From 2e625f550a025a2e9564a4371f617c681fe6bba1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 8 Jan 2026 16:32:14 +0100 Subject: [PATCH] Tweak and reword release notes --- doc/notes/notes-9.20.18.rst | 64 +++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/doc/notes/notes-9.20.18.rst b/doc/notes/notes-9.20.18.rst index ec0602b2fd..5c28d91b70 100644 --- a/doc/notes/notes-9.20.18.rst +++ b/doc/notes/notes-9.20.18.rst @@ -15,11 +15,11 @@ Notes for BIND 9.20.18 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT - records. +- Fix incorrect length checks for BRID and HHIT records. + :cve:`2025-13878` - Malformed BRID and HHIT records could trigger an assertion failure. - This has been fixed. + Malformed BRID and HHIT records could trigger an assertion + failure. This has been fixed. ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing this vulnerability to our attention. :gl:`#5616` 
@@ -27,59 +27,61 @@ Security Fixes Feature Changes ~~~~~~~~~~~~~~~ -- Add more information to the rndc recursing output about fetches. +- Add more information to the :option:`rndc recursing` output about + fetches. - This adds more information about the active fetches for debugging and - diagnostic purposes. + This adds more information about active fetches, for debugging and + diagnostic purposes. :gl:`!11305` Bug Fixes ~~~~~~~~~ -- Make key rollovers more robust. +- Make DNSSEC key rollovers more robust. - A manual rollover when the zone is in an invalid DNSSEC state causes + A manual rollover when the zone was in an invalid DNSSEC state caused predecessor keys to be removed too quickly. Additional safeguards to - prevent this have been added. DNSSEC records will not be removed from - the zone until the underlying state machine has moved back into a - valid DNSSEC state. :gl:`#5458` + prevent this have been added: DNSSEC records are not removed from the + zone until the underlying state machine has moved back into a valid + DNSSEC state. :gl:`#5458` -- Fix a catalog zones issue when a member zone could fail to load. +- Fix a catalog zone issue, where member zones could fail to load. - A catalog zone's member zone could fail to load in some rare cases, - when the internally generated zone configuration string was exceeding - 512 bytes. That condition only was not enough for the issue to arise, - but it was a necessary condition. This could happen, for example, if - the catalog zone's default primary servers list contained a large - number of items. This has been fixed. :gl:`#5658` + A catalog zone member zone could fail to load in some rare cases, when + the internally generated zone configuration string exceeded 512 bytes. + That condition by itself was not enough for the issue to arise, but it + was necessary. This could happen if, for example, the catalog zone's + default primary servers list contained a large number of items. This + has been fixed. 
:gl:`#5658` - Allow glue in delegations with QTYPE=ANY. When a query for type ANY triggered a delegation response, all additional data was omitted from the response, including mandatory - glue. This has been corrected. :gl:`#5659` + glue. This has been fixed. :gl:`#5659` -- Fix slow speed of NSEC3 optout large delegation zone signing. +- Fix slow speed when signing a large delegation zone with NSEC3 + opt-out. - BIND 9.20 takes much more time signing a large delegation zone with - NSEC3 optout compared to version 9.18. This has been restored. - :gl:`#5672` + BIND 9.20+ took much longer signing a large delegation zone with NSEC3 + opt-out compared to version 9.18. This has been fixed. :gl:`#5672` -- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid. +- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be + invalid. - A zone that is signed with NSEC3, opt-out enabled, and then - reconfigured to use NSEC, causes the zone to be published with missing - NSEC records. This has been fixed. :gl:`#5679` + A zone that was signed with NSEC3, had opt-out enabled, and was then + reconfigured to use NSEC, was published with missing NSEC records. + This has been fixed. :gl:`#5679` - Fix a possible catalog zone issue during reconfiguration. The :iscman:`named` process could terminate unexpectedly during reconfiguration when a catalog zone update was taking place at the - same time. This has been fixed. + same time. This has been fixed. :gl:`!11366` - Fix the charts in the statistics channel. The charts in the statistics channel could sometimes fail to render in - the browser, and were completely disabled for Mozilla-based browsers - for historical reasons. This has been fixed. + the browser and were completely disabled for Mozilla-based browsers, + for historical reasons. This has been fixed. :gl:`!11018`
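Review bot: In the Security Fixes hunk (@@ -15,11 +15,11 @@), the reworded entry still says only that malformed BRID and HHIT records "could trigger an assertion failure". That leaves an operator without the consequence for the running named process or any indication of which deployments are exposed. Since this commit rewords the notes anyway, consider adding one sentence that covers both. The CVE id also moves from the bracketed "[CVE-2025-13878]" prefix to a :cve:`2025-13878` role, and the diffstat shows only doc/notes/notes-9.20.18.rst changing. Please confirm the role is defined for the docs build and renders the full "CVE-2025-13878" string, so a text search of the rendered notes still finds it.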
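Review bot: In the Bug Fixes hunk (@@ -27,59 +27,61 @@), "BIND 9.20+ took much longer signing a large delegation zone" reads as covering every 9.20 release and later, including 9.20.18, which is the release these notes say carries the fix. Wording such as "Earlier BIND 9.20 releases took much longer ..." would keep the comparison with 9.18 without implying the slowdown is still present. In the same hunk, the new title "Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid." describes the symptom, while the neighbouring titles are imperative ("Fix ...", "Make ...", "Allow ..."). Something like "Fix invalid zone after reconfiguring from NSEC3 opt-out to NSEC." would match them.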