ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Create release notes for 9.20.0

Browse Source
This commit is contained in:
Nicki Křížek
2024-07-08 13:31:31 +02:00
parent 1fa52674e1
commit 890ebd3fd3
29 changed files with 497 additions and 2033 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
doc/notes/notes-9.19.0.rst
View File

@@ -1,61 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.0
---------------------
Known Issues
~~~~~~~~~~~~
- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
be inspected when verifying a remote certificate while establishing a
DNS-over-TLS connection. Only ``subjectAltName`` must be checked
instead. Unfortunately, some quite old versions of cryptographic
libraries might lack the ability to ignore the ``Subject`` field. This
should have minimal production-use consequences, as most of the
production-ready certificates issued by certificate authorities will
have ``subjectAltName`` set. In such cases, the ``Subject`` field is
ignored. Only old platforms are affected by this, e.g. those supplied
with OpenSSL versions older than 1.1.1. :gl:`#3163`
- See :ref:`above <relnotes_known_issues>` for a list of all known
issues affecting this BIND 9 branch.
New Features
~~~~~~~~~~~~
- Add support for remote TLS certificate verification, both to
:iscman:`named` and :iscman:`dig`, making it possible to implement
Strict and Mutual TLS authentication, as described in :rfc:`9103`,
Section 9.3. :gl:`#3163`
- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a
``-J`` option to specify a journal file to read when loading the zone
to be verified or signed. :gl:`#2486`
Removed Features
~~~~~~~~~~~~~~~~
- The ``keep-response-order`` option has been declared obsolete and the
functionality has been removed. :iscman:`named` expects DNS clients to
be fully compliant with :rfc:`7766`. :gl:`#3140`
Feature Changes
~~~~~~~~~~~~~~~
- Run RPZ updates on the specialized "offload" threads to reduce the
amount of time they block query processing on the main networking
threads. This should increase the responsiveness of :iscman:`named`
when RPZ updates are being applied after an RPZ zone has been
successfully transferred. :gl:`#3190`
- The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744`

72
doc/notes/notes-9.19.1.rst
View File

@@ -1,72 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.1
---------------------
Security Fixes
~~~~~~~~~~~~~~
- Previously, TLS socket objects could be destroyed prematurely, which
triggered assertion failures in :iscman:`named` instances serving
DNS-over-HTTPS (DoH) clients. This has been fixed.
ISC would like to thank Thomas Amgarten from arcade solutions ag for
bringing this vulnerability to our attention. :cve:`2022-1183`
:gl:`#3216`
New Features
~~~~~~~~~~~~
- Catalog Zones schema version 2, as described in the
"DNS Catalog Zones" IETF draft version 5 document, is now supported by
:iscman:`named`. All of the previously supported BIND-specific catalog
zone custom properties (:any:`primaries`, :any:`allow-query`, and
:any:`allow-transfer`), as well as the new Change of Ownership (``coo``)
property, are now implemented. Schema version 1 is still supported,
with some additional validation rules applied from schema version 2:
for example, the :any:`version` property is mandatory, and a member zone
PTR RRset must not contain more than one record. In the event of a
validation error, a corresponding error message is logged to help with
diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
:gl:`#3224` :gl:`#3225`
- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and
``Stale NXDOMAIN Answer`` when stale answers are returned from cache.
:gl:`#2267`
- The Object Identifier (OID) embedded at the start of a PRIVATEOID
public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now
checked to ensure that it is valid when reading from zone files or
receiving data on the wire. The Object Identifier is now printed when
the ``dig +rrcomments`` option is used. Similarly, the name embedded
at the start of a PRIVATEDNS public key is also checked for validity.
:gl:`#3234`
- The Object Identifier (OID) embedded at the start of a PRIVATEOID
signature in a SIG, or RRSIG resource records is now checked to
ensure that it is valid when reading from zone files or receiving
data on the wire. Similarly, the name embedded at the start of
a PRIVATEDNS public key is also checked for validity. :gl:`#3296`
Bug Fixes
~~~~~~~~~
- Previously, CDS and CDNSKEY DELETE records were removed from the zone
when configured with the ``auto-dnssec maintain;`` option. This has
been fixed. :gl:`#2931`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

73
doc/notes/notes-9.19.10.rst
View File

@@ -1,73 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.10
----------------------
New Features
~~~~~~~~~~~~
- The :any:`forwarders` statement now supports the :any:`tls` argument,
to be used to forward queries to DoT-enabled servers. :gl:`#3726`
Removed Features
~~~~~~~~~~~~~~~~
- Specifying a ``port`` when configuring source addresses (i.e., as an
argument to :any:`query-source`, :any:`query-source-v6`,
:any:`transfer-source`, :any:`transfer-source-v6`,
:any:`notify-source`, :any:`notify-source-v6`, :any:`parental-source`,
or :any:`parental-source-v6`, or in the ``source`` or ``source-v6``
arguments to :any:`primaries`, :any:`parental-agents`,
:any:`also-notify`, or :any:`catalog-zones`) has been deprecated. In
addition, the :any:`use-v4-udp-ports`, :any:`use-v6-udp-ports`,
:any:`avoid-v4-udp-ports`, and :any:`avoid-v6-udp-ports` options have
also been deprecated.
Warnings are now logged when any of these options are encountered in
``named.conf``. In a future release, they will be made nonfunctional.
:gl:`#3781`
- The Differentiated Services Code Point (DSCP) feature has been
removed: configuring DSCP values in ``named.conf`` is now a
configuration error. :gl:`#3789`
Feature Changes
~~~~~~~~~~~~~~~
- The memory statistics have been reduced to a single counter,
``InUse``; ``Malloced`` is an alias that holds the same value. The
other counters were usable with the old BIND 9 internal memory
allocator, but they are unnecessary now that the latter has been
removed. :gl:`#3718`
Bug Fixes
~~~~~~~~~
- A constant stream of zone additions and deletions via ``rndc
reconfig`` could cause increased memory consumption due to delayed
cleaning of view memory. This has been fixed. :gl:`#3801`
- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
NSEC3 hashing, has been improved. :gl:`#3795`
- Pointing :any:`parental-agents` to a resolver did not work because the
RD bit was not set on DS requests. This has been fixed. :gl:`#3783`
- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
``./configure`` was used. This has been fixed. :gl:`#3827`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

89
doc/notes/notes-9.19.11.rst
View File

@@ -1,89 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.11
----------------------
New Features
~~~~~~~~~~~~
- When using :any:`dnssec-policy`, it is now possible to configure the
digest type to use when ``CDS`` records need to be published with
:any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS
records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837`
Removed Features
~~~~~~~~~~~~~~~~
- Support for Red Hat Enterprise Linux version 7 (and clones) has been
dropped. A C11-compliant compiler is now required to compile BIND 9.
:gl:`#3729`
- The functions that were in the ``libbind9`` shared library have been
moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty
``libbind9`` has been removed and is no longer installed. :gl:`#3903`
- The ``irs_resconf`` module has been moved to the ``libdns`` shared
library. The now-empty ``libirs`` library has been removed and is no
longer installed. :gl:`#3904`
Feature Changes
~~~~~~~~~~~~~~~
- Catalog zone updates are now run on specialized "offload" threads to
reduce the amount of time they block query processing on the main
networking threads. This increases the responsiveness of
:iscman:`named` when catalog zone updates are being applied after a
catalog zone has been successfully transferred. :gl:`#3881`
- libuv support for receiving multiple UDP messages in a single
``recvmmsg()`` system call has been tweaked several times between
libuv versions 1.35.0 and 1.40.0; the current recommended libuv
version is 1.40.0 or higher. New rules are now in effect for running
with a different version of libuv than the one used at compilation
time. These rules may trigger a fatal error at startup:
- Building against or running with libuv versions 1.35.0 and 1.36.0 is
now a fatal error.
- Running with libuv version higher than 1.34.2 is now a fatal error
when :iscman:`named` is built against libuv version 1.34.2 or lower.
- Running with libuv version higher than 1.39.0 is now a fatal error
when :iscman:`named` is built against libuv version 1.37.0, 1.38.0,
1.38.1, or 1.39.0.
This prevents the use of libuv versions that may trigger an assertion
failure when receiving multiple UDP messages in a single system call.
:gl:`#3840`
Bug Fixes
~~~~~~~~~
- :iscman:`named` could crash with an assertion failure when adding a
new zone into the configuration file for a name which was already
configured as a member zone for a catalog zone. This has been fixed.
:gl:`#3911`
- When :iscman:`named` starts up, it sends a query for the DNSSEC key
for each configured trust anchor to determine whether the key has
changed. In some unusual cases, the query might depend on a zone for
which the server is itself authoritative, and would have failed if it
were sent before the zone was fully loaded. This has now been fixed by
delaying the key queries until all zones have finished loading.
:gl:`#3673`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

93
doc/notes/notes-9.19.12.rst
View File

@@ -1,93 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.12
----------------------
Security Fixes
~~~~~~~~~~~~~~
- An error in DNS message processing introduced in development version
9.19.11 could cause BIND and its utilities to crash if the maximum
permissible number of DNS labels were present. This has been fixed.
:gl:`#3998`
Known Issues
~~~~~~~~~~~~
- Loading a large number of zones is significantly slower in BIND
9.19.12 than in the previous development releases due to a new data
structure being used for storing information about the zones to serve.
This slowdown is considered to be a bug and will be addressed in a
future BIND 9.19.x development release. :gl:`#4006`
- A flaw in reworked code responsible for accepting TCP connections may
cause a visible performance drop for TCP queries on some platforms,
notably FreeBSD. This issue will be fixed in a future BIND 9.19.x
development release. :gl:`#3985`
- See :ref:`above <relnotes_known_issues>` for a list of all known issues
affecting this BIND 9 branch.
New Features
~~~~~~~~~~~~
- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data
structures. :gl:`#3934`
- The new command-line :option:`delv +ns` option activates name server
mode, to more accurately reproduce the behavior of :iscman:`named`
when resolving a query. In this mode, :iscman:`delv` uses an internal
recursive resolver rather than an external server. All messages sent
and received during the resolution and validation process are logged.
This can be used in place of :option:`dig +trace`. :gl:`#3842`
- A new configuration option, :any:`checkds`, has been introduced. When
set to ``yes``, it detects :any:`parental-agents` automatically by
resolving the parent NS records. These name servers are queried to
check the DS RRset during a KSK rollover initiated by
:any:`dnssec-policy`. :gl:`#3901`
.. _`liburcu`: https://liburcu.org/
Removed Features
~~~~~~~~~~~~~~~~
- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been
removed and using TKEY Mode 2 is now a fatal error. Users are advised
to switch to TKEY Mode 3 (GSS-API). :gl:`#3905`
- Zone type ``delegation-only``, and the ``delegation-only`` and
``root-delegation-only`` statements, have been removed. Using them is
a configuration error.
These statements were created to address the SiteFinder controversy,
in which certain top-level domains redirected misspelled queries to
other sites instead of returning NXDOMAIN responses. Since top-level
domains are now DNSSEC-signed, and DNSSEC validation is active by
default, the statements are no longer needed. :gl:`#3953`
Feature Changes
~~~~~~~~~~~~~~~
- The log message ``resolver priming query complete`` has been moved
from the INFO log level to the DEBUG(1) log level, to prevent
:iscman:`delv` from emitting that message when setting up its internal
resolver. :gl:`#3842`
Bug Fixes
~~~~~~~~~
- Several bugs which could cause :iscman:`named` to crash during catalog
zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997`
- Performance of DNSSEC validation in zones with many DNSKEY records has
been improved. :gl:`#3981`

66
doc/notes/notes-9.19.13.rst
View File

@@ -1,66 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.13
----------------------
New Features
~~~~~~~~~~~~
- :iscman:`dnstap-read` can now print long timestamps with millisecond
precision. :gl:`#2360`
Bug Fixes
~~~~~~~~~
- When the same :any:`notify-source` address and port number was
configured for multiple destinations and zones, an unresponsive server
could tie up the relevant network socket until it timed out; in the
meantime, NOTIFY messages for other servers silently failed.
:iscman:`named` will now retry sending such NOTIFY messages over TCP.
Furthermore, NOTIFY failures are now logged at the INFO level.
:gl:`#4001` :gl:`#4002`
- The :any:`max-transfer-time-in` and :any:`max-transfer-idle-in`
statements have not had any effect since the BIND 9 networking stack
was refactored in version 9.16. The missing functionality has been
re-implemented and incoming zone transfers now time out properly when
not progressing. :gl:`#4004`
- The read timeout in :iscman:`rndc` is now 60 seconds, matching the
behavior in BIND 9.16 and earlier. It had previously been lowered to
30 seconds by mistake. :gl:`#4046`
- When the ``ISC_R_INVALIDPROTO`` (``ENOPROTOOPT``, ``EPROTONOSUPPORT``)
error code is returned by libuv, it is now treated as a network
failure: the server for which that error code is returned gets marked
as broken and is not contacted again during a given resolution
process. :gl:`#4005`
- When removing delegations from an opt-out range, empty-non-terminal
NSEC3 records generated by those delegations were not cleaned up. This
has been fixed. :gl:`#4027`
- A flaw in reworked code responsible for accepting TCP connections has
been addressed. This issue could cause a visible performance drop for
TCP queries on some platforms, notably FreeBSD, and has now been
fixed. :gl:`#3985`
- Log file rotation code did not clean up older versions of log files
when the logging :any:`channel` had an absolute path configured as a
``file`` destination. This has been fixed. :gl:`#3991`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

89
doc/notes/notes-9.19.14.rst
View File

@@ -1,89 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.14
----------------------
Security Fixes
~~~~~~~~~~~~~~
- The overmem cleaning process has been improved, to prevent the cache from
significantly exceeding the configured :any:`max-cache-size` limit.
:cve:`2023-2828`
ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to
our attention. :gl:`#4055`
New Features
~~~~~~~~~~~~
- The read timeout in :iscman:`rndc` can now be specified on the command
line using the :option:`-t <rndc -t>` option, allowing commands that
take a long time to complete sufficient time to do so. :gl:`#4046`
- Support for multi-signer model 2 (:rfc:`8901`) when using
:any:`inline-signing` was added. :gl:`#2710`
- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`,
that allows users to enable or disable the publication of CDNSKEY
records. :gl:`#4050`
- The system test suite can now be executed with pytest (along with
pytest-xdist for parallel execution). :gl:`#3978`
Removed Features
~~~~~~~~~~~~~~~~
- Special-case code that was originally added to allow GSS-TSIG to work
around bugs in the Windows 2000 version of Active Directory has now
been removed, since Windows 2000 is long past end-of-life. The
:option:`-o <nsupdate -o>` option and the ``oldgsstsig`` command to
:iscman:`nsupdate` have been deprecated, and are now treated as
synonyms for :option:`-g <nsupdate -g>` and ``gsstsig`` respectively.
:gl:`#4012`
Feature Changes
~~~~~~~~~~~~~~~
- If a response from an authoritative server has its RCODE set to
FORMERR and contains an echoed EDNS COOKIE option that was present in
the query, :iscman:`named` now retries sending the query to the
same server without an EDNS COOKIE option. :gl:`#4049`
- The responsiveness of :iscman:`named` was improved, when serving as an
authoritative DNS server for a delegation-heavy zone(s) shortly after
loading such zone(s). :gl:`#4045`
Bug Fixes
~~~~~~~~~
- When the :any:`stale-answer-enable` option was enabled and the
:any:`stale-answer-client-timeout` option was enabled and larger than
0, :iscman:`named` previously allocated two slots from the
:any:`clients-per-query` limit for each client and failed to gradually
auto-tune its value, as configured. This has been fixed. :gl:`#4074`
- Previously, it was possible for a delegation from cache to be returned
to the client after the :any:`stale-answer-client-timeout` duration.
This has been fixed. :gl:`#3950`
- BIND could allocate too big buffers when sending data via
stream-based DNS transports, leading to increased memory usage.
This has been fixed. :gl:`#4038`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

