new: doc: Prepare documentation for BIND 9.21.18

Merge branch 'pspacek/prepare-documentation-for-bind-9.21.18' into 'v9.21.18-release'

See merge request isc-private/bind9!906

doc/arm/changelog.rst

@@ -18,6 +18,7 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+.. include:: ../changelog/changelog-9.21.18.rst
 .. include:: ../changelog/changelog-9.21.17.rst
 .. include:: ../changelog/changelog-9.21.16.rst
 .. include:: ../changelog/changelog-9.21.15.rst

doc/arm/notes.rst

@@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be
 found at
 https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
 
+.. include:: ../notes/notes-9.21.18.rst
 .. include:: ../notes/notes-9.21.17.rst
 .. include:: ../notes/notes-9.21.16.rst
 .. include:: ../notes/notes-9.21.15.rst

doc/changelog/changelog-9.21.18.rst

@@ -0,0 +1,183 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.21.18
+------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Update requirements for system test suite. ``b0c2670cb8``
+
+  Python 3.10 or newer is now required for running the system test
+  suite. The required python packages and their version requirements are
+  now tracked in `bin/tests/system/requirements.txt`.
+
+  Support for pytest 9.0.0 has been added its minimum supported version
+  has been raised to 7.0.0. The minimum supported dnspython version has
+  been raised to 2.3.0. :gl:`#5690`  :gl:`#5614` :gl:`!11415`
+
+- Split and refactor dns_view_findzonecut() ``263f54c9d1``
+
+  The function `dns_view_findzonecut()` was previously a complex bit of
+  code (multiple pages long with multiple gotos and mutating states)
+  into a simpler main entry point making explicit the various steps and
+  layers involved into the delegation lookup.
+
+  Separate helper functions are added for specific sub-tasks (lookup
+  from the zones, from the cache, deciding which result to use if there
+  are valid candidates from the zone or cache, etc.)
+
+  Finally, the range of result values returned by
+  `dns_view_findzonecut()` is simplified and clearly specified. This
+  simplifies a bit the callers code. :gl:`#5681` :gl:`!11377`
+
+- Lowercase the NSEC next owner name when signing. ``dd8651ff36``
+
+  When building the NSEC rdata, lowercase the next owner name before
+  storing it in the Next Domain Name Field.
+
+  Note that this is not required according to RFC 6840, but since there
+  is inconsistency in the documents over time, having uppercase next
+  owner names in the NSEC records may cause validation failures if
+  validators are not following RFC 6840. :gl:`#5702` :gl:`!11442`
+
+- Use enum rather than numbers for isc_base64_tobuffer and
+  isc_hex_tobuffer. ``7e39596d57``
+
+  Use isc_one_or_more and isc_zero_or_more rather than (-2) and (-1)
+  when calling isc_base64_tobuffer. Similarly for isc_hex_tobuffer. This
+  should help reduce the probability that the wrong number is used and
+  it makes the intent clearer. :gl:`#5713` :gl:`!11479`
+
+- Enable minimal ANY answers by default. ``40bffcc8a6``
+
+  ANY queries are widely abused by attackers doing reflection attacks as
+  they return the largest answers.  Enable minimal ANY answers by
+  default to reduce the attack surface of the DNS servers. :gl:`#5723`
+  :gl:`!11505`
+
+- Dns_rdataset_clone() and dns_rdataset_isassociated() const parameters.
+  ``8dfa96b91b``
+
+  `dns_rdataset_clone()` takes now a const source rdataset. Also,
+  `dns_rdataset_isassociated()` also takes a const rdataset.
+  :gl:`!11462`
+
+- Initial openssl version splitting. ``fe9fee63c6``
+
+  Dealing with OpenSSL has been rapidly turning into an unwieldy
+  situation as post-3.0 changes turn the library into a different beast.
+
+  Start treating pre and post-3.0 versions differently for easier
+  maintenance.
+
+  To help with this Sisyphean task, this MR had to shift things around.
+
+  `OPENSSL_NO_DEPRECATED` is now declared in BIND alongside an
+  appropriate `OPENSSL_API_COMPAT` value. The former value will set to
+  declare either OpenSSL 1.1.0 or 3.0 as the bare minimum version.
+
+  Instead of splitting `md.c` and `hmac.c` into separate
+  version-specific files, they now live inside `crypto/ossl1_1.c` and
+  `crypto/ossl3.c`. This way, these functions will be able to utilize
+  the same static `OSSL_PARAM` tables, removing redundant reconstruction
+  for HMAC.
+
+  For pre-3.0, `isc_hmac` has been reverted back to using the `HMAC_`
+  interface. Using `EVP_MD_CTX`-based functions for HMAC will end up
+  libcrypto calling the same `HMAC_` functions in the end, giving no
+  advantage while confusingly using the digest functions.
+
+  A new API, `isc_ossl_wrap` has been added. This family of functions
+  aim to provide a common interface for libcrypto version specific code
+  while not abstracting away OpenSSL's structures such as `EVP_PKEY`.
+
+  Currently the main user of this API is the `dst` family of functions
+  where some ECDSA and RSA opeations need to use the new `OSSL_PARAM`
+  functionality by requirement or to avoid speed penalties.
+
+  Furthermore OpenSSL based logging has been moved from `isc_tls` to
+  `isc_ossl_wrap` as its a more appropriate place for such
+  functionality. :gl:`!11094`
+
+- Remove `sigrdataset` from `dns_view_findzonecut()` ``b40f92eb26``
+
+  Since the `sigrdataset` "output" parameter of `dns_view_findzonecut()`
+  is never used (always called with NULL), it is now removed. As the
+  resolver is moving towards a parent-centric direction, there is no
+  point having a signature for the NS record (which is not authoritative
+  in the parent, so never signed) when `dns_view_findzonecut()` is
+  called.
+
+  Also, rename `dns_view_findzonecut()` as `dns_view_bestzonecut()` as
+  it is used only in the context where the closest name servers for a
+  name need to be queried and to avoid ambiguities with other code flows
+  using `dns_db_findzonecut()`. :gl:`!11444`
+
+- Remove rrset-order cyclic from the default config, with shim.
+  ``d0cec705ab``
+
+  Currently we add an rrset-order cyclic statement to the default
+  config. Since the rrset-order allows matching a subset of all names,
+  it must be implemented with a comparison against a wildcard, and since
+  the statement applies per rrset, this can result in million of
+  comparisons per second on a busy authoritative server.
+
+  This commit removes rrset-order from the default config, but adds back
+  a code shim in query_setorder to preserve the previous behaviour.
+  :gl:`!11417`
+
+Bug Fixes
+~~~~~~~~~
+
+- Fix a bug in qpzone.c:first_existing_header_indirect() ``0c1577b848``
+
+  There is a bug in qpzone.c:first_existing_header_indirect() where it
+  does not advance the pointer in the FOREACH type loop.
+
+  Remove the static function altogether, as it was used only once and
+  had some other problems too, and use simpler custom code instead in
+  the place where it was used. :gl:`#5691` :gl:`!11460`
+
+- Make catalog zone names and member zones' entry names
+  case-insensitive. ``96160298bd``
+
+  Previously, the catalog zone names and their member zones' entry names
+  were unintentionally case-sensitive. This has been fixed. :gl:`#5693`
+  :gl:`!11410`
+
+- Use const pointer with strchr of const pointer. ``fbab0d546e``
+
+  :gl:`#5694` :gl:`!11394`
+
+- Fix brid and hhit implementation. ``4195821686``
+
+  Fix bugs in BRID and HHIT implementation and enable the unit tests.
+  :gl:`#5710` :gl:`!11491`
+
+- DSYNC record incorrectly used two octets for the Scheme Field.
+  ``a20bbb629a``
+
+  When creating the `DSYNC` record from a structure, `uint16_tobuffer`
+  was used instead of `uint8_tobuffer` when adding the scheme, causing a
+  `DSYNC` record that was one octet too long. This has been fixed.
+  :gl:`#5711` :gl:`!11477`
+
+- Fix a possible issue with reponse policy zones and catalog zones.
+  ``fd568032ac``
+
+  If a response policy zone (RPZ) or a catalog zone contained an
+  `$INCLUDE` directive, then manually reloading that zone could fail to
+  process the changes in the response policy or in the catalog,
+  respectively. This has been fixed. :gl:`#5714` :gl:`!11489`
+
+

