.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

BIND 9.20.12
------------

New Features
~~~~~~~~~~~~

- Support for parsing the DSYNC record has been added. ``f440fe712d``

  :gl:`#5440` :gl:`!10820`

Feature Changes
~~~~~~~~~~~~~~~

- Adaptive memory allocation strategy for qp-tries. ``9a046cbed5``

  qp-tries allocate their nodes (twigs) in chunks to reduce allocator
  pressure and improve memory locality. The choice of chunk size
  presents a tradeoff: larger chunks benefit qp-tries with many values
  (as seen in large zones and resolvers) but waste memory in smaller use
  cases.

  Previously, our fixed chunk size of 2^10 twigs meant that even an
  empty qp-trie would consume 12KB of memory, while reducing this size
  would negatively impact resolver performance.

  This MR implements an adaptive chunking strategy that tracks the size
  of the most recently allocated chunk and doubles the chunk size for
  each new allocation until reaching a predefined maximum.

  This approach effectively balances memory efficiency for small tries
  while maintaining the performance benefits of larger chunk sizes for
  bigger data structures. :gl:`#5445` :gl:`!10804`

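As an added illustration (not code from BIND or from this MR), the following Python models the old fixed-size chunking against the doubling policy described above and reports the memory reserved but unused for a given number of twigs. The 12 bytes per twig follow from the "2^10 twigs is 12KB" figure in the entry; the initial adaptive chunk of 16 twigs and the 2^10 cap are assumptions.

```python
# Added example: models the chunk-allocation policies described in the entry.
# 2^10 twigs consuming 12 KB (as stated above) gives 12 bytes per twig.
TWIG_BYTES = 12
FIXED_CHUNK = 1 << 10      # previous fixed chunk size, in twigs
FIRST_CHUNK = 16           # assumed initial chunk size for the adaptive policy
MAX_CHUNK = FIXED_CHUNK    # assumed cap for the adaptive policy


def fixed_allocation(n_twigs, chunk=FIXED_CHUNK):
    """Chunks reserved under the old policy: whole chunks of one fixed size,
    with at least one chunk owned even by an empty trie."""
    chunks = max(1, -(-n_twigs // chunk))   # ceiling division
    return [chunk] * chunks


def adaptive_allocation(n_twigs, first=FIRST_CHUNK, maximum=MAX_CHUNK):
    """Chunks reserved under the adaptive policy: each new chunk doubles the
    most recently allocated one until the cap is reached."""
    chunks = []
    size = first
    while not chunks or sum(chunks) < n_twigs:
        chunks.append(size)
        size = min(size * 2, maximum)
    return chunks


def overhead_bytes(chunks, n_twigs):
    """Memory reserved but not holding a twig, in bytes."""
    return (sum(chunks) - n_twigs) * TWIG_BYTES


def compare(n_twigs):
    """Return (fixed overhead, adaptive overhead, adaptive chunk count)."""
    fixed = fixed_allocation(n_twigs)
    adaptive = adaptive_allocation(n_twigs)
    return (overhead_bytes(fixed, n_twigs),
            overhead_bytes(adaptive, n_twigs),
            len(adaptive))


if __name__ == "__main__":
    for n in (0, 100, 5000, 1_000_000):
        print(f"{n:>8} twigs: fixed/adaptive/chunks = {compare(n)}")
```

For an empty trie the fixed policy reserves 12288 bytes while the adaptive one reserves 192; for 5000 twigs the two are close, which is the tradeoff the entry describes.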
- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3-SHA1 and DS digest
  type 1. ``5aefaa4b97``

  The RSASHA1 and RSASHA1-NSEC3-SHA1 DNSKEY algorithms have been deprecated
  by the IETF and should no longer be used for DNSSEC. DS digest type 1
  (SHA1) has also been deprecated. Validators are now expected to treat
  these algorithms and this digest type as unknown, resulting in some
  zones being treated as insecure when they were previously treated as
  secure. Warnings have been added to named and tools when these
  algorithms and this digest type are being used for signing.

  Zones signed with RSASHA1 or RSASHA1-NSEC3-SHA1 should be migrated to a
  different DNSKEY algorithm.

  Zones with DS or CDS records with digest type 1 (SHA1) should be
  updated to use a different digest type (e.g. SHA256) and the digest
  type 1 records should be removed.

  Related to #5358 :gl:`!10738`

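Added here as an example (not part of these release notes or of BIND): a small Python checker that reads records in presentation format and flags DNSKEY/CDNSKEY records using algorithm 5 (RSASHA1) or 7 (RSASHA1-NSEC3-SHA1) and DS/CDS records using digest type 1, so an operator can find what needs migrating before validators start treating it as insecure. The sample zone data is constructed, with dummy key and digest values.

```python
# Added example: flags the deprecated DNSKEY algorithms (IANA numbers 5 and 7)
# and DS/CDS digest type 1 described in the entry above.
DEPRECATED_DNSKEY_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
DEPRECATED_DS_DIGESTS = {1: "SHA-1"}


def parse_record(line):
    """Split 'owner [ttl] [class] TYPE rdata...' into (owner, TYPE, rdata)."""
    fields = line.split(";")[0].split()      # drop trailing comments
    if len(fields) < 2:
        return None
    owner, rest = fields[0], fields[1:]
    if rest[0].isdigit():                    # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
        rest = rest[1:]
    if len(rest) < 4:                        # TYPE plus at least three rdata fields
        return None
    return owner, rest[0].upper(), rest[1:]


def check_record(line):
    """Return a warning string for a deprecated algorithm/digest, else None."""
    parsed = parse_record(line)
    if parsed is None:
        return None
    owner, rtype, rdata = parsed
    if rtype in ("DNSKEY", "CDNSKEY"):
        alg = int(rdata[2])                  # rdata: flags protocol algorithm key
        if alg in DEPRECATED_DNSKEY_ALGS:
            return f"{owner} {rtype}: deprecated algorithm {alg} ({DEPRECATED_DNSKEY_ALGS[alg]})"
    elif rtype in ("DS", "CDS"):
        digest = int(rdata[2])               # rdata: keytag algorithm digesttype digest
        if digest in DEPRECATED_DS_DIGESTS:
            return f"{owner} {rtype}: deprecated digest type {digest} ({DEPRECATED_DS_DIGESTS[digest]})"
    return None


def scan_zone(text):
    """Return warnings for every record in a zone file's text."""
    return [w for w in map(check_record, text.splitlines()) if w]


# Constructed sample with dummy key and digest values, not a real zone.
SAMPLE_ZONE = """\
example.test.       3600 IN DNSKEY 257 3 7  AwEAAdummyKSK==
example.test.       3600 IN DNSKEY 256 3 13 AwEAAdummyZSK==
child.example.test. 3600 IN DS  12345 13 1 0123456789abcdef0123456789abcdef01234567
child.example.test. 3600 IN DS  12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
child.example.test. 3600 IN CDS 12345 13 1 0123456789abcdef0123456789abcdef01234567
"""
```

Running ``scan_zone(SAMPLE_ZONE)`` reports the algorithm-7 KSK and the two digest-type-1 records; the algorithm-13 key and the SHA-256 DS pass.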
Bug Fixes
~~~~~~~~~

- Stale RRsets in a CNAME chain were not always refreshed.
  ``ed37c7825e``

  With serve-stale enabled, when a CNAME chain contained a stale RRset,
  the refresh query did not always properly refresh the stale RRsets.
  This has been fixed. :gl:`#5243` :gl:`!10767`

- Add RPZ extended DNS error for zones with a CNAME override policy
  configured. ``39ad2016c1``

  When the zone is configured with a CNAME override policy, or the
  response policy zone contains a wildcard CNAME, the extended DNS error
  code was not added. This has been fixed. :gl:`#5342` :gl:`!10819`

- Fix a possible crash when adding a zone while recursing.
  ``7a3ec8dd94``

  A query for a zone that was not yet loaded may yield an unexpected
  result such as a CNAME or DNAME, triggering an assertion failure. This
  has been fixed. :gl:`#5357` :gl:`!10718`

- Fix dig issues. ``8c50819aa8``

  When used with the ``+keepopen`` option with a TCP connection,
  iscman:`dig` could terminate unexpectedly in rare situations.
  Additionally, iscman:`dig` could hang and fail to shut down properly
  when interrupted during a query. These have been fixed. :gl:`#5381`
  :gl:`!10727`

- Log dropped or slipped responses in the query-errors category.
  ``47470b586d``

  Responses which were dropped or slipped because of RRL (Response Rate
  Limiting) were logged in the ``rate-limit`` category instead of the
  ``query-errors`` category, as documented in the ARM. This has been
  fixed. :gl:`#5388` :gl:`!10725`

- Separate out adbname type flags. ``fc689c6525``

  There are three adbname flags that are used to identify different
  types of adbname lookups when hashing, rather than using multiple hash
  tables. These have been moved into their own structure element, as
  they need to be readable without locking the adbname structure.
  :gl:`#5404` :gl:`!10695`

- Synth-from-dnssec was not working in some scenarios. ``bc54f059e0``

  Aggressive use of DNSSEC-validated cache with NSEC was not working in
  scenarios where the parent NSEC was not in cache. This has been fixed.
  :gl:`#5422` :gl:`!10754`

- Clean enough memory when adding new ADB names/entries under memory
  pressure. ``b7e7923daa``

  The ADB memory cleaning was opportunistic even when under memory
  pressure (in the overmem condition). The opportunistic LRU cleaning
  and the overmem cleaning have been split, and the overmem cleaning now
  always cleans up double the size of the newly allocated
  adbname/adbentry, to ensure we never allocate more memory than the
  assigned limit. :gl:`!10707`

- Prevent spurious validation failures. ``3b98c7cc9d``

  Under rare circumstances, validation could fail if multiple clients
  simultaneously iterated the same set of signatures.

  References #3014 :gl:`!10815`

- Rename variable called 'free' to prevent the clash with free().
  ``7f25d92c5d``

  :gl:`!10757`