development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
+(-dev)
+------
+
+New Features
+~~~~~~~~~~~~
+
+- Support for Offline KSK implemented. ``bfa206beecc``
+
+ Add a new configuration option `offline-ksk` to enable Offline KSK key
+ management. Signed Key Response (SKR) files created with `dnssec-ksr`
+ (or other program) can now be imported into `named` with the new `rndc
+ skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY
+ records and generating signatures covering these types, these records
+ are loaded from the currently active bundle from the imported SKR.
+
+ The implementation is loosely based on:
+ https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-
+ keymgmt-01.txt :gl:`#1128` :gl:`!9119`
+
+- Implement the 'request-ixfr-max-diffs' configuration option.
+ ``99b18bab7e1``
+
+ The new 'request-ixfr-max-diffs' configuration option sets the maximum
+ number of incoming incremental zone transfer (IXFR) differences,
+ exceeding which triggers a full zone transfer (AXFR). :gl:`#4389`
+ :gl:`!9094`
+
+- Print the full path of the working directory in startup log messages.
+ ``cf53eac46e9``
+
+ named now prints its initial working directory during startup and the
+ changed working directory when loading or reloading its configuration
+ file if it has a valid 'directory' option defined. :gl:`#4731`
+ :gl:`!9362`
+
+- Support restricted key tag range when generating new keys.
+ ``d40b722d462``
+
+ It is useful when multiple signers are being used to sign a zone to
+ able to specify a restricted range of range of key tags that will be
+ used by an operator to sign the zone. This adds controls to named
+ (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr
+ (dnssec-policy) to specify such ranges. :gl:`#4830` :gl:`!9258`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Remove the 'dialup' and 'heartbeat-interval' options. ``a133a33b650``
+
+ The `dialup` and `heartbeat-interval` options have been removed, along
+ with all code implementing them. Using these options is now a fatal
+ error. :gl:`#4237` :gl:`!8160`
+
+- Remove outdated perllib integration. ``f73a19bb3e9``
+
+ The code in conftools/ directory hasn't been touched since 2000.
+ Nobody knows what it does and nobody even knows how to build it or
+ test it. Just remove the whole directory. :gl:`!9302`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Use deterministic ecdsa for openssl >= 3.2. ``069c6c22654``
+
+ OpenSSL has added support for deterministic ECDSA (RFC 6979) with
+ version 3.2.
+
+ Use it by default as it removes arguably its most fragile side of
+ ECDSA. The derandomization doesn't pose a risk for DNS usecases and is
+ allowed by FIPS 186-5. :gl:`#299` :gl:`!9128`
+
+- Exempt prefetches from the fetches-per-zone and fetches-per-server
+ quotas. ``4cd73e2536c``
+
+ Fetches generated automatically as a result of 'prefetch' are now
+ exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas.
+ This should help in maintaining the cache from which query responses
+ can be given. :gl:`#4219` :gl:`!9095`
+
+- Restore the ability to select individual unit tests. ``2299aba5c20``
+
+ This add the command line arguments: `-d` (debug), `-l` (list tests)
+ and `-t test` (run this test) to the unit tests. :gl:`#4579`
+ :gl:`!9384`
+
+- Process also the ISC_R_CANCELED result code in rpz_rewrite()
+ ``d0d6ad0c52e``
+
+ Log canceled resolver queries (e.g. when shutting down a hung fetch)
+ in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized"
+ result codes. :gl:`#4797` :gl:`!9148`
+
+- Use single logging context for everything. ``aa408051d6c``
+
+ Instead of juggling different logging context, use one single logging
+ context that gets initialized in the libisc constructor and destroyed
+ in the libisc destructor. :gl:`#4848` :gl:`!9301`
+
+- Remove code to read and parse /proc/net/if_inet6 on Linux.
+ ``8071384324b``
+
+ The getifaddr() works fine for years, so we don't have to keep the
+ callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9315`
+
+- Use seteuid()/setegid() instead of setreseuid()/setresgid()
+ ``558ec133ea1``
+
+ It looks like that all supported systems now have support for
+ _POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
+ those will not change saved used/group IDs. :gl:`#4862` :gl:`!9363`
+
+- Follow the number of CPU set by taskset/cpuset. ``9afcdc2b184``
+
+ Administrators may wish to constrain the set of cores that BIND 9 runs
+ on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
+ other O/S).
+
+ If the admin has used taskset, the `named` will now follow to
+ automatically use the given number of CPUs rather than the system wide
+ count. :gl:`#4884` :gl:`!9398`
+
+- Double the number of threadpool threads. ``cfdded46676``
+
+ Introduce this temporary workaround to reduce the impact of long-
+ running tasks in offload threads which can block the resolution of
+ queries. :gl:`#4898`
+
+Bug Fixes
+~~~~~~~~~
+
+- Delay release of root privileges until after configuring controls.