doc/notes/notes-9.21.18.rst

@@ -0,0 +1,54 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.21.18
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Enable minimal ANY answers by default.
+
+  ANY queries are widely abused by attackers in reflection attacks, as
+  they result in large answers. The :namedconf:ref:`minimal-any` feature
+  is now enabled by default to reduce the attack surface. :gl:`#5723`
+
+- Lowercase the NSEC Next Domain Name field.
+
+  When building an NSEC record, the next owner name is now converted to lowercase
+  before storing it in the Next Domain Name field.
+
+  This is not required according to :rfc:`6840#section-5.1`, but since
+  inconsistencies have been introduced to the specification over time, having
+  "next owner" names in only lowercase in the NSEC records improves compatibility with
+  software that does not follow the latest version of the DNSSEC
+  specification. :gl:`#5702`
+
+- Update requirements for system test suite.
+
+  Python 3.10 or newer is now required for running the system test suite. The
+  required Python packages and their version requirements are now tracked in the
+  file `bin/tests/system/requirements.txt`. :gl:`#5690` :gl:`#5614`
+
+
+Bug Fixes
+~~~~~~~~~
+
+- Make catalog zone names and member zones' entry names
+  case-insensitive. :gl:`#5693`
+
+- Fix implementation of BRID and HHIT record types. :gl:`#5710`
+
+- Fix implementation of DSYNC record type. :gl:`#5711`
+
+- Fix response policy and catalog zones to work with `$INCLUDE` directive.
+
+  Reloading a RPZ or a catalog zone could have failed when `$INCLUDE` was in use. :gl:`#5714`