From 04b41cd54e0e8865529f8dfc84ac1610633493d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 12 Jan 2023 22:11:14 +0100 Subject: [PATCH 1/7] Fix a typo in the DNSSEC Guide --- doc/dnssec-guide/introduction.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst index ad0a04f8aa..87fb45b876 100644 --- a/doc/dnssec-guide/introduction.rst +++ b/doc/dnssec-guide/introduction.rst @@ -250,7 +250,7 @@ at a very high level, looking up the name ``www.isc.org`` : Let's take a quick break here and look at what we've got so far... how can our server trust this answer? If a clever attacker had taken over - the ``isc.org`` name server(s), or course she would send matching + the ``isc.org`` name server(s), of course she would send matching keys and signatures. We need to ask someone else to have confidence that we are really talking to the real ``isc.org`` name server. This is a critical part of DNSSEC: at some point, the DNS administrators From 1bec7e09a3134f5bbcdbeefd1be5e2d2d1294410 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 12 Jan 2023 22:11:14 +0100 Subject: [PATCH 2/7] Update documentation for GL #3212 --- CHANGES | 4 +++- doc/notes/notes-current.rst | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 420cd05e7f..995638ee04 100644 --- a/CHANGES +++ b/CHANGES @@ -74,7 +74,9 @@ [GL !7206] 5830. [func] Implement incremental resizing of isc_ht hash tables to - perform the rehashing gradually. [GL #3212] + perform the rehashing gradually. The catalog zone + implementation has been optimized to work with hundreds + of thousands of member zones. [GL #3212] [GL #3744] --- 9.18.10 released --- diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index e58b5ec8d8..c5892c0d93 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -64,7 +64,8 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- None. +- The catalog zone implementation has been optimized to work with + hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744` Bug Fixes ~~~~~~~~~ From 166523fd619487b16f143621063d5d591e7dcf34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 12 Jan 2023 22:11:14 +0100 Subject: [PATCH 3/7] Prepare release notes for BIND 9.18.11 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.18.11.rst} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename doc/notes/{notes-current.rst => notes-9.18.11.rst} (100%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index fe53af064a..3f578888b7 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -35,7 +35,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.18.11.rst .. include:: ../notes/notes-9.18.10.rst .. include:: ../notes/notes-9.18.9.rst .. include:: ../notes/notes-9.18.8.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.18.11.rst similarity index 100% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.18.11.rst From 828d5d51d0296686849136c4aa721565b9b3184a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 12 Jan 2023 22:11:14 +0100 Subject: [PATCH 4/7] Tweak and reword release notes --- doc/notes/notes-9.18.11.rst | 52 +++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst index c5892c0d93..16a0ffd994 100644 --- a/doc/notes/notes-9.18.11.rst +++ b/doc/notes/notes-9.18.11.rst 
@@ -55,11 +55,11 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- The Differentiated Services Code Point (DSCP) feature in BIND - has been non-operational since the new Network Manager was introduced - in BIND 9.16. It is now marked as obsolete, and vestigial code - implementing it has been removed. Configuring DSCP values in - ``named.conf`` will cause a warning to be logged. :gl:`#3773` +- The Differentiated Services Code Point (DSCP) feature in BIND has been + non-operational since the new Network Manager was introduced in BIND + 9.16. It is now marked as obsolete, and vestigial code implementing it + has been removed. Configuring DSCP values in ``named.conf`` now causes + a warning to be logged. :gl:`#3773` Feature Changes ~~~~~~~~~~~~~~~ 
@@ -70,32 +70,34 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- TLS session resumption might lead to handshake failures when client - certificates are used for authentication (Mutual TLS). This has - been fixed. :gl:`#3725` +- Previously, TLS session resumption could have led to handshake + failures when client certificates were used for authentication (Mutual + TLS). This has been fixed. :gl:`#3725` -- When an outgoing request timed out, the ``named`` would retry up to three - times with the same server instead of trying a next available name server. - This has been fixed. :gl:`#3637` +- When an outgoing request timed out, :iscman:`named` would retry up to + three times with the same server instead of trying the next available + name server. This has been fixed. :gl:`#3637` -- Recently used ADB names and ADB entries (IP addresses) could get cleaned when - ADB would be under memory pressure. To mitigate this, count only actual ADB - names and ADB entries into the overmem memory limit (exclude internal memory - structures used for "housekeeping") and exclude recently used (<= 10 seconds) - ADB names and entries from the overmem memory cleaner. :gl:`#3739` +- Recently used ADB names and ADB entries (IP addresses) could get + cleaned when ADB was under memory pressure. To mitigate this, only + actual ADB names and ADB entries are now counted (excluding internal + memory structures used for "housekeeping") and recently used (<= 10 + seconds) ADB names and entries are excluded from the overmem memory + cleaner. :gl:`#3739` -- Fix a rare assertion failure in the outgoing TCP DNS connection handling. - :gl:`#3178` :gl:`#3636` +- A rare assertion failure was fixed in outgoing TCP DNS connection + handling. :gl:`#3178` :gl:`#3636` -- In addition to a previously fixed bug, another similar issue was discovered - where quotas could be erroneously reached for servers, including any - configured forwarders, resulting in SERVFAIL answers being sent to clients. - This has been fixed. 
:gl:`#3752` +- In addition to a previously fixed bug, another similar issue was + discovered where quotas could be erroneously reached for servers, + including any configured forwarders, resulting in SERVFAIL answers + being sent to clients. This has been fixed. :gl:`#3752` -- Clients may see an unexpected "Prohibited" extended DNS error when ``named`` - is configured with :any:`allow-recursion`). :gl:`#3743` +- The "Prohibited" Extended DNS Error was inadvertently set in some + NOERROR responses. This has been fixed. :gl:`#3743` -- Fix a TLS error that occured with large transfers over XoT. :gl:`#3772` +- Large zone transfers over TLS (XoT) could fail. This has been fixed. + :gl:`#3772` Known Issues ~~~~~~~~~~~~ From 3fcc0212941c26904d3f222dfa2e6ac820e6aed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 12 Jan 2023 22:11:14 +0100 Subject: [PATCH 5/7] Reorder release notes --- doc/notes/notes-9.18.11.rst | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst index 16a0ffd994..d0cc062f4f 100644 --- a/doc/notes/notes-9.18.11.rst +++ b/doc/notes/notes-9.18.11.rst 
@@ -70,9 +70,16 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- Previously, TLS session resumption could have led to handshake - failures when client certificates were used for authentication (Mutual - TLS). This has been fixed. :gl:`#3725` +- A rare assertion failure was fixed in outgoing TCP DNS connection + handling. :gl:`#3178` :gl:`#3636` + +- Large zone transfers over TLS (XoT) could fail. This has been fixed. + :gl:`#3772` + +- In addition to a previously fixed bug, another similar issue was + discovered where quotas could be erroneously reached for servers, + including any configured forwarders, resulting in SERVFAIL answers + being sent to clients. This has been fixed. :gl:`#3752` - When an outgoing request timed out, :iscman:`named` would retry up to three times with the same server instead of trying the next available @@ -85,19 +92,12 @@ Bug Fixes seconds) ADB names and entries are excluded from the overmem memory cleaner. :gl:`#3739` -- A rare assertion failure was fixed in outgoing TCP DNS connection - handling. :gl:`#3178` :gl:`#3636` - -- In addition to a previously fixed bug, another similar issue was - discovered where quotas could be erroneously reached for servers, - including any configured forwarders, resulting in SERVFAIL answers - being sent to clients. This has been fixed. :gl:`#3752` - - The "Prohibited" Extended DNS Error was inadvertently set in some NOERROR responses. This has been fixed. :gl:`#3743` -- Large zone transfers over TLS (XoT) could fail. This has been fixed. - :gl:`#3772` +- Previously, TLS session resumption could have led to handshake + failures when client certificates were used for authentication (Mutual + TLS). This has been fixed. :gl:`#3725` Known Issues ~~~~~~~~~~~~ From c9012706701b0e01ab454cc4ce1b45851e4920ed Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 12 Jan 2023 22:11:14 +0100 Subject: [PATCH 6/7] Add release note for GL #3678 --- doc/notes/notes-9.18.11.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst index d0cc062f4f..3e44dc2d69 100644 --- a/doc/notes/notes-9.18.11.rst +++ b/doc/notes/notes-9.18.11.rst @@ -81,6 +81,11 @@ Bug Fixes including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. :gl:`#3752` +- In certain query resolution scenarios (e.g. when following CNAME + records), :iscman:`named` configured to answer from stale cache could + return a SERVFAIL response despite a usable, non-stale answer being + present in the cache. This has been fixed. :gl:`#3678` + - When an outgoing request timed out, :iscman:`named` would retry up to three times with the same server instead of trying the next available name server. This has been fixed. :gl:`#3637` From 3b4a34ccb9458eebd41fc868a3d1894b1dc15a9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 12 Jan 2023 22:11:14 +0100 Subject: [PATCH 7/7] Remove reused CHANGES entry Changes entry 6063 was added to the v9_18 branch (by commit cb3990001fb2ce978a44cc9d03b679cf626d03b1) without an associated placeholder in the main branch. The same entry number was subsequently reused for a different change in the main branch (by commit 41870dccbae3872154d5a6a76d70b5cb40d82c05). To prevent confusion, remove the entry from the v9_18 branch as the original code change whose reversal is mentioned in entry 6063 was not accompanied by its own CHANGES entry. --- CHANGES | 3 --- 1 file changed, 3 deletions(-) diff --git a/CHANGES b/CHANGES index 995638ee04..102387f4ac 100644 --- a/CHANGES +++ b/CHANGES 
@@ -13,9 +13,6 @@ exceeded, and the XML and JSON statistics version numbers have been updated. (CVE-2022-3094) [GL #3523] -6063. [bug] Revert a change that limited to honour single - read for TLSDNS as it broke XoT. [GL #3772] - 6062. [func] The DSCP implementation, which has been nonfunctional for some time, is now marked as obsolete and the implementation has been removed.
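Review bot: the include hunk in PATCH 3/7 (doc/arm/notes.rst) swaps `.. include:: ../notes/notes-current.rst` for `.. include:: ../notes/notes-9.18.11.rst`, and the rename turns `notes-current.rst` into `notes-9.18.11.rst`, but nothing in the series recreates an empty `doc/notes/notes-current.rst` or restores its include line. Until that placeholder exists again, the next change needing a release note has no file to edit; either add a follow-up commit that restores it, or state in the PATCH 3/7 message that dropping the placeholder is intentional for this branch.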
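Review bot: in the Bug Fixes hunk of PATCH 4/7, "Previously, TLS session resumption could have led to handshake failures" mixes "Previously" with the perfect conditional; "could lead to" reads more naturally and matches the tense used by "Large zone transfers over TLS (XoT) could fail" in the same hunk. In the same hunk, the :gl:`#3743` entry is rewritten from "Clients may see an unexpected "Prohibited" extended DNS error when ``named`` is configured with :any:`allow-recursion`)" (which also had a stray closing parenthesis) to "The "Prohibited" Extended DNS Error was inadvertently set in some NOERROR responses"; the new wording drops the :any:`allow-recursion` condition entirely, so please confirm the rewritten scope still describes when users actually hit the bug, or keep the configuration condition in the note.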
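Review bot: the two hunks in PATCH 5/7 move the TCP assertion failure, XoT, and quota entries to the top of Bug Fixes and the TLS session resumption entry to the bottom, but the subject "Reorder release notes" gives no criterion for the new order. A sentence in the commit message stating the ordering rule (for example, by user impact) would let the entry added in PATCH 6/7 and future notes be placed consistently rather than by guesswork.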
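Review bot: after the CHANGES hunk in PATCH 7/7 removes entry 6063 ("Revert a change that limited to honour single read for TLSDNS as it broke XoT. [GL #3772]"), CHANGES no longer references GL #3772 at all, while doc/notes/notes-9.18.11.rst, as reworded in PATCH 4/7, still carries "Large zone transfers over TLS (XoT) could fail. This has been fixed. :gl:`#3772`". The commit message explains why the CHANGES entry goes, but since the two files normally agree, add a line there saying the user-facing release note is kept on purpose, so a later cleanup does not remove it by mistake.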