From b2b451d0bf169178100b248cd02d8a9b1e46c7db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 8 Jan 2021 16:16:51 +0100 Subject: [PATCH 01/12] Fix location of the CHANGES marker for BIND 9.17.8 --- CHANGES | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 7652c6860b..0f51a92db5 100644 --- a/CHANGES +++ b/CHANGES @@ -55,10 +55,10 @@ 5547. [placeholder] -5546. [placeholder] - --- 9.17.8 released --- +5546. [placeholder] + 5545. [func] OS support for load-balanced sockets is no longer required to receive incoming queries in multiple netmgr threads. [GL #2137] From 598a026cae6c940e06361785ab99e6f03870fa6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 8 Jan 2021 16:16:51 +0100 Subject: [PATCH 02/12] Tweak and reword recent CHANGES entries --- CHANGES | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/CHANGES b/CHANGES index 0f51a92db5..ee54eb4fb0 100644 --- a/CHANGES +++ b/CHANGES @@ -19,37 +19,38 @@ enabling support for libmaxminddb was not working correctly. This has been fixed. [GL #2366] -5558. [bug] Asynchronous hook modules could assert due to - the fetch handle being detached too late. [GL #2379] +5558. [bug] Asynchronous hook modules could trigger an assertion + failure when the fetch handle was detached too late. + Thanks to Jinmei Tatuya at Infoblox. [GL #2379] -5557. [bug] Prevent rbtdb instances being destroyed by multiple +5557. [bug] Prevent RBTDB instances from being destroyed by multiple threads at the same time. [GL #2355] -5556. [bug] dnssec-signzone and dnssec-verify where now - printing too many newlines between log messages. - [GL #2359] +5556. [bug] Further tweak newline printing in dnssec-signzone and + dnssec-verify. [GL #2359] 5555. [placeholder] -5554. [bug] dnssec-signzone and dnssec-verify where missing - newlines between log messages. [GL #2359] +5554. [bug] dnssec-signzone and dnssec-verify were missing newlines + between log messages. [GL #2359] -5553. [bug] When reconfiguring named, removing "auto-dnssec" - did not actually turn off DNSSEC maintenance. - This has been fixed. [GL #2341] +5553. [bug] When reconfiguring named, removing "auto-dnssec" did not + turn off DNSSEC maintenance. [GL #2341] -5552. [func] When switching to "dnssec-policy none;", named - now permits a safe transition to insecure mode - and publishes the CDS and CDNSKEY DELETE - records, as described in RFC 8078. [GL #1750] +5552. [func] When switching to "dnssec-policy none;", named now + permits a safe transition to insecure mode and publishes + the CDS and CDNSKEY DELETE records, as described in RFC + 8078. [GL #1750] -5551. [bug] Only assign threads to CPUs in the CPU affinity set. - Thanks to Ole Bjørn Hessen. [GL #2245] +5551. [bug] named no longer attempts to assign threads to CPUs + outside the CPU affinity set. Thanks to Ole Bjørn + Hessen. [GL #2245] -5550. [func] Print a warning when falling back to the "increment" SOA - serial method. [GL #2058] +5550. [func] dnssec-signzone and named now log a warning when falling + back to the "increment" SOA serial method. [GL #2058] -5549. [protocol] Serve ipv4only.arpa when dns64 is configured. [GL #385] +5549. [protocol] ipv4only.arpa is now served when DNS64 is configured. + [GL #385] 5548. [placeholder] From e343aa5b9456f5d2a69063e314c3113020b46c66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 8 Jan 2021 16:16:51 +0100 Subject: [PATCH 03/12] Tweak and reword release notes --- doc/notes/notes-current.rst | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 95a441124d..d38095453f 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -44,10 +44,10 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- ``ipv4only.arpa`` is now served when ``dns64`` is configured. [GL #385] +- ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385] - It is now possible to transition a zone from secure to insecure mode - without making it bogus in the process: changing to ``dnssec-policy + without making it bogus in the process; changing to ``dnssec-policy none;`` also causes CDS and CDNSKEY DELETE records to be published, to signal that the entire DS RRset at the parent must be removed, as described in RFC 8078. [GL #1750] @@ -60,21 +60,21 @@ Feature Changes serial number, ``named`` and ``dnssec-signzone`` silently fell back to the ``increment`` method to prevent the new serial number from being smaller than the old serial number (using serial number arithmetics). - ``dnsssec-signzone`` now prints a warning message, and ``named`` logs - a warning, when such a fallback happens. [GL #2058] + ``dnssec-signzone`` now prints a warning message, and ``named`` logs a + warning, when such a fallback happens. [GL #2058] Bug Fixes ~~~~~~~~~ -- Only assign threads to CPUs in the CPU affinity set, so that ``named`` no - longer attempts to run threads on CPUs outside the affinity set. Thanks to - Ole Bjørn Hessen. [GL #2245] +- ``named`` no longer attempts to assign threads to CPUs outside the CPU + affinity set. Thanks to Ole Bjørn Hessen. [GL #2245] -- When reconfiguring ``named``, removing ``auto-dnssec`` did actually not turn +- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn off DNSSEC maintenance. This has been fixed. [GL #2341] -- Prevent rbtdb instances being destroyed by multiple threads at the same - time. This can trigger assertion failures. [GL #2355] +- Multiple threads could attempt to destroy a single RBTDB instance at + the same time, resulting in an unpredictable but low-probability + assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317] - KASP incorrectly set