From f0b5f0cbceb5489b3f70192ea35e785bad92fc1f Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Thu, 6 Mar 2025 17:31:24 +0100 Subject: [PATCH 1/4] Generate changelog for BIND 9.21.6 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.21.6.rst | 478 +++++++++++++++++++++++++++++ 2 files changed, 479 insertions(+) create mode 100644 doc/changelog/changelog-9.21.6.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 5c7cc3b970..3c6efd6929 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.6.rst .. include:: ../changelog/changelog-9.21.5.rst .. include:: ../changelog/changelog-9.21.4.rst .. include:: ../changelog/changelog-9.21.3.rst diff --git a/doc/changelog/changelog-9.21.6.rst b/doc/changelog/changelog-9.21.6.rst new file mode 100644 index 0000000000..aeec17fcda --- /dev/null +++ b/doc/changelog/changelog-9.21.6.rst @@ -0,0 +1,478 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.6 +----------- + +New Features +~~~~~~~~~~~~ + +- Implement the min-transfer-rate-in configuration option. + ``a282f1ba3f`` + + A new option 'min-transfer-rate-in ' has been added + to the view and zone configurations. It can abort incoming zone + transfers which run very slowly due to network related issues, for + example. The default value is set to 10240 bytes in 5 minutes. + :gl:`#3914` :gl:`!9098` + +- Add digest methods for SIG and RRSIG. ``fd48df20f3`` + + ZONEMD digests RRSIG records and potentially digests SIG record. Add + digests methods for both record types. :gl:`#5219` :gl:`!10217` + +- Add HTTPS record query to host command line tool. ``d34414c47b`` + + The host command was extended to also query for the HTTPS RR type by + default. :gl:`!8642` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Clean up unnecessary code in qpcache. ``74c9ff384e`` + + Removed some code from the cache database implementation that was left + over from before it and the zone database implementation were + separated. :gl:`!9991` + +- Cleanup isc/util.h header and friends. ``239712df16`` + + Cleanup short list macros from , remove two unused + headers, move locking macros to respective headers and use only the + C11 static assertion. :gl:`!10196` + +- Remove check for the mandatory IPv6 support. ``daa9c17905`` + + IPv6 Advanced Socket API (:rfc:`3542`) is a hard requirement, remove + the autoconf check to speed up the ./configure run a little bit. + :gl:`!10201` + +- Remove log initialization checks from named. ``1b3e7f52ec`` + + Logging initialization check is now redundant as there is a default + global log context created during libisc's constructor. + + `isc_log` calls can safely be made at any time outside libisc's + constructor. :gl:`!10186` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Refactor and simplify isc_symtab. ``5559539eb0`` + + This commit does several changes to isc_symtab: + + 1. Rewrite the isc_symtab to internally use isc_hashmap instead of + hand-stiched hashtable. + + 2. Create a new isc_symtab_define_and_return() api, which returns + the already defined symvalue on ISC_R_EXISTS; this allows users of + the API to skip the isc_symtab_lookup()+isc_symtab_define() calls + and directly call isc_symtab_define_and_return(). + + 3. Merge isccc_symtab into isc_symtab - the only missing function + was isccc_symtab_foreach() that was merged into isc_symtab API. + + 4. Add full set of unit tests for the isc_symtab API. :gl:`#5103` + :gl:`!9921` + +- Drop malformed notify messages early instead of decompressing them. + ``7fce7707db`` + + The DNS header shows if a message has multiple questions or invalid + NOTIFY sections. We can drop these messages early, right after parsing + the question. This matches RFC 9619 for multi-question messages and + Unbound's handling of NOTIFY. We still parse the question to include + it in our FORMERR response. + + Add drop_msg_early() function to check for these conditions: - + Messages with more than one question, as required by RFC 9619 - NOTIFY + query messages containing answer sections (like Unbound) - NOTIFY + messages containing authority sections (like Unbound) :gl:`#5158`, + #3656 :gl:`!10056` + +- Cleanup parts of the isc_mem API. ``4ba1ccfa2e`` + + This MR changes custom attach/detach implementation with refcount + macros, replaces isc_mem_destroy() with isc_mem_detach(), and does + various small cleanups. :gl:`!9456` + +- Move the library initialization and shutdown to executables. + ``6e0c1f151c`` + + Instead of relying on unreliable order of execution of the library + constructors and destructors, move them to individual binaries. The + advantage is that the execution time and order will remain constant + and will not depend on the dynamic load dependency solver. + :gl:`!10069` + +- Reduce memory used to store DNS names. ``24db1b1a8a`` + + The memory used to internally store the DNS names has been reduced. + :gl:`!10140` + +- Unify fips handling to isc_crypto and make the toggle one way. + ``3de629d6b7`` + + Since algorithm fetching is handled purely in libisc, FIPS mode + toggling can be purely done in within the library instead of provider + fetching in the binary for OpenSSL >=3.0. + + Disabling FIPS mode isn't a realistic