Update BIND version to 9.17.18

Prepare documentation for BIND 9.17.18

See merge request isc-private/bind9!320

.gitlab/issue_templates/CVE.md

@@ -31,3 +31,7 @@ email to [security-officer@isc.org](security-officer@isc.org).
   - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
   - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
   - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order
+
+### Post-disclosure actions
+
+  - [ ] Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches

CHANGES

@@ -1,85 +1,109 @@
-5711.	[bug]		"map" files exceeding 2GB in size could fail to
-			load due to a size comparison that incorrectly
-			treated the file size as a signed integer. [GL #2878]
+	--- 9.17.18 released ---
+
+5711.	[bug]		"map" files exceeding 2GB in size failed to load due to
+			a size comparison that incorrectly treated the file size
+			as a signed integer. [GL #2878]
 
 5710.	[placeholder]
 
-5709.	[func]		Zone types are now reported in the statistics channel
-			using "primary" and "secondary". Enum values
+5709.	[func]		When reporting zone types in the statistics channel, the
+			terms "primary" and "secondary" are now used instead of
+			"master" and "slave", respectively. Enum values
 			throughout the code have been updated to use this
 			terminology as well. [GL #1944]
 
 5708.	[placeholder]
 
-5707.	[bug]		Fix a bug preventing dig from qurying DoH servers
-			via IPv6 adresses. [GL #2860]
+5707.	[bug]		A bug was fixed which prevented dig from querying
+			DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860]
 
-5706.	[cleanup]	Remove support for external applications to register
-			and use libisc. Export versions of BIND 9 libraries
-			have not been supported for some time, but the
-			isc_lib_register() function was still available;
+5706.	[cleanup]	Support for external applications to register with
+			libisc and use it has been removed. Export versions of
+			BIND 9 libraries have not been supported for some time,
+			but the isc_lib_register() function was still available;
 			it has now been removed. [GL !2420]
 
-5705.	[bug]		Change #5686 altered the internal memory structure
-			of zone databases, but neglected to update the
-			MAPAPI value for map-format zone files. This caused
-			named to attempt to load incompatible map files,
-			triggering an assertion failure on startup. [GL #2872]
+5705.	[bug]		Change #5686 altered the internal memory structure of
+			zone databases, but neglected to update the MAPAPI value
+			for zone files in "map" format. This caused named to
+			attempt to load incompatible map files, triggering an
+			assertion failure on startup. The MAPAPI value has now
+			been updated, so named rejects outdated files when
+			encountering them. [GL #2872]
 
-5704.	[bug]		TCP keepalive settings were not being applied
-			correctly. [GL #1927]
+5704.	[bug]		Change #5317 caused the EDNS TCP Keepalive option to be
+			ignored inadvertently in client requests. It has now
+			been fixed and this option is handled properly again.
+			[GL #1927]
 
-5703.	[bug]		Fix a crash in dig caused by closing an HTTP/2
-			socket with an unused HTTP/2 session. [GL #2735]
+5703.	[bug]		Fix a crash in dig caused by closing an HTTP/2 socket
+			associated with an unused HTTP/2 session. [GL #2858]
 
-5702.	[bug]		Improve compatibility with DNS-over-HTTPS clients by
-			allowing HTTP/2 request headers in any order. [GL #2875]
+5702.	[bug]		Improve compatibility with DNS-over-HTTPS (DoH) clients
+			by allowing HTTP/2 request headers in any order.
+			[GL #2875]
 
 5701.	[bug]		named-checkconf failed to detect syntactically invalid
-			key and tls names. [GL #2461]
+			values of the "key" and "tls" parameters used to define
+			members of remote server lists. [GL #2461]
 
-5700.	[bug]		Journals were not being removed when a catalog zone
-			was removed. [GL #2842]
+5700.	[bug]		When a member zone was removed from a catalog zone,
+			journal files for the former were not deleted.
+			[GL #2842]
 
-5699.	[func]		Grow and shrink dnssec-sign statistics on key rollover
+5699.	[func]		Data structures holding DNSSEC signing statistics are
+			now grown and shrunk as necessary upon key rollover
 			events. [GL #1721]
 
-5698.	[bug]		Migrate a single key to CSK when reconfiguring a zone
-			to use 'dnssec-policy'. [GL #2857]
+5698.	[bug]		When a DNSSEC-signed zone which only has a single
+			signing key available is migrated to use KASP, that key
+			is now treated as a Combined Signing Key (CSK).
+			[GL #2857]
 
-5697.	[protocol]	SHA-1 CDS records are no longer used by dnssec-cds to
-			make DS records. Thanks to Tony Finch. [GL !2946]
+5697.	[func]		dnssec-cds now only generates SHA-2 DS records by
+			default and avoids copying deprecated SHA-1 records from
+			a child zone to its delegation in the parent. If the
+			child zone does not publish SHA-2 CDS records,
+			dnssec-cds will generate them from the CDNSKEY records.
+			The "-a algorithm" option now affects the process of
+			generating DS digest records from both CDS and CDNSKEY
+			records. Thanks to Tony Finch. [GL #2871]
 
-5696.	[protocol]	Add support for HTTPS and SVCB record types. [GL #1132]
+5696.	[protocol]	Support for HTTPS and SVCB record types has been added.
+			[GL #1132]
 
-5695.	[func]		Dig can now display the BADCOOKIE message as part of
-			processing it (+showbadcookie). [GL #2319]
+5695.	[func]		Add a new dig command-line option, "+showbadcookie",
+			which causes a BADCOOKIE response message to be
+			displayed when it is received from the server.
+			[GL #2319]
 
-5694.	[bug]		BIND looks up the deepest zone cut in cache in order
-			to iterate a query. When this node is stale, it may
-			bypass QNAME minimization. This has been fixed.
-			[GL #2665]
+5694.	[bug]		Stale data in the cache could cause named to send
+			non-minimized queries despite QNAME minimization being
+			enabled. [GL #2665]
 
-5693.	[func]		Restore support for reading 'timeout' and 'attempts'
-			options from /etc/resolv.conf, and use their values
-			in dig, host and nslookup. (Previously this was
-			supported by liblwres, and was still mentioned
-			in man pages, but had stopped working after liblwres
-			was deprecated in favor of libirs.) [GL #2785]
+5693.	[func]		Restore support for reading "timeout" and "attempts"
+			options from /etc/resolv.conf, and use their values in
+			dig, host, and nslookup. (This was previously supported
+			by liblwres, and was still mentioned in the man pages,
+			but had stopped working after liblwres was deprecated in
+			favor of libirs.) [GL #2785]
 
-5692.	[bug]		Fix a rare crash in the DoH code caused by
+5692.	[bug]		Fix a rare crash in DNS-over-HTTPS (DoH) code caused by
 			detaching from an HTTP/2 session handle too early when
 			sending data. [GL #2851]
 
-5691.	[bug]		'rndc freeze' with in-view zones present would
-			spuriously report failures. [GL #2844]
+5691.	[bug]		When a dynamic zone was made available in another view
+			using the "in-view" statement, running "rndc freeze"
+			always reported an "already frozen" error even though
+			the zone was successfully frozen. [GL #2844]
 
-5690.	[func]		Change "dnssec-signzone" to honor the Predecessor and
-			Successor metadata values, and allow for gradual
-			replacement of RRSIGs. In other words, don't sign
-			with the successor key if there is an RRSIG from the
-			predecessor key that does not need to be refreshed.
-			[GL #1551]
+5690.	[func]		dnssec-signzone now honors Predecessor and Successor
+			metadata found in private key files: if a signature for
+			an RRset generated by the inactive predecessor exists
+			and does not need to be replaced, no additional
+			signature is now created for that RRset using the
+			successor key. This enables dnssec-signzone to gradually
+			replace RRSIGs during a ZSK rollover. [GL #1551]
 
 	--- 9.17.17 released ---
 

configure.ac

@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 17)dnl
+m4_define([bind_VERSION_PATCH], 18)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl

doc/arm/notes.rst

@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at
 https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.18.rst
 .. include:: ../notes/notes-9.17.17.rst
 .. include:: ../notes/notes-9.17.16.rst
 .. include:: ../notes/notes-9.17.15.rst

doc/notes/notes-9.17.18.rst

@@ -0,0 +1,67 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.17.18
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Support for HTTPS and SVCB record types has been added. :gl:`#1132`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When ``dnssec-signzone`` signs a zone using a successor key whose
+  predecessor is still published, it now only refreshes signatures for
+  RRsets which have an invalid signature, an expired signature, or a
+  signature which expires within the provided cycle interval. This
+  allows ``dnssec-signzone`` to gradually replace signatures in a zone
+  whose ZSK is being rolled over (similarly to what ``auto-dnssec
+  maintain;`` does). :gl:`#1551`
+
+- ``dnssec-cds`` now only generates SHA-2 DS records by default and
+  avoids copying deprecated SHA-1 records from a child zone to its
+  delegation in the parent. If the child zone does not publish SHA-2 CDS
+  records, ``dnssec-cds`` will generate them from the CDNSKEY records.
+  The ``-a algorithm`` option now affects the process of generating DS
+  digest records from both CDS and CDNSKEY records. Thanks to Tony
+  Finch. :gl:`#2871`
+
+- When reporting zone types in the statistics channel, the terms
+  ``primary`` and ``secondary`` are now used instead of ``master`` and
+  ``slave``, respectively. :gl:`#1944`
+
+Bug Fixes
+~~~~~~~~~
+
+- A recent change to the internal memory structure of zone databases
+  inadvertently neglected to update the MAPAPI value for zone files in
+  ``map`` format. This caused version 9.17.17 of ``named`` to attempt to
+  load files into memory that were no longer compatible, triggering an
+  assertion failure on startup. The MAPAPI value has now been updated,
+  so ``named`` rejects outdated files when encountering them.
+  :gl:`#2872`
+
+- Zone files in ``map`` format whose size exceeded 2 GB failed to load.
+  This has been fixed. :gl:`#2878`
+
+- Stale data in the cache could cause ``named`` to send non-minimized
+  queries despite QNAME minimization being enabled. This has been fixed.
+  :gl:`#2665`
+
+- When a DNSSEC-signed zone which only has a single signing key
+  available is migrated to ``dnssec-policy``, that key is now treated as
+  a Combined Signing Key (CSK). :gl:`#2857`
+
+- When a dynamic zone was made available in another view using the
+  ``in-view`` statement, running ``rndc freeze`` always reported an
+  ``already frozen`` error even though the zone was successfully
+  frozen. This has been fixed. :gl:`#2844`

doc/notes/notes-current.rst

@@ -1,60 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.17.18
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- None.
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- Add support for HTTPS and SVCB record types. :gl:`#1132`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- ``dnssec-signzone`` is now able to retain signatures from inactive
-  predecessor keys without introducing additional signatures from the successor
-  key. This allows for a gradual replacement of RRSIGs as they reach expiry.
-  :gl:`#1551`
-
-- SHA-1 CDS records are no longer used by ``dnssec-cds`` to make DS
-  records. Thanks to Tony Finch. :gl:`!2946`
-
-Bug Fixes
-~~~~~~~~~
-
-- When following QNAME minimization, BIND could use a stale zonecut from cache 
-  to resolve the query, resulting in a non-minimized query. This has been
-  fixed :gl:`#2665`
-
-- Migrate a single key to CSK when reconfiguring a zone to make use of
-  'dnssec-policy' :gl:`#2857`
-
-- A recent change to the internal memory structure of zone databases
-  inadvertently neglected to update the MAPAPI value for ``map``-format
-  zone files. This caused ``named`` to attempt to load files into memory
-  that were no longer compatible, triggering an assertion failure on
-  startup. The MAPAPI value has now been updated, so ``named`` will
-  reject outdated files when encountering them. :gl:`#2872`