Update BIND version to 9.17.21

Prepare documentation for BIND 9.17.21

See merge request isc-private/bind9!338

CHANGES

@@ -1,3 +1,5 @@
+	--- 9.17.21 released ---
+
 5775.	[bug]		Added a timer in the resolver to kill fetches that
 			have deadlocked as a result of dependency loops
 			with the ADB or the validator. This condition is

configure.ac

@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 20)dnl
+m4_define([bind_VERSION_PATCH], 21)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl

doc/arm/notes.rst

@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at
 https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.21.rst
 .. include:: ../notes/notes-9.17.20.rst
 .. include:: ../notes/notes-9.17.19.rst
 .. include:: ../notes/notes-9.17.18.rst

doc/arm/reference.rst

@@ -2100,15 +2100,16 @@ Boolean Options
    default is ``no``. Setting this option to ``yes`` leaves ``named``
    vulnerable to replay attacks.
 
+.. _reject_000_label:
+
 ``reject-000-label``
-   This can be used to control whether NSEC records which have the
-   ``next`` field starting with the ``\\000`` label are cached for
-   ``synth-from-dnssec``.  There are a number of DNSSEC implementations
-   that generate bad NSEC type maps where the ``next`` field starts with
-   the ``\\000`` label and between BIND 9.18 and BIND 9.20 there will be
-   a campaign to get these servers corrected.  In BIND 9.18 this defaults
-   to ``yes``.  In BIND 9.20 (BIND 9.19) this will default to ``no`` and
-   in BIND 9.22 (BIND 9.21) this option will be removed.
+   This controls whether NSEC records whose Next Owner Name field starts
+   with a ``\000`` label are cached for use by the ``synth-from-dnssec``
+   feature. The default is ``yes``, which means these records are not
+   used for negative response synthesis. This is a temporary measure to
+   improve interoperability with authoritative servers that generate
+   incorrect NSEC records. The default value of this option may change
+   in a future release, or it may be removed altogether.
 
 ``querylog``
    Query logging provides a complete log of all incoming queries and all query
@@ -2256,19 +2257,11 @@ Boolean Options
    have been proved to be correct using DNSSEC.
    The default is ``yes``.
 
-   ``server <prefix> { broken-nsec yes; };`` can be used to stop
-   named caching broken NSEC records from negative responses from servers
-   that emit broken NSEC records with missing types that actually exist.
-
-   ``reject-000-label`` can be used to control whether NSEC records
-   which have the ``next`` field starting with the ``\\000`` label
-   are cached for ``synth-from-dnssec``.  There are a number of
-   DNSSEC implementations that generate bad NSEC type maps where
-   the ``next`` field starts with the ``\\000`` label and between
-   BIND 9.18 and BIND 9.20 there will be a campaign to get these
-   servers corrected.  In BIND 9.18 this defaults to ``yes``.  In
-   BIND 9.20 (BIND 9.19) this will default to ``no`` and in BIND 9.22
-   (BIND 9.21) this option will be removed.
+   The ``reject-000-label`` :ref:`option <reject_000_label>` and the
+   ``broken-nsec`` :ref:`server configuration clause
+   <server_broken_nsec>` can be used to prevent broken NSEC records from
+   causing incorrect negative responses to be synthesized when
+   ``synth-from-dnssec`` is set to ``yes``.
 
    .. note:: DNSSEC validation must be enabled for this option to be effective.
       This initial implementation only covers synthesis of answers from
@@ -2443,13 +2436,16 @@ for details on how to specify IP address lists.
    statement set in ``options`` or ``view``. If not specified, the
    default is to allow transfers to all hosts.
 
-   The transport level limitations can also be specified.  In
-   particular, zone transfers can be restricted to a specific port and
-   DNS transport protocol by using the options ``port`` and
-   ``transport``. Zone transfers are currently only possible via the
-   TCP and TLS transports; either option can be specified.
+   The transport level limitations can also be specified. In particular,
+   zone transfers can be restricted to a specific port and/or DNS
+   transport protocol by using the options ``port`` and ``transport``.
+   Either option can be specified; if both are used, both constraints
+   must be satisfied in order for the transfer to be allowed. Zone
+   transfers are currently only possible via the TCP and TLS transports.
 
    For example: ``allow-transfer port 853 transport tls { any; };``
+   allows outgoing zone transfers to any host using the TLS transport
+   over port 853.
 
 ``blackhole``
    This specifies a list of addresses which the server does not accept queries
@@ -4560,11 +4556,15 @@ If a remote server is giving out bad data, marking it
 as bogus prevents further queries to it. The default value of
 ``bogus`` is ``no``.
 
-If a remote server is giving out broken NSEC records with type maps
-that are missing types that actually exist, ``broken-nsec`` can be
-used to stop NSEC records from negative responses from the given
-servers being cached and thus available to ``synth-from-dnssec``.
-The default value is ``no``.
+.. _server_broken_nsec:
+
+The ``broken-nsec`` clause determines whether the NSEC records found in
+negative responses sent by the remote server are ignored for the purpose
+of synthesizing negative responses or not. The default is ``no``.
+Setting this to ``yes`` can be used to prevent broken NSEC records from
+causing incorrect negative responses to be synthesized when
+``synth-from-dnssec`` is set to ``yes``. This option may be removed in a
+future release.
 
 The ``provide-ixfr`` clause determines whether the local server, acting
 as primary, responds with an incremental zone transfer when the given

doc/notes/notes-9.17.21.rst

@@ -0,0 +1,68 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.17.21
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- The ``allow-transfer`` option was extended to accept additional
+  ``port`` and ``transport`` parameters, to further restrict zone
+  transfers to a particular port and/or DNS transport protocol.
+  :gl:`#2776`
+
+- Extended DNS Error Code 18 - Prohibited (see :rfc:`8194` section
+  4.19) is now set if query access is denied to the specific client.
+  :gl:`#1836`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Aggressive Use of DNSSEC-Validated Cache (``synth-from-dnssec``, see
+  :rfc:`8198`) is now enabled by default again, after having been
+  disabled in BIND 9.14.8. The implementation of this feature was
+  reworked to achieve better efficiency and tuned to ignore certain
+  types of broken NSEC records. Negative answer synthesis is currently
+  only supported for zones using NSEC. :gl:`#1265`
+
+- The `UseSTD3ASCIIRules`_ flag is now disabled again for libidn2
+  function calls. Applying additional validation rules for domain names
+  in ``dig`` (a change introduced in the previous BIND 9 release) caused
+  characters which are disallowed in hostnames (e.g. underscore ``_``,
+  wildcard ``*``) to be silently stripped. That change was reverted.
+  :gl:`#1610`
+
+- Previously, when an incoming TCP connection could not be accepted
+  because the client closed the connection early, an error message of
+  ``TCP connection failed: socket is not connected`` was logged. This
+  message has been changed to ``Accepting TCP connection failed: socket
+  is not connected``. The severity level at which this type of message
+  is logged has also been changed from ``error`` to ``info`` for the
+  following triggering events: ``socket is not connected``, ``quota
+  reached``, and ``soft quota reached``. :gl:`#2700`
+
+- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys.
+  :gl:`#853`
+
+.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
+
+Bug Fixes
+~~~~~~~~~
+
+- Removing a configured ``catalog-zone`` clause from the configuration,
+  running ``rndc reconfig``, then bringing back the removed
+  ``catalog-zone`` clause and running ``rndc reconfig`` again caused
+  ``named`` to crash. This has been fixed. :gl:`#1608`
+
+- The resolver could hang on shutdown due to dispatch resources not
+  being cleaned up when a TCP connection was reset, or due to dependency
+  loops in the ADB or the DNSSEC validator. This has been fixed.
+  :gl:`#3026` :gl:`#3040`

doc/notes/notes-current.rst

@@ -1,81 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.17.21
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- None.
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- Set Extended DNS Error Code 18 - Prohibited if query access is denied to the
-  specific client. :gl:`#1836`
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The ``allow-transfers`` option was extended to accept additional
-  ``port`` and ``transport`` parameters, to further restrict zone
-  transfers to a particular port and DNS transport protocol. Either of
-  these options can be specified.
-
-  For example: ``allow-transfer port 853 transport tls { any; };``
-  :gl:`#2776`
-
-- `UseSTD3ASCIIRules`_ is now disabled for IDN support. This disables additional
-  validation rules for domain names in dig because applying the rules would
-  silently strip characters not-allowed in hostnames such as underscore (``_``)
-  or wildcard (``*``) characters.  This reverts change :gl:`!5738` from the
-  previous release.  :gl:`#1610`
-
-- Previously, when an incoming TCP connection could not be accepted because the client
-  closed the connection early, an error message of ``TCP connection
-  failed: socket is not connected`` was logged. This message has been changed
-  to ``Accepting TCP connection failed: socket is not connected``. The
-  severity level at which this type of message is logged has also
-  been changed from ``error`` to ``info`` for the following triggering
-  events: ``socket is not connected``, ``quota reached``, and ``soft
-  quota reached``. :gl:`#2700`
-
-- Restore NSEC Aggressive Cache (``synth-from-dnssec``) as active by default
-  following reworking of the code to find the potentially covering NSEC record.
-  The implementation was optimized for better efficiency, and also tuned
-  to ignore certain types of broken NSEC records.  This feature currently
-  supports answer synthtesis only for zones using NSEC.  :gl:`#1265`
-
-  The new server clause ``broken-nsec`` was added to identify servers
-  that emit bad NSEC records in negative responses so they will not be
-  cached.  This can be used to work around cases where
-  ``synth-from-dnssec`` hides data that exists. :gl:`#1265`
-
-Bug Fixes
-~~~~~~~~~
-
-- Removing a configured ``catalog-zone`` clause from the configuration, running
-  ``rndc reconfig``, then bringing back the removed ``catalog-zone`` clause and
-  running ``rndc reconfig`` again caused ``named`` to crash. This has been fixed.
-  :gl:`#1608`
-
-- The resolver could hang on shutdown due to dispatch resources not being
-  cleaned up when a TCP connection was reset. This has been fixed. :gl:`#3026`