Merge tag 'v9.18.29' into bind-9.18

bin/named/server.c

@@ -324,6 +324,12 @@ typedef struct catz_chgzone_event {
 	bool mod;
 } catz_chgzone_event_t;
 
+typedef struct catz_reconfig_data {
+	dns_catz_zone_t *catz;
+	const cfg_obj_t *config;
+	catz_cb_data_t *cbd;
+} catz_reconfig_data_t;
+
 typedef struct {
 	unsigned int magic;
 #define DZARG_MAGIC ISC_MAGIC('D', 'z', 'a', 'r')
@@ -441,7 +447,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
 	       cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
-	       bool modify);
+	       bool is_catz_member, bool modify);
 
 static void
 configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig,
@@ -2676,13 +2682,13 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
 	ns_cfgctx_t *cfg;
 	dns_zone_t *zone = NULL;
 
+	/*
+	 * A non-empty 'catalog-zones' statement implies that 'allow-new-zones'
+	 * is true, so this is expected to be non-NULL.
+	 */
 	cfg = (ns_cfgctx_t *)ev->view->new_zone_config;
 	if (cfg == NULL) {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "catz: allow-new-zones statement missing from "
-			      "config; cannot add zone from the catalog");
-		goto cleanup;
+		CHECK(ISC_R_FAILURE);
 	}
 
 	name = dns_catz_entry_getname(ev->entry);
@@ -2803,7 +2809,7 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
 		isc_buffer_free(&confbuf);
 	}
 	/*
-	 * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer3()
+	 * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer()
 	 * failed.
 	 */
 	if (result != ISC_R_SUCCESS) {
@@ -2827,10 +2833,11 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
 	result = isc_task_beginexclusive(task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	dns_view_thaw(ev->view);
-	result = configure_zone(
-		cfg->config, zoneobj, cfg->vconfig, ev->cbd->server->mctx,
-		ev->view, &ev->cbd->server->viewlist,
-		&ev->cbd->server->kasplist, cfg->actx, true, false, ev->mod);
+	result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
+				ev->cbd->server->mctx, ev->view,
+				&ev->cbd->server->viewlist,
+				&ev->cbd->server->kasplist, cfg->actx, true,
+				false, true, ev->mod);
 	dns_view_freeze(ev->view);
 	isc_task_endexclusive(task);
 
@@ -3028,6 +3035,86 @@ catz_modzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view,
 				     DNS_EVENT_CATZMODZONE));
 }
 
+static void
+catz_reconfigure(dns_catz_entry_t *entry, dns_view_t *view,
+		 catz_reconfig_data_t *data) {
+	isc_buffer_t namebuf;
+	isc_buffer_t *confbuf = NULL;
+	const cfg_obj_t *zlist = NULL;
+	char nameb[DNS_NAME_FORMATSIZE];
+	cfg_obj_t *zoneconf = NULL;
+	cfg_obj_t *zoneobj = NULL;
+	ns_cfgctx_t *cfg = NULL;
+	dns_zone_t *zone = NULL;
+	isc_result_t result;
+
+	isc_buffer_init(&namebuf, nameb, DNS_NAME_FORMATSIZE);
+	dns_name_totext(dns_catz_entry_getname(entry), DNS_NAME_OMITFINALDOT,
+			&namebuf);
+	isc_buffer_putuint8(&namebuf, 0);
+
+	result = dns_view_findzone(view, dns_catz_entry_getname(entry), &zone);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	/*
+	 * A non-empty 'catalog-zones' statement implies that 'allow-new-zones'
+	 * is true, so this is expected to be non-NULL.
+	 */
+	cfg = (ns_cfgctx_t *)view->new_zone_config;
+	if (cfg == NULL) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	result = dns_catz_generate_zonecfg(data->catz, entry, &confbuf);
+	if (result == ISC_R_SUCCESS) {
+		cfg_parser_reset(cfg->add_parser);
+		result = cfg_parse_buffer(cfg->add_parser, confbuf, "catz", 0,
+					  &cfg_type_addzoneconf, 0, &zoneconf);
+		isc_buffer_free(&confbuf);
+	}
+	/*
+	 * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer()
+	 * failed.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "catz_reconfigure: error \"%s\" while trying to "
+			      "generate config for member zone '%s'",
+			      isc_result_totext(result), nameb);
+		goto cleanup;
+	}
+
+	CHECK(cfg_map_get(zoneconf, "zone", &zlist));
+	if (!cfg_obj_islist(zlist)) {
+		CHECK(ISC_R_FAILURE);
+	}
+	zoneobj = cfg_listelt_value(cfg_list_first(zlist));
+
+	result = configure_zone(data->config, zoneobj, cfg->vconfig,
+				data->cbd->server->mctx, view,
+				&data->cbd->server->viewlist,
+				&data->cbd->server->kasplist, cfg->actx, true,
+				false, true, true);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "catz_reconfigure : error \"%s\" while trying to "
+			      "reconfigure member zone '%s'",
+			      isc_result_totext(result), nameb);
+		goto cleanup;
+	}
+
+cleanup:
+	if (zoneconf != NULL) {
+		cfg_obj_destroy(cfg->add_parser, &zoneconf);
+	}
+
+	dns_zone_detach(&zone);
+}
+
 static isc_result_t
 configure_catz_zone(dns_view_t *view, dns_view_t *pview,
 		    const cfg_obj_t *config, const cfg_listelt_t *element) {
@@ -3066,18 +3153,18 @@ configure_catz_zone(dns_view_t *view, dns_view_t *pview,
 
