From def4dbc3eb25da382d83ac51064fbe55200ff9e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 23:08:05 +0200 Subject: [PATCH 1/3] Generate changelog for BIND 9.20.11 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.20.11.rst | 64 +++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 doc/changelog/changelog-9.20.11.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index c06fe15db7..a0df16c087 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.11.rst .. include:: ../changelog/changelog-9.20.10.rst .. include:: ../changelog/changelog-9.20.9.rst .. include:: ../changelog/changelog-9.20.8.rst diff --git a/doc/changelog/changelog-9.20.11.rst b/doc/changelog/changelog-9.20.11.rst new file mode 100644 index 0000000000..6c9cfd7f21 --- /dev/null +++ b/doc/changelog/changelog-9.20.11.rst 
@@ -0,0 +1,64 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.11 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40777] Fix a possible assertion failure when using the + 'stale-answer-client-timeout 0' option. ``055a592fd97`` + + In specific circumstances the :iscman:`named` resolver process could + terminate unexpectedly when stale answers were enabled and the + ``stale-answer-client-timeout 0`` configuration option was used. This + has been fixed. :gl:`#5372` + +New Features +~~~~~~~~~~~~ + +- Add support to set and display the CO flag. ``47108af9f2e`` + + Add support to display the CO (Compact denial of existence Ok flag) + when displaying messages. + + Add support to set the CO flag when making queries in dig (+coflag). + :gl:`#5319` :gl:`!10578` + +Bug Fixes +~~~~~~~~~ + +- Fix the default interface-interval from 60s to 60m. ``e8ffe3a15ca`` + + When the interface-interval parser was changed from uint32 parser to + duration parser, the default value stayed at plain number `60` which + now means 60 seconds instead of 60 minutes. The documentation also + incorrectly states that the value is in minutes. That has been fixed. + :gl:`#5246` :gl:`!10679` + +- Fix purge-keys bug when using views. ``35efa742b03`` + + Previously, when a DNSSEC key was purged by one zone view, other zone + views would return an error about missing key files. This has been + fixed. :gl:`#5315` :gl:`!10598` + +- Use IPv6 queries in delv +ns. 
``4916fe0c6bd`` + + `delv +ns` invokes the same code to perform name resolution as + `named`, but it neglected to set up an IPv6 dispatch object first. + Consequently, it was behaving more like `named -4`. It now sets up + dispatch objects for both address families, and performs resolver + queries to both v4 and v6 addresses, except when one of the address + families has been suppressed by using `delv -4` or `delv -6`. + :gl:`#5352` :gl:`!10573` + + From 39f41a2476c3219bed38094a8354a922eacef32d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 23:08:05 +0200 Subject: [PATCH 2/3] Prepare release notes for BIND 9.20.11 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.20.11.rst | 64 +++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 doc/notes/notes-9.20.11.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 60b9f0a56e..016ff19e6e 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.11.rst .. include:: ../notes/notes-9.20.10.rst .. include:: ../notes/notes-9.20.9.rst .. include:: ../notes/notes-9.20.8.rst diff --git a/doc/notes/notes-9.20.11.rst b/doc/notes/notes-9.20.11.rst new file mode 100644 index 0000000000..e528e564a0 --- /dev/null +++ b/doc/notes/notes-9.20.11.rst 
@@ -0,0 +1,64 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.11 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40777] Fix a possible assertion failure when using the + 'stale-answer-client-timeout 0' option. + + In specific circumstances the :iscman:`named` resolver process could + terminate unexpectedly when stale answers were enabled and the + ``stale-answer-client-timeout 0`` configuration option was used. This + has been fixed. :gl:`#5372` + +New Features +~~~~~~~~~~~~ + +- Add support to set and display the CO flag. + + Add support to display the CO (Compact denial of existence Ok flag) + when displaying messages. + + Add support to set the CO flag when making queries in dig (+coflag). + :gl:`#5319` + +Bug Fixes +~~~~~~~~~ + +- Fix the default interface-interval from 60s to 60m. + + When the interface-interval parser was changed from uint32 parser to + duration parser, the default value stayed at plain number `60` which + now means 60 seconds instead of 60 minutes. The documentation also + incorrectly states that the value is in minutes. That has been fixed. + :gl:`#5246` + +- Fix purge-keys bug when using views. + + Previously, when a DNSSEC key was purged by one zone view, other zone + views would return an error about missing key files. This has been + fixed. :gl:`#5315` + +- Use IPv6 queries in delv +ns. + + `delv +ns` invokes the same code to perform name resolution as + `named`, but it neglected to set up an IPv6 dispatch object first. + Consequently, it was behaving more like `named -4`. 
It now sets up + dispatch objects for both address families, and performs resolver + queries to both v4 and v6 addresses, except when one of the address + families has been suppressed by using `delv -4` or `delv -6`. + :gl:`#5352` + + From 09e3eb98142a4d86cb8ccd34e8e9f583ba0c65c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 23:08:05 +0200 Subject: [PATCH 3/3] Tweak and reword release notes --- doc/changelog/changelog-9.20.11.rst | 4 +-- doc/notes/notes-9.20.11.rst | 53 ++++++++++++++--------------- 2 files changed, 27 insertions(+), 30 deletions(-) diff --git a/doc/changelog/changelog-9.20.11.rst b/doc/changelog/changelog-9.20.11.rst index 6c9cfd7f21..a46eab3239 100644 --- a/doc/changelog/changelog-9.20.11.rst +++ b/doc/changelog/changelog-9.20.11.rst @@ -26,9 +26,9 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Add support to set and display the CO flag. ``47108af9f2e`` +- Add support for the CO flag to dig. ``47108af9f2e`` - Add support to display the CO (Compact denial of existence Ok flag) + Add support to display the CO (Compact Answers OK flag) when displaying messages. Add support to set the CO flag when making queries in dig (+coflag). diff --git a/doc/notes/notes-9.20.11.rst b/doc/notes/notes-9.20.11.rst index e528e564a0..4e4fdf6c5f 100644 --- a/doc/notes/notes-9.20.11.rst +++ b/doc/notes/notes-9.20.11.rst 
@@ -15,50 +15,47 @@ Notes for BIND 9.20.11 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-40777] Fix a possible assertion failure when using the - 'stale-answer-client-timeout 0' option. +- Fix a possible assertion failure when + :any:`stale-answer-client-timeout` is set to ``0``. In specific circumstances the :iscman:`named` resolver process could - terminate unexpectedly when stale answers were enabled and the - ``stale-answer-client-timeout 0`` configuration option was used. This - has been fixed. :gl:`#5372` + exit with an assertion failure when stale answers were enabled and the + :any:`stale-answer-client-timeout` configuration option was set to + ``0``. This has been fixed. :cve:`2025-40777` :gl:`#5372` New Features ~~~~~~~~~~~~ -- Add support to set and display the CO flag. +- Add support for the CO flag to :iscman:`dig`. - Add support to display the CO (Compact denial of existence Ok flag) - when displaying messages. - - Add support to set the CO flag when making queries in dig (+coflag). - :gl:`#5319` + Add support for Compact Denial of Existence to :iscman:`dig`. This + includes showing the CO (Compact Answers OK) flag when displaying + messages and adding an option to set the CO flag when making queries + (:option:`dig +coflag`). :gl:`#5319` Bug Fixes ~~~~~~~~~ -- Fix the default interface-interval from 60s to 60m. +- Correct the default :any:`interface-interval` from 60s to 60m. - When the interface-interval parser was changed from uint32 parser to - duration parser, the default value stayed at plain number `60` which - now means 60 seconds instead of 60 minutes. The documentation also - incorrectly states that the value is in minutes. That has been fixed. - :gl:`#5246` + When the :any:`interface-interval` parser was changed from a + ``uint32`` parser to a duration parser, the default value stayed at + plain number ``60`` which now means 60 seconds instead of 60 minutes. + The documentation also incorrectly states that the value is in + minutes. 
That has been fixed. :gl:`#5246` -- Fix purge-keys bug when using views. +- Fix a :any:`purge-keys` bug when using multiple views of a zone. Previously, when a DNSSEC key was purged by one zone view, other zone views would return an error about missing key files. This has been fixed. :gl:`#5315` -- Use IPv6 queries in delv +ns. - - `delv +ns` invokes the same code to perform name resolution as - `named`, but it neglected to set up an IPv6 dispatch object first. - Consequently, it was behaving more like `named -4`. It now sets up - dispatch objects for both address families, and performs resolver - queries to both v4 and v6 addresses, except when one of the address - families has been suppressed by using `delv -4` or `delv -6`. - :gl:`#5352` - +- Use IPv6 queries in :option:`delv +ns`. + :option:`delv +ns` invokes the same code to perform name resolution as + :iscman:`named`, but it neglected to set up an IPv6 dispatch object + first. Consequently, it was behaving more like :option:`named -4`. It + now sets up dispatch objects for both address families, and performs + resolver queries to both IPv4 and IPv6 addresses, except when one of + the address families has been suppressed by using :option:`delv -4` or + :option:`delv -6`. :gl:`#5352`
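Review bot: In PATCH 1/3, the new doc/changelog/changelog-9.20.11.rst uses single backticks for `60`, `delv +ns`, `named`, `named -4`, `delv -4` and `delv -6`, which reStructuredText reads as the default interpreted-text role, not as literals. PATCH 3/3 changes the same passages to ``60``, :option: and :iscman: in doc/notes/notes-9.20.11.rst only, so the changelog keeps the single-backtick forms. Use double backticks or the same roles in the changelog entries as well, so both documents render these tokens the same way.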
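Review bot: The security entry added to doc/notes/notes-9.20.11.rst in PATCH 2/3 (and kept in substance by PATCH 3/3) says only "In specific circumstances", which does not let an operator judge exposure. The entry names two conditions, stale answers enabled and stale-answer-client-timeout set to 0; say whether both have to be set explicitly in the configuration for the assertion failure to be reachable, and which releases are affected, so the note can be used for triage without opening :gl:`#5372`.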
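Review bot: In the doc/changelog/changelog-9.20.11.rst hunk of PATCH 3/3, the reworded line "Add support to display the CO (Compact Answers OK flag)" puts "flag" inside the parentheses, while the notes hunk of the same patch writes "the CO (Compact Answers OK) flag". Move the closing parenthesis so the expansion covers only the abbreviation: "the CO (Compact Answers OK) flag". The changelog title also still reads "[CVE-2025-40777] Fix a possible assertion failure when using the 'stale-answer-client-timeout 0' option." after this patch, whereas the notes title was reworded and the CVE moved to a :cve: reference; align the two if the changelog is meant to track the notes wording.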
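Review bot: In the doc/notes/notes-9.20.11.rst hunk of PATCH 3/3, the interface-interval entry is still ambiguous after the rewording: "The documentation also incorrectly states that the value is in minutes. That has been fixed." uses the present tense for something described as fixed and does not say what "That" covers (the default, the documentation, or both). Suggest "The documentation also incorrectly stated that the value is in minutes; both the default and the documentation have been corrected." Since the entry says a plain ``60`` "now means 60 seconds", it would also help to state whether an explicitly configured plain number is interpreted as seconds, because operators who wrote the value under the old minutes semantics would otherwise rescan interfaces far more often than intended.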