diff --git a/doc/notes/notes-9.21.2.rst b/doc/notes/notes-9.21.2.rst index d8ade1f603..4870769310 100644 --- a/doc/notes/notes-9.21.2.rst +++ b/doc/notes/notes-9.21.2.rst @@ -17,9 +17,9 @@ New Features - Log query response status to the query log. - Log a query response summary using the new category `responses`. - Logging can be controlled by the option `responselog` and `rndc - responselog`. :gl:`#459` + Log a query response summary using the new ``responses`` category. + Logging can be controlled via the :any:`responselog` option and via + :option:`rndc responselog`. :gl:`#459` - Added WALLET type. @@ -29,94 +29,79 @@ New Features - Support ISO timestamps with timezone information. - The configuration option `print-time` can now be set to - `iso8601-tzinfo` in order to use the ISO 8601 timestamp with timezone - information when logging. This is used as a default for `named -g`. - :gl:`#4963` + The configuration option :any:`print-time` can now be set to + ``iso8601-tzinfo``, to use the ISO 8601 timestamp with timezone + information when logging. This is used as a default for :option:`named + -g`. :gl:`#4963` -- Add flag to named-checkconf to ignore "not configured" errors. +- Add flag to :iscman:`named-checkconf` to ignore "not configured" + errors. - `named-checkconf` now takes "-n" to ignore "not configured" errors. - This allows named-checkconf to check the syntax of configurations from - other builds which have support for more options. + :iscman:`named-checkconf` now takes the :option:`named-checkconf -n` + option to ignore "not configured" errors. This allows + :iscman:`named-checkconf` to check the syntax of configurations from + other builds that have support for options not present in the + :iscman:`named-checkconf` build. :gl:`!9446` - Implement the ForwardOnlyFail statistics channel counter. The new ForwardOnlyFail statistics channel counter indicates the - number of queries failed due to bad forwarders for 'forward only' - zones. - - Related to #1793 + number of queries that failed due to bad forwarders for "forward only" + zones. Related to :gl:`#1793`. Removed Features ~~~~~~~~~~~~~~~~ -- Remove "port" from source address options. +- Remove ``port`` from source address options. - Remove the use of "port" when configuring query-source(-v6), transfer- - source(-v6), notify-source(-v6), parental-source(-v6), etc. Remove the - use of source ports for parental-agents. + Remove the use of ``port`` when configuring :any:`query-source`, + :any:`transfer-source`, :any:`notify-source`, :any:`parental-source`, + etc., and their ``-v6`` counterparts. Also, remove the use of source + ports for :any:`parental-agents`. - Also remove the deprecated options use-{v4,v6}-udp-ports and - avoid-{v4,v6}udp-ports. :gl:`#3843` + Also remove the deprecated options ``use-v4-udp-ports``, + ``use-v6-udp-ports``, ``avoid-v4-udp-ports``, and + ``avoid-v6-udp-ports``. :gl:`#3843` -- Remove DNSRPS implementation from the open-source version. +- Remove DNSRPS implementation from the open source version of BIND 9. - DNSRPS was the API for a commercial implementation of Response-Policy - Zones that was supposedly better. However, it was never open-sourced - and has only ever been available from a single vendor. This goes - against the principle that the open-source edition of BIND 9 should - contain only features that are generally available and universal. - - This commit removes the DNSRPS implementation from BIND 9. It may be - reinstated in the subscription edition if there's enough interest from - customers, but it would have to be rewritten as a plugin (hook) - instead of hard-wiring it again in so many places. + DNSRPS was a reputedly improved API for a commercial implementation of + Response Policy Zones; however, it was never open-sourced and has only + ever been available from a single vendor. This goes against the + principle that the open source edition of BIND 9 should contain only + features that are generally available and universal. :gl:`!9358` Feature Changes ~~~~~~~~~~~~~~~ -- Set logging category for notify/xfer-in related messages. +- Set logging category for ``notify``/``xfer-in``-related messages. - Some 'notify' and 'xfer-in' related log messages were logged at the - 'general' category instead of their own category. This has been fixed. - :gl:`#2730` + Some ``notify`` and ``xfer-in``-related log messages were logged at + the "general" category level instead of their own category. This has + been fixed. :gl:`#2730` -- Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS. +- Allow IXFR-to-AXFR fallback on ``DNS_R_TOOMANYRECORDS``. This change allows fallback from an IXFR failure to AXFR when the - reason is `DNS_R_TOOMANYRECORDS`. This is because this error condition - could be temporary only in an intermediate version of IXFR - transactions and it's possible that the latest version of the zone - doesn't have that condition. In such a case, the secondary would never - be able to update the zone (even if it could) without this fallback. + reason is ``DNS_R_TOOMANYRECORDS``. :gl:`#4928` - This fallback behavior is particularly useful with the recently - introduced `max-records-per-type` and `max-types-per-name` options: - the primary may not have these limitations and may temporarily - introduce "too many" records, breaking IXFR. If the primary side - subsequently deletes these records, this fallback will help recover - the zone transfer failure automatically; without it, the secondary - side would first need to increase the limit, which requires more - operational overhead and has its own adverse effect. :gl:`#4928` +- Honor the Control Group memory contraints on Linux. -- Honour the Control Group memory contraints on Linux. - - On Linux, the system administrator can use Control Group ``cgroup`` - mechanism to limit the amount of available memory to the process. - This limit will be honoured when calculating the percentage-based - values. + On Linux, the system administrator can use the Control Group + (``cgroup``) mechanism to limit the amount of memory available to the + process. This limit is now honored when calculating the + percentage-based values. :gl:`!9556` Bug Fixes ~~~~~~~~~ -- Fix a statistics channel counter bug when 'forward only' zones are +- Fix a statistics channel counter bug when "forward only" zones are used. - When resolving a zone with a 'forward only' policy, and finding out - that all the forwarders are marked as "bad", the 'ServerQuota' counter - of the statistics channel was incorrectly increased. This has been - fixed. :gl:`#1793` + When resolving a zone with a "forward only" policy, and finding out + that all the forwarders were marked as "bad", the "ServerQuota" + counter of the statistics channel was incorrectly increased. This has + been fixed. :gl:`#1793` - Fix a bug in the static-stub implementation. @@ -126,79 +111,66 @@ Bug Fixes addresses being used instead of the correct server addresses. :gl:`#4850` -- Don't allow statistics-channel if libxml2 and libjson-c are - unsupported. +- Don't allow :any:`statistics-channels` if libxml2 and libjson-c are + not configured. - When the libxml2 and libjson-c libraries are not supported, the - statistics channel can't return anything useful, so it is now - disabled. Use of `statistics-channel` in `named.conf` is a fatal - error. :gl:`#4895` + When BIND 9 is not configured with the libxml2 and libjson-c + libraries, the use of the :any:`statistics-channels` option is a fatal + error. :gl:`#4895` -- Separate DNSSEC validation from the long-running tasks. +- Separate DNSSEC validation from long-running tasks. - As part of the KeyTrap \[CVE-2023-50387\] mitigation, the DNSSEC CPU- - intensive operations were offloaded to a separate threadpool that we - use to run other tasks that could affect the networking latency. + Split CPU-intensive and long-running tasks into separate threadpools + in a way that the long-running tasks - like RPZ, catalog zone + processing, or zone file operations - don't block CPU-intensive + operations like DNSSEC validations. :gl:`#4898` - If that threadpool is running some long-running tasks like RPZ, - catalog zone processing, or zone file operations, it would delay - DNSSEC validations to a point where the resolving signed DNS records - would fail. +- Fix an assertion failure when processing access control lists. - Split the CPU-intensive and long-running tasks into separate - threadpools in a way that the long-running tasks don't block the CPU- - intensive operations. :gl:`#4898` + The :iscman:`named` process could terminate unexpectedly when + processing ACLs. This has been fixed. :gl:`#4908` -- Fix assertion failure when processing access control lists. +- Fix a bug in Offline KSK using a ZSK with an unlimited lifetime. - The named process could terminate unexpectedly when processing ACL. - This has been fixed. :gl:`#4908` - -- Fix bug in Offline KSK that is using ZSK with unlimited lifetime. - - If the ZSK has unlimited lifetime, the timing metadata "Inactive" and - "Delete" cannot be found and is treated as an error, preventing the - zone to be signed. This has been fixed. :gl:`#4914` + If the ZSK had an unlimited lifetime, the timing metadata ``Inactive`` + and ``Delete`` could not be found and were treated as an error, + preventing the zone from being signed. This has been fixed. + :gl:`#4914` - Limit the outgoing UDP send queue size. - If the operating system UDP queue gets full and the outgoing UDP - sending starts to be delayed, BIND 9 could exhibit memory spikes as it - tries to enqueue all the outgoing UDP messages. Try a bit harder to - deliver the outgoing UDP messages synchronously and if that fails, - drop the outgoing DNS message that would get queued up and then + If the operating system UDP queue got full and the outgoing UDP + sending started to be delayed, BIND 9 could exhibit memory spikes as + it tried to enqueue all the outgoing UDP messages. It now tries to + deliver the outgoing UDP messages synchronously; if that fails, it + drops the outgoing DNS message that would get queued up and then timeout on the client side. :gl:`#4930` -- Do not set SO_INCOMING_CPU. +- Do not set ``SO_INCOMING_CPU``. - We currently set SO_INCOMING_CPU incorrectly, and testing by Ondrej - shows that fixing the issue by setting affinities is worse than - letting the kernel schedule threads without constraints. So we should - not set SO_INCOMING_CPU anymore. :gl:`#4936` + Remove the ``SO_INCOMING_CPU`` setting as kernel scheduling performs + better without constraints. :gl:`#4936` -- Fix the 'rndc dumpdb' command's error reporting. +- Fix the :option:`rndc dumpdb` command's error reporting. - The 'rndc dumpdb' command wasn't reporting errors which occurred when - starting up the database dump process by named, like, for example, a - permission denied error for the 'dump-file' file. This has been fixed. - Note, however, that 'rndc dumpdb' performs asynchronous writes, so - errors can also occur during the dumping process, which will not be - reported back to 'rndc', but which will still be logged by named. - :gl:`#4944` + The :option:`rndc dumpdb` command was not reporting errors that + occurred when :iscman:`named` started up the database dump process. + This has been fixed. :gl:`#4944` - Fix long-running incoming transfers. Incoming transfers that took longer than 30 seconds would stop reading from the TCP stream and the incoming transfer would be indefinitely - stuck causing BIND 9 to hang during shutdown. + stuck, causing BIND 9 to hang during shutdown. - This has been fixed and the `max-transfer-time-in` and `max-transfer- - idle-in` timeouts are now honoured. :gl:`#4949` + This has been fixed, and the :any:`max-transfer-time-in` and + :any:`max-transfer-idle-in` timeouts are now honored. :gl:`#4949` -- Fix assertion failure when receiving DNS responses over TCP. +- Fix an assertion failure when receiving DNS responses over TCP. When matching the received Query ID in the TCP connection, an invalid - received Query ID can very rarely cause assertion failure. :gl:`#4952` + Query ID could cause an assertion failure. This has been fixed. + :gl:`#4952` Known Issues