38
doc/notes/notes-9.19.15.rst
View File

@@ -1,38 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.15
----------------------
Feature Changes
~~~~~~~~~~~~~~~
- The ``relaxed`` QNAME minimization mode now uses NS records. This
reduces the number of queries :iscman:`named` makes when resolving, as
it allows the non-existence of NS RRsets at non-referral nodes to be
cached in addition to the normally cached referrals. :gl:`#3325`
Bug Fixes
~~~~~~~~~
- The ability to read HMAC-MD5 key files, which was accidentally lost in
BIND 9.19.6 and BIND 9.18.8, has been restored. :gl:`#3668`
:gl:`#4154`
- Several minor stability issues with the catalog zone implementation
have been fixed. :gl:`#4132` :gl:`#4136` :gl:`#4171`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

65
doc/notes/notes-9.19.16.rst
View File

@@ -1,65 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.16
----------------------
Removed Features
~~~~~~~~~~~~~~~~
- The ``auto-dnssec`` configuration statement has been removed. Please
use :any:`dnssec-policy` or manual signing instead. The following
statements have become obsolete: :any:`dnskey-sig-validity`,
:any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`,
:any:`sig-validity-interval`, and :any:`update-check-ksk`. :gl:`#3672`
Feature Changes
~~~~~~~~~~~~~~~
- BIND now returns BADCOOKIE for out-of-date or otherwise bad but
well-formed DNS server cookies. :gl:`#4194`
- When a primary server for a zone responds to an SOA query, but the
subsequent TCP connection required to transfer the zone is refused,
that server is marked as temporarily unreachable. This now also
happens if the TCP connection attempt times out, preventing too many
zones from queuing up on an unreachable server and allowing the
refresh process to move on to the next configured primary more
quickly. :gl:`#4215`
- The :any:`inline-signing` statement can now also be set inside
:any:`dnssec-policy`. The built-in policies ``default`` and
``insecure`` enable the use of :any:`inline-signing`. If
:any:`inline-signing` is set at the ``zone`` level, it overrides the
value set in :any:`dnssec-policy`. :gl:`#3677`
- To improve query-processing latency under load, the uninterrupted time
spent on resolving long chains of cached domain names has been
reduced. :gl:`#4185`
- The :any:`dialup` and :any:`heartbeat-interval` options have been
deprecated and will be removed in a future BIND 9 release. :gl:`#3700`
Bug Fixes
~~~~~~~~~
- Setting :any:`dnssec-policy` to ``insecure`` prevented zones
containing resource records with a TTL value larger than 86400 seconds
(1 day) from being loaded. This has been fixed by ignoring the TTL
values in the zone and using a value of 604800 seconds (1 week) as the
maximum zone TTL in key rollover timing calculations. :gl:`#4032`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

99
doc/notes/notes-9.19.17.rst
View File

@@ -1,99 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.17
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing :iscman:`named` to terminate unexpectedly.
This has been fixed. :cve:`2023-3341`
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. :gl:`#4152`
New Features
~~~~~~~~~~~~
- Support for User Statically Defined Tracing (USDT) probes has been
added. These probes enable fine-grained application tracing and
introduce no overhead when they are not enabled. :gl:`#4041`
- The client-side support of the EDNS EXPIRE option has been expanded to
include IXFR and AXFR query types. This enhancement enables
:iscman:`named` to perform AXFR and IXFR queries while incorporating
the EDNS EXPIRE option. :gl:`#4170`
Removed Features
~~~~~~~~~~~~~~~~
- The :any:`dnssec-must-be-secure` option has been deprecated and will
be removed in a future release. :gl:`#4263`
Feature Changes
~~~~~~~~~~~~~~~
- Compiling with jemalloc versions older than 4.0.0 is no longer
supported; those versions do not provide the features required by
current BIND 9 releases. :gl:`#4296`
- If the ``server`` command is specified, :iscman:`nsupdate` now honors
the :option:`nsupdate -v` option for SOA queries by sending both the
UPDATE request and the initial query over TCP. :gl:`#1181`
Bug Fixes
~~~~~~~~~
- The value of the If-Modified-Since header in the statistics channel
was not being correctly validated for its length, potentially allowing
an authorized user to trigger a buffer overflow. Ensuring the
statistics channel is configured correctly to grant access exclusively
to authorized users is essential (see the :any:`statistics-channels`
block definition and usage section). :gl:`#4124`
This issue was reported independently by Eric Sesterhenn of X41 D-Sec
GmbH and Cameron Whitehead.
- The Content-Length header in the statistics channel was lacking proper
bounds checking. A negative or excessively large value could
potentially trigger an integer overflow and result in an assertion
failure. :gl:`#4125`
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
- Several memory leaks caused by not clearing the OpenSSL error stack
were fixed. :gl:`#4159`
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
- The introduction of ``krb5-subdomain-self-rhs`` and
``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
:iscman:`named` to return SERVFAIL responses to deletion requests for
non-existent PTR and SRV records. This has been fixed. :gl:`#4280`
- The :any:`stale-refresh-time` feature was mistakenly disabled when the
server cache was flushed by :option:`rndc flush`. This has been fixed.
:gl:`#4278`
- BIND's memory consumption has been improved by implementing dedicated
jemalloc memory arenas for sending buffers. This optimization ensures
that memory usage is more efficient and better manages the return of
memory pages to the operating system. :gl:`#4038`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

83
doc/notes/notes-9.19.18.rst
View File

@@ -1,83 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.18
----------------------
New Features
~~~~~~~~~~~~
- The statistics channel now includes information about incoming zone
transfers that are currently in progress. :gl:`#3883`
- The new :any:`resolver-use-dns64` option enables :iscman:`named` to
apply :any:`dns64` rules to IPv4 server addresses when sending
recursive queries, so that resolution can be performed over a NAT64
connection. :gl:`#608`
Removed Features
~~~~~~~~~~~~~~~~
- Support for the ``lock-file`` statement and the ``named -X``
command-line option has been removed. An external process supervisor
should be used instead. :gl:`#4391`
Alternatively, the ``flock`` utility (part of util-linux) can be used
on Linux systems to achieve the same effect as ``lock-file`` or
``named -X``:
::
flock -n -x <directory>/named.lock <path>/named <arguments>
- Configuring the control channel to use a Unix domain socket has been a
fatal error since BIND 9.18. The feature has now been completely
removed and :iscman:`named-checkconf` now reports it as a
configuration error. :gl:`#4311`
Feature Changes
~~~~~~~~~~~~~~~
- Processing large incremental transfers (IXFR) has been offloaded to a
separate work thread so that it does not prevent networking threads
from processing regular traffic in the meantime. :gl:`#4367`
- QNAME minimization is now used when looking up the addresses of name
servers during the recursive resolution process. :gl:`#4209`
- The :any:`inline-signing` zone option is now ignored if there is no
:any:`dnssec-policy` configured for the zone. This means that unsigned
zones no longer create redundant signed versions of the zone.
:gl:`#4349`
- The IP addresses for B.ROOT-SERVERS.NET have been updated to
170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
Bug Fixes
~~~~~~~~~
- :any:`max-cache-size` accidentally became ineffective in BIND 9.19.16.
This has been fixed and the option now behaves as documented again.
:gl:`#4340`
- If the unsigned version of an inline-signed zone contained DNSSEC
records, it was incorrectly scheduled for resigning. This has been
fixed. :gl:`#4350`
- Looking up stale data from the cache did not take local authoritative
data into account. This has been fixed. :gl:`#4355`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

55
doc/notes/notes-9.19.19.rst
View File

@@ -1,55 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.19
----------------------
New Features
~~~~~~~~~~~~
- Initial support for the PROXYv2 protocol was added. :iscman:`named`
can now accept PROXYv2 headers over all currently implemented DNS
transports and :iscman:`dig` can insert these headers into the queries
it sends. Please consult the related documentation
(:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and
:any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and
:option:`dig +proxy-plain` for :iscman:`dig`) for additional details.
:gl:`#4388`
Removed Features
~~~~~~~~~~~~~~~~
- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
aes;``) has been removed. The only supported DNS COOKIE algorithm is
now the current default, SipHash-2-4. :gl:`#4421`
- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval``
statements have been removed. Using them is now a fatal error.
:gl:`#4405`
Feature Changes
~~~~~~~~~~~~~~~
- The maximum number of NSEC3 iterations allowed for validation purposes
has been lowered from 150 to 50. DNSSEC responses containing NSEC3
records with iteration counts greater than 50 are now treated as
insecure. :gl:`#4363`
- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only
allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using
NSEC3 that the policy manages. :gl:`#4363`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

44
doc/notes/notes-9.19.2.rst
View File

@@ -1,44 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.2
---------------------
Feature Changes
~~~~~~~~~~~~~~~
- New :any:`dnssec-policy` configuration checks have been added to detect
unusual policies, such as missing KSK and/or ZSK and too-short key
lifetimes and re-sign periods. :gl:`#1611`
Bug Fixes
~~~~~~~~~
- The :any:`fetches-per-server` quota is designed to adjust itself downward
automatically when an authoritative server times out too frequently.
Due to a coding error, that adjustment was applied incorrectly, so
that the quota for a congested server was always set to 1. This has
been fixed. :gl:`#3327`
- DNSSEC-signed catalog zones were not being processed correctly. This
has been fixed. :gl:`#3380`
- Key files were updated every time the :any:`dnssec-policy` key manager
ran, whether the metadata had changed or not. :iscman:`named` now
checks whether changes were applied before writing out the key files.
:gl:`#3302`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

19
doc/notes/notes-9.19.20.rst
View File

@@ -1,19 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.20
----------------------
.. note::
The BIND 9.19.20 release was withdrawn after the discovery of a
regression in a security fix in it during pre-release testing. ISC
would like to acknowledge the assistance of Curtis Tuplin of SaskTel.

74
doc/notes/notes-9.19.21.rst
View File

@@ -1,74 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.21
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Validating DNS messages containing a lot of DNSSEC signatures could
cause excessive CPU load, leading to a denial-of-service condition.
This has been fixed. :cve:`2023-50387`
ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
and Michael Waidner from the German National Research Center for
Applied Cybersecurity ATHENE for bringing this vulnerability to our
attention. :gl:`#4424`
- Preparing an NSEC3 closest encloser proof could cause excessive CPU
load, leading to a denial-of-service condition. This has been fixed.
:cve:`2023-50868` :gl:`#4459`
- Parsing DNS messages with many different names could cause excessive
CPU load. This has been fixed. :cve:`2023-4408`
ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
University, and Yuval Shavitt from Tel-Aviv University for bringing
this vulnerability to our attention. :gl:`#4234`
- Specific queries could cause :iscman:`named` to crash with an
assertion failure when :any:`nxdomain-redirect` was enabled. This has
been fixed. :cve:`2023-5517` :gl:`#4281`
- A bad interaction between DNS64 and serve-stale could cause
:iscman:`named` to crash with an assertion failure, when both of these
features were enabled. This has been fixed. :cve:`2023-5679`
:gl:`#4334`
Feature Changes
~~~~~~~~~~~~~~~
- :iscman:`named-compilezone` no longer performs zone integrity checks
by default; this allows faster conversion of a zone file from one
format to another. :gl:`#4364`
Zone checks can be performed by running :iscman:`named-checkzone`
separately, or the previous default behavior can be restored by using:
::
named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
Bug Fixes
~~~~~~~~~
- The counters exported via the statistics channel were changed back to
64-bit signed values; they were being inadvertently truncated to
unsigned 32-bit values since BIND 9.15.0. :gl:`#4467`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

