Prepare changelog for BIND 9.20.15

doc/arm/changelog.rst

@@ -18,6 +18,7 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+.. include:: ../changelog/changelog-9.20.15.rst
 .. include:: ../changelog/changelog-9.20.14.rst
 .. include:: ../changelog/changelog-9.20.13.rst
 .. include:: ../changelog/changelog-9.20.12.rst

doc/changelog/changelog-9.20.14.rst

@@ -12,122 +12,7 @@
 BIND 9.20.14
 ------------
 
-Security Fixes
-~~~~~~~~~~~~~~
-
-- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY
-  is found. ``0d676bf9f23``
-
-  Previously, if a matching but cryptographically invalid key was
-  encountered during DNSSEC validation, the key was skipped and not
-  counted towards validation failures. :iscman:`named` now treats such
-  DNSSEC keys as hard failures and the DNSSEC validation fails
-  immediately, instead of continuing with the next DNSKEYs in the RRset.
-
-  ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
-  Security and Privacy Laboratory at Nankai University for bringing this
-  vulnerability to our attention. :gl:`#5343`
-
-- [CVE-2025-40778] Address various spoofing attacks. ``23de94fd236``
-
-  Previously, several issues could be exploited to poison a DNS cache
-  with spoofed records for zones which were not DNSSEC-signed or if the
-  resolver was configured to not do DNSSEC validation. These issues were
-  assigned CVE-2025-40778 and have now been fixed.
-
-  As an additional layer of protection, :iscman:`named` no longer
-  accepts DNAME records or extraneous NS records in the AUTHORITY
-  section unless these are received via spoofing-resistant transport
-  (TCP, UDP with DNS cookies, TSIG, or SIG(0)).
-
-  ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
-  Duan from Tsinghua University for bringing this vulnerability to our
-  attention. :gl:`#5414`
-
-- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number
-  generator. ``34af35c2df8``
-
-  It was discovered during research for an upcoming academic paper that
-  a xoshiro128\*\* internal state can be recovered by an external 3rd
-  party, allowing the prediction of UDP ports and DNS IDs in outgoing
-  queries. This could lead to an attacker spoofing the DNS answers with
-  great efficiency and poisoning the DNS cache.
-
-  The internal random generator has been changed to a cryptographically
-  secure pseudo-random generator.
-
-  ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
-  Hebrew University of Jerusalem for bringing this vulnerability to our
-  attention. :gl:`#5484`
-
-New Features
-~~~~~~~~~~~~
-
-- Add dnssec-policy keys configuration check to named-checkconf.
-  ``1f5a0405f72``
-
-  A new option `-k` is added to `named-checkconf` that allows checking
-  the `dnssec-policy` `keys` configuration against the configured key
-  stores. If the found key files are not in sync with the given
-  `dnssec-policy`, the check will fail.
-
-  This is useful to run before migrating to `dnssec-policy`. :gl:`#5486`
-  :gl:`!11011`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Minor refactor of dst code. ``c6acbaa020b``
-
-  Convert the defines to enums. Initialize the tags more explicitly and
-  less ugly. :gl:`!11038`
-
-Bug Fixes
-~~~~~~~~~
-
-- Use signer name when disabling DNSSEC algorithms. ``986816baa74``
-
-  ``disable-algorithms`` could cause DNSSEC validation failures when the
-  parent zone was signed with the algorithms that were being disabled
-  for the child zone. This has been fixed; `disable-algorithms` now
-  works on a whole-of-zone basis.
-
-  If the zone's name is at or below the ``disable-algorithms`` name the
-  algorithm is disabled for that zone, using deepest match when there
-  are multiple ``disable-algorithms`` clauses.  :gl:`#5165` :gl:`!11014`
-
-- Rndc sign during ZSK rollover will now replace signatures.
-  ``d2f551140cd``
-
-  When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
-  :option:`rndc sign` command now signs the zone completely with the
-  successor key, replacing all zone signatures from the predecessor key
-  with new ones. :gl:`#5483` :gl:`!11017`
-
-- Missing DNSSEC information when CD bit is set in query.
-  ``968a6be41fb``
-
-  The RRSIGs for glue records were not being cached correctly for CD=1
-  queries.  This has been fixed. :gl:`#5502` :gl:`!10956`
-
-- Preserve cache when reload fails and reload the server again.
-  ``975aeda10b4``
-
-  Fixes an issue where failing to reconfigure/reload the server would
-  prevent to preserved the views caches on the subsequent server
-  reconfiguration/reload. :gl:`#5523` :gl:`!10988`
-
-- Check plugin config before registering. ``e2260b80702``
-
-  In `named_config_parsefile()`, when checking the validity of
-  `named.conf`, the checking of plugin correctness was deliberately
-  postponed until the plugin is loaded and registered. However, the
-  checking was never actually done: the `plugin_register()`
-  implementation was called, but `plugin_check()` was not.
-
-  `ns_plugin_register()` (used by `named`) now calls the check function
-  before the register function, and aborts if either one fails.
-  `ns_plugin_check()` (used by `named-checkconf`) calls only the check
-  function. :gl:`!11032`
-
+.. note::
 
