From: Michał Kępień Date: Wed, 5 Aug 2020 14:02:38 +0000 (+0200) Subject: Tweak and reword recent CHANGES entries X-Git-Tag: v9.17.4~5^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=76421c885eb6d74df6382cff32ebca276b8d8b6b;p=thirdparty%2Fbind9.git Tweak and reword recent CHANGES entries --- diff --git a/CHANGES b/CHANGES index 8284bdbd74f..01592c62b7a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,16 +1,16 @@ 5485. [placeholder] -5484. [func] Expire the 0 TTL RRSet quickly rather using them for - stale answers. [GL #1829] +5484. [func] Expire zero TTL records quickly rather than using them + for stale answers. [GL #1829] 5483. [func] Keeping "stale" answers in cache has been disabled by default and can be re-enabled with a new configuration option "stale-cache-enable". [GL #1712] -5482. [bug] BIND 9 would fail to bind to IPv6 addresses in a - tentative state when a new IPv6 address was added to the - system, but the Duplicate Address Detection (DAD) - mechanism had not yet finished. [GL #2038] +5482. [bug] If the Duplicate Address Detection (DAD) mechanism had + not yet finished after adding a new IPv6 address to the + system, BIND 9 would fail to bind to IPv6 addresses in a + tentative state. [GL #2038] 5481. [security] "update-policy" rules of type "subdomain" were incorrectly treated as "zonesub" rules, which allowed @@ -33,53 +33,57 @@ sending a specially crafted large TCP DNS message. (CVE-2020-8620) [GL #1996] -5477. [bug] The idle timeout for connected TCP sockets is now - derived from the client query processing timeout - configured for a resolver. [GL #2024] +5477. [bug] The idle timeout for connected TCP sockets, which was + previously set to a high fixed value, is now derived + from the client query processing timeout configured for + a resolver. [GL #2024] 5476. [security] It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request. (CVE-2020-8622) [GL #2028] -5475. [bug] Fix RPZ wildcard passthru ignored when a rejection - would overwrite a passthru action matching some - rule in a previously loaded passthru rpz zone. - [GL #1619] +5475. [bug] Wildcard RPZ passthru rules could incorrectly be + overridden by other rules that were loaded from RPZ + zones which appeared later in the "response-policy" + statement. This has been fixed. [GL #1619] 5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE when it should have. [GL !3880] -5473. [func] The rbt hashtable implementation has been changed - to use faster hash-function (HalfSipHash2-4) and - uses Fibonacci hashing for better distribution. - Setting the max-cache-size now preallocates fixed - size hashtable, so the rehashing doesn't cause - resolution brownouts when growing the hashtable. - [GL #1775] +5473. [func] The RBT hash table implementation has been changed + to use a faster hash function (HalfSipHash2-4) and + Fibonacci hashing for better distribution. Setting + "max-cache-size" now preallocates a fixed-size hash + table so that rehashing does not cause resolution + brownouts while the hash table is grown. [GL #1775] 5472. [func] The statistics channel has been updated to use the new network manager. [GL #2022] -5471. [bug] The introduction of KASP support broke whether the - second field of sig-validity-interval was treated as - days or hours. (Thanks to Tony Finch.) [GL !3735] +5471. [bug] The introduction of KASP support inadvertently caused + the second field of "sig-validity-interval" to always be + calculated in hours, even in cases when it should have + been calculated in days. This has been fixed. (Thanks to + Tony Finch.) [GL !3735] -5470. [port] illumos: only call gsskrb5_register_acceptor_identity - if we have gssapi_krb5.h. [GL #1995] +5470. [port] gsskrb5_register_acceptor_identity() is now only called + if gssapi_krb5.h is present. [GL #1995] -5469. [port] illumos: SEC is defined in which - conflicted with our use of SEC. [GL #1993] +5469. [port] On illumos, a constant called SEC is already defined in + , which conflicts with an identically named + constant in libbind9. This conflict has been resolved. + [GL #1993] -5468. [bug] Address potential double unlock in process_fd(). +5468. [bug] Addressed potential double unlock in process_fd(). [GL #2005] 5467. [func] The control channel and the rndc utility have been updated to use the new network manager. To support this, the network manager was updated to enable - wthe initiation of client TCP connections. Its + the initiation of client TCP connections. Its internal reference counting has been refactored. - Note: As side effects of this change, rndc cannot + Note: As a side effect of this change, rndc cannot currently be used with UNIX-domain sockets, and its default timeout has changed from 60 seconds to 30. These will be addressed in a future release. @@ -88,30 +92,30 @@ 5466. [bug] Addressed an error in recursive clients stats reporting. [GL #1719] -5465. [func] Fallback to built in trust-anchors, managed-keys, or - trusted-keys if the bindkeys-file (bind.keys) cannot +5465. [func] Added fallback to built-in trust-anchors, managed-keys, + or trusted-keys if the bindkeys-file (bind.keys) cannot be parsed. [GL #1235] -5464. [bug] Specifying saving more than 128 files when rolling - dnstap / log files would cause buffer overflow. - [GL #1989] +5464. [bug] Requesting more than 128 files to be saved when rolling + dnstap log files caused a buffer overflow. This has been + fixed. [GL #1989] 5463. [placeholder] 5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976] -5461. [bug] The header STALE attribute was not being updated with - the write lock being held leading to incorrect - statistics. Convert the header attributes to use atomic - operations. [GL #1475] +5461. [bug] The STALE rdataset header attribute was updated while + the write lock was not being held, leading to incorrect + statistics. The header attributes are now converted to + use atomic operations. [GL #1475] 5460. [cleanup] tsig-keygen was previously an alias for ddns-confgen and was documented in the ddns-confgen man page. This has been reversed; tsig-keygen is now the primary name. [GL #1998] -5459. [bug] Bad isc_mem_put() size when an invalid type was - specified in a update-policy rule. [GL #1990] +5459. [bug] Fixed bad isc_mem_put() size when an invalid type was + specified in an "update-policy" rule. [GL #1990] --- 9.17.3 released ---