From 53a90756a12e7b3a8e62487bc56dc51424cfb2a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:07:08 +0100 Subject: [PATCH 1/9] Remove CHANGES entry 6012 The code change that entry 6012 describes (introduced in commit be204bf4c7712d0f31aac0a7725e54e3a7786507) was reverted shortly after (in commit c429b52533e4e454905fb1507ddee8f87472e152). Remove that entry from CHANGES as it is misleading. --- CHANGES | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 9efded88ab..fbfb5a6ee6 100644 --- a/CHANGES +++ b/CHANGES @@ -2,8 +2,7 @@ a dnssec-policy zone with NSEC3 to start using inline-signing. [GL #3591] -6012. [func] Cleanup the dead nodes while pruning the tree. - [GL #3641] +6012. [placeholder] 6011. [func] Refactor the privilege setting part of named_os unit to make libcap on Linux mandatory and use setreuid From a8129353f40083678e8368e0238d6133f102dc29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:07:08 +0100 Subject: [PATCH 2/9] Prepare release notes for BIND 9.19.7 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.19.7.rst} | 12 ------------ 2 files changed, 1 insertion(+), 13 deletions(-) rename doc/notes/{notes-current.rst => notes-9.19.7.rst} (95%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 512ea416a1..4665c797c2 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,7 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.7.rst .. include:: ../notes/notes-9.19.6.rst .. include:: ../notes/notes-9.19.5.rst .. include:: ../notes/notes-9.19.4.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.19.7.rst similarity index 95% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.19.7.rst index 53d01b776c..ec30ef079e 100644 
--- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.19.7.rst @@ -12,11 +12,6 @@ Notes for BIND 9.19.7 --------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ @@ -25,16 +20,9 @@ New Features ``named-checkconf``, ``named-checkzone``, ``named-compilezone`` and ``nsupdate``. :gl:`#3576` -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ -- None. - - On Linux, libcap is now required dependency to help us keep needed privileges. :gl:`#3583` From ab0cb944890fca351e29c4afffe5b27bffc42220 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:07:08 +0100 Subject: [PATCH 3/9] Tweak and reword release notes --- doc/notes/notes-9.19.7.rst | 47 ++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/doc/notes/notes-9.19.7.rst b/doc/notes/notes-9.19.7.rst index ec30ef079e..cc6e262f6b 100644 --- a/doc/notes/notes-9.19.7.rst +++ b/doc/notes/notes-9.19.7.rst 
@@ -15,40 +15,43 @@ Notes for BIND 9.19.7 New Features ~~~~~~~~~~~~ -- ``check-svcb`` has been added to control the checking of additional - constraints on SVBC records. This change impacts on ``named``, - ``named-checkconf``, ``named-checkzone``, ``named-compilezone`` - and ``nsupdate``. :gl:`#3576` +- The :any:`check-svcb` option has been added to control the checking of + additional constraints on SVCB records. This change affects + :iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`, + :iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576` Feature Changes ~~~~~~~~~~~~~~~ -- On Linux, libcap is now required dependency to help us keep needed - privileges. :gl:`#3583` +- On Linux, libcap is now a required dependency to help :iscman:`named` + keep needed privileges. :gl:`#3583` Bug Fixes ~~~~~~~~~ -- BIND would fail to start on Solaris-based systems with hundreds of CPUs. This - has been fixed. ISC would like to thank Stacey Marshall from Oracle for - bringing this problem to our attention. :gl:`#3563` +- Previously, BIND failed to start on Solaris-based systems with + hundreds of CPUs. This has been fixed. :gl:`#3563` -- In certain resolution scenarios quotas could be erroneously reached for - servers, including the configured forwarders, resulting in SERVFAIL answers - sent to the clients. This has been fixed. :gl:`#3598` +- In certain resolution scenarios, quotas could be erroneously reached + for servers, including any configured forwarders, resulting in + SERVFAIL answers being sent to clients. This has been fixed. + :gl:`#3598` -- The port in remote servers such as in :any:`primaries` and - :any:`parental-agents` could be wrongly configured because of an inheritance - bug. :gl:`#3627` +- Previously, the port in remote servers such as in :any:`primaries` and + :any:`parental-agents` could be wrongly configured because of an + inheritance bug. This has been fixed. 
:gl:`#3627` -- When having Internet connectivity issues during the initial startup of - ``named``, BIND resolver with :any:`dnssec-validation` set to ``auto`` could - enter into a state where it would not recover without stopping ``named``, - manually deleting ``managed-keys.bind`` and ``managed-keys.bind.jnl`` files, - and starting ``named`` again. :gl:`#2895` +- Previously, if Internet connectivity issues were experienced during + the initial startup of :iscman:`named`, a BIND resolver with + :any:`dnssec-validation` set to ``auto`` could enter into a state + where it would not recover without stopping :iscman:`named`, manually + deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl`` + files, and starting :iscman:`named` again. This has been fixed. + :gl:`#2895` -- Fixed a crash that happens when you reconfigure a ``dnssec-policy`` - zone that uses NSEC3 to enable ``inline-signing``. :gl:`#3591` +- A crash was fixed that happened when a :any:`dnssec-policy` zone that + used NSEC3 was reconfigured to enable :any:`inline-signing`. + :gl:`#3591` Known Issues ~~~~~~~~~~~~ From fa3403d3e3db8d4e93d4ed2c5e5eb2c4008713a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:07:08 +0100 Subject: [PATCH 4/9] Reorder release notes --- doc/notes/notes-9.19.7.rst | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/notes/notes-9.19.7.rst b/doc/notes/notes-9.19.7.rst index cc6e262f6b..754f84ed22 100644 --- a/doc/notes/notes-9.19.7.rst +++ b/doc/notes/notes-9.19.7.rst 
@@ -29,18 +29,15 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- Previously, BIND failed to start on Solaris-based systems with - hundreds of CPUs. This has been fixed. :gl:`#3563` +- A crash was fixed that happened when a :any:`dnssec-policy` zone that + used NSEC3 was reconfigured to enable :any:`inline-signing`. + :gl:`#3591` - In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. :gl:`#3598` -- Previously, the port in remote servers such as in :any:`primaries` and - :any:`parental-agents` could be wrongly configured because of an - inheritance bug. This has been fixed. :gl:`#3627` - - Previously, if Internet connectivity issues were experienced during the initial startup of :iscman:`named`, a BIND resolver with :any:`dnssec-validation` set to ``auto`` could enter into a state @@ -49,9 +46,12 @@ Bug Fixes files, and starting :iscman:`named` again. This has been fixed. :gl:`#2895` -- A crash was fixed that happened when a :any:`dnssec-policy` zone that - used NSEC3 was reconfigured to enable :any:`inline-signing`. - :gl:`#3591` +- Previously, the port in remote servers such as in :any:`primaries` and + :any:`parental-agents` could be wrongly configured because of an + inheritance bug. This has been fixed. :gl:`#3627` + +- Previously, BIND failed to start on Solaris-based systems with + hundreds of CPUs. This has been fixed. :gl:`#3563` Known Issues ~~~~~~~~~~~~ From 5ba4cd5dade3b64cff05e7abbc44136ca80f309a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:07:08 +0100 Subject: [PATCH 5/9] Add release note for GL #3247 --- doc/notes/notes-9.19.7.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-9.19.7.rst b/doc/notes/notes-9.19.7.rst index 754f84ed22..5cf561d957 100644 --- a/doc/notes/notes-9.19.7.rst +++ b/doc/notes/notes-9.19.7.rst 
@@ -38,6 +38,10 @@ Bug Fixes SERVFAIL answers being sent to clients. This has been fixed. :gl:`#3598` +- ``rpz-ip`` rules in :any:`response-policy` zones could be ineffective + in some cases if a query had the CD (Checking Disabled) bit set to 1. + This has been fixed. :gl:`#3247` + - Previously, if Internet connectivity issues were experienced during the initial startup of :iscman:`named`, a BIND resolver with :any:`dnssec-validation` set to ``auto`` could enter into a state From 94482c1d3d710a26fd4816dffc74d4fa38925760 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:07:08 +0100 Subject: [PATCH 6/9] Add release note for GL #3603 --- doc/notes/notes-9.19.7.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-9.19.7.rst b/doc/notes/notes-9.19.7.rst index 5cf561d957..c8128955ff 100644 --- a/doc/notes/notes-9.19.7.rst +++ b/doc/notes/notes-9.19.7.rst @@ -57,6 +57,11 @@ Bug Fixes - Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs. This has been fixed. :gl:`#3563` +- When a DNS resource record's TTL value was equal to the resolver's + configured :any:`prefetch` "eligibility" value, the record was + erroneously not treated as eligible for prefetching. This has been + fixed. :gl:`#3603` + Known Issues ~~~~~~~~~~~~ From 260b77c78405995e93a3edec6b53f8b19833f2a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:07:08 +0100 Subject: [PATCH 7/9] Add release note for GL #3661 --- doc/notes/notes-9.19.7.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-9.19.7.rst b/doc/notes/notes-9.19.7.rst index c8128955ff..025bfef5d8 100644 --- a/doc/notes/notes-9.19.7.rst +++ b/doc/notes/notes-9.19.7.rst 
@@ -26,6 +26,11 @@ Feature Changes - On Linux, libcap is now a required dependency to help :iscman:`named` keep needed privileges. :gl:`#3583` +- The DNS name compression algorithm used in BIND 9 has been revised: it + now compresses more thoroughly than before, so responses containing + names with many labels might have a smaller encoding than before. + :gl:`#3661` + Bug Fixes ~~~~~~~~~ From e2570e0c4058b8f6175be50144723ac5460d11df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:17:02 +0100 Subject: [PATCH 8/9] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index fbfb5a6ee6..11ee7e2950 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.19.7 released --- + 6013. [bug] Fix a crash that could happen when you change a dnssec-policy zone with NSEC3 to start using inline-signing. [GL #3591] From 83b4004d71cebf4ae788596b65eb50c45c96f88e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 7 Nov 2022 22:17:02 +0100 Subject: [PATCH 9/9] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 8cbd3e65d0..83052328b8 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 19)dnl m4_define([bind_VERSION_PATCH], 7)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl
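Review bot: After the rename in [PATCH 2/9], doc/arm/notes.rst no longer includes a notes-current.rst and the file itself is gone from doc/notes/, so the next development cycle needs a commit that recreates both the file and its include line. If that is a separate post-release step, say so in the commit message, which currently consists of a subject line only.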
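Review bot: In [PATCH 3/9], the rewritten Solaris entry under Bug Fixes drops the sentence "ISC would like to thank Stacey Marshall from Oracle for bringing this problem to our attention", which is a removal of content rather than a rewording, and the subject "Tweak and reword release notes" does not mention it. Keep the acknowledgement, or state in the commit message why it is being removed. In the same hunk, "could enter into a state" in the managed-keys entry reads better as "could enter a state".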
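Review bot: In [PATCH 5/9], the added ``rpz-ip`` entry says the rules "could be ineffective in some cases" without saying which cases, so an operator who relies on :any:`response-policy` zones for filtering cannot tell from the note whether their deployment was affected. Name the condition beyond the CD bit that triggered the problem, or, if any query with CD set to 1 could skip the ``rpz-ip`` rules, drop "in some cases" and say that directly.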
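Review bot: In [PATCH 7/9], the added Feature Changes entry uses "than before" in both clauses ("compresses more thoroughly than before, so responses ... might have a smaller encoding than before"). Dropping the first occurrence keeps the meaning: "it now compresses more thoroughly, so responses containing names with many labels might have a smaller encoding than before".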
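Review bot: In [PATCH 9/9], the new line `m4_define([bind_VERSION_EXTRA], )dnl` leaves the second argument as bare whitespace, which m4 strips to an empty string. Writing the value as an explicit quoted empty string, `m4_define([bind_VERSION_EXTRA], [])dnl`, makes the intent visible and keeps the line from being read later as an accidentally truncated definition.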