From 40b3591eea064a2adcafd044feb3f4e20df71d33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 10 Jun 2020 13:18:50 +0200 Subject: [PATCH] Prepare release notes for BIND 9.16.4 --- doc/arm/notes.rst | 45 ++++++++------- doc/notes/notes-9.16.0.rst | 16 ++---- doc/notes/notes-9.16.1.rst | 16 ++---- doc/notes/notes-9.16.2.rst | 20 ++----- doc/notes/notes-9.16.3.rst | 23 ++------ doc/notes/notes-9.16.4.rst | 111 ++++++++++++++++++++++++++++++++++++ doc/notes/notes-current.rst | 51 ----------------- util/copyrights | 2 +- 8 files changed, 152 insertions(+), 132 deletions(-) create mode 100644 doc/notes/notes-9.16.4.rst delete mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 52fe0b32de..d1b0a66774 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -16,37 +16,40 @@ Release Notes Introduction ------------ -BIND 9.16 is a stable branch of BIND. This document summarizes significant -changes since the last production release on that branch. Please see the -file CHANGES for a more detailed list of changes and bug fixes. +BIND 9.16 is a stable branch of BIND. This document summarizes +significant changes since the last production release on that branch. +Please see the file CHANGES for a more detailed list of changes and bug +fixes. Note on Version Numbering ------------------------- As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" -release numbering convention. BIND 9.16 contains new features that -were added during the BIND 9.15 development process. Henceforth, the -9.16 branch will be limited to bug fixes, and new feature development -will proceed in the unstable 9.17 branch. +release numbering convention. BIND 9.16 contains new features that were +added during the BIND 9.15 development process. Henceforth, the 9.16 +branch will be limited to bug fixes, and new feature development will +proceed in the unstable 9.17 branch. Supported Platforms ------------------- -To build on UNIX-like systems, BIND requires support for POSIX.1c threads -(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 -(:rfc:`3542`), and standard atomic operations provided by the C compiler. +To build on UNIX-like systems, BIND requires support for POSIX.1c +threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 +(:rfc:`3542`), and standard atomic operations provided by the C +compiler. The libuv asynchronous I/O library and the OpenSSL cryptography library -must be available for the target platform. A PKCS#11 provider can be used -instead of OpenSSL for Public Key cryptography (i.e., DNSSEC signing and -validation), but OpenSSL is still required for general cryptography -operations such as hashing and random number generation. +must be available for the target platform. 
A PKCS#11 provider can be +used instead of OpenSSL for Public Key cryptography (i.e., DNSSEC +signing and validation), but OpenSSL is still required for general +cryptography operations such as hashing and random number generation. -More information can be found in the ``PLATFORMS.md`` file that is included -in the source distribution of BIND 9. If your compiler and system libraries -provide the above features, BIND 9 should compile and run. If that isn't -the case, the BIND development team will generally accept patches that add -support for systems that are still supported by their respective vendors. +More information can be found in the ``PLATFORMS.md`` file that is +included in the source distribution of BIND 9. If your compiler and +system libraries provide the above features, BIND 9 should compile and +run. If that is not the case, the BIND development team will generally +accept patches that add support for systems that are still supported by +their respective vendors. Download -------- @@ -56,7 +59,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.16.4.rst .. include:: ../notes/notes-9.16.3.rst .. include:: ../notes/notes-9.16.2.rst .. include:: ../notes/notes-9.16.1.rst @@ -92,9 +95,7 @@ supported until at least December 2021. See https://kb.isc.org/docs/aa-00896 for details of ISC's software support policy. - Thank You --------- Thank you to everyone who assisted us in making this release possible. -License diff --git a/doc/notes/notes-9.16.0.rst b/doc/notes/notes-9.16.0.rst index 51b1e20616..425b380eb6 100644 --- a/doc/notes/notes-9.16.0.rst +++ b/doc/notes/notes-9.16.0.rst 
@@ -8,18 +8,14 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -.. _relnotes-9.16.0: - Notes for BIND 9.16.0 -===================== +--------------------- *Note: this section only lists changes from BIND 9.14 (the previous stable branch of BIND).* -.. _relnotes-9.16.0-new: - New Features ------------- +~~~~~~~~~~~~ - A new asynchronous network communications system based on ``libuv`` is now used by ``named`` for listening for incoming requests and @@ -72,10 +68,8 @@ New Features - Statistics channel groups can now be toggled. [GL #1030] -.. _relnotes-9.16.0-changes: - Feature Changes ---------------- +~~~~~~~~~~~~~~~ - When static and managed DNSSEC keys were both configured for the same name, or when a static key was used to configure a trust anchor for @@ -138,10 +132,8 @@ Feature Changes Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are respected. [GL #658] -.. _relnotes-9.16.0-removed: - Removed Features ----------------- +~~~~~~~~~~~~~~~~ - The ``dnssec-enable`` option has been obsoleted and no longer has any effect. DNSSEC responses are always enabled if signatures and other diff --git a/doc/notes/notes-9.16.1.rst b/doc/notes/notes-9.16.1.rst index aa9d78d3d2..598bffa974 100644 --- a/doc/notes/notes-9.16.1.rst +++ b/doc/notes/notes-9.16.1.rst @@ -8,15 +8,11 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -.. _relnotes-9.16.1: - Notes for BIND 9.16.1 -===================== - -.. _relnotes-9.16.1-known: +--------------------- Known Issues ------------- +~~~~~~~~~~~~ - UDP network ports used for listening can no longer simultaneously be used for sending traffic. An example configuration which triggers 
@@ -27,10 +23,8 @@ Known Issues dispatch for reserved port") on some of them. There are currently no plans to make such a combination of settings work again. -.. _relnotes-9.16.1-changes: - Feature Changes ---------------- +~~~~~~~~~~~~~~~ - The system-provided POSIX Threads read-write lock implementation is now used by default instead of the native BIND 9 implementation. @@ -43,10 +37,8 @@ Feature Changes BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of glibc is available. [GL !3125] -.. _relnotes-9.16.1-bugs: - Bug Fixes ---------- +~~~~~~~~~ - Fixed re-signing issues with inline zones which resulted in records being re-signed late or not at all. diff --git a/doc/notes/notes-9.16.2.rst b/doc/notes/notes-9.16.2.rst index b3373a0167..ca7676fd1a 100644 --- a/doc/notes/notes-9.16.2.rst +++ b/doc/notes/notes-9.16.2.rst @@ -8,24 +8,18 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -.. _relnotes-9.16.2: - Notes for BIND 9.16.2 -===================== - -.. _relnotes-9.16.2-security: +--------------------- Security Fixes --------------- +~~~~~~~~~~~~~~ - DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574] -.. _relnotes-9.16.2-known: - Known Issues ------------- +~~~~~~~~~~~~ - We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some 
@@ -35,19 +29,15 @@ Known Issues used in the hash calculation). These are being investigated. [GL #1685] -.. _relnotes-9.16.2-changes: - Feature Changes ---------------- +~~~~~~~~~~~~~~~ - The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179] -.. _relnotes-9.16.2-bugs: - Bug Fixes ---------- +~~~~~~~~~ - When an RPZ policy zone was updated via zone transfer and a large number of records was deleted, ``named`` could become nonresponsive diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst index be85bf4cba..ae2f353f8f 100644 --- a/doc/notes/notes-9.16.3.rst +++ b/doc/notes/notes-9.16.3.rst @@ -8,22 +8,11 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -.. _relnotes-9.16.3: - Notes for BIND 9.16.3 -===================== - -.. _relnotes-9.16.3-security: - -Security Fixes --------------- - -- None. - -.. _relnotes-9.16.3-known: +--------------------- Known Issues ------------- +~~~~~~~~~~~~ - BIND crashes on startup when linked against libuv 1.36. This issue is related to recvmmsg() support in libuv which was first included in @@ -35,10 +24,8 @@ Known Issues 1.35 or libuv >= 1.37; libuv 1.36 is still not usable with BIND. [GL #1761] [GL #1797] -.. _relnotes-9.16.3-changes: - Feature Changes ---------------- +~~~~~~~~~~~~~~~ - BIND 9 no longer sets receive/send buffer sizes for UDP sockets, relying on system defaults instead. [GL #1713] @@ -68,10 +55,8 @@ Feature Changes zones, the exported timers also include expire and refresh times. Contributed by Paul Frieden, Verizon Media. [GL #1232] -.. _relnotes-9.16.3-bugs: - Bug Fixes ---------- +~~~~~~~~~ - A bug in dnstap initialization could prevent some dnstap data from being logged, especially on recursive resolvers. [GL #1795] 
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst new file mode 100644 index 0000000000..748633a4bf --- /dev/null +++ b/doc/notes/notes-9.16.4.rst 
@@ -0,0 +1,111 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.16.4 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- It was possible to trigger an assertion when attempting to fill an + oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850] + +- It was possible to trigger an INSIST failure when a zone with an + interior wildcard label was queried in a certain pattern. This was + disclosed in CVE-2020-8619. [GL #1111] [GL #1718] + +New Features +~~~~~~~~~~~~ + +- Documentation was converted from DocBook to reStructuredText. The + BIND 9 ARM is now generated using Sphinx and published on `Read the + Docs`_. Release notes are no longer available as a separate document + accompanying a release. [GL #83] + +- ``named`` and ``named-checkzone`` now reject master zones that have a + DS RRset at the zone apex. Attempts to add DS records at the zone + apex via UPDATE will be logged but otherwise ignored. DS records + belong in the parent zone, not at the zone apex. [GL #1798] + +- ``dig`` and other tools can now print the Extended DNS Error (EDE) + option when it appears in a request or a response. [GL #1835] + +Feature Changes +~~~~~~~~~~~~~~~ + +- The default value of ``max-stale-ttl`` has changed from 1 week to 12 + hours. This option controls how long ``named`` retains expired RRsets + in cache as a potential mitigation mechanism, should there be a + problem with one or more domains. Note that cache content retention + is independent of whether stale answers are used in response to + client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale + on|off``). 
Serving of stale answers when the authoritative servers + are not responding must be explicitly enabled, whereas the retention + of expired cache content takes place automatically on all versions of + BIND 9 that have this feature available. [GL #1877] + + .. warning:: + This change may be significant for administrators who expect that + stale cache content will be automatically retained for up to 1 + week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep + the previous behavior of ``named``. + +- ``listen-on-v6 { any; }`` creates a separate socket for each + interface. Previously, just one socket was created on systems + conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced + in BIND 9.16.0, but it was accidentally omitted from documentation. + [GL #1782] + +Bug Fixes +~~~~~~~~~ + +- When fully updating the NSEC3 chain for a large zone via IXFR, a + temporary loss of performance could be experienced on the secondary + server when answering queries for nonexistent data that required + DNSSEC proof of non-existence (in other words, queries that required + the server to find and to return NSEC3 data). The unnecessary + processing step that was causing this delay has now been removed. + [GL #1834] + +- ``named`` could crash with an assertion failure if the name of a + database node was looked up while the database was being modified. + [GL #1857] + +- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed. + [GL #1859] + +- Previously, ``named`` did not destroy some mutexes and conditional + variables in netmgr code, which caused a memory leak on FreeBSD. This + has been fixed. [GL #1893] + +- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead + to an assertion failure was fixed. [GL #1808] + +- Previously, ``provide-ixfr no;`` failed to return up-to-date + responses when the serial number was greater than or equal to the + current serial number. 
[GL #1714] + +- A bug in dnssec-policy keymgr was fixed, where the check for the + existence of a given key's successor would incorrectly return + ``true`` if any other key in the keyring had a successor. [GL #1845] + +- With dnssec-policy, when creating a successor key, the "goal" state + of the current active key (the predecessor) was not changed and thus + never removed from the zone. [GL #1846] + +- ``named-checkconf -p`` could include spurious text in + ``server-addresses`` statements due to an uninitialized DSCP value. + This has been fixed. [GL #1812] + +- The ARM has been updated to indicate that the TSIG session key is + generated when named starts, regardless of whether it is needed. + [GL #1842] + +.. _Read the Docs: https://bind9.readthedocs.io/ diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index 4363b60c83..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null 
@@ -1,51 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. _relnotes-9.16.5: - -Notes for BIND 9.16.5 -===================== - -.. _relnotes-9.16.5-security: - -Security Fixes --------------- - -- None. - -.. _relnotes-9.16.5-known: - -- It was possible to trigger an assertion when attempting to fill an - oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850] - -- It was possible to trigger an INSIST failure when a zone with an - interior wildcard label was queried in a certain pattern. This was - disclosed in CVE-2020-8619. [GL #1111] [GL #1718] - -Known Issues ------------- - -- None - -.. _relnotes-9.16.5-changes: - -Feature Changes ---------------- - -- None. - -.. _relnotes-9.16.5-bugs: - -Bug Fixes ---------- - -- Properly handle missing ``kyua`` command so that ``make check`` does - not fail unexpectedly when CMocka is installed, but Kyua is not. - [GL #1950] diff --git a/util/copyrights b/util/copyrights index 7a6b147d00..35fd28cd4a 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1443,7 +1443,7 @@ ./doc/notes/notes-9.16.1.rst RST 2020 ./doc/notes/notes-9.16.2.rst RST 2020 ./doc/notes/notes-9.16.3.rst RST 2020 -./doc/notes/notes-current.rst RST 2020 +./doc/notes/notes-9.16.4.rst RST 2020 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020
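Review bot: the hunks for notes-9.16.0.rst through notes-9.16.3.rst delete every `.. _relnotes-9.16.x...:` label (for example `.. _relnotes-9.16.2-security:`) while demoting the headings from `=====`/`-----` to `-----`/`~~~~~`. Any `:ref:` elsewhere in the ARM that still targets one of those labels will now produce an undefined-label warning from Sphinx, so grep the tree for `relnotes-` before merging, or keep the labels: they cost nothing and give advisories a stable anchor for a given release's "Security Fixes" section.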
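Review bot: both "Security Fixes" entries in notes-9.16.4.rst describe the trigger but not the exposure. "attempting to fill an oversized TCP buffer" does not say whether a remote client can cause it or what the consequence is, and "queried in a certain pattern" for the interior-wildcard INSIST failure does not say which deployments are affected (only servers authoritative for a zone with such a label, or any `named`). Operators triage upgrades from these lines, so each entry should state who can trigger the failure and what happens when it does, even if that is only "`named` terminates". Also, "trigger an assertion" should read "trigger an assertion failure", matching the INSIST wording of the second entry.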
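Review bot: the entry "``named`` and ``named-checkzone`` now reject master zones that have a DS RRset at the zone apex" is filed under "New Features", but it makes `named` refuse a zone that loaded under 9.16.3, so it belongs under "Feature Changes" and merits a `.. warning::` block like the one given for `max-stale-ttl`: an operator with a stray DS record at the apex will see that zone fail to load after upgrading, and the note should tell them to run the new `named-checkzone` against their zones before rolling out 9.16.4.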
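Review bot: the `provide-ixfr no;` bug-fix entry is ambiguous: "when the serial number was greater than or equal to the current serial number" never says which serial is being compared with the zone's current serial (the one in the client's IXFR request, presumably). Name both sides of the comparison, otherwise a reader cannot tell whether the bug affected secondaries that were up to date or ones that were ahead.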
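Review bot: notes-9.16.4.rst has no "Known Issues" section, yet the notes-9.16.3.rst hunk still carries "libuv 1.36 is still not usable with BIND" [GL #1761] [GL #1797] and the notes-9.16.1.rst hunk records the UDP listen/send port restriction with "no plans to make such a combination of settings work again". Readers of the combined page in `doc/arm/notes.rst` read the newest section first, so if either issue still applies to 9.16.4 it should be repeated there; if the libuv one was resolved in this release, say so.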
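Review bot: deleting `doc/notes/notes-current.rst` drops the "Bug Fixes" entry for the missing `kyua` command [GL #1950], which does not reappear in notes-9.16.4.rst. The deleted file was already headed "Notes for BIND 9.16.5", so if that fix is intended for the next release the commit should leave a fresh `notes-current.rst` containing just that entry (and keep its line in `util/copyrights`) rather than lose it; if it was meant for 9.16.4, it should be moved into the new file.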