From 15a345626ab1734af1cafb0aed8bb86ea56caa24 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Wed, 5 May 2021 14:30:19 +0200 Subject: [PATCH 01/10] Fix typo in doc/dnssec-guide/recipes.rst --- doc/dnssec-guide/recipes.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index 1d45c039f3..6fc52e06c0 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst @@ -1098,7 +1098,7 @@ Then use ``rndc reload`` to reload the zone. The "insecure" policy is a built-in policy (like "default"). It will make sure the zone is still DNSSEC maintained, to allow for a graceful transition to -unsigned, +unsigned. When the DS records have been removed from the parent zone, use ``rndc dnssec -checkds -key withdrawn example.com`` to tell ``named`` that From ab6060c5380d4d2a13a95710e82e0f70fad957e1 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 6 May 2021 19:37:41 +0200 Subject: [PATCH 02/10] Drop duplicate release note for GL #2347 --- doc/notes/notes-current.rst | 3 --- 1 file changed, 3 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 71368b7ba7..c4f32e88e7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -50,9 +50,6 @@ Feature Changes - Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure. :gl:`#2445` -- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to - the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347` - - Zones that want to transition from secure to insecure mode without making it bogus in the process should now first change their ``dnssec-policy`` to ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have From 43cbc773a7a1b23ce07a23ae47a8c6256490c39d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 11 May 2021 23:28:48 +0200 Subject: [PATCH 03/10] Tweak and reword recent CHANGES entries --- CHANGES | 117 ++++++++++++++++++++++++++++++++------------------------ 1 file changed, 67 insertions(+), 50 deletions(-) diff --git a/CHANGES b/CHANGES index f6bf029d52..a2132c8d32 100644 --- a/CHANGES +++ b/CHANGES @@ -18,86 +18,103 @@ 5638. [bug] Improvements related to network manager/task manager integration: - - added isc_managers_create() and _destroy() functions - to handle setup and teardown of netmgr, taskmgr, - timermgr and socketmgr since these require a - precise order of operations now. - - event queue processing is now quantized to prevent + - isc_managers_create() and isc_managers_destroy() + functions were added to handle setup and teardown of + netmgr, taskmgr, timermgr, and socketmgr, since these + require a precise order of operations now. + - Event queue processing is now quantized to prevent infinite looping. - - the netmgr can now be paused from within a netmgr + - The netmgr can now be paused from within a netmgr thread. - - fixed deadlocks due to conflict between netmgr - pause/resume and listen/stoplistening operations. + - Deadlocks due to a conflict between netmgr's + pause/resume and listen/stoplistening operations were + fixed. [GL #2654] 5637. [placeholder] -5636. [bug] Check that zone files for 'dnssec-policy' zones are - only referenced once in 'named.conf'. [GL #2603] +5636. [bug] named and named-checkconf did not report an error when + multiple zones with the "dnssec-policy" option set were + using the same zone file. This has been fixed. + [GL #2603] 5635. [bug] Journal compaction could fail when a journal with - invalid transaction headers was not detected at - startup. [GL #2670] + invalid transaction headers was not detected at startup. + This has been fixed. [GL #2670] -5634. [bug] Don't roll keys when the private key file is offline. - [GL #2596] +5634. [bug] If "dnssec-policy" was active and a private key file was + temporarily offline during a rekey event, named could + incorrectly introduce replacement keys and break a + signed zone. This has been fixed. [GL #2596] -5633. [doc] Inline-signing was incorrectly described as being - inherited from the options / view levels and was +5633. [doc] The "inline-signing" option was incorrectly described as + being inherited from the "options"/"view" levels and was incorrectly accepted at those levels without effect. - This has been corrected. [GL #2536] + This has been fixed. [GL #2536] -5632. [func] Add built-in dnssec-policy "insecure". This is used to - transition a zone from a signed state to a unsigned - state. [GL #2645] +5632. [func] Add a new built-in KASP, "insecure", which is used to + transition a zone from a signed to an unsigned state. + The existing built-in KASP "none" should no longer be + used to unsign a zone. [GL #2645] -5631. [bug] Update ZONEMD to match RFC 8976. [GL #2658] +5631. [protocol] Update the implementation of the ZONEMD RR type to match + RFC 8976. [GL #2658] -5630. [func] Treat DNSSEC responses with NSEC3 iterations greater - than 150 as insecure. [GL #2445] +5630. [func] Treat DNSSEC responses containing NSEC3 records with + iteration counts greater than 150 as insecure. + [GL #2445] -5629. [func] Reduce the supported maximum number of