development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
+(-dev)
+------
+
+New Features
+~~~~~~~~~~~~
+
+- Tighten 'max-recursion-queries' and add 'max-query-restarts' option.
+ ``f202937078f``
+
+ There were cases in resolver.c when the `max-recursion-queries` quota
+ was ineffective. It was possible to craft zones that would cause a
+ resolver to waste resources by sending excessive queries while
+ attempting to resolve a name. This has been addressed by correcting
+ errors in the implementation of `max-recursion-queries`, and by
+ reducing the default value from 100 to 32.
+
+ In addition, a new `max-query-restarts` option has been added which
+ limits the number of times a recursive server will follow CNAME or
+ DNAME records before terminating resolution. This was previously a
+ hard-coded limit of 16, and now defaults to 11. :gl:`#4741`
+ :gl:`!9281`
+
+- Implement rndc retransfer -force. ``34589811c59``
+
+ A new optional argument '-force' has been added to the command channel
+ command 'rndc retransfer'. When it is specified, named aborts the
+ ongoing zone transfer (if there is one), and starts a new transfer.
+ :gl:`#2299` :gl:`!9102`
+
+- Add support for external log rotation tools. ``5ff1fbe1550``
+
+ Add two mechanisms to close open log files. The first is `rndc
+ closelogs`. The second is `kill -USR1 <pid>`. They are intended to be
+ used with external log rotation tools. :gl:`#4780` :gl:`!9113`
+
+- Generate changelog from git log. ``a64ecc5fdd8``
+
+ Use a single source of truth, the git log, to generate the list of
+ CHANGES. Use the .rst format and include it in the ARM for a quick
+ reference with proper gitlab links to issues and merge requests.
+ :gl:`#75` :gl:`!9152`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Use only c23 or c11 noreturn specifiers. ``cd92a145a36``
+
+ Use `[[noreturn]]` when compiling with C23 or greater.
+
+ The attribute macro name has been capitalized as `NORETURN` as
+ defining it as `noreturn` breaks external headers. `#define noreturn
+ __attribute__((noreturn))` wasn't used as C11's
+ `stdnoreturn.h`/`_Noreturn` is required to build BIND9 in the first
+ place. :gl:`!9149`
+
+- Initialize the DST subsystem implicitly. ``7f2513a5aa8``
+
+ Instead of calling dst_lib_init() and dst_lib_destroy() explicitly by
+ all the programs, create a separate memory context for the DST
+ subsystem and use the library constructor and destructor to initialize
+ the DST internals. :gl:`!9254`
+
+- Remove OpenSSL 1.x Engine support. ``b620b7e9118``
+
+ The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x
+ and is going to be removed from the upstream OpenSSL. Remove the
+ OpenSSL Engine support from BIND 9 in favor of OpenSSL 3.x Providers.
+ :gl:`#4828` :gl:`!9252`
+
+- Fix the rsa exponent to 65537. ``5fafb0e7f7b``
+
+ There isn't a realistic reason to ever use e = 4294967297. Fortunately
+ its codepath wasn't reachable to users and can be safetly removed.
+
+ Keep in mind the `dns_key_generate` header comment was outdated. e = 3
+ hasn't been used since 2006 so there isn't a reason to panic. The
+ toggle was the public exponents between 65537 and 4294967297.
+ :gl:`!9133`
+
+- Remove the crc64 implementation. ``9397251eb32``
+
+ CRC-64 has been added for map files. Now that the map file format has
+ been removed, there isn't a reason to keep the implementation.
+ :gl:`!9135`
+
+- Call rcu_barrier() in the isc_mem_destroy() just once. ``dcee04f70cb``
+
+ The previous work in this area was led by the belief that we might be
+ calling call_rcu() from within call_rcu() callbacks. After carefully
+ checking all the current callback, it became evident that this is not
+ the case and the problem isn't enough rcu_barrier() calls, but
+ something entirely else.
