diff --git a/CHANGES b/CHANGES index 420cd05e7f..102387f4ac 100644 --- a/CHANGES +++ b/CHANGES @@ -13,9 +13,6 @@ exceeded, and the XML and JSON statistics version numbers have been updated. (CVE-2022-3094) [GL #3523] -6063. [bug] Revert a change that limited to honour single - read for TLSDNS as it broke XoT. [GL #3772] - 6062. [func] The DSCP implementation, which has been nonfunctional for some time, is now marked as obsolete and the implementation has been removed. @@ -74,7 +71,9 @@ [GL !7206] 5830. [func] Implement incremental resizing of isc_ht hash tables to - perform the rehashing gradually. [GL #3212] + perform the rehashing gradually. The catalog zone + implementation has been optimized to work with hundreds + of thousands of member zones. [GL #3212] [GL #3744] --- 9.18.10 released --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index fe53af064a..3f578888b7 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -35,7 +35,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.18.11.rst .. include:: ../notes/notes-9.18.10.rst .. include:: ../notes/notes-9.18.9.rst .. include:: ../notes/notes-9.18.8.rst diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst index ad0a04f8aa..87fb45b876 100644 --- a/doc/dnssec-guide/introduction.rst +++ b/doc/dnssec-guide/introduction.rst 
@@ -250,7 +250,7 @@ at a very high level, looking up the name ``www.isc.org`` : Let's take a quick break here and look at what we've got so far... how can our server trust this answer? If a clever attacker had taken over - the ``isc.org`` name server(s), or course she would send matching + the ``isc.org`` name server(s), of course she would send matching keys and signatures. We need to ask someone else to have confidence that we are really talking to the real ``isc.org`` name server. This is a critical part of DNSSEC: at some point, the DNS administrators diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.18.11.rst similarity index 57% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.18.11.rst index e58b5ec8d8..3e44dc2d69 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.18.11.rst 
@@ -55,46 +55,54 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- The Differentiated Services Code Point (DSCP) feature in BIND - has been non-operational since the new Network Manager was introduced - in BIND 9.16. It is now marked as obsolete, and vestigial code - implementing it has been removed. Configuring DSCP values in - ``named.conf`` will cause a warning to be logged. :gl:`#3773` +- The Differentiated Services Code Point (DSCP) feature in BIND has been + non-operational since the new Network Manager was introduced in BIND + 9.16. It is now marked as obsolete, and vestigial code implementing it + has been removed. Configuring DSCP values in ``named.conf`` now causes + a warning to be logged. :gl:`#3773` Feature Changes ~~~~~~~~~~~~~~~ -- None. +- The catalog zone implementation has been optimized to work with + hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744` Bug Fixes ~~~~~~~~~ -- TLS session resumption might lead to handshake failures when client - certificates are used for authentication (Mutual TLS). This has - been fixed. :gl:`#3725` +- A rare assertion failure was fixed in outgoing TCP DNS connection + handling. :gl:`#3178` :gl:`#3636` -- When an outgoing request timed out, the ``named`` would retry up to three - times with the same server instead of trying a next available name server. - This has been fixed. :gl:`#3637` +- Large zone transfers over TLS (XoT) could fail. This has been fixed. + :gl:`#3772` -- Recently used ADB names and ADB entries (IP addresses) could get cleaned when - ADB would be under memory pressure. To mitigate this, count only actual ADB - names and ADB entries into the overmem memory limit (exclude internal memory - structures used for "housekeeping") and exclude recently used (<= 10 seconds) - ADB names and entries from the overmem memory cleaner. 
:gl:`#3739` +- In addition to a previously fixed bug, another similar issue was + discovered where quotas could be erroneously reached for servers, + including any configured forwarders, resulting in SERVFAIL answers + being sent to clients. This has been fixed. :gl:`#3752` -- Fix a rare assertion failure in the outgoing TCP DNS connection handling. - :gl:`#3178` :gl:`#3636` +- In certain query resolution scenarios (e.g. when following CNAME + records), :iscman:`named` configured to answer from stale cache could + return a SERVFAIL response despite a usable, non-stale answer being + present in the cache. This has been fixed. :gl:`#3678` -- In addition to a previously fixed bug, another similar issue was discovered - where quotas could be erroneously reached for servers, including any - configured forwarders, resulting in SERVFAIL answers being sent to clients. - This has been fixed. :gl:`#3752` +- When an outgoing request timed out, :iscman:`named` would retry up to + three times with the same server instead of trying the next available + name server. This has been fixed. :gl:`#3637` -- Clients may see an unexpected "Prohibited" extended DNS error when ``named`` - is configured with :any:`allow-recursion`). :gl:`#3743` +- Recently used ADB names and ADB entries (IP addresses) could get + cleaned when ADB was under memory pressure. To mitigate this, only + actual ADB names and ADB entries are now counted (excluding internal + memory structures used for "housekeeping") and recently used (<= 10 + seconds) ADB names and entries are excluded from the overmem memory + cleaner. :gl:`#3739` -- Fix a TLS error that occured with large transfers over XoT. :gl:`#3772` +- The "Prohibited" Extended DNS Error was inadvertently set in some + NOERROR responses. This has been fixed. :gl:`#3743` + +- Previously, TLS session resumption could have led to handshake + failures when client certificates were used for authentication (Mutual + TLS). This has been fixed. 
:gl:`#3725` Known Issues ~~~~~~~~~~~~
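Review bot: Dropping CHANGES entry 6063 leaves GL #3772 without a CHANGES entry, yet the notes-9.18.11.rst hunk in this same patch still credits it with a fix (`- Large zone transfers over TLS (XoT) could fail. This has been fixed.` / `:gl:`#3772``). Either another numbered CHANGES entry covers the XoT fix, in which case please point to it in the commit, or the release-notes bullet should be dropped as well; as written the two files disagree about whether #3772 is part of 9.18.11.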
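Review bot: The catalog-zone optimization appended to CHANGES entry 5830 is a separate user-visible change from the incremental isc_ht resizing that entry describes, and it carries its own issue reference ([GL #3744]); a dedicated entry would keep each CHANGES item to one change and make the matching notes bullet (`:gl:`#3212` :gl:`#3744``) easier to trace. If it must stay under 5830 because the optimization is what the gradual rehashing enabled, make that dependency explicit in the text, e.g. `perform the rehashing gradually, which allows the catalog zone implementation to scale to hundreds of thousands of member zones.`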
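Review bot: The notes-current.rst file is renamed (similarity index 57%) rather than copied, so after this patch `doc/notes/notes-current.rst` no longer exists, and the `.. include:: ../notes/notes-9.18.11.rst` edit in notes.rst is the only reference updated. Confirm that a fresh notes-current.rst is added before further development-cycle changes land, otherwise subsequent release-note additions have no file to go into and an `.. include::` of it would fail to build.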
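Review bot: In the notes-9.18.11.rst hunk, the rewritten :gl:`#3743` bullet drops the trigger condition the old text gave (`when ``named`` is configured with :any:`allow-recursion``) and replaces it with the symptom alone (`inadvertently set in some NOERROR responses`). Removing the stray `)` and the vague "Clients may see" wording is an improvement, but if the `allow-recursion` condition is still accurate it is the detail operators need to judge whether they are affected, so consider keeping it, e.g. `The "Prohibited" Extended DNS Error was inadvertently set in some NOERROR responses when :any:`allow-recursion` is configured.` The remaining bullets read consistently with the new `:iscman:`named`` role and the `occured` typo is gone.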