17.x X-Git-Tag: v9.19.0~2^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c0bf20ed8ac068b568ed8d8e965bdae1843ed80;p=thirdparty%2Fbind9.git Remove release notes for BIND 9.17.x --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 7a0c6a6f9e0..c0793b2e8a6 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -37,29 +37,6 @@ https://www.isc.org/download/. There you will find additional information about each release, and source code. .. include:: ../notes/notes-current.rst -.. include:: ../notes/notes-9.17.22.rst -.. include:: ../notes/notes-9.17.21.rst -.. include:: ../notes/notes-9.17.20.rst -.. include:: ../notes/notes-9.17.19.rst -.. include:: ../notes/notes-9.17.18.rst -.. include:: ../notes/notes-9.17.17.rst -.. include:: ../notes/notes-9.17.16.rst -.. include:: ../notes/notes-9.17.15.rst -.. include:: ../notes/notes-9.17.14.rst -.. include:: ../notes/notes-9.17.13.rst -.. include:: ../notes/notes-9.17.12.rst -.. include:: ../notes/notes-9.17.11.rst -.. include:: ../notes/notes-9.17.10.rst -.. include:: ../notes/notes-9.17.9.rst -.. include:: ../notes/notes-9.17.8.rst -.. include:: ../notes/notes-9.17.7.rst -.. include:: ../notes/notes-9.17.6.rst -.. include:: ../notes/notes-9.17.5.rst -.. include:: ../notes/notes-9.17.4.rst -.. include:: ../notes/notes-9.17.3.rst -.. include:: ../notes/notes-9.17.2.rst -.. include:: ../notes/notes-9.17.1.rst -.. include:: ../notes/notes-9.17.0.rst .. _relnotes_license: diff --git a/doc/notes/notes-9.17.0.rst b/doc/notes/notes-9.17.0.rst deleted file mode 100644 index c33d22caa24..00000000000 --- a/doc/notes/notes-9.17.0.rst +++ /dev/null @@ -1,75 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.0 ---------------------- - -Known Issues -~~~~~~~~~~~~ - -- UDP network ports used for listening can no longer simultaneously be - used for sending traffic. An example configuration which triggers - this issue would be one which uses the same ``address:port`` pair for - ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or - ``transfer-source(-v6)``. While this issue affects all operating - systems, it only triggers log messages (e.g. "unable to create - dispatch for reserved port") on some of them. There are currently no - plans to make such a combination of settings work again. - -New Features -~~~~~~~~~~~~ - -- When a secondary server receives a large incremental zone transfer - (IXFR), it can have a negative impact on query performance while the - incremental changes are applied to the zone. To address this, - :iscman:`named` can now limit the size of IXFR responses it sends in - response to zone transfer requests. If an IXFR response would be - larger than an AXFR of the entire zone, it will send an AXFR response - instead. - - This behavior is controlled by the ``max-ixfr-ratio`` option - a - percentage value representing the ratio of IXFR size to the size of a - full zone transfer. The default is ``100%``. :gl:`#1515` - -- A new RPZ option ``nsdname-wait-recurse`` controls whether - RPZ-NSDNAME rules should always be applied even if the names of - authoritative name servers for the query name need to be looked up - recurively first. The default is ``yes``. Setting it to ``no`` speeds - up initial responses by skipping RPZ-NSDNAME rules when name server - domain names are not yet in the cache. The names will be looked up in - the background and the rule will be applied for subsequent queries. - :gl:`#1138` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The system-provided POSIX Threads read-write lock implementation is - now used by default instead of the native BIND 9 implementation. - Please be aware that glibc versions 2.26 through 2.29 had a bug_ that - could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and - most current Linux distributions have patched or updated glibc, with - the notable exception of Ubuntu 18.04 (Bionic) which is a work in - progress. If you are running on an affected operating system, compile - BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of - glibc is available. :gl:`!3125` - -.. _bug: https://sourceware.org/bugzilla/show_bug.cgi?id=23844 - -- The :option:`rndc nta -dump ` and :option:`rndc secroots` commands now both - include ``validate-except`` entries when listing negative trust - anchors. These are indicated by the keyword ``permanent`` in place of - the expiry date. :gl:`#1532` - -Bug Fixes -~~~~~~~~~ - -- Fixed re-signing issues with inline zones which resulted in records - being re-signed late or not at all. diff --git a/doc/notes/notes-9.17.1.rst b/doc/notes/notes-9.17.1.rst deleted file mode 100644 index 7a7aa9cb100..00000000000 --- a/doc/notes/notes-9.17.1.rst +++ /dev/null @@ -1,70 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.1 ---------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- DNS rebinding protection was ineffective when BIND 9 is configured as - a forwarding DNS server. Found and responsibly reported by Tobias - Klein. :gl:`#1574` - -Known Issues -~~~~~~~~~~~~ - -- We have received reports that in some circumstances, receipt of an - IXFR can cause the processing of queries to slow significantly. Some - of these were related to RPZ processing, which has been fixed in this - release (see below). Others appear to occur where there are - NSEC3-related changes (such as an operator changing the NSEC3 salt - used in the hash calculation). These are being investigated. - :gl:`#1685` - -New Features -~~~~~~~~~~~~ - -- A new option, ``nsdname-wait-recurse``, has been added to the - ``response-policy`` clause in the configuration file. When set to - ``no``, RPZ NSDNAME rules are only applied if the authoritative - nameservers for the query name have been looked up and are present in - the cache. If this information is not present, the RPZ NSDNAME rules - are ignored, but the information is looked up in the background and - applied to subsequent queries. The default is ``yes``, meaning that - RPZ NSDNAME rules should always be applied, even if the information - needs to be looked up first. :gl:`#1138` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The previous DNSSEC sign statistics used lots of memory. The number - of keys to track is reduced to four per zone, which should be enough - for 99% of all signed zones. :gl:`#1179` - -Bug Fixes -~~~~~~~~~ - -- When an RPZ policy zone was updated via zone transfer and a large - number of records was deleted, :iscman:`named` could become nonresponsive - for a short period while deleted names were removed from the RPZ - summary database. This database cleanup is now done incrementally - over a longer period of time, reducing such delays. :gl:`#1447` - -- When trying to migrate an already-signed zone from ``auto-dnssec - maintain`` to one based on ``dnssec-policy``, the existing keys were - immediately deleted and replaced with new ones. As the key rollover - timing constraints were not being followed, it was possible that some - clients would not have been able to validate responses until all old - DNSSEC information had timed out from caches. BIND now looks at the - time metadata of the existing keys and incorporates it into its - DNSSEC policy operation. :gl:`#1706` - diff --git a/doc/notes/notes-9.17.10.rst b/doc/notes/notes-9.17.10.rst deleted file mode 100644 index 6ffa6ee3216..00000000000 --- a/doc/notes/notes-9.17.10.rst +++ /dev/null @@ -1,119 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.10 ----------------------- - -New Features -~~~~~~~~~~~~ - -- Support for DNS-over-HTTPS (DoH) was added to :iscman:`named`. Because of - this, the ``nghttp2`` HTTP/2 library is now required for building the - development branch of BIND 9. Both TLS-encrypted and unencrypted - HTTP/2 connections are supported (the latter may be used to offload - encryption to other software). - - Note that there is no client-side support for HTTPS as yet; this will - be added to :iscman:`dig` in a future release. :gl:`#1144` - -- :iscman:`named` now supports XFR-over-TLS (XoT) for incoming as well as - outgoing zone transfers. Addresses in a ``primaries`` list can now be - accompanied by an optional ``tls`` keyword, followed by either the - name of a previously configured ``tls`` statement or ``ephemeral``. - :gl:`#2392` - -- A new option, ``stale-answer-client-timeout``, has been added to - improve :iscman:`named`'s behavior with respect to serving stale data. The - option defines the amount of time :iscman:`named` waits before attempting to - answer the query with a stale RRset from cache. If a stale answer is - found, :iscman:`named` continues the ongoing fetches, attempting to refresh - the RRset in cache until the ``resolver-query-timeout`` interval is - reached. - - The default value is ``1800`` (in milliseconds) and the maximum value - is limited to ``resolver-query-timeout`` minus one second. A value of - ``0`` causes any available cached RRset to immediately be returned - while still triggering a refresh of the data in cache. - - This new behavior can be disabled by setting - ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new - option has no effect if ``stale-answer-enable`` is disabled. - :gl:`#2247` - -Removed Features -~~~~~~~~~~~~~~~~ - -- A number of non-working configuration options that had been marked as - obsolete in previous releases have now been removed completely. Using - any of the following options is now considered a configuration - failure: ``acache-cleaning-interval``, ``acache-enable``, - ``additional-from-auth``, ``additional-from-cache``, - ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``, - ``dnssec-lookaside``, :iscman:`filter-aaaa`, ``filter-aaaa-on-v4``, - ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, - ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, - ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, - ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086` - -Feature