 	if (result == ISC_R_EXISTS) {
 		isc_ht_iter_t *it = NULL;
+		catz_reconfig_data_t data = {
+			.catz = zone,
+			.config = config,
+			.cbd = (catz_cb_data_t *)dns_catz_zones_get_udata(
+				view->catzs),
+		};
 
 		RUNTIME_CHECK(pview != NULL);
 
 		/*
-		 * xxxwpk todo: reconfigure the zone!!!!
-		 */
-		cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL,
-			    "catz: catalog zone '%s' will not be reconfigured",
-			    str);
-		/*
-		 * We have to walk through all the member zones and attach
-		 * them to current view
+		 * We have to walk through all the member zones, attach
+		 * them to the current view and reconfigure
 		 */
 		dns_catz_get_iterator(zone, &it);
 
@@ -3100,6 +3187,8 @@ configure_catz_zone(dns_view_t *view, dns_view_t *pview,
 			dns_zone_setview(dnszone, view);
 			dns_view_addzone(view, dnszone);
 
+			catz_reconfigure(entry, view, &data);
+
 			/*
 			 * The dns_view_findzone() call above increments the
 			 * zone's reference count, which we need to decrement
@@ -4228,7 +4317,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 		const cfg_obj_t *zconfig = cfg_listelt_value(element);
 		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
 				     viewlist, kasplist, actx, false,
-				     old_rpz_ok, false));
+				     old_rpz_ok, false, false));
 		zone_element_latest = element;
 	}
 
@@ -6502,7 +6591,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
 	       cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
-	       bool modify) {
+	       bool is_catz_member, bool modify) {
 	dns_view_t *pview = NULL; /* Production view */
 	dns_zone_t *zone = NULL;  /* New or reused zone */
 	dns_zone_t *raw = NULL;	  /* New or reused raw zone */
@@ -6765,7 +6854,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		}
 	}
 
-	if (view->catzs != NULL &&
+	if (!is_catz_member && view->catzs != NULL &&
 	    dns_catz_get_zone(view->catzs, origin) != NULL)
 	{
 		zone_is_catz = true;
@@ -8073,7 +8162,7 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
 				     &named_g_server->viewlist,
 				     &named_g_server->kasplist, actx, true,
-				     false, false));
+				     false, false, false));
 	}
 
 	result = ISC_R_SUCCESS;
@@ -8257,7 +8346,7 @@ configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config,
 		  cfg_aclconfctx_t *actx) {
 	return (configure_zone(
 		config, zconfig, vconfig, mctx, view, &named_g_server->viewlist,
-		&named_g_server->kasplist, actx, true, false, false));
+		&named_g_server->kasplist, actx, true, false, false, false));
 }
 