+ ``8a09d54d6be``
+
+ Delay relinquishing root privileges until the control channel has been
+ configured, for the benefit of systems that require root to use
+ privileged port numbers. This mostly affects systems without fine-
+ grained privilege systems (i.e., other than Linux). :gl:`#4793`
+ :gl:`!9123`
+
+- Fix the assertion failure in the isc_hashmap iterator. ``c31cd677882``
+
+ When the round robin hashing reorders the map entries on deletion, we
+ were adjusting the iterator table size only when the reordering was
+ happening at the internal table boundary. The iterator table size had
+ to be reduced by one to prevent seeing the entry that resized on
+ position [0] twice because it migrated to [iter->size - 1] position.
+
+ However, the same thing could happen when the same entry migrates a
+ second time from [iter->size - 1] to [iter->size - 2] position (and so
+ on) because the check that we are manipulating the entry just in the
+ [0] position was insufficient. Instead of checking the position [pos
+ == 0], we now check that the [pos % iter->size == 0], thus ignoring
+ all the entries that might have moved back to the end of the internal
+ table. :gl:`#4838` :gl:`!9292`
+
+- Add -Wno-psabi to CFLAGS for x86 (32-bit) builds. ``75021765f8d``
+
+ GCC 11.1+ emits a note during compilation when there are 64-bit atomic
+ fields in a structure, because it fixed a compiler bug by changing the
+ alignment of such fields, which caused ABI change.
+
+ Add -Wno-psabi to CFLAGS for such builds in order to silence the
+ warning. That shouldn't be a problem since we don't expose our
+ structures to the outside. :gl:`#4841` :gl:`!9319`
+
+- Check if logconfig is NULL before using it in isc_log_doit()
+ ``ebd669a8303``
+
+ Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
+ because it's possible that isc_log_destroy() was already called, e.g.
+ when a 'call_rcu' function wants to log a message during shutdown.
+ :gl:`#4842` :gl:`!9297`
+
+- Change the NS_PER_SEC (and friends) from enum to static const.
+ ``2d12e1142ae``
+
+ New version of clang (19) has introduced a stricter checks when mixing
+ integer (and float types) with enums. In this case, we used enum {}
+ as C17 doesn't have constexpr yet. Change the time conversion
+ constants to be static const unsigned int instead of enum values.
+ :gl:`#4845` :gl:`!9313`
+
+- Check the result of dirfd() before calling unlinkat() ``661981be7b0``
+
+ Instead of directly using the result of dirfd() in the unlinkat()
+ call, check whether the returned file descriptor is actually valid.
+ That doesn't really change the logic as the unlinkat() would fail with
+ invalid descriptor anyway, but this is cleaner and will report the
+ right error returned directly by dirfd() instead of EBADF from
+ unlinkat(). :gl:`#4853` :gl:`!9316`
+
+- Fix rare assertion failure when shutting down incoming transfer.
+ ``14d2040934e``
+
+ A very rare assertion failure can be triggered when the incoming
+ transfer is either forcefully shut down or it is finished during
+ printing the details about the statistics channel. This has been
+ fixed. :gl:`#4860` :gl:`!9336`
+
+- Fix the resesuid() shim implementation for NetBSD. ``5bfed08b253``
+
+ The shim implementation of setresuid() was wrong - there was a copy
+ and paste error and it was calling setresgid() instead. This only
+ affects NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
+ setresgid() implementation available from the system library.
+ :gl:`#4862` :gl:`!9359`
+
+- Fix algoritm rollover bug when there are two keys with the same
+ keytag. ``8dbd57116bf``
+
+ If there is an algorithm rollover and two keys of different algorithm
+ share the same keytags, then there is a possibility that if we check
+ that a key matches a specific state, we are checking against the wrong
+ key. This has been fixed by not only checking for matching key tag but
+ also key algorithm. :gl:`#4878` :gl:`!9381`
+
+- Stop using malloc_usable_size and malloc_size. ``f99da39934d``
+
+ The `malloc_usable_size()` can return size larger than originally
+ allocated and when these sizes disagree the fortifier enabled by
+ `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution
+ abruptly. Stop using these convenience functions as they are primary
+ used for introspection-only. :gl:`#4880` :gl:`!9400`
+
+- Preserve statement tag order in documentation. ``0b9ce9c05b1``
+
+ This supports bit-for-bit reproducibility of built documentation.
+ :gl:`#4886` :gl:`!9399`
+
+- Fix an assertion failure in validate_dnskey_dsset_done()
+ ``31245213a09``
+
+ Under rare circumstances, named could terminate unexpectedly when
+ validating a DNSKEY resource record if the validation was canceled in
+ the meantime. This has been fixed. :gl:`#4911`
+
+- Silence all warnings that stem from the default config.
+ ``f4e0d0e460b``
+
+ As we now setup the logging very early, parsing the default config
+ would always print warnings about experimental (and possibly
+ deprecated) options in the default config. This would even mess with
+ commands like `named -V` and it is also wrong to warn users about
+ using experimental options in the default config, because they can't
+ do anything about this. Add CFG_PCTX_NODEPRECATED and
+ CFG_PCTX_NOEXPERIMENTAL options that we can pass to cfg parser and
+ silence the early warnings caused by using experimental options in the
+ default config. :gl:`!9304`
+
+
BIND 9.21.0
-----------
projects / thirdparty / bind9.git / commitdiff