Changes -~~~~~~~~~~~~~~~ - -- When serve-stale is enabled and stale data is available, :iscman:`named` now - returns stale answers upon encountering any unexpected error in the - query resolution process. This may happen, for example, if the - ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In - this case, :iscman:`named` attempts to answer DNS requests with stale data, - but does not start the ``stale-refresh-time`` window. :gl:`#2434` - -- The default value of ``max-stale-ttl`` has been changed from 12 hours - to 1 day and the default value of ``stale-answer-ttl`` has been - changed from 1 second to 30 seconds, following :rfc:`8767` - recommendations. :gl:`#2248` - -- The SONAMEs for BIND 9 libraries now include the current BIND 9 - version number, in an effort to tightly couple internal libraries with - a specific release. This change makes the BIND 9 release process both - simpler and more consistent while also unequivocally preventing BIND 9 - binaries from silently loading wrong versions of shared libraries (or - multiple versions of the same shared library) at startup. :gl:`#2387` - -- When ``check-names`` is in effect, A records below an ``_spf``, - ``_spf_rate``, or ``_spf_verify`` label (which are employed by the - ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix - D.1) are no longer reported as warnings/errors. :gl:`#2377` - -Bug Fixes -~~~~~~~~~ - -- :iscman:`named` failed to start when its configuration included a zone with - a non-builtin ``allow-update`` ACL attached. :gl:`#2413` - -- Previously, :iscman:`dnssec-keyfromlabel` crashed when operating on an ECDSA - key. This has been fixed. :gl:`#2178` - -- KASP incorrectly set signature validity to the value of the DNSKEY - signature validity. This has been fixed. :gl:`#2383` - -- When migrating to KASP, BIND 9 considered keys with the ``Inactive`` - and/or ``Delete`` timing metadata to be possible active keys. This has - been fixed. :gl:`#2406` - -- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled - faster than the time required to finish the rollover procedure, the - successor relation equation failed because it assumed only two keys - were taking part in a rollover. This could lead to premature removal - of predecessor keys. BIND 9 now implements a recursive successor - relation, as described in the paper "Flexible and Robust Key Rollover" - (Equation (2)). :gl:`#2375` - -- Performance of the DNSSEC verification code (used by - :iscman:`dnssec-signzone`, :iscman:`dnssec-verify`, and mirror zones) has been - improved. :gl:`#2073` diff --git a/doc/notes/notes-9.17.11.rst b/doc/notes/notes-9.17.11.rst deleted file mode 100644 index 502f893e70a..00000000000 --- a/doc/notes/notes-9.17.11.rst +++ /dev/null @@ -1,91 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.11 ----------------------- - -New Features -~~~~~~~~~~~~ - -- :iscman:`dig` has been extended to support DNS-over-HTTPS (DoH) queries, - using ``dig +https`` and related options. :gl:`#1641` - -- A new ``purge-keys`` option has been added to ``dnssec-policy``. It - sets the period of time that key files are retained after becoming - obsolete due to a key rollover; the default is 90 days. This feature - can be disabled by setting ``purge-keys`` to 0. :gl:`#2408` - -Feature Changes -~~~~~~~~~~~~~~~ - -- To prevent users from inadvertently configuring unencrypted - DNS-over-HTTPS (DoH) in BIND 9, ``listen-on`` and ``listen-on-v6`` - statements using the ``http`` parameter must now also specify the - ``tls`` parameter. ``tls none`` can be used to explicitly allow - unencrypted HTTP connections. :gl:`#2472` - -- ``http default`` can now be specified in ``listen-on`` and - ``listen-on-v6`` statements to use the default HTTP endpoint of - ``/dns-query``. It is no longer necessary to include an ``http`` - statement in :iscman:`named.conf` unless overriding this value. :gl:`#2472` - -Bug Fixes -~~~~~~~~~ - -- Zone journal (``.jnl``) files created by versions of :iscman:`named` prior - to 9.16.12 were no longer compatible; this could cause problems when - upgrading if journal files were not synchronized first. This has been - corrected: older journal files can now be read when starting up. When - an old-style journal file is detected, it is updated to the new format - immediately after loading. - - Note that journals created by the current version of :iscman:`named` are not - usable by versions prior to 9.16.12. Before downgrading to a prior - release, users are advised to ensure that all dynamic zones have been - synchronized using :option:`rndc sync -clean `. - - A journal file's format can be changed manually by running - ``named-journalprint -d`` (downgrade) or ``named-journalprint -u`` - (upgrade). Note that this *must not* be done while :iscman:`named` is - running. :gl:`#2505` - -- :iscman:`named` crashed when it was allowed to serve stale answers and - ``stale-answer-client-timeout`` was triggered without any (stale) data - available in the cache to answer the query. :gl:`#2503` - -- If an outgoing packet exceeded ``max-udp-size``, :iscman:`named` dropped it - instead of sending back a proper response. To prevent this problem, - the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has - been happening since BIND 9.17.6. :gl:`#2466` - -- NSEC3 records were not immediately created when signing a dynamic zone - using ``dnssec-policy`` with ``nsec3param``. This has been fixed. - :gl:`#2498` - -- A memory leak occurred when :iscman:`named` was reconfigured after adding an - inline-signed zone with ``auto-dnssec maintain`` enabled. This has - been fixed. :gl:`#2041` - -- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in - a LOC record resulted in an INSIST failure when a zone file containing - such a record was loaded. :gl:`#2499` - -- If an invalid key name (e.g. ``a..b``) was specified in a - ``primaries`` list in :iscman:`named.conf`, the wrong size was passed to - ``isc_mem_put()``, which resulted in the returned memory being put on - the wrong free list and prevented :iscman:`named` from starting up. This has - been fixed. :gl:`#2460` - -- ``libtool`` was inadvertently introduced as a build-time requirement - when the build system was revamped in BIND 9.17.2. This unnecessarily - prevented hosts without that tool from building BIND 9 from source - tarballs. A standalone ``libtool`` script no longer needs to be - present in ``PATH`` to build BIND 9 from a source tarball. :gl:`#2504` diff --git a/doc/notes/notes-9.17.12.rst b/doc/notes/notes-9.17.12.rst deleted file mode 100644 index fbbf0e63ff6..00000000000 --- a/doc/notes/notes-9.17.12.rst +++ /dev/null @@ -1,87 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.12 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- A malformed incoming IXFR transfer could trigger an assertion failure - in :iscman:`named`, causing it to quit abnormally. (CVE-2021-25214) - - ISC would like to thank Greg Kuechle of SaskTel for bringing this - vulnerability to our attention. :gl:`#2467` - -- :iscman:`named` crashed when a DNAME record placed in the ANSWER section - during DNAME chasing turned out to be the final answer to a client - query. (CVE-2021-25215) - - ISC would like to thank `Siva Kakarla`_ for bringing this - vulnerability to our attention. :gl:`#2540` - -.. _Siva Kakarla: https://github.com/sivakesava1 - -Feature Changes -~~~~~~~~~~~~~~~ - -- The ISC implementation of SPNEGO was removed from BIND 9 source code. - Instead, BIND 9 now always uses the SPNEGO implementation provided by - the system GSSAPI library when it is built with GSSAPI support. All - major contemporary Kerberos/GSSAPI libraries contain an implementation - of the SPNEGO mechanism. This change was introduced in BIND 9.17.2, - but it was not included in the release notes at the time. :gl:`#2607` - -- The default value for the ``stale-answer-client-timeout`` option was - changed from ``1800`` (ms) to ``off``. The default value may be - changed again in future releases as this feature matures. :gl:`#2608` - -Bug Fixes -~~~~~~~~~ - -- TCP idle and initial timeouts were being incorrectly applied: only the - ``tcp-initial-timeout`` was applied on the whole connection, even if - the connection were still active, which could prevent a large zone - transfer from being sent back to the client. The default setting for - ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP - connection taking more than 30 seconds was abruptly terminated. This - has been fixed. :gl:`#2583` - -- When ``stale-answer-client-timeout`` was set to a positive value and - recursion for a client query completed when :iscman:`named` was about to - look for a stale answer, an assertion could fail in - ``query_respond()``, resulting in a crash. This has been fixed. - :gl:`#2594` - -- After upgrading to the previous release, journal files for trust - anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a - corrupt state. (Other zone journal files were not affected.) This has - been fixed. If a corrupt journal file is detected, :iscman:`named` can now - recover from it. :gl:`#2600` - -- When sending queries over TCP, :iscman:`dig` now properly handles ``+tries=1 - +retry=0`` by not retrying the connection when the remote server - closes the connection prematurely. :gl:`#2490` - -- CDS/CDNSKEY DELETE records are now removed when a zone transitions - from a secure to an insecure state. :iscman:`named-checkzone` also no longer - reports an error when such records are found in an unsigned zone. - :gl:`#2517` - -- Zones using KASP could not be thawed after they were frozen using - :option:`rndc freeze`. This has been fixed. :gl:`#2523` - -- After :option:`rndc dnssec -checkds ` or :option:`rndc dnssec -rollover ` is used, - :iscman:`named` now immediately attempts to reconfigure zone keys. This - change prevents unnecessary key