+
+ Call the rcu_barrier() just once as that's enough and the multiple
+ rcu_barrier() calls will not hide the real problem anymore, so we can
+ find it. :gl:`!9134`
+
+- Require at least OpenSSL 1.1.1. ``96ccd962b72``
+
+ OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now
+ required to compile BIND 9. :gl:`#2806` :gl:`!9110`
+
+- Don't open route socket if we don't need it. ``246d5ccbc9c``
+
+ When automatic-interface-scan is disabled, the route socket was still
+ being opened. Add new API to connect / disconnect from the route
+ socket only as needed.
+
+ Additionally, move the block that disables periodic interface rescans
+ to a place where it actually have access to the configuration values.
+ Previously, the values were being checked before the configuration was
+ loaded. :gl:`#4757` :gl:`!9122`
+
+- Clarify that cds_wfcq_dequeue_blocking() doesn't block if empty.
+ ``afe406be395``
+
+ :gl:`!9124`
+
+- Allow shorter resolver-query-timeout configuration. ``1661278b343``
+
+ The minimum allowed value of 'resolver-query-timeout' was lowered to
+ 301 milliseconds instead of the earlier 10000 milliseconds (which is
+ the default). As earlier, values less than or equal to 300 are
+ converted to seconds before applying the limit. :gl:`#4320`
+ :gl:`!9091`
+
+- Replace #define DNS_GETDB_ with struct of bools. ``020fda92b4b``
+
+ Replace #define DNS_GETDB_ with struct of bools to make it easier to
+ pretty-print the attributes in a debugger. :gl:`#4559` :gl:`!9093`
+
+- Fix data race in clean_finds_at_name. ``0dcc93d87a8``
+
+ Stop updating `find.result_v4` and `find.result_v4` in
+ `clean_finds_at_name`. The values are supposed to be
+ static. :gl:`#4118` :gl:`!9108`
+
+Bug Fixes
+~~~~~~~~~
+
+- Reconfigure catz member zones during named reconfiguration.
+ ``acfa5b28f91``
+
+ During a reconfiguration named wasn't reconfiguring catalog zones'
+ member zones. This has been fixed. :gl:`#4733`
+
+- Move the dst__openssl_toresult to isc_tls unit. ``9e7cd68d9fe``
+
+ Since the enable_fips_mode() now resides inside the isc_tls unit, BIND
+ 9 would fail to compile when FIPS mode was enabled as the DST
+ subsystem logging functions were missing.
+
+ Move the crypto library logging functions from the openssl_link unit
+ to isc_tls unit and enhance it, so it can now be used from both places
+ keeping the old dst__openssl_toresult* macros alive. :gl:`!9286`
+
+- Disassociate the SSL object from the cached SSL_SESSION.
+ ``1d1bc3a1485``
+
+ When the SSL object was destroyed, it would invalidate all SSL_SESSION
+ objects including the cached, but not yet used, TLS session objects.
+
+ Properly disassociate the SSL object from the SSL_SESSION before we
+ store it in the TLS session cache, so we can later destroy it without
+ invalidating the cached TLS sessions. :gl:`#4834` :gl:`!9271`
+
+- Attach/detach to the listening child socket when accepting TLS.
+ ``ee00bddf94f``
+
+ When TLS connection (TLSstream) connection was accepted, the children
+ listening socket was not attached to sock->server and thus it could
+ have been freed before all the accepted connections were actually
+ closed.
+
+ In turn, this would cause us to call isc_tls_free() too soon - causing
+ cascade errors in pending SSL_read_ex() in the accepted connections.
+
+ Properly attach and detach the children listening socket when
+ accepting and closing the server connections. :gl:`#4833` :gl:`!9270`
+
+- Fix --enable-tracing build on systems without dtrace. ``ced1eb358da``
+
+ Missing file util/dtrace.sh prevented builds on system without dtrace
+ utility. This has been corrected.
+
+- Make hypothesis optional for system tests. ``5dd3c416760``
+
+ Ensure that system tests can be executed without Python hypothesis
+ package. :gl:`#4831` :gl:`!9265`
+
+- Dig now reports missing query section for opcode QUERY.