iterations - that can be configured in an NSEC3 zone to 150. - [GL #2642] +5629. [func] Reduce the maximum supported number of NSEC3 iterations + that can be configured for a zone to 150. [GL #2642] -5628. [bug] Host and nslookup could die on SERVFAIL response. - [GL #2564] +5628. [bug] Host and nslookup could crash upon receiving a SERVFAIL + response. This has been fixed. [GL #2564] -5627. [bug] RRSIG(SOA) RRsets placed anywhere else than at zone apex - were triggering infinite resigning loops. This has been - fixed. [GL #2650] +5627. [bug] RRSIG(SOA) RRsets placed anywhere other than at the zone + apex were triggering infinite resigning loops. This has + been fixed. [GL #2650] -5626. [bug] When generating new keys, check for keyid conflicts - between new keys too. [GL #2628] +5626. [bug] When generating zone signing keys, KASP now also checks + for key ID conflicts among newly created keys, rather + than just between new and existing ones. [GL #2628] -5625. [bug] Address deadlock between rndc addzone/delzone. - [GL #2626] +5625. [bug] A deadlock could occur when multiple "rndc addzone", + "rndc delzone", and/or "rndc modzone" commands were + invoked simultaneously for different zones. This has + been fixed. [GL #2626] -5624. [func] Remove the taskmgr dispatch threads and run the tasks - on top of netmgr loops. [GL #2638] +5624. [func] Task manager events are now processed inside network + manager loops. The task manager no longer needs its own + set of worker threads, which improves resolver + performance. [GL #2638] -5623. [bug] Prevent double xfrin_fail() call when shutting down - the server during ongoing transfer. [GL #2630] +5623. [bug] When named was shut down during an ongoing zone + transfer, xfrin_fail() could incorrectly be called + twice. This has been fixed. [GL #2630] -5622. [cleanup] Remove lib/samples, since export versions of libraries - are no longer maintained. [GL !4835] +5622. [cleanup] The lib/samples/ directory has been removed, as export + versions of libraries are no longer maintained. + [GL !4835] 5621. [placeholder] -5620. [bug] Named would overwrite a zone file unconditionally when - it recovered from a corrupted journal. [GL #2623] +5620. [bug] If zone journal files written by BIND 9.16.11 or earlier + were present when BIND was upgraded, the zone file for + that zone could have been inadvertently rewritten with + the current zone contents. This caused the original zone + file structure (e.g. comments, $INCLUDE directives) to + be lost, although the zone data itself was preserved. + This has been fixed. [GL #2623] 5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the protocol such that NSEC(3) TTL values are set to the - minimum of the SOA MINIMUM value and the SOA TTL. + minimum of the SOA MINIMUM value or the SOA TTL. [GL #2347] -5618. [bug] When introducing change 5149, "rndc dumpdb" started - to print a line above a stale RRset, indicating how - long the data will be retained. Also, TTLs were - increased with 'max-stale-ttl'. This could lead to - nonsensical values and both issues have been fixed. - [GL #389] [GL #2289] +5618. [bug] Change 5149 introduced some inconsistencies in the way + record TTLs were presented in cache dumps. These + inconsistencies have been eliminated. [GL #389] + [GL #2289] --- 9.17.12 released --- From ced6c9b23a13532ab9b4a8b81e48310aa573bbfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 11 May 2021 23:28:48 +0200 Subject: [PATCH 04/10] Tweak and reword release notes --- doc/notes/notes-current.rst | 85 ++++++++++++++++++++----------------- 1 file changed, 47 insertions(+), 38 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c4f32e88e7..3218cb9e3a 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -41,28 +41,28 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to - the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347` +- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: + NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value + or the SOA TTL. :gl:`#2347` -- Reduce the supported maximum number of iterations that can be - configured in an NSEC3 zones to 150. :gl:`#2642` +- The maximum supported number of NSEC3 iterations that can be + configured for a zone has been reduced to 150. :gl:`#2642` -- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure. - :gl:`#2445` +- DNSSEC responses containing NSEC3 records with iteration counts + greater than 150 are now treated as insecure. :gl:`#2445` -- Zones that want to transition from secure to insecure mode without making it - bogus in the process should now first change their ``dnssec-policy`` to - ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have - been removed from the zone (in a timely manner), the ``dnssec-policy`` can - be set to ``none`` (or be removed from the configuration). Setting the - ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records - to be published. :gl:`#2645` +- Zones that want to transition