From 4e3a5c83fee0dbabfb0e4b57c474a5be212bee9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 18 Jun 2021 11:09:45 +0200 Subject: [PATCH 1/6] Tweak and reword recent CHANGES entries --- CHANGES | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index fae091bf04..a022d7d2ce 100644 --- a/CHANGES +++ b/CHANGES @@ -11,12 +11,13 @@ that is in a different view, "in-view" logic was not taken into account. This has been fixed. [GL #2783] -5660. [bug] Checking of key-directory and dnssec-policy was broken. - The checks failed to account for key-directory - inheritance. [GL #2778] +5660. [bug] The configuration-checking code failed to account for + the inheritance rules of the "key-directory" option. + [GL #2778] -5659. [bug] 'W' in wildcard expansions was being mapped to '\000'. - [GL #2779] +5659. [bug] When preparing DNS responses, named could replace the + letters 'W' (uppercase) and 'w' (lowercase) with '\000'. + This has been fixed. [GL #2779] 5658. [bug] Increasing "max-cache-size" for a running named instance (using "rndc reconfig") was not causing the hash tables From 7bfedd8c73fe9272015f01ac4ac923da3eb2fb9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 18 Jun 2021 11:09:45 +0200 Subject: [PATCH 2/6] Tweak and reword release notes --- doc/notes/notes-current.rst | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ced974c1f0..12889bc0f1 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -53,12 +53,15 @@ Bug Fixes when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. :gl:`#2759` -- Queries where the wildcard match contained the letter ``W`` failed - to return the correct response as the ``W`` was mapped to ``\000``. - :gl:`#2779` +- When preparing DNS responses, ``named`` could replace the letters + ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been + fixed. :gl:`#2779` -- Checking of ``key-directory`` and ``dnssec-policy`` was broken. - The checks failed to account for key-directory inheritance. :gl:`#2778` +- The configuration-checking code failed to account for the inheritance + rules of the ``key-directory`` option. As a side effect of this flaw, + the code detecting ``key-directory`` conflicts for zones using KASP + incorrectly reported unique key directories as being reused. This has + been fixed. :gl:`#2778` - A deadlock at startup was introduced when fixing :gl:`#1875` because when locking key files for reading and writing, "in-view" logic was not taken into From 7b7dea04a39d2d9f62aa52755d72a65debdd11a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 18 Jun 2021 11:09:45 +0200 Subject: [PATCH 3/6] Prepare release notes for BIND 9.17.15 --- doc/arm/notes.rst | 2 +- doc/notes/notes-9.17.15.rst | 25 ++++++++++++++ doc/notes/notes-current.rst | 68 ------------------------------------- 3 files changed, 26 insertions(+), 69 deletions(-) create mode 100644 doc/notes/notes-9.17.15.rst delete mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 4cce67f9ad..f687115b24 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.15.rst .. include:: ../notes/notes-9.17.14.rst .. include:: ../notes/notes-9.17.13.rst .. include:: ../notes/notes-9.17.12.rst diff --git a/doc/notes/notes-9.17.15.rst b/doc/notes/notes-9.17.15.rst new file mode 100644 index 0000000000..2a295301b3 --- /dev/null +++ b/doc/notes/notes-9.17.15.rst @@ -0,0 +1,25 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.15 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- When preparing DNS responses, ``named`` could replace the letters + ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been + fixed. :gl:`#2779` + +- The configuration-checking code failed to account for the inheritance + rules of the ``key-directory`` option. As a side effect of this flaw, + the code detecting ``key-directory`` conflicts for zones using KASP + incorrectly reported unique key directories as being reused. This has + been fixed. :gl:`#2778` diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index 12889bc0f1..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null 
@@ -1,68 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -Notes for BIND 9.17.15 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Sending non-zero opcode via DoT or DoH channels would trigger an assertion - failure in ``named``. This has been fixed. - - ISC would like to thank Ville Heikkila of Synopsys Cybersecurity Research - Center for responsibly disclosing the vulnerability to us. :gl:`#2787` - -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- None. - -Removed Features -~~~~~~~~~~~~~~~~ - -- Support for compiling and running BIND 9 natively on Windows has been - completely removed. The last release branch that has working Windows - support is BIND 9.16. :gl:`#2690` - -Feature Changes -~~~~~~~~~~~~~~~ - -- None. - -Bug Fixes -~~~~~~~~~ - -- Fixed a bug that caused the NSEC salt to be changed for KASP zones on - every startup. :gl:`#2725` - -- Signed, insecure delegation responses prepared by ``named`` either - lacked the necessary NSEC records or contained duplicate NSEC records - when both wildcard expansion and CNAME chaining were required to - prepare the response. This has been fixed. :gl:`#2759` - -- When preparing DNS responses, ``named`` could replace the letters - ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been - fixed. :gl:`#2779` - -- The configuration-checking code failed to account for the inheritance - rules of the ``key-directory`` option. As a side effect of this flaw, - the code detecting ``key-directory`` conflicts for zones using KASP - incorrectly reported unique key directories as being reused. This has - been fixed. 
:gl:`#2778` - -- A deadlock at startup was introduced when fixing :gl:`#1875` because when - locking key files for reading and writing, "in-view" logic was not taken into - account. This has been fixed. :gl:`#2783` From eeb626d75c2766976692c7a2723a446c89b22603 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 18 Jun 2021 11:44:00 +0200 Subject: [PATCH 4/6] Add CHANGES annotations --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index a022d7d2ce..a78c165cc6 100644 --- a/CHANGES +++ b/CHANGES @@ -15,10 +15,14 @@ the inheritance rules of the "key-directory" option. [GL #2778] + This change was included in BIND 9.17.15. + 5659. [bug] When preparing DNS responses, named could replace the letters 'W' (uppercase) and 'w' (lowercase) with '\000'. This has been fixed. [GL #2779] + This change was included in BIND 9.17.15. + 5658. [bug] Increasing "max-cache-size" for a running named instance (using "rndc reconfig") was not causing the hash tables used by cache databases to be grown accordingly. This From b16f9d5f0ecd2cde1d4335eae70b9bffe7d11c2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 18 Jun 2021 11:44:00 +0200 Subject: [PATCH 5/6] Update BIND version to 9.17.15 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index f1b3ac0b2c..3fb21c1ea8 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 14)dnl +m4_define([bind_VERSION_PATCH], 15)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl From 41de9ad84a82e9f9ab0867b2e9aa9867e8acc1f3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 23 Jun 2021 12:56:35 +0200 Subject: [PATCH 6/6] Set up release notes for BIND 9.17.16 --- doc/arm/notes.rst | 1 + doc/notes/notes-current.rst | 58 +++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index f687115b24..d3678cb652 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -51,6 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.17.15.rst .. include:: ../notes/notes-9.17.14.rst .. include:: ../notes/notes-9.17.13.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..1aa3a8c3b1 --- /dev/null +++ b/doc/notes/notes-current.rst 
@@ -0,0 +1,58 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.16 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Sending non-zero opcode via DoT or DoH channels would trigger an assertion + failure in ``named``. This has been fixed. + + ISC would like to thank Ville Heikkila of Synopsys Cybersecurity Research + Center for responsibly disclosing the vulnerability to us. :gl:`#2787` + +Known Issues +~~~~~~~~~~~~ + +- None. + +New Features +~~~~~~~~~~~~ + +- None. + +Removed Features +~~~~~~~~~~~~~~~~ + +- Support for compiling and running BIND 9 natively on Windows has been + completely removed. The last release branch that has working Windows + support is BIND 9.16. :gl:`#2690` + +Feature Changes +~~~~~~~~~~~~~~~ + +- None. + +Bug Fixes +~~~~~~~~~ + +- Fixed a bug that caused the NSEC salt to be changed for KASP zones on + every startup. :gl:`#2725` + +- Signed, insecure delegation responses prepared by ``named`` either + lacked the necessary NSEC records or contained duplicate NSEC records + when both wildcard expansion and CNAME chaining were required to + prepare the response. This has been fixed. :gl:`#2759` + +- A deadlock at startup was introduced when fixing :gl:`#1875` because when + locking key files for reading and writing, "in-view" logic was not taken into + account. This has been fixed. :gl:`#2783`
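Review bot: In PATCH 1/6, the reworded CHANGES entry 5660 ends without "This has been fixed." while the reworded entry 5659 directly below it gains that sentence; make the two consistent. Entry 5660 also leaves out the operator-visible symptom that PATCH 2/6 spells out in the release note (unique key directories reported as reused for zones using KASP). Carrying one clause of that into CHANGES would let the entry be matched to the error users actually saw.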
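Review bot: In PATCH 2/6, the new release-note text for GL #2779 drops the condition the old entry stated (a wildcard match containing ``W``) and now reads as if any response could be affected. If the bug is broader than wildcard expansion, say which responses were affected; if it is not, keep the wildcard condition so operators can judge whether their zones could have served names containing ``\000``.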
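Review bot: In PATCH 3/6, the commit message does not explain why notes-9.17.15.rst keeps only GL #2779 and GL #2778 when the deleted notes-current.rst listed the DoT/DoH assertion-failure security fix (GL #2787), the Windows removal (GL #2690) and three further bug fixes under the same "Notes for BIND 9.17.15" heading. Say in the commit message that those entries are deferred to the next release (they return under "Notes for BIND 9.17.16" in PATCH 6/6), so that nobody reading this commit alone concludes that 9.17.15 contains the GL #2787 fix.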
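Review bot: In PATCH 6/6, the Security Fixes entry in the new notes-current.rst reads "Sending non-zero opcode" and needs an article ("Sending a non-zero opcode"). The entry also stops at "would trigger an assertion failure" without saying what that means for the operator or who is exposed. One added clause stating whether ``named`` terminates, and that the trigger requires a DoT or DoH listener as the wording implies, would let readers triage the fix from the release notes alone.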