107
doc/notes/notes-9.19.22.rst
View File

@@ -1,107 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.22
----------------------
New Features
~~~~~~~~~~~~
- Information on incoming zone transfers in the statistics channel now also shows
the zones' "first refresh" flag, which indicates that a zone is not fully
ready and that its first ever refresh is pending or is in progress. The number
of such zones is now also exposed by the ``rndc status`` command. :gl:`#4241`
- The statistics channel now includes counters that indicate the number
of currently connected TCP IPv4/IPv6 clients. :gl:`#4425`
- HSM support was added to :any:`dnssec-policy`. Keys can now be configured with a
``key-store`` that allows users to set the directory where key files are stored and to
set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11
provider to be configured for OpenSSL. :gl:`#1129`
- The ``tls`` block was extended with a new ``cipher-suites`` option
that allows permitted cipher suites for TLSv1.3 to be set. Please
consult the documentation for additional details.
:gl:`#3504`
- Support for the RESINFO record type was added. :gl:`#4413`
Removed Features
~~~~~~~~~~~~~~~~
- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` values,
when the feature is turned on. When using a non-zero value, :iscman:`named` now
generates a warning log message, and treats the value as ``0``. :gl:`#4447`
Feature Changes
~~~~~~~~~~~~~~~
- The ``dnssec-validation yes`` option now requires an explicitly configured
:any:`trust-anchors` statement. If using manual trust anchors is not
operationally required, then please consider using ``dnssec-validation auto``
instead. :gl:`#4373`
- The red-black tree data structure used in the RBTDB (the default
database implementation for cache and zone databases),
has been replaced with QP-tries. This is expected to improve
performance and scalability, though in the current implementation
it is known to have larger memory consumption.
A side effect of this change is that zone files that are created with
:any:`masterfile-style` ``relative`` - for example, the output of
:any:`dnssec-signzone` - will no longer have multiple different
`$ORIGIN` statements. There should be no other changes to server
behavior.
The old RBT-based database still exists for now, and can be used by
specifying ``database rbt`` in a ``zone`` statement in ``named.conf``,
or by compiling with ``configure --with-zonedb=rbt --with-cachedb=rbt``.
:gl:`#4411`
Bug Fixes
~~~~~~~~~
- A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
:any:`max-cache-size` limit was reached. This has been fixed.
:gl:`#4596`
- Using :option:`rndc flush` inadvertently caused cache cleaning to
become less effective. This could ultimately lead to the configured
:any:`max-cache-size` limit being exceeded and has now been fixed.
:gl:`#4621`
- The logic for cleaning up expired cached DNS records was
tweaked to be more aggressive. This change helps with enforcing
:any:`max-cache-ttl` and :any:`max-ncache-ttl` in a timely manner.
:gl:`#4591`
- Changes to ``listen-on`` statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That issue
has been fixed.
ISC would like to thank Thomas Amgarten for bringing this issue to
our attention. :gl:`#4518` :gl:`#4528`
- It was possible to trigger a use-after-free assertion when the overmem cache
cleaning was initiated. This has been fixed. :gl:`#4595`
ISC would like to thank Jinmei Tatuya of Infoblox for bringing
this issue to our attention.
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

55
doc/notes/notes-9.19.23.rst
View File

@@ -1,55 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.23
----------------------
New Features
~~~~~~~~~~~~
- Added RESOLVER.ARPA to the built in empty zones. :gl:`#4580`
Feature Changes
~~~~~~~~~~~~~~~
- Memory consumption of the new QP-trie database has been optimized. Large
zones, which used to require significantly more memory with QP-trie, now only
require roughly 15% more memory than the old red-black tree data structure.
:gl:`#4614`
- The :any:`sortlist` option has been deprecated and will be removed in a
future BIND 9.21.x release. Users should not rely on a specific order of
resource records in DNS messages. :gl:`#4593`
- The ``fixed`` value for the :any:`rrset-order` option and the corresponding
``configure`` script option have been deprecated and will be removed in a
future BIND 9.21.x release. Users should not rely on a specific order of
resource records in DNS messages. :gl:`#4446`
Bug Fixes
~~~~~~~~~
- A bug in the keymgr code unintentionally slowed down some DNSSEC key
rollovers. This has been fixed. :gl:`#4552`
- Two bugs that could have caused resolvers configured with the new cache data
structure to crash or hang have been fixed. :gl:`#4622` :gl:`#4652`
- Some ISO 8601 durations were accepted erroneously, leading to shorter
durations than expected. This has been fixed. :gl:`#4624`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

61
doc/notes/notes-9.19.24.rst
View File

@@ -1,61 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.24
----------------------
New Features
~~~~~~~~~~~~
- A new option :any:`signatures-jitter` has been added to :any:`dnssec-policy`
to allow signature expirations to be spread out over a period of time.
:gl:`#4554`
- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key Signing
Request (KSR) and Signed Key Response (SKR) files. :gl:`#1128`
- Queries and responses now emit distinct dnstap entries for DNS-over-TLS (DoT)
and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands these entries.
:gl:`#4523`
Removed Features
~~~~~~~~~~~~~~~~
- The :iscman:`named` command-line option :option:`-U <named -U>`, which
specified the number of UDP dispatches, has been removed. Using it now
returns a warning. :gl:`#1879`
Feature Changes
~~~~~~~~~~~~~~~
- Querying the statistics channel no longer blocks DNS communication on the
networking event loop level. :gl:`#4680`
- DNSSEC signatures that are not valid because the current time falls outside
the signature inception and expiration dates no longer count towards maximum
validation and maximum validation failure limits. :gl:`#4586`
- Multiple RNDC messages are now processed when sent in a single TCP message.
ISC would like to thank Dominik Thalhammer for reporting the issue and
preparing the initial patch. :gl:`#4416`
- :iscman:`dnssec-keygen` now allows the options :option:`-k <dnssec-keygen
-k>` and :option:`-f <dnssec-keygen -f>` to be used together. This allows the
creation of keys for a given :any:`dnssec-policy` that match only the KSK
(``-fK``) or ZSK (``-fZ``) roles. :gl:`#1128`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

94
doc/notes/notes-9.19.25.rst
View File

@@ -1,94 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.25
----------------------
Security Fixes
~~~~~~~~~~~~~~
- A malicious DNS client that sent many queries over TCP but never read
the responses could cause a server to respond slowly or not at all for
other clients. This has been fixed. :cve:`2024-0760` :gl:`#4481`
- Excessively large resource record sets can be crafted to slow down
database processing. This has been addressed by adding a configurable
limit to the number of records that can be stored per name and type in
a cache or zone database. The default is 100, but it can be tuned with
the new :any:`max-records-per-type` option. :gl:`#497` :gl:`#3405`
An excessively large number of resource record types for a single owner
name can be crafted to slow down database processing. This has been
addressed by adding a configurable limit to the number of records that
can be stored per name and type in a cache or zone database. The
default is 100, and can be tuned with the new :any:`max-types-per-name`
option. :cve:`2024-1737` :gl:`#3403`
ISC would like to thank Toshifumi Sakaguchi who independently
discovered and responsibly reported the issue to ISC. :gl:`#4548`
- A malicious DNS client that sends many queries with a SIG(0)-signed
message can cause server to respond slowly or not respond at all for
other clients. This has been fixed. :cve:`2024-1975` :gl:`#4480`
- Due to a logic error, lookups that triggered serving stale data and
required lookups in local authoritative zone data could have resulted
in an assertion failure. This has been fixed. :cve:`2024-4076`
:gl:`#4507`
New Features
~~~~~~~~~~~~
- Added a new statistics variable ``recursive high-water`` that reports
the maximum number of simultaneous recursive clients BIND has handled
while running. :gl:`#4668`
Feature Changes
~~~~~~~~~~~~~~~
- Outgoing zone transfers are no longer enabled by default. An explicit
:any:`allow-transfer` ACL must now be set at the :any:`zone`,
:any:`view`, or :namedconf:ref:`options` level to enable outgoing
transfers. :gl:`#4728`
Bug Fixes
~~~~~~~~~
- Potential data races were found in our DoH implementation, related to
HTTP/2 session object management and endpoints set object management
after reconfiguration. These issues have been fixed. :gl:`#4473`
ISC would like to thank Dzintars and Ivo from nic.lv for bringing this
to our attention.
- Command-line options for IPv4-only (:option:`named -4`) and IPv6-only
(:option:`named -6`) modes are now respected for zone :any:`primaries`,
:any:`also-notify`, and :any:`parental-agents`. :gl:`#3472`
- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL,
if ``add-soa`` was used. This has been fixed. :gl:`#3323`
- Some servers which could not be reached due to EHOSTDOWN or ENETDOWN
conditions were incorrectly prioritized during server selection. These
are now properly handled as unreachable. :gl:`#4736`
- On some systems the libuv call may return an error code when sending a
TCP reset for a connection, which triggers an assertion failure in
:iscman:`named`. This error condition is now dealt with in a more
graceful manner, by logging the incident and shutting down the
connection. :gl:`#4708`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

