Update BIND version to 9.17.11

Prepare documentation for BIND 9.17.11

See merge request isc-private/bind9!252

.gitlab/issue_templates/Release.md

@@ -71,7 +71,7 @@
  - [ ] ***(Support)*** Publish links to downloads on ISC website.
  - [ ] ***(Support)*** Write release email to *bind-announce*.
  - [ ] ***(Support)*** Write email to *bind-users* (if a major release).
- - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition.
+ - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket).
  - [ ] ***(Support)*** Update tickets in case of waiting support customers.
  - [ ] ***(QA)*** Build and test any outstanding private packages.
  - [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).

CHANGES

@@ -1,12 +1,14 @@
+	--- 9.17.11 released ---
+
 5597.	[bug]		When serve-stale was enabled and starting the recursive
 			resolution process for a query failed, a named instance
 			could crash if it was configured as both a recursive and
 			authoritative server. This problem was introduced by
 			change 5573 and has now been fixed. [GL #2565]
 
-5596.	[func]		Client-side support for DNS-over-HTTPS (DoH) has
-			been added to dig. "dig +https" can now query
-			a server via HTTP/2. [GL #1641]
+5596.	[func]		Client-side support for DNS-over-HTTPS (DoH) has been
+			added to dig. "dig +https" can now query a server via
+			HTTP/2. [GL #1641]
 
 5595.	[cleanup]	Public header files for BIND 9 libraries no longer
 			directly include third-party library headers. This
@@ -18,72 +20,75 @@
 5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
 			[GL #2298]
 
-5593.	[bug]		Journal files written by older versions of named
-			can now be read when loading zones so that journal
-			incompatibility will not cause problems on upgrade.
-			Outdated journals will be updated to the new format
-			after loading. [GL #2505]
+5593.	[bug]		Journal files written by older versions of named can now
+			be read when loading zones, so that journal
+			incompatibility does not cause problems on upgrade.
+			Outdated journals are updated to the new format after
+			loading. [GL #2505]
 
-5592.	[bug]		Add globally available thread_id (isc_tid_v) that's
-			incremented for each new thread, but the old thread
-			ids are reused, so the maximum thread_id always
-			correspond to the maximum number of threads running
-			at the time. This fixes the hazard pointer tables
-			overflow on machines with many cores. [GL #2396]
+5592.	[bug]		Prevent hazard pointer table overflows on machines with
+			many cores, by allowing the thread IDs (serving as
+			indices into hazard pointer tables) of finished threads
+			to be reused by those created later. [GL #2396]
 
-5591.	[bug]		Fix a crash happening when "stale-answer-client-timeout"
-			is triggered and there is no (stale) data for it in the
-			cache. [GL #2503]
+5591.	[bug]		Fix a crash that occurred when
+			"stale-answer-client-timeout" was triggered without any
+			(stale) data available in the cache to answer the query.
+			[GL #2503]
 
-5590.	[bug]		Process NSEC3PARAM queue when loading a dynamic zone.
-			This will immediately create NSEC3 records for zones
-			that use "dnssec-policy" and "nsec3param". [GL #2498]
+5590.	[bug]		NSEC3 records were not immediately created for dynamic
+			zones using NSEC3 with "dnssec-policy", resulting in
+			such zones going bogus. Add code to process the
+			NSEC3PARAM queue at zone load time so that NSEC3 records
+			for such zones are created immediately. [GL #2498]
 
 5589.	[placeholder]
 
-5588.	[func]		Add "purge-keys" option to "dnssec-policy". This sets
-			the time how long key files should be retained after
-			they have become obsolete. [GL #2408]
+5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
+			option determines the period of time for which key files
+			are retained after they become obsolete. [GL #2408]
 
 5587.	[bug]		A standalone libtool script no longer needs to be
-			present in PATH in order to build BIND 9 from a source
-			tarball prepared using "make dist". [GL #2504]
+			present in PATH to build BIND 9 from a source tarball
+			prepared using "make dist". [GL #2504]
 
 5586.	[bug]		An invalid direction field in a LOC record resulted in
-			an INSIST failure. [GL #2499]
+			an INSIST failure when a zone file containing such a
+			record was loaded. [GL #2499]
 
