From 78148b11f15b0a14e2bbfebaf93ce1d9c32f5c71 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 6 Nov 2025 19:24:45 +0100 Subject: [PATCH 1/5] Generate changelog for BIND 9.20.16 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.20.16.rst | 82 +++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 doc/changelog/changelog-9.20.16.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 2188280886..0f68889b60 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.16.rst .. include:: ../changelog/changelog-9.20.15.rst .. include:: ../changelog/changelog-9.20.14.rst .. include:: ../changelog/changelog-9.20.13.rst diff --git a/doc/changelog/changelog-9.20.16.rst b/doc/changelog/changelog-9.20.16.rst new file mode 100644 index 0000000000..a35ab1523b --- /dev/null +++ b/doc/changelog/changelog-9.20.16.rst 
@@ -0,0 +1,82 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.16 +------------ + +Feature Changes +~~~~~~~~~~~~~~~ + +- Fix assertion failure from arc4random_uniform with invalid limit. + ``1040282de7e`` + + When the arc4random_uniform() is called on NetBSD with upper_bound + that makes no sense statistically (0 or 1), the call crashes the + calling program. Fix this by returning 0 when upper bound is < 2 as + does Linux, FreeBSD and NetBSD. (Hint: System CSPRNG should never + crash.) :gl:`#5596` :gl:`!11151` + +Bug Fixes +~~~~~~~~~ + +- Fix dnssec-keygen key collision checking for KEY rrtype keys. + ``ac8b23b80bf`` + + The :iscman:`dnssec-keygen` utility program failed to detect possible + Key ID collisions with the existing keys generated using the + non-default ``-T KEY`` option (e.g. for ``SIG(0)``). This has been + fixed. :gl:`#5506` :gl:`!11128` + +- Fix shutdown INSIST in dns_dispatchmgr_getblackhole. ``f0aaaef166c`` + + Previously, `named` could trigger an assertion in + `dns_dispatchmgr_getblackhole` while shutting down. This has been + fixed. :gl:`#5525` :gl:`!11162` + +- Dnssec-verify now uses exit code 1 when failing due to illegal + options. ``6ead0aa4a2b`` + + Previously, dnssec-verify exited with code 0 if the options could not + be parsed. This has been fixed. :gl:`#5574` :gl:`!11129` + +- Prevent assertion failures of dig when server is specified before the + -b option. ``deada63e2b2`` + + Previously, :iscman:`dig` could exit with an assertion failure when + the server was specified before the :option:`dig -b` option. This has + been fixed. 
:gl:`#5609` :gl:`!11204` + +- Skip unsupported algorithms when looking for signing key. + ``c346fe88a1b`` + + A mix of supported and unsupported DNSSEC algorithms in the same zone + could have caused validation failures. Ignore the DNSSEC keys with + unsupported algorithm when looking for the signing keys. :gl:`#5622` + :gl:`!11210` + +- Fix configuration bugs involving global defaults. ``a85d6fb581c`` + + The configuration code for the `max-cache-size`, `dnssec-validation`, + and `response-padding` options were unnecessarily complicated, and in + the case of `max-cache-size`, buggy. These have been fixed. The + `optionmaps` variable in `configure_view()` is no longer needed and + has been removed. :gl:`!11172` + +- Skip buffer allocations if not logging. ``4f601175bd0`` + + Currently, during IXFR we allocate a 2KB buffer for IXFR change + logging regardless of the log level. This commit introduces an early + check on the log level in dns_diff_print to avoid this. + + Results in a speedup from 28% in the test case from issue #5442. + :gl:`!11192` + + From 9f1a1602d72da357ce0397c76e49f94102d9b161 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 6 Nov 2025 19:26:23 +0100 Subject: [PATCH 2/5] Prepare release notes for BIND 9.20.16 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.20.16.rst | 58 +++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 doc/notes/notes-9.20.16.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 77ce5df00c..1baca621d8 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.16.rst .. include:: ../notes/notes-9.20.15.rst .. include:: ../notes/notes-9.20.14.rst .. include:: ../notes/notes-9.20.13.rst 
diff --git a/doc/notes/notes-9.20.16.rst b/doc/notes/notes-9.20.16.rst new file mode 100644 index 0000000000..17bb16c8c4 --- /dev/null +++ b/doc/notes/notes-9.20.16.rst 
@@ -0,0 +1,58 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.16 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- Fix dnssec-keygen key collision checking for KEY rrtype keys. + + The :iscman:`dnssec-keygen` utility program failed to detect possible + Key ID collisions with the existing keys generated using the + non-default ``-T KEY`` option (e.g. for ``SIG(0)``). This has been + fixed. :gl:`#5506` + +- Fix shutdown INSIST in dns_dispatchmgr_getblackhole. + + Previously, `named` could trigger an assertion in + `dns_dispatchmgr_getblackhole` while shutting down. This has been + fixed. :gl:`#5525` + +- Dnssec-verify now uses exit code 1 when failing due to illegal + options. + + Previously, dnssec-verify exited with code 0 if the options could not + be parsed. This has been fixed. :gl:`#5574` + +- Prevent assertion failures of dig when server is specified before the + -b option. + + Previously, :iscman:`dig` could exit with an assertion failure when + the server was specified before the :option:`dig -b` option. This has + been fixed. :gl:`#5609` + +- Skip unsupported algorithms when looking for signing key. + + A mix of supported and unsupported DNSSEC algorithms in the same zone + could have caused validation failures. Ignore the DNSSEC keys with + unsupported algorithm when looking for the signing keys. :gl:`#5622` + +- Skip buffer allocations if not logging. + + Currently, during IXFR we allocate a 2KB buffer for IXFR change + logging regardless of the log level. This commit introduces an early + check on the log level in dns_diff_print to avoid this. 
+ + Results in a speedup from 28% in the test case from issue #5442. + + From 19aedb42c7eb1e11978de91450c2afae02283ac0 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 6 Nov 2025 12:23:11 +0100 Subject: [PATCH 3/5] Tweak and reword release notes --- doc/notes/notes-9.20.16.rst | 42 ++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/doc/notes/notes-9.20.16.rst b/doc/notes/notes-9.20.16.rst index 17bb16c8c4..88f24ecff6 100644 --- a/doc/notes/notes-9.20.16.rst +++ b/doc/notes/notes-9.20.16.rst 
@@ -15,44 +15,44 @@ Notes for BIND 9.20.16 Bug Fixes ~~~~~~~~~ -- Fix dnssec-keygen key collision checking for KEY rrtype keys. +- Fix :iscman:`dnssec-keygen` key collision checking for KEY RRtype + keys. The :iscman:`dnssec-keygen` utility program failed to detect possible - Key ID collisions with the existing keys generated using the - non-default ``-T KEY`` option (e.g. for ``SIG(0)``). This has been - fixed. :gl:`#5506` + KEY ID collisions with existing keys generated using the non-default + ``-T KEY`` option (e.g., for ``SIG(0)``). This has been fixed. + :gl:`#5506` -- Fix shutdown INSIST in dns_dispatchmgr_getblackhole. +- Fix shutdown assertion in ``dns_dispatchmgr_getblackhole``. - Previously, `named` could trigger an assertion in - `dns_dispatchmgr_getblackhole` while shutting down. This has been + Previously, :iscman:`named` could trigger an assertion in + ``dns_dispatchmgr_getblackhole`` while shutting down. This has been fixed. :gl:`#5525` -- Dnssec-verify now uses exit code 1 when failing due to illegal - options. +- :iscman:`dnssec-verify` now uses exit code 1 when failing due to + illegal options. - Previously, dnssec-verify exited with code 0 if the options could not - be parsed. This has been fixed. :gl:`#5574` + Previously, :iscman:`dnssec-verify` exited with code 0 if the options + could not be parsed. This has been fixed. :gl:`#5574` -- Prevent assertion failures of dig when server is specified before the - -b option. +- Prevent assertion failures of :iscman:`dig` when a server is specified + before the ``-b`` option. Previously, :iscman:`dig` could exit with an assertion failure when - the server was specified before the :option:`dig -b` option. This has + a server was specified before the :option:`dig -b` option. This has been fixed. :gl:`#5609` -- Skip unsupported algorithms when looking for signing key. +- Skip unsupported algorithms when looking for a signing key. 
A mix of supported and unsupported DNSSEC algorithms in the same zone - could have caused validation failures. Ignore the DNSSEC keys with - unsupported algorithm when looking for the signing keys. :gl:`#5622` + could cause validation failures. Unsupported algorithms are now + ignored when looking for signing keys. :gl:`#5622` - Skip buffer allocations if not logging. - Currently, during IXFR we allocate a 2KB buffer for IXFR change - logging regardless of the log level. This commit introduces an early - check on the log level in dns_diff_print to avoid this. + Previously, we allocated a 2KB buffer for IXFR change logging, + regardless of the log level. - Results in a speedup from 28% in the test case from issue #5442. + This results in a 28% speedup in some scenarios. From 15e365b742054df1c6f62cbfdf753d2573abebdc Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 6 Nov 2025 19:39:44 +0100 Subject: [PATCH 4/5] Reorder release notes --- doc/notes/notes-9.20.16.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/notes/notes-9.20.16.rst b/doc/notes/notes-9.20.16.rst index 88f24ecff6..81bc43737b 100644 --- a/doc/notes/notes-9.20.16.rst +++ b/doc/notes/notes-9.20.16.rst @@ -15,6 +15,12 @@ Notes for BIND 9.20.16 Bug Fixes ~~~~~~~~~ +- Skip unsupported algorithms when looking for a signing key. + + A mix of supported and unsupported DNSSEC algorithms in the same zone + could cause validation failures. Unsupported algorithms are now + ignored when looking for signing keys. :gl:`#5622` + - Fix :iscman:`dnssec-keygen` key collision checking for KEY RRtype keys. 
@@ -42,12 +48,6 @@ Bug Fixes a server was specified before the :option:`dig -b` option. This has been fixed. :gl:`#5609` -- Skip unsupported algorithms when looking for a signing key. - - A mix of supported and unsupported DNSSEC algorithms in the same zone - could cause validation failures. Unsupported algorithms are now - ignored when looking for signing keys. :gl:`#5622` - - Skip buffer allocations if not logging. Previously, we allocated a 2KB buffer for IXFR change logging, From 9240a3eb97d6974aed184ed4ac52f0974d1c34ed Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 6 Nov 2025 19:40:22 +0100 Subject: [PATCH 5/5] Drop #5525 release note --- doc/notes/notes-9.20.16.rst | 6 ------ 1 file changed, 6 deletions(-) diff --git a/doc/notes/notes-9.20.16.rst b/doc/notes/notes-9.20.16.rst index 81bc43737b..7a63a2fc54 100644 --- a/doc/notes/notes-9.20.16.rst +++ b/doc/notes/notes-9.20.16.rst @@ -29,12 +29,6 @@ Bug Fixes ``-T KEY`` option (e.g., for ``SIG(0)``). This has been fixed. :gl:`#5506` -- Fix shutdown assertion in ``dns_dispatchmgr_getblackhole``. - - Previously, :iscman:`named` could trigger an assertion in - ``dns_dispatchmgr_getblackhole`` while shutting down. This has been - fixed. :gl:`#5525` - - :iscman:`dnssec-verify` now uses exit code 1 when failing due to illegal options.
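Review bot: In PATCH 1/5, the ``arc4random_uniform`` entry in doc/changelog/changelog-9.20.16.rst contradicts itself: it says the call crashes on NetBSD, then says that returning 0 for an upper bound < 2 is what "Linux, FreeBSD and NetBSD" do. One of the two platform names has to be wrong; please check it against commit ``1040282de7e`` and correct it here or at the source the changelog is generated from. The entry is also filed under "Feature Changes" although its title begins "Fix assertion failure", so "Bug Fixes" looks like the right section. Since PATCH 2/5 leaves this entry out of the release notes, please confirm that a crash in the random-number path is not something operators on the affected platform need to be told about.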
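Review bot: In PATCH 2/5, doc/notes/notes-9.20.16.rst has no entry for "Fix configuration bugs involving global defaults", although the changelog added in PATCH 1/5 describes the ``max-cache-size`` handling as buggy. If that bug could change the effective value of ``max-cache-size``, ``dnssec-validation`` or ``response-padding`` on a running server, users need a release note saying which configurations were affected. If it was never user-visible, a sentence to that effect in the commit message would settle the omission.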
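Review bot: In PATCH 3/5, the reworded "Skip buffer allocations if not logging" entry no longer says what changed. After "Previously, we allocated a 2KB buffer for IXFR change logging, regardless of the log level." the next sentence, "This results in a 28% speedup in some scenarios.", reads as if the old allocation produced the speedup. Add a sentence stating the new behaviour (the log level is checked first and the buffer is not allocated when nothing will be logged), and add a ``:gl:`` reference, which every other entry in the file carries. Separately, the dnssec-keygen entry changes "Key ID" to "KEY ID"; in all caps it reads as the KEY RRtype rather than the key's identifier, so keep "key ID" unless the capitalisation is intended.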
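Review bot: In PATCH 5/5, the commit message "Drop #5525 release note" gives no reason for removing the ``dns_dispatchmgr_getblackhole`` entry, while the changelog from PATCH 1/5 still lists the fix. Say in the commit message why the shutdown assertion does not merit a release note, so that the difference between the changelog and the notes is documented rather than looking like an accidental loss.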