Tweak and reword release notes

doc/notes/notes-9.21.3.rst

@@ -7,49 +7,50 @@ New Features
 - Add separate query counters for new protocols.
 
   Add query counters for DoT, DoH, unencrypted DoH and their proxied
-  counterparts. The new :namedconf:`protocols` do not update their respective TCP/UDP
-  transport counter and is now for TCP/UDP over plain 53 only.
-  :gl:`#598`
+  counterparts. The new protocols do not update their respective TCP/UDP
+  transport counter. The previously existing counters are now dedicated
+  for TCP/UDP over plain port 53 only. :gl:`#598`
 
-- Implement RFC 9567: EDNS Report-Channel option.
+- Implement :rfc:`9567`: EDNS Report-Channel option.
 
-  Add new :namedconf:`send-report-channel` and :namedconf:`log-report-channel` options.
-  :namedconf:`send-report-channel` specifies an agent domain, to which error
+  Add new :namedconf:ref:`send-report-channel` and :namedconf:ref:`log-report-channel` options.
+
+  :namedconf:ref:`send-report-channel` specifies an *agent domain*, to which error
   reports can be sent by querying a specially constructed name within
-  the agent domain. EDNS Report-Channel :FIXME-rndcconf-namedconf:`options` will be added to
-  outgoing authoritative responses, to inform :namedconf:`clients` where to send such
-  queries in the event of a problem.
+  the agent domain. The EDNS Report-Channel option has been added to
+  outgoing authoritative responses, to inform clients where to send such
+  error reports in the event of a problem.
 
-  If a :namedconf:`zone` is configured which matches the agent domain and has
-  :namedconf:`log-report-channel` set to `yes`, error-reporting queries will be
-  logged at level `info` to the `dns-reporting-agent` :namedconf:`logging` channel.
+  If a :namedconf:ref:`zone` is configured which matches the *agent domain* and has
+  :namedconf:ref:`log-report-channel` set to `yes`, error-reporting queries will be
+  logged at level `info` to the `dns-reporting-agent` logging :namedconf:ref:`channel`.
   :gl:`#3659`
 
-- Add detailed debugging of :namedconf:`update-policy` rule matching.
+- Add detailed debugging of :namedconf:ref:`update-policy` rule matching.
 
-  This logs how :iscman:`named` determines if an update request is granted or
+  This logs how :iscman:`named` determines whether an update request is granted or
   denied when using update-policy. :gl:`#4751`
 
-- Update bind.keys with the new 2025 IANA root key.
+- Update built-in :file:`bind.keys` file with the new 2025 `IANA root key
+  <https://www.iana.org/dnssec/files>`_.
 
-  Add an 'initial-ds' entry to bind.keys for the new root :FIXME-rndcconf-namedconf:`key`, ID 38696,
-  which is scheduled for publication in January 2025. :gl:`#4896`
+  Add an `initial-ds` entry to :file:`bind.keys` for the new root key, ID
+  38696, which is scheduled for publication in January 2025. :gl:`#4896`
 
 - Enable runtime selection of FIPS mode in :iscman:`dig` and delv.
 
-  ':iscman:`dig` -F' and ':iscman:`delv` -F' can now be used to select FIPS mode at runtime.
-  :gl:`#5046`
+  :option:`dig -F` and :option:`delv -F` can now be used to select FIPS mode at
+  runtime. :gl:`#5046`
 
