From dcea0791c214012b8b2d34e11f742b039fa0f8f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 12 May 2020 15:20:22 +0200 Subject: [PATCH 1/7] Tweak and reword recent CHANGES entries --- CHANGES | 57 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 27 deletions(-) diff --git a/CHANGES b/CHANGES index a57db6aaed..b8c7db017e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,11 +1,10 @@ 5408. [protocol] Print Extended DNS Errors if present in OPT record. [GL #1835] -5407. [func] The zone timers are now exported to the statistics - channel. Thanks to Paul Frieden, Verizon Media. - [GL #1232] +5407. [func] Zone timers are now exported via statistics channel. + Thanks to Paul Frieden, Verizon Media. [GL #1232] -5406. [func] Added a new logging category "rpz-passthru". It allows +5406. [func] Added a new logging category, "rpz-passthru". It allows RPZ passthru actions to be logged into a separate channel. [GL #54] @@ -17,12 +16,12 @@ success if errors were found in one view but not in a subsequent one. [GL #1807] -5403. [func] Don't set udp recv/send buffer sizes, sockets will - use system defaults. [GL #1713] +5403. [func] Do not set UDP receive/send buffer sizes - use system + defaults. [GL #1713] -5402. [bug] Enable SO_REUSEADDR on all platforms, and either - SO_REUSEPORT_LB on FreeBSD, or SO_REUSEPORT on Linux. - [GL !3365] +5402. [bug] On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT. + Enable use of SO_REUSEADDR on all platforms which + support it. [GL !3365] 5401. [bug] The number of input queues allocated during dnstap initialization was too low, which could prevent some 
@@ -34,53 +33,57 @@ 5399. [func] Add engine support to OpenSSL ECDSA implementation. [GL #1534] -5398. [bug] Named could fail to restart if a zone added with - 'rndc addzone' contained a double quote (\") in - its name. [GL #1695] +5398. [bug] Named could fail to restart if a zone with a double + quote (") in its name was added with 'rndc addzone'. + [GL #1695] 5397. [func] Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. Thanks to Aaron Thompson. [GL !3326] -5396. [func] Use UV_UDP_RECVMMSG flag to enable recvmmsg support in - libuv >= 1.37. [GL #1797] +5396. [func] When necessary (i.e. in libuv >= 1.37), use the + UV_UDP_RECVMMSG flag to enable recvmmsg() support in + libuv. [GL #1797] 5395. [placeholder] -5394. [cleanup] Don't change effective uid/gid in named_os_openfile() - if named is already running under specified uid/gid. - [GL #1042] [GL #1090] +5394. [cleanup] Named formerly attempted to change the effective UID and + GID in named_os_openfile(), which could trigger a + spurious log message if they were already set to the + desired values. This has been fixed. [GL #1042] + [GL #1090] -5393. [cleanup] Unused or redundant APIs were removed from libirs. +5393. [cleanup] Unused and/or redundant APIs were removed from libirs. [GL #1758] 5392. [bug] It was possible for named to crash during shutdown or reconfiguration if an RPZ zone was still being updated. [GL #1779] -5391. [func] The BIND 9 build system has been changed to use the - usual stack of autoconf+automake+libtool. If building - from the git repository run "autoreconf -fi" first. +5391. [func] The BIND 9 build system has been changed to use a + typical autoconf+automake+libtool stack. When building + from the Git repository, run "autoreconf -fi" first. [GL #4] 5390. [placeholder] -5389. [bug] Finish the PKCS#11 code cleanup, fix couple of smaller +5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller bugs and use PKCS#11 v3.0 EdDSA macros and constants. Thanks to Aaron Thompson. 
[GL !3391] -5388. [func] Reject AXFR streams where the message id is not +5388. [func] Reject AXFR streams where the message ID is not consistent. [GL #1674] 5387. [placeholder] -5386. [cleanup] Address Coverity warnings in keymgr.c [GL #1737] +5386. [cleanup] Address Coverity warnings in lib/dns/keymgr.c. + [GL #1737] 5385. [func] Make ISC rwlock implementation the default again. [GL #1753] -5384. [bug] With dnssec-policy, inline-signing was implicitly set - to yes. Change and only set inline-signing to yes - if the zone is not dynamic. [GL #1709] +5384. [bug] With "dnssec-policy" in effect, "inline-signing" was + implicitly set to "yes". Now "inline-signing" is only + set to "yes" if the zone is not dynamic. [GL #1709] --- 9.17.1 released --- From ff1ac20e0f742e6ef8afff71d2ee3d69b85dd299 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 12 May 2020 15:20:22 +0200 Subject: [PATCH 2/7] Restore release notes for BIND 9.17.0 --- doc/Makefile.am | 2 ++ doc/arm/notes.rst | 2 ++ doc/notes/notes-9.17.0.rst | 74 ++++++++++++++++++++++++++++++++++++++ util/copyrights | 1 + 4 files changed, 79 insertions(+) create mode 100644 doc/notes/notes-9.17.0.rst diff --git a/doc/Makefile.am b/doc/Makefile.am index 2811d5a65b..c9722094dd 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -7,3 +7,5 @@ endif if HAVE_SPHINX_BUILD SUBDIRS += man arm endif HAVE_SPHINX_BUILD + +EXTRA_DIST = notes/ diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 31a916f474..a8d26508e8 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -125,6 +125,8 @@ Bug Fixes inadvertently treated as configuration errors when used at the ``options`` or ``view`` level. This has now been corrected. [GL #913] +.. include:: ../notes/notes-9.17.0.rst + .. _relnotes_license: License diff --git a/doc/notes/notes-9.17.0.rst b/doc/notes/notes-9.17.0.rst new file mode 100644 index 0000000000..18526d2e56 --- /dev/null +++ b/doc/notes/notes-9.17.0.rst 
@@ -0,0 +1,74 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.0 +--------------------- + +Known Issues +~~~~~~~~~~~~ + +- UDP network ports used for listening can no longer simultaneously be + used for sending traffic. An example configuration which triggers + this issue would be one which uses the same ``address:port`` pair for + ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or + ``transfer-source(-v6)``. While this issue affects all operating + systems, it only triggers log messages (e.g. "unable to create + dispatch for reserved port") on some of them. There are currently no + plans to make such a combination of settings work again. + +New Features +~~~~~~~~~~~~ + +- When a secondary server receives a large incremental zone transfer + (IXFR), it can have a negative impact on query performance while the + incremental changes are applied to the zone. To address this, + ``named`` can now limit the size of IXFR responses it sends in + response to zone transfer requests. If an IXFR response would be + larger than an AXFR of the entire zone, it will send an AXFR response + instead. + + This behavior is controlled by the ``max-ixfr-ratio`` option - a + percentage value representing the ratio of IXFR size to the size of a + full zone transfer. The default is ``100%``. [GL #1515] + +- A new RPZ option ``nsdname-wait-recurse`` controls whether + RPZ-NSDNAME rules should always be applied even if the names of + authoritative name servers for the query name need to be looked up + recurively first. The default is ``yes``. 
Setting it to ``no`` speeds + up initial responses by skipping RPZ-NSDNAME rules when name server + domain names are not yet in the cache. The names will be looked up in + the background and the rule will be applied for subsequent queries. + [GL #1138] + +Feature Changes +~~~~~~~~~~~~~~~ + +- The system-provided POSIX Threads read-write lock implementation is + now used by default instead of the native BIND 9 implementation. + Please be aware that glibc versions 2.26 through 2.29 had a bug_ that + could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and + most current Linux distributions have patched or updated glibc, with + the notable exception of Ubuntu 18.04 (Bionic) which is a work in + progress. If you are running on an affected operating system, compile + BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of + glibc is available. [GL !3125] + +.. _bug: https://sourceware.org/bugzilla/show_bug.cgi?id=23844 + +- The ``rndc nta -dump`` and ``rndc secroots`` commands now both + include ``validate-except`` entries when listing negative trust + anchors. These are indicated by the keyword ``permanent`` in place of + the expiry date. [GL #1532] + +Bug Fixes +~~~~~~~~~ + +- Fixed re-signing issues with inline zones which resulted in records + being re-signed late or not at all. diff --git a/util/copyrights b/util/copyrights index 5c71e8dee8..b2dd3819da 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1248,6 +1248,7 @@ ./doc/misc/sort-options.pl PERL 2007,2012,2016,2018,2019,2020 ./doc/misc/static-stub.zoneopt X 2018,2019,2020 ./doc/misc/stub.zoneopt X 2018,2019,2020 +./doc/notes/notes-9.17.0.rst RST 2020 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020 From e7a9fc8a0ea8cc217ac9fbf1c1897d3d5f33dc6e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 12 May 2020 15:20:22 +0200 Subject: [PATCH 3/7] Restore release notes for BIND 9.17.1 --- doc/arm/notes-9.17.1.xml | 101 ------------------------------------- doc/arm/notes.rst | 1 + doc/notes/notes-9.17.1.rst | 69 +++++++++++++++++++++++++ util/copyrights | 2 +- 4 files changed, 71 insertions(+), 102 deletions(-) delete mode 100644 doc/arm/notes-9.17.1.xml create mode 100644 doc/notes/notes-9.17.1.rst diff --git a/doc/arm/notes-9.17.1.xml b/doc/arm/notes-9.17.1.xml deleted file mode 100644 index da15f4bd31..0000000000 --- a/doc/arm/notes-9.17.1.xml +++ /dev/null @@ -1,101 +0,0 @@ - - -
Notes for BIND 9.17.1 - -
Security Fixes - - - - DNS rebinding protection was ineffective when BIND 9 is configured as - a forwarding DNS server. Found and responsibly reported by Tobias - Klein. [GL #1574] - - - -
- -
Known Issues - - - - We have received reports that in some circumstances, receipt of an - IXFR can cause the processing of queries to slow significantly. Some - of these were related to RPZ processing, which has been fixed in this - release (see below). Others appear to occur where there are - NSEC3-related changes (such as an operator changing the NSEC3 salt - used in the hash calculation). These are being investigated. - [GL #1685] - - - -
- -
New Features - - - - A new option, nsdname-wait-recurse, has been added - to the response-policy clause in the configuration - file. When set to no, RPZ NSDNAME rules are only - applied if the authoritative nameservers for the query name have been - looked up and are present in the cache. If this information is not - present, the RPZ NSDNAME rules are ignored, but the information is - looked up in the background and applied to subsequent queries. The - default is yes, meaning that RPZ NSDNAME rules - should always be applied, even if the information needs to be looked - up first. [GL #1138] - - - -
- -
Feature Changes - - - - The previous DNSSEC sign statistics used lots of memory. The number of - keys to track is reduced to four per zone, which should be enough for - 99% of all signed zones. [GL #1179] - - - -
- -
Bug Fixes - - - - When an RPZ policy zone was updated via zone transfer and a large - number of records was deleted, named could become - nonresponsive for a short period while deleted names were removed from - the RPZ summary database. This database cleanup is now done - incrementally over a longer period of time, reducing such delays. - [GL #1447] - - - - - When trying to migrate an already-signed zone from - auto-dnssec maintain to one based on - dnssec-policy, the existing keys were immediately - deleted and replaced with new ones. As the key rollover timing - constraints were not being followed, it was possible that some clients - would not have been able to validate responses until all old DNSSEC - information had timed out from caches. BIND now looks at the time - metadata of the existing keys and incorporates it into its DNSSEC - policy operation. [GL #1706] - - - -
- -
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index a8d26508e8..6ca3ab7b7a 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -125,6 +125,7 @@ Bug Fixes inadvertently treated as configuration errors when used at the ``options`` or ``view`` level. This has now been corrected. [GL #913] +.. include:: ../notes/notes-9.17.1.rst .. include:: ../notes/notes-9.17.0.rst .. _relnotes_license: diff --git a/doc/notes/notes-9.17.1.rst b/doc/notes/notes-9.17.1.rst new file mode 100644 index 0000000000..a088e11acc --- /dev/null +++ b/doc/notes/notes-9.17.1.rst 
@@ -0,0 +1,69 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.1 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] + +Known Issues +~~~~~~~~~~~~ + +- We have received reports that in some circumstances, receipt of an + IXFR can cause the processing of queries to slow significantly. Some + of these were related to RPZ processing, which has been fixed in this + release (see below). Others appear to occur where there are + NSEC3-related changes (such as an operator changing the NSEC3 salt + used in the hash calculation). These are being investigated. [GL + #1685] + +New Features +~~~~~~~~~~~~ + +- A new option, ``nsdname-wait-recurse``, has been added to the + ``response-policy`` clause in the configuration file. When set to + ``no``, RPZ NSDNAME rules are only applied if the authoritative + nameservers for the query name have been looked up and are present in + the cache. If this information is not present, the RPZ NSDNAME rules + are ignored, but the information is looked up in the background and + applied to subsequent queries. The default is ``yes``, meaning that + RPZ NSDNAME rules should always be applied, even if the information + needs to be looked up first. [GL #1138] + +Feature Changes +~~~~~~~~~~~~~~~ + +- The previous DNSSEC sign statistics used lots of memory. The number + of keys to track is reduced to four per zone, which should be enough + for 99% of all signed zones. 
[GL #1179] + +Bug Fixes +~~~~~~~~~ + +- When an RPZ policy zone was updated via zone transfer and a large + number of records was deleted, ``named`` could become nonresponsive + for a short period while deleted names were removed from the RPZ + summary database. This database cleanup is now done incrementally + over a longer period of time, reducing such delays. [GL #1447] + +- When trying to migrate an already-signed zone from ``auto-dnssec + maintain`` to one based on ``dnssec-policy``, the existing keys were + immediately deleted and replaced with new ones. As the key rollover + timing constraints were not being followed, it was possible that some + clients would not have been able to validate responses until all old + DNSSEC information had timed out from caches. BIND now looks at the + time metadata of the existing keys and incorporates it into its + DNSSEC policy operation. [GL #1706] + diff --git a/util/copyrights b/util/copyrights index b2dd3819da..6b2e356143 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1150,7 +1150,6 @@ ./doc/arm/logging-categories.rst RST 2020 ./doc/arm/managed-keys.rst RST 2020 ./doc/arm/manpages.rst RST 2020 -./doc/arm/notes-9.17.1.xml SGML 2020 ./doc/arm/notes-9.17.2.xml SGML 2020 ./doc/arm/notes.rst RST 2020 ./doc/arm/pkcs11.rst RST 2020 @@ -1249,6 +1248,7 @@ ./doc/misc/static-stub.zoneopt X 2018,2019,2020 ./doc/misc/stub.zoneopt X 2018,2019,2020 ./doc/notes/notes-9.17.0.rst RST 2020 +./doc/notes/notes-9.17.1.rst RST 2020 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020 From 08d4983a5f5aa0563de23a47f66bd5906f8bb983 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 12 May 2020 15:20:22 +0200 Subject: [PATCH 4/7] Restore release notes for BIND 9.17.2 --- doc/arm/notes-9.17.2.xml | 147 ------------------------------------ doc/arm/notes.rst | 42 +---------- doc/notes/notes-current.rst | 107 ++++++++++++++++++++++++++ util/copyrights | 2 +- 4 files changed, 109 insertions(+), 189 deletions(-) delete mode 100644 doc/arm/notes-9.17.2.xml create mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes-9.17.2.xml b/doc/arm/notes-9.17.2.xml deleted file mode 100644 index 2c70de6135..0000000000 --- a/doc/arm/notes-9.17.2.xml +++ /dev/null @@ -1,147 +0,0 @@ - - -
Notes for BIND 9.17.2 - -
Security Fixes - - - - A bug in dnstap initialization could prevent some dnstap data from - being logged, especially on recursive resolvers. [GL #1795] - - - -
- -
Known Issues - - - - In this release, the build system has been significantly changed (see - below), and there's number of unresolved issues that you need to be - aware of if you are using a development release. Please refer to - GitLab issue #4 https://gitlab.isc.org/isc-projects/bind9/-/issues/4 - for a list of not yet resolved issues that will be fixed in the - following releases. - - - BIND crashes on startup when linked against libuv 1.36. This issue is - related to recvmmsg() support in libuv which was first included in - libuv 1.35. The problem was addressed in libuv 1.37, but the relevant - libuv code change requires a special flag to be set during library - initialization in order for recvmmsg() support to be enabled. This - BIND release sets that special flag when required, so recvmmsg() - support is now enabled when BIND is compiled against either libuv 1.35 - or libuv 1.37+; libuv 1.36 is still not usable with BIND. [GL #1761] - [GL #1797] - - - -
- -
New Features - - - - The BIND 9 build system has been changed to use the normal build tool - stack consisting of autoconf+automake+libtool. This should not make - any difference for people building BIND 9 from the release tarballs, - but if you are building BIND 9 from the git repository you will need - to run "autoreconf -fi" first. If you are using non-standard - ./configure option, you will - need to pay extra attention. [GL #4] - - - - - The native PKCS#11 EdDSA implementation has been updated to PKCS#11 - v3.0 and thus made operational again. Contributed by Aaron Thompson. - [GL !3326] - - - - - The OpenSSL ECDSA implementation has been updated to support PKCS#11 - via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL #1534] - - - - - The OpenSSL EdDSA implementation has been updated to support PKCS#11 - via OpenSSL engine. Please note that you need EdDSA capable OpenSSL - engine and there's only proof-of-concept as of this moment. - Contributed by Aaron Thompson. [GL #1763] - - - - - Added a new logging category "rpz-passthru", it allows RPZ passthru - actions to be logged into a separate channel. [GL #54] - - - - - The zone timers are now exported to the statistics channel. For the - primary zones, only the loaded time is exported. For the secondary - zones, the exported timers also include expire and refresh times. - Contributed by Paul Frieden, Verizon Media. [GL #1232] - - - - - dig and other tools can now print the Extended - DNS Error (EDE) option when it appears in a request or response. - [GL #1834] - - - -
- -
Feature Changes - - - - The default rwlock implementation has been changed back to the native - BIND 9 rwlock implementation. [GL #1753] - - - - - Message ids in inbound AXFR transfers are now checked for - consistency. Streams with inconsistent message ids are rejected. - [GL #1674] - - - - - BIND 9 no longer sets the recv and send buffer sizes for sockets, relying - on system defaults instead. [GL #1713] - - - -
- -
Bug Fixes - - - - When running on a system with Linux capabilities support, - named drops root privileges very soon after system - startup. This was causing a spurious log message, unable to set - effective uid to 0: Operation not permitted, which has now been - silenced. [GL #1042] [GL #1090] - - - -
- -
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 6ca3ab7b7a..90b27a7711 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -84,47 +84,7 @@ http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. _relnotes_security: - -Security Fixes --------------- - -- None. - -.. _relnotes_features: - -New Features ------------- - -- The new ``add-soa`` option specifies whether or not the - ``response-policy`` zone's SOA record should be included in the - additional section of RPZ responses. [GL #865] - -.. _relnotes_removed: - -Removed Features ----------------- - -- The ``dnssec-enable`` option has been deprecated and no longer has - any effect. DNSSEC responses are always enabled if signatures and - other DNSSEC data are present. [GL #866] - -.. _relnotes_changes: - -Feature Changes ---------------- - -- None. - -.. _relnotes_bugs: - -Bug Fixes ---------- - -- The ``allow-update`` and ``allow-update-forwarding`` options were - inadvertently treated as configuration errors when used at the - ``options`` or ``view`` level. This has now been corrected. [GL #913] - +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.17.1.rst .. include:: ../notes/notes-9.17.0.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..e115c38105 --- /dev/null +++ b/doc/notes/notes-current.rst 
@@ -0,0 +1,107 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.2 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- None. + +Known Issues +~~~~~~~~~~~~ + +- In this release, the build system has been significantly changed (see + below), and there is a number of unresolved issues to be aware of + when using a development release. Please refer to `GitLab issue #4`_ + for a list of not yet resolved issues that will be fixed in the + following releases. [GL #4] + +.. _GitLab issue #4: https://gitlab.isc.org/isc-projects/bind9/-/issues/4 + +- BIND crashes on startup when linked against libuv 1.36. This issue + is related to ``recvmmsg()`` support in libuv which was first + included in libuv 1.35. The problem was addressed in libuv 1.37, but + the relevant libuv code change requires a special flag to be set + during library initialization in order for ``recvmmsg()`` support to + be enabled. This BIND release sets that special flag when required, + so ``recvmmsg()`` support is now enabled when BIND is compiled + against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not + usable with BIND. [GL #1761] [GL #1797] + +New Features +~~~~~~~~~~~~ + +- The BIND 9 build system has been changed to use a typical + autoconf+automake+libtool stack. This should not make any difference + for people building BIND 9 from release tarballs, but when building + BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run + first. Extra attention is also needed when using non-standard + ``./configure`` options. 
[GL #4] + +- Added a new logging category ``rpz-passthru`` which allows RPZ + passthru actions to be logged into a separate channel. [GL #54] + +- Zone timers are now exported via statistics channel. For primary + zones, only the load time is exported. For secondary zones, exported + timers also include expire and refresh times. Contributed by Paul + Frieden, Verizon Media. [GL #1232] + +- ``dig`` and other tools can now print the Extended DNS Error (EDE) + option when it appears in a request or response. [GL #1834] + +Feature Changes +~~~~~~~~~~~~~~~ + +- BIND 9 no longer sets receive/send buffer sizes for UDP sockets, + relying on system defaults instead. [GL #1713] + +- The default rwlock implementation has been changed back to the native + BIND 9 rwlock implementation. [GL #1753] + +- The native PKCS#11 EdDSA implementation has been updated to PKCS#11 + v3.0 and thus made operational again. Contributed by Aaron Thompson. + [GL !3326] + +- The OpenSSL ECDSA implementation has been updated to support PKCS#11 + via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL + #1534] + +- The OpenSSL EdDSA implementation has been updated to support PKCS#11 + via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine + is required and thus this code is only a proof-of-concept for the + time being. Contributed by Aaron Thompson. [GL #1763] + +- Message IDs in inbound AXFR transfers are now checked for + consistency. Log messages are emitted for streams with inconsistent + message IDs. [GL #1674] + +Bug Fixes +~~~~~~~~~ + +- A bug in dnstap initialization could prevent some dnstap data from + being logged, especially on recursive resolvers. [GL #1795] + +- When running on a system with support for Linux capabilities, + ``named`` drops root privileges very soon after system startup. This + was causing a spurious log message, *unable to set effective uid to + 0: Operation not permitted*, which has now been silenced. 
[GL #1042] + [GL #1090] + +- When ``named-checkconf -z`` was run, it would sometimes incorrectly + set its exit code. It reflected the status of the last view found; if + zone-loading errors were found in earlier configured views but not in + the last one, the exit code indicated success. Thanks to Graham + Clinch. [GL #1807] + +- When built without LMDB support, ``named`` failed to restart after a + zone with a double quote (") in its name was added with ``rndc + addzone``. Thanks to Alberto Fernández. [GL #1695] diff --git a/util/copyrights b/util/copyrights index 6b2e356143..e7a7acee61 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1150,7 +1150,6 @@ ./doc/arm/logging-categories.rst RST 2020 ./doc/arm/managed-keys.rst RST 2020 ./doc/arm/manpages.rst RST 2020 -./doc/arm/notes-9.17.2.xml SGML 2020 ./doc/arm/notes.rst RST 2020 ./doc/arm/pkcs11.rst RST 2020 ./doc/arm/plugins.rst RST 2020 @@ -1249,6 +1248,7 @@ ./doc/misc/stub.zoneopt X 2018,2019,2020 ./doc/notes/notes-9.17.0.rst RST 2020 ./doc/notes/notes-9.17.1.rst RST 2020 +./doc/notes/notes-current.rst RST 2020 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020 From 784b13344cc4be31d97c17ca9efa618a3c49145f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 12 May 2020 15:20:22 +0200 Subject: [PATCH 5/7] Apply release note tweaks lost during rebase --- doc/arm/notes.rst | 65 ++++++++++++++++------------------------------- 1 file changed, 22 insertions(+), 43 deletions(-) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 90b27a7711..34e58f66a6 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -28,29 +28,12 @@ Release Notes Introduction ------------ -BIND 9.15 is an unstable development release of BIND. This document +BIND 9.17 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable -BIND 9.16 release, this document will be updated with additional -features added and bugs fixed. - -.. _relnotes_versions: - -Note on Version Numbering -------------------------- - -Until BIND 9.12, new feature development releases were tagged as "alpha" -and "beta", leading up to the first stable release for a given -development branch, which always ended in ".0". More recently, BIND -adopted the "odd-unstable/even-stable" release numbering convention. -There will be no "alpha" or "beta" releases in the 9.15 branch, only -increasing version numbers. So, for example, what would previously have -been called 9.15.0a1, 9.15.0a2, 9.15.0b1, and so on, will instead be -called 9.15.0, 9.15.1, 9.15.2, etc. - -The first stable release from this development branch will be renamed as -9.16.0. Thereafter, maintenance releases will continue on the 9.16 -branch, while unstable feature development proceeds in 9.17. +BIND 9.18 release, this document will be updated with additional +features added and bugs fixed. Please see the file CHANGES for a more +detailed list of changes and bug fixes. .. _relnotes_platforms: 
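Review bot: this hunk deletes the "Note on Version Numbering" section outright instead of updating its 9.15/9.16 references to 9.17/9.18, so the notes no longer explain that development releases carry no "alpha"/"beta" tags and that the first stable release is renamed to the even-numbered branch; the End of Life hunk later in this patch still says "it will be renamed to BIND 9.18" with none of that context. If dropping the section is deliberate, consider keeping one sentence of the explanation in the Introduction. The `.. _relnotes_versions:` label disappears with the section, so any `:ref:` to it elsewhere in the ARM will stop resolving and should be checked in the same commit.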
@@ -59,18 +42,19 @@ Supported Platforms To build on UNIX-like systems, BIND requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 -(:rfc:`3542`), and standard atomic operations provided by the C compiler. +(:rfc:`3542`), and standard atomic operations provided by the C +compiler. -The OpenSSL cryptography library must be available for the target -platform. A PKCS#11 provider can be used instead for Public Key -cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still -required for general cryptography operations such as hashing and random -number generation. +The libuv asynchronous I/O library and the OpenSSL cryptography library +must be available for the target platform. A PKCS#11 provider can be +used instead of OpenSSL for Public Key cryptography (i.e., DNSSEC +signing and validation), but OpenSSL is still required for general +cryptography operations such as hashing and random number generation. More information can be found in the ``PLATFORMS.md`` file that is included in the source distribution of BIND 9. If your compiler and system libraries provide the above features, BIND 9 should compile and -run. If that isn't the case, the BIND development team will generally +run. If that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors. @@ -80,7 +64,7 @@ Download -------- The latest versions of BIND 9 software can always be found at -http://www.isc.org/downloads/. There you will find additional +https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. 
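Review bot: the Supported Platforms hunk now lists libuv as a hard requirement alongside OpenSSL but states no minimum or known-bad version, while the restored 9.17.2 notes in PATCH 4/7 say BIND crashes on startup when linked against libuv 1.36 and that recvmmsg() handling differs between 1.35 and 1.37+. Someone reading this section before building is exactly the person who needs that constraint; either state it here or point at PLATFORMS.md explicitly for the libuv version requirements, e.g. "The libuv asynchronous I/O library (see PLATFORMS.md for supported versions) and the OpenSSL cryptography library must be available for the target platform."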
@@ -93,7 +77,7 @@ for Microsoft Windows operating systems. License ------- -BIND is open source software licenced under the terms of the Mozilla +BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the ``LICENSE`` file for the full text). @@ -106,22 +90,20 @@ modifications, without redistributing it, nor anyone redistributing BIND without changes. Those wishing to discuss license compliance may contact ISC at -https://www.isc.org/mission/contact/. +https://www.isc.org/contact/. .. _end_of_life: End of Life ----------- -BIND 9.15 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.16, which will be a stable -branch. - -The end of life date for BIND 9.16 has not yet been determined. For -those needing long term support, the current Extended Support Version -(ESV) is BIND 9.11, which will be supported until at least December -2021. See https://www.isc.org/downloads/software-support-policy/ for -details of ISC's software support policy. +BIND 9.17 is an unstable development branch. When its development is +complete, it will be renamed to BIND 9.18, which will be a stable +branch. The end of life date for BIND 9.18 has not yet been determined. +For those needing long term support, the current Extended Support +Version (ESV) is BIND 9.11, which will be supported until at least +December 2021. See https://kb.isc.org/docs/aa-00896 for details of +ISC's software support policy. .. _relnotes_thanks: @@ -129,6 +111,3 @@ Thank You --------- Thank you to everyone who assisted us in making this release possible. -If you would like to contribute to ISC to assist us in continuing to -make quality open source software, please visit our donations page at -http://www.isc.org/donate/. From 6e25fd373df3b303cdecd97de41bba20ee25a6b2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 12 May 2020 15:20:22 +0200 Subject: [PATCH 6/7] Drop custom section identifiers --- doc/arm/notes.rst | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 34e58f66a6..d4362e0d2d 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -18,13 +18,9 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -.. _relnotes: - Release Notes ============= -.. _relnotes_intro: - Introduction ------------ @@ -35,8 +31,6 @@ BIND 9.18 release, this document will be updated with additional features added and bugs fixed. Please see the file CHANGES for a more detailed list of changes and bug fixes. -.. _relnotes_platforms: - Supported Platforms ------------------- @@ -58,8 +52,6 @@ run. If that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors. -.. _relnotes_download: - Download -------- @@ -92,8 +84,6 @@ without changes. Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/. -.. _end_of_life: - End of Life ----------- @@ -105,8 +95,6 @@ Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See https://kb.isc.org/docs/aa-00896 for details of ISC's software support policy. -.. _relnotes_thanks: - Thank You --------- From 28624cf595e2ef6e890b12f484622cc052006af9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 12 May 2020 15:20:22 +0200 Subject: [PATCH 7/7] Add table of contents for release notes --- doc/arm/notes.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index d4362e0d2d..b88ff95e6b 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -21,6 +21,8 @@ Release Notes ============= +.. contents:: + Introduction ------------
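Review bot: in PATCH 1/7, the reworded 5402 CHANGES entry loses information the original carried: "either SO_REUSEPORT_LB on FreeBSD, or SO_REUSEPORT on Linux" became "On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT", so the entry no longer says that SO_REUSEPORT is enabled on Linux at all. Which reuse options named sets matters to operators, because SO_REUSEPORT lets additional sockets (on Linux, ones owned by the same effective UID) bind the same address and port, so if the Linux behaviour is unchanged the entry should still say so, e.g. "Enable SO_REUSEPORT on Linux and SO_REUSEPORT_LB on FreeBSD; enable SO_REUSEADDR on all platforms which support it."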
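Review bot: in PATCH 1/7, the rewritten 5394 entry now reads as a bug fix ("could trigger a spurious log message ... This has been fixed") while keeping the [cleanup] tag, and the 9.17.2 release note for the same change in PATCH 4/7 files it under Bug Fixes. Either retag the entry [bug] or keep the original's neutral wording ("Don't change effective uid/gid in named_os_openfile() if named is already running under the specified uid/gid") so the tag and the text agree.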
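Review bot: in PATCH 2/7, notes-9.17.0.rst has a typo in the nsdname-wait-recurse item ("need to be looked up recurively first" should read "recursively"), and its single Bug Fixes item ("Fixed re-signing issues with inline zones ...") is the only entry in the file without a [GL #...] reference; every other item carries one, so add the issue number or say why there is none. The Known Issues item says the reserved-port problem "only triggers log messages ... on some of them" without naming which operating systems, which is what an operator seeing "unable to create dispatch for reserved port" will want to know; name them if known.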
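Review bot: in PATCH 3/7, the Known Issues item in notes-9.17.1.rst wraps its issue reference across two lines ("[GL" at the end of one line, "#1685]" at the start of the next), unlike every other entry in the series, which keeps "[GL #NNNN]" on one line; that defeats a simple grep for the reference, and reflowing the paragraph avoids it. In the same hunk the Security Fixes item mixes tenses ("was ineffective when BIND 9 is configured as a forwarding DNS server"); "was configured" matches the rest of the sentence.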
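Review bot: in PATCH 4/7, notes-current.rst describes the AXFR message-ID change as "Log messages are emitted for streams with inconsistent message IDs", but the 5388 CHANGES entry in PATCH 1/7 ("Reject AXFR streams where the message ID is not consistent") and the deleted notes-9.17.2.xml ("Streams with inconsistent message ids are rejected") both say such transfers are rejected. Only one of these can be right, and the difference matters to anyone relying on the check as a transfer-integrity control, so the note should state the actual behaviour and whether rejection is also logged. Two smaller points in the same hunk: the dnstap initialization bug [GL #1795] sat under Security Fixes in the deleted XML and now appears under Bug Fixes with Security Fixes reading "None.", which should be a deliberate reclassification rather than a side effect of the format conversion; and "there is a number of unresolved issues" should read "there are a number of unresolved issues".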
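Review bot: in PATCH 4/7, the doc/arm/notes.rst hunk deletes the add-soa [GL #865], dnssec-enable deprecation [GL #866] and allow-update/allow-update-forwarding [GL #913] items together with the old section scaffolding, but none of the three reappears in notes-9.17.0.rst, notes-9.17.1.rst or notes-current.rst as restored by this series. If they belong to an earlier release they should land in that release's notes file; if they were carried over by mistake, the commit message should say they are being dropped, since "Restore release notes" does not suggest that anything is removed.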
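Review bot: in PATCH 6/7, the `.. _relnotes_license:` label (visible as context in the doc/arm/notes.rst hunk of PATCH 2/7) is left in place while `_relnotes`, `_relnotes_intro`, `_relnotes_platforms`, `_relnotes_download`, `_end_of_life` and `_relnotes_thanks` are all removed, so the commit does not fully do what its subject says; either drop it as well or keep it with a comment saying what links to it. Removing labels also breaks any `:ref:` elsewhere in the ARM that targets them, so run sphinx-build with -n -W once before merging to surface dangling references.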
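Review bot: in PATCH 7/7, `.. contents::` with no options renders the table of contents to full depth, and because notes.rst now includes one notes-*.rst file per release, each of those files contributes its own "Security Fixes", "Known Issues", "New Features", "Feature Changes" and "Bug Fixes" headings; the TOC will therefore repeat those entries for every release and grow with each new file like the ones added in PATCH 2/7 through 4/7. Adding `:depth: 1` keeps it to the top-level sections and the "Notes for BIND 9.17.x" titles, which is what a reader scanning for a particular version needs.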