77
doc/notes/notes-9.19.3.rst
View File

@@ -1,77 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.3
---------------------
New Features
~~~~~~~~~~~~
- A new command, :option:`rndc fetchlimit`, prints a list of name server
addresses that are currently rate-limited due to
:any:`fetches-per-server` and domain names that are rate-limited due
to :any:`fetches-per-zone`. :gl:`#665`
Removed Features
~~~~~~~~~~~~~~~~
- The ``glue-cache`` *option* has been removed. The glue cache *feature*
still works and is now permanently *enabled*. :gl:`#2147`
Feature Changes
~~~~~~~~~~~~~~~
- To reduce unnecessary memory consumption in the cache, NXDOMAIN
records are no longer retained past the normal negative cache TTL,
even if :any:`stale-cache-enable` is set to ``yes``. :gl:`#3386`
- The :option:`dnssec-signzone -H` default value has been changed to 0
additional NSEC3 iterations. This change aligns the
:iscman:`dnssec-signzone` default with the default used by the
:any:`dnssec-policy` feature. At the same
time, documentation about NSEC3 has been aligned with the `Best
Current Practice`_. :gl:`#3395`
.. _Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10
Bug Fixes
~~~~~~~~~
- An assertion failure caused by a TCP connection closing between a
connect (or accept) and a read from a socket has been fixed.
:gl:`#3400`
- When grafting non-delegated namespace onto delegated namespace,
:any:`synth-from-dnssec` could incorrectly synthesize non-existence of
records within the non-delegated namespace using NSEC records from
higher zones. :gl:`#3402`
- Previously, :iscman:`named` immediately returned a SERVFAIL response
to the client when it received a FORMERR response from an
authoritative server during recursive resolution. This has been fixed:
:iscman:`named` acting as a resolver now attempts to contact other
authoritative servers for a given domain when it receives a FORMERR
response from one of them. :gl:`#3152`
- Previously, :option:`rndc reconfig` did not pick up changes to
:any:`endpoints` statements in :any:`http` blocks. This has been
fixed. :gl:`#3415`
- It was possible for a catalog zone consumer to process a catalog zone
member zone when there was a configured pre-existing forward-only
forward zone with the same name. This has been fixed. :gl:`#2506`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

66
doc/notes/notes-9.19.4.rst
View File

@@ -1,66 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.4
---------------------
Removed Features
~~~~~~~~~~~~~~~~
- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options`
and :namedconf:ref:`zone` blocks has been deprecated; it should now be
configured as part of :any:`dnssec-policy`. A warning is logged if
this option is used in :namedconf:ref:`options` or :any:`zone` blocks.
In a future release, it will become nonoperational. :gl:`#2918`
Feature Changes
~~~~~~~~~~~~~~~
- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
disabled on systems where they are disallowed by the security policy
(e.g. Red Hat Enterprise Linux 9). Primary zones using those
algorithms need to be migrated to new algorithms prior to running on
these systems, as graceful migration to different DNSSEC algorithms is
not possible when RSASHA1 is disallowed by the operating system.
:gl:`#3469`
- Log messages related to fetch limiting have been improved to provide
more complete information. Specifically, the final counts of allowed
and spilled fetches are now logged before the counter object is
destroyed. :gl:`#3461`
Bug Fixes
~~~~~~~~~
- When running as a validating resolver forwarding all queries to
another resolver, :iscman:`named` could crash with an assertion
failure. These crashes occurred when the configured forwarder sent a
broken DS response and :iscman:`named` failed its attempts to find a
proper one instead. This has been fixed. :gl:`#3439`
- DNS compression is no longer applied to the root name (``.``) if it is
repeatedly used in the same RRset. :gl:`#3423`
- Non-dynamic zones that inherit :any:`dnssec-policy` from the
:namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
marked as inline-signed and therefore never scheduled to be re-signed.
This has been fixed. :gl:`#3438`
- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
the cache-cleaning time window has passed. :gl:`#3462`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

93
doc/notes/notes-9.19.5.rst
View File

@@ -1,93 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.5
---------------------
Security Fixes
~~~~~~~~~~~~~~
- Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of :iscman:`named` running as a
recursive resolver. This has been fixed. :cve:`2022-2795`
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. :gl:`#3394`
- When an HTTP connection was reused to request statistics from the
stats channel, the content length of successive responses could grow
in size past the end of the allocated buffer. This has been fixed.
:cve:`2022-2881` :gl:`#3493`
- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
could be externally triggered, when using TKEY records in DH mode with
OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491`
- :iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to ``0`` could crash
with an assertion failure, when there was a stale CNAME in the cache
for the incoming query. This has been fixed. :cve:`2022-3080`
:gl:`#3517`
- Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
:gl:`#3487`
New Features
~~~~~~~~~~~~
- A new Response Policy Zone (RPZ) :ref:`option<rpz>`, ``ede``, was
added. It enables an :rfc:`8914` Extended DNS Error (EDE) code of
choice to be set for responses which have been modified by a given
RPZ. :gl:`#3410`
- Worker threads' event loops are now managed by a new "loop manager"
API, significantly changing the architecture of the task, timer, and
networking subsystems for improved performance and code flow.
:gl:`#3508`
Feature Changes
~~~~~~~~~~~~~~~
- Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name,
to prevent circumventing the limits enforced by RRL. :gl:`#3459`
- Zones using :any:`dnssec-policy` now require dynamic DNS or
:any:`inline-signing` to be configured explicitly. :gl:`#3381`
- When reconfiguring :any:`dnssec-policy` from using NSEC with an
NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC
until the offending DNSKEY records have been removed from the zone,
then switches to using NSEC3. :gl:`#3486`
- A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in :iscman:`dig` and converting
the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
conversion. :gl:`#3485`
Bug Fixes
~~~~~~~~~
- A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. :gl:`#2982`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

101
doc/notes/notes-9.19.6.rst
View File

@@ -1,101 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.6
---------------------
Known Issues
~~~~~~~~~~~~
- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may
require a manual configuration change. The following configurations
are affected:
- :any:`type primary` zones configured with :any:`dnssec-policy` but
without either :any:`allow-update` or :any:`update-policy`,
- :any:`type secondary` zones configured with :any:`dnssec-policy`.
In these cases please add :namedconf:ref:`inline-signing yes;
<inline-signing>` to the individual zone configuration(s). Without
applying this change, :iscman:`named` will fail to start. For more
details, see
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
- See :ref:`above <relnotes_known_issues>` for a list of all known
issues affecting this BIND 9 branch.
New Features
~~~~~~~~~~~~
- Support for parsing and validating the ``dohpath`` service parameter
in SVCB records was added. :gl:`#3544`
- :iscman:`named` now supports forwarding Dynamic DNS updates through
DNS-over-TLS (DoT). :gl:`#3512`
- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT).
:gl:`#1781`
- :iscman:`named` now logs the supported cryptographic algorithms during
startup and in the output of :option:`named -V`. :gl:`#3541`
- A new configuration option :any:`require-cookie` has been introduced.
It specifies whether there should be a DNS COOKIE in the response for
a given prefix; if not, :iscman:`named` falls back to TCP. This is
useful if it is known that a given server supports DNS COOKIE. It can
also be used to force all non-DNS COOKIE responses to fall back to
TCP. :gl:`#2295`
- Support for libsystemd's ``sd_notify()`` function was added, enabling
:iscman:`named` to report its status to the init system. This allows
systemd to wait until :iscman:`named` is fully ready before starting
other services that depend on name resolution. :gl:`#1176`
- The ``recursion not available`` and ``query (cache) '...' denied`` log
messages were extended to include the name of the ACL that caused a
given query to be denied. :gl:`#3587`
Feature Changes
~~~~~~~~~~~~~~~
- When an international domain name is not valid according to IDNA2008,
:iscman:`dig` now tries to convert it according to IDNA2003 rules, or
pass it through unchanged, instead of stopping with an error message.
The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527`
- The DNSSEC signing data included in zone statistics identified
keys only by the key ID; this caused confusion when two keys using
different algorithms had the same ID. Zone statistics now identify
keys using the algorithm number, followed by "+", followed by the
key ID: for example, ``8+54274``. :gl:`#3525`
- The ability to use PKCS#11 via engine_pkcs11 has been restored, by
using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be
compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS
environment variable at compile time. :gl:`#3578`
- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher.
libuv should be available on all supported platforms either as a
native package or as a backport. :gl:`#3567`
Bug Fixes
~~~~~~~~~
- An assertion failure was fixed in :iscman:`named` that was caused by
aborting the statistics channel connection while sending statistics
data to the client. :gl:`#3542`
- :iscman:`named` could incorrectly return non-truncated, glueless
referrals for responses whose size was close to the UDP packet size
limit. This has been fixed. :gl:`#1967`
- Changing just the TSIG key names for primaries in catalog zones'
member zones was not effective. This has been fixed. :gl:`#3557`

75
doc/notes/notes-9.19.7.rst
View File

@@ -1,75 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.7
---------------------
New Features
~~~~~~~~~~~~
- The :any:`check-svcb` option has been added to control the checking of
additional constraints on SVCB records. This change affects
:iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`,
:iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576`
Feature Changes
~~~~~~~~~~~~~~~
- On Linux, libcap is now a required dependency to help :iscman:`named`
keep needed privileges. :gl:`#3583`
- The DNS name compression algorithm used in BIND 9 has been revised: it
now compresses more thoroughly than before, so responses containing
names with many labels might have a smaller encoding than before.
:gl:`#3661`
Bug Fixes
~~~~~~~~~
- A crash was fixed that happened when a :any:`dnssec-policy` zone that
used NSEC3 was reconfigured to enable :any:`inline-signing`.
:gl:`#3591`
- In certain resolution scenarios, quotas could be erroneously reached
for servers, including any configured forwarders, resulting in
SERVFAIL answers being sent to clients. This has been fixed.
:gl:`#3598`
- ``rpz-ip`` rules in :any:`response-policy` zones could be ineffective
in some cases if a query had the CD (Checking Disabled) bit set to 1.
This has been fixed. :gl:`#3247`
- Previously, if Internet connectivity issues were experienced during
the initial startup of :iscman:`named`, a BIND resolver with
:any:`dnssec-validation` set to ``auto`` could enter into a state
where it would not recover without stopping :iscman:`named`, manually
deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl``
files, and starting :iscman:`named` again. This has been fixed.
:gl:`#2895`
- Previously, the port in remote servers such as in :any:`primaries` and
:any:`parental-agents` could be wrongly configured because of an
inheritance bug. This has been fixed. :gl:`#3627`
- Previously, BIND failed to start on Solaris-based systems with
hundreds of CPUs. This has been fixed. :gl:`#3563`
- When a DNS resource record's TTL value was equal to the resolver's
configured :any:`prefetch` "eligibility" value, the record was
erroneously not treated as eligible for prefetching. This has been
fixed. :gl:`#3603`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

