From: Mark Andrews <marka@isc.org>
Date: Fri, 8 Apr 2011 02:19:06 +0000 (+0000)
Subject: 9.6-ESV-R5b1
X-Git-Tag: v9.6-ESV-R5b1~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b01b03fd615a00a48583d0e9c477b4e94f13a9a;p=thirdparty%2Fbind9.git

9.6-ESV-R5b1
---

diff --git a/CHANGES b/CHANGES
index a0d5f8df46d..b5796d1ad69 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,12 +1,12 @@
-3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
-			dst_gssapi_acceptctx(). [RT #24004]
+
+	--- 9.6-ESV-R5b1 released ---
 
 3095.	[bug]		Handle isolated reserved ports in the port range.
 			[RT #23957]
 
-3088.   [bug]           Remove bin/tests/system/logfileconfig/ns1/named.conf
-                        and add setup.sh in order to resolve changing
-                        named.conf issue.  [RT #23687]
+3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
+			and add setup.sh in order to resolve changing
+			named.conf issue.  [RT #23687]
 
 3083.	[bug]		NOTIFY messages were not being sent when generating
 			a NSEC3 chain incrementally. [RT #23702]
@@ -71,7 +71,7 @@
 
 3042.	[bug]		dig +trace could fail attempting to use IPv6
 			addresses on systems with only IPv4 connectivity.
-			[RT #23797]
+			[RT #23297]
 
 3041.	[bug]		dnssec-signzone failed to generate new signatures on
 			ttl changes. [RT #23330]
@@ -86,7 +86,7 @@
 3036.	[bug]		Check built-in zone arguments to see if the zone
 			is re-usable or not. [RT #21914]
 
-3035.	[cleanup]	Simplify by using strlcpy. [RT #22521] 
+3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 
 3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 
@@ -114,7 +114,7 @@
 3026.	[bug]		lib/isc/httpd.c: check that we have enough space
 			after calling grow_headerspace() and if not
 			re-call grow_headerspace() until we do. [RT #22521]
-			
+
 3025.	[bug]		Fixed a possible deadlock due to zone resigning.
 			[RT #22964]
 
@@ -140,6 +140,8 @@
 			signing records for any remaining DNSKEY changes.
 			[RT #22590]
 
+	--- 9.6-ESV-R4 released ---
+
 	--- 9.6.3 released ---
 
 3009.	[bug]		clients-per-query code didn't work as expected with
@@ -288,7 +290,7 @@
 2905.	[port]		aix: set use_atomic=yes with native compiler.
 			[RT #21402]
 
-2904.   [bug]           When using DLV, sub-zones of the zones in the DLV,
+2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
 			could be incorrectly marked as insecure instead of
 			secure leading to negative proofs failing.  This was
 			a unintended outcome from change 2890. [RT# 21392]
@@ -536,7 +538,7 @@
 
 2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
 
-2789.   [bug]           Fixed an INSIST in dispatch.c [RT #20576]
+2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
 
 2786.	[bug]		Additional could be promoted to answer. [RT #20663]
 
@@ -732,9 +734,9 @@
 
 2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
 
-2623.	[bug]		Named started seaches for DS non-optimally. [RT #19915]
+2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
 
-2621.	[doc]		Made copyright boilterplate consistent.  [RT #19833]
+2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
 
 2620.	[bug]		Delay thawing the zone until the reload of it has
 			completed successfully.  [RT #19750]
@@ -964,13 +966,13 @@
 2529.	[cleanup]	Upgrade libtool to silence complaints from recent
 			version of autoconf. [RT #18657]
 
-2528.   [cleanup]	Silence spurious configure warning about
+2528.	[cleanup]	Silence spurious configure warning about
 			--datarootdir [RT #19096]
 
 2527.	[bug]		named could reuse cache on reload with
 			enabling/disabling validation. [RT #19119]
 
-2525.	[experimental]	New logging category "query-errors" to provide detailed
+2525.	[func]		New logging category "query-errors" to provide detailed
 			internal information about query failures, especially
 			about server failures. [RT #19027]
 
@@ -1227,13 +1229,13 @@
 2441.	[bug]		isc_radix_insert() could copy radix tree nodes
 			incompletely. [RT #18573]
 
-2440.   [bug]		named-checkconf used an incorrect test to determine
+2440.	[bug]		named-checkconf used an incorrect test to determine
 			if an ACL was set to none.
 
-2439.   [bug]		Potential NULL dereference in dns_acl_isanyornone().
+2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
 			[RT #18559]
 
-2438.   [bug]		Timeouts could be logged incorrectly under win32.
+2438.	[bug]		Timeouts could be logged incorrectly under win32.
 
