diff --git a/doc/notes/notes-9.21.3.rst b/doc/notes/notes-9.21.3.rst index 8225bb0c2f..53d21561e9 100644 --- a/doc/notes/notes-9.21.3.rst +++ b/doc/notes/notes-9.21.3.rst 
@@ -7,49 +7,50 @@ New Features - Add separate query counters for new protocols. Add query counters for DoT, DoH, unencrypted DoH and their proxied - counterparts. The new :namedconf:`protocols` do not update their respective TCP/UDP - transport counter and is now for TCP/UDP over plain 53 only. - :gl:`#598` + counterparts. The new protocols do not update their respective TCP/UDP + transport counter. The previously existing counters are now dedicated + for TCP/UDP over plain port 53 only. :gl:`#598` -- Implement RFC 9567: EDNS Report-Channel option. +- Implement :rfc:`9567`: EDNS Report-Channel option. - Add new :namedconf:`send-report-channel` and :namedconf:`log-report-channel` options. - :namedconf:`send-report-channel` specifies an agent domain, to which error + Add new :namedconf:ref:`send-report-channel` and :namedconf:ref:`log-report-channel` options. + + :namedconf:ref:`send-report-channel` specifies an *agent domain*, to which error reports can be sent by querying a specially constructed name within - the agent domain. EDNS Report-Channel :FIXME-rndcconf-namedconf:`options` will be added to - outgoing authoritative responses, to inform :namedconf:`clients` where to send such - queries in the event of a problem. + the agent domain. The EDNS Report-Channel option has been added to + outgoing authoritative responses, to inform clients where to send such + error reports in the event of a problem. - If a :namedconf:`zone` is configured which matches the agent domain and has - :namedconf:`log-report-channel` set to `yes`, error-reporting queries will be - logged at level `info` to the `dns-reporting-agent` :namedconf:`logging` channel. + If a :namedconf:ref:`zone` is configured which matches the *agent domain* and has + :namedconf:ref:`log-report-channel` set to `yes`, error-reporting queries will be + logged at level `info` to the `dns-reporting-agent` logging :namedconf:ref:`channel`. 
:gl:`#3659` -- Add detailed debugging of :namedconf:`update-policy` rule matching. +- Add detailed debugging of :namedconf:ref:`update-policy` rule matching. - This logs how :iscman:`named` determines if an update request is granted or + This logs how :iscman:`named` determines whether an update request is granted or denied when using update-policy. :gl:`#4751` -- Update bind.keys with the new 2025 IANA root key. +- Update built-in :file:`bind.keys` file with the new 2025 `IANA root key + `_. - Add an 'initial-ds' entry to bind.keys for the new root :FIXME-rndcconf-namedconf:`key`, ID 38696, - which is scheduled for publication in January 2025. :gl:`#4896` + Add an `initial-ds` entry to :file:`bind.keys` for the new root key, ID + 38696, which is scheduled for publication in January 2025. :gl:`#4896` - Enable runtime selection of FIPS mode in :iscman:`dig` and delv. - ':iscman:`dig` -F' and ':iscman:`delv` -F' can now be used to select FIPS mode at runtime. - :gl:`#5046` + :option:`dig -F` and :option:`delv -F` can now be used to select FIPS mode at + runtime. :gl:`#5046` Removed Features ~~~~~~~~~~~~~~~~ -- Move contributed DLZ modules into a separate repository. +- Move contributed DLZ modules into a separate repository. DLZ modules should + not be used except in testing. - The DLZ modules are poorly maintained as we only ensure they can still - be compiled, the DLZ interface is blocking, so anything that blocks - the query to the :namedconf:`database` blocks the whole :FIXME-rndcconf-namedconf:`server` and they should not - be used except in testing. The DLZ interface itself is going to be - scheduled for removal. + The DLZ modules were not maintained, the DLZ interface itself is going to be + scheduled for removal, and the DLZ interface is blocking. Any module that + blocks the query to the :namedconf:ref:`database` blocks the whole server. The DLZ modules now live in https://gitlab.isc.org/isc-projects/dlz-modules repository. 
@@ -57,73 +58,66 @@ Removed Features - Remove RBTDB implementation. - Remove the RBTDB :namedconf:`database` implementation, and only leave the QPDB - based implementations of :namedconf:`zone` and cache databases. This means it's no - longer possible to choose the RBTDB to be default at the compilation - time and it's not possible to configure RBTDB as the :namedconf:`database` backend + Remove the RBTDB :namedconf:ref:`database` implementation, and only leave the + QPDB-based implementations of :namedconf:ref:`zone` and cache databases. This means it is no + longer possible to choose RBTDB as the default database at compilation + time, nor to configure RBTDB as the :namedconf:ref:`database` backend in the configuration file. :gl:`#5027` Feature Changes ~~~~~~~~~~~~~~~ -- Dnssec-ksr now supports KSK rollovers. +- :iscman:`dnssec-ksr` now supports KSK rollovers. - The tool ':iscman:`dnssec-ksr`' now allows for KSK generation, as well as - planned KSK rollovers. When signing a bundle from a Key Signing - Request (KSR), only the :FIXME-rndcconf-namedconf:`key` that is active in that time frame is being + The tool now allows for KSK generation, as well as planned KSK rollovers. + When signing a bundle from a Key Signing Request (KSR), only the + key that is active in that time frame is used for signing. Also, the CDS and CDNSKEY records are now added and removed at the correct time. :gl:`#4697` :gl:`#4705` -- Add none parameter to :namedconf:`query-source` and :namedconf:`query-source-v6` to disable IPv4 - or IPv6 upstream queries. +- Add `none` parameter to :namedconf:ref:`query-source` and + :namedconf:ref:`query-source-v6` to disable IPv4 or IPv6 upstream queries but + allow listening to queries from clients on IPv4 or IPv6. 
- Add a none parameter to :iscman:`named` configuration option :namedconf:`query-source` - (respectively :namedconf:`query-source-v6`) which forbid usage of IPv4 - (respectively IPv6) :rndcconf:`addresses` when :iscman:`named` is doing an upstream query. - :gl:`#4981` Turning-off upstream IPv6 queries while still listening to - downstream queries on IPv6. +- Print :rfc:`7314`: EXPIRE option in transfer summary. :gl:`#5013` -- Print expire option in transfer summary. +- Add missing EDNS option mnemonics to :iscman:`dig`. - The :namedconf:`zone` transfer summary will now print the expire option value in - the :namedconf:`zone` transfer summary. :gl:`#5013` - -- Add missing EDNS option mnemonics. - - The `Report-Channel` and `ZONEVERSION` EDNS :FIXME-rndcconf-namedconf:`options` can now be sent + The `Report-Channel` and `ZONEVERSION` options can now be sent using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), and `dig +ednsopt=zoneversion`. Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and - `CHAIN`, are now displayed correctly in text and YAML formats. Also, - an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now + `CHAIN`, are now displayed correctly in text and YAML formats. + + Also, an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now spelled with a hyphen in both text and YAML formats; previously, text format used a space. -- Add new :namedconf:`logging` module for :namedconf:`logging` crypto errors in libisc. +- Add new :namedconf:ref:`logging` module for crypto errors in libisc. - Add a new 'crypto' log module that will be used for a low-level - cryptographic operations. The DNS related cryptography logs are still + Add a new `crypto` log module to be used for low-level + cryptographic operations. The DNS-related cryptography logs are still logged in the 'dns/crypto' module. -- Emit more helpful log for exceeding max-records-per-type. 
+- Emit more helpful log messages for exceeding :namedconf:ref:`max-records-per-type`. The new log message is emitted when adding or updating an RRset fails - due to exceeding the :namedconf:`max-records-per-type` limit. The log includes the - owner name and :namedconf:`type`, corresponding :namedconf:`zone` name, and the limit value. It - will be emitted on loading a :namedconf:`zone` :namedconf:`file`, inbound :namedconf:`zone` transfer (both + due to exceeding the :namedconf:ref:`max-records-per-type` limit. The log includes the + owner name and type, corresponding zone name, and the limit value. It + will be emitted on loading a zone file, inbound zone transfer (both AXFR and IXFR), handling a DDNS update, or updating a cache DB. It's - especially helpful in the case of :namedconf:`zone` transfer, since the secondary - side doesn't have direct access to the offending :namedconf:`zone` data. + especially helpful in the case of zone transfer, since the secondary + side doesn't have direct access to the offending zone data. - It could also be used for :namedconf:`max-types-per-name`, but this change doesn't + It could also be used for :namedconf:ref:`max-types-per-name`, but this change doesn't implement it yet as it's much less likely to happen in practice. -- Harden :FIXME-rndcconf-namedconf:`key` management when :FIXME-rndcconf-namedconf:`key` files have become unavailabe. +- Harden key management when key files have become unavailable. - Prior to doing :FIXME-rndcconf-namedconf:`key` management, BIND 9 will check if the :FIXME-rndcconf-namedconf:`key` files on - disk match the expected keys. If :FIXME-rndcconf-namedconf:`key` files for previously observed - :namedconf:`keys` have become unavailable, this will prevent the internal :FIXME-rndcconf-namedconf:`key` + Prior to doing key management, BIND 9 will check if the key files on + disk match the expected keys. 
If key files for previously observed + keys have become unavailable, this will prevent the internal key manager from running. Bug Fixes 
@@ -132,38 +126,30 @@ Bug Fixes - Use TLS for notifies if configured to do so. Notifies configured to use TLS will now be sent over TLS, instead of - plaintext UDP or TCP. Also, failing to load the TLS configuration for - :namedconf:`notify` now also results in an error. :gl:`#4821` + plain text UDP or TCP. Also, failing to load the TLS configuration for + :namedconf:ref:`notify` now results in an error. :gl:`#4821` -- '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath. +- `{&dns}` is as valid as `{?dns}` in a SVCB's dohpath. - :iscman:`dig` fails to parse a valid (as far as I can tell, and accepted by - `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template - containing a `{&dns}`, like `dohpath=/some/path?:FIXME-rndcconf-namedconf:`key`=value{&dns}"`. If - the URI template contains a `{?dns}` instead :iscman:`dig` is happy, but my - understanding of rfc9461 and section 1.2. "Levels and Expression - Types" of rfc6570 is that `{&dns}` is valid. See for example section - 1.2. "Levels and Expression Types" of rfc6570. - - Note that Peter van Dijk suggested that `{dns}` and - `{dns,someothervar}` might be valid forms as well, so my patch might - be too restrictive, although it's anyone's guess how DoH :namedconf:`clients` would - handle complex templates. :gl:`#4922` + :iscman:`dig` failed to parse a valid `SVCB` record with a `dohpath` URI + template containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. + :gl:`#4922` - Fix NSEC3 closest encloser lookup for names with empty non-terminals. - The performance improvement for finding the NSEC3 closest encloser + A previous performance optimization for finding the NSEC3 closest encloser when generating authoritative responses could cause servers to return incorrect NSEC3 records in some cases. This has been fixed. 
:gl:`#4950` -- Report client transport in ':iscman:`rndc` recursing' +- Report client transport in :option:`rndc recursing` output - When `rndc recursing` is used to dump the list of recursing :namedconf:`clients`, - it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP. + When :option:`rndc recursing` is used to dump the list of recursing + clients, it now indicates whether a query was sent via UDP, TCP, + TLS, or HTTP. :gl:`#4971` -- 'Recursive-clients 0;' triggers an assertion. +- :namedconf:ref:`recursive-clients` statement with value 0 triggered an assertion failure. BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed. :gl:`#4987` 
@@ -174,38 +160,23 @@ Bug Fixes accidentally broken, resulting in an assertion failure. This has been fixed. :gl:`#4991` -- Restore values when :iscman:`dig` prints command line. +- :iscman:`dig` options of the form `[+-]option=` failed to display the + value on the printed command line. This has been fixed. :gl:`#4993` - Options of the form `[+-]option=` failed to display the value - on the printed command line. This has been fixed. :gl:`#4993` +- Provide more visibility into TLS configuration errors by logging + `SSL_CTX_use_certificate_chain_file()` and `SSL_CTX_use_PrivateKey_file()` + errors individually. :gl:`#5008` -- Provide more visibility into configuration errors. +- Fix a race condition when canceling ADB find which could cause an assertion + failure. :gl:`#5024` - by :namedconf:`logging` SSL_CTX_use_certificate_chain_file and - SSL_CTX_use_PrivateKey_file errors individually. :gl:`#5008` +- SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a + lot of memory if the server encounters many SERVFAILs at once. + :gl:`#5025` -- Fix race condition when canceling ADB find. - - When canceling the ADB find, the lock on the find gets released for a - brief period of time to be locked again inside adbname lock. During - the brief period that the ADB find is unlocked, it can get canceled by - other means removing it from the adbname list which in turn causes - assertion failure due to a double removal from the adbname list. This - has been fixed. :gl:`#5024` - -- Improve the memory cleaning in the SERVFAIL cache. - - The SERVFAIL cache doesn't have a memory bound and the cleaning of the - old SERVFAIL cache entries was implemented only in opportunistic - manner. Improve the memory cleaning of the SERVFAIL cache to be more - aggressive, so it doesn't consume a lot of memory in the case the - :FIXME-rndcconf-namedconf:`server` encounters many SERVFAILs at once. 
:gl:`#5025` - -- Fix trying the next primary :FIXME-rndcconf-namedconf:`server` when the preivous one was marked as +- Fix trying the next primary XoT server when the previous one was marked as unreachable. - In some cases (there is evidence only when XoT was used) :iscman:`named` - failed to try the next primary :FIXME-rndcconf-namedconf:`server` in the list when the previous - one was marked as unreachable. This has been fixed. :gl:`#5038` - - + In some cases :iscman:`named` failed to try the next primary + server in the :namedconf:ref:`primaries` list when the previous one was marked as + unreachable. This has been fixed. :gl:`#5038`
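Review bot: in the first hunk (@@ -7,49), the `bind.keys` entry's hyperlink `IANA root key`_ shows no `<url>` target between the link text and the closing `_` in these lines, so the reference will not resolve as written; add the target or confirm it survived the edit. Three smaller points in the same hunk: "dedicated for TCP/UDP over plain port 53" reads better as "dedicated to"; the Report-Channel paragraph says the option "has been added to outgoing authoritative responses", which reads as unconditional, so state that it is attached only when `send-report-channel` is configured; and the DLZ paragraph names "the DLZ interface" twice in one sentence, which could be tightened to "The DLZ modules were not maintained, and the DLZ interface is blocking and scheduled for removal."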
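Review bot: in the second hunk (@@ -57,73), the `query-source`/`query-source-v6` `none` entry loses its issue reference: the removed body carried `:gl:`#4981`` and the new one-line entry has no `:gl:` link, unlike every other entry in the file, so re-add it. The heading now carries the whole explanation; the other Feature Changes entries keep a heading plus a short body, and this one would read more consistently the same way. Minor: the new `crypto` module name uses backticks while the unchanged `'dns/crypto'` in the next sentence keeps single quotes.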
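Review bot: in the third hunk (@@ -132,38), the dohpath example `dohpath=/some/path?key=value{&dns}"` still carries a stray trailing `"` inside the literal (it was present in the removed text too); drop it, since the example shows the template, not a quoted string. In the notify entry, it would help operators to say plainly that before this fix notifies configured for TLS were sent in clear text over UDP or TCP, so they can judge the exposure of notify traffic from earlier releases. The `recursive-clients` heading uses past tense ("triggered an assertion failure") while the surrounding Bug Fixes headings are imperative ("Use TLS for notifies", "Fix NSEC3 closest encloser lookup"); "Fix assertion failure with `recursive-clients 0;`" would match.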
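Review bot: in the last hunk (@@ -174,38), the XoT entry is now inconsistent with itself: the heading scopes the bug to "the next primary XoT server" while the body says "In some cases named failed to try the next primary server" with no mention of XoT, and the removed text said there was evidence only when XoT was used. Either keep that qualification in the body or drop "XoT" from the heading. Also, the ADB race and SERVFAIL cache entries were collapsed to single lines; the dropped sentence explaining that the assertion came from a double removal from the adbname list is the kind of detail that helps someone matching the same assertion on an older release, so consider keeping one sentence of it.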