From ff6c6ec421c9155c83d5dd71fdd9eb18bdf41115 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 13 Aug 2024 11:24:32 +0200 Subject: [PATCH] Re-apply release note tweaks from the 9.21.0 release --- doc/notes/notes-9.20.1.rst | 183 +++++++++++++++++++------------------ 1 file changed, 94 insertions(+), 89 deletions(-) diff --git a/doc/notes/notes-9.20.1.rst b/doc/notes/notes-9.20.1.rst index dc0616446d..e26516ccb2 100644 --- a/doc/notes/notes-9.20.1.rst +++ b/doc/notes/notes-9.20.1.rst 
@@ -1,125 +1,130 @@ -(-dev) ------- +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.1 +--------------------- New Features ~~~~~~~~~~~~ -- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. +- Implement ``rndc retransfer -force``. - There were cases in resolver.c when the `max-recursion-queries` quota - was ineffective. It was possible to craft zones that would cause a - resolver to waste resources by sending excessive queries while - attempting to resolve a name. This has been addressed by correcting - errors in the implementation of `max-recursion-queries`, and by - reducing the default value from 100 to 32. - - In addition, a new `max-query-restarts` option has been added which - limits the number of times a recursive server will follow CNAME or - DNAME records before terminating resolution. This was previously a - hard-coded limit of 16, and now defaults to 11. :gl:`#4741` - :gl:`!9282` - -- Implement rndc retransfer -force. - - A new optional argument '-force' has been added to the command channel - command 'rndc retransfer'. When it is specified, named aborts the - ongoing zone transfer (if there is one), and starts a new transfer. + A new optional argument ``-force`` has been added to the command + :option:`rndc retransfer`. When it is specified, :iscman:`named` aborts the + ongoing zone transfer (if there is one) and starts a new transfer. :gl:`#2299` :gl:`!9219` +- :iscman:`dig` now reports a missing QUESTION section for messages with opcode QUERY. + + Query responses should contain the QUESTION section, with some + exceptions. 
:iscman:`dig` was not reporting this. :gl:`#4808` :gl:`!9269` + Feature Changes ~~~~~~~~~~~~~~~ -- Allow shorter resolver-query-timeout configuration. - The minimum allowed value of 'resolver-query-timeout' was lowered to - 301 milliseconds instead of the earlier 10000 milliseconds (which is - the default). As earlier, values less than or equal to 300 are - converted to seconds before applying the limit. :gl:`#4320` - :gl:`!9220` +- Tighten :any:`max-recursion-queries` and add :any:`max-query-restarts` + configuration statement. + + There were cases when the :any:`max-recursion-queries` + quota was ineffective. It was possible to craft zones that would cause + a resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by correcting + errors in the implementation of :any:`max-recursion-queries` and by + reducing the default value from 100 to 32. + + In addition, a new :any:`max-query-restarts` configuration statement has been + added, which limits the number of times a recursive server will follow CNAME + or DNAME records before terminating resolution. This was previously a + hard-coded limit of 16 but is now configurable with a default value of 11. + + ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin + Tanir from NetSec group, ETH Zurich for discovering and notifying us about + the issue. :gl:`#4741` :gl:`!9282` + +- Allow shorter :any:`resolver-query-timeout` configuration. + + The minimum allowed value of :any:`resolver-query-timeout` was lowered + from its previous value of 10 000 milliseconds (which is still the default) + to 301 milliseconds. Note however that values of 1 to 300 inclusive are + interpreted as seconds before applying the limit. A value of zero is + interpreted as the default. :gl:`#4320` :gl:`!9220` + +- Raise the log level of priming failures. 
+ + When a priming query is complete, it was previously logged at level + ``DEBUG(1)``, regardless of success or failure. It is now + logged to ``NOTICE`` in the case of failure. :gl:`#3516` + :gl:`!9250` Bug Fixes ~~~~~~~~~ -- Reconfigure catz member zones during named reconfiguration. +- Fix a crash caused by valid TSIG signatures with invalid time. - During a reconfiguration named wasn't reconfiguring catalog zones' - member zones. This has been fixed. :gl:`#4733` + An assertion failure was triggered when the TSIG had a valid + cryptographic signature but the time was invalid. This could happen + when the times between the primary and secondary servers were not + synchronised. The crash has now been fixed. :gl:`#4811` :gl:`!9245` -- Fix --enable-tracing build on systems without dtrace. +- Return SERVFAIL for a too long CNAME chain. - Missing file util/dtrace.sh prevented builds on system without dtrace - utility. This has been corrected. + When following long CNAME chains, :iscman:`named` was returning NOERROR + (along with a partial answer) instead of SERVFAIL, if the chain exceeded the + maximum length. This has been fixed. :gl:`#4449` :gl:`!9203` -- Dig now reports missing query section for opcode QUERY. +- Reconfigure catz member zones during :iscman:`named` reconfiguration. - Query responses should contain the question section with some - exceptions. Dig was not reporting this. :gl:`#4808` :gl:`!9269` + During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog + zones' member zones. This has been fixed. :gl:`#4733` -- Fix assertion failure in the glue cache. +- Update key lifetime and metadata after :any:`dnssec-policy` reconfiguration. - Fix an assertion failure that could happen as a result of data race - between free_gluetable() and addglue() on the same headers. - :gl:`#4691` :gl:`!9256` + Adjust key state and timing metadata if :any:`dnssec-policy` key + lifetime configuration is updated, so that it also affects existing + keys. 
:gl:`#4677` :gl:`!9191` -- Raise the log level of priming failures. +- Fix a crash during zone modification. - When a priming query is complete, it's currently logged at level - ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising - it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` - :gl:`!9250` + Fix an assertion failure that could happen when an authoritative zone was + modified while the server was generating an answer from that zone. + :gl:`#4691` :gl:`!9126` -- Fix assertion failure when checking named-checkconf version. - - Checking the version of `named-checkconf` would end with assertion - failure. This has been fixed. :gl:`#4827` :gl:`!9246` - -- Valid TSIG signatures with invalid time cause crash. - - An assertion failure triggers when the TSIG has valid cryptographic - signature, but the time is invalid. This can happen when the times - between the primary and secondary servers are not synchronised. - :gl:`#4811` :gl:`!9245` - -- Remove extra newline from yaml output. - - I split this into two commits, one for the actual newline removal, and - one for issues I found, ruining the yaml output when some errors were - outputted. +- Fix assertion failure when executing :option:`named-checkconf -v` + to print its version. :gl:`#4827` :gl:`!9246` - Fix generation of 6to4-self name expansion from IPv4 address. The period between the most significant nibble of the encoded IPv4 - address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the - wrong name being checked. Add system test for 6to4-self - implementation. :gl:`#4766` :gl:`!9217` + address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the + wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9217` + +- :option:`dig +yaml` was producing unexpected and/or invalid YAML. + output. :gl:`#4796` :gl:`!9213` + +- SVBC ALPN text parsing failed to reject zero-length ALPN. :gl:`#4775` :gl:`!9209` - Fix false QNAME minimisation error being reported. 
- Remove the false positive "success resolving" log message when QNAME - minimisation is in effect and the final result is NXDOMAIN. - :gl:`#4784` :gl:`!9215` + Remove the false positive ``success resolving`` log message when QNAME + minimisation is in effect and the final result is an NXDOMAIN. :gl:`#4784` :gl:`!9215` -- Dig +yaml was producing unexpected and/or invalid YAML output. +- Fix ``--enable-tracing`` build on systems without dtrace. - :gl:`#4796` :gl:`!9213` + A missing ``util/dtrace.sh`` file prevented builds on systems without + the ``dtrace`` utility. This has been corrected. :gl:`#4835` :gl:`!9272` -- SVBC alpn text parsing failed to reject zero length alpn. +Known Issues +~~~~~~~~~~~~ - :gl:`#4775` :gl:`!9209` - -- Return SERVFAIL for a too long CNAME chain. - - When cutting a long CNAME chain, named was returning NOERROR instead - of SERVFAIL (alongside with a partial answer). This has been fixed. - :gl:`#4449` :gl:`!9203` - -- Properly calculate the amount of system memory. - - On 32 bit machines isc_meminfo_totalphys could return an incorrect - value. :gl:`#4799` :gl:`!9199` - -- Update key lifetime and metadata after dnssec-policy reconfig. - - Adjust key state and timing metadata if dnssec-policy key lifetime - configuration is updated, so that it also affects existing keys. - :gl:`#4677` :gl:`!9191` +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch.
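Review bot: The rewritten glue-cache entry changes the merge-request reference for :gl:`#4691` from :gl:`!9256` to :gl:`!9126` while keeping the same issue number; one of the two references is wrong, so please confirm which MR actually fixed the "crash during zone modification" before this lands. In the same hunk, the "Properly calculate the amount of system memory" entry (:gl:`#4799` :gl:`!9199`) is deleted without a replacement, so that fix silently disappears from the 9.20.1 notes; if it was intentionally dropped, the commit message should say so. Two smaller text points: the :option:`dig +yaml` entry now reads "invalid YAML." followed by "output." on the next line, leaving a stray period mid-sentence (should be "invalid YAML output."), and "SVBC ALPN" keeps the pre-existing typo for the SVCB record type. Finally, the Known Issues paragraph renders as ":ref:`above ` for a list", with an empty reference target; check that the label is present in the source, since Sphinx will warn on an empty :ref:.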