# flake8: noqa: E501
+from typing import List, Tuple
+
+from docutils import nodes
+from docutils.nodes import Node, system_message
+from docutils.parsers.rst import roles
+
+from sphinx import addnodes
+from sphinx.util.docutils import ReferenceRole
+
+
+GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/'
+
+
+# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
+class GitLabRefRole(ReferenceRole):
+ def __init__(self, base_url: str) -> None:
+ self.base_url = base_url
+ super().__init__()
+
+ def run(self) -> Tuple[List[Node], List[system_message]]:
+ gl_identifier = '[GL %s]' % self.target
+
+ target_id = 'index-%s' % self.env.new_serialno('index')
+ entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)]
+
+ index = addnodes.index(entries=entries)
+ target = nodes.target('', '', ids=[target_id])
+ self.inliner.document.note_explicit_target(target)
+
+ try:
+ refuri = self.build_uri()
+ reference = nodes.reference('', '', internal=False, refuri=refuri,
+ classes=['gl'])
+ if self.has_explicit_title:
+ reference += nodes.strong(self.title, self.title)
+ else:
+ reference += nodes.strong(gl_identifier, gl_identifier)
+ except ValueError:
+ error_text = 'invalid GitLab identifier %s' % self.target
+ msg = self.inliner.reporter.error(error_text, line=self.lineno)
+ prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+ return [prb], [msg]
+
+ return [index, target, reference], []
+
+ def build_uri(self):
+ if self.target[0] == '#':
+ return self.base_url + 'issues/%d' % int(self.target[1:])
+ if self.target[0] == '!':
+ return self.base_url + 'merge_requests/%d' % int(self.target[1:])
+ raise ValueError
+
+
+def setup(_):
+ roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL))
+
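Review bot: `build_uri` indexes `self.target[0]` before checking that the target is non-empty, so an empty role (``:gl:```) raises `IndexError`, which the `except ValueError:` in `run` does not catch; the build then dies with a traceback instead of the intended "invalid GitLab identifier" error. Either guard with `if not self.target: raise ValueError` at the top of `build_uri` or catch `(ValueError, IndexError)` in `run`. Related: `int()` accepts a leading sign and surrounding whitespace, so ``:gl:`#-5` `` quietly produces `issues/-5`; testing `self.target[1:].isdigit()` before the `int()` rejects that and keeps the generated `refuri` strictly `<base>/issues/<digits>` or `<base>/merge_requests/<digits>`. Smaller points: `setup(_)` receives the Sphinx app but ignores it, and `app.add_role('gl', GitLabRefRole(GITLAB_BASE_URL))` is the Sphinx-level API for this rather than `roles.register_local_role`; returning `{'parallel_read_safe': True, 'parallel_write_safe': True}` from `setup` also lets Sphinx keep parallel builds enabled with this extension loaded.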
#
# Configuration file for the Sphinx documentation builder.
#
is now used by ``named`` for listening for incoming requests and
responding to them. This change will make it easier to improve
performance and implement new protocol layers (for example, DNS over
- TLS) in the future. [GL #29]
+ TLS) in the future. :gl:`#29`
- The new ``dnssec-policy`` option allows the configuration of a key
and signing policy (KASP) for zones. This option enables ``named`` to
generate new keys as needed and automatically roll both ZSK and KSK
keys. (Note that the syntax for this statement differs from the
- DNSSEC policy used by ``dnssec-keymgr``.) [GL #1134]
+ DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134`
- In order to clarify the configuration of DNSSEC keys, the
``trusted-keys`` and ``managed-keys`` statements have been
When used with the new keyword ``static-key``, ``trust-anchors`` has
the same behavior as ``trusted-keys``, i.e., it configures a
permanent trust anchor that will not automatically be updated. (This
- usage is not recommended for the root key.) [GL #6]
+ usage is not recommended for the root key.) :gl:`#6`
- Two new keywords have been added to the ``trust-anchors`` statement:
``initial-ds`` and ``static-ds``. These allow the use of trust
As with the ``initial-key`` and ``static-key`` keywords,
``initial-ds`` configures a dynamic trust anchor to be maintained via
:rfc:`5011`, and ``static-ds`` configures a permanent trust anchor.
- [GL #6] [GL #622]
+ :gl:`#6` :gl:`#622`
- ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to
- print output in a detailed YAML format. [GL #1145]
+ print output in a detailed YAML format. :gl:`#1145`
- ``dig`` now has a new command line option: ``+[no]unexpected``. By
default, ``dig`` won't accept a reply from a source other than the
- ``dig`` now accepts a new command line option, ``+[no]expandaaaa``,
which causes the IPv6 addresses in AAAA records to be printed in full
128-bit notation rather than the default :rfc:`5952` format.
- [GL #765]
+ :gl:`#765`
-- Statistics channel groups can now be toggled. [GL #1030]
+- Statistics channel groups can now be toggled. :gl:`#1030`
Feature Changes
~~~~~~~~~~~~~~~
of ``auto``, automatic :rfc:`5011` key rollovers would be disabled.
This combination of settings was never intended to work, but there
was no check for it in the parser. This has been corrected, and it is
- now a fatal configuration error. [GL #868]
+ now a fatal configuration error. :gl:`#868`
- DS and CDS records are now generated with SHA-256 digests only,
instead of both SHA-1 and SHA-256. This affects the default output of
``dnssec-signzone`` based on ``keyset`` files, the CDS records added
to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing
parameters in key files, and the checks performed by
- ``dnssec-checkds``. [GL #1015]
+ ``dnssec-checkds``. :gl:`#1015`
- ``named`` will now log a warning if a static key is configured for
- the root zone. [GL #6]
+ the root zone. :gl:`#6`
- A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added
and made default. Old non-default HMAC-SHA based DNS Cookie
algorithms have been removed, and only the default AES algorithm is
being kept for legacy reasons. This change has no operational impact
- in most common scenarios. [GL #605]
+ in most common scenarios. :gl:`#605`
If you are running multiple DNS servers (different versions of BIND 9
or DNS servers from multiple vendors) responding from the same IP
requests the signed zone to be printed to standard output with the
``-f -`` option. A new configuration option ``-q`` has been added to
silence all output on standard output except for the name of the
- signed zone. [GL #1151]
+ signed zone. :gl:`#1151`
- The DNSSEC validation code has been refactored for clarity and to
- reduce code duplication. [GL #622]
+ reduce code duplication. :gl:`#622`
- Compile-time settings enabled by the ``--with-tuning=large`` option
for ``configure`` are now in effect by default. Previously used
default compile-time settings can be enabled by passing
- ``--with-tuning=small`` to ``configure``. [GL !2989]
+ ``--with-tuning=small`` to ``configure``. :gl:`!2989`
- JSON-C is now the only supported library for enabling JSON support
for BIND statistics. The ``configure`` option has been renamed from
``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH``
environment variable accordingly to specify a custom path to the
``json-c`` library, as the new ``configure`` option does not take the
- library installation path as an optional argument. [GL #855]
+ library installation path as an optional argument. :gl:`#855`
- ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or
``--localstatedir`` to ``/var`` when ``--prefix`` is not specified
and the aforementioned options are not specified explicitly. Instead,
Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
- respected. [GL #658]
+ respected. :gl:`#658`
Removed Features
~~~~~~~~~~~~~~~~
- The ``dnssec-enable`` option has been obsoleted and no longer has any
effect. DNSSEC responses are always enabled if signatures and other
- DNSSEC data are present. [GL #866]
+ DNSSEC data are present. :gl:`#866`
- DNSSEC Lookaside Validation (DLV) is now obsolete. The
``dnssec-lookaside`` option has been marked as deprecated; when used
in ``named.conf``, it will generate a warning but will otherwise be
ignored. All code enabling the use of lookaside validation has been
- removed from the validator, ``delv``, and the DNSSEC tools. [GL #7]
+ removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7`
-- The ``cleaning-interval`` option has been removed. [GL !1731]
+- The ``cleaning-interval`` option has been removed. :gl:`!1731`
the notable exception of Ubuntu 18.04 (Bionic) which is a work in
progress. If you are running on an affected operating system, compile
BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
- glibc is available. [GL !3125]
+ glibc is available. :gl:`!3125`
Bug Fixes
~~~~~~~~~
- NSEC3 support was added to KASP. A new option for ``dnssec-policy``,
``nsec3param``, can be used to set the desired NSEC3 parameters.
NSEC3 salt collisions are automatically prevented during resalting.
- [GL #1620]
+ :gl:`#1620`
Feature Changes
~~~~~~~~~~~~~~~
included in the count (as a result of the fix for CVE-2020-8616),
``max-recursion-queries`` has a higher chance of being exceeded by
non-attack queries, which is the main reason for increasing its
- default value. [GL #2305]
+ default value. :gl:`#2305`
- The default value of ``nocookie-udp-size`` was restored back to 4096
bytes. Since ``max-udp-size`` is the upper bound for
to change ``nocookie-udp-size`` together with ``max-udp-size`` in
order to increase the default EDNS buffer size limit.
``nocookie-udp-size`` can still be set to a value lower than
- ``max-udp-size``, if desired. [GL #2250]
+ ``max-udp-size``, if desired. :gl:`#2250`
Bug Fixes
~~~~~~~~~
- Handling of missing DNS COOKIE responses over UDP was tightened by
- falling back to TCP. [GL #2275]
+ falling back to TCP. :gl:`#2275`
- The CNAME synthesized from a DNAME was incorrectly followed when the
- QTYPE was CNAME or ANY. [GL #2280]
+ QTYPE was CNAME or ANY. :gl:`#2280`
- Building with native PKCS#11 support for AEP Keyper has been broken
- since BIND 9.16.6. This has been fixed. [GL #2315]
+ since BIND 9.16.6. This has been fixed. :gl:`#2315`
- The new networking code introduced in BIND 9.16 (netmgr) was
overhauled in order to make it more stable, testable, and
- maintainable. [GL #2321]
+ maintainable. :gl:`#2321`
- Earlier releases of BIND versions 9.16 and newer required the
operating system to support load-balanced sockets in order for
FreeBSD 12, which means both UDP and TCP performance were limited to a
single thread on other systems. As of BIND 9.17.8, ``named`` attempts
to distribute incoming queries among multiple threads on systems which
- lack support for load-balanced sockets (except Windows). [GL #2137]
+ lack support for load-balanced sockets (except Windows). :gl:`#2137`
- It is now possible to transition a zone from secure to insecure mode
without making it bogus in the process; changing to ``dnssec-policy
none;`` also causes CDS and CDNSKEY DELETE records to be published, to
signal that the entire DS RRset at the parent must be removed, as
- described in :rfc:`8078`. [GL #1750]
+ described in :rfc:`8078`. :gl:`#1750`
- When using the ``unixtime`` or ``date`` method to update the SOA
serial number, ``named`` and ``dnssec-signzone`` silently fell back to
the ``increment`` method to prevent the new serial number from being
smaller than the old serial number (using serial number arithmetics).
``dnssec-signzone`` now prints a warning message, and ``named`` logs a
- warning, when such a fallback happens. [GL #2058]
+ warning, when such a fallback happens. :gl:`#2058`
Bug Fixes
~~~~~~~~~
- Multiple threads could attempt to destroy a single RBTDB instance at
the same time, resulting in an unpredictable but low-probability
- assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317]
+ assertion failure in ``free_rbtdb()``. This has been fixed.
+ :gl:`#2317`
- ``named`` no longer attempts to assign threads to CPUs outside the CPU
- affinity set. Thanks to Ole Bjørn Hessen. [GL #2245]
+ affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245`
- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
- off DNSSEC maintenance. This has been fixed. [GL #2341]
+ off DNSSEC maintenance. This has been fixed. :gl:`#2341`
- The report of intermittent BIND assertion failures triggered in
``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
first appeared in BIND releases 9.17.5 and 9.16.7. However, since
those releases were published, there have been no new reports of
assertion failures matching this issue, but also no further diagnostic
- input, so we have closed the issue. [GL #2091]
+ input, so we have closed the issue. :gl:`#2091`
(CVE-2020-8625)
This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
- Trend Micro Zero Day Initiative. [GL #2354]
+ Trend Micro Zero Day Initiative. :gl:`#2354`
New Features
~~~~~~~~~~~~
This behavior is controlled by the ``max-ixfr-ratio`` option - a
percentage value representing the ratio of IXFR size to the size of a
- full zone transfer. The default is ``100%``. [GL #1515]
+ full zone transfer. The default is ``100%``. :gl:`#1515`
- A new option, ``stale-answer-client-timeout``, has been added to
improve ``named``'s behavior with respect to serving stale data. The
This new behavior can be disabled by setting
``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
option has no effect if ``stale-answer-enable`` is disabled.
- [GL #2247]
+ :gl:`#2247`
Feature Changes
~~~~~~~~~~~~~~~
``named.conf``. Similarly, ``notify primary-only`` can now be used as
a synonym for ``notify master-only``. The output of ``rndc
zonestatus`` now uses ``primary`` and ``secondary`` terminology.
- [GL #1948]
+ :gl:`#1948`
- The default value of ``max-stale-ttl`` has been changed from 12 hours
to 1 day and the default value of ``stale-answer-ttl`` has been
changed from 1 second to 30 seconds, following :rfc:`8767`
- recommendations. [GL #2248]
+ recommendations. :gl:`#2248`
- The SONAMEs for BIND 9 libraries now include the current BIND 9
version number, in an effort to tightly couple internal libraries with
a specific release. This change makes the BIND 9 release process both
simpler and more consistent while also unequivocally preventing BIND 9
binaries from silently loading wrong versions of shared libraries (or
- multiple versions of the same shared library) at startup. [GL #2387]
+ multiple versions of the same shared library) at startup. :gl:`#2387`
- When ``check-names`` is in effect, A records below an ``_spf``,
``_spf_rate``, or ``_spf_verify`` label (which are employed by the
``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
- D.1) are no longer reported as warnings/errors. [GL #2377]
+ D.1) are no longer reported as warnings/errors. :gl:`#2377`
Bug Fixes
~~~~~~~~~
- ``named`` failed to start when its configuration included a zone with
- a non-builtin ``allow-update`` ACL attached. [GL #2413]
+ a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
- key. This has been fixed. [GL #2178]
+ key. This has been fixed. :gl:`#2178`
- KASP incorrectly set signature validity to the value of the DNSKEY
- signature validity. This has been fixed. [GL #2383]
+ signature validity. This has been fixed. :gl:`#2383`
- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
and/or ``Delete`` timing metadata to be possible active keys. This has
- been fixed. [GL #2406]
+ been fixed. :gl:`#2406`
- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
faster than the time required to finish the rollover procedure, the
were taking part in a rollover. This could lead to premature removal
of predecessor keys. BIND 9 now implements a recursive successor
relation, as described in the paper "Flexible and Robust Key Rollover"
- (Equation (2)). [GL #2375]
+ (Equation (2)). :gl:`#2375`
- Performance of the DNSSEC verification code (used by
``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
- improved. [GL #2073]
+ improved. :gl:`#2073`
- A new ``purge-keys`` option has been added to ``dnssec-policy``. It
sets the period of time that key files are retained after becoming
obsolete due to a key rollover; the default is 90 days. This feature
- can be disabled by setting ``purge-keys`` to 0. [GL #2408]
+ can be disabled by setting ``purge-keys`` to 0. :gl:`#2408`
Feature Changes
~~~~~~~~~~~~~~~
query resolution process. This may happen, for example, if the
``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
this case, ``named`` attempts to answer DNS requests with stale data,
- but does not start the ``stale-refresh-time`` window. [GL #2434]
+ but does not start the ``stale-refresh-time`` window. :gl:`#2434`
Bug Fixes
~~~~~~~~~
A journal file's format can be changed manually by running
``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
(upgrade). Note that this *must not* be done while ``named`` is
- running. [GL #2505]
+ running. :gl:`#2505`
- ``named`` crashed when it was allowed to serve stale answers and
``stale-answer-client-timeout`` was triggered without any (stale) data
- available in the cache to answer the query. [GL #2503]
+ available in the cache to answer the query. :gl:`#2503`
- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
instead of sending back a proper response. To prevent this problem,
the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
- been happening since BIND 9.16.11. [GL #2466]
+ been happening since BIND 9.16.11. :gl:`#2466`
- NSEC3 records were not immediately created when signing a dynamic zone
using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
- [GL #2498]
+ :gl:`#2498`
- A memory leak occurred when ``named`` was reconfigured after adding an
inline-signed zone with ``auto-dnssec maintain`` enabled. This has
- been fixed. [GL #2041]
+ been fixed. :gl:`#2041`
- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
a LOC record resulted in an INSIST failure when a zone file containing
- such a record was loaded. [GL #2499]
+ such a record was loaded. :gl:`#2499`
in ``named``, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this
- vulnerability to our attention. [GL #2467]
+ vulnerability to our attention. :gl:`#2467`
- ``named`` crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank `Siva Kakarla`_ for bringing this
- vulnerability to our attention. [GL #2540]
+ vulnerability to our attention. :gl:`#2540`
.. _Siva Kakarla: https://github.com/sivakesava1
platforms. (CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
- Zero Day Initiative. [GL #2604]
+ Zero Day Initiative. :gl:`#2604`
Feature Changes
~~~~~~~~~~~~~~~
Instead, BIND 9 now always uses the SPNEGO implementation provided by
the system GSSAPI library when it is built with GSSAPI support. All
major contemporary Kerberos/GSSAPI libraries contain an implementation
- of the SPNEGO mechanism. [GL #2607]
+ of the SPNEGO mechanism. :gl:`#2607`
- The default value for the ``stale-answer-client-timeout`` option was
changed from ``1800`` (ms) to ``off``. The default value may be
- changed again in future releases as this feature matures. [GL #2608]
+ changed again in future releases as this feature matures. :gl:`#2608`
Bug Fixes
~~~~~~~~~
transfer from being sent back to the client. The default setting for
``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
connection taking more than 30 seconds was abruptly terminated. This
- has been fixed. [GL #2583]
+ has been fixed. :gl:`#2583`
- When ``stale-answer-client-timeout`` was set to a positive value and
recursion for a client query completed when ``named`` was about to
look for a stale answer, an assertion could fail in
``query_respond()``, resulting in a crash. This has been fixed.
- [GL #2594]
+ :gl:`#2594`
- If zone journal files written by BIND 9.16.11 or earlier were present
when BIND was upgraded to BIND 9.16.13 or BIND 9.16.14, the zone file
for that zone could have been inadvertently rewritten with the current
zone contents. This caused the original zone file structure (e.g.
comments, ``$INCLUDE`` directives) to be lost, although the zone data
- itself was preserved. [GL #2623]
+ itself was preserved. :gl:`#2623`
- After upgrading to BIND 9.16.13, journal files for trust anchor
databases (e.g. ``managed-keys.bind.jnl``) could be left in a corrupt
state. (Other zone journal files were not affected.) This has been
fixed. If a corrupt journal file is detected, ``named`` can now
- recover from it. [GL #2600]
+ recover from it. :gl:`#2600`
- When sending queries over TCP, ``dig`` now properly handles ``+tries=1
+retry=0`` by not retrying the connection when the remote server
- closes the connection prematurely. [GL #2490]
+ closes the connection prematurely. :gl:`#2490`
- CDS/CDNSKEY DELETE records are now removed when a zone transitions
from a secure to an insecure state. ``named-checkzone`` also no longer
reports an error when such records are found in an unsigned zone.
- [GL #2517]
+ :gl:`#2517`
- Zones using KASP could not be thawed after they were frozen using
- ``rndc freeze``. This has been fixed. [GL #2523]
+ ``rndc freeze``. This has been fixed. :gl:`#2523`
- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
``named`` now immediately attempts to reconfigure zone keys. This
- change prevents unnecessary key rollover delays. [GL #2488]
+ change prevents unnecessary key rollover delays. :gl:`#2488`
- Previously, a memory leak could occur when ``named`` failed to bind a
- UDP socket to a network interface. This has been fixed. [GL #2575]
+ UDP socket to a network interface. This has been fixed. :gl:`#2575`
- DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
- Klein. [GL #1574]
+ Klein.:gl:`#1574`
Known Issues
~~~~~~~~~~~~
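Review bot: in the `+` line for #1574, ``Klein.:gl:`#1574` `` has no whitespace between the period and the role. reStructuredText only recognises an inline-markup start-string when it is preceded by whitespace or one of a few opening punctuation characters (`-`, `:`, `/`, `'`, `"`, `<`, `(`, `[`, `{`), and `.` is not one of them, so this occurrence will not be interpreted as the `gl` role; the `:gl:` prefix will be emitted as literal text in the rendered notes. Every other converted entry in this patch keeps the space, so this one should read ``Klein. :gl:`#1574` ``.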
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
- used in the hash calculation). These are being investigated. [GL
- #1685]
+ used in the hash calculation). These are being investigated.
+ :gl:`#1685`
Feature Changes
~~~~~~~~~~~~~~~
- The previous DNSSEC sign statistics used lots of memory. The number
of keys to track is reduced to four per zone, which should be enough
- for 99% of all signed zones. [GL #1179]
+ for 99% of all signed zones. :gl:`#1179`
Bug Fixes
~~~~~~~~~
number of records was deleted, ``named`` could become nonresponsive
for a short period while deleted names were removed from the RPZ
summary database. This database cleanup is now done incrementally
- over a longer period of time, reducing such delays. [GL #1447]
+ over a longer period of time, reducing such delays. :gl:`#1447`
- When trying to migrate an already-signed zone from
``auto-dnssec maintain`` to one based on ``dnssec-policy``, the
possible that some clients would not have been able to validate
responses until all old DNSSEC information had timed out from caches.
BIND now looks at the time metadata of the existing keys and
- incorporates it into its DNSSEC policy operation. [GL #1706]
+ incorporates it into its DNSSEC policy operation. :gl:`#1706`
be enabled. This BIND release sets that special flag when required,
so ``recvmmsg()`` support is now enabled when BIND is compiled
against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not
- usable with BIND. [GL #1761] [GL #1797]
+ usable with BIND. :gl:`#1761` :gl:`#1797`
Feature Changes
~~~~~~~~~~~~~~~
- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
- relying on system defaults instead. [GL #1713]
+ relying on system defaults instead. :gl:`#1713`
- The default rwlock implementation has been changed back to the native
- BIND 9 rwlock implementation. [GL #1753]
+ BIND 9 rwlock implementation. :gl:`#1753`
- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
v3.0 and thus made operational again. Contributed by Aaron Thompson.
- [GL !3326]
+ :gl:`!3326`
- The OpenSSL ECDSA implementation has been updated to support PKCS#11
- via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
- #1534]
+ via OpenSSL engine (see engine_pkcs11 from libp11 project).
+ :gl:`#1534`
- The OpenSSL EdDSA implementation has been updated to support PKCS#11
via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
is required and thus this code is only a proof-of-concept for the
- time being. Contributed by Aaron Thompson. [GL #1763]
+ time being. Contributed by Aaron Thompson. :gl:`#1763`
- Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
- message IDs. [GL #1674]
+ message IDs. :gl:`#1674`
- The zone timers are now exported to the statistics channel. For the
primary zones, only the loaded time is exported. For the secondary
zones, the exported timers also include expire and refresh times.
- Contributed by Paul Frieden, Verizon Media. [GL #1232]
+ Contributed by Paul Frieden, Verizon Media. :gl:`#1232`
Bug Fixes
~~~~~~~~~
- A bug in dnstap initialization could prevent some dnstap data from
- being logged, especially on recursive resolvers. [GL #1795]
+ being logged, especially on recursive resolvers. :gl:`#1795`
- When running on a system with support for Linux capabilities,
``named`` drops root privileges very soon after system startup. This
was causing a spurious log message, ``unable to set effective uid to
- 0: Operation not permitted``, which has now been silenced. [GL #1042]
- [GL #1090]
+ 0: Operation not permitted``, which has now been silenced.
+ :gl:`#1042` :gl:`#1090`
- When ``named-checkconf`` was run, it would sometimes incorrectly set
its exit code. It reflected only the status of the last view found;
any errors found for other configured views were not reported. Thanks
- to Graham Clinch. [GL #1807]
+ to Graham Clinch. :gl:`#1807`
- When built without LMDB support, ``named`` failed to restart after a
zone with a double quote (") in its name was added with
- ``rndc addzone``. Thanks to Alberto Fernández. [GL #1695]
+ ``rndc addzone``. Thanks to Alberto Fernández. :gl:`#1695`
~~~~~~~~~~~~~~
- It was possible to trigger an assertion when attempting to fill an
- oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
+ oversized TCP buffer. This was disclosed in CVE-2020-8618.
+ :gl:`#1850`
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
- disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
+ disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
New Features
~~~~~~~~~~~~
- Documentation was converted from DocBook to reStructuredText. The
BIND 9 ARM is now generated using Sphinx and published on `Read the
Docs`_. Release notes are no longer available as a separate document
- accompanying a release. [GL #83]
+ accompanying a release. :gl:`#83`
- ``named`` and ``named-checkzone`` now reject master zones that have a
DS RRset at the zone apex. Attempts to add DS records at the zone
apex via UPDATE will be logged but otherwise ignored. DS records
- belong in the parent zone, not at the zone apex. [GL #1798]
+ belong in the parent zone, not at the zone apex. :gl:`#1798`
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
- option when it appears in a request or a response. [GL #1835]
+ option when it appears in a request or a response. :gl:`#1835`
Feature Changes
~~~~~~~~~~~~~~~
on|off``). Serving of stale answers when the authoritative servers
are not responding must be explicitly enabled, whereas the retention
of expired cache content takes place automatically on all versions of
- BIND 9 that have this feature available. [GL #1877]
+ BIND 9 that have this feature available. :gl:`#1877`
.. warning::
This change may be significant for administrators who expect that
interface. Previously, just one socket was created on systems
conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
in BIND 9.16.0, but it was accidentally omitted from documentation.
- [GL #1782]
+ :gl:`#1782`
Bug Fixes
~~~~~~~~~
DNSSEC proof of non-existence (in other words, queries that required
the server to find and to return NSEC3 data). The unnecessary
processing step that was causing this delay has now been removed.
- [GL #1834]
+ :gl:`#1834`
- ``named`` could crash with an assertion failure if the name of a
database node was looked up while the database was being modified.
- [GL #1857]
+ :gl:`#1857`
- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
- [GL #1859]
+ :gl:`#1859`
- Previously, ``named`` did not destroy some mutexes and conditional
variables in netmgr code, which caused a memory leak on FreeBSD. This
- has been fixed. [GL #1893]
+ has been fixed. :gl:`#1893`
- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
- to an assertion failure was fixed. [GL #1808]
+ to an assertion failure was fixed. :gl:`#1808`
- Previously, ``provide-ixfr no;`` failed to return up-to-date
responses when the serial number was greater than or equal to the
- current serial number. [GL #1714]
+ current serial number. :gl:`#1714`
- A bug in dnssec-policy keymgr was fixed, where the check for the
existence of a given key's successor would incorrectly return
- ``true`` if any other key in the keyring had a successor. [GL #1845]
+ ``true`` if any other key in the keyring had a successor. :gl:`#1845`
- With dnssec-policy, when creating a successor key, the "goal" state
of the current active key (the predecessor) was not changed and thus
- never removed from the zone. [GL #1846]
+ never removed from the zone. :gl:`#1846`
- ``named-checkconf -p`` could include spurious text in
``server-addresses`` statements due to an uninitialized DSCP value.
- This has been fixed. [GL #1812]
+ This has been fixed. :gl:`#1812`
- The ARM has been updated to indicate that the TSIG session key is
generated when named starts, regardless of whether it is needed.
- [GL #1842]
+ :gl:`#1842`
.. _Read the Docs: https://bind9.readthedocs.io/
- New ``rndc`` command ``rndc dnssec -status`` shows the current DNSSEC
policy and keys in use, the key states, and rollover status.
- [GL #1612]
+ :gl:`#1612`
Bug Fixes
~~~~~~~~~
- A race condition could occur if a TCP socket connection was closed
while ``named`` was waiting for a recursive response. The attempt to
send a response over the closing connection triggered an assertion
- failure in the function ``isc__nm_tcpdns_send()``. [GL #1937]
+ failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937`
- A race condition could occur when ``named`` attempted to use a UDP
interface that was shutting down. This triggered an assertion failure
- in ``uv__udp_finish_close()``. [GL #1938]
+ in ``uv__udp_finish_close()``. :gl:`#1938`
- Fix assertion failure when server was under load and root zone had not
- yet been loaded. [GL #1862]
+ yet been loaded. :gl:`#1862`
- ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c``
- that were being reused. [GL #1968]
+ that were being reused. :gl:`#1968`
- ``named`` crashed on shutdown when a new ``rndc`` connection was
- received during shutdown. This has been fixed. [GL #1747]
+ received during shutdown. This has been fixed. :gl:`#1747`
- The DS RRset returned by ``dns_keynode_dsset()`` was used in a
non-thread-safe manner. This could result in an INSIST being
- triggered. [GL #1926]
+ triggered. :gl:`#1926`
- Properly handle missing ``kyua`` command so that ``make check`` does
not fail unexpectedly when CMocka is installed, but Kyua is not.
- [GL #1950]
+ :gl:`#1950`
- The ``primary`` and ``secondary`` keywords, when used as parameters
for ``check-names``, were not processed correctly and were being
- ignored. [GL #1949]
+ ignored. :gl:`#1949`
- ``rndc dnstap -roll <value>`` did not limit the number of saved files
- to ``<value>``. [GL !3728]
+ to ``<value>``. :gl:`!3728`
- The validator could fail to accept a properly signed RRset if an
unsupported algorithm appeared earlier in the DNSKEY RRset than a
supported algorithm. It could also stop if it detected a malformed
- public key. [GL #1689]
+ public key. :gl:`#1689`
- The ``blackhole`` ACL was inadvertently disabled for client queries.
Blocked IP addresses were not used for upstream queries but queries
- from those addresses could still be answered. [GL #1936]
+ from those addresses could still be answered. :gl:`#1936`
crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
- bringing this vulnerability to our attention. [GL #1996]
+ bringing this vulnerability to our attention. :gl:`#1996`
- ``named`` could crash after failing an assertion check in certain
query resolution scenarios where QNAME minimization and forwarding
are used at any point. This was disclosed in CVE-2020-8621.
ISC would like to thank Joseph Gullo for bringing this vulnerability
- to our attention. [GL #1997]
+ to our attention. :gl:`#1997`
- It was possible to trigger an assertion failure when verifying the
response to a TSIG-signed request. This was disclosed in
CVE-2020-8622.
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
- of Oracle for bringing this vulnerability to our attention. [GL #2028]
+ of Oracle for bringing this vulnerability to our attention.
+ :gl:`#2028`
- When BIND 9 was compiled with native PKCS#11 support, it was possible
to trigger an assertion failure in code determining the number of bits
was disclosed in CVE-2020-8623.
ISC would like to thank Lyu Chiy for bringing this vulnerability to
- our attention. [GL #2037]
+ our attention. :gl:`#2037`
- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
described in the ARM. This was disclosed in CVE-2020-8624.
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
- vulnerability to our attention. [GL #2055]
+ vulnerability to our attention. :gl:`#2055`
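Review bot: the wrapped reference in the CVE-2020-8622 entry (`+ :gl:`#2028`` on a line of its own) only stays part of the list item if that line keeps the item's indentation, so confirm the indentation survived the wrap; a dedented line there would end the paragraph and render the reference as a separate block. Every other long entry in this block keeps the role on the same line as the preceding text, which avoids the question entirely.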
New Features
~~~~~~~~~~~~
- A new configuration option ``stale-cache-enable`` has been introduced
- to enable or disable keeping stale answers in cache. [GL #1712]
+ to enable or disable keeping stale answers in cache. :gl:`#1712`
Feature Changes
~~~~~~~~~~~~~~~
``max-cache-size`` (configured explicitly, defaulting to a value based
on system memory or set to ``unlimited``) now pre-allocates fixed-size
hash tables. This prevents interruption to query resolution when the
- hash table sizes need to be increased. [GL #1775]
+ hash table sizes need to be increased. :gl:`#1775`
- Resource records received with 0 TTL are no longer kept in the cache
- to be used for stale answers. [GL #1829]
+ to be used for stale answers. :gl:`#1829`
Bug Fixes
~~~~~~~~~
- Wildcard RPZ passthru rules could incorrectly be overridden by other
rules that were loaded from RPZ zones which appeared later in the
- ``response-policy`` statement. This has been fixed. [GL #1619]
+ ``response-policy`` statement. This has been fixed. :gl:`#1619`
- The IPv6 Duplicate Address Detection (DAD) mechanism could
inadvertently prevent ``named`` from binding to new IPv6 interfaces,
thereafter to ignore that address/interface. The problem was worked
around by setting the ``IP_FREEBIND`` option on the socket and trying
to ``bind()`` to each IPv6 address again if the first ``bind()`` call
- for that address failed with ``EADDRNOTAVAIL``. [GL #2038]
+ for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038`
- Addressed an error in recursive clients stats reporting which could
cause underflow, and even negative statistics. There were occasions
increment in recursive clients stats would take place. Conversely,
when processing the answers, if the recursion code were executed
before the prefetch, the same counter would be decremented without a
- matching increment. [GL #1719]
+ matching increment. :gl:`#1719`
- The introduction of KASP support inadvertently caused the second field
of ``sig-validity-interval`` to always be calculated in hours, even in
cases when it should have been calculated in days. This has been
- fixed. (Thanks to Tony Finch.) [GL !3735]
+ fixed. (Thanks to Tony Finch.) :gl:`!3735`
- LMDB locking code was revised to make ``rndc reconfig`` work properly
- on FreeBSD and with LMDB >= 0.9.26. [GL #1976]
+ on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976`
- Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to
``named`` that a DS record for a given zone or key has been published
or withdrawn from the parent. This command replaces the time-based
- ``parent-registration-delay`` configuration option. [GL #1613]
+ ``parent-registration-delay`` configuration option. :gl:`#1613`
-- Log when ``named`` adds a CDS/CDNSKEY to the zone. [GL #1748]
+- Log when ``named`` adds a CDS/CDNSKEY to the zone. :gl:`#1748`
Bug Fixes
~~~~~~~~~
- In rare circumstances, ``named`` would exit with an assertion failure
when the number of nodes stored in the red-black tree exceeded the
- maximum allowed size of the internal hash table. [GL #2104]
+ maximum allowed size of the internal hash table. :gl:`#2104`
- Silence spurious system log messages for an EPROTO(71) error code that
was seen on older operating systems, where unhandled ICMPv6 errors
resulted in a generic protocol error being returned instead of a more
- specific error code. [GL #1928]
+ specific error code. :gl:`#1928`
- With query name minimization enabled, ``named`` failed to resolve
``ip6.arpa.`` names that had extra labels to the left of the IPv6
resolving the name: if ``named`` received NXDOMAIN answers, then the
same query was repeatedly sent until the number of queries sent
reached the value of the ``max-recursion-queries`` configuration
- option. [GL #1847]
+ option. :gl:`#1847`
- Parsing of LOC records was made more strict by rejecting a sole period
(``.``) and/or ``m`` as a value. These changes prevent zone files
using such values from being loaded. Handling of negative altitudes
- which are not integers was also corrected. [GL #2074]
+ which are not integers was also corrected. :gl:`#2074`
- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are
- security issues.) [GL !3953] [GL !3975]
+ security issues.) :gl:`!3953` :gl:`!3975`
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
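Review bot: the merge-request targets in this block (`:gl:`!3953` :gl:`!3975``, and `!3728` and `!3735` earlier in the file) are the ones worth spot-checking in the rendered output, because issue and merge-request numbers are independent sequences on GitLab and a `#`/`!` mix-up would not fail the build, it would just link to an unrelated object. Two adjacent roles separated by a single space are fine for docutils, since the whitespace before the second start-string satisfies the inline-markup rule.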
~~~~~~~~~~~~
- Add a new ``rndc`` command, ``rndc dnssec -rollover``, which triggers
- a manual rollover for a specific key. [GL #1749]
+ a manual rollover for a specific key. :gl:`#1749`
- Add a new ``rndc`` command, ``rndc dumpdb -expired``, which dumps the
cache database, including expired RRsets that are awaiting cleanup, to
- the ``dump-file`` for diagnostic purposes. [GL #1870]
+ the ``dump-file`` for diagnostic purposes. :gl:`#1870`
Feature Changes
~~~~~~~~~~~~~~~
MTU minus the estimated header space. In practice, the smallest MTU
witnessed in the operational DNS community is 1500 octets, the maximum
Ethernet payload size, so a useful default for maximum DNS/UDP payload
- size on reliable networks would be 1400 bytes. [GL #2183]
+ size on reliable networks would be 1400 bytes. :gl:`#2183`
Bug Fixes
~~~~~~~~~
- ``named`` reported an invalid memory size when running in an
environment that did not properly report the number of available
- memory pages and/or the size of each memory page. [GL #2166]
+ memory pages and/or the size of each memory page. :gl:`#2166`
- With multiple forwarders configured, ``named`` could fail the
``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``,
- causing it to crash. This has been fixed. [GL #2124]
+ causing it to crash. This has been fixed. :gl:`#2124`
- ``named`` erroneously performed continuous key rollovers for KASP
policies that used algorithm Ed25519 or Ed448 due to a mismatch
- between created key size and expected key size. [GL #2171]
+ between created key size and expected key size. :gl:`#2171`
- Updating contents of an RPZ zone which contained names spelled using
varying letter case could cause some processing rules in that RPZ zone
- to be erroneously ignored. [GL #2169]
+ to be erroneously ignored. :gl:`#2169`
- A new configuration option, ``stale-refresh-time``, has been
introduced. It allows a stale RRset to be served directly from cache
for a period of time after a failed lookup, before a new attempt to
- refresh it is made. [GL #2066]
+ refresh it is made. :gl:`#2066`
Bug Fixes
~~~~~~~~~
- ``named`` could crash with an assertion failure if a TCP connection
- were closed while a request was still being processed. [GL #2227]
+ were closed while a request was still being processed. :gl:`#2227`
- ``named`` acting as a resolver could incorrectly treat signed zones
with no DS record at the parent as bogus. Such zones should be treated
- as insecure. This has been fixed. [GL #2236]
+ as insecure. This has been fixed. :gl:`#2236`
- After a Negative Trust Anchor (NTA) is added, BIND performs periodic
checks to see if it is still necessary. If BIND encountered a failure
while creating a query to perform such a check, it attempted to
- dereference a ``NULL`` pointer, resulting in a crash. [GL #2244]
+ dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244`
- A problem obtaining glue records could prevent a stub zone from
functioning properly, if the authoritative server for the zone were
- configured for minimal responses. [GL #1736]
+ configured for minimal responses. :gl:`#1736`
- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a
- ``TCP6RecvErr``. [GL #2208]
+ ``TCP6RecvErr``. :gl:`#2208`
~~~~~~~~~~~~~~~
- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
- the minimum of the SOA MINIMUM value and the SOA TTL. [GL #2347].
+ the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
- Reduce the supported maximum number of iterations that can be
- configured in an NSEC3 zones to 150. [GL #2642]
+ configured in an NSEC3 zones to 150. :gl:`#2642`
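Review bot: the replacement for `[GL #2347].` drops the trailing period after the reference, which makes this entry consistent with every other entry in the file (none end the reference with punctuation); mentioning that in the commit message would help, since it is the one place where the change is more than a one-to-one substitution.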
Bug Fixes
~~~~~~~~~
``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
values if the RRset was still marked a stale but the ``max-stale-ttl`` has
passed (and is actually an RRset awaiting cleanup). Both issues have now
- been fixed. [GL #389] [GL #2289]
+ been fixed. :gl:`#389` :gl:`#2289`
- ``named`` would overwrite a zone file unconditionally when it recovered from
- a corrupted journal. [GL #2623]
+ a corrupted journal. :gl:`#2623`
- With ``dnssec-policy``, when creating new keys also check for keyid conflicts
- between the new keys too. [GL #2628]
+ between the new keys too. :gl:`#2628`
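Review bot: since this is a bulk substitution across the release notes, grep the committed file for any remaining literal `[GL ` occurrences and build the docs with warnings enabled before merging; a leftover bracket form would render as plain text without error, and a `:gl:` role used where the custom role is not registered shows up only as an "unknown interpreted text role" warning rather than a build failure.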