Bug#1004123: bullseye-pu: package bind9/1:9.16.25-1~deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

[ Reason ]

This is a regular update of the BIND 9 package following upstream
releases.  This one is slightly more useful for the end users
as the upstream release has significantly reduced the memory
usage under normal conditions.

[ Impact ]

Users will be running an older BIND 9 release with much higher memory
requirements.

The chart for the memory differences between 9.16.22 and 9.16.25:

* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244428/artifacts/file/resmon.memory.current-docker.png

The memory usage is roughly halved.  It ends with 2.10GB for 9.16.22
and 1.15GB for 9.16.25 for the same recursive workload.

The chart for the recursive performance between 9.16.22 and 9.16.25:

* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244428/artifacts/file/_allruns-latency-since_0-until_300.png

[ Tests ]

Upstream has an extensive unit and system test suite.  I relaunched
the pipeline for the v9_16_25 tag for the purposes of this request:

https://gitlab.isc.org/isc-projects/bind9/-/pipelines/93327

The test results for Debian Bullseye:

64-bit build
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244364
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244386

32-bit cross-compile
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244387
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2244365

[ Risks ]

There are the usual risks associated with the upstream version bump, but
given the limited amount of changes between the patch releases, the
extensive test suite, and user-testing from people running BIND 9
from the ISC repositories, the real risks are perceived as low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

[[ Debian ]]

The single packaging change was the removal of the patch that fixed
sphinx-build, as the issue has been fixed directly upstream.

[[ Upstream ]]

[[[ 9.16.23 ]]]

5752.   [bug]           Fix an assertion failure caused by missing member zones
                        during a reload of a catalog zone. [GL #2308]

5750.   [bug]           Fix a bug when comparing two RSA keys. There was a typo
                        which caused the "p" prime factors to not being
                        compared. [GL #2972]

5737.   [bug]           Address Coverity warning in lib/dns/dnssec.c.
                        [GL #2935]


[[[ 9.16.24 ]]]

5773.   [func]          Change the message when accepting TCP connection has
                        failed to say "Accepting TCP connection failed" and
                        change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
                        and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
                        [GL #2700]

5768.   [bug]           dnssec-dsfromkey failed to omit revoked keys. [GL #853]

5764.   [bug]           dns_sdlz_putrr failed to process some valid resource
                        records. [GL #3021]

5762.   [bug]           Fix a "named" crash related to removing and restoring a
                        `catalog-zone` entry in the configuration file and
                        running `rndc reconfig`. [GL #1608]

5758.   [bug]           mdig now honors the operating system's preferred
                        ephemeral port range. [GL #2374]

5757.   [test]          Replace sed in nsupdate system test with awk to
                        construct the nsupdate command.  The sed expression
                        was not reliably changing the ttl. [GL #3003]

[[[ 9.16.25 ]]]

5790.   [bug]           Enforce enqueuing TCP resumeread to prevent the
                        next read callback from being executed before the
                        current read callback has finished, and the worker
                        receive buffer has been marked as "freed". [GL #3079]

5789.   [bug]           Allow replacing expired zone signatures with
                        signatures created by the KSK. [GL #3049]

5788.   [bug]           An assertion could occur if a catalog zone event was
                        scheduled while the task manager was being shut
                        down. [GL #3074]

5787.   [doc]           Update 'auto-dnssec' documentation, it may only be
                        activated at zone level. [GL #3023]

5786.   [bug]           Defer detaching from zone->raw in zone_shutdown() if
                        the zone is in the process of being dumped to disk, to
                        ensure that the unsigned serial number information is
                        always written in the raw-format header of the signed
                        version on an inline-signed zone. [GL #3071]

5785.   [bug]           named could leak memory when two dnssec-policy clauses
                        had the same name. named failed to log this error.
                        [GL #3085]

5776.   [bug]           Add a missing isc_condition_destroy() for nmsocket
                        condition variable and add missing isc_mutex_destroy()
                        for nmworker lock. [GL #3051]

5676.   [func]          Memory use in named was excessive. This has been
                        addressed by:
                        - Replacing locked memory pools with normal memory
                          allocations.
                        - Reducing the number of retained free items in
                          unlocked memory pools.
                        - Disabling the internal allocator by default.
                          "named -M internal" turns it back on.
                        [GL #2398]


[ Other info ]

The debdiff is quite massive as there was one internal change -
instead of using the custom copyright handling, BIND 9 switched to
the REUSE specification, adding SPDX headers and .reuse/dep5 to cover the
binary files.

Again, for posterity, I am wearing both upstream and Debian hats for
BIND 9.

Cheers,
Ondrej

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: bind9_9.16.25-1~deb11u1.debdiff.xz
Description: application/xz
