Ok, here’s me adding little bit more of detail to the issue:
0. I am the Director of DNS Engineering at ISC - so I am as close to the upstream as one can be.
1. The most churn came from removing the upstream patches that fixed the XFR timeouts. There was a bug when the TCP timeouts were not applied correctly and `named` would drop the long transactions after the initial timeout. I pulled the patches into the previous release directly from our git (after they had been reviewed and merged) and dropped them in this release.
2. The other churn came from the NSEC3-iteration patches that again have been reviewed in the upstream and merged to the respective branches before I pulled them into the Debian package.
3. Since this BIND 9 release was a security release, the upstream (ISC) made sure that only a minimal required set of changes would be included in this current upstream stable release. The only non-security related stuff were fixed in the DNSSEC KASP processing, a memory leak and fixes to the journal upgrade processing[a].
a. As a matter of fact, we found just another edge condition here which might cause IXFR to drop to AXFR when more than one journal transaction would be used. But that will have to be fixed separately later, as we (upstream) seem to struggle with fixing all the weird edge conditions, so I want to be 100% sure we got everything.
There’s another set of patches that I think we should pull into stable BIND 9 when the dust settles. The BIND 9.16 recursive performance is really bad due to the contention between new network threads and task threads. The code has just landed in our upstream 9.16 branch, so I’ll give it some time before requesting the SRU, but I think it would be for benefit of all the users that use BIND 9 as recursors.
Ondrej
--
Ondřej Surý (He/Him)
ondrej@sury.orgOn 14. 5. 2021, at 9:15, Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi Ondrej,
On Fri, May 07, 2021 at 07:40:31AM +0200, Paul Gevers wrote:
Hi Ondřej,
On 06-05-2021 22:41, Ondřej Surý wrote:
Hi Salvatore,
thanks for following up. I will try to follow up tomorrow. Basically,
the difference between the debian versions are because I pulled some
extra upstream patches into the previous version and now I dropped them
and pulled another set for the NSEC3 iterations issue.
With my upstream hat, the 9.16 is stable release and we pull only
important stuff into it. I am not asking for a long term exception as we
have with PHP, but I am asking for an exception now.
While I could pull all the important upstream changes to the “old”
release, it would be a charade as most of the stuff needs to be picked
up anyway.
These comments helped:
- Ondřej is upstream author too
- delta is partially in patches that are in the new version upstream
- 9.16 stable release with "only important stuff"
For future reference, the release team also has a non-public list:
team@release.debian.org. It better to not bet on one horse.
I've unblocked bind9 and aged it. I'd still appreciate the follow-up in
the unblock request for the outside world (whatever you deem you can put
into it) such that I can close it.
Thanks Paul for the unlbock.
Friendly ping :). Sorry I d not want to be annoying, but guess Paul
still would appreciate a followup to the public bug, OTOH I unerstand
we do not wat to raise too much awareness on the issues you pointed
out above.
So be assured, this will the last ping from my side on this regard.
Regards,
Salvatore