From e7b1d49b76bb95a64586690e1f096c2ae37118d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 9 Jul 2021 09:34:52 +0200 Subject: [PATCH 01/12] Restore release note for GL #2780 --- doc/notes/notes-current.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 00beeb5553..177207521c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -74,6 +74,9 @@ Bug Fixes when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. :gl:`#2759` +- Checking of ``dnssec-policy`` was broken. The checks failed to account for + ``dnssec-policy`` inheritance. :gl:`#2780` + - A deadlock at startup was introduced when fixing :gl:`#1875` because when locking key files for reading and writing, "in-view" logic was not taken into account. This has been fixed. :gl:`#2783` From 17e5161deacaf76862d43a5ebc174bff397d25d9 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Fri, 9 Jul 2021 09:34:52 +0200 Subject: [PATCH 02/12] Tweak and reword recent CHANGES entries --- CHANGES | 65 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 33 insertions(+), 32 deletions(-) diff --git a/CHANGES b/CHANGES index 8489ac2fba..6782863655 100644 --- a/CHANGES +++ b/CHANGES @@ -31,51 +31,53 @@ "controls" statement was configured with multiple key algorithms in the same listener. [GL #2756] -5671. [bug] Fix a race condition where two threads are competing for - the same set of key file locks, that could lead to a - deadlock. This has been fixed. [GL #2786] +5671. [bug] A race condition could occur where two threads were + competing for the same set of key file locks, leading to + a deadlock. This has been fixed. [GL #2786] -5670. [bug] Handle place holder KEYDATA records. [GL #2769] +5670. [bug] create_keydata() created an invalid placeholder keydata + record upon a refresh failure, which prevented the + database of managed keys from subsequently being read + back. This has been fixed. [GL #2686] -5669. [func] Add 'checkds' feature. Zones with "dnssec-policy" and - "parental-agents" configured will check for DS presence - and are able to perform automatic KSK rollover. - [GL #1126] +5669. [func] KASP support was extended with the "check DS" feature. + Zones with "dnssec-policy" and "parental-agents" + configured now check for DS presence and can perform + automatic KSK rollovers. [GL #1126] -5668. [bug] When a zone fails to load on startup, the setnsec3param - task is rescheduled. This caused a hang on shutdown, and - is now fixed. [GL #2791] +5668. [bug] Rescheduling a setnsec3param() task when a zone failed + to load on startup caused a hang on shutdown. This has + been fixed. [GL #2791] 5667. [bug] The configuration-checking code failed to account for the inheritance rules of the "dnssec-policy" option. - [GL #2780] + This has been fixed. [GL #2780] -5666. [func] Tweak the safe "edns-udp-size" to match the probing - value from BIND 9.16 for better compatibility. Also - ``named`` now sets the DON'T FRAGMENT flag on outgoing - UDP packets. [GL #2183] +5666. [doc] The safe "edns-udp-size" value was tweaked to match the + probing value from BIND 9.16 for better compatibility. + [GL #2183] -5665. [bug] 'nsupdate' did not retry with another server if - it received a REFUSED response. [GL #2758] +5665. [bug] If nsupdate sends an SOA request and receives a REFUSED + response, it now fails over to the next available + server. [GL #2758] -5664. [func] Handle a UDP sending error on UDP messages larger - than the path MTU; in such a case an empty response is - sent back with the TC (TrunCated) bit set. Re-enable - setting the DF (Don't Fragment) flag on outgoing - UDP sockets. [GL #2790] +5664. [func] For UDP messages larger than the path MTU, named now + sends an empty response with the TC (TrunCated) bit set. + In addition, setting the DF (Don't Fragment) flag on + outgoing UDP sockets was re-enabled. [GL #2790] 5662. [bug] Views with recursion disabled are now configured with a - default cache size of 2 MB, unless "max-cache-size" is + default cache size of 2 MB unless "max-cache-size" is explicitly set. This prevents cache RBT hash tables from being needlessly preallocated for such views. [GL #2777] -5661. [bug] A deadlock was introduced when fixing [GL #1875] because - when locking the key file mutex for each zone structure - that is in a different view, "in-view" logic was not - taken into account. This has been fixed. [GL #2783] +5661. [bug] Change 5644 inadvertently introduced a deadlock: when + locking the key file mutex for each zone structure in a + different view, the "in-view" logic was not considered. + This has been fixed. [GL #2783] 5658. [bug] Increasing "max-cache-size" for a running named instance - (using "rndc reconfig") was not causing the hash tables + (using "rndc reconfig") did not cause the hash tables used by cache databases to be grown accordingly. This has been fixed. [GL #2770] @@ -85,9 +87,8 @@ CNAME chaining were required to prepare the response. This has been fixed. [GL #2759] -5653. [bug] Fixed a bug that caused the NSEC3 salt to be changed - for KASP zones on restart. - [GL #2725] +5653. [bug] A bug that caused the NSEC3 salt to be changed on every + restart for zones using KASP has been fixed. [GL #2725] --- 9.16.18 released --- From f122497c72b1c9ac2afc4c9bb85fa756d9f24ff1 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Fri, 9 Jul 2021 09:34:52 +0200 Subject: [PATCH 03/12] Tweak and reword release notes --- doc/notes/notes-9.16.8.rst | 2 +- doc/notes/notes-current.rst | 46 ++++++++++++++++--------------------- 2 files changed, 21 insertions(+), 27 deletions(-) diff --git a/doc/notes/notes-9.16.8.rst b/doc/notes/notes-9.16.8.rst index eb789f6143..2ca95d4e61 100644 --- a/doc/notes/notes-9.16.8.rst +++ b/doc/notes/notes-9.16.8.rst @@ -33,7 +33,7 @@ Feature Changes MTU minus the estimated header space. In practice, the smallest MTU witnessed in the operational DNS community is 1500 octets, the maximum Ethernet payload size, so a useful default for maximum DNS/UDP payload - size on reliable networks would be 1400 bytes. :gl:`#2183` + size on reliable networks would be 1432 bytes. :gl:`#2183` Bug Fixes ~~~~~~~~~ diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 177207521c..dd9b1851d5 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -30,9 +30,10 @@ Known Issues New Features ~~~~~~~~~~~~ -- Automatic KSK rollover: A new configuration option ``parental-agents`` is - added to add a list of servers to a zone that can be used for checking DS - presence. :gl:`#1126` +- Using a new configuration option, ``parental-agents``, each zone can + now be associated with a list of servers that can be used to check the + DS RRset in the parent zone. This enables automatic KSK rollovers. + :gl:`#1126` Removed Features ~~~~~~~~~~~~~~~~ @@ -42,20 +43,11 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- IP fragmentation on outgoing UDP sockets has been disabled. Errors from - sending DNS messages larger than the specified path MTU are properly handled; - ``named`` now sends back empty DNS messages with the TC (TrunCated) bit set, - forcing the DNS client to fall back to TCP. :gl:`#2790` - - ``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets. According - to the measurements done by multiple parties this should not be causing any - operational problems as most of the Internet "core" is able to cope with IP - message sizes between 1400-1500 bytes, the 1232 size was picked as a - conservative minimal number that could be changed by the DNS operator to a - estimated path MTU minus the estimated header space. In practice, the smallest - MTU witnessed in the operational DNS community is 1500 octets, the Ethernet - maximum payload size, so a a useful default for maximum DNS/UDP payload size - on reliable networks would be 1432. [GL #2183] +- IP fragmentation has been disabled for outgoing UDP sockets. Errors + triggered by sending DNS messages larger than the specified path MTU + are properly handled by sending empty DNS replies with the ``TC`` + (TrunCated) bit set, which forces DNS clients to fall back to TCP. + :gl:`#2790` - CDS and CDNSKEY records may now be published in a zone without the requirement that they exactly match an existing DNSKEY record, so long @@ -66,23 +58,25 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- Fixed a bug that caused the NSEC salt to be changed for KASP zones on - every startup. :gl:`#2725` +- A bug that caused the NSEC3 salt to be changed on every restart for + zones using KASP has been fixed. :gl:`#2725` - Signed, insecure delegation responses prepared by ``named`` either lacked the necessary NSEC records or contained duplicate NSEC records when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. :gl:`#2759` -- Checking of ``dnssec-policy`` was broken. The checks failed to account for - ``dnssec-policy`` inheritance. :gl:`#2780` +- The configuration-checking code failed to account for the inheritance + rules of the ``dnssec-policy`` option. This has been fixed. + :gl:`#2780` -- A deadlock at startup was introduced when fixing :gl:`#1875` because when - locking key files for reading and writing, "in-view" logic was not taken into - account. This has been fixed. :gl:`#2783` +- The fix for :gl:`#1875` inadvertently introduced a deadlock: when + locking key files for reading and writing, the ``in-view`` logic was + not considered. This has been fixed. :gl:`#2783` -- Fix a race condition where two threads are competing for the same set of key - file locks, that could lead to a deadlock. This has been fixed. :gl:`#2786` +- A race condition could occur where two threads were competing for the + same set of key file locks, leading to a deadlock. This has been + fixed. :gl:`#2786` - Testing revealed that setting the thread affinity on both the netmgr and netthread threads led to inconsistent recursive performance, as From 36906b1bb2ecb2123f3235eba476aab2218816d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 9 Jul 2021 09:34:52 +0200 Subject: [PATCH 04/12] Reorder release notes --- doc/notes/notes-current.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index dd9b1851d5..1d41b63a26 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -58,14 +58,14 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- A bug that caused the NSEC3 salt to be changed on every restart for - zones using KASP has been fixed. :gl:`#2725` - - Signed, insecure delegation responses prepared by ``named`` either lacked the necessary NSEC records or contained duplicate NSEC records when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. :gl:`#2759` +- A bug that caused the NSEC3 salt to be changed on every restart for + zones using KASP has been fixed. :gl:`#2725` + - The configuration-checking code failed to account for the inheritance rules of the ``dnssec-policy`` option. This has been fixed. :gl:`#2780` From 8d5c429816b23d23be0335cd0c690d6553b39053 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 9 Jul 2021 09:34:52 +0200 Subject: [PATCH 05/12] Add release note for GL #2686 --- doc/notes/notes-current.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 1d41b63a26..26f6771a26 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -58,6 +58,11 @@ Feature Changes Bug Fixes ~~~~~~~~~ +- The code managing :rfc:`5011` trust anchors created an invalid + placeholder keydata record upon a refresh failure, which prevented the + database of managed keys from subsequently being read back. This has + been fixed. :gl:`#2686` + - Signed, insecure delegation responses prepared by ``named`` either lacked the necessary NSEC records or contained duplicate NSEC records when both wildcard expansion and CNAME chaining were required to From 53351f3d2a82dd084b0d29ffc0746f3bddc2537b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 9 Jul 2021 09:34:52 +0200 Subject: [PATCH 06/12] Add release note for GL #2758 --- doc/notes/notes-current.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 26f6771a26..fa58976125 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -68,6 +68,9 @@ Bug Fixes when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. :gl:`#2759` +- If ``nsupdate`` sends an SOA request and receives a REFUSED response, + it now fails over to the next available server. :gl:`#2758` + - A bug that caused the NSEC3 salt to be changed on every restart for zones using KASP has been fixed. :gl:`#2725` From 018e887bd806a2f4fb9ccbb18c9f77cf2c7578d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 9 Jul 2021 09:34:52 +0200 Subject: [PATCH 07/12] Prepare release notes for BIND 9.16.19 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.16.19.rst} | 12 ------------ 2 files changed, 1 insertion(+), 13 deletions(-) rename doc/notes/{notes-current.rst => notes-9.16.19.rst} (97%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 767a3ce6ca..d590458b0c 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -59,7 +59,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.16.19.rst .. include:: ../notes/notes-9.16.18.rst .. include:: ../notes/notes-9.16.17.rst .. include:: ../notes/notes-9.16.16.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.16.19.rst similarity index 97% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.16.19.rst index fa58976125..135d556c5b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.16.19.rst @@ -14,19 +14,12 @@ Notes for BIND 9.16.19 Security Fixes ~~~~~~~~~~~~~~ -- None. - - Named failed to check the opcode of responses when performing refresh, stub updates, and UPDATE forwarding. This could lead to an assertion failure under particular conditions. This has been addressed by checking the opcode of those responses and rejecting the messages if they don't match the expected value. :gl:`#2762` -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ @@ -35,11 +28,6 @@ New Features DS RRset in the parent zone. This enables automatic KSK rollovers. :gl:`#1126` -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ From b22548d8be81daee06119d826fb6ee7b7e791788 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Fri, 9 Jul 2021 08:02:03 +0000 Subject: [PATCH 08/12] Add prereq.sh script for the "checkds" system test --- bin/tests/system/checkds/prereq.sh | 29 +++++++++++++++++++++++++++++ util/copyrights | 1 + 2 files changed, 30 insertions(+) create mode 100644 bin/tests/system/checkds/prereq.sh diff --git a/bin/tests/system/checkds/prereq.sh b/bin/tests/system/checkds/prereq.sh new file mode 100644 index 0000000000..4b122c9bf0 --- /dev/null +++ b/bin/tests/system/checkds/prereq.sh @@ -0,0 +1,29 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if test -n "$PYTHON" +then + if $PYTHON -c "from dns.query import send_tcp" 2> /dev/null + then + : + else + echo_i "This test requires the dnspython >= 2.0.0 module." >&2 + exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 +fi + +exit 0 diff --git a/util/copyrights b/util/copyrights index 432bc11ea5..ca167f66c3 100644 --- a/util/copyrights +++ b/util/copyrights @@ -368,6 +368,7 @@ ./bin/tests/system/checkds/ns2/setup.sh SH 2021 ./bin/tests/system/checkds/ns5/setup.sh SH 2021 ./bin/tests/system/checkds/ns9/setup.sh SH 2021 +./bin/tests/system/checkds/prereq.sh SH 2021 ./bin/tests/system/checkds/setup.sh SH 2021 ./bin/tests/system/checkds/tests-checkds.py PYTHON-BIN 2021 ./bin/tests/system/checkdstool/clean.sh SH 2012,2013,2014,2016,2017,2018,2019,2020,2021 From e2fb29ad710c4c95efb6e98fe7ee0f6ddc495a50 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Fri, 9 Jul 2021 08:02:03 +0000 Subject: [PATCH 09/12] prep 9.16.19 --- CHANGES | 2 ++ version | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 6782863655..efdac3ebd9 100644 --- a/CHANGES +++ b/CHANGES @@ -31,6 +31,8 @@ "controls" statement was configured with multiple key algorithms in the same listener. [GL #2756] + --- 9.16.19 released --- + 5671. [bug] A race condition could occur where two threads were competing for the same set of key file locks, leading to a deadlock. This has been fixed. [GL #2786] diff --git a/version b/version index 03f3192a4e..d4a355fd51 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Stable Release)" MAJORVER=9 MINORVER=16 -PATCHVER=18 +PATCHVER=19 RELEASETYPE= RELEASEVER= EXTENSIONS= From c775e62a8682234de5f286f57bac877b4ea3dc78 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 22 Jul 2021 17:38:22 +0200 Subject: [PATCH 10/12] Set up release notes for BIND 9.16.20 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.16.19.rst | 24 ---------------- doc/notes/notes-current.rst | 57 +++++++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 24 deletions(-) create mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index d590458b0c..2fe3b4ec5a 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -59,6 +59,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.16.19.rst .. include:: ../notes/notes-9.16.18.rst .. include:: ../notes/notes-9.16.17.rst diff --git a/doc/notes/notes-9.16.19.rst b/doc/notes/notes-9.16.19.rst index 135d556c5b..bfcd74bd5a 100644 --- a/doc/notes/notes-9.16.19.rst +++ b/doc/notes/notes-9.16.19.rst @@ -11,15 +11,6 @@ Notes for BIND 9.16.19 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- Named failed to check the opcode of responses when performing refresh, - stub updates, and UPDATE forwarding. This could lead to an assertion - failure under particular conditions. This has been addressed by checking - the opcode of those responses and rejecting the messages if they don't - match the expected value. :gl:`#2762` - New Features ~~~~~~~~~~~~ @@ -37,12 +28,6 @@ Feature Changes (TrunCated) bit set, which forces DNS clients to fall back to TCP. :gl:`#2790` -- CDS and CDNSKEY records may now be published in a zone without the - requirement that they exactly match an existing DNSKEY record, so long - the zone is signed with an algorithm represented in the CDS or CDNSKEY - record. This allows a clean rollover from one DNS provider to another - when using a multiple-signer DNSSEC configuration. :gl:`#2710` - Bug Fixes ~~~~~~~~~ @@ -73,12 +58,3 @@ Bug Fixes - A race condition could occur where two threads were competing for the same set of key file locks, leading to a deadlock. This has been fixed. :gl:`#2786` - -- Testing revealed that setting the thread affinity on both the netmgr - and netthread threads led to inconsistent recursive performance, as - sometimes the netmgr and netthread threads competed over a single - resource. - - When the affinity is not set, tests show a slight dip in the authoritative - performance of around 5% (ranging from 3.8% to 7.8%), but - the recursive performance is now consistently improved. :gl:`#2822` diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..7544bffda6 --- /dev/null +++ b/doc/notes/notes-current.rst @@ -0,0 +1,57 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.16.20 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Named failed to check the opcode of responses when performing refresh, + stub updates, and UPDATE forwarding. This could lead to an assertion + failure under particular conditions. This has been addressed by checking + the opcode of those responses and rejecting the messages if they don't + match the expected value. :gl:`#2762` + +Known Issues +~~~~~~~~~~~~ + +- None. + +New Features +~~~~~~~~~~~~ + +- None. + +Removed Features +~~~~~~~~~~~~~~~~ + +- None. + +Feature Changes +~~~~~~~~~~~~~~~ + +- CDS and CDNSKEY records may now be published in a zone without the + requirement that they exactly match an existing DNSKEY record, so long + the zone is signed with an algorithm represented in the CDS or CDNSKEY + record. This allows a clean rollover from one DNS provider to another + when using a multiple-signer DNSSEC configuration. :gl:`#2710` + +Bug Fixes +~~~~~~~~~ + +- Testing revealed that setting the thread affinity on both the netmgr + and netthread threads led to inconsistent recursive performance, as + sometimes the netmgr and netthread threads competed over a single + resource. + + When the affinity is not set, tests show a slight dip in the authoritative + performance of around 5% (ranging from 3.8% to 7.8%), but + the recursive performance is now consistently improved. :gl:`#2822` From 4433315351ec6a0d0e9f0435f699c6ca4223698c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 23 Jul 2021 08:55:05 +0200 Subject: [PATCH 11/12] Fix version number in a backported release note --- doc/notes/notes-9.16.11.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/notes/notes-9.16.11.rst b/doc/notes/notes-9.16.11.rst index ae09f8859c..45d0ff7e59 100644 --- a/doc/notes/notes-9.16.11.rst +++ b/doc/notes/notes-9.16.11.rst @@ -24,7 +24,7 @@ Feature Changes incoming queries among multiple threads). However, the only operating systems currently known to support load-balanced sockets are Linux and FreeBSD 12, which means both UDP and TCP performance were limited to a - single thread on other systems. As of BIND 9.17.8, ``named`` attempts + single thread on other systems. As of BIND 9.16.11, ``named`` attempts to distribute incoming queries among multiple threads on systems which lack support for load-balanced sockets (except Windows). :gl:`#2137` From 1a585743937898b3783690947b3e10883d951d4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 23 Jul 2021 08:55:05 +0200 Subject: [PATCH 12/12] Add a missing CHANGES entry for BIND 9.16.17 --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index efdac3ebd9..6e77ae3e0e 100644 --- a/CHANGES +++ b/CHANGES @@ -161,6 +161,11 @@ incorrectly accepted at those levels without effect. This has been fixed. [GL #2536] +5624. [func] Task manager events are now processed inside network + manager loops. The task manager no longer needs its own + set of worker threads, which improves resolver + performance. [GL #2638] + --- 9.16.16 released --- 5637. [func] Change the default value of the "max-ixfr-ratio" option