freeipa team mailing list archive
Message #01246
[Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
** Description changed:
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception
defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
-
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see:
https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find
any backwards-incompatible changes. Some features were marked as
deprecated, but are still usable as they were before. Other changes are
related to performance and timeout management, neither of which should
change how bind9 works, but are worth keeping an eye on in case any
regressions arise.
[Test Plan]
- TODO: Check DEP-8 and reverse-depends DEP-8 tests pass
- TODO: if there are any non passing tests - explain why that is ok in this case
- TODO: add results of an autopkgtest run against all the new versions
+ DEP-8 test results:
+
+ simpletest PASS
+ validation FLAKY non-zero exit status 1
+ zonetest PASS
+
+ validation is known to be broken in its current state, both due to a
+ need for internet access and incorrect output checking, so the failure
+ is expected.
[Regression Potential]
Upstream has an extensive build and integration test suite. So
regressions would likely arise from a change in interaction with Ubuntu-
specific integrations.
-
- TODO: consider any other regression potential specific to the version being
- updated and list if any.
** Merge proposal linked:
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451681
** Merge proposal linked:
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451683
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413
Title:
MRE updates of bind9 for focal, jammy and lunar
Status in bind-dyndb-ldap package in Ubuntu:
Fix Released
Status in bind9 package in Ubuntu:
Fix Released
Status in bind-dyndb-ldap source package in Focal:
Triaged
Status in bind9 source package in Focal:
Triaged
Status in bind-dyndb-ldap source package in Jammy:
In Progress
Status in bind9 source package in Jammy:
In Progress
Status in bind-dyndb-ldap source package in Lunar:
In Progress
Status in bind9 source package in Lunar:
In Progress
Bug description:
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception
defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see:
https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to
find any backwards-incompatible changes. Some features were marked as
deprecated, but are still usable as they were before. Other changes
are related to performance and timeout management, neither of which
should change how bind9 works, but are worth keeping an eye on in case
any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
validation is known to be broken in its current state, both due to a
need for internet access and incorrect output checking, so the failure
is expected.
[Regression Potential]
Upstream has an extensive build and integration test suite. So
regressions would likely arise from a change in interaction with
Ubuntu-specific integrations.
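The description notes that the options this update range marks as deprecated (dialup, heartbeat-interval, delegation-only, root-delegation-only) remain usable, which makes a pre-upgrade inventory of where a named.conf still uses them a sensible part of an SRU verification. The following is an added example and is not code from the bug report, from Launchpad, or from the bind9 package: a small Python audit that strips named.conf comments, tokenizes each line, and reports every deprecated option with its line number and value. The option names come from the changelog above; the configuration it scans is constructed for the example, and the function names are the example's own.

```python
"""Pre-upgrade audit of a named.conf for options that BIND 9.18.13-9.18.18
marks as deprecated. Added example; not part of the bug report or of the
bind9 package. SAMPLE_CONF below is constructed."""

import re
from typing import Dict, List, Tuple

# Options the changelog quoted in the bug report marks as deprecated.
DEPRECATED_OPTIONS: Dict[str, str] = {
    "dialup": "deprecated in 9.18.13-9.18.18",
    "heartbeat-interval": "deprecated in 9.18.13-9.18.18",
    "delegation-only": "deprecated in 9.18.13-9.18.18",
    "root-delegation-only": "deprecated in 9.18.13-9.18.18",
}


def strip_comments(text: str) -> str:
    """Blank out named.conf comments (//, #, /* */) while keeping line numbers
    intact. Quoted strings are copied through untouched, so a '#' inside a
    path is not mistaken for a comment start."""
    out: List[str] = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':
            j = text.find('"', i + 1)
            j = n if j == -1 else j + 1
            out.append(text[i:j])
            i = j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            j = n if j == -1 else j + 2
            # Replace every non-newline character so line numbering survives.
            out.append(re.sub(r"[^\n]", " ", text[i:j]))
            i = j
        elif text.startswith("//", i) or ch == "#":
            j = text.find("\n", i)
            j = n if j == -1 else j
            out.append(" " * (j - i))
            i = j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_deprecated(conf: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, option, value) for each deprecated option in use.
    Tokens are compared whole, so 'delegation-only' is not reported inside
    'root-delegation-only', and a quoted zone name such as "dialup.example.test"
    is never reported as the 'dialup' option."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(strip_comments(conf).splitlines(), start=1):
        tokens = re.findall(r'"[^"]*"|[;{}]|[^\s;{}"]+', line)
        for idx, tok in enumerate(tokens):
            if tok in DEPRECATED_OPTIONS:
                value: List[str] = []
                for nxt in tokens[idx + 1:]:
                    if nxt in (";", "{", "}"):
                        break
                    value.append(nxt)
                hits.append((lineno, tok, " ".join(value)))
    return hits


# Constructed configuration exercising comments, quoting and each option.
SAMPLE_CONF = """\
// constructed named.conf fragment for the example
options {
    directory "/var/cache/bind";
    heartbeat-interval 60;
    root-delegation-only exclude { "example.test"; };
    /* dialup yes;  (commented out, must not be reported) */
};
zone "dialup.example.test" {
    type primary;
    file "/etc/bind/db.dialup";
    dialup yes;
};
zone "legacy.example.test" {
    type delegation-only;
};
"""


def audit(conf: str = SAMPLE_CONF) -> List[str]:
    """Format findings one per line, as a pre-upgrade check would print them."""
    return [
        f"line {ln}: '{opt}' ({DEPRECATED_OPTIONS[opt]}) value: {val or '-'}"
        for ln, opt, val in find_deprecated(conf)
    ]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against the real file with `audit(open("/etc/bind/named.conf").read())`; note that it does not follow `include` statements, so each included file has to be passed separately. A hit is not an error on this update, since the options still work, but it is the list of places to revisit before a later release removes them.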
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2028413/+subscriptions