 2437.	[bug]		Sockets could be closed too early, leading to
 			inconsistent states in the socket module. [RT #18298]
@@ -1247,7 +1249,7 @@
 
 2433.	[tuning]	Set initial timeout to 800ms.
 
-2432.   [bug]		More Windows socket handling improvements.  Stop
+2432.	[bug]		More Windows socket handling improvements.  Stop
 			using I/O events and use IO Completion Ports
 			throughout.  Rewrite the receive path logic to make
 			it easier to support multiple simultaneous
@@ -1282,7 +1284,7 @@
 			epoll and /dev/poll to be selected at compile
 			time. [RT #18277]
 
-2423.   [security]	Randomize server selection on queries, so as to
+2423.	[security]	Randomize server selection on queries, so as to
                         make forgery a little more difficult.  Instead of
                         always preferring the server with the lowest RTT,
                         pick a server with RTT within the same 128
@@ -1296,7 +1298,7 @@
 			Use caution: this option may not work for some
 			operating systems without rebuilding named.
 
-2420.   [bug]		Windows socket handling cleanup.  Let the io
+2420.	[bug]		Windows socket handling cleanup.  Let the io
 			completion event send out canceled read/write
 			done events, which keeps us from writing to memory
 			we no longer have ownership of.  Add debugging
@@ -1618,7 +1620,7 @@
 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
 			[RT #17513]
 
-2315.   [bug]           Used incorrect address family for mapped IPv4
+2315.	[bug]           Used incorrect address family for mapped IPv4
                         addresses in acl.c. [RT #17519]
 
 2314.	[bug]		Uninitialized memory use on error path in
@@ -1630,14 +1632,14 @@
 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
 			[RT #17458]
 
-2311.   [bug]           IPv6 addresses could match IPv4 ACL entries and
+2311.	[bug]           IPv6 addresses could match IPv4 ACL entries and
                         vice versa. [RT #17462]
 
 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
 			debug/fatal messages.  [RT #17501]
 
-2309.   [cleanup]       Fix Coverity warnings in lib/dns/acl.c and iptable.c.
-                        [RT #17455]
+2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
+			[RT #17455]
 
 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
 			[RT #17495]
@@ -1689,7 +1691,7 @@
 2292.	[bug]		Log if the working directory is not writable.
 			[RT #17312]
 
-2291.   [bug]           PR_SET_DUMPABLE may be set too late.  Also report
+2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
 			failure to set PR_SET_DUMPABLE. [RT #17312]
 
 2290.	[bug]		Let AD in the query signal that the client wants AD
@@ -1727,7 +1729,7 @@
 2280.	[func]		Allow the experimental http server to be reached
 			over IPv6 as well as IPv4. [RT #17332]
 
-2279.   [bug]           Use setsockopt(SO_NOSIGPIPE), when available,
+2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
 			to protect applications from receiving spurious
 			SIGPIPE signals when using the resolver.
 
@@ -1762,9 +1764,9 @@
 
 	--- 9.5.0b1 released ---
 
-2267.   [bug]           Radix tree node_num value could be set incorrectly,
-                        causing positive ACL matches to look like negative
-                        ones.  [RT #17311]
+2267.	[bug]		Radix tree node_num value could be set incorrectly,
+			causing positive ACL matches to look like negative
+			ones.  [RT #17311]
 
 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
 			once the pool of mctx's was filled. [RT #17218]
@@ -1780,7 +1782,7 @@
 2262.	[bug]		Error status from all but the last view could be
 			lost. [RT #17292]
 
-2261.   [bug]           Fix memory leak with "any" and "none" ACLs [RT #17272]
+2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
 
 2260.	[bug]		Reported wrong clients-per-query when increasing the
 			value. [RT #17236]
diff --git a/EXCLUDED b/EXCLUDED
index ce463755387..6233d652c96 100644
--- a/EXCLUDED
+++ b/EXCLUDED
@@ -375,9 +375,6 @@
 2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
 			log level to debug 1. [RT #20058]
 
-2655.   [doc]           Document that key-directory does not affect
-                        bind.keys, rndc.key or session.key.  [RT #20155]
-
 2654.   [bug]           Improve error reporting on duplicated names for
                         deny-answer-xxx. [RT #20164]
 
@@ -425,10 +422,98 @@
 			"insecurity proof failed" instead of "not
 			insecure". [RT #19400]
 
