From 249785c1674b5b2de9df0b1065dc91c15ede0d84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 4 Feb 2026 14:08:38 +0100 Subject: [PATCH] Tweak and reword release notes --- doc/notes/notes-9.21.18.rst | 70 ++++++++++++++----------------------- 1 file changed, 26 insertions(+), 44 deletions(-) diff --git a/doc/notes/notes-9.21.18.rst b/doc/notes/notes-9.21.18.rst index 17f669171c..610cafb7cb 100644 --- a/doc/notes/notes-9.21.18.rst +++ b/doc/notes/notes-9.21.18.rst 
@@ -15,58 +15,40 @@ Notes for BIND 9.21.18 Feature Changes ~~~~~~~~~~~~~~~ -- Update requirements for system test suite. - - Python 3.10 or newer is now required for running the system test - suite. The required python packages and their version requirements are - now tracked in `bin/tests/system/requirements.txt`. - - Support for pytest 9.0.0 has been added its minimum supported version - has been raised to 7.0.0. The minimum supported dnspython version has - been raised to 2.3.0. :gl:`#5690` :gl:`#5614` - -- Lowercase the NSEC next owner name when signing. - - When building the NSEC rdata, lowercase the next owner name before - storing it in the Next Domain Name Field. - - Note that this is not required according to RFC 6840, but since there - is inconsistency in the documents over time, having uppercase next - owner names in the NSEC records may cause validation failures if - validators are not following RFC 6840. :gl:`#5702` - - Enable minimal ANY answers by default. - ANY queries are widely abused by attackers doing reflection attacks as - they return the largest answers. Enable minimal ANY answers by - default to reduce the attack surface of the DNS servers. :gl:`#5723` + ANY queries are widely abused by attackers in reflection attacks, as + they result in large answers. The :namedconf:ref:`minimal-any` feature + is now enabled by default to reduce the attack surface. :gl:`#5723` + +- Lowercase the NSEC Next Domain Name field. + + When building an NSEC record, the next owner name is now converted to lowercase + before storing it in the Next Domain Name field. + + This is not required according to :rfc:`6840#section-5.1`, but since + inconsistencies have been introduced to the specification over time, having + "next owner" names in only lowercase in the NSEC records improves compatibility with + software that does not follow the latest version of the DNSSEC + specification. :gl:`#5702` + +- Update requirements for system test suite. 
+ + Python 3.10 or newer is now required for running the system test suite. The + required Python packages and their version requirements are now tracked in the + file `bin/tests/system/requirements.txt`. :gl:`#5690` :gl:`#5614` + Bug Fixes ~~~~~~~~~ - Make catalog zone names and member zones' entry names - case-insensitive. + case-insensitive. :gl:`#5693` - Previously, the catalog zone names and their member zones' entry names - were unintentionally case-sensitive. This has been fixed. :gl:`#5693` +- Fix implementation of BRID and HHIT record types. :gl:`#5710` -- Fix brid and hhit implementation. - - Fix bugs in BRID and HHIT implementation and enable the unit tests. - :gl:`#5710` - -- DSYNC record incorrectly used two octets for the Scheme Field. - - When creating the `DSYNC` record from a structure, `uint16_tobuffer` - was used instead of `uint8_tobuffer` when adding the scheme, causing a - `DSYNC` record that was one octet too long. This has been fixed. - :gl:`#5711` - -- Fix a possible issue with reponse policy zones and catalog zones. - - If a response policy zone (RPZ) or a catalog zone contained an - `$INCLUDE` directive, then manually reloading that zone could fail to - process the changes in the response policy or in the catalog, - respectively. This has been fixed. :gl:`#5714` +- Fix implementation of DSYNC record type. :gl:`#5711` +- Fix response policy and catalog zones to work with `$INCLUDE` directive. + Reloading a RPZ or a catalog zone could have failed when `$INCLUDE` was in use. :gl:`#5714`
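Review bot: the rewritten DSYNC entry under Bug Fixes ("Fix implementation of DSYNC record type.") no longer says what was wrong. The removed text stated that the Scheme field was written with two octets, producing a DSYNC record one octet too long. That is the detail an operator needs to judge whether records generated by an earlier build are affected, so I would keep one sentence of symptom there. In the same section, "Reloading a RPZ" should read "an RPZ", and the abbreviation is no longer expanded anywhere now that "response policy zone (RPZ)" has been removed. The system test suite entry drops the pytest (7.0.0 minimum, 9.0.0 supported) and dnspython (2.3.0) version bounds that the old text carried. If that is deliberate because requirements.txt is now the source of truth, it is worth saying so in the commit message, which currently only reads "Tweak and reword release notes". Style: the added line "When building an NSEC record, the next owner name is now converted to lowercase" and the two after it run longer than the wrapping used in the rest of the file. Also, `$INCLUDE` and `bin/tests/system/requirements.txt` use single backticks, which reStructuredText treats as interpreted text rather than a literal unless the project sets a default role. Double backticks would be unambiguous.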