-5585.	[func]		Implementations of memory contexts and memory pools were
+5585.	[func]		Memory contexts and memory pool implementations were
 			refactored to reduce lock contention for shared memory
 			contexts by replacing mutexes with atomic operations.
 			The internal memory allocator was simplified so that it
-			is only a thin wrapper around the system allocator.
-			Since this change makes the "-M external" named option
-			redundant, the latter was removed. [GL #2433]
+			is only a thin wrapper around the system allocator. This
+			change made the "-M external" named option redundant and
+			it was therefore removed. [GL #2433]
 
-5584.	[bug]		Rollback setting IP_DONTFRAG option on the UDP sockets.
-			[GL #2487]
+5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
+			prevent dropping outgoing packets exceeding
+			"max-udp-size". [GL #2466]
 
-5583.	[func]		Changes to DoH configuration syntax:
+5583.	[func]		Changes to DNS-over-HTTPS (DoH) configuration syntax:
 			- When "http" is specified in "listen-on" or
-			  "listen-on-v6" statements, "tls" must also now
-			  be specified. If an unencrypted connection is
-			  desired (for example, when running behind a
-			  reverse proxy), use "tls none".
-			- "http default" can how be specified in "listen-on"
-			  and "listen-on-v6" statements to use the default
-			  HTTP endpoint, "/dns-query". It is no longer
-			  necessary to include an "http" statement in
-			  named.conf unless overriding this value.
+			  "listen-on-v6" statements, "tls" must also now be
+			  specified. If an unencrypted connection is desired
+			  (for example, when running behind a reverse proxy),
+			  use "tls none".
+			- "http default" can now be specified in "listen-on" and
+			  "listen-on-v6" statements to use the default HTTP
+			  endpoint of "/dns-query". It is no longer necessary to
+			  include an "http" statement in named.conf unless
+			  overriding this value.
 			[GL #2472]
 
 5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
-			were used and the *.pc files for libssl and/or libcrypto
-			were unavailable. This has been fixed by ensuring the
-			correct linking order for libssl and libcrypto is always
-			used. [GL #2402]
+			were used and the pkg-config files for libssl and/or
+			libcrypto were unavailable. This has been fixed by
+			ensuring that the correct linking order for libssl and
+			libcrypto is always used. [GL #2402]
 
-5581.	[bug]		Fix memory leak happening when inline-signed zones
-			were added to the configuration followed by a
+5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
+			were added to the configuration, followed by a
 			reconfiguration of named. [GL #2041]
 
 5580.	[test]		The system test framework no longer differentiates
@@ -91,11 +96,11 @@
 			system test which is not run is now marked as SKIPPED.
 			[GL !4517]
 
-5579.	[bug]		If an invalid key name (e.g. "a..b") is
-			specified in an primaries list in named.conf
-			the wrong size is passed to isc_mem_put
-			resulting in the returned memory being put
-			on the wrong freed list. [GL #2460]
+5579.	[bug]		If an invalid key name (e.g. "a..b") was specified in a
+			primaries list in named.conf, the wrong size was passed
+			to isc_mem_put(), resulting in the returned memory being
+			put on the wrong free list. This prevented named from
+			starting up. [GL #2460]
 
 	--- 9.17.10 released ---
 

configure.ac

@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 10)dnl
+m4_define([bind_VERSION_PATCH], 11)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl

doc/arm/notes.rst

@@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.11.rst
 .. include:: ../notes/notes-9.17.10.rst
 .. include:: ../notes/notes-9.17.9.rst
 .. include:: ../notes/notes-9.17.8.rst

