From 9635daad52f99e44d0860dbef953152e9a2fbad8 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Tue, 12 Aug 2025 19:15:02 +0200 Subject: [PATCH 1/4] Generate changelog for BIND 9.18.39 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.18.39.rst | 84 +++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 doc/changelog/changelog-9.18.39.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 95a74f0a36..fca3263d94 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.39.rst .. include:: ../changelog/changelog-9.18.38.rst .. include:: ../changelog/changelog-9.18.37.rst .. include:: ../changelog/changelog-9.18.36.rst diff --git a/doc/changelog/changelog-9.18.39.rst b/doc/changelog/changelog-9.18.39.rst new file mode 100644 index 0000000000..b06b438db4 --- /dev/null +++ b/doc/changelog/changelog-9.18.39.rst 
@@ -0,0 +1,84 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.39 +------------ + +New Features +~~~~~~~~~~~~ + +- Support for parsing the DSYNC record has been added. ``4eb5a0ba1c`` + + :gl:`#5440` :gl:`!10821` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest + type 1. ``1ea4164f71`` + + RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated + by the IETF and should no longer be used for DNSSEC. DS digest type 1 + (SHA1) has also been deprecated. Validators are now expected to treat + these algorithms and digest as unknown, resulting in some zones being + treated as insecure when they were previously treated as secure. + Warnings have been added to named and tools when these algorithms and + this digest are being used for signing. + + Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a + different DNSKEY algorithm. + + Zones with DS or CDS records with digest type 1 (SHA1) should be + updated to use a different digest type (e.g. SHA256) and the digest + type 1 records should be removed. + + Related to #5358 :gl:`!10739` + +Bug Fixes +~~~~~~~~~ + +- Fix a possible crash when adding a zone while recursing. + ``c8d4829223`` + + A query for a zone that was not yet loaded may yield an unexpected + result such as a CNAME or DNAME, triggering an assertion failure. This + has been fixed. :gl:`#5357` :gl:`!10719` + +- Clean enough memory when adding new ADB names/entries under memory + pressure. 
``e2f539035d`` + + The ADB memory cleaning is opportunistic even when we are under memory + pressure (in the overmem condition). Split the opportunistic LRU + cleaning and overmem cleaning and make the overmem cleaning always + cleanup double of the newly allocated adbname/adbentry to ensure we + never allocate more memory than the assigned limit. :gl:`!10708` + +- Prevent spurious validation failures. ``4d24dabc25`` + + Under rare circumstances, validation could fail if multiple clients + simultaneously iterated the same set of signatures. + + References #3014 :gl:`!10816` + +- Rescan the interfaces again when reconfiguring the server. + ``c9f05d750a`` + + On FreeBSD, the server would not listen on the configured 'localhost' + interfaces immediately, but only after the 'interface-interval' period + has passed. After the fix for default interface-interval was merged + in !10281, this means the server would listen on the localhost after + 60 minutes. + + Rescan the interfaces immediately after configuring the + interface-interval value to start listening on the 'localhost' + interface immediately. :gl:`!10758` + + From 4f4a06f78212c36fa1300ce89edf8c1858c25b14 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Tue, 12 Aug 2025 19:17:47 +0200 Subject: [PATCH 2/4] Prepare release notes for BIND 9.18.39 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.18.39.rst | 76 +++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 doc/notes/notes-9.18.39.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 5dcfb91965..7349a8b8f0 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.18 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18 +.. include:: ../notes/notes-9.18.39.rst .. include:: ../notes/notes-9.18.38.rst .. include:: ../notes/notes-9.18.37.rst .. include:: ../notes/notes-9.18.36.rst 
diff --git a/doc/notes/notes-9.18.39.rst b/doc/notes/notes-9.18.39.rst new file mode 100644 index 0000000000..b44a340672 --- /dev/null +++ b/doc/notes/notes-9.18.39.rst 
@@ -0,0 +1,76 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.39 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Support for parsing the DSYNC record has been added. + + :gl:`#5440` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest + type 1. + + RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated + by the IETF and should no longer be used for DNSSEC. DS digest type 1 + (SHA1) has also been deprecated. Validators are now expected to treat + these algorithms and digest as unknown, resulting in some zones being + treated as insecure when they were previously treated as secure. + Warnings have been added to named and tools when these algorithms and + this digest are being used for signing. + + Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a + different DNSKEY algorithm. + + Zones with DS or CDS records with digest type 1 (SHA1) should be + updated to use a different digest type (e.g. SHA256) and the digest + type 1 records should be removed. + + Related to #5358 + +Bug Fixes +~~~~~~~~~ + +- Clean enough memory when adding new ADB names/entries under memory + pressure. + + The ADB memory cleaning is opportunistic even when we are under memory + pressure (in the overmem condition). Split the opportunistic LRU + cleaning and overmem cleaning and make the overmem cleaning always + cleanup double of the newly allocated adbname/adbentry to ensure we + never allocate more memory than the assigned limit. + +- Prevent spurious validation failures. 
+ + Under rare circumstances, validation could fail if multiple clients + simultaneously iterated the same set of signatures. + + References #3014 + +- Rescan the interfaces again when reconfiguring the server. + + On FreeBSD, the server would not listen on the configured 'localhost' + interfaces immediately, but only after the 'interface-interval' period + has passed. After the fix for default interface-interval was merged + in !10281, this means the server would listen on the localhost after + 60 minutes. + + Rescan the interfaces immediately after configuring the + interface-interval value to start listening on the 'localhost' + interface immediately. + + From f17775b9125153d950bb4fedbf22cf59e0af405e Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Tue, 12 Aug 2025 19:21:04 +0200 Subject: [PATCH 3/4] Tweak and reword release notes --- doc/notes/notes-9.18.39.rst | 40 ++++++++++++++----------------------- 1 file changed, 15 insertions(+), 25 deletions(-) diff --git a/doc/notes/notes-9.18.39.rst b/doc/notes/notes-9.18.39.rst index b44a340672..c9bae527ed 100644 --- a/doc/notes/notes-9.18.39.rst +++ b/doc/notes/notes-9.18.39.rst 
@@ -22,15 +22,15 @@ New Features Feature Changes ~~~~~~~~~~~~~~~ -- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest +- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest type 1. RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated by the IETF and should no longer be used for DNSSEC. DS digest type 1 - (SHA1) has also been deprecated. Validators are now expected to treat + (SHA1) has also been deprecated in BIND 9. Validators are now expected to treat these algorithms and digest as unknown, resulting in some zones being treated as insecure when they were previously treated as secure. - Warnings have been added to named and tools when these algorithms and + Warnings have been added to :iscman:`named` and tools when these algorithms and this digest are being used for signing. Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a @@ -38,9 +38,7 @@ Feature Changes Zones with DS or CDS records with digest type 1 (SHA1) should be updated to use a different digest type (e.g. SHA256) and the digest - type 1 records should be removed. - - Related to #5358 + type 1 records should be removed. :gl:`#5358` Bug Fixes ~~~~~~~~~ 
@@ -48,29 +46,21 @@ Bug Fixes - Clean enough memory when adding new ADB names/entries under memory pressure. - The ADB memory cleaning is opportunistic even when we are under memory - pressure (in the overmem condition). Split the opportunistic LRU - cleaning and overmem cleaning and make the overmem cleaning always - cleanup double of the newly allocated adbname/adbentry to ensure we - never allocate more memory than the assigned limit. - -- Prevent spurious validation failures. - - Under rare circumstances, validation could fail if multiple clients - simultaneously iterated the same set of signatures. - - References #3014 + The ADB memory cleaning is opportunistic even when BIND is under memory + pressure (in the overmem condition). The opportunistic LRU + cleaning and overmem cleaning have been split, and the overmem cleaning always + cleans up double of the newly allocated adbname/adbentry to ensure we + never allocate more memory than the assigned limit. :gl:`!10637` - Rescan the interfaces again when reconfiguring the server. - On FreeBSD, the server would not listen on the configured 'localhost' - interfaces immediately, but only after the 'interface-interval' period - has passed. After the fix for default interface-interval was merged - in !10281, this means the server would listen on the localhost after + Previously on FreeBSD, the server did not listen on the configured ``localhost`` + interfaces immediately, but only after the ``interface-interval`` period + had passed. After an earlier fix, the server would listen on the ``localhost`` after 60 minutes. - Rescan the interfaces immediately after configuring the - interface-interval value to start listening on the 'localhost' - interface immediately. + Now, the interfaces are rescanned immediately after configuring the + ``interface-interval`` value and begin listening on the ``localhost`` + interface immediately. :gl:`!10758` From 737584125e6b078481e176e814970f560e115f1a Mon Sep 17 00:00:00 2001 
From: Andoni Duarte Pintado Date: Wed, 13 Aug 2025 19:08:48 +0200 Subject: [PATCH 4/4] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0b36dbf2bb..e87c70c01e 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 18)dnl m4_define([bind_VERSION_PATCH], 39)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl
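Review bot: In [PATCH 1/4], doc/changelog/changelog-9.18.39.rst, the Feature Changes entry spells the second algorithm two different ways: the bullet title says "RSASHA1-NSEC3SHA1" while the body says "RSASHA1-NSEC-SHA1" twice, which drops the "3" and reads as a different algorithm. Pick one spelling and use it throughout; the IANA mnemonic is RSASHA1-NSEC3-SHA1. The same paragraph is copied into doc/notes/notes-9.18.39.rst by 2/4, and the 3/4 rewording only touches the title, so the body needs the fix in both files. Minor: "Related to #5358" and "References #3014" are bare text here, while the other entries reference issues through the :gl: role.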
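Review bot: In [PATCH 3/4], hunk "@@ -22,15 +22,15 @@" of doc/notes/notes-9.18.39.rst, the added qualifier in "(SHA1) has also been deprecated in BIND 9." changes the scope of the paragraph: the sentence before it attributes the deprecation to the IETF and the sentence after it describes what validators are expected to do, so it is unclear whether "in BIND 9" is meant for DS digest type 1 only or for all three items. Please state the scope explicitly, or drop the qualifier. The two reworded lines in this hunk (the one above and the one starting "Warnings have been added to :iscman:`named` and tools") are also noticeably longer than the surrounding wrapped lines and should be rewrapped.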
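Review bot: In [PATCH 3/4], hunk "@@ -48,29 +46,21 @@" of doc/notes/notes-9.18.39.rst, the ADB entry now ends with :gl:`!10637`, but the same entry in doc/changelog/changelog-9.18.39.rst (added in 1/4) cites :gl:`!10708`; please confirm which merge request is correct and make the two files agree. This hunk also removes the whole "Prevent spurious validation failures" entry from the release notes while it stays in the changelog, which the subject "Tweak and reword release notes" does not mention; say so in the commit message if the removal is intended. Minor: the rewording changes "when we are under memory pressure" to "when BIND is under memory pressure" but leaves "to ensure we never allocate more memory" in the same paragraph.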