Tweak and reword release notes

2026-06-10 05:50:00 -04:00 · 2026-01-08 14:21:55 +01:00 · 2026-01-08 14:21:55 +01:00 · 320ec03c0d
commit 320ec03c0d
parent 6aae2425b3
1 changed files with 51 additions and 59 deletions
--- a/doc/notes/notes-9.21.17.rst
+++ b/doc/notes/notes-9.21.17.rst
@ -15,11 +15,11 @@ Notes for BIND 9.21.17
 Security Fixes
 ~~~~~~~~~~~~~~

- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT
-  records.
+- Fix incorrect length checks for BRID and HHIT records.
+  :cve:`2025-13878`

-  Malformed BRID and HHIT records could trigger an assertion failure.
-  This has been fixed.
+  Malformed BRID and HHIT records could trigger an assertion
+  failure. This has been fixed.

  ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
  bringing this vulnerability to our attention. :gl:`#5616`
@ -27,100 +27,92 @@ Security Fixes
 New Features
 ~~~~~~~~~~~~

- Add support for Extended DNS Error 9 (Missing DNSKEY)
+- Add support for Extended DNS Error 9 (Missing DNSKEY).

-  Extended DNS Error 9 (Missing DNSKEY) is now sent when a validating
-  resolver attempts to validate a response but can't get the DNSKEY from
-  the authoritative server of the zone, while the DS record is present
-  in the parent zone. :gl:`#2715`
+  If the DS record is present in the parent zone and a validating
+  resolver attempts to validate a response, but is unable to get the
+  DNSKEY from the authoritative server of the zone, Extended DNS
+  Error 9 (Missing DNSKEY) is now sent. :gl:`#2715`

- Add Extended DNS Error 13 (Cached Error) support.
+- Add support for Extended DNS Error 13 (Cached Error).

  Extended DNS Error 13 (Cached Error) is now returned when the server
  answers a message from a cached SERVFAIL.

-  See RFC 8914 section 4.14. :gl:`#1836`
+  See :rfc:`8914` section 4.14. :gl:`#1836`

 - Add support for Generalized DNS Notifications.

-  A new configuration option, ``notify-cfg CDS``, is added to enable
-  Generalized DNS Notifications for CDS and/or CDNSKEY RRset changes, as
-  specified in RFC 9859. :gl:`#5611`
+  A new configuration option, :any:`notify-cfg CDS <notify-cfg>`, is
+  added to enable Generalized DNS Notifications for CDS and/or
+  CDNSKEY RRset changes, as specified in :rfc:`9859`. :gl:`#5611`

 Feature Changes
 ~~~~~~~~~~~~~~~

- Add more information to the rndc recursing output about fetches.
+- Add more information to the :option:`rndc recursing` output about
+  fetches.

-  This adds more information about the active fetches for debugging and
-  diagnostic purposes.
+  This adds more information about active fetches, for debugging and
+  diagnostic purposes. :gl:`!11305`

 - Enforce bounds of multiple configuration options.

-  The configuration options `edns-version`, `edns-udp-size`,
-  `max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
-  boundaries. The configuration (including when using `named-checkconf`)
-  now fails if those options are set out of range.
+  The configuration options :any:`edns-version`, :any:`edns-udp-size`,
+  :any:`max-udp-size`, :any:`nocookie-udp-size`, and :any:`padding` now
+  enforce boundaries. The configuration (including when using
+  :iscman:`named-checkconf`) now fails if those options are set out of
+  range. :gl:`!11248`

 Bug Fixes
 ~~~~~~~~~

- Resolve "Inbound IXFR performance regression between 9.18.31 and
-  9.20.9"
+- Fix inbound IXFR performance regression.

-  This MR adds add some specialized logic to handle IXFR in qpzone,
-  avoiding the need to have one qp transaction per rdataset.
+  Very large inbound IXFR transfers were much slower than those in BIND
+  9.18. The performance was improved by adding specialized logic to
+  handle IXFR transfers. :gl:`#5442`

-  We do this in multiple steps:  - We extend dns_rdatacallbacks_t vtable
-  to allow subtraction and resigning.  - We add a new set of api
-  (begin|commit|abort)update to the dbmethods vtable. These API model an
-  incremental update that can be aborted, and make diff apply use these
-  functions instead of adding the rdatasets directly to the database.  -
-  We add a specialization of dns_rdatacallbacks_t to qpzone that uses a
-  single qp transaction for the entire IXFR.
+- Make DNSSEC key rollovers more robust.

-  With this batch API, we see performance improvements over adding one
-  rdataset at a time. :gl:`#5442`
-
- Make key rollovers more robust.
-
-  A manual rollover when the zone is in an invalid DNSSEC state causes
+  A manual rollover when the zone was in an invalid DNSSEC state caused
  predecessor keys to be removed too quickly. Additional safeguards to
-  prevent this have been added. DNSSEC records will not be removed from
-  the zone until the underlying state machine has moved back into a
-  valid DNSSEC state. :gl:`#5458`
+  prevent this have been added: DNSSEC records are not removed from the
+  zone until the underlying state machine has moved back into a valid
+  DNSSEC state. :gl:`#5458`

- Fix a catalog zones issue when a member zone could fail to load.
+- Fix a catalog zone issue, where member zones could fail to load.

-  A catalog zone's member zone could fail to load in some rare cases,
-  when the internally generated zone configuration string was exceeding
-  512 bytes. That condition only was not enough for the issue to arise,
-  but it was a necessary condition. This could happen, for example, if
-  the catalog zone's default primary servers list contained a large
-  number of items. This has been fixed. :gl:`#5658`
+  A catalog zone member zone could fail to load in some rare cases, when
+  the internally generated zone configuration string exceeded 512 bytes.
+  That condition by itself was not enough for the issue to arise, but it
+  was necessary. This could happen if, for example, the catalog zone's
+  default primary servers list contained a large number of items. This
+  has been fixed. :gl:`#5658`

- Fix slow speed of NSEC3 optout large delegation zone signing.
+- Fix slow speed when signing a large delegation zone with NSEC3
+  opt-out.

-  BIND 9.20 takes much more time signing a large delegation zone with
-  NSEC3 optout compared to version 9.18. This has been restored.
-  :gl:`#5672`
+  BIND 9.20+ took much longer signing a large delegation zone with NSEC3
+  opt-out compared to version 9.18. This has been fixed. :gl:`#5672`

- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid.
+- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be
+  invalid.

-  A zone that is signed with NSEC3, opt-out enabled, and then
-  reconfigured to use NSEC, causes the zone to be published with missing
-  NSEC records. This has been fixed. :gl:`#5679`
+  A zone that was signed with NSEC3, had opt-out enabled, and was then
+  reconfigured to use NSEC, was published with missing NSEC records.
+  This has been fixed. :gl:`#5679`

 - Fix a possible catalog zone issue during reconfiguration.

  The :iscman:`named` process could terminate unexpectedly during
  reconfiguration when a catalog zone update was taking place at the
-  same time. This has been fixed.
+  same time. This has been fixed. :gl:`!11366`

 - Fix the charts in the statistics channel.

  The charts in the statistics channel could sometimes fail to render in
-  the browser, and were completely disabled for Mozilla-based browsers
-  for historical reasons. This has been fixed.
+  the browser and were completely disabled for Mozilla-based browsers,
+  for historical reasons. This has been fixed. :gl:`!11018`