[ubuntu/plucky-proposed] bind9 1:9.20.11-0ubuntu0.1 (Accepted)

Lena Voytek lena.voytek at canonical.com
Fri Aug 29 12:20:40 UTC 2025


bind9 (1:9.20.11-0ubuntu0.1) plucky; urgency=medium

  * New upstream release 9.20.11 (LP: #2112520)
    - Features:
      + Add support for the CO flag to dig.
      + Implement a new notify-defer configuration option.
      + Add support for EDE 20 (Not Authoritative).
      + Add support for EDE 7 and EDE 8.
      + Add support for displaying and receiving BADVERS to dig.
      + Add an rndc command to reset some statistics counters.
      + Implement the min-transfer-rate-in configuration option.
      + Add HTTPS record query to host command line tool.
      + Implement sig0key-checks-limit and sig0message-checks-limit.
      + Add support for EDE code 1 and 2.
      + Add an rndc command to toggle jemalloc profiling.
      + Add support for multiple extended DNS errors.
      + Add Extended DNS Error Code 22 - No Reachable Authority.
      + Add a new option to configure the maximum number of outgoing queries
        per client request.
    - Updates:
      + Implement the systemd notification protocol manually to remove
        dependency on libsystemd.
      + Return DNS COOKIE and NSID with BADVERS.
      + Print the expiration time of stale records.
      + Use the Server Name Indication (SNI) extension for all outgoing TLS
        connections.
      + Revert performance optimization for NSEC3 lookups introduced in BIND
        9.20.2 to avoid risks associated with a complex code change.
      + Rename parental-agents and primaries to remote-servers internally.
      + Add none parameter to query-source and query-source-v6 to disable IPv4
        or IPv6 upstream queries but allow listening to queries from clients on
        IPv4 or IPv6.
    - Bug Fixes:
      + Correct the default interface-interval from 60s to 60m.
      + Fix a purge-keys bug when using multiple views of a zone.
      + Fix zone refresh after deletion.
      + Fix failure to refresh when named reconfigured during SOA request step.
      + Fix EDNS YAML output in dig.
      + Fix RDATA checks for PRIVATEOID keys.
      + Fix a serve-stale issue with a delegated zone.
      + Stop caching lack of EDNS support.
      + Fix resolver statistics counters for timed-out responses.
      + Fix nested DNS validation assertion failure.
      + Wait for memory reclamation to finish in named-checkconf.
      + Ensure max-clients-per-query is at least clients-per-query.
      + Fix write after free in validator code.
      + Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
      + Fix DNSSEC timing issues.
      + Fix inconsistency in CNAME/DNAME handling during resolution.
      + Fix dual-stack-servers configuration option.
      + Fix a data race causing a permanent active client increase.
      + Fix deferred validation of unsigned DS and DNSKEY records.
      + Fix RPZ race condition during a reconfiguration.
      + Fix “CNAME and other data check” not being applied to all types.
      + Relax private DNSKEY and RRSIG constraints.
      + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
      + Fix TTL issue with ANY queries processed through RPZ “passthru”.
      + Check for a NULL key in dnssec-signzone when setting offline.
      + Fix a bug in the statistics channel when querying zone transfer
        information.
      + Fix assertion failure when dumping recursing clients.
      + Dump the active resolver fetches from dns_resolver_dumpfetches().
      + Fix recently expired records sending timestamps in the future.
      + Fix YAML string not terminated in negative response in delv.
      + Fix a bug in dnssec-signzone related to keys being offline.
      + Apply the memory limit only to ADB database items.
      + Avoid unnecessary locking in the zone/cache database.
      + Fix nsupdate hang when processing a large update.
      + Fix possible assertion failure when reloading server while processing
        update policy rules.
      + Preserve cache across reconfig when using attach-cache.
      + Resolve the spurious drops in performance due to glue cache.
      + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
      + Fix improper handling of unknown directives in resolv.conf.
      + Fix response policy zones and catalog zones with an $INCLUDE statement
        defined.
    - See https://bind9.readthedocs.io/en/v9.20.11/notes.html for additional
      information.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-40775.patch
      [Fixed in 9.20.9]
    - d/p/CVE-2025-40777.patch
      [Fixed in 9.20.11]
    - d/p/0003-Revert-Fix-the-glue-table-in-the-QP-and-RBT-zone-dat.patch
    - d/p/0004-Rewrite-the-GLUE-cache-in-QP-zone-database.patch
      [Fixed in 9.20.5]
  * d/bind9.postinst: Perform config check in postinst. (LP: #1492212)
  * d/README.Debian: Update to properly describe the new version.
  * d/control: Switch from pkg-config to pkgconf dependency.

Date: Mon, 28 Jul 2025 09:40:43 -0400
Changed-By: Lena Voytek <lena.voytek at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-0ubuntu0.1
-------------- next part --------------
Format: 1.8
Date: Mon, 28 Jul 2025 09:40:43 -0400
Source: bind9
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.20.11-0ubuntu0.1
Distribution: plucky
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Lena Voytek <lena.voytek at canonical.com>
Launchpad-Bugs-Fixed: 1492212 2112520
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>
Vcs-Git: https://git.launchpad.net/~lvoytek/ubuntu/+source/bind9
Vcs-Git-Commit: c27d7836032620a12323e6deeb7d6edf485a5cfc
Vcs-Git-Ref: refs/heads/backport-9.20.11-plucky

