Update BIND version to 9.17.17

Prepare documentation for BIND 9.17.17

See merge request isc-private/bind9!312

CHANGES

@@ -1,85 +1,94 @@
-5689.	[placeholder]
+	--- 9.17.17 released ---
 
-5688.	[bug]		Inline and dnssec-policy zones could fail to apply
-			changes from the unsigned zone to the signed zone
-			under certain cirumstances. [GL #2735]
+5689.	[security]	An assertion failure occurred when named attempted to
+			send a UDP packet that exceeded the MTU size, if
+			Response Rate Limiting (RRL) was enabled.
+			(CVE-2021-25218) [GL #2856]
 
-5687.	[bug]		Update the load time of touched inline zones.
-			[GL #2542]
+5688.	[bug]		Zones using KASP and inline-signed zones failed to apply
+			changes from the unsigned zone to the signed zone under
+			certain circumstances. This has been fixed. [GL #2735]
+
+5687.	[bug]		"rndc reload <zonename>" could trigger a redundant
+			reload for an inline-signed zone whose zone file was not
+			modified since the last "rndc reload". This has been
+			fixed. [GL #2855]
 
 5686.	[func]		The number of internal data structures allocated for
 			each zone was reduced. [GL #2829]
 
-5685.	[bug]		Check the opcodes of messages returned by
-			dns_request_getresponse.  [GL #2762]
+5685.	[bug]		named failed to check the opcode of responses when
+			performing zone refreshes, stub zone updates, and UPDATE
+			forwarding. This has been fixed. [GL #2762]
 
-5684.	[func]		Changes to the DNS-over-HTTP (DoH) configuration
-			syntax:
-
-			- The maximum number of active DoH connections
-			  can now be set using the "http-listener-clients"
-			  option. The default is 300.
-			- The maximum number of concurrent HTTP/2 streams
-			  per connection can be set using via the
-			  "http-streams-per-connection" option. The default
-			  is 100.
-			- Both of these values also can be set on a per-
-			  listener basis using the "listener-clients" and
-			  "streams-per-connection" parameters in an
-			  "http" statement. For example:
-			  http <name> {
-			      listener-clients <number>;
-			      streams-per-connection <number>;
-			  };
+5684.	[func]		The DNS-over-HTTP (DoH) configuration syntax was
+			extended:
+			- The maximum number of active DoH connections can now
+			  be set using the "http-listener-clients" option. The
+			  default is 300.
+			- The maximum number of concurrent HTTP/2 streams per
+			  connection can now be set using the
+			  "http-streams-per-connection" option. The default is
+			  100.
+			- Both of these values can also be set on a per-listener
+			  basis using the "listener-clients" and
+			  "streams-per-connection" parameters in an "http"
+			  statement.
 			[GL #2809]
 
-5683.	[func]		The configuration checking code now verifies
-			HTTP paths. [GL !5231]
+5683.	[bug]		The configuration-checking code now verifies HTTP paths.
+			[GL !5231]
 
-5682.	[bug]		Not all changes to zone-statistics settings were
-			properly processed. [GL #2820]
+5682.	[bug]		Some changes to "zone-statistics" settings were not
+			properly processed by "rndc reconfig". This has been
+			fixed. [GL #2820]
 
-5681.	[func]		Relax the "zone_cdscheck" function to allow CDS and
-			CDNSKEY records in the zone that do not match an
-			existing DNSKEY record, so long as the algorithm
-			does match. This allows a clean rollover from one
+5681.	[func]		Relax the checks in the dns_zone_cdscheck() function to
+			allow CDS and CDNSKEY records in the zone that do not
+			match an existing DNSKEY record, as long as the
+			algorithm matches. This allows a clean rollover from one
 			provider to another in a multi-signer DNSSEC
-			configuration. [GL #2710].
+			configuration. [GL #2710]
 
-5680.	[bug]		Fix a crash in DoH code caused by GET requests without
-			query strings. [GL !5268]
+5680.	[bug]		HTTP GET requests without query strings caused a crash
+			in DoH code. This has been fixed. [GL !5268]
 
-5679.	[bug]		Disable setting the thread affinity. [GL #2822]
+5679.	[func]		Thread affinity is no longer set. [GL #2822]
 
 5678.	[bug]		The "check DS" code failed to release all resources upon
 			named shutdown when a refresh was in progress. This has
 			been fixed. [GL #2811]
 