101
doc/notes/notes-9.19.8.rst
View File

@@ -1,101 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.8
---------------------
Removed Features
~~~~~~~~~~~~~~~~
- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options
have been removed. The limits these options set should be enforced
externally, either by manual configuration (e.g. using ``ulimit``) or
via the process supervisor (e.g. ``systemd``). :gl:`#3676`
- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no
longer trigger key rollovers and denial-of-existence operations. This
also means that the :any:`dnssec-secure-to-insecure` option has been
obsoleted. :gl:`#3686`
Feature Changes
~~~~~~~~~~~~~~~
- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was
previously set to 0. It is now changed to match the SOA MINIMUM value
for the given zone. :gl:`#3570`
- The ``--with-tuning`` option for ``configure`` has been removed. Each
of the compile-time settings that required different values based on
the "workload" (which were previously affected by the value of the
``--with-tuning`` option) has either been removed or changed to a
sensible default. :gl:`#3664`
- The ``auto-dnssec`` option has been deprecated and will be removed
in a future BIND 9.19.x release. Please migrate to
:any:`dnssec-policy`. :gl:`#3667`
- Setting alternate local addresses for inbound zone transfers has been
deprecated. The relevant options (``alt-transfer-source``,
``alt-transfer-source-v6``, and ``use-alt-transfer-source``) will be
removed in a future BIND 9.19.x release. :gl:`#3694`
- On startup, :iscman:`named` now sets the limit on the number of open
files to the maximum allowed by the operating system, instead of
trying to set it to "unlimited". :gl:`#3676`
- The number of HTTP headers allowed in requests sent to
:iscman:`named`'s statistics channel has been increased from 10 to
100, to accommodate some browsers that send more than 10 headers
by default. :gl:`#3670`
Bug Fixes
~~~~~~~~~
- :iscman:`named` could crash due to an assertion failure when an HTTP
connection to the statistics channel was closed prematurely (due to a
connection error, shutdown, etc.). This has been fixed. :gl:`#3693`
- When a catalog zone was removed from the configuration, in some cases
a dangling pointer could cause the :iscman:`named` process to crash.
This has been fixed. :gl:`#3683`
- When a zone was deleted from a server, a key management object related
to that zone was inadvertently kept in memory and only released upon
shutdown. This could lead to constantly increasing memory use on
servers with a high rate of changes affecting the set of zones being
served. This has been fixed. :gl:`#3727`
- TLS configuration for primary servers was not applied for zones that
were members of a catalog zone. This has been fixed. :gl:`#3638`
- In certain cases, :iscman:`named` waited for the resolution of
outstanding recursive queries to finish before shutting down. This was
unintended and has been fixed. :gl:`#3183`
- :iscman:`host` and :iscman:`nslookup` command-line options setting the
custom TCP/UDP port to use were ignored for ANY queries (which are
sent over TCP). This has been fixed. :gl:`#3721`
- The new name compression code in BIND 9.19.7 was not compressing
names in zone transfers that should have been compressed, so zone
transfers were larger than before. This has been fixed. :gl:`#3706`
- The ``zone <name>/<class>: final reference detached`` log message was
moved from the INFO log level to the DEBUG(1) log level to prevent the
:iscman:`named-checkzone` tool from superfluously logging this message
in non-debug mode. :gl:`#3707`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

120
doc/notes/notes-9.19.9.rst
View File

@@ -1,120 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.19.9
---------------------
Security Fixes
~~~~~~~~~~~~~~
- An UPDATE message flood could cause :iscman:`named` to exhaust all
available memory. This flaw was addressed by adding a new
:any:`update-quota` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
queue at any given time (default: 100). :cve:`2022-3094`
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. :gl:`#3523`
- :iscman:`named` could crash with an assertion failure when an RRSIG
query was received and :any:`stale-answer-client-timeout` was set to a
non-zero value. This has been fixed. :cve:`2022-3736`
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
our attention. :gl:`#3622`
- :iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to any value greater
than ``0`` could crash with an assertion failure, when the
:any:`recursive-clients` soft quota was reached. This has been fixed.
:cve:`2022-3924`
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. :gl:`#3619`
New Features
~~~~~~~~~~~~
- The new :any:`update-quota` option can be used to control the number
of simultaneous DNS UPDATE messages that can be processed to update an
authoritative zone on a primary server, or forwarded to the primary
server by a secondary server. The default is 100. A new statistics
counter has also been added to record events when this quota is
exceeded, and the version numbers for the XML and JSON statistics
schemas have been updated. :gl:`#3523`
Removed Features
~~~~~~~~~~~~~~~~
- The statements setting alternate local addresses for inbound zone
transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and
``use-alt-transfer-source``) have been removed. :gl:`#3714`
- The Differentiated Services Code Point (DSCP) feature in BIND has been
non-operational since the new Network Manager was introduced in BIND
9.16. It is now marked as obsolete, and vestigial code implementing it
has been removed. Configuring DSCP values in ``named.conf`` now causes
a warning to be logged. :gl:`#3773`
Feature Changes
~~~~~~~~~~~~~~~
- A new way of configuring the preferred source address when talking to
remote servers, such as :any:`primaries` and :any:`parental-agents`,
has been added: setting the ``source`` and/or ``source-v6`` arguments
for a given statement is now possible. This new approach is intended
to eventually replace statements such as :any:`parental-source`,
:any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762`
- The code for DNS over TCP and DNS over TLS transports has been
replaced with a new, unified transport implementation. :gl:`#3374`
Bug Fixes
~~~~~~~~~
- A rare assertion failure was fixed in outgoing TCP DNS connection
handling. :gl:`#3178` :gl:`#3636`
- In addition to a previously fixed bug, another similar issue was
discovered where quotas could be erroneously reached for servers,
including any configured forwarders, resulting in SERVFAIL answers
being sent to clients. This has been fixed. :gl:`#3752`
- In certain query resolution scenarios (e.g. when following CNAME
records), :iscman:`named` configured to answer from stale cache could
return a SERVFAIL response despite a usable, non-stale answer being
present in the cache. This has been fixed. :gl:`#3678`
- When an outgoing request timed out, :iscman:`named` would retry up to
three times with the same server instead of trying the next available
name server. This has been fixed. :gl:`#3637`
- Recently used ADB names and ADB entries (IP addresses) could get
cleaned when ADB was under memory pressure. To mitigate this, only
actual ADB names and ADB entries are now counted (excluding internal
memory structures used for "housekeeping") and recently used (<= 10
seconds) ADB names and entries are excluded from the overmem memory
cleaner. :gl:`#3739`
- The "Prohibited" Extended DNS Error was inadvertently set in some
NOERROR responses. This has been fixed. :gl:`#3743`
- Previously, TLS session resumption could have led to handshake
failures when client certificates were used for authentication (Mutual
TLS). This has been fixed. :gl:`#3725`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.

