Tweak and reword release notes

2026-05-28 04:34:54 -04:00 · 2026-03-31 12:14:13 +02:00 · 2026-03-31 12:14:13 +02:00 · ce291c4421
commit ce291c4421
parent e438401b8c
1 changed files with 67 additions and 65 deletions
--- a/doc/notes/notes-9.21.21.rst
+++ b/doc/notes/notes-9.21.21.rst
@ -17,9 +17,10 @@ Security Fixes

 - Fix crash when reconfiguring zone update policy during active updates.

-  Fixed a crash that could occur when running rndc reconfig to change a
-  zone's update policy (e.g., from allow-update to update-policy) while
-  DNS UPDATE requests were being processed for that zone.
+  We fixed a crash that could occur when running :option:`rndc reconfig`
+  to change a zone's update policy (e.g., from :any:`allow-update` to
+  :any:`update-policy`) while DNS UPDATE requests were being processed
+  for that zone.

  ISC would like to thank Vitaly Simonovich for bringing this issue to
  our attention. :gl:`#5817`
@ -27,90 +28,94 @@ Security Fixes
 New Features
 ~~~~~~~~~~~~

- Add switch to disable cookie checking in delv.
+- Add switch to disable cookie checking in :iscman:`delv`.

-  This adds the switch +[no]cookie to delv to control the sending of DNS
-  COOKIE options when sending requests.  The default is to send DNS
-  COOKIE options. :gl:`#5825`
+  This adds the ``+[no]cookie`` switch to :iscman:`delv` to control
+  whether DNS COOKIE options are included in requests. The default is to
+  send DNS COOKIE options. :gl:`#5825`

 Removed Features
 ~~~~~~~~~~~~~~~~

- Remove -C option from dnssec-keygen and dnssec-keyfromlabel.
+- Remove ``-C`` option from :iscman:`dnssec-keygen` and
+  :iscman:`dnssec-keyfromlabel`.

-  The -C option, introduced in BIND 9.7, caused a backward-compatible
-  key to be generated, using private key format version 1.2, omitting
-  the creation date and other timing metadata. This made it possible to
-  generate keys that could be loaded by older versions of BIND.
+  The ``-C`` option, introduced in BIND 9.7, caused a
+  backward-compatible key to be generated, using private key format
+  version 1.2, omitting the creation date and other timing metadata.
+  This made it possible to generate keys that could be loaded by older
+  versions of BIND 9.

-  Those older versions having reached end of life many years ago, the
-  option can now be removed, along with the `dnssec-settime -f` option,
-  which caused old-style keys to be upgraded.
+  Those older versions having reached end-of-life many years ago, the
+  option has now been removed, along with the :iscman:`dnssec-settime`
+  ``-f`` option, which caused old-style keys to be upgraded.
+  :gl:`!11446`

- Remove NZF file support in favor of NZD (New Zone Database)
+- Remove NZF file support in favor of NZD.

-  The NZF (New Zone File) backend for storing rndc addzone
-  configurations has been removed; LMDB-based NZD is now the only
-  storage backend and LMDB is now a required build dependency.
+  The NZF (New Zone File) backend for storing :option:`rndc addzone`
+  configurations has been removed; LMDB-based NZD (New Zone
+  Database) is now the only storage backend and LMDB is now
+  a required build dependency.

  Existing NZF files are automatically migrated to NZD on startup, so no
-  manual intervention is required when upgrading.
+  manual intervention is required when upgrading. :gl:`!11688`

 Feature Changes
 ~~~~~~~~~~~~~~~

 - Parent-centric resolver.

-  The `named` resolver now uses a separate "delegation database" to
-  store zone referral data instead of the DNS cache. This new database
-  holds the NS RRset on the parent side of a zone cut, as well as
-  necessary glue records that were included in the referral. The NS
+  The :iscman:`named` resolver now uses a separate "delegation database"
+  to store zone referral data, instead of the DNS cache. This new
+  database holds the NS RRset on the parent side of a zone cut, as well
+  as necessary glue records that were included in the referral.  The NS
  RRset from the child side is cached in the DNS cache and is not used
-  for name resolution.
-
-  This will be a step toward simplifying resolver logic and also
-  supporting DELEG referrals. :gl:`#3311`
+  for recursion. :gl:`#3311`

 - Switch to LRU-only cache eviction, enforce minimum cache size.

-  Busy resolvers will now gradually fill the configured
-  :any:max-cache-size before entries start being evicted. Previously,
+  Busy resolvers now gradually fill to the configured
+  :any:`max-cache-size` before entries start being evicted. Previously,
  expired records were proactively removed based on their TTL, which
-  kept memory usage below the configured limit but added overhead. Cache
-  eviction now relies solely on the SIEVE-LRU mechanism, which has
+  kept memory usage below the configured limit but added overhead.
+  Cache eviction now relies solely on the SIEVE-LRU mechanism, which has
  matured to the point where TTL-based cleaning is no longer necessary.

-  Setting :any:max-cache-size to unlimited or 0 is no longer supported
-  and falls back to the default (90% of physical memory).
+  Setting :any:`max-cache-size` to ``unlimited`` or ``0`` is no longer
+  supported and falls back to the default (90% of physical memory).
+  :gl:`!11459`

 Bug Fixes
 ~~~~~~~~~

- Fix intermittent named crashes during asynchronous zone operations.
+- Fix intermittent :iscman:`named` crashes during asynchronous zone
+  operations.

