Merge branch 'prep-release' into security-v9_16

Prepare documentation for BIND 9.16.20

See merge request isc-private/bind9!317

CHANGES

@@ -1,35 +1,47 @@
-5688.	[bug]		Inline and dnssec-policy zones could fail to apply
-			changes from the unsigned zone to the signed zone
-			under certain cirumstances. [GL #2735]
+	--- 9.16.20 released ---
 
-5687.	[bug]		Update the load time of touched inline zones.
-			[GL #2542]
+5689.	[security]	An assertion failure occurred when named attempted to
+			send a UDP packet that exceeded the MTU size, if
+			Response Rate Limiting (RRL) was enabled.
+			(CVE-2021-25218) [GL #2856]
+
+5688.	[bug]		Zones using KASP and inline-signed zones failed to apply
+			changes from the unsigned zone to the signed zone under
+			certain circumstances. This has been fixed. [GL #2735]
+
+5687.	[bug]		"rndc reload <zonename>" could trigger a redundant
+			reload for an inline-signed zone whose zone file was not
+			modified since the last "rndc reload". This has been
+			fixed. [GL #2855]
 
 5686.	[func]		The number of internal data structures allocated for
 			each zone was reduced. [GL #2829]
 
-5685.	[bug]		Check the opcodes of messages returned by
-			dns_request_getresponse.  [GL #2762]
+5685.	[bug]		named failed to check the opcode of responses when
+			performing zone refreshes, stub zone updates, and UPDATE
+			forwarding. This has been fixed. [GL #2762]
 
-5682.	[bug]		Not all changes to zone-statistics settings were
-			properly processed. [GL #2820]
+5682.	[bug]		Some changes to "zone-statistics" settings were not
+			properly processed by "rndc reconfig". This has been
+			fixed. [GL #2820]
 
-5681.	[func]		Relax the "zone_cdscheck" function to allow CDS and
-			CDNSKEY records in the zone that do not match an
-			existing DNSKEY record, so long as the algorithm
-			does match. This allows a clean rollover from one
+5681.	[func]		Relax the checks in the dns_zone_cdscheck() function to
+			allow CDS and CDNSKEY records in the zone that do not
+			match an existing DNSKEY record, as long as the
+			algorithm matches. This allows a clean rollover from one
 			provider to another in a multi-signer DNSSEC
-			configuration. [GL #2710].
+			configuration. [GL #2710]
 
-5679.	[bug]		Disable setting the thread affinity. [GL #2822]
+5679.	[func]		Thread affinity is no longer set. [GL #2822]
 
 5678.	[bug]		The "check DS" code failed to release all resources upon
 			named shutdown when a refresh was in progress. This has
 			been fixed. [GL #2811]
 
 5672.	[bug]		Authentication of rndc messages could fail if a
-			"controls" statement was configured with multiple
-			key algorithms in the same listener. [GL #2756]
+			"controls" statement was configured with multiple key
+			algorithms for the same listener. This has been fixed.
+			[GL #2756]
 
 	--- 9.16.19 released ---
 

doc/arm/notes.rst

@@ -59,7 +59,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.16.20.rst
 .. include:: ../notes/notes-9.16.19.rst
 .. include:: ../notes/notes-9.16.18.rst
 .. include:: ../notes/notes-9.16.17.rst

doc/notes/notes-9.16.20.rst

@@ -0,0 +1,49 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.16.20
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Fixed an assertion failure that occurred in ``named`` when it
+  attempted to send a UDP packet that exceeded the MTU size, if
+  Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
+
+- ``named`` failed to check the opcode of responses when performing zone
+  refreshes, stub zone updates, and UPDATE forwarding. This could lead
+  to an assertion failure under certain conditions and has been
+  addressed by rejecting responses whose opcode does not match the
+  expected value. :gl:`#2762`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Testing revealed that setting the thread affinity for various types of
+  ``named`` threads led to inconsistent recursive performance, as
+  sometimes multiple sets of threads competed over a single resource.
+
+  Due to the above, ``named`` no longer sets thread affinity. This
+  causes a slight dip of around 5% in authoritative performance, but
+  recursive performance is now consistently improved. :gl:`#2822`
+
+- CDS and CDNSKEY records can now be published in a zone without the
+  requirement that they exactly match an existing DNSKEY record, as long
+  as the zone is signed with an algorithm represented in the CDS or
+  CDNSKEY record. This allows a clean rollover from one DNS provider to
+  another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
+
+Bug Fixes
+~~~~~~~~~
+
+- Authentication of ``rndc`` messages could fail if a ``controls``
+  statement was configured with multiple key algorithms for the same
+  listener. This has been fixed. :gl:`#2756`

doc/notes/notes-current.rst

@@ -1,57 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.16.20
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- Named failed to check the opcode of responses when performing refresh,
-  stub updates, and UPDATE forwarding.  This could lead to an assertion
-  failure under particular conditions.  This has been addressed by checking
-  the opcode of those responses and rejecting the messages if they don't
-  match the expected value. :gl:`#2762`
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- None.
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- CDS and CDNSKEY records may now be published in a zone without the
-  requirement that they exactly match an existing DNSKEY record, so long
-  the zone is signed with an algorithm represented in the CDS or CDNSKEY
-  record.  This allows a clean rollover from one DNS provider to another
-  when using a multiple-signer DNSSEC configuration. :gl:`#2710`
-
-Bug Fixes
-~~~~~~~~~
-
-- Testing revealed that setting the thread affinity on both the netmgr
-  and netthread threads led to inconsistent recursive performance, as
-  sometimes the netmgr and netthread threads competed over a single
-  resource.
-
-  When the affinity is not set, tests show a slight dip in the authoritative
-  performance of around 5% (ranging from 3.8% to 7.8%), but
-  the recursive performance is now consistently improved. :gl:`#2822`

lib/isc/netmgr/netmgr-int.h

@@ -1403,9 +1403,10 @@ isc__nm_socket_incoming_cpu(uv_os_sock_t fd);
  */
 
 isc_result_t
-isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family);
+isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family);
 /*%<
- * Set the SO_IP_DONTFRAG (or equivalent) socket option of the fd if available
+ * Disable the Path MTU Discovery, either by disabling IP(V6)_DONTFRAG socket
+ * option, or setting the IP(V6)_MTU_DISCOVER socket option to IP_PMTUDISC_OMIT
  */
 
 isc_result_t

lib/isc/netmgr/netmgr.c

@@ -2937,20 +2937,20 @@ isc__nm_socket_incoming_cpu(uv_os_sock_t fd) {
 }
 
 isc_result_t
-isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
+isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family) {
 	/*
-	 * Set the Don't Fragment flag on IP packets
+	 * Disable the Path MTU Discovery on IP packets
 	 */
 	if (sa_family == AF_INET6) {
 #if defined(IPV6_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IPV6_MTU_DISCOVER)
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {
@@ -2961,14 +2961,14 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
 #endif
 	} else if (sa_family == AF_INET) {
 #if defined(IP_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IP_MTU_DISCOVER)
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {

lib/isc/netmgr/udp.c

@@ -65,7 +65,7 @@ isc__nm_udp_lb_socket(sa_family_t sa_family) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 	(void)isc__nm_socket_incoming_cpu(sock);
-	(void)isc__nm_socket_dontfrag(sock, sa_family);
+	(void)isc__nm_socket_disable_pmtud(sock, sa_family);
 
 	result = isc__nm_socket_reuse(sock);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
@@ -783,7 +783,7 @@ isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 
 	(void)isc__nm_socket_incoming_cpu(sock->fd);
 
-	(void)isc__nm_socket_dontfrag(sock->fd, sa_family);
+	(void)isc__nm_socket_disable_pmtud(sock->fd, sa_family);
 
 	event = isc__nm_get_netievent_udpconnect(mgr, sock, req);
 

lib/isc/trampoline_p.h

@@ -31,8 +31,8 @@
  * that slot can use the same thread ID that its predecessor did.
  *
  * The trampoline table initially has space for 64 worker threads in
- * addition to the main thread. if more threads than that in concurrent
- * concurrently, the table is reallocated with twice as much space.
+ * addition to the main thread. If more threads than that are in
+ * concurrent use, the table is reallocated with twice as much space.
  * (Note that the number of concurrent threads is currently capped at
  * 128 by the queue and hazard pointer implementations.)
  */

lib/isc/unix/socket.c

@@ -2100,27 +2100,27 @@ set_tcp_maxseg(isc_socket_t *sock, int size) {
 }
 
 static void
-set_ip_dontfrag(isc_socket_t *sock) {
+set_ip_disable_pmtud(isc_socket_t *sock) {
 	/*
-	 * Set the Don't Fragment flag on IP packets
+	 * Disable Path MTU Discover on IP packets
 	 */
 	if (sock->pf == AF_INET6) {
 #if defined(IPV6_DONTFRAG)
 		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_DONTFRAG,
-				 &(int){ 1 }, sizeof(int));
+				 &(int){ 0 }, sizeof(int));
 #endif
-#if defined(IPV6_MTU_DISCOVER)
+#if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
-				 &(int){ IP_PMTUDISC_DO }, sizeof(int));
+				 &(int){ IP_PMTUDISC_OMIT }, sizeof(int));
 #endif
 	} else if (sock->pf == AF_INET) {
 #if defined(IP_DONTFRAG)
-		(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &(int){ 1 },
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &(int){ 0 },
 				 sizeof(int));
 #endif
-#if defined(IP_MTU_DISCOVER)
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		(void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
-				 &(int){ IP_PMTUDISC_DO }, sizeof(int));
+				 &(int){ IP_PMTUDISC_OMIT }, sizeof(int));
 #endif
 	}
 }
@@ -2411,7 +2411,7 @@ again:
 #endif /* ifdef IP_RECVTOS */
 #endif /* defined(USE_CMSG) || defined(SET_RCVBUF) || defined(SET_SNDBUF) */
 
-	set_ip_dontfrag(sock);
+	set_ip_disable_pmtud(sock);
 
 setup_done:
 	inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);

lib/ns/client.c

@@ -794,8 +794,6 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
 		dns_rrl_result_t rrl_result;
 		int loglevel;
 
-		INSIST(rcode != dns_rcode_noerror &&
-		       rcode != dns_rcode_nxdomain);
 		if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) {
 			loglevel = DNS_RRL_LOG_DROP;
 		} else {

version

@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=16
-PATCHVER=19
+PATCHVER=20
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=