479
doc/notes/notes-9.20.0.rst Normal file
View File

@@ -0,0 +1,479 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.20.0
---------------------
.. note:: This section only lists changes since BIND 9.18.28, the most
recent release on the previous stable branch of BIND at the
time of the publication of BIND 9.20.0.
New Features
~~~~~~~~~~~~
- The :any:`forwarders` statement now supports the :any:`tls` argument,
to be used to forward queries to DoT-enabled servers. :gl:`#3726`
- :iscman:`named` now supports forwarding Dynamic DNS updates through
DNS-over-TLS (DoT). :gl:`#3512`
- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT).
:gl:`!6752`
- The :any:`tls` block was extended with a new :any:`cipher-suites` option
that allows permitted cipher suites for TLSv1.3 to be set. Please
consult the documentation for additional details.
:gl:`#3504`
- Initial support for the PROXYv2 protocol was added. :iscman:`named`
can now accept PROXYv2 headers over all currently implemented DNS
transports and :iscman:`dig` can insert these headers into the queries
it sends. Please consult the related documentation
(:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and
:any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and
:option:`dig +proxy-plain` for :iscman:`dig`) for additional details.
:gl:`#4388`
- The client-side support of the EDNS EXPIRE option has been expanded to
include IXFR and AXFR query types. This enhancement enables
:iscman:`named` to perform AXFR and IXFR queries while incorporating
the EDNS EXPIRE option. :gl:`#4170`
- A new configuration option :any:`require-cookie` has been introduced.
It specifies whether there should be a DNS COOKIE in the response for
a given prefix; if not, :iscman:`named` falls back to TCP. This is
useful if it is known that a given server supports DNS COOKIE. It can
also be used to force all non-DNS COOKIE responses to fall back to
TCP. :gl:`#2295`
- The :any:`check-svcb` option has been added to control the checking of
additional constraints on SVCB records. This change affects
:iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`,
:iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576`
- The new :any:`resolver-use-dns64` option enables :iscman:`named` to
apply :any:`dns64` rules to IPv4 server addresses when sending
recursive queries, so that resolution can be performed over a NAT64
connection. :gl:`#608`
- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`,
that allows users to enable or disable the publication of CDNSKEY
records. :gl:`#4050`
- When using :any:`dnssec-policy`, it is now possible to configure the
digest type to use when CDS records need to be published with
:any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS
records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837`
- Support for multi-signer model 2 (:rfc:`8901`) when using
:any:`inline-signing` was added. :gl:`#2710`
- HSM support was added to :any:`dnssec-policy`. Keys can now be
configured with a ``key-store`` that allows users to set the directory
where key files are stored and to set a PKCS#11 URI string. The latter
requires OpenSSL 3 and a valid PKCS#11 provider to be configured for
OpenSSL. :gl:`#1129`
- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key
Signing Request (KSR) and Signed Key Response (SKR) files. :gl:`#1128`
- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a
``-J`` option to specify a journal file to read when loading the zone
to be verified or signed. :gl:`#2486`
- :iscman:`dnssec-keygen` now allows the options :option:`-k
<dnssec-keygen -k>` and :option:`-f <dnssec-keygen -f>` to be used
together. This allows the creation of keys for a given
:any:`dnssec-policy` that match only the KSK (``-fK``) or ZSK (``-fZ``)
roles. :gl:`#1128`
- The :any:`response-policy` statement was extended with a new argument
``ede``. It enables an :rfc:`8914` Extended DNS Error (EDE) code of choice to
be set for responses which have been modified by a given RPZ. :gl:`#3410`
- A new way of configuring the preferred source address when talking to
remote servers, such as :any:`primaries` and :any:`parental-agents`,
has been added: setting the ``source`` and/or ``source-v6`` arguments
for a given statement is now possible. This new approach is intended
to eventually replace statements such as :any:`parental-source`,
:any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762`
- The new command-line :option:`delv +ns` option activates name server
mode, to more accurately reproduce the behavior of :iscman:`named`
when resolving a query. In this mode, :iscman:`delv` uses an internal
recursive resolver rather than an external server. All messages sent
and received during the resolution and validation process are logged.
This can be used in place of :option:`dig +trace`. :gl:`#3842`
- The read timeout in :iscman:`rndc` can now be specified on the command
line using the :option:`-t <rndc -t>` option, allowing commands that
take a long time to complete sufficient time to do so. :gl:`#4046`
- The statistics channel now includes information about incoming zone
transfers that are currently in progress. :gl:`#3883`
- Information on incoming zone transfers in the statistics channel now
also shows the zones' "first refresh" flag, which indicates that a zone
is not fully ready and that its first ever refresh is pending or is in
progress. The number of such zones is now also exposed by the
:option:`rndc status` command. :gl:`#4241`
- Added a new statistics variable ``recursive high-water`` that reports
the maximum number of simultaneous recursive clients BIND has handled
while running. :gl:`#4668`
- A new command, :option:`rndc fetchlimit`, prints a list of name server
addresses that are currently rate-limited due to
:any:`fetches-per-server` and domain names that are rate-limited due
to :any:`fetches-per-zone`. :gl:`#665`
- Queries and responses now emit distinct dnstap entries for DNS-over-TLS
(DoT) and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands
these entries. :gl:`#4523`
- :iscman:`dnstap-read` can now print long timestamps with millisecond
precision. :gl:`#2360`
- Support for libsystemd's ``sd_notify()`` function was added, enabling
:iscman:`named` to report its status to the init system. This allows
systemd to wait until :iscman:`named` is fully ready before starting
other services that depend on name resolution. :gl:`#1176`
- Support for User Statically Defined Tracing (USDT) probes has been
added. These probes enable fine-grained application tracing and
introduce no overhead when they are not enabled. :gl:`#4041`
Removed Features
~~~~~~~~~~~~~~~~
- Support for Red Hat Enterprise Linux version 7 (and clones) has been
dropped. A C11-compliant compiler is now required to compile BIND 9.
:gl:`#3729`
- Compiling with `jemalloc`_ versions older than 4.0.0 is no longer
supported; those versions do not provide the features required by
current BIND 9 releases. :gl:`#4296`
- The ``auto-dnssec`` configuration statement has been removed. Please
use :any:`dnssec-policy` or manual signing instead.
See article `how to migrate <https://kb.isc.org/docs/dnssec-key-and-signing-policy#migrate-to-dnssecpolicy>`_
from ``auto-dnssec`` to :any:`dnssec-policy`.
The following
statements have become obsolete: :any:`dnskey-sig-validity`,
:any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`,
:any:`sig-validity-interval`, and :any:`update-check-ksk`.
:gl:`#3672`
- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no
longer trigger key rollovers and denial-of-existence operations. This
also means that the :any:`dnssec-secure-to-insecure` option has been
obsoleted. :gl:`#3686`
- The ``glue-cache`` *option* has been removed. The glue cache *feature*
still works and is now permanently *enabled*. :gl:`#2147`
- Configuring the control channel to use a Unix domain socket has been a
fatal error since BIND 9.18. The feature has now been completely
removed and :iscman:`named-checkconf` now reports it as a
configuration error. :gl:`#4311`
- The statements setting alternate local addresses for inbound zone
transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and
``use-alt-transfer-source``) have been removed. :gl:`#3714`
- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval``
statements have been removed. Using them is now a fatal error.
:gl:`#4405`
- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout`
values, when the feature is turned on. When using a non-zero value,
:iscman:`named` now generates a warning log message, and treats the
value as ``0``. :gl:`#4447`
- The Differentiated Services Code Point (DSCP) feature has been
removed: configuring DSCP values in ``named.conf`` is now a
configuration error. :gl:`#3789`
- The ``keep-response-order`` option has been declared obsolete and the
functionality has been removed. :iscman:`named` expects DNS clients to
be fully compliant with :rfc:`7766`. :gl:`#3140`
- Zone type ``delegation-only``, and the ``delegation-only`` and
``root-delegation-only`` statements, have been removed. Using them is
a configuration error.
These statements were created to address the SiteFinder controversy,
in which certain top-level domains redirected misspelled queries to
other sites instead of returning NXDOMAIN responses. Since top-level
domains are now DNSSEC-signed, and DNSSEC validation is active by
default, the statements are no longer needed. :gl:`#3953`
- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options
have been removed. The limits these options set should be enforced
externally, either by manual configuration (e.g. using ``ulimit``) or
via the process supervisor (e.g. ``systemd``). :gl:`#3676`
- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
aes;``) has been removed. The only supported DNS COOKIE algorithm is
now the current default, SipHash-2-4. :gl:`#4421`
- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been
removed and using TKEY Mode 2 is now a fatal error. Users are advised
to switch to TKEY Mode 3 (GSS-API). :gl:`#3905`
- Special-case code that was originally added to allow GSS-TSIG to work
around bugs in the Windows 2000 version of Active Directory has now
been removed, since Windows 2000 is long past end-of-life. The
:option:`-o <nsupdate -o>` option and the ``oldgsstsig`` command to
:iscman:`nsupdate` have been deprecated, and are now treated as
synonyms for :option:`-g <nsupdate -g>` and ``gsstsig`` respectively.
