From 73686d18bfac820987ce3b914d4523de25ab1e4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 7 Oct 2022 12:55:17 +0200 Subject: [PATCH 1/6] Prepare release notes for BIND 9.19.6 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.19.6.rst} | 13 ------------- 2 files changed, 1 insertion(+), 14 deletions(-) rename doc/notes/{notes-current.rst => notes-9.19.6.rst} (97%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ab28b4955c..3cc71f542c 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -36,7 +36,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.6.rst .. include:: ../notes/notes-9.19.5.rst .. include:: ../notes/notes-9.19.4.rst .. include:: ../notes/notes-9.19.3.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.19.6.rst similarity index 97% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.19.6.rst index e6c5a02c93..0909af3ab7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.19.6.rst @@ -12,11 +12,6 @@ Notes for BIND 9.19.6 --------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - Known Issues ~~~~~~~~~~~~ @@ -35,8 +30,6 @@ Known Issues New Features ~~~~~~~~~~~~ -- None. - - A new configuration option ``require-cookie`` has been introduced, it specifies if there should be a DNS COOKIE in the response for a given prefix and if not named falls back to TCP. This is useful if you know @@ -56,11 +49,6 @@ New Features - :iscman:`named` now logs the supported cryptographic algorithms during startup and in the output of :option:`named -V`. :gl:`#3541` -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ @@ -99,4 +87,3 @@ Bug Fixes - Changing just the TSIG key names for primaries in catalog zones' member zones was not effective. :gl:`#3557` - From dfc19673c90bf1108be1965f6d01e631df808ba8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 7 Oct 2022 12:55:17 +0200 Subject: [PATCH 2/6] Tweak and reword release notes --- doc/notes/notes-9.19.6.rst | 79 ++++++++++++++++++++------------------ 1 file changed, 42 insertions(+), 37 deletions(-) diff --git a/doc/notes/notes-9.19.6.rst b/doc/notes/notes-9.19.6.rst index 0909af3ab7..9a99e4783b 100644 --- a/doc/notes/notes-9.19.6.rst +++ b/doc/notes/notes-9.19.6.rst @@ -15,36 +15,40 @@ Notes for BIND 9.19.6 Known Issues ~~~~~~~~~~~~ -- Upgrading from BIND 9.16.32, 9.18.6, or older, may require a manual - configuration change. The following configurations are affected: +- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may + require a manual configuration change. The following configurations + are affected: - - :any:`type primary` zones configured with :any:`dnssec-policy` but without - either :any:`allow-update` or :any:`update-policy` - - :any:`type secondary` zones configured with :any:`dnssec-policy` + - :any:`type primary` zones configured with :any:`dnssec-policy` but + without either :any:`allow-update` or :any:`update-policy`, + - :any:`type secondary` zones configured with :any:`dnssec-policy`. In these cases please add :namedconf:ref:`inline-signing yes; - ` to individual zone configuration(s). Without applying this - change :iscman:`named` will fail to start. For more details see + ` to the individual zone configuration(s). Without + applying this change, :iscman:`named` will fail to start. For more + details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing New Features ~~~~~~~~~~~~ -- A new configuration option ``require-cookie`` has been introduced, it - specifies if there should be a DNS COOKIE in the response for a given - prefix and if not named falls back to TCP. This is useful if you know - a given server support DNS COOKIE. It can also be used to force all - non DNS COOKIE responses to fall back to TCP. :gl:`#2295` +- A new configuration option :any:`require-cookie` has been introduced. + It specifies whether there should be a DNS COOKIE in the response for + a given prefix; if not, :iscman:`named` falls back to TCP. This is + useful if it is known that a given server supports DNS COOKIE. It can + also be used to force all non-DNS COOKIE responses to fall back to + TCP. :gl:`#2295` -- Add libsystemd sd_notify() integration that allows the ``named`` to report - status to the supervisor. This allows the systemd to wait until ``named`` is - fully started before starting other services that depend on name resolution. - :gl:`#1176` +- Support for libsystemd's ``sd_notify()`` function was added, enabling + :iscman:`named` to report its status to the init system. This allows + systemd to wait until :iscman:`named` is fully ready before starting + other services that depend on name resolution. :gl:`#1176` -- The ``nsupdate`` tool now supports DNS-over-TLS (DoT). :gl:`#1781` +- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT). + :gl:`#1781` -- :iscman:``named`` now supports forwarding Dynamic DNS updates through - DNS-over-TLS (DoT), configured with a TLS-enabled primary server. :gl:`#3512` +- :iscman:`named` now supports forwarding Dynamic DNS updates through + DNS-over-TLS (DoT). :gl:`#3512` - :iscman:`named` now logs the supported cryptographic algorithms during startup and in the output of :option:`named -V`. :gl:`#3541` @@ -53,37 +57,38 @@ Feature Changes ~~~~~~~~~~~~~~~ - When an international domain name is not valid according to IDNA2008, - :program:`dig` will now try to convert it according to IDNA2003 rules, - or pass it through unchanged, instead of stopping with an error message. - You can use the ``idna2`` utility for checking IDNA syntax. :gl:`#3485`. + :iscman:`dig` now tries to convert it according to IDNA2003 rules, or + pass it through unchanged, instead of stopping with an error message. + The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527` - The DNSSEC signing data included in zone statistics identified keys only by the key ID; this caused confusion when two keys using different algorithms had the same ID. Zone statistics now identify keys using the algorithm number, followed by "+", followed by the - key ID: for example, "8+54274". :gl:`#3525` + key ID: for example, ``8+54274``. :gl:`#3525` -- The ability to use pkcs11 via engine_pkcs11 has been restored, by only using - deprecated APIs in OpenSSL 3.0.0. BIND needs to be compiled - with '-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS at - compile time. :gl:`!6711` +- The ability to use PKCS#11 via engine_pkcs11 has been restored, by + using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be + compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS + environment variable at compile time. :gl:`#3578` -- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. The - libuv should be available on all supported platforms either as a native - package or as a backport. :gl:`#3567` +- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. + libuv should be available on all supported platforms either as a + native package or as a backport. :gl:`#3567` -- Add support for parsing and validating ``dohpath`` to SVBC records. - :gl:`#3544` +- Support for parsing and validating the ``dohpath`` service parameter + in SVCB records was added. :gl:`#3544` Bug Fixes ~~~~~~~~~ -- An assertion failure was fixed in ``named`` that was caused by aborting the statistics - channel connection while sending statistics data to the client. :gl:`#3542` +- An assertion failure was fixed in :iscman:`named` that was caused by + aborting the statistics channel connection while sending statistics + data to the client. :gl:`#3542` - :iscman:`named` could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size - limit. :gl:`#1967` + limit. This has been fixed. :gl:`#1967` -- Changing just the TSIG key names for primaries in catalog zones' member - zones was not effective. :gl:`#3557` +- Changing just the TSIG key names for primaries in catalog zones' + member zones was not effective. This has been fixed. :gl:`#3557` From 26a8e9093d5c8483e5e110ced25db7fbbff51597 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 7 Oct 2022 12:55:17 +0200 Subject: [PATCH 3/6] Reorder release notes --- doc/notes/notes-9.19.6.rst | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/doc/notes/notes-9.19.6.rst b/doc/notes/notes-9.19.6.rst index 9a99e4783b..14837f98e1 100644 --- a/doc/notes/notes-9.19.6.rst +++ b/doc/notes/notes-9.19.6.rst @@ -32,6 +32,18 @@ Known Issues New Features ~~~~~~~~~~~~ +- Support for parsing and validating the ``dohpath`` service parameter + in SVCB records was added. :gl:`#3544` + +- :iscman:`named` now supports forwarding Dynamic DNS updates through + DNS-over-TLS (DoT). :gl:`#3512` + +- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT). + :gl:`#1781` + +- :iscman:`named` now logs the supported cryptographic algorithms during + startup and in the output of :option:`named -V`. :gl:`#3541` + - A new configuration option :any:`require-cookie` has been introduced. It specifies whether there should be a DNS COOKIE in the response for a given prefix; if not, :iscman:`named` falls back to TCP. This is @@ -44,15 +56,6 @@ New Features systemd to wait until :iscman:`named` is fully ready before starting other services that depend on name resolution. :gl:`#1176` -- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT). - :gl:`#1781` - -- :iscman:`named` now supports forwarding Dynamic DNS updates through - DNS-over-TLS (DoT). :gl:`#3512` - -- :iscman:`named` now logs the supported cryptographic algorithms during - startup and in the output of :option:`named -V`. :gl:`#3541` - Feature Changes ~~~~~~~~~~~~~~~ @@ -76,9 +79,6 @@ Feature Changes libuv should be available on all supported platforms either as a native package or as a backport. :gl:`#3567` -- Support for parsing and validating the ``dohpath`` service parameter - in SVCB records was added. :gl:`#3544` - Bug Fixes ~~~~~~~~~ From f26a08b7f70bf9f47700f73adc984247cbcd8809 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 7 Oct 2022 12:55:17 +0200 Subject: [PATCH 4/6] Add release note for GL #3587 --- doc/notes/notes-9.19.6.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-9.19.6.rst b/doc/notes/notes-9.19.6.rst index 14837f98e1..7a6272217a 100644 --- a/doc/notes/notes-9.19.6.rst +++ b/doc/notes/notes-9.19.6.rst @@ -56,6 +56,10 @@ New Features systemd to wait until :iscman:`named` is fully ready before starting other services that depend on name resolution. :gl:`#1176` +- The ``recursion not available`` and ``query (cache) '...' denied`` log + messages were extended to include the name of the ACL that caused a + given query to be denied. :gl:`#3587` + Feature Changes ~~~~~~~~~~~~~~~ From 40432eae009a4470d30d0860b079443c35c09d28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 10 Oct 2022 09:00:58 +0200 Subject: [PATCH 5/6] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index f94a71947f..6c4e467d19 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.19.6 released --- + 5992. [func] Introduce the new isc_mem_*x() APIs that takes extra flags as the last argument. Currently ISC_MEM_ZERO and ISC_MEM_ALIGN(n) flags have been implemented that From cb867d2ef091dc9ca5931626d89cce20191ea326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 10 Oct 2022 09:00:58 +0200 Subject: [PATCH 6/6] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 04d400f8de..89086af0c8 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 19)dnl m4_define([bind_VERSION_PATCH], 6)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl