Merge branch 'michal/prepare-release-notes-for-master' into 'master'

Prepare release notes for "master"

See merge request isc-projects/bind9!3517
Ondřej Surý
2020-05-12 13:52:32 +00:00
9 changed files with 311 additions and 371 deletions

CHANGES

@@ -1,11 +1,10 @@
5408. [protocol] Print Extended DNS Errors if present in OPT record.
[GL #1835]
5407. [func] The zone timers are now exported to the statistics
channel. Thanks to Paul Frieden, Verizon Media.
[GL #1232]
5407. [func] Zone timers are now exported via statistics channel.
Thanks to Paul Frieden, Verizon Media. [GL #1232]
5406. [func] Added a new logging category "rpz-passthru". It allows
5406. [func] Added a new logging category, "rpz-passthru". It allows
RPZ passthru actions to be logged into a separate
channel. [GL #54]
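Review bot: the 5408 entry cites [GL #1835] for printing Extended DNS Errors, but the matching item in doc/notes/notes-current.rst in this same change (dig and other tools printing the EDE option) cites [GL #1834]; one of the two references is wrong and they should agree before the notes are published. The reworded 5407 and 5406 entries are fine as they stand.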
@@ -17,12 +16,12 @@
success if errors were found in one view but not in a
subsequent one. [GL #1807]
5403. [func] Don't set udp recv/send buffer sizes, sockets will
use system defaults. [GL #1713]
5403. [func] Do not set UDP receive/send buffer sizes - use system
defaults. [GL #1713]
5402. [bug] Enable SO_REUSEADDR on all platforms, and either
SO_REUSEPORT_LB on FreeBSD, or SO_REUSEPORT on Linux.
[GL !3365]
5402. [bug] On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
Enable use of SO_REUSEADDR on all platforms which
support it. [GL !3365]
5401. [bug] The number of input queues allocated during dnstap
initialization was too low, which could prevent some
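Review bot: the rewritten 5402 entry changes the stated behaviour rather than only the wording. The original says SO_REUSEADDR is enabled on all platforms together with SO_REUSEPORT_LB on FreeBSD or SO_REUSEPORT on Linux; the new text says SO_REUSEADDR is enabled only on platforms which support it and no longer mentions SO_REUSEPORT on Linux at all. Please confirm the new wording matches what !3365 actually does, since these options decide which processes may bind the same address and port. Also, 5402 has no counterpart in notes-current.rst while the neighbouring 5403 buffer-size change ([GL #1713]) does; a socket-option change of this kind deserves a release note.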
@@ -34,53 +33,57 @@
5399. [func] Add engine support to OpenSSL ECDSA implementation.
[GL #1534]
5398. [bug] Named could fail to restart if a zone added with
'rndc addzone' contained a double quote (\") in
its name. [GL #1695]
5398. [bug] Named could fail to restart if a zone with a double
quote (") in its name was added with 'rndc addzone'.
[GL #1695]
5397. [func] Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
Thanks to Aaron Thompson. [GL !3326]
5396. [func] Use UV_UDP_RECVMMSG flag to enable recvmmsg support in
libuv >= 1.37. [GL #1797]
5396. [func] When necessary (i.e. in libuv >= 1.37), use the
UV_UDP_RECVMMSG flag to enable recvmmsg() support in
libuv. [GL #1797]
5395. [placeholder]
5394. [cleanup] Don't change effective uid/gid in named_os_openfile()
if named is already running under specified uid/gid.
[GL #1042] [GL #1090]
5394. [cleanup] Named formerly attempted to change the effective UID and
GID in named_os_openfile(), which could trigger a
spurious log message if they were already set to the
desired values. This has been fixed. [GL #1042]
[GL #1090]
5393. [cleanup] Unused or redundant APIs were removed from libirs.
5393. [cleanup] Unused and/or redundant APIs were removed from libirs.
[GL #1758]
5392. [bug] It was possible for named to crash during shutdown
or reconfiguration if an RPZ zone was still being
updated. [GL #1779]
5391. [func] The BIND 9 build system has been changed to use the
usual stack of autoconf+automake+libtool. If building
from the git repository run "autoreconf -fi" first.
5391. [func] The BIND 9 build system has been changed to use a
typical autoconf+automake+libtool stack. When building
from the Git repository, run "autoreconf -fi" first.
[GL #4]
5390. [placeholder]
5389. [bug] Finish the PKCS#11 code cleanup, fix couple of smaller
5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller
bugs and use PKCS#11 v3.0 EdDSA macros and constants.
Thanks to Aaron Thompson. [GL !3391]
5388. [func] Reject AXFR streams where the message id is not
5388. [func] Reject AXFR streams where the message ID is not
consistent. [GL #1674]
5387. [placeholder]
5386. [cleanup] Address Coverity warnings in keymgr.c [GL #1737]
5386. [cleanup] Address Coverity warnings in lib/dns/keymgr.c.
[GL #1737]
5385. [func] Make ISC rwlock implementation the default again.
[GL #1753]
5384. [bug] With dnssec-policy, inline-signing was implicitly set
to yes. Change and only set inline-signing to yes
if the zone is not dynamic. [GL #1709]
5384. [bug] With "dnssec-policy" in effect, "inline-signing" was
implicitly set to "yes". Now "inline-signing" is only
set to "yes" if the zone is not dynamic. [GL #1709]
--- 9.17.1 released ---
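Review bot: the 5398 rewording still omits a condition that the release note for the same issue gives: notes-current.rst says the restart failure after an 'rndc addzone' with a double quote only occurs when named is built without LMDB support, whereas CHANGES states it unconditionally; the two should agree. Likewise, 5388 says AXFR streams with inconsistent message IDs are rejected, while the notes-current.rst item for [GL #1674] says only that log messages are emitted; use the behaviour the code implements in both places. Minor: 5386 now naming lib/dns/keymgr.c instead of the bare filename is an improvement.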


@@ -7,3 +7,5 @@ endif
if HAVE_SPHINX_BUILD
SUBDIRS += man arm
endif HAVE_SPHINX_BUILD
EXTRA_DIST = notes/
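Review bot: "EXTRA_DIST = notes/" distributes the whole directory, so any stray editor backup or build artefact left in doc/notes will end up in the release tarball; listing the .rst files explicitly is safer and lets automake complain when one is missing. Please also confirm that a Sphinx build from a "make dist" tarball still works, since doc/arm/notes.rst now pulls in ../notes/notes-current.rst and the per-release files by relative path.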


@@ -1,101 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes-9.17.1"><info><title>Notes for BIND 9.17.1</title></info>
<section xml:id="relnotes-9.17.1-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-known"><info><title>Known Issues</title></info>
<itemizedlist>
<listitem>
<para>
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated.
[GL #1685]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-new"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
A new option, <command>nsdname-wait-recurse</command>, has been added
to the <command>response-policy</command> clause in the configuration
file. When set to <command>no</command>, RPZ NSDNAME rules are only
applied if the authoritative nameservers for the query name have been
looked up and are present in the cache. If this information is not
present, the RPZ NSDNAME rules are ignored, but the information is
looked up in the background and applied to subsequent queries. The
default is <command>yes</command>, meaning that RPZ NSDNAME rules
should always be applied, even if the information needs to be looked
up first. [GL #1138]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
The previous DNSSEC sign statistics used lots of memory. The number of
keys to track is reduced to four per zone, which should be enough for
99% of all signed zones. [GL #1179]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, <command>named</command> could become
nonresponsive for a short period while deleted names were removed from
the RPZ summary database. This database cleanup is now done
incrementally over a longer period of time, reducing such delays.
[GL #1447]
</para>
</listitem>
<listitem>
<para>
When trying to migrate an already-signed zone from
<command>auto-dnssec maintain</command> to one based on
<command>dnssec-policy</command>, the existing keys were immediately
deleted and replaced with new ones. As the key rollover timing
constraints were not being followed, it was possible that some clients
would not have been able to validate responses until all old DNSSEC
information had timed out from caches. BIND now looks at the time
metadata of the existing keys and incorporates it into its DNSSEC
policy operation. [GL #1706]
</para>
</listitem>
</itemizedlist>
</section>
</section>
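Review bot: the xml:id anchors in this removed file (relnotes-9.17.1, relnotes-9.17.1-security and so on) have no equivalent ".. _label:" targets in the replacement doc/notes/notes-9.17.1.rst, so any published links or :ref: targets pointing at them will break; if they are referenced anywhere in the ARM, add matching reST labels above the new headings. Content-wise all six items carry over to the .rst file.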


@@ -1,147 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes-9.17.2"><info><title>Notes for BIND 9.17.2</title></info>
<section xml:id="relnotes-9.17.2-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
A bug in dnstap initialization could prevent some dnstap data from
being logged, especially on recursive resolvers. [GL #1795]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.2-known"><info><title>Known Issues</title></info>
<itemizedlist>
<listitem>
<para>
In this release, the build system has been significantly changed (see
below), and there's number of unresolved issues that you need to be
aware of if you are using a development release. Please refer to
GitLab issue #4 https://gitlab.isc.org/isc-projects/bind9/-/issues/4
for a list of not yet resolved issues that will be fixed in the
following releases.
</para>
<para>
BIND crashes on startup when linked against libuv 1.36. This issue is
related to recvmmsg() support in libuv which was first included in
libuv 1.35. The problem was addressed in libuv 1.37, but the relevant
libuv code change requires a special flag to be set during library
initialization in order for recvmmsg() support to be enabled. This
BIND release sets that special flag when required, so recvmmsg()
support is now enabled when BIND is compiled against either libuv 1.35
or libuv 1.37+; libuv 1.36 is still not usable with BIND. [GL #1761]
[GL #1797]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.2-new"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
The BIND 9 build system has been changed to use the normal build tool
stack consisting of autoconf+automake+libtool. This should not make
any difference for people building BIND 9 from the release tarballs,
but if you are building BIND 9 from the git repository you will need
to run "autoreconf -fi" first. If you are using non-standard
<command>./configure</command> option, you will
need to pay extra attention. [GL #4]
</para>
</listitem>
<listitem>
<para>
The native PKCS#11 EdDSA implementation has been updated to PKCS#11
v3.0 and thus made operational again. Contributed by Aaron Thompson.
[GL !3326]
</para>
</listitem>
<listitem>
<para>
The OpenSSL ECDSA implementation has been updated to support PKCS#11
via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL #1534]
</para>
</listitem>
<listitem>
<para>
The OpenSSL EdDSA implementation has been updated to support PKCS#11
via OpenSSL engine. Please note that you need EdDSA capable OpenSSL
engine and there's only proof-of-concept as of this moment.
Contributed by Aaron Thompson. [GL #1763]
</para>
</listitem>
<listitem>
<para>
Added a new logging category "rpz-passthru", it allows RPZ passthru
actions to be logged into a separate channel. [GL #54]
</para>
</listitem>
<listitem>
<para>
The zone timers are now exported to the statistics channel. For the
primary zones, only the loaded time is exported. For the secondary
zones, the exported timers also include expire and refresh times.
Contributed by Paul Frieden, Verizon Media. [GL #1232]
</para>
</listitem>
<listitem>
<para>
<command>dig</command> and other tools can now print the Extended
DNS Error (EDE) option when it appears in a request or response.
[GL #1834]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.2-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
The default rwlock implementation has been changed back to the native
BIND 9 rwlock implementation. [GL #1753]
</para>
</listitem>
<listitem>
<para>
Message ids in inbound AXFR transfers are now checked for
consistency. Streams with inconsistent message ids are rejected.
[GL #1674]
</para>
</listitem>
<listitem>
<para>
BIND 9 no longer sets the recv and send buffer sizes for sockets, relying
on system defaults instead. [GL #1713]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.2-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
When running on a system with Linux capabilities support,
<command>named</command> drops root privileges very soon after system
startup. This was causing a spurious log message, <quote>unable to set
effective uid to 0: Operation not permitted</quote>, which has now been
silenced. [GL #1042] [GL #1090]
</para>
</listitem>
</itemizedlist>
</section>
</section>
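Review bot: the dnstap initialization item ([GL #1795]) is listed under Security Fixes in this removed file but appears under Bug Fixes in the replacement doc/notes/notes-current.rst, which now says "Security Fixes: None"; since silently losing dnstap data affects auditing of resolver traffic, please confirm the reclassification is deliberate and not a side effect of the move. The same anchor remark as for the 9.17.1 file applies: the relnotes-9.17.2-* xml:id values disappear without reST labels replacing them.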


@@ -18,119 +18,60 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. _relnotes:
Release Notes
=============
.. _relnotes_intro:
.. contents::
Introduction
------------
BIND 9.15 is an unstable development release of BIND. This document
BIND 9.17 is an unstable development release of BIND. This document
summarizes new features and functional changes that have been introduced
on this branch. With each development release leading up to the stable
BIND 9.16 release, this document will be updated with additional
features added and bugs fixed.
.. _relnotes_versions:
Note on Version Numbering
-------------------------
Until BIND 9.12, new feature development releases were tagged as "alpha"
and "beta", leading up to the first stable release for a given
development branch, which always ended in ".0". More recently, BIND
adopted the "odd-unstable/even-stable" release numbering convention.
There will be no "alpha" or "beta" releases in the 9.15 branch, only
increasing version numbers. So, for example, what would previously have
been called 9.15.0a1, 9.15.0a2, 9.15.0b1, and so on, will instead be
called 9.15.0, 9.15.1, 9.15.2, etc.
The first stable release from this development branch will be renamed as
9.16.0. Thereafter, maintenance releases will continue on the 9.16
branch, while unstable feature development proceeds in 9.17.
.. _relnotes_platforms:
BIND 9.18 release, this document will be updated with additional
features added and bugs fixed. Please see the file CHANGES for a more
detailed list of changes and bug fixes.
Supported Platforms
-------------------
To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6
(:rfc:`3542`), and standard atomic operations provided by the C compiler.
(:rfc:`3542`), and standard atomic operations provided by the C
compiler.
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still
required for general cryptography operations such as hashing and random
number generation.
The libuv asynchronous I/O library and the OpenSSL cryptography library
must be available for the target platform. A PKCS#11 provider can be
used instead of OpenSSL for Public Key cryptography (i.e., DNSSEC
signing and validation), but OpenSSL is still required for general
cryptography operations such as hashing and random number generation.
More information can be found in the ``PLATFORMS.md`` file that is
included in the source distribution of BIND 9. If your compiler and
system libraries provide the above features, BIND 9 should compile and
run. If that isn't the case, the BIND development team will generally
run. If that is not the case, the BIND development team will generally
accept patches that add support for systems that are still supported by
their respective vendors.
.. _relnotes_download:
Download
--------
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
https://www.isc.org/download/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
.. _relnotes_security:
Security Fixes
--------------
- None.
.. _relnotes_features:
New Features
------------
- The new ``add-soa`` option specifies whether or not the
``response-policy`` zone's SOA record should be included in the
additional section of RPZ responses. [GL #865]
.. _relnotes_removed:
Removed Features
----------------
- The ``dnssec-enable`` option has been deprecated and no longer has
any effect. DNSSEC responses are always enabled if signatures and
other DNSSEC data are present. [GL #866]
.. _relnotes_changes:
Feature Changes
---------------
- None.
.. _relnotes_bugs:
Bug Fixes
---------
- The ``allow-update`` and ``allow-update-forwarding`` options were
inadvertently treated as configuration errors when used at the
``options`` or ``view`` level. This has now been corrected. [GL #913]
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.17.1.rst
.. include:: ../notes/notes-9.17.0.rst
.. _relnotes_license:
License
-------
BIND is open source software licenced under the terms of the Mozilla
BIND 9 is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the ``LICENSE`` file for the full
text).
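Review bot: dropping the per-section labels (.. _relnotes_security:, .. _relnotes_features:, .. _relnotes_removed:, .. _relnotes_changes:, .. _relnotes_bugs:) will break any :ref: to them elsewhere in the ARM; grep doc/arm for those names before merging. The include order (notes-current, then 9.17.1, then 9.17.0) correctly puts the newest release first. Note that ".. contents::" sits above the Introduction heading and will therefore list every included release's subsections; a ":depth: 2" option keeps that table manageable as releases accumulate.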
@@ -143,29 +84,20 @@ modifications, without redistributing it, nor anyone redistributing BIND
without changes.
Those wishing to discuss license compliance may contact ISC at
https://www.isc.org/mission/contact/.
.. _end_of_life:
https://www.isc.org/contact/.
End of Life
-----------
BIND 9.15 is an unstable development branch. When its development is
complete, it will be renamed to BIND 9.16, which will be a stable
branch.
The end of life date for BIND 9.16 has not yet been determined. For
those needing long term support, the current Extended Support Version
(ESV) is BIND 9.11, which will be supported until at least December
2021. See https://www.isc.org/downloads/software-support-policy/ for
details of ISC's software support policy.
.. _relnotes_thanks:
BIND 9.17 is an unstable development branch. When its development is
complete, it will be renamed to BIND 9.18, which will be a stable
branch. The end of life date for BIND 9.18 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at least
December 2021. See https://kb.isc.org/docs/aa-00896 for details of
ISC's software support policy.
Thank You
---------
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
http://www.isc.org/donate/.
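Review bot: the ".. _end_of_life:" and ".. _relnotes_thanks:" labels are removed while the End of Life and Thank You sections stay, so any :ref: to either label will break. The contact and support-policy URLs are updated to https, but the donations link on the last line is still http://www.isc.org/donate/; update it for consistency so the link is not served over plaintext.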


@@ -0,0 +1,74 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.0
---------------------
Known Issues
~~~~~~~~~~~~
- UDP network ports used for listening can no longer simultaneously be
used for sending traffic. An example configuration which triggers
this issue would be one which uses the same ``address:port`` pair for
``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or
``transfer-source(-v6)``. While this issue affects all operating
systems, it only triggers log messages (e.g. "unable to create
dispatch for reserved port") on some of them. There are currently no
plans to make such a combination of settings work again.
New Features
~~~~~~~~~~~~
- When a secondary server receives a large incremental zone transfer
(IXFR), it can have a negative impact on query performance while the
incremental changes are applied to the zone. To address this,
``named`` can now limit the size of IXFR responses it sends in
response to zone transfer requests. If an IXFR response would be
larger than an AXFR of the entire zone, it will send an AXFR response
instead.
This behavior is controlled by the ``max-ixfr-ratio`` option - a
percentage value representing the ratio of IXFR size to the size of a
full zone transfer. The default is ``100%``. [GL #1515]
- A new RPZ option ``nsdname-wait-recurse`` controls whether
RPZ-NSDNAME rules should always be applied even if the names of
authoritative name servers for the query name need to be looked up
recurively first. The default is ``yes``. Setting it to ``no`` speeds
up initial responses by skipping RPZ-NSDNAME rules when name server
domain names are not yet in the cache. The names will be looked up in
the background and the rule will be applied for subsequent queries.
[GL #1138]
Feature Changes
~~~~~~~~~~~~~~~
- The system-provided POSIX Threads read-write lock implementation is
now used by default instead of the native BIND 9 implementation.
Please be aware that glibc versions 2.26 through 2.29 had a bug_ that
could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and
most current Linux distributions have patched or updated glibc, with
the notable exception of Ubuntu 18.04 (Bionic) which is a work in
progress. If you are running on an affected operating system, compile
BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
glibc is available. [GL !3125]
.. _bug: https://sourceware.org/bugzilla/show_bug.cgi?id=23844
- The ``rndc nta -dump`` and ``rndc secroots`` commands now both
include ``validate-except`` entries when listing negative trust
anchors. These are indicated by the keyword ``permanent`` in place of
the expiry date. [GL #1532]
Bug Fixes
~~~~~~~~~
- Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all.
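Review bot: typo "recurively" in the nsdname-wait-recurse item (should be "recursively"). The last Bug Fixes item, the inline-zone re-signing fix, is the only entry in this file without a [GL #] reference; add the issue number so it can be traced like the others. The Feature Changes item advising "--disable-pthread-rwlock" is accurate for 9.17.0 but is reversed by the 9.17.2 note that makes the native rwlock the default again, so a short pointer to that later change would save readers from applying a workaround that is no longer needed.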


@@ -0,0 +1,69 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.1
---------------------
Security Fixes
~~~~~~~~~~~~~~
- DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
Known Issues
~~~~~~~~~~~~
- We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated. [GL
#1685]
New Features
~~~~~~~~~~~~
- A new option, ``nsdname-wait-recurse``, has been added to the
``response-policy`` clause in the configuration file. When set to
``no``, RPZ NSDNAME rules are only applied if the authoritative
nameservers for the query name have been looked up and are present in
the cache. If this information is not present, the RPZ NSDNAME rules
are ignored, but the information is looked up in the background and
applied to subsequent queries. The default is ``yes``, meaning that
RPZ NSDNAME rules should always be applied, even if the information
needs to be looked up first. [GL #1138]
Feature Changes
~~~~~~~~~~~~~~~
- The previous DNSSEC sign statistics used lots of memory. The number
of keys to track is reduced to four per zone, which should be enough
for 99% of all signed zones. [GL #1179]
Bug Fixes
~~~~~~~~~
- When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, ``named`` could become nonresponsive
for a short period while deleted names were removed from the RPZ
summary database. This database cleanup is now done incrementally
over a longer period of time, reducing such delays. [GL #1447]
- When trying to migrate an already-signed zone from ``auto-dnssec
maintain`` to one based on ``dnssec-policy``, the existing keys were
immediately deleted and replaced with new ones. As the key rollover
timing constraints were not being followed, it was possible that some
clients would not have been able to validate responses until all old
DNSSEC information had timed out from caches. BIND now looks at the
time metadata of the existing keys and incorporates it into its
DNSSEC policy operation. [GL #1706]
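Review bot: the reference in the Known Issues item is wrapped as "[GL" at the end of one line and "#1685]" at the start of the next, which defeats a grep for "[GL #1685]" and is the only split reference in this file; reflow so the token stays on one line. Otherwise the content matches the removed notes-9.17.1.xml item for item.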

doc/notes/notes-current.rst Normal file

@@ -0,0 +1,107 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.2
---------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- In this release, the build system has been significantly changed (see
below), and there is a number of unresolved issues to be aware of
when using a development release. Please refer to `GitLab issue #4`_
for a list of not yet resolved issues that will be fixed in the
following releases. [GL #4]
.. _GitLab issue #4: https://gitlab.isc.org/isc-projects/bind9/-/issues/4
- BIND crashes on startup when linked against libuv 1.36. This issue
is related to ``recvmmsg()`` support in libuv which was first
included in libuv 1.35. The problem was addressed in libuv 1.37, but
the relevant libuv code change requires a special flag to be set
during library initialization in order for ``recvmmsg()`` support to
be enabled. This BIND release sets that special flag when required,
so ``recvmmsg()`` support is now enabled when BIND is compiled
against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not
usable with BIND. [GL #1761] [GL #1797]
New Features
~~~~~~~~~~~~
- The BIND 9 build system has been changed to use a typical
autoconf+automake+libtool stack. This should not make any difference
for people building BIND 9 from release tarballs, but when building
BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run
first. Extra attention is also needed when using non-standard
``./configure`` options. [GL #4]
- Added a new logging category ``rpz-passthru`` which allows RPZ
passthru actions to be logged into a separate channel. [GL #54]
- Zone timers are now exported via statistics channel. For primary
zones, only the load time is exported. For secondary zones, exported
timers also include expire and refresh times. Contributed by Paul
Frieden, Verizon Media. [GL #1232]
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or response. [GL #1834]
Feature Changes
~~~~~~~~~~~~~~~
- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
relying on system defaults instead. [GL #1713]
- The default rwlock implementation has been changed back to the native
BIND 9 rwlock implementation. [GL #1753]
- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
v3.0 and thus made operational again. Contributed by Aaron Thompson.
[GL !3326]
- The OpenSSL ECDSA implementation has been updated to support PKCS#11
via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL
#1534]
- The OpenSSL EdDSA implementation has been updated to support PKCS#11
via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
is required and thus this code is only a proof-of-concept for the
time being. Contributed by Aaron Thompson. [GL #1763]
- Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
~~~~~~~~~
- A bug in dnstap initialization could prevent some dnstap data from
being logged, especially on recursive resolvers. [GL #1795]
- When running on a system with support for Linux capabilities,
``named`` drops root privileges very soon after system startup. This
was causing a spurious log message, *unable to set effective uid to
0: Operation not permitted*, which has now been silenced. [GL #1042]
[GL #1090]
- When ``named-checkconf -z`` was run, it would sometimes incorrectly
set its exit code. It reflected the status of the last view found; if
zone-loading errors were found in earlier configured views but not in
the last one, the exit code indicated success. Thanks to Graham
Clinch. [GL #1807]
- When built without LMDB support, ``named`` failed to restart after a
zone with a double quote (") in its name was added with ``rndc
addzone``. Thanks to Alberto Fernández. [GL #1695]
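Review bot: the AXFR message-ID item says only that log messages are emitted for streams with inconsistent IDs, but CHANGES entry 5388 for the same [GL #1674] says such streams are rejected; logging an anomaly and refusing a possibly corrupted transfer are different behaviours, and one of the two texts should be corrected to match the code. Two smaller points: "there is a number of unresolved issues" should read "there are a number of unresolved issues", and the [GL #1534] reference is split across two lines like the one in notes-9.17.1.rst.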


@@ -1150,8 +1150,6 @@
./doc/arm/logging-categories.rst RST 2020
./doc/arm/managed-keys.rst RST 2020
./doc/arm/manpages.rst RST 2020
./doc/arm/notes-9.17.1.xml SGML 2020
./doc/arm/notes-9.17.2.xml SGML 2020
./doc/arm/notes.rst RST 2020
./doc/arm/pkcs11.rst RST 2020
./doc/arm/plugins.rst RST 2020
@@ -1248,6 +1246,9 @@
./doc/misc/sort-options.pl PERL 2007,2012,2016,2018,2019,2020
./doc/misc/static-stub.zoneopt X 2018,2019,2020
./doc/misc/stub.zoneopt X 2018,2019,2020
./doc/notes/notes-9.17.0.rst RST 2020
./doc/notes/notes-9.17.1.rst RST 2020
./doc/notes/notes-current.rst RST 2020
./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020