Date: Tue, 26 Aug 2025 19:48:05 +0200
Subject: Re: [PATCH] bind: Update to 9.20.12
To: Matthias Fischer
References: <20250826155538.884-1-matthias.fischer@ipfire.org>
Cc: "IPFire: Development-List"
From: Adolf Belka
In-Reply-To: <20250826155538.884-1-matthias.fischer@ipfire.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Reviewed-by: Adolf Belka

Hi Matthias,

You got in before me. I have built it but not had the time to submit the patch for it yet. :-)

I will delete it from my build.

On 26/08/2025 17:55, Matthias Fischer wrote:
> For details see:
>
> https://downloads.isc.org/isc/bind9/9.20.12/doc/arm/html/notes.html#notes-for-bind-9-20-12
>
> "Notes for BIND 9.20.12
> New Features
>
> Support for parsing DSYNC records has been added.
>
> These records are used for discovering the receiver endpoint for DNS
> notification messages. For more information, see
> draft-ietf-dnsop-generalized-notify-09. [GL #5440]
>
> Feature Changes
>
> Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest
> type 1.
>
> RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated by
> the IETF and should no longer be used for DNSSEC. DS digest type 1
> (SHA1) has also been deprecated in BIND 9. Validators are now expected
> to treat these algorithms and digest as unknown, resulting in some
> zones being treated as insecure when they were previously treated as
> secure. Warnings have been added to named and tools when these
> algorithms and this digest are being used for signing.
>
> Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a
> different DNSKEY algorithm.
>
> Zones with DS or CDS records with digest type 1 (SHA1) should be
> updated to use a different digest type (e.g. SHA256) and the digest
> type 1 records should be removed. [GL #5358]
>
> Bug Fixes
>
> Stale RRsets in a CNAME chain were not always refreshed.
>
> Previously, with serve-stale enabled and a CNAME chain that contained a
> stale RRset, the refresh query didn’t always properly refresh the stale
> RRsets. This has been fixed. [GL #5243]
>
> Add RPZ extended DNS error for zones with a CNAME override policy
> configured.
>
> Previously, when the zone was configured with a CNAME override policy,
> or the response policy zone contained a wildcard CNAME, the extended
> DNS error code was not added. This has been fixed. [GL #5342]
>
> Fix dig issues.
>
> When used with the +keepopen option, dig could terminate unexpectedly
> in rare situations. Additionally, dig could hang and fail to shutdown
> properly when interrupted during a query. These have been fixed. [GL
> #5381]
>
> Log dropped or slipped responses in the query-errors category.
>
> Responses which were dropped or slipped because of Response Rate
> Limiting (RRL) were logged in the rate-limit category instead of the
> query-errors category, as documented in the ARM. This has been fixed.
> [GL #5388]
>
> synth-from-dnssec was not working in some scenarios.
>
> Aggressive use of DNSSEC-Validated cache with NSEC was not working in
> scenarios when no parent NSEC was in cache. This has been fixed. [GL
> #5422]
>
> Clean enough memory when adding new ADB names/entries under memory
> pressure.
>
> The ADB memory cleaning is opportunistic even when BIND is under memory
> pressure (in the overmem condition). named now ensures that the
> assigned memory limit is not exceeded by releasing twice the amount of
> memory allocated for each new ADB name/entry when under memory
> pressure. [GL !10637]
>
> Prevent spurious validation failures.
>
> Under rare circumstances, validation could fail if multiple clients
> simultaneously iterated the same set of DNSSEC signatures. This has
> been fixed. [GL #3014]"
>
> Signed-off-by: Matthias Fischer
> --- > config/rootfiles/common/bind | 11 ++++++----- > lfs/bind | 4 ++-- > 2 files changed, 8 insertions(+), 7 deletions(-) > > diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind > index fb6220c47..538f4a6dd 100644 > --- a/config/rootfiles/common/bind > +++ b/config/rootfiles/common/bind 
> @@ -28,6 +28,7 @@ usr/bin/nsupdate > #usr/include/dns/dnstap.h > #usr/include/dns/ds.h > #usr/include/dns/dsdigest.h > +#usr/include/dns/dsync.h > #usr/include/dns/dyndb.h > #usr/include/dns/ecs.h > #usr/include/dns/ede.h > @@ -240,18 +241,18 @@ usr/bin/nsupdate > #usr/include/ns/types.h > #usr/include/ns/update.h > #usr/include/ns/xfrout.h > -usr/lib/libdns-9.20.11.so > +usr/lib/libdns-9.20.12.so > #usr/lib/libdns.la > #usr/lib/libdns.so > -usr/lib/libisc-9.20.11.so > +usr/lib/libisc-9.20.12.so > #usr/lib/libisc.la > #usr/lib/libisc.so > -usr/lib/libisccc-9.20.11.so > +usr/lib/libisccc-9.20.12.so > #usr/lib/libisccc.la > #usr/lib/libisccc.so > -usr/lib/libisccfg-9.20.11.so > +usr/lib/libisccfg-9.20.12.so > #usr/lib/libisccfg.la > #usr/lib/libisccfg.so > -usr/lib/libns-9.20.11.so > +usr/lib/libns-9.20.12.so > #usr/lib/libns.la > #usr/lib/libns.so > diff --git a/lfs/bind b/lfs/bind > index fa4d73d04..d62846f58 100644 > --- a/lfs/bind > +++ b/lfs/bind > @@ -25,7 +25,7 @@ > > include Config > > -VER = 9.20.11 > +VER = 9.20.12 > > THISAPP = bind-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = 582e6de2699713e870dfc853f461c78b2d2b505bed0b571f853c94a731be9006783f45a4f897692289c1a9411725eac0b4de3818f1641221e62754316f410081 > +$(DL_FILE)_BLAKE2 = f2135301ab04121c1ae82fc9283f0f03b0d11b634aaee49c072bb9a2a0f7e643a8f6c1f3890648e5d008a7d2c84953617b330241e3f856e33b56e64fb0312f0a > > install : $(TARGET) >
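
Review bot: In the second config/rootfiles/common/bind hunk all five shipped libraries change filename (libdns, libisc, libisccc, libisccfg and libns go from -9.20.11.so to -9.20.12.so), but nothing in the patch says what happens to the 9.20.11 files or to anything else linked against those names. Add a line to the commit message stating whether the old libraries have to be removed on upgrade and whether any other package links to them and needs a rebuild.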
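
Review bot: The VER bump to 9.20.12 in the first lfs/bind hunk brings in a validation behaviour change that the commit message only carries inside the quoted upstream notes: RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1 are now to be treated as unknown, so some zones move from secure to insecure. Give that its own line above the quoted notes so it is picked up for the release announcement.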
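
Review bot: The new $(DL_FILE)_BLAKE2 value in the last lfs/bind hunk is the only integrity check on the tarball visible in this patch, and the commit message does not say what the digest was computed from. State in the commit message that the downloaded bind-9.20.12.tar.xz was verified against the upstream signature before the digest was taken.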
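
An added example, not part of the original mail or of IPFire or BIND: one way to find records affected by the RSASHA1 and DS digest type 1 deprecation quoted above. It assumes one record per line in presentation format; the function name and the sample records are constructed for illustration.

```python
import re

# IANA DNSSEC algorithm numbers for the two deprecated algorithms,
# labelled with the names used in the quoted release notes.
DEPRECATED_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3SHA1"}
SHA1_DIGEST_TYPE = 1  # DS/CDS digest type 1 = SHA-1

# Assumption: one record per line in presentation format (zone file or
# `dig +noall +answer` output), without multi-line parentheses.
RR = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?"
    r"(?P<type>DNSKEY|CDNSKEY|DS|CDS)\s+(?P<rdata>.+)$",
    re.IGNORECASE,
)


def find_deprecated(lines):
    """Return (owner, rrtype, reason) for every record that needs migrating."""
    findings = []
    for raw in lines:
        m = RR.match(raw.split(";", 1)[0].strip())  # drop zone-file comments
        if not m:
            continue
        fields = m["rdata"].split()
        if len(fields) < 4 or not all(f.isdigit() for f in fields[:3]):
            continue  # malformed RDATA: skip rather than guess
        rrtype = m["type"].upper()
        _, second, third = (int(f) for f in fields[:3])
        # DNSKEY RDATA: flags protocol algorithm key
        # DS RDATA:     keytag algorithm digest-type digest
        alg = third if rrtype.endswith("DNSKEY") else second
        if alg in DEPRECATED_ALGS:
            reason = f"algorithm {alg} ({DEPRECATED_ALGS[alg]})"
            findings.append((m["owner"], rrtype, reason))
        if rrtype in ("DS", "CDS") and third == SHA1_DIGEST_TYPE:
            findings.append((m["owner"], rrtype, "digest type 1 (SHA1)"))
    return findings


# Constructed sample records (keys and digests are placeholders, not real data).
SAMPLE = """\
old.example.   3600 IN DNSKEY 257 3 5 AwEAAcPLACEHOLDER=
old.example.   3600 IN DS 12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567
new.example.   3600 IN DNSKEY 257 3 13 PLACEHOLDERKEY==
new.example.   3600 IN DS 54321 13 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
nsec3.example. IN CDS 2222 7 2 FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100
""".splitlines()

if __name__ == "__main__":
    for owner, rrtype, reason in find_deprecated(SAMPLE):
        print(f"{owner} {rrtype}: {reason}")
```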