+   The BIND 9.20.14 release was withdrawn after the discovery of a
+   regression in a security fix in it during pre-release testing.

doc/changelog/changelog-9.20.15.rst

@@ -0,0 +1,133 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.20.15
+------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY
+  is found. ``0d676bf9f23``
+
+  Previously, if a matching but cryptographically invalid key was
+  encountered during DNSSEC validation, the key was skipped and not
+  counted towards validation failures. :iscman:`named` now treats such
+  DNSSEC keys as hard failures and the DNSSEC validation fails
+  immediately, instead of continuing with the next DNSKEYs in the RRset.
+
+  ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
+  Security and Privacy Laboratory at Nankai University for bringing this
+  vulnerability to our attention. :gl:`#5343`
+
+- [CVE-2025-40778] Address various spoofing attacks. ``23de94fd236``
+
+  Previously, several issues could be exploited to poison a DNS cache
+  with spoofed records for zones which were not DNSSEC-signed or if the
+  resolver was configured to not do DNSSEC validation. These issues were
+  assigned CVE-2025-40778 and have now been fixed.
+
+  As an additional layer of protection, :iscman:`named` no longer
+  accepts DNAME records or extraneous NS records in the AUTHORITY
+  section unless these are received via spoofing-resistant transport
+  (TCP, UDP with DNS cookies, TSIG, or SIG(0)).
+
+  ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
+  Duan from Tsinghua University for bringing this vulnerability to our
+  attention. :gl:`#5414`
+
+- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number
+  generator. ``34af35c2df8``
+
+  It was discovered during research for an upcoming academic paper that
+  a xoshiro128\*\* internal state can be recovered by an external 3rd
+  party, allowing the prediction of UDP ports and DNS IDs in outgoing
+  queries. This could lead to an attacker spoofing the DNS answers with
+  great efficiency and poisoning the DNS cache.
+
+  The internal random generator has been changed to a cryptographically
+  secure pseudo-random generator.
+
+  ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
+  Hebrew University of Jerusalem for bringing this vulnerability to our
+  attention. :gl:`#5484`
+
+New Features
+~~~~~~~~~~~~
+
+- Add dnssec-policy keys configuration check to named-checkconf.
+  ``1f5a0405f72``
+
+  A new option `-k` is added to `named-checkconf` that allows checking
+  the `dnssec-policy` `keys` configuration against the configured key
+  stores. If the found key files are not in sync with the given
+  `dnssec-policy`, the check will fail.
+
+  This is useful to run before migrating to `dnssec-policy`. :gl:`#5486`
+  :gl:`!11011`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Minor refactor of dst code. ``c6acbaa020b``
+
+  Convert the defines to enums. Initialize the tags more explicitly and
+  less ugly. :gl:`!11038`
+
+Bug Fixes
+~~~~~~~~~
+
+- Use signer name when disabling DNSSEC algorithms. ``986816baa74``
+
+  ``disable-algorithms`` could cause DNSSEC validation failures when the
+  parent zone was signed with the algorithms that were being disabled
+  for the child zone. This has been fixed; `disable-algorithms` now
+  works on a whole-of-zone basis.
+
+  If the zone's name is at or below the ``disable-algorithms`` name the
+  algorithm is disabled for that zone, using deepest match when there
+  are multiple ``disable-algorithms`` clauses.  :gl:`#5165` :gl:`!11014`
+
+- Rndc sign during ZSK rollover will now replace signatures.
+  ``d2f551140cd``
+
+  When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
+  :option:`rndc sign` command now signs the zone completely with the
+  successor key, replacing all zone signatures from the predecessor key
+  with new ones. :gl:`#5483` :gl:`!11017`
+
+- Missing DNSSEC information when CD bit is set in query.
+  ``968a6be41fb``
+
+  The RRSIGs for glue records were not being cached correctly for CD=1
+  queries.  This has been fixed. :gl:`#5502` :gl:`!10956`
+
+- Preserve cache when reload fails and reload the server again.
+  ``975aeda10b4``
+
+  Fixes an issue where failing to reconfigure/reload the server would
+  prevent to preserved the views caches on the subsequent server
+  reconfiguration/reload. :gl:`#5523` :gl:`!10988`
+
+- Check plugin config before registering. ``e2260b80702``
+
+  In `named_config_parsefile()`, when checking the validity of
+  `named.conf`, the checking of plugin correctness was deliberately
+  postponed until the plugin is loaded and registered. However, the
+  checking was never actually done: the `plugin_register()`
+  implementation was called, but `plugin_check()` was not.
+
+  `ns_plugin_register()` (used by `named`) now calls the check function
+  before the register function, and aborts if either one fails.
+  `ns_plugin_check()` (used by `named-checkconf`) calls only the check
+  function. :gl:`!11032`
+
+