diff --git a/CHANGES b/CHANGES index f6bf029d52..3db805e339 100644 --- a/CHANGES +++ b/CHANGES 
@@ -16,88 +16,107 @@ 5639. [bug] Check that the first and last SOA record of an AXFR are consistent. [GL #2528] + --- 9.17.13 released --- + 5638. [bug] Improvements related to network manager/task manager integration: - - added isc_managers_create() and _destroy() functions - to handle setup and teardown of netmgr, taskmgr, - timermgr and socketmgr since these require a - precise order of operations now. - - event queue processing is now quantized to prevent + - isc_managers_create() and isc_managers_destroy() + functions were added to handle setup and teardown of + netmgr, taskmgr, timermgr, and socketmgr, since these + require a precise order of operations now. + - Event queue processing is now quantized to prevent infinite looping. - - the netmgr can now be paused from within a netmgr + - The netmgr can now be paused from within a netmgr thread. - - fixed deadlocks due to conflict between netmgr - pause/resume and listen/stoplistening operations. + - Deadlocks due to a conflict between netmgr's + pause/resume and listen/stoplistening operations were + fixed. [GL #2654] 5637. [placeholder] -5636. [bug] Check that zone files for 'dnssec-policy' zones are - only referenced once in 'named.conf'. [GL #2603] +5636. [bug] named and named-checkconf did not report an error when + multiple zones with the "dnssec-policy" option set were + using the same zone file. This has been fixed. + [GL #2603] 5635. [bug] Journal compaction could fail when a journal with - invalid transaction headers was not detected at - startup. [GL #2670] + invalid transaction headers was not detected at startup. + This has been fixed. [GL #2670] -5634. [bug] Don't roll keys when the private key file is offline. - [GL #2596] +5634. [bug] If "dnssec-policy" was active and a private key file was + temporarily offline during a rekey event, named could + incorrectly introduce replacement keys and break a + signed zone. This has been fixed. [GL #2596] -5633. 
[doc] Inline-signing was incorrectly described as being - inherited from the options / view levels and was +5633. [doc] The "inline-signing" option was incorrectly described as + being inherited from the "options"/"view" levels and was incorrectly accepted at those levels without effect. - This has been corrected. [GL #2536] + This has been fixed. [GL #2536] -5632. [func] Add built-in dnssec-policy "insecure". This is used to - transition a zone from a signed state to a unsigned - state. [GL #2645] +5632. [func] Add a new built-in KASP, "insecure", which is used to + transition a zone from a signed to an unsigned state. + The existing built-in KASP "none" should no longer be + used to unsign a zone. [GL #2645] -5631. [bug] Update ZONEMD to match RFC 8976. [GL #2658] +5631. [protocol] Update the implementation of the ZONEMD RR type to match + RFC 8976. [GL #2658] -5630. [func] Treat DNSSEC responses with NSEC3 iterations greater - than 150 as insecure. [GL #2445] +5630. [func] Treat DNSSEC responses containing NSEC3 records with + iteration counts greater than 150 as insecure. + [GL #2445] -5629. [func] Reduce the supported maximum number of iterations - that can be configured in an NSEC3 zone to 150. - [GL #2642] +5629. [func] Reduce the maximum supported number of NSEC3 iterations + that can be configured for a zone to 150. [GL #2642] -5628. [bug] Host and nslookup could die on SERVFAIL response. - [GL #2564] +5628. [bug] Host and nslookup could crash upon receiving a SERVFAIL + response. This has been fixed. [GL #2564] -5627. [bug] RRSIG(SOA) RRsets placed anywhere else than at zone apex - were triggering infinite resigning loops. This has been - fixed. [GL #2650] +5627. [bug] RRSIG(SOA) RRsets placed anywhere other than at the zone + apex were triggering infinite resigning loops. This has + been fixed. [GL #2650] -5626. [bug] When generating new keys, check for keyid conflicts - between new keys too. [GL #2628] +5626. 
[bug] When generating zone signing keys, KASP now also checks + for key ID conflicts among newly created keys, rather + than just between new and existing ones. [GL #2628] -5625. [bug] Address deadlock between rndc addzone/delzone. - [GL #2626] +5625. [bug] A deadlock could occur when multiple "rndc addzone", + "rndc delzone", and/or "rndc modzone" commands were + invoked simultaneously for different zones. This has + been fixed. [GL #2626] -5624. [func] Remove the taskmgr dispatch threads and run the tasks - on top of netmgr loops. [GL #2638] +5624. [func] Task manager events are now processed inside network + manager loops. The task manager no longer needs its own + set of worker threads, which improves resolver + performance. [GL #2638] -5623. [bug] Prevent double xfrin_fail() call when shutting down - the server during ongoing transfer. [GL #2630] +5623. [bug] When named was shut down during an ongoing zone + transfer, xfrin_fail() could incorrectly be called + twice. This has been fixed. [GL #2630] -5622. [cleanup] Remove lib/samples, since export versions of libraries - are no longer maintained. [GL !4835] +5622. [cleanup] The lib/samples/ directory has been removed, as export + versions of libraries are no longer maintained. + [GL !4835] 5621. [placeholder] -5620. [bug] Named would overwrite a zone file unconditionally when - it recovered from a corrupted journal. [GL #2623] +5620. [bug] If zone journal files written by BIND 9.16.11 or earlier + were present when BIND was upgraded, the zone file for + that zone could have been inadvertently rewritten with + the current zone contents. This caused the original zone + file structure (e.g. comments, $INCLUDE directives) to + be lost, although the zone data itself was preserved. + This has been fixed. [GL #2623] 5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the protocol such that NSEC(3) TTL values are set to the - minimum of the SOA MINIMUM value and the SOA TTL. 
+ minimum of the SOA MINIMUM value or the SOA TTL. [GL #2347] -5618. [bug] When introducing change 5149, "rndc dumpdb" started - to print a line above a stale RRset, indicating how - long the data will be retained. Also, TTLs were - increased with 'max-stale-ttl'. This could lead to - nonsensical values and both issues have been fixed. - [GL #389] [GL #2289] +5618. [bug] Change 5149 introduced some inconsistencies in the way + record TTLs were presented in cache dumps. These + inconsistencies have been eliminated. [GL #389] + [GL #2289] --- 9.17.12 released --- diff --git a/configure.ac b/configure.ac index 013597bdc9..9b99141419 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 12)dnl +m4_define([bind_VERSION_PATCH], 13)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index c2f4bdaf56..0a526d7cad 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.13.rst .. include:: ../notes/notes-9.17.12.rst .. include:: ../notes/notes-9.17.11.rst .. include:: ../notes/notes-9.17.10.rst diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index 1d45c039f3..6fc52e06c0 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst 
@@ -1098,7 +1098,7 @@ Then use ``rndc reload`` to reload the zone. The "insecure" policy is a built-in policy (like "default"). It will make sure the zone is still DNSSEC maintained, to allow for a graceful transition to -unsigned, +unsigned. When the DS records have been removed from the parent zone, use ``rndc dnssec -checkds -key withdrawn example.com`` to tell ``named`` that diff --git a/doc/notes/notes-9.17.13.rst b/doc/notes/notes-9.17.13.rst new file mode 100644 index 0000000000..1166f4f0a8 --- /dev/null +++ b/doc/notes/notes-9.17.13.rst 
@@ -0,0 +1,83 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.13 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- DNSSEC responses containing NSEC3 records with iteration counts + greater than 150 are now treated as insecure. :gl:`#2445` + +- The maximum supported number of NSEC3 iterations that can be + configured for a zone has been reduced to 150. :gl:`#2642` + +- After the network manager was introduced to ``named`` to handle + incoming traffic, it was discovered that recursive performance had + degraded compared to previous BIND 9 versions. This has now been + fixed by processing internal tasks inside network manager worker + threads, preventing resource contention among two sets of threads. + :gl:`#2638` + +- Zones that want to transition from secure to insecure mode without + becoming bogus in the process must now have their ``dnssec-policy`` + changed first to ``insecure``, rather than ``none``. After the DNSSEC + records have been removed from the zone, the ``dnssec-policy`` can be + set to ``none`` or removed from the configuration. Setting the + ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE + records to be published. :gl:`#2645` + +- The implementation of the ZONEMD RR type has been updated to match + :rfc:`8976`. :gl:`#2658` + +- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: + NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value + or the SOA TTL. 
:gl:`#2347` + +Bug Fixes +~~~~~~~~~ + +- If zone journal files written by BIND 9.16.11 or earlier were present + when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file + for that zone could have been inadvertently rewritten with the current + zone contents. This caused the original zone file structure (e.g. + comments, ``$INCLUDE`` directives) to be lost, although the zone data + itself was preserved. :gl:`#2623` + +- It was possible for corrupt journal files generated by an earlier + version of ``named`` to cause problems after an upgrade. This has been + fixed. :gl:`#2670` + +- TTL values in cache dumps were reported incorrectly when + ``stale-cache-enable`` was set to ``yes``. This has been fixed. + :gl:`#389` :gl:`#2289` + +- A deadlock could occur when multiple ``rndc addzone``, ``rndc + delzone``, and/or ``rndc modzone`` commands were invoked + simultaneously for different zones. This has been fixed. :gl:`#2626` + +- ``inline-signing`` was incorrectly described as being inherited from + the ``options``/``view`` levels and was incorrectly accepted at those + levels without effect. This has been fixed; ``named.conf`` files with + ``inline-signing`` at those levels no longer load. :gl:`#2536` + +- ``named`` and ``named-checkconf`` did not report an error when + multiple zones with the ``dnssec-policy`` option set were using the + same zone file. This has been fixed. :gl:`#2603` + +- If ``dnssec-policy`` was active and a private key file was temporarily + offline during a rekey event, ``named`` could incorrectly introduce + replacement keys and break a signed zone. This has been fixed. + :gl:`#2596` + +- When generating zone signing keys, KASP now also checks for key ID + conflicts among newly created keys, rather than just between new and + existing ones. :gl:`#2628` diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 71368b7ba7..8911e6ebf7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -8,7 +8,7 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.13 +Notes for BIND 9.17.14 ---------------------- Security Fixes @@ -41,31 +41,7 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to - the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347` - -- Reduce the supported maximum number of iterations that can be - configured in an NSEC3 zones to 150. :gl:`#2642` - -- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure. - :gl:`#2445` - -- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to - the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347` - -- Zones that want to transition from secure to insecure mode without making it - bogus in the process should now first change their ``dnssec-policy`` to - ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have - been removed from the zone (in a timely manner), the ``dnssec-policy`` can - be set to ``none`` (or be removed from the configuration). Setting the - ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records - to be published. :gl:`#2645` - -- ``inline-signing`` was incorrectly described as being inherited from the - ``options`` or ``view`` levels and was incorrectly accepted at those levels - without effect. This has been corrected, ``named.conf`` files with - ``inline-signing`` at those levels will no longer load with this fix applied. - :gl:`#2536` +- None. Bug Fixes ~~~~~~~~~ 
@@ -73,35 +49,6 @@ Bug Fixes - Fix a race condition in reading and writing key files for KASP zones in multiple views. :gl:`#1875` -- When dumping the cache to file, TTLs were being increased with - ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical - values if the RRset was still marked a stale but the ``max-stale-ttl`` has - passed (and is actually an RRset awaiting cleanup). Both issues have now - been fixed. :gl:`#389` :gl:`#2289` - -- ``named`` would overwrite a zone file unconditionally when it recovered from - a corrupted journal. :gl:`#2623` - -- After the networking manager was introduced to ``named`` to handle - incoming traffic, it was discovered that the recursive performance had been - degraded compared to the previous version (9.11). This has been now fixed by - running internal tasks inside the networking manager worker threads, so - they do not compete for resources. :gl:`#2638` - -- With ``dnssec-policy``, when creating new keys also check for keyid conflicts - between the new keys too. :gl:`#2628` - -- Update ZONEMD to match RFC 8976. :gl:`#2658` - -- With ``dnssec-policy```, don't roll keys if the private key file is offline. - :gl:`#2596` - -- Journal compaction could fail when a journal with invalid transaction - headers was not detected at startup. :gl:`#2670` - -- ``named-checkconf`` now complains if zones with ``dnssec-policy`` reference - the same zone file more than once. :gl:`#2603` - - Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple views with different ``dnssec-policy``. Using the same ``key-directory`` for such zones is not allowed. :gl:`#2463`
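Review bot: in the CHANGES hunk, the reworded entry 5619 now says NSEC(3) TTLs are set to "the minimum of the SOA MINIMUM value or the SOA TTL"; a minimum is taken over both values, so the original "and" (or "the lower of the SOA MINIMUM value and the SOA TTL") is the more precise wording, and the same "or" phrasing is repeated in the new notes-9.17.13.rst bullet for :gl:`#2347`, so both should be adjusted together. Separately, entry 5633 closes with just "This has been fixed." while the matching release note for :gl:`#2536` states the operator-visible consequence that ``named.conf`` files with ``inline-signing`` at the ``options``/``view`` levels no longer load; that is a configuration-breaking change, so the CHANGES entry should carry the same sentence.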
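Review bot: the new doc/notes/notes-9.17.13.rst omits several user-visible changes that CHANGES lists between the 9.17.12 and 9.17.13 release markers: 5628 (host and nslookup could crash on a SERVFAIL response, GL #2564), 5627 (RRSIG(SOA) RRsets outside the zone apex triggered infinite resigning loops, GL #2650), 5623 (xfrin_fail() called twice when named shuts down during a transfer, GL #2630) and 5638 (netmgr/taskmgr deadlock fixes, GL #2654); please add them under Bug Fixes or confirm they are intentionally left out. Two smaller points in the same hunk: "preventing resource contention among two sets of threads" should read "between two sets of threads", and the :gl:`#2670` bullet ("could cause problems after an upgrade") is vaguer than CHANGES 5635, which names the actual failure (journal compaction failing when a journal with invalid transaction headers was not detected at startup); carrying that detail over helps operators recognise the symptom.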
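Review bot: in the second notes-current.rst hunk (@@ -73,35 +49,6 @@), the removed :gl:`#2638` bullet sat under Bug Fixes and described a recursive performance regression relative to 9.11, but the new notes-9.17.13.rst places it under Feature Changes and drops the 9.11 comparison. That matches the [func] tag on CHANGES 5624, but operators looking for the performance regression fix will scan Bug Fixes first, so consider either keeping it under Bug Fixes or retaining the "compared to the previous version (9.11)" wording so the regression stays searchable.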