-2537.   [func]          Added more statistics counters including those on socket
-                        I/O events and query RTT histograms. [RT #18802]
+2525.   [experimental]	New logging category "query-errors" to provide detailed
+			internal information about query failures, especially
+			about server failures. [RT #19027]
+
+2537.	[func]		Added more statistics counters including those on socket
+			I/O events and query RTT histograms. [RT #18802]
+
+2655.	[doc]		Document that key-directory does not affect
+			rndc.key.  [RT #20155]
+
+2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
+			digest length were used incorrectly, leading to
+			interoperability problems with other DNS
+			implementations.  This has been corrected.
+			(Note: If an oversize key is in use, and
+			compatibility is needed with an older release of
+			BIND, the new tool "isc-hmac-fixup" can convert
+			the key secret to a form that will work with all
+			versions.) [RT #20751]
+
+2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
+			[RT #20760]
+
+3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
+			for refreshing managed-keys. [RT #22296]
+
+3013.	[bug]		The DNS64 ttl was not always being set as expected.
+			[RT #23034]
+
+3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
+			[RT #22887]
+
+3020.	[bug]		auto-dnssec failed to correctly update the zone when
+			changing the DNSKEY RRset. [RT #23232]
+
+3021.	[bug]		Change #3010 was incomplete. [RT #22296]
+
+3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
+                        [RT #23246]
+
+3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
+
+3045.	[removed]	Replaced by change #3050.
+
+3048.	[bug]		Fully separate view key mangement. [RT #23419]
+
+3050.	[bug]		The autosign system test was timing dependent.
+			Wait for the initial autosigning to complete
+			before running the rest of the test. [RT #23035]
+
+3052.	[test]		Fixed last autosign test report. [RT #23256]
+
+3054.	[bug]		Added elliptic curve support check in
+			GOST OpenSSL engine detection. [RT #23485]
+
+3057.	[bug]		"rndc secroots" would abort after the first error
+			and so could miss some views. [RT #23488]
+
+3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
+			[RT #20256]
+
+3073.	[bug]		managed-keys changes were not properly being recorded.
+			[RT #20256]
+
+3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
+			timestamp when determining which keys are active.
+			[RT #23642]
+
+3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
+			dns_zone_attach(), use zone->irefs instead. [RT #23303]
+
+3082.	[port]		strtok_r is threads only. [RT #23747]
+
+3086.	[bug]		Running dnssec-settime -f on an old-style key will
+			now force an update to the new key format even if no
+			other change has been specified, using "-P now -A now"
+			as default values.  [RT #22474]
+
+3087.	[bug]		DDNS updates using SIG(0) with update-policy match
+			type "external" could cause a crash. [RT #23735]
+
+3091.	[bug]		Fixed a bug in which zone keys that were published
+			and then subsequently activated could fail to trigger
+			automatic signing. [RT #22911]
+
+3094.	[doc]		Expand dns64 documentation.
+
+3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
+			dst_gssapi_acceptctx(). [RT #24004]
 
-2525.   [func]          New logging category "query-errors" to provide detailed
-                        internal information about query failures, especially
-                        about server failures. [RT #19027]
+2655.	[doc]		Document that key-directory does not affect
+			bind.keys, rndc.key or session.key.  [RT #20155]
 
+2810.   [doc]           Clarified the process of transitioning an NSEC3 zone
+                        to insecure. [RT #20746]
diff --git a/lib/bind9/api b/lib/bind9/api
index f3b0f9fc331..65f46ea7a5e 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 50
-LIBREVISION = 4
+LIBREVISION = 5
 LIBAGE = 0
diff --git a/lib/dns/api b/lib/dns/api
index 29ebff25e6b..c53f2e414a1 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 59
-LIBREVISION = 2
+LIBREVISION = 3
 LIBAGE = 1
diff --git a/lib/isc/api b/lib/isc/api
index e1f7b71eb11..8aa3f89d292 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 54
-LIBREVISION = 1
-LIBAGE = 4
+LIBINTERFACE = 55
+LIBREVISION = 0
+LIBAGE = 5
diff --git a/lib/isccfg/api b/lib/isccfg/api
index fbbf923b532..f3b0f9fc331 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 50
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0
diff --git a/lib/lwres/api b/lib/lwres/api
index fbbf923b532..f3b0f9fc331 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 50
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0
diff --git a/version b/version
index c596a54e942..0fc6a74bf14 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.43.12.11 2011/01/30 06:38:13 marka Exp $
+# $Id: version,v 1.43.12.12 2011/04/08 02:19:06 marka Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
 MINORVER=6
-PATCHVER=3
-RELEASETYPE=
-RELEASEVER=
+PATCHVER=
+RELEASETYPE=-ESV
+RELEASEVER=-R5b1