Merge branch 'nicki/prepare-documentation-for-bind-9.18.28' into 'v9.18.28-release'

Prepare documentation for BIND 9.18.28 See merge request isc-private/bind9!707
2026-06-10 18:00:00 -04:00 · 2024-07-08 13:11:44 +00:00 · 2024-07-08 13:11:44 +00:00 · df02a1313b
commit df02a1313b
parent ec3e15da3a a4461699e2
5 changed files with 124 additions and 105 deletions
--- a/6
+++ b/6
@ -1,10 +1,10 @@
+6404.	[security]	Remove SIG(0) support from named as a countermeasure
+			for CVE-2024-1975. [GL #4480]
+
 6403.	[security]	qctx-zversion was not being cleared when it should have
 			been leading to an assertion failure if it needed to be
 			reused. (CVE-2024-4076) [GL #4507]

-6402.	[security]	Remove SIG(0) support from named as a countermeasure
-			for CVE-2024-1975. [GL #4480]
-
 6401.	[security]	An excessively large number of rrtypes per owner can
 			slow down database query processing, so a limit has been
 			placed on the number of rrtypes that can be stored per
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@ -35,7 +35,7 @@ information about each release, and source code.

 .. include:: ../notes/notes-known-issues.rst

-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.18.28.rst
 .. include:: ../notes/notes-9.18.27.rst
 .. include:: ../notes/notes-9.18.26.rst
 .. include:: ../notes/notes-9.18.25.rst
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -3786,15 +3786,33 @@ system.
   :short: Sets the maximum number of RR types that can be stored for an owner name

   This sets the maximum number of resource record types that can be stored
-   for a single owner name in a database. When configured in :namedconf:ref:`options`
-   or :namedconf:ref:`view`, it controls the cache database, and also sets
-   the default value for zone databases, which can be overridden by setting
-   it at the :namedconf:ref:`zone` level
+   for a single owner name in a database. When configured in
+   :namedconf:ref:`options` or :namedconf:ref:`view`, it controls the cache
+   database and sets the default value for zone databases, which can be
+   overridden by setting it at the :namedconf:ref:`zone` level.

-   If set to a positive value, any attempt to cache or to add to a zone an owner
-   name with more than the specified number of resource record types will result
-   in a failure.  If set to 0, there is no cap on RR types number.  The default is
-   100.
+   An RR type and its corresponding signature are counted as two types. So,
+   for example, a signed node containing A and AAAA records has four types:
+   A, RRSIG(A), AAAA, and RRSIG(AAAA).
+
+   The behavior is slightly different for zone and cache databases:
+
+   In a zone, if :any:`max-types-per-name` is set to a positive number, any
+   attempt to add a new resource record set to a name that already has the
+   specified number of types will fail.
+
+   In a cache, if :any:`max-types-per-name` is set to a positive number, an
+   attempt to add a new resource record set to a name that already has the
+   specified number of types will temporarily succeed so that the query can
+   be answered. However, the newly added RRset will immediately be purged.
+
+   Certain high-priority types, including SOA, CNAME, DNSKEY, and their
+   corresponding signatures, are always cached. If :any:`max-types-per-name`
+   is set to a very low value, then it may be ignored to allow high-priority
+   types to be cached.
+
+   When :any:`max-types-per-name` is set to 0, there is no cap on the number
+   of RR types.  The default is 100.

 .. namedconf:statement:: recursive-clients
   :tags: query
--- a/doc/notes/notes-9.18.28.rst
+++ b/doc/notes/notes-9.18.28.rst
@ -0,0 +1,94 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.28
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- A malicious DNS client that sent many queries over TCP but never read
+  the responses could cause a server to respond slowly or not at all for
+  other clients. This has been fixed. :cve:`2024-0760` :gl:`#4481`
+
+- It is possible to craft excessively large resource records sets, which
+  have the effect of slowing down database processing. This has been
+  addressed by adding a configurable limit to the number of records that
+  can be stored per name and type in a cache or zone database. The
+  default is 100, which can be tuned with the new
+  :any:`max-records-per-type` option. :gl:`#497` :gl:`#3405`
+
+  It is possible to craft excessively large numbers of resource record
+  types for a given owner name, which has the effect of slowing down
+  database processing. This has been addressed by adding a configurable
+  limit to the number of records that can be stored per name and type in
+  a cache or zone database.  The default is 100, which can be tuned with
+  the new :any:`max-types-per-name` option. :cve:`2024-1737` :gl:`#3403`
+
+  ISC would like to thank Toshifumi Sakaguchi who independently
+  discovered and responsibly reported the issue to ISC. :gl:`#4548`
+
+- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`)
+  could cause excessive CPU load, leading to a denial-of-service
+  condition. Support for SIG(0) message validation was removed from this
+  version of :iscman:`named`. :cve:`2024-1975` :gl:`#4480`
+
+- Due to a logic error, lookups that triggered serving stale data and
+  required lookups in local authoritative zone data could have resulted
+  in an assertion failure. This has been fixed. :cve:`2024-4076`
+  :gl:`#4507`
+
+- Potential data races were found in our DoH implementation, related to
+  HTTP/2 session object management and endpoints set object management
+  after reconfiguration. These issues have been fixed. :gl:`#4473`
+
+  ISC would like to thank Dzintars and Ivo from nic.lv for bringing this
+  to our attention.
+
+- When looking up the NS records of parent zones as part of looking up DS
+  records, it was possible for :iscman:`named` to trigger an assertion
+  failure if serve-stale was enabled. This has been fixed. :gl:`#4661`
+
+Bug Fixes
+~~~~~~~~~
+
+- Command-line options for IPv4-only (:option:`named -4`) and IPv6-only
+  (:option:`named -6`) modes are now respected for zone :any:`primaries`,
+  :any:`also-notify`, and :any:`parental-agents`. :gl:`#3472`
+
+- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL,
+  if ``add-soa`` was used. This has been fixed. :gl:`#3323`
+
+- When a query related to zone maintenance (NOTIFY, SOA) timed out close
+  to a view shutdown (triggered e.g. by :option:`rndc reload`),
+  :iscman:`named` could crash with an assertion failure. This has been
+  fixed. :gl:`#4719`
+
+- The statistics channel counters that indicated the number of currently
+  connected TCP IPv4/IPv6 clients were not properly adjusted in certain
+  failure scenarios. This has been fixed. :gl:`#4742`
+
+- Some servers that could not be reached due to EHOSTDOWN or ENETDOWN
+  conditions were incorrectly prioritized during server selection. These
+  are now properly handled as unreachable. :gl:`#4736`
+
+- On some systems the libuv call may return an error code when sending a
+  TCP reset for a connection, which triggers an assertion failure in
+  :iscman:`named`. This error condition is now dealt with in a more
+  graceful manner, by logging the incident and shutting down the
+  connection. :gl:`#4708`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -1,93 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-Notes for BIND 9.18.28
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
- Malicious DNS client that sends many queries over TCP but never reads
-  responses can cause server to respond slowly or not respond at all for other
-  clients. :cve:`2024-0760` :gl:`#4481`
-
- Excessively large resource record sets can be crafted to slow down
-  database processing. This has been addressed by adding a configurable
-  limit to the number of records that can be stored per name and type in
-  a cache or zone database. The default is 100, but it can be tuned with
-  the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405`
-
-  An excessively large number of resource record types for a single owner name can
-  be crafted to slow down database processing. This has been addressed by adding
-  a configurable limit to the number of records that can be stored per name and
-  type in a cache or zone database.  The default is 100, and can be tuned with
-  the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403`
-
-  ISC would like to thank Toshifumi Sakaguchi who independently discovered
-  and responsibly reported the issue to ISC. :gl:`#4548`
-
- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`) could
-  cause excessive CPU load, leading to a denial-of-service condition.
-  Support for SIG(0) message validation was removed from this version of
-  :iscman:`named`. :cve:`2024-1975` :gl:`#4480`
-
- Due to a logic error, lookups that trigger serving stale data and require
-  lookups in local authoritative zone data may result in an assertion failure.
-  This has been fixed. :cve:`2024-4076` :gl:`#4507`
-
- Named could trigger an assertion failure when looking up the NS
-  records of parent zones as part of looking up DS records.  This
-  has been fixed. :gl:`#4661`
-
-New Features
-~~~~~~~~~~~~
-
- None.
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
- None.
-
-Bug Fixes
-~~~~~~~~~
-
- Potential data races were found in our DoH implementation related
-  to HTTP/2 session object management and endpoints set object
-  management after reconfiguration. These issues have been
-  fixed. :gl:`#4473`
-
-  ISC would like to thank Dzintars and Ivo from nic.lv for bringing
-  this to our attention.
-
- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if
-  ``add-soa`` was used. This has been fixed. :gl:`#3323`
-
- When a query related to zone maintenance (NOTIFY, SOA) timed out close
-  to a view shutdown (triggered e.g. by :option:`rndc reload`),
-  :iscman:`named` could crash with an assertion failure. This has been
-  fixed. :gl:`#4719`
-
- The statistics channel counters that indicated the number of currently
-  connected TCP IPv4/IPv6 clients were not properly adjusted in certain
-  failure scenarios. This has been fixed. :gl:`#4742`
-
-Known Issues
-~~~~~~~~~~~~
-
- There are no new known issues with this release. See :ref:`above
-  <relnotes_known_issues>` for a list of all known issues affecting this
-  BIND 9 branch.