doc/notes/notes-9.17.11.rst

@@ -0,0 +1,90 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.17.11
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- ``dig`` has been extended to support DNS-over-HTTPS (DoH) queries,
+  using ``dig +https`` and related options. [GL #1641]
+
+- A new ``purge-keys`` option has been added to ``dnssec-policy``. It
+  sets the period of time that key files are retained after becoming
+  obsolete due to a key rollover; the default is 90 days. This feature
+  can be disabled by setting ``purge-keys`` to 0. [GL #2408]
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- To prevent users from inadvertently configuring unencrypted
+  DNS-over-HTTPS (DoH) in BIND 9, ``listen-on`` and ``listen-on-v6``
+  statements using the ``http`` parameter must now also specify the
+  ``tls`` parameter. ``tls none`` can be used to explicitly allow
+  unencrypted HTTP connections. [GL #2472]
+
+- ``http default`` can now be specified in ``listen-on`` and
+  ``listen-on-v6`` statements to use the default HTTP endpoint of
+  ``/dns-query``. It is no longer necessary to include an ``http``
+  statement in ``named.conf`` unless overriding this value. [GL #2472]
+
+Bug Fixes
+~~~~~~~~~
+
+- Zone journal (``.jnl``) files created by versions of ``named`` prior
+  to 9.16.12 were no longer compatible; this could cause problems when
+  upgrading if journal files were not synchronized first. This has been
+  corrected: older journal files can now be read when starting up. When
+  an old-style journal file is detected, it is updated to the new format
+  immediately after loading.
+
+  Note that journals created by the current version of ``named`` are not
+  usable by versions prior to 9.16.12. Before downgrading to a prior
+  release, users are advised to ensure that all dynamic zones have been
+  synchronized using ``rndc sync -clean``.
+
+  A journal file's format can be changed manually by running
+  ``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
+  (upgrade). Note that this *must not* be done while ``named`` is
+  running. [GL #2505]
+
+- ``named`` crashed when it was allowed to serve stale answers and
+  ``stale-answer-client-timeout`` was triggered without any (stale) data
+  available in the cache to answer the query. [GL #2503]
+
+- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
+  instead of sending back a proper response. To prevent this problem,
+  the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
+  been happening since BIND 9.17.6. [GL #2466]
+
+- NSEC3 records were not immediately created when signing a dynamic zone
+  using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
+  [GL #2498]
+
+- A memory leak occurred when ``named`` was reconfigured after adding an
+  inline-signed zone with ``auto-dnssec maintain`` enabled. This has
+  been fixed. [GL #2041]
+
+- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
+  a LOC record resulted in an INSIST failure when a zone file containing
+  such a record was loaded. [GL #2499]
+
+- If an invalid key name (e.g. ``a..b``) was specified in a
+  ``primaries`` list in ``named.conf``, the wrong size was passed to
+  ``isc_mem_put()``, which resulted in the returned memory being put on
+  the wrong free list and prevented ``named`` from starting up. This has
+  been fixed. [GL #2460]
+
+- ``libtool`` was inadvertently introduced as a build-time requirement
+  when the build system was revamped in BIND 9.17.2. This unnecessarily
+  prevented hosts without that tool from building BIND 9 from source
+  tarballs. A standalone ``libtool`` script no longer needs to be
+  present in ``PATH`` to build BIND 9 from a source tarball. [GL #2504]

doc/notes/notes-current.rst

@@ -1,84 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.17.11
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- None.
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- ``dig`` has been extended to support DNS-over-HTTPS (DoH) queries,
-  using ``dig +https`` and related options. [GL #1641]
-
-- A new option, ``purge-keys``, has been added to ``dnssec-policy``. It sets
-  the time how long key files should be retained after they have become
-  obsolete (due to a key rollover). Default is 90 days, and the feature can
-  be disabled by setting it to 0. [GL #2408]
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- None.
-
-Bug Fixes
-~~~~~~~~~
-
-- If an invalid key name (e.g. "a..b") was specified in a ``primaries``
-  list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``,
-  which resulted in the returned memory being put on the wrong freed
-  list. This has been fixed. [GL #2460]
-
-- If an outgoing packet would exceed max-udp-size, it would be dropped instead
-  of sending a proper response back.  Rollback setting the IP_DONTFRAG on the
-  UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
-  [GL #2487]
-
-- NSEC3 records were not immediately created when signing a dynamic zone with
-  ``dnssec-policy`` and ``nsec3param``. This has been fixed [GL #2498].
-
-- An invalid direction field (not one of 'N'/'S' or 'E'/'W') in a LOC record
-  triggered an INSIST failure. [GL #2499]
-
-- Previously, a BIND server could experience an unexpected server termination
-  (crash) if the return of stale cached answers was enabled and
-  ``stale-answer-client-timeout`` was applied to a client query in process.
-  This has been fixed. [GL #2503]
-
-- Zone journal (``.jnl``) files created by versions of ``named`` prior
-  to 9.16.12 were no longer compatible; this could cause problems when
-  upgrading if journal files were not synchronized first.  This has been
-  corrected: older journal files can now be read when starting up.  When
-  an old-style journal file is detected, it is updated to the new
-  format immediately after loading.
-
-  Note that journals created by the current version of ``named`` are not
-  usable by versions prior to 9.16.12. Before downgrading to a prior
-  release, users are advised to ensure that all dynamic zones have been
-  synchronized using ``rndc sync -clean``.
-
-  A journal file's format can be changed manually by running
-  ``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
-  (upgrade). Note that this *must not* be done while ``named`` is
-  running.  [GL #2505]