diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 95a74f0a36..fca3263d94 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.39.rst .. include:: ../changelog/changelog-9.18.38.rst .. include:: ../changelog/changelog-9.18.37.rst .. include:: ../changelog/changelog-9.18.36.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 5dcfb91965..7349a8b8f0 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.18 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18 +.. include:: ../notes/notes-9.18.39.rst .. include:: ../notes/notes-9.18.38.rst .. include:: ../notes/notes-9.18.37.rst .. include:: ../notes/notes-9.18.36.rst diff --git a/doc/changelog/changelog-9.18.39.rst b/doc/changelog/changelog-9.18.39.rst new file mode 100644 index 0000000000..b06b438db4 --- /dev/null +++ b/doc/changelog/changelog-9.18.39.rst 
@@ -0,0 +1,84 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.39 +------------ + +New Features +~~~~~~~~~~~~ + +- Support for parsing the DSYNC record has been added. ``4eb5a0ba1c`` + + :gl:`#5440` :gl:`!10821` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest + type 1. ``1ea4164f71`` + + RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated + by the IETF and should no longer be used for DNSSEC. DS digest type 1 + (SHA1) has also been deprecated. Validators are now expected to treat + these algorithms and digest as unknown, resulting in some zones being + treated as insecure when they were previously treated as secure. + Warnings have been added to named and tools when these algorithms and + this digest are being used for signing. + + Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a + different DNSKEY algorithm. + + Zones with DS or CDS records with digest type 1 (SHA1) should be + updated to use a different digest type (e.g. SHA256) and the digest + type 1 records should be removed. + + Related to #5358 :gl:`!10739` + +Bug Fixes +~~~~~~~~~ + +- Fix a possible crash when adding a zone while recursing. + ``c8d4829223`` + + A query for a zone that was not yet loaded may yield an unexpected + result such as a CNAME or DNAME, triggering an assertion failure. This + has been fixed. :gl:`#5357` :gl:`!10719` + +- Clean enough memory when adding new ADB names/entries under memory + pressure. 
``e2f539035d`` + + The ADB memory cleaning is opportunistic even when we are under memory + pressure (in the overmem condition). Split the opportunistic LRU + cleaning and overmem cleaning and make the overmem cleaning always + cleanup double of the newly allocated adbname/adbentry to ensure we + never allocate more memory than the assigned limit. :gl:`!10708` + +- Prevent spurious validation failures. ``4d24dabc25`` + + Under rare circumstances, validation could fail if multiple clients + simultaneously iterated the same set of signatures. + + References #3014 :gl:`!10816` + +- Rescan the interfaces again when reconfiguring the server. + ``c9f05d750a`` + + On FreeBSD, the server would not listen on the configured 'localhost' + interfaces immediately, but only after the 'interface-interval' period + has passed. After the fix for default interface-interval was merged + in !10281, this means the server would listen on the localhost after + 60 minutes. + + Rescan the interfaces immediately after configuring the + interface-interval value to start listening on the 'localhost' + interface immediately. :gl:`!10758` + + diff --git a/doc/notes/notes-9.18.39.rst b/doc/notes/notes-9.18.39.rst new file mode 100644 index 0000000000..c9bae527ed --- /dev/null +++ b/doc/notes/notes-9.18.39.rst 
@@ -0,0 +1,66 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.39 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Support for parsing the DSYNC record has been added. + + :gl:`#5440` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest + type 1. + + RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated + by the IETF and should no longer be used for DNSSEC. DS digest type 1 + (SHA1) has also been deprecated in BIND 9. Validators are now expected to treat + these algorithms and digest as unknown, resulting in some zones being + treated as insecure when they were previously treated as secure. + Warnings have been added to :iscman:`named` and tools when these algorithms and + this digest are being used for signing. + + Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a + different DNSKEY algorithm. + + Zones with DS or CDS records with digest type 1 (SHA1) should be + updated to use a different digest type (e.g. SHA256) and the digest + type 1 records should be removed. :gl:`#5358` + +Bug Fixes +~~~~~~~~~ + +- Clean enough memory when adding new ADB names/entries under memory + pressure. + + The ADB memory cleaning is opportunistic even when BIND is under memory + pressure (in the overmem condition). The opportunistic LRU + cleaning and overmem cleaning have been split, and the overmem cleaning always + cleans up double of the newly allocated adbname/adbentry to ensure we + never allocate more memory than the assigned limit. 
:gl:`!10637` + +- Rescan the interfaces again when reconfiguring the server. + + Previously on FreeBSD, the server did not listen on the configured ``localhost`` + interfaces immediately, but only after the ``interface-interval`` period + had passed. After an earlier fix, the server would listen on the ``localhost`` after + 60 minutes. + + Now, the interfaces are rescanned immediately after configuring the + ``interface-interval`` value and begin listening on the ``localhost`` + interface immediately. :gl:`!10758` + +
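Review bot: In doc/changelog/changelog-9.18.39.rst, the Feature Changes entry spells the second algorithm two ways: the summary line says ``RSASHA1-NSEC3SHA1``, while both body paragraphs say ``RSASHA1-NSEC-SHA1`` (no "3"). Use one spelling throughout, so that an operator who searches the changelog for the algorithm name from a deprecation warning finds this entry. In the same file, "Related to #5358" and "References #3014" are plain text, whereas the other issue references use the ``:gl:`` role (for example :gl:`#5440`); if links are intended there, use the role. The ADB entry's "always cleanup double of the newly allocated adbname/adbentry" would read better as "always clean up twice the newly allocated adbname/adbentry".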
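Review bot: In doc/notes/notes-9.18.39.rst, the ADB memory-cleaning entry cites :gl:`!10637`, but the changelog entry for the same change in this patch cites :gl:`!10708`; confirm which merge request is correct and make the two files agree. The deprecation entry here has the same ``RSASHA1-NSEC3SHA1`` versus ``RSASHA1-NSEC-SHA1`` mismatch between its summary and body as the changelog. It also says DS digest type 1 "has also been deprecated in BIND 9" where the changelog says only "has also been deprecated"; pick the wording that matches the intent. In the FreeBSD entry, "After an earlier fix, the server would listen on the ``localhost`` after 60 minutes" drops the merge request reference that the changelog gives (!10281) and the word "interface" after ``localhost``; consider restoring "interface" so the sentence matches the two around it.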