From 51fcef08a81f4ac82da952d780a1f107e7f81be0 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 5 Dec 2025 10:56:57 +0100 Subject: [PATCH 1/3] Generate changelog for BIND 9.21.16 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.21.16.rst | 306 ++++++++++++++++++++++++++++ 2 files changed, 307 insertions(+) create mode 100644 doc/changelog/changelog-9.21.16.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 1aa28a1957..f4bb79f554 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.16.rst .. include:: ../changelog/changelog-9.21.15.rst .. include:: ../changelog/changelog-9.21.14.rst .. include:: ../changelog/changelog-9.21.13.rst diff --git a/doc/changelog/changelog-9.21.16.rst b/doc/changelog/changelog-9.21.16.rst new file mode 100644 index 0000000000..d0c1c7ca22 --- /dev/null +++ b/doc/changelog/changelog-9.21.16.rst 
@@ -0,0 +1,306 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.16 +------------ + +New Features +~~~~~~~~~~~~ + +- Add +[no]showtruncated and +[no]showallmessages to dig. ``e78e6150e5`` + + The dig option +showtruncated adds the ability to display the + truncated message before retrying the query over TCP. + + The dig option +showallmessages add a short cut which is the + equivalent of "dig +qr +showbadcookie +showbadversion +showtruncated". + :gl:`#5657` :gl:`!11275` + +- Add spatch to detect implicit bool/int/result cast. ``2affdbce19`` + + Detection of implicit cast from a boolean into an int, or an + isc_result_t into a boolean (either in an assignement or return + position). + + If such pattern is found, a warning comment is added into the code + (and the CI will fails) so the error can be spotted and manually + fixed. :gl:`!11095` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Remove internal memory filling in favor of jemalloc opt.junk. + ``def4be7cb6`` + + Instead of having our own implementation of memory junk filling, rely + on the jemalloc opt.junk feature (set with MALLOC_CONF="junk:true"). + :gl:`!11270` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Improve output of 'rndc dnssec -status' ``814f7a72cd`` + + Add a new parameter ``-v`` to the ``rndc dnssec -status`` command for + more verbose output. Previously, key states were printed, and keys + that can be purged were listed. This made the output hard to read. + This information is now only shown in the verbose output. 
+ + Add more meaningful messages to the status output, making it clearer + what the state of a rollover is. + + This makes the output more condense, improving its readability. + :gl:`#3938` :gl:`!11099` + +- Use atomics for CMM_{LOAD,STORE}_SHARED with ThreadSanitizer. + ``6fd209b6f0`` + + Upstream has removed the atomics implementation of CMM_LOAD_SHARED and + CMM_STORE_SHARED as these can be used also with non-stdatomics types. + As we only use the CMM api with stdatomics types, we can restore the + previous behaviour to prevent ThreadSanitizer warnings. :gl:`#5660` + :gl:`!11288` + +- Change the QNAME minimization algorithm to follow the standard. + ``15494053b1`` + + In !9155, the QNAME minimization was changed to not leak the query + type to the parent name server. This violates RFC 9156 Section 3, + step (3) and it is not necessary. It also breaks some (weird) + authoritative DNS setups, especially when CNAMEs are involved. Also + there is really no privacy leak with query type. :gl:`#5661` + :gl:`!11293` + +- Add RRSIG if required as soon as they are found. ``2955bb90c8`` + + When EDNS DO flag (`dig +dnssec`) flag is set, an rdataset is + allocated to hold the RRSIG of an RR, if present in DB. However, this + allocation is not done if the zone DB is not considered as secure + (`dns_db_issecure() == false`). Changes this behaviour by allocating + the rdataset anyway, so the RRSIG can be associated in the answer + section of the response as soon it is found from the DB. + + The fact we attach the rrsig potentially more often (though it + probably occurs in edge cases) doesn't seems to affect performance in + any ways: :gl:`!11317` + +- Add dns_message functions to set EDNS options. ``b4d638473e`` + + The new `dns_message_ednsinit()` and `dns_message_ednsaddopt()` + functions allow EDNS options to be added to a message one at a time; + it is no longer necessary to construct a full array of EDNS options + and set them all at once. 
+ + This allows us to simplify EDNS option handling code, and in the + future it wlil allow plugins to add EDNS options to existing messages. + :gl:`!11261` + +- Enforce bounds of prefetch configuration option. ``103799ac23`` + + The prefetch configuration option now enforces boundaries. The + configuration (including when using `named-checkconf`) now fails if + the trigger (first value) is above 10, and if the eligibility (second + optional value) isn't at least six seconds greater than the trigger + value. :gl:`!11243` + +- Enforces the fact that catalog-zone can not be used in non IN views. + ``346007d52d`` + + Catalog-zones can't be used in a view which is not from the IN class. + This is now enforced as the server won't load (instead of loading + without the catalog-zone) if such configuration is detected. This + configuration error is now also caught by `named-checkconf`. + :gl:`!11245` + +- No effective config as text if allow-new-zones is yes. ``416826d4ea`` + + Do not save the text version of the effective configuration when + `allow-new-zones` is enabled, as in that case the object tree can be + printed on demand, reducing unnecessary memory consumption. + :gl:`!11242` + +- Provide more information when the memory allocation fails. + ``94ffc96897`` + + Provide more information about the failure when the memory allocation + fails. :gl:`!11272` + +- Reduce the number of outgoing queries. ``37d851df37`` + + Reduces the number of outgoing queries when resolving the nameservers + for delegation points. This helps the DNS resolver with cold cache + resolve client queries with complex delegation chains and + redirections. :gl:`!11148` + +- Refactor zone fetch code. ``32322ffdd8`` + + There is code duplication between `keyfetch` and `nsfetch`, refactor + to allow common code paths to differentiate between them. This is in + preparation for support of generalized DNS notifications, that will + require fetching DSYNC records. 
:gl:`!11176` + +- Remove exclusive mode when scheduling zone load. ``2958b3733c`` + + Remove exclusive mode when scheduling the zone load, as it is no + longer necessary; data that can be read or written by multiple threads + are locked or atomic. + + The detection of the post zone DB loading logic has been refactored to + take into account the fact that zone databases may be loaded before + the function scheduling the loads. :gl:`!11231` + +- Use malloc_usable_size()/malloc_size() for memory accounting. + ``d8410f93d2`` + + Restore usage of malloc_usable_size()/malloc_size(), but this time + only for memory accounting and statistics purposes. This should + reduce the memory footprint in case of compilation without jemalloc as + we don't have to keep track of the allocated memory size ourselves. + :gl:`!11271` + +Bug Fixes +~~~~~~~~~ + +- Fix the spurious timeouts while resolving names. ``908b7c1f34`` + + Sometimes the loops in the resolving (e.g. to resolve or validate + ns1.example.com we need to resolve ns1.example.com) were not properly + detected leading to spurious 10 seconds delay. This has been fixed + and such loops are properly detected. :gl:`#3033`, #5578 :gl:`!11138` + +- Fix bug where zone switches from NSEC3 to NSEC after retransfer. + ``ddd1040761`` + + When a zone is re-transferred, but the zone journal on an + inline-signing secondary is out of sync, the zone could fall back to + using NSEC records instead of NSEC3. This has been fixed. :gl:`#5527` + :gl:`!11226` + +- Add support for more linkers with LTO. ``1ede6683cd`` + + Link-time optimization requires close coordination between the + compiler and the linker, so not all combinations of compiler and + linker support it. + + Previously, when compiling with Clang, we checked only for lld. With + this commit, we expand the list of supported linkers we check for. + :gl:`#5536` :gl:`!11022` + +- Attach socket before async streamdns_resume_processing. 
``fec55d786a`` + + Call to `streamdns_resume_processing` is asynchronous but the socket + passed as argument is not attached when scheduling the call. + + While there is no reproducible way (so far) to make the socket + reference number down to 0 before `streamdns_resume_processing` is + called, attach the socket before scheduling the call. This guard + against an hypothetic case where, for some reasons, the socket + refcount would reach 0, and be freed from memory when + `streamdns_resume_processing` is called. :gl:`#5620` :gl:`!11247` + +- Fix caching RRSIG covering cache NODATA record. ``a81aad0cdc`` + + When a RRSIG for type that we already have cached NODATA record was + cached due to mismatch of the records on the upstream nameservers, an + assertion failure could trigger. This has been fixed. :gl:`#5633` + :gl:`!11228` + +- Fix building on OpenBSD 7.8 with Clang 19.1.7. ``d30fdf063c`` + + Add the OpenBSD and Clang combination to the existing kludge to + recognize size_t and uintXX_t types as same when using a generic. + :gl:`#5635` :gl:`!11235` + +- AMTRELAY type 0 presentation format handling was wrong. ``d091771b42`` + + RFC 8777 specifies a placeholder value of "." for the gateway field + when the gateway type is 0 (no gateway). This was not being checked + for nor emitted when displaying the record. This has been corrected. + + Instances of this record will need the placeholder period added to + them when upgrading. :gl:`#5639` :gl:`!11240` + +- Fix parsing bug in remote-servers with key or tls. ``51af07cdee`` + + The :any:`remote-servers` clause enable the following pattern using a + named ``server-list``: + + remote-servers a { 1.2.3.4; ... }; remote-servers b { a key + foo; }; + + However, such configuration was wrongly rejected, with an "unexpected + token 'foo'" error. Such configuration is now accepted. :gl:`#5646` + :gl:`!11252` + +- Fix allow-recursion/allow-query-cache inheritance. 
``4a4368a5ec`` + + The merging of the user options and defaults into the effective + configuration broke the mutual inheritance of the `allow-recursion`, + `allow-query`, and `allow-query-cache` ACLs, and of the + `allow-recursion-on` and `allow-query-cache-on` ACLs. This has been + fixed. :gl:`#5647` :gl:`!11254` + +- Fix TLS contexts cache object usage bug in the resolver. + ``d441e14cbf`` + + :iscman:`named` could terminate unexpectedly when reconfiguring or + reloading, and if client-side TLS transport was in use (for example, + when forwarding queries to a DoT server). This has been fixed. + :gl:`#5653` :gl:`!11295` + +- Fix uninitialized pointer check on getipandkeylist. ``dd2d690d98`` + + Function `named_config_getipandkeylist` could, in case of error in the + early code attempting to get the `port` or `tls-port`, make a pointer + check on a non-initialized value. This is now fixed. :gl:`!11303` + +- Pass isc_buffer_t pointers when applicable. ``53ea41b459`` + + In commit aea251f3bce7, `isc_buffer_reserve()` was changed to take a + simple `isc_buffer_t *` instead of `isc_buffer_t **`. A number of + functions calling it have now been similarly modified. :gl:`!11282` + +- Remove holes in `dns_zoneflg_t` enum. ``1a9f7539bd`` + + The `dns_zoneflg_t` enum defined multiple possible flags for a zone, + but contains numerous holes (likely from flag removed in the past). + This fixes the holes, and use a bit-shift and decimal notation to make + holes easier to spot. :gl:`!11189` + +- Save configuration as text. ``09bcacbd36`` + + A `cfg_obj_t` object tree structure takes up considerably more space + than the equivalent canonical text. If `allow-new-zones` is disabled + and catalog zones are not in use, then we don't need the object tree. + By storing the configuration in text format, we can use less memory, + and `rndc showconf` and `rndc showzone` still work. :gl:`!11236` + +- Standardize CHECK and RETERR macros. 
``a45d253882`` + + Previously, there were over 40 separate definitions of `CHECK` macros, + of which most used `goto cleanup`, and the rest `goto failure` or + `goto out`. There were another 10 definitions of `RETERR`, of which + most were identical to `CHECK`, but some simply returned a result code + instead of jumping to a cleanup label. + + This has now been standardized throughout the code base: `RETERR` is + for returning an error code in the case of an error, and `CHECK` is + for jumping to a cleanup tag, which is now always called `cleanup`. + Both macros are defined in `isc/util.h`. :gl:`!10472` + +- Adding NSEC3 opt-out records could leave invalid records in + chain. ``6d03b4f9c6`` + + When creating an NSEC3 opt-out chain, a node in the chain could be + removed too soon, causing the previous NSEC3 being unable to be found, + resulting in invalid NSEC3 records to be left in the zone. This has + been fixed. :gl:`#5671` + From 24acadc35e12d9f871e69c9375a7b3f9a16c4436 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 5 Dec 2025 10:58:10 +0100 Subject: [PATCH 2/3] Prepare release notes for BIND 9.21.16 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.21.16.rst | 141 ++++++++++++++++++++++++++++++++++++ 2 files changed, 142 insertions(+) create mode 100644 doc/notes/notes-9.21.16.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 28d6c092ef..7578365dee 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.16.rst .. include:: ../notes/notes-9.21.15.rst .. include:: ../notes/notes-9.21.14.rst .. include:: ../notes/notes-9.21.13.rst diff --git a/doc/notes/notes-9.21.16.rst b/doc/notes/notes-9.21.16.rst new file mode 100644 index 0000000000..90ca3d9250 --- /dev/null +++ b/doc/notes/notes-9.21.16.rst 
@@ -0,0 +1,141 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.16 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Add +[no]showtruncated and +[no]showallmessages to dig. + + The dig option +showtruncated adds the ability to display the + truncated message before retrying the query over TCP. + + The dig option +showallmessages add a short cut which is the + equivalent of "dig +qr +showbadcookie +showbadversion +showtruncated". + :gl:`#5657` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Improve output of 'rndc dnssec -status' + + Add a new parameter ``-v`` to the ``rndc dnssec -status`` command for + more verbose output. Previously, key states were printed, and keys + that can be purged were listed. This made the output hard to read. + This information is now only shown in the verbose output. + + Add more meaningful messages to the status output, making it clearer + what the state of a rollover is. + + This makes the output more condense, improving its readability. + :gl:`#3938` + +- Change the QNAME minimization algorithm to follow the standard. + + In !9155, the QNAME minimization was changed to not leak the query + type to the parent name server. This violates RFC 9156 Section 3, + step (3) and it is not necessary. It also breaks some (weird) + authoritative DNS setups, especially when CNAMEs are involved. Also + there is really no privacy leak with query type. :gl:`#5661` + +- Enforce bounds of prefetch configuration option. + + The prefetch configuration option now enforces boundaries. 
The + configuration (including when using `named-checkconf`) now fails if + the trigger (first value) is above 10, and if the eligibility (second + optional value) isn't at least six seconds greater than the trigger + value. + +- Enforces the fact that catalog-zone can not be used in non IN views. + + Catalog-zones can't be used in a view which is not from the IN class. + This is now enforced as the server won't load (instead of loading + without the catalog-zone) if such configuration is detected. This + configuration error is now also caught by `named-checkconf`. + +- Provide more information when the memory allocation fails. + + Provide more information about the failure when the memory allocation + fails. + +- Reduce the number of outgoing queries. + + Reduces the number of outgoing queries when resolving the nameservers + for delegation points. This helps the DNS resolver with cold cache + resolve client queries with complex delegation chains and + redirections. + +Bug Fixes +~~~~~~~~~ + +- Fix the spurious timeouts while resolving names. + + Sometimes the loops in the resolving (e.g. to resolve or validate + ns1.example.com we need to resolve ns1.example.com) were not properly + detected leading to spurious 10 seconds delay. This has been fixed + and such loops are properly detected. :gl:`#3033`, #5578 + +- Fix bug where zone switches from NSEC3 to NSEC after retransfer. + + When a zone is re-transferred, but the zone journal on an + inline-signing secondary is out of sync, the zone could fall back to + using NSEC records instead of NSEC3. This has been fixed. :gl:`#5527` + +- Fix caching RRSIG covering cache NODATA record. + + When a RRSIG for type that we already have cached NODATA record was + cached due to mismatch of the records on the upstream nameservers, an + assertion failure could trigger. This has been fixed. :gl:`#5633` + +- AMTRELAY type 0 presentation format handling was wrong. + + RFC 8777 specifies a placeholder value of "." 
for the gateway field + when the gateway type is 0 (no gateway). This was not being checked + for nor emitted when displaying the record. This has been corrected. + + Instances of this record will need the placeholder period added to + them when upgrading. :gl:`#5639` + +- Fix parsing bug in remote-servers with key or tls. + + The :any:`remote-servers` clause enable the following pattern using a + named ``server-list``: + + remote-servers a { 1.2.3.4; ... }; remote-servers b { a key + foo; }; + + However, such configuration was wrongly rejected, with an "unexpected + token 'foo'" error. Such configuration is now accepted. :gl:`#5646` + +- Fix allow-recursion/allow-query-cache inheritance. + + The merging of the user options and defaults into the effective + configuration broke the mutual inheritance of the `allow-recursion`, + `allow-query`, and `allow-query-cache` ACLs, and of the + `allow-recursion-on` and `allow-query-cache-on` ACLs. This has been + fixed. :gl:`#5647` + +- Fix TLS contexts cache object usage bug in the resolver. + + :iscman:`named` could terminate unexpectedly when reconfiguring or + reloading, and if client-side TLS transport was in use (for example, + when forwarding queries to a DoT server). This has been fixed. + :gl:`#5653` + +- Adding NSEC3 opt-out records could leave invalid records in chain. + + When creating an NSEC3 opt-out chain, a node in the chain could be + removed too soon, causing the previous NSEC3 being unable to be found, + resulting in invalid NSEC3 records to be left in the zone. This has + been fixed. :gl:`#5671` + From 227376de4e4a910752252597aba7d773887ba1ba Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 5 Dec 2025 11:06:55 +0100 Subject: [PATCH 3/3] Tweak and reword release notes --- doc/notes/notes-9.21.16.rst | 141 ++++++++++++++++++------------------ 1 file changed, 72 insertions(+), 69 deletions(-) 
diff --git a/doc/notes/notes-9.21.16.rst b/doc/notes/notes-9.21.16.rst index 90ca3d9250..d674e4fa20 100644 --- a/doc/notes/notes-9.21.16.rst +++ b/doc/notes/notes-9.21.16.rst 
@@ -15,127 +15,130 @@ Notes for BIND 9.21.16 New Features ~~~~~~~~~~~~ -- Add +[no]showtruncated and +[no]showallmessages to dig. +- Add ``+[no]showtruncated`` and ``+[no]showallmessages`` to :iscman:`dig`. - The dig option +showtruncated adds the ability to display the + The option :option:`dig +showtruncated` adds the ability to display the truncated message before retrying the query over TCP. - The dig option +showallmessages add a short cut which is the - equivalent of "dig +qr +showbadcookie +showbadversion +showtruncated". + The option :option:`dig +showallmessages` adds a shortcut, which is the + equivalent of ``dig +qr +showbadcookie +showbadversion +showtruncated``. :gl:`#5657` Feature Changes ~~~~~~~~~~~~~~~ -- Improve output of 'rndc dnssec -status' +- Reduce the number of outgoing queries. + + Reduce the number of outgoing queries when resolving the nameservers + for delegation points. This helps a DNS resolver with a cold cache + resolve client queries with complex delegation chains and + redirections. :gl:`!11148` + +- Improve output of ``rndc dnssec -status`` Add a new parameter ``-v`` to the ``rndc dnssec -status`` command for more verbose output. Previously, key states were printed, and keys - that can be purged were listed. This made the output hard to read. + that could be purged were listed. This made the output hard to read. This information is now only shown in the verbose output. Add more meaningful messages to the status output, making it clearer what the state of a rollover is. - This makes the output more condense, improving its readability. + This makes the output more condensed, improving its readability. :gl:`#3938` - Change the QNAME minimization algorithm to follow the standard. - In !9155, the QNAME minimization was changed to not leak the query - type to the parent name server. This violates RFC 9156 Section 3, - step (3) and it is not necessary. 
It also breaks some (weird) - authoritative DNS setups, especially when CNAMEs are involved. Also - there is really no privacy leak with query type. :gl:`#5661` + In :gl:`!9155`, QNAME minimization was changed to not leak the query + type to the parent name server. This violates :rfc:`9156` Section 3, + step (3) and it is not necessary. It also breaks some unusual + authoritative DNS setups, especially when CNAMEs are involved. + There is really no privacy leak with query type, so these changes + were not beneficial. :gl:`#5661` -- Enforce bounds of prefetch configuration option. +- Enforce bounds of :any:`prefetch` configuration option. - The prefetch configuration option now enforces boundaries. The - configuration (including when using `named-checkconf`) now fails if + The :any:`prefetch` configuration option now enforces boundaries. The + configuration (including when using :iscman:`named-checkconf`) now fails if the trigger (first value) is above 10, and if the eligibility (second - optional value) isn't at least six seconds greater than the trigger - value. + optional value) is not at least six seconds greater than the trigger + value. :gl:`!11243` -- Enforces the fact that catalog-zone can not be used in non IN views. +- Enforce the fact that catalog zones cannot be used in non-IN views. - Catalog-zones can't be used in a view which is not from the IN class. - This is now enforced as the server won't load (instead of loading - without the catalog-zone) if such configuration is detected. This - configuration error is now also caught by `named-checkconf`. + Catalog zones cannot be used in a view which is not from the IN class. + This is now enforced, as the server won't load (instead of loading + without the catalog zone) if such a configuration is detected. This + configuration error is now also caught by :iscman:`named-checkconf`. + :gl:`!11245` -- Provide more information when the memory allocation fails. 
+- Provide more information when memory allocation fails. - Provide more information about the failure when the memory allocation - fails. - -- Reduce the number of outgoing queries. - - Reduces the number of outgoing queries when resolving the nameservers - for delegation points. This helps the DNS resolver with cold cache - resolve client queries with complex delegation chains and - redirections. + BIND now provides more information about the failure when memory allocation + fails. :gl:`!11272` Bug Fixes ~~~~~~~~~ -- Fix the spurious timeouts while resolving names. +- Adding NSEC3 opt-out records could leave invalid records in chain. - Sometimes the loops in the resolving (e.g. to resolve or validate - ns1.example.com we need to resolve ns1.example.com) were not properly - detected leading to spurious 10 seconds delay. This has been fixed - and such loops are properly detected. :gl:`#3033`, #5578 + When creating an NSEC3 opt-out chain, a node in the chain could be + removed too soon. The previous NSEC3 would therefore not be found, + resulting in invalid NSEC3 records being left in the zone. This has + been fixed. :gl:`#5671` + +- Fix spurious timeouts while resolving names. + + Sometimes, loops in the resolving process (e.g., to resolve or validate + ``ns1.example.com``, we need to resolve ``ns1.example.com``) were not properly + detected, leading to a spurious 10-second delay. This has been fixed, + and such loops are properly detected. :gl:`#3033` :gl:`#5578` - Fix bug where zone switches from NSEC3 to NSEC after retransfer. - When a zone is re-transferred, but the zone journal on an - inline-signing secondary is out of sync, the zone could fall back to + When a zone was re-transferred but the zone journal on an + inline-signing secondary was out of sync, the zone could fall back to using NSEC records instead of NSEC3. This has been fixed. :gl:`#5527` -- Fix caching RRSIG covering cache NODATA record. +- Fix caching RRSIG covering cached NODATA record. 
- When a RRSIG for type that we already have cached NODATA record was - cached due to mismatch of the records on the upstream nameservers, an - assertion failure could trigger. This has been fixed. :gl:`#5633` + If a cached NODATA record was already present for an RRSIG type + due to a mismatch of records on the upstream nameservers, it could + trigger an assertion failure. This has been fixed. :gl:`#5633` -- AMTRELAY type 0 presentation format handling was wrong. +- ``AMTRELAY`` type 0 presentation format handling was wrong. - RFC 8777 specifies a placeholder value of "." for the gateway field - when the gateway type is 0 (no gateway). This was not being checked - for nor emitted when displaying the record. This has been corrected. + :rfc:`8777` specifies a placeholder value of ``.`` for the gateway field + when the gateway type is 0 (no gateway). This was not being checked + for, nor was it emitted when displaying the record. This has been corrected. Instances of this record will need the placeholder period added to them when upgrading. :gl:`#5639` -- Fix parsing bug in remote-servers with key or tls. +- Fix parsing bug in :any:`remote-servers` with key or TLS. - The :any:`remote-servers` clause enable the following pattern using a - named ``server-list``: + The :any:`remote-servers` clause enables the following pattern using a + named ``server-list``:: - remote-servers a { 1.2.3.4; ... }; remote-servers b { a key - foo; }; + remote-servers a { 1.2.3.4; ... }; + remote-servers b { a key foo; }; - However, such configuration was wrongly rejected, with an "unexpected - token 'foo'" error. Such configuration is now accepted. :gl:`#5646` + However, such a configuration was wrongly rejected, with an ``unexpected + token 'foo'`` error. This configuration is now accepted. :gl:`#5646` -- Fix allow-recursion/allow-query-cache inheritance. +- Fix :any:`allow-recursion`/:any:`allow-query-cache` inheritance. 
The merging of the user options and defaults into the effective - configuration broke the mutual inheritance of the `allow-recursion`, - `allow-query`, and `allow-query-cache` ACLs, and of the - `allow-recursion-on` and `allow-query-cache-on` ACLs. This has been + configuration broke the mutual inheritance of the :any:`allow-recursion`, + :any:`allow-query`, and :any:`allow-query-cache` ACLs, and of the + :any:`allow-recursion-on` and :any:`allow-query-cache-on` ACLs. This has been fixed. :gl:`#5647` -- Fix TLS contexts cache object usage bug in the resolver. +- Fix DoT reconfigure/reload bug in the resolver. - :iscman:`named` could terminate unexpectedly when reconfiguring or - reloading, and if client-side TLS transport was in use (for example, - when forwarding queries to a DoT server). This has been fixed. + If client-side TLS transport was in use (for example, when + forwarding queries to a DoT server), :iscman:`named` could + terminate unexpectedly when reconfiguring or reloading. This + has been fixed. :gl:`#5653` -- Adding NSEC3 opt-out records could leave invalid records in chain. - - When creating an NSEC3 opt-out chain, a node in the chain could be - removed too soon, causing the previous NSEC3 being unable to be found, - resulting in invalid NSEC3 records to be left in the zone. This has - been fixed. :gl:`#5671` -
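Review bot: in doc/changelog/changelog-9.21.16.rst (PATCH 1/3), the "Fix the spurious timeouts while resolving names" entry ends with ":gl:`#3033`, #5578", so the second issue number has no :gl: role and will render as plain text instead of a link; write it as :gl:`#5578`. In the same file, the remote-servers example follows "named ``server-list``:" with a single colon, so it is not marked as a literal block, and it is wrapped in the middle of a statement ("a key" on one line, "foo; };" on the next); end the introducing line with "::" and keep each remote-servers statement on its own line. The "Add RRSIG if required as soon as they are found" entry ends with "in any ways:" followed directly by :gl:`!11317`, which reads as a sentence that was cut off. A spelling pass is also needed for "assignement", "the CI will fails", "wlil", "doesn't seems" and "more condense".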
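Review bot: in doc/notes/notes-9.21.16.rst (PATCH 2/3), the prefetch entry joins its two failure conditions with "and if" ("is above 10, and if the eligibility"), which reads as though both must be true before the configuration is rejected; if either condition alone is rejected, change it to "or if". The AMTRELAY entry is the one item in this file that asks operators to change data on upgrade ("Instances of this record will need the placeholder period added to them when upgrading"), so it should say what happens to a zone that still carries the old presentation form, for example whether the zone fails to load, so the upgrade can be planned for.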
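Review bot: in PATCH 3/3, the reworded "Fix caching RRSIG covering cached NODATA record" entry no longer says the same thing as the text it replaces. The removed lines describe an RRSIG being cached for a type that already has a cached NODATA record, with the upstream mismatch as the reason the RRSIG arrived; the added lines say "a cached NODATA record was already present for an RRSIG type due to a mismatch of records", which drops the caching of the RRSIG as the trigger and attributes the NODATA record to the mismatch. Suggest wording that keeps the original sequence, such as "If an RRSIG was cached for a type that already had a cached NODATA record, due to a mismatch of records on the upstream nameservers, an assertion failure could be triggered."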