Drop Windows zips from release tarballs

Prepare documentation for BIND 9.17.16

See merge request isc-private/bind9!307

.gitlab-ci.yml

@@ -1165,7 +1165,7 @@ release:
     # Prepare release tarball contents (tarballs + documentation)
     - mkdir -p release/doc/arm
     - pushd release
-    - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip .
+    - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" .
     - tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}"
     - mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README.md,srcid} .
     - rm -rf "${BIND_DIRECTORY}"

CHANGES

@@ -1,47 +1,53 @@
-5671.	[bug]		Fix a race condition where two threads are competing for
-			the same set of key file locks, that could lead to a
-			deadlock. This has been fixed. [GL #2786]
+	--- 9.17.16 released ---
 
-5670.	[bug]		Handle place holder KEYDATA records. [GL #2769]
+5671.	[bug]		A race condition could occur where two threads were
+			competing for the same set of key file locks, leading to
+			a deadlock. This has been fixed. [GL #2786]
 
-5669.	[func]		Add 'checkds' feature. Zones with "dnssec-policy" and
-			"parental-agents" configured will check for DS presence
-			and are able to perform automatic KSK rollover.
-			[GL #1126]
+5670.	[bug]		create_keydata() created an invalid placeholder keydata
+			record upon a refresh failure, which prevented the
+			database of managed keys from subsequently being read
+			back. This has been fixed. [GL #2686]
 
-5668.	[bug]		When a zone fails to load on startup, the setnsec3param
-			task is rescheduled. This caused a hang on shutdown, and
-			is now fixed. [GL #2791]
+5669.	[func]		KASP support was extended with the "check DS" feature.
+			Zones with "dnssec-policy" and "parental-agents"
+			configured now check for DS presence and can perform
+			automatic KSK rollovers. [GL #1126]
+
+5668.	[bug]		Rescheduling a setnsec3param() task when a zone failed
+			to load on startup caused a hang on shutdown. This has
+			been fixed. [GL #2791]
 
 5667.	[bug]		The configuration-checking code failed to account for
 			the inheritance rules of the "dnssec-policy" option.
-			[GL #2780]
+			This has been fixed. [GL #2780]
 
-5666.	[func]		Tweak the safe "edns-udp-size" to match the probing
-			value from BIND 9.16 for better compatibility.
+5666.	[doc]		The safe "edns-udp-size" value was tweaked to match the
+			probing value from BIND 9.16 for better compatibility.
 			[GL #2183]
 
-5665.	[bug]		'nsupdate' did not retry with another server if
-			it received a REFUSED response. [GL #2758]
+5665.	[bug]		If nsupdate sends an SOA request and receives a REFUSED
+			response, it now fails over to the next available
+			server. [GL #2758]
 
-5664.	[func]		Handle a UDP sending error on UDP messages larger
-			than the path MTU; in such a case an empty response is
-			sent back with the TC (TrunCated) bit set. Re-enable
-			setting the DF (Don't Fragment) flag on outgoing
-			UDP sockets. [GL #2790]
+5664.	[func]		For UDP messages larger than the path MTU, named now
+			sends an empty response with the TC (TrunCated) bit set.
+			In addition, setting the DF (Don't Fragment) flag on
+			outgoing UDP sockets was re-enabled. [GL #2790]
 
-5663.	[bug]		Properly handle non-zero OPCODEs when receiving the
-			queries over DoT and DoH channels. [GL #2787]
+5663.	[bug]		Non-zero OPCODEs are now properly handled when receiving
+			queries over DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
+			channels. [GL #2787]
 
 5662.	[bug]		Views with recursion disabled are now configured with a
-			default cache size of 2 MB, unless "max-cache-size" is
+			default cache size of 2 MB unless "max-cache-size" is
 			explicitly set. This prevents cache RBT hash tables from
 			being needlessly preallocated for such views. [GL #2777]
 
-5661.	[bug]		A deadlock was introduced when fixing [GL #1875] because
-			when locking the key file mutex for each zone structure
-			that is in a different view, "in-view" logic was not
-			taken into account. This has been fixed. [GL #2783]
+5661.	[bug]		Change 5644 inadvertently introduced a deadlock: when
+			locking the key file mutex for each zone structure in a
+			different view, the "in-view" logic was not considered.
+			This has been fixed. [GL #2783]
 
 5660.	[bug]		The configuration-checking code failed to account for
 			the inheritance rules of the "key-directory" option.
@@ -56,17 +62,17 @@
 			This change was included in BIND 9.17.15.
 
 5658.	[bug]		Increasing "max-cache-size" for a running named instance
-			(using "rndc reconfig") was not causing the hash tables
+			(using "rndc reconfig") did not cause the hash tables
 			used by cache databases to be grown accordingly. This
 			has been fixed. [GL #2770]
 
-5657.	[cleanup]	Removed support for builtin atomics in old versions
-			of clang (<< 3.6.0) and gcc (<< 4.7.0), and atomics
-			emulated with mutex. [GL #2606]
+5657.	[cleanup]	Support was removed for both built-in atomics in old
+			versions of Clang (< 3.6.0) and GCC (< 4.7.0), and
+			atomics emulated with a mutex. [GL #2606]
 
-5656.	[bug]		Ensure that large responses work correctly over
-			DoH, and that zone transfer requests over DoH are
-			explicitly rejected. [GL !5148]
+5656.	[bug]		Named now ensures that large responses work correctly
+			over DNS-over-HTTPS (DoH), and that zone transfer
+			requests over DoH are explicitly rejected. [GL !5148]
 
