Merge tag 'v9.18.30' into bind-9.18

2026-05-27 20:25:55 -04:00 · 2024-09-18 18:08:01 +02:00 · 2024-09-18 18:08:01 +02:00 · 0b386fc34c
commit 0b386fc34c
parent 5a6c5218ad cdc8d69148
4 changed files with 172 additions and 2 deletions
--- a/doc/arm/changelog.rst
+++ b/doc/arm/changelog.rst
@ -18,6 +18,113 @@ Changelog
   development. Regular users should refer to :ref:`Release Notes <relnotes>`
   for changes relevant to them.

+BIND 9.18.30
+------------
+
+New Features
+~~~~~~~~~~~~
+
+- Print the full path of the working directory in startup log messages.
+  ``99ce0d6b838``
+
+  named now prints its initial working directory during startup and the
+  changed working directory when loading or reloading its configuration
+  file if it has a valid 'directory' option defined. :gl:`#4731`
+  :gl:`!9373`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Restore the ability to select individual unit tests. ``a59fe212a34``
+
+  This adds the command line arguments: `-d` (debug), `-l` (list tests)
+  and `-t test` (run this test) to the unit tests.
+
+  e.g.  ```     % ./rdata_test -t zonemd     [==========] selected:
+  Running 1 test(s).     [ RUN      ] zonemd     [       OK ] zonemd
+  [==========] selected: 1 test(s) run.     [  PASSED  ] 1 test(s).
+  %  ``` :gl:`#4579` :gl:`!9386`
+
+- Process also the ISC_R_CANCELED result code in rpz_rewrite()
+  ``26df9f6255b``
+
+  Log canceled resolver queries (e.g. when shutting down a hung fetch)
+  in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized"
+  result codes. :gl:`#4797` :gl:`!9348`
+
+- Remove code to read and parse /proc/net/if_inet6 on Linux.
+  ``887a61a4082``
+
+  The getifaddr() works fine for years, so we don't have to keep the
+  callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9342`
+
+- Follow the number of CPU set by taskset/cpuset. ``17efe703cc2``
+
+  Administrators may wish to constrain the set of cores that BIND 9 runs
+  on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
+  other O/S).
+
+  If the admin has used taskset, the `named` will now follow to
+  automatically use the given number of CPUs rather than the system wide
+  count. :gl:`#4884` :gl:`!9443`
+
+Bug Fixes
+~~~~~~~~~
+
+- Change the NS_PER_SEC (and friends) from enum to #define.
+  ``0da22fc138e``
+
+  New version of clang (19) has introduced a stricter checks when mixing
+  integer (and float types) with enums.  In this case, we used enum {}
+  as C17 doesn't have constexpr yet.  Change the time conversion
+  constants to be #defined constants because of RHEL 8 compiler doesn't
+  consider static const unsigned int to be constant. :gl:`#4845`
+  :gl:`!9340`
+
+- Check the result of dirfd() before calling unlinkat() ``b9f0df60972``
+
+  Instead of directly using the result of dirfd() in the unlinkat()
+  call, check whether the returned file descriptor is actually valid.
+  That doesn't really change the logic as the unlinkat() would fail with
+  invalid descriptor anyway, but this is cleaner and will report the
+  right error returned directly by dirfd() instead of EBADF from
+  unlinkat(). :gl:`#4853` :gl:`!9344`
+
+- Checking whether a EDDSA key was private or not was broken.
+  ``e04839c08e8``
+
+  Checking whether a EDDSA key was private or not was broken could lead
+  to attempting to sign records with a public key and this could cause a
+  segmentation failure (read of a NULL pointer) within OpenSSL.
+  :gl:`#4855` :gl:`!9329`
+
+- Fix algoritm rollover bug when there are two keys with the same
+  keytag. ``43c8ed45e53``
+
+  If there is an algorithm rollover and two keys of different algorithm
+  share the same keytags, then there is a possibility that if we check
+  that a key matches a specific state, we are checking against the wrong
+  key. This has been fixed by not only checking for matching key tag but
+  also key algorithm. :gl:`#4878` :gl:`!9394`
+
+- Stop using malloc_usable_size and malloc_size. ``cccd26e942c``
+
+  The `malloc_usable_size()` can return size larger than originally
+  allocated and when these sizes disagree the fortifier enabled by
+  `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution
+  abruptly.  Stop using these convenience functions as they are primary
+  used for introspection-only. :gl:`#4880` :gl:`!9419`
+
+- Preserve statement tag order in documentation. ``b4d1988c280``
+
+  This supports bit-for-bit reproducibility of built documentation.
+  :gl:`#4886` :gl:`!9409`
+
+- Fix clang-scan 19 warnings. ``01ee251d130``
+
+  Silence warnings generated by clang-scan. :gl:`!9388`
+
+
 BIND 9.18.29
 ------------

--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@ -37,7 +37,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, and source code.

 .. include:: ../notes/notes-known-issues.rst
-
+.. include:: ../notes/notes-9.18.30.rst
 .. include:: ../notes/notes-9.18.29.rst
 .. include:: ../notes/notes-9.18.28.rst
 .. include:: ../notes/notes-9.18.27.rst
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -6474,7 +6474,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
    This indicates the TTL to use when generating DNSKEY resource
    records. The default is 1 hour (3600 seconds).

-:any:`keys`
+.. _dnssec-policy-keys:
+
+keys
    This is a list specifying the algorithms and roles to use when
    generating keys and signing the zone.  Entries in this list do not
    represent specific DNSSEC keys, which may be changed on a regular
--- a/doc/notes/notes-9.18.30.rst
+++ b/doc/notes/notes-9.18.30.rst
@ -0,0 +1,61 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.30
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Print the full path of the working directory in startup log messages.
+
+  :iscman:`named` now prints its initial working directory during
+  startup, and the changed working directory when loading or reloading
+  its configuration file, if it has a valid :any:`directory` option
+  defined. :gl:`#4731`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Follow the number of CPUs set by ``taskset``/``cpuset``.
+
+  Administrators may wish to constrain the set of cores that
+  :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl``
+  programs (or equivalents on other OSes).
+
+  If the admin has used ``taskset``, :iscman:`named` now automatically
+  uses the given number of CPUs rather than the system-wide count.
+  :gl:`#4884`
+
+Bug Fixes
+~~~~~~~~~
+
+- Verification of the privacy of an EDDSA key was broken.
+
+  The check could lead to an attempt to sign records with a public key,
+  which could cause a segmentation failure (read of a NULL pointer)
+  within OpenSSL. This has been fixed. :gl:`#4855`
+
+- Fix algorithm rollover bug when there are two keys with the same
+  keytag.
+
+  If there was an algorithm rollover and two keys of different
+  algorithms shared the same keytags, there was the possibility that the
+  check of whether the key matched a specific state could be performed
+  against the wrong key. This has been fixed by not only checking for
+  the matching key tag but also the key algorithm. :gl:`#4878`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.