author Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-27 07:24:22 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-27 07:24:22 +0000
commit 45d6379135504814ab723b57f0eb8be23393a51d
tree d4f2ec4acca824a8446387a758b0ce4238a4dffa /doc/notes
parent Initial commit.
download bind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz
download bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip
Adding upstream version 1:9.16.44. (upstream/1%9.16.44)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/notes')
-rw-r--r-- doc/notes/notes-9.16.0.rst 152
-rw-r--r-- doc/notes/notes-9.16.1.rst 48
-rw-r--r-- doc/notes/notes-9.16.10.rst 58
-rw-r--r-- doc/notes/notes-9.16.11.rst 74
-rw-r--r-- doc/notes/notes-9.16.12.rst 123
-rw-r--r-- doc/notes/notes-9.16.13.rst 79
-rw-r--r-- doc/notes/notes-9.16.14.rst 19
-rw-r--r-- doc/notes/notes-9.16.15.rst 112
-rw-r--r-- doc/notes/notes-9.16.16.rst 76
-rw-r--r-- doc/notes/notes-9.16.17.rst 67
-rw-r--r-- doc/notes/notes-9.16.18.rst 33
-rw-r--r-- doc/notes/notes-9.16.19.rst 68
-rw-r--r-- doc/notes/notes-9.16.2.rst 59
-rw-r--r-- doc/notes/notes-9.16.20.rst 57
-rw-r--r-- doc/notes/notes-9.16.21.rst 68
-rw-r--r-- doc/notes/notes-9.16.22.rst 86
-rw-r--r-- doc/notes/notes-9.16.23.rst 27
-rw-r--r-- doc/notes/notes-9.16.24.rst 43
-rw-r--r-- doc/notes/notes-9.16.25.rst 48
-rw-r--r-- doc/notes/notes-9.16.26.rst 46
-rw-r--r-- doc/notes/notes-9.16.27.rst 65
-rw-r--r-- doc/notes/notes-9.16.28.rst 40
-rw-r--r-- doc/notes/notes-9.16.29.rst 27
-rw-r--r-- doc/notes/notes-9.16.3.rst 95
-rw-r--r-- doc/notes/notes-9.16.30.rst 37
-rw-r--r-- doc/notes/notes-9.16.31.rst 31
-rw-r--r-- doc/notes/notes-9.16.32.rst 56
-rw-r--r-- doc/notes/notes-9.16.33.rst 68
-rw-r--r-- doc/notes/notes-9.16.34.rst 46
-rw-r--r-- doc/notes/notes-9.16.35.rst 56
-rw-r--r-- doc/notes/notes-9.16.36.rst 49
-rw-r--r-- doc/notes/notes-9.16.37.rst 80
-rw-r--r-- doc/notes/notes-9.16.38.rst 33
-rw-r--r-- doc/notes/notes-9.16.39.rst 60
-rw-r--r-- doc/notes/notes-9.16.4.rst 120
-rw-r--r-- doc/notes/notes-9.16.40.rst 32
-rw-r--r-- doc/notes/notes-9.16.41.rst 27
-rw-r--r-- doc/notes/notes-9.16.42.rst 45
-rw-r--r-- doc/notes/notes-9.16.43.rst 27
-rw-r--r-- doc/notes/notes-9.16.44.rst 31
-rw-r--r-- doc/notes/notes-9.16.5.rst 72
-rw-r--r-- doc/notes/notes-9.16.6.rst 121
-rw-r--r-- doc/notes/notes-9.16.7.rst 63
-rw-r--r-- doc/notes/notes-9.16.8.rst 63
-rw-r--r-- doc/notes/notes-9.16.9.rst 50
-rw-r--r-- doc/notes/notes-known-issues.rst 46
46 files changed, 2783 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.0.rst b/doc/notes/notes-9.16.0.rst
new file mode 100644
index 0000000..1b4e92f
--- /dev/null
+++ b/doc/notes/notes-9.16.0.rst
@@ -0,0 +1,152 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.0
+---------------------
+
+.. note::
+
+ This section only lists changes from BIND 9.14 (the previous
+ stable branch of BIND).
+
+New Features
+~~~~~~~~~~~~
+
+- A new asynchronous network communications system based on ``libuv``
+ is now used by ``named`` for listening for incoming requests and
+ responding to them. This change will make it easier to improve
+ performance and implement new protocol layers (for example, DNS over
+ TLS) in the future. :gl:`#29`
+
+- The new ``dnssec-policy`` option allows the configuration of a key
+ and signing policy (KASP) for zones. This option enables ``named`` to
+ generate new keys as needed and automatically roll both ZSK and KSK
+ keys. (Note that the syntax for this statement differs from the
+ DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134`
+
+- In order to clarify the configuration of DNSSEC keys, the
+ ``trusted-keys`` and ``managed-keys`` statements have been
+ deprecated, and the new ``trust-anchors`` statement should now be
+ used for both types of key.
+
+ When used with the keyword ``initial-key``, ``trust-anchors`` has the
+ same behavior as ``managed-keys``, i.e., it configures a trust anchor
+ that is to be maintained via :rfc:`5011`.
+
+ When used with the new keyword ``static-key``, ``trust-anchors`` has
+ the same behavior as ``trusted-keys``, i.e., it configures a
+ permanent trust anchor that will not automatically be updated. (This
+ usage is not recommended for the root key.) :gl:`#6`
+
+- Two new keywords have been added to the ``trust-anchors`` statement:
+ ``initial-ds`` and ``static-ds``. These allow the use of trust
+ anchors in DS format instead of DNSKEY format. DS format allows trust
+ anchors to be configured for keys that have not yet been published;
+ this is the format used by IANA when announcing future root keys.
+
+ As with the ``initial-key`` and ``static-key`` keywords,
+ ``initial-ds`` configures a dynamic trust anchor to be maintained via
+ :rfc:`5011`, and ``static-ds`` configures a permanent trust anchor.
+ :gl:`#6` :gl:`#622`
+
+- ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to
+ print output in a detailed YAML format. :gl:`#1145`
+
+- ``dig`` now has a new command line option: ``+[no]unexpected``. By
+ default, ``dig`` won't accept a reply from a source other than the
+ one to which it sent the query. Add the ``+unexpected`` argument to
+ enable it to process replies from unexpected sources. [RT #44978]
+
+- ``dig`` now accepts a new command line option, ``+[no]expandaaaa``,
+ which causes the IPv6 addresses in AAAA records to be printed in full
+ 128-bit notation rather than the default :rfc:`5952` format.
+ :gl:`#765`
+
+- Statistics channel groups can now be toggled. :gl:`#1030`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When static and managed DNSSEC keys were both configured for the same
+ name, or when a static key was used to configure a trust anchor for
+ the root zone and ``dnssec-validation`` was set to the default value
+ of ``auto``, automatic :rfc:`5011` key rollovers would be disabled.
+ This combination of settings was never intended to work, but there
+ was no check for it in the parser. This has been corrected, and it is
+ now a fatal configuration error. :gl:`#868`
+
+- DS and CDS records are now generated with SHA-256 digests only,
+ instead of both SHA-1 and SHA-256. This affects the default output of
+ ``dnssec-dsfromkey``, the ``dsset`` files generated by
+ ``dnssec-signzone``, the DS records added to a zone by
+ ``dnssec-signzone`` based on ``keyset`` files, the CDS records added
+ to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing
+ parameters in key files, and the checks performed by
+ ``dnssec-checkds``. :gl:`#1015`
+
+- ``named`` will now log a warning if a static key is configured for
+ the root zone. :gl:`#6`
+
+- A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added
+ and made default. Old non-default HMAC-SHA based DNS Cookie
+ algorithms have been removed, and only the default AES algorithm is
+ being kept for legacy reasons. This change has no operational impact
+ in most common scenarios. :gl:`#605`
+
+ If you are running multiple DNS servers (different versions of BIND 9
+ or DNS servers from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), make sure that all the
+ servers are configured with the same DNS Cookie algorithm and same
+ Server Secret for the best performance.
+
+- The information from the ``dnssec-signzone`` and ``dnssec-verify``
+ commands is now printed to standard output. The standard error output
+ is only used to print warnings and errors, and in case the user
+ requests the signed zone to be printed to standard output with the
+ ``-f -`` option. A new configuration option ``-q`` has been added to
+ silence all output on standard output except for the name of the
+ signed zone. :gl:`#1151`
+
+- The DNSSEC validation code has been refactored for clarity and to
+ reduce code duplication. :gl:`#622`
+
+- Compile-time settings enabled by the ``--with-tuning=large`` option
+ for ``configure`` are now in effect by default. Previously used
+ default compile-time settings can be enabled by passing
+ ``--with-tuning=small`` to ``configure``. :gl:`!2989`
+
+- JSON-C is now the only supported library for enabling JSON support
+ for BIND statistics. The ``configure`` option has been renamed from
+ ``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH``
+ environment variable accordingly to specify a custom path to the
+ ``json-c`` library, as the new ``configure`` option does not take the
+ library installation path as an optional argument. :gl:`#855`
+
+- ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or
+ ``--localstatedir`` to ``/var`` when ``--prefix`` is not specified
+ and the aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
+ respected. :gl:`#658`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- The ``dnssec-enable`` option has been obsoleted and no longer has any
+ effect. DNSSEC responses are always enabled if signatures and other
+ DNSSEC data are present. :gl:`#866`
+
+- DNSSEC Lookaside Validation (DLV) is now obsolete. The
+ ``dnssec-lookaside`` option has been marked as deprecated; when used
+ in ``named.conf``, it will generate a warning but will otherwise be
+ ignored. All code enabling the use of lookaside validation has been
+ removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7`
+
+- The ``cleaning-interval`` option has been removed. :gl:`!1731`
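Review bot: the DNS Cookie entry in this file contradicts itself: it first says the SipHash 2-4 algorithm "has been added and made default", then says "only the default AES algorithm is being kept for legacy reasons". Change the second sentence to "the previously default AES algorithm" so readers do not conclude AES is still the default. Two smaller points in the same file: the ``+[no]unexpected`` entry should spell out that ``+unexpected`` turns off the source check the preceding sentence describes, so ``dig`` then processes a reply from any host, and that entry is the only one cited as ``[RT #44978]`` while every other entry uses the ``:gl:`` role, so either convert the reference or note that it has no GitLab issue. The ``dnssec-signzone`` entry also calls ``-q`` a "new configuration option" when, like ``-f -`` beside it, it is a command-line option.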
diff --git a/doc/notes/notes-9.16.1.rst b/doc/notes/notes-9.16.1.rst
new file mode 100644
index 0000000..ac3668b
--- /dev/null
+++ b/doc/notes/notes-9.16.1.rst
@@ -0,0 +1,48 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.1
+---------------------
+
+Known Issues
+~~~~~~~~~~~~
+
+- UDP network ports used for listening can no longer simultaneously be
+ used for sending traffic. An example configuration which triggers
+ this issue would be one which uses the same address:port pair for
+ ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or
+ ``transfer-source(-v6)``. While this issue affects all operating
+ systems, it only triggers log messages (e.g. "unable to create
+ dispatch for reserved port") on some of them. There are currently no
+ plans to make such a combination of settings work again.
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The system-provided POSIX Threads read-write lock implementation is
+ now used by default instead of the native BIND 9 implementation.
+ Please be aware that glibc versions 2.26 through 2.29 had a
+ `bug <https://sourceware.org/bugzilla/show_bug.cgi?id=23844>`__ that
+ could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and
+ most current Linux distributions have patched or updated glibc, with
+ the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+ progress. If you are running on an affected operating system, compile
+ BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
+ glibc is available. :gl:`!3125`
+
+Bug Fixes
+~~~~~~~~~
+
+- Fixed re-signing issues with inline zones which resulted in records
+ being re-signed late or not at all.
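Review bot: the Known Issues entry says the listen-on/notify-source port conflict "only triggers log messages ... on some" operating systems but never says what the operator sees on the others; since the same entry says there are no plans to fix it, state the observable symptom on the silent platforms (traffic that should leave from that source address is not sent) so the misconfiguration can be detected without the log line. Also, the Bug Fixes entry on inline-zone re-signing is the only item in the file without a ``:gl:`` reference; add one, and say what "not re-signed at all" means for the zone's existing signatures, because that is what an operator needs in order to judge how urgently to upgrade.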
diff --git a/doc/notes/notes-9.16.10.rst b/doc/notes/notes-9.16.10.rst
new file mode 100644
index 0000000..782011a
--- /dev/null
+++ b/doc/notes/notes-9.16.10.rst
@@ -0,0 +1,58 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.10
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- NSEC3 support was added to KASP. A new option for ``dnssec-policy``,
+ ``nsec3param``, can be used to set the desired NSEC3 parameters.
+ NSEC3 salt collisions are automatically prevented during resalting.
+ :gl:`#1620`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The default value of ``max-recursion-queries`` was increased from 75
+ to 100. Since the queries sent towards root and TLD servers are now
+ included in the count (as a result of the fix for CVE-2020-8616),
+ ``max-recursion-queries`` has a higher chance of being exceeded by
+ non-attack queries, which is the main reason for increasing its
+ default value. :gl:`#2305`
+
+- The default value of ``nocookie-udp-size`` was restored back to 4096
+ bytes. Since ``max-udp-size`` is the upper bound for
+ ``nocookie-udp-size``, this change relieves the operator from having
+ to change ``nocookie-udp-size`` together with ``max-udp-size`` in
+ order to increase the default EDNS buffer size limit.
+ ``nocookie-udp-size`` can still be set to a value lower than
+ ``max-udp-size``, if desired. :gl:`#2250`
+
+Bug Fixes
+~~~~~~~~~
+
+- Handling of missing DNS COOKIE responses over UDP was tightened by
+ falling back to TCP. :gl:`#2275`
+
+- The CNAME synthesized from a DNAME was incorrectly followed when the
+ QTYPE was CNAME or ANY. :gl:`#2280`
+
+- Building with native PKCS#11 support for AEP Keyper has been broken
+ since BIND 9.16.6. This has been fixed. :gl:`#2315`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
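Review bot: the ``nocookie-udp-size`` entry explains why the default was restored to 4096 bytes (so that raising ``max-udp-size`` alone raises the EDNS limit) but never says what the option limits in the first place, even though its last sentence ("can still be set to a value lower than ``max-udp-size``, if desired") implies there is a reason to do so; say what a lower value protects against, so an operator can decide whether "if desired" applies to them. Minor: the ``max-recursion-queries`` entry refers to "the fix for CVE-2020-8616" without saying which release carried it; add the release so the counter change can be correlated with the behaviour change.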
diff --git a/doc/notes/notes-9.16.11.rst b/doc/notes/notes-9.16.11.rst
new file mode 100644
index 0000000..70a6658
--- /dev/null
+++ b/doc/notes/notes-9.16.11.rst
@@ -0,0 +1,74 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.11
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The new networking code introduced in BIND 9.16 (netmgr) was
+ overhauled in order to make it more stable, testable, and
+ maintainable. :gl:`#2321`
+
+- Earlier releases of BIND versions 9.16 and newer required the
+ operating system to support load-balanced sockets in order for
+ ``named`` to be able to achieve high performance (by distributing
+ incoming queries among multiple threads). However, the only operating
+ systems currently known to support load-balanced sockets are Linux and
+ FreeBSD 12, which means both UDP and TCP performance were limited to a
+ single thread on other systems. As of BIND 9.16.11, ``named`` attempts
+ to distribute incoming queries among multiple threads on systems which
+ lack support for load-balanced sockets (except Windows). :gl:`#2137`
+
+- It is now possible to transition a zone from secure to insecure mode
+ without making it bogus in the process; changing to ``dnssec-policy
+ none;`` also causes CDS and CDNSKEY DELETE records to be published, to
+ signal that the entire DS RRset at the parent must be removed, as
+ described in :rfc:`8078`. :gl:`#1750`
+
+- When using the ``unixtime`` or ``date`` method to update the SOA
+ serial number, ``named`` and ``dnssec-signzone`` silently fell back to
+ the ``increment`` method to prevent the new serial number from being
+ smaller than the old serial number (using serial number arithmetics).
+ ``dnssec-signzone`` now prints a warning message, and ``named`` logs a
+ warning, when such a fallback happens. :gl:`#2058`
+
+Bug Fixes
+~~~~~~~~~
+
+- Multiple threads could attempt to destroy a single RBTDB instance at
+ the same time, resulting in an unpredictable but low-probability
+ assertion failure in ``free_rbtdb()``. This has been fixed.
+ :gl:`#2317`
+
+- ``named`` no longer attempts to assign threads to CPUs outside the CPU
+ affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245`
+
+- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
+ off DNSSEC maintenance. This has been fixed. :gl:`#2341`
+
+- The report of intermittent BIND assertion failures triggered in
+ ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
+ without further action. Our initial response to this was to add
+ diagnostic logging instead of terminating ``named``, anticipating that
+ we would receive further useful troubleshooting input. This workaround
+ first appeared in BIND releases 9.17.5 and 9.16.7. However, since
+ those releases were published, there have been no new reports of
+ assertion failures matching this issue, but also no further diagnostic
+ input, so we have closed the issue. :gl:`#2091`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
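Review bot: the secure-to-insecure entry tells operators to change to ``dnssec-policy none;`` to get the CDS and CDNSKEY DELETE records published, but notes-9.16.16.rst in this same patch says the policy must now be changed to ``insecure`` "rather than ``none``". These files are built into one document (every file cross-references the shared known-issues section), so add a pointer here to the 9.16.16 change; otherwise someone reading the 9.16.11 entry follows the superseded instruction. Separately, the load-balanced-socket entry should say what "attempts to distribute incoming queries among multiple threads" delivers: as written a reader cannot tell whether systems other than Linux and FreeBSD 12 now get the same multi-thread behaviour or a best-effort approximation.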
diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst
new file mode 100644
index 0000000..d236f5e
--- /dev/null
+++ b/doc/notes/notes-9.16.12.rst
@@ -0,0 +1,123 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.12
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was
+ configured, a specially crafted GSS-TSIG query could cause a buffer
+ overflow in the ISC implementation of SPNEGO (a protocol enabling
+ negotiation of the security mechanism to use for GSSAPI
+ authentication). This flaw could be exploited to crash ``named``.
+ Theoretically, it also enabled remote code execution, but achieving
+ the latter is very difficult in real-world conditions.
+ (CVE-2020-8625)
+
+ This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+ Trend Micro Zero Day Initiative. :gl:`#2354`
+
+New Features
+~~~~~~~~~~~~
+
+- When a secondary server receives a large incremental zone transfer
+ (IXFR), it can have a negative impact on query performance while the
+ incremental changes are applied to the zone. To address this,
+ ``named`` can now limit the size of IXFR responses it sends in
+ response to zone transfer requests. If an IXFR response would be
+ larger than an AXFR of the entire zone, it will send an AXFR response
+ instead.
+
+ This behavior is controlled by the ``max-ixfr-ratio`` option - a
+ percentage value representing the ratio of IXFR size to the size of a
+ full zone transfer. The default is ``100%``. :gl:`#1515`
+
+- A new option, ``stale-answer-client-timeout``, has been added to
+ improve ``named``'s behavior with respect to serving stale data. The
+ option defines the amount of time ``named`` waits before attempting to
+ answer the query with a stale RRset from cache. If a stale answer is
+ found, ``named`` continues the ongoing fetches, attempting to refresh
+ the RRset in cache until the ``resolver-query-timeout`` interval is
+ reached.
+
+ The default value is ``1800`` (in milliseconds) and the maximum value
+ is limited to ``resolver-query-timeout`` minus one second. A value of
+ ``0`` causes any available cached RRset to immediately be returned
+ while still triggering a refresh of the data in cache.
+
+ This new behavior can be disabled by setting
+ ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
+ option has no effect if ``stale-answer-enable`` is disabled.
+ :gl:`#2247`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- As part of an ongoing effort to use :rfc:`8499` terminology,
+ ``primaries`` can now be used as a synonym for ``masters`` in
+ ``named.conf``. Similarly, ``notify primary-only`` can now be used as
+ a synonym for ``notify master-only``. The output of ``rndc
+ zonestatus`` now uses ``primary`` and ``secondary`` terminology.
+ :gl:`#1948`
+
+- The default value of ``max-stale-ttl`` has been changed from 12 hours
+ to 1 day and the default value of ``stale-answer-ttl`` has been
+ changed from 1 second to 30 seconds, following :rfc:`8767`
+ recommendations. :gl:`#2248`
+
+- The SONAMEs for BIND 9 libraries now include the current BIND 9
+ version number, in an effort to tightly couple internal libraries with
+ a specific release. This change makes the BIND 9 release process both
+ simpler and more consistent while also unequivocally preventing BIND 9
+ binaries from silently loading wrong versions of shared libraries (or
+ multiple versions of the same shared library) at startup. :gl:`#2387`
+
+- When ``check-names`` is in effect, A records below an ``_spf``,
+ ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
+ ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
+ D.1) are no longer reported as warnings/errors. :gl:`#2377`
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` failed to start when its configuration included a zone with
+ a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
+
+- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
+ key. This has been fixed. :gl:`#2178`
+
+- KASP incorrectly set signature validity to the value of the DNSKEY
+ signature validity. This has been fixed. :gl:`#2383`
+
+- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
+ and/or ``Delete`` timing metadata to be possible active keys. This has
+ been fixed. :gl:`#2406`
+
+- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
+ faster than the time required to finish the rollover procedure, the
+ successor relation equation failed because it assumed only two keys
+ were taking part in a rollover. This could lead to premature removal
+ of predecessor keys. BIND 9 now implements a recursive successor
+ relation, as described in the paper "Flexible and Robust Key Rollover"
+ (Equation (2)). :gl:`#2375`
+
+- Performance of the DNSSEC verification code (used by
+ ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
+ improved. :gl:`#2073`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
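Review bot: the CVE-2020-8625 entry names the precondition (``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` configured) but leaves the reader to infer the mitigation; since the entry implies that servers with neither option are unaffected, say so explicitly and state that removing them is the workaround where upgrading is delayed. The "very difficult in real-world conditions" remark about code execution should also be read against CVE-2021-25216 in notes-9.16.15.rst of this same patch, which concerns the same SPNEGO code under the same precondition and reports code execution on 32-bit builds; a forward reference would stop readers treating this entry as the final word. Two defaults introduced here are changed again later in the patch, ``max-ixfr-ratio`` (``100%`` here, ``unlimited`` in notes-9.16.16.rst) and ``stale-answer-client-timeout`` (``1800`` here, ``off`` in notes-9.16.15.rst), and cross-references in both directions would help. Finally, the "three is a crowd" entry cites the paper "Flexible and Robust Key Rollover" with no authors or venue.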
diff --git a/doc/notes/notes-9.16.13.rst b/doc/notes/notes-9.16.13.rst
new file mode 100644
index 0000000..d7650ee
--- /dev/null
+++ b/doc/notes/notes-9.16.13.rst
@@ -0,0 +1,79 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.13
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- A new ``purge-keys`` option has been added to ``dnssec-policy``. It
+ sets the period of time that key files are retained after becoming
+ obsolete due to a key rollover; the default is 90 days. This feature
+ can be disabled by setting ``purge-keys`` to 0. :gl:`#2408`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When serve-stale is enabled and stale data is available, ``named`` now
+ returns stale answers upon encountering any unexpected error in the
+ query resolution process. This may happen, for example, if the
+ ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
+ this case, ``named`` attempts to answer DNS requests with stale data,
+ but does not start the ``stale-refresh-time`` window. :gl:`#2434`
+
+Bug Fixes
+~~~~~~~~~
+
+- Zone journal (``.jnl``) files created by versions of ``named`` prior
+ to 9.16.12 were no longer compatible; this could cause problems when
+ upgrading if journal files were not synchronized first. This has been
+ corrected: older journal files can now be read when starting up. When
+ an old-style journal file is detected, it is updated to the new format
+ immediately after loading.
+
+ Note that journals created by the current version of ``named`` are not
+ usable by versions prior to 9.16.12. Before downgrading to a prior
+ release, users are advised to ensure that all dynamic zones have been
+ synchronized using ``rndc sync -clean``.
+
+ A journal file's format can be changed manually by running
+ ``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
+ (upgrade). Note that this *must not* be done while ``named`` is
+ running. :gl:`#2505`
+
+- ``named`` crashed when it was allowed to serve stale answers and
+ ``stale-answer-client-timeout`` was triggered without any (stale) data
+ available in the cache to answer the query. :gl:`#2503`
+
+- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
+ instead of sending back a proper response. To prevent this problem,
+ the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
+ been happening since BIND 9.16.11. :gl:`#2466`
+
+- NSEC3 records were not immediately created when signing a dynamic zone
+ using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
+ :gl:`#2498`
+
+- A memory leak occurred when ``named`` was reconfigured after adding an
+ inline-signed zone with ``auto-dnssec maintain`` enabled. This has
+ been fixed. :gl:`#2041`
+
+- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
+ a LOC record resulted in an INSIST failure when a zone file containing
+ such a record was loaded. :gl:`#2499`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
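Review bot: the journal-compatibility entry states that older journal files "can now be read when starting up" and are converted "immediately after loading", but notes-9.16.15.rst in this same patch reports two defects in exactly that path: zone files rewritten with loss of comments and ``$INCLUDE`` directives when journals from 9.16.11 or earlier were loaded by 9.16.13 or 9.16.14, and corrupt ``managed-keys.bind.jnl`` files after upgrading to 9.16.13. Add a caution here pointing at those entries so operators on this release do not assume the upgrade path is clean. Also, the ``IP_DONTFRAG`` entry states the change (the option is no longer set on UDP sockets) but not what changes on the wire once the don't-fragment flag is off, namely that oversized packets can now be fragmented in transit rather than dropped; that is the trade-off the fix makes and deserves a sentence.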
diff --git a/doc/notes/notes-9.16.14.rst b/doc/notes/notes-9.16.14.rst
new file mode 100644
index 0000000..237bf28
--- /dev/null
+++ b/doc/notes/notes-9.16.14.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.14
+----------------------
+
+.. note::
+
+ The BIND 9.16.14 release was withdrawn after a backporting bug was
+ discovered during pre-release testing. ISC would like to acknowledge
+ the assistance of Natan Segal of Bluecat Networks.
diff --git a/doc/notes/notes-9.16.15.rst b/doc/notes/notes-9.16.15.rst
new file mode 100644
index 0000000..0cc0f49
--- /dev/null
+++ b/doc/notes/notes-9.16.15.rst
@@ -0,0 +1,112 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.15
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- A malformed incoming IXFR transfer could trigger an assertion failure
+ in ``named``, causing it to quit abnormally. (CVE-2021-25214)
+
+ ISC would like to thank Greg Kuechle of SaskTel for bringing this
+ vulnerability to our attention. :gl:`#2467`
+
+- ``named`` crashed when a DNAME record placed in the ANSWER section
+ during DNAME chasing turned out to be the final answer to a client
+ query. (CVE-2021-25215)
+
+ ISC would like to thank `Siva Kakarla`_ for bringing this
+ vulnerability to our attention. :gl:`#2540`
+
+.. _Siva Kakarla: https://github.com/sivakesava1
+
+- When a server's configuration set the ``tkey-gssapi-keytab`` or
+ ``tkey-gssapi-credential`` option, a specially crafted GSS-TSIG query
+ could cause a buffer overflow in the ISC implementation of SPNEGO (a
+ protocol enabling negotiation of the security mechanism used for
+ GSSAPI authentication). This flaw could be exploited to crash
+ ``named`` binaries compiled for 64-bit platforms, and could enable
+ remote code execution when ``named`` was compiled for 32-bit
+ platforms. (CVE-2021-25216)
+
+ This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
+ Zero Day Initiative. :gl:`#2604`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ISC implementation of SPNEGO was removed from BIND 9 source code.
+ Instead, BIND 9 now always uses the SPNEGO implementation provided by
+ the system GSSAPI library when it is built with GSSAPI support. All
+ major contemporary Kerberos/GSSAPI libraries contain an implementation
+ of the SPNEGO mechanism. :gl:`#2607`
+
+- The default value for the ``stale-answer-client-timeout`` option was
+ changed from ``1800`` (ms) to ``off``. The default value may be
+ changed again in future releases as this feature matures. :gl:`#2608`
+
+Bug Fixes
+~~~~~~~~~
+
+- TCP idle and initial timeouts were being incorrectly applied: only the
+ ``tcp-initial-timeout`` was applied on the whole connection, even if
+ the connection were still active, which could prevent a large zone
+ transfer from being sent back to the client. The default setting for
+ ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
+ connection taking more than 30 seconds was abruptly terminated. This
+ has been fixed. :gl:`#2583`
+
+- When ``stale-answer-client-timeout`` was set to a positive value and
+ recursion for a client query completed when ``named`` was about to
+ look for a stale answer, an assertion could fail in
+ ``query_respond()``, resulting in a crash. This has been fixed.
+ :gl:`#2594`
+
+- If zone journal files written by BIND 9.16.11 or earlier were present
+ when BIND was upgraded to BIND 9.16.13 or BIND 9.16.14, the zone file
+ for that zone could have been inadvertently rewritten with the current
+ zone contents. This caused the original zone file structure (e.g.
+ comments, ``$INCLUDE`` directives) to be lost, although the zone data
+ itself was preserved. :gl:`#2623`
+
+- After upgrading to BIND 9.16.13, journal files for trust anchor
+ databases (e.g. ``managed-keys.bind.jnl``) could be left in a corrupt
+ state. (Other zone journal files were not affected.) This has been
+ fixed. If a corrupt journal file is detected, ``named`` can now
+ recover from it. :gl:`#2600`
+
+- When sending queries over TCP, ``dig`` now properly handles ``+tries=1
+ +retry=0`` by not retrying the connection when the remote server
+ closes the connection prematurely. :gl:`#2490`
+
+- CDS/CDNSKEY DELETE records are now removed when a zone transitions
+ from a secure to an insecure state. ``named-checkzone`` also no longer
+ reports an error when such records are found in an unsigned zone.
+ :gl:`#2517`
+
+- Zones using KASP could not be thawed after they were frozen using
+ ``rndc freeze``. This has been fixed. :gl:`#2523`
+
+- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
+ ``named`` now immediately attempts to reconfigure zone keys. This
+ change prevents unnecessary key rollover delays. :gl:`#2488`
+
+- Previously, a memory leak could occur when ``named`` failed to bind a
+ UDP socket to a network interface. This has been fixed. :gl:`#2575`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
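Review bot: the #2623 entry (zone file rewritten when pre-9.16.12 journal files were present) is the only bug-fix item in this file that never says whether the problem is resolved; every neighbouring entry closes with "This has been fixed.", so add that sentence, or state the workaround if the rewrite cannot be undone for zones already affected. In the #2583 entry, "even if the connection were still active" should read "even if the connection was still active".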
diff --git a/doc/notes/notes-9.16.16.rst b/doc/notes/notes-9.16.16.rst
new file mode 100644
index 0000000..721546c
--- /dev/null
+++ b/doc/notes/notes-9.16.16.rst
@@ -0,0 +1,76 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.16
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DNSSEC responses containing NSEC3 records with iteration counts
+ greater than 150 are now treated as insecure. :gl:`#2445`
+
+- The maximum supported number of NSEC3 iterations that can be
+ configured for a zone has been reduced to 150. :gl:`#2642`
+
+- The default value of the ``max-ixfr-ratio`` option was changed to
+ ``unlimited``, for better backwards compatibility in the stable
+ release series. :gl:`#2671`
+
+- Zones that want to transition from secure to insecure mode without
+ becoming bogus in the process must now have their ``dnssec-policy``
+ changed first to ``insecure``, rather than ``none``. After the DNSSEC
+ records have been removed from the zone, the ``dnssec-policy`` can be
+ set to ``none`` or removed from the configuration. Setting the
+ ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
+ records to be published. :gl:`#2645`
+
+- The implementation of the ZONEMD RR type has been updated to match
+ :rfc:`8976`. :gl:`#2658`
+
+- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
+ NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
+ or the SOA TTL. :gl:`#2347`
+
+Bug Fixes
+~~~~~~~~~
+
+- It was possible for corrupt journal files generated by an earlier
+ version of ``named`` to cause problems after an upgrade. This has been
+ fixed. :gl:`#2670`
+
+- TTL values in cache dumps were reported incorrectly when
+ ``stale-cache-enable`` was set to ``yes``. This has been fixed.
+ :gl:`#389` :gl:`#2289`
+
+- A deadlock could occur when multiple ``rndc addzone``, ``rndc
+ delzone``, and/or ``rndc modzone`` commands were invoked
+ simultaneously for different zones. This has been fixed. :gl:`#2626`
+
+- ``named`` and ``named-checkconf`` did not report an error when
+ multiple zones with the ``dnssec-policy`` option set were using the
+ same zone file. This has been fixed. :gl:`#2603`
+
+- If ``dnssec-policy`` was active and a private key file was temporarily
+ offline during a rekey event, ``named`` could incorrectly introduce
+ replacement keys and break a signed zone. This has been fixed.
+ :gl:`#2596`
+
+- When generating zone signing keys, KASP now also checks for key ID
+ conflicts among newly created keys, rather than just between new and
+ existing ones. :gl:`#2628`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
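Review bot: in the #2347 entry, "the minimum of the SOA MINIMUM value or the SOA TTL" is ambiguous; "the minimum of the SOA MINIMUM field and the SOA TTL" makes clear that the two values are compared and the smaller is used. The two NSEC3 entries (#2445 treating responses with more than 150 iterations as insecure, #2642 capping the configurable iteration count at 150) would also read better with a phrase saying that the first applies when validating responses and the second when configuring a zone, so they are not mistaken for a duplicate entry.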
diff --git a/doc/notes/notes-9.16.17.rst b/doc/notes/notes-9.16.17.rst
new file mode 100644
index 0000000..9f2bd7a
--- /dev/null
+++ b/doc/notes/notes-9.16.17.rst
@@ -0,0 +1,67 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.17
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- After the network manager was introduced to ``named`` to handle
+ incoming traffic, it was discovered that recursive performance had
+ degraded compared to previous BIND 9 versions. This has now been
+ fixed by processing internal tasks inside network manager worker
+ threads, preventing resource contention among two sets of threads.
+ :gl:`#2638`
+
+- Zone dumping tasks are now run on separate asynchronous thread pools.
+ This change prevents zone dumping from blocking network I/O.
+ :gl:`#2732`
+
+- ``inline-signing`` was incorrectly described as being inherited from
+ the ``options``/``view`` levels and was incorrectly accepted at those
+ levels without effect. This has been fixed; ``named.conf`` files with
+ ``inline-signing`` at those levels no longer load. :gl:`#2536`
+
+Bug Fixes
+~~~~~~~~~
+
+- The calculation of the estimated IXFR transaction size in
+ ``dns_journal_iter_init()`` was invalid. This resulted in excessive
+ AXFR-style IXFR responses. :gl:`#2685`
+
+- Fixed an assertion failure that could occur if stale data was used to
+ answer a query, and then a prefetch was triggered after the query was
+ restarted (for example, to follow a CNAME). :gl:`#2733`
+
+- If a query was answered with stale data on a server with DNS64
+ enabled, an assertion could occur if a non-stale answer arrived
+ afterward. This has been fixed. :gl:`#2731`
+
+- Fixed an error which caused the ``IP_DONTFRAG`` socket option to be
+ enabled instead of disabled, leading to errors when sending oversized
+ UDP packets. :gl:`#2746`
+
+- Zones which are configured in multiple views, with different values
+ set for ``dnssec-policy`` and with identical values set for
+ ``key-directory``, are now detected and treated as a configuration
+ error. :gl:`#2463`
+
+- A race condition could occur when reading and writing key files for
+ zones using KASP and configured in multiple views. This has been
+ fixed. :gl:`#1875`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
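Review bot: the #2685 entry stops at "This resulted in excessive AXFR-style IXFR responses." without saying the size calculation was corrected; add "This has been fixed." as the surrounding entries do. The #2733 and #2746 entries open with "Fixed an ..." while the rest of the file uses the "... This has been fixed." form; keep one style. The #2746 entry (``IP_DONTFRAG`` enabled instead of disabled) also deserves a cross-reference from the 9.16.19 entry #2790, which changes the fragmentation behaviour of outgoing UDP sockets again, so a reader following the series does not see the behaviour flip without explanation.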
diff --git a/doc/notes/notes-9.16.18.rst b/doc/notes/notes-9.16.18.rst
new file mode 100644
index 0000000..c2ebda8
--- /dev/null
+++ b/doc/notes/notes-9.16.18.rst
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.18
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- When preparing DNS responses, ``named`` could replace the letters
+ ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been
+ fixed. :gl:`#2779`
+
+- The configuration-checking code failed to account for the inheritance
+ rules of the ``key-directory`` option. As a side effect of this flaw,
+ the code detecting ``key-directory`` conflicts for zones using KASP
+ incorrectly reported unique key directories as being reused. This has
+ been fixed. :gl:`#2778`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
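Review bot: the #2779 entry does not say under which conditions ``named`` replaced ``W``/``w`` with ``\000`` (which record types or response paths were affected), which is the first thing an operator checking whether they were hit will want; add a sentence on the trigger if it is known.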
diff --git a/doc/notes/notes-9.16.19.rst b/doc/notes/notes-9.16.19.rst
new file mode 100644
index 0000000..2f964ff
--- /dev/null
+++ b/doc/notes/notes-9.16.19.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.19
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Using a new configuration option, ``parental-agents``, each zone can
+ now be associated with a list of servers that can be used to check the
+ DS RRset in the parent zone. This enables automatic KSK rollovers.
+ :gl:`#1126`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- IP fragmentation has been disabled for outgoing UDP sockets. Errors
+ triggered by sending DNS messages larger than the specified path MTU
+ are properly handled by sending empty DNS replies with the ``TC``
+ (TrunCated) bit set, which forces DNS clients to fall back to TCP.
+ :gl:`#2790`
+
+Bug Fixes
+~~~~~~~~~
+
+- The code managing :rfc:`5011` trust anchors created an invalid
+ placeholder keydata record upon a refresh failure, which prevented the
+ database of managed keys from subsequently being read back. This has
+ been fixed. :gl:`#2686`
+
+- Signed, insecure delegation responses prepared by ``named`` either
+ lacked the necessary NSEC records or contained duplicate NSEC records
+ when both wildcard expansion and CNAME chaining were required to
+ prepare the response. This has been fixed. :gl:`#2759`
+
+- If ``nsupdate`` sends an SOA request and receives a REFUSED response,
+ it now fails over to the next available server. :gl:`#2758`
+
+- A bug that caused the NSEC3 salt to be changed on every restart for
+ zones using KASP has been fixed. :gl:`#2725`
+
+- The configuration-checking code failed to account for the inheritance
+ rules of the ``dnssec-policy`` option. This has been fixed.
+ :gl:`#2780`
+
+- The fix for :gl:`#1875` inadvertently introduced a deadlock: when
+ locking key files for reading and writing, the ``in-view`` logic was
+ not considered. This has been fixed. :gl:`#2783`
+
+- A race condition could occur where two threads were competing for the
+ same set of key file locks, leading to a deadlock. This has been
+ fixed. :gl:`#2786`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
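Review bot: in the #2790 entry, "larger than the specified path MTU" does not say where the MTU is specified (a ``named`` option, the interface MTU, or what the operating system reports); name the source, since the TC fallback only triggers when that limit is exceeded. The same entry should refer to #2746 in the 9.16.17 notes, which adjusted the ``IP_DONTFRAG`` setting of the same sockets two releases earlier.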
diff --git a/doc/notes/notes-9.16.2.rst b/doc/notes/notes-9.16.2.rst
new file mode 100644
index 0000000..ab484a1
--- /dev/null
+++ b/doc/notes/notes-9.16.2.rst
@@ -0,0 +1,59 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.2
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- DNS rebinding protection was ineffective when BIND 9 is configured as
+ a forwarding DNS server. Found and responsibly reported by Tobias
+ Klein. :gl:`#1574`
+
+Known Issues
+~~~~~~~~~~~~
+
+- We have received reports that in some circumstances, receipt of an
+ IXFR can cause the processing of queries to slow significantly. Some
+ of these were related to RPZ processing, which has been fixed in this
+ release (see below). Others appear to occur where there are
+ NSEC3-related changes (such as an operator changing the NSEC3 salt
+ used in the hash calculation). These are being investigated.
+ :gl:`#1685`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The previous DNSSEC sign statistics used lots of memory. The number
+ of keys to track is reduced to four per zone, which should be enough
+ for 99% of all signed zones. :gl:`#1179`
+
+Bug Fixes
+~~~~~~~~~
+
+- When an RPZ policy zone was updated via zone transfer and a large
+ number of records was deleted, ``named`` could become nonresponsive
+ for a short period while deleted names were removed from the RPZ
+ summary database. This database cleanup is now done incrementally
+ over a longer period of time, reducing such delays. :gl:`#1447`
+
+- When trying to migrate an already-signed zone from
+ ``auto-dnssec maintain`` to one based on ``dnssec-policy``, the
+ existing keys were immediately deleted and replaced with new ones. As
+ the key rollover timing constraints were not being followed, it was
+ possible that some clients would not have been able to validate
+ responses until all old DNSSEC information had timed out from caches.
+ BIND now looks at the time metadata of the existing keys and
+ incorporates it into its DNSSEC policy operation. :gl:`#1706`
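Review bot: the section order in this file (Security Fixes, Known Issues, Feature Changes, Bug Fixes) differs from every other notes file in this series, where Known Issues comes last; move it to the end. In the #1574 entry the tenses clash ("was ineffective when BIND 9 is configured"); use "was configured". That entry also does not name the option that provides the rebinding protection or the affected versions, which a security-fix entry should state. The "99% of all signed zones" figure in #1179 has no stated basis; either give one or say "the vast majority of signed zones".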
diff --git a/doc/notes/notes-9.16.20.rst b/doc/notes/notes-9.16.20.rst
new file mode 100644
index 0000000..b1ae9b2
--- /dev/null
+++ b/doc/notes/notes-9.16.20.rst
@@ -0,0 +1,57 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.20
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Fixed an assertion failure that occurred in ``named`` when it
+ attempted to send a UDP packet that exceeded the MTU size, if
+ Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
+
+- ``named`` failed to check the opcode of responses when performing zone
+ refreshes, stub zone updates, and UPDATE forwarding. This could lead
+ to an assertion failure under certain conditions and has been
+ addressed by rejecting responses whose opcode does not match the
+ expected value. :gl:`#2762`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Testing revealed that setting the thread affinity for various types of
+ ``named`` threads led to inconsistent recursive performance, as
+ sometimes multiple sets of threads competed over a single resource.
+
+ Due to the above, ``named`` no longer sets thread affinity. This
+ causes a slight dip of around 5% in authoritative performance, but
+ recursive performance is now consistently improved. :gl:`#2822`
+
+- CDS and CDNSKEY records can now be published in a zone without the
+ requirement that they exactly match an existing DNSKEY record, as long
+ as the zone is signed with an algorithm represented in the CDS or
+ CDNSKEY record. This allows a clean rollover from one DNS provider to
+ another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
+
+Bug Fixes
+~~~~~~~~~
+
+- Authentication of ``rndc`` messages could fail if a ``controls``
+ statement was configured with multiple key algorithms for the same
+ listener. This has been fixed. :gl:`#2756`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
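Review bot: the second Security Fixes entry (#2762, unchecked response opcode) has no CVE or advisory reference, unlike the first; if none was assigned, say so, otherwise add it. In the #2822 entry, "competed over a single resource" should be "competed for a single resource", and the entry should say whether the old thread-affinity behaviour can still be enabled, since operators who relied on pinning will ask.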
diff --git a/doc/notes/notes-9.16.21.rst b/doc/notes/notes-9.16.21.rst
new file mode 100644
index 0000000..b3d5567
--- /dev/null
+++ b/doc/notes/notes-9.16.21.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.21
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Support for HTTPS and SVCB record types has been added. (This does not
+ include ADDITIONAL section processing for these record types, only
+ basic support for RR type parsing and printing.) :gl:`#1132`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When ``dnssec-signzone`` signs a zone using a successor key whose
+ predecessor is still published, it now only refreshes signatures for
+ RRsets which have an invalid signature, an expired signature, or a
+ signature which expires within the provided cycle interval. This
+ allows ``dnssec-signzone`` to gradually replace signatures in a zone
+ whose ZSK is being rolled over (similarly to what ``auto-dnssec
+ maintain;`` does). :gl:`#1551`
+
+Bug Fixes
+~~~~~~~~~
+
+- A recent change to the internal memory structure of zone databases
+ inadvertently neglected to update the MAPAPI value for zone files in
+ ``map`` format. This caused version 9.16.20 of ``named`` to attempt to
+ load files into memory that were no longer compatible, triggering an
+ assertion failure on startup. The MAPAPI value has now been updated,
+ so ``named`` rejects outdated files when encountering them.
+ :gl:`#2872`
+
+- Zone files in ``map`` format whose size exceeded 2 GB failed to load.
+ This has been fixed. :gl:`#2878`
+
+- ``named`` was unable to run as a Windows Service under certain
+ circumstances. This has been fixed. :gl:`#2837`
+
+- Stale data in the cache could cause ``named`` to send non-minimized
+ queries despite QNAME minimization being enabled. This has been fixed.
+ :gl:`#2665`
+
+- When a DNSSEC-signed zone which only has a single signing key
+ available is migrated to ``dnssec-policy``, that key is now treated as
+ a Combined Signing Key (CSK). :gl:`#2857`
+
+- When a dynamic zone was made available in another view using the
+ ``in-view`` statement, running ``rndc freeze`` always reported an
+ ``already frozen`` error even though the zone was successfully
+ frozen. This has been fixed. :gl:`#2844`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
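Review bot: the #2872 entry says ``named`` now rejects ``map`` files with an outdated MAPAPI value but not what an operator should do when that happens (how to regenerate the file); one sentence of recovery guidance belongs here, especially as the 9.16.22 notes (#2882) go on to deprecate the format. In #1551, the parenthetical "(similarly to what ``auto-dnssec maintain;`` does)" carries a stray semicolon inside the literal; drop it or quote the whole statement as a configuration snippet.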
diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst
new file mode 100644
index 0000000..3403ee6
--- /dev/null
+++ b/doc/notes/notes-9.16.22.rst
@@ -0,0 +1,86 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.22
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The ``lame-ttl`` option controls how long ``named`` caches certain
+ types of broken responses from authoritative servers (see the
+ `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
+ details). This caching mechanism could be abused by an attacker to
+ significantly degrade resolver performance. The vulnerability has been
+ mitigated by changing the default value of ``lame-ttl`` to ``0`` and
+ overriding any explicitly set value with ``0``, effectively disabling
+ this mechanism altogether. ISC's testing has determined that doing
+ that has a negligible impact on resolver performance while also
+ preventing abuse. Administrators may observe more traffic towards
+ servers issuing certain types of broken responses than in previous
+ BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
+
+ ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+ bringing this vulnerability to our attention. :gl:`#2899`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has
+ been deprecated in favor of the engine_pkcs11 OpenSSL engine from the
+ `OpenSC`_ project. The ``--with-native-pkcs11`` configuration option
+ will be removed in the next major BIND 9 release. The option to use
+ the engine_pkcs11 OpenSSL engine is already available in BIND 9;
+ please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details.
+ :gl:`#2691`
+
+- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
+ enabled in ``named`` at build time have been marked as deprecated in
+ favor of new-style DLZ modules. Old-style DLZ drivers will be removed
+ in the next major BIND 9 release. :gl:`#2814`
+
+- The ``map`` zone file format has been marked as deprecated and will be
+ removed in the next major BIND 9 release. :gl:`#2882`
+
+- ``named`` and ``named-checkconf`` now exit with an error when a single
+ port configured for ``query-source``, ``transfer-source``,
+ ``notify-source``, ``parental-source``, and/or their respective IPv6
+ counterparts clashes with a global listening port. This configuration
+ has not been supported since BIND 9.16.0, but no error was reported
+ until now (even though sending UDP messages such as NOTIFY failed).
+ :gl:`#2888`
+
+- ``named`` and ``named-checkconf`` now issue a warning when there is a
+ single port configured for ``query-source``, ``transfer-source``,
+ ``notify-source``, ``parental-source``, and/or for their respective
+ IPv6 counterparts. :gl:`#2888`
+
+.. _OpenSC: https://github.com/OpenSC/libp11
+
+Bug Fixes
+~~~~~~~~~
+
+- A recent change introduced in BIND 9.16.21 inadvertently broke
+ backward compatibility for the ``check-names master ...`` and
+ ``check-names slave ...`` options, causing them to be silently
+ ignored. This has been fixed and these options now work properly
+ again. :gl:`#2911`
+
+- When new IP addresses were set up by the operating system during
+ ``named`` startup, it could fail to listen for TCP connections on the
+ newly added interfaces. :gl:`#2852`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
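Review bot: the #2852 entry ("it could fail to listen for TCP connections on the newly added interfaces") never says the problem was fixed; add "This has been fixed." For the CVE-2021-25219 entry, state whether ``named`` logs a warning when an explicitly configured ``lame-ttl`` is overridden with ``0``; operators with ``lame-ttl`` in ``named.conf`` will otherwise not notice that their setting is ignored. The ``.. _OpenSC:`` hyperlink target sits between the Feature Changes and Bug Fixes sections, where it reads as a stray paragraph; place it at the end of the file.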
diff --git a/doc/notes/notes-9.16.23.rst b/doc/notes/notes-9.16.23.rst
new file mode 100644
index 0000000..3f715aa
--- /dev/null
+++ b/doc/notes/notes-9.16.23.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.23
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Reloading a catalog zone which referenced a missing/deleted member
+ zone triggered a runtime check failure, causing ``named`` to exit
+ prematurely. This has been fixed. :gl:`#2308`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.24.rst b/doc/notes/notes-9.16.24.rst
new file mode 100644
index 0000000..eda9a7b
--- /dev/null
+++ b/doc/notes/notes-9.16.24.rst
@@ -0,0 +1,43 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.24
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Previously, when an incoming TCP connection could not be accepted
+ because the client closed the connection early, an error message of
+ ``TCP connection failed: socket is not connected`` was logged. This
+ message has been changed to ``Accepting TCP connection failed: socket
+ is not connected``. The severity level at which this type of message
+ is logged has also been changed from ``error`` to ``info`` for the
+ following triggering events: ``socket is not connected``, ``quota
+ reached``, and ``soft quota reached``. :gl:`#2700`
+
+- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys.
+ :gl:`#853`
+
+Bug Fixes
+~~~~~~~~~
+
+- Removing a configured ``catalog-zone`` clause from the configuration,
+ running ``rndc reconfig``, then bringing back the removed
+ ``catalog-zone`` clause and running ``rndc reconfig`` again caused
+ ``named`` to crash. This has been fixed. :gl:`#1608`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
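Review bot: the #2700 entry changes both the text and the severity of the "TCP connection failed" message, which will silently break log-based alerting keyed on the old string or on ``error`` severity for ``quota reached`` events; add a sentence telling operators to update their log filters. The #853 entry states a behaviour change without a reason; a short "because ..." would help readers judge whether existing DS generation scripts need attention.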
diff --git a/doc/notes/notes-9.16.25.rst b/doc/notes/notes-9.16.25.rst
new file mode 100644
index 0000000..a024a93
--- /dev/null
+++ b/doc/notes/notes-9.16.25.rst
@@ -0,0 +1,48 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.25
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Overall memory use by ``named`` has been optimized and reduced,
+ especially on systems with many CPU cores. The default memory
+ allocator has been switched from ``internal`` to ``external``. A new
+ command-line option ``-M internal`` allows ``named`` to be started
+ with the old internal memory allocator. :gl:`#2398`
+
+Bug Fixes
+~~~~~~~~~
+
+- On FreeBSD, TCP connections leaked a small amount of heap memory,
+ leading to an eventual out-of-memory problem. This has been fixed.
+ :gl:`#3051`
+
+- If signatures created by the ZSK were expired and the ZSK private key
+ was offline, the signatures were not replaced. This behavior has been
+ amended to replace the expired signatures with new signatures created
+ using the KSK. :gl:`#3049`
+
+- Under certain circumstances, the signed version of an inline-signed
+ zone could be dumped to disk without the serial number of the unsigned
+ version of the zone. This prevented resynchronization of the zone
+ contents after ``named`` restarted, if the unsigned zone file was
+ modified while ``named`` was not running. This has been fixed.
+ :gl:`#3071`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
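Review bot: in the #2398 entry, "switched from ``internal`` to ``external``" does not say what the ``external`` allocator is; spell it out, since the entry introduces a new ``-M`` switch whose values operators need to understand. The #3049 entry should say whether the KSK-created signatures are replaced by ZSK signatures once the ZSK private key is back online, otherwise operators cannot tell whether manual intervention is needed after the key returns.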
diff --git a/doc/notes/notes-9.16.26.rst b/doc/notes/notes-9.16.26.rst
new file mode 100644
index 0000000..92ba18d
--- /dev/null
+++ b/doc/notes/notes-9.16.26.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.26
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
+ by a client are now included in the client information sent to DLZ
+ modules when processing queries. :gl:`#3082`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, ``recvmmsg`` support was enabled in libuv 1.35.0 and
+ 1.36.0, but not in libuv versions 1.37.0 or greater, reducing the
+ maximum query-response performance. This has been fixed. :gl:`#3095`
+
+- A failed view configuration during a ``named`` reconfiguration
+ procedure could cause inconsistencies in BIND internal structures,
+ causing a crash or other unexpected errors. This has been fixed.
+ :gl:`#3060`
+
+- Previously, ``named`` logged a "quota reached" message when it hit its
+ hard quota on the number of connections. That message was accidentally
+ removed but has now been restored. :gl:`#3125`
+
+- Build errors were introduced in some DLZ modules due to an incomplete
+ change in the previous release. This has been fixed. :gl:`#3111`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.27.rst b/doc/notes/notes-9.16.27.rst
new file mode 100644
index 0000000..842a1c4
--- /dev/null
+++ b/doc/notes/notes-9.16.27.rst
@@ -0,0 +1,65 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.27
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The rules for acceptance of records into the cache have been tightened
+ to prevent the possibility of poisoning if forwarders send records
+ outside the configured bailiwick. (CVE-2021-25220)
+
+ ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
+ Network and Information Security Lab, Tsinghua University, and
+ Changgen Zou from Qi An Xin Group Corp. for bringing this
+ vulnerability to our attention. :gl:`#2950`
+
+- TCP connections with ``keep-response-order`` enabled could leave the
+ TCP sockets in the ``CLOSE_WAIT`` state when the client did not
+ properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DEBUG(1)-level messages were added when starting and ending the BIND 9
+ task-exclusive mode that stops normal DNS operation (e.g. for
+ reconfiguration, interface scans, and other events that require
+ exclusive access to a shared resource). :gl:`#3137`
+
+Bug Fixes
+~~~~~~~~~
+
+- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options
+ were not implemented when the BIND 9 networking stack was refactored
+ in 9.16. The missing functionality has been re-implemented and
+ outgoing zone transfers now time out properly when not progressing.
+ :gl:`#1897`
+
+- TCP connections could hang indefinitely if the other party did not
+ read sent data, causing the TCP write buffers to fill. This has been
+ fixed by adding a "write" timer. Connections that are hung while
+ writing now time out after the ``tcp-idle-timeout`` period has
+ elapsed. :gl:`#3132`
+
+- The statistics counter representing the current number of clients
+ awaiting recursive resolution results (``RecursClients``) could be
+ miscalculated in certain resolution scenarios, potentially causing the
+ value of the counter to drop below zero. This has been fixed.
+ :gl:`#3147`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
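Review bot: the CVE-2022-0396 entry (#3112) says sockets could be left in ``CLOSE_WAIT`` but not what the operational impact was, nor that it has been fixed; spell out the consequence as the CVE-2021-25220 entry does. For the #3132 write timer, "time out after the ``tcp-idle-timeout`` period" reuses an idle setting for a write timeout; say explicitly that there is no separate knob, since the 9.16.28 notes (#3200) refine this same behaviour and readers will look for an option to tune.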
diff --git a/doc/notes/notes-9.16.28.rst b/doc/notes/notes-9.16.28.rst
new file mode 100644
index 0000000..54dfc17
--- /dev/null
+++ b/doc/notes/notes-9.16.28.rst
@@ -0,0 +1,40 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.28
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new configuration option ``reuseport`` to disable load balancing
+ on sockets in situations where processing of Response Policy Zones
+ (RPZ), Catalog Zones, or large zone transfers can cause service
+ disruptions. See the BIND 9 ARM for more detail. :gl:`#3249`
+
+Bug Fixes
+~~~~~~~~~
+
+- Invalid ``dnssec-policy`` definitions, where the defined keys did not
+ cover both KSK and ZSK roles for a given algorithm, were being
+ accepted. These are now checked, and the ``dnssec-policy`` is rejected
+ if both roles are not present for all algorithms in use. :gl:`#3142`
+
+- Handling of TCP write timeouts has been improved to track the timeout
+ for each TCP write separately, leading to a faster connection teardown
+ in case the other party is not reading the data. :gl:`#3200`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
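Review bot: the New Features entry "Add a new configuration option ``reuseport`` ..." is the only entry in this file written in the imperative; the rest of the notes describe changes in the past tense ("has been fixed", "has been improved"), so it should read "A new configuration option ``reuseport`` has been added to disable load balancing on sockets ...". The entry also never states the option's default or its scope (global ``options`` only, or per listener); a reader weighing the trade-off the entry describes (fewer service disruptions during RPZ, catalog-zone or large zone-transfer processing versus losing per-socket load balancing) needs at least the default value here rather than only a pointer to the ARM.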
diff --git a/doc/notes/notes-9.16.29.rst b/doc/notes/notes-9.16.29.rst
new file mode 100644
index 0000000..9e1cc4a
--- /dev/null
+++ b/doc/notes/notes-9.16.29.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.29
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, CDS and CDNSKEY DELETE records were removed from the zone
+ when configured with the ``auto-dnssec maintain;`` option. This has
+ been fixed. :gl:`#2931`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst
new file mode 100644
index 0000000..773bfd8
--- /dev/null
+++ b/doc/notes/notes-9.16.3.rst
@@ -0,0 +1,95 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.3
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- To prevent exhaustion of server resources by a maliciously configured
+ domain, the number of recursive queries that can be triggered by a
+ request before aborting recursion has been further limited. Root and
+ top-level domain servers are no longer exempt from the
+ ``max-recursion-queries`` limit. Fetches for missing name server
+ address records are limited to 4 for any domain. This issue was
+ disclosed in CVE-2020-8616. :gl:`#1388`
+
+- Replaying a TSIG BADTIME response as a request could trigger an
+ assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
+
+Known Issues
+~~~~~~~~~~~~
+
+- BIND crashes on startup when linked against libuv 1.36. This issue
+ is related to ``recvmmsg()`` support in libuv, which was first
+ included in libuv 1.35. The problem was addressed in libuv 1.37, but
+ the relevant libuv code change requires a special flag to be set
+ during library initialization in order for ``recvmmsg()`` support to
+ be enabled. This BIND release sets that special flag when required,
+ so ``recvmmsg()`` support is now enabled when BIND is compiled
+ against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not
+ usable with BIND. :gl:`#1761` :gl:`#1797`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
+ relying on system defaults instead. :gl:`#1713`
+
+- The default rwlock implementation has been changed back to the native
+ BIND 9 rwlock implementation. :gl:`#1753`
+
+- The native PKCS#11 EdDSA implementation has been updated to PKCS#11
+ v3.0 and thus made operational again. Contributed by Aaron Thompson.
+ :gl:`!3326`
+
+- The OpenSSL ECDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine (see engine_pkcs11 from libp11 project).
+ :gl:`#1534`
+
+- The OpenSSL EdDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
+ is required and thus this code is only a proof-of-concept for the
+ time being. Contributed by Aaron Thompson. :gl:`#1763`
+
+- Message IDs in inbound AXFR transfers are now checked for
+ consistency. Log messages are emitted for streams with inconsistent
+ message IDs. :gl:`#1674`
+
+- The zone timers are now exported to the statistics channel. For the
+ primary zones, only the loaded time is exported. For the secondary
+ zones, the exported timers also include expire and refresh times.
+ Contributed by Paul Frieden, Verizon Media. :gl:`#1232`
+
+Bug Fixes
+~~~~~~~~~
+
+- A bug in dnstap initialization could prevent some dnstap data from
+ being logged, especially on recursive resolvers. :gl:`#1795`
+
+- When running on a system with support for Linux capabilities,
+ ``named`` drops root privileges very soon after system startup. This
+ was causing a spurious log message, ``unable to set effective uid to
+ 0: Operation not permitted``, which has now been silenced.
+ :gl:`#1042` :gl:`#1090`
+
+- When ``named-checkconf -z`` was run, it would sometimes incorrectly set
+ its exit code. It reflected only the status of the last view found;
+ any errors found for other configured views were not reported. Thanks
+ to Graham Clinch. :gl:`#1807`
+
+- When built without LMDB support, ``named`` failed to restart after a
+ zone with a double quote (") in its name was added with
+ ``rndc addzone``. Thanks to Alberto Fernández. :gl:`#1695`
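Review bot: section ordering: Known Issues appears between Security Fixes and Feature Changes in this file, whereas every other notes file in this patch places it last (after Bug Fixes); move it to the end so the files render consistently in the combined release notes. The libuv entry under Known Issues also mixes a known issue ("libuv 1.36 is still not usable with BIND") with the description of a fix ("This BIND release sets that special flag when required, so ``recvmmsg()`` support is now enabled ..."); the fix part belongs under Bug Fixes with its :gl: references, leaving only the 1.36 incompatibility as the known issue.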
diff --git a/doc/notes/notes-9.16.30.rst b/doc/notes/notes-9.16.30.rst
new file mode 100644
index 0000000..2d375c1
--- /dev/null
+++ b/doc/notes/notes-9.16.30.rst
@@ -0,0 +1,37 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.30
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- The ``fetches-per-server`` quota is designed to adjust itself downward
+ automatically when an authoritative server times out too frequently.
+ Due to a coding error, that adjustment was applied incorrectly, so
+ that the quota for a congested server was always set to 1. This has
+ been fixed. :gl:`#3327`
+
+- DNSSEC-signed catalog zones were not being processed correctly. This
+ has been fixed. :gl:`#3380`
+
+- Key files were updated every time the ``dnssec-policy`` key manager
+ ran, whether the metadata had changed or not. :iscman:`named` now
+ checks whether changes were applied before writing out the key files.
+ :gl:`#3302`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.31.rst b/doc/notes/notes-9.16.31.rst
new file mode 100644
index 0000000..150694d
--- /dev/null
+++ b/doc/notes/notes-9.16.31.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.31
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- An assertion failure caused by a TCP connection closing between a
+ connect (or accept) and a read from a socket has been fixed.
+ :gl:`#3400`
+
+- :iscman:`named` could crash during a very rare situation that could
+ arise when validating a query which had timed out at that exact
+ moment. This has been fixed. :gl:`#3398`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.32.rst b/doc/notes/notes-9.16.32.rst
new file mode 100644
index 0000000..542051e
--- /dev/null
+++ b/doc/notes/notes-9.16.32.rst
@@ -0,0 +1,56 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.32
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
+ disabled on systems where they are disallowed by the security policy
+ (e.g. Red Hat Enterprise Linux 9). Primary zones using those
+ algorithms need to be migrated to new algorithms prior to running on
+ these systems, as graceful migration to different DNSSEC algorithms is
+ not possible when RSASHA1 is disallowed by the operating system.
+ :gl:`#3469`
+
+- Log messages related to fetch limiting have been improved to provide
+ more complete information. Specifically, the final counts of allowed
+ and spilled fetches are now logged before the counter object is
+ destroyed. :gl:`#3461`
+
+Bug Fixes
+~~~~~~~~~
+
+- Non-dynamic zones that inherit ``dnssec-policy`` from the
+ ``view`` or ``options`` blocks were not
+ marked as inline-signed and therefore never scheduled to be re-signed.
+ This has been fixed. :gl:`#3438`
+
+- The old ``max-zone-ttl`` zone option was meant to be superseded by
+ the ``max-zone-ttl`` option in ``dnssec-policy``; however, the
+ latter option was not fully effective. This has been corrected: zones
+ no longer load if they contain TTLs greater than the limit configured
+ in ``dnssec-policy``. For zones with both the old
+ ``max-zone-ttl`` option and ``dnssec-policy`` configured, the
+ old option is ignored, and a warning is generated. :gl:`#2918`
+
+- ``rndc dumpdb -expired`` was fixed to include
+ expired RRsets, even if ``stale-cache-enable`` is set to ``no`` and
+ the cache-cleaning time window has passed. :gl:`#3462`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
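Review bot: the ``max-zone-ttl`` fix ("zones no longer load if they contain TTLs greater than the limit configured in ``dnssec-policy``") is a load-time behaviour change, not only a bug fix: a zone that loaded under 9.16.31 can be refused by 9.16.32 if it carries a TTL above the policy limit, including whatever default applies when ``max-zone-ttl`` is not set in the policy. That deserves a sentence in Known Issues (or a ``.. warning::`` like the one used in notes-9.16.4.rst) naming the log message an operator will see and the remedy (lower the offending TTLs or raise ``max-zone-ttl`` in the policy). Similarly, the RSASHA1/NSEC3RSASHA1 entry says primary zones "need to be migrated to new algorithms prior to running on these systems" but not what an un-migrated zone does at startup (refuses to load, or is served unsigned), which is exactly what an operator planning an upgrade on such a system needs to know.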
diff --git a/doc/notes/notes-9.16.33.rst b/doc/notes/notes-9.16.33.rst
new file mode 100644
index 0000000..876aab8
--- /dev/null
+++ b/doc/notes/notes-9.16.33.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.33
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, there was no limit to the number of database lookups
+ performed while processing large delegations, which could be abused to
+ severely impact the performance of :iscman:`named` running as a
+ recursive resolver. This has been fixed. (CVE-2022-2795)
+
+ ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
+ Bremler-Barr & Shani Stajnrod from Reichman University for bringing
+ this vulnerability to our attention. :gl:`#3394`
+
+- :iscman:`named` running as a resolver with the
+ ``stale-answer-client-timeout`` option set to ``0`` could crash with
+ an assertion failure, when there was a stale CNAME in the cache for
+ the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517`
+
+- A memory leak was fixed that could be externally triggered in the
+ DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177)
+ :gl:`#3487`
+
+- Memory leaks were fixed that could be externally triggered in the
+ DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ :gl:`#3487`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Response Rate Limiting (RRL) code now treats all QNAMEs that are
+ subject to wildcard processing within a given zone as the same name,
+ to prevent circumventing the limits enforced by RRL. :gl:`#3459`
+
+- Zones using ``dnssec-policy`` now require dynamic DNS or
+ ``inline-signing`` to be configured explicitly. :gl:`#3381`
+
+- A backward-compatible approach was implemented for encoding
+ internationalized domain names (IDN) in :iscman:`dig` and converting
+ the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
+ conversion. :gl:`#3485`
+
+Bug Fixes
+~~~~~~~~~
+
+- A serve-stale bug was fixed, where BIND would try to return stale data
+ from cache for lookups that received duplicate queries or queries that
+ would be dropped. This bug resulted in premature SERVFAIL responses,
+ and has now been resolved. :gl:`#2982`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
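Review bot: the Feature Changes entry "Zones using ``dnssec-policy`` now require dynamic DNS or ``inline-signing`` to be configured explicitly. :gl:`#3381`" contradicts the Known Issues section of the same file ("There are no new known issues with this release"): as notes-9.16.34.rst in this same patch spells out, ``type primary`` zones with ``dnssec-policy`` but without ``allow-update`` or ``update-policy``, and ``type secondary`` zones with ``dnssec-policy``, make :iscman:`named` fail to start until ``inline-signing yes;`` is added. That required action and the kb.isc.org link should appear here, in the release that introduced the change, not only one release later. Minor: the IDN entry (:gl:`#3485`) reads awkwardly ("... and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion"); suggest ":iscman:`dig` now first converts a domain name to IDNA2008 form and falls back to an IDNA2003 conversion if that fails".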
diff --git a/doc/notes/notes-9.16.34.rst b/doc/notes/notes-9.16.34.rst
new file mode 100644
index 0000000..b1eedac
--- /dev/null
+++ b/doc/notes/notes-9.16.34.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.34
+----------------------
+
+Known Issues
+~~~~~~~~~~~~
+
+- Upgrading from BIND 9.16.32 or any older version may require a manual
+ configuration change. The following configurations are affected:
+
+ - ``type primary`` zones configured with ``dnssec-policy`` but without
+ either ``allow-update`` or ``update-policy``,
+ - ``type secondary`` zones configured with ``dnssec-policy``.
+
+ In these cases please add ``inline-signing yes;`` to the individual
+ zone configuration(s). Without applying this change, :iscman:`named`
+ will fail to start. For more details, see
+ https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- Support for parsing and validating the ``dohpath`` service parameter
+ in SVCB records was added. :gl:`#3544`
+
+- :iscman:`named` now logs the supported cryptographic algorithms during
+ startup and in the output of ``named -V``. :gl:`#3541`
+
+Bug Fixes
+~~~~~~~~~
+
+- Changing just the TSIG key names for primaries in catalog zones'
+ member zones was not effective. This has been fixed. :gl:`#3557`
diff --git a/doc/notes/notes-9.16.35.rst b/doc/notes/notes-9.16.35.rst
new file mode 100644
index 0000000..23ccf86
--- /dev/null
+++ b/doc/notes/notes-9.16.35.rst
@@ -0,0 +1,56 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.35
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A crash was fixed that happened when a ``dnssec-policy`` zone that
+ used NSEC3 was reconfigured to enable ``inline-signing``. :gl:`#3591`
+
+- In certain resolution scenarios, quotas could be erroneously reached
+ for servers, including any configured forwarders, resulting in
+ SERVFAIL answers being sent to clients. This has been fixed.
+ :gl:`#3598`
+
+- ``rpz-ip`` rules in ``response-policy`` zones could be ineffective in
+ some cases if a query had the CD (Checking Disabled) bit set to 1.
+ This has been fixed. :gl:`#3247`
+
+- Previously, if Internet connectivity issues were experienced during
+ the initial startup of :iscman:`named`, a BIND resolver with
+ ``dnssec-validation`` set to ``auto`` could enter into a state where
+ it would not recover without stopping :iscman:`named`, manually
+ deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl``
+ files, and starting :iscman:`named` again. This has been fixed.
+ :gl:`#2895`
+
+- The statistics counter representing the current number of clients
+ awaiting recursive resolution results (``RecursClients``) could
+ overflow in certain resolution scenarios. This has been fixed.
+ :gl:`#3584`
+
+- Previously, BIND failed to start on Solaris-based systems with
+ hundreds of CPUs. This has been fixed. :gl:`#3563`
+
+- When a DNS resource record's TTL value was equal to the resolver's
+ configured ``prefetch`` "eligibility" value, the record was
+ erroneously not treated as eligible for prefetching. This has been
+ fixed. :gl:`#3603`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
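Review bot: the ``rpz-ip`` entry (:gl:`#3247`) describes response-policy rules not being applied to queries with the CD bit set, which is a policy bypass and therefore security-relevant, yet it is filed as an ordinary bug fix with no statement of scope. Say whether only ``rpz-ip`` rules or other rule types were affected, and whether the behaviour depended on the zone's DNSSEC-related RPZ settings, so operators who rely on RPZ for blocking can judge their exposure before this release. The two ``RecursClients`` counter entries in this patch (this file, "could overflow", and notes-9.16.27.rst, "drop below zero") could also cross-reference each other, since they concern the same counter.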
diff --git a/doc/notes/notes-9.16.36.rst b/doc/notes/notes-9.16.36.rst
new file mode 100644
index 0000000..d73df01
--- /dev/null
+++ b/doc/notes/notes-9.16.36.rst
@@ -0,0 +1,49 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.36
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ``auto-dnssec`` option has been deprecated and will be removed in
+ a future BIND 9.19.x release. Please migrate to ``dnssec-policy``.
+ :gl:`#3667`
+
+Bug Fixes
+~~~~~~~~~
+
+- When a catalog zone was removed from the configuration, in some cases
+ a dangling pointer could cause the :iscman:`named` process to crash.
+ This has been fixed. :gl:`#3683`
+
+- When a zone was deleted from a server, a key management object related
+ to that zone was inadvertently kept in memory and only released upon
+ shutdown. This could lead to constantly increasing memory use on
+ servers with a high rate of changes affecting the set of zones being
+ served. This has been fixed. :gl:`#3727`
+
+- In certain cases, :iscman:`named` waited for the resolution of
+ outstanding recursive queries to finish before shutting down. This was
+ unintended and has been fixed. :gl:`#3183`
+
+- The ``zone <name>/<class>: final reference detached`` log message was
+ moved from the INFO log level to the DEBUG(1) log level to prevent the
+ :iscman:`named-checkzone` tool from superfluously logging this message
+ in non-debug mode. :gl:`#3707`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst
new file mode 100644
index 0000000..9b0393c
--- /dev/null
+++ b/doc/notes/notes-9.16.37.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.37
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- An UPDATE message flood could cause :iscman:`named` to exhaust all
+ available memory. This flaw was addressed by adding a new
+ ``update-quota`` option that controls the maximum number of
+ outstanding DNS UPDATE messages that :iscman:`named` can hold in a
+ queue at any given time (default: 100). (CVE-2022-3094)
+
+ ISC would like to thank Rob Schulhof from Infoblox for bringing this
+ vulnerability to our attention. :gl:`#3523`
+
+- :iscman:`named` could crash with an assertion failure when an RRSIG
+ query was received and ``stale-answer-client-timeout`` was set to a
+ non-zero value. This has been fixed. (CVE-2022-3736)
+
+ ISC would like to thank Borja Marcos from Sarenet (with assistance by
+ Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
+ our attention. :gl:`#3622`
+
+- :iscman:`named` running as a resolver with the
+ ``stale-answer-client-timeout`` option set to any value greater than
+ ``0`` could crash with an assertion failure, when the
+ ``recursive-clients`` soft quota was reached. This has been fixed.
+ (CVE-2022-3924)
+
+ ISC would like to thank Maksym Odinintsev from AWS for bringing this
+ vulnerability to our attention. :gl:`#3619`
+
+New Features
+~~~~~~~~~~~~
+
+- The new ``update-quota`` option can be used to control the number of
+ simultaneous DNS UPDATE messages that can be processed to update an
+ authoritative zone on a primary server, or forwarded to the primary
+ server by a secondary server. The default is 100. A new statistics
+ counter has also been added to record events when this quota is
+ exceeded, and the version numbers for the XML and JSON statistics
+ schemas have been updated. :gl:`#3523`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The Differentiated Services Code Point (DSCP) feature in BIND has been
+ deprecated. Configuring DSCP values in ``named.conf`` now causes a
+ warning to be logged. Note that this feature has only been partly
+ operational since the new Network Manager was introduced in BIND
+ 9.16.0. :gl:`#3773`
+
+- The catalog zone implementation has been optimized to work with
+ hundreds of thousands of member zones. :gl:`#3744`
+
+Bug Fixes
+~~~~~~~~~
+
+- In certain query resolution scenarios (e.g. when following CNAME
+ records), :iscman:`named` configured to answer from stale cache could
+ return a SERVFAIL response despite a usable, non-stale answer being
+ present in the cache. This has been fixed. :gl:`#3678`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
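Review bot: the ``update-quota`` option is described twice with different semantics: the Security Fixes entry calls it "the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a queue at any given time", while the New Features entry says "the number of simultaneous DNS UPDATE messages that can be processed ... or forwarded to the primary server by a secondary server". Pick one formulation, and state what happens to an UPDATE that arrives when the quota is full (dropped, or answered with an error RCODE) and the name of the new statistics counter, since that is how an operator would distinguish a flood being throttled from legitimate updates being refused. The New Features entry could otherwise just reference the Security Fixes entry instead of restating it.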
diff --git a/doc/notes/notes-9.16.38.rst b/doc/notes/notes-9.16.38.rst
new file mode 100644
index 0000000..8d20794
--- /dev/null
+++ b/doc/notes/notes-9.16.38.rst
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.38
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A constant stream of zone additions and deletions via ``rndc
+ reconfig`` could cause increased memory consumption due to delayed
+ cleaning of view memory. This has been fixed. :gl:`#3801`
+
+- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
+ NSEC3 hashing, has been improved. :gl:`#3795`
+
+- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
+ ``./configure`` was used. This has been fixed. :gl:`#3827`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
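Review bot: the digest-speed entry ("The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved. :gl:`#3795`") is a performance improvement, not a bug fix; it belongs under a Feature Changes heading, which this file lacks and which the other notes files in this patch use for exactly this kind of change. The ``rndc reconfig`` memory entry and the ``--enable-dnsrps`` build entry are correctly placed.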
diff --git a/doc/notes/notes-9.16.39.rst b/doc/notes/notes-9.16.39.rst
new file mode 100644
index 0000000..4e88a9d
--- /dev/null
+++ b/doc/notes/notes-9.16.39.rst
@@ -0,0 +1,60 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.39
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- libuv support for receiving multiple UDP messages in a single
+ ``recvmmsg()`` system call has been tweaked several times between
+ libuv versions 1.35.0 and 1.40.0; the current recommended libuv
+ version is 1.40.0 or higher. New rules are now in effect for running
+ with a different version of libuv than the one used at compilation
+ time. These rules may trigger a fatal error at startup:
+
+ - Building against or running with libuv versions 1.35.0 and 1.36.0 is
+ now a fatal error.
+
+ - Running with libuv version higher than 1.34.2 is now a fatal error
+ when :iscman:`named` is built against libuv version 1.34.2 or lower.
+
+ - Running with libuv version higher than 1.39.0 is now a fatal error
+ when :iscman:`named` is built against libuv version 1.37.0, 1.38.0,
+ 1.38.1, or 1.39.0.
+
+ This prevents the use of libuv versions that may trigger an assertion
+ failure when receiving multiple UDP messages in a single system call.
+ :gl:`#3840`
+
+Bug Fixes
+~~~~~~~~~
+
+- :iscman:`named` could crash with an assertion failure when adding a
+ new zone into the configuration file for a name which was already
+ configured as a member zone for a catalog zone. This has been fixed.
+ :gl:`#3911`
+
+- When :iscman:`named` starts up, it sends a query for the DNSSEC key
+ for each configured trust anchor to determine whether the key has
+ changed. In some unusual cases, the query might depend on a zone for
+ which the server is itself authoritative, and would have failed if it
+ were sent before the zone was fully loaded. This has now been fixed by
+ delaying the key queries until all zones have finished loading.
+ :gl:`#3673`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
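Review bot: the new libuv version rules ("Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error" plus the two build-versus-runtime mismatch rules) will make :iscman:`named` refuse to start wherever libuv is upgraded or downgraded independently of the BIND binary, which is the normal case for distribution packages; that is a new known issue for upgraders and contradicts "There are no new known issues with this release" in the same file. Also, notes-9.16.3.rst in this same patch states that ``recvmmsg()`` support is enabled when BIND is compiled against libuv 1.35, which this entry now declares a fatal error; either add a cross-reference to the earlier note or say explicitly here that these rules supersede the 9.16.3 guidance.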
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst
new file mode 100644
index 0000000..6dd03f6
--- /dev/null
+++ b/doc/notes/notes-9.16.4.rst
@@ -0,0 +1,120 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.4
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- It was possible to trigger an assertion when attempting to fill an
+ oversized TCP buffer. This was disclosed in CVE-2020-8618.
+ :gl:`#1850`
+
+- It was possible to trigger an INSIST failure when a zone with an
+ interior wildcard label was queried in a certain pattern. This was
+ disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
+
+New Features
+~~~~~~~~~~~~
+
+- Documentation was converted from DocBook to reStructuredText. The
+ BIND 9 ARM is now generated using Sphinx and published on `Read the
+ Docs`_. Release notes are no longer available as a separate document
+ accompanying a release. :gl:`#83`
+
+- ``named`` and ``named-checkzone`` now reject master zones that have a
+ DS RRset at the zone apex. Attempts to add DS records at the zone
+ apex via UPDATE will be logged but otherwise ignored. DS records
+ belong in the parent zone, not at the zone apex. :gl:`#1798`
+
+- ``dig`` and other tools can now print the Extended DNS Error (EDE)
+ option when it appears in a request or a response. :gl:`#1835`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The default value of ``max-stale-ttl`` has changed from 1 week to 12
+ hours. This option controls how long ``named`` retains expired RRsets
+ in cache as a potential mitigation mechanism, should there be a
+ problem with one or more domains. Note that cache content retention
+ is independent of whether stale answers are used in response to
+ client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale
+ on|off``). Serving of stale answers when the authoritative servers
+ are not responding must be explicitly enabled, whereas the retention
+ of expired cache content takes place automatically on all versions of
+ BIND 9 that have this feature available. :gl:`#1877`
+
+ .. warning::
+ This change may be significant for administrators who expect that
+ stale cache content will be automatically retained for up to 1
+ week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep
+ the previous behavior of ``named``.
+
+- ``listen-on-v6 { any; }`` creates a separate socket for each
+ interface. Previously, just one socket was created on systems
+ conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
+ in BIND 9.16.0, but it was accidentally omitted from documentation.
+ :gl:`#1782`
+
+Bug Fixes
+~~~~~~~~~
+
+- When fully updating the NSEC3 chain for a large zone via IXFR, a
+ temporary loss of performance could be experienced on the secondary
+ server when answering queries for nonexistent data that required
+ DNSSEC proof of non-existence (in other words, queries that required
+ the server to find and to return NSEC3 data). The unnecessary
+ processing step that was causing this delay has now been removed.
+ :gl:`#1834`
+
+- ``named`` could crash with an assertion failure if the name of a
+ database node was looked up while the database was being modified.
+ :gl:`#1857`
+
+- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
+ :gl:`#1859`
+
+- Previously, ``named`` did not destroy some mutexes and conditional
+ variables in netmgr code, which caused a memory leak on FreeBSD. This
+ has been fixed. :gl:`#1893`
+
+- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
+ to an assertion failure was fixed. :gl:`#1808`
+
+- Previously, ``provide-ixfr no;`` failed to return up-to-date
+ responses when the serial number was greater than or equal to the
+ current serial number. :gl:`#1714`
+
+- A bug in dnssec-policy keymgr was fixed, where the check for the
+ existence of a given key's successor would incorrectly return
+ ``true`` if any other key in the keyring had a successor. :gl:`#1845`
+
+- With dnssec-policy, when creating a successor key, the "goal" state
+ of the current active key (the predecessor) was not changed and thus
+ never removed from the zone. :gl:`#1846`
+
+- ``named-checkconf -p`` could include spurious text in
+ ``server-addresses`` statements due to an uninitialized DSCP value.
+ This has been fixed. :gl:`#1812`
+
+- The ARM has been updated to indicate that the TSIG session key is
+ generated when named starts, regardless of whether it is needed.
+ :gl:`#1842`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting
+ this BIND 9 branch.
+
+.. _Read the Docs: https://bind9.readthedocs.io/
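Review bot: in the last Bug Fixes item (the ARM update about the TSIG session key), `named` is left unmarked while every other occurrence in this hunk uses ``named``; mark it the same way. Two smaller points: the FreeBSD memory-leak item should say "condition variables" rather than "conditional variables", since that is the pthread primitive being destroyed alongside the mutexes, and the ``.. warning::`` directive under the ``max-stale-ttl`` item needs its body indented more deeply than the directive line for Sphinx to render it as an admonition; as the lines appear in this diff the body sits at the same level, so please confirm the indentation in the file.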
diff --git a/doc/notes/notes-9.16.40.rst b/doc/notes/notes-9.16.40.rst
new file mode 100644
index 0000000..caa2e61
--- /dev/null
+++ b/doc/notes/notes-9.16.40.rst
@@ -0,0 +1,32 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.40
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Logfiles using ``timestamp``-style suffixes were not always correctly
+ removed when the number of files exceeded the limit set by ``versions``.
+ This has been fixed for configurations which do not explicitly specify
+ a directory path as part of the ``file`` argument in the ``channel``
+ specification. :gl:`#3959` :gl:`#3991`
+
+- Performance of DNSSEC validation in zones with many DNSKEY records
+ has been improved. :gl:`#3981`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
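Review bot: the log-rotation item scopes the fix to configurations that do not give a directory path in the ``file`` argument of the ``channel``, but does not say what happens when a path is given: whether those configurations were never affected, or still accumulate ``timestamp``-suffixed files past the ``versions`` limit and are tracked in a follow-up issue. Please state that explicitly, since an operator reading this needs to know whether to keep cleaning up by hand. Minor: "Logfiles" should be "Log files".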
diff --git a/doc/notes/notes-9.16.41.rst b/doc/notes/notes-9.16.41.rst
new file mode 100644
index 0000000..24f2cb8
--- /dev/null
+++ b/doc/notes/notes-9.16.41.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.41
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- When removing delegations from an opt-out range, empty-non-terminal
+ NSEC3 records generated by those delegations were not cleaned up. This
+ has been fixed. :gl:`#4027`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
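Review bot: the NSEC3 item should spell out the consequence of the leftover records (what a validating resolver or a zone transfer saw while the stale empty non-terminal NSEC3 records remained) so operators can judge whether they need to check or re-sign affected zones; as written it names only the cleanup. Terminology: "empty non-terminal" is the usual form, hyphenated only between "non" and "terminal", rather than "empty-non-terminal".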
diff --git a/doc/notes/notes-9.16.42.rst b/doc/notes/notes-9.16.42.rst
new file mode 100644
index 0000000..85b0ede
--- /dev/null
+++ b/doc/notes/notes-9.16.42.rst
@@ -0,0 +1,45 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.42
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The overmem cleaning process has been improved, to prevent the cache
+ from significantly exceeding the configured ``max-cache-size`` limit.
+ (CVE-2023-2828)
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4055`
+
+- A query that prioritizes stale data over lookup triggers a fetch to
+ refresh the stale data in cache. If the fetch is aborted for exceeding
+ the recursion quota, it was possible for :iscman:`named` to enter an
+ infinite callback loop and crash due to stack overflow. This has been
+ fixed. (CVE-2023-2911) :gl:`#4089`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, it was possible for a delegation from cache to be returned
+ to the client after the ``stale-answer-client-timeout`` duration.
+ This has been fixed. :gl:`#3950`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
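Review bot: the CVE-2023-2911 item describes the trigger as "a query that prioritizes stale data over lookup" without naming the configuration that produces that behaviour, so an operator cannot tell from this note whether their serve-stale settings exposed them; name the relevant option or setting next to the CVE id, as the Bug Fixes item below does for ``stale-answer-client-timeout``. Also drop the comma in "has been improved, to prevent" in the CVE-2023-2828 item, and say there what the overmem cleaning shortfall meant in practice (resident memory growing well beyond what ``max-cache-size`` was meant to bound), so readers see why it is listed as a security fix.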
diff --git a/doc/notes/notes-9.16.43.rst b/doc/notes/notes-9.16.43.rst
new file mode 100644
index 0000000..4c30315
--- /dev/null
+++ b/doc/notes/notes-9.16.43.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.43
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Processing already-queued queries received over TCP could cause an
+ assertion failure, when the server was reconfigured at the same time
+ or the cache was being flushed. This has been fixed. :gl:`#4200`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
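Review bot: the TCP item is hard to parse: "could cause an assertion failure, when the server was reconfigured at the same time or the cache was being flushed" puts the comma in the wrong place and loses the parallel between the two triggers. Suggest: "Processing already-queued queries received over TCP could cause an assertion failure when the server was being reconfigured or the cache was being flushed at the same time." Since an assertion failure in query processing terminates :iscman:`named`, it would also help to say outright that the outcome was a crash, as the other notes in this series do.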
diff --git a/doc/notes/notes-9.16.44.rst b/doc/notes/notes-9.16.44.rst
new file mode 100644
index 0000000..81c157a
--- /dev/null
+++ b/doc/notes/notes-9.16.44.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.44
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, sending a specially crafted message over the control
+ channel could cause the packet-parsing code to run out of available
+ stack memory, causing :iscman:`named` to terminate unexpectedly.
+ This has been fixed. (CVE-2023-3341)
+
+ ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
+ bringing this vulnerability to our attention. :gl:`#4152`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
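Review bot: the CVE-2023-3341 item does not say who can reach the vulnerable parsing code: whether the crafted message must be authenticated with the control-channel key or merely arrive on the control-channel port. That distinction decides the exposure of every deployment whose control channel listens on a non-loopback address, so please state it in the note and, if the code runs before authentication, say so prominently.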
diff --git a/doc/notes/notes-9.16.5.rst b/doc/notes/notes-9.16.5.rst
new file mode 100644
index 0000000..613dcf7
--- /dev/null
+++ b/doc/notes/notes-9.16.5.rst
@@ -0,0 +1,72 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.5
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- New ``rndc`` command ``rndc dnssec -status`` shows the current DNSSEC
+ policy and keys in use, the key states, and rollover status.
+ :gl:`#1612`
+
+Bug Fixes
+~~~~~~~~~
+
+- A race condition could occur if a TCP socket connection was closed
+ while ``named`` was waiting for a recursive response. The attempt to
+ send a response over the closing connection triggered an assertion
+ failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937`
+
+- A race condition could occur when ``named`` attempted to use a UDP
+ interface that was shutting down. This triggered an assertion failure
+ in ``uv__udp_finish_close()``. :gl:`#1938`
+
+- Fix assertion failure when server was under load and root zone had not
+ yet been loaded. :gl:`#1862`
+
+- ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c``
+ that were being reused. :gl:`#1968`
+
+- ``named`` crashed on shutdown when a new ``rndc`` connection was
+ received during shutdown. This has been fixed. :gl:`#1747`
+
+- The DS RRset returned by ``dns_keynode_dsset()`` was used in a
+ non-thread-safe manner. This could result in an INSIST being
+ triggered. :gl:`#1926`
+
+- Properly handle missing ``kyua`` command so that ``make check`` does
+ not fail unexpectedly when CMocka is installed, but Kyua is not.
+ :gl:`#1950`
+
+- The ``primary`` and ``secondary`` keywords, when used as parameters
+ for ``check-names``, were not processed correctly and were being
+ ignored. :gl:`#1949`
+
+- ``rndc dnstap -roll <value>`` did not limit the number of saved files
+ to ``<value>``. :gl:`!3728`
+
+- The validator could fail to accept a properly signed RRset if an
+ unsupported algorithm appeared earlier in the DNSKEY RRset than a
+ supported algorithm. It could also stop if it detected a malformed
+ public key. :gl:`#1689`
+
+- The ``blackhole`` ACL was inadvertently disabled for client queries.
+ Blocked IP addresses were not used for upstream queries but queries
+ from those addresses could still be answered. :gl:`#1936`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
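Review bot: the ``blackhole`` item at the end of Bug Fixes describes an access-control regression (queries from blackholed addresses were still answered) but gives no affected version range, which operators need in order to judge how long the ACL was silently ineffective; please add the first affected release. Style: "Fix assertion failure when server was under load and root zone had not yet been loaded" and "Properly handle missing ``kyua`` command ..." are imperative commit-message fragments amid past-tense descriptions; rewrite along the lines of "An assertion failure could occur when the server was under load and the root zone had not yet been loaded. This has been fixed." Also add the comma before "but" in "Blocked IP addresses were not used for upstream queries, but queries from those addresses could still be answered."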
diff --git a/doc/notes/notes-9.16.6.rst b/doc/notes/notes-9.16.6.rst
new file mode 100644
index 0000000..1357f1d
--- /dev/null
+++ b/doc/notes/notes-9.16.6.rst
@@ -0,0 +1,121 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.6
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- It was possible to trigger an assertion failure by sending a specially
+ crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
+
+ ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
+ bringing this vulnerability to our attention. :gl:`#1996`
+
+- ``named`` could crash after failing an assertion check in certain
+ query resolution scenarios where QNAME minimization and forwarding
+ were both enabled. To prevent such crashes, QNAME minimization is now
+ always disabled for a given query resolution process, if forwarders
+ are used at any point. This was disclosed in CVE-2020-8621.
+
+ ISC would like to thank Joseph Gullo for bringing this vulnerability
+ to our attention. :gl:`#1997`
+
+- It was possible to trigger an assertion failure when verifying the
+ response to a TSIG-signed request. This was disclosed in
+ CVE-2020-8622.
+
+ ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
+ of Oracle for bringing this vulnerability to our attention.
+ :gl:`#2028`
+
+- When BIND 9 was compiled with native PKCS#11 support, it was possible
+ to trigger an assertion failure in code determining the number of bits
+ in the PKCS#11 RSA public key with a specially crafted packet. This
+ was disclosed in CVE-2020-8623.
+
+ ISC would like to thank Lyu Chiy for bringing this vulnerability to
+ our attention. :gl:`#2037`
+
+- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
+ as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
+ to update names outside of the specified subdomains. The problem was
+ fixed by making sure ``subdomain`` rules are again processed as
+ described in the ARM. This was disclosed in CVE-2020-8624.
+
+ ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+ vulnerability to our attention. :gl:`#2055`
+
+New Features
+~~~~~~~~~~~~
+
+- A new configuration option ``stale-cache-enable`` has been introduced
+ to enable or disable keeping stale answers in cache. :gl:`#1712`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- BIND's cache database implementation has been updated to use a faster
+ hash function with better distribution. In addition, the effective
+ ``max-cache-size`` (configured explicitly, defaulting to a value based
+ on system memory or set to ``unlimited``) now pre-allocates fixed-size
+ hash tables. This prevents interruption to query resolution when the
+ hash table sizes need to be increased. :gl:`#1775`
+
+- Resource records received with 0 TTL are no longer kept in the cache
+ to be used for stale answers. :gl:`#1829`
+
+Bug Fixes
+~~~~~~~~~
+
+- Wildcard RPZ passthru rules could incorrectly be overridden by other
+ rules that were loaded from RPZ zones which appeared later in the
+ ``response-policy`` statement. This has been fixed. :gl:`#1619`
+
+- The IPv6 Duplicate Address Detection (DAD) mechanism could
+ inadvertently prevent ``named`` from binding to new IPv6 interfaces,
+ by causing multiple route socket messages to be sent for each IPv6
+ address. ``named`` monitors for new interfaces to ``bind()`` to when
+ it is configured to listen on ``any`` or on a specific range of
+ addresses. New IPv6 interfaces can be in a "tentative" state before
+ they are fully available for use. When DAD is in use, two messages are
+ emitted by the route socket: one when the interface first appears and
+ then a second one when it is fully "up." An attempt by ``named`` to
+ ``bind()`` to the new interface prematurely would fail, causing it
+ thereafter to ignore that address/interface. The problem was worked
+ around by setting the ``IP_FREEBIND`` option on the socket and trying
+ to ``bind()`` to each IPv6 address again if the first ``bind()`` call
+ for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038`
+
+- Addressed an error in recursive clients stats reporting which could
+ cause underflow, and even negative statistics. There were occasions
+ when an incoming query could trigger a prefetch for some eligible
+ RRset, and if the prefetch code were executed before recursion, no
+ increment in recursive clients stats would take place. Conversely,
+ when processing the answers, if the recursion code were executed
+ before the prefetch, the same counter would be decremented without a
+ matching increment. :gl:`#1719`
+
+- The introduction of KASP support inadvertently caused the second field
+ of ``sig-validity-interval`` to always be calculated in hours, even in
+ cases when it should have been calculated in days. This has been
+ fixed. (Thanks to Tony Finch.) :gl:`!3735`
+
+- LMDB locking code was revised to make ``rndc reconfig`` work properly
+ on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
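Review bot: in the Feature Changes item about the cache database, "the effective ``max-cache-size`` ... now pre-allocates fixed-size hash tables" makes the option the actor; it is the cache database that pre-allocates tables sized from the effective ``max-cache-size``. Suggest: "In addition, the cache database now pre-allocates fixed-size hash tables based on the effective ``max-cache-size`` (whether configured explicitly, defaulted from system memory, or set to ``unlimited``)." The ``unlimited`` case also needs a sentence on what table size is chosen when there is no bound to derive it from, because that is the case where pre-allocation could surprise operators on memory. In the CVE-2020-8624 item, it would help operators to state since which release ``subdomain`` rules were being treated as ``zonesub`` rules, so they can audit dynamic updates accepted in the affected window. Minor: "Addressed an error in recursive clients stats reporting ..." is an imperative fragment; the rest of the section is descriptive.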
diff --git a/doc/notes/notes-9.16.7.rst b/doc/notes/notes-9.16.7.rst
new file mode 100644
index 0000000..ed04df2
--- /dev/null
+++ b/doc/notes/notes-9.16.7.rst
@@ -0,0 +1,63 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.7
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to
+ ``named`` that a DS record for a given zone or key has been published
+ or withdrawn from the parent. This command replaces the time-based
+ ``parent-registration-delay`` configuration option. :gl:`#1613`
+
+- Log when ``named`` adds a CDS/CDNSKEY to the zone. :gl:`#1748`
+
+Bug Fixes
+~~~~~~~~~
+
+- In rare circumstances, ``named`` would exit with an assertion failure
+ when the number of nodes stored in the red-black tree exceeded the
+ maximum allowed size of the internal hash table. :gl:`#2104`
+
+- Silence spurious system log messages for an EPROTO(71) error code that
+ was seen on older operating systems, where unhandled ICMPv6 errors
+ resulted in a generic protocol error being returned instead of a more
+ specific error code. :gl:`#1928`
+
+- With query name minimization enabled, ``named`` failed to resolve
+ ``ip6.arpa.`` names that had extra labels to the left of the IPv6
+ part. For example, when ``named`` attempted query name minimization on
+ a name like ``A.B.1.2.3.4.(...).ip6.arpa.``, it stopped at the
+ leftmost IPv6 label, i.e. ``1.2.3.4.(...).ip6.arpa.``, without
+ considering the extra labels (``A.B``). That caused a query loop when
+ resolving the name: if ``named`` received NXDOMAIN answers, then the
+ same query was repeatedly sent until the number of queries sent
+ reached the value of the ``max-recursion-queries`` configuration
+ option. :gl:`#1847`
+
+- Parsing of LOC records was made more strict by rejecting a sole period
+ (``.``) and/or ``m`` as a value. These changes prevent zone files
+ using such values from being loaded. Handling of negative altitudes
+ which are not integers was also corrected. :gl:`#2074`
+
+- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are
+ security issues.) :gl:`!3953` :gl:`!3975`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
+
+.. _OSS-Fuzz: https://github.com/google/oss-fuzz
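Review bot: in the EPROTO item, the numeric value in "EPROTO(71)" is Linux's errno number and other systems use different values, so either drop the number or write "EPROTO (71 on Linux)". The ``rndc dnssec -checkds`` item says the command replaces ``parent-registration-delay`` but not whether a ``named.conf`` that still contains the old option is rejected or has it silently ignored; existing configurations will carry it, so please say which. Style: "Add a new ``rndc`` command ...", "Log when ``named`` adds ..." and "Silence spurious system log messages ..." are imperative fragments, whereas the surrounding items are descriptive ("A new ... has been added", "``named`` now logs when ...").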
diff --git a/doc/notes/notes-9.16.8.rst b/doc/notes/notes-9.16.8.rst
new file mode 100644
index 0000000..e441e42
--- /dev/null
+++ b/doc/notes/notes-9.16.8.rst
@@ -0,0 +1,63 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.8
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new ``rndc`` command, ``rndc dnssec -rollover``, which triggers
+ a manual rollover for a specific key. :gl:`#1749`
+
+- Add a new ``rndc`` command, ``rndc dumpdb -expired``, which dumps the
+ cache database, including expired RRsets that are awaiting cleanup, to
+ the ``dump-file`` for diagnostic purposes. :gl:`#1870`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DNS Flag Day 2020: The default EDNS buffer size has been changed from
+ 4096 to 1232 bytes. According to measurements done by multiple
+ parties, this should not cause any operational problems as most of the
+ Internet "core" is able to cope with IP message sizes between
+ 1400-1500 bytes; the 1232 size was picked as a conservative minimal
+ number that could be changed by the DNS operator to an estimated path
+ MTU minus the estimated header space. In practice, the smallest MTU
+ witnessed in the operational DNS community is 1500 octets, the maximum
+ Ethernet payload size, so a useful default for maximum DNS/UDP payload
+ size on reliable networks would be 1432 bytes. :gl:`#2183`
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` reported an invalid memory size when running in an
+ environment that did not properly report the number of available
+ memory pages and/or the size of each memory page. :gl:`#2166`
+
+- With multiple forwarders configured, ``named`` could fail the
+ ``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``,
+ causing it to crash. This has been fixed. :gl:`#2124`
+
+- ``named`` erroneously performed continuous key rollovers for KASP
+ policies that used algorithm Ed25519 or Ed448 due to a mismatch
+ between created key size and expected key size. :gl:`#2171`
+
+- Updating contents of an RPZ zone which contained names spelled using
+ varying letter case could cause some processing rules in that RPZ zone
+ to be erroneously ignored. :gl:`#2169`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
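Review bot: the DNS Flag Day item contradicts itself on what the recommended value is: it states the default is now 1232 bytes, then closes with "a useful default ... would be 1432 bytes". Make clear that 1232 is the shipped default and 1432 is a value that operators on networks with a known 1500-byte MTU may choose to set themselves, and name the option that sets it (``edns-udp-size``) so they can act on the advice. The hyphenated range "1400-1500 bytes" should read "1400 to 1500 bytes". Minor: in the Ed25519/Ed448 item, "between created key size and expected key size" reads better as "between the size of the created key and the expected size".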
diff --git a/doc/notes/notes-9.16.9.rst b/doc/notes/notes-9.16.9.rst
new file mode 100644
index 0000000..5ce2b37
--- /dev/null
+++ b/doc/notes/notes-9.16.9.rst
@@ -0,0 +1,50 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.9
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- A new configuration option, ``stale-refresh-time``, has been
+ introduced. It allows a stale RRset to be served directly from cache
+ for a period of time after a failed lookup, before a new attempt to
+ refresh it is made. :gl:`#2066`
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` could crash with an assertion failure if a TCP connection
+ were closed while a request was still being processed. :gl:`#2227`
+
+- ``named`` acting as a resolver could incorrectly treat signed zones
+ with no DS record at the parent as bogus. Such zones should be treated
+ as insecure. This has been fixed. :gl:`#2236`
+
+- After a Negative Trust Anchor (NTA) is added, BIND performs periodic
+ checks to see if it is still necessary. If BIND encountered a failure
+ while creating a query to perform such a check, it attempted to
+ dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244`
+
+- A problem obtaining glue records could prevent a stub zone from
+ functioning properly, if the authoritative server for the zone were
+ configured for minimal responses. :gl:`#1736`
+
+- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a
+ ``TCP6RecvErr``. :gl:`#2208`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
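Review bot: the ``stale-refresh-time`` item introduces a new option without its default value or unit, which is the first thing an operator checks; add both, or a pointer to the ARM section that has them. The ``UV_EOF`` item reads as an internal libuv detail; say what the operator-visible effect was, namely that a peer closing a TCP connection normally was being counted in the ``TCP4RecvErr``/``TCP6RecvErr`` socket statistics counters, inflating the error counts. Also the NTA item stops at "resulting in a crash" and should end with "This has been fixed." like the items around it, since as written it states only the failure.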
diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst
new file mode 100644
index 0000000..d9000cb
--- /dev/null
+++ b/doc/notes/notes-known-issues.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+- Upgrading from BIND 9.16.32 or any older version may require a manual
+ configuration change. The following configurations are affected:
+
+ - ``type primary`` zones configured with ``dnssec-policy`` but without
+ either ``allow-update`` or ``update-policy``,
+ - ``type secondary`` zones configured with ``dnssec-policy``.
+
+ In these cases please add ``inline-signing yes;`` to the individual
+ zone configuration(s). Without applying this change, :iscman:`named`
+ will fail to start. For more details, see
+ https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- BIND crashes on startup when linked against libuv 1.36. This issue is
+ related to ``recvmmsg()`` support in libuv, which was first included
+ in libuv 1.35. The problem was addressed in libuv 1.37, but the
+ relevant libuv code change requires a special flag to be set during
+ library initialization in order for ``recvmmsg()`` support to be
+ enabled. This BIND release sets that special flag when required, so
+ ``recvmmsg()`` support is now enabled when BIND is compiled against
+ either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not usable with
+ BIND. :gl:`#1761` :gl:`#1797`
+
+- UDP network ports used for listening can no longer simultaneously be
+ used for sending traffic. An example configuration which triggers this
+ issue would be one which uses the same address:port pair for
+ ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or
+ ``transfer-source(-v6)``. While this issue affects all operating
+ systems, it only triggers log messages (e.g. "unable to create
+ dispatch for reserved port") on some of them. There are currently no
+ plans to make such a combination of settings work again.
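Review bot: the first item (the ``inline-signing yes;`` requirement after upgrading from 9.16.32 or older) has no :gl: reference, unlike the libuv item; add the issue number so readers can follow the history. The same item says :iscman:`named` "will fail to start" but not what the failure looks like; quoting the configuration error that is logged would let operators recognize it immediately. In the UDP-port item, "There are currently no plans to make such a combination of settings work again" leaves affected operators without an action; follow it with the workaround implied by the description, that is, giving ``notify-source(-v6)`` and ``transfer-source(-v6)`` an address:port pair distinct from any ``listen-on(-v6)`` socket.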