Message ID | 20250826155538.884-1-matthias.fischer@ipfire.org |
---|---|
State | New |
Series | bind: Update to 9.20.12 |
Commit Message
Matthias Fischer
26 Aug 2025, 3:55 p.m. UTC
For details see:

https://downloads.isc.org/isc/bind9/9.20.12/doc/arm/html/notes.html#notes-for-bind-9-20-12

"Notes for BIND 9.20.12
New Features

Support for parsing DSYNC records has been added.

These records are used for discovering the receiver endpoint for DNS
notification messages. For more information, see
draft-ietf-dnsop-generalized-notify-09. [GL #5440]

Feature Changes

Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest
type 1.

RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated by
the IETF and should no longer be used for DNSSEC. DS digest type 1
(SHA1) has also been deprecated in BIND 9. Validators are now expected
to treat these algorithms and digest as unknown, resulting in some
zones being treated as insecure when they were previously treated as
secure. Warnings have been added to named and tools when these
algorithms and this digest are being used for signing.

Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a
different DNSKEY algorithm.

Zones with DS or CDS records with digest type 1 (SHA1) should be
updated to use a different digest type (e.g. SHA256) and the digest
type 1 records should be removed. [GL #5358]

Bug Fixes

Stale RRsets in a CNAME chain were not always refreshed.

Previously, with serve-stale enabled and a CNAME chain that contained a
stale RRset, the refresh query didn’t always properly refresh the stale
RRsets. This has been fixed. [GL #5243]

Add RPZ extended DNS error for zones with a CNAME override policy
configured.

Previously, when the zone was configured with a CNAME override policy,
or the response policy zone contained a wildcard CNAME, the extended
DNS error code was not added. This has been fixed. [GL #5342]

Fix dig issues.

When used with the +keepopen option, dig could terminate unexpectedly
in rare situations. Additionally, dig could hang and fail to shutdown
properly when interrupted during a query. These have been fixed. [GL
#5381]

Log dropped or slipped responses in the query-errors category.

Responses which were dropped or slipped because of Response Rate
Limiting (RRL) were logged in the rate-limit category instead of the
query-errors category, as documented in the ARM. This has been fixed.
[GL #5388]

synth-from-dnssec was not working in some scenarios.

Aggressive use of DNSSEC-Validated cache with NSEC was not working in
scenarios when no parent NSEC was in cache. This has been fixed. [GL
#5422]

Clean enough memory when adding new ADB names/entries under memory
pressure.

The ADB memory cleaning is opportunistic even when BIND is under memory
pressure (in the overmem condition). named now ensures that the
assigned memory limit is not exceeded by releasing twice the amount of
memory allocated for each new ADB name/entry when under memory
pressure. [GL !10637]

Prevent spurious validation failures.

Under rare circumstances, validation could fail if multiple clients
simultaneously iterated the same set of DNSSEC signatures. This has
been fixed. [GL #3014]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
config/rootfiles/common/bind | 11 ++++++-----
lfs/bind | 4 ++--
2 files changed, 8 insertions(+), 7 deletions(-)
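
The "Feature Changes" entry quoted in the commit message asks operators to move zones off RSASHA1, RSASHA1-NSEC3-SHA1 and DS digest type 1. The following is an added example, not part of this patch or of BIND: it scans DNSKEY, CDNSKEY, DS and CDS records in the numeric form that `dig +noall +answer` prints and reports the deprecated values. The numbers 5, 7 and 1 are the IANA registry values for those algorithms and that digest; the function name and sample records are constructed for illustration.

```python
import re

# IANA DNSSEC registry numbers for what the release notes deprecate (not from the page).
DEPRECATED_KEY_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
DEPRECATED_DS_DIGESTS = {1: "SHA-1"}

# Constructed sample in `dig +noall +answer` presentation format (not real data).
SAMPLE = """\
example.org.      3600 IN DNSKEY 257 3 5 AwEAAconstructedKSK=
example.org.      3600 IN DNSKEY 256 3 13 constructedZSKdata==
example.org.      3600 IN DS 4711 13 1 0123456789ABCDEF0123456789ABCDEF01234567
example.org.      3600 IN DS 4711 13 2 AA11BB22CC33DD44AA11BB22CC33DD44AA11BB22CC33DD44AA11BB22CC33DD44
example.org.      3600 IN CDS 4711 13 1 0123456789ABCDEF0123456789ABCDEF01234567
legacy.example.   IN DNSKEY 256 3 7 AwEAAconstructedNSEC3key=
; comment line
example.org.      3600 IN A 192.0.2.1
"""

# owner [numeric ttl] [IN] type rdata; other layouts are assumed not to occur.
RR = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?"
    r"(?P<type>DNSKEY|CDNSKEY|DS|CDS)\s+(?P<rdata>.+)$", re.IGNORECASE)

def audit(text):
    """Return (owner, rrtype, reason) for every deprecated algorithm or digest."""
    findings = []
    for raw in text.splitlines():
        m = RR.match(raw.split(";", 1)[0].strip())
        if not m:
            continue
        rrtype, f = m["type"].upper(), m["rdata"].split()
        if len(f) < 4 or not all(x.isdigit() for x in f[:3]):
            continue  # malformed or mnemonic form; not handled here
        if rrtype in ("DNSKEY", "CDNSKEY"):  # flags, protocol, algorithm, key
            alg, digest = int(f[2]), None
        else:  # DS / CDS: key tag, algorithm, digest type, digest
            alg, digest = int(f[1]), int(f[2])
        if alg in DEPRECATED_KEY_ALGS:
            findings.append((m["owner"], rrtype,
                             f"algorithm {alg} ({DEPRECATED_KEY_ALGS[alg]})"))
        if digest in DEPRECATED_DS_DIGESTS:
            findings.append((m["owner"], rrtype,
                             f"digest type {digest} ({DEPRECATED_DS_DIGESTS[digest]})"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A DS record can be reported twice, once for its key algorithm and once for its digest type, since either is enough for a validator following the new behaviour to treat the delegation as insecure.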
Comments
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>

Hi Matthias,

You got in before me. I have built it but not had the time to submit the patch for it yet. :-)

I will delete it from my build.
diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index fb6220c47..538f4a6dd 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -28,6 +28,7 @@ usr/bin/nsupdate #usr/include/dns/dnstap.h #usr/include/dns/ds.h #usr/include/dns/dsdigest.h +#usr/include/dns/dsync.h #usr/include/dns/dyndb.h #usr/include/dns/ecs.h #usr/include/dns/ede.h @@ -240,18 +241,18 @@ usr/bin/nsupdate #usr/include/ns/types.h #usr/include/ns/update.h #usr/include/ns/xfrout.h -usr/lib/libdns-9.20.11.so +usr/lib/libdns-9.20.12.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libisc-9.20.11.so +usr/lib/libisc-9.20.12.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.20.11.so +usr/lib/libisccc-9.20.12.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.20.11.so +usr/lib/libisccfg-9.20.12.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.20.11.so +usr/lib/libns-9.20.12.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index fa4d73d04..d62846f58 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.20.11 +VER = 9.20.12 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 582e6de2699713e870dfc853f461c78b2d2b505bed0b571f853c94a731be9006783f45a4f897692289c1a9411725eac0b4de3818f1641221e62754316f410081 +$(DL_FILE)_BLAKE2 = f2135301ab04121c1ae82fc9283f0f03b0d11b634aaee49c072bb9a2a0f7e643a8f6c1f3890648e5d008a7d2c84953617b330241e3f856e33b56e64fb0312f0a install : $(TARGET)
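
Review bot: In the second hunk of config/rootfiles/common/bind (@@ -240,18 +241,18), the five shipped libraries change file name from lib*-9.20.11.so to lib*-9.20.12.so, so after an upgrade the 9.20.11 files drop out of the rootfile and anything still linked against the old names will not find them. Nothing in the two files touched here removes the old libraries or rebuilds dependents; please say in the commit message where that is handled, or add it to the series.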
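
Review bot: In the last hunk of lfs/bind, the $(DL_FILE)_BLAKE2 value is replaced, but the commit message does not say how the new digest was obtained. This digest is the only integrity check on bind-9.20.12.tar.xz visible in the patch, so please note in the commit message that the tarball was verified against the upstream release signature before the digest was computed.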