requirement and isn't done + anywhere in the codebase. Make the FIPS mode toggle enable-only to + reflect the situation. :gl:`!9920` + +Bug Fixes +~~~~~~~~~ + +- Prevent a reference leak when using plugins. ``5604d3a44e`` + + The `NS_QUERY_DONE_BEGIN` and `NS_QUERY_DONE_SEND` plugin hooks could + cause a reference leak if they returned `NS_HOOK_RETURN` without + cleaning up the query context properly. :gl:`#2094` :gl:`!9971` + +- Fix isc_quota bug. ``742d379d88`` + + Running jobs which were entered into the isc_quota queue is the + responsibility of the isc_quota_release() function, which, when + releasing a previously acquired quota, checks whether the queue is + empty, and if it's not, it runs a job from the queue without touching + the 'quota->used' counter. This mechanism is susceptible to a possible + hangup of a newly queued job in case when between the time a decision + has been made to queue it (because used >= max) and the time it was + actually queued, the last quota was released. Since there is no more + quotas to be released (unless arriving in the future), the newly + entered job will be stuck in the queue. + + Fix the issue by adding checks in both isc_quota_release() and + isc_quota_acquire_cb() to make sure that the described hangup does not + happen. Also see code comments. :gl:`#4965` :gl:`!10082` + +- Fix dual-stack-servers configuration option. ``6af708f3b0`` + + The dual-stack-servers configuration option was not working as + expected; the specified servers were not being used when they should + have been, leading to resolution failures. This has been fixed. + :gl:`#5019` :gl:`!9708` + +- Implement sig0key-checks-limit and sig0message-checks-limit. + ``d78ebff861`` + + Previously a hard-coded limitation of maximum two key or message + verification checks were introduced when checking the message's SIG(0) + signature. It was done in order to protect against possible DoS + attacks. The logic behind choosing the number 2 was that more than a + single key should only be required during key rotations, and in that + case two keys are enough. But later it became apparent that there are + other use cases too where even more keys are required, see issue + number #5050 in GitLab. + + This change introduces two new configuration options for the views, + `sig0key-checks-limit` and `sig0message-checks-limit`, which define + how many keys are allowed to be checked to find a matching key, and + how many message verifications are allowed to take place once a + matching key has been found. The latter protects against expensive + cryptographic operations when there are keys with colliding tags and + algorithm numbers, with default being 2, and the former protects + against a bit less expensive key parsing operations and defaults to + 16. :gl:`#5050` :gl:`!9967` + +- Fix the data race causing a permanent active client increase. + ``479c366c2b`` + + Previously, a data race could cause a newly created fetch context for + a new client to be used before it had been fully initialized, which + would cause the query to become stuck; queries for the same data would + be either paused indefinitely or dropped because of the + `clients-per-query` limit. This has been fixed. :gl:`#5053` + :gl:`!10146` + +- Fix deferred validation of unsigned DS and DNSKEY records. + ``ebf1606f38`` + + When processing a query with the "checking disabled" bit set (CD=1), + `named` stores the unvalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated, + and either accepted as an answer, or ejected from the cache as + invalid. This deferred validation was not attempted for DS and DNSKEY + records if they had no cached signatures, causing spurious validation + failures. We now complete the deferred validation in this scenario. + + Also, if deferred validation fails, we now re-query the data to find + out whether the zone has been corrected since the invalid data was + cached. :gl:`#5066` :gl:`!10104` + +- When recording an rr trace, use libtool. ``6320586df0`` + + When a system test is run with the `USE_RR` environment variable set + to 1, an `rr` trace is now correctly generated for each instance of + `named`. :gl:`#5079` :gl:`!10197` + +- Do not cache signatures for rejected data. ``fc3a4d6f89`` + + The cache has been updated so that if new data is rejected - for + example, because there was already existing data at a higher trust + level - then its covering RRSIG will also be rejected. :gl:`#5132` + :gl:`!9999` + +- Fix wrong logging severity in do_nsfetch() ``1f6a16e6d0`` + + ISC_LOG_WARNING was used while ISC_LOG_DEBUG(3) was implied. + :gl:`#5145` :gl:`!10017` + +- Fix RPZ race condition during a reconfiguration. ``5ba811bea2`` + + With RPZ in use, `named` could terminate unexpectedly because of a + race condition when a reconfiguration command was received using + `rndc`. This has been fixed. :gl:`#5146` :gl:`!10079` + +- "CNAME and other data check" not applied to all types. ``b694acbe45`` + + An incorrect optimization caused "CNAME and other data" errors not to + be detected if certain types were at the same node as a CNAME. This + has been fixed. :gl:`#5150` :gl:`!10033` + +- Use named Service Parameter