 Removed Features
 ~~~~~~~~~~~~~~~~
 
-- Move contributed DLZ modules into a separate repository.
+- Move contributed DLZ modules into a separate repository. DLZ modules should
+  not be used except in testing.
 
-  The DLZ modules are poorly maintained as we only ensure they can still
-  be compiled, the DLZ interface is blocking, so anything that blocks
-  the query to the :namedconf:`database` blocks the whole :FIXME-rndcconf-namedconf:`server` and they should not
-  be used except in testing.  The DLZ interface itself is going to be
-  scheduled for removal.
+  The DLZ modules were not maintained, the DLZ interface itself is going to be
+  scheduled for removal, and the DLZ interface is blocking. Any module that
+  blocks the query to the :namedconf:ref:`database` blocks the whole server.
 
   The DLZ modules now live in
   https://gitlab.isc.org/isc-projects/dlz-modules repository.
@@ -57,73 +58,66 @@ Removed Features
 
 - Remove RBTDB implementation.
 
-  Remove the RBTDB :namedconf:`database` implementation, and only leave the QPDB
-  based implementations of :namedconf:`zone` and cache databases.  This means it's no
-  longer possible to choose the RBTDB to be default at the compilation
-  time and it's not possible to configure RBTDB as the :namedconf:`database` backend
+  Remove the RBTDB :namedconf:ref:`database` implementation, and only leave the
+  QPDB-based implementations of :namedconf:ref:`zone` and cache databases. This means it is no
+  longer possible to choose RBTDB as the default database at compilation
+  time, nor to configure RBTDB as the :namedconf:ref:`database` backend
   in the configuration file. :gl:`#5027`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- Dnssec-ksr now supports KSK rollovers.
+- :iscman:`dnssec-ksr` now supports KSK rollovers.
 
-  The tool ':iscman:`dnssec-ksr`' now allows for KSK generation, as well as
-  planned KSK rollovers. When signing a bundle from a Key Signing
-  Request (KSR), only the :FIXME-rndcconf-namedconf:`key` that is active in that time frame is being
+  The tool now allows for KSK generation, as well as planned KSK rollovers.
+  When signing a bundle from a Key Signing Request (KSR), only the
+  key that is active in that time frame is
   used for signing. Also, the CDS and CDNSKEY records are now added and
   removed at the correct time. :gl:`#4697`  :gl:`#4705`
 
-- Add none parameter to :namedconf:`query-source` and :namedconf:`query-source-v6` to disable IPv4
-  or IPv6 upstream queries.
+- Add `none` parameter to :namedconf:ref:`query-source` and
+  :namedconf:ref:`query-source-v6` to disable IPv4 or IPv6 upstream queries but
+  allow listening to queries from clients on IPv4 or IPv6.
 
-  Add a none parameter to :iscman:`named` configuration option :namedconf:`query-source`
-  (respectively :namedconf:`query-source-v6`) which forbid usage of IPv4
-  (respectively IPv6) :rndcconf:`addresses` when :iscman:`named` is doing an upstream query.
-  :gl:`#4981` Turning-off upstream IPv6 queries while still listening to
-  downstream queries on IPv6.
+- Print :rfc:`7314`: EXPIRE option in transfer summary. :gl:`#5013`
 
-- Print expire option in transfer summary.
+- Add missing EDNS option mnemonics to :iscman:`dig`.
 
-  The :namedconf:`zone` transfer summary will now print the expire option value in
-  the :namedconf:`zone` transfer summary. :gl:`#5013`
-
-- Add missing EDNS option mnemonics.
-
-  The `Report-Channel` and `ZONEVERSION` EDNS :FIXME-rndcconf-namedconf:`options` can now be sent
+  The `Report-Channel` and `ZONEVERSION` options can now be sent
   using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short),
   and `dig +ednsopt=zoneversion`.
 
   Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and
-  `CHAIN`, are now displayed correctly in text and YAML formats. Also,
-  an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now
+  `CHAIN`, are now displayed correctly in text and YAML formats.
+
+  Also, an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now
   spelled with a hyphen in both text and YAML formats; previously, text
   format used a space.
 
-- Add new :namedconf:`logging` module for :namedconf:`logging` crypto errors in libisc.
+- Add new :namedconf:ref:`logging` module for crypto errors in libisc.
 
-  Add a new 'crypto' log module that will be used for a low-level
-  cryptographic operations.  The DNS related cryptography logs are still
+  Add a new `crypto` log module to be used for low-level
+  cryptographic operations. The DNS-related cryptography logs are still
   logged in the 'dns/crypto' module.
 
-- Emit more helpful log for exceeding max-records-per-type.
+- Emit more helpful log messages for exceeding :namedconf:ref:`max-records-per-type`.
 
   The new log message is emitted when adding or updating an RRset fails
-  due to exceeding the :namedconf:`max-records-per-type` limit. The log includes the
-  owner name and :namedconf:`type`, corresponding :namedconf:`zone` name, and the limit value. It
-  will be emitted on loading a :namedconf:`zone` :namedconf:`file`, inbound :namedconf:`zone` transfer (both
+  due to exceeding the :namedconf:ref:`max-records-per-type` limit. The log includes the
+  owner name and type, corresponding zone name, and the limit value. It
+  will be emitted on loading a zone file, inbound zone transfer (both
   AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's
-  especially helpful in the case of :namedconf:`zone` transfer, since the secondary
-  side doesn't have direct access to the offending :namedconf:`zone` data.
+  especially helpful in the case of zone transfer, since the secondary
+  side doesn't have direct access to the offending zone data.
 
-  It could also be used for :namedconf:`max-types-per-name`, but this change doesn't
+  It could also be used for :namedconf:ref:`max-types-per-name`, but this change doesn't
   implement it yet as it's much less likely to happen in practice.
 
