From 94a463138eabe71fc46f86a85322144f4f92d5d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 1/4] Generate changelog for BIND 9.21.10 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.21.10.rst | 189 ++++++++++++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 doc/changelog/changelog-9.21.10.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 8aec77d363..83783bfefa 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.10.rst .. include:: ../changelog/changelog-9.21.9.rst .. include:: ../changelog/changelog-9.21.8.rst .. include:: ../changelog/changelog-9.21.7.rst diff --git a/doc/changelog/changelog-9.21.10.rst b/doc/changelog/changelog-9.21.10.rst new file mode 100644 index 0000000000..b21307c10e --- /dev/null +++ b/doc/changelog/changelog-9.21.10.rst 
@@ -0,0 +1,189 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.10 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40777] Fix a possible assertion failure when using the + 'stale-answer-client-timeout 0' option. ``7fafa0e48f8`` + + In specific circumstances the :iscman:`named` resolver process could + terminate unexpectedly when stale answers were enabled and the + ``stale-answer-client-timeout 0`` configuration option was used. This + has been fixed. :gl:`#5372` + +New Features +~~~~~~~~~~~~ + +- "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys" + ``119f511a458`` + + Added support for PRIVATEDNS and PRIVATEOID key usage. Added + PRIVATEOID test algorithms using the assigned OIDs for RSASHA256 and + RSASHA512. + + Added code to support proposed DS digest types that encode the + PRIVATEDNS and PRIVATEOID identifiers at the start of the digest field + of the DS record. This code is disabled by default. :gl:`#3240` + :gl:`!10341` + +- Add "named-makejournal" tool. ``6ef16565b43`` + + The `named-makejournal` tool reads two zone files for the same domain, + compares them, and generates a journal file from the differences. + :gl:`#5164` :gl:`!10081` + +- Add support to set and display the CO flag. ``419ad060238`` + + Add support to display the CO (Compact denial of existence Ok flag) + when displaying messages. + + Add support to set the CO flag when making queries in dig (+coflag). + :gl:`#5319` :gl:`!10482` + +- Replace the build system with meson. ``0c7a54095f6`` + + This MR replaces the build system with meson. 
+ + Speed: Meson is noticeably faster to setup and build than + automake/autoconf. The improvements will likely add up in CI and + development over time. + + Readability: Readability is a subjective criteria but meson is + generally regarded as easier to read compared to CMake and + automake/autoconf. + + Developer Ergonomics: Meson produces a compilation database, doesn't + require libtool wrapping of executables/debuggers and offers JSON + based build introspection. + + WrapDB and downloading dependencies is a non-issue for us since it + requires writing wrap files explicitly and has been disabled by + default via the `wrap_mode=nofallback` project option as a measure. + :gl:`!8989` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Change QP and qpcache logging from DEBUG(1) to DEBUG(3) + ``01a49e8e47a`` + + Currently qp and qpcache logs are too verbose and enabled at a level + too low compared to how often the logging is useful. + + This commit increases the logging level, while keeping it configurable + via a define. :gl:`!10604` + +- Change isc_tid to be isc_tid_t type (a signed integer type) + ``97bb7eb4df0`` + + Change the internal type used for isc_tid unit to isc_tid_t to hide + the specific integer type being used for the 'tid'. Internally, the + isc_tid unit is now using signed integer type. This allows us to have + negatively indexed arrays that works both for threads with assigned + tid and the threads with unassigned tid. Additionally, limit the + number of threads (loops) to 512 (compile time default). :gl:`!10656` + +- Parse user configuration before exclusive mode. ``b49f83a3e6c`` + + Previously, `named.conf` was parsed while the server was in exclusive + (i.e., single-threaded) mode and unable to answer queries. This could + cause an unnecessary delay in query processing when the file was + large. We now delay entry into exclusive mode until after the + configuration has been parsed, but before it is applied. :gl:`!10418` + +- Use RCU for rad name. 
``32e86ed6434`` + + The RAD/agent domain is a functionality from RFC 9567 that provides a + suffix for reporting error messages. On every query context reset, we + need to check if a RAD is configured and, if so, copy it. + + Since we allow the RAD to be changed by reconfiguring the zone, this + access is currently protected by a mutex, which causes contention. + + This commit replaces the mutex with RCU to reduce contention. The + change results in a 3% performance improvement in the 1M delegation + test. :gl:`!10616` + +Bug Fixes +~~~~~~~~~ + +- Fix the default interface-interval from 60s to 60m. ``d45109732bc`` + + When the interface-interval parser was changed from uint32 parser to + duration parser, the default value stayed at plain number `60` which + now means 60 seconds instead of 60 minutes. The documentation also + incorrectly states that the value is in minutes. That has been fixed. + :gl:`#5246` :gl:`!10281` + +- Fix purge-keys bug when using views. ``29c69d26d9f`` + + Previously, when a DNSSEC key was purged by one zone view, other zone + views would return an error about missing key files. This has been + fixed. :gl:`#5315` :gl:`!10550` + +- Use IPv6 queries in delv +ns. ``a37afc3bb18`` + + `delv +ns` invokes the same code to perform name resolution as + `named`, but it neglected to set up an IPv6 dispatch object first. + Consequently, it was behaving more like `named -4`. It now sets up + dispatch objects for both address families, and performs resolver + queries to both v4 and v6 addresses, except when one of the address + families has been suppressed by using `delv -4` or `delv -6`. + :gl:`#5352` :gl:`!10563` + +- Prevent false sharing for the .inuse member of isc_mem_t. + ``38cc19d756a`` + + Change the .inuse member of memory context to have a loop-local + variable, so there's no contention even when the same memory context + is shared among multiple threads. :gl:`#5354` :gl:`!10555` + +- Add rdata type header files to dns_header_depfiles macro. 
+ ``29eaae06e48`` + + The header file dns/rdatastruct.h was not being rebuilt when the rdata + type header files where modified. Removed proforma.c from the + list. It is a starting point for new types. :gl:`#5368` :gl:`!10574` + +- Clean up CFG_ZONE_DELEGATION. ``b1a8938d1aa`` + + `type delegation-only` has been obsolete for some time (see #3953) but + the zone type flag for it was still defined in libisccfg. It has now + been removed. :gl:`!10558` + +- Fix RTD builds and minor documentation issues. ``181ad273e8c`` + + Fix some leftover artifacts and information while transitioning BIND + to Meson. Add CI job to verify that pre-generated config grammar files + are up-to-date with code. :gl:`!10584` + +- Remove zone keyopts field. ``9e345283934`` + + The "keyopts" field of the dns_zone object was added to support + "auto-dnssec"; at that time the "options" field already had most of + its 32 bits in use by other flags, so it made sense to add a new + field. + + Since then, "options" has been widened to 64 bits, and "auto-dnssec" + has been obsoleted and removed. Most of the DNS_ZONEKEY flags are no + longer needed. The one that still seems useful (_FULLSIGN) has been + moved into DNS_ZONEOPT and the rest have been removed, along with + "keyopts" and its setter/getter functions. :gl:`!10564` + +- Various cleanups related to the isc_mem unit. ``f9528b88aea`` + + :gl:`!10671` + + From beb5214586aacc8150eafa139f87d930cf69ce7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 2/4] Prepare release notes for BIND 9.21.10 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.21.10.rst | 80 +++++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 doc/notes/notes-9.21.10.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 7b2b7883e3..00c8d5f8ed 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.10.rst .. include:: ../notes/notes-9.21.9.rst .. include:: ../notes/notes-9.21.8.rst .. include:: ../notes/notes-9.21.7.rst diff --git a/doc/notes/notes-9.21.10.rst b/doc/notes/notes-9.21.10.rst new file mode 100644 index 0000000000..063dfb0bdc --- /dev/null +++ b/doc/notes/notes-9.21.10.rst 
@@ -0,0 +1,80 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.10 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40777] Fix a possible assertion failure when using the + 'stale-answer-client-timeout 0' option. + + In specific circumstances the :iscman:`named` resolver process could + terminate unexpectedly when stale answers were enabled and the + ``stale-answer-client-timeout 0`` configuration option was used. This + has been fixed. :gl:`#5372` + +New Features +~~~~~~~~~~~~ + +- "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys" + + Added support for PRIVATEDNS and PRIVATEOID key usage. Added + PRIVATEOID test algorithms using the assigned OIDs for RSASHA256 and + RSASHA512. + + Added code to support proposed DS digest types that encode the + PRIVATEDNS and PRIVATEOID identifiers at the start of the digest field + of the DS record. This code is disabled by default. :gl:`#3240` + +- Add "named-makejournal" tool. + + The `named-makejournal` tool reads two zone files for the same domain, + compares them, and generates a journal file from the differences. + :gl:`#5164` + +- Add support to set and display the CO flag. + + Add support to display the CO (Compact denial of existence Ok flag) + when displaying messages. + + Add support to set the CO flag when making queries in dig (+coflag). + :gl:`#5319` + +Bug Fixes +~~~~~~~~~ + +- Fix the default interface-interval from 60s to 60m. 
+ + When the interface-interval parser was changed from uint32 parser to + duration parser, the default value stayed at plain number `60` which + now means 60 seconds instead of 60 minutes. The documentation also + incorrectly states that the value is in minutes. That has been fixed. + :gl:`#5246` + +- Fix purge-keys bug when using views. + + Previously, when a DNSSEC key was purged by one zone view, other zone + views would return an error about missing key files. This has been + fixed. :gl:`#5315` + +- Use IPv6 queries in delv +ns. + + `delv +ns` invokes the same code to perform name resolution as + `named`, but it neglected to set up an IPv6 dispatch object first. + Consequently, it was behaving more like `named -4`. It now sets up + dispatch objects for both address families, and performs resolver + queries to both v4 and v6 addresses, except when one of the address + families has been suppressed by using `delv -4` or `delv -6`. + :gl:`#5352` + + From 9cdaaa6511873feb205cfb6688d664491dd10d2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 3/4] Tweak and reword release notes --- doc/changelog/changelog-9.21.10.rst | 4 +- doc/notes/notes-9.21.10.rst | 63 ++++++++++++++--------------- 2 files changed, 32 insertions(+), 35 deletions(-) diff --git a/doc/changelog/changelog-9.21.10.rst b/doc/changelog/changelog-9.21.10.rst index b21307c10e..09df95b497 100644 --- a/doc/changelog/changelog-9.21.10.rst +++ b/doc/changelog/changelog-9.21.10.rst 
@@ -44,9 +44,9 @@ New Features compares them, and generates a journal file from the differences. :gl:`#5164` :gl:`!10081` -- Add support to set and display the CO flag. ``419ad060238`` +- Add support for the CO flag to dig. ``419ad060238`` - Add support to display the CO (Compact denial of existence Ok flag) + Add support to display the CO (Compact Answers OK flag) when displaying messages. Add support to set the CO flag when making queries in dig (+coflag). diff --git a/doc/notes/notes-9.21.10.rst b/doc/notes/notes-9.21.10.rst index 063dfb0bdc..d2912c8dfd 100644 --- a/doc/notes/notes-9.21.10.rst +++ b/doc/notes/notes-9.21.10.rst @@ -15,18 +15,18 @@ Notes for BIND 9.21.10 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-40777] Fix a possible assertion failure when using the - 'stale-answer-client-timeout 0' option. +- Fix a possible assertion failure when + :any:`stale-answer-client-timeout` is set to ``0``. In specific circumstances the :iscman:`named` resolver process could - terminate unexpectedly when stale answers were enabled and the - ``stale-answer-client-timeout 0`` configuration option was used. This - has been fixed. :gl:`#5372` + exit with an assertion failure when stale answers were enabled and the + :any:`stale-answer-client-timeout` configuration option was set to + ``0``. This has been fixed. :cve:`2025-40777` :gl:`#5372` New Features ~~~~~~~~~~~~ -- "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys" +- Add code paths to fully support PRIVATEDNS and PRIVATEOID keys. Added support for PRIVATEDNS and PRIVATEOID key usage. Added PRIVATEOID test algorithms using the assigned OIDs for RSASHA256 and 
@@ -36,45 +36,42 @@ New Features PRIVATEDNS and PRIVATEOID identifiers at the start of the digest field of the DS record. This code is disabled by default. :gl:`#3240` -- Add "named-makejournal" tool. +- Add :iscman:`named-makejournal` tool. - The `named-makejournal` tool reads two zone files for the same domain, - compares them, and generates a journal file from the differences. - :gl:`#5164` + The :iscman:`named-makejournal` tool reads two zone files for the same + domain, compares them, and generates a journal file from the + differences. :gl:`#5164` -- Add support to set and display the CO flag. +- Add support for the CO flag to :iscman:`dig`. - Add support to display the CO (Compact denial of existence Ok flag) - when displaying messages. - - Add support to set the CO flag when making queries in dig (+coflag). - :gl:`#5319` + Add support for Compact Denial of Existence to :iscman:`dig`. This + includes showing the CO (Compact Answers OK) flag when displaying + messages and adding an option to set the CO flag when making queries + (:option:`dig +coflag`). :gl:`#5319` Bug Fixes ~~~~~~~~~ -- Fix the default interface-interval from 60s to 60m. +- Correct the default :any:`interface-interval` from 60s to 60m. - When the interface-interval parser was changed from uint32 parser to - duration parser, the default value stayed at plain number `60` which - now means 60 seconds instead of 60 minutes. The documentation also - incorrectly states that the value is in minutes. That has been fixed. - :gl:`#5246` + When the :any:`interface-interval` parser was changed from a + ``uint32`` parser to a duration parser, the default value stayed at + plain number ``60`` which now means 60 seconds instead of 60 minutes. + The documentation also incorrectly states that the value is in + minutes. That has been fixed. :gl:`#5246` -- Fix purge-keys bug when using views. +- Fix a :any:`purge-keys` bug when using multiple views of a zone. 
Previously, when a DNSSEC key was purged by one zone view, other zone views would return an error about missing key files. This has been fixed. :gl:`#5315` -- Use IPv6 queries in delv +ns. - - `delv +ns` invokes the same code to perform name resolution as - `named`, but it neglected to set up an IPv6 dispatch object first. - Consequently, it was behaving more like `named -4`. It now sets up - dispatch objects for both address families, and performs resolver - queries to both v4 and v6 addresses, except when one of the address - families has been suppressed by using `delv -4` or `delv -6`. - :gl:`#5352` - +- Use IPv6 queries in :option:`delv +ns`. + :option:`delv +ns` invokes the same code to perform name resolution as + :iscman:`named`, but it neglected to set up an IPv6 dispatch object + first. Consequently, it was behaving more like :option:`named -4`. It + now sets up dispatch objects for both address families, and performs + resolver queries to both IPv4 and IPv6 addresses, except when one of + the address families has been suppressed by using :option:`delv -4` or + :option:`delv -6`. :gl:`#5352` From 405938597fd6fb1a71e3fa3d362f4e1b15a69dae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 4/4] Add release note for GL !8989 --- doc/notes/notes-9.21.10.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/notes/notes-9.21.10.rst b/doc/notes/notes-9.21.10.rst index d2912c8dfd..3c11adcc96 100644 --- a/doc/notes/notes-9.21.10.rst +++ b/doc/notes/notes-9.21.10.rst @@ -49,6 +49,14 @@ New Features messages and adding an option to set the CO flag when making queries (:option:`dig +coflag`). :gl:`#5319` +Feature Changes +~~~~~~~~~~~~~~~ + +- The build system was changed to `Meson`_. See :ref:`build_bind` for + revised instructions on building BIND 9 from source. :gl:`!8989` + +.. _Meson: https://mesonbuild.com/ + Bug Fixes ~~~~~~~~~
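Review bot: In the changelog-9.21.10.rst hunk of PATCH 1/4, the final Bug Fixes entry "Various cleanups related to the isc_mem unit. ``f9528b88aea``" carries no description at all, only ":gl:`!10671`"; every other entry in the file explains the change in at least one sentence, so add a line saying what was cleaned up, or drop the entry if it is purely internal. The same hunk has several wording slips worth fixing before release: "Readability is a subjective criteria" should be "criterion", "faster to setup" should be "faster to set up", "negatively indexed arrays that works" should be "that work", and "rdata type header files where modified" should be "were modified". The Meson entry also opens with "This MR replaces the build system with meson", which is GitLab review language rather than changelog language; "This change replaces" reads better in a user-facing document.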
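Review bot: The notes-9.21.10.rst hunk of PATCH 2/4 describes the `interface-interval` fix only as a bug fix, but for operators running with the default it changes the effective interface rescan interval from 60 seconds to 60 minutes, which is a visible behaviour change; the note should say that plainly and add that anyone who relied on the 60-second rescan can keep it by setting `interface-interval` explicitly. The hunk also omits a Feature Changes section entirely even though the matching changelog in PATCH 1/4 has one; the build-system switch is the kind of change release-note readers look for first (PATCH 4/4 later adds it, so the point is only that the two documents should be reviewed side by side).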
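Review bot: The changelog-9.21.10.rst hunk of PATCH 3/4 retitles the entry to "Add support for the CO flag to dig" but leaves the body's first sentence as "Add support to display the CO (Compact Answers OK flag) when displaying messages", so the title now says dig while the body still reads as a generic message-display change; reword the body to match the title as the notes hunk in the same patch does ("This includes showing the CO ... flag when displaying messages and adding an option ... (:option:`dig +coflag`)"). The same patch converts the release notes to the ":cve:`2025-40777`" role and drops the double quotes from the PRIVATEDNS/PRIVATEOID heading, but the changelog still carries "[CVE-2025-40777]" in its heading and the quoted title; applying the same treatment there keeps the two documents consistent.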
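Review bot: In the second notes-9.21.10.rst hunk of PATCH 3/4 (@@ -36,45 +36,42 @@), the rewritten delv entry has no blank line between "- Use IPv6 queries in :option:`delv +ns`." and the indented ":option:`delv +ns` invokes the same code..." line; in reStructuredText the indented line then continues the bullet's first paragraph, so the heading and body will render as one run-on paragraph, unlike every other entry in the file. Insert the missing "+" blank line. In the same hunk, "The documentation also incorrectly states that the value is in minutes. That has been fixed." is ambiguous about what was wrong, since the corrected default is in fact 60 minutes; past tense ("incorrectly stated") and a clause saying the documentation now gives the value as a duration would make the fix clear.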
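Review bot: The notes-9.21.10.rst hunk of PATCH 4/4 references ":ref:`build_bind`", so confirm that label exists in the ARM, otherwise Sphinx will emit an unresolved-reference warning and the release note will render without the link. The changelog entry this note summarizes describes Meson as replacing the automake/autoconf build; if the old `configure`-based build is indeed no longer available, say so in this one-sentence note, because packagers and anyone building from source will need to know that before reading the revised instructions.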