Keys (SvcParamKeys) by default. + ``3f61a87be3`` + + When converting SVCB records to text representation `named` now uses + named `SvcParamKeys` values unless backward-compatible mode is + activated, in which case the values which were not defined initially + in RFC9460 and were added later (see [1]) are converted to opaque + "keyNNNN" syntax, like, for example, "key7" instead of "dohpath". + + Also a new `+[no]svcparamkeycompat` option is implemented for `dig`, + which enables the backward-compatible mode and uses the opaque syntax, + if required for interoperability with other software or scripts. By + default, the compatibility mode is disabled. + + [1] https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml + :gl:`#5156` :gl:`!10085` + +- Relax private DNSKEY and RRSIG constraints. ``1bc7016d7a`` + + DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow + empty key and signature material after the algorithm identifier for + PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within + the expected use of these types as no key material is shared and the + signatures are ineffective but these are private algorithms and they + can be totally insecure. :gl:`#5167` :gl:`!10083` + +- Delete dead nodes when committing a new version. ``67255da4b3`` + + In the qpzone implementation of `dns_db_closeversion()`, if there are + changed nodes that have no remaining data, delete them. :gl:`#5169` + :gl:`!10089` + +- Revert "Delete dead nodes when committing a new version" + ``b652d5327c`` + + This reverts commit 67255da4b376f65138b299dcd5eb6a3b7f9735a9, + reversing changes made to 74c9ff384e695d1b27fa365d1fee84576f869d4c. + :gl:`#5169` :gl:`!10224` + +- Fix dns_qp_insert() checks in qpzone. ``d6b63210a8`` + + Remove code in the QP zone database to handle failures of + `dns_qp_insert()` which can't actually happen. :gl:`#5171` + :gl:`!10088` + +- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. + ``f0785fedf1`` + + Previously, when parsing responses, named incorrectly rejected + responses without matching RRSIG records for NSEC/DS/NSEC3 records in + the authority section. This rejection, if appropriate, should have + been left for the validator to determine and has been fixed. + :gl:`#5185` :gl:`!10125` + +- Fix TTL issue with ANY queries processed through RPZ "passthru" + ``23c1fbc609`` + + Answers to an "ANY" query which were processed by the RPZ "passthru" + policy had the response-policy's `max-policy-ttl` value unexpectedly + applied. This has been fixed. :gl:`#5187` :gl:`!10176` + +- Save time when creating a slab from another slab. ``cf981ab13b`` + + The `dns_rdataslab_fromrdataset()` function creates a slab from an + rdataset. If the source rdataset already uses a slab, then no + processing is necessary; we can just copy the existing slab to a new + location. :gl:`#5188` :gl:`!10162` + +- Dnssec-signzone needs to check for a NULL key when setting offline. + ``26f8ee7229`` + + dnssec-signzone could dereference a NULL key pointer when resigning a + zone. This has been fixed. :gl:`#5192` :gl:`!10161` + +- Acquire the database reference before possibly last node release. + ``c4868b5bd9`` + + Acquire the database reference in the detachnode() to prevent the last + reference to be release while the NODE_LOCK being locked. The + NODE_LOCK is locked/unlocked inside the RCU critical section, thus it + is most probably this should not pose a problem as the database uses + call_rcu memory reclamation, but this it is still safer to acquire the + reference before releasing the node. :gl:`#5194` :gl:`!10155` + +- Fix a logic error in cache_name() ``02ef8ff01c`` + + A change in 6aba56ae8 (checking whether a rejected RRset was identical + to the data it would have replaced, so that we could still cache a + signature) inadvertently introduced cases where processing of a + response would continue when previously it would have been skipped. + :gl:`#5197` :gl:`!10157` + +- Fix a bug in the statistics channel when querying zone transfers + information. ``e02d73e7e3`` + + When querying zone transfers information from the statistics channel + there was a rare possibility that `named` could terminate unexpectedly + if a zone transfer was in a state when transferring from all the + available primary servers had failed earlier. This has been fixed. + :gl:`#5198` :gl:`!10182` + +- Fix assertion failure when dumping recursing clients. ``796b662b92`` + + Previously, if a new counter was added to the hashtable while dumping + recursing clients via the `rndc recursing` command, and + `fetches-per-zone` was enabled, an assertion failure could occur. This + has been fixed. :gl:`#5200` :gl:`!10164` + +- Validating ADB fetches could cause a crash in import_rdataset() + ``49ccbe857a`` + + Previously, in some cases, the resolver could return rdatasets of type + CNAME or DNAME without the result code being set to `DNS_R_CNAME` or + `DNS_R_DNAME`. This could trigger an assertion failure in the ADB. The + resolver error has been fixed. :gl:`#5201` :gl:`!10172` + +- Call isc__iterated_hash_initialize in isc__work_cb. ``f3458fdf43`` + + isc_iterated_hash didn't work in offloaded threads as the per thread + initialisation has not been done. This has been fixed. :gl:`#5214` + :gl:`!10206` + +- Fix a bug in get_request_transport_type() ``db5166ab99`` + + When `dns_remote_done()` is true, calling `dns_remote_curraddr()` + asserts. Add a `dns_remote_curraddr()` check before calling + `dns_remote_curraddr()`. :gl:`#5215` :gl:`!10222` + +- Clean up dns_rdataslab module. ``948f8d7a98`` + + Rdata slabs used in the QP databases are usually prepended with a slab + header, but are sometimes "raw", containing only the rdata and no + header. Previously, to allow for them to be used both ways, functions + that operated on them took a `reservelen` argument, which would be set + to either the header length or to zero, and skipped over that many + bytes at the beginning of the buffer. Most such functions were never + used on the raw form. To make the code clearer, each of these + functions now operates on full slabs with headers, and an alternate + "raw" version of the function has been added in cases where that was + needed. + + In addition, the `dns_rdataslab_merge()` and `_subtract()` functions + have been rewritten for clarity and efficiency, and a minor bug has + been fixed in `dns_rdataslab_equal()` and `_equalx()`, which could + cause an incorrect result if both slabs being compared had zero + length. :gl:`!10084` + +- Dump the active resolver fetches from dns_resolver_dumpfetches() + ``5d0c347e75`` + + Previously, active resolver fetches were only dumped when the + `fetches-per-zone` configuration option was enabled. Now, active + resolver fetches are dumped along with the number of + `clients-per-server` counters per resolver fetch. :gl:`!10107` + +- Fix the foundname vs dcname madness in qpcache_findzonecut() + ``4e68dbf194`` + + The qpcache_findzonecut() accepts two "foundnames": 'foundname' and + 'dcname' could be NULL. Originally, when 'dcname' would be NULL, the + 'dcname' would be set to 'foundname' which basically means that we + were copying the .ndata over itself for no apparent reason. + :gl:`!10049` + +- Post [CVE-2024-12705] Performance Drop Fixes, Part 2. ``c8104daf8d`` + + This merge request addresses several key performance bottlenecks in + the DoH (DNS over HTTPS) implementation by introducing significant + optimizations and improvements. + + ### Key Improvements + + 1. **Simplification and Optimisation of `http_do_bio()` Function**: + - The code flow in the `http_do_bio()` function has been significantly + simplified. 2. **Flushing HTTP Write Buffer on Outgoing DNS + Messages**: - The buffer is flushed and a send operation is + performed when there is an outgoing DNS message. 3. **Bumping Active + Streams Processing Limit**: - The total number of active streams + has been increased to 60% of the total streams limit. + + These changes collectively enhance the performance and reliability of + the DoH implementation, making it more efficient and robust for + handling high-load scenarios, particularly noticeable in long runs (>= + 1h) of `stress:long:rpz:doh+udp:linux:*` tests. It improves perf. for + tests for BIND 9.18, but it likely will have a positive but less + pronounced effect on newer versions as well. + + In essence, the merge request fixes three bottlenecks stacked upon + each other. + + *It is a logical continuation of the merge requests !10109.* !10109, + unfortunately, did not completely [address the performance drop in + 9.18](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/221545) + for longer runs of the stress test. This merge request [addresses + that](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/223661). + + **P.S.** + + The origin of the fixes is, in fact, the branch in !10193. So this MR + is a ... *forward port* of them. :gl:`!10192` + +- Post [CVE-2024-12705] Performance Drop Fixes. ``3033d127d2`` + + This merge request fixes a [performance + drop](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/216728) + after merging the fixes for #4795, in particular in 9.18. + + The MR [fixes the + problem](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/219825) + without affecting performance for the newer versions, in particular + for [the development version](https://gitlab.isc.org/isc-projects/bind + 9/-/pipelines/220619). :gl:`!10109` + +- Remove 'target' from dns_adb. ``764eb65cf6`` + + When a server name turns out to be a CNAME or DNAME, the ADB does not + use it, but the `dns_adbname` structure still stored a copy of the + target name. This is unnecessary and the code has been removed. + :gl:`!10149` + +- Simplify some dns_name API calls. ``e16560a650`` + + Several functions in the `dns_name` module have had parameters + removed, that were rarely or never used: - `dns_name_fromtext()` and + `dns_name_concatenate()` no longer take a target buffer. - + `dns_name_towire()` no longer takes a compression offset pointer; this + is now part of the compression context. - `dns_name_towire()` with a + `NULL` compression context will copy name data directly into a buffer + with no processing. :gl:`!10152` + +- Sync the TSAN CC, CFLAGS and LDFLAGS in the respdiff:tsan job. + ``22b5442722`` + + :gl:`!10209` + + From 7c308c22986f01b6f1a4b6d0939b55cee0e7c81f Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Thu, 6 Mar 2025 17:32:19 +0100 Subject: [PATCH 2/4] Prepare release notes for BIND 9.21.6 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.21.6.rst | 184 +++++++++++++++++++++++++++++++++++++ 2 files changed, 185 insertions(+) create mode 100644 doc/notes/notes-9.21.6.