diff --git a/CHANGES b/CHANGES index a49353e09b..a44e5444e1 100644 --- a/CHANGES +++ b/CHANGES @@ -36,13 +36,13 @@ on the wrong freed list. [GL #2460] 5578. [protocol] Make "check-names" accept A records below "_spf", - "_spf_rate" and "_spf_verify" labels in order to cater + "_spf_rate", and "_spf_verify" labels in order to cater for the "exists" SPF mechanism specified in RFC 7208 - section 5.7. and appendix D. [GL #2377] + section 5.7 and appendix D.1. [GL #2377] -5577. [bug] Fix the "three is a crowd" key rollover bug in - dnssec-policy by correctly implementing Equation(2) of - the "Flexible and Robust Key Rollover" paper. [GL #2375] +5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by + correctly implementing Equation (2) of the "Flexible and + Robust Key Rollover" paper. [GL #2375] 5576. [experimental] Initial server-side implementation of DNS-over-HTTPS (DoH). Support for both TLS-encrypted and unencrypted 
@@ -51,44 +51,46 @@ client-side support for DNS-over-HTTPS; this will be added to dig in a future release.) [GL #1144] -5575. [bug] When migrating to dnssec-policy, BIND considered keys - with the "Inactive" and/or "Delete" timing metadata as +5575. [bug] When migrating to KASP, BIND 9 considered keys with the + "Inactive" and/or "Delete" timing metadata to be possible active keys. This has been fixed. [GL #2406] -5574. [func] Incoming zone transfers can now use TLS. - Addresses in a "primaries" list take an optional - "tls" argument, specifying either a previously - configured "tls" block or "ephemeral"; SOA queries - and zone transfer requests will then be sent via - TLS. [GL #2392] +5574. [func] Incoming zone transfers can now use TLS. Addresses in a + "primaries" list take an optional "tls" argument, + specifying either a previously configured "tls" block or + "ephemeral"; SOA queries and zone transfer requests are + then sent via TLS. [GL #2392] -5573. [func] Also return stale data if an error occurred and we are - not resuming. Only start the stale-refresh-time window - if we timed out. [GL #2434] +5573. [func] When serve-stale is enabled and stale data is available, + named now returns stale answers upon encountering any + unexpected error in the query resolution process. + However, the "stale-refresh-time" window is still only + started upon a timeout. [GL #2434] -5572. [bug] Address potential double free in generatexml. +5572. [bug] Address potential double free in generatexml(). [GL #2420] -5571. [bug] If a zone had a non-builtin named allow-update acl - named failed to start. [GL #2413] +5571. [bug] named failed to start when its configuration included a + zone with a non-builtin "allow-update" ACL attached. + [GL #2413] -5570. [bug] Improve the performance of dnssec-verify by reducing - the number of repeated calls to dns_dnssec_keyfromrdata. - [GL #2073] +5570. 
[bug] Improve performance of the DNSSEC verification code by + reducing the number of repeated calls to + dns_dnssec_keyfromrdata(). [GL #2073] -5569. [bug] Emit useful error message when 'rndc retransfer' is +5569. [bug] Emit useful error message when "rndc retransfer" is applied to a zone of inappropriate type. [GL #2342] 5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA keys. [GL #2178] 5567. [bug] Dig now reports unknown dash options while pre-parsing - the options. This prevents '-multi' instead of - '+multi' reporting memory usage before ending option - parsing on 'Invalid option: -lti'. [GL #2403] + the options. This prevents "-multi" instead of "+multi" + from reporting memory usage before ending option parsing + with "Invalid option: -lti". [GL #2403] -5566. [func] Add "stale-answer-client-timeout" option, which - is the amount of time a recursive resolver waits before +5566. [func] Add "stale-answer-client-timeout" option, which is the + amount of time a recursive resolver waits before attempting to answer the query using stale data from cache. [GL #2247] 
@@ -96,26 +98,25 @@ BIND 9 version number, in an effort to tightly couple internal libraries with a specific release. [GL #2387] -5564. [cleanup] Refactored the network manager TLSDNS module to use - libuv and libssl directly, rather than opening a - TLS/TCP socket stack. [GL #2235] +5564. [cleanup] Network manager's TLSDNS module was refactored to use + libuv and libssl directly instead of a stack of TCP/TLS + sockets. [GL #2335] 5563. [cleanup] Changed several obsolete configuration options to - ancient, making them into fatal errors. Also cleaned - up the number of clause flags in the configuration - parser. [GL #1086] + ancient, making them fatal errors. Also cleaned up the + number of clause flags in the configuration parser. + [GL #1086] 5562. [placeholder] -5561. [bug] KASP incorrectly set signature validity to the value - of the DNSKEY signature validity. This is now fixed. +5561. [bug] KASP incorrectly set signature validity to the value of + the DNSKEY signature validity. This is now fixed. [GL #2383] 5560. [func] The default value of "max-stale-ttl" has been changed from 12 hours to 1 day and the default value of - "stale-answer-ttl" has been changed from 1 second to - 30 seconds, following RFC 8767 recommendations. - [GL #2248] + "stale-answer-ttl" has been changed from 1 second to 30 + seconds, following RFC 8767 recommendations. [GL #2248] --- 9.17.9 released --- diff --git a/PLATFORMS.md b/PLATFORMS.md index 398123df17..ec8d2138a6 100644 --- a/PLATFORMS.md +++ b/PLATFORMS.md @@ -13,7 +13,7 @@ In general, this version of BIND will build and run on any POSIX-compliant system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library, -and the OpenSSL cryptography library. +the OpenSSL cryptography library, and the `nghttp2` HTTP/2 library. The following C11 features are used in BIND 9: diff --git a/README.md b/README.md index 61560d2b22..823f212e1c 100644 
--- a/README.md +++ b/README.md @@ -128,13 +128,13 @@ including your patch as an attachment, preferably generated by At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler, basic POSIX support, and a 64-bit integer type. BIND also requires the -`libuv` asynchronous I/O library, and a cryptography provider library -such as OpenSSL or a hardware service module supporting PKCS#11. On -Linux, BIND requires the `libcap` library to set process privileges, -though this requirement can be overridden by disabling capability -support at compile time. See [Compile-time options](#opts) below -for details on other libraries that may be required to support -optional features. +`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, and a +cryptography provider library such as OpenSSL or a hardware service +module supporting PKCS#11. On Linux, BIND requires the `libcap` library +to set process privileges, though this requirement can be overridden by +disabling capability support at compile time. See [Compile-time +options](#opts) below for details on other libraries that may be +required to support optional features. Successful builds have been observed on many versions of Linux and Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 775300054c..c0a6a4da0a 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.10.rst .. include:: ../notes/notes-9.17.9.rst .. include:: ../notes/notes-9.17.8.rst .. include:: ../notes/notes-9.17.7.rst diff --git a/doc/notes/notes-9.17.10.rst b/doc/notes/notes-9.17.10.rst new file mode 100644 index 0000000000..e73ffeca99 --- /dev/null +++ b/doc/notes/notes-9.17.10.rst 
@@ -0,0 +1,118 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.10 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of + this, the ``nghttp2`` HTTP/2 library is now required for building the + development branch of BIND 9. Both TLS-encrypted and unencrypted + HTTP/2 connections are supported (the latter may be used to offload + encryption to other software). + + Note that there is no client-side support for HTTPS as yet; this will + be added to ``dig`` in a future release. [GL #1144] + +- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as + outgoing zone transfers. Addresses in a ``primaries`` list can now be + accompanied by an optional ``tls`` keyword, followed by either the + name of a previously configured ``tls`` statement or ``ephemeral``. + [GL #2392] + +- A new option, ``stale-answer-client-timeout``, has been added to + improve ``named``'s behavior with respect to serving stale data. The + option defines the amount of time ``named`` waits before attempting to + answer the query with a stale RRset from cache. If a stale answer is + found, ``named`` continues the ongoing fetches, attempting to refresh + the RRset in cache until the ``resolver-query-timeout`` interval is + reached. + + The default value is ``1800`` (in milliseconds) and the maximum value + is limited to ``resolver-query-timeout`` minus one second. A value of + ``0`` causes any available cached RRset to immediately be returned + while still triggering a refresh of the data in cache. 
+ + This new behavior can be disabled by setting + ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new + option has no effect if ``stale-answer-enable`` is disabled. + [GL #2247] + +Removed Features +~~~~~~~~~~~~~~~~ + +- A number of non-working configuration options that had been marked as + obsolete in previous releases have now been removed completely. Using + any of the following options is now considered a configuration + failure: ``acache-cleaning-interval``, ``acache-enable``, + ``additional-from-auth``, ``additional-from-cache``, + ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``, + ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``, + ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, + ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, + ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, + ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086] + +Feature Changes +~~~~~~~~~~~~~~~ + +- When serve-stale is enabled and stale data is available, ``named`` now + returns stale answers upon encountering any unexpected error in the + query resolution process. This may happen, for example, if the + ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In + this case, ``named`` attempts to answer DNS requests with stale data, + but does not start the ``stale-refresh-time`` window. [GL #2434] + +- The default value of ``max-stale-ttl`` has been changed from 12 hours + to 1 day and the default value of ``stale-answer-ttl`` has been + changed from 1 second to 30 seconds, following :rfc:`8767` + recommendations. [GL #2248] + +- The SONAMEs for BIND 9 libraries now include the current BIND 9 + version number, in an effort to tightly couple internal libraries with + a specific release. 
This change makes the BIND 9 release process both + simpler and more consistent while also unequivocally preventing BIND 9 + binaries from silently loading wrong versions of shared libraries (or + multiple versions of the same shared library) at startup. [GL #2387] + +- When ``check-names`` is in effect, A records below an ``_spf``, + ``_spf_rate``, or ``_spf_verify`` label (which are employed by the + ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix + D.1) are no longer reported as warnings/errors. [GL #2377] + +Bug Fixes +~~~~~~~~~ + +- ``named`` failed to start when its configuration included a zone with + a non-builtin ``allow-update`` ACL attached. [GL #2413] + +- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA + key. This has been fixed. [GL #2178] + +- KASP incorrectly set signature validity to the value of the DNSKEY + signature validity. This has been fixed. [GL #2383] + +- When migrating to KASP, BIND 9 considered keys with the ``Inactive`` + and/or ``Delete`` timing metadata to be possible active keys. This has + been fixed. [GL #2406] + +- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled + faster than the time required to finish the rollover procedure, the + successor relation equation failed because it assumed only two keys + were taking part in a rollover. This could lead to premature removal + of predecessor keys. BIND 9 now implements a recursive successor + relation, as described in the paper "Flexible and Robust Key Rollover" + (Equation (2)). [GL #2375] + +- Performance of the DNSSEC verification code (used by + ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been + improved. [GL #2073] diff --git a/doc/notes/notes-9.17.3.rst b/doc/notes/notes-9.17.3.rst index b658faf299..a50c878f1f 100644 --- a/doc/notes/notes-9.17.3.rst +++ b/doc/notes/notes-9.17.3.rst 
@@ -31,7 +31,7 @@ Feature Changes programs that interact with the network and process arbitrary user input. [GL #1933] -- As part of an ongoing effort to use RFC 8499 terminology, +- As part of an ongoing effort to use :rfc:`8499` terminology, ``primaries`` can now be used as a synonym for ``masters`` in ``named.conf``. Similarly, ``notify primary-only`` can now be used as a synonym for ``notify master-only``. The output of ``rndc diff --git a/doc/notes/notes-9.17.9.rst b/doc/notes/notes-9.17.9.rst index d702519775..b5bb532ee4 100644 --- a/doc/notes/notes-9.17.9.rst +++ b/doc/notes/notes-9.17.9.rst @@ -23,7 +23,7 @@ Feature Changes without making it bogus in the process; changing to ``dnssec-policy none;`` also causes CDS and CDNSKEY DELETE records to be published, to signal that the entire DS RRset at the parent must be removed, as - described in RFC 8078. [GL #1750] + described in :rfc:`8078`. [GL #1750] - When using the ``unixtime`` or ``date`` method to update the SOA serial number, ``named`` and ``dnssec-signzone`` silently fell back to diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index a4a2babf21..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null 
@@ -1,128 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -Notes for BIND 9.17.10 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- A new option, ``stale-answer-client-timeout``, has been added to - improve ``named``'s behavior with respect to serving stale data. The option - defines the amount of time ``named`` waits before attempting - to answer the query with a stale RRset from cache. If a stale answer - is found, ``named`` continues the ongoing fetches, attempting to - refresh the RRset in cache until the ``resolver-query-timeout`` interval is - reached. - - The default value is ``1800`` (in milliseconds) and the maximum value is - bounded to ``resolver-query-timeout`` minus one second. A value of - ``0`` immediately returns a cached RRset if available, and still - attempts a refresh of the data in cache. - - The option can be disabled by setting the value to ``off`` or - ``disabled``. It also has no effect if ``stale-answer-enable`` is - disabled. [GL #2247] - -- Also return stale data if an error occurred and we are not resuming a - query (and serve-stale is enabled). This may happen for example if - ``fetches-per-server`` or ``fetches-per-zone` limits are reached. In this - case, we will try to answer DNS requests with stale data, but not start - the ``stale-refresh-time`` window. [GL #2434] - -- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as - outgoing zone transfers. 
Addresses in a ``primaries`` list can take - an optional ``tls`` option which specifies either a previously configured - ``tls`` statement or ``ephemeral``. [GL #2392] - -- ``named`` now supports DNS-over-HTTPS (DoH). Both TLS-encrypted and - unencrypted HTTP/2 connections are supported (the latter may be used to - offload encryption to other software). - - Note that there is no client-side support for HTTPS as yet; this will be - added to ``dig`` in a future release. [GL #1144] - -Removed Features -~~~~~~~~~~~~~~~~ - -- A number of non-working configuration options that had been marked - as obsolete in previous releases have now been removed completely. - Using any of the following options is now considered a configuration - failure: - ``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``, - ``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``, - ``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``, - ``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, - ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, - ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, - ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086] - -Feature Changes -~~~~~~~~~~~~~~~ - -- The SONAMEs for BIND 9 libraries now include the current BIND 9 - version number, in an effort to tightly couple internal libraries with - a specific release. This change makes the BIND 9 release process both - simpler and more consistent while also unequivocally preventing BIND 9 - binaries from silently loading wrong versions of shared libraries (or - multiple versions of the same shared library) at startup. [GL #2387] - -- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 - day, and the default value of ``stale-answer-ttl`` has been changed from 1 - second to 30 seconds, following RFC 8767 recommendations. 
[GL #2248] - -- When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate`` - and ``_spf_verify`` labels (which are employed by the ``exists`` SPF - mechanism defined inr:rfc:`7208` section 5.7/appendix D1) are no longer - reported as warnings/errors. [GL #2377] - -Bug Fixes -~~~~~~~~~ - -- KASP incorrectly set signature validity to the value of the DNSKEY signature - validity. This is now fixed. [GL #2383] - -- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key. - This has been fixed. [GL #2178] - -- The use of named ACLs in ``allow-update`` was broken in BIND 9.17.9 and - BIND 9.16.11, preventing ``named`` from starting. [GL #2413] - -- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive" - and/or "Delete" timing metadata as possible active keys. This has been fixed. - [GL #2406] - -- Fixed the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys - rolled faster than the time required to finish the rollover procedure, the - successor relation equation failed because it assumed only two keys were - taking part in a rollover. This could lead to premature removal of - predecessor keys. BIND 9 now implements a recursive successor relation, as - described in the paper "Flexible and Robust Key Rollover" (Equation (2)). - [GL #2375] - -- If an invalid key name (e.g. "a..b") was specified in a ``primaries`` - list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``, - which resulted in the returned memory being put on the wrong freed - list. This has been fixed. [GL #2460] - -- If an outgoing packet would exceed max-udp-size, it would be dropped instead - of sending a proper response back. Rollback setting the IP_DONTFRAG on the - UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue. - [GL #2487]
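Review bot: In the first CHANGES hunk (entries 5578 and 5577), the 5577 rewording replaces "dnssec-policy" with "KASP", but "dnssec-policy" is the name of the named.conf statement users search for; consider either keeping "dnssec-policy" or writing "KASP (dnssec-policy)" on first use so the entry stays discoverable. The reference fix "section 5.7 and appendix D.1" is fine.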
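Review bot: In the second CHANGES hunk, the rewritten 5573 entry drops the "we are not resuming" qualifier that the old text carried ("Also return stale data if an error occurred and we are not resuming"); the new wording "returns stale answers upon encountering any unexpected error" is broader than what was stated before, so please confirm it still describes the implemented condition, or add "when not resuming a query" back. Entry 5575 has the same "dnssec-policy" to "KASP" terminology change as 5577; keep whichever term is chosen consistent across CHANGES and the release notes.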
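Review bot: In the third CHANGES hunk, entry 5564 changes its issue reference from "[GL #2235]" to "[GL #2335]" while the rest of this patch is editorial; please confirm in the commit message that this is a deliberate correction of a wrong issue number and not a typo introduced by the reflow, since a wrong GL reference is hard to spot later.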
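Review bot: The PLATFORMS.md hunk adds "the `nghttp2` HTTP/2 library" as an unconditional build requirement without a minimum version, while the adjacent text already pins the C standard ("C11-compliant") and protocol expectations; consider stating the minimum nghttp2 version the build checks for, so packagers know which releases satisfy the new dependency.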
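Review bot: The README.md hunk makes `nghttp2` a hard requirement alongside `libuv`, yet the same paragraph still directs readers to the "[Compile-time options](#opts)" section for libraries "required to support optional features"; please verify that section is updated in the same change so that DoH/nghttp2 is not described as optional in one place and mandatory in another.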
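Review bot: The new doc/notes/notes-9.17.10.rst drops the "Security Fixes" and "Known Issues" sections (both "- None.") that notes-current.rst carried; if the project's release-notes template expects those headings even when empty, they should be kept. In the Bug Fixes section, the GL #2413 entry ("named failed to start when its configuration included a zone with a non-builtin allow-update ACL attached") loses the affected-version information from the previous wording ("was broken in BIND 9.17.9 and BIND 9.16.11") and no longer says the problem is fixed; suggest appending "This has been fixed." and restoring the affected versions, since readers use the notes to decide whether to upgrade. The GL #2375 entry opens in the imperative ("Fix the ...") while every neighbouring entry is in past tense ("Previously, ... This has been fixed."); align the tense.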
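Review bot: The deletion hunk for doc/notes/notes-current.rst removes two Bug Fixes entries that do not reappear in the new notes-9.17.10.rst: the GL #2460 fix (wrong size passed to ``isc_mem_put()`` for an invalid key name such as "a..b" in a ``primaries`` list) and the GL #2487 fix (packets exceeding max-udp-size dropped after IP_DONTFRAG was enabled for DNS Flag Day 2020). The GL #2460 change is still present in CHANGES (context line "on the wrong freed list. [GL #2460]" in the first hunk), so either these two entries were lost in the move and should be added to the 9.17.10 Bug Fixes section, or the commit message should say why they were dropped.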