From 5bc50e7c5f665e01651989b02db3ddab14128d39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:35:03 +0200 Subject: [PATCH 1/6] Generate changelog --- doc/arm/changelog.rst | 107 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 2a55861310..6c47979222 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst 
@@ -18,6 +18,113 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Print the full path of the working directory in startup log messages. + ``99ce0d6b838`` + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + :gl:`!9373` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Restore the ability to select individual unit tests. ``a59fe212a34`` + + This adds the command line arguments: `-d` (debug), `-l` (list tests) + and `-t test` (run this test) to the unit tests. + + e.g. ``` % ./rdata_test -t zonemd [==========] selected: + Running 1 test(s). [ RUN ] zonemd [ OK ] zonemd + [==========] selected: 1 test(s) run. [ PASSED ] 1 test(s). + % ``` :gl:`#4579` :gl:`!9386` + +- Process also the ISC_R_CANCELED result code in rpz_rewrite() + ``26df9f6255b`` + + Log canceled resolver queries (e.g. when shutting down a hung fetch) + in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized" + result codes. :gl:`#4797` :gl:`!9348` + +- Remove code to read and parse /proc/net/if_inet6 on Linux. + ``887a61a4082`` + + The getifaddr() works fine for years, so we don't have to keep the + callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9342` + +- Follow the number of CPU set by taskset/cpuset. ``17efe703cc2`` + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). + + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` :gl:`!9443` + +Bug Fixes +~~~~~~~~~ + +- Change the NS_PER_SEC (and friends) from enum to #define. 
+ ``0da22fc138e`` + + New version of clang (19) has introduced a stricter checks when mixing + integer (and float types) with enums. In this case, we used enum {} + as C17 doesn't have constexpr yet. Change the time conversion + constants to be #defined constants because of RHEL 8 compiler doesn't + consider static const unsigned int to be constant. :gl:`#4845` + :gl:`!9340` + +- Check the result of dirfd() before calling unlinkat() ``b9f0df60972`` + + Instead of directly using the result of dirfd() in the unlinkat() + call, check whether the returned file descriptor is actually valid. + That doesn't really change the logic as the unlinkat() would fail with + invalid descriptor anyway, but this is cleaner and will report the + right error returned directly by dirfd() instead of EBADF from + unlinkat(). :gl:`#4853` :gl:`!9344` + +- Checking whether a EDDSA key was private or not was broken. + ``e04839c08e8`` + + Checking whether a EDDSA key was private or not was broken could lead + to attempting to sign records with a public key and this could cause a + segmentation failure (read of a NULL pointer) within OpenSSL. + :gl:`#4855` :gl:`!9329` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. ``43c8ed45e53`` + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` :gl:`!9394` + +- Stop using malloc_usable_size and malloc_size. ``cccd26e942c`` + + The `malloc_usable_size()` can return size larger than originally + allocated and when these sizes disagree the fortifier enabled by + `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution + abruptly. Stop using these convenience functions as they are primary + used for introspection-only. 
:gl:`#4880` :gl:`!9419` + +- Preserve statement tag order in documentation. ``b4d1988c280`` + + This supports bit-for-bit reproducibility of built documentation. + :gl:`#4886` :gl:`!9409` + +- Fix clang-scan 19 warnings. ``01ee251d130`` + + Silence warnings generated by clang-scan. :gl:`!9388` + + BIND 9.18.29 ------------ From 470ba8a39de3bb6ff245dd0a544fa77fde539d2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:35:14 +0200 Subject: [PATCH 2/6] Generate release notes --- doc/notes/notes-9.18.30.rst | 45 +++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 doc/notes/notes-9.18.30.rst diff --git a/doc/notes/notes-9.18.30.rst b/doc/notes/notes-9.18.30.rst new file mode 100644 index 0000000000..65b1d7e345 --- /dev/null +++ b/doc/notes/notes-9.18.30.rst 
@@ -0,0 +1,45 @@ +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Print the full path of the working directory in startup log messages. + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Follow the number of CPU set by taskset/cpuset. + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). + + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` + +Bug Fixes +~~~~~~~~~ + +- Checking whether a EDDSA key was private or not was broken. + + Checking whether a EDDSA key was private or not was broken could lead + to attempting to sign records with a public key and this could cause a + segmentation failure (read of a NULL pointer) within OpenSSL. + :gl:`#4855` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` + + From c3adfa5a89f350878671b6cbe4769640a0de1011 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:36:44 +0200 Subject: [PATCH 3/6] Prepare release notes for BIND 9.18.30 --- doc/arm/changelog.rst | 4 ++-- doc/arm/notes.rst | 2 +- doc/notes/notes-9.18.30.rst | 20 ++++++++++++++++++-- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 6c47979222..4fb8d52f30 100644 --- a/doc/arm/changelog.rst 
+++ b/doc/arm/changelog.rst @@ -18,8 +18,8 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. -(-dev) ------- +BIND 9.18.30 +------------ New Features ~~~~~~~~~~~~ diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 71454d0724..34fe234543 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -37,7 +37,7 @@ https://www.isc.org/download/. There you will find additional information about each release, and source code. .. include:: ../notes/notes-known-issues.rst - +.. include:: ../notes/notes-9.18.30.rst .. include:: ../notes/notes-9.18.29.rst .. include:: ../notes/notes-9.18.28.rst .. include:: ../notes/notes-9.18.27.rst diff --git a/doc/notes/notes-9.18.30.rst b/doc/notes/notes-9.18.30.rst index 65b1d7e345..ac2354bc32 100644 --- a/doc/notes/notes-9.18.30.rst +++ b/doc/notes/notes-9.18.30.rst @@ -1,5 +1,16 @@ -(-dev) ------- +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.30 +---------------------- New Features ~~~~~~~~~~~~ @@ -42,4 +53,9 @@ Bug Fixes key. This has been fixed by not only checking for matching key tag but also key algorithm. :gl:`#4878` +Known Issues +~~~~~~~~~~~~ +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. From 010999d9c29c6fee210b0863af4412da9cbf8856 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:42:21 +0200 Subject: [PATCH 4/6] Fix dnssec-policy options formatting and links in ARM The statements that already exist in the grammar can't be created with the namedconf:statement. Use a plain definition list for these statements and add a manual anchor for each one so links to them can be created. Avoid using the :any: syntax in the definition lists, as that just creates a link to the duplicate and completely unrelated statement, which just makes the documentation more confusing. --- doc/arm/reference.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 3fc76fa735..96695af87e 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6474,7 +6474,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This indicates the TTL to use when generating DNSKEY resource records. The default is 1 hour (3600 seconds). -:any:`keys` +.. _dnssec-policy-keys: + +keys This is a list specifying the algorithms and roles to use when generating keys and signing the zone. Entries in this list do not represent specific DNSSEC keys, which may be changed on a regular From bec3ac5725948b4657878891e298c60daac8a3b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:47:43 +0200 Subject: [PATCH 5/6] Tweak and reword release notes --- doc/notes/notes-9.18.30.rst | 42 ++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/doc/notes/notes-9.18.30.rst b/doc/notes/notes-9.18.30.rst index ac2354bc32..c5a0df5836 100644 --- a/doc/notes/notes-9.18.30.rst +++ b/doc/notes/notes-9.18.30.rst 
@@ -17,41 +17,41 @@ New Features - Print the full path of the working directory in startup log messages. - named now prints its initial working directory during startup and the - changed working directory when loading or reloading its configuration - file if it has a valid 'directory' option defined. :gl:`#4731` + :iscman:`named` now prints its initial working directory during + startup, and the changed working directory when loading or reloading + its configuration file, if it has a valid :any:`directory` option + defined. :gl:`#4731` Feature Changes ~~~~~~~~~~~~~~~ -- Follow the number of CPU set by taskset/cpuset. +- Follow the number of CPUs set by ``taskset``/``cpuset``. - Administrators may wish to constrain the set of cores that BIND 9 runs - on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on - other O/S). + Administrators may wish to constrain the set of cores that + :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl`` + programs (or equivalents on other OSes). - If the admin has used taskset, the `named` will now follow to - automatically use the given number of CPUs rather than the system wide - count. :gl:`#4884` + If the admin has used ``taskset``, :iscman:`named` now automatically + uses the given number of CPUs rather than the system-wide count. + :gl:`#4884` Bug Fixes ~~~~~~~~~ -- Checking whether a EDDSA key was private or not was broken. +- Verification of the privacy of an EDDSA key was broken. - Checking whether a EDDSA key was private or not was broken could lead - to attempting to sign records with a public key and this could cause a - segmentation failure (read of a NULL pointer) within OpenSSL. - :gl:`#4855` + The check could lead to an attempt to sign records with a public key, + which could cause a segmentation failure (read of a NULL pointer) + within OpenSSL. This has been fixed. 
:gl:`#4855` -- Fix algoritm rollover bug when there are two keys with the same +- Fix algorithm rollover bug when there are two keys with the same keytag. - If there is an algorithm rollover and two keys of different algorithm - share the same keytags, then there is a possibility that if we check - that a key matches a specific state, we are checking against the wrong - key. This has been fixed by not only checking for matching key tag but - also key algorithm. :gl:`#4878` + If there was an algorithm rollover and two keys of different + algorithms shared the same keytags, there was the possibility that the + check of whether the key matched a specific state could be performed + against the wrong key. This has been fixed by not only checking for + the matching key tag but also the key algorithm. :gl:`#4878` Known Issues ~~~~~~~~~~~~ From cdc8d6914853f23cb8893df0436abbd34b13bd11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Mon, 9 Sep 2024 15:09:10 +0200 Subject: [PATCH 6/6] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index f62789f837..5b82ae6d74 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 18)dnl m4_define([bind_VERSION_PATCH], 30)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl
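Review bot: In PATCH 1/6, the "Restore the ability to select individual unit tests" entry added to doc/arm/changelog.rst wraps its sample run in triple backticks and marks the -d, -l and -t test options with single backticks, but the file is reStructuredText, where triple backticks are not a code fence and single backticks are interpreted text rather than an inline literal. The sample output will be rendered as one run-on paragraph. Suggest a "::" literal block for the ./rdata_test run and double backticks for the options, matching the double-backtick commit hashes used in the same hunk. The same hunk also still carries "algoritm" and the sentence "Checking whether a EDDSA key was private or not was broken could lead to ...", which PATCH 5/6 corrects only in doc/notes/notes-9.18.30.rst.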
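Review bot: In PATCH 3/6, the doc/arm/notes.rst hunk replaces the empty line after ".. include:: ../notes/notes-known-issues.rst" with the new ".. include:: ../notes/notes-9.18.30.rst" line, so the known-issues include is no longer separated from the per-release includes. If the blank line was meant as a separator, add the 9.18.30 include as a pure insertion after it instead of overwriting it.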
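Review bot: In PATCH 4/6, the doc/arm/reference.rst hunk converts only the "keys" entry, while the commit message describes "these statements" and "a manual anchor for each one". Either include the other affected dnssec-policy entries in this commit or reword the message to cover the single statement. The new ".. _dnssec-policy-keys:" label is also not referenced anywhere in the visible diff, so it is worth confirming that the links the message mentions are created elsewhere, since the old :any:`keys` cross-reference is dropped here.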
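Review bot: In PATCH 5/6, the reworded Bug Fixes headline "Verification of the privacy of an EDDSA key was broken" shifts the meaning: the entry is about testing whether a key object holds private key material, as the body shows ("an attempt to sign records with a public key"), whereas "privacy of a key" reads as confidentiality. Suggest keeping the original sense, for example "Checking whether an EDDSA key was a private key was broken." In the body, "The check could lead to" would then read more accurately as "The broken check could lead to".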