summaryrefslogtreecommitdiffstats
path: root/doc/notes/notes-9.16.4.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/notes/notes-9.16.4.rst')
-rw-r--r--doc/notes/notes-9.16.4.rst120
1 files changed, 120 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst
new file mode 100644
index 0000000..6dd03f6
--- /dev/null
+++ b/doc/notes/notes-9.16.4.rst
@@ -0,0 +1,120 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.4
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- It was possible to trigger an assertion when attempting to fill an
+ oversized TCP buffer. This was disclosed in CVE-2020-8618.
+ :gl:`#1850`
+
+- It was possible to trigger an INSIST failure when a zone with an
+ interior wildcard label was queried in a certain pattern. This was
+ disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
+
+New Features
+~~~~~~~~~~~~
+
+- Documentation was converted from DocBook to reStructuredText. The
+ BIND 9 ARM is now generated using Sphinx and published on `Read the
+ Docs`_. Release notes are no longer available as a separate document
+ accompanying a release. :gl:`#83`
+
+- ``named`` and ``named-checkzone`` now reject master zones that have a
+ DS RRset at the zone apex. Attempts to add DS records at the zone
+ apex via UPDATE will be logged but otherwise ignored. DS records
+ belong in the parent zone, not at the zone apex. :gl:`#1798`
+
+- ``dig`` and other tools can now print the Extended DNS Error (EDE)
+ option when it appears in a request or a response. :gl:`#1835`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The default value of ``max-stale-ttl`` has changed from 1 week to 12
+ hours. This option controls how long ``named`` retains expired RRsets
+ in cache as a potential mitigation mechanism, should there be a
+ problem with one or more domains. Note that cache content retention
+ is independent of whether stale answers are used in response to
+ client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale
+ on|off``). Serving of stale answers when the authoritative servers
+ are not responding must be explicitly enabled, whereas the retention
+ of expired cache content takes place automatically on all versions of
+ BIND 9 that have this feature available. :gl:`#1877`
+
+ .. warning::
+ This change may be significant for administrators who expect that
+ stale cache content will be automatically retained for up to 1
+ week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep
+ the previous behavior of ``named``.
+
+- ``listen-on-v6 { any; }`` creates a separate socket for each
+ interface. Previously, just one socket was created on systems
+ conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
+ in BIND 9.16.0, but it was accidentally omitted from documentation.
+ :gl:`#1782`
+
+Bug Fixes
+~~~~~~~~~
+
+- When fully updating the NSEC3 chain for a large zone via IXFR, a
+ temporary loss of performance could be experienced on the secondary
+ server when answering queries for nonexistent data that required
+ DNSSEC proof of non-existence (in other words, queries that required
+ the server to find and to return NSEC3 data). The unnecessary
+ processing step that was causing this delay has now been removed.
+ :gl:`#1834`
+
+- ``named`` could crash with an assertion failure if the name of a
+ database node was looked up while the database was being modified.
+ :gl:`#1857`
+
+- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
+ :gl:`#1859`
+
+- Previously, ``named`` did not destroy some mutexes and conditional
+ variables in netmgr code, which caused a memory leak on FreeBSD. This
+ has been fixed. :gl:`#1893`
+
+- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
+ to an assertion failure was fixed. :gl:`#1808`
+
+- Previously, ``provide-ixfr no;`` failed to return up-to-date
+ responses when the serial number was greater than or equal to the
+ current serial number. :gl:`#1714`
+
+- A bug in dnssec-policy keymgr was fixed, where the check for the
+ existence of a given key's successor would incorrectly return
+ ``true`` if any other key in the keyring had a successor. :gl:`#1845`
+
+- With dnssec-policy, when creating a successor key, the "goal" state
+ of the current active key (the predecessor) was not changed and thus
+ never removed from the zone. :gl:`#1846`
+
+- ``named-checkconf -p`` could include spurious text in
+ ``server-addresses`` statements due to an uninitialized DSCP value.
+ This has been fixed. :gl:`#1812`
+
+- The ARM has been updated to indicate that the TSIG session key is
+ generated when named starts, regardless of whether it is needed.
+ :gl:`#1842`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting
+ this BIND 9 branch.
+
+.. _Read the Docs: https://bind9.readthedocs.io/
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-12 06:37:27 +0000