From: Petr Špaček Date: Tue, 13 Aug 2024 12:36:20 +0000 (+0200) Subject: Re-apply release note tweaks from the 9.21.0 release X-Git-Tag: v9.18.29~1^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=8f0d9b7fca4d2d2b7a5758bce3329d4bd49f3ed7;p=thirdparty%2Fbind9.git Re-apply release note tweaks from the 9.21.0 release --- diff --git a/doc/notes/notes-9.18.29.rst b/doc/notes/notes-9.18.29.rst index aa91c4cb132..52097556b39 100644 --- a/doc/notes/notes-9.18.29.rst +++ b/doc/notes/notes-9.18.29.rst 
@@ -1,93 +1,98 @@ -(-dev) ------- - -New Features -~~~~~~~~~~~~ - -- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. - - There were cases in resolver.c when the `max-recursion-queries` quota - was ineffective. It was possible to craft zones that would cause a - resolver to waste resources by sending excessive queries while +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.29 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- Tighten :any:`max-recursion-queries` and add :any:`max-query-restarts` + configuration statement. + + There were cases when the :any:`max-recursion-queries` + quota was ineffective. It was possible to craft zones that would cause + a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting - errors in the implementation of `max-recursion-queries`, and by + errors in the implementation of :any:`max-recursion-queries` and by reducing the default value from 100 to 32. - In addition, a new `max-query-restarts` option has been added which - limits the number of times a recursive server will follow CNAME or - DNAME records before terminating resolution. This was previously a - hard-coded limit of 16, and now defaults to 11. :gl:`#4741` - :gl:`!9283` - -Bug Fixes -~~~~~~~~~ - -- Reconfigure catz member zones during named reconfiguration. + In addition, a new :any:`max-query-restarts` configuration statement has been + added, which limits the number of times a recursive server will follow CNAME + or DNAME records before terminating resolution. 
This was previously a + hard-coded limit of 16 but is now configurable with a default value of 11. - During a reconfiguration named wasn't reconfiguring catalog zones' - member zones. This has been fixed. :gl:`#4733` + ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin + Tanir from NetSec group, ETH Zurich for discovering and notifying us about + the issue. :gl:`#4741` :gl:`!9283` - Raise the log level of priming failures. - When a priming query is complete, it's currently logged at level - ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising - it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + When a priming query is complete, it was previously logged at level + ``DEBUG(1)``, regardless of success or failure. It is now + logged to ``NOTICE`` in the case of failure. :gl:`#3516` :gl:`!9251` - Add a compatibility shim for older libuv versions (< 1.19.0) The uv_stream_get_write_queue_size() is supported only in relatively - newer versions of libuv (1.19.0 or higher). Provide a compatibility - shim for this function , so BIND 9 can be built in environments with + newer versions of libuv (1.19.0 or higher). Provide a compatibility + shim for this function, so BIND 9 can be built in environments with older libuv version. -- Remove extra newline from yaml output. - - I split this into two commits, one for the actual newline removal, and - one for issues I found, ruining the yaml output when some errors were - outputted. - -- Fix generation of 6to4-self name expansion from IPv4 address. - - The period between the most significant nibble of the encoded IPv4 - address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the - wrong name being checked. Add system test for 6to4-self - implementation. :gl:`#4766` :gl:`!9218` +Bug Fixes +~~~~~~~~~ -- Fix false QNAME minimisation error being reported. +- Return SERVFAIL for a too long CNAME chain. 
- Remove the false positive "success resolving" log message when QNAME - minimisation is in effect and the final result is NXDOMAIN. - :gl:`#4784` :gl:`!9216` + When following long CNAME chains, :iscman:`named` was returning NOERROR + (along with a partial answer) instead of SERVFAIL, if the chain exceeded the + maximum length. This has been fixed. :gl:`#4449` :gl:`!9204` -- Dig +yaml was producing unexpected and/or invalid YAML output. +- Reconfigure catz member zones during :iscman:`named` reconfiguration. - :gl:`#4796` :gl:`!9214` + During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog + zones' member zones. This has been fixed. :gl:`#4733` -- SVBC alpn text parsing failed to reject zero length alpn. +- Update key lifetime and metadata after :any:`dnssec-policy` reconfiguration. - :gl:`#4775` :gl:`!9210` + Adjust key state and timing metadata if :any:`dnssec-policy` key + lifetime configuration is updated, so that it also affects existing + keys. :gl:`#4677` :gl:`!9192` -- Return SERVFAIL for a too long CNAME chain. +- Fix generation of 6to4-self name expansion from IPv4 address. - When cutting a long CNAME chain, named was returning NOERROR instead - of SERVFAIL (alongside with a partial answer). This has been fixed. - :gl:`#4449` :gl:`!9204` + The period between the most significant nibble of the encoded IPv4 + address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the + wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9218` -- Properly calculate the amount of system memory. +- :option:`dig +yaml` was producing unexpected and/or invalid YAML. + output. :gl:`#4796` :gl:`!9214` - On 32 bit machines isc_meminfo_totalphys could return an incorrect - value. :gl:`#4799` :gl:`!9200` +- SVBC ALPN text parsing failed to reject zero-length ALPN. :gl:`#4775` :gl:`!9210` -- Update key lifetime and metadata after dnssec-policy reconfig. +- Fix false QNAME minimisation error being reported. 
- Adjust key state and timing metadata if dnssec-policy key lifetime - configuration is updated, so that it also affects existing keys. - :gl:`#4677` :gl:`!9192` + Remove the false positive ``success resolving`` log message when QNAME + minimisation is in effect and the final result is an NXDOMAIN. + :gl:`#4784` :gl:`!9216` - Fix dig +timeout argument when using +https. The +timeout argument was not used on DoH connections. This has been - fixed. :gl:`#4806` :gl:`!9161` + fixed. :gl:`#4806` :gl:`!9161` +Known Issues +~~~~~~~~~~~~ +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch.
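Review bot: two typos in the added Bug Fixes entries: the `dig +yaml` item carries a stray full stop before the line break ("...unexpected and/or invalid YAML." followed by "output."), so it should read "...unexpected and/or invalid YAML output. :gl:`#4796` :gl:`!9214`"; and "SVBC ALPN text parsing" should be "SVCB ALPN text parsing", since the record type is SVCB (the misspelling is carried over from the removed line). Two smaller points in the Feature Changes section: the libuv compatibility-shim entry is now the only note without a `:gl:` issue or merge-request reference, and its last line "older libuv version." should be "older libuv versions."; and in the Known Issues entry the `:ref:` role shows no target label as rendered here, so confirm the label survived the re-apply.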