From: Michał Kępień Date: Mon, 11 Apr 2022 08:05:50 +0000 (+0200) Subject: Remove release notes applying to BIND 9.18.x X-Git-Tag: v9.19.0~2^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e4f775d1b32b9832ced318c2276f2b7521de2696;p=thirdparty%2Fbind9.git Remove release notes applying to BIND 9.18.x --- diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ae49ca4cec7..cfcee820a51 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -15,29 +15,7 @@ Notes for BIND 9.17.23 Security Fixes ~~~~~~~~~~~~~~ -- The rules for acceptance of records into the cache have been tightened - to prevent the possibility of poisoning if forwarders send records - outside the configured bailiwick. (CVE-2021-25220) - - ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from - Network and Information Security Lab, Tsinghua University, and - Changgen Zou from Qi An Xin Group Corp. for bringing this - vulnerability to our attention. :gl:`#2950` - -- TCP connections with ``keep-response-order`` enabled could leave the - TCP sockets in the ``CLOSE_WAIT`` state when the client did not - properly shut down the connection. (CVE-2022-0396) :gl:`#3112` - -- Lookups involving a DNAME could trigger an assertion failure when - ``synth-from-dnssec`` was enabled (which is the default). - (CVE-2022-0635) - - ISC would like to thank Vincent Levigneron from AFNIC for bringing - this vulnerability to our attention. :gl:`#3158` - -- When chasing DS records, a timed-out or artificially delayed fetch - could cause ``named`` to crash while resuming a DS lookup. - (CVE-2022-0667) :gl:`#3129` +- None. Known Issues ~~~~~~~~~~~~ @@ -72,10 +50,6 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- The IPv6 sockets are now explicitly restricted to sending and receiving IPv6 - packets only. This renders the :iscman:`dig` option ``+mapped`` non-functioning and - thus the option has been removed. :gl:`#3093` - - The ``keep-order-response`` option has been declared obsolete and the functionality has been removed. :iscman:`named` expects DNS clients to be fully compliant with :rfc:`7766`. :gl:`#3140` @@ -83,85 +57,9 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent - by a client are now included in the client information sent to DLZ - modules when processing queries. :gl:`#3082` - -- Add DEBUG(1) level messages when starting and ending BIND 9 task exclusive mode - that stops the normal DNS operation (f.e. for reconfiguration, interface - scans, and other events that require exclusive access to a shared resources). - :gl:`#3137` - -- The limit on the number of simultaneously processed pipelined DNS queries - received over TCP has been dropped. Previously, it was capped at 23 - queries processed at the same time. :gl:`#3141` - -- Add a new configuration option ``reuseport`` to disable - load balancing on sockets in scenarios in which processing of - Response Policy Zones (RPZ), Catalog Zones, or large zone transfers - can cause service disruptions. See the BIND 9 ARM for more detail. - :gl:`#3249` +- None. Bug Fixes ~~~~~~~~~ -- With libuv >= 1.37.0, the recvmmsg support would not be enabled in :iscman:`named` - reducing the maximum query-response performance. The recvmmsg support would - be used only in libuv 1.35.0 and 1.36.0. This has been fixed. :gl:`#3095` - -- A failed view configuration during a named reconfiguration procedure could - cause inconsistencies in BIND internal structures, causing a crash or other - unexpected errors. This has been fixed. :gl:`#3060` - -- Restore logging "quota reached" message when accepting connection is over - hard quota. :gl:`#3125` - -- Build errors were introduced in some DLZ modules due to an incomplete - change in the previous release. This has been fixed. :gl:`#3111` - -- An error in the processing of the ``blackhole`` ACL could cause some DNS - requests sent by :iscman:`named` to fail - for example, zone transfer requests - and SOA refresh queries - if the destination address or prefix was - specifically excluded from the ACL using ``!``, or if the ACL was set - to ``none``. ``blackhole`` worked correctly when it was left unset, or - if only positive-match elements were included. This has now been fixed. - :gl:`#3157` - -- TCP connections could hang indefinitely if the TCP write buffers - were full because of the other party not reading sent data. This has - been fixed by adding a "write" timer. Connections that are hung - while writing will now time out after the ``tcp-idle-timeout`` period - has elapsed. :gl:`#3132` - -- Client TCP connections are now closed immediately when data received - cannot be parsed as a valid DNS request. :gl:`#3149` - -- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options were - not implemented when the BIND 9 networking stack was refactored in 9.16. - The missing functionality has been re-implemented and outgoing zone - transfers now time out properly when not progressing. :gl:`#1897` - -- The statistics counter representing the current number of clients - awaiting recursive resolution results (``RecursClients``) could be - miscalculated in certain resolution scenarios, potentially causing the - value of the counter to drop below zero. This has been fixed. - :gl:`#3147` - -- Invalid dnssec-policy definitions were being accepted where the - defined keys did not cover both KSK and ZSK roles for a given - algorithm. This is now checked for and the dnssec-policy is - rejected if both roles are not present for all algorithms in use. - :gl:`#3142` - -- Handling of the TCP write timeouts has been improved to track timeout - for each TCP write separately leading to faster connection tear down - in case the other party is not reading the data. :gl:`#3200` - -- Zone maintenance DNS queries would retry forever while the - destination server was unreachable. These queries include outgoing - NOTIFY messages, refresh SOA queries, parental DS checks, and stub - zone NS queries. For example, if a zone has any nameservers with - IPv6 addresses and a secondary server without IPv6 connectivity, the - IPv4-only server would keep trying to send a growing amount of - NOTIFY traffic over IPv6. This futile traffic was not logged. - :gl:`#3242` +- None.