rollover delays. :gl:`#2488` - -- :iscman:`named` crashed after skipping a primary server while transferring a - zone over TLS. This has been fixed. :gl:`#2562` diff --git a/doc/notes/notes-9.17.13.rst b/doc/notes/notes-9.17.13.rst deleted file mode 100644 index 1f9e9469419..00000000000 --- a/doc/notes/notes-9.17.13.rst +++ /dev/null @@ -1,84 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.13 ----------------------- - -Feature Changes -~~~~~~~~~~~~~~~ - -- DNSSEC responses containing NSEC3 records with iteration counts - greater than 150 are now treated as insecure. :gl:`#2445` - -- The maximum supported number of NSEC3 iterations that can be - configured for a zone has been reduced to 150. :gl:`#2642` - -- After the network manager was introduced to :iscman:`named` to handle - incoming traffic, it was discovered that recursive performance had - degraded compared to previous BIND 9 versions. This has now been - fixed by processing internal tasks inside network manager worker - threads, preventing resource contention among two sets of threads. - :gl:`#2638` - -- Zones that want to transition from secure to insecure mode without - becoming bogus in the process must now have their ``dnssec-policy`` - changed first to ``insecure``, rather than ``none``. After the DNSSEC - records have been removed from the zone, the ``dnssec-policy`` can be - set to ``none`` or removed from the configuration. Setting the - ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE - records to be published. :gl:`#2645` - -- The implementation of the ZONEMD RR type has been updated to match - :rfc:`8976`. :gl:`#2658` - -- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: - NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value - or the SOA TTL. :gl:`#2347` - -Bug Fixes -~~~~~~~~~ - -- If zone journal files written by BIND 9.16.11 or earlier were present - when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file - for that zone could have been inadvertently rewritten with the current - zone contents. This caused the original zone file structure (e.g. - comments, ``$INCLUDE`` directives) to be lost, although the zone data - itself was preserved. :gl:`#2623` - -- It was possible for corrupt journal files generated by an earlier - version of :iscman:`named` to cause problems after an upgrade. This has been - fixed. :gl:`#2670` - -- TTL values in cache dumps were reported incorrectly when - ``stale-cache-enable`` was set to ``yes``. This has been fixed. - :gl:`#389` :gl:`#2289` - -- A deadlock could occur when multiple :option:`rndc addzone`, :option:`rndc - delzone`, and/or :option:`rndc modzone` commands were invoked - simultaneously for different zones. This has been fixed. :gl:`#2626` - -- ``inline-signing`` was incorrectly described as being inherited from - the ``options``/``view`` levels and was incorrectly accepted at those - levels without effect. This has been fixed; :iscman:`named.conf` files with - ``inline-signing`` at those levels no longer load. :gl:`#2536` - -- :iscman:`named` and :iscman:`named-checkconf` did not report an error when - multiple zones with the ``dnssec-policy`` option set were using the - same zone file. This has been fixed. :gl:`#2603` - -- If ``dnssec-policy`` was active and a private key file was temporarily - offline during a rekey event, :iscman:`named` could incorrectly introduce - replacement keys and break a signed zone. This has been fixed. - :gl:`#2596` - -- When generating zone signing keys, KASP now also checks for key ID - conflicts among newly created keys, rather than just between new and - existing ones. :gl:`#2628` diff --git a/doc/notes/notes-9.17.14.rst b/doc/notes/notes-9.17.14.rst deleted file mode 100644 index 310af6769ad..00000000000 --- a/doc/notes/notes-9.17.14.rst +++ /dev/null @@ -1,64 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.14 ----------------------- - -New Features -~~~~~~~~~~~~ - -- New configuration options, ``tcp-receive-buffer``, - ``tcp-send-buffer``, ``udp-receive-buffer``, and ``udp-send-buffer``, - have been added. These options allow the operator to fine-tune the - receiving and sending buffers in the operating system. On busy - servers, increasing the size of the receive buffers can prevent the - server from dropping packets during short traffic spikes, and - decreasing it can prevent the server from becoming clogged with - queries that are too old and have already timed out. :gl:`#2313` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Zone dumping tasks are now run on separate asynchronous thread pools. - This change prevents zone dumping from blocking network I/O. - :gl:`#2732` - -- The interface handling code has been refactored to use fewer - resources, which should lead to less memory fragmentation and better - startup performance. :gl:`#2433` - -Bug Fixes -~~~~~~~~~ - -- The calculation of the estimated IXFR transaction size in - ``dns_journal_iter_init()`` was invalid. This resulted in excessive - AXFR-style IXFR responses. :gl:`#2685` - -- Fixed an assertion failure that could occur if stale data was used to - answer a query, and then a prefetch was triggered after the query was - restarted (for example, to follow a CNAME). :gl:`#2733` - -- If a query was answered with stale data on a server with DNS64 - enabled, an assertion could occur if a non-stale answer arrived - afterward. This has been fixed. :gl:`#2731` - -- Fixed an error which caused the ``IP_DONTFRAG`` socket option to be - enabled instead of disabled, leading to errors when sending oversized - UDP packets. :gl:`#2746` - -- Zones which are configured in multiple views, with different values - set for ``dnssec-policy`` and with identical values set for - ``key-directory``, are now detected and treated as a configuration - error. :gl:`#2463` - -- A race condition could occur when reading and writing key files for - zones using KASP and configured in multiple views. This has been - fixed. :gl:`#1875` diff --git a/doc/notes/notes-9.17.15.rst b/doc/notes/notes-9.17.15.rst deleted file mode 100644 index 92ae3a60545..00000000000 --- a/doc/notes/notes-9.17.15.rst +++ /dev/null @@ -1,26 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.15 ----------------------- - -Bug Fixes -~~~~~~~~~ - -- When preparing DNS responses, :iscman:`named` could replace the letters - ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been - fixed. :gl:`#2779` - -- The configuration-checking code failed to account for the inheritance - rules of the ``key-directory`` option. As a side effect of this flaw, - the code detecting ``key-directory`` conflicts for zones using KASP - incorrectly reported unique key directories as being reused. This has - been fixed. :gl:`#2778` diff --git a/doc/notes/notes-9.17.16.rst b/doc/notes/notes-9.17.16.rst deleted file mode 100644 index 0b9f288a193..00000000000 --- a/doc/notes/notes-9.17.16.rst +++ /dev/null @@ -1,79 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.16 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Sending DNS messages with the OPCODE field set to anything other than - QUERY (0) via DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) channels - triggered an assertion failure in :iscman:`named`. This has been fixed. - - ISC would like to thank Ville Heikkila of Synopsys Cybersecurity - Research Center for bringing this vulnerability to our attention. - :gl:`#2787` - -New Features -~~~~~~~~~~~~ - -- Using a new configuration option, ``parental-agents``, each zone can - now be associated with a list of servers that can be used to check the - DS RRset in the parent zone. This enables automatic KSK rollovers. - :gl:`#1126` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Support for compiling and running BIND 9 natively on Windows has been - completely removed. The last stable release branch that has working - Windows support is BIND 9.16. :gl:`#2690` - -Feature Changes -~~~~~~~~~~~~~~~ - -- IP fragmentation has been disabled for outgoing UDP sockets. Errors - triggered by sending DNS messages larger than the specified path MTU - are properly handled by sending empty DNS replies with the ``TC`` - (TrunCated) bit set, which forces DNS clients to fall back to TCP. - :gl:`#2790` - -Bug Fixes -~~~~~~~~~ - -- The code managing :rfc:`5011` trust anchors created an invalid - placeholder keydata record upon a refresh failure, which prevented the - database of managed keys from subsequently being read back. This has - been fixed. :gl:`#2686` - -- Signed, insecure delegation responses prepared by :iscman:`named` either - lacked the necessary NSEC records or contained duplicate NSEC records - when both wildcard expansion and CNAME chaining were required to - prepare the response. This has been fixed. :gl:`#2759` - -- If :iscman:`nsupdate` sends an SOA request and receives a REFUSED response, - it now fails over to the next available server. :gl:`#2758` - -- A bug that caused the NSEC3 salt to be changed on every restart for - zones using KASP has been fixed. :gl:`#2725` - -- The configuration-checking code failed to account for the inheritance - rules of the ``dnssec-policy`` option. This has been fixed. - :gl:`#2780` - -- The fix for :gl:`#1875` inadvertently introduced a deadlock: when - locking key files for reading and writing, the ``in-view`` logic was - not considered. This has been fixed. :gl:`#2783` - -- A race condition could occur where two threads were competing for the - same set of key file locks, leading to a deadlock. This has been - fixed. :gl:`#2786` diff --git a/doc/notes/notes-9.17.17.rst b/doc/notes/notes-9.17.17.rst deleted file mode 100644 index 881d72c11ae..00000000000 --- a/doc/notes/notes-9.17.17.rst +++ /dev/null @@ -1,79 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.17 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Fixed an assertion failure that occurred