signature validity to the value of the DNSKEY signature validity. This is now fixed. [GL #2383] From 09ff03bb1cf55f35c2c3c60f7d19ee57aabfd511 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 8 Jan 2021 16:16:51 +0100 Subject: [PATCH 04/12] Reorder release notes --- doc/notes/notes-current.rst | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index d38095453f..cc00a8586b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,7 +24,7 @@ Known Issues New Features ~~~~~~~~~~~~ -- None. +- ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385] Removed Features ~~~~~~~~~~~~~~~~ @@ -44,8 +44,6 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385] - - It is now possible to transition a zone from secure to insecure mode without making it bogus in the process; changing to ``dnssec-policy none;`` also causes CDS and CDNSKEY DELETE records to be published, to @@ -66,15 +64,15 @@ Feature Changes Bug Fixes ~~~~~~~~~ +- Multiple threads could attempt to destroy a single RBTDB instance at + the same time, resulting in an unpredictable but low-probability + assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317] + - ``named`` no longer attempts to assign threads to CPUs outside the CPU affinity set. Thanks to Ole Bjørn Hessen. [GL #2245] - When reconfiguring ``named``, removing ``auto-dnssec`` did not turn off DNSSEC maintenance. This has been fixed. [GL #2341] -- Multiple threads could attempt to destroy a single RBTDB instance at - the same time, resulting in an unpredictable but low-probability - assertion failure in ``free_rbtdb()``. This has been fixed. [GL #2317] - - KASP incorrectly set signature validity to the value of the DNSKEY signature validity. This is now fixed. [GL #2383] From cf9d818be3ea14edcaa9ebfd2ba7b4e46788c217 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 8 Jan 2021 16:16:51 +0100 Subject: [PATCH 05/12] Add release note for GL #2091 --- doc/notes/notes-current.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index cc00a8586b..426975e776 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -74,5 +74,15 @@ Bug Fixes - When reconfiguring ``named``, removing ``auto-dnssec`` did not turn off DNSSEC maintenance. This has been fixed. [GL #2341] +- The report of intermittent BIND assertion failures triggered in + ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed + without further action. Our initial response to this was to add + diagnostic logging instead of terminating ``named``, anticipating that + we would receive further useful troubleshooting input. This workaround + first appeared in BIND releases 9.17.5 and 9.16.7. However, since + those releases were published, there have been no new reports of + assertion failures matching this issue, but also no further diagnostic + input, so we have closed the issue. [GL #2091] + - KASP incorrectly set signature validity to the value of the DNSKEY signature validity. This is now fixed. [GL #2383] From 6118f75c70a57f1284d01f555af23968d04a8bb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 8 Jan 2021 16:16:51 +0100 Subject: [PATCH 06/12] Prepare release notes for BIND 9.17.9 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.17.9.rst} | 32 ------------------- 2 files changed, 1 insertion(+), 33 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.9.rst} (66%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index e8a414d148..e1774db5d1 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.9.rst .. include:: ../notes/notes-9.17.8.rst .. include:: ../notes/notes-9.17.7.rst .. include:: ../notes/notes-9.17.6.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.9.rst similarity index 66% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.9.rst index 426975e776..d702519775 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.9.rst @@ -11,36 +11,11 @@ Notes for BIND 9.17.9 --------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ - ``ipv4only.arpa`` is now served when DNS64 is configured. [GL #385] -Removed Features -~~~~~~~~~~~~~~~~ - -- A number of non-working configuration options that had been marked - as obsolete in previous releases have now been removed completely. - Using any of the following options is now considered a configuration - failure: - ``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``, - ``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``, - ``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``, - ``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, - ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, - ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, - ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086] - Feature Changes ~~~~~~~~~~~~~~~ @@ -50,10 +25,6 @@ Feature Changes signal that the entire DS RRset at the parent must be removed, as described in RFC 8078. [GL #1750] -- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 - day and the default value of ``stale-answer-ttl`` has been changed from 1 - second to 30 seconds, following RFC 8767 recommendations. [GL #2248] - - When using the ``unixtime`` or ``date`` method to update the SOA serial number, ``named`` and ``dnssec-signzone`` silently fell back to the ``increment`` method to prevent the new serial number from being @@ -83,6 +54,3 @@ Bug Fixes those releases were published, there have been no new reports of assertion failures matching this issue, but also no further diagnostic input, so we have closed the issue. [GL #2091] - -- KASP incorrectly set signature validity to the value of the DNSKEY signature - validity. This is now