-- Harden :FIXME-rndcconf-namedconf:`key` management when :FIXME-rndcconf-namedconf:`key` files have become unavailabe.
+- Harden key management when key files have become unavailable.
 
-  Prior to doing :FIXME-rndcconf-namedconf:`key` management, BIND 9 will check if the :FIXME-rndcconf-namedconf:`key` files on
-  disk match the expected keys. If :FIXME-rndcconf-namedconf:`key` files for previously observed
-  :namedconf:`keys` have become unavailable, this will prevent the internal :FIXME-rndcconf-namedconf:`key`
+  Prior to doing key management, BIND 9 will check if the key files on
+  disk match the expected keys. If key files for previously observed
+  keys have become unavailable, this will prevent the internal key
   manager from running.
 
 Bug Fixes
@@ -132,38 +126,30 @@ Bug Fixes
 - Use TLS for notifies if configured to do so.
 
   Notifies configured to use TLS will now be sent over TLS, instead of
-  plaintext UDP or TCP. Also, failing to load the TLS configuration for
-  :namedconf:`notify` now also results in an error. :gl:`#4821`
+  plain text UDP or TCP. Also, failing to load the TLS configuration for
+  :namedconf:ref:`notify` now results in an error. :gl:`#4821`
 
-- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath.
+- `{&dns}` is as valid as `{?dns}` in a SVCB's dohpath.
 
-  :iscman:`dig` fails to parse a valid (as far as I can tell, and accepted by
-  `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template
-  containing a `{&dns}`, like `dohpath=/some/path?:FIXME-rndcconf-namedconf:`key`=value{&dns}"`. If
-  the URI template contains a `{?dns}` instead :iscman:`dig` is happy, but my
-  understanding of rfc9461 and section 1.2. "Levels and Expression
-  Types" of rfc6570 is that `{&dns}` is valid. See for example section
-  1.2. "Levels and Expression Types" of rfc6570.
-
-  Note that Peter van Dijk suggested that `{dns}` and
-  `{dns,someothervar}` might be valid forms as well, so my patch might
-  be too restrictive, although it's anyone's guess how DoH :namedconf:`clients` would
-  handle complex templates. :gl:`#4922`
+  :iscman:`dig` failed to parse a valid `SVCB` record with a `dohpath` URI
+  template containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`.
+  :gl:`#4922`
 
 - Fix NSEC3 closest encloser lookup for names with empty non-terminals.
 
-  The performance improvement for finding the NSEC3 closest encloser
+  A previous performance optimization for finding the NSEC3 closest encloser
   when generating authoritative responses could cause servers to return
   incorrect NSEC3 records in some cases. This has been fixed.
   :gl:`#4950`
 
-- Report client transport in ':iscman:`rndc` recursing'
+- Report client transport in :option:`rndc recursing` output
 
-  When `rndc recursing` is used to dump the list of recursing :namedconf:`clients`,
-  it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP.
+  When :option:`rndc recursing` is used to dump the list of recursing
+  clients, it now indicates whether a query was sent via UDP, TCP,
+  TLS, or HTTP.
   :gl:`#4971`
 
-- 'Recursive-clients 0;' triggers an assertion.
+- :namedconf:ref:`recursive-clients` statement with value 0 triggered an assertion failure.
 
   BIND 9.20.0 broke `recursive-clients 0;`.  This has now been fixed.
   :gl:`#4987`
@@ -174,38 +160,23 @@ Bug Fixes
   accidentally broken, resulting in an assertion failure.  This has been
   fixed. :gl:`#4991`
 
-- Restore values when :iscman:`dig` prints command line.
+- :iscman:`dig` options of the form `[+-]option=<value>` failed to display the
+  value on the printed command line. This has been fixed. :gl:`#4993`
 
-  Options of the form `[+-]option=<value>` failed to display the value
-  on the printed command line. This has been fixed. :gl:`#4993`
+- Provide more visibility into TLS configuration errors by logging
+  `SSL_CTX_use_certificate_chain_file()` and `SSL_CTX_use_PrivateKey_file()`
+  errors individually. :gl:`#5008`
 
-- Provide more visibility into configuration errors.
+- Fix a race condition when canceling ADB find which could cause an assertion
+  failure. :gl:`#5024`
 
-  by :namedconf:`logging` SSL_CTX_use_certificate_chain_file and
-  SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008`
+- SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a
+  lot of memory if the server encounters many SERVFAILs at once.
+  :gl:`#5025`
 
-- Fix race condition when canceling ADB find.
-
-  When canceling the ADB find, the lock on the find gets released for a
-  brief period of time to be locked again inside adbname lock.  During
-  the brief period that the ADB find is unlocked, it can get canceled by
-  other means removing it from the adbname list which in turn causes
-  assertion failure due to a double removal from the adbname list. This
-  has been fixed. :gl:`#5024`
-
-- Improve the memory cleaning in the SERVFAIL cache.
-
-  The SERVFAIL cache doesn't have a memory bound and the cleaning of the
-  old SERVFAIL cache entries was implemented only in opportunistic
-  manner.  Improve the memory cleaning of the SERVFAIL cache to be more
-  aggressive, so it doesn't consume a lot of memory in the case the
-  :FIXME-rndcconf-namedconf:`server` encounters many SERVFAILs at once. :gl:`#5025`
-
-- Fix trying the next primary :FIXME-rndcconf-namedconf:`server` when the preivous one was marked as
+- Fix trying the next primary XoT server when the previous one was marked as
   unreachable.
 
-  In some cases (there is evidence only when XoT was used) :iscman:`named`
-  failed to try the next primary :FIXME-rndcconf-namedconf:`server` in the list when the previous
-  one was marked as unreachable. This has been fixed. :gl:`#5038`
-
-
+  In some cases :iscman:`named` failed to try the next primary
+  server in the :namedconf:ref:`primaries` list when the previous one was marked as
+  unreachable. This has been fixed. :gl:`#5038`