in :iscman:`named` when it - attempted to send a UDP packet that exceeded the MTU size, if - Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856` - -- :iscman:`named` failed to check the opcode of responses when performing zone - refreshes, stub zone updates, and UPDATE forwarding. This could lead - to an assertion failure under certain conditions and has been - addressed by rejecting responses whose opcode does not match the - expected value. :gl:`#2762` - -New Features -~~~~~~~~~~~~ - -- DNS-over-HTTPS (DoH) support can now be disabled at compile time using - a new build-time option, ``--disable-doh``. This allows BIND 9 to be - built without the libnghttp2 library. :gl:`#2478` - -- It is now possible to set a hard quota on both the number of - concurrent DNS-over-HTTPS (DoH) connections and the number of active - HTTP/2 streams per connection, by using the ``http-listener-clients`` - and ``http-streams-per-connection`` options, or the - ``listener-clients`` and ``streams-per-connection`` parameters in an - ``http`` statement. The defaults are 300 and 100, respectively. - :gl:`#2809` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Previously, :iscman:`named` accepted FORMERR responses both with and without - an OPT record, as an indication that a given server did not support - EDNS. To implement full compliance with :rfc:`6891`, only FORMERR - responses without an OPT record are now accepted. This intentionally - breaks communication with servers that do not support EDNS and that - incorrectly echo back the query message with the RCODE field set to - FORMERR and the QR bit set to 1. :gl:`#2249` - -- Memory allocation has been substantially refactored; it is now based - on the memory allocation API provided by the jemalloc library, on - platforms where it is available. Use of this library is now - recommended when building BIND 9; although it is optional, it is - enabled by default. :gl:`#2433` - -- Testing revealed that setting the thread affinity for various types of - :iscman:`named` threads led to inconsistent recursive performance, as - sometimes multiple sets of threads competed over a single resource. - - Due to the above, :iscman:`named` no longer sets thread affinity. This - causes a slight dip of around 5% in authoritative performance, but - recursive performance is now consistently improved. :gl:`#2822` - -- CDS and CDNSKEY records can now be published in a zone without the - requirement that they exactly match an existing DNSKEY record, as long - as the zone is signed with an algorithm represented in the CDS or - CDNSKEY record. This allows a clean rollover from one DNS provider to - another when using a multiple-signer DNSSEC configuration. :gl:`#2710` - -Bug Fixes -~~~~~~~~~ - -- Authentication of :iscman:`rndc` messages could fail if a ``controls`` - statement was configured with multiple key algorithms for the same - listener. This has been fixed. :gl:`#2756` diff --git a/doc/notes/notes-9.17.18.rst b/doc/notes/notes-9.17.18.rst deleted file mode 100644 index 23705137b0b..00000000000 --- a/doc/notes/notes-9.17.18.rst +++ /dev/null @@ -1,68 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.18 ----------------------- - -New Features -~~~~~~~~~~~~ - -- Support for HTTPS and SVCB record types has been added. :gl:`#1132` - -Feature Changes -~~~~~~~~~~~~~~~ - -- When :iscman:`dnssec-signzone` signs a zone using a successor key whose - predecessor is still published, it now only refreshes signatures for - RRsets which have an invalid signature, an expired signature, or a - signature which expires within the provided cycle interval. This - allows :iscman:`dnssec-signzone` to gradually replace signatures in a zone - whose ZSK is being rolled over (similarly to what ``auto-dnssec - maintain;`` does). :gl:`#1551` - -- :iscman:`dnssec-cds` now only generates SHA-2 DS records by default and - avoids copying deprecated SHA-1 records from a child zone to its - delegation in the parent. If the child zone does not publish SHA-2 CDS - records, :iscman:`dnssec-cds` will generate them from the CDNSKEY records. - The ``-a algorithm`` option now affects the process of generating DS - digest records from both CDS and CDNSKEY records. Thanks to Tony - Finch. :gl:`#2871` - -- When reporting zone types in the statistics channel, the terms - ``primary`` and ``secondary`` are now used instead of ``master`` and - ``slave``, respectively. :gl:`#1944` - -Bug Fixes -~~~~~~~~~ - -- A recent change to the internal memory structure of zone databases - inadvertently neglected to update the MAPAPI value for zone files in - ``map`` format. This caused version 9.17.17 of :iscman:`named` to attempt to - load files into memory that were no longer compatible, triggering an - assertion failure on startup. The MAPAPI value has now been updated, - so :iscman:`named` rejects outdated files when encountering them. - :gl:`#2872` - -- Zone files in ``map`` format whose size exceeded 2 GB failed to load. - This has been fixed. :gl:`#2878` - -- Stale data in the cache could cause :iscman:`named` to send non-minimized - queries despite QNAME minimization being enabled. This has been fixed. - :gl:`#2665` - -- When a DNSSEC-signed zone which only has a single signing key - available is migrated to ``dnssec-policy``, that key is now treated as - a Combined Signing Key (CSK). :gl:`#2857` - -- When a dynamic zone was made available in another view using the - ``in-view`` statement, running :option:`rndc freeze` always reported an - ``already frozen`` error even though the zone was successfully - frozen. This has been fixed. :gl:`#2844` diff --git a/doc/notes/notes-9.17.19.rst b/doc/notes/notes-9.17.19.rst deleted file mode 100644 index e59c5d8dc76..00000000000 --- a/doc/notes/notes-9.17.19.rst +++ /dev/null @@ -1,117 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.19 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- The ``lame-ttl`` option controls how long :iscman:`named` caches certain - types of broken responses from authoritative servers (see the - `security advisory `_ for - details). This caching mechanism could be abused by an attacker to - significantly degrade resolver performance. The vulnerability has been - mitigated by changing the default value of ``lame-ttl`` to ``0`` and - overriding any explicitly set value with ``0``, effectively disabling - this mechanism altogether. ISC's testing has determined that doing - that has a negligible impact on resolver performance while also - preventing abuse. Administrators may observe more traffic towards - servers issuing certain types of broken responses than in previous - BIND 9 releases, depending on client query patterns. (CVE-2021-25219) - - ISC would like to thank Kishore Kumar Kothapalli of Infoblox for - bringing this vulnerability to our attention. :gl:`#2899` - -New Features -~~~~~~~~~~~~ - -- It is now possible to specify the TLS protocol versions to support for - each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2; - TLSv1.3; };``). :gl:`#2795` - -- New options for ``tls`` configuration clauses were implemented, - namely: - - - ``dhparam-file "";`` for specifying Diffie-Hellman - parameters, - - - ``ciphers "";`` for specifying OpenSSL ciphers to use, - - - ``prefer-server-ciphers ;`` for specifying whether server - ciphers or client ciphers should be preferred (this controls - OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option), - - - ``session-tickets ;`` for enabling/disabling stateless TLS - session tickets (see :rfc:`5077`). - - These options allow finer control over TLS protocol configuration and - make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS - (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Native PKCS#11 support has been removed; BIND 9 now :ref:`uses - engine_pkcs11 for PKCS#11`. engine_pkcs11 is an OpenSSL engine - which is part of the `OpenSC`_ project. :gl:`#2691` - -- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be - enabled in :iscman:`named` at build time have been removed. New-style DLZ - modules should be used as a replacement. :gl:`#2814` - -- Support for the ``map`` zone file format (``masterfile-format map;``) - has been removed. Users relying on the ``map`` format are advised to - convert their zones to the ``raw`` format with :iscman:`named-compilezone` - and change the configuration appropriately prior to upgrading BIND 9. - :gl:`#2882` - -.. _OpenSC: https://github.com/OpenSC/libp11 - -Feature Changes -~~~~~~~~~~~~~~~ - -- The network manager API is now used for sending all outgoing DNS - queries and requests from :iscman:`named` and related tools, including - :iscman:`delv`, :iscman:`mdig`, and :iscman:`nsupdate`. :gl:`#2401` - -- :iscman:`named` and :iscman:`named-checkconf` now exit with an error when a single - port configured for ``query-source``, ``transfer-source``, - ``notify-source``, ``parental-source``, and/or their respective IPv6 - counterparts clashes with a global listening port. This configuration - has not been supported since BIND 9.16.0, but no error was reported - until now (even though sending UDP messages such as NOTIFY failed). - :gl:`#2888` - -- :iscman:`named` and :iscman:`named-checkconf` now issue a warning when there is a - single port configured for ``query-source``, ``transfer-source``, - ``notify-source``, ``parental-source``, and/or for their respective - IPv6 counterparts. :gl:`#2888` - -- Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer - Protocol Negotiation (ALPN) token to be selected in the TLS handshake, - as required by :rfc:`9103` section 7.1. :gl:`#2794` - -Bug Fixes -~~~~~~~~~ - -- A recent change introduced in BIND 9.17.18 inadvertently broke - backward compatibility for the ``check-names master ...`` and - ``check-names slave ...