Prepare release notes for BIND 9.16.4

This commit is contained in:
Michał Kępień 2020-06-10 13:18:50 +02:00
parent ef42ca2864
commit 40b3591eea
8 changed files with 152 additions and 132 deletions

View file

@ -16,37 +16,40 @@ Release Notes
Introduction
------------
BIND 9.16 is a stable branch of BIND. This document summarizes significant
changes since the last production release on that branch. Please see the
file CHANGES for a more detailed list of changes and bug fixes.
BIND 9.16 is a stable branch of BIND. This document summarizes
significant changes since the last production release on that branch.
Please see the file CHANGES for a more detailed list of changes and bug
fixes.
Note on Version Numbering
-------------------------
As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
release numbering convention. BIND 9.16 contains new features that
were added during the BIND 9.15 development process. Henceforth, the
9.16 branch will be limited to bug fixes, and new feature development
will proceed in the unstable 9.17 branch.
release numbering convention. BIND 9.16 contains new features that were
added during the BIND 9.15 development process. Henceforth, the 9.16
branch will be limited to bug fixes, and new feature development will
proceed in the unstable 9.17 branch.
Supported Platforms
-------------------
To build on UNIX-like systems, BIND requires support for POSIX.1c threads
(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6
(:rfc:`3542`), and standard atomic operations provided by the C compiler.
To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6
(:rfc:`3542`), and standard atomic operations provided by the C
compiler.
The libuv asynchronous I/O library and the OpenSSL cryptography library
must be available for the target platform. A PKCS#11 provider can be used
instead of OpenSSL for Public Key cryptography (i.e., DNSSEC signing and
validation), but OpenSSL is still required for general cryptography
operations such as hashing and random number generation.
must be available for the target platform. A PKCS#11 provider can be
used instead of OpenSSL for Public Key cryptography (i.e., DNSSEC
signing and validation), but OpenSSL is still required for general
cryptography operations such as hashing and random number generation.
More information can be found in the ``PLATFORMS.md`` file that is included
in the source distribution of BIND 9. If your compiler and system libraries
provide the above features, BIND 9 should compile and run. If that isn't
the case, the BIND development team will generally accept patches that add
support for systems that are still supported by their respective vendors.
More information can be found in the ``PLATFORMS.md`` file that is
included in the source distribution of BIND 9. If your compiler and
system libraries provide the above features, BIND 9 should compile and
run. If that is not the case, the BIND development team will generally
accept patches that add support for systems that are still supported by
their respective vendors.
Download
--------
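Review bot: the re-wrap of the last paragraph in this hunk (the one ending "supported by their respective vendors") also changes the wording from "If that isn't the case" to "If that is not the case"; a text change hidden inside what is otherwise a line-wrap-only hunk is easy to miss in review, so either mention it in the commit message or keep wording edits separate from reflow commits. The remaining changes in this hunk are pure re-wrapping to the same column width and the text content is unchanged.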
@ -56,7 +59,7 @@ https://www.isc.org/download/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.16.4.rst
.. include:: ../notes/notes-9.16.3.rst
.. include:: ../notes/notes-9.16.2.rst
.. include:: ../notes/notes-9.16.1.rst
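Review bot: this replaces the ``notes-current.rst`` include with ``notes-9.16.4.rst`` instead of keeping ``notes-current.rst`` at the top of the list above the versioned files. Once the 9.16.4 release is tagged, fixes landing on the branch need a place to be recorded again, which means re-creating the file and re-adding this include in a follow-up; keeping the ``notes-current.rst`` include in place (with a placeholder file) would avoid that churn and make it harder to forget.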
@ -92,9 +95,7 @@ supported until at least December 2021. See
https://kb.isc.org/docs/aa-00896 for details of ISC's software support
policy.
Thank You
---------
Thank you to everyone who assisted us in making this release possible.
License
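Review bot: the "Thank You" section is dropped from the release notes document with no replacement, and the commit message ("Prepare release notes for BIND 9.16.4") does not say that this is intended. The acknowledgement does not appear in the new ``notes-9.16.4.rst`` either, so if the section is meant to go away it should be mentioned in the commit message; otherwise restore it ahead of the "License" heading.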

View file

@ -8,18 +8,14 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. _relnotes-9.16.0:
Notes for BIND 9.16.0
=====================
---------------------
*Note: this section only lists changes from BIND 9.14 (the previous
stable branch of BIND).*
.. _relnotes-9.16.0-new:
New Features
------------
~~~~~~~~~~~~
- A new asynchronous network communications system based on ``libuv``
is now used by ``named`` for listening for incoming requests and
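Review bot: removing the ``.. _relnotes-9.16.0:`` and ``.. _relnotes-9.16.0-new:`` labels will break any ``:ref:`` that still points at them, and Sphinx only reports that as a warning unless the build runs with ``-W``; please grep the ARM sources for ``relnotes-9.16`` before merging. The same applies to the matching label removals in the 9.16.1, 9.16.2 and 9.16.3 files below. The heading-level change (``=`` to ``-`` for the file title, ``-`` to ``~`` for the subsections) is consistent with the including document, which already uses ``-`` for its own sections, so the included notes now sit at the same level as "Introduction" and "Download".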
@ -72,10 +68,8 @@ New Features
- Statistics channel groups can now be toggled. [GL #1030]
.. _relnotes-9.16.0-changes:
Feature Changes
---------------
~~~~~~~~~~~~~~~
- When static and managed DNSSEC keys were both configured for the same
name, or when a static key was used to configure a trust anchor for
@ -138,10 +132,8 @@ Feature Changes
Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
respected. [GL #658]
.. _relnotes-9.16.0-removed:
Removed Features
----------------
~~~~~~~~~~~~~~~~
- The ``dnssec-enable`` option has been obsoleted and no longer has any
effect. DNSSEC responses are always enabled if signatures and other

View file

@ -8,15 +8,11 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. _relnotes-9.16.1:
Notes for BIND 9.16.1
=====================
.. _relnotes-9.16.1-known:
---------------------
Known Issues
------------
~~~~~~~~~~~~
- UDP network ports used for listening can no longer simultaneously be
used for sending traffic. An example configuration which triggers
@ -27,10 +23,8 @@ Known Issues
dispatch for reserved port") on some of them. There are currently no
plans to make such a combination of settings work again.
.. _relnotes-9.16.1-changes:
Feature Changes
---------------
~~~~~~~~~~~~~~~
- The system-provided POSIX Threads read-write lock implementation is
now used by default instead of the native BIND 9 implementation.
@ -43,10 +37,8 @@ Feature Changes
BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
glibc is available. [GL !3125]
.. _relnotes-9.16.1-bugs:
Bug Fixes
---------
~~~~~~~~~
- Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all.

View file

@ -8,24 +8,18 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. _relnotes-9.16.2:
Notes for BIND 9.16.2
=====================
.. _relnotes-9.16.2-security:
---------------------
Security Fixes
--------------
~~~~~~~~~~~~~~
- DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
.. _relnotes-9.16.2-known:
Known Issues
------------
~~~~~~~~~~~~
- We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
@ -35,19 +29,15 @@ Known Issues
used in the hash calculation). These are being investigated. [GL
#1685]
.. _relnotes-9.16.2-changes:
Feature Changes
---------------
~~~~~~~~~~~~~~~
- The previous DNSSEC sign statistics used lots of memory. The number
of keys to track is reduced to four per zone, which should be enough
for 99% of all signed zones. [GL #1179]
.. _relnotes-9.16.2-bugs:
Bug Fixes
---------
~~~~~~~~~
- When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, ``named`` could become nonresponsive

View file

@ -8,22 +8,11 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. _relnotes-9.16.3:
Notes for BIND 9.16.3
=====================
.. _relnotes-9.16.3-security:
Security Fixes
--------------
- None.
.. _relnotes-9.16.3-known:
---------------------
Known Issues
------------
~~~~~~~~~~~~
- BIND crashes on startup when linked against libuv 1.36. This issue is
related to recvmmsg() support in libuv which was first included in
@ -35,10 +24,8 @@ Known Issues
1.35 or libuv >= 1.37; libuv 1.36 is still not usable with BIND. [GL
#1761] [GL #1797]
.. _relnotes-9.16.3-changes:
Feature Changes
---------------
~~~~~~~~~~~~~~~
- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
relying on system defaults instead. [GL #1713]
@ -68,10 +55,8 @@ Feature Changes
zones, the exported timers also include expire and refresh times.
Contributed by Paul Frieden, Verizon Media. [GL #1232]
.. _relnotes-9.16.3-bugs:
Bug Fixes
---------
~~~~~~~~~
- A bug in dnstap initialization could prevent some dnstap data from
being logged, especially on recursive resolvers. [GL #1795]

111
doc/notes/notes-9.16.4.rst Normal file
View file

@ -0,0 +1,111 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.16.4
---------------------
Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
New Features
~~~~~~~~~~~~
- Documentation was converted from DocBook to reStructuredText. The
BIND 9 ARM is now generated using Sphinx and published on `Read the
Docs`_. Release notes are no longer available as a separate document
accompanying a release. [GL #83]
- ``named`` and ``named-checkzone`` now reject master zones that have a
DS RRset at the zone apex. Attempts to add DS records at the zone
apex via UPDATE will be logged but otherwise ignored. DS records
belong in the parent zone, not at the zone apex. [GL #1798]
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or a response. [GL #1835]
Feature Changes
~~~~~~~~~~~~~~~
- The default value of ``max-stale-ttl`` has changed from 1 week to 12
hours. This option controls how long ``named`` retains expired RRsets
in cache as a potential mitigation mechanism, should there be a
problem with one or more domains. Note that cache content retention
is independent of whether stale answers are used in response to
client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale
on|off``). Serving of stale answers when the authoritative servers
are not responding must be explicitly enabled, whereas the retention
of expired cache content takes place automatically on all versions of
BIND 9 that have this feature available. [GL #1877]
.. warning::
This change may be significant for administrators who expect that
stale cache content will be automatically retained for up to 1
week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep
the previous behavior of ``named``.
- ``listen-on-v6 { any; }`` creates a separate socket for each
interface. Previously, just one socket was created on systems
conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
in BIND 9.16.0, but it was accidentally omitted from documentation.
[GL #1782]
Bug Fixes
~~~~~~~~~
- When fully updating the NSEC3 chain for a large zone via IXFR, a
temporary loss of performance could be experienced on the secondary
server when answering queries for nonexistent data that required
DNSSEC proof of non-existence (in other words, queries that required
the server to find and to return NSEC3 data). The unnecessary
processing step that was causing this delay has now been removed.
[GL #1834]
- ``named`` could crash with an assertion failure if the name of a
database node was looked up while the database was being modified.
[GL #1857]
- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
[GL #1859]
- Previously, ``named`` did not destroy some mutexes and conditional
variables in netmgr code, which caused a memory leak on FreeBSD. This
has been fixed. [GL #1893]
- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
to an assertion failure was fixed. [GL #1808]
- Previously, ``provide-ixfr no;`` failed to return up-to-date
responses when the serial number was greater than or equal to the
current serial number. [GL #1714]
- A bug in dnssec-policy keymgr was fixed, where the check for the
existence of a given key's successor would incorrectly return
``true`` if any other key in the keyring had a successor. [GL #1845]
- With dnssec-policy, when creating a successor key, the "goal" state
of the current active key (the predecessor) was not changed and thus
never removed from the zone. [GL #1846]
- ``named-checkconf -p`` could include spurious text in
``server-addresses`` statements due to an uninitialized DSCP value.
This has been fixed. [GL #1812]
- The ARM has been updated to indicate that the TSIG session key is
generated when named starts, regardless of whether it is needed.
[GL #1842]
.. _Read the Docs: https://bind9.readthedocs.io/
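Review bot: this file has no "Known Issues" section, yet the 9.16.3 notes in the same series still state that libuv 1.36 "is still not usable with BIND" [GL #1761] [GL #1797]; if that remains true for 9.16.4 the entry should be carried forward (the 9.16.1 and 9.16.2 files also carry their known issues), and if it has been resolved the notes should say so. Two smaller points: ``named`` in the last bug-fix entry ("generated when named starts") is the only occurrence in the file not set in double backticks, and ``dnssec-policy`` in the two keymgr entries is likewise unmarked while every other option name in the file is marked up.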

View file

@ -1,51 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. _relnotes-9.16.5:
Notes for BIND 9.16.5
=====================
.. _relnotes-9.16.5-security:
Security Fixes
--------------
- None.
.. _relnotes-9.16.5-known:
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
Known Issues
------------
- None
.. _relnotes-9.16.5-changes:
Feature Changes
---------------
- None.
.. _relnotes-9.16.5-bugs:
Bug Fixes
---------
- Properly handle missing ``kyua`` command so that ``make check`` does
not fail unexpectedly when CMocka is installed, but Kyua is not.
[GL #1950]
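Review bot: the deleted ``notes-current.rst`` is headed "Notes for BIND 9.16.5" and carries a bug-fix entry for the missing ``kyua`` handling in ``make check`` [GL #1950] that does not appear anywhere in the new ``notes-9.16.4.rst``. If that fix is included in 9.16.4 it belongs under "Bug Fixes" there; if it is not, the file should be kept (or re-created with the 9.16.5 heading) rather than deleted so the entry is not lost. The two CVE entries that sat after the ``.. _relnotes-9.16.5-known:`` label in this file are now correctly placed under "Security Fixes" in the 9.16.4 notes, so their removal here is fine.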

View file

@ -1443,7 +1443,7 @@
./doc/notes/notes-9.16.1.rst RST 2020
./doc/notes/notes-9.16.2.rst RST 2020
./doc/notes/notes-9.16.3.rst RST 2020
./doc/notes/notes-current.rst RST 2020
./doc/notes/notes-9.16.4.rst RST 2020
./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020