Merge branch 'prep-release' into v9_16_7-release

Prepare release notes for BIND 9.16.7

See merge request isc-private/bind9!209

CHANGES

@@ -1,48 +1,49 @@
+	--- 9.16.7 released ---
+
 5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]
 
 5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
 			[GL #2103]
 
 5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
+			[GL #1748]
 
-5497.	[bug]		dig +bufsize=0 failed to disable EDNS as a side
-			effect. [GL #2054]
+5497.	[bug]		'dig +bufsize=0' failed to disable EDNS. [GL #2054]
 
-5496.	[bug]		The rate limiter needs to hold a reference to its task.
-			[GL #2081]
+5496.	[bug]		Address a TSAN report by ensuring each rate limiter
+			object holds a reference to its task. [GL #2081]
 
 5495.	[bug]		With query minimization enabled, named failed to
-			resolve ip6.arpa. names that had more labels after the
-			IPv6 part. [GL #1847]
+			resolve ip6.arpa. names that had extra labels to the
+			left of the IPv6 part. [GL #1847]
 
 5494.	[bug]		Silence the EPROTO syslog message on older systems.
 			[GL #1928]
 
-5493.	[bug]		Fix off-by-one error when calculating new hashtable
+5493.	[bug]		Fix off-by-one error when calculating new hash table
 			size. [GL #2104]
 
-5492.	[bug]		Tighten LOC parsing to reject period and/or m as a
-			value.  Correct handling of negative altitudes which
-			are not whole metres.  [GL #2074]
+5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
+			as a value. Fix handling of negative altitudes which are
+			not whole meters. [GL #2074]
 
 5491.	[bug]		rbtversion->glue_table_size could be read without the
 			appropriate lock being held. [GL #2080]
 
-5489.	[bug]		Named failed to reject some invalid records resulting
-			in records that, after being printed, could not be
-			loaded or would result in DNSSEC validation failures
-			when re-read from zone files as the wire format
-			differed.  The covered records records are: CERT,
+5489.	[bug]		Named erroneously accepted certain invalid resource
+			records that were incorrectly processed after
+			subsequently being written to disk and loaded back, as
+			the wire format differed. Such records include: CERT,
 			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
 			X25. [GL !3953]
 
-5488.	[bug]		nta needed to have a weak reference on view to prevent
-			the view being deleted while nta tests are being
-			performed. [GL #2067]
+5488.	[bug]		NTA code needed to have a weak reference on its
+			associated view to prevent the latter from being deleted
+			while NTA tests were being performed. [GL #2067]
 
-5486.	[func]		Add 'rndc dnssec -checkds' command to tell named
-			that the DS record has been published in the parent.
-			[GL #1613]
+5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
+			named that the DS record for a given zone or key has
+			been updated in the parent zone. [GL #1613]
 
 	--- 9.16.6 released ---
 

CODE_OF_CONDUCT.md

@@ -7,8 +7,8 @@ people.
 
 Diversity is one of our huge strengths, but it can also lead to communication
 issues and unhappiness. To that end, we have a few ground rules that we ask
-people to adhere to. This code applies equally to the core development team, open source contributors and those
-seeking help and guidance.
+people to adhere to. This code applies equally to the core development team,
+open source contributors and those seeking help and guidance.
 
 This isn't an exhaustive list of things that you can't do. Rather, take it in
 the spirit in which it's intended - a guide to make it easier to enrich all of

CONTRIBUTING.md

@@ -46,8 +46,9 @@ building communities that are welcoming and inclusive: environments where people
 are encouraged to share ideas, treat each other with respect, and collaborate
 towards the best solutions. To reinforce our commitment, ISC
 has adopted a slightly modified version of the Django
-[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/master/CODE_OF_CONDUCT.md) for the BIND 9 project, as well as for the conduct of our
-developers throughout the industry.
+[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
+for the BIND 9 project, as well as for the conduct of our developers throughout
+the industry.
 
 ### <a name="access"></a>Access to source code
 
@@ -80,7 +81,7 @@ Whenever a branch is ready for publication, a tag is placed of the
 form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
-`master`.
+`main`.
 
 ### <a name="bugs"></a>Reporting bugs
 
@@ -100,6 +101,7 @@ use credentials from an existing account at GitHub, GitLab, Google,
 Twitter, or Facebook.
 
 ### Reporting possible security issues
+
 If you think you may be seeing a potential security vulnerability in BIND
 (for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
 report it immediately by emailing to security-officer@isc.org. Plain-text
@@ -111,7 +113,8 @@ Do not discuss undisclosed security vulnerabilities on any public mailing list.
 ISC has a long history of handling reported vulnerabilities promptly and
 effectively and we respect and acknowledge responsible reporters.
 
-ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+ISC's Security Vulnerability Disclosure Policy is documented at
+[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
 
 If you have a crash, you may want to consult
 ["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
@@ -120,7 +123,8 @@ If you have a crash, you may want to consult
 
 BIND is licensed under the
 [Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
-Earlier versions (BIND 9.10 and earlier) were licensed under the [ISC License](https://www.isc.org/licenses/)
+Earlier versions (BIND 9.10 and earlier) were licensed under the
+[ISC License](https://www.isc.org/licenses/)
 
 ISC does not require an explicit copyright assignment for patch
 contributions.  However, by submitting a patch to ISC, you implicitly
@@ -136,7 +140,7 @@ Patches for BIND may be submitted directly via merge requests in
 repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of
-BIND -- preferably the current top of the `master` branch.  Diffs may
+BIND -- preferably the current top of the `main` branch.  Diffs may
 be generated using either `git format-patch` or `git diff`.
 
 Those wanting to write code for BIND may be interested in the
@@ -184,7 +188,8 @@ of documentation in the BIND source tree:
   they document, in files ending in `.rst`: for example, the
   `named` man page is `bin/named/named.rst`.
 * The *BIND 9 Administrator Reference Manual* is in the .rst files in
-  `doc/arm/`; the PDF and HTML versions are automatically generated from the `.rst` files.
+  `doc/arm/`; the PDF and HTML versions are automatically generated from
+  the `.rst` files.
 * API documentation is in the header file describing the API, in
   Doxygen-formatted comments.
 

README.md

@@ -344,7 +344,7 @@ the change that was made; these categories are:
 | [cleanup] | Minor corrections and refactoring |
 | [doc] | Documentation |
 | [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
-| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
+| [placeholder] | Used in the main development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
 
 In general, [func] and [experimental] tags will only appear in new-feature
 releases (i.e., those with version numbers ending in zero).  Some new

doc/arm/notes.rst

@@ -59,7 +59,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.16.7.rst
 .. include:: ../notes/notes-9.16.6.rst
 .. include:: ../notes/notes-9.16.5.rst
 .. include:: ../notes/notes-9.16.4.rst

doc/notes/notes-9.16.7.rst

@@ -0,0 +1,55 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.16.7
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to
+  ``named`` that a DS record for a given zone or key has been published
+  or withdrawn from the parent. This command replaces the time-based
+  ``parent-registration-delay`` configuration option. [GL #1613]
+
+- Log when ``named`` adds a CDS/CDNSKEY to the zone. [GL #1748]
+
+Bug Fixes
+~~~~~~~~~
+
+- In rare circumstances, ``named`` would exit with an assertion failure
+  when the number of nodes stored in the red-black tree exceeded the
+  maximum allowed size of the internal hash table. [GL #2104]
+
+- Silence spurious system log messages for an EPROTO(71) error code that
+  was seen on older operating systems, where unhandled ICMPv6 errors
+  resulted in a generic protocol error being returned instead of a more
+  specific error code. [GL #1928]
+
+- With query name minimization enabled, ``named`` failed to resolve
+  ``ip6.arpa.`` names that had extra labels to the left of the IPv6
+  part. For example, when ``named`` attempted query name minimization on
+  a name like ``A.B.1.2.3.4.(...).ip6.arpa.``, it stopped at the
+  leftmost IPv6 label, i.e. ``1.2.3.4.(...).ip6.arpa.``, without
+  considering the extra labels (``A.B``). That caused a query loop when
+  resolving the name: if ``named`` received NXDOMAIN answers, then the
+  same query was repeatedly sent until the number of queries sent
+  reached the value of the ``max-recursion-queries`` configuration
+  option. [GL #1847]
+
+- Parsing of LOC records was made more strict by rejecting a sole period
+  (``.``) and/or ``m`` as a value. These changes prevent zone files
+  using such values from being loaded. Handling of negative altitudes
+  which are not integers was also corrected. [GL #2074]
+
+- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are
+  security issues.) [GL !3953] [GL !3975]
+
+.. _OSS-Fuzz: https://github.com/google/oss-fuzz

doc/notes/notes-current.rst

@@ -1,59 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.16.7
----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- None.
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- New ``rndc`` command ``rndc dnssec -checkds`` to tell ``named``
-  that a DS record for a given zone or key has been published or withdrawn
-  from the parent. Replaces the time-based ``parent-registration-delay``
-  configuration option. [GL #1613]
-
-- Log when ``named`` adds a CDS/CDNSKEY to the zone. [GL #1748]
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- None.
-
-Bug Fixes
-~~~~~~~~~
-
-- In rare circumstances, named would exit with assertion failure when the number
-  of nodes stored in the red-black-tree exceeds the maximum allowed size of the
-  internal hashtable.  [GL #2104]
-
-- Silence spurious system log messages for EPROTO(71) error code that has been
-  seen on older operating systems where unhandled ICMPv6 errors result in a
-  generic protocol error being returned instead of the more specific error code.
-  [GL #1928]
-
-- With query minimization enabled, named failed to resolve ip6.arpa. names
-  that had more labels before the IPv6 part. For example, when named
-  implemented query minimization on a name like
-  ``A.B.1.2.3.4.(...).ip6.arpa.``, it stopped at the left-most IPv6 label, i.e.
-  ``1.2.3.4.(...).ip6.arpa.`` without considering the extra labels ``A.B``.
-  That caused a query loop when resolving the name: if named received
-  NXDOMAIN answers, then the same query was repeatedly sent until the number
-  of queries sent reached the value in the ``max-recursion-queries``
-  configuration option. [GL #1847]

lib/dns/api

@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1606
+LIBINTERFACE = 1607
 LIBREVISION = 0
-LIBAGE = 1
+LIBAGE = 0

lib/isc/api

@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1606
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

lib/isccfg/api

@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1600
-LIBREVISION = 4
+LIBINTERFACE = 1601
+LIBREVISION = 0
 LIBAGE = 0

util/copyrights

@@ -1457,7 +1457,7 @@
 ./doc/notes/notes-9.16.4.rst			RST	2020
 ./doc/notes/notes-9.16.5.rst			RST	2020
 ./doc/notes/notes-9.16.6.rst			RST	2020
-./doc/notes/notes-current.rst			RST	2020
+./doc/notes/notes-9.16.7.rst			RST	2020
 ./docutil/HTML_COPYRIGHT			X	2001,2004,2016,2018,2019,2020
 ./docutil/MAN_COPYRIGHT				X	2001,2004,2016,2018,2019,2020
 ./docutil/patch-db2latex-duplicate-template-bug	X	2007,2018,2019,2020

version

@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Stable Release)"
 MAJORVER=9
 MINORVER=16
-PATCHVER=6
+PATCHVER=7
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=