From 84d9529560be2e5754b8e49449227521805ce753 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 7 Mar 2025 20:38:25 +0100 Subject: [PATCH 1/3] Generate changelog for BIND 9.18.35 --- doc/arm/changelog.rst | 2 + doc/changelog/changelog-9.18.35-S1.rst | 11 ++ doc/changelog/changelog-9.18.35.rst | 134 +++++++++++++++++++++++++ 3 files changed, 147 insertions(+) create mode 100644 doc/changelog/changelog-9.18.35-S1.rst create mode 100644 doc/changelog/changelog-9.18.35.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 3f9ee056c0..32c151f854 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,8 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.35-S1.rst +.. include:: ../changelog/changelog-9.18.35.rst .. include:: ../changelog/changelog-9.18.34-S1.rst .. include:: ../changelog/changelog-9.18.34.rst .. include:: ../changelog/changelog-9.18.33-S1.rst diff --git a/doc/changelog/changelog-9.18.35-S1.rst b/doc/changelog/changelog-9.18.35-S1.rst new file mode 100644 index 0000000000..ba871808a1 --- /dev/null +++ b/doc/changelog/changelog-9.18.35-S1.rst @@ -0,0 +1,11 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + diff --git a/doc/changelog/changelog-9.18.35.rst b/doc/changelog/changelog-9.18.35.rst new file mode 100644 index 0000000000..2e5fce8616 --- /dev/null +++ b/doc/changelog/changelog-9.18.35.rst 
@@ -0,0 +1,134 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.35 +------------ + +New Features +~~~~~~~~~~~~ + +- Add digest methods for SIG and RRSIG. ``7f4023fe7d`` + + ZONEMD digests RRSIG records and potentially digests SIG record. Add + digests methods for both record types. :gl:`#5219` :gl:`!10219` + +Bug Fixes +~~~~~~~~~ + +- Prevent a reference leak when using plugins. ``8d0d08ec00`` + + The `NS_QUERY_DONE_BEGIN` and `NS_QUERY_DONE_SEND` plugin hooks could + cause a reference leak if they returned `NS_HOOK_RETURN` without + cleaning up the query context properly. :gl:`#2094` :gl:`!10171` + +- Fix memory ordering issues with atomic operations in the quota.c + module. ``86f02349e5`` + + Change all the non-locked operations on `quota->used` and + `quota->waiting` to "acq/rel" for inter-thread synchronization. Some + loads are left as "relaxed", because they are under a locked mutex + which also provides protection. + + Also use relaxed memory ordering for `quota->max` and `quota->soft`, + as done in the main branch; possible ordering issues for these + variables are acceptable. :gl:`#5018` :gl:`!10203` + +- Fix deferred validation of unsigned DS and DNSKEY records. + ``60a26ecd43`` + + When processing a query with the "checking disabled" bit set (CD=1), + `named` stores the unvalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated, + and either accepted as an answer, or ejected from the cache as + invalid. 
This deferred validation was not attempted for DS and DNSKEY + records if they had no cached signatures, causing spurious validation + failures. We now complete the deferred validation in this scenario. + + Also, if deferred validation fails, we now re-query the data to find + out whether the zone has been corrected since the invalid data was + cached. :gl:`#5066` :gl:`!10106` + +- When recording an rr trace, use libtool. ``42afefe031`` + + When a system test is run with the `USE_RR` environment variable set + to 1, an `rr` trace is now correctly generated for each instance of + `named`. :gl:`#5079` :gl:`!10208` + +- Do not cache signatures for rejected data. ``7e24b9f6ec`` + + The cache has been updated so that if new data is rejected - for + example, because there was already existing data at a higher trust + level - then its covering RRSIG will also be rejected. :gl:`#5132` + :gl:`!10135` + +- Fix a race issue in dns_view_addzone() ``a946528023`` + + Views use two types of reference counting - regular and weak, and when + there are no more regular references, the `view_flushanddetach()` + function destroys or detaches some parts of the view, including + `view->zonetable`, while other parts are freed by `destroy()` when the + last weak reference is detached. Since catalog zones use weak + references to attach a view, it's currently possible that during + shutdown catalog zone processing will try to add a new zone into an + otherwise unused view (because it's shutting down) which doesn't have + an attached zonetable any more. This could cause an assertion failure. + Fix this issue by modifying the `dns_view_addzone()` function to + expect that `view->zonetable` can be `NULL`, and in that case just + return `ISC_R_SHUTTINGDOWN`. :gl:`#5138` :gl:`!10086` + +- Fix RPZ race condition during a reconfiguration. 
``54bb8252e2`` + + With RPZ in use, `named` could terminate unexpectedly because of a + race condition when a reconfiguration command was received using + `rndc`. This has been fixed. :gl:`#5146` :gl:`!10145` + +- "CNAME and other data check" not applied to all types. ``aaaf2e989a`` + + An incorrect optimization caused "CNAME and other data" errors not to + be detected if certain types were at the same node as a CNAME. This + has been fixed. :gl:`#5150` :gl:`!10101` + +- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. + ``b601cb32ee`` + + Previously, when parsing responses, named incorrectly rejected + responses without matching RRSIG records for NSEC/DS/NSEC3 records in + the authority section. This rejection, if appropriate, should have + been left for the validator to determine and has been fixed. + :gl:`#5185` :gl:`!10143` + +- Fix a logic error in cache_name() ``ab047ff47f`` + + A change in 6aba56ae8 (checking whether a rejected RRset was identical + to the data it would have replaced, so that we could still cache a + signature) inadvertently introduced cases where processing of a + response would continue when previously it would have been skipped. + :gl:`#5197` :gl:`!10159` + +- Finalize removal of memory debug flags size and mctx [9.18] + ``853a966fe7`` + + :gl:`!9607` + +- Post [CVE-2024-12705] Performance Drop Fixes, Part 2. ``e811f444b7`` + + :gl:`!10193` + +- Post [CVE-2024-12705] Performance Drop Fixes. ``8d96ff01d4`` + + :gl:`!10128` + +- Sync the TSAN CC, CFLAGS and LDFLAGS in the respdiff:tsan job. + ``22fd7c4eb4`` + + :gl:`!10213` + + From c6869f1e4d22f2d68882680651993d244e37359d Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 7 Mar 2025 20:38:43 +0100 Subject: [PATCH 2/3] Prepare release notes for BIND 9.18.35 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.18.35.rst | 52 +++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 doc/notes/notes-9.18.35.rst 
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 3cbb9ae138..0d0a366e32 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.18 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18 +.. include:: ../notes/notes-9.18.35.rst .. include:: ../notes/notes-9.18.34.rst .. include:: ../notes/notes-9.18.33.rst .. include:: ../notes/notes-9.18.32.rst diff --git a/doc/notes/notes-9.18.35.rst b/doc/notes/notes-9.18.35.rst new file mode 100644 index 0000000000..ddaf7b1dbc --- /dev/null +++ b/doc/notes/notes-9.18.35.rst 
@@ -0,0 +1,52 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.35 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- Fix deferred validation of unsigned DS and DNSKEY records. + + When processing a query with the "checking disabled" bit set (CD=1), + `named` stores the unvalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated, + and either accepted as an answer, or ejected from the cache as + invalid. This deferred validation was not attempted for DS and DNSKEY + records if they had no cached signatures, causing spurious validation + failures. We now complete the deferred validation in this scenario. + + Also, if deferred validation fails, we now re-query the data to find + out whether the zone has been corrected since the invalid data was + cached. :gl:`#5066` + +- Fix RPZ race condition during a reconfiguration. + + With RPZ in use, `named` could terminate unexpectedly because of a + race condition when a reconfiguration command was received using + `rndc`. This has been fixed. :gl:`#5146` + +- "CNAME and other data check" not applied to all types. + + An incorrect optimization caused "CNAME and other data" errors not to + be detected if certain types were at the same node as a CNAME. This + has been fixed. :gl:`#5150` + +- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. + + Previously, when parsing responses, named incorrectly rejected + responses without matching RRSIG records for NSEC/DS/NSEC3 records in + the authority section. 
This rejection, if appropriate, should have + been left for the validator to determine and has been fixed. + :gl:`#5185` + + From ee61da934af2e97bc63fe9cd1e3489732860e41c Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Tue, 11 Mar 2025 10:39:11 +0100 Subject: [PATCH 3/3] Tweak and reword release notes --- doc/notes/notes-9.18.35.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/notes/notes-9.18.35.rst b/doc/notes/notes-9.18.35.rst index ddaf7b1dbc..a442d48bbc 100644 --- a/doc/notes/notes-9.18.35.rst +++ b/doc/notes/notes-9.18.35.rst 
@@ -18,22 +18,22 @@ Bug Fixes - Fix deferred validation of unsigned DS and DNSKEY records. When processing a query with the "checking disabled" bit set (CD=1), - `named` stores the unvalidated result in the cache, marked "pending". - When the same query is sent with CD=0, the cached data is validated, + :iscman:`named` stores the invalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated and either accepted as an answer, or ejected from the cache as invalid. This deferred validation was not attempted for DS and DNSKEY records if they had no cached signatures, causing spurious validation - failures. We now complete the deferred validation in this scenario. + failures. The deferred validation is now completed in this scenario. - Also, if deferred validation fails, we now re-query the data to find + Also, if deferred validation fails, the data is now re-queried to find out whether the zone has been corrected since the invalid data was cached. :gl:`#5066` - Fix RPZ race condition during a reconfiguration. - With RPZ in use, `named` could terminate unexpectedly because of a + With RPZ in use, :iscman:`named` could terminate unexpectedly because of a race condition when a reconfiguration command was received using - `rndc`. This has been fixed. :gl:`#5146` + :iscman:`rndc`. This has been fixed. :gl:`#5146` - "CNAME and other data check" not applied to all types. 
@@ -41,9 +41,9 @@ Bug Fixes be detected if certain types were at the same node as a CNAME. This has been fixed. :gl:`#5150` -- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. +- Remove NSEC/DS/NSEC3 RRSIG check from ``dns_message_parse()``. - Previously, when parsing responses, named incorrectly rejected + Previously, when parsing responses, :iscman:`named` incorrectly rejected responses without matching RRSIG records for NSEC/DS/NSEC3 records in the authority section. This rejection, if appropriate, should have been left for the validator to determine and has been fixed.
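Review bot: in patch 1 the new doc/changelog/changelog-9.18.35-S1.rst consists only of the license header and a trailing blank line, yet doc/arm/changelog.rst now includes it ahead of changelog-9.18.35.rst. If the Subscription Edition has no entries for this release, a short RST comment in the file stating that it is an intentionally empty placeholder would save the next reader from assuming the generator dropped the content.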
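Review bot: in patch 1, the "Add digest methods for SIG and RRSIG" entry of doc/changelog/changelog-9.18.35.rst reads "potentially digests SIG record. Add digests methods for both record types"; this should be "potentially digests SIG records. Add digest methods for both record types." Two entry titles, "Fix a race issue in dns_view_addzone()" and "Fix a logic error in cache_name()", lack the terminating period every other title has, and the function names (dns_view_addzone(), cache_name(), dns_message_parse) are unmarked here while patch 3 of this series marks the same name as ``dns_message_parse()`` in the release notes; likewise `named` and `rndc` are single-backtick interpreted text here and :iscman: roles after patch 3, so the two documents will render differently. Finally, the four entries that carry only a merge-request reference ("Finalize removal of memory debug flags size and mctx [9.18]", the two "Post [CVE-2024-12705] Performance Drop Fixes" items and the respdiff:tsan CC/CFLAGS/LDFLAGS sync) have no description paragraph; a one-line summary would help operators judge whether the CVE-2024-12705 follow-ups affect their deployments.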
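Review bot: the text patch 2 adds to doc/notes/notes-9.18.35.rst is rewritten again by patch 3 of the same series (`named` and `rndc` become :iscman: roles, dns_message_parse gains ``()``, and the "we now ..." sentences become passive), and its last entry uses bare "named" while the others use `named`; squashing patch 3 into this commit would avoid landing the inconsistent wording first. Note also that in RST a single-backtick `named` is interpreted text in the default role, not a literal, so the :iscman: form is the right target.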
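Review bot: in the first hunk of patch 3, the reworded line ":iscman:`named` stores the invalidated result in the cache, marked "pending"." changes the meaning of the sentence it replaces, which said "unvalidated". A CD=1 answer cached as "pending" has not been validated yet; it is not invalid, and the following sentences say it is validated later and only then possibly ejected as invalid. Keep "unvalidated" and apply only the :iscman: change. The same line also runs past the wrap width used by the surrounding lines, so reflow the paragraph after fixing the word.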
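Review bot: in the second hunk of patch 3, marking the title as ``dns_message_parse()`` is the right call, but the matching changelog entry added by patch 1 (doc/changelog/changelog-9.18.35.rst, "Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse.") still carries the bare name; apply the same markup there so the changelog and the release notes agree.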