From bf549e32bb7f0cff9641a6197b7a5de2580a3228 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 2 Sep 2024 14:44:05 +0000 Subject: [PATCH 01/10] Process canceled/shut down results in validate_dnskey_dsset_done() When a validator is already shut down, val->name becomes NULL. We need to process and keep the ISC_R_CANCELED or ISC_R_SHUTTINGDOWN result code before calling validate_async_done(), otherwise, when it is called with the hardcoded DNS_R_NOVALIDSIG result code, it can cause an assetion failure when val->name (being NULL) is used in proveunsecure(). (cherry picked from commit d85918aebf8e0ce0d19cc44df3bdf04cfae3b475) --- lib/dns/validator.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 814551d759..46947c1700 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1951,15 +1951,26 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) { static void validate_dnskey_dsset_done(dns_validator_t *val, isc_result_t result) { - if (result == ISC_R_SUCCESS) { + switch (result) { + case ISC_R_CANCELED: + case ISC_R_SHUTTINGDOWN: + /* Abort, abort, abort! */ + break; + case ISC_R_SUCCESS: marksecure(val); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)"); - } else if (result == ISC_R_NOMORE && !val->supported_algorithm) { - validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm/digest (DS)"); - result = markanswer(val, "validate_dnskey (3)", - "no supported algorithm/digest (DS)"); - } else { + break; + case ISC_R_NOMORE: + if (!val->supported_algorithm) { + validator_log(val, ISC_LOG_DEBUG(3), + "no supported algorithm/digest (DS)"); + result = markanswer( + val, "validate_dnskey (3)", + "no supported algorithm/digest (DS)"); + break; + } + FALLTHROUGH; + default: validator_log(val, ISC_LOG_INFO, "no valid signature found (DS)"); result = DNS_R_NOVALIDSIG; From 4d8491396d97df4616ef0be15b0e35213d2337b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Fri, 6 Sep 2024 14:15:21 +0200 Subject: [PATCH 02/10] Double the number of threadpool threads Introduce this temporary workaround to reduce the impact of long-running tasks in offload threads which can block the resolution of queries. (cherry picked from commit 6857df20a40f4e05f465a7a3f5d24eeedce8fc6c) --- lib/isc/loop.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/isc/loop.c b/lib/isc/loop.c index 5cad59e2e6..68202aaa6e 100644 --- a/lib/isc/loop.c +++ b/lib/isc/loop.c @@ -308,7 +308,10 @@ threadpool_initialize(uint32_t workers) { int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf, &(size_t){ sizeof(buf) }); if (r == UV_ENOENT) { - snprintf(buf, sizeof(buf), "%" PRIu32, workers); + /* FIXME The number of threadpool threads has been temporarily + * doubled to work around the issue [GL #4898] until a proper + * solution is implemented. */ + snprintf(buf, sizeof(buf), "%" PRIu32, 2 * workers); uv_os_setenv("UV_THREADPOOL_SIZE", buf); } } From 92588787fb643b417bb6f63b8730c92166ff42d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:07:29 +0200 Subject: [PATCH 03/10] Generate changelog --- doc/arm/changelog.rst | 216 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 216 insertions(+) diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 292fe42540..c18cd06535 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,222 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Support for Offline KSK implemented. ``3555094a686`` + + Add a new configuration option `offline-ksk` to enable Offline KSK key + management. Signed Key Response (SKR) files created with `dnssec-ksr` + (or other program) can now be imported into `named` with the new `rndc + skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY + records and generating signatures covering these types, these records + are loaded from the currently active bundle from the imported SKR. + + The implementation is loosely based on: + https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- + keymgmt-01.txt :gl:`#1128` :gl:`!9389` + +- Print the full path of the working directory in startup log messages. + ``1c8eeafffb0`` + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + :gl:`!9372` + +- Support restricted key tag range when generating new keys. + ``d0899632635`` + + It is useful when multiple signers are being used to sign a zone to + able to specify a restricted range of range of key tags that will be + used by an operator to sign the zone. This adds controls to named + (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr + (dnssec-policy) to specify such ranges. :gl:`#4830` :gl:`!9396` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Exempt prefetches from the fetches-per-zone and fetches-per-server + quotas. ``5e78cade523`` + + Fetches generated automatically as a result of 'prefetch' are now + exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. + This should help in maintaining