 /*%
@@ -13964,7 +14053,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 	result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
 				server->mctx, view, &server->viewlist,
 				&server->kasplist, cfg->actx, true, false,
-				false);
+				false, false);
 	dns_view_freeze(view);
 
 	isc_task_endexclusive(server->task);
@@ -14152,7 +14241,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 	result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
 				server->mctx, view, &server->viewlist,
 				&server->kasplist, cfg->actx, true, false,
-				true);
+				false, true);
 	dns_view_freeze(view);
 
 	exclusive = false;

bin/tests/system/catz/ns2/named1.conf.in

@@ -27,6 +27,7 @@ options {
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
 	notify no;
 	recursion no;
+#T5	allow-query { 10.53.0.99; };
 	serial-query-rate 100;
 	dnssec-validation no;
 };

bin/tests/system/catz/tests.sh

@@ -703,6 +703,23 @@ wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+# GL #4733
+n=$((n + 1))
+echo_i "reconfiguring secondary - checking if catz member zones are reconfigured ($n)"
+ret=0
+sed -e "s/^#T5//" <ns2/named1.conf.in >ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that dom3.example. is refused by secondary because of an activated allow-query ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "reconfiguring secondary - reverting the bad configuration ($n)"
 ret=0

doc/arm/changelog.rst

@@ -18,6 +18,183 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+BIND 9.18.29
+------------
+
+New Features
+~~~~~~~~~~~~
+
+- Tighten 'max-recursion-queries' and add 'max-query-restarts' option.
+  ``fe3ae71e90``
+
+  There were cases in resolver.c when the `max-recursion-queries` quota
+  was ineffective. It was possible to craft zones that would cause a
+  resolver to waste resources by sending excessive queries while
+  attempting to resolve a name. This has been addressed by correcting
+  errors in the implementation of `max-recursion-queries`, and by
+  reducing the default value from 100 to 32.
+
+  In addition, a new `max-query-restarts` option has been added which
+  limits the number of times a recursive server will follow CNAME or
+  DNAME records before terminating resolution. This was previously a
+  hard-coded limit of 16, and now defaults to 11.   :gl:`#4741`
+  :gl:`!9283`
+
+- Generate changelog from git log. ``21a0b6aef7``
+
+  Use a single source of truth, the git log, to generate the list of
+  CHANGES. Use the .rst format and include it in the ARM for a quick
+  reference with proper gitlab links to issues and merge requests.
+  :gl:`#75` :gl:`!9181`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Use _exit() in the fatal() function. ``e4c483f45f``
+
+  Since the fatal() isn't a correct but rather abrupt termination of the
+  program, we want to skip the various atexit() calls because not all
+  memory might be freed during fatal() call, etc.  Using _exit() instead
+  of exit() has this effect - the program will end, but no destructors
+  or atexit routines will be called. :gl:`!9263`
+
+- Fix data race in clean_finds_at_name. ``541726871d``
+
+  Stop updating `find.result_v4` and `find.result_v4` in
+  `clean_finds_at_name`. The values are supposed to be
+  static. :gl:`#4118` :gl:`!9198`
+
+Bug Fixes
+~~~~~~~~~
+
+- Reconfigure catz member zones during named reconfiguration.
+  ``944d0dc942``
+
+  During a reconfiguration named wasn't reconfiguring catalog zones'
+  member zones. This has been fixed. :gl:`#4733`
+
+- Disassociate the SSL object from the cached SSL_SESSION.
+  ``64fde41253``
+
+  When the SSL object was destroyed, it would invalidate all SSL_SESSION
+  objects including the cached, but not yet used, TLS session objects.
+
+  Properly disassociate the SSL object from the SSL_SESSION before we
+  store it in the TLS session cache, so we can later destroy it without
+  invalidating the cached TLS sessions. :gl:`#4834` :gl:`!9279`
+
+- Attach/detach to the listening child socket when accepting TLS.
+  ``3ead47daff``
+
+  When TLS connection (TLSstream) connection was accepted, the children
+  listening socket was not attached to sock->server and thus it could
