--- /dev/null
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+(-dev)
+------
+
+New Features
+~~~~~~~~~~~~
+
+- Log query response status to the query log. ``cee11c8610f``
+
+ Log a query response summary using the new category `responses`.
+ Logging can be controlled by the option `responselog` and `rndc
+ responselog`. :gl:`#459` :gl:`!9526`
+
+- Added WALLET type. ``dad3fafe9eb``
+
+ Add the new record type WALLET (262). This provides a mapping from a
+ domain name to a cryptographic currency wallet. Multiple mappings can
+ exist if multiple records exist. :gl:`#4947` :gl:`!9554`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Set logging category for notify/xfer-in related messages.
+ ``1f553c61f76``
+
+ Some 'notify' and 'xfer-in' related log messages were logged at the
+ 'general' category instead of their own category. This has been fixed.
+ :gl:`#2730` :gl:`!9514`
+
+- Restore the number of threadpool threads back to original value.
+ ``a0eada53883``
+
+ The issue of long-running operations potentially blocking query
+ resolution has been fixed. Revert this temporary workaround and
+ restore the number of threadpool threads. :gl:`#4898` :gl:`!9532`
+
+- Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS. ``30c4cbd4035``
+
+ This change allows fallback from an IXFR failure to AXFR when the
+ reason is `DNS_R_TOOMANYRECORDS`. This is because this error condition
+ could be temporary only in an intermediate version of IXFR
+ transactions and it's possible that the latest version of the zone
+ doesn't have that condition. In such a case, the secondary would never
+ be able to update the zone (even if it could) without this fallback.
+
+ This fallback behavior is particularly useful with the recently
+ introduced `max-records-per-type` and `max-types-per-name` options:
+ the primary may not have these limitations and may temporarily
+ introduce "too many" records, breaking IXFR. If the primary side
+ subsequently deletes these records, this fallback will help recover
+ the zone transfer failure automatically; without it, the secondary
+ side would first need to increase the limit, which requires more
+ operational overhead and has its own adverse effect. :gl:`#4928`
+ :gl:`!9471`
+
+- Remove statslock from dnssec-signzone. ``12eb16186ff``
+
+ Silence Coverity CID 468757 and 468767 (DATA RACE read not locked) by
+ converting dnssec-signzone to use atomics for statistics counters
+ rather than using a lock. :gl:`#4939` :gl:`!9500`
+
+- Use release memory ordering when incrementing reference counter.
+ ``19e3cd0cd2c``
+
+ As the relaxed memory ordering doesn't ensure any memory
+ synchronization, it is possible that the increment will succeed even
+ in the case when it should not - there is a race between
+ atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
+ Only the result is consistent, but the previous value for both calls
+ could be same when both calls are executed at the same time.
+ :gl:`!9567`
+
+Bug Fixes
+~~~~~~~~~
+
+- Fix a statistics channel counter bug when 'forward only' zones are
+ used. ``2287dc0ac0d``
+
+ When resolving a zone with a 'forward only' policy, and finding out
+ that all the forwarders are marked as "bad", the 'ServerQuota' counter
+ of the statistics channel was incorrectly increased. This has been
+ fixed. :gl:`#1793` :gl:`!9502`
+
+- Fix a bug in the static-stub implementation. ``72626cf9405``
+
+ Static-stub addresses and addresses from other sources were being
+ mixed together, resulting in static-stub queries going to addresses
+ not specified in the configuration, or alternatively, static-stub
+ addresses being used instead of the correct server addresses.
+ :gl:`#4850` :gl:`!9571`
+
+- Don't allow statistics-channel if libxml2 and libjson-c are
+ unsupported. ``02822b70eee``
+
+ When the libxml2 and libjson-c libraries are not supported, the
+ statistics channel can't return anything useful, so it is now
+ disabled. Use of `statistics-channel` in `named.conf` is a fatal
+ error. :gl:`#4895` :gl:`!9486`
+
+- Separate DNSSEC validation from the long-running tasks.
+ ``c0022f68025``
+
+ As part of the KeyTrap \[CVE-2023-50387\] mitigation, the DNSSEC CPU-
+ intensive operations were offloaded to a separate threadpool that we
+ use to run other tasks that could affect the networking latency.
+
+ If that threadpool is running some long-running tasks like RPZ,
+ catalog zone processing, or zone file operations, it would delay
+ DNSSEC validations to a point where the resolving signed DNS records
+ would fail.