 5655.	[bug]		Signed, insecure delegation responses prepared by named
 			either lacked the necessary NSEC records or contained
@@ -74,11 +80,10 @@
 			CNAME chaining were required to prepare the response.
 			This has been fixed. [GL #2759]
 
-5654.	[func]		Windows support has been removed. [GL #2690]
+5654.	[port]		Windows support has been removed. [GL #2690]
 
-5653.	[bug]		Fixed a bug that caused the NSEC3 salt to be changed
-			for KASP zones on restart.
-			[GL #2725]
+5653.	[bug]		A bug that caused the NSEC3 salt to be changed on every
+			restart for zones using KASP has been fixed. [GL #2725]
 
 	--- 9.17.14 released ---
 

configure.ac

@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 15)dnl
+m4_define([bind_VERSION_PATCH], 16)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl

doc/arm/notes.rst

@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at
 https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.16.rst
 .. include:: ../notes/notes-9.17.15.rst
 .. include:: ../notes/notes-9.17.14.rst
 .. include:: ../notes/notes-9.17.13.rst

doc/notes/notes-9.17.16.rst

@@ -0,0 +1,78 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.17.16
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Sending DNS messages with the OPCODE field set to anything other than
+  QUERY (0) via DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) channels
+  triggered an assertion failure in ``named``. This has been fixed.
+
+  ISC would like to thank Ville Heikkila of Synopsys Cybersecurity
+  Research Center for bringing this vulnerability to our attention.
+  :gl:`#2787`
+
+New Features
+~~~~~~~~~~~~
+
+- Using a new configuration option, ``parental-agents``, each zone can
+  now be associated with a list of servers that can be used to check the
+  DS RRset in the parent zone. This enables automatic KSK rollovers.
+  :gl:`#1126`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for compiling and running BIND 9 natively on Windows has been
+  completely removed. The last stable release branch that has working
+  Windows support is BIND 9.16. :gl:`#2690`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- IP fragmentation has been disabled for outgoing UDP sockets. Errors
+  triggered by sending DNS messages larger than the specified path MTU
+  are properly handled by sending empty DNS replies with the ``TC``
+  (TrunCated) bit set, which forces DNS clients to fall back to TCP.
+  :gl:`#2790`
+
+Bug Fixes
+~~~~~~~~~
+
+- The code managing :rfc:`5011` trust anchors created an invalid
+  placeholder keydata record upon a refresh failure, which prevented the
+  database of managed keys from subsequently being read back. This has
+  been fixed. :gl:`#2686`
+
+- Signed, insecure delegation responses prepared by ``named`` either
+  lacked the necessary NSEC records or contained duplicate NSEC records
+  when both wildcard expansion and CNAME chaining were required to
+  prepare the response. This has been fixed. :gl:`#2759`
+
+- If ``nsupdate`` sends an SOA request and receives a REFUSED response,
+  it now fails over to the next available server. :gl:`#2758`
+
+- A bug that caused the NSEC3 salt to be changed on every restart for
+  zones using KASP has been fixed. :gl:`#2725`
+
+- The configuration-checking code failed to account for the inheritance
+  rules of the ``dnssec-policy`` option. This has been fixed.
+  :gl:`#2780`
+
+- The fix for :gl:`#1875` inadvertently introduced a deadlock: when
+  locking key files for reading and writing, the ``in-view`` logic was
+  not considered. This has been fixed. :gl:`#2783`
+
+- A race condition could occur where two threads were competing for the
+  same set of key file locks, leading to a deadlock. This has been
+  fixed. :gl:`#2786`

doc/notes/notes-current.rst

@@ -1,66 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.17.16
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Sending non-zero opcode via DoT or DoH channels would trigger an assertion
-  failure in ``named``. This has been fixed.
-
-  ISC would like to thank Ville Heikkila of Synopsys Cybersecurity Research
-  Center for responsibly disclosing the vulnerability to us. :gl:`#2787`
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- Automatic KSK rollover: A new configuration option ``parental-agents`` is
-  added to add a list of servers to a zone that can be used for checking DS
-  presence. :gl:`#1126`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- Support for compiling and running BIND 9 natively on Windows has been
-  completely removed.  The last release branch that has working Windows
-  support is BIND 9.16. :gl:`#2690`
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- IP fragmentation on outgoing UDP sockets has been disabled.  Errors from
-  sending DNS messages larger than the specified path MTU are properly handled;
-  ``named`` now sends back empty DNS messages with the TC (TrunCated) bit set,
-  forcing the DNS client to fall back to TCP.  :gl:`#2790`
-
-Bug Fixes
-~~~~~~~~~
-
-- Fixed a bug that caused the NSEC salt to be changed for KASP zones on
-  every startup. :gl:`#2725`
-
-- Signed, insecure delegation responses prepared by ``named`` either
-  lacked the necessary NSEC records or contained duplicate NSEC records
-  when both wildcard expansion and CNAME chaining were required to
-  prepare the response. This has been fixed. :gl:`#2759`
-
-- A deadlock at startup was introduced when fixing :gl:`#1875` because when
-  locking key files for reading and writing, "in-view" logic was not taken into
-  account. This has been fixed. :gl:`#2783`
-
-- Fix a race condition where two threads are competing for the same set of key
-  file locks, that could lead to a deadlock. This has been fixed. :gl:`#2786`