fixed. [GL #2383] From 347d666b0f00b85c54ed8d76f528c2e68a535638 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Jan 2021 10:21:40 +0100 Subject: [PATCH 07/12] Update library API versions --- lib/bind9/api | 2 +- lib/dns/api | 2 +- lib/isc/api | 2 +- lib/isccfg/api | 2 +- lib/ns/api | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/bind9/api b/lib/bind9/api index 399abc2379..1f742a50af 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -12,5 +12,5 @@ # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 LIBINTERFACE = 1701 -LIBREVISION = 3 +LIBREVISION = 4 LIBAGE = 0 diff --git a/lib/dns/api b/lib/dns/api index bbe9c58585..73f959a036 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -11,6 +11,6 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 -LIBINTERFACE = 1708 +LIBINTERFACE = 1709 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index f55bd9eef6..313f25dc92 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -12,5 +12,5 @@ # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 LIBINTERFACE = 1707 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index c1c1be9b85..2a38956a54 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -11,6 +11,6 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 -LIBINTERFACE = 1703 +LIBINTERFACE = 1704 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index 2a766927f2..f55bd9eef6 100644 --- a/lib/ns/api +++ b/lib/ns/api @@ -11,6 +11,6 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 -LIBINTERFACE = 1706 +LIBINTERFACE = 1707 LIBREVISION = 0 LIBAGE = 0 From cacf290ad296f70a3a437bdc6806ee5106b940a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Jan 2021 10:21:40 +0100 Subject: [PATCH 08/12] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index ee54eb4fb0..3a7bfecc8a 100644 --- a/CHANGES +++ b/CHANGES @@ -15,6 +15,8 @@ 30 seconds, following RFC 8767 recommendations. [GL #2248] + --- 9.17.9 released --- + 5559. [bug] The --with-maxminddb=PATH form of the build-time option enabling support for libmaxminddb was not working correctly. This has been fixed. [GL #2366] From 49d2aafdc4ed72f1e916bd150956ebd9f95b58ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Jan 2021 10:21:40 +0100 Subject: [PATCH 09/12] Update BIND version to 9.17.9 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index f95fd2583a..154e023212 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 8)dnl +m4_define([bind_VERSION_PATCH], 9)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl From 60b3c67cf0eeaef5b680840281828dce203efc32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Jan 2021 12:40:30 +0100 Subject: [PATCH 10/12] Update GitLab issue number for CHANGES entry 5557 --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 3a7bfecc8a..58b3362016 100644 --- a/CHANGES +++ b/CHANGES @@ -26,7 +26,7 @@ Thanks to Jinmei Tatuya at Infoblox. [GL #2379] 5557. [bug] Prevent RBTDB instances from being destroyed by multiple - threads at the same time. [GL #2355] + threads at the same time. [GL #2317] 5556. [bug] Further tweak newline printing in dnssec-signzone and dnssec-verify. [GL #2359] From f28804cd98d1c925d2b6468b0f34b65238328f27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 21 Jan 2021 09:02:04 +0100 Subject: [PATCH 11/12] Bump BIND_BASELINE_VERSION for ABI checks --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b319fa15be..1db96f8a82 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1516,7 +1516,7 @@ abi-check: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2" - BIND_BASELINE_VERSION: v9_17_8 + BIND_BASELINE_VERSION: v9_17_9 script: - *configure - make -j${BUILD_PARALLEL_JOBS:-1} V=1 From 7751a8eaf6ffc94df59fb4c1b15a797f9eed5f56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 21 Jan 2021 09:02:04 +0100 Subject: [PATCH 12/12] Set up release notes for BIND 9.17.10 --- doc/arm/notes.rst | 1 + doc/notes/notes-current.rst | 55 +++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index e1774db5d1..775300054c 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,6 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.17.9.rst .. include:: ../notes/notes-9.17.8.rst .. include:: ../notes/notes-9.17.7.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..dd10555d50 --- /dev/null +++ b/doc/notes/notes-current.rst @@ -0,0 +1,55 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.10 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- None. + +Known Issues +~~~~~~~~~~~~ + +- None. + +New Features +~~~~~~~~~~~~ + +- None. + +Removed Features +~~~~~~~~~~~~~~~~ + +- A number of non-working configuration options that had been marked + as obsolete in previous releases have now been removed completely. + Using any of the following options is now considered a configuration + failure: + ``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``, + ``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``, + ``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``, + ``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, + ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, + ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, + ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086] + +Feature Changes +~~~~~~~~~~~~~~~ + +- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 + day and the default value of ``stale-answer-ttl`` has been changed from 1 + second to 30 seconds, following RFC 8767 recommendations. [GL #2248] + +Bug Fixes +~~~~~~~~~ + +- KASP incorrectly set signature validity to the value of the DNSKEY signature + validity. This is now fixed. [GL #2383]