-5677.	[func]		Only accept FORMERR without a OPT record as an
-			indication that the server does net support EDNS.
-			This will break communication with servers that
-			don't understand EDNS and incorrectly echo back
-			the request message with the rcode field set to
-			FORMERR and the QR bit set to 1. [GL #2249]
+5677.	[func]		Previously, named accepted FORMERR responses both with
+			and without an OPT record, as an indication that a given
+			server did not support EDNS. To implement full
+			compliance with RFC 6891, only FORMERR responses without
+			an OPT record are now accepted. This intentionally
+			breaks communication with servers that do not support
+			EDNS and that incorrectly echo back the query message
+			with the RCODE field set to FORMERR and the QR bit set
+			to 1. [GL #2249]
 
-5676.	[func]		Memory allocation has been substantially refactored,
-			and is now based on the memory allocation API
-			provided by 'libjemalloc'. This is now a build
-			dependency for BIND. [GL #2433]
+5676.	[func]		Memory allocation has been substantially refactored; it
+			is now based on the memory allocation API provided by
+			the jemalloc library, which is a new optional build
+			dependency for BIND 9. [GL #2433]
 
-5675.	[bug]		Improve BIND's compatibility with DoH clients by
-			ignoring an "Accept" HTTP header value. [GL !5246]
+5675.	[bug]		Compatibility with DoH clients has been improved by
+			ignoring the value of the "Accept" HTTP header.
+			[GL !5246]
 
-5674.	[bug]		Fix BIND hanging when HTTP/2 streams are aborted
-			prematurely by web browsers. [GL !5245]
+5674.	[bug]		A shutdown hang was triggered by DoH clients prematurely
+			aborting HTTP/2 streams. This has been fixed. [GL !5245]
 
-5673.	[func]		Add "--disable-doh" configuration option to allow
-			BIND 9 to compile without libnghttp2 library.
+5673.	[func]		Add a new build-time option, --disable-doh, to allow
+			building BIND 9 without the libnghttp2 library.
 			[GL #2478]
 
 5672.	[bug]		Authentication of rndc messages could fail if a
-			"controls" statement was configured with multiple
-			key algorithms in the same listener. [GL #2756]
+			"controls" statement was configured with multiple key
+			algorithms for the same listener. This has been fixed.
+			[GL #2756]
 
 	--- 9.17.16 released ---
 

PLATFORMS.md

@@ -16,9 +16,12 @@ IPv6 support, and POSIX-compliant threads, plus the following mandatory
 libraries:
 
 - `libuv` for asynchronous I/O operations and event loops
-- `libssl` and `libcrpyto` from OpenSSL for cryptography
-- `libjemalloc` for memory allocation
-- `libnghttp2` for HTTP/2
+- `libssl` and `libcrypto` from OpenSSL for cryptography
+
+Use of the following libraries is optional:
+
+- `libjemalloc` for improved memory allocation performance
+- `libnghttp2` for DNS-over-HTTPS (DoH) support
 
 The following C11 features are used in BIND 9:
 

configure.ac

@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 16)dnl
+m4_define([bind_VERSION_PATCH], 17)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
@@ -1770,11 +1770,18 @@ report() {
     echo "Features disabled or unavailable on this platform:"
     if test "no" = "$with_jemalloc"; then
       echo "    Memory allocator: system"
-      echo "    WARNING: This is not a recommended configuration"
-      echo "    WARNING: Using system memory allocator causes"
-      echo "    WARNING: reduced performance and increased memory"
-      echo "    WARNING: fragmentation.  Installing jemalloc >= 4.0.0"
-      echo "    WARNING: memory allocator is strongly recommended."
+      echo
+      echo "    +------------------------------------------+"
+      echo "    |             ==== WARNING ====            |"
+      echo "    |                                          |"
+      echo "    | This is NOT a recommended configuration. |"
+      echo "    | Using the system memory allocator causes |"
+      echo "    | reduced performance and increased memory |"
+      echo "    | fragmentation. Installing the jemalloc   |"
+      echo "    | memory allocator (version >= 4.0.0) is   |"
+      echo "    | strongly recommended.                    |"
+      echo "    +------------------------------------------+"
+      echo
     fi
     test "small" = "$with_tuning" || echo "    Small-system tuning (--with-tuning)"
 

doc/arm/notes.rst

@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at
 https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.17.rst
 .. include:: ../notes/notes-9.17.16.rst
 .. include:: ../notes/notes-9.17.15.rst
 .. include:: ../notes/notes-9.17.14.rst

doc/notes/notes-9.17.17.rst

@@ -0,0 +1,78 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.17.17
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Fixed an assertion failure that occurred in ``named`` when it
+  attempted to send a UDP packet that exceeded the MTU size, if
+  Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
+
+- ``named`` failed to check the opcode of responses when performing zone
+  refreshes, stub zone updates, and UPDATE forwarding. This could lead
+  to an assertion failure under certain conditions and has been
+  addressed by rejecting responses whose opcode does not match the
+  expected value. :gl:`#2762`
+
+New Features
+~~~~~~~~~~~~
+
+- DNS-over-HTTPS (DoH) support can now be disabled at compile time using
+  a new build-time option, ``--disable-doh``. This allows BIND 9 to be
+  built without the libnghttp2 library. :gl:`#2478`
+
+- It is now possible to set a hard quota on both the number of
+  concurrent DNS-over-HTTPS (DoH) connections and the number of active
+  HTTP/2 streams per connection, by using the ``http-listener-clients``
+  and ``http-streams-per-connection`` options, or the
+  ``listener-clients`` and ``streams-per-connection`` parameters in an
+  ``http`` statement. The defaults are 300 and 100, respectively.
+  :gl:`#2809`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Previously, ``named`` accepted FORMERR responses both with and without
+  an OPT record, as an indication that a given server did not support
+  EDNS. To implement full compliance with :rfc:`6891`, only FORMERR
+  responses without an OPT record are now accepted. This intentionally
+  breaks communication with servers that do not support EDNS and that
+  incorrectly echo back the query message with the RCODE field set to
+  FORMERR and the QR bit set to 1. :gl:`#2249`
+
+- Memory allocation has been substantially refactored; it is now based
+  on the memory allocation API provided by the jemalloc library, on
+  platforms where it is available. Use of this library is now
+  recommended when building BIND 9; although it is optional, it is
+  enabled by default. :gl:`#2433`
+
+- Testing revealed that setting the thread affinity for various types of
+  ``named`` threads led to inconsistent recursive performance, as
+  sometimes multiple sets of threads competed over a single resource.
+
+  Due to the above, ``named`` no longer sets thread affinity. This
+  causes a slight dip of around 5% in authoritative performance, but
+  recursive performance is now consistently improved. :gl:`#2822`
+
+- CDS and CDNSKEY records can now be published in a zone without the
+  requirement that they exactly match an existing DNSKEY record, as long
+  as the zone is signed with an algorithm represented in the CDS or
+  CDNSKEY record. This allows a clean rollover from one DNS provider to
+  another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
+
+Bug Fixes
+~~~~~~~~~
+
+- Authentication of ``rndc`` messages could fail if a ``controls``
+  statement was configured with multiple key algorithms for the same
+  listener. This has been fixed. :gl:`#2756`

doc/notes/notes-current.rst

@@ -1,79 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.17.17
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Named failed to check the opcode of responses when performing refresh,
-  stub updates, and UPDATE forwarding.  This could lead to an assertion
-  failure under particular conditions.  This has been addressed by checking
-  the opcode of those responses and rejecting the messages if they don't
-  match the expected value. :gl:`#2762`
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- It is now possible to set a hard quota on the number of concurrent DoH
-  connections, and the number of active HTTP/2 streams per connection,
-  by using the ``http-listener-clients`` and ``http-streams-per-connection``
-  options, or the ``listener-clients`` and ``streams-per-connection``
-  parameters to an ``http`` statement. The defaults are 300 and 100
-  respectively. :gl:`#2809`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- DNS over HTTPS support can be disabled at the compile time via the new
-  configuration option ``--disable-doh``.  This allows BIND 9 to be
-  compiled without libnghttp2 library. :gl:`#2478`
-
-- Memory allocation has been substantially refactored, and is now based on
-  the memory allocation API provided by the `jemalloc` library on platforms
-  where it is available. This library is now recommended for building BIND 9.
-  :gl:`#2433`
-
-- Previously, named accepted FORMERR responses both with and without
-  an OPT record, as an indication that a given server did not support
-  EDNS. To implement full compliance with RFC 6891, only FORMERR
-  responses without an OPT record are now accepted. This intentionally
-  breaks communication with servers that do not support EDNS and
-  that incorrectly echo back the query message with the RCODE field
-  set to FORMERR and the QR bit set to 1. :gl:`#2249`
-
-- CDS and CDNSKEY records may now be published in a zone without the
-  requirement that they exactly match an existing DNSKEY record, so long
-  the zone is signed with an algorithm represented in the CDS or CDNSKEY
-  record.  This allows a clean rollover from one DNS provider to another
-  when using a multiple-signer DNSSEC configuration. :gl:`#2710`
-
-Bug Fixes
-~~~~~~~~~
-
-- Testing revealed that setting the thread affinity on both the netmgr
-  and netthread threads led to inconsistent recursive performance, as
-  sometimes the netmgr and netthread threads competed over a single
-  resource.
-
-  When the affinity is not set, tests show a slight dip in the authoritative
-  performance of around 5% (ranging from 3.8% to 7.8%), but
-  the recursive performance is now consistently improved. :gl:`#2822`

lib/isc/netmgr/netmgr-int.h

@@ -1779,9 +1779,10 @@ isc__nm_socket_incoming_cpu(uv_os_sock_t fd);
  */
 
 isc_result_t
-isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family);
+isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family);
 /*%<
- * Set the SO_IP_DONTFRAG (or equivalent) socket option of the fd if available
+ * Disable the Path MTU Discovery, either by disabling IP(V6)_DONTFRAG socket
+ * option, or setting the IP(V6)_MTU_DISCOVER socket option to IP_PMTUDISC_OMIT
  */
 
 isc_result_t

lib/isc/netmgr/netmgr.c

@@ -3044,20 +3044,20 @@ isc__nm_socket_incoming_cpu(uv_os_sock_t fd) {
 }
 
 isc_result_t
-isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
+isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family) {
 	/*
-	 * Set the Don't Fragment flag on IP packets
+	 * Disable the Path MTU Discovery on IP packets
 	 */
 	if (sa_family == AF_INET6) {
 #if defined(IPV6_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IPV6_MTU_DISCOVER)
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {
@@ -3068,14 +3068,14 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
 #endif
 	} else if (sa_family == AF_INET) {
 #if defined(IP_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IP_MTU_DISCOVER)
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {

lib/isc/netmgr/udp.c

@@ -65,7 +65,7 @@ isc__nm_udp_lb_socket(sa_family_t sa_family) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 	(void)isc__nm_socket_incoming_cpu(sock);
-	(void)isc__nm_socket_dontfrag(sock, sa_family);
+	(void)isc__nm_socket_disable_pmtud(sock, sa_family);
 
 	result = isc__nm_socket_reuse(sock);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
@@ -760,7 +760,7 @@ isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 
 	(void)isc__nm_socket_incoming_cpu(sock->fd);
 
-	(void)isc__nm_socket_dontfrag(sock->fd, sa_family);
+	(void)isc__nm_socket_disable_pmtud(sock->fd, sa_family);
 
 	event = isc__nm_get_netievent_udpconnect(mgr, sock, req);
 

lib/isc/socket.c

@@ -2098,27 +2098,27 @@ set_tcp_maxseg(isc_socket_t *sock, int size) {
 }
 
 static void
-set_ip_dontfrag(isc_socket_t *sock) {
+set_ip_disable_pmtud(isc_socket_t *sock) {
 	/*
-	 * Set the Don't Fragment flag on IP packets
+	 * Disable Path MTU Discover on IP packets
 	 */
 	if (sock->pf == AF_INET6) {
 #if defined(IPV6_DONTFRAG)
 		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_DONTFRAG,
-				 &(int){ 1 }, sizeof(int));
+				 &(int){ 0 }, sizeof(int));
 #endif
-#if defined(IPV6_MTU_DISCOVER)
+#if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
-				 &(int){ IP_PMTUDISC_DO }, sizeof(int));
+				 &(int){ IP_PMTUDISC_OMIT }, sizeof(int));
 #endif
 	} else if (sock->pf == AF_INET) {
 #if defined(IP_DONTFRAG)
-		(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &(int){ 1 },
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &(int){ 0 },
 				 sizeof(int));
 #endif
-#if defined(IP_MTU_DISCOVER)
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		(void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
-				 &(int){ IP_PMTUDISC_DO }, sizeof(int));
+				 &(int){ IP_PMTUDISC_OMIT }, sizeof(int));
 #endif
 	}
 }
@@ -2409,7 +2409,7 @@ again:
 #endif /* ifdef IP_RECVTOS */
 #endif /* defined(USE_CMSG) || defined(SET_RCVBUF) || defined(SET_SNDBUF) */
 
-	set_ip_dontfrag(sock);
+	set_ip_disable_pmtud(sock);
 
 setup_done:
 	inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);

lib/isc/trampoline_p.h

@@ -31,8 +31,8 @@
  * that slot can use the same thread ID that its predecessor did.
  *
  * The trampoline table initially has space for 64 worker threads in
- * addition to the main thread. if more threads than that in concurrent
- * concurrently, the table is reallocated with twice as much space.
+ * addition to the main thread. If more threads than that are in
+ * concurrent use, the table is reallocated with twice as much space.
  * (Note that the number of concurrent threads is currently capped at
  * 128 by the queue and hazard pointer implementations.)
  */

lib/ns/client.c

@@ -770,8 +770,6 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
 		dns_rrl_result_t rrl_result;
 		int loglevel;
 
-		INSIST(rcode != dns_rcode_noerror &&
-		       rcode != dns_rcode_nxdomain);
 		if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) {
 			loglevel = DNS_RRL_LOG_DROP;
 		} else {