  Asynchronous zone loading and dumping operations occasionally
  dispatched tasks to the wrong internal event loop. This threading
  violation triggered internal safety assertions that abruptly
-  terminated named. Strict loop affinity is now enforced for these
-  tasks, ensuring they execute on their designated threads and
+  terminated :iscman:`named`. Strict loop affinity is now enforced for
+  these tasks, ensuring they execute on their designated threads and
  preventing the crashes. :gl:`#4882`

 - Fix NTA (Negative Trust Anchor) expiration issue.

  When a configured NTA for a name expired, any possibly cached data for
-  the name (with "insecure" DNSSEC validation result) was not flushed
+  the name (with an "insecure" DNSSEC validation result) was not flushed
  from the resolver's cache. This has been fixed. :gl:`#5747`

 - Count temporal problems with DNSSEC validation as attempts.

-  After KeyTrap, the temporal DNSSEC were originally hard errors that
-  caused validation failures even if the records had another valid
-  signature.  This has been changed and the RRSIGs outside of the
-  inception and expiration time are not counted as hard errors.
-  However, these errors are not even counted as validation attempts, so
-  excessive number of expired RRSIGs would cause some non-cryptograhic
-  extra work for the validator.  This has been fixed and the temporal
-  errors are correctly counted as validation attempts. :gl:`#5760`
+  After the KeyTrap vulnerability :cve:`2023-50387`, any temporal
+  DNSSEC errors were originally hard errors that caused validation
+  failures, even if the records had another valid signature. This has
+  been changed; RRSIGs outside of the inception and expiration time are
+  not counted as hard errors.  However, these errors were not even
+  counted as validation attempts, so an excessive number of expired
+  RRSIGs would cause some non-cryptographic extra work for the
+  validator. This has been fixed and the temporal errors are now
+  correctly counted as validation attempts. :gl:`#5760`

 - Fix a possible deadlock in RPZ processing.

@ -118,26 +123,25 @@ Bug Fixes
  crafted update for a response policy zone (RPZ). This has been fixed.
  :gl:`#5775`

- Fix update-policy per-type max quota bypass via crafted UPDATE
-  messages.
+- Fix :any:`update-policy` per-type max quota bypass via crafted
+  UPDATE messages.

-  An authenticated DDNS client could bypass update-policy per-type
-  record limits (e.g. TXT(3)) by including padding records in the UPDATE
-  message that are silently skipped during processing. Each skipped
-  record shifted an internal counter, causing subsequent records to be
-  checked against the wrong quota — potentially reading an unlimited (0)
-  entry instead of the configured maximum.
+  An authenticated DDNS client could bypass :any:`update-policy`
+  per-type record limits (e.g. ``TXT(3)``) by including padding records
+  in the UPDATE message that were silently skipped during processing.
+  Each skipped record shifted an internal counter, causing subsequent
+  records to be checked against the wrong quota — potentially reading an
+  unlimited (0) entry instead of the configured maximum.

  This allowed a client with valid TSIG credentials to add an arbitrary
  number of records beyond the configured limit across repeated UPDATE
-  messages up to the `max-records-per-type` limit. :gl:`#5799`
+  messages, up to the :any:`max-records-per-type` limit. :gl:`#5799`

- Fix a crash triggered by rndc modzone on zone from configuration file.
+- Fix a crash triggered by :option:`rndc modzone` on a zone from a
+  configuration file.

-  Calling `rndc modzone` on a zone that was configured in the
-  configuration file caused a crash. This has been fixed.
-
-  ISC would like to thank Nathan Reilly for reporting this. :gl:`#5800`
+  Calling :option:`rndc modzone` on a zone that was configured in the
+  configuration file caused a crash. This has been fixed. :gl:`#5800`

 - Fix the processing of empty catalog zone ACLs.

@ -145,11 +149,9 @@ Bug Fixes
  processing a catalog zone ACL in an APL resource record that was
  completely empty. This has been fixed. :gl:`#5801`

- Fix potential resource during resolver error handling.
+- Fix potential resource leak during resolver error handling.

  Under specific error conditions during query processing, resources
  were not being properly released, which could eventually lead to
-  unnecessary memory consumption for the server.  The a potential
-  resource leak in the resolver has been fixed.
-
-
+  unnecessary memory consumption for the server. A potential resource
+  leak in the resolver has been fixed. :gl:`!11658`