the cache from which query responses + can be given. :gl:`#4219` :gl:`!9420` + +- Restore the ability to select individual unit tests. ``cfac05cc966`` + + This adds the command line arguments: `-d` (debug), `-l` (list tests) + and `-t test` (run this test) to the unit tests. + + e.g. ``` % ./rdata_test -t zonemd [==========] selected: + Running 1 test(s). [ RUN ] zonemd [ OK ] zonemd + [==========] selected: 1 test(s) run. [ PASSED ] 1 test(s). + % ``` :gl:`#4579` :gl:`!9385` + +- Process also the ISC_R_CANCELED result code in rpz_rewrite() + ``eb2e0991e1a`` + + Log canceled resolver queries (e.g. when shutting down a hung fetch) + in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized" + result codes. :gl:`#4797` :gl:`!9347` + +- Remove code to read and parse /proc/net/if_inet6 on Linux. + ``e3cc5034ab0`` + + The getifaddr() works fine for years, so we don't have to keep the + callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9341` + +- Use seteuid()/setegid() instead of setreseuid()/setresgid() + ``1127b2b3d16`` + + It looks like that all supported systems now have support for + _POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because + those will not change saved used/group IDs. :gl:`#4862` :gl:`!9371` + +- Follow the number of CPU set by taskset/cpuset. ``ce3209b1dcf`` + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). + + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` :gl:`!9442` + +- Double the number of threadpool threads. ``cfdded46676`` + + Introduce this temporary workaround to reduce the impact of long- + running tasks in offload threads which can block the resolution of + queries. :gl:`#4898` + +Bug Fixes +~~~~~~~~~ + +- Delay release of root privileges until after configuring controls. + ``0b7eb9d7a90`` + + Delay relinquishing root privileges until the control channel has been + configured, for the benefit of systems that require root to use + privileged port numbers. This mostly affects systems without fine- + grained privilege systems (i.e., other than Linux). :gl:`#4793` + :gl:`!9444` + +- Fix the assertion failure in the isc_hashmap iterator. ``92e54fa9b7f`` + + When the round robin hashing reorders the map entries on deletion, we + were adjusting the iterator table size only when the reordering was + happening at the internal table boundary. The iterator table size had + to be reduced by one to prevent seeing the entry that resized on + position [0] twice because it migrated to [iter->size - 1] position. + + However, the same thing could happen when the same entry migrates a + second time from [iter->size - 1] to [iter->size - 2] position (and so + on) because the check that we are manipulating the entry just in the + [0] position was insufficient. Instead of checking the position [pos + == 0], we now check that the [pos % iter->size == 0], thus ignoring + all the entries that might have moved back to the end of the internal + table. :gl:`#4838` :gl:`!9310` + +- Add -Wno-psabi to CFLAGS for x86 (32-bit) builds. ``9f2061e31eb`` + + GCC 11.1+ emits a note during compilation when there are 64-bit atomic + fields in a structure, because it fixed a compiler bug by changing the + alignment of such fields, which caused ABI change. + + Add -Wno-psabi to CFLAGS for such builds in order to silence the + warning. That shouldn't be a problem since we don't expose our + structures to the outside. :gl:`#4841` :gl:`!9322` + +- Check if logconfig is NULL before using it in isc_log_doit() + ``11cb3767256`` + + Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(), + because it's possible that isc_log_destroy() was already called, e.g. + when a 'call_rcu' function wants to log a message during shutdown. + :gl:`#4842` :gl:`!9323` + +- Change the NS_PER_SEC (and friends) from enum to static const. + ``91cecebf4c6`` + + New version of clang (19) has introduced a stricter checks when mixing + integer (and float types) with enums. In this case, we used enum {} + as C17 doesn't have constexpr yet. Change the time conversion + constants to be static const unsigned int instead of enum values. + :gl:`#4845` :gl:`!9339` + +- Check the result of dirfd() before calling unlinkat() ``335796f32a1`` + + Instead of directly using the result of dirfd() in the unlinkat() + call, check whether the returned file descriptor is actually valid. + That doesn't really change the logic as the unlinkat() would fail with + invalid descriptor anyway, but this is cleaner and will report the + right error returned directly by dirfd() instead of EBADF from + unlinkat(). :gl:`#4853` :gl:`!9343` + +- Fix rare assertion failure when shutting down incoming transfer. + ``02d4755cc31`` + + A very rare assertion failure can be triggered when the incoming + transfer is either forcefully shut down or it is finished during + printing the details about the statistics channel. This has been + fixed. :gl:`#4860` :gl:`!9377` + +- Fix the resesuid() shim implementation for NetBSD. ``d959c035e89`` + + The shim implementation of setresuid() was wrong - there was a copy + and paste error and it was calling setresgid() instead. This only + affects NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and + setresgid() implementation available from the system library. + :gl:`#4862` :gl:`!9361` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. ``2f2003c55d4`` + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` :gl:`!9393` + +- Stop using malloc_usable_size and malloc_size. ``1b7fa52d8ff`` + + The `malloc_usable_size()` can return size larger than originally + allocated and when these sizes disagree the fortifier enabled by + `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution + abruptly. Stop using these convenience functions as they are primary + used for introspection-only. :gl:`#4880` :gl:`!9418` + +- Preserve statement tag order in documentation. ``57a9e3da00c`` + + This supports bit-for-bit reproducibility of built documentation. + :gl:`#4886` :gl:`!9408` + +- Fix an assertion failure in validate_dnskey_dsset_done() + ``870f0be27eb`` + + Under rare circumstances, named could terminate unexpectedly when + validating a DNSKEY resource record if the validation was canceled in + the meantime. This has been fixed. :gl:`#4911` + +- Silence all warnings that stem from the default config. + ``dde38470476`` + + As we now setup the logging very early, parsing the default config + would always print warnings about experimental (and possibly + deprecated) options in the default config. This would even mess with + commands like `named -V` and it is also wrong to warn users about + using experimental options in the default config, because they can't + do anything about this. Add CFG_PCTX_NODEPRECATED and + CFG_PCTX_NOEXPERIMENTAL options that we can pass to cfg parser and + silence the early warnings caused by using experimental options in the + default config. :gl:`!9305` + + BIND 9.20.1 ----------- From a0829e49422abda9a22aa76b23d819dab34c91ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:07:44 +0200 Subject: [PATCH 04/10] Generate release notes --- doc/notes/notes-9.20.2.rst | 87 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 doc/notes/notes-9.20.2.rst diff --git a/doc/notes/notes-9.20.2.rst b/doc/notes/notes-9.20.2.rst new file mode 100644 index 0000000000..7c8df734e3 --- /dev/null +++ b/doc/notes/notes-9.20.2.rst @@ -0,0 +1,87 @@ +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Support for Offline KSK implemented. + + Add a new configuration option `offline-ksk` to enable Offline KSK key + management. Signed Key Response (SKR) files created with `dnssec-ksr` + (or other program) can now be imported into `named` with the new `rndc + skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY + records and generating signatures covering these types, these records + are loaded from the currently active bundle from the imported SKR. + + The implementation is loosely based on: + https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- + keymgmt-01.txt :gl:`#1128` + +- Print the full path of the working directory in startup log messages. + + named now prints its initial working directory during startup and the + changed working directory when loading or reloading its configuration + file if it has a valid 'directory' option defined. :gl:`#4731` + +- Support restricted key tag range when generating new keys. + + It is useful when multiple signers are being used to sign a zone to + able to specify a restricted range of range of key tags that will be + used by an operator to sign the zone. This adds controls to named + (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr + (dnssec-policy) to specify such ranges. :gl:`#4830` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Exempt prefetches from the fetches-per-zone and fetches-per-server + quotas. + + Fetches generated automatically as a result of 'prefetch' are now + exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. + This should help in maintaining the cache from which query responses + can be given. :gl:`#4219` + +- Follow the number of CPU set by taskset/cpuset. + + Administrators may wish to constrain the set of cores that BIND 9 runs + on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on + other O/S). + + If the admin has used taskset, the `named` will now follow to + automatically use the given number of CPUs rather than the system wide + count. :gl:`#4884` + +Bug Fixes +~~~~~~~~~ + +- Delay release of root privileges until after configuring controls. + + Delay relinquishing root privileges until the control channel has been + configured, for the benefit