`` options, causing them to be silently - ignored. This has been fixed and these options now work properly - again. :gl:`#2911` - -- When new IP addresses were set up by the operating system during - :iscman:`named` startup, it could fail to listen for TCP connections on the - newly added interfaces. :gl:`#2852` - -- Under specific circumstances, zone transfers over TCP and TLS could be - interrupted prematurely. This has been fixed. :gl:`#2917` diff --git a/doc/notes/notes-9.17.2.rst b/doc/notes/notes-9.17.2.rst deleted file mode 100644 index 81874ff333c..00000000000 --- a/doc/notes/notes-9.17.2.rst +++ /dev/null @@ -1,216 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.2 ---------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- To prevent exhaustion of server resources by a maliciously configured - domain, the number of recursive queries that can be triggered by a - request before aborting recursion has been further limited. Root and - top-level domain servers are no longer exempt from the - ``max-recursion-queries`` limit. Fetches for missing name server - address records are limited to 4 for any domain. This issue was - disclosed in CVE-2020-8616. :gl:`#1388` - -- Replaying a TSIG BADTIME response as a request could trigger an - assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703` - -- It was possible to trigger an assertion when attempting to fill an - oversized TCP buffer. This was disclosed in CVE-2020-8618. - :gl:`#1850` - -- It was possible to trigger an INSIST failure when a zone with an - interior wildcard label was queried in a certain pattern. This was - disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718` - -Known Issues -~~~~~~~~~~~~ - -- In this release, the build system has been significantly changed (see - below) and there are several unresolved issues to be aware of when - using a development release. Please refer to :gl:`GitLab issue #4 - <#4>` for a list of not-yet-resolved issues that will be fixed in - future releases. :gl:`#4` - -- BIND crashes on startup when linked against libuv 1.36. This issue - is related to ``recvmmsg()`` support in libuv, which was first - included in libuv 1.35. The problem was addressed in libuv 1.37, but - the relevant libuv code change requires a special flag to be set - during library initialization in order for ``recvmmsg()`` support to - be enabled. This BIND release sets that special flag when required, - so ``recvmmsg()`` support is now enabled when BIND is compiled - against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not - usable with BIND. :gl:`#1761` :gl:`#1797` - -New Features -~~~~~~~~~~~~ - -- The BIND 9 build system has been changed to use a typical - autoconf+automake+libtool stack. This should not make any difference - for people building BIND 9 from release tarballs, but when building - BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run - first. Extra attention is also needed when using non-standard - ``./configure`` options. :gl:`#4` - -- Documentation was converted from DocBook to reStructuredText. The - BIND 9 ARM is now generated using Sphinx and published on `Read the - Docs`_. Release notes are no longer available as a separate document - accompanying a release. :gl:`#83` - -- :iscman:`named` and :iscman:`named-checkzone` now reject master zones that have a - DS RRset at the zone apex. Attempts to add DS records at the zone - apex via UPDATE will be logged but otherwise ignored. DS records - belong in the parent zone, not at the zone apex. :gl:`#1798` - -- Per-type record count limits can now be specified in - ``update-policy`` statements, to limit the number of records of a - particular type that can be added to a domain name via dynamic - update. :gl:`#1657` - -- :iscman:`dig` and other tools can now print the Extended DNS Error (EDE) - option when it appears in a request or a response. :gl:`#1835` - -- ``dig +qid=`` allows the user to specify a particular query ID - for testing purposes. :gl:`#1851` - -- A new logging category, ``rpz-passthru``, was added, which allows RPZ - passthru actions to be logged into a separate channel. :gl:`#54` - -- Zone timers are now exported via statistics channel. For primary - zones, only the load time is exported. For secondary zones, exported - timers also include expire and refresh times. Contributed by Paul - Frieden, Verizon Media. :gl:`#1232` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The default value of ``max-stale-ttl`` has changed from 1 week to 12 - hours. This option controls how long :iscman:`named` retains expired RRsets - in cache as a potential mitigation mechanism, should there be a - problem with one or more domains. Note that cache content retention - is independent of whether stale answers are used in response to - client queries (``stale-answer-enable yes|no`` and :option:`rndc serve-stale - on|off `). Serving of stale answers when the authoritative servers - are not responding must be explicitly enabled, whereas the retention - of expired cache content takes place automatically on all versions of - BIND 9 that have this feature available. :gl:`#1877` - - .. warning:: - This change may be significant for administrators who expect that - stale cache content will be automatically retained for up to 1 - week. Add option ``max-stale-ttl 1w;`` to :iscman:`named.conf` to keep - the previous behavior of :iscman:`named`. - -- BIND 9 no longer sets receive/send buffer sizes for UDP sockets, - relying on system defaults instead. :gl:`#1713` - -- The default rwlock implementation has been changed back to the native - BIND 9 rwlock implementation. :gl:`#1753` - -- BIND 9 binaries which are neither daemons nor administrative programs - were moved to ``$bindir``. Only :iscman:`ddns-confgen`, :iscman:`named`, - :iscman:`rndc`, :iscman:`rndc-confgen`, and ``tsig-confgen`` were left in - ``$sbindir``. :gl:`#1724` - -- ``listen-on-v6 { any; }`` creates a separate socket for each - interface. Previously, just one socket was created on systems - conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced - in BIND 9.16.0, but it was accidentally omitted from documentation. - :gl:`#1782` - -- The native PKCS#11 EdDSA implementation has been updated to PKCS#11 - v3.0 and thus made operational again. Contributed by Aaron Thompson. - :gl:`!3326` - -- The OpenSSL ECDSA implementation has been updated to support PKCS#11 - via OpenSSL engine (see engine_pkcs11 from libp11 project). - :gl:`#1534` - -- The OpenSSL EdDSA implementation has been updated to support PKCS#11 - via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine - is required and thus this code is only a proof-of-concept for the - time being. Contributed by Aaron Thompson. :gl:`#1763` - -- Message IDs in inbound AXFR transfers are now checked for - consistency. Log messages are emitted for streams with inconsistent - message IDs. :gl:`#1674` - -- The question section is now checked when processing AXFR, IXFR, - and SOA replies while transferring a zone in. :gl:`#1683` - -Bug Fixes -~~~~~~~~~ - -- When fully updating the NSEC3 chain for a large zone via IXFR, a - temporary loss of performance could be experienced on the secondary - server when answering queries for nonexistent data that required - DNSSEC proof of non-existence (in other words, queries that required - the server to find and to return NSEC3 data). The unnecessary - processing step that was causing this delay has now been removed. - :gl:`#1834` - -- :iscman:`named` could crash with an assertion failure if the name of a - database node was looked up while the database was being modified. - :gl:`#1857` - -- When running on a system with support for Linux capabilities, - :iscman:`named` drops root privileges very soon after system startup. This - was causing a spurious log message, ``unable to set effective uid to - 0: Operation not permitted``, which has now been silenced. - :gl:`#1042` :gl:`#1090` - -- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed. - :gl:`#1859` - -- Previously, :iscman:`named` did not destroy some mutexes and conditional - variables in netmgr code, which caused a memory leak on FreeBSD. This - has been fixed. :gl:`#1893` - -- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead - to an assertion failure was fixed. :gl:`#1808` - -- Previously, ``provide-ixfr no;`` failed to return up-to-date - responses when the serial number was greater than or equal to the - current serial number. :gl:`#1714` - -- A bug in dnstap initialization could prevent some dnstap data from - being logged, especially on recursive resolvers. :gl:`#1795` - -- A bug in dnssec-policy keymgr was fixed, where the check for the - existence of a given key's successor would incorrectly return - ``true`` if any other key in the keyring had a successor. :gl:`#1845` - -- With dnssec-policy, when creating a successor key, the "goal" state - of the current active key (the predecessor) was not changed and thus - never removed from the zone. :gl:`#1846` - -- When :option:`named-checkconf -z` was run, it would sometimes incorrectly - set its exit code. It reflected the status of the last view found; if - zone-loading errors were found in earlier configured views but not in - the last one, the exit code indicated success. Thanks to Graham - Clinch. :gl:`#1807` - -- :option:`named-checkconf -p` could include spurious text in - ``server-addresses`` statements due to an uninitialized DSCP value. - This has been fixed. :gl:`#1812` - -- When built without LMDB support, :iscman:`named` failed to restart after a - zone with a double quote (") in its name was added with ``rndc - addzone``. Thanks to Alberto Fernández. :gl:`#1695` - -- The ARM has been updated to indicate that the TSIG session key is - generated when named starts, regardless of whether it is needed. - :gl:`#1842` - -.. _Read the Docs: https://bind9.readthedocs.io/ diff --git a/doc/notes/notes-9.17.20.rst