Add CHANGES and release note for GL #2038

(cherry picked from commit 94eda43ab28383c59df21280d6c06fc84260cc4f)

diff --git a/CHANGES b/CHANGES
index 335d9e54616bfb2a41219ce60169d18b9c2ab8bc..b49104509fc6c995a1cce54c5243c7c719cde7f9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5481.  [bug]           BIND 9 would fail to bind to IPv6 addresses in a
+                       tentative state when a new IPv6 address was added to the
+                       system, but the Duplicate Address Detection (DAD)
+                       mechanism had not yet finished. [GL #2038]
+
 5477.  [bug]           The idle timeout for connected TCP sockets is now
                        derived from the client query processing timeout
                        configured for a resolver. [GL #2024]

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index ee6e8ca7ef2b589f96599cfef19a822db3156a24..d59f0794d49ce46545be7e748d4862c3447bfba9 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -42,3 +42,12 @@ Bug Fixes
 - The introduction of KASP support broke whether the second field
   of sig-validity-interval was treated as days or hours. (Thanks to
   Tony Finch.) [GL !3735]
+
+- The IPv6 Duplicate Address Detection (DAD) mechanism could cause the operating
+  system to report the new IPv6 addresses to the applications via the
+  getifaddrs() API in a tentative (DAD not yet finished) or duplicate (DAD
+  failed) state. Such addresses cannot be bound by an application, and named
+  failed to listen on IPv6 addresses after the DAD mechanism finished. It is
+  possible to work around the issue by setting the IP_FREEBIND option on the
+  socket and trying to bind() to the IPv6 address again if the first bind() call
+  fails with EADDRNOTAVAIL. [GL #2038]