diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 64ef6dde4f..b08a03433c 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.13.rst .. include:: ../changelog/changelog-9.20.12.rst .. include:: ../changelog/changelog-9.20.11.rst .. include:: ../changelog/changelog-9.20.10.rst diff --git a/doc/changelog/changelog-9.20.13.rst b/doc/changelog/changelog-9.20.13.rst new file mode 100644 index 0000000000..72cfd9a6d2 --- /dev/null +++ b/doc/changelog/changelog-9.20.13.rst @@ -0,0 +1,139 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.13 +------------ + +New Features +~~~~~~~~~~~~ + +- Add manual mode configuration option to dnsec-policy. ``1e435b107f`` + + Add a new option ``manual-mode`` to :any:`dnssec-policy`. The intended + use is that if it is enabled, it will not automatically move to the + next state transition, but instead the transition is logged. Only + after manual confirmation with ``rndc dnssec -step`` the transition is + made. :gl:`#4606` :gl:`!10880` + +- Add a new 'servfail-until-ready' configuration option for RPZ. + ``925af17d21`` + + By default, when :iscman:`named` is started it may start answering to + queries before the response policy zones are completely loaded and + processed. This new feature gives an option to the users to tell + :iscman:`named` that incoming requests should result in SERVFAIL + answer until all the response policy zones are processed and ready. + Note that if one or more response policy zones fail to load, + :iscman:`named` starts responding to queries according to those zones + that did load. + + Note, that enabling this option has no effect when a DNS Response + Policy Service (DNSRPS) interface is used. :gl:`#5222` :gl:`!10889` + +- Support for parsing HHIT and BRID records has been added. + ``1f051af24d`` + + :gl:`#5444` :gl:`!10932` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Deprecate the "tkey-gssapi-credential" statement. ``b239a70cac`` + + The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up + in a simpler and more reliable way than using the + :any:`tkey-gssapi-credential` statement and setting environment + variables (e.g. ``KRB5_KTNAME``). Therefore, the + :any:`tkey-gssapi-credential` statement has been deprecated; + :any:`tkey-gssapi-keytab` should be used instead. + + For configurations currently using a combination of both + :any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the + latter should be dropped and the keytab pointed to by + :any:`tkey-gssapi-keytab` should now only contain the credential + previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204` + :gl:`!10924` + +- Obsolete the "tkey-domain" statement. ``9352ae65d7`` + + Mark the ``tkey-domain`` statement as obsolete, since it has not had + any effect on server behavior since support for TKEY Mode 2 + (Diffie-Hellman) was removed (in BIND 9.20.0). :gl:`#4204` + :gl:`!10926` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Update clang-format style with options added in newer versions. + ``0c2c477c31`` + + Add and apply InsertBraces statement to add missing curly braces + around one-line statements and use + ControlStatementsExceptControlMacros for SpaceBeforeParens to remove + space between foreach macro and the brace, e.g. `FOREACH (x) {` + becomes `FOREACH(x) {`. :gl:`!10864` + +Bug Fixes +~~~~~~~~~ + +- Ensure file descriptors 0-2 are in use. ``35dee6eb90`` + + libuv expect file descriptors <= STDERR_FILENO are in use. otherwise, + it may abort when closing a file descriptor it opened. :gl:`#5226` + :gl:`!10908` + +- Prevent spurious SERVFAILs for certain 0-TTL resource records. + ``6b266b222c`` + + Under certain circumstances, BIND 9 can return SERVFAIL when updating + existing entries in the cache with new NS, A, AAAA, or DS records with + 0-TTL. :gl:`#5294` :gl:`!10898` + +- Use DNS_RDATACOMMON_INIT to hide branch differences. ``a64df9729b`` + + Initialization of the common members of rdata type structures varies + across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` + macro for all types, so that new types are more likely to use it, and + hence backport more cleanly. :gl:`#5467` :gl:`!10834` + +- RPZ canonical warning displays zone entry incorrectly. ``d833676515`` + + When an IPv6 rpz prefix entry is entered incorrectly the log message + was just displaying the prefix rather than the full entry. This has + been corrected. :gl:`#5491` :gl:`!10930` + +- Fix a catalog zone issue when having an unset 'default-primaries' + configuration clause. ``293e75af28`` + + A catalog zone with an unset ``default-primaries`` clause could cause + an unexpected termination of the :iscman:`named` process after two + reloading or reconfiguration commands. This has been fixed. + :gl:`#5494` :gl:`!10905` + +- Add and use __attribute__((nonnull)) in dnssec-signzone.c. + ``a8eed36d3e`` + + Clang 20 was spuriously warning about the possibility of passing a + NULL file pointer to `fprintf()`, which uses the 'nonnull' attribute. + To silence the warning, the functions calling `fprintf()` have been + marked with the same attribute to assure that NULL can't be passed to + them in the first place. + + Close #5487 :gl:`!10913` + +- RPZ 'servfail-until-ready': skip updating SERVFAIL cache. + ``af2fb26325`` + + In order to not pollute the SERVFAIL cache with the configured + SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC + attribute for the client. :gl:`!10940` + +