+  have been freed before all the accepted connections were actually
+  closed.
+
+  In turn, this would cause us to call isc_tls_free() too soon - causing
+  cascade errors in pending SSL_read_ex() in the accepted connections.
+
+  Properly attach and detach the children listening socket when
+  accepting and closing the server connections. :gl:`#4833` :gl:`!9278`
+
+- Make hypothesis optional for system tests. ``0d1953d7a8``
+
+  Ensure that system tests can be executed without Python hypothesis
+  package. :gl:`#4831` :gl:`!9268`
+
+- Don't loop indefinitely when isc_task quantum is 'unlimited'
+  ``674420df64``
+
+  Don't run more events than already scheduled.  If the quantum is set
+  to a high value, the task_run() would execute already scheduled, and
+  all new events that result from running event->ev_action().
+
+  Setting quantum to a number of scheduled events will postpone events
+  scheduled after we enter the loop here to the next task_run()
+  invocation. :gl:`!9257`
+
+- Raise the log level of priming failures. ``c948babeeb``
+
+  When a priming query is complete, it's currently logged at level
+  ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising
+  it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516`
+  :gl:`!9251`
+
+- Add a compatibility shim for older libuv versions (< 1.19.0)
+  ``61ff983f00``
+
+  The uv_stream_get_write_queue_size() is supported only in relatively
+  newer versions of libuv (1.19.0 or higher).  Provide a compatibility
+  shim for this function , so BIND 9 can be built in environments with
+  older libuv version.
+
+- Remove extra newline from yaml output. ``1222dbe9f9``
+
+  I split this into two commits, one for the actual newline removal, and
+  one for issues I found, ruining the yaml output when some errors were
+  outputted.
+
+- CID 498025 and CID 498031: Overflowed constant INTEGER_OVERFLOW.
+  ``bbdd888b8e``
+
+  Add INSIST to fail if the multiplication would cause the variables to
+  overflow. :gl:`#4798` :gl:`!9230`
+
+- Remove unnecessary operations. ``2374a1a2bd``
+
+  Decrementing optlen immediately before calling continue is unneccesary
+  and inconsistent with the rest of dns_message_pseudosectiontoyaml and
+  dns_message_pseudosectiontotext.  Coverity was also reporting an
+  impossible false positive overflow of optlen (CID 499061). :gl:`!9224`
+
+- Fix generation of 6to4-self name expansion from IPv4 address.
+  ``df55c15ebb``
+
+  The period between the most significant nibble of the encoded IPv4
+  address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the
+  wrong name being checked. Add system test for 6to4-self
+  implementation. :gl:`#4766` :gl:`!9218`
+
+- Fix false QNAME minimisation error being reported. ``4984afc80c``
+
+  Remove the false positive "success resolving" log message when QNAME
+  minimisation is in effect and the final result is NXDOMAIN.
+  :gl:`#4784` :gl:`!9216`
+
+- Dig +yaml was producing unexpected and/or invalid YAML output.
+  ``2db62a4dba``
+
+  :gl:`#4796` :gl:`!9214`
+
+- SVBC alpn text parsing failed to reject zero length alpn.
+  ``8f7be89052``
+
+  :gl:`#4775` :gl:`!9210`
+
+- Return SERVFAIL for a too long CNAME chain. ``f7de909b98``
+
+  When cutting a long CNAME chain, named was returning NOERROR  instead
+  of SERVFAIL (alongside with a partial answer). This has been fixed.
+  :gl:`#4449` :gl:`!9204`
+
+- Properly calculate the amount of system memory. ``9faf355a5c``
+
+  On 32 bit machines isc_meminfo_totalphys could return an incorrect
+  value. :gl:`#4799` :gl:`!9200`
+
+- Update key lifetime and metadata after dnssec-policy reconfig.
+  ``2107a64ee6``
+
+  Adjust key state and timing metadata if dnssec-policy key lifetime
+  configuration is updated, so that it also affects existing keys.
+  :gl:`#4677` :gl:`!9192`
+
+- Fix dig +timeout argument when using +https. ``381d6246d6``
+
+  The +timeout argument was not used on DoH connections. This has been
+  fixed.  :gl:`#4806` :gl:`!9161`
+
+
 Changes prior to 9.18.28
 ------------------------
 

doc/arm/notes.rst

@@ -38,6 +38,7 @@ information about each release, and source code.
 