+
+ Split the CPU-intensive and long-running tasks into separate
+ threadpools in a way that the long-running tasks don't block the CPU-
+ intensive operations. :gl:`#4898` :gl:`!9495`
+
+- Fix assertion failure when processing access control lists.
+ ``a15d975dbe2``
+
+ The named process could terminate unexpectedly when processing access
+ control lists (ACLs). This has been fixed. :gl:`#4908` :gl:`!9466`
+
+- Fix bug in Offline KSK that is using ZSK with unlimited lifetime.
+ ``3f115d3cdae``
+
+ If the ZSK has unlimited lifetime, the timing metadata "Inactive" and
+ "Delete" cannot be found and is treated as an error, preventing the
+ zone to be signed. This has been fixed. :gl:`#4914` :gl:`!9453`
+
+- Fix data race in offloaded dns_message_checksig() ``3b5c4f94d70``
+
+ When verifying a message in an offloaded thread there is a race with
+ the worker thread which writes to the same buffer. Clone the message
+ buffer before offloading. :gl:`#4929` :gl:`!9490`
+
+- Limit the outgoing UDP send queue size. ``251b90c25e0``
+
+ If the operating system UDP queue gets full and the outgoing UDP
+ sending starts to be delayed, BIND 9 could exhibit memory spikes as it
+ tries to enqueue all the outgoing UDP messages. Try a bit harder to
+ deliver the outgoing UDP messages synchronously and if that fails,
+ drop the outgoing DNS message that would get queued up and then
+ timeout on the client side. :gl:`#4930` :gl:`!9511`
+
+- Do not set SO_INCOMING_CPU. ``6c9f3d0d1ed``
+
+ We currently set SO_INCOMING_CPU incorrectly, and testing by Ondrej
+ shows that fixing the issue by setting affinities is worse than
+ letting the kernel schedule threads without constraints. So we should
+ not set SO_INCOMING_CPU anymore. :gl:`#4936` :gl:`!9504`
+
+- Fix the 'rndc dumpdb' command's error reporting. ``d35f654d674``
+
+ The 'rndc dumpdb' command wasn't reporting errors which occurred when
+ starting up the database dump process by named, like, for example, a
+ permission denied error for the 'dump-file' file. This has been fixed.
+ Note, however, that 'rndc dumpdb' performs asynchronous writes, so
+ errors can also occur during the dumping process, which will not be
+ reported back to 'rndc', but which will still be logged by named.
+ :gl:`#4944` :gl:`!9553`
+
+- Fix long-running incoming transfers. ``c5cadd29d87``
+
+ Incoming transfers that took longer than 30 seconds would stop reading
+ from the TCP stream and the incoming transfer would be indefinitely
+ stuck causing BIND 9 to hang during shutdown.
+
+ This has been fixed and the `max-transfer-time-in` and `max-transfer-
+ idle-in` timeouts are now honoured. :gl:`#4949` :gl:`!9536`
+
+- Fix assertion failure when receiving DNS responses over TCP.
+ ``e2058ab4619``
+
+ When matching the received Query ID in the TCP connection, an invalid
+ received Query ID can very rarely cause assertion failure. :gl:`#4952`
+ :gl:`!9582`
+
+- Don't ignore the local port number in dns_dispatch_add() for TCP.
+ ``97fad455d73``
+
+ The dns_dispatch_add() function registers the 'resp' entry in
+ 'disp->mgr->qids' hash table with 'resp->port' being 0, but in
+ tcp_recv_success(), when looking up an entry in the hash table after a
+ successfully received data the port is used, so if the local port was
+ set (i.e. it was not 0) it fails to find the entry and results in an
+ unexpected error.
+
+ Set the 'resp->port' to the given local port value extracted from
+ 'disp->local'. :gl:`#4969` :gl:`!9581`
+
+- Add a missing rcu_read_unlock() call on exit path. ``5db2ec07395``
+
+ An exit path in the dns_dispatch_add() function fails to get out of
+ the RCU critical section when returning early. Add the missing
+ rcu_read_unlock() call. :gl:`!9564`
+
+- Don't enable REUSEADDR on outgoing UDP sockets. ``a6692e793c3``
+
+ The outgoing UDP sockets enabled `SO_REUSEADDR` that allows sharing of
+ the UDP sockets, but with one big caveat - the socket that was opened
+ the last would get all traffic. The dispatch code would ignore the
+ invalid responses in the dns_dispatch, but this could lead to
+ unexpected results. :gl:`!9583`
+
+
projects / thirdparty / bind9.git / commitdiff