b/doc/notes/notes-9.17.20.rst deleted file mode 100644 index 6771d66898d..00000000000 --- a/doc/notes/notes-9.17.20.rst +++ /dev/null @@ -1,84 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.20 ----------------------- - -New Features -~~~~~~~~~~~~ - -- New finer-grained ``update-policy`` rule types, - ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added. - These rule types restrict updates to SRV and PTR records so that their - content can only match the machine name embedded in the Kerberos - principal making the change. :gl:`#481` - -- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843` - -Removed Features -~~~~~~~~~~~~~~~~ - -- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9 - currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an - OpenSSL 3.0.0 build which does not retain support for deprecated APIs - makes it impossible to use PKCS#11 in BIND 9. A replacement for - engine_pkcs11 which employs the new "provider" approach introduced in - OpenSSL 3.0.0 is in the making. :gl:`#2843` - -- Since the old socket manager API has been removed, "socketmgr" - statistics are no longer reported by the :ref:`statistics channel - `. :gl:`#2926` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This - means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with - the KSK by default. The additional signatures prepared using the ZSK - when the option is set to ``no`` add to the DNS response payload - without offering added value. :gl:`#1316` - -- The default NSEC3 parameters for ``dnssec-policy`` were updated to no - extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). - :gl:`#2956` - -- Internal data structures maintained for each cache database are now - grown incrementally when they need to be expanded. This helps maintain - a steady response rate on a loaded resolver while these internal data - structures are resized. :gl:`#2941` - -- The output of :option:`rndc serve-stale status ` has been clarified. It now - explicitly reports whether retention of stale data in the cache is - enabled (``stale-cache-enable``), and whether returning such data in - responses is enabled (``stale-answer-enable``). :gl:`#2742` - -- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls. - This enables additional validation rules for IDN domains and hostnames - in :iscman:`dig`. :gl:`#1610` - -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -Bug Fixes -~~~~~~~~~ - -- Reloading a catalog zone which referenced a missing/deleted member - zone triggered a runtime check failure, causing :iscman:`named` to exit - prematurely. This has been fixed. :gl:`#2308` - -- Some lame delegations could trigger a dependency loop, in which a - resolver fetch waited for a name server address lookup which was - waiting for the same resolver fetch. This could cause a recursive - lookup to hang until timing out. This situation is now detected and - prevented. :gl:`#2927` - -- Log files using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by - ``versions``. This has been fixed. :gl:`#828` diff --git a/doc/notes/notes-9.17.21.rst b/doc/notes/notes-9.17.21.rst deleted file mode 100644 index a70eb2806c8..00000000000 --- a/doc/notes/notes-9.17.21.rst +++ /dev/null @@ -1,69 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.21 ----------------------- - -New Features -~~~~~~~~~~~~ - -- The ``allow-transfer`` option was extended to accept additional - ``port`` and ``transport`` parameters, to further restrict zone - transfers to a particular port and/or DNS transport protocol. - :gl:`#2776` - -- Extended DNS Error Code 18 - Prohibited (see :rfc:`8194` section - 4.19) is now set if query access is denied to the specific client. - :gl:`#1836` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Aggressive Use of DNSSEC-Validated Cache (``synth-from-dnssec``, see - :rfc:`8198`) is now enabled by default again, after having been - disabled in BIND 9.14.8. The implementation of this feature was - reworked to achieve better efficiency and tuned to ignore certain - types of broken NSEC records. Negative answer synthesis is currently - only supported for zones using NSEC. :gl:`#1265` - -- The `UseSTD3ASCIIRules`_ flag is now disabled again for libidn2 - function calls. Applying additional validation rules for domain names - in :iscman:`dig` (a change introduced in the previous BIND 9 release) caused - characters which are disallowed in hostnames (e.g. underscore ``_``, - wildcard ``*``) to be silently stripped. That change was reverted. - :gl:`#1610` - -- Previously, when an incoming TCP connection could not be accepted - because the client closed the connection early, an error message of - ``TCP connection failed: socket is not connected`` was logged. This - message has been changed to ``Accepting TCP connection failed: socket - is not connected``. The severity level at which this type of message - is logged has also been changed from ``error`` to ``info`` for the - following triggering events: ``socket is not connected``, ``quota - reached``, and ``soft quota reached``. :gl:`#2700` - -- :iscman:`dnssec-dsfromkey` no longer generates DS records from revoked keys. - :gl:`#853` - -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -Bug Fixes -~~~~~~~~~ - -- Removing a configured ``catalog-zone`` clause from the configuration, - running :option:`rndc reconfig`, then bringing back the removed - ``catalog-zone`` clause and running :option:`rndc reconfig` again caused - :iscman:`named` to crash. This has been fixed. :gl:`#1608` - -- The resolver could hang on shutdown due to dispatch resources not - being cleaned up when a TCP connection was reset, or due to dependency - loops in the ADB or the DNSSEC validator. This has been fixed. - :gl:`#3026` :gl:`#3040` diff --git a/doc/notes/notes-9.17.22.rst b/doc/notes/notes-9.17.22.rst deleted file mode 100644 index 92986008809..00000000000 --- a/doc/notes/notes-9.17.22.rst +++ /dev/null @@ -1,49 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.22 ----------------------- - -New Features -~~~~~~~~~~~~ - -- :iscman:`named` now logs TLS pre-master secrets for debugging purposes when - the ``SSLKEYLOGFILE`` environment variable is set. This enables - troubleshooting issues with encrypted DNS traffic. :gl:`#2723` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Overall memory use by :iscman:`named` has been optimized and reduced, - especially on systems with many CPU cores. :gl:`#2398` :gl:`#3048` - -- :iscman:`named` formerly generated an ephemeral key and certificate for the - ``tls ephemeral`` configuration using the RSA algorithm with 4096-bit - keys. This has been changed to the ECDSA P-256 algorithm. :gl:`#2264` - -Bug Fixes -~~~~~~~~~ - -- On FreeBSD, TCP connections leaked a small amount of heap memory, - leading to an eventual out-of-memory problem. This has been fixed. - :gl:`#3051` - -- If signatures created by the ZSK were expired and the ZSK private key - was offline, the signatures were not replaced. This behavior has been - amended to replace the expired signatures with new signatures created - using the KSK. :gl:`#3049` - -- Under certain circumstances, the signed version of an inline-signed - zone could be dumped to disk without the serial number of the unsigned - version of the zone. This prevented resynchronization of the zone - contents after :iscman:`named` restarted, if the unsigned zone file was - modified while :iscman:`named` was not running. This has been fixed. - :gl:`#3071` diff --git a/doc/notes/notes-9.17.3.rst b/doc/notes/notes-9.17.3.rst deleted file mode 100644 index 1ecd164a6df..00000000000 --- a/doc/notes/notes-9.17.3.rst +++ /dev/null @@ -1,81 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.3 ---------------------- - -New Features -~~~~~~~~~~~~ - -- New :iscman:`rndc` command :option:`rndc dnssec -status ` shows the current DNSSEC - policy and keys in use, the key states, and rollover status. - :gl:`#1612` - -- Added support in the network manager for initiating outgoing TCP - connections. :gl:`#1958` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Disable and disallow static linking of BIND 9 binaries and libraries - as BIND 9 modules require ``dlopen()`` support and static linking also - prevents using security features like read-only relocations (RELRO) or - address space layout randomization (ASLR) which are important for - programs that interact with the network and process arbitrary user - input. :gl:`#1933` - -- As part of an ongoing effort to use :rfc:`8499` terminology, - ``primaries`` can now be used as a synonym for ``masters`` in - :iscman:`named.conf`. Similarly, ``notify primary-only`` can now be used as - a synonym for ``notify master-only``. The output of ``rndc - zonestatus`` now uses ``primary`` and ``secondary`` terminology. - :gl:`#1948` - -Bug Fixes -~~~~~~~~~ - -- A race condition could occur if a TCP socket connection was closed - while :iscman:`named` was waiting for a recursive response. The attempt to - send a response over the closing connection triggered an assertion - failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937` - -- A race condition could occur when :iscman:`named` attempted to use a UDP - interface that was shutting down. This triggered an assertion failure - in ``uv__udp_finish_close()``. :gl:`#1938` - -- Fix assertion failure when server was under load and root zone had not - yet been loaded. :gl:`#1862` - -- :iscman:`named` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c`` - that were being reused. :gl:`#1968` - -- :iscman:`named` crashed on shutdown when a new :iscman:`rndc` connection was - received during shutdown. This has been fixed. :gl:`#1747` - -- The DS RRset returned by ``dns_keynode_dsset()`` was used in a - non-thread-safe manner. This could result in an INSIST being - triggered. :gl:`#1926` - -- The ``primary`` and ``secondary`` keywords, when used as parameters - for ``check-names``, were not processed correctly and were being - ignored. :gl:`#1949` - -- :option:`rndc dnstap -roll value ` did not limit the number of saved files - to ``value``. :gl:`!3728` - -- The validator could fail to accept a properly signed RRset if an - unsupported algorithm appeared earlier in the DNSKEY RRset than a - supported algorithm. It could also stop if it detected a malformed - public key. :gl:`#1689` - -- The ``blackhole`` ACL was inadvertently disabled for client queries. - Blocked IP addresses were not used for upstream queries but queries - from those addresses could still be answered. :gl:`#1936` diff --git a/doc/notes/notes-9.17.4.rst b/doc/notes/notes-9.17.4.rst deleted file mode 100644 index 4e511c3afff..00000000000 --- a/doc/notes/notes-9.17.4.rst +++ /dev/null @@ -1,129 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.4 ---------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- It was possible to trigger an assertion failure by sending a specially - crafted large TCP DNS message. This was disclosed in CVE-2020-8620. - - ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for - bringing this vulnerability to our attention. :gl:`#1996` - -- :iscman:`named` could crash after failing an assertion check in certain - query resolution scenarios where QNAME minimization and forwarding - were both enabled. To prevent such crashes, QNAME minimization is now - always disabled for a given query resolution process, if forwarders - are used at any point. This was disclosed in CVE-2020-8621. - - ISC would like to thank Joseph Gullo for bringing this vulnerability - to our attention. :gl:`#1997` - -- It was possible to trigger an assertion failure when verifying the - response to a TSIG-signed request. This was disclosed in - CVE-2020-8622. - - ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham - of Oracle for bringing this vulnerability to our attention. - :gl:`#2028` - -- When BIND 9 was compiled with native PKCS#11 support, it was possible - to trigger an assertion failure in code determining the number of bits - in the PKCS#11 RSA public key with a specially crafted packet. This - was disclosed in CVE-2020-8623. - - ISC would like to thank Lyu Chiy for bringing this vulnerability to - our attention. :gl:`#2037` - -- ``update-policy`` rules of type ``subdomain`` were incorrectly treated - as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules - to update names outside of the specified subdomains. The problem was - fixed by making sure ``subdomain`` rules are again processed as - described in the ARM. This was disclosed in CVE-2020-8624. - - ISC would like to thank Joop Boonen of credativ GmbH for bringing this - vulnerability to our attention. :gl:`#2055` - -New Features -~~~~~~~~~~~~ - -- A new configuration option ``stale-cache-enable`` has been introduced - to enable or disable keeping stale answers in cache. :gl:`#1712` - -- :iscman:`rndc` has been updated to use the new BIND network manager API. - This change had the side effect of altering the TCP timeout for RNDC - connections from 60 seconds to the ``tcp-idle-timeout`` value, which - defaults to 30 seconds. Also, because the network manager currently - has no support for UNIX-domain sockets, those cannot now be used - with :iscman:`rndc`. This will be addressed in a future release, either by - restoring UNIX-domain socket support or by formally declaring them - to be obsolete in the control channel. :gl:`#1759` - -- Statistics channels have also been updated to use the new BIND network - manager API. :gl:`#2022` - -Feature Changes -~~~~~~~~~~~~~~~ - -- BIND's cache database implementation has been updated to use a faster - hash function with better distribution. In addition, the effective - ``max-cache-size`` (configured explicitly, defaulting to a value based - on system memory or set to ``unlimited``) now pre-allocates fixed-size - hash tables. This prevents interruption to query resolution when the - hash table sizes need to be increased. :gl:`#1775` - -- Keeping stale answers in cache has been disabled by default. - :gl:`#1712` - -- Resource records received with 0 TTL are no longer kept in the cache - to be used for stale answers. :gl:`#1829` - -Bug Fixes -~~~~~~~~~ - -- Wildcard RPZ passthru rules could incorrectly be overridden by other - rules that were loaded from RPZ zones which appeared later in the - ``response-policy`` statement. This has been fixed. :gl:`#1619` - -- The IPv6 Duplicate Address Detection (DAD) mechanism could - inadvertently prevent :iscman:`named` from binding to new IPv6 interfaces, - by causing multiple route socket messages to be sent for each IPv6 - address. :iscman:`named` monitors for new interfaces to ``bind()`` to when - it is configured to listen on ``any`` or on a specific range of - addresses. New IPv6 interfaces can be in a "tentative" state before - they are fully available for use. When DAD is in use, two messages are - emitted by the route socket: one when the interface first appears and - then a second one when it is fully "up." An attempt by :iscman:`named` to - ``bind()`` to the new interface prematurely would fail, causing it - thereafter to ignore that address/interface. The problem was worked - around by setting the ``IP_FREEBIND`` option on the socket and trying - to ``bind()`` to each IPv6 address again if the first ``bind()`` call - for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038` - -- Addressed an error in recursive clients stats reporting which could - cause underflow, and even negative statistics. There were occasions - when an incoming query could trigger a prefetch for some eligible - RRset, and if the prefetch code were executed before recursion, no - increment in recursive clients stats would take place. Conversely, - when processing the answers, if the recursion code were executed - before the prefetch, the same counter would be decremented without a - matching increment. :gl:`#1719` - -- The introduction of KASP support inadvertently caused the second field - of ``sig-validity-interval`` to always be calculated in hours, even in - cases when it should have been calculated in days. This has been - fixed. (Thanks to Tony Finch.) :gl:`!3735` - -- LMDB locking code was revised to make :option:`rndc reconfig` work properly - on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976` diff --git a/doc/notes/notes-9.17.5.rst b/doc/notes/notes-9.17.5.rst deleted file mode 100644 index e7164e0de0a..00000000000 --- a/doc/notes/notes-9.17.5.rst +++ /dev/null @@ -1,78 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.5 ---------------------- - -New Features -~~~~~~~~~~~~ - -- Add a new :iscman:`rndc` command, :option:`rndc dnssec -checkds `, which signals to - :iscman:`named` that a DS record for a given zone or key has been published - or withdrawn from the parent. This command replaces the time-based - ``parent-registration-delay`` configuration option. :gl:`#1613` - -- Log when :iscman:`named` adds a CDS/CDNSKEY to the zone. :gl:`#1748` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The ``--with-gperftools-profiler`` ``configure`` option was removed. - To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro - now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to - be present in ``LDFLAGS``. :gl:`!4045` - -- The ``glue-cache`` *option* has been marked as deprecated. The glue - cache *feature* still works and will be permanently *enabled* in a - future release. :gl:`#2146` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Previously, using ``dig +bufsize=0`` had the side effect of disabling - EDNS, and there was no way to test the remote server's behavior when - it had received a packet with EDNS0 buffer size set to 0. This is no - longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS - version 0 and buffer size set to 0. To disable EDNS, use ``dig - +noedns``. :gl:`#2054` - -Bug Fixes -~~~~~~~~~ - -- In rare circumstances, :iscman:`named` would exit with an assertion failure - when the number of nodes stored in the red-black tree exceeded the - maximum allowed size of the internal hash table. :gl:`#2104` - -- Silence spurious system log messages for an EPROTO(71) error code that - was seen on older operating systems, where unhandled ICMPv6 errors - resulted in a generic protocol error being returned instead of a more - specific error code. :gl:`#1928` - -- With query name minimization enabled, :iscman:`named` failed to resolve - ``ip6.arpa.`` names that had extra labels to the left of the IPv6 - part. For example, when :iscman:`named` attempted query name minimization on - a name like ``A.B.1.2.3.4.(...).ip6.arpa.``, it stopped at the - leftmost IPv6 label, i.e. ``1.2.3.4.(...).ip6.arpa.``, without - considering the extra labels (``A.B``). That caused a query loop when - resolving the name: if :iscman:`named` received NXDOMAIN answers, then the - same query was repeatedly sent until the number of queries sent - reached the value of the ``max-recursion-queries`` configuration - option. :gl:`#1847` - -- Parsing of LOC records was made more strict by rejecting a sole period - (``.