Merge tag 'v9_19_4'

BIND 9.19.4

CHANGES

@@ -27,6 +27,8 @@
 5935.	[bug]		Fix DiG lookup reference counting bug, which could
 			be observed in NSSEARCH mode. [GL #3478]
 
+	--- 9.19.4 released ---
+
 5934.	[func]		Improve fetches-per-zone fetch limit logging to log
 			the final allowed and spilled values of the fetch
 			counters before the counter object gets destroyed.

doc/arm/notes.rst

@@ -37,6 +37,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
 .. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.19.4.rst
 .. include:: ../notes/notes-9.19.3.rst
 .. include:: ../notes/notes-9.19.2.rst
 .. include:: ../notes/notes-9.19.1.rst

doc/notes/notes-9.19.0.rst

@@ -41,7 +41,7 @@ New Features
 Removed Features
 ~~~~~~~~~~~~~~~~
 
-- The ``keep-order-response`` option has been declared obsolete and the
+- The ``keep-response-order`` option has been declared obsolete and the
   functionality has been removed. :iscman:`named` expects DNS clients to
   be fully compliant with :rfc:`7766`. :gl:`#3140`
 

doc/notes/notes-9.19.4.rst

@@ -0,0 +1,59 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.19.4
+---------------------
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options`
+  and :namedconf:ref:`zone` blocks has been deprecated; it should now be
+  configured as part of :any:`dnssec-policy`. A warning is logged if
+  this option is used in :namedconf:ref:`options` or :any:`zone` blocks.
+  In a future release, it will become nonoperational. :gl:`#2918`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
+  disabled on systems where they are disallowed by the security policy
+  (e.g. Red Hat Enterprise Linux 9). Primary zones using those
+  algorithms need to be migrated to new algorithms prior to running on
+  these systems, as graceful migration to different DNSSEC algorithms is
+  not possible when RSASHA1 is disallowed by the operating system.
+  :gl:`#3469`
+
+- Log messages related to fetch limiting have been improved to provide
+  more complete information. Specifically, the final counts of allowed
+  and spilled fetches are now logged before the counter object is
+  destroyed. :gl:`#3461`
+
+Bug Fixes
+~~~~~~~~~
+
+- When running as a validating resolver forwarding all queries to
+  another resolver, :iscman:`named` could crash with an assertion
+  failure. These crashes occurred when the configured forwarder sent a
+  broken DS response and :iscman:`named` failed its attempts to find a
+  proper one instead. This has been fixed. :gl:`#3439`
+
+- DNS compression is no longer applied to the root name (``.``) if it is
+  repeatedly used in the same RRset. :gl:`#3423`
+
+- Non-dynamic zones that inherit :any:`dnssec-policy` from the
+  :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
+  marked as inline-signed and therefore never scheduled to be re-signed.
+  This has been fixed. :gl:`#3438`
+
+- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
+  expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
+  the cache-cleaning time window has passed. :gl:`#3462`