Commit 2edba877 authored by Michal Nowak

Merge branch 'v9_17_11-release' into 'main'

Merge 9.17.11 release branch

See merge request !4818
parents ffea6056 3265dfa9
......@@ -71,7 +71,7 @@
- [ ] ***(Support)*** Publish links to downloads on ISC website.
- [ ] ***(Support)*** Write release email to *bind-announce*.
- [ ] ***(Support)*** Write email to *bind-users* (if a major release).
- [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition.
- [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket).
- [ ] ***(Support)*** Update tickets in case of waiting support customers.
- [ ] ***(QA)*** Build and test any outstanding private packages.
- [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).
......
......@@ -13,15 +13,17 @@
5598. [port] Cast (char) to (unsigned char) when calling ctype
tests. [GL #2567]
 
--- 9.17.11 released ---
5597. [bug] When serve-stale was enabled and starting the recursive
resolution process for a query failed, a named instance
could crash if it was configured as both a recursive and
authoritative server. This problem was introduced by
change 5573 and has now been fixed. [GL #2565]
 
5596. [func] Client-side support for DNS-over-HTTPS (DoH) has
been added to dig. "dig +https" can now query
a server via HTTP/2. [GL #1641]
5596. [func] Client-side support for DNS-over-HTTPS (DoH) has been
added to dig. "dig +https" can now query a server via
HTTP/2. [GL #1641]
 
5595. [cleanup] Public header files for BIND 9 libraries no longer
directly include third-party library headers. This
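Review bot: change 5597 [GL #2565] is placed below the "--- 9.17.11 released ---" marker, so it ships in 9.17.11, yet the new doc/notes/notes-9.17.11.rst added in this merge has no Bug Fixes bullet for it; a crash of a named instance configured as both recursive and authoritative when starting recursion fails, introduced by change 5573, is exactly the kind of regression operators scan release notes for, so add a bullet mirroring this entry ("When serve-stale was enabled and starting the recursive resolution process for a query failed, a named instance could crash ..."). The 5596 change in this hunk is only a rewrap and needs no further action.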
......@@ -33,72 +35,75 @@
5594. [bug] Building with --enable-dnsrps --enable-dnsrps-dl failed.
[GL #2298]
 
5593. [bug] Journal files written by older versions of named
can now be read when loading zones so that journal
incompatibility will not cause problems on upgrade.
Outdated journals will be updated to the new format
after loading. [GL #2505]
5593. [bug] Journal files written by older versions of named can now
be read when loading zones, so that journal
incompatibility does not cause problems on upgrade.
Outdated journals are updated to the new format after
loading. [GL #2505]
 
5592. [bug] Add globally available thread_id (isc_tid_v) that's
incremented for each new thread, but the old thread
ids are reused, so the maximum thread_id always
correspond to the maximum number of threads running
at the time. This fixes the hazard pointer tables
overflow on machines with many cores. [GL #2396]
5592. [bug] Prevent hazard pointer table overflows on machines with
many cores, by allowing the thread IDs (serving as
indices into hazard pointer tables) of finished threads
to be reused by those created later. [GL #2396]
 
5591. [bug] Fix a crash happening when "stale-answer-client-timeout"
is triggered and there is no (stale) data for it in the
cache. [GL #2503]
5591. [bug] Fix a crash that occurred when
"stale-answer-client-timeout" was triggered without any
(stale) data available in the cache to answer the query.
[GL #2503]
 
5590. [bug] Process NSEC3PARAM queue when loading a dynamic zone.
This will immediately create NSEC3 records for zones
that use "dnssec-policy" and "nsec3param". [GL #2498]
5590. [bug] NSEC3 records were not immediately created for dynamic
zones using NSEC3 with "dnssec-policy", resulting in
such zones going bogus. Add code to process the
NSEC3PARAM queue at zone load time so that NSEC3 records
for such zones are created immediately. [GL #2498]
 
5589. [placeholder]
 
5588. [func] Add "purge-keys" option to "dnssec-policy". This sets
the time how long key files should be retained after
they have become obsolete. [GL #2408]
5588. [func] Add a new "purge-keys" option for "dnssec-policy". This
option determines the period of time for which key files
are retained after they become obsolete. [GL #2408]
 
5587. [bug] A standalone libtool script no longer needs to be
present in PATH in order to build BIND 9 from a source
tarball prepared using "make dist". [GL #2504]
present in PATH to build BIND 9 from a source tarball
prepared using "make dist". [GL #2504]
 
5586. [bug] An invalid direction field in a LOC record resulted in
an INSIST failure. [GL #2499]
an INSIST failure when a zone file containing such a
record was loaded. [GL #2499]
 
5585. [func] Implementations of memory contexts and memory pools were
5585. [func] Memory contexts and memory pool implementations were
refactored to reduce lock contention for shared memory
contexts by replacing mutexes with atomic operations.
The internal memory allocator was simplified so that it
is only a thin wrapper around the system allocator.
Since this change makes the "-M external" named option
redundant, the latter was removed. [GL #2433]
is only a thin wrapper around the system allocator. This
change made the "-M external" named option redundant and
it was therefore removed. [GL #2433]
 
5584. [bug] Rollback setting IP_DONTFRAG option on the UDP sockets.
[GL #2487]
5584. [bug] No longer set the IP_DONTFRAG option on UDP sockets, to
prevent dropping outgoing packets exceeding
"max-udp-size". [GL #2466]
 
5583. [func] Changes to DoH configuration syntax:
5583. [func] Changes to DNS-over-HTTPS (DoH) configuration syntax:
- When "http" is specified in "listen-on" or
"listen-on-v6" statements, "tls" must also now
be specified. If an unencrypted connection is
desired (for example, when running behind a
reverse proxy), use "tls none".
- "http default" can how be specified in "listen-on"
and "listen-on-v6" statements to use the default
HTTP endpoint, "/dns-query". It is no longer
necessary to include an "http" statement in
named.conf unless overriding this value.
"listen-on-v6" statements, "tls" must also now be
specified. If an unencrypted connection is desired
(for example, when running behind a reverse proxy),
use "tls none".
- "http default" can now be specified in "listen-on" and
"listen-on-v6" statements to use the default HTTP
endpoint of "/dns-query". It is no longer necessary to
include an "http" statement in named.conf unless
overriding this value.
[GL #2472]
 
5582. [bug] BIND 9 failed to build when static OpenSSL libraries
were used and the *.pc files for libssl and/or libcrypto
were unavailable. This has been fixed by ensuring the
correct linking order for libssl and libcrypto is always
used. [GL #2402]
were used and the pkg-config files for libssl and/or
libcrypto were unavailable. This has been fixed by
ensuring that the correct linking order for libssl and
libcrypto is always used. [GL #2402]
 
5581. [bug] Fix memory leak happening when inline-signed zones
were added to the configuration followed by a
5581. [bug] Fix a memory leak that occurred when inline-signed zones
were added to the configuration, followed by a
reconfiguration of named. [GL #2041]
 
5580. [test] The system test framework no longer differentiates
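Review bot: the 5584 entry changes its issue reference from "[GL #2487]" to "[GL #2466]", while the notes-current.rst text being removed for the same IP_DONTFRAG rollback still cites GL #2487 and the new notes-9.17.11.rst cites GL #2466; confirm which issue is correct and use one number consistently across CHANGES and the release notes. The 5590 rewording also adds the claim "resulting in such zones going bogus", which the original entry and the corresponding release note (GL #2498) do not state; either keep it in both places or drop it here so CHANGES and the notes describe the same impact.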
......@@ -106,11 +111,11 @@
system test which is not run is now marked as SKIPPED.
[GL !4517]
 
5579. [bug] If an invalid key name (e.g. "a..b") is
specified in an primaries list in named.conf
the wrong size is passed to isc_mem_put
resulting in the returned memory being put
on the wrong freed list. [GL #2460]
5579. [bug] If an invalid key name (e.g. "a..b") was specified in a
primaries list in named.conf, the wrong size was passed
to isc_mem_put(), resulting in the returned memory being
put on the wrong free list. This prevented named from
starting up. [GL #2460]
 
--- 9.17.10 released ---
 
......
......@@ -14,7 +14,7 @@
#
m4_define([bind_VERSION_MAJOR], 9)dnl
m4_define([bind_VERSION_MINOR], 17)dnl
m4_define([bind_VERSION_PATCH], 10)dnl
m4_define([bind_VERSION_PATCH], 11)dnl
m4_define([bind_VERSION_EXTRA], )dnl
m4_define([bind_DESCRIPTION], [(Development Release)])dnl
m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
......
......@@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.17.11.rst
.. include:: ../notes/notes-9.17.10.rst
.. include:: ../notes/notes-9.17.9.rst
.. include:: ../notes/notes-9.17.8.rst
......
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.11
----------------------
New Features
~~~~~~~~~~~~
- ``dig`` has been extended to support DNS-over-HTTPS (DoH) queries,
using ``dig +https`` and related options. [GL #1641]
- A new ``purge-keys`` option has been added to ``dnssec-policy``. It
sets the period of time that key files are retained after becoming
obsolete due to a key rollover; the default is 90 days. This feature
can be disabled by setting ``purge-keys`` to 0. [GL #2408]
Feature Changes
~~~~~~~~~~~~~~~
- To prevent users from inadvertently configuring unencrypted
DNS-over-HTTPS (DoH) in BIND 9, ``listen-on`` and ``listen-on-v6``
statements using the ``http`` parameter must now also specify the
``tls`` parameter. ``tls none`` can be used to explicitly allow
unencrypted HTTP connections. [GL #2472]
- ``http default`` can now be specified in ``listen-on`` and
``listen-on-v6`` statements to use the default HTTP endpoint of
``/dns-query``. It is no longer necessary to include an ``http``
statement in ``named.conf`` unless overriding this value. [GL #2472]
Bug Fixes
~~~~~~~~~
- Zone journal (``.jnl``) files created by versions of ``named`` prior
to 9.16.12 were no longer compatible; this could cause problems when
upgrading if journal files were not synchronized first. This has been
corrected: older journal files can now be read when starting up. When
an old-style journal file is detected, it is updated to the new format
immediately after loading.
Note that journals created by the current version of ``named`` are not
usable by versions prior to 9.16.12. Before downgrading to a prior
release, users are advised to ensure that all dynamic zones have been
synchronized using ``rndc sync -clean``.
A journal file's format can be changed manually by running
``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
(upgrade). Note that this *must not* be done while ``named`` is
running. [GL #2505]
- ``named`` crashed when it was allowed to serve stale answers and
``stale-answer-client-timeout`` was triggered without any (stale) data
available in the cache to answer the query. [GL #2503]
- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
instead of sending back a proper response. To prevent this problem,
the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
been happening since BIND 9.17.6. [GL #2466]
- NSEC3 records were not immediately created when signing a dynamic zone
using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
[GL #2498]
- A memory leak occurred when ``named`` was reconfigured after adding an
inline-signed zone with ``auto-dnssec maintain`` enabled. This has
been fixed. [GL #2041]
- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
a LOC record resulted in an INSIST failure when a zone file containing
such a record was loaded. [GL #2499]
- If an invalid key name (e.g. ``a..b``) was specified in a
``primaries`` list in ``named.conf``, the wrong size was passed to
``isc_mem_put()``, which resulted in the returned memory being put on
the wrong free list and prevented ``named`` from starting up. This has
been fixed. [GL #2460]
- ``libtool`` was inadvertently introduced as a build-time requirement
when the build system was revamped in BIND 9.17.2. This unnecessarily
prevented hosts without that tool from building BIND 9 from source
tarballs. A standalone ``libtool`` script no longer needs to be
present in ``PATH`` to build BIND 9 from a source tarball. [GL #2504]
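Review bot: notes-9.17.11.rst drops the "Security Fixes", "Known Issues" and "Removed Features" sections that notes-current.rst carries (with "None." where empty), so a reader cannot tell whether 9.17.11 has no security fixes or whether the section was simply left out; keep the sections with "None." as the template does. The Bug Fixes list also lacks an entry for change 5597 [GL #2565] from CHANGES (serve-stale crash on a combined recursive/authoritative named), which belongs here alongside the GL #2503 crash fix. On the DoH Feature Change: the "tls none" opt-in matches CHANGES 5583 and is the right default-secure wording.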
......@@ -8,7 +8,7 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.11
Notes for BIND 9.17.12
----------------------
Security Fixes
......@@ -24,13 +24,7 @@ Known Issues
New Features
~~~~~~~~~~~~
- ``dig`` has been extended to support DNS-over-HTTPS (DoH) queries,
using ``dig +https`` and related options. [GL #1641]
- A new option, ``purge-keys``, has been added to ``dnssec-policy``. It sets
the time how long key files should be retained after they have become
obsolete (due to a key rollover). Default is 90 days, and the feature can
be disabled by setting it to 0. [GL #2408]
- None.
Removed Features
~~~~~~~~~~~~~~~~
......@@ -45,44 +39,6 @@ Feature Changes
Bug Fixes
~~~~~~~~~
- If an invalid key name (e.g. "a..b") was specified in a ``primaries``
list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``,
which resulted in the returned memory being put on the wrong freed
list. This has been fixed. [GL #2460]
- If an outgoing packet would exceed max-udp-size, it would be dropped instead
of sending a proper response back. Rollback setting the IP_DONTFRAG on the
UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
[GL #2487]
- NSEC3 records were not immediately created when signing a dynamic zone with
``dnssec-policy`` and ``nsec3param``. This has been fixed [GL #2498].
- An invalid direction field (not one of 'N'/'S' or 'E'/'W') in a LOC record
triggered an INSIST failure. [GL #2499]
- Previously, a BIND server could experience an unexpected server termination
(crash) if the return of stale cached answers was enabled and
``stale-answer-client-timeout`` was applied to a client query in process.
This has been fixed. [GL #2503]
- Zone journal (``.jnl``) files created by versions of ``named`` prior
to 9.16.12 were no longer compatible; this could cause problems when
upgrading if journal files were not synchronized first. This has been
corrected: older journal files can now be read when starting up. When
an old-style journal file is detected, it is updated to the new
format immediately after loading.
Note that journals created by the current version of ``named`` are not
usable by versions prior to 9.16.12. Before downgrading to a prior
release, users are advised to ensure that all dynamic zones have been
synchronized using ``rndc sync -clean``.
A journal file's format can be changed manually by running
``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
(upgrade). Note that this *must not* be done while ``named`` is
running. [GL #2505]
- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
This has been fixed. [GL #2523]
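Review bot: the bullet "Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed. [GL #2523]" is removed here but does not reappear in the new notes-9.17.11.rst, and CHANGES shows 5589 as "[placeholder]" with no GL #2523 entry; confirm whether that fix is part of 9.17.11 and, if so, restore the bullet in notes-9.17.11.rst and fill in the CHANGES placeholder, otherwise note where it moved. The rest of this hunk is a straight move of already-released bullets into the versioned notes file and looks correct.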
......