``) and/or ``m`` as a value. These changes prevent zone files - using such values from being loaded. Handling of negative altitudes - which are not integers was also corrected. :gl:`#2074` - -- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are - security issues.) :gl:`!3953` :gl:`!3975` - -.. _OSS-Fuzz: https://github.com/google/oss-fuzz diff --git a/doc/notes/notes-9.17.6.rst b/doc/notes/notes-9.17.6.rst deleted file mode 100644 index fe6857f648b..00000000000 --- a/doc/notes/notes-9.17.6.rst +++ /dev/null @@ -1,65 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.6 ---------------------- - -New Features -~~~~~~~~~~~~ - -- Add a new :iscman:`rndc` command, :option:`rndc dnssec -rollover `, which triggers - a manual rollover for a specific key. :gl:`#1749` - -- Add a new :iscman:`rndc` command, :option:`rndc dumpdb -expired `, which dumps the - cache database, including expired RRsets that are awaiting cleanup, to - the ``dump-file`` for diagnostic purposes. :gl:`#1870` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The ``glue-cache`` *option* has been marked as deprecated. The glue - cache *feature* still works and will be permanently *enabled* in a - future release. :gl:`#2146` - -Feature Changes -~~~~~~~~~~~~~~~ - -- DNS Flag Day 2020: The default EDNS buffer size has been changed from - 4096 to 1232 bytes, the EDNS buffer size probing has been removed, and - :iscman:`named` now sets the DF (Don't Fragment) flag on outgoing UDP - packets. According to measurements done by multiple parties, this - should not cause any operational problems as most of the Internet - "core" is able to cope with IP message sizes between 1400-1500 bytes; - the 1232 size was picked as a conservative minimal number that could - be changed by the DNS operator to an estimated path MTU minus the - estimated header space. In practice, the smallest MTU witnessed in the - operational DNS community is 1500 octets, the maximum Ethernet payload - size, so a useful default for maximum DNS/UDP payload size on reliable - networks would be 1432 bytes. :gl:`#2183` - -Bug Fixes -~~~~~~~~~ - -- :iscman:`named` reported an invalid memory size when running in an - environment that did not properly report the number of available - memory pages and/or the size of each memory page. :gl:`#2166` - -- With multiple forwarders configured, :iscman:`named` could fail the - ``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``, - causing it to crash. This has been fixed. :gl:`#2124` - -- :iscman:`named` erroneously performed continuous key rollovers for KASP - policies that used algorithm Ed25519 or Ed448 due to a mismatch - between created key size and expected key size. :gl:`#2171` - -- Updating contents of an RPZ zone which contained names spelled using - varying letter case could cause some processing rules in that RPZ zone - to be erroneously ignored. :gl:`#2169` diff --git a/doc/notes/notes-9.17.7.rst b/doc/notes/notes-9.17.7.rst deleted file mode 100644 index d0f156ab170..00000000000 --- a/doc/notes/notes-9.17.7.rst +++ /dev/null @@ -1,65 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.7 ---------------------- - -New Features -~~~~~~~~~~~~ - -- Support for DNS over TLS (DoT) has been added: the :iscman:`dig` tool is now - able to send DoT queries (``+tls`` option) and :iscman:`named` can handle - DoT queries (``listen-on tls ...`` option). :iscman:`named` can use either a - certificate provided by the user or an ephemeral certificate generated - automatically upon startup. :gl:`#1840` - -- A new configuration option, ``stale-refresh-time``, has been - introduced. It allows a stale RRset to be served directly from cache - for a period of time after a failed lookup, before a new attempt to - refresh it is made. :gl:`#2066` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The :iscman:`dig`, :iscman:`host`, and :iscman:`nslookup` tools have been converted to - use the new network manager API rather than the older ISC socket API. - - As a side effect of this change, the ``dig +unexpected`` option no - longer works. This could previously be used to diagnose broken servers - or network configurations by listening for replies from servers other - than the one that was queried. With the new API, such answers are - filtered before they ever reach :iscman:`dig`, so the option has been - removed. :gl:`#2140` - -- The network manager API is now used by :iscman:`named` to send zone transfer - requests. :gl:`#2016` - -Bug Fixes -~~~~~~~~~ - -- :iscman:`named` could crash with an assertion failure if a TCP connection - were closed while a request was still being processed. :gl:`#2227` - -- :iscman:`named` acting as a resolver could incorrectly treat signed zones - with no DS record at the parent as bogus. Such zones should be treated - as insecure. This has been fixed. :gl:`#2236` - -- After a Negative Trust Anchor (NTA) is added, BIND performs periodic - checks to see if it is still necessary. If BIND encountered a failure - while creating a query to perform such a check, it attempted to - dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244` - -- A problem obtaining glue records could prevent a stub zone from - functioning properly, if the authoritative server for the zone were - configured for minimal responses. :gl:`#1736` - -- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a - ``TCP6RecvErr``. :gl:`#2208` diff --git a/doc/notes/notes-9.17.8.rst b/doc/notes/notes-9.17.8.rst deleted file mode 100644 index 92f57498f82..00000000000 --- a/doc/notes/notes-9.17.8.rst +++ /dev/null @@ -1,73 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.8 ---------------------- - -New Features -~~~~~~~~~~~~ - -- NSEC3 support was added to KASP. A new option for ``dnssec-policy``, - ``nsec3param``, can be used to set the desired NSEC3 parameters. - NSEC3 salt collisions are automatically prevented during resalting. - :gl:`#1620` - -- :iscman:`dig` output now includes the transport protocol used (UDP, TCP, or - TLS). :gl:`#1816` - -- :iscman:`dig` can now report the DNS64 prefixes in use (``+dns64prefix``). - This is useful when the host on which :iscman:`dig` is run is behind an - IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a - Service). :gl:`#1154` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The new networking code introduced in BIND 9.16 (netmgr) was - overhauled in order to make it more stable, testable, and - maintainable. :gl:`#2321` - -- Earlier releases of BIND versions 9.16 and newer required the - operating system to support load-balanced sockets in order for - :iscman:`named` to be able to achieve high performance (by distributing - incoming queries among multiple threads). However, the only operating - systems currently known to support load-balanced sockets are Linux and - FreeBSD 12, which means both UDP and TCP performance were limited to a - single thread on other systems. As of BIND 9.17.8, :iscman:`named` attempts - to distribute incoming queries among multiple threads on systems which - lack support for load-balanced sockets (except Windows). :gl:`#2137` - -- The default value of ``max-recursion-queries`` was increased from 75 - to 100. Since the queries sent towards root and TLD servers are now - included in the count (as a result of the fix for CVE-2020-8616), - ``max-recursion-queries`` has a higher chance of being exceeded by - non-attack queries, which is the main reason for increasing its - default value. :gl:`#2305` - -- The default value of ``nocookie-udp-size`` was restored back to 4096 - bytes. Since ``max-udp-size`` is the upper bound for - ``nocookie-udp-size``, this change relieves the operator from having - to change ``nocookie-udp-size`` together with ``max-udp-size`` in - order to increase the default EDNS buffer size limit. - ``nocookie-udp-size`` can still be set to a value lower than - ``max-udp-size``, if desired. :gl:`#2250` - -Bug Fixes -~~~~~~~~~ - -- Handling of missing DNS COOKIE responses over UDP was tightened by - falling back to TCP. :gl:`#2275` - -- The CNAME synthesized from a DNAME was incorrectly followed when the - QTYPE was CNAME or ANY. :gl:`#2280` - -- Building with native PKCS#11 support for AEP Keyper has been broken - since BIND 9.17.4. This has been fixed. :gl:`#2315` diff --git a/doc/notes/notes-9.17.9.rst b/doc/notes/notes-9.17.9.rst deleted file mode 100644 index db9f53584d9..00000000000 --- a/doc/notes/notes-9.17.9.rst +++ /dev/null @@ -1,57 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.17.9 ---------------------- - -New Features -~~~~~~~~~~~~ - -- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385` - -Feature Changes -~~~~~~~~~~~~~~~ - -- It is now possible to transition a zone from secure to insecure mode - without making it bogus in the process; changing to ``dnssec-policy - none;`` also causes CDS and CDNSKEY DELETE records to be published, to - signal that the entire DS RRset at the parent must be removed, as - described in :rfc:`8078`. :gl:`#1750` - -- When using the ``unixtime`` or ``date`` method to update the SOA - serial number, :iscman:`named` and :iscman:`dnssec-signzone` silently fell back to - the ``increment`` method to prevent the new serial number from being - smaller than the old serial number (using serial number arithmetics). - :iscman:`dnssec-signzone` now prints a warning message, and :iscman:`named` logs a - warning, when such a fallback happens. :gl:`#2058` - -Bug Fixes -~~~~~~~~~ - -- Multiple threads could attempt to destroy a single RBTDB instance at - the same time, resulting in an unpredictable but low-probability - assertion failure in ``free_rbtdb()``. This has been fixed. :gl:`#2317` - -- :iscman:`named` no longer attempts to assign threads to CPUs outside the CPU - affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245` - -- When reconfiguring :iscman:`named`, removing ``auto-dnssec`` did not turn - off DNSSEC maintenance. This has been fixed. :gl:`#2341` - -- The report of intermittent BIND assertion failures triggered in - ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed - without further action. Our initial response to this was to add - diagnostic logging instead of terminating :iscman:`named`, anticipating that - we would receive further useful troubleshooting input. This workaround - first appeared in BIND releases 9.17.5 and 9.16.7. However, since - those releases were published, there have been no new reports of - assertion failures matching this issue, but also no further diagnostic - input, so we have closed the issue. :gl:`#2091`