From d0a0e7ad189acb635c71d050d7d4a4b0689c6af8 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Wed, 5 May 2021 14:30:19 +0200 Subject: [PATCH 1/6] Fix typo in doc/dnssec-guide/recipes.rst --- doc/dnssec-guide/recipes.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index 1d45c039f3..6fc52e06c0 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst @@ -1098,7 +1098,7 @@ Then use ``rndc reload`` to reload the zone. The "insecure" policy is a built-in policy (like "default"). It will make sure the zone is still DNSSEC maintained, to allow for a graceful transition to -unsigned, +unsigned. When the DS records have been removed from the parent zone, use ``rndc dnssec -checkds -key withdrawn example.com`` to tell ``named`` that From bf54e2058058f90206cd8704c2efda2e1c9c9dcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 12 May 2021 10:55:00 +0200 Subject: [PATCH 2/6] Tweak and reword recent CHANGES entries --- CHANGES | 79 +++++++++++++++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 33 deletions(-) diff --git a/CHANGES b/CHANGES index 793dac6ab5..1c2b44c7c3 100644 --- a/CHANGES +++ b/CHANGES 
@@ -34,56 +34,69 @@ function. [GL #2654] [GL #2638] [GL #2401] -5636. [bug] Check that zone files for 'dnssec-policy' zones are - only referenced once in 'named.conf'. [GL #2603] +5637. [func] Change the default value of the "max-ixfr-ratio" option + to "unlimited". [GL #2671] + +5636. [bug] named and named-checkconf did not report an error when + multiple zones with the "dnssec-policy" option set were + using the same zone file. This has been fixed. + [GL #2603] 5635. [bug] Journal compaction could fail when a journal with - invalid transaction headers was not detected at - startup. [GL #2670] + invalid transaction headers was not detected at startup. + This has been fixed. [GL #2670] -5634. [bug] Don't roll keys when the private key file is offline. - [GL #2596] +5634. [bug] If "dnssec-policy" was active and a private key file was + temporarily offline during a rekey event, named could + incorrectly introduce replacement keys and break a + signed zone. This has been fixed. [GL #2596] -5633. [func] Change the "max-ixfr-ratio" default to "unlimited". - [GL #2671] +5633. [doc] The "inline-signing" option was incorrectly described as + being inherited from the "options"/"view" levels and was + incorrectly accepted at those levels without effect. + This has been fixed. [GL #2536] -5632. [func] Add built-in dnssec-policy "insecure". This is used to - transition a zone from a signed state to a unsigned - state. [GL #2645] +5632. [func] Add a new built-in KASP, "insecure", which is used to + transition a zone from a signed to an unsigned state. + The existing built-in KASP "none" should no longer be + used to unsign a zone. [GL #2645] -5631. [bug] Update ZONEMD to match RFC 8976. [GL #2658] +5631. [protocol] Update the implementation of the ZONEMD RR type to match + RFC 8976. [GL #2658] -5630. [func] Treat DNSSEC responses with NSEC3 iterations greater - than 150 as insecure. [GL #2445] +5630. 
[func] Treat DNSSEC responses containing NSEC3 records with + iteration counts greater than 150 as insecure. + [GL #2445] -5629. [func] Reduce the supported maximum number of iterations - that can be configured in an NSEC3 zone to 150. - [GL #2642] +5629. [func] Reduce the maximum supported number of NSEC3 iterations + that can be configured for a zone to 150. [GL #2642] -5627. [bug] RRSIG(SOA) RRsets placed anywhere else than at zone apex - were triggering infinite resigning loops. This has been - fixed. [GL #2650] +5627. [bug] RRSIG(SOA) RRsets placed anywhere other than at the zone + apex were triggering infinite resigning loops. This has + been fixed. [GL #2650] -5626. [bug] When generating new keys, check for keyid conflicts - between new keys too. [GL #2628] +5626. [bug] When generating zone signing keys, KASP now also checks + for key ID conflicts among newly created keys, rather + than just between new and existing ones. [GL #2628] -5625. [bug] Address deadlock between rndc addzone/delzone. - [GL #2626] +5625. [bug] A deadlock could occur when multiple "rndc addzone", + "rndc delzone", and/or "rndc modzone" commands were + invoked simultaneously for different zones. This has + been fixed. [GL #2626] -5622. [cleanup] Remove lib/samples, since export versions of libraries - are no longer maintained. [GL !4835] +5622. [cleanup] The lib/samples/ directory has been removed, as export + versions of libraries are no longer maintained. + [GL !4835] 5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the protocol such that NSEC(3) TTL values are set to the - minimum of the SOA MINIMUM value and the SOA TTL. + minimum of the SOA MINIMUM value or the SOA TTL. [GL #2347] -5618. [bug] When introducing change 5149, "rndc dumpdb" started - to print a line above a stale RRset, indicating how - long the data will be retained. Also, TTLs were - increased with 'max-stale-ttl'. This could lead to - nonsensical values and both issues have been fixed. 
- [GL #389] [GL #2289] +5618. [bug] Change 5149 introduced some inconsistencies in the way + record TTLs were presented in cache dumps. These + inconsistencies have been eliminated. [GL #389] + [GL #2289] --- 9.16.15 released --- From f853ea9b15b9f15c17031d63a13714f119e3078b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 12 May 2021 10:55:00 +0200 Subject: [PATCH 3/6] Tweak and reword release notes --- doc/notes/notes-current.rst | 66 +++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index a29625635e..96d36a0221 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -34,26 +34,27 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to - the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347` +- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: + NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value + or the SOA TTL. :gl:`#2347` -- Reduce the supported maximum number of iterations that can be - configured in an NSEC3 zones to 150. :gl:`#2642` +- The maximum supported number of NSEC3 iterations that can be + configured for a zone has been reduced to 150. :gl:`#2642` -- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure. - :gl:`#2445` +- DNSSEC responses containing NSEC3 records with iteration counts + greater than 150 are now treated as insecure. :gl:`#2445` -- Zones that want to transition from secure to insecure mode without making it - bogus in the process should now first change their ``dnssec-policy`` to - ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have - been removed from the zone (in a timely manner), the ``dnssec-policy`` can - be set to ``none`` (or be removed from the configuration). Setting the - ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records - to be published. :gl:`#2645` +- Zones that want to transition from secure to insecure mode without + becoming bogus in the process must now have their ``dnssec-policy`` + changed first to ``insecure``, rather than ``none``. After the DNSSEC + records have been removed from the zone, the ``dnssec-policy`` can be + set to ``none`` or removed from the configuration. Setting the + ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE + records to be published. :gl:`#2645` -- Change the ``max-ixfr-ratio`` configuration option default value to - ``unlimited`` for better backwards compatibility in the stable release - series. 
:gl:`#2671` +- The default value of the ``max-ixfr-ratio`` option was changed to + ``unlimited``, for better backwards compatibility in the stable + release series. :gl:`#2671` Bug Fixes ~~~~~~~~~ 
@@ -61,28 +62,29 @@ Bug Fixes - Fix a race condition in reading and writing key files for KASP zones in multiple views. :gl:`#1875` -- When dumping the cache to file, TTLs were being increased with - ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical - values if the RRset was still marked a stale but the ``max-stale-ttl`` has - passed (and is actually an RRset awaiting cleanup). Both issues have now - been fixed. :gl:`#389` :gl:`#2289` +- TTL values in cache dumps were reported incorrectly when + ``stale-cache-enable`` was set to ``yes``. This has been fixed. + :gl:`#389` :gl:`#2289` -- ``named`` would overwrite a zone file unconditionally when it recovered from - a corrupted journal. :gl:`#2623` +- When generating zone signing keys, KASP now also checks for key ID + conflicts among newly created keys, rather than just between new and + existing ones. :gl:`#2628` -- With ``dnssec-policy``, when creating new keys also check for keyid conflicts - between the new keys too. :gl:`#2628` +- The implementation of the ZONEMD RR type has been updated to match + :rfc:`8976`. :gl:`#2658` -- Update ZONEMD to match RFC 8976. :gl:`#2658` - -- With ``dnssec-policy```, don't roll keys if the private key file is offline. +- If ``dnssec-policy`` was active and the private key file was + temporarily offline during a rekey event, ``named`` could introduce + replacement keys and break a signed zone. This has been fixed. :gl:`#2596` -- Journal compaction could fail when a journal with invalid transaction - headers was not detected at startup. :gl:`#2670` +- It was possible for corrupt journal files generated by an earlier + version of ``named`` to cause problems after an upgrade. This has been + fixed. :gl:`#2670` -- ``named-checkconf`` now complains if zones with ``dnssec-policy`` reference - the same zone file more than once. 
:gl:`#2603` +- ``named`` and ``named-checkconf`` did not report an error when + multiple zones with the ``dnssec-policy`` option set were using the + same zone file. This has been fixed. :gl:`#2603` - After the networking manager was introduced to ``named`` to handle incoming traffic, it was discovered that the recursive performance had been From 22d7ba6d1128fb4a3c3f1386d1aa8e08238b0b3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 12 May 2021 10:55:00 +0200 Subject: [PATCH 4/6] Reorder release notes --- doc/notes/notes-current.rst | 54 ++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 96d36a0221..f7d09a04bf 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -34,15 +34,15 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: - NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value - or the SOA TTL. :gl:`#2347` +- DNSSEC responses containing NSEC3 records with iteration counts + greater than 150 are now treated as insecure. :gl:`#2445` - The maximum supported number of NSEC3 iterations that can be configured for a zone has been reduced to 150. :gl:`#2642` -- DNSSEC responses containing NSEC3 records with iteration counts - greater than 150 are now treated as insecure. :gl:`#2445` +- The default value of the ``max-ixfr-ratio`` option was changed to + ``unlimited``, for better backwards compatibility in the stable + release series. :gl:`#2671` - Zones that want to transition from secure to insecure mode without becoming bogus in the process must now have their ``dnssec-policy`` 
@@ -52,40 +52,40 @@ Feature Changes ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE records to be published. :gl:`#2645` -- The default value of the ``max-ixfr-ratio`` option was changed to - ``unlimited``, for better backwards compatibility in the stable - release series. :gl:`#2671` - -Bug Fixes -~~~~~~~~~ - -- Fix a race condition in reading and writing key files for KASP zones in - multiple views. :gl:`#1875` - -- TTL values in cache dumps were reported incorrectly when - ``stale-cache-enable`` was set to ``yes``. This has been fixed. - :gl:`#389` :gl:`#2289` - -- When generating zone signing keys, KASP now also checks for key ID - conflicts among newly created keys, rather than just between new and - existing ones. :gl:`#2628` - - The implementation of the ZONEMD RR type has been updated to match :rfc:`8976`. :gl:`#2658` -- If ``dnssec-policy`` was active and the private key file was - temporarily offline during a rekey event, ``named`` could introduce - replacement keys and break a signed zone. This has been fixed. - :gl:`#2596` +- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: + NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value + or the SOA TTL. :gl:`#2347` + +Bug Fixes +~~~~~~~~~ - It was possible for corrupt journal files generated by an earlier version of ``named`` to cause problems after an upgrade. This has been fixed. :gl:`#2670` +- TTL values in cache dumps were reported incorrectly when + ``stale-cache-enable`` was set to ``yes``. This has been fixed. + :gl:`#389` :gl:`#2289` + - ``named`` and ``named-checkconf`` did not report an error when multiple zones with the ``dnssec-policy`` option set were using the same zone file. This has been fixed. :gl:`#2603` +- If ``dnssec-policy`` was active and a private key file was temporarily + offline during a rekey event, ``named`` could incorrectly introduce + replacement keys and break a signed zone. This has been fixed. 
+ :gl:`#2596` + +- When generating zone signing keys, KASP now also checks for key ID + conflicts among newly created keys, rather than just between new and + existing ones. :gl:`#2628` + +- Fix a race condition in reading and writing key files for KASP zones in + multiple views. :gl:`#1875` + - After the networking manager was introduced to ``named`` to handle incoming traffic, it was discovered that the recursive performance had been degraded compared to the previous version (9.11). This has been now fixed by From 6c144f38d99f701a362af756c94c154c61be12dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 12 May 2021 10:55:00 +0200 Subject: [PATCH 5/6] Add release note for GL #2626 --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index f7d09a04bf..7f274ca228 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -70,6 +70,10 @@ Bug Fixes ``stale-cache-enable`` was set to ``yes``. This has been fixed. :gl:`#389` :gl:`#2289` +- A deadlock could occur when multiple ``rndc addzone``, ``rndc + delzone``, and/or ``rndc modzone`` commands were invoked + simultaneously for different zones. This has been fixed. :gl:`#2626` + - ``named`` and ``named-checkconf`` did not report an error when multiple zones with the ``dnssec-policy`` option set were using the same zone file. This has been fixed. :gl:`#2603` From cc503db304569cecaa65310115e845d7e3979993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 12 May 2021 10:55:00 +0200 Subject: [PATCH 6/6] Prepare release notes for BIND 9.16.16 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.16.16.rst} | 33 ------------------- 2 files changed, 1 insertion(+), 34 deletions(-) rename doc/notes/{notes-current.rst => notes-9.16.16.rst} (77%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 5da0a75431..5059b0ec78 100644 
--- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -59,7 +59,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.16.16.rst .. include:: ../notes/notes-9.16.15.rst .. include:: ../notes/notes-9.16.14.rst .. include:: ../notes/notes-9.16.13.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.16.16.rst similarity index 77% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.16.16.rst index 7f274ca228..a2d3020018 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.16.16.rst @@ -11,26 +11,6 @@ Notes for BIND 9.16.16 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- None. - -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ @@ -86,16 +66,3 @@ Bug Fixes - When generating zone signing keys, KASP now also checks for key ID conflicts among newly created keys, rather than just between new and existing ones. :gl:`#2628` - -- Fix a race condition in reading and writing key files for KASP zones in - multiple views. :gl:`#1875` - -- After the networking manager was introduced to ``named`` to handle - incoming traffic, it was discovered that the recursive performance had been - degraded compared to the previous version (9.11). This has been now fixed by - running internal tasks inside the networking manager worker threads, so - they do not compete for resources. :gl:`#2638` - -- Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple - views with different ``dnssec-policy``. Using the same ``key-directory`` for - such zones is not allowed. :gl:`#2463`
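Review bot: in the CHANGES hunk of PATCH 2/6, entry 5633 is rewritten from the "max-ixfr-ratio" change into a [doc] entry for "inline-signing" (GL #2536) that says the option "was incorrectly accepted at those levels without effect. This has been fixed.", yet PATCH 3/6 adds no matching release note. If named now rejects "inline-signing" at the "options"/"view" levels, operators whose named.conf relied on it will see a configuration error on upgrade, which is exactly what the notes file is for; please add a Feature Changes entry or state in the commit message why it is CHANGES-only. Two smaller points in the same hunk: the 5619 wording "minimum of the SOA MINIMUM value or the SOA TTL" (also used in PATCH 3/6) reads less precisely than the original "and"; and the rewritten 5618 drops the concrete symptom (TTLs increased by 'max-stale-ttl' in "rndc dumpdb" output), which is the detail an operator would search for.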
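Review bot: the "Bug Fixes" hunk of PATCH 3/6 (@@ -61,28 +62,29 @@) deletes the GL #2623 note ("``named`` would overwrite a zone file unconditionally when it recovered from a corrupted journal") without carrying the reference anywhere else, while the replacement GL #2670 text ("cause problems after an upgrade") no longer says what actually failed. CHANGES 5635 in PATCH 2/6 is specific (journal compaction failing on invalid transaction headers), so the two documents now disagree; suggest aligning the note with 5635 and, if #2623 was deliberately folded into it, keeping ``:gl:`#2623``` on that entry so the issue tracker link survives.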
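Review bot: PATCH 4/6 is titled "Reorder release notes" but its second hunk (@@ -52,40 +52,40 @@) also changes content: the GL #2596 entry gains "a private key file" and "could incorrectly introduce" in place of "the private key file" and "could introduce", and the ZONEMD entry (GL #2658) moves from "Bug Fixes" to "Feature Changes". Both may well be right (CHANGES 5631 classifies ZONEMD as [protocol]), but they belong in PATCH 3/6 or in this commit message, otherwise a later bisect of the wording attributes it to a pure reorder.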
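Review bot: style point on the hunk in PATCH 5/6: the inline literal is wrapped as "``rndc\n  delzone``" across two lines. Every other entry in the file keeps each ``rndc ...`` literal on one line; doing the same here keeps the rendered text and a plain grep for "rndc delzone" consistent.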
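Review bot: in PATCH 6/6, the rename hunk (@@ -86,16 +66,3 @@) silently drops three Bug Fixes entries (GL #1875, GL #2638, GL #2463) and the commit message gives no reason; GL #2638 still appears in the unreleased CHANGES context shown in PATCH 2/6 ("function. [GL #2654] [GL #2638] [GL #2401]" above the "--- 9.16.15 released ---" marker), so either these are already covered by notes-9.16.15.rst (say so) or they should stay in notes-9.16.16.rst. Two further points: the first hunk of the same file removes the explicit "Security Fixes / - None." section, which is a useful positive signal for operators deciding whether a release is urgent; and after renaming notes-current.rst to notes-9.16.16.rst and switching the include in doc/arm/notes.rst, no fresh notes-current.rst is created, so the next development cycle has no file to add notes to.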