 .. include:: ../notes/notes-known-issues.rst
 
+.. include:: ../notes/notes-9.18.29.rst
 .. include:: ../notes/notes-9.18.28.rst
 .. include:: ../notes/notes-9.18.27.rst
 .. include:: ../notes/notes-9.18.26.rst

doc/notes/notes-9.18.29.rst

@@ -0,0 +1,98 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.29
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Tighten :any:`max-recursion-queries` and add :any:`max-query-restarts`
+  configuration statement.
+
+  There were cases when the :any:`max-recursion-queries`
+  quota was ineffective. It was possible to craft zones that would cause
+  a resolver to waste resources by sending excessive queries while
+  attempting to resolve a name. This has been addressed by correcting
+  errors in the implementation of :any:`max-recursion-queries` and by
+  reducing the default value from 100 to 32.
+
+  In addition, a new :any:`max-query-restarts` configuration statement has been
+  added, which limits the number of times a recursive server will follow CNAME
+  or DNAME records before terminating resolution. This was previously a
+  hard-coded limit of 16 but is now configurable with a default value of 11.
+
+  ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin
+  Tanir from NetSec group, ETH Zurich for discovering and notifying us about
+  the issue. :gl:`#4741` :gl:`!9283`
+
+- Raise the log level of priming failures.
+
+  When a priming query is complete, it was previously logged at level
+  ``DEBUG(1)``, regardless of success or failure. It is now
+  logged to ``NOTICE`` in the case of failure. :gl:`#3516`
+  :gl:`!9251`
+
+- Add a compatibility shim for older libuv versions (< 1.19.0)
+
+  The function uv_stream_get_write_queue_size() is supported only in relatively
+  new versions of libuv (1.19.0 or higher). Provide a compatibility
+  shim for this function so BIND 9 can be built in environments with
+  older libuv versions.
+
+Bug Fixes
+~~~~~~~~~
+
+- Return SERVFAIL for a too long CNAME chain.
+
+  When following long CNAME chains, :iscman:`named` was returning NOERROR
+  (along with a partial answer) instead of SERVFAIL, if the chain exceeded the
+  maximum length. This has been fixed. :gl:`#4449` :gl:`!9204`
+
+- Reconfigure catz member zones during :iscman:`named` reconfiguration.
+
+  During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog
+  zones' member zones. This has been fixed. :gl:`#4733`
+
+- Update key lifetime and metadata after :any:`dnssec-policy` reconfiguration.
+
+  Adjust key state and timing metadata if :any:`dnssec-policy` key
+  lifetime configuration is updated, so that it also affects existing
+  keys. :gl:`#4677` :gl:`!9192`
+
+- Fix generation of 6to4-self name expansion from IPv4 address.
+
+  The period between the most significant nibble of the encoded IPv4
+  address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the
+  wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9218`
+
+- :option:`dig +yaml` was producing unexpected and/or invalid YAML.
+  output. :gl:`#4796` :gl:`!9214`
+
+- SVBC ALPN text parsing failed to reject zero-length ALPN. :gl:`#4775` :gl:`!9210`
+
+- Fix false QNAME minimisation error being reported.
+
+  Remove the false positive ``success resolving`` log message when QNAME
+  minimisation is in effect and the final result is an NXDOMAIN.
+  :gl:`#4784` :gl:`!9216`
+
+- Fix dig +timeout argument when using +https.
+
+  The +timeout argument was not used on DoH connections. This has been
+  fixed. :gl:`#4806` :gl:`!9161`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

lib/dns/catz.c

@@ -806,6 +806,13 @@ cleanup_task:
 	return (result);
 }
 
+void *
+dns_catz_zones_get_udata(dns_catz_zones_t *catzs) {
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+
+	return (catzs->zmm->udata);
+}
+
 void
 dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view) {
 	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));

lib/dns/include/dns/catz.h

@@ -307,6 +307,15 @@ dns_catz_new_zones(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  *
  */
 
+void *
+dns_catz_zones_get_udata(dns_catz_zones_t *catzs);
+/*%<
+ * Get the 'udata' member of the zone methods which was set when creating catzs.
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ */
+
 isc_result_t
 dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name,
 		  dns_catz_zone_t **catzp);