of systems that require root to use + privileged port numbers. This mostly affects systems without fine- + grained privilege systems (i.e., other than Linux). :gl:`#4793` + +- Fix rare assertion failure when shutting down incoming transfer. + + A very rare assertion failure can be triggered when the incoming + transfer is either forcefully shut down or it is finished during + printing the details about the statistics channel. This has been + fixed. :gl:`#4860` + +- Fix algoritm rollover bug when there are two keys with the same + keytag. + + If there is an algorithm rollover and two keys of different algorithm + share the same keytags, then there is a possibility that if we check + that a key matches a specific state, we are checking against the wrong + key. This has been fixed by not only checking for matching key tag but + also key algorithm. :gl:`#4878` + +- Fix an assertion failure in validate_dnskey_dsset_done() + + Under rare circumstances, named could terminate unexpectedly when + validating a DNSKEY resource record if the validation was canceled in + the meantime. This has been fixed. :gl:`#4911` + + From d6df5aa97f21e1bd4c394c42cb9484c541dd9586 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:16:51 +0200 Subject: [PATCH 05/10] Prepare release notes for BIND 9.20.2 --- doc/arm/changelog.rst | 4 ++-- doc/arm/notes.rst | 2 +- doc/notes/notes-9.20.2.rst | 20 ++++++++++++++++++-- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index c18cd06535..69b44bf0cc 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,8 +18,8 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. -(-dev) ------- +BIND 9.20.2 +----------- New Features ~~~~~~~~~~~~ diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 08690dcf0e..4ebe00686c 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -37,7 +37,7 @@ https://www.isc.org/download/. There you will find additional information about each release, and source code. .. include:: ../notes/notes-known-issues.rst - +.. include:: ../notes/notes-9.20.2.rst .. include:: ../notes/notes-9.20.1.rst .. include:: ../notes/notes-9.20.0.rst diff --git a/doc/notes/notes-9.20.2.rst b/doc/notes/notes-9.20.2.rst index 7c8df734e3..bc356073d1 100644 --- a/doc/notes/notes-9.20.2.rst +++ b/doc/notes/notes-9.20.2.rst @@ -1,5 +1,16 @@ -(-dev) ------- +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.2 +--------------------- New Features ~~~~~~~~~~~~ @@ -84,4 +95,9 @@ Bug Fixes validating a DNSKEY resource record if the validation was canceled in the meantime. This has been fixed. :gl:`#4911` +Known Issues +~~~~~~~~~~~~ +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. From f8921652ba91a700af9717378ced7d7f1aa7d5ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 13:13:43 +0200 Subject: [PATCH 06/10] Remove a fixed known issue [GL #4793] --- doc/notes/notes-known-issues.rst | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index 3084fbb243..3ee1928522 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst @@ -14,11 +14,4 @@ Known Issues ------------ -- On some platforms, including FreeBSD, :iscman:`named` must be run as - root to use the :iscman:`rndc` control channel on a privileged port - (i.e., with a port number less than 1024; this includes the default - :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the - :option:`named -u` option to switch to an unprivileged user makes - :iscman:`rndc` unusable. This will be fixed in a future release; in - the meantime, ``mac_portacl`` can be used as a workaround, as - documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793` +- There are no known issues affecting this BIND 9 branch. From 1e7e69afae1cbea80e007a8b90686c387b8177fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Fri, 6 Sep 2024 14:03:28 +0200 Subject: [PATCH 07/10] Add Known Issue [#GL 4898] --- doc/notes/notes-9.20.2.rst | 12 +++++++++--- doc/notes/notes-known-issues.rst | 10 +++++++++- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/doc/notes/notes-9.20.2.rst b/doc/notes/notes-9.20.2.rst index bc356073d1..6062bc95a2 100644 --- a/doc/notes/notes-9.20.2.rst +++ b/doc/notes/notes-9.20.2.rst @@ -98,6 +98,12 @@ Bug Fixes Known Issues ~~~~~~~~~~~~ -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. +- Long-running tasks in offloaded threads (e.g. the loading of RPZ zones + or processing zone transfers) may block the resolution of queries + during these operations and cause the queries to time out. + + To work around the issue, the ``UV_THREADPOOL_SIZE`` environment + variable can be set to a larger value before starting :iscman:`named`. + The recommended value is the number of RPZ zones (or number of + transfers) plus the number of threads BIND should use, which is + typically the number of CPUs. :gl:`#4898` diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst index 3ee1928522..bc6832eced 100644 --- a/doc/notes/notes-known-issues.rst +++ b/doc/notes/notes-known-issues.rst @@ -14,4 +14,12 @@ Known Issues ------------ -- There are no known issues affecting this BIND 9 branch. +- Long-running tasks in offloaded threads (e.g. loading RPZ zones or + processing zone transfers) may block the resolution of queries during + these operations and cause the queries to time out. + + To work around the issue, the ``UV_THREADPOOL_SIZE`` environment + variable can be set to a larger value before starting :iscman:`named`. + The recommended value is the number of RPZ zones (or number of + transfers) plus the number of threads BIND should use, which is + typically the number of CPUs. :gl:`#4898` From 000b63ad21d0c116a36bba05b3e979c2cd1142b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 15:03:15 +0200 Subject: [PATCH 08/10] Fix dnssec-policy options formatting and links in ARM The statements that already exist in the grammar can't be created with the namedconf:statement. Use a plain definition list for these statements and add a manual anchor for each one so links to them can be created. Avoid using the :any: syntax in the definition lists, as that just creates a link to the duplicate and completely unrelated statement, which just makes the documentation more confusing. --- doc/arm/reference.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 32564a8e93..51ece6838a 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6454,7 +6454,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This indicates the TTL to use when generating DNSKEY resource records. The default is 1 hour (3600 seconds). -:any:`inline-signing` +.. _dnssec-policy-inline-signing: + +inline-signing :tags: dnssec :short: Specifies whether BIND 9 maintains a separate signed version of a zone. @@ -6466,7 +6468,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This behavior is enabled by default. -.. keys +.. _dnssec-policy-keys: + +keys :tags: dnssec :short: Specifies the type of keys to be used for DNSSEC signing. @@ -6634,7 +6638,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: This is similar to :any:`signatures-validity`, but for DNSKEY records. The default is ``P2W`` (2 weeks). -:any:`max-zone-ttl` +.. _dnssec-policy-max-zone-ttl: + +max-zone-ttl :tags: zone, query :short: Specifies a maximum permissible time-to-live (TTL) value, in seconds. From a7d1c96b9d3eec43fbb951537f2b56fb99d26c11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 5 Sep 2024 17:25:00 +0200 Subject: [PATCH 09/10] Tweak and reword release notes --- doc/notes/notes-9.20.2.rst | 98 ++++++++++++++++++++------------------ 1 file changed, 52 insertions(+), 46 deletions(-) diff --git a/doc/notes/notes-9.20.2.rst b/doc/notes/notes-9.20.2.rst index 6062bc95a2..d0b4349457 100644 --- a/doc/notes/notes-9.20.2.rst +++ b/doc/notes/notes-9.20.2.rst @@ -17,83 +17,89 @@ New Features - Support for Offline KSK implemented. - Add a new configuration option `offline-ksk` to enable Offline KSK key - management. Signed Key Response (SKR) files created with `dnssec-ksr` - (or other program) can now be imported into `named` with the new `rndc - skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY - records and generating signatures covering these types, these records - are loaded from the currently active bundle from the imported SKR. + Add a new configuration option :any:`offline-ksk` to enable Offline + KSK key management. Signed Key Response (SKR) files created with + :iscman:`dnssec-ksr` (or other programs) can now be imported into + :iscman:`named` with the new :option:`rndc skr -import ` + command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and + generating signatures covering these types, these records are loaded + from the currently active bundle from the imported SKR. - The implementation is loosely based on: - https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- - keymgmt-01.txt :gl:`#1128` + The implementation is loosely based on + `draft-icann-dnssec-keymgmt-01.txt + `_. + :gl:`#1128` - Print the full path of the working directory in startup log messages. - named now prints its initial working directory during startup and the - changed working directory when loading or reloading its configuration - file if it has a valid 'directory' option defined. :gl:`#4731` + :iscman:`named` now prints its initial working directory during + startup, and the changed working directory when loading or reloading + its configuration file, if it has a valid :any:`directory` option + defined. :gl:`#4731` -- Support restricted key tag range when generating new keys. +- Support a restricted key tag range when generating new keys. + + When multiple signers are being used to sign a zone, it is useful to + be able to specify a restricted range of key tags to be used by an + operator to sign the zone. The range can be specified with + ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys + ` (for :iscman:`named` and :iscman:`dnssec-ksr`) + and with the new options :option:`dnssec-keyfromlabel -M` and + :option:`dnssec-keygen -M`. :gl:`#4830` - It is useful when multiple signers are being used to sign a zone to - able to specify a restricted range of range of key tags that will be - used by an operator to sign the zone. This adds controls to named - (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr - (dnssec-policy) to specify such ranges. :gl:`#4830` Feature Changes ~~~~~~~~~~~~~~~ -- Exempt prefetches from the fetches-per-zone and fetches-per-server - quotas. +- Exempt prefetches from the :any:`fetches-per-zone` and + :any:`fetches-per-server` quotas. - Fetches generated automatically as a result of 'prefetch' are now - exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas. - This should help in maintaining the cache from which query responses - can be given. :gl:`#4219` + Fetches generated automatically as a result of :any:`prefetch` are now + exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server` + quotas. This should help in maintaining the cache from which query + responses can be given. :gl:`#4219` -- Follow the number of CPU set by taskset/cpuset. +- Follow the number of CPUs set by ``taskset``/``cpuset``. - Administrators may wish to constrain the set of cores that BIND 9 runs - on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on - other O/S). + Administrators may wish to constrain the set of cores that + :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl`` + programs (or equivalents on other OSes). - If the admin has used taskset, the `named` will now follow to - automatically use the given number of CPUs rather than the system wide - count. :gl:`#4884` + If the admin has used ``taskset``, :iscman:`named` now automatically + uses the given number of CPUs rather than the system-wide count. + :gl:`#4884` Bug Fixes ~~~~~~~~~ -- Delay release of root privileges until after configuring controls. +- Delay the release of root privileges until after configuring controls. Delay relinquishing root privileges until the control channel has been configured, for the benefit of systems that require root to use privileged port numbers. This mostly affects systems without fine- grained privilege systems (i.e., other than Linux). :gl:`#4793` -- Fix rare assertion failure when shutting down incoming transfer. +- Fix a rare assertion failure when shutting down incoming transfer. - A very rare assertion failure can be triggered when the incoming - transfer is either forcefully shut down or it is finished during - printing the details about the statistics channel. This has been + A very rare assertion failure could be triggered when the incoming + transfer was either forcefully shut down, or it finished during the + printing of the details about the statistics channel. This has been fixed. :gl:`#4860` -- Fix algoritm rollover bug when there are two keys with the same +- Fix algorithm rollover bug when there are two keys with the same keytag. - If there is an algorithm rollover and two keys of different algorithm - share the same keytags, then there is a possibility that if we check - that a key matches a specific state, we are checking against the wrong - key. This has been fixed by not only checking for matching key tag but - also key algorithm. :gl:`#4878` + If there was an algorithm rollover and two keys of different + algorithms shared the same keytags, there was the possibility that the + check of whether the key matched a specific state could be performed + against the wrong key. This has been fixed by not only checking for + the matching key tag but also the key algorithm. :gl:`#4878` -- Fix an assertion failure in validate_dnskey_dsset_done() +- Fix an assertion failure in ``validate_dnskey_dsset_done()``. - Under rare circumstances, named could terminate unexpectedly when - validating a DNSKEY resource record if the validation was canceled in - the meantime. This has been fixed. :gl:`#4911` + Under rare circumstances, :iscman:`named` could terminate unexpectedly + when validating a DNSKEY resource record if the validation had been + canceled in the meantime. This has been fixed. :gl:`#4911` Known Issues ~~~~~~~~~~~~ From 66643d6a2a7c986d689e303a1b734f22254b936e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Mon, 9 Sep 2024 15:06:19 +0200 Subject: [PATCH 10/10] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 6a85460ea4..dd09b0115d 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 20)dnl m4_define([bind_VERSION_PATCH], 2)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Stable Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl