Tweak and reword release notes

doc/notes/notes-9.21.19.rst

@@ -15,17 +15,13 @@ Notes for BIND 9.21.19
 Security Fixes
 ~~~~~~~~~~~~~~
 
-- Remove purged adb names and entries from SIEVE list immediately.
+- Immediately remove purged ADB names and entries from the SIEVE list.
 
-  Both expire_name() and expire_entry() use isc_async mechanism to
-  remove the names and entries from the SIEVE-LRU lists on the matching
-  isc_loop.
-
-  Under certain circumstances, this could lead to double counting the
-  purged named/entries when purging the SIEVE-LRU lists under the
-  overmem condition.  This would cause not enough memory to be cleaned
-  up and the ADB would then never recover from the overmem condition
-  leading to OOM crash of the named.
+  Under certain circumstances, the ADB could double-count purged
+  named/entries when purging the SIEVE-LRU lists in an overmem
+  condition. This would cause not enough memory to be cleaned up and the
+  ADB would then never recover from the overmem condition, eventually
+  leading to an out-of-memory crash of :iscman:`named`. :gl:`!11544`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
@@ -35,102 +31,71 @@ Feature Changes
   Not all DNS responses had the query time set in their corresponding
   dnstap messages. This has been fixed. :gl:`#3695`
 
-- Optimize the TCP source port selection on Linux.
+- Optimize TCP source port selection on Linux.
 
-  Enable a socket option on the outgoing TCP sockets to allow faster
-  selection of the source <address,port> tuple for different destination
-  <address,port> tuples when nearing over 70-80% of the source port
-  utilization.
+  Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP
+  sockets to allow faster selection of the source <address,port> tuple
+  for different destination <address,port> tuples, when nearing over
+  70-80% of the source port utilization. :gl:`!11569`
 
 Bug Fixes
 ~~~~~~~~~
 
-- Fix errors when retrying over TCP in notify_send_toaddr.
+- Fix a crash when retrying a NOTIFY over TCP.
 
-  If the source address is not available do not attempt to retry over
-  TCP otherwise clear the TSIG key from the message prior to retrying.
-  :gl:`#5457`
+  Furthermore, do not attempt to retry over TCP at all if the source
+  address is not available. :gl:`#5457`
 
 - Fetch loop detection improvements.
 
-  Fixes a case where an in-domain NS with an expired glue would fail to
-  resolve.
+  Fix a case where an in-domain nameserver with expired glue would fail
+  to resolve. :gl:`#5588`
 
-  Let's consider the following parent-side delegation (both for
-  `foo.example.` and `dnshost.example.`
+- Randomize nameserver selection.
 
-  ``` foo.example.            3600    NS      ns.dnshost.example.
-  dnshost.example.        3600    NS      ns.dnshost.example.
-  ns.dnshost.example.     3600    A       1.2.3.4 ```      Then the
-  child-side of `dnshost.example.`:
+  Since BIND 9.21.16, when selecting nameserver addresses to be looked
+  up, :iscman:`named` selected them in DNSSEC order from the start of
+  the NS RRset. This could lead to a resolution failure despite there
+  being an address that could be resolved using the other nameserver
+  names. :iscman:`named` now randomizes the order in which nameserver
+  addresses are looked up. :gl:`#5695` :gl:`#5745`
 
-  ```     dnshost.example.        300     NS      ns.dnshost.example.
-  ns.dnshost.example.     300     A       1.2.3.4 ```      And then the
-  child-side of `foo.example.`:
+- Fix dnstap logging of forwarded queries. :gl:`#5724`
 
-  ``` foo.example             3600    NS      ns.dnshost.example.
-  a.foo.example           300     A       5.6.7.8 ```
+- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a
+  DNAME response.
 
-  While there is a zone misconfiguration (the TTL of the delegation and
-  glue doesn't match in the parent and the child), it is possible to
-  resolve `a.foo.example` on a cold-cache resolver. However, after the
-  `ns.dnshost.example.` glue expires, the resolution would have failed
-  with a "fetch loop detected" error. This is now fixed. :gl:`#5588`
+  This issue only affected the :iscman:`delv` tool and it has now been
+  fixed.
 
-- Remove deterministic selection of nameserver.
+  ISC would like to thank Vitaly Simonovich for bringing this
+  vulnerability to our attention. :gl:`#5728`
 
-  When selecting nameserver addresses to be looked up we where always
-  selecting them in dnssec name order from the start of the nameserver
-  rrset.  This could lead to resolution failure despite there being
-  address that could be resolved for the other names.  Use a random
-  starting point when selecting which names to lookup. :gl:`#5695`
-  :gl:`#5745`
+- Fix a NULL pointer dereference in qp-trie cache code.
 
-- DNSTAP wasn't logging forwarded queries correctly.
-
-  :gl:`#5724`
-
-- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response.
-
-  An attacker controlling a malicious DNS server returns a DNAME record,
-  and the we stores a pointer to resp->foundname, frees the response
-  structure, then uses the dangling pointer in dns_name_fullcompare()
-  possibly causing invalid match.  Only the `delv`is affected.  This has
-  been fixed. :gl:`#5728`
-
-- Fix NULL Pointer Dereference in QP-trie Cache add()
-
-  When RRSIG(rdtype) was independently cached before the RDATA for the
-  rdtype itself, named would crash on the subsequent query for the RDATA
-  itself.  This has been fixed.
+  When ``RRSIG(rdtype)`` was independently cached before the RDATA for
+  the ``rdtype`` itself, :iscman:`named` would crash on the subsequent
+  query for the RDATA itself. This has been fixed.
 
   ISC would like to thank Vitaly Simonovich for bringing this
   vulnerability to our attention. :gl:`#5738`
 
-- Clear serve-stale flags when following the CNAME chains.
-
-  A stale answer could have been served in case of multiple upstream
-  failures when following the CNAME chains.  This has been fixed.
-  :gl:`#5751`
+- A stale answer could have been served in case of multiple upstream
+  failures when following CNAME chains. This has been fixed. :gl:`#5751`
 
 - Fail DNSKEY validation when supported but invalid DS is found.
 
-  A regression was introduced when adding the EDE code for unsupported
-  DNSKEY and DS algorithms.  When the parent has both supported and
-  unsupported algorithm in the DS record, the validator would treat the
-  supported DS algorithm as insecure when validating DNSKEY records
-  instead of BOGUS.  This has not security impact as the rest of the
-  child zone correctly ends with BOGUS status, but it is incorrect and
-  thus the regression has been fixed. :gl:`#5757`
-
-- Importing invalid SKR file might corrupt stack memory.
-
-  If an BIND 9 administrator imports an invalid SKR file, local stack in
-  the import function might overflow.  This could lead to a memory
-  corruption on the stack and ultimately server crash. This has been
-  fixed.
-
-  ISC would like to thank mcsky23 for bringing this bug to our
-  attention. :gl:`#5758`
+  A regression was introduced in BIND 9.21.5 when adding the EDE code
+  for unsupported DNSKEY and DS algorithms. When the parent had both
+  supported and unsupported algorithms in the DS record, the validator
+  would treat the supported DS algorithm as insecure instead of bogus
+  when validating DNSKEY records. This has no security impact, as the
+  rest of the child zone correctly ends with bogus status, but it is
+  incorrect and thus the regression has been fixed. :gl:`#5757`
 
+- Importing an invalid SKR file might corrupt stack memory.
 
+  If an administrator imported an invalid SKR file, the local stack in
+  the import function might overflow. This could lead to a memory
+  corruption on the stack and ultimately a server crash. This has been
+  fixed. :gl:`#5758`