From e63b385073cb76fa9d22b5d9b3ac0423957a913f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Feb 2021 10:40:25 +0100 Subject: [PATCH 1/7] Document the build-time requirement for nghttp2 --- PLATFORMS.md | 2 +- README.md | 14 +++++++------- doc/notes/notes-current.rst | 8 +++++--- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/PLATFORMS.md b/PLATFORMS.md index 398123df17..ec8d2138a6 100644 --- a/PLATFORMS.md +++ b/PLATFORMS.md @@ -13,7 +13,7 @@ In general, this version of BIND will build and run on any POSIX-compliant system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library, -and the OpenSSL cryptography library. +the OpenSSL cryptography library, and the `nghttp2` HTTP/2 library. The following C11 features are used in BIND 9: diff --git a/README.md b/README.md index 61560d2b22..823f212e1c 100644 --- a/README.md +++ b/README.md 
@@ -128,13 +128,13 @@ including your patch as an attachment, preferably generated by At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler, basic POSIX support, and a 64-bit integer type. BIND also requires the -`libuv` asynchronous I/O library, and a cryptography provider library -such as OpenSSL or a hardware service module supporting PKCS#11. On -Linux, BIND requires the `libcap` library to set process privileges, -though this requirement can be overridden by disabling capability -support at compile time. See [Compile-time options](#opts) below -for details on other libraries that may be required to support -optional features. +`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, and a +cryptography provider library such as OpenSSL or a hardware service +module supporting PKCS#11. On Linux, BIND requires the `libcap` library +to set process privileges, though this requirement can be overridden by +disabling capability support at compile time. See [Compile-time +options](#opts) below for details on other libraries that may be +required to support optional features. Successful builds have been observed on many versions of Linux and Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index a4a2babf21..5a843a8ab7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -52,9 +52,11 @@ New Features an optional ``tls`` option which specifies either a previously configured ``tls`` statement or ``ephemeral``. [GL #2392] -- ``named`` now supports DNS-over-HTTPS (DoH). Both TLS-encrypted and - unencrypted HTTP/2 connections are supported (the latter may be used to - offload encryption to other software). +- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of + this, the ``nghttp2`` HTTP/2 library is now required for building the + development branch of BIND 9. Both TLS-encrypted and unencrypted + HTTP/2 connections are supported (the latter may be used to offload + encryption to other software). Note that there is no client-side support for HTTPS as yet; this will be added to ``dig`` in a future release. [GL #1144] From 234ff52725905a8108b679a562af8a845790fcd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Feb 2021 10:40:25 +0100 Subject: [PATCH 2/7] Use :rfc:`` references in release notes --- doc/notes/notes-9.17.3.rst | 2 +- doc/notes/notes-9.17.9.rst | 2 +- doc/notes/notes-current.rst | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/notes/notes-9.17.3.rst b/doc/notes/notes-9.17.3.rst index b658faf299..a50c878f1f 100644 --- a/doc/notes/notes-9.17.3.rst +++ b/doc/notes/notes-9.17.3.rst @@ -31,7 +31,7 @@ Feature Changes programs that interact with the network and process arbitrary user input. [GL #1933] -- As part of an ongoing effort to use RFC 8499 terminology, +- As part of an ongoing effort to use :rfc:`8499` terminology, ``primaries`` can now be used as a synonym for ``masters`` in ``named.conf``. Similarly, ``notify primary-only`` can now be used as a synonym for ``notify master-only``. The output of ``rndc diff --git a/doc/notes/notes-9.17.9.rst b/doc/notes/notes-9.17.9.rst index d702519775..b5bb532ee4 100644 --- a/doc/notes/notes-9.17.9.rst +++ b/doc/notes/notes-9.17.9.rst 
@@ -23,7 +23,7 @@ Feature Changes without making it bogus in the process; changing to ``dnssec-policy none;`` also causes CDS and CDNSKEY DELETE records to be published, to signal that the entire DS RRset at the parent must be removed, as - described in RFC 8078. [GL #1750] + described in :rfc:`8078`. [GL #1750] - When using the ``unixtime`` or ``date`` method to update the SOA serial number, ``named`` and ``dnssec-signzone`` silently fell back to diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 5a843a8ab7..6972f080f7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -88,7 +88,7 @@ Feature Changes - The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 day, and the default value of ``stale-answer-ttl`` has been changed from 1 - second to 30 seconds, following RFC 8767 recommendations. [GL #2248] + second to 30 seconds, following :rfc:`8767` recommendations. [GL #2248] - When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate`` and ``_spf_verify`` labels (which are employed by the ``exists`` SPF From 589cbe9bad83b3658d5f5b2a81367acc0f4eb0fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Feb 2021 10:40:25 +0100 Subject: [PATCH 3/7] Tweak and reword recent CHANGES entries --- CHANGES | 79 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/CHANGES b/CHANGES index a49353e09b..a44e5444e1 100644 --- a/CHANGES +++ b/CHANGES 
@@ -36,13 +36,13 @@ on the wrong freed list. [GL #2460] 5578. [protocol] Make "check-names" accept A records below "_spf", - "_spf_rate" and "_spf_verify" labels in order to cater + "_spf_rate", and "_spf_verify" labels in order to cater for the "exists" SPF mechanism specified in RFC 7208 - section 5.7. and appendix D. [GL #2377] + section 5.7 and appendix D.1. [GL #2377] -5577. [bug] Fix the "three is a crowd" key rollover bug in - dnssec-policy by correctly implementing Equation(2) of - the "Flexible and Robust Key Rollover" paper. [GL #2375] +5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by + correctly implementing Equation (2) of the "Flexible and + Robust Key Rollover" paper. [GL #2375] 5576. [experimental] Initial server-side implementation of DNS-over-HTTPS (DoH). Support for both TLS-encrypted and unencrypted 
@@ -51,44 +51,46 @@ client-side support for DNS-over-HTTPS; this will be added to dig in a future release.) [GL #1144] -5575. [bug] When migrating to dnssec-policy, BIND considered keys - with the "Inactive" and/or "Delete" timing metadata as +5575. [bug] When migrating to KASP, BIND 9 considered keys with the + "Inactive" and/or "Delete" timing metadata to be possible active keys. This has been fixed. [GL #2406] -5574. [func] Incoming zone transfers can now use TLS. - Addresses in a "primaries" list take an optional - "tls" argument, specifying either a previously - configured "tls" block or "ephemeral"; SOA queries - and zone transfer requests will then be sent via - TLS. [GL #2392] +5574. [func] Incoming zone transfers can now use TLS. Addresses in a + "primaries" list take an optional "tls" argument, + specifying either a previously configured "tls" block or + "ephemeral"; SOA queries and zone transfer requests are + then sent via TLS. [GL #2392] -5573. [func] Also return stale data if an error occurred and we are - not resuming. Only start the stale-refresh-time window - if we timed out. [GL #2434] +5573. [func] When serve-stale is enabled and stale data is available, + named now returns stale answers upon encountering any + unexpected error in the query resolution process. + However, the "stale-refresh-time" window is still only + started upon a timeout. [GL #2434] -5572. [bug] Address potential double free in generatexml. +5572. [bug] Address potential double free in generatexml(). [GL #2420] -5571. [bug] If a zone had a non-builtin named allow-update acl - named failed to start. [GL #2413] +5571. [bug] named failed to start when its configuration included a + zone with a non-builtin "allow-update" ACL attached. + [GL #2413] -5570. [bug] Improve the performance of dnssec-verify by reducing - the number of repeated calls to dns_dnssec_keyfromrdata. - [GL #2073] +5570. 
[bug] Improve performance of the DNSSEC verification code by + reducing the number of repeated calls to + dns_dnssec_keyfromrdata(). [GL #2073] -5569. [bug] Emit useful error message when 'rndc retransfer' is +5569. [bug] Emit useful error message when "rndc retransfer" is applied to a zone of inappropriate type. [GL #2342] 5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA keys. [GL #2178] 5567. [bug] Dig now reports unknown dash options while pre-parsing - the options. This prevents '-multi' instead of - '+multi' reporting memory usage before ending option - parsing on 'Invalid option: -lti'. [GL #2403] + the options. This prevents "-multi" instead of "+multi" + from reporting memory usage before ending option parsing + with "Invalid option: -lti". [GL #2403] -5566. [func] Add "stale-answer-client-timeout" option, which - is the amount of time a recursive resolver waits before +5566. [func] Add "stale-answer-client-timeout" option, which is the + amount of time a recursive resolver waits before attempting to answer the query using stale data from cache. [GL #2247] 
@@ -96,26 +98,25 @@ BIND 9 version number, in an effort to tightly couple internal libraries with a specific release. [GL #2387] -5564. [cleanup] Refactored the network manager TLSDNS module to use - libuv and libssl directly, rather than opening a - TLS/TCP socket stack. [GL #2235] +5564. [cleanup] Network manager's TLSDNS module was refactored to use + libuv and libssl directly instead of a stack of TCP/TLS + sockets. [GL #2335] 5563. [cleanup] Changed several obsolete configuration options to - ancient, making them into fatal errors. Also cleaned - up the number of clause flags in the configuration - parser. [GL #1086] + ancient, making them fatal errors. Also cleaned up the + number of clause flags in the configuration parser. + [GL #1086] 5562. [placeholder] -5561. [bug] KASP incorrectly set signature validity to the value - of the DNSKEY signature validity. This is now fixed. +5561. [bug] KASP incorrectly set signature validity to the value of + the DNSKEY signature validity. This is now fixed. [GL #2383] 5560. [func] The default value of "max-stale-ttl" has been changed from 12 hours to 1 day and the default value of - "stale-answer-ttl" has been changed from 1 second to - 30 seconds, following RFC 8767 recommendations. - [GL #2248] + "stale-answer-ttl" has been changed from 1 second to 30 + seconds, following RFC 8767 recommendations. [GL #2248] --- 9.17.9 released --- From 3799e66f04185afe3836982b25bb34ed0456f1c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Feb 2021 10:40:25 +0100 Subject: [PATCH 4/7] Tweak and reword release notes --- doc/notes/notes-current.rst | 110 +++++++++++++++++++----------------- 1 file changed, 57 insertions(+), 53 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 6972f080f7..a94c2fa00e 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -25,32 +25,35 @@ New Features ~~~~~~~~~~~~ - A new option, ``stale-answer-client-timeout``, has been added to - improve ``named``'s behavior with respect to serving stale data. The option - defines the amount of time ``named`` waits before attempting - to answer the query with a stale RRset from cache. If a stale answer - is found, ``named`` continues the ongoing fetches, attempting to - refresh the RRset in cache until the ``resolver-query-timeout`` interval is + improve ``named``'s behavior with respect to serving stale data. The + option defines the amount of time ``named`` waits before attempting to + answer the query with a stale RRset from cache. If a stale answer is + found, ``named`` continues the ongoing fetches, attempting to refresh + the RRset in cache until the ``resolver-query-timeout`` interval is reached. - The default value is ``1800`` (in milliseconds) and the maximum value is - bounded to ``resolver-query-timeout`` minus one second. A value of - ``0`` immediately returns a cached RRset if available, and still - attempts a refresh of the data in cache. + The default value is ``1800`` (in milliseconds) and the maximum value + is limited to ``resolver-query-timeout`` minus one second. A value of + ``0`` causes any available cached RRset to immediately be returned + while still triggering a refresh of the data in cache. - The option can be disabled by setting the value to ``off`` or - ``disabled``. It also has no effect if ``stale-answer-enable`` is - disabled. [GL #2247] + This new behavior can be disabled by setting + ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new + option has no effect if ``stale-answer-enable`` is disabled. + [GL #2247] -- Also return stale data if an error occurred and we are not resuming a - query (and serve-stale is enabled). This may happen for example if - ``fetches-per-server`` or ``fetches-per-zone` limits are reached. 
In this - case, we will try to answer DNS requests with stale data, but not start - the ``stale-refresh-time`` window. [GL #2434] +- When serve-stale is enabled and stale data is available, ``named`` now + returns stale answers upon encountering any unexpected error in the + query resolution process. This may happen, for example, if the + ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In + this case, ``named`` attempts to answer DNS requests with stale data, + but does not start the ``stale-refresh-time`` window. [GL #2434] - ``named`` now supports XFR-over-TLS (XoT) for incoming as well as - outgoing zone transfers. Addresses in a ``primaries`` list can take - an optional ``tls`` option which specifies either a previously configured - ``tls`` statement or ``ephemeral``. [GL #2392] + outgoing zone transfers. Addresses in a ``primaries`` list can now be + accompanied by an optional ``tls`` keyword, followed by either the + name of a previously configured ``tls`` statement or ``ephemeral``. + [GL #2392] - Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of this, the ``nghttp2`` HTTP/2 library is now required for building the 
@@ -58,20 +61,20 @@ New Features HTTP/2 connections are supported (the latter may be used to offload encryption to other software). - Note that there is no client-side support for HTTPS as yet; this will be - added to ``dig`` in a future release. [GL #1144] + Note that there is no client-side support for HTTPS as yet; this will + be added to ``dig`` in a future release. [GL #1144] Removed Features ~~~~~~~~~~~~~~~~ -- A number of non-working configuration options that had been marked - as obsolete in previous releases have now been removed completely. - Using any of the following options is now considered a configuration - failure: - ``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``, - ``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``, - ``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``, - ``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, +- A number of non-working configuration options that had been marked as + obsolete in previous releases have now been removed completely. Using + any of the following options is now considered a configuration + failure: ``acache-cleaning-interval``, ``acache-enable``, + ``additional-from-auth``, ``additional-from-cache``, + ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``, + ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``, + ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086] 
@@ -86,38 +89,39 @@ Feature Changes binaries from silently loading wrong versions of shared libraries (or multiple versions of the same shared library) at startup. [GL #2387] -- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 - day, and the default value of ``stale-answer-ttl`` has been changed from 1 - second to 30 seconds, following :rfc:`8767` recommendations. [GL #2248] +- The default value of ``max-stale-ttl`` has been changed from 12 hours + to 1 day and the default value of ``stale-answer-ttl`` has been + changed from 1 second to 30 seconds, following :rfc:`8767` + recommendations. [GL #2248] -- When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate`` - and ``_spf_verify`` labels (which are employed by the ``exists`` SPF - mechanism defined inr:rfc:`7208` section 5.7/appendix D1) are no longer - reported as warnings/errors. [GL #2377] +- When ``check-names`` is in effect, A records below an ``_spf``, + ``_spf_rate``, or ``_spf_verify`` label (which are employed by the + ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix + D.1) are no longer reported as warnings/errors. [GL #2377] Bug Fixes ~~~~~~~~~ -- KASP incorrectly set signature validity to the value of the DNSKEY signature - validity. This is now fixed. [GL #2383] +- KASP incorrectly set signature validity to the value of the DNSKEY + signature validity. This has been fixed. [GL #2383] -- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key. - This has been fixed. [GL #2178] +- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA + key. This has been fixed. [GL #2178] -- The use of named ACLs in ``allow-update`` was broken in BIND 9.17.9 and - BIND 9.16.11, preventing ``named`` from starting. [GL #2413] +- ``named`` failed to start when its configuration included a zone with + a non-builtin ``allow-update`` ACL attached. 
[GL #2413] -- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive" - and/or "Delete" timing metadata as possible active keys. This has been fixed. - [GL #2406] +- When migrating to KASP, BIND 9 considered keys with the ``Inactive`` + and/or ``Delete`` timing metadata to be possible active keys. This has + been fixed. [GL #2406] -- Fixed the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys - rolled faster than the time required to finish the rollover procedure, the - successor relation equation failed because it assumed only two keys were - taking part in a rollover. This could lead to premature removal of - predecessor keys. BIND 9 now implements a recursive successor relation, as - described in the paper "Flexible and Robust Key Rollover" (Equation (2)). - [GL #2375] +- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled + faster than the time required to finish the rollover procedure, the + successor relation equation failed because it assumed only two keys + were taking part in a rollover. This could lead to premature removal + of predecessor keys. BIND 9 now implements a recursive successor + relation, as described in the paper "Flexible and Robust Key Rollover" + (Equation (2)). [GL #2375] - If an invalid key name (e.g. "a..b") was specified in a ``primaries`` list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``, From fc4b7e72cc28f72f65c2688c570f37c4db453be8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Feb 2021 10:40:25 +0100 Subject: [PATCH 5/7] Reorder release notes --- doc/notes/notes-current.rst | 62 ++++++++++++++++++------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index a94c2fa00e..6366695458 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -24,6 +24,21 @@ Known Issues New Features ~~~~~~~~~~~~ +- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of + this, the ``nghttp2`` HTTP/2 library is now required for building the + development branch of BIND 9. Both TLS-encrypted and unencrypted + HTTP/2 connections are supported (the latter may be used to offload + encryption to other software). + + Note that there is no client-side support for HTTPS as yet; this will + be added to ``dig`` in a future release. [GL #1144] + +- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as + outgoing zone transfers. Addresses in a ``primaries`` list can now be + accompanied by an optional ``tls`` keyword, followed by either the + name of a previously configured ``tls`` statement or ``ephemeral``. + [GL #2392] + - A new option, ``stale-answer-client-timeout``, has been added to improve ``named``'s behavior with respect to serving stale data. The option defines the amount of time ``named`` waits before attempting to 
@@ -42,28 +57,6 @@ New Features option has no effect if ``stale-answer-enable`` is disabled. [GL #2247] -- When serve-stale is enabled and stale data is available, ``named`` now - returns stale answers upon encountering any unexpected error in the - query resolution process. This may happen, for example, if the - ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In - this case, ``named`` attempts to answer DNS requests with stale data, - but does not start the ``stale-refresh-time`` window. [GL #2434] - -- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as - outgoing zone transfers. Addresses in a ``primaries`` list can now be - accompanied by an optional ``tls`` keyword, followed by either the - name of a previously configured ``tls`` statement or ``ephemeral``. - [GL #2392] - -- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of - this, the ``nghttp2`` HTTP/2 library is now required for building the - development branch of BIND 9. Both TLS-encrypted and unencrypted - HTTP/2 connections are supported (the latter may be used to offload - encryption to other software). - - Note that there is no client-side support for HTTPS as yet; this will - be added to ``dig`` in a future release. [GL #1144] - Removed Features ~~~~~~~~~~~~~~~~ 
@@ -82,6 +75,18 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ +- When serve-stale is enabled and stale data is available, ``named`` now + returns stale answers upon encountering any unexpected error in the + query resolution process. This may happen, for example, if the + ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In + this case, ``named`` attempts to answer DNS requests with stale data, + but does not start the ``stale-refresh-time`` window. [GL #2434] + +- The default value of ``max-stale-ttl`` has been changed from 12 hours + to 1 day and the default value of ``stale-answer-ttl`` has been + changed from 1 second to 30 seconds, following :rfc:`8767` + recommendations. [GL #2248] + - The SONAMEs for BIND 9 libraries now include the current BIND 9 version number, in an effort to tightly couple internal libraries with a specific release. This change makes the BIND 9 release process both @@ -89,11 +94,6 @@ Feature Changes binaries from silently loading wrong versions of shared libraries (or multiple versions of the same shared library) at startup. [GL #2387] -- The default value of ``max-stale-ttl`` has been changed from 12 hours - to 1 day and the default value of ``stale-answer-ttl`` has been - changed from 1 second to 30 seconds, following :rfc:`8767` - recommendations. [GL #2248] - - When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate``, or ``_spf_verify`` label (which are employed by the ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix 
@@ -102,14 +102,14 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- KASP incorrectly set signature validity to the value of the DNSKEY - signature validity. This has been fixed. [GL #2383] +- ``named`` failed to start when its configuration included a zone with + a non-builtin ``allow-update`` ACL attached. [GL #2413] - Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key. This has been fixed. [GL #2178] -- ``named`` failed to start when its configuration included a zone with - a non-builtin ``allow-update`` ACL attached. [GL #2413] +- KASP incorrectly set signature validity to the value of the DNSKEY + signature validity. This has been fixed. [GL #2383] - When migrating to KASP, BIND 9 considered keys with the ``Inactive`` and/or ``Delete`` timing metadata to be possible active keys. This has From 5c15c6ab21c66ea7c79561118d9ba2e7bdc63ecc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Feb 2021 10:40:25 +0100 Subject: [PATCH 6/7] Add release note for GL #2073 --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 6366695458..417b6a4e4b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -123,6 +123,10 @@ Bug Fixes relation, as described in the paper "Flexible and Robust Key Rollover" (Equation (2)). [GL #2375] +- Performance of the DNSSEC verification code (used by + ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been + improved. [GL #2073] + - If an invalid key name (e.g. "a..b") was specified in a ``primaries`` list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``, which resulted in the returned memory being put on the wrong freed From 48353879e544354323c4168f4f87de735b1edc02 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Feb 2021 10:40:25 +0100 Subject: [PATCH 7/7] Prepare release notes for BIND 9.17.10 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.17.10.rst} | 20 ------------------- 2 files changed, 1 insertion(+), 21 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.10.rst} (90%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 775300054c..c0a6a4da0a 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.10.rst .. include:: ../notes/notes-9.17.9.rst .. include:: ../notes/notes-9.17.8.rst .. include:: ../notes/notes-9.17.7.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.10.rst similarity index 90% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.10.rst index 417b6a4e4b..e73ffeca99 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.10.rst @@ -11,16 +11,6 @@ Notes for BIND 9.17.10 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ 
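Review bot: In PATCH 7/7, the first notes-9.17.10.rst hunk deletes the "Security Fixes" and "Known Issues" sections that each read "None." An explicit "None" under Security Fixes is a positive statement that operators scanning release notes rely on when judging upgrade urgency, and it distinguishes "nothing to report" from "section forgotten". If dropping empty sections is the convention for a released version, state that in the commit message; otherwise keep at least the Security Fixes heading with its "None." entry.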
@@ -126,13 +116,3 @@ Bug Fixes - Performance of the DNSSEC verification code (used by ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been improved. [GL #2073] - -- If an invalid key name (e.g. "a..b") was specified in a ``primaries`` - list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``, - which resulted in the returned memory being put on the wrong freed - list. This has been fixed. [GL #2460] - -- If an outgoing packet would exceed max-udp-size, it would be dropped instead - of sending a proper response back. Rollback setting the IP_DONTFRAG on the - UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue. - [GL #2487]
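Review bot: In PATCH 1/7, the README.md and PLATFORMS.md hunks add `nghttp2` as a hard build requirement but state no minimum supported version and do not say whether the dependency can be disabled. CHANGES entry 5576 (visible in PATCH 3/7) still labels the DoH implementation as [experimental], so packagers of the development branch are being forced to pull in a new library for an experimental feature; please document the minimum version and consider making the library optional behind a configure switch until the feature leaves experimental status. In the same README hunk the unchanged context still says "an ANSI C compiler" while the PLATFORMS.md hunk says "a C11-compliant C compiler"; aligning the two while both files are being touched would avoid shipping contradictory build requirements.

Review bot: In PATCH 3/7, the hunk for CHANGES entry 5564 changes the issue reference from [GL #2235] to [GL #2335] while the commit subject describes the commit as "Tweak and reword". Please confirm the new number is the correct issue and mention the cross-reference fix in the commit message, since an issue number changed inside a rewording commit is easy to miss in review and hard to trace afterwards.

Review bot: In PATCH 4/7, the Bug Fixes hunk rewrites the ``allow-update`` entry and drops the statement that the breakage affected BIND 9.17.9 and BIND 9.16.11. The affected-version range is exactly what an operator needs to decide whether a deployment is hit, so keep it in the new wording, for example "In BIND 9.17.9 and 9.16.11, ``named`` failed to start when its configuration included a zone with a non-builtin ``allow-update`` ACL attached." In the same hunk the rollover entry now opens with imperative "Fix the ..." while every neighbouring entry is written in the past tense ("This has been fixed"); "Fixed the ..." as in the removed line keeps the release-note style consistent.

Review bot: The final hunk of PATCH 7/7 removes the GL #2460 and GL #2487 bug-fix entries from the 9.17.10 notes, and the commit message ("Prepare release notes for BIND 9.17.10") gives no reason. GL #2460 documents a memory accounting fix (wrong size passed to ``isc_mem_put()``, memory returned to the wrong freed list) and GL #2487 the rollback of IP_DONTFRAG on UDP sockets that caused over-size responses to be dropped; both are operationally relevant to anyone deciding whether to upgrade. If these fixes are not shipping in 9.17.10, say in the commit message which release will carry them and re-add the entries to the new notes-current.rst; if they are shipping, restore the two entries here.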