from secure to insecure mode without + becoming bogus in the process must now have their ``dnssec-policy`` + changed first to ``insecure``, rather than ``none``. After the DNSSEC + records have been removed from the zone, the ``dnssec-policy`` can be + set to ``none`` or removed from the configuration. Setting the + ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE + records to be published. :gl:`#2645` -- ``inline-signing`` was incorrectly described as being inherited from the - ``options`` or ``view`` levels and was incorrectly accepted at those levels - without effect. This has been corrected, ``named.conf`` files with - ``inline-signing`` at those levels will no longer load with this fix applied. - :gl:`#2536` +- ``inline-signing`` was incorrectly described as being inherited from + the ``options``/``view`` levels and was incorrectly accepted at those + levels without effect. This has been fixed; ``named.conf`` files with + ``inline-signing`` at those levels no longer load. :gl:`#2536` Bug Fixes ~~~~~~~~~ @@ -70,34 +70,43 @@ Bug Fixes - Fix a race condition in reading and writing key files for KASP zones in multiple views. :gl:`#1875` -- When dumping the cache to file, TTLs were being increased with - ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical - values if the RRset was still marked a stale but the ``max-stale-ttl`` has - passed (and is actually an RRset awaiting cleanup). Both issues have now - been fixed. :gl:`#389` :gl:`#2289` +- TTL values in cache dumps were reported incorrectly when + ``stale-cache-enable`` was set to ``yes``. This has been fixed. + :gl:`#389` :gl:`#2289` -- ``named`` would overwrite a zone file unconditionally when it recovered from - a corrupted journal. :gl:`#2623` +- If zone journal files written by BIND 9.16.11 or earlier were present + when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file + for that zone could have been inadvertently rewritten with the current + zone contents. This caused the original zone file structure (e.g. + comments, ``$INCLUDE`` directives) to be lost, although the zone data + itself was preserved. :gl:`#2623` -- After the networking manager was introduced to ``named`` to handle - incoming traffic, it was discovered that the recursive performance had been - degraded compared to the previous version (9.11). This has been now fixed by - running internal tasks inside the networking manager worker threads, so - they do not compete for resources. :gl:`#2638` +- After the network manager was introduced to ``named`` to handle + incoming traffic, it was discovered that recursive performance had + degraded compared to previous BIND 9 versions. This has now been + fixed by processing internal tasks inside network manager worker + threads, preventing resource contention among two sets of threads. + :gl:`#2638` -- With ``dnssec-policy``, when creating new keys also check for keyid conflicts - between the new keys too. :gl:`#2628` +- When generating zone signing keys, KASP now also checks for key ID + conflicts among newly created keys, rather than just between new and + existing ones. :gl:`#2628` -- Update ZONEMD to match RFC 8976. :gl:`#2658` +- The implementation of the ZONEMD RR type has been updated to match + :rfc:`8976`. :gl:`#2658` -- With ``dnssec-policy```, don't roll keys if the private key file is offline. +- If ``dnssec-policy`` was active and the private key file was + temporarily offline during a rekey event, ``named`` could introduce + replacement keys and break a signed zone. This has been fixed. :gl:`#2596` -- Journal compaction could fail when a journal with invalid transaction - headers was not detected at startup. :gl:`#2670` +- It was possible for corrupt journal files generated by an earlier + version of ``named`` to cause problems after an upgrade. This has been + fixed. :gl:`#2670` -- ``named-checkconf`` now complains if zones with ``dnssec-policy`` reference - the same zone file more than once. :gl:`#2603` +- ``named`` and ``named-checkconf`` did not report an error when + multiple zones with the ``dnssec-policy`` option set were using the + same zone file. This has been fixed. :gl:`#2603` - Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple views with different ``dnssec-policy``. Using the same ``key-directory`` for From 620cccc3fc0ba843657f53442d627086667ae84d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 11 May 2021 23:28:48 +0200 Subject: [PATCH 05/10] Reorder release notes --- doc/notes/notes-current.rst | 70 ++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 3218cb9e3a..9e95a3725c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -41,15 +41,18 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: - NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value - or the SOA TTL. :gl:`#2347` +- DNSSEC responses containing NSEC3 records with iteration counts + greater than 150 are now treated as insecure. :gl:`#2445` - The maximum supported number of NSEC3 iterations that can be configured for a zone has been reduced to 150. :gl:`#2642` -- DNSSEC responses containing NSEC3 records with iteration counts - greater than 150 are now treated as insecure. :gl:`#2445` +- After the network manager was introduced to ``named`` to handle + incoming traffic, it was discovered that recursive performance had + degraded compared to previous BIND 9 versions. This has now been + fixed by processing internal tasks inside network manager worker + threads, preventing resource contention among two sets of threads. + :gl:`#2638` - Zones that want to transition from secure to insecure mode without becoming bogus in the process must now have their ``dnssec-policy`` @@ -59,21 +62,16 @@ Feature Changes ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE records to be published. :gl:`#2645` -- ``inline-signing`` was incorrectly described as being inherited from - the ``options``/``view`` levels and was incorrectly accepted at those - levels without effect. This has been fixed; ``named.conf`` files with - ``inline-signing`` at those levels no longer load. :gl:`#2536` +- The implementation of the ZONEMD RR type has been updated to match + :rfc:`8976`. :gl:`#2658` + +- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: + NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value + or the SOA TTL. :gl:`#2347` Bug Fixes ~~~~~~~~~ -- Fix a race condition in reading and writing key files for KASP zones in - multiple views. :gl:`#1875` - -- TTL values in cache dumps were reported incorrectly when - ``stale-cache-enable`` was set to ``yes``. This has been fixed. - :gl:`#389` :gl:`#2289` - - If zone journal files written by BIND 9.16.11 or earlier were present when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file for that zone could have been inadvertently rewritten with the current @@ -81,33 +79,35 @@ Bug Fixes comments, ``$INCLUDE`` directives) to be lost, although the zone data itself was preserved. :gl:`#2623` -- After the network manager was introduced to ``named`` to handle - incoming traffic, it was discovered that recursive performance had - degraded compared to previous BIND 9 versions. This has now been - fixed by processing internal tasks inside network manager worker - threads, preventing resource contention among two sets of threads. - :gl:`#2638` - -- When generating zone signing keys, KASP now also checks for key ID - conflicts among newly created keys, rather than just between new and - existing ones. :gl:`#2628` - -- The implementation of the ZONEMD RR type has been updated to match - :rfc:`8976`. :gl:`#2658` - -- If ``dnssec-policy`` was active and the private key file was - temporarily offline during a rekey event, ``named`` could introduce - replacement keys and break a signed zone. This has been fixed. - :gl:`#2596` - - It was possible for corrupt journal files generated by an earlier version of ``named`` to cause problems after an upgrade. This has been fixed. :gl:`#2670` +- TTL values in cache dumps were reported incorrectly when + ``stale-cache-enable`` was set to ``yes``. This has been fixed. + :gl:`#389` :gl:`#2289` + +- ``inline-signing`` was incorrectly described as being inherited from + the ``options``/``view`` levels and was incorrectly accepted at those + levels without effect. This has been fixed; ``named.conf`` files with + ``inline-signing`` at those levels no longer load. :gl:`#2536` + - ``named`` and ``named-checkconf`` did not report an error when multiple zones with the ``dnssec-policy`` option set were using the same zone file. This has been fixed. :gl:`#2603` +- If ``dnssec-policy`` was active and a private key file was temporarily + offline during a rekey event, ``named`` could incorrectly introduce + replacement keys and break a signed zone. This has been fixed. + :gl:`#2596` + +- When generating zone signing keys, KASP now also checks for key ID + conflicts among newly created keys, rather than just between new and + existing ones. :gl:`#2628` + +- Fix a race condition in reading and writing key files for KASP zones in + multiple views. :gl:`#1875` + - Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple views with different ``dnssec-policy``. Using the same ``key-directory`` for such zones is not allowed. :gl:`#2463` From e49bd0906e83714ae11ed143a73c162acaea1bdf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 11 May 2021 23:28:48 +0200 Subject: [PATCH 06/10] Add release note for GL #2626 --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 9e95a3725c..66097206ef 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -87,6 +87,10 @@ Bug Fixes ``stale-cache-enable`` was set to ``yes``. This has been fixed. :gl:`#389` :gl:`#2289` +- A deadlock could occur when multiple ``rndc addzone``, ``rndc + delzone``, and/or ``rndc modzone`` commands were invoked + simultaneously for different zones. This has been fixed. :gl:`#2626` + - ``inline-signing`` was incorrectly described as being inherited from the ``options``/``view`` levels and was incorrectly accepted at those levels without effect. This has been fixed; ``named.conf`` files with From 8113dbe5bb6ed2006a9b14720bb53829ed44c1f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 11 May 2021 23:28:48 +0200 Subject: [PATCH 07/10] Prepare release notes for BIND 9.17.13 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.17.13.rst} | 34 ------------------- 2 files changed, 1 insertion(+), 35 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.13.rst} (78%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index c2f4bdaf56..aff17bd023 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.13.rst .. include:: ../notes/notes-9.17.12.rst .. include:: ../notes/notes-9.17.11.rst .. include:: ../notes/notes-9.17.10.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.13.rst similarity index 78% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.13.rst index 66097206ef..1166f4f0a8 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.13.rst @@ -11,33 +11,6 @@ Notes for BIND 9.17.13 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- New configuration options, ``tcp-receive-buffer``, ``tcp-send-buffer``, - ``udp-receive-buffer``, and ``udp-send-buffer``, have been added. These - options allows the operator to fine tune the receiving and sending - buffers in the operating system. On busy servers, increasing the value - of the receive buffers can prevent the server from dropping the packets - during short spikes, and decreasing the value would prevent the server to - became clogged up with queries that are too old and have already timeouted - on the receiving side. :gl:`#2313` - -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ @@ -108,10 +81,3 @@ Bug Fixes - When generating zone signing keys, KASP now also checks for key ID conflicts among newly created keys, rather than just between new and existing ones. :gl:`#2628` - -- Fix a race condition in reading and writing key files for KASP zones in - multiple views. :gl:`#1875` - -- Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple - views with different ``dnssec-policy``. Using the same ``key-directory`` for - such zones is not allowed. :gl:`#2463` From 39b739b867830a8f1451b2773b54ecde4aae573f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 12 May 2021 11:02:57 +0200 Subject: [PATCH 08/10] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index a2132c8d32..3db805e339 100644 --- a/CHANGES +++ b/CHANGES @@ -16,6 +16,8 @@ 5639. [bug] Check that the first and last SOA record of an AXFR are consistent. [GL #2528] + --- 9.17.13 released --- + 5638. [bug] Improvements related to network manager/task manager integration: - isc_managers_create() and isc_managers_destroy() From f73d41d0a0a4cdaf46158769a624183fe1ed5ccb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 12 May 2021 11:02:57 +0200 Subject: [PATCH 09/10] Update BIND version to 9.17.13 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 013597bdc9..9b99141419 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 12)dnl +m4_define([bind_VERSION_PATCH], 13)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl From 5a71af44b1e30220f4be30c362a19107a5313f46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 20 May 2021 12:03:47 +0200 Subject: [PATCH 10/10] Set up release notes for BIND 9.17.14 --- doc/arm/notes.rst | 1 + doc/notes/notes-current.rst | 54 +++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index aff17bd023..0a526d7cad 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,6 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.17.13.rst .. include:: ../notes/notes-9.17.12.rst .. include:: ../notes/notes-9.17.11.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..8911e6ebf7 --- /dev/null +++ b/doc/notes/notes-current.rst @@ -0,0 +1,54 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.14 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- None. + +Known Issues +~~~~~~~~~~~~ + +- None. + +New Features +~~~~~~~~~~~~ + +- New configuration options, ``tcp-receive-buffer``, ``tcp-send-buffer``, + ``udp-receive-buffer``, and ``udp-send-buffer``, have been added. These + options allows the operator to fine tune the receiving and sending + buffers in the operating system. On busy servers, increasing the value + of the receive buffers can prevent the server from dropping the packets + during short spikes, and decreasing the value would prevent the server to + became clogged up with queries that are too old and have already timeouted + on the receiving side. :gl:`#2313` + +Removed Features +~~~~~~~~~~~~~~~~ + +- None. + +Feature Changes +~~~~~~~~~~~~~~~ + +- None. + +Bug Fixes +~~~~~~~~~ + +- Fix a race condition in reading and writing key files for KASP zones in + multiple views. :gl:`#1875` + +- Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple + views with different ``dnssec-policy``. Using the same ``key-directory`` for + such zones is not allowed. :gl:`#2463`