:gl:`#4012`
- Support for the ``lock-file`` statement and the ``named -X``
command-line option has been removed. An external process supervisor
should be used instead. :gl:`#4391`
Alternatively, the ``flock`` utility (part of util-linux) can be used
on Linux systems to achieve the same effect as ``lock-file`` or
``named -X``:
::
flock -n -x <directory>/named.lock <path>/named <arguments>
- The :iscman:`named` command-line option :option:`-U <named -U>`, which
specified the number of UDP dispatches, has been removed. Using it now
returns a warning. :gl:`#1879`
- The ``--with-tuning`` option for ``configure`` has been removed. Each
of the compile-time settings that required different values based on
the "workload" (which were previously affected by the value of the
``--with-tuning`` option) has either been removed or changed to a
sensible default. :gl:`#3664`
- The functions that were in the ``libbind9`` shared library have been
moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty
``libbind9`` has been removed and is no longer installed. :gl:`#3903`
- The ``irs_resconf`` module has been moved to the ``libdns`` shared
library. The now-empty ``libirs`` library has been removed and is no
longer installed. :gl:`#3904`
.. _`jemalloc`: https://jemalloc.net/
Deprecated Features
~~~~~~~~~~~~~~~~~~~
Features listed in this section still work but are scheduled for eventual
removal.
- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options`
and :namedconf:ref:`zone` blocks has been deprecated; it should now be
configured as part of :any:`dnssec-policy`. A warning is logged if
this option is used in :namedconf:ref:`options` or :any:`zone` blocks.
In a future release, it will become nonoperational. :gl:`#2918`
- The :any:`sortlist` option has been deprecated and will be removed in a
future BIND 9.21.x release. Users should not rely on a specific order
of resource records in DNS messages. :gl:`#4593`
- The ``fixed`` value for the :any:`rrset-order` option and the
corresponding ``configure`` script option have been deprecated and will
be removed in a future BIND 9.21.x release. Users should not rely on a
specific order of resource records in DNS messages. :gl:`#4446`
Feature Changes
~~~~~~~~~~~~~~~
- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data
structures. :gl:`#3934`
- On Linux, `libcap`_ is now a required dependency to help :iscman:`named`
keep needed privileges. :gl:`#3583`
- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher.
libuv should be available on all supported platforms either as a
native package or as a backport. :gl:`#3567`
- Outgoing zone transfers are no longer enabled by default. An explicit
:any:`allow-transfer` ACL must now be set at the :any:`zone`,
:any:`view`, or :namedconf:ref:`options` level to enable outgoing
transfers. :gl:`#4728`
- DNS zones signed using :any:`dnssec-policy` now automatically detect
their parent servers, and BIND queries them to check the content of the
DS RRset. This allows DNSSEC key rollovers to safely and automatically
proceed when the parent zone is updated with new DNSSEC keys, i.e.
using the CDS/CDNSKEY mechanism. This behavior is facilitated by the
new :any:`checkds` feature, which automatically populates
:any:`parental-agents` by resolving the parent NS records. These parent
name servers are queried to check the DS RRset during a KSK rollover
initiated by :any:`dnssec-policy`. :gl:`#3901`
- The responsiveness of :iscman:`named` was improved, when serving as an
authoritative DNS server for a delegation-heavy zone(s) shortly after
loading such zone(s). :gl:`#4045`
- To improve query-processing latency under load, the uninterrupted time
spent on resolving long chains of cached domain names has been
reduced. :gl:`#4185`
- QNAME minimization is now used when looking up the addresses of name
servers during the recursive resolution process. :gl:`#4209`
- BIND now returns BADCOOKIE for out-of-date or otherwise bad but
well-formed DNS server cookies. :gl:`#4194`
- The DNS name compression algorithm used in BIND 9 has been revised: it
now compresses more thoroughly than before, so responses containing
names with many labels might have a smaller encoding than before.
:gl:`#3661`
- Processing large incremental transfers (IXFR) has been offloaded to a
separate work thread so that it does not prevent networking threads
from processing regular traffic in the meantime. :gl:`#4367`
- Querying the statistics channel no longer blocks DNS communication on
the networking event loop level. :gl:`#4680`
- The :any:`inline-signing` zone option is now ignored if there is no
:any:`dnssec-policy` configured for the zone. This means that unsigned
zones no longer create redundant signed versions of the zone.
:gl:`#4349`
- The :any:`inline-signing` statement can now also be set inside
:any:`dnssec-policy`. The built-in policies ``default`` and
``insecure`` enable the use of :any:`inline-signing`. If
:any:`inline-signing` is set at the ``zone`` level, it overrides the
value set in :any:`dnssec-policy`. :gl:`#3677`
- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only
allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using
NSEC3 that the policy manages. :gl:`#4363`
- The maximum number of NSEC3 iterations allowed for validation purposes
has been lowered from 150 to 50. DNSSEC responses containing NSEC3
records with iteration counts greater than 50 are now treated as
insecure. :gl:`#4363`
- The ``dnssec-validation yes`` option now requires an explicitly
configured :any:`trust-anchors` statement. If using manual trust
anchors is not operationally required, then please consider using
``dnssec-validation auto`` instead. :gl:`#4373`
- :iscman:`named-compilezone` no longer performs zone integrity checks
by default; this allows faster conversion of a zone file from one
format to another. :gl:`#4364`
Zone checks can be performed by running :iscman:`named-checkzone`
separately, or the previous default behavior can be restored by using:
::
named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
- The red-black tree data structure used in the RBTDB (the default
database implementation for cache and zone databases), has been
replaced with QP-tries. This is expected to improve performance and
scalability, though in the current implementation large zones require
roughly 15% more memory than the old red-black tree data structure.
A side effect of this change is that zone files that are created with
:any:`masterfile-style` ``relative`` - for example, the output of
:any:`dnssec-signzone` - will no longer have multiple different
`$ORIGIN` statements. There should be no other changes to server
behavior.
The old RBT-based database still exists for now, and can be used by
specifying ``database rbt`` in a ``zone`` statement in ``named.conf``,
or by compiling with ``configure --with-zonedb=rbt
--with-cachedb=rbt``. :gl:`#4411` :gl:`#4614`
- Multiple RNDC messages are now processed when sent in a single TCP
message.
ISC would like to thank Dominik Thalhammer for reporting the issue and
preparing the initial patch. :gl:`#4416`
- The DNSSEC signing data included in zone statistics identified
keys only by the key ID; this caused confusion when two keys using
different algorithms had the same ID. Zone statistics now identify
keys using the algorithm number, followed by "+", followed by the
key ID: for example, ``8+54274``. :gl:`#3525`
- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was
previously set to 0. It is now changed to match the SOA MINIMUM value
for the given zone. :gl:`#3570`
- On startup, :iscman:`named` now sets the limit on the number of open
files to the maximum allowed by the operating system, instead of
trying to set it to "unlimited". :gl:`#3676`
- When an international domain name is not valid according to IDNA2008,
:iscman:`dig` now tries to convert it according to IDNA2003 rules, or
pass it through unchanged, instead of stopping with an error message.
The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527`
- The memory statistics have been reduced to a single counter,
``InUse``; ``Malloced`` is an alias that holds the same value. The
other counters were usable with the old BIND 9 internal memory
allocator, but they are unnecessary now that the latter has been
removed. :gl:`#3718`
- The log message ``resolver priming query complete`` has been moved
from the INFO log level to the DEBUG(1) log level, to prevent
:iscman:`delv` from emitting that message when setting up its internal
resolver. :gl:`#3842`
- Worker threads' event loops are now managed by a new "loop manager"
API, significantly changing the architecture of the task, timer, and
networking subsystems for improved performance and code flow.
:gl:`#3508`
- The code for DNS over TCP and DNS over TLS transports has been
replaced with a new, unified transport implementation. :gl:`#3374`
.. _`liburcu`: https://liburcu.org/
.. _`libcap`: https://sites.google.com/site/fullycapable/
Bug Fixes
~~~~~~~~~
- When the same :any:`notify-source` address and port number was
configured for multiple destinations and zones, an unresponsive server
could tie up the relevant network socket until it timed out; in the
meantime, NOTIFY messages for other servers silently failed.
:iscman:`named` will now retry sending such NOTIFY messages over TCP.
Furthermore, NOTIFY failures are now logged at the INFO level.
:gl:`#4001` :gl:`#4002`
- DNS compression is no longer applied to the root name (``.``) if it is
repeatedly used in the same RRset. :gl:`#3423`
- :iscman:`named` could incorrectly return non-truncated, glueless
referrals for responses whose size was close to the UDP packet size
limit. This has been fixed. :gl:`#1967`
Known Issues
~~~~~~~~~~~~
- On some platforms, including FreeBSD, :iscman:`named` must be run as
root to use the :iscman:`rndc` control channel on a privileged port
(i.e., with a port number less than 1024; this includes the default
:iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the
:option:`named -u` option to switch to an unprivileged user makes
:iscman:`rndc` unusable. This will be fixed in a future release; in
the meantime, ``mac_portacl`` can be used as a workaround, as
documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793`
- See :ref:`above <relnotes_known_issues>` for a list of all known issues
affecting this BIND 9 branch.