+ ``7facf967aca``
+
+ Query responses should contain the question section with some
+ exceptions. Dig was not reporting this. :gl:`#4808` :gl:`!9233`
+
+- Fix assertion failure in the glue cache. ``227add4c3eb``
+
+ Fix an assertion failure that could happen as a result of data race
+ between free_gluetable() and addglue() on the same headers.
+ :gl:`#4691` :gl:`!9126`
+
+- Don't use 'create' flag unnecessarily in findnode() ``a26055f03ec``
+
+ when searching the cache for a node so that we can delete an rdataset,
+ it isn't necessary to set the 'create' flag. if the node doesn't exist
+ yet, we won't be able to delete anything from it anyway. :gl:`!9158`
+
+- Raise the log level of priming failures. ``6573276bada``
+
+ When a priming query is complete, it's currently logged at level
+ ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising
+ it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516`
+ :gl:`!9121`
+
+- Fix assertion failure when checking named-checkconf version.
+ ``00739e99f67``
+
+ Checking the version of `named-checkconf` would end with assertion
+ failure. This has been fixed. :gl:`#4827` :gl:`!9243`
+
+- Valid TSIG signatures with invalid time cause crash. ``7a705a3ea4e``
+
+ An assertion failure triggers when the TSIG has valid cryptographic
+ signature, but the time is invalid. This can happen when the times
+ between the primary and secondary servers are not synchronised.
+ :gl:`#4811` :gl:`!9234`
+
+- Don't skip the counting if fcount_incr() is called with force==true.
+ ``026024a6aed``
+
+ The fcount_incr() was incorrectly skipping the accounting for the
+ fetches-per-zone if the force argument was set to true. We want to
+ skip the accounting only when the fetches-per-zone is completely
+ disabled, but for individual names we need to do the accounting even
+ if we are forcing the result to be success. :gl:`#4786` :gl:`!9115`
+
+- Remove superfluous memset() in isc_nmsocket_init() ``4c363393ff1``
+
+ The tlsstream part of the isc_nmsocket_t gets initialized via
+ designater initializer and doesn't need the extra memset() later; just
+ remove it. :gl:`!9120`
+
+- Fix PTHREAD_MUTEX_ADAPTIVE_NP and PTHREAD_MUTEX_ERRORCHECK_NP usage.
+ ``4efdb8b00a0``
+
+ The PTHREAD_MUTEX_ADAPTIVE_NP and PTHREAD_MUTEX_ERRORCHECK_NP are
+ usually not defines, but enum values, so simple preprocessor check
+ doesn't work.
+
+ Check for PTHREAD_MUTEX_ADAPTIVE_NP from the autoconf
+ AS_COMPILE_IFELSE block and define HAVE_PTHREAD_MUTEX_ADAPTIVE_NP.
+ This should enable adaptive mutex on Linux and FreeBSD.
+
+ As PTHREAD_MUTEX_ERRORCHECK actually comes from POSIX and Linux glibc
+ does define it when compatibility macros are being set, we can just
+ use PTHREAD_MUTEX_ERRORCHECK instead of PTHREAD_MUTEX_ERRORCHECK_NP.
+ :gl:`!9111`
+
+- Remove extra newline from yaml output. ``b9cbd3bc767``
+
+ I split this into two commits, one for the actual newline removal, and
+ one for issues I found, ruining the yaml output when some errors were
+ outputted.
+
+- CID 498025 and CID 498031: Overflowed constant INTEGER_OVERFLOW.
+ ``35d93624a56``
+
+ Add INSIST to fail if the multiplication would cause the variables to
+ overflow. :gl:`#4798` :gl:`!9131`
+
+- Remove unnecessary operations. ``33f4ee7c36c``
+
+ Decrementing optlen immediately before calling continue is unneccesary
+ and inconsistent with the rest of dns_message_pseudosectiontoyaml and
+ dns_message_pseudosectiontotext. Coverity was also reporting an
+ impossible false positive overflow of optlen (CID 499061).
+
+ 4176 } else if (optcode == DNS_OPT_CLIENT_TAG)
+ { 4177 uint16_t id; 4178
+ ADD_STRING(target, "; CLIENT-TAG:"); 4179
+ if (optlen == 2U) { 4180 id
+ = isc_buffer_getuint16(&optbuf); 4181
+ snprintf(buf, sizeof(buf), " %u\n", id); 4182
+ ADD_STRING(target, buf);
+
+ CID 499061: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW)
+ overflow_const: Expression optlen, which is equal to 65534, underflows
+ the type that receives it, an unsigned integer 16 bits wide. 4183
+ optlen -= 2; 4184
+ POST(optlen); 4185
+ continue; 4186 } 4187
+ } else if (optcode == DNS_OPT_SERVER_TAG) { :gl:`!9130`
+
+- Fix generation of 6to4-self name expansion from IPv4 address.
+ ``ea2a5909a56``
+
+ The period between the most significant nibble of the encoded IPv4
+ address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the
+ wrong name being checked. Add system test for 6to4-self
+ implementation. :gl:`#4766` :gl:`!9099`
+
+- Fix false QNAME minimisation error being reported. ``5857a4d3972``
+
+ Remove the false positive "success resolving" log message when QNAME
+ minimisation is in effect and the final result is NXDOMAIN.
+ :gl:`#4784` :gl:`!9117`
+
+- Dig +yaml was producing unexpected and/or invalid YAML output.
+ ``93d7d221bd9``
+
+ :gl:`#4796` :gl:`!9127`
+
+- SVBC alpn text parsing failed to reject zero length alpn.
+ ``0b56763df3f``
+
+ :gl:`#4775` :gl:`!9106`
+
+- Return SERVFAIL for a too long CNAME chain. ``89ab9e948d1``
+
+ When cutting a long CNAME chain, named was returning NOERROR instead
+ of SERVFAIL (alongside with a partial answer). This has been fixed.
+ :gl:`#4449` :gl:`!9090`
+
+- Properly calculate the amount of system memory. ``6427d625ea5``
+
+ On 32 bit machines isc_meminfo_totalphys could return an incorrect
+ value. :gl:`#4799` :gl:`!9132`
+
+- Update key lifetime and metadata after dnssec-policy reconfig.
+ ``d9d882816aa``
+
+ Adjust key state and timing metadata if dnssec-policy key lifetime
+ configuration is updated, so that it also affects existing keys.
+ :gl:`#4677` :gl:`!9118`
+
+
Changes prior to 9.20.0
-----------------------
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
-Notes for BIND 9.21.0
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- None.
+(-dev)
+------
New Features
~~~~~~~~~~~~
-- None.
+- Tighten 'max-recursion-queries' and add 'max-query-restarts' option.
+
+ There were cases in resolver.c when the `max-recursion-queries` quota
+ was ineffective. It was possible to craft zones that would cause a
+ resolver to waste resources by sending excessive queries while
+ attempting to resolve a name. This has been addressed by correcting
+ errors in the implementation of `max-recursion-queries`, and by
+ reducing the default value from 100 to 32.
+
+ In addition, a new `max-query-restarts` option has been added which
+ limits the number of times a recursive server will follow CNAME or
+ DNAME records before terminating resolution. This was previously a
+ hard-coded limit of 16, and now defaults to 11. :gl:`#4741`
+ :gl:`!9281`
+
+- Implement rndc retransfer -force.
-Removed Features
-~~~~~~~~~~~~~~~~
+ A new optional argument '-force' has been added to the command channel
+ command 'rndc retransfer'. When it is specified, named aborts the
+ ongoing zone transfer (if there is one), and starts a new transfer.
+ :gl:`#2299` :gl:`!9102`
-- None.
+- Add support for external log rotation tools.
+
+ Add two mechanisms to close open log files. The first is `rndc
+ closelogs`. The second is `kill -USR1 <pid>`. They are intended to be
+ used with external log rotation tools. :gl:`#4780` :gl:`!9113`
Feature Changes
~~~~~~~~~~~~~~~
-- None.
