From: Nicki Křížek Date: Mon, 8 Jul 2024 11:31:31 +0000 (+0200) Subject: Create release notes for 9.20.0 X-Git-Tag: v9.20.0~2^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=890ebd3fd30490f812dc2641c4cac1d947293dae;p=thirdparty%2Fbind9.git Create release notes for 9.20.0 --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 10641f7ebaf..225bdcb44a6 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -17,12 +17,9 @@ Release Notes Introduction ------------ -BIND 9.19 is an unstable development release of BIND. This document -summarizes new features and functional changes that have been introduced -on this branch. With each development release leading up to the stable -BIND 9.20 release, this document will be updated with additional -features added and bugs fixed. Please see the CHANGES file for a more -detailed list of changes and bug fixes. +BIND 9.20 is a stable branch, suitable for production use. This +document summarizes significant changes since the last production +release on the 9.18 branch. Supported Platforms ------------------- 
@@ -38,32 +35,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-9.19.25.rst -.. include:: ../notes/notes-9.19.24.rst -.. include:: ../notes/notes-9.19.23.rst -.. include:: ../notes/notes-9.19.22.rst -.. include:: ../notes/notes-9.19.21.rst -.. include:: ../notes/notes-9.19.20.rst -.. include:: ../notes/notes-9.19.19.rst -.. include:: ../notes/notes-9.19.18.rst -.. include:: ../notes/notes-9.19.17.rst -.. include:: ../notes/notes-9.19.16.rst -.. include:: ../notes/notes-9.19.15.rst -.. include:: ../notes/notes-9.19.14.rst -.. include:: ../notes/notes-9.19.13.rst -.. include:: ../notes/notes-9.19.12.rst -.. include:: ../notes/notes-9.19.11.rst -.. include:: ../notes/notes-9.19.10.rst -.. include:: ../notes/notes-9.19.9.rst -.. include:: ../notes/notes-9.19.8.rst -.. include:: ../notes/notes-9.19.7.rst -.. include:: ../notes/notes-9.19.6.rst -.. include:: ../notes/notes-9.19.5.rst -.. include:: ../notes/notes-9.19.4.rst -.. include:: ../notes/notes-9.19.3.rst -.. include:: ../notes/notes-9.19.2.rst -.. include:: ../notes/notes-9.19.1.rst -.. include:: ../notes/notes-9.19.0.rst +.. include:: ../notes/notes-9.20.0.rst .. _relnotes_license: 
@@ -79,13 +51,12 @@ https://www.isc.org/contact/. End of Life ----------- -BIND 9.19 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.20, which will be a stable -branch. The end-of-life date for BIND 9.20 has not yet been determined. -For those needing long-term stability, the current Extended Support -Version (ESV) is BIND 9.18, which will be supported until at least -December 2025. See https://kb.isc.org/docs/aa-00896 for details of -ISC's software support policy. +BIND 9.20 is a stable branch, suitable for production use. After it has +been in production use for a while it will be designated as an Extended +Support Version (ESV). Until then, the current ESV is BIND 9.18, which +will be supported until at least December 2025. See +https://kb.isc.org/docs/aa-00896 for details of ISC's software support +policy. Thank You --------- diff --git a/doc/notes/notes-9.19.0.rst b/doc/notes/notes-9.19.0.rst deleted file mode 100644 index f6363e680c9..00000000000 --- a/doc/notes/notes-9.19.0.rst +++ /dev/null 
@@ -1,61 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.0 ---------------------- - -Known Issues -~~~~~~~~~~~~ - -- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT - be inspected when verifying a remote certificate while establishing a - DNS-over-TLS connection. Only ``subjectAltName`` must be checked - instead. Unfortunately, some quite old versions of cryptographic - libraries might lack the ability to ignore the ``Subject`` field. This - should have minimal production-use consequences, as most of the - production-ready certificates issued by certificate authorities will - have ``subjectAltName`` set. In such cases, the ``Subject`` field is - ignored. Only old platforms are affected by this, e.g. those supplied - with OpenSSL versions older than 1.1.1. :gl:`#3163` - -- See :ref:`above ` for a list of all known - issues affecting this BIND 9 branch. - -New Features -~~~~~~~~~~~~ - -- Add support for remote TLS certificate verification, both to - :iscman:`named` and :iscman:`dig`, making it possible to implement - Strict and Mutual TLS authentication, as described in :rfc:`9103`, - Section 9.3. :gl:`#3163` - -- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a - ``-J`` option to specify a journal file to read when loading the zone - to be verified or signed. :gl:`#2486` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The ``keep-response-order`` option has been declared obsolete and the - functionality has been removed. :iscman:`named` expects DNS clients to - be fully compliant with :rfc:`7766`. 
:gl:`#3140` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Run RPZ updates on the specialized "offload" threads to reduce the - amount of time they block query processing on the main networking - threads. This should increase the responsiveness of :iscman:`named` - when RPZ updates are being applied after an RPZ zone has been - successfully transferred. :gl:`#3190` - -- The catalog zone implementation has been optimized to work with - hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744` diff --git a/doc/notes/notes-9.19.1.rst b/doc/notes/notes-9.19.1.rst deleted file mode 100644 index 9e364bcd7b8..00000000000 --- a/doc/notes/notes-9.19.1.rst +++ /dev/null 
@@ -1,72 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.1 ---------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Previously, TLS socket objects could be destroyed prematurely, which - triggered assertion failures in :iscman:`named` instances serving - DNS-over-HTTPS (DoH) clients. This has been fixed. - - ISC would like to thank Thomas Amgarten from arcade solutions ag for - bringing this vulnerability to our attention. :cve:`2022-1183` - :gl:`#3216` - -New Features -~~~~~~~~~~~~ - -- Catalog Zones schema version 2, as described in the - "DNS Catalog Zones" IETF draft version 5 document, is now supported by - :iscman:`named`. All of the previously supported BIND-specific catalog - zone custom properties (:any:`primaries`, :any:`allow-query`, and - :any:`allow-transfer`), as well as the new Change of Ownership (``coo``) - property, are now implemented. Schema version 1 is still supported, - with some additional validation rules applied from schema version 2: - for example, the :any:`version` property is mandatory, and a member zone - PTR RRset must not contain more than one record. In the event of a - validation error, a corresponding error message is logged to help with - diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223` - :gl:`#3224` :gl:`#3225` - -- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and - ``Stale NXDOMAIN Answer`` when stale answers are returned from cache. 
- :gl:`#2267` - -- The Object Identifier (OID) embedded at the start of a PRIVATEOID - public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now - checked to ensure that it is valid when reading from zone files or - receiving data on the wire. The Object Identifier is now printed when - the ``dig +rrcomments`` option is used. Similarly, the name embedded - at the start of a PRIVATEDNS public key is also checked for validity. - :gl:`#3234` - -- The Object Identifier (OID) embedded at the start of a PRIVATEOID - signature in a SIG, or RRSIG resource records is now checked to - ensure that it is valid when reading from zone files or receiving - data on the wire. Similarly, the name embedded at the start of - a PRIVATEDNS public key is also checked for validity. :gl:`#3296` - -Bug Fixes -~~~~~~~~~ - -- Previously, CDS and CDNSKEY DELETE records were removed from the zone - when configured with the ``auto-dnssec maintain;`` option. This has - been fixed. :gl:`#2931` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.10.rst b/doc/notes/notes-9.19.10.rst deleted file mode 100644 index db6aae7d83a..00000000000 --- a/doc/notes/notes-9.19.10.rst +++ /dev/null 
@@ -1,73 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.10 ----------------------- - -New Features -~~~~~~~~~~~~ - -- The :any:`forwarders` statement now supports the :any:`tls` argument, - to be used to forward queries to DoT-enabled servers. :gl:`#3726` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Specifying a ``port`` when configuring source addresses (i.e., as an - argument to :any:`query-source`, :any:`query-source-v6`, - :any:`transfer-source`, :any:`transfer-source-v6`, - :any:`notify-source`, :any:`notify-source-v6`, :any:`parental-source`, - or :any:`parental-source-v6`, or in the ``source`` or ``source-v6`` - arguments to :any:`primaries`, :any:`parental-agents`, - :any:`also-notify`, or :any:`catalog-zones`) has been deprecated. In - addition, the :any:`use-v4-udp-ports`, :any:`use-v6-udp-ports`, - :any:`avoid-v4-udp-ports`, and :any:`avoid-v6-udp-ports` options have - also been deprecated. - - Warnings are now logged when any of these options are encountered in - ``named.conf``. In a future release, they will be made nonfunctional. - :gl:`#3781` - -- The Differentiated Services Code Point (DSCP) feature has been - removed: configuring DSCP values in ``named.conf`` is now a - configuration error. :gl:`#3789` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The memory statistics have been reduced to a single counter, - ``InUse``; ``Malloced`` is an alias that holds the same value. The - other counters were usable with the old BIND 9 internal memory - allocator, but they are unnecessary now that the latter has been - removed. 
:gl:`#3718` - -Bug Fixes -~~~~~~~~~ - -- A constant stream of zone additions and deletions via ``rndc - reconfig`` could cause increased memory consumption due to delayed - cleaning of view memory. This has been fixed. :gl:`#3801` - -- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of - NSEC3 hashing, has been improved. :gl:`#3795` - -- Pointing :any:`parental-agents` to a resolver did not work because the - RD bit was not set on DS requests. This has been fixed. :gl:`#3783` - -- Building BIND 9 failed when the ``--enable-dnsrps`` switch for - ``./configure`` was used. This has been fixed. :gl:`#3827` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.11.rst b/doc/notes/notes-9.19.11.rst deleted file mode 100644 index a4aafb9d70f..00000000000 --- a/doc/notes/notes-9.19.11.rst +++ /dev/null 
@@ -1,89 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.11 ----------------------- - -New Features -~~~~~~~~~~~~ - -- When using :any:`dnssec-policy`, it is now possible to configure the - digest type to use when ``CDS`` records need to be published with - :any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS - records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Support for Red Hat Enterprise Linux version 7 (and clones) has been - dropped. A C11-compliant compiler is now required to compile BIND 9. - :gl:`#3729` - -- The functions that were in the ``libbind9`` shared library have been - moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty - ``libbind9`` has been removed and is no longer installed. :gl:`#3903` - -- The ``irs_resconf`` module has been moved to the ``libdns`` shared - library. The now-empty ``libirs`` library has been removed and is no - longer installed. :gl:`#3904` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Catalog zone updates are now run on specialized "offload" threads to - reduce the amount of time they block query processing on the main - networking threads. This increases the responsiveness of - :iscman:`named` when catalog zone updates are being applied after a - catalog zone has been successfully transferred. :gl:`#3881` - -- libuv support for receiving multiple UDP messages in a single - ``recvmmsg()`` system call has been tweaked several times between - libuv versions 1.35.0 and 1.40.0; the current recommended libuv - version is 1.40.0 or higher. 
New rules are now in effect for running - with a different version of libuv than the one used at compilation - time. These rules may trigger a fatal error at startup: - - - Building against or running with libuv versions 1.35.0 and 1.36.0 is - now a fatal error. - - - Running with libuv version higher than 1.34.2 is now a fatal error - when :iscman:`named` is built against libuv version 1.34.2 or lower. - - - Running with libuv version higher than 1.39.0 is now a fatal error - when :iscman:`named` is built against libuv version 1.37.0, 1.38.0, - 1.38.1, or 1.39.0. - - This prevents the use of libuv versions that may trigger an assertion - failure when receiving multiple UDP messages in a single system call. - :gl:`#3840` - -Bug Fixes -~~~~~~~~~ - -- :iscman:`named` could crash with an assertion failure when adding a - new zone into the configuration file for a name which was already - configured as a member zone for a catalog zone. This has been fixed. - :gl:`#3911` - -- When :iscman:`named` starts up, it sends a query for the DNSSEC key - for each configured trust anchor to determine whether the key has - changed. In some unusual cases, the query might depend on a zone for - which the server is itself authoritative, and would have failed if it - were sent before the zone was fully loaded. This has now been fixed by - delaying the key queries until all zones have finished loading. - :gl:`#3673` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.12.rst b/doc/notes/notes-9.19.12.rst deleted file mode 100644 index 0d08a2279a7..00000000000 --- a/doc/notes/notes-9.19.12.rst +++ /dev/null 
@@ -1,93 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.12 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- An error in DNS message processing introduced in development version - 9.19.11 could cause BIND and its utilities to crash if the maximum - permissible number of DNS labels were present. This has been fixed. - :gl:`#3998` - -Known Issues -~~~~~~~~~~~~ - -- Loading a large number of zones is significantly slower in BIND - 9.19.12 than in the previous development releases due to a new data - structure being used for storing information about the zones to serve. - This slowdown is considered to be a bug and will be addressed in a - future BIND 9.19.x development release. :gl:`#4006` - -- A flaw in reworked code responsible for accepting TCP connections may - cause a visible performance drop for TCP queries on some platforms, - notably FreeBSD. This issue will be fixed in a future BIND 9.19.x - development release. :gl:`#3985` - -- See :ref:`above ` for a list of all known issues - affecting this BIND 9 branch. - -New Features -~~~~~~~~~~~~ - -- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data - structures. :gl:`#3934` - -- The new command-line :option:`delv +ns` option activates name server - mode, to more accurately reproduce the behavior of :iscman:`named` - when resolving a query. In this mode, :iscman:`delv` uses an internal - recursive resolver rather than an external server. All messages sent - and received during the resolution and validation process are logged. - This can be used in place of :option:`dig +trace`. 
:gl:`#3842` - -- A new configuration option, :any:`checkds`, has been introduced. When - set to ``yes``, it detects :any:`parental-agents` automatically by - resolving the parent NS records. These name servers are queried to - check the DS RRset during a KSK rollover initiated by - :any:`dnssec-policy`. :gl:`#3901` - -.. _`liburcu`: https://liburcu.org/ - -Removed Features -~~~~~~~~~~~~~~~~ - -- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been - removed and using TKEY Mode 2 is now a fatal error. Users are advised - to switch to TKEY Mode 3 (GSS-API). :gl:`#3905` - -- Zone type ``delegation-only``, and the ``delegation-only`` and - ``root-delegation-only`` statements, have been removed. Using them is - a configuration error. - - These statements were created to address the SiteFinder controversy, - in which certain top-level domains redirected misspelled queries to - other sites instead of returning NXDOMAIN responses. Since top-level - domains are now DNSSEC-signed, and DNSSEC validation is active by - default, the statements are no longer needed. :gl:`#3953` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The log message ``resolver priming query complete`` has been moved - from the INFO log level to the DEBUG(1) log level, to prevent - :iscman:`delv` from emitting that message when setting up its internal - resolver. :gl:`#3842` - -Bug Fixes -~~~~~~~~~ - -- Several bugs which could cause :iscman:`named` to crash during catalog - zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997` - -- Performance of DNSSEC validation in zones with many DNSKEY records has - been improved. :gl:`#3981` diff --git a/doc/notes/notes-9.19.13.rst b/doc/notes/notes-9.19.13.rst deleted file mode 100644 index 6438bc4e9ae..00000000000 --- a/doc/notes/notes-9.19.13.rst +++ /dev/null 
@@ -1,66 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.13 ----------------------- - -New Features -~~~~~~~~~~~~ - -- :iscman:`dnstap-read` can now print long timestamps with millisecond - precision. :gl:`#2360` - -Bug Fixes -~~~~~~~~~ - -- When the same :any:`notify-source` address and port number was - configured for multiple destinations and zones, an unresponsive server - could tie up the relevant network socket until it timed out; in the - meantime, NOTIFY messages for other servers silently failed. - :iscman:`named` will now retry sending such NOTIFY messages over TCP. - Furthermore, NOTIFY failures are now logged at the INFO level. - :gl:`#4001` :gl:`#4002` - -- The :any:`max-transfer-time-in` and :any:`max-transfer-idle-in` - statements have not had any effect since the BIND 9 networking stack - was refactored in version 9.16. The missing functionality has been - re-implemented and incoming zone transfers now time out properly when - not progressing. :gl:`#4004` - -- The read timeout in :iscman:`rndc` is now 60 seconds, matching the - behavior in BIND 9.16 and earlier. It had previously been lowered to - 30 seconds by mistake. :gl:`#4046` - -- When the ``ISC_R_INVALIDPROTO`` (``ENOPROTOOPT``, ``EPROTONOSUPPORT``) - error code is returned by libuv, it is now treated as a network - failure: the server for which that error code is returned gets marked - as broken and is not contacted again during a given resolution - process. 
:gl:`#4005` - -- When removing delegations from an opt-out range, empty-non-terminal - NSEC3 records generated by those delegations were not cleaned up. This - has been fixed. :gl:`#4027` - -- A flaw in reworked code responsible for accepting TCP connections has - been addressed. This issue could cause a visible performance drop for - TCP queries on some platforms, notably FreeBSD, and has now been - fixed. :gl:`#3985` - -- Log file rotation code did not clean up older versions of log files - when the logging :any:`channel` had an absolute path configured as a - ``file`` destination. This has been fixed. :gl:`#3991` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.14.rst b/doc/notes/notes-9.19.14.rst deleted file mode 100644 index 102a7f4d838..00000000000 --- a/doc/notes/notes-9.19.14.rst +++ /dev/null 
@@ -1,89 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.14 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- The overmem cleaning process has been improved, to prevent the cache from - significantly exceeding the configured :any:`max-cache-size` limit. - :cve:`2023-2828` - - ISC would like to thank Shoham Danino from Reichman University, Anat - Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, - and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to - our attention. :gl:`#4055` - -New Features -~~~~~~~~~~~~ - -- The read timeout in :iscman:`rndc` can now be specified on the command - line using the :option:`-t ` option, allowing commands that - take a long time to complete sufficient time to do so. :gl:`#4046` - -- Support for multi-signer model 2 (:rfc:`8901`) when using - :any:`inline-signing` was added. :gl:`#2710` - -- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`, - that allows users to enable or disable the publication of CDNSKEY - records. :gl:`#4050` - -- The system test suite can now be executed with pytest (along with - pytest-xdist for parallel execution). :gl:`#3978` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Special-case code that was originally added to allow GSS-TSIG to work - around bugs in the Windows 2000 version of Active Directory has now - been removed, since Windows 2000 is long past end-of-life. 
The - :option:`-o ` option and the ``oldgsstsig`` command to - :iscman:`nsupdate` have been deprecated, and are now treated as - synonyms for :option:`-g ` and ``gsstsig`` respectively. - :gl:`#4012` - -Feature Changes -~~~~~~~~~~~~~~~ - -- If a response from an authoritative server has its RCODE set to - FORMERR and contains an echoed EDNS COOKIE option that was present in - the query, :iscman:`named` now retries sending the query to the - same server without an EDNS COOKIE option. :gl:`#4049` - -- The responsiveness of :iscman:`named` was improved, when serving as an - authoritative DNS server for a delegation-heavy zone(s) shortly after - loading such zone(s). :gl:`#4045` - -Bug Fixes -~~~~~~~~~ - -- When the :any:`stale-answer-enable` option was enabled and the - :any:`stale-answer-client-timeout` option was enabled and larger than - 0, :iscman:`named` previously allocated two slots from the - :any:`clients-per-query` limit for each client and failed to gradually - auto-tune its value, as configured. This has been fixed. :gl:`#4074` - -- Previously, it was possible for a delegation from cache to be returned - to the client after the :any:`stale-answer-client-timeout` duration. - This has been fixed. :gl:`#3950` - -- BIND could allocate too big buffers when sending data via - stream-based DNS transports, leading to increased memory usage. - This has been fixed. :gl:`#4038` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.15.rst b/doc/notes/notes-9.19.15.rst deleted file mode 100644 index 24956734054..00000000000 --- a/doc/notes/notes-9.19.15.rst +++ /dev/null 
@@ -1,38 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.15 ----------------------- - -Feature Changes -~~~~~~~~~~~~~~~ - -- The ``relaxed`` QNAME minimization mode now uses NS records. This - reduces the number of queries :iscman:`named` makes when resolving, as - it allows the non-existence of NS RRsets at non-referral nodes to be - cached in addition to the normally cached referrals. :gl:`#3325` - -Bug Fixes -~~~~~~~~~ - -- The ability to read HMAC-MD5 key files, which was accidentally lost in - BIND 9.19.6 and BIND 9.18.8, has been restored. :gl:`#3668` - :gl:`#4154` - -- Several minor stability issues with the catalog zone implementation - have been fixed. :gl:`#4132` :gl:`#4136` :gl:`#4171` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.16.rst b/doc/notes/notes-9.19.16.rst deleted file mode 100644 index 0b0b81bfa3a..00000000000 --- a/doc/notes/notes-9.19.16.rst +++ /dev/null 
@@ -1,65 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.16 ----------------------- - -Removed Features -~~~~~~~~~~~~~~~~ - -- The ``auto-dnssec`` configuration statement has been removed. Please - use :any:`dnssec-policy` or manual signing instead. The following - statements have become obsolete: :any:`dnskey-sig-validity`, - :any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`, - :any:`sig-validity-interval`, and :any:`update-check-ksk`. :gl:`#3672` - -Feature Changes -~~~~~~~~~~~~~~~ - -- BIND now returns BADCOOKIE for out-of-date or otherwise bad but - well-formed DNS server cookies. :gl:`#4194` - -- When a primary server for a zone responds to an SOA query, but the - subsequent TCP connection required to transfer the zone is refused, - that server is marked as temporarily unreachable. This now also - happens if the TCP connection attempt times out, preventing too many - zones from queuing up on an unreachable server and allowing the - refresh process to move on to the next configured primary more - quickly. :gl:`#4215` - -- The :any:`inline-signing` statement can now also be set inside - :any:`dnssec-policy`. The built-in policies ``default`` and - ``insecure`` enable the use of :any:`inline-signing`. If - :any:`inline-signing` is set at the ``zone`` level, it overrides the - value set in :any:`dnssec-policy`. :gl:`#3677` - -- To improve query-processing latency under load, the uninterrupted time - spent on resolving long chains of cached domain names has been - reduced. 
:gl:`#4185` - -- The :any:`dialup` and :any:`heartbeat-interval` options have been - deprecated and will be removed in a future BIND 9 release. :gl:`#3700` - -Bug Fixes -~~~~~~~~~ - -- Setting :any:`dnssec-policy` to ``insecure`` prevented zones - containing resource records with a TTL value larger than 86400 seconds - (1 day) from being loaded. This has been fixed by ignoring the TTL - values in the zone and using a value of 604800 seconds (1 week) as the - maximum zone TTL in key rollover timing calculations. :gl:`#4032` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.17.rst b/doc/notes/notes-9.19.17.rst deleted file mode 100644 index 23f40700a9c..00000000000 --- a/doc/notes/notes-9.19.17.rst +++ /dev/null 
@@ -1,99 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.17 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Previously, sending a specially crafted message over the control - channel could cause the packet-parsing code to run out of available - stack memory, causing :iscman:`named` to terminate unexpectedly. - This has been fixed. :cve:`2023-3341` - - ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for - bringing this vulnerability to our attention. :gl:`#4152` - -New Features -~~~~~~~~~~~~ - -- Support for User Statically Defined Tracing (USDT) probes has been - added. These probes enable fine-grained application tracing and - introduce no overhead when they are not enabled. :gl:`#4041` - -- The client-side support of the EDNS EXPIRE option has been expanded to - include IXFR and AXFR query types. This enhancement enables - :iscman:`named` to perform AXFR and IXFR queries while incorporating - the EDNS EXPIRE option. :gl:`#4170` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The :any:`dnssec-must-be-secure` option has been deprecated and will - be removed in a future release. :gl:`#4263` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Compiling with jemalloc versions older than 4.0.0 is no longer - supported; those versions do not provide the features required by - current BIND 9 releases. :gl:`#4296` - -- If the ``server`` command is specified, :iscman:`nsupdate` now honors - the :option:`nsupdate -v` option for SOA queries by sending both the - UPDATE request and the initial query over TCP. 
:gl:`#1181` - -Bug Fixes -~~~~~~~~~ - -- The value of the If-Modified-Since header in the statistics channel - was not being correctly validated for its length, potentially allowing - an authorized user to trigger a buffer overflow. Ensuring the - statistics channel is configured correctly to grant access exclusively - to authorized users is essential (see the :any:`statistics-channels` - block definition and usage section). :gl:`#4124` - - This issue was reported independently by Eric Sesterhenn of X41 D-Sec - GmbH and Cameron Whitehead. - -- The Content-Length header in the statistics channel was lacking proper - bounds checking. A negative or excessively large value could - potentially trigger an integer overflow and result in an assertion - failure. :gl:`#4125` - - This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. - -- Several memory leaks caused by not clearing the OpenSSL error stack - were fixed. :gl:`#4159` - - This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. - -- The introduction of ``krb5-subdomain-self-rhs`` and - ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused - :iscman:`named` to return SERVFAIL responses to deletion requests for - non-existent PTR and SRV records. This has been fixed. :gl:`#4280` - -- The :any:`stale-refresh-time` feature was mistakenly disabled when the - server cache was flushed by :option:`rndc flush`. This has been fixed. - :gl:`#4278` - -- BIND's memory consumption has been improved by implementing dedicated - jemalloc memory arenas for sending buffers. This optimization ensures - that memory usage is more efficient and better manages the return of - memory pages to the operating system. :gl:`#4038` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.18.rst b/doc/notes/notes-9.19.18.rst deleted file mode 100644 index df7511d663d..00000000000 
--- a/doc/notes/notes-9.19.18.rst +++ /dev/null 
@@ -1,83 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.18 ----------------------- - -New Features -~~~~~~~~~~~~ - -- The statistics channel now includes information about incoming zone - transfers that are currently in progress. :gl:`#3883` - -- The new :any:`resolver-use-dns64` option enables :iscman:`named` to - apply :any:`dns64` rules to IPv4 server addresses when sending - recursive queries, so that resolution can be performed over a NAT64 - connection. :gl:`#608` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Support for the ``lock-file`` statement and the ``named -X`` - command-line option has been removed. An external process supervisor - should be used instead. :gl:`#4391` - - Alternatively, the ``flock`` utility (part of util-linux) can be used - on Linux systems to achieve the same effect as ``lock-file`` or - ``named -X``: - - :: - - flock -n -x /named.lock /named - -- Configuring the control channel to use a Unix domain socket has been a - fatal error since BIND 9.18. The feature has now been completely - removed and :iscman:`named-checkconf` now reports it as a - configuration error. :gl:`#4311` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Processing large incremental transfers (IXFR) has been offloaded to a - separate work thread so that it does not prevent networking threads - from processing regular traffic in the meantime. :gl:`#4367` - -- QNAME minimization is now used when looking up the addresses of name - servers during the recursive resolution process. 
:gl:`#4209` - -- The :any:`inline-signing` zone option is now ignored if there is no - :any:`dnssec-policy` configured for the zone. This means that unsigned - zones no longer create redundant signed versions of the zone. - :gl:`#4349` - -- The IP addresses for B.ROOT-SERVERS.NET have been updated to - 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101` - -Bug Fixes -~~~~~~~~~ - -- :any:`max-cache-size` accidentally became ineffective in BIND 9.19.16. - This has been fixed and the option now behaves as documented again. - :gl:`#4340` - -- If the unsigned version of an inline-signed zone contained DNSSEC - records, it was incorrectly scheduled for resigning. This has been - fixed. :gl:`#4350` - -- Looking up stale data from the cache did not take local authoritative - data into account. This has been fixed. :gl:`#4355` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.19.rst b/doc/notes/notes-9.19.19.rst deleted file mode 100644 index 53f769ce55d..00000000000 --- a/doc/notes/notes-9.19.19.rst +++ /dev/null 
@@ -1,55 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.19 ----------------------- - -New Features -~~~~~~~~~~~~ - -- Initial support for the PROXYv2 protocol was added. :iscman:`named` - can now accept PROXYv2 headers over all currently implemented DNS - transports and :iscman:`dig` can insert these headers into the queries - it sends. Please consult the related documentation - (:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and - :any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and - :option:`dig +proxy-plain` for :iscman:`dig`) for additional details. - :gl:`#4388` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm - aes;``) has been removed. The only supported DNS COOKIE algorithm is - now the current default, SipHash-2-4. :gl:`#4421` - -- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval`` - statements have been removed. Using them is now a fatal error. - :gl:`#4405` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The maximum number of NSEC3 iterations allowed for validation purposes - has been lowered from 150 to 50. DNSSEC responses containing NSEC3 - records with iteration counts greater than 50 are now treated as - insecure. :gl:`#4363` - -- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only - allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using - NSEC3 that the policy manages. :gl:`#4363` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. 
See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.2.rst b/doc/notes/notes-9.19.2.rst deleted file mode 100644 index b086d6c4d4a..00000000000 --- a/doc/notes/notes-9.19.2.rst +++ /dev/null @@ -1,44 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.2 ---------------------- - -Feature Changes -~~~~~~~~~~~~~~~ - -- New :any:`dnssec-policy` configuration checks have been added to detect - unusual policies, such as missing KSK and/or ZSK and too-short key - lifetimes and re-sign periods. :gl:`#1611` - -Bug Fixes -~~~~~~~~~ - -- The :any:`fetches-per-server` quota is designed to adjust itself downward - automatically when an authoritative server times out too frequently. - Due to a coding error, that adjustment was applied incorrectly, so - that the quota for a congested server was always set to 1. This has - been fixed. :gl:`#3327` - -- DNSSEC-signed catalog zones were not being processed correctly. This - has been fixed. :gl:`#3380` - -- Key files were updated every time the :any:`dnssec-policy` key manager - ran, whether the metadata had changed or not. :iscman:`named` now - checks whether changes were applied before writing out the key files. - :gl:`#3302` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.20.rst b/doc/notes/notes-9.19.20.rst deleted file mode 100644 index c7946620951..00000000000 --- a/doc/notes/notes-9.19.20.rst +++ /dev/null 
@@ -1,19 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.20 ----------------------- - -.. note:: - - The BIND 9.19.20 release was withdrawn after the discovery of a - regression in a security fix in it during pre-release testing. ISC - would like to acknowledge the assistance of Curtis Tuplin of SaskTel. diff --git a/doc/notes/notes-9.19.21.rst b/doc/notes/notes-9.19.21.rst deleted file mode 100644 index f0593145988..00000000000 --- a/doc/notes/notes-9.19.21.rst +++ /dev/null 
@@ -1,74 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.21 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Validating DNS messages containing a lot of DNSSEC signatures could - cause excessive CPU load, leading to a denial-of-service condition. - This has been fixed. :cve:`2023-50387` - - ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, - and Michael Waidner from the German National Research Center for - Applied Cybersecurity ATHENE for bringing this vulnerability to our - attention. :gl:`#4424` - -- Preparing an NSEC3 closest encloser proof could cause excessive CPU - load, leading to a denial-of-service condition. This has been fixed. - :cve:`2023-50868` :gl:`#4459` - -- Parsing DNS messages with many different names could cause excessive - CPU load. This has been fixed. :cve:`2023-4408` - - ISC would like to thank Shoham Danino from Reichman University, Anat - Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv - University, and Yuval Shavitt from Tel-Aviv University for bringing - this vulnerability to our attention. :gl:`#4234` - -- Specific queries could cause :iscman:`named` to crash with an - assertion failure when :any:`nxdomain-redirect` was enabled. This has - been fixed. :cve:`2023-5517` :gl:`#4281` - -- A bad interaction between DNS64 and serve-stale could cause - :iscman:`named` to crash with an assertion failure, when both of these - features were enabled. This has been fixed. 
:cve:`2023-5679` - :gl:`#4334` - -Feature Changes -~~~~~~~~~~~~~~~ - -- :iscman:`named-compilezone` no longer performs zone integrity checks - by default; this allows faster conversion of a zone file from one - format to another. :gl:`#4364` - - Zone checks can be performed by running :iscman:`named-checkzone` - separately, or the previous default behavior can be restored by using: - - :: - - named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail - -Bug Fixes -~~~~~~~~~ - -- The counters exported via the statistics channel were changed back to - 64-bit signed values; they were being inadvertently truncated to - unsigned 32-bit values since BIND 9.15.0. :gl:`#4467` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.22.rst b/doc/notes/notes-9.19.22.rst deleted file mode 100644 index 72c0a842543..00000000000 --- a/doc/notes/notes-9.19.22.rst +++ /dev/null 
@@ -1,107 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.22 ----------------------- - -New Features -~~~~~~~~~~~~ - -- Information on incoming zone transfers in the statistics channel now also shows - the zones' "first refresh" flag, which indicates that a zone is not fully - ready and that its first ever refresh is pending or is in progress. The number - of such zones is now also exposed by the ``rndc status`` command. :gl:`#4241` - -- The statistics channel now includes counters that indicate the number - of currently connected TCP IPv4/IPv6 clients. :gl:`#4425` - -- HSM support was added to :any:`dnssec-policy`. Keys can now be configured with a - ``key-store`` that allows users to set the directory where key files are stored and to - set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 - provider to be configured for OpenSSL. :gl:`#1129` - -- The ``tls`` block was extended with a new ``cipher-suites`` option - that allows permitted cipher suites for TLSv1.3 to be set. Please - consult the documentation for additional details. - :gl:`#3504` - -- Support for the RESINFO record type was added. :gl:`#4413` - -Removed Features -~~~~~~~~~~~~~~~~ - -- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` values, - when the feature is turned on. When using a non-zero value, :iscman:`named` now - generates a warning log message, and treats the value as ``0``. :gl:`#4447` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The ``dnssec-validation yes`` option now requires an explicitly configured - :any:`trust-anchors` statement. 
If using manual trust anchors is not - operationally required, then please consider using ``dnssec-validation auto`` - instead. :gl:`#4373` - -- The red-black tree data structure used in the RBTDB (the default - database implementation for cache and zone databases), - has been replaced with QP-tries. This is expected to improve - performance and scalability, though in the current implementation - it is known to have larger memory consumption. - - A side effect of this change is that zone files that are created with - :any:`masterfile-style` ``relative`` - for example, the output of - :any:`dnssec-signzone` - will no longer have multiple different - `$ORIGIN` statements. There should be no other changes to server - behavior. - - The old RBT-based database still exists for now, and can be used by - specifying ``database rbt`` in a ``zone`` statement in ``named.conf``, - or by compiling with ``configure --with-zonedb=rbt --with-cachedb=rbt``. - :gl:`#4411` - -Bug Fixes -~~~~~~~~~ - -- A regression in cache-cleaning code enabled memory use to grow - significantly more quickly than before, until the configured - :any:`max-cache-size` limit was reached. This has been fixed. - :gl:`#4596` - -- Using :option:`rndc flush` inadvertently caused cache cleaning to - become less effective. This could ultimately lead to the configured - :any:`max-cache-size` limit being exceeded and has now been fixed. - :gl:`#4621` - -- The logic for cleaning up expired cached DNS records was - tweaked to be more aggressive. This change helps with enforcing - :any:`max-cache-ttl` and :any:`max-ncache-ttl` in a timely manner. - :gl:`#4591` - -- Changes to ``listen-on`` statements were ignored on reconfiguration - unless the port or interface address was changed, making it - impossible to change a related listener transport type. That issue - has been fixed. - - ISC would like to thank Thomas Amgarten for bringing this issue to - our attention. 
:gl:`#4518` :gl:`#4528` - -- It was possible to trigger a use-after-free assertion when the overmem cache - cleaning was initiated. This has been fixed. :gl:`#4595` - - ISC would like to thank Jinmei Tatuya of Infoblox for bringing - this issue to our attention. - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.23.rst b/doc/notes/notes-9.19.23.rst deleted file mode 100644 index 08fe30d5514..00000000000 --- a/doc/notes/notes-9.19.23.rst +++ /dev/null 
@@ -1,55 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.23 ----------------------- - -New Features -~~~~~~~~~~~~ - -- Added RESOLVER.ARPA to the built in empty zones. :gl:`#4580` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Memory consumption of the new QP-trie database has been optimized. Large - zones, which used to require significantly more memory with QP-trie, now only - require roughly 15% more memory than the old red-black tree data structure. - :gl:`#4614` - -- The :any:`sortlist` option has been deprecated and will be removed in a - future BIND 9.21.x release. Users should not rely on a specific order of - resource records in DNS messages. :gl:`#4593` - -- The ``fixed`` value for the :any:`rrset-order` option and the corresponding - ``configure`` script option have been deprecated and will be removed in a - future BIND 9.21.x release. Users should not rely on a specific order of - resource records in DNS messages. :gl:`#4446` - - -Bug Fixes -~~~~~~~~~ - -- A bug in the keymgr code unintentionally slowed down some DNSSEC key - rollovers. This has been fixed. :gl:`#4552` - -- Two bugs that could have caused resolvers configured with the new cache data - structure to crash or hang have been fixed. :gl:`#4622` :gl:`#4652` - -- Some ISO 8601 durations were accepted erroneously, leading to shorter - durations than expected. This has been fixed. :gl:`#4624` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. 
diff --git a/doc/notes/notes-9.19.24.rst b/doc/notes/notes-9.19.24.rst deleted file mode 100644 index a6ab2b27a95..00000000000 --- a/doc/notes/notes-9.19.24.rst +++ /dev/null 
@@ -1,61 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.24 ----------------------- - -New Features -~~~~~~~~~~~~ - -- A new option :any:`signatures-jitter` has been added to :any:`dnssec-policy` - to allow signature expirations to be spread out over a period of time. - :gl:`#4554` - -- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key Signing - Request (KSR) and Signed Key Response (SKR) files. :gl:`#1128` - -- Queries and responses now emit distinct dnstap entries for DNS-over-TLS (DoT) - and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands these entries. - :gl:`#4523` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The :iscman:`named` command-line option :option:`-U `, which - specified the number of UDP dispatches, has been removed. Using it now - returns a warning. :gl:`#1879` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Querying the statistics channel no longer blocks DNS communication on the - networking event loop level. :gl:`#4680` - -- DNSSEC signatures that are not valid because the current time falls outside - the signature inception and expiration dates no longer count towards maximum - validation and maximum validation failure limits. :gl:`#4586` - -- Multiple RNDC messages are now processed when sent in a single TCP message. - - ISC would like to thank Dominik Thalhammer for reporting the issue and - preparing the initial patch. :gl:`#4416` - -- :iscman:`dnssec-keygen` now allows the options :option:`-k ` and :option:`-f ` to be used together. 
This allows the - creation of keys for a given :any:`dnssec-policy` that match only the KSK - (``-fK``) or ZSK (``-fZ``) roles. :gl:`#1128` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.25.rst b/doc/notes/notes-9.19.25.rst deleted file mode 100644 index d1762c1692e..00000000000 --- a/doc/notes/notes-9.19.25.rst +++ /dev/null 
@@ -1,94 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.25 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- A malicious DNS client that sent many queries over TCP but never read - the responses could cause a server to respond slowly or not at all for - other clients. This has been fixed. :cve:`2024-0760` :gl:`#4481` - -- Excessively large resource record sets can be crafted to slow down - database processing. This has been addressed by adding a configurable - limit to the number of records that can be stored per name and type in - a cache or zone database. The default is 100, but it can be tuned with - the new :any:`max-records-per-type` option. :gl:`#497` :gl:`#3405` - - An excessively large number of resource record types for a single owner - name can be crafted to slow down database processing. This has been - addressed by adding a configurable limit to the number of records that - can be stored per name and type in a cache or zone database. The - default is 100, and can be tuned with the new :any:`max-types-per-name` - option. :cve:`2024-1737` :gl:`#3403` - - ISC would like to thank Toshifumi Sakaguchi who independently - discovered and responsibly reported the issue to ISC. :gl:`#4548` - -- A malicious DNS client that sends many queries with a SIG(0)-signed - message can cause server to respond slowly or not respond at all for - other clients. This has been fixed. 
:cve:`2024-1975` :gl:`#4480` - -- Due to a logic error, lookups that triggered serving stale data and - required lookups in local authoritative zone data could have resulted - in an assertion failure. This has been fixed. :cve:`2024-4076` - :gl:`#4507` - -New Features -~~~~~~~~~~~~ - -- Added a new statistics variable ``recursive high-water`` that reports - the maximum number of simultaneous recursive clients BIND has handled - while running. :gl:`#4668` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Outgoing zone transfers are no longer enabled by default. An explicit - :any:`allow-transfer` ACL must now be set at the :any:`zone`, - :any:`view`, or :namedconf:ref:`options` level to enable outgoing - transfers. :gl:`#4728` - -Bug Fixes -~~~~~~~~~ - -- Potential data races were found in our DoH implementation, related to - HTTP/2 session object management and endpoints set object management - after reconfiguration. These issues have been fixed. :gl:`#4473` - - ISC would like to thank Dzintars and Ivo from nic.lv for bringing this - to our attention. - -- Command-line options for IPv4-only (:option:`named -4`) and IPv6-only - (:option:`named -6`) modes are now respected for zone :any:`primaries`, - :any:`also-notify`, and :any:`parental-agents`. :gl:`#3472` - -- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, - if ``add-soa`` was used. This has been fixed. :gl:`#3323` - -- Some servers which could not be reached due to EHOSTDOWN or ENETDOWN - conditions were incorrectly prioritized during server selection. These - are now properly handled as unreachable. :gl:`#4736` - -- On some systems the libuv call may return an error code when sending a - TCP reset for a connection, which triggers an assertion failure in - :iscman:`named`. This error condition is now dealt with in a more - graceful manner, by logging the incident and shutting down the - connection. :gl:`#4708` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. 
See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.3.rst b/doc/notes/notes-9.19.3.rst deleted file mode 100644 index 05b71b6ab48..00000000000 --- a/doc/notes/notes-9.19.3.rst +++ /dev/null 
@@ -1,77 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.3 ---------------------- - -New Features -~~~~~~~~~~~~ - -- A new command, :option:`rndc fetchlimit`, prints a list of name server - addresses that are currently rate-limited due to - :any:`fetches-per-server` and domain names that are rate-limited due - to :any:`fetches-per-zone`. :gl:`#665` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The ``glue-cache`` *option* has been removed. The glue cache *feature* - still works and is now permanently *enabled*. :gl:`#2147` - -Feature Changes -~~~~~~~~~~~~~~~ - -- To reduce unnecessary memory consumption in the cache, NXDOMAIN - records are no longer retained past the normal negative cache TTL, - even if :any:`stale-cache-enable` is set to ``yes``. :gl:`#3386` - -- The :option:`dnssec-signzone -H` default value has been changed to 0 - additional NSEC3 iterations. This change aligns the - :iscman:`dnssec-signzone` default with the default used by the - :any:`dnssec-policy` feature. At the same - time, documentation about NSEC3 has been aligned with the `Best - Current Practice`_. :gl:`#3395` - -.. _Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10 - -Bug Fixes -~~~~~~~~~ - -- An assertion failure caused by a TCP connection closing between a - connect (or accept) and a read from a socket has been fixed. 
- :gl:`#3400` - -- When grafting non-delegated namespace onto delegated namespace, - :any:`synth-from-dnssec` could incorrectly synthesize non-existence of - records within the non-delegated namespace using NSEC records from - higher zones. :gl:`#3402` - -- Previously, :iscman:`named` immediately returned a SERVFAIL response - to the client when it received a FORMERR response from an - authoritative server during recursive resolution. This has been fixed: - :iscman:`named` acting as a resolver now attempts to contact other - authoritative servers for a given domain when it receives a FORMERR - response from one of them. :gl:`#3152` - -- Previously, :option:`rndc reconfig` did not pick up changes to - :any:`endpoints` statements in :any:`http` blocks. This has been - fixed. :gl:`#3415` - -- It was possible for a catalog zone consumer to process a catalog zone - member zone when there was a configured pre-existing forward-only - forward zone with the same name. This has been fixed. :gl:`#2506` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.4.rst b/doc/notes/notes-9.19.4.rst deleted file mode 100644 index 472f69029e1..00000000000 --- a/doc/notes/notes-9.19.4.rst +++ /dev/null 
@@ -1,66 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.4 ---------------------- - -Removed Features -~~~~~~~~~~~~~~~~ - -- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options` - and :namedconf:ref:`zone` blocks has been deprecated; it should now be - configured as part of :any:`dnssec-policy`. A warning is logged if - this option is used in :namedconf:ref:`options` or :any:`zone` blocks. - In a future release, it will become nonoperational. :gl:`#2918` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically - disabled on systems where they are disallowed by the security policy - (e.g. Red Hat Enterprise Linux 9). Primary zones using those - algorithms need to be migrated to new algorithms prior to running on - these systems, as graceful migration to different DNSSEC algorithms is - not possible when RSASHA1 is disallowed by the operating system. - :gl:`#3469` - -- Log messages related to fetch limiting have been improved to provide - more complete information. Specifically, the final counts of allowed - and spilled fetches are now logged before the counter object is - destroyed. :gl:`#3461` - -Bug Fixes -~~~~~~~~~ - -- When running as a validating resolver forwarding all queries to - another resolver, :iscman:`named` could crash with an assertion - failure. These crashes occurred when the configured forwarder sent a - broken DS response and :iscman:`named` failed its attempts to find a - proper one instead. This has been fixed. 
:gl:`#3439` - -- DNS compression is no longer applied to the root name (``.``) if it is - repeatedly used in the same RRset. :gl:`#3423` - -- Non-dynamic zones that inherit :any:`dnssec-policy` from the - :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not - marked as inline-signed and therefore never scheduled to be re-signed. - This has been fixed. :gl:`#3438` - -- :option:`rndc dumpdb -expired ` was fixed to include - expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and - the cache-cleaning time window has passed. :gl:`#3462` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.5.rst b/doc/notes/notes-9.19.5.rst deleted file mode 100644 index 6095a15da4a..00000000000 --- a/doc/notes/notes-9.19.5.rst +++ /dev/null 
@@ -1,93 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.5 ---------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Previously, there was no limit to the number of database lookups - performed while processing large delegations, which could be abused to - severely impact the performance of :iscman:`named` running as a - recursive resolver. This has been fixed. :cve:`2022-2795` - - ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat - Bremler-Barr & Shani Stajnrod from Reichman University for bringing - this vulnerability to our attention. :gl:`#3394` - -- When an HTTP connection was reused to request statistics from the - stats channel, the content length of successive responses could grow - in size past the end of the allocated buffer. This has been fixed. - :cve:`2022-2881` :gl:`#3493` - -- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that - could be externally triggered, when using TKEY records in DH mode with - OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491` - -- :iscman:`named` running as a resolver with the - :any:`stale-answer-client-timeout` option set to ``0`` could crash - with an assertion failure, when there was a stale CNAME in the cache - for the incoming query. This has been fixed. :cve:`2022-3080` - :gl:`#3517` - -- Memory leaks were fixed that could be externally triggered in the - DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178` - :gl:`#3487` - -New Features -~~~~~~~~~~~~ - -- A new Response Policy Zone (RPZ) :ref:`option`, ``ede``, was - added. 
It enables an :rfc:`8914` Extended DNS Error (EDE) code of - choice to be set for responses which have been modified by a given - RPZ. :gl:`#3410` - -- Worker threads' event loops are now managed by a new "loop manager" - API, significantly changing the architecture of the task, timer, and - networking subsystems for improved performance and code flow. - :gl:`#3508` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Response Rate Limiting (RRL) code now treats all QNAMEs that are - subject to wildcard processing within a given zone as the same name, - to prevent circumventing the limits enforced by RRL. :gl:`#3459` - -- Zones using :any:`dnssec-policy` now require dynamic DNS or - :any:`inline-signing` to be configured explicitly. :gl:`#3381` - -- When reconfiguring :any:`dnssec-policy` from using NSEC with an - NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, - BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC - until the offending DNSKEY records have been removed from the zone, - then switches to using NSEC3. :gl:`#3486` - -- A backward-compatible approach was implemented for encoding - internationalized domain names (IDN) in :iscman:`dig` and converting - the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 - conversion. :gl:`#3485` - -Bug Fixes -~~~~~~~~~ - -- A serve-stale bug was fixed, where BIND would try to return stale data - from cache for lookups that received duplicate queries or queries that - would be dropped. This bug resulted in premature SERVFAIL responses, - and has now been resolved. :gl:`#2982` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.6.rst b/doc/notes/notes-9.19.6.rst deleted file mode 100644 index 8c00985bb50..00000000000 --- a/doc/notes/notes-9.19.6.rst +++ /dev/null 
@@ -1,101 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.6 ---------------------- - -Known Issues -~~~~~~~~~~~~ - -- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may - require a manual configuration change. The following configurations - are affected: - - - :any:`type primary` zones configured with :any:`dnssec-policy` but - without either :any:`allow-update` or :any:`update-policy`, - - :any:`type secondary` zones configured with :any:`dnssec-policy`. - - In these cases please add :namedconf:ref:`inline-signing yes; - ` to the individual zone configuration(s). Without - applying this change, :iscman:`named` will fail to start. For more - details, see - https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing - -- See :ref:`above ` for a list of all known - issues affecting this BIND 9 branch. - -New Features -~~~~~~~~~~~~ - -- Support for parsing and validating the ``dohpath`` service parameter - in SVCB records was added. :gl:`#3544` - -- :iscman:`named` now supports forwarding Dynamic DNS updates through - DNS-over-TLS (DoT). :gl:`#3512` - -- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT). - :gl:`#1781` - -- :iscman:`named` now logs the supported cryptographic algorithms during - startup and in the output of :option:`named -V`. :gl:`#3541` - -- A new configuration option :any:`require-cookie` has been introduced. - It specifies whether there should be a DNS COOKIE in the response for - a given prefix; if not, :iscman:`named` falls back to TCP. 
This is - useful if it is known that a given server supports DNS COOKIE. It can - also be used to force all non-DNS COOKIE responses to fall back to - TCP. :gl:`#2295` - -- Support for libsystemd's ``sd_notify()`` function was added, enabling - :iscman:`named` to report its status to the init system. This allows - systemd to wait until :iscman:`named` is fully ready before starting - other services that depend on name resolution. :gl:`#1176` - -- The ``recursion not available`` and ``query (cache) '...' denied`` log - messages were extended to include the name of the ACL that caused a - given query to be denied. :gl:`#3587` - -Feature Changes -~~~~~~~~~~~~~~~ - -- When an international domain name is not valid according to IDNA2008, - :iscman:`dig` now tries to convert it according to IDNA2003 rules, or - pass it through unchanged, instead of stopping with an error message. - The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527` - -- The DNSSEC signing data included in zone statistics identified - keys only by the key ID; this caused confusion when two keys using - different algorithms had the same ID. Zone statistics now identify - keys using the algorithm number, followed by "+", followed by the - key ID: for example, ``8+54274``. :gl:`#3525` - -- The ability to use PKCS#11 via engine_pkcs11 has been restored, by - using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be - compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS - environment variable at compile time. :gl:`#3578` - -- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. - libuv should be available on all supported platforms either as a - native package or as a backport. :gl:`#3567` - -Bug Fixes -~~~~~~~~~ - -- An assertion failure was fixed in :iscman:`named` that was caused by - aborting the statistics channel connection while sending statistics - data to the client. 
:gl:`#3542` - -- :iscman:`named` could incorrectly return non-truncated, glueless - referrals for responses whose size was close to the UDP packet size - limit. This has been fixed. :gl:`#1967` - -- Changing just the TSIG key names for primaries in catalog zones' - member zones was not effective. This has been fixed. :gl:`#3557` diff --git a/doc/notes/notes-9.19.7.rst b/doc/notes/notes-9.19.7.rst deleted file mode 100644 index 025bfef5d8d..00000000000 --- a/doc/notes/notes-9.19.7.rst +++ /dev/null 
@@ -1,75 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.7 ---------------------- - -New Features -~~~~~~~~~~~~ - -- The :any:`check-svcb` option has been added to control the checking of - additional constraints on SVCB records. This change affects - :iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`, - :iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576` - -Feature Changes -~~~~~~~~~~~~~~~ - -- On Linux, libcap is now a required dependency to help :iscman:`named` - keep needed privileges. :gl:`#3583` - -- The DNS name compression algorithm used in BIND 9 has been revised: it - now compresses more thoroughly than before, so responses containing - names with many labels might have a smaller encoding than before. - :gl:`#3661` - -Bug Fixes -~~~~~~~~~ - -- A crash was fixed that happened when a :any:`dnssec-policy` zone that - used NSEC3 was reconfigured to enable :any:`inline-signing`. - :gl:`#3591` - -- In certain resolution scenarios, quotas could be erroneously reached - for servers, including any configured forwarders, resulting in - SERVFAIL answers being sent to clients. This has been fixed. - :gl:`#3598` - -- ``rpz-ip`` rules in :any:`response-policy` zones could be ineffective - in some cases if a query had the CD (Checking Disabled) bit set to 1. - This has been fixed. 
:gl:`#3247` - -- Previously, if Internet connectivity issues were experienced during - the initial startup of :iscman:`named`, a BIND resolver with - :any:`dnssec-validation` set to ``auto`` could enter into a state - where it would not recover without stopping :iscman:`named`, manually - deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl`` - files, and starting :iscman:`named` again. This has been fixed. - :gl:`#2895` - -- Previously, the port in remote servers such as in :any:`primaries` and - :any:`parental-agents` could be wrongly configured because of an - inheritance bug. This has been fixed. :gl:`#3627` - -- Previously, BIND failed to start on Solaris-based systems with - hundreds of CPUs. This has been fixed. :gl:`#3563` - -- When a DNS resource record's TTL value was equal to the resolver's - configured :any:`prefetch` "eligibility" value, the record was - erroneously not treated as eligible for prefetching. This has been - fixed. :gl:`#3603` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.8.rst b/doc/notes/notes-9.19.8.rst deleted file mode 100644 index 257b96d7297..00000000000 --- a/doc/notes/notes-9.19.8.rst +++ /dev/null 
@@ -1,101 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.8 ---------------------- - -Removed Features -~~~~~~~~~~~~~~~~ - -- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options - have been removed. The limits these options set should be enforced - externally, either by manual configuration (e.g. using ``ulimit``) or - via the process supervisor (e.g. ``systemd``). :gl:`#3676` - -- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no - longer trigger key rollovers and denial-of-existence operations. This - also means that the :any:`dnssec-secure-to-insecure` option has been - obsoleted. :gl:`#3686` - -Feature Changes -~~~~~~~~~~~~~~~ - -- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was - previously set to 0. It is now changed to match the SOA MINIMUM value - for the given zone. :gl:`#3570` - -- The ``--with-tuning`` option for ``configure`` has been removed. Each - of the compile-time settings that required different values based on - the "workload" (which were previously affected by the value of the - ``--with-tuning`` option) has either been removed or changed to a - sensible default. :gl:`#3664` - -- The ``auto-dnssec`` option has been deprecated and will be removed - in a future BIND 9.19.x release. Please migrate to - :any:`dnssec-policy`. :gl:`#3667` - -- Setting alternate local addresses for inbound zone transfers has been - deprecated. The relevant options (``alt-transfer-source``, - ``alt-transfer-source-v6``, and ``use-alt-transfer-source``) will be - removed in a future BIND 9.19.x release. 
:gl:`#3694` - -- On startup, :iscman:`named` now sets the limit on the number of open - files to the maximum allowed by the operating system, instead of - trying to set it to "unlimited". :gl:`#3676` - -- The number of HTTP headers allowed in requests sent to - :iscman:`named`'s statistics channel has been increased from 10 to - 100, to accommodate some browsers that send more than 10 headers - by default. :gl:`#3670` - -Bug Fixes -~~~~~~~~~ - -- :iscman:`named` could crash due to an assertion failure when an HTTP - connection to the statistics channel was closed prematurely (due to a - connection error, shutdown, etc.). This has been fixed. :gl:`#3693` - -- When a catalog zone was removed from the configuration, in some cases - a dangling pointer could cause the :iscman:`named` process to crash. - This has been fixed. :gl:`#3683` - -- When a zone was deleted from a server, a key management object related - to that zone was inadvertently kept in memory and only released upon - shutdown. This could lead to constantly increasing memory use on - servers with a high rate of changes affecting the set of zones being - served. This has been fixed. :gl:`#3727` - -- TLS configuration for primary servers was not applied for zones that - were members of a catalog zone. This has been fixed. :gl:`#3638` - -- In certain cases, :iscman:`named` waited for the resolution of - outstanding recursive queries to finish before shutting down. This was - unintended and has been fixed. :gl:`#3183` - -- :iscman:`host` and :iscman:`nslookup` command-line options setting the - custom TCP/UDP port to use were ignored for ANY queries (which are - sent over TCP). This has been fixed. :gl:`#3721` - -- The new name compression code in BIND 9.19.7 was not compressing - names in zone transfers that should have been compressed, so zone - transfers were larger than before. This has been fixed. 
:gl:`#3706` - -- The ``zone /: final reference detached`` log message was - moved from the INFO log level to the DEBUG(1) log level to prevent the - :iscman:`named-checkzone` tool from superfluously logging this message - in non-debug mode. :gl:`#3707` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.19.9.rst b/doc/notes/notes-9.19.9.rst deleted file mode 100644 index 65a4e711ed5..00000000000 --- a/doc/notes/notes-9.19.9.rst +++ /dev/null 
@@ -1,120 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.9 ---------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- An UPDATE message flood could cause :iscman:`named` to exhaust all - available memory. This flaw was addressed by adding a new - :any:`update-quota` option that controls the maximum number of - outstanding DNS UPDATE messages that :iscman:`named` can hold in a - queue at any given time (default: 100). :cve:`2022-3094` - - ISC would like to thank Rob Schulhof from Infoblox for bringing this - vulnerability to our attention. :gl:`#3523` - -- :iscman:`named` could crash with an assertion failure when an RRSIG - query was received and :any:`stale-answer-client-timeout` was set to a - non-zero value. This has been fixed. :cve:`2022-3736` - - ISC would like to thank Borja Marcos from Sarenet (with assistance by - Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to - our attention. :gl:`#3622` - -- :iscman:`named` running as a resolver with the - :any:`stale-answer-client-timeout` option set to any value greater - than ``0`` could crash with an assertion failure, when the - :any:`recursive-clients` soft quota was reached. This has been fixed. - :cve:`2022-3924` - - ISC would like to thank Maksym Odinintsev from AWS for bringing this - vulnerability to our attention. 
:gl:`#3619` - -New Features -~~~~~~~~~~~~ - -- The new :any:`update-quota` option can be used to control the number - of simultaneous DNS UPDATE messages that can be processed to update an - authoritative zone on a primary server, or forwarded to the primary - server by a secondary server. The default is 100. A new statistics - counter has also been added to record events when this quota is - exceeded, and the version numbers for the XML and JSON statistics - schemas have been updated. :gl:`#3523` - -Removed Features -~~~~~~~~~~~~~~~~ - -- The statements setting alternate local addresses for inbound zone - transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and - ``use-alt-transfer-source``) have been removed. :gl:`#3714` - -- The Differentiated Services Code Point (DSCP) feature in BIND has been - non-operational since the new Network Manager was introduced in BIND - 9.16. It is now marked as obsolete, and vestigial code implementing it - has been removed. Configuring DSCP values in ``named.conf`` now causes - a warning to be logged. :gl:`#3773` - -Feature Changes -~~~~~~~~~~~~~~~ - -- A new way of configuring the preferred source address when talking to - remote servers, such as :any:`primaries` and :any:`parental-agents`, - has been added: setting the ``source`` and/or ``source-v6`` arguments - for a given statement is now possible. This new approach is intended - to eventually replace statements such as :any:`parental-source`, - :any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762` - -- The code for DNS over TCP and DNS over TLS transports has been - replaced with a new, unified transport implementation. :gl:`#3374` - -Bug Fixes -~~~~~~~~~ - -- A rare assertion failure was fixed in outgoing TCP DNS connection - handling. 
:gl:`#3178` :gl:`#3636` - -- In addition to a previously fixed bug, another similar issue was - discovered where quotas could be erroneously reached for servers, - including any configured forwarders, resulting in SERVFAIL answers - being sent to clients. This has been fixed. :gl:`#3752` - -- In certain query resolution scenarios (e.g. when following CNAME - records), :iscman:`named` configured to answer from stale cache could - return a SERVFAIL response despite a usable, non-stale answer being - present in the cache. This has been fixed. :gl:`#3678` - -- When an outgoing request timed out, :iscman:`named` would retry up to - three times with the same server instead of trying the next available - name server. This has been fixed. :gl:`#3637` - -- Recently used ADB names and ADB entries (IP addresses) could get - cleaned when ADB was under memory pressure. To mitigate this, only - actual ADB names and ADB entries are now counted (excluding internal - memory structures used for "housekeeping") and recently used (<= 10 - seconds) ADB names and entries are excluded from the overmem memory - cleaner. :gl:`#3739` - -- The "Prohibited" Extended DNS Error was inadvertently set in some - NOERROR responses. This has been fixed. :gl:`#3743` - -- Previously, TLS session resumption could have led to handshake - failures when client certificates were used for authentication (Mutual - TLS). This has been fixed. :gl:`#3725` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. diff --git a/doc/notes/notes-9.20.0.rst b/doc/notes/notes-9.20.0.rst new file mode 100644 index 00000000000..64bf0748a21 --- /dev/null +++ b/doc/notes/notes-9.20.0.rst 
@@ -0,0 +1,479 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.0 +--------------------- + +.. note:: This section only lists changes since BIND 9.18.28, the most + recent release on the previous stable branch of BIND at the + time of the publication of BIND 9.20.0. + +New Features +~~~~~~~~~~~~ + +- The :any:`forwarders` statement now supports the :any:`tls` argument, + to be used to forward queries to DoT-enabled servers. :gl:`#3726` + +- :iscman:`named` now supports forwarding Dynamic DNS updates through + DNS-over-TLS (DoT). :gl:`#3512` + +- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT). + :gl:`!6752` + +- The :any:`tls` block was extended with a new :any:`cipher-suites` option + that allows permitted cipher suites for TLSv1.3 to be set. Please + consult the documentation for additional details. + :gl:`#3504` + +- Initial support for the PROXYv2 protocol was added. :iscman:`named` + can now accept PROXYv2 headers over all currently implemented DNS + transports and :iscman:`dig` can insert these headers into the queries + it sends. Please consult the related documentation + (:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and + :any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and + :option:`dig +proxy-plain` for :iscman:`dig`) for additional details. + :gl:`#4388` + +- The client-side support of the EDNS EXPIRE option has been expanded to + include IXFR and AXFR query types. This enhancement enables + :iscman:`named` to perform AXFR and IXFR queries while incorporating + the EDNS EXPIRE option. 
:gl:`#4170` + +- A new configuration option :any:`require-cookie` has been introduced. + It specifies whether there should be a DNS COOKIE in the response for + a given prefix; if not, :iscman:`named` falls back to TCP. This is + useful if it is known that a given server supports DNS COOKIE. It can + also be used to force all non-DNS COOKIE responses to fall back to + TCP. :gl:`#2295` + +- The :any:`check-svcb` option has been added to control the checking of + additional constraints on SVCB records. This change affects + :iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`, + :iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576` + +- The new :any:`resolver-use-dns64` option enables :iscman:`named` to + apply :any:`dns64` rules to IPv4 server addresses when sending + recursive queries, so that resolution can be performed over a NAT64 + connection. :gl:`#608` + +- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`, + that allows users to enable or disable the publication of CDNSKEY + records. :gl:`#4050` + +- When using :any:`dnssec-policy`, it is now possible to configure the + digest type to use when CDS records need to be published with + :any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS + records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837` + +- Support for multi-signer model 2 (:rfc:`8901`) when using + :any:`inline-signing` was added. :gl:`#2710` + +- HSM support was added to :any:`dnssec-policy`. Keys can now be + configured with a ``key-store`` that allows users to set the directory + where key files are stored and to set a PKCS#11 URI string. The latter + requires OpenSSL 3 and a valid PKCS#11 provider to be configured for + OpenSSL. :gl:`#1129` + +- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key + Signing Request (KSR) and Signed Key Response (SKR) files. 
:gl:`#1128` + +- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a + ``-J`` option to specify a journal file to read when loading the zone + to be verified or signed. :gl:`#2486` + +- :iscman:`dnssec-keygen` now allows the options :option:`-k + ` and :option:`-f ` to be used + together. This allows the creation of keys for a given + :any:`dnssec-policy` that match only the KSK (``-fK``) or ZSK (``-fZ``) + roles. :gl:`#1128` + +- The :any:`response-policy` statement was extended with a new argument + ``ede``. It enables an :rfc:`8914` Extended DNS Error (EDE) code of choice to + be set for responses which have been modified by a given RPZ. :gl:`#3410` + +- A new way of configuring the preferred source address when talking to + remote servers, such as :any:`primaries` and :any:`parental-agents`, + has been added: setting the ``source`` and/or ``source-v6`` arguments + for a given statement is now possible. This new approach is intended + to eventually replace statements such as :any:`parental-source`, + :any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762` + +- The new command-line :option:`delv +ns` option activates name server + mode, to more accurately reproduce the behavior of :iscman:`named` + when resolving a query. In this mode, :iscman:`delv` uses an internal + recursive resolver rather than an external server. All messages sent + and received during the resolution and validation process are logged. + This can be used in place of :option:`dig +trace`. :gl:`#3842` + +- The read timeout in :iscman:`rndc` can now be specified on the command + line using the :option:`-t ` option, allowing commands that + take a long time to complete sufficient time to do so. :gl:`#4046` + +- The statistics channel now includes information about incoming zone + transfers that are currently in progress. 
:gl:`#3883` + +- Information on incoming zone transfers in the statistics channel now + also shows the zones' "first refresh" flag, which indicates that a zone + is not fully ready and that its first ever refresh is pending or is in + progress. The number of such zones is now also exposed by the + :option:`rndc status` command. :gl:`#4241` + +- Added a new statistics variable ``recursive high-water`` that reports + the maximum number of simultaneous recursive clients BIND has handled + while running. :gl:`#4668` + +- A new command, :option:`rndc fetchlimit`, prints a list of name server + addresses that are currently rate-limited due to + :any:`fetches-per-server` and domain names that are rate-limited due + to :any:`fetches-per-zone`. :gl:`#665` + +- Queries and responses now emit distinct dnstap entries for DNS-over-TLS + (DoT) and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands + these entries. :gl:`#4523` + +- :iscman:`dnstap-read` can now print long timestamps with millisecond + precision. :gl:`#2360` + +- Support for libsystemd's ``sd_notify()`` function was added, enabling + :iscman:`named` to report its status to the init system. This allows + systemd to wait until :iscman:`named` is fully ready before starting + other services that depend on name resolution. :gl:`#1176` + +- Support for User Statically Defined Tracing (USDT) probes has been + added. These probes enable fine-grained application tracing and + introduce no overhead when they are not enabled. :gl:`#4041` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Support for Red Hat Enterprise Linux version 7 (and clones) has been + dropped. A C11-compliant compiler is now required to compile BIND 9. + :gl:`#3729` + +- Compiling with `jemalloc`_ versions older than 4.0.0 is no longer + supported; those versions do not provide the features required by + current BIND 9 releases. :gl:`#4296` + +- The ``auto-dnssec`` configuration statement has been removed. 
Please + use :any:`dnssec-policy` or manual signing instead. + See article `how to migrate `_ + from ``auto-dnssec`` to :any:`dnssec-policy`. + + The following + statements have become obsolete: :any:`dnskey-sig-validity`, + :any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`, + :any:`sig-validity-interval`, and :any:`update-check-ksk`. + :gl:`#3672` + +- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no + longer trigger key rollovers and denial-of-existence operations. This + also means that the :any:`dnssec-secure-to-insecure` option has been + obsoleted. :gl:`#3686` + +- The ``glue-cache`` *option* has been removed. The glue cache *feature* + still works and is now permanently *enabled*. :gl:`#2147` + +- Configuring the control channel to use a Unix domain socket has been a + fatal error since BIND 9.18. The feature has now been completely + removed and :iscman:`named-checkconf` now reports it as a + configuration error. :gl:`#4311` + +- The statements setting alternate local addresses for inbound zone + transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and + ``use-alt-transfer-source``) have been removed. :gl:`#3714` + +- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval`` + statements have been removed. Using them is now a fatal error. + :gl:`#4405` + +- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` + values, when the feature is turned on. When using a non-zero value, + :iscman:`named` now generates a warning log message, and treats the + value as ``0``. :gl:`#4447` + +- The Differentiated Services Code Point (DSCP) feature has been + removed: configuring DSCP values in ``named.conf`` is now a + configuration error. :gl:`#3789` + +- The ``keep-response-order`` option has been declared obsolete and the + functionality has been removed. :iscman:`named` expects DNS clients to + be fully compliant with :rfc:`7766`. 
:gl:`#3140` + +- Zone type ``delegation-only``, and the ``delegation-only`` and + ``root-delegation-only`` statements, have been removed. Using them is + a configuration error. + + These statements were created to address the SiteFinder controversy, + in which certain top-level domains redirected misspelled queries to + other sites instead of returning NXDOMAIN responses. Since top-level + domains are now DNSSEC-signed, and DNSSEC validation is active by + default, the statements are no longer needed. :gl:`#3953` + +- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options + have been removed. The limits these options set should be enforced + externally, either by manual configuration (e.g. using ``ulimit``) or + via the process supervisor (e.g. ``systemd``). :gl:`#3676` + +- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm + aes;``) has been removed. The only supported DNS COOKIE algorithm is + now the current default, SipHash-2-4. :gl:`#4421` + +- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been + removed and using TKEY Mode 2 is now a fatal error. Users are advised + to switch to TKEY Mode 3 (GSS-API). :gl:`#3905` + +- Special-case code that was originally added to allow GSS-TSIG to work + around bugs in the Windows 2000 version of Active Directory has now + been removed, since Windows 2000 is long past end-of-life. The + :option:`-o ` option and the ``oldgsstsig`` command to + :iscman:`nsupdate` have been deprecated, and are now treated as + synonyms for :option:`-g ` and ``gsstsig`` respectively. + :gl:`#4012` + +- Support for the ``lock-file`` statement and the ``named -X`` + command-line option has been removed. An external process supervisor + should be used instead. 
:gl:`#4391` + + Alternatively, the ``flock`` utility (part of util-linux) can be used + on Linux systems to achieve the same effect as ``lock-file`` or + ``named -X``: + + :: + + flock -n -x /named.lock /named + +- The :iscman:`named` command-line option :option:`-U `, which + specified the number of UDP dispatches, has been removed. Using it now + returns a warning. :gl:`#1879` + +- The ``--with-tuning`` option for ``configure`` has been removed. Each + of the compile-time settings that required different values based on + the "workload" (which were previously affected by the value of the + ``--with-tuning`` option) has either been removed or changed to a + sensible default. :gl:`#3664` + +- The functions that were in the ``libbind9`` shared library have been + moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty + ``libbind9`` has been removed and is no longer installed. :gl:`#3903` + +- The ``irs_resconf`` module has been moved to the ``libdns`` shared + library. The now-empty ``libirs`` library has been removed and is no + longer installed. :gl:`#3904` + +.. _`jemalloc`: https://jemalloc.net/ + +Deprecated Features +~~~~~~~~~~~~~~~~~~~ + +Features listed in this section still work but are scheduled for eventual +removal. + +- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options` + and :namedconf:ref:`zone` blocks has been deprecated; it should now be + configured as part of :any:`dnssec-policy`. A warning is logged if + this option is used in :namedconf:ref:`options` or :any:`zone` blocks. + In a future release, it will become nonoperational. :gl:`#2918` + +- The :any:`sortlist` option has been deprecated and will be removed in a + future BIND 9.21.x release. Users should not rely on a specific order + of resource records in DNS messages. 
:gl:`#4593` + +- The ``fixed`` value for the :any:`rrset-order` option and the + corresponding ``configure`` script option have been deprecated and will + be removed in a future BIND 9.21.x release. Users should not rely on a + specific order of resource records in DNS messages. :gl:`#4446` + +Feature Changes +~~~~~~~~~~~~~~~ + +- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data + structures. :gl:`#3934` + +- On Linux, `libcap`_ is now a required dependency to help :iscman:`named` + keep needed privileges. :gl:`#3583` + +- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. + libuv should be available on all supported platforms either as a + native package or as a backport. :gl:`#3567` + +- Outgoing zone transfers are no longer enabled by default. An explicit + :any:`allow-transfer` ACL must now be set at the :any:`zone`, + :any:`view`, or :namedconf:ref:`options` level to enable outgoing + transfers. :gl:`#4728` + +- DNS zones signed using :any:`dnssec-policy` now automatically detect + their parent servers, and BIND queries them to check the content of the + DS RRset. This allows DNSSEC key rollovers to safely and automatically + proceed when the parent zone is updated with new DNSSEC keys, i.e. + using the CDS/CDNSKEY mechanism. This behavior is facilitated by the + new :any:`checkds` feature, which automatically populates + :any:`parental-agents` by resolving the parent NS records. These parent + name servers are queried to check the DS RRset during a KSK rollover + initiated by :any:`dnssec-policy`. :gl:`#3901` + +- The responsiveness of :iscman:`named` was improved, when serving as an + authoritative DNS server for a delegation-heavy zone(s) shortly after + loading such zone(s). :gl:`#4045` + +- To improve query-processing latency under load, the uninterrupted time + spent on resolving long chains of cached domain names has been + reduced. 
:gl:`#4185` + +- QNAME minimization is now used when looking up the addresses of name + servers during the recursive resolution process. :gl:`#4209` + +- BIND now returns BADCOOKIE for out-of-date or otherwise bad but + well-formed DNS server cookies. :gl:`#4194` + +- The DNS name compression algorithm used in BIND 9 has been revised: it + now compresses more thoroughly than before, so responses containing + names with many labels might have a smaller encoding than before. + :gl:`#3661` + +- Processing large incremental transfers (IXFR) has been offloaded to a + separate work thread so that it does not prevent networking threads + from processing regular traffic in the meantime. :gl:`#4367` + +- Querying the statistics channel no longer blocks DNS communication on + the networking event loop level. :gl:`#4680` + +- The :any:`inline-signing` zone option is now ignored if there is no + :any:`dnssec-policy` configured for the zone. This means that unsigned + zones no longer create redundant signed versions of the zone. + :gl:`#4349` + +- The :any:`inline-signing` statement can now also be set inside + :any:`dnssec-policy`. The built-in policies ``default`` and + ``insecure`` enable the use of :any:`inline-signing`. If + :any:`inline-signing` is set at the ``zone`` level, it overrides the + value set in :any:`dnssec-policy`. :gl:`#3677` + +- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only + allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using + NSEC3 that the policy manages. :gl:`#4363` + +- The maximum number of NSEC3 iterations allowed for validation purposes + has been lowered from 150 to 50. DNSSEC responses containing NSEC3 + records with iteration counts greater than 50 are now treated as + insecure. :gl:`#4363` + +- The ``dnssec-validation yes`` option now requires an explicitly + configured :any:`trust-anchors` statement. 
If using manual trust + anchors is not operationally required, then please consider using + ``dnssec-validation auto`` instead. :gl:`#4373` + +- :iscman:`named-compilezone` no longer performs zone integrity checks + by default; this allows faster conversion of a zone file from one + format to another. :gl:`#4364` + + Zone checks can be performed by running :iscman:`named-checkzone` + separately, or the previous default behavior can be restored by using: + + :: + + named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail + +- The red-black tree data structure used in the RBTDB (the default + database implementation for cache and zone databases), has been + replaced with QP-tries. This is expected to improve performance and + scalability, though in the current implementation large zones require + roughly 15% more memory than the old red-black tree data structure. + + A side effect of this change is that zone files that are created with + :any:`masterfile-style` ``relative`` - for example, the output of + :any:`dnssec-signzone` - will no longer have multiple different + `$ORIGIN` statements. There should be no other changes to server + behavior. + + The old RBT-based database still exists for now, and can be used by + specifying ``database rbt`` in a ``zone`` statement in ``named.conf``, + or by compiling with ``configure --with-zonedb=rbt + --with-cachedb=rbt``. :gl:`#4411` :gl:`#4614` + +- Multiple RNDC messages are now processed when sent in a single TCP + message. + + ISC would like to thank Dominik Thalhammer for reporting the issue and + preparing the initial patch. :gl:`#4416` + +- The DNSSEC signing data included in zone statistics identified + keys only by the key ID; this caused confusion when two keys using + different algorithms had the same ID. Zone statistics now identify + keys using the algorithm number, followed by "+", followed by the + key ID: for example, ``8+54274``. 
:gl:`#3525` + +- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was + previously set to 0. It is now changed to match the SOA MINIMUM value + for the given zone. :gl:`#3570` + +- On startup, :iscman:`named` now sets the limit on the number of open + files to the maximum allowed by the operating system, instead of + trying to set it to "unlimited". :gl:`#3676` + +- When an international domain name is not valid according to IDNA2008, + :iscman:`dig` now tries to convert it according to IDNA2003 rules, or + pass it through unchanged, instead of stopping with an error message. + The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527` + +- The memory statistics have been reduced to a single counter, + ``InUse``; ``Malloced`` is an alias that holds the same value. The + other counters were usable with the old BIND 9 internal memory + allocator, but they are unnecessary now that the latter has been + removed. :gl:`#3718` + +- The log message ``resolver priming query complete`` has been moved + from the INFO log level to the DEBUG(1) log level, to prevent + :iscman:`delv` from emitting that message when setting up its internal + resolver. :gl:`#3842` + +- Worker threads' event loops are now managed by a new "loop manager" + API, significantly changing the architecture of the task, timer, and + networking subsystems for improved performance and code flow. + :gl:`#3508` + +- The code for DNS over TCP and DNS over TLS transports has been + replaced with a new, unified transport implementation. :gl:`#3374` + +.. _`liburcu`: https://liburcu.org/ +.. _`libcap`: https://sites.google.com/site/fullycapable/ + +Bug Fixes +~~~~~~~~~ + +- When the same :any:`notify-source` address and port number was + configured for multiple destinations and zones, an unresponsive server + could tie up the relevant network socket until it timed out; in the + meantime, NOTIFY messages for other servers silently failed. 
+ :iscman:`named` will now retry sending such NOTIFY messages over TCP. + Furthermore, NOTIFY failures are now logged at the INFO level. + :gl:`#4001` :gl:`#4002` + +- DNS compression is no longer applied to the root name (``.``) if it is + repeatedly used in the same RRset. :gl:`#3423` + +- :iscman:`named` could incorrectly return non-truncated, glueless + referrals for responses whose size was close to the UDP packet size + limit. This has been fixed. :gl:`#1967` + +Known Issues +~~~~~~~~~~~~ + +- On some platforms, including FreeBSD, :iscman:`named` must be run as + root to use the :iscman:`rndc` control channel on a privileged port + (i.e., with a port number less than 1024; this includes the default + :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the + :option:`named -u` option to switch to an unprivileged user makes + :iscman:`rndc` unusable. This will be fixed in a future release; in + the meantime, ``mac_portacl`` can be used as a workaround, as + documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793` + +- See :ref:`above ` for a list of all known issues + affecting this BIND 9 branch. diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index e6622d56bed..3084fbb2430 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst 
@@ -14,27 +14,11 @@ Known Issues ------------ -- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may - require a manual configuration change. The following configurations - are affected: - - - :any:`type primary` zones configured with :any:`dnssec-policy` but - without either :any:`allow-update` or :any:`update-policy`, - - :any:`type secondary` zones configured with :any:`dnssec-policy`. - - In these cases please add :namedconf:ref:`inline-signing yes; - ` to the individual zone configuration(s). Without - applying this change, :iscman:`named` will fail to start. For more - details, see - https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing - -- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT - be inspected when verifying a remote certificate while establishing a - DNS-over-TLS connection. Only ``subjectAltName`` must be checked - instead. Unfortunately, some quite old versions of cryptographic - libraries might lack the ability to ignore the ``Subject`` field. This - should have minimal production-use consequences, as most of the - production-ready certificates issued by certificate authorities will - have ``subjectAltName`` set. In such cases, the ``Subject`` field is - ignored. Only old platforms are affected by this, e.g. those supplied - with OpenSSL versions older than 1.1.1. :gl:`#3163` +- On some platforms, including FreeBSD, :iscman:`named` must be run as + root to use the :iscman:`rndc` control channel on a privileged port + (i.e., with a port number less than 1024; this includes the default + :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the + :option:`named -u` option to switch to an unprivileged user makes + :iscman:`rndc` unusable. This will be fixed in a future release; in + the meantime, ``mac_portacl`` can be used as a workaround, as + documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793`
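Review bot: the ``flock`` example in the ``lock-file`` removal item passes ``/named.lock`` and ``/named`` as literal root-level paths, so as it reads here a copy-paste would create the lock in ``/`` and look for the binary at ``/named``; use recognizable placeholders (for example ``/run/named/named.lock`` and ``/usr/sbin/named``) and add that the lock file must live in a directory writable only by the account that runs ``named``, because ``flock -n -x`` fails immediately when another process already holds the lock, so a world-writable lock location lets any local user pre-create and hold the file and keep the server from starting. In the same hunk several RST role targets appear empty in this rendering (``:option:`-o ```, ``:option:`-g ```, ``:ref:`above ```, and the ``how to migrate`` link has no URL); verify the angle-bracket targets are present in the committed file, otherwise Sphinx will warn and the rendered notes will carry dead references.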
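Review bot: the FreeBSD privileged-port ``rndc`` item is added word for word both to the new Known Issues section of ``doc/arm/notes.rst`` and to ``doc/notes/notes-known-issues.rst``, while the closing ``See :ref:`above``` sentence in notes.rst already directs readers to the branch-wide list; keeping two identical copies means they will drift on the next edit, so leave the item only in notes-known-issues.rst. Since the text itself identifies the port below 1024 as the trigger, also mention that configuring the control channel on a port above 1023 (in the ``controls`` statement and the matching ``rndc`` ``port``) avoids the problem without ``mac_portacl``. Finally, the hunk deletes the inline-signing upgrade note and the RFC 8310 ``Subject``-field caveat with no explanation; a short sentence in the commit message (or in the 9.20 notes) on why each no longer applies to this branch would help operators who still have the old configurations.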