32
doc/notes/notes-known-issues.rst
View File

@@ -14,27 +14,11 @@
Known Issues
------------
- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may
require a manual configuration change. The following configurations
are affected:
- :any:`type primary` zones configured with :any:`dnssec-policy` but
without either :any:`allow-update` or :any:`update-policy`,
- :any:`type secondary` zones configured with :any:`dnssec-policy`.
In these cases please add :namedconf:ref:`inline-signing yes;
<inline-signing>` to the individual zone configuration(s). Without
applying this change, :iscman:`named` will fail to start. For more
details, see
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
be inspected when verifying a remote certificate while establishing a
DNS-over-TLS connection. Only ``subjectAltName`` must be checked
instead. Unfortunately, some quite old versions of cryptographic
libraries might lack the ability to ignore the ``Subject`` field. This
should have minimal production-use consequences, as most of the
production-ready certificates issued by certificate authorities will
have ``subjectAltName`` set. In such cases, the ``Subject`` field is
ignored. Only old platforms are affected by this, e.g. those supplied
with OpenSSL versions older than 1.1.1. :gl:`#3163`
- On some platforms, including FreeBSD, :iscman:`named` must be run as
root to use the :iscman:`rndc` control channel on a privileged port
(i.e., with a port number less than 1024; this includes the default
:iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the
:option:`named -u` option to switch to an unprivileged user makes
:iscman:`rndc` unusable. This will be fixed in a future release; in
the meantime, ``mac_portacl`` can be used as a workaround, as
documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793`