Merge branch 'prep-release' into v9_16_16-release

Prepare documentation for BIND 9.16.16

See merge request isc-private/bind9!294

CHANGES

@@ -1,53 +1,68 @@
-5636.	[bug]		Check that zone files for 'dnssec-policy' zones are
-			only referenced once in 'named.conf'. [GL #2603]
+	--- 9.16.16 released ---
+
+5637.	[func]		Change the default value of the "max-ixfr-ratio" option
+			to "unlimited". [GL #2671]
+
+5636.	[bug]		named and named-checkconf did not report an error when
+			multiple zones with the "dnssec-policy" option set were
+			using the same zone file. This has been fixed.
+			[GL #2603]
 
 5635.	[bug]		Journal compaction could fail when a journal with
-			invalid transaction headers was not detected at
-			startup.  [GL #2670]
+			invalid transaction headers was not detected at startup.
+			This has been fixed. [GL #2670]
 
-5634.	[bug]		Don't roll keys when the private key file is offline.
-			[GL #2596]
+5634.	[bug]		If "dnssec-policy" was active and a private key file was
+			temporarily offline during a rekey event, named could
+			incorrectly introduce replacement keys and break a
+			signed zone. This has been fixed. [GL #2596]
 
-5633.	[func]		Change the "max-ixfr-ratio" default to "unlimited".
-			[GL #2671]
+5633.	[doc]		The "inline-signing" option was incorrectly described as
+			being inherited from the "options"/"view" levels and was
+			incorrectly accepted at those levels without effect.
+			This has been fixed. [GL #2536]
 
-5632.	[func]		Add built-in dnssec-policy "insecure". This is used to
-			transition a zone from a signed state to a unsigned
-			state. [GL #2645]
+5632.	[func]		Add a new built-in KASP, "insecure", which is used to
+			transition a zone from a signed to an unsigned state.
+			The existing built-in KASP "none" should no longer be
+			used to unsign a zone. [GL #2645]
 
-5631.	[bug]		Update ZONEMD to match RFC 8976. [GL #2658]
+5631.	[protocol]	Update the implementation of the ZONEMD RR type to match
+			RFC 8976. [GL #2658]
 
-5630.	[func]		Treat DNSSEC responses with NSEC3 iterations greater
-			than 150 as insecure. [GL #2445]
+5630.	[func]		Treat DNSSEC responses containing NSEC3 records with
+			iteration counts greater than 150 as insecure.
+			[GL #2445]
 
-5629.	[func]		Reduce the supported maximum number of iterations
-			that can be configured in an NSEC3 zone to 150.
-			[GL #2642]
+5629.	[func]		Reduce the maximum supported number of NSEC3 iterations
+			that can be configured for a zone to 150. [GL #2642]
 
-5627.	[bug]		RRSIG(SOA) RRsets placed anywhere else than at zone apex
-			were triggering infinite resigning loops. This has been
-			fixed. [GL #2650]
+5627.	[bug]		RRSIG(SOA) RRsets placed anywhere other than at the zone
+			apex were triggering infinite resigning loops. This has
+			been fixed. [GL #2650]
 
-5626.	[bug]		When generating new keys, check for keyid conflicts
-			between new keys too. [GL #2628]
+5626.	[bug]		When generating zone signing keys, KASP now also checks
+			for key ID conflicts among newly created keys, rather
+			than just between new and existing ones. [GL #2628]
 
-5625.	[bug]		Address deadlock between rndc addzone/delzone.
-			[GL #2626]
+5625.	[bug]		A deadlock could occur when multiple "rndc addzone",
+			"rndc delzone", and/or "rndc modzone" commands were
+			invoked simultaneously for different zones. This has
+			been fixed. [GL #2626]
 
-5622.	[cleanup]	Remove lib/samples, since export versions of libraries
-			are no longer maintained. [GL !4835]
+5622.	[cleanup]	The lib/samples/ directory has been removed, as export
+			versions of libraries are no longer maintained.
+			[GL !4835]
 
 5619.	[protocol]	Implement draft-vandijk-dnsop-nsec-ttl, updating the
 			protocol such that NSEC(3) TTL values are set to the
-			minimum of the SOA MINIMUM value and the SOA TTL.
+			minimum of the SOA MINIMUM value or the SOA TTL.
 			[GL #2347]
 
-5618.	[bug]		When introducing change 5149, "rndc dumpdb" started
-			to print a line above a stale RRset, indicating how
-			long the data will be retained. Also, TTLs were
-			increased with 'max-stale-ttl'. This could lead to
-			nonsensical values and both issues have been fixed.
-			[GL #389] [GL #2289]
+5618.	[bug]		Change 5149 introduced some inconsistencies in the way
+			record TTLs were presented in cache dumps. These
+			inconsistencies have been eliminated. [GL #389]
+			[GL #2289]
 
 	--- 9.16.15 released ---
 

doc/arm/notes.rst

@@ -59,7 +59,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.16.16.rst
 .. include:: ../notes/notes-9.16.15.rst
 .. include:: ../notes/notes-9.16.14.rst
 .. include:: ../notes/notes-9.16.13.rst

doc/dnssec-guide/recipes.rst

@@ -1098,7 +1098,7 @@ Then use ``rndc reload`` to reload the zone.
 
 The "insecure" policy is a built-in policy (like "default"). It will make sure
 the zone is still DNSSEC maintained, to allow for a graceful transition to
-unsigned,
+unsigned.
 
 When the DS records have been removed from the parent zone, use
 ``rndc dnssec -checkds -key <id> withdrawn example.com`` to tell ``named`` that

doc/notes/notes-9.16.16.rst

@@ -0,0 +1,68 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.16.16
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DNSSEC responses containing NSEC3 records with iteration counts
+  greater than 150 are now treated as insecure. :gl:`#2445`
+
+- The maximum supported number of NSEC3 iterations that can be
+  configured for a zone has been reduced to 150. :gl:`#2642`
+
+- The default value of the ``max-ixfr-ratio`` option was changed to
+  ``unlimited``, for better backwards compatibility in the stable
+  release series. :gl:`#2671`
+
+- Zones that want to transition from secure to insecure mode without
+  becoming bogus in the process must now have their ``dnssec-policy``
+  changed first to ``insecure``, rather than ``none``. After the DNSSEC
+  records have been removed from the zone, the ``dnssec-policy`` can be
+  set to ``none`` or removed from the configuration. Setting the
+  ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
+  records to be published. :gl:`#2645`
+
+- The implementation of the ZONEMD RR type has been updated to match
+  :rfc:`8976`. :gl:`#2658`
+
+- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
+  NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
+  or the SOA TTL. :gl:`#2347`
+
+Bug Fixes
+~~~~~~~~~
+
+- It was possible for corrupt journal files generated by an earlier
+  version of ``named`` to cause problems after an upgrade. This has been
+  fixed. :gl:`#2670`
+
+- TTL values in cache dumps were reported incorrectly when
+  ``stale-cache-enable`` was set to ``yes``. This has been fixed.
+  :gl:`#389` :gl:`#2289`
+
+- A deadlock could occur when multiple ``rndc addzone``, ``rndc
+  delzone``, and/or ``rndc modzone`` commands were invoked
+  simultaneously for different zones. This has been fixed. :gl:`#2626`
+
+- ``named`` and ``named-checkconf`` did not report an error when
+  multiple zones with the ``dnssec-policy`` option set were using the
+  same zone file. This has been fixed. :gl:`#2603`
+
+- If ``dnssec-policy`` was active and a private key file was temporarily
+  offline during a rekey event, ``named`` could incorrectly introduce
+  replacement keys and break a signed zone. This has been fixed.
+  :gl:`#2596`
+
+- When generating zone signing keys, KASP now also checks for key ID
+  conflicts among newly created keys, rather than just between new and
+  existing ones. :gl:`#2628`

doc/notes/notes-current.rst

@@ -1,82 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.16.16
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- None.
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- None.
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
-  the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
-
-- Reduce the supported maximum number of iterations that can be
-  configured in an NSEC3 zones to 150. :gl:`#2642`
-
-- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure.
-  :gl:`#2445`
-
-- Zones that want to transition from secure to insecure mode without making it
-  bogus in the process should now first change their ``dnssec-policy`` to
-  ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have
-  been removed from the zone (in a timely manner), the ``dnssec-policy`` can
-  be set to ``none`` (or be removed from the configuration). Setting the
-  ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records
-  to be published. :gl:`#2645`
-
-- Change the ``max-ixfr-ratio`` configuration option default value to
-  ``unlimited`` for better backwards compatibility in the stable release
-  series. :gl:`#2671`
-
-Bug Fixes
-~~~~~~~~~
-
-- When dumping the cache to file, TTLs were being increased with
-  ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
-  values if the RRset was still marked a stale but the ``max-stale-ttl`` has
-  passed (and is actually an RRset awaiting cleanup). Both issues have now
-  been fixed. :gl:`#389` :gl:`#2289`
-
-- ``named`` would overwrite a zone file unconditionally when it recovered from
-  a corrupted journal. :gl:`#2623`
-
-- With ``dnssec-policy``, when creating new keys also check for keyid conflicts
-  between the new keys too. :gl:`#2628`
-
-- Update ZONEMD to match RFC 8976. :gl:`#2658`
-
-- With ``dnssec-policy```, don't roll keys if the private key file is offline.
-  :gl:`#2596`
-
-- Journal compaction could fail when a journal with invalid transaction 
-  headers was not detected at startup. :gl:`#2670`
-
-- ``named-checkconf`` now complains if zones with ``dnssec-policy`` reference
-  the same zone file more than once. :gl:`#2603`

version

@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Stable Release)"
 MAJORVER=9
 MINORVER=16
-PATCHVER=15
+PATCHVER=16
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=