+- Remove OpenSSL 1.x Engine support.
+
+ The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x
+ and is going to be removed from the upstream OpenSSL. Remove the
+ OpenSSL Engine support from BIND 9 in favor of OpenSSL 3.x Providers.
+ :gl:`#4828` :gl:`!9252`
+
+- Require at least OpenSSL 1.1.1.
+
+ OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now
+ required to compile BIND 9. :gl:`#2806` :gl:`!9110`
+
+- Allow shorter resolver-query-timeout configuration.
+
+ The minimum allowed value of 'resolver-query-timeout' was lowered to
+ 301 milliseconds instead of the earlier 10000 milliseconds (which is
+ the default). As earlier, values less than or equal to 300 are
+ converted to seconds before applying the limit. :gl:`#4320`
+ :gl:`!9091`
Bug Fixes
~~~~~~~~~
-- None.
+- Reconfigure catz member zones during named reconfiguration.
+
+ During a reconfiguration named wasn't reconfiguring catalog zones'
+ member zones. This has been fixed. :gl:`#4733`
+
+- Fix --enable-tracing build on systems without dtrace.
+
+ Missing file util/dtrace.sh prevented builds on system without dtrace
+ utility. This has been corrected.
+
+- Dig now reports missing query section for opcode QUERY.
+
+ Query responses should contain the question section with some
+ exceptions. Dig was not reporting this. :gl:`#4808` :gl:`!9233`
+
+- Fix assertion failure in the glue cache.
+
+ Fix an assertion failure that could happen as a result of data race
+ between free_gluetable() and addglue() on the same headers.
+ :gl:`#4691` :gl:`!9126`
+
+- Raise the log level of priming failures.
+
+ When a priming query is complete, it's currently logged at level
+ ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising
+ it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516`
+ :gl:`!9121`
+
+- Fix assertion failure when checking named-checkconf version.
+
+ Checking the version of `named-checkconf` would end with assertion
+ failure. This has been fixed. :gl:`#4827` :gl:`!9243`
+
+- Valid TSIG signatures with invalid time cause crash.
+
+ An assertion failure triggers when the TSIG has valid cryptographic
+ signature, but the time is invalid. This can happen when the times
+ between the primary and secondary servers are not synchronised.
+ :gl:`#4811` :gl:`!9234`
+
+- Remove extra newline from yaml output.
+
+ I split this into two commits, one for the actual newline removal, and
+ one for issues I found, ruining the yaml output when some errors were
+ outputted.
+
+- Fix generation of 6to4-self name expansion from IPv4 address.
+
+ The period between the most significant nibble of the encoded IPv4
+ address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the
+ wrong name being checked. Add system test for 6to4-self
+ implementation. :gl:`#4766` :gl:`!9099`
+
+- Fix false QNAME minimisation error being reported.
+
+ Remove the false positive "success resolving" log message when QNAME
+ minimisation is in effect and the final result is NXDOMAIN.
+ :gl:`#4784` :gl:`!9117`
+
+- Dig +yaml was producing unexpected and/or invalid YAML output.
+
+ :gl:`#4796` :gl:`!9127`
+
+- SVBC alpn text parsing failed to reject zero length alpn.
+
+ :gl:`#4775` :gl:`!9106`
+
+- Return SERVFAIL for a too long CNAME chain.
+
+ When cutting a long CNAME chain, named was returning NOERROR instead
+ of SERVFAIL (alongside with a partial answer). This has been fixed.
+ :gl:`#4449` :gl:`!9090`
+
+- Properly calculate the amount of system memory.
+
+ On 32 bit machines isc_meminfo_totalphys could return an incorrect
+ value. :gl:`#4799` :gl:`!9132`
+
+- Update key lifetime and metadata after dnssec-policy reconfig.
+
+ Adjust key state and timing metadata if dnssec-policy key lifetime
+ configuration is updated, so that it also affects existing keys.
+ :gl:`#4677` :gl:`!9118`
Known Issues
~~~~~~~~~~~~
projects / thirdparty / bind9.git / commitdiff