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index edb9dea2c0..c9a790a722 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.6.rst .. include:: ../notes/notes-9.21.5.rst .. include:: ../notes/notes-9.21.4.rst .. include:: ../notes/notes-9.21.3.rst diff --git a/doc/notes/notes-9.21.6.rst b/doc/notes/notes-9.21.6.rst new file mode 100644 index 0000000000..de3f8df94c --- /dev/null +++ b/doc/notes/notes-9.21.6.rst @@ -0,0 +1,184 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.6 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Implement the min-transfer-rate-in configuration option. + + A new option 'min-transfer-rate-in ' has been added + to the view and zone configurations. It can abort incoming zone + transfers which run very slowly due to network related issues, for + example. The default value is set to 10240 bytes in 5 minutes. + :gl:`#3914` + +- Add HTTPS record query to host command line tool. + + The host command was extended to also query for the HTTPS RR type by + default. + +Feature Changes +~~~~~~~~~~~~~~~ + +- Drop malformed notify messages early instead of decompressing them. + + The DNS header shows if a message has multiple questions or invalid + NOTIFY sections. We can drop these messages early, right after parsing + the question. This matches RFC 9619 for multi-question messages and + Unbound's handling of NOTIFY. We still parse the question to include + it in our FORMERR response. + + Add drop_msg_early() function to check for these conditions: - + Messages with more than one question, as required by RFC 9619 - NOTIFY + query messages containing answer sections (like Unbound) - NOTIFY + messages containing authority sections (like Unbound) :gl:`#5158`, + #3656 + +- Reduce memory used to store DNS names. + + The memory used to internally store the DNS names has been reduced. + +Bug Fixes +~~~~~~~~~ + +- Fix dual-stack-servers configuration option. + + The dual-stack-servers configuration option was not working as + expected; the specified servers were not being used when they should + have been, leading to resolution failures. This has been fixed. + :gl:`#5019` + +- Implement sig0key-checks-limit and sig0message-checks-limit. + + Previously a hard-coded limitation of maximum two key or message + verification checks were introduced when checking the message's SIG(0) + signature. It was done in order to protect against possible DoS + attacks. The logic behind choosing the number 2 was that more than a + single key should only be required during key rotations, and in that + case two keys are enough. But later it became apparent that there are + other use cases too where even more keys are required, see issue + number #5050 in GitLab. + + This change introduces two new configuration options for the views, + `sig0key-checks-limit` and `sig0message-checks-limit`, which define + how many keys are allowed to be checked to find a matching key, and + how many message verifications are allowed to take place once a + matching key has been found. The latter protects against expensive + cryptographic operations when there are keys with colliding tags and + algorithm numbers, with default being 2, and the former protects + against a bit less expensive key parsing operations and defaults to + 16. :gl:`#5050` + +- Fix the data race causing a permanent active client increase. + + Previously, a data race could cause a newly created fetch context for + a new client to be used before it had been fully initialized, which + would cause the query to become stuck; queries for the same data would + be either paused indefinitely or dropped because of the + `clients-per-query` limit. This has been fixed. :gl:`#5053` + +- Fix deferred validation of unsigned DS and DNSKEY records. + + When processing a query with the "checking disabled" bit set (CD=1), + `named` stores the unvalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated, + and either accepted as an answer, or ejected from the cache as + invalid. This deferred validation was not attempted for DS and DNSKEY + records if they had no cached signatures, causing spurious validation + failures. We now complete the deferred validation in this scenario. + + Also, if deferred validation fails, we now re-query the data to find + out whether the zone has been corrected since the invalid data was + cached. :gl:`#5066` + +- Fix RPZ race condition during a reconfiguration. + + With RPZ in use, `named` could terminate unexpectedly because of a + race condition when a reconfiguration command was received using + `rndc`. This has been fixed. :gl:`#5146` + +- "CNAME and other data check" not applied to all types. + + An incorrect optimization caused "CNAME and other data" errors not to + be detected if certain types were at the same node as a CNAME. This + has been fixed. :gl:`#5150` + +- Use named Service Parameter Keys (SvcParamKeys) by default. + + When converting SVCB records to text representation `named` now uses + named `SvcParamKeys` values unless backward-compatible mode is + activated, in which case the values which were not defined initially + in RFC9460 and were added later (see [1]) are converted to opaque + "keyNNNN" syntax, like, for example, "key7" instead of "dohpath". + + Also a new `+[no]svcparamkeycompat` option is implemented for `dig`, + which enables the backward-compatible mode and uses the opaque syntax, + if required for interoperability with other software or scripts. By + default, the compatibility mode is disabled. + + [1] https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml + :gl:`#5156` + +- Relax private DNSKEY and RRSIG constraints. + + DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow + empty key and signature material after the algorithm identifier for + PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within + the expected use of these types as no key material is shared and the + signatures are ineffective but these are private algorithms and they + can be totally insecure. :gl:`#5167` + +- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. + + Previously, when parsing responses, named incorrectly rejected + responses without matching RRSIG records for NSEC/DS/NSEC3 records in + the authority section. This rejection, if appropriate, should have + been left for the validator to determine and has been fixed. + :gl:`#5185` + +- Fix TTL issue with ANY queries processed through RPZ "passthru" + + Answers to an "ANY" query which were processed by the RPZ "passthru" + policy had the response-policy's `max-policy-ttl` value unexpectedly + applied. This has been fixed. :gl:`#5187` + +- Dnssec-signzone needs to check for a NULL key when setting offline. + + dnssec-signzone could dereference a NULL key pointer when resigning a + zone. This has been fixed. :gl:`#5192` + +- Fix a bug in the statistics channel when querying zone transfers + information. + + When querying zone transfers information from the statistics channel + there was a rare possibility that `named` could terminate unexpectedly + if a zone transfer was in a state when transferring from all the + available primary servers had failed earlier. This has been fixed. + :gl:`#5198` + +- Fix assertion failure when dumping recursing clients. + + Previously, if a new counter was added to the hashtable while dumping + recursing clients via the `rndc recursing` command, and + `fetches-per-zone` was enabled, an assertion failure could occur. This + has been fixed. :gl:`#5200` + +- Dump the active resolver fetches from dns_resolver_dumpfetches() + + Previously, active resolver fetches were only dumped when the + `fetches-per-zone` configuration option was enabled. Now, active + resolver fetches are dumped along with the number of + `clients-per-server` counters per resolver fetch. + + From 5dfcedd52d74ab39aa3a40f4648f7be7007ca69b Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 7 Mar 2025 19:46:20 +0100 Subject: [PATCH 3/4] Tweak and reword relase notes --- doc/notes/notes-9.21.6.rst | 152 +++++++++++++++++++------------------ 1 file changed, 77 insertions(+), 75 deletions(-) diff --git a/doc/notes/notes-9.21.6.rst b/doc/notes/notes-9.21.6.rst index de3f8df94c..a8e9c514c8 100644 --- a/doc/notes/notes-9.21.6.rst +++ b/doc/notes/notes-9.21.6.rst @@ -15,98 +15,100 @@ Notes for BIND 9.21.6 New Features ~~~~~~~~~~~~ -- Implement the min-transfer-rate-in configuration option. +- Implement the :any:`min-transfer-rate-in` configuration option. - A new option 'min-transfer-rate-in ' has been added + A new option :any:`min-transfer-rate-in` has been added to the view and zone configurations. It can abort incoming zone - transfers which run very slowly due to network related issues, for - example. The default value is set to 10240 bytes in 5 minutes. + transfers that run very slowly due to network-related issues, for + example. The default value is 10240 bytes in five minutes. :gl:`#3914` -- Add HTTPS record query to host command line tool. +- Add HTTPS record query to :iscman:`host` command line tool. - The host command was extended to also query for the HTTPS RR type by - default. + The :iscman:`host` command was extended to also query for the HTTPS RR + type by default. + +- Implement :any:`sig0key-checks-limit` and :any:`sig0message-checks-limit`. + + Previously, a hard-coded limitation of a maximum of two key or message + verification checks was introduced when checking a message's ``SIG(0)`` + signature, to protect against possible DoS + attacks. Two as a maximum was chosen so that more than a + single key should only be required during key rotations, and in that + case two keys are enough. It later became apparent that there are + other use cases where even more keys are required; see the related GitLab issue for examples. + + This change introduces two new configuration options for the views: + :any:`sig0key-checks-limit` and :any:`sig0message-checks-limit`. They define + how many keys can be checked to find a matching key, and + how many message verifications