Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]

This is a regular update of the BIND 9 package following upstream releases. This one is slightly more useful for the end users as the upstream release has significantly reduced the memory usage under normal conditions.

[ Impact ]

Users will be running an older BIND 9 release with much higher memory requirements.

The chart for the memory differences between 9.16.22 and 9.16.25:

* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244428/artifacts/file/resmon.memory.current-docker.png

The memory usage is roughly halved. It ends with 2.10GB for 9.16.22 and 1.15GB for 9.16.25 for the same recursive workload.

The chart for the recursive performance between 9.16.22 and 9.16.25:

* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244428/artifacts/file/_allruns-latency-since_0-until_300.png

[ Tests ]

Upstream has an extensive unit and system test suite. I relaunched the pipeline for the v9_16_25 tag for the purposes of this request:

https://gitlab.isc.org/isc-projects/bind9/-/pipelines/93327

The test results for Debian Bullseye:

64-bit build
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244364
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244386

32-bit cross-compile
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244387
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244365

[ Risks ]

There are the usual risks associated with the upstream version bump, but given the limited amount of changes between the patch releases, the extensive test suite, and user-testing from people running BIND 9 from the ISC repositories, the real risks are perceived as low.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

[[ Debian ]]

The single packaging change was the removal of the patch that fixed sphinx-build, as the issue has been fixed directly upstream.

[[ Upstream ]]

[[[ 9.16.23 ]]]

5752. [bug] Fix an assertion failure caused by missing member zones
      during a reload of a catalog zone. [GL #2308]

5750. [bug] Fix a bug when comparing two RSA keys. There was a typo
      which caused the "p" prime factors to not being compared.
      [GL #2972]

5737. [bug] Address Coverity warning in lib/dns/dnssec.c. [GL #2935]

[[[ 9.16.24 ]]]

5773. [func] Change the message when accepting TCP connection has
      failed to say "Accepting TCP connection failed" and change the
      log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA and
      ISC_R_SOFTQUOTA results codes from ERROR to INFO. [GL #2700]

5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]

5764. [bug] dns_sdlz_putrr failed to process some valid resource
      records. [GL #3021]

5762. [bug] Fix a "named" crash related to removing and restoring a
      `catalog-zone` entry in the configuration file and running
      `rndc reconfig`. [GL #1608]

5758. [bug] mdig now honors the operating system's preferred
      ephemeral port range. [GL #2374]

5757. [test] Replace sed in nsupdate system test with awk to
      construct the nsupdate command. The sed expression was not
      reliably changing the ttl. [GL #3003]

[[[ 9.16.25 ]]]

5790. [bug] Enforce enqueuing TCP resumeread to prevent the next read
      callback from being executed before the current read callback
      has finished, and the worker receive buffer has been marked as
      "freed". [GL #3079]

5789. [bug] Allow replacing expired zone signatures with signatures
      created by the KSK. [GL #3049]

5788. [bug] An assertion could occur if a catalog zone event was
      scheduled while the task manager was being shut down.
      [GL #3074]

5787. [doc] Update 'auto-dnssec' documentation, it may only be
      activated at zone level. [GL #3023]

5786. [bug] Defer detaching from zone->raw in zone_shutdown() if the
      zone is in the process of being dumped to disk, to ensure that
      the unsigned serial number information is always written in
      the raw-format header of the signed version on an
      inline-signed zone. [GL #3071]

5785. [bug] named could leak memory when two dnssec-policy clauses
      had the same name. named failed to log this error. [GL #3085]

5776. [bug] Add a missing isc_condition_destroy() for nmsocket
      condition variable and add missing isc_mutex_destroy() for
      nmworker lock. [GL #3051]

5676. [func] Memory use in named was excessive. This has been
      addressed by:
      - Replacing locked memory pools with normal memory
        allocations.
      - Reducing the number of retained free items in unlocked
        memory pools.
      - Disabling the internal allocator by default.
        "named -M internal" turns it back on.
      [GL #2398]

[ Other info ]

The debdiff is quite massive as there was one internal change - instead of using the custom copyright handling, BIND 9 switched to the REUSE specification, adding SPDX headers and .reuse/dep5 to cover the binary files.

Again, for posterity, I am wearing both upstream and Debian hats for BIND 9.

Cheers,
Ondrej
Attachment:
bind9_9.16.25-1~deb11u1.debdiff.xz
Description: application/xz