are allowed to take place once a + matching key has been found. The former provides + slightly less "expensive" key parsing operations and defaults to + 16. The latter protects against expensive + cryptographic operations when there are keys with colliding tags and + algorithm numbers; the default is 2. :gl:`#5050` Feature Changes ~~~~~~~~~~~~~~~ - Drop malformed notify messages early instead of decompressing them. - The DNS header shows if a message has multiple questions or invalid - NOTIFY sections. We can drop these messages early, right after parsing - the question. This matches RFC 9619 for multi-question messages and - Unbound's handling of NOTIFY. We still parse the question to include - it in our FORMERR response. + The DNS header shows whether a message has multiple questions or invalid + NOTIFY sections. :iscman:`named` can now drop these messages early, right after parsing + the question, to match :rfc:`9619` for multi-question messages and + Unbound's handling of NOTIFY. Questions are still parsed to be included + in BIND's FORMERR response. - Add drop_msg_early() function to check for these conditions: - - Messages with more than one question, as required by RFC 9619 - NOTIFY - query messages containing answer sections (like Unbound) - NOTIFY - messages containing authority sections (like Unbound) :gl:`#5158`, - #3656 + Add ``drop_msg_early()`` function to check for these conditions: + + - Messages with more than one question, as required by :rfc:`9619` + - NOTIFY query messages containing answer sections (like Unbound) + + :gl:`#5158` - Reduce memory used to store DNS names. - The memory used to internally store the DNS names has been reduced. + The memory used to internally store the DNS names has been reduced + by no longer caching certain fields from an internal data structure. + Bug Fixes ~~~~~~~~~ -- Fix dual-stack-servers configuration option. +- Fix :any:`dual-stack-servers` configuration option. - The dual-stack-servers configuration option was not working as + The :any:`dual-stack-servers` configuration option was not working as expected; the specified servers were not being used when they should have been, leading to resolution failures. This has been fixed. :gl:`#5019` -- Implement sig0key-checks-limit and sig0message-checks-limit. - - Previously a hard-coded limitation of maximum two key or message - verification checks were introduced when checking the message's SIG(0) - signature. It was done in order to protect against possible DoS - attacks. The logic behind choosing the number 2 was that more than a - single key should only be required during key rotations, and in that - case two keys are enough. But later it became apparent that there are - other use cases too where even more keys are required, see issue - number #5050 in GitLab. - - This change introduces two new configuration options for the views, - `sig0key-checks-limit` and `sig0message-checks-limit`, which define - how many keys are allowed to be checked to find a matching key, and - how many message verifications are allowed to take place once a - matching key has been found. The latter protects against expensive - cryptographic operations when there are keys with colliding tags and - algorithm numbers, with default being 2, and the former protects - against a bit less expensive key parsing operations and defaults to - 16. :gl:`#5050` - -- Fix the data race causing a permanent active client increase. +- Fix a data race causing a permanent active client increase. Previously, a data race could cause a newly created fetch context for a new client to be used before it had been fully initialized, which would cause the query to become stuck; queries for the same data would be either paused indefinitely or dropped because of the - `clients-per-query` limit. This has been fixed. :gl:`#5053` + :any:`clients-per-query` limit. This has been fixed. :gl:`#5053` - Fix deferred validation of unsigned DS and DNSKEY records. When processing a query with the "checking disabled" bit set (CD=1), - `named` stores the unvalidated result in the cache, marked "pending". - When the same query is sent with CD=0, the cached data is validated, + :iscman:`named` stores the invalidated result in the cache, marked "pending". + When the same query is sent with CD=0, the cached data is validated and either accepted as an answer, or ejected from the cache as invalid. This deferred validation was not attempted for DS and DNSKEY records if they had no cached signatures, causing spurious validation - failures. We now complete the deferred validation in this scenario. + failures. The deferred validation is now completed in this scenario. - Also, if deferred validation fails, we now re-query the data to find + Also, if deferred validation fails, the data is now re-queried to find out whether the zone has been corrected since the invalid data was cached. :gl:`#5066` - Fix RPZ race condition during a reconfiguration. - With RPZ in use, `named` could terminate unexpectedly because of a + With RPZ in use, :iscman:`named` could terminate unexpectedly because of a race condition when a reconfiguration command was received using - `rndc`. This has been fixed. :gl:`#5146` + :iscman:`rndc`. This has been fixed. :gl:`#5146` - "CNAME and other data check" not applied to all types. @@ -114,15 +116,15 @@ Bug Fixes be detected if certain types were at the same node as a CNAME. This has been fixed. :gl:`#5150` -- Use named Service Parameter Keys (SvcParamKeys) by default. +- Use named Service Parameter Keys (``SvcParamKeys``) by default. - When converting SVCB records to text representation `named` now uses - named `SvcParamKeys` values unless backward-compatible mode is - activated, in which case the values which were not defined initially - in RFC9460 and were added later (see [1]) are converted to opaque - "keyNNNN" syntax, like, for example, "key7" instead of "dohpath". + When converting SVCB records to text representation, :iscman:`named` now uses + named ``SvcParamKeys`` values unless backward-compatible mode is + activated. In that case, values which were not defined initially + in :rfc:`9460` and were added later (see [1]) are converted to opaque + "keyNNNN" syntax, e.g. "key7" instead of "dohpath". - Also a new `+[no]svcparamkeycompat` option is implemented for `dig`, + Also a new ``+[no]svcparamkeycompat`` option is implemented for :iscman:`dig`, which enables the backward-compatible mode and uses the opaque syntax, if required for interoperability with other software or scripts. By default, the compatibility mode is disabled. @@ -132,53 +134,53 @@ Bug Fixes - Relax private DNSKEY and RRSIG constraints. - DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow + DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within - the expected use of these types as no key material is shared and the - signatures are ineffective but these are private algorithms and they + the expected use of these types, as no key material is shared and the + signatures are ineffective, but these are private algorithms and they can be totally insecure. :gl:`#5167` -- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse. +- Remove NSEC/DS/NSEC3 RRSIG check from ``dns_message_parse()``. - Previously, when parsing responses, named incorrectly rejected + Previously, when parsing responses, :iscman:`named` incorrectly rejected responses without matching RRSIG records for NSEC/DS/NSEC3 records in the authority section. This rejection, if appropriate, should have been left for the validator to determine and has been fixed. :gl:`#5185` -- Fix TTL issue with ANY queries processed through RPZ "passthru" +- Fix TTL issue with ANY queries processed through RPZ "passthru". Answers to an "ANY" query which were processed by the RPZ "passthru" - policy had the response-policy's `max-policy-ttl` value unexpectedly + policy had the response-policy's ``max-policy-ttl`` value unexpectedly applied. This has been fixed. :gl:`#5187` -- Dnssec-signzone needs to check for a NULL key when setting offline. +- :iscman:`dnssec-signzone` needs to check for a NULL key when setting offline. - dnssec-signzone could dereference a NULL key pointer when resigning a - zone. This has been fixed. :gl:`#5192` + :iscman:`dnssec-signzone` could dereference a NULL key pointer when resigning + a zone. This has been fixed. :gl:`#5192` -- Fix a bug in the statistics channel when querying zone transfers +- Fix a bug in the statistics channel when querying zone transfer information. - When querying zone transfers information from the statistics channel - there was a rare possibility that `named` could terminate unexpectedly + When querying zone transfer information from the statistics channel, + there was a rare possibility that :iscman:`named` could terminate unexpectedly if a zone transfer was in a state when transferring from all the available primary servers had failed earlier. This has been fixed. :gl:`#5198` - Fix assertion failure when dumping recursing clients. - Previously, if a new counter was added to the hashtable while dumping - recursing clients via the `rndc recursing` command, and - `fetches-per-zone` was enabled, an assertion failure could occur. This + Previously, if a new counter was added to the hash table while dumping + recursing clients via the :option:`rndc recursing` command, and + :any:`fetches-per-zone` was enabled, an assertion failure could occur. This has been fixed. :gl:`#5200` -- Dump the active resolver fetches from dns_resolver_dumpfetches() +- Dump the active resolver fetches from ``dns_resolver_dumpfetches()`` Previously, active resolver fetches were only dumped when the - `fetches-per-zone` configuration option was enabled. Now, active + :any:`fetches-per-zone` configuration option was enabled. Now, active resolver fetches are dumped along with the number of - `clients-per-server` counters per resolver fetch. + :any:`clients-per-query` counters per resolver fetch. From 21ca763bca1a0f5c826109ff739947a2a49b1563 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Tue, 11 Mar 2025 11:37:59 +0100 Subject: [PATCH 4/4] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 7261d4451e..247d73ea00 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 21)dnl m4_define([bind_VERSION_PATCH], 6)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl