+++ /dev/null
- --- 9.18.28 released ---
-
-6404. [security] Remove SIG(0) support from named as a countermeasure
- for CVE-2024-1975. [GL #4480]
-
-6403. [security] qctx-zversion was not being cleared when it should have
- been leading to an assertion failure if it needed to be
- reused. (CVE-2024-4076) [GL #4507]
-
-6401. [security] An excessively large number of rrtypes per owner can
- slow down database query processing, so a limit has been
- placed on the number of rrtypes that can be stored per
- owner (node) in a cache or zone database. This is
- configured with the new "max-rrtypes-per-name" option,
- and defaults to 100. (CVE-2024-1737)
- [GL #3403] [GL #4548]
-
-6400. [security] Excessively large rdatasets can slow down database
- query processing, so a limit has been placed on the
- number of records that can be stored per rdataset
- in a cache or zone database. This is configured
- with the new "max-records-per-type" option, and
- defaults to 100. (CVE-2024-1737)
- [GL #497] [GL #3405]
-
-6399. [security] Malicious DNS client that sends many queries over
- TCP but never reads responses can cause server to
- respond slowly or not respond at all for other
- clients. (CVE-2024-0760) [GL #4481]
-
-6398. [bug] Fix potential data races in our DoH implementation
- related to HTTP/2 session object management and
- endpoints set object management after reconfiguration.
- We would like to thank Dzintars and Ivo from nic.lv
- for bringing this to our attention. [GL #4473]
-
-6397. [bug] Clear DNS_FETCHOPT_TRYSTALE_ONTIMEOUT when looking for
- parent NS records needed to get the DS result.
- [GL #4661]
-
-6395. [bug] Handle ISC_R_HOSTDOWN and ISC_R_NETDOWN in resolver.c.
- [GL #4736]
-
-6394. [bug] Named's -4 and -6 options now apply to zone primaries,
- also-notify and parental-agents. Report when a zone
- has these options configured but does not have an IPv4
- or IPv6 address listed respectively. [GL #3472]
-
-6393. [func] Deal with uv_tcp_close_reset() error return codes
- more gracefully. [GL #4708]
-
-6392. [bug] Use a completely new memory context when flushing the
- cache. [GL #2744]
-
-6391. [bug] TCP client statistics could sometimes fail to decrease
- when accepting client connection fails. [GL #4742]
-
-6390. [bug] Fix a data race in isc_task_purgeevent(). [GL !8937]
-
-6389. [bug] dnssec-verify and dnssec-signzone could fail if there
- was an obscured DNSKEY RRset at a delegatation.
- [GL #4517]
-
-6388. [bug] Prevent an assertion failure caused by passing NULL to
- dns_dispatch_resume() when a dns_request times out close
- to view shutdown. [GL #4719]
-
-6386. [bug] When shutting down catzs->view could point to freed
- memory. Obtain a reference to the view to prevent this.
- [GL #4502]
-
-6385. [func] Relax SVCB alias mode checks to allow parameters.
- [GL #4704]
-
-6384. [bug] Remove infinite loop when including a directory in a
- zone file. [GL #4357]
-
-6383. [bug] Address an infinite loop in $GENERATE when a negative
- value was converted in nibble mode. [GL #4353]
-
-6382. [bug] Fix RPZ response's SOA record TTL, which was incorrectly
- set to 1 if 'add-soa' is used. [GL #3323]
-
- --- 9.18.27 released ---
-
-6374. [bug] Skip to next RRSIG if signature has expired or is in
- the future rather than failing immediately. [GL #4586]
-
-6372. [func] Implement signature jitter for dnssec-policy. [GL #4554]
-
- --- 9.18.26 released ---
-
-6364. [protocol] Add RESOLVER.ARPA to the built in empty zones.
- [GL #4580]
-
-6363. [bug] dig/mdig +ednsflags=<non-zero-value> did not re-enable
- EDNS if it had been disabled. [GL #4641]
-
-6361. [bug] Some invalid ISO 8601 durations were accepted
- erroneously. [GL #4624]
-
-6360. [bug] Don't return static-stub synthesised NS RRset.
- [GL #4608]
-
-6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552]
-
-6351. [protocol] Support for the RESINFO record type has been added.
- [GL #4413]
-
-6346. [bug] Cleaned up several minor bugs in the RBTDB dbiterator
- implementation. [GL !8741]
-
-6345. [bug] Added missing dns_rdataset_disassociate calls in
- validator.c:findnsec3proofs. [GL #4571]
-
-6340. [test] Fix incorrectly reported errors when running tests
- with `make test` on platforms with older pytest.
- [GL #4560]
-
-6338. [func] Optimize slabheader placement, so the infrastructure
- records are put in the beginning of the slabheader
- linked list. [GL !8675]
-
-6334. [doc] Improve ARM parental-agents definition. [GL #4531]
-
-6333. [bug] Fix the DNS_GETDB_STALEFIRST flag, which was defined
- incorrectly in lib/ns/query.c. [GL !8683]
-
-6330. [doc] Update ZSK minimum lifetime documentation in ARM, also
- depends on signing delay. [GL #4510]
-
-6328. [func] Add workaround to enforce dynamic linker to pull
- jemalloc earlier than libc to ensure all memory
- allocations are done via jemalloc. [GL #4404]
-
-6326. [bug] Changes to "listen-on" statements were ignored on
- reconfiguration unless the port or interface address was
- changed, making it impossible to change a related
- listener transport type. Thanks to Thomas Amgarten.
- [GL #4518] [GL #4528]
-
-6325. [func] Expose the TCP client count in statistics channel.
- [GL #4425]
-
-6324. [bug] Fix a possible crash in 'dig +nssearch +nofail' and
- 'host -C' commands when one of the name servers returns
- SERVFAIL. [GL #4508]
-
-6313. [bug] When dnssec-policy is in effect the DNSKEY's TTLs in
- the zone where not being updated to match the policy.
- This lead to failures when DNSKEYs where updated as the
- TTLs mismatched. [GL #4466]
-
- --- 9.18.25 released ---
-
-6356. [bug] Create the pruning task in the dns_cache_flush(), so
- the cache pruning still works after the flush.
- [GL #4621]
-
-6353. [bug] Improve the TTL-based cleaning by removing the expired
- headers from the heap, so they don't block the next
- cleaning round and clean more than a single item for
- each new addition to the RBTDB. [GL #4591]
-
-6352. [bug] Revert change 6319 and decrease lock contention during
- RBTDB tree pruning by not cleaning up nodes recursively
- within a single prune_tree() call. [GL #4596]
-
-6350. [bug] Address use after free in expire_lru_headers. [GL #4495]
-
- --- 9.18.24 released ---
-
-6343. [bug] Fix case insensitive setting for isc_ht hashtable.
- [GL #4568]
-
- --- 9.18.23 released ---
-
-6322. [security] Specific DNS answers could cause a denial-of-service
- condition due to DNS validation taking a long time.
- (CVE-2023-50387) [GL #4424]
-
- The same code change also addresses another problem:
- preparing NSEC3 closest encloser proofs could exhaust
- available CPU resources. (CVE-2023-50868) [GL #4459]
-
-6321. [security] Change 6315 inadvertently introduced regressions that
- could cause named to crash. [GL #4234]
-
-6320. [bug] Under some circumstances, the DoT code in client
- mode could process more than one message at a time when
- that was not expected. That has been fixed. [GL #4487]
-
- --- 9.18.22 released ---
-
-6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning.
- [GL #4383]
-
-6317. [security] Restore DNS64 state when handling a serve-stale timeout.
- (CVE-2023-5679) [GL #4334]
-
-6316. [security] Specific queries could trigger an assertion check with
- nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
-
-6315. [security] Speed up parsing of DNS messages with many different
- names. (CVE-2023-4408) [GL #4234]
-
-6314. [bug] Address race conditions in dns_tsigkey_find().
- [GL #4182]
-
-6312. [bug] Conversion from NSEC3 signed to NSEC signed could
- temporarily put the zone into a state where it was
- treated as unsigned until the NSEC chain was built.
- Additionally conversion from one set of NSEC3 parameters
- to another could also temporarily put the zone into a
- state where it was treated as unsigned until the new
- NSEC3 chain was built. [GL #1794] [GL #4495]
-
-6310. [bug] Memory leak in zone.c:sign_zone. When named signed a
- zone it could leak dst_keys due to a misplaced
- 'continue'. [GL #4488]
-
-6306. [func] Log more details about the cause of "not exact" errors.
- [GL #4500]
-
-6304. [bug] The wrong time was being used to determine what RRSIGs
- where to be generated when dnssec-policy was in use.
- [GL #4494]
-
-6302. [func] The "trust-anchor-telemetry" statement is no longer
- marked as experimental. This silences a relevant log
- message that was emitted even when the feature was
- explicitly disabled. [GL #4497]
-
-6300. [bug] Fix statistics export to use full 64 bit signed numbers
- instead of truncating values to unsigned 32 bits.
- [GL #4467]
-
-6299. [port] NetBSD has added 'hmac' to libc which collides with our
- use of 'hmac'. [GL #4478]
-
- --- 9.18.21 released ---
-
-6297. [bug] Improve LRU cleaning behaviour. [GL #4448]
-
-6296. [func] The "resolver-nonbackoff-tries" and
- "resolver-retry-interval" options are deprecated;
- a warning will be logged if they are used. [GL #4405]
-
-6294. [bug] BIND might sometimes crash after startup or
- re-configuration when one 'tls' entry is used multiple
- times to connect to remote servers due to initialisation
- attempts from contexts of multiple threads. That has
- been fixed. [GL #4464]
-
-6290. [bug] Dig +yaml will now report "no servers could be reached"
- also for UDP setup failure when no other servers or
- tries are left. [GL #1229]
-
-6287. [bug] Recognize escapes when reading the public key from file.
- [GL !8502]
-
-6286. [bug] Dig +yaml will now report "no servers could be reached"
- on TCP connection failure as well as for UDP timeouts.
- [GL #4396]
-
-6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
-
- --- 9.18.20 released ---
-
-6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
- [GL !8454]
-
-6277. [bug] Take into account local authoritative zones when
- falling back to serve-stale. [GL #4355]
-
-6275. [bug] Fix assertion failure when using lock-file configuration
- option together -X argument to named. [GL #4386]
-
-6274. [bug] The 'lock-file' file was being removed when it
- shouldn't have been making it ineffective if named was
- started 3 or more times. [GL #4387]
-
-6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381]
-
-6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
- 2801:1b8:10::b. [GL #4101]
-
-6267. [func] The timeouts for resending zone refresh queries over UDP
- were lowered to enable named to more quickly determine
- that a primary is down. [GL #4260]
-
-6265. [bug] Don't schedule resign operations on the raw version
- of an inline-signing zone. [GL #4350]
-
-6261. [bug] Fix a possible assertion failure on an error path in
- resolver.c:fctx_query(), when using an uninitialized
- link. [GL #4331]
-
-6254. [cleanup] Add semantic patch to do an explicit cast from char
- to unsigned char in ctype.h class of functions.
- [GL #4327]
-
-6252. [test] Python system tests have to be executed by invoking
- pytest directly. Executing them with the legacy test
- runner is no longer supported. [GL #4250]
-
-6250. [bug] The wrong covered value was being set by
- dns_ncache_current for RRSIG records in the returned
- rdataset structure. This resulted in TYPE0 being
- reported as the covered value of the RRSIG when dumping
- the cache contents. [GL #4314]
-
- --- 9.18.19 released ---
-
-6246. [security] Fix use-after-free error in TLS DNS code when sending
- data. (CVE-2023-4236) [GL #4242]
-
-6245. [security] Limit the amount of recursion that can be performed
- by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]
-
-6244. [bug] Adjust log levels on malformed messages to NOTICE when
- transferring in a zone. [GL #4290]
-
-6241. [bug] Take into account the possibility of partial TLS writes
- in TLS DNS code. That helps to prevent DNS messages
- corruption on long DNS over TLS streams. [GL #4255]
-
-6240. [bug] Use dedicated per-worker thread jemalloc memory
- arenas for send buffers allocation to reduce memory
- consumption and avoid lock contention. [GL #4038]
-
-6239. [func] Deprecate the 'dnssec-must-be-secure' option.
- [GL #3700]
-
-6237. [bug] Address memory leaks due to not clearing OpenSSL error
- stack. [GL #4159]
-
-6235. [doc] Clarify BIND 9 time formats. [GL #4266]
-
-6234. [bug] Restore stale-refresh-time value after flushing the
- cache. [GL #4278]
-
-6232. [bug] Following the introduction of krb5-subdomain-self-rhs
- and ms-subdomain-self-rhs update rules, removal of
- nonexistent PTR and SRV records via UPDATE could fail.
- [GL #4280]
-
-6231. [func] Make nsupdate honor -v for SOA requests if the server
- is specified. [GL #1181]
-
-6230. [bug] Prevent an unnecessary query restart if a synthesized
- CNAME target points to the CNAME owner. [GL #3835]
-
-6227. [bug] Check the statistics-channel HTTP Content-length
- to prevent negative or overflowing values from
- causing a crash. [GL #4125]
-
-6224. [bug] Check the If-Modified-Since value length to prevent
- out-of-bounds write. [GL #4124]
-
- --- 9.18.18 released ---
-
-6220. [func] Deprecate the 'dialup' and 'heartbeat-interval'
- options. [GL #3700]
-
-6219. [bug] Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
- [GL #4032]
-
-6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API
- support is not configured. [GL #4225]
-
-6213. [bug] Mark a primary server as temporarily unreachable if the
- TCP connection attempt times out. [GL #4215]
-
-6212. [bug] Don't process detach and close netmgr events when
- the netmgr has been paused. [GL #4200]
-
- --- 9.18.17 released ---
-
-6206. [bug] Add shutdown checks in dns_catz_dbupdate_callback() to
- avoid a race with dns_catz_shutdown_catzs(). [GL #4171]
-
-6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs.
- [GL #4154]
-
-6204. [bug] Use NS records for relaxed QNAME-minimization mode.
- This reduces the number of queries named makes when
- resolving, as it allows the non-existence of NS RRsets
- at non-referral nodes to be cached in addition to the
- referrals that are normally cached. [GL #3325]
-
-6200. [bug] Fix nslookup erroneously reporting a timeout when the
- input is delayed. [GL #4044]
-
-6199. [bug] Improve HTTP Connection: header protocol conformance
- in the statistics channel. [GL #4126]
-
-6198. [func] Remove the holes in the isc_result_t enum to compact
- the isc_result tables. [GL #4149]
-
-6197. [bug] Fix a data race between the dns_zone and dns_catz
- modules when registering/unregistering a database
- update notification callback for a catalog zone.
- [GL #4132]
-
-6196. [cleanup] Report "permission denied" instead of "unexpected error"
- when trying to update a zone file on a read-only file
- system. Thanks to Midnight Veil. [GL #4134]
-
-6193. [bug] Fix a catz db update notification callback registration
- logic error, which could crash named when receiving an
- AXFR update for a catalog zone while the previous update
- process of the catalog zone was already running.
- [GL #4136]
-
-6166. [func] Retry without DNS COOKIE on FORMERR if it appears that
- the FORMERR was due to the presence of a DNS COOKIE
- option. [GL #4049]
-
- --- 9.18.16 released ---
-
-6192. [security] A query that prioritizes stale data over lookup
- triggers a fetch to refresh the stale data in cache.
- If the fetch is aborted for exceeding the recursion
- quota, it was possible for 'named' to enter an infinite
- callback loop and crash due to stack overflow. This has
- been fixed. (CVE-2023-2911) [GL #4089]
-
-6190. [security] Improve the overmem cleaning process to prevent the
- cache going over the configured limit. (CVE-2023-2828)
- [GL #4055]
-
-6188. [performance] Reduce memory consumption by allocating properly
- sized send buffers for stream-based transports.
- [GL #4038]
-
-6186. [bug] Fix a 'clients-per-query' miscalculation bug. When the
- 'stale-answer-enable' options was enabled and the
- 'stale-answer-client-timeout' option was enabled and
- larger than 0, named was taking two places from the
- 'clients-per-query' limit for each client and was
- failing to gradually auto-tune its value, as configured.
- [GL #4074]
-
-6185. [func] Add "ClientQuota" statistics channel counter, which
- indicates the number of the resolver's spilled queries
- due to reaching the clients per query quota. [GL !7978]
-
-6183. [bug] Fix a serve-stale bug where a delegation from cache
- could be returned to the client. [GL #3950]
-
-6182. [cleanup] Remove configure checks for epoll, kqueue and
- /dev/poll. [GL #4098]
-
-6181. [func] The "tkey-dhkey" option has been deprecated; a
- warning will be logged when it is used. In a future
- release, Diffie-Hellman TKEY mode will be removed.
- [GL #3905]
-
-6180. [bug] The session key object could be incorrectly added
- to multiple different views' keyrings. [GL #4079]
-
-6179. [bug] Fix an interfacemgr use-after-free error in
- zoneconf.c:isself(). [GL #3765]
-
-6176. [test] Add support for using pytest & pytest-xdist to
- execute the system test suite. [GL #3978]
-
-6174. [bug] BIND could get stuck on reconfiguration when a
- 'listen' statement for HTTP is removed from the
- configuration. That has been fixed. [GL #4071]
-
-6173. [bug] Properly process extra "nameserver" lines in
- resolv.conf otherwise the next line is not properly
- processed. [GL #4066]
-
-6169. [bug] named could crash when deleting inline-signing zones
- with "rndc delzone". [GL #4054]
-
-6165. [bug] Fix a logic error in dighost.c which could call the
- dighost_shutdown() callback twice and cause problems
- if the callback function was not idempotent. [GL #4039]
-
- --- 9.18.15 released ---
-
-6164. [bug] Set the rndc idle read timeout back to 60 seconds,
- from the netmgr default of 30 seconds, in order to
- match the behavior of 9.16 and earlier. [GL #4046]
-
-6161. [bug] Fix log file rotation when using absolute path as
- file. [GL #3991]
-
-6157. [bug] When removing delegations in an OPTOUT range
- empty-non-terminal NSEC3 records generated by
- those delegations were not removed. [GL #4027]
-
-6156. [bug] Reimplement the maximum and idle timeouts for incoming
- zone tranfers. [GL #4004]
-
-6155. [bug] Treat ISC_R_INVALIDPROTO as a networking error
- in the dispatch code to avoid retrying with the
- same server. [GL #4005]
-
-6152. [bug] In dispatch, honour the configured source-port
- selection when UDP connection fails with address
- in use error.
-
- Also treat ISC_R_NOPERM same as ISC_R_ADDRINUSE.
- [GL #3986]
-
-6149. [test] As a workaround, include an OpenSSL header file before
- including cmocka.h in the unit tests, because OpenSSL
- 3.1.0 uses __attribute__(malloc), conflicting with a
- redefined malloc in cmocka.h. [GL #4000]
-
- --- 9.18.14 released ---
-
-6145. [bug] Fix a possible use-after-free bug in the
- dns__catz_done_cb() function. [GL #3997]
-
-6143. [bug] A reference counting problem on the error path in
- the xfrin_connect_done() might cause an assertion
- failure on shutdown. [GL #3989]
-
-6142. [bug] Reduce the number of dns_dnssec_verify calls made
- determining if revoked keys needs to be removed from
- the trust anchors. [GL #3981]
-
-6141. [bug] Fix several issues in nsupdate timeout handling and
- update the -t option's documentation. [GL #3674]
-
-6138. [doc] Fix the DF-flag documentation on the outgoing
- UDP packets. [GL #3710]
-
-6136. [cleanup] Remove the isc_fsaccess API in favor of creating
- temporary file first and atomically replace the key
- with non-truncated content. [GL #3982]
-
-6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967]
-
-6129. [cleanup] Value stored to 'source' during its initialization is
- never read. [GL #3965]
-
-6128. [bug] Fix an omission in an earlier commit to avoid a race
- between the 'dns__catz_update_cb()' and
- 'dns_catz_dbupdate_callback()' functions. [GL #3968]
-
-6126. [cleanup] Deprecate zone type "delegation-only" and the
- "delegation-only" and "root-delegation-only"
- options. [GL #3953]
-
-6125. [bug] Hold a catz reference while the update process is
- running, so that the catalog zone is not destroyed
- during shutdown until the update process is finished or
- properly canceled by the activated 'shuttingdown' flag.
- [GL #3955]
-
-6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to
- an NSEC3 incapable DNSSEC algorithm using KASP the zone
- could sometimes be incompletely signed. [GL #3937]
-
-6121. [bug] Fix BIND and dig zone transfer hanging when
- downloading large zones over TLS from a primary server,
- especially over unstable connections. [GL #3867]
-
- --- 9.18.13 released ---
-
-6120. [bug] Use two pairs of dns_db_t and dns_dbversion_t in a
- catalog zone structure to avoid a race between the
- dns__catz_update_cb() and dns_catz_dbupdate_callback()
- functions. [GL #3907]
-
-6119. [bug] Make sure to revert the reconfigured zones to the
- previous version of the view, when the new view
- reconfiguration fails during the configuration of
- one of the configured zones. [GL #3911]
-
-6116. [bug] Fix error path cleanup issues in dns_catz_new_zones()
- and dns_catz_new_zone() functions. [GL #3900]
-
-6115. [bug] Unregister db update notify callback before detaching
- from the previous db inside the catz update notify
- callback. [GL #3777]
-
-6114. [func] Run the catalog zone update process on the offload
- threads. [GL #3881]
-
-6113. [func] Add shutdown signaling for catalog zones. [GL !7571]
-
-6112. [func] Add reference count tracing for dns_catz_zone_t and
- dns_catz_zones_t. [GL !7570]
-
-6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in
- configure_rpz() and configure_catz(), respectively,
- just after attaching it to the new view. [GL #3880]
-
-6098. [test] Don't test HMAC-MD5 when not supported by libcrypto.
- [GL #3871]
-
-6096. [bug] Fix RPZ reference counting error on shutdown in
- dns__rpz_timer_cb(). [GL #3866]
-
-6095. [test] Test various 'islands of trust' configurations when
- using managed keys. [GL #3662]
-
-6094. [bug] Building against (or running with) libuv versions
- 1.35.0 and 1.36.0 is now a fatal error. The rules for
- mixing and matching compile-time and run-time libuv
- versions have been tightened for libuv versions between
- 1.35.0 and 1.40.0. [GL #3840]
-
-6092. [bug] dnssec-cds failed to cleanup properly. [GL #3831]
-
-6089. [bug] Source ports configured for query-source,
- transfer-source, etc, were being ignored. (This
- feature is deprecated, but it is not yet removed,
- so the bug still needed fixing.) [GL #3790]
-
- --- 9.18.12 released ---
-
-6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently
- broken by change 6042. [GL #3827]
-
-6082. [test] fuzz/dns_message_checksig leaked memory when shutting
- down. [GL #3828]
-
-6081. [bug] Handle primary server address lookup failures in
- nsupdate more gracefully. [GL #3830]
-
-6080. [bug] 'named -V' leaked memory. [GL #3829]
-
-6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds'
- command. [GL #3822]
-
-6075. [bug] Add missing node lock when setting node->wild in
- add_wildcard_magic. [GL #3799]
-
-6074. [func] Refactor the isc_nm_xfr_allowed() function to return
- isc_result_t instead of boolean. [GL #3808]
-
-6073. [bug] Set RD=1 on DS requests to parental-agents. [GL #3783]
-
-6072. [bug] Avoid the OpenSSL lock contention when initializing
- Message Digest Contexts by using explicit algorithm
- fetching, initializing static contexts for every
- supported algorithms, and initializing the new context
- by copying the static copy. [GL #3795]
-
-6071. [func] The use of "port" when configuring query-source,
- transfer-source, notify-source and parental-source
- addresses has been deprecated, along with the
- use-v[46]-udp-ports and avoid-v[46]-udp-ports
- options. A warning will be logged when these
- options are used. In a future release, they
- will be removed. [GL #3781]
-
-
-6069. [bug] Detach from the view in zone_shutdown() to
- release the memory held by the dead view
- early. [GL #3801]
-
-6068. [bug] Downloading a zone via TLS from a server which does
- not negotiate "dot" ALPN token could crash BIND
- on shutdown. That has been fixed. [GL #3767]
-
-6057. [bug] Fix shutdown and error path bugs in the rpz unit.
- [GL #3735]
-
-5850. [func] Run the RPZ update process on the offload threads.
- [GL #3190]
-
- --- 9.18.11 released ---
-
-6067. [security] Fix serve-stale crash when recursive clients soft quota
- is reached. (CVE-2022-3924) [GL #3619]
-
-6066. [security] Handle RRSIG lookups when serve-stale is active.
- (CVE-2022-3736) [GL #3622]
-
-6064. [security] An UPDATE message flood could cause named to exhaust all
- available memory. This flaw was addressed by adding a
- new "update-quota" statement that controls the number of
- simultaneous UPDATE messages that can be processed or
- forwarded. The default is 100. A stats counter has been
- added to record events when the update quota is
- exceeded, and the XML and JSON statistics version
- numbers have been updated. (CVE-2022-3094) [GL #3523]
-
-6062. [func] The DSCP implementation, which has been
- nonfunctional for some time, is now marked as
- obsolete and the implementation has been removed.
- Configuring DSCP values in named.conf has no
- effect, and a warning will be logged that
- the feature should no longer be used. [GL #3773]
-
-6061. [bug] Fix unexpected "Prohibited" extended DNS error
- on allow-recursion. [GL #3743]
-
-6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
- by detaching from the zone manager outside of the write
- lock. [GL #3768]
-
-6059. [bug] In some serve stale scenarios, like when following an
- expired CNAME record, named could return SERVFAIL if the
- previous request wasn't successful. Consider non-stale
- data when in serve-stale mode. [GL #3678]
-
-6058. [bug] Prevent named from crashing when "rndc delzone"
- attempts to delete a zone added by a catalog zone.
- [GL #3745]
-
-6053. [bug] Fix an ADB quota management bug in resolver. [GL #3752]
-
-6051. [bug] Improve thread safety in the dns_dispatch unit.
- [GL #3178] [GL #3636]
-
-6050. [bug] Changes to the RPZ response-policy min-update-interval
- and add-soa options now take effect as expected when
- named is reconfigured. [GL #3740]
-
-6049. [bug] Exclude ABD hashtables from the ADB memory
- overmem checks and don't clean ADB names
- and ADB entries used in the last 10 seconds
- (ADB_CACHE_MINIMUM). [GL #3739]
-
-6048. [bug] Fix a log message error in dns_catz_update_from_db(),
- where serials with values of 2^31 or larger were logged
- incorrectly as negative numbers. [GL #3742]
-
-6047. [bug] Try the next server instead of trying the same
- server again on an outgoing query timeout.
- [GL #3637]
-
-6046. [bug] TLS session resumption might lead to handshake
- failures when client certificates are used for
- authentication (Mutual TLS). This has been fixed.
- [GL #3725]
-
-6045. [cleanup] The list of supported DNSSEC algorithms changed log
- level from "warning" to "notice" to match named's other
- startup messages. [GL !7217]
-
-6044. [bug] There was an "RSASHA236" typo in a log message.
- [GL !7206]
-
-5845. [bug] Refactor the timer to keep track of posted events
- as to use isc_task_purgeevent() instead of using
- isc_task_purgerange(). The isc_task_purgeevent()
- has been refactored to purge a single event instead
- of walking through the list of posted events.
- [GL #3252]
-
-5830. [func] Implement incremental resizing of isc_ht hash tables to
- perform the rehashing gradually. The catalog zone
- implementation has been optimized to work with hundreds
- of thousands of member zones. [GL #3212] [GL #3744]
-
- --- 9.18.10 released ---
-
-6043. [bug] The key file IO locks objects would never get
- deleted from the hashtable due to off-by-one error.
- [GL #3727]
-
-6042. [bug] ANY responses could sometimes have the wrong TTL.
- [GL #3613]
-
-6040. [bug] Speed up the named shutdown time by explicitly
- canceling all recursing ns_client objects for
- each ns_clientmgr. [GL #3183]
-
-6039. [bug] Removing a catalog zone from catalog-zones without
- also removing the referenced zone could leave a
- dangling pointer. [GL #3683]
-
-6036. [bug] nslookup and host were not honoring the selected port
- in TCP mode. [GL #3721]
-
-6034. [func] Deprecate alt-transfer-source, alt-transfer-source-v6
- and use-alt-transfer-source. [GL #3694]
-
-6031. [bug] Move the "final reference detached" log message
- from dns_zone unit to the DEBUG(1) log level.
- [GL #3707]
-
-6027. [bug] Fix assertion failure in isc_http API used by
- statschannel if the read callback would be called
- on HTTP request that has been already closed.
- [GL #3693]
-
-6026. [cleanup] Deduplicate time unit conversion factors.
- [GL !7033]
-
-6025. [bug] Copy TLS identifier when setting up primaries for
- catalog member zones. [GL #3638]
-
-6024. [func] Deprecate 'auto-dnssec'. [GL #3667]
-
-6022. [performance] The decompression implementation in dns_name_fromwire()
- is now smaller and faster. [GL #3655]
-
-6021. [bug] Use the current domain name when checking answers from
- a dual-stack-server. [GL #3607]
-
-6020. [bug] Ensure 'named-checkconf -z' respects the check-wildcard
- option when loading a zone. [GL #1905]
-
-6019. [func] Deprecate `coresize`, `datasize`, `files`, and
- `stacksize` named.conf options. [GL #3676]
-
-
-6017. [bug] The view's zone table was not locked when it should
- have been leading to race conditions when external
- extensions that manipulate the zone table where in
- use. [GL #3468]
-
-6015. [bug] Some browsers (Firefox) send more than 10 HTTP
- headers. Bump the number of allowed HTTP headers
- to 100. [GL #3670]
-
-5902. [func] NXDOMAIN cache records are no longer retained in
- the cache after expiry, even when serve-stale is
- in use. [GL #3386]
-
- --- 9.18.9 released ---
-
-6013. [bug] Fix a crash that could happen when you change
- a dnssec-policy zone with NSEC3 to start using
- inline-signing. [GL #3591]
-
-6009. [bug] Don't trust a placeholder KEYDATA from the managed-keys
- zone by adding it into secroots. [GL #2895]
-
-6008. [bug] Fixed a race condition that could cause a crash
- in dns_zone_synckeyzone(). [GL #3617]
-
-6007. [cleanup] Don't enforce the jemalloc use on NetBSD. [GL #3634]
-
-6003. [bug] Fix an inheritance bug when setting the port on
- remote servers in configuration. [GL #3627]
-
-6002. [bug] Fix a resolver prefetch bug when the record's TTL value
- is equal to the configured prefetch eligibility value,
- but the record was erroneously not treated as eligible
- for prefetching. [GL #3603]
-
-6001. [bug] Always call dns_adb_endudpfetch() after calling
- dns_adb_beginudpfetch() for UDP queries in resolver.c,
- in order to adjust back the quota. [GL #3598]
-
-6000. [bug] Fix a startup issue on Solaris systems with many
- (reportedly > 510) CPUs. Thanks to Stacey Marshall from
- Oracle for deep investigation of the problem. [GL #3563]
-
-5999. [bug] rpz-ip rules could be ineffective in some scenarios
- with CD=1 queries. [GL #3247]
-
-5998. [bug] The RecursClients statistics counter could overflow
- in certain resolution scenarios. [GL #3584]
-
-5997. [cleanup] Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR()
- reporting macros. [GL !6914]
-
-5996. [bug] Fix a couple of bugs in cfg_print_duration(), which
- could result in generating incomplete duration values
- when printing the configuration using named-checkconf.
- [GL !6880]
-
-5994. [func] Refactor the isc_httpd implementation used in the
- statistics channel. [GL !6879]
-
- --- 9.18.8 released ---
-
-5991. [protocol] Add support for parsing and validating "dohpath" to
- SVCB. [GL #3544]
-
-5990. [test] fuzz/dns_message_checksig now creates the key directory
- it uses when testing in /tmp at run time. [GL #3569]
-
-5988. [bug] Some out of memory conditions in opensslrsa_link.c
- could lead to memory leaks. [GL #3551]
-
-5984. [func] 'named -V' now reports the list of supported
- DNSSEC/DS/HMAC algorithms and the supported TKEY modes.
- [GL #3541]
-
-5983. [bug] Changing just the TSIG key names for primaries in
- catalog zones' member zones was not effective.
- [GL #3557]
-
-5982. [func] Extend dig to allow requests to be signed using SIG(0)
- as well as providing a mechanism to specify the signing
- time. [GL !5923]
-
-5981. [test] Add dns_message_checksig fuzzer to check messages
- signed using TSIG or SIG(0). [GL !5923]
-
-5978. [port] The ability to use pkcs11 via engine_pkcs11 has been
- restored, by only using deprecated APIs in
- OpenSSL 3.0.0. BIND needs to be compiled with
- '-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS
- at compile time. [GL !6711]
-
-5973. [bug] Fixed a possible invalid detach in UPDATE
- processing. [GL #3522]
-
-5972. [bug] Gracefully handle when the statschannel HTTP connection
- gets cancelled during sending data back to the client.
- [GL #3542]
-
-5970. [func] Log the reason why a query was refused. [GL !6669]
-
-5967. [cleanup] Flagged the "random-device" option (which was
- already nonoperational) as obsolete; configuring it
- will generate a warning. [GL #3399]
-
-5963. [bug] Ensure struct named_server is properly initialized.
- [GL #6531]
-
- --- 9.18.7 released ---
-
-5962. [security] Fix memory leak in EdDSA verify processing.
- (CVE-2022-38178) [GL #3487]
-
-5960. [security] Fix serve-stale crash that could happen when
- stale-answer-client-timeout was set to 0 and there was
- a stale CNAME in the cache for an incoming query.
- (CVE-2022-3080) [GL #3517]
-
-5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0
- and later versions. The openssldh_compare(),
- openssldh_paramcompare(), and openssldh_todns()
- functions were affected. (CVE-2022-2906) [GL #3491]
-
-5958. [security] When an HTTP connection was reused to get
- statistics from the stats channel, and zlib
- compression was in use, each successive
- response sent larger and larger blocks of memory,
- potentially reading past the end of the allocated
- buffer. (CVE-2022-2881) [GL #3493]
-
-5957. [security] Prevent excessive resource use while processing large
- delegations. (CVE-2022-2795) [GL #3394]
-
-5956. [func] Make RRL code treat all QNAMEs that are subject to
- wildcard processing within a given zone as the same
- name. [GL #3459]
-
-5955. [port] The libxml2 library has deprecated the usage of
- xmlInitThreads() and xmlCleanupThreads() functions. Use
- xmlInitParser() and xmlCleanupParser() instead.
- [GL #3518]
-
-5954. [func] Fallback to IDNA2003 processing in dig when IDNA2008
- conversion fails. [GL #3485]
-
-5953. [bug] Fix a crash on shutdown in delete_trace_entry(). Add
- mctx attach/detach pair to make sure that the memory
- context used by a memory pool is not destroyed before
- the memory pool itself. [GL #3515]
-
-5952. [bug] Use quotes around address strings in YAML output.
- [GL #3511]
-
-5951. [bug] In some cases, the dnstap query_message field was
- erroneously set when logging response messages.
- [GL #3501]
-
-5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing
- dns_db_detachnode() call. [GL #3500]
-
-5947. [func] Change dnssec-policy to allow graceful transition from
- an NSEC only zone to NSEC3. [GL #3486]
-
-5946. [bug] Fix statistics channel's handling of multiple HTTP
- requests in a single connection which have non-empty
- request bodies. [GL #3463]
-
-5945. [bug] If parsing /etc/bind.key failed, delv could assert
- when trying to parse the built in trust anchors as
- the parser hadn't been reset. [GL !6468]
-
-5944. [bug] Fix +http-plain-get and +http-plain-post options
- support in dig. Thanks to Marco Davids at SIDN for
- reporting the problem. [GL !6672]
-
-5942. [bug] Fix tkey.c:buildquery() function's error handling by
- adding the missing cleanup code. [GL #3492]
-
-5941. [func] Zones with dnssec-policy now require dynamic DNS or
- inline-siging to be configured explicitly. [GL #3381]
-
-5938. [bug] An integer type overflow could cause an assertion
- failure when freeing memory. [GL #3483]
-
-5936. [bug] Don't enable serve-stale for lookups that error because
- it is a duplicate query or a query that would be
- dropped. [GL #2982]
-
-5935. [bug] Fix DiG lookup reference counting bug, which could
- be observed in NSSEARCH mode. [GL #3478]
-
- --- 9.18.6 released ---
-
-5934. [func] Improve fetches-per-zone fetch limit logging to log
- the final allowed and spilled values of the fetch
- counters before the counter object gets destroyed.
- [GL #3461]
-
-5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
- named on Fedorda 33, Oracle Linux 9 and RHEL9 when
- they are disabled by the security policy. [GL #3469]
-
-5932. [bug] Fix rndc dumpdb -expired and always include expired
- RRsets, not just for RBTDB_VIRTUAL time window.
- [GL #3462]
-
-5931. [bug] Fix DiG query error handling robustness in NSSEARCH
- mode by making sure that udp_ready(), tcp_connected(),
- and send_done() callbacks start the next query in chain
- even if there is some kind of error with the previous
- query. [GL #3419]
-
-5930. [bug] Fix DiG query retry and fail-over bug in UDP mode.
- Also simplify the overall retry and fail-over logic to
- make it behave predictably, and always respect the
- documented +retry/+tries count set by a command-line
- option (or use the default values of 2 or 3
- respectively). [GL #3407]
-
-5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
- not fully effective; it was used for timing key
- rollovers but did not actually place an upper limit
- on TTLs when loading a zone. This has been
- corrected, and the documentation has been clarified
- to indicate that the old "max-zone-ttl" zone option
- is now ignored when "dnssec-policy" is in use.
- [GL #2918]
-
-5927. [bug] A race was possible in dns_dispatch_connect()
- that could trigger an assertion failure if two
- threads called it near-simultaneously. [GL #3456]
-
-5926. [func] Handle transient TCP connect() EADDRINUSE failures
- on FreeBSD (and possibly other BSDs) by trying three
- times before giving up. [GL #3451]
-
-5925. [bug] With a forwarder configured for all queries, resolution
- failures encountered during DS chasing could trigger
- assertion failures due to a logic bug in
- resume_dslookup() that caused it to call
- dns_resolver_createfetch() with an invalid name.
- [GL #3439]
-
-5924. [func] When it's necessary to use AXFR to respond to an
- IXFR request, a message explaining the reason
- is now logged at level info. [GL #2683]
-
-5923. [bug] Fix inheritance for dnssec-policy when checking for
- inline-signing. [GL #3438]
-
-5922. [bug] Forwarding of UPDATE message could fail with the
- introduction of netmgr. This has been fixed. [GL #3389]
-
-5921. [test] Convert system tests to use a default DNSKEY algorithm
- where the test is not DNSKEY algorithm specific.
- [GL #3440]
-
- --- 9.18.5 released ---
-
-5917. [bug] Update ifconfig.sh script as is miscomputed interface
- identifiers when destroying interfaces. [GL #3061]
-
-5916. [bug] When resolving a name, don't give up immediately if an
- authoritative server returns FORMERR; try the other
- servers first. [GL #3152]
-
-5915. [bug] Detect missing closing brace (}) and computational
- overflows in $GENERATE directives. [GL #3429]
-
-5914. [bug] When synth-from-dnssec generated a response using
- records from a higher zone, it could unexpectedly prove
- non-existance of records in a subordinate grafted-on
- namespace. [GL #3402]
-
-5911. [bug] Update HTTP listener settings on reconfiguration.
- [GL #3415]
-
-5910. [cleanup] Move built-in dnssec-policies into the defaultconf.
- These are now printed with 'named -C'. [GL !6467]
-
-5909. [bug] The server-side destination port was missing from dnstap
- captures of client traffic. [GL #3309]
-
-5908. [bug] Fix race conditions in route_connected(). [GL #3401]
-
-5907. [bug] Fix a crash in dig NS search mode when one of the NS
- server queries fail. [GL #3207]
-
-5905. [bug] When the TCP connection would be closed/reset between
- the connect/accept and the read, the uv_read_start()
- return value would be unexpected and cause an assertion
- failure. [GL #3400]
-
-5904. [func] Changed dnssec-signzone -H default to 0 additional
- NSEC3 iterations. [GL #3395]
-
-5903. [bug] When named checks that the OPCODE in a response matches
- that of the request, if there is a mismatch named logs
- an error. Some of those error messages incorrectly
- used RCODE instead of OPCODE to lookup the nemonic.
- This has been corrected. [GL !6420]
-
-5901. [bug] When processing a catalog zone member zone make sure
- that there is no configured pre-existing forward-only
- forward zone with that name. [GL #2506]
-
- --- 9.18.4 released ---
-
-5899. [func] Don't try to process DNSSEC-related and ZONEMD records
- in catz. [GL #3380]
-
-5896. [func] Add some more dnssec-policy checks to detect weird
- policies. [GL #1611]
-
-5895. [test] Add new set of unit test macros and move the unit
- tests under single namespace in /tests/. [GL !6243]
-
-5893. [func] Add TLS session resumption support to the client-side
- TLS code. [GL !6274]
-
-5891. [func] Key timing options for `dnssec-settime` and related
- utilities now accept "UNSET" times as printed by
- `dnssec-settime -p`. [GL #3361]
-
-5890. [bug] When the fetches-per-server quota was adjusted
- because of an authoritative server timing out more
- or less frequently, it was incorrectly set to 1
- rather than the intended value. This has been
- fixed. [GL #3327]
-
-5888. [bug] Only write key files if the dnssec-policy keymgr has
- changed the metadata. [GL #3302]
-
-5837. [func] Key timing options for `dnssec-keygen` and
- `dnssec-settime` now accept times as printed by
- `dnssec-settime -p`. [GL !2947]
-
- --- 9.18.3 released ---
-
-5886. [security] Fix a crash in DNS-over-HTTPS (DoH) code caused by
- premature TLS stream socket object deletion.
- (CVE-2022-1183) [GL #3216]
-
-5885. [bug] RPZ NSIP and NSDNAME rule processing didn't handle stub
- and static-stub zones at or above the query name. This
- has now been addressed. [GL #3232]
-
-5882. [contrib] Avoid name space collision in dlz modules by prefixing
- functions with 'dlz_'. [GL !5778]
-
-5880. [func] Add new named command-line option -C to print built-in
- defaults. [GL #1326]
-
-5879. [contrib] dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
-
-5877. [func] Introduce the concept of broken catalog zones described
- in the DNS catalog zones draft version 5 document.
- [GL #3224]
-
-5876. [func] Add DNS Extended Errors when stale answers are returned
- from cache. [GL #2267]
-
-5875. [bug] Fixed a deadlock that could occur if an rndc
- connection arrived during the shutdown of network
- interfaces. [GL #3272]
-
-5873. [bug] Refactor the fctx_done() function to set fctx to
- NULL after detaching, so that reference counting
- errors will be easier to avoid. [GL #2969]
-
-5872. [bug] udp_recv() in dispatch could trigger an INSIST when the
- callback's result indicated success but the response
- was canceled in the meantime. [GL #3300]
-
-5866. [bug] Work around a jemalloc quirk which could trigger an
- out-of-memory condition in named over time. [GL #3287]
-
-5863. [bug] If there was a pending negative cache DS entry,
- validations depending upon it could fail. [GL #3279]
-
-5862. [bug] dig returned a 0 exit status on UDP connection failure.
- [GL #3235]
-
-5861. [func] Implement support for catalog zones change of ownership
- (coo) mechanism described in the DNS catalog zones draft
- version 5 document. [GL #3223]
-
-5860. [func] Implement support for catalog zones options new syntax
- based on catalog zones custom properties with "ext"
- suffix described in the DNS catalog zones draft version
- 5 document. [GL #3222]
-
-5859. [bug] Fix an assertion failure when using dig with +nssearch
- and +tcp options by starting the next query in the
- send_done() callback (like in the UDP mode) instead
- of doing that recursively in start_tcp(). Also
- ensure that queries interrupted while connecting
- are detached properly. [GL #3144]
-
-5858. [bug] Don't remove CDS/CDNSKEY DELETE records on zone sign
- when using 'auto-dnssec maintain;'. [GL #2931]
-
-5854. [func] Implement reference counting for TLS contexts and
- allow reloading of TLS certificates on reconfiguration
- without destroying the underlying TCP listener sockets
- for TLS-based DNS transports. [GL #3122]
-
-5849. [cleanup] Remove use of exclusive mode in ns_interfacemgr in
- favor of rwlocked access to localhost and localnets
- members of dns_aclenv_t structure. [GL #3229]
-
-5842. [cleanup] Remove the task exclusive mode use in ns_clientmgr.
- [GL #3230]
-
-5839. [func] Add support for remote TLS certificates
- verification, both to BIND and dig, making it possible
- to implement Strict and Mutual TLS authentication,
- as described in RFC 9103, Section 9.3. [GL #3163]
-
- --- 9.18.2 released ---
-
-5856. [bug] The "starting maxtime timer" message related to outgoing
- zone transfers was incorrectly logged at the ERROR level
- instead of DEBUG(1). [GL #3208]
-
-5855. [bug] Ensure that zone maintenance queries have a retry limit.
- [GL #3242]
-
-5853. [bug] When using both the `+qr` and `+y` options `dig` could
- crash if the connection to the first server was not
- successful. [GL #3244]
-
-5852. [func] Add new "reuseport" option to enable/disable load
- balancing of sockets. [GL #3249]
-
-5848. [bug] dig could hang in some cases involving multiple servers
- in a lookup, when a request fails and the next one
- refuses to start for some reason, for example if it was
- an IPv4 mapped IPv6 address. [GL #3248]
-
-5844. [bug] dig +nssearch was hanging until manually interrupted.
- [GL #3145]
-
-5843. [bug] When an UPDATE targets a zone that is not configured,
- the requested zone name is now logged in the "not
- authoritative" error message, so that it is easier to
- track down problematic update clients. [GL #3209]
-
-5838. [cleanup] When modifying a member zone in a catalog zone, and it
- is detected that the zone exists and was not created by
- the current catalog zone, distinguish the two cases when
- the zone was not added by a catalog zone at all, and
- when the zone was added by a different catalog zone,
- and log a warning message accordingly. [GL #3221]
-
-5836. [bug] Quote the dns64 prefix in error messages that complain
- about problems with it, to avoid confusion with the
- following dns64 ACLs. [GL #3210]
-
-5834. [cleanup] C99 variable-length arrays are difficult to use safely,
- so avoid them except in test code. [GL #3201]
-
-5833. [bug] When encountering socket error while trying to initiate
- a TCP connection to a server, dig could hang
- indefinitely, when there were more servers to try.
- [GL #3205]
-
-5832. [bug] When timing-out or having other types of socket errors
- during a query, dig wasn't trying to perform the lookup
- using other servers, in case they exist. [GL #3128]
-
-5831. [bug] When resending a UDP request in the result of a timeout,
- the recv_done() function in dighost.c was prepending
- the new query into the loookup's queries list instead
- of inserting, which could cause an assertion failure
- when the resent query's result was SERVFAIL. [GL #3020]
-
-5828. [bug] Replace single TCP write timer with per-TCP write
- timers. [GL #3200]
-
-5825. [func] Set the minimum MTU on UDPv6 and TCPv6 sockets and
- limit TCP maximum segment size (TCP_MAXSEG) to (1220)
- for both TCPv4 and TCPv6 sockets. [GL #2201]
-
-5824. [bug] Invalid dnssec-policy definitions were being accepted
- where the defined keys did not cover both KSK and ZSK
- roles for a given algorithm. This is now checked for
- and the dnssec-policy is rejected if both roles are
- not present for all algorithms in use. [GL #3142]
-
-5823. [func] Replace hazard pointers based lock-free list with
- locked-list based queue that's simpler and has no or
- little performance impact. [GL #3180]
-
-5822. [bug] When calling dns_dispatch_send(), attach/detach
- dns_request_t object as the read callback could
- be called before send callback dereferencing
- dns_request_t object too early. [GL #3105]
-
-5821. [bug] Fix query context management issues in the TCP part
- of dig. [GL #3184]
-
- --- 9.18.1 released ---
-
-5820. [security] An assertion could occur in resume_dslookup() if the
- fetch had been shut down earlier. (CVE-2022-0667)
- [GL #3129]
-
-5819. [security] Lookups involving a DNAME could trigger an INSIST when
- "synth-from-dnssec" was enabled. (CVE-2022-0635)
- [GL #3158]
-
-5818. [security] A synchronous call to closehandle_cb() caused
- isc__nm_process_sock_buffer() to be called recursively,
- which in turn left TCP connections hanging in the
- CLOSE_WAIT state blocking indefinitely when
- out-of-order processing was disabled. (CVE-2022-0396)
- [GL #3112]
-
-5817. [security] The rules for acceptance of records into the cache
- have been tightened to prevent the possibility of
- poisoning if forwarders send records outside
- the configured bailiwick. (CVE-2021-25220) [GL #2950]
-
-5816. [bug] Make BIND compile with LibreSSL 3.5.0, as it was using
- not very accurate pre-processor checks for using shims.
- [GL #3172]
-
-5815. [bug] If an oversized key name of a specific length was used
- in the text form of an HTTP or SVBC record, an INSIST
- could be triggered when parsing it. [GL #3175]
-
-5814. [bug] The RecursClients statistics counter could underflow
- in certain resolution scenarios. [GL #3147]
-
-5812. [func] Drop the artificial limit on the number of queries
- processed in a single TCP read callback. [GL #3141]
-
-5811. [bug] Reimplement the maximum and idle timeouts for outgoing
- zone transfers. [GL #1897]
-
-5809. [bug] Reset client TCP connection when data received cannot
- be parsed as a valid DNS request. [GL #3149]
-
-5808. [bug] Certain TCP failures were not caught and handled
- correctly by the dispatch manager, causing
- connections to time out rather than returning
- SERVFAIL. [GL #3133]
-
-5807. [bug] Add a TCP "write" timer, and time out writing
- connections after the "tcp-idle-timeout" period
- has elapsed. [GL #3132]
-
-5806. [bug] An error in checking the "blackhole" ACL could cause
- DNS requests sent by named to fail if the
- destination address or prefix was specifically
- excluded from the ACL. [GL #3157]
-
-5805. [func] The result of each resolver priming attempt is now
- included in the "resolver priming query complete" log
- message. [GL #3139]
-
-5804. [func] Add a debug log message when starting and ending
- the task exclusive mode. [GL #3137]
-
-5803. [func] Use compile-time paths in the documentation.
- [GL #2717]
-
-5802. [test] Add system test to test engine_pkcs11. [GL !5727]
-
-5801. [bug] Log "quota reached" message when hard quota
- is reached when accepting a connection. [GL #3125]
-
-5800. [func] Add ECS support to the DLZ interface. [GL #3082]
-
-5799. [bug] Use L1 cache-line size detected at runtime. [GL #3108]
-
-5798. [test] Add system test to test dnssec-keyfromlabel. [GL #3092]
-
-5797. [bug] A failed view configuration during a named
- reconfiguration procedure could cause inconsistencies
- in BIND internal structures, causing a crash or other
- unexpected errors. [GL #3060]
-
- --- 9.18.0 released ---
-
-5796. [bug] Ignore the invalid (<= 0) values returned
- by the sysconf() check for the L1 cache line
- size. [GL #3108]
-
-5795. [bug] rndc could crash when interrupted by a signal
- before receiving a response. [GL #3080]
-
-5794. [func] Set the IPV6_V6ONLY on all IPv6 sockets to
- restrict the IPv6 sockets to sending and
- receiving IPv6 packets only. [GL #3093]
-
-5793. [bug] Correctly detect and enable UDP recvmmsg support
- in all versions of libuv that support it. [GL #3095]
-
-5792. [bug] Don't schedule zone events on ISC_R_SHUTTINGDOWN
- event failures. [GL #3084]
-
-5791. [func] Remove workaround for servers returning FORMERR
- when receiving NOTIFY query with SOA record in
- ANSWER section. [GL #3086]
-
-5790. [bug] The control channel was incorrectly looking for
- ISC_R_CANCELED as a signal that the named is
- shutting down. In the dispatch refactoring,
- the result code returned from network manager
- is now ISC_R_SHUTTINGDOWN. Change the control
- channel code to use ISC_R_SHUTTINGDOWN result
- code to detect named being shut down. [GL #3079]
-
- --- 9.17.22 released ---
-
-5789. [bug] Allow replacing expired zone signatures with
- signatures created by the KSK. [GL #3049]
-
-5788. [bug] An assertion could occur if a catalog zone event was
- scheduled while the task manager was being shut
- down. [GL #3074]
-
-5787. [doc] Update 'auto-dnssec' documentation, it may only be
- activated at zone level. [GL #3023]
-
-5786. [bug] Defer detaching from zone->raw in zone_shutdown() if
- the zone is in the process of being dumped to disk, to
- ensure that the unsigned serial number information is
- always written in the raw-format header of the signed
- version on an inline-signed zone. [GL #3071]
-
-5785. [bug] named could leak memory when two dnssec-policy clauses
- had the same name. named failed to log this error.
- [GL #3085]
-
-5784. [func] Implement TLS-contexts reuse. Reusing the
- previously created TLS context objects can reduce
- initialisation time for some configurations and enables
- TLS session resumption for incoming zone transfers over
- TLS (XoT). [GL #3067]
-
-5783. [func] named is now able to log TLS pre-master secrets for
- debugging purposes. This requires setting the
- SSLKEYLOGFILE environment variable appropriately.
- [GL #2723]
-
-5782. [func] Use ECDSA P-256 instead of a 4096-bit RSA when
- generating ephemeral key and certificate for the
- 'tls ephemeral' configuration. [GL #2264]
-
-5781. [bug] Make BIND work with OpenSSL 3.0.1 as it is now
- enforcing minimum buffer lengths in EVP_MAC_final and
- hence EVP_DigestSignFinal. rndc and TSIG at a minimum
- were broken by this change. [GL #3057]
-
-5780. [bug] The Linux kernel may send netlink messages
- indicating that network interfaces have changed
- when they have not. This caused frequent unnecessary
- re-scans of the interfaces. Netlink messages now
- only trigger re-scanning if a new address is seen
- or an existing address is removed. [GL #3055]
-
-5779. [test] Drop cppcheck suppressions and workarounds. [GL #2886]
-
-5778. [bug] Destroyed TLS contexts could have been used after a
- reconfiguration, making BIND unable to serve queries
- over TLS and HTTPS. [GL #3053]
-
-5777. [bug] TCP connections could hang after receiving
- non-matching responses. [GL #3042]
-
-5776. [bug] Add a missing isc_condition_destroy() for nmsocket
- condition variable and add missing isc_mutex_destroy()
- for nmworker lock. [GL #3051]
-
- --- 9.17.21 released ---
-
-5775. [bug] Added a timer in the resolver to kill fetches that
- have deadlocked as a result of dependency loops
- with the ADB or the validator. This condition is
- now logged with the message "shut down hung fetch
- while resolving '<name>/<type>'". [GL #3040]
-
-5774. [func] Restore NSEC Aggressive Cache ("synth-from-dnssec")
- as active by default. It is limited to NSEC only
- and by default ignores NSEC records with next name
- in form \000.domain. [GL #1265]
-
-5773. [func] Change the message when accepting TCP connection has
- failed to say "Accepting TCP connection failed" and
- change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
- and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
- [GL #2700]
-
-5772. [bug] The resolver could hang on shutdown due to dispatch
- resources not being cleaned up when a TCP connection
- was reset. [GL #3026]
-
-5771. [bug] Use idn2 UseSTD3ASCIIRules=false to disable additional
- unicode validity checks because enabling the additional
- checks would break valid domain names that contains
- non-alphanumerical characters such as underscore
- character (_) or wildcard (*). This reverts change
- [GL !5738] from the previous release. [GL #1610]
-
-5770. [func] BIND could abort on startup on systems using old
- OpenSSL versions when 'protocols' option is used inside
- a 'tls' statement. [GL !5602]
-
-5769. [func] Added support for client-side 'tls' parameters when
- doing incoming zone transfers via XoT. [GL !5602]
-
-5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
-
-5767. [func] Extend allow-transfer option with 'port' and
- 'transport' options to restrict zone transfers to
- a specific port and DNS transport protocol.
- [GL #2776]
-
-5766. [func] Unused 'tls' clause options 'ca-file' and 'hostname'
- were disabled. [GL !5600]
-
-5765. [bug] Fix a bug in DoH implementation making 'dig'
- abort when ALPN negotiation fails. [GL #3022]
-
-5764. [bug] dns_sdlz_putrr failed to process some valid resource
- records. [GL #3021]
-
-5763. [bug] Fix a bug in DoT code leading to an abort when
- a zone transfer ends with an unexpected DNS message.
- [GL #3004]
-
-5762. [bug] Fix a "named" crash related to removing and restoring a
- `catalog-zone` entry in the configuration file and
- running `rndc reconfig`. [GL #1608]
-
-5761. [bug] OpenSSL 3.0.0 support could fail to correctly read
- ECDSA private keys leading to incorrect signatures
- being generated. [GL #3014]
-
-5760. [bug] Prevent a possible use-after-free error in resolver.
- [GL #3018]
-
-5759. [func] Set Extended DNS Error Code 18 - Prohibited if query
- access is denied to the specific client. [GL #1836]
-
-5758. [bug] mdig now honors the operating system's preferred
- ephemeral port range. [GL #2374]
-
-5757. [test] Replace sed in nsupdate system test with awk to
- construct the nsupdate command. The sed expression
- was not reliably changing the ttl. [GL #3003]
-
-5756. [func] Assign HTTP freshness lifetime to responses sent
- via DNS-over-HTTPS, according to the recommendations
- given in RFC 8484. [GL #2854]
-
- --- 9.17.20 released ---
-
-5755. [bug] The statistics channel wasn't correctly handling
- multiple HTTP requests, or pipelined or truncated
- requests. [GL #2973]
-
-5754. [bug] "tls" statements may omit "key-file" and "cert-file",
- but if either one is specified, then both must be.
- [GL #2986]
-
-5753. [placeholder]
-
-5752. [bug] Fix an assertion failure caused by missing member zones
- during a reload of a catalog zone. [GL #2308]
-
-5751. [port] Add support for OpenSSL 3.0.0. OpenSSL 3.0.0
- deprecated 'engine' support. If OpenSSL 3.0.0 has
- been built without support for deprecated functionality
- pkcs11 via engine_pkcs11 is no longer available.
- [GL #2843]
-
-5750. [bug] Fix a bug when comparing two RSA keys. There was a typo
- which caused the "p" prime factors to not being
- compared. [GL #2972]
-
-5749. [bug] Handle duplicate references to the same catalog
- zone gracefully. [GL #2916]
-
-5748. [func] Update "nsec3param" defaults to iterations 0, salt
- length 0. [GL #2956]
-
-5747. [func] Update rndc serve-stale status output to be less
- confusing. [GL #2742]
-
-5746. [bug] A lame server delegation could lead to a loop in which
- a resolver fetch depends on an ADB find which depends
- on the same resolver fetch. Previously, this would
- cause the fetch to hang until timing out, but after
- change #5730 it would hang forever. The condition is
- now detected and avoided. [GL #2927]
-
-5745. [bug] Fetch context objects now use attach/detach
- semantics to make it easier to find and debug
- reference-counting errors, and several such errors
- have been fixed. [GL #2953]
-
-5744. [func] The network manager is now used for netlink sockets
- to monitor network interface changes. This was the
- last remaining use of the old isc_socket and
- isc_socketmgr APIs, so they have now been removed.
- The "named -S" argument and the "reserved-sockets"
- option in named.conf have no function now, and are
- deprecated. "socketmgr" statistics are no longer
- reported in the statistics channel. [GL #2926]
-
-5743. [func] Add finer-grained "update-policy" rules,
- "krb5-subdomain-self-rhs" and "ms-subdomain-self-rhs",
- which restrict SRV and PTR record changes, allowing
- only records whose content matches the machine name
- embedded in the Kerberos principal making the change.
- [GL #481]
-
-5742. [func] ISC_LIKELY() and ISC_UNLIKELY() macros have been
- removed. [GL #2952]
-
-5741. [bug] Log files with "timestamp" suffixes could be left in
- place after rolling, even if the number of preserved
- log files exceeded the configured "versions" limit.
- [GL #828]
-
-5740. [func] Implement incremental resizing of RBT hash table to
- perform the rehashing gradually. [GL #2941]
-
-5739. [func] Change default of 'dnssec-dnskey-kskonly' to 'yes'.
- [GL #1316]
-
-5738. [bug] Enable idn2 UseSTD3ASCIIRules=true to implement
- additional unicode validity checks. [GL #1610]
-
-5737. [bug] Address Coverity warning in lib/dns/dnssec.c.
- [GL #2935]
-
- --- 9.17.19 released ---
-
-5736. [security] The "lame-ttl" option is now forcibly set to 0. This
- effectively disables the lame server cache, as it could
- previously be abused by an attacker to significantly
- degrade resolver performance. (CVE-2021-25219)
- [GL #2899]
-
-5735. [cleanup] The result codes which BIND 9 uses internally are now
- all defined as a single list of enum values rather than
- as multiple sets of integers scattered around shared
- libraries. This prevents the need for locking in some
- functions operating on result codes, and makes result
- codes more debugger-friendly. [GL #719]
-
-5734. [bug] Fix intermittent assertion failures in dig which were
- triggered during zone transfers. [GL #2884]
-
-5733. [func] Require the "dot" Application-Layer Protocol Negotiation
- (ALPN) token to be selected in the TLS handshake for
- zone transfers over TLS (XoT), as required by RFC 9103
- section 7.1. [GL #2794]
-
-5732. [cleanup] Remove the dns_lib_init(), dns_lib_shutdown(),
- ns_lib_init(), and ns_lib_shutdown() functions, as they
- no longer served any useful purpose. [GL #88]
-
-5731. [bug] Disallow defining "http" configuration clauses called
- "default" as they were silently ignored. [GL #2925]
-
-5730. [func] The resolver and the request and dispatch managers have
- been substantially refactored, and are now based on the
- network manager instead of the old isc_socket API. All
- outgoing DNS queries and requests now use the new API;
- isc_socket is only used to monitor for network interface
- changes. [GL #2401]
-
-5729. [func] Allow finer control over TLS protocol configuration by
- implementing new options for "tls" configuration clauses
- ("dhparam-file", "ciphers", "prefer-server-ciphers",
- "session-tickets"). These options make achieving perfect
- forward secrecy (PFS) possible for DNS-over-TLS (DoT)
- and DNS-over-HTTPS (DoH). [GL #2796]
-
-5728. [func] Allow specifying supported TLS protocol versions for
- each "tls" configuration clause. [GL #2795]
-
-5727. [placeholder]
-
-5726. [bug] Fix a use-after-free bug which was triggered while
- checking for duplicate "http" configuration clauses.
- [GL #2924]
-
-5725. [bug] Fix an assertion failure triggered by passing an invalid
- HTTP path to dig. [GL #2923]
-
-5724. [bug] Address a potential deadlock when checking zone content
- consistency. [GL #2908]
-
-5723. [bug] Change 5709 broke backward compatibility for the
- "check-names master ..." and "check-names slave ..."
- options. This has been fixed. [GL #2911]
-
-5722. [bug] Preserve the contents of the receive buffer for TCPDNS
- and TLSDNS when growing its size. [GL #2917]
-
-5721. [func] A new realloc()-like function, isc_mem_reget(), was
- added to the libisc API for resizing memory chunks
- allocated using isc_mem_get(). Memory (re)allocation
- functions are now guaranteed to return non-NULL pointers
- for zero-sized allocation requests. [GL !5440]
-
-5720. [contrib] Remove old-style DLZ drivers that had to be enabled at
- build time. [GL #2814]
-
-5719. [func] Remove support for the "map" zone file format.
- [GL #2882]
-
-5718. [bug] The "sig-signing-type" zone configuration option was
- processed incorrectly, causing valid configurations to
- be rejected. This has been fixed. [GL #2906]
-
-5717. [func] The "cache-file" option, which was documented as "for
- testing purposes only" and not to be used, has been
- removed. [GL #2903]
-
-5716. [placeholder]
-
-5715. [func] Add a check for ports specified in "*-source(-v6)"
- options clashing with a global listening port. Such a
- configuration was already unsupported, but it failed
- silently; it is now treated as an error. [GL #2888]
-
-5714. [bug] Remove the "adjust interface" mechanism which was
- responsible for setting up listeners on interfaces when
- the "*-source(-v6)" address and port were the same as
- the "listen-on(-v6)" address and port. Such a
- configuration is no longer supported; under certain
- timing conditions, that mechanism could prevent named
- from listening on some TCP ports. This has been fixed.
- [GL #2852]
-
-5713. [func] Add "primaries" as a synonym for "masters" and
- "default-primaries" as a synonym for "default-masters"
- in catalog zone configuration options. [GL #2818]
-
-5712. [func] Remove native PKCS#11 support in favor of engine_pkcs11
- from the OpenSC project. [GL #2691]
-
- --- 9.17.18 released ---
-
-5711. [bug] "map" files exceeding 2GB in size failed to load due to
- a size comparison that incorrectly treated the file size
- as a signed integer. [GL #2878]
-
-5710. [placeholder]
-
-5709. [func] When reporting zone types in the statistics channel, the
- terms "primary" and "secondary" are now used instead of
- "master" and "slave", respectively. Enum values
- throughout the code have been updated to use this
- terminology as well. [GL #1944]
-
-5708. [placeholder]
-
-5707. [bug] A bug was fixed which prevented dig from querying
- DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860]
-
-5706. [cleanup] Support for external applications to register with
- libisc and use it has been removed. Export versions of
- BIND 9 libraries have not been supported for some time,
- but the isc_lib_register() function was still available;
- it has now been removed. [GL !2420]
-
-5705. [bug] Change #5686 altered the internal memory structure of
- zone databases, but neglected to update the MAPAPI value
- for zone files in "map" format. This caused named to
- attempt to load incompatible map files, triggering an
- assertion failure on startup. The MAPAPI value has now
- been updated, so named rejects outdated files when
- encountering them. [GL #2872]
-
-5704. [bug] Change #5317 caused the EDNS TCP Keepalive option to be
- ignored inadvertently in client requests. It has now
- been fixed and this option is handled properly again.
- [GL #1927]
-
-5703. [bug] Fix a crash in dig caused by closing an HTTP/2 socket
- associated with an unused HTTP/2 session. [GL #2858]
-
-5702. [bug] Improve compatibility with DNS-over-HTTPS (DoH) clients
- by allowing HTTP/2 request headers in any order.
- [GL #2875]
-
-5701. [bug] named-checkconf failed to detect syntactically invalid
- values of the "key" and "tls" parameters used to define
- members of remote server lists. [GL #2461]
-
-5700. [bug] When a member zone was removed from a catalog zone,
- journal files for the former were not deleted.
- [GL #2842]
-
-5699. [func] Data structures holding DNSSEC signing statistics are
- now grown and shrunk as necessary upon key rollover
- events. [GL #1721]
-
-5698. [bug] When a DNSSEC-signed zone which only has a single
- signing key available is migrated to use KASP, that key
- is now treated as a Combined Signing Key (CSK).
- [GL #2857]
-
-5697. [func] dnssec-cds now only generates SHA-2 DS records by
- default and avoids copying deprecated SHA-1 records from
- a child zone to its delegation in the parent. If the
- child zone does not publish SHA-2 CDS records,
- dnssec-cds will generate them from the CDNSKEY records.
- The "-a algorithm" option now affects the process of
- generating DS digest records from both CDS and CDNSKEY
- records. Thanks to Tony Finch. [GL #2871]
-
-5696. [protocol] Support for HTTPS and SVCB record types has been added.
- [GL #1132]
-
-5695. [func] Add a new dig command-line option, "+showbadcookie",
- which causes a BADCOOKIE response message to be
- displayed when it is received from the server.
- [GL #2319]
-
-5694. [bug] Stale data in the cache could cause named to send
- non-minimized queries despite QNAME minimization being
- enabled. [GL #2665]
-
-5693. [func] Restore support for reading "timeout" and "attempts"
- options from /etc/resolv.conf, and use their values in
- dig, host, and nslookup. (This was previously supported
- by liblwres, and was still mentioned in the man pages,
- but had stopped working after liblwres was deprecated in
- favor of libirs.) [GL #2785]
-
-5692. [bug] Fix a rare crash in DNS-over-HTTPS (DoH) code caused by
- detaching from an HTTP/2 session handle too early when
- sending data. [GL #2851]
-
-5691. [bug] When a dynamic zone was made available in another view
- using the "in-view" statement, running "rndc freeze"
- always reported an "already frozen" error even though
- the zone was successfully frozen. [GL #2844]
-
-5690. [func] dnssec-signzone now honors Predecessor and Successor
- metadata found in private key files: if a signature for
- an RRset generated by the inactive predecessor exists
- and does not need to be replaced, no additional
- signature is now created for that RRset using the
- successor key. This enables dnssec-signzone to gradually
- replace RRSIGs during a ZSK rollover. [GL #1551]
-
- --- 9.17.17 released ---
-
-5689. [security] An assertion failure occurred when named attempted to
- send a UDP packet that exceeded the MTU size, if
- Response Rate Limiting (RRL) was enabled.
- (CVE-2021-25218) [GL #2856]
-
-5688. [bug] Zones using KASP and inline-signed zones failed to apply
- changes from the unsigned zone to the signed zone under
- certain circumstances. This has been fixed. [GL #2735]
-
-5687. [bug] "rndc reload <zonename>" could trigger a redundant
- reload for an inline-signed zone whose zone file was not
- modified since the last "rndc reload". This has been
- fixed. [GL #2855]
-
-5686. [func] The number of internal data structures allocated for
- each zone was reduced. [GL #2829]
-
-5685. [bug] named failed to check the opcode of responses when
- performing zone refreshes, stub zone updates, and UPDATE
- forwarding. This has been fixed. [GL #2762]
-
-5684. [func] The DNS-over-HTTP (DoH) configuration syntax was
- extended:
- - The maximum number of active DoH connections can now
- be set using the "http-listener-clients" option. The
- default is 300.
- - The maximum number of concurrent HTTP/2 streams per
- connection can now be set using the
- "http-streams-per-connection" option. The default is
- 100.
- - Both of these values can also be set on a per-listener
- basis using the "listener-clients" and
- "streams-per-connection" parameters in an "http"
- statement.
- [GL #2809]
-
-5683. [bug] The configuration-checking code now verifies HTTP paths.
- [GL !5231]
-
-5682. [bug] Some changes to "zone-statistics" settings were not
- properly processed by "rndc reconfig". This has been
- fixed. [GL #2820]
-
-5681. [func] Relax the checks in the dns_zone_cdscheck() function to
- allow CDS and CDNSKEY records in the zone that do not
- match an existing DNSKEY record, as long as the
- algorithm matches. This allows a clean rollover from one
- provider to another in a multi-signer DNSSEC
- configuration. [GL #2710]
-
-5680. [bug] HTTP GET requests without query strings caused a crash
- in DoH code. This has been fixed. [GL !5268]
-
-5679. [func] Thread affinity is no longer set. [GL #2822]
-
-5678. [bug] The "check DS" code failed to release all resources upon
- named shutdown when a refresh was in progress. This has
- been fixed. [GL #2811]
-
-5677. [func] Previously, named accepted FORMERR responses both with
- and without an OPT record, as an indication that a given
- server did not support EDNS. To implement full
- compliance with RFC 6891, only FORMERR responses without
- an OPT record are now accepted. This intentionally
- breaks communication with servers that do not support
- EDNS and that incorrectly echo back the query message
- with the RCODE field set to FORMERR and the QR bit set
- to 1. [GL #2249]
-
-5676. [func] Memory allocation has been substantially refactored; it
- is now based on the memory allocation API provided by
- the jemalloc library, which is a new optional build
- dependency for BIND 9. [GL #2433]
-
-5675. [bug] Compatibility with DoH clients has been improved by
- ignoring the value of the "Accept" HTTP header.
- [GL !5246]
-
-5674. [bug] A shutdown hang was triggered by DoH clients prematurely
- aborting HTTP/2 streams. This has been fixed. [GL !5245]
-
-5673. [func] Add a new build-time option, --disable-doh, to allow
- building BIND 9 without the libnghttp2 library.
- [GL #2478]
-
-5672. [bug] Authentication of rndc messages could fail if a
- "controls" statement was configured with multiple key
- algorithms for the same listener. This has been fixed.
- [GL #2756]
-
- --- 9.17.16 released ---
-
-5671. [bug] A race condition could occur where two threads were
- competing for the same set of key file locks, leading to
- a deadlock. This has been fixed. [GL #2786]
-
-5670. [bug] create_keydata() created an invalid placeholder keydata
- record upon a refresh failure, which prevented the
- database of managed keys from subsequently being read
- back. This has been fixed. [GL #2686]
-
-5669. [func] KASP support was extended with the "check DS" feature.
- Zones with "dnssec-policy" and "parental-agents"
- configured now check for DS presence and can perform
- automatic KSK rollovers. [GL #1126]
-
-5668. [bug] Rescheduling a setnsec3param() task when a zone failed
- to load on startup caused a hang on shutdown. This has
- been fixed. [GL #2791]
-
-5667. [bug] The configuration-checking code failed to account for
- the inheritance rules of the "dnssec-policy" option.
- This has been fixed. [GL #2780]
-
-5666. [doc] The safe "edns-udp-size" value was tweaked to match the
- probing value from BIND 9.16 for better compatibility.
- [GL #2183]
-
-5665. [bug] If nsupdate sends an SOA request and receives a REFUSED
- response, it now fails over to the next available
- server. [GL #2758]
-
-5664. [func] For UDP messages larger than the path MTU, named now
- sends an empty response with the TC (TrunCated) bit set.
- In addition, setting the DF (Don't Fragment) flag on
- outgoing UDP sockets was re-enabled. [GL #2790]
-
-5663. [bug] Non-zero OPCODEs are now properly handled when receiving
- queries over DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
- channels. [GL #2787]
-
-5662. [bug] Views with recursion disabled are now configured with a
- default cache size of 2 MB unless "max-cache-size" is
- explicitly set. This prevents cache RBT hash tables from
- being needlessly preallocated for such views. [GL #2777]
-
-5661. [bug] Change 5644 inadvertently introduced a deadlock: when
- locking the key file mutex for each zone structure in a
- different view, the "in-view" logic was not considered.
- This has been fixed. [GL #2783]
-
-5660. [bug] The configuration-checking code failed to account for
- the inheritance rules of the "key-directory" option.
- [GL #2778]
-
- This change was included in BIND 9.17.15.
-
-5659. [bug] When preparing DNS responses, named could replace the
- letters 'W' (uppercase) and 'w' (lowercase) with '\000'.
- This has been fixed. [GL #2779]
-
- This change was included in BIND 9.17.15.
-
-5658. [bug] Increasing "max-cache-size" for a running named instance
- (using "rndc reconfig") did not cause the hash tables
- used by cache databases to be grown accordingly. This
- has been fixed. [GL #2770]
-
-5657. [cleanup] Support was removed for both built-in atomics in old
- versions of Clang (< 3.6.0) and GCC (< 4.7.0), and
- atomics emulated with a mutex. [GL #2606]
-
-5656. [bug] Named now ensures that large responses work correctly
- over DNS-over-HTTPS (DoH), and that zone transfer
- requests over DoH are explicitly rejected. [GL !5148]
-
-5655. [bug] Signed, insecure delegation responses prepared by named
- either lacked the necessary NSEC records or contained
- duplicate NSEC records when both wildcard expansion and
- CNAME chaining were required to prepare the response.
- This has been fixed. [GL #2759]
-
-5654. [port] Windows support has been removed. [GL #2690]
-
-5653. [bug] A bug that caused the NSEC3 salt to be changed on every
- restart for zones using KASP has been fixed. [GL #2725]
-
- --- 9.17.14 released ---
-
-5652. [bug] A copy-and-paste error in change 5584 caused the
- IP_DONTFRAG socket option to be enabled instead of
- disabled. This has been fixed. [GL #2746]
-
-5651. [func] Refactor zone dumping to be processed asynchronously via
- the uv_work_t thread pool API. [GL #2732]
-
-5650. [bug] Prevent a crash that could occur if serve-stale was
- enabled and a prefetch was triggered during a query
- restart. [GL #2733]
-
-5649. [bug] If a query was answered with stale data on a server with
- DNS64 enabled, an assertion could occur if a non-stale
- answer arrived afterward. [GL #2731]
-
-5648. [bug] The calculation of the estimated IXFR transaction size
- in dns_journal_iter_init() was invalid. [GL #2685]
-
-5647. [func] The interface manager has been refactored to use fewer
- client manager objects, which in turn use fewer memory
- contexts and tasks. This should result in less
- fragmented memory and better startup performance.
- [GL #2433]
-
-5646. [bug] The default TCP timeout for rndc has been increased to
- 60 seconds. This was its original value, but it had been
- inadvertently lowered to 10 when rndc was updated to use
- the network manager. [GL #2643]
-
-5645. [cleanup] Remove the rarely-used dns_name_copy() function and
- rename dns_name_copynf() to dns_name_copy(). [GL !5081]
-
-5644. [bug] Fix a race condition in reading and writing key files
- for zones using KASP and configured in multiple views.
- [GL #1875]
-
-5643. [placeholder]
-
-5642. [bug] Zones which are configured in multiple views with
- different values set for "dnssec-policy" and with
- identical values set for "key-directory" are now
- detected and treated as a configuration error.
- [GL #2463]
-
-5641. [bug] Address a potential memory leak in
- dst_key_fromnamedfile(). [GL #2689]
-
-5640. [func] Add new configuration options for setting the size of
- receive and send buffers in the operating system:
- "tcp-receive-buffer", "tcp-send-buffer",
- "udp-receive-buffer", and "udp-send-buffer". [GL #2313]
-
-5639. [bug] Check that the first and last SOA record of an AXFR are
- consistent. [GL #2528]
-
- --- 9.17.13 released ---
-
-5638. [bug] Improvements related to network manager/task manager
- integration:
- - isc_managers_create() and isc_managers_destroy()
- functions were added to handle setup and teardown of
- netmgr, taskmgr, timermgr, and socketmgr, since these
- require a precise order of operations now.
- - Event queue processing is now quantized to prevent
- infinite looping.
- - The netmgr can now be paused from within a netmgr
- thread.
- - Deadlocks due to a conflict between netmgr's
- pause/resume and listen/stoplistening operations were
- fixed.
- [GL #2654]
-
-5637. [placeholder]
-
-5636. [bug] named and named-checkconf did not report an error when
- multiple zones with the "dnssec-policy" option set were
- using the same zone file. This has been fixed.
- [GL #2603]
-
-5635. [bug] Journal compaction could fail when a journal with
- invalid transaction headers was not detected at startup.
- This has been fixed. [GL #2670]
-
-5634. [bug] If "dnssec-policy" was active and a private key file was
- temporarily offline during a rekey event, named could
- incorrectly introduce replacement keys and break a
- signed zone. This has been fixed. [GL #2596]
-
-5633. [doc] The "inline-signing" option was incorrectly described as
- being inherited from the "options"/"view" levels and was
- incorrectly accepted at those levels without effect.
- This has been fixed. [GL #2536]
-
-5632. [func] Add a new built-in KASP, "insecure", which is used to
- transition a zone from a signed to an unsigned state.
- The existing built-in KASP "none" should no longer be
- used to unsign a zone. [GL #2645]
-
-5631. [protocol] Update the implementation of the ZONEMD RR type to match
- RFC 8976. [GL #2658]
-
-5630. [func] Treat DNSSEC responses containing NSEC3 records with
- iteration counts greater than 150 as insecure.
- [GL #2445]
-
-5629. [func] Reduce the maximum supported number of NSEC3 iterations
- that can be configured for a zone to 150. [GL #2642]
-
-5628. [bug] Host and nslookup could crash upon receiving a SERVFAIL
- response. This has been fixed. [GL #2564]
-
-5627. [bug] RRSIG(SOA) RRsets placed anywhere other than at the zone
- apex were triggering infinite resigning loops. This has
- been fixed. [GL #2650]
-
-5626. [bug] When generating zone signing keys, KASP now also checks
- for key ID conflicts among newly created keys, rather
- than just between new and existing ones. [GL #2628]
-
-5625. [bug] A deadlock could occur when multiple "rndc addzone",
- "rndc delzone", and/or "rndc modzone" commands were
- invoked simultaneously for different zones. This has
- been fixed. [GL #2626]
-
-5624. [func] Task manager events are now processed inside network
- manager loops. The task manager no longer needs its own
- set of worker threads, which improves resolver
- performance. [GL #2638]
-
-5623. [bug] When named was shut down during an ongoing zone
- transfer, xfrin_fail() could incorrectly be called
- twice. This has been fixed. [GL #2630]
-
-5622. [cleanup] The lib/samples/ directory has been removed, as export
- versions of libraries are no longer maintained.
- [GL !4835]
-
-5621. [placeholder]
-
-5620. [bug] If zone journal files written by BIND 9.16.11 or earlier
- were present when BIND was upgraded, the zone file for
- that zone could have been inadvertently rewritten with
- the current zone contents. This caused the original zone
- file structure (e.g. comments, $INCLUDE directives) to
- be lost, although the zone data itself was preserved.
- This has been fixed. [GL #2623]
-
-5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the
- protocol such that NSEC(3) TTL values are set to the
- minimum of the SOA MINIMUM value or the SOA TTL.
- [GL #2347]
-
-5618. [bug] Change 5149 introduced some inconsistencies in the way
- record TTLs were presented in cache dumps. These
- inconsistencies have been eliminated. [GL #389]
- [GL #2289]
-
- --- 9.17.12 released ---
-
-5617. [placeholder]
-
-5616. [security] named crashed when a DNAME record placed in the ANSWER
- section during DNAME chasing turned out to be the final
- answer to a client query. (CVE-2021-25215) [GL #2540]
-
-5615. [security] Insufficient IXFR checks could result in named serving a
- zone without an SOA record at the apex, leading to a
- RUNTIME_CHECK assertion failure when the zone was
- subsequently refreshed. This has been fixed by adding an
- owner name check for all SOA records which are included
- in a zone transfer. (CVE-2021-25214) [GL #2467]
-
-5614. [bug] Ensure all resources are properly cleaned up when a call
- to gss_accept_sec_context() fails. [GL #2620]
-
-5613. [bug] It was possible to write an invalid transaction header
- in the journal file for a managed-keys database after
- upgrading. This has been fixed. Invalid headers in
- existing journal files are detected and named is able
- to recover from them. [GL #2600]
-
-5612. [bug] Continued refactoring of the network manager:
- - allow recovery from read and connect timeout events,
- - ensure that calls to isc_nm_*connect() always
- return the connection status via a callback
- function.
- [GL #2401]
-
-5611. [func] Set "stale-answer-client-timeout" to "off" by default.
- [GL #2608]
-
-5610. [bug] Prevent a crash which could happen when a lookup
- triggered by "stale-answer-client-timeout" was attempted
- right after recursion for a client query finished.
- [GL #2594]
-
-5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
- source code. It was no longer necessary as all major
- contemporary Kerberos/GSSAPI libraries include support
- for SPNEGO. [GL #2607]
-
-5608. [bug] When sending queries over TCP, dig now properly handles
- "+tries=1 +retry=0" by not retrying the connection when
- the remote server closes the connection prematurely.
- [GL #2490]
-
-5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover"
- commands may affect the next scheduled key event,
- reconfiguration of zone keys is now triggered after
- receiving either of these commands to prevent
- unnecessary key rollover delays. [GL #2488]
-
-5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone
- transitions from a secure to an insecure state.
- named-checkzone also no longer reports an error when
- such records are found in an unsigned zone. [GL #2517]
-
-5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for
- more accurate time reporting. [GL #2592]
-
-5604. [experimental] A "filter-a.so" plugin, which is similar to the
- "filter-aaaa.so" plugin but which omits A records
- instead of AAAA records, has been added. Thanks to
- GitLab user @treysis. [GL #2585]
-
-5603. [placeholder]
-
-5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This
- makes the "tcp-initial-timeout" and "tcp-idle-timeout"
- options work correctly again. [GL #2583]
-
-5601. [bug] Zones using KASP could not be thawed after they were
- frozen using "rndc freeze". This has been fixed.
- [GL #2523]
-
-5600. [bug] Send a full certificate chain instead of just the leaf
- certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS
- (DoH) clients. This makes BIND 9 DoT/DoH servers
- compatible with a broader set of clients. [GL #2514]
-
-5599. [bug] Fix a named crash which occurred after skipping a
- primary server while transferring a zone over TLS.
- [GL #2562]
-
-5598. [port] Silence -Wchar-subscripts compiler warnings triggered on
- some platforms due to calling character classification
- functions declared in the <ctype.h> header with
- arguments of type char. [GL #2567]
-
- --- 9.17.11 released ---
-
-5597. [bug] When serve-stale was enabled and starting the recursive
- resolution process for a query failed, a named instance
- could crash if it was configured as both a recursive and
- authoritative server. This problem was introduced by
- change 5573 and has now been fixed. [GL #2565]
-
-5596. [func] Client-side support for DNS-over-HTTPS (DoH) has been
- added to dig. "dig +https" can now query a server via
- HTTP/2. [GL #1641]
-
-5595. [cleanup] Public header files for BIND 9 libraries no longer
- directly include third-party library headers. This
- prevents the need to include paths to third-party header
- files in CFLAGS whenever BIND 9 public header files are
- used, which could cause build-time issues on hosts with
- older versions of BIND 9 installed. [GL #2357]
-
-5594. [bug] Building with --enable-dnsrps --enable-dnsrps-dl failed.
- [GL #2298]
-
-5593. [bug] Journal files written by older versions of named can now
- be read when loading zones, so that journal
- incompatibility does not cause problems on upgrade.
- Outdated journals are updated to the new format after
- loading. [GL #2505]
-
-5592. [bug] Prevent hazard pointer table overflows on machines with
- many cores, by allowing the thread IDs (serving as
- indices into hazard pointer tables) of finished threads
- to be reused by those created later. [GL #2396]
-
-5591. [bug] Fix a crash that occurred when
- "stale-answer-client-timeout" was triggered without any
- (stale) data available in the cache to answer the query.
- [GL #2503]
-
-5590. [bug] NSEC3 records were not immediately created for dynamic
- zones using NSEC3 with "dnssec-policy", resulting in
- such zones going bogus. Add code to process the
- NSEC3PARAM queue at zone load time so that NSEC3 records
- for such zones are created immediately. [GL #2498]
-
-5589. [placeholder]
-
-5588. [func] Add a new "purge-keys" option for "dnssec-policy". This
- option determines the period of time for which key files
- are retained after they become obsolete. [GL #2408]
-
-5587. [bug] A standalone libtool script no longer needs to be
- present in PATH to build BIND 9 from a source tarball
- prepared using "make dist". [GL #2504]
-
-5586. [bug] An invalid direction field in a LOC record resulted in
- an INSIST failure when a zone file containing such a
- record was loaded. [GL #2499]
-
-5585. [func] Memory contexts and memory pool implementations were
- refactored to reduce lock contention for shared memory
- contexts by replacing mutexes with atomic operations.
- The internal memory allocator was simplified so that it
- is only a thin wrapper around the system allocator. This
- change made the "-M external" named option redundant and
- it was therefore removed. [GL #2433]
-
-5584. [bug] No longer set the IP_DONTFRAG option on UDP sockets, to
- prevent dropping outgoing packets exceeding
- "max-udp-size". [GL #2466]
-
-5583. [func] Changes to DNS-over-HTTPS (DoH) configuration syntax:
- - When "http" is specified in "listen-on" or
- "listen-on-v6" statements, "tls" must also now be
- specified. If an unencrypted connection is desired
- (for example, when running behind a reverse proxy),
- use "tls none".
- - "http default" can now be specified in "listen-on" and
- "listen-on-v6" statements to use the default HTTP
- endpoint of "/dns-query". It is no longer necessary to
- include an "http" statement in named.conf unless
- overriding this value.
- [GL #2472]
-
-5582. [bug] BIND 9 failed to build when static OpenSSL libraries
- were used and the pkg-config files for libssl and/or
- libcrypto were unavailable. This has been fixed by
- ensuring that the correct linking order for libssl and
- libcrypto is always used. [GL #2402]
-
-5581. [bug] Fix a memory leak that occurred when inline-signed zones
- were added to the configuration, followed by a
- reconfiguration of named. [GL #2041]
-
-5580. [test] The system test framework no longer differentiates
- between SKIPPED and UNTESTED system test results. Any
- system test which is not run is now marked as SKIPPED.
- [GL !4517]
-
-5579. [bug] If an invalid key name (e.g. "a..b") was specified in a
- primaries list in named.conf, the wrong size was passed
- to isc_mem_put(), resulting in the returned memory being
- put on the wrong free list. This prevented named from
- starting up. [GL #2460]
-
- --- 9.17.10 released ---
-
-5578. [protocol] Make "check-names" accept A records below "_spf",
- "_spf_rate", and "_spf_verify" labels in order to cater
- for the "exists" SPF mechanism specified in RFC 7208
- section 5.7 and appendix D.1. [GL #2377]
-
-5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by
- correctly implementing Equation (2) of the "Flexible and
- Robust Key Rollover" paper. [GL #2375]
-
-5576. [experimental] Initial server-side implementation of DNS-over-HTTPS
- (DoH). Support for both TLS-encrypted and unencrypted
- HTTP/2 connections has been added to the network manager
- and integrated into named. (Note: there is currently no
- client-side support for DNS-over-HTTPS; this will be
- added to dig in a future release.) [GL #1144]
-
-5575. [bug] When migrating to KASP, BIND 9 considered keys with the
- "Inactive" and/or "Delete" timing metadata to be
- possible active keys. This has been fixed. [GL #2406]
-
-5574. [func] Incoming zone transfers can now use TLS. Addresses in a
- "primaries" list take an optional "tls" argument,
- specifying either a previously configured "tls" block or
- "ephemeral"; SOA queries and zone transfer requests are
- then sent via TLS. [GL #2392]
-
-5573. [func] When serve-stale is enabled and stale data is available,
- named now returns stale answers upon encountering any
- unexpected error in the query resolution process.
- However, the "stale-refresh-time" window is still only
- started upon a timeout. [GL #2434]
-
-5572. [bug] Address potential double free in generatexml().
- [GL #2420]
-
-5571. [bug] named failed to start when its configuration included a
- zone with a non-builtin "allow-update" ACL attached.
- [GL #2413]
-
-5570. [bug] Improve performance of the DNSSEC verification code by
- reducing the number of repeated calls to
- dns_dnssec_keyfromrdata(). [GL #2073]
-
-5569. [bug] Emit useful error message when "rndc retransfer" is
- applied to a zone of inappropriate type. [GL #2342]
-
-5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
- keys. [GL #2178]
-
-5567. [bug] Dig now reports unknown dash options while pre-parsing
- the options. This prevents "-multi" instead of "+multi"
- from reporting memory usage before ending option parsing
- with "Invalid option: -lti". [GL #2403]
-
-5566. [func] Add "stale-answer-client-timeout" option, which is the
- amount of time a recursive resolver waits before
- attempting to answer the query using stale data from
- cache. [GL #2247]
-
-5565. [func] The SONAMEs for BIND 9 libraries now include the current
- BIND 9 version number, in an effort to tightly couple
- internal libraries with a specific release. [GL #2387]
-
-5564. [cleanup] Network manager's TLSDNS module was refactored to use
- libuv and libssl directly instead of a stack of TCP/TLS
- sockets. [GL #2335]
-
-5563. [cleanup] Changed several obsolete configuration options to
- ancient, making them fatal errors. Also cleaned up the
- number of clause flags in the configuration parser.
- [GL #1086]
-
-5562. [placeholder]
-
-5561. [bug] KASP incorrectly set signature validity to the value of
- the DNSKEY signature validity. This is now fixed.
- [GL #2383]
-
-5560. [func] The default value of "max-stale-ttl" has been changed
- from 12 hours to 1 day and the default value of
- "stale-answer-ttl" has been changed from 1 second to 30
- seconds, following RFC 8767 recommendations. [GL #2248]
-
- --- 9.17.9 released ---
-
-5559. [bug] The --with-maxminddb=PATH form of the build-time option
- enabling support for libmaxminddb was not working
- correctly. This has been fixed. [GL #2366]
-
-5558. [bug] Asynchronous hook modules could trigger an assertion
- failure when the fetch handle was detached too late.
- Thanks to Jinmei Tatuya at Infoblox. [GL #2379]
-
-5557. [bug] Prevent RBTDB instances from being destroyed by multiple
- threads at the same time. [GL #2317]
-
-5556. [bug] Further tweak newline printing in dnssec-signzone and
- dnssec-verify. [GL #2359]
-
-5555. [placeholder]
-
-5554. [bug] dnssec-signzone and dnssec-verify were missing newlines
- between log messages. [GL #2359]
-
-5553. [bug] When reconfiguring named, removing "auto-dnssec" did not
- turn off DNSSEC maintenance. [GL #2341]
-
-5552. [func] When switching to "dnssec-policy none;", named now
- permits a safe transition to insecure mode and publishes
- the CDS and CDNSKEY DELETE records, as described in RFC
- 8078. [GL #1750]
-
-5551. [bug] named no longer attempts to assign threads to CPUs
- outside the CPU affinity set. Thanks to Ole Bjørn
- Hessen. [GL #2245]
-
-5550. [func] dnssec-signzone and named now log a warning when falling
- back to the "increment" SOA serial method. [GL #2058]
-
-5549. [protocol] ipv4only.arpa is now served when DNS64 is configured.
- [GL #385]
-
-5548. [placeholder]
-
-5547. [placeholder]
-
- --- 9.17.8 released ---
-
-5546. [placeholder]
-
-5545. [func] OS support for load-balanced sockets is no longer
- required to receive incoming queries in multiple netmgr
- threads. [GL #2137]
-
-5544. [func] Restore the default value of "nocookie-udp-size" to 4096
- bytes. [GL #2250]
-
-5543. [bug] Fix UDP performance issues caused by making netmgr
- callbacks asynchronous-only. [GL #2320]
-
-5542. [bug] Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
- [GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
- [GL #2321]
-
-5541. [func] Adjust the "max-recursion-queries" default from 75 to
- 100. [GL #2305]
-
-5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
- [GL #2315]
-
-5539. [bug] Tighten handling of missing DNS COOKIE responses over
- UDP by falling back to TCP. [GL #2275]
-
-5538. [func] Add NSEC3 support to KASP. A new option for
- "dnssec-policy", "nsec3param", can be used to set the
- desired NSEC3 parameters. NSEC3 salt collisions are
- automatically prevented during resalting. Salt
- generation is now logged with zone context. [GL #1620]
-
-5537. [func] The query plugin mechanism has been extended
- to support asynchronous operations. For example, a
- plugin can now trigger recursion and resume
- processing when it is complete. Thanks to Jinmei
- Tatuya at Infoblox. [GL #2141]
-
-5536. [func] Dig can now report the DNS64 prefixes in use
- (+dns64prefix). [GL #1154]
-
-5535. [bug] dig/nslookup/host could crash on shutdown after an
- interrupt. [GL #2287] [GL #2288]
-
-5534. [bug] The CNAME synthesized from a DNAME was incorrectly
- followed when the QTYPE was CNAME or ANY. [GL #2280]
-
- --- 9.17.7 released ---
-
-5533. [func] Add the "stale-refresh-time" option, a time window that
- starts after a failed lookup, during which a stale RRset
- is served directly from cache before a new attempt to
- refresh it is made. [GL #2066]
-
-5532. [cleanup] Unused header files were removed:
- bin/rndc/include/rndc/os.h, lib/isc/timer_p.h,
- lib/isccfg/include/isccfg/dnsconf.h and code related
- to those files. [GL #1913]
-
-5531. [func] Add support for DNS over TLS (DoT) to dig and named.
- dig output now includes the transport protocol used.
- [GL #1816] [GL #1840]
-
-5530. [bug] dnstap did not capture responses to forwarded UPDATE
- requests. [GL #2252]
-
-5529. [func] The network manager API is now used by named to send
- zone transfer requests. [GL #2016]
-
-5528. [func] Convert dig, host, and nslookup to use the network
- manager API. As a side effect of this change, "dig
- +unexpected" no longer works, and has been disabled.
- [GL #2140]
-
-5527. [bug] A NULL pointer dereference occurred when creating an NTA
- recheck query failed. [GL #2244]
-
-5526. [bug] Fix a race/NULL dereference in TCPDNS read. [GL #2227]
-
-5525. [placeholder]
-
-5524. [func] Added functionality to the network manager to support
- outgoing DNS queries in addition to incoming ones.
- [GL #2235]
-
-5523. [bug] The initial lookup in a zone transitioning to/from a
- signed state could fail if the DNSKEY RRset was not
- found. [GL #2236]
-
-5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
-
-5521. [func] All use of libltdl was dropped. libuv's shared library
- handling interface is now used instead. [GL !4278]
-
-5520. [bug] Fixed a number of shutdown races, reference counting
- errors, and spurious log messages that could occur
- in the network manager. [GL #2221]
-
-5519. [cleanup] Unused source code was removed: lib/dns/dbtable.c,
- lib/dns/portlist.c, lib/isc/bufferlist.c, and code
- related to those files. [GL #2060]
-
-5518. [bug] Stub zones now work correctly with primary servers using
- "minimal-responses yes". [GL #1736]
-
-5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
- [GL #2208]
-
- --- 9.17.6 released ---
-
-5516. [func] The default EDNS buffer size has been changed from 4096
- to 1232 bytes, the EDNS buffer size probing has been
- removed, and named now sets the DF (Don't Fragment) flag
- on outgoing UDP packets. [GL #2183]
-
-5515. [func] Add 'rndc dnssec -rollover' command to trigger a manual
- rollover for a specific key. [GL #1749]
-
-5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
- [GL #2171]
-
-5513. [doc] The ARM section describing the "rrset-order" statement
- was rewritten to make it unambiguous and up-to-date with
- the source code. [GL #2139]
-
-5512. [bug] "rrset-order" rules using "order none" were causing
- named to crash despite named-checkconf treating them as
- valid. [GL #2139]
-
-5511. [bug] 'dig -u +yaml' failed to display timestamps to the
- microsecond. [GL #2190]
-
-5510. [bug] Implement the attach/detach semantics for dns_message_t
- to fix a data race in accessing an already-destroyed
- fctx->rmessage. [GL #2124]
-
-5509. [bug] filter-aaaa: named crashed upon shutdown if it was in
- the process of recursing for A RRsets. [GL #1040]
-
-5508. [func] Added new parameter "-expired" for "rndc dumpdb" that
- also prints expired RRsets (awaiting cleanup) to the
- dump file. [GL #1870]
-
-5507. [bug] Named could compute incorrect SIG(0) responses.
- [GL #2109]
-
-5506. [bug] Properly handle failed sysconf() calls, so we don't
- report invalid memory size. [GL #2166]
-
-5505. [bug] Updating contents of a mixed-case RPZ could cause some
- rules to be ignored. [GL #2169]
-
-5504. [func] The "glue-cache" option has been marked as deprecated.
- The glue cache feature will be permanently enabled in a
- future release. [GL #2146]
-
-5503. [bug] Cleaned up reference counting of network manager
- handles, now using isc_nmhandle_attach() and _detach()
- instead of _ref() and _unref(). [GL #2122]
-
- --- 9.17.5 released ---
-
-5502. [func] 'dig +bufsize=0' no longer disables EDNS. [GL #2054]
-
-5501. [func] Log CDS/CDNSKEY publication. [GL #1748]
-
-5500. [bug] Fix (non-)publication of CDS and CDNSKEY records.
- [GL #2103]
-
-5499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime.
- [GL #1748]
-
-5498. [test] The --with-gperftools-profiler configure option was
- removed. [GL !4045]
-
-5497. [placeholder]
-
-5496. [bug] Address a TSAN report by ensuring each rate limiter
- object holds a reference to its task. [GL #2081]
-
-5495. [bug] With query minimization enabled, named failed to
- resolve ip6.arpa. names that had extra labels to the
- left of the IPv6 part. [GL #1847]
-
-5494. [bug] Silence the EPROTO syslog message on older systems.
- [GL #1928]
-
-5493. [bug] Fix off-by-one error when calculating new hash table
- size. [GL #2104]
-
-5492. [bug] Tighten LOC parsing to reject a period (".") and/or "m"
- as a value. Fix handling of negative altitudes which are
- not whole meters. [GL #2074]
-
-5491. [bug] rbtversion->glue_table_size could be read without the
- appropriate lock being held. [GL #2080]
-
-5490. [func] Refactor readline support to use pkg-config and add
- support for the editline library. [GL !3942]
-
-5489. [bug] Named erroneously accepted certain invalid resource
- records that were incorrectly processed after
- subsequently being written to disk and loaded back, as
- the wire format differed. Such records include: CERT,
- IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
- X25. [GL !3953]
-
-5488. [bug] NTA code needed to have a weak reference on its
- associated view to prevent the latter from being deleted
- while NTA tests were being performed. [GL #2067]
-
-5487. [cleanup] Update managed keys log messages to be less confusing.
- [GL #2027]
-
-5486. [func] Add 'rndc dnssec -checkds' command, which signals to
- named that the DS record for a given zone or key has
- been updated in the parent zone. [GL #1613]
-
- --- 9.17.4 released ---
-
-5485. [placeholder]
-
-5484. [func] Expire zero TTL records quickly rather than using them
- for stale answers. [GL #1829]
-
-5483. [func] Keeping "stale" answers in cache has been disabled by
- default and can be re-enabled with a new configuration
- option "stale-cache-enable". [GL #1712]
-
-5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
- not yet finished after adding a new IPv6 address to the
- system, BIND 9 would fail to bind to IPv6 addresses in a
- tentative state. [GL #2038]
-
-5481. [security] "update-policy" rules of type "subdomain" were
- incorrectly treated as "zonesub" rules, which allowed
- keys used in "subdomain" rules to update names outside
- of the specified subdomains. The problem was fixed by
- making sure "subdomain" rules are again processed as
- described in the ARM. (CVE-2020-8624) [GL #2055]
-
-5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
- was possible to trigger an assertion failure in code
- determining the number of bits in the PKCS#11 RSA public
- key with a specially crafted packet. (CVE-2020-8623)
- [GL #2037]
-
-5479. [security] named could crash in certain query resolution scenarios
- where QNAME minimization and forwarding were both
- enabled. (CVE-2020-8621) [GL #1997]
-
-5478. [security] It was possible to trigger an assertion failure by
- sending a specially crafted large TCP DNS message.
- (CVE-2020-8620) [GL #1996]
-
-5477. [bug] The idle timeout for connected TCP sockets, which was
- previously set to a high fixed value, is now derived
- from the client query processing timeout configured for
- a resolver. [GL #2024]
-
-5476. [security] It was possible to trigger an assertion failure when
- verifying the response to a TSIG-signed request.
- (CVE-2020-8622) [GL #2028]
-
-5475. [bug] Wildcard RPZ passthru rules could incorrectly be
- overridden by other rules that were loaded from RPZ
- zones which appeared later in the "response-policy"
- statement. This has been fixed. [GL #1619]
-
-5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
- when it should have. [GL !3880]
-
-5473. [func] The RBT hash table implementation has been changed
- to use a faster hash function (HalfSipHash2-4) and
- Fibonacci hashing for better distribution. Setting
- "max-cache-size" now preallocates a fixed-size hash
- table so that rehashing does not cause resolution
- brownouts while the hash table is grown. [GL #1775]
-
-5472. [func] The statistics channel has been updated to use the
- new network manager. [GL #2022]
-
-5471. [bug] The introduction of KASP support inadvertently caused
- the second field of "sig-validity-interval" to always be
- calculated in hours, even in cases when it should have
- been calculated in days. This has been fixed. (Thanks to
- Tony Finch.) [GL !3735]
-
-5470. [port] gsskrb5_register_acceptor_identity() is now only called
- if gssapi_krb5.h is present. [GL #1995]
-
-5469. [port] On illumos, a constant called SEC is already defined in
- <sys/time.h>, which conflicts with an identically named
- constant in libbind9. This conflict has been resolved.
- [GL #1993]
-
-5468. [bug] Addressed potential double unlock in process_fd().
- [GL #2005]
-
-5467. [func] The control channel and the rndc utility have been
- updated to use the new network manager. To support
- this, the network manager was updated to enable
- the initiation of client TCP connections. Its
- internal reference counting has been refactored.
-
- Note: As a side effect of this change, rndc cannot
- currently be used with UNIX-domain sockets, and its
- default timeout has changed from 60 seconds to 30.
- These will be addressed in a future release.
- [GL #1759]
-
-5466. [bug] Addressed an error in recursive clients stats reporting.
- [GL #1719]
-
-5465. [func] Added fallback to built-in trust-anchors, managed-keys,
- or trusted-keys if the bindkeys-file (bind.keys) cannot
- be parsed. [GL #1235]
-
-5464. [bug] Requesting more than 128 files to be saved when rolling
- dnstap log files caused a buffer overflow. This has been
- fixed. [GL #1989]
-
-5463. [placeholder]
-
-5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
-
-5461. [bug] The STALE rdataset header attribute was updated while
- the write lock was not being held, leading to incorrect
- statistics. The header attributes are now converted to
- use atomic operations. [GL #1475]
-
-5460. [cleanup] tsig-keygen was previously an alias for
- ddns-confgen and was documented in the ddns-confgen
- man page. This has been reversed; tsig-keygen is
- now the primary name. [GL #1998]
-
-5459. [bug] Fixed bad isc_mem_put() size when an invalid type was
- specified in an "update-policy" rule. [GL #1990]
-
- --- 9.17.3 released ---
-
-5458. [bug] Prevent a theoretically possible NULL dereference caused
- by a data race between zone_maintenance() and
- dns_zone_setview_helper(). [GL #1627]
-
-5457. [placeholder]
-
-5456. [func] Added "primaries" as a synonym for "masters" in
- named.conf, and "primary-only" as a synonym for
- "master-only" in the parameters to "notify", to bring
- terminology up-to-date with RFC 8499. [GL #1948]
-
-5455. [bug] named could crash when cleaning dead nodes in
- lib/dns/rbtdb.c that were being reused. [GL #1968]
-
-5454. [bug] Address a startup crash that occurred when the server
- was under load and the root zone had not yet been
- loaded. [GL #1862]
-
-5453. [bug] named crashed on shutdown when a new rndc connection was
- received during shutdown. [GL #1747]
-
-5452. [bug] The "blackhole" ACL was accidentally disabled for client
- queries. [GL #1936]
-
-5451. [func] Add 'rndc dnssec -status' command. [GL #1612]
-
-5450. [placeholder]
-
-5449. [bug] Fix a socket shutdown race in netmgr udp. [GL #1938]
-
-5448. [bug] Fix a race condition in isc__nm_tcpdns_send().
- [GL #1937]
-
-5447. [bug] IPv6 addresses ending in "::" could break YAML
- parsing. A "0" is now appended to such addresses
- in YAML output from dig, mdig, delv, and dnstap-read.
- [GL #1952]
-
-5446. [bug] The validator could fail to accept a properly signed
- RRset if an unsupported algorithm appeared earlier in
- the DNSKEY RRset than a supported algorithm. It could
- also stop if it detected a malformed public key.
- [GL #1689]
-
-5445. [cleanup] Disable and disallow static linking. [GL #1933]
-
-5444. [bug] 'rndc dnstap -roll <value>' did not limit the number of
- saved files to <value>. [GL !3728]
-
-5443. [bug] The "primary" and "secondary" keywords, when used
- as parameters for "check-names", were not
- processed correctly and were being ignored. [GL #1949]
-
-5442. [func] Add support for outgoing TCP connections in netmgr.
- [GL #1958]
-
-5441. [placeholder]
-
-5440. [placeholder]
-
-5439. [bug] The DS RRset returned by dns_keynode_dsset() was used in
- a non-thread-safe manner. [GL #1926]
-
- --- 9.17.2 released ---
-
-5438. [bug] Fix a race in TCP accepting code. [GL #1930]
-
-5437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr().
- [GL #1808]
-
-5436. [security] It was possible to trigger an INSIST when determining
- whether a record would fit into a TCP message buffer.
- (CVE-2020-8618) [GL #1850]
-
-5435. [tests] Add RFC 4592 responses examples to the wildcard system
- test. [GL #1718]
-
-5434. [security] It was possible to trigger an INSIST in
- lib/dns/rbtdb.c:new_reference() with a particular zone
- content and query patterns. (CVE-2020-8619) [GL #1111]
- [GL #1718]
-
-5433. [placeholder]
-
-5432. [bug] Check the question section when processing AXFR, IXFR,
- and SOA replies when transferring a zone in. [GL #1683]
-
-5431. [func] Reject DS records at the zone apex when loading
- master files. Log but otherwise ignore attempts to
- add DS records at the zone apex via UPDATE. [GL #1798]
-
-5430. [doc] Update docs - with netmgr, a separate listening socket
- is created for each IPv6 interface (just as with IPv4).
- [GL #1782]
-
-5429. [cleanup] Move BIND binaries which are neither daemons nor
- administrative programs to $bindir. [GL #1724]
-
-5428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr
- has been destroyed. Thanks to Petr Menšík. [GL !3316]
-
-5427. [placeholder]
-
-5426. [bug] Don't abort() when setting SO_INCOMING_CPU on the socket
- fails. [GL #1911]
-
-5425. [func] The default value of "max-stale-ttl" has been changed
- from 1 week to 12 hours. [GL #1877]
-
-5424. [bug] With KASP, when creating a successor key, the "goal"
- state of the current active key (predecessor) was not
- changed and thus never removed from the zone. [GL #1846]
-
-5423. [bug] Fix a bug in keymgr_key_has_successor(): it incorrectly
- returned true if any other key in the keyring had a
- successor. [GL #1845]
-
-5422. [bug] When using dnssec-policy, print correct key timing
- metadata. [GL #1843]
-
-5421. [bug] Fix a race that could cause named to crash when looking
- up the nodename of an RBT node if the tree was modified.
- [GL #1857]
-
-5420. [bug] Add missing isc_{mutex,conditional}_destroy() calls
- that caused a memory leak on FreeBSD. [GL #1893]
-
-5419. [func] Add new dig command line option, "+qid=<num>", which
- allows the query ID to be set to an arbitrary value.
- Add a new ./configure option, --enable-singletrace,
- which allows trace logging of a single query when QID is
- set to 0. [GL #1851]
-
-5418. [bug] delv failed to parse deprecated trusted-keys-style
- trust anchors. [GL #1860]
-
-5417. [cleanup] The code determining the advertised UDP buffer size in
- outgoing EDNS queries has been refactored to improve its
- clarity. [GL #1868]
-
-5416. [bug] Fix a lock order inversion in lib/isc/unix/socket.c.
- [GL #1859]
-
-5415. [test] Address race in dnssec system test that led to
- test failures. [GL #1852]
-
-5414. [test] Adjust time allowed for journal truncation to occur
- in nsupdate system test to avoid test failure.
- [GL #1855]
-
-5413. [test] Address race in autosign system test that led to
- test failures. [GL #1852]
-
-5412. [bug] 'provide-ixfr no;' failed to return up-to-date responses
- when the serial was greater than or equal to the
- current serial. [GL #1714]
-
-5411. [cleanup] TCP accept code has been refactored to use a single
- accept() and pass the accepted socket to child threads
- for processing. [GL !3320]
-
-5410. [func] Add the ability to specify per-type record count limits,
- which are enforced when adding records via UPDATE, in an
- "update-policy" statement. [GL #1657]
-
-5409. [performance] When looking up NSEC3 data in a zone database, skip the
- check for empty non-terminal nodes; the NSEC3 tree does
- not have any. [GL #1834]
-
-5408. [protocol] Print Extended DNS Errors if present in OPT record.
- [GL #1835]
-
-5407. [func] Zone timers are now exported via statistics channel.
- Thanks to Paul Frieden, Verizon Media. [GL #1232]
-
-5406. [func] Add a new logging category, "rpz-passthru", which allows
- RPZ passthru actions to be logged in a separate channel.
- [GL #54]
-
-5405. [bug] 'named-checkconf -p' could include spurious text in
- server-addresses statements due to an uninitialized DSCP
- value. [GL #1812]
-
-5404. [bug] 'named-checkconf -z' could incorrectly indicate
- success if errors were found in one view but not in a
- subsequent one. [GL #1807]
-
-5403. [func] Do not set UDP receive/send buffer sizes - use system
- defaults. [GL #1713]
-
-5402. [bug] On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
- Enable use of SO_REUSEADDR on all platforms which
- support it. [GL !3365]
-
-5401. [bug] The number of input queues allocated during dnstap
- initialization was too low, which could prevent some
- dnstap data from being logged. [GL #1795]
-
-5400. [func] Add engine support to OpenSSL EdDSA implementation.
- [GL #1763]
-
-5399. [func] Add engine support to OpenSSL ECDSA implementation.
- [GL #1534]
-
-5398. [bug] Named could fail to restart if a zone with a double
- quote (") in its name was added with 'rndc addzone'.
- [GL #1695]
-
-5397. [func] Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Thanks to Aaron Thompson. [GL !3326]
-
-5396. [func] When necessary (i.e. in libuv >= 1.37), use the
- UV_UDP_RECVMMSG flag to enable recvmmsg() support in
- libuv. [GL #1797]
-
-5395. [security] Further limit the number of queries that can be
- triggered from a request. Root and TLD servers
- are no longer exempt from max-recursion-queries.
- Fetches for missing name server address records
- are limited to 4 for any domain. (CVE-2020-8616)
- [GL #1388]
-
-5394. [cleanup] Named formerly attempted to change the effective UID and
- GID in named_os_openfile(), which could trigger a
- spurious log message if they were already set to the
- desired values. This has been fixed. [GL #1042]
- [GL #1090]
-
-5393. [cleanup] Unused and/or redundant APIs were removed from libirs.
- [GL #1758]
-
-5392. [bug] It was possible for named to crash during shutdown
- or reconfiguration if an RPZ zone was still being
- updated. [GL #1779]
-
-5391. [func] The BIND 9 build system has been changed to use a
- typical autoconf+automake+libtool stack. When building
- from the Git repository, run "autoreconf -fi" first.
- [GL #4]
-
-5390. [security] Replaying a TSIG BADTIME response as a request could
- trigger an assertion failure. (CVE-2020-8617)
- [GL #1703]
-
-5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller
- bugs and use PKCS#11 v3.0 EdDSA macros and constants.
- Thanks to Aaron Thompson. [GL !3391]
-
-5388. [func] Reject AXFR streams where the message ID is not
- consistent. [GL #1674]
-
-5387. [placeholder]
-
-5386. [cleanup] Address Coverity warnings in lib/dns/keymgr.c.
- [GL #1737]
-
-5385. [func] Make ISC rwlock implementation the default again.
- [GL #1753]
-
-5384. [bug] With "dnssec-policy" in effect, "inline-signing" was
- implicitly set to "yes". Now "inline-signing" is only
- set to "yes" if the zone is not dynamic. [GL #1709]
-
- --- 9.17.1 released ---
-
-5383. [func] Add a quota attach function with a callback and clean up
- the isc_quota API. [GL !3280]
-
-5382. [bug] Use clock_gettime() instead of gettimeofday() for
- isc_stdtime() function. [GL #1679]
-
-5381. [bug] Fix logging API data race by adding rwlock and caching
- logging levels in stdatomic variables to restore
- performance to original levels. [GL #1675] [GL #1717]
-
-5380. [contrib] Fix building MySQL DLZ modules against MySQL 8
- libraries. [GL #1678]
-
-5379. [placeholder]
-
-5378. [bug] Receiving invalid DNS data was triggering an assertion
- failure in nslookup. [GL #1652]
-
-5377. [placeholder]
-
-5376. [bug] Fix ineffective DNS rebinding protection when BIND is
- configured as a forwarding DNS server. Thanks to Tobias
- Klein. [GL #1574]
-
-5375. [test] Fix timing issues in the "kasp" system test. [GL #1669]
-
-5374. [bug] Statistics counters tracking recursive clients and
- active connections could underflow. [GL #1087]
-
-5373. [bug] Collecting statistics for DNSSEC signing operations
- (change 5254) caused an array of significant size (over
- 100 kB) to be allocated for each configured zone. Each
- of these arrays is tracking all possible key IDs; this
- could trigger an out-of-memory condition on servers with
- a high enough number of zones configured. Fixed by
- tracking up to four keys per zone and rotating counters
- when keys are replaced. This fixes the immediate problem
- of high memory usage, but should be improved in a future
- release by growing or shrinking the number of keys to
- track upon key rollover events. [GL #1179]
-
-5372. [bug] Fix migration from existing DNSSEC key files
- ("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
-
-5371. [bug] Improve incremental updates of the RPZ summary
- database to reduce delays that could occur when
- a policy zone update included a large number of
- record deletions. [GL #1447]
-
-5370. [bug] Deactivation of a netmgr handle associated with a
- socket could be skipped in some circumstances.
- Fixed by deactivating the netmgr handle before
- scheduling the asynchronous close routine. [GL #1700]
-
-5369. [func] Add the ability to specify whether to wait for
- nameserver domain names to be looked up, with a new RPZ
- modifying directive 'nsdname-wait-recurse'. [GL #1138]
-
-5368. [bug] Named failed to restart if 'rndc addzone' names
- contained special characters (e.g. '/'). [GL #1655]
-
-5367. [placeholder]
-
- --- 9.17.0 released ---
-
-5366. [bug] Fix a race condition with the keymgr when the same
- zone plus dnssec-policy is configured in multiple
- views. [GL #1653]
-
-5365. [bug] Algorithm rollover was stuck on submitting DS
- because keymgr thought it would move to an invalid
- state. Fixed by checking the current key against
- the desired state, not the existing state. [GL #1626]
-
-5364. [bug] Algorithm rollover waited too long before introducing
- zone signatures. It waited to make sure all signatures
- were regenerated, but when introducing a new algorithm,
- all signatures are regenerated immediately. Only
- add the sign delay if there is a predecessor key.
- [GL #1625]
-
-5363. [bug] When changing a dnssec-policy, existing keys with
- properties that no longer match were not being retired.
- [GL #1624]
-
-5362. [func] Limit the size of IXFR responses so that AXFR will
- be used instead if it would be smaller. This is
- controlled by the "max-ixfr-ratio" option, which
- is a percentage representing the ratio of IXFR size
- to the size of the entire zone. This value cannot
- exceed 100%, which is the default. [GL #1515]
-
-5361. [bug] named might not accept new connections after
- hitting tcp-clients quota. [GL #1643]
-
-5360. [bug] delv could fail to load trust anchors in DNSKEY
- format. [GL #1647]
-
-5359. [func] "rndc nta -d" and "rndc secroots" now include
- "validate-except" entries when listing negative
- trust anchors. These are indicated by the keyword
- "permanent" in place of an expiry date. [GL #1532]
-
-5358. [bug] Inline master zones whose master files were touched
- but otherwise unchanged and were subsequently reloaded
- may have stopped re-signing. [GL !3135]
-
-5357. [bug] Newly added RRSIG records with expiry times before
- the previous earliest expiry times might not be
- re-signed in time. This was a side effect of 5315.
- [GL !3137]
-
-5356. [func] Update dnssec-policy configuration statements:
- - Rename "zone-max-ttl" dnssec-policy option to
- "max-zone-ttl" for consistency with the existing
- zone option.
- - Allow for "lifetime unlimited" as a synonym for
- "lifetime PT0S".
- - Make "key-directory" optional.
- - Warn if specifying a key length does not make
- sense; fail if key length is out of range for
- the algorithm.
- - Allow use of mnemonics when specifying key
- algorithm (e.g. "rsasha256", "ecdsa384", etc.).
- - Make ISO 8601 durations case-insensitive.
- [GL #1598]
-
-5355. [func] What was set with --with-tuning=large option in
- older BIND9 versions is now a default, and
- a --with-tuning=small option was added for small
- (e.g. OpenWRT) systems. [GL !2989]
-
-5354. [bug] dnssec-policy created new KSK keys for zones in the
- initial stage of signing (with the DS not yet in the
- rumoured or omnipresent states). Fix by checking the
- key goals rather than the active state when determining
- whether new keys are needed. [GL #1593]
-
-5353. [doc] Document port and dscp parameters in forwarders
- configuration option. [GL #914]
-
-5352. [bug] Correctly handle catalog zone entries containing
- characters that aren't legal in filenames. [GL #1592]
-
-5351. [bug] CDS / CDNSKEY consistency checks failed to handle
- removal records. [GL #1554]
-
-5350. [bug] When a view was configured with class CHAOS, the
- server could crash while processing a query for a
- non-existent record. [GL #1540]
-
-5349. [bug] Fix a race in task_pause/unpause. [GL #1571]
-
-5348. [bug] dnssec-settime -Psync was not being honoured.
- Thanks to Tony Finch. [GL !2893]
-
- --- 9.15.8 released ---
-
-5347. [bug] Fixed a bug that could cause an intermittent crash
- in validator.c when validating a negative cache
- entry. [GL #1561]
-
-5346. [bug] Make hazard pointer array allocations dynamic, fixing
- a bug that caused named to crash on machines with more
- than 40 cores. [GL #1493]
-
-5345. [func] Key-style trust anchors and DS-style trust anchors
- can now both be used for the same name. [GL #1237]
-
-5344. [bug] Handle accept() errors properly in netmgr. [GL !2880]
-
-5343. [func] Add statistics counters to the netmgr. [GL #1311]
-
-5342. [bug] Disable pktinfo for IPv6 and bind to each interface
- explicitly instead, because libuv doesn't support
- pktinfo control messages. [GL #1558]
-
-5341. [func] Simplify passing the bound TCP socket to child
- threads by using isc_uv_export/import functions.
- [GL !2825]
-
-5340. [bug] Don't deadlock when binding to a TCP socket fails.
- [GL #1499]
-
-5339. [bug] With some libmaxminddb versions, named could erroneously
- match an IP address not belonging to any subnet defined
- in a given GeoIP2 database to one of the existing
- entries in that database. [GL #1552]
-
-5338. [bug] Fix line spacing in `rndc secroots`.
- Thanks to Tony Finch. [GL !2478]
-
-5337. [func] 'named -V' now reports maxminddb and protobuf-c
- versions. [GL !2686]
-
- --- 9.15.7 released ---
-
-5336. [bug] The TCP high-water statistic could report an
- incorrect value on startup. [GL #1392]
-
-5335. [func] Make TCP listening code multithreaded. [GL !2659]
-
-5334. [doc] Update documentation with dnssec-policy clarifications.
- Also change some defaults. [GL !2711]
-
-5333. [bug] Fix duration printing on Solaris when value is not
- an ISO 8601 duration. [GL #1460]
-
-5332. [func] Renamed "dnssec-keys" configuration statement
- to the more descriptive "trust-anchors". [GL !2702]
-
-5331. [func] Use compiler-provided mechanisms for thread local
- storage, and make the requirement for such mechanisms
- explicit in configure. [GL #1444]
-
-5330. [bug] 'configure --without-python' was ineffective if
- PYTHON was set in the environment. [GL #1434]
-
-5329. [bug] Reconfiguring named caused memory to be leaked when any
- GeoIP2 database was in use. [GL #1445]
-
-5328. [bug] rbtdb.c:rdataset_{get,set}ownercase failed to obtain
- a node lock. [GL #1417]
-
-5327. [func] Added a statistics counter to track queries
- dropped because the recursive-clients quota was
- exceeded. [GL #1399]
-
-5326. [bug] Add Python dependency on 'distutils.core' to configure.
- 'distutils.core' is required for installation.
- [GL #1397]
-
-5325. [bug] Addressed several issues with TCP connections in
- the netmgr: restored support for TCP connection
- timeouts, restored TCP backlog support, actively
- close all open sockets during shutdown. [GL #1312]
-
-5324. [bug] Change the category of some log messages from general
- to the more appropriate catergory of xfer-in. [GL #1394]
-
-5323. [bug] Fix a bug in DNSSEC trust anchor verification.
- [GL !2609]
-
-5322. [placeholder]
-
-5321. [bug] Obtain write lock before updating version->records
- and version->bytes. [GL #1341]
-
-5320. [cleanup] Silence TSAN on header->count. [GL #1344]
-
- --- 9.15.6 released ---
-
-5319. [func] Trust anchors can now be configured using DS
- format to represent a key digest, by using the
- new "initial-ds" or "static-ds" keywords in
- the "dnssec-keys" statement.
-
- Note: DNSKEY-format and DS-format trust anchors
- cannot both be used for the same domain name.
- [GL #622]
-
-5318. [cleanup] The DNSSEC validation code has been refactored
- for clarity and to reduce code duplication.
- [GL #622]
-
-5317. [func] A new asynchronous network communications system
- based on libuv is now used for listening for
- incoming requests and responding to them. (The
- old isc_socket API remains in use for sending
- iterative queries and processing responses; this
- will be changed too in a later release.)
-
- This change will make it easier to improve
- performance and implement new protocol layers
- (e.g., DNS over TLS) in the future. [GL #29]
-
-5316. [func] A new "dnssec-policy" option has been added to
- named.conf to implement a key and signing policy
- (KASP) for zones. When this option is in use,
- named can generate new keys as needed and
- automatically roll both ZSK and KSK keys. (Note
- that the syntax for this statement differs from
- the dnssec policy used by dnssec-keymgr.)
-
- See the ARM for configuration details. [GL #1134]
-
-5315. [bug] Apply the initial RRSIG expiration spread fixed
- to all dynamically created records in the zone
- including NSEC3. Also fix the signature clusters
- when the server has been offline for prolonged
- period of times. [GL #1256]
-
-5314. [func] Added a new statistics variable "tcp-highwater"
- that reports the maximum number of simultaneous TCP
- clients BIND has handled while running. [GL #1206]
-
-5313. [bug] The default GeoIP2 database location did not match
- the ARM. 'named -V' now reports the default
- location. [GL #1301]
-
-5312. [bug] Do not flush the cache for `rndc validation status`.
- Thanks to Tony Finch. [GL !2462]
-
-5311. [cleanup] Include all views in output of `rndc validation status`.
- Thanks to Tony Finch. [GL !2461]
-
-5310. [bug] TCP failures were affecting EDNS statistics. [GL #1059]
-
-5309. [placeholder]
-
-5308. [bug] Don't log DNS_R_UNCHANGED from sync_secure_journal()
- at ERROR level in receive_secure_serial(). [GL #1288]
-
-5307. [bug] Fix hang when named-compilezone output is sent to pipe.
- Thanks to Tony Finch. [GL !2481]
-
-5306. [security] Set a limit on number of simultaneous pipelined TCP
- queries. (CVE-2019-6477) [GL #1264]
-
-5305. [bug] NSEC Aggressive Cache ("synth-from-dnssec") has been
- disabled by default because it was found to have
- a significant performance impact on the recursive
- service. [GL #1265]
-
-5304. [bug] "dnskey-sig-validity 0;" was not being accepted.
- [GL #876]
-
-5303. [placeholder]
-
-5302. [bug] Fix checking that "dnstap-output" is defined when
- "dnstap" is specified in a view. [GL #1281]
-
-5301. [bug] Detect partial prefixes / incomplete IPv4 address in
- acls. [GL #1143]
-
-5300. [bug] dig/mdig/delv: Add a colon after EDNS option names,
- even when the option is empty, to improve
- readability and allow correct parsing of YAML
- output. [GL #1226]
-
- --- 9.15.5 released ---
-
-5299. [security] A flaw in DNSSEC verification when transferring
- mirror zones could allow data to be incorrectly
- marked valid. (CVE-2019-6475) [GL #1252]
-
-5298. [security] Named could assert if a forwarder returned a
- referral, rather than resolving the query, when QNAME
- minimization was enabled. (CVE-2019-6476) [GL #1051]
-
-5297. [bug] Check whether a previous QNAME minimization fetch
- is still running before starting a new one; return
- SERVFAIL and log an error if so. [GL #1191]
-
-5296. [placeholder]
-
-5295. [cleanup] Split dns_name_copy() calls into dns_name_copy() and
- dns_name_copynf() for those calls that can potentially
- fail and those that should not fail respectively.
- [GL !2265]
-
-5294. [func] Fallback to ACE name on output in locale, which does not
- support converting it to unicode. [GL #846]
-
-5293. [bug] On Windows, named crashed upon any attempt to fetch XML
- statistics from it. [GL #1245]
-
-5292. [bug] Queue 'rndc nsec3param' requests while signing inline
- zone changes. [GL #1205]
-
- --- 9.15.4 released ---
-
-5291. [placeholder]
-
-5290. [placeholder]
-
-5289. [bug] Address NULL pointer dereference in rpz.c:rpz_detach.
- [GL #1210]
-
-5288. [bug] dnssec-must-be-secure was not always honored.
- [GL #1209]
-
-5287. [placeholder]
-
-5286. [contrib] Address potential NULL pointer dereferences in
- dlz_mysqldyn_mod.c. [GL #1207]
-
-5285. [port] win32: implement "-T maxudpXXX". [GL #837]
-
-5284. [func] Added +unexpected command line option to dig.
- By default, dig won't accept a reply from a source
- other than the one to which it sent the query.
- Invoking dig with +unexpected argument will allow it
- to process replies from unexpected sources.
-
-5283. [bug] When a response-policy zone expires, ensure that
- its policies are removed from the RPZ summary
- database. [GL #1146]
-
-5282. [bug] Fixed a bug in searching for possible wildcard matches
- for query names in the RPZ summary database. [GL #1146]
-
-5281. [cleanup] Don't escape commas when reporting named's command
- line. [GL #1189]
-
-5280. [protocol] Add support for displaying EDNS option LLQ. [GL #1201]
-
-5279. [bug] When loading, reject zones containing CDS or CDNSKEY
- RRsets at the zone apex if they would cause DNSSEC
- validation failures if published in the parent zone
- as the DS RRset. [GL #1187]
-
-5278. [func] Add YAML output formats for dig, mdig and delv;
- use the "+yaml" option to enable. [GL #1145]
-
- --- 9.15.3 released ---
-
-5277. [bug] Cache DB statistics could underflow when serve-stale
- was in use, because of a bug in counter maintenance
- when RRsets become stale.
-
- Functions for dumping statistics have been updated
- to dump active, stale, and ancient statistic
- counters. Ancient RRset counters are prefixed
- with '~'; stale RRset counters are still prefixed
- with '#'. [GL #602]
-
-5276. [func] DNSSEC Lookaside Validation (DLV) is now obsolete;
- all code enabling its use has been removed from the
- validator, "delv", and the DNSSEC tools. [GL #7]
-
-5275. [bug] Mark DS records included in referral messages
- with trust level "pending" so that they can be
- validated and cached immediately, with no need to
- re-query. [GL #964]
-
-5274. [bug] Address potential use after free race when shutting
- down rpz. [GL #1175]
-
-5273. [bug] Check that bits [64..71] of a dns64 prefix are zero.
- [GL #1159]
-
-5272. [cleanup] Remove isc-config.sh script as the BIND 9 libraries
- are now purely internal. [GL #1123]
-
-5271. [func] The normal (non-debugging) output of dnssec-signzone
- and dnssec-verify tools now goes to stdout, instead of
- the combination of stderr and stdout.
-
-5270. [bug] 'dig +expandaaaa +short' did not work. [GL #1152]
-
-5269. [port] cygwin: can return ETIMEDOUT on connect() with a
- non-blocking socket. [GL #1133]
-
-5268. [placeholder]
-
-5267. [func] Allow statistics groups display to be toggle-able.
- [GL #1030]
-
-5266. [bug] named-checkconf failed to report dnstap-output
- missing from named.conf when dnstap was specified.
- [GL #1136]
-
-5265. [bug] DNS64 and RPZ nodata (CNAME *.) rules interacted badly
- [GL #1106]
-
-5264. [func] New DNS Cookie algorithm - siphash24 - has been added
- to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
- have been removed. [GL #605]
-
- --- 9.15.2 released ---
-
-5263. [cleanup] Use atomics and isc_refcount_t wherever possible.
- [GL #1038]
-
-5262. [func] Removed support for the legacy GeoIP API. [GL #1112]
-
-5261. [cleanup] Remove SO_BSDCOMPAT socket option usage.
-
-5260. [bug] dnstap-read was producing malformed output for large
- packets. [GL #1093]
-
-5259. [func] New option '-i' for 'named-checkconf' to ignore
- warnings about deprecated options. [GL #1101]
-
-5258. [func] Added support for the GeoIP2 API from MaxMind. This
- will be compiled in by default if the "libmaxminddb"
- library is found at compile time, but can be
- suppressed using "configure --disable-geoip".
-
- Certain geoip ACL settings that were available with
- legacy GeoIP are not available when using GeoIP2.
- [GL #182]
-
-5257. [bug] Some statistics data was not being displayed.
- Add shading to the zone tables. [GL #1030]
-
-5256. [bug] Ensure that glue records are included in root
- priming responses if "minimal-responses" is not
- set to "yes". [GL #1092]
-
-5255. [bug] Errors encountered while reloading inline-signing
- zones could be ignored, causing the zone content to
- be left in an incompletely updated state rather than
- reverted. [GL #1109]
-
-5254. [func] Collect metrics to report to the statistics-channel
- DNSSEC signing operations (dnssec-sign) and refresh
- operations (dnssec-refresh) per zone and per keytag.
- [GL #513]
-
-5253. [port] Support platforms that don't define ULLONG_MAX.
- [GL #1098]
-
-5252. [func] Report if the last 'rndc reload/reconfig' failed in
- rndc status. [GL !2040]
-
-5251. [bug] Statistics were broken in x86 Windows builds.
- [GL #1081]
-
-5250. [func] The default size for RSA keys is now 2048 bits,
- for both ZSKs and KSKs. [GL #1097]
-
-5249. [bug] Fix a possible underflow in recursion clients
- statistics when hitting recursive clients
- soft quota. [GL #1067]
-
- --- 9.15.1 released ---
-
-5248. [func] To clarify the configuration of DNSSEC keys,
- the "managed-keys" and "trusted-keys" options
- have both been deprecated. The new "dnssec-keys"
- statement can now be used for all trust anchors,
- with the keywords "iniital-key" or "static-key"
- to indicate whether the configured trust anchor
- should be used for initialization of RFC 5011 key
- management, or as a permanent trust anchor.
-
- The "static-key" keyword will generate a warning if
- used for the root zone.
-
- Configurations using "trusted-keys" or "managed-keys"
- will continue to work with no changes, but will
- generate warnings in the log. In a future release,
- these options will be marked obsolete. [GL #6]
-
-5247. [cleanup] The 'cleaning-interval' option has been removed.
- [GL !1731]
-
-5246. [func] Log TSIG if appropriate in 'sending notify to' message.
- [GL #1058]
-
-5245. [cleanup] Reduce logging level for IXFR up-to-date poll
- responses. [GL #1009]
-
-5244. [security] Fixed a race condition in dns_dispatch_getnext()
- that could cause an assertion failure if a
- significant number of incoming packets were
- rejected. (CVE-2019-6471) [GL #942]
-
-5243. [bug] Fix a possible race between dispatcher and socket
- code in a high-load cold-cache resolver scenario.
- [GL #943]
-
-5242. [bug] In relaxed qname minimization mode, fall back to
- normal resolution when encountering a lame
- delegation, and use _.domain/A queries rather
- than domain/NS. [GL #1055]
-
-5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
- [GL #225]
-
-5240. [bug] Remove key id calculation for RSAMD5. [GL #996]
-
-5239. [func] Change the json-c detection to pkg-config. [GL #855]
-
-5238. [bug] Fix a possible deadlock in TCP code. [GL #1046]
-
-5237. [bug] Recurse to find the root server list with 'dig +trace'.
- [GL #1028]
-
-5236. [func] Add SipHash 2-4 implementation in lib/isc/siphash.c
- and switch isc_hash_function() to use SipHash 2-4.
- [GL #605]
-
-5235. [cleanup] Refactor lib/isc/app.c to be thread-safe, unused
- parts of the API has been removed and the
- isc_appctx_t data type has been changed to be
- fully opaque. [GL #1023]
-
-5234. [port] arm: just use the compiler's default support for
- yield. [GL #981]
-
- --- 9.15.0 released ---
-
-5233. [bug] Negative trust anchors did not work with "forward only;"
- to validating resolvers. [GL #997]
-
-5232. [placeholder]
-
-5231. [protocol] Add support for displaying CLIENT-TAG and SERVER-TAG.
- [GL #960]
-
-5230. [protocol] The SHA-1 hash algorithm is no longer used when
- generating DS and CDS records. [GL #1015]
-
-5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]
-
-5228. [func] If trusted-keys and managed-keys were configured
- simultaneously for the same name, the key could
- not be be rolled automatically. This is now
- a fatal configuration error. [GL #868]
-
-5227. [placeholder]
-
-5226. [placeholder]
-
-5225. [func] Allow dig to print out AAAA record fully expanded.
- with +[no]expandaaaa. [GL #765]
-
-5224. [bug] Only test provide-ixfr on TCP streams. [GL #991]
-
-5223. [bug] Fixed a race in the filter-aaaa plugin accessing
- the hash table. [GL #1005]
-
-5222. [bug] 'delv -t ANY' could leak memory. [GL #983]
-
-5221. [test] Enable parallel execution of system tests on
- Windows. [GL !4101]
-
-5220. [cleanup] Refactor the isc_stat structure to take advantage
- of stdatomic. [GL !1493]
-
-5219. [bug] Fixed a race in the filter-aaaa plugin that could
- trigger a crash when returning an instance object
- to the memory pool. [GL #982]
-
-5218. [bug] Conditionally include <dlfcn.h>. [GL #995]
-
-5217. [bug] Restore key id calculation for RSAMD5. [GL #996]
-
-5216. [bug] Fetches-per-zone counter wasn't updated correctly
- when doing qname minimization. [GL #992]
-
-5215. [bug] Change #5124 was incomplete; named could still
- return FORMERR instead of SERVFAIL in some cases.
- [GL #990]
-
-5214. [bug] win32: named now removes its lock file upon shutdown.
- [GL #979]
-
-5213. [bug] win32: Eliminated a race which allowed named.exe running
- as a service to be killed prematurely during shutdown.
- [GL #978]
-
-5212. [placeholder]
-
-5211. [bug] Allow out-of-zone additional data to be included
- in authoritative responses if recursion is allowed
- and "minimal-responses" is disabled. This behavior
- was inadvertently removed in change #4605. [GL #817]
-
-5210. [bug] When dnstap is enabled and recursion is not
- available, incoming queries are now logged
- as "auth". Previously, this depended on whether
- recursion was requested by the client, not on
- whether recursion was available. [GL #963]
-
-5209. [bug] When update-check-ksk is true, add_sigs was not
- considering offline keys, leaving record sets signed
- with the incorrect type key. [GL #763]
-
-5208. [test] Run valid rdata wire encodings through totext+fromtext
- and tofmttext+fromtext methods to check these methods.
- [GL #899]
-
-5207. [test] Check delv and dig TTL values. [GL #965]
-
-5206. [bug] Delv could print out bad TTLs. [GL #965]
-
-5205. [bug] Enforce that a DS hash exists. [GL #899]
-
-5204. [test] Check that dns_rdata_fromtext() produces a record that
- will be accepted by dns_rdata_fromwire(). [GL #852]
-
-5203. [bug] Enforce whether key rdata exists or not in KEY,
- DNSKEY, CDNSKEY and RKEY. [GL #899]
-
-5202. [bug] <dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
-
-5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]
-
-5200. [security] tcp-clients settings could be exceeded in some cases,
- which could lead to exhaustion of file descriptors.
- (CVE-2018-5743) [GL #615]
-
-5199. [security] In certain configurations, named could crash
- if nxdomain-redirect was in use and a redirected
- query resulted in an NXDOMAIN from the cache.
- (CVE-2019-6467) [GL #880]
-
-5198. [bug] If a fetch context was being shut down and, at the same
- time, we returned from qname minimization, an INSIST
- could be hit. [GL #966]
-
-5197. [bug] dig could die in best effort mode on multiple SIG(0)
- records. Similarly on multiple OPT and multiple TSIG
- records. [GL #920]
-
-5196. [bug] make install failed with --with-dlopen=no. [GL #955]
-
-5195. [bug] "allow-update" and "allow-update-forwarding" were
- treated as configuration errors if used at the
- options or view level. [GL #913]
-
-5194. [bug] Enforce non empty ZOMEMD hash. [GL #899]
-
-5193. [bug] EID and NIMLOC failed to do multi-line output
- correctly. [GL #899]
-
-5192. [placeholder]
-
-5191. [placeholder]
-
-5190. [bug] Ignore trust anchors using disabled algorithms.
- [GL #806]
-
-5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]
-
-5188. [func] The "dnssec-enable" option is deprecated and no
- longer has any effect; DNSSEC responses are
- always enabled. [GL #866]
-
-5187. [test] Set time zone before running any tests in dnstap_test.
- [GL #940]
-
-5186. [cleanup] More dnssec-keygen manual tidying. [GL !1678]
-
-5185. [placeholder]
-
-5184. [bug] Missing unlocks in sdlz.c. [GL #936]
-
-5183. [bug] Reinitialize ECS data before reusing client
- structures. [GL #881]
-
-5182. [bug] Fix a high-load race/crash in handling of
- isc_socket_close() in resolver. [GL #834]
-
-5181. [func] Add a mechanism for a DLZ module to signal that
- the view's allow-transfer ACL should be used to
- determine whether transfers are allowed. [GL #803]
-
-5180. [bug] delv now honors the operating system's preferred
- ephemeral port range. [GL #925]
-
-5179. [cleanup] Replace some vague type declarations with the more
- specific dns_secalg_t and dns_dsdigest_t.
- Thanks to Tony Finch. [GL !1498]
-
-5178. [bug] Handle EDQUOT (disk quota) and ENOSPC (disk full)
- errors when writing files. [GL #902]
-
-5177. [func] Add the ability to specify in named.conf whether a
- response-policy zone's SOA record should be added
- to the additional section (add-soa yes/no). [GL #865]
-
-5176. [tests] Remove a dependency on libxml in statschannel system
- test. [GL #926]
-
-5175. [bug] Fixed a problem with file input in dnssec-keymgr,
- dnssec-coverage and dnssec-checkds when using
- python3. [GL #882]
-
-5174. [doc] Tidy dnssec-keygen manual. [GL !1557]
-
-5173. [bug] Fixed a race in socket code that could occur when
- accept, send, or recv were called from an event
- loop but the socket had been closed by another
- thread. [RT #874]
-
-5172. [bug] nsupdate now honors the operating system's preferred
- ephemeral port range. [GL #905]
-
-5171. [func] named plugins are now installed into a separate
- directory. Supplying a filename (a string without path
- separators) in a "plugin" configuration stanza now
- causes named to look for that plugin in that directory.
- [GL #878]
-
-5170. [test] Added --with-dlz-filesystem to feature-test. [GL !1587]
-
-5169. [bug] The presence of certain types in an otherwise
- empty node could cause a crash while processing a
- type ANY query. [GL #901]
-
-5168. [bug] Do not crash on shutdown when RPZ fails to load. Also,
- keep previous version of the database if RPZ fails to
- load. [GL #813]
-
-5167. [bug] nxdomain-redirect could sometimes lookup the wrong
- redirect name. [GL #892]
-
-5166. [placeholder]
-
-5165. [contrib] Removed SDB drivers from contrib; they're obsolete.
- [GL #428]
-
-5164. [bug] Correct errno to result translation in dlz filesystem
- modules. [GL #884]
-
-5163. [cleanup] Out-of-tree builds failed --enable-dnstap. [GL #836]
-
-5162. [cleanup] Improve dnssec-keymgr manual. Thanks to Tony Finch.
- [GL !1518]
-
-5161. [bug] Do not require the SEP bit to be set for mirror zone
- trust anchors. [GL #873]
-
-5160. [contrib] Added DNAME support to the DLZ LDAP schema. Also
- fixed a compilation bug affecting several DLZ
- modules. [GL #872]
-
-5159. [bug] dnssec-coverage was incorrectly ignoring
- names specified on the command line without
- trailing dots. [GL !1478]
-
-5158. [protocol] Add support for AMTRELAY and ZONEMD. [GL #867]
-
-5157. [bug] Nslookup now errors out if there are extra command
- line arguments. [GL #207]
-
-5156. [doc] Extended and refined the section of the ARM describing
- mirror zones. [GL #774]
-
-5155. [func] "named -V" now outputs the default paths to
- named.conf, rndc.conf, bind.keys, and other
- files used or created by named and other tools, so
- that the correct paths to these files can quickly be
- determined regardless of the configure settings
- used when BIND was built. [GL #859]
-
-5154. [bug] dig: process_opt could be called twice on the same
- message leading to a assertion failure. [GL #860]
-
-5153. [func] Zone transfer statistics (size, number of records, and
- number of messages) are now logged for outgoing
- transfers as well as incoming ones. [GL #513]
-
-5152. [func] Improved logging of DNSSEC key events:
- - Zone signing and DNSKEY maintenance events are
- now logged to the "dnssec" category
- - Messages are now logged when DNSSEC keys are
- published, activated, inactivated, deleted,
- or revoked.
- [GL #714]
-
-5151. [func] Options that have been been marked as obsolete in
- named.conf for a very long time are now fatal
- configuration errors. [GL #358]
-
-5150. [cleanup] Remove the ability to compile BIND with assertions
- disabled. [GL #735]
-
-5149. [func] "rndc dumpdb" now prints a line above a stale RRset
- indicating how long the data will be retained in the
- cache for emergency use. [GL #101]
-
-5148. [bug] named did not sign the TKEY response. [GL #821]
-
-5147. [bug] dnssec-keymgr: Add a five-minute margin to better
- handle key events close to 'now'. [GL #848]
-
-5146. [placeholder]
-
-5145. [func] Use atomics instead of locked variables for isc_quota
- and isc_counter. [GL !1389]
-
-5144. [bug] dig now returns a non-zero exit code when a TCP
- connection is prematurely closed by a peer more than
- once for the same lookup. [GL #820]
-
-5143. [bug] dnssec-keymgr and dnssec-coverage failed to find
- key files for zone names ending in ".". [GL #560]
-
-5142. [cleanup] Removed "configure --disable-rpz-nsip" and
- "--disable-rpz-nsdname" options. "nsip-enable"
- and "nsdname-enable" both now default to yes,
- regardless of compile-time settings. [GL #824]
-
-5141. [security] Zone transfer controls for writable DLZ zones were
- not effective as the allowzonexfr method was not being
- called for such zones. (CVE-2019-6465) [GL #790]
-
-5140. [bug] Don't immediately mark existing keys as inactive and
- deleted when running dnssec-keymgr for the first
- time. [GL #117]
-
-5139. [bug] If possible, don't use forwarders when priming.
- This ensures we can get root server IP addresses
- from priming query response glue, which may not
- be present if the forwarding server is returning
- minimal responses. [GL #752]
-
-5138. [bug] Under some circumstances named could hit an assertion
- failure when doing qname minimization when using
- forwarders. [GL #797]
-
-5137. [func] named now logs messages whenever a mirror zone becomes
- usable or unusable for resolution purposes. [GL #818]
-
-5136. [cleanup] Check in named-checkconf that allow-update and
- allow-update-forwarding are not set at the
- view/options level; fix documentation. [GL #512]
-
-5135. [port] sparc: Use smt_pause() instead of pause. [GL #816]
-
-5134. [bug] win32: WSAStartup was not called before getservbyname
- was called. [GL #590]
-
-5133. [bug] 'rndc managed-keys' didn't handle class and view
- correctly and failed to add new lines between each
- view. [GL !1327]
-
-5132. [bug] Fix race condition in cleanup part of dns_dt_create().
- [GL !1323]
-
-5131. [cleanup] Address Coverity warnings. [GL #801]
-
-5130. [cleanup] Remove support for l10n message catalogs. [GL #709]
-
-5129. [contrib] sdlz_helper.c:build_querylist was not properly
- splitting the query string. [GL #798]
-
-5128. [bug] Refreshkeytime was not being updated for managed
- keys zones. [GL #784]
-
-5127. [bug] rcode.c:maybe_numeric failed to handle NUL in text
- regions. [GL #807]
-
-5126. [bug] Named incorrectly accepted empty base64 and hex encoded
- fields when reading master files. [GL #807]
-
-5125. [bug] Allow for up to 100 records or 64k of data when caching
- a negative response. [GL #804]
-
-5124. [bug] Named could incorrectly return FORMERR rather than
- SERVFAIL. [GL #804]
-
-5123. [bug] dig could hang indefinitely after encountering an error
- before creating a TCP socket. [GL #692]
-
-5122. [bug] In a "forward first;" configuration, a forwarder
- timeout did not prevent that forwarder from being
- queried again after falling back to full recursive
- resolution. [GL #315]
-
-5121. [contrib] dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
- matching zone names. [GL !1299]
-
-5120. [placeholder]
-
-5119. [placeholder]
-
-5118. [security] Named could crash if it is managing a key with
- `managed-keys` and the authoritative zone is rolling
- the key to an unsupported algorithm. (CVE-2018-5745)
- [GL #780]
-
-5117. [placeholder]
-
-5116. [bug] Named/named-checkconf triggered a assertion when
- a mirror zone's name is bad. [GL #778]
-
-5115. [bug] Allow unsupported algorithms in zone when not used for
- signing with dnssec-signzone. [GL #783]
-
-5114. [func] Include a 'reconfig/reload in progress' status line
- in rndc status, use it in tests.
-
-5113. [port] Fixed a Windows build error.
-
-5112. [bug] Named/named-checkconf could dump core if there was
- a missing masters clause and a bad notify clause.
- [GL #779]
-
-5111. [bug] Occluded DNSKEY records could make it into the
- delegating NSEC/NSEC3 bitmap. [GL #742]
-
-5110. [security] Named leaked memory if there were multiple Key Tag
- EDNS options present. (CVE-2018-5744) [GL #772]
-
-5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
-
- --- 9.13.5 released ---
-
-5108. [bug] Named could fail to determine bottom of zone when
- removing out of date keys leading to invalid NSEC
- and NSEC3 records being added to the zone. [GL #771]
-
-5107. [bug] 'host -U' did not work. [GL #769]
-
-5106. [experimental] A new "plugin" mechanism has been added to allow
- extension of query processing functionality through
- the use of dynamically loadable libraries. A
- "filter-aaaa.so" plugin has been implemented,
- replacing the filter-aaaa feature that was formerly
- implemented as a native part of BIND.
-
- The "filter-aaaa", "filter-aaaa-on-v4" and
- "filter-aaaa-on-v6" options can no longer be
- configured using native named.conf syntax. However,
- loading the filter-aaaa.so plugin and setting its
- parameters provides identical functionality.
-
- Note that the plugin API is a work in progress and
- is likely to evolve as further plugins are
- implemented. [GL #15]
-
-5105. [bug] Fix a race between process_fd and socketclose in
- unix socket code. [GL #744]
-
-5104. [cleanup] Log clearer informational message when a catz zone
- is overridden by a zone in named.conf.
- Thanks to Tony Finch. [GL !1157]
-
-5103. [bug] Add missing design by contract tests to dns_catz*.
- [GL #748]
-
-5102. [bug] dnssec-coverage failed to use the default TTL when
- checking KSK deletion times leading to a exception.
- [GL #585]
-
-5101. [bug] Fix default installation path for Python modules and
- remove the dnspython dependency accidentally introduced
- by change 4970. [GL #730]
-
-5100. [func] Pin resolver tasks to specific task queues. [GL !1117]
-
-5099. [func] Failed mutex and conditional creations are always
- fatal. [GL #674]
-
- --- 9.13.4 released ---
-
-5098. [func] Failed memory allocations are now fatal. [GL #674]
-
-5097. [cleanup] Remove embedded ATF unit testing framework
- from BIND source distribution. [GL !875]
-
-5096. [func] Use multiple event loops in socket code, and
- make network threads CPU-affinitive. This
- significantly improves performance on large
- systems. [GL #666]
-
-5095. [test] Converted all unit tests from ATF to CMocka;
- removed the source code for the ATF libraries.
- Build with "configure --with-cmocka" to enable
- unit testing. [GL #620]
-
-5094. [func] Add 'dig -r' to disable reading of .digrc. [GL !970]
-
-5093. [bug] Log lame qname-minimization servers only if they're
- really lame. [GL #671]
-
-5092. [bug] Address memory leak on SIGTERM in nsupdate when using
- GSS-TSIG. [GL #558]
-
-5091. [func] Two new global and per-view options min-cache-ttl
- and min-ncache-ttl [GL #613]
-
-5090. [bug] dig and mdig failed to properly pre-parse dash value
- pairs when value was a separate argument and started
- with a dash. [GL #584]
-
-5089. [bug] Restore localhost fallback in dig and host which is
- used when no nameserver addresses present in
- /etc/resolv.conf are usable due to the requested
- address family restrictions. [GL #433]
-
-5088. [bug] dig/host/nslookup could crash when interrupted close to
- a query timeout. [GL #599]
-
-5087. [test] Check that result tables are complete. [GL #676]
-
-5086. [func] Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
-
-5085. [bug] win32: Restore looking up nameservers, search list,
- etc. [GL #186]
-
-5084. [placeholder]
-
-5083. [func] Add autoconf macro AX_POSIX_SHELL, so we
- can use POSIX-compatible shell features
- in the scripts.
-
-5082. [bug] Fixed a race that could cause a crash in
- dig/host/nslookup. [GL #650]
-
-5081. [func] Use per-worker queues in task manager, make task
- runners CPU-affine. [GL #659]
-
-5080. [func] Improvements to "rndc nta" user interface:
- - catch and report invalid command line options
- - when removing an NTA from all views, do not
- abort with an error if the NTA was not found
- in one of the views
- - include the view name in "rndc nta -dump"
- output, for consistency with the add and remove
- actions
- Thanks to Tony Finch. [GL !816]
-
-5079. [func] Disable IDN processing in dig and nslookup
- when not on a tty. [GL #653]
-
-5078. [cleanup] Require python components to be explicitly disabled if
- python is not available on unix platforms. [GL #601]
-
-5077. [cleanup] Remove ip6.int support (-i) from dig and mdig.
- [GL !969]
-
-5076. [bug] "require-server-cookie" was not effective if
- "rate-limit" was configured. [GL #617]
-
-5075. [bug] Refresh nameservers from cache when sending final
- query in qname minimization. [GL #16]
-
-5074. [cleanup] Remove vector socket functions - isc_socket_recvv(),
- isc_socket_sendtov(), isc_socket_sendtov2(),
- isc_socket_sendv() - in order to simplify socket code.
- [GL #645]
-
-5073. [bug] Destroy a task first when destroying rpzs and catzs.
- [GL #84]
-
-5072. [bug] Add unit tests for isc_buffer_copyregion() and fix its
- behavior for auto-reallocated buffers. [GL #644]
-
-5071. [bug] Comparison of NXT records was broken. [GL #631]
-
-5070. [bug] Record types which support a empty rdata field were
- not handling the empty rdata field case. [GL #638]
-
-5069. [bug] Fix a hang on in RPZ when named is shutdown during RPZ
- zone update. [GL !907]
-
-5068. [bug] Fix a race in RPZ with min-update-interval set to 0.
- [GL #643]
-
-5067. [bug] Don't minimize qname when sending the query
- to a forwarder. [GL #361]
-
-5066. [cleanup] Allow unquoted strings to be used as a zone names
- in response-policy statements. [GL #641]
-
-5065. [bug] Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
-
-5064. [test] Initialize TZ environment variable before calling
- dns_test_begin in dnstap_test. [GL #624]
-
-5063. [test] In statschannel test try a few times before failing
- when checking if the compressed output is the same as
- uncompressed. [GL !909]
-
-5062. [func] Use non-crypto-secure PRNG to generate nonces for
- cookies. [GL !887]
-
-5061. [protocol] Add support for EID and NIMLOC. [GL #626]
-
-5060. [bug] GID, UID and UINFO could not be loaded using unknown
- record format. [GL #627]
-
-5059. [bug] Display a per-view list of zones in the web interface.
- [GL #427]
-
-5058. [func] Replace old message digest and hmac APIs with more
- generic isc_md and isc_hmac APIs, and convert their
- respective tests to cmocka. [GL #305]
-
-5057. [protocol] Add support for ATMA. [GL #619]
-
-5056. [placeholder]
-
-5055. [func] A default list of primary servers for the root zone is
- now built into named, allowing the "masters" statement
- to be omitted when configuring an IANA root zone
- mirror. [GL #564]
-
-5054. [func] Attempts to use mirror zones with recursion disabled
- are now considered a configuration error. [GL #564]
-
-5053. [func] The only valid zone-level NOTIFY settings for mirror
- zones are now "notify no;" and "notify explicit;".
- [GL #564]
-
-5052. [func] Mirror zones are now configured using "type mirror;"
- rather than "mirror yes;". [GL #564]
-
-5051. [doc] Documentation incorrectly stated that the
- "server-addresses" static-stub zone option accepts
- custom port numbers. [GL #582]
-
-5050. [bug] The libirs version of getaddrinfo() was unable to parse
- scoped IPv6 addresses present in /etc/resolv.conf.
- [GL #187]
-
-5049. [cleanup] QNAME minimization has been deeply refactored. [GL #16]
-
-5048. [func] Add configure option to enable and enforce FIPS mode
- in BIND 9. [GL #506]
-
-5047. [bug] Messages logged for certain query processing failures
- now include a more specific error description if it is
- available. [GL #572]
-
-5046. [bug] named could crash during shutdown if an RPZ
- reload was in progress. [RT #46210]
-
-5045. [func] Remove support for DNSSEC algorithms 3 (DSA)
- and 6 (DSA-NSEC3-SHA1). [GL #22]
-
-5044. [cleanup] If "dnssec-enable" is no, then "dnssec-validation"
- now also defaults to no. [GL #388]
-
-5043. [bug] Fix creating and validating EdDSA signatures. [GL #579]
-
-5042. [test] Make the chained delegations in reclimit behave
- like they would in a regular name server. [GL #578]
-
-5041. [test] The chain test contains a incomplete delegation.
- [GL #568]
-
-5040. [func] Extended dnstap so that it can log UPDATE requests
- and responses as separate message types. Thanks
- to Greg Rabil. [GL #570]
-
-5039. [bug] Named could fail to preserve owner name case of new
- RRset. [GL #420]
-
-5038. [bug] Chaosnet addresses were compared incorrectly.
- [GL #562]
-
-5037. [func] "allow-recursion-on" and "allow-query-cache-on"
- each now default to the other if only one of them
- is set, in order to be more consistent with the way
- "allow-recursion" and "allow-query-cache" work.
- Also we now ensure that both query-cache ACLs are
- checked when determining cache access. [GL #319]
-
-5036. [cleanup] Fixed a spacing/formatting error in some RPZ-related
- error messages in the log. [GL !805]
-
-5035. [test] Fixed errors that prevented the DNSRPS subtests
- from running in the rpz and rpzrecurse system
- tests. [GL #503]
-
-5034. [bug] A race between threads could prevent zone maintenance
- scheduled immediately after zone load from being
- performed. [GL #542]
-
-5033. [bug] When adding NTAs to multiple views using "rndc nta",
- the text returned via rndc was incorrectly terminated
- after the first line, making it look as if only one
- NTA had been added. Also, it was not possible to
- differentiate between views with the same name but
- different classes; this has been corrected with the
- addition of a "-class" option. [GL #105]
-
-5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
- [GL #511]
-
-5031. [cleanup] Various defines in platform.h has been either dropped
- if always or never triggered on supported platforms
- or replaced with config.h equivalents if the defines
- didn't have any impact on public headers. Workarounds
- for LinuxThreads have been removed because NPTL is
- available since Linux kernel 2.6.0. [GL #525]
-
-5030. [bug] Align CMSG buffers to a 64-bit boundary, fixes crash
- on architectures with strict alignment. [GL #521]
-
- --- 9.13.3 released ---
-
-5029. [func] Workarounds for servers that misbehave when queried
- with EDNS have been removed, because these broken
- servers and the workarounds for their noncompliance
- cause unnecessary delays, increase code complexity,
- and prevent deployment of new DNS features. See
- https://dnsflagday.net for further details. [GL #150]
-
-5028. [bug] Spread the initial RRSIG expiration times over the
- entire working sig-validity-interval when signing a
- zone in named to even out re-signing and transfer
- loads. [GL #418]
-
-5027. [func] Set SO_SNDBUF size on sockets. [GL #74]
-
-5026. [bug] rndc reconfig should not touch already loaded zones.
- [GL #276]
-
-5025. [cleanup] Remove isc_keyboard family of functions. [GL #178]
-
-5024. [func] Replace custom assembly for atomic operations with
- atomic support from the compiler. The code will now use
- C11 stdatomic, or __atomic, or __sync builtins with GCC
- or Clang compilers, and Interlocked functions with MSVC.
- [GL #10]
-
-5023. [cleanup] Remove wrappers that try to fix broken or incomplete
- implementations of IPv6, pthreads and other core
- functionality required and used by BIND. [GL #192]
-
-5022. [doc] Update ms-self, ms-subdomain, krb5-self, and
- krb5-subdomain documentation. [GL !708]
-
-5021. [bug] dig returned a non-zero exit code when it received a
- reply over TCP after a retry. [GL #487]
-
-5020. [func] RNG uses thread-local storage instead of locks, if
- supported by platform. [GL #496]
-
-5019. [cleanup] A message is now logged when ixfr-from-differences is
- set at zone level for an inline-signed zone. [GL #470]
-
-5018. [bug] Fix incorrect sizeof arguments in lib/isc/pk11.c.
- [GL !588]
-
-5017. [bug] lib/isc/pk11.c failed to unlink the session before
- releasing the lock which is unsafe. [GL !589]
-
-5016. [bug] Named could assert with overlapping filter-aaaa and
- dns64 acls. [GL #445]
-
-5015. [bug] Reloading all zones caused zone maintenance to cease
- for inline-signed zones. [GL #435]
-
-5014. [bug] Signatures loaded from the journal for the signed
- version of an inline-signed zone were not scheduled for
- refresh. [GL #482]
-
-5013. [bug] A referral response with a non-empty ANSWER section was
- inadvertently being treated as an error. [GL #390]
-
-5012. [bug] Fix lock order reversal in pk11_initialize. [GL !590]
-
-5011. [func] Remove support for unthreaded named. [GL #478]
-
-5010. [func] New "validate-except" option specifies a list of
- domains beneath which DNSSEC validation should not
- be performed. [GL #237]
-
-5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL
- error queue was not logged. [GL #476]
-
-5008. [bug] "rndc signing -nsec3param ..." requests were silently
- ignored for zones which were not yet loaded or
- transferred. [GL #468]
-
-5007. [cleanup] Replace custom ISC boolean and integer data types
- with C99 stdint.h and stdbool.h types. [GL #9]
-
-5006. [cleanup] Code preparing a delegation response was extracted from
- query_delegation() and query_zone_delegation() into a
- separate function in order to decrease code
- duplication. [GL #431]
-
-5005. [bug] dnssec-verify, and dnssec-signzone at the verification
- step, failed on some validly signed zones. [GL #442]
-
-5004. [bug] 'rndc reconfig' could cause inline zones to stop
- re-signing. [GL #439]
-
-5003. [bug] dns_acl_isinsecure did not handle geoip elements.
- [GL #406]
-
-5002. [bug] mdig: Handle malformed +ednsopt option, support 100
- +ednsopt options per query rather than 100 total and
- address memory leaks if +ednsopt was specified.
- [GL #410]
-
-5001. [bug] Fix refcount errors on error paths. [GL !563]
-
-5000. [bug] named_server_servestale() could leave the server in
- exclusive mode if an error occurred. [GL #441]
-
-4999. [cleanup] Remove custom printf implementation in lib/isc/print.c.
- [GL #261]
-
-4998. [test] Make resolver and cacheclean tests more civilized.
-
-4997. [security] named could crash during recursive processing
- of DNAME records when "deny-answer-aliases" was
- in use. (CVE-2018-5740) [GL #387]
-
-4996. [bug] dig: Handle malformed +ednsopt option. [GL #403]
-
-4995. [test] Add tests for "tcp-self" update policy. [GL !282]
-
-4994. [bug] Trust anchor telemetry queries were not being sent
- upstream for locally served zones. [GL #392]
-
-4993. [cleanup] Remove support for silently ignoring 'no-change' deltas
- from BIND 8 when processing an IXFR stream. 'no-change'
- deltas will now trigger a fallback to AXFR as the
- recovery mechanism. [GL #369]
-
-4992. [bug] The wrong address was being logged for trust anchor
- telemetry queries. [GL #379]
-
-4991. [bug] "rndc reconfig" was incorrectly handling zones whose
- "mirror" setting was changed. [GL #381]
-
-4990. [bug] Prevent a possible NULL reference in pkcs11-keygen.
- [GL #401]
-
-4989. [cleanup] IDN support in dig has been reworked. IDNA2003
- fallbacks were removed in the process. [GL #384]
-
-4988. [bug] Don't synthesize NXDOMAIN from NSEC for records under
- a DNAME.
-
- --- 9.13.2 released ---
-
-4987. [cleanup] dns_rdataslab_tordataset() and its related
- dns_rdatasetmethods_t callbacks were removed as they
- were not being used by anything in BIND. [GL #371]
-
-4986. [func] When built on Linux, BIND now requires the libcap
- library to set process privileges, unless capability
- support is explicitly overridden with "configure
- --disable-linux-caps". [GL #321]
-
-4985. [func] Add a new slave zone option, "mirror", to enable
- serving a non-authoritative copy of a zone that
- is subject to DNSSEC validation before being
- used. For now, this option is only meant to
- facilitate deployment of an RFC 7706-style local
- copy of the root zone. [GL #33]
-
-4984. [bug] Improve handling of very large incremental
- zone transfers to prevent journal corruption. [GL #339]
-
-4983. [func] Add the ability to not return a DNS COOKIE option
- when one is present in the request (answer-cookie no;).
- [GL #173]
-
-4982. [cleanup] Return FORMERR if the question section is empty
- and no COOKIE option is present; this restores
- older behavior except in the newly specified
- COOKIE case. [GL #260]
-
-4981. [bug] Fix race in cmsg buffer usage in socket code.
- [GL #180]
-
-4980. [bug] Named-checkconf failed to detect bad in-view targets.
- [GL #288]
-
-4979. [placeholder]
-
-4978. [test] Fix error handling and resolver configuration in the
- "rpz" system test. [GL #312]
-
-4977. [func] When starting up, log the same details that
- would be reported by 'named -V'. [GL #247]
-
-4976. [bug] Log the label with invalid prefix length correctly
- when loading RPZ zones. [GL #254]
-
-4975. [bug] The server cookie computation for sha1 and sha256 did
- not match the method described in RFC 7873. [GL #356]
-
-4974. [bug] Restore default rrset-order to random. [GL #336]
-
-4973. [func] verifyzone() and the functions it uses were moved to
- libdns and refactored to prevent exit() from being
- called upon failure. A side effect of that is that
- dnssec-signzone and dnssec-verify now check for memory
- leaks upon shutdown. [GL #266]
-
-4972. [func] Declare the 'rdata' argument for dns_rdata_tostruct()
- to be const. [GL #341]
-
-4971. [bug] dnssec-signzone and dnssec-verify did not treat records
- below a DNAME as out-of-zone data. [GL #298]
-
-4970. [func] Add QNAME minimization option to resolver. [GL #16]
-
-4969. [cleanup] Refactor zone logging functions. [GL #269]
-
- --- 9.13.1 released ---
-
-4968. [bug] If glue records are signed, attempt to validate them.
- [GL #209]
-
-4967. [cleanup] Add "answer-cookie" to the parser, marked obsolete.
-
-4966. [placeholder]
-
-4965. [func] Add support for marking options as deprecated.
- [GL #322]
-
-4964. [bug] Reduce the probability of double signature when deleting
- a DNSKEY by checking if the node is otherwise signed
- by the algorithm of the key to be deleted. [GL #240]
-
-4963. [test] ifconfig.sh now uses "ip" instead of "ifconfig",
- if available, to configure the test interfaces on
- linux. [GL #302]
-
-4962. [cleanup] Move 'named -T' processing to its own function.
- [GL #316]
-
-4961. [protocol] Remove support for ECC-GOST (GOST R 34.11-94).
- [GL #295]
-
-4960. [security] When recursion is enabled, but the "allow-recursion"
- and "allow-query-cache" ACLs are not specified,
- they should be limited to local networks,
- but were inadvertently set to match the default
- "allow-query", thus allowing remote queries.
- (CVE-2018-5738) [GL #309]
-
-4959. [func] NSID logging (enabled by the "request-nsid" option)
- now has its own "nsid" category, instead of using the
- "resolver" category. [GL !332]
-
-4958. [bug] Remove redundant space from NSEC3 record. [GL #281]
-
-4957. [func] The default setting for "dnssec-validation" is now
- "auto", which activates DNSSEC validation using the
- IANA root key. (The default can be changed back to
- "yes", which activates DNSSEC validation only when keys
- are explicitly configured in named.conf, by building
- BIND with "configure --disable-auto-validation".)
- [GL #30]
-
-4956. [func] Change isc_random() to be just PRNG using xoshiro128**,
- and add isc_nonce_buf() that uses CSPRNG. [GL #289]
-
-4955. [cleanup] Silence cppcheck warnings in lib/dns/master.c.
- [GL #286]
-
-4954. [func] Messages about serving of stale answers are now
- directed to the "serve-stale" logging category.
- Also clarified serve-stale documentation. [GL !323]
-
-4953. [bug] Removed the option to build the red black tree
- database without a hash table; the non-hashing
- version was buggy and is not needed. [GL #184]
-
-4952. [func] Authoritative server support in named for the
- EDNS CLIENT-SUBNET option (which was experimental
- and not practical to deploy) has been removed.
-
- The ECS option is still supported in dig and mdig
- via the +subnet option, and can be parsed and logged
- when received by named, but it is no longer used
- for ACL processing. The "geoip-use-ecs" option
- is now obsolete; a warning will be logged if it is
- used in named.conf. "ecs" tags in an ACL definition
- are also obsolete and will cause the configuration
- to fail to load. [GL #32]
-
-4951. [protocol] Add "HOME.ARPA" to list of built in empty zones as
- per RFC 8375. [GL #273]
-
- --- 9.13.0 released ---
-
-4950. [bug] ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
-
-4949. [placeholder]
-
-4948. [bug] When request-nsid is turned on, EDNS NSID options
- should be logged at level info. Since change 3741
- they have been logged at debug(3) by mistake.
- [GL !290]
-
-4947. [func] Replace all random functions with isc_random(),
- isc_random_buf() and isc_random_uniform() API.
- [GL #221]
-
-4946. [bug] Additional glue was not being returned by resolver
- for unsigned zones since change 4596. [GL #209]
-
-4945. [func] BIND can no longer be built without DNSSEC support.
- A cryptography provider (i.e., OpenSSL or a hardware
- service module with PKCS#11 support) must be
- available. [GL #244]
-
-4944. [cleanup] Silence cppcheck portability warnings in
- lib/isc/tests/buffer_test.c. [GL #239]
-
-4943. [bug] Change 4687 consumed too much memory when running
- system tests with --with-tuning=large. Reduced the
- hash table size to 512 entries for 'named -m record'
- restoring the previous memory footprint. [GL #248]
-
-4942. [cleanup] Consolidate multiple instances of splitting of
- batchline in dig into a single function. [GL #196]
-
-4941. [cleanup] Silence clang static analyzer warnings. [GL #196]
-
-4940. [cleanup] Extract the loop in dns__zone_updatesigs() into
- separate functions to improve code readability.
- [GL #135]
-
-4939. [test] Add basic unit tests for update_sigs(). [GL #135]
-
-4938. [placeholder]
-
-4937. [func] Remove support for OpenSSL < 1.0.0 [GL #191]
-
-4936. [func] Always use OpenSSL or PKCS#11 random data providers,
- and remove the --{enable,disable}-crypto-rand configure
- options. [GL #165]
-
-4935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
- call were added). [GL #191]
-
-4934. [security] The serve-stale feature could cause an assertion failure
- in rbtdb.c even when stale-answer-enable was false.
- Simultaneous use of stale cache records and NSEC
- aggressive negative caching could trigger a recursion
- loop. (CVE-2018-5737) [GL #185]
-
-4933. [bug] Not creating signing keys for an inline signed zone
- prevented changes applied to the raw zone from being
- reflected in the secure zone until signing keys were
- made available. [GL #159]
-
-4932. [bug] Bumped signed serial of an inline signed zone was
- logged even when an error occurred while updating
- signatures. [GL #159]
-
-4931. [func] Removed the "rbtdb64" database implementation.
- [GL #217]
-
-4930. [bug] Remove a bogus check in nslookup command line
- argument processing. [GL #206]
-
-4929. [func] Add the ability to set RA and TC in queries made by
- dig (+[no]raflag, +[no]tcflag). [GL #213]
-
-4928. [func] The "dnskey-sig-validity" option allows
- "sig-validity-interval" to be overridden for signatures
- covering DNSKEY RRsets. [GL #145]
-
-4927. [placeholder]
-
-4926. [func] Add root key sentinel support. To disable, add
- 'root-key-sentinel no;' to named.conf. [GL #37]
-
-4925. [func] Several configuration options that define intervals
- can now take TTL value suffixes (for example, 2h or 1d)
- in addition to integer parameters. These include
- max-cache-ttl, max-ncache-ttl, max-policy-ttl,
- fstrm-set-reopen-interval, interface-interval, and
- min-update-interval. [GL #203]
-
-4924. [cleanup] Clean up the isc_string_* namespace and leave
- only strlcpy and strlcat. [GL #178]
-
-4923. [cleanup] Refactor socket and socket event options into
- enum types. [GL !135]
-
-4922. [bug] dnstap: Log the destination address of client
- packets rather than the interface address.
- [GL #197]
-
-4921. [cleanup] Add dns_fixedname_initname() and refactor the caller
- code to make usage of the new function, as a part of
- refactoring dns_fixedname_*() macros were turned into
- functions. [GL #183]
-
-4920. [cleanup] Clean up libdns removing most of the backwards
- compatibility wrappers.
-
-4919. [cleanup] Clean up the isc_hash_* namespace and leave only
- the FNV-1a hash implementation. [GL #178]
-
-4918. [bug] Fix double free after keygen error in dnssec-keygen
- when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
- fails. [GL #109]
-
-4917. [func] Support 64 RPZ policy zones by default. [GL #123]
-
-4916. [func] Remove IDNA2003 support and the bundled idnkit-1.0
- library.
-
-4915. [func] Implement IDNA2008 support in dig by adding support
- for libidn2. New dig option +idnin has been added,
- which allows to process invalid domain names much
- like dig without IDN support. libidn2 version 2.0
- or higher is needed for +idnout enabled by default.
-
-4914. [security] A bug in zone database reference counting could lead to
- a crash when multiple versions of a slave zone were
- transferred from a master in close succession.
- (CVE-2018-5736) [GL #134]
-
-4913. [test] Re-implemented older unit tests in bin/tests as ATF,
- removed the lib/tests unit testing library. [GL #115]
-
-4912. [test] Improved the reliability of the 'cds' system test.
- [GL #136]
-
-4911. [test] Improved the reliability of the 'mkeys' system test.
- [GL #128]
-
-4910. [func] Update util/check-changes to work on release branches.
- [GL #113]
-
-4909. [bug] named-checkconf did not detect in-view zone collisions.
- [GL #125]
-
-4908. [test] Eliminated unnecessary waiting in the allow_query
- system test. Also changed its name to allow-query.
- [GL #81]
-
-4907. [test] Improved the reliability of the 'notify' system
- test. [GL #59]
-
-4906. [func] Replace getquad() with inet_pton(), completing
- change #4900. [GL #56]
-
-4905. [bug] irs_resconf_load() ignored resolv.conf syntax errors
- when "domain" or "search" options were present in that
- file. [GL #110]
-
-4904. [bug] Temporarily revert change #4859. [GL #124]
-
-4903. [bug] "check-mx fail;" did not prevent MX records containing
- IP addresses from being added to a zone by a dynamic
- update. [GL #112]
-
-4902. [test] Improved the reliability of the 'ixfr' system
- test. [GL #66]
-
-4901. [func] "dig +nssearch" now lists the name servers
- for a domain that time out, as well as the servers
- that respond. [GL #64]
-
-4900. [func] Remove all uses of inet_aton(). As a result of this
- change, IPv4 addresses are now only accepted in
- dotted-quad format. [GL #13]
-
-4899. [test] Convert most of the remaining system tests to be able
- to run in parallel, continuing the work from change
- #4895. To take advantage of this, use "make -jN check",
- where N is the number of processors to use. [GL #91]
-
-4898. [func] Remove libseccomp based system-call filtering. [GL #93]
-
-4897. [test] Update to rpz system test so that it doesn't recurse.
- [GL #68]
-
-4896. [test] cacheclean system test was not robust. [GL #82]
-
-4895. [test] Allow some system tests to run in parallel.
- [RT #46602]
-
-4894. [bug] named could crash while rolling a dnstap output file.
- [RT #46942]
-
-4893. [bug] Address various issues reported by cppcheck. [GL #51]
-
-4892. [bug] named could leak memory when "rndc reload" was invoked
- before all zone loading actions triggered by a previous
- "rndc reload" command were completed. [RT #47076]
-
-4891. [placeholder]
-
-4890. [func] Remove unused ondestroy callback from libisc.
- [isc-projects/bind9!3]
-
-4889. [func] Warn about the use of old root keys without the new
- root key being present. Warn about dlv.isc.org's
- key being present. Warn about both managed and
- trusted root keys being present. [RT #43670]
-
-4888. [test] Initialize sockets correctly in sample-update so
- that the nsupdate system test will run on Windows.
- [RT #47097]
-
-4887. [test] Enable the rpzrecurse test to run on Windows.
- [RT #47093]
-
-4886. [doc] Document dig -u in manpage. [RT #47150]
-
-4885. [security] update-policy rules that otherwise ignore the name
- field now require that it be set to "." to ensure
- that any type list present is properly interpreted.
- [RT #47126]
-
-4884. [bug] named could crash on shutdown due to a race between
- shutdown_server() and ns__client_request(). [RT #47120]
-
-4883. [cleanup] Improved debugging output from dnssec-cds. [RT #47026]
-
-4882. [bug] Address potential memory leak in
- dns_update_signaturesinc. [RT #47084]
-
-4881. [bug] Only include dst_openssl.h when OpenSSL is required.
- [RT #47068]
-
-4880. [bug] Named wasn't returning the target of a cross-zone
- CNAME between two served zones when recursion was
- desired and available (RD=1, RA=1). (When this is
- not the case, the CNAME target is deliberately
- withheld to prevent accidental cache poisoning.)
- [RT #47078]
-
-4879. [bug] dns_rdata_caa:value_len field was too small.
- [RT #47086]
-
-4878. [bug] List 'ply' as a requirement for the 'isc' python
- package. [RT #47065]
-
-4877. [bug] Address integer overflow when exponentially
- backing off retry intervals. [RT #47041]
-
-4876. [bug] Address deadlock with accessing a keytable. [RT #47000]
-
-4875. [bug] Address compile failures on older systems. [RT #47015]
-
-4874. [bug] Wrong time display when reporting new keywarntime.
- [RT #47042]
-
-4873. [doc] Grammars for named.conf included in the ARM are now
- automatically generated by the configuration parser
- itself. As a side effect of the work needed to
- separate zone type grammars from each other, this
- also makes checking of zone statements in
- named-checkconf more correct and consistent.
- [RT #36957]
-
-4872. [bug] Don't permit loading meta RR types such as TKEY
- from master files. [RT #47009]
-
-4871. [bug] Fix configure glitch in detecting stdatomic.h
- support on systems with multiple compilers.
- [RT #46959]
-
-4870. [test] Update included ATF library to atf-0.21 preserving
- the ATF tool. [RT #46967]
-
-4869. [bug] Address some cases where NULL with zero length could
- be passed to memmove which is undefined behavior and
- can lead to bad optimization. [RT #46888]
-
-4868. [func] dnssec-keygen can no longer generate HMAC keys.
- Use tsig-keygen instead. [RT #46404]
-
-4867. [cleanup] Normalize rndc on/off commands (validation,
- querylog, serve-stale) so they all accept the
- same synonyms for on/off (yes/no, true/false,
- enable/disable). Thanks to Tony Finch. [RT #47022]
-
-4866. [port] DST library initialization verifies MD5 (when MD5
- was not disabled) and SHA-1 hash and HMAC support.
- [RT #46764]
-
-4865. [cleanup] Simplify handling isc_socket_sendto2() return values.
- [RT #46986]
-
-4864. [bug] named acting as a slave for a catalog zone crashed if
- the latter contained a master definition without an IP
- address. [RT #45999]
-
-4863. [bug] Fix various other bugs reported by Valgrind's
- memcheck tool. [RT #46978]
-
-4862. [bug] The rdata flags for RRSIG were not being properly set
- when constructing a rdataslab. [RT #46978]
-
-4861. [bug] The isc_crc64 unit test was not endian independent.
- [RT #46973]
-
-4860. [bug] isc_int8_t should be signed char. [RT #46973]
-
-4859. [bug] A loop was possible when attempting to validate
- unsigned CNAME responses from secure zones;
- this caused a delay in returning SERVFAIL and
- also increased the chances of encountering
- CVE-2017-3145. [RT #46839]
-
-4858. [security] Addresses could be referenced after being freed
- in resolver.c, causing an assertion failure.
- (CVE-2017-3145) [RT #46839]
-
-4857. [bug] Maintain attach/detach semantics for event->db,
- event->node, event->rdataset and event->sigrdataset
- in query.c. [RT #46891]
-
-4856. [bug] 'rndc zonestatus' reported the wrong underlying type
- for a inline slave zone. [RT #46875]
-
-4855. [bug] isc_time_formatshorttimestamp produced incorrect
- output. [RT #46938]
-
-4854. [bug] query_synthcnamewildcard should stop generating the
- response if query_synthwildcard fails. [RT #46939]
-
-4853. [bug] Add REQUIRE's and INSIST's to isc_time_formatISO8601L
- and isc_time_formatISO8601Lms. [RT #46916]
-
-4852. [bug] Handle strftime() failing in isc_time_formatISO8601ms.
- Add REQUIRE's and INSIST's to isc_time_formattimestamp,
- isc_time_formathttptimestamp, isc_time_formatISO8601,
- isc_time_formatISO8601ms. [RT #46892]
-
-4851. [port] Support using kyua as well as atf-run to run the unit
- tests. [RT #46853]
-
-4850. [bug] Named failed to restart with multiple added zones in
- lmdb database. [RT #46889]
-
-4849. [bug] Duplicate zones could appear in the .nzf file if
- addzone failed. [RT #46435]
-
-4848. [func] Zone types "primary" and "secondary" can now be used
- as synonyms for "master" and "slave" in named.conf.
- [RT #46713]
-
-4847. [bug] dnssec-dnskey-kskonly was not being honored for
- CDS and CDNSKEY. [RT #46755]
-
-4846. [test] Adjust timing values in runtime system test. Address
- named.pid removal races in runtime system test.
- [RT #46800]
-
-4845. [bug] Dig (non iOS) should exit on malformed names.
- [RT #46806]
-
-4844. [test] Address memory leaks in libatf-c. [RT #46798]
-
-4843. [bug] dnssec-signzone free hashlist on exit. [RT #46791]
-
-4842. [bug] Conditionally compile opensslecdsa_link.c to avoid
- warnings about unused function. [RT #46790]
-
- --- 9.12.0rc1 released ---
-
-4841. [bug] Address -fsanitize=undefined warnings. [RT #46786]
-
-4840. [test] Add tests to cover fallback to using ZSK on inactive
- KSK. [RT #46787]
-
-4839. [bug] zone.c:zone_sign was not properly determining
- if there were active KSK and ZSK keys for
- a algorithm when update-check-ksk is true
- (default) leaving records unsigned with one or
- more DNSKEY algorithms. [RT #46774]
-
-4838. [bug] zone.c:add_sigs was not properly determining
- if there were active KSK and ZSK keys for
- a algorithm when update-check-ksk is true
- (default) leaving records unsigned with one or
- more DNSKEY algorithms. [RT #46754]
-
-4837. [bug] dns_update_signatures{inc} (add_sigs) was not
- properly determining if there were active KSK and
- ZSK keys for a algorithm when update-check-ksk is
- true (default) leaving records unsigned when there
- were multiple DNSKEY algorithms for the zone.
- [RT #46743]
-
-4836. [bug] Zones created using "rndc addzone" could
- temporarily fail to inherit an "allow-transfer"
- ACL that had been configured in the options
- statement. [RT #46603]
-
-4835. [cleanup] Clean up and refactor LMDB-related code. [RT #46718]
-
-4834. [port] Fix LMDB support on OpenBSD. [RT #46718]
-
-4833. [bug] isc_event_free should check that the event is not
- linked when called. [RT #46725]
-
-4832. [bug] Events were not being removed from zone->rss_events.
- [RT #46725]
-
-4831. [bug] Convert the RRSIG expirytime to 64 bits for
- comparisons in diff.c:resign. [RT #46710]
-
-4830. [bug] Failure to configure ATF when requested did not cause
- an error in top-level configure script. [RT #46655]
-
-4829. [bug] isc_heap_delete did not zero the index value when
- the heap was created with a callback to do that.
- [RT #46709]
-
-4828. [bug] Do not use thread-local storage for storing LMDB reader
- locktable slots. [RT #46556]
-
-4827. [misc] Add a precommit check script util/checklibs.sh
- [RT #46215]
-
-4826. [cleanup] Prevent potential build failures in bin/confgen/ and
- bin/named/ when using parallel make. [RT #46648]
-
-4825. [bug] Prevent a bogus "error during managed-keys processing
- (no more)" warning from being logged. [RT #46645]
-
-4824. [port] Add iOS hooks to dig. [RT #42011]
-
-4823. [test] Refactor reclimit system test to improve its
- reliability and speed. [RT #46632]
-
-4822. [bug] Use resign_sooner in dns_db_setsigningtime. [RT #46473]
-
-4821. [bug] When resigning ensure that the SOA's expire time is
- always later that the resigning time of other records.
- [RT #46473]
-
-4820. [bug] dns_db_subtractrdataset should transfer the resigning
- information to the new header. [RT #46473]
-
-4819. [bug] Fully backout the transaction when adding a RRset
- to the resigning / removal heaps fails. [RT #46473]
-
-4818. [test] The logfileconfig system test could intermittently
- report false negatives on some platforms. [RT #46615]
-
-4817. [cleanup] Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
- [RT #45433]
-
-4816. [bug] Don't use a common array for storing EDNS options
- in DiG as it could fill up. [RT #45611]
-
-4815. [bug] rbt_test.c:insert_and_delete needed to call
- dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
-
-4814. [cleanup] Use AS_HELP_STRING for consistent help text. [RT #46521]
-
-4813. [bug] Address potential read after free errors from
- query_synthnodata, query_synthwildcard and
- query_synthnxdomain. [RT #46547]
-
-4812. [bug] Minor improvements to stability and consistency of code
- handling managed keys. [RT #46468]
-
-4811. [bug] Revert api changes to use <isc/buffer.h> inline
- macros. Provide a alternative mechanism to turn
- on the use of inline macros when building BIND.
- [RT #46520]
-
-4810. [test] The chain system test failed if the IPv6 interfaces
- were not configured. [RT #46508]
-
- --- 9.12.0b2 released ---
-
-4809. [port] Check at configure time whether -latomic is needed
- for stdatomic.h. [RT #46324]
-
-4808. [bug] Properly test for zlib.h. [RT #46504]
-
-4807. [cleanup] isc_rng_randombytes() returns a specified number of
- bytes from the PRNG; this is now used instead of
- calling isc_rng_random() multiple times. [RT #46230]
-
-4806. [func] Log messages related to loading of zones are now
- directed to the "zoneload" logging category.
- [RT #41640]
-
-4805. [bug] TCP4Active and TCP6Active weren't being updated
- correctly. [RT #46454]
-
-4804. [port] win32: access() does not work on directories as
- required by POSIX. Supply a alternative in
- isc_file_isdirwritable. [RT #46394]
-
-4803. [placeholder]
-
-4802. [test] Refactor mkeys system test to make it quicker and more
- reliable. [RT #45293]
-
-4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
- trust-anchor dlv.isc.org;' now elicit warnings rather
- than being fatal configuration errors. [RT #46410]
-
-4800. [bug] When processing delzone, write one zone config per
- line to the NZF. [RT #46323]
-
-4799. [cleanup] Improve clarity of keytable unit tests. [RT #46407]
-
-4798. [func] Keys specified in "managed-keys" statements
- are tagged as "initializing" until they have been
- updated by a key refresh query. If initialization
- fails it will be visible from "rndc secroots".
- [RT #46267]
-
-4797. [func] Removed "isc-hmac-fixup", as the versions of BIND that
- had the bug it worked around are long past end of
- life. [RT #46411]
-
-4796. [bug] Increase the maximum configurable TCP keepalive
- timeout to 65535. [RT #44710]
-
-4795. [func] A new statistics counter has been added to track
- priming queries. [RT #46313]
-
-4794. [func] "dnssec-checkds -s" specifies a file from which
- to read a DS set rather than querying the parent.
- [RT #44667]
-
-4793. [bug] nsupdate -[46] could overflow the array of server
- addresses. [RT #46402]
-
-4792. [bug] Fix map file header correctness check. [RT #38418]
-
-4791. [doc] Fixed outdated documentation about export libraries.
- [RT #46341]
-
-4790. [bug] nsupdate could trigger a require when sending a
- update to the second address of the server.
- [RT #45731]
-
-4789. [cleanup] Check writability of new-zones-directory. [RT #46308]
-
-4788. [cleanup] When using "update-policy local", log a warning
- when an update matching the session key is received
- from a remote host. [RT #46213]
-
-4787. [cleanup] Turn nsec3param_salt_totext() into a public function,
- dns_nsec3param_salttotext(), and add unit tests for it.
- [RT #46289]
-
-4786. [func] The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
- options are no longer conditionally compiled.
- [RT #46340]
-
-4785. [func] The hmac-md5 algorithm is no longer recommended for
- use with RNDC keys. The default in rndc-confgen
- is now hmac-sha256. [RT #42272]
-
-4784. [func] The use of dnssec-keygen to generate HMAC keys is
- deprecated in favor of tsig-keygen. dnssec-keygen
- will print a warning when used for this purpose.
- All HMAC algorithms will be removed from
- dnssec-keygen in a future release. [RT #42272]
-
-4783. [test] dnssec: 'check that NOTIFY is sent at the end of
- NSEC3 chain generation failed' required more time
- on some machines for the IXFR to complete. [RT #46388]
-
-4782. [test] dnssec: 'checking positive and negative validation
- with negative trust anchors' required more time to
- complete on some machines. [RT #46386]
-
-4781. [maint] B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
-
-4780. [bug] When answering ANY queries, don't include the NS
- RRset in the authority section if it was already
- in the answer section. [RT #44543]
-
-4779. [bug] Expire NTA at the start of the second. Don't update
- the expiry value if the record has already expired
- after a successful check. [RT #46368]
-
-4778. [test] Improve synth-from-dnssec testing. [RT #46352]
-
-4777. [cleanup] Removed a redundant call to configure_view_acl().
- [RT #46369]
-
-4776. [bug] Improve portability of ht_test. [RT #46333]
-
-4775. [bug] Address Coverity warnings in ht_test.c and mem_test.c
- [RT #46281]
-
-4774. [bug] <isc/util.h> was incorrectly included in several
- header files. [RT #46311]
-
-4773. [doc] Fixed generating Doxygen documentation for functions
- annotated using certain macros. Miscellaneous
- Doxygen-related cleanups. [RT #46276]
-
- --- 9.12.0b1 released ---
-
-4772. [test] Expanded unit testing framework for libns, using
- hooks to interrupt query flow and inspect state
- at specified locations. [RT #46173]
-
-4771. [bug] When sending RFC 5011 refresh queries, disregard
- cached DNSKEY rrsets. [RT #46251]
-
-4770. [bug] Cache additional data from priming queries as glue.
- Previously they were ignored as unsigned
- non-answer data from a secure zone, and never
- actually got added to the cache, causing hints
- to be used frequently for root-server
- addresses, which triggered re-priming. [RT #45241]
-
-4769. [func] The working directory and managed-keys directory has
- to be writeable (and seekable). [RT #46077]
-
-4768. [func] By default, memory is no longer filled with tag values
- when it is allocated or freed; this improves
- performance but makes debugging of certain memory
- issues more difficult. "named -M fill" turns memory
- filling back on. (Building "configure
- --enable-developer", turns memory fill on by
- default again; it can then be disabled with
- "named -M nofill".) [RT #45123]
-
-4767. [func] Add a new function, isc_buffer_printf(), which can be
- used to append a formatted string to the used region of
- a buffer. [RT #46201]
-
-4766. [cleanup] Address Coverity warnings. [RT #46150]
-
-4765. [bug] Address potential INSIST in dnssec-cds. [RT #46150]
-
-4764. [bug] Address portability issues in cds system test.
- [RT #46214]
-
-4763. [contrib] Improve compatibility when building MySQL DLZ
- module by using mysql_config if available.
- [RT #45558]
-
-4762. [func] "update-policy local" is now restricted to updates
- from local addresses. (Previously, other addresses
- were allowed so long as updates were signed by the
- local session key.) [RT #45492]
-
-4761. [protocol] Add support for DOA. [RT #45612]
-
-4760. [func] Add glue cache statistics counters. [RT #46028]
-
-4759. [func] Add logging channel "trust-anchor-telemetry" to
- record trust-anchor-telemetry in incoming requests.
- Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
- are logged. [RT #46124]
-
-4758. [doc] Remove documentation of unimplemented "topology".
- [RT #46161]
-
-4757. [func] New "dnssec-cds" command creates a new parent DS
- RRset based on CDS or CDNSKEY RRsets found in
- a child zone, and generates either a dsset file
- or stream of nsupdate commands to update the
- parent. Thanks to Tony Finch. [RT #46090]
-
-4756. [bug] Interrupting dig could lead to an INSIST failure after
- certain errors were encountered while querying a host
- whose name resolved to more than one address. Change
- 4537 increased the odds of triggering this issue by
- causing dig to hang indefinitely when certain error
- paths were evaluated. dig now also retries TCP queries
- (once) if the server gracefully closes the connection
- before sending a response. [RT #42832, #45159]
-
-4755. [cleanup] Silence unnecessary log message when NZF file doesn't
- exist. [RT #46186]
-
-4754. [bug] dns_zone_setview needs a two stage commit to properly
- handle errors. [RT #45841]
-
-4753. [contrib] Software obtainable from known upstream locations
- (i.e., zkt, nslint, query-loc) has been removed.
- Links to these and other packages can be found at
- https://www.isc.org/community/tools [RT #46182]
-
-4752. [test] Add unit test for isc_net_pton. [RT #46171]
-
-4751. [func] "dnssec-signzone -S" can now automatically add parent
- synchronization records (CDS and CDNSKEY) according
- to key metadata set using the -Psync and -Dsync
- options to dnssec-keygen and dnssec-settime.
- [RT #46149]
-
-4750. [func] "rndc managed-keys destroy" shuts down RFC 5011 key
- maintenance and deletes the managed-keys database.
- If followed by "rndc reconfig" or a server restart,
- key maintenance is reinitialized from scratch.
- This is primarily intended for testing. [RT #32456]
-
-4749. [func] The ISC DLV service has been shut down, and all
- DLV records have been removed from dlv.isc.org.
- - Removed references to ISC DLV in documentation
- - Removed DLV key from bind.keys
- - No longer use ISC DLV by default in delv
- - "dnssec-lookaside auto" and configuration of
- "dnssec-lookaide" with dlv.isc.org as the trust
- anchor are both now fatal errors.
- [RT #46155]
-
-4748. [cleanup] Sprintf to snprintf coversions. [RT #46132]
-
-4747. [func] Synthesis of responses from DNSSEC-verified records.
- Stage 3 - synthesize NODATA responses. [RT #40138]
-
-4746. [cleanup] Add configured prefixes to configure summary
- output. [RT #46153]
-
-4745. [test] Add color-coded pass/fail messages to system
- tests when running on terminals that support them.
- [RT #45977]
-
-4744. [bug] Suppress trust-anchor-telemetry queries if
- validation is disabled. [RT #46131]
-
-4743. [func] Exclude trust-anchor-telemetry queries from
- synth-from-dnssec processing. [RT #46123]
-
-4742. [func] Synthesis of responses from DNSSEC-verified records.
- Stage 2 - synthesis of records from wildcard data.
- If the dns64 or filter-aaaa* is configured then the
- involved lookups are currently excluded. [RT #40138]
-
-4741. [bug] Make isc_refcount_current() atomically read the
- counter value. [RT #46074]
-
-4740. [cleanup] Avoid triggering format-truncated warnings. [RT #46107]
-
-4739. [cleanup] Address clang static analysis warnings. [RT #45952]
-
-4738. [port] win32: strftime mishandles %Z. [RT #46039]
-
-4737. [cleanup] Address Coverity warnings. [RT #46012]
-
-4736. [cleanup] (a) Added comments to NSEC3-related functions in
- lib/dns/zone.c. (b) Refactored NSEC3 salt formatting
- code. (c) Minor tweaks to lock and result handling.
- [RT #46053]
-
-4735. [bug] Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
-
-4734. [contrib] Added sample configuration for DNS-over-TLS in
- contrib/dnspriv.
-
-4733. [bug] Change #4706 introduced a bug causing TCP clients
- not be reused correctly, leading to unconstrained
- memory growth. [RT #46029]
-
-4732. [func] Change default minimal-responses setting to
- no-auth-recursive. [RT #46016]
-
-4731. [bug] Fix use after free when closing an LMDB. [RT #46000]
-
-4730. [bug] Fix out of bounds access in DHCID totext() method.
- [RT #46001]
-
-4729. [bug] Don't use memset() to wipe memory, as it may be
- removed by compiler optimizations when the
- memset() occurs on automatic stack allocation
- just before function return. [RT #45947]
-
-4728. [func] Use C11's stdatomic.h instead of isc_atomic
- where available. [RT #40668]
-
-4727. [bug] Retransferring an inline-signed slave using NSEC3
- around the time its NSEC3 salt was changed could result
- in an infinite signing loop. [RT #45080]
-
-4726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN
- from being logged on FreeBSD if the kernel does not
- support it. Notify the user when the kernel does
- support TCP_FASTOPEN, but it is disabled by sysctl.
- Add a new configure option, --disable-tcp-fastopen, to
- disable use of TCP_FASTOPEN altogether. [RT #44754]
-
-4725. [bug] Nsupdate: "recvsoa" was incorrectly reported for
- failures in sending the update message. The correct
- location to be reported is "update_completed".
- [RT #46014]
-
-4724. [func] By default, BIND now uses the random number
- functions provided by the crypto library (i.e.,
- OpenSSL or a PKCS#11 provider) as a source of
- randomness rather than /dev/random. This is
- suitable for virtual machine environments
- which have limited entropy pools and lack
- hardware random number generators.
-
- This can be overridden by specifying another
- entropy source via the "random-device" option
- in named.conf, or via the -r command line option;
- however, for functions requiring full cryptographic
- strength, such as DNSSEC key generation, this
- cannot be overridden. In particular, the -r
- command line option no longer has any effect on
- dnssec-keygen.
-
- This can be disabled by building with
- "configure --disable-crypto-rand".
- [RT #31459] [RT #46047]
-
-4723. [bug] Statistics counter DNSTAPdropped was misidentified
- as DNSSECdropped. [RT #46002]
-
-4722. [cleanup] Clean up uses of strcpy() and strcat() in favor of
- strlcpy() and strlcat() for safety. [RT #45981]
-
-4721. [func] 'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
- options now apply to CDNSKEY and DS records as well
- as DNSKEY. Thanks to Tony Finch. [RT #45689]
-
-4720. [func] Added a statistics counter to track prefetch
- queries. [RT #45847]
-
-4719. [bug] Address PVS static analyzer warnings. [RT #45946]
-
-4718. [func] Avoid searching for a owner name compression pointer
- more than once when writing out a RRset. [RT #45802]
-
-4717. [bug] Treat replies with QCOUNT=0 as truncated if TC=1,
- FORMERR if TC=0, and log the error correctly.
- [RT #45836]
-
-4716. [placeholder]
-
- --- 9.12.0a1 released ---
-
-4715. [bug] TreeMemMax was mis-identified as a second HeapMemMax
- in the Json cache statistics. [RT #45980]
-
-4714. [port] openbsd/libressl: add support for building with
- --enable-openssl-hash. [RT #45982]
-
-4713. [func] Added support for the DNS Response Policy Service
- (DNSRPS) API, which allows named to use an external
- response policy daemon when built with
- "configure --enable-dnsrps". Thanks to Farsight
- Security. [RT #43376]
-
-4712. [bug] "dig +domain" and "dig +search" didn't retain the
- search domain when retrying with TCP. [RT #45547]
-
-4711. [test] Some RR types were missing from genzones.sh.
- [RT #45782]
-
-4710. [cleanup] Changed the --enable-openssl-hash default to yes.
- [RT #45019]
-
-4709. [cleanup] Use dns_name_fullhash() to hash names for RRL.
- [RT #45435]
-
-4708. [cleanup] Legacy Windows builds (i.e. for XP and earlier)
- are no longer supported. [RT #45186]
-
-4707. [func] The lightweight resolver daemon and library (lwresd
- and liblwres) have been removed. [RT #45186]
-
-4706. [func] Code implementing name server query processing has
- been moved from bin/named to a new library "libns".
- Functions remaining in bin/named are now prefixed
- with "named_" rather than "ns_". This will make it
- easier to write unit tests for name server code, or
- link name server functionality into new tools.
- [RT #45186]
-
-4705. [placeholder]
-
-4704. [cleanup] Silence Visual Studio compiler warnings. [RT #45898]
-
-4703. [bug] BINDInstall.exe was missing some buffer length checks.
- [RT #45898]
-
-4702. [func] Update function declarations to use
- dns_masterstyle_flags_t for style flags. [RT #45924]
-
-4701. [cleanup] Refactored lib/dns/tsig.c to reduce code
- duplication and simplify the disabling of MD5.
- [RT #45490]
-
-4700. [func] Serving of stale answers is now supported. This
- allows named to provide stale cached answers when
- the authoritative server is under attack.
- See max-stale-ttl, stale-answer-enable,
- stale-answer-ttl. [RT #44790]
-
-4699. [func] Multiple cookie-secret clauses can now be specified.
- The first one specified is used to generate new
- server cookies. [RT #45672]
-
-4698. [port] Add --with-python-install-dir configure option to allow
- specifying a nonstandard installation directory for
- Python modules. [RT #45407]
-
-4697. [bug] Restore workaround for Microsoft Windows TSIG hash
- computation bug. [RT #45854]
-
-4696. [port] Enable filter-aaaa support by default on Windows
- builds. [RT #45883]
-
-4695. [bug] cookie-secrets were not being properly checked by
- named-checkconf. [RT #45886]
-
-4694. [func] dnssec-keygen no longer uses RSASHA1 by default;
- the signing algorithm must be specified on
- the command line with the "-a" option. Signing
- scripts that rely on the existing default behavior
- will break; use "dnssec-keygen -a RSASHA1" to
- repair them. (The goal of this change is to make
- it easier to find scripts using RSASHA1 so they
- can be changed in the event of that algorithm
- being deprecated in the future.) [RT #44755]
-
-4693. [func] Synthesis of responses from DNSSEC-verified records.
- Stage 1 covers NXDOMAIN synthesis from NSEC records.
- This is controlled by synth-from-dnssec and is enabled
- by default. [RT #40138]
-
-4692. [bug] Fix build failures with libressl introduced in 4676.
- [RT #45879]
-
-4691. [func] Add -4/-6 command line options to nsupdate and rndc.
- [RT #45632]
-
-4690. [bug] Command line options -4/-6 were handled inconsistently
- between tools. [RT #45632]
-
-4689. [cleanup] Turn on minimal responses for CDNSKEY and CDS in
- addition to DNSKEY and DS. Thanks to Tony Finch.
- [RT #45690]
-
-4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in
- messages. [RT #44804]
-
-4687. [func] Refactor tracklines code. [RT #45126]
-
-4686. [bug] dnssec-settime -p could print a bogus warning about
- key deletion scheduled before its inactivation when a
- key had an inactivation date set but no deletion date
- set. [RT #45807]
-
-4685. [bug] dnssec-settime incorrectly calculated publication and
- activation dates for a successor key. [RT #45806]
-
-4684. [bug] delv could send bogus DNS queries when an explicit
- server address was specified on the command line along
- with -4/-6. [RT #45804]
-
-4683. [bug] Prevent nsupdate from immediately exiting on invalid
- user input in interactive mode. [RT #28194]
-
-4682. [bug] Don't report errors on records below a DNAME.
- [RT #44880]
-
-4681. [bug] Log messages from the validator now include the
- associated view unless the view is "_default/IN"
- or "_dnsclient/IN". [RT #45770]
-
-4680. [bug] Fix failing over to another master server address when
- nsupdate is used with GSS-API. [RT #45380]
-
-4679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record
- not at top of zone and -o is not used. [RT #45519]
-
-4678. [bug] geoip-use-ecs has the wrong type when geoip support
- is disabled at configure time. [RT #45763]
-
-4677. [cleanup] Split up the main function in dig to better support
- the iOS app version. [RT #45508]
-
-4676. [cleanup] Allow BIND to be built using OpenSSL 1.0.X with
- deprecated functions removed. [RT #45706]
-
-4675. [cleanup] Don't use C++ keyword class. [RT #45726]
-
-4674. [func] "dig +sigchase", and related options "+topdown" and
- "+trusted-keys", have been removed. Use "delv" for
- queries with DNSSEC validation. [RT #42793]
-
-4673. [port] Silence GCC 7 warnings. [RT #45592]
-
-4672. [placeholder]
-
-4671. [bug] Fix a race condition that could cause the
- resolver to crash with assertion failure when
- chasing DS in specific conditions with a very
- short RTT to the upstream nameserver. [RT #45168]
-
-4670. [cleanup] Ensure that a request MAC is never sent back
- in an XFR response unless the signature was
- verified. [RT #45494]
-
-4669. [func] Iterative query logic in resolver.c has been
- refactored into smaller functions and commented,
- for improved readability, maintainability and
- testability. [RT #45362]
-
-4668. [bug] Use localtime_r and gmtime_r for thread safety.
- [RT #45664]
-
-4667. [cleanup] Refactor RDATA unit tests. [RT #45610]
-
-4666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9)
- could cause a parser error when reading the policy
- file. This now works correctly so long as the domain
- name is quoted. [RT #45641]
-
-4665. [protocol] Added support for ED25519 and ED448 DNSSEC signing
- algorithms (RFC 8080). (Note: these algorithms
- depend on code currently in the development branch
- of OpenSSL which has not yet been released.)
- [RT #44696]
-
-4664. [func] Add a "glue-cache" option to enable or disable the
- glue cache. The default is "yes". [RT #45125]
-
-4663. [cleanup] Clarify error message printed by dnssec-dsfromkey.
- [RT #21731]
-
-4662. [performance] Improve cache memory cleanup of zero TTL records
- by putting them at the tail of LRU header lists.
- [RT #45274]
-
-4661. [bug] A race condition could occur if a zone was reloaded
- while resigning, triggering a crash in
- rbtdb.c:closeversion(). [RT #45276]
-
-4660. [bug] Remove spurious "peer" from Windows socket log
- messages. [RT #45617]
-
-4659. [bug] Remove spurious log message about lmdb-mapsize
- not being supported when parsing builtin
- configuration file. [RT #45618]
-
-4658. [bug] Clean up build directory created by "setup.py install"
- immediately. [RT #45628]
-
-4657. [bug] rrchecker system test result could be improperly
- determined. [RT #45602]
-
-4656. [bug] Apply "port" and "dscp" values specified in catalog
- zone's "default-masters" option to the generated
- configuration of its member zones. [RT #45545]
-
-4655. [bug] Lack of seccomp could be falsely reported. [RT #45599]
-
-4654. [cleanup] Don't use C++ keywords delete, new and namespace.
- [RT #45538]
-
-4653. [bug] Reorder includes to move @DST_OPENSSL_INC@ and
- @ISC_OPENSSL_INC@ after shipped include directories.
- [RT #45581]
-
-4652. [bug] Nsupdate could attempt to use a zeroed address on
- server timeout. [RT #45417]
-
-4651. [test] Silence coverity warnings in tsig_test.c. [RT #45528]
-
-4650. [placeholder]
-
-4649. [bug] The wrong zone was logged when a catalog zone is added.
- [RT #45520]
-
-4648. [bug] "rndc reconfig" on a slave no longer causes all member
- zones of configured catalog zones to be removed from
- configuration. [RT #45310]
-
-4647. [bug] Change 4643 broke verification of TSIG signed TCP
- message sequences where not all the messages contain
- TSIG records. These may be used in AXFR and IXFR
- responses. [RT #45509]
-
-4646. [placeholder]
-
-4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled.
- [RT #45300]
-
-4644. [placeholder]
-
-4643. [security] An error in TSIG handling could permit unauthorized
- zone transfers or zone updates. (CVE-2017-3142)
- (CVE-2017-3143) [RT #45383]
-
-4642. [cleanup] Add more logging of RFC 5011 events affecting the
- status of managed keys: newly observed keys,
- deletion of revoked keys, etc. [RT #45354]
-
-4641. [cleanup] Parallel builds (make -j) could fail with --with-atf /
- --enable-developer. [RT #45373]
-
-4640. [bug] If query_findversion failed in query_getdb due to
- memory failure the error status was incorrectly
- discarded. [RT #45331]
-
-4639. [bug] Fix a regression in --with-tuning reporting introduced
- by change 4488. [RT #45396]
-
-4638. [bug] Reloading or reconfiguring named could fail on
- some platforms when LMDB was in use. [RT #45203]
-
-4637. [func] "nsec3hash -r" option ("rdata order") takes arguments
- in the same order as they appear in NSEC3 or
- NSEC3PARAM records, so that NSEC3 parameters can
- be cut and pasted from an existing record. Thanks
- to Tony Finch for the contribution. [RT #45183]
-
-4636. [bug] Normalize rpz policy zone names when checking for
- existence. [RT #45358]
-
-4635. [bug] Fix RPZ NSDNAME logging that was logging
- failures as NSIP. [RT #45052]
-
-4634. [contrib] check5011.pl needs to handle optional space before
- semi-colon in +multi-line output. [RT #45352]
-
-4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
-
-4632. [security] The BIND installer on Windows used an unquoted
- service path, which can enable privilege escalation.
- (CVE-2017-3141) [RT #45229]
-
-4631. [security] Some RPZ configurations could go into an infinite
- query loop when encountering responses with TTL=0.
- (CVE-2017-3140) [RT #45181]
-
-4630. [bug] "dyndb" is dependent on dlopen existing / being
- enabled. [RT #45291]
-
-4629. [bug] dns_client_startupdate could not be called with a
- running client. [RT #45277]
-
-4628. [bug] Fixed a potential reference leak in query_getdb().
- [RT #45247]
-
-4627. [placeholder]
-
-4626. [test] Added more tests for handling of different record
- ordering in CNAME and DNAME responses. [QA #430]
-
-4625. [bug] Running "rndc addzone" and "rndc delzone" at close
- to the same time could trigger a deadlock if using
- LMDB. [RT #45209]
-
-4624. [placeholder]
-
-4623. [bug] Use --with-protobuf-c and --with-libfstrm to find
- protoc-c and fstrm_capture. [RT #45187]
-
-4622. [bug] Remove unnecessary escaping of semicolon in CAA and
- URI records. [RT #45216]
-
-4621. [port] Force alignment of oid arrays to silence loader
- warnings. [RT #45131]
-
-4620. [port] Handle EPFNOSUPPORT being returned when probing
- to see if a socket type is supported. [RT #45214]
-
-4619. [bug] Call isc_mem_put instead of isc_mem_free in
- bin/named/server.c:setup_newzones. [RT #45202]
-
-4618. [bug] Check isc_mem_strdup results in dns_view_setnewzones.
- Add logging for lmdb call failures. [RT #45204]
-
-4617. [test] Update rndc system test to be more delay tolerant.
- [RT #45177]
-
-4616. [bug] When using LMDB, zones deleted using "rndc delzone"
- were not correctly removed from the new-zone
- database. [RT #45185]
-
-4615. [bug] AD could be set on truncated answer with no records
- present in the answer and authority sections.
- [RT #45140]
-
-4614. [test] Fixed an error in the sockaddr unit test. [RT #45146]
-
-4613. [func] By default, the maximum size of a zone journal file
- is now twice the size of the zone's contents (there
- is little benefit to a journal larger than this).
- This can be overridden by setting "max-journal-size"
- to "unlimited" or to an explicit value up to 2G.
- Thanks to Tony Finch. [RT #38324]
-
-4612. [bug] Silence 'may be use uninitalised' warning and simplify
- the code in lwres/getaddinfo:process_answer.
- [RT #45158]
-
-4611. [bug] The default LMDB mapsize was too low and caused
- errors after few thousand zones were added using
- rndc addzone. A new config option "lmdb-mapsize"
- has been introduced to configure the LMDB
- mapsize depending on operational needs.
- [RT #44954]
-
-4610. [func] The "new-zones-directory" option specifies the
- location of NZF or NZD files for storing
- configuration of zones added by "rndc addzone".
- Thanks to Petr Menšík. [RT #44853]
-
-4609. [cleanup] Rearrange makefiles to enable parallel execution
- (i.e. "make -j"). [RT #45078]
-
-4608. [func] DiG now warns about .local queries which are reserved
- for Multicast DNS. [RT #44783]
-
-4607. [bug] The memory context's malloced and maxmalloced counters
- were being updated without the appropriate lock being
- held. [RT #44869]
-
-4606. [port] Stop using experimental "Experimental keys on scalar"
- feature of perl as it has been removed. [RT #45012]
-
-4605. [performance] Improve performance for delegation heavy answers
- and also general query performance. Removes the
- acache feature that didn't significantly improve
- performance. Adds a glue cache. Removes
- additional-from-cache and additional-from-auth
- features. Enables minimal-responses by
- default. Improves performance of compression
- code, owner case restoration, hash function,
- etc. Uses inline buffer implementation by
- default. Many other performance changes and fixes.
- [RT #44029]
-
-4604. [bug] Don't use ERR_load_crypto_strings() when building
- with OpenSSL 1.1.0. [RT #45117]
-
-4603. [doc] Automatically generate named.conf(5) man page
- from doc/misc/options. Thanks to Tony Finch.
- [RT #43525]
-
-4602. [func] Threads are now set to human-readable
- names to assist debugging, when supported by
- the OS. [RT #43234]
-
-4601. [bug] Reject incorrect RSA key lengths during key
- generation and and sign/verify context
- creation. [RT #45043]
-
-4600. [bug] Adjust RPZ trigger counts only when the entry
- being deleted exists. [RT #43386]
-
-4599. [bug] Fix inconsistencies in inline signing time
- comparison that were introduced with the
- introduction of rdatasetheader->resign_lsb.
- [RT #42112]
-
-4598. [func] Update fuzzing code to (1) reply to a DNSKEY
- query from named with appropriate DNSKEY used in
- fuzzing; (2) patch the QTYPE correctly in
- resolver fuzzing; (3) comment things so the rest
- of us are able to understand how fuzzing is
- implemented in named; (4) Coding style changes,
- cleanup, etc. [RT #44787]
-
-4597. [bug] The validator now ignores SHA-1 DS digest type
- when a DS record with SHA-384 digest type is
- present and is a supported digest type.
- [RT #45017]
-
-4596. [bug] Validate glue before adding it to the additional
- section. This also fixes incorrect TTL capping
- when the RRSIG expired earlier than the TTL.
- [RT #45062]
-
-4595. [func] dnssec-keygen will no longer generate RSA keys
- less than 1024 bits in length. dnssec-keymgr
- was similarly updated. [RT #36895]
-
-4594. [func] "dnstap-read -x" prints a hex dump of the wire
- format of each logged DNS message. [RT #44816]
-
-4593. [doc] Update README using markdown, remove outdated FAQ
- file in favor of the knowledge base.
-
-4592. [bug] A race condition on shutdown could trigger an
- assertion failure in dispatch.c. [RT #43822]
-
-4591. [port] Addressed some python 3 compatibility issues.
- Thanks to Ville Skytta. [RT #44955] [RT #44956]
-
-4590. [bug] Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
- properly detected. [RT #44871]
-
-4589. [cleanup] "configure -q" is now silent. [RT #44829]
-
-4588. [bug] nsupdate could send queries for TKEY to the wrong
- server when using GSSAPI. Thanks to Tomas Hozza.
- [RT #39893]
-
-4587. [bug] named-checkzone failed to handle occulted data below
- DNAMEs correctly. [RT #44877]
-
-4586. [func] dig, host and nslookup now use TCP for ANY queries.
- [RT #44687]
-
-4585. [port] win32: Set CompileAS value. [RT #42474]
-
-4584. [bug] A number of memory usage statistics were not properly
- reported when they exceeded 4G. [RT #44750]
-
-4583. [func] "host -A" returns most records for a name but
- omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
- [RT #43032]
-
-4582. [security] 'rndc ""' could trigger a assertion failure in named.
- (CVE-2017-3138) [RT #44924]
-
-4581. [port] Linux: Add getpid and getrandom to the list of system
- calls named uses for seccomp. [RT #44883]
-
-4580. [bug] 4578 introduced a regression when handling CNAME to
- referral below the current domain. [RT #44850]
-
-4579. [func] Logging channels and dnstap output files can now
- be configured with a "suffix" option, set to
- either "increment" or "timestamp", indicating
- whether to use incrementing numbers or timestamps
- as the file suffix when rolling over a log file.
- [RT #42838]
-
-4578. [security] Some chaining (CNAME or DNAME) responses to upstream
- queries could trigger assertion failures.
- (CVE-2017-3137) [RT #44734]
-
-4577. [func] Make qtype of resolver fuzzing packet configurable
- via command line. [RT #43540]
-
-4576. [func] The RPZ implementation has been substantially
- refactored for improved performance and reliability.
- [RT #43449]
-
-4575. [security] DNS64 with "break-dnssec yes;" can result in an
- assertion failure. (CVE-2017-3136) [RT #44653]
-
-4574. [bug] Dig leaked memory with multiple +subnet options.
- [RT #44683]
-
-4573. [func] Query logic has been substantially refactored (e.g.
- query_find function has been split into smaller
- functions) for improved readability, maintainability
- and testability. [RT #43929]
-
-4572. [func] The "dnstap-output" option can now take "size" and
- "versions" parameters to indicate the maximum size
- a dnstap log file can grow before rolling to a new
- file, and how many old files to retain. [RT #44502]
-
-4571. [bug] Out-of-tree builds of backtrace_test failed.
-
-4570. [cleanup] named did not correctly fall back to the built-in
- initializing keys if the bind.keys file was present
- but empty. [RT #44531]
-
-4569. [func] Store both local and remote addresses in dnstap
- logging, and modify dnstap-read output format to
- print them. [RT #43595]
-
-4568. [contrib] Added a --with-bind option to the dnsperf configure
- script to specify BIND prefix path.
-
-4567. [port] Call getprotobyname and getservbyname prior to calling
- chroot so that shared libraries get loaded. [RT #44537]
-
-4566. [func] Query logging now includes the ECS option if one
- was included in the query. [RT #44476]
-
-4565. [cleanup] The inline macro versions of isc_buffer_put*()
- did not implement automatic buffer reallocation.
- [RT #44216]
-
-4564. [maint] Update the built in managed keys to include the
- upcoming root KSK. [RT #44579]
-
-4563. [bug] Modified zones would occasionally fail to reload.
- [RT #39424]
-
-4562. [func] Add additional memory statistics currently malloced
- and maxmalloced per memory context. [RT #43593]
-
-4561. [port] Silence a warning in strict C99 compilers. [RT #44414]
-
-4560. [bug] mdig: add -m option to enable memory debugging rather
- than having it on all the time. [RT #44509]
-
-4559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES
- was turned off. [RT #44509]
-
-4558. [bug] Synthesised CNAME before matching DNAME was still
- being cached when it should not have been. [RT #44318]
-
-4557. [security] Combining dns64 and rpz can result in dereferencing
- a NULL pointer (read). (CVE-2017-3135) [RT#44434]
-
-4556. [bug] Sending an EDNS Padding option using "dig
- +ednsopt" could cause a crash in dig. [RT #44462]
-
-4555. [func] dig +ednsopt: EDNS options can now be specified by
- name in addition to numeric value. [RT #44461]
-
-4554. [bug] Remove double unlock in dns_dispatchmgr_setudp.
- [RT #44336]
-
-4553. [bug] Named could deadlock there were multiple changes to
- NSEC/NSEC3 parameters for a zone being processed at
- the same time. [RT #42770]
-
-4552. [bug] Named could trigger a assertion when sending notify
- messages. [RT #44019]
-
-4551. [test] Add system tests for integrity checks of MX and
- SRV records. [RT #43953]
-
-4550. [cleanup] Increased the number of available master file
- output style flags from 32 to 64. [RT #44043]
-
-4549. [func] Added support for the EDNS TCP Keepalive option
- (RFC 7828). [RT #42126]
-
-4548. [func] Added support for the EDNS Padding option (RFC 7830).
- [RT #42094]
-
-4547. [port] Add support for --enable-native-pkcs11 on the AEP
- Keyper HSM. [RT #42463]
-
-4546. [func] Extend the use of const declarations. [RT #43379]
-
-4545. [func] Expand YAML output from dnstap-read to include
- a detailed breakdown of the DNS message contents.
- [RT #43642]
-
-4544. [bug] Add message/payload size to dnstap-read YAML output.
- [RT #43622]
-
-4543. [bug] dns_client_startupdate now delays sending the update
- request until isc_app_ctxrun has been called.
- [RT #43976]
-
-4542. [func] Allow rndc to manipulate redirect zones with using
- -redirect as the zone name (use "-redirect." to
- manipulate a zone named "-redirect"). [RT #43971]
-
-4541. [bug] rndc addzone should properly reject non master/slave
- zones. [RT #43665]
-
-4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure.
- [RT #43601]
-
-4539. [bug] Referencing a nonexistent zone with RPZ could lead
- to a assertion failure when configuring. [RT #43787]
-
-4538. [bug] Call dns_client_startresolve from client->task.
- [RT #43896]
-
-4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576]
-
-4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
- when reusing the event structure. [RT #43885]
-
-4535. [bug] Address race condition in setting / testing of
- DNS_REQUEST_F_SENDING. [RT #43889]
-
-4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]
-
-4533. [bug] dns_client_update should terminate on prerequisite
- failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
- and also on BADZONE. [RT #43865]
-
-4532. [contrib] Make gen-data-queryperf.py python 3 compatible.
- [RT #43836]
-
-4531. [security] 'is_zone' was not being properly updated by redirect2
- and subsequently preserved leading to an assertion
- failure. (CVE-2016-9778) [RT #43837]
-
-4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
- in responses resulting in SERVFAIL being returned.
- [RT #43779]
-
-4529. [cleanup] Silence noisy log warning when DSCP probe fails
- due to firewall rules. [RT #43847]
-
-4528. [bug] Only set the flag bits for the i/o we are waiting
- for on EPOLLERR or EPOLLHUP. [RT #43617]
-
-4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
-
-4526. [doc] Corrected errors and improved formatting of
- grammar definitions in the ARM. [RT #43739]
-
-4525. [doc] Fixed outdated documentation on managed-keys.
- [RT #43810]
-
-4524. [bug] The net zero test was broken causing IPv4 servers
- with addresses ending in .0 to be rejected. [RT #43776]
-
-4523. [doc] Expand config doc for <querysource4> and
- <querysource6>. [RT #43768]
-
-4522. [bug] Handle big gaps in log file version numbers better.
- [RT #38688]
-
-4521. [cleanup] Log it as an error if an entropy source is not
- found and there is no fallback available. [RT #43659]
-
-4520. [cleanup] Alphabetize more of the grammar when printing it
- out. Fix unbalanced indenting. [RT #43755]
-
-4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
-
-4518. [func] The "print-time" option in the logging configuration
- can now take arguments "local", "iso8601" or
- "iso8601-utc" to indicate the format in which the
- date and time should be logged. For backward
- compatibility, "yes" is a synonym for "local".
- [RT #42585]
-
-4517. [security] Named could mishandle authority sections that were
- missing RRSIGs triggering an assertion failure.
- (CVE-2016-9444) [RT # 43632]
-
-4516. [bug] isc_socketmgr_renderjson was missing from the
- windows build. [RT #43602]
-
-4515. [port] FreeBSD: Find readline headers when they are in
- edit/readline/ instead of readline/. [RT #43658]
-
-4514. [port] NetBSD: strip -WL, from ld command line. [RT #43204]
-
-4513. [cleanup] Minimum Python versions are now 2.7 and 3.2.
- [RT #43566]
-
-4512. [bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in.
- [RT #43556]
-
-4511. [bug] win32: mdig.exe-BNFT was missing Configure. [RT #43554]
-
-4510. [security] Named mishandled some responses where covering RRSIG
- records are returned without the requested data
- resulting in a assertion failure. (CVE-2016-9147)
- [RT #43548]
-
-4509. [test] Make the rrl system test more reliable on slower
- machines by using mdig instead of dig. [RT #43280]
-
-4508. [security] Named incorrectly tried to cache TKEY records which
- could trigger a assertion failure when there was
- a class mismatch. (CVE-2016-9131) [RT #43522]
-
-4507. [bug] Named could incorrectly log 'allows updates by IP
- address, which is insecure' [RT #43432]
-
-4506. [func] 'named-checkconf -l' will now list the zones found in
- named.conf. [RT #43154]
-
-4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]
-
-4504. [security] Allow the maximum number of records in a zone to
- be specified. This provides a control for issues
- raised in CVE-2016-6170. [RT #42143]
-
-4503. [cleanup] "make uninstall" now removes files installed by
- BIND. (This currently excludes Python files
- due to lack of support in setup.py.) [RT #42192]
-
-4502. [func] Report multiple and experimental options when printing
- grammar. [RT #43134]
-
-4501. [placeholder]
-
-4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]
-
-4499. [port] MacOSX: silence deprecated function warning
- by using arc4random_stir() when available
- instead of arc4random_addrandom(). [RT #43503]
-
-4498. [test] Simplify prerequisite checks in system tests.
- [RT #43516]
-
-4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]
-
-4496. [func] dig: add +idnout to control whether labels are
- display in punycode or not. Requires idn support
- to be enabled at compile time. [RT #43398]
-
-4495. [bug] A isc_mutex_init call was not being checked.
- [RT #43391]
-
-4494. [bug] Look for <editline/readline.h>. [RT #43429]
-
-4493. [bug] bin/tests/system/dyndb/driver/Makefile.in should use
- SO_TARGETS. [RT# 43336]
-
-4492. [bug] irs_resconf_load failed to initialize sortlistnxt
- causing bad writes if resolv.conf contained a
- sortlist directive. [RT #43459]
-
-4491. [bug] Improve message emitted when testing whether sendmsg
- works with TOS/TCLASS fails. [RT #43483]
-
-4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
-
-4489. [security] It was possible to trigger assertions when processing
- a response containing a DNAME answer. (CVE-2016-8864)
- [RT #43465]
-
-4488. [port] Darwin: use -framework for Kerberos. [RT #43418]
-
-4487. [test] Make system tests work on Windows. [RT #42931]
-
-4486. [bug] Look in $prefix/lib/pythonX.Y/site-packages for
- the python modules we install. [RT #43330]
-
-4485. [bug] Failure to find readline when requested should be
- fatal to configure. [RT #43328]
-
-4484. [func] Check prefixes in acls to make sure the address and
- prefix lengths are consistent. Warn only in
- BIND 9.11 and earlier. [RT #43367]
-
-4483. [bug] Address use before require check and remove extraneous
- dns_message_gettsigkey call in dns_tsig_sign.
- [RT #43374]
-
-4482. [cleanup] Change #4455 was incomplete. [RT #43252]
-
-4481. [func] dig: make +class, +crypto, +multiline, +rrcomments,
- +onesoa, +qr, +ttlid, +ttlunits and -u per lookup
- rather than global. [RT #42450]
-
-4480. [placeholder]
-
-4479. [placeholder]
-
-4478. [func] Add +continue option to mdig, allow continue on socket
- errors. [RT #43281]
-
-4477. [test] Fix mkeys test timing issues. [RT #41028]
-
-4476. [test] Fix reclimit test on slower machines. [RT #43283]
-
-4475. [doc] Update named-checkconf documentation. [RT #43153]
-
-4474. [bug] win32: call WSAStartup in fromtext_in_wks so that
- getprotobyname and getservbyname work. [RT #43197]
-
-4473. [bug] Only call fsync / _commit on regular files. [RT #43196]
-
-4472. [bug] Named could fail to find the correct NSEC3 records when
- a zone was updated between looking for the answer and
- looking for the NSEC3 records proving nonexistence
- of the answer. [RT #43247]
-
- --- 9.11.0 released ---
-
- --- 9.11.0rc3 released ---
-
-4471. [cleanup] Render client/query logging format consistent for
- ease of log file parsing. (Note that this affects
- "querylog" format: there is now an additional field
- indicating the client object address.) [RT #43238]
-
-4470. [bug] Reset message with intent parse before
- calling dns_dispatch_getnext. [RT #43229]
-
-4469. [placeholder]
-
- --- 9.11.0rc2 released ---
-
-4468. [bug] Address ECS option handling issues. [RT #43191]
-
-4467. [security] It was possible to trigger an assertion when
- rendering a message. (CVE-2016-2776) [RT #43139]
-
-4466. [bug] Interface scanning didn't work on a Windows system
- without a non local IPv6 addresses. [RT #43130]
-
-4465. [bug] Don't use "%z" as Windows doesn't support it.
- [RT #43131]
-
-4464. [bug] Fix windows python support. [RT #43173]
-
-4463. [bug] The dnstap system test failed on some systems.
- [RT #43129]
-
-4462. [bug] Don't describe a returned EDNS COOKIE as "good"
- when there isn't a valid server cookie. [RT #43167]
-
-4461. [bug] win32: not all external data was properly marked
- as external data for windows dll. [RT #43161]
-
- --- 9.11.0rc1 released ---
-
-4460. [test] Add system test for dnstap using unix domain sockets.
- [RT #42926]
-
-4459. [bug] TCP client objects created to handle pipeline queries
- were not cleaned up correctly, causing uncontrolled
- memory growth. [RT #43106]
-
-4458. [cleanup] Update assertions to be more correct, and also remove
- use of a reserved word. [RT #43090]
-
-4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
-
-4456. [doc] Add DOCTYPE and lang attribute to <html> tags.
- [RT #42587]
-
-4455. [cleanup] Allow dyndb modules to correctly log the filename
- and line number when processing configuration text
- from named.conf. [RT #43050]
-
-4454. [bug] 'rndc dnstap -reopen' had a race issue. [RT #43089]
-
-4453. [bug] Prefetching of DS records failed to update their
- RRSIGs. [RT #42865]
-
-4452. [bug] The default key manager policy file is now
- <sysdir>/dnssec-policy.conf (usually
- /etc/dnssec-policy.conf). [RT #43064]
-
-4451. [cleanup] Log more useful information if a PKCS#11 provider
- library cannot be loaded. [RT #43076]
-
-4450. [port] Provide more nuanced HSM support which better matches
- the specific PKCS11 providers capabilities. [RT #42458]
-
-4449. [test] Fix catalog zones test on slower systems. [RT #42997]
-
-4448. [bug] win32: ::1 was not being found when iterating
- interfaces. [RT #42993]
-
-4447. [tuning] Allow the fstrm_iothr_init() options to be set using
- named.conf to control how dnstap manages the data
- flow. [RT #42974]
-
-4446. [bug] The cache_find() and _findrdataset() functions
- could find rdatasets that had been marked stale.
- [RT #42853]
-
-4445. [cleanup] isc_errno_toresult() can now be used to call the
- formerly private function isc__errno2result().
- [RT #43050]
-
-4444. [bug] Fixed some issues related to dyndb: A bug caused
- braces to be omitted when passing configuration text
- from named.conf to a dyndb driver, and there was a
- use-after-free in the sample dyndb driver. [RT #43050]
-
-4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
- TCP sockets. [RT #42864]
-
-4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted
- tree data structure with overlapping networks
- (longest prefix match was ineffective).
- [RT #43035]
-
-4441. [cleanup] Alphabetize host's help output. [RT #43031]
-
-4440. [func] Enable TCP fast open support when available on the
- server side. [RT #42866]
-
-4439. [bug] Address race conditions getting ownernames of nodes.
- [RT #43005]
-
-4438. [func] Use LIFO rather than FIFO when processing startup
- notify and refresh queries. [RT #42825]
-
-4437. [func] Minimal-responses now has two additional modes
- no-auth and no-auth-recursive which suppress
- adding the NS records to the authority section
- as well as the associated address records for the
- nameservers. [RT #42005]
-
-4436. [func] Return TLSA records as additional data for MX and SRV
- lookups. [RT #42894]
-
-4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message
- will not fit into a single IPv4 encapsulated IPv6
- UDP packet when transmitted over a Ethernet link.
- [RT #42871]
-
-4434. [protocol] Return EDNS EXPIRE option for master zones in addition
- to slave zones. [RT #43008]
-
-4433. [cleanup] Report an error when passing an invalid option or
- view name to "rndc dumpdb". [RT #42958]
-
-4432. [test] Hide rndc output on expected failures in logfileconfig
- system test. [RT #27996]
-
-4431. [bug] named-checkconf now checks the rate-limit clause.
- [RT #42970]
-
-4430. [bug] Lwresd died if a search list was not defined.
- Found by 0x710DDDD At Alibaba Security. [RT #42895]
-
-4429. [bug] Address potential use after free on fclose() error.
- [RT #42976]
-
-4428. [bug] The "test dispatch getnext" unit test could fail
- in a threaded build. [RT #42979]
-
-4427. [bug] The "query" and "response" parameters to the
- "dnstap" option had their functions reversed.
-
- --- 9.11.0b3 released ---
-
-4426. [bug] Addressed Coverity warnings. [RT #42908]
-
-4425. [bug] arpaname, dnstap-read and named-rrchecker were not
- being installed into ${prefix}/bin. Tidy up
- installation issues with CHANGE 4421. [RT #42910]
-
-4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries
- to provide feedback to the trust-anchor administrators
- about how key rollovers are progressing as per
- draft-ietf-dnsop-edns-key-tag-02. This can be
- disabled using 'trust-anchor-telemetry no;'.
- [RT #40583]
-
-4423. [maint] Added missing IPv6 address 2001:500:84::b for
- B.ROOT-SERVERS.NET. [RT #42898]
-
-4422. [port] Silence clang warnings in dig.c and dighost.c.
- [RT #42451]
-
-4421. [func] When built with LMDB (Lightning Memory-mapped
- Database), named will now use a database to store
- the configuration for zones added by "rndc addzone"
- instead of using a flat NZF file. This improves
- performance of "rndc delzone" and "rndc modzone"
- significantly. Existing NZF files will
- automatically by converted to NZD databases.
- To view the contents of an NZD or to roll back to
- NZF format, use "named-nzd2nzf". To disable
- this feature, use "configure --without-lmdb".
- [RT #39837]
-
-4420. [func] nslookup now looks for AAAA as well as A by default.
- [RT #40420]
-
-4419. [bug] Don't cause undefined result if the label of an
- entry in catalog zone is changed. [RT #42708]
-
-4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879]
-
-4417. [bug] dnssec-keymgr could fail to create successor keys
- if the prepublication interval was set to a value
- smaller than the default. [RT #42820]
-
-4416. [bug] dnssec-keymgr: Domain names in policy files could
- fail to match due to trailing dots. [RT #42807]
-
-4415. [bug] dnssec-keymgr: Expired/deleted keys were not always
- excluded. [RT #42884]
-
-4414. [bug] Corrected a bug in the MIPS implementation of
- isc_atomic_xadd(). [RT #41965]
-
-4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
- was returned. [RT #42733]
-
- --- 9.11.0b2 released ---
-
-4412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
- removed. [RT #42721]
-
-4411. [func] "rndc dnstap -roll" automatically rolls the
- dnstap output file; the previous version is
- saved with ".0" suffix, and earlier versions
- with ".1" and so on. An optional numeric argument
- indicates how many prior files to save. [RT #42830]
-
-4410. [bug] Address use after free and memory leak with dnstap.
- [RT #42746]
-
-4409. [bug] DNS64 should exclude mapped addresses by default when
- an exclude acl is not defined. [RT #42810]
-
-4408. [func] Continue waiting for expected response when we the
- response we get does not match the request. [RT #41026]
-
-4407. [performance] Use GCC builtin for clz in RPZ lookup code.
- [RT #42818]
-
-4406. [security] getrrsetbyname with a non absolute name could
- trigger an infinite recursion bug in lwresd
- and named with lwres configured if when combined
- with a search list entry the resulting name is
- too long. (CVE-2016-2775) [RT #42694]
-
-4405. [bug] Change 4342 introduced a regression where you could
- not remove a delegation in a NSEC3 signed zone using
- OPTOUT via nsupdate. [RT #42702]
-
-4404. [misc] Allow krb5-config to be used when configuring gssapi.
- [RT #42580]
-
-4403. [bug] Rename variables and arguments that shadow: basename,
- clone and gai_error.
-
-4402. [bug] protoc-c is now a hard requirement for --enable-dnstap.
-
- --- 9.11.0b1 released ---
-
-4401. [misc] Change LICENSE to MPL 2.0.
-
-4400. [bug] ttl policy was not being inherited in policy.py.
- [RT #42718]
-
-4399. [bug] policy.py 'ECCGOST', 'ECDSAP256SHA256', and
- 'ECDSAP384SHA384' don't have settable keysize.
- [RT #42718]
-
-4398. [bug] Correct spelling of ECDSAP256SHA256 in policy.py.
- [RT #42718]
-
-4397. [bug] Update Windows python support. [RT #42538]
-
-4396. [func] dnssec-keymgr now takes a '-r randomfile' option.
- [RT #42455]
-
-4395. [bug] Improve out-of-tree installation of python modules.
- [RT #42586]
-
-4394. [func] Add rndc command "dnstap-reopen" to close and
- reopen dnstap output files. [RT #41803]
-
-4393. [bug] Address potential NULL pointer dereferences in
- dnstap code.
-
-4392. [func] Collect statistics for RSSAC02v3 traffic-volume,
- traffic-sizes and rcode-volume reporting. [RT #41475]
-
-4391. [contrib] Fix leaks in contrib DLZ code. [RT #42707]
-
-4390. [doc] Description of masters with TSIG, allow-query and
- allow-transfer options in catalog zones. [RT #42692]
-
-4389. [test] Rewritten test suite for catalog zones. [RT #42676]
-
-4388. [func] Support for master entries with TSIG keys in catalog
- zones. [RT #42577]
-
-4387. [bug] Change 4336 was not complete leading to SERVFAIL
- being return as NS records expired. [RT #42683]
-
-4386. [bug] Remove shadowed overmem function/variable. [RT #42706]
-
-4385. [func] Add support for allow-query and allow-transfer ACLs
- to catalog zones. [RT #42578]
-
-4384. [bug] Change 4256 accidentally disabled logging of the
- rndc command. [RT #42654]
-
-4383. [bug] Correct spelling error in stats channel description of
- "EDNS client subnet option received". [RT #42633]
-
-4382. [bug] rndc {addzone,modzone,delzone,showzone} should all
- compare the zone name using a canonical format.
- [RT #42630]
-
-4381. [bug] Missing "zone-directory" option in catalog zone
- definition caused BIND to crash. [RT #42579]
-
- --- 9.11.0a3 released ---
-
-4380. [experimental] Added a "zone-directory" option to "catalog-zones"
- syntax, allowing local masterfiles for slaves
- that are provisioned by catalog zones to be stored
- in a directory other than the server's working
- directory. [RT #42527]
-
-4379. [bug] An INSIST could be triggered if a zone contains
- RRSIG records with expiry fields that loop
- using serial number arithmetic. [RT #40571]
-
-4378. [contrib] #include <isc/string.h> for strlcat in zone2ldap.c.
- [RT #42525]
-
-4377. [bug] Don't reuse zero TTL responses beyond the current
- client set (excludes ANY/SIG/RRSIG queries).
- [RT #42142]
-
-4376. [experimental] Added support for Catalog Zones, a new method for
- provisioning secondary servers in which a list of
- zones to be served is stored in a DNS zone and can
- be propagated to slaves via AXFR/IXFR. [RT #41581]
-
-4375. [func] Add support for automatic reallocation of isc_buffer
- to isc_buffer_put* functions. [RT #42394]
-
-4374. [bug] Use SAVE/RESTORE macros in query.c to reduce the
- probability of reference counting errors as seen
- in 4365. [RT #42405]
-
-4373. [bug] Address undefined behavior in getaddrinfo. [RT #42479]
-
-4372. [bug] Address undefined behavior in libt_api. [RT #42480]
-
-4371. [func] New "minimal-any" option reduces the size of UDP
- responses for qtype ANY by returning a single
- arbitrarily selected RRset instead of all RRsets.
- Thanks to Tony Finch. [RT #41615]
-
-4370. [bug] Address python3 compatibility issues with RNDC module.
- [RT #42499] [RT #42506]
-
- --- 9.11.0a2 released ---
-
-4369. [bug] Fix 'make' and 'make install' out-of-tree python
- support. [RT #42484]
-
-4368. [bug] Fix a crash when calling "rndc stats" on some
- Windows builds because some Visual Studio compilers
- generated crashing code for the "%z" printf()
- format specifier. [RT #42380]
-
-4367. [bug] Remove unnecessary assignment of loadtime in
- zone_touched. [RT #42440]
-
-4366. [bug] Address race condition when updating rbtnode bit
- fields. [RT #42379]
-
-4365. [bug] Address zone reference counting errors involving
- nxdomain-redirect. [RT #42258]
-
-4364. [port] freebsd: add -Wl,-E to loader flags [RT #41690]
-
-4363. [port] win32: Disable explicit triggering UAC when running
- BINDInstall.
-
-4362. [func] Changed rndc reconfig behavior so that newly added
- zones are loaded asynchronously and the loading does
- not block the server. [RT #41934]
-
-4361. [cleanup] Where supported, file modification times returned
- by isc_file_getmodtime() are now accurate to the
- nanosecond. [RT #41968]
-
-4360. [bug] Silence spurious 'bad key type' message when there is
- a existing TSIG key. [RT #42195]
-
-4359. [bug] Inherited 'also-notify' lists were not being checked
- by named-checkconf. [RT #42174]
-
-4358. [test] Added American Fuzzy Lop harness that allows
- feeding fuzzed packets into BIND.
- [RT #41723]
-
-4357. [func] Add the python RNDC module. [RT #42093]
-
-4356. [func] Add the ability to specify whether to wait for
- nameserver addresses to be looked up or not to
- RPZ with a new modifying directive 'nsip-wait-recurse'.
- [RT #35009]
-
-4355. [func] "pkcs11-list" now displays the extractability
- attribute of private or secret keys stored in
- an HSM, as either "true", "false", or "never"
- Thanks to Daniel Stirnimann. [RT #36557]
-
-4354. [bug] Check that the received HMAC length matches the
- expected length prior to check the contents on the
- control channel. This prevents a OOB read error.
- This was reported by Lian Yihan, <lianyihan@360.cn>.
- [RT #42215]
-
-4353. [cleanup] Update PKCS#11 header files. [RT #42175]
-
-4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
- is scheduled to be disabled in 2017. A warning is
- now logged when named is configured to use it,
- either explicitly or via "dnssec-lookaside auto;"
- [RT #42207]
-
-4351. [bug] 'dig +noignore' didn't work. [RT #42273]
-
-4350. [contrib] Declare result in dlz_filesystem_dynamic.c.
-
-4349. [contrib] kasp2policy: A python script to create a DNSSEC
- policy file from an OpenDNSSEC KASP XML file.
-
-4348. [func] dnssec-keymgr: A new python-based DNSSEC key
- management utility, which reads a policy definition
- file and can create or update DNSSEC keys as needed
- to ensure that a zone's keys match policy, roll over
- correctly on schedule, etc. Thanks to Sebastian
- Castro for assistance in development. [RT #39211]
-
-4347. [port] Corrected a build error on x86_64 Solaris. [RT #42150]
-
-4346. [bug] Fixed a regression introduced in change #4337 which
- caused signed domains with revoked KSKs to fail
- validation. [RT #42147]
-
-4345. [contrib] perftcpdns mishandled the return values from
- clock_nanosleep. [RT #42131]
-
-4344. [port] Address openssl version differences. [RT #42059]
-
-4343. [bug] dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
- [RT #42090]
-
-4342. [bug] 'rndc flushtree' could fail to clean the tree if there
- wasn't a node at the specified name. [RT #41846]
-
- --- 9.11.0a1 released ---
-
-4341. [bug] Correct the handling of ECS options with
- address family 0. [RT #41377]
-
-4340. [performance] Implement adaptive read-write locks, reducing the
- overhead of locks that are only held briefly.
- [RT #37329]
-
-4339. [test] Use "mdig" to test pipelined queries. [RT #41929]
-
-4338. [bug] Reimplement change 4324 as it wasn't properly doing
- all the required book keeping. [RT #41941]
-
-4337. [bug] The previous change exposed a latent flaw in
- key refresh queries for managed-keys when
- a cached DNSKEY had TTL 0. [RT #41986]
-
-4336. [bug] Don't emit records with zero ttl unless the records
- were learnt with a zero ttl. [RT #41687]
-
-4335. [bug] zone->view could be detached too early. [RT #41942]
-
-4334. [func] 'named -V' now reports zlib version. [RT #41913]
-
-4333. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42 and
- 2001:500:9f::42.
-
-4332. [placeholder]
-
-4331. [func] When loading managed signed zones detect if the
- RRSIG's inception time is in the future and regenerate
- the RRSIG immediately. [RT #41808]
-
-4330. [protocol] Identify the PAD option as "PAD" when printing out
- a message.
-
-4329. [func] Warn about a common misconfiguration when forwarding
- RFC 1918 zones. [RT #41441]
-
-4328. [performance] Add dns_name_fromwire() benchmark test. [RT #41694]
-
-4327. [func] Log query and depth counters during fetches when
- querytrace (./configure --enable-querytrace) is
- enabled (helps in diagnosing). [RT #41787]
-
-4326. [protocol] Add support for AVC. [RT #41819]
-
-4325. [func] Add a line to "rndc status" indicating the
- hostname and operating system details. [RT #41610]
-
-4324. [bug] When deleting records from a zone database, interior
- nodes could be left empty but not deleted, damaging
- search performance afterward. [RT #40997]
-
-4323. [bug] Improve HTTP header processing on statschannel.
- [RT #41674]
-
-4322. [security] Duplicate EDNS COOKIE options in a response could
- trigger an assertion failure. (CVE-2016-2088)
- [RT #41809]
-
-4321. [bug] Zones using mapped files containing out-of-zone data
- could return SERVFAIL instead of the expected NODATA
- or NXDOMAIN results. [RT #41596]
-
-4320. [bug] Insufficient memory allocation when handling
- "none" ACL could cause an assertion failure in
- named when parsing ACL configuration. [RT #41745]
-
-4319. [security] Fix resolver assertion failure due to improper
- DNAME handling when parsing fetch reply messages.
- (CVE-2016-1286) [RT #41753]
-
-4318. [security] Malformed control messages can trigger assertions
- in named and rndc. (CVE-2016-1285) [RT #41666]
-
-4317. [bug] Age all unused servers on fetch timeout. [RT #41597]
-
-4316. [func] Add option to tools to print RRs in unknown
- presentation format [RT #41595].
-
-4315. [bug] Check that configured view class isn't a meta class.
- [RT #41572].
-
-4314. [contrib] Added 'dnsperf-2.1.0.0-1', a set of performance
- testing tools provided by Nominum, Inc.
-
-4313. [bug] Handle ns_client_replace failures in test mode.
- [RT #41190]
-
-4312. [bug] dig's unknown DNS and EDNS flags (MBZ value) logging
- was not consistent. [RT #41600]
-
-4311. [bug] Prevent "rndc delzone" from being used on
- response-policy zones. [RT #41593]
-
-4310. [performance] Use __builtin_expect() where available to annotate
- conditions with known behavior. [RT #41411]
-
-4309. [cleanup] Remove the spurious "none" filename from log messages
- when processing built-in configuration. [RT #41594]
-
-4308. [func] Added operating system details to "named -V"
- output. [RT #41452]
-
-4307. [bug] "dig +subnet" and "mdig +subnet" could send
- incorrectly-formatted Client Subnet options
- if the prefix length was not divisible by 8.
- Also fixed a memory leak in "mdig". [RT #45178]
-
-4306. [maint] Added a PKCS#11 openssl patch supporting
- version 1.0.2f [RT #38312]
-
-4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
- from the zone's apex. [RT #41483]
-
-4304. [port] xfer system test failed as 'tail -n +value' is not
- portable. [RT #41315]
-
-4303. [bug] "dig +subnet" was unable to send a prefix length of
- zero, as it was incorrectly changed to 32 for v4
- prefixes or 128 for v6 prefixes. In addition to
- fixing this, "dig +subnet=0" has been added as a
- short form for 0.0.0.0/0. The same changes have
- also been made in "mdig". [RT #41553]
-
-4302. [port] win32: fixed a build error in VS 2015. [RT #41426]
-
-4301. [bug] dnssec-settime -p [DP]sync was not working. [RT #41534]
-
-4300. [bug] A flag could be set in the wrong field when setting
- up non-recursive queries; this could cause the
- SERVFAIL cache to cache responses it shouldn't.
- New querytrace logging has been added which
- identified this error. [RT #41155]
-
-4299. [bug] Check that exactly totallen bytes are read when
- reading a RRset from raw files in both single read
- and incremental modes. [RT #41402]
-
-4298. [bug] dns_rpz_add errors in loadzone were not being
- propagated up the call stack. [RT #41425]
-
-4297. [test] Ensure delegations in RPZ zones fail robustly.
- [RT #41518]
-
-4296. [bug] TCP packet sizes were calculated incorrectly in the
- stats channel; they could be counted in the wrong
- histogram bucket. [RT #40587]
-
-4295. [bug] An unchecked result in dns_message_pseudosectiontotext()
- could allow incorrect text formatting of EDNS EXPIRE
- options. [RT #41437]
-
-4294. [bug] Fixed a regression in which "rndc stop -p" failed
- to print the PID. [RT #41513]
-
-4293. [bug] Address memory leak on priming query creation failure.
- [RT #41512]
-
-4292. [placeholder]
-
-4291. [cleanup] Added a required include to dns/forward.h. [RT #41474]
-
-4290. [func] The timers returned by the statistics channel
- (indicating current time, server boot time, and
- most recent reconfiguration time) are now reported
- with millisecond accuracy. [RT #40082]
-
-4289. [bug] The server could crash due to memory being used
- after it was freed if a zone transfer timed out.
- [RT #41297]
-
-4288. [bug] Fixed a regression in resolver.c:possibly_mark()
- which caused known-bogus servers to be queried
- anyway. [RT #41321]
-
-4287. [bug] Silence an overly noisy log message when message
- parsing fails. [RT #41374]
-
-4286. [security] render_ecs errors were mishandled when printing out
- a OPT record resulting in a assertion failure.
- (CVE-2015-8705) [RT #41397]
-
-4285. [security] Specific APL data could trigger a INSIST.
- (CVE-2015-8704) [RT #41396]
-
-4284. [bug] Some GeoIP options were incorrectly documented
- using abbreviated forms which were not accepted by
- named. The code has been updated to allow both
- long and abbreviated forms. [RT #41381]
-
-4283. [bug] OPENSSL_config is no longer re-callable. [RT #41348]
-
-4282. [func] 'dig +[no]mapped' determine whether the use of mapped
- IPv4 addresses over IPv6 is permitted or not. The
- default is +mapped. [RT #41307]
-
-4281. [bug] Teach dns_message_totext about BADCOOKIE. [RT #41257]
-
-4280. [performance] Use optimal message sizes to improve compression
- in AXFRs. This reduces network traffic. [RT #40996]
-
-4279. [test] Don't use fixed ports when unit testing. [RT #41194]
-
-4278. [bug] 'delv +short +[no]split[=##]' didn't work as expected.
- [RT #41238]
-
-4277. [performance] Improve performance of the RBT, the central zone
- datastructure: The aux hashtable was improved,
- hash function was updated to perform more
- uniform mapping, uppernode was added to
- dns_rbtnode, and other cleanups and performance
- improvements were made. [RT #41165]
-
-4276. [protocol] Add support for SMIMEA. [RT #40513]
-
-4275. [performance] Lazily initialize dns_compress->table only when
- compression is enabled. [RT #41189]
-
-4274. [performance] Speed up typemap processing from text. [RT #41196]
-
-4273. [bug] Only call dns_test_begin() and dns_test_end() once each
- in nsec3_test as it fails with GOST if called multiple
- times.
-
-4272. [bug] dig: the +norrcomments option didn't work with +multi.
- [RT #41234]
-
-4271. [test] Unit tests could deadlock in isc__taskmgr_pause().
- [RT #41235]
-
-4270. [security] Update allowed OpenSSL versions as named is
- potentially vulnerable to CVE-2015-3193.
-
-4269. [bug] Zones using "map" format master files currently
- don't work as policy zones. This limitation has
- now been documented; attempting to use such zones
- in "response-policy" statements is now a
- configuration error. [RT #38321]
-
-4268. [func] "rndc status" now reports the path to the
- configuration file. [RT #36470]
-
-4267. [test] Check sdlz error handling. [RT #41142]
-
-4266. [placeholder]
-
-4265. [bug] Address unchecked isc_mem_get calls. [RT #41187]
-
-4264. [bug] Check const of strchr/strrchr assignments match
- argument's const status. [RT #41150]
-
-4263. [contrib] Address compiler warnings in mysqldyn module.
- [RT #41130]
-
-4262. [bug] Fixed a bug in epoll socket code that caused
- sockets to not be registered for ready
- notification in some cases, causing named to not
- read from or write to them, resulting in what
- appear to the user as blocked connections.
- [RT #41067]
-
-4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
- [RT #40556]
-
-4260. [security] Insufficient testing when parsing a message allowed
- records with an incorrect class to be be accepted,
- triggering a REQUIRE failure when those records
- were subsequently cached. (CVE-2015-8000) [RT #40987]
-
-4259. [func] Add an option for non-destructive control channel
- access using a "read-only" clause. In such
- cases, a restricted set of rndc commands are
- allowed for querying information from named.
- [RT #40498]
-
-4258. [bug] Limit rndc query message sizes to 32 KiB. This should
- not break any legitimate rndc commands, but will
- prevent a rogue rndc query from allocating too
- much memory. [RT #41073]
-
-4257. [cleanup] Python scripts reported incorrect version. [RT #41080]
-
-4256. [bug] Allow rndc command arguments to be quoted so as
- to allow spaces. [RT #36665]
-
-4255. [performance] Add 'message-compression' option to disable DNS
- compression in responses. [RT #40726]
-
-4254. [bug] Address missing lock when getting zone's serial.
- [RT #41072]
-
-4253. [security] Address fetch context reference count handling error
- on socket error. (CVE-2015-8461) [RT#40945]
-
-4252. [func] Add support for automating the generation CDS and
- CDNSKEY rrsets to named and dnssec-signzone.
- [RT #40424]
-
-4251. [bug] NTAs were deleted when the server was reconfigured
- or reloaded. [RT #41058]
-
-4250. [func] Log the TSIG key in use during inbound zone
- transfers. [RT #41075]
-
-4249. [func] Improve error reporting of TSIG / SIG(0) records in
- the wrong location. [RT #41030]
-
-4248. [performance] Add an isc_atomic_storeq() function, use it in
- stats counters to improve performance.
- [RT #39972] [RT #39979]
-
-4247. [port] Require both HAVE_JSON and JSON_C_VERSION to be
- defined to report json library version. [RT #41045]
-
-4246. [test] Ensure the statschannel system test runs when BIND
- is not built with libjson. [RT #40944]
-
-4245. [placeholder]
-
-4244. [bug] The parser was not reporting that use-ixfr is obsolete.
- [RT #41010]
-
-4243. [func] Improved stats reporting from Timothe Litt. [RT #38941]
-
-4242. [bug] Replace the client if not already replaced when
- prefetching. [RT #41001]
-
-4241. [doc] Improved the TSIG, TKEY, and SIG(0) sections in
- the ARM. [RT #40955]
-
-4240. [port] Fix LibreSSL compatibility. [RT #40977]
-
-4239. [func] Changed default servfail-ttl value to 1 second from 10.
- Also, the maximum value is now 30 instead of 300.
- [RT #37556]
-
-4238. [bug] Don't send to servers on net zero (0.0.0.0/8).
- [RT #40947]
-
-4237. [doc] Upgraded documentation toolchain to use DocBook 5
- and dblatex. [RT #40766]
-
-4236. [performance] On machines with 2 or more processors (CPU), the
- default value for the number of UDP listeners
- has been changed to the number of detected
- processors minus one. [RT #40761]
-
-4235. [func] Added support in named for "dnstap", a fast method of
- capturing and logging DNS traffic, and a new command
- "dnstap-read" to read a dnstap log file. Use
- "configure --enable-dnstap" to enable this
- feature (note that this requires libprotobuf-c
- and libfstrm). See the ARM for configuration details.
-
- Thanks to Robert Edmonds of Farsight Security.
- [RT #40211]
-
-4234. [func] Add deflate compression in statistics channel HTTP
- server. [RT #40861]
-
-4233. [test] Add tests for CDS and CDNSKEY with delegation-only.
- [RT #40597]
-
-4232. [contrib] Address unchecked memory allocation calls in
- query-loc and zone2ldap. [RT #40789]
-
-4231. [contrib] Address unchecked calloc call in dlz_mysqldyn_mod.c.
- [RT #40840]
-
-4230. [contrib] dlz_wildcard_dynamic.c:dlz_create could return a
- uninitialized result. [RT #40839]
-
-4229. [bug] A variable could be used uninitialized in
- dns_update_signaturesinc. [RT #40784]
-
-4228. [bug] Address race condition in dns_client_destroyrestrans.
- [RT #40605]
-
-4227. [bug] Silence static analysis warnings. [RT #40828]
-
-4226. [bug] Address a theoretical shutdown race in
- zone.c:notify_send_queue(). [RT #38958]
-
-4225. [port] freebsd/openbsd: Use '${CC} -shared' for building
- shared libraries. [RT #39557]
-
-4224. [func] Added support for "dyndb", a new interface for loading
- zone data from an external database, developed by
- Red Hat for the FreeIPA project.
-
- DynDB drivers fully implement the BIND database
- API, and are capable of significantly better
- performance and functionality than DLZ drivers,
- while taking advantage of advanced database
- features not available in BIND such as multi-master
- replication.
-
- Thanks to Adam Tkac and Petr Spacek of Red Hat.
- [RT #35271]
-
-4223. [func] Add support for setting max-cache-size to percentage
- of available physical memory, set default to 90%.
- [RT #38442]
-
-4222. [func] Bias IPv6 servers when selecting the next server to
- query. [RT #40836]
-
-4221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create.
- [RT #40583]
-
-4220. [doc] Improve documentation for zone-statistics.
- [RT #36955]
-
-4219. [bug] Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
- EGAIN when these soft error are not retried for
- isc_socket_send*().
-
-4218. [bug] Potential null pointer dereference on out of memory
- if mmap is not supported. [RT #40777]
-
-4217. [protocol] Add support for CSYNC. [RT #40532]
-
-4216. [cleanup] Silence static analysis warnings. [RT #40649]
-
-4215. [bug] nsupdate: skip to next request on GSSTKEY create
- failure. [RT #40685]
-
-4214. [protocol] Add support for TALINK. [RT #40544]
-
-4213. [bug] Don't reuse a cache across multiple classes.
- [RT #40205]
-
-4212. [func] Re-query if we get a bad client cookie returned over
- UDP. [RT #40748]
-
-4211. [bug] Ensure that lwresd gets at least one task to work
- with if enabled. [RT #40652]
-
-4210. [cleanup] Silence use after free false positive. [RT #40743]
-
-4209. [bug] Address resource leaks in dlz modules. [RT #40654]
-
-4208. [bug] Address null pointer dereferences on out of memory.
- [RT #40764]
-
-4207. [bug] Handle class mismatches with raw zone files.
- [RT #40746]
-
-4206. [bug] contrib: fixed a possible NULL dereference in
- DLZ wildcard module. [RT #40745]
-
-4205. [bug] 'named-checkconf -p' could include unwanted spaces
- when printing tuples with unset optional fields.
- [RT #40731]
-
-4204. [bug] 'dig +trace' failed to lookup the correct type if
- the initial root NS query was retried. [RT #40296]
-
-4203. [test] The rrchecker system test now tests conversion
- to and from unknown-type format. [RT #40584]
-
-4202. [bug] isccc_cc_fromwire() could return an incorrect
- result. [RT #40614]
-
-4201. [func] The default preferred-glue is now the address record
- type of the transport the query was received
- over. [RT #40468]
-
-4200. [cleanup] win32: update BINDinstall to be BIND release
- independent. [RT #38915]
-
-4199. [protocol] Add support for NINFO, RKEY, SINK, TA.
- [RT #40545] [RT #40547] [RT #40561] [RT #40563]
-
-4198. [placeholder]
-
-4197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses.
- [RT #40603]
-
-4196. [doc] Improve how "enum + other" types are documented.
- [RT #40608]
-
-4195. [bug] 'max-zone-ttl unlimited;' was broken. [RT #40608]
-
-4194. [bug] named-checkconf -p failed to properly print a port
- range. [RT #40634]
-
-4193. [bug] Handle broken servers that return BADVERS incorrectly.
- [RT #40427]
-
-4192. [bug] The default rrset-order of random was not always being
- applied. [RT #40456]
-
-4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones
- as per RFC 6763. [RT #37889]
-
-4190. [protocol] Accept Active Directory gc._msdcs.<forest> name as
- valid with check-names. <forest> still needs to be
- LDH. [RT #40399]
-
-4189. [cleanup] Don't exit on overly long tokens in named.conf.
- [RT #40418]
-
-4188. [bug] Support HTTP/1.0 client properly on the statistics
- channel. [RT #40261]
-
-4187. [func] When any RR type implementation doesn't
- implement totext() for the RDATA's wire
- representation and returns ISC_R_NOTIMPLEMENTED,
- such RDATA is now printed in unknown
- presentation format (RFC 3597). RR types affected
- include LOC(29) and APL(42). [RT #40317].
-
-4186. [bug] Fixed an RPZ bug where a QNAME would be matched
- against a policy RR with wildcard owner name
- (trigger) where the QNAME was the wildcard owner
- name's parent. For example, the bug caused a query
- with QNAME "example.com" to match a policy RR with
- "*.example.com" as trigger. [RT #40357]
-
-4185. [bug] Fixed an RPZ bug where a policy RR with wildcard
- owner name (trigger) would prevent another policy RR
- with its parent owner name from being
- loaded. For example, the bug caused a policy RR
- with trigger "example.com" to not have any
- effect when a previous policy RR with trigger
- "*.example.com" existed in that RPZ zone.
- [RT #40357]
-
-4184. [bug] Fixed a possible memory leak in name compression
- when rendering long messages. (Also, improved
- wire_test for testing such messages.) [RT #40375]
-
-4183. [cleanup] Use timing-safe memory comparisons in cryptographic
- code. Also, the timing-safe comparison functions have
- been renamed to avoid possible confusion with
- memcmp(). Thanks to Loganaden Velvindron of
- AFRINIC. [RT #40148]
-
-4182. [cleanup] Use mnemonics for RR class and type comparisons.
- [RT #40297]
-
-4181. [bug] Queued notify messages could be dequeued from the
- wrong rate limiter queue. [RT #40350]
-
-4180. [bug] Error responses in pipelined queries could
- cause a crash in client.c. [RT #40289]
-
-4179. [bug] Fix double frees in getaddrinfo() in libirs.
- [RT #40209]
-
-4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from
- text. [RT #40274]
-
-4177. [bug] Fix assertion failure in parsing NSAP records from
- text. [RT #40285]
-
-4176. [bug] Address race issues with lwresd. [RT #40284]
-
-4175. [bug] TKEY with GSS-API keys needed bigger buffers.
- [RT #40333]
-
-4174. [bug] "dnssec-coverage -r" didn't handle time unit
- suffixes correctly. [RT #38444]
-
-4173. [bug] dig +sigchase was not properly matching the trusted
- key. [RT #40188]
-
-4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
- [RT #40265]
-
-4171. [bug] Fixed incorrect class checks in TSIG RR
- implementation. [RT #40287]
-
-4170. [security] An incorrect boundary check in the OPENPGPKEY
- rdatatype could trigger an assertion failure.
- (CVE-2015-5986) [RT #40286]
-
-4169. [test] Added a 'wire_test -d' option to read input as
- raw binary data, for use as a fuzzing harness.
- [RT #40312]
-
-4168. [security] A buffer accounting error could trigger an
- assertion failure when parsing certain malformed
- DNSSEC keys. (CVE-2015-5722) [RT #40212]
-
-4167. [func] Update rndc's usage output to include recently added
- commands. Thanks to Tony Finch for submitting a
- patch. [RT #40010]
-
-4166. [func] Print informative output from rndc showzone when
- allow-new-zones is not enabled for a view. Thanks to
- Tony Finch for submitting a patch. [RT #40009]
-
-4165. [security] A failure to reset a value to NULL in tkey.c could
- result in an assertion failure. (CVE-2015-5477)
- [RT #40046]
-
-4164. [bug] Don't rename slave files and journals on out of memory.
- [RT #40033]
-
-4163. [bug] Address compiler warnings. [RT #40024]
-
-4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]
-
-4161. [test] Add JSON test for traffic size stats; also test
- for consistency between "rndc stats" and the XML
- and JSON statistics channel contents. [RT #38700]
-
-4160. [placeholder]
-
-4159. [cleanup] Alphabetize dig's help output. [RT #39966]
-
-4158. [placeholder]
-
-4157. [placeholder]
-
-4156. [func] Added statistics counters to track the sizes
- of incoming queries and outgoing responses in
- histogram buckets, as specified in RSSAC002.
- [RT #39049]
-
-4155. [func] Allow RPZ rewrite logging to be configured on a
- per-zone basis using a newly introduced log clause in
- the response-policy option. [RT #39754]
-
-4154. [bug] A OPT record should be included with the FORMERR
- response when there is a malformed EDNS option.
- [RT #39647]
-
-4153. [bug] Dig should zero non significant +subnet bits. Check
- that non significant ECS bits are zero on receipt.
- [RT #39647]
-
-4152. [func] Implement DNS COOKIE option. This replaces the
- experimental SIT option of BIND 9.10. The following
- named.conf directives are available: send-cookie,
- cookie-secret, cookie-algorithm, nocookie-udp-size
- and require-server-cookie. The following dig options
- are available: +[no]cookie[=value] and +[no]badcookie.
- [RT #39928]
-
-4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
-
-4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply
- minimal fix. [RT #39667]
-
-4149. [bug] Fixed a race condition in the getaddrinfo()
- implementation in libirs, which caused the delv
- utility to crash with an assertion failure when using
- the '@server' syntax with a hostname argument.
- [RT #39899]
-
-4148. [bug] Fix a bug when printing zone names with '/' character
- in XML and JSON statistics output. [RT #39873]
-
-4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
- was returning referrals rather than nodata responses
- when the AAAA records were filtered. [RT #39843]
-
-4146. [bug] Address reference leak that could prevent a clean
- shutdown. [RT #37125]
-
-4145. [bug] Not all unassociated adb entries where being printed.
- [RT #37125]
-
-4144. [func] Add statistics counters for nxdomain redirections.
- [RT #39790]
-
-4143. [placeholder]
-
-4142. [bug] rndc addzone with view specified saved NZF config
- that could not be read back by named. This has now
- been fixed. [RT #39845]
-
-4141. [bug] A formatting bug caused rndc zonestatus to print
- negative numbers for large serial values. This has
- now been fixed. [RT #39854]
-
-4140. [cleanup] Remove redundant nzf_remove() call during delzone.
- [RT #39844]
-
-4139. [doc] Fix rpz-client-ip documentation. [RT #39783]
-
-4138. [security] An uninitialized value in validator.c could result
- in an assertion failure. (CVE-2015-4620) [RT #39795]
-
-4137. [bug] Make rndc reconfig report configuration errors the
- same way rndc reload does. [RT #39635]
-
-4136. [bug] Stale statistics counters with the leading
- '#' prefix (such as #NXDOMAIN) were not being
- updated correctly. This has been fixed. [RT #39141]
-
-4135. [cleanup] Log expired NTA at startup. [RT #39680]
-
-4134. [cleanup] Include client-ip rules when logging the number
- of RPZ rules of each type. [RT #39670]
-
-4133. [port] Update how various json libraries are handled.
- [RT #39646]
-
-4132. [cleanup] dig: added +rd as a synonym for +recurse,
- added +class as an unabbreviated alternative
- to +cl. [RT #39686]
-
-4131. [bug] Addressed further problems with reloading RPZ
- zones. [RT #39649]
-
-4130. [bug] The compatibility shim for *printf() misprinted some
- large numbers. [RT #39586]
-
-4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]
-
-4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]
-
-4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
- key as per RFC 7344, Section 4.1. [RT #37215]
-
-4126. [bug] Addressed a regression introduced in change #4121.
- [RT #39611]
-
-4125. [test] Added tests for dig, renamed delv test to digdelv.
- [RT #39490]
-
-4124. [func] Log errors or warnings encountered when parsing the
- internal default configuration. Clarify the logging
- of errors and warnings encountered in rndc
- addzone or modzone parameters. [RT #39440]
-
-4123. [port] Added %z (size_t) format options to the portable
- internal printf/sprintf implementation. [RT #39586]
-
-4122. [bug] The server could match a shorter prefix than what was
- available in CLIENT-IP policy triggers, and so, an
- unexpected action could be taken. This has been
- corrected. [RT #39481]
-
-4121. [bug] On servers with one or more policy zones
- configured as slaves, if a policy zone updated
- during regular operation (rather than at
- startup) using a full zone reload, such as via
- AXFR, a bug could allow the RPZ summary data to
- fall out of sync, potentially leading to an
- assertion failure in rpz.c when further
- incremental updates were made to the zone, such
- as via IXFR. [RT #39567]
-
-4120. [bug] A bug in RPZ could cause the server to crash if
- policy zones were updated while recursion was
- pending for RPZ processing of an active query.
- [RT #39415]
-
-4119. [test] Allow dig to set the message opcode. [RT #39550]
-
-4118. [bug] Teach isc-config.sh about irs. [RT #39213]
-
-4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.
-
-4116. [bug] Fix a bug in RPZ that could cause some policy
- zones that did not specifically require
- recursion to be treated as if they did;
- consequently, setting qname-wait-recurse no; was
- sometimes ineffective. [RT #39229]
-
-4115. [func] "rndc -r" now prints the result code (e.g.,
- ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
- running the requested command. [RT #38913]
-
-4114. [bug] Fix a regression in radix tree implementation
- introduced by ECS code. This bug was never
- released, but it was reported by a user testing
- master. [RT #38983]
-
-4113. [test] Check for Net::DNS is some system test
- prerequisites. [RT #39369]
-
-4112. [bug] Named failed to load when "root-delegation-only"
- was used without a list of domains to exclude.
- [RT #39380]
-
-4111. [doc] Alphabetize rndc man page. [RT #39360]
-
-4110. [bug] Address memory leaks / null pointer dereferences
- on out of memory. [RT #39310]
-
-4109. [port] linux: support reading the local port range from
- net.ipv4.ip_local_port_range. [RT # 39379]
-
-4108. [func] An additional NXDOMAIN redirect method (option
- "nxdomain-redirect") has been added, allowing
- redirection to a specified DNS namespace instead
- of a single redirect zone. [RT #37989]
-
-4107. [bug] Address potential deadlock when updating zone content.
- [RT #39269]
-
-4106. [port] Improve readline support. [RT #38938]
-
-4105. [port] Misc fixes for Microsoft Visual Studio
- 2015 CTP6 in 64 bit mode. [RT #39308]
-
-4104. [bug] Address uninitialized elements. [RT #39252]
-
-4103. [port] Misc fixes for Microsoft Visual Studio
- 2015 CTP6. [RT #39267]
-
-4102. [bug] Fix a use after free bug introduced in change
- #4094. [RT #39281]
-
-4101. [bug] dig: the +split and +rrcomments options didn't
- work with +short. [RT #39291]
-
-4100. [bug] Inherited owernames on the line immediately following
- a $INCLUDE were not working. [RT #39268]
-
-4099. [port] clang: make unknown commandline options hard errors
- when determining what options are supported.
- [RT #39273]
-
-4098. [bug] Address use-after-free issue when using a
- predecessor key with dnssec-settime. [RT #39272]
-
-4097. [func] Add additional logging about xfrin transfer status.
- [RT #39170]
-
-4096. [bug] Fix a use after free of query->sendevent.
- [RT #39132]
-
-4095. [bug] zone->options2 was not being properly initialized.
- [RT #39228]
-
-4094. [bug] A race during shutdown or reconfiguration could
- cause an assertion in mem.c. [RT #38979]
-
-4093. [func] Dig now learns the SIT value from truncated
- responses when it retries over TCP. [RT #39047]
-
-4092. [bug] 'in-view' didn't work for zones beneath a empty zone.
- [RT #39173]
-
-4091. [cleanup] Some cleanups in isc mem code. [RT #38896]
-
-4090. [bug] Fix a crash while parsing malformed CAA RRs in
- presentation format, i.e., from text such as
- from master files. Thanks to John Van de
- Meulebrouck Brendgard for discovering and
- reporting this problem. [RT #39003]
-
-4089. [bug] Send notifies immediately for slave zones during
- startup. [RT #38843]
-
-4088. [port] Fixed errors when building with libressl. [RT #38899]
-
-4087. [bug] Fix a crash due to use-after-free due to sequencing
- of tasks actions. [RT #38495]
-
-4086. [bug] Fix out-of-srcdir build with native pkcs11. [RT #38831]
-
-4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
- [RT #38828]
-
-4084. [bug] Fix a possible race in updating stats counters.
- [RT #38826]
-
-4083. [cleanup] Print the number of CPUs and UDP listeners
- consistently in the log and in "rndc status"
- output; indicate whether threads are supported
- in "named -V" output. [RT #38811]
-
-4082. [bug] Incrementally sign large inline zone deltas.
- [RT #37927]
-
-4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
-
-4080. [func] Completed change #4022, adding a "lock-file" option
- to named.conf to override the default lock file,
- in addition to the "named -X <filename>" command
- line option. Setting the lock file to "none"
- using either method disables the check completely.
- [RT #37908]
-
-4079. [func] Preserve the case of the owner name of records to
- the RRset level. [RT #37442]
-
-4078. [bug] Handle the case where CMSG_SPACE(sizeof(int)) !=
- CMSG_SPACE(sizeof(char)). [RT #38621]
-
-4077. [test] Add static-stub regression test for DS NXDOMAIN
- return making the static stub disappear. [RT #38564]
-
-4076. [bug] Named could crash on shutdown with outstanding
- reload / reconfig events. [RT #38622]
-
-4075. [placeholder]
-
-4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
-
-4073. [cleanup] Add libjson-c version number reporting to
- "named -V"; normalize version number formatting.
- [RT #38056]
-
-4072. [func] Add a --enable-querytrace configure switch for
- very verbose query trace logging. (This option
- has a negative performance impact and should be
- used only for debugging.) [RT #37520]
-
-4071. [cleanup] Initialize pthread mutex attrs just once, instead of
- doing it per mutex creation. [RT #38547]
-
-4070. [bug] Fix a segfault in nslookup in a query such as
- "nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
- [RT #38548]
-
-4069. [doc] Reorganize options in the nsupdate man page.
- [RT #38515]
-
-4068. [bug] Omit unknown serial number from JSON zone statistics.
- [RT #38604]
-
-4067. [cleanup] Reduce noise from RRL when query logging is
- disabled. [RT #38648]
-
-4066. [doc] Reorganize options in the dig man page. [RT #38516]
-
-4065. [test] Additional RFC 5011 tests. [RT #38569]
-
-4064. [contrib] dnssec-keyset.sh: Generates a specified number
- of DNSSEC keys with timing set to implement a
- pre-publication key rollover strategy. Thanks
- to Jeffry A. Spain. [RT #38459]
-
-4063. [bug] Asynchronous zone loads were not handled
- correctly when the zone load was already in
- progress; this could trigger a crash in zt.c.
- [RT #37573]
-
-4062. [bug] Fix an out-of-bounds read in RPZ code. If the
- read succeeded, it doesn't result in a bug
- during operation. If the read failed, named
- could segfault. [RT #38559]
-
-4061. [bug] Handle timeout in legacy system test. [RT #38573]
-
-4060. [bug] dns_rdata_freestruct could be called on a
- uninitialized structure when handling a error.
- [RT #38568]
-
-4059. [bug] Addressed valgrind warnings. [RT #38549]
-
-4058. [bug] UDP dispatches could use the wrong pseudorandom
- number generator context. [RT #38578]
-
-4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
- [RT #38565]
-
-4056. [bug] Expanded automatic testing of trust anchor
- management and fixed several small bugs including
- a memory leak and a possible loss of key state
- information. [RT #38458]
-
-4055. [func] "rndc managed-keys" can be used to check status
- of trust anchors or to force keys to be refreshed,
- Also, the managed keys data file has easier-to-read
- comments. [RT #38458]
-
-4054. [func] Added a new tool 'mdig', a lightweight clone of
- dig able to send multiple pipelined queries.
- [RT #38261]
-
-4053. [security] Revoking a managed trust anchor and supplying
- an untrusted replacement could cause named
- to crash with an assertion failure.
- (CVE-2015-1349) [RT #38344]
-
-4052. [bug] Fix a leak of query fetchlock. [RT #38454]
-
-4051. [bug] Fix a leak of pthread_mutexattr_t. [RT #38454]
-
-4050. [bug] RPZ could send spurious SERVFAILs in response
- to duplicate queries. [RT #38510]
-
-4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
-
-4048. [bug] adb hash table was not being grown. [RT #38470]
-
-4047. [cleanup] "named -V" now reports the current running versions
- of OpenSSL and the libxml2 libraries, in addition to
- the versions that were in use at build time.
-
-4046. [bug] Accounting of "total use" in memory context
- statistics was not correct. [RT #38370]
-
-4045. [bug] Skip to next master on dns_request_createvia4 failure.
- [RT #25185]
-
-4044. [bug] Change 3955 was not complete, resulting in an assertion
- failure if the timing was just right. [RT #38352]
-
-4043. [func] "rndc modzone" can be used to modify the
- configuration of an existing zone, using similar
- syntax to "rndc addzone". [RT #37895]
-
-4042. [bug] zone.c:iszonesecure was being called too late.
- [RT #38371]
-
-4041. [func] TCP sockets can now be shared while connecting.
- (This will be used to enable client-side support
- of pipelined queries.) [RT #38231]
-
-4040. [func] Added server-side support for pipelined TCP
- queries. Clients may continue sending queries via
- TCP while previous queries are being processed
- in parallel. (The new "keep-response-order"
- option allows clients to be specified for which
- the old behavior will still be used.) [RT #37821]
-
-4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
-
-4038. [bug] Add 'rpz' flag to node and use it to determine whether
- to call dns_rpz_delete. This should prevent unbalanced
- add / delete calls. [RT #36888]
-
-4037. [bug] also-notify was ignoring the tsig key when checking
- for duplicates resulting in some expected notify
- messages not being sent. [RT #38369]
-
-4036. [bug] Make call to open a temporary file name safe during
- NZF creation. [RT #38331]
-
-4035. [bug] Close temporary and NZF FILE pointers before moving
- the former into the latter's place, as required on
- Windows. [RT #38332]
-
-4034. [func] When added, negative trust anchors (NTA) are now
- saved to files (viewname.nta), in order to
- persist across restarts of the named server.
- [RT #37087]
-
-4033. [bug] Missing out of memory check in request.c:req_send.
- [RT #38311]
-
-4032. [bug] Built-in "empty" zones did not correctly inherit the
- "allow-transfer" ACL from the options or view.
- [RT #38310]
-
-4031. [bug] named-checkconf -z failed to report a missing file
- with a hint zone. [RT #38294]
-
-4030. [func] "rndc delzone" is now applicable to zones that were
- configured in named.conf, as well as zones that
- were added via "rndc addzone". (Note, however, that
- if named.conf is not also modified, the deleted zone
- will return when named is reloaded.) [RT #37887]
-
-4029. [func] "rndc showzone" displays the current configuration
- of a specified zone. [RT #37887]
-
-4028. [bug] $GENERATE with a zero step was not being caught as a
- error. A $GENERATE with a / but no step was not being
- caught as a error. [RT #38262]
-
-4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
-
-4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
-
-4025. [port] bsdi: failed to build. [RT #38047]
-
-4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
- dns_rdata_opt_current, dns_rdata_txt_first,
- dns_rdata_txt_next and dns_rdata_txt_current were
- documented but not implemented. These have now been
- implemented.
-
- dns_rdata_spf_first, dns_rdata_spf_next and
- dns_rdata_spf_current were documented but not
- implemented. The prototypes for these
- functions have been removed. [RT #38068]
-
-4023. [bug] win32: socket handling with explicit ports and
- invoking named with -4 was broken for some
- configurations. [RT #38068]
-
-4022. [func] Stop multiple spawns of named by limiting number of
- processes to 1. This is done by using a lockfile and
- checking whether we can listen on any configured
- TCP interfaces. [RT #37908]
-
-4021. [bug] Adjust max-recursion-queries to accommodate
- the need for more queries when the cache is
- empty. [RT #38104]
-
-4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
- resulting in updates being sent to the wrong server.
- [RT #37925]
-
-4019. [func] If named is not configured to validate the answer
- then allow fallback to plain DNS on timeout even
- when we know the server supports EDNS. [RT #37978]
-
-4018. [placeholder]
-
-4017. [test] Add system test to check lookups to legacy servers
- with broken DNS behavior. [RT #37965]
-
-4016. [bug] Fix a dig segfault due to bad linked list usage.
- [RT #37591]
-
-4015. [bug] Nameservers that are skipped due to them being
- CNAMEs were not being logged. They are now logged
- to category 'cname' as per BIND 8. [RT #37935]
-
-4014. [bug] When including a master file origin_changed was
- not being properly set leading to a potentially
- spurious 'inherited owner' warning. [RT #37919]
-
-4013. [func] Add a new tcp-only option to server (config) /
- peer (struct) to use TCP transport to send
- queries (in place of UDP transport with a
- TCP fallback on truncated (TC set) response).
- [RT #37800]
-
-4012. [cleanup] Check returned status of OpenSSL digest and HMAC
- functions when they return one. Note this applies
- only to FIPS capable OpenSSL libraries put in
- FIPS mode and MD5. [RT #37944]
-
-4011. [bug] master's list port and dscp inheritance was not
- properly implemented. [RT #37792]
-
-4010. [cleanup] Clear the prefetchable state when initiating a
- prefetch. [RT #37399]
-
-4009. [func] delv: added a +tcp option. [RT #37855]
-
-4008. [contrib] Updated zkt to latest version (1.1.3). [RT #37886]
-
-4007. [doc] Remove acl forward reference restriction. [RT #37772]
-
-4006. [security] A flaw in delegation handling could be exploited
- to put named into an infinite loop. This has
- been addressed by placing limits on the number
- of levels of recursion named will allow (default 7),
- and the number of iterative queries that it will
- send (default 50) before terminating a recursive
- query (CVE-2014-8500).
-
- The recursion depth limit is configured via the
- "max-recursion-depth" option, and the query limit
- via the "max-recursion-queries" option. [RT #37580]
-
-4005. [func] The buffer used for returning text from rndc
- commands is now dynamically resizable, allowing
- arbitrarily large amounts of text to be sent back
- to the client. (Prior to this change, it was
- possible for the output of "rndc tsig-list" to be
- truncated.) [RT #37731]
-
-4004. [bug] When delegations had AAAA glue but not A, a
- reference could be leaked causing an assertion
- failure on shutdown. [RT #37796]
-
-4003. [security] When geoip-directory was reconfigured during
- named run-time, the previously loaded GeoIP
- data could remain, potentially causing wrong
- ACLs to be used or wrong results to be served
- based on geolocation (CVE-2014-8680). [RT #37720]
-
-4002. [security] Lookups in GeoIP databases that were not
- loaded could cause an assertion failure
- (CVE-2014-8680). [RT #37679]
-
-4001. [security] The caching of GeoIP lookups did not always
- handle address families correctly, potentially
- resulting in an assertion failure (CVE-2014-8680).
- [RT #37672]
-
-4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
- from the redirect zone. [RT #37722]
-
-3999. [func] "mkeys" and "nzf" files are now named after
- their corresponding views, unless the view name
- contains characters that would be incompatible
- with use in a filename (i.e., slash, backslash,
- or capital letters). If a view name does contain
- these characters, the files will still be named
- using a cryptographic hash of the view name.
- Regardless of this, if a file using the old name
- format is found to exist, it will continue to be
- used. [RT #37704]
-
-3998. [bug] isc_radix_search was returning matches that were
- too precise. [RT #37680]
-
-3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
-
-3996. [bug] Address use after free on out of memory error in
- keyring_add. [RT #37639]
-
-3995. [bug] receive_secure_serial holds the zone lock for too
- long. [RT #37626]
-
-3994. [func] Dig now supports setting the last unassigned DNS
- header flag bit (dig +zflag). [RT #37421]
-
-3993. [func] Dig now supports EDNS negotiation by default.
- (dig +[no]ednsnegotiation).
-
- Note: This is disabled by default in BIND 9.10
- and enabled by default in BIND 9.11. [RT #37604]
-
-3992. [func] DiG can now send queries without questions
- (dig +header-only). [RT #37599]
-
-3991. [func] Add the ability to buffer logging output by specifying
- "buffered yes;" when defining a channel. [RT #26561]
-
-3990. [test] Add tests for unknown DNSSEC algorithm handling.
- [RT #37541]
-
-3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
-
-3988. [func] Allow the zone serial of a dynamically updatable
- zone to be updated via "rndc signing -serial".
- [RT #37404]
-
-3987. [port] Handle future Visual Studio 14 incompatible changes.
- [RT #37380]
-
-3986. [doc] Add the BIND version number to page footers
- in the ARM. [RT #37398]
-
-3985. [doc] Describe how +ndots and +search interact in dig.
- [RT #37529]
-
-3984. [func] Accept 256 byte long PINs in native PKCS#11
- crypto. [RT #37410]
-
-3983. [bug] Change #3940 was incomplete: negative trust anchors
- could be set to last up to a week, but the
- "nta-lifetime" and "nta-recheck" options were
- still limited to one day. [RT #37522]
-
-3982. [doc] Include release notes in product documentation.
- [RT #37272]
-
-3981. [bug] Cache DS/NXDOMAIN independently of other query types.
- [RT #37467]
-
-3980. [bug] Improve --with-tuning=large by self tuning of SO_RCVBUF
- size. [RT #37187]
-
-3979. [bug] Negative trust anchor fetches were not properly
- managed. [RT #37488]
-
-3978. [test] Added a unit test for Diffie-Hellman key
- computation, completing change #3974. [RT #37477]
-
-3977. [cleanup] "rndc secroots" reported a "not found" error when
- there were no negative trust anchors set. [RT #37506]
-
-3976. [bug] When refreshing managed-key trust anchors, clear
- any cached trust so that they will always be
- revalidated with the current set of secure
- roots. [RT #37506]
-
-3975. [bug] Don't populate or use the bad cache for queries that
- don't request or use recursion. [RT #37466]
-
-3974. [bug] Handle DH_compute_key() failure correctly in
- openssldh_link.c. [RT #37477]
-
-3973. [test] Added hooks for Google Performance Tools CPU profiler,
- including real-time/wall-clock profiling. Use
- "configure --with-gperftools-profiler" to enable.
- [RT #37339]
-
-3972. [bug] Fix host's usage statement. [RT #37397]
-
-3971. [bug] Reduce the cascading failures due to a bad $TTL line
- in named-checkconf / named-checkzone. [RT #37138]
-
-3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
- [RT #37237]
-
-3969. [test] Added 'delv' system test. [RT #36901]
-
-3968. [bug] Silence spurious log messages when using 'named -[46]'.
- [RT #37308]
-
-3967. [test] Add test for inlined signed zone in multiple views
- with different DNSKEY sets. [RT #35759]
-
-3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
- [RT #35746]
-
-3965. [func] Log outgoing packets and improve packet logging to
- support logging the remote address. [RT #36624]
-
-3964. [func] nsupdate now performs check-names processing.
- [RT #36266]
-
-3963. [test] Added NXRRSET test cases to the "dlzexternal"
- system test. [RT #37344]
-
-3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
- conditions. [RT #34663]
-
-3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
- BADSIG. [RT #37216]
-
-3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
-
-3959. [bug] Updates could be lost if they arrived immediately
- after a rndc thaw. [RT #37233]
-
-3958. [bug] Detect when writeable files have multiple references
- in named.conf. [RT #37172]
-
-3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
- and ECDSAP384SHA384. [RT #37183]
-
-3956. [func] Notify messages are now rate limited by notify-rate and
- startup-notify-rate instead of serial-query-rate.
- [RT #24454]
-
-3955. [bug] Notify messages due to changes are no longer queued
- behind startup notify messages. [RT #24454]
-
-3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
-
-3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
-
-3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
- two name pointers were the same. [RT #37176]
-
-3951. [func] Add the ability to set yet-to-be-defined EDNS flags
- to dig (+ednsflags=#). [RT #37142]
-
-3950. [port] Changed the bin/python Makefile to work around a
- bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
-
-3949. [experimental] Experimental support for draft-andrews-edns1 by sending
- EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
- building). Add support for limiting the EDNS version
- advertised to servers: server { edns-version 0; };
- Log the EDNS version received in the query log.
- [RT #35864]
-
-3948. [port] solaris: RCVBUFSIZE was too large on Solaris with
- --with-tuning=large. [RT #37059]
-
-3947. [cleanup] Set the executable bit on libraries when using
- libtool. [RT #36786]
-
-3946. [cleanup] Improved "configure" search for a python interpreter.
- [RT #36992]
-
-3945. [bug] Invalid wildcard expansions could be incorrectly
- accepted by the validator. [RT #37093]
-
-3944. [test] Added a regression test for "server-id". [RT #37057]
-
-3943. [func] SERVFAIL responses can now be cached for a
- limited time (configured by "servfail-ttl",
- default 10 seconds, limit 30). This can reduce
- the frequency of retries when an authoritative
- server is known to be failing, e.g., due to
- ongoing DNSSEC validation problems. [RT #21347]
-
-3942. [bug] Wildcard responses from a optout range should be
- marked as insecure. [RT #37072]
-
-3941. [doc] Include the BIND version number in the ARM. [RT #37067]
-
-3940. [func] "rndc nta" now allows negative trust anchors to be
- set for up to one week. [RT #37069]
-
-3939. [func] Improve UPDATE forwarding performance by allowing TCP
- connections to be shared. [RT #37039]
-
-3938. [func] Added quotas to be used in recursive resolvers
- that are under high query load for names in zones
- whose authoritative servers are nonresponsive or
- are experiencing a denial of service attack.
-
- - "fetches-per-server" limits the number of
- simultaneous queries that can be sent to any
- single authoritative server. The configured
- value is a starting point; it is automatically
- adjusted downward if the server is partially or
- completely non-responsive. The algorithm used to
- adjust the quota can be configured via the
- "fetch-quota-params" option.
- - "fetches-per-zone" limits the number of
- simultaneous queries that can be sent for names
- within a single domain. (Note: Unlike
- "fetches-per-server", this value is not
- self-tuning.)
- - New stats counters have been added to count
- queries spilled due to these quotas.
-
- See the ARM for details of these options. [RT #37125]
-
-3937. [func] Added some debug logging to better indicate the
- conditions causing SERVFAILs when resolving.
- [RT #35538]
-
-3936. [func] Added authoritative support for the EDNS Client
- Subnet (ECS) option.
-
- ACLs can now include "ecs" elements which specify
- an address or network prefix; if an ECS option is
- included in a DNS query, then the address encoded
- in the option will be matched against "ecs" ACL
- elements.
-
- Also, if an ECS address is included in a query,
- then it will be used instead of the client source
- address when matching "geoip" ACL elements. This
- behavior can be overridden with "geoip-use-ecs no;".
- (Note: to enable "geoip" ACLs, use "configure
- --with-geoip". This requires libGeoIP version
- 1.5.0 or higher.)
-
- When "ecs" or "geoip" ACL elements are used to
- select a view for a query, the response will include
- an ECS option to indicate which client network the
- answer is valid for.
-
- (Thanks to Vincent Bernat.) [RT #36781]
-
-3935. [bug] "geoip asnum" ACL elements would not match unless
- the full organization name was specified. They
- can now match against the AS number alone (e.g.,
- AS1234). [RT #36945]
-
-3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
- sit-secret documentation. [RT #36980]
-
-3933. [bug] Corrected the implementation of dns_rdata_casecompare()
- for the HIP rdata type. [RT #36911]
-
-3932. [test] Improved named-checkconf tests. [RT #36911]
-
-3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
-
-3930. [bug] "rndc nta -r" could cause a server hang if the
- NTA was not found. [RT #36909]
-
-3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]
-
-3928. [test] Improve rndc system test. [RT #36898]
-
-3927. [bug] dig: report PKCS#11 error codes correctly when
- compiled with --enable-native-pkcs11. [RT #36956]
-
-3926. [doc] Added doc for geoip-directory. [RT #36877]
-
-3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
-
-3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
-
-3923. [bug] Sanity check the xml2-config output. [RT #22246]
-
-3922. [bug] When resigning, dnssec-signzone was removing
- all signatures from delegation nodes. It now
- retains DS and (if applicable) NSEC signatures.
- [RT #36946]
-
-3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
-
-3920. [doc] Added doc for masterfile-style. [RT #36823]
-
-3919. [bug] dig: continue to next line if a address lookup fails
- in batch mode. [RT #36755]
-
-3918. [doc] Update check-spf documentation. [RT #36910]
-
-3917. [bug] dig, nslookup and host now continue on names that are
- too long after applying a search list elements.
- [RT #36892]
-
-3916. [contrib] zone2sqlite checked wrong result code. Address
- compiler warnings. [RT #36931]
-
-3915. [bug] Address a assertion if a route event arrived while
- shutting down. [RT #36887]
-
-3914. [bug] Allow the URI target and CAA value fields to
- be zero length. [RT #36737]
-
-3913. [bug] Address race issue in dispatch. [RT #36731]
-
-3912. [bug] Address some unrecoverable lookup failures. [RT #36330]
-
-3911. [func] Implement EDNS EXPIRE option client side, allowing
- a slave server to set the expiration timer correctly
- when transferring zone data from another slave
- server. [RT #35925]
-
-3910. [bug] Fix races to free event during shutdown. [RT #36720]
-
-3909. [bug] When computing the number of elements required for a
- acl count_acl_elements could have a short count leading
- to a assertion failure. Also zero out new acl elements
- in dns_acl_merge. [RT #36675]
-
-3908. [bug] rndc now differentiates between a zone in multiple
- views and a zone that doesn't exist at all. [RT #36691]
-
-3907. [cleanup] Alphabetize rndc help. [RT #36683]
-
-3906. [protocol] Update URI record format to comply with
- draft-faltstrom-uri-08. [RT #36642]
-
-3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]
-
-3904. [func] Add the RPZ SOA to the additional section. [RT36507]
-
-3903. [bug] Improve the accuracy of DiG's reported round trip
- time. [RT 36611]
-
-3902. [bug] liblwres wasn't handling link-local addresses in
- nameserver clauses in resolv.conf. [RT #36039]
-
-3901. [protocol] Added support for CAA record type (RFC 6844).
- [RT #36625]
-
-3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]
-
-3899. [bug] "request-ixfr" is only applicable to slave and redirect
- zones. [RT #36608]
-
-3898. [bug] Too small a buffer in tohexstr() calls in test code.
- [RT #36598]
-
-3897. [bug] RPZ summary information was not properly being updated
- after a AXFR resulting in changes sometimes being
- ignored. [RT #35885]
-
-3896. [bug] Address performance issues with DSCP code on some
- platforms. [RT #36534]
-
-3895. [func] Add the ability to set the DSCP code point to dig.
- [RT #36546]
-
-3894. [bug] Buffers in isc_print_vsnprintf were not properly
- initialized leading to potential overflows when
- printing out quad values. [RT #36505]
-
-3893. [bug] Peer DSCP values could be returned without being set.
- [RT #36538]
-
-3892. [bug] Setting '-t aaaa' in .digrc had unintended side
- effects. [RT #36452]
-
-3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
- to install python programs.
-
-3890. [bug] RRSIG sets that were not loaded in a single transaction
- at start up where not being correctly added to
- re-signing heaps. [RT #36302]
-
-3889. [port] hurd: configure fixes as per:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
-
-3888. [func] 'rndc status' now reports the number of automatic
- zones. [RT #36015]
-
-3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
- they are easier to use in a debugger. [RT #36373]
-
-3886. [bug] rbtdb_write_header should use a once to initialize
- FILE_VERSION. [RT #36374]
-
-3885. [port] Use 'open()' rather than 'file()' to open files in
- python.
-
-3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]
-
-3883. [placeholder]
-
-3882. [func] By default, negative trust anchors will be tested
- periodically to see whether data below them can be
- validated, and if so, they will be allowed to
- expire early. The "rndc nta -force" option
- overrides this behavior. The default NTA lifetime
- and the recheck frequency can be configured by the
- "nta-lifetime" and "nta-recheck" options. [RT #36146]
-
-3881. [bug] Address memory leak with UPDATE error handling.
- [RT #36303]
-
-3880. [test] Update ans.pl to work with new TSIG support in
- Net::DNS; add additional Net::DNS version prerequisite
- checks. [RT #36327]
-
-3879. [func] Add version printing option to various BIND utilities.
- [RT #10686]
-
-3878. [bug] Using the incorrect filename for a DLZ module
- caused a segmentation fault on startup. [RT #36286]
-
-3877. [bug] Inserting and deleting parent and child nodes
- in response policy zones could trigger an assertion
- failure. [RT #36272]
-
-3876. [bug] Improve efficiency of DLZ redirect zones by
- suppressing unnecessary database lookups. [RT #35835]
-
-3875. [cleanup] Clarify log message when unable to read private
- key files. [RT #24702]
-
-3874. [test] Check that only "check-names master" is needed for
- updates to be accepted.
-
-3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]
-
-3872. [bug] Address issues found by static analysis. [RT #36209]
-
-3871. [bug] Don't publish an activated key automatically before
- its publish time. [RT #35063]
-
-3870. [func] Updated the random number generator used in
- the resolver to use the updated ChaCha based one
- (similar to OpenBSD's changes). Also moved the
- RNG to libisc and added unit tests for it.
- [RT #35942]
-
-3869. [doc] Document that in-view zones cannot be used for
- response policy zones. [RT #35941]
-
-3868. [bug] isc_mem_setwater incorrectly cleared hi_called
- potentially leaving over memory cleaner running.
- [RT #35270]
-
-3867. [func] "rndc nta" can now be used to set a temporary
- negative trust anchor, which disables DNSSEC
- validation below a specified name for a specified
- period of time (not exceeding 24 hours). This
- can be used when validation for a domain is known
- to be failing due to a configuration error on
- the part of the domain owner rather than a
- spoofing attack. [RT #29358]
-
-3866. [bug] Named could die on disk full in generate_session_key.
- [RT #36119]
-
-3865. [test] Improved testability of the red-black tree
- implementation and added unit tests. [RT #35904]
-
-3864. [bug] RPZ didn't work well when being used as forwarder.
- [RT #36060]
-
-3863. [bug] The "E" flag was missing from the query log as a
- unintended side effect of code rearrangement to
- support EDNS EXPIRE. [RT #36117]
-
-3862. [cleanup] Return immediately if we are not going to log the
- message in ns_client_dumpmessage.
-
-3861. [security] Missing isc_buffer_availablelength check results
- in a REQUIRE assertion when printing out a packet
- (CVE-2014-3859). [RT #36078]
-
-3860. [bug] ioctl(DP_POLL) array size needs to be determined
- at run time as it is limited to {OPEN_MAX}.
- [RT #35878]
-
-3859. [placeholder]
-
-3858. [bug] Disable GCC 4.9 "delete null pointer check".
- [RT #35968]
-
-3857. [bug] Make it harder for a incorrect NOEDNS classification
- to be made. [RT #36020]
-
-3856. [bug] Configuring libjson without also configuring libxml
- resulted in a REQUIRE assertion when retrieving
- statistics using json. [RT #36009]
-
-3855. [bug] Limit smoothed round trip time aging to no more than
- once a second. [RT #32909]
-
-3854. [cleanup] Report unrecognized options, if any, in the final
- configure summary. [RT #36014]
-
-3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
- the handling of a rdataset with no records. [RT #35968]
-
-3852. [func] Increase the default number of clients available
- for servicing lightweight resolver queries, and
- make them configurable via the "lwres-tasks" and
- "lwres-clients" options. (Thanks to Tomas Hozza.)
- [RT #35857]
-
-3851. [func] Allow libseccomp based system-call filtering
- on Linux; use "configure --enable-seccomp" to
- turn it on. Thanks to Loganaden Velvindron
- of AFRINIC for the contribution. [RT #35347]
-
-3850. [bug] Disabling forwarding could trigger a REQUIRE assertion.
- [RT #35979]
-
-3849. [doc] Alphabetized dig's +options. [RT #35992]
-
-3848. [bug] Adjust 'statistics-channels specified but not effective'
- error message to account for JSON support. [RT #36008]
-
-3847. [bug] 'configure --with-dlz-postgres' failed to fail when
- there is not support available.
-
-3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
- ixfr query. [RT #35980]
-
-3845. [placeholder]
-
-3844. [bug] Use the x64 version of the Microsoft Visual C++
- Redistributable when built for 64 bit Windows.
- [RT #35973]
-
-3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
- [RT #35969]
-
-3842. [bug] Adjust RRL log-only logging category. [RT #35945]
-
-3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
- [RT #35924]
-
-3840. [port] Check for arc4random_addrandom() before using it;
- it's been removed from OpenBSD 5.5. [RT #35907]
-
-3839. [test] Use only posix-compatible shell in system tests.
- [RT #35625]
-
-3838. [protocol] EDNS EXPIRE as been assigned a code point of 9.
-
-3837. [security] A NULL pointer is passed to query_prefetch resulting
- a REQUIRE assertion failure when a fetch is actually
- initiated (CVE-2014-3214). [RT #35899]
-
-3836. [bug] Address C++ keyword usage in header file.
-
-3835. [bug] Geoip ACL elements didn't work correctly when
- referenced via named or nested ACLs. [RT #35879]
-
-3834. [bug] The re-signing heaps were not being updated soon enough
- leading to multiple re-generations of the same RRSIG
- when a zone transfer was in progress. [RT #35273]
-
-3833. [bug] Cross compiling was broken due to calling genrandom at
- build time. [RT #35869]
-
-3832. [func] "named -L <filename>" causes named to send log
- messages to the specified file by default instead
- of to the system log. (Thanks to Tony Finch.)
- [RT #35845]
-
-3831. [cleanup] Reduce logging noise when EDNS state changes occur.
- [RT #35843]
-
-3830. [func] When query logging is enabled, log query errors at
- the same level ('info') as the queries themselves.
- [RT #35844]
-
-3829. [func] "dig +ttlunits" causes dig to print TTL values
- with time-unit suffixes: w, d, h, m, s for
- weeks, days, hours, minutes, and seconds. (Thanks
- to Tony Finch.) [RT #35823]
-
-3828. [func] "dnssec-signzone -N date" updates serial number
- to the current date in YYYYMMDDNN format.
- [RT #35800]
-
-3827. [placeholder]
-
-3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
- [RT #35870]
-
-3825. [bug] Address sign extension bug in isc_regex_validate.
- [RT #35758]
-
-3824. [bug] A collision between two flag values could cause
- problems with cache cleaning when SIT was enabled.
- [RT #35858]
-
-3823. [func] Log the rpz cname target when rewriting. [RT #35667]
-
-3822. [bug] Log the correct type of static-stub zones when
- removing them. [RT #35842]
-
-3821. [contrib] Added a new "mysqldyn" DLZ module with dynamic
- update and transaction support. Thanks to Marty
- Lee for the contribution. [RT #35656]
-
-3820. [func] The DLZ API doesn't pass the database version to
- the lookup() function; this can cause DLZ modules
- that allow dynamic updates to mishandle prerequisite
- checks. This has been corrected by adding a
- 'dbversion' field to the dns_clientinfo_t
- structure. [RT #35656]
-
-3819. [bug] NSEC3 hashes need to be able to be entered and
- displayed without padding. This is not a issue for
- currently defined algorithms but may be for future
- hash algorithms. [RT #27925]
-
-3818. [bug] Stop lying to the optimizer that 'void *arg' is a
- constant in isc_event_allocate.
-
-3817. [func] The "delve" command is now spelled "delv" to avoid
- a namespace collision with the Xapian project.
- [RT #35801]
-
-3816. [func] "dig +qr" now reports query size. (Thanks to
- Tony Finch.) [RT #35822]
-
-3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
-
-3814. [func] The "masterfile-style" zone option controls the
- formatting of dumped zone files. Options are
- "relative" (multiline format) and "full" (one
- record per line). The default is "relative".
- [RT #20798]
-
-3813. [func] "host" now recognizes the "timeout", "attempts" and
- "debug" options when set in /etc/resolv.conf.
- (Thanks to Adam Tkac at RedHat.) [RT #21885]
-
-3812. [func] Dig now supports sending arbitrary EDNS options from
- the command line (+ednsopt=code[:value]). [RT #35584]
-
-3811. [func] "serial-update-method date;" sets serial number
- on dynamic update to today's date in YYYYMMDDNN
- format. (Thanks to Bradley Forschinger.) [RT #24903]
-
-3810. [bug] Work around broken nameservers that fail to ignore
- unknown EDNS options. [RT #35766]
-
-3809. [doc] Fix SIT and NSID documentation.
-
-3808. [doc] Clean up "prefetch" documentation. [RT #35751]
-
-3807. [bug] Fix sign extension bug in dns_name_fromtext when
- lowercase is set. [RT #35743]
-
-3806. [test] Improved system test portability. [RT #35625]
-
-3805. [contrib] Added contrib/perftcpdns, a performance testing tool
- for DNS over TCP. [RT #35710]
-
- --- 9.10.0rc1 released ---
-
-3804. [bug] Corrected a race condition in dispatch.c in which
- portentry could be reset leading to an assertion
- failure in socket_search(). (Change #3708
- addressed the same issue but was incomplete.)
- [RT #35128]
-
-3803. [bug] "named-checkconf -z" incorrectly rejected zones
- using alternate data sources for not having a "file"
- option. [RT #35685]
-
-3802. [bug] Various header files were not being installed.
-
-3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
-
-3800. [bug] A pending event on the route socket could cause an
- assertion failure when shutting down named. [RT #35674]
-
-3799. [bug] Improve named's command line error reporting.
- [RT #35603]
-
-3798. [bug] 'rndc zonestatus' was reporting the wrong re-signing
- time. [RT #35659]
-
-3797. [port] netbsd: geoip support probing was broken. [RT #35642]
-
-3796. [bug] Register dns and pkcs#11 error codes. [RT #35629]
-
-3795. [bug] Make named-checkconf detect raw masterfiles for
- hint zones and reject them. [RT #35268]
-
-3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
-
-3793. [bug] zone.c:save_nsec3param() could assert when out of
- memory. [RT #35621]
-
-3792. [func] Provide links to the alternate statistics views when
- displaying in a browser. [RT #35605]
-
-3791. [placeholder]
-
-3790. [bug] Handle broken nameservers that send BADVERS in
- response to unknown EDNS options. Maintain
- statistics on BADVERS responses.
-
-3789. [bug] Null pointer dereference on rbt creation failure.
-
-3788. [bug] dns_peer_getrequestsit was returning request_nsid by
- mistake.
-
- --- 9.10.0b2 released ---
-
-3787. [bug] The code that checks whether "auto-dnssec" is
- allowed was ignoring "allow-update" ACLs set at
- the options or view level. [RT #29536]
-
-3786. [func] Provide more detailed error codes when using
- native PKCS#11. "pkcs11-tokens" now fails robustly
- rather than asserting when run against an HSM with
- an incomplete PKCS#11 API implementation. [RT #35479]
-
-3785. [bug] Debugging code dumphex didn't accept arbitrarily long
- input (only compiled with -DDEBUG). [RT #35544]
-
-3784. [bug] Using "rrset-order fixed" when it had not been
- enabled at compile time caused inconsistent
- results. It now works as documented, defaulting
- to cyclic mode. [RT #28104]
-
-3783. [func] "tsig-keygen" is now available as an alternate
- command name for "ddns-confgen". It generates
- a TSIG key in named.conf format without comments.
- [RT #35503]
-
-3782. [func] Specifying "auto" as the salt when using
- "rndc signing -nsec3param" causes named to
- generate a 64-bit salt at random. [RT #35322]
-
-3781. [tuning] Use adaptive mutex locks when available; this
- has been found to improve performance under load
- on many systems. "configure --with-locktype=standard"
- restores conventional mutex locks. [RT #32576]
-
-3780. [bug] $GENERATE handled negative numbers incorrectly.
- [RT #25528]
-
-3779. [cleanup] Clarify the error message when using an option
- that was not enabled at compile time. [RT #35504]
-
-3778. [bug] Log a warning when the wrong address family is
- used in "listen-on" or "listen-on-v6". [RT #17848]
-
-3777. [bug] EDNS EXPIRE code could dump core when processing
- DLZ queries. [RT #35493]
-
-3776. [func] "rndc -q" suppresses output from successful
- rndc commands. Errors are printed on stderr.
- [RT #21393]
-
-3775. [bug] dlz_dlopen driver could return the wrong error
- code on API version mismatch, leading to a segfault.
- [RT #35495]
-
-3774. [func] When using "request-nsid", log the NSID value in
- printable form as well as hex. [RT #20864]
-
-3773. [func] "host", "nslookup" and "nsupdate" now have
- options to print the version number and exit.
- [RT #26057]
-
-3772. [contrib] Added sqlite3 dynamically-loadable DLZ module.
- (Based in part on a contribution from Tim Tessier.)
- [RT #20822]
-
-3771. [cleanup] Adjusted log level for "using built-in key"
- messages. [RT #24383]
-
-3770. [bug] "dig +trace" could fail with an assertion when it
- needed to fall back to TCP due to a truncated
- response. [RT #24660]
-
-3769. [doc] Improved documentation of "rndc signing -list".
- [RT #30652]
-
-3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
- algorithm. [RT #34000]
-
-3767. [func] Log explicitly when using rndc.key to configure
- command channel. [RT #35316]
-
-3766. [cleanup] Fixed problems with building outside the source
- tree when using native PKCS#11. [RT #35459]
-
-3765. [bug] Fixed a bug in "rndc secroots" that could crash
- named when dumping an empty keynode. [RT #35469]
-
-3764. [bug] The dnssec-keygen/settime -S and -i options
- (to set up a successor key and set the prepublication
- interval) were missing from dnssec-keyfromlabel.
- [RT #35394]
-
-3763. [bug] delve: Cache DNSSEC records to avoid the need to
- re-fetch them when restarting validation. [RT #35476]
-
-3762. [bug] Address build problems with --pkcs11-native +
- --with-openssl with ECDSA support. [RT #35467]
-
-3761. [bug] Address dangling reference bug in dns_keytable_add.
- [RT #35471]
-
-3760. [bug] Improve SIT with native PKCS#11 and on Windows.
- [RT #35433]
-
-3759. [port] Enable delve on Windows. [RT #35441]
-
-3758. [port] Enable export library APIs on Windows. [RT #35382]
-
-3757. [port] Enable Python tools (dnssec-coverage,
- dnssec-checkds) to run on Windows. [RT #34355]
-
-3756. [bug] GSSAPI Kerberos realm checking was broken in
- check_config leading to spurious messages being
- logged. [RT #35443]
-
- --- 9.10.0b1 released ---
-
-3755. [func] Add stats counters for known EDNS options + others.
- [RT #35447]
-
-3754. [cleanup] win32: Installer now places files in the
- Program Files area rather than system services.
- [RT #35361]
-
-3753. [bug] allow-notify was ignoring keys. [RT #35425]
-
-3752. [bug] Address potential REQUIRE failure if
- DNS_STYLEFLAG_COMMENTDATA is set when printing out
- a rdataset.
-
-3751. [tuning] The default setting for the -U option (setting
- the number of UDP listeners per interface) has
- been adjusted to improve performance. [RT #35417]
-
-3750. [experimental] Partially implement EDNS EXPIRE option as described
- in draft-andrews-dnsext-expire-00. Retrieval of
- the remaining time until expiry for slave zones
- is supported.
-
- EXPIRE uses an experimental option code (65002),
- which is subject to change. [RT #35416]
-
-3749. [func] "dig +subnet" sends an EDNS client subnet option
- containing the specified address/prefix when
- querying. (Thanks to Wilmer van der Gaast.)
- [RT #35415]
-
-3748. [test] Use delve to test dns_client interfaces. [RT #35383]
-
-3747. [bug] A race condition could lead to a core dump when
- destroying a resolver fetch object. [RT #35385]
-
-3746. [func] New "max-zone-ttl" option enforces maximum
- TTLs for zones. If loading a zone containing a
- higher TTL, the load fails. DDNS updates with
- higher TTLs are accepted but the TTL is truncated.
- (Note: Currently supported for master zones only;
- inline-signing slaves will be added.) [RT #38405]
-
-3745. [func] "configure --with-tuning=large" adjusts various
- compiled-in constants and default settings to
- values suited to large servers with abundant
- memory. [RT #29538]
-
-3744. [experimental] SIT: send and process Source Identity Tokens
- (similar to DNS Cookies by Donald Eastlake 3rd),
- which are designed to help clients detect off-path
- spoofed responses and for servers to identify
- legitimate clients.
-
- SIT uses an experimental EDNS option code (65001),
- which will be changed to an IANA-assigned value
- if the experiment is deemed a success.
-
- SIT can be enabled via "configure --enable-sit" (or
- --enable-developer). It is enabled by default in
- Windows.
-
- Servers can be configured to send smaller responses
- to clients that have not identified themselves via
- SIT. RRL processing has also been updated;
- legitimate clients are not subject to rate
- limiting. [RT #35389]
-
-3743. [bug] delegation-only flag wasn't working in forward zone
- declarations despite being documented. This is
- needed to support turning off forwarding and turning
- on delegation only at the same name. [RT #35392]
-
-3742. [port] linux: libcap support: declare curval at start of
- block. [RT #35387]
-
-3741. [func] "delve" (domain entity lookup and validation engine):
- A new tool with dig-like semantics for performing DNS
- lookups, with internal DNSSEC validation, using the
- same resolver and validator logic as named. This
- allows easy validation of DNSSEC data in environments
- with untrustworthy resolvers, and assists with
- troubleshooting of DNSSEC problems. [RT #32406]
-
-3740. [contrib] Minor fixes to configure --with-dlz-bdb,
- --with-dlz-postgres and --with-dlz-odbc. [RT #35340]
-
-3739. [func] Added per-zone stats counters to track TCP and
- UDP queries. [RT #35375]
-
-3738. [bug] --enable-openssl-hash failed to build. [RT #35343]
-
-3737. [bug] 'rndc retransfer' could trigger a assertion failure
- with inline zones. [RT #35353]
-
-3736. [bug] nsupdate: When specifying a server by name,
- fall back to alternate addresses if the first
- address for that name is not reachable. [RT #25784]
-
-3735. [cleanup] Merged the libiscpk11 library into libisc
- to simplify dependencies. [RT #35205]
-
-3734. [bug] Improve building with libtool. [RT #35314]
-
-3733. [func] Improve interface scanning support. Interface
- information will be automatically updated if the
- OS supports routing sockets (MacOS, *BSD, Linux).
- Use "automatic-interface-scan no;" to disable.
-
- Add "rndc scan" to trigger a scan. [RT #23027]
-
-3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
- driver to dump core on 64-bit systems. [RT #35324]
-
-3731. [func] Added a "no-case-compress" ACL, which causes
- named to use case-insensitive compression
- (disabling change #3645) for specified
- clients. (This is useful when dealing
- with broken client implementations that
- use case-sensitive name comparisons,
- rejecting responses that fail to match the
- capitalization of the query that was sent.)
- [RT #35300]
-
-3730. [cleanup] Added "never" as a synonym for "none" when
- configuring key event dates in the dnssec tools.
- [RT #35277]
-
-3729. [bug] dnssec-keygen could set the publication date
- incorrectly when only the activation date was
- specified on the command line. [RT #35278]
-
-3728. [doc] Expanded native-PKCS#11 documentation,
- specifically pkcs11: URI labels. [RT #35287]
-
-3727. [func] The isc_bitstring API is no longer used and
- has been removed from libisc. [RT #35284]
-
-3726. [cleanup] Clarified the error message when attempting
- to configure more than 32 response-policy zones.
- [RT #35283]
-
-3725. [contrib] Updated zkt and nslint to newest versions,
- cleaned up and rearranged the contrib
- directory, and added a README.
-
- --- 9.10.0a2 released ---
-
-3724. [bug] win32: Fixed a bug that prevented dig and
- host from exiting properly after completing
- a UDP query. [RT #35288]
-
-3723. [cleanup] Imported keys are now handled the same way
- regardless of DNSSEC algorithm. [RT #35215]
-
-3722. [bug] Using geoip ACLs in a blackhole statement
- could cause a segfault. [RT #35272]
-
-3721. [doc] Improved documentation of the EDNS processing
- enhancements introduced in change #3593. [RT #35275]
-
-3720. [bug] Address compiler warnings. [RT #35261]
-
-3719. [bug] Address memory leak in in peer.c. [RT #35255]
-
-3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260]
-
-3717. [port] hpux: Treat EOPNOTSUPP as a expected error code when
- probing to see if it is possible to set dscp values
- on a per packet basis. [RT #35252]
-
-3716. [bug] The dns_request code was setting dcsp values when not
- requested. [RT #35252]
-
-3715. [bug] The region and city databases could fail to
- initialize when using some versions of libGeoIP,
- causing assertion failures when named was
- configured to use them. [RT #35427]
-
-3714. [test] System tests that need to test for cryptography
- support before running can now use a common
- "testcrypto.sh" script to do so. [RT #35213]
-
-3713. [bug] Save memory by not storing "also-notify" addresses
- in zone objects that are configured not to send
- notify requests. [RT #35195]
-
-3712. [placeholder]
-
-3711. [placeholder]
-
-3710. [bug] Address double dns_zone_detach when switching to
- using automatic empty zones from regular zones.
- [RT #35177]
-
-3709. [port] Use built-in versions of strptime() and timegm()
- on all platforms to avoid portability issues.
- [RT #35183]
-
-3708. [bug] Address a portentry locking issue in dispatch.c.
- [RT #35128]
-
-3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
- on a missing resolv.conf file and initializes the
- structure as if it had been configured with:
-
- nameserver ::1
- nameserver 127.0.0.1
-
- Note: Callers will need to be updated to treat
- ISC_R_FILENOTFOUND as a qualified success or else
- they will leak memory. The following code fragment
- will work with both old and new versions without
- changing the behaviour of the existing code.
-
- resconf = NULL;
- result = irs_resconf_load(mctx, "/etc/resolv.conf",
- &resconf);
- if (result != ISC_SUCCESS) {
- if (resconf != NULL)
- irs_resconf_destroy(&resconf);
- ....
- }
-
- [RT #35194]
-
-3706. [contrib] queryperf: Fixed a possible integer overflow when
- printing results. [RT #35182]
-
-3705. [func] "configure --enable-native-pkcs11" enables BIND
- to use the PKCS#11 API for all cryptographic
- functions, so that it can drive a hardware service
- module directly without the need to use a modified
- OpenSSL as intermediary (so long as the HSM's vendor
- provides a complete-enough implementation of the
- PKCS#11 interface). This has been tested successfully
- with the Thales nShield HSM and with SoftHSMv2 from
- the OpenDNSSEC project. [RT #29031]
-
-3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
-
-3703. [func] To improve recursive resolver performance, cache
- records which are still being requested by clients
- can now be automatically refreshed from the
- authoritative server before they expire, reducing
- or eliminating the time window in which no answer
- is available in the cache. See the "prefetch" option
- for more details. [RT #35041]
-
-3702. [func] 'dnssec-coverage -l' option specifies a length
- of time to check for coverage; events further into
- the future are ignored. 'dnssec-coverage -z'
- checks only ZSK events, and 'dnssec-coverage -k'
- checks only KSK events. (Thanks to Peter Palfrader.)
- [RT #35168]
-
-3701. [func] named-checkconf can now obscure shared secrets
- when printing by specifying '-x'. [RT #34465]
-
-3700. [func] Allow access to subgroups of XML statistics via
- special URLs http://<server>:<port>/xml/v3/server,
- /zones, /net, /tasks, /mem, and /status. [RT #35115]
-
-3699. [bug] Improvements to statistics channel XSL stylesheet:
- the stylesheet can now be cached by the browser;
- section headers are omitted from the stats display
- when there is no data in those sections to be
- displayed; counters are now right-justified for
- easier readability. [RT #35117]
-
-3698. [cleanup] Replaced all uses of memcpy() with memmove().
- [RT #35120]
-
-3697. [bug] Handle "." as a search list element when IDN support
- is enabled. [RT #35133]
-
-3696. [bug] dig failed to handle AXFR style IXFR responses which
- span multiple messages. [RT #35137]
-
-3695. [bug] Address a possible race in dispatch.c. [RT #35107]
-
-3694. [bug] Warn when a key-directory is configured for a zone,
- but does not exist or is not a directory. [RT #35108]
-
-3693. [security] memcpy was incorrectly called with overlapping
- ranges resulting in malformed names being generated
- on some platforms. This could cause INSIST failures
- when serving NSEC3 signed zones (CVE-2014-0591).
- [RT #35120]
-
-3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
- was no data at the node. [RT #35080]
-
-3691. [contrib] Address null pointer dereference in LDAP and
- MySQL DLZ modules.
-
-3690. [bug] Iterative responses could be missed when the source
- port for an upstream query was the same as the
- listener port (53). [RT #34925]
-
-3689. [bug] Fixed a bug causing an insecure delegation from one
- static-stub zone to another to fail with a broken
- trust chain. [RT #35081]
-
-3688. [bug] loadnode could return a freed node on out of memory.
- [RT #35106]
-
-3687. [bug] Address null pointer dereference in zone_xfrdone.
- [RT #35042]
-
-3686. [func] "dnssec-signzone -Q" drops signatures from keys
- that are still published but no longer active.
- [RT #34990]
-
-3685. [bug] "rndc refresh" didn't work correctly with slave
- zones using inline-signing. [RT #35105]
-
-3684. [bug] The list of included files would grow on reload.
- [RT 35090]
-
-3683. [cleanup] Add a more detailed "not found" message to rndc
- commands which specify a zone name. [RT #35059]
-
-3682. [bug] Correct the behavior of rndc retransfer to allow
- inline-signing slave zones to retain NSEC3 parameters
- instead of reverting to NSEC. [RT #34745]
-
-3681. [port] Update the Windows build system to support feature
- selection and WIN64 builds. This is a work in
- progress. [RT #34160]
-
-3680. [bug] Ensure buffer space is available in "rndc zonestatus".
- [RT #35084]
-
-3679. [bug] dig could fail to clean up TCP sockets still
- waiting on connect(). [RT #35074]
-
-3678. [port] Update config.guess and config.sub. [RT #35060]
-
-3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
- times. [RT #35073]
-
-3676. [bug] "named-checkconf -z" now checks zones of type
- hint and redirect as well as master. [RT #35046]
-
-3675. [misc] Provide a place for third parties to add version
- information for their extensions in the version
- file by setting the EXTENSIONS variable.
-
- --- 9.10.0a1 released ---
-
-3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
-
-3673. [func] New "in-view" zone option allows direct sharing
- of zones between views. [RT #32968]
-
-3672. [func] Local address can now be specified when using
- dns_client API. [RT #34811]
-
-3671. [bug] Don't allow dnssec-importkey overwrite a existing
- non-imported private key.
-
-3670. [bug] Address read after free in server side of
- lwres_getrrsetbyname. [RT #29075]
-
-3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
-
-3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
- [RT #34993]
-
-3667. [test] dig: add support to keep the TCP socket open between
- successive queries (+[no]keepopen). [RT #34918]
-
-3666. [func] Add a tool, named-rrchecker, for checking the syntax
- of individual resource records. This tool is intended
- to be called by provisioning systems so that the front
- end does not need to be upgraded to support new DNS
- record types. [RT #34778]
-
-3665. [bug] Failure to release lock on error in receive_secure_db.
- [RT #34944]
-
-3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
- locking and other bugs. [RT #34855]
-
-3663. [bug] Address bugs in dns_rdata_fromstruct and
- dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
-
-3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
-
-3661. [bug] Address lock order reversal deadlock with inline zones.
- [RT #34856]
-
-3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
- [RT #23825]
-
-3659. [port] solaris: don't add explicit dependencies/rules for
- python programs as make won't use the implicit rules.
- [RT #34835]
-
-3658. [port] linux: Address platform specific compilation issue
- when libcap-devel is installed. [RT #34838]
-
-3657. [port] Some readline clones don't accept NULL pointers when
- calling add_history. [RT #34842]
-
-3656. [security] Treat an all zero netmask as invalid when generating
- the localnets acl. (The prior behavior could
- allow unexpected matches when using some versions
- of Winsock: CVE-2013-6320.) [RT #34687]
-
-3655. [cleanup] Simplify TCP message processing when requesting a
- zone transfer. [RT #34825]
-
-3654. [bug] Address race condition with manual notify requests.
- [RT #34806]
-
-3653. [func] Create delegations for all "children" of empty zones
- except "forward first". [RT #34826]
-
-3652. [bug] Address bug with rpz-drop policy. [RT #34816]
-
-3651. [tuning] Adjust when a master server is deemed unreachable.
- [RT #27075]
-
-3650. [tuning] Use separate rate limiting queues for refresh and
- notify requests. [RT #30589]
-
-3649. [cleanup] Include a comment in .nzf files, giving the name of
- the associated view. [RT #34765]
-
-3648. [test] Updated the ATF test framework to version 0.17.
- [RT #25627]
-
-3647. [bug] Address a race condition when shutting down a zone.
- [RT #34750]
-
-3646. [bug] Journal filename string could be set incorrectly,
- causing garbage in log messages. [RT #34738]
-
-3645. [protocol] Use case sensitive compression when responding to
- queries. [RT #34737]
-
-3644. [protocol] Check that EDNS subnet client options are well formed.
- [RT #34718]
-
-3643. [doc] Clarify RRL "slip" documentation.
-
-3642. [func] Allow externally generated DNSKEY to be imported
- into the DNSKEY management framework. A new tool
- dnssec-importkey is used to do this. [RT #34698]
-
-3641. [bug] Handle changes to sig-validity-interval settings
- better. [RT #34625]
-
-3640. [bug] ndots was not being checked when searching. Only
- continue searching on NXDOMAIN responses. Add the
- ability to specify ndots to nslookup. [RT #34711]
-
-3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
- in a key zone. [RT #34238]
-
-3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
- encountered. [RT #34668]
-
-3637. [bug] 'allow-query-on' was checking the source address
- rather than the destination address. [RT #34590]
-
-3636. [bug] Automatic empty zones now behave better with
- forward only "zones" beneath them. [RT #34583]
-
-3635. [bug] Signatures were not being removed from a zone with
- only KSK keys for a algorithm. [RT #34439]
-
-3634. [func] Report build-id in rndc status. Report build-id
- when building from a git repository. [RT #20422]
-
-3633. [cleanup] Refactor OPT processing in named to make it easier
- to support new EDNS options. [RT #34414]
-
-3632. [bug] Signature from newly inactive keys were not being
- removed. [RT #32178]
-
-3631. [bug] Remove spurious warning about missing signatures when
- qtype is SIG. [RT #34600]
-
-3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
-
-3629. [func] Allow the printing of cryptographic fields in DNSSEC
- records by dig to be suppressed (dig +nocrypto).
- [RT #34534]
-
-3628. [func] Report DNSKEY key id's when dumping the cache.
- [RT #34533]
-
-3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
-
-3626. [func] dig: NSID output now easier to read. [RT #21160]
-
-3625. [bug] Don't send notify messages to machines outside of the
- test setup.
-
-3624. [bug] Look for 'json_object_new_int64' when looking for a
- the json library. [RT #34449]
-
-3623. [placeholder]
-
-3622. [tuning] Eliminate an unnecessary lock when incrementing
- cache statistics. [RT #34339]
-
-3621. [security] Incorrect bounds checking on private type 'keydata'
- can lead to a remotely triggerable REQUIRE failure
- (CVE-2013-4854). [RT #34238]
-
-3620. [func] Added "rpz-client-ip" policy triggers, enabling
- RPZ responses to be configured on the basis of
- the client IP address; this can be used, for
- example, to blacklist misbehaving recursive
- or stub resolvers. [RT #33605]
-
-3619. [bug] Fixed a bug in RPZ with "recursive-only no;"
- [RT #33776]
-
-3618. [func] "rndc reload" now checks modification times of
- include files as well as master files to determine
- whether to skip reloading a zone. [RT #33936]
-
-3617. [bug] Named was failing to answer queries during
- "rndc reload" [RT #34098]
-
-3616. [bug] Change #3613 was incomplete. [RT #34177]
-
-3615. [cleanup] "configure" now finishes by printing a summary
- of optional BIND features and whether they are
- active or inactive. ("configure --enable-full-report"
- increases the verbosity of the summary.) [RT #31777]
-
-3614. [port] Check for <linux/types.h>. [RT #34162]
-
-3613. [bug] named could crash when deleting inline-signing
- zones with "rndc delzone". [RT #34066]
-
-3612. [port] Check whether to use -ljson or -ljson-c. [RT #34115]
-
-3611. [bug] Improved resistance to a theoretical authentication
- attack based on differential timing. [RT #33939]
-
-3610. [cleanup] win32: Some executables had been omitted from the
- installer. [RT #34116]
-
-3609. [bug] Corrected a possible deadlock in applications using
- the export version of the isc_app API. [RT #33967]
-
-3608. [port] win32: added todos.pl script to ensure all text files
- the win32 build depends on are converted to DOS
- newline format. [RT #22067]
-
-3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
- message. [RT #34045]
-
-3606. [func] "rndc flushtree" now flushes matching
- records in the address database and bad cache
- as well as the DNS cache. (Previously only the
- DNS cache was flushed.) [RT #33970]
-
-3605. [port] win32: Addressed several compatibility issues
- with newer versions of Visual Studio. [RT #33916]
-
-3604. [bug] Fixed a compile-time error when building with
- JSON but not XML. [RT #33959]
-
-3603. [bug] Install <isc/stat.h>. [RT #33956]
-
-3602. [contrib] Added DLZ Perl module, allowing Perl scripts to
- integrate with named and serve DNS data.
- (Contributed by John Eaglesham of Yahoo.)
-
-3601. [bug] Added to PKCS#11 openssl patches a value len
- attribute in DH derive key. [RT #33928]
-
-3600. [cleanup] dig: Fixed a typo in the warning output when receiving
- an oversized response. [RT #33910]
-
-3599. [tuning] Check for pointer equivalence in name comparisons.
- [RT #18125]
-
-3598. [cleanup] Improved portability of map file code. [RT #33820]
-
-3597. [bug] Ensure automatic-resigning heaps are reconstructed
- when loading zones in map format. [RT #33381]
-
-3596. [port] Updated win32 build documentation, added
- dnssec-verify. [RT #22067]
-
-3595. [port] win32: Fix build problems introduced by change #3550.
- [RT #33807]
-
-3594. [maint] Update config.guess and config.sub. [RT #33816]
-
-3593. [func] Update EDNS processing to better track remote server
- capabilities. [RT #30655]
-
-3592. [doc] Moved documentation of rndc command options to the
- rndc man page. [RT #33506]
-
-3591. [func] Use CRC-64 to detect map file corruption at load
- time. [RT #33746]
-
-3590. [bug] When using RRL on recursive servers, defer
- rate-limiting until after recursion is complete;
- also, use correct rcode for slipped NXDOMAIN
- responses. [RT #33604]
-
-3589. [func] Report serial numbers in when starting zone transfers.
- Report accepted NOTIFY requests including serial.
- [RT #33037]
-
-3588. [bug] dig: addressed a memory leak in the sigchase code
- that could cause a shutdown crash. [RT #33733]
-
-3587. [func] 'named -g' now checks the logging configuration but
- does not use it. [RT #33473]
-
-3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
-
-3585. [func] "rndc delzone -clean" option removes zone files
- when deleting a zone. [RT #33570]
-
-3584. [security] Caching data from an incompletely signed zone could
- trigger an assertion failure in resolver.c
- (CVE-2013-3919). [RT #33690]
-
-3583. [bug] Address memory leak in GSS-API processing [RT #33574]
-
-3582. [bug] Silence false positive warning regarding missing file
- directive for inline slave zones. [RT #33662]
-
-3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
-
-3580. [bug] Addressed a possible race in acache.c [RT #33602]
-
-3579. [maint] Updates to PKCS#11 openssl patches, supporting
- versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
-
-3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
- [RT #33571]
-
-3577. [bug] Handle zero TTL values better. [RT #33411]
-
-3576. [bug] Address a shutdown race when validating. [RT #33573]
-
-3575. [func] Changed the logging category for RRL events from
- 'queries' to 'query-errors'. [RT #33540]
-
-3574. [doc] The 'hostname' keyword was missing from server-id
- description in the named.conf man page. [RT #33476]
-
-3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
- zone names containing punctuation marks and other
- nonstandard characters. [RT #33419]
-
-3572. [func] Threads are now enabled by default on most
- operating systems. [RT #25483]
-
-3571. [bug] Address race condition in dns_client_startresolve().
- [RT #33234]
-
-3570. [bug] Check internal pointers are valid when loading map
- files. [RT #33403]
-
-3569. [contrib] Ported mysql DLZ driver to dynamically-loadable
- module, and added multithread support. [RT #33394]
-
-3568. [cleanup] Add a product description line to the version file,
- to be reported by named -v/-V. [RT #33366]
-
-3567. [bug] Silence clang static analyzer warnings. [RT #33365]
-
-3566. [func] Log when forwarding updates to master. [RT #33240]
-
-3565. [placeholder]
-
-3564. [bug] Improved handling of corrupted map files. [RT #33380]
-
-3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
-
-3562. [func] Update map file header format to include a SHA-1 hash
- of the database content, so that corrupted map files
- can be rejected at load time. [RT #32459]
-
-3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
- or NOTIMP. Adjust usage message. [RT #33363]
-
-3560. [bug] isc-config.sh did not honor includedir and libdir
- when set via configure. [RT #33345]
-
-3559. [func] Check that both forms of Sender Policy Framework
- records exist or do not exist. [RT #33355]
-
-3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
-
-3557. [bug] Reloading redirect zones was broken. [RT #33292]
-
-3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
-
-3555. [bug] Address theoretical race conditions in acache.c
- (change #3553 was incomplete). [RT #33252]
-
-3554. [bug] RRL failed to correctly rate-limit upward
- referrals and failed to count dropped error
- responses in the statistics. [RT #33225]
-
-3553. [bug] Address suspected double free in acache. [RT #33252]
-
-3552. [bug] Wrong getopt option string for 'nsupdate -r'.
- [RT #33280]
-
-3551. [bug] resolver.querydscp[46] were uninitialized. [RT #32686]
-
-3550. [func] Unified the internal and export versions of the
- BIND libraries, allowing external clients to use
- the same libraries as BIND. [RT #33131]
-
-3549. [doc] Documentation for "request-nsid" was missing.
- [RT #33153]
-
-3548. [bug] The NSID request code in resolver.c was broken
- resulting in invalid EDNS options being sent.
- [RT #33153]
-
-3547. [bug] Some malformed unknown rdata records were not properly
- detected and rejected. [RT #33129]
-
-3546. [func] Add EUI48 and EUI64 types. [RT #33082]
-
-3545. [bug] RRL slip behavior was incorrect when set to 1.
- [RT #33111]
-
-3544. [contrib] check5011.pl: Script to report the status of
- managed keys as recorded in managed-keys.bind.
- Contributed by Tony Finch <dot@dotat.at>
-
-3543. [bug] Update socket structure before attaching to socket
- manager after accept. [RT #33084]
-
-3542. [placeholder]
-
-3541. [bug] Parts of libdns were not properly initialized when
- built in libexport mode. [RT #33028]
-
-3540. [test] libt_api: t_info and t_assert were not thread safe.
-
-3539. [port] win32: timestamp format didn't match other platforms.
-
-3538. [test] Running "make test" now requires loopback interfaces
- to be set up. [RT #32452]
-
-3537. [tuning] Slave zones, when updated, now send NOTIFY messages
- to peers before being dumped to disk rather than
- after. [RT #27242]
-
-3536. [func] Add support for setting Differentiated Services Code
- Point (DSCP) values in named. Most configuration
- options which take a "port" option (e.g.,
- listen-on, forwarders, also-notify, masters,
- notify-source, etc) can now also take a "dscp"
- option specifying a code point for use with
- outgoing traffic, if supported by the underlying
- OS. [RT #27596]
-
-3535. [bug] Minor win32 cleanups. [RT #32962]
-
-3534. [bug] Extra text after an embedded NULL was ignored when
- parsing zone files. [RT #32699]
-
-3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
-
-3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
-
-3531. [bug] win32: A uninitialized value could be returned on out
- of memory. [RT #32960]
-
-3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
-
-3529. [func] Named now listens on both IPv4 and IPv6 interfaces
- by default. Named previously only listened on IPv4
- interfaces by default unless named was running in
- IPv6 only mode. [RT #32945]
-
-3528. [func] New "dnssec-coverage" command scans the timing
- metadata for a set of DNSSEC keys and reports if a
- lapse in signing coverage has been scheduled
- inadvertently. (Note: This tool depends on python;
- it will not be built or installed on systems that
- do not have a python interpreter.) [RT #28098]
-
-3527. [compat] Add a URI to allow applications to explicitly
- request a particular XML schema from the statistics
- channel, returning 404 if not supported. [RT #32481]
-
-3526. [cleanup] Set up dependencies for unit tests correctly during
- build. [RT #32803]
-
-3525. [func] Support for additional signing algorithms in rndc:
- hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
- The -A option to rndc-confgen can be used to
- select the algorithm for the generated key.
- (The default is still hmac-md5; this may
- change in a future release.) [RT #20363]
-
-3524. [func] Added an alternate statistics channel in JSON format,
- when the server is built with the json-c library:
- http://[address]:[port]/json. [RT #32630]
-
-3523. [contrib] Ported filesystem and ldap DLZ drivers to
- dynamically-loadable modules, and added the
- "wildcard" module based on a contribution from
- Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
-
-3522. [bug] DLZ lookups could fail to return SERVFAIL when
- they ought to. [RT #32685]
-
-3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
-
-3520. [bug] 'mctx' was not being referenced counted in some places
- where it should have been. [RT #32794]
-
-3519. [func] Full replay protection via four-way handshake is
- now mandatory for rndc clients. Very old versions
- of rndc will no longer work. [RT #32798]
-
-3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
- so that all dns_rrl_rtype_t enum values fit regardless
- of whether it is treated as signed or unsigned by
- the compiler. [RT #32792]
-
-3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
-
-3516. [placeholder]
-
-3515. [port] '%T' is not portable in strftime(). [RT #32763]
-
-3514. [bug] The ranges for valid key sizes in ddns-confgen and
- rndc-confgen were too constrained. Keys up to 512
- bits are now allowed for most algorithms, and up
- to 1024 bits for hmac-sha384 and hmac-sha512.
- [RT #32753]
-
-3513. [func] "dig -u" prints times in microseconds rather than
- milliseconds. [RT #32704]
-
-3512. [func] "rndc validation check" reports the current status
- of DNSSEC validation. [RT #21397]
-
-3511. [doc] Improve documentation of redirect zones. [RT #32756]
-
-3510. [func] "rndc status" and XML statistics channel now report
- server start and reconfiguration times. [RT #21048]
-
-3509. [cleanup] Added a product line to version file to allow for
- easy naming of different products (BIND
- vs BIND ESV, for example). [RT #32755]
-
-3508. [contrib] queryperf was incorrectly rejecting the -T option.
- [RT #32338]
-
-3507. [bug] Statistics channel XSL had a glitch when attempting
- to chart query data before any queries had been
- received. [RT #32620]
-
-3506. [func] When setting "max-cache-size" and "max-acache-size",
- the keyword "unlimited" is no longer defined as equal
- to 4 gigabytes (except on 32-bit platforms); it
- means literally unlimited. [RT #32358]
-
-3505. [bug] When setting "max-cache-size" and "max-acache-size",
- larger values than 4 gigabytes could not be set
- explicitly, though larger sizes were available
- when setting cache size to 0. This has been
- corrected; the full range is now available.
- [RT #32358]
-
-3504. [func] Add support for ACLs based on geographic location,
- using MaxMind GeoIP databases. Based on code
- contributed by Ken Brownfield <kb@slide.com>.
- [RT #30681]
-
-3503. [doc] Clarify size_spec syntax. [RT #32449]
-
-3502. [func] zone-statistics: "no" is now a synonym for "none",
- instead of "terse". [RT #29165]
-
-3501. [func] zone-statistics now takes three options: full,
- terse, and none. "yes" and "no" are retained as
- synonyms for full and terse, respectively. [RT #29165]
-
-3500. [security] Support NAPTR regular expression validation on
- all platforms without using libregex, which
- can be vulnerable to memory exhaustion attack
- (CVE-2013-2266). [RT #32688]
-
-3499. [doc] Corrected ARM documentation of built-in zones.
- [RT #32694]
-
-3498. [bug] zone statistics for zones which matched a potential
- empty zone could have their zone-statistics setting
- overridden.
-
-3497. [func] When deleting a slave/stub zone using 'rndc delzone'
- report the files that were being used so they can
- be cleaned up if desired. [RT #27899]
-
-3496. [placeholder]
-
-3495. [func] Support multiple response-policy zones (up to 32),
- while improving RPZ performance. "response-policy"
- syntax now includes a "min-ns-dots" clause, with
- default 1, to exclude top-level domains from
- NSIP and NSDNAME checking. --enable-rpz-nsip and
- --enable-rpz-nsdname are now the default. [RT #32251]
-
-3494. [func] DNS RRL: Blunt the impact of DNS reflection and
- amplification attacks by rate-limiting substantially-
- identical responses. [RT #28130]
-
-3493. [contrib] Added BDBHPT dynamically-loadable DLZ module,
- contributed by Mark Goldfinch. [RT #32549]
-
-3492. [bug] Fixed a regression in zone loading performance
- due to lock contention. [RT #30399]
-
-3491. [bug] Slave zones using inline-signing must specify a
- file name. [RT #31946]
-
-3490. [bug] When logging RDATA during update, truncate if it's
- too long. [RT #32365]
-
-3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
- dns_dlzcreate() failed to properly initialize
- dlzdb.link. When cloning a rdataset do not copy
- the link contents. [RT #32651]
-
-3488. [bug] Use after free error with DH generated keys. [RT #32649]
-
-3487. [bug] Change 3444 was not complete. There was a additional
- place where the NOQNAME proof needed to be saved.
- [RT #32629]
-
-3486. [bug] named could crash when using TKEY-negotiated keys
- that had been deleted and then recreated. [RT #32506]
-
-3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
-
-3484. [bug] Some statistics were incorrectly rendered in XML.
- [RT #32587]
-
-3483. [placeholder]
-
-3482. [func] dig +nssearch now prints name servers that don't
- have address records (missing AAAA or A, or the name
- doesn't exist). [RT #29348]
-
-3481. [cleanup] Removed use of const const in atf.
-
-3480. [bug] Silence logging noise when setting up zone
- statistics. [RT #32525]
-
-3479. [bug] Address potential memory leaks in gssapi support
- code. [RT #32405]
-
-3478. [port] Fix a build failure in strict C99 environments
- [RT #32475]
-
-3477. [func] Expand logging when adding records via DDNS update
- [RT #32365]
-
-3476. [bug] "rndc zonestatus" could report a spurious "not
- found" error on inline-signing zones. [RT #29226]
-
-3475. [cleanup] Changed name of 'map' zone file format (previously
- 'fast'). [RT #32458]
-
-3474. [bug] nsupdate could assert when the local and remote
- address families didn't match. [RT #22897]
-
-3473. [bug] dnssec-signzone/verify could incorrectly report
- an error condition due to an empty node above an
- opt-out delegation lacking an NSEC3. [RT #32072]
-
-3472. [bug] The active-connections counter in the socket
- statistics could underflow. [RT #31747]
-
-3471. [bug] The number of UDP dispatches now defaults to
- the number of CPUs even if -n has been set to
- a higher value. [RT #30964]
-
-3470. [bug] Slave zones could fail to dump when successfully
- refreshing after an initial failure. [RT #31276]
-
-3469. [bug] Handle DLZ lookup failures more gracefully. Improve
- backward compatibility between versions of DLZ dlopen
- API. [RT #32275]
-
-3468. [security] RPZ rules to generate A records (but not AAAA records)
- could trigger an assertion failure when used in
- conjunction with DNS64 (CVE-2012-5689). [RT #32141]
-
-3467. [bug] Added checks in dnssec-keygen and dnssec-settime
- to check for delete date < inactive date. [RT #31719]
-
-3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
- in DLZ example driver. [RT #32275]
-
-3465. [bug] Handle isolated reserved ports. [RT #31778]
-
-3464. [maint] Updates to PKCS#11 openssl patches, supporting
- versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
-
-3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
-
-3462. [doc] Clarify server selection behavior of dig when using
- -4 or -6 options. [RT #32181]
-
-3461. [bug] Negative responses could incorrectly have AD=1
- set. [RT #32237]
-
-3460. [bug] Only link against readline where needed. [RT #29810]
-
-3459. [func] Added -J option to named-checkzone/named-compilezone
- to specify the path to the journal file. [RT #30958]
-
-3458. [bug] Return FORMERR when presented with a overly long
- domain named in a request. [RT #29682]
-
-3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
-
-3456. [port] g++47: ATF failed to compile. [RT #32012]
-
-3455. [contrib] queryperf: fix getopt option list. [RT #32338]
-
-3454. [port] sparc64: improve atomic support. [RT #25182]
-
-3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
- failed. [RT #31960]
-
-3452. [bug] Accept duplicate singleton records. [RT #32329]
-
-3451. [port] Increase per thread stack size from 64K to 1M.
- [RT #32230]
-
-3450. [bug] Stop logfileconfig system test spam system logs.
- [RT #32315]
-
-3449. [bug] gen.c: use the pre-processor to construct format
- strings so that compiler can perform sanity checks;
- check the snprintf results. [RT #17576]
-
-3448. [bug] The allow-query-on ACL was not processed correctly.
- [RT #29486]
-
-3447. [port] Add support for libxml2-2.9.x [RT #32231]
-
-3446. [port] win32: Add source ID (see change #3400) to build.
- [RT #31683]
-
-3445. [bug] Warn about zone files with blank owner names
- immediately after $ORIGIN directives. [RT #31848]
-
-3444. [bug] The NOQNAME proof was not being returned from cached
- insecure responses. [RT #21409]
-
-3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
- rejected when generating keys. [RT #31927]
-
-3442. [port] Net::DNS 0.69 introduced a non backwards compatible
- change. [RT #32216]
-
-3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
-
-3440. [bug] Reorder get_key_struct to not trigger a assertion when
- cleaning up due to out of memory error. [RT #32131]
-
-3439. [placeholder]
-
-3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
-
-3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
- buffers with constant data. [RT #32064]
-
-3436. [bug] Check malloc/calloc return values. [RT #32088]
-
-3435. [bug] Cross compilation support in configure was broken.
- [RT #32078]
-
-3434. [bug] Pass client info to the DLZ findzone() entry
- point in addition to lookup(). This makes it
- possible for a database to answer differently
- whether it's authoritative for a name depending
- on the address of the client. [RT #31775]
-
-3433. [bug] dlz_findzone() did not correctly handle
- ISC_R_NOMORE. [RT #31172]
-
-3432. [func] Multiple DLZ databases can now be configured.
- DLZ databases are searched in the order configured,
- unless set to "search no", in which case a
- zone can be configured to be retrieved from a
- particular DLZ database by using a "dlz <name>"
- option in the zone statement. DLZ databases can
- support type "master" and "redirect" zones.
- [RT #27597]
-
-3431. [bug] ddns-confgen: Some valid key algorithms were
- not accepted. [RT #31927]
-
-3430. [bug] win32: isc_time_formatISO8601 was missing the
- 'T' between the date and time. [RT #32044]
-
-3429. [bug] dns_zone_getserial2 could a return success without
- returning a valid serial. [RT #32007]
-
-3428. [cleanup] dig: Add timezone to date output. [RT #2269]
-
-3427. [bug] dig +trace incorrectly displayed name server
- addresses instead of names. [RT #31641]
-
-3426. [bug] dnssec-checkds: Clearer output when records are not
- found. [RT #31968]
-
-3425. [bug] "acacheentry" reference counting was broken resulting
- in use after free. [RT #31908]
-
-3424. [func] dnssec-dsfromkey now emits the hash without spaces.
- [RT #31951]
-
-3423. [bug] "rndc signing -nsec3param" didn't accept the full
- range of possible values. Address portability issues.
- [RT #31938]
-
-3422. [bug] Added a clear error message for when the SOA does not
- match the referral. [RT #31281]
-
-3421. [bug] Named loops when re-signing if all keys are offline.
- [RT #31916]
-
-3420. [bug] Address VPATH compilation issues. [RT #31879]
-
-3419. [bug] Memory leak on validation cancel. [RT #31869]
-
-3418. [func] New XML schema (version 3.0) for the statistics channel
- adds query type statistics at the zone level, and
- flattens the XML tree and uses compressed format to
- optimize parsing. Includes new XSL that permits
- charting via the Google Charts API on browsers that
- support javascript in XSL. The old XML schema has been
- deprecated. [RT #30023]
-
-3417. [placeholder]
-
-3416. [bug] Named could die on shutdown if running with 128 UDP
- dispatches per interface. [RT #31743]
-
-3415. [bug] named could die with a REQUIRE failure if a validation
- was canceled. [RT #31804]
-
-3414. [bug] Address locking issues found by Coverity. [RT #31626]
-
-3413. [func] Record the number of DNS64 AAAA RRsets that have been
- synthesized. [RT #27636]
-
-3412. [bug] Copy timeval structure from control message data.
- [RT #31548]
-
-3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
- to UDP. [RT #31690]
-
-3410. [bug] Addressed Coverity warnings. [RT #31626]
-
-3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
- from X.509 certificates, for use with DANE
- (DNS-based Authentication of Named Entities).
- [RT #30513]
-
-3408. [bug] Some DNSSEC-related options (update-check-ksk,
- dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
- are now legal in slave zones as long as
- inline-signing is in use. [RT #31078]
-
-3407. [placeholder]
-
-3406. [bug] mem.c: Fix compilation errors when building with
- ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
- Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
-
-3405. [bug] Handle time going backwards in acache. [RT #31253]
-
-3404. [bug] dnssec-signzone: When re-signing a zone, remove
- RRSIG and NSEC records from nodes that used to be
- in-zone but are now below a zone cut. [RT #31556]
-
-3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
-
-3402. [test] The IPv6 interface numbers used for system
- tests were incorrect on some platforms. [RT #25085]
-
-3401. [bug] Addressed Coverity warnings. [RT #31484]
-
-3400. [cleanup] "named -V" can now report a source ID string, defined
- in the "srcid" file in the build tree and normally set
- to the most recent git hash. [RT #31494]
-
-3399. [port] netbsd: rename 'bool' parameter to avoid namespace
- clash. [RT #31515]
-
-3398. [bug] SOA parameters were not being updated with inline
- signed zones if the zone was modified while the
- server was offline. [RT #29272]
-
-3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
-
-3396. [bug] OPT records were incorrectly removed from signed,
- truncated responses. [RT #31439]
-
-3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
- list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
- [RT #31336]
-
-3394. [bug] Adjust 'successfully validated after lower casing
- signer' log level and category. [RT #31414]
-
-3393. [bug] 'host -C' could core dump if REFUSED was received.
- [RT #31381]
-
-3392. [func] Keep statistics on REFUSED responses. [RT #31412]
-
-3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
- [RT #31262]
-
-3390. [bug] Silence clang compiler warnings. [RT #30417]
-
-3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
-
-3388. [bug] Fixed several Coverity warnings.
- Note: This change includes a fix for a bug that
- was subsequently determined to be an exploitable
- security vulnerability, CVE-2012-5688: named could
- die on specific queries with dns64 enabled.
- [RT #30996]
-
-3387. [func] DS digest can be disabled at runtime with
- disable-ds-digests. [RT #21581]
-
-3386. [bug] Address locking violation when generating new NSEC /
- NSEC3 chains. [RT #31224]
-
-3385. [bug] named-checkconf didn't detect missing master lists
- in also-notify clauses. [RT #30810]
-
-3384. [bug] Improved logging of crypto errors. [RT #30963]
-
-3383. [security] A certain combination of records in the RBT could
- cause named to hang while populating the additional
- section of a response. [RT #31090]
-
-3382. [bug] SOA query from slave used use-v6-udp-ports range,
- if set, regardless of the address family in use.
- [RT #24173]
-
-3381. [contrib] Update queryperf to support more RR types.
- [RT #30762]
-
-3380. [bug] named could die if a nonexistent master list was
- referenced in a also-notify. [RT #31004]
-
-3379. [bug] isc_interval_zero and isc_time_epoch should be
- "const (type)* const". [RT #31069]
-
-3378. [bug] Handle missing 'managed-keys-directory' better.
- [RT #30625]
-
-3377. [bug] Removed spurious newline from NSEC3 multiline
- output. [RT #31044]
-
-3376. [bug] Lack of EDNS support was being recorded without a
- successful response. [RT #30811]
-
-3375. [bug] 'rndc dumpdb' failed on empty caches. [RT #30808]
-
-3374. [bug] isc_parse_uint32 failed to return a range error on
- systems with 64 bit longs. [RT #30232]
-
-3373. [bug] win32: open raw files in binary mode. [RT #30944]
-
-3372. [bug] Silence spurious "deleted from unreachable cache"
- messages. [RT #30501]
-
-3371. [bug] AD=1 should behave like DO=1 when deciding whether to
- add NS RRsets to the additional section or not.
- [RT #30479]
-
-3370. [bug] Address use after free while shutting down. [RT #30241]
-
-3369. [bug] nsupdate terminated unexpectedly in interactive mode
- if built with readline support. [RT #29550]
-
-3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
- were not C++ safe.
-
-3367. [bug] dns_dnsseckey_create() result was not being checked.
- [RT #30685]
-
-3366. [bug] Fixed Read-After-Write dependency violation for IA64
- atomic operations. [RT #25181]
-
-3365. [bug] Removed spurious newlines from log messages in
- zone.c [RT #30675]
-
-3364. [security] Named could die on specially crafted record.
- [RT #30416]
-
-3363. [bug] Need to allow "forward" and "fowarders" options
- in static-stub zones; this had been overlooked.
- [RT #30482]
-
-3362. [bug] Setting some option values to 0 in named.conf
- could trigger an assertion failure on startup.
- [RT #27730]
-
-3361. [bug] "rndc signing -nsec3param" didn't work correctly
- when salt was set to '-' (no salt). [RT #30099]
-
-3360. [bug] 'host -w' could die. [RT #18723]
-
-3359. [bug] An improperly-formed TSIG secret could cause a
- memory leak. [RT #30607]
-
-3358. [placeholder]
-
-3357. [port] Add support for libxml2-2.8.x [RT #30440]
-
-3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
- approaching their expiry, so they don't remain
- in caches after expiry. [RT #26429]
-
-3355. [port] Use more portable awk in verify system test.
-
-3354. [func] Improve OpenSSL error logging. [RT #29932]
-
-3353. [bug] Use a single task for task exclusive operations.
- [RT #29872]
-
-3352. [bug] Ensure that learned server attributes timeout of the
- adb cache. [RT #29856]
-
-3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
- caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
- memory debugging flags are set. [RT #30243]
-
-3350. [bug] Memory read overrun in isc___mem_reallocate if
- ISC_MEM_DEBUGCTX memory debugging flag is set.
- [RT #30240]
-
-3349. [bug] Change #3345 was incomplete. [RT #30233]
-
-3348. [bug] Prevent RRSIG data from being cached if a negative
- record matching the covering type exists at a higher
- trust level. Such data already can't be retrieved from
- the cache since change 3218 -- this prevents it
- being inserted into the cache as well. [RT #26809]
-
-3347. [bug] dnssec-settime: Issue a warning when writing a new
- private key file would cause a change in the
- permissions of the existing file. [RT #27724]
-
-3346. [security] Bad-cache data could be used before it was
- initialized, causing an assert. [RT #30025]
-
-3345. [bug] Addressed race condition when removing the last item
- or inserting the first item in an ISC_QUEUE.
- [RT #29539]
-
-3344. [func] New "dnssec-checkds" command checks a zone to
- determine which DS records should be published
- in the parent zone, or which DLV records should be
- published in a DLV zone, and queries the DNS to
- ensure that it exists. (Note: This tool depends
- on python; it will not be built or installed on
- systems that do not have a python interpreter.)
- [RT #28099]
-
-3343. [placeholder]
-
-3342. [bug] Change #3314 broke saving of stub zones to disk
- resulting in excessive cpu usage in some cases.
- [RT #29952]
-
-3341. [func] New "dnssec-verify" command checks a signed zone
- to ensure correctness of signatures and of NSEC/NSEC3
- chains. [RT #23673]
-
-3340. [func] Added new 'map' zone file format, which is an image
- of a zone database that can be loaded directly into
- memory via mmap(), allowing much faster zone loading.
- (Note: Because of pointer sizes and other
- considerations, this file format is platform-dependent;
- 'map' zone files cannot always be transferred from one
- server to another.) [RT #25419]
-
-3339. [func] Allow the maximum supported rsa exponent size to be
- specified: "max-rsa-exponent-size <value>;" [RT #29228]
-
-3338. [bug] Address race condition in units tests: asyncload_zone
- and asyncload_zt. [RT #26100]
-
-3337. [bug] Change #3294 broke support for the multiple keys
- in controls. [RT #29694]
-
-3336. [func] Maintain statistics for RRsets tagged as "stale".
- [RT #29514]
-
-3335. [func] nslookup: return a nonzero exit code when unable
- to get an answer. [RT #29492]
-
-3334. [bug] Hold a zone table reference while performing a
- asynchronous load of a zone. [RT #28326]
-
-3333. [bug] Setting resolver-query-timeout too low can cause
- named to not recover if it loses connectivity.
- [RT #29623]
-
-3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
-
-3331. [security] dns_rdataslab_fromrdataset could produce bad
- rdataslabs. [RT #29644]
-
-3330. [func] Fix missing signatures on NOERROR results despite
- RPZ rewriting. Also
- - add optional "recursive-only yes|no" to the
- response-policy statement
- - add optional "max-policy-ttl" to the response-policy
- statement to limit the false data that
- "recursive-only no" can introduce into
- resolvers' caches
- - add a RPZ performance test to bin/tests/system/rpz
- when queryperf is available.
- - the encoding of PASSTHRU action to "rpz-passthru".
- (The old encoding is still accepted.)
- [RT #26172]
-
-
-3329. [bug] Handle RRSIG signer-name case consistently: We
- generate RRSIG records with the signer-name in
- lower case. We accept them with any case, but if
- they fail to validate, we try again in lower case.
- [RT #27451]
-
-3328. [bug] Fixed inconsistent data checking in dst_parse.c.
- [RT #29401]
-
-3327. [func] Added 'filter-aaaa-on-v6' option; this is similar
- to 'filter-aaaa-on-v4' but applies to IPv6
- connections. (Use "configure --enable-filter-aaaa"
- to enable this option.) [RT #27308]
-
-3326. [func] Added task list statistics: task model, worker
- threads, quantum, tasks running, tasks ready.
- [RT #27678]
-
-3325. [func] Report cache statistics: memory use, number of
- nodes, number of hash buckets, hit and miss counts.
- [RT #27056]
-
-3324. [test] Add better tests for ADB stats [RT #27057]
-
-3323. [func] Report the number of buckets the resolver is using.
- [RT #27020]
-
-3322. [func] Monitor the number of active TCP and UDP dispatches.
- [RT #27055]
-
-3321. [func] Monitor the number of recursive fetches and the
- number of open sockets, and report these values in
- the statistics channel. [RT #27054]
-
-3320. [func] Added support for monitoring of recursing client
- count. [RT #27009]
-
-3319. [func] Added support for monitoring of ADB entry count and
- hash size. [RT #27057]
-
-3318. [tuning] Reduce the amount of work performed while holding a
- bucket lock when finished with a fetch context.
- [RT #29239]
-
-3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
-
-3316. [tuning] Improved locking performance when recursing.
- [RT #28836]
-
-3315. [tuning] Use multiple dispatch objects for sending upstream
- queries; this can improve performance on busy
- multiprocessor systems by reducing lock contention.
- [RT #28605]
-
-3314. [bug] The masters list could be updated while stub_callback
- or refresh_callback were using it. [RT #26732]
-
-3313. [protocol] Add TLSA record type. [RT #28989]
-
-3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
- [RT #27631]
-
-3311. [bug] Abort the zone dump if zone->db is NULL in
- zone.c:zone_gotwritehandle. [RT #29028]
-
-3310. [test] Increase table size for mutex profiling. [RT #28809]
-
-3309. [bug] resolver.c:fctx_finddone() was not thread safe.
- [RT #27995]
-
-3308. [placeholder]
-
-3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
- [RT #28956]
-
-3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
-
-3305. [func] Add wire format lookup method to sdb. [RT #28563]
-
-3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
- [RT #28571]
-
-3303. [bug] named could die when reloading. [RT #28606]
-
-3302. [bug] dns_dnssec_findmatchingkeys could fail to find
- keys if the zone name contained character that
- required special mappings. [RT #28600]
-
-3301. [contrib] Update queryperf to build on darwin. Add -R flag
- for non-recursive queries. [RT #28565]
-
-3300. [bug] Named could die if gssapi was enabled in named.conf
- but was not compiled in. [RT #28338]
-
-3299. [bug] Make SDB handle errors from database drivers better.
- [RT #28534]
-
-3298. [bug] Named could dereference a NULL pointer in
- zmgr_start_xfrin_ifquota if the zone was being removed.
- [RT #28419]
-
-3297. [bug] Named could die on a malformed master file. [RT #28467]
-
-3296. [bug] Named could die with a INSIST failure in
- client.c:exit_check. [RT #28346]
-
-3295. [bug] Adjust isc_time_secondsastimet range check to be more
- portable. [RT # 26542]
-
-3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
- error. [RT #28265]
-
-3293. [func] nsupdate: list supported type. [RT #28261]
-
-3292. [func] Log messages in the axfr stream at debug 10.
- [RT #28040]
-
-3291. [port] Fixed a build error on systems without ENOTSUP.
- [RT #28200]
-
-3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
-
-3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
-
-3288. [bug] dlz_destroy() function wasn't correctly registered
- by the DLZ dlopen driver. [RT #28056]
-
-3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
-
-3286. [bug] Managed key maintenance timer could fail to start
- after 'rndc reconfig'. [RT #26786]
-
-3285. [bug] val-frdataset was incorrectly disassociated in
- proveunsecure after calling startfinddlvsep.
- [RT #27928]
-
-3284. [bug] Address race conditions with the handling of
- rbtnode.deadlink. [RT #27738]
-
-3283. [bug] Raw zones with with more than 512 records in a RRset
- failed to load. [RT #27863]
-
-3282. [bug] Restrict the TTL of NS RRset to no more than that
- of the old NS RRset when replacing it.
- [RT #27792] [RT #27884]
-
-3281. [bug] SOA refresh queries could be treated as cancelled
- despite succeeding over the loopback interface.
- [RT #27782]
-
-3280. [bug] Potential double free of a rdataset on out of memory
- with DNS64. [RT #27762]
-
-3279. [bug] Hold a internal reference to the zone while performing
- a asynchronous load. Address potential memory leak
- if the asynchronous is cancelled. [RT #27750]
-
-3278. [bug] Make sure automatic key maintenance is started
- when "auto-dnssec maintain" is turned on during
- "rndc reconfig". [RT #26805]
-
-3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
-
-3276. [bug] win32: ns_os_openfile failed to return NULL on
- safe_open failure. [RT #27696]
-
-3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
- option had been misspelled as '-clear'. (To avoid
- future confusion, both options now work.) [RT #27173]
-
-3274. [placeholder]
-
-3273. [bug] AAAA responses could be returned in the additional
- section even when filter-aaaa-on-v4 was in use.
- [RT #27292]
-
-3272. [func] New "rndc zonestatus" command prints information
- about the specified zone. [RT #21671]
-
-3271. [port] darwin: mksymtbl is not always stable, loop several
- times before giving up. mksymtbl was using non
- portable perl to covert 64 bit hex strings. [RT #27653]
-
- --- 9.9.0rc2 released ---
-
-3270. [bug] "rndc reload" didn't reuse existing zones correctly
- when inline-signing was in use. [RT #27650]
-
-3269. [port] darwin 11 and later now built threaded by default.
-
-3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
- out the earliest expiry time. [RT #23311]
-
-3267. [bug] Memory allocation failures could be mis-reported as
- unexpected error. New ISC_R_UNSET result code.
- [RT #27336]
-
-3266. [bug] The maximum number of NSEC3 iterations for a
- DNSKEY RRset was not being properly computed.
- [RT #26543]
-
-3265. [bug] Corrected a problem with lock ordering in the
- inline-signing code. [RT #27557]
-
-3264. [bug] Automatic regeneration of signatures in an
- inline-signing zone could stall when the server
- was restarted. [RT #27344]
-
-3263. [bug] "rndc sync" did not affect the unsigned side of an
- inline-signing zone. [RT #27337]
-
-3262. [bug] Signed responses were handled incorrectly by RPZ.
- [RT #27316]
-
-3261. [func] RRset ordering now defaults to random. [RT #27174]
-
-3260. [bug] "rrset-order cyclic" could appear not to rotate
- for some query patterns. [RT #27170/27185]
-
- --- 9.9.0rc1 released ---
-
-3259. [bug] named-compilezone: Suppress "dump zone to <file>"
- message when writing to stdout. [RT #27109]
-
-3258. [test] Add "forcing full sign with unreadable keys" test.
- [RT #27153]
-
-3257. [bug] Do not generate a error message when calling fsync()
- in a pipe or socket. [RT #27109]
-
-3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
-
-3255. [func] No longer require that a empty zones be explicitly
- enabled or that a empty zone is disabled for
- RFC 1918 empty zones to be configured. [RT #27139]
-
-3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
- [RT #22249]
-
-3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
- too long. [RT #26956]
-
-3252. [bug] When master zones using inline-signing were
- updated while the server was offline, the source
- zone could fall out of sync with the signed
- copy. They can now resynchronize. [RT #26676]
-
-3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
- memory dns_sdlz_putrr() can allocate per record to
- prevent run away memory consumption on ISC_R_NOSPACE.
- [RT #26956]
-
-3250. [func] 'configure --enable-developer'; turn on various
- configure options, normally off by default, that
- we want developers to build and test with. [RT #27103]
-
-3249. [bug] Update log message when saving slave zones files for
- analysis after load failures. [RT #27087]
-
-3248. [bug] Configure options --enable-fixed-rrset and
- --enable-exportlib were incompatible with each
- other. [RT #27087]
-
-3247. [bug] 'raw' format zones failed to preserve load order
- breaking 'fixed' sort order. [RT #27087]
-
-3246. [bug] Named failed to start with a empty also-notify list.
- [RT #27087]
-
-3245. [bug] Don't report a error unchanged serials unless there
- were other changes when thawing a zone with
- ixfr-fromdifferences. [RT #26845]
-
-3244. [func] Added readline support to nslookup and nsupdate.
- Also simplified nsupdate syntax to make "update"
- and "prereq" optional. [RT #24659]
-
-3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
- being properly set.
-
-3242. [func] Extended the header of raw-format master files to
- include the serial number of the zone from which
- they were generated, if different (as in the case
- of inline-signing zones). This is to be used in
- inline-signing zones, to track changes between the
- unsigned and signed versions of the zone, which may
- have different serial numbers.
-
- (Note: raw zonefiles generated by this version of
- BIND are no longer compatible with prior versions.
- To generate a backward-compatible raw zonefile
- using dnssec-signzone or named-compilezone, specify
- output format "raw=0" instead of simply "raw".)
- [RT #26587]
-
-3241. [bug] Address race conditions in the resolver code.
- [RT #26889]
-
-3240. [bug] DNSKEY state change events could be missed. [RT #26874]
-
-3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
- timestamp. [RT #26883]
-
-3238. [bug] keyrdata was not being reinitialized in
- lib/dns/rbtdb.c:iszonesecure. [RT #26913]
-
-3237. [bug] dig -6 didn't work with +trace. [RT #26906]
-
-3236. [bug] Backed out changes #3182 and #3202, related to
- EDNS(0) fallback behavior. [RT #26416]
-
-3235. [func] dns_db_diffx, a extended dns_db_diff which returns
- the generated diff and optionally writes it to a
- journal. [RT #26386]
-
-3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
-
-3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
- [RT #26632]
-
-3232. [bug] Zero zone->curmaster before return in
- dns_zone_setmasterswithkeys(). [RT #26732]
-
-3231. [bug] named could fail to send a incompressible zone.
- [RT #26796]
-
-3230. [bug] 'dig axfr' failed to properly handle a multi-message
- axfr with a serial of 0. [RT #26796]
-
-3229. [bug] Fix local variable to struct var assignment
- found by CLANG warning.
-
-3228. [tuning] Dynamically grow symbol table to improve zone
- loading performance. [RT #26523]
-
-3227. [bug] Interim fix to make WKS's use of getprotobyname()
- and getservbyname() self thread safe. [RT #26232]
-
-3226. [bug] Address minor resource leakages. [RT #26624]
-
-3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
- messages. [RT #26507]
-
-3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
-
-3223. [bug] 'task_test privilege_drop' generated false positives.
- [RT #26766]
-
-3222. [cleanup] Replace dns_journal_{get,set}_bitws with
- dns_journal_{get,set}_sourceserial. [RT #26634]
-
-3221. [bug] Fixed a potential core dump on shutdown due to
- referencing fetch context after it's been freed.
- [RT #26720]
-
- --- 9.9.0b2 released ---
-
-3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
- could fail to set the database version correctly,
- causing an assertion failure. [RT #26180]
-
-3219. [bug] Disable NOEDNS caching following a timeout.
-
-3218. [security] Cache lookup could return RRSIG data associated with
- nonexistent records, leading to an assertion
- failure. [RT #26590]
-
-3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
-
-3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
-
-3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
-
-3214. [func] Add 'named -U' option to set the number of UDP
- listener threads per interface. [RT #26485]
-
-3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
-
-3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
- list prior to adding a reference to it leading a
- possible assertion failure. [RT #23219]
-
-3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
- option prints in single-line-per-record format.
- [RT #20287]
-
-3210. [bug] Canceling the oldest query due to recursive-client
- overload could trigger an assertion failure. [RT #26463]
-
-3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
-
-3208. [bug] 'dig -y' handle unknown tsig algorithm better.
- [RT #25522]
-
-3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
-
-3206. [cleanup] Add ISC information to log at start time. [RT #25484]
-
-3205. [func] Upgrade dig's defaults to better reflect modern
- nameserver behavior. Enable "dig +adflag" and
- "dig +edns=0" by default. Enable "+dnssec" when
- running "dig +trace". [RT #23497]
-
-3204. [bug] When a master server that has been marked as
- unreachable sends a NOTIFY, mark it reachable
- again. [RT #25960]
-
-3203. [bug] Increase log level to 'info' for validation failures
- from expired or not-yet-valid RRSIGs. [RT #21796]
-
-3202. [bug] NOEDNS caching on timeout was too aggressive.
- [RT #26416]
-
-3201. [func] 'rndc querylog' can now be given an on/off parameter
- instead of only being used as a toggle. [RT #18351]
-
-3200. [doc] Some rndc functions were undocumented or were
- missing from 'rndc -h' output. [RT #25555]
-
-3199. [func] When logging client information, include the name
- being queried. [RT #25944]
-
-3198. [doc] Clarified that dnssec-settime can alter keyfile
- permissions. [RT #24866]
-
-3197. [bug] Don't try to log the filename and line number when
- the config parser can't open a file. [RT #22263]
-
-3196. [bug] nsupdate: return nonzero exit code when target zone
- doesn't exist. [RT #25783]
-
-3195. [cleanup] Silence "file not found" warnings when loading
- managed-keys zone. [RT #26340]
-
-3194. [doc] Updated RFC references in the 'empty-zones-enable'
- documentation. [RT #25203]
-
-3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
- dnssec.h. [RT #26415]
-
-3192. [bug] A query structure could be used after being freed.
- [RT #22208]
-
-3191. [bug] Print NULL records using "unknown" format. [RT #26392]
-
-3190. [bug] Underflow in error handling in isc_mutexblock_init.
- [RT #26397]
-
-3189. [test] Added a summary report after system tests. [RT #25517]
-
-3188. [bug] zone.c:zone_refreshkeys() could fail to detach
- references correctly when errors occurred, causing
- a hang on shutdown. [RT #26372]
-
-3187. [port] win32: support for Visual Studio 2008. [RT #26356]
-
- --- 9.9.0b1 released ---
-
-3186. [bug] Version/db mismatch in rpz code. [RT #26180]
-
-3185. [func] New 'rndc signing' option for auto-dnssec zones:
- - 'rndc signing -list' displays the current
- state of signing operations
- - 'rndc signing -clear' clears the signing state
- records for keys that have fully signed the zone
- - 'rndc signing -nsec3param' sets the NSEC3
- parameters for the zone
- The 'rndc keydone' syntax is removed. [RT #23729]
-
-3184. [bug] named had excessive cpu usage when a redirect zone was
- configured. [RT #26013]
-
-3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
-
-3182. [bug] Auth servers behind firewalls which block packets
- greater than 512 bytes may cause other servers to
- perform poorly. Now, adb retains edns information
- and caches noedns servers. [RT #23392/24964]
-
-3181. [func] Inline-signing is now supported for master zones.
- [RT #26224]
-
-3180. [func] Local copies of slave zones are now saved in raw
- format by default, to improve startup performance.
- 'masterfile-format text;' can be used to override
- the default, if desired. [RT #25867]
-
-3179. [port] kfreebsd: build issues. [RT #26273]
-
-3178. [bug] A race condition introduced by change #3163 could
- cause an assertion failure on shutdown. [RT #26271]
-
-3177. [func] 'rndc keydone', remove the indicator record that
- named has finished signing the zone with the
- corresponding key. [RT #26206]
-
-3176. [doc] Corrected example code and added a README to the
- sample external DLZ module in contrib/dlz/example.
- [RT #26215]
-
-3175. [bug] Fix how DNSSEC positive wildcard responses from a
- NSEC3 signed zone are validated. Stop sending a
- unnecessary NSEC3 record when generating such
- responses. [RT #26200]
-
-3174. [bug] Always compute to revoked key tag from scratch.
- [RT #26186]
-
-3173. [port] Correctly validate root DS responses. [RT #25726]
-
-3172. [port] darwin 10.* and freebsd [89] are now built threaded by
- default.
-
-3171. [bug] Exclusively lock the task when adding a zone using
- 'rndc addzone'. [RT #25600]
-
- --- 9.9.0a3 released ---
-
-3170. [func] RPZ update:
- - fix precedence among competing rules
- - improve ARM text including documenting rule precedence
- - try to rewrite CNAME chains until first hit
- - new "rpz" logging channel
- - RDATA for CNAME rules can include wildcards
- - replace "NO-OP" named.conf policy override with
- "PASSTHRU" and add "DISABLED" override ("NO-OP"
- is still recognized)
- [RT #25172]
-
-3169. [func] Catch db/version mis-matches when calling dns_db_*().
- [RT #26017]
-
-3168. [bug] Nxdomain redirection could trigger an assert with
- a ANY query. [RT #26017]
-
-3167. [bug] Negative answers from forwarders were not being
- correctly tagged making them appear to not be cached.
- [RT #25380]
-
-3166. [bug] Upgrading a zone to support inline-signing failed.
- [RT #26014]
-
-3165. [bug] dnssec-signzone could generate new signatures when
- resigning, even when valid signatures were already
- present. [RT #26025]
-
-3164. [func] Enable DLZ modules to retrieve client information,
- so that responses can be changed depending on the
- source address of the query. [RT #25768]
-
-3163. [bug] Use finer-grained locking in client.c to address
- concurrency problems with large numbers of threads.
- [RT #26044]
-
-3162. [test] start.pl: modified to allow for "named.args" in
- ns*/ subdirectory to override stock arguments to
- named. Largely from RT #26044, but no separate ticket.
-
-3161. [bug] zone.c:del_sigs failed to always reset rdata leading
- assertion failures. [RT #25880]
-
-3160. [bug] When printing out a NSEC3 record in multiline form
- the newline was not being printed causing type codes
- to be run together. [RT #25873]
-
-3159. [bug] On some platforms, named could assert on startup
- when running in a chrooted environment without
- /proc. [RT #25863]
-
-3158. [bug] Recursive servers would prefer a particular UDP
- socket instead of using all available sockets.
- [RT #26038]
-
-3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
- the config file before pausing the server. [RT #21373]
-
-3156. [placeholder]
-
- --- 9.9.0a2 released ---
-
-3155. [bug] Fixed a build failure when using contrib DLZ
- drivers (e.g., mysql, postgresql, etc). [RT #25710]
-
-3154. [bug] Attempting to print an empty rdataset could trigger
- an assert. [RT #25452]
-
-3153. [func] Extend request-ixfr to zone level and remove the
- side effect of forcing an AXFR. [RT #25156]
-
-3152. [cleanup] Some versions of gcc and clang failed due to
- incorrect use of __builtin_expect. [RT #25183]
-
-3151. [bug] Queries for type RRSIG or SIG could be handled
- incorrectly. [RT #21050]
-
-3150. [func] Improved startup and reconfiguration time by
- enabling zones to load in multiple threads. [RT #25333]
-
-3149. [placeholder]
-
-3148. [bug] Processing of normal queries could be stalled when
- forwarding a UPDATE message. [RT #24711]
-
-3147. [func] Initial inline signing support. [RT #23657]
-
- --- 9.9.0a1 released ---
-
-3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
-
-3145. [test] Capture output of ATF unit tests in "./atf.out" if
- there were any errors while running them. [RT #25527]
-
-3144. [bug] dns_dbiterator_seek() could trigger an assert when
- used with a nonexistent database node. [RT #25358]
-
-3143. [bug] Silence clang compiler warnings. [RT #25174]
-
-3142. [bug] NAPTR is class agnostic. [RT #25429]
-
-3141. [bug] Silence spurious "zone serial (0) unchanged" messages
- associated with empty zones. [RT #25079]
-
-3140. [func] New command "rndc flushtree <name>" clears the
- specified name from the server cache along with
- all names under it. [RT #19970]
-
-3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
- for the hashing algorithms (md5, sha1 - sha512, and
- their hmac counterparts). [RT #25067]
-
-3138. [bug] Address memory leaks and out-of-order operations when
- shutting named down. [RT #25210]
-
-3137. [func] Improve hardware scalability by allowing multiple
- worker threads to process incoming UDP packets.
- This can significantly increase query throughput
- on some systems. [RT #22992]
-
-3136. [func] Add RFC 1918 reverse zones to the list of built-in
- empty zones switched on by the 'empty-zones-enable'
- option. [RT #24990]
-
-3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
- See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
- [RT #24950]
-
-3134. [bug] Improve the accuracy of dnssec-signzone's signing
- statistics. [RT #16030]
-
-3133. [bug] Change #3114 was incomplete. [RT #24577]
-
-3132. [placeholder]
-
-3131. [tuning] Improve scalability by allocating one zone task
- per 100 zones at startup time, rather than using a
- fixed-size task table. [RT #24406]
-
-3130. [func] Support alternate methods for managing a dynamic
- zone's serial number. Two methods are currently
- defined using serial-update-method, "increment"
- (default) and "unixtime". [RT #23849]
-
-3129. [bug] Named could crash on 'rndc reconfig' when
- allow-new-zones was set to yes and named ACLs
- were used. [RT #22739]
-
-3128. [func] Inserting an NSEC3PARAM via dynamic update in an
- auto-dnssec zone that has not been signed yet
- will cause it to be signed with the specified NSEC3
- parameters when keys are activated. The
- NSEC3PARAM record will not appear in the zone until
- it is signed, but the parameters will be stored.
- [RT #23684]
-
-3127. [bug] 'rndc thaw' will now remove a zone's journal file
- if the zone serial number has been changed and
- ixfr-from-differences is not in use. [RT #24687]
-
-3126. [security] Using DNAME record to generate replacements caused
- RPZ to exit with a assertion failure. [RT #24766]
-
-3125. [security] Using wildcard CNAME records as a replacement with
- RPZ caused named to exit with a assertion failure.
- [RT #24715]
-
-3124. [bug] Use an rdataset attribute flag to indicate
- negative-cache records rather than using rrtype 0;
- this will prevent problems when that rrtype is
- used in actual DNS packets. [RT #24777]
-
-3123. [security] Change #2912 exposed a latent flaw in
- dns_rdataset_totext() that could cause named to
- crash with an assertion failure. [RT #24777]
-
-3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
-
-3121. [security] An authoritative name server sending a negative
- response containing a very large RRset could
- trigger an off-by-one error in the ncache code
- and crash named. [RT #24650]
-
-3120. [bug] Named could fail to validate zones listed in a DLV
- that validated insecure without using DLV and had
- DS records in the parent zone. [RT #24631]
-
-3119. [bug] When rolling to a new DNSSEC key, a private-type
- record could be created and never marked complete.
- [RT #23253]
-
-3118. [bug] nsupdate could dump core on shutdown when using
- SIG(0) keys. [RT #24604]
-
-3117. [cleanup] Remove doc and parser references to the
- never-implemented 'auto-dnssec create' option.
- [RT #24533]
-
-3116. [func] New 'dnssec-update-mode' option controls updates
- of DNSSEC records in signed dynamic zones. Set to
- 'no-resign' to disable automatic RRSIG regeneration
- while retaining the ability to sign new or changed
- data. [RT #24533]
-
-3115. [bug] Named could fail to return requested data when
- following a CNAME that points into the same zone.
- [RT #24455]
-
-3114. [bug] Retain expired RRSIGs in dynamic zones if key is
- inactive and there is no replacement key. [RT #23136]
-
-3113. [doc] Document the relationship between serial-query-rate
- and NOTIFY messages.
-
-3112. [doc] Add missing descriptions of the update policy name
- types "ms-self", "ms-subdomain", "krb5-self" and
- "krb5-subdomain", which allow machines to update
- their own records, to the BIND 9 ARM.
-
-3111. [bug] Improved consistency checks for dnssec-enable and
- dnssec-validation, added test cases to the
- checkconf system test. [RT #24398]
-
-3110. [bug] dnssec-signzone: Wrong error message could appear
- when attempting to sign with no KSK. [RT #24369]
-
-3109. [func] The also-notify option now uses the same syntax
- as a zone's masters clause. This means it is
- now possible to specify a TSIG key to use when
- sending notifies to a given server, or to include
- an explicit named masters list in an also-notify
- statement. [RT #23508]
-
-3108. [cleanup] dnssec-signzone: Clarified some error and
- warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
- code (use -P instead). [RT #20852]
-
-3107. [bug] dnssec-signzone: Report the correct number of ZSKs
- when using -x. [RT #20852]
-
-3106. [func] When logging client requests, include the name of
- the TSIG key if any. [RT #23619]
-
-3105. [bug] GOST support can be suppressed by "configure
- --without-gost" [RT #24367]
-
-3104. [bug] Better support for cross-compiling. [RT #24367]
-
-3103. [bug] Configuring 'dnssec-validation auto' in a view
- instead of in the options statement could trigger
- an assertion failure in named-checkconf. [RT #24382]
-
-3102. [func] New 'dnssec-loadkeys-interval' option configures
- how often, in minutes, to check the key repository
- for updates when using automatic key maintenance.
- Default is every 60 minutes (formerly hard-coded
- to 12 hours). [RT #23744]
-
-3101. [bug] Zones using automatic key maintenance could fail
- to check the key repository for updates. [RT #23744]
-
-3100. [security] Certain response policy zone configurations could
- trigger an INSIST when receiving a query of type
- RRSIG. [RT #24280]
-
-3099. [test] "dlz" system test now runs but gives R:SKIPPED if
- not compiled with --with-dlz-filesystem. [RT #24146]
-
-3098. [bug] DLZ zones were answering without setting the AA bit.
- [RT #24146]
-
-3097. [test] Add a tool to test handling of malformed packets.
- [RT #24096]
-
-3096. [bug] Set KRB5_KTNAME before calling log_cred() in
- dst_gssapi_acceptctx(). [RT #24004]
-
-3095. [bug] Handle isolated reserved ports in the port range.
- [RT #23957]
-
-3094. [doc] Expand dns64 documentation.
-
-3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
-
-3092. [bug] Signatures for records at the zone apex could go
- stale due to an incorrect timer setting. [RT #23769]
-
-3091. [bug] Fixed a bug in which zone keys that were published
- and then subsequently activated could fail to trigger
- automatic signing. [RT #22911]
-
-3090. [func] Make --with-gssapi default [RT #23738]
-
-3089. [func] dnssec-dsfromkey now supports reading keys from
- standard input "dnssec-dsfromkey -f -". [RT #20662]
-
-3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
- and add setup.sh in order to resolve changing
- named.conf issue. [RT #23687]
-
-3087. [bug] DDNS updates using SIG(0) with update-policy match
- type "external" could cause a crash. [RT #23735]
-
-3086. [bug] Running dnssec-settime -f on an old-style key will
- now force an update to the new key format even if no
- other change has been specified, using "-P now -A now"
- as default values. [RT #22474]
-
-3085. [func] New '-R' option in dnssec-signzone forces removal
- of signatures which have not yet expired but
- were generated by a key that no longer exists.
- [RT #22471]
-
-3084. [func] A new command "rndc sync" dumps pending changes in
- a dynamic zone to disk; "rndc sync -clean" also
- removes the journal file after syncing. Also,
- "rndc freeze" no longer removes journal files.
- [RT #22473]
-
-3083. [bug] NOTIFY messages were not being sent when generating
- a NSEC3 chain incrementally. [RT #23702]
-
-3082. [port] strtok_r is threads only. [RT #23747]
-
-3081. [bug] Failure of DNAME substitution did not return
- YXDOMAIN. [RT #23591]
-
-3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
- [RT #23587]
-
-3079. [bug] Handle isc_event_allocate failures in t_tasks.
- [RT #23572]
-
-3078. [func] Added a new include file with function typedefs
- for the DLZ "dlopen" driver. [RT #23629]
-
-3077. [bug] zone.c:zone_refreshkeys() incorrectly called
- dns_zone_attach(), use zone->irefs instead. [RT #23303]
-
-3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
- dnssec-keyfromlabel sets the default TTL of the
- key. When possible, automatic signing will use that
- TTL when the key is published. [RT #23304]
-
-3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
- timestamp when determining which keys are active.
- [RT #23642]
-
-3074. [bug] Make the adb cache read through for zone data and
- glue learn for zone named is authoritative for.
- [RT #22842]
-
-3073. [bug] managed-keys changes were not properly being recorded.
- [RT #20256]
-
-3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
- [RT #20256]
-
-3071. [bug] has_nsec could be used uninitialized in
- update.c:next_active. [RT #20256]
-
-3070. [bug] dnssec-signzone potential NULL pointer dereference.
- [RT #20256]
-
-3069. [cleanup] Silence warnings messages from clang static analysis.
- [RT #20256]
-
-3068. [bug] Named failed to build with a OpenSSL without engine
- support. [RT #23473]
-
-3067. [bug] ixfr-from-differences {master|slave}; failed to
- select the master/slave zones. [RT #23580]
-
-3066. [func] The DLZ "dlopen" driver is now built by default,
- no longer requiring a configure option. To
- disable it, use "configure --without-dlopen".
- Driver also supported on win32. [RT #23467]
-
-3065. [bug] RRSIG could have time stamps too far in the future.
- [RT #23356]
-
-3064. [bug] powerpc: add sync instructions to the end of atomic
- operations. [RT #23469]
-
-3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
-
-3062. [func] Made several changes to enhance human readability
- of DNSSEC data in dig output and in generated
- zone files:
- - DNSKEY record comments are more verbose, no
- longer used in multiline mode only
- - multiline RRSIG records reformatted
- - multiline output mode for NSEC3PARAM records
- - "dig +norrcomments" suppresses DNSKEY comments
- - "dig +split=X" breaks hex/base64 records into
- fields of width X; "dig +nosplit" disables this.
- [RT #22820]
-
-3061. [func] New option "dnssec-signzone -D", only write out
- generated DNSSEC records. [RT #22896]
-
-3060. [func] New option "dnssec-signzone -X <date>" allows
- specification of a separate expiration date
- for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
-
-3059. [test] Added a regression test for change #3023.
-
-3058. [bug] Cause named to terminate at startup or rndc reconfig/
- reload to fail, if a log file specified in the conf
- file isn't a plain file. [RT #22771]
-
-3057. [bug] "rndc secroots" would abort after the first error
- and so could miss some views. [RT #23488]
-
-3056. [func] Added support for URI resource record. [RT #23386]
-
-3055. [placeholder]
-
-3054. [bug] Added elliptic curve support check in
- GOST OpenSSL engine detection. [RT #23485]
-
-3053. [bug] Under a sustained high query load with a finite
- max-cache-size, it was possible for cache memory
- to be exhausted and not recovered. [RT #23371]
-
-3052. [test] Fixed last autosign test report. [RT #23256]
-
-3051. [bug] NS records obscure DNAME records at the bottom of the
- zone if both are present. [RT #23035]
-
-3050. [bug] The autosign system test was timing dependent.
- Wait for the initial autosigning to complete
- before running the rest of the test. [RT #23035]
-
-3049. [bug] Save and restore the gid when creating creating
- named.pid at startup. [RT #23290]
-
-3048. [bug] Fully separate view key management. [RT #23419]
-
-3047. [bug] DNSKEY NODATA responses not cached fixed in
- validator.c. Tests added to dnssec system test.
- [RT #22908]
-
-3046. [bug] Use RRSIG original TTL to compute validated RRset
- and RRSIG TTL. [RT #23332]
-
-3045. [removed] Replaced by change #3050.
-
-3044. [bug] Hold the socket manager lock while freeing the socket.
- [RT #23333]
-
-3043. [test] Merged in the NetBSD ATF test framework (currently
- version 0.12) for development of future unit tests.
- Use configure --with-atf to build ATF internally
- or configure --with-atf=prefix to use an external
- copy. [RT #23209]
-
-3042. [bug] dig +trace could fail attempting to use IPv6
- addresses on systems with only IPv4 connectivity.
- [RT #23297]
-
-3041. [bug] dnssec-signzone failed to generate new signatures on
- ttl changes. [RT #23330]
-
-3040. [bug] Named failed to validate insecure zones where a node
- with a CNAME existed between the trust anchor and the
- top of the zone. [RT #23338]
-
-3039. [func] Redirect on NXDOMAIN support. [RT #23146]
-
-3038. [bug] Install <dns/rpz.h>. [RT #23342]
-
-3037. [doc] Update COPYRIGHT to contain all the individual
- copyright notices that cover various parts.
-
-3036. [bug] Check built-in zone arguments to see if the zone
- is re-usable or not. [RT #21914]
-
-3035. [cleanup] Simplify by using strlcpy. [RT #22521]
-
-3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
-
-3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
- [RT #22521]
-
-3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
-
-3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
- [RT #22521]
-
-3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
- [RT #22521]
-
-3029. [bug] isc_netaddr_format() handle a zero sized buffer.
- [RT #22521]
-
-3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
- [RT #22521]
-
-3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
- catch NULL pointer dereferences before they happen.
- [RT #22521]
-
-3026. [bug] lib/isc/httpd.c: check that we have enough space
- after calling grow_headerspace() and if not
- re-call grow_headerspace() until we do. [RT #22521]
-
-3025. [bug] Fixed a possible deadlock due to zone resigning.
- [RT #22964]
-
-3024. [func] RTT Banding removed due to minor security increase
- but major impact on resolver latency. [RT #23310]
-
-3023. [bug] Named could be left in an inconsistent state when
- receiving multiple AXFR response messages that were
- not all TSIG-signed. [RT #23254]
-
-3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
- [RT #23246]
-
-3021. [bug] Change #3010 was incomplete. [RT #22296]
-
-3020. [bug] auto-dnssec failed to correctly update the zone when
- changing the DNSKEY RRset. [RT #23232]
-
-3019. [test] Test: check apex NSEC3 records after adding DNSKEY
- record via UPDATE. [RT #23229]
-
-3018. [bug] Named failed to check for the "none;" acl when deciding
- if a zone may need to be re-signed. [RT #23120]
-
-3017. [doc] dnssec-keyfromlabel -I was not properly documented.
- [RT #22887]
-
-3016. [bug] rndc usage missing '-b'. [RT #22937]
-
-3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
- IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
-
-3014. [placeholder]
-
-3013. [bug] The DNS64 ttl was not always being set as expected.
- [RT #23034]
-
-3012. [bug] Remove DNSKEY TTL change pairs before generating
- signing records for any remaining DNSKEY changes.
- [RT #22590]
-
-3011. [func] Change the default query timeout from 30 seconds
- to 10. Allow setting this in named.conf using the new
- 'resolver-query-timeout' option, which specifies a max
- time in seconds. 0 means 'default' and anything longer
- than 30 will be silently set to 30. [RT #22852]
-
-3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
- for refreshing managed-keys. [RT #22296]
-
-3009. [bug] clients-per-query code didn't work as expected with
- particular query patterns. [RT #22972]
-
- --- 9.8.0b1 released ---
-
-3008. [func] Response policy zones (RPZ) support. [RT #21726]
-
-3007. [bug] Named failed to preserve the case of domain names in
- rdata which is not compressible when writing master
- files. [RT #22863]
-
-3006. [func] Allow dynamically generated TSIG keys to be preserved
- across restarts of named. Initially this is for
- TSIG keys generated using GSSAPI. [RT #22639]
-
-3005. [port] Solaris: Work around the lack of
- gsskrb5_register_acceptor_identity() by setting
- the KRB5_KTNAME environment variable to the
- contents of tkey-gssapi-keytab. Also fixed
- test errors on MacOSX. [RT #22853]
-
-3004. [func] DNS64 reverse support. [RT #22769]
-
-3003. [experimental] Added update-policy match type "external",
- enabling named to defer the decision of whether to
- allow a dynamic update to an external daemon.
- (Contributed by Andrew Tridgell.) [RT #22758]
-
-3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
- [RT #22766]
-
-3001. [func] Added a default trust anchor for the root zone, which
- can be switched on by setting "dnssec-validation auto;"
- in the named.conf options. [RT #21727]
-
-3000. [bug] More TKEY/GSS fixes:
- - nsupdate can now get the default realm from
- the user's Kerberos principal
- - corrected gsstest compilation flags
- - improved documentation
- - fixed some NULL dereferences
- [RT #22795]
-
-2999. [func] Add GOST support (RFC 5933). [RT #20639]
-
-2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
- to the task api. [RT #22776]
-
-2997. [func] named -V now reports the OpenSSL and libxml2 versions
- it was compiled against. [RT #22687]
-
-2996. [security] Temporarily disable SO_ACCEPTFILTER support.
- [RT #22589]
-
-2995. [bug] The Kerberos realm was not being correctly extracted
- from the signer's identity. [RT #22770]
-
-2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
- do not use threads on earlier versions. Also kill
- the unproven-pthreads, mit-pthreads, and ptl2 support.
-
-2993. [func] Dynamically grow adb hash tables. [RT #21186]
-
-2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
- for looking at a secure delegation. [RT #22059]
-
-2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
- dynamic zones. [RT #22365]
-
-2990. [bug] 'dnssec-settime -S' no longer tests prepublication
- interval validity when the interval is set to 0.
- [RT #22761]
-
-2989. [func] Added support for writable DLZ zones. (Contributed
- by Andrew Tridgell of the Samba project.) [RT #22629]
-
-2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
- of external DLZ drivers that can be loaded as
- shared objects at runtime rather than linked with
- named. Currently this is switched on via a
- compile-time option, "configure --with-dlz-dlopen".
- Note: the syntax for configuring DLZ zones
- is likely to be refined in future releases.
- (Contributed by Andrew Tridgell of the Samba
- project.) [RT #22629]
-
-2987. [func] Improve ease of configuring TKEY/GSS updates by
- adding a "tkey-gssapi-keytab" option. If set,
- updates will be allowed with any key matching
- a principal in the specified keytab file.
- "tkey-gssapi-credential" is no longer required
- and is expected to be deprecated. (Contributed
- by Andrew Tridgell of the Samba project.)
- [RT #22629]
-
-2986. [func] Add new zone type "static-stub". It's like a stub
- zone, but the nameserver names and/or their IP
- addresses are statically configured. [RT #21474]
-
-2985. [bug] Add a regression test for change #2896. [RT #21324]
-
-2984. [bug] Don't run MX checks when the target of the MX record
- is ".". [RT #22645]
-
-2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
-
- --- 9.8.0a1 released ---
-
-2982. [bug] Reference count dst keys. dst_key_attach() can be used
- increment the reference count.
-
- Note: dns_tsigkey_createfromkey() callers should now
- always call dst_key_free() rather than setting it
- to NULL on success. [RT #22672]
-
-2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
-
-2980. [bug] named didn't properly handle UPDATES that changed the
- TTL of the NSEC3PARAM RRset. [RT #22363]
-
-2979. [bug] named could deadlock during shutdown if two
- "rndc stop" commands were issued at the same
- time. [RT #22108]
-
-2978. [port] hpux: look for <devpoll.h> [RT #21919]
-
-2977. [bug] 'nsupdate -l' report if the session key is missing.
- [RT #21670]
-
-2976. [bug] named could die on exit after negotiating a GSS-TSIG
- key. [RT #22573]
-
-2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
- wrong lock which could lead to server deadlock.
- [RT #22614]
-
-2974. [bug] Some valid UPDATE requests could fail due to a
- consistency check examining the existing version
- of the zone rather than the new version resulting
- from the UPDATE. [RT #22413]
-
-2973. [bug] bind.keys.h was being removed by the "make clean"
- at the end of configure resulting in build failures
- where there is very old version of perl installed.
- Move it to "make maintainer-clean". [RT #22230]
-
-2972. [bug] win32: address windows socket errors. [RT #21906]
-
-2971. [bug] Fixed a bug that caused journal files not to be
- compacted on Windows systems as a result of
- non-POSIX-compliant rename() semantics. [RT #22434]
-
-2970. [security] Adding a NO DATA negative cache entry failed to clear
- any matching RRSIG records. A subsequent lookup of
- of NO DATA cache entry could trigger a INSIST when the
- unexpected RRSIG was also returned with the NO DATA
- cache entry.
-
- CVE-2010-3613, VU#706148. [RT #22288]
-
-2969. [security] Fix acl type processing so that allow-query works
- in options and view statements. Also add a new
- set of tests to verify proper functioning.
-
- CVE-2010-3615, VU#510208. [RT #22418]
-
-2968. [security] Named could fail to prove a data set was insecure
- before marking it as insecure. One set of conditions
- that can trigger this occurs naturally when rolling
- DNSKEY algorithms.
-
- CVE-2010-3614, VU#837744. [RT #22309]
-
-2967. [bug] 'host -D' now turns on debugging messages earlier.
- [RT #22361]
-
-2966. [bug] isc_print_vsnprintf() failed to check if there was
- space available in the buffer when adding a left
- justified character with a non zero width,
- (e.g. "%-1c"). [RT #22270]
-
-2965. [func] Test HMAC functions using test data from RFC 2104 and
- RFC 4634. [RT #21702]
-
-2964. [placeholder]
-
-2963. [security] The allow-query acl was being applied instead of the
- allow-query-cache acl to cache lookups. [RT #22114]
-
-2962. [port] win32: add more dependencies to BINDBuild.dsw.
- [RT #22062]
-
-2961. [bug] Be still more selective about the non-authoritative
- answers we apply change 2748 to. [RT #22074]
-
-2960. [func] Check that named accepts non-authoritative answers.
- [RT #21594]
-
-2959. [func] Check that named starts with a missing masterfile.
- [RT #22076]
-
-2958. [bug] named failed to start with a missing master file.
- [RT #22076]
-
-2957. [bug] entropy_get() and entropy_getpseudo() failed to match
- the API for RAND_bytes() and RAND_pseudo_bytes()
- respectively. [RT #21962]
-
-2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
-
-2955. [func] Provide more detail in the recursing log. [RT #22043]
-
-2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
- build_sqldbinstance failure. [RT #21623]
-
-2953. [bug] Silence spurious "expected covering NSEC3, got an
- exact match" message when returning a wildcard
- no data response. [RT #21744]
-
-2952. [port] win32: named-checkzone and named-checkconf failed
- to initialize winsock. [RT #21932]
-
-2951. [bug] named failed to generate a correct signed response
- in a optout, delegation only zone with no secure
- delegations. [RT #22007]
-
-2950. [bug] named failed to perform a SOA up to date check when
- falling back to TCP on UDP timeouts when
- ixfr-from-differences was set. [RT #21595]
-
-2949. [bug] dns_view_setnewzones() contained a memory leak if
- it was called multiple times. [RT #21942]
-
-2948. [port] MacOS: provide a mechanism to configure the test
- interfaces at reboot. See bin/tests/system/README
- for details.
-
-2947. [placeholder]
-
-2946. [doc] Document the default values for the minimum and maximum
- zone refresh and retry values in the ARM. [RT #21886]
-
-2945. [doc] Update empty-zones list in ARM. [RT #21772]
-
-2944. [maint] Remove ORCHID prefix from built in empty zones.
- [RT #21772]
-
-2943. [func] Add support to load new keys into managed zones
- without signing immediately with "rndc loadkeys".
- Add support to link keys with "dnssec-keygen -S"
- and "dnssec-settime -S". [RT #21351]
-
-2942. [contrib] zone2sqlite failed to setup the entropy sources.
- [RT #21610]
-
-2941. [bug] sdb and sdlz (dlz's zone database) failed to support
- DNAME at the zone apex. [RT #21610]
-
-2940. [port] Remove connection aborted error message on
- Windows. [RT #21549]
-
-2939. [func] Check that named successfully skips NSEC3 records
- that fail to match the NSEC3PARAM record currently
- in use. [RT #21868]
-
-2938. [bug] When generating signed responses, from a signed zone
- that uses NSEC3, named would use a uninitialized
- pointer if it needed to skip a NSEC3 record because
- it didn't match the selected NSEC3PARAM record for
- zone. [RT #21868]
-
-2937. [bug] Worked around an apparent race condition in over
- memory conditions. Without this fix a DNS cache DB or
- ADB could incorrectly stay in an over memory state,
- effectively refusing further caching, which
- subsequently made a BIND 9 caching server unworkable.
- This fix prevents this problem from happening by
- polling the state of the memory context, rather than
- making a copy of the state, which appeared to cause
- a race. This is a "workaround" in that it doesn't
- solve the possible race per se, but several experiments
- proved this change solves the symptom. Also, the
- polling overhead hasn't been reported to be an issue.
- This bug should only affect a caching server that
- specifies a finite max-cache-size. It's also quite
- likely that the bug happens only when enabling threads,
- but it's not confirmed yet. [RT #21818]
-
-2936. [func] Improved configuration syntax and multiple-view
- support for addzone/delzone feature (see change
- #2930). Removed "new-zone-file" option, replaced
- with "allow-new-zones (yes|no)". The new-zone-file
- for each view is now created automatically, with
- a filename generated from a hash of the view name.
- It is no longer necessary to "include" the
- new-zone-file in named.conf; this happens
- automatically. Zones that were not added via
- "rndc addzone" can no longer be removed with
- "rndc delzone". [RT #19447]
-
-2935. [bug] nsupdate: improve 'file not found' error message.
- [RT #21871]
-
-2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
- [RT #21871]
-
-2933. [bug] 'dig +nsid' used stack memory after it went out of
- scope. This could potentially result in a unknown,
- potentially malformed, EDNS option being sent instead
- of the desired NSID option. [RT #21781]
-
-2932. [cleanup] Corrected a numbering error in the "dnssec" test.
- [RT #21597]
-
-2931. [bug] Temporarily and partially disable change 2864
- because it would cause infinite attempts of RRSIG
- queries. This is an urgent care fix; we'll
- revisit the issue and complete the fix later.
- [RT #21710]
-
-2930. [experimental] New "rndc addzone" and "rndc delzone" commands
- allow dynamic addition and deletion of zones.
- To enable this feature, specify a "new-zone-file"
- option at the view or options level in named.conf.
- Zone configuration information for the new zones
- will be written into that file. To make the new
- zones persist after a restart, "include" the file
- into named.conf in the appropriate view. (Note:
- This feature is not yet documented, and its syntax
- is expected to change.) [RT #19447]
-
-2929. [bug] Improved handling of GSS security contexts:
- - added LRU expiration for generated TSIGs
- - added the ability to use a non-default realm
- - added new "realm" keyword in nsupdate
- - limited lifetime of generated keys to 1 hour
- or the lifetime of the context (whichever is
- smaller)
- [RT #19737]
-
-2928. [bug] Be more selective about the non-authoritative
- answer we apply change 2748 to. [RT #21594]
-
-2927. [placeholder]
-
-2926. [placeholder]
-
-2925. [bug] Named failed to accept uncachable negative responses
- from insecure zones. [RT #21555]
-
-2924. [func] 'rndc secroots' dump a combined summary of the
- current managed keys combined with trusted keys.
- [RT #20904]
-
-2923. [bug] 'dig +trace' could drop core after "connection
- timeout". [RT #21514]
-
-2922. [contrib] Update zkt to version 1.0.
-
-2921. [bug] The resolver could attempt to destroy a fetch context
- too soon. [RT #19878]
-
-2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
- to IPv4 clients. New acl 'filter-aaaa' (default any).
-
-2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
- [RT #20840]
-
-2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
-
-2917. [func] Virtual time test framework. [RT #20801]
-
-2916. [func] Add framework to use IPv6 in tests.
- fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
-
-2915. [cleanup] Be smarter about which objects we attempt to compile
- based on configure options. [RT #21444]
-
-2914. [bug] Make the "autosign" system test more portable.
- [RT #20997]
-
-2913. [func] Add pkcs#11 system tests. [RT #20784]
-
-2912. [func] Windows clients don't like UPDATE responses that clear
- the zone section. [RT #20986]
-
-2911. [bug] dnssec-signzone didn't handle out of zone records well.
- [RT #21367]
-
-2910. [func] Sanity check Kerberos credentials. [RT #20986]
-
-2909. [bug] named-checkconf -p could die if "update-policy local;"
- was specified in named.conf. [RT #21416]
-
-2908. [bug] It was possible for re-signing to stop after removing
- a DNSKEY. [RT #21384]
-
-2907. [bug] The export version of libdns had undefined references.
- [RT #21444]
-
-2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
-
-2905. [port] aix: set use_atomic=yes with native compiler.
- [RT #21402]
-
-2904. [bug] When using DLV, sub-zones of the zones in the DLV,
- could be incorrectly marked as insecure instead of
- secure leading to negative proofs failing. This was
- a unintended outcome from change 2890. [RT #21392]
-
-2903. [bug] managed-keys-directory missing from namedconf.c.
- [RT #21370]
-
-2902. [func] Add regression test for change 2897. [RT #21040]
-
-2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
-
-2900. [bug] The placeholder negative caching element was not
- properly constructed triggering a INSIST in
- dns_ncache_towire(). [RT #21346]
-
-2899. [port] win32: Support linking against OpenSSL 1.0.0.
-
-2898. [bug] nslookup leaked memory when -domain=value was
- specified. [RT #21301]
-
-2897. [bug] NSEC3 chains could be left behind when transitioning
- to insecure. [RT #21040]
-
-2896. [bug] "rndc sign" failed to properly update the zone
- when adding a DNSKEY for publication only. [RT #21045]
-
-2895. [func] genrandom: add support for the generation of multiple
- files. [RT #20917]
-
-2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
-
-2893. [bug] Improve managed keys support. New named.conf option
- managed-keys-directory. [RT #20924]
-
-2892. [bug] Handle REVOKED keys better. [RT #20961]
-
-2891. [maint] Update empty-zones list to match
- draft-ietf-dnsop-default-local-zones-13. [RT #21099]
-
-2890. [bug] Handle the introduction of new trusted-keys and
- DS, DLV RRsets better. [RT #21097]
-
-2889. [bug] Elements of the grammar where not properly reported.
- [RT #21046]
-
-2888. [bug] Only the first EDNS option was displayed. [RT #21273]
-
-2887. [bug] Report the keytag times in UTC in the .key file,
- local time is presented as a comment within the
- comment. [RT #21223]
-
-2886. [bug] ctime() is not thread safe. [RT #21223]
-
-2885. [bug] Improve -fno-strict-aliasing support probing in
- configure. [RT #21080]
-
-2884. [bug] Insufficient validation in dns_name_getlabelsequence().
- [RT #21283]
-
-2883. [bug] 'dig +short' failed to handle really large datasets.
- [RT #21113]
-
-2882. [bug] Remove memory context from list of active contexts
- before clearing 'magic'. [RT #21274]
-
-2881. [bug] Reduce the amount of time the rbtdb write lock
- is held when closing a version. [RT #21198]
-
-2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
- consistent. [RT #21078]
-
-2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
- [RT #21106]
-
-2878. [func] Incrementally write the master file after performing
- a AXFR. [RT #21010]
-
-2877. [bug] The validator failed to skip obviously mismatching
- RRSIGs. [RT #21138]
-
-2876. [bug] Named could return SERVFAIL for negative responses
- from unsigned zones. [RT #21131]
-
-2875. [bug] dns_time64_fromtext() could accept non digits.
- [RT #21033]
-
-2874. [bug] Cache lack of EDNS support only after the server
- successfully responds to the query using plain DNS.
- [RT #20930]
-
-2873. [bug] Canceling a dynamic update via the dns/client module
- could trigger an assertion failure. [RT #21133]
-
-2872. [bug] Modify dns/client.c:dns_client_createx() to only
- require one of IPv4 or IPv6 rather than both.
- [RT #21122]
-
-2871. [bug] Type mismatch in mem_api.c between the definition and
- the header file, causing build failure with
- --enable-exportlib. [RT #21138]
-
-2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
-
-2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
- [RT #20877]
-
-2868. [cleanup] Run "make clean" at the end of configure to ensure
- any changes made by configure are integrated.
- Use --with-make-clean=no to disable. [RT #20994]
-
-2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
- don't like it. [RT #20986]
-
-2866. [bug] Windows does not like the TSIG name being compressed.
- [RT #20986]
-
-2865. [bug] memset to zero event.data. [RT #20986]
-
-2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
- [RT #21050]
-
-2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
- [RT #21056]
-
-2862. [bug] nsupdate didn't default to the parent zone when
- updating DS records. [RT #20896]
-
-2861. [doc] dnssec-settime man pages didn't correctly document the
- inactivation time. [RT #21039]
-
-2860. [bug] named-checkconf's usage was out of date. [RT #21039]
-
-2859. [bug] When canceling validation it was possible to leak
- memory. [RT #20800]
-
-2858. [bug] RTT estimates were not being adjusted on ICMP errors.
- [RT #20772]
-
-2857. [bug] named-checkconf did not fail on a bad trusted key.
- [RT #20705]
-
-2856. [bug] The size of a memory allocation was not always properly
- recorded. [RT #20927]
-
-2855. [func] nsupdate will now preserve the entered case of domain
- names in update requests it sends. [RT #20928]
-
-2854. [func] dig: allow the final soa record in a axfr response to
- be suppressed, dig +onesoa. [RT #20929]
-
-2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
-
-2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
-
-2851. [doc] nslookup.1, removed <informalexample> from the docbook
- source as it produced bad nroff. [RT #21007]
-
-2850. [bug] If isc_heap_insert() failed due to memory shortage
- the heap would have corrupted entries. [RT #20951]
-
-2849. [bug] Don't treat errors from the xml2 library as fatal.
- [RT #20945]
-
-2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
- README.rfc5011 into the ARM. [RT #20899]
-
-2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
-
-2846. [bug] EOF on unix domain sockets was not being handled
- correctly. [RT #20731]
-
-2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
-
-2844. [doc] notify-delay default in ARM was wrong. It should have
- been five (5) seconds.
-
-2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
- creating key files if there is a chance that the new
- key ID will collide with an existing one after
- either of the keys has been revoked. (To override
- this in the case of dnssec-keyfromlabel, use the -y
- option. dnssec-keygen will simply create a
- different, non-colliding key, so an override is
- not necessary.) [RT #20838]
-
-2842. [func] Added "smartsign" and improved "autosign" and
- "dnssec" regression tests. [RT #20865]
-
-2841. [bug] Change 2836 was not complete. [RT #20883]
-
-2840. [bug] Temporary fixed pkcs11-destroy usage check.
- [RT #20760]
-
-2839. [bug] A KSK revoked by named could not be deleted.
- [RT #20881]
-
-2838. [placeholder]
-
-2837. [port] Prevent Linux spurious warnings about fwrite().
- [RT #20812]
-
-2836. [bug] Keys that were scheduled to become active could
- be delayed. [RT #20874]
-
-2835. [bug] Key inactivity dates were inadvertently stored in
- the private key file with the outdated tag
- "Unpublish" rather than "Inactive". This has been
- fixed; however, any existing keys that had Inactive
- dates set will now need to have them reset, using
- 'dnssec-settime -I'. [RT #20868]
-
-2834. [bug] HMAC-SHA* keys that were longer than the algorithm
- digest length were used incorrectly, leading to
- interoperability problems with other DNS
- implementations. This has been corrected.
- (Note: If an oversize key is in use, and
- compatibility is needed with an older release of
- BIND, the new tool "isc-hmac-fixup" can convert
- the key secret to a form that will work with all
- versions.) [RT #20751]
-
-2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
- [RT #20851]
-
-2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
- to avoid redefinition in some OSs [RT 20831]
-
-2831. [security] Do not attempt to validate or cache
- out-of-bailiwick data returned with a secure
- answer; it must be re-fetched from its original
- source and validated in that context. [RT #20819]
-
-2830. [bug] Changing the OPTOUT setting could take multiple
- passes. [RT #20813]
-
-2829. [bug] Fixed potential node inconsistency in rbtdb.c.
- [RT #20808]
-
-2828. [security] Cached CNAME or DNAME RR could be returned to clients
- without DNSSEC validation. [RT #20737]
-
-2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
-
-2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
- being released. [RT #20740]
-
-2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
- was in the process of being created was not properly
- recorded in the zone. [RT #20786]
-
-2824. [bug] "rndc sign" was not being run by the correct task.
- [RT #20759]
-
-2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
-
-2822. [bug] rbtdb.c:loadnode() could return the wrong result.
- [RT #20802]
-
-2821. [doc] Add note that named-checkconf doesn't automatically
- read rndc.key and bind.keys [RT #20758]
-
-2820. [func] Handle read access failure of OpenSSL configuration
- file more user friendly (PKCS#11 engine patch).
- [RT #20668]
-
-2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
- [RT #20771]
-
-2818. [cleanup] rndc could return an incorrect error code
- when a zone was not found. [RT #20767]
-
-2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
- [RT #20768]
-
-2816. [bug] previous_closest_nsec() could fail to return
- data for NSEC3 nodes [RT #29730]
-
-2815. [bug] Exclusively lock the task when freezing a zone.
- [RT #19838]
-
-2814. [func] Provide a definitive error message when a master
- zone is not loaded. [RT #20757]
-
-2813. [bug] Better handling of unreadable DNSSEC key files.
- [RT #20710]
-
-2812. [bug] Make sure updates can't result in a zone with
- NSEC-only keys and NSEC3 records. [RT #20748]
-
-2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
- output. [RT #20733]
-
-2810. [doc] Clarified the process of transitioning an NSEC3 zone
- to insecure. [RT #20746]
-
-2809. [cleanup] Restored accidentally-deleted text in usage output
- in dnssec-settime and dnssec-revoke [RT #20739]
-
-2808. [bug] Remove the attempt to install atomic.h from lib/isc.
- atomic.h is correctly installed by the architecture
- specific subdirectories. [RT #20722]
-
-2807. [bug] Fixed a possible ASSERT when reconfiguring zone
- keys. [RT #20720]
-
- --- 9.7.0rc1 released ---
-
-2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
- when it had changed. [RT #20703]
-
-2805. [bug] Fixed namespace problems encountered when building
- external programs using non-exported BIND9 libraries
- (i.e., built without --enable-exportlib). [RT #20679]
-
-2804. [bug] Send notifies when a zone is signed with "rndc sign"
- or as a result of a scheduled key change. [RT #20700]
-
-2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
- and genrandom under windows. [RT #20670]
-
-2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
-
-2801. [func] Detect and report records that are different according
- to DNSSEC but are semantically equal according to plain
- DNS. Apply plain DNS comparisons rather than DNSSEC
- comparisons when processing UPDATE requests.
- dnssec-signzone now removes such semantically duplicate
- records prior to signing the RRset.
-
- named-checkzone -r {ignore|warn|fail} (default warn)
- named-compilezone -r {ignore|warn|fail} (default warn)
-
- named.conf: check-dup-records {ignore|warn|fail};
-
-2800. [func] Reject zones which have NS records which refer to
- CNAMEs, DNAMEs or don't have address record (class IN
- only). Reject UPDATEs which would cause the zone
- to fail the above checks if committed. [RT #20678]
-
-2799. [cleanup] Changed the "secure-to-insecure" option to
- "dnssec-secure-to-insecure", and "dnskey-ksk-only"
- to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
-
-2798. [bug] Addressed bugs in managed-keys initialization
- and rollover. [RT #20683]
-
-2797. [bug] Don't decrement the dispatch manager's maxbuffers.
- [RT #20613]
-
-2796. [bug] Missing dns_rdataset_disassociate() call in
- dns_nsec3_delnsec3sx(). [RT #20681]
-
-2795. [cleanup] Add text to differentiate "update with no effect"
- log messages. [RT #18889]
-
-2794. [bug] Install <isc/namespace.h>. [RT #20677]
-
-2793. [func] Add "autosign" and "metadata" tests to the
- automatic tests. [RT #19946]
-
-2792. [func] "filter-aaaa-on-v4" can now be set in view
- options (if compiled in). [RT #20635]
-
-2791. [bug] The installation of isc-config.sh was broken.
- [RT #20667]
-
-2790. [bug] Handle DS queries to stub zones. [RT #20440]
-
-2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
-
-2788. [bug] dnssec-signzone could sign with keys that were
- not requested [RT #20625]
-
-2787. [bug] Spurious log message when zone keys were
- dynamically reconfigured. [RT #20659]
-
-2786. [bug] Additional could be promoted to answer. [RT #20663]
-
- --- 9.7.0b3 released ---
-
-2785. [bug] Revoked keys could fail to self-sign [RT #20652]
-
-2784. [bug] TC was not always being set when required glue was
- dropped. [RT #20655]
-
-2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
- buffer size of 512 or less. [RT #20654]
-
-2782. [port] win32: use getaddrinfo() for hostname lookups.
- [RT #20650]
-
-2781. [bug] Inactive keys could be used for signing. [RT #20649]
-
-2780. [bug] dnssec-keygen -A none didn't properly unset the
- activation date in all cases. [RT #20648]
-
-2779. [bug] Dynamic key revocation could fail. [RT #20644]
-
-2778. [bug] dnssec-signzone could fail when a key was revoked
- without deleting the unrevoked version. [RT #20638]
-
-2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
-
-2776. [bug] Change #2762 was not correct. [RT #20647]
-
-2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
- in dnssec-keyfromlabel. [RT #20643]
-
-2774. [bug] Existing cache DB wasn't being reused after
- reconfiguration. [RT #20629]
-
-2773. [bug] In autosigned zones, the SOA could be signed
- with the KSK. [RT #20628]
-
-2772. [security] When validating, track whether pending data was from
- the additional section or not and only return it if
- validates as secure. [RT #20438]
-
-2771. [bug] dnssec-signzone: DNSKEY records could be
- corrupted when importing from key files [RT #20624]
-
-2770. [cleanup] Add log messages to resolver.c to indicate events
- causing FORMERR responses. [RT #20526]
-
-2769. [cleanup] Change #2742 was incomplete. [RT #19589]
-
-2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
-
-2767. [bug] named could crash on startup if a zone was
- configured with auto-dnssec and there was no
- key-directory. [RT #20615]
-
-2766. [bug] isc_socket_fdwatchpoke() should only update the
- socketmgr state if the socket is not pending on a
- read or write. [RT #20603]
-
-2765. [bug] Skip masters for which the TSIG key cannot be found.
- [RT #20595]
-
-2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
-
-2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
-
-2762. [bug] DLV validation failed with a local slave DLV zone.
- [RT #20577]
-
-2761. [cleanup] Enable internal symbol table for backtrace only for
- systems that are known to work. Currently, BSD
- variants, Linux and Solaris are supported. [RT #20202]
-
-2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
-
-2759. [doc] Add information about .jbk/.jnw files to
- the ARM. [RT #20303]
-
-2758. [bug] win32: Added a workaround for a windows 2008 bug
- that could cause the UDP client handler to shut
- down. [RT #19176]
-
-2757. [bug] dig: assertion failure could occur in connect
- timeout. [RT #20599]
-
-2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]
-
-2755. [placeholder]
-
-2754. [bug] Secure-to-insecure transitions failed when zone
- was signed with NSEC3. [RT #20587]
-
-2753. [bug] Removed an unnecessary warning that could appear when
- building an NSEC chain. [RT #20589]
-
-2752. [bug] Locking violation. [RT #20587]
-
-2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
-
-2750. [bug] dig: assertion failure could occur when a server
- didn't have an address. [RT #20579]
-
-2749. [bug] ixfr-from-differences generated a non-minimal ixfr
- for NSEC3 signed zones. [RT #20452]
-
-2748. [func] Identify bad answers from GTLD servers and treat them
- as referrals. [RT #18884]
-
-2747. [bug] Journal roll forwards failed to set the re-signing
- time of RRSIGs correctly. [RT #20541]
-
-2746. [port] hpux: address signed/unsigned expansion mismatch of
- dns_rbtnode_t.nsec. [RT #20542]
-
-2745. [bug] configure script didn't probe the return type of
- gai_strerror(3) correctly. [RT #20573]
-
-2744. [func] Log if a query was over TCP. [RT #19961]
-
-2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
- for a insecure delegation.
-
- --- 9.7.0b2 released ---
-
-2742. [cleanup] Clarify some DNSSEC-related log messages in
- validator.c. [RT #19589]
-
-2741. [func] Allow the dnssec-keygen progress messages to be
- suppressed (dnssec-keygen -q). Automatically
- suppress the progress messages when stdin is not
- a tty. [RT #20474]
-
-2740. [placeholder]
-
-2739. [cleanup] Clean up API for initializing and clearing trust
- anchors for a view. [RT #20211]
-
-2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
- test. [RT #20453]
-
-2737. [func] UPDATE requests can leak existence information.
- [RT #17261]
-
-2736. [func] Improve the performance of NSEC signed zones with
- more than a normal amount of glue below a delegation.
- [RT #20191]
-
-2735. [bug] dnssec-signzone could fail to read keys
- that were specified on the command line with
- full paths, but weren't in the current
- directory. [RT #20421]
-
-2734. [port] cygwin: arpaname did not compile. [RT #20473]
-
-2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
-
-2732. [func] Add optional filter-aaaa-on-v4 option, available
- if built with './configure --enable-filter-aaaa'.
- Filters out AAAA answers to clients connecting
- via IPv4. (This is NOT recommended for general
- use.) [RT #20339]
-
-2731. [func] Additional work on change 2709. The key parser
- will now ignore unrecognized fields when the
- minor version number of the private key format
- has been increased. It will reject any key with
- the major version number increased. [RT #20310]
-
-2730. [func] Have dnssec-keygen display a progress indication
- a la 'openssl genrsa' on standard error. Note
- when the first '.' is followed by a long stop
- one has the choice between slow generation vs.
- poor random quality, i.e., '-r /dev/urandom'.
- [RT #20284]
-
-2729. [func] When constructing a CNAME from a DNAME use the DNAME
- TTL. [RT #20451]
-
-2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
- dnssec-signzone now warn immediately if asked to
- write into a nonexistent directory. [RT #20278]
-
-2727. [func] The 'key-directory' option can now specify a relative
- path. [RT #20154]
-
-2726. [func] Added support for SHA-2 DNSSEC algorithms,
- RSASHA256 and RSASHA512. [RT #20023]
-
-2725. [doc] Added information about the file "managed-keys.bind"
- to the ARM. [RT #20235]
-
-2724. [bug] Updates to a existing node in secure zone using NSEC
- were failing. [RT #20448]
-
-2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
- isc_base64_totext(), didn't always mark regions of
- memory as fully consumed after conversion. [RT #20445]
-
-2722. [bug] Ensure that the memory associated with the name of
- a node in a rbt tree is not altered during the life
- of the node. [RT #20431]
-
-2721. [port] Have dst__entropy_status() prime the random number
- generator. [RT #20369]
-
-2720. [bug] RFC 5011 trust anchor updates could trigger an
- assert if the DNSKEY record was unsigned. [RT #20406]
-
-2719. [func] Skip trusted/managed keys for unsupported algorithms.
- [RT #20392]
-
-2718. [bug] The space calculations in opensslrsa_todns() were
- incorrect. [RT #20394]
-
-2717. [bug] named failed to update the NSEC/NSEC3 record when
- the last private type record was removed as a result
- of completing the signing the zone with a key.
- [RT #20399]
-
-2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
-
- --- 9.7.0b1 released ---
-
-2715. [bug] Require OpenSSL support to be explicitly disabled.
- [RT #20288]
-
-2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
- flags.
-
-2713. [bug] powerpc: atomic operations missing asm("ics") /
- __isync() calls.
-
-2712. [func] New 'auto-dnssec' zone option allows zone signing
- to be fully automated in zones configured for
- dynamic DNS. 'auto-dnssec allow;' permits a zone
- to be signed by creating keys for it in the
- key-directory and using 'rndc sign <zone>'.
- 'auto-dnssec maintain;' allows that too, plus it
- also keeps the zone's DNSSEC keys up to date
- according to their timing metadata. [RT #19943]
-
-2711. [port] win32: Add the bin/pkcs11 tools into the full
- build. [RT #20372]
-
-2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
- zone option cause a zone to be signed with only KSKs
- signing the DNSKEY RRset, not ZSKs. This reduces
- the size of a DNSKEY answer. [RT #20340]
-
-2709. [func] Added some data fields, currently unused, to the
- private key file format, to allow implementation
- of explicit key rollover in a future release
- without impairing backward or forward compatibility.
- [RT #20310]
-
-2708. [func] Insecure to secure and NSEC3 parameter changes via
- update are now fully supported and no longer require
- defines to enable. We now no longer overload the
- NSEC3PARAM flag field, nor the NSEC OPT bit at the
- apex. Secure to insecure changes are controlled by
- by the named.conf option 'secure-to-insecure'.
-
- Warning: If you had previously enabled support by
- adding defines at compile time to BIND 9.6 you should
- ensure that all changes that are in progress have
- completed prior to upgrading to BIND 9.7. BIND 9.7
- is not backwards compatible.
-
-2707. [func] dnssec-keyfromlabel no longer require engine name
- to be specified in the label if there is a default
- engine or the -E option has been used. Also, it
- now uses default algorithms as dnssec-keygen does
- (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
- [RT #20371]
-
-2706. [bug] Loading a zone with a very large NSEC3 salt could
- trigger an assert. [RT #20368]
-
-2705. [placeholder]
-
-2704. [bug] Serial of dynamic and stub zones could be inconsistent
- with their SOA serial. [RT #19387]
-
-2703. [func] Introduce an OpenSSL "engine" argument with -E
- for all binaries which can take benefit of
- crypto hardware. [RT #20230]
-
-2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
-
-2701. [doc] Correction to ARM: hmac-md5 is no longer the only
- supported TSIG key algorithm. [RT #18046]
-
-2700. [doc] The match-mapped-addresses option is discouraged.
- [RT #12252]
-
-2699. [bug] Missing lock in rbtdb.c. [RT #20037]
-
-2698. [placeholder]
-
-2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
- S_IFREG are defined after including <isc/stat.h>.
- [RT #20309]
-
-2696. [bug] named failed to successfully process some valid
- acl constructs. [RT #20308]
-
-2695. [func] DHCP/DDNS - update fdwatch code for use by
- DHCP. Modify the api to isc_sockfdwatch_t (the
- callback function for isc_socket_fdwatchcreate)
- to include information about the direction (read
- or write) and add isc_socket_fdwatchpoke.
- [RT #20253]
-
-2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
- [RT #19970]
-
-2693. [port] Add some noreturn attributes. [RT #20257]
-
-2692. [port] win32: 32/64 bit cleanups. [RT #20335]
-
-2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
- chain when re-signing a previously-signed zone.
- Use -u to modify NSEC3 parameters or switch
- between NSEC and NSEC3. [RT #20304]
-
-2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
- [RT #20315]
-
-2689. [bug] Correctly handle snprintf result. [RT #20306]
-
-2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
- to decide to fetch the destination address. [RT #20305]
-
-2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
- Also, added warnings when revoking a ZSK, as this is
- not defined by protocol (but is legal). [RT #19943]
-
-2686. [bug] dnssec-signzone should clean the old NSEC chain when
- signing with NSEC3 and vice versa. [RT #20301]
-
-2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
-
-2684. [cleanup] dig: formalize +ad and +cd as synonyms for
- +adflag and +cdflag. [RT #19305]
-
-2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
- the NSEC3 parameters used to sign the zone change.
- [RT #20246]
-
-2682. [bug] "configure --enable-symtable=all" failed to
- build. [RT #20282]
-
-2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
- decoded. [RT #20269]
-
-2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
-
-2679. [func] dig -k can now accept TSIG keys in named.conf
- format. [RT #20031]
-
-2678. [func] Treat DS queries as if "minimal-response yes;"
- was set. [RT #20258]
-
-2677. [func] Changes to key metadata behavior:
- - Keys without "publish" or "active" dates set will
- no longer be used for smart signing. However,
- those dates will be set to "now" by default when
- a key is created; to generate a key but not use
- it yet, use dnssec-keygen -G.
- - New "inactive" date (dnssec-keygen/settime -I)
- sets the time when a key is no longer used for
- signing but is still published.
- - The "unpublished" date (-U) is deprecated in
- favor of "deleted" (-D).
- [RT #20247]
-
-2676. [bug] --with-export-installdir should have been
- --with-export-includedir. [RT #20252]
-
-2675. [bug] dnssec-signzone could crash if the key directory
- did not exist. [RT #20232]
-
- --- 9.7.0a3 released ---
-
-2674. [bug] "dnssec-lookaside auto;" crashed if named was built
- without openssl. [RT #20231]
-
-2673. [bug] The managed-keys.bind zone file could fail to
- load due to a spurious result from sync_keyzone()
- [RT #20045]
-
-2672. [bug] Don't enable searching in 'host' when doing reverse
- lookups. [RT #20218]
-
-2671. [bug] Add support for PKCS#11 providers not returning
- the public exponent in RSA private keys
- (OpenCryptoki for instance) in
- dnssec-keyfromlabel. [RT #19294]
-
-2670. [bug] Unexpected connect failures failed to log enough
- information to be useful. [RT #20205]
-
-2669. [func] Update PKCS#11 support to support Keyper HSM.
- Update PKCS#11 patch to be against openssl-0.9.8i.
-
-2668. [func] Several improvements to dnssec-* tools, including:
- - dnssec-keygen and dnssec-settime can now set key
- metadata fields 0 (to unset a value, use "none")
- - dnssec-revoke sets the revocation date in
- addition to the revoke bit
- - dnssec-settime can now print individual metadata
- fields instead of always printing all of them,
- and can print them in unix epoch time format for
- use by scripts
- [RT #19942]
-
-2667. [func] Add support for logging stack backtrace on assertion
- failure (not available for all platforms). [RT #19780]
-
-2666. [func] Added an 'options' argument to dns_name_fromstring()
- (API change from 9.7.0a2). [RT #20196]
-
-2665. [func] Clarify syntax for managed-keys {} statement, add
- ARM documentation about RFC 5011 support. [RT #19874]
-
-2664. [bug] create_keydata() and minimal_update() in zone.c
- didn't properly check return values for some
- functions. [RT #19956]
-
-2663. [func] win32: allow named to run as a service using
- "NT AUTHORITY\LocalService" as the account. [RT #19977]
-
-2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
- returned a misleading error code when lwresd was
- down. [RT #20028]
-
-2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
- creating lwres context. [RT #20029]
-
-2660. [func] Add a new set of DNS libraries for non-BIND9
- applications. See README.libdns. [RT #19369]
-
-2659. [doc] Clarify dnssec-keygen doc: key name must match zone
- name for DNSSEC keys. [RT #19938]
-
-2658. [bug] dnssec-settime and dnssec-revoke didn't process
- key file paths correctly. [RT #20078]
-
-2657. [cleanup] Lower "journal file <path> does not exist, creating it"
- log level to debug 1. [RT #20058]
-
-2656. [func] win32: add a "tools only" check box to the installer
- which causes it to only install dig, host, nslookup,
- nsupdate and relevant DLLs. [RT #19998]
-
-2655. [doc] Document that key-directory does not affect
- bind.keys, rndc.key or session.key. [RT #20155]
-
-2654. [bug] Improve error reporting on duplicated names for
- deny-answer-xxx. [RT #20164]
-
-2653. [bug] Treat ENGINE_load_private_key() failures as key
- not found rather than out of memory. [RT #18033]
-
-2652. [func] Provide more detail about what record is being
- deleted. [RT #20061]
-
-2651. [bug] Dates could print incorrectly in K*.key files on
- 64-bit systems. [RT #20076]
-
-2650. [bug] Assertion failure in dnssec-signzone when trying
- to read keyset-* files. [RT #20075]
-
-2649. [bug] Set the domain for forward only zones. [RT #19944]
-
-2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
-
-2647. [bug] Remove unnecessary SOA updates when a new KSK is
- added. [RT #19913]
-
-2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
-
-2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
- which default to 64 bits. [RT #19927]
-
- --- 9.7.0a2 released ---
-
-2644. [bug] Change #2628 caused a regression on some systems;
- named was unable to write the PID file and would
- fail on startup. [RT #20001]
-
-2643. [bug] Stub zones interacted badly with NSEC3 support.
- [RT #19777]
-
-2642. [bug] nsupdate could dump core on solaris when reading
- improperly formatted key files. [RT #20015]
-
-2641. [bug] Fixed an error in parsing update-policy syntax,
- added a regression test to check it. [RT #20007]
-
-2640. [security] A specially crafted update packet will cause named
- to exit. [RT #20000]
-
-2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
-
-2638. [bug] Install arpaname. [RT #19957]
-
-2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
- [RT #19959]
-
-2636. [func] Simplify zone signing and key maintenance with the
- dnssec-* tools. Major changes:
- - all dnssec-* tools now take a -K option to
- specify a directory in which key files will be
- stored
- - DNSSEC can now store metadata indicating when
- they are scheduled to be published, activated,
- revoked or removed; these values can be set by
- dnssec-keygen or overwritten by the new
- dnssec-settime command
- - dnssec-signzone -S (for "smart") option reads key
- metadata and uses it to determine automatically
- which keys to publish to the zone, use for
- signing, revoke, or remove from the zone
- [RT #19816]
-
-2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
- [RT #19716]
-
-2634. [port] win32: Add support for libxml2, enable
- statschannel. [RT #19773]
-
-2633. [bug] Handle 15 bit rand() functions. [RT #19783]
-
-2632. [func] util/kit.sh: warn if documentation appears to be out of
- date. [RT #19922]
-
-2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
- [RT #19926 ]
-
-2630. [func] Improved syntax for DDNS autoconfiguration: use
- "update-policy local;" to switch on local DDNS in a
- zone. (The "ddns-autoconf" option has been removed.)
- [RT #19875]
-
-2629. [port] Check for seteuid()/setegid(), use setresuid()/
- setresgid() if not present. [RT #19932]
-
-2628. [port] linux: Allow /var/run/named/named.pid to be opened
- at startup with reduced capabilities in operation.
- [RT #19884]
-
-2627. [bug] Named aborted if the same key was included in
- trusted-keys more than once. [RT #19918]
-
-2626. [bug] Multiple trusted-keys could trigger an assertion
- failure. [RT #19914]
-
-2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
-
-2624. [func] 'named-checkconf -p' will print out the parsed
- configuration. [RT #18871]
-
-2623. [bug] Named started searches for DS non-optimally. [RT #19915]
-
-2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
-
-2621. [doc] Made copyright boilerplate consistent. [RT #19833]
-
-2620. [bug] Delay thawing the zone until the reload of it has
- completed successfully. [RT #19750]
-
-2619. [func] Add support for RFC 5011, automatic trust anchor
- maintenance. The new "managed-keys" statement can
- be used in place of "trusted-keys" for zones which
- support this protocol. (Note: this syntax is
- expected to change prior to 9.7.0 final.) [RT #19248]
-
-2618. [bug] The sdb and sdlz db_interator_seek() methods could
- loop infinitely. [RT #19847]
-
-2617. [bug] ifconfig.sh failed to emit an error message when
- run from the wrong location. [RT #19375]
-
-2616. [bug] 'host' used the nameservers from resolv.conf even
- when a explicit nameserver was specified. [RT #19852]
-
-2615. [bug] "__attribute__((unused))" was in the wrong place
- for ia64 gcc builds. [RT #19854]
-
-2614. [port] win32: 'named -v' should automatically be executed
- in the foreground. [RT #19844]
-
-2613. [placeholder]
-
- --- 9.7.0a1 released ---
-
-2612. [func] Add default values for the arguments to
- dnssec-keygen. Without arguments, it will now
- generate a 1024-bit RSASHA1 zone-signing key,
- or with the -f KSK option, a 2048-bit RSASHA1
- key-signing key. [RT #19300]
-
-2611. [func] Add -l option to dnssec-dsfromkey to generate
- DLV records instead of DS records. [RT #19300]
-
-2610. [port] sunos: Change #2363 was not complete. [RT #19796]
-
-2609. [func] Simplify the configuration of dynamic zones:
- - add ddns-confgen command to generate
- configuration text for named.conf
- - add zone option "ddns-autoconf yes;", which
- causes named to generate a TSIG session key
- and allow updates to the zone using that key
- - add '-l' (localhost) option to nsupdate, which
- causes nsupdate to connect to a locally-running
- named process using the session key generated
- by named
- [RT #19284]
-
-2608. [func] Perform post signing verification checks in
- dnssec-signzone. These can be disabled with -P.
-
- The post sign verification test ensures that for each
- algorithm in use there is at least one non revoked
- self signed KSK key. That all revoked KSK keys are
- self signed. That all records in the zone are signed
- by the algorithm. [RT #19653]
-
-2607. [bug] named could incorrectly delete NSEC3 records for
- empty nodes when processing a update request.
- [RT #19749]
-
-2606. [bug] "delegation-only" was not being accepted in
- delegation-only type zones. [RT #19717]
-
-2605. [bug] Accept DS responses from delegation only zones.
- [RT # 19296]
-
-2604. [func] Add support for DNS rebinding attack prevention through
- new options, deny-answer-addresses and
- deny-answer-aliases. Based on contributed code from
- JD Nurmi, Google. [RT #18192]
-
-2603. [port] win32: handle .exe extension of named-checkzone and
- named-comilezone argv[0] names under windows.
- [RT #19767]
-
-2602. [port] win32: fix debugging command line build of libisccfg.
- [RT #19767]
-
-2601. [doc] Mention file creation mode mask in the
- named manual page.
-
-2600. [doc] ARM: miscellaneous reformatting for different
- page widths. [RT #19574]
-
-2599. [bug] Address rapid memory growth when validation fails.
- [RT #19654]
-
-2598. [func] Reserve the -F flag. [RT #19657]
-
-2597. [bug] Handle a validation failure with a insecure delegation
- from a NSEC3 signed master/slave zone. [RT #19464]
-
-2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
- long, leading to inefficient memory usage or rejecting
- newer cache entries in the worst case. [RT #19563]
-
-2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
-
-2594. [func] Have rndc warn if using its default configuration
- file when the key file also exists. [RT #19424]
-
-2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
-
-2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
-
-2591. [bug] named could die when processing a update in
- removed_orphaned_ds(). [RT #19507]
-
-2590. [func] Report zone/class of "update with no effect".
- [RT #19542]
-
-2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
- [RT #19626]
-
-2588. [bug] SO_REUSEADDR could be set unconditionally after failure
- of bind(2) call. This should be rare and mostly
- harmless, but may cause interference with other
- processes that happen to use the same port. [RT #19642]
-
-2587. [func] Improve logging by reporting serial numbers for
- when zone serial has gone backwards or unchanged.
- [RT #19506]
-
-2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
- or SDB. [RT #19577]
-
-2585. [bug] Uninitialized socket name could be referenced via a
- statistics channel, triggering an assertion failure in
- XML rendering. [RT #19427]
-
-2584. [bug] alpha: gcc optimization could break atomic operations.
- [RT #19227]
-
-2583. [port] netbsd: provide a control to not add the compile
- date to the version string, -DNO_VERSION_DATE.
-
-2582. [bug] Don't emit warning log message when we attempt to
- remove non-existent journal. [RT #19516]
-
-2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
- Requires MySQL 5.0.19 or later. [RT #19084]
-
-2580. [bug] UpdateRej statistics counter could be incremented twice
- for one rejection. [RT #19476]
-
-2579. [bug] DNSSEC lookaside validation failed to handle unknown
- algorithms. [RT #19479]
-
-2578. [bug] Changed default sig-signing-type to 65534, because
- 65535 turns out to be reserved. [RT #19477]
-
-2577. [doc] Clarified some statistics counters. [RT #19454]
-
-2576. [bug] NSEC record were not being correctly signed when
- a zone transitions from insecure to secure.
- Handle such incorrectly signed zones. [RT #19114]
-
-2575. [func] New functions dns_name_fromstring() and
- dns_name_tostring(), to simplify conversion
- of a string to a dns_name structure and vice
- versa. [RT #19451]
-
-2574. [doc] Document nsupdate -g and -o. [RT #19351]
-
-2573. [bug] Replacing a non-CNAME record with a CNAME record in a
- single transaction in a signed zone failed. [RT #19397]
-
-2572. [func] Simplify DLV configuration, with a new option
- "dnssec-lookaside auto;" This is the equivalent
- of "dnssec-lookaside . trust-anchor dlv.isc.org;"
- plus setting a trusted-key for dlv.isc.org.
-
- Note: The trusted key is hard-coded into named,
- but is also stored in (and can be overridden
- by) $sysconfdir/bind.keys. As the ISC DLV key
- rolls over it can be kept up to date by replacing
- the bind.keys file with a key downloaded from
- https://www.isc.org/solutions/dlv. [RT #18685]
-
-2571. [func] Add a new tool "arpaname" which translates IP addresses
- to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
- [RT #18976]
-
-2570. [func] Log the destination address the query was sent to.
- [RT #19209]
-
-2569. [func] Move journalprint, nsec3hash, and genrandom
- commands from bin/tests into bin/tools;
- "make install" will put them in $sbindir. [RT #19301]
-
-2568. [bug] Report when the write to indicate a otherwise
- successful start fails. [RT #19360]
-
-2567. [bug] dst__privstruct_writefile() could miss write errors.
- write_public_key() could miss write errors.
- dnssec-dsfromkey could miss write errors.
- [RT #19360]
-
-2566. [cleanup] Clarify logged message when an insecure DNSSEC
- response arrives from a zone thought to be secure:
- "insecurity proof failed" instead of "not
- insecure". [RT #19400]
-
-2565. [func] Add support for HIP record. Includes new functions
- dns_rdata_hip_first(), dns_rdata_hip_next()
- and dns_rdata_hip_current(). [RT #19384]
-
-2564. [bug] Only take EDNS fallback steps when processing timeouts.
- [RT #19405]
-
-2563. [bug] Dig could leak a socket causing it to wait forever
- to exit. [RT #19359]
-
-2562. [doc] ARM: miscellaneous improvements, reorganization,
- and some new content.
-
-2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
-
-2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
-
-2559. [bug] dnssec-dsfromkey could compute bad DS records when
- reading from a K* files. [RT #19357]
-
-2558. [func] Set the ownership of missing directories created
- for pid-file if -u has been specified on the command
- line. [RT #19328]
-
-2557. [cleanup] PCI compliance:
- * new libisc log module file
- * isc_dir_chroot() now also changes the working
- directory to "/".
- * additional INSISTs
- * additional logging when files can't be removed.
-
-2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
- error checks in the correct order resulting in the
- wrong error code sometimes being returned. [RT #19249]
-
-2555. [func] dig: when emitting a hex dump also display the
- corresponding characters. [RT #19258]
-
-2554. [bug] Validation of uppercase queries from NSEC3 zones could
- fail. [RT #19297]
-
-2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
-
-2552. [bug] zero-no-soa-ttl-cache was not being honored.
- [RT #19340]
-
-2551. [bug] Potential Reference leak on return. [RT #19341]
-
-2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
- [RT #19343]
-
-2549. [port] linux: define NR_OPEN if not currently defined.
- [RT #19344]
-
-2548. [bug] Install iterated_hash.h. [RT #19335]
-
-2547. [bug] openssl_link.c:mem_realloc() could reference an
- out-of-range area of the source buffer. New public
- function isc_mem_reallocate() was introduced to address
- this bug. [RT #19313]
-
-2546. [func] Add --enable-openssl-hash configure flag to use
- OpenSSL (in place of internal routine) for hash
- functions (MD5, SHA[12] and HMAC). [RT #18815]
-
-2545. [doc] ARM: Legal hostname checking (check-names) is
- for SRV RDATA too. [RT #19304]
-
-2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
-
-2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
-
-2542. [doc] Update the description of dig +adflag. [RT #19290]
-
-2541. [bug] Conditionally update dispatch manager statistics.
- [RT #19247]
-
-2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
-
-2539. [security] Update the interaction between recursion, allow-query,
- allow-query-cache and allow-recursion. [RT #19198]
-
-2538. [bug] cache/ADB memory could grow over max-cache-size,
- especially with threads and smaller max-cache-size
- values. [RT #19240]
-
-2537. [func] Added more statistics counters including those on socket
- I/O events and query RTT histograms. [RT #18802]
-
-2536. [cleanup] Silence some warnings when -Werror=format-security is
- specified. [RT #19083]
-
-2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
-
-2534. [func] Check NAPTR records regular expressions and
- replacement strings to ensure they are syntactically
- valid and consistent. [RT #18168]
-
-2533. [doc] ARM: document @ (at-sign). [RT #17144]
-
-2532. [bug] dig: check the question section of the response to
- see if it matches the asked question. [RT #18495]
-
-2531. [bug] Change #2207 was incomplete. [RT #19098]
-
-2530. [bug] named failed to reject insecure to secure transitions
- via UPDATE. [RT #19101]
-
-2529. [cleanup] Upgrade libtool to silence complaints from recent
- version of autoconf. [RT #18657]
-
-2528. [cleanup] Silence spurious configure warning about
- --datarootdir [RT #19096]
-
-2527. [placeholder]
-
-2526. [func] New named option "attach-cache" that allows multiple
- views to share a single cache to save memory and
- improve lookup efficiency. Based on contributed code
- from Barclay Osborn, Google. [RT #18905]
-
-2525. [func] New logging category "query-errors" to provide detailed
- internal information about query failures, especially
- about server failures. [RT #19027]
-
-2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
-
-2523. [bug] Random type rdata freed by dns_nsec_typepresent().
- [RT #19112]
-
-2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
-
-2521. [bug] Improve epoll cross compilation support. [RT #19047]
-
-2520. [bug] Update xml statistics version number to 2.0 as change
- #2388 made the schema incompatible to the previous
- version. [RT #19080]
-
-2519. [bug] dig/host with -4 or -6 didn't work if more than two
- nameserver addresses of the excluded address family
- preceded in resolv.conf. [RT #19081]
-
-2518. [func] Add support for the new CERT types from RFC 4398.
- [RT #19077]
-
-2517. [bug] dig +trace with -4 or -6 failed when it chose a
- nameserver address of the excluded address type.
- [RT #18843]
-
-2516. [bug] glue sort for responses was performed even when not
- needed. [RT #19039]
-
-2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
- [RT #19063]
-
-2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
- a nameserver of the excluded address family.
- [RT #18848]
-
-2513. [bug] Fix windows cli build. [RT #19062]
-
-2512. [func] Print a summary of the cached records which make up
- the negative response. [RT #18885]
-
-2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
- [RT #18885]
-
-2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
- [RT #19033]
-
-2509. [bug] Specifying a fixed query source port was broken.
- [RT #19051]
-
-2508. [placeholder]
-
-2507. [func] Log the recursion quota values when killing the
- oldest query or refusing to recurse due to quota.
- [RT #19022]
-
-2506. [port] solaris: Check at configure time if
- hack_shutup_pthreadonceinit is needed. [RT #19037]
-
-2505. [port] Treat amd64 similarly to x86_64 when determining
- atomic operation support. [RT #19031]
-
-2504. [bug] Address race condition in the socket code. [RT #18899]
-
-2503. [port] linux: improve compatibility with Linux Standard
- Base. [RT #18793]
-
-2502. [cleanup] isc_radix: Improve compliance with coding style,
- document function in <isc/radix.h>. [RT #18534]
-
-2501. [func] $GENERATE now supports all rdata types. Multi-field
- rdata types need to be quoted. See the ARM for
- details. [RT #18368]
-
-2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
- function. [RT #18582]
-
-2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
- [RT #18837]
-
- --- 9.6.0rc1 released ---
-
-2498. [bug] Removed a bogus function argument used with
- ISC_SOCKET_USE_POLLWATCH: it could cause compiler
- warning or crash named with the debug 1 level
- of logging. [RT #18917]
-
-2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
- delegation.
-
-2496. [bug] Add sanity length checks to NSID option. [RT #18813]
-
-2495. [bug] Tighten RRSIG checks. [RT #18795]
-
-2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
- installed. [RT #18826]
-
-2493. [bug] The linux capabilities code was not correctly cleaning
- up after itself. [RT #18767]
-
-2492. [func] Rndc status now reports the number of cpus discovered
- and the number of worker threads when running
- multi-threaded. [RT #18273]
-
-2491. [func] Attempt to re-use a local port if we are already using
- the port. [RT #18548]
-
-2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
- is cleared when IPV6_V6ONLY is set. [RT #18785]
-
-2489. [port] solaris: Workaround Solaris's kernel bug about
- /dev/poll:
- http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
- Define ISC_SOCKET_USE_POLLWATCH at build time to enable
- this workaround. [RT #18870]
-
-2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
- from keyset and .key files. [RT #18694]
-
-2487. [bug] Give TCP connections longer to complete. [RT #18675]
-
-2486. [func] The default locations for named.pid and lwresd.pid
- are now /var/run/named/named.pid and
- /var/run/lwresd/lwresd.pid respectively.
-
- This allows the owner of the containing directory
- to be set, for "named -u" support, and allows there
- to be a permanent symbolic link in the path, for
- "named -t" support. [RT #18306]
-
-2485. [bug] Change update's the handling of obscured RRSIG
- records. Not all orphaned DS records were being
- removed. [RT #18828]
-
-2484. [bug] It was possible to trigger a REQUIRE failure when
- adding NSEC3 proofs to the response in
- query_addwildcardproof(). [RT #18828]
-
-2483. [port] win32: chroot() is not supported. [RT #18805]
-
-2482. [port] libxml2: support versions 2.7.* in addition
- to 2.6.*. [RT #18806]
-
- --- 9.6.0b1 released ---
-
-2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
- collisions. [RT #18812]
-
-2480. [bug] named could fail to emit all the required NSEC3
- records. [RT #18812]
-
-2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
-
-2478. [bug] 'addresses' could be used uninitialized in
- configure_forward(). [RT #18800]
-
-2477. [bug] dig: the global option to print the command line is
- +cmd not print_cmd. Update the output to reflect
- this. [RT #17008]
-
-2476. [doc] ARM: improve documentation for max-journal-size and
- ixfr-from-differences. [RT #15909] [RT #18541]
-
-2475. [bug] LRU cache cleanup under overmem condition could purge
- particular entries more aggressively. [RT #17628]
-
-2474. [bug] ACL structures could be allocated with insufficient
- space, causing an array overrun. [RT #18765]
-
-2473. [port] linux: raise the limit on open files to the possible
- maximum value before spawning threads; 'files'
- specified in named.conf doesn't seem to work with
- threads as expected. [RT #18784]
-
-2472. [port] linux: check the number of available cpu's before
- calling chroot as it depends on "/proc". [RT #16923]
-
-2471. [bug] named-checkzone was not reporting missing mandatory
- glue when sibling checks were disabled. [RT #18768]
-
-2470. [bug] Elements of the isc_radix_node_t could be incorrectly
- overwritten. [RT #18719]
-
-2469. [port] solaris: Work around Solaris's select() limitations.
- [RT #18769]
-
-2468. [bug] Resolver could try unreachable servers multiple times.
- [RT #18739]
-
-2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
-
-2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
- [RT #18302]
-
-2465. [bug] Adb's handling of lame addresses was different
- for IPv4 and IPv6. [RT #18738]
-
-2464. [port] linux: check that a capability is present before
- trying to set it. [RT #18135]
-
-2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
- API and glibc hides parts of the IPv6 Advanced Socket
- API as a result. This is stupid as it breaks how the
- two halves (Basic and Advanced) of the IPv6 Socket API
- were designed to be used but we have to live with it.
- Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
- API. [RT #18388]
-
-2462. [doc] Document -m (enable memory usage debugging)
- option for dig. [RT #18757]
-
-2461. [port] sunos: Change #2363 was not complete. [RT #17513]
-
- --- 9.6.0a1 released ---
-
-2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
- [RT #18697]
-
-2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
-
-2458. [doc] ARM: update and correction for max-cache-size.
- [RT #18294]
-
-2457. [tuning] max-cache-size is reverted to 0, the previous
- default. It should be safe because expired cache
- entries are also purged. [RT #18684]
-
-2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
- address, regardless of family. They now correctly
- distinguish IPv4 from IPv6. [RT #18559]
-
-2455. [bug] Stop metadata being transferred via axfr/ixfr.
- [RT #18639]
-
-2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
-
-2453. [bug] Remove NULL pointer dereference in dns_journal_print().
- [RT #18316]
-
-2452. [func] Improve bin/test/journalprint. [RT #18316]
-
-2451. [port] solaris: handle runtime linking better. [RT #18356]
-
-2450. [doc] Fix lwresd docbook problem for manual page.
- [RT #18672]
-
-2449. [placeholder]
-
-2448. [func] Add NSEC3 support. [RT #15452]
-
-2447. [cleanup] libbind has been split out as a separate product.
-
-2446. [func] Add a new log message about build options on startup.
- A new command-line option '-V' for named is also
- provided to show this information. [RT #18645]
-
-2445. [doc] ARM out-of-date on empty reverse zones (list includes
- RFC1918 address, but these are not yet compiled in).
- [RT #18578]
-
-2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
- (clear DF) for UDP responses and requests.
-
-2443. [bug] win32: UDP connect() would not generate an event,
- and so connected UDP sockets would never clean up.
- Fix this by doing an immediate WSAConnect() rather
- than an io completion port type for UDP.
-
-2442. [bug] A lock could be destroyed twice. [RT #18626]
-
-2441. [bug] isc_radix_insert() could copy radix tree nodes
- incompletely. [RT #18573]
-
-2440. [bug] named-checkconf used an incorrect test to determine
- if an ACL was set to none.
-
-2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
- [RT #18559]
-
-2438. [bug] Timeouts could be logged incorrectly under win32.
-
-2437. [bug] Sockets could be closed too early, leading to
- inconsistent states in the socket module. [RT #18298]
-
-2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
-
-2435. [bug] Fixed an ACL memory leak affecting win32.
-
-2434. [bug] Fixed a minor error-reporting bug in
- lib/isc/win32/socket.c.
-
-2433. [tuning] Set initial timeout to 800ms.
-
-2432. [bug] More Windows socket handling improvements. Stop
- using I/O events and use IO Completion Ports
- throughout. Rewrite the receive path logic to make
- it easier to support multiple simultaneous
- requesters in the future. Add stricter consistency
- checking as a compile-time option (define
- ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
-
-2431. [bug] Acl processing could leak memory. [RT #18323]
-
-2430. [bug] win32: isc_interval_set() could round down to
- zero if the input was less than NS_INTERVAL
- nanoseconds. Round up instead. [RT #18549]
-
-2429. [doc] nsupdate should be in section 1 of the man pages.
- [RT #18283]
-
-2428. [bug] dns_iptable_merge() mishandled merges of negative
- tables. [RT #18409]
-
-2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
- was set. [RT #18528]
-
-2426. [bug] libbind: inet_net_pton() can sometimes return the
- wrong value if excessively large net masks are
- supplied. [RT #18512]
-
-2425. [bug] named didn't detect unavailable query source addresses
- at load time. [RT #18536]
-
-2424. [port] configure now probes for a working epoll
- implementation. Allow the use of kqueue,
- epoll and /dev/poll to be selected at compile
- time. [RT #18277]
-
-2423. [security] Randomize server selection on queries, so as to
- make forgery a little more difficult. Instead of
- always preferring the server with the lowest RTT,
- pick a server with RTT within the same 128
- millisecond band. [RT #18441]
-
-2422. [bug] Handle the special return value of a empty node as
- if it was a NXRRSET in the validator. [RT #18447]
-
-2421. [func] Add new command line option '-S' for named to specify
- the max number of sockets. [RT #18493]
- Use caution: this option may not work for some
- operating systems without rebuilding named.
-
-2420. [bug] Windows socket handling cleanup. Let the io
- completion event send out canceled read/write
- done events, which keeps us from writing to memory
- we no longer have ownership of. Add debugging
- socket_log() function. Rework TCP socket handling
- to not leak sockets.
-
-2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
- should not be used for isc_sockettype_fdwatch sockets.
- [RT #18521]
-
-2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
- [RT #18430]
-
-2417. [bug] Connecting UDP sockets for outgoing queries could
- unexpectedly fail with an 'address already in use'
- error. [RT #18411]
-
-2416. [func] Log file descriptors that cause exceeding the
- internal maximum. [RT #18460]
-
-2415. [bug] 'rndc dumpdb' could trigger various assertion failures
- in rbtdb.c. [RT #18455]
-
-2414. [bug] A masterdump context held the database lock too long,
- causing various troubles such as dead lock and
- recursive lock acquisition. [RT #18311, #18456]
-
-2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
-
-2412. [bug] win32: address a resource leak. [RT #18374]
-
-2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
- for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
- at compilation time. [RT #18433]
-
- Note: with changes #2469 and #2421 above, there is no
- need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
- any more.
-
-2410. [bug] Correctly delete m_versionInfo. [RT #18432]
-
-2409. [bug] Only log that we disabled EDNS processing if we were
- subsequently successful. [RT #18029]
-
-2408. [bug] A duplicate TCP dispatch event could be sent, which
- could then trigger an assertion failure in
- resquery_response(). [RT #18275]
-
-2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
-
-2406. [placeholder]
-
-2405. [cleanup] The default value for dnssec-validation was changed to
- "yes" in 9.5.0-P1 and all subsequent releases; this
- was inadvertently omitted from CHANGES at the time.
-
-2404. [port] hpux: files unlimited support.
-
-2403. [bug] TSIG context leak. [RT #18341]
-
-2402. [port] Support Solaris 2.11 and over. [RT #18362]
-
-2401. [bug] Expect to get E[MN]FILE errno internal_accept()
- (from accept() or fcntl() system calls). [RT #18358]
-
-2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
- [RT #18297]
-
-2399. [placeholder]
-
-2398. [bug] Improve file descriptor management. New,
- temporary, named.conf option reserved-sockets,
- default 512. [RT #18344]
-
-2397. [bug] gssapi_functions had too many elements. [RT #18355]
-
-2396. [bug] Don't set SO_REUSEADDR for randomized ports.
- [RT #18336]
-
-2395. [port] Avoid warning and no effect from "files unlimited"
- on Linux when running as root. [RT #18335]
-
-2394. [bug] Default configuration options set the limit for
- open files to 'unlimited' as described in the
- documentation. [RT #18331]
-
-2393. [bug] nested acls containing keys could trigger an
- assertion in acl.c. [RT #18166]
-
-2392. [bug] remove 'grep -q' from acl test script, some platforms
- don't support it. [RT #18253]
-
-2391. [port] hpux: cover additional recvmsg() error codes.
- [RT #18301]
-
-2390. [bug] dispatch.c could make a false warning on 'odd socket'.
- [RT #18301].
-
-2389. [bug] Move the "working directory writable" check to after
- the ns_os_changeuser() call. [RT #18326]
-
-2388. [bug] Avoid using tables for layout purposes in
- statistics XSL [RT #18159].
-
-2387. [bug] Silence compiler warnings in lib/isc/radix.c.
- [RT #18147] [RT #18258]
-
-2386. [func] Add warning about too small 'open files' limit.
- [RT #18269]
-
-2385. [bug] A condition variable in socket.c could leak in
- rare error handling [RT #17968].
-
-2384. [security] Fully randomize UDP query ports to improve
- forgery resilience. [RT #17949, #18098]
-
-2383. [bug] named could double queries when they resulted in
- SERVFAIL due to overkilling EDNS0 failure detection.
- [RT #18182]
-
-2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
- to ARM.
-
-2381. [port] dlz/mysql: support multiple install layouts for
- mysql. <prefix>/include/{,mysql/}mysql.h and
- <prefix>/lib/{,mysql/}. [RT #18152]
-
-2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
- proofs which, in turn, caused validation failures
- for insecure zones immediately below a secure zone
- the server was authoritative for. [RT #18112]
-
-2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
- TLDs and supported RRs with TTLs [RT #17972]
-
-2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
- [RT #18169]
-
-2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
-
-2376. [bug] Change #2144 was not complete.
-
-2375. [placeholder]
-
-2374. [bug] "blackhole" ACLs could cause named to segfault due
- to some uninitialized memory. [RT #18095]
-
-2373. [bug] Default values of zone ACLs were re-parsed each time a
- new zone was configured, causing an overconsumption
- of memory. [RT #18092]
-
-2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
-
-2371. [doc] Add +nsid option to dig man page. [RT #18039]
-
-2370. [bug] "rndc freeze" could trigger an assertion in named
- when called on a nonexistent zone. [RT #18050]
-
-2369. [bug] libbind: Array bounds overrun on read in bitncmp().
- [RT #18054]
-
-2368. [port] Linux: use libcap for capability management if
- possible. [RT #18026]
-
-2367. [bug] Improve counting of dns_resstatscounter_retry
- [RT #18030]
-
-2366. [bug] Adb shutdown race. [RT #18021]
-
-2365. [bug] Fix a bug that caused dns_acl_isany() to return
- spurious results. [RT #18000]
-
-2364. [bug] named could trigger a assertion when serving a
- malformed signed zone. [RT #17828]
-
-2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
- [RT #17513]
-
-2362. [cleanup] Make "rrset-order fixed" a compile-time option.
- settable by "./configure --enable-fixed-rrset".
- Disabled by default. [RT #17977]
-
-2361. [bug] "recursion" statistics counter could be counted
- multiple times for a single query. [RT #17990]
-
-2360. [bug] Fix a condition where we release a database version
- (which may acquire a lock) while holding the lock.
-
-2359. [bug] Fix NSID bug. [RT #17942]
-
-2358. [doc] Update host's default query description. [RT #17934]
-
-2357. [port] Don't use OpenSSL's engine support in versions before
- OpenSSL 0.9.7f. [RT #17922]
-
-2356. [bug] Built in mutex profiler was not scalable enough.
- [RT #17436]
-
-2355. [func] Extend the number statistics counters available.
- [RT #17590]
-
-2354. [bug] Failed to initialize some rdatasetheader_t elements.
- [RT #17927]
-
-2353. [func] Add support for Name Server ID (RFC 5001).
- 'dig +nsid' requests NSID from server.
- 'request-nsid yes;' causes recursive server to send
- NSID requests to upstream servers. Server responds
- to NSID requests with the string configured by
- 'server-id' option. [RT #17091]
-
-2352. [bug] Various GSS_API fixups. [RT #17729]
-
-2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
-
-2350. [port] win32: IPv6 support. [RT #17797]
-
-2349. [func] Provide incremental re-signing support for secure
- dynamic zones. [RT #1091]
-
-2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
- Documentation is in the new README.pkcs11 file.
- New tool, dnssec-keyfromlabel, which takes the
- label of a key pair in a HSM and constructs a DNS
- key pair for use by named and dnssec-signzone.
- [RT #16844]
-
-2347. [bug] Delete now traverses the RB tree in the canonical
- order. [RT #17451]
-
-2346. [func] Memory statistics now cover all active memory contexts
- in increased detail. [RT #17580]
-
-2345. [bug] named-checkconf failed to detect when forwarders
- were set at both the options/view level and in
- a root zone. [RT #17671]
-
-2344. [bug] Improve "logging{ file ...; };" documentation.
- [RT #17888]
-
-2343. [bug] (Seemingly) duplicate IPv6 entries could be
- created in ADB. [RT #17837]
-
-2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
-
-2341. [bug] libbind: add missing -I../include for off source
- tree builds. [RT #17606]
-
-2340. [port] openbsd: interface configuration. [RT #17700]
-
-2339. [port] tru64: support for libbind. [RT #17589]
-
-2338. [bug] check_ds() could be called with a non DS rdataset.
- [RT #17598]
-
-2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
-
-2336. [func] If "named -6" is specified then listen on all IPv6
- interfaces if there are not listen-on-v6 clauses in
- named.conf. [RT #17581]
-
-2335. [port] sunos: libbind and *printf() support for long long.
- [RT #17513]
-
-2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
- bug in fromstruct_txt(). [RT #17609]
-
-2333. [bug] Fix off by one error in isc_time_nowplusinterval().
- [RT #17608]
-
-2332. [contrib] query-loc-0.4.0. [RT #17602]
-
-2331. [bug] Failure to regenerate any signatures was not being
- reported nor being past back to the UPDATE client.
- [RT #17570]
-
-2330. [bug] Remove potential race condition when handling
- over memory events. [RT #17572]
-
- WARNING: API CHANGE: over memory callback
- function now needs to call isc_mem_waterack().
- See <isc/mem.h> for details.
-
-2329. [bug] Clearer help text for dig's '-x' and '-i' options.
-
-2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
- F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
- J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
- M.ROOT-SERVERS.NET.
-
-2327. [bug] It was possible to dereference a NULL pointer in
- rbtdb.c. Implement dead node processing in zones as
- we do for caches. [RT #17312]
-
-2326. [bug] It was possible to trigger a INSIST in the acache
- processing.
-
-2325. [port] Linux: use capset() function if available. [RT #17557]
-
-2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
-
-2323. [port] tru64: namespace clash. [RT #17547]
-
-2322. [port] MacOS: work around the limitation of setrlimit()
- for RLIMIT_NOFILE. [RT #17526]
-
-2321. [placeholder]
-
-2320. [func] Make statistics counters thread-safe for platforms
- that support certain atomic operations. [RT #17466]
-
-2319. [bug] Silence Coverity warnings in
- lib/dns/rdata/in_1/apl_42.c. [RT #17469]
-
-2318. [port] sunos fixes for libbind. [RT #17514]
-
-2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
-
-2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
- [RT #17513]
-
-2315. [bug] Used incorrect address family for mapped IPv4
- addresses in acl.c. [RT #17519]
-
-2314. [bug] Uninitialized memory use on error path in
- bin/named/lwdnoop.c. [RT #17476]
-
-2313. [cleanup] Silence Coverity warnings. Handle private stacks.
- [RT #17447] [RT #17478]
-
-2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
- [RT #17458]
-
-2311. [bug] IPv6 addresses could match IPv4 ACL entries and
- vice versa. [RT #17462]
-
-2310. [bug] dig, host, nslookup: flush stdout before emitting
- debug/fatal messages. [RT #17501]
-
-2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
- [RT #17455]
-
-2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
- [RT #17495]
-
-2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
-
-2306. [bug] Remove potential race from lib/dns/resolver.c.
- [RT #17470]
-
-2305. [security] inet_network() buffer overflow. CVE-2008-0122.
-
-2304. [bug] Check returns from all dns_rdata_tostruct() calls.
- [RT #17460]
-
-2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
- [RT #17471]
-
-2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
-
-2301. [bug] Remove resource leak and fix error messages in
- bin/tests/system/lwresd/lwtest.c. [RT #17474]
-
-2300. [bug] Fixed failure to close open file in
- bin/tests/names/t_names.c. [RT #17473]
-
-2299. [bug] Remove unnecessary NULL check in
- bin/nsupdate/nsupdate.c. [RT #17475]
-
-2298. [bug] isc_mutex_lock() failure not caught in
- bin/tests/timers/t_timers.c. [RT #17468]
-
-2297. [bug] isc_entropy_createfilesource() failure not caught in
- bin/tests/dst/t_dst.c. [RT #17467]
-
-2296. [port] Allow docbook stylesheet location to be specified to
- configure. [RT #17457]
-
-2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
- [RT #17459]
-
-2294. [func] Allow the experimental statistics channels to have
- multiple connections and ACL.
- Note: the stats-server and stats-server-v6 options
- available in the previous beta releases are replaced
- with the generic statistics-channels statement.
-
-2293. [func] Add ACL regression test. [RT #17375]
-
-2292. [bug] Log if the working directory is not writable.
- [RT #17312]
-
-2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
- failure to set PR_SET_DUMPABLE. [RT #17312]
-
-2290. [bug] Let AD in the query signal that the client wants AD
- set in the response. [RT #17301]
-
-2289. [func] named-checkzone now reports the out-of-zone CNAME
- found. [RT #17309]
-
-2288. [port] win32: mark service as running when we have finished
- loading. [RT #17441]
-
-2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
-
-2286. [func] Allow a TCP connection to be used as a weak
- authentication method for reverse zones.
- New update-policy methods tcp-self and 6to4-self.
- [RT #17378]
-
-2285. [func] Test framework for client memory context management.
- [RT #17377]
-
-2284. [bug] Memory leak in UPDATE prerequisite processing.
- [RT #17377]
-
-2283. [bug] TSIG keys were not attaching to the memory
- context. TSIG keys should use the rings
- memory context rather than the clients memory
- context. [RT #17377]
-
-2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
-
-2281. [bug] Attempts to use undefined acls were not being logged.
- [RT #17307]
-
-2280. [func] Allow the experimental http server to be reached
- over IPv6 as well as IPv4. [RT #17332]
-
-2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
- to protect applications from receiving spurious
- SIGPIPE signals when using the resolver.
-
-2278. [bug] win32: handle the case where Windows returns no
- search list or DNS suffix. [RT #17354]
-
-2277. [bug] Empty zone names were not correctly being caught at
- in the post parse checks. [RT #17357]
-
-2276. [bug] Install <dst/gssapi.h>. [RT #17359]
-
-2275. [func] Add support to dig to perform IXFR queries over UDP.
- [RT #17235]
-
-2274. [func] Log zone transfer statistics. [RT #17336]
-
-2273. [bug] Adjust log level to WARNING when saving inconsistent
- stub/slave master and journal files. [RT #17279]
-
-2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
- [RT #17262]
-
-2271. [bug] Fix a memory leak in http server code [RT #17100]
-
-2270. [bug] dns_db_closeversion() version->writer could be reset
- before it is tested. [RT #17290]
-
-2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
-
-2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
- list.
-
- --- 9.5.0b1 released ---
-
-2267. [bug] Radix tree node_num value could be set incorrectly,
- causing positive ACL matches to look like negative
- ones. [RT #17311]
-
-2266. [bug] client.c:get_clientmctx() returned the same mctx
- once the pool of mctx's was filled. [RT #17218]
-
-2265. [bug] Test that the memory context's basic_table is non NULL
- before freeing. [RT #17265]
-
-2264. [bug] Server prefix length was being ignored. [RT #17308]
-
-2263. [bug] "named-checkconf -z" failed to set default value
- for "check-integrity". [RT #17306]
-
-2262. [bug] Error status from all but the last view could be
- lost. [RT #17292]
-
-2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
-
-2260. [bug] Reported wrong clients-per-query when increasing the
- value. [RT #17236]
-
-2259. [placeholder]
-
- --- 9.5.0a7 released ---
-
-2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
- [RT #17241]
-
-2257. [bug] win32: Use the full path to vcredist_x86.exe when
- calling it. [RT #17222]
-
-2256. [bug] win32: Correctly register the installation location of
- bindevt.dll. [RT #17159]
-
-2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
-
-2254. [bug] timer.c:dispatch() failed to lock timer->lock
- when reading timer->idle allowing it to see
- intermediate values as timer->idle was reset by
- isc_timer_touch(). [RT #17243]
-
-2253. [func] "max-cache-size" defaults to 32M.
- "max-acache-size" defaults to 16M.
-
-2252. [bug] Fixed errors in sortlist code [RT #17216]
-
-2251. [placeholder]
-
-2250. [func] New flag 'memstatistics' to state whether the
- memory statistics file should be written or not.
- Additionally named's -m option will cause the
- statistics file to be written. [RT #17113]
-
-2249. [bug] Only set Authentic Data bit if client requested
- DNSSEC, per RFC 3655 [RT #17175]
-
-2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
-
-2247. [doc] Sort doc/misc/options. [RT #17067]
-
-2246. [bug] Make the startup of test servers (ans.pl) more
- robust. [RT #17147]
-
-2245. [bug] Validating lack of DS records at trust anchors wasn't
- working. [RT #17151]
-
-2244. [func] Allow the check of nameserver names against the
- SOA MNAME field to be disabled by specifying
- 'notify-to-soa yes;'. [RT #17073]
-
-2243. [func] Configuration files without a newline at the end now
- parse without error. [RT #17120]
-
-2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
- library could require a source of random data.
- [RT #17127]
-
-2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
-
-2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
- a number of INSIST()s into plain fatal() errors
- which report the triggering result code.
- The 'key' command wasn't disabling GSS-TSIG.
- [RT #17099]
-
-2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
-
-2238. [bug] It was possible to trigger a REQUIRE when a
- validation was canceled. [RT #17106]
-
-2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
-
-2236. [bug] dnssec-signzone failed to preserve the case of
- of wildcard owner names. [RT #17085]
-
-2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
-
-2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
-
-2233. [func] Add support for O(1) ACL processing, based on
- radix tree code originally written by Kevin
- Brintnall. [RT #16288]
-
-2232. [bug] dns_adb_findaddrinfo() could fail and return
- ISC_R_SUCCESS. [RT #17137]
-
-2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
- [RT #17088]
-
-2230. [bug] We could INSIST reading a corrupted journal.
- [RT #17132]
-
-2229. [bug] Null pointer dereference on query pool creation
- failure. [RT #17133]
-
-2228. [contrib] contrib: Change 2188 was incomplete.
-
-2227. [cleanup] Tidied up the FAQ. [RT #17121]
-
-2226. [placeholder]
-
-2225. [bug] More support for systems with no IPv4 addresses.
- [RT #17111]
-
-2224. [bug] Defer journal compaction if a xfrin is in progress.
- [RT #17119]
-
-2223. [bug] Make a new journal when compacting. [RT #17119]
-
-2222. [func] named-checkconf now checks server key references.
- [RT #17097]
-
-2221. [bug] Set the event result code to reflect the actual
- record turned to caller when a cache update is
- rejected due to a more credible answer existing.
- [RT #17017]
-
-2220. [bug] win32: Address a race condition in final shutdown of
- the Windows socket code. [RT #17028]
-
-2219. [bug] Apply zone consistency checks to additions, not
- removals, when updating. [RT #17049]
-
-2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
- [RT #16976]
-
-2217. [func] Adjust update log levels. [RT #17092]
-
-2216. [cleanup] Fix a number of errors reported by Coverity.
- [RT #17094]
-
-2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
-
-2214. [bug] Deregister OpenSSL lock callback when cleaning
- up. Reorder OpenSSL cleanup so that RAND_cleanup()
- is called before the locks are destroyed. [RT #17098]
-
-2213. [bug] SIG0 diagnostic failure messages were looking at the
- wrong status code. [RT #17101]
-
-2212. [func] 'host -m' now causes memory statistics and active
- memory to be printed at exit. [RT 17028]
-
-2211. [func] Update "dynamic update temporarily disabled" message.
- [RT #17065]
-
-2210. [bug] Deleting class specific records via UPDATE could
- fail. [RT #17074]
-
-2209. [port] osx: linking against user supplied static OpenSSL
- libraries failed as the system ones were still being
- found. [RT #17078]
-
-2208. [port] win32: make sure both build methods produce the
- same output. [RT #17058]
-
-2207. [port] Some implementations of getaddrinfo() fail to set
- ai_canonname correctly. [RT #17061]
-
- --- 9.5.0a6 released ---
-
-2206. [security] "allow-query-cache" and "allow-recursion" now
- cross inherit from each other.
-
- If allow-query-cache is not set in named.conf then
- allow-recursion is used if set, otherwise allow-query
- is used if set, otherwise the default (localnets;
- localhost;) is used.
-
- If allow-recursion is not set in named.conf then
- allow-query-cache is used if set, otherwise allow-query
- is used if set, otherwise the default (localnets;
- localhost;) is used.
-
- [RT #16987]
-
-2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
-
-2204. [bug] "rndc flushname name unknown-view" caused named
- to crash. [RT #16984]
-
-2203. [security] Query id generation was cryptographically weak.
- [RT # 16915]
-
-2202. [security] The default acls for allow-query-cache and
- allow-recursion were not being applied. [RT #16960]
-
-2201. [bug] The build failed in a separate object directory.
- [RT #16943]
-
-2200. [bug] The search for cached NSEC records was stopping to
- early leading to excessive DLV queries. [RT #16930]
-
-2199. [bug] win32: don't call WSAStartup() while loading dlls.
- [RT #16911]
-
-2198. [bug] win32: RegCloseKey() could be called when
- RegOpenKeyEx() failed. [RT #16911]
-
-2197. [bug] Add INSIST to catch negative responses which are
- not setting the event result code appropriately.
- [RT #16909]
-
-2196. [port] win32: yield processor while waiting for once to
- to complete. [RT #16958]
-
-2195. [func] dnssec-keygen now defaults to nametype "ZONE"
- when generating DNSKEYs. [RT #16954]
-
-2194. [bug] Close journal before calling 'done' in xfrin.c.
-
- --- 9.5.0a5 released ---
-
-2193. [port] win32: BINDInstall.exe is now linked statically.
- [RT #16906]
-
-2192. [port] win32: use vcredist_x86.exe to install Visual
- Studio's redistributable dlls if building with
- Visual Stdio 2005 or later.
-
-2191. [func] named-checkzone now allows dumping to stdout (-).
- named-checkconf now has -h for help.
- named-checkzone now has -h for help.
- rndc now has -h for help.
- Better handling of '-?' for usage summaries.
- [RT #16707]
-
-2190. [func] Make fallback to plain DNS from EDNS due to timeouts
- more visible. New logging category "edns-disabled".
- [RT #16871]
-
-2189. [bug] Handle socket() returning EINTR. [RT #15949]
-
-2188. [contrib] queryperf: autoconf changes to make the search for
- libresolv or libbind more robust. [RT #16299]
-
-2187. [bug] query_addds(), query_addwildcardproof() and
- query_addnxrrsetnsec() should take a version
- argument. [RT #16368]
-
-2186. [port] cygwin: libbind: check for struct sockaddr_storage
- independently of IPv6. [RT #16482]
-
-2185. [port] sunos: libbind: check for ssize_t, memmove() and
- memchr(). [RT #16463]
-
-2184. [bug] bind9.xsl.h didn't build out of the source tree.
- [RT #16830]
-
-2183. [bug] dnssec-signzone didn't handle offline private keys
- well. [RT #16832]
-
-2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
- could return ISC_R_SUCCESS when they ran out of
- memory. [RT #16365]
-
-2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
-
-2180. [cleanup] Remove bit test from 'compress_test' as they
- are no longer needed. [RT #16497]
-
-2179. [func] 'rndc command zone' will now find 'zone' if it is
- unique to all the views. [RT #16821]
-
-2178. [bug] 'rndc reload' of a slave or stub zone resulted in
- a reference leak. [RT #16867]
-
-2177. [bug] Array bounds overrun on read (rcodetext) at
- debug level 10+. [RT #16798]
-
-2176. [contrib] dbus update to handle race condition during
- initialization (Bugzilla 235809). [RT #16842]
-
-2175. [bug] win32: windows broadcast condition variable support
- was broken. [RT #16592]
-
-2174. [bug] I/O errors should always be fatal when reading
- master files. [RT #16825]
-
-2173. [port] win32: When compiling with MSVS 2005 SP1 we also
- need to ship Microsoft.VC80.MFCLOC.
-
- --- 9.5.0a4 released ---
-
-2172. [bug] query_addsoa() was being called with a non zone db.
- [RT #16834]
-
-2171. [bug] Handle breaks in DNSSEC trust chains where the parent
- servers are not DS aware (DS queries to the parent
- return a referral to the child).
-
-2170. [func] Add acache processing to test suite. [RT #16711]
-
-2169. [bug] host, nslookup: when reporting NXDOMAIN report the
- given name and not the last name searched for.
- [RT #16763]
-
-2168. [bug] nsupdate: in non-interactive mode treat syntax errors
- as fatal errors. [RT #16785]
-
-2167. [bug] When re-using a automatic zone named failed to
- attach it to the new view. [RT #16786]
-
- --- 9.5.0a3 released ---
-
-2166. [bug] When running in batch mode, dig could misinterpret
- a server address as a name to be looked up, causing
- unexpected output. [RT #16743]
-
-2165. [func] Allow the destination address of a query to determine
- if we will answer the query or recurse.
- allow-query-on, allow-recursion-on and
- allow-query-cache-on. [RT #16291]
-
-2164. [bug] The code to determine how named-checkzone /
- named-compilezone was called failed under windows.
- [RT #16764]
-
-2163. [bug] If only one of query-source and query-source-v6
- specified a port the query pools code broke (change
- 2129). [RT #16768]
-
-2162. [func] Allow "rrset-order fixed" to be disabled at compile
- time. [RT #16665]
-
-2161. [bug] Fix which log messages are emitted for 'rndc flush'.
- [RT #16698]
-
-2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
- from getifaddrs(). [RT #16708]
-
- --- 9.5.0a2 released ---
-
-2159. [bug] Array bounds overrun in acache processing. [RT #16710]
-
-2158. [bug] ns_client_isself() failed to initialize key
- leading to a REQUIRE failure. [RT #16688]
-
-2157. [func] dns_db_transfernode() created. [RT #16685]
-
-2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
- resolver.c:validated() and resolver.c:cache_name().
- Fix a memory leak in rbtdb.c:free_noqname().
- Make lookup.c:lookup_find() robust against
- event leaks. [RT #16685]
-
-2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
- [RT #16694]
-
-2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
- matched in acls by omitting the scope. [RT #16599]
-
-2153. [bug] nsupdate could leak memory. [RT #16691]
-
-2152. [cleanup] Use sizeof(buf) instead of fixed number in
- dighost.c:get_trusted_key(). [RT #16678]
-
-2151. [bug] Missing newline in usage message for journalprint.
- [RT #16679]
-
-2150. [bug] 'rrset-order cyclic' uniformly distribute the
- starting point for the first response for a given
- RRset. [RT #16655]
-
-2149. [bug] isc_mem_checkdestroyed() failed to abort on
- if there were still active memory contexts.
- [RT #16672]
-
-2148. [func] Add positive logging for rndc commands. [RT #14623]
-
-2147. [bug] libbind: remove potential buffer overflow from
- hmac_link.c. [RT #16437]
-
-2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
- SO_BSDCOMPAT" message. [RT #16641]
-
-2145. [bug] Check DS/DLV digest lengths for known digests.
- [RT #16622]
-
-2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
- [RT #16619]
-
-2143. [bug] We failed to restart the IPv6 client when the
- kernel failed to return the destination the
- packet was sent to. [RT #16613]
-
-2142. [bug] Handle master files with a modification time that
- matches the epoch. [RT #16612]
-
-2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
- equivalent of LDH checks). [RT #16609]
-
-2140. [bug] libbind: missing unlock on pthread_key_create()
- failures. [RT #16654]
-
-2139. [bug] dns_view_find() was being called with wrong type
- in adb.c. [RT #16670]
-
-2138. [bug] Lock order reversal in resolver.c. [RT #16653]
-
-2137. [port] Mips little endian and/or mips 64 bit are now
- supported for atomic operations. [RT #16648]
-
-2136. [bug] nslookup/host looped if there was no search list
- and the host didn't exist. [RT #16657]
-
-2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]
-
-2134. [func] Additional statistics support. [RT #16666]
-
-2133. [port] powerpc: Support both IBM and MacOS Power PC
- assembler syntaxes. [RT #16647]
-
-2132. [bug] Missing unlock on out of memory in
- dns_dispatchmgr_setudp().
-
-2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
-
-2130. [func] Log if CD or DO were set. [RT #16640]
-
-2129. [func] Provide a pool of UDP sockets for queries to be
- made over. See use-queryport-pool, queryport-pool-ports
- and queryport-pool-updateinterval. [RT #16415]
-
-2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
-
-2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
-
-2126. [security] Serialize validation of type ANY responses. [RT #16555]
-
-2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
- was defined. [RT #16574]
-
-2124. [security] It was possible to dereference a freed fetch
- context. [RT #16584]
-
- --- 9.5.0a1 released ---
-
-2123. [func] Use Doxygen to generate internal documentation.
- [RT #11398]
-
-2122. [func] Experimental http server and statistics support
- for named via xml.
-
-2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
- second timeout. [RT #16553]
-
-2120. [doc] Fix markup on nsupdate man page. [RT #16556]
-
-2119. [compat] libbind: allow res_init() to succeed enough to
- return the default domain even if it was unable
- to allocate memory.
-
-2118. [bug] Handle response with long chains of domain name
- compression pointers which point to other compression
- pointers. [RT #16427]
-
-2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
- which could lead to validation failures. named didn't
- handle negative DS responses that were in the process
- of being validated. Check CNAME bit before accepting
- NODATA proof. To be able to ignore a child NSEC there
- must be SOA (and NS) set in the bitmap. [RT #16399]
-
-2116. [bug] 'rndc reload' could cause the cache to continually
- be cleaned. [RT #16401]
-
-2115. [bug] 'rndc reconfig' could trigger a INSIST if the
- number of masters for a zone was reduced. [RT #16444]
-
-2114. [bug] dig/host/nslookup: searches for names with multiple
- labels were failing. [RT #16447]
-
-2113. [bug] nsupdate: if a zone is specified it should be used
- for server discover. [RT #16455]
-
-2112. [security] Warn if weak RSA exponent is used. [RT #16460]
-
-2111. [bug] Fix a number of errors reported by Coverity.
- [RT #16507]
-
-2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
- priming queries. [RT #16491]
-
-2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
-
-2108. [func] DHCID support. [RT #16456]
-
-2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
-
-2106. [func] 'rndc status' now reports named's version. [RT #16426]
-
-2105. [func] GSS-TSIG support (RFC 3645).
-
-2104. [port] Fix Solaris SMF error message.
-
-2103. [port] Add /usr/sfw to list of locations for OpenSSL
- under Solaris.
-
-2102. [port] Silence Solaris 10 warnings.
-
-2101. [bug] OpenSSL version checks were not quite right.
- [RT #16476]
-
-2100. [port] win32: copy libeay32.dll to Build\Debug.
- Copy Debug\named-checkzone to Debug\named-compilezone.
-
-2099. [port] win32: more manifest issues.
-
-2098. [bug] Race in rbtdb.c:no_references(), which occasionally
- triggered an INSIST failure about the node lock
- reference. [RT #16411]
-
-2097. [bug] named could reference a destroyed memory context
- after being reloaded / reconfigured. [RT #16428]
-
-2096. [bug] libbind: handle applications that fail to detect
- res_init() failures better.
-
-2095. [port] libbind: always prototype inet_cidr_ntop_ipv6() and
- net_cidr_ntop_ipv6(). [RT #16388]
-
-2094. [contrib] Update named-bootconf. [RT #16404]
-
-2093. [bug] named-checkzone -s was broken.
-
-2092. [bug] win32: dig, host, nslookup. Use registry config
- if resolv.conf does not exist or no nameservers
- listed. [RT #15877]
-
-2091. [port] dighost.c: race condition on cleanup. [RT #16417]
-
-2090. [port] win32: Visual C++ 2005 command line manifest support.
- [RT #16417]
-
-2089. [security] Raise the minimum safe OpenSSL versions to
- OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
- prior to these have known security flaws which
- are (potentially) exploitable in named. [RT #16391]
-
-2088. [security] Change the default RSA exponent from 3 to 65537.
- [RT #16391]
-
-2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
- [RT #16382]
-
-2086. [port] libbind: FreeBSD now has get*by*_r() functions.
- [RT #16403]
-
-2085. [doc] win32: added index.html and README to zip. [RT #16201]
-
-2084. [contrib] dbus update for 9.3.3rc2.
-
-2083. [port] win32: Visual C++ 2005 support.
-
-2082. [doc] Document 'cache-file' as a test only option.
-
-2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
- [RT #16360]
-
-2080. [port] libbind: res_init.c did not compile on older versions
- of Solaris. [RT #16363]
-
-2079. [bug] The lame cache was not handling multiple types
- correctly. [RT #16361]
-
-2078. [bug] dnssec-checkzone output style "default" was badly
- named. It is now called "relative". [RT #16326]
-
-2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
- complete signed zone. [RT #16326]
-
-2076. [bug] Several files were missing #include <config.h>
- causing build failures on OSF. [RT #16341]
-
-2075. [bug] The spillat timer event handler could leak memory.
- [RT #16357]
-
-2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
- dns_request_createraw2() and dns_request_createraw3()
- failed to send multiple UDP requests. [RT #16349]
-
-2073. [bug] Incorrect semantics check for update policy "wildcard".
- [RT #16353]
-
-2072. [bug] We were not generating valid HMAC SHA digests.
- [RT #16320]
-
-2071. [port] Test whether gcc accepts -fno-strict-aliasing.
- [RT #16324]
-
-2070. [bug] The remote address was not always displayed when
- reporting dispatch failures. [RT #16315]
-
-2069. [bug] Cross compiling was not working. [RT #16330]
-
-2068. [cleanup] Lower incremental tuning message to debug 1.
- [RT #16319]
-
-2067. [bug] 'rndc' could close the socket too early triggering
- a INSIST under Windows. [RT #16317]
-
-2066. [security] Handle SIG queries gracefully. [RT #16300]
-
-2065. [bug] libbind: probe for HPUX prototypes for
- endprotoent_r() and endservent_r(). [RT 16313]
-
-2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
-
-2063. [bug] Change #1955 introduced a bug which caused the first
- 'rndc flush' call to not free memory. [RT #16244]
-
-2062. [bug] 'dig +nssearch' was reusing a buffer before it had
- been returned by the socket code. [RT #16307]
-
-2061. [bug] Accept expired wildcard message reversed. [RT #16296]
-
-2060. [bug] Enabling DLZ support could leave views partially
- configured. [RT #16295]
-
-2059. [bug] Search into cache rbtdb could trigger an INSIST
- failure while cleaning up a stale rdataset.
- [RT #16292]
-
-2058. [bug] Adjust how we calculate rtt estimates in the presence
- of authoritative servers that drop EDNS and/or CD
- requests. Also fallback to EDNS/512 and plain DNS
- faster for zones with less than 3 servers. [RT #16187]
-
-2057. [bug] Make setting "ra" dependent on both allow-query-cache
- and allow-recursion. [RT #16290]
-
-2056. [bug] dig: ixfr= was not being treated case insensitively
- at all times. [RT #15955]
-
-2055. [bug] Missing goto after dropping multicast query.
- [RT #15944]
-
-2054. [port] freebsd: do not explicitly link against -lpthread.
- [RT #16170]
-
-2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
-
-2052. [bug] 'rndc' improve connect failed message to report
- the failing address. [RT #15978]
-
-2051. [port] More strtol() fixes. [RT #16249]
-
-2050. [bug] Parsing of NSAP records was not case insensitive.
- [RT #16287]
-
-2049. [bug] Restore SOA before AXFR when falling back from
- a attempted IXFR when transferring in a zone.
- Allow a initial SOA query before attempting
- a AXFR to be requested. [RT #16156]
-
-2048. [bug] It was possible to loop forever when using
- avoid-v4-udp-ports / avoid-v6-udp-ports when
- the OS always returned the same local port.
- [RT #16182]
-
-2047. [bug] Failed to initialize the interface flags to zero.
- [RT #16245]
-
-2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
- cleanup [RT #16247].
-
-2045. [func] Use lock buckets for acache entries to limit memory
- consumption. [RT #16183]
-
-2044. [port] Add support for atomic operations for Itanium.
- [RT #16179]
-
-2043. [port] nsupdate/nslookup: Force the flushing of the prompt
- for interactive sessions. [RT #16148]
-
-2042. [bug] named-checkconf was incorrectly rejecting the
- logging category "config". [RT #16117]
-
-2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
- set of libraries to be linked. [RT #16129]
-
-2040. [bug] rbtdb no_references() could trigger an INSIST
- failure with --enable-atomic. [RT #16022]
-
-2039. [func] Check that all buffers passed to the socket code
- have been retrieved when the socket event is freed.
- [RT #16122]
-
-2038. [bug] dig/nslookup/host was unlinking from wrong list
- when handling errors. [RT #16122]
-
-2037. [func] When unlinking the first or last element in a list
- check that the list head points to the element to
- be unlinked. [RT #15959]
-
-2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
- [RT #16075]
-
-2035. [func] Make falling back to TCP on UDP refresh failure
- optional. Default "try-tcp-refresh yes;" for BIND 8
- compatibility. [RT #16123]
-
-2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
-
-2033. [bug] We weren't creating multiple client memory contexts
- on demand as expected. [RT #16095]
-
-2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
-
-2031. [bug] Emit a error message when "rndc refresh" is called on
- a non slave/stub zone. [RT # 16073]
-
-2030. [bug] We were being overly conservative when disabling
- openssl engine support. [RT #16030]
-
-2029. [bug] host printed out the server multiple times when
- specified on the command line. [RT #15992]
-
-2028. [port] linux: socket.c compatibility for old systems.
- [RT #16015]
-
-2027. [port] libbind: Solaris x86 support. [RT #16020]
-
-2026. [bug] Rate limit the two recursive client exceeded messages.
- [RT #16044]
-
-2025. [func] Update "zone serial unchanged" message. [RT #16026]
-
-2024. [bug] named emitted spurious "zone serial unchanged"
- messages on reload. [RT #16027]
-
-2023. [bug] "make install" should create ${localstatedir}/run and
- ${sysconfdir} if they do not exist. [RT #16033]
-
-2022. [bug] If dnssec validation is disabled only assert CD if
- CD was requested. [RT #16037]
-
-2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
-
-2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
-
-2019. [tuning] Reduce the amount of work performed per quantum
- when cleaning the cache. [RT #15986]
-
-2018. [bug] Checking if the HMAC MD5 private file was broken.
- [RT #15960]
-
-2017. [bug] allow-query default was not correct. [RT #15946]
-
-2016. [bug] Return a partial answer if recursion is not
- allowed but requested and we had the answer
- to the original qname. [RT #15945]
-
-2015. [cleanup] use-additional-cache is now acache-enable for
- consistency. Default acache-enable off in BIND 9.4
- as it requires memory usage to be configured.
- It may be enabled by default in BIND 9.5 once we
- have more experience with it.
-
-2014. [func] Statistics about acache now recorded and sent
- to log. [RT #15976]
-
-2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
- responses more gracefully. [RT #15941]
-
-2012. [func] Don't insert new acache entries if acache is full.
- [RT #15970]
-
-2011. [func] dnssec-signzone can now update the SOA record of
- the signed zone, either as an increment or as the
- system time(). [RT #15633]
-
-2010. [placeholder] rt15958
-
-2009. [bug] libbind: Coverity fixes. [RT #15808]
-
-2008. [func] It is now possible to enable/disable DNSSEC
- validation from rndc. This is useful for the
- mobile hosts where the current connection point
- breaks DNSSEC (firewall/proxy). [RT #15592]
-
- rndc validation newstate [view]
-
-2007. [func] It is now possible to explicitly enable DNSSEC
- validation. default dnssec-validation no; to
- be changed to yes in 9.5.0. [RT #15674]
-
-2006. [security] Allow-query-cache and allow-recursion now default
- to the built in acls "localnets" and "localhost".
-
- This is being done to make caching servers less
- attractive as reflective amplifying targets for
- spoofed traffic. This still leave authoritative
- servers exposed.
-
- The best fix is for full BCP 38 deployment to
- remove spoofed traffic.
-
-2005. [bug] libbind: Retransmission timeouts should be
- based on which attempt it is to the nameserver
- and not the nameserver itself. [RT #13548]
-
-2004. [bug] dns_tsig_sign() could pass a NULL pointer to
- dst_context_destroy() when cleaning up after a
- error. [RT #15835]
-
-2003. [bug] libbind: The DNS name/address lookup functions could
- occasionally follow a random pointer due to
- structures not being completely zeroed. [RT #15806]
-
-2002. [bug] libbind: tighten the constraints on when
- struct addrinfo._ai_pad exists. [RT #15783]
-
-2001. [func] Check the KSK flag when updating a secure dynamic zone.
- New zone option "update-check-ksk yes;". [RT #15817]
-
-2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
-
-1999. [func] Implement "rrset-order fixed". [RT #13662]
-
-1998. [bug] Restrict handling of fifos as sockets to just SunOS.
- This allows named to connect to entropy gathering
- daemons that use fifos instead of sockets. [RT #15840]
-
-1997. [bug] Named was failing to replace negative cache entries
- when a positive one for the type was learnt.
- [RT #15818]
-
-1996. [bug] nsupdate: if a zone has been specified it should
- appear in the output of 'show'. [RT #15797]
-
-1995. [bug] 'host' was reporting multiple "is an alias" messages.
- [RT #15702]
-
-1994. [port] OpenSSL 0.9.8 support. [RT #15694]
-
-1993. [bug] Log messages, via syslog, were missing the space
- after the timestamp if "print-time yes" was specified.
- [RT #15844]
-
-1992. [bug] Not all incoming zone transfer messages included the
- view. [RT #15825]
-
-1991. [cleanup] The configuration data, once read, should be treated
- as read only. Expand the use of const to enforce this
- at compile time. [RT #15813]
-
-1990. [bug] libbind: isc's override of broken gettimeofday()
- implementations was not always effective.
- [RT #15709]
-
-1989. [bug] win32: don't check the service password when
- re-installing. [RT #15882]
-
-1988. [bug] Remove a bus error from the SHA256/SHA512 support.
- [RT #15878]
-
-1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
-
-1986. [func] Report when a zone is removed. [RT #15849]
-
-1985. [protocol] DLV has now been assigned a official type code of
- 32769. [RT #15807]
-
- Note: care should be taken to ensure you upgrade
- both named and dnssec-signzone at the same time for
- zones with DLV records where named is the master
- server for the zone. Also any zones that contain
- DLV records should be removed when upgrading a slave
- zone. You do not however have to upgrade all
- servers for a zone with DLV records simultaneously.
-
-1984. [func] dig, nslookup and host now advertise a 4096 byte
- EDNS UDP buffer size by default. [RT #15855]
-
-1983. [func] Two new update policies. "selfsub" and "selfwild".
- [RT #12895]
-
-1982. [bug] DNSKEY was being accepted on the parent side of
- a delegation. KEY is still accepted there for
- RFC 3007 validated updates. [RT #15620]
-
-1981. [bug] win32: condition.c:wait() could fail to reattain
- the mutex lock.
-
-1980. [func] dnssec-signzone: output the SOA record as the
- first record in the signed zone. [RT #15758]
-
-1979. [port] linux: allow named to drop core after changing
- user ids. [RT #15753]
-
-1978. [port] Handle systems which have a broken recvmsg().
- [RT #15742]
-
-1977. [bug] Silence noisy log message. [RT #15704]
-
-1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
-
-1975. [bug] libbind: isc_gethexstring() could misparse multi-line
- hex strings with comments. [RT #15814]
-
-1974. [doc] List each of the zone types and associated zone
- options separately in the ARM.
-
-1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
- HMACSHA512 support. [RT #13606]
-
-1972. [contrib] DBUS dynamic forwarders integration from
- Jason Vas Dias <jvdias@redhat.com>.
-
-1971. [port] linux: make detection of missing IF_NAMESIZE more
- robust. [RT #15443]
-
-1970. [bug] nsupdate: adjust UDP timeout when falling back to
- unsigned SOA query. [RT #15775]
-
-1969. [bug] win32: the socket code was freeing the socket
- structure too early. [RT #15776]
-
-1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
-
-1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
-
-1966. [bug] Don't set CD when we have fallen back to plain DNS.
- [RT #15727]
-
-1965. [func] Suppress spurious "recursion requested but not
- available" warning with 'dig +qr'. [RT #15780].
-
-1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
-
-1963. [port] Tru64 4.0E doesn't support send() and recv().
- [RT #15586]
-
-1962. [bug] Named failed to clear old update-policy when it
- was removed. [RT #15491]
-
-1961. [bug] Check the port and address of responses forwarded
- to dispatch. [RT #15474]
-
-1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
- [RT #15465]
-
-1959. [func] Control the zeroing of the negative response TTL to
- a soa query. Defaults "zero-no-soa-ttl yes;" and
- "zero-no-soa-ttl-cache no;". [RT #15460]
-
-1958. [bug] Named failed to update the zone's secure state
- until the zone was reloaded. [RT #15412]
-
-1957. [bug] Dig mishandled responses to class ANY queries.
- [RT #15402]
-
-1956. [bug] Improve cross compile support, 'gen' is now built
- by native compiler. See README for additional
- cross compile support information. [RT #15148]
-
-1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
-
-1954. [func] Named now falls back to advertising EDNS with a
- 512 byte receive buffer if the initial EDNS queries
- fail. [RT #14852]
-
-1953. [func] The maximum EDNS UDP response named will send can
- now be set in named.conf (max-udp-size). This is
- independent of the advertised receive buffer
- (edns-udp-size). [RT #14852]
-
-1952. [port] hpux: tell the linker to build a runtime link
- path "-Wl,+b:". [RT #14816].
-
-1951. [security] Drop queries from particular well known ports.
- Don't return FORMERR to queries from particular
- well known ports. [RT #15636]
-
-1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
- a TCP socket. This prevents the source address being
- set for TCP connections. [RT #15628]
-
-1949. [func] Addition memory leakage checks. [RT #15544]
-
-1948. [bug] If was possible to trigger a REQUIRE failure in
- xfrin.c:maybe_free() if named ran out of memory.
- [RT #15568]
-
-1947. [func] It is now possible to configure named to accept
- expired RRSIGs. Default "dnssec-accept-expired no;".
- Setting "dnssec-accept-expired yes;" leaves named
- vulnerable to replay attacks. [RT #14685]
-
-1946. [bug] resume_dslookup() could trigger a REQUIRE failure
- when using forwarders. [RT #15549]
-
-1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
- To generate a RSAMD5 key you must explicitly request
- RSAMD5. [RT #13780]
-
-1944. [cleanup] isc_hash_create() does not need a read/write lock.
- [RT #15522]
-
-1943. [bug] Set the loadtime after rolling forward the journal.
- [RT #15647]
-
-1942. [bug] If the name of a DNSKEY match that of one in
- trusted-keys do not attempt to validate the DNSKEY
- using the parents DS RRset. [RT #15649]
-
-1941. [bug] ncache_adderesult() should set eresult even if no
- rdataset is passed to it. [RT #15642]
-
-1940. [bug] Fixed a number of error conditions reported by
- Coverity.
-
-1939. [bug] The resolver could dereference a null pointer after
- validation if all the queries have timed out.
- [RT #15528]
-
-1938. [bug] The validator was not correctly handling unsecure
- negative responses at or below a SEP. [RT #15528]
-
-1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
-
-1936. [bug] The validator could leak memory. [RT #15544]
-
-1935. [bug] 'acache' was DO sensitive. [RT #15430]
-
-1934. [func] Validate pending NS RRsets, in the authority section,
- prior to returning them if it can be done without
- requiring DNSKEYs to be fetched. [RT #15430]
-
-1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
-
-1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
-
-1931. [bug] Per-client mctx could require a huge amount of memory,
- particularly for a busy caching server. [RT #15519]
-
-1930. [port] HPUX: ia64 support. [RT #15473]
-
-1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
-
-1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
-
-1927. [bug] Access to soanode or nsnode in rbtdb violated the
- lock order rule and could cause a dead lock.
- [RT #15518]
-
-1926. [bug] The Windows installer did not check for empty
- passwords. BINDinstall was being installed in
- the wrong place. [RT #15483]
-
-1925. [port] All outer level AC_TRY_RUNs need cross compiling
- defaults. [RT #15469]
-
-1924. [port] libbind: hpux ia64 support. [RT #15473]
-
-1923. [bug] ns_client_detach() called too early. [RT #15499]
-
-1922. [bug] check-tool.c:setup_logging() missing call to
- dns_log_setcontext().
-
-1921. [bug] Client memory contexts were not using internal
- malloc. [RT #15434]
-
-1920. [bug] The cache rbtdb lock array was too small to
- have the desired performance characteristics.
- [RT #15454]
-
-1919. [contrib] queryperf: a set of new features: collecting/printing
- response delays, printing intermediate results, and
- adjusting query rate for the "target" qps.
-
-1918. [bug] Memory leak when checking acls. [RT #15391]
-
-1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
- when generating man pages. [RT #15385]
-
-1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
-
-1915. [bug] dig +ndots was broken. [RT #15215]
-
-1914. [protocol] DS is required to accept mnemonic algorithms
- (RFC 4034). Still emit numeric algorithms for
- compatibility with RFC 3658. [RT #15354]
-
-1913. [func] Integrate contributed DLZ code into named. [RT #11382]
-
-1912. [port] aix: atomic locking for powerpc. [RT #15020]
-
-1911. [bug] Update windows socket code. [RT #14965]
-
-1910. [bug] dig's +sigchase code overhauled. [RT #14933]
-
-1909. [bug] The DLV code has been re-worked to make no longer
- query order sensitive. [RT #14933]
-
-1908. [func] dig now warns if 'RA' is not set in the answer when
- 'RD' was set in the query. host/nslookup skip servers
- that fail to set 'RA' when 'RD' is set unless a server
- is explicitly set. [RT #15005]
-
-1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
- [RT #15006]
-
-1906. [func] dig now has a '-q queryname' and '+showsearch' options.
- [RT #15034]
-
-1905. [bug] Strings returned from cfg_obj_asstring() should be
- treated as read-only. The prototype for
- cfg_obj_asstring() has been updated to reflect this.
- [RT #15256]
-
-1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
- friends. Note: RFC 1918 zones are not yet covered by
- this but are likely to be in a future release.
-
- New options: empty-server, empty-contact,
- empty-zones-enable and disable-empty-zone.
-
-1903. [func] ISC string copy API.
-
-1902. [func] Attempt to make the amount of work performed in a
- iteration self tuning. The covers nodes clean from
- the cache per iteration, nodes written to disk when
- rewriting a master file and nodes destroyed per
- iteration when destroying a zone or a cache.
- [RT #14996]
-
-1901. [cleanup] Don't add DNSKEY records to the additional section.
-
-1900. [bug] ixfr-from-differences failed to ensure that the
- serial number increased. [RT #15036]
-
-1899. [func] named-checkconf now validates update-policy entries.
- [RT #14963]
-
-1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
- ISC_NETADDR_FORMATSIZE to allow for scope details.
-
-1897. [func] x86 and x86_64 now have separate atomic locking
- implementations.
-
-1896. [bug] Recursive clients soft quota support wasn't working
- as expected. [RT #15103]
-
-1895. [bug] A escaped character is, potentially, converted to
- the output character set too early. [RT #14666]
-
-1894. [doc] Review ARM for BIND 9.4.
-
-1893. [port] Use uintptr_t if available. [RT #14606]
-
-1892. [func] Support for SPF rdata type. [RT #15033]
-
-1891. [port] freebsd: pthread_mutex_init can fail if it runs out
- of memory. [RT #14995]
-
-1890. [func] Raise the UDP receive buffer size to 32k if it is
- less than 32k. [RT #14953]
-
-1889. [port] sunos: non blocking i/o support. [RT #14951]
-
-1888. [func] Support for IPSECKEY rdata type. [RT #14967]
-
-1887. [bug] The cache could delete expired records too fast for
- clients with a virtual time in the past. [RT #14991]
-
-1886. [bug] fctx_create() could return success even though it
- failed. [RT #14993]
-
-1885. [func] dig: report the number of extra bytes still left in
- the packet after processing all the records.
-
-1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
-
-1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
- levels. [RT #14962]
-
-1882. [func] Limit the number of recursive clients that can be
- waiting for a single query (<qname,qtype,qclass>) to
- resolve. New options clients-per-query and
- max-clients-per-query.
-
-1881. [func] Add a system test for named-checkconf. [RT #14931]
-
-1880. [func] The lame cache is now done on a <qname,qclass,qtype>
- basis as some servers only appear to be lame for
- certain query types. [RT #14916]
-
-1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
- [RT #14892]
-
-1878. [func] Detect duplicates of UDP queries we are recursing on
- and drop them. New stats category "duplicate".
- [RT #2471]
-
-1877. [bug] Fix unreasonably low quantum on call to
- dns_rbt_destroy2(). Remove unnecessary unhash_node()
- call. [RT #14919]
-
-1876. [func] Additional memory debugging support to track size
- and mctx arguments. [RT #14814]
-
-1875. [bug] process_dhtkey() was using the wrong memory context
- to free some memory. [RT #14890]
-
-1874. [port] sunos: portability fixes. [RT #14814]
-
-1873. [port] win32: isc__errno2result() now reports its caller.
- [RT #13753]
-
-1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
-
-1871. [placeholder]
-
-1870. [func] Added framework for handling multiple EDNS versions.
- [RT #14873]
-
-1869. [func] dig can now specify the EDNS version when making
- a query. [RT #14873]
-
-1868. [func] edns-udp-size can now be overridden on a per
- server basis. [RT #14851]
-
-1867. [bug] It was possible to trigger a INSIST in
- dlv_validatezonekey(). [RT #14846]
-
-1866. [bug] resolv.conf parse errors were being ignored by
- dig/host/nslookup. [RT #14841]
-
-1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
- bad addresses. [RT #14841]
-
-1864. [bug] Don't try the alternative transfer source if you
- got a answer / transfer with the main source
- address. [RT #14802]
-
-1863. [bug] rrset-order "fixed" error messages not complete.
-
-1862. [func] Add additional zone data constancy checks.
- named-checkzone has extended checking of NS, MX and
- SRV record and the hosts they reference.
- named has extended post zone load checks.
- New zone options: check-mx and integrity-check.
- [RT #4940]
-
-1861. [bug] dig could trigger a INSIST on certain malformed
- responses. [RT #14801]
-
-1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
- incorrectly set. [RT #14775]
-
-1859. [func] Add support for CH A record. [RT #14695]
-
-1858. [bug] The flush-zones-on-shutdown option wasn't being
- parsed. [RT #14686]
-
-1857. [bug] named could trigger a INSIST() if reconfigured /
- reloaded too fast. [RT #14673]
-
-1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
- [RT #11398]
-
-1855. [bug] ixfr-from-differences was failing to detect changes
- of ttl due to dns_diff_subtract() was ignoring the ttl
- of records. [RT #14616]
-
-1854. [bug] lwres also needs to know the print format for
- (long long). [RT #13754]
-
-1853. [bug] Rework how DLV interacts with proveunsecure().
- [RT #13605]
-
-1852. [cleanup] Remove last vestiges of dnssec-signkey and
- dnssec-makekeyset (removed from Makefile years ago).
-
-1851. [doc] Doxygen comment markup. [RT #11398]
-
-1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
-
-1849. [doc] All forms of the man pages (docbook, man, html) should
- have consistent copyright dates.
-
-1848. [bug] Improve SMF integration. [RT #13238]
-
-1847. [bug] isc_ondestroy_init() is called too late in
- dns_rbtdb_create()/dns_rbtdb64_create().
- [RT #13661]
-
-1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
- <bortzmeyer@nic.fr>.
-
-1845. [bug] Improve error reporting to distinguish between
- accept()/fcntl() and socket()/fcntl() errors.
- [RT #13745]
-
-1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
- for each 16 bit piece of the IPv6 address. The text
- representation of a IPv6 address has been tightened
- to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
- [RT #5662]
-
-1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
- when CFLAGS contains "-I /usr/local/include"
- resulting in old header files being used.
-
-1842. [port] cmsg_len() could produce incorrect results on
- some platform. [RT #13744]
-
-1841. [bug] "dig +nssearch" now makes a recursive query to
- find the list of nameservers to query. [RT #13694]
-
-1840. [func] dnssec-signzone can now randomize signature end times
- (dnssec-signzone -j jitter). [RT #13609]
-
-1839. [bug] <isc/hash.h> was not being installed.
-
-1838. [cleanup] Don't allow Linux capabilities to be inherited.
- [RT #13707]
-
-1837. [bug] Compile time option ISC_FACILITY was not effective
- for 'named -u <user>'. [RT #13714]
-
-1836. [cleanup] Silence compiler warnings in hash_test.c.
-
-1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
-
-1834. [bug] Bad memset in rdata_test.c. [RT #13658]
-
-1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
-
-1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
- [RT #13620]
-
-1831. [doc] Update named-checkzone documentation. [RT #13604]
-
-1830. [bug] adb lame cache has sense of test reversed. [RT #13600]
-
-1829. [bug] win32: "pid-file none;" broken. [RT #13563]
-
-1828. [bug] isc_rwlock_init() failed to properly cleanup if it
- encountered a error. [RT #13549]
-
-1827. [bug] host: update usage message for '-a'. [RT #37116]
-
-1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
- of memory error. [RT #13537]
-
-1825. [bug] Missing UNLOCK() on out of memory error from in
- rbtdb.c:subtractrdataset(). [RT #13519]
-
-1824. [bug] Memory leak on dns_zone_setdbtype() failure.
- [RT #13510]
-
-1823. [bug] Wrong macro used to check for point to point interface.
- [RT #13418]
-
-1822. [bug] check-names test for RT was reversed. [RT #13382]
-
-1821. [placeholder]
-
-1820. [bug] Gracefully handle acl loops. [RT #13659]
-
-1819. [bug] The validator needed to check both the algorithm and
- digest types of the DS to determine if it could be
- used to introduce a secure zone. [RT #13593]
-
-1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
-
-1817. [func] Add support for additional zone file formats for
- improving loading performance. The masterfile-format
- option in named.conf can be used to specify a
- non-default format. A separate command
- named-compilezone was provided to generate zone files
- in the new format. Additionally, the -I and -O options
- for dnssec-signzone specify the input and output
- formats.
-
-1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
- [RT #13597]
-
-1815. [bug] nsupdate triggered a REQUIRE if the server was set
- without also setting the zone and it encountered
- a CNAME and was using TSIG. [RT #13086]
-
-1814. [func] UNIX domain controls are now supported.
-
-1813. [func] Restructured the data locking framework using
- architecture dependent atomic operations (when
- available), improving response performance on
- multi-processor machines significantly.
- x86, x86_64, alpha, powerpc, and mips are currently
- supported.
-
-1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
- [RT #13453]
-
-1811. [func] Preserve the case of domain names in rdata during
- zone transfers. [RT #13547]
-
-1810. [bug] configure, lib/bind/configure make different default
- decisions about whether to do a threaded build.
- [RT #13212]
-
-1809. [bug] "make distclean" failed for libbind if the platform
- is not supported.
-
-1808. [bug] zone.c:notify_zone() contained a race condition,
- zone->db could change underneath it. [RT #13511]
-
-1807. [bug] When forwarding (forward only) set the active domain
- from the forward zone name. [RT #13526]
-
-1806. [bug] The resolver returned the wrong result when a CNAME /
- DNAME was encountered when fetching glue from a
- secure namespace. [RT #13501]
-
-1805. [bug] Pending status was not being cleared when DLV was
- active. [RT #13501]
-
-1804. [bug] Ensure that if we are queried for glue that it fits
- in the additional section or TC is set to tell the
- client to retry using TCP. [RT #10114]
-
-1803. [bug] dnssec-signzone sometimes failed to remove old
- RRSIGs. [RT #13483]
-
-1802. [bug] Handle connection resets better. [RT #11280]
-
-1801. [func] Report differences between hints and real NS rrset
- and associated address records.
-
-1800. [bug] Changes #1719 allowed a INSIST to be triggered.
- [RT #13428]
-
-1799. [bug] 'rndc flushname' failed to flush negative cache
- entries. [RT #13438]
-
-1798. [func] The server syntax has been extended to support a
- range of servers. [RT #11132]
-
-1797. [func] named-checkconf now check acls to verify that they
- only refer to existing acls. [RT #13101]
-
-1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
-
-1795. [bug] "rndc dumpdb" was not fully documented. Minor
- formatting issues with "rndc dumpdb -all". [RT #13396]
-
-1794. [func] Named and named-checkzone can now both check for
- non-terminal wildcard records.
-
-1793. [func] Extend adjusting TTL warning messages. [RT #13378]
-
-1792. [func] New zone option "notify-delay". Specify a minimum
- delay between sets of NOTIFY messages.
-
-1791. [bug] 'host -t a' still printed out AAAA and MX records.
- [RT #13230]
-
-1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
- allow parallel make to succeed.
-
-1789. [bug] Prerequisite test for tkey and dnssec could fail
- with "configure --with-libtool".
-
-1788. [bug] libbind9.la/libbind9.so needs to link against
- libisccfg.la/libisccfg.so.
-
-1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
-
-1786. [port] AIX: libt_api needs to be taught to look for
- T_testlist in the main executable (--with-libtool).
- [RT #13239]
-
-1785. [bug] libbind9.la/libbind9.so needs to link against
- libisc.la/libisc.so.
-
-1784. [cleanup] "libtool -allow-undefined" is the default.
- Leave hooks in configure to allow it to be set
- if needed in the future.
-
-1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
- source tree.
-
-1782. [port] OSX: --with-libtool + --enable-libbind broke on
- __evOptMonoTime. [RT #13219]
-
-1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
-
-1780. [bug] Update libtool to 1.5.10.
-
-1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
-
-1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
- IN6ADDR_LOOPBACK_INIT macros.
-
-1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
- IN6ADDR_LOOPBACK_INIT macros.
-
-1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
- IN6ADDR_LOOPBACK_INIT macros.
-
-1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
-
-1774. [port] Aix: Silence compiler warnings / build failures.
- [RT #13154]
-
-1773. [bug] Fast retry on host / net unreachable. [RT #13153]
-
-1772. [placeholder]
-
-1771. [placeholder]
-
-1770. [bug] named-checkconf failed to report missing a missing
- file clause for rbt{64} master/hint zones. [RT #13009]
-
-1769. [port] win32: change compiler flags /MTd ==> /MDd,
- /MT ==> /MD.
-
-1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
- rdataset. [RT #12907]
-
-1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
- support for (struct in6_pktinfo) failed. [RT #13077]
-
-1766. [bug] Update the master file timestamp on successful refresh
- as well as the journal's timestamp. [RT #13062]
-
-1765. [bug] configure --with-openssl=auto failed. [RT #12937]
-
-1764. [bug] dns_zone_replacedb failed to emit a error message
- if there was no SOA record in the replacement db.
- [RT #13016]
-
-1763. [func] Perform sanity checks on NS records which refer to
- 'in zone' names. [RT #13002]
-
-1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
- even when it failed. [RT #12995]
-
-1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
- [RT #12971]
-
-1760. [bug] Host / net unreachable was not penalising rtt
- estimates. [RT #12970]
-
-1759. [bug] Named failed to startup if the OS supported IPv6
- but had no IPv6 interfaces configured. [RT #12942]
-
-1758. [func] Don't send notify messages to self. [RT #12933]
-
-1757. [func] host now can turn on memory debugging flags with '-m'.
-
-1756. [func] named-checkconf now checks the logging configuration.
- [RT #12352]
-
-1755. [func] allow-update is now settable at the options / view
- level. [RT #6636]
-
-1754. [bug] We weren't always attempting to query the parent
- server for the DS records at the zone cut.
- [RT #12774]
-
-1753. [bug] Don't serve a slave zone which has no NS records.
- [RT #12894]
-
-1752. [port] Move isc_app_start() to after ns_os_daemonise()
- as some fork() implementations unblock the signals
- that are blocked by isc_app_start(). [RT #12810]
-
-1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
-
-1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
- [RT #12864]
-
-1749. [bug] 'check-names response ignore;' failed to ignore.
- [RT #12866]
-
-1748. [func] dig now returns the byte count for axfr/ixfr.
-
-1747. [bug] BIND 8 compatibility: named/named-checkconf failed
- to parse "host-statistics-max" in named.conf.
-
-1746. [func] Make public the function to read a key file,
- dst_key_read_public(). [RT #12450]
-
-1745. [bug] Dig/host/nslookup accept replies from link locals
- regardless of scope if no scope was specified when
- query was sent. [RT #12745]
-
-1744. [bug] If tuple2msgname() failed to convert a tuple to
- a name a REQUIRE could be triggered. [RT #12796]
-
-1743. [bug] If isc_taskmgr_create() was not able to create the
- requested number of worker threads then destruction
- of the manager would trigger an INSIST() failure.
- [RT #12790]
-
-1742. [bug] Deleting all records at a node then adding a
- previously existing record, in a single UPDATE
- transaction, failed to leave / regenerate the
- associated RRSIG records. [RT #12788]
-
-1741. [bug] Deleting all records at a node in a secure zone
- using a update-policy grant failed. [RT #12787]
-
-1740. [bug] Replace rbt's hash algorithm as it performed badly
- with certain zones. [RT #12729]
-
- NOTE: a hash context now needs to be established
- via isc_hash_create() if the application was not
- already doing this.
-
-1739. [bug] dns_rbt_deletetree() could incorrectly return
- ISC_R_QUOTA. [RT #12695]
-
-1738. [bug] Enable overrun checking by default. [RT #12695]
-
-1737. [bug] named failed if more than 16 masters were specified.
- [RT #12627]
-
-1736. [bug] dst_key_fromnamedfile() could fail to read a
- public key. [RT #12687]
-
-1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
- [RE #12688]
-
-1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
- [RT #12588]
-
-1733. [bug] Return non-zero exit status on initial load failure.
- [RT #12658]
-
-1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
- [RT #12467]
-
-1731. [port] darwin: relax version test in ifconfig.sh.
- [RT #12581]
-
-1730. [port] Determine the length type used by the socket API.
- [RT #12581]
-
-1729. [func] Improve check-names error messages.
-
-1728. [doc] Update check-names documentation.
-
-1727. [bug] named-checkzone: check-names support didn't match
- documentation.
-
-1726. [port] aix5: add support for aix5.
-
-1725. [port] linux: update error message on interaction of threads,
- capabilities and setuid support (named -u). [RT #12541]
-
-1724. [bug] Look for DNSKEY records with "dig +sigtrace".
- [RT #12557]
-
-1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
-
-1722. [bug] Don't commit the journal on malformed ixfr streams.
- [RT #12519]
-
-1721. [bug] Error message from the journal processing were not
- always identifying the relevant journal. [RT #12519]
-
-1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
- negative response. [RT #12506]
-
-1719. [bug] named was not correctly caching a RFC 2308 Type 1
- negative response. [RT #12506]
-
-1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
- responses when looking for the zone / master server.
- [RT #12506]
-
-1717. [port] solaris: ifconfig.sh did not support Solaris 10.
- "ifconfig.sh down" didn't work for Solaris 9.
-
-1716. [doc] named.conf(5) was being installed in the wrong
- location. [RT #12441]
-
-1715. [func] 'dig +trace' now randomly selects the next servers
- to try. Report if there is a bad delegation.
-
-1714. [bug] dig/host/nslookup were only trying the first
- address when a nameserver was specified by name.
- [RT #12286]
-
-1713. [port] linux: extend capset failure message to say:
- please ensure that the capset kernel module is
- loaded. see insmod(8)
-
-1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
-
-1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
-
-1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
- messages for the specified zone. [RT #9479]
-
-1709. [port] solaris: add SMF support from Sun.
-
-1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
- for conformance to the name space convention. Binary
- backward compatibility to the old function name is
- provided. [RT #12376]
-
-1707. [contrib] sdb/ldap updated to version 1.0-beta.
-
-1706. [bug] 'rndc stop' failed to cause zones to be flushed
- sometimes. [RT #12328]
-
-1705. [func] Allow the journal's name to be changed via named.conf.
-
-1704. [port] lwres needed a snprintf() implementation for
- platforms without snprintf(). Add missing
- "#include <isc/print.h>". [RT #12321]
-
-1703. [bug] named would loop sending NOTIFY messages when it
- failed to receive a response. [RT #12322]
-
-1702. [bug] also-notify should not be applied to built in zones.
- [RT #12323]
-
-1701. [doc] A minimal named.conf man page.
-
-1700. [func] nslookup is no longer to be treated as deprecated.
- Remove "deprecated" warning message. Add man page.
-
-1699. [bug] dnssec-signzone can generate "not exact" errors
- when resigning. [RT #12281]
-
-1698. [doc] Use reserved IPv6 documentation prefix.
-
-1697. [bug] xxx-source{,-v6} was not effective when it
- specified one of listening addresses and a
- different port than the listening port. [RT #12257]
-
-1696. [bug] dnssec-signzone failed to clean out nodes that
- consisted of only NSEC and RRSIG records.
- [RT #12154]
-
-1695. [bug] DS records when forwarding require special handling.
- [RT #12133]
-
-1694. [bug] Report if the builtin views of "_default" / "_bind"
- are defined in named.conf. [RT #12023]
-
-1693. [bug] max-journal-size was not effective for master zones
- with ixfr-from-differences set. [RT #12024]
-
-1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
- /usr/lib. [RT #11971]
-
-1691. [bug] sdb's attachversion was not complete. [RT #11990]
-
-1690. [bug] Delay detaching view from the client until UPDATE
- processing completes when shutting down. [RT #11714]
-
-1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
- contained gratuitous semicolons. [RT #11707]
-
-1688. [bug] LDFLAGS was not supported.
-
-1687. [bug] Race condition in dispatch. [RT #10272]
-
-1686. [bug] Named sent a extraneous NOTIFY when it received a
- redundant UPDATE request. [RT #11943]
-
-1685. [bug] Change #1679 loop tests weren't quite right.
-
-1684. [func] ixfr-from-differences now takes master and slave in
- addition to yes and no at the options and view levels.
-
-1683. [bug] dig +sigchase could leak memory. [RT #11445]
-
-1682. [port] Update configure test for (long long) printf format.
- [RT #5066]
-
-1681. [bug] Only set SO_REUSEADDR when a port is specified in
- isc_socket_bind(). [RT #11742]
-
-1680. [func] rndc: the source address can now be specified.
-
-1679. [bug] When there was a single nameserver with multiple
- addresses for a zone not all addresses were tried.
- [RT #11706]
-
-1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
-
-1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
-
-1676. [func] New option "allow-query-cache". This lets
- allow-query be used to specify the default zone
- access level rather than having to have every
- zone override the global value. allow-query-cache
- can be set at both the options and view levels.
- If allow-query-cache is not set allow-query applies.
-
-1675. [bug] named would sometimes add extra NSEC records to
- the authority section.
-
-1674. [port] linux: increase buffer size used to scan
- /proc/net/if_inet6.
-
-1673. [port] linux: issue a error messages if IPv6 interface
- scans fails.
-
-1672. [cleanup] Tests which only function in a threaded build
- now return R:THREADONLY (rather than R:UNTESTED)
- in a non-threaded build.
-
-1671. [contrib] queryperf: add NAPTR to the list of known types.
-
-1670. [func] Log UPDATE requests to slave zones without an acl as
- "disabled" at debug level 3. [RT #11657]
-
-1669. [placeholder]
-
-1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
-
-1667. [port] linux: not all versions have IF_NAMESIZE.
-
-1666. [bug] The optional port on hostnames in dual-stack-servers
- was being ignored.
-
-1665. [func] rndc now allows addresses to be set in the
- server clauses.
-
-1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
-
-1663. [func] Look for OpenSSL by default.
-
-1662. [bug] Change #1658 failed to change one use of 'type'
- to 'keytype'.
-
-1661. [bug] Restore dns_name_concatenate() call in
- adb.c:set_target(). [RT #11582]
-
-1660. [bug] win32: connection_reset_fix() was being called
- unconditionally. [RT #11595]
-
-1659. [cleanup] Cleanup some messages that were referring to KEY vs
- DNSKEY, NXT vs NSEC and SIG vs RRSIG.
-
-1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
- and DH. Tighten which options apply to KEY and
- DNSKEY records.
-
-1657. [doc] ARM: document query log output.
-
-1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
- DNSKEY and RRSIG. [RT #11542]
-
-1655. [bug] Logging multiple versions w/o a size was broken.
- [RT #11446]
-
-1654. [bug] isc_result_totext() contained array bounds read
- error.
-
-1653. [func] Add key type checking to dst_key_fromfilename(),
- DST_TYPE_KEY should be used to read TSIG, TKEY and
- SIG(0) keys.
-
-1652. [bug] TKEY still uses KEY.
-
-1651. [bug] dig: process multiple dash options.
-
-1650. [bug] dig, nslookup: flush standard out after each command.
-
-1649. [bug] Silence "unexpected non-minimal diff" message.
- [RT #11206]
-
-1648. [func] Update dnssec-lookaside named.conf syntax to support
- multiple dnssec-lookaside namespaces (not yet
- implemented).
-
-1647. [bug] It was possible trigger a INSIST when chasing a DS
- record that required walking back over a empty node.
- [RT #11445]
-
-1646. [bug] win32: logging file versions didn't work with
- non-UNC filenames. [RT #11486]
-
-1645. [bug] named could trigger a REQUIRE failure if multiple
- masters with keys are specified.
-
-1644. [bug] Update the journal modification time after a
- successful refresh query. [RT #11436]
-
-1643. [bug] dns_db_closeversion() could leak memory / node
- references. [RT #11163]
-
-1642. [port] Support OpenSSL implementations which don't have
- DSA support. [RT #11360]
-
-1641. [bug] Update the check-names description in ARM. [RT #11389]
-
-1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
- incorrectly closing the socket. [RT #11291]
-
-1639. [func] Initial dlv system test.
-
-1638. [bug] "ixfr-from-differences" could generate a REQUIRE
- failure if the journal open failed. [RT #11347]
-
-1637. [bug] Node reference leak on error in addnoqname().
-
-1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
- a error had occurred. The database version no longer
- matched the version of the database that was dumped.
-
-1635. [bug] Memory leak on error in query_addds().
-
-1634. [bug] named didn't supply a useful error message when it
- detected duplicate views. [RT #11208]
-
-1633. [bug] named should return NOTIMP to update requests to a
- slaves without a allow-update-forwarding acl specified.
- [RT #11331]
-
-1632. [bug] nsupdate failed to send prerequisite only UPDATE
- messages. [RT #11288]
-
-1631. [bug] dns_journal_compact() could sometimes corrupt the
- journal. [RT #11124]
-
-1630. [contrib] queryperf: add support for IPv6 transport.
-
-1629. [func] dig now supports IPv6 scoped addresses with the
- extended format in the local-server part. [RT #8753]
-
-1628. [bug] Typo in Compaq Trucluster support. [RT #11264]
-
-1627. [bug] win32: sockets were not being closed when the
- last external reference was removed. [RT #11179]
-
-1626. [bug] --enable-getifaddrs was broken. [RT #11259]
-
-1625. [bug] named failed to load/transfer RFC2535 signed zones
- which contained CNAMES. [RT #11237]
-
-1624. [bug] zonemgr_putio() call should be locked. [RT #11163]
-
-1623. [bug] A serial number of zero was being displayed in the
- "sending notifies" log message when also-notify was
- used. [RT #11177]
-
-1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
- available, and suppress wildcard binding if not.
-
-1621. [bug] match-destinations did not work for IPv6 TCP queries.
- [RT #11156]
-
-1620. [func] When loading a zone report if it is signed. [RT #11149]
-
-1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
- [RT #11118]
-
-1618. [bug] Fencepost errors in dns_name_ishostname() and
- dns_name_ismailbox() could trigger a INSIST().
-
-1617. [port] win32: VC++ 6.0 support.
-
-1616. [compat] Ensure that named's version is visible in the core
- dump. [RT #11127]
-
-1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
- it is defined.
-
-1614. [port] win32: silence resource limit messages. [RT #11101]
-
-1613. [bug] Builds would fail on machines w/o a if_nametoindex().
- Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
- [RT #11119]
-
-1612. [bug] check-names at the option/view level could trigger
- an INSIST. [RT #11116]
-
-1611. [bug] solaris: IPv6 interface scanning failed to cope with
- no active IPv6 interfaces.
-
-1610. [bug] On dual stack machines "dig -b" failed to set the
- address type to be looked up with "@server".
- [RT #11069]
-
-1609. [func] dig now has support to chase DNSSEC signature chains.
- Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
-
- DNSSEC validation code in dig coded by Olivier Courtay
- (olivier.courtay@irisa.fr) for the IDsA project
- (http://idsa.irisa.fr).
-
-1608. [func] dig and host now accept -4/-6 to select IP transport
- to use when making queries.
-
-1607. [bug] dig, host and nslookup were still using random()
- to generate query ids. [RT #11013]
-
-1606. [bug] DLV insecurity proof was failing.
-
-1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
-
-1604. [bug] A xfrout_ctx_create() failure would result in
- xfrout_ctx_destroy() being called with a
- partially initialized structure.
-
-1603. [bug] nsupdate: set interactive based on isatty().
- [RT #10929]
-
-1602. [bug] Logging to a file failed unless a size was specified.
- [RT #10925]
-
-1601. [bug] Silence spurious warning 'both "recursion no;" and
- "allow-recursion" active' warning from view "_bind".
- [RT #10920]
-
-1600. [bug] Duplicate zone pre-load checks were not case
- insensitive.
-
-1599. [bug] Fix memory leak on error path when checking named.conf.
-
-1598. [func] Specify that certain parts of the namespace must
- be secure (dnssec-must-be-secure).
-
-1597. [func] Allow notify-source and query-source to be specified
- on a per server basis similar to transfer-source.
- [RT #6496]
-
-1596. [func] Accept 'notify-source' style syntax for query-source.
-
-1595. [func] New notify type 'master-only'. Enable notify for
- master zones only.
-
-1594. [bug] 'rndc dumpdb' could prevent named from answering
- queries while the dump was in progress. [RT #10565]
-
-1593. [bug] rndc should return "unknown command" to unknown
- commands. [RT #10642]
-
-1592. [bug] configure_view() could leak a dispatch. [RT #10675]
-
-1591. [bug] libbind: updated to BIND 8.4.5.
-
-1590. [port] netbsd: update thread support.
-
-1589. [func] DNSSEC lookaside validation.
-
-1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
-
-1587. [bug] dns_message_settsigkey() failed to clear existing key.
- [RT #10590]
-
-1586. [func] "check-names" is now implemented.
-
-1585. [placeholder]
-
-1584. [bug] "make test" failed with a read only source tree.
- [RT #10461]
-
-1583. [bug] Records add via UPDATE failed to get the correct trust
- level. [RT #10452]
-
-1582. [bug] rrset-order failed to work on RRsets with more
- than 32 elements. [RT #10381]
-
-1581. [func] Disable DNSSEC support by default. To enable
- DNSSEC specify "dnssec-enable yes;" in named.conf.
-
-1580. [bug] Zone destruction on final detach takes a long time.
- [RT #3746]
-
-1579. [bug] Multiple task managers could not be created.
-
-1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
- [RT #10346]
-
-1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
- workaround code. [RT #10331]
-
-1576. [bug] Race condition in dns_dispatch_addresponse().
- [RT #10272]
-
-1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
-
-1574. [bug] Don't attempt to open the controls socket(s) when
- running tests. [RT #9091]
-
-1573. [port] linux: update to libtool 1.5.2 so that
- "make install DESTDIR=/xx" works with
- "configure --with-libtool". [RT #9941]
-
-1572. [bug] nsupdate: sign the soa query to find the enclosing
- zone if the server is specified. [RT #10148]
-
-1571. [bug] rbt:hash_node() could fail leaving the hash table
- in an inconsistent state. [RT #10208]
-
-1570. [bug] nsupdate failed to handle classes other than IN.
- New keyword 'class' which sets the default class.
- [RT #10202]
-
-1569. [func] nsupdate new command 'answer' which displays the
- complete answer message to the last update.
-
-1568. [bug] nsupdate now reports that the update failed in
- interactive mode. [RT #10236]
-
-1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
-
-1566. [port] Support for the cmsg framework on Solaris and HP/UX.
- This also solved the problem that match-destinations
- for IPv6 addresses did not work on these systems.
- [RT #10221]
-
-1565. [bug] CD flag should be copied to outgoing queries unless
- the query is under a secure entry point in which case
- CD should be set.
-
-1564. [func] Attempt to provide a fallback entropy source to be
- used if named is running chrooted and named is unable
- to open entropy source within the chroot area.
- [RT #10133]
-
-1563. [bug] Gracefully fail when unable to obtain neither an IPv4
- nor an IPv6 dispatch. [RT #10230]
-
-1562. [bug] isc_socket_create() and isc_socket_accept() could
- leak memory under error conditions. [RT #10230]
-
-1561. [bug] It was possible to release the same name twice if
- named ran out of memory. [RT #10197]
-
-1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
- and EAI_NONAME to the same value.
-
-1559. [port] named should ignore SIGFSZ.
-
-1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
- child zones for which we don't have a supported
- algorithm. Such child zones are treated as unsigned.
-
-1557. [func] Implement missing DNSSEC tests for
- * NOQNAME proof with wildcard answers.
- * NOWILDARD proof with NXDOMAIN.
- Cache and return NOQNAME with wildcard answers.
-
-1556. [bug] nsupdate now treats all names as fully qualified.
- [RT #6427]
-
-1555. [func] 'rrset-order cyclic' no longer has a random starting
- point per query. [RT #7572]
-
-1554. [bug] dig, host, nslookup failed when no nameservers
- were specified in /etc/resolv.conf. [RT #8232]
-
-1553. [bug] The windows socket code could stop accepting
- connections. [RT #10115]
-
-1552. [bug] Accept NOTIFY requests from mapped masters if
- matched-mapped is set. [RT #10049]
-
-1551. [port] Open "/dev/null" before calling chroot().
-
-1550. [port] Call tzset(), if available, before calling chroot().
-
-1549. [func] named-checkzone can now write out the zone contents
- in a easily parsable format (-D and -o).
-
-1548. [bug] When parsing APL records it was possible to silently
- accept out of range ADDRESSFAMILY values. [RT #9979]
-
-1547. [bug] Named wasted memory recording duplicate lame zone
- entries. [RT #9341]
-
-1546. [bug] We were rejecting valid secure CNAME to negative
- answers.
-
-1545. [bug] It was possible to leak memory if named was unable to
- bind to the specified transfer source and TSIG was
- being used. [RT #10120]
-
-1544. [bug] Named would logged a single entry to a file despite it
- being over the specified size limit.
-
-1543. [bug] Logging using "versions unlimited" did not work.
-
-1542. [placeholder]
-
-1541. [func] NSEC now uses new bitmap format.
-
-1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
- [RT #8934]
-
-1539. [bug] Open UDP sockets for notify-source and transfer-source
- that use reserved ports at startup. [RT #9475]
-
-1538. [placeholder] rt9997
-
-1537. [func] New option "querylog". If set specify whether query
- logging is to be enabled or disabled at startup.
-
-1536. [bug] Windows socket code failed to log a error description
- when returning ISC_R_UNEXPECTED. [RT #9998]
-
-1535. [placeholder]
-
-1534. [bug] Race condition when priming cache. [RT #9940]
-
-1533. [func] Warn if both "recursion no;" and "allow-recursion"
- are active. [RT #4389]
-
-1532. [port] netbsd: the configure test for <sys/sysctl.h>
- requires <sys/param.h>.
-
-1531. [port] AIX more libtool fixes.
-
-1530. [bug] It was possible to trigger a INSIST() failure if a
- slave master file was removed at just the correct
- moment. [RT #9462]
-
-1529. [bug] "notify explicit;" failed to log that NOTIFY messages
- were being sent for the zone. [RT #9442]
-
-1528. [cleanup] Simplify some dns_name_ functions based on the
- deprecation of bitstring labels.
-
-1527. [cleanup] Reduce the number of gettimeofday() calls without
- losing necessary timer granularity.
-
-1526. [func] Implemented "additional section caching (or acache)",
- an internal cache framework for additional section
- content to improve response performance. Several
- configuration options were provided to control the
- behavior.
-
-1525. [bug] dns_cache_create() could trigger a REQUIRE
- failure in isc_mem_put() during error cleanup.
- [RT #9360]
-
-1524. [port] AIX needs to be able to resolve all symbols when
- creating shared libraries (--with-libtool).
-
-1523. [bug] Fix race condition in rbtdb. [RT #9189]
-
-1522. [bug] dns_db_findnode() relax the requirements on 'name'.
- [RT #9286]
-
-1521. [bug] dns_view_createresolver() failed to check the
- result from isc_mem_create(). [RT #9294]
-
-1520. [protocol] Add SSHFP (SSH Finger Print) type.
-
-1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
- length of the new bitmap.
-
-1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
- contained a off-by-one error when working out the
- number of octets in the bitmap.
-
-1517. [port] Support for IPv6 interface scanning on HP/UX and
- TrueUNIX 5.1.
-
-1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
-
-1515. [func] Allow transfer source to be set in a server statement.
- [RT #6496]
-
-1514. [bug] named: isc_hash_destroy() was being called too early.
- [RT #9160]
-
-1513. [doc] Add "US" to root-delegation-only exclude list.
-
-1512. [bug] Extend the delegation-only logging to return query
- type, class and responding nameserver.
-
-1511. [bug] delegation-only was generating false positives
- on negative answers from sub-zones.
-
-1510. [func] New view option "root-delegation-only". Apply
- delegation-only check to all TLDs and root.
- Note there are some TLDs that are NOT delegation
- only (e.g. DE, LV, US and MUSEUM) these can be excluded
- from the checks by using exclude.
-
- root-delegation-only exclude {
- "DE"; "LV"; "US"; "MUSEUM";
- };
-
-1509. [bug] Hint zones should accept delegation-only. Forward
- zone should not accept delegation-only.
-
-1508. [bug] Don't apply delegation-only checks to answers from
- forwarders.
-
-1507. [bug] Handle BIND 8 style returns to NS queries to parents
- when making delegation-only checks.
-
-1506. [bug] Wrong return type for dns_view_isdelegationonly().
-
-1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
-
-1504. [func] New zone type "delegation-only".
-
-1503. [port] win32: install libeay32.dll outside of system32.
-
-1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
-
-1501. [func] Allow TCP queue length to be specified via
- named.conf, tcp-listen-queue.
-
-1500. [bug] host failed to lookup MX records. Also look up
- AAAA records.
-
-1499. [bug] isc_random need to be seeded better if arc4random()
- is not used.
-
-1498. [port] bsdos: 5.x support.
-
-1497. [placeholder]
-
-1496. [port] test for pthread_attr_setstacksize().
-
-1495. [cleanup] Replace hash functions with universal hash.
-
-1494. [security] Turn on RSA BLINDING as a precaution.
-
-1493. [placeholder]
-
-1492. [cleanup] Preserve rwlock quota context when upgrading /
- downgrading. [RT #5599]
-
-1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
- lines. [RT #6206]
-
-1490. [bug] Accept reading state as well as working state in
- ns_client_next(). [RT #6813]
-
-1489. [compat] Treat 'allow-update' on slave zones as a warning.
- [RT #3469]
-
-1488. [bug] Don't override trust levels for glue addresses.
- [RT #5764]
-
-1487. [bug] A REQUIRE() failure could be triggered if a zone was
- queued for transfer and the zone was then removed.
- [RT #6189]
-
-1486. [bug] isc_print_snprintf() '%%' consumed one too many format
- characters. [RT #8230]
-
-1485. [bug] gen failed to handle high type values. [RT #6225]
-
-1484. [bug] The number of records reported after a AXFR was wrong.
- [RT #6229]
-
-1483. [bug] dig axfr failed if the message id in the answer failed
- to match that in the request. Only the id in the first
- message is required to match. [RT #8138]
-
-1482. [bug] named could fail to start if the kernel supports
- IPv6 but no interfaces are configured. Similarly
- for IPv4. [RT #6229]
-
-1481. [bug] Refresh and stub queries failed to use masters keys
- if specified. [RT #7391]
-
-1480. [bug] Provide replay protection for rndc commands. Full
- replay protection requires both rndc and named to
- be updated. Partial replay protection (limited
- exposure after restart) is provided if just named
- is updated.
-
-1479. [bug] cfg_create_tuple() failed to handle out of
- memory cleanup. parse_list() would leak memory
- on syntax errors.
-
-1478. [port] ifconfig.sh didn't account for other virtual
- interfaces. It now takes a optional argument
- to specify the first interface number. [RT #3907]
-
-1477. [bug] memory leak using stub zones and TSIG.
-
-1476. [placeholder]
-
-1475. [port] Probe for old sprintf().
-
-1474. [port] Provide strtoul() and memmove() for platforms
- without them.
-
-1473. [bug] create_map() and create_string() failed to handle out
- of memory cleanup. [RT #6813]
-
-1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
-
-1471. [bug] libbind: updated to BIND 8.4.0.
-
-1470. [bug] Incorrect length passed to snprintf. [RT #5966]
-
-1469. [func] Log end of outgoing zone transfer at same level
- as the start of transfer is logged. [RT #4441]
-
-1468. [func] Internal zones are no longer counted for
- 'rndc status'. [RT #4706]
-
-1467. [func] $GENERATES now supports optional class and ttl.
-
-1466. [bug] lwresd configuration errors resulted in memory
- and lock leaks. [RT #5228]
-
-1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
- failed to check that trailing bits were zero allowing
- some invalid base64 strings to be accepted. [RT #5397]
-
-1464. [bug] Preserve "out of zone" data for outgoing zone
- transfers. [RT #5192]
-
-1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
- NXT bit maps. [RT #5577]
-
-1462. [bug] parse_sizeval() failed to check the token type.
- [RT #5586]
-
-1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
-
-1460. [bug] inet_pton() failed to reject certain malformed
- IPv6 literals.
-
-1459. [placeholder]
-
-1458. [cleanup] sprintf() -> snprintf().
-
-1457. [port] Provide strlcat() and strlcpy() for platforms without
- them.
-
-1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
-
-1455. [bug] <netaddr> missing from server grammar in
- doc/misc/options. [RT #5616]
-
-1454. [port] Use getifaddrs() if available for interface scanning.
- --disable-getifaddrs to override. Glibc currently
- has a getifaddrs() that does not support IPv6.
- Use --enable-getifaddrs=glibc to force the use of
- this version under linux machines.
-
-1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
-
-1452. [placeholder]
-
-1451. [bug] rndc-confgen didn't exit with a error code for all
- failures. [RT #5209]
-
-1450. [bug] Fetching expired glue failed under certain
- circumstances. [RT #5124]
-
-1449. [bug] query_addbestns() didn't handle running out of memory
- gracefully.
-
-1448. [bug] Handle empty wildcards labels.
-
-1447. [bug] We were casting (unsigned int) to and from (void *).
- rdataset->private4 is now rdataset->privateuint4
- to reflect a type change.
-
-1446. [func] Implemented undocumented alternate transfer sources
- from BIND 8. See use-alt-transfer-source,
- alt-transfer-source and alt-transfer-source-v6.
-
- SECURITY: use-alt-transfer-source is ENABLED unless
- you are using views. This may cause a security risk
- resulting in accidental disclosure of wrong zone
- content if the master supplying different source
- content based on IP address. If you are not certain
- ISC recommends setting use-alt-transfer-source no;
-
-1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
- been replaced with DNS_ADBFIND_STARTATZONE which
- causes the search to start using the closest zone.
-
-1444. [func] dns_view_findzonecut2() allows you to specify if the
- cache should be searched for zone cuts.
-
-1443. [func] Masters lists can now be specified and referenced
- in zone masters clauses and other masters lists.
-
-1442. [func] New functions for manipulating port lists:
- dns_portlist_create(), dns_portlist_add(),
- dns_portlist_remove(), dns_portlist_match(),
- dns_portlist_attach() and dns_portlist_detach().
-
-1441. [func] It is now possible to tell dig to bind to a specific
- source port.
-
-1440. [func] It is now possible to tell named to avoid using
- certain source ports (avoid-v4-udp-ports,
- avoid-v6-udp-ports).
-
-1439. [bug] Named could return NOERROR with certain NOTIFY
- failures. Return NOTAUTH if the NOTIFY zone is
- not being served.
-
-1438. [func] Log TSIG (if any) when logging NOTIFY requests.
-
-1437. [bug] Leave space for stdio to work in. [RT #5033]
-
-1436. [func] dns_zonemgr_resumexfrs() can be used to restart
- stalled transfers.
-
-1435. [bug] zmgr_resume_xfrs() was being called read locked
- rather than write locked. zmgr_resume_xfrs()
- was not being called if the zone was being
- shutdown.
-
-1434. [bug] "rndc reconfig" failed to initiate the initial
- zone transfer of new slave zones.
-
-1433. [bug] named could trigger a REQUIRE failure if it could
- not get a file descriptor when attempting to write
- a master file. [RT #4347]
-
-1432. [func] The advertised EDNS UDP buffer size can now be set
- via named.conf (edns-udp-size).
-
-1431. [bug] isc_print_snprintf() "%s" with precision could walk off
- end of argument. [RT #5191]
-
-1430. [port] linux: IPv6 interface scanning support.
-
-1429. [bug] Prevent the cache getting locked to old servers.
-
-1428. [placeholder]
-
-1427. [bug] Race condition in adb with threaded build.
-
-1426. [placeholder]
-
-1425. [port] linux/libbind: define __USE_MISC when testing *_r()
- function prototypes in netdb.h. [RT #4921]
-
-1424. [bug] EDNS version not being correctly printed.
-
-1423. [contrib] queryperf: added A6 and SRV.
-
-1422. [func] Log name/type/class when denying a query. [RT #4663]
-
-1421. [func] Differentiate updates that don't succeed due to
- prerequisites (unsuccessful) vs other reasons
- (failed).
-
-1420. [port] solaris: work around gcc optimizer bug.
-
-1419. [port] openbsd: use /dev/arandom. [RT #4950]
-
-1418. [bug] 'rndc reconfig' did not cause new slaves to load.
-
-1417. [func] ID.SERVER/CHAOS is now a built in zone.
- See "server-id" for how to configure.
-
-1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
- [RT #4715]
-
-1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
- from SOA MINIMUM.
-
-1414. [func] Support for KSK flag.
-
-1413. [func] Explicitly request the (re-)generation of DS records
- from keysets (dnssec-signzone -g).
-
-1412. [func] You can now specify servers to be tried if a nameserver
- has IPv6 address and you only support IPv4 or the
- reverse. See dual-stack-servers.
-
-1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
-
-1410. [func] Handle records that live in the parent zone, e.g. DS.
-
-1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
-
-1408. [bug] "make distclean" was not complete. [RT #4700]
-
-1407. [bug] lfsr incorrectly implements the shift register.
- [RT #4617]
-
-1406. [bug] dispatch initializes one of the LFSR's with a incorrect
- polynomial. [RT #4617]
-
-1405. [func] Use arc4random() if available.
-
-1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
- buffer.
-
-1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
- dnssec-signkey now report their version in the
- usage message.
-
-1402. [cleanup] A6 has been moved to experimental and is no longer
- fully supported.
-
-1401. [bug] adb wasn't clearing state when the timer expired.
-
-1400. [bug] Block the addition of wildcard NS records by IXFR
- or UPDATE. [RT #3502]
-
-1399. [bug] Use serial number arithmetic when testing SIG
- timestamps. [RT #4268]
-
-1398. [doc] ARM: notify-also should have been also-notify.
- [RT #4345]
-
-1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
-
-1396. [func] dnssec-signzone: adjust the default signing time by
- 1 hour to allow for clock skew.
-
-1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
- have a working implementation. [RT #4079]
-
-1394. [func] It is now possible to check if a particular element is
- in a acl. Remove duplicate entries from the localnets
- acl.
-
-1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
- is not available in the kernel to prevent accidentally
- listening on IPv4 interfaces.
-
-1392. [bug] named-checkzone: update usage.
-
-1391. [func] Add support for IPv6 scoped addresses in named.
-
-1390. [func] host now supports ixfr.
-
-1389. [bug] named could fail to rotate long log files. [RT #3666]
-
-1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
- defining HAVE_IFLIST_SYSCTL. [RT #3770]
-
-1387. [bug] named could crash due to an access to invalid memory
- space (which caused an assertion failure) in
- incremental cleaning. [RT #3588]
-
-1386. [bug] named-checkzone -z stopped on errors in a zone.
- [RT #3653]
-
-1385. [bug] Setting serial-query-rate to 10 would trigger a
- REQUIRE failure.
-
-1384. [bug] host was incompatible with BIND 8 in its exit code and
- in the output with the -l option. [RT #3536]
-
-1383. [func] Track the serial number in a IXFR response and log if
- a mismatch occurs. This is a more specific error than
- "not exact". [RT #3445]
-
-1382. [bug] make install failed with --enable-libbind. [RT #3656]
-
-1381. [bug] named failed to correctly process answers that
- contained DNAME records where the resulting CNAME
- resulted in a negative answer.
-
-1380. [func] 'rndc recursing' dump recursing queries to
- 'recursing-file = "named.recursing";'.
-
-1379. [func] 'rndc status' now reports tcp and recursion quota
- states.
-
-1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
-
-1377. [func] dns_zone_load{new}() now reports if the zone was
- loaded, queued for loading to up to date.
-
-1376. [func] New function dns_zone_logc() to log to specified
- category.
-
-1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
- data cache.
-
-1374. [func] dns_adb_dump() now logs the lame zones associated
- with each server.
-
-1373. [bug] Recovery from expired glue failed under certain
- circumstances.
-
-1372. [bug] named crashes with an assertion failure on exit when
- sharing the same port for listening and querying, and
- changing listening addresses several times. [RT #3509]
-
-1371. [bug] notify-source-v6, transfer-source-v6 and
- query-source-v6 with explicit addresses and using the
- same ports as named was listening on could interfere
- with named's ability to answer queries sent to those
- addresses.
-
-1370. [bug] dig '+[no]recurse' was incorrectly documented.
-
-1369. [bug] Adding an NS record as the lexicographically last
- record in a secure zone didn't work.
-
-1368. [func] remove support for bitstring labels.
-
-1367. [func] Use response times to select forwarders.
-
-1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
-
-1365. [func] "localhost" and "localnets" acls now include IPv6
- addresses / prefixes.
-
-1364. [func] Log file name when unable to open memory statistics
- and dump database files. [RT #3437]
-
-1363. [func] Listen-on-v6 now supports specific addresses.
-
-1362. [bug] remove IFF_RUNNING test when scanning interfaces.
-
-1361. [func] log the reason for rejecting a server when resolving
- queries.
-
-1360. [bug] --enable-libbind would fail when not built in the
- source tree for certain OS's.
-
-1359. [security] Support patches OpenSSL libraries.
- http://www.cert.org/advisories/CA-2002-23.html
-
-1358. [bug] It was possible to trigger a INSIST when debugging
- large dynamic updates. [RT #3390]
-
-1357. [bug] nsupdate was extremely wasteful of memory.
-
-1356. [tuning] Reduce the number of events / quantum for zone tasks.
-
-1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
-
-1354. [doc] lwres man pages had illegal nroff.
-
-1353. [contrib] sdb/ldap to version 0.9.
-
-1352. [bug] dig, host, nslookup when falling back to TCP use the
- current search entry (if any). [RT #3374]
-
-1351. [bug] lwres_getipnodebyname() returned the wrong name
- when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
- was set.
-
-1350. [bug] dns_name_fromtext() failed to handle too many labels
- gracefully.
-
-1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
- http://www.cert.org/advisories/CA-2002-23.html
-
-1348. [port] win32: Rewrote code to use I/O Completion Ports
- in socket.c and eliminating a host of socket
- errors. Performance is enhanced.
-
-1347. [placeholder]
-
-1346. [placeholder]
-
-1345. [port] Use a explicit -Wformat with gcc. Not all versions
- include it in -Wall.
-
-1344. [func] Log if the serial number on the master has gone
- backwards.
- If you have multiple machines specified in the masters
- clause you may want to set 'multi-master yes;' to
- suppress this warning.
-
-1343. [func] Log successful notifies received (info). Adjust log
- level for failed notifies to notice.
-
-1342. [func] Log remote address with TCP dispatch failures.
-
-1341. [func] Allow a rate limiter to be stalled.
-
-1340. [bug] Delay and spread out the startup refresh load.
-
-1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
- lookups. Bit string lookups are no longer attempted.
-
-1338. [placeholder]
-
-1337. [placeholder]
-
-1336. [func] Nibble lookups under IP6.ARPA are now supported by
- dns_byaddr_create(). dns_byaddr_createptrname() is
- deprecated, use dns_byaddr_createptrname2() instead.
-
-1335. [bug] When performing a nonexistence proof, the validator
- should discard parent NXTs from higher in the DNS.
-
-1334. [bug] When signing/verifying rdatasets, duplicate rdatas
- need to be suppressed.
-
-1333. [contrib] queryperf now reports a summary of returned
- rcodes (-c), rcodes are printed in mnemonic form (-v).
-
-1332. [func] Report the current serial with periodic commits when
- rolling forward the journal.
-
-1331. [func] Generate DNSSEC wildcard proofs.
-
-1330. [bug] When processing events (non-threaded) only allow
- the task one chance to use to use its quantum.
-
-1329. [func] named-checkzone will now check if nameservers that
- appear to be IP addresses. Available modes "fail",
- "warn" (default) and "ignore" the results of the
- check.
-
-1328. [bug] The validator could incorrectly verify an invalid
- negative proof.
-
-1327. [bug] The validator would incorrectly mark data as insecure
- when seeing a bogus signature before a correct
- signature.
-
-1326. [bug] DNAME/CNAME signatures were not being cached when
- validation was not being performed. [RT #3284]
-
-1325. [bug] If the tcpquota was exhausted it was possible to
- to trigger a INSIST() failure.
-
-1324. [port] darwin: ifconfig.sh now supports darwin.
-
-1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
-
-1322. [bug] dnssec-signzone usage message was misleading.
-
-1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
- would incorrectly duplicate its output and sign it.
-
-1320. [doc] query-source-v6 was missing from options section.
- [RT #3218]
-
-1319. [func] libbind: log attempts to exploit #1318.
-
-1318. [bug] libbind: Remote buffer overrun.
-
-1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
- element name.
-
-1316. [bug] libbind: gethostans() could get out of sync parsing
- the response if there was a very long CNAME chain.
-
-1315. [bug] Options should apply to the internal _bind view.
-
-1314. [port] Handle ECONNRESET from sendmsg() [unix].
-
-1313. [func] Query log now says if the query was signed (S) or
- if EDNS was used (E).
-
-1312. [func] Log TSIG key used w/ outgoing zone transfers.
-
-1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
-
-1310. [bug] 'rndc stop' failed to cause zones to be flushed
- sometimes. [RT #3157]
-
-1309. [func] Log that a zone transfer was covered by a TSIG.
-
-1308. [func] DS (delegation signer) support.
-
-1307. [bug] nsupdate: allow white space base64 key data.
-
-1306. [bug] Badly encoded LOC record when the size, horizontal
- precision or vertical precision was 0.1m.
-
-1305. [bug] Document that internal zones are included in the
- rndc status results.
-
-1304. [func] New function: dns_zone_name().
-
-1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
-
-1302. [func] Extended rndc dumpdb to support dumping of zones and
- view selection: 'dumpdb [-all|-zones|-cache] [view]'.
-
-1301. [func] New category 'update-security'.
-
-1300. [port] Compaq Trucluster support.
-
-1299. [bug] Set AI_ADDRCONFIG when looking up addresses
- via getaddrinfo() (affects dig, host, nslookup, rndc
- and nsupdate).
-
-1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
- could be left with a trailing "\" after configure
- has been run.
-
-1297. [port] linux: make handling EINVAL from socket() no longer
- conditional on #ifdef LINUX.
-
-1296. [bug] isc_log_closefilelogs() needed to lock the log
- context.
-
-1295. [bug] isc_log_setdebuglevel() needed to lock the log
- context.
-
-1294. [func] libbind: no longer attempts bit string labels for
- IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
- for nibble style resolution.
-
-1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
-
-1292. [func] Enable IPv6 support when using ioctl style interface
- scanning and OS supports SIOCGLIFADDR using struct
- if_laddrreq.
-
-1291. [func] Enable IPv6 support when using sysctl style interface
- scanning.
-
-1290. [func] "dig axfr" now reports the number of messages
- as well as the number of records.
-
-1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
-
-1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
- reflect written requirements.
-
-1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
- a rdataset to a zone db in the rbtdb implementation of
- addrdataset.
-
-1286. [bug] dns_name_downcase() enforce requirement that
- target != NULL or name->buffer != NULL.
-
-1285. [func] lwres: probe the system to see what address families
- are currently in use.
-
-1284. [bug] The RTT estimate on unused servers was not aged.
- [RT #2569]
-
-1283. [func] Use "dataready" accept filter if available.
-
-1282. [port] libbind: hpux 11.11 interface scanning.
-
-1281. [func] Log zone when unable to get private keys to update
- zone. Log zone when NXT records are missing from
- secure zone.
-
-1280. [bug] libbind: escape '(' and ')' when converting to
- presentation form.
-
-1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
-
-1278. [func] dig: now supports +[no]cl +[no]ttlid.
-
-1277. [func] You can now create your own customized printing
- styles: dns_master_stylecreate() and
- dns_master_styledestroy().
-
-1276. [bug] libbind: const pointer conflicts in res_debug.c.
-
-1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
-
-1274. [bug] Memory leak in lwres_gnbarequest_parse().
-
-1273. [port] libbind: solaris: 64 bit binary compatibility.
-
-1272. [contrib] Berkeley DB 4.0 sdb implementation from
- Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
-
-1271. [bug] "recursion available: {denied,approved}" was too
- confusing.
-
-1270. [bug] Check that system inet_pton() and inet_ntop() support
- AF_INET6.
-
-1269. [port] Openserver: ifconfig.sh support.
-
-1268. [port] Openserver: the value FD_SETSIZE depends on whether
- <sys/param.h> is included or not. Be consistent.
-
-1267. [func] isc_file_openunique() now creates file using mode
- 0666 rather than 0600.
-
-1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
- __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
- are not C++ compatible, use *_TYPE versions instead.
-
-1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
- C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
-
-1264. [placeholder]
-
-1263. [bug] Reference after free error if dns_dispatchmgr_create()
- failed.
-
-1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
-
-1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
- support for compressed TSIG owner names.
-
-1260. [func] libbind: res_update can now update IPv6 servers,
- new function res_findzonecut2().
-
-1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
- w/o sa_len.
-
-1258. [bug] libbind: res_nametotype() and res_nametoclass() were
- broken.
-
-1257. [bug] Failure to write pid-file should not be fatal on
- reload. [RT #2861]
-
-1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
-
-1255. [bug] When verifying that an NXT proves nonexistence, check
- the rcode of the message and only do the matching NXT
- check. That is, for NXDOMAIN responses, check that
- the name is in the range between the NXT owner and
- next name, and for NOERROR NODATA responses, check
- that the type is not present in the NXT bitmap.
-
-1254. [func] preferred-glue option from BIND 8.3.
-
-1253. [bug] The dnssec system test failed to remove the correct
- files.
-
-1252. [bug] Dig, host and nslookup were not checking the address
- the answer was coming from against the address it was
- sent to. [RT #2692]
-
-1251. [port] win32: a make file contained absolute version specific
- references.
-
-1250. [func] Nsupdate will report the address the update was
- sent to.
-
-1249. [bug] Missing masters clause was not handled gracefully.
- [RT #2703]
-
-1248. [bug] DESTDIR was not being propagated between makes.
-
-1247. [bug] Don't reset the interface index for link/site local
- addresses. [RT #2576]
-
-1246. [func] New functions isc_sockaddr_issitelocal(),
- isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
- and isc_netaddr_islinklocal().
-
-1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
- accept().
-
-1244. [bug] Receiving a TCP message from a blackhole address would
- prevent further messages being received over that
- interface.
-
-1243. [bug] It was possible to trigger a REQUIRE() in
- dns_message_findtype(). [RT #2659]
-
-1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
-
-1241. [bug] Drop received UDP messages with a zero source port
- as these are invariably forged. [RT #2621]
-
-1240. [bug] It was possible to leak zone references by
- specifying an incorrect zone to rndc.
-
-1239. [bug] Under certain circumstances named could continue to
- use a name after it had been freed triggering
- INSIST() failures. [RT #2614]
-
-1238. [bug] It is possible to lockup the server when shutting down
- if notifies were being processed. [RT #2591]
-
-1237. [bug] nslookup: "set q=type" failed.
-
-1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
- NULL terminated text regions. [RT #2588]
-
-1235. [func] Report 'out of memory' errors from openssl.
-
-1234. [bug] contrib/sdb: 'zonetodb' failed to call
- dns_result_register(). DNS_R_SEENINCLUDE should not
- be fatal.
-
-1233. [bug] The flags field of a KEY record can be expressed in
- hex as well as decimal.
-
-1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
-
-1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
-
-1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
-
-1229. [bug] named would crash if it received a TSIG signed
- query as part of an AXFR response. [RT #2570]
-
-1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
-
-1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
- if a number was expected and some other token was
- found. [RT #2532]
-
-1226. [func] Use EDNS for zone refresh queries. [RT #2551]
-
-1225. [func] dns_message_setopt() no longer requires that
- dns_message_renderbegin() to have been called.
-
-1224. [bug] 'rrset-order' and 'sortlist' should be additive
- not exclusive.
-
-1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
- are supported.
-
-1222. [bug] Specifying 'port *' did not always result in a system
- selected (non-reserved) port being used. [RT #2537]
-
-1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
- compared case insensitively. [RT #2542]
-
-1220. [func] Support for APL rdata type.
-
-1219. [func] Named now reports the TSIG extended error code when
- signature verification fails. [RT #1651]
-
-1218. [bug] Named incorrectly returned SERVFAIL rather than
- NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
-
-1217. [func] Report locations of previous key definition when a
- duplicate is detected.
-
-1216. [bug] Multiple server clauses for the same server were not
- reported. [RT #2514]
-
-1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
-
-1214. [bug] Win32: isc_file_renameunique() could leave zero length
- files behind.
-
-1213. [func] Report view associated with client if it is not a
- standard view (_default or _bind).
-
-1212. [port] libbind: 64k answer buffers were causing stack space
- to be exceeded for certain OS. Use heap space instead.
-
-1211. [bug] dns_name_fromtext() incorrectly handled certain
- valid octal bitlabels. [RT #2483]
-
-1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
- compatible addresses. [RT #2461]
-
-1209. [bug] Dig, host, nslookup were not checking the message ids
- on the responses. [RT #2454]
-
-1208. [bug] dns_master_load*() failed to log a error message if
- an error was detected when parsing the owner name of
- a record. [RT #2448]
-
-1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
- an invalid pointer.
-
-1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
- trigger a non-EDNS retry.
-
-1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
- of the message. [RT #2449]
-
-1204. [bug] libbind: res_nupdate() failed to update the name
- server addresses before sending the update.
-
-1203. [func] Report locations of previous acl and zone definitions
- when a duplicate is detected.
-
-1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
-
-1201. [bug] Require that if 'callbacks' is passed to
- dns_rdata_fromtext(), callbacks->error and
- callbacks->warn are initialized.
-
-1200. [bug] Log 'errno' that we are unable to convert to
- isc_result_t. [RT #2404]
-
-1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
- [RT #2436]
-
-1198. [bug] OPT printing style was not consistent with the way the
- header fields are printed. The DO bit was not reported
- if set. Report if any of the MBZ bits are set.
-
-1197. [bug] Attempts to define the same acl multiple times were not
- detected.
-
-1196. [contrib] update mdnkit to 2.2.3.
-
-1195. [bug] Attempts to redefine builtin acls should be caught.
- [RT #2403]
-
-1194. [bug] Not all duplicate zone definitions were being detected
- at the named.conf checking stage. [RT #2431]
-
-1193. [bug] dig +besteffort parsing didn't handle packet
- truncation. dns_message_parse() has new flag
- DNS_MESSAGE_IGNORETRUNCATION.
-
-1192. [bug] The seconds fields in LOC records were restricted
- to three decimal places. More decimal places should
- be allowed but warned about.
-
-1191. [bug] A dynamic update removing the last non-apex name in
- a secure zone would fail. [RT #2399]
-
-1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
- [RT #2394]
-
-1189. [bug] On some systems, malloc(0) returns NULL, which
- could cause the caller to report an out of memory
- error. [RT #2398]
-
-1188. [bug] Dynamic updates of a signed zone would fail if
- some of the zone private keys were unavailable.
-
-1187. [bug] named was incorrectly returning DNSSEC records
- in negative responses when the DO bit was not set.
-
-1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
- EOL token when reading to end of line.
-
-1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
- unless RES_INIT is set when calling res_*init().
-
-1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
- when res_*init() is called.
-
-1183. [bug] Handle ENOSR error when writing to the internal
- control pipe. [RT #2395]
-
-1182. [bug] The server could throw an assertion failure when
- constructing a negative response packet.
-
-1181. [func] Add the "key-directory" configuration statement,
- which allows the server to look for online signing
- keys in alternate directories.
-
-1180. [func] dnssec-keygen should always generate keys with
- protocol 3 (DNSSEC), since it's less confusing
- that way.
-
-1179. [func] Add SIG(0) support to nsupdate.
-
-1178. [bug] Follow and cache (if appropriate) A6 and other
- data chains to completion in the additional section.
-
-1177. [func] Report view when loading zones if it is not a
- standard view (_default or _bind). [RT #2270]
-
-1176. [doc] Document that allow-v6-synthesis is only performed
- for clients that are supplied recursive service.
- [RT #2260]
-
-1175. [bug] named-checkzone and named-checkconf failed to call
- dns_result_register() at startup which could
- result in runtime exceptions when printing
- "out of memory" errors. [RT #2335]
-
-1174. [bug] Win32: add WSAECONNRESET to the expected errors
- from connect(). [RT #2308]
-
-1173. [bug] Potential memory leaks in isc_log_create() and
- isc_log_settag(). [RT #2336]
-
-1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
- table of RR types in ARM.
-
-1171. [func] Added function isc_region_compare(), updated files in
- lib/dns to use this function instead of local one.
-
-1170. [bug] Don't attempt to print the token when a I/O error
- occurs when parsing named.conf. [RT #2275]
-
-1169. [func] Identify recursive queries in the query log.
-
-1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
-
-1167. [contrib] nslint-2.1a3 (from author).
-
-1166. [bug] "Not Implemented" should be reported as NOTIMP,
- not NOTIMPL. [RT #2281]
-
-1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
-
-1164. [bug] Empty masters clauses in slave / stub zones were not
- handled gracefully. [RT #2262]
-
-1163. [func] isc_time_formattimestamp() now includes the year.
-
-1162. [bug] The allow-notify option was not accepted in slave
- zone statements.
-
-1161. [bug] named-checkzone looped on unbalanced brackets.
- [RT #2248]
-
-1160. [bug] Generating Diffie-Hellman keys longer than 1024
- bits could fail. [RT #2241]
-
-1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
-
-1158. [func] Report the client's address when logging notify
- messages.
-
-1157. [func] match-clients and match-destinations now accept
- keys. [RT #2045]
-
-1156. [port] The configure test for strsep() incorrectly
- succeeded on certain patched versions of
- AIX 4.3.3. [RT #2190]
-
-1155. [func] Recover from master files being removed from under
- us.
-
-1154. [bug] Don't attempt to obtain the netmask of a interface
- if there is no address configured. [RT #2176]
-
-1153. [func] 'rndc {stop|halt} -p' now reports the process id
- of the instance of named being shutdown.
-
-1152. [bug] libbind: read buffer overflows.
-
-1151. [bug] nslookup failed to check that the arguments to
- the port, timeout, and retry options were
- valid integers and in range. [RT #2099]
-
-1150. [bug] named incorrectly accepted TTL values
- containing plus or minus signs, such as
- 1d+1h-1s.
-
-1149. [func] New function isc_parse_uint32().
-
-1148. [func] 'rndc-confgen -a' now provides positive feedback.
-
-1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
- the OS. listen-on-v6 { any; }; should no longer
- result in IPv4 queries be accepted. Similarly
- control { inet :: ... }; should no longer result
- in IPv4 connections being accepted. This can be
- overridden at compile time by defining
- ISC_ALLOW_MAPPED=1.
-
-1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
- supported by the OS by a new function
- isc_socket_ipv6only().
-
-1145. [func] "host" no longer reports a NOERROR/NODATA response
- by printing nothing. [RT #2065]
-
-1144. [bug] rndc-confgen would crash if both the -a and -t
- options were specified. [RT #2159]
-
-1143. [bug] When a trusted-keys statement was present and named
- was built without crypto support, it would leak memory.
-
-1142. [bug] dnssec-signzone would fail to delete temporary files
- in some failure cases. [RT #2144]
-
-1141. [bug] When named rejected a control message, it would
- leak a file descriptor and memory. It would also
- fail to respond, causing rndc to hang.
- [RT #2139, #2164]
-
-1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
- to the -s option. [RT #2138]
-
-1139. [func] It is now possible to flush a given name from the
- cache(s) via 'rndc flushname name [view]'. [RT #2051]
-
-1138. [func] It is now possible to flush a given name from the
- cache by calling the new function
- dns_cache_flushname().
-
-1137. [func] It is now possible to flush a given name from the
- ADB by calling the new function dns_adb_flushname().
-
-1136. [bug] CNAME records synthesized from DNAMEs did not
- have a TTL of zero as required by RFC2672.
- [RT #2129]
-
-1135. [func] You can now override the default syslog() facility for
- named/lwresd at compile time. [RT #1982]
-
-1134. [bug] Multi-threaded servers could deadlock in ferror()
- when reloading zone files. [RT #1951, #1998]
-
-1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
- platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
-
-1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
-
-1131. [bug] The match-destinations view option did not work with
- IPv6 destinations. [RT #2073, #2074]
-
-1130. [bug] Log messages reporting an out-of-range serial number
- did not include the out-of-range number but the
- following token. [RT #2076]
-
-1129. [bug] Multi-threaded servers could crash under heavy
- resolution load due to a race condition. [RT #2018]
-
-1128. [func] sdb drivers can now provide RR data in either text
- or wire format, the latter using the new functions
- dns_sdb_putrdata() and dns_sdb_putnamedrdata().
-
-1127. [func] rndc: If the server to contact has multiple addresses,
- try all of them.
-
-1126. [bug] The server could access a freed event if shut
- down while a client start event was pending
- delivery. [RT #2061]
-
-1125. [bug] rndc: -k option was missing from usage message.
- [RT #2057]
-
-1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
- are now documented. [RT #2052]
-
-1123. [bug] dig +[no]fail did not match description. [RT #2052]
-
-1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
- [RT #2046]
-
-1121. [bug] The server could attempt to access a NULL zone
- table if shut down while resolving.
- [RT #1587, #2054]
-
-1120. [bug] Errors in options were not fatal. [RT #2002]
-
-1119. [func] Added support in Win32 for NTFS file/directory ACL's
- for access control.
-
-1118. [bug] On multi-threaded servers, a race condition
- could cause an assertion failure in resolver.c
- during resolver shutdown. [RT #2029]
-
-1117. [port] The configure check for in6addr_loopback incorrectly
- succeeded on AIX 4.3 when compiling with -O2
- because the test code was optimized away.
- [RT #2016]
-
-1116. [bug] Setting transfers in a server clause, transfers-in,
- or transfers-per-ns to a value greater than
- 2147483647 disabled transfers. [RT #2002]
-
-1115. [func] Set maximum values for cleaning-interval,
- heartbeat-interval, interface-interval,
- max-transfer-idle-in, max-transfer-idle-out,
- max-transfer-time-in, max-transfer-time-out,
- statistics-interval of 28 days and
- sig-validity-interval of 3660 days. [RT #2002]
-
-1114. [port] Ignore more accept() errors. [RT #2021]
-
-1113. [bug] The allow-update-forwarding option was ignored
- when specified in a view. [RT #2014]
-
-1112. [placeholder]
-
-1111. [bug] Multi-threaded servers could deadlock processing
- recursive queries due to a locking hierarchy
- violation in adb.c. [RT #2017]
-
-1110. [bug] dig should only accept valid abbreviations of +options.
- [RT #2003]
-
-1109. [bug] nsupdate accepted illegal ttl values.
-
-1108. [bug] On Win32, rndc was hanging when named was not running
- due to failure to select for exceptional conditions
- in select(). [RT #1870]
-
-1107. [bug] nsupdate could catch an assertion failure if an
- invalid domain name was given as the argument to
- the "zone" command.
-
-1106. [bug] After seeing an out of range TTL, nsupdate would
- treat all TTLs as out of range. [RT #2001]
-
-1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
-
-1104. [bug] Invalid arguments to the transfer-format option
- could cause an assertion failure. [RT #1995]
-
-1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
-
-1102. [doc] Note that query logging is enabled by directing the
- queries category to a channel.
-
-1101. [bug] Array bounds read error in lwres_gai_strerror.
-
-1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
-
-1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
- compile time errors.
-
-1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
-
-1097. [func] libbind: RES_PRF_TRUNC for dig.
-
-1096. [func] libbind: "DNSSEC OK" (DO) support.
-
-1095. [func] libbind: resolver option: no-tld-query. disables
- trying unqualified as a tld. no_tld_query is also
- supported for FreeBSD compatibility.
-
-1094. [func] libbind: add support gcc's format string checking.
-
-1093. [doc] libbind: miscellaneous nroff fixes.
-
-1092. [bug] libbind: get*by*() failed to check if res_init() had
- been called.
-
-1091. [bug] libbind: misplaced va_end().
-
-1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
- the amount of memory consumed resulting in garbage
- address being returned. Alignment calculations were
- wasting space. We weren't suppressing duplicate
- addresses.
-
-1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
- support.
-
-1088. [port] libbind: MPE/iX C.70 (incomplete)
-
-1087. [bug] libbind: struct __res_state too large on 64 bit arch.
-
-1086. [port] libbind: sunos: old sprintf.
-
-1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
- exist when compiling in 64 bit mode.
-
-1084. [cleanup] libbind: gai_strerror() rewritten.
-
-1083. [bug] The default control channel listened on the
- wildcard address, not the loopback as documented.
- [RT #1975]
-
-1082. [bug] The -g option to named incorrectly caused logging
- to be sent to syslog in addition to stderr.
- [RT #1974]
-
-1081. [bug] Multicast queries were incorrectly identified
- based on the source address, not the destination
- address.
-
-1080. [bug] BIND 8 compatibility: accept bare IP prefixes
- as the second element of a two-element top level
- sort list statement. [RT #1964]
-
-1079. [bug] BIND 8 compatibility: accept bare elements at top
- level of sort list treating them as if they were
- a single element list. [RT #1963]
-
-1078. [bug] We failed to correct bad tv_usec values in one case.
- [RT #1966]
-
-1077. [func] Do not accept further recursive clients when
- the total number of recursive lookups being
- processed exceeds max-recursive-clients, even
- if some of the lookups are internally generated.
- [RT #1915, #1938]
-
-1076. [bug] A badly defined global key could trigger an assertion
- on load/reload if views were used. [RT #1947]
-
-1075. [bug] Out-of-range network prefix lengths were not
- reported. [RT #1954]
-
-1074. [bug] Running out of memory in dump_rdataset() could
- cause an assertion failure. [RT #1946]
-
-1073. [bug] The ADB cache cleaning should also be space driven.
- [RT #1915, #1938]
-
-1072. [bug] The TCP client quota could be exceeded when
- recursion occurred. [RT #1937]
-
-1071. [bug] Sockets listening for TCP DNS connections
- specified an excessive listen backlog. [RT #1937]
-
-1070. [bug] Copy DNSSEC OK (DO) to response as specified by
- draft-ietf-dnsext-dnssec-okbit-03.txt.
-
-1069. [placeholder]
-
-1068. [bug] errno could be overwritten by catgets(). [RT #1921]
-
-1067. [func] Allow quotas to be soft, isc_quota_soft().
-
-1066. [bug] Provide a thread safe wrapper for strerror().
- [RT #1689]
-
-1065. [func] Runtime support to select new / old style interface
- scanning using ioctls.
-
-1064. [bug] Do not shut down active network interfaces if we
- are unable to scan the interface list. [RT #1921]
-
-1063. [bug] libbind: "make install" was failing on IRIX.
- [RT #1919]
-
-1062. [bug] If the control channel listener socket was shut
- down before server exit, the listener object could
- be freed twice. [RT #1916]
-
-1061. [bug] If periodic cache cleaning happened to start
- while cleaning due to reaching the configured
- maximum cache size was in progress, the server
- could catch an assertion failure. [RT #1912]
-
-1060. [func] Move refresh, stub and notify UDP retry processing
- into dns_request.
-
-1059. [func] dns_request now support will now retry UDP queries,
- dns_request_createvia2() and dns_request_createraw2().
-
-1058. [func] Limited lifetime ticker timers are now available,
- isc_timertype_limited.
-
-1057. [bug] Reloading the server after adding a "file" clause
- to a zone statement could cause the server to
- crash due to a typo in change 1016.
-
-1056. [bug] Rndc could catch an assertion failure on SIGINT due
- to an uninitialized variable. [RT #1908]
-
-1055. [func] Version and hostname queries can now be disabled
- using "version none;" and "hostname none;",
- respectively.
-
-1054. [bug] On Win32, cfg_categories and cfg_modules need to be
- exported from the libisccfg DLL.
-
-1053. [bug] Dig did not increase its timeout when receiving
- AXFRs unless the +time option was used. [RT #1904]
-
-1052. [bug] Journals were not being created in binary mode
- resulting in "journal format not recognized" error
- under Win32. [RT #1889]
-
-1051. [bug] Do not ignore a network interface completely just
- because it has a noncontiguous netmask. Instead,
- omit it from the localnets ACL and issue a warning.
- [RT #1891]
-
-1050. [bug] Log messages reporting malformed IP addresses in
- address lists such as that of the forwarders option
- failed to include the correct error code, file
- name, and line number. [RT #1890]
-
-1049. [func] "pid-file none;" will disable writing a pid file.
- [RT #1848]
-
-1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
- didn't work.
-
-1047. [bug] named was incorrectly refusing all requests signed
- with a TSIG key derived from an unsigned TKEY
- negotiation with a NOERROR response. [RT #1886]
-
-1046. [bug] The help message for the --with-openssl configure
- option was inaccurate. [RT #1880]
-
-1045. [bug] It was possible to skip saving glue for a nameserver
- for a stub zone.
-
-1044. [bug] Specifying allow-transfer, notify-source, or
- notify-source-v6 in a stub zone was not treated
- as an error.
-
-1043. [bug] Specifying a transfer-source or transfer-source-v6
- option in the zone statement for a master zone was
- not treated as an error. [RT #1876]
-
-1042. [bug] The "config" logging category did not work properly.
- [RT #1873]
-
-1041. [bug] Dig/host/nslookup could catch an assertion failure
- on SIGINT due to an uninitialized variable. [RT #1867]
-
-1040. [bug] Multiple listen-on-v6 options with different ports
- were not accepted. [RT #1875]
-
-1039. [bug] Negative responses with CNAMEs in the answer section
- were cached incorrectly. [RT #1862]
-
-1038. [bug] In servers configured with a tkey-domain option,
- TKEY queries with an owner name other than the root
- could cause an assertion failure. [RT #1866, #1869]
-
-1037. [bug] Negative responses whose authority section contain
- SOA or NS records whose owner names are not equal
- equal to or parents of the query name should be
- rejected. [RT #1862]
-
-1036. [func] Silently drop requests received via multicast as
- long as there is no final multicast DNS standard.
-
-1035. [bug] If we respond to multicast queries (which we
- currently do not), respond from a unicast address
- as specified in RFC 1123. [RT #137]
-
-1034. [bug] Ignore the RD bit on multicast queries as specified
- in RFC 1123. [RT #137]
-
-1033. [bug] Always respond to requests with an unsupported opcode
- with NOTIMP, even if we don't have a matching view
- or cannot determine the class.
-
-1032. [func] hostname.bind/txt/chaos now returns the name of
- the machine hosting the nameserver. This is useful
- in diagnosing problems with anycast servers.
-
-1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
- [RT #1858]
-
-1030. [bug] On systems with no resolv.conf file, nsupdate
- exited with an error rather than defaulting
- to using the loopback address. [RT #1836]
-
-1029. [bug] Some named.conf errors did not cause the loading
- of the configuration file to return a failure
- status even though they were logged. [RT #1847]
-
-1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
- in the wrong directory. [RT #1833]
-
-1027. [bug] RRs having the reserved type 0 should be rejected.
- [RT #1471]
-
-1026. [placeholder]
-
-1025. [bug] Don't use multicast addresses to resolve iterative
- queries. [RT #101]
-
-1024. [port] Compilation failed on HP-UX 11.11 due to
- incompatible use of the SIOCGLIFCONF macro
- name. [RT #1831]
-
-1023. [func] Accept hints without TTLs.
-
-1022. [bug] Don't report empty root hints as "extra data".
- [RT #1802]
-
-1021. [bug] On Win32, log message timestamps were one month
- later than they should have been, and the server
- would exhibit unspecified behavior in December.
-
-1020. [bug] IXFR log messages did not distinguish between
- true IXFRs, AXFR-style IXFRs, and mere version
- polls. [RT #1811]
-
-1019. [bug] The value of the lame-ttl option was limited to 18000
- seconds, not 1800 seconds as documented. [RT #1803]
-
-1018. [bug] The default log channel was not always initialized
- correctly. [RT #1813]
-
-1017. [bug] When specifying TSIG keys to dig and nsupdate using
- the -k option, they must be HMAC-MD5 keys. [RT #1810]
-
-1016. [bug] Slave zones with no backup file were re-transferred
- on every server reload.
-
-1015. [bug] Log channels that had a "versions" option but no
- "size" option failed to create numbered log
- files. [RT #1783]
-
-1014. [bug] Some queries would cause statistics counters to
- increment more than once or not at all. [RT #1321]
-
-1013. [bug] It was possible to cancel a query twice when marking
- a server as bogus or by having a blackhole acl.
- [RT #1776]
-
-1012. [bug] The -p option to named did not behave as documented.
-
-1011. [cleanup] Removed isc_dir_current().
-
-1010. [bug] The server could attempt to execute a command channel
- command after initiating server shutdown, causing
- an assertion failure. [RT #1766]
-
-1009. [port] OpenUNIX 8 support. [RT #1728]
-
-1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
-
-1007. [port] config.guess, config.sub from autoconf-2.52.
-
-1006. [bug] If a KEY RR was found missing during DNSSEC validation,
- an assertion failure could subsequently be triggered
- in the resolver. [RT #1763]
-
-1005. [bug] Don't copy nonzero RCODEs from request to response.
- [RT #1765]
-
-1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
-
-1003. [func] Add the +retry option to dig.
-
-1002. [bug] When reporting an unknown class name in named.conf,
- including the file name and line number. [RT #1759]
-
-1001. [bug] win32 socket code doio_recv was not catching a
- WSACONNRESET error when a client was timing out
- the request and closing its socket. [RT #1745]
-
-1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
- for class "HS". [RT #1759]
-
- 999. [func] "rndc retransfer zone [class [view]]" added.
- [RT #1752]
-
- 998. [func] named-checkzone now has arguments to specify the
- chroot directory (-t) and working directory (-w).
- [RT #1755]
-
- 997. [func] Add support for RSA-SHA1 keys (RFC3110).
-
- 996. [func] Issue warning if the configuration filename contains
- the chroot path.
-
- 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
- target address should be fatal on a IPv4 only system.
-
- 994. [func] Treat non-authoritative responses to queries for type
- NS as referrals even if the NS records are in the
- answer section, because BIND 8 servers incorrectly
- send them that way. This is necessary for DNSSEC
- validation of the NS records of a secure zone to
- succeed when the parent is a BIND 8 server. [RT #1706]
-
- 993. [func] dig: -v now reports the version.
-
- 992. [doc] dig: ~/.digrc is now documented.
-
- 991. [func] Lower UDP refresh timeout messages to level
- debug 1.
-
- 990. [bug] The rndc-confgen man page was not installed.
-
- 989. [bug] Report filename if $INCLUDE fails for file related
- errors. [RT #1736]
-
- 988. [bug] 'additional-from-auth no;' did not work reliably
- in the case of queries answered from the cache.
- [RT #1436]
-
- 987. [bug] "dig -help" didn't show "+[no]stats".
-
- 986. [bug] "dig +noall" failed to clear stats and command
- printing.
-
- 985. [func] Consider network interfaces to be up iff they have
- a nonzero IP address rather than based on the
- IFF_UP flag. [RT #1160]
-
- 984. [bug] Multi-threading should be enabled by default on
- Solaris 2.7 and newer, but it wasn't.
-
- 983. [func] The server now supports generating IXFR difference
- sequences for non-dynamic zones by comparing zone
- versions, when enabled using the new config
- option "ixfr-from-differences". [RT #1727]
-
- 982. [func] If "memstatistics-file" is set in options the memory
- statistics will be written to it.
-
- 981. [func] The dnssec tools can now take multiple '-r randomfile'
- arguments.
-
- 980. [bug] Incoming zone transfers restarting after an error
- could trigger an assertion failure. [RT #1692]
-
- 979. [func] Incremental master file dumping. dns_master_dumpinc(),
- dns_master_dumptostreaminc(), dns_dumpctx_attach(),
- dns_dumpctx_detach(), dns_dumpctx_cancel(),
- dns_dumpctx_db() and dns_dumpctx_version().
-
- 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
- condition.
-
- 977. [bug] Improve "not at top of zone" error message.
-
- 976. [func] named-checkconf can now test load master zones
- (named-checkconf -z). [RT #1468]
-
- 975. [bug] "max-cache-size default;" as a view option
- caused an assertion failure.
-
- 974. [bug] "max-cache-size unlimited;" as a global option
- was not accepted.
-
- 973. [bug] Failed to log the question name when logging:
- "bad zone transfer request: non-authoritative zone
- (NOTAUTH)".
-
- 972. [bug] The file modification time code in zone.c was using the
- wrong epoch. [RT #1667]
-
- 971. [placeholder]
-
- 970. [func] 'max-journal-size' can now be used to set a target
- size for a journal.
-
- 969. [func] dig now supports the undocumented dig 8 feature
- of allowing arbitrary labels, not just dotted
- decimal quads, with the -x option. This can be
- used to conveniently look up RFC2317 names as in
- "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
-
- 968. [bug] On win32, the isc_time_now() function was unnecessarily
- calling strtime(). [RT #1671]
-
- 967. [bug] On win32, the link for bindevt was not including the
- required resource file to enable the event viewer
- to interpret the error messages in the event log,
- [RT #1668]
-
- 966. [placeholder]
-
- 965. [bug] Including data other than root server NS and A
- records in the root hint file could cause a rbtdb
- node reference leak. [RT #1581, #1618]
-
- 964. [func] Warn if data other than root server NS and A records
- are found in the root hint file. [RT #1581, #1618]
-
- 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
-
- 962. [bug] libbind: bad "#undef", don't attempt to install
- non-existent nlist.h. [RT #1640]
-
- 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
- was not defined. [RT #1482]
-
- 960. [port] liblwres failed to build on systems with support for
- getrrsetbyname() in the OS. [RT #1592]
-
- 959. [port] On FreeBSD, determine the number of CPUs by calling
- sysctlbyname(). [RT #1584]
-
- 958. [port] ssize_t is not available on all platforms. [RT #1607]
-
- 957. [bug] sys/select.h inclusion was broken on older platforms.
- [RT #1607]
-
- 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
- in named/win32/os.c due to code changes in
- change #953. win32 .make file for rndc-confgen
- updated to add include path for os.h header.
-
- --- 9.2.0rc1 released ---
-
- 955. [bug] When using views, the zone's class was not being
- inherited from the view's class. [RT #1583]
-
- 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
- nslookup, the RD bit should not be set as zone
- transfers are inherently non-recursive. [RT #1575]
-
- 953. [func] The /var/run/named.key file from change #843
- has been replaced by /etc/rndc.key. Both
- named and rndc will look for this file and use
- it to configure a default control channel key
- if not already configured using a different
- method (rndc.conf / controls). Unlike
- named.key, rndc.key is not created automatically;
- it must be created by manually running
- "rndc-confgen -a".
-
- 952. [bug] The server required manual intervention to serve the
- affected zones if it died between creating a journal
- and committing the first change to it.
-
- 951. [bug] CFLAGS was not passed to the linker when
- linking some of the test programs under
- bin/tests. [RT #1555].
-
- 950. [bug] Explicit TTLs did not properly override $TTL
- due to a bug in change 834. [RT #1558]
-
- 949. [bug] host was unable to print records larger than 512
- bytes. [RT #1557]
-
- --- 9.2.0b2 released ---
-
- 948. [port] Integrated support for building on Windows NT /
- Windows 2000.
-
- 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
- was really the RNAME field from RFC1035. To avoid
- confusion and silent errors that would occur it the
- "origin" and "mname" elements were given their correct
- names "mname" and "rname" respectively, the "mname"
- element is renamed to "contact".
-
- 946. [cleanup] doc/misc/options is now machine-generated from the
- configuration parser syntax tables, and therefore
- more likely to be correct.
-
- 945. [func] Add the new view-specific options
- "match-destinations" and "match-recursive-only".
-
- 944. [func] Check for expired signatures on load.
-
- 943. [bug] The server could crash when receiving a command
- via rndc if the configuration file listed only
- nonexistent keys in the controls statement. [RT #1530]
-
- 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
- defined on some platforms.
-
- 941. [bug] The configuration checker crashed if a slave
- zone didn't contain a masters statement. [RT #1514]
-
- 940. [bug] Double zone locking failure on error path. [RT #1510]
-
- --- 9.2.0b1 released ---
-
- 939. [port] Add the --disable-linux-caps option to configure for
- systems that manage capabilities outside of named.
- [RT #1503]
-
- 938. [placeholder]
-
- 937. [bug] A race when shutting down a zone could trigger a
- INSIST() failure. [RT #1034]
-
- 936. [func] Warn about IPv4 addresses that are not complete
- dotted quads. [RT #1084]
-
- 935. [bug] inet_pton failed to reject leading zeros.
-
- 934. [port] Deal with systems where accept() spuriously returns
- ECONNRESET.
-
- 933. [bug] configure failed doing libbind on platforms not
- supported by BIND 8. [RT #1496]
-
- --- 9.2.0a3 released ---
-
- 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
- when installing isc-config.sh.
- [RT #198, #1466]
-
- 931. [bug] The controls statement only attempted to verify
- messages using the first key in the key list.
- (9.2.0a1/a2 only).
-
- 930. [func] Query performance testing tool added as
- contrib/queryperf.
-
- 929. [placeholder]
-
- 928. [bug] nsupdate would send empty update packets if the
- send (or empty line) command was run after
- another send but before any new updates or
- prerequisites were specified. It should simply
- ignore this command.
-
- 927. [bug] Don't hold the zone lock for the entire dump to disk.
- [RT #1423]
-
- 926. [bug] The resolver could deadlock with the ADB when
- shutting down (multi-threaded builds only).
- [RT #1324]
-
- 925. [cleanup] Remove openssl from the distribution; require that
- --with-openssl be specified if DNSSEC is needed.
-
- 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
- [RT #987]
-
- 923. [bug] Multiline TSIG secrets (and other multiline strings)
- were not accepted in named.conf. [RT #1469]
-
- 922. [func] Added two new lwres_getrrsetbyname() result codes,
- ERR_NONAME and ERR_NODATA.
-
- 921. [bug] lwres returned an incorrect error code if it received
- a truncated message.
-
- 920. [func] Increase the lwres receive buffer size to 16K.
- [RT #1451]
-
- 919. [placeholder]
-
- 918. [func] In nsupdate, TSIG errors are no longer treated as
- fatal errors.
-
- 917. [func] New nsupdate command 'key', allowing TSIG keys to
- be specified in the nsupdate command stream rather
- than the command line.
-
- 916. [bug] Specifying type ixfr to dig without specifying
- a serial number failed in unexpected ways.
-
- 915. [func] The named-checkconf and named-checkzone programs
- now have a '-v' option for printing their version.
- [RT #1151]
-
- 914. [bug] Global 'server' statements were rejected when
- using views, even though they were accepted
- in 9.1. [RT #1368]
-
- 913. [bug] Cache cleaning was not sufficiently aggressive.
- [RT #1441, #1444]
-
- 912. [bug] Attempts to set the 'additional-from-cache' or
- 'additional-from-auth' option to 'no' in a
- server with recursion enabled will now
- be ignored and cause a warning message.
- [RT #1145]
-
- 911. [placeholder]
-
- 910. [port] Some pre-RFC2133 IPv6 implementations do not define
- IN6ADDR_ANY_INIT. [RT #1416]
-
- 909. [placeholder]
-
- 908. [func] New program, rndc-confgen, to simplify setting up rndc.
-
- 907. [func] The ability to get entropy from either the
- random device, a user-provided file or from
- the keyboard was migrated from the DNSSEC tools
- to libisc as isc_entropy_usebestsource().
-
- 906. [port] Separated the system independent portion of
- lib/isc/unix/entropy.c into lib/isc/entropy.c
- and added lib/isc/win32/entropy.c.
-
- 905. [bug] Configuring a forward "zone" for the root domain
- did not work. [RT #1418]
-
- 904. [bug] The server would leak memory if attempting to use
- an expired TSIG key. [RT #1406]
-
- 903. [bug] dig should not crash when receiving a TCP packet
- of length 0.
-
- 902. [bug] The -d option was ignored if both -t and -g were also
- specified.
-
- 901. [placeholder]
-
- 900. [bug] A config.guess update changed the system identification
- string of FreeBSD systems; configure and
- bin/tests/system/ifconfig.sh now recognize the new
- string.
-
- --- 9.2.0a2 released ---
-
- 899. [bug] lib/dns/soa.c failed to compile on many platforms
- due to inappropriate use of a void value.
- [RT #1372, #1373, #1386, #1387, #1395]
-
- 898. [bug] "dig" failed to set a nonzero exit status
- on UDP query timeout. [RT #1323]
-
- 897. [bug] A config.guess update changed the system identification
- string of UnixWare systems; configure now recognizes
- the new string.
-
- 896. [bug] If a configuration file is set on named's command line
- and it has a relative pathname, the current directory
- (after any possible jailing resulting from named -t)
- will be prepended to it so that reloading works
- properly even when a directory option is present.
-
- 895. [func] New function, isc_dir_current(), akin to POSIX's
- getcwd().
-
- 894. [bug] When using the DNSSEC tools, a message intended to warn
- when the keyboard was being used because of the lack
- of a suitable random device was not being printed.
-
- 893. [func] Removed isc_file_test() and added isc_file_exists()
- for the basic functionality that was being added
- with isc_file_test().
-
- 892. [placeholder]
-
- 891. [bug] Return an error when a SIG(0) signed response to
- an unsigned query is seen. This should actually
- do the verification, but it's not currently
- possible. [RT #1391]
-
- 890. [cleanup] The man pages no longer require the mandoc macros
- and should now format cleanly using most versions of
- nroff, and HTML versions of the man pages have been
- added. Both are generated from DocBook source.
-
- 889. [port] Eliminated blank lines before .TH in nroff man
- pages since they cause problems with some versions
- of nroff. [RT #1390]
-
- 888. [bug] Don't die when using TKEY to delete a nonexistent
- TSIG key. [RT #1392]
-
- 887. [port] Detect broken compilers that can't call static
- functions from inline functions. [RT #1212]
-
- 886. [placeholder]
-
- 885. [placeholder]
-
- 884. [placeholder]
-
- 883. [placeholder]
-
- 882. [placeholder]
-
- 881. [placeholder]
-
- 880. [placeholder]
-
- 879. [placeholder]
-
- 878. [placeholder]
-
- 877. [placeholder]
-
- 876. [placeholder]
-
- 875. [placeholder]
-
- 874. [placeholder]
-
- 873. [placeholder]
-
- 872. [placeholder]
-
- 871. [placeholder]
-
- 870. [placeholder]
-
- 869. [placeholder]
-
- 868. [placeholder]
-
- 867. [placeholder]
-
- 866. [func] Close debug only file channels when debug is set to
- zero. [RT #1246]
-
- 865. [bug] The new configuration parser did not allow
- the optional debug level in a "severity debug"
- clause of a logging channel to be omitted.
- This is now allowed and treated as "severity
- debug 1;" like it does in BIND 8.2.4, not as
- "severity debug 0;" like it did in BIND 9.1.
- [RT #1367]
-
- 864. [cleanup] Multi-threading is now enabled by default on
- OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
-
- 863. [bug] If an error occurred while an outgoing zone transfer
- was starting up, the server could access a domain
- name that had already been freed when logging a
- message saying that the transfer was starting.
- [RT #1383]
-
- 862. [bug] Use after realloc(), non portable pointer arithmetic in
- grmerge().
-
- 861. [port] Add support for Mac OS X, by making it equivalent
- to Darwin. This was derived from the config.guess
- file shipped with Mac OS X. [RT #1355]
-
- 860. [func] Drop cross class glue in zone transfers.
-
- 859. [bug] Cache cleaning now won't swamp the CPU if there
- is a persistent over limit condition.
-
- 858. [func] isc_mem_setwater() no longer requires that when the
- callback function is non-NULL then its hi_water
- argument must be greater than its lo_water argument
- (they can now be equal) or that they be non-zero.
-
- 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
- structs, for our friends in EBCDIC-land.
-
- 856. [func] Allow partial rdatasets to be returned in answer and
- authority sections to help non-TCP capable clients
- recover from truncation. [RT #1301]
-
- 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
-
- 854. [bug] The config parser didn't properly handle config
- options that were specified in units of time other
- than seconds. [RT #1372]
-
- 853. [bug] configure_view_acl() failed to detach existing acls.
- [RT #1374]
-
- 852. [bug] Handle responses from servers which do not know
- about IXFR.
-
- 851. [cleanup] The obsolete support-ixfr option was not properly
- ignored.
-
- --- 9.2.0a1 released ---
-
- 850. [bug] dns_rbt_findnode() would not find nodes that were
- split on a bitstring label somewhere other than in
- the last label of the node. [RT #1351]
-
- 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
-
- 848. [func] A minimum max-cache-size of two megabytes is enforced
- by the cache cleaner.
-
- 847. [func] Added isc_file_test(), which currently only has
- some very basic functionality to test for the
- existence of a file, whether a pathname is absolute,
- or whether a pathname is the fundamental representation
- of the current directory. It is intended that this
- function can be expanded to test other things a
- programmer might want to know about a file.
-
- 846. [func] A non-zero 'param' to dst_key_generate() when making an
- hmac-md5 key means that good entropy is not required.
-
- 845. [bug] The access rights on the public file of a symmetric
- key are now restricted as soon as the file is opened,
- rather than after it has been written and closed.
-
- 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
- just as <lwres/net.h> does.
-
- 843. [func] If no controls statement is present in named.conf,
- or if any inet phrase of a controls statement is
- lacking a keys clause, then a key will be automatically
- generated by named and an rndc.conf-style file
- named named.key will be written that uses it. rndc
- will use this file only if its normal configuration
- file, or one provided on the command line, does not
- exist.
-
- 842. [func] 'rndc flush' now takes an optional view.
-
- 841. [bug] When sdb modules were not declared threadsafe, their
- create and destroy functions were not serialized.
-
- 840. [bug] The config file parser could print the wrong file
- name if an error was detected after an included file
- was parsed. [RT #1353]
-
- 839. [func] Dump packets for which there was no view or that the
- class could not be determined to category "unmatched".
-
- 838. [port] UnixWare 7.x.x is now supported by
- bin/tests/system/ifconfig.sh.
-
- 837. [cleanup] Multi-threading is now enabled by default only on
- OSF1, Solaris 2.7 and newer, and AIX.
-
- 836. [func] Upgraded libtool to 1.4.
-
- 835. [bug] The dispatcher could enter a busy loop if
- it got an I/O error receiving on a UDP socket.
- [RT #1293]
-
- 834. [func] Accept (but warn about) master files beginning with
- an SOA record without an explicit TTL field and
- lacking a $TTL directive, by using the SOA MINTTL
- as a default TTL. This is for backwards compatibility
- with old versions of BIND 8, which accepted such
- files without warning although they are illegal
- according to RFC1035.
-
- 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
- <dns/soa.h>, and extended them to support
- all the integer-valued fields of the SOA RR.
-
- 832. [bug] The default location for named.conf in named-checkconf
- should depend on --sysconfdir like it does in named.
- [RT #1258]
-
- 831. [placeholder]
-
- 830. [func] Implement 'rndc status'.
-
- 829. [bug] The DNS_R_ZONECUT result code should only be returned
- when an ANY query is made with DNS_DBFIND_GLUEOK set.
- In all other ANY query cases, returning the delegation
- is better.
-
- 828. [bug] The errno value from recvfrom() could be overwritten
- by logging code. [RT #1293]
-
- 827. [bug] When an IXFR protocol error occurs, the slave
- should retry with AXFR.
-
- 826. [bug] Some IXFR protocol errors were not detected.
-
- 825. [bug] zone.c:ns_query() detached from the wrong zone
- reference. [RT #1264]
-
- 824. [bug] Correct line numbers reported by dns_master_load().
- [RT #1263]
-
- 823. [func] The output of "dig -h" now goes to stdout so that it
- can easily be piped through "more". [RT #1254]
-
- 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
- [RT #1248]
-
- 821. [bug] The program name used when logging to syslog should
- be stripped of leading path components.
- [RT #1178, #1232]
-
- 820. [bug] Name server address lookups failed to follow
- A6 chains into the glue of local authoritative
- zones.
-
- 819. [bug] In certain cases, the resolver's attempts to
- restart an address lookup at the root could cause
- the fetch to deadlock (with itself) instead of
- restarting. [RT #1225]
-
- 818. [bug] Certain pathological responses to ANY queries could
- cause an assertion failure. [RT #1218]
-
- 817. [func] Adjust timeouts for dialup zone queries.
-
- 816. [bug] Report potential problems with log file accessibility
- at configuration time, since such problems can't
- reliably be reported at the time they actually occur.
-
- 815. [bug] If a log file was specified with a path separator
- character (i.e. "/") in its name and the directory
- did not exist, the log file's name was treated as
- though it were the directory name. [RT #1189]
-
- 814. [bug] Socket objects left over from accept() failures
- were incorrectly destroyed, causing corruption
- of socket manager data structures.
-
- 813. [bug] File descriptors exceeding FD_SETSIZE were handled
- badly. [RT #1192]
-
- 812. [bug] dig sometimes printed incomplete IXFR responses
- due to an uninitialized variable. [RT #1188]
-
- 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
-
- 810. [bug] The signer name in SIG records was not properly
- down-cased when signing/verifying records. [RT #1186]
-
- 809. [bug] Configuring a non-local address as a transfer-source
- could cause an assertion failure during load.
-
- 808. [func] Add 'rndc flush' to flush the server's cache.
-
- 807. [bug] When setting up TCP connections for incoming zone
- transfers, the transfer-source port was not
- ignored like it should be.
-
- 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
- the calling stack to the zone maintenance level,
- causing zones to not reload when an included file was
- touched but the top-level zone file was not.
-
- 805. [bug] When using "forward only", missing root hints should
- not cause queries to fail. [RT #1143]
-
- 804. [bug] Attempting to obtain entropy could fail in some
- situations. This would be most common on systems
- with user-space threads. [RT #1131]
-
- 803. [bug] Treat all SIG queries as if they have the CD bit set,
- otherwise no data will be returned [RT #749]
-
- 802. [bug] DNSSEC key tags were computed incorrectly in almost
- all cases. [RT #1146]
-
- 801. [bug] nsupdate should treat lines beginning with ';' as
- comments. [RT #1139]
-
- 800. [bug] dnssec-signzone produced incorrect statistics for
- large zones. [RT #1133]
-
- 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
- glue was also present.
-
- 798. [bug] nsupdate should be able to reject bad input lines
- and continue. [RT #1130]
-
- 797. [func] Issue a warning if the 'directory' option contains
- a relative path. [RT #269]
-
- 796. [func] When a size limit is associated with a log file,
- only roll it when the size is reached, not every
- time the log file is opened. [RT #1096]
-
- 795. [func] Add the +multiline option to dig. [RT #1095]
-
- 794. [func] Implement the "port" and "default-port" statements
- in rndc.conf.
-
- 793. [cleanup] The DNSSEC tools could create filenames that were
- illegal or contained shell meta-characters. They
- now use a different text encoding of names that
- doesn't have these problems. [RT #1101]
-
- 792. [cleanup] Replace the OMAPI command channel protocol with a
- simpler one.
-
- 791. [bug] The command channel now works over IPv6.
-
- 790. [bug] Wildcards created using dynamic update or IXFR
- could fail to match. [RT #1111]
-
- 789. [bug] The "localhost" and "localnets" ACLs did not match
- when used as the second element of a two-element
- sortlist item.
-
- 788. [func] Add the "match-mapped-addresses" option, which
- causes IPv6 v4mapped addresses to be treated as
- IPv4 addresses for the purpose of acl matching.
-
- 787. [bug] The DNSSEC tools failed to downcase domain
- names when mapping them into file names.
-
- 786. [bug] When DNSSEC signing/verifying data, owner names were
- not properly down-cased.
-
- 785. [bug] A race condition in the resolver could cause
- an assertion failure. [RT #673, #872, #1048]
-
- 784. [bug] nsupdate and other programs would not quit properly
- if some signals were blocked by the caller. [RT #1081]
-
- 783. [bug] Following CNAMEs could cause an assertion failure
- when either using an sdb database or under very
- rare conditions.
-
- 782. [func] Implement the "serial-query-rate" option.
-
- 781. [func] Avoid error packet loops by dropping duplicate FORMERR
- responses. [RT #1006]
-
- 780. [bug] Error handling code dealing with out of memory or
- other rare errors could lead to assertion failures
- by calling functions on uninitialized names. [RT #1065]
-
- 779. [func] Added the "minimal-responses" option.
-
- 778. [bug] When starting cache cleaning, cleaning_timer_action()
- returned without first pausing the iterator, which
- could cause deadlock. [RT #998]
-
- 777. [bug] An empty forwarders list in a zone failed to override
- global forwarders. [RT #995]
-
- 776. [func] Improved error reporting in denied messages. [RT #252]
-
- 775. [placeholder]
-
- 774. [func] max-cache-size is implemented.
-
- 773. [func] Added isc_rwlock_trylock() to attempt to lock without
- blocking.
-
- 772. [bug] Owner names could be incorrectly omitted from cache
- dumps in the presence of negative caching entries.
- [RT #991]
-
- 771. [cleanup] TSIG errors related to unsynchronized clocks
- are logged better. [RT #919]
-
- 770. [func] Add the "edns yes_or_no" statement to the server
- clause. [RT #524]
-
- 769. [func] Improved error reporting when parsing rdata. [RT #740]
-
- 768. [bug] The server did not emit an SOA when a CNAME
- or DNAME chain ended in NXDOMAIN in an
- authoritative zone.
-
- 767. [placeholder]
-
- 766. [bug] A few cases in query_find() could leak fname.
- This would trigger the mpctx->allocated == 0
- assertion when the server exited.
- [RT #739, #776, #798, #812, #818, #821, #845,
- #892, #935, #966]
-
- 765. [func] ACL names are once again case insensitive, like
- in BIND 8. [RT #252]
-
- 764. [func] Configuration files now allow "include" directives
- in more places, such as inside the "view" statement.
- [RT #377, #728, #860]
-
- 763. [func] Configuration files no longer have reserved words.
- [RT #731, #753]
-
- 762. [cleanup] The named.conf and rndc.conf file parsers have
- been completely rewritten.
-
- 761. [bug] _REENTRANT was still defined when building with
- --disable-threads.
-
- 760. [contrib] Significant enhancements to the pgsql sdb driver.
-
- 759. [bug] The resolver didn't turn off "avoid fetches" mode
- when restarting, possibly causing resolution
- to fail when it should not. This bug only affected
- platforms which support both IPv4 and IPv6. [RT #927]
-
- 758. [bug] The "avoid fetches" code did not treat negative
- cache entries correctly, causing fetches that would
- be useful to be avoided. This bug only affected
- platforms which support both IPv4 and IPv6. [RT #927]
-
- 757. [func] Log zone transfers.
-
- 756. [bug] dns_zone_load() could "return" success when no master
- file was configured.
-
- 755. [bug] Fix incorrectly formatted log messages in zone.c.
-
- 754. [bug] Certain failure conditions sending UDP packets
- could cause the server to retry the transmission
- indefinitely. [RT #902]
-
- 753. [bug] dig, host, and nslookup would fail to contact a
- remote server if getaddrinfo() returned an IPv6
- address on a system that doesn't support IPv6.
- [RT #917]
-
- 752. [func] Correct bad tv_usec elements returned by
- gettimeofday().
-
- 751. [func] Log successful zone loads / transfers. [RT #898]
-
- 750. [bug] A query should not match a DNAME whose trust level
- is pending. [RT #916]
-
- 749. [bug] When a query matched a DNAME in a secure zone, the
- server did not return the signature of the DNAME.
- [RT #915]
-
- 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
- [RT #781]
-
- 747. [bug] The code to determine whether an IXFR was possible
- did not properly check for a database that could
- not have a journal. [RT #865, #908]
-
- 746. [bug] The sdb didn't clone rdatasets properly, causing
- a crash when the server followed delegations. [RT #905]
-
- 745. [func] Report the owner name of records that fail
- semantic checks while loading.
-
- 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
- result of an ANY or SIG query, the resolver failed
- to setup the return event's rdatasets, causing an
- assertion failure in the query code. [RT #881]
-
- 743. [bug] Receiving a large number of certain malformed
- answers could cause named to stop responding.
- [RT #861]
-
- 742. [placeholder]
-
- 741. [port] Support openssl-engine. [RT #709]
-
- 740. [port] Handle openssl library mismatches slightly better.
-
- 739. [port] Look for /dev/random in configure, rather than
- assuming it will be there for only a predefined
- set of OSes.
-
- 738. [bug] If a non-threadsafe sdb driver supported AXFR and
- received an AXFR request, it would deadlock or die
- with an assertion failure. [RT #852]
-
- 737. [port] stdtime.c failed to compile on certain platforms.
-
- 736. [func] New functions isc_task_{begin,end}exclusive().
-
- 735. [doc] Add BIND 4 migration notes.
-
- 734. [bug] An attempt to re-lock the zone lock could occur if
- the server was shutdown during a zone transfer.
- [RT #830]
-
- 733. [bug] Reference counts of dns_acl_t objects need to be
- locked but were not. [RT #801, #821]
-
- 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
-
- 731. [bug] Certain zone errors could cause named-checkzone to
- fail ungracefully. [RT #819]
-
- 730. [bug] lwres_getaddrinfo() returns the correct result when
- it fails to contact a server. [RT #768]
-
- 729. [port] pthread_setconcurrency() needs to be called on Solaris.
-
- 728. [bug] Fix comment processing on master file directives.
- [RT #757]
-
- 727. [port] Work around OS bug where accept() succeeds but
- fails to fill in the peer address of the accepted
- connection, by treating it as an error rather than
- an assertion failure. [RT #809]
-
- 726. [func] Implement the "trace" and "notrace" commands in rndc.
-
- 725. [bug] Installing man pages could fail.
-
- 724. [func] New libisc functions isc_netaddr_any(),
- isc_netaddr_any6().
-
- 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
- to return DNS_R_SERVFAIL. [RT #783]
-
- 722. [func] Allow incremental loads to be canceled.
-
- 721. [cleanup] Load manager and dns_master_loadfilequota() are no
- more.
-
- 720. [bug] Server could enter infinite loop in
- dispatch.c:do_cancel(). [RT #733]
-
- 719. [bug] Rapid reloads could trigger an assertion failure.
- [RT #743, #763]
-
- 718. [cleanup] "internal" is no longer a reserved word in named.conf.
- [RT #753, #731]
-
- 717. [bug] Certain TKEY processing failure modes could
- reference an uninitialized variable, causing the
- server to crash. [RT #750]
-
- 716. [bug] The first line of a $INCLUDE master file was lost if
- an origin was specified. [RT #744]
-
- 715. [bug] Resolving some A6 chains could cause an assertion
- failure in adb.c. [RT #738]
-
- 714. [bug] Preserve interval timers across reloads unless changed.
- [RT #729]
-
- 713. [func] named-checkconf takes '-t directory' similar to named.
- [RT #726]
-
- 712. [bug] Sending a large signed update message caused an
- assertion failure. [RT #718]
-
- 711. [bug] The libisc and liblwres implementations of
- inet_ntop contained an off by one error.
-
- 710. [func] The forwarders statement now takes an optional
- port. [RT #418]
-
- 709. [bug] ANY or SIG queries for data with a TTL of 0
- would return SERVFAIL. [RT #620]
-
- 708. [bug] When building with --with-openssl, the openssl headers
- included with BIND 9 should not be used. [RT #702]
-
- 707. [func] The "filename" argument to named-checkzone is no
- longer optional, to reduce confusion. [RT #612]
-
- 706. [bug] Zones with an explicit "allow-update { none; };"
- were considered dynamic and therefore not reloaded
- on SIGHUP or "rndc reload".
-
- 705. [port] Work out resource limit type for use where rlim_t is
- not available. [RT #695]
-
- 704. [port] RLIMIT_NOFILE is not available on all platforms.
- [RT #695]
-
- 703. [port] sys/select.h is needed on older platforms. [RT #695]
-
- 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
- use 127.0.0.1 instead. [RT #693]
-
- 701. [func] Root hints are now fully optional. Class IN
- views use compiled-in hints by default, as
- before. Non-IN views with no root hints now
- provide authoritative service but not recursion.
- A warning is logged if a view has neither root
- hints nor authoritative data for the root. [RT #696]
-
- 700. [bug] $GENERATE range check was wrong. [RT #688]
-
- 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
-
- 698. [bug] Aborting nsupdate with ^C would lead to several
- race conditions.
-
- 697. [bug] nsupdate was not compatible with the undocumented
- BIND 8 behavior of ignoring TTLs in "update delete"
- commands. [RT #693]
-
- 696. [bug] lwresd would die with an assertion failure when passed
- a zero-length name. [RT #692]
-
- 695. [bug] If the resolver attempted to query a blackholed or
- bogus server, the resolution would fail immediately.
-
- 694. [bug] $GENERATE did not produce the last entry.
- [RT #682, #683]
-
- 693. [bug] An empty lwres statement in named.conf caused
- the server to crash while loading.
-
- 692. [bug] Deal with systems that have getaddrinfo() but not
- gai_strerror(). [RT #679]
-
- 691. [bug] Configuring per-view forwarders caused an assertion
- failure. [RT #675, #734]
-
- 690. [func] $GENERATE now supports DNAME. [RT #654]
-
- 689. [doc] man pages are now installed. [RT #210]
-
- 688. [func] "make tags" now works on systems with the
- "Exuberant Ctags" etags.
-
- 687. [bug] Only say we have IPv6, with sufficient functionality,
- if it has actually been tested. [RT #586]
-
- 686. [bug] dig and nslookup can now be properly aborted during
- blocking operations. [RT #568]
-
- 685. [bug] nslookup should use the search list/domain options
- from resolv.conf by default. [RT #405, #630]
-
- 684. [bug] Memory leak with view forwarders. [RT #656]
-
- 683. [bug] File descriptor leak in isc_lex_openfile().
-
- 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
-
- 681. [bug] $GENERATE specifying output format was broken. [RT #653]
-
- 680. [bug] dns_rdata_fromstruct() mishandled options bigger
- than 255 octets.
-
- 679. [bug] $INCLUDE could leak memory and file descriptors on
- reload. [RT #639]
-
- 678. [bug] "transfer-format one-answer;" could trigger an assertion
- failure. [RT #646]
-
- 677. [bug] dnssec-signzone would occasionally use the wrong ttl
- for database operations and fail. [RT #643]
-
- 676. [bug] Log messages about lame servers to category
- 'lame-servers' rather than 'resolver', so as not
- to be gratuitously incompatible with BIND 8.
-
- 675. [bug] TKEY queries could cause the server to leak
- memory.
-
- 674. [func] Allow messages to be TSIG signed / verified using
- a offset from the current time.
-
- 673. [func] The server can now convert RFC1886-style recursive
- lookup requests into RFC2874-style lookups, when
- enabled using the new option "allow-v6-synthesis".
-
- 672. [bug] The wrong time was in the "time signed" field when
- replying with BADTIME error.
-
- 671. [bug] The message code was failing to parse a message with
- no question section and a TSIG record. [RT #628]
-
- 670. [bug] The lwres replacements for getaddrinfo and
- getipnodebyname didn't properly check for the
- existence of the sockaddr sa_len field.
-
- 669. [bug] dnssec-keygen now makes the public key file
- non-world-readable for symmetric keys. [RT #403]
-
- 668. [func] named-checkzone now reports multiple errors in master
- files.
-
- 667. [bug] On Linux, running named with the -u option and a
- non-world-readable configuration file didn't work.
- [RT #626]
-
- 666. [bug] If a request sent by dig is longer than 512 bytes,
- use TCP.
-
- 665. [bug] Signed responses were not sent when the size of the
- TSIG + question exceeded the maximum message size.
- [RT #628]
-
- 664. [bug] The t_tasks and t_timers module tests are now skipped
- when building without threads, since they require
- threads.
-
- 663. [func] Accept a size_spec, not just an integer, in the
- (unimplemented and ignored) max-ixfr-log-size option
- for compatibility with recent versions of BIND 8.
- [RT #613]
-
- 662. [bug] dns_rdata_fromtext() failed to log certain errors.
-
- 661. [bug] Certain UDP IXFR requests caused an assertion failure
- (mpctx->allocated == 0). [RT #355, #394, #623]
-
- 660. [port] Detect multiple CPUs on HP-UX and IRIX.
-
- 659. [performance] Rewrite the name compression code to be much faster.
-
- 658. [cleanup] Remove all vestiges of 16 bit global compression.
-
- 657. [bug] When a listen-on statement in an lwres block does not
- specify a port, use 921, not 53. Also update the
- listen-on documentation. [RT #616]
-
- 656. [func] Treat an unescaped newline in a quoted string as
- an error. This means that TXT records with missing
- close quotes should have meaningful errors printed.
-
- 655. [bug] Improve error reporting on unexpected eof when loading
- zones. [RT #611]
-
- 654. [bug] Origin was being forgotten in TCP retries in dig.
- [RT #574]
-
- 653. [bug] +defname option in dig was reversed in sense.
- [RT #549]
-
- 652. [bug] zone_saveunique() did not report the new name.
-
- 651. [func] The AD bit in responses now has the meaning
- specified in <draft-ietf-dnsext-ad-is-secure>.
-
- 650. [bug] SIG(0) records were being generated and verified
- incorrectly. [RT #606]
-
- 649. [bug] It was possible to join to an already running fctx
- after it had "cloned" its events, but before it sent
- them. In this case, the event of the newly joined
- fetch would not contain the answer, and would
- trigger the INSIST() in fctx_sendevents(). In
- BIND 9.0, this bug did not trigger an INSIST(), but
- caused the fetch to fail with a SERVFAIL result.
- [RT #588, #597, #605, #607]
-
- 648. [port] Add support for pre-RFC2133 IPv6 implementations.
-
- 647. [bug] Resolver queries sent after following multiple
- referrals had excessively long retransmission
- timeouts due to incorrectly counting the referrals
- as "restarts".
-
- 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
- didn't _cleanly_ fix the problem it was trying to fix.
-
- 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
-
- 644. [bug] #622 needed more work. [RT #562]
-
- 643. [bug] xfrin error messages made more verbose, added class
- of the zone. [RT #599]
-
- 642. [bug] Break the exit_check() race in the zone module.
- [RT #598]
-
- --- 9.1.0b2 released ---
-
- 641. [bug] $GENERATE caused a uninitialized link to be used.
- [RT #595]
-
- 640. [bug] Memory leak in error path could cause
- "mpctx->allocated == 0" failure. [RT #584]
-
- 639. [bug] Reading entropy from the keyboard would sometimes fail.
- [RT #591]
-
- 638. [port] lib/isc/random.c needed to explicitly include time.h
- to get a prototype for time() when pthreads was not
- being used. [RT #592]
-
- 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
- lib/isc/print.c. Also allow lib/isc/print.c to
- be compiled even if the platform does not need it.
- [RT #592]
-
- 636. [port] Shut up MSVC++ about a possible loss of precision
- in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
-
- 635. [bug] Reloading a server with a configured blackhole list
- would cause an assertion. [RT #590]
-
- 634. [bug] A log file will completely stop being written when
- it reaches the maximum size in all cases, not just
- when versioning is also enabled. [RT #570]
-
- 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
-
- 632. [bug] The index array of the journal file was
- corrupted as it was written to disk.
-
- 631. [port] Build without thread support on systems without
- pthreads.
-
- 630. [bug] Locking failure in zone code. [RT #582]
-
- 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
- when responding to a UDP IXFR request.
-
- 628. [bug] If the root hints contained only AAAA addresses,
- named would be unable to perform resolution.
-
- 627. [bug] The EDNS0 blackhole detection code of change 324
- waited for three retransmissions to each server,
- which takes much too long when a domain has many
- name servers and all of them drop EDNS0 queries.
- Now we retry without EDNS0 after three consecutive
- timeouts, even if they are all from different
- servers. [RT #143]
-
- 626. [bug] The lightweight resolver daemon no longer crashes
- when asked for a SIG rrset. [RT #558]
-
- 625. [func] Zones now inherit their class from the enclosing view.
-
- 624. [bug] The zone object could get timer events after it had
- been destroyed, causing a server crash. [RT #571]
-
- 623. [func] Added "named-checkconf" and "named-checkzone" program
- for syntax checking named.conf files and zone files,
- respectively.
-
- 622. [bug] A canceled request could be destroyed before
- dns_request_destroy() was called. [RT #562]
-
- 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
- This mostly affects Red Hat Linux 7.0, which has
- conflicts between libc and the kernel.
-
- 620. [bug] dns_master_load*inc() now require 'task' and 'load'
- to be non-null. Also 'done' will not be called if
- dns_master_load*inc() fails immediately. [RT #565]
-
- 619. [placeholder]
-
- 618. [bug] Queries to a signed zone could sometimes cause
- an assertion failure.
-
- 617. [bug] When using dynamic update to add a new RR to an
- existing RRset with a different TTL, the journal
- entries generated from the update did not include
- explicit deletions and re-additions of the existing
- RRs to update their TTL to the new value.
-
- 616. [func] dnssec-signzone -t output now includes performance
- statistics.
-
- 615. [bug] dnssec-signzone did not like child keysets signed
- by multiple keys.
-
- 614. [bug] Checks for uninitialized link fields were prone
- to false positives, causing assertion failures.
- The checks are now disabled by default and may
- be re-enabled by defining ISC_LIST_CHECKINIT.
-
- 613. [bug] "rndc reload zone" now reloads primary zones.
- It previously only updated slave and stub zones,
- if an SOA query indicated an out of date serial.
-
- 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
- complains relentlessly about how its treatment
- of 'const' has changed as well as how casting
- sometimes tightens alignment constraints.
-
- 611. [func] allow-notify can be used to permit processing of
- notify messages from hosts other than a slave's
- masters.
-
- 610. [func] rndc dumpdb is now supported.
-
- 609. [bug] getrrsetbyname() would crash lwresd if the server
- found more SIGs than answers. [RT #554]
-
- 608. [func] dnssec-signzone now adds a comment to the zone
- with the time the file was signed.
-
- 607. [bug] nsupdate would fail if it encountered a CNAME or
- DNAME in a response to an SOA query. [RT #515]
-
- 606. [bug] Compiling with --disable-threads failed due
- to isc_thread_self() being incorrectly defined
- as an integer rather than a function.
-
- 605. [func] New function isc_lex_getlasttokentext().
-
- 604. [bug] The named.conf parser could print incorrect line
- numbers when long comments were present.
-
- 603. [bug] Make dig handle multiple types or classes on the same
- query more correctly.
-
- 602. [func] Cope automatically with UnixWare's broken
- IN6_IS_ADDR_* macros. [RT #539]
-
- 601. [func] Return a non-zero exit code if an update fails
- in nsupdate.
-
- 600. [bug] Reverse lookups sometimes failed in dig, etc...
-
- 599. [func] Added four new functions to the libisc log API to
- support i18n messages. isc_log_iwrite(),
- isc_log_ivwrite(), isc_log_iwrite1() and
- isc_log_ivwrite1() were added.
-
- 598. [bug] An update-policy statement would cause the server
- to assert while loading. [RT #536]
-
- 597. [func] dnssec-signzone is now multi-threaded.
-
- 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
- not mutually exclusive.
-
- 595. [port] On Linux 2.2, socket() returns EINVAL when it
- should return EAFNOSUPPORT. Work around this.
- [RT #531]
-
- 594. [func] sdb drivers are now assumed to not be thread-safe
- unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
-
- 593. [bug] If a secure zone was missing all its NXTs and
- a dynamic update was attempted, the server entered
- an infinite loop.
-
- 592. [bug] The sig-validity-interval option now specifies a
- number of days, not seconds. This matches the
- documentation. [RT #529]
-
- --- 9.1.0b1 released ---
-
- 591. [bug] Work around non-reentrancy in openssl by disabling
- pre-computation in keys.
-
- 590. [doc] There are now man pages for the lwres library in
- doc/man/lwres.
-
- 589. [bug] The server could deadlock if a zone was updated
- while being transferred out.
-
- 588. [bug] ctx->in_use was not being correctly initialized when
- when pushing a file for $INCLUDE. [RT #523]
-
- 587. [func] A warning is now printed if the "allow-update"
- option allows updates based on the source IP
- address, to alert users to the fact that this
- is insecure and becoming increasingly so as
- servers capable of update forwarding are being
- deployed.
-
- 586. [bug] multiple views with the same name were fatal. [RT #516]
-
- 585. [func] dns_db_addrdataset() and dns_rdataslab_merge()
- now support 'exact' additions in a similar manner to
- dns_db_subtractrdataset() and dns_rdataslab_subtract().
-
- 584. [func] You can now say 'notify explicit'; to suppress
- notification of the servers listed in NS records
- and notify only those servers listed in the
- 'also-notify' option.
-
- 583. [func] "rndc querylog" will now toggle logging of
- queries, like "ndc querylog" in BIND 8.
-
- 582. [bug] dns_zone_idetach() failed to lock the zone.
- [RT #199, #463]
-
- 581. [bug] log severity was not being correctly processed.
- [RT #485]
-
- 580. [func] Ignore trailing garbage on incoming DNS packets,
- for interoperability with broken server
- implementations. [RT #491]
-
- 579. [bug] nsupdate did not take a filename to read update from.
- [RT #492]
-
- 578. [func] New config option "notify-source", to specify the
- source address for notify messages.
-
- 577. [func] Log illegal RDATA combinations. e.g. multiple
- singleton types, cname and other data.
-
- 576. [doc] isc_log_create() description did not match reality.
-
- 575. [bug] isc_log_create() was not setting internal state
- correctly to reflect the default channels created.
-
- 574. [bug] TSIG signed queries sent by the resolver would fail to
- have their responses validated and would leak memory.
-
- 573. [bug] The journal files of IXFRed slave zones were
- inadvertently discarded on server reload, causing
- "journal out of sync with zone" errors on subsequent
- reloads. [RT #482]
-
- 572. [bug] Quoted strings were not accepted as key names in
- address match lists.
-
- 571. [bug] It was possible to create an rdataset of singleton
- type which had more than one rdata. [RT #154]
- [RT #279]
-
- 570. [bug] rbtdb.c allowed zones containing nodes which had
- both a CNAME and "other data". [RT #154]
-
- 569. [func] The DNSSEC AD bit will not be set on queries which
- have not requested a DNSSEC response.
-
- 568. [func] Add sample simple database drivers in contrib/sdb.
-
- 567. [bug] Setting the zone transfer timeout to zero caused an
- assertion failure. [RT #302]
-
- 566. [func] New public function dns_timer_setidle().
-
- 565. [func] Log queries more like BIND 8: query logging is now
- done to category "queries", level "info". [RT #169]
-
- 564. [func] Add sortlist support to lwresd.
-
- 563. [func] New public functions dns_rdatatype_format() and
- dns_rdataclass_format(), for convenient formatting
- of rdata type/class mnemonics in log messages.
-
- 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
-
- 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
- clauses of the options{} statement are now implemented.
-
- 560. [bug] dns_name_split did not properly the resulting prefix
- when a maximal length bitstring label was split which
- was preceded by another bitstring label. [RT #429]
-
- 559. [bug] dns_name_split did not properly create the suffix
- when splitting within a maximal length bitstring label.
-
- 558. [func] New functions, isc_resource_getlimit and
- isc_resource_setlimit.
-
- 557. [func] Symbolic constants for libisc integral types.
-
- 556. [func] The DNSSEC OK bit in the EDNS extended flags
- is now implemented. Responses to queries without
- this bit set will not contain any DNSSEC records.
-
- 555. [bug] A slave server attempting a zone transfer could
- crash with an assertion failure on certain
- malformed responses from the master. [RT #457]
-
- 554. [bug] In some cases, not all of the dnssec tools were
- properly installed.
-
- 553. [bug] Incoming zone transfers deferred due to quota
- were not started when quota was increased but
- only when a transfer in progress finished. [RT #456]
-
- 552. [bug] We were not correctly detecting the end of all c-style
- comments. [RT #455]
-
- 551. [func] Implemented the 'sortlist' option.
-
- 550. [func] Support unknown rdata types and classes.
-
- 549. [bug] "make" did not immediately abort the build when a
- subdirectory make failed [RT #450].
-
- 548. [func] The lexer now ungets tokens more correctly.
-
- 547. [placeholder]
-
- 546. [func] Option 'lame-ttl' is now implemented.
-
- 545. [func] Name limit and counting options removed from dig;
- they didn't work properly, and cannot be correctly
- implemented without significant changes.
-
- 544. [func] Add statistics option, enable statistics-file option,
- add RNDC option "dump-statistics" to write out a
- query statistics file.
-
- 543. [doc] The 'port' option is now documented.
-
- 542. [func] Add support for update forwarding as required for
- full compliance with RFC2136. It is turned off
- by default and can be enabled using the
- 'allow-update-forwarding' option.
-
- 541. [func] Add bogus server support.
-
- 540. [func] Add dialup support.
-
- 539. [func] Support the blackhole option.
-
- 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
-
- 537. [placeholder]
-
- 536. [func] Use transfer-source{-v6} when sending refresh queries.
- Transfer-source{-v6} now take a optional port
- parameter for setting the UDP source port. The port
- parameter is ignored for TCP.
-
- 535. [func] Use transfer-source{-v6} when forwarding update
- requests.
-
- 534. [func] Ancestors have been removed from RBT chains. Ancestor
- information can be discerned via node parent pointers.
-
- 533. [func] Incorporated name hashing into the RBT database to
- improve search speed.
-
- 532. [func] Implement DNS UPDATE pseudo records using
- DNS_RDATA_UPDATE flag.
-
- 531. [func] Rdata really should be initialized before being assigned
- to (dns_rdata_fromwire(), dns_rdata_fromtext(),
- dns_rdata_clone(), dns_rdata_fromregion()),
- check that it is.
-
- 530. [func] New function dns_rdata_invalidate().
-
- 529. [bug] 521 contained a bug which caused zones to always
- reload. [RT #410]
-
- 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
- on their arguments. ISC_LIST_XXXXUNSAFE can be use
- to skip the checks however use with caution.
-
- 527. [func] New function dns_rdata_clone().
-
- 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
- of 0.
-
- 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
- and 'flags' for dns_rdataslab_subtract() allowing you
- to request that the RR's must exist prior to deletion.
- DNS_R_NOTEXACT is returned if the condition is not met.
-
- 524. [func] The 'forward' and 'forwarders' statement in
- non-forward zones should work now.
-
- 523. [doc] The source to the Administrator Reference Manual is
- now an XML file using the DocBook DTD, and is included
- in the distribution. The plain text version of the
- ARM is temporarily unavailable while we figure out
- how to generate readable plain text from the XML.
-
- 522. [func] The lightweight resolver daemon can now use
- a real configuration file, and its functionality
- can be provided by a name server. Also, the -p and -P
- options to lwresd have been reversed.
-
- 521. [bug] Detect master files which contain $INCLUDE and always
- reload. [RT #196]
-
- 520. [bug] Upgraded libtool to 1.3.5, which makes shared
- library builds almost work on AIX (and possibly
- others).
-
- 519. [bug] dns_name_split() would improperly split some bitstring
- labels, zeroing a few of the least significant bits in
- the prefix part. When such an improperly created
- prefix was returned to the RBT database, the bogus
- label was dutifully stored, corrupting the tree.
- [RT #369]
-
- 518. [bug] The resolver did not realize that a DNAME which was
- "the answer" to the client's query was "the answer",
- and such queries would fail. [RT #399]
-
- 517. [bug] The resolver's DNAME code would trigger an assertion
- if there was more than one DNAME in the chain.
- [RT #399]
-
- 516. [bug] Cache lookups which had a NULL node pointer, e.g.
- those by dns_view_find(), and which would match a
- DNAME, would trigger an INSIST(!search.need_cleanup)
- assertion. [RT #399]
-
- 515. [bug] The ssu table was not being attached / detached
- by dns_zone_[sg]etssutable. [RT #397]
-
- 514. [func] Retry refresh and notify queries if they timeout.
- [RT #388]
-
- 513. [func] New functionality added to rdnc and server to allow
- individual zones to be refreshed or reloaded.
-
- 512. [bug] The zone transfer code could throw an exception with
- an invalid IXFR stream.
-
- 511. [bug] The message code could throw an assertion on an
- out of memory failure. [RT #392]
-
- 510. [bug] Remove spurious view notify warning. [RT #376]
-
- 509. [func] Add support for write of zone files on shutdown.
-
- 508. [func] dns_message_parse() can now do a best-effort
- attempt, which should allow dig to print more invalid
- messages.
-
- 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
- and dns_view_flushanddetach().
-
- 506. [func] Do not fail to start on errors in zone files.
-
- 505. [bug] nsupdate was printing "unknown result code". [RT #373]
-
- 504. [bug] The zone was not being marked as dirty when updated via
- IXFR.
-
- 503. [bug] dumptime was not being set along with
- DNS_ZONEFLG_NEEDDUMP.
-
- 502. [func] On a SERVFAIL reply, DiG will now try the next server
- in the list, unless the +fail option is specified.
-
- 501. [bug] Incorrect port numbers were being displayed by
- nslookup. [RT #352]
-
- 500. [func] Nearly useless +details option removed from DiG.
-
- 499. [func] In DiG, specifying a class with -c or type with -t
- changes command-line parsing so that classes and
- types are only recognized if following -c or -t.
- This allows hosts with the same name as a class or
- type to be looked up.
-
- 498. [doc] There is now a man page for "dig"
- in doc/man/bin/dig.1.
-
- 497. [bug] The error messages printed when an IP match list
- contained a network address with a nonzero host
- part where not sufficiently detailed. [RT #365]
-
- 496. [bug] named didn't sanity check numeric parameters. [RT #361]
-
- 495. [bug] nsupdate was unable to handle large records. [RT #368]
-
- 494. [func] Do not cache NXDOMAIN responses for SOA queries.
-
- 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
- for SOA queries. This makes it easier to locate
- the containing zone without polluting intermediate
- caches.
-
- 492. [bug] attempting to reload a zone caused the server fail
- to shutdown cleanly. [RT #360]
-
- 491. [bug] nsupdate would segfault when sending certain
- prerequisites with empty RDATA. [RT #356]
-
- 490. [func] When a slave/stub zone has not yet successfully
- obtained an SOA containing the zone's configured
- retry time, perform the SOA query retries using
- exponential backoff. [RT #337]
-
- 489. [func] The zone manager now has a "i/o" queue.
-
- 488. [bug] Locks weren't properly destroyed in some cases.
-
- 487. [port] flockfile() is not defined on all systems.
-
- 486. [bug] nslookup: "set all" and "server" commands showed
- the incorrect port number if a port other than 53
- was specified. [RT #352]
-
- 485. [func] When dig had more than one server to query, it would
- send all of the messages at the same time. Add
- rate limiting of the transmitted messages.
-
- 484. [bug] When the server was reloaded after removing addresses
- from the named.conf "listen-on" statement, sockets
- were still listening on the removed addresses due
- to reference count loops. [RT #325]
-
- 483. [bug] nslookup: "set all" showed a "search" option but it
- was not settable.
-
- 482. [bug] nslookup: a plain "server" or "lserver" should be
- treated as a lookup.
-
- 481. [bug] nslookup:get_next_command() stack size could exceed
- per thread limit.
-
- 480. [bug] strtok() is not thread safe. [RT #349]
-
- 479. [func] The test suite can now be run by typing "make check"
- or "make test" at the top level.
-
- 478. [bug] "make install" failed if the directory specified with
- --prefix did not already exist.
-
- 477. [bug] The the isc-config.sh script could be installed before
- its directory was created. [RT #324]
-
- 476. [bug] A zone could expire while a zone transfer was in
- progress triggering a INSIST failure. [RT #329]
-
- 475. [bug] query_getzonedb() sometimes returned a non-null version
- on failure. This caused assertion failures when
- generating query responses where names subject to
- additional section processing pointed to a zone
- to which access had been denied by means of the
- allow-query option. [RT #336]
-
- 474. [bug] The mnemonic of the CHAOS class is CH according to
- RFC1035, but it was printed and read only as CHAOS.
- We now accept both forms as input, and print it
- as CH. [RT #305]
-
- 473. [bug] nsupdate overran the end of the list of name servers
- when no servers could be reached, typically causing
- it to print the error message "dns_request_create:
- not implemented".
-
- 472. [bug] Off-by-one error caused isc_time_add() to sometimes
- produce invalid time values.
-
- 471. [bug] nsupdate didn't compile on HP/UX 10.20
-
- 470. [func] $GENERATE is now supported. See also
- doc/misc/migration.
-
- 469. [bug] "query-source address * port 53;" now works.
-
- 468. [bug] dns_master_load*() failed to report file and line
- number in certain error conditions.
-
- 467. [bug] dns_master_load*() failed to log an error if
- pushfile() failed.
-
- 466. [bug] dns_master_load*() could return success when it failed.
-
- 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
- omapi_value_storeint().
-
- 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
-
- 463. [bug] nsupdate sent malformed SOA queries to the second
- and subsequent name servers in resolv.conf if the
- query sent to the first one failed.
-
- 462. [bug] --disable-ipv6 should work now.
-
- 461. [bug] Specifying an unknown key in the "keys" clause of the
- "controls" statement caused a NULL pointer dereference.
- [RT #316]
-
- 460. [bug] Much of the DNSSEC code only worked with class IN.
-
- 459. [bug] Nslookup processed the "set" command incorrectly.
-
- 458. [bug] Nslookup didn't properly check class and type values.
- [RT #305]
-
- 457. [bug] Dig/host/hslookup didn't properly handle connect
- timeouts in certain situations, causing an
- unnecessary warning message to be printed.
-
- 456. [bug] Stub zones were not resetting the refresh and expire
- counters, loadtime or clearing the DNS_ZONE_REFRESH
- (refresh in progress) flag upon successful update.
- This disabled further refreshing of the stub zone,
- causing it to eventually expire. [RT #300]
-
- 455. [doc] Document IPv4 prefix notation does not require a
- dotted decimal quad but may be just dotted decimal.
-
- 454. [bug] Enforce dotted decimal and dotted decimal quad where
- documented as such in named.conf. [RT #304, RT #311]
-
- 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
- is specified in named.conf. [RT #306]
-
- 452. [bug] Warn if the unimplemented option "statistics-file"
- is specified in named.conf. [RT #301]
-
- 451. [func] Update forwarding implemented.
-
- 450. [func] New function ns_client_sendraw().
-
- 449. [bug] isc_bitstring_copy() only works correctly if the
- two bitstrings have the same lsb0 value, but this
- requirement was not documented, nor was there a
- REQUIRE for it.
-
- 448. [bug] Host output formatting change, to match v8. [RT #255]
-
- 447. [bug] Dig didn't properly retry in TCP mode after
- a truncated reply. [RT #277]
-
- 446. [bug] Confusing notify log message. [RT #298]
-
- 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
- bitstring triggered a REQUIRE statement. The REQUIRE
- statement was incorrect. [RT #297]
-
- 444. [func] "recursion denied" messages are always logged at
- debug level 1, now, rather than sometimes at ERROR.
- This silences these warnings in the usual case, where
- some clients set the RD bit in all queries.
-
- 443. [bug] When loading a master file failed because of an
- unrecognized RR type name, the error message
- did not include the file name and line number.
- [RT #285]
-
- 442. [bug] TSIG signed messages that did not match any view
- crashed the server. [RT #290]
-
- 441. [bug] Nodes obscured by a DNAME were inaccessible even
- when DNS_DBFIND_GLUEOK was set.
-
- 440. [func] New function dns_zone_forwardupdate().
-
- 439. [func] New function dns_request_createraw().
-
- 438. [func] New function dns_message_getrawmessage().
-
- 437. [func] Log NOTIFY activity to the notify channel.
-
- 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
- which sometimes happens on Linux, named would enter
- a busy loop. Also, unexpected socket errors were
- not logged at a high enough logging level to be
- useful in diagnosing this situation. [RT #275]
-
- 435. [bug] dns_zone_dump() overwrote existing zone files
- rather than writing to a temporary file and
- renaming. This could lead to empty or partial
- zone files being left around in certain error
- conditions involving the initial transfer of a
- slave zone, interfering with subsequent server
- startup. [RT #282]
-
- 434. [func] New function isc_file_isabsolute().
-
- 433. [func] isc_base64_decodestring() now accepts newlines
- within the base64 data. This makes it possible
- to break up the key data in a "trusted-keys"
- statement into multiple lines. [RT #284]
-
- 432. [func] Added refresh/retry jitter. The actual refresh/
- retry time is now a random value between 75% and
- 100% of the configured value.
-
- 431. [func] Log at ISC_LOG_INFO when a zone is successfully
- loaded.
-
- 430. [bug] Rewrote the lightweight resolver client management
- code to handle shutdown correctly and general
- cleanup.
-
- 429. [bug] The space reserved for a TSIG record in a response
- was 2 bytes too short, leading to message
- generation failures.
-
- 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
- DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
- (e.g. glue). This could cause SERVFAILs when
- generating negative responses in a secure zone.
-
- 427. [bug] Avoid going into an infinite loop when the validator
- gets a negative response to a key query where the
- records are signed by the missing key.
-
- 426. [bug] Attempting to generate an oversized RSA key could
- cause dnssec-keygen to dump core.
-
- 425. [bug] Warn about the auth-nxdomain default value change
- if there is no auth-nxdomain statement in the
- config file. [RT #287]
-
- 424. [bug] notify_createmessage() could trigger an assertion
- failure when creating the notify message failed,
- e.g. due to corrupt zones with multiple SOA records.
- [RT #279]
-
- 423. [bug] When responding to a recursive query, errors that occur
- after following a CNAME should cause the query to fail.
- [RT #274]
-
- 422. [func] get rid of isc_random_t, and make isc_random_get()
- and isc_random_jitter() use rand() internally
- instead of local state. Note that isc_random_*()
- functions are only for weak, non-critical "randomness"
- such as timing jitter and such.
-
- 421. [bug] nslookup would exit when given a blank line as input.
-
- 420. [bug] nslookup failed to implement the "exit" command.
-
- 419. [bug] The certificate type PKIX was misspelled as SKIX.
-
- 418. [bug] At debug levels >= 10, getting an unexpected
- socket receive error would crash the server
- while trying to log the error message.
-
- 417. [func] Add isc_app_block() and isc_app_unblock(), which
- allow an application to handle signals while
- blocking.
-
- 416. [bug] Slave zones with no master file tried to use a
- NULL pointer for a journal file name when they
- received an IXFR. [RT #273]
-
- 415. [bug] The logging code leaked file descriptors.
-
- 414. [bug] Server did not shut down until all incoming zone
- transfers were finished.
-
- 413. [bug] Notify could attempt to use the zone database after
- it had been unloaded. [RT #267]
-
- 412. [bug] named -v didn't print the version.
-
- 411. [bug] A typo in the HS A code caused an assertion failure.
-
- 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
- to a random value on success.
-
- 409. [bug] If named was shut down early in the startup
- process, ns_omapi_shutdown() would attempt to lock
- an uninitialized mutex. [RT #262]
-
- 408. [bug] stub zones could leak memory and reference counts if
- all the masters were unreachable.
-
- 407. [bug] isc_rwlock_lock() would needlessly block
- readers when it reached the read quota even
- if no writers were waiting.
-
- 406. [bug] Log messages were occasionally lost or corrupted
- due to a race condition in isc_log_doit().
-
- 405. [func] Add support for selective forwarding (forward zones)
-
- 404. [bug] The request library didn't completely work with IPv6.
-
- 403. [bug] "host" did not use the search list.
-
- 402. [bug] Treat undefined acls as errors, rather than
- warning and then later throwing an assertion.
- [RT #252]
-
- 401. [func] Added simple database API.
-
- 400. [bug] SIG(0) signing and verifying was done incorrectly.
- [RT #249]
-
- 399. [bug] When reloading the server with a config file
- containing a syntax error, it could catch an
- assertion failure trying to perform zone
- maintenance on, or sending notifies from,
- tentatively created zones whose views were
- never fully configured and lacked an address
- database and request manager.
-
- 398. [bug] "dig" sometimes caught an assertion failure when
- using TSIG, depending on the key length.
-
- 397. [func] Added utility functions dns_view_gettsig() and
- dns_view_getpeertsig().
-
- 396. [doc] There is now a man page for "nsupdate"
- in doc/man/bin/nsupdate.8.
-
- 395. [bug] nslookup printed incorrect RR type mnemonics
- for RRs of type >= 21 [RT #237].
-
- 394. [bug] Current name was not propagated via $INCLUDE.
-
- 393. [func] Initial answer while loading (awl) support.
- Entry points: dns_master_loadfileinc(),
- dns_master_loadstreaminc(), dns_master_loadbufferinc().
- Note: calls to dns_master_load*inc() should be rate
- be rate limited so as to not use up all file
- descriptors.
-
- 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
- not support the given address family requested.
-
- 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
-
- 390. [func] The function dns_zone_setdbtype() now takes
- an argc/argv style vector of words and sets
- both the zone database type and its arguments,
- making the functions dns_zone_adddbarg()
- and dns_zone_cleardbargs() unnecessary.
-
- 389. [bug] Attempting to send a request over IPv6 using
- dns_request_create() on a system without IPv6
- support caused an assertion failure [RT #235].
-
- 388. [func] dig and host can now do reverse ipv6 lookups.
-
- 387. [func] Add dns_byaddr_createptrname(), which converts
- an address into the name used by a PTR query.
-
- 386. [bug] Missing strdup() of ACL name caused random
- ACL matching failures [RT #228].
-
- 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
- and dns_zt_print().
-
- 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
- of 2147483647.
-
- 383. [func] When writing a master file, print the SOA and NS
- records (and their SIGs) before other records.
-
- 382. [bug] named -u failed on many Linux systems where the
- libc provided kernel headers do not match
- the current kernel.
-
- 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
- IPV6_PKTINFO if found. [RT #229]
-
- 380. [bug] nsupdate didn't work with IPv6.
-
- 379. [func] New library function isc_sockaddr_anyofpf().
-
- 378. [func] named and lwresd will log the command line arguments
- they were started with in the "starting ..." message.
-
- 377. [bug] When additional data lookups were refused due to
- "allow-query", the databases were still being
- attached causing reference leaks.
-
- 376. [bug] The server should always use good entropy when
- performing cryptographic functions needing entropy.
-
- 375. [bug] Per-zone "allow-query" did not properly override the
- view/global one for CNAME targets and additional
- data [RT #220].
-
- 374. [bug] SOA in authoritative negative responses had wrong TTL.
-
- 373. [func] nslookup is now installed by "make install".
-
- 372. [bug] Deal with Microsoft DNS servers appending two bytes of
- garbage to zone transfer requests.
-
- 371. [bug] At high debug levels, doing an outgoing zone transfer
- of a very large RRset could cause an assertion failure
- during logging.
-
- 370. [bug] The error messages for roll-forward failures were
- overly terse.
-
- 369. [func] Support new named.conf options, view and zone
- statements:
-
- max-retry-time, min-retry-time,
- max-refresh-time, min-refresh-time.
-
- 368. [func] Restructure the internal ".bind" view so that more
- zones can be added to it.
-
- 367. [bug] Allow proper selection of server on nslookup command
- line.
-
- 366. [func] Allow use of '-' batch file in dig for stdin.
-
- 365. [bug] nsupdate -k leaked memory.
-
- 364. [func] Added additional-from-{cache,auth}
-
- 363. [placeholder]
-
- 362. [bug] rndc no longer aborts if the configuration file is
- missing an options statement. [RT #209]
-
- 361. [func] When the RBT find or chain functions set the name and
- origin for a node that stores the root label
- the name is now set to an empty name, instead of ".",
- to simplify later use of the name and origin by
- dns_name_concatenate(), dns_name_totext() or
- dns_name_format().
-
- 360. [func] dns_name_totext() and dns_name_format() now allow
- an empty name to be passed, which is formatted as "@".
-
- 359. [bug] dnssec-signzone occasionally signed glue records.
-
- 358. [cleanup] Rename the intermediate files used by the dnssec
- programs.
-
- 357. [bug] The zone file parser crashed if the argument
- to $INCLUDE was a quoted string.
-
- 356. [cleanup] isc_task_send no longer requires event->sender to
- be non-null.
-
- 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
-
- 354. [doc] Man pages for the dnssec tools are now included in
- the distribution, in doc/man/dnssec.
-
- 353. [bug] double increment in lwres/gethost.c:copytobuf().
- [RT #187]
-
- 352. [bug] Race condition in dns_client_t startup could cause
- an assertion failure.
-
- 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
- signed query could crash the server.
-
- 350. [bug] Also-notify lists specified in the global options
- block were not correctly reference counted, causing
- a memory leak.
-
- 349. [bug] Processing a query with the CD bit set now works
- as expected.
-
- 348. [func] New boolean named.conf options 'additional-from-auth'
- and 'additional-from-cache' now supported in view and
- global options statement.
-
- 347. [bug] Don't crash if an argument is left off options in dig.
-
- 346. [placeholder]
-
- 345. [bug] Large-scale changes/cleanups to dig:
- * Significantly improve structure handling
- * Don't pre-load entire batch files
- * Add name/rr counting/limiting
- * Fix SIGINT handling
- * Shorten timeouts to match v8's behavior
-
- 344. [bug] When shutting down, lwresd sometimes tried
- to shut down its client tasks twice,
- triggering an assertion.
-
- 343. [bug] Although zone maintenance SOA queries and
- notify requests were signed with TSIG keys
- when configured for the server in case,
- the TSIG was not verified on the response.
-
- 342. [bug] The wrong name was being passed to
- dns_name_dup() when generating a TSIG
- key using TKEY.
-
- 341. [func] Support 'key' clause in named.conf zone masters
- statement to allow authentication via TSIG keys:
-
- masters {
- 10.0.0.1 port 5353 key "foo";
- 10.0.0.2 ;
- };
-
- 340. [bug] The top-level COPYRIGHT file was missing from
- the distribution.
-
- 339. [bug] DNSSEC validation of the response to an ANY
- query at a name with a CNAME RR in a secure
- zone triggered an assertion failure.
-
- 338. [bug] lwresd logged to syslog as named, not lwresd.
-
- 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
- on the command line.
-
- 336. [bug] "dig -f" used 64 k of memory for each line in
- the file. It now uses much less, though still
- proportionally to the file size.
-
- 335. [bug] named would occasionally attempt recursion when
- it was disallowed or undesired.
-
- 334. [func] Added hmac-md5 to libisc.
-
- 333. [bug] The resolver incorrectly accepted referrals to
- domains that were not parents of the query name,
- causing assertion failures.
-
- 332. [func] New function dns_name_reset().
-
- 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
-
- 330. [bug] Many debugging messages were partially formatted
- even when debugging was turned off, causing a
- significant decrease in query performance.
-
- 329. [func] omapi_auth_register() now takes a size_t argument for
- the length of a key's secret data. Previously
- OMAPI only stored secrets up to the first NUL byte.
-
- 328. [func] Added isc_base64_decodestring().
-
- 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
- address where a host specification was required.
-
- 326. [func] 'keys' in an 'inet' control statement is now
- required and must have at least one item in it.
- A "not supported" warning is now issued if a 'unix'
- control channel is defined.
-
- 325. [bug] isc_lex_gettoken was processing octal strings when
- ISC_LEXOPT_CNUMBER was not set.
-
- 324. [func] In the resolver, turn EDNS0 off if there is no
- response after a number of retransmissions.
- This is to allow queries some chance of succeeding
- even if all the authoritative servers of a zone
- silently discard EDNS0 requests instead of
- sending an error response like they ought to.
-
- 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
- Because of this, servers authoritative for a parent
- and grandchild zone but not authoritative for the
- intervening child zone did not correctly issue
- referrals to the servers of the child zone.
-
- 322. [bug] Queries for KEY RRs are now sent to the parent
- server before the authoritative one, making
- DNSSEC insecurity proofs work in many cases
- where they previously didn't.
-
- 321. [bug] When synthesizing a CNAME RR for a DNAME
- response, query_addcname() failed to initialize
- the type and class of the CNAME dns_rdata_t,
- causing random failures.
-
- 320. [func] Multiple rndc changes: parses an rndc.conf file,
- uses authentication to talk to named, command
- line syntax changed. This will all be described
- in the ARM.
-
- 319. [func] The named.conf "controls" statement is now used
- to configure the OMAPI command channel.
-
- 318. [func] dns_c_ndcctx_destroy() could never return anything
- except ISC_R_SUCCESS; made it have void return instead.
-
- 317. [func] Use callbacks from libomapi to determine if a
- new connection is valid, and if a key requested
- to be used with that connection is valid.
-
- 316. [bug] Generate a warning if we detect an unexpected <eof>
- but treat as <eol><eof>.
-
- 315. [bug] Handle non-empty blanks lines. [RT #163]
-
- 314. [func] The named.conf controls statement can now have
- more than one key specified for the inet clause.
-
- 313. [bug] When parsing resolv.conf, don't terminate on an
- error. Instead, parse as much as possible, but
- still return an error if one was found.
-
- 312. [bug] Increase the number of allowed elements in the
- resolv.conf search path from 6 to 8. If there
- are more than this, ignore the remainder rather
- than returning a failure in lwres_conf_parse.
-
- 311. [bug] lwres_conf_parse failed when the first line of
- resolv.conf was empty or a comment.
-
- 310. [func] Changes to named.conf "controls" statement (inet
- subtype only)
-
- - support "keys" clause
-
- controls {
- inet * port 1024
- allow { any; } keys { "foo"; }
- }
-
- - allow "port xxx" to be left out of statement,
- in which case it defaults to omapi's default port
- of 953.
-
- 309. [bug] When sending a referral, the server did not look
- for name server addresses as glue in the zone
- holding the NS RRset in the case where this zone
- was not the same as the one where it looked for
- name server addresses as authoritative data.
-
- 308. [bug] Treat a SOA record not at top of zone as an error
- when loading a zone. [RT #154]
-
- 307. [bug] When canceling a query, the resolver didn't check for
- isc_socket_sendto() calls that did not yet have their
- completion events posted, so it could (rarely) end up
- destroying the query context and then want to use
- it again when the send event posted, triggering an
- assertion as it tried to cancel an already-canceled
- query. [RT #77]
-
- 306. [bug] Reading HMAC-MD5 private key files didn't work.
-
- 305. [bug] When reloading the server with a config file
- containing a syntax error, it could catch an
- assertion failure trying to perform zone
- maintenance on tentatively created zones whose
- views were never fully configured and lacked
- an address database.
-
- 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
- are listed in resolv.conf, silently ignore them
- instead of returning failure.
-
- 303. [bug] Add additional sanity checks to differentiate a AXFR
- response vs a IXFR response. [RT #157]
-
- 302. [bug] In dig, host, and nslookup, MXNAME should be large
- enough to hold any legal domain name in presentation
- format + terminating NULL.
-
- 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
-
- 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
- on platforms lacking IPv6 because each included their
- own ipv6 header file for the missing definitions. Now
- each library's ipv6.h defines the wrapper symbol of
- the other (ISC_IPV6_H and LWRES_IPV6_H).
-
- 299. [cleanup] Get the user and group information before changing the
- root directory, so the administrator does not need to
- keep a copy of the user and group databases in the
- chroot'ed environment. Suggested by Hakan Olsson.
-
- 298. [bug] A mutex deadlock occurred during shutdown of the
- interface manager under certain conditions.
- Digital Unix systems were the most affected.
-
- 297. [bug] Specifying a key name that wasn't fully qualified
- in certain parts of the config file could cause
- an assertion failure.
-
- 296. [bug] "make install" from a separate build directory
- failed unless configure had been run in the source
- directory, too.
-
- 295. [bug] When invoked with type==CNAME and a message
- not constructed by dns_message_parse(),
- dns_message_findname() failed to find anything
- due to checking for attribute bits that are set
- only in dns_message_parse(). This caused an
- infinite loop when constructing the response to
- an ANY query at a CNAME in a secure zone.
-
- 294. [bug] If we run out of space in while processing glue
- when reading a master file and commit "current name"
- reverts to "name_current" instead of staying as
- "name_glue".
-
- 293. [port] Add support for FreeBSD 4.0 system tests.
-
- 292. [bug] Due to problems with the way some operating systems
- handle simultaneous listening on IPv4 and IPv6
- addresses, the server no longer listens on IPv6
- addresses by default. To revert to the previous
- behavior, specify "listen-on-v6 { any; };" in
- the config file.
-
- 291. [func] Caching servers no longer send outgoing queries
- over TCP just because the incoming recursive query
- was a TCP one.
-
- 290. [cleanup] +twiddle option to dig (for testing only) removed.
-
- 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
- host is now installed in $bindir. (Be sure to remove
- any $sbindir/dig from a previous release.)
-
- 288. [func] rndc is now installed by "make install" into $sbindir.
-
- 287. [bug] rndc now works again as "rndc 127.1 reload" (for
- only that task). Parsing its configuration file and
- using digital signatures for authentication has been
- disabled until named supports the "controls" statement,
- post-9.0.0.
-
- 286. [bug] On Solaris 2, when named inherited a signal state
- where SIGHUP had the SIG_IGN action, SIGHUP would
- be ignored rather than causing the server to reload
- its configuration.
-
- 285. [bug] A change made to the dst API for beta4 inadvertently
- broke OMAPI's creation of a dst key from an incoming
- message, causing an assertion to be triggered. Fixed.
-
- 284. [func] The DNSSEC key generation and signing tools now
- generate randomness from keyboard input on systems
- that lack /dev/random.
-
- 283. [cleanup] The 'lwresd' program is now a link to 'named'.
-
- 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
- too big for an unsigned long.
-
- 281. [bug] Fixed list of recognized config file category names.
-
- 280. [func] Add isc-config.sh, which can be used to more
- easily build applications that link with
- our libraries.
-
- 279. [bug] Private omapi function symbols shared between
- two or more files in libomapi.a were not namespace
- protected using the ISC convention of starting with
- the library name and two underscores ("omapi__"...)
-
- 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
- note of when isc_log_categorybyname() wasn't able
- to find the category name and would then apply the
- channel list of the unknown category to all categories.
-
- 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
- would fail to find the first member of any category
- or module array apart from the internal defaults.
- Thus, for example, the "notify" category was improperly
- configured by named.
-
- 276. [bug] dig now supports maximum sized TCP messages.
-
- 275. [bug] The definition of lwres_gai_strerror() was missing
- the lwres_ prefix.
-
- 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
- server.
-
- 273. [func] The default for the 'transfer-format' option is
- now 'many-answers'. This will break zone transfers
- to BIND 4.9.5 and older unless there is an explicit
- 'one-answer' configuration.
-
- 272. [bug] The sending of large TCP responses was canceled
- in mid-transmission due to a race condition
- caused by the failure to set the client object's
- "newstate" variable correctly when transitioning
- to the "working" state.
-
- 271. [func] Attempt to probe the number of cpus in named
- if unspecified rather than defaulting to 1.
-
- 270. [func] Allow maximum sized TCP answers.
-
- 269. [bug] Failed DNSSEC validations could cause an assertion
- failure by causing clone_results() to be called with
- with hevent->node == NULL.
-
- 268. [doc] A plain text version of the Administrator
- Reference Manual is now included in the distribution,
- as doc/arm/Bv9ARM.txt.
-
- 267. [func] Nsupdate is now provided in the distribution.
-
- 266. [bug] zone.c:save_nsrrset() node was not initialized.
-
- 265. [bug] dns_request_create() now works for TCP.
-
- 264. [func] Dispatch can not take TCP sockets in connecting
- state. Set DNS_DISPATCHATTR_CONNECTED when calling
- dns_dispatch_createtcp() for connected TCP sockets
- or call dns_dispatch_starttcp() when the socket is
- connected.
-
- 263. [func] New logging channel type 'stderr'
-
- channel some-name {
- stderr;
- severity error;
- }
-
- 262. [bug] 'master' was not initialized in zone.c:stub_callback().
-
- 261. [func] Add dns_zone_markdirty().
-
- 260. [bug] Running named as a non-root user failed on Linux
- kernels new enough to support retaining capabilities
- after setuid().
-
- 259. [func] New random-device and random-seed-file statements
- for global options block of named.conf. Both accept
- a single string argument.
-
- 258. [bug] Fixed printing of lwres_addr_t.address field.
-
- 257. [bug] The server detached the last zone manager reference
- too early, while it could still be in use by queries.
- This manifested itself as assertion failures during the
- shutdown process for busy name servers. [RT #133]
-
- 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
- isc_ratelimiter_shutdown guarantees that the rate
- limiter is detached from its task.
-
- 255. [func] New function dns_zonemgr_attach().
-
- 254. [bug] Suppress "query denied" messages on additional data
- lookups.
-
- --- 9.0.0b4 released ---
-
- 253. [func] resolv.conf parser now recognizes ';' and '#' as
- comments (anywhere in line, not just as the beginning).
-
- 252. [bug] resolv.conf parser mishandled masks on sortlists.
- It also aborted when an unrecognized keyword was seen,
- now it silently ignores the entire line.
-
- 251. [bug] lwresd caught an assertion failure on startup.
-
- 250. [bug] fixed handling of size+unit when value would be too
- large for internal representation.
-
- 249. [cleanup] max-cache-size config option now takes a size-spec
- like 'datasize', except 'default' is not allowed.
-
- 248. [bug] global lame-ttl option was not being printed when
- config structures were written out.
-
- 247. [cleanup] Rename cache-size config option to max-cache-size.
-
- 246. [func] Rename global option cachesize to cache-size and
- add corresponding option to view statement.
-
- 245. [bug] If an uncompressed name will take more than 255
- bytes and the buffer is sufficiently long,
- dns_name_fromwire should return DNS_R_FORMERR,
- not ISC_R_NOSPACE. This bug caused cause the
- server to catch an assertion failure when it
- received a query for a name longer than 255
- bytes.
-
- 244. [bug] empty named.conf file and empty options statement are
- now parsed properly.
-
- 243. [func] new cachesize option for named.conf
-
- 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
-
- 241. [cleanup] nscount and soacount have been removed from the
- dns_master_*() argument lists.
-
- 240. [func] databases now come in three flavours: zone, cache
- and stub.
-
- 239. [func] If ISC_MEM_DEBUG is enabled, the variable
- isc_mem_debugging controls whether messages
- are printed or not.
-
- 238. [cleanup] A few more compilation warnings have been quieted:
- + missing sigwait prototype on BSD/OS 4.0/4.0.1.
- + PTHREAD_ONCE_INIT unbraced initializer warnings on
- Solaris 2.8.
- + IN6ADDR_ANY_INIT unbraced initializer warnings on
- BSD/OS 4.*, Linux and Solaris 2.8.
-
- 237. [bug] If connect() returned ENOBUFS when the resolver was
- initiating a TCP query, the socket didn't get
- destroyed, and the server did not shut down cleanly.
-
- 236. [func] Added new listen-on-v6 config file statement.
-
- 235. [func] Consider it a config file error if a listen-on
- statement has an IPv6 address in it, or a
- listen-on-v6 statement has an IPv4 address in it.
-
- 234. [bug] Allow a trusted-key's first field (domain-name) be
- either a quoted or an unquoted string, instead of
- requiring a quoted string.
-
- 233. [cleanup] Convert all config structure integer values to unsigned
- integer (isc_uint32_t) to match grammar.
-
- 232. [bug] Allow slave zones to not have a file.
-
- 231. [func] Support new 'port' clause in config file options
- section. Causes 'listen-on', 'masters' and
- 'also-notify' statements to use its value instead of
- default (53).
-
- 230. [func] Replace the dst sign/verify API with a cleaner one.
-
- 229. [func] Support config file sig-validity-interval statement
- in options, views and zone statements (master
- zones only).
-
- 228. [cleanup] Logging messages in config module stripped of
- trailing period.
-
- 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
- dns_rcode_*, dns_opcode_*, and dns_trust_* are
- also now cast to their appropriate types, as with
- dns_rdatatype_* in item number 225 below.
-
- 226. [func] dns_name_totext() now always prints the root name as
- '.', even when omit_final_dot is true.
-
- 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
- cast to dns_rdatatype_t via macros of their same name
- so that they are of the proper integral type wherever
- a dns_rdatatype_t is needed.
-
- 224. [cleanup] The entire project builds cleanly with gcc's
- -Wcast-qual and -Wwrite-strings warnings enabled,
- which is now the default when using gcc. (Warnings
- from confparser.c, because of yacc's code, are
- unfortunately to be expected.)
-
- 223. [func] Several functions were re-prototyped to qualify one
- or more of their arguments with "const". Similarly,
- several functions that return pointers now have
- those pointers qualified with const.
-
- 222. [bug] The global 'also-notify' option was ignored.
-
- 221. [bug] An uninitialized variable was sometimes passed to
- dns_rdata_freestruct() when loading a zone, causing
- an assertion failure.
-
- 220. [cleanup] Set the default outgoing port in the view, and
- set it in sockaddrs returned from the ADB.
- [31-May-2000 explorer]
-
- 219. [bug] Signed truncated messages more correctly follow
- the respective specs.
-
- 218. [func] When an rdataset is signed, its ttl is normalized
- based on the signature validity period.
-
- 217. [func] Also-notify and trusted-keys can now be used in
- the 'view' statement.
-
- 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
- now work.
-
- 215. [bug] Failures at certain points in request processing
- could cause the assertion INSIST(client->lockview
- == NULL) to be triggered.
-
- 214. [func] New public function isc_netaddr_format(), for
- formatting network addresses in log messages.
-
- 213. [bug] Don't leak memory when reloading the zone if
- an update-policy clause was present in the old zone.
-
- 212. [func] Added dns_message_get/settsigkey, to make TSIG
- key management reasonable.
-
- 211. [func] The 'key' and 'server' statements can now occur
- inside 'view' statements.
-
- 210. [bug] The 'allow-transfer' option was ignored for slave
- zones, and the 'transfers-per-ns' option was
- was ignored for all zones.
-
- 209. [cleanup] Upgraded openssl files to new version 0.9.5a
-
- 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
- of an isc_offset_t.
-
- 207. [func] The dnssec tools properly use the logging subsystem.
-
- 206. [cleanup] dst now stores the key name as a dns_name_t, not
- a char *.
-
- 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
- ("prototyped function redeclared without prototype")
- and 1552 ("variable ... set but not used") when
- compiling in the lib/dns/sec/{dnssafe,openssl}
- directories, which contain code imported from outside
- sources.
-
- 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
- to quiet the warnings that "The linked output may not
- run on a PA 1.x system."
-
- 203. [func] notify and zone soa queries are now tsig signed when
- appropriate.
-
- 202. [func] isc_lex_getsourceline() changed from returning int
- to returning unsigned long, the type of its underlying
- counter.
-
- 201. [cleanup] Removed the test/sdig program, it has been
- replaced by bin/dig/dig.
-
- --- 9.0.0b3 released ---
-
- 200. [bug] Failures in sending query responses to clients
- (e.g., running out of network buffers) were
- not logged.
-
- 199. [bug] isc_heap_delete() sometimes violated the heap
- invariant, causing timer events not to be posted
- when due.
-
- 198. [func] Dispatch managers hold memory pools which
- any managed dispatcher may use. This allows
- us to avoid dipping into the memory context for
- most allocations. [19-May-2000 explorer]
-
- 197. [bug] When an incoming AXFR or IXFR completes, the
- zone's internal state is refreshed from the
- SOA data. [19-May-2000 explorer]
-
- 196. [func] Dispatchers can be shared easily between views
- and/or interfaces. [19-May-2000 explorer]
-
- 195. [bug] Including the NXT record of the root domain
- in a negative response caused an assertion
- failure.
-
- 194. [doc] The PDF version of the Administrator's Reference
- Manual is no longer included in the ISC BIND9
- distribution.
-
- 193. [func] changed dst_key_free() prototype.
-
- 192. [bug] Zone configuration validation is now done at end
- of config file parsing, and before loading
- callbacks.
-
- 191. [func] Patched to compile on UnixWare 7.x. This platform
- is not directly supported by the ISC.
-
- 190. [cleanup] The DNSSEC tools have been moved to a separate
- directory dnssec/ and given the following new,
- more descriptive names:
-
- dnssec-keygen
- dnssec-signzone
- dnssec-signkey
- dnssec-makekeyset
-
- Their command line arguments have also been changed to
- be more consistent. dnssec-keygen now prints the
- name of the generated key files (sans extension)
- on standard output to simplify its use in automated
- scripts.
-
- 189. [func] isc_time_secondsastimet(), a new function, will ensure
- that the number of seconds in an isc_time_t does not
- exceed the range of a time_t, or return ISC_R_RANGE.
- Similarly, isc_time_now(), isc_time_nowplusinterval(),
- isc_time_add() and isc_time_subtract() now check the
- range for overflow/underflow. In the case of
- isc_time_subtract, this changed a calling requirement
- (ie, something that could generate an assertion)
- into merely a condition that returns an error result.
- isc_time_add() and isc_time_subtract() were void-
- valued before but now return isc_result_t.
-
- 188. [func] Log a warning message when an incoming zone transfer
- contains out-of-zone data.
-
- 187. [func] isc_ratelimiter_enqueue() has an additional argument
- 'task'.
-
- 186. [func] dns_request_getresponse() has an additional argument
- 'preserve_order'.
-
- 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
- public functions did not have an isc__ prefix, and
- referred to functions that had previously been
- renamed.
-
- 184. [cleanup] Variables/functions which began with two leading
- underscores were made to conform to the ANSI/ISO
- standard, which says that such names are reserved.
-
- 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
- for logging the program name or other identifier.
-
- 182. [cleanup] New command-line parameters for dnssec tools
-
- 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
-
- 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
-
- 179. [func] options named.conf statement *must* now come
- before any zone or view statements.
-
- 178. [func] Post-load of named.conf check verifies a slave zone
- has non-empty list of masters defined.
-
- 177. [func] New per-zone boolean:
-
- enable-zone yes | no ;
-
- intended to let a zone be disabled without having
- to comment out the entire zone statement.
-
- 176. [func] New global and per-view option:
-
- max-cache-ttl number
-
- 175. [func] New global and per-view option:
-
- additional-data internal | minimal | maximal;
-
- 174. [func] New public function isc_sockaddr_format(), for
- formatting socket addresses in log messages.
-
- 173. [func] Keep a queue of zones waiting for zone transfer
- quota so that a new transfer can be dispatched
- immediately whenever quota becomes available.
-
- 172. [bug] $TTL directive was sometimes missing from dumped
- master files because totext_ctx_init() failed to
- initialize ctx->current_ttl_valid.
-
- 171. [cleanup] On NetBSD systems, the mit-pthreads or
- unproven-pthreads library is now always used
- unless --with-ptl2 is explicitly specified on
- the configure command line. The
- --with-mit-pthreads option is no longer needed
- and has been removed.
-
- 170. [cleanup] Remove inter server consistency checks from zone,
- these should return as a separate module in 9.1.
- dns_zone_checkservers(), dns_zone_checkparents(),
- dns_zone_checkchildren(), dns_zone_checkglue().
-
- Remove dns_zone_setadb(), dns_zone_setresolver(),
- dns_zone_setrequestmgr() these should now be found
- via the view.
-
- 169. [func] ratelimiter can now process N events per interval.
-
- 168. [bug] include statements in named.conf caused syntax errors
- due to not consuming the semicolon ending the include
- statement before switching input streams.
-
- 167. [bug] Make lack of masters for a slave zone a soft error.
-
- 166. [bug] Keygen was overwriting existing keys if key_id
- conflicted, now it will retry, and non-null keys
- with key_id == 0 are not generated anymore. Key
- was not able to generate NOAUTHCONF DSA key,
- increased RSA key size to 2048 bits.
-
- 165. [cleanup] Silence "end-of-loop condition not reached" warnings
- from Solaris compiler.
-
- 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
- isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
- isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
- to encapsulate nonportable usage of errno and sync.
-
- 163. [func] Added result codes ISC_R_FILENOTFOUND and
- ISC_R_FILEEXISTS.
-
- 162. [bug] Ensure proper range for arguments to ctype.h functions.
-
- 161. [cleanup] error in yyparse prototype that only HPUX caught.
-
- 160. [cleanup] getnet*() are not going to be implemented at this
- stage.
-
- 159. [func] Redefinition of config file elements is now an
- error (instead of a warning).
-
- 158. [bug] Log channel and category list copy routines
- weren't assigning properly to output parameter.
-
- 157. [port] Fix missing prototype for getopt().
-
- 156. [func] Support new 'database' statement in zone.
-
- database "quoted-string";
-
- 155. [bug] ns_notify_start() was not detaching the found zone.
-
- 154. [func] The signer now logs libdns warnings to stderr even when
- not verbose, and in a nicer format.
-
- 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
- is NULL then you need to preserve the 'rdata' until
- you have finished using the structure as there may be
- references to the associated memory. If 'mctx' is
- non-NULL it is guaranteed that there are no references
- to memory associated with 'rdata'.
-
- dns_rdata_freestruct() must be called if 'mctx' was
- non-NULL and may safely be called if 'mctx' was NULL.
-
- 152. [bug] keygen dumped core if domain name argument was omitted
- from command line.
-
- 151. [func] Support 'disabled' statement in zone config (causes
- zone to be parsed and then ignored). Currently must
- come after the 'type' clause.
-
- 150. [func] Support optional ports in masters and also-notify
- statements:
-
- masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
-
- 149. [cleanup] Removed unused argument 'olist' from
- dns_c_view_unsetordering().
-
- 148. [cleanup] Stop issuing some warnings about some configuration
- file statements that were not implemented, but now are.
-
- 147. [bug] Changed yacc union size to be smaller for yaccs that
- put yacc-stack on the real stack.
-
- 146. [cleanup] More general redundant header file cleanup. Rather
- than continuing to itemize every header which changed,
- this changelog entry just notes that if a header file
- did not need another header file that it was including
- in order to provide its advertised functionality, the
- inclusion of the other header file was removed. See
- util/check-includes for how this was tested.
-
- 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
- ISC_LANG_ENDDECLS to header files that had function
- prototypes, and removed it from those that did not.
-
- 144. [cleanup] libdns header files too numerous to name were made
- to conform to the same style for multiple inclusion
- protection.
-
- 143. [func] Added function dns_rdatatype_isknown().
-
- 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
- <isc/result.h>.
-
- 141. [bug] Corrupt requests with multiple questions could
- cause an assertion failure.
-
- 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
-
- 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
- <isc/int.h> and <isc/result.h>.
-
- 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
- renamed isc_string_touint64. isc_strsep moved from
- strsep.c to string.c and renamed isc_string_separate.
-
- 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
- <isc/serial.h>, <isc/string.h> and <isc/offset.h>
- made to conform to the same style for multiple
- inclusion protection.
-
- 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
- <isc/net.h> and Win32's <isc/thread.h> needed
- ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
-
- 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
- or <isc/boolean.h>, now uses <isc/types.h> in place
- of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
- and ISC_LANG_ENDDECLS.
-
- 134. [cleanup] <isc/dir.h> does not need <limits.h>.
-
- 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
-
- 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
- need <isc/eventclass.h>.
-
- 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
- for ISC_R_* codes used in macros.
-
- 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
- <isc/boolean.h>, and now includes <isc/types.h>
- instead of <isc/time.h>.
-
- 129. [bug] The 'default_debug' log channel was not set up when
- 'category default' was present in the config file
-
- 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
- ISC_LANG_ENDDECLS at end of header.
-
- 127. [cleanup] The contracts for the comparison routines
- dns_name_fullcompare(), dns_name_compare(),
- dns_name_rdatacompare(), and dns_rdata_compare() now
- specify that the order value returned is < 0, 0, or > 0
- instead of -1, 0, or 1.
-
- 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
-
- 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
- <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
- <isc/resultclass.h> do not need <isc/lang.h>.
-
- 124. [func] signer now imports parent's zone key signature
- and creates null keys/sets zone status bit for
- children when necessary
-
- 123. [cleanup] <isc/event.h> does not need <stddef.h>.
-
- 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
- <isc/result.h>.
-
- 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
- <isc/result.h>. Multiple inclusion protection
- symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
- isc_symtab_t moved to <isc/types.h>.
-
- 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
- <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
- <isc/net.h>.
-
- 119. [cleanup] structure definitions for generic rdata structures do
- not have _generic_ in their names.
-
- 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
- YACC crust (yyparse, etc) [2000-apr-27 explorer]
-
- 117. [cleanup] libdns.a changes:
- dns_zone_clearnotify() and dns_zone_addnotify()
- are replaced by dns_zone_setnotifyalso().
- dns_zone_clearmasters() and dns_zone_addmaster()
- are replaced by dns_zone_setmasters().
-
- 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
- on Unix systems).
-
- 115. [port] Shut up the -Wmissing-declarations warning about
- <stdio.h>'s __sputaux on BSD/OS pre-4.1.
-
- 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
- <isc/list.h>.
-
- 113. [func] Utility programs dig and host added.
-
- 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
-
- 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
- <isc/mutex.h>.
-
- 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
- <isc/list.h>.
-
- 109. [bug] "make depend" did nothing for
- bin/tests/{db,mem,sockaddr,tasks,timers}/.
-
- 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
- <dns/types.h> to <dns/bit.h> and renamed to
- DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
-
- 107. [func] Add keysigner and keysettool.
-
- 106. [func] Allow dnssec verifications to ignore the validity
- period. Used by several of the dnssec tools.
-
- 105. [doc] doc/dev/coding.html expanded with other
- implicit conventions the developers have used.
-
- 104. [bug] Made compress_add and compress_find static to
- lib/dns/compress.c.
-
- 103. [func] libisc buffer API changes for <isc/buffer.h>:
- Added:
- isc_buffer_base(b) (pointer)
- isc_buffer_current(b) (pointer)
- isc_buffer_active(b) (pointer)
- isc_buffer_used(b) (pointer)
- isc_buffer_length(b) (int)
- isc_buffer_usedlength(b) (int)
- isc_buffer_consumedlength(b) (int)
- isc_buffer_remaininglength(b) (int)
- isc_buffer_activelength(b) (int)
- isc_buffer_availablelength(b) (int)
- Removed:
- ISC_BUFFER_USEDCOUNT(b)
- ISC_BUFFER_AVAILABLECOUNT(b)
- isc_buffer_type(b)
- Changed names:
- isc_buffer_used(b, r) ->
- isc_buffer_usedregion(b, r)
- isc_buffer_available(b, r) ->
- isc_buffer_available_region(b, r)
- isc_buffer_consumed(b, r) ->
- isc_buffer_consumedregion(b, r)
- isc_buffer_active(b, r) ->
- isc_buffer_activeregion(b, r)
- isc_buffer_remaining(b, r) ->
- isc_buffer_remainingregion(b, r)
-
- Buffer types were removed, so the ISC_BUFFERTYPE_*
- macros are no more, and the type argument to
- isc_buffer_init and isc_buffer_allocate were removed.
- isc_buffer_putstr is now void (instead of isc_result_t)
- and requires that the caller ensure that there
- is enough available buffer space for the string.
-
- 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
- on BSD/OS 4.1.
-
- 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
-
- 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
- <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
-
- 99. [cleanup] Rate limiter now has separate shutdown() and
- destroy() functions, and it guarantees that all
- queued events are delivered even in the shutdown case.
-
- 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
- unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
-
- 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
- <isc/event.h>.
-
- 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
-
- 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
-
- 94. [cleanup] Some installed header files did not compile as C++.
-
- 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
-
- 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
- or <isc/result.h>.
-
- 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
- <isc/result.h>.
-
- 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
- from <named/listenlist.h>.
-
- 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
-
- 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
- <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
- moved to <isc/types.h>.
-
- 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
- <isc/mem.h> or <isc/result.h>.
-
- 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
- <isc/types.h>.
-
- 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
- <isc/list.h>, <isc/mem.h>, <isc/region.h> or
- <isc/int.h>.
-
- 84. [func] allow-query ACL checks now apply to all data
- added to a response.
-
- 83. [func] If the server is authoritative for both a
- delegating zone and its (nonsecure) delegatee, and
- a query is made for a KEY RR at the top of the
- delegatee, then the server will look for a KEY
- in the delegator if it is not found in the delegatee.
-
- 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
-
- 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
- <isc/lang.h>.
-
- 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
-
- 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
-
- 78. [cleanup] lwres_conftest renamed to lwresconf_test for
- consistency with other *_test programs.
-
- 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
- <isc/time.h> to <isc/types.h>.
-
- 76. [cleanup] Rewrote keygen.
-
- 75. [func] Don't load a zone if its database file is older
- than the last time the zone was loaded.
-
- 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
- subsumed by file.o.
-
- 73. [func] New "file" API in libisc, including new function
- isc_file_getmodtime, isc_mktemplate renamed to
- isc_file_mktemplate and isc_ufile renamed to
- isc_file_openunique. By no means an exhaustive API,
- it is just what's needed for now.
-
- 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
- added for dns_rbt_findnode, the former to disable the
- setting of the chain to the predecessor, and the
- latter to make clear when no options are set.
-
- 71. [cleanup] Made explicit the implicit REQUIREs of
- isc_time_seconds, isc_time_nanoseconds, and
- isc_time_subtract.
-
- 70. [func] isc_time_set() added.
-
- 69. [bug] The zone object's master and also-notify lists grew
- longer with each server reload.
-
- 68. [func] Partial support for SIG(0) on incoming messages.
-
- 67. [performance] Allow use of alternate (compile-time supplied)
- OpenSSL libraries/headers.
-
- 66. [func] Data in authoritative zones should have a trust level
- beyond secure.
-
- 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
- from <dns/types.h>.
-
- 64. [func] The RBT, DB, and zone table APIs now allow the
- caller find the most-enclosing superdomain of
- a name.
-
- 63. [func] Generate NOTIFY messages.
-
- 62. [func] Add UDP refresh support.
-
- 61. [cleanup] Use single quotes consistently in log messages.
-
- 60. [func] Catch and disallow singleton types on message
- parse.
-
- 59. [bug] Cause net/host unreachable to be a hard error
- when sending and receiving.
-
- 58. [bug] bin/named/query.c could sometimes trigger the
- (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
- == 0 assertion in query_newname().
-
- 57. [func] Added dns_nxt_typepresent()
-
- 56. [bug] SIG records were not properly returned in cached
- negative answers.
-
- 55. [bug] Responses containing multiple names in the authority
- section were not negatively cached.
-
- 54. [bug] If a fetch with sigrdataset==NULL joined one with
- sigrdataset!=NULL or vice versa, the resolver
- could catch an assertion or lose signature data,
- respectively.
-
- 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
- <sys/param.h>.
-
- 52. [bug] rndc: taskmgr and socketmgr were not initialized
- to NULL.
-
- 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
- dns/rbt.h; it was needed only by compress.c and zt.c.
-
- 50. [func] RBT deletion no longer requires a valid chain to work,
- and dns_rbt_deletenode was added.
-
- 49. [func] Each cache now has its own mctx.
-
- 48. [func] isc_task_create() no longer takes an mctx.
- isc_task_mem() has been eliminated.
-
- 47. [func] A number of modules now use memory context reference
- counting.
-
- 46. [func] Memory contexts are now reference counted.
- Added isc_mem_inuse() and isc_mem_preallocate().
- Renamed isc_mem_destroy_check() to
- isc_mem_setdestroycheck().
-
- 45. [bug] The trusted-key statement incorrectly loaded keys.
-
- 44. [bug] Don't include authority data if it would force us
- to unset the AD bit in the message.
-
- 43. [bug] DNSSEC verification of cached rdatasets was failing.
-
- 42. [cleanup] Simplified logging of messages with embedded domain
- names by introducing a new convenience function
- dns_name_format().
-
- 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
- to allow 'named' to run as a non-root user while
- retaining the ability to bind() to privileged
- ports.
-
- 40. [func] Introduced new logging category "dnssec" and
- logging module "dns/validator".
-
- 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
- and isc_lex_t to <isc/types.h>.
-
- 38. [bug] TSIG signed incoming zone transfers work now.
-
- 37. [bug] If the first RR in an incoming zone transfer was
- not an SOA, the server died with an assertion failure
- instead of just reporting an error.
-
- 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
-
- 35. [performance] Log messages which are of a level too high to be
- logged by any channel in the logging configuration
- will not cause the log mutex to be locked.
-
- 34. [bug] Recursion was allowed even with 'recursion no'.
-
- 33. [func] The RBT now maintains a parent pointer at each node.
-
- 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
- prototype.
-
- 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
-
- 30. [func] config file grammar change to support optional
- class type for a view.
-
- 29. [func] support new config file view options:
-
- auth-nxdomain recursion query-source
- query-source-v6 transfer-source
- transfer-source-v6 max-transfer-time-out
- max-transfer-idle-out transfer-format
- request-ixfr provide-ixfr cleaning-interval
- fetch-glue notify rfc2308-type1 lame-ttl
- max-ncache-ttl min-roots
-
- 28. [func] support lame-ttl, min-roots and serial-queries
- config global options.
-
- 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
- Including it on other platforms (eg, NetBSD) can
- cause a forced #error from the C preprocessor.
-
- 26. [func] new match-clients statement in config file view.
-
- 25. [bug] make install failed to install <isc/log.h> and
- <isc/ondestroy.h>.
-
- 24. [cleanup] Eliminate some unnecessary #includes of header
- files from header files.
-
- 23. [cleanup] Provide more context in log messages about client
- requests, using a new function ns_client_log().
-
- 22. [bug] SIGs weren't returned in the answer section when
- the query resulted in a fetch.
-
- 21. [port] Look at STD_CINCLUDES after CINCLUDES during
- compilation, so additional system include directories
- can be searched but header files in the bind9 source
- tree with conflicting names take precedence. This
- avoids issues with installed versions of dnssafe and
- openssl.
-
- 20. [func] Configuration file post-load validation of zones
- failed if there were no zones.
-
- 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
- lock in certain error cases.
-
- 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
- configure.in to check for presence of in6addr_any.
-
- 17. [func] Do configuration file post-load validation of zones.
-
- 16. [bug] put quotes around key names on config file
- output to avoid possible keyword clashes.
-
- 15. [func] Add dns_name_dupwithoffsets(). This function is
- improves comparison performance for duped names.
-
- 14. [bug] free_rbtdb() could have 'put' unallocated memory in
- an unlikely error path.
-
- 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
- out-of-zone data.
-
- 12. [bug] Fixed possible uninitialized variable error.
-
- 11. [bug] axfr_rrstream_first() didn't check the result code of
- db_rr_iterator_first(), possibly causing an assertion
- to be triggered later.
-
- 10. [bug] A bug in the code which makes EDNS0 OPT records in
- bin/named/client.c and lib/dns/resolver.c could
- trigger an assertion.
-
- 9. [cleanup] replaced bit-setting code in confctx.c and replaced
- repeated code with macro calls.
-
- 8. [bug] Shutdown of incoming zone transfer accessed
- freed memory.
-
- 7. [cleanup] removed 'listen-on' from view statement.
-
- 6. [bug] quote RR names when generating config file to
- prevent possible clash with config file keywords
- (such as 'key').
-
- 5. [func] syntax change to named.conf file: new ssu grant/deny
- statements must now be enclosed by an 'update-policy'
- block.
-
- 4. [port] bin/named/unix/os.c didn't compile on systems with
- linux 2.3 kernel includes due to conflicts between
- C library includes and the kernel includes. We now
- get only what we need from <linux/capability.h>, and
- avoid pulling in other linux kernel .h files.
-
- 3. [bug] TKEYs go in the answer section of responses, not
- the additional section.
-
- 2. [bug] Generating cryptographic randomness failed on
- systems without /dev/random.
-
- 1. [bug] The installdirs rule in
- lib/isc/unix/include/isc/Makefile.in had a typo which
- prevented the isc directory from being created if it
- didn't exist.
-
- --- 9.0.0b2 released ---
-
-# This tells Emacs to use hard tabs in this file.
-# Local Variables:
-# indent-tabs-mode: t
-# End:
--- /dev/null
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _changelog:
+
+Changelog
+=========
+
+.. note:: The following list contains detailed information about BIND9's
+ development. Regular users should refer to :ref:`Release Notes <relnotes>`
+ for changes relevant to them.
+
+Changes prior to 9.18.28
+------------------------
+
+::
+
+ --- 9.18.28 released ---
+
+ 6404. [security] Remove SIG(0) support from named as a countermeasure
+ for CVE-2024-1975. [GL #4480]
+
+ 6403. [security] qctx-zversion was not being cleared when it should have
+ been leading to an assertion failure if it needed to be
+ reused. (CVE-2024-4076) [GL #4507]
+
+ 6401. [security] An excessively large number of rrtypes per owner can
+ slow down database query processing, so a limit has been
+ placed on the number of rrtypes that can be stored per
+ owner (node) in a cache or zone database. This is
+ configured with the new "max-rrtypes-per-name" option,
+ and defaults to 100. (CVE-2024-1737)
+ [GL #3403] [GL #4548]
+
+ 6400. [security] Excessively large rdatasets can slow down database
+ query processing, so a limit has been placed on the
+ number of records that can be stored per rdataset
+ in a cache or zone database. This is configured
+ with the new "max-records-per-type" option, and
+ defaults to 100. (CVE-2024-1737)
+ [GL #497] [GL #3405]
+
+ 6399. [security] Malicious DNS client that sends many queries over
+ TCP but never reads responses can cause server to
+ respond slowly or not respond at all for other
+ clients. (CVE-2024-0760) [GL #4481]
+
+ 6398. [bug] Fix potential data races in our DoH implementation
+ related to HTTP/2 session object management and
+ endpoints set object management after reconfiguration.
+ We would like to thank Dzintars and Ivo from nic.lv
+ for bringing this to our attention. [GL #4473]
+
+ 6397. [bug] Clear DNS_FETCHOPT_TRYSTALE_ONTIMEOUT when looking for
+ parent NS records needed to get the DS result.
+ [GL #4661]
+
+ 6395. [bug] Handle ISC_R_HOSTDOWN and ISC_R_NETDOWN in resolver.c.
+ [GL #4736]
+
+ 6394. [bug] Named's -4 and -6 options now apply to zone primaries,
+ also-notify and parental-agents. Report when a zone
+ has these options configured but does not have an IPv4
+ or IPv6 address listed respectively. [GL #3472]
+
+ 6393. [func] Deal with uv_tcp_close_reset() error return codes
+ more gracefully. [GL #4708]
+
+ 6392. [bug] Use a completely new memory context when flushing the
+ cache. [GL #2744]
+
+ 6391. [bug] TCP client statistics could sometimes fail to decrease
+ when accepting client connection fails. [GL #4742]
+
+ 6390. [bug] Fix a data race in isc_task_purgeevent(). [GL !8937]
+
+ 6389. [bug] dnssec-verify and dnssec-signzone could fail if there
+ was an obscured DNSKEY RRset at a delegatation.
+ [GL #4517]
+
+ 6388. [bug] Prevent an assertion failure caused by passing NULL to
+ dns_dispatch_resume() when a dns_request times out close
+ to view shutdown. [GL #4719]
+
+ 6386. [bug] When shutting down catzs->view could point to freed
+ memory. Obtain a reference to the view to prevent this.
+ [GL #4502]
+
+ 6385. [func] Relax SVCB alias mode checks to allow parameters.
+ [GL #4704]
+
+ 6384. [bug] Remove infinite loop when including a directory in a
+ zone file. [GL #4357]
+
+ 6383. [bug] Address an infinite loop in $GENERATE when a negative
+ value was converted in nibble mode. [GL #4353]
+
+ 6382. [bug] Fix RPZ response's SOA record TTL, which was incorrectly
+ set to 1 if 'add-soa' is used. [GL #3323]
+
+ --- 9.18.27 released ---
+
+ 6374. [bug] Skip to next RRSIG if signature has expired or is in
+ the future rather than failing immediately. [GL #4586]
+
+ 6372. [func] Implement signature jitter for dnssec-policy. [GL #4554]
+
+ --- 9.18.26 released ---
+
+ 6364. [protocol] Add RESOLVER.ARPA to the built in empty zones.
+ [GL #4580]
+
+ 6363. [bug] dig/mdig +ednsflags=<non-zero-value> did not re-enable
+ EDNS if it had been disabled. [GL #4641]
+
+ 6361. [bug] Some invalid ISO 8601 durations were accepted
+ erroneously. [GL #4624]
+
+ 6360. [bug] Don't return static-stub synthesised NS RRset.
+ [GL #4608]
+
+ 6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552]
+
+ 6351. [protocol] Support for the RESINFO record type has been added.
+ [GL #4413]
+
+ 6346. [bug] Cleaned up several minor bugs in the RBTDB dbiterator
+ implementation. [GL !8741]
+
+ 6345. [bug] Added missing dns_rdataset_disassociate calls in
+ validator.c:findnsec3proofs. [GL #4571]
+
+ 6340. [test] Fix incorrectly reported errors when running tests
+ with `make test` on platforms with older pytest.
+ [GL #4560]
+
+ 6338. [func] Optimize slabheader placement, so the infrastructure
+ records are put in the beginning of the slabheader
+ linked list. [GL !8675]
+
+ 6334. [doc] Improve ARM parental-agents definition. [GL #4531]
+
+ 6333. [bug] Fix the DNS_GETDB_STALEFIRST flag, which was defined
+ incorrectly in lib/ns/query.c. [GL !8683]
+
+ 6330. [doc] Update ZSK minimum lifetime documentation in ARM, also
+ depends on signing delay. [GL #4510]
+
+ 6328. [func] Add workaround to enforce dynamic linker to pull
+ jemalloc earlier than libc to ensure all memory
+ allocations are done via jemalloc. [GL #4404]
+
+ 6326. [bug] Changes to "listen-on" statements were ignored on
+ reconfiguration unless the port or interface address was
+ changed, making it impossible to change a related
+ listener transport type. Thanks to Thomas Amgarten.
+ [GL #4518] [GL #4528]
+
+ 6325. [func] Expose the TCP client count in statistics channel.
+ [GL #4425]
+
+ 6324. [bug] Fix a possible crash in 'dig +nssearch +nofail' and
+ 'host -C' commands when one of the name servers returns
+ SERVFAIL. [GL #4508]
+
+ 6313. [bug] When dnssec-policy is in effect the DNSKEY's TTLs in
+ the zone where not being updated to match the policy.
+ This lead to failures when DNSKEYs where updated as the
+ TTLs mismatched. [GL #4466]
+
+ --- 9.18.25 released ---
+
+ 6356. [bug] Create the pruning task in the dns_cache_flush(), so
+ the cache pruning still works after the flush.
+ [GL #4621]
+
+ 6353. [bug] Improve the TTL-based cleaning by removing the expired
+ headers from the heap, so they don't block the next
+ cleaning round and clean more than a single item for
+ each new addition to the RBTDB. [GL #4591]
+
+ 6352. [bug] Revert change 6319 and decrease lock contention during
+ RBTDB tree pruning by not cleaning up nodes recursively
+ within a single prune_tree() call. [GL #4596]
+
+ 6350. [bug] Address use after free in expire_lru_headers. [GL #4495]
+
+ --- 9.18.24 released ---
+
+ 6343. [bug] Fix case insensitive setting for isc_ht hashtable.
+ [GL #4568]
+
+ --- 9.18.23 released ---
+
+ 6322. [security] Specific DNS answers could cause a denial-of-service
+ condition due to DNS validation taking a long time.
+ (CVE-2023-50387) [GL #4424]
+
+ The same code change also addresses another problem:
+ preparing NSEC3 closest encloser proofs could exhaust
+ available CPU resources. (CVE-2023-50868) [GL #4459]
+
+ 6321. [security] Change 6315 inadvertently introduced regressions that
+ could cause named to crash. [GL #4234]
+
+ 6320. [bug] Under some circumstances, the DoT code in client
+ mode could process more than one message at a time when
+ that was not expected. That has been fixed. [GL #4487]
+
+ --- 9.18.22 released ---
+
+ 6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning.
+ [GL #4383]
+
+ 6317. [security] Restore DNS64 state when handling a serve-stale timeout.
+ (CVE-2023-5679) [GL #4334]
+
+ 6316. [security] Specific queries could trigger an assertion check with
+ nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
+
+ 6315. [security] Speed up parsing of DNS messages with many different
+ names. (CVE-2023-4408) [GL #4234]
+
+ 6314. [bug] Address race conditions in dns_tsigkey_find().
+ [GL #4182]
+
+ 6312. [bug] Conversion from NSEC3 signed to NSEC signed could
+ temporarily put the zone into a state where it was
+ treated as unsigned until the NSEC chain was built.
+ Additionally conversion from one set of NSEC3 parameters
+ to another could also temporarily put the zone into a
+ state where it was treated as unsigned until the new
+ NSEC3 chain was built. [GL #1794] [GL #4495]
+
+ 6310. [bug] Memory leak in zone.c:sign_zone. When named signed a
+ zone it could leak dst_keys due to a misplaced
+ 'continue'. [GL #4488]
+
+ 6306. [func] Log more details about the cause of "not exact" errors.
+ [GL #4500]
+
+ 6304. [bug] The wrong time was being used to determine what RRSIGs
+ where to be generated when dnssec-policy was in use.
+ [GL #4494]
+
+ 6302. [func] The "trust-anchor-telemetry" statement is no longer
+ marked as experimental. This silences a relevant log
+ message that was emitted even when the feature was
+ explicitly disabled. [GL #4497]
+
+ 6300. [bug] Fix statistics export to use full 64 bit signed numbers
+ instead of truncating values to unsigned 32 bits.
+ [GL #4467]
+
+ 6299. [port] NetBSD has added 'hmac' to libc which collides with our
+ use of 'hmac'. [GL #4478]
+
+ --- 9.18.21 released ---
+
+ 6297. [bug] Improve LRU cleaning behaviour. [GL #4448]
+
+ 6296. [func] The "resolver-nonbackoff-tries" and
+ "resolver-retry-interval" options are deprecated;
+ a warning will be logged if they are used. [GL #4405]
+
+ 6294. [bug] BIND might sometimes crash after startup or
+ re-configuration when one 'tls' entry is used multiple
+ times to connect to remote servers due to initialisation
+ attempts from contexts of multiple threads. That has
+ been fixed. [GL #4464]
+
+ 6290. [bug] Dig +yaml will now report "no servers could be reached"
+ also for UDP setup failure when no other servers or
+ tries are left. [GL #1229]
+
+ 6287. [bug] Recognize escapes when reading the public key from file.
+ [GL !8502]
+
+ 6286. [bug] Dig +yaml will now report "no servers could be reached"
+ on TCP connection failure as well as for UDP timeouts.
+ [GL #4396]
+
+ 6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
+
+ --- 9.18.20 released ---
+
+ 6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
+ [GL !8454]
+
+ 6277. [bug] Take into account local authoritative zones when
+ falling back to serve-stale. [GL #4355]
+
+ 6275. [bug] Fix assertion failure when using lock-file configuration
+ option together -X argument to named. [GL #4386]
+
+ 6274. [bug] The 'lock-file' file was being removed when it
+ shouldn't have been making it ineffective if named was
+ started 3 or more times. [GL #4387]
+
+ 6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381]
+
+ 6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
+ 2801:1b8:10::b. [GL #4101]
+
+ 6267. [func] The timeouts for resending zone refresh queries over UDP
+ were lowered to enable named to more quickly determine
+ that a primary is down. [GL #4260]
+
+ 6265. [bug] Don't schedule resign operations on the raw version
+ of an inline-signing zone. [GL #4350]
+
+ 6261. [bug] Fix a possible assertion failure on an error path in
+ resolver.c:fctx_query(), when using an uninitialized
+ link. [GL #4331]
+
+ 6254. [cleanup] Add semantic patch to do an explicit cast from char
+ to unsigned char in ctype.h class of functions.
+ [GL #4327]
+
+ 6252. [test] Python system tests have to be executed by invoking
+ pytest directly. Executing them with the legacy test
+ runner is no longer supported. [GL #4250]
+
+ 6250. [bug] The wrong covered value was being set by
+ dns_ncache_current for RRSIG records in the returned
+ rdataset structure. This resulted in TYPE0 being
+ reported as the covered value of the RRSIG when dumping
+ the cache contents. [GL #4314]
+
+ --- 9.18.19 released ---
+
+ 6246. [security] Fix use-after-free error in TLS DNS code when sending
+ data. (CVE-2023-4236) [GL #4242]
+
+ 6245. [security] Limit the amount of recursion that can be performed
+ by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]
+
+ 6244. [bug] Adjust log levels on malformed messages to NOTICE when
+ transferring in a zone. [GL #4290]
+
+ 6241. [bug] Take into account the possibility of partial TLS writes
+ in TLS DNS code. That helps to prevent DNS messages
+ corruption on long DNS over TLS streams. [GL #4255]
+
+ 6240. [bug] Use dedicated per-worker thread jemalloc memory
+ arenas for send buffers allocation to reduce memory
+ consumption and avoid lock contention. [GL #4038]
+
+ 6239. [func] Deprecate the 'dnssec-must-be-secure' option.
+ [GL #3700]
+
+ 6237. [bug] Address memory leaks due to not clearing OpenSSL error
+ stack. [GL #4159]
+
+ 6235. [doc] Clarify BIND 9 time formats. [GL #4266]
+
+ 6234. [bug] Restore stale-refresh-time value after flushing the
+ cache. [GL #4278]
+
+ 6232. [bug] Following the introduction of krb5-subdomain-self-rhs
+ and ms-subdomain-self-rhs update rules, removal of
+ nonexistent PTR and SRV records via UPDATE could fail.
+ [GL #4280]
+
+ 6231. [func] Make nsupdate honor -v for SOA requests if the server
+ is specified. [GL #1181]
+
+ 6230. [bug] Prevent an unnecessary query restart if a synthesized
+ CNAME target points to the CNAME owner. [GL #3835]
+
+ 6227. [bug] Check the statistics-channel HTTP Content-length
+ to prevent negative or overflowing values from
+ causing a crash. [GL #4125]
+
+ 6224. [bug] Check the If-Modified-Since value length to prevent
+ out-of-bounds write. [GL #4124]
+
+ --- 9.18.18 released ---
+
+ 6220. [func] Deprecate the 'dialup' and 'heartbeat-interval'
+ options. [GL #3700]
+
+ 6219. [bug] Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
+ [GL #4032]
+
+ 6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API
+ support is not configured. [GL #4225]
+
+ 6213. [bug] Mark a primary server as temporarily unreachable if the
+ TCP connection attempt times out. [GL #4215]
+
+ 6212. [bug] Don't process detach and close netmgr events when
+ the netmgr has been paused. [GL #4200]
+
+ --- 9.18.17 released ---
+
+ 6206. [bug] Add shutdown checks in dns_catz_dbupdate_callback() to
+ avoid a race with dns_catz_shutdown_catzs(). [GL #4171]
+
+ 6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs.
+ [GL #4154]
+
+ 6204. [bug] Use NS records for relaxed QNAME-minimization mode.
+ This reduces the number of queries named makes when
+ resolving, as it allows the non-existence of NS RRsets
+ at non-referral nodes to be cached in addition to the
+ referrals that are normally cached. [GL #3325]
+
+ 6200. [bug] Fix nslookup erroneously reporting a timeout when the
+ input is delayed. [GL #4044]
+
+ 6199. [bug] Improve HTTP Connection: header protocol conformance
+ in the statistics channel. [GL #4126]
+
+ 6198. [func] Remove the holes in the isc_result_t enum to compact
+ the isc_result tables. [GL #4149]
+
+ 6197. [bug] Fix a data race between the dns_zone and dns_catz
+ modules when registering/unregistering a database
+ update notification callback for a catalog zone.
+ [GL #4132]
+
+ 6196. [cleanup] Report "permission denied" instead of "unexpected error"
+ when trying to update a zone file on a read-only file
+ system. Thanks to Midnight Veil. [GL #4134]
+
+ 6193. [bug] Fix a catz db update notification callback registration
+ logic error, which could crash named when receiving an
+ AXFR update for a catalog zone while the previous update
+ process of the catalog zone was already running.
+ [GL #4136]
+
+ 6166. [func] Retry without DNS COOKIE on FORMERR if it appears that
+ the FORMERR was due to the presence of a DNS COOKIE
+ option. [GL #4049]
+
+ --- 9.18.16 released ---
+
+ 6192. [security] A query that prioritizes stale data over lookup
+ triggers a fetch to refresh the stale data in cache.
+ If the fetch is aborted for exceeding the recursion
+ quota, it was possible for 'named' to enter an infinite
+ callback loop and crash due to stack overflow. This has
+ been fixed. (CVE-2023-2911) [GL #4089]
+
+ 6190. [security] Improve the overmem cleaning process to prevent the
+ cache going over the configured limit. (CVE-2023-2828)
+ [GL #4055]
+
+ 6188. [performance] Reduce memory consumption by allocating properly
+ sized send buffers for stream-based transports.
+ [GL #4038]
+
+ 6186. [bug] Fix a 'clients-per-query' miscalculation bug. When the
+ 'stale-answer-enable' options was enabled and the
+ 'stale-answer-client-timeout' option was enabled and
+ larger than 0, named was taking two places from the
+ 'clients-per-query' limit for each client and was
+ failing to gradually auto-tune its value, as configured.
+ [GL #4074]
+
+ 6185. [func] Add "ClientQuota" statistics channel counter, which
+ indicates the number of the resolver's spilled queries
+ due to reaching the clients per query quota. [GL !7978]
+
+ 6183. [bug] Fix a serve-stale bug where a delegation from cache
+ could be returned to the client. [GL #3950]
+
+ 6182. [cleanup] Remove configure checks for epoll, kqueue and
+ /dev/poll. [GL #4098]
+
+ 6181. [func] The "tkey-dhkey" option has been deprecated; a
+ warning will be logged when it is used. In a future
+ release, Diffie-Hellman TKEY mode will be removed.
+ [GL #3905]
+
+ 6180. [bug] The session key object could be incorrectly added
+ to multiple different views' keyrings. [GL #4079]
+
+ 6179. [bug] Fix an interfacemgr use-after-free error in
+ zoneconf.c:isself(). [GL #3765]
+
+ 6176. [test] Add support for using pytest & pytest-xdist to
+ execute the system test suite. [GL #3978]
+
+ 6174. [bug] BIND could get stuck on reconfiguration when a
+ 'listen' statement for HTTP is removed from the
+ configuration. That has been fixed. [GL #4071]
+
+ 6173. [bug] Properly process extra "nameserver" lines in
+ resolv.conf otherwise the next line is not properly
+ processed. [GL #4066]
+
+ 6169. [bug] named could crash when deleting inline-signing zones
+ with "rndc delzone". [GL #4054]
+
+ 6165. [bug] Fix a logic error in dighost.c which could call the
+ dighost_shutdown() callback twice and cause problems
+ if the callback function was not idempotent. [GL #4039]
+
+ --- 9.18.15 released ---
+
+ 6164. [bug] Set the rndc idle read timeout back to 60 seconds,
+ from the netmgr default of 30 seconds, in order to
+ match the behavior of 9.16 and earlier. [GL #4046]
+
+ 6161. [bug] Fix log file rotation when using absolute path as
+ file. [GL #3991]
+
+ 6157. [bug] When removing delegations in an OPTOUT range
+ empty-non-terminal NSEC3 records generated by
+ those delegations were not removed. [GL #4027]
+
+ 6156. [bug] Reimplement the maximum and idle timeouts for incoming
+ zone tranfers. [GL #4004]
+
+ 6155. [bug] Treat ISC_R_INVALIDPROTO as a networking error
+ in the dispatch code to avoid retrying with the
+ same server. [GL #4005]
+
+ 6152. [bug] In dispatch, honour the configured source-port
+ selection when UDP connection fails with address
+ in use error.
+
+ Also treat ISC_R_NOPERM same as ISC_R_ADDRINUSE.
+ [GL #3986]
+
+ 6149. [test] As a workaround, include an OpenSSL header file before
+ including cmocka.h in the unit tests, because OpenSSL
+ 3.1.0 uses __attribute__(malloc), conflicting with a
+ redefined malloc in cmocka.h. [GL #4000]
+
+ --- 9.18.14 released ---
+
+ 6145. [bug] Fix a possible use-after-free bug in the
+ dns__catz_done_cb() function. [GL #3997]
+
+ 6143. [bug] A reference counting problem on the error path in
+ the xfrin_connect_done() might cause an assertion
+ failure on shutdown. [GL #3989]
+
+ 6142. [bug] Reduce the number of dns_dnssec_verify calls made
+ determining if revoked keys needs to be removed from
+ the trust anchors. [GL #3981]
+
+ 6141. [bug] Fix several issues in nsupdate timeout handling and
+ update the -t option's documentation. [GL #3674]
+
+ 6138. [doc] Fix the DF-flag documentation on the outgoing
+ UDP packets. [GL #3710]
+
+ 6136. [cleanup] Remove the isc_fsaccess API in favor of creating
+ temporary file first and atomically replace the key
+ with non-truncated content. [GL #3982]
+
+ 6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967]
+
+ 6129. [cleanup] Value stored to 'source' during its initialization is
+ never read. [GL #3965]
+
+ 6128. [bug] Fix an omission in an earlier commit to avoid a race
+ between the 'dns__catz_update_cb()' and
+ 'dns_catz_dbupdate_callback()' functions. [GL #3968]
+
+ 6126. [cleanup] Deprecate zone type "delegation-only" and the
+ "delegation-only" and "root-delegation-only"
+ options. [GL #3953]
+
+ 6125. [bug] Hold a catz reference while the update process is
+ running, so that the catalog zone is not destroyed
+ during shutdown until the update process is finished or
+ properly canceled by the activated 'shuttingdown' flag.
+ [GL #3955]
+
+ 6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to
+ an NSEC3 incapable DNSSEC algorithm using KASP the zone
+ could sometimes be incompletely signed. [GL #3937]
+
+ 6121. [bug] Fix BIND and dig zone transfer hanging when
+ downloading large zones over TLS from a primary server,
+ especially over unstable connections. [GL #3867]
+
+ --- 9.18.13 released ---
+
+ 6120. [bug] Use two pairs of dns_db_t and dns_dbversion_t in a
+ catalog zone structure to avoid a race between the
+ dns__catz_update_cb() and dns_catz_dbupdate_callback()
+ functions. [GL #3907]
+
+ 6119. [bug] Make sure to revert the reconfigured zones to the
+ previous version of the view, when the new view
+ reconfiguration fails during the configuration of
+ one of the configured zones. [GL #3911]
+
+ 6116. [bug] Fix error path cleanup issues in dns_catz_new_zones()
+ and dns_catz_new_zone() functions. [GL #3900]
+
+ 6115. [bug] Unregister db update notify callback before detaching
+ from the previous db inside the catz update notify
+ callback. [GL #3777]
+
+ 6114. [func] Run the catalog zone update process on the offload
+ threads. [GL #3881]
+
+ 6113. [func] Add shutdown signaling for catalog zones. [GL !7571]
+
+ 6112. [func] Add reference count tracing for dns_catz_zone_t and
+ dns_catz_zones_t. [GL !7570]
+
+ 6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in
+ configure_rpz() and configure_catz(), respectively,
+ just after attaching it to the new view. [GL #3880]
+
+ 6098. [test] Don't test HMAC-MD5 when not supported by libcrypto.
+ [GL #3871]
+
+ 6096. [bug] Fix RPZ reference counting error on shutdown in
+ dns__rpz_timer_cb(). [GL #3866]
+
+ 6095. [test] Test various 'islands of trust' configurations when
+ using managed keys. [GL #3662]
+
+ 6094. [bug] Building against (or running with) libuv versions
+ 1.35.0 and 1.36.0 is now a fatal error. The rules for
+ mixing and matching compile-time and run-time libuv
+ versions have been tightened for libuv versions between
+ 1.35.0 and 1.40.0. [GL #3840]
+
+ 6092. [bug] dnssec-cds failed to cleanup properly. [GL #3831]
+
+ 6089. [bug] Source ports configured for query-source,
+ transfer-source, etc, were being ignored. (This
+ feature is deprecated, but it is not yet removed,
+ so the bug still needed fixing.) [GL #3790]
+
+ --- 9.18.12 released ---
+
+ 6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently
+ broken by change 6042. [GL #3827]
+
+ 6082. [test] fuzz/dns_message_checksig leaked memory when shutting
+ down. [GL #3828]
+
+ 6081. [bug] Handle primary server address lookup failures in
+ nsupdate more gracefully. [GL #3830]
+
+ 6080. [bug] 'named -V' leaked memory. [GL #3829]
+
+ 6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds'
+ command. [GL #3822]
+
+ 6075. [bug] Add missing node lock when setting node->wild in
+ add_wildcard_magic. [GL #3799]
+
+ 6074. [func] Refactor the isc_nm_xfr_allowed() function to return
+ isc_result_t instead of boolean. [GL #3808]
+
+ 6073. [bug] Set RD=1 on DS requests to parental-agents. [GL #3783]
+
+ 6072. [bug] Avoid the OpenSSL lock contention when initializing
+ Message Digest Contexts by using explicit algorithm
+ fetching, initializing static contexts for every
+ supported algorithms, and initializing the new context
+ by copying the static copy. [GL #3795]
+
+ 6071. [func] The use of "port" when configuring query-source,
+ transfer-source, notify-source and parental-source
+ addresses has been deprecated, along with the
+ use-v[46]-udp-ports and avoid-v[46]-udp-ports
+ options. A warning will be logged when these
+ options are used. In a future release, they
+ will be removed. [GL #3781]
+
+
+ 6069. [bug] Detach from the view in zone_shutdown() to
+ release the memory held by the dead view
+ early. [GL #3801]
+
+ 6068. [bug] Downloading a zone via TLS from a server which does
+ not negotiate "dot" ALPN token could crash BIND
+ on shutdown. That has been fixed. [GL #3767]
+
+ 6057. [bug] Fix shutdown and error path bugs in the rpz unit.
+ [GL #3735]
+
+ 5850. [func] Run the RPZ update process on the offload threads.
+ [GL #3190]
+
+ --- 9.18.11 released ---
+
+ 6067. [security] Fix serve-stale crash when recursive clients soft quota
+ is reached. (CVE-2022-3924) [GL #3619]
+
+ 6066. [security] Handle RRSIG lookups when serve-stale is active.
+ (CVE-2022-3736) [GL #3622]
+
+ 6064. [security] An UPDATE message flood could cause named to exhaust all
+ available memory. This flaw was addressed by adding a
+ new "update-quota" statement that controls the number of
+ simultaneous UPDATE messages that can be processed or
+ forwarded. The default is 100. A stats counter has been
+ added to record events when the update quota is
+ exceeded, and the XML and JSON statistics version
+ numbers have been updated. (CVE-2022-3094) [GL #3523]
+
+ 6062. [func] The DSCP implementation, which has been
+ nonfunctional for some time, is now marked as
+ obsolete and the implementation has been removed.
+ Configuring DSCP values in named.conf has no
+ effect, and a warning will be logged that
+ the feature should no longer be used. [GL #3773]
+
+ 6061. [bug] Fix unexpected "Prohibited" extended DNS error
+ on allow-recursion. [GL #3743]
+
+ 6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
+ by detaching from the zone manager outside of the write
+ lock. [GL #3768]
+
+ 6059. [bug] In some serve stale scenarios, like when following an
+ expired CNAME record, named could return SERVFAIL if the
+ previous request wasn't successful. Consider non-stale
+ data when in serve-stale mode. [GL #3678]
+
+ 6058. [bug] Prevent named from crashing when "rndc delzone"
+ attempts to delete a zone added by a catalog zone.
+ [GL #3745]
+
+ 6053. [bug] Fix an ADB quota management bug in resolver. [GL #3752]
+
+ 6051. [bug] Improve thread safety in the dns_dispatch unit.
+ [GL #3178] [GL #3636]
+
+ 6050. [bug] Changes to the RPZ response-policy min-update-interval
+ and add-soa options now take effect as expected when
+ named is reconfigured. [GL #3740]
+
+ 6049. [bug] Exclude ABD hashtables from the ADB memory
+ overmem checks and don't clean ADB names
+ and ADB entries used in the last 10 seconds
+ (ADB_CACHE_MINIMUM). [GL #3739]
+
+ 6048. [bug] Fix a log message error in dns_catz_update_from_db(),
+ where serials with values of 2^31 or larger were logged
+ incorrectly as negative numbers. [GL #3742]
+
+ 6047. [bug] Try the next server instead of trying the same
+ server again on an outgoing query timeout.
+ [GL #3637]
+
+ 6046. [bug] TLS session resumption might lead to handshake
+ failures when client certificates are used for
+ authentication (Mutual TLS). This has been fixed.
+ [GL #3725]
+
+ 6045. [cleanup] The list of supported DNSSEC algorithms changed log
+ level from "warning" to "notice" to match named's other
+ startup messages. [GL !7217]
+
+ 6044. [bug] There was an "RSASHA236" typo in a log message.
+ [GL !7206]
+
+ 5845. [bug] Refactor the timer to keep track of posted events
+ as to use isc_task_purgeevent() instead of using
+ isc_task_purgerange(). The isc_task_purgeevent()
+ has been refactored to purge a single event instead
+ of walking through the list of posted events.
+ [GL #3252]
+
+ 5830. [func] Implement incremental resizing of isc_ht hash tables to
+ perform the rehashing gradually. The catalog zone
+ implementation has been optimized to work with hundreds
+ of thousands of member zones. [GL #3212] [GL #3744]
+
+ --- 9.18.10 released ---
+
+ 6043. [bug] The key file IO locks objects would never get
+ deleted from the hashtable due to off-by-one error.
+ [GL #3727]
+
+ 6042. [bug] ANY responses could sometimes have the wrong TTL.
+ [GL #3613]
+
+ 6040. [bug] Speed up the named shutdown time by explicitly
+ canceling all recursing ns_client objects for
+ each ns_clientmgr. [GL #3183]
+
+ 6039. [bug] Removing a catalog zone from catalog-zones without
+ also removing the referenced zone could leave a
+ dangling pointer. [GL #3683]
+
+ 6036. [bug] nslookup and host were not honoring the selected port
+ in TCP mode. [GL #3721]
+
+ 6034. [func] Deprecate alt-transfer-source, alt-transfer-source-v6
+ and use-alt-transfer-source. [GL #3694]
+
+ 6031. [bug] Move the "final reference detached" log message
+ from dns_zone unit to the DEBUG(1) log level.
+ [GL #3707]
+
+ 6027. [bug] Fix assertion failure in isc_http API used by
+ statschannel if the read callback would be called
+ on HTTP request that has been already closed.
+ [GL #3693]
+
+ 6026. [cleanup] Deduplicate time unit conversion factors.
+ [GL !7033]
+
+ 6025. [bug] Copy TLS identifier when setting up primaries for
+ catalog member zones. [GL #3638]
+
+ 6024. [func] Deprecate 'auto-dnssec'. [GL #3667]
+
+ 6022. [performance] The decompression implementation in dns_name_fromwire()
+ is now smaller and faster. [GL #3655]
+
+ 6021. [bug] Use the current domain name when checking answers from
+ a dual-stack-server. [GL #3607]
+
+ 6020. [bug] Ensure 'named-checkconf -z' respects the check-wildcard
+ option when loading a zone. [GL #1905]
+
+ 6019. [func] Deprecate `coresize`, `datasize`, `files`, and
+ `stacksize` named.conf options. [GL #3676]
+
+
+ 6017. [bug] The view's zone table was not locked when it should
+ have been leading to race conditions when external
+ extensions that manipulate the zone table where in
+ use. [GL #3468]
+
+ 6015. [bug] Some browsers (Firefox) send more than 10 HTTP
+ headers. Bump the number of allowed HTTP headers
+ to 100. [GL #3670]
+
+ 5902. [func] NXDOMAIN cache records are no longer retained in
+ the cache after expiry, even when serve-stale is
+ in use. [GL #3386]
+
+ --- 9.18.9 released ---
+
+ 6013. [bug] Fix a crash that could happen when you change
+ a dnssec-policy zone with NSEC3 to start using
+ inline-signing. [GL #3591]
+
+ 6009. [bug] Don't trust a placeholder KEYDATA from the managed-keys
+ zone by adding it into secroots. [GL #2895]
+
+ 6008. [bug] Fixed a race condition that could cause a crash
+ in dns_zone_synckeyzone(). [GL #3617]
+
+ 6007. [cleanup] Don't enforce the jemalloc use on NetBSD. [GL #3634]
+
+ 6003. [bug] Fix an inheritance bug when setting the port on
+ remote servers in configuration. [GL #3627]
+
+ 6002. [bug] Fix a resolver prefetch bug when the record's TTL value
+ is equal to the configured prefetch eligibility value,
+ but the record was erroneously not treated as eligible
+ for prefetching. [GL #3603]
+
+ 6001. [bug] Always call dns_adb_endudpfetch() after calling
+ dns_adb_beginudpfetch() for UDP queries in resolver.c,
+ in order to adjust back the quota. [GL #3598]
+
+ 6000. [bug] Fix a startup issue on Solaris systems with many
+ (reportedly > 510) CPUs. Thanks to Stacey Marshall from
+ Oracle for deep investigation of the problem. [GL #3563]
+
+ 5999. [bug] rpz-ip rules could be ineffective in some scenarios
+ with CD=1 queries. [GL #3247]
+
+ 5998. [bug] The RecursClients statistics counter could overflow
+ in certain resolution scenarios. [GL #3584]
+
+ 5997. [cleanup] Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR()
+ reporting macros. [GL !6914]
+
+ 5996. [bug] Fix a couple of bugs in cfg_print_duration(), which
+ could result in generating incomplete duration values
+ when printing the configuration using named-checkconf.
+ [GL !6880]
+
+ 5994. [func] Refactor the isc_httpd implementation used in the
+ statistics channel. [GL !6879]
+
+ --- 9.18.8 released ---
+
+ 5991. [protocol] Add support for parsing and validating "dohpath" to
+ SVCB. [GL #3544]
+
+ 5990. [test] fuzz/dns_message_checksig now creates the key directory
+ it uses when testing in /tmp at run time. [GL #3569]
+
+ 5988. [bug] Some out of memory conditions in opensslrsa_link.c
+ could lead to memory leaks. [GL #3551]
+
+ 5984. [func] 'named -V' now reports the list of supported
+ DNSSEC/DS/HMAC algorithms and the supported TKEY modes.
+ [GL #3541]
+
+ 5983. [bug] Changing just the TSIG key names for primaries in
+ catalog zones' member zones was not effective.
+ [GL #3557]
+
+ 5982. [func] Extend dig to allow requests to be signed using SIG(0)
+ as well as providing a mechanism to specify the signing
+ time. [GL !5923]
+
+ 5981. [test] Add dns_message_checksig fuzzer to check messages
+ signed using TSIG or SIG(0). [GL !5923]
+
+ 5978. [port] The ability to use pkcs11 via engine_pkcs11 has been
+ restored, by only using deprecated APIs in
+ OpenSSL 3.0.0. BIND needs to be compiled with
+ '-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS
+ at compile time. [GL !6711]
+
+ 5973. [bug] Fixed a possible invalid detach in UPDATE
+ processing. [GL #3522]
+
+ 5972. [bug] Gracefully handle when the statschannel HTTP connection
+ gets cancelled during sending data back to the client.
+ [GL #3542]
+
+ 5970. [func] Log the reason why a query was refused. [GL !6669]
+
+ 5967. [cleanup] Flagged the "random-device" option (which was
+ already nonoperational) as obsolete; configuring it
+ will generate a warning. [GL #3399]
+
+ 5963. [bug] Ensure struct named_server is properly initialized.
+ [GL #6531]
+
+ --- 9.18.7 released ---
+
+ 5962. [security] Fix memory leak in EdDSA verify processing.
+ (CVE-2022-38178) [GL #3487]
+
+ 5960. [security] Fix serve-stale crash that could happen when
+ stale-answer-client-timeout was set to 0 and there was
+ a stale CNAME in the cache for an incoming query.
+ (CVE-2022-3080) [GL #3517]
+
+ 5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0
+ and later versions. The openssldh_compare(),
+ openssldh_paramcompare(), and openssldh_todns()
+ functions were affected. (CVE-2022-2906) [GL #3491]
+
+ 5958. [security] When an HTTP connection was reused to get
+ statistics from the stats channel, and zlib
+ compression was in use, each successive
+ response sent larger and larger blocks of memory,
+ potentially reading past the end of the allocated
+ buffer. (CVE-2022-2881) [GL #3493]
+
+ 5957. [security] Prevent excessive resource use while processing large
+ delegations. (CVE-2022-2795) [GL #3394]
+
+ 5956. [func] Make RRL code treat all QNAMEs that are subject to
+ wildcard processing within a given zone as the same
+ name. [GL #3459]
+
+ 5955. [port] The libxml2 library has deprecated the usage of
+ xmlInitThreads() and xmlCleanupThreads() functions. Use
+ xmlInitParser() and xmlCleanupParser() instead.
+ [GL #3518]
+
+ 5954. [func] Fallback to IDNA2003 processing in dig when IDNA2008
+ conversion fails. [GL #3485]
+
+ 5953. [bug] Fix a crash on shutdown in delete_trace_entry(). Add
+ mctx attach/detach pair to make sure that the memory
+ context used by a memory pool is not destroyed before
+ the memory pool itself. [GL #3515]
+
+ 5952. [bug] Use quotes around address strings in YAML output.
+ [GL #3511]
+
+ 5951. [bug] In some cases, the dnstap query_message field was
+ erroneously set when logging response messages.
+ [GL #3501]
+
+ 5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing
+ dns_db_detachnode() call. [GL #3500]
+
+ 5947. [func] Change dnssec-policy to allow graceful transition from
+ an NSEC only zone to NSEC3. [GL #3486]
+
+ 5946. [bug] Fix statistics channel's handling of multiple HTTP
+ requests in a single connection which have non-empty
+ request bodies. [GL #3463]
+
+ 5945. [bug] If parsing /etc/bind.key failed, delv could assert
+ when trying to parse the built in trust anchors as
+ the parser hadn't been reset. [GL !6468]
+
+ 5944. [bug] Fix +http-plain-get and +http-plain-post options
+ support in dig. Thanks to Marco Davids at SIDN for
+ reporting the problem. [GL !6672]
+
+ 5942. [bug] Fix tkey.c:buildquery() function's error handling by
+ adding the missing cleanup code. [GL #3492]
+
+ 5941. [func] Zones with dnssec-policy now require dynamic DNS or
+ inline-siging to be configured explicitly. [GL #3381]
+
+ 5938. [bug] An integer type overflow could cause an assertion
+ failure when freeing memory. [GL #3483]
+
+ 5936. [bug] Don't enable serve-stale for lookups that error because
+ it is a duplicate query or a query that would be
+ dropped. [GL #2982]
+
+ 5935. [bug] Fix DiG lookup reference counting bug, which could
+ be observed in NSSEARCH mode. [GL #3478]
+
+ --- 9.18.6 released ---
+
+ 5934. [func] Improve fetches-per-zone fetch limit logging to log
+ the final allowed and spilled values of the fetch
+ counters before the counter object gets destroyed.
+ [GL #3461]
+
+ 5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
+ named on Fedorda 33, Oracle Linux 9 and RHEL9 when
+ they are disabled by the security policy. [GL #3469]
+
+ 5932. [bug] Fix rndc dumpdb -expired and always include expired
+ RRsets, not just for RBTDB_VIRTUAL time window.
+ [GL #3462]
+
+ 5931. [bug] Fix DiG query error handling robustness in NSSEARCH
+ mode by making sure that udp_ready(), tcp_connected(),
+ and send_done() callbacks start the next query in chain
+ even if there is some kind of error with the previous
+ query. [GL #3419]
+
+ 5930. [bug] Fix DiG query retry and fail-over bug in UDP mode.
+ Also simplify the overall retry and fail-over logic to
+ make it behave predictably, and always respect the
+ documented +retry/+tries count set by a command-line
+ option (or use the default values of 2 or 3
+ respectively). [GL #3407]
+
+ 5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
+ not fully effective; it was used for timing key
+ rollovers but did not actually place an upper limit
+ on TTLs when loading a zone. This has been
+ corrected, and the documentation has been clarified
+ to indicate that the old "max-zone-ttl" zone option
+ is now ignored when "dnssec-policy" is in use.
+ [GL #2918]
+
+ 5927. [bug] A race was possible in dns_dispatch_connect()
+ that could trigger an assertion failure if two
+ threads called it near-simultaneously. [GL #3456]
+
+ 5926. [func] Handle transient TCP connect() EADDRINUSE failures
+ on FreeBSD (and possibly other BSDs) by trying three
+ times before giving up. [GL #3451]
+
+ 5925. [bug] With a forwarder configured for all queries, resolution
+ failures encountered during DS chasing could trigger
+ assertion failures due to a logic bug in
+ resume_dslookup() that caused it to call
+ dns_resolver_createfetch() with an invalid name.
+ [GL #3439]
+
+ 5924. [func] When it's necessary to use AXFR to respond to an
+ IXFR request, a message explaining the reason
+ is now logged at level info. [GL #2683]
+
+ 5923. [bug] Fix inheritance for dnssec-policy when checking for
+ inline-signing. [GL #3438]
+
+ 5922. [bug] Forwarding of UPDATE message could fail with the
+ introduction of netmgr. This has been fixed. [GL #3389]
+
+ 5921. [test] Convert system tests to use a default DNSKEY algorithm
+ where the test is not DNSKEY algorithm specific.
+ [GL #3440]
+
+ --- 9.18.5 released ---
+
+ 5917. [bug] Update ifconfig.sh script as is miscomputed interface
+ identifiers when destroying interfaces. [GL #3061]
+
+ 5916. [bug] When resolving a name, don't give up immediately if an
+ authoritative server returns FORMERR; try the other
+ servers first. [GL #3152]
+
+ 5915. [bug] Detect missing closing brace (}) and computational
+ overflows in $GENERATE directives. [GL #3429]
+
+ 5914. [bug] When synth-from-dnssec generated a response using
+ records from a higher zone, it could unexpectedly prove
+ non-existance of records in a subordinate grafted-on
+ namespace. [GL #3402]
+
+ 5911. [bug] Update HTTP listener settings on reconfiguration.
+ [GL #3415]
+
+ 5910. [cleanup] Move built-in dnssec-policies into the defaultconf.
+ These are now printed with 'named -C'. [GL !6467]
+
+ 5909. [bug] The server-side destination port was missing from dnstap
+ captures of client traffic. [GL #3309]
+
+ 5908. [bug] Fix race conditions in route_connected(). [GL #3401]
+
+ 5907. [bug] Fix a crash in dig NS search mode when one of the NS
+ server queries fail. [GL #3207]
+
+ 5905. [bug] When the TCP connection would be closed/reset between
+ the connect/accept and the read, the uv_read_start()
+ return value would be unexpected and cause an assertion
+ failure. [GL #3400]
+
+ 5904. [func] Changed dnssec-signzone -H default to 0 additional
+ NSEC3 iterations. [GL #3395]
+
+ 5903. [bug] When named checks that the OPCODE in a response matches
+ that of the request, if there is a mismatch named logs
+ an error. Some of those error messages incorrectly
+ used RCODE instead of OPCODE to lookup the nemonic.
+ This has been corrected. [GL !6420]
+
+ 5901. [bug] When processing a catalog zone member zone make sure
+ that there is no configured pre-existing forward-only
+ forward zone with that name. [GL #2506]
+
+ --- 9.18.4 released ---
+
+ 5899. [func] Don't try to process DNSSEC-related and ZONEMD records
+ in catz. [GL #3380]
+
+ 5896. [func] Add some more dnssec-policy checks to detect weird
+ policies. [GL #1611]
+
+ 5895. [test] Add new set of unit test macros and move the unit
+ tests under single namespace in /tests/. [GL !6243]
+
+ 5893. [func] Add TLS session resumption support to the client-side
+ TLS code. [GL !6274]
+
+ 5891. [func] Key timing options for `dnssec-settime` and related
+ utilities now accept "UNSET" times as printed by
+ `dnssec-settime -p`. [GL #3361]
+
+ 5890. [bug] When the fetches-per-server quota was adjusted
+ because of an authoritative server timing out more
+ or less frequently, it was incorrectly set to 1
+ rather than the intended value. This has been
+ fixed. [GL #3327]
+
+ 5888. [bug] Only write key files if the dnssec-policy keymgr has
+ changed the metadata. [GL #3302]
+
+ 5837. [func] Key timing options for `dnssec-keygen` and
+ `dnssec-settime` now accept times as printed by
+ `dnssec-settime -p`. [GL !2947]
+
+ --- 9.18.3 released ---
+
+ 5886. [security] Fix a crash in DNS-over-HTTPS (DoH) code caused by
+ premature TLS stream socket object deletion.
+ (CVE-2022-1183) [GL #3216]
+
+ 5885. [bug] RPZ NSIP and NSDNAME rule processing didn't handle stub
+ and static-stub zones at or above the query name. This
+ has now been addressed. [GL #3232]
+
+ 5882. [contrib] Avoid name space collision in dlz modules by prefixing
+ functions with 'dlz_'. [GL !5778]
+
+ 5880. [func] Add new named command-line option -C to print built-in
+ defaults. [GL #1326]
+
+ 5879. [contrib] dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
+
+ 5877. [func] Introduce the concept of broken catalog zones described
+ in the DNS catalog zones draft version 5 document.
+ [GL #3224]
+
+ 5876. [func] Add DNS Extended Errors when stale answers are returned
+ from cache. [GL #2267]
+
+ 5875. [bug] Fixed a deadlock that could occur if an rndc
+ connection arrived during the shutdown of network
+ interfaces. [GL #3272]
+
+ 5873. [bug] Refactor the fctx_done() function to set fctx to
+ NULL after detaching, so that reference counting
+ errors will be easier to avoid. [GL #2969]
+
+ 5872. [bug] udp_recv() in dispatch could trigger an INSIST when the
+ callback's result indicated success but the response
+ was canceled in the meantime. [GL #3300]
+
+ 5866. [bug] Work around a jemalloc quirk which could trigger an
+ out-of-memory condition in named over time. [GL #3287]
+
+ 5863. [bug] If there was a pending negative cache DS entry,
+ validations depending upon it could fail. [GL #3279]
+
+ 5862. [bug] dig returned a 0 exit status on UDP connection failure.
+ [GL #3235]
+
+ 5861. [func] Implement support for catalog zones change of ownership
+ (coo) mechanism described in the DNS catalog zones draft
+ version 5 document. [GL #3223]
+
+ 5860. [func] Implement support for catalog zones options new syntax
+ based on catalog zones custom properties with "ext"
+ suffix described in the DNS catalog zones draft version
+ 5 document. [GL #3222]
+
+ 5859. [bug] Fix an assertion failure when using dig with +nssearch
+ and +tcp options by starting the next query in the
+ send_done() callback (like in the UDP mode) instead
+ of doing that recursively in start_tcp(). Also
+ ensure that queries interrupted while connecting
+ are detached properly. [GL #3144]
+
+ 5858. [bug] Don't remove CDS/CDNSKEY DELETE records on zone sign
+ when using 'auto-dnssec maintain;'. [GL #2931]
+
+ 5854. [func] Implement reference counting for TLS contexts and
+ allow reloading of TLS certificates on reconfiguration
+ without destroying the underlying TCP listener sockets
+ for TLS-based DNS transports. [GL #3122]
+
+ 5849. [cleanup] Remove use of exclusive mode in ns_interfacemgr in
+ favor of rwlocked access to localhost and localnets
+ members of dns_aclenv_t structure. [GL #3229]
+
+ 5842. [cleanup] Remove the task exclusive mode use in ns_clientmgr.
+ [GL #3230]
+
+ 5839. [func] Add support for remote TLS certificates
+ verification, both to BIND and dig, making it possible
+ to implement Strict and Mutual TLS authentication,
+ as described in RFC 9103, Section 9.3. [GL #3163]
+
+ --- 9.18.2 released ---
+
+ 5856. [bug] The "starting maxtime timer" message related to outgoing
+ zone transfers was incorrectly logged at the ERROR level
+ instead of DEBUG(1). [GL #3208]
+
+ 5855. [bug] Ensure that zone maintenance queries have a retry limit.
+ [GL #3242]
+
+ 5853. [bug] When using both the `+qr` and `+y` options `dig` could
+ crash if the connection to the first server was not
+ successful. [GL #3244]
+
+ 5852. [func] Add new "reuseport" option to enable/disable load
+ balancing of sockets. [GL #3249]
+
+ 5848. [bug] dig could hang in some cases involving multiple servers
+ in a lookup, when a request fails and the next one
+ refuses to start for some reason, for example if it was
+ an IPv4 mapped IPv6 address. [GL #3248]
+
+ 5844. [bug] dig +nssearch was hanging until manually interrupted.
+ [GL #3145]
+
+ 5843. [bug] When an UPDATE targets a zone that is not configured,
+ the requested zone name is now logged in the "not
+ authoritative" error message, so that it is easier to
+ track down problematic update clients. [GL #3209]
+
+ 5838. [cleanup] When modifying a member zone in a catalog zone, and it
+ is detected that the zone exists and was not created by
+ the current catalog zone, distinguish the two cases when
+ the zone was not added by a catalog zone at all, and
+ when the zone was added by a different catalog zone,
+ and log a warning message accordingly. [GL #3221]
+
+ 5836. [bug] Quote the dns64 prefix in error messages that complain
+ about problems with it, to avoid confusion with the
+ following dns64 ACLs. [GL #3210]
+
+ 5834. [cleanup] C99 variable-length arrays are difficult to use safely,
+ so avoid them except in test code. [GL #3201]
+
+ 5833. [bug] When encountering socket error while trying to initiate
+ a TCP connection to a server, dig could hang
+ indefinitely, when there were more servers to try.
+ [GL #3205]
+
+ 5832. [bug] When timing-out or having other types of socket errors
+ during a query, dig wasn't trying to perform the lookup
+ using other servers, in case they exist. [GL #3128]
+
+ 5831. [bug] When resending a UDP request in the result of a timeout,
+ the recv_done() function in dighost.c was prepending
+ the new query into the loookup's queries list instead
+ of inserting, which could cause an assertion failure
+ when the resent query's result was SERVFAIL. [GL #3020]
+
+ 5828. [bug] Replace single TCP write timer with per-TCP write
+ timers. [GL #3200]
+
+ 5825. [func] Set the minimum MTU on UDPv6 and TCPv6 sockets and
+ limit TCP maximum segment size (TCP_MAXSEG) to (1220)
+ for both TCPv4 and TCPv6 sockets. [GL #2201]
+
+ 5824. [bug] Invalid dnssec-policy definitions were being accepted
+ where the defined keys did not cover both KSK and ZSK
+ roles for a given algorithm. This is now checked for
+ and the dnssec-policy is rejected if both roles are
+ not present for all algorithms in use. [GL #3142]
+
+ 5823. [func] Replace hazard pointers based lock-free list with
+ locked-list based queue that's simpler and has no or
+ little performance impact. [GL #3180]
+
+ 5822. [bug] When calling dns_dispatch_send(), attach/detach
+ dns_request_t object as the read callback could
+ be called before send callback dereferencing
+ dns_request_t object too early. [GL #3105]
+
+ 5821. [bug] Fix query context management issues in the TCP part
+ of dig. [GL #3184]
+
+ --- 9.18.1 released ---
+
+ 5820. [security] An assertion could occur in resume_dslookup() if the
+ fetch had been shut down earlier. (CVE-2022-0667)
+ [GL #3129]
+
+ 5819. [security] Lookups involving a DNAME could trigger an INSIST when
+ "synth-from-dnssec" was enabled. (CVE-2022-0635)
+ [GL #3158]
+
+ 5818. [security] A synchronous call to closehandle_cb() caused
+ isc__nm_process_sock_buffer() to be called recursively,
+ which in turn left TCP connections hanging in the
+ CLOSE_WAIT state blocking indefinitely when
+ out-of-order processing was disabled. (CVE-2022-0396)
+ [GL #3112]
+
+ 5817. [security] The rules for acceptance of records into the cache
+ have been tightened to prevent the possibility of
+ poisoning if forwarders send records outside
+ the configured bailiwick. (CVE-2021-25220) [GL #2950]
+
+ 5816. [bug] Make BIND compile with LibreSSL 3.5.0, as it was using
+ not very accurate pre-processor checks for using shims.
+ [GL #3172]
+
+ 5815. [bug] If an oversized key name of a specific length was used
+ in the text form of an HTTP or SVBC record, an INSIST
+ could be triggered when parsing it. [GL #3175]
+
+ 5814. [bug] The RecursClients statistics counter could underflow
+ in certain resolution scenarios. [GL #3147]
+
+ 5812. [func] Drop the artificial limit on the number of queries
+ processed in a single TCP read callback. [GL #3141]
+
+ 5811. [bug] Reimplement the maximum and idle timeouts for outgoing
+ zone transfers. [GL #1897]
+
+ 5809. [bug] Reset client TCP connection when data received cannot
+ be parsed as a valid DNS request. [GL #3149]
+
+ 5808. [bug] Certain TCP failures were not caught and handled
+ correctly by the dispatch manager, causing
+ connections to time out rather than returning
+ SERVFAIL. [GL #3133]
+
+ 5807. [bug] Add a TCP "write" timer, and time out writing
+ connections after the "tcp-idle-timeout" period
+ has elapsed. [GL #3132]
+
+ 5806. [bug] An error in checking the "blackhole" ACL could cause
+ DNS requests sent by named to fail if the
+ destination address or prefix was specifically
+ excluded from the ACL. [GL #3157]
+
+ 5805. [func] The result of each resolver priming attempt is now
+ included in the "resolver priming query complete" log
+ message. [GL #3139]
+
+ 5804. [func] Add a debug log message when starting and ending
+ the task exclusive mode. [GL #3137]
+
+ 5803. [func] Use compile-time paths in the documentation.
+ [GL #2717]
+
+ 5802. [test] Add system test to test engine_pkcs11. [GL !5727]
+
+ 5801. [bug] Log "quota reached" message when hard quota
+ is reached when accepting a connection. [GL #3125]
+
+ 5800. [func] Add ECS support to the DLZ interface. [GL #3082]
+
+ 5799. [bug] Use L1 cache-line size detected at runtime. [GL #3108]
+
+ 5798. [test] Add system test to test dnssec-keyfromlabel. [GL #3092]
+
+ 5797. [bug] A failed view configuration during a named
+ reconfiguration procedure could cause inconsistencies
+ in BIND internal structures, causing a crash or other
+ unexpected errors. [GL #3060]
+
+ --- 9.18.0 released ---
+
+ 5796. [bug] Ignore the invalid (<= 0) values returned
+ by the sysconf() check for the L1 cache line
+ size. [GL #3108]
+
+ 5795. [bug] rndc could crash when interrupted by a signal
+ before receiving a response. [GL #3080]
+
+ 5794. [func] Set the IPV6_V6ONLY on all IPv6 sockets to
+ restrict the IPv6 sockets to sending and
+ receiving IPv6 packets only. [GL #3093]
+
+ 5793. [bug] Correctly detect and enable UDP recvmmsg support
+ in all versions of libuv that support it. [GL #3095]
+
+ 5792. [bug] Don't schedule zone events on ISC_R_SHUTTINGDOWN
+ event failures. [GL #3084]
+
+ 5791. [func] Remove workaround for servers returning FORMERR
+ when receiving NOTIFY query with SOA record in
+ ANSWER section. [GL #3086]
+
+ 5790. [bug] The control channel was incorrectly looking for
+ ISC_R_CANCELED as a signal that the named is
+ shutting down. In the dispatch refactoring,
+ the result code returned from network manager
+ is now ISC_R_SHUTTINGDOWN. Change the control
+ channel code to use ISC_R_SHUTTINGDOWN result
+ code to detect named being shut down. [GL #3079]
+
+ --- 9.17.22 released ---
+
+ 5789. [bug] Allow replacing expired zone signatures with
+ signatures created by the KSK. [GL #3049]
+
+ 5788. [bug] An assertion could occur if a catalog zone event was
+ scheduled while the task manager was being shut
+ down. [GL #3074]
+
+ 5787. [doc] Update 'auto-dnssec' documentation, it may only be
+ activated at zone level. [GL #3023]
+
+ 5786. [bug] Defer detaching from zone->raw in zone_shutdown() if
+ the zone is in the process of being dumped to disk, to
+ ensure that the unsigned serial number information is
+ always written in the raw-format header of the signed
+ version on an inline-signed zone. [GL #3071]
+
+ 5785. [bug] named could leak memory when two dnssec-policy clauses
+ had the same name. named failed to log this error.
+ [GL #3085]
+
+ 5784. [func] Implement TLS-contexts reuse. Reusing the
+ previously created TLS context objects can reduce
+ initialisation time for some configurations and enables
+ TLS session resumption for incoming zone transfers over
+ TLS (XoT). [GL #3067]
+
+ 5783. [func] named is now able to log TLS pre-master secrets for
+ debugging purposes. This requires setting the
+ SSLKEYLOGFILE environment variable appropriately.
+ [GL #2723]
+
+ 5782. [func] Use ECDSA P-256 instead of a 4096-bit RSA when
+ generating ephemeral key and certificate for the
+ 'tls ephemeral' configuration. [GL #2264]
+
+ 5781. [bug] Make BIND work with OpenSSL 3.0.1 as it is now
+ enforcing minimum buffer lengths in EVP_MAC_final and
+ hence EVP_DigestSignFinal. rndc and TSIG at a minimum
+ were broken by this change. [GL #3057]
+
+ 5780. [bug] The Linux kernel may send netlink messages
+ indicating that network interfaces have changed
+ when they have not. This caused frequent unnecessary
+ re-scans of the interfaces. Netlink messages now
+ only trigger re-scanning if a new address is seen
+ or an existing address is removed. [GL #3055]
+
+ 5779. [test] Drop cppcheck suppressions and workarounds. [GL #2886]
+
+ 5778. [bug] Destroyed TLS contexts could have been used after a
+ reconfiguration, making BIND unable to serve queries
+ over TLS and HTTPS. [GL #3053]
+
+ 5777. [bug] TCP connections could hang after receiving
+ non-matching responses. [GL #3042]
+
+ 5776. [bug] Add a missing isc_condition_destroy() for nmsocket
+ condition variable and add missing isc_mutex_destroy()
+ for nmworker lock. [GL #3051]
+
+ --- 9.17.21 released ---
+
+ 5775. [bug] Added a timer in the resolver to kill fetches that
+ have deadlocked as a result of dependency loops
+ with the ADB or the validator. This condition is
+ now logged with the message "shut down hung fetch
+ while resolving '<name>/<type>'". [GL #3040]
+
+ 5774. [func] Restore NSEC Aggressive Cache ("synth-from-dnssec")
+ as active by default. It is limited to NSEC only
+ and by default ignores NSEC records with next name
+ in form \000.domain. [GL #1265]
+
+ 5773. [func] Change the message when accepting TCP connection has
+ failed to say "Accepting TCP connection failed" and
+ change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
+ and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
+ [GL #2700]
+
+ 5772. [bug] The resolver could hang on shutdown due to dispatch
+ resources not being cleaned up when a TCP connection
+ was reset. [GL #3026]
+
+ 5771. [bug] Use idn2 UseSTD3ASCIIRules=false to disable additional
+ unicode validity checks because enabling the additional
+ checks would break valid domain names that contains
+ non-alphanumerical characters such as underscore
+ character (_) or wildcard (*). This reverts change
+ [GL !5738] from the previous release. [GL #1610]
+
+ 5770. [func] BIND could abort on startup on systems using old
+ OpenSSL versions when 'protocols' option is used inside
+ a 'tls' statement. [GL !5602]
+
+ 5769. [func] Added support for client-side 'tls' parameters when
+ doing incoming zone transfers via XoT. [GL !5602]
+
+ 5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
+
+ 5767. [func] Extend allow-transfer option with 'port' and
+ 'transport' options to restrict zone transfers to
+ a specific port and DNS transport protocol.
+ [GL #2776]
+
+ 5766. [func] Unused 'tls' clause options 'ca-file' and 'hostname'
+ were disabled. [GL !5600]
+
+ 5765. [bug] Fix a bug in DoH implementation making 'dig'
+ abort when ALPN negotiation fails. [GL #3022]
+
+ 5764. [bug] dns_sdlz_putrr failed to process some valid resource
+ records. [GL #3021]
+
+ 5763. [bug] Fix a bug in DoT code leading to an abort when
+ a zone transfer ends with an unexpected DNS message.
+ [GL #3004]
+
+ 5762. [bug] Fix a "named" crash related to removing and restoring a
+ `catalog-zone` entry in the configuration file and
+ running `rndc reconfig`. [GL #1608]
+
+ 5761. [bug] OpenSSL 3.0.0 support could fail to correctly read
+ ECDSA private keys leading to incorrect signatures
+ being generated. [GL #3014]
+
+ 5760. [bug] Prevent a possible use-after-free error in resolver.
+ [GL #3018]
+
+ 5759. [func] Set Extended DNS Error Code 18 - Prohibited if query
+ access is denied to the specific client. [GL #1836]
+
+ 5758. [bug] mdig now honors the operating system's preferred
+ ephemeral port range. [GL #2374]
+
+ 5757. [test] Replace sed in nsupdate system test with awk to
+ construct the nsupdate command. The sed expression
+ was not reliably changing the ttl. [GL #3003]
+
+ 5756. [func] Assign HTTP freshness lifetime to responses sent
+ via DNS-over-HTTPS, according to the recommendations
+ given in RFC 8484. [GL #2854]
+
+ --- 9.17.20 released ---
+
+ 5755. [bug] The statistics channel wasn't correctly handling
+ multiple HTTP requests, or pipelined or truncated
+ requests. [GL #2973]
+
+ 5754. [bug] "tls" statements may omit "key-file" and "cert-file",
+ but if either one is specified, then both must be.
+ [GL #2986]
+
+ 5753. [placeholder]
+
+ 5752. [bug] Fix an assertion failure caused by missing member zones
+ during a reload of a catalog zone. [GL #2308]
+
+ 5751. [port] Add support for OpenSSL 3.0.0. OpenSSL 3.0.0
+ deprecated 'engine' support. If OpenSSL 3.0.0 has
+ been built without support for deprecated functionality
+ pkcs11 via engine_pkcs11 is no longer available.
+ [GL #2843]
+
+ 5750. [bug] Fix a bug when comparing two RSA keys. There was a typo
+ which caused the "p" prime factors to not being
+ compared. [GL #2972]
+
+ 5749. [bug] Handle duplicate references to the same catalog
+ zone gracefully. [GL #2916]
+
+ 5748. [func] Update "nsec3param" defaults to iterations 0, salt
+ length 0. [GL #2956]
+
+ 5747. [func] Update rndc serve-stale status output to be less
+ confusing. [GL #2742]
+
+ 5746. [bug] A lame server delegation could lead to a loop in which
+ a resolver fetch depends on an ADB find which depends
+ on the same resolver fetch. Previously, this would
+ cause the fetch to hang until timing out, but after
+ change #5730 it would hang forever. The condition is
+ now detected and avoided. [GL #2927]
+
+ 5745. [bug] Fetch context objects now use attach/detach
+ semantics to make it easier to find and debug
+ reference-counting errors, and several such errors
+ have been fixed. [GL #2953]
+
+ 5744. [func] The network manager is now used for netlink sockets
+ to monitor network interface changes. This was the
+ last remaining use of the old isc_socket and
+ isc_socketmgr APIs, so they have now been removed.
+ The "named -S" argument and the "reserved-sockets"
+ option in named.conf have no function now, and are
+ deprecated. "socketmgr" statistics are no longer
+ reported in the statistics channel. [GL #2926]
+
+ 5743. [func] Add finer-grained "update-policy" rules,
+ "krb5-subdomain-self-rhs" and "ms-subdomain-self-rhs",
+ which restrict SRV and PTR record changes, allowing
+ only records whose content matches the machine name
+ embedded in the Kerberos principal making the change.
+ [GL #481]
+
+ 5742. [func] ISC_LIKELY() and ISC_UNLIKELY() macros have been
+ removed. [GL #2952]
+
+ 5741. [bug] Log files with "timestamp" suffixes could be left in
+ place after rolling, even if the number of preserved
+ log files exceeded the configured "versions" limit.
+ [GL #828]
+
+ 5740. [func] Implement incremental resizing of RBT hash table to
+ perform the rehashing gradually. [GL #2941]
+
+ 5739. [func] Change default of 'dnssec-dnskey-kskonly' to 'yes'.
+ [GL #1316]
+
+ 5738. [bug] Enable idn2 UseSTD3ASCIIRules=true to implement
+ additional unicode validity checks. [GL #1610]
+
+ 5737. [bug] Address Coverity warning in lib/dns/dnssec.c.
+ [GL #2935]
+
+ --- 9.17.19 released ---
+
+ 5736. [security] The "lame-ttl" option is now forcibly set to 0. This
+ effectively disables the lame server cache, as it could
+ previously be abused by an attacker to significantly
+ degrade resolver performance. (CVE-2021-25219)
+ [GL #2899]
+
+ 5735. [cleanup] The result codes which BIND 9 uses internally are now
+ all defined as a single list of enum values rather than
+ as multiple sets of integers scattered around shared
+ libraries. This prevents the need for locking in some
+ functions operating on result codes, and makes result
+ codes more debugger-friendly. [GL #719]
+
+ 5734. [bug] Fix intermittent assertion failures in dig which were
+ triggered during zone transfers. [GL #2884]
+
+ 5733. [func] Require the "dot" Application-Layer Protocol Negotiation
+ (ALPN) token to be selected in the TLS handshake for
+ zone transfers over TLS (XoT), as required by RFC 9103
+ section 7.1. [GL #2794]
+
+ 5732. [cleanup] Remove the dns_lib_init(), dns_lib_shutdown(),
+ ns_lib_init(), and ns_lib_shutdown() functions, as they
+ no longer served any useful purpose. [GL #88]
+
+ 5731. [bug] Disallow defining "http" configuration clauses called
+ "default" as they were silently ignored. [GL #2925]
+
+ 5730. [func] The resolver and the request and dispatch managers have
+ been substantially refactored, and are now based on the
+ network manager instead of the old isc_socket API. All
+ outgoing DNS queries and requests now use the new API;
+ isc_socket is only used to monitor for network interface
+ changes. [GL #2401]
+
+ 5729. [func] Allow finer control over TLS protocol configuration by
+ implementing new options for "tls" configuration clauses
+ ("dhparam-file", "ciphers", "prefer-server-ciphers",
+ "session-tickets"). These options make achieving perfect
+ forward secrecy (PFS) possible for DNS-over-TLS (DoT)
+ and DNS-over-HTTPS (DoH). [GL #2796]
+
+ 5728. [func] Allow specifying supported TLS protocol versions for
+ each "tls" configuration clause. [GL #2795]
+
+ 5727. [placeholder]
+
+ 5726. [bug] Fix a use-after-free bug which was triggered while
+ checking for duplicate "http" configuration clauses.
+ [GL #2924]
+
+ 5725. [bug] Fix an assertion failure triggered by passing an invalid
+ HTTP path to dig. [GL #2923]
+
+ 5724. [bug] Address a potential deadlock when checking zone content
+ consistency. [GL #2908]
+
+ 5723. [bug] Change 5709 broke backward compatibility for the
+ "check-names master ..." and "check-names slave ..."
+ options. This has been fixed. [GL #2911]
+
+ 5722. [bug] Preserve the contents of the receive buffer for TCPDNS
+ and TLSDNS when growing its size. [GL #2917]
+
+ 5721. [func] A new realloc()-like function, isc_mem_reget(), was
+ added to the libisc API for resizing memory chunks
+ allocated using isc_mem_get(). Memory (re)allocation
+ functions are now guaranteed to return non-NULL pointers
+ for zero-sized allocation requests. [GL !5440]
+
+ 5720. [contrib] Remove old-style DLZ drivers that had to be enabled at
+ build time. [GL #2814]
+
+ 5719. [func] Remove support for the "map" zone file format.
+ [GL #2882]
+
+ 5718. [bug] The "sig-signing-type" zone configuration option was
+ processed incorrectly, causing valid configurations to
+ be rejected. This has been fixed. [GL #2906]
+
+ 5717. [func] The "cache-file" option, which was documented as "for
+ testing purposes only" and not to be used, has been
+ removed. [GL #2903]
+
+ 5716. [placeholder]
+
+ 5715. [func] Add a check for ports specified in "*-source(-v6)"
+ options clashing with a global listening port. Such a
+ configuration was already unsupported, but it failed
+ silently; it is now treated as an error. [GL #2888]
+
+ 5714. [bug] Remove the "adjust interface" mechanism which was
+ responsible for setting up listeners on interfaces when
+ the "*-source(-v6)" address and port were the same as
+ the "listen-on(-v6)" address and port. Such a
+ configuration is no longer supported; under certain
+ timing conditions, that mechanism could prevent named
+ from listening on some TCP ports. This has been fixed.
+ [GL #2852]
+
+ 5713. [func] Add "primaries" as a synonym for "masters" and
+ "default-primaries" as a synonym for "default-masters"
+ in catalog zone configuration options. [GL #2818]
+
+ 5712. [func] Remove native PKCS#11 support in favor of engine_pkcs11
+ from the OpenSC project. [GL #2691]
+
+ --- 9.17.18 released ---
+
+ 5711. [bug] "map" files exceeding 2GB in size failed to load due to
+ a size comparison that incorrectly treated the file size
+ as a signed integer. [GL #2878]
+
+ 5710. [placeholder]
+
+ 5709. [func] When reporting zone types in the statistics channel, the
+ terms "primary" and "secondary" are now used instead of
+ "master" and "slave", respectively. Enum values
+ throughout the code have been updated to use this
+ terminology as well. [GL #1944]
+
+ 5708. [placeholder]
+
+ 5707. [bug] A bug was fixed which prevented dig from querying
+ DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860]
+
+ 5706. [cleanup] Support for external applications to register with
+ libisc and use it has been removed. Export versions of
+ BIND 9 libraries have not been supported for some time,
+ but the isc_lib_register() function was still available;
+ it has now been removed. [GL !2420]
+
+ 5705. [bug] Change #5686 altered the internal memory structure of
+ zone databases, but neglected to update the MAPAPI value
+ for zone files in "map" format. This caused named to
+ attempt to load incompatible map files, triggering an
+ assertion failure on startup. The MAPAPI value has now
+ been updated, so named rejects outdated files when
+ encountering them. [GL #2872]
+
+ 5704. [bug] Change #5317 caused the EDNS TCP Keepalive option to be
+ ignored inadvertently in client requests. It has now
+ been fixed and this option is handled properly again.
+ [GL #1927]
+
+ 5703. [bug] Fix a crash in dig caused by closing an HTTP/2 socket
+ associated with an unused HTTP/2 session. [GL #2858]
+
+ 5702. [bug] Improve compatibility with DNS-over-HTTPS (DoH) clients
+ by allowing HTTP/2 request headers in any order.
+ [GL #2875]
+
+ 5701. [bug] named-checkconf failed to detect syntactically invalid
+ values of the "key" and "tls" parameters used to define
+ members of remote server lists. [GL #2461]
+
+ 5700. [bug] When a member zone was removed from a catalog zone,
+ journal files for the former were not deleted.
+ [GL #2842]
+
+ 5699. [func] Data structures holding DNSSEC signing statistics are
+ now grown and shrunk as necessary upon key rollover
+ events. [GL #1721]
+
+ 5698. [bug] When a DNSSEC-signed zone which only has a single
+ signing key available is migrated to use KASP, that key
+ is now treated as a Combined Signing Key (CSK).
+ [GL #2857]
+
+ 5697. [func] dnssec-cds now only generates SHA-2 DS records by
+ default and avoids copying deprecated SHA-1 records from
+ a child zone to its delegation in the parent. If the
+ child zone does not publish SHA-2 CDS records,
+ dnssec-cds will generate them from the CDNSKEY records.
+ The "-a algorithm" option now affects the process of
+ generating DS digest records from both CDS and CDNSKEY
+ records. Thanks to Tony Finch. [GL #2871]
+
+ 5696. [protocol] Support for HTTPS and SVCB record types has been added.
+ [GL #1132]
+
+ 5695. [func] Add a new dig command-line option, "+showbadcookie",
+ which causes a BADCOOKIE response message to be
+ displayed when it is received from the server.
+ [GL #2319]
+
+ 5694. [bug] Stale data in the cache could cause named to send
+ non-minimized queries despite QNAME minimization being
+ enabled. [GL #2665]
+
+ 5693. [func] Restore support for reading "timeout" and "attempts"
+ options from /etc/resolv.conf, and use their values in
+ dig, host, and nslookup. (This was previously supported
+ by liblwres, and was still mentioned in the man pages,
+ but had stopped working after liblwres was deprecated in
+ favor of libirs.) [GL #2785]
+
+ 5692. [bug] Fix a rare crash in DNS-over-HTTPS (DoH) code caused by
+ detaching from an HTTP/2 session handle too early when
+ sending data. [GL #2851]
+
+ 5691. [bug] When a dynamic zone was made available in another view
+ using the "in-view" statement, running "rndc freeze"
+ always reported an "already frozen" error even though
+ the zone was successfully frozen. [GL #2844]
+
+ 5690. [func] dnssec-signzone now honors Predecessor and Successor
+ metadata found in private key files: if a signature for
+ an RRset generated by the inactive predecessor exists
+ and does not need to be replaced, no additional
+ signature is now created for that RRset using the
+ successor key. This enables dnssec-signzone to gradually
+ replace RRSIGs during a ZSK rollover. [GL #1551]
+
+ --- 9.17.17 released ---
+
+ 5689. [security] An assertion failure occurred when named attempted to
+ send a UDP packet that exceeded the MTU size, if
+ Response Rate Limiting (RRL) was enabled.
+ (CVE-2021-25218) [GL #2856]
+
+ 5688. [bug] Zones using KASP and inline-signed zones failed to apply
+ changes from the unsigned zone to the signed zone under
+ certain circumstances. This has been fixed. [GL #2735]
+
+ 5687. [bug] "rndc reload <zonename>" could trigger a redundant
+ reload for an inline-signed zone whose zone file was not
+ modified since the last "rndc reload". This has been
+ fixed. [GL #2855]
+
+ 5686. [func] The number of internal data structures allocated for
+ each zone was reduced. [GL #2829]
+
+ 5685. [bug] named failed to check the opcode of responses when
+ performing zone refreshes, stub zone updates, and UPDATE
+ forwarding. This has been fixed. [GL #2762]
+
+ 5684. [func] The DNS-over-HTTP (DoH) configuration syntax was
+ extended:
+ - The maximum number of active DoH connections can now
+ be set using the "http-listener-clients" option. The
+ default is 300.
+ - The maximum number of concurrent HTTP/2 streams per
+ connection can now be set using the
+ "http-streams-per-connection" option. The default is
+ 100.
+ - Both of these values can also be set on a per-listener
+ basis using the "listener-clients" and
+ "streams-per-connection" parameters in an "http"
+ statement.
+ [GL #2809]
+
+ 5683. [bug] The configuration-checking code now verifies HTTP paths.
+ [GL !5231]
+
+ 5682. [bug] Some changes to "zone-statistics" settings were not
+ properly processed by "rndc reconfig". This has been
+ fixed. [GL #2820]
+
+ 5681. [func] Relax the checks in the dns_zone_cdscheck() function to
+ allow CDS and CDNSKEY records in the zone that do not
+ match an existing DNSKEY record, as long as the
+ algorithm matches. This allows a clean rollover from one
+ provider to another in a multi-signer DNSSEC
+ configuration. [GL #2710]
+
+ 5680. [bug] HTTP GET requests without query strings caused a crash
+ in DoH code. This has been fixed. [GL !5268]
+
+ 5679. [func] Thread affinity is no longer set. [GL #2822]
+
+ 5678. [bug] The "check DS" code failed to release all resources upon
+ named shutdown when a refresh was in progress. This has
+ been fixed. [GL #2811]
+
+ 5677. [func] Previously, named accepted FORMERR responses both with
+ and without an OPT record, as an indication that a given
+ server did not support EDNS. To implement full
+ compliance with RFC 6891, only FORMERR responses without
+ an OPT record are now accepted. This intentionally
+ breaks communication with servers that do not support
+ EDNS and that incorrectly echo back the query message
+ with the RCODE field set to FORMERR and the QR bit set
+ to 1. [GL #2249]
+
+ 5676. [func] Memory allocation has been substantially refactored; it
+ is now based on the memory allocation API provided by
+ the jemalloc library, which is a new optional build
+ dependency for BIND 9. [GL #2433]
+
+ 5675. [bug] Compatibility with DoH clients has been improved by
+ ignoring the value of the "Accept" HTTP header.
+ [GL !5246]
+
+ 5674. [bug] A shutdown hang was triggered by DoH clients prematurely
+ aborting HTTP/2 streams. This has been fixed. [GL !5245]
+
+ 5673. [func] Add a new build-time option, --disable-doh, to allow
+ building BIND 9 without the libnghttp2 library.
+ [GL #2478]
+
+ 5672. [bug] Authentication of rndc messages could fail if a
+ "controls" statement was configured with multiple key
+ algorithms for the same listener. This has been fixed.
+ [GL #2756]
+
+ --- 9.17.16 released ---
+
+ 5671. [bug] A race condition could occur where two threads were
+ competing for the same set of key file locks, leading to
+ a deadlock. This has been fixed. [GL #2786]
+
+ 5670. [bug] create_keydata() created an invalid placeholder keydata
+ record upon a refresh failure, which prevented the
+ database of managed keys from subsequently being read
+ back. This has been fixed. [GL #2686]
+
+ 5669. [func] KASP support was extended with the "check DS" feature.
+ Zones with "dnssec-policy" and "parental-agents"
+ configured now check for DS presence and can perform
+ automatic KSK rollovers. [GL #1126]
+
+ 5668. [bug] Rescheduling a setnsec3param() task when a zone failed
+ to load on startup caused a hang on shutdown. This has
+ been fixed. [GL #2791]
+
+ 5667. [bug] The configuration-checking code failed to account for
+ the inheritance rules of the "dnssec-policy" option.
+ This has been fixed. [GL #2780]
+
+ 5666. [doc] The safe "edns-udp-size" value was tweaked to match the
+ probing value from BIND 9.16 for better compatibility.
+ [GL #2183]
+
+ 5665. [bug] If nsupdate sends an SOA request and receives a REFUSED
+ response, it now fails over to the next available
+ server. [GL #2758]
+
+ 5664. [func] For UDP messages larger than the path MTU, named now
+ sends an empty response with the TC (TrunCated) bit set.
+ In addition, setting the DF (Don't Fragment) flag on
+ outgoing UDP sockets was re-enabled. [GL #2790]
+
+ 5663. [bug] Non-zero OPCODEs are now properly handled when receiving
+ queries over DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
+ channels. [GL #2787]
+
+ 5662. [bug] Views with recursion disabled are now configured with a
+ default cache size of 2 MB unless "max-cache-size" is
+ explicitly set. This prevents cache RBT hash tables from
+ being needlessly preallocated for such views. [GL #2777]
+
+ 5661. [bug] Change 5644 inadvertently introduced a deadlock: when
+ locking the key file mutex for each zone structure in a
+ different view, the "in-view" logic was not considered.
+ This has been fixed. [GL #2783]
+
+ 5660. [bug] The configuration-checking code failed to account for
+ the inheritance rules of the "key-directory" option.
+ [GL #2778]
+
+ This change was included in BIND 9.17.15.
+
+ 5659. [bug] When preparing DNS responses, named could replace the
+ letters 'W' (uppercase) and 'w' (lowercase) with '\000'.
+ This has been fixed. [GL #2779]
+
+ This change was included in BIND 9.17.15.
+
+ 5658. [bug] Increasing "max-cache-size" for a running named instance
+ (using "rndc reconfig") did not cause the hash tables
+ used by cache databases to be grown accordingly. This
+ has been fixed. [GL #2770]
+
+ 5657. [cleanup] Support was removed for both built-in atomics in old
+ versions of Clang (< 3.6.0) and GCC (< 4.7.0), and
+ atomics emulated with a mutex. [GL #2606]
+
+ 5656. [bug] Named now ensures that large responses work correctly
+ over DNS-over-HTTPS (DoH), and that zone transfer
+ requests over DoH are explicitly rejected. [GL !5148]
+
+ 5655. [bug] Signed, insecure delegation responses prepared by named
+ either lacked the necessary NSEC records or contained
+ duplicate NSEC records when both wildcard expansion and
+ CNAME chaining were required to prepare the response.
+ This has been fixed. [GL #2759]
+
+ 5654. [port] Windows support has been removed. [GL #2690]
+
+ 5653. [bug] A bug that caused the NSEC3 salt to be changed on every
+ restart for zones using KASP has been fixed. [GL #2725]
+
+ --- 9.17.14 released ---
+
+ 5652. [bug] A copy-and-paste error in change 5584 caused the
+ IP_DONTFRAG socket option to be enabled instead of
+ disabled. This has been fixed. [GL #2746]
+
+ 5651. [func] Refactor zone dumping to be processed asynchronously via
+ the uv_work_t thread pool API. [GL #2732]
+
+ 5650. [bug] Prevent a crash that could occur if serve-stale was
+ enabled and a prefetch was triggered during a query
+ restart. [GL #2733]
+
+ 5649. [bug] If a query was answered with stale data on a server with
+ DNS64 enabled, an assertion could occur if a non-stale
+ answer arrived afterward. [GL #2731]
+
+ 5648. [bug] The calculation of the estimated IXFR transaction size
+ in dns_journal_iter_init() was invalid. [GL #2685]
+
+ 5647. [func] The interface manager has been refactored to use fewer
+ client manager objects, which in turn use fewer memory
+ contexts and tasks. This should result in less
+ fragmented memory and better startup performance.
+ [GL #2433]
+
+ 5646. [bug] The default TCP timeout for rndc has been increased to
+ 60 seconds. This was its original value, but it had been
+ inadvertently lowered to 10 when rndc was updated to use
+ the network manager. [GL #2643]
+
+ 5645. [cleanup] Remove the rarely-used dns_name_copy() function and
+ rename dns_name_copynf() to dns_name_copy(). [GL !5081]
+
+ 5644. [bug] Fix a race condition in reading and writing key files
+ for zones using KASP and configured in multiple views.
+ [GL #1875]
+
+ 5643. [placeholder]
+
+ 5642. [bug] Zones which are configured in multiple views with
+ different values set for "dnssec-policy" and with
+ identical values set for "key-directory" are now
+ detected and treated as a configuration error.
+ [GL #2463]
+
+ 5641. [bug] Address a potential memory leak in
+ dst_key_fromnamedfile(). [GL #2689]
+
+ 5640. [func] Add new configuration options for setting the size of
+ receive and send buffers in the operating system:
+ "tcp-receive-buffer", "tcp-send-buffer",
+ "udp-receive-buffer", and "udp-send-buffer". [GL #2313]
+
+ 5639. [bug] Check that the first and last SOA record of an AXFR are
+ consistent. [GL #2528]
+
+ --- 9.17.13 released ---
+
+ 5638. [bug] Improvements related to network manager/task manager
+ integration:
+ - isc_managers_create() and isc_managers_destroy()
+ functions were added to handle setup and teardown of
+ netmgr, taskmgr, timermgr, and socketmgr, since these
+ require a precise order of operations now.
+ - Event queue processing is now quantized to prevent
+ infinite looping.
+ - The netmgr can now be paused from within a netmgr
+ thread.
+ - Deadlocks due to a conflict between netmgr's
+ pause/resume and listen/stoplistening operations were
+ fixed.
+ [GL #2654]
+
+ 5637. [placeholder]
+
+ 5636. [bug] named and named-checkconf did not report an error when
+ multiple zones with the "dnssec-policy" option set were
+ using the same zone file. This has been fixed.
+ [GL #2603]
+
+ 5635. [bug] Journal compaction could fail when a journal with
+ invalid transaction headers was not detected at startup.
+ This has been fixed. [GL #2670]
+
+ 5634. [bug] If "dnssec-policy" was active and a private key file was
+ temporarily offline during a rekey event, named could
+ incorrectly introduce replacement keys and break a
+ signed zone. This has been fixed. [GL #2596]
+
+ 5633. [doc] The "inline-signing" option was incorrectly described as
+ being inherited from the "options"/"view" levels and was
+ incorrectly accepted at those levels without effect.
+ This has been fixed. [GL #2536]
+
+ 5632. [func] Add a new built-in KASP, "insecure", which is used to
+ transition a zone from a signed to an unsigned state.
+ The existing built-in KASP "none" should no longer be
+ used to unsign a zone. [GL #2645]
+
+ 5631. [protocol] Update the implementation of the ZONEMD RR type to match
+ RFC 8976. [GL #2658]
+
+ 5630. [func] Treat DNSSEC responses containing NSEC3 records with
+ iteration counts greater than 150 as insecure.
+ [GL #2445]
+
+ 5629. [func] Reduce the maximum supported number of NSEC3 iterations
+ that can be configured for a zone to 150. [GL #2642]
+
+ 5628. [bug] Host and nslookup could crash upon receiving a SERVFAIL
+ response. This has been fixed. [GL #2564]
+
+ 5627. [bug] RRSIG(SOA) RRsets placed anywhere other than at the zone
+ apex were triggering infinite resigning loops. This has
+ been fixed. [GL #2650]
+
+ 5626. [bug] When generating zone signing keys, KASP now also checks
+ for key ID conflicts among newly created keys, rather
+ than just between new and existing ones. [GL #2628]
+
+ 5625. [bug] A deadlock could occur when multiple "rndc addzone",
+ "rndc delzone", and/or "rndc modzone" commands were
+ invoked simultaneously for different zones. This has
+ been fixed. [GL #2626]
+
+ 5624. [func] Task manager events are now processed inside network
+ manager loops. The task manager no longer needs its own
+ set of worker threads, which improves resolver
+ performance. [GL #2638]
+
+ 5623. [bug] When named was shut down during an ongoing zone
+ transfer, xfrin_fail() could incorrectly be called
+ twice. This has been fixed. [GL #2630]
+
+ 5622. [cleanup] The lib/samples/ directory has been removed, as export
+ versions of libraries are no longer maintained.
+ [GL !4835]
+
+ 5621. [placeholder]
+
+ 5620. [bug] If zone journal files written by BIND 9.16.11 or earlier
+ were present when BIND was upgraded, the zone file for
+ that zone could have been inadvertently rewritten with
+ the current zone contents. This caused the original zone
+ file structure (e.g. comments, $INCLUDE directives) to
+ be lost, although the zone data itself was preserved.
+ This has been fixed. [GL #2623]
+
+ 5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the
+ protocol such that NSEC(3) TTL values are set to the
+ minimum of the SOA MINIMUM value or the SOA TTL.
+ [GL #2347]
+
+ 5618. [bug] Change 5149 introduced some inconsistencies in the way
+ record TTLs were presented in cache dumps. These
+ inconsistencies have been eliminated. [GL #389]
+ [GL #2289]
+
+ --- 9.17.12 released ---
+
+ 5617. [placeholder]
+
+ 5616. [security] named crashed when a DNAME record placed in the ANSWER
+ section during DNAME chasing turned out to be the final
+ answer to a client query. (CVE-2021-25215) [GL #2540]
+
+ 5615. [security] Insufficient IXFR checks could result in named serving a
+ zone without an SOA record at the apex, leading to a
+ RUNTIME_CHECK assertion failure when the zone was
+ subsequently refreshed. This has been fixed by adding an
+ owner name check for all SOA records which are included
+ in a zone transfer. (CVE-2021-25214) [GL #2467]
+
+ 5614. [bug] Ensure all resources are properly cleaned up when a call
+ to gss_accept_sec_context() fails. [GL #2620]
+
+ 5613. [bug] It was possible to write an invalid transaction header
+ in the journal file for a managed-keys database after
+ upgrading. This has been fixed. Invalid headers in
+ existing journal files are detected and named is able
+ to recover from them. [GL #2600]
+
+ 5612. [bug] Continued refactoring of the network manager:
+ - allow recovery from read and connect timeout events,
+ - ensure that calls to isc_nm_*connect() always
+ return the connection status via a callback
+ function.
+ [GL #2401]
+
+ 5611. [func] Set "stale-answer-client-timeout" to "off" by default.
+ [GL #2608]
+
+ 5610. [bug] Prevent a crash which could happen when a lookup
+ triggered by "stale-answer-client-timeout" was attempted
+ right after recursion for a client query finished.
+ [GL #2594]
+
+ 5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
+ source code. It was no longer necessary as all major
+ contemporary Kerberos/GSSAPI libraries include support
+ for SPNEGO. [GL #2607]
+
+ 5608. [bug] When sending queries over TCP, dig now properly handles
+ "+tries=1 +retry=0" by not retrying the connection when
+ the remote server closes the connection prematurely.
+ [GL #2490]
+
+ 5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover"
+ commands may affect the next scheduled key event,
+ reconfiguration of zone keys is now triggered after
+ receiving either of these commands to prevent
+ unnecessary key rollover delays. [GL #2488]
+
+ 5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone
+ transitions from a secure to an insecure state.
+ named-checkzone also no longer reports an error when
+ such records are found in an unsigned zone. [GL #2517]
+
+ 5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for
+ more accurate time reporting. [GL #2592]
+
+ 5604. [experimental] A "filter-a.so" plugin, which is similar to the
+ "filter-aaaa.so" plugin but which omits A records
+ instead of AAAA records, has been added. Thanks to
+ GitLab user @treysis. [GL #2585]
+
+ 5603. [placeholder]
+
+ 5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This
+ makes the "tcp-initial-timeout" and "tcp-idle-timeout"
+ options work correctly again. [GL #2583]
+
+ 5601. [bug] Zones using KASP could not be thawed after they were
+ frozen using "rndc freeze". This has been fixed.
+ [GL #2523]
+
+ 5600. [bug] Send a full certificate chain instead of just the leaf
+ certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS
+ (DoH) clients. This makes BIND 9 DoT/DoH servers
+ compatible with a broader set of clients. [GL #2514]
+
+ 5599. [bug] Fix a named crash which occurred after skipping a
+ primary server while transferring a zone over TLS.
+ [GL #2562]
+
+ 5598. [port] Silence -Wchar-subscripts compiler warnings triggered on
+ some platforms due to calling character classification
+ functions declared in the <ctype.h> header with
+ arguments of type char. [GL #2567]
+
+ --- 9.17.11 released ---
+
+ 5597. [bug] When serve-stale was enabled and starting the recursive
+ resolution process for a query failed, a named instance
+ could crash if it was configured as both a recursive and
+ authoritative server. This problem was introduced by
+ change 5573 and has now been fixed. [GL #2565]
+
+ 5596. [func] Client-side support for DNS-over-HTTPS (DoH) has been
+ added to dig. "dig +https" can now query a server via
+ HTTP/2. [GL #1641]
+
+ 5595. [cleanup] Public header files for BIND 9 libraries no longer
+ directly include third-party library headers. This
+ prevents the need to include paths to third-party header
+ files in CFLAGS whenever BIND 9 public header files are
+ used, which could cause build-time issues on hosts with
+ older versions of BIND 9 installed. [GL #2357]
+
+ 5594. [bug] Building with --enable-dnsrps --enable-dnsrps-dl failed.
+ [GL #2298]
+
+ 5593. [bug] Journal files written by older versions of named can now
+ be read when loading zones, so that journal
+ incompatibility does not cause problems on upgrade.
+ Outdated journals are updated to the new format after
+ loading. [GL #2505]
+
+ 5592. [bug] Prevent hazard pointer table overflows on machines with
+ many cores, by allowing the thread IDs (serving as
+ indices into hazard pointer tables) of finished threads
+ to be reused by those created later. [GL #2396]
+
+ 5591. [bug] Fix a crash that occurred when
+ "stale-answer-client-timeout" was triggered without any
+ (stale) data available in the cache to answer the query.
+ [GL #2503]
+
+ 5590. [bug] NSEC3 records were not immediately created for dynamic
+ zones using NSEC3 with "dnssec-policy", resulting in
+ such zones going bogus. Add code to process the
+ NSEC3PARAM queue at zone load time so that NSEC3 records
+ for such zones are created immediately. [GL #2498]
+
+ 5589. [placeholder]
+
+ 5588. [func] Add a new "purge-keys" option for "dnssec-policy". This
+ option determines the period of time for which key files
+ are retained after they become obsolete. [GL #2408]
+
+ 5587. [bug] A standalone libtool script no longer needs to be
+ present in PATH to build BIND 9 from a source tarball
+ prepared using "make dist". [GL #2504]
+
+ 5586. [bug] An invalid direction field in a LOC record resulted in
+ an INSIST failure when a zone file containing such a
+ record was loaded. [GL #2499]
+
+ 5585. [func] Memory contexts and memory pool implementations were
+ refactored to reduce lock contention for shared memory
+ contexts by replacing mutexes with atomic operations.
+ The internal memory allocator was simplified so that it
+ is only a thin wrapper around the system allocator. This
+ change made the "-M external" named option redundant and
+ it was therefore removed. [GL #2433]
+
+ 5584. [bug] No longer set the IP_DONTFRAG option on UDP sockets, to
+ prevent dropping outgoing packets exceeding
+ "max-udp-size". [GL #2466]
+
+ 5583. [func] Changes to DNS-over-HTTPS (DoH) configuration syntax:
+ - When "http" is specified in "listen-on" or
+ "listen-on-v6" statements, "tls" must also now be
+ specified. If an unencrypted connection is desired
+ (for example, when running behind a reverse proxy),
+ use "tls none".
+ - "http default" can now be specified in "listen-on" and
+ "listen-on-v6" statements to use the default HTTP
+ endpoint of "/dns-query". It is no longer necessary to
+ include an "http" statement in named.conf unless
+ overriding this value.
+ [GL #2472]
+
+ 5582. [bug] BIND 9 failed to build when static OpenSSL libraries
+ were used and the pkg-config files for libssl and/or
+ libcrypto were unavailable. This has been fixed by
+ ensuring that the correct linking order for libssl and
+ libcrypto is always used. [GL #2402]
+
+ 5581. [bug] Fix a memory leak that occurred when inline-signed zones
+ were added to the configuration, followed by a
+ reconfiguration of named. [GL #2041]
+
+ 5580. [test] The system test framework no longer differentiates
+ between SKIPPED and UNTESTED system test results. Any
+ system test which is not run is now marked as SKIPPED.
+ [GL !4517]
+
+ 5579. [bug] If an invalid key name (e.g. "a..b") was specified in a
+ primaries list in named.conf, the wrong size was passed
+ to isc_mem_put(), resulting in the returned memory being
+ put on the wrong free list. This prevented named from
+ starting up. [GL #2460]
+
+ --- 9.17.10 released ---
+
+ 5578. [protocol] Make "check-names" accept A records below "_spf",
+ "_spf_rate", and "_spf_verify" labels in order to cater
+ for the "exists" SPF mechanism specified in RFC 7208
+ section 5.7 and appendix D.1. [GL #2377]
+
+ 5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by
+ correctly implementing Equation (2) of the "Flexible and
+ Robust Key Rollover" paper. [GL #2375]
+
+ 5576. [experimental] Initial server-side implementation of DNS-over-HTTPS
+ (DoH). Support for both TLS-encrypted and unencrypted
+ HTTP/2 connections has been added to the network manager
+ and integrated into named. (Note: there is currently no
+ client-side support for DNS-over-HTTPS; this will be
+ added to dig in a future release.) [GL #1144]
+
+ 5575. [bug] When migrating to KASP, BIND 9 considered keys with the
+ "Inactive" and/or "Delete" timing metadata to be
+ possible active keys. This has been fixed. [GL #2406]
+
+ 5574. [func] Incoming zone transfers can now use TLS. Addresses in a
+ "primaries" list take an optional "tls" argument,
+ specifying either a previously configured "tls" block or
+ "ephemeral"; SOA queries and zone transfer requests are
+ then sent via TLS. [GL #2392]
+
+ 5573. [func] When serve-stale is enabled and stale data is available,
+ named now returns stale answers upon encountering any
+ unexpected error in the query resolution process.
+ However, the "stale-refresh-time" window is still only
+ started upon a timeout. [GL #2434]
+
+ 5572. [bug] Address potential double free in generatexml().
+ [GL #2420]
+
+ 5571. [bug] named failed to start when its configuration included a
+ zone with a non-builtin "allow-update" ACL attached.
+ [GL #2413]
+
+ 5570. [bug] Improve performance of the DNSSEC verification code by
+ reducing the number of repeated calls to
+ dns_dnssec_keyfromrdata(). [GL #2073]
+
+ 5569. [bug] Emit useful error message when "rndc retransfer" is
+ applied to a zone of inappropriate type. [GL #2342]
+
+ 5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
+ keys. [GL #2178]
+
+ 5567. [bug] Dig now reports unknown dash options while pre-parsing
+ the options. This prevents "-multi" instead of "+multi"
+ from reporting memory usage before ending option parsing
+ with "Invalid option: -lti". [GL #2403]
+
+ 5566. [func] Add "stale-answer-client-timeout" option, which is the
+ amount of time a recursive resolver waits before
+ attempting to answer the query using stale data from
+ cache. [GL #2247]
+
+ 5565. [func] The SONAMEs for BIND 9 libraries now include the current
+ BIND 9 version number, in an effort to tightly couple
+ internal libraries with a specific release. [GL #2387]
+
+ 5564. [cleanup] Network manager's TLSDNS module was refactored to use
+ libuv and libssl directly instead of a stack of TCP/TLS
+ sockets. [GL #2335]
+
+ 5563. [cleanup] Changed several obsolete configuration options to
+ ancient, making them fatal errors. Also cleaned up the
+ number of clause flags in the configuration parser.
+ [GL #1086]
+
+ 5562. [placeholder]
+
+ 5561. [bug] KASP incorrectly set signature validity to the value of
+ the DNSKEY signature validity. This is now fixed.
+ [GL #2383]
+
+ 5560. [func] The default value of "max-stale-ttl" has been changed
+ from 12 hours to 1 day and the default value of
+ "stale-answer-ttl" has been changed from 1 second to 30
+ seconds, following RFC 8767 recommendations. [GL #2248]
+
+ --- 9.17.9 released ---
+
+ 5559. [bug] The --with-maxminddb=PATH form of the build-time option
+ enabling support for libmaxminddb was not working
+ correctly. This has been fixed. [GL #2366]
+
+ 5558. [bug] Asynchronous hook modules could trigger an assertion
+ failure when the fetch handle was detached too late.
+ Thanks to Jinmei Tatuya at Infoblox. [GL #2379]
+
+ 5557. [bug] Prevent RBTDB instances from being destroyed by multiple
+ threads at the same time. [GL #2317]
+
+ 5556. [bug] Further tweak newline printing in dnssec-signzone and
+ dnssec-verify. [GL #2359]
+
+ 5555. [placeholder]
+
+ 5554. [bug] dnssec-signzone and dnssec-verify were missing newlines
+ between log messages. [GL #2359]
+
+ 5553. [bug] When reconfiguring named, removing "auto-dnssec" did not
+ turn off DNSSEC maintenance. [GL #2341]
+
+ 5552. [func] When switching to "dnssec-policy none;", named now
+ permits a safe transition to insecure mode and publishes
+ the CDS and CDNSKEY DELETE records, as described in RFC
+ 8078. [GL #1750]
+
+ 5551. [bug] named no longer attempts to assign threads to CPUs
+ outside the CPU affinity set. Thanks to Ole Bjørn
+ Hessen. [GL #2245]
+
+ 5550. [func] dnssec-signzone and named now log a warning when falling
+ back to the "increment" SOA serial method. [GL #2058]
+
+ 5549. [protocol] ipv4only.arpa is now served when DNS64 is configured.
+ [GL #385]
+
+ 5548. [placeholder]
+
+ 5547. [placeholder]
+
+ --- 9.17.8 released ---
+
+ 5546. [placeholder]
+
+ 5545. [func] OS support for load-balanced sockets is no longer
+ required to receive incoming queries in multiple netmgr
+ threads. [GL #2137]
+
+ 5544. [func] Restore the default value of "nocookie-udp-size" to 4096
+ bytes. [GL #2250]
+
+ 5543. [bug] Fix UDP performance issues caused by making netmgr
+ callbacks asynchronous-only. [GL #2320]
+
+ 5542. [bug] Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
+ [GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
+ [GL #2321]
+
+ 5541. [func] Adjust the "max-recursion-queries" default from 75 to
+ 100. [GL #2305]
+
+ 5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
+ [GL #2315]
+
+ 5539. [bug] Tighten handling of missing DNS COOKIE responses over
+ UDP by falling back to TCP. [GL #2275]
+
+ 5538. [func] Add NSEC3 support to KASP. A new option for
+ "dnssec-policy", "nsec3param", can be used to set the
+ desired NSEC3 parameters. NSEC3 salt collisions are
+ automatically prevented during resalting. Salt
+ generation is now logged with zone context. [GL #1620]
+
+ 5537. [func] The query plugin mechanism has been extended
+ to support asynchronous operations. For example, a
+ plugin can now trigger recursion and resume
+ processing when it is complete. Thanks to Jinmei
+ Tatuya at Infoblox. [GL #2141]
+
+ 5536. [func] Dig can now report the DNS64 prefixes in use
+ (+dns64prefix). [GL #1154]
+
+ 5535. [bug] dig/nslookup/host could crash on shutdown after an
+ interrupt. [GL #2287] [GL #2288]
+
+ 5534. [bug] The CNAME synthesized from a DNAME was incorrectly
+ followed when the QTYPE was CNAME or ANY. [GL #2280]
+
+ --- 9.17.7 released ---
+
+ 5533. [func] Add the "stale-refresh-time" option, a time window that
+ starts after a failed lookup, during which a stale RRset
+ is served directly from cache before a new attempt to
+ refresh it is made. [GL #2066]
+
+ 5532. [cleanup] Unused header files were removed:
+ bin/rndc/include/rndc/os.h, lib/isc/timer_p.h,
+ lib/isccfg/include/isccfg/dnsconf.h and code related
+ to those files. [GL #1913]
+
+ 5531. [func] Add support for DNS over TLS (DoT) to dig and named.
+ dig output now includes the transport protocol used.
+ [GL #1816] [GL #1840]
+
+ 5530. [bug] dnstap did not capture responses to forwarded UPDATE
+ requests. [GL #2252]
+
+ 5529. [func] The network manager API is now used by named to send
+ zone transfer requests. [GL #2016]
+
+ 5528. [func] Convert dig, host, and nslookup to use the network
+ manager API. As a side effect of this change, "dig
+ +unexpected" no longer works, and has been disabled.
+ [GL #2140]
+
+ 5527. [bug] A NULL pointer dereference occurred when creating an NTA
+ recheck query failed. [GL #2244]
+
+ 5526. [bug] Fix a race/NULL dereference in TCPDNS read. [GL #2227]
+
+ 5525. [placeholder]
+
+ 5524. [func] Added functionality to the network manager to support
+ outgoing DNS queries in addition to incoming ones.
+ [GL #2235]
+
+ 5523. [bug] The initial lookup in a zone transitioning to/from a
+ signed state could fail if the DNSKEY RRset was not
+ found. [GL #2236]
+
+ 5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
+
+ 5521. [func] All use of libltdl was dropped. libuv's shared library
+ handling interface is now used instead. [GL !4278]
+
+ 5520. [bug] Fixed a number of shutdown races, reference counting
+ errors, and spurious log messages that could occur
+ in the network manager. [GL #2221]
+
+ 5519. [cleanup] Unused source code was removed: lib/dns/dbtable.c,
+ lib/dns/portlist.c, lib/isc/bufferlist.c, and code
+ related to those files. [GL #2060]
+
+ 5518. [bug] Stub zones now work correctly with primary servers using
+ "minimal-responses yes". [GL #1736]
+
+ 5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
+ [GL #2208]
+
+ --- 9.17.6 released ---
+
+ 5516. [func] The default EDNS buffer size has been changed from 4096
+ to 1232 bytes, the EDNS buffer size probing has been
+ removed, and named now sets the DF (Don't Fragment) flag
+ on outgoing UDP packets. [GL #2183]
+
+ 5515. [func] Add 'rndc dnssec -rollover' command to trigger a manual
+ rollover for a specific key. [GL #1749]
+
+ 5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
+ [GL #2171]
+
+ 5513. [doc] The ARM section describing the "rrset-order" statement
+ was rewritten to make it unambiguous and up-to-date with
+ the source code. [GL #2139]
+
+ 5512. [bug] "rrset-order" rules using "order none" were causing
+ named to crash despite named-checkconf treating them as
+ valid. [GL #2139]
+
+ 5511. [bug] 'dig -u +yaml' failed to display timestamps to the
+ microsecond. [GL #2190]
+
+ 5510. [bug] Implement the attach/detach semantics for dns_message_t
+ to fix a data race in accessing an already-destroyed
+ fctx->rmessage. [GL #2124]
+
+ 5509. [bug] filter-aaaa: named crashed upon shutdown if it was in
+ the process of recursing for A RRsets. [GL #1040]
+
+ 5508. [func] Added new parameter "-expired" for "rndc dumpdb" that
+ also prints expired RRsets (awaiting cleanup) to the
+ dump file. [GL #1870]
+
+ 5507. [bug] Named could compute incorrect SIG(0) responses.
+ [GL #2109]
+
+ 5506. [bug] Properly handle failed sysconf() calls, so we don't
+ report invalid memory size. [GL #2166]
+
+ 5505. [bug] Updating contents of a mixed-case RPZ could cause some
+ rules to be ignored. [GL #2169]
+
+ 5504. [func] The "glue-cache" option has been marked as deprecated.
+ The glue cache feature will be permanently enabled in a
+ future release. [GL #2146]
+
+ 5503. [bug] Cleaned up reference counting of network manager
+ handles, now using isc_nmhandle_attach() and _detach()
+ instead of _ref() and _unref(). [GL #2122]
+
+ --- 9.17.5 released ---
+
+ 5502. [func] 'dig +bufsize=0' no longer disables EDNS. [GL #2054]
+
+ 5501. [func] Log CDS/CDNSKEY publication. [GL #1748]
+
+ 5500. [bug] Fix (non-)publication of CDS and CDNSKEY records.
+ [GL #2103]
+
+ 5499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime.
+ [GL #1748]
+
+ 5498. [test] The --with-gperftools-profiler configure option was
+ removed. [GL !4045]
+
+ 5497. [placeholder]
+
+ 5496. [bug] Address a TSAN report by ensuring each rate limiter
+ object holds a reference to its task. [GL #2081]
+
+ 5495. [bug] With query minimization enabled, named failed to
+ resolve ip6.arpa. names that had extra labels to the
+ left of the IPv6 part. [GL #1847]
+
+ 5494. [bug] Silence the EPROTO syslog message on older systems.
+ [GL #1928]
+
+ 5493. [bug] Fix off-by-one error when calculating new hash table
+ size. [GL #2104]
+
+ 5492. [bug] Tighten LOC parsing to reject a period (".") and/or "m"
+ as a value. Fix handling of negative altitudes which are
+ not whole meters. [GL #2074]
+
+ 5491. [bug] rbtversion->glue_table_size could be read without the
+ appropriate lock being held. [GL #2080]
+
+ 5490. [func] Refactor readline support to use pkg-config and add
+ support for the editline library. [GL !3942]
+
+ 5489. [bug] Named erroneously accepted certain invalid resource
+ records that were incorrectly processed after
+ subsequently being written to disk and loaded back, as
+ the wire format differed. Such records include: CERT,
+ IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
+ X25. [GL !3953]
+
+ 5488. [bug] NTA code needed to have a weak reference on its
+ associated view to prevent the latter from being deleted
+ while NTA tests were being performed. [GL #2067]
+
+ 5487. [cleanup] Update managed keys log messages to be less confusing.
+ [GL #2027]
+
+ 5486. [func] Add 'rndc dnssec -checkds' command, which signals to
+ named that the DS record for a given zone or key has
+ been updated in the parent zone. [GL #1613]
+
+ --- 9.17.4 released ---
+
+ 5485. [placeholder]
+
+ 5484. [func] Expire zero TTL records quickly rather than using them
+ for stale answers. [GL #1829]
+
+ 5483. [func] Keeping "stale" answers in cache has been disabled by
+ default and can be re-enabled with a new configuration
+ option "stale-cache-enable". [GL #1712]
+
+ 5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
+ not yet finished after adding a new IPv6 address to the
+ system, BIND 9 would fail to bind to IPv6 addresses in a
+ tentative state. [GL #2038]
+
+ 5481. [security] "update-policy" rules of type "subdomain" were
+ incorrectly treated as "zonesub" rules, which allowed
+ keys used in "subdomain" rules to update names outside
+ of the specified subdomains. The problem was fixed by
+ making sure "subdomain" rules are again processed as
+ described in the ARM. (CVE-2020-8624) [GL #2055]
+
+ 5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
+ was possible to trigger an assertion failure in code
+ determining the number of bits in the PKCS#11 RSA public
+ key with a specially crafted packet. (CVE-2020-8623)
+ [GL #2037]
+
+ 5479. [security] named could crash in certain query resolution scenarios
+ where QNAME minimization and forwarding were both
+ enabled. (CVE-2020-8621) [GL #1997]
+
+ 5478. [security] It was possible to trigger an assertion failure by
+ sending a specially crafted large TCP DNS message.
+ (CVE-2020-8620) [GL #1996]
+
+ 5477. [bug] The idle timeout for connected TCP sockets, which was
+ previously set to a high fixed value, is now derived
+ from the client query processing timeout configured for
+ a resolver. [GL #2024]
+
+ 5476. [security] It was possible to trigger an assertion failure when
+ verifying the response to a TSIG-signed request.
+ (CVE-2020-8622) [GL #2028]
+
+ 5475. [bug] Wildcard RPZ passthru rules could incorrectly be
+ overridden by other rules that were loaded from RPZ
+ zones which appeared later in the "response-policy"
+ statement. This has been fixed. [GL #1619]
+
+ 5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
+ when it should have. [GL !3880]
+
+ 5473. [func] The RBT hash table implementation has been changed
+ to use a faster hash function (HalfSipHash2-4) and
+ Fibonacci hashing for better distribution. Setting
+ "max-cache-size" now preallocates a fixed-size hash
+ table so that rehashing does not cause resolution
+ brownouts while the hash table is grown. [GL #1775]
+
+ 5472. [func] The statistics channel has been updated to use the
+ new network manager. [GL #2022]
+
+ 5471. [bug] The introduction of KASP support inadvertently caused
+ the second field of "sig-validity-interval" to always be
+ calculated in hours, even in cases when it should have
+ been calculated in days. This has been fixed. (Thanks to
+ Tony Finch.) [GL !3735]
+
+ 5470. [port] gsskrb5_register_acceptor_identity() is now only called
+ if gssapi_krb5.h is present. [GL #1995]
+
+ 5469. [port] On illumos, a constant called SEC is already defined in
+ <sys/time.h>, which conflicts with an identically named
+ constant in libbind9. This conflict has been resolved.
+ [GL #1993]
+
+ 5468. [bug] Addressed potential double unlock in process_fd().
+ [GL #2005]
+
+ 5467. [func] The control channel and the rndc utility have been
+ updated to use the new network manager. To support
+ this, the network manager was updated to enable
+ the initiation of client TCP connections. Its
+ internal reference counting has been refactored.
+
+ Note: As a side effect of this change, rndc cannot
+ currently be used with UNIX-domain sockets, and its
+ default timeout has changed from 60 seconds to 30.
+ These will be addressed in a future release.
+ [GL #1759]
+
+ 5466. [bug] Addressed an error in recursive clients stats reporting.
+ [GL #1719]
+
+ 5465. [func] Added fallback to built-in trust-anchors, managed-keys,
+ or trusted-keys if the bindkeys-file (bind.keys) cannot
+ be parsed. [GL #1235]
+
+ 5464. [bug] Requesting more than 128 files to be saved when rolling
+ dnstap log files caused a buffer overflow. This has been
+ fixed. [GL #1989]
+
+ 5463. [placeholder]
+
+ 5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
+
+ 5461. [bug] The STALE rdataset header attribute was updated while
+ the write lock was not being held, leading to incorrect
+ statistics. The header attributes are now converted to
+ use atomic operations. [GL #1475]
+
+ 5460. [cleanup] tsig-keygen was previously an alias for
+ ddns-confgen and was documented in the ddns-confgen
+ man page. This has been reversed; tsig-keygen is
+ now the primary name. [GL #1998]
+
+ 5459. [bug] Fixed bad isc_mem_put() size when an invalid type was
+ specified in an "update-policy" rule. [GL #1990]
+
+ --- 9.17.3 released ---
+
+ 5458. [bug] Prevent a theoretically possible NULL dereference caused
+ by a data race between zone_maintenance() and
+ dns_zone_setview_helper(). [GL #1627]
+
+ 5457. [placeholder]
+
+ 5456. [func] Added "primaries" as a synonym for "masters" in
+ named.conf, and "primary-only" as a synonym for
+ "master-only" in the parameters to "notify", to bring
+ terminology up-to-date with RFC 8499. [GL #1948]
+
+ 5455. [bug] named could crash when cleaning dead nodes in
+ lib/dns/rbtdb.c that were being reused. [GL #1968]
+
+ 5454. [bug] Address a startup crash that occurred when the server
+ was under load and the root zone had not yet been
+ loaded. [GL #1862]
+
+ 5453. [bug] named crashed on shutdown when a new rndc connection was
+ received during shutdown. [GL #1747]
+
+ 5452. [bug] The "blackhole" ACL was accidentally disabled for client
+ queries. [GL #1936]
+
+ 5451. [func] Add 'rndc dnssec -status' command. [GL #1612]
+
+ 5450. [placeholder]
+
+ 5449. [bug] Fix a socket shutdown race in netmgr udp. [GL #1938]
+
+ 5448. [bug] Fix a race condition in isc__nm_tcpdns_send().
+ [GL #1937]
+
+ 5447. [bug] IPv6 addresses ending in "::" could break YAML
+ parsing. A "0" is now appended to such addresses
+ in YAML output from dig, mdig, delv, and dnstap-read.
+ [GL #1952]
+
+ 5446. [bug] The validator could fail to accept a properly signed
+ RRset if an unsupported algorithm appeared earlier in
+ the DNSKEY RRset than a supported algorithm. It could
+ also stop if it detected a malformed public key.
+ [GL #1689]
+
+ 5445. [cleanup] Disable and disallow static linking. [GL #1933]
+
+ 5444. [bug] 'rndc dnstap -roll <value>' did not limit the number of
+ saved files to <value>. [GL !3728]
+
+ 5443. [bug] The "primary" and "secondary" keywords, when used
+ as parameters for "check-names", were not
+ processed correctly and were being ignored. [GL #1949]
+
+ 5442. [func] Add support for outgoing TCP connections in netmgr.
+ [GL #1958]
+
+ 5441. [placeholder]
+
+ 5440. [placeholder]
+
+ 5439. [bug] The DS RRset returned by dns_keynode_dsset() was used in
+ a non-thread-safe manner. [GL #1926]
+
+ --- 9.17.2 released ---
+
+ 5438. [bug] Fix a race in TCP accepting code. [GL #1930]
+
+ 5437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr().
+ [GL #1808]
+
+ 5436. [security] It was possible to trigger an INSIST when determining
+ whether a record would fit into a TCP message buffer.
+ (CVE-2020-8618) [GL #1850]
+
+ 5435. [tests] Add RFC 4592 responses examples to the wildcard system
+ test. [GL #1718]
+
+ 5434. [security] It was possible to trigger an INSIST in
+ lib/dns/rbtdb.c:new_reference() with a particular zone
+ content and query patterns. (CVE-2020-8619) [GL #1111]
+ [GL #1718]
+
+ 5433. [placeholder]
+
+ 5432. [bug] Check the question section when processing AXFR, IXFR,
+ and SOA replies when transferring a zone in. [GL #1683]
+
+ 5431. [func] Reject DS records at the zone apex when loading
+ master files. Log but otherwise ignore attempts to
+ add DS records at the zone apex via UPDATE. [GL #1798]
+
+ 5430. [doc] Update docs - with netmgr, a separate listening socket
+ is created for each IPv6 interface (just as with IPv4).
+ [GL #1782]
+
+ 5429. [cleanup] Move BIND binaries which are neither daemons nor
+ administrative programs to $bindir. [GL #1724]
+
+ 5428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr
+ has been destroyed. Thanks to Petr Menšík. [GL !3316]
+
+ 5427. [placeholder]
+
+ 5426. [bug] Don't abort() when setting SO_INCOMING_CPU on the socket
+ fails. [GL #1911]
+
+ 5425. [func] The default value of "max-stale-ttl" has been changed
+ from 1 week to 12 hours. [GL #1877]
+
+ 5424. [bug] With KASP, when creating a successor key, the "goal"
+ state of the current active key (predecessor) was not
+ changed and thus never removed from the zone. [GL #1846]
+
+ 5423. [bug] Fix a bug in keymgr_key_has_successor(): it incorrectly
+ returned true if any other key in the keyring had a
+ successor. [GL #1845]
+
+ 5422. [bug] When using dnssec-policy, print correct key timing
+ metadata. [GL #1843]
+
+ 5421. [bug] Fix a race that could cause named to crash when looking
+ up the nodename of an RBT node if the tree was modified.
+ [GL #1857]
+
+ 5420. [bug] Add missing isc_{mutex,conditional}_destroy() calls
+ that caused a memory leak on FreeBSD. [GL #1893]
+
+ 5419. [func] Add new dig command line option, "+qid=<num>", which
+ allows the query ID to be set to an arbitrary value.
+ Add a new ./configure option, --enable-singletrace,
+ which allows trace logging of a single query when QID is
+ set to 0. [GL #1851]
+
+ 5418. [bug] delv failed to parse deprecated trusted-keys-style
+ trust anchors. [GL #1860]
+
+ 5417. [cleanup] The code determining the advertised UDP buffer size in
+ outgoing EDNS queries has been refactored to improve its
+ clarity. [GL #1868]
+
+ 5416. [bug] Fix a lock order inversion in lib/isc/unix/socket.c.
+ [GL #1859]
+
+ 5415. [test] Address race in dnssec system test that led to
+ test failures. [GL #1852]
+
+ 5414. [test] Adjust time allowed for journal truncation to occur
+ in nsupdate system test to avoid test failure.
+ [GL #1855]
+
+ 5413. [test] Address race in autosign system test that led to
+ test failures. [GL #1852]
+
+ 5412. [bug] 'provide-ixfr no;' failed to return up-to-date responses
+ when the serial was greater than or equal to the
+ current serial. [GL #1714]
+
+ 5411. [cleanup] TCP accept code has been refactored to use a single
+ accept() and pass the accepted socket to child threads
+ for processing. [GL !3320]
+
+ 5410. [func] Add the ability to specify per-type record count limits,
+ which are enforced when adding records via UPDATE, in an
+ "update-policy" statement. [GL #1657]
+
+ 5409. [performance] When looking up NSEC3 data in a zone database, skip the
+ check for empty non-terminal nodes; the NSEC3 tree does
+ not have any. [GL #1834]
+
+ 5408. [protocol] Print Extended DNS Errors if present in OPT record.
+ [GL #1835]
+
+ 5407. [func] Zone timers are now exported via statistics channel.
+ Thanks to Paul Frieden, Verizon Media. [GL #1232]
+
+ 5406. [func] Add a new logging category, "rpz-passthru", which allows
+ RPZ passthru actions to be logged in a separate channel.
+ [GL #54]
+
+ 5405. [bug] 'named-checkconf -p' could include spurious text in
+ server-addresses statements due to an uninitialized DSCP
+ value. [GL #1812]
+
+ 5404. [bug] 'named-checkconf -z' could incorrectly indicate
+ success if errors were found in one view but not in a
+ subsequent one. [GL #1807]
+
+ 5403. [func] Do not set UDP receive/send buffer sizes - use system
+ defaults. [GL #1713]
+
+ 5402. [bug] On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
+ Enable use of SO_REUSEADDR on all platforms which
+ support it. [GL !3365]
+
+ 5401. [bug] The number of input queues allocated during dnstap
+ initialization was too low, which could prevent some
+ dnstap data from being logged. [GL #1795]
+
+ 5400. [func] Add engine support to OpenSSL EdDSA implementation.
+ [GL #1763]
+
+ 5399. [func] Add engine support to OpenSSL ECDSA implementation.
+ [GL #1534]
+
+ 5398. [bug] Named could fail to restart if a zone with a double
+ quote (") in its name was added with 'rndc addzone'.
+ [GL #1695]
+
+ 5397. [func] Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
+ Thanks to Aaron Thompson. [GL !3326]
+
+ 5396. [func] When necessary (i.e. in libuv >= 1.37), use the
+ UV_UDP_RECVMMSG flag to enable recvmmsg() support in
+ libuv. [GL #1797]
+
+ 5395. [security] Further limit the number of queries that can be
+ triggered from a request. Root and TLD servers
+ are no longer exempt from max-recursion-queries.
+ Fetches for missing name server address records
+ are limited to 4 for any domain. (CVE-2020-8616)
+ [GL #1388]
+
+ 5394. [cleanup] Named formerly attempted to change the effective UID and
+ GID in named_os_openfile(), which could trigger a
+ spurious log message if they were already set to the
+ desired values. This has been fixed. [GL #1042]
+ [GL #1090]
+
+ 5393. [cleanup] Unused and/or redundant APIs were removed from libirs.
+ [GL #1758]
+
+ 5392. [bug] It was possible for named to crash during shutdown
+ or reconfiguration if an RPZ zone was still being
+ updated. [GL #1779]
+
+ 5391. [func] The BIND 9 build system has been changed to use a
+ typical autoconf+automake+libtool stack. When building
+ from the Git repository, run "autoreconf -fi" first.
+ [GL #4]
+
+ 5390. [security] Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. (CVE-2020-8617)
+ [GL #1703]
+
+ 5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller
+ bugs and use PKCS#11 v3.0 EdDSA macros and constants.
+ Thanks to Aaron Thompson. [GL !3391]
+
+ 5388. [func] Reject AXFR streams where the message ID is not
+ consistent. [GL #1674]
+
+ 5387. [placeholder]
+
+ 5386. [cleanup] Address Coverity warnings in lib/dns/keymgr.c.
+ [GL #1737]
+
+ 5385. [func] Make ISC rwlock implementation the default again.
+ [GL #1753]
+
+ 5384. [bug] With "dnssec-policy" in effect, "inline-signing" was
+ implicitly set to "yes". Now "inline-signing" is only
+ set to "yes" if the zone is not dynamic. [GL #1709]
+
+ --- 9.17.1 released ---
+
+ 5383. [func] Add a quota attach function with a callback and clean up
+ the isc_quota API. [GL !3280]
+
+ 5382. [bug] Use clock_gettime() instead of gettimeofday() for
+ isc_stdtime() function. [GL #1679]
+
+ 5381. [bug] Fix logging API data race by adding rwlock and caching
+ logging levels in stdatomic variables to restore
+ performance to original levels. [GL #1675] [GL #1717]
+
+ 5380. [contrib] Fix building MySQL DLZ modules against MySQL 8
+ libraries. [GL #1678]
+
+ 5379. [placeholder]
+
+ 5378. [bug] Receiving invalid DNS data was triggering an assertion
+ failure in nslookup. [GL #1652]
+
+ 5377. [placeholder]
+
+ 5376. [bug] Fix ineffective DNS rebinding protection when BIND is
+ configured as a forwarding DNS server. Thanks to Tobias
+ Klein. [GL #1574]
+
+ 5375. [test] Fix timing issues in the "kasp" system test. [GL #1669]
+
+ 5374. [bug] Statistics counters tracking recursive clients and
+ active connections could underflow. [GL #1087]
+
+ 5373. [bug] Collecting statistics for DNSSEC signing operations
+ (change 5254) caused an array of significant size (over
+ 100 kB) to be allocated for each configured zone. Each
+ of these arrays is tracking all possible key IDs; this
+ could trigger an out-of-memory condition on servers with
+ a high enough number of zones configured. Fixed by
+ tracking up to four keys per zone and rotating counters
+ when keys are replaced. This fixes the immediate problem
+ of high memory usage, but should be improved in a future
+ release by growing or shrinking the number of keys to
+ track upon key rollover events. [GL #1179]
+
+ 5372. [bug] Fix migration from existing DNSSEC key files
+ ("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
+
+ 5371. [bug] Improve incremental updates of the RPZ summary
+ database to reduce delays that could occur when
+ a policy zone update included a large number of
+ record deletions. [GL #1447]
+
+ 5370. [bug] Deactivation of a netmgr handle associated with a
+ socket could be skipped in some circumstances.
+ Fixed by deactivating the netmgr handle before
+ scheduling the asynchronous close routine. [GL #1700]
+
+ 5369. [func] Add the ability to specify whether to wait for
+ nameserver domain names to be looked up, with a new RPZ
+ modifying directive 'nsdname-wait-recurse'. [GL #1138]
+
+ 5368. [bug] Named failed to restart if 'rndc addzone' names
+ contained special characters (e.g. '/'). [GL #1655]
+
+ 5367. [placeholder]
+
+ --- 9.17.0 released ---
+
+ 5366. [bug] Fix a race condition with the keymgr when the same
+ zone plus dnssec-policy is configured in multiple
+ views. [GL #1653]
+
+ 5365. [bug] Algorithm rollover was stuck on submitting DS
+ because keymgr thought it would move to an invalid
+ state. Fixed by checking the current key against
+ the desired state, not the existing state. [GL #1626]
+
+ 5364. [bug] Algorithm rollover waited too long before introducing
+ zone signatures. It waited to make sure all signatures
+ were regenerated, but when introducing a new algorithm,
+ all signatures are regenerated immediately. Only
+ add the sign delay if there is a predecessor key.
+ [GL #1625]
+
+ 5363. [bug] When changing a dnssec-policy, existing keys with
+ properties that no longer match were not being retired.
+ [GL #1624]
+
+ 5362. [func] Limit the size of IXFR responses so that AXFR will
+ be used instead if it would be smaller. This is
+ controlled by the "max-ixfr-ratio" option, which
+ is a percentage representing the ratio of IXFR size
+ to the size of the entire zone. This value cannot
+ exceed 100%, which is the default. [GL #1515]
+
+ 5361. [bug] named might not accept new connections after
+ hitting tcp-clients quota. [GL #1643]
+
+ 5360. [bug] delv could fail to load trust anchors in DNSKEY
+ format. [GL #1647]
+
+ 5359. [func] "rndc nta -d" and "rndc secroots" now include
+ "validate-except" entries when listing negative
+ trust anchors. These are indicated by the keyword
+ "permanent" in place of an expiry date. [GL #1532]
+
+ 5358. [bug] Inline master zones whose master files were touched
+ but otherwise unchanged and were subsequently reloaded
+ may have stopped re-signing. [GL !3135]
+
+ 5357. [bug] Newly added RRSIG records with expiry times before
+ the previous earliest expiry times might not be
+ re-signed in time. This was a side effect of 5315.
+ [GL !3137]
+
+ 5356. [func] Update dnssec-policy configuration statements:
+ - Rename "zone-max-ttl" dnssec-policy option to
+ "max-zone-ttl" for consistency with the existing
+ zone option.
+ - Allow for "lifetime unlimited" as a synonym for
+ "lifetime PT0S".
+ - Make "key-directory" optional.
+ - Warn if specifying a key length does not make
+ sense; fail if key length is out of range for
+ the algorithm.
+ - Allow use of mnemonics when specifying key
+ algorithm (e.g. "rsasha256", "ecdsa384", etc.).
+ - Make ISO 8601 durations case-insensitive.
+ [GL #1598]
+
+ 5355. [func] What was set with --with-tuning=large option in
+ older BIND9 versions is now a default, and
+ a --with-tuning=small option was added for small
+ (e.g. OpenWRT) systems. [GL !2989]
+
+ 5354. [bug] dnssec-policy created new KSK keys for zones in the
+ initial stage of signing (with the DS not yet in the
+ rumoured or omnipresent states). Fix by checking the
+ key goals rather than the active state when determining
+ whether new keys are needed. [GL #1593]
+
+ 5353. [doc] Document port and dscp parameters in forwarders
+ configuration option. [GL #914]
+
+ 5352. [bug] Correctly handle catalog zone entries containing
+ characters that aren't legal in filenames. [GL #1592]
+
+ 5351. [bug] CDS / CDNSKEY consistency checks failed to handle
+ removal records. [GL #1554]
+
+ 5350. [bug] When a view was configured with class CHAOS, the
+ server could crash while processing a query for a
+ non-existent record. [GL #1540]
+
+ 5349. [bug] Fix a race in task_pause/unpause. [GL #1571]
+
+ 5348. [bug] dnssec-settime -Psync was not being honoured.
+ Thanks to Tony Finch. [GL !2893]
+
+ --- 9.15.8 released ---
+
+ 5347. [bug] Fixed a bug that could cause an intermittent crash
+ in validator.c when validating a negative cache
+ entry. [GL #1561]
+
+ 5346. [bug] Make hazard pointer array allocations dynamic, fixing
+ a bug that caused named to crash on machines with more
+ than 40 cores. [GL #1493]
+
+ 5345. [func] Key-style trust anchors and DS-style trust anchors
+ can now both be used for the same name. [GL #1237]
+
+ 5344. [bug] Handle accept() errors properly in netmgr. [GL !2880]
+
+ 5343. [func] Add statistics counters to the netmgr. [GL #1311]
+
+ 5342. [bug] Disable pktinfo for IPv6 and bind to each interface
+ explicitly instead, because libuv doesn't support
+ pktinfo control messages. [GL #1558]
+
+ 5341. [func] Simplify passing the bound TCP socket to child
+ threads by using isc_uv_export/import functions.
+ [GL !2825]
+
+ 5340. [bug] Don't deadlock when binding to a TCP socket fails.
+ [GL #1499]
+
+ 5339. [bug] With some libmaxminddb versions, named could erroneously
+ match an IP address not belonging to any subnet defined
+ in a given GeoIP2 database to one of the existing
+ entries in that database. [GL #1552]
+
+ 5338. [bug] Fix line spacing in `rndc secroots`.
+ Thanks to Tony Finch. [GL !2478]
+
+ 5337. [func] 'named -V' now reports maxminddb and protobuf-c
+ versions. [GL !2686]
+
+ --- 9.15.7 released ---
+
+ 5336. [bug] The TCP high-water statistic could report an
+ incorrect value on startup. [GL #1392]
+
+ 5335. [func] Make TCP listening code multithreaded. [GL !2659]
+
+ 5334. [doc] Update documentation with dnssec-policy clarifications.
+ Also change some defaults. [GL !2711]
+
+ 5333. [bug] Fix duration printing on Solaris when value is not
+ an ISO 8601 duration. [GL #1460]
+
+ 5332. [func] Renamed "dnssec-keys" configuration statement
+ to the more descriptive "trust-anchors". [GL !2702]
+
+ 5331. [func] Use compiler-provided mechanisms for thread local
+ storage, and make the requirement for such mechanisms
+ explicit in configure. [GL #1444]
+
+ 5330. [bug] 'configure --without-python' was ineffective if
+ PYTHON was set in the environment. [GL #1434]
+
+ 5329. [bug] Reconfiguring named caused memory to be leaked when any
+ GeoIP2 database was in use. [GL #1445]
+
+ 5328. [bug] rbtdb.c:rdataset_{get,set}ownercase failed to obtain
+ a node lock. [GL #1417]
+
+ 5327. [func] Added a statistics counter to track queries
+ dropped because the recursive-clients quota was
+ exceeded. [GL #1399]
+
+ 5326. [bug] Add Python dependency on 'distutils.core' to configure.
+ 'distutils.core' is required for installation.
+ [GL #1397]
+
+ 5325. [bug] Addressed several issues with TCP connections in
+ the netmgr: restored support for TCP connection
+ timeouts, restored TCP backlog support, actively
+ close all open sockets during shutdown. [GL #1312]
+
+ 5324. [bug] Change the category of some log messages from general
+ to the more appropriate catergory of xfer-in. [GL #1394]
+
+ 5323. [bug] Fix a bug in DNSSEC trust anchor verification.
+ [GL !2609]
+
+ 5322. [placeholder]
+
+ 5321. [bug] Obtain write lock before updating version->records
+ and version->bytes. [GL #1341]
+
+ 5320. [cleanup] Silence TSAN on header->count. [GL #1344]
+
+ --- 9.15.6 released ---
+
+ 5319. [func] Trust anchors can now be configured using DS
+ format to represent a key digest, by using the
+ new "initial-ds" or "static-ds" keywords in
+ the "dnssec-keys" statement.
+
+ Note: DNSKEY-format and DS-format trust anchors
+ cannot both be used for the same domain name.
+ [GL #622]
+
+ 5318. [cleanup] The DNSSEC validation code has been refactored
+ for clarity and to reduce code duplication.
+ [GL #622]
+
+ 5317. [func] A new asynchronous network communications system
+ based on libuv is now used for listening for
+ incoming requests and responding to them. (The
+ old isc_socket API remains in use for sending
+ iterative queries and processing responses; this
+ will be changed too in a later release.)
+
+ This change will make it easier to improve
+ performance and implement new protocol layers
+ (e.g., DNS over TLS) in the future. [GL #29]
+
+ 5316. [func] A new "dnssec-policy" option has been added to
+ named.conf to implement a key and signing policy
+ (KASP) for zones. When this option is in use,
+ named can generate new keys as needed and
+ automatically roll both ZSK and KSK keys. (Note
+ that the syntax for this statement differs from
+ the dnssec policy used by dnssec-keymgr.)
+
+ See the ARM for configuration details. [GL #1134]
+
+ 5315. [bug] Apply the initial RRSIG expiration spread fixed
+ to all dynamically created records in the zone
+ including NSEC3. Also fix the signature clusters
+ when the server has been offline for prolonged
+ period of times. [GL #1256]
+
+ 5314. [func] Added a new statistics variable "tcp-highwater"
+ that reports the maximum number of simultaneous TCP
+ clients BIND has handled while running. [GL #1206]
+
+ 5313. [bug] The default GeoIP2 database location did not match
+ the ARM. 'named -V' now reports the default
+ location. [GL #1301]
+
+ 5312. [bug] Do not flush the cache for `rndc validation status`.
+ Thanks to Tony Finch. [GL !2462]
+
+ 5311. [cleanup] Include all views in output of `rndc validation status`.
+ Thanks to Tony Finch. [GL !2461]
+
+ 5310. [bug] TCP failures were affecting EDNS statistics. [GL #1059]
+
+ 5309. [placeholder]
+
+ 5308. [bug] Don't log DNS_R_UNCHANGED from sync_secure_journal()
+ at ERROR level in receive_secure_serial(). [GL #1288]
+
+ 5307. [bug] Fix hang when named-compilezone output is sent to pipe.
+ Thanks to Tony Finch. [GL !2481]
+
+ 5306. [security] Set a limit on number of simultaneous pipelined TCP
+ queries. (CVE-2019-6477) [GL #1264]
+
+ 5305. [bug] NSEC Aggressive Cache ("synth-from-dnssec") has been
+ disabled by default because it was found to have
+ a significant performance impact on the recursive
+ service. [GL #1265]
+
+ 5304. [bug] "dnskey-sig-validity 0;" was not being accepted.
+ [GL #876]
+
+ 5303. [placeholder]
+
+ 5302. [bug] Fix checking that "dnstap-output" is defined when
+ "dnstap" is specified in a view. [GL #1281]
+
+ 5301. [bug] Detect partial prefixes / incomplete IPv4 address in
+ acls. [GL #1143]
+
+ 5300. [bug] dig/mdig/delv: Add a colon after EDNS option names,
+ even when the option is empty, to improve
+ readability and allow correct parsing of YAML
+ output. [GL #1226]
+
+ --- 9.15.5 released ---
+
+ 5299. [security] A flaw in DNSSEC verification when transferring
+ mirror zones could allow data to be incorrectly
+ marked valid. (CVE-2019-6475) [GL #1252]
+
+ 5298. [security] Named could assert if a forwarder returned a
+ referral, rather than resolving the query, when QNAME
+ minimization was enabled. (CVE-2019-6476) [GL #1051]
+
+ 5297. [bug] Check whether a previous QNAME minimization fetch
+ is still running before starting a new one; return
+ SERVFAIL and log an error if so. [GL #1191]
+
+ 5296. [placeholder]
+
+ 5295. [cleanup] Split dns_name_copy() calls into dns_name_copy() and
+ dns_name_copynf() for those calls that can potentially
+ fail and those that should not fail respectively.
+ [GL !2265]
+
+ 5294. [func] Fallback to ACE name on output in locale, which does not
+ support converting it to unicode. [GL #846]
+
+ 5293. [bug] On Windows, named crashed upon any attempt to fetch XML
+ statistics from it. [GL #1245]
+
+ 5292. [bug] Queue 'rndc nsec3param' requests while signing inline
+ zone changes. [GL #1205]
+
+ --- 9.15.4 released ---
+
+ 5291. [placeholder]
+
+ 5290. [placeholder]
+
+ 5289. [bug] Address NULL pointer dereference in rpz.c:rpz_detach.
+ [GL #1210]
+
+ 5288. [bug] dnssec-must-be-secure was not always honored.
+ [GL #1209]
+
+ 5287. [placeholder]
+
+ 5286. [contrib] Address potential NULL pointer dereferences in
+ dlz_mysqldyn_mod.c. [GL #1207]
+
+ 5285. [port] win32: implement "-T maxudpXXX". [GL #837]
+
+ 5284. [func] Added +unexpected command line option to dig.
+ By default, dig won't accept a reply from a source
+ other than the one to which it sent the query.
+ Invoking dig with +unexpected argument will allow it
+ to process replies from unexpected sources.
+
+ 5283. [bug] When a response-policy zone expires, ensure that
+ its policies are removed from the RPZ summary
+ database. [GL #1146]
+
+ 5282. [bug] Fixed a bug in searching for possible wildcard matches
+ for query names in the RPZ summary database. [GL #1146]
+
+ 5281. [cleanup] Don't escape commas when reporting named's command
+ line. [GL #1189]
+
+ 5280. [protocol] Add support for displaying EDNS option LLQ. [GL #1201]
+
+ 5279. [bug] When loading, reject zones containing CDS or CDNSKEY
+ RRsets at the zone apex if they would cause DNSSEC
+ validation failures if published in the parent zone
+ as the DS RRset. [GL #1187]
+
+ 5278. [func] Add YAML output formats for dig, mdig and delv;
+ use the "+yaml" option to enable. [GL #1145]
+
+ --- 9.15.3 released ---
+
+ 5277. [bug] Cache DB statistics could underflow when serve-stale
+ was in use, because of a bug in counter maintenance
+ when RRsets become stale.
+
+ Functions for dumping statistics have been updated
+ to dump active, stale, and ancient statistic
+ counters. Ancient RRset counters are prefixed
+ with '~'; stale RRset counters are still prefixed
+ with '#'. [GL #602]
+
+ 5276. [func] DNSSEC Lookaside Validation (DLV) is now obsolete;
+ all code enabling its use has been removed from the
+ validator, "delv", and the DNSSEC tools. [GL #7]
+
+ 5275. [bug] Mark DS records included in referral messages
+ with trust level "pending" so that they can be
+ validated and cached immediately, with no need to
+ re-query. [GL #964]
+
+ 5274. [bug] Address potential use after free race when shutting
+ down rpz. [GL #1175]
+
+ 5273. [bug] Check that bits [64..71] of a dns64 prefix are zero.
+ [GL #1159]
+
+ 5272. [cleanup] Remove isc-config.sh script as the BIND 9 libraries
+ are now purely internal. [GL #1123]
+
+ 5271. [func] The normal (non-debugging) output of dnssec-signzone
+ and dnssec-verify tools now goes to stdout, instead of
+ the combination of stderr and stdout.
+
+ 5270. [bug] 'dig +expandaaaa +short' did not work. [GL #1152]
+
+ 5269. [port] cygwin: can return ETIMEDOUT on connect() with a
+ non-blocking socket. [GL #1133]
+
+ 5268. [placeholder]
+
+ 5267. [func] Allow statistics groups display to be toggle-able.
+ [GL #1030]
+
+ 5266. [bug] named-checkconf failed to report dnstap-output
+ missing from named.conf when dnstap was specified.
+ [GL #1136]
+
+ 5265. [bug] DNS64 and RPZ nodata (CNAME *.) rules interacted badly
+ [GL #1106]
+
+ 5264. [func] New DNS Cookie algorithm - siphash24 - has been added
+ to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
+ have been removed. [GL #605]
+
+ --- 9.15.2 released ---
+
+ 5263. [cleanup] Use atomics and isc_refcount_t wherever possible.
+ [GL #1038]
+
+ 5262. [func] Removed support for the legacy GeoIP API. [GL #1112]
+
+ 5261. [cleanup] Remove SO_BSDCOMPAT socket option usage.
+
+ 5260. [bug] dnstap-read was producing malformed output for large
+ packets. [GL #1093]
+
+ 5259. [func] New option '-i' for 'named-checkconf' to ignore
+ warnings about deprecated options. [GL #1101]
+
+ 5258. [func] Added support for the GeoIP2 API from MaxMind. This
+ will be compiled in by default if the "libmaxminddb"
+ library is found at compile time, but can be
+ suppressed using "configure --disable-geoip".
+
+ Certain geoip ACL settings that were available with
+ legacy GeoIP are not available when using GeoIP2.
+ [GL #182]
+
+ 5257. [bug] Some statistics data was not being displayed.
+ Add shading to the zone tables. [GL #1030]
+
+ 5256. [bug] Ensure that glue records are included in root
+ priming responses if "minimal-responses" is not
+ set to "yes". [GL #1092]
+
+ 5255. [bug] Errors encountered while reloading inline-signing
+ zones could be ignored, causing the zone content to
+ be left in an incompletely updated state rather than
+ reverted. [GL #1109]
+
+ 5254. [func] Collect metrics to report to the statistics-channel
+ DNSSEC signing operations (dnssec-sign) and refresh
+ operations (dnssec-refresh) per zone and per keytag.
+ [GL #513]
+
+ 5253. [port] Support platforms that don't define ULLONG_MAX.
+ [GL #1098]
+
+ 5252. [func] Report if the last 'rndc reload/reconfig' failed in
+ rndc status. [GL !2040]
+
+ 5251. [bug] Statistics were broken in x86 Windows builds.
+ [GL #1081]
+
+ 5250. [func] The default size for RSA keys is now 2048 bits,
+ for both ZSKs and KSKs. [GL #1097]
+
+ 5249. [bug] Fix a possible underflow in recursion clients
+ statistics when hitting recursive clients
+ soft quota. [GL #1067]
+
+ --- 9.15.1 released ---
+
+ 5248. [func] To clarify the configuration of DNSSEC keys,
+ the "managed-keys" and "trusted-keys" options
+ have both been deprecated. The new "dnssec-keys"
+ statement can now be used for all trust anchors,
+ with the keywords "iniital-key" or "static-key"
+ to indicate whether the configured trust anchor
+ should be used for initialization of RFC 5011 key
+ management, or as a permanent trust anchor.
+
+ The "static-key" keyword will generate a warning if
+ used for the root zone.
+
+ Configurations using "trusted-keys" or "managed-keys"
+ will continue to work with no changes, but will
+ generate warnings in the log. In a future release,
+ these options will be marked obsolete. [GL #6]
+
+ 5247. [cleanup] The 'cleaning-interval' option has been removed.
+ [GL !1731]
+
+ 5246. [func] Log TSIG if appropriate in 'sending notify to' message.
+ [GL #1058]
+
+ 5245. [cleanup] Reduce logging level for IXFR up-to-date poll
+ responses. [GL #1009]
+
+ 5244. [security] Fixed a race condition in dns_dispatch_getnext()
+ that could cause an assertion failure if a
+ significant number of incoming packets were
+ rejected. (CVE-2019-6471) [GL #942]
+
+ 5243. [bug] Fix a possible race between dispatcher and socket
+ code in a high-load cold-cache resolver scenario.
+ [GL #943]
+
+ 5242. [bug] In relaxed qname minimization mode, fall back to
+ normal resolution when encountering a lame
+ delegation, and use _.domain/A queries rather
+ than domain/NS. [GL #1055]
+
+ 5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
+ [GL #225]
+
+ 5240. [bug] Remove key id calculation for RSAMD5. [GL #996]
+
+ 5239. [func] Change the json-c detection to pkg-config. [GL #855]
+
+ 5238. [bug] Fix a possible deadlock in TCP code. [GL #1046]
+
+ 5237. [bug] Recurse to find the root server list with 'dig +trace'.
+ [GL #1028]
+
+ 5236. [func] Add SipHash 2-4 implementation in lib/isc/siphash.c
+ and switch isc_hash_function() to use SipHash 2-4.
+ [GL #605]
+
+ 5235. [cleanup] Refactor lib/isc/app.c to be thread-safe, unused
+ parts of the API has been removed and the
+ isc_appctx_t data type has been changed to be
+ fully opaque. [GL #1023]
+
+ 5234. [port] arm: just use the compiler's default support for
+ yield. [GL #981]
+
+ --- 9.15.0 released ---
+
+ 5233. [bug] Negative trust anchors did not work with "forward only;"
+ to validating resolvers. [GL #997]
+
+ 5232. [placeholder]
+
+ 5231. [protocol] Add support for displaying CLIENT-TAG and SERVER-TAG.
+ [GL #960]
+
+ 5230. [protocol] The SHA-1 hash algorithm is no longer used when
+ generating DS and CDS records. [GL #1015]
+
+ 5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]
+
+ 5228. [func] If trusted-keys and managed-keys were configured
+ simultaneously for the same name, the key could
+ not be be rolled automatically. This is now
+ a fatal configuration error. [GL #868]
+
+ 5227. [placeholder]
+
+ 5226. [placeholder]
+
+ 5225. [func] Allow dig to print out AAAA record fully expanded.
+ with +[no]expandaaaa. [GL #765]
+
+ 5224. [bug] Only test provide-ixfr on TCP streams. [GL #991]
+
+ 5223. [bug] Fixed a race in the filter-aaaa plugin accessing
+ the hash table. [GL #1005]
+
+ 5222. [bug] 'delv -t ANY' could leak memory. [GL #983]
+
+ 5221. [test] Enable parallel execution of system tests on
+ Windows. [GL !4101]
+
+ 5220. [cleanup] Refactor the isc_stat structure to take advantage
+ of stdatomic. [GL !1493]
+
+ 5219. [bug] Fixed a race in the filter-aaaa plugin that could
+ trigger a crash when returning an instance object
+ to the memory pool. [GL #982]
+
+ 5218. [bug] Conditionally include <dlfcn.h>. [GL #995]
+
+ 5217. [bug] Restore key id calculation for RSAMD5. [GL #996]
+
+ 5216. [bug] Fetches-per-zone counter wasn't updated correctly
+ when doing qname minimization. [GL #992]
+
+ 5215. [bug] Change #5124 was incomplete; named could still
+ return FORMERR instead of SERVFAIL in some cases.
+ [GL #990]
+
+ 5214. [bug] win32: named now removes its lock file upon shutdown.
+ [GL #979]
+
+ 5213. [bug] win32: Eliminated a race which allowed named.exe running
+ as a service to be killed prematurely during shutdown.
+ [GL #978]
+
+ 5212. [placeholder]
+
+ 5211. [bug] Allow out-of-zone additional data to be included
+ in authoritative responses if recursion is allowed
+ and "minimal-responses" is disabled. This behavior
+ was inadvertently removed in change #4605. [GL #817]
+
+ 5210. [bug] When dnstap is enabled and recursion is not
+ available, incoming queries are now logged
+ as "auth". Previously, this depended on whether
+ recursion was requested by the client, not on
+ whether recursion was available. [GL #963]
+
+ 5209. [bug] When update-check-ksk is true, add_sigs was not
+ considering offline keys, leaving record sets signed
+ with the incorrect type key. [GL #763]
+
+ 5208. [test] Run valid rdata wire encodings through totext+fromtext
+ and tofmttext+fromtext methods to check these methods.
+ [GL #899]
+
+ 5207. [test] Check delv and dig TTL values. [GL #965]
+
+ 5206. [bug] Delv could print out bad TTLs. [GL #965]
+
+ 5205. [bug] Enforce that a DS hash exists. [GL #899]
+
+ 5204. [test] Check that dns_rdata_fromtext() produces a record that
+ will be accepted by dns_rdata_fromwire(). [GL #852]
+
+ 5203. [bug] Enforce whether key rdata exists or not in KEY,
+ DNSKEY, CDNSKEY and RKEY. [GL #899]
+
+ 5202. [bug] <dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
+
+ 5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]
+
+ 5200. [security] tcp-clients settings could be exceeded in some cases,
+ which could lead to exhaustion of file descriptors.
+ (CVE-2018-5743) [GL #615]
+
+ 5199. [security] In certain configurations, named could crash
+ if nxdomain-redirect was in use and a redirected
+ query resulted in an NXDOMAIN from the cache.
+ (CVE-2019-6467) [GL #880]
+
+ 5198. [bug] If a fetch context was being shut down and, at the same
+ time, we returned from qname minimization, an INSIST
+ could be hit. [GL #966]
+
+ 5197. [bug] dig could die in best effort mode on multiple SIG(0)
+ records. Similarly on multiple OPT and multiple TSIG
+ records. [GL #920]
+
+ 5196. [bug] make install failed with --with-dlopen=no. [GL #955]
+
+ 5195. [bug] "allow-update" and "allow-update-forwarding" were
+ treated as configuration errors if used at the
+ options or view level. [GL #913]
+
+ 5194. [bug] Enforce non empty ZOMEMD hash. [GL #899]
+
+ 5193. [bug] EID and NIMLOC failed to do multi-line output
+ correctly. [GL #899]
+
+ 5192. [placeholder]
+
+ 5191. [placeholder]
+
+ 5190. [bug] Ignore trust anchors using disabled algorithms.
+ [GL #806]
+
+ 5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]
+
+ 5188. [func] The "dnssec-enable" option is deprecated and no
+ longer has any effect; DNSSEC responses are
+ always enabled. [GL #866]
+
+ 5187. [test] Set time zone before running any tests in dnstap_test.
+ [GL #940]
+
+ 5186. [cleanup] More dnssec-keygen manual tidying. [GL !1678]
+
+ 5185. [placeholder]
+
+ 5184. [bug] Missing unlocks in sdlz.c. [GL #936]
+
+ 5183. [bug] Reinitialize ECS data before reusing client
+ structures. [GL #881]
+
+ 5182. [bug] Fix a high-load race/crash in handling of
+ isc_socket_close() in resolver. [GL #834]
+
+ 5181. [func] Add a mechanism for a DLZ module to signal that
+ the view's allow-transfer ACL should be used to
+ determine whether transfers are allowed. [GL #803]
+
+ 5180. [bug] delv now honors the operating system's preferred
+ ephemeral port range. [GL #925]
+
+ 5179. [cleanup] Replace some vague type declarations with the more
+ specific dns_secalg_t and dns_dsdigest_t.
+ Thanks to Tony Finch. [GL !1498]
+
+ 5178. [bug] Handle EDQUOT (disk quota) and ENOSPC (disk full)
+ errors when writing files. [GL #902]
+
+ 5177. [func] Add the ability to specify in named.conf whether a
+ response-policy zone's SOA record should be added
+ to the additional section (add-soa yes/no). [GL #865]
+
+ 5176. [tests] Remove a dependency on libxml in statschannel system
+ test. [GL #926]
+
+ 5175. [bug] Fixed a problem with file input in dnssec-keymgr,
+ dnssec-coverage and dnssec-checkds when using
+ python3. [GL #882]
+
+ 5174. [doc] Tidy dnssec-keygen manual. [GL !1557]
+
+ 5173. [bug] Fixed a race in socket code that could occur when
+ accept, send, or recv were called from an event
+ loop but the socket had been closed by another
+ thread. [RT #874]
+
+ 5172. [bug] nsupdate now honors the operating system's preferred
+ ephemeral port range. [GL #905]
+
+ 5171. [func] named plugins are now installed into a separate
+ directory. Supplying a filename (a string without path
+ separators) in a "plugin" configuration stanza now
+ causes named to look for that plugin in that directory.
+ [GL #878]
+
+ 5170. [test] Added --with-dlz-filesystem to feature-test. [GL !1587]
+
+ 5169. [bug] The presence of certain types in an otherwise
+ empty node could cause a crash while processing a
+ type ANY query. [GL #901]
+
+ 5168. [bug] Do not crash on shutdown when RPZ fails to load. Also,
+ keep previous version of the database if RPZ fails to
+ load. [GL #813]
+
+ 5167. [bug] nxdomain-redirect could sometimes lookup the wrong
+ redirect name. [GL #892]
+
+ 5166. [placeholder]
+
+ 5165. [contrib] Removed SDB drivers from contrib; they're obsolete.
+ [GL #428]
+
+ 5164. [bug] Correct errno to result translation in dlz filesystem
+ modules. [GL #884]
+
+ 5163. [cleanup] Out-of-tree builds failed --enable-dnstap. [GL #836]
+
+ 5162. [cleanup] Improve dnssec-keymgr manual. Thanks to Tony Finch.
+ [GL !1518]
+
+ 5161. [bug] Do not require the SEP bit to be set for mirror zone
+ trust anchors. [GL #873]
+
+ 5160. [contrib] Added DNAME support to the DLZ LDAP schema. Also
+ fixed a compilation bug affecting several DLZ
+ modules. [GL #872]
+
+ 5159. [bug] dnssec-coverage was incorrectly ignoring
+ names specified on the command line without
+ trailing dots. [GL !1478]
+
+ 5158. [protocol] Add support for AMTRELAY and ZONEMD. [GL #867]
+
+ 5157. [bug] Nslookup now errors out if there are extra command
+ line arguments. [GL #207]
+
+ 5156. [doc] Extended and refined the section of the ARM describing
+ mirror zones. [GL #774]
+
+ 5155. [func] "named -V" now outputs the default paths to
+ named.conf, rndc.conf, bind.keys, and other
+ files used or created by named and other tools, so
+ that the correct paths to these files can quickly be
+ determined regardless of the configure settings
+ used when BIND was built. [GL #859]
+
+ 5154. [bug] dig: process_opt could be called twice on the same
+ message leading to a assertion failure. [GL #860]
+
+ 5153. [func] Zone transfer statistics (size, number of records, and
+ number of messages) are now logged for outgoing
+ transfers as well as incoming ones. [GL #513]
+
+ 5152. [func] Improved logging of DNSSEC key events:
+ - Zone signing and DNSKEY maintenance events are
+ now logged to the "dnssec" category
+ - Messages are now logged when DNSSEC keys are
+ published, activated, inactivated, deleted,
+ or revoked.
+ [GL #714]
+
+ 5151. [func] Options that have been been marked as obsolete in
+ named.conf for a very long time are now fatal
+ configuration errors. [GL #358]
+
+ 5150. [cleanup] Remove the ability to compile BIND with assertions
+ disabled. [GL #735]
+
+ 5149. [func] "rndc dumpdb" now prints a line above a stale RRset
+ indicating how long the data will be retained in the
+ cache for emergency use. [GL #101]
+
+ 5148. [bug] named did not sign the TKEY response. [GL #821]
+
+ 5147. [bug] dnssec-keymgr: Add a five-minute margin to better
+ handle key events close to 'now'. [GL #848]
+
+ 5146. [placeholder]
+
+ 5145. [func] Use atomics instead of locked variables for isc_quota
+ and isc_counter. [GL !1389]
+
+ 5144. [bug] dig now returns a non-zero exit code when a TCP
+ connection is prematurely closed by a peer more than
+ once for the same lookup. [GL #820]
+
+ 5143. [bug] dnssec-keymgr and dnssec-coverage failed to find
+ key files for zone names ending in ".". [GL #560]
+
+ 5142. [cleanup] Removed "configure --disable-rpz-nsip" and
+ "--disable-rpz-nsdname" options. "nsip-enable"
+ and "nsdname-enable" both now default to yes,
+ regardless of compile-time settings. [GL #824]
+
+ 5141. [security] Zone transfer controls for writable DLZ zones were
+ not effective as the allowzonexfr method was not being
+ called for such zones. (CVE-2019-6465) [GL #790]
+
+ 5140. [bug] Don't immediately mark existing keys as inactive and
+ deleted when running dnssec-keymgr for the first
+ time. [GL #117]
+
+ 5139. [bug] If possible, don't use forwarders when priming.
+ This ensures we can get root server IP addresses
+ from priming query response glue, which may not
+ be present if the forwarding server is returning
+ minimal responses. [GL #752]
+
+ 5138. [bug] Under some circumstances named could hit an assertion
+ failure when doing qname minimization when using
+ forwarders. [GL #797]
+
+ 5137. [func] named now logs messages whenever a mirror zone becomes
+ usable or unusable for resolution purposes. [GL #818]
+
+ 5136. [cleanup] Check in named-checkconf that allow-update and
+ allow-update-forwarding are not set at the
+ view/options level; fix documentation. [GL #512]
+
+ 5135. [port] sparc: Use smt_pause() instead of pause. [GL #816]
+
+ 5134. [bug] win32: WSAStartup was not called before getservbyname
+ was called. [GL #590]
+
+ 5133. [bug] 'rndc managed-keys' didn't handle class and view
+ correctly and failed to add new lines between each
+ view. [GL !1327]
+
+ 5132. [bug] Fix race condition in cleanup part of dns_dt_create().
+ [GL !1323]
+
+ 5131. [cleanup] Address Coverity warnings. [GL #801]
+
+ 5130. [cleanup] Remove support for l10n message catalogs. [GL #709]
+
+ 5129. [contrib] sdlz_helper.c:build_querylist was not properly
+ splitting the query string. [GL #798]
+
+ 5128. [bug] Refreshkeytime was not being updated for managed
+ keys zones. [GL #784]
+
+ 5127. [bug] rcode.c:maybe_numeric failed to handle NUL in text
+ regions. [GL #807]
+
+ 5126. [bug] Named incorrectly accepted empty base64 and hex encoded
+ fields when reading master files. [GL #807]
+
+ 5125. [bug] Allow for up to 100 records or 64k of data when caching
+ a negative response. [GL #804]
+
+ 5124. [bug] Named could incorrectly return FORMERR rather than
+ SERVFAIL. [GL #804]
+
+ 5123. [bug] dig could hang indefinitely after encountering an error
+ before creating a TCP socket. [GL #692]
+
+ 5122. [bug] In a "forward first;" configuration, a forwarder
+ timeout did not prevent that forwarder from being
+ queried again after falling back to full recursive
+ resolution. [GL #315]
+
+ 5121. [contrib] dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
+ matching zone names. [GL !1299]
+
+ 5120. [placeholder]
+
+ 5119. [placeholder]
+
+ 5118. [security] Named could crash if it is managing a key with
+ `managed-keys` and the authoritative zone is rolling
+ the key to an unsupported algorithm. (CVE-2018-5745)
+ [GL #780]
+
+ 5117. [placeholder]
+
+ 5116. [bug] Named/named-checkconf triggered a assertion when
+ a mirror zone's name is bad. [GL #778]
+
+ 5115. [bug] Allow unsupported algorithms in zone when not used for
+ signing with dnssec-signzone. [GL #783]
+
+ 5114. [func] Include a 'reconfig/reload in progress' status line
+ in rndc status, use it in tests.
+
+ 5113. [port] Fixed a Windows build error.
+
+ 5112. [bug] Named/named-checkconf could dump core if there was
+ a missing masters clause and a bad notify clause.
+ [GL #779]
+
+ 5111. [bug] Occluded DNSKEY records could make it into the
+ delegating NSEC/NSEC3 bitmap. [GL #742]
+
+ 5110. [security] Named leaked memory if there were multiple Key Tag
+ EDNS options present. (CVE-2018-5744) [GL #772]
+
+ 5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
+
+ --- 9.13.5 released ---
+
+ 5108. [bug] Named could fail to determine bottom of zone when
+ removing out of date keys leading to invalid NSEC
+ and NSEC3 records being added to the zone. [GL #771]
+
+ 5107. [bug] 'host -U' did not work. [GL #769]
+
+ 5106. [experimental] A new "plugin" mechanism has been added to allow
+ extension of query processing functionality through
+ the use of dynamically loadable libraries. A
+ "filter-aaaa.so" plugin has been implemented,
+ replacing the filter-aaaa feature that was formerly
+ implemented as a native part of BIND.
+
+ The "filter-aaaa", "filter-aaaa-on-v4" and
+ "filter-aaaa-on-v6" options can no longer be
+ configured using native named.conf syntax. However,
+ loading the filter-aaaa.so plugin and setting its
+ parameters provides identical functionality.
+
+ Note that the plugin API is a work in progress and
+ is likely to evolve as further plugins are
+ implemented. [GL #15]
+
+ 5105. [bug] Fix a race between process_fd and socketclose in
+ unix socket code. [GL #744]
+
+ 5104. [cleanup] Log clearer informational message when a catz zone
+ is overridden by a zone in named.conf.
+ Thanks to Tony Finch. [GL !1157]
+
+ 5103. [bug] Add missing design by contract tests to dns_catz*.
+ [GL #748]
+
+ 5102. [bug] dnssec-coverage failed to use the default TTL when
+ checking KSK deletion times leading to a exception.
+ [GL #585]
+
+ 5101. [bug] Fix default installation path for Python modules and
+ remove the dnspython dependency accidentally introduced
+ by change 4970. [GL #730]
+
+ 5100. [func] Pin resolver tasks to specific task queues. [GL !1117]
+
+ 5099. [func] Failed mutex and conditional creations are always
+ fatal. [GL #674]
+
+ --- 9.13.4 released ---
+
+ 5098. [func] Failed memory allocations are now fatal. [GL #674]
+
+ 5097. [cleanup] Remove embedded ATF unit testing framework
+ from BIND source distribution. [GL !875]
+
+ 5096. [func] Use multiple event loops in socket code, and
+ make network threads CPU-affinitive. This
+ significantly improves performance on large
+ systems. [GL #666]
+
+ 5095. [test] Converted all unit tests from ATF to CMocka;
+ removed the source code for the ATF libraries.
+ Build with "configure --with-cmocka" to enable
+ unit testing. [GL #620]
+
+ 5094. [func] Add 'dig -r' to disable reading of .digrc. [GL !970]
+
+ 5093. [bug] Log lame qname-minimization servers only if they're
+ really lame. [GL #671]
+
+ 5092. [bug] Address memory leak on SIGTERM in nsupdate when using
+ GSS-TSIG. [GL #558]
+
+ 5091. [func] Two new global and per-view options min-cache-ttl
+ and min-ncache-ttl [GL #613]
+
+ 5090. [bug] dig and mdig failed to properly pre-parse dash value
+ pairs when value was a separate argument and started
+ with a dash. [GL #584]
+
+ 5089. [bug] Restore localhost fallback in dig and host which is
+ used when no nameserver addresses present in
+ /etc/resolv.conf are usable due to the requested
+ address family restrictions. [GL #433]
+
+ 5088. [bug] dig/host/nslookup could crash when interrupted close to
+ a query timeout. [GL #599]
+
+ 5087. [test] Check that result tables are complete. [GL #676]
+
+ 5086. [func] Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
+
+ 5085. [bug] win32: Restore looking up nameservers, search list,
+ etc. [GL #186]
+
+ 5084. [placeholder]
+
+ 5083. [func] Add autoconf macro AX_POSIX_SHELL, so we
+ can use POSIX-compatible shell features
+ in the scripts.
+
+ 5082. [bug] Fixed a race that could cause a crash in
+ dig/host/nslookup. [GL #650]
+
+ 5081. [func] Use per-worker queues in task manager, make task
+ runners CPU-affine. [GL #659]
+
+ 5080. [func] Improvements to "rndc nta" user interface:
+ - catch and report invalid command line options
+ - when removing an NTA from all views, do not
+ abort with an error if the NTA was not found
+ in one of the views
+ - include the view name in "rndc nta -dump"
+ output, for consistency with the add and remove
+ actions
+ Thanks to Tony Finch. [GL !816]
+
+ 5079. [func] Disable IDN processing in dig and nslookup
+ when not on a tty. [GL #653]
+
+ 5078. [cleanup] Require python components to be explicitly disabled if
+ python is not available on unix platforms. [GL #601]
+
+ 5077. [cleanup] Remove ip6.int support (-i) from dig and mdig.
+ [GL !969]
+
+ 5076. [bug] "require-server-cookie" was not effective if
+ "rate-limit" was configured. [GL #617]
+
+ 5075. [bug] Refresh nameservers from cache when sending final
+ query in qname minimization. [GL #16]
+
+ 5074. [cleanup] Remove vector socket functions - isc_socket_recvv(),
+ isc_socket_sendtov(), isc_socket_sendtov2(),
+ isc_socket_sendv() - in order to simplify socket code.
+ [GL #645]
+
+ 5073. [bug] Destroy a task first when destroying rpzs and catzs.
+ [GL #84]
+
+ 5072. [bug] Add unit tests for isc_buffer_copyregion() and fix its
+ behavior for auto-reallocated buffers. [GL #644]
+
+ 5071. [bug] Comparison of NXT records was broken. [GL #631]
+
+ 5070. [bug] Record types which support a empty rdata field were
+ not handling the empty rdata field case. [GL #638]
+
+ 5069. [bug] Fix a hang on in RPZ when named is shutdown during RPZ
+ zone update. [GL !907]
+
+ 5068. [bug] Fix a race in RPZ with min-update-interval set to 0.
+ [GL #643]
+
+ 5067. [bug] Don't minimize qname when sending the query
+ to a forwarder. [GL #361]
+
+ 5066. [cleanup] Allow unquoted strings to be used as a zone names
+ in response-policy statements. [GL #641]
+
+ 5065. [bug] Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
+
+ 5064. [test] Initialize TZ environment variable before calling
+ dns_test_begin in dnstap_test. [GL #624]
+
+ 5063. [test] In statschannel test try a few times before failing
+ when checking if the compressed output is the same as
+ uncompressed. [GL !909]
+
+ 5062. [func] Use non-crypto-secure PRNG to generate nonces for
+ cookies. [GL !887]
+
+ 5061. [protocol] Add support for EID and NIMLOC. [GL #626]
+
+ 5060. [bug] GID, UID and UINFO could not be loaded using unknown
+ record format. [GL #627]
+
+ 5059. [bug] Display a per-view list of zones in the web interface.
+ [GL #427]
+
+ 5058. [func] Replace old message digest and hmac APIs with more
+ generic isc_md and isc_hmac APIs, and convert their
+ respective tests to cmocka. [GL #305]
+
+ 5057. [protocol] Add support for ATMA. [GL #619]
+
+ 5056. [placeholder]
+
+ 5055. [func] A default list of primary servers for the root zone is
+ now built into named, allowing the "masters" statement
+ to be omitted when configuring an IANA root zone
+ mirror. [GL #564]
+
+ 5054. [func] Attempts to use mirror zones with recursion disabled
+ are now considered a configuration error. [GL #564]
+
+ 5053. [func] The only valid zone-level NOTIFY settings for mirror
+ zones are now "notify no;" and "notify explicit;".
+ [GL #564]
+
+ 5052. [func] Mirror zones are now configured using "type mirror;"
+ rather than "mirror yes;". [GL #564]
+
+ 5051. [doc] Documentation incorrectly stated that the
+ "server-addresses" static-stub zone option accepts
+ custom port numbers. [GL #582]
+
+ 5050. [bug] The libirs version of getaddrinfo() was unable to parse
+ scoped IPv6 addresses present in /etc/resolv.conf.
+ [GL #187]
+
+ 5049. [cleanup] QNAME minimization has been deeply refactored. [GL #16]
+
+ 5048. [func] Add configure option to enable and enforce FIPS mode
+ in BIND 9. [GL #506]
+
+ 5047. [bug] Messages logged for certain query processing failures
+ now include a more specific error description if it is
+ available. [GL #572]
+
+ 5046. [bug] named could crash during shutdown if an RPZ
+ reload was in progress. [RT #46210]
+
+ 5045. [func] Remove support for DNSSEC algorithms 3 (DSA)
+ and 6 (DSA-NSEC3-SHA1). [GL #22]
+
+ 5044. [cleanup] If "dnssec-enable" is no, then "dnssec-validation"
+ now also defaults to no. [GL #388]
+
+ 5043. [bug] Fix creating and validating EdDSA signatures. [GL #579]
+
+ 5042. [test] Make the chained delegations in reclimit behave
+ like they would in a regular name server. [GL #578]
+
+ 5041. [test] The chain test contains a incomplete delegation.
+ [GL #568]
+
+ 5040. [func] Extended dnstap so that it can log UPDATE requests
+ and responses as separate message types. Thanks
+ to Greg Rabil. [GL #570]
+
+ 5039. [bug] Named could fail to preserve owner name case of new
+ RRset. [GL #420]
+
+ 5038. [bug] Chaosnet addresses were compared incorrectly.
+ [GL #562]
+
+ 5037. [func] "allow-recursion-on" and "allow-query-cache-on"
+ each now default to the other if only one of them
+ is set, in order to be more consistent with the way
+ "allow-recursion" and "allow-query-cache" work.
+ Also we now ensure that both query-cache ACLs are
+ checked when determining cache access. [GL #319]
+
+ 5036. [cleanup] Fixed a spacing/formatting error in some RPZ-related
+ error messages in the log. [GL !805]
+
+ 5035. [test] Fixed errors that prevented the DNSRPS subtests
+ from running in the rpz and rpzrecurse system
+ tests. [GL #503]
+
+ 5034. [bug] A race between threads could prevent zone maintenance
+ scheduled immediately after zone load from being
+ performed. [GL #542]
+
+ 5033. [bug] When adding NTAs to multiple views using "rndc nta",
+ the text returned via rndc was incorrectly terminated
+ after the first line, making it look as if only one
+ NTA had been added. Also, it was not possible to
+ differentiate between views with the same name but
+ different classes; this has been corrected with the
+ addition of a "-class" option. [GL #105]
+
+ 5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
+ [GL #511]
+
+ 5031. [cleanup] Various defines in platform.h has been either dropped
+ if always or never triggered on supported platforms
+ or replaced with config.h equivalents if the defines
+ didn't have any impact on public headers. Workarounds
+ for LinuxThreads have been removed because NPTL is
+ available since Linux kernel 2.6.0. [GL #525]
+
+ 5030. [bug] Align CMSG buffers to a 64-bit boundary, fixes crash
+ on architectures with strict alignment. [GL #521]
+
+ --- 9.13.3 released ---
+
+ 5029. [func] Workarounds for servers that misbehave when queried
+ with EDNS have been removed, because these broken
+ servers and the workarounds for their noncompliance
+ cause unnecessary delays, increase code complexity,
+ and prevent deployment of new DNS features. See
+ https://dnsflagday.net for further details. [GL #150]
+
+ 5028. [bug] Spread the initial RRSIG expiration times over the
+ entire working sig-validity-interval when signing a
+ zone in named to even out re-signing and transfer
+ loads. [GL #418]
+
+ 5027. [func] Set SO_SNDBUF size on sockets. [GL #74]
+
+ 5026. [bug] rndc reconfig should not touch already loaded zones.
+ [GL #276]
+
+ 5025. [cleanup] Remove isc_keyboard family of functions. [GL #178]
+
+ 5024. [func] Replace custom assembly for atomic operations with
+ atomic support from the compiler. The code will now use
+ C11 stdatomic, or __atomic, or __sync builtins with GCC
+ or Clang compilers, and Interlocked functions with MSVC.
+ [GL #10]
+
+ 5023. [cleanup] Remove wrappers that try to fix broken or incomplete
+ implementations of IPv6, pthreads and other core
+ functionality required and used by BIND. [GL #192]
+
+ 5022. [doc] Update ms-self, ms-subdomain, krb5-self, and
+ krb5-subdomain documentation. [GL !708]
+
+ 5021. [bug] dig returned a non-zero exit code when it received a
+ reply over TCP after a retry. [GL #487]
+
+ 5020. [func] RNG uses thread-local storage instead of locks, if
+ supported by platform. [GL #496]
+
+ 5019. [cleanup] A message is now logged when ixfr-from-differences is
+ set at zone level for an inline-signed zone. [GL #470]
+
+ 5018. [bug] Fix incorrect sizeof arguments in lib/isc/pk11.c.
+ [GL !588]
+
+ 5017. [bug] lib/isc/pk11.c failed to unlink the session before
+ releasing the lock which is unsafe. [GL !589]
+
+ 5016. [bug] Named could assert with overlapping filter-aaaa and
+ dns64 acls. [GL #445]
+
+ 5015. [bug] Reloading all zones caused zone maintenance to cease
+ for inline-signed zones. [GL #435]
+
+ 5014. [bug] Signatures loaded from the journal for the signed
+ version of an inline-signed zone were not scheduled for
+ refresh. [GL #482]
+
+ 5013. [bug] A referral response with a non-empty ANSWER section was
+ inadvertently being treated as an error. [GL #390]
+
+ 5012. [bug] Fix lock order reversal in pk11_initialize. [GL !590]
+
+ 5011. [func] Remove support for unthreaded named. [GL #478]
+
+ 5010. [func] New "validate-except" option specifies a list of
+ domains beneath which DNSSEC validation should not
+ be performed. [GL #237]
+
+ 5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL
+ error queue was not logged. [GL #476]
+
+ 5008. [bug] "rndc signing -nsec3param ..." requests were silently
+ ignored for zones which were not yet loaded or
+ transferred. [GL #468]
+
+ 5007. [cleanup] Replace custom ISC boolean and integer data types
+ with C99 stdint.h and stdbool.h types. [GL #9]
+
+ 5006. [cleanup] Code preparing a delegation response was extracted from
+ query_delegation() and query_zone_delegation() into a
+ separate function in order to decrease code
+ duplication. [GL #431]
+
+ 5005. [bug] dnssec-verify, and dnssec-signzone at the verification
+ step, failed on some validly signed zones. [GL #442]
+
+ 5004. [bug] 'rndc reconfig' could cause inline zones to stop
+ re-signing. [GL #439]
+
+ 5003. [bug] dns_acl_isinsecure did not handle geoip elements.
+ [GL #406]
+
+ 5002. [bug] mdig: Handle malformed +ednsopt option, support 100
+ +ednsopt options per query rather than 100 total and
+ address memory leaks if +ednsopt was specified.
+ [GL #410]
+
+ 5001. [bug] Fix refcount errors on error paths. [GL !563]
+
+ 5000. [bug] named_server_servestale() could leave the server in
+ exclusive mode if an error occurred. [GL #441]
+
+ 4999. [cleanup] Remove custom printf implementation in lib/isc/print.c.
+ [GL #261]
+
+ 4998. [test] Make resolver and cacheclean tests more civilized.
+
+ 4997. [security] named could crash during recursive processing
+ of DNAME records when "deny-answer-aliases" was
+ in use. (CVE-2018-5740) [GL #387]
+
+ 4996. [bug] dig: Handle malformed +ednsopt option. [GL #403]
+
+ 4995. [test] Add tests for "tcp-self" update policy. [GL !282]
+
+ 4994. [bug] Trust anchor telemetry queries were not being sent
+ upstream for locally served zones. [GL #392]
+
+ 4993. [cleanup] Remove support for silently ignoring 'no-change' deltas
+ from BIND 8 when processing an IXFR stream. 'no-change'
+ deltas will now trigger a fallback to AXFR as the
+ recovery mechanism. [GL #369]
+
+ 4992. [bug] The wrong address was being logged for trust anchor
+ telemetry queries. [GL #379]
+
+ 4991. [bug] "rndc reconfig" was incorrectly handling zones whose
+ "mirror" setting was changed. [GL #381]
+
+ 4990. [bug] Prevent a possible NULL reference in pkcs11-keygen.
+ [GL #401]
+
+ 4989. [cleanup] IDN support in dig has been reworked. IDNA2003
+ fallbacks were removed in the process. [GL #384]
+
+ 4988. [bug] Don't synthesize NXDOMAIN from NSEC for records under
+ a DNAME.
+
+ --- 9.13.2 released ---
+
+ 4987. [cleanup] dns_rdataslab_tordataset() and its related
+ dns_rdatasetmethods_t callbacks were removed as they
+ were not being used by anything in BIND. [GL #371]
+
+ 4986. [func] When built on Linux, BIND now requires the libcap
+ library to set process privileges, unless capability
+ support is explicitly overridden with "configure
+ --disable-linux-caps". [GL #321]
+
+ 4985. [func] Add a new slave zone option, "mirror", to enable
+ serving a non-authoritative copy of a zone that
+ is subject to DNSSEC validation before being
+ used. For now, this option is only meant to
+ facilitate deployment of an RFC 7706-style local
+ copy of the root zone. [GL #33]
+
+ 4984. [bug] Improve handling of very large incremental
+ zone transfers to prevent journal corruption. [GL #339]
+
+ 4983. [func] Add the ability to not return a DNS COOKIE option
+ when one is present in the request (answer-cookie no;).
+ [GL #173]
+
+ 4982. [cleanup] Return FORMERR if the question section is empty
+ and no COOKIE option is present; this restores
+ older behavior except in the newly specified
+ COOKIE case. [GL #260]
+
+ 4981. [bug] Fix race in cmsg buffer usage in socket code.
+ [GL #180]
+
+ 4980. [bug] Named-checkconf failed to detect bad in-view targets.
+ [GL #288]
+
+ 4979. [placeholder]
+
+ 4978. [test] Fix error handling and resolver configuration in the
+ "rpz" system test. [GL #312]
+
+ 4977. [func] When starting up, log the same details that
+ would be reported by 'named -V'. [GL #247]
+
+ 4976. [bug] Log the label with invalid prefix length correctly
+ when loading RPZ zones. [GL #254]
+
+ 4975. [bug] The server cookie computation for sha1 and sha256 did
+ not match the method described in RFC 7873. [GL #356]
+
+ 4974. [bug] Restore default rrset-order to random. [GL #336]
+
+ 4973. [func] verifyzone() and the functions it uses were moved to
+ libdns and refactored to prevent exit() from being
+ called upon failure. A side effect of that is that
+ dnssec-signzone and dnssec-verify now check for memory
+ leaks upon shutdown. [GL #266]
+
+ 4972. [func] Declare the 'rdata' argument for dns_rdata_tostruct()
+ to be const. [GL #341]
+
+ 4971. [bug] dnssec-signzone and dnssec-verify did not treat records
+ below a DNAME as out-of-zone data. [GL #298]
+
+ 4970. [func] Add QNAME minimization option to resolver. [GL #16]
+
+ 4969. [cleanup] Refactor zone logging functions. [GL #269]
+
+ --- 9.13.1 released ---
+
+ 4968. [bug] If glue records are signed, attempt to validate them.
+ [GL #209]
+
+ 4967. [cleanup] Add "answer-cookie" to the parser, marked obsolete.
+
+ 4966. [placeholder]
+
+ 4965. [func] Add support for marking options as deprecated.
+ [GL #322]
+
+ 4964. [bug] Reduce the probability of double signature when deleting
+ a DNSKEY by checking if the node is otherwise signed
+ by the algorithm of the key to be deleted. [GL #240]
+
+ 4963. [test] ifconfig.sh now uses "ip" instead of "ifconfig",
+ if available, to configure the test interfaces on
+ linux. [GL #302]
+
+ 4962. [cleanup] Move 'named -T' processing to its own function.
+ [GL #316]
+
+ 4961. [protocol] Remove support for ECC-GOST (GOST R 34.11-94).
+ [GL #295]
+
+ 4960. [security] When recursion is enabled, but the "allow-recursion"
+ and "allow-query-cache" ACLs are not specified,
+ they should be limited to local networks,
+ but were inadvertently set to match the default
+ "allow-query", thus allowing remote queries.
+ (CVE-2018-5738) [GL #309]
+
+ 4959. [func] NSID logging (enabled by the "request-nsid" option)
+ now has its own "nsid" category, instead of using the
+ "resolver" category. [GL !332]
+
+ 4958. [bug] Remove redundant space from NSEC3 record. [GL #281]
+
+ 4957. [func] The default setting for "dnssec-validation" is now
+ "auto", which activates DNSSEC validation using the
+ IANA root key. (The default can be changed back to
+ "yes", which activates DNSSEC validation only when keys
+ are explicitly configured in named.conf, by building
+ BIND with "configure --disable-auto-validation".)
+ [GL #30]
+
+ 4956. [func] Change isc_random() to be just PRNG using xoshiro128**,
+ and add isc_nonce_buf() that uses CSPRNG. [GL #289]
+
+ 4955. [cleanup] Silence cppcheck warnings in lib/dns/master.c.
+ [GL #286]
+
+ 4954. [func] Messages about serving of stale answers are now
+ directed to the "serve-stale" logging category.
+ Also clarified serve-stale documentation. [GL !323]
+
+ 4953. [bug] Removed the option to build the red black tree
+ database without a hash table; the non-hashing
+ version was buggy and is not needed. [GL #184]
+
+ 4952. [func] Authoritative server support in named for the
+ EDNS CLIENT-SUBNET option (which was experimental
+ and not practical to deploy) has been removed.
+
+ The ECS option is still supported in dig and mdig
+ via the +subnet option, and can be parsed and logged
+ when received by named, but it is no longer used
+ for ACL processing. The "geoip-use-ecs" option
+ is now obsolete; a warning will be logged if it is
+ used in named.conf. "ecs" tags in an ACL definition
+ are also obsolete and will cause the configuration
+ to fail to load. [GL #32]
+
+ 4951. [protocol] Add "HOME.ARPA" to list of built in empty zones as
+ per RFC 8375. [GL #273]
+
+ --- 9.13.0 released ---
+
+ 4950. [bug] ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
+
+ 4949. [placeholder]
+
+ 4948. [bug] When request-nsid is turned on, EDNS NSID options
+ should be logged at level info. Since change 3741
+ they have been logged at debug(3) by mistake.
+ [GL !290]
+
+ 4947. [func] Replace all random functions with isc_random(),
+ isc_random_buf() and isc_random_uniform() API.
+ [GL #221]
+
+ 4946. [bug] Additional glue was not being returned by resolver
+ for unsigned zones since change 4596. [GL #209]
+
+ 4945. [func] BIND can no longer be built without DNSSEC support.
+ A cryptography provider (i.e., OpenSSL or a hardware
+ service module with PKCS#11 support) must be
+ available. [GL #244]
+
+ 4944. [cleanup] Silence cppcheck portability warnings in
+ lib/isc/tests/buffer_test.c. [GL #239]
+
+ 4943. [bug] Change 4687 consumed too much memory when running
+ system tests with --with-tuning=large. Reduced the
+ hash table size to 512 entries for 'named -m record'
+ restoring the previous memory footprint. [GL #248]
+
+ 4942. [cleanup] Consolidate multiple instances of splitting of
+ batchline in dig into a single function. [GL #196]
+
+ 4941. [cleanup] Silence clang static analyzer warnings. [GL #196]
+
+ 4940. [cleanup] Extract the loop in dns__zone_updatesigs() into
+ separate functions to improve code readability.
+ [GL #135]
+
+ 4939. [test] Add basic unit tests for update_sigs(). [GL #135]
+
+ 4938. [placeholder]
+
+ 4937. [func] Remove support for OpenSSL < 1.0.0 [GL #191]
+
+ 4936. [func] Always use OpenSSL or PKCS#11 random data providers,
+ and remove the --{enable,disable}-crypto-rand configure
+ options. [GL #165]
+
+ 4935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
+ call were added). [GL #191]
+
+ 4934. [security] The serve-stale feature could cause an assertion failure
+ in rbtdb.c even when stale-answer-enable was false.
+ Simultaneous use of stale cache records and NSEC
+ aggressive negative caching could trigger a recursion
+ loop. (CVE-2018-5737) [GL #185]
+
+ 4933. [bug] Not creating signing keys for an inline signed zone
+ prevented changes applied to the raw zone from being
+ reflected in the secure zone until signing keys were
+ made available. [GL #159]
+
+ 4932. [bug] Bumped signed serial of an inline signed zone was
+ logged even when an error occurred while updating
+ signatures. [GL #159]
+
+ 4931. [func] Removed the "rbtdb64" database implementation.
+ [GL #217]
+
+ 4930. [bug] Remove a bogus check in nslookup command line
+ argument processing. [GL #206]
+
+ 4929. [func] Add the ability to set RA and TC in queries made by
+ dig (+[no]raflag, +[no]tcflag). [GL #213]
+
+ 4928. [func] The "dnskey-sig-validity" option allows
+ "sig-validity-interval" to be overridden for signatures
+ covering DNSKEY RRsets. [GL #145]
+
+ 4927. [placeholder]
+
+ 4926. [func] Add root key sentinel support. To disable, add
+ 'root-key-sentinel no;' to named.conf. [GL #37]
+
+ 4925. [func] Several configuration options that define intervals
+ can now take TTL value suffixes (for example, 2h or 1d)
+ in addition to integer parameters. These include
+ max-cache-ttl, max-ncache-ttl, max-policy-ttl,
+ fstrm-set-reopen-interval, interface-interval, and
+ min-update-interval. [GL #203]
+
+ 4924. [cleanup] Clean up the isc_string_* namespace and leave
+ only strlcpy and strlcat. [GL #178]
+
+ 4923. [cleanup] Refactor socket and socket event options into
+ enum types. [GL !135]
+
+ 4922. [bug] dnstap: Log the destination address of client
+ packets rather than the interface address.
+ [GL #197]
+
+ 4921. [cleanup] Add dns_fixedname_initname() and refactor the caller
+ code to make usage of the new function, as a part of
+ refactoring dns_fixedname_*() macros were turned into
+ functions. [GL #183]
+
+ 4920. [cleanup] Clean up libdns removing most of the backwards
+ compatibility wrappers.
+
+ 4919. [cleanup] Clean up the isc_hash_* namespace and leave only
+ the FNV-1a hash implementation. [GL #178]
+
+ 4918. [bug] Fix double free after keygen error in dnssec-keygen
+ when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
+ fails. [GL #109]
+
+ 4917. [func] Support 64 RPZ policy zones by default. [GL #123]
+
+ 4916. [func] Remove IDNA2003 support and the bundled idnkit-1.0
+ library.
+
+ 4915. [func] Implement IDNA2008 support in dig by adding support
+ for libidn2. New dig option +idnin has been added,
+ which allows to process invalid domain names much
+ like dig without IDN support. libidn2 version 2.0
+ or higher is needed for +idnout enabled by default.
+
+ 4914. [security] A bug in zone database reference counting could lead to
+ a crash when multiple versions of a slave zone were
+ transferred from a master in close succession.
+ (CVE-2018-5736) [GL #134]
+
+ 4913. [test] Re-implemented older unit tests in bin/tests as ATF,
+ removed the lib/tests unit testing library. [GL #115]
+
+ 4912. [test] Improved the reliability of the 'cds' system test.
+ [GL #136]
+
+ 4911. [test] Improved the reliability of the 'mkeys' system test.
+ [GL #128]
+
+ 4910. [func] Update util/check-changes to work on release branches.
+ [GL #113]
+
+ 4909. [bug] named-checkconf did not detect in-view zone collisions.
+ [GL #125]
+
+ 4908. [test] Eliminated unnecessary waiting in the allow_query
+ system test. Also changed its name to allow-query.
+ [GL #81]
+
+ 4907. [test] Improved the reliability of the 'notify' system
+ test. [GL #59]
+
+ 4906. [func] Replace getquad() with inet_pton(), completing
+ change #4900. [GL #56]
+
+ 4905. [bug] irs_resconf_load() ignored resolv.conf syntax errors
+ when "domain" or "search" options were present in that
+ file. [GL #110]
+
+ 4904. [bug] Temporarily revert change #4859. [GL #124]
+
+ 4903. [bug] "check-mx fail;" did not prevent MX records containing
+ IP addresses from being added to a zone by a dynamic
+ update. [GL #112]
+
+ 4902. [test] Improved the reliability of the 'ixfr' system
+ test. [GL #66]
+
+ 4901. [func] "dig +nssearch" now lists the name servers
+ for a domain that time out, as well as the servers
+ that respond. [GL #64]
+
+ 4900. [func] Remove all uses of inet_aton(). As a result of this
+ change, IPv4 addresses are now only accepted in
+ dotted-quad format. [GL #13]
+
+ 4899. [test] Convert most of the remaining system tests to be able
+ to run in parallel, continuing the work from change
+ #4895. To take advantage of this, use "make -jN check",
+ where N is the number of processors to use. [GL #91]
+
+ 4898. [func] Remove libseccomp based system-call filtering. [GL #93]
+
+ 4897. [test] Update to rpz system test so that it doesn't recurse.
+ [GL #68]
+
+ 4896. [test] cacheclean system test was not robust. [GL #82]
+
+ 4895. [test] Allow some system tests to run in parallel.
+ [RT #46602]
+
+ 4894. [bug] named could crash while rolling a dnstap output file.
+ [RT #46942]
+
+ 4893. [bug] Address various issues reported by cppcheck. [GL #51]
+
+ 4892. [bug] named could leak memory when "rndc reload" was invoked
+ before all zone loading actions triggered by a previous
+ "rndc reload" command were completed. [RT #47076]
+
+ 4891. [placeholder]
+
+ 4890. [func] Remove unused ondestroy callback from libisc.
+ [isc-projects/bind9!3]
+
+ 4889. [func] Warn about the use of old root keys without the new
+ root key being present. Warn about dlv.isc.org's
+ key being present. Warn about both managed and
+ trusted root keys being present. [RT #43670]
+
+ 4888. [test] Initialize sockets correctly in sample-update so
+ that the nsupdate system test will run on Windows.
+ [RT #47097]
+
+ 4887. [test] Enable the rpzrecurse test to run on Windows.
+ [RT #47093]
+
+ 4886. [doc] Document dig -u in manpage. [RT #47150]
+
+ 4885. [security] update-policy rules that otherwise ignore the name
+ field now require that it be set to "." to ensure
+ that any type list present is properly interpreted.
+ [RT #47126]
+
+ 4884. [bug] named could crash on shutdown due to a race between
+ shutdown_server() and ns__client_request(). [RT #47120]
+
+ 4883. [cleanup] Improved debugging output from dnssec-cds. [RT #47026]
+
+ 4882. [bug] Address potential memory leak in
+ dns_update_signaturesinc. [RT #47084]
+
+ 4881. [bug] Only include dst_openssl.h when OpenSSL is required.
+ [RT #47068]
+
+ 4880. [bug] Named wasn't returning the target of a cross-zone
+ CNAME between two served zones when recursion was
+ desired and available (RD=1, RA=1). (When this is
+ not the case, the CNAME target is deliberately
+ withheld to prevent accidental cache poisoning.)
+ [RT #47078]
+
+ 4879. [bug] dns_rdata_caa:value_len field was too small.
+ [RT #47086]
+
+ 4878. [bug] List 'ply' as a requirement for the 'isc' python
+ package. [RT #47065]
+
+ 4877. [bug] Address integer overflow when exponentially
+ backing off retry intervals. [RT #47041]
+
+ 4876. [bug] Address deadlock with accessing a keytable. [RT #47000]
+
+ 4875. [bug] Address compile failures on older systems. [RT #47015]
+
+ 4874. [bug] Wrong time display when reporting new keywarntime.
+ [RT #47042]
+
+ 4873. [doc] Grammars for named.conf included in the ARM are now
+ automatically generated by the configuration parser
+ itself. As a side effect of the work needed to
+ separate zone type grammars from each other, this
+ also makes checking of zone statements in
+ named-checkconf more correct and consistent.
+ [RT #36957]
+
+ 4872. [bug] Don't permit loading meta RR types such as TKEY
+ from master files. [RT #47009]
+
+ 4871. [bug] Fix configure glitch in detecting stdatomic.h
+ support on systems with multiple compilers.
+ [RT #46959]
+
+ 4870. [test] Update included ATF library to atf-0.21 preserving
+ the ATF tool. [RT #46967]
+
+ 4869. [bug] Address some cases where NULL with zero length could
+ be passed to memmove which is undefined behavior and
+ can lead to bad optimization. [RT #46888]
+
+ 4868. [func] dnssec-keygen can no longer generate HMAC keys.
+ Use tsig-keygen instead. [RT #46404]
+
+ 4867. [cleanup] Normalize rndc on/off commands (validation,
+ querylog, serve-stale) so they all accept the
+ same synonyms for on/off (yes/no, true/false,
+ enable/disable). Thanks to Tony Finch. [RT #47022]
+
+ 4866. [port] DST library initialization verifies MD5 (when MD5
+ was not disabled) and SHA-1 hash and HMAC support.
+ [RT #46764]
+
+ 4865. [cleanup] Simplify handling isc_socket_sendto2() return values.
+ [RT #46986]
+
+ 4864. [bug] named acting as a slave for a catalog zone crashed if
+ the latter contained a master definition without an IP
+ address. [RT #45999]
+
+ 4863. [bug] Fix various other bugs reported by Valgrind's
+ memcheck tool. [RT #46978]
+
+ 4862. [bug] The rdata flags for RRSIG were not being properly set
+ when constructing a rdataslab. [RT #46978]
+
+ 4861. [bug] The isc_crc64 unit test was not endian independent.
+ [RT #46973]
+
+ 4860. [bug] isc_int8_t should be signed char. [RT #46973]
+
+ 4859. [bug] A loop was possible when attempting to validate
+ unsigned CNAME responses from secure zones;
+ this caused a delay in returning SERVFAIL and
+ also increased the chances of encountering
+ CVE-2017-3145. [RT #46839]
+
+ 4858. [security] Addresses could be referenced after being freed
+ in resolver.c, causing an assertion failure.
+ (CVE-2017-3145) [RT #46839]
+
+ 4857. [bug] Maintain attach/detach semantics for event->db,
+ event->node, event->rdataset and event->sigrdataset
+ in query.c. [RT #46891]
+
+ 4856. [bug] 'rndc zonestatus' reported the wrong underlying type
+ for a inline slave zone. [RT #46875]
+
+ 4855. [bug] isc_time_formatshorttimestamp produced incorrect
+ output. [RT #46938]
+
+ 4854. [bug] query_synthcnamewildcard should stop generating the
+ response if query_synthwildcard fails. [RT #46939]
+
+ 4853. [bug] Add REQUIRE's and INSIST's to isc_time_formatISO8601L
+ and isc_time_formatISO8601Lms. [RT #46916]
+
+ 4852. [bug] Handle strftime() failing in isc_time_formatISO8601ms.
+ Add REQUIRE's and INSIST's to isc_time_formattimestamp,
+ isc_time_formathttptimestamp, isc_time_formatISO8601,
+ isc_time_formatISO8601ms. [RT #46892]
+
+ 4851. [port] Support using kyua as well as atf-run to run the unit
+ tests. [RT #46853]
+
+ 4850. [bug] Named failed to restart with multiple added zones in
+ lmdb database. [RT #46889]
+
+ 4849. [bug] Duplicate zones could appear in the .nzf file if
+ addzone failed. [RT #46435]
+
+ 4848. [func] Zone types "primary" and "secondary" can now be used
+ as synonyms for "master" and "slave" in named.conf.
+ [RT #46713]
+
+ 4847. [bug] dnssec-dnskey-kskonly was not being honored for
+ CDS and CDNSKEY. [RT #46755]
+
+ 4846. [test] Adjust timing values in runtime system test. Address
+ named.pid removal races in runtime system test.
+ [RT #46800]
+
+ 4845. [bug] Dig (non iOS) should exit on malformed names.
+ [RT #46806]
+
+ 4844. [test] Address memory leaks in libatf-c. [RT #46798]
+
+ 4843. [bug] dnssec-signzone free hashlist on exit. [RT #46791]
+
+ 4842. [bug] Conditionally compile opensslecdsa_link.c to avoid
+ warnings about unused function. [RT #46790]
+
+ --- 9.12.0rc1 released ---
+
+ 4841. [bug] Address -fsanitize=undefined warnings. [RT #46786]
+
+ 4840. [test] Add tests to cover fallback to using ZSK on inactive
+ KSK. [RT #46787]
+
+ 4839. [bug] zone.c:zone_sign was not properly determining
+ if there were active KSK and ZSK keys for
+ a algorithm when update-check-ksk is true
+ (default) leaving records unsigned with one or
+ more DNSKEY algorithms. [RT #46774]
+
+ 4838. [bug] zone.c:add_sigs was not properly determining
+ if there were active KSK and ZSK keys for
+ a algorithm when update-check-ksk is true
+ (default) leaving records unsigned with one or
+ more DNSKEY algorithms. [RT #46754]
+
+ 4837. [bug] dns_update_signatures{inc} (add_sigs) was not
+ properly determining if there were active KSK and
+ ZSK keys for a algorithm when update-check-ksk is
+ true (default) leaving records unsigned when there
+ were multiple DNSKEY algorithms for the zone.
+ [RT #46743]
+
+ 4836. [bug] Zones created using "rndc addzone" could
+ temporarily fail to inherit an "allow-transfer"
+ ACL that had been configured in the options
+ statement. [RT #46603]
+
+ 4835. [cleanup] Clean up and refactor LMDB-related code. [RT #46718]
+
+ 4834. [port] Fix LMDB support on OpenBSD. [RT #46718]
+
+ 4833. [bug] isc_event_free should check that the event is not
+ linked when called. [RT #46725]
+
+ 4832. [bug] Events were not being removed from zone->rss_events.
+ [RT #46725]
+
+ 4831. [bug] Convert the RRSIG expirytime to 64 bits for
+ comparisons in diff.c:resign. [RT #46710]
+
+ 4830. [bug] Failure to configure ATF when requested did not cause
+ an error in top-level configure script. [RT #46655]
+
+ 4829. [bug] isc_heap_delete did not zero the index value when
+ the heap was created with a callback to do that.
+ [RT #46709]
+
+ 4828. [bug] Do not use thread-local storage for storing LMDB reader
+ locktable slots. [RT #46556]
+
+ 4827. [misc] Add a precommit check script util/checklibs.sh
+ [RT #46215]
+
+ 4826. [cleanup] Prevent potential build failures in bin/confgen/ and
+ bin/named/ when using parallel make. [RT #46648]
+
+ 4825. [bug] Prevent a bogus "error during managed-keys processing
+ (no more)" warning from being logged. [RT #46645]
+
+ 4824. [port] Add iOS hooks to dig. [RT #42011]
+
+ 4823. [test] Refactor reclimit system test to improve its
+ reliability and speed. [RT #46632]
+
+ 4822. [bug] Use resign_sooner in dns_db_setsigningtime. [RT #46473]
+
+ 4821. [bug] When resigning ensure that the SOA's expire time is
+ always later that the resigning time of other records.
+ [RT #46473]
+
+ 4820. [bug] dns_db_subtractrdataset should transfer the resigning
+ information to the new header. [RT #46473]
+
+ 4819. [bug] Fully backout the transaction when adding a RRset
+ to the resigning / removal heaps fails. [RT #46473]
+
+ 4818. [test] The logfileconfig system test could intermittently
+ report false negatives on some platforms. [RT #46615]
+
+ 4817. [cleanup] Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
+ [RT #45433]
+
+ 4816. [bug] Don't use a common array for storing EDNS options
+ in DiG as it could fill up. [RT #45611]
+
+ 4815. [bug] rbt_test.c:insert_and_delete needed to call
+ dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
+
+ 4814. [cleanup] Use AS_HELP_STRING for consistent help text. [RT #46521]
+
+ 4813. [bug] Address potential read after free errors from
+ query_synthnodata, query_synthwildcard and
+ query_synthnxdomain. [RT #46547]
+
+ 4812. [bug] Minor improvements to stability and consistency of code
+ handling managed keys. [RT #46468]
+
+ 4811. [bug] Revert api changes to use <isc/buffer.h> inline
+ macros. Provide a alternative mechanism to turn
+ on the use of inline macros when building BIND.
+ [RT #46520]
+
+ 4810. [test] The chain system test failed if the IPv6 interfaces
+ were not configured. [RT #46508]
+
+ --- 9.12.0b2 released ---
+
+ 4809. [port] Check at configure time whether -latomic is needed
+ for stdatomic.h. [RT #46324]
+
+ 4808. [bug] Properly test for zlib.h. [RT #46504]
+
+ 4807. [cleanup] isc_rng_randombytes() returns a specified number of
+ bytes from the PRNG; this is now used instead of
+ calling isc_rng_random() multiple times. [RT #46230]
+
+ 4806. [func] Log messages related to loading of zones are now
+ directed to the "zoneload" logging category.
+ [RT #41640]
+
+ 4805. [bug] TCP4Active and TCP6Active weren't being updated
+ correctly. [RT #46454]
+
+ 4804. [port] win32: access() does not work on directories as
+ required by POSIX. Supply a alternative in
+ isc_file_isdirwritable. [RT #46394]
+
+ 4803. [placeholder]
+
+ 4802. [test] Refactor mkeys system test to make it quicker and more
+ reliable. [RT #45293]
+
+ 4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
+ trust-anchor dlv.isc.org;' now elicit warnings rather
+ than being fatal configuration errors. [RT #46410]
+
+ 4800. [bug] When processing delzone, write one zone config per
+ line to the NZF. [RT #46323]
+
+ 4799. [cleanup] Improve clarity of keytable unit tests. [RT #46407]
+
+ 4798. [func] Keys specified in "managed-keys" statements
+ are tagged as "initializing" until they have been
+ updated by a key refresh query. If initialization
+ fails it will be visible from "rndc secroots".
+ [RT #46267]
+
+ 4797. [func] Removed "isc-hmac-fixup", as the versions of BIND that
+ had the bug it worked around are long past end of
+ life. [RT #46411]
+
+ 4796. [bug] Increase the maximum configurable TCP keepalive
+ timeout to 65535. [RT #44710]
+
+ 4795. [func] A new statistics counter has been added to track
+ priming queries. [RT #46313]
+
+ 4794. [func] "dnssec-checkds -s" specifies a file from which
+ to read a DS set rather than querying the parent.
+ [RT #44667]
+
+ 4793. [bug] nsupdate -[46] could overflow the array of server
+ addresses. [RT #46402]
+
+ 4792. [bug] Fix map file header correctness check. [RT #38418]
+
+ 4791. [doc] Fixed outdated documentation about export libraries.
+ [RT #46341]
+
+ 4790. [bug] nsupdate could trigger a require when sending a
+ update to the second address of the server.
+ [RT #45731]
+
+ 4789. [cleanup] Check writability of new-zones-directory. [RT #46308]
+
+ 4788. [cleanup] When using "update-policy local", log a warning
+ when an update matching the session key is received
+ from a remote host. [RT #46213]
+
+ 4787. [cleanup] Turn nsec3param_salt_totext() into a public function,
+ dns_nsec3param_salttotext(), and add unit tests for it.
+ [RT #46289]
+
+ 4786. [func] The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
+ options are no longer conditionally compiled.
+ [RT #46340]
+
+ 4785. [func] The hmac-md5 algorithm is no longer recommended for
+ use with RNDC keys. The default in rndc-confgen
+ is now hmac-sha256. [RT #42272]
+
+ 4784. [func] The use of dnssec-keygen to generate HMAC keys is
+ deprecated in favor of tsig-keygen. dnssec-keygen
+ will print a warning when used for this purpose.
+ All HMAC algorithms will be removed from
+ dnssec-keygen in a future release. [RT #42272]
+
+ 4783. [test] dnssec: 'check that NOTIFY is sent at the end of
+ NSEC3 chain generation failed' required more time
+ on some machines for the IXFR to complete. [RT #46388]
+
+ 4782. [test] dnssec: 'checking positive and negative validation
+ with negative trust anchors' required more time to
+ complete on some machines. [RT #46386]
+
+ 4781. [maint] B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
+
+ 4780. [bug] When answering ANY queries, don't include the NS
+ RRset in the authority section if it was already
+ in the answer section. [RT #44543]
+
+ 4779. [bug] Expire NTA at the start of the second. Don't update
+ the expiry value if the record has already expired
+ after a successful check. [RT #46368]
+
+ 4778. [test] Improve synth-from-dnssec testing. [RT #46352]
+
+ 4777. [cleanup] Removed a redundant call to configure_view_acl().
+ [RT #46369]
+
+ 4776. [bug] Improve portability of ht_test. [RT #46333]
+
+ 4775. [bug] Address Coverity warnings in ht_test.c and mem_test.c
+ [RT #46281]
+
+ 4774. [bug] <isc/util.h> was incorrectly included in several
+ header files. [RT #46311]
+
+ 4773. [doc] Fixed generating Doxygen documentation for functions
+ annotated using certain macros. Miscellaneous
+ Doxygen-related cleanups. [RT #46276]
+
+ --- 9.12.0b1 released ---
+
+ 4772. [test] Expanded unit testing framework for libns, using
+ hooks to interrupt query flow and inspect state
+ at specified locations. [RT #46173]
+
+ 4771. [bug] When sending RFC 5011 refresh queries, disregard
+ cached DNSKEY rrsets. [RT #46251]
+
+ 4770. [bug] Cache additional data from priming queries as glue.
+ Previously they were ignored as unsigned
+ non-answer data from a secure zone, and never
+ actually got added to the cache, causing hints
+ to be used frequently for root-server
+ addresses, which triggered re-priming. [RT #45241]
+
+ 4769. [func] The working directory and managed-keys directory has
+ to be writeable (and seekable). [RT #46077]
+
+ 4768. [func] By default, memory is no longer filled with tag values
+ when it is allocated or freed; this improves
+ performance but makes debugging of certain memory
+ issues more difficult. "named -M fill" turns memory
+ filling back on. (Building "configure
+ --enable-developer", turns memory fill on by
+ default again; it can then be disabled with
+ "named -M nofill".) [RT #45123]
+
+ 4767. [func] Add a new function, isc_buffer_printf(), which can be
+ used to append a formatted string to the used region of
+ a buffer. [RT #46201]
+
+ 4766. [cleanup] Address Coverity warnings. [RT #46150]
+
+ 4765. [bug] Address potential INSIST in dnssec-cds. [RT #46150]
+
+ 4764. [bug] Address portability issues in cds system test.
+ [RT #46214]
+
+ 4763. [contrib] Improve compatibility when building MySQL DLZ
+ module by using mysql_config if available.
+ [RT #45558]
+
+ 4762. [func] "update-policy local" is now restricted to updates
+ from local addresses. (Previously, other addresses
+ were allowed so long as updates were signed by the
+ local session key.) [RT #45492]
+
+ 4761. [protocol] Add support for DOA. [RT #45612]
+
+ 4760. [func] Add glue cache statistics counters. [RT #46028]
+
+ 4759. [func] Add logging channel "trust-anchor-telemetry" to
+ record trust-anchor-telemetry in incoming requests.
+ Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
+ are logged. [RT #46124]
+
+ 4758. [doc] Remove documentation of unimplemented "topology".
+ [RT #46161]
+
+ 4757. [func] New "dnssec-cds" command creates a new parent DS
+ RRset based on CDS or CDNSKEY RRsets found in
+ a child zone, and generates either a dsset file
+ or stream of nsupdate commands to update the
+ parent. Thanks to Tony Finch. [RT #46090]
+
+ 4756. [bug] Interrupting dig could lead to an INSIST failure after
+ certain errors were encountered while querying a host
+ whose name resolved to more than one address. Change
+ 4537 increased the odds of triggering this issue by
+ causing dig to hang indefinitely when certain error
+ paths were evaluated. dig now also retries TCP queries
+ (once) if the server gracefully closes the connection
+ before sending a response. [RT #42832, #45159]
+
+ 4755. [cleanup] Silence unnecessary log message when NZF file doesn't
+ exist. [RT #46186]
+
+ 4754. [bug] dns_zone_setview needs a two stage commit to properly
+ handle errors. [RT #45841]
+
+ 4753. [contrib] Software obtainable from known upstream locations
+ (i.e., zkt, nslint, query-loc) has been removed.
+ Links to these and other packages can be found at
+ https://www.isc.org/community/tools [RT #46182]
+
+ 4752. [test] Add unit test for isc_net_pton. [RT #46171]
+
+ 4751. [func] "dnssec-signzone -S" can now automatically add parent
+ synchronization records (CDS and CDNSKEY) according
+ to key metadata set using the -Psync and -Dsync
+ options to dnssec-keygen and dnssec-settime.
+ [RT #46149]
+
+ 4750. [func] "rndc managed-keys destroy" shuts down RFC 5011 key
+ maintenance and deletes the managed-keys database.
+ If followed by "rndc reconfig" or a server restart,
+ key maintenance is reinitialized from scratch.
+ This is primarily intended for testing. [RT #32456]
+
+ 4749. [func] The ISC DLV service has been shut down, and all
+ DLV records have been removed from dlv.isc.org.
+ - Removed references to ISC DLV in documentation
+ - Removed DLV key from bind.keys
+ - No longer use ISC DLV by default in delv
+ - "dnssec-lookaside auto" and configuration of
+ "dnssec-lookaide" with dlv.isc.org as the trust
+ anchor are both now fatal errors.
+ [RT #46155]
+
+ 4748. [cleanup] Sprintf to snprintf coversions. [RT #46132]
+
+ 4747. [func] Synthesis of responses from DNSSEC-verified records.
+ Stage 3 - synthesize NODATA responses. [RT #40138]
+
+ 4746. [cleanup] Add configured prefixes to configure summary
+ output. [RT #46153]
+
+ 4745. [test] Add color-coded pass/fail messages to system
+ tests when running on terminals that support them.
+ [RT #45977]
+
+ 4744. [bug] Suppress trust-anchor-telemetry queries if
+ validation is disabled. [RT #46131]
+
+ 4743. [func] Exclude trust-anchor-telemetry queries from
+ synth-from-dnssec processing. [RT #46123]
+
+ 4742. [func] Synthesis of responses from DNSSEC-verified records.
+ Stage 2 - synthesis of records from wildcard data.
+ If the dns64 or filter-aaaa* is configured then the
+ involved lookups are currently excluded. [RT #40138]
+
+ 4741. [bug] Make isc_refcount_current() atomically read the
+ counter value. [RT #46074]
+
+ 4740. [cleanup] Avoid triggering format-truncated warnings. [RT #46107]
+
+ 4739. [cleanup] Address clang static analysis warnings. [RT #45952]
+
+ 4738. [port] win32: strftime mishandles %Z. [RT #46039]
+
+ 4737. [cleanup] Address Coverity warnings. [RT #46012]
+
+ 4736. [cleanup] (a) Added comments to NSEC3-related functions in
+ lib/dns/zone.c. (b) Refactored NSEC3 salt formatting
+ code. (c) Minor tweaks to lock and result handling.
+ [RT #46053]
+
+ 4735. [bug] Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
+
+ 4734. [contrib] Added sample configuration for DNS-over-TLS in
+ contrib/dnspriv.
+
+ 4733. [bug] Change #4706 introduced a bug causing TCP clients
+ not be reused correctly, leading to unconstrained
+ memory growth. [RT #46029]
+
+ 4732. [func] Change default minimal-responses setting to
+ no-auth-recursive. [RT #46016]
+
+ 4731. [bug] Fix use after free when closing an LMDB. [RT #46000]
+
+ 4730. [bug] Fix out of bounds access in DHCID totext() method.
+ [RT #46001]
+
+ 4729. [bug] Don't use memset() to wipe memory, as it may be
+ removed by compiler optimizations when the
+ memset() occurs on automatic stack allocation
+ just before function return. [RT #45947]
+
+ 4728. [func] Use C11's stdatomic.h instead of isc_atomic
+ where available. [RT #40668]
+
+ 4727. [bug] Retransferring an inline-signed slave using NSEC3
+ around the time its NSEC3 salt was changed could result
+ in an infinite signing loop. [RT #45080]
+
+ 4726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN
+ from being logged on FreeBSD if the kernel does not
+ support it. Notify the user when the kernel does
+ support TCP_FASTOPEN, but it is disabled by sysctl.
+ Add a new configure option, --disable-tcp-fastopen, to
+ disable use of TCP_FASTOPEN altogether. [RT #44754]
+
+ 4725. [bug] Nsupdate: "recvsoa" was incorrectly reported for
+ failures in sending the update message. The correct
+ location to be reported is "update_completed".
+ [RT #46014]
+
+ 4724. [func] By default, BIND now uses the random number
+ functions provided by the crypto library (i.e.,
+ OpenSSL or a PKCS#11 provider) as a source of
+ randomness rather than /dev/random. This is
+ suitable for virtual machine environments
+ which have limited entropy pools and lack
+ hardware random number generators.
+
+ This can be overridden by specifying another
+ entropy source via the "random-device" option
+ in named.conf, or via the -r command line option;
+ however, for functions requiring full cryptographic
+ strength, such as DNSSEC key generation, this
+ cannot be overridden. In particular, the -r
+ command line option no longer has any effect on
+ dnssec-keygen.
+
+ This can be disabled by building with
+ "configure --disable-crypto-rand".
+ [RT #31459] [RT #46047]
+
+ 4723. [bug] Statistics counter DNSTAPdropped was misidentified
+ as DNSSECdropped. [RT #46002]
+
+ 4722. [cleanup] Clean up uses of strcpy() and strcat() in favor of
+ strlcpy() and strlcat() for safety. [RT #45981]
+
+ 4721. [func] 'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
+ options now apply to CDNSKEY and DS records as well
+ as DNSKEY. Thanks to Tony Finch. [RT #45689]
+
+ 4720. [func] Added a statistics counter to track prefetch
+ queries. [RT #45847]
+
+ 4719. [bug] Address PVS static analyzer warnings. [RT #45946]
+
+ 4718. [func] Avoid searching for a owner name compression pointer
+ more than once when writing out a RRset. [RT #45802]
+
+ 4717. [bug] Treat replies with QCOUNT=0 as truncated if TC=1,
+ FORMERR if TC=0, and log the error correctly.
+ [RT #45836]
+
+ 4716. [placeholder]
+
+ --- 9.12.0a1 released ---
+
+ 4715. [bug] TreeMemMax was mis-identified as a second HeapMemMax
+ in the Json cache statistics. [RT #45980]
+
+ 4714. [port] openbsd/libressl: add support for building with
+ --enable-openssl-hash. [RT #45982]
+
+ 4713. [func] Added support for the DNS Response Policy Service
+ (DNSRPS) API, which allows named to use an external
+ response policy daemon when built with
+ "configure --enable-dnsrps". Thanks to Farsight
+ Security. [RT #43376]
+
+ 4712. [bug] "dig +domain" and "dig +search" didn't retain the
+ search domain when retrying with TCP. [RT #45547]
+
+ 4711. [test] Some RR types were missing from genzones.sh.
+ [RT #45782]
+
+ 4710. [cleanup] Changed the --enable-openssl-hash default to yes.
+ [RT #45019]
+
+ 4709. [cleanup] Use dns_name_fullhash() to hash names for RRL.
+ [RT #45435]
+
+ 4708. [cleanup] Legacy Windows builds (i.e. for XP and earlier)
+ are no longer supported. [RT #45186]
+
+ 4707. [func] The lightweight resolver daemon and library (lwresd
+ and liblwres) have been removed. [RT #45186]
+
+ 4706. [func] Code implementing name server query processing has
+ been moved from bin/named to a new library "libns".
+ Functions remaining in bin/named are now prefixed
+ with "named_" rather than "ns_". This will make it
+ easier to write unit tests for name server code, or
+ link name server functionality into new tools.
+ [RT #45186]
+
+ 4705. [placeholder]
+
+ 4704. [cleanup] Silence Visual Studio compiler warnings. [RT #45898]
+
+ 4703. [bug] BINDInstall.exe was missing some buffer length checks.
+ [RT #45898]
+
+ 4702. [func] Update function declarations to use
+ dns_masterstyle_flags_t for style flags. [RT #45924]
+
+ 4701. [cleanup] Refactored lib/dns/tsig.c to reduce code
+ duplication and simplify the disabling of MD5.
+ [RT #45490]
+
+ 4700. [func] Serving of stale answers is now supported. This
+ allows named to provide stale cached answers when
+ the authoritative server is under attack.
+ See max-stale-ttl, stale-answer-enable,
+ stale-answer-ttl. [RT #44790]
+
+ 4699. [func] Multiple cookie-secret clauses can now be specified.
+ The first one specified is used to generate new
+ server cookies. [RT #45672]
+
+ 4698. [port] Add --with-python-install-dir configure option to allow
+ specifying a nonstandard installation directory for
+ Python modules. [RT #45407]
+
+ 4697. [bug] Restore workaround for Microsoft Windows TSIG hash
+ computation bug. [RT #45854]
+
+ 4696. [port] Enable filter-aaaa support by default on Windows
+ builds. [RT #45883]
+
+ 4695. [bug] cookie-secrets were not being properly checked by
+ named-checkconf. [RT #45886]
+
+ 4694. [func] dnssec-keygen no longer uses RSASHA1 by default;
+ the signing algorithm must be specified on
+ the command line with the "-a" option. Signing
+ scripts that rely on the existing default behavior
+ will break; use "dnssec-keygen -a RSASHA1" to
+ repair them. (The goal of this change is to make
+ it easier to find scripts using RSASHA1 so they
+ can be changed in the event of that algorithm
+ being deprecated in the future.) [RT #44755]
+
+ 4693. [func] Synthesis of responses from DNSSEC-verified records.
+ Stage 1 covers NXDOMAIN synthesis from NSEC records.
+ This is controlled by synth-from-dnssec and is enabled
+ by default. [RT #40138]
+
+ 4692. [bug] Fix build failures with libressl introduced in 4676.
+ [RT #45879]
+
+ 4691. [func] Add -4/-6 command line options to nsupdate and rndc.
+ [RT #45632]
+
+ 4690. [bug] Command line options -4/-6 were handled inconsistently
+ between tools. [RT #45632]
+
+ 4689. [cleanup] Turn on minimal responses for CDNSKEY and CDS in
+ addition to DNSKEY and DS. Thanks to Tony Finch.
+ [RT #45690]
+
+ 4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in
+ messages. [RT #44804]
+
+ 4687. [func] Refactor tracklines code. [RT #45126]
+
+ 4686. [bug] dnssec-settime -p could print a bogus warning about
+ key deletion scheduled before its inactivation when a
+ key had an inactivation date set but no deletion date
+ set. [RT #45807]
+
+ 4685. [bug] dnssec-settime incorrectly calculated publication and
+ activation dates for a successor key. [RT #45806]
+
+ 4684. [bug] delv could send bogus DNS queries when an explicit
+ server address was specified on the command line along
+ with -4/-6. [RT #45804]
+
+ 4683. [bug] Prevent nsupdate from immediately exiting on invalid
+ user input in interactive mode. [RT #28194]
+
+ 4682. [bug] Don't report errors on records below a DNAME.
+ [RT #44880]
+
+ 4681. [bug] Log messages from the validator now include the
+ associated view unless the view is "_default/IN"
+ or "_dnsclient/IN". [RT #45770]
+
+ 4680. [bug] Fix failing over to another master server address when
+ nsupdate is used with GSS-API. [RT #45380]
+
+ 4679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record
+ not at top of zone and -o is not used. [RT #45519]
+
+ 4678. [bug] geoip-use-ecs has the wrong type when geoip support
+ is disabled at configure time. [RT #45763]
+
+ 4677. [cleanup] Split up the main function in dig to better support
+ the iOS app version. [RT #45508]
+
+ 4676. [cleanup] Allow BIND to be built using OpenSSL 1.0.X with
+ deprecated functions removed. [RT #45706]
+
+ 4675. [cleanup] Don't use C++ keyword class. [RT #45726]
+
+ 4674. [func] "dig +sigchase", and related options "+topdown" and
+ "+trusted-keys", have been removed. Use "delv" for
+ queries with DNSSEC validation. [RT #42793]
+
+ 4673. [port] Silence GCC 7 warnings. [RT #45592]
+
+ 4672. [placeholder]
+
+ 4671. [bug] Fix a race condition that could cause the
+ resolver to crash with assertion failure when
+ chasing DS in specific conditions with a very
+ short RTT to the upstream nameserver. [RT #45168]
+
+ 4670. [cleanup] Ensure that a request MAC is never sent back
+ in an XFR response unless the signature was
+ verified. [RT #45494]
+
+ 4669. [func] Iterative query logic in resolver.c has been
+ refactored into smaller functions and commented,
+ for improved readability, maintainability and
+ testability. [RT #45362]
+
+ 4668. [bug] Use localtime_r and gmtime_r for thread safety.
+ [RT #45664]
+
+ 4667. [cleanup] Refactor RDATA unit tests. [RT #45610]
+
+ 4666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9)
+ could cause a parser error when reading the policy
+ file. This now works correctly so long as the domain
+ name is quoted. [RT #45641]
+
+ 4665. [protocol] Added support for ED25519 and ED448 DNSSEC signing
+ algorithms (RFC 8080). (Note: these algorithms
+ depend on code currently in the development branch
+ of OpenSSL which has not yet been released.)
+ [RT #44696]
+
+ 4664. [func] Add a "glue-cache" option to enable or disable the
+ glue cache. The default is "yes". [RT #45125]
+
+ 4663. [cleanup] Clarify error message printed by dnssec-dsfromkey.
+ [RT #21731]
+
+ 4662. [performance] Improve cache memory cleanup of zero TTL records
+ by putting them at the tail of LRU header lists.
+ [RT #45274]
+
+ 4661. [bug] A race condition could occur if a zone was reloaded
+ while resigning, triggering a crash in
+ rbtdb.c:closeversion(). [RT #45276]
+
+ 4660. [bug] Remove spurious "peer" from Windows socket log
+ messages. [RT #45617]
+
+ 4659. [bug] Remove spurious log message about lmdb-mapsize
+ not being supported when parsing builtin
+ configuration file. [RT #45618]
+
+ 4658. [bug] Clean up build directory created by "setup.py install"
+ immediately. [RT #45628]
+
+ 4657. [bug] rrchecker system test result could be improperly
+ determined. [RT #45602]
+
+ 4656. [bug] Apply "port" and "dscp" values specified in catalog
+ zone's "default-masters" option to the generated
+ configuration of its member zones. [RT #45545]
+
+ 4655. [bug] Lack of seccomp could be falsely reported. [RT #45599]
+
+ 4654. [cleanup] Don't use C++ keywords delete, new and namespace.
+ [RT #45538]
+
+ 4653. [bug] Reorder includes to move @DST_OPENSSL_INC@ and
+ @ISC_OPENSSL_INC@ after shipped include directories.
+ [RT #45581]
+
+ 4652. [bug] Nsupdate could attempt to use a zeroed address on
+ server timeout. [RT #45417]
+
+ 4651. [test] Silence coverity warnings in tsig_test.c. [RT #45528]
+
+ 4650. [placeholder]
+
+ 4649. [bug] The wrong zone was logged when a catalog zone is added.
+ [RT #45520]
+
+ 4648. [bug] "rndc reconfig" on a slave no longer causes all member
+ zones of configured catalog zones to be removed from
+ configuration. [RT #45310]
+
+ 4647. [bug] Change 4643 broke verification of TSIG signed TCP
+ message sequences where not all the messages contain
+ TSIG records. These may be used in AXFR and IXFR
+ responses. [RT #45509]
+
+ 4646. [placeholder]
+
+ 4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled.
+ [RT #45300]
+
+ 4644. [placeholder]
+
+ 4643. [security] An error in TSIG handling could permit unauthorized
+ zone transfers or zone updates. (CVE-2017-3142)
+ (CVE-2017-3143) [RT #45383]
+
+ 4642. [cleanup] Add more logging of RFC 5011 events affecting the
+ status of managed keys: newly observed keys,
+ deletion of revoked keys, etc. [RT #45354]
+
+ 4641. [cleanup] Parallel builds (make -j) could fail with --with-atf /
+ --enable-developer. [RT #45373]
+
+ 4640. [bug] If query_findversion failed in query_getdb due to
+ memory failure the error status was incorrectly
+ discarded. [RT #45331]
+
+ 4639. [bug] Fix a regression in --with-tuning reporting introduced
+ by change 4488. [RT #45396]
+
+ 4638. [bug] Reloading or reconfiguring named could fail on
+ some platforms when LMDB was in use. [RT #45203]
+
+ 4637. [func] "nsec3hash -r" option ("rdata order") takes arguments
+ in the same order as they appear in NSEC3 or
+ NSEC3PARAM records, so that NSEC3 parameters can
+ be cut and pasted from an existing record. Thanks
+ to Tony Finch for the contribution. [RT #45183]
+
+ 4636. [bug] Normalize rpz policy zone names when checking for
+ existence. [RT #45358]
+
+ 4635. [bug] Fix RPZ NSDNAME logging that was logging
+ failures as NSIP. [RT #45052]
+
+ 4634. [contrib] check5011.pl needs to handle optional space before
+ semi-colon in +multi-line output. [RT #45352]
+
+ 4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
+
+ 4632. [security] The BIND installer on Windows used an unquoted
+ service path, which can enable privilege escalation.
+ (CVE-2017-3141) [RT #45229]
+
+ 4631. [security] Some RPZ configurations could go into an infinite
+ query loop when encountering responses with TTL=0.
+ (CVE-2017-3140) [RT #45181]
+
+ 4630. [bug] "dyndb" is dependent on dlopen existing / being
+ enabled. [RT #45291]
+
+ 4629. [bug] dns_client_startupdate could not be called with a
+ running client. [RT #45277]
+
+ 4628. [bug] Fixed a potential reference leak in query_getdb().
+ [RT #45247]
+
+ 4627. [placeholder]
+
+ 4626. [test] Added more tests for handling of different record
+ ordering in CNAME and DNAME responses. [QA #430]
+
+ 4625. [bug] Running "rndc addzone" and "rndc delzone" at close
+ to the same time could trigger a deadlock if using
+ LMDB. [RT #45209]
+
+ 4624. [placeholder]
+
+ 4623. [bug] Use --with-protobuf-c and --with-libfstrm to find
+ protoc-c and fstrm_capture. [RT #45187]
+
+ 4622. [bug] Remove unnecessary escaping of semicolon in CAA and
+ URI records. [RT #45216]
+
+ 4621. [port] Force alignment of oid arrays to silence loader
+ warnings. [RT #45131]
+
+ 4620. [port] Handle EPFNOSUPPORT being returned when probing
+ to see if a socket type is supported. [RT #45214]
+
+ 4619. [bug] Call isc_mem_put instead of isc_mem_free in
+ bin/named/server.c:setup_newzones. [RT #45202]
+
+ 4618. [bug] Check isc_mem_strdup results in dns_view_setnewzones.
+ Add logging for lmdb call failures. [RT #45204]
+
+ 4617. [test] Update rndc system test to be more delay tolerant.
+ [RT #45177]
+
+ 4616. [bug] When using LMDB, zones deleted using "rndc delzone"
+ were not correctly removed from the new-zone
+ database. [RT #45185]
+
+ 4615. [bug] AD could be set on truncated answer with no records
+ present in the answer and authority sections.
+ [RT #45140]
+
+ 4614. [test] Fixed an error in the sockaddr unit test. [RT #45146]
+
+ 4613. [func] By default, the maximum size of a zone journal file
+ is now twice the size of the zone's contents (there
+ is little benefit to a journal larger than this).
+ This can be overridden by setting "max-journal-size"
+ to "unlimited" or to an explicit value up to 2G.
+ Thanks to Tony Finch. [RT #38324]
+
+ 4612. [bug] Silence 'may be use uninitalised' warning and simplify
+ the code in lwres/getaddinfo:process_answer.
+ [RT #45158]
+
+ 4611. [bug] The default LMDB mapsize was too low and caused
+ errors after few thousand zones were added using
+ rndc addzone. A new config option "lmdb-mapsize"
+ has been introduced to configure the LMDB
+ mapsize depending on operational needs.
+ [RT #44954]
+
+ 4610. [func] The "new-zones-directory" option specifies the
+ location of NZF or NZD files for storing
+ configuration of zones added by "rndc addzone".
+ Thanks to Petr Menšík. [RT #44853]
+
+ 4609. [cleanup] Rearrange makefiles to enable parallel execution
+ (i.e. "make -j"). [RT #45078]
+
+ 4608. [func] DiG now warns about .local queries which are reserved
+ for Multicast DNS. [RT #44783]
+
+ 4607. [bug] The memory context's malloced and maxmalloced counters
+ were being updated without the appropriate lock being
+ held. [RT #44869]
+
+ 4606. [port] Stop using experimental "Experimental keys on scalar"
+ feature of perl as it has been removed. [RT #45012]
+
+ 4605. [performance] Improve performance for delegation heavy answers
+ and also general query performance. Removes the
+ acache feature that didn't significantly improve
+ performance. Adds a glue cache. Removes
+ additional-from-cache and additional-from-auth
+ features. Enables minimal-responses by
+ default. Improves performance of compression
+ code, owner case restoration, hash function,
+ etc. Uses inline buffer implementation by
+ default. Many other performance changes and fixes.
+ [RT #44029]
+
+ 4604. [bug] Don't use ERR_load_crypto_strings() when building
+ with OpenSSL 1.1.0. [RT #45117]
+
+ 4603. [doc] Automatically generate named.conf(5) man page
+ from doc/misc/options. Thanks to Tony Finch.
+ [RT #43525]
+
+ 4602. [func] Threads are now set to human-readable
+ names to assist debugging, when supported by
+ the OS. [RT #43234]
+
+ 4601. [bug] Reject incorrect RSA key lengths during key
+ generation and and sign/verify context
+ creation. [RT #45043]
+
+ 4600. [bug] Adjust RPZ trigger counts only when the entry
+ being deleted exists. [RT #43386]
+
+ 4599. [bug] Fix inconsistencies in inline signing time
+ comparison that were introduced with the
+ introduction of rdatasetheader->resign_lsb.
+ [RT #42112]
+
+ 4598. [func] Update fuzzing code to (1) reply to a DNSKEY
+ query from named with appropriate DNSKEY used in
+ fuzzing; (2) patch the QTYPE correctly in
+ resolver fuzzing; (3) comment things so the rest
+ of us are able to understand how fuzzing is
+ implemented in named; (4) Coding style changes,
+ cleanup, etc. [RT #44787]
+
+ 4597. [bug] The validator now ignores SHA-1 DS digest type
+ when a DS record with SHA-384 digest type is
+ present and is a supported digest type.
+ [RT #45017]
+
+ 4596. [bug] Validate glue before adding it to the additional
+ section. This also fixes incorrect TTL capping
+ when the RRSIG expired earlier than the TTL.
+ [RT #45062]
+
+ 4595. [func] dnssec-keygen will no longer generate RSA keys
+ less than 1024 bits in length. dnssec-keymgr
+ was similarly updated. [RT #36895]
+
+ 4594. [func] "dnstap-read -x" prints a hex dump of the wire
+ format of each logged DNS message. [RT #44816]
+
+ 4593. [doc] Update README using markdown, remove outdated FAQ
+ file in favor of the knowledge base.
+
+ 4592. [bug] A race condition on shutdown could trigger an
+ assertion failure in dispatch.c. [RT #43822]
+
+ 4591. [port] Addressed some python 3 compatibility issues.
+ Thanks to Ville Skytta. [RT #44955] [RT #44956]
+
+ 4590. [bug] Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
+ properly detected. [RT #44871]
+
+ 4589. [cleanup] "configure -q" is now silent. [RT #44829]
+
+ 4588. [bug] nsupdate could send queries for TKEY to the wrong
+ server when using GSSAPI. Thanks to Tomas Hozza.
+ [RT #39893]
+
+ 4587. [bug] named-checkzone failed to handle occulted data below
+ DNAMEs correctly. [RT #44877]
+
+ 4586. [func] dig, host and nslookup now use TCP for ANY queries.
+ [RT #44687]
+
+ 4585. [port] win32: Set CompileAS value. [RT #42474]
+
+ 4584. [bug] A number of memory usage statistics were not properly
+ reported when they exceeded 4G. [RT #44750]
+
+ 4583. [func] "host -A" returns most records for a name but
+ omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
+ [RT #43032]
+
+ 4582. [security] 'rndc ""' could trigger a assertion failure in named.
+ (CVE-2017-3138) [RT #44924]
+
+ 4581. [port] Linux: Add getpid and getrandom to the list of system
+ calls named uses for seccomp. [RT #44883]
+
+ 4580. [bug] 4578 introduced a regression when handling CNAME to
+ referral below the current domain. [RT #44850]
+
+ 4579. [func] Logging channels and dnstap output files can now
+ be configured with a "suffix" option, set to
+ either "increment" or "timestamp", indicating
+ whether to use incrementing numbers or timestamps
+ as the file suffix when rolling over a log file.
+ [RT #42838]
+
+ 4578. [security] Some chaining (CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures.
+ (CVE-2017-3137) [RT #44734]
+
+ 4577. [func] Make qtype of resolver fuzzing packet configurable
+ via command line. [RT #43540]
+
+ 4576. [func] The RPZ implementation has been substantially
+ refactored for improved performance and reliability.
+ [RT #43449]
+
+ 4575. [security] DNS64 with "break-dnssec yes;" can result in an
+ assertion failure. (CVE-2017-3136) [RT #44653]
+
+ 4574. [bug] Dig leaked memory with multiple +subnet options.
+ [RT #44683]
+
+ 4573. [func] Query logic has been substantially refactored (e.g.
+ query_find function has been split into smaller
+ functions) for improved readability, maintainability
+ and testability. [RT #43929]
+
+ 4572. [func] The "dnstap-output" option can now take "size" and
+ "versions" parameters to indicate the maximum size
+ a dnstap log file can grow before rolling to a new
+ file, and how many old files to retain. [RT #44502]
+
+ 4571. [bug] Out-of-tree builds of backtrace_test failed.
+
+ 4570. [cleanup] named did not correctly fall back to the built-in
+ initializing keys if the bind.keys file was present
+ but empty. [RT #44531]
+
+ 4569. [func] Store both local and remote addresses in dnstap
+ logging, and modify dnstap-read output format to
+ print them. [RT #43595]
+
+ 4568. [contrib] Added a --with-bind option to the dnsperf configure
+ script to specify BIND prefix path.
+
+ 4567. [port] Call getprotobyname and getservbyname prior to calling
+ chroot so that shared libraries get loaded. [RT #44537]
+
+ 4566. [func] Query logging now includes the ECS option if one
+ was included in the query. [RT #44476]
+
+ 4565. [cleanup] The inline macro versions of isc_buffer_put*()
+ did not implement automatic buffer reallocation.
+ [RT #44216]
+
+ 4564. [maint] Update the built in managed keys to include the
+ upcoming root KSK. [RT #44579]
+
+ 4563. [bug] Modified zones would occasionally fail to reload.
+ [RT #39424]
+
+ 4562. [func] Add additional memory statistics currently malloced
+ and maxmalloced per memory context. [RT #43593]
+
+ 4561. [port] Silence a warning in strict C99 compilers. [RT #44414]
+
+ 4560. [bug] mdig: add -m option to enable memory debugging rather
+ than having it on all the time. [RT #44509]
+
+ 4559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES
+ was turned off. [RT #44509]
+
+ 4558. [bug] Synthesised CNAME before matching DNAME was still
+ being cached when it should not have been. [RT #44318]
+
+ 4557. [security] Combining dns64 and rpz can result in dereferencing
+ a NULL pointer (read). (CVE-2017-3135) [RT#44434]
+
+ 4556. [bug] Sending an EDNS Padding option using "dig
+ +ednsopt" could cause a crash in dig. [RT #44462]
+
+ 4555. [func] dig +ednsopt: EDNS options can now be specified by
+ name in addition to numeric value. [RT #44461]
+
+ 4554. [bug] Remove double unlock in dns_dispatchmgr_setudp.
+ [RT #44336]
+
+ 4553. [bug] Named could deadlock there were multiple changes to
+ NSEC/NSEC3 parameters for a zone being processed at
+ the same time. [RT #42770]
+
+ 4552. [bug] Named could trigger a assertion when sending notify
+ messages. [RT #44019]
+
+ 4551. [test] Add system tests for integrity checks of MX and
+ SRV records. [RT #43953]
+
+ 4550. [cleanup] Increased the number of available master file
+ output style flags from 32 to 64. [RT #44043]
+
+ 4549. [func] Added support for the EDNS TCP Keepalive option
+ (RFC 7828). [RT #42126]
+
+ 4548. [func] Added support for the EDNS Padding option (RFC 7830).
+ [RT #42094]
+
+ 4547. [port] Add support for --enable-native-pkcs11 on the AEP
+ Keyper HSM. [RT #42463]
+
+ 4546. [func] Extend the use of const declarations. [RT #43379]
+
+ 4545. [func] Expand YAML output from dnstap-read to include
+ a detailed breakdown of the DNS message contents.
+ [RT #43642]
+
+ 4544. [bug] Add message/payload size to dnstap-read YAML output.
+ [RT #43622]
+
+ 4543. [bug] dns_client_startupdate now delays sending the update
+ request until isc_app_ctxrun has been called.
+ [RT #43976]
+
+ 4542. [func] Allow rndc to manipulate redirect zones with using
+ -redirect as the zone name (use "-redirect." to
+ manipulate a zone named "-redirect"). [RT #43971]
+
+ 4541. [bug] rndc addzone should properly reject non master/slave
+ zones. [RT #43665]
+
+ 4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure.
+ [RT #43601]
+
+ 4539. [bug] Referencing a nonexistent zone with RPZ could lead
+ to a assertion failure when configuring. [RT #43787]
+
+ 4538. [bug] Call dns_client_startresolve from client->task.
+ [RT #43896]
+
+ 4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576]
+
+ 4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
+ when reusing the event structure. [RT #43885]
+
+ 4535. [bug] Address race condition in setting / testing of
+ DNS_REQUEST_F_SENDING. [RT #43889]
+
+ 4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]
+
+ 4533. [bug] dns_client_update should terminate on prerequisite
+ failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
+ and also on BADZONE. [RT #43865]
+
+ 4532. [contrib] Make gen-data-queryperf.py python 3 compatible.
+ [RT #43836]
+
+ 4531. [security] 'is_zone' was not being properly updated by redirect2
+ and subsequently preserved leading to an assertion
+ failure. (CVE-2016-9778) [RT #43837]
+
+ 4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
+ in responses resulting in SERVFAIL being returned.
+ [RT #43779]
+
+ 4529. [cleanup] Silence noisy log warning when DSCP probe fails
+ due to firewall rules. [RT #43847]
+
+ 4528. [bug] Only set the flag bits for the i/o we are waiting
+ for on EPOLLERR or EPOLLHUP. [RT #43617]
+
+ 4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
+
+ 4526. [doc] Corrected errors and improved formatting of
+ grammar definitions in the ARM. [RT #43739]
+
+ 4525. [doc] Fixed outdated documentation on managed-keys.
+ [RT #43810]
+
+ 4524. [bug] The net zero test was broken causing IPv4 servers
+ with addresses ending in .0 to be rejected. [RT #43776]
+
+ 4523. [doc] Expand config doc for <querysource4> and
+ <querysource6>. [RT #43768]
+
+ 4522. [bug] Handle big gaps in log file version numbers better.
+ [RT #38688]
+
+ 4521. [cleanup] Log it as an error if an entropy source is not
+ found and there is no fallback available. [RT #43659]
+
+ 4520. [cleanup] Alphabetize more of the grammar when printing it
+ out. Fix unbalanced indenting. [RT #43755]
+
+ 4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
+
+ 4518. [func] The "print-time" option in the logging configuration
+ can now take arguments "local", "iso8601" or
+ "iso8601-utc" to indicate the format in which the
+ date and time should be logged. For backward
+ compatibility, "yes" is a synonym for "local".
+ [RT #42585]
+
+ 4517. [security] Named could mishandle authority sections that were
+ missing RRSIGs triggering an assertion failure.
+ (CVE-2016-9444) [RT # 43632]
+
+ 4516. [bug] isc_socketmgr_renderjson was missing from the
+ windows build. [RT #43602]
+
+ 4515. [port] FreeBSD: Find readline headers when they are in
+ edit/readline/ instead of readline/. [RT #43658]
+
+ 4514. [port] NetBSD: strip -WL, from ld command line. [RT #43204]
+
+ 4513. [cleanup] Minimum Python versions are now 2.7 and 3.2.
+ [RT #43566]
+
+ 4512. [bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in.
+ [RT #43556]
+
+ 4511. [bug] win32: mdig.exe-BNFT was missing Configure. [RT #43554]
+
+ 4510. [security] Named mishandled some responses where covering RRSIG
+ records are returned without the requested data
+ resulting in a assertion failure. (CVE-2016-9147)
+ [RT #43548]
+
+ 4509. [test] Make the rrl system test more reliable on slower
+ machines by using mdig instead of dig. [RT #43280]
+
+ 4508. [security] Named incorrectly tried to cache TKEY records which
+ could trigger a assertion failure when there was
+ a class mismatch. (CVE-2016-9131) [RT #43522]
+
+ 4507. [bug] Named could incorrectly log 'allows updates by IP
+ address, which is insecure' [RT #43432]
+
+ 4506. [func] 'named-checkconf -l' will now list the zones found in
+ named.conf. [RT #43154]
+
+ 4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]
+
+ 4504. [security] Allow the maximum number of records in a zone to
+ be specified. This provides a control for issues
+ raised in CVE-2016-6170. [RT #42143]
+
+ 4503. [cleanup] "make uninstall" now removes files installed by
+ BIND. (This currently excludes Python files
+ due to lack of support in setup.py.) [RT #42192]
+
+ 4502. [func] Report multiple and experimental options when printing
+ grammar. [RT #43134]
+
+ 4501. [placeholder]
+
+ 4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]
+
+ 4499. [port] MacOSX: silence deprecated function warning
+ by using arc4random_stir() when available
+ instead of arc4random_addrandom(). [RT #43503]
+
+ 4498. [test] Simplify prerequisite checks in system tests.
+ [RT #43516]
+
+ 4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]
+
+ 4496. [func] dig: add +idnout to control whether labels are
+ display in punycode or not. Requires idn support
+ to be enabled at compile time. [RT #43398]
+
+ 4495. [bug] A isc_mutex_init call was not being checked.
+ [RT #43391]
+
+ 4494. [bug] Look for <editline/readline.h>. [RT #43429]
+
+ 4493. [bug] bin/tests/system/dyndb/driver/Makefile.in should use
+ SO_TARGETS. [RT# 43336]
+
+ 4492. [bug] irs_resconf_load failed to initialize sortlistnxt
+ causing bad writes if resolv.conf contained a
+ sortlist directive. [RT #43459]
+
+ 4491. [bug] Improve message emitted when testing whether sendmsg
+ works with TOS/TCLASS fails. [RT #43483]
+
+ 4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
+
+ 4489. [security] It was possible to trigger assertions when processing
+ a response containing a DNAME answer. (CVE-2016-8864)
+ [RT #43465]
+
+ 4488. [port] Darwin: use -framework for Kerberos. [RT #43418]
+
+ 4487. [test] Make system tests work on Windows. [RT #42931]
+
+ 4486. [bug] Look in $prefix/lib/pythonX.Y/site-packages for
+ the python modules we install. [RT #43330]
+
+ 4485. [bug] Failure to find readline when requested should be
+ fatal to configure. [RT #43328]
+
+ 4484. [func] Check prefixes in acls to make sure the address and
+ prefix lengths are consistent. Warn only in
+ BIND 9.11 and earlier. [RT #43367]
+
+ 4483. [bug] Address use before require check and remove extraneous
+ dns_message_gettsigkey call in dns_tsig_sign.
+ [RT #43374]
+
+ 4482. [cleanup] Change #4455 was incomplete. [RT #43252]
+
+ 4481. [func] dig: make +class, +crypto, +multiline, +rrcomments,
+ +onesoa, +qr, +ttlid, +ttlunits and -u per lookup
+ rather than global. [RT #42450]
+
+ 4480. [placeholder]
+
+ 4479. [placeholder]
+
+ 4478. [func] Add +continue option to mdig, allow continue on socket
+ errors. [RT #43281]
+
+ 4477. [test] Fix mkeys test timing issues. [RT #41028]
+
+ 4476. [test] Fix reclimit test on slower machines. [RT #43283]
+
+ 4475. [doc] Update named-checkconf documentation. [RT #43153]
+
+ 4474. [bug] win32: call WSAStartup in fromtext_in_wks so that
+ getprotobyname and getservbyname work. [RT #43197]
+
+ 4473. [bug] Only call fsync / _commit on regular files. [RT #43196]
+
+ 4472. [bug] Named could fail to find the correct NSEC3 records when
+ a zone was updated between looking for the answer and
+ looking for the NSEC3 records proving nonexistence
+ of the answer. [RT #43247]
+
+ --- 9.11.0 released ---
+
+ --- 9.11.0rc3 released ---
+
+ 4471. [cleanup] Render client/query logging format consistent for
+ ease of log file parsing. (Note that this affects
+ "querylog" format: there is now an additional field
+ indicating the client object address.) [RT #43238]
+
+ 4470. [bug] Reset message with intent parse before
+ calling dns_dispatch_getnext. [RT #43229]
+
+ 4469. [placeholder]
+
+ --- 9.11.0rc2 released ---
+
+ 4468. [bug] Address ECS option handling issues. [RT #43191]
+
+ 4467. [security] It was possible to trigger an assertion when
+ rendering a message. (CVE-2016-2776) [RT #43139]
+
+ 4466. [bug] Interface scanning didn't work on a Windows system
+ without a non local IPv6 addresses. [RT #43130]
+
+ 4465. [bug] Don't use "%z" as Windows doesn't support it.
+ [RT #43131]
+
+ 4464. [bug] Fix windows python support. [RT #43173]
+
+ 4463. [bug] The dnstap system test failed on some systems.
+ [RT #43129]
+
+ 4462. [bug] Don't describe a returned EDNS COOKIE as "good"
+ when there isn't a valid server cookie. [RT #43167]
+
+ 4461. [bug] win32: not all external data was properly marked
+ as external data for windows dll. [RT #43161]
+
+ --- 9.11.0rc1 released ---
+
+ 4460. [test] Add system test for dnstap using unix domain sockets.
+ [RT #42926]
+
+ 4459. [bug] TCP client objects created to handle pipeline queries
+ were not cleaned up correctly, causing uncontrolled
+ memory growth. [RT #43106]
+
+ 4458. [cleanup] Update assertions to be more correct, and also remove
+ use of a reserved word. [RT #43090]
+
+ 4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
+
+ 4456. [doc] Add DOCTYPE and lang attribute to <html> tags.
+ [RT #42587]
+
+ 4455. [cleanup] Allow dyndb modules to correctly log the filename
+ and line number when processing configuration text
+ from named.conf. [RT #43050]
+
+ 4454. [bug] 'rndc dnstap -reopen' had a race issue. [RT #43089]
+
+ 4453. [bug] Prefetching of DS records failed to update their
+ RRSIGs. [RT #42865]
+
+ 4452. [bug] The default key manager policy file is now
+ <sysdir>/dnssec-policy.conf (usually
+ /etc/dnssec-policy.conf). [RT #43064]
+
+ 4451. [cleanup] Log more useful information if a PKCS#11 provider
+ library cannot be loaded. [RT #43076]
+
+ 4450. [port] Provide more nuanced HSM support which better matches
+ the specific PKCS11 providers capabilities. [RT #42458]
+
+ 4449. [test] Fix catalog zones test on slower systems. [RT #42997]
+
+ 4448. [bug] win32: ::1 was not being found when iterating
+ interfaces. [RT #42993]
+
+ 4447. [tuning] Allow the fstrm_iothr_init() options to be set using
+ named.conf to control how dnstap manages the data
+ flow. [RT #42974]
+
+ 4446. [bug] The cache_find() and _findrdataset() functions
+ could find rdatasets that had been marked stale.
+ [RT #42853]
+
+ 4445. [cleanup] isc_errno_toresult() can now be used to call the
+ formerly private function isc__errno2result().
+ [RT #43050]
+
+ 4444. [bug] Fixed some issues related to dyndb: A bug caused
+ braces to be omitted when passing configuration text
+ from named.conf to a dyndb driver, and there was a
+ use-after-free in the sample dyndb driver. [RT #43050]
+
+ 4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
+ TCP sockets. [RT #42864]
+
+ 4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted
+ tree data structure with overlapping networks
+ (longest prefix match was ineffective).
+ [RT #43035]
+
+ 4441. [cleanup] Alphabetize host's help output. [RT #43031]
+
+ 4440. [func] Enable TCP fast open support when available on the
+ server side. [RT #42866]
+
+ 4439. [bug] Address race conditions getting ownernames of nodes.
+ [RT #43005]
+
+ 4438. [func] Use LIFO rather than FIFO when processing startup
+ notify and refresh queries. [RT #42825]
+
+ 4437. [func] Minimal-responses now has two additional modes
+ no-auth and no-auth-recursive which suppress
+ adding the NS records to the authority section
+ as well as the associated address records for the
+ nameservers. [RT #42005]
+
+ 4436. [func] Return TLSA records as additional data for MX and SRV
+ lookups. [RT #42894]
+
+ 4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message
+ will not fit into a single IPv4 encapsulated IPv6
+ UDP packet when transmitted over a Ethernet link.
+ [RT #42871]
+
+ 4434. [protocol] Return EDNS EXPIRE option for master zones in addition
+ to slave zones. [RT #43008]
+
+ 4433. [cleanup] Report an error when passing an invalid option or
+ view name to "rndc dumpdb". [RT #42958]
+
+ 4432. [test] Hide rndc output on expected failures in logfileconfig
+ system test. [RT #27996]
+
+ 4431. [bug] named-checkconf now checks the rate-limit clause.
+ [RT #42970]
+
+ 4430. [bug] Lwresd died if a search list was not defined.
+ Found by 0x710DDDD At Alibaba Security. [RT #42895]
+
+ 4429. [bug] Address potential use after free on fclose() error.
+ [RT #42976]
+
+ 4428. [bug] The "test dispatch getnext" unit test could fail
+ in a threaded build. [RT #42979]
+
+ 4427. [bug] The "query" and "response" parameters to the
+ "dnstap" option had their functions reversed.
+
+ --- 9.11.0b3 released ---
+
+ 4426. [bug] Addressed Coverity warnings. [RT #42908]
+
+ 4425. [bug] arpaname, dnstap-read and named-rrchecker were not
+ being installed into ${prefix}/bin. Tidy up
+ installation issues with CHANGE 4421. [RT #42910]
+
+ 4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries
+ to provide feedback to the trust-anchor administrators
+ about how key rollovers are progressing as per
+ draft-ietf-dnsop-edns-key-tag-02. This can be
+ disabled using 'trust-anchor-telemetry no;'.
+ [RT #40583]
+
+ 4423. [maint] Added missing IPv6 address 2001:500:84::b for
+ B.ROOT-SERVERS.NET. [RT #42898]
+
+ 4422. [port] Silence clang warnings in dig.c and dighost.c.
+ [RT #42451]
+
+ 4421. [func] When built with LMDB (Lightning Memory-mapped
+ Database), named will now use a database to store
+ the configuration for zones added by "rndc addzone"
+ instead of using a flat NZF file. This improves
+ performance of "rndc delzone" and "rndc modzone"
+ significantly. Existing NZF files will
+ automatically by converted to NZD databases.
+ To view the contents of an NZD or to roll back to
+ NZF format, use "named-nzd2nzf". To disable
+ this feature, use "configure --without-lmdb".
+ [RT #39837]
+
+ 4420. [func] nslookup now looks for AAAA as well as A by default.
+ [RT #40420]
+
+ 4419. [bug] Don't cause undefined result if the label of an
+ entry in catalog zone is changed. [RT #42708]
+
+ 4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879]
+
+ 4417. [bug] dnssec-keymgr could fail to create successor keys
+ if the prepublication interval was set to a value
+ smaller than the default. [RT #42820]
+
+ 4416. [bug] dnssec-keymgr: Domain names in policy files could
+ fail to match due to trailing dots. [RT #42807]
+
+ 4415. [bug] dnssec-keymgr: Expired/deleted keys were not always
+ excluded. [RT #42884]
+
+ 4414. [bug] Corrected a bug in the MIPS implementation of
+ isc_atomic_xadd(). [RT #41965]
+
+ 4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
+ was returned. [RT #42733]
+
+ --- 9.11.0b2 released ---
+
+ 4412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
+ removed. [RT #42721]
+
+ 4411. [func] "rndc dnstap -roll" automatically rolls the
+ dnstap output file; the previous version is
+ saved with ".0" suffix, and earlier versions
+ with ".1" and so on. An optional numeric argument
+ indicates how many prior files to save. [RT #42830]
+
+ 4410. [bug] Address use after free and memory leak with dnstap.
+ [RT #42746]
+
+ 4409. [bug] DNS64 should exclude mapped addresses by default when
+ an exclude acl is not defined. [RT #42810]
+
+ 4408. [func] Continue waiting for expected response when we the
+ response we get does not match the request. [RT #41026]
+
+ 4407. [performance] Use GCC builtin for clz in RPZ lookup code.
+ [RT #42818]
+
+ 4406. [security] getrrsetbyname with a non absolute name could
+ trigger an infinite recursion bug in lwresd
+ and named with lwres configured if when combined
+ with a search list entry the resulting name is
+ too long. (CVE-2016-2775) [RT #42694]
+
+ 4405. [bug] Change 4342 introduced a regression where you could
+ not remove a delegation in a NSEC3 signed zone using
+ OPTOUT via nsupdate. [RT #42702]
+
+ 4404. [misc] Allow krb5-config to be used when configuring gssapi.
+ [RT #42580]
+
+ 4403. [bug] Rename variables and arguments that shadow: basename,
+ clone and gai_error.
+
+ 4402. [bug] protoc-c is now a hard requirement for --enable-dnstap.
+
+ --- 9.11.0b1 released ---
+
+ 4401. [misc] Change LICENSE to MPL 2.0.
+
+ 4400. [bug] ttl policy was not being inherited in policy.py.
+ [RT #42718]
+
+ 4399. [bug] policy.py 'ECCGOST', 'ECDSAP256SHA256', and
+ 'ECDSAP384SHA384' don't have settable keysize.
+ [RT #42718]
+
+ 4398. [bug] Correct spelling of ECDSAP256SHA256 in policy.py.
+ [RT #42718]
+
+ 4397. [bug] Update Windows python support. [RT #42538]
+
+ 4396. [func] dnssec-keymgr now takes a '-r randomfile' option.
+ [RT #42455]
+
+ 4395. [bug] Improve out-of-tree installation of python modules.
+ [RT #42586]
+
+ 4394. [func] Add rndc command "dnstap-reopen" to close and
+ reopen dnstap output files. [RT #41803]
+
+ 4393. [bug] Address potential NULL pointer dereferences in
+ dnstap code.
+
+ 4392. [func] Collect statistics for RSSAC02v3 traffic-volume,
+ traffic-sizes and rcode-volume reporting. [RT #41475]
+
+ 4391. [contrib] Fix leaks in contrib DLZ code. [RT #42707]
+
+ 4390. [doc] Description of masters with TSIG, allow-query and
+ allow-transfer options in catalog zones. [RT #42692]
+
+ 4389. [test] Rewritten test suite for catalog zones. [RT #42676]
+
+ 4388. [func] Support for master entries with TSIG keys in catalog
+ zones. [RT #42577]
+
+ 4387. [bug] Change 4336 was not complete leading to SERVFAIL
+ being return as NS records expired. [RT #42683]
+
+ 4386. [bug] Remove shadowed overmem function/variable. [RT #42706]
+
+ 4385. [func] Add support for allow-query and allow-transfer ACLs
+ to catalog zones. [RT #42578]
+
+ 4384. [bug] Change 4256 accidentally disabled logging of the
+ rndc command. [RT #42654]
+
+ 4383. [bug] Correct spelling error in stats channel description of
+ "EDNS client subnet option received". [RT #42633]
+
+ 4382. [bug] rndc {addzone,modzone,delzone,showzone} should all
+ compare the zone name using a canonical format.
+ [RT #42630]
+
+ 4381. [bug] Missing "zone-directory" option in catalog zone
+ definition caused BIND to crash. [RT #42579]
+
+ --- 9.11.0a3 released ---
+
+ 4380. [experimental] Added a "zone-directory" option to "catalog-zones"
+ syntax, allowing local masterfiles for slaves
+ that are provisioned by catalog zones to be stored
+ in a directory other than the server's working
+ directory. [RT #42527]
+
+ 4379. [bug] An INSIST could be triggered if a zone contains
+ RRSIG records with expiry fields that loop
+ using serial number arithmetic. [RT #40571]
+
+ 4378. [contrib] #include <isc/string.h> for strlcat in zone2ldap.c.
+ [RT #42525]
+
+ 4377. [bug] Don't reuse zero TTL responses beyond the current
+ client set (excludes ANY/SIG/RRSIG queries).
+ [RT #42142]
+
+ 4376. [experimental] Added support for Catalog Zones, a new method for
+ provisioning secondary servers in which a list of
+ zones to be served is stored in a DNS zone and can
+ be propagated to slaves via AXFR/IXFR. [RT #41581]
+
+ 4375. [func] Add support for automatic reallocation of isc_buffer
+ to isc_buffer_put* functions. [RT #42394]
+
+ 4374. [bug] Use SAVE/RESTORE macros in query.c to reduce the
+ probability of reference counting errors as seen
+ in 4365. [RT #42405]
+
+ 4373. [bug] Address undefined behavior in getaddrinfo. [RT #42479]
+
+ 4372. [bug] Address undefined behavior in libt_api. [RT #42480]
+
+ 4371. [func] New "minimal-any" option reduces the size of UDP
+ responses for qtype ANY by returning a single
+ arbitrarily selected RRset instead of all RRsets.
+ Thanks to Tony Finch. [RT #41615]
+
+ 4370. [bug] Address python3 compatibility issues with RNDC module.
+ [RT #42499] [RT #42506]
+
+ --- 9.11.0a2 released ---
+
+ 4369. [bug] Fix 'make' and 'make install' out-of-tree python
+ support. [RT #42484]
+
+ 4368. [bug] Fix a crash when calling "rndc stats" on some
+ Windows builds because some Visual Studio compilers
+ generated crashing code for the "%z" printf()
+ format specifier. [RT #42380]
+
+ 4367. [bug] Remove unnecessary assignment of loadtime in
+ zone_touched. [RT #42440]
+
+ 4366. [bug] Address race condition when updating rbtnode bit
+ fields. [RT #42379]
+
+ 4365. [bug] Address zone reference counting errors involving
+ nxdomain-redirect. [RT #42258]
+
+ 4364. [port] freebsd: add -Wl,-E to loader flags [RT #41690]
+
+ 4363. [port] win32: Disable explicit triggering UAC when running
+ BINDInstall.
+
+ 4362. [func] Changed rndc reconfig behavior so that newly added
+ zones are loaded asynchronously and the loading does
+ not block the server. [RT #41934]
+
+ 4361. [cleanup] Where supported, file modification times returned
+ by isc_file_getmodtime() are now accurate to the
+ nanosecond. [RT #41968]
+
+ 4360. [bug] Silence spurious 'bad key type' message when there is
+ a existing TSIG key. [RT #42195]
+
+ 4359. [bug] Inherited 'also-notify' lists were not being checked
+ by named-checkconf. [RT #42174]
+
+ 4358. [test] Added American Fuzzy Lop harness that allows
+ feeding fuzzed packets into BIND.
+ [RT #41723]
+
+ 4357. [func] Add the python RNDC module. [RT #42093]
+
+ 4356. [func] Add the ability to specify whether to wait for
+ nameserver addresses to be looked up or not to
+ RPZ with a new modifying directive 'nsip-wait-recurse'.
+ [RT #35009]
+
+ 4355. [func] "pkcs11-list" now displays the extractability
+ attribute of private or secret keys stored in
+ an HSM, as either "true", "false", or "never"
+ Thanks to Daniel Stirnimann. [RT #36557]
+
+ 4354. [bug] Check that the received HMAC length matches the
+ expected length prior to check the contents on the
+ control channel. This prevents a OOB read error.
+ This was reported by Lian Yihan, <lianyihan@360.cn>.
+ [RT #42215]
+
+ 4353. [cleanup] Update PKCS#11 header files. [RT #42175]
+
+ 4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
+ is scheduled to be disabled in 2017. A warning is
+ now logged when named is configured to use it,
+ either explicitly or via "dnssec-lookaside auto;"
+ [RT #42207]
+
+ 4351. [bug] 'dig +noignore' didn't work. [RT #42273]
+
+ 4350. [contrib] Declare result in dlz_filesystem_dynamic.c.
+
+ 4349. [contrib] kasp2policy: A python script to create a DNSSEC
+ policy file from an OpenDNSSEC KASP XML file.
+
+ 4348. [func] dnssec-keymgr: A new python-based DNSSEC key
+ management utility, which reads a policy definition
+ file and can create or update DNSSEC keys as needed
+ to ensure that a zone's keys match policy, roll over
+ correctly on schedule, etc. Thanks to Sebastian
+ Castro for assistance in development. [RT #39211]
+
+ 4347. [port] Corrected a build error on x86_64 Solaris. [RT #42150]
+
+ 4346. [bug] Fixed a regression introduced in change #4337 which
+ caused signed domains with revoked KSKs to fail
+ validation. [RT #42147]
+
+ 4345. [contrib] perftcpdns mishandled the return values from
+ clock_nanosleep. [RT #42131]
+
+ 4344. [port] Address openssl version differences. [RT #42059]
+
+ 4343. [bug] dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
+ [RT #42090]
+
+ 4342. [bug] 'rndc flushtree' could fail to clean the tree if there
+ wasn't a node at the specified name. [RT #41846]
+
+ --- 9.11.0a1 released ---
+
+ 4341. [bug] Correct the handling of ECS options with
+ address family 0. [RT #41377]
+
+ 4340. [performance] Implement adaptive read-write locks, reducing the
+ overhead of locks that are only held briefly.
+ [RT #37329]
+
+ 4339. [test] Use "mdig" to test pipelined queries. [RT #41929]
+
+ 4338. [bug] Reimplement change 4324 as it wasn't properly doing
+ all the required book keeping. [RT #41941]
+
+ 4337. [bug] The previous change exposed a latent flaw in
+ key refresh queries for managed-keys when
+ a cached DNSKEY had TTL 0. [RT #41986]
+
+ 4336. [bug] Don't emit records with zero ttl unless the records
+ were learnt with a zero ttl. [RT #41687]
+
+ 4335. [bug] zone->view could be detached too early. [RT #41942]
+
+ 4334. [func] 'named -V' now reports zlib version. [RT #41913]
+
+ 4333. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42 and
+ 2001:500:9f::42.
+
+ 4332. [placeholder]
+
+ 4331. [func] When loading managed signed zones detect if the
+ RRSIG's inception time is in the future and regenerate
+ the RRSIG immediately. [RT #41808]
+
+ 4330. [protocol] Identify the PAD option as "PAD" when printing out
+ a message.
+
+ 4329. [func] Warn about a common misconfiguration when forwarding
+ RFC 1918 zones. [RT #41441]
+
+ 4328. [performance] Add dns_name_fromwire() benchmark test. [RT #41694]
+
+ 4327. [func] Log query and depth counters during fetches when
+ querytrace (./configure --enable-querytrace) is
+ enabled (helps in diagnosing). [RT #41787]
+
+ 4326. [protocol] Add support for AVC. [RT #41819]
+
+ 4325. [func] Add a line to "rndc status" indicating the
+ hostname and operating system details. [RT #41610]
+
+ 4324. [bug] When deleting records from a zone database, interior
+ nodes could be left empty but not deleted, damaging
+ search performance afterward. [RT #40997]
+
+ 4323. [bug] Improve HTTP header processing on statschannel.
+ [RT #41674]
+
+ 4322. [security] Duplicate EDNS COOKIE options in a response could
+ trigger an assertion failure. (CVE-2016-2088)
+ [RT #41809]
+
+ 4321. [bug] Zones using mapped files containing out-of-zone data
+ could return SERVFAIL instead of the expected NODATA
+ or NXDOMAIN results. [RT #41596]
+
+ 4320. [bug] Insufficient memory allocation when handling
+ "none" ACL could cause an assertion failure in
+ named when parsing ACL configuration. [RT #41745]
+
+ 4319. [security] Fix resolver assertion failure due to improper
+ DNAME handling when parsing fetch reply messages.
+ (CVE-2016-1286) [RT #41753]
+
+ 4318. [security] Malformed control messages can trigger assertions
+ in named and rndc. (CVE-2016-1285) [RT #41666]
+
+ 4317. [bug] Age all unused servers on fetch timeout. [RT #41597]
+
+ 4316. [func] Add option to tools to print RRs in unknown
+ presentation format [RT #41595].
+
+ 4315. [bug] Check that configured view class isn't a meta class.
+ [RT #41572].
+
+ 4314. [contrib] Added 'dnsperf-2.1.0.0-1', a set of performance
+ testing tools provided by Nominum, Inc.
+
+ 4313. [bug] Handle ns_client_replace failures in test mode.
+ [RT #41190]
+
+ 4312. [bug] dig's unknown DNS and EDNS flags (MBZ value) logging
+ was not consistent. [RT #41600]
+
+ 4311. [bug] Prevent "rndc delzone" from being used on
+ response-policy zones. [RT #41593]
+
+ 4310. [performance] Use __builtin_expect() where available to annotate
+ conditions with known behavior. [RT #41411]
+
+ 4309. [cleanup] Remove the spurious "none" filename from log messages
+ when processing built-in configuration. [RT #41594]
+
+ 4308. [func] Added operating system details to "named -V"
+ output. [RT #41452]
+
+ 4307. [bug] "dig +subnet" and "mdig +subnet" could send
+ incorrectly-formatted Client Subnet options
+ if the prefix length was not divisible by 8.
+ Also fixed a memory leak in "mdig". [RT #45178]
+
+ 4306. [maint] Added a PKCS#11 openssl patch supporting
+ version 1.0.2f [RT #38312]
+
+ 4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
+ from the zone's apex. [RT #41483]
+
+ 4304. [port] xfer system test failed as 'tail -n +value' is not
+ portable. [RT #41315]
+
+ 4303. [bug] "dig +subnet" was unable to send a prefix length of
+ zero, as it was incorrectly changed to 32 for v4
+ prefixes or 128 for v6 prefixes. In addition to
+ fixing this, "dig +subnet=0" has been added as a
+ short form for 0.0.0.0/0. The same changes have
+ also been made in "mdig". [RT #41553]
+
+ 4302. [port] win32: fixed a build error in VS 2015. [RT #41426]
+
+ 4301. [bug] dnssec-settime -p [DP]sync was not working. [RT #41534]
+
+ 4300. [bug] A flag could be set in the wrong field when setting
+ up non-recursive queries; this could cause the
+ SERVFAIL cache to cache responses it shouldn't.
+ New querytrace logging has been added which
+ identified this error. [RT #41155]
+
+ 4299. [bug] Check that exactly totallen bytes are read when
+ reading a RRset from raw files in both single read
+ and incremental modes. [RT #41402]
+
+ 4298. [bug] dns_rpz_add errors in loadzone were not being
+ propagated up the call stack. [RT #41425]
+
+ 4297. [test] Ensure delegations in RPZ zones fail robustly.
+ [RT #41518]
+
+ 4296. [bug] TCP packet sizes were calculated incorrectly in the
+ stats channel; they could be counted in the wrong
+ histogram bucket. [RT #40587]
+
+ 4295. [bug] An unchecked result in dns_message_pseudosectiontotext()
+ could allow incorrect text formatting of EDNS EXPIRE
+ options. [RT #41437]
+
+ 4294. [bug] Fixed a regression in which "rndc stop -p" failed
+ to print the PID. [RT #41513]
+
+ 4293. [bug] Address memory leak on priming query creation failure.
+ [RT #41512]
+
+ 4292. [placeholder]
+
+ 4291. [cleanup] Added a required include to dns/forward.h. [RT #41474]
+
+ 4290. [func] The timers returned by the statistics channel
+ (indicating current time, server boot time, and
+ most recent reconfiguration time) are now reported
+ with millisecond accuracy. [RT #40082]
+
+ 4289. [bug] The server could crash due to memory being used
+ after it was freed if a zone transfer timed out.
+ [RT #41297]
+
+ 4288. [bug] Fixed a regression in resolver.c:possibly_mark()
+ which caused known-bogus servers to be queried
+ anyway. [RT #41321]
+
+ 4287. [bug] Silence an overly noisy log message when message
+ parsing fails. [RT #41374]
+
+ 4286. [security] render_ecs errors were mishandled when printing out
+ a OPT record resulting in a assertion failure.
+ (CVE-2015-8705) [RT #41397]
+
+ 4285. [security] Specific APL data could trigger a INSIST.
+ (CVE-2015-8704) [RT #41396]
+
+ 4284. [bug] Some GeoIP options were incorrectly documented
+ using abbreviated forms which were not accepted by
+ named. The code has been updated to allow both
+ long and abbreviated forms. [RT #41381]
+
+ 4283. [bug] OPENSSL_config is no longer re-callable. [RT #41348]
+
+ 4282. [func] 'dig +[no]mapped' determine whether the use of mapped
+ IPv4 addresses over IPv6 is permitted or not. The
+ default is +mapped. [RT #41307]
+
+ 4281. [bug] Teach dns_message_totext about BADCOOKIE. [RT #41257]
+
+ 4280. [performance] Use optimal message sizes to improve compression
+ in AXFRs. This reduces network traffic. [RT #40996]
+
+ 4279. [test] Don't use fixed ports when unit testing. [RT #41194]
+
+ 4278. [bug] 'delv +short +[no]split[=##]' didn't work as expected.
+ [RT #41238]
+
+ 4277. [performance] Improve performance of the RBT, the central zone
+ datastructure: The aux hashtable was improved,
+ hash function was updated to perform more
+ uniform mapping, uppernode was added to
+ dns_rbtnode, and other cleanups and performance
+ improvements were made. [RT #41165]
+
+ 4276. [protocol] Add support for SMIMEA. [RT #40513]
+
+ 4275. [performance] Lazily initialize dns_compress->table only when
+ compression is enabled. [RT #41189]
+
+ 4274. [performance] Speed up typemap processing from text. [RT #41196]
+
+ 4273. [bug] Only call dns_test_begin() and dns_test_end() once each
+ in nsec3_test as it fails with GOST if called multiple
+ times.
+
+ 4272. [bug] dig: the +norrcomments option didn't work with +multi.
+ [RT #41234]
+
+ 4271. [test] Unit tests could deadlock in isc__taskmgr_pause().
+ [RT #41235]
+
+ 4270. [security] Update allowed OpenSSL versions as named is
+ potentially vulnerable to CVE-2015-3193.
+
+ 4269. [bug] Zones using "map" format master files currently
+ don't work as policy zones. This limitation has
+ now been documented; attempting to use such zones
+ in "response-policy" statements is now a
+ configuration error. [RT #38321]
+
+ 4268. [func] "rndc status" now reports the path to the
+ configuration file. [RT #36470]
+
+ 4267. [test] Check sdlz error handling. [RT #41142]
+
+ 4266. [placeholder]
+
+ 4265. [bug] Address unchecked isc_mem_get calls. [RT #41187]
+
+ 4264. [bug] Check const of strchr/strrchr assignments match
+ argument's const status. [RT #41150]
+
+ 4263. [contrib] Address compiler warnings in mysqldyn module.
+ [RT #41130]
+
+ 4262. [bug] Fixed a bug in epoll socket code that caused
+ sockets to not be registered for ready
+ notification in some cases, causing named to not
+ read from or write to them, resulting in what
+ appear to the user as blocked connections.
+ [RT #41067]
+
+ 4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
+ [RT #40556]
+
+ 4260. [security] Insufficient testing when parsing a message allowed
+ records with an incorrect class to be be accepted,
+ triggering a REQUIRE failure when those records
+ were subsequently cached. (CVE-2015-8000) [RT #40987]
+
+ 4259. [func] Add an option for non-destructive control channel
+ access using a "read-only" clause. In such
+ cases, a restricted set of rndc commands are
+ allowed for querying information from named.
+ [RT #40498]
+
+ 4258. [bug] Limit rndc query message sizes to 32 KiB. This should
+ not break any legitimate rndc commands, but will
+ prevent a rogue rndc query from allocating too
+ much memory. [RT #41073]
+
+ 4257. [cleanup] Python scripts reported incorrect version. [RT #41080]
+
+ 4256. [bug] Allow rndc command arguments to be quoted so as
+ to allow spaces. [RT #36665]
+
+ 4255. [performance] Add 'message-compression' option to disable DNS
+ compression in responses. [RT #40726]
+
+ 4254. [bug] Address missing lock when getting zone's serial.
+ [RT #41072]
+
+ 4253. [security] Address fetch context reference count handling error
+ on socket error. (CVE-2015-8461) [RT#40945]
+
+ 4252. [func] Add support for automating the generation CDS and
+ CDNSKEY rrsets to named and dnssec-signzone.
+ [RT #40424]
+
+ 4251. [bug] NTAs were deleted when the server was reconfigured
+ or reloaded. [RT #41058]
+
+ 4250. [func] Log the TSIG key in use during inbound zone
+ transfers. [RT #41075]
+
+ 4249. [func] Improve error reporting of TSIG / SIG(0) records in
+ the wrong location. [RT #41030]
+
+ 4248. [performance] Add an isc_atomic_storeq() function, use it in
+ stats counters to improve performance.
+ [RT #39972] [RT #39979]
+
+ 4247. [port] Require both HAVE_JSON and JSON_C_VERSION to be
+ defined to report json library version. [RT #41045]
+
+ 4246. [test] Ensure the statschannel system test runs when BIND
+ is not built with libjson. [RT #40944]
+
+ 4245. [placeholder]
+
+ 4244. [bug] The parser was not reporting that use-ixfr is obsolete.
+ [RT #41010]
+
+ 4243. [func] Improved stats reporting from Timothe Litt. [RT #38941]
+
+ 4242. [bug] Replace the client if not already replaced when
+ prefetching. [RT #41001]
+
+ 4241. [doc] Improved the TSIG, TKEY, and SIG(0) sections in
+ the ARM. [RT #40955]
+
+ 4240. [port] Fix LibreSSL compatibility. [RT #40977]
+
+ 4239. [func] Changed default servfail-ttl value to 1 second from 10.
+ Also, the maximum value is now 30 instead of 300.
+ [RT #37556]
+
+ 4238. [bug] Don't send to servers on net zero (0.0.0.0/8).
+ [RT #40947]
+
+ 4237. [doc] Upgraded documentation toolchain to use DocBook 5
+ and dblatex. [RT #40766]
+
+ 4236. [performance] On machines with 2 or more processors (CPU), the
+ default value for the number of UDP listeners
+ has been changed to the number of detected
+ processors minus one. [RT #40761]
+
+ 4235. [func] Added support in named for "dnstap", a fast method of
+ capturing and logging DNS traffic, and a new command
+ "dnstap-read" to read a dnstap log file. Use
+ "configure --enable-dnstap" to enable this
+ feature (note that this requires libprotobuf-c
+ and libfstrm). See the ARM for configuration details.
+
+ Thanks to Robert Edmonds of Farsight Security.
+ [RT #40211]
+
+ 4234. [func] Add deflate compression in statistics channel HTTP
+ server. [RT #40861]
+
+ 4233. [test] Add tests for CDS and CDNSKEY with delegation-only.
+ [RT #40597]
+
+ 4232. [contrib] Address unchecked memory allocation calls in
+ query-loc and zone2ldap. [RT #40789]
+
+ 4231. [contrib] Address unchecked calloc call in dlz_mysqldyn_mod.c.
+ [RT #40840]
+
+ 4230. [contrib] dlz_wildcard_dynamic.c:dlz_create could return a
+ uninitialized result. [RT #40839]
+
+ 4229. [bug] A variable could be used uninitialized in
+ dns_update_signaturesinc. [RT #40784]
+
+ 4228. [bug] Address race condition in dns_client_destroyrestrans.
+ [RT #40605]
+
+ 4227. [bug] Silence static analysis warnings. [RT #40828]
+
+ 4226. [bug] Address a theoretical shutdown race in
+ zone.c:notify_send_queue(). [RT #38958]
+
+ 4225. [port] freebsd/openbsd: Use '${CC} -shared' for building
+ shared libraries. [RT #39557]
+
+ 4224. [func] Added support for "dyndb", a new interface for loading
+ zone data from an external database, developed by
+ Red Hat for the FreeIPA project.
+
+ DynDB drivers fully implement the BIND database
+ API, and are capable of significantly better
+ performance and functionality than DLZ drivers,
+ while taking advantage of advanced database
+ features not available in BIND such as multi-master
+ replication.
+
+ Thanks to Adam Tkac and Petr Spacek of Red Hat.
+ [RT #35271]
+
+ 4223. [func] Add support for setting max-cache-size to percentage
+ of available physical memory, set default to 90%.
+ [RT #38442]
+
+ 4222. [func] Bias IPv6 servers when selecting the next server to
+ query. [RT #40836]
+
+ 4221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create.
+ [RT #40583]
+
+ 4220. [doc] Improve documentation for zone-statistics.
+ [RT #36955]
+
+ 4219. [bug] Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
+ EGAIN when these soft error are not retried for
+ isc_socket_send*().
+
+ 4218. [bug] Potential null pointer dereference on out of memory
+ if mmap is not supported. [RT #40777]
+
+ 4217. [protocol] Add support for CSYNC. [RT #40532]
+
+ 4216. [cleanup] Silence static analysis warnings. [RT #40649]
+
+ 4215. [bug] nsupdate: skip to next request on GSSTKEY create
+ failure. [RT #40685]
+
+ 4214. [protocol] Add support for TALINK. [RT #40544]
+
+ 4213. [bug] Don't reuse a cache across multiple classes.
+ [RT #40205]
+
+ 4212. [func] Re-query if we get a bad client cookie returned over
+ UDP. [RT #40748]
+
+ 4211. [bug] Ensure that lwresd gets at least one task to work
+ with if enabled. [RT #40652]
+
+ 4210. [cleanup] Silence use after free false positive. [RT #40743]
+
+ 4209. [bug] Address resource leaks in dlz modules. [RT #40654]
+
+ 4208. [bug] Address null pointer dereferences on out of memory.
+ [RT #40764]
+
+ 4207. [bug] Handle class mismatches with raw zone files.
+ [RT #40746]
+
+ 4206. [bug] contrib: fixed a possible NULL dereference in
+ DLZ wildcard module. [RT #40745]
+
+ 4205. [bug] 'named-checkconf -p' could include unwanted spaces
+ when printing tuples with unset optional fields.
+ [RT #40731]
+
+ 4204. [bug] 'dig +trace' failed to lookup the correct type if
+ the initial root NS query was retried. [RT #40296]
+
+ 4203. [test] The rrchecker system test now tests conversion
+ to and from unknown-type format. [RT #40584]
+
+ 4202. [bug] isccc_cc_fromwire() could return an incorrect
+ result. [RT #40614]
+
+ 4201. [func] The default preferred-glue is now the address record
+ type of the transport the query was received
+ over. [RT #40468]
+
+ 4200. [cleanup] win32: update BINDinstall to be BIND release
+ independent. [RT #38915]
+
+ 4199. [protocol] Add support for NINFO, RKEY, SINK, TA.
+ [RT #40545] [RT #40547] [RT #40561] [RT #40563]
+
+ 4198. [placeholder]
+
+ 4197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses.
+ [RT #40603]
+
+ 4196. [doc] Improve how "enum + other" types are documented.
+ [RT #40608]
+
+ 4195. [bug] 'max-zone-ttl unlimited;' was broken. [RT #40608]
+
+ 4194. [bug] named-checkconf -p failed to properly print a port
+ range. [RT #40634]
+
+ 4193. [bug] Handle broken servers that return BADVERS incorrectly.
+ [RT #40427]
+
+ 4192. [bug] The default rrset-order of random was not always being
+ applied. [RT #40456]
+
+ 4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones
+ as per RFC 6763. [RT #37889]
+
+ 4190. [protocol] Accept Active Directory gc._msdcs.<forest> name as
+ valid with check-names. <forest> still needs to be
+ LDH. [RT #40399]
+
+ 4189. [cleanup] Don't exit on overly long tokens in named.conf.
+ [RT #40418]
+
+ 4188. [bug] Support HTTP/1.0 client properly on the statistics
+ channel. [RT #40261]
+
+ 4187. [func] When any RR type implementation doesn't
+ implement totext() for the RDATA's wire
+ representation and returns ISC_R_NOTIMPLEMENTED,
+ such RDATA is now printed in unknown
+ presentation format (RFC 3597). RR types affected
+ include LOC(29) and APL(42). [RT #40317].
+
+ 4186. [bug] Fixed an RPZ bug where a QNAME would be matched
+ against a policy RR with wildcard owner name
+ (trigger) where the QNAME was the wildcard owner
+ name's parent. For example, the bug caused a query
+ with QNAME "example.com" to match a policy RR with
+ "*.example.com" as trigger. [RT #40357]
+
+ 4185. [bug] Fixed an RPZ bug where a policy RR with wildcard
+ owner name (trigger) would prevent another policy RR
+ with its parent owner name from being
+ loaded. For example, the bug caused a policy RR
+ with trigger "example.com" to not have any
+ effect when a previous policy RR with trigger
+ "*.example.com" existed in that RPZ zone.
+ [RT #40357]
+
+ 4184. [bug] Fixed a possible memory leak in name compression
+ when rendering long messages. (Also, improved
+ wire_test for testing such messages.) [RT #40375]
+
+ 4183. [cleanup] Use timing-safe memory comparisons in cryptographic
+ code. Also, the timing-safe comparison functions have
+ been renamed to avoid possible confusion with
+ memcmp(). Thanks to Loganaden Velvindron of
+ AFRINIC. [RT #40148]
+
+ 4182. [cleanup] Use mnemonics for RR class and type comparisons.
+ [RT #40297]
+
+ 4181. [bug] Queued notify messages could be dequeued from the
+ wrong rate limiter queue. [RT #40350]
+
+ 4180. [bug] Error responses in pipelined queries could
+ cause a crash in client.c. [RT #40289]
+
+ 4179. [bug] Fix double frees in getaddrinfo() in libirs.
+ [RT #40209]
+
+ 4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from
+ text. [RT #40274]
+
+ 4177. [bug] Fix assertion failure in parsing NSAP records from
+ text. [RT #40285]
+
+ 4176. [bug] Address race issues with lwresd. [RT #40284]
+
+ 4175. [bug] TKEY with GSS-API keys needed bigger buffers.
+ [RT #40333]
+
+ 4174. [bug] "dnssec-coverage -r" didn't handle time unit
+ suffixes correctly. [RT #38444]
+
+ 4173. [bug] dig +sigchase was not properly matching the trusted
+ key. [RT #40188]
+
+ 4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
+ [RT #40265]
+
+ 4171. [bug] Fixed incorrect class checks in TSIG RR
+ implementation. [RT #40287]
+
+ 4170. [security] An incorrect boundary check in the OPENPGPKEY
+ rdatatype could trigger an assertion failure.
+ (CVE-2015-5986) [RT #40286]
+
+ 4169. [test] Added a 'wire_test -d' option to read input as
+ raw binary data, for use as a fuzzing harness.
+ [RT #40312]
+
+ 4168. [security] A buffer accounting error could trigger an
+ assertion failure when parsing certain malformed
+ DNSSEC keys. (CVE-2015-5722) [RT #40212]
+
+ 4167. [func] Update rndc's usage output to include recently added
+ commands. Thanks to Tony Finch for submitting a
+ patch. [RT #40010]
+
+ 4166. [func] Print informative output from rndc showzone when
+ allow-new-zones is not enabled for a view. Thanks to
+ Tony Finch for submitting a patch. [RT #40009]
+
+ 4165. [security] A failure to reset a value to NULL in tkey.c could
+ result in an assertion failure. (CVE-2015-5477)
+ [RT #40046]
+
+ 4164. [bug] Don't rename slave files and journals on out of memory.
+ [RT #40033]
+
+ 4163. [bug] Address compiler warnings. [RT #40024]
+
+ 4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]
+
+ 4161. [test] Add JSON test for traffic size stats; also test
+ for consistency between "rndc stats" and the XML
+ and JSON statistics channel contents. [RT #38700]
+
+ 4160. [placeholder]
+
+ 4159. [cleanup] Alphabetize dig's help output. [RT #39966]
+
+ 4158. [placeholder]
+
+ 4157. [placeholder]
+
+ 4156. [func] Added statistics counters to track the sizes
+ of incoming queries and outgoing responses in
+ histogram buckets, as specified in RSSAC002.
+ [RT #39049]
+
+ 4155. [func] Allow RPZ rewrite logging to be configured on a
+ per-zone basis using a newly introduced log clause in
+ the response-policy option. [RT #39754]
+
+ 4154. [bug] A OPT record should be included with the FORMERR
+ response when there is a malformed EDNS option.
+ [RT #39647]
+
+ 4153. [bug] Dig should zero non significant +subnet bits. Check
+ that non significant ECS bits are zero on receipt.
+ [RT #39647]
+
+ 4152. [func] Implement DNS COOKIE option. This replaces the
+ experimental SIT option of BIND 9.10. The following
+ named.conf directives are available: send-cookie,
+ cookie-secret, cookie-algorithm, nocookie-udp-size
+ and require-server-cookie. The following dig options
+ are available: +[no]cookie[=value] and +[no]badcookie.
+ [RT #39928]
+
+ 4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
+
+ 4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply
+ minimal fix. [RT #39667]
+
+ 4149. [bug] Fixed a race condition in the getaddrinfo()
+ implementation in libirs, which caused the delv
+ utility to crash with an assertion failure when using
+ the '@server' syntax with a hostname argument.
+ [RT #39899]
+
+ 4148. [bug] Fix a bug when printing zone names with '/' character
+ in XML and JSON statistics output. [RT #39873]
+
+ 4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
+ was returning referrals rather than nodata responses
+ when the AAAA records were filtered. [RT #39843]
+
+ 4146. [bug] Address reference leak that could prevent a clean
+ shutdown. [RT #37125]
+
+ 4145. [bug] Not all unassociated adb entries where being printed.
+ [RT #37125]
+
+ 4144. [func] Add statistics counters for nxdomain redirections.
+ [RT #39790]
+
+ 4143. [placeholder]
+
+ 4142. [bug] rndc addzone with view specified saved NZF config
+ that could not be read back by named. This has now
+ been fixed. [RT #39845]
+
+ 4141. [bug] A formatting bug caused rndc zonestatus to print
+ negative numbers for large serial values. This has
+ now been fixed. [RT #39854]
+
+ 4140. [cleanup] Remove redundant nzf_remove() call during delzone.
+ [RT #39844]
+
+ 4139. [doc] Fix rpz-client-ip documentation. [RT #39783]
+
+ 4138. [security] An uninitialized value in validator.c could result
+ in an assertion failure. (CVE-2015-4620) [RT #39795]
+
+ 4137. [bug] Make rndc reconfig report configuration errors the
+ same way rndc reload does. [RT #39635]
+
+ 4136. [bug] Stale statistics counters with the leading
+ '#' prefix (such as #NXDOMAIN) were not being
+ updated correctly. This has been fixed. [RT #39141]
+
+ 4135. [cleanup] Log expired NTA at startup. [RT #39680]
+
+ 4134. [cleanup] Include client-ip rules when logging the number
+ of RPZ rules of each type. [RT #39670]
+
+ 4133. [port] Update how various json libraries are handled.
+ [RT #39646]
+
+ 4132. [cleanup] dig: added +rd as a synonym for +recurse,
+ added +class as an unabbreviated alternative
+ to +cl. [RT #39686]
+
+ 4131. [bug] Addressed further problems with reloading RPZ
+ zones. [RT #39649]
+
+ 4130. [bug] The compatibility shim for *printf() misprinted some
+ large numbers. [RT #39586]
+
+ 4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]
+
+ 4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]
+
+ 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
+ key as per RFC 7344, Section 4.1. [RT #37215]
+
+ 4126. [bug] Addressed a regression introduced in change #4121.
+ [RT #39611]
+
+ 4125. [test] Added tests for dig, renamed delv test to digdelv.
+ [RT #39490]
+
+ 4124. [func] Log errors or warnings encountered when parsing the
+ internal default configuration. Clarify the logging
+ of errors and warnings encountered in rndc
+ addzone or modzone parameters. [RT #39440]
+
+ 4123. [port] Added %z (size_t) format options to the portable
+ internal printf/sprintf implementation. [RT #39586]
+
+ 4122. [bug] The server could match a shorter prefix than what was
+ available in CLIENT-IP policy triggers, and so, an
+ unexpected action could be taken. This has been
+ corrected. [RT #39481]
+
+ 4121. [bug] On servers with one or more policy zones
+ configured as slaves, if a policy zone updated
+ during regular operation (rather than at
+ startup) using a full zone reload, such as via
+ AXFR, a bug could allow the RPZ summary data to
+ fall out of sync, potentially leading to an
+ assertion failure in rpz.c when further
+ incremental updates were made to the zone, such
+ as via IXFR. [RT #39567]
+
+ 4120. [bug] A bug in RPZ could cause the server to crash if
+ policy zones were updated while recursion was
+ pending for RPZ processing of an active query.
+ [RT #39415]
+
+ 4119. [test] Allow dig to set the message opcode. [RT #39550]
+
+ 4118. [bug] Teach isc-config.sh about irs. [RT #39213]
+
+ 4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.
+
+ 4116. [bug] Fix a bug in RPZ that could cause some policy
+ zones that did not specifically require
+ recursion to be treated as if they did;
+ consequently, setting qname-wait-recurse no; was
+ sometimes ineffective. [RT #39229]
+
+ 4115. [func] "rndc -r" now prints the result code (e.g.,
+ ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
+ running the requested command. [RT #38913]
+
+ 4114. [bug] Fix a regression in radix tree implementation
+ introduced by ECS code. This bug was never
+ released, but it was reported by a user testing
+ master. [RT #38983]
+
+ 4113. [test] Check for Net::DNS is some system test
+ prerequisites. [RT #39369]
+
+ 4112. [bug] Named failed to load when "root-delegation-only"
+ was used without a list of domains to exclude.
+ [RT #39380]
+
+ 4111. [doc] Alphabetize rndc man page. [RT #39360]
+
+ 4110. [bug] Address memory leaks / null pointer dereferences
+ on out of memory. [RT #39310]
+
+ 4109. [port] linux: support reading the local port range from
+ net.ipv4.ip_local_port_range. [RT # 39379]
+
+ 4108. [func] An additional NXDOMAIN redirect method (option
+ "nxdomain-redirect") has been added, allowing
+ redirection to a specified DNS namespace instead
+ of a single redirect zone. [RT #37989]
+
+ 4107. [bug] Address potential deadlock when updating zone content.
+ [RT #39269]
+
+ 4106. [port] Improve readline support. [RT #38938]
+
+ 4105. [port] Misc fixes for Microsoft Visual Studio
+ 2015 CTP6 in 64 bit mode. [RT #39308]
+
+ 4104. [bug] Address uninitialized elements. [RT #39252]
+
+ 4103. [port] Misc fixes for Microsoft Visual Studio
+ 2015 CTP6. [RT #39267]
+
+ 4102. [bug] Fix a use after free bug introduced in change
+ #4094. [RT #39281]
+
+ 4101. [bug] dig: the +split and +rrcomments options didn't
+ work with +short. [RT #39291]
+
+ 4100. [bug] Inherited owernames on the line immediately following
+ a $INCLUDE were not working. [RT #39268]
+
+ 4099. [port] clang: make unknown commandline options hard errors
+ when determining what options are supported.
+ [RT #39273]
+
+ 4098. [bug] Address use-after-free issue when using a
+ predecessor key with dnssec-settime. [RT #39272]
+
+ 4097. [func] Add additional logging about xfrin transfer status.
+ [RT #39170]
+
+ 4096. [bug] Fix a use after free of query->sendevent.
+ [RT #39132]
+
+ 4095. [bug] zone->options2 was not being properly initialized.
+ [RT #39228]
+
+ 4094. [bug] A race during shutdown or reconfiguration could
+ cause an assertion in mem.c. [RT #38979]
+
+ 4093. [func] Dig now learns the SIT value from truncated
+ responses when it retries over TCP. [RT #39047]
+
+ 4092. [bug] 'in-view' didn't work for zones beneath a empty zone.
+ [RT #39173]
+
+ 4091. [cleanup] Some cleanups in isc mem code. [RT #38896]
+
+ 4090. [bug] Fix a crash while parsing malformed CAA RRs in
+ presentation format, i.e., from text such as
+ from master files. Thanks to John Van de
+ Meulebrouck Brendgard for discovering and
+ reporting this problem. [RT #39003]
+
+ 4089. [bug] Send notifies immediately for slave zones during
+ startup. [RT #38843]
+
+ 4088. [port] Fixed errors when building with libressl. [RT #38899]
+
+ 4087. [bug] Fix a crash due to use-after-free due to sequencing
+ of tasks actions. [RT #38495]
+
+ 4086. [bug] Fix out-of-srcdir build with native pkcs11. [RT #38831]
+
+ 4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
+ [RT #38828]
+
+ 4084. [bug] Fix a possible race in updating stats counters.
+ [RT #38826]
+
+ 4083. [cleanup] Print the number of CPUs and UDP listeners
+ consistently in the log and in "rndc status"
+ output; indicate whether threads are supported
+ in "named -V" output. [RT #38811]
+
+ 4082. [bug] Incrementally sign large inline zone deltas.
+ [RT #37927]
+
+ 4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
+
+ 4080. [func] Completed change #4022, adding a "lock-file" option
+ to named.conf to override the default lock file,
+ in addition to the "named -X <filename>" command
+ line option. Setting the lock file to "none"
+ using either method disables the check completely.
+ [RT #37908]
+
+ 4079. [func] Preserve the case of the owner name of records to
+ the RRset level. [RT #37442]
+
+ 4078. [bug] Handle the case where CMSG_SPACE(sizeof(int)) !=
+ CMSG_SPACE(sizeof(char)). [RT #38621]
+
+ 4077. [test] Add static-stub regression test for DS NXDOMAIN
+ return making the static stub disappear. [RT #38564]
+
+ 4076. [bug] Named could crash on shutdown with outstanding
+ reload / reconfig events. [RT #38622]
+
+ 4075. [placeholder]
+
+ 4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
+
+ 4073. [cleanup] Add libjson-c version number reporting to
+ "named -V"; normalize version number formatting.
+ [RT #38056]
+
+ 4072. [func] Add a --enable-querytrace configure switch for
+ very verbose query trace logging. (This option
+ has a negative performance impact and should be
+ used only for debugging.) [RT #37520]
+
+ 4071. [cleanup] Initialize pthread mutex attrs just once, instead of
+ doing it per mutex creation. [RT #38547]
+
+ 4070. [bug] Fix a segfault in nslookup in a query such as
+ "nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
+ [RT #38548]
+
+ 4069. [doc] Reorganize options in the nsupdate man page.
+ [RT #38515]
+
+ 4068. [bug] Omit unknown serial number from JSON zone statistics.
+ [RT #38604]
+
+ 4067. [cleanup] Reduce noise from RRL when query logging is
+ disabled. [RT #38648]
+
+ 4066. [doc] Reorganize options in the dig man page. [RT #38516]
+
+ 4065. [test] Additional RFC 5011 tests. [RT #38569]
+
+ 4064. [contrib] dnssec-keyset.sh: Generates a specified number
+ of DNSSEC keys with timing set to implement a
+ pre-publication key rollover strategy. Thanks
+ to Jeffry A. Spain. [RT #38459]
+
+ 4063. [bug] Asynchronous zone loads were not handled
+ correctly when the zone load was already in
+ progress; this could trigger a crash in zt.c.
+ [RT #37573]
+
+ 4062. [bug] Fix an out-of-bounds read in RPZ code. If the
+ read succeeded, it doesn't result in a bug
+ during operation. If the read failed, named
+ could segfault. [RT #38559]
+
+ 4061. [bug] Handle timeout in legacy system test. [RT #38573]
+
+ 4060. [bug] dns_rdata_freestruct could be called on a
+ uninitialized structure when handling a error.
+ [RT #38568]
+
+ 4059. [bug] Addressed valgrind warnings. [RT #38549]
+
+ 4058. [bug] UDP dispatches could use the wrong pseudorandom
+ number generator context. [RT #38578]
+
+ 4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
+ [RT #38565]
+
+ 4056. [bug] Expanded automatic testing of trust anchor
+ management and fixed several small bugs including
+ a memory leak and a possible loss of key state
+ information. [RT #38458]
+
+ 4055. [func] "rndc managed-keys" can be used to check status
+ of trust anchors or to force keys to be refreshed,
+ Also, the managed keys data file has easier-to-read
+ comments. [RT #38458]
+
+ 4054. [func] Added a new tool 'mdig', a lightweight clone of
+ dig able to send multiple pipelined queries.
+ [RT #38261]
+
+ 4053. [security] Revoking a managed trust anchor and supplying
+ an untrusted replacement could cause named
+ to crash with an assertion failure.
+ (CVE-2015-1349) [RT #38344]
+
+ 4052. [bug] Fix a leak of query fetchlock. [RT #38454]
+
+ 4051. [bug] Fix a leak of pthread_mutexattr_t. [RT #38454]
+
+ 4050. [bug] RPZ could send spurious SERVFAILs in response
+ to duplicate queries. [RT #38510]
+
+ 4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
+
+ 4048. [bug] adb hash table was not being grown. [RT #38470]
+
+ 4047. [cleanup] "named -V" now reports the current running versions
+ of OpenSSL and the libxml2 libraries, in addition to
+ the versions that were in use at build time.
+
+ 4046. [bug] Accounting of "total use" in memory context
+ statistics was not correct. [RT #38370]
+
+ 4045. [bug] Skip to next master on dns_request_createvia4 failure.
+ [RT #25185]
+
+ 4044. [bug] Change 3955 was not complete, resulting in an assertion
+ failure if the timing was just right. [RT #38352]
+
+ 4043. [func] "rndc modzone" can be used to modify the
+ configuration of an existing zone, using similar
+ syntax to "rndc addzone". [RT #37895]
+
+ 4042. [bug] zone.c:iszonesecure was being called too late.
+ [RT #38371]
+
+ 4041. [func] TCP sockets can now be shared while connecting.
+ (This will be used to enable client-side support
+ of pipelined queries.) [RT #38231]
+
+ 4040. [func] Added server-side support for pipelined TCP
+ queries. Clients may continue sending queries via
+ TCP while previous queries are being processed
+ in parallel. (The new "keep-response-order"
+ option allows clients to be specified for which
+ the old behavior will still be used.) [RT #37821]
+
+ 4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
+
+ 4038. [bug] Add 'rpz' flag to node and use it to determine whether
+ to call dns_rpz_delete. This should prevent unbalanced
+ add / delete calls. [RT #36888]
+
+ 4037. [bug] also-notify was ignoring the tsig key when checking
+ for duplicates resulting in some expected notify
+ messages not being sent. [RT #38369]
+
+ 4036. [bug] Make call to open a temporary file name safe during
+ NZF creation. [RT #38331]
+
+ 4035. [bug] Close temporary and NZF FILE pointers before moving
+ the former into the latter's place, as required on
+ Windows. [RT #38332]
+
+ 4034. [func] When added, negative trust anchors (NTA) are now
+ saved to files (viewname.nta), in order to
+ persist across restarts of the named server.
+ [RT #37087]
+
+ 4033. [bug] Missing out of memory check in request.c:req_send.
+ [RT #38311]
+
+ 4032. [bug] Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view.
+ [RT #38310]
+
+ 4031. [bug] named-checkconf -z failed to report a missing file
+ with a hint zone. [RT #38294]
+
+ 4030. [func] "rndc delzone" is now applicable to zones that were
+ configured in named.conf, as well as zones that
+ were added via "rndc addzone". (Note, however, that
+ if named.conf is not also modified, the deleted zone
+ will return when named is reloaded.) [RT #37887]
+
+ 4029. [func] "rndc showzone" displays the current configuration
+ of a specified zone. [RT #37887]
+
+ 4028. [bug] $GENERATE with a zero step was not being caught as a
+ error. A $GENERATE with a / but no step was not being
+ caught as a error. [RT #38262]
+
+ 4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
+
+ 4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
+
+ 4025. [port] bsdi: failed to build. [RT #38047]
+
+ 4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
+ dns_rdata_opt_current, dns_rdata_txt_first,
+ dns_rdata_txt_next and dns_rdata_txt_current were
+ documented but not implemented. These have now been
+ implemented.
+
+ dns_rdata_spf_first, dns_rdata_spf_next and
+ dns_rdata_spf_current were documented but not
+ implemented. The prototypes for these
+ functions have been removed. [RT #38068]
+
+ 4023. [bug] win32: socket handling with explicit ports and
+ invoking named with -4 was broken for some
+ configurations. [RT #38068]
+
+ 4022. [func] Stop multiple spawns of named by limiting number of
+ processes to 1. This is done by using a lockfile and
+ checking whether we can listen on any configured
+ TCP interfaces. [RT #37908]
+
+ 4021. [bug] Adjust max-recursion-queries to accommodate
+ the need for more queries when the cache is
+ empty. [RT #38104]
+
+ 4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
+ resulting in updates being sent to the wrong server.
+ [RT #37925]
+
+ 4019. [func] If named is not configured to validate the answer
+ then allow fallback to plain DNS on timeout even
+ when we know the server supports EDNS. [RT #37978]
+
+ 4018. [placeholder]
+
+ 4017. [test] Add system test to check lookups to legacy servers
+ with broken DNS behavior. [RT #37965]
+
+ 4016. [bug] Fix a dig segfault due to bad linked list usage.
+ [RT #37591]
+
+ 4015. [bug] Nameservers that are skipped due to them being
+ CNAMEs were not being logged. They are now logged
+ to category 'cname' as per BIND 8. [RT #37935]
+
+ 4014. [bug] When including a master file origin_changed was
+ not being properly set leading to a potentially
+ spurious 'inherited owner' warning. [RT #37919]
+
+ 4013. [func] Add a new tcp-only option to server (config) /
+ peer (struct) to use TCP transport to send
+ queries (in place of UDP transport with a
+ TCP fallback on truncated (TC set) response).
+ [RT #37800]
+
+ 4012. [cleanup] Check returned status of OpenSSL digest and HMAC
+ functions when they return one. Note this applies
+ only to FIPS capable OpenSSL libraries put in
+ FIPS mode and MD5. [RT #37944]
+
+ 4011. [bug] master's list port and dscp inheritance was not
+ properly implemented. [RT #37792]
+
+ 4010. [cleanup] Clear the prefetchable state when initiating a
+ prefetch. [RT #37399]
+
+ 4009. [func] delv: added a +tcp option. [RT #37855]
+
+ 4008. [contrib] Updated zkt to latest version (1.1.3). [RT #37886]
+
+ 4007. [doc] Remove acl forward reference restriction. [RT #37772]
+
+ 4006. [security] A flaw in delegation handling could be exploited
+ to put named into an infinite loop. This has
+ been addressed by placing limits on the number
+ of levels of recursion named will allow (default 7),
+ and the number of iterative queries that it will
+ send (default 50) before terminating a recursive
+ query (CVE-2014-8500).
+
+ The recursion depth limit is configured via the
+ "max-recursion-depth" option, and the query limit
+ via the "max-recursion-queries" option. [RT #37580]
+
+ 4005. [func] The buffer used for returning text from rndc
+ commands is now dynamically resizable, allowing
+ arbitrarily large amounts of text to be sent back
+ to the client. (Prior to this change, it was
+ possible for the output of "rndc tsig-list" to be
+ truncated.) [RT #37731]
+
+ 4004. [bug] When delegations had AAAA glue but not A, a
+ reference could be leaked causing an assertion
+ failure on shutdown. [RT #37796]
+
+ 4003. [security] When geoip-directory was reconfigured during
+ named run-time, the previously loaded GeoIP
+ data could remain, potentially causing wrong
+ ACLs to be used or wrong results to be served
+ based on geolocation (CVE-2014-8680). [RT #37720]
+
+ 4002. [security] Lookups in GeoIP databases that were not
+ loaded could cause an assertion failure
+ (CVE-2014-8680). [RT #37679]
+
+ 4001. [security] The caching of GeoIP lookups did not always
+ handle address families correctly, potentially
+ resulting in an assertion failure (CVE-2014-8680).
+ [RT #37672]
+
+ 4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
+ from the redirect zone. [RT #37722]
+
+ 3999. [func] "mkeys" and "nzf" files are now named after
+ their corresponding views, unless the view name
+ contains characters that would be incompatible
+ with use in a filename (i.e., slash, backslash,
+ or capital letters). If a view name does contain
+ these characters, the files will still be named
+ using a cryptographic hash of the view name.
+ Regardless of this, if a file using the old name
+ format is found to exist, it will continue to be
+ used. [RT #37704]
+
+ 3998. [bug] isc_radix_search was returning matches that were
+ too precise. [RT #37680]
+
+ 3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
+
+ 3996. [bug] Address use after free on out of memory error in
+ keyring_add. [RT #37639]
+
+ 3995. [bug] receive_secure_serial holds the zone lock for too
+ long. [RT #37626]
+
+ 3994. [func] Dig now supports setting the last unassigned DNS
+ header flag bit (dig +zflag). [RT #37421]
+
+ 3993. [func] Dig now supports EDNS negotiation by default.
+ (dig +[no]ednsnegotiation).
+
+ Note: This is disabled by default in BIND 9.10
+ and enabled by default in BIND 9.11. [RT #37604]
+
+ 3992. [func] DiG can now send queries without questions
+ (dig +header-only). [RT #37599]
+
+ 3991. [func] Add the ability to buffer logging output by specifying
+ "buffered yes;" when defining a channel. [RT #26561]
+
+ 3990. [test] Add tests for unknown DNSSEC algorithm handling.
+ [RT #37541]
+
+ 3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
+
+ 3988. [func] Allow the zone serial of a dynamically updatable
+ zone to be updated via "rndc signing -serial".
+ [RT #37404]
+
+ 3987. [port] Handle future Visual Studio 14 incompatible changes.
+ [RT #37380]
+
+ 3986. [doc] Add the BIND version number to page footers
+ in the ARM. [RT #37398]
+
+ 3985. [doc] Describe how +ndots and +search interact in dig.
+ [RT #37529]
+
+ 3984. [func] Accept 256 byte long PINs in native PKCS#11
+ crypto. [RT #37410]
+
+ 3983. [bug] Change #3940 was incomplete: negative trust anchors
+ could be set to last up to a week, but the
+ "nta-lifetime" and "nta-recheck" options were
+ still limited to one day. [RT #37522]
+
+ 3982. [doc] Include release notes in product documentation.
+ [RT #37272]
+
+ 3981. [bug] Cache DS/NXDOMAIN independently of other query types.
+ [RT #37467]
+
+ 3980. [bug] Improve --with-tuning=large by self tuning of SO_RCVBUF
+ size. [RT #37187]
+
+ 3979. [bug] Negative trust anchor fetches were not properly
+ managed. [RT #37488]
+
+ 3978. [test] Added a unit test for Diffie-Hellman key
+ computation, completing change #3974. [RT #37477]
+
+ 3977. [cleanup] "rndc secroots" reported a "not found" error when
+ there were no negative trust anchors set. [RT #37506]
+
+ 3976. [bug] When refreshing managed-key trust anchors, clear
+ any cached trust so that they will always be
+ revalidated with the current set of secure
+ roots. [RT #37506]
+
+ 3975. [bug] Don't populate or use the bad cache for queries that
+ don't request or use recursion. [RT #37466]
+
+ 3974. [bug] Handle DH_compute_key() failure correctly in
+ openssldh_link.c. [RT #37477]
+
+ 3973. [test] Added hooks for Google Performance Tools CPU profiler,
+ including real-time/wall-clock profiling. Use
+ "configure --with-gperftools-profiler" to enable.
+ [RT #37339]
+
+ 3972. [bug] Fix host's usage statement. [RT #37397]
+
+ 3971. [bug] Reduce the cascading failures due to a bad $TTL line
+ in named-checkconf / named-checkzone. [RT #37138]
+
+ 3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
+ [RT #37237]
+
+ 3969. [test] Added 'delv' system test. [RT #36901]
+
+ 3968. [bug] Silence spurious log messages when using 'named -[46]'.
+ [RT #37308]
+
+ 3967. [test] Add test for inlined signed zone in multiple views
+ with different DNSKEY sets. [RT #35759]
+
+ 3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
+ [RT #35746]
+
+ 3965. [func] Log outgoing packets and improve packet logging to
+ support logging the remote address. [RT #36624]
+
+ 3964. [func] nsupdate now performs check-names processing.
+ [RT #36266]
+
+ 3963. [test] Added NXRRSET test cases to the "dlzexternal"
+ system test. [RT #37344]
+
+ 3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
+ conditions. [RT #34663]
+
+ 3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
+ BADSIG. [RT #37216]
+
+ 3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
+
+ 3959. [bug] Updates could be lost if they arrived immediately
+ after a rndc thaw. [RT #37233]
+
+ 3958. [bug] Detect when writeable files have multiple references
+ in named.conf. [RT #37172]
+
+ 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
+ and ECDSAP384SHA384. [RT #37183]
+
+ 3956. [func] Notify messages are now rate limited by notify-rate and
+ startup-notify-rate instead of serial-query-rate.
+ [RT #24454]
+
+ 3955. [bug] Notify messages due to changes are no longer queued
+ behind startup notify messages. [RT #24454]
+
+ 3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
+
+ 3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
+
+ 3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
+ two name pointers were the same. [RT #37176]
+
+ 3951. [func] Add the ability to set yet-to-be-defined EDNS flags
+ to dig (+ednsflags=#). [RT #37142]
+
+ 3950. [port] Changed the bin/python Makefile to work around a
+ bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
+
+ 3949. [experimental] Experimental support for draft-andrews-edns1 by sending
+ EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
+ building). Add support for limiting the EDNS version
+ advertised to servers: server { edns-version 0; };
+ Log the EDNS version received in the query log.
+ [RT #35864]
+
+ 3948. [port] solaris: RCVBUFSIZE was too large on Solaris with
+ --with-tuning=large. [RT #37059]
+
+ 3947. [cleanup] Set the executable bit on libraries when using
+ libtool. [RT #36786]
+
+ 3946. [cleanup] Improved "configure" search for a python interpreter.
+ [RT #36992]
+
+ 3945. [bug] Invalid wildcard expansions could be incorrectly
+ accepted by the validator. [RT #37093]
+
+ 3944. [test] Added a regression test for "server-id". [RT #37057]
+
+ 3943. [func] SERVFAIL responses can now be cached for a
+ limited time (configured by "servfail-ttl",
+ default 10 seconds, limit 30). This can reduce
+ the frequency of retries when an authoritative
+ server is known to be failing, e.g., due to
+ ongoing DNSSEC validation problems. [RT #21347]
+
+ 3942. [bug] Wildcard responses from a optout range should be
+ marked as insecure. [RT #37072]
+
+ 3941. [doc] Include the BIND version number in the ARM. [RT #37067]
+
+ 3940. [func] "rndc nta" now allows negative trust anchors to be
+ set for up to one week. [RT #37069]
+
+ 3939. [func] Improve UPDATE forwarding performance by allowing TCP
+ connections to be shared. [RT #37039]
+
+ 3938. [func] Added quotas to be used in recursive resolvers
+ that are under high query load for names in zones
+ whose authoritative servers are nonresponsive or
+ are experiencing a denial of service attack.
+
+ - "fetches-per-server" limits the number of
+ simultaneous queries that can be sent to any
+ single authoritative server. The configured
+ value is a starting point; it is automatically
+ adjusted downward if the server is partially or
+ completely non-responsive. The algorithm used to
+ adjust the quota can be configured via the
+ "fetch-quota-params" option.
+ - "fetches-per-zone" limits the number of
+ simultaneous queries that can be sent for names
+ within a single domain. (Note: Unlike
+ "fetches-per-server", this value is not
+ self-tuning.)
+ - New stats counters have been added to count
+ queries spilled due to these quotas.
+
+ See the ARM for details of these options. [RT #37125]
+
+ 3937. [func] Added some debug logging to better indicate the
+ conditions causing SERVFAILs when resolving.
+ [RT #35538]
+
+ 3936. [func] Added authoritative support for the EDNS Client
+ Subnet (ECS) option.
+
+ ACLs can now include "ecs" elements which specify
+ an address or network prefix; if an ECS option is
+ included in a DNS query, then the address encoded
+ in the option will be matched against "ecs" ACL
+ elements.
+
+ Also, if an ECS address is included in a query,
+ then it will be used instead of the client source
+ address when matching "geoip" ACL elements. This
+ behavior can be overridden with "geoip-use-ecs no;".
+ (Note: to enable "geoip" ACLs, use "configure
+ --with-geoip". This requires libGeoIP version
+ 1.5.0 or higher.)
+
+ When "ecs" or "geoip" ACL elements are used to
+ select a view for a query, the response will include
+ an ECS option to indicate which client network the
+ answer is valid for.
+
+ (Thanks to Vincent Bernat.) [RT #36781]
+
+ 3935. [bug] "geoip asnum" ACL elements would not match unless
+ the full organization name was specified. They
+ can now match against the AS number alone (e.g.,
+ AS1234). [RT #36945]
+
+ 3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
+ sit-secret documentation. [RT #36980]
+
+ 3933. [bug] Corrected the implementation of dns_rdata_casecompare()
+ for the HIP rdata type. [RT #36911]
+
+ 3932. [test] Improved named-checkconf tests. [RT #36911]
+
+ 3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
+
+ 3930. [bug] "rndc nta -r" could cause a server hang if the
+ NTA was not found. [RT #36909]
+
+ 3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]
+
+ 3928. [test] Improve rndc system test. [RT #36898]
+
+ 3927. [bug] dig: report PKCS#11 error codes correctly when
+ compiled with --enable-native-pkcs11. [RT #36956]
+
+ 3926. [doc] Added doc for geoip-directory. [RT #36877]
+
+ 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
+
+ 3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
+
+ 3923. [bug] Sanity check the xml2-config output. [RT #22246]
+
+ 3922. [bug] When resigning, dnssec-signzone was removing
+ all signatures from delegation nodes. It now
+ retains DS and (if applicable) NSEC signatures.
+ [RT #36946]
+
+ 3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
+
+ 3920. [doc] Added doc for masterfile-style. [RT #36823]
+
+ 3919. [bug] dig: continue to next line if a address lookup fails
+ in batch mode. [RT #36755]
+
+ 3918. [doc] Update check-spf documentation. [RT #36910]
+
+ 3917. [bug] dig, nslookup and host now continue on names that are
+ too long after applying a search list elements.
+ [RT #36892]
+
+ 3916. [contrib] zone2sqlite checked wrong result code. Address
+ compiler warnings. [RT #36931]
+
+ 3915. [bug] Address a assertion if a route event arrived while
+ shutting down. [RT #36887]
+
+ 3914. [bug] Allow the URI target and CAA value fields to
+ be zero length. [RT #36737]
+
+ 3913. [bug] Address race issue in dispatch. [RT #36731]
+
+ 3912. [bug] Address some unrecoverable lookup failures. [RT #36330]
+
+ 3911. [func] Implement EDNS EXPIRE option client side, allowing
+ a slave server to set the expiration timer correctly
+ when transferring zone data from another slave
+ server. [RT #35925]
+
+ 3910. [bug] Fix races to free event during shutdown. [RT #36720]
+
+ 3909. [bug] When computing the number of elements required for a
+ acl count_acl_elements could have a short count leading
+ to a assertion failure. Also zero out new acl elements
+ in dns_acl_merge. [RT #36675]
+
+ 3908. [bug] rndc now differentiates between a zone in multiple
+ views and a zone that doesn't exist at all. [RT #36691]
+
+ 3907. [cleanup] Alphabetize rndc help. [RT #36683]
+
+ 3906. [protocol] Update URI record format to comply with
+ draft-faltstrom-uri-08. [RT #36642]
+
+ 3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]
+
+ 3904. [func] Add the RPZ SOA to the additional section. [RT36507]
+
+ 3903. [bug] Improve the accuracy of DiG's reported round trip
+ time. [RT 36611]
+
+ 3902. [bug] liblwres wasn't handling link-local addresses in
+ nameserver clauses in resolv.conf. [RT #36039]
+
+ 3901. [protocol] Added support for CAA record type (RFC 6844).
+ [RT #36625]
+
+ 3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]
+
+ 3899. [bug] "request-ixfr" is only applicable to slave and redirect
+ zones. [RT #36608]
+
+ 3898. [bug] Too small a buffer in tohexstr() calls in test code.
+ [RT #36598]
+
+ 3897. [bug] RPZ summary information was not properly being updated
+ after a AXFR resulting in changes sometimes being
+ ignored. [RT #35885]
+
+ 3896. [bug] Address performance issues with DSCP code on some
+ platforms. [RT #36534]
+
+ 3895. [func] Add the ability to set the DSCP code point to dig.
+ [RT #36546]
+
+ 3894. [bug] Buffers in isc_print_vsnprintf were not properly
+ initialized leading to potential overflows when
+ printing out quad values. [RT #36505]
+
+ 3893. [bug] Peer DSCP values could be returned without being set.
+ [RT #36538]
+
+ 3892. [bug] Setting '-t aaaa' in .digrc had unintended side
+ effects. [RT #36452]
+
+ 3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
+ to install python programs.
+
+ 3890. [bug] RRSIG sets that were not loaded in a single transaction
+ at start up where not being correctly added to
+ re-signing heaps. [RT #36302]
+
+ 3889. [port] hurd: configure fixes as per:
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
+
+ 3888. [func] 'rndc status' now reports the number of automatic
+ zones. [RT #36015]
+
+ 3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
+ they are easier to use in a debugger. [RT #36373]
+
+ 3886. [bug] rbtdb_write_header should use a once to initialize
+ FILE_VERSION. [RT #36374]
+
+ 3885. [port] Use 'open()' rather than 'file()' to open files in
+ python.
+
+ 3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]
+
+ 3883. [placeholder]
+
+ 3882. [func] By default, negative trust anchors will be tested
+ periodically to see whether data below them can be
+ validated, and if so, they will be allowed to
+ expire early. The "rndc nta -force" option
+ overrides this behavior. The default NTA lifetime
+ and the recheck frequency can be configured by the
+ "nta-lifetime" and "nta-recheck" options. [RT #36146]
+
+ 3881. [bug] Address memory leak with UPDATE error handling.
+ [RT #36303]
+
+ 3880. [test] Update ans.pl to work with new TSIG support in
+ Net::DNS; add additional Net::DNS version prerequisite
+ checks. [RT #36327]
+
+ 3879. [func] Add version printing option to various BIND utilities.
+ [RT #10686]
+
+ 3878. [bug] Using the incorrect filename for a DLZ module
+ caused a segmentation fault on startup. [RT #36286]
+
+ 3877. [bug] Inserting and deleting parent and child nodes
+ in response policy zones could trigger an assertion
+ failure. [RT #36272]
+
+ 3876. [bug] Improve efficiency of DLZ redirect zones by
+ suppressing unnecessary database lookups. [RT #35835]
+
+ 3875. [cleanup] Clarify log message when unable to read private
+ key files. [RT #24702]
+
+ 3874. [test] Check that only "check-names master" is needed for
+ updates to be accepted.
+
+ 3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]
+
+ 3872. [bug] Address issues found by static analysis. [RT #36209]
+
+ 3871. [bug] Don't publish an activated key automatically before
+ its publish time. [RT #35063]
+
+ 3870. [func] Updated the random number generator used in
+ the resolver to use the updated ChaCha based one
+ (similar to OpenBSD's changes). Also moved the
+ RNG to libisc and added unit tests for it.
+ [RT #35942]
+
+ 3869. [doc] Document that in-view zones cannot be used for
+ response policy zones. [RT #35941]
+
+ 3868. [bug] isc_mem_setwater incorrectly cleared hi_called
+ potentially leaving over memory cleaner running.
+ [RT #35270]
+
+ 3867. [func] "rndc nta" can now be used to set a temporary
+ negative trust anchor, which disables DNSSEC
+ validation below a specified name for a specified
+ period of time (not exceeding 24 hours). This
+ can be used when validation for a domain is known
+ to be failing due to a configuration error on
+ the part of the domain owner rather than a
+ spoofing attack. [RT #29358]
+
+ 3866. [bug] Named could die on disk full in generate_session_key.
+ [RT #36119]
+
+ 3865. [test] Improved testability of the red-black tree
+ implementation and added unit tests. [RT #35904]
+
+ 3864. [bug] RPZ didn't work well when being used as forwarder.
+ [RT #36060]
+
+ 3863. [bug] The "E" flag was missing from the query log as a
+ unintended side effect of code rearrangement to
+ support EDNS EXPIRE. [RT #36117]
+
+ 3862. [cleanup] Return immediately if we are not going to log the
+ message in ns_client_dumpmessage.
+
+ 3861. [security] Missing isc_buffer_availablelength check results
+ in a REQUIRE assertion when printing out a packet
+ (CVE-2014-3859). [RT #36078]
+
+ 3860. [bug] ioctl(DP_POLL) array size needs to be determined
+ at run time as it is limited to {OPEN_MAX}.
+ [RT #35878]
+
+ 3859. [placeholder]
+
+ 3858. [bug] Disable GCC 4.9 "delete null pointer check".
+ [RT #35968]
+
+ 3857. [bug] Make it harder for a incorrect NOEDNS classification
+ to be made. [RT #36020]
+
+ 3856. [bug] Configuring libjson without also configuring libxml
+ resulted in a REQUIRE assertion when retrieving
+ statistics using json. [RT #36009]
+
+ 3855. [bug] Limit smoothed round trip time aging to no more than
+ once a second. [RT #32909]
+
+ 3854. [cleanup] Report unrecognized options, if any, in the final
+ configure summary. [RT #36014]
+
+ 3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
+ the handling of a rdataset with no records. [RT #35968]
+
+ 3852. [func] Increase the default number of clients available
+ for servicing lightweight resolver queries, and
+ make them configurable via the "lwres-tasks" and
+ "lwres-clients" options. (Thanks to Tomas Hozza.)
+ [RT #35857]
+
+ 3851. [func] Allow libseccomp based system-call filtering
+ on Linux; use "configure --enable-seccomp" to
+ turn it on. Thanks to Loganaden Velvindron
+ of AFRINIC for the contribution. [RT #35347]
+
+ 3850. [bug] Disabling forwarding could trigger a REQUIRE assertion.
+ [RT #35979]
+
+ 3849. [doc] Alphabetized dig's +options. [RT #35992]
+
+ 3848. [bug] Adjust 'statistics-channels specified but not effective'
+ error message to account for JSON support. [RT #36008]
+
+ 3847. [bug] 'configure --with-dlz-postgres' failed to fail when
+ there is not support available.
+
+ 3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
+ ixfr query. [RT #35980]
+
+ 3845. [placeholder]
+
+ 3844. [bug] Use the x64 version of the Microsoft Visual C++
+ Redistributable when built for 64 bit Windows.
+ [RT #35973]
+
+ 3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
+ [RT #35969]
+
+ 3842. [bug] Adjust RRL log-only logging category. [RT #35945]
+
+ 3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
+ [RT #35924]
+
+ 3840. [port] Check for arc4random_addrandom() before using it;
+ it's been removed from OpenBSD 5.5. [RT #35907]
+
+ 3839. [test] Use only posix-compatible shell in system tests.
+ [RT #35625]
+
+ 3838. [protocol] EDNS EXPIRE as been assigned a code point of 9.
+
+ 3837. [security] A NULL pointer is passed to query_prefetch resulting
+ a REQUIRE assertion failure when a fetch is actually
+ initiated (CVE-2014-3214). [RT #35899]
+
+ 3836. [bug] Address C++ keyword usage in header file.
+
+ 3835. [bug] Geoip ACL elements didn't work correctly when
+ referenced via named or nested ACLs. [RT #35879]
+
+ 3834. [bug] The re-signing heaps were not being updated soon enough
+ leading to multiple re-generations of the same RRSIG
+ when a zone transfer was in progress. [RT #35273]
+
+ 3833. [bug] Cross compiling was broken due to calling genrandom at
+ build time. [RT #35869]
+
+ 3832. [func] "named -L <filename>" causes named to send log
+ messages to the specified file by default instead
+ of to the system log. (Thanks to Tony Finch.)
+ [RT #35845]
+
+ 3831. [cleanup] Reduce logging noise when EDNS state changes occur.
+ [RT #35843]
+
+ 3830. [func] When query logging is enabled, log query errors at
+ the same level ('info') as the queries themselves.
+ [RT #35844]
+
+ 3829. [func] "dig +ttlunits" causes dig to print TTL values
+ with time-unit suffixes: w, d, h, m, s for
+ weeks, days, hours, minutes, and seconds. (Thanks
+ to Tony Finch.) [RT #35823]
+
+ 3828. [func] "dnssec-signzone -N date" updates serial number
+ to the current date in YYYYMMDDNN format.
+ [RT #35800]
+
+ 3827. [placeholder]
+
+ 3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
+ [RT #35870]
+
+ 3825. [bug] Address sign extension bug in isc_regex_validate.
+ [RT #35758]
+
+ 3824. [bug] A collision between two flag values could cause
+ problems with cache cleaning when SIT was enabled.
+ [RT #35858]
+
+ 3823. [func] Log the rpz cname target when rewriting. [RT #35667]
+
+ 3822. [bug] Log the correct type of static-stub zones when
+ removing them. [RT #35842]
+
+ 3821. [contrib] Added a new "mysqldyn" DLZ module with dynamic
+ update and transaction support. Thanks to Marty
+ Lee for the contribution. [RT #35656]
+
+ 3820. [func] The DLZ API doesn't pass the database version to
+ the lookup() function; this can cause DLZ modules
+ that allow dynamic updates to mishandle prerequisite
+ checks. This has been corrected by adding a
+ 'dbversion' field to the dns_clientinfo_t
+ structure. [RT #35656]
+
+ 3819. [bug] NSEC3 hashes need to be able to be entered and
+ displayed without padding. This is not a issue for
+ currently defined algorithms but may be for future
+ hash algorithms. [RT #27925]
+
+ 3818. [bug] Stop lying to the optimizer that 'void *arg' is a
+ constant in isc_event_allocate.
+
+ 3817. [func] The "delve" command is now spelled "delv" to avoid
+ a namespace collision with the Xapian project.
+ [RT #35801]
+
+ 3816. [func] "dig +qr" now reports query size. (Thanks to
+ Tony Finch.) [RT #35822]
+
+ 3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]
+
+ 3814. [func] The "masterfile-style" zone option controls the
+ formatting of dumped zone files. Options are
+ "relative" (multiline format) and "full" (one
+ record per line). The default is "relative".
+ [RT #20798]
+
+ 3813. [func] "host" now recognizes the "timeout", "attempts" and
+ "debug" options when set in /etc/resolv.conf.
+ (Thanks to Adam Tkac at RedHat.) [RT #21885]
+
+ 3812. [func] Dig now supports sending arbitrary EDNS options from
+ the command line (+ednsopt=code[:value]). [RT #35584]
+
+ 3811. [func] "serial-update-method date;" sets serial number
+ on dynamic update to today's date in YYYYMMDDNN
+ format. (Thanks to Bradley Forschinger.) [RT #24903]
+
+ 3810. [bug] Work around broken nameservers that fail to ignore
+ unknown EDNS options. [RT #35766]
+
+ 3809. [doc] Fix SIT and NSID documentation.
+
+ 3808. [doc] Clean up "prefetch" documentation. [RT #35751]
+
+ 3807. [bug] Fix sign extension bug in dns_name_fromtext when
+ lowercase is set. [RT #35743]
+
+ 3806. [test] Improved system test portability. [RT #35625]
+
+ 3805. [contrib] Added contrib/perftcpdns, a performance testing tool
+ for DNS over TCP. [RT #35710]
+
+ --- 9.10.0rc1 released ---
+
+ 3804. [bug] Corrected a race condition in dispatch.c in which
+ portentry could be reset leading to an assertion
+ failure in socket_search(). (Change #3708
+ addressed the same issue but was incomplete.)
+ [RT #35128]
+
+ 3803. [bug] "named-checkconf -z" incorrectly rejected zones
+ using alternate data sources for not having a "file"
+ option. [RT #35685]
+
+ 3802. [bug] Various header files were not being installed.
+
+ 3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]
+
+ 3800. [bug] A pending event on the route socket could cause an
+ assertion failure when shutting down named. [RT #35674]
+
+ 3799. [bug] Improve named's command line error reporting.
+ [RT #35603]
+
+ 3798. [bug] 'rndc zonestatus' was reporting the wrong re-signing
+ time. [RT #35659]
+
+ 3797. [port] netbsd: geoip support probing was broken. [RT #35642]
+
+ 3796. [bug] Register dns and pkcs#11 error codes. [RT #35629]
+
+ 3795. [bug] Make named-checkconf detect raw masterfiles for
+ hint zones and reject them. [RT #35268]
+
+ 3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.
+
+ 3793. [bug] zone.c:save_nsec3param() could assert when out of
+ memory. [RT #35621]
+
+ 3792. [func] Provide links to the alternate statistics views when
+ displaying in a browser. [RT #35605]
+
+ 3791. [placeholder]
+
+ 3790. [bug] Handle broken nameservers that send BADVERS in
+ response to unknown EDNS options. Maintain
+ statistics on BADVERS responses.
+
+ 3789. [bug] Null pointer dereference on rbt creation failure.
+
+ 3788. [bug] dns_peer_getrequestsit was returning request_nsid by
+ mistake.
+
+ --- 9.10.0b2 released ---
+
+ 3787. [bug] The code that checks whether "auto-dnssec" is
+ allowed was ignoring "allow-update" ACLs set at
+ the options or view level. [RT #29536]
+
+ 3786. [func] Provide more detailed error codes when using
+ native PKCS#11. "pkcs11-tokens" now fails robustly
+ rather than asserting when run against an HSM with
+ an incomplete PKCS#11 API implementation. [RT #35479]
+
+ 3785. [bug] Debugging code dumphex didn't accept arbitrarily long
+ input (only compiled with -DDEBUG). [RT #35544]
+
+ 3784. [bug] Using "rrset-order fixed" when it had not been
+ enabled at compile time caused inconsistent
+ results. It now works as documented, defaulting
+ to cyclic mode. [RT #28104]
+
+ 3783. [func] "tsig-keygen" is now available as an alternate
+ command name for "ddns-confgen". It generates
+ a TSIG key in named.conf format without comments.
+ [RT #35503]
+
+ 3782. [func] Specifying "auto" as the salt when using
+ "rndc signing -nsec3param" causes named to
+ generate a 64-bit salt at random. [RT #35322]
+
+ 3781. [tuning] Use adaptive mutex locks when available; this
+ has been found to improve performance under load
+ on many systems. "configure --with-locktype=standard"
+ restores conventional mutex locks. [RT #32576]
+
+ 3780. [bug] $GENERATE handled negative numbers incorrectly.
+ [RT #25528]
+
+ 3779. [cleanup] Clarify the error message when using an option
+ that was not enabled at compile time. [RT #35504]
+
+ 3778. [bug] Log a warning when the wrong address family is
+ used in "listen-on" or "listen-on-v6". [RT #17848]
+
+ 3777. [bug] EDNS EXPIRE code could dump core when processing
+ DLZ queries. [RT #35493]
+
+ 3776. [func] "rndc -q" suppresses output from successful
+ rndc commands. Errors are printed on stderr.
+ [RT #21393]
+
+ 3775. [bug] dlz_dlopen driver could return the wrong error
+ code on API version mismatch, leading to a segfault.
+ [RT #35495]
+
+ 3774. [func] When using "request-nsid", log the NSID value in
+ printable form as well as hex. [RT #20864]
+
+ 3773. [func] "host", "nslookup" and "nsupdate" now have
+ options to print the version number and exit.
+ [RT #26057]
+
+ 3772. [contrib] Added sqlite3 dynamically-loadable DLZ module.
+ (Based in part on a contribution from Tim Tessier.)
+ [RT #20822]
+
+ 3771. [cleanup] Adjusted log level for "using built-in key"
+ messages. [RT #24383]
+
+ 3770. [bug] "dig +trace" could fail with an assertion when it
+ needed to fall back to TCP due to a truncated
+ response. [RT #24660]
+
+ 3769. [doc] Improved documentation of "rndc signing -list".
+ [RT #30652]
+
+ 3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
+ algorithm. [RT #34000]
+
+ 3767. [func] Log explicitly when using rndc.key to configure
+ command channel. [RT #35316]
+
+ 3766. [cleanup] Fixed problems with building outside the source
+ tree when using native PKCS#11. [RT #35459]
+
+ 3765. [bug] Fixed a bug in "rndc secroots" that could crash
+ named when dumping an empty keynode. [RT #35469]
+
+ 3764. [bug] The dnssec-keygen/settime -S and -i options
+ (to set up a successor key and set the prepublication
+ interval) were missing from dnssec-keyfromlabel.
+ [RT #35394]
+
+ 3763. [bug] delve: Cache DNSSEC records to avoid the need to
+ re-fetch them when restarting validation. [RT #35476]
+
+ 3762. [bug] Address build problems with --pkcs11-native +
+ --with-openssl with ECDSA support. [RT #35467]
+
+ 3761. [bug] Address dangling reference bug in dns_keytable_add.
+ [RT #35471]
+
+ 3760. [bug] Improve SIT with native PKCS#11 and on Windows.
+ [RT #35433]
+
+ 3759. [port] Enable delve on Windows. [RT #35441]
+
+ 3758. [port] Enable export library APIs on Windows. [RT #35382]
+
+ 3757. [port] Enable Python tools (dnssec-coverage,
+ dnssec-checkds) to run on Windows. [RT #34355]
+
+ 3756. [bug] GSSAPI Kerberos realm checking was broken in
+ check_config leading to spurious messages being
+ logged. [RT #35443]
+
+ --- 9.10.0b1 released ---
+
+ 3755. [func] Add stats counters for known EDNS options + others.
+ [RT #35447]
+
+ 3754. [cleanup] win32: Installer now places files in the
+ Program Files area rather than system services.
+ [RT #35361]
+
+ 3753. [bug] allow-notify was ignoring keys. [RT #35425]
+
+ 3752. [bug] Address potential REQUIRE failure if
+ DNS_STYLEFLAG_COMMENTDATA is set when printing out
+ a rdataset.
+
+ 3751. [tuning] The default setting for the -U option (setting
+ the number of UDP listeners per interface) has
+ been adjusted to improve performance. [RT #35417]
+
+ 3750. [experimental] Partially implement EDNS EXPIRE option as described
+ in draft-andrews-dnsext-expire-00. Retrieval of
+ the remaining time until expiry for slave zones
+ is supported.
+
+ EXPIRE uses an experimental option code (65002),
+ which is subject to change. [RT #35416]
+
+ 3749. [func] "dig +subnet" sends an EDNS client subnet option
+ containing the specified address/prefix when
+ querying. (Thanks to Wilmer van der Gaast.)
+ [RT #35415]
+
+ 3748. [test] Use delve to test dns_client interfaces. [RT #35383]
+
+ 3747. [bug] A race condition could lead to a core dump when
+ destroying a resolver fetch object. [RT #35385]
+
+ 3746. [func] New "max-zone-ttl" option enforces maximum
+ TTLs for zones. If loading a zone containing a
+ higher TTL, the load fails. DDNS updates with
+ higher TTLs are accepted but the TTL is truncated.
+ (Note: Currently supported for master zones only;
+ inline-signing slaves will be added.) [RT #38405]
+
+ 3745. [func] "configure --with-tuning=large" adjusts various
+ compiled-in constants and default settings to
+ values suited to large servers with abundant
+ memory. [RT #29538]
+
+ 3744. [experimental] SIT: send and process Source Identity Tokens
+ (similar to DNS Cookies by Donald Eastlake 3rd),
+ which are designed to help clients detect off-path
+ spoofed responses and for servers to identify
+ legitimate clients.
+
+ SIT uses an experimental EDNS option code (65001),
+ which will be changed to an IANA-assigned value
+ if the experiment is deemed a success.
+
+ SIT can be enabled via "configure --enable-sit" (or
+ --enable-developer). It is enabled by default in
+ Windows.
+
+ Servers can be configured to send smaller responses
+ to clients that have not identified themselves via
+ SIT. RRL processing has also been updated;
+ legitimate clients are not subject to rate
+ limiting. [RT #35389]
+
+ 3743. [bug] delegation-only flag wasn't working in forward zone
+ declarations despite being documented. This is
+ needed to support turning off forwarding and turning
+ on delegation only at the same name. [RT #35392]
+
+ 3742. [port] linux: libcap support: declare curval at start of
+ block. [RT #35387]
+
+ 3741. [func] "delve" (domain entity lookup and validation engine):
+ A new tool with dig-like semantics for performing DNS
+ lookups, with internal DNSSEC validation, using the
+ same resolver and validator logic as named. This
+ allows easy validation of DNSSEC data in environments
+ with untrustworthy resolvers, and assists with
+ troubleshooting of DNSSEC problems. [RT #32406]
+
+ 3740. [contrib] Minor fixes to configure --with-dlz-bdb,
+ --with-dlz-postgres and --with-dlz-odbc. [RT #35340]
+
+ 3739. [func] Added per-zone stats counters to track TCP and
+ UDP queries. [RT #35375]
+
+ 3738. [bug] --enable-openssl-hash failed to build. [RT #35343]
+
+ 3737. [bug] 'rndc retransfer' could trigger a assertion failure
+ with inline zones. [RT #35353]
+
+ 3736. [bug] nsupdate: When specifying a server by name,
+ fall back to alternate addresses if the first
+ address for that name is not reachable. [RT #25784]
+
+ 3735. [cleanup] Merged the libiscpk11 library into libisc
+ to simplify dependencies. [RT #35205]
+
+ 3734. [bug] Improve building with libtool. [RT #35314]
+
+ 3733. [func] Improve interface scanning support. Interface
+ information will be automatically updated if the
+ OS supports routing sockets (MacOS, *BSD, Linux).
+ Use "automatic-interface-scan no;" to disable.
+
+ Add "rndc scan" to trigger a scan. [RT #23027]
+
+ 3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
+ driver to dump core on 64-bit systems. [RT #35324]
+
+ 3731. [func] Added a "no-case-compress" ACL, which causes
+ named to use case-insensitive compression
+ (disabling change #3645) for specified
+ clients. (This is useful when dealing
+ with broken client implementations that
+ use case-sensitive name comparisons,
+ rejecting responses that fail to match the
+ capitalization of the query that was sent.)
+ [RT #35300]
+
+ 3730. [cleanup] Added "never" as a synonym for "none" when
+ configuring key event dates in the dnssec tools.
+ [RT #35277]
+
+ 3729. [bug] dnssec-keygen could set the publication date
+ incorrectly when only the activation date was
+ specified on the command line. [RT #35278]
+
+ 3728. [doc] Expanded native-PKCS#11 documentation,
+ specifically pkcs11: URI labels. [RT #35287]
+
+ 3727. [func] The isc_bitstring API is no longer used and
+ has been removed from libisc. [RT #35284]
+
+ 3726. [cleanup] Clarified the error message when attempting
+ to configure more than 32 response-policy zones.
+ [RT #35283]
+
+ 3725. [contrib] Updated zkt and nslint to newest versions,
+ cleaned up and rearranged the contrib
+ directory, and added a README.
+
+ --- 9.10.0a2 released ---
+
+ 3724. [bug] win32: Fixed a bug that prevented dig and
+ host from exiting properly after completing
+ a UDP query. [RT #35288]
+
+ 3723. [cleanup] Imported keys are now handled the same way
+ regardless of DNSSEC algorithm. [RT #35215]
+
+ 3722. [bug] Using geoip ACLs in a blackhole statement
+ could cause a segfault. [RT #35272]
+
+ 3721. [doc] Improved documentation of the EDNS processing
+ enhancements introduced in change #3593. [RT #35275]
+
+ 3720. [bug] Address compiler warnings. [RT #35261]
+
+ 3719. [bug] Address memory leak in in peer.c. [RT #35255]
+
+ 3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260]
+
+ 3717. [port] hpux: Treat EOPNOTSUPP as a expected error code when
+ probing to see if it is possible to set dscp values
+ on a per packet basis. [RT #35252]
+
+ 3716. [bug] The dns_request code was setting dcsp values when not
+ requested. [RT #35252]
+
+ 3715. [bug] The region and city databases could fail to
+ initialize when using some versions of libGeoIP,
+ causing assertion failures when named was
+ configured to use them. [RT #35427]
+
+ 3714. [test] System tests that need to test for cryptography
+ support before running can now use a common
+ "testcrypto.sh" script to do so. [RT #35213]
+
+ 3713. [bug] Save memory by not storing "also-notify" addresses
+ in zone objects that are configured not to send
+ notify requests. [RT #35195]
+
+ 3712. [placeholder]
+
+ 3711. [placeholder]
+
+ 3710. [bug] Address double dns_zone_detach when switching to
+ using automatic empty zones from regular zones.
+ [RT #35177]
+
+ 3709. [port] Use built-in versions of strptime() and timegm()
+ on all platforms to avoid portability issues.
+ [RT #35183]
+
+ 3708. [bug] Address a portentry locking issue in dispatch.c.
+ [RT #35128]
+
+ 3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND
+ on a missing resolv.conf file and initializes the
+ structure as if it had been configured with:
+
+ nameserver ::1
+ nameserver 127.0.0.1
+
+ Note: Callers will need to be updated to treat
+ ISC_R_FILENOTFOUND as a qualified success or else
+ they will leak memory. The following code fragment
+ will work with both old and new versions without
+ changing the behaviour of the existing code.
+
+ resconf = NULL;
+ result = irs_resconf_load(mctx, "/etc/resolv.conf",
+ &resconf);
+ if (result != ISC_SUCCESS) {
+ if (resconf != NULL)
+ irs_resconf_destroy(&resconf);
+ ....
+ }
+
+ [RT #35194]
+
+ 3706. [contrib] queryperf: Fixed a possible integer overflow when
+ printing results. [RT #35182]
+
+ 3705. [func] "configure --enable-native-pkcs11" enables BIND
+ to use the PKCS#11 API for all cryptographic
+ functions, so that it can drive a hardware service
+ module directly without the need to use a modified
+ OpenSSL as intermediary (so long as the HSM's vendor
+ provides a complete-enough implementation of the
+ PKCS#11 interface). This has been tested successfully
+ with the Thales nShield HSM and with SoftHSMv2 from
+ the OpenDNSSEC project. [RT #29031]
+
+ 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
+
+ 3703. [func] To improve recursive resolver performance, cache
+ records which are still being requested by clients
+ can now be automatically refreshed from the
+ authoritative server before they expire, reducing
+ or eliminating the time window in which no answer
+ is available in the cache. See the "prefetch" option
+ for more details. [RT #35041]
+
+ 3702. [func] 'dnssec-coverage -l' option specifies a length
+ of time to check for coverage; events further into
+ the future are ignored. 'dnssec-coverage -z'
+ checks only ZSK events, and 'dnssec-coverage -k'
+ checks only KSK events. (Thanks to Peter Palfrader.)
+ [RT #35168]
+
+ 3701. [func] named-checkconf can now obscure shared secrets
+ when printing by specifying '-x'. [RT #34465]
+
+ 3700. [func] Allow access to subgroups of XML statistics via
+ special URLs http://<server>:<port>/xml/v3/server,
+ /zones, /net, /tasks, /mem, and /status. [RT #35115]
+
+ 3699. [bug] Improvements to statistics channel XSL stylesheet:
+ the stylesheet can now be cached by the browser;
+ section headers are omitted from the stats display
+ when there is no data in those sections to be
+ displayed; counters are now right-justified for
+ easier readability. [RT #35117]
+
+ 3698. [cleanup] Replaced all uses of memcpy() with memmove().
+ [RT #35120]
+
+ 3697. [bug] Handle "." as a search list element when IDN support
+ is enabled. [RT #35133]
+
+ 3696. [bug] dig failed to handle AXFR style IXFR responses which
+ span multiple messages. [RT #35137]
+
+ 3695. [bug] Address a possible race in dispatch.c. [RT #35107]
+
+ 3694. [bug] Warn when a key-directory is configured for a zone,
+ but does not exist or is not a directory. [RT #35108]
+
+ 3693. [security] memcpy was incorrectly called with overlapping
+ ranges resulting in malformed names being generated
+ on some platforms. This could cause INSIST failures
+ when serving NSEC3 signed zones (CVE-2014-0591).
+ [RT #35120]
+
+ 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
+ was no data at the node. [RT #35080]
+
+ 3691. [contrib] Address null pointer dereference in LDAP and
+ MySQL DLZ modules.
+
+ 3690. [bug] Iterative responses could be missed when the source
+ port for an upstream query was the same as the
+ listener port (53). [RT #34925]
+
+ 3689. [bug] Fixed a bug causing an insecure delegation from one
+ static-stub zone to another to fail with a broken
+ trust chain. [RT #35081]
+
+ 3688. [bug] loadnode could return a freed node on out of memory.
+ [RT #35106]
+
+ 3687. [bug] Address null pointer dereference in zone_xfrdone.
+ [RT #35042]
+
+ 3686. [func] "dnssec-signzone -Q" drops signatures from keys
+ that are still published but no longer active.
+ [RT #34990]
+
+ 3685. [bug] "rndc refresh" didn't work correctly with slave
+ zones using inline-signing. [RT #35105]
+
+ 3684. [bug] The list of included files would grow on reload.
+ [RT 35090]
+
+ 3683. [cleanup] Add a more detailed "not found" message to rndc
+ commands which specify a zone name. [RT #35059]
+
+ 3682. [bug] Correct the behavior of rndc retransfer to allow
+ inline-signing slave zones to retain NSEC3 parameters
+ instead of reverting to NSEC. [RT #34745]
+
+ 3681. [port] Update the Windows build system to support feature
+ selection and WIN64 builds. This is a work in
+ progress. [RT #34160]
+
+ 3680. [bug] Ensure buffer space is available in "rndc zonestatus".
+ [RT #35084]
+
+ 3679. [bug] dig could fail to clean up TCP sockets still
+ waiting on connect(). [RT #35074]
+
+ 3678. [port] Update config.guess and config.sub. [RT #35060]
+
+ 3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple
+ times. [RT #35073]
+
+ 3676. [bug] "named-checkconf -z" now checks zones of type
+ hint and redirect as well as master. [RT #35046]
+
+ 3675. [misc] Provide a place for third parties to add version
+ information for their extensions in the version
+ file by setting the EXTENSIONS variable.
+
+ --- 9.10.0a1 released ---
+
+ 3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
+
+ 3673. [func] New "in-view" zone option allows direct sharing
+ of zones between views. [RT #32968]
+
+ 3672. [func] Local address can now be specified when using
+ dns_client API. [RT #34811]
+
+ 3671. [bug] Don't allow dnssec-importkey overwrite a existing
+ non-imported private key.
+
+ 3670. [bug] Address read after free in server side of
+ lwres_getrrsetbyname. [RT #29075]
+
+ 3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001]
+
+ 3668. [bug] Fix cast in lex.c which could see 0xff treated as eof.
+ [RT #34993]
+
+ 3667. [test] dig: add support to keep the TCP socket open between
+ successive queries (+[no]keepopen). [RT #34918]
+
+ 3666. [func] Add a tool, named-rrchecker, for checking the syntax
+ of individual resource records. This tool is intended
+ to be called by provisioning systems so that the front
+ end does not need to be upgraded to support new DNS
+ record types. [RT #34778]
+
+ 3665. [bug] Failure to release lock on error in receive_secure_db.
+ [RT #34944]
+
+ 3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
+ locking and other bugs. [RT #34855]
+
+ 3663. [bug] Address bugs in dns_rdata_fromstruct and
+ dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
+
+ 3662. [bug] 'host' could die if a UDP query timed out. [RT #34870]
+
+ 3661. [bug] Address lock order reversal deadlock with inline zones.
+ [RT #34856]
+
+ 3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
+ [RT #23825]
+
+ 3659. [port] solaris: don't add explicit dependencies/rules for
+ python programs as make won't use the implicit rules.
+ [RT #34835]
+
+ 3658. [port] linux: Address platform specific compilation issue
+ when libcap-devel is installed. [RT #34838]
+
+ 3657. [port] Some readline clones don't accept NULL pointers when
+ calling add_history. [RT #34842]
+
+ 3656. [security] Treat an all zero netmask as invalid when generating
+ the localnets acl. (The prior behavior could
+ allow unexpected matches when using some versions
+ of Winsock: CVE-2013-6320.) [RT #34687]
+
+ 3655. [cleanup] Simplify TCP message processing when requesting a
+ zone transfer. [RT #34825]
+
+ 3654. [bug] Address race condition with manual notify requests.
+ [RT #34806]
+
+ 3653. [func] Create delegations for all "children" of empty zones
+ except "forward first". [RT #34826]
+
+ 3652. [bug] Address bug with rpz-drop policy. [RT #34816]
+
+ 3651. [tuning] Adjust when a master server is deemed unreachable.
+ [RT #27075]
+
+ 3650. [tuning] Use separate rate limiting queues for refresh and
+ notify requests. [RT #30589]
+
+ 3649. [cleanup] Include a comment in .nzf files, giving the name of
+ the associated view. [RT #34765]
+
+ 3648. [test] Updated the ATF test framework to version 0.17.
+ [RT #25627]
+
+ 3647. [bug] Address a race condition when shutting down a zone.
+ [RT #34750]
+
+ 3646. [bug] Journal filename string could be set incorrectly,
+ causing garbage in log messages. [RT #34738]
+
+ 3645. [protocol] Use case sensitive compression when responding to
+ queries. [RT #34737]
+
+ 3644. [protocol] Check that EDNS subnet client options are well formed.
+ [RT #34718]
+
+ 3643. [doc] Clarify RRL "slip" documentation.
+
+ 3642. [func] Allow externally generated DNSKEY to be imported
+ into the DNSKEY management framework. A new tool
+ dnssec-importkey is used to do this. [RT #34698]
+
+ 3641. [bug] Handle changes to sig-validity-interval settings
+ better. [RT #34625]
+
+ 3640. [bug] ndots was not being checked when searching. Only
+ continue searching on NXDOMAIN responses. Add the
+ ability to specify ndots to nslookup. [RT #34711]
+
+ 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used
+ in a key zone. [RT #34238]
+
+ 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is
+ encountered. [RT #34668]
+
+ 3637. [bug] 'allow-query-on' was checking the source address
+ rather than the destination address. [RT #34590]
+
+ 3636. [bug] Automatic empty zones now behave better with
+ forward only "zones" beneath them. [RT #34583]
+
+ 3635. [bug] Signatures were not being removed from a zone with
+ only KSK keys for a algorithm. [RT #34439]
+
+ 3634. [func] Report build-id in rndc status. Report build-id
+ when building from a git repository. [RT #20422]
+
+ 3633. [cleanup] Refactor OPT processing in named to make it easier
+ to support new EDNS options. [RT #34414]
+
+ 3632. [bug] Signature from newly inactive keys were not being
+ removed. [RT #32178]
+
+ 3631. [bug] Remove spurious warning about missing signatures when
+ qtype is SIG. [RT #34600]
+
+ 3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
+
+ 3629. [func] Allow the printing of cryptographic fields in DNSSEC
+ records by dig to be suppressed (dig +nocrypto).
+ [RT #34534]
+
+ 3628. [func] Report DNSKEY key id's when dumping the cache.
+ [RT #34533]
+
+ 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
+
+ 3626. [func] dig: NSID output now easier to read. [RT #21160]
+
+ 3625. [bug] Don't send notify messages to machines outside of the
+ test setup.
+
+ 3624. [bug] Look for 'json_object_new_int64' when looking for a
+ the json library. [RT #34449]
+
+ 3623. [placeholder]
+
+ 3622. [tuning] Eliminate an unnecessary lock when incrementing
+ cache statistics. [RT #34339]
+
+ 3621. [security] Incorrect bounds checking on private type 'keydata'
+ can lead to a remotely triggerable REQUIRE failure
+ (CVE-2013-4854). [RT #34238]
+
+ 3620. [func] Added "rpz-client-ip" policy triggers, enabling
+ RPZ responses to be configured on the basis of
+ the client IP address; this can be used, for
+ example, to blacklist misbehaving recursive
+ or stub resolvers. [RT #33605]
+
+ 3619. [bug] Fixed a bug in RPZ with "recursive-only no;"
+ [RT #33776]
+
+ 3618. [func] "rndc reload" now checks modification times of
+ include files as well as master files to determine
+ whether to skip reloading a zone. [RT #33936]
+
+ 3617. [bug] Named was failing to answer queries during
+ "rndc reload" [RT #34098]
+
+ 3616. [bug] Change #3613 was incomplete. [RT #34177]
+
+ 3615. [cleanup] "configure" now finishes by printing a summary
+ of optional BIND features and whether they are
+ active or inactive. ("configure --enable-full-report"
+ increases the verbosity of the summary.) [RT #31777]
+
+ 3614. [port] Check for <linux/types.h>. [RT #34162]
+
+ 3613. [bug] named could crash when deleting inline-signing
+ zones with "rndc delzone". [RT #34066]
+
+ 3612. [port] Check whether to use -ljson or -ljson-c. [RT #34115]
+
+ 3611. [bug] Improved resistance to a theoretical authentication
+ attack based on differential timing. [RT #33939]
+
+ 3610. [cleanup] win32: Some executables had been omitted from the
+ installer. [RT #34116]
+
+ 3609. [bug] Corrected a possible deadlock in applications using
+ the export version of the isc_app API. [RT #33967]
+
+ 3608. [port] win32: added todos.pl script to ensure all text files
+ the win32 build depends on are converted to DOS
+ newline format. [RT #22067]
+
+ 3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
+ message. [RT #34045]
+
+ 3606. [func] "rndc flushtree" now flushes matching
+ records in the address database and bad cache
+ as well as the DNS cache. (Previously only the
+ DNS cache was flushed.) [RT #33970]
+
+ 3605. [port] win32: Addressed several compatibility issues
+ with newer versions of Visual Studio. [RT #33916]
+
+ 3604. [bug] Fixed a compile-time error when building with
+ JSON but not XML. [RT #33959]
+
+ 3603. [bug] Install <isc/stat.h>. [RT #33956]
+
+ 3602. [contrib] Added DLZ Perl module, allowing Perl scripts to
+ integrate with named and serve DNS data.
+ (Contributed by John Eaglesham of Yahoo.)
+
+ 3601. [bug] Added to PKCS#11 openssl patches a value len
+ attribute in DH derive key. [RT #33928]
+
+ 3600. [cleanup] dig: Fixed a typo in the warning output when receiving
+ an oversized response. [RT #33910]
+
+ 3599. [tuning] Check for pointer equivalence in name comparisons.
+ [RT #18125]
+
+ 3598. [cleanup] Improved portability of map file code. [RT #33820]
+
+ 3597. [bug] Ensure automatic-resigning heaps are reconstructed
+ when loading zones in map format. [RT #33381]
+
+ 3596. [port] Updated win32 build documentation, added
+ dnssec-verify. [RT #22067]
+
+ 3595. [port] win32: Fix build problems introduced by change #3550.
+ [RT #33807]
+
+ 3594. [maint] Update config.guess and config.sub. [RT #33816]
+
+ 3593. [func] Update EDNS processing to better track remote server
+ capabilities. [RT #30655]
+
+ 3592. [doc] Moved documentation of rndc command options to the
+ rndc man page. [RT #33506]
+
+ 3591. [func] Use CRC-64 to detect map file corruption at load
+ time. [RT #33746]
+
+ 3590. [bug] When using RRL on recursive servers, defer
+ rate-limiting until after recursion is complete;
+ also, use correct rcode for slipped NXDOMAIN
+ responses. [RT #33604]
+
+ 3589. [func] Report serial numbers in when starting zone transfers.
+ Report accepted NOTIFY requests including serial.
+ [RT #33037]
+
+ 3588. [bug] dig: addressed a memory leak in the sigchase code
+ that could cause a shutdown crash. [RT #33733]
+
+ 3587. [func] 'named -g' now checks the logging configuration but
+ does not use it. [RT #33473]
+
+ 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
+
+ 3585. [func] "rndc delzone -clean" option removes zone files
+ when deleting a zone. [RT #33570]
+
+ 3584. [security] Caching data from an incompletely signed zone could
+ trigger an assertion failure in resolver.c
+ (CVE-2013-3919). [RT #33690]
+
+ 3583. [bug] Address memory leak in GSS-API processing [RT #33574]
+
+ 3582. [bug] Silence false positive warning regarding missing file
+ directive for inline slave zones. [RT #33662]
+
+ 3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]
+
+ 3580. [bug] Addressed a possible race in acache.c [RT #33602]
+
+ 3579. [maint] Updates to PKCS#11 openssl patches, supporting
+ versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
+
+ 3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
+ [RT #33571]
+
+ 3577. [bug] Handle zero TTL values better. [RT #33411]
+
+ 3576. [bug] Address a shutdown race when validating. [RT #33573]
+
+ 3575. [func] Changed the logging category for RRL events from
+ 'queries' to 'query-errors'. [RT #33540]
+
+ 3574. [doc] The 'hostname' keyword was missing from server-id
+ description in the named.conf man page. [RT #33476]
+
+ 3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
+ zone names containing punctuation marks and other
+ nonstandard characters. [RT #33419]
+
+ 3572. [func] Threads are now enabled by default on most
+ operating systems. [RT #25483]
+
+ 3571. [bug] Address race condition in dns_client_startresolve().
+ [RT #33234]
+
+ 3570. [bug] Check internal pointers are valid when loading map
+ files. [RT #33403]
+
+ 3569. [contrib] Ported mysql DLZ driver to dynamically-loadable
+ module, and added multithread support. [RT #33394]
+
+ 3568. [cleanup] Add a product description line to the version file,
+ to be reported by named -v/-V. [RT #33366]
+
+ 3567. [bug] Silence clang static analyzer warnings. [RT #33365]
+
+ 3566. [func] Log when forwarding updates to master. [RT #33240]
+
+ 3565. [placeholder]
+
+ 3564. [bug] Improved handling of corrupted map files. [RT #33380]
+
+ 3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
+
+ 3562. [func] Update map file header format to include a SHA-1 hash
+ of the database content, so that corrupted map files
+ can be rejected at load time. [RT #32459]
+
+ 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
+ or NOTIMP. Adjust usage message. [RT #33363]
+
+ 3560. [bug] isc-config.sh did not honor includedir and libdir
+ when set via configure. [RT #33345]
+
+ 3559. [func] Check that both forms of Sender Policy Framework
+ records exist or do not exist. [RT #33355]
+
+ 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
+
+ 3557. [bug] Reloading redirect zones was broken. [RT #33292]
+
+ 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
+
+ 3555. [bug] Address theoretical race conditions in acache.c
+ (change #3553 was incomplete). [RT #33252]
+
+ 3554. [bug] RRL failed to correctly rate-limit upward
+ referrals and failed to count dropped error
+ responses in the statistics. [RT #33225]
+
+ 3553. [bug] Address suspected double free in acache. [RT #33252]
+
+ 3552. [bug] Wrong getopt option string for 'nsupdate -r'.
+ [RT #33280]
+
+ 3551. [bug] resolver.querydscp[46] were uninitialized. [RT #32686]
+
+ 3550. [func] Unified the internal and export versions of the
+ BIND libraries, allowing external clients to use
+ the same libraries as BIND. [RT #33131]
+
+ 3549. [doc] Documentation for "request-nsid" was missing.
+ [RT #33153]
+
+ 3548. [bug] The NSID request code in resolver.c was broken
+ resulting in invalid EDNS options being sent.
+ [RT #33153]
+
+ 3547. [bug] Some malformed unknown rdata records were not properly
+ detected and rejected. [RT #33129]
+
+ 3546. [func] Add EUI48 and EUI64 types. [RT #33082]
+
+ 3545. [bug] RRL slip behavior was incorrect when set to 1.
+ [RT #33111]
+
+ 3544. [contrib] check5011.pl: Script to report the status of
+ managed keys as recorded in managed-keys.bind.
+ Contributed by Tony Finch <dot@dotat.at>
+
+ 3543. [bug] Update socket structure before attaching to socket
+ manager after accept. [RT #33084]
+
+ 3542. [placeholder]
+
+ 3541. [bug] Parts of libdns were not properly initialized when
+ built in libexport mode. [RT #33028]
+
+ 3540. [test] libt_api: t_info and t_assert were not thread safe.
+
+ 3539. [port] win32: timestamp format didn't match other platforms.
+
+ 3538. [test] Running "make test" now requires loopback interfaces
+ to be set up. [RT #32452]
+
+ 3537. [tuning] Slave zones, when updated, now send NOTIFY messages
+ to peers before being dumped to disk rather than
+ after. [RT #27242]
+
+ 3536. [func] Add support for setting Differentiated Services Code
+ Point (DSCP) values in named. Most configuration
+ options which take a "port" option (e.g.,
+ listen-on, forwarders, also-notify, masters,
+ notify-source, etc) can now also take a "dscp"
+ option specifying a code point for use with
+ outgoing traffic, if supported by the underlying
+ OS. [RT #27596]
+
+ 3535. [bug] Minor win32 cleanups. [RT #32962]
+
+ 3534. [bug] Extra text after an embedded NULL was ignored when
+ parsing zone files. [RT #32699]
+
+ 3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
+
+ 3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
+
+ 3531. [bug] win32: A uninitialized value could be returned on out
+ of memory. [RT #32960]
+
+ 3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
+
+ 3529. [func] Named now listens on both IPv4 and IPv6 interfaces
+ by default. Named previously only listened on IPv4
+ interfaces by default unless named was running in
+ IPv6 only mode. [RT #32945]
+
+ 3528. [func] New "dnssec-coverage" command scans the timing
+ metadata for a set of DNSSEC keys and reports if a
+ lapse in signing coverage has been scheduled
+ inadvertently. (Note: This tool depends on python;
+ it will not be built or installed on systems that
+ do not have a python interpreter.) [RT #28098]
+
+ 3527. [compat] Add a URI to allow applications to explicitly
+ request a particular XML schema from the statistics
+ channel, returning 404 if not supported. [RT #32481]
+
+ 3526. [cleanup] Set up dependencies for unit tests correctly during
+ build. [RT #32803]
+
+ 3525. [func] Support for additional signing algorithms in rndc:
+ hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
+ The -A option to rndc-confgen can be used to
+ select the algorithm for the generated key.
+ (The default is still hmac-md5; this may
+ change in a future release.) [RT #20363]
+
+ 3524. [func] Added an alternate statistics channel in JSON format,
+ when the server is built with the json-c library:
+ http://[address]:[port]/json. [RT #32630]
+
+ 3523. [contrib] Ported filesystem and ldap DLZ drivers to
+ dynamically-loadable modules, and added the
+ "wildcard" module based on a contribution from
+ Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
+
+ 3522. [bug] DLZ lookups could fail to return SERVFAIL when
+ they ought to. [RT #32685]
+
+ 3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
+
+ 3520. [bug] 'mctx' was not being referenced counted in some places
+ where it should have been. [RT #32794]
+
+ 3519. [func] Full replay protection via four-way handshake is
+ now mandatory for rndc clients. Very old versions
+ of rndc will no longer work. [RT #32798]
+
+ 3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
+ so that all dns_rrl_rtype_t enum values fit regardless
+ of whether it is treated as signed or unsigned by
+ the compiler. [RT #32792]
+
+ 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
+
+ 3516. [placeholder]
+
+ 3515. [port] '%T' is not portable in strftime(). [RT #32763]
+
+ 3514. [bug] The ranges for valid key sizes in ddns-confgen and
+ rndc-confgen were too constrained. Keys up to 512
+ bits are now allowed for most algorithms, and up
+ to 1024 bits for hmac-sha384 and hmac-sha512.
+ [RT #32753]
+
+ 3513. [func] "dig -u" prints times in microseconds rather than
+ milliseconds. [RT #32704]
+
+ 3512. [func] "rndc validation check" reports the current status
+ of DNSSEC validation. [RT #21397]
+
+ 3511. [doc] Improve documentation of redirect zones. [RT #32756]
+
+ 3510. [func] "rndc status" and XML statistics channel now report
+ server start and reconfiguration times. [RT #21048]
+
+ 3509. [cleanup] Added a product line to version file to allow for
+ easy naming of different products (BIND
+ vs BIND ESV, for example). [RT #32755]
+
+ 3508. [contrib] queryperf was incorrectly rejecting the -T option.
+ [RT #32338]
+
+ 3507. [bug] Statistics channel XSL had a glitch when attempting
+ to chart query data before any queries had been
+ received. [RT #32620]
+
+ 3506. [func] When setting "max-cache-size" and "max-acache-size",
+ the keyword "unlimited" is no longer defined as equal
+ to 4 gigabytes (except on 32-bit platforms); it
+ means literally unlimited. [RT #32358]
+
+ 3505. [bug] When setting "max-cache-size" and "max-acache-size",
+ larger values than 4 gigabytes could not be set
+ explicitly, though larger sizes were available
+ when setting cache size to 0. This has been
+ corrected; the full range is now available.
+ [RT #32358]
+
+ 3504. [func] Add support for ACLs based on geographic location,
+ using MaxMind GeoIP databases. Based on code
+ contributed by Ken Brownfield <kb@slide.com>.
+ [RT #30681]
+
+ 3503. [doc] Clarify size_spec syntax. [RT #32449]
+
+ 3502. [func] zone-statistics: "no" is now a synonym for "none",
+ instead of "terse". [RT #29165]
+
+ 3501. [func] zone-statistics now takes three options: full,
+ terse, and none. "yes" and "no" are retained as
+ synonyms for full and terse, respectively. [RT #29165]
+
+ 3500. [security] Support NAPTR regular expression validation on
+ all platforms without using libregex, which
+ can be vulnerable to memory exhaustion attack
+ (CVE-2013-2266). [RT #32688]
+
+ 3499. [doc] Corrected ARM documentation of built-in zones.
+ [RT #32694]
+
+ 3498. [bug] zone statistics for zones which matched a potential
+ empty zone could have their zone-statistics setting
+ overridden.
+
+ 3497. [func] When deleting a slave/stub zone using 'rndc delzone'
+ report the files that were being used so they can
+ be cleaned up if desired. [RT #27899]
+
+ 3496. [placeholder]
+
+ 3495. [func] Support multiple response-policy zones (up to 32),
+ while improving RPZ performance. "response-policy"
+ syntax now includes a "min-ns-dots" clause, with
+ default 1, to exclude top-level domains from
+ NSIP and NSDNAME checking. --enable-rpz-nsip and
+ --enable-rpz-nsdname are now the default. [RT #32251]
+
+ 3494. [func] DNS RRL: Blunt the impact of DNS reflection and
+ amplification attacks by rate-limiting substantially-
+ identical responses. [RT #28130]
+
+ 3493. [contrib] Added BDBHPT dynamically-loadable DLZ module,
+ contributed by Mark Goldfinch. [RT #32549]
+
+ 3492. [bug] Fixed a regression in zone loading performance
+ due to lock contention. [RT #30399]
+
+ 3491. [bug] Slave zones using inline-signing must specify a
+ file name. [RT #31946]
+
+ 3490. [bug] When logging RDATA during update, truncate if it's
+ too long. [RT #32365]
+
+ 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
+ dns_dlzcreate() failed to properly initialize
+ dlzdb.link. When cloning a rdataset do not copy
+ the link contents. [RT #32651]
+
+ 3488. [bug] Use after free error with DH generated keys. [RT #32649]
+
+ 3487. [bug] Change 3444 was not complete. There was a additional
+ place where the NOQNAME proof needed to be saved.
+ [RT #32629]
+
+ 3486. [bug] named could crash when using TKEY-negotiated keys
+ that had been deleted and then recreated. [RT #32506]
+
+ 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
+
+ 3484. [bug] Some statistics were incorrectly rendered in XML.
+ [RT #32587]
+
+ 3483. [placeholder]
+
+ 3482. [func] dig +nssearch now prints name servers that don't
+ have address records (missing AAAA or A, or the name
+ doesn't exist). [RT #29348]
+
+ 3481. [cleanup] Removed use of const const in atf.
+
+ 3480. [bug] Silence logging noise when setting up zone
+ statistics. [RT #32525]
+
+ 3479. [bug] Address potential memory leaks in gssapi support
+ code. [RT #32405]
+
+ 3478. [port] Fix a build failure in strict C99 environments
+ [RT #32475]
+
+ 3477. [func] Expand logging when adding records via DDNS update
+ [RT #32365]
+
+ 3476. [bug] "rndc zonestatus" could report a spurious "not
+ found" error on inline-signing zones. [RT #29226]
+
+ 3475. [cleanup] Changed name of 'map' zone file format (previously
+ 'fast'). [RT #32458]
+
+ 3474. [bug] nsupdate could assert when the local and remote
+ address families didn't match. [RT #22897]
+
+ 3473. [bug] dnssec-signzone/verify could incorrectly report
+ an error condition due to an empty node above an
+ opt-out delegation lacking an NSEC3. [RT #32072]
+
+ 3472. [bug] The active-connections counter in the socket
+ statistics could underflow. [RT #31747]
+
+ 3471. [bug] The number of UDP dispatches now defaults to
+ the number of CPUs even if -n has been set to
+ a higher value. [RT #30964]
+
+ 3470. [bug] Slave zones could fail to dump when successfully
+ refreshing after an initial failure. [RT #31276]
+
+ 3469. [bug] Handle DLZ lookup failures more gracefully. Improve
+ backward compatibility between versions of DLZ dlopen
+ API. [RT #32275]
+
+ 3468. [security] RPZ rules to generate A records (but not AAAA records)
+ could trigger an assertion failure when used in
+ conjunction with DNS64 (CVE-2012-5689). [RT #32141]
+
+ 3467. [bug] Added checks in dnssec-keygen and dnssec-settime
+ to check for delete date < inactive date. [RT #31719]
+
+ 3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
+ in DLZ example driver. [RT #32275]
+
+ 3465. [bug] Handle isolated reserved ports. [RT #31778]
+
+ 3464. [maint] Updates to PKCS#11 openssl patches, supporting
+ versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
+
+ 3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
+
+ 3462. [doc] Clarify server selection behavior of dig when using
+ -4 or -6 options. [RT #32181]
+
+ 3461. [bug] Negative responses could incorrectly have AD=1
+ set. [RT #32237]
+
+ 3460. [bug] Only link against readline where needed. [RT #29810]
+
+ 3459. [func] Added -J option to named-checkzone/named-compilezone
+ to specify the path to the journal file. [RT #30958]
+
+ 3458. [bug] Return FORMERR when presented with a overly long
+ domain named in a request. [RT #29682]
+
+ 3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
+
+ 3456. [port] g++47: ATF failed to compile. [RT #32012]
+
+ 3455. [contrib] queryperf: fix getopt option list. [RT #32338]
+
+ 3454. [port] sparc64: improve atomic support. [RT #25182]
+
+ 3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
+ failed. [RT #31960]
+
+ 3452. [bug] Accept duplicate singleton records. [RT #32329]
+
+ 3451. [port] Increase per thread stack size from 64K to 1M.
+ [RT #32230]
+
+ 3450. [bug] Stop logfileconfig system test spam system logs.
+ [RT #32315]
+
+ 3449. [bug] gen.c: use the pre-processor to construct format
+ strings so that compiler can perform sanity checks;
+ check the snprintf results. [RT #17576]
+
+ 3448. [bug] The allow-query-on ACL was not processed correctly.
+ [RT #29486]
+
+ 3447. [port] Add support for libxml2-2.9.x [RT #32231]
+
+ 3446. [port] win32: Add source ID (see change #3400) to build.
+ [RT #31683]
+
+ 3445. [bug] Warn about zone files with blank owner names
+ immediately after $ORIGIN directives. [RT #31848]
+
+ 3444. [bug] The NOQNAME proof was not being returned from cached
+ insecure responses. [RT #21409]
+
+ 3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
+ rejected when generating keys. [RT #31927]
+
+ 3442. [port] Net::DNS 0.69 introduced a non backwards compatible
+ change. [RT #32216]
+
+ 3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
+
+ 3440. [bug] Reorder get_key_struct to not trigger a assertion when
+ cleaning up due to out of memory error. [RT #32131]
+
+ 3439. [placeholder]
+
+ 3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
+
+ 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
+ buffers with constant data. [RT #32064]
+
+ 3436. [bug] Check malloc/calloc return values. [RT #32088]
+
+ 3435. [bug] Cross compilation support in configure was broken.
+ [RT #32078]
+
+ 3434. [bug] Pass client info to the DLZ findzone() entry
+ point in addition to lookup(). This makes it
+ possible for a database to answer differently
+ whether it's authoritative for a name depending
+ on the address of the client. [RT #31775]
+
+ 3433. [bug] dlz_findzone() did not correctly handle
+ ISC_R_NOMORE. [RT #31172]
+
+ 3432. [func] Multiple DLZ databases can now be configured.
+ DLZ databases are searched in the order configured,
+ unless set to "search no", in which case a
+ zone can be configured to be retrieved from a
+ particular DLZ database by using a "dlz <name>"
+ option in the zone statement. DLZ databases can
+ support type "master" and "redirect" zones.
+ [RT #27597]
+
+ 3431. [bug] ddns-confgen: Some valid key algorithms were
+ not accepted. [RT #31927]
+
+ 3430. [bug] win32: isc_time_formatISO8601 was missing the
+ 'T' between the date and time. [RT #32044]
+
+ 3429. [bug] dns_zone_getserial2 could a return success without
+ returning a valid serial. [RT #32007]
+
+ 3428. [cleanup] dig: Add timezone to date output. [RT #2269]
+
+ 3427. [bug] dig +trace incorrectly displayed name server
+ addresses instead of names. [RT #31641]
+
+ 3426. [bug] dnssec-checkds: Clearer output when records are not
+ found. [RT #31968]
+
+ 3425. [bug] "acacheentry" reference counting was broken resulting
+ in use after free. [RT #31908]
+
+ 3424. [func] dnssec-dsfromkey now emits the hash without spaces.
+ [RT #31951]
+
+ 3423. [bug] "rndc signing -nsec3param" didn't accept the full
+ range of possible values. Address portability issues.
+ [RT #31938]
+
+ 3422. [bug] Added a clear error message for when the SOA does not
+ match the referral. [RT #31281]
+
+ 3421. [bug] Named loops when re-signing if all keys are offline.
+ [RT #31916]
+
+ 3420. [bug] Address VPATH compilation issues. [RT #31879]
+
+ 3419. [bug] Memory leak on validation cancel. [RT #31869]
+
+ 3418. [func] New XML schema (version 3.0) for the statistics channel
+ adds query type statistics at the zone level, and
+ flattens the XML tree and uses compressed format to
+ optimize parsing. Includes new XSL that permits
+ charting via the Google Charts API on browsers that
+ support javascript in XSL. The old XML schema has been
+ deprecated. [RT #30023]
+
+ 3417. [placeholder]
+
+ 3416. [bug] Named could die on shutdown if running with 128 UDP
+ dispatches per interface. [RT #31743]
+
+ 3415. [bug] named could die with a REQUIRE failure if a validation
+ was canceled. [RT #31804]
+
+ 3414. [bug] Address locking issues found by Coverity. [RT #31626]
+
+ 3413. [func] Record the number of DNS64 AAAA RRsets that have been
+ synthesized. [RT #27636]
+
+ 3412. [bug] Copy timeval structure from control message data.
+ [RT #31548]
+
+ 3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
+ to UDP. [RT #31690]
+
+ 3410. [bug] Addressed Coverity warnings. [RT #31626]
+
+ 3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
+ from X.509 certificates, for use with DANE
+ (DNS-based Authentication of Named Entities).
+ [RT #30513]
+
+ 3408. [bug] Some DNSSEC-related options (update-check-ksk,
+ dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
+ are now legal in slave zones as long as
+ inline-signing is in use. [RT #31078]
+
+ 3407. [placeholder]
+
+ 3406. [bug] mem.c: Fix compilation errors when building with
+ ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
+ Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
+
+ 3405. [bug] Handle time going backwards in acache. [RT #31253]
+
+ 3404. [bug] dnssec-signzone: When re-signing a zone, remove
+ RRSIG and NSEC records from nodes that used to be
+ in-zone but are now below a zone cut. [RT #31556]
+
+ 3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
+
+ 3402. [test] The IPv6 interface numbers used for system
+ tests were incorrect on some platforms. [RT #25085]
+
+ 3401. [bug] Addressed Coverity warnings. [RT #31484]
+
+ 3400. [cleanup] "named -V" can now report a source ID string, defined
+ in the "srcid" file in the build tree and normally set
+ to the most recent git hash. [RT #31494]
+
+ 3399. [port] netbsd: rename 'bool' parameter to avoid namespace
+ clash. [RT #31515]
+
+ 3398. [bug] SOA parameters were not being updated with inline
+ signed zones if the zone was modified while the
+ server was offline. [RT #29272]
+
+ 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
+
+ 3396. [bug] OPT records were incorrectly removed from signed,
+ truncated responses. [RT #31439]
+
+ 3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
+ list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
+ [RT #31336]
+
+ 3394. [bug] Adjust 'successfully validated after lower casing
+ signer' log level and category. [RT #31414]
+
+ 3393. [bug] 'host -C' could core dump if REFUSED was received.
+ [RT #31381]
+
+ 3392. [func] Keep statistics on REFUSED responses. [RT #31412]
+
+ 3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
+ [RT #31262]
+
+ 3390. [bug] Silence clang compiler warnings. [RT #30417]
+
+ 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
+
+ 3388. [bug] Fixed several Coverity warnings.
+ Note: This change includes a fix for a bug that
+ was subsequently determined to be an exploitable
+ security vulnerability, CVE-2012-5688: named could
+ die on specific queries with dns64 enabled.
+ [RT #30996]
+
+ 3387. [func] DS digest can be disabled at runtime with
+ disable-ds-digests. [RT #21581]
+
+ 3386. [bug] Address locking violation when generating new NSEC /
+ NSEC3 chains. [RT #31224]
+
+ 3385. [bug] named-checkconf didn't detect missing master lists
+ in also-notify clauses. [RT #30810]
+
+ 3384. [bug] Improved logging of crypto errors. [RT #30963]
+
+ 3383. [security] A certain combination of records in the RBT could
+ cause named to hang while populating the additional
+ section of a response. [RT #31090]
+
+ 3382. [bug] SOA query from slave used use-v6-udp-ports range,
+ if set, regardless of the address family in use.
+ [RT #24173]
+
+ 3381. [contrib] Update queryperf to support more RR types.
+ [RT #30762]
+
+ 3380. [bug] named could die if a nonexistent master list was
+ referenced in a also-notify. [RT #31004]
+
+ 3379. [bug] isc_interval_zero and isc_time_epoch should be
+ "const (type)* const". [RT #31069]
+
+ 3378. [bug] Handle missing 'managed-keys-directory' better.
+ [RT #30625]
+
+ 3377. [bug] Removed spurious newline from NSEC3 multiline
+ output. [RT #31044]
+
+ 3376. [bug] Lack of EDNS support was being recorded without a
+ successful response. [RT #30811]
+
+ 3375. [bug] 'rndc dumpdb' failed on empty caches. [RT #30808]
+
+ 3374. [bug] isc_parse_uint32 failed to return a range error on
+ systems with 64 bit longs. [RT #30232]
+
+ 3373. [bug] win32: open raw files in binary mode. [RT #30944]
+
+ 3372. [bug] Silence spurious "deleted from unreachable cache"
+ messages. [RT #30501]
+
+ 3371. [bug] AD=1 should behave like DO=1 when deciding whether to
+ add NS RRsets to the additional section or not.
+ [RT #30479]
+
+ 3370. [bug] Address use after free while shutting down. [RT #30241]
+
+ 3369. [bug] nsupdate terminated unexpectedly in interactive mode
+ if built with readline support. [RT #29550]
+
+ 3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
+ were not C++ safe.
+
+ 3367. [bug] dns_dnsseckey_create() result was not being checked.
+ [RT #30685]
+
+ 3366. [bug] Fixed Read-After-Write dependency violation for IA64
+ atomic operations. [RT #25181]
+
+ 3365. [bug] Removed spurious newlines from log messages in
+ zone.c [RT #30675]
+
+ 3364. [security] Named could die on specially crafted record.
+ [RT #30416]
+
+ 3363. [bug] Need to allow "forward" and "fowarders" options
+ in static-stub zones; this had been overlooked.
+ [RT #30482]
+
+ 3362. [bug] Setting some option values to 0 in named.conf
+ could trigger an assertion failure on startup.
+ [RT #27730]
+
+ 3361. [bug] "rndc signing -nsec3param" didn't work correctly
+ when salt was set to '-' (no salt). [RT #30099]
+
+ 3360. [bug] 'host -w' could die. [RT #18723]
+
+ 3359. [bug] An improperly-formed TSIG secret could cause a
+ memory leak. [RT #30607]
+
+ 3358. [placeholder]
+
+ 3357. [port] Add support for libxml2-2.8.x [RT #30440]
+
+ 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
+ approaching their expiry, so they don't remain
+ in caches after expiry. [RT #26429]
+
+ 3355. [port] Use more portable awk in verify system test.
+
+ 3354. [func] Improve OpenSSL error logging. [RT #29932]
+
+ 3353. [bug] Use a single task for task exclusive operations.
+ [RT #29872]
+
+ 3352. [bug] Ensure that learned server attributes timeout of the
+ adb cache. [RT #29856]
+
+ 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
+ caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
+ memory debugging flags are set. [RT #30243]
+
+ 3350. [bug] Memory read overrun in isc___mem_reallocate if
+ ISC_MEM_DEBUGCTX memory debugging flag is set.
+ [RT #30240]
+
+ 3349. [bug] Change #3345 was incomplete. [RT #30233]
+
+ 3348. [bug] Prevent RRSIG data from being cached if a negative
+ record matching the covering type exists at a higher
+ trust level. Such data already can't be retrieved from
+ the cache since change 3218 -- this prevents it
+ being inserted into the cache as well. [RT #26809]
+
+ 3347. [bug] dnssec-settime: Issue a warning when writing a new
+ private key file would cause a change in the
+ permissions of the existing file. [RT #27724]
+
+ 3346. [security] Bad-cache data could be used before it was
+ initialized, causing an assert. [RT #30025]
+
+ 3345. [bug] Addressed race condition when removing the last item
+ or inserting the first item in an ISC_QUEUE.
+ [RT #29539]
+
+ 3344. [func] New "dnssec-checkds" command checks a zone to
+ determine which DS records should be published
+ in the parent zone, or which DLV records should be
+ published in a DLV zone, and queries the DNS to
+ ensure that it exists. (Note: This tool depends
+ on python; it will not be built or installed on
+ systems that do not have a python interpreter.)
+ [RT #28099]
+
+ 3343. [placeholder]
+
+ 3342. [bug] Change #3314 broke saving of stub zones to disk
+ resulting in excessive cpu usage in some cases.
+ [RT #29952]
+
+ 3341. [func] New "dnssec-verify" command checks a signed zone
+ to ensure correctness of signatures and of NSEC/NSEC3
+ chains. [RT #23673]
+
+ 3340. [func] Added new 'map' zone file format, which is an image
+ of a zone database that can be loaded directly into
+ memory via mmap(), allowing much faster zone loading.
+ (Note: Because of pointer sizes and other
+ considerations, this file format is platform-dependent;
+ 'map' zone files cannot always be transferred from one
+ server to another.) [RT #25419]
+
+ 3339. [func] Allow the maximum supported rsa exponent size to be
+ specified: "max-rsa-exponent-size <value>;" [RT #29228]
+
+ 3338. [bug] Address race condition in units tests: asyncload_zone
+ and asyncload_zt. [RT #26100]
+
+ 3337. [bug] Change #3294 broke support for the multiple keys
+ in controls. [RT #29694]
+
+ 3336. [func] Maintain statistics for RRsets tagged as "stale".
+ [RT #29514]
+
+ 3335. [func] nslookup: return a nonzero exit code when unable
+ to get an answer. [RT #29492]
+
+ 3334. [bug] Hold a zone table reference while performing a
+ asynchronous load of a zone. [RT #28326]
+
+ 3333. [bug] Setting resolver-query-timeout too low can cause
+ named to not recover if it loses connectivity.
+ [RT #29623]
+
+ 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
+
+ 3331. [security] dns_rdataslab_fromrdataset could produce bad
+ rdataslabs. [RT #29644]
+
+ 3330. [func] Fix missing signatures on NOERROR results despite
+ RPZ rewriting. Also
+ - add optional "recursive-only yes|no" to the
+ response-policy statement
+ - add optional "max-policy-ttl" to the response-policy
+ statement to limit the false data that
+ "recursive-only no" can introduce into
+ resolvers' caches
+ - add a RPZ performance test to bin/tests/system/rpz
+ when queryperf is available.
+ - the encoding of PASSTHRU action to "rpz-passthru".
+ (The old encoding is still accepted.)
+ [RT #26172]
+
+
+ 3329. [bug] Handle RRSIG signer-name case consistently: We
+ generate RRSIG records with the signer-name in
+ lower case. We accept them with any case, but if
+ they fail to validate, we try again in lower case.
+ [RT #27451]
+
+ 3328. [bug] Fixed inconsistent data checking in dst_parse.c.
+ [RT #29401]
+
+ 3327. [func] Added 'filter-aaaa-on-v6' option; this is similar
+ to 'filter-aaaa-on-v4' but applies to IPv6
+ connections. (Use "configure --enable-filter-aaaa"
+ to enable this option.) [RT #27308]
+
+ 3326. [func] Added task list statistics: task model, worker
+ threads, quantum, tasks running, tasks ready.
+ [RT #27678]
+
+ 3325. [func] Report cache statistics: memory use, number of
+ nodes, number of hash buckets, hit and miss counts.
+ [RT #27056]
+
+ 3324. [test] Add better tests for ADB stats [RT #27057]
+
+ 3323. [func] Report the number of buckets the resolver is using.
+ [RT #27020]
+
+ 3322. [func] Monitor the number of active TCP and UDP dispatches.
+ [RT #27055]
+
+ 3321. [func] Monitor the number of recursive fetches and the
+ number of open sockets, and report these values in
+ the statistics channel. [RT #27054]
+
+ 3320. [func] Added support for monitoring of recursing client
+ count. [RT #27009]
+
+ 3319. [func] Added support for monitoring of ADB entry count and
+ hash size. [RT #27057]
+
+ 3318. [tuning] Reduce the amount of work performed while holding a
+ bucket lock when finished with a fetch context.
+ [RT #29239]
+
+ 3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
+
+ 3316. [tuning] Improved locking performance when recursing.
+ [RT #28836]
+
+ 3315. [tuning] Use multiple dispatch objects for sending upstream
+ queries; this can improve performance on busy
+ multiprocessor systems by reducing lock contention.
+ [RT #28605]
+
+ 3314. [bug] The masters list could be updated while stub_callback
+ or refresh_callback were using it. [RT #26732]
+
+ 3313. [protocol] Add TLSA record type. [RT #28989]
+
+ 3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
+ [RT #27631]
+
+ 3311. [bug] Abort the zone dump if zone->db is NULL in
+ zone.c:zone_gotwritehandle. [RT #29028]
+
+ 3310. [test] Increase table size for mutex profiling. [RT #28809]
+
+ 3309. [bug] resolver.c:fctx_finddone() was not thread safe.
+ [RT #27995]
+
+ 3308. [placeholder]
+
+ 3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
+ [RT #28956]
+
+ 3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
+
+ 3305. [func] Add wire format lookup method to sdb. [RT #28563]
+
+ 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
+ [RT #28571]
+
+ 3303. [bug] named could die when reloading. [RT #28606]
+
+ 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
+ keys if the zone name contained character that
+ required special mappings. [RT #28600]
+
+ 3301. [contrib] Update queryperf to build on darwin. Add -R flag
+ for non-recursive queries. [RT #28565]
+
+ 3300. [bug] Named could die if gssapi was enabled in named.conf
+ but was not compiled in. [RT #28338]
+
+ 3299. [bug] Make SDB handle errors from database drivers better.
+ [RT #28534]
+
+ 3298. [bug] Named could dereference a NULL pointer in
+ zmgr_start_xfrin_ifquota if the zone was being removed.
+ [RT #28419]
+
+ 3297. [bug] Named could die on a malformed master file. [RT #28467]
+
+ 3296. [bug] Named could die with a INSIST failure in
+ client.c:exit_check. [RT #28346]
+
+ 3295. [bug] Adjust isc_time_secondsastimet range check to be more
+ portable. [RT # 26542]
+
+ 3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
+ error. [RT #28265]
+
+ 3293. [func] nsupdate: list supported type. [RT #28261]
+
+ 3292. [func] Log messages in the axfr stream at debug 10.
+ [RT #28040]
+
+ 3291. [port] Fixed a build error on systems without ENOTSUP.
+ [RT #28200]
+
+ 3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
+
+ 3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]
+
+ 3288. [bug] dlz_destroy() function wasn't correctly registered
+ by the DLZ dlopen driver. [RT #28056]
+
+ 3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
+
+ 3286. [bug] Managed key maintenance timer could fail to start
+ after 'rndc reconfig'. [RT #26786]
+
+ 3285. [bug] val-frdataset was incorrectly disassociated in
+ proveunsecure after calling startfinddlvsep.
+ [RT #27928]
+
+ 3284. [bug] Address race conditions with the handling of
+ rbtnode.deadlink. [RT #27738]
+
+ 3283. [bug] Raw zones with with more than 512 records in a RRset
+ failed to load. [RT #27863]
+
+ 3282. [bug] Restrict the TTL of NS RRset to no more than that
+ of the old NS RRset when replacing it.
+ [RT #27792] [RT #27884]
+
+ 3281. [bug] SOA refresh queries could be treated as cancelled
+ despite succeeding over the loopback interface.
+ [RT #27782]
+
+ 3280. [bug] Potential double free of a rdataset on out of memory
+ with DNS64. [RT #27762]
+
+ 3279. [bug] Hold a internal reference to the zone while performing
+ a asynchronous load. Address potential memory leak
+ if the asynchronous is cancelled. [RT #27750]
+
+ 3278. [bug] Make sure automatic key maintenance is started
+ when "auto-dnssec maintain" is turned on during
+ "rndc reconfig". [RT #26805]
+
+ 3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
+
+ 3276. [bug] win32: ns_os_openfile failed to return NULL on
+ safe_open failure. [RT #27696]
+
+ 3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
+ option had been misspelled as '-clear'. (To avoid
+ future confusion, both options now work.) [RT #27173]
+
+ 3274. [placeholder]
+
+ 3273. [bug] AAAA responses could be returned in the additional
+ section even when filter-aaaa-on-v4 was in use.
+ [RT #27292]
+
+ 3272. [func] New "rndc zonestatus" command prints information
+ about the specified zone. [RT #21671]
+
+ 3271. [port] darwin: mksymtbl is not always stable, loop several
+ times before giving up. mksymtbl was using non
+ portable perl to covert 64 bit hex strings. [RT #27653]
+
+ --- 9.9.0rc2 released ---
+
+ 3270. [bug] "rndc reload" didn't reuse existing zones correctly
+ when inline-signing was in use. [RT #27650]
+
+ 3269. [port] darwin 11 and later now built threaded by default.
+
+ 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
+ out the earliest expiry time. [RT #23311]
+
+ 3267. [bug] Memory allocation failures could be mis-reported as
+ unexpected error. New ISC_R_UNSET result code.
+ [RT #27336]
+
+ 3266. [bug] The maximum number of NSEC3 iterations for a
+ DNSKEY RRset was not being properly computed.
+ [RT #26543]
+
+ 3265. [bug] Corrected a problem with lock ordering in the
+ inline-signing code. [RT #27557]
+
+ 3264. [bug] Automatic regeneration of signatures in an
+ inline-signing zone could stall when the server
+ was restarted. [RT #27344]
+
+ 3263. [bug] "rndc sync" did not affect the unsigned side of an
+ inline-signing zone. [RT #27337]
+
+ 3262. [bug] Signed responses were handled incorrectly by RPZ.
+ [RT #27316]
+
+ 3261. [func] RRset ordering now defaults to random. [RT #27174]
+
+ 3260. [bug] "rrset-order cyclic" could appear not to rotate
+ for some query patterns. [RT #27170/27185]
+
+ --- 9.9.0rc1 released ---
+
+ 3259. [bug] named-compilezone: Suppress "dump zone to <file>"
+ message when writing to stdout. [RT #27109]
+
+ 3258. [test] Add "forcing full sign with unreadable keys" test.
+ [RT #27153]
+
+ 3257. [bug] Do not generate a error message when calling fsync()
+ in a pipe or socket. [RT #27109]
+
+ 3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
+
+ 3255. [func] No longer require that a empty zones be explicitly
+ enabled or that a empty zone is disabled for
+ RFC 1918 empty zones to be configured. [RT #27139]
+
+ 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
+ [RT #22249]
+
+ 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
+ too long. [RT #26956]
+
+ 3252. [bug] When master zones using inline-signing were
+ updated while the server was offline, the source
+ zone could fall out of sync with the signed
+ copy. They can now resynchronize. [RT #26676]
+
+ 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
+ memory dns_sdlz_putrr() can allocate per record to
+ prevent run away memory consumption on ISC_R_NOSPACE.
+ [RT #26956]
+
+ 3250. [func] 'configure --enable-developer'; turn on various
+ configure options, normally off by default, that
+ we want developers to build and test with. [RT #27103]
+
+ 3249. [bug] Update log message when saving slave zones files for
+ analysis after load failures. [RT #27087]
+
+ 3248. [bug] Configure options --enable-fixed-rrset and
+ --enable-exportlib were incompatible with each
+ other. [RT #27087]
+
+ 3247. [bug] 'raw' format zones failed to preserve load order
+ breaking 'fixed' sort order. [RT #27087]
+
+ 3246. [bug] Named failed to start with a empty also-notify list.
+ [RT #27087]
+
+ 3245. [bug] Don't report a error unchanged serials unless there
+ were other changes when thawing a zone with
+ ixfr-fromdifferences. [RT #26845]
+
+ 3244. [func] Added readline support to nslookup and nsupdate.
+ Also simplified nsupdate syntax to make "update"
+ and "prereq" optional. [RT #24659]
+
+ 3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
+ being properly set.
+
+ 3242. [func] Extended the header of raw-format master files to
+ include the serial number of the zone from which
+ they were generated, if different (as in the case
+ of inline-signing zones). This is to be used in
+ inline-signing zones, to track changes between the
+ unsigned and signed versions of the zone, which may
+ have different serial numbers.
+
+ (Note: raw zonefiles generated by this version of
+ BIND are no longer compatible with prior versions.
+ To generate a backward-compatible raw zonefile
+ using dnssec-signzone or named-compilezone, specify
+ output format "raw=0" instead of simply "raw".)
+ [RT #26587]
+
+ 3241. [bug] Address race conditions in the resolver code.
+ [RT #26889]
+
+ 3240. [bug] DNSKEY state change events could be missed. [RT #26874]
+
+ 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
+ timestamp. [RT #26883]
+
+ 3238. [bug] keyrdata was not being reinitialized in
+ lib/dns/rbtdb.c:iszonesecure. [RT #26913]
+
+ 3237. [bug] dig -6 didn't work with +trace. [RT #26906]
+
+ 3236. [bug] Backed out changes #3182 and #3202, related to
+ EDNS(0) fallback behavior. [RT #26416]
+
+ 3235. [func] dns_db_diffx, a extended dns_db_diff which returns
+ the generated diff and optionally writes it to a
+ journal. [RT #26386]
+
+ 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
+
+ 3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
+ [RT #26632]
+
+ 3232. [bug] Zero zone->curmaster before return in
+ dns_zone_setmasterswithkeys(). [RT #26732]
+
+ 3231. [bug] named could fail to send a incompressible zone.
+ [RT #26796]
+
+ 3230. [bug] 'dig axfr' failed to properly handle a multi-message
+ axfr with a serial of 0. [RT #26796]
+
+ 3229. [bug] Fix local variable to struct var assignment
+ found by CLANG warning.
+
+ 3228. [tuning] Dynamically grow symbol table to improve zone
+ loading performance. [RT #26523]
+
+ 3227. [bug] Interim fix to make WKS's use of getprotobyname()
+ and getservbyname() self thread safe. [RT #26232]
+
+ 3226. [bug] Address minor resource leakages. [RT #26624]
+
+ 3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
+ messages. [RT #26507]
+
+ 3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]
+
+ 3223. [bug] 'task_test privilege_drop' generated false positives.
+ [RT #26766]
+
+ 3222. [cleanup] Replace dns_journal_{get,set}_bitws with
+ dns_journal_{get,set}_sourceserial. [RT #26634]
+
+ 3221. [bug] Fixed a potential core dump on shutdown due to
+ referencing fetch context after it's been freed.
+ [RT #26720]
+
+ --- 9.9.0b2 released ---
+
+ 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
+ could fail to set the database version correctly,
+ causing an assertion failure. [RT #26180]
+
+ 3219. [bug] Disable NOEDNS caching following a timeout.
+
+ 3218. [security] Cache lookup could return RRSIG data associated with
+ nonexistent records, leading to an assertion
+ failure. [RT #26590]
+
+ 3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
+
+ 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
+
+ 3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]
+
+ 3214. [func] Add 'named -U' option to set the number of UDP
+ listener threads per interface. [RT #26485]
+
+ 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
+
+ 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
+ list prior to adding a reference to it leading a
+ possible assertion failure. [RT #23219]
+
+ 3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
+ option prints in single-line-per-record format.
+ [RT #20287]
+
+ 3210. [bug] Canceling the oldest query due to recursive-client
+ overload could trigger an assertion failure. [RT #26463]
+
+ 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
+
+ 3208. [bug] 'dig -y' handle unknown tsig algorithm better.
+ [RT #25522]
+
+ 3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
+
+ 3206. [cleanup] Add ISC information to log at start time. [RT #25484]
+
+ 3205. [func] Upgrade dig's defaults to better reflect modern
+ nameserver behavior. Enable "dig +adflag" and
+ "dig +edns=0" by default. Enable "+dnssec" when
+ running "dig +trace". [RT #23497]
+
+ 3204. [bug] When a master server that has been marked as
+ unreachable sends a NOTIFY, mark it reachable
+ again. [RT #25960]
+
+ 3203. [bug] Increase log level to 'info' for validation failures
+ from expired or not-yet-valid RRSIGs. [RT #21796]
+
+ 3202. [bug] NOEDNS caching on timeout was too aggressive.
+ [RT #26416]
+
+ 3201. [func] 'rndc querylog' can now be given an on/off parameter
+ instead of only being used as a toggle. [RT #18351]
+
+ 3200. [doc] Some rndc functions were undocumented or were
+ missing from 'rndc -h' output. [RT #25555]
+
+ 3199. [func] When logging client information, include the name
+ being queried. [RT #25944]
+
+ 3198. [doc] Clarified that dnssec-settime can alter keyfile
+ permissions. [RT #24866]
+
+ 3197. [bug] Don't try to log the filename and line number when
+ the config parser can't open a file. [RT #22263]
+
+ 3196. [bug] nsupdate: return nonzero exit code when target zone
+ doesn't exist. [RT #25783]
+
+ 3195. [cleanup] Silence "file not found" warnings when loading
+ managed-keys zone. [RT #26340]
+
+ 3194. [doc] Updated RFC references in the 'empty-zones-enable'
+ documentation. [RT #25203]
+
+ 3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
+ dnssec.h. [RT #26415]
+
+ 3192. [bug] A query structure could be used after being freed.
+ [RT #22208]
+
+ 3191. [bug] Print NULL records using "unknown" format. [RT #26392]
+
+ 3190. [bug] Underflow in error handling in isc_mutexblock_init.
+ [RT #26397]
+
+ 3189. [test] Added a summary report after system tests. [RT #25517]
+
+ 3188. [bug] zone.c:zone_refreshkeys() could fail to detach
+ references correctly when errors occurred, causing
+ a hang on shutdown. [RT #26372]
+
+ 3187. [port] win32: support for Visual Studio 2008. [RT #26356]
+
+ --- 9.9.0b1 released ---
+
+ 3186. [bug] Version/db mismatch in rpz code. [RT #26180]
+
+ 3185. [func] New 'rndc signing' option for auto-dnssec zones:
+ - 'rndc signing -list' displays the current
+ state of signing operations
+ - 'rndc signing -clear' clears the signing state
+ records for keys that have fully signed the zone
+ - 'rndc signing -nsec3param' sets the NSEC3
+ parameters for the zone
+ The 'rndc keydone' syntax is removed. [RT #23729]
+
+ 3184. [bug] named had excessive cpu usage when a redirect zone was
+ configured. [RT #26013]
+
+ 3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
+
+ 3182. [bug] Auth servers behind firewalls which block packets
+ greater than 512 bytes may cause other servers to
+ perform poorly. Now, adb retains edns information
+ and caches noedns servers. [RT #23392/24964]
+
+ 3181. [func] Inline-signing is now supported for master zones.
+ [RT #26224]
+
+ 3180. [func] Local copies of slave zones are now saved in raw
+ format by default, to improve startup performance.
+ 'masterfile-format text;' can be used to override
+ the default, if desired. [RT #25867]
+
+ 3179. [port] kfreebsd: build issues. [RT #26273]
+
+ 3178. [bug] A race condition introduced by change #3163 could
+ cause an assertion failure on shutdown. [RT #26271]
+
+ 3177. [func] 'rndc keydone', remove the indicator record that
+ named has finished signing the zone with the
+ corresponding key. [RT #26206]
+
+ 3176. [doc] Corrected example code and added a README to the
+ sample external DLZ module in contrib/dlz/example.
+ [RT #26215]
+
+ 3175. [bug] Fix how DNSSEC positive wildcard responses from a
+ NSEC3 signed zone are validated. Stop sending a
+ unnecessary NSEC3 record when generating such
+ responses. [RT #26200]
+
+ 3174. [bug] Always compute to revoked key tag from scratch.
+ [RT #26186]
+
+ 3173. [port] Correctly validate root DS responses. [RT #25726]
+
+ 3172. [port] darwin 10.* and freebsd [89] are now built threaded by
+ default.
+
+ 3171. [bug] Exclusively lock the task when adding a zone using
+ 'rndc addzone'. [RT #25600]
+
+ --- 9.9.0a3 released ---
+
+ 3170. [func] RPZ update:
+ - fix precedence among competing rules
+ - improve ARM text including documenting rule precedence
+ - try to rewrite CNAME chains until first hit
+ - new "rpz" logging channel
+ - RDATA for CNAME rules can include wildcards
+ - replace "NO-OP" named.conf policy override with
+ "PASSTHRU" and add "DISABLED" override ("NO-OP"
+ is still recognized)
+ [RT #25172]
+
+ 3169. [func] Catch db/version mis-matches when calling dns_db_*().
+ [RT #26017]
+
+ 3168. [bug] Nxdomain redirection could trigger an assert with
+ a ANY query. [RT #26017]
+
+ 3167. [bug] Negative answers from forwarders were not being
+ correctly tagged making them appear to not be cached.
+ [RT #25380]
+
+ 3166. [bug] Upgrading a zone to support inline-signing failed.
+ [RT #26014]
+
+ 3165. [bug] dnssec-signzone could generate new signatures when
+ resigning, even when valid signatures were already
+ present. [RT #26025]
+
+ 3164. [func] Enable DLZ modules to retrieve client information,
+ so that responses can be changed depending on the
+ source address of the query. [RT #25768]
+
+ 3163. [bug] Use finer-grained locking in client.c to address
+ concurrency problems with large numbers of threads.
+ [RT #26044]
+
+ 3162. [test] start.pl: modified to allow for "named.args" in
+ ns*/ subdirectory to override stock arguments to
+ named. Largely from RT #26044, but no separate ticket.
+
+ 3161. [bug] zone.c:del_sigs failed to always reset rdata leading
+ assertion failures. [RT #25880]
+
+ 3160. [bug] When printing out a NSEC3 record in multiline form
+ the newline was not being printed causing type codes
+ to be run together. [RT #25873]
+
+ 3159. [bug] On some platforms, named could assert on startup
+ when running in a chrooted environment without
+ /proc. [RT #25863]
+
+ 3158. [bug] Recursive servers would prefer a particular UDP
+ socket instead of using all available sockets.
+ [RT #26038]
+
+ 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
+ the config file before pausing the server. [RT #21373]
+
+ 3156. [placeholder]
+
+ --- 9.9.0a2 released ---
+
+ 3155. [bug] Fixed a build failure when using contrib DLZ
+ drivers (e.g., mysql, postgresql, etc). [RT #25710]
+
+ 3154. [bug] Attempting to print an empty rdataset could trigger
+ an assert. [RT #25452]
+
+ 3153. [func] Extend request-ixfr to zone level and remove the
+ side effect of forcing an AXFR. [RT #25156]
+
+ 3152. [cleanup] Some versions of gcc and clang failed due to
+ incorrect use of __builtin_expect. [RT #25183]
+
+ 3151. [bug] Queries for type RRSIG or SIG could be handled
+ incorrectly. [RT #21050]
+
+ 3150. [func] Improved startup and reconfiguration time by
+ enabling zones to load in multiple threads. [RT #25333]
+
+ 3149. [placeholder]
+
+ 3148. [bug] Processing of normal queries could be stalled when
+ forwarding a UPDATE message. [RT #24711]
+
+ 3147. [func] Initial inline signing support. [RT #23657]
+
+ --- 9.9.0a1 released ---
+
+ 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
+
+ 3145. [test] Capture output of ATF unit tests in "./atf.out" if
+ there were any errors while running them. [RT #25527]
+
+ 3144. [bug] dns_dbiterator_seek() could trigger an assert when
+ used with a nonexistent database node. [RT #25358]
+
+ 3143. [bug] Silence clang compiler warnings. [RT #25174]
+
+ 3142. [bug] NAPTR is class agnostic. [RT #25429]
+
+ 3141. [bug] Silence spurious "zone serial (0) unchanged" messages
+ associated with empty zones. [RT #25079]
+
+ 3140. [func] New command "rndc flushtree <name>" clears the
+ specified name from the server cache along with
+ all names under it. [RT #19970]
+
+ 3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
+ for the hashing algorithms (md5, sha1 - sha512, and
+ their hmac counterparts). [RT #25067]
+
+ 3138. [bug] Address memory leaks and out-of-order operations when
+ shutting named down. [RT #25210]
+
+ 3137. [func] Improve hardware scalability by allowing multiple
+ worker threads to process incoming UDP packets.
+ This can significantly increase query throughput
+ on some systems. [RT #22992]
+
+ 3136. [func] Add RFC 1918 reverse zones to the list of built-in
+ empty zones switched on by the 'empty-zones-enable'
+ option. [RT #24990]
+
+ 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
+ See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
+ [RT #24950]
+
+ 3134. [bug] Improve the accuracy of dnssec-signzone's signing
+ statistics. [RT #16030]
+
+ 3133. [bug] Change #3114 was incomplete. [RT #24577]
+
+ 3132. [placeholder]
+
+ 3131. [tuning] Improve scalability by allocating one zone task
+ per 100 zones at startup time, rather than using a
+ fixed-size task table. [RT #24406]
+
+ 3130. [func] Support alternate methods for managing a dynamic
+ zone's serial number. Two methods are currently
+ defined using serial-update-method, "increment"
+ (default) and "unixtime". [RT #23849]
+
+ 3129. [bug] Named could crash on 'rndc reconfig' when
+ allow-new-zones was set to yes and named ACLs
+ were used. [RT #22739]
+
+ 3128. [func] Inserting an NSEC3PARAM via dynamic update in an
+ auto-dnssec zone that has not been signed yet
+ will cause it to be signed with the specified NSEC3
+ parameters when keys are activated. The
+ NSEC3PARAM record will not appear in the zone until
+ it is signed, but the parameters will be stored.
+ [RT #23684]
+
+ 3127. [bug] 'rndc thaw' will now remove a zone's journal file
+ if the zone serial number has been changed and
+ ixfr-from-differences is not in use. [RT #24687]
+
+ 3126. [security] Using DNAME record to generate replacements caused
+ RPZ to exit with a assertion failure. [RT #24766]
+
+ 3125. [security] Using wildcard CNAME records as a replacement with
+ RPZ caused named to exit with a assertion failure.
+ [RT #24715]
+
+ 3124. [bug] Use an rdataset attribute flag to indicate
+ negative-cache records rather than using rrtype 0;
+ this will prevent problems when that rrtype is
+ used in actual DNS packets. [RT #24777]
+
+ 3123. [security] Change #2912 exposed a latent flaw in
+ dns_rdataset_totext() that could cause named to
+ crash with an assertion failure. [RT #24777]
+
+ 3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
+
+ 3121. [security] An authoritative name server sending a negative
+ response containing a very large RRset could
+ trigger an off-by-one error in the ncache code
+ and crash named. [RT #24650]
+
+ 3120. [bug] Named could fail to validate zones listed in a DLV
+ that validated insecure without using DLV and had
+ DS records in the parent zone. [RT #24631]
+
+ 3119. [bug] When rolling to a new DNSSEC key, a private-type
+ record could be created and never marked complete.
+ [RT #23253]
+
+ 3118. [bug] nsupdate could dump core on shutdown when using
+ SIG(0) keys. [RT #24604]
+
+ 3117. [cleanup] Remove doc and parser references to the
+ never-implemented 'auto-dnssec create' option.
+ [RT #24533]
+
+ 3116. [func] New 'dnssec-update-mode' option controls updates
+ of DNSSEC records in signed dynamic zones. Set to
+ 'no-resign' to disable automatic RRSIG regeneration
+ while retaining the ability to sign new or changed
+ data. [RT #24533]
+
+ 3115. [bug] Named could fail to return requested data when
+ following a CNAME that points into the same zone.
+ [RT #24455]
+
+ 3114. [bug] Retain expired RRSIGs in dynamic zones if key is
+ inactive and there is no replacement key. [RT #23136]
+
+ 3113. [doc] Document the relationship between serial-query-rate
+ and NOTIFY messages.
+
+ 3112. [doc] Add missing descriptions of the update policy name
+ types "ms-self", "ms-subdomain", "krb5-self" and
+ "krb5-subdomain", which allow machines to update
+ their own records, to the BIND 9 ARM.
+
+ 3111. [bug] Improved consistency checks for dnssec-enable and
+ dnssec-validation, added test cases to the
+ checkconf system test. [RT #24398]
+
+ 3110. [bug] dnssec-signzone: Wrong error message could appear
+ when attempting to sign with no KSK. [RT #24369]
+
+ 3109. [func] The also-notify option now uses the same syntax
+ as a zone's masters clause. This means it is
+ now possible to specify a TSIG key to use when
+ sending notifies to a given server, or to include
+ an explicit named masters list in an also-notify
+ statement. [RT #23508]
+
+ 3108. [cleanup] dnssec-signzone: Clarified some error and
+ warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
+ code (use -P instead). [RT #20852]
+
+ 3107. [bug] dnssec-signzone: Report the correct number of ZSKs
+ when using -x. [RT #20852]
+
+ 3106. [func] When logging client requests, include the name of
+ the TSIG key if any. [RT #23619]
+
+ 3105. [bug] GOST support can be suppressed by "configure
+ --without-gost" [RT #24367]
+
+ 3104. [bug] Better support for cross-compiling. [RT #24367]
+
+ 3103. [bug] Configuring 'dnssec-validation auto' in a view
+ instead of in the options statement could trigger
+ an assertion failure in named-checkconf. [RT #24382]
+
+ 3102. [func] New 'dnssec-loadkeys-interval' option configures
+ how often, in minutes, to check the key repository
+ for updates when using automatic key maintenance.
+ Default is every 60 minutes (formerly hard-coded
+ to 12 hours). [RT #23744]
+
+ 3101. [bug] Zones using automatic key maintenance could fail
+ to check the key repository for updates. [RT #23744]
+
+ 3100. [security] Certain response policy zone configurations could
+ trigger an INSIST when receiving a query of type
+ RRSIG. [RT #24280]
+
+ 3099. [test] "dlz" system test now runs but gives R:SKIPPED if
+ not compiled with --with-dlz-filesystem. [RT #24146]
+
+ 3098. [bug] DLZ zones were answering without setting the AA bit.
+ [RT #24146]
+
+ 3097. [test] Add a tool to test handling of malformed packets.
+ [RT #24096]
+
+ 3096. [bug] Set KRB5_KTNAME before calling log_cred() in
+ dst_gssapi_acceptctx(). [RT #24004]
+
+ 3095. [bug] Handle isolated reserved ports in the port range.
+ [RT #23957]
+
+ 3094. [doc] Expand dns64 documentation.
+
+ 3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
+
+ 3092. [bug] Signatures for records at the zone apex could go
+ stale due to an incorrect timer setting. [RT #23769]
+
+ 3091. [bug] Fixed a bug in which zone keys that were published
+ and then subsequently activated could fail to trigger
+ automatic signing. [RT #22911]
+
+ 3090. [func] Make --with-gssapi default [RT #23738]
+
+ 3089. [func] dnssec-dsfromkey now supports reading keys from
+ standard input "dnssec-dsfromkey -f -". [RT #20662]
+
+ 3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
+ and add setup.sh in order to resolve changing
+ named.conf issue. [RT #23687]
+
+ 3087. [bug] DDNS updates using SIG(0) with update-policy match
+ type "external" could cause a crash. [RT #23735]
+
+ 3086. [bug] Running dnssec-settime -f on an old-style key will
+ now force an update to the new key format even if no
+ other change has been specified, using "-P now -A now"
+ as default values. [RT #22474]
+
+ 3085. [func] New '-R' option in dnssec-signzone forces removal
+ of signatures which have not yet expired but
+ were generated by a key that no longer exists.
+ [RT #22471]
+
+ 3084. [func] A new command "rndc sync" dumps pending changes in
+ a dynamic zone to disk; "rndc sync -clean" also
+ removes the journal file after syncing. Also,
+ "rndc freeze" no longer removes journal files.
+ [RT #22473]
+
+ 3083. [bug] NOTIFY messages were not being sent when generating
+ a NSEC3 chain incrementally. [RT #23702]
+
+ 3082. [port] strtok_r is threads only. [RT #23747]
+
+ 3081. [bug] Failure of DNAME substitution did not return
+ YXDOMAIN. [RT #23591]
+
+ 3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
+ [RT #23587]
+
+ 3079. [bug] Handle isc_event_allocate failures in t_tasks.
+ [RT #23572]
+
+ 3078. [func] Added a new include file with function typedefs
+ for the DLZ "dlopen" driver. [RT #23629]
+
+ 3077. [bug] zone.c:zone_refreshkeys() incorrectly called
+ dns_zone_attach(), use zone->irefs instead. [RT #23303]
+
+ 3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
+ dnssec-keyfromlabel sets the default TTL of the
+ key. When possible, automatic signing will use that
+ TTL when the key is published. [RT #23304]
+
+ 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
+ timestamp when determining which keys are active.
+ [RT #23642]
+
+ 3074. [bug] Make the adb cache read through for zone data and
+ glue learn for zone named is authoritative for.
+ [RT #22842]
+
+ 3073. [bug] managed-keys changes were not properly being recorded.
+ [RT #20256]
+
+ 3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
+ [RT #20256]
+
+ 3071. [bug] has_nsec could be used uninitialized in
+ update.c:next_active. [RT #20256]
+
+ 3070. [bug] dnssec-signzone potential NULL pointer dereference.
+ [RT #20256]
+
+ 3069. [cleanup] Silence warnings messages from clang static analysis.
+ [RT #20256]
+
+ 3068. [bug] Named failed to build with a OpenSSL without engine
+ support. [RT #23473]
+
+ 3067. [bug] ixfr-from-differences {master|slave}; failed to
+ select the master/slave zones. [RT #23580]
+
+ 3066. [func] The DLZ "dlopen" driver is now built by default,
+ no longer requiring a configure option. To
+ disable it, use "configure --without-dlopen".
+ Driver also supported on win32. [RT #23467]
+
+ 3065. [bug] RRSIG could have time stamps too far in the future.
+ [RT #23356]
+
+ 3064. [bug] powerpc: add sync instructions to the end of atomic
+ operations. [RT #23469]
+
+ 3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
+
+ 3062. [func] Made several changes to enhance human readability
+ of DNSSEC data in dig output and in generated
+ zone files:
+ - DNSKEY record comments are more verbose, no
+ longer used in multiline mode only
+ - multiline RRSIG records reformatted
+ - multiline output mode for NSEC3PARAM records
+ - "dig +norrcomments" suppresses DNSKEY comments
+ - "dig +split=X" breaks hex/base64 records into
+ fields of width X; "dig +nosplit" disables this.
+ [RT #22820]
+
+ 3061. [func] New option "dnssec-signzone -D", only write out
+ generated DNSSEC records. [RT #22896]
+
+ 3060. [func] New option "dnssec-signzone -X <date>" allows
+ specification of a separate expiration date
+ for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
+
+ 3059. [test] Added a regression test for change #3023.
+
+ 3058. [bug] Cause named to terminate at startup or rndc reconfig/
+ reload to fail, if a log file specified in the conf
+ file isn't a plain file. [RT #22771]
+
+ 3057. [bug] "rndc secroots" would abort after the first error
+ and so could miss some views. [RT #23488]
+
+ 3056. [func] Added support for URI resource record. [RT #23386]
+
+ 3055. [placeholder]
+
+ 3054. [bug] Added elliptic curve support check in
+ GOST OpenSSL engine detection. [RT #23485]
+
+ 3053. [bug] Under a sustained high query load with a finite
+ max-cache-size, it was possible for cache memory
+ to be exhausted and not recovered. [RT #23371]
+
+ 3052. [test] Fixed last autosign test report. [RT #23256]
+
+ 3051. [bug] NS records obscure DNAME records at the bottom of the
+ zone if both are present. [RT #23035]
+
+ 3050. [bug] The autosign system test was timing dependent.
+ Wait for the initial autosigning to complete
+ before running the rest of the test. [RT #23035]
+
+ 3049. [bug] Save and restore the gid when creating creating
+ named.pid at startup. [RT #23290]
+
+ 3048. [bug] Fully separate view key management. [RT #23419]
+
+ 3047. [bug] DNSKEY NODATA responses not cached fixed in
+ validator.c. Tests added to dnssec system test.
+ [RT #22908]
+
+ 3046. [bug] Use RRSIG original TTL to compute validated RRset
+ and RRSIG TTL. [RT #23332]
+
+ 3045. [removed] Replaced by change #3050.
+
+ 3044. [bug] Hold the socket manager lock while freeing the socket.
+ [RT #23333]
+
+ 3043. [test] Merged in the NetBSD ATF test framework (currently
+ version 0.12) for development of future unit tests.
+ Use configure --with-atf to build ATF internally
+ or configure --with-atf=prefix to use an external
+ copy. [RT #23209]
+
+ 3042. [bug] dig +trace could fail attempting to use IPv6
+ addresses on systems with only IPv4 connectivity.
+ [RT #23297]
+
+ 3041. [bug] dnssec-signzone failed to generate new signatures on
+ ttl changes. [RT #23330]
+
+ 3040. [bug] Named failed to validate insecure zones where a node
+ with a CNAME existed between the trust anchor and the
+ top of the zone. [RT #23338]
+
+ 3039. [func] Redirect on NXDOMAIN support. [RT #23146]
+
+ 3038. [bug] Install <dns/rpz.h>. [RT #23342]
+
+ 3037. [doc] Update COPYRIGHT to contain all the individual
+ copyright notices that cover various parts.
+
+ 3036. [bug] Check built-in zone arguments to see if the zone
+ is re-usable or not. [RT #21914]
+
+ 3035. [cleanup] Simplify by using strlcpy. [RT #22521]
+
+ 3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
+
+ 3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
+ [RT #22521]
+
+ 3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
+
+ 3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
+ [RT #22521]
+
+ 3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
+ [RT #22521]
+
+ 3029. [bug] isc_netaddr_format() handle a zero sized buffer.
+ [RT #22521]
+
+ 3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
+ [RT #22521]
+
+ 3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
+ catch NULL pointer dereferences before they happen.
+ [RT #22521]
+
+ 3026. [bug] lib/isc/httpd.c: check that we have enough space
+ after calling grow_headerspace() and if not
+ re-call grow_headerspace() until we do. [RT #22521]
+
+ 3025. [bug] Fixed a possible deadlock due to zone resigning.
+ [RT #22964]
+
+ 3024. [func] RTT Banding removed due to minor security increase
+ but major impact on resolver latency. [RT #23310]
+
+ 3023. [bug] Named could be left in an inconsistent state when
+ receiving multiple AXFR response messages that were
+ not all TSIG-signed. [RT #23254]
+
+ 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
+ [RT #23246]
+
+ 3021. [bug] Change #3010 was incomplete. [RT #22296]
+
+ 3020. [bug] auto-dnssec failed to correctly update the zone when
+ changing the DNSKEY RRset. [RT #23232]
+
+ 3019. [test] Test: check apex NSEC3 records after adding DNSKEY
+ record via UPDATE. [RT #23229]
+
+ 3018. [bug] Named failed to check for the "none;" acl when deciding
+ if a zone may need to be re-signed. [RT #23120]
+
+ 3017. [doc] dnssec-keyfromlabel -I was not properly documented.
+ [RT #22887]
+
+ 3016. [bug] rndc usage missing '-b'. [RT #22937]
+
+ 3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
+ IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
+
+ 3014. [placeholder]
+
+ 3013. [bug] The DNS64 ttl was not always being set as expected.
+ [RT #23034]
+
+ 3012. [bug] Remove DNSKEY TTL change pairs before generating
+ signing records for any remaining DNSKEY changes.
+ [RT #22590]
+
+ 3011. [func] Change the default query timeout from 30 seconds
+ to 10. Allow setting this in named.conf using the new
+ 'resolver-query-timeout' option, which specifies a max
+ time in seconds. 0 means 'default' and anything longer
+ than 30 will be silently set to 30. [RT #22852]
+
+ 3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
+ for refreshing managed-keys. [RT #22296]
+
+ 3009. [bug] clients-per-query code didn't work as expected with
+ particular query patterns. [RT #22972]
+
+ --- 9.8.0b1 released ---
+
+ 3008. [func] Response policy zones (RPZ) support. [RT #21726]
+
+ 3007. [bug] Named failed to preserve the case of domain names in
+ rdata which is not compressible when writing master
+ files. [RT #22863]
+
+ 3006. [func] Allow dynamically generated TSIG keys to be preserved
+ across restarts of named. Initially this is for
+ TSIG keys generated using GSSAPI. [RT #22639]
+
+ 3005. [port] Solaris: Work around the lack of
+ gsskrb5_register_acceptor_identity() by setting
+ the KRB5_KTNAME environment variable to the
+ contents of tkey-gssapi-keytab. Also fixed
+ test errors on MacOSX. [RT #22853]
+
+ 3004. [func] DNS64 reverse support. [RT #22769]
+
+ 3003. [experimental] Added update-policy match type "external",
+ enabling named to defer the decision of whether to
+ allow a dynamic update to an external daemon.
+ (Contributed by Andrew Tridgell.) [RT #22758]
+
+ 3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
+ [RT #22766]
+
+ 3001. [func] Added a default trust anchor for the root zone, which
+ can be switched on by setting "dnssec-validation auto;"
+ in the named.conf options. [RT #21727]
+
+ 3000. [bug] More TKEY/GSS fixes:
+ - nsupdate can now get the default realm from
+ the user's Kerberos principal
+ - corrected gsstest compilation flags
+ - improved documentation
+ - fixed some NULL dereferences
+ [RT #22795]
+
+ 2999. [func] Add GOST support (RFC 5933). [RT #20639]
+
+ 2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
+ to the task api. [RT #22776]
+
+ 2997. [func] named -V now reports the OpenSSL and libxml2 versions
+ it was compiled against. [RT #22687]
+
+ 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
+ [RT #22589]
+
+ 2995. [bug] The Kerberos realm was not being correctly extracted
+ from the signer's identity. [RT #22770]
+
+ 2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
+ do not use threads on earlier versions. Also kill
+ the unproven-pthreads, mit-pthreads, and ptl2 support.
+
+ 2993. [func] Dynamically grow adb hash tables. [RT #21186]
+
+ 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
+ for looking at a secure delegation. [RT #22059]
+
+ 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
+ dynamic zones. [RT #22365]
+
+ 2990. [bug] 'dnssec-settime -S' no longer tests prepublication
+ interval validity when the interval is set to 0.
+ [RT #22761]
+
+ 2989. [func] Added support for writable DLZ zones. (Contributed
+ by Andrew Tridgell of the Samba project.) [RT #22629]
+
+ 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
+ of external DLZ drivers that can be loaded as
+ shared objects at runtime rather than linked with
+ named. Currently this is switched on via a
+ compile-time option, "configure --with-dlz-dlopen".
+ Note: the syntax for configuring DLZ zones
+ is likely to be refined in future releases.
+ (Contributed by Andrew Tridgell of the Samba
+ project.) [RT #22629]
+
+ 2987. [func] Improve ease of configuring TKEY/GSS updates by
+ adding a "tkey-gssapi-keytab" option. If set,
+ updates will be allowed with any key matching
+ a principal in the specified keytab file.
+ "tkey-gssapi-credential" is no longer required
+ and is expected to be deprecated. (Contributed
+ by Andrew Tridgell of the Samba project.)
+ [RT #22629]
+
+ 2986. [func] Add new zone type "static-stub". It's like a stub
+ zone, but the nameserver names and/or their IP
+ addresses are statically configured. [RT #21474]
+
+ 2985. [bug] Add a regression test for change #2896. [RT #21324]
+
+ 2984. [bug] Don't run MX checks when the target of the MX record
+ is ".". [RT #22645]
+
+ 2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
+
+ --- 9.8.0a1 released ---
+
+ 2982. [bug] Reference count dst keys. dst_key_attach() can be used
+ increment the reference count.
+
+ Note: dns_tsigkey_createfromkey() callers should now
+ always call dst_key_free() rather than setting it
+ to NULL on success. [RT #22672]
+
+ 2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
+
+ 2980. [bug] named didn't properly handle UPDATES that changed the
+ TTL of the NSEC3PARAM RRset. [RT #22363]
+
+ 2979. [bug] named could deadlock during shutdown if two
+ "rndc stop" commands were issued at the same
+ time. [RT #22108]
+
+ 2978. [port] hpux: look for <devpoll.h> [RT #21919]
+
+ 2977. [bug] 'nsupdate -l' report if the session key is missing.
+ [RT #21670]
+
+ 2976. [bug] named could die on exit after negotiating a GSS-TSIG
+ key. [RT #22573]
+
+ 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
+ wrong lock which could lead to server deadlock.
+ [RT #22614]
+
+ 2974. [bug] Some valid UPDATE requests could fail due to a
+ consistency check examining the existing version
+ of the zone rather than the new version resulting
+ from the UPDATE. [RT #22413]
+
+ 2973. [bug] bind.keys.h was being removed by the "make clean"
+ at the end of configure resulting in build failures
+ where there is very old version of perl installed.
+ Move it to "make maintainer-clean". [RT #22230]
+
+ 2972. [bug] win32: address windows socket errors. [RT #21906]
+
+ 2971. [bug] Fixed a bug that caused journal files not to be
+ compacted on Windows systems as a result of
+ non-POSIX-compliant rename() semantics. [RT #22434]
+
+ 2970. [security] Adding a NO DATA negative cache entry failed to clear
+ any matching RRSIG records. A subsequent lookup of
+ of NO DATA cache entry could trigger a INSIST when the
+ unexpected RRSIG was also returned with the NO DATA
+ cache entry.
+
+ CVE-2010-3613, VU#706148. [RT #22288]
+
+ 2969. [security] Fix acl type processing so that allow-query works
+ in options and view statements. Also add a new
+ set of tests to verify proper functioning.
+
+ CVE-2010-3615, VU#510208. [RT #22418]
+
+ 2968. [security] Named could fail to prove a data set was insecure
+ before marking it as insecure. One set of conditions
+ that can trigger this occurs naturally when rolling
+ DNSKEY algorithms.
+
+ CVE-2010-3614, VU#837744. [RT #22309]
+
+ 2967. [bug] 'host -D' now turns on debugging messages earlier.
+ [RT #22361]
+
+ 2966. [bug] isc_print_vsnprintf() failed to check if there was
+ space available in the buffer when adding a left
+ justified character with a non zero width,
+ (e.g. "%-1c"). [RT #22270]
+
+ 2965. [func] Test HMAC functions using test data from RFC 2104 and
+ RFC 4634. [RT #21702]
+
+ 2964. [placeholder]
+
+ 2963. [security] The allow-query acl was being applied instead of the
+ allow-query-cache acl to cache lookups. [RT #22114]
+
+ 2962. [port] win32: add more dependencies to BINDBuild.dsw.
+ [RT #22062]
+
+ 2961. [bug] Be still more selective about the non-authoritative
+ answers we apply change 2748 to. [RT #22074]
+
+ 2960. [func] Check that named accepts non-authoritative answers.
+ [RT #21594]
+
+ 2959. [func] Check that named starts with a missing masterfile.
+ [RT #22076]
+
+ 2958. [bug] named failed to start with a missing master file.
+ [RT #22076]
+
+ 2957. [bug] entropy_get() and entropy_getpseudo() failed to match
+ the API for RAND_bytes() and RAND_pseudo_bytes()
+ respectively. [RT #21962]
+
+ 2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
+
+ 2955. [func] Provide more detail in the recursing log. [RT #22043]
+
+ 2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
+ build_sqldbinstance failure. [RT #21623]
+
+ 2953. [bug] Silence spurious "expected covering NSEC3, got an
+ exact match" message when returning a wildcard
+ no data response. [RT #21744]
+
+ 2952. [port] win32: named-checkzone and named-checkconf failed
+ to initialize winsock. [RT #21932]
+
+ 2951. [bug] named failed to generate a correct signed response
+ in a optout, delegation only zone with no secure
+ delegations. [RT #22007]
+
+ 2950. [bug] named failed to perform a SOA up to date check when
+ falling back to TCP on UDP timeouts when
+ ixfr-from-differences was set. [RT #21595]
+
+ 2949. [bug] dns_view_setnewzones() contained a memory leak if
+ it was called multiple times. [RT #21942]
+
+ 2948. [port] MacOS: provide a mechanism to configure the test
+ interfaces at reboot. See bin/tests/system/README
+ for details.
+
+ 2947. [placeholder]
+
+ 2946. [doc] Document the default values for the minimum and maximum
+ zone refresh and retry values in the ARM. [RT #21886]
+
+ 2945. [doc] Update empty-zones list in ARM. [RT #21772]
+
+ 2944. [maint] Remove ORCHID prefix from built in empty zones.
+ [RT #21772]
+
+ 2943. [func] Add support to load new keys into managed zones
+ without signing immediately with "rndc loadkeys".
+ Add support to link keys with "dnssec-keygen -S"
+ and "dnssec-settime -S". [RT #21351]
+
+ 2942. [contrib] zone2sqlite failed to setup the entropy sources.
+ [RT #21610]
+
+ 2941. [bug] sdb and sdlz (dlz's zone database) failed to support
+ DNAME at the zone apex. [RT #21610]
+
+ 2940. [port] Remove connection aborted error message on
+ Windows. [RT #21549]
+
+ 2939. [func] Check that named successfully skips NSEC3 records
+ that fail to match the NSEC3PARAM record currently
+ in use. [RT #21868]
+
+ 2938. [bug] When generating signed responses, from a signed zone
+ that uses NSEC3, named would use a uninitialized
+ pointer if it needed to skip a NSEC3 record because
+ it didn't match the selected NSEC3PARAM record for
+ zone. [RT #21868]
+
+ 2937. [bug] Worked around an apparent race condition in over
+ memory conditions. Without this fix a DNS cache DB or
+ ADB could incorrectly stay in an over memory state,
+ effectively refusing further caching, which
+ subsequently made a BIND 9 caching server unworkable.
+ This fix prevents this problem from happening by
+ polling the state of the memory context, rather than
+ making a copy of the state, which appeared to cause
+ a race. This is a "workaround" in that it doesn't
+ solve the possible race per se, but several experiments
+ proved this change solves the symptom. Also, the
+ polling overhead hasn't been reported to be an issue.
+ This bug should only affect a caching server that
+ specifies a finite max-cache-size. It's also quite
+ likely that the bug happens only when enabling threads,
+ but it's not confirmed yet. [RT #21818]
+
+ 2936. [func] Improved configuration syntax and multiple-view
+ support for addzone/delzone feature (see change
+ #2930). Removed "new-zone-file" option, replaced
+ with "allow-new-zones (yes|no)". The new-zone-file
+ for each view is now created automatically, with
+ a filename generated from a hash of the view name.
+ It is no longer necessary to "include" the
+ new-zone-file in named.conf; this happens
+ automatically. Zones that were not added via
+ "rndc addzone" can no longer be removed with
+ "rndc delzone". [RT #19447]
+
+ 2935. [bug] nsupdate: improve 'file not found' error message.
+ [RT #21871]
+
+ 2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
+ [RT #21871]
+
+ 2933. [bug] 'dig +nsid' used stack memory after it went out of
+ scope. This could potentially result in a unknown,
+ potentially malformed, EDNS option being sent instead
+ of the desired NSID option. [RT #21781]
+
+ 2932. [cleanup] Corrected a numbering error in the "dnssec" test.
+ [RT #21597]
+
+ 2931. [bug] Temporarily and partially disable change 2864
+ because it would cause infinite attempts of RRSIG
+ queries. This is an urgent care fix; we'll
+ revisit the issue and complete the fix later.
+ [RT #21710]
+
+ 2930. [experimental] New "rndc addzone" and "rndc delzone" commands
+ allow dynamic addition and deletion of zones.
+ To enable this feature, specify a "new-zone-file"
+ option at the view or options level in named.conf.
+ Zone configuration information for the new zones
+ will be written into that file. To make the new
+ zones persist after a restart, "include" the file
+ into named.conf in the appropriate view. (Note:
+ This feature is not yet documented, and its syntax
+ is expected to change.) [RT #19447]
+
+ 2929. [bug] Improved handling of GSS security contexts:
+ - added LRU expiration for generated TSIGs
+ - added the ability to use a non-default realm
+ - added new "realm" keyword in nsupdate
+ - limited lifetime of generated keys to 1 hour
+ or the lifetime of the context (whichever is
+ smaller)
+ [RT #19737]
+
+ 2928. [bug] Be more selective about the non-authoritative
+ answer we apply change 2748 to. [RT #21594]
+
+ 2927. [placeholder]
+
+ 2926. [placeholder]
+
+ 2925. [bug] Named failed to accept uncachable negative responses
+ from insecure zones. [RT #21555]
+
+ 2924. [func] 'rndc secroots' dump a combined summary of the
+ current managed keys combined with trusted keys.
+ [RT #20904]
+
+ 2923. [bug] 'dig +trace' could drop core after "connection
+ timeout". [RT #21514]
+
+ 2922. [contrib] Update zkt to version 1.0.
+
+ 2921. [bug] The resolver could attempt to destroy a fetch context
+ too soon. [RT #19878]
+
+ 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
+ to IPv4 clients. New acl 'filter-aaaa' (default any).
+
+ 2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
+ [RT #20840]
+
+ 2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
+
+ 2917. [func] Virtual time test framework. [RT #20801]
+
+ 2916. [func] Add framework to use IPv6 in tests.
+ fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
+
+ 2915. [cleanup] Be smarter about which objects we attempt to compile
+ based on configure options. [RT #21444]
+
+ 2914. [bug] Make the "autosign" system test more portable.
+ [RT #20997]
+
+ 2913. [func] Add pkcs#11 system tests. [RT #20784]
+
+ 2912. [func] Windows clients don't like UPDATE responses that clear
+ the zone section. [RT #20986]
+
+ 2911. [bug] dnssec-signzone didn't handle out of zone records well.
+ [RT #21367]
+
+ 2910. [func] Sanity check Kerberos credentials. [RT #20986]
+
+ 2909. [bug] named-checkconf -p could die if "update-policy local;"
+ was specified in named.conf. [RT #21416]
+
+ 2908. [bug] It was possible for re-signing to stop after removing
+ a DNSKEY. [RT #21384]
+
+ 2907. [bug] The export version of libdns had undefined references.
+ [RT #21444]
+
+ 2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
+
+ 2905. [port] aix: set use_atomic=yes with native compiler.
+ [RT #21402]
+
+ 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
+ could be incorrectly marked as insecure instead of
+ secure leading to negative proofs failing. This was
+ a unintended outcome from change 2890. [RT #21392]
+
+ 2903. [bug] managed-keys-directory missing from namedconf.c.
+ [RT #21370]
+
+ 2902. [func] Add regression test for change 2897. [RT #21040]
+
+ 2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
+
+ 2900. [bug] The placeholder negative caching element was not
+ properly constructed triggering a INSIST in
+ dns_ncache_towire(). [RT #21346]
+
+ 2899. [port] win32: Support linking against OpenSSL 1.0.0.
+
+ 2898. [bug] nslookup leaked memory when -domain=value was
+ specified. [RT #21301]
+
+ 2897. [bug] NSEC3 chains could be left behind when transitioning
+ to insecure. [RT #21040]
+
+ 2896. [bug] "rndc sign" failed to properly update the zone
+ when adding a DNSKEY for publication only. [RT #21045]
+
+ 2895. [func] genrandom: add support for the generation of multiple
+ files. [RT #20917]
+
+ 2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
+
+ 2893. [bug] Improve managed keys support. New named.conf option
+ managed-keys-directory. [RT #20924]
+
+ 2892. [bug] Handle REVOKED keys better. [RT #20961]
+
+ 2891. [maint] Update empty-zones list to match
+ draft-ietf-dnsop-default-local-zones-13. [RT #21099]
+
+ 2890. [bug] Handle the introduction of new trusted-keys and
+ DS, DLV RRsets better. [RT #21097]
+
+ 2889. [bug] Elements of the grammar where not properly reported.
+ [RT #21046]
+
+ 2888. [bug] Only the first EDNS option was displayed. [RT #21273]
+
+ 2887. [bug] Report the keytag times in UTC in the .key file,
+ local time is presented as a comment within the
+ comment. [RT #21223]
+
+ 2886. [bug] ctime() is not thread safe. [RT #21223]
+
+ 2885. [bug] Improve -fno-strict-aliasing support probing in
+ configure. [RT #21080]
+
+ 2884. [bug] Insufficient validation in dns_name_getlabelsequence().
+ [RT #21283]
+
+ 2883. [bug] 'dig +short' failed to handle really large datasets.
+ [RT #21113]
+
+ 2882. [bug] Remove memory context from list of active contexts
+ before clearing 'magic'. [RT #21274]
+
+ 2881. [bug] Reduce the amount of time the rbtdb write lock
+ is held when closing a version. [RT #21198]
+
+ 2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
+ consistent. [RT #21078]
+
+ 2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
+ [RT #21106]
+
+ 2878. [func] Incrementally write the master file after performing
+ a AXFR. [RT #21010]
+
+ 2877. [bug] The validator failed to skip obviously mismatching
+ RRSIGs. [RT #21138]
+
+ 2876. [bug] Named could return SERVFAIL for negative responses
+ from unsigned zones. [RT #21131]
+
+ 2875. [bug] dns_time64_fromtext() could accept non digits.
+ [RT #21033]
+
+ 2874. [bug] Cache lack of EDNS support only after the server
+ successfully responds to the query using plain DNS.
+ [RT #20930]
+
+ 2873. [bug] Canceling a dynamic update via the dns/client module
+ could trigger an assertion failure. [RT #21133]
+
+ 2872. [bug] Modify dns/client.c:dns_client_createx() to only
+ require one of IPv4 or IPv6 rather than both.
+ [RT #21122]
+
+ 2871. [bug] Type mismatch in mem_api.c between the definition and
+ the header file, causing build failure with
+ --enable-exportlib. [RT #21138]
+
+ 2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
+
+ 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
+ [RT #20877]
+
+ 2868. [cleanup] Run "make clean" at the end of configure to ensure
+ any changes made by configure are integrated.
+ Use --with-make-clean=no to disable. [RT #20994]
+
+ 2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
+ don't like it. [RT #20986]
+
+ 2866. [bug] Windows does not like the TSIG name being compressed.
+ [RT #20986]
+
+ 2865. [bug] memset to zero event.data. [RT #20986]
+
+ 2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
+ [RT #21050]
+
+ 2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
+ [RT #21056]
+
+ 2862. [bug] nsupdate didn't default to the parent zone when
+ updating DS records. [RT #20896]
+
+ 2861. [doc] dnssec-settime man pages didn't correctly document the
+ inactivation time. [RT #21039]
+
+ 2860. [bug] named-checkconf's usage was out of date. [RT #21039]
+
+ 2859. [bug] When canceling validation it was possible to leak
+ memory. [RT #20800]
+
+ 2858. [bug] RTT estimates were not being adjusted on ICMP errors.
+ [RT #20772]
+
+ 2857. [bug] named-checkconf did not fail on a bad trusted key.
+ [RT #20705]
+
+ 2856. [bug] The size of a memory allocation was not always properly
+ recorded. [RT #20927]
+
+ 2855. [func] nsupdate will now preserve the entered case of domain
+ names in update requests it sends. [RT #20928]
+
+ 2854. [func] dig: allow the final soa record in a axfr response to
+ be suppressed, dig +onesoa. [RT #20929]
+
+ 2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
+
+ 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
+
+ 2851. [doc] nslookup.1, removed <informalexample> from the docbook
+ source as it produced bad nroff. [RT #21007]
+
+ 2850. [bug] If isc_heap_insert() failed due to memory shortage
+ the heap would have corrupted entries. [RT #20951]
+
+ 2849. [bug] Don't treat errors from the xml2 library as fatal.
+ [RT #20945]
+
+ 2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
+ README.rfc5011 into the ARM. [RT #20899]
+
+ 2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
+
+ 2846. [bug] EOF on unix domain sockets was not being handled
+ correctly. [RT #20731]
+
+ 2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
+
+ 2844. [doc] notify-delay default in ARM was wrong. It should have
+ been five (5) seconds.
+
+ 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
+ creating key files if there is a chance that the new
+ key ID will collide with an existing one after
+ either of the keys has been revoked. (To override
+ this in the case of dnssec-keyfromlabel, use the -y
+ option. dnssec-keygen will simply create a
+ different, non-colliding key, so an override is
+ not necessary.) [RT #20838]
+
+ 2842. [func] Added "smartsign" and improved "autosign" and
+ "dnssec" regression tests. [RT #20865]
+
+ 2841. [bug] Change 2836 was not complete. [RT #20883]
+
+ 2840. [bug] Temporary fixed pkcs11-destroy usage check.
+ [RT #20760]
+
+ 2839. [bug] A KSK revoked by named could not be deleted.
+ [RT #20881]
+
+ 2838. [placeholder]
+
+ 2837. [port] Prevent Linux spurious warnings about fwrite().
+ [RT #20812]
+
+ 2836. [bug] Keys that were scheduled to become active could
+ be delayed. [RT #20874]
+
+ 2835. [bug] Key inactivity dates were inadvertently stored in
+ the private key file with the outdated tag
+ "Unpublish" rather than "Inactive". This has been
+ fixed; however, any existing keys that had Inactive
+ dates set will now need to have them reset, using
+ 'dnssec-settime -I'. [RT #20868]
+
+ 2834. [bug] HMAC-SHA* keys that were longer than the algorithm
+ digest length were used incorrectly, leading to
+ interoperability problems with other DNS
+ implementations. This has been corrected.
+ (Note: If an oversize key is in use, and
+ compatibility is needed with an older release of
+ BIND, the new tool "isc-hmac-fixup" can convert
+ the key secret to a form that will work with all
+ versions.) [RT #20751]
+
+ 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
+ [RT #20851]
+
+ 2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
+ to avoid redefinition in some OSs [RT 20831]
+
+ 2831. [security] Do not attempt to validate or cache
+ out-of-bailiwick data returned with a secure
+ answer; it must be re-fetched from its original
+ source and validated in that context. [RT #20819]
+
+ 2830. [bug] Changing the OPTOUT setting could take multiple
+ passes. [RT #20813]
+
+ 2829. [bug] Fixed potential node inconsistency in rbtdb.c.
+ [RT #20808]
+
+ 2828. [security] Cached CNAME or DNAME RR could be returned to clients
+ without DNSSEC validation. [RT #20737]
+
+ 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
+ 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
+ being released. [RT #20740]
+
+ 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
+ was in the process of being created was not properly
+ recorded in the zone. [RT #20786]
+
+ 2824. [bug] "rndc sign" was not being run by the correct task.
+ [RT #20759]
+
+ 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
+
+ 2822. [bug] rbtdb.c:loadnode() could return the wrong result.
+ [RT #20802]
+
+ 2821. [doc] Add note that named-checkconf doesn't automatically
+ read rndc.key and bind.keys [RT #20758]
+
+ 2820. [func] Handle read access failure of OpenSSL configuration
+ file more user friendly (PKCS#11 engine patch).
+ [RT #20668]
+
+ 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
+ [RT #20771]
+
+ 2818. [cleanup] rndc could return an incorrect error code
+ when a zone was not found. [RT #20767]
+
+ 2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
+ [RT #20768]
+
+ 2816. [bug] previous_closest_nsec() could fail to return
+ data for NSEC3 nodes [RT #29730]
+
+ 2815. [bug] Exclusively lock the task when freezing a zone.
+ [RT #19838]
+
+ 2814. [func] Provide a definitive error message when a master
+ zone is not loaded. [RT #20757]
+
+ 2813. [bug] Better handling of unreadable DNSSEC key files.
+ [RT #20710]
+
+ 2812. [bug] Make sure updates can't result in a zone with
+ NSEC-only keys and NSEC3 records. [RT #20748]
+
+ 2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
+ output. [RT #20733]
+
+ 2810. [doc] Clarified the process of transitioning an NSEC3 zone
+ to insecure. [RT #20746]
+
+ 2809. [cleanup] Restored accidentally-deleted text in usage output
+ in dnssec-settime and dnssec-revoke [RT #20739]
+
+ 2808. [bug] Remove the attempt to install atomic.h from lib/isc.
+ atomic.h is correctly installed by the architecture
+ specific subdirectories. [RT #20722]
+
+ 2807. [bug] Fixed a possible ASSERT when reconfiguring zone
+ keys. [RT #20720]
+
+ --- 9.7.0rc1 released ---
+
+ 2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
+ when it had changed. [RT #20703]
+
+ 2805. [bug] Fixed namespace problems encountered when building
+ external programs using non-exported BIND9 libraries
+ (i.e., built without --enable-exportlib). [RT #20679]
+
+ 2804. [bug] Send notifies when a zone is signed with "rndc sign"
+ or as a result of a scheduled key change. [RT #20700]
+
+ 2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
+ and genrandom under windows. [RT #20670]
+
+ 2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
+
+ 2801. [func] Detect and report records that are different according
+ to DNSSEC but are semantically equal according to plain
+ DNS. Apply plain DNS comparisons rather than DNSSEC
+ comparisons when processing UPDATE requests.
+ dnssec-signzone now removes such semantically duplicate
+ records prior to signing the RRset.
+
+ named-checkzone -r {ignore|warn|fail} (default warn)
+ named-compilezone -r {ignore|warn|fail} (default warn)
+
+ named.conf: check-dup-records {ignore|warn|fail};
+
+ 2800. [func] Reject zones which have NS records which refer to
+ CNAMEs, DNAMEs or don't have address record (class IN
+ only). Reject UPDATEs which would cause the zone
+ to fail the above checks if committed. [RT #20678]
+
+ 2799. [cleanup] Changed the "secure-to-insecure" option to
+ "dnssec-secure-to-insecure", and "dnskey-ksk-only"
+ to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
+
+ 2798. [bug] Addressed bugs in managed-keys initialization
+ and rollover. [RT #20683]
+
+ 2797. [bug] Don't decrement the dispatch manager's maxbuffers.
+ [RT #20613]
+
+ 2796. [bug] Missing dns_rdataset_disassociate() call in
+ dns_nsec3_delnsec3sx(). [RT #20681]
+
+ 2795. [cleanup] Add text to differentiate "update with no effect"
+ log messages. [RT #18889]
+
+ 2794. [bug] Install <isc/namespace.h>. [RT #20677]
+
+ 2793. [func] Add "autosign" and "metadata" tests to the
+ automatic tests. [RT #19946]
+
+ 2792. [func] "filter-aaaa-on-v4" can now be set in view
+ options (if compiled in). [RT #20635]
+
+ 2791. [bug] The installation of isc-config.sh was broken.
+ [RT #20667]
+
+ 2790. [bug] Handle DS queries to stub zones. [RT #20440]
+
+ 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
+
+ 2788. [bug] dnssec-signzone could sign with keys that were
+ not requested [RT #20625]
+
+ 2787. [bug] Spurious log message when zone keys were
+ dynamically reconfigured. [RT #20659]
+
+ 2786. [bug] Additional could be promoted to answer. [RT #20663]
+
+ --- 9.7.0b3 released ---
+
+ 2785. [bug] Revoked keys could fail to self-sign [RT #20652]
+
+ 2784. [bug] TC was not always being set when required glue was
+ dropped. [RT #20655]
+
+ 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
+ buffer size of 512 or less. [RT #20654]
+
+ 2782. [port] win32: use getaddrinfo() for hostname lookups.
+ [RT #20650]
+
+ 2781. [bug] Inactive keys could be used for signing. [RT #20649]
+
+ 2780. [bug] dnssec-keygen -A none didn't properly unset the
+ activation date in all cases. [RT #20648]
+
+ 2779. [bug] Dynamic key revocation could fail. [RT #20644]
+
+ 2778. [bug] dnssec-signzone could fail when a key was revoked
+ without deleting the unrevoked version. [RT #20638]
+
+ 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
+
+ 2776. [bug] Change #2762 was not correct. [RT #20647]
+
+ 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
+ in dnssec-keyfromlabel. [RT #20643]
+
+ 2774. [bug] Existing cache DB wasn't being reused after
+ reconfiguration. [RT #20629]
+
+ 2773. [bug] In autosigned zones, the SOA could be signed
+ with the KSK. [RT #20628]
+
+ 2772. [security] When validating, track whether pending data was from
+ the additional section or not and only return it if
+ validates as secure. [RT #20438]
+
+ 2771. [bug] dnssec-signzone: DNSKEY records could be
+ corrupted when importing from key files [RT #20624]
+
+ 2770. [cleanup] Add log messages to resolver.c to indicate events
+ causing FORMERR responses. [RT #20526]
+
+ 2769. [cleanup] Change #2742 was incomplete. [RT #19589]
+
+ 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
+
+ 2767. [bug] named could crash on startup if a zone was
+ configured with auto-dnssec and there was no
+ key-directory. [RT #20615]
+
+ 2766. [bug] isc_socket_fdwatchpoke() should only update the
+ socketmgr state if the socket is not pending on a
+ read or write. [RT #20603]
+
+ 2765. [bug] Skip masters for which the TSIG key cannot be found.
+ [RT #20595]
+
+ 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
+
+ 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
+
+ 2762. [bug] DLV validation failed with a local slave DLV zone.
+ [RT #20577]
+
+ 2761. [cleanup] Enable internal symbol table for backtrace only for
+ systems that are known to work. Currently, BSD
+ variants, Linux and Solaris are supported. [RT #20202]
+
+ 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
+
+ 2759. [doc] Add information about .jbk/.jnw files to
+ the ARM. [RT #20303]
+
+ 2758. [bug] win32: Added a workaround for a windows 2008 bug
+ that could cause the UDP client handler to shut
+ down. [RT #19176]
+
+ 2757. [bug] dig: assertion failure could occur in connect
+ timeout. [RT #20599]
+
+ 2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]
+
+ 2755. [placeholder]
+
+ 2754. [bug] Secure-to-insecure transitions failed when zone
+ was signed with NSEC3. [RT #20587]
+
+ 2753. [bug] Removed an unnecessary warning that could appear when
+ building an NSEC chain. [RT #20589]
+
+ 2752. [bug] Locking violation. [RT #20587]
+
+ 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
+
+ 2750. [bug] dig: assertion failure could occur when a server
+ didn't have an address. [RT #20579]
+
+ 2749. [bug] ixfr-from-differences generated a non-minimal ixfr
+ for NSEC3 signed zones. [RT #20452]
+
+ 2748. [func] Identify bad answers from GTLD servers and treat them
+ as referrals. [RT #18884]
+
+ 2747. [bug] Journal roll forwards failed to set the re-signing
+ time of RRSIGs correctly. [RT #20541]
+
+ 2746. [port] hpux: address signed/unsigned expansion mismatch of
+ dns_rbtnode_t.nsec. [RT #20542]
+
+ 2745. [bug] configure script didn't probe the return type of
+ gai_strerror(3) correctly. [RT #20573]
+
+ 2744. [func] Log if a query was over TCP. [RT #19961]
+
+ 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
+ for a insecure delegation.
+
+ --- 9.7.0b2 released ---
+
+ 2742. [cleanup] Clarify some DNSSEC-related log messages in
+ validator.c. [RT #19589]
+
+ 2741. [func] Allow the dnssec-keygen progress messages to be
+ suppressed (dnssec-keygen -q). Automatically
+ suppress the progress messages when stdin is not
+ a tty. [RT #20474]
+
+ 2740. [placeholder]
+
+ 2739. [cleanup] Clean up API for initializing and clearing trust
+ anchors for a view. [RT #20211]
+
+ 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
+ test. [RT #20453]
+
+ 2737. [func] UPDATE requests can leak existence information.
+ [RT #17261]
+
+ 2736. [func] Improve the performance of NSEC signed zones with
+ more than a normal amount of glue below a delegation.
+ [RT #20191]
+
+ 2735. [bug] dnssec-signzone could fail to read keys
+ that were specified on the command line with
+ full paths, but weren't in the current
+ directory. [RT #20421]
+
+ 2734. [port] cygwin: arpaname did not compile. [RT #20473]
+
+ 2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
+
+ 2732. [func] Add optional filter-aaaa-on-v4 option, available
+ if built with './configure --enable-filter-aaaa'.
+ Filters out AAAA answers to clients connecting
+ via IPv4. (This is NOT recommended for general
+ use.) [RT #20339]
+
+ 2731. [func] Additional work on change 2709. The key parser
+ will now ignore unrecognized fields when the
+ minor version number of the private key format
+ has been increased. It will reject any key with
+ the major version number increased. [RT #20310]
+
+ 2730. [func] Have dnssec-keygen display a progress indication
+ a la 'openssl genrsa' on standard error. Note
+ when the first '.' is followed by a long stop
+ one has the choice between slow generation vs.
+ poor random quality, i.e., '-r /dev/urandom'.
+ [RT #20284]
+
+ 2729. [func] When constructing a CNAME from a DNAME use the DNAME
+ TTL. [RT #20451]
+
+ 2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
+ dnssec-signzone now warn immediately if asked to
+ write into a nonexistent directory. [RT #20278]
+
+ 2727. [func] The 'key-directory' option can now specify a relative
+ path. [RT #20154]
+
+ 2726. [func] Added support for SHA-2 DNSSEC algorithms,
+ RSASHA256 and RSASHA512. [RT #20023]
+
+ 2725. [doc] Added information about the file "managed-keys.bind"
+ to the ARM. [RT #20235]
+
+ 2724. [bug] Updates to a existing node in secure zone using NSEC
+ were failing. [RT #20448]
+
+ 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
+ isc_base64_totext(), didn't always mark regions of
+ memory as fully consumed after conversion. [RT #20445]
+
+ 2722. [bug] Ensure that the memory associated with the name of
+ a node in a rbt tree is not altered during the life
+ of the node. [RT #20431]
+
+ 2721. [port] Have dst__entropy_status() prime the random number
+ generator. [RT #20369]
+
+ 2720. [bug] RFC 5011 trust anchor updates could trigger an
+ assert if the DNSKEY record was unsigned. [RT #20406]
+
+ 2719. [func] Skip trusted/managed keys for unsupported algorithms.
+ [RT #20392]
+
+ 2718. [bug] The space calculations in opensslrsa_todns() were
+ incorrect. [RT #20394]
+
+ 2717. [bug] named failed to update the NSEC/NSEC3 record when
+ the last private type record was removed as a result
+ of completing the signing the zone with a key.
+ [RT #20399]
+
+ 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
+
+ --- 9.7.0b1 released ---
+
+ 2715. [bug] Require OpenSSL support to be explicitly disabled.
+ [RT #20288]
+
+ 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
+ flags.
+
+ 2713. [bug] powerpc: atomic operations missing asm("ics") /
+ __isync() calls.
+
+ 2712. [func] New 'auto-dnssec' zone option allows zone signing
+ to be fully automated in zones configured for
+ dynamic DNS. 'auto-dnssec allow;' permits a zone
+ to be signed by creating keys for it in the
+ key-directory and using 'rndc sign <zone>'.
+ 'auto-dnssec maintain;' allows that too, plus it
+ also keeps the zone's DNSSEC keys up to date
+ according to their timing metadata. [RT #19943]
+
+ 2711. [port] win32: Add the bin/pkcs11 tools into the full
+ build. [RT #20372]
+
+ 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
+ zone option cause a zone to be signed with only KSKs
+ signing the DNSKEY RRset, not ZSKs. This reduces
+ the size of a DNSKEY answer. [RT #20340]
+
+ 2709. [func] Added some data fields, currently unused, to the
+ private key file format, to allow implementation
+ of explicit key rollover in a future release
+ without impairing backward or forward compatibility.
+ [RT #20310]
+
+ 2708. [func] Insecure to secure and NSEC3 parameter changes via
+ update are now fully supported and no longer require
+ defines to enable. We now no longer overload the
+ NSEC3PARAM flag field, nor the NSEC OPT bit at the
+ apex. Secure to insecure changes are controlled by
+ by the named.conf option 'secure-to-insecure'.
+
+ Warning: If you had previously enabled support by
+ adding defines at compile time to BIND 9.6 you should
+ ensure that all changes that are in progress have
+ completed prior to upgrading to BIND 9.7. BIND 9.7
+ is not backwards compatible.
+
+ 2707. [func] dnssec-keyfromlabel no longer require engine name
+ to be specified in the label if there is a default
+ engine or the -E option has been used. Also, it
+ now uses default algorithms as dnssec-keygen does
+ (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
+ [RT #20371]
+
+ 2706. [bug] Loading a zone with a very large NSEC3 salt could
+ trigger an assert. [RT #20368]
+
+ 2705. [placeholder]
+
+ 2704. [bug] Serial of dynamic and stub zones could be inconsistent
+ with their SOA serial. [RT #19387]
+
+ 2703. [func] Introduce an OpenSSL "engine" argument with -E
+ for all binaries which can take benefit of
+ crypto hardware. [RT #20230]
+
+ 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
+
+ 2701. [doc] Correction to ARM: hmac-md5 is no longer the only
+ supported TSIG key algorithm. [RT #18046]
+
+ 2700. [doc] The match-mapped-addresses option is discouraged.
+ [RT #12252]
+
+ 2699. [bug] Missing lock in rbtdb.c. [RT #20037]
+
+ 2698. [placeholder]
+
+ 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
+ S_IFREG are defined after including <isc/stat.h>.
+ [RT #20309]
+
+ 2696. [bug] named failed to successfully process some valid
+ acl constructs. [RT #20308]
+
+ 2695. [func] DHCP/DDNS - update fdwatch code for use by
+ DHCP. Modify the api to isc_sockfdwatch_t (the
+ callback function for isc_socket_fdwatchcreate)
+ to include information about the direction (read
+ or write) and add isc_socket_fdwatchpoke.
+ [RT #20253]
+
+ 2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
+ [RT #19970]
+
+ 2693. [port] Add some noreturn attributes. [RT #20257]
+
+ 2692. [port] win32: 32/64 bit cleanups. [RT #20335]
+
+ 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
+ chain when re-signing a previously-signed zone.
+ Use -u to modify NSEC3 parameters or switch
+ between NSEC and NSEC3. [RT #20304]
+
+ 2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
+ [RT #20315]
+
+ 2689. [bug] Correctly handle snprintf result. [RT #20306]
+
+ 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
+ to decide to fetch the destination address. [RT #20305]
+
+ 2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
+ Also, added warnings when revoking a ZSK, as this is
+ not defined by protocol (but is legal). [RT #19943]
+
+ 2686. [bug] dnssec-signzone should clean the old NSEC chain when
+ signing with NSEC3 and vice versa. [RT #20301]
+
+ 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
+
+ 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+ +adflag and +cdflag. [RT #19305]
+
+ 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
+ the NSEC3 parameters used to sign the zone change.
+ [RT #20246]
+
+ 2682. [bug] "configure --enable-symtable=all" failed to
+ build. [RT #20282]
+
+ 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
+ decoded. [RT #20269]
+
+ 2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
+
+ 2679. [func] dig -k can now accept TSIG keys in named.conf
+ format. [RT #20031]
+
+ 2678. [func] Treat DS queries as if "minimal-response yes;"
+ was set. [RT #20258]
+
+ 2677. [func] Changes to key metadata behavior:
+ - Keys without "publish" or "active" dates set will
+ no longer be used for smart signing. However,
+ those dates will be set to "now" by default when
+ a key is created; to generate a key but not use
+ it yet, use dnssec-keygen -G.
+ - New "inactive" date (dnssec-keygen/settime -I)
+ sets the time when a key is no longer used for
+ signing but is still published.
+ - The "unpublished" date (-U) is deprecated in
+ favor of "deleted" (-D).
+ [RT #20247]
+
+ 2676. [bug] --with-export-installdir should have been
+ --with-export-includedir. [RT #20252]
+
+ 2675. [bug] dnssec-signzone could crash if the key directory
+ did not exist. [RT #20232]
+
+ --- 9.7.0a3 released ---
+
+ 2674. [bug] "dnssec-lookaside auto;" crashed if named was built
+ without openssl. [RT #20231]
+
+ 2673. [bug] The managed-keys.bind zone file could fail to
+ load due to a spurious result from sync_keyzone()
+ [RT #20045]
+
+ 2672. [bug] Don't enable searching in 'host' when doing reverse
+ lookups. [RT #20218]
+
+ 2671. [bug] Add support for PKCS#11 providers not returning
+ the public exponent in RSA private keys
+ (OpenCryptoki for instance) in
+ dnssec-keyfromlabel. [RT #19294]
+
+ 2670. [bug] Unexpected connect failures failed to log enough
+ information to be useful. [RT #20205]
+
+ 2669. [func] Update PKCS#11 support to support Keyper HSM.
+ Update PKCS#11 patch to be against openssl-0.9.8i.
+
+ 2668. [func] Several improvements to dnssec-* tools, including:
+ - dnssec-keygen and dnssec-settime can now set key
+ metadata fields 0 (to unset a value, use "none")
+ - dnssec-revoke sets the revocation date in
+ addition to the revoke bit
+ - dnssec-settime can now print individual metadata
+ fields instead of always printing all of them,
+ and can print them in unix epoch time format for
+ use by scripts
+ [RT #19942]
+
+ 2667. [func] Add support for logging stack backtrace on assertion
+ failure (not available for all platforms). [RT #19780]
+
+ 2666. [func] Added an 'options' argument to dns_name_fromstring()
+ (API change from 9.7.0a2). [RT #20196]
+
+ 2665. [func] Clarify syntax for managed-keys {} statement, add
+ ARM documentation about RFC 5011 support. [RT #19874]
+
+ 2664. [bug] create_keydata() and minimal_update() in zone.c
+ didn't properly check return values for some
+ functions. [RT #19956]
+
+ 2663. [func] win32: allow named to run as a service using
+ "NT AUTHORITY\LocalService" as the account. [RT #19977]
+
+ 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
+ returned a misleading error code when lwresd was
+ down. [RT #20028]
+
+ 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
+ creating lwres context. [RT #20029]
+
+ 2660. [func] Add a new set of DNS libraries for non-BIND9
+ applications. See README.libdns. [RT #19369]
+
+ 2659. [doc] Clarify dnssec-keygen doc: key name must match zone
+ name for DNSSEC keys. [RT #19938]
+
+ 2658. [bug] dnssec-settime and dnssec-revoke didn't process
+ key file paths correctly. [RT #20078]
+
+ 2657. [cleanup] Lower "journal file <path> does not exist, creating it"
+ log level to debug 1. [RT #20058]
+
+ 2656. [func] win32: add a "tools only" check box to the installer
+ which causes it to only install dig, host, nslookup,
+ nsupdate and relevant DLLs. [RT #19998]
+
+ 2655. [doc] Document that key-directory does not affect
+ bind.keys, rndc.key or session.key. [RT #20155]
+
+ 2654. [bug] Improve error reporting on duplicated names for
+ deny-answer-xxx. [RT #20164]
+
+ 2653. [bug] Treat ENGINE_load_private_key() failures as key
+ not found rather than out of memory. [RT #18033]
+
+ 2652. [func] Provide more detail about what record is being
+ deleted. [RT #20061]
+
+ 2651. [bug] Dates could print incorrectly in K*.key files on
+ 64-bit systems. [RT #20076]
+
+ 2650. [bug] Assertion failure in dnssec-signzone when trying
+ to read keyset-* files. [RT #20075]
+
+ 2649. [bug] Set the domain for forward only zones. [RT #19944]
+
+ 2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
+
+ 2647. [bug] Remove unnecessary SOA updates when a new KSK is
+ added. [RT #19913]
+
+ 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
+
+ 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
+ which default to 64 bits. [RT #19927]
+
+ --- 9.7.0a2 released ---
+
+ 2644. [bug] Change #2628 caused a regression on some systems;
+ named was unable to write the PID file and would
+ fail on startup. [RT #20001]
+
+ 2643. [bug] Stub zones interacted badly with NSEC3 support.
+ [RT #19777]
+
+ 2642. [bug] nsupdate could dump core on solaris when reading
+ improperly formatted key files. [RT #20015]
+
+ 2641. [bug] Fixed an error in parsing update-policy syntax,
+ added a regression test to check it. [RT #20007]
+
+ 2640. [security] A specially crafted update packet will cause named
+ to exit. [RT #20000]
+
+ 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
+
+ 2638. [bug] Install arpaname. [RT #19957]
+
+ 2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
+ [RT #19959]
+
+ 2636. [func] Simplify zone signing and key maintenance with the
+ dnssec-* tools. Major changes:
+ - all dnssec-* tools now take a -K option to
+ specify a directory in which key files will be
+ stored
+ - DNSSEC can now store metadata indicating when
+ they are scheduled to be published, activated,
+ revoked or removed; these values can be set by
+ dnssec-keygen or overwritten by the new
+ dnssec-settime command
+ - dnssec-signzone -S (for "smart") option reads key
+ metadata and uses it to determine automatically
+ which keys to publish to the zone, use for
+ signing, revoke, or remove from the zone
+ [RT #19816]
+
+ 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
+ [RT #19716]
+
+ 2634. [port] win32: Add support for libxml2, enable
+ statschannel. [RT #19773]
+
+ 2633. [bug] Handle 15 bit rand() functions. [RT #19783]
+
+ 2632. [func] util/kit.sh: warn if documentation appears to be out of
+ date. [RT #19922]
+
+ 2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
+ [RT #19926 ]
+
+ 2630. [func] Improved syntax for DDNS autoconfiguration: use
+ "update-policy local;" to switch on local DDNS in a
+ zone. (The "ddns-autoconf" option has been removed.)
+ [RT #19875]
+
+ 2629. [port] Check for seteuid()/setegid(), use setresuid()/
+ setresgid() if not present. [RT #19932]
+
+ 2628. [port] linux: Allow /var/run/named/named.pid to be opened
+ at startup with reduced capabilities in operation.
+ [RT #19884]
+
+ 2627. [bug] Named aborted if the same key was included in
+ trusted-keys more than once. [RT #19918]
+
+ 2626. [bug] Multiple trusted-keys could trigger an assertion
+ failure. [RT #19914]
+
+ 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
+
+ 2624. [func] 'named-checkconf -p' will print out the parsed
+ configuration. [RT #18871]
+
+ 2623. [bug] Named started searches for DS non-optimally. [RT #19915]
+
+ 2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
+
+ 2621. [doc] Made copyright boilerplate consistent. [RT #19833]
+
+ 2620. [bug] Delay thawing the zone until the reload of it has
+ completed successfully. [RT #19750]
+
+ 2619. [func] Add support for RFC 5011, automatic trust anchor
+ maintenance. The new "managed-keys" statement can
+ be used in place of "trusted-keys" for zones which
+ support this protocol. (Note: this syntax is
+ expected to change prior to 9.7.0 final.) [RT #19248]
+
+ 2618. [bug] The sdb and sdlz db_interator_seek() methods could
+ loop infinitely. [RT #19847]
+
+ 2617. [bug] ifconfig.sh failed to emit an error message when
+ run from the wrong location. [RT #19375]
+
+ 2616. [bug] 'host' used the nameservers from resolv.conf even
+ when a explicit nameserver was specified. [RT #19852]
+
+ 2615. [bug] "__attribute__((unused))" was in the wrong place
+ for ia64 gcc builds. [RT #19854]
+
+ 2614. [port] win32: 'named -v' should automatically be executed
+ in the foreground. [RT #19844]
+
+ 2613. [placeholder]
+
+ --- 9.7.0a1 released ---
+
+ 2612. [func] Add default values for the arguments to
+ dnssec-keygen. Without arguments, it will now
+ generate a 1024-bit RSASHA1 zone-signing key,
+ or with the -f KSK option, a 2048-bit RSASHA1
+ key-signing key. [RT #19300]
+
+ 2611. [func] Add -l option to dnssec-dsfromkey to generate
+ DLV records instead of DS records. [RT #19300]
+
+ 2610. [port] sunos: Change #2363 was not complete. [RT #19796]
+
+ 2609. [func] Simplify the configuration of dynamic zones:
+ - add ddns-confgen command to generate
+ configuration text for named.conf
+ - add zone option "ddns-autoconf yes;", which
+ causes named to generate a TSIG session key
+ and allow updates to the zone using that key
+ - add '-l' (localhost) option to nsupdate, which
+ causes nsupdate to connect to a locally-running
+ named process using the session key generated
+ by named
+ [RT #19284]
+
+ 2608. [func] Perform post signing verification checks in
+ dnssec-signzone. These can be disabled with -P.
+
+ The post sign verification test ensures that for each
+ algorithm in use there is at least one non revoked
+ self signed KSK key. That all revoked KSK keys are
+ self signed. That all records in the zone are signed
+ by the algorithm. [RT #19653]
+
+ 2607. [bug] named could incorrectly delete NSEC3 records for
+ empty nodes when processing a update request.
+ [RT #19749]
+
+ 2606. [bug] "delegation-only" was not being accepted in
+ delegation-only type zones. [RT #19717]
+
+ 2605. [bug] Accept DS responses from delegation only zones.
+ [RT # 19296]
+
+ 2604. [func] Add support for DNS rebinding attack prevention through
+ new options, deny-answer-addresses and
+ deny-answer-aliases. Based on contributed code from
+ JD Nurmi, Google. [RT #18192]
+
+ 2603. [port] win32: handle .exe extension of named-checkzone and
+ named-comilezone argv[0] names under windows.
+ [RT #19767]
+
+ 2602. [port] win32: fix debugging command line build of libisccfg.
+ [RT #19767]
+
+ 2601. [doc] Mention file creation mode mask in the
+ named manual page.
+
+ 2600. [doc] ARM: miscellaneous reformatting for different
+ page widths. [RT #19574]
+
+ 2599. [bug] Address rapid memory growth when validation fails.
+ [RT #19654]
+
+ 2598. [func] Reserve the -F flag. [RT #19657]
+
+ 2597. [bug] Handle a validation failure with a insecure delegation
+ from a NSEC3 signed master/slave zone. [RT #19464]
+
+ 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
+ long, leading to inefficient memory usage or rejecting
+ newer cache entries in the worst case. [RT #19563]
+
+ 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
+
+ 2594. [func] Have rndc warn if using its default configuration
+ file when the key file also exists. [RT #19424]
+
+ 2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
+
+ 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
+
+ 2591. [bug] named could die when processing a update in
+ removed_orphaned_ds(). [RT #19507]
+
+ 2590. [func] Report zone/class of "update with no effect".
+ [RT #19542]
+
+ 2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
+ [RT #19626]
+
+ 2588. [bug] SO_REUSEADDR could be set unconditionally after failure
+ of bind(2) call. This should be rare and mostly
+ harmless, but may cause interference with other
+ processes that happen to use the same port. [RT #19642]
+
+ 2587. [func] Improve logging by reporting serial numbers for
+ when zone serial has gone backwards or unchanged.
+ [RT #19506]
+
+ 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
+ or SDB. [RT #19577]
+
+ 2585. [bug] Uninitialized socket name could be referenced via a
+ statistics channel, triggering an assertion failure in
+ XML rendering. [RT #19427]
+
+ 2584. [bug] alpha: gcc optimization could break atomic operations.
+ [RT #19227]
+
+ 2583. [port] netbsd: provide a control to not add the compile
+ date to the version string, -DNO_VERSION_DATE.
+
+ 2582. [bug] Don't emit warning log message when we attempt to
+ remove non-existent journal. [RT #19516]
+
+ 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
+ Requires MySQL 5.0.19 or later. [RT #19084]
+
+ 2580. [bug] UpdateRej statistics counter could be incremented twice
+ for one rejection. [RT #19476]
+
+ 2579. [bug] DNSSEC lookaside validation failed to handle unknown
+ algorithms. [RT #19479]
+
+ 2578. [bug] Changed default sig-signing-type to 65534, because
+ 65535 turns out to be reserved. [RT #19477]
+
+ 2577. [doc] Clarified some statistics counters. [RT #19454]
+
+ 2576. [bug] NSEC record were not being correctly signed when
+ a zone transitions from insecure to secure.
+ Handle such incorrectly signed zones. [RT #19114]
+
+ 2575. [func] New functions dns_name_fromstring() and
+ dns_name_tostring(), to simplify conversion
+ of a string to a dns_name structure and vice
+ versa. [RT #19451]
+
+ 2574. [doc] Document nsupdate -g and -o. [RT #19351]
+
+ 2573. [bug] Replacing a non-CNAME record with a CNAME record in a
+ single transaction in a signed zone failed. [RT #19397]
+
+ 2572. [func] Simplify DLV configuration, with a new option
+ "dnssec-lookaside auto;" This is the equivalent
+ of "dnssec-lookaside . trust-anchor dlv.isc.org;"
+ plus setting a trusted-key for dlv.isc.org.
+
+ Note: The trusted key is hard-coded into named,
+ but is also stored in (and can be overridden
+ by) $sysconfdir/bind.keys. As the ISC DLV key
+ rolls over it can be kept up to date by replacing
+ the bind.keys file with a key downloaded from
+ https://www.isc.org/solutions/dlv. [RT #18685]
+
+ 2571. [func] Add a new tool "arpaname" which translates IP addresses
+ to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
+ [RT #18976]
+
+ 2570. [func] Log the destination address the query was sent to.
+ [RT #19209]
+
+ 2569. [func] Move journalprint, nsec3hash, and genrandom
+ commands from bin/tests into bin/tools;
+ "make install" will put them in $sbindir. [RT #19301]
+
+ 2568. [bug] Report when the write to indicate a otherwise
+ successful start fails. [RT #19360]
+
+ 2567. [bug] dst__privstruct_writefile() could miss write errors.
+ write_public_key() could miss write errors.
+ dnssec-dsfromkey could miss write errors.
+ [RT #19360]
+
+ 2566. [cleanup] Clarify logged message when an insecure DNSSEC
+ response arrives from a zone thought to be secure:
+ "insecurity proof failed" instead of "not
+ insecure". [RT #19400]
+
+ 2565. [func] Add support for HIP record. Includes new functions
+ dns_rdata_hip_first(), dns_rdata_hip_next()
+ and dns_rdata_hip_current(). [RT #19384]
+
+ 2564. [bug] Only take EDNS fallback steps when processing timeouts.
+ [RT #19405]
+
+ 2563. [bug] Dig could leak a socket causing it to wait forever
+ to exit. [RT #19359]
+
+ 2562. [doc] ARM: miscellaneous improvements, reorganization,
+ and some new content.
+
+ 2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
+
+ 2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
+
+ 2559. [bug] dnssec-dsfromkey could compute bad DS records when
+ reading from a K* files. [RT #19357]
+
+ 2558. [func] Set the ownership of missing directories created
+ for pid-file if -u has been specified on the command
+ line. [RT #19328]
+
+ 2557. [cleanup] PCI compliance:
+ * new libisc log module file
+ * isc_dir_chroot() now also changes the working
+ directory to "/".
+ * additional INSISTs
+ * additional logging when files can't be removed.
+
+ 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
+ error checks in the correct order resulting in the
+ wrong error code sometimes being returned. [RT #19249]
+
+ 2555. [func] dig: when emitting a hex dump also display the
+ corresponding characters. [RT #19258]
+
+ 2554. [bug] Validation of uppercase queries from NSEC3 zones could
+ fail. [RT #19297]
+
+ 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
+
+ 2552. [bug] zero-no-soa-ttl-cache was not being honored.
+ [RT #19340]
+
+ 2551. [bug] Potential Reference leak on return. [RT #19341]
+
+ 2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
+ [RT #19343]
+
+ 2549. [port] linux: define NR_OPEN if not currently defined.
+ [RT #19344]
+
+ 2548. [bug] Install iterated_hash.h. [RT #19335]
+
+ 2547. [bug] openssl_link.c:mem_realloc() could reference an
+ out-of-range area of the source buffer. New public
+ function isc_mem_reallocate() was introduced to address
+ this bug. [RT #19313]
+
+ 2546. [func] Add --enable-openssl-hash configure flag to use
+ OpenSSL (in place of internal routine) for hash
+ functions (MD5, SHA[12] and HMAC). [RT #18815]
+
+ 2545. [doc] ARM: Legal hostname checking (check-names) is
+ for SRV RDATA too. [RT #19304]
+
+ 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
+
+ 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
+
+ 2542. [doc] Update the description of dig +adflag. [RT #19290]
+
+ 2541. [bug] Conditionally update dispatch manager statistics.
+ [RT #19247]
+
+ 2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
+
+ 2539. [security] Update the interaction between recursion, allow-query,
+ allow-query-cache and allow-recursion. [RT #19198]
+
+ 2538. [bug] cache/ADB memory could grow over max-cache-size,
+ especially with threads and smaller max-cache-size
+ values. [RT #19240]
+
+ 2537. [func] Added more statistics counters including those on socket
+ I/O events and query RTT histograms. [RT #18802]
+
+ 2536. [cleanup] Silence some warnings when -Werror=format-security is
+ specified. [RT #19083]
+
+ 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
+
+ 2534. [func] Check NAPTR records regular expressions and
+ replacement strings to ensure they are syntactically
+ valid and consistent. [RT #18168]
+
+ 2533. [doc] ARM: document @ (at-sign). [RT #17144]
+
+ 2532. [bug] dig: check the question section of the response to
+ see if it matches the asked question. [RT #18495]
+
+ 2531. [bug] Change #2207 was incomplete. [RT #19098]
+
+ 2530. [bug] named failed to reject insecure to secure transitions
+ via UPDATE. [RT #19101]
+
+ 2529. [cleanup] Upgrade libtool to silence complaints from recent
+ version of autoconf. [RT #18657]
+
+ 2528. [cleanup] Silence spurious configure warning about
+ --datarootdir [RT #19096]
+
+ 2527. [placeholder]
+
+ 2526. [func] New named option "attach-cache" that allows multiple
+ views to share a single cache to save memory and
+ improve lookup efficiency. Based on contributed code
+ from Barclay Osborn, Google. [RT #18905]
+
+ 2525. [func] New logging category "query-errors" to provide detailed
+ internal information about query failures, especially
+ about server failures. [RT #19027]
+
+ 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
+
+ 2523. [bug] Random type rdata freed by dns_nsec_typepresent().
+ [RT #19112]
+
+ 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
+
+ 2521. [bug] Improve epoll cross compilation support. [RT #19047]
+
+ 2520. [bug] Update xml statistics version number to 2.0 as change
+ #2388 made the schema incompatible to the previous
+ version. [RT #19080]
+
+ 2519. [bug] dig/host with -4 or -6 didn't work if more than two
+ nameserver addresses of the excluded address family
+ preceded in resolv.conf. [RT #19081]
+
+ 2518. [func] Add support for the new CERT types from RFC 4398.
+ [RT #19077]
+
+ 2517. [bug] dig +trace with -4 or -6 failed when it chose a
+ nameserver address of the excluded address type.
+ [RT #18843]
+
+ 2516. [bug] glue sort for responses was performed even when not
+ needed. [RT #19039]
+
+ 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
+ [RT #19063]
+
+ 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
+ a nameserver of the excluded address family.
+ [RT #18848]
+
+ 2513. [bug] Fix windows cli build. [RT #19062]
+
+ 2512. [func] Print a summary of the cached records which make up
+ the negative response. [RT #18885]
+
+ 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
+ [RT #18885]
+
+ 2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
+ [RT #19033]
+
+ 2509. [bug] Specifying a fixed query source port was broken.
+ [RT #19051]
+
+ 2508. [placeholder]
+
+ 2507. [func] Log the recursion quota values when killing the
+ oldest query or refusing to recurse due to quota.
+ [RT #19022]
+
+ 2506. [port] solaris: Check at configure time if
+ hack_shutup_pthreadonceinit is needed. [RT #19037]
+
+ 2505. [port] Treat amd64 similarly to x86_64 when determining
+ atomic operation support. [RT #19031]
+
+ 2504. [bug] Address race condition in the socket code. [RT #18899]
+
+ 2503. [port] linux: improve compatibility with Linux Standard
+ Base. [RT #18793]
+
+ 2502. [cleanup] isc_radix: Improve compliance with coding style,
+ document function in <isc/radix.h>. [RT #18534]
+
+ 2501. [func] $GENERATE now supports all rdata types. Multi-field
+ rdata types need to be quoted. See the ARM for
+ details. [RT #18368]
+
+ 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
+ function. [RT #18582]
+
+ 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
+ [RT #18837]
+
+ --- 9.6.0rc1 released ---
+
+ 2498. [bug] Removed a bogus function argument used with
+ ISC_SOCKET_USE_POLLWATCH: it could cause compiler
+ warning or crash named with the debug 1 level
+ of logging. [RT #18917]
+
+ 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
+ delegation.
+
+ 2496. [bug] Add sanity length checks to NSID option. [RT #18813]
+
+ 2495. [bug] Tighten RRSIG checks. [RT #18795]
+
+ 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
+ installed. [RT #18826]
+
+ 2493. [bug] The linux capabilities code was not correctly cleaning
+ up after itself. [RT #18767]
+
+ 2492. [func] Rndc status now reports the number of cpus discovered
+ and the number of worker threads when running
+ multi-threaded. [RT #18273]
+
+ 2491. [func] Attempt to re-use a local port if we are already using
+ the port. [RT #18548]
+
+ 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
+ is cleared when IPV6_V6ONLY is set. [RT #18785]
+
+ 2489. [port] solaris: Workaround Solaris's kernel bug about
+ /dev/poll:
+ http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
+ Define ISC_SOCKET_USE_POLLWATCH at build time to enable
+ this workaround. [RT #18870]
+
+ 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
+ from keyset and .key files. [RT #18694]
+
+ 2487. [bug] Give TCP connections longer to complete. [RT #18675]
+
+ 2486. [func] The default locations for named.pid and lwresd.pid
+ are now /var/run/named/named.pid and
+ /var/run/lwresd/lwresd.pid respectively.
+
+ This allows the owner of the containing directory
+ to be set, for "named -u" support, and allows there
+ to be a permanent symbolic link in the path, for
+ "named -t" support. [RT #18306]
+
+ 2485. [bug] Change update's the handling of obscured RRSIG
+ records. Not all orphaned DS records were being
+ removed. [RT #18828]
+
+ 2484. [bug] It was possible to trigger a REQUIRE failure when
+ adding NSEC3 proofs to the response in
+ query_addwildcardproof(). [RT #18828]
+
+ 2483. [port] win32: chroot() is not supported. [RT #18805]
+
+ 2482. [port] libxml2: support versions 2.7.* in addition
+ to 2.6.*. [RT #18806]
+
+ --- 9.6.0b1 released ---
+
+ 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
+ collisions. [RT #18812]
+
+ 2480. [bug] named could fail to emit all the required NSEC3
+ records. [RT #18812]
+
+ 2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
+
+ 2478. [bug] 'addresses' could be used uninitialized in
+ configure_forward(). [RT #18800]
+
+ 2477. [bug] dig: the global option to print the command line is
+ +cmd not print_cmd. Update the output to reflect
+ this. [RT #17008]
+
+ 2476. [doc] ARM: improve documentation for max-journal-size and
+ ixfr-from-differences. [RT #15909] [RT #18541]
+
+ 2475. [bug] LRU cache cleanup under overmem condition could purge
+ particular entries more aggressively. [RT #17628]
+
+ 2474. [bug] ACL structures could be allocated with insufficient
+ space, causing an array overrun. [RT #18765]
+
+ 2473. [port] linux: raise the limit on open files to the possible
+ maximum value before spawning threads; 'files'
+ specified in named.conf doesn't seem to work with
+ threads as expected. [RT #18784]
+
+ 2472. [port] linux: check the number of available cpu's before
+ calling chroot as it depends on "/proc". [RT #16923]
+
+ 2471. [bug] named-checkzone was not reporting missing mandatory
+ glue when sibling checks were disabled. [RT #18768]
+
+ 2470. [bug] Elements of the isc_radix_node_t could be incorrectly
+ overwritten. [RT #18719]
+
+ 2469. [port] solaris: Work around Solaris's select() limitations.
+ [RT #18769]
+
+ 2468. [bug] Resolver could try unreachable servers multiple times.
+ [RT #18739]
+
+ 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
+
+ 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
+ [RT #18302]
+
+ 2465. [bug] Adb's handling of lame addresses was different
+ for IPv4 and IPv6. [RT #18738]
+
+ 2464. [port] linux: check that a capability is present before
+ trying to set it. [RT #18135]
+
+ 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
+ API and glibc hides parts of the IPv6 Advanced Socket
+ API as a result. This is stupid as it breaks how the
+ two halves (Basic and Advanced) of the IPv6 Socket API
+ were designed to be used but we have to live with it.
+ Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
+ API. [RT #18388]
+
+ 2462. [doc] Document -m (enable memory usage debugging)
+ option for dig. [RT #18757]
+
+ 2461. [port] sunos: Change #2363 was not complete. [RT #17513]
+
+ --- 9.6.0a1 released ---
+
+ 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
+ [RT #18697]
+
+ 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
+
+ 2458. [doc] ARM: update and correction for max-cache-size.
+ [RT #18294]
+
+ 2457. [tuning] max-cache-size is reverted to 0, the previous
+ default. It should be safe because expired cache
+ entries are also purged. [RT #18684]
+
+ 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
+ address, regardless of family. They now correctly
+ distinguish IPv4 from IPv6. [RT #18559]
+
+ 2455. [bug] Stop metadata being transferred via axfr/ixfr.
+ [RT #18639]
+
+ 2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
+
+ 2453. [bug] Remove NULL pointer dereference in dns_journal_print().
+ [RT #18316]
+
+ 2452. [func] Improve bin/test/journalprint. [RT #18316]
+
+ 2451. [port] solaris: handle runtime linking better. [RT #18356]
+
+ 2450. [doc] Fix lwresd docbook problem for manual page.
+ [RT #18672]
+
+ 2449. [placeholder]
+
+ 2448. [func] Add NSEC3 support. [RT #15452]
+
+ 2447. [cleanup] libbind has been split out as a separate product.
+
+ 2446. [func] Add a new log message about build options on startup.
+ A new command-line option '-V' for named is also
+ provided to show this information. [RT #18645]
+
+ 2445. [doc] ARM out-of-date on empty reverse zones (list includes
+ RFC1918 address, but these are not yet compiled in).
+ [RT #18578]
+
+ 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
+ (clear DF) for UDP responses and requests.
+
+ 2443. [bug] win32: UDP connect() would not generate an event,
+ and so connected UDP sockets would never clean up.
+ Fix this by doing an immediate WSAConnect() rather
+ than an io completion port type for UDP.
+
+ 2442. [bug] A lock could be destroyed twice. [RT #18626]
+
+ 2441. [bug] isc_radix_insert() could copy radix tree nodes
+ incompletely. [RT #18573]
+
+ 2440. [bug] named-checkconf used an incorrect test to determine
+ if an ACL was set to none.
+
+ 2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
+ [RT #18559]
+
+ 2438. [bug] Timeouts could be logged incorrectly under win32.
+
+ 2437. [bug] Sockets could be closed too early, leading to
+ inconsistent states in the socket module. [RT #18298]
+
+ 2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
+
+ 2435. [bug] Fixed an ACL memory leak affecting win32.
+
+ 2434. [bug] Fixed a minor error-reporting bug in
+ lib/isc/win32/socket.c.
+
+ 2433. [tuning] Set initial timeout to 800ms.
+
+ 2432. [bug] More Windows socket handling improvements. Stop
+ using I/O events and use IO Completion Ports
+ throughout. Rewrite the receive path logic to make
+ it easier to support multiple simultaneous
+ requesters in the future. Add stricter consistency
+ checking as a compile-time option (define
+ ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
+
+ 2431. [bug] Acl processing could leak memory. [RT #18323]
+
+ 2430. [bug] win32: isc_interval_set() could round down to
+ zero if the input was less than NS_INTERVAL
+ nanoseconds. Round up instead. [RT #18549]
+
+ 2429. [doc] nsupdate should be in section 1 of the man pages.
+ [RT #18283]
+
+ 2428. [bug] dns_iptable_merge() mishandled merges of negative
+ tables. [RT #18409]
+
+ 2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
+ was set. [RT #18528]
+
+ 2426. [bug] libbind: inet_net_pton() can sometimes return the
+ wrong value if excessively large net masks are
+ supplied. [RT #18512]
+
+ 2425. [bug] named didn't detect unavailable query source addresses
+ at load time. [RT #18536]
+
+ 2424. [port] configure now probes for a working epoll
+ implementation. Allow the use of kqueue,
+ epoll and /dev/poll to be selected at compile
+ time. [RT #18277]
+
+ 2423. [security] Randomize server selection on queries, so as to
+ make forgery a little more difficult. Instead of
+ always preferring the server with the lowest RTT,
+ pick a server with RTT within the same 128
+ millisecond band. [RT #18441]
+
+ 2422. [bug] Handle the special return value of a empty node as
+ if it was a NXRRSET in the validator. [RT #18447]
+
+ 2421. [func] Add new command line option '-S' for named to specify
+ the max number of sockets. [RT #18493]
+ Use caution: this option may not work for some
+ operating systems without rebuilding named.
+
+ 2420. [bug] Windows socket handling cleanup. Let the io
+ completion event send out canceled read/write
+ done events, which keeps us from writing to memory
+ we no longer have ownership of. Add debugging
+ socket_log() function. Rework TCP socket handling
+ to not leak sockets.
+
+ 2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
+ should not be used for isc_sockettype_fdwatch sockets.
+ [RT #18521]
+
+ 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
+ [RT #18430]
+
+ 2417. [bug] Connecting UDP sockets for outgoing queries could
+ unexpectedly fail with an 'address already in use'
+ error. [RT #18411]
+
+ 2416. [func] Log file descriptors that cause exceeding the
+ internal maximum. [RT #18460]
+
+ 2415. [bug] 'rndc dumpdb' could trigger various assertion failures
+ in rbtdb.c. [RT #18455]
+
+ 2414. [bug] A masterdump context held the database lock too long,
+ causing various troubles such as dead lock and
+ recursive lock acquisition. [RT #18311, #18456]
+
+ 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
+
+ 2412. [bug] win32: address a resource leak. [RT #18374]
+
+ 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
+ for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
+ at compilation time. [RT #18433]
+
+ Note: with changes #2469 and #2421 above, there is no
+ need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
+ any more.
+
+ 2410. [bug] Correctly delete m_versionInfo. [RT #18432]
+
+ 2409. [bug] Only log that we disabled EDNS processing if we were
+ subsequently successful. [RT #18029]
+
+ 2408. [bug] A duplicate TCP dispatch event could be sent, which
+ could then trigger an assertion failure in
+ resquery_response(). [RT #18275]
+
+ 2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
+
+ 2406. [placeholder]
+
+ 2405. [cleanup] The default value for dnssec-validation was changed to
+ "yes" in 9.5.0-P1 and all subsequent releases; this
+ was inadvertently omitted from CHANGES at the time.
+
+ 2404. [port] hpux: files unlimited support.
+
+ 2403. [bug] TSIG context leak. [RT #18341]
+
+ 2402. [port] Support Solaris 2.11 and over. [RT #18362]
+
+ 2401. [bug] Expect to get E[MN]FILE errno internal_accept()
+ (from accept() or fcntl() system calls). [RT #18358]
+
+ 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
+ [RT #18297]
+
+ 2399. [placeholder]
+
+ 2398. [bug] Improve file descriptor management. New,
+ temporary, named.conf option reserved-sockets,
+ default 512. [RT #18344]
+
+ 2397. [bug] gssapi_functions had too many elements. [RT #18355]
+
+ 2396. [bug] Don't set SO_REUSEADDR for randomized ports.
+ [RT #18336]
+
+ 2395. [port] Avoid warning and no effect from "files unlimited"
+ on Linux when running as root. [RT #18335]
+
+ 2394. [bug] Default configuration options set the limit for
+ open files to 'unlimited' as described in the
+ documentation. [RT #18331]
+
+ 2393. [bug] nested acls containing keys could trigger an
+ assertion in acl.c. [RT #18166]
+
+ 2392. [bug] remove 'grep -q' from acl test script, some platforms
+ don't support it. [RT #18253]
+
+ 2391. [port] hpux: cover additional recvmsg() error codes.
+ [RT #18301]
+
+ 2390. [bug] dispatch.c could make a false warning on 'odd socket'.
+ [RT #18301].
+
+ 2389. [bug] Move the "working directory writable" check to after
+ the ns_os_changeuser() call. [RT #18326]
+
+ 2388. [bug] Avoid using tables for layout purposes in
+ statistics XSL [RT #18159].
+
+ 2387. [bug] Silence compiler warnings in lib/isc/radix.c.
+ [RT #18147] [RT #18258]
+
+ 2386. [func] Add warning about too small 'open files' limit.
+ [RT #18269]
+
+ 2385. [bug] A condition variable in socket.c could leak in
+ rare error handling [RT #17968].
+
+ 2384. [security] Fully randomize UDP query ports to improve
+ forgery resilience. [RT #17949, #18098]
+
+ 2383. [bug] named could double queries when they resulted in
+ SERVFAIL due to overkilling EDNS0 failure detection.
+ [RT #18182]
+
+ 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
+ to ARM.
+
+ 2381. [port] dlz/mysql: support multiple install layouts for
+ mysql. <prefix>/include/{,mysql/}mysql.h and
+ <prefix>/lib/{,mysql/}. [RT #18152]
+
+ 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
+ proofs which, in turn, caused validation failures
+ for insecure zones immediately below a secure zone
+ the server was authoritative for. [RT #18112]
+
+ 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
+ TLDs and supported RRs with TTLs [RT #17972]
+
+ 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
+ [RT #18169]
+
+ 2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
+
+ 2376. [bug] Change #2144 was not complete.
+
+ 2375. [placeholder]
+
+ 2374. [bug] "blackhole" ACLs could cause named to segfault due
+ to some uninitialized memory. [RT #18095]
+
+ 2373. [bug] Default values of zone ACLs were re-parsed each time a
+ new zone was configured, causing an overconsumption
+ of memory. [RT #18092]
+
+ 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
+
+ 2371. [doc] Add +nsid option to dig man page. [RT #18039]
+
+ 2370. [bug] "rndc freeze" could trigger an assertion in named
+ when called on a nonexistent zone. [RT #18050]
+
+ 2369. [bug] libbind: Array bounds overrun on read in bitncmp().
+ [RT #18054]
+
+ 2368. [port] Linux: use libcap for capability management if
+ possible. [RT #18026]
+
+ 2367. [bug] Improve counting of dns_resstatscounter_retry
+ [RT #18030]
+
+ 2366. [bug] Adb shutdown race. [RT #18021]
+
+ 2365. [bug] Fix a bug that caused dns_acl_isany() to return
+ spurious results. [RT #18000]
+
+ 2364. [bug] named could trigger a assertion when serving a
+ malformed signed zone. [RT #17828]
+
+ 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
+ [RT #17513]
+
+ 2362. [cleanup] Make "rrset-order fixed" a compile-time option.
+ settable by "./configure --enable-fixed-rrset".
+ Disabled by default. [RT #17977]
+
+ 2361. [bug] "recursion" statistics counter could be counted
+ multiple times for a single query. [RT #17990]
+
+ 2360. [bug] Fix a condition where we release a database version
+ (which may acquire a lock) while holding the lock.
+
+ 2359. [bug] Fix NSID bug. [RT #17942]
+
+ 2358. [doc] Update host's default query description. [RT #17934]
+
+ 2357. [port] Don't use OpenSSL's engine support in versions before
+ OpenSSL 0.9.7f. [RT #17922]
+
+ 2356. [bug] Built in mutex profiler was not scalable enough.
+ [RT #17436]
+
+ 2355. [func] Extend the number statistics counters available.
+ [RT #17590]
+
+ 2354. [bug] Failed to initialize some rdatasetheader_t elements.
+ [RT #17927]
+
+ 2353. [func] Add support for Name Server ID (RFC 5001).
+ 'dig +nsid' requests NSID from server.
+ 'request-nsid yes;' causes recursive server to send
+ NSID requests to upstream servers. Server responds
+ to NSID requests with the string configured by
+ 'server-id' option. [RT #17091]
+
+ 2352. [bug] Various GSS_API fixups. [RT #17729]
+
+ 2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
+
+ 2350. [port] win32: IPv6 support. [RT #17797]
+
+ 2349. [func] Provide incremental re-signing support for secure
+ dynamic zones. [RT #1091]
+
+ 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
+ Documentation is in the new README.pkcs11 file.
+ New tool, dnssec-keyfromlabel, which takes the
+ label of a key pair in a HSM and constructs a DNS
+ key pair for use by named and dnssec-signzone.
+ [RT #16844]
+
+ 2347. [bug] Delete now traverses the RB tree in the canonical
+ order. [RT #17451]
+
+ 2346. [func] Memory statistics now cover all active memory contexts
+ in increased detail. [RT #17580]
+
+ 2345. [bug] named-checkconf failed to detect when forwarders
+ were set at both the options/view level and in
+ a root zone. [RT #17671]
+
+ 2344. [bug] Improve "logging{ file ...; };" documentation.
+ [RT #17888]
+
+ 2343. [bug] (Seemingly) duplicate IPv6 entries could be
+ created in ADB. [RT #17837]
+
+ 2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
+
+ 2341. [bug] libbind: add missing -I../include for off source
+ tree builds. [RT #17606]
+
+ 2340. [port] openbsd: interface configuration. [RT #17700]
+
+ 2339. [port] tru64: support for libbind. [RT #17589]
+
+ 2338. [bug] check_ds() could be called with a non DS rdataset.
+ [RT #17598]
+
+ 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
+
+ 2336. [func] If "named -6" is specified then listen on all IPv6
+ interfaces if there are not listen-on-v6 clauses in
+ named.conf. [RT #17581]
+
+ 2335. [port] sunos: libbind and *printf() support for long long.
+ [RT #17513]
+
+ 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
+ bug in fromstruct_txt(). [RT #17609]
+
+ 2333. [bug] Fix off by one error in isc_time_nowplusinterval().
+ [RT #17608]
+
+ 2332. [contrib] query-loc-0.4.0. [RT #17602]
+
+ 2331. [bug] Failure to regenerate any signatures was not being
+ reported nor being past back to the UPDATE client.
+ [RT #17570]
+
+ 2330. [bug] Remove potential race condition when handling
+ over memory events. [RT #17572]
+
+ WARNING: API CHANGE: over memory callback
+ function now needs to call isc_mem_waterack().
+ See <isc/mem.h> for details.
+
+ 2329. [bug] Clearer help text for dig's '-x' and '-i' options.
+
+ 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
+ F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
+ J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
+ M.ROOT-SERVERS.NET.
+
+ 2327. [bug] It was possible to dereference a NULL pointer in
+ rbtdb.c. Implement dead node processing in zones as
+ we do for caches. [RT #17312]
+
+ 2326. [bug] It was possible to trigger a INSIST in the acache
+ processing.
+
+ 2325. [port] Linux: use capset() function if available. [RT #17557]
+
+ 2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
+
+ 2323. [port] tru64: namespace clash. [RT #17547]
+
+ 2322. [port] MacOS: work around the limitation of setrlimit()
+ for RLIMIT_NOFILE. [RT #17526]
+
+ 2321. [placeholder]
+
+ 2320. [func] Make statistics counters thread-safe for platforms
+ that support certain atomic operations. [RT #17466]
+
+ 2319. [bug] Silence Coverity warnings in
+ lib/dns/rdata/in_1/apl_42.c. [RT #17469]
+
+ 2318. [port] sunos fixes for libbind. [RT #17514]
+
+ 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
+
+ 2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
+ [RT #17513]
+
+ 2315. [bug] Used incorrect address family for mapped IPv4
+ addresses in acl.c. [RT #17519]
+
+ 2314. [bug] Uninitialized memory use on error path in
+ bin/named/lwdnoop.c. [RT #17476]
+
+ 2313. [cleanup] Silence Coverity warnings. Handle private stacks.
+ [RT #17447] [RT #17478]
+
+ 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
+ [RT #17458]
+
+ 2311. [bug] IPv6 addresses could match IPv4 ACL entries and
+ vice versa. [RT #17462]
+
+ 2310. [bug] dig, host, nslookup: flush stdout before emitting
+ debug/fatal messages. [RT #17501]
+
+ 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
+ [RT #17455]
+
+ 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
+ [RT #17495]
+
+ 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]
+
+ 2306. [bug] Remove potential race from lib/dns/resolver.c.
+ [RT #17470]
+
+ 2305. [security] inet_network() buffer overflow. CVE-2008-0122.
+
+ 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
+ [RT #17460]
+
+ 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
+ [RT #17471]
+
+ 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]
+
+ 2301. [bug] Remove resource leak and fix error messages in
+ bin/tests/system/lwresd/lwtest.c. [RT #17474]
+
+ 2300. [bug] Fixed failure to close open file in
+ bin/tests/names/t_names.c. [RT #17473]
+
+ 2299. [bug] Remove unnecessary NULL check in
+ bin/nsupdate/nsupdate.c. [RT #17475]
+
+ 2298. [bug] isc_mutex_lock() failure not caught in
+ bin/tests/timers/t_timers.c. [RT #17468]
+
+ 2297. [bug] isc_entropy_createfilesource() failure not caught in
+ bin/tests/dst/t_dst.c. [RT #17467]
+
+ 2296. [port] Allow docbook stylesheet location to be specified to
+ configure. [RT #17457]
+
+ 2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
+ [RT #17459]
+
+ 2294. [func] Allow the experimental statistics channels to have
+ multiple connections and ACL.
+ Note: the stats-server and stats-server-v6 options
+ available in the previous beta releases are replaced
+ with the generic statistics-channels statement.
+
+ 2293. [func] Add ACL regression test. [RT #17375]
+
+ 2292. [bug] Log if the working directory is not writable.
+ [RT #17312]
+
+ 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
+ failure to set PR_SET_DUMPABLE. [RT #17312]
+
+ 2290. [bug] Let AD in the query signal that the client wants AD
+ set in the response. [RT #17301]
+
+ 2289. [func] named-checkzone now reports the out-of-zone CNAME
+ found. [RT #17309]
+
+ 2288. [port] win32: mark service as running when we have finished
+ loading. [RT #17441]
+
+ 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
+
+ 2286. [func] Allow a TCP connection to be used as a weak
+ authentication method for reverse zones.
+ New update-policy methods tcp-self and 6to4-self.
+ [RT #17378]
+
+ 2285. [func] Test framework for client memory context management.
+ [RT #17377]
+
+ 2284. [bug] Memory leak in UPDATE prerequisite processing.
+ [RT #17377]
+
+ 2283. [bug] TSIG keys were not attaching to the memory
+ context. TSIG keys should use the rings
+ memory context rather than the clients memory
+ context. [RT #17377]
+
+ 2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
+
+ 2281. [bug] Attempts to use undefined acls were not being logged.
+ [RT #17307]
+
+ 2280. [func] Allow the experimental http server to be reached
+ over IPv6 as well as IPv4. [RT #17332]
+
+ 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
+ to protect applications from receiving spurious
+ SIGPIPE signals when using the resolver.
+
+ 2278. [bug] win32: handle the case where Windows returns no
+ search list or DNS suffix. [RT #17354]
+
+ 2277. [bug] Empty zone names were not correctly being caught at
+ in the post parse checks. [RT #17357]
+
+ 2276. [bug] Install <dst/gssapi.h>. [RT #17359]
+
+ 2275. [func] Add support to dig to perform IXFR queries over UDP.
+ [RT #17235]
+
+ 2274. [func] Log zone transfer statistics. [RT #17336]
+
+ 2273. [bug] Adjust log level to WARNING when saving inconsistent
+ stub/slave master and journal files. [RT #17279]
+
+ 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
+ [RT #17262]
+
+ 2271. [bug] Fix a memory leak in http server code [RT #17100]
+
+ 2270. [bug] dns_db_closeversion() version->writer could be reset
+ before it is tested. [RT #17290]
+
+ 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]
+
+ 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
+ list.
+
+ --- 9.5.0b1 released ---
+
+ 2267. [bug] Radix tree node_num value could be set incorrectly,
+ causing positive ACL matches to look like negative
+ ones. [RT #17311]
+
+ 2266. [bug] client.c:get_clientmctx() returned the same mctx
+ once the pool of mctx's was filled. [RT #17218]
+
+ 2265. [bug] Test that the memory context's basic_table is non NULL
+ before freeing. [RT #17265]
+
+ 2264. [bug] Server prefix length was being ignored. [RT #17308]
+
+ 2263. [bug] "named-checkconf -z" failed to set default value
+ for "check-integrity". [RT #17306]
+
+ 2262. [bug] Error status from all but the last view could be
+ lost. [RT #17292]
+
+ 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
+
+ 2260. [bug] Reported wrong clients-per-query when increasing the
+ value. [RT #17236]
+
+ 2259. [placeholder]
+
+ --- 9.5.0a7 released ---
+
+ 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
+ [RT #17241]
+
+ 2257. [bug] win32: Use the full path to vcredist_x86.exe when
+ calling it. [RT #17222]
+
+ 2256. [bug] win32: Correctly register the installation location of
+ bindevt.dll. [RT #17159]
+
+ 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.
+
+ 2254. [bug] timer.c:dispatch() failed to lock timer->lock
+ when reading timer->idle allowing it to see
+ intermediate values as timer->idle was reset by
+ isc_timer_touch(). [RT #17243]
+
+ 2253. [func] "max-cache-size" defaults to 32M.
+ "max-acache-size" defaults to 16M.
+
+ 2252. [bug] Fixed errors in sortlist code [RT #17216]
+
+ 2251. [placeholder]
+
+ 2250. [func] New flag 'memstatistics' to state whether the
+ memory statistics file should be written or not.
+ Additionally named's -m option will cause the
+ statistics file to be written. [RT #17113]
+
+ 2249. [bug] Only set Authentic Data bit if client requested
+ DNSSEC, per RFC 3655 [RT #17175]
+
+ 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
+
+ 2247. [doc] Sort doc/misc/options. [RT #17067]
+
+ 2246. [bug] Make the startup of test servers (ans.pl) more
+ robust. [RT #17147]
+
+ 2245. [bug] Validating lack of DS records at trust anchors wasn't
+ working. [RT #17151]
+
+ 2244. [func] Allow the check of nameserver names against the
+ SOA MNAME field to be disabled by specifying
+ 'notify-to-soa yes;'. [RT #17073]
+
+ 2243. [func] Configuration files without a newline at the end now
+ parse without error. [RT #17120]
+
+ 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
+ library could require a source of random data.
+ [RT #17127]
+
+ 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
+
+ 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
+ a number of INSIST()s into plain fatal() errors
+ which report the triggering result code.
+ The 'key' command wasn't disabling GSS-TSIG.
+ [RT #17099]
+
+ 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
+
+ 2238. [bug] It was possible to trigger a REQUIRE when a
+ validation was canceled. [RT #17106]
+
+ 2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
+
+ 2236. [bug] dnssec-signzone failed to preserve the case of
+ of wildcard owner names. [RT #17085]
+
+ 2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
+
+ 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
+
+ 2233. [func] Add support for O(1) ACL processing, based on
+ radix tree code originally written by Kevin
+ Brintnall. [RT #16288]
+
+ 2232. [bug] dns_adb_findaddrinfo() could fail and return
+ ISC_R_SUCCESS. [RT #17137]
+
+ 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
+ [RT #17088]
+
+ 2230. [bug] We could INSIST reading a corrupted journal.
+ [RT #17132]
+
+ 2229. [bug] Null pointer dereference on query pool creation
+ failure. [RT #17133]
+
+ 2228. [contrib] contrib: Change 2188 was incomplete.
+
+ 2227. [cleanup] Tidied up the FAQ. [RT #17121]
+
+ 2226. [placeholder]
+
+ 2225. [bug] More support for systems with no IPv4 addresses.
+ [RT #17111]
+
+ 2224. [bug] Defer journal compaction if a xfrin is in progress.
+ [RT #17119]
+
+ 2223. [bug] Make a new journal when compacting. [RT #17119]
+
+ 2222. [func] named-checkconf now checks server key references.
+ [RT #17097]
+
+ 2221. [bug] Set the event result code to reflect the actual
+ record turned to caller when a cache update is
+ rejected due to a more credible answer existing.
+ [RT #17017]
+
+ 2220. [bug] win32: Address a race condition in final shutdown of
+ the Windows socket code. [RT #17028]
+
+ 2219. [bug] Apply zone consistency checks to additions, not
+ removals, when updating. [RT #17049]
+
+ 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
+ [RT #16976]
+
+ 2217. [func] Adjust update log levels. [RT #17092]
+
+ 2216. [cleanup] Fix a number of errors reported by Coverity.
+ [RT #17094]
+
+ 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
+
+ 2214. [bug] Deregister OpenSSL lock callback when cleaning
+ up. Reorder OpenSSL cleanup so that RAND_cleanup()
+ is called before the locks are destroyed. [RT #17098]
+
+ 2213. [bug] SIG0 diagnostic failure messages were looking at the
+ wrong status code. [RT #17101]
+
+ 2212. [func] 'host -m' now causes memory statistics and active
+ memory to be printed at exit. [RT 17028]
+
+ 2211. [func] Update "dynamic update temporarily disabled" message.
+ [RT #17065]
+
+ 2210. [bug] Deleting class specific records via UPDATE could
+ fail. [RT #17074]
+
+ 2209. [port] osx: linking against user supplied static OpenSSL
+ libraries failed as the system ones were still being
+ found. [RT #17078]
+
+ 2208. [port] win32: make sure both build methods produce the
+ same output. [RT #17058]
+
+ 2207. [port] Some implementations of getaddrinfo() fail to set
+ ai_canonname correctly. [RT #17061]
+
+ --- 9.5.0a6 released ---
+
+ 2206. [security] "allow-query-cache" and "allow-recursion" now
+ cross inherit from each other.
+
+ If allow-query-cache is not set in named.conf then
+ allow-recursion is used if set, otherwise allow-query
+ is used if set, otherwise the default (localnets;
+ localhost;) is used.
+
+ If allow-recursion is not set in named.conf then
+ allow-query-cache is used if set, otherwise allow-query
+ is used if set, otherwise the default (localnets;
+ localhost;) is used.
+
+ [RT #16987]
+
+ 2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
+
+ 2204. [bug] "rndc flushname name unknown-view" caused named
+ to crash. [RT #16984]
+
+ 2203. [security] Query id generation was cryptographically weak.
+ [RT # 16915]
+
+ 2202. [security] The default acls for allow-query-cache and
+ allow-recursion were not being applied. [RT #16960]
+
+ 2201. [bug] The build failed in a separate object directory.
+ [RT #16943]
+
+ 2200. [bug] The search for cached NSEC records was stopping to
+ early leading to excessive DLV queries. [RT #16930]
+
+ 2199. [bug] win32: don't call WSAStartup() while loading dlls.
+ [RT #16911]
+
+ 2198. [bug] win32: RegCloseKey() could be called when
+ RegOpenKeyEx() failed. [RT #16911]
+
+ 2197. [bug] Add INSIST to catch negative responses which are
+ not setting the event result code appropriately.
+ [RT #16909]
+
+ 2196. [port] win32: yield processor while waiting for once to
+ to complete. [RT #16958]
+
+ 2195. [func] dnssec-keygen now defaults to nametype "ZONE"
+ when generating DNSKEYs. [RT #16954]
+
+ 2194. [bug] Close journal before calling 'done' in xfrin.c.
+
+ --- 9.5.0a5 released ---
+
+ 2193. [port] win32: BINDInstall.exe is now linked statically.
+ [RT #16906]
+
+ 2192. [port] win32: use vcredist_x86.exe to install Visual
+ Studio's redistributable dlls if building with
+ Visual Stdio 2005 or later.
+
+ 2191. [func] named-checkzone now allows dumping to stdout (-).
+ named-checkconf now has -h for help.
+ named-checkzone now has -h for help.
+ rndc now has -h for help.
+ Better handling of '-?' for usage summaries.
+ [RT #16707]
+
+ 2190. [func] Make fallback to plain DNS from EDNS due to timeouts
+ more visible. New logging category "edns-disabled".
+ [RT #16871]
+
+ 2189. [bug] Handle socket() returning EINTR. [RT #15949]
+
+ 2188. [contrib] queryperf: autoconf changes to make the search for
+ libresolv or libbind more robust. [RT #16299]
+
+ 2187. [bug] query_addds(), query_addwildcardproof() and
+ query_addnxrrsetnsec() should take a version
+ argument. [RT #16368]
+
+ 2186. [port] cygwin: libbind: check for struct sockaddr_storage
+ independently of IPv6. [RT #16482]
+
+ 2185. [port] sunos: libbind: check for ssize_t, memmove() and
+ memchr(). [RT #16463]
+
+ 2184. [bug] bind9.xsl.h didn't build out of the source tree.
+ [RT #16830]
+
+ 2183. [bug] dnssec-signzone didn't handle offline private keys
+ well. [RT #16832]
+
+ 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
+ could return ISC_R_SUCCESS when they ran out of
+ memory. [RT #16365]
+
+ 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
+
+ 2180. [cleanup] Remove bit test from 'compress_test' as they
+ are no longer needed. [RT #16497]
+
+ 2179. [func] 'rndc command zone' will now find 'zone' if it is
+ unique to all the views. [RT #16821]
+
+ 2178. [bug] 'rndc reload' of a slave or stub zone resulted in
+ a reference leak. [RT #16867]
+
+ 2177. [bug] Array bounds overrun on read (rcodetext) at
+ debug level 10+. [RT #16798]
+
+ 2176. [contrib] dbus update to handle race condition during
+ initialization (Bugzilla 235809). [RT #16842]
+
+ 2175. [bug] win32: windows broadcast condition variable support
+ was broken. [RT #16592]
+
+ 2174. [bug] I/O errors should always be fatal when reading
+ master files. [RT #16825]
+
+ 2173. [port] win32: When compiling with MSVS 2005 SP1 we also
+ need to ship Microsoft.VC80.MFCLOC.
+
+ --- 9.5.0a4 released ---
+
+ 2172. [bug] query_addsoa() was being called with a non zone db.
+ [RT #16834]
+
+ 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
+ servers are not DS aware (DS queries to the parent
+ return a referral to the child).
+
+ 2170. [func] Add acache processing to test suite. [RT #16711]
+
+ 2169. [bug] host, nslookup: when reporting NXDOMAIN report the
+ given name and not the last name searched for.
+ [RT #16763]
+
+ 2168. [bug] nsupdate: in non-interactive mode treat syntax errors
+ as fatal errors. [RT #16785]
+
+ 2167. [bug] When re-using a automatic zone named failed to
+ attach it to the new view. [RT #16786]
+
+ --- 9.5.0a3 released ---
+
+ 2166. [bug] When running in batch mode, dig could misinterpret
+ a server address as a name to be looked up, causing
+ unexpected output. [RT #16743]
+
+ 2165. [func] Allow the destination address of a query to determine
+ if we will answer the query or recurse.
+ allow-query-on, allow-recursion-on and
+ allow-query-cache-on. [RT #16291]
+
+ 2164. [bug] The code to determine how named-checkzone /
+ named-compilezone was called failed under windows.
+ [RT #16764]
+
+ 2163. [bug] If only one of query-source and query-source-v6
+ specified a port the query pools code broke (change
+ 2129). [RT #16768]
+
+ 2162. [func] Allow "rrset-order fixed" to be disabled at compile
+ time. [RT #16665]
+
+ 2161. [bug] Fix which log messages are emitted for 'rndc flush'.
+ [RT #16698]
+
+ 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
+ from getifaddrs(). [RT #16708]
+
+ --- 9.5.0a2 released ---
+
+ 2159. [bug] Array bounds overrun in acache processing. [RT #16710]
+
+ 2158. [bug] ns_client_isself() failed to initialize key
+ leading to a REQUIRE failure. [RT #16688]
+
+ 2157. [func] dns_db_transfernode() created. [RT #16685]
+
+ 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
+ resolver.c:validated() and resolver.c:cache_name().
+ Fix a memory leak in rbtdb.c:free_noqname().
+ Make lookup.c:lookup_find() robust against
+ event leaks. [RT #16685]
+
+ 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
+ [RT #16694]
+
+ 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
+ matched in acls by omitting the scope. [RT #16599]
+
+ 2153. [bug] nsupdate could leak memory. [RT #16691]
+
+ 2152. [cleanup] Use sizeof(buf) instead of fixed number in
+ dighost.c:get_trusted_key(). [RT #16678]
+
+ 2151. [bug] Missing newline in usage message for journalprint.
+ [RT #16679]
+
+ 2150. [bug] 'rrset-order cyclic' uniformly distribute the
+ starting point for the first response for a given
+ RRset. [RT #16655]
+
+ 2149. [bug] isc_mem_checkdestroyed() failed to abort on
+ if there were still active memory contexts.
+ [RT #16672]
+
+ 2148. [func] Add positive logging for rndc commands. [RT #14623]
+
+ 2147. [bug] libbind: remove potential buffer overflow from
+ hmac_link.c. [RT #16437]
+
+ 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
+ SO_BSDCOMPAT" message. [RT #16641]
+
+ 2145. [bug] Check DS/DLV digest lengths for known digests.
+ [RT #16622]
+
+ 2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
+ [RT #16619]
+
+ 2143. [bug] We failed to restart the IPv6 client when the
+ kernel failed to return the destination the
+ packet was sent to. [RT #16613]
+
+ 2142. [bug] Handle master files with a modification time that
+ matches the epoch. [RT #16612]
+
+ 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
+ equivalent of LDH checks). [RT #16609]
+
+ 2140. [bug] libbind: missing unlock on pthread_key_create()
+ failures. [RT #16654]
+
+ 2139. [bug] dns_view_find() was being called with wrong type
+ in adb.c. [RT #16670]
+
+ 2138. [bug] Lock order reversal in resolver.c. [RT #16653]
+
+ 2137. [port] Mips little endian and/or mips 64 bit are now
+ supported for atomic operations. [RT #16648]
+
+ 2136. [bug] nslookup/host looped if there was no search list
+ and the host didn't exist. [RT #16657]
+
+ 2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]
+
+ 2134. [func] Additional statistics support. [RT #16666]
+
+ 2133. [port] powerpc: Support both IBM and MacOS Power PC
+ assembler syntaxes. [RT #16647]
+
+ 2132. [bug] Missing unlock on out of memory in
+ dns_dispatchmgr_setudp().
+
+ 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
+
+ 2130. [func] Log if CD or DO were set. [RT #16640]
+
+ 2129. [func] Provide a pool of UDP sockets for queries to be
+ made over. See use-queryport-pool, queryport-pool-ports
+ and queryport-pool-updateinterval. [RT #16415]
+
+ 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
+
+ 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
+
+ 2126. [security] Serialize validation of type ANY responses. [RT #16555]
+
+ 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
+ was defined. [RT #16574]
+
+ 2124. [security] It was possible to dereference a freed fetch
+ context. [RT #16584]
+
+ --- 9.5.0a1 released ---
+
+ 2123. [func] Use Doxygen to generate internal documentation.
+ [RT #11398]
+
+ 2122. [func] Experimental http server and statistics support
+ for named via xml.
+
+ 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
+ second timeout. [RT #16553]
+
+ 2120. [doc] Fix markup on nsupdate man page. [RT #16556]
+
+ 2119. [compat] libbind: allow res_init() to succeed enough to
+ return the default domain even if it was unable
+ to allocate memory.
+
+ 2118. [bug] Handle response with long chains of domain name
+ compression pointers which point to other compression
+ pointers. [RT #16427]
+
+ 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
+ which could lead to validation failures. named didn't
+ handle negative DS responses that were in the process
+ of being validated. Check CNAME bit before accepting
+ NODATA proof. To be able to ignore a child NSEC there
+ must be SOA (and NS) set in the bitmap. [RT #16399]
+
+ 2116. [bug] 'rndc reload' could cause the cache to continually
+ be cleaned. [RT #16401]
+
+ 2115. [bug] 'rndc reconfig' could trigger a INSIST if the
+ number of masters for a zone was reduced. [RT #16444]
+
+ 2114. [bug] dig/host/nslookup: searches for names with multiple
+ labels were failing. [RT #16447]
+
+ 2113. [bug] nsupdate: if a zone is specified it should be used
+ for server discover. [RT #16455]
+
+ 2112. [security] Warn if weak RSA exponent is used. [RT #16460]
+
+ 2111. [bug] Fix a number of errors reported by Coverity.
+ [RT #16507]
+
+ 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
+ priming queries. [RT #16491]
+
+ 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
+
+ 2108. [func] DHCID support. [RT #16456]
+
+ 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
+
+ 2106. [func] 'rndc status' now reports named's version. [RT #16426]
+
+ 2105. [func] GSS-TSIG support (RFC 3645).
+
+ 2104. [port] Fix Solaris SMF error message.
+
+ 2103. [port] Add /usr/sfw to list of locations for OpenSSL
+ under Solaris.
+
+ 2102. [port] Silence Solaris 10 warnings.
+
+ 2101. [bug] OpenSSL version checks were not quite right.
+ [RT #16476]
+
+ 2100. [port] win32: copy libeay32.dll to Build\Debug.
+ Copy Debug\named-checkzone to Debug\named-compilezone.
+
+ 2099. [port] win32: more manifest issues.
+
+ 2098. [bug] Race in rbtdb.c:no_references(), which occasionally
+ triggered an INSIST failure about the node lock
+ reference. [RT #16411]
+
+ 2097. [bug] named could reference a destroyed memory context
+ after being reloaded / reconfigured. [RT #16428]
+
+ 2096. [bug] libbind: handle applications that fail to detect
+ res_init() failures better.
+
+ 2095. [port] libbind: always prototype inet_cidr_ntop_ipv6() and
+ net_cidr_ntop_ipv6(). [RT #16388]
+
+ 2094. [contrib] Update named-bootconf. [RT #16404]
+
+ 2093. [bug] named-checkzone -s was broken.
+
+ 2092. [bug] win32: dig, host, nslookup. Use registry config
+ if resolv.conf does not exist or no nameservers
+ listed. [RT #15877]
+
+ 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
+
+ 2090. [port] win32: Visual C++ 2005 command line manifest support.
+ [RT #16417]
+
+ 2089. [security] Raise the minimum safe OpenSSL versions to
+ OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
+ prior to these have known security flaws which
+ are (potentially) exploitable in named. [RT #16391]
+
+ 2088. [security] Change the default RSA exponent from 3 to 65537.
+ [RT #16391]
+
+ 2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
+ [RT #16382]
+
+ 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
+ [RT #16403]
+
+ 2085. [doc] win32: added index.html and README to zip. [RT #16201]
+
+ 2084. [contrib] dbus update for 9.3.3rc2.
+
+ 2083. [port] win32: Visual C++ 2005 support.
+
+ 2082. [doc] Document 'cache-file' as a test only option.
+
+ 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
+ [RT #16360]
+
+ 2080. [port] libbind: res_init.c did not compile on older versions
+ of Solaris. [RT #16363]
+
+ 2079. [bug] The lame cache was not handling multiple types
+ correctly. [RT #16361]
+
+ 2078. [bug] dnssec-checkzone output style "default" was badly
+ named. It is now called "relative". [RT #16326]
+
+ 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
+ complete signed zone. [RT #16326]
+
+ 2076. [bug] Several files were missing #include <config.h>
+ causing build failures on OSF. [RT #16341]
+
+ 2075. [bug] The spillat timer event handler could leak memory.
+ [RT #16357]
+
+ 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
+ dns_request_createraw2() and dns_request_createraw3()
+ failed to send multiple UDP requests. [RT #16349]
+
+ 2073. [bug] Incorrect semantics check for update policy "wildcard".
+ [RT #16353]
+
+ 2072. [bug] We were not generating valid HMAC SHA digests.
+ [RT #16320]
+
+ 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
+ [RT #16324]
+
+ 2070. [bug] The remote address was not always displayed when
+ reporting dispatch failures. [RT #16315]
+
+ 2069. [bug] Cross compiling was not working. [RT #16330]
+
+ 2068. [cleanup] Lower incremental tuning message to debug 1.
+ [RT #16319]
+
+ 2067. [bug] 'rndc' could close the socket too early triggering
+ a INSIST under Windows. [RT #16317]
+
+ 2066. [security] Handle SIG queries gracefully. [RT #16300]
+
+ 2065. [bug] libbind: probe for HPUX prototypes for
+ endprotoent_r() and endservent_r(). [RT 16313]
+
+ 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
+
+ 2063. [bug] Change #1955 introduced a bug which caused the first
+ 'rndc flush' call to not free memory. [RT #16244]
+
+ 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
+ been returned by the socket code. [RT #16307]
+
+ 2061. [bug] Accept expired wildcard message reversed. [RT #16296]
+
+ 2060. [bug] Enabling DLZ support could leave views partially
+ configured. [RT #16295]
+
+ 2059. [bug] Search into cache rbtdb could trigger an INSIST
+ failure while cleaning up a stale rdataset.
+ [RT #16292]
+
+ 2058. [bug] Adjust how we calculate rtt estimates in the presence
+ of authoritative servers that drop EDNS and/or CD
+ requests. Also fallback to EDNS/512 and plain DNS
+ faster for zones with less than 3 servers. [RT #16187]
+
+ 2057. [bug] Make setting "ra" dependent on both allow-query-cache
+ and allow-recursion. [RT #16290]
+
+ 2056. [bug] dig: ixfr= was not being treated case insensitively
+ at all times. [RT #15955]
+
+ 2055. [bug] Missing goto after dropping multicast query.
+ [RT #15944]
+
+ 2054. [port] freebsd: do not explicitly link against -lpthread.
+ [RT #16170]
+
+ 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
+
+ 2052. [bug] 'rndc' improve connect failed message to report
+ the failing address. [RT #15978]
+
+ 2051. [port] More strtol() fixes. [RT #16249]
+
+ 2050. [bug] Parsing of NSAP records was not case insensitive.
+ [RT #16287]
+
+ 2049. [bug] Restore SOA before AXFR when falling back from
+ a attempted IXFR when transferring in a zone.
+ Allow a initial SOA query before attempting
+ a AXFR to be requested. [RT #16156]
+
+ 2048. [bug] It was possible to loop forever when using
+ avoid-v4-udp-ports / avoid-v6-udp-ports when
+ the OS always returned the same local port.
+ [RT #16182]
+
+ 2047. [bug] Failed to initialize the interface flags to zero.
+ [RT #16245]
+
+ 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
+ cleanup [RT #16247].
+
+ 2045. [func] Use lock buckets for acache entries to limit memory
+ consumption. [RT #16183]
+
+ 2044. [port] Add support for atomic operations for Itanium.
+ [RT #16179]
+
+ 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
+ for interactive sessions. [RT #16148]
+
+ 2042. [bug] named-checkconf was incorrectly rejecting the
+ logging category "config". [RT #16117]
+
+ 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
+ set of libraries to be linked. [RT #16129]
+
+ 2040. [bug] rbtdb no_references() could trigger an INSIST
+ failure with --enable-atomic. [RT #16022]
+
+ 2039. [func] Check that all buffers passed to the socket code
+ have been retrieved when the socket event is freed.
+ [RT #16122]
+
+ 2038. [bug] dig/nslookup/host was unlinking from wrong list
+ when handling errors. [RT #16122]
+
+ 2037. [func] When unlinking the first or last element in a list
+ check that the list head points to the element to
+ be unlinked. [RT #15959]
+
+ 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
+ [RT #16075]
+
+ 2035. [func] Make falling back to TCP on UDP refresh failure
+ optional. Default "try-tcp-refresh yes;" for BIND 8
+ compatibility. [RT #16123]
+
+ 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
+
+ 2033. [bug] We weren't creating multiple client memory contexts
+ on demand as expected. [RT #16095]
+
+ 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
+
+ 2031. [bug] Emit a error message when "rndc refresh" is called on
+ a non slave/stub zone. [RT # 16073]
+
+ 2030. [bug] We were being overly conservative when disabling
+ openssl engine support. [RT #16030]
+
+ 2029. [bug] host printed out the server multiple times when
+ specified on the command line. [RT #15992]
+
+ 2028. [port] linux: socket.c compatibility for old systems.
+ [RT #16015]
+
+ 2027. [port] libbind: Solaris x86 support. [RT #16020]
+
+ 2026. [bug] Rate limit the two recursive client exceeded messages.
+ [RT #16044]
+
+ 2025. [func] Update "zone serial unchanged" message. [RT #16026]
+
+ 2024. [bug] named emitted spurious "zone serial unchanged"
+ messages on reload. [RT #16027]
+
+ 2023. [bug] "make install" should create ${localstatedir}/run and
+ ${sysconfdir} if they do not exist. [RT #16033]
+
+ 2022. [bug] If dnssec validation is disabled only assert CD if
+ CD was requested. [RT #16037]
+
+ 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]
+
+ 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]
+
+ 2019. [tuning] Reduce the amount of work performed per quantum
+ when cleaning the cache. [RT #15986]
+
+ 2018. [bug] Checking if the HMAC MD5 private file was broken.
+ [RT #15960]
+
+ 2017. [bug] allow-query default was not correct. [RT #15946]
+
+ 2016. [bug] Return a partial answer if recursion is not
+ allowed but requested and we had the answer
+ to the original qname. [RT #15945]
+
+ 2015. [cleanup] use-additional-cache is now acache-enable for
+ consistency. Default acache-enable off in BIND 9.4
+ as it requires memory usage to be configured.
+ It may be enabled by default in BIND 9.5 once we
+ have more experience with it.
+
+ 2014. [func] Statistics about acache now recorded and sent
+ to log. [RT #15976]
+
+ 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
+ responses more gracefully. [RT #15941]
+
+ 2012. [func] Don't insert new acache entries if acache is full.
+ [RT #15970]
+
+ 2011. [func] dnssec-signzone can now update the SOA record of
+ the signed zone, either as an increment or as the
+ system time(). [RT #15633]
+
+ 2010. [placeholder] rt15958
+
+ 2009. [bug] libbind: Coverity fixes. [RT #15808]
+
+ 2008. [func] It is now possible to enable/disable DNSSEC
+ validation from rndc. This is useful for the
+ mobile hosts where the current connection point
+ breaks DNSSEC (firewall/proxy). [RT #15592]
+
+ rndc validation newstate [view]
+
+ 2007. [func] It is now possible to explicitly enable DNSSEC
+ validation. default dnssec-validation no; to
+ be changed to yes in 9.5.0. [RT #15674]
+
+ 2006. [security] Allow-query-cache and allow-recursion now default
+ to the built in acls "localnets" and "localhost".
+
+ This is being done to make caching servers less
+ attractive as reflective amplifying targets for
+ spoofed traffic. This still leave authoritative
+ servers exposed.
+
+ The best fix is for full BCP 38 deployment to
+ remove spoofed traffic.
+
+ 2005. [bug] libbind: Retransmission timeouts should be
+ based on which attempt it is to the nameserver
+ and not the nameserver itself. [RT #13548]
+
+ 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
+ dst_context_destroy() when cleaning up after a
+ error. [RT #15835]
+
+ 2003. [bug] libbind: The DNS name/address lookup functions could
+ occasionally follow a random pointer due to
+ structures not being completely zeroed. [RT #15806]
+
+ 2002. [bug] libbind: tighten the constraints on when
+ struct addrinfo._ai_pad exists. [RT #15783]
+
+ 2001. [func] Check the KSK flag when updating a secure dynamic zone.
+ New zone option "update-check-ksk yes;". [RT #15817]
+
+ 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
+
+ 1999. [func] Implement "rrset-order fixed". [RT #13662]
+
+ 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
+ This allows named to connect to entropy gathering
+ daemons that use fifos instead of sockets. [RT #15840]
+
+ 1997. [bug] Named was failing to replace negative cache entries
+ when a positive one for the type was learnt.
+ [RT #15818]
+
+ 1996. [bug] nsupdate: if a zone has been specified it should
+ appear in the output of 'show'. [RT #15797]
+
+ 1995. [bug] 'host' was reporting multiple "is an alias" messages.
+ [RT #15702]
+
+ 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
+
+ 1993. [bug] Log messages, via syslog, were missing the space
+ after the timestamp if "print-time yes" was specified.
+ [RT #15844]
+
+ 1992. [bug] Not all incoming zone transfer messages included the
+ view. [RT #15825]
+
+ 1991. [cleanup] The configuration data, once read, should be treated
+ as read only. Expand the use of const to enforce this
+ at compile time. [RT #15813]
+
+ 1990. [bug] libbind: isc's override of broken gettimeofday()
+ implementations was not always effective.
+ [RT #15709]
+
+ 1989. [bug] win32: don't check the service password when
+ re-installing. [RT #15882]
+
+ 1988. [bug] Remove a bus error from the SHA256/SHA512 support.
+ [RT #15878]
+
+ 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
+
+ 1986. [func] Report when a zone is removed. [RT #15849]
+
+ 1985. [protocol] DLV has now been assigned a official type code of
+ 32769. [RT #15807]
+
+ Note: care should be taken to ensure you upgrade
+ both named and dnssec-signzone at the same time for
+ zones with DLV records where named is the master
+ server for the zone. Also any zones that contain
+ DLV records should be removed when upgrading a slave
+ zone. You do not however have to upgrade all
+ servers for a zone with DLV records simultaneously.
+
+ 1984. [func] dig, nslookup and host now advertise a 4096 byte
+ EDNS UDP buffer size by default. [RT #15855]
+
+ 1983. [func] Two new update policies. "selfsub" and "selfwild".
+ [RT #12895]
+
+ 1982. [bug] DNSKEY was being accepted on the parent side of
+ a delegation. KEY is still accepted there for
+ RFC 3007 validated updates. [RT #15620]
+
+ 1981. [bug] win32: condition.c:wait() could fail to reattain
+ the mutex lock.
+
+ 1980. [func] dnssec-signzone: output the SOA record as the
+ first record in the signed zone. [RT #15758]
+
+ 1979. [port] linux: allow named to drop core after changing
+ user ids. [RT #15753]
+
+ 1978. [port] Handle systems which have a broken recvmsg().
+ [RT #15742]
+
+ 1977. [bug] Silence noisy log message. [RT #15704]
+
+ 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
+
+ 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
+ hex strings with comments. [RT #15814]
+
+ 1974. [doc] List each of the zone types and associated zone
+ options separately in the ARM.
+
+ 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
+ HMACSHA512 support. [RT #13606]
+
+ 1972. [contrib] DBUS dynamic forwarders integration from
+ Jason Vas Dias <jvdias@redhat.com>.
+
+ 1971. [port] linux: make detection of missing IF_NAMESIZE more
+ robust. [RT #15443]
+
+ 1970. [bug] nsupdate: adjust UDP timeout when falling back to
+ unsigned SOA query. [RT #15775]
+
+ 1969. [bug] win32: the socket code was freeing the socket
+ structure too early. [RT #15776]
+
+ 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
+
+ 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
+
+ 1966. [bug] Don't set CD when we have fallen back to plain DNS.
+ [RT #15727]
+
+ 1965. [func] Suppress spurious "recursion requested but not
+ available" warning with 'dig +qr'. [RT #15780].
+
+ 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
+
+ 1963. [port] Tru64 4.0E doesn't support send() and recv().
+ [RT #15586]
+
+ 1962. [bug] Named failed to clear old update-policy when it
+ was removed. [RT #15491]
+
+ 1961. [bug] Check the port and address of responses forwarded
+ to dispatch. [RT #15474]
+
+ 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
+ [RT #15465]
+
+ 1959. [func] Control the zeroing of the negative response TTL to
+ a soa query. Defaults "zero-no-soa-ttl yes;" and
+ "zero-no-soa-ttl-cache no;". [RT #15460]
+
+ 1958. [bug] Named failed to update the zone's secure state
+ until the zone was reloaded. [RT #15412]
+
+ 1957. [bug] Dig mishandled responses to class ANY queries.
+ [RT #15402]
+
+ 1956. [bug] Improve cross compile support, 'gen' is now built
+ by native compiler. See README for additional
+ cross compile support information. [RT #15148]
+
+ 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
+
+ 1954. [func] Named now falls back to advertising EDNS with a
+ 512 byte receive buffer if the initial EDNS queries
+ fail. [RT #14852]
+
+ 1953. [func] The maximum EDNS UDP response named will send can
+ now be set in named.conf (max-udp-size). This is
+ independent of the advertised receive buffer
+ (edns-udp-size). [RT #14852]
+
+ 1952. [port] hpux: tell the linker to build a runtime link
+ path "-Wl,+b:". [RT #14816].
+
+ 1951. [security] Drop queries from particular well known ports.
+ Don't return FORMERR to queries from particular
+ well known ports. [RT #15636]
+
+ 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
+ a TCP socket. This prevents the source address being
+ set for TCP connections. [RT #15628]
+
+ 1949. [func] Addition memory leakage checks. [RT #15544]
+
+ 1948. [bug] If was possible to trigger a REQUIRE failure in
+ xfrin.c:maybe_free() if named ran out of memory.
+ [RT #15568]
+
+ 1947. [func] It is now possible to configure named to accept
+ expired RRSIGs. Default "dnssec-accept-expired no;".
+ Setting "dnssec-accept-expired yes;" leaves named
+ vulnerable to replay attacks. [RT #14685]
+
+ 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
+ when using forwarders. [RT #15549]
+
+ 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
+ To generate a RSAMD5 key you must explicitly request
+ RSAMD5. [RT #13780]
+
+ 1944. [cleanup] isc_hash_create() does not need a read/write lock.
+ [RT #15522]
+
+ 1943. [bug] Set the loadtime after rolling forward the journal.
+ [RT #15647]
+
+ 1942. [bug] If the name of a DNSKEY match that of one in
+ trusted-keys do not attempt to validate the DNSKEY
+ using the parents DS RRset. [RT #15649]
+
+ 1941. [bug] ncache_adderesult() should set eresult even if no
+ rdataset is passed to it. [RT #15642]
+
+ 1940. [bug] Fixed a number of error conditions reported by
+ Coverity.
+
+ 1939. [bug] The resolver could dereference a null pointer after
+ validation if all the queries have timed out.
+ [RT #15528]
+
+ 1938. [bug] The validator was not correctly handling unsecure
+ negative responses at or below a SEP. [RT #15528]
+
+ 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
+
+ 1936. [bug] The validator could leak memory. [RT #15544]
+
+ 1935. [bug] 'acache' was DO sensitive. [RT #15430]
+
+ 1934. [func] Validate pending NS RRsets, in the authority section,
+ prior to returning them if it can be done without
+ requiring DNSKEYs to be fetched. [RT #15430]
+
+ 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
+
+ 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
+
+ 1931. [bug] Per-client mctx could require a huge amount of memory,
+ particularly for a busy caching server. [RT #15519]
+
+ 1930. [port] HPUX: ia64 support. [RT #15473]
+
+ 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
+
+ 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
+
+ 1927. [bug] Access to soanode or nsnode in rbtdb violated the
+ lock order rule and could cause a dead lock.
+ [RT #15518]
+
+ 1926. [bug] The Windows installer did not check for empty
+ passwords. BINDinstall was being installed in
+ the wrong place. [RT #15483]
+
+ 1925. [port] All outer level AC_TRY_RUNs need cross compiling
+ defaults. [RT #15469]
+
+ 1924. [port] libbind: hpux ia64 support. [RT #15473]
+
+ 1923. [bug] ns_client_detach() called too early. [RT #15499]
+
+ 1922. [bug] check-tool.c:setup_logging() missing call to
+ dns_log_setcontext().
+
+ 1921. [bug] Client memory contexts were not using internal
+ malloc. [RT #15434]
+
+ 1920. [bug] The cache rbtdb lock array was too small to
+ have the desired performance characteristics.
+ [RT #15454]
+
+ 1919. [contrib] queryperf: a set of new features: collecting/printing
+ response delays, printing intermediate results, and
+ adjusting query rate for the "target" qps.
+
+ 1918. [bug] Memory leak when checking acls. [RT #15391]
+
+ 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
+ when generating man pages. [RT #15385]
+
+ 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
+
+ 1915. [bug] dig +ndots was broken. [RT #15215]
+
+ 1914. [protocol] DS is required to accept mnemonic algorithms
+ (RFC 4034). Still emit numeric algorithms for
+ compatibility with RFC 3658. [RT #15354]
+
+ 1913. [func] Integrate contributed DLZ code into named. [RT #11382]
+
+ 1912. [port] aix: atomic locking for powerpc. [RT #15020]
+
+ 1911. [bug] Update windows socket code. [RT #14965]
+
+ 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
+
+ 1909. [bug] The DLV code has been re-worked to make no longer
+ query order sensitive. [RT #14933]
+
+ 1908. [func] dig now warns if 'RA' is not set in the answer when
+ 'RD' was set in the query. host/nslookup skip servers
+ that fail to set 'RA' when 'RD' is set unless a server
+ is explicitly set. [RT #15005]
+
+ 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
+ [RT #15006]
+
+ 1906. [func] dig now has a '-q queryname' and '+showsearch' options.
+ [RT #15034]
+
+ 1905. [bug] Strings returned from cfg_obj_asstring() should be
+ treated as read-only. The prototype for
+ cfg_obj_asstring() has been updated to reflect this.
+ [RT #15256]
+
+ 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
+ friends. Note: RFC 1918 zones are not yet covered by
+ this but are likely to be in a future release.
+
+ New options: empty-server, empty-contact,
+ empty-zones-enable and disable-empty-zone.
+
+ 1903. [func] ISC string copy API.
+
+ 1902. [func] Attempt to make the amount of work performed in a
+ iteration self tuning. The covers nodes clean from
+ the cache per iteration, nodes written to disk when
+ rewriting a master file and nodes destroyed per
+ iteration when destroying a zone or a cache.
+ [RT #14996]
+
+ 1901. [cleanup] Don't add DNSKEY records to the additional section.
+
+ 1900. [bug] ixfr-from-differences failed to ensure that the
+ serial number increased. [RT #15036]
+
+ 1899. [func] named-checkconf now validates update-policy entries.
+ [RT #14963]
+
+ 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
+ ISC_NETADDR_FORMATSIZE to allow for scope details.
+
+ 1897. [func] x86 and x86_64 now have separate atomic locking
+ implementations.
+
+ 1896. [bug] Recursive clients soft quota support wasn't working
+ as expected. [RT #15103]
+
+ 1895. [bug] A escaped character is, potentially, converted to
+ the output character set too early. [RT #14666]
+
+ 1894. [doc] Review ARM for BIND 9.4.
+
+ 1893. [port] Use uintptr_t if available. [RT #14606]
+
+ 1892. [func] Support for SPF rdata type. [RT #15033]
+
+ 1891. [port] freebsd: pthread_mutex_init can fail if it runs out
+ of memory. [RT #14995]
+
+ 1890. [func] Raise the UDP receive buffer size to 32k if it is
+ less than 32k. [RT #14953]
+
+ 1889. [port] sunos: non blocking i/o support. [RT #14951]
+
+ 1888. [func] Support for IPSECKEY rdata type. [RT #14967]
+
+ 1887. [bug] The cache could delete expired records too fast for
+ clients with a virtual time in the past. [RT #14991]
+
+ 1886. [bug] fctx_create() could return success even though it
+ failed. [RT #14993]
+
+ 1885. [func] dig: report the number of extra bytes still left in
+ the packet after processing all the records.
+
+ 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
+
+ 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
+ levels. [RT #14962]
+
+ 1882. [func] Limit the number of recursive clients that can be
+ waiting for a single query (<qname,qtype,qclass>) to
+ resolve. New options clients-per-query and
+ max-clients-per-query.
+
+ 1881. [func] Add a system test for named-checkconf. [RT #14931]
+
+ 1880. [func] The lame cache is now done on a <qname,qclass,qtype>
+ basis as some servers only appear to be lame for
+ certain query types. [RT #14916]
+
+ 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
+ [RT #14892]
+
+ 1878. [func] Detect duplicates of UDP queries we are recursing on
+ and drop them. New stats category "duplicate".
+ [RT #2471]
+
+ 1877. [bug] Fix unreasonably low quantum on call to
+ dns_rbt_destroy2(). Remove unnecessary unhash_node()
+ call. [RT #14919]
+
+ 1876. [func] Additional memory debugging support to track size
+ and mctx arguments. [RT #14814]
+
+ 1875. [bug] process_dhtkey() was using the wrong memory context
+ to free some memory. [RT #14890]
+
+ 1874. [port] sunos: portability fixes. [RT #14814]
+
+ 1873. [port] win32: isc__errno2result() now reports its caller.
+ [RT #13753]
+
+ 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
+
+ 1871. [placeholder]
+
+ 1870. [func] Added framework for handling multiple EDNS versions.
+ [RT #14873]
+
+ 1869. [func] dig can now specify the EDNS version when making
+ a query. [RT #14873]
+
+ 1868. [func] edns-udp-size can now be overridden on a per
+ server basis. [RT #14851]
+
+ 1867. [bug] It was possible to trigger a INSIST in
+ dlv_validatezonekey(). [RT #14846]
+
+ 1866. [bug] resolv.conf parse errors were being ignored by
+ dig/host/nslookup. [RT #14841]
+
+ 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
+ bad addresses. [RT #14841]
+
+ 1864. [bug] Don't try the alternative transfer source if you
+ got a answer / transfer with the main source
+ address. [RT #14802]
+
+ 1863. [bug] rrset-order "fixed" error messages not complete.
+
+ 1862. [func] Add additional zone data constancy checks.
+ named-checkzone has extended checking of NS, MX and
+ SRV record and the hosts they reference.
+ named has extended post zone load checks.
+ New zone options: check-mx and integrity-check.
+ [RT #4940]
+
+ 1861. [bug] dig could trigger a INSIST on certain malformed
+ responses. [RT #14801]
+
+ 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
+ incorrectly set. [RT #14775]
+
+ 1859. [func] Add support for CH A record. [RT #14695]
+
+ 1858. [bug] The flush-zones-on-shutdown option wasn't being
+ parsed. [RT #14686]
+
+ 1857. [bug] named could trigger a INSIST() if reconfigured /
+ reloaded too fast. [RT #14673]
+
+ 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
+ [RT #11398]
+
+ 1855. [bug] ixfr-from-differences was failing to detect changes
+ of ttl due to dns_diff_subtract() was ignoring the ttl
+ of records. [RT #14616]
+
+ 1854. [bug] lwres also needs to know the print format for
+ (long long). [RT #13754]
+
+ 1853. [bug] Rework how DLV interacts with proveunsecure().
+ [RT #13605]
+
+ 1852. [cleanup] Remove last vestiges of dnssec-signkey and
+ dnssec-makekeyset (removed from Makefile years ago).
+
+ 1851. [doc] Doxygen comment markup. [RT #11398]
+
+ 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
+
+ 1849. [doc] All forms of the man pages (docbook, man, html) should
+ have consistent copyright dates.
+
+ 1848. [bug] Improve SMF integration. [RT #13238]
+
+ 1847. [bug] isc_ondestroy_init() is called too late in
+ dns_rbtdb_create()/dns_rbtdb64_create().
+ [RT #13661]
+
+ 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
+ <bortzmeyer@nic.fr>.
+
+ 1845. [bug] Improve error reporting to distinguish between
+ accept()/fcntl() and socket()/fcntl() errors.
+ [RT #13745]
+
+ 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
+ for each 16 bit piece of the IPv6 address. The text
+ representation of a IPv6 address has been tightened
+ to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
+ [RT #5662]
+
+ 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
+ when CFLAGS contains "-I /usr/local/include"
+ resulting in old header files being used.
+
+ 1842. [port] cmsg_len() could produce incorrect results on
+ some platform. [RT #13744]
+
+ 1841. [bug] "dig +nssearch" now makes a recursive query to
+ find the list of nameservers to query. [RT #13694]
+
+ 1840. [func] dnssec-signzone can now randomize signature end times
+ (dnssec-signzone -j jitter). [RT #13609]
+
+ 1839. [bug] <isc/hash.h> was not being installed.
+
+ 1838. [cleanup] Don't allow Linux capabilities to be inherited.
+ [RT #13707]
+
+ 1837. [bug] Compile time option ISC_FACILITY was not effective
+ for 'named -u <user>'. [RT #13714]
+
+ 1836. [cleanup] Silence compiler warnings in hash_test.c.
+
+ 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
+
+ 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
+
+ 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
+
+ 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
+ [RT #13620]
+
+ 1831. [doc] Update named-checkzone documentation. [RT #13604]
+
+ 1830. [bug] adb lame cache has sense of test reversed. [RT #13600]
+
+ 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
+
+ 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
+ encountered a error. [RT #13549]
+
+ 1827. [bug] host: update usage message for '-a'. [RT #37116]
+
+ 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
+ of memory error. [RT #13537]
+
+ 1825. [bug] Missing UNLOCK() on out of memory error from in
+ rbtdb.c:subtractrdataset(). [RT #13519]
+
+ 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
+ [RT #13510]
+
+ 1823. [bug] Wrong macro used to check for point to point interface.
+ [RT #13418]
+
+ 1822. [bug] check-names test for RT was reversed. [RT #13382]
+
+ 1821. [placeholder]
+
+ 1820. [bug] Gracefully handle acl loops. [RT #13659]
+
+ 1819. [bug] The validator needed to check both the algorithm and
+ digest types of the DS to determine if it could be
+ used to introduce a secure zone. [RT #13593]
+
+ 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
+
+ 1817. [func] Add support for additional zone file formats for
+ improving loading performance. The masterfile-format
+ option in named.conf can be used to specify a
+ non-default format. A separate command
+ named-compilezone was provided to generate zone files
+ in the new format. Additionally, the -I and -O options
+ for dnssec-signzone specify the input and output
+ formats.
+
+ 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
+ [RT #13597]
+
+ 1815. [bug] nsupdate triggered a REQUIRE if the server was set
+ without also setting the zone and it encountered
+ a CNAME and was using TSIG. [RT #13086]
+
+ 1814. [func] UNIX domain controls are now supported.
+
+ 1813. [func] Restructured the data locking framework using
+ architecture dependent atomic operations (when
+ available), improving response performance on
+ multi-processor machines significantly.
+ x86, x86_64, alpha, powerpc, and mips are currently
+ supported.
+
+ 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
+ [RT #13453]
+
+ 1811. [func] Preserve the case of domain names in rdata during
+ zone transfers. [RT #13547]
+
+ 1810. [bug] configure, lib/bind/configure make different default
+ decisions about whether to do a threaded build.
+ [RT #13212]
+
+ 1809. [bug] "make distclean" failed for libbind if the platform
+ is not supported.
+
+ 1808. [bug] zone.c:notify_zone() contained a race condition,
+ zone->db could change underneath it. [RT #13511]
+
+ 1807. [bug] When forwarding (forward only) set the active domain
+ from the forward zone name. [RT #13526]
+
+ 1806. [bug] The resolver returned the wrong result when a CNAME /
+ DNAME was encountered when fetching glue from a
+ secure namespace. [RT #13501]
+
+ 1805. [bug] Pending status was not being cleared when DLV was
+ active. [RT #13501]
+
+ 1804. [bug] Ensure that if we are queried for glue that it fits
+ in the additional section or TC is set to tell the
+ client to retry using TCP. [RT #10114]
+
+ 1803. [bug] dnssec-signzone sometimes failed to remove old
+ RRSIGs. [RT #13483]
+
+ 1802. [bug] Handle connection resets better. [RT #11280]
+
+ 1801. [func] Report differences between hints and real NS rrset
+ and associated address records.
+
+ 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
+ [RT #13428]
+
+ 1799. [bug] 'rndc flushname' failed to flush negative cache
+ entries. [RT #13438]
+
+ 1798. [func] The server syntax has been extended to support a
+ range of servers. [RT #11132]
+
+ 1797. [func] named-checkconf now check acls to verify that they
+ only refer to existing acls. [RT #13101]
+
+ 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
+
+ 1795. [bug] "rndc dumpdb" was not fully documented. Minor
+ formatting issues with "rndc dumpdb -all". [RT #13396]
+
+ 1794. [func] Named and named-checkzone can now both check for
+ non-terminal wildcard records.
+
+ 1793. [func] Extend adjusting TTL warning messages. [RT #13378]
+
+ 1792. [func] New zone option "notify-delay". Specify a minimum
+ delay between sets of NOTIFY messages.
+
+ 1791. [bug] 'host -t a' still printed out AAAA and MX records.
+ [RT #13230]
+
+ 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
+ allow parallel make to succeed.
+
+ 1789. [bug] Prerequisite test for tkey and dnssec could fail
+ with "configure --with-libtool".
+
+ 1788. [bug] libbind9.la/libbind9.so needs to link against
+ libisccfg.la/libisccfg.so.
+
+ 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
+
+ 1786. [port] AIX: libt_api needs to be taught to look for
+ T_testlist in the main executable (--with-libtool).
+ [RT #13239]
+
+ 1785. [bug] libbind9.la/libbind9.so needs to link against
+ libisc.la/libisc.so.
+
+ 1784. [cleanup] "libtool -allow-undefined" is the default.
+ Leave hooks in configure to allow it to be set
+ if needed in the future.
+
+ 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
+ source tree.
+
+ 1782. [port] OSX: --with-libtool + --enable-libbind broke on
+ __evOptMonoTime. [RT #13219]
+
+ 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
+
+ 1780. [bug] Update libtool to 1.5.10.
+
+ 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
+
+ 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
+ IN6ADDR_LOOPBACK_INIT macros.
+
+ 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
+ IN6ADDR_LOOPBACK_INIT macros.
+
+ 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
+ IN6ADDR_LOOPBACK_INIT macros.
+
+ 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
+
+ 1774. [port] Aix: Silence compiler warnings / build failures.
+ [RT #13154]
+
+ 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
+
+ 1772. [placeholder]
+
+ 1771. [placeholder]
+
+ 1770. [bug] named-checkconf failed to report missing a missing
+ file clause for rbt{64} master/hint zones. [RT #13009]
+
+ 1769. [port] win32: change compiler flags /MTd ==> /MDd,
+ /MT ==> /MD.
+
+ 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
+ rdataset. [RT #12907]
+
+ 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
+ support for (struct in6_pktinfo) failed. [RT #13077]
+
+ 1766. [bug] Update the master file timestamp on successful refresh
+ as well as the journal's timestamp. [RT #13062]
+
+ 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
+
+ 1764. [bug] dns_zone_replacedb failed to emit a error message
+ if there was no SOA record in the replacement db.
+ [RT #13016]
+
+ 1763. [func] Perform sanity checks on NS records which refer to
+ 'in zone' names. [RT #13002]
+
+ 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
+ even when it failed. [RT #12995]
+
+ 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
+ [RT #12971]
+
+ 1760. [bug] Host / net unreachable was not penalising rtt
+ estimates. [RT #12970]
+
+ 1759. [bug] Named failed to startup if the OS supported IPv6
+ but had no IPv6 interfaces configured. [RT #12942]
+
+ 1758. [func] Don't send notify messages to self. [RT #12933]
+
+ 1757. [func] host now can turn on memory debugging flags with '-m'.
+
+ 1756. [func] named-checkconf now checks the logging configuration.
+ [RT #12352]
+
+ 1755. [func] allow-update is now settable at the options / view
+ level. [RT #6636]
+
+ 1754. [bug] We weren't always attempting to query the parent
+ server for the DS records at the zone cut.
+ [RT #12774]
+
+ 1753. [bug] Don't serve a slave zone which has no NS records.
+ [RT #12894]
+
+ 1752. [port] Move isc_app_start() to after ns_os_daemonise()
+ as some fork() implementations unblock the signals
+ that are blocked by isc_app_start(). [RT #12810]
+
+ 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
+
+ 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
+ [RT #12864]
+
+ 1749. [bug] 'check-names response ignore;' failed to ignore.
+ [RT #12866]
+
+ 1748. [func] dig now returns the byte count for axfr/ixfr.
+
+ 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
+ to parse "host-statistics-max" in named.conf.
+
+ 1746. [func] Make public the function to read a key file,
+ dst_key_read_public(). [RT #12450]
+
+ 1745. [bug] Dig/host/nslookup accept replies from link locals
+ regardless of scope if no scope was specified when
+ query was sent. [RT #12745]
+
+ 1744. [bug] If tuple2msgname() failed to convert a tuple to
+ a name a REQUIRE could be triggered. [RT #12796]
+
+ 1743. [bug] If isc_taskmgr_create() was not able to create the
+ requested number of worker threads then destruction
+ of the manager would trigger an INSIST() failure.
+ [RT #12790]
+
+ 1742. [bug] Deleting all records at a node then adding a
+ previously existing record, in a single UPDATE
+ transaction, failed to leave / regenerate the
+ associated RRSIG records. [RT #12788]
+
+ 1741. [bug] Deleting all records at a node in a secure zone
+ using a update-policy grant failed. [RT #12787]
+
+ 1740. [bug] Replace rbt's hash algorithm as it performed badly
+ with certain zones. [RT #12729]
+
+ NOTE: a hash context now needs to be established
+ via isc_hash_create() if the application was not
+ already doing this.
+
+ 1739. [bug] dns_rbt_deletetree() could incorrectly return
+ ISC_R_QUOTA. [RT #12695]
+
+ 1738. [bug] Enable overrun checking by default. [RT #12695]
+
+ 1737. [bug] named failed if more than 16 masters were specified.
+ [RT #12627]
+
+ 1736. [bug] dst_key_fromnamedfile() could fail to read a
+ public key. [RT #12687]
+
+ 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
+ [RE #12688]
+
+ 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
+ [RT #12588]
+
+ 1733. [bug] Return non-zero exit status on initial load failure.
+ [RT #12658]
+
+ 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
+ [RT #12467]
+
+ 1731. [port] darwin: relax version test in ifconfig.sh.
+ [RT #12581]
+
+ 1730. [port] Determine the length type used by the socket API.
+ [RT #12581]
+
+ 1729. [func] Improve check-names error messages.
+
+ 1728. [doc] Update check-names documentation.
+
+ 1727. [bug] named-checkzone: check-names support didn't match
+ documentation.
+
+ 1726. [port] aix5: add support for aix5.
+
+ 1725. [port] linux: update error message on interaction of threads,
+ capabilities and setuid support (named -u). [RT #12541]
+
+ 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
+ [RT #12557]
+
+ 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
+
+ 1722. [bug] Don't commit the journal on malformed ixfr streams.
+ [RT #12519]
+
+ 1721. [bug] Error message from the journal processing were not
+ always identifying the relevant journal. [RT #12519]
+
+ 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
+ negative response. [RT #12506]
+
+ 1719. [bug] named was not correctly caching a RFC 2308 Type 1
+ negative response. [RT #12506]
+
+ 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
+ responses when looking for the zone / master server.
+ [RT #12506]
+
+ 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
+ "ifconfig.sh down" didn't work for Solaris 9.
+
+ 1716. [doc] named.conf(5) was being installed in the wrong
+ location. [RT #12441]
+
+ 1715. [func] 'dig +trace' now randomly selects the next servers
+ to try. Report if there is a bad delegation.
+
+ 1714. [bug] dig/host/nslookup were only trying the first
+ address when a nameserver was specified by name.
+ [RT #12286]
+
+ 1713. [port] linux: extend capset failure message to say:
+ please ensure that the capset kernel module is
+ loaded. see insmod(8)
+
+ 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
+
+ 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
+
+ 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY
+ messages for the specified zone. [RT #9479]
+
+ 1709. [port] solaris: add SMF support from Sun.
+
+ 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
+ for conformance to the name space convention. Binary
+ backward compatibility to the old function name is
+ provided. [RT #12376]
+
+ 1707. [contrib] sdb/ldap updated to version 1.0-beta.
+
+ 1706. [bug] 'rndc stop' failed to cause zones to be flushed
+ sometimes. [RT #12328]
+
+ 1705. [func] Allow the journal's name to be changed via named.conf.
+
+ 1704. [port] lwres needed a snprintf() implementation for
+ platforms without snprintf(). Add missing
+ "#include <isc/print.h>". [RT #12321]
+
+ 1703. [bug] named would loop sending NOTIFY messages when it
+ failed to receive a response. [RT #12322]
+
+ 1702. [bug] also-notify should not be applied to built in zones.
+ [RT #12323]
+
+ 1701. [doc] A minimal named.conf man page.
+
+ 1700. [func] nslookup is no longer to be treated as deprecated.
+ Remove "deprecated" warning message. Add man page.
+
+ 1699. [bug] dnssec-signzone can generate "not exact" errors
+ when resigning. [RT #12281]
+
+ 1698. [doc] Use reserved IPv6 documentation prefix.
+
+ 1697. [bug] xxx-source{,-v6} was not effective when it
+ specified one of listening addresses and a
+ different port than the listening port. [RT #12257]
+
+ 1696. [bug] dnssec-signzone failed to clean out nodes that
+ consisted of only NSEC and RRSIG records.
+ [RT #12154]
+
+ 1695. [bug] DS records when forwarding require special handling.
+ [RT #12133]
+
+ 1694. [bug] Report if the builtin views of "_default" / "_bind"
+ are defined in named.conf. [RT #12023]
+
+ 1693. [bug] max-journal-size was not effective for master zones
+ with ixfr-from-differences set. [RT #12024]
+
+ 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
+ /usr/lib. [RT #11971]
+
+ 1691. [bug] sdb's attachversion was not complete. [RT #11990]
+
+ 1690. [bug] Delay detaching view from the client until UPDATE
+ processing completes when shutting down. [RT #11714]
+
+ 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
+ contained gratuitous semicolons. [RT #11707]
+
+ 1688. [bug] LDFLAGS was not supported.
+
+ 1687. [bug] Race condition in dispatch. [RT #10272]
+
+ 1686. [bug] Named sent a extraneous NOTIFY when it received a
+ redundant UPDATE request. [RT #11943]
+
+ 1685. [bug] Change #1679 loop tests weren't quite right.
+
+ 1684. [func] ixfr-from-differences now takes master and slave in
+ addition to yes and no at the options and view levels.
+
+ 1683. [bug] dig +sigchase could leak memory. [RT #11445]
+
+ 1682. [port] Update configure test for (long long) printf format.
+ [RT #5066]
+
+ 1681. [bug] Only set SO_REUSEADDR when a port is specified in
+ isc_socket_bind(). [RT #11742]
+
+ 1680. [func] rndc: the source address can now be specified.
+
+ 1679. [bug] When there was a single nameserver with multiple
+ addresses for a zone not all addresses were tried.
+ [RT #11706]
+
+ 1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
+
+ 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
+
+ 1676. [func] New option "allow-query-cache". This lets
+ allow-query be used to specify the default zone
+ access level rather than having to have every
+ zone override the global value. allow-query-cache
+ can be set at both the options and view levels.
+ If allow-query-cache is not set allow-query applies.
+
+ 1675. [bug] named would sometimes add extra NSEC records to
+ the authority section.
+
+ 1674. [port] linux: increase buffer size used to scan
+ /proc/net/if_inet6.
+
+ 1673. [port] linux: issue a error messages if IPv6 interface
+ scans fails.
+
+ 1672. [cleanup] Tests which only function in a threaded build
+ now return R:THREADONLY (rather than R:UNTESTED)
+ in a non-threaded build.
+
+ 1671. [contrib] queryperf: add NAPTR to the list of known types.
+
+ 1670. [func] Log UPDATE requests to slave zones without an acl as
+ "disabled" at debug level 3. [RT #11657]
+
+ 1669. [placeholder]
+
+ 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
+
+ 1667. [port] linux: not all versions have IF_NAMESIZE.
+
+ 1666. [bug] The optional port on hostnames in dual-stack-servers
+ was being ignored.
+
+ 1665. [func] rndc now allows addresses to be set in the
+ server clauses.
+
+ 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
+
+ 1663. [func] Look for OpenSSL by default.
+
+ 1662. [bug] Change #1658 failed to change one use of 'type'
+ to 'keytype'.
+
+ 1661. [bug] Restore dns_name_concatenate() call in
+ adb.c:set_target(). [RT #11582]
+
+ 1660. [bug] win32: connection_reset_fix() was being called
+ unconditionally. [RT #11595]
+
+ 1659. [cleanup] Cleanup some messages that were referring to KEY vs
+ DNSKEY, NXT vs NSEC and SIG vs RRSIG.
+
+ 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
+ and DH. Tighten which options apply to KEY and
+ DNSKEY records.
+
+ 1657. [doc] ARM: document query log output.
+
+ 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
+ DNSKEY and RRSIG. [RT #11542]
+
+ 1655. [bug] Logging multiple versions w/o a size was broken.
+ [RT #11446]
+
+ 1654. [bug] isc_result_totext() contained array bounds read
+ error.
+
+ 1653. [func] Add key type checking to dst_key_fromfilename(),
+ DST_TYPE_KEY should be used to read TSIG, TKEY and
+ SIG(0) keys.
+
+ 1652. [bug] TKEY still uses KEY.
+
+ 1651. [bug] dig: process multiple dash options.
+
+ 1650. [bug] dig, nslookup: flush standard out after each command.
+
+ 1649. [bug] Silence "unexpected non-minimal diff" message.
+ [RT #11206]
+
+ 1648. [func] Update dnssec-lookaside named.conf syntax to support
+ multiple dnssec-lookaside namespaces (not yet
+ implemented).
+
+ 1647. [bug] It was possible trigger a INSIST when chasing a DS
+ record that required walking back over a empty node.
+ [RT #11445]
+
+ 1646. [bug] win32: logging file versions didn't work with
+ non-UNC filenames. [RT #11486]
+
+ 1645. [bug] named could trigger a REQUIRE failure if multiple
+ masters with keys are specified.
+
+ 1644. [bug] Update the journal modification time after a
+ successful refresh query. [RT #11436]
+
+ 1643. [bug] dns_db_closeversion() could leak memory / node
+ references. [RT #11163]
+
+ 1642. [port] Support OpenSSL implementations which don't have
+ DSA support. [RT #11360]
+
+ 1641. [bug] Update the check-names description in ARM. [RT #11389]
+
+ 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
+ incorrectly closing the socket. [RT #11291]
+
+ 1639. [func] Initial dlv system test.
+
+ 1638. [bug] "ixfr-from-differences" could generate a REQUIRE
+ failure if the journal open failed. [RT #11347]
+
+ 1637. [bug] Node reference leak on error in addnoqname().
+
+ 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
+ a error had occurred. The database version no longer
+ matched the version of the database that was dumped.
+
+ 1635. [bug] Memory leak on error in query_addds().
+
+ 1634. [bug] named didn't supply a useful error message when it
+ detected duplicate views. [RT #11208]
+
+ 1633. [bug] named should return NOTIMP to update requests to a
+ slaves without a allow-update-forwarding acl specified.
+ [RT #11331]
+
+ 1632. [bug] nsupdate failed to send prerequisite only UPDATE
+ messages. [RT #11288]
+
+ 1631. [bug] dns_journal_compact() could sometimes corrupt the
+ journal. [RT #11124]
+
+ 1630. [contrib] queryperf: add support for IPv6 transport.
+
+ 1629. [func] dig now supports IPv6 scoped addresses with the
+ extended format in the local-server part. [RT #8753]
+
+ 1628. [bug] Typo in Compaq Trucluster support. [RT #11264]
+
+ 1627. [bug] win32: sockets were not being closed when the
+ last external reference was removed. [RT #11179]
+
+ 1626. [bug] --enable-getifaddrs was broken. [RT #11259]
+
+ 1625. [bug] named failed to load/transfer RFC2535 signed zones
+ which contained CNAMES. [RT #11237]
+
+ 1624. [bug] zonemgr_putio() call should be locked. [RT #11163]
+
+ 1623. [bug] A serial number of zero was being displayed in the
+ "sending notifies" log message when also-notify was
+ used. [RT #11177]
+
+ 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
+ available, and suppress wildcard binding if not.
+
+ 1621. [bug] match-destinations did not work for IPv6 TCP queries.
+ [RT #11156]
+
+ 1620. [func] When loading a zone report if it is signed. [RT #11149]
+
+ 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
+ [RT #11118]
+
+ 1618. [bug] Fencepost errors in dns_name_ishostname() and
+ dns_name_ismailbox() could trigger a INSIST().
+
+ 1617. [port] win32: VC++ 6.0 support.
+
+ 1616. [compat] Ensure that named's version is visible in the core
+ dump. [RT #11127]
+
+ 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
+ it is defined.
+
+ 1614. [port] win32: silence resource limit messages. [RT #11101]
+
+ 1613. [bug] Builds would fail on machines w/o a if_nametoindex().
+ Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
+ [RT #11119]
+
+ 1612. [bug] check-names at the option/view level could trigger
+ an INSIST. [RT #11116]
+
+ 1611. [bug] solaris: IPv6 interface scanning failed to cope with
+ no active IPv6 interfaces.
+
+ 1610. [bug] On dual stack machines "dig -b" failed to set the
+ address type to be looked up with "@server".
+ [RT #11069]
+
+ 1609. [func] dig now has support to chase DNSSEC signature chains.
+ Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
+
+ DNSSEC validation code in dig coded by Olivier Courtay
+ (olivier.courtay@irisa.fr) for the IDsA project
+ (http://idsa.irisa.fr).
+
+ 1608. [func] dig and host now accept -4/-6 to select IP transport
+ to use when making queries.
+
+ 1607. [bug] dig, host and nslookup were still using random()
+ to generate query ids. [RT #11013]
+
+ 1606. [bug] DLV insecurity proof was failing.
+
+ 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
+
+ 1604. [bug] A xfrout_ctx_create() failure would result in
+ xfrout_ctx_destroy() being called with a
+ partially initialized structure.
+
+ 1603. [bug] nsupdate: set interactive based on isatty().
+ [RT #10929]
+
+ 1602. [bug] Logging to a file failed unless a size was specified.
+ [RT #10925]
+
+ 1601. [bug] Silence spurious warning 'both "recursion no;" and
+ "allow-recursion" active' warning from view "_bind".
+ [RT #10920]
+
+ 1600. [bug] Duplicate zone pre-load checks were not case
+ insensitive.
+
+ 1599. [bug] Fix memory leak on error path when checking named.conf.
+
+ 1598. [func] Specify that certain parts of the namespace must
+ be secure (dnssec-must-be-secure).
+
+ 1597. [func] Allow notify-source and query-source to be specified
+ on a per server basis similar to transfer-source.
+ [RT #6496]
+
+ 1596. [func] Accept 'notify-source' style syntax for query-source.
+
+ 1595. [func] New notify type 'master-only'. Enable notify for
+ master zones only.
+
+ 1594. [bug] 'rndc dumpdb' could prevent named from answering
+ queries while the dump was in progress. [RT #10565]
+
+ 1593. [bug] rndc should return "unknown command" to unknown
+ commands. [RT #10642]
+
+ 1592. [bug] configure_view() could leak a dispatch. [RT #10675]
+
+ 1591. [bug] libbind: updated to BIND 8.4.5.
+
+ 1590. [port] netbsd: update thread support.
+
+ 1589. [func] DNSSEC lookaside validation.
+
+ 1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
+
+ 1587. [bug] dns_message_settsigkey() failed to clear existing key.
+ [RT #10590]
+
+ 1586. [func] "check-names" is now implemented.
+
+ 1585. [placeholder]
+
+ 1584. [bug] "make test" failed with a read only source tree.
+ [RT #10461]
+
+ 1583. [bug] Records add via UPDATE failed to get the correct trust
+ level. [RT #10452]
+
+ 1582. [bug] rrset-order failed to work on RRsets with more
+ than 32 elements. [RT #10381]
+
+ 1581. [func] Disable DNSSEC support by default. To enable
+ DNSSEC specify "dnssec-enable yes;" in named.conf.
+
+ 1580. [bug] Zone destruction on final detach takes a long time.
+ [RT #3746]
+
+ 1579. [bug] Multiple task managers could not be created.
+
+ 1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
+ [RT #10346]
+
+ 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
+ workaround code. [RT #10331]
+
+ 1576. [bug] Race condition in dns_dispatch_addresponse().
+ [RT #10272]
+
+ 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
+
+ 1574. [bug] Don't attempt to open the controls socket(s) when
+ running tests. [RT #9091]
+
+ 1573. [port] linux: update to libtool 1.5.2 so that
+ "make install DESTDIR=/xx" works with
+ "configure --with-libtool". [RT #9941]
+
+ 1572. [bug] nsupdate: sign the soa query to find the enclosing
+ zone if the server is specified. [RT #10148]
+
+ 1571. [bug] rbt:hash_node() could fail leaving the hash table
+ in an inconsistent state. [RT #10208]
+
+ 1570. [bug] nsupdate failed to handle classes other than IN.
+ New keyword 'class' which sets the default class.
+ [RT #10202]
+
+ 1569. [func] nsupdate new command 'answer' which displays the
+ complete answer message to the last update.
+
+ 1568. [bug] nsupdate now reports that the update failed in
+ interactive mode. [RT #10236]
+
+ 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.
+
+ 1566. [port] Support for the cmsg framework on Solaris and HP/UX.
+ This also solved the problem that match-destinations
+ for IPv6 addresses did not work on these systems.
+ [RT #10221]
+
+ 1565. [bug] CD flag should be copied to outgoing queries unless
+ the query is under a secure entry point in which case
+ CD should be set.
+
+ 1564. [func] Attempt to provide a fallback entropy source to be
+ used if named is running chrooted and named is unable
+ to open entropy source within the chroot area.
+ [RT #10133]
+
+ 1563. [bug] Gracefully fail when unable to obtain neither an IPv4
+ nor an IPv6 dispatch. [RT #10230]
+
+ 1562. [bug] isc_socket_create() and isc_socket_accept() could
+ leak memory under error conditions. [RT #10230]
+
+ 1561. [bug] It was possible to release the same name twice if
+ named ran out of memory. [RT #10197]
+
+ 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
+ and EAI_NONAME to the same value.
+
+ 1559. [port] named should ignore SIGFSZ.
+
+ 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
+ child zones for which we don't have a supported
+ algorithm. Such child zones are treated as unsigned.
+
+ 1557. [func] Implement missing DNSSEC tests for
+ * NOQNAME proof with wildcard answers.
+ * NOWILDARD proof with NXDOMAIN.
+ Cache and return NOQNAME with wildcard answers.
+
+ 1556. [bug] nsupdate now treats all names as fully qualified.
+ [RT #6427]
+
+ 1555. [func] 'rrset-order cyclic' no longer has a random starting
+ point per query. [RT #7572]
+
+ 1554. [bug] dig, host, nslookup failed when no nameservers
+ were specified in /etc/resolv.conf. [RT #8232]
+
+ 1553. [bug] The windows socket code could stop accepting
+ connections. [RT #10115]
+
+ 1552. [bug] Accept NOTIFY requests from mapped masters if
+ matched-mapped is set. [RT #10049]
+
+ 1551. [port] Open "/dev/null" before calling chroot().
+
+ 1550. [port] Call tzset(), if available, before calling chroot().
+
+ 1549. [func] named-checkzone can now write out the zone contents
+ in a easily parsable format (-D and -o).
+
+ 1548. [bug] When parsing APL records it was possible to silently
+ accept out of range ADDRESSFAMILY values. [RT #9979]
+
+ 1547. [bug] Named wasted memory recording duplicate lame zone
+ entries. [RT #9341]
+
+ 1546. [bug] We were rejecting valid secure CNAME to negative
+ answers.
+
+ 1545. [bug] It was possible to leak memory if named was unable to
+ bind to the specified transfer source and TSIG was
+ being used. [RT #10120]
+
+ 1544. [bug] Named would logged a single entry to a file despite it
+ being over the specified size limit.
+
+ 1543. [bug] Logging using "versions unlimited" did not work.
+
+ 1542. [placeholder]
+
+ 1541. [func] NSEC now uses new bitmap format.
+
+ 1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
+ [RT #8934]
+
+ 1539. [bug] Open UDP sockets for notify-source and transfer-source
+ that use reserved ports at startup. [RT #9475]
+
+ 1538. [placeholder] rt9997
+
+ 1537. [func] New option "querylog". If set specify whether query
+ logging is to be enabled or disabled at startup.
+
+ 1536. [bug] Windows socket code failed to log a error description
+ when returning ISC_R_UNEXPECTED. [RT #9998]
+
+ 1535. [placeholder]
+
+ 1534. [bug] Race condition when priming cache. [RT #9940]
+
+ 1533. [func] Warn if both "recursion no;" and "allow-recursion"
+ are active. [RT #4389]
+
+ 1532. [port] netbsd: the configure test for <sys/sysctl.h>
+ requires <sys/param.h>.
+
+ 1531. [port] AIX more libtool fixes.
+
+ 1530. [bug] It was possible to trigger a INSIST() failure if a
+ slave master file was removed at just the correct
+ moment. [RT #9462]
+
+ 1529. [bug] "notify explicit;" failed to log that NOTIFY messages
+ were being sent for the zone. [RT #9442]
+
+ 1528. [cleanup] Simplify some dns_name_ functions based on the
+ deprecation of bitstring labels.
+
+ 1527. [cleanup] Reduce the number of gettimeofday() calls without
+ losing necessary timer granularity.
+
+ 1526. [func] Implemented "additional section caching (or acache)",
+ an internal cache framework for additional section
+ content to improve response performance. Several
+ configuration options were provided to control the
+ behavior.
+
+ 1525. [bug] dns_cache_create() could trigger a REQUIRE
+ failure in isc_mem_put() during error cleanup.
+ [RT #9360]
+
+ 1524. [port] AIX needs to be able to resolve all symbols when
+ creating shared libraries (--with-libtool).
+
+ 1523. [bug] Fix race condition in rbtdb. [RT #9189]
+
+ 1522. [bug] dns_db_findnode() relax the requirements on 'name'.
+ [RT #9286]
+
+ 1521. [bug] dns_view_createresolver() failed to check the
+ result from isc_mem_create(). [RT #9294]
+
+ 1520. [protocol] Add SSHFP (SSH Finger Print) type.
+
+ 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
+ length of the new bitmap.
+
+ 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
+ contained a off-by-one error when working out the
+ number of octets in the bitmap.
+
+ 1517. [port] Support for IPv6 interface scanning on HP/UX and
+ TrueUNIX 5.1.
+
+ 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
+
+ 1515. [func] Allow transfer source to be set in a server statement.
+ [RT #6496]
+
+ 1514. [bug] named: isc_hash_destroy() was being called too early.
+ [RT #9160]
+
+ 1513. [doc] Add "US" to root-delegation-only exclude list.
+
+ 1512. [bug] Extend the delegation-only logging to return query
+ type, class and responding nameserver.
+
+ 1511. [bug] delegation-only was generating false positives
+ on negative answers from sub-zones.
+
+ 1510. [func] New view option "root-delegation-only". Apply
+ delegation-only check to all TLDs and root.
+ Note there are some TLDs that are NOT delegation
+ only (e.g. DE, LV, US and MUSEUM) these can be excluded
+ from the checks by using exclude.
+
+ root-delegation-only exclude {
+ "DE"; "LV"; "US"; "MUSEUM";
+ };
+
+ 1509. [bug] Hint zones should accept delegation-only. Forward
+ zone should not accept delegation-only.
+
+ 1508. [bug] Don't apply delegation-only checks to answers from
+ forwarders.
+
+ 1507. [bug] Handle BIND 8 style returns to NS queries to parents
+ when making delegation-only checks.
+
+ 1506. [bug] Wrong return type for dns_view_isdelegationonly().
+
+ 1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
+
+ 1504. [func] New zone type "delegation-only".
+
+ 1503. [port] win32: install libeay32.dll outside of system32.
+
+ 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
+
+ 1501. [func] Allow TCP queue length to be specified via
+ named.conf, tcp-listen-queue.
+
+ 1500. [bug] host failed to lookup MX records. Also look up
+ AAAA records.
+
+ 1499. [bug] isc_random need to be seeded better if arc4random()
+ is not used.
+
+ 1498. [port] bsdos: 5.x support.
+
+ 1497. [placeholder]
+
+ 1496. [port] test for pthread_attr_setstacksize().
+
+ 1495. [cleanup] Replace hash functions with universal hash.
+
+ 1494. [security] Turn on RSA BLINDING as a precaution.
+
+ 1493. [placeholder]
+
+ 1492. [cleanup] Preserve rwlock quota context when upgrading /
+ downgrading. [RT #5599]
+
+ 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
+ lines. [RT #6206]
+
+ 1490. [bug] Accept reading state as well as working state in
+ ns_client_next(). [RT #6813]
+
+ 1489. [compat] Treat 'allow-update' on slave zones as a warning.
+ [RT #3469]
+
+ 1488. [bug] Don't override trust levels for glue addresses.
+ [RT #5764]
+
+ 1487. [bug] A REQUIRE() failure could be triggered if a zone was
+ queued for transfer and the zone was then removed.
+ [RT #6189]
+
+ 1486. [bug] isc_print_snprintf() '%%' consumed one too many format
+ characters. [RT #8230]
+
+ 1485. [bug] gen failed to handle high type values. [RT #6225]
+
+ 1484. [bug] The number of records reported after a AXFR was wrong.
+ [RT #6229]
+
+ 1483. [bug] dig axfr failed if the message id in the answer failed
+ to match that in the request. Only the id in the first
+ message is required to match. [RT #8138]
+
+ 1482. [bug] named could fail to start if the kernel supports
+ IPv6 but no interfaces are configured. Similarly
+ for IPv4. [RT #6229]
+
+ 1481. [bug] Refresh and stub queries failed to use masters keys
+ if specified. [RT #7391]
+
+ 1480. [bug] Provide replay protection for rndc commands. Full
+ replay protection requires both rndc and named to
+ be updated. Partial replay protection (limited
+ exposure after restart) is provided if just named
+ is updated.
+
+ 1479. [bug] cfg_create_tuple() failed to handle out of
+ memory cleanup. parse_list() would leak memory
+ on syntax errors.
+
+ 1478. [port] ifconfig.sh didn't account for other virtual
+ interfaces. It now takes a optional argument
+ to specify the first interface number. [RT #3907]
+
+ 1477. [bug] memory leak using stub zones and TSIG.
+
+ 1476. [placeholder]
+
+ 1475. [port] Probe for old sprintf().
+
+ 1474. [port] Provide strtoul() and memmove() for platforms
+ without them.
+
+ 1473. [bug] create_map() and create_string() failed to handle out
+ of memory cleanup. [RT #6813]
+
+ 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
+
+ 1471. [bug] libbind: updated to BIND 8.4.0.
+
+ 1470. [bug] Incorrect length passed to snprintf. [RT #5966]
+
+ 1469. [func] Log end of outgoing zone transfer at same level
+ as the start of transfer is logged. [RT #4441]
+
+ 1468. [func] Internal zones are no longer counted for
+ 'rndc status'. [RT #4706]
+
+ 1467. [func] $GENERATES now supports optional class and ttl.
+
+ 1466. [bug] lwresd configuration errors resulted in memory
+ and lock leaks. [RT #5228]
+
+ 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
+ failed to check that trailing bits were zero allowing
+ some invalid base64 strings to be accepted. [RT #5397]
+
+ 1464. [bug] Preserve "out of zone" data for outgoing zone
+ transfers. [RT #5192]
+
+ 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
+ NXT bit maps. [RT #5577]
+
+ 1462. [bug] parse_sizeval() failed to check the token type.
+ [RT #5586]
+
+ 1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
+
+ 1460. [bug] inet_pton() failed to reject certain malformed
+ IPv6 literals.
+
+ 1459. [placeholder]
+
+ 1458. [cleanup] sprintf() -> snprintf().
+
+ 1457. [port] Provide strlcat() and strlcpy() for platforms without
+ them.
+
+ 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
+
+ 1455. [bug] <netaddr> missing from server grammar in
+ doc/misc/options. [RT #5616]
+
+ 1454. [port] Use getifaddrs() if available for interface scanning.
+ --disable-getifaddrs to override. Glibc currently
+ has a getifaddrs() that does not support IPv6.
+ Use --enable-getifaddrs=glibc to force the use of
+ this version under linux machines.
+
+ 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
+
+ 1452. [placeholder]
+
+ 1451. [bug] rndc-confgen didn't exit with a error code for all
+ failures. [RT #5209]
+
+ 1450. [bug] Fetching expired glue failed under certain
+ circumstances. [RT #5124]
+
+ 1449. [bug] query_addbestns() didn't handle running out of memory
+ gracefully.
+
+ 1448. [bug] Handle empty wildcards labels.
+
+ 1447. [bug] We were casting (unsigned int) to and from (void *).
+ rdataset->private4 is now rdataset->privateuint4
+ to reflect a type change.
+
+ 1446. [func] Implemented undocumented alternate transfer sources
+ from BIND 8. See use-alt-transfer-source,
+ alt-transfer-source and alt-transfer-source-v6.
+
+ SECURITY: use-alt-transfer-source is ENABLED unless
+ you are using views. This may cause a security risk
+ resulting in accidental disclosure of wrong zone
+ content if the master supplying different source
+ content based on IP address. If you are not certain
+ ISC recommends setting use-alt-transfer-source no;
+
+ 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
+ been replaced with DNS_ADBFIND_STARTATZONE which
+ causes the search to start using the closest zone.
+
+ 1444. [func] dns_view_findzonecut2() allows you to specify if the
+ cache should be searched for zone cuts.
+
+ 1443. [func] Masters lists can now be specified and referenced
+ in zone masters clauses and other masters lists.
+
+ 1442. [func] New functions for manipulating port lists:
+ dns_portlist_create(), dns_portlist_add(),
+ dns_portlist_remove(), dns_portlist_match(),
+ dns_portlist_attach() and dns_portlist_detach().
+
+ 1441. [func] It is now possible to tell dig to bind to a specific
+ source port.
+
+ 1440. [func] It is now possible to tell named to avoid using
+ certain source ports (avoid-v4-udp-ports,
+ avoid-v6-udp-ports).
+
+ 1439. [bug] Named could return NOERROR with certain NOTIFY
+ failures. Return NOTAUTH if the NOTIFY zone is
+ not being served.
+
+ 1438. [func] Log TSIG (if any) when logging NOTIFY requests.
+
+ 1437. [bug] Leave space for stdio to work in. [RT #5033]
+
+ 1436. [func] dns_zonemgr_resumexfrs() can be used to restart
+ stalled transfers.
+
+ 1435. [bug] zmgr_resume_xfrs() was being called read locked
+ rather than write locked. zmgr_resume_xfrs()
+ was not being called if the zone was being
+ shutdown.
+
+ 1434. [bug] "rndc reconfig" failed to initiate the initial
+ zone transfer of new slave zones.
+
+ 1433. [bug] named could trigger a REQUIRE failure if it could
+ not get a file descriptor when attempting to write
+ a master file. [RT #4347]
+
+ 1432. [func] The advertised EDNS UDP buffer size can now be set
+ via named.conf (edns-udp-size).
+
+ 1431. [bug] isc_print_snprintf() "%s" with precision could walk off
+ end of argument. [RT #5191]
+
+ 1430. [port] linux: IPv6 interface scanning support.
+
+ 1429. [bug] Prevent the cache getting locked to old servers.
+
+ 1428. [placeholder]
+
+ 1427. [bug] Race condition in adb with threaded build.
+
+ 1426. [placeholder]
+
+ 1425. [port] linux/libbind: define __USE_MISC when testing *_r()
+ function prototypes in netdb.h. [RT #4921]
+
+ 1424. [bug] EDNS version not being correctly printed.
+
+ 1423. [contrib] queryperf: added A6 and SRV.
+
+ 1422. [func] Log name/type/class when denying a query. [RT #4663]
+
+ 1421. [func] Differentiate updates that don't succeed due to
+ prerequisites (unsuccessful) vs other reasons
+ (failed).
+
+ 1420. [port] solaris: work around gcc optimizer bug.
+
+ 1419. [port] openbsd: use /dev/arandom. [RT #4950]
+
+ 1418. [bug] 'rndc reconfig' did not cause new slaves to load.
+
+ 1417. [func] ID.SERVER/CHAOS is now a built in zone.
+ See "server-id" for how to configure.
+
+ 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
+ [RT #4715]
+
+ 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
+ from SOA MINIMUM.
+
+ 1414. [func] Support for KSK flag.
+
+ 1413. [func] Explicitly request the (re-)generation of DS records
+ from keysets (dnssec-signzone -g).
+
+ 1412. [func] You can now specify servers to be tried if a nameserver
+ has IPv6 address and you only support IPv4 or the
+ reverse. See dual-stack-servers.
+
+ 1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
+
+ 1410. [func] Handle records that live in the parent zone, e.g. DS.
+
+ 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
+
+ 1408. [bug] "make distclean" was not complete. [RT #4700]
+
+ 1407. [bug] lfsr incorrectly implements the shift register.
+ [RT #4617]
+
+ 1406. [bug] dispatch initializes one of the LFSR's with a incorrect
+ polynomial. [RT #4617]
+
+ 1405. [func] Use arc4random() if available.
+
+ 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
+ buffer.
+
+ 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
+ dnssec-signkey now report their version in the
+ usage message.
+
+ 1402. [cleanup] A6 has been moved to experimental and is no longer
+ fully supported.
+
+ 1401. [bug] adb wasn't clearing state when the timer expired.
+
+ 1400. [bug] Block the addition of wildcard NS records by IXFR
+ or UPDATE. [RT #3502]
+
+ 1399. [bug] Use serial number arithmetic when testing SIG
+ timestamps. [RT #4268]
+
+ 1398. [doc] ARM: notify-also should have been also-notify.
+ [RT #4345]
+
+ 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.
+
+ 1396. [func] dnssec-signzone: adjust the default signing time by
+ 1 hour to allow for clock skew.
+
+ 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
+ have a working implementation. [RT #4079]
+
+ 1394. [func] It is now possible to check if a particular element is
+ in a acl. Remove duplicate entries from the localnets
+ acl.
+
+ 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
+ is not available in the kernel to prevent accidentally
+ listening on IPv4 interfaces.
+
+ 1392. [bug] named-checkzone: update usage.
+
+ 1391. [func] Add support for IPv6 scoped addresses in named.
+
+ 1390. [func] host now supports ixfr.
+
+ 1389. [bug] named could fail to rotate long log files. [RT #3666]
+
+ 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
+ defining HAVE_IFLIST_SYSCTL. [RT #3770]
+
+ 1387. [bug] named could crash due to an access to invalid memory
+ space (which caused an assertion failure) in
+ incremental cleaning. [RT #3588]
+
+ 1386. [bug] named-checkzone -z stopped on errors in a zone.
+ [RT #3653]
+
+ 1385. [bug] Setting serial-query-rate to 10 would trigger a
+ REQUIRE failure.
+
+ 1384. [bug] host was incompatible with BIND 8 in its exit code and
+ in the output with the -l option. [RT #3536]
+
+ 1383. [func] Track the serial number in a IXFR response and log if
+ a mismatch occurs. This is a more specific error than
+ "not exact". [RT #3445]
+
+ 1382. [bug] make install failed with --enable-libbind. [RT #3656]
+
+ 1381. [bug] named failed to correctly process answers that
+ contained DNAME records where the resulting CNAME
+ resulted in a negative answer.
+
+ 1380. [func] 'rndc recursing' dump recursing queries to
+ 'recursing-file = "named.recursing";'.
+
+ 1379. [func] 'rndc status' now reports tcp and recursion quota
+ states.
+
+ 1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
+
+ 1377. [func] dns_zone_load{new}() now reports if the zone was
+ loaded, queued for loading to up to date.
+
+ 1376. [func] New function dns_zone_logc() to log to specified
+ category.
+
+ 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
+ data cache.
+
+ 1374. [func] dns_adb_dump() now logs the lame zones associated
+ with each server.
+
+ 1373. [bug] Recovery from expired glue failed under certain
+ circumstances.
+
+ 1372. [bug] named crashes with an assertion failure on exit when
+ sharing the same port for listening and querying, and
+ changing listening addresses several times. [RT #3509]
+
+ 1371. [bug] notify-source-v6, transfer-source-v6 and
+ query-source-v6 with explicit addresses and using the
+ same ports as named was listening on could interfere
+ with named's ability to answer queries sent to those
+ addresses.
+
+ 1370. [bug] dig '+[no]recurse' was incorrectly documented.
+
+ 1369. [bug] Adding an NS record as the lexicographically last
+ record in a secure zone didn't work.
+
+ 1368. [func] remove support for bitstring labels.
+
+ 1367. [func] Use response times to select forwarders.
+
+ 1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
+
+ 1365. [func] "localhost" and "localnets" acls now include IPv6
+ addresses / prefixes.
+
+ 1364. [func] Log file name when unable to open memory statistics
+ and dump database files. [RT #3437]
+
+ 1363. [func] Listen-on-v6 now supports specific addresses.
+
+ 1362. [bug] remove IFF_RUNNING test when scanning interfaces.
+
+ 1361. [func] log the reason for rejecting a server when resolving
+ queries.
+
+ 1360. [bug] --enable-libbind would fail when not built in the
+ source tree for certain OS's.
+
+ 1359. [security] Support patches OpenSSL libraries.
+ http://www.cert.org/advisories/CA-2002-23.html
+
+ 1358. [bug] It was possible to trigger a INSIST when debugging
+ large dynamic updates. [RT #3390]
+
+ 1357. [bug] nsupdate was extremely wasteful of memory.
+
+ 1356. [tuning] Reduce the number of events / quantum for zone tasks.
+
+ 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
+
+ 1354. [doc] lwres man pages had illegal nroff.
+
+ 1353. [contrib] sdb/ldap to version 0.9.
+
+ 1352. [bug] dig, host, nslookup when falling back to TCP use the
+ current search entry (if any). [RT #3374]
+
+ 1351. [bug] lwres_getipnodebyname() returned the wrong name
+ when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
+ was set.
+
+ 1350. [bug] dns_name_fromtext() failed to handle too many labels
+ gracefully.
+
+ 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
+ http://www.cert.org/advisories/CA-2002-23.html
+
+ 1348. [port] win32: Rewrote code to use I/O Completion Ports
+ in socket.c and eliminating a host of socket
+ errors. Performance is enhanced.
+
+ 1347. [placeholder]
+
+ 1346. [placeholder]
+
+ 1345. [port] Use a explicit -Wformat with gcc. Not all versions
+ include it in -Wall.
+
+ 1344. [func] Log if the serial number on the master has gone
+ backwards.
+ If you have multiple machines specified in the masters
+ clause you may want to set 'multi-master yes;' to
+ suppress this warning.
+
+ 1343. [func] Log successful notifies received (info). Adjust log
+ level for failed notifies to notice.
+
+ 1342. [func] Log remote address with TCP dispatch failures.
+
+ 1341. [func] Allow a rate limiter to be stalled.
+
+ 1340. [bug] Delay and spread out the startup refresh load.
+
+ 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
+ lookups. Bit string lookups are no longer attempted.
+
+ 1338. [placeholder]
+
+ 1337. [placeholder]
+
+ 1336. [func] Nibble lookups under IP6.ARPA are now supported by
+ dns_byaddr_create(). dns_byaddr_createptrname() is
+ deprecated, use dns_byaddr_createptrname2() instead.
+
+ 1335. [bug] When performing a nonexistence proof, the validator
+ should discard parent NXTs from higher in the DNS.
+
+ 1334. [bug] When signing/verifying rdatasets, duplicate rdatas
+ need to be suppressed.
+
+ 1333. [contrib] queryperf now reports a summary of returned
+ rcodes (-c), rcodes are printed in mnemonic form (-v).
+
+ 1332. [func] Report the current serial with periodic commits when
+ rolling forward the journal.
+
+ 1331. [func] Generate DNSSEC wildcard proofs.
+
+ 1330. [bug] When processing events (non-threaded) only allow
+ the task one chance to use to use its quantum.
+
+ 1329. [func] named-checkzone will now check if nameservers that
+ appear to be IP addresses. Available modes "fail",
+ "warn" (default) and "ignore" the results of the
+ check.
+
+ 1328. [bug] The validator could incorrectly verify an invalid
+ negative proof.
+
+ 1327. [bug] The validator would incorrectly mark data as insecure
+ when seeing a bogus signature before a correct
+ signature.
+
+ 1326. [bug] DNAME/CNAME signatures were not being cached when
+ validation was not being performed. [RT #3284]
+
+ 1325. [bug] If the tcpquota was exhausted it was possible to
+ to trigger a INSIST() failure.
+
+ 1324. [port] darwin: ifconfig.sh now supports darwin.
+
+ 1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
+
+ 1322. [bug] dnssec-signzone usage message was misleading.
+
+ 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
+ would incorrectly duplicate its output and sign it.
+
+ 1320. [doc] query-source-v6 was missing from options section.
+ [RT #3218]
+
+ 1319. [func] libbind: log attempts to exploit #1318.
+
+ 1318. [bug] libbind: Remote buffer overrun.
+
+ 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
+ element name.
+
+ 1316. [bug] libbind: gethostans() could get out of sync parsing
+ the response if there was a very long CNAME chain.
+
+ 1315. [bug] Options should apply to the internal _bind view.
+
+ 1314. [port] Handle ECONNRESET from sendmsg() [unix].
+
+ 1313. [func] Query log now says if the query was signed (S) or
+ if EDNS was used (E).
+
+ 1312. [func] Log TSIG key used w/ outgoing zone transfers.
+
+ 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
+
+ 1310. [bug] 'rndc stop' failed to cause zones to be flushed
+ sometimes. [RT #3157]
+
+ 1309. [func] Log that a zone transfer was covered by a TSIG.
+
+ 1308. [func] DS (delegation signer) support.
+
+ 1307. [bug] nsupdate: allow white space base64 key data.
+
+ 1306. [bug] Badly encoded LOC record when the size, horizontal
+ precision or vertical precision was 0.1m.
+
+ 1305. [bug] Document that internal zones are included in the
+ rndc status results.
+
+ 1304. [func] New function: dns_zone_name().
+
+ 1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
+
+ 1302. [func] Extended rndc dumpdb to support dumping of zones and
+ view selection: 'dumpdb [-all|-zones|-cache] [view]'.
+
+ 1301. [func] New category 'update-security'.
+
+ 1300. [port] Compaq Trucluster support.
+
+ 1299. [bug] Set AI_ADDRCONFIG when looking up addresses
+ via getaddrinfo() (affects dig, host, nslookup, rndc
+ and nsupdate).
+
+ 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
+ could be left with a trailing "\" after configure
+ has been run.
+
+ 1297. [port] linux: make handling EINVAL from socket() no longer
+ conditional on #ifdef LINUX.
+
+ 1296. [bug] isc_log_closefilelogs() needed to lock the log
+ context.
+
+ 1295. [bug] isc_log_setdebuglevel() needed to lock the log
+ context.
+
+ 1294. [func] libbind: no longer attempts bit string labels for
+ IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
+ for nibble style resolution.
+
+ 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
+
+ 1292. [func] Enable IPv6 support when using ioctl style interface
+ scanning and OS supports SIOCGLIFADDR using struct
+ if_laddrreq.
+
+ 1291. [func] Enable IPv6 support when using sysctl style interface
+ scanning.
+
+ 1290. [func] "dig axfr" now reports the number of messages
+ as well as the number of records.
+
+ 1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
+
+ 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
+ reflect written requirements.
+
+ 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
+ a rdataset to a zone db in the rbtdb implementation of
+ addrdataset.
+
+ 1286. [bug] dns_name_downcase() enforce requirement that
+ target != NULL or name->buffer != NULL.
+
+ 1285. [func] lwres: probe the system to see what address families
+ are currently in use.
+
+ 1284. [bug] The RTT estimate on unused servers was not aged.
+ [RT #2569]
+
+ 1283. [func] Use "dataready" accept filter if available.
+
+ 1282. [port] libbind: hpux 11.11 interface scanning.
+
+ 1281. [func] Log zone when unable to get private keys to update
+ zone. Log zone when NXT records are missing from
+ secure zone.
+
+ 1280. [bug] libbind: escape '(' and ')' when converting to
+ presentation form.
+
+ 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
+
+ 1278. [func] dig: now supports +[no]cl +[no]ttlid.
+
+ 1277. [func] You can now create your own customized printing
+ styles: dns_master_stylecreate() and
+ dns_master_styledestroy().
+
+ 1276. [bug] libbind: const pointer conflicts in res_debug.c.
+
+ 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
+
+ 1274. [bug] Memory leak in lwres_gnbarequest_parse().
+
+ 1273. [port] libbind: solaris: 64 bit binary compatibility.
+
+ 1272. [contrib] Berkeley DB 4.0 sdb implementation from
+ Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
+
+ 1271. [bug] "recursion available: {denied,approved}" was too
+ confusing.
+
+ 1270. [bug] Check that system inet_pton() and inet_ntop() support
+ AF_INET6.
+
+ 1269. [port] Openserver: ifconfig.sh support.
+
+ 1268. [port] Openserver: the value FD_SETSIZE depends on whether
+ <sys/param.h> is included or not. Be consistent.
+
+ 1267. [func] isc_file_openunique() now creates file using mode
+ 0666 rather than 0600.
+
+ 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
+ __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
+ are not C++ compatible, use *_TYPE versions instead.
+
+ 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
+ C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
+
+ 1264. [placeholder]
+
+ 1263. [bug] Reference after free error if dns_dispatchmgr_create()
+ failed.
+
+ 1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
+
+ 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
+ support for compressed TSIG owner names.
+
+ 1260. [func] libbind: res_update can now update IPv6 servers,
+ new function res_findzonecut2().
+
+ 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
+ w/o sa_len.
+
+ 1258. [bug] libbind: res_nametotype() and res_nametoclass() were
+ broken.
+
+ 1257. [bug] Failure to write pid-file should not be fatal on
+ reload. [RT #2861]
+
+ 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
+
+ 1255. [bug] When verifying that an NXT proves nonexistence, check
+ the rcode of the message and only do the matching NXT
+ check. That is, for NXDOMAIN responses, check that
+ the name is in the range between the NXT owner and
+ next name, and for NOERROR NODATA responses, check
+ that the type is not present in the NXT bitmap.
+
+ 1254. [func] preferred-glue option from BIND 8.3.
+
+ 1253. [bug] The dnssec system test failed to remove the correct
+ files.
+
+ 1252. [bug] Dig, host and nslookup were not checking the address
+ the answer was coming from against the address it was
+ sent to. [RT #2692]
+
+ 1251. [port] win32: a make file contained absolute version specific
+ references.
+
+ 1250. [func] Nsupdate will report the address the update was
+ sent to.
+
+ 1249. [bug] Missing masters clause was not handled gracefully.
+ [RT #2703]
+
+ 1248. [bug] DESTDIR was not being propagated between makes.
+
+ 1247. [bug] Don't reset the interface index for link/site local
+ addresses. [RT #2576]
+
+ 1246. [func] New functions isc_sockaddr_issitelocal(),
+ isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
+ and isc_netaddr_islinklocal().
+
+ 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
+ accept().
+
+ 1244. [bug] Receiving a TCP message from a blackhole address would
+ prevent further messages being received over that
+ interface.
+
+ 1243. [bug] It was possible to trigger a REQUIRE() in
+ dns_message_findtype(). [RT #2659]
+
+ 1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
+
+ 1241. [bug] Drop received UDP messages with a zero source port
+ as these are invariably forged. [RT #2621]
+
+ 1240. [bug] It was possible to leak zone references by
+ specifying an incorrect zone to rndc.
+
+ 1239. [bug] Under certain circumstances named could continue to
+ use a name after it had been freed triggering
+ INSIST() failures. [RT #2614]
+
+ 1238. [bug] It is possible to lockup the server when shutting down
+ if notifies were being processed. [RT #2591]
+
+ 1237. [bug] nslookup: "set q=type" failed.
+
+ 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
+ NULL terminated text regions. [RT #2588]
+
+ 1235. [func] Report 'out of memory' errors from openssl.
+
+ 1234. [bug] contrib/sdb: 'zonetodb' failed to call
+ dns_result_register(). DNS_R_SEENINCLUDE should not
+ be fatal.
+
+ 1233. [bug] The flags field of a KEY record can be expressed in
+ hex as well as decimal.
+
+ 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
+
+ 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
+
+ 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
+
+ 1229. [bug] named would crash if it received a TSIG signed
+ query as part of an AXFR response. [RT #2570]
+
+ 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
+
+ 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
+ if a number was expected and some other token was
+ found. [RT #2532]
+
+ 1226. [func] Use EDNS for zone refresh queries. [RT #2551]
+
+ 1225. [func] dns_message_setopt() no longer requires that
+ dns_message_renderbegin() to have been called.
+
+ 1224. [bug] 'rrset-order' and 'sortlist' should be additive
+ not exclusive.
+
+ 1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
+ are supported.
+
+ 1222. [bug] Specifying 'port *' did not always result in a system
+ selected (non-reserved) port being used. [RT #2537]
+
+ 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
+ compared case insensitively. [RT #2542]
+
+ 1220. [func] Support for APL rdata type.
+
+ 1219. [func] Named now reports the TSIG extended error code when
+ signature verification fails. [RT #1651]
+
+ 1218. [bug] Named incorrectly returned SERVFAIL rather than
+ NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
+
+ 1217. [func] Report locations of previous key definition when a
+ duplicate is detected.
+
+ 1216. [bug] Multiple server clauses for the same server were not
+ reported. [RT #2514]
+
+ 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
+
+ 1214. [bug] Win32: isc_file_renameunique() could leave zero length
+ files behind.
+
+ 1213. [func] Report view associated with client if it is not a
+ standard view (_default or _bind).
+
+ 1212. [port] libbind: 64k answer buffers were causing stack space
+ to be exceeded for certain OS. Use heap space instead.
+
+ 1211. [bug] dns_name_fromtext() incorrectly handled certain
+ valid octal bitlabels. [RT #2483]
+
+ 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
+ compatible addresses. [RT #2461]
+
+ 1209. [bug] Dig, host, nslookup were not checking the message ids
+ on the responses. [RT #2454]
+
+ 1208. [bug] dns_master_load*() failed to log a error message if
+ an error was detected when parsing the owner name of
+ a record. [RT #2448]
+
+ 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
+ an invalid pointer.
+
+ 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
+ trigger a non-EDNS retry.
+
+ 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
+ of the message. [RT #2449]
+
+ 1204. [bug] libbind: res_nupdate() failed to update the name
+ server addresses before sending the update.
+
+ 1203. [func] Report locations of previous acl and zone definitions
+ when a duplicate is detected.
+
+ 1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
+
+ 1201. [bug] Require that if 'callbacks' is passed to
+ dns_rdata_fromtext(), callbacks->error and
+ callbacks->warn are initialized.
+
+ 1200. [bug] Log 'errno' that we are unable to convert to
+ isc_result_t. [RT #2404]
+
+ 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
+ [RT #2436]
+
+ 1198. [bug] OPT printing style was not consistent with the way the
+ header fields are printed. The DO bit was not reported
+ if set. Report if any of the MBZ bits are set.
+
+ 1197. [bug] Attempts to define the same acl multiple times were not
+ detected.
+
+ 1196. [contrib] update mdnkit to 2.2.3.
+
+ 1195. [bug] Attempts to redefine builtin acls should be caught.
+ [RT #2403]
+
+ 1194. [bug] Not all duplicate zone definitions were being detected
+ at the named.conf checking stage. [RT #2431]
+
+ 1193. [bug] dig +besteffort parsing didn't handle packet
+ truncation. dns_message_parse() has new flag
+ DNS_MESSAGE_IGNORETRUNCATION.
+
+ 1192. [bug] The seconds fields in LOC records were restricted
+ to three decimal places. More decimal places should
+ be allowed but warned about.
+
+ 1191. [bug] A dynamic update removing the last non-apex name in
+ a secure zone would fail. [RT #2399]
+
+ 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
+ [RT #2394]
+
+ 1189. [bug] On some systems, malloc(0) returns NULL, which
+ could cause the caller to report an out of memory
+ error. [RT #2398]
+
+ 1188. [bug] Dynamic updates of a signed zone would fail if
+ some of the zone private keys were unavailable.
+
+ 1187. [bug] named was incorrectly returning DNSSEC records
+ in negative responses when the DO bit was not set.
+
+ 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
+ EOL token when reading to end of line.
+
+ 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
+ unless RES_INIT is set when calling res_*init().
+
+ 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
+ when res_*init() is called.
+
+ 1183. [bug] Handle ENOSR error when writing to the internal
+ control pipe. [RT #2395]
+
+ 1182. [bug] The server could throw an assertion failure when
+ constructing a negative response packet.
+
+ 1181. [func] Add the "key-directory" configuration statement,
+ which allows the server to look for online signing
+ keys in alternate directories.
+
+ 1180. [func] dnssec-keygen should always generate keys with
+ protocol 3 (DNSSEC), since it's less confusing
+ that way.
+
+ 1179. [func] Add SIG(0) support to nsupdate.
+
+ 1178. [bug] Follow and cache (if appropriate) A6 and other
+ data chains to completion in the additional section.
+
+ 1177. [func] Report view when loading zones if it is not a
+ standard view (_default or _bind). [RT #2270]
+
+ 1176. [doc] Document that allow-v6-synthesis is only performed
+ for clients that are supplied recursive service.
+ [RT #2260]
+
+ 1175. [bug] named-checkzone and named-checkconf failed to call
+ dns_result_register() at startup which could
+ result in runtime exceptions when printing
+ "out of memory" errors. [RT #2335]
+
+ 1174. [bug] Win32: add WSAECONNRESET to the expected errors
+ from connect(). [RT #2308]
+
+ 1173. [bug] Potential memory leaks in isc_log_create() and
+ isc_log_settag(). [RT #2336]
+
+ 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
+ table of RR types in ARM.
+
+ 1171. [func] Added function isc_region_compare(), updated files in
+ lib/dns to use this function instead of local one.
+
+ 1170. [bug] Don't attempt to print the token when a I/O error
+ occurs when parsing named.conf. [RT #2275]
+
+ 1169. [func] Identify recursive queries in the query log.
+
+ 1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
+
+ 1167. [contrib] nslint-2.1a3 (from author).
+
+ 1166. [bug] "Not Implemented" should be reported as NOTIMP,
+ not NOTIMPL. [RT #2281]
+
+ 1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
+
+ 1164. [bug] Empty masters clauses in slave / stub zones were not
+ handled gracefully. [RT #2262]
+
+ 1163. [func] isc_time_formattimestamp() now includes the year.
+
+ 1162. [bug] The allow-notify option was not accepted in slave
+ zone statements.
+
+ 1161. [bug] named-checkzone looped on unbalanced brackets.
+ [RT #2248]
+
+ 1160. [bug] Generating Diffie-Hellman keys longer than 1024
+ bits could fail. [RT #2241]
+
+ 1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
+
+ 1158. [func] Report the client's address when logging notify
+ messages.
+
+ 1157. [func] match-clients and match-destinations now accept
+ keys. [RT #2045]
+
+ 1156. [port] The configure test for strsep() incorrectly
+ succeeded on certain patched versions of
+ AIX 4.3.3. [RT #2190]
+
+ 1155. [func] Recover from master files being removed from under
+ us.
+
+ 1154. [bug] Don't attempt to obtain the netmask of a interface
+ if there is no address configured. [RT #2176]
+
+ 1153. [func] 'rndc {stop|halt} -p' now reports the process id
+ of the instance of named being shutdown.
+
+ 1152. [bug] libbind: read buffer overflows.
+
+ 1151. [bug] nslookup failed to check that the arguments to
+ the port, timeout, and retry options were
+ valid integers and in range. [RT #2099]
+
+ 1150. [bug] named incorrectly accepted TTL values
+ containing plus or minus signs, such as
+ 1d+1h-1s.
+
+ 1149. [func] New function isc_parse_uint32().
+
+ 1148. [func] 'rndc-confgen -a' now provides positive feedback.
+
+ 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
+ the OS. listen-on-v6 { any; }; should no longer
+ result in IPv4 queries be accepted. Similarly
+ control { inet :: ... }; should no longer result
+ in IPv4 connections being accepted. This can be
+ overridden at compile time by defining
+ ISC_ALLOW_MAPPED=1.
+
+ 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
+ supported by the OS by a new function
+ isc_socket_ipv6only().
+
+ 1145. [func] "host" no longer reports a NOERROR/NODATA response
+ by printing nothing. [RT #2065]
+
+ 1144. [bug] rndc-confgen would crash if both the -a and -t
+ options were specified. [RT #2159]
+
+ 1143. [bug] When a trusted-keys statement was present and named
+ was built without crypto support, it would leak memory.
+
+ 1142. [bug] dnssec-signzone would fail to delete temporary files
+ in some failure cases. [RT #2144]
+
+ 1141. [bug] When named rejected a control message, it would
+ leak a file descriptor and memory. It would also
+ fail to respond, causing rndc to hang.
+ [RT #2139, #2164]
+
+ 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
+ to the -s option. [RT #2138]
+
+ 1139. [func] It is now possible to flush a given name from the
+ cache(s) via 'rndc flushname name [view]'. [RT #2051]
+
+ 1138. [func] It is now possible to flush a given name from the
+ cache by calling the new function
+ dns_cache_flushname().
+
+ 1137. [func] It is now possible to flush a given name from the
+ ADB by calling the new function dns_adb_flushname().
+
+ 1136. [bug] CNAME records synthesized from DNAMEs did not
+ have a TTL of zero as required by RFC2672.
+ [RT #2129]
+
+ 1135. [func] You can now override the default syslog() facility for
+ named/lwresd at compile time. [RT #1982]
+
+ 1134. [bug] Multi-threaded servers could deadlock in ferror()
+ when reloading zone files. [RT #1951, #1998]
+
+ 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
+ platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
+
+ 1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
+
+ 1131. [bug] The match-destinations view option did not work with
+ IPv6 destinations. [RT #2073, #2074]
+
+ 1130. [bug] Log messages reporting an out-of-range serial number
+ did not include the out-of-range number but the
+ following token. [RT #2076]
+
+ 1129. [bug] Multi-threaded servers could crash under heavy
+ resolution load due to a race condition. [RT #2018]
+
+ 1128. [func] sdb drivers can now provide RR data in either text
+ or wire format, the latter using the new functions
+ dns_sdb_putrdata() and dns_sdb_putnamedrdata().
+
+ 1127. [func] rndc: If the server to contact has multiple addresses,
+ try all of them.
+
+ 1126. [bug] The server could access a freed event if shut
+ down while a client start event was pending
+ delivery. [RT #2061]
+
+ 1125. [bug] rndc: -k option was missing from usage message.
+ [RT #2057]
+
+ 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
+ are now documented. [RT #2052]
+
+ 1123. [bug] dig +[no]fail did not match description. [RT #2052]
+
+ 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
+ [RT #2046]
+
+ 1121. [bug] The server could attempt to access a NULL zone
+ table if shut down while resolving.
+ [RT #1587, #2054]
+
+ 1120. [bug] Errors in options were not fatal. [RT #2002]
+
+ 1119. [func] Added support in Win32 for NTFS file/directory ACL's
+ for access control.
+
+ 1118. [bug] On multi-threaded servers, a race condition
+ could cause an assertion failure in resolver.c
+ during resolver shutdown. [RT #2029]
+
+ 1117. [port] The configure check for in6addr_loopback incorrectly
+ succeeded on AIX 4.3 when compiling with -O2
+ because the test code was optimized away.
+ [RT #2016]
+
+ 1116. [bug] Setting transfers in a server clause, transfers-in,
+ or transfers-per-ns to a value greater than
+ 2147483647 disabled transfers. [RT #2002]
+
+ 1115. [func] Set maximum values for cleaning-interval,
+ heartbeat-interval, interface-interval,
+ max-transfer-idle-in, max-transfer-idle-out,
+ max-transfer-time-in, max-transfer-time-out,
+ statistics-interval of 28 days and
+ sig-validity-interval of 3660 days. [RT #2002]
+
+ 1114. [port] Ignore more accept() errors. [RT #2021]
+
+ 1113. [bug] The allow-update-forwarding option was ignored
+ when specified in a view. [RT #2014]
+
+ 1112. [placeholder]
+
+ 1111. [bug] Multi-threaded servers could deadlock processing
+ recursive queries due to a locking hierarchy
+ violation in adb.c. [RT #2017]
+
+ 1110. [bug] dig should only accept valid abbreviations of +options.
+ [RT #2003]
+
+ 1109. [bug] nsupdate accepted illegal ttl values.
+
+ 1108. [bug] On Win32, rndc was hanging when named was not running
+ due to failure to select for exceptional conditions
+ in select(). [RT #1870]
+
+ 1107. [bug] nsupdate could catch an assertion failure if an
+ invalid domain name was given as the argument to
+ the "zone" command.
+
+ 1106. [bug] After seeing an out of range TTL, nsupdate would
+ treat all TTLs as out of range. [RT #2001]
+
+ 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
+
+ 1104. [bug] Invalid arguments to the transfer-format option
+ could cause an assertion failure. [RT #1995]
+
+ 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
+
+ 1102. [doc] Note that query logging is enabled by directing the
+ queries category to a channel.
+
+ 1101. [bug] Array bounds read error in lwres_gai_strerror.
+
+ 1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
+
+ 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
+ compile time errors.
+
+ 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
+
+ 1097. [func] libbind: RES_PRF_TRUNC for dig.
+
+ 1096. [func] libbind: "DNSSEC OK" (DO) support.
+
+ 1095. [func] libbind: resolver option: no-tld-query. disables
+ trying unqualified as a tld. no_tld_query is also
+ supported for FreeBSD compatibility.
+
+ 1094. [func] libbind: add support gcc's format string checking.
+
+ 1093. [doc] libbind: miscellaneous nroff fixes.
+
+ 1092. [bug] libbind: get*by*() failed to check if res_init() had
+ been called.
+
+ 1091. [bug] libbind: misplaced va_end().
+
+ 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
+ the amount of memory consumed resulting in garbage
+ address being returned. Alignment calculations were
+ wasting space. We weren't suppressing duplicate
+ addresses.
+
+ 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
+ support.
+
+ 1088. [port] libbind: MPE/iX C.70 (incomplete)
+
+ 1087. [bug] libbind: struct __res_state too large on 64 bit arch.
+
+ 1086. [port] libbind: sunos: old sprintf.
+
+ 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
+ exist when compiling in 64 bit mode.
+
+ 1084. [cleanup] libbind: gai_strerror() rewritten.
+
+ 1083. [bug] The default control channel listened on the
+ wildcard address, not the loopback as documented.
+ [RT #1975]
+
+ 1082. [bug] The -g option to named incorrectly caused logging
+ to be sent to syslog in addition to stderr.
+ [RT #1974]
+
+ 1081. [bug] Multicast queries were incorrectly identified
+ based on the source address, not the destination
+ address.
+
+ 1080. [bug] BIND 8 compatibility: accept bare IP prefixes
+ as the second element of a two-element top level
+ sort list statement. [RT #1964]
+
+ 1079. [bug] BIND 8 compatibility: accept bare elements at top
+ level of sort list treating them as if they were
+ a single element list. [RT #1963]
+
+ 1078. [bug] We failed to correct bad tv_usec values in one case.
+ [RT #1966]
+
+ 1077. [func] Do not accept further recursive clients when
+ the total number of recursive lookups being
+ processed exceeds max-recursive-clients, even
+ if some of the lookups are internally generated.
+ [RT #1915, #1938]
+
+ 1076. [bug] A badly defined global key could trigger an assertion
+ on load/reload if views were used. [RT #1947]
+
+ 1075. [bug] Out-of-range network prefix lengths were not
+ reported. [RT #1954]
+
+ 1074. [bug] Running out of memory in dump_rdataset() could
+ cause an assertion failure. [RT #1946]
+
+ 1073. [bug] The ADB cache cleaning should also be space driven.
+ [RT #1915, #1938]
+
+ 1072. [bug] The TCP client quota could be exceeded when
+ recursion occurred. [RT #1937]
+
+ 1071. [bug] Sockets listening for TCP DNS connections
+ specified an excessive listen backlog. [RT #1937]
+
+ 1070. [bug] Copy DNSSEC OK (DO) to response as specified by
+ draft-ietf-dnsext-dnssec-okbit-03.txt.
+
+ 1069. [placeholder]
+
+ 1068. [bug] errno could be overwritten by catgets(). [RT #1921]
+
+ 1067. [func] Allow quotas to be soft, isc_quota_soft().
+
+ 1066. [bug] Provide a thread safe wrapper for strerror().
+ [RT #1689]
+
+ 1065. [func] Runtime support to select new / old style interface
+ scanning using ioctls.
+
+ 1064. [bug] Do not shut down active network interfaces if we
+ are unable to scan the interface list. [RT #1921]
+
+ 1063. [bug] libbind: "make install" was failing on IRIX.
+ [RT #1919]
+
+ 1062. [bug] If the control channel listener socket was shut
+ down before server exit, the listener object could
+ be freed twice. [RT #1916]
+
+ 1061. [bug] If periodic cache cleaning happened to start
+ while cleaning due to reaching the configured
+ maximum cache size was in progress, the server
+ could catch an assertion failure. [RT #1912]
+
+ 1060. [func] Move refresh, stub and notify UDP retry processing
+ into dns_request.
+
+ 1059. [func] dns_request now support will now retry UDP queries,
+ dns_request_createvia2() and dns_request_createraw2().
+
+ 1058. [func] Limited lifetime ticker timers are now available,
+ isc_timertype_limited.
+
+ 1057. [bug] Reloading the server after adding a "file" clause
+ to a zone statement could cause the server to
+ crash due to a typo in change 1016.
+
+ 1056. [bug] Rndc could catch an assertion failure on SIGINT due
+ to an uninitialized variable. [RT #1908]
+
+ 1055. [func] Version and hostname queries can now be disabled
+ using "version none;" and "hostname none;",
+ respectively.
+
+ 1054. [bug] On Win32, cfg_categories and cfg_modules need to be
+ exported from the libisccfg DLL.
+
+ 1053. [bug] Dig did not increase its timeout when receiving
+ AXFRs unless the +time option was used. [RT #1904]
+
+ 1052. [bug] Journals were not being created in binary mode
+ resulting in "journal format not recognized" error
+ under Win32. [RT #1889]
+
+ 1051. [bug] Do not ignore a network interface completely just
+ because it has a noncontiguous netmask. Instead,
+ omit it from the localnets ACL and issue a warning.
+ [RT #1891]
+
+ 1050. [bug] Log messages reporting malformed IP addresses in
+ address lists such as that of the forwarders option
+ failed to include the correct error code, file
+ name, and line number. [RT #1890]
+
+ 1049. [func] "pid-file none;" will disable writing a pid file.
+ [RT #1848]
+
+ 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
+ didn't work.
+
+ 1047. [bug] named was incorrectly refusing all requests signed
+ with a TSIG key derived from an unsigned TKEY
+ negotiation with a NOERROR response. [RT #1886]
+
+ 1046. [bug] The help message for the --with-openssl configure
+ option was inaccurate. [RT #1880]
+
+ 1045. [bug] It was possible to skip saving glue for a nameserver
+ for a stub zone.
+
+ 1044. [bug] Specifying allow-transfer, notify-source, or
+ notify-source-v6 in a stub zone was not treated
+ as an error.
+
+ 1043. [bug] Specifying a transfer-source or transfer-source-v6
+ option in the zone statement for a master zone was
+ not treated as an error. [RT #1876]
+
+ 1042. [bug] The "config" logging category did not work properly.
+ [RT #1873]
+
+ 1041. [bug] Dig/host/nslookup could catch an assertion failure
+ on SIGINT due to an uninitialized variable. [RT #1867]
+
+ 1040. [bug] Multiple listen-on-v6 options with different ports
+ were not accepted. [RT #1875]
+
+ 1039. [bug] Negative responses with CNAMEs in the answer section
+ were cached incorrectly. [RT #1862]
+
+ 1038. [bug] In servers configured with a tkey-domain option,
+ TKEY queries with an owner name other than the root
+ could cause an assertion failure. [RT #1866, #1869]
+
+ 1037. [bug] Negative responses whose authority section contain
+ SOA or NS records whose owner names are not equal
+ equal to or parents of the query name should be
+ rejected. [RT #1862]
+
+ 1036. [func] Silently drop requests received via multicast as
+ long as there is no final multicast DNS standard.
+
+ 1035. [bug] If we respond to multicast queries (which we
+ currently do not), respond from a unicast address
+ as specified in RFC 1123. [RT #137]
+
+ 1034. [bug] Ignore the RD bit on multicast queries as specified
+ in RFC 1123. [RT #137]
+
+ 1033. [bug] Always respond to requests with an unsupported opcode
+ with NOTIMP, even if we don't have a matching view
+ or cannot determine the class.
+
+ 1032. [func] hostname.bind/txt/chaos now returns the name of
+ the machine hosting the nameserver. This is useful
+ in diagnosing problems with anycast servers.
+
+ 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
+ [RT #1858]
+
+ 1030. [bug] On systems with no resolv.conf file, nsupdate
+ exited with an error rather than defaulting
+ to using the loopback address. [RT #1836]
+
+ 1029. [bug] Some named.conf errors did not cause the loading
+ of the configuration file to return a failure
+ status even though they were logged. [RT #1847]
+
+ 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
+ in the wrong directory. [RT #1833]
+
+ 1027. [bug] RRs having the reserved type 0 should be rejected.
+ [RT #1471]
+
+ 1026. [placeholder]
+
+ 1025. [bug] Don't use multicast addresses to resolve iterative
+ queries. [RT #101]
+
+ 1024. [port] Compilation failed on HP-UX 11.11 due to
+ incompatible use of the SIOCGLIFCONF macro
+ name. [RT #1831]
+
+ 1023. [func] Accept hints without TTLs.
+
+ 1022. [bug] Don't report empty root hints as "extra data".
+ [RT #1802]
+
+ 1021. [bug] On Win32, log message timestamps were one month
+ later than they should have been, and the server
+ would exhibit unspecified behavior in December.
+
+ 1020. [bug] IXFR log messages did not distinguish between
+ true IXFRs, AXFR-style IXFRs, and mere version
+ polls. [RT #1811]
+
+ 1019. [bug] The value of the lame-ttl option was limited to 18000
+ seconds, not 1800 seconds as documented. [RT #1803]
+
+ 1018. [bug] The default log channel was not always initialized
+ correctly. [RT #1813]
+
+ 1017. [bug] When specifying TSIG keys to dig and nsupdate using
+ the -k option, they must be HMAC-MD5 keys. [RT #1810]
+
+ 1016. [bug] Slave zones with no backup file were re-transferred
+ on every server reload.
+
+ 1015. [bug] Log channels that had a "versions" option but no
+ "size" option failed to create numbered log
+ files. [RT #1783]
+
+ 1014. [bug] Some queries would cause statistics counters to
+ increment more than once or not at all. [RT #1321]
+
+ 1013. [bug] It was possible to cancel a query twice when marking
+ a server as bogus or by having a blackhole acl.
+ [RT #1776]
+
+ 1012. [bug] The -p option to named did not behave as documented.
+
+ 1011. [cleanup] Removed isc_dir_current().
+
+ 1010. [bug] The server could attempt to execute a command channel
+ command after initiating server shutdown, causing
+ an assertion failure. [RT #1766]
+
+ 1009. [port] OpenUNIX 8 support. [RT #1728]
+
+ 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
+
+ 1007. [port] config.guess, config.sub from autoconf-2.52.
+
+ 1006. [bug] If a KEY RR was found missing during DNSSEC validation,
+ an assertion failure could subsequently be triggered
+ in the resolver. [RT #1763]
+
+ 1005. [bug] Don't copy nonzero RCODEs from request to response.
+ [RT #1765]
+
+ 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
+
+ 1003. [func] Add the +retry option to dig.
+
+ 1002. [bug] When reporting an unknown class name in named.conf,
+ including the file name and line number. [RT #1759]
+
+ 1001. [bug] win32 socket code doio_recv was not catching a
+ WSACONNRESET error when a client was timing out
+ the request and closing its socket. [RT #1745]
+
+ 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
+ for class "HS". [RT #1759]
+
+ 999. [func] "rndc retransfer zone [class [view]]" added.
+ [RT #1752]
+
+ 998. [func] named-checkzone now has arguments to specify the
+ chroot directory (-t) and working directory (-w).
+ [RT #1755]
+
+ 997. [func] Add support for RSA-SHA1 keys (RFC3110).
+
+ 996. [func] Issue warning if the configuration filename contains
+ the chroot path.
+
+ 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
+ target address should be fatal on a IPv4 only system.
+
+ 994. [func] Treat non-authoritative responses to queries for type
+ NS as referrals even if the NS records are in the
+ answer section, because BIND 8 servers incorrectly
+ send them that way. This is necessary for DNSSEC
+ validation of the NS records of a secure zone to
+ succeed when the parent is a BIND 8 server. [RT #1706]
+
+ 993. [func] dig: -v now reports the version.
+
+ 992. [doc] dig: ~/.digrc is now documented.
+
+ 991. [func] Lower UDP refresh timeout messages to level
+ debug 1.
+
+ 990. [bug] The rndc-confgen man page was not installed.
+
+ 989. [bug] Report filename if $INCLUDE fails for file related
+ errors. [RT #1736]
+
+ 988. [bug] 'additional-from-auth no;' did not work reliably
+ in the case of queries answered from the cache.
+ [RT #1436]
+
+ 987. [bug] "dig -help" didn't show "+[no]stats".
+
+ 986. [bug] "dig +noall" failed to clear stats and command
+ printing.
+
+ 985. [func] Consider network interfaces to be up iff they have
+ a nonzero IP address rather than based on the
+ IFF_UP flag. [RT #1160]
+
+ 984. [bug] Multi-threading should be enabled by default on
+ Solaris 2.7 and newer, but it wasn't.
+
+ 983. [func] The server now supports generating IXFR difference
+ sequences for non-dynamic zones by comparing zone
+ versions, when enabled using the new config
+ option "ixfr-from-differences". [RT #1727]
+
+ 982. [func] If "memstatistics-file" is set in options the memory
+ statistics will be written to it.
+
+ 981. [func] The dnssec tools can now take multiple '-r randomfile'
+ arguments.
+
+ 980. [bug] Incoming zone transfers restarting after an error
+ could trigger an assertion failure. [RT #1692]
+
+ 979. [func] Incremental master file dumping. dns_master_dumpinc(),
+ dns_master_dumptostreaminc(), dns_dumpctx_attach(),
+ dns_dumpctx_detach(), dns_dumpctx_cancel(),
+ dns_dumpctx_db() and dns_dumpctx_version().
+
+ 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
+ condition.
+
+ 977. [bug] Improve "not at top of zone" error message.
+
+ 976. [func] named-checkconf can now test load master zones
+ (named-checkconf -z). [RT #1468]
+
+ 975. [bug] "max-cache-size default;" as a view option
+ caused an assertion failure.
+
+ 974. [bug] "max-cache-size unlimited;" as a global option
+ was not accepted.
+
+ 973. [bug] Failed to log the question name when logging:
+ "bad zone transfer request: non-authoritative zone
+ (NOTAUTH)".
+
+ 972. [bug] The file modification time code in zone.c was using the
+ wrong epoch. [RT #1667]
+
+ 971. [placeholder]
+
+ 970. [func] 'max-journal-size' can now be used to set a target
+ size for a journal.
+
+ 969. [func] dig now supports the undocumented dig 8 feature
+ of allowing arbitrary labels, not just dotted
+ decimal quads, with the -x option. This can be
+ used to conveniently look up RFC2317 names as in
+ "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
+
+ 968. [bug] On win32, the isc_time_now() function was unnecessarily
+ calling strtime(). [RT #1671]
+
+ 967. [bug] On win32, the link for bindevt was not including the
+ required resource file to enable the event viewer
+ to interpret the error messages in the event log,
+ [RT #1668]
+
+ 966. [placeholder]
+
+ 965. [bug] Including data other than root server NS and A
+ records in the root hint file could cause a rbtdb
+ node reference leak. [RT #1581, #1618]
+
+ 964. [func] Warn if data other than root server NS and A records
+ are found in the root hint file. [RT #1581, #1618]
+
+ 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
+
+ 962. [bug] libbind: bad "#undef", don't attempt to install
+ non-existent nlist.h. [RT #1640]
+
+ 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
+ was not defined. [RT #1482]
+
+ 960. [port] liblwres failed to build on systems with support for
+ getrrsetbyname() in the OS. [RT #1592]
+
+ 959. [port] On FreeBSD, determine the number of CPUs by calling
+ sysctlbyname(). [RT #1584]
+
+ 958. [port] ssize_t is not available on all platforms. [RT #1607]
+
+ 957. [bug] sys/select.h inclusion was broken on older platforms.
+ [RT #1607]
+
+ 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
+ in named/win32/os.c due to code changes in
+ change #953. win32 .make file for rndc-confgen
+ updated to add include path for os.h header.
+
+ --- 9.2.0rc1 released ---
+
+ 955. [bug] When using views, the zone's class was not being
+ inherited from the view's class. [RT #1583]
+
+ 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
+ nslookup, the RD bit should not be set as zone
+ transfers are inherently non-recursive. [RT #1575]
+
+ 953. [func] The /var/run/named.key file from change #843
+ has been replaced by /etc/rndc.key. Both
+ named and rndc will look for this file and use
+ it to configure a default control channel key
+ if not already configured using a different
+ method (rndc.conf / controls). Unlike
+ named.key, rndc.key is not created automatically;
+ it must be created by manually running
+ "rndc-confgen -a".
+
+ 952. [bug] The server required manual intervention to serve the
+ affected zones if it died between creating a journal
+ and committing the first change to it.
+
+ 951. [bug] CFLAGS was not passed to the linker when
+ linking some of the test programs under
+ bin/tests. [RT #1555].
+
+ 950. [bug] Explicit TTLs did not properly override $TTL
+ due to a bug in change 834. [RT #1558]
+
+ 949. [bug] host was unable to print records larger than 512
+ bytes. [RT #1557]
+
+ --- 9.2.0b2 released ---
+
+ 948. [port] Integrated support for building on Windows NT /
+ Windows 2000.
+
+ 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
+ was really the RNAME field from RFC1035. To avoid
+ confusion and silent errors that would occur it the
+ "origin" and "mname" elements were given their correct
+ names "mname" and "rname" respectively, the "mname"
+ element is renamed to "contact".
+
+ 946. [cleanup] doc/misc/options is now machine-generated from the
+ configuration parser syntax tables, and therefore
+ more likely to be correct.
+
+ 945. [func] Add the new view-specific options
+ "match-destinations" and "match-recursive-only".
+
+ 944. [func] Check for expired signatures on load.
+
+ 943. [bug] The server could crash when receiving a command
+ via rndc if the configuration file listed only
+ nonexistent keys in the controls statement. [RT #1530]
+
+ 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
+ defined on some platforms.
+
+ 941. [bug] The configuration checker crashed if a slave
+ zone didn't contain a masters statement. [RT #1514]
+
+ 940. [bug] Double zone locking failure on error path. [RT #1510]
+
+ --- 9.2.0b1 released ---
+
+ 939. [port] Add the --disable-linux-caps option to configure for
+ systems that manage capabilities outside of named.
+ [RT #1503]
+
+ 938. [placeholder]
+
+ 937. [bug] A race when shutting down a zone could trigger a
+ INSIST() failure. [RT #1034]
+
+ 936. [func] Warn about IPv4 addresses that are not complete
+ dotted quads. [RT #1084]
+
+ 935. [bug] inet_pton failed to reject leading zeros.
+
+ 934. [port] Deal with systems where accept() spuriously returns
+ ECONNRESET.
+
+ 933. [bug] configure failed doing libbind on platforms not
+ supported by BIND 8. [RT #1496]
+
+ --- 9.2.0a3 released ---
+
+ 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
+ when installing isc-config.sh.
+ [RT #198, #1466]
+
+ 931. [bug] The controls statement only attempted to verify
+ messages using the first key in the key list.
+ (9.2.0a1/a2 only).
+
+ 930. [func] Query performance testing tool added as
+ contrib/queryperf.
+
+ 929. [placeholder]
+
+ 928. [bug] nsupdate would send empty update packets if the
+ send (or empty line) command was run after
+ another send but before any new updates or
+ prerequisites were specified. It should simply
+ ignore this command.
+
+ 927. [bug] Don't hold the zone lock for the entire dump to disk.
+ [RT #1423]
+
+ 926. [bug] The resolver could deadlock with the ADB when
+ shutting down (multi-threaded builds only).
+ [RT #1324]
+
+ 925. [cleanup] Remove openssl from the distribution; require that
+ --with-openssl be specified if DNSSEC is needed.
+
+ 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
+ [RT #987]
+
+ 923. [bug] Multiline TSIG secrets (and other multiline strings)
+ were not accepted in named.conf. [RT #1469]
+
+ 922. [func] Added two new lwres_getrrsetbyname() result codes,
+ ERR_NONAME and ERR_NODATA.
+
+ 921. [bug] lwres returned an incorrect error code if it received
+ a truncated message.
+
+ 920. [func] Increase the lwres receive buffer size to 16K.
+ [RT #1451]
+
+ 919. [placeholder]
+
+ 918. [func] In nsupdate, TSIG errors are no longer treated as
+ fatal errors.
+
+ 917. [func] New nsupdate command 'key', allowing TSIG keys to
+ be specified in the nsupdate command stream rather
+ than the command line.
+
+ 916. [bug] Specifying type ixfr to dig without specifying
+ a serial number failed in unexpected ways.
+
+ 915. [func] The named-checkconf and named-checkzone programs
+ now have a '-v' option for printing their version.
+ [RT #1151]
+
+ 914. [bug] Global 'server' statements were rejected when
+ using views, even though they were accepted
+ in 9.1. [RT #1368]
+
+ 913. [bug] Cache cleaning was not sufficiently aggressive.
+ [RT #1441, #1444]
+
+ 912. [bug] Attempts to set the 'additional-from-cache' or
+ 'additional-from-auth' option to 'no' in a
+ server with recursion enabled will now
+ be ignored and cause a warning message.
+ [RT #1145]
+
+ 911. [placeholder]
+
+ 910. [port] Some pre-RFC2133 IPv6 implementations do not define
+ IN6ADDR_ANY_INIT. [RT #1416]
+
+ 909. [placeholder]
+
+ 908. [func] New program, rndc-confgen, to simplify setting up rndc.
+
+ 907. [func] The ability to get entropy from either the
+ random device, a user-provided file or from
+ the keyboard was migrated from the DNSSEC tools
+ to libisc as isc_entropy_usebestsource().
+
+ 906. [port] Separated the system independent portion of
+ lib/isc/unix/entropy.c into lib/isc/entropy.c
+ and added lib/isc/win32/entropy.c.
+
+ 905. [bug] Configuring a forward "zone" for the root domain
+ did not work. [RT #1418]
+
+ 904. [bug] The server would leak memory if attempting to use
+ an expired TSIG key. [RT #1406]
+
+ 903. [bug] dig should not crash when receiving a TCP packet
+ of length 0.
+
+ 902. [bug] The -d option was ignored if both -t and -g were also
+ specified.
+
+ 901. [placeholder]
+
+ 900. [bug] A config.guess update changed the system identification
+ string of FreeBSD systems; configure and
+ bin/tests/system/ifconfig.sh now recognize the new
+ string.
+
+ --- 9.2.0a2 released ---
+
+ 899. [bug] lib/dns/soa.c failed to compile on many platforms
+ due to inappropriate use of a void value.
+ [RT #1372, #1373, #1386, #1387, #1395]
+
+ 898. [bug] "dig" failed to set a nonzero exit status
+ on UDP query timeout. [RT #1323]
+
+ 897. [bug] A config.guess update changed the system identification
+ string of UnixWare systems; configure now recognizes
+ the new string.
+
+ 896. [bug] If a configuration file is set on named's command line
+ and it has a relative pathname, the current directory
+ (after any possible jailing resulting from named -t)
+ will be prepended to it so that reloading works
+ properly even when a directory option is present.
+
+ 895. [func] New function, isc_dir_current(), akin to POSIX's
+ getcwd().
+
+ 894. [bug] When using the DNSSEC tools, a message intended to warn
+ when the keyboard was being used because of the lack
+ of a suitable random device was not being printed.
+
+ 893. [func] Removed isc_file_test() and added isc_file_exists()
+ for the basic functionality that was being added
+ with isc_file_test().
+
+ 892. [placeholder]
+
+ 891. [bug] Return an error when a SIG(0) signed response to
+ an unsigned query is seen. This should actually
+ do the verification, but it's not currently
+ possible. [RT #1391]
+
+ 890. [cleanup] The man pages no longer require the mandoc macros
+ and should now format cleanly using most versions of
+ nroff, and HTML versions of the man pages have been
+ added. Both are generated from DocBook source.
+
+ 889. [port] Eliminated blank lines before .TH in nroff man
+ pages since they cause problems with some versions
+ of nroff. [RT #1390]
+
+ 888. [bug] Don't die when using TKEY to delete a nonexistent
+ TSIG key. [RT #1392]
+
+ 887. [port] Detect broken compilers that can't call static
+ functions from inline functions. [RT #1212]
+
+ 886. [placeholder]
+
+ 885. [placeholder]
+
+ 884. [placeholder]
+
+ 883. [placeholder]
+
+ 882. [placeholder]
+
+ 881. [placeholder]
+
+ 880. [placeholder]
+
+ 879. [placeholder]
+
+ 878. [placeholder]
+
+ 877. [placeholder]
+
+ 876. [placeholder]
+
+ 875. [placeholder]
+
+ 874. [placeholder]
+
+ 873. [placeholder]
+
+ 872. [placeholder]
+
+ 871. [placeholder]
+
+ 870. [placeholder]
+
+ 869. [placeholder]
+
+ 868. [placeholder]
+
+ 867. [placeholder]
+
+ 866. [func] Close debug only file channels when debug is set to
+ zero. [RT #1246]
+
+ 865. [bug] The new configuration parser did not allow
+ the optional debug level in a "severity debug"
+ clause of a logging channel to be omitted.
+ This is now allowed and treated as "severity
+ debug 1;" like it does in BIND 8.2.4, not as
+ "severity debug 0;" like it did in BIND 9.1.
+ [RT #1367]
+
+ 864. [cleanup] Multi-threading is now enabled by default on
+ OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
+
+ 863. [bug] If an error occurred while an outgoing zone transfer
+ was starting up, the server could access a domain
+ name that had already been freed when logging a
+ message saying that the transfer was starting.
+ [RT #1383]
+
+ 862. [bug] Use after realloc(), non portable pointer arithmetic in
+ grmerge().
+
+ 861. [port] Add support for Mac OS X, by making it equivalent
+ to Darwin. This was derived from the config.guess
+ file shipped with Mac OS X. [RT #1355]
+
+ 860. [func] Drop cross class glue in zone transfers.
+
+ 859. [bug] Cache cleaning now won't swamp the CPU if there
+ is a persistent over limit condition.
+
+ 858. [func] isc_mem_setwater() no longer requires that when the
+ callback function is non-NULL then its hi_water
+ argument must be greater than its lo_water argument
+ (they can now be equal) or that they be non-zero.
+
+ 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
+ structs, for our friends in EBCDIC-land.
+
+ 856. [func] Allow partial rdatasets to be returned in answer and
+ authority sections to help non-TCP capable clients
+ recover from truncation. [RT #1301]
+
+ 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
+
+ 854. [bug] The config parser didn't properly handle config
+ options that were specified in units of time other
+ than seconds. [RT #1372]
+
+ 853. [bug] configure_view_acl() failed to detach existing acls.
+ [RT #1374]
+
+ 852. [bug] Handle responses from servers which do not know
+ about IXFR.
+
+ 851. [cleanup] The obsolete support-ixfr option was not properly
+ ignored.
+
+ --- 9.2.0a1 released ---
+
+ 850. [bug] dns_rbt_findnode() would not find nodes that were
+ split on a bitstring label somewhere other than in
+ the last label of the node. [RT #1351]
+
+ 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
+
+ 848. [func] A minimum max-cache-size of two megabytes is enforced
+ by the cache cleaner.
+
+ 847. [func] Added isc_file_test(), which currently only has
+ some very basic functionality to test for the
+ existence of a file, whether a pathname is absolute,
+ or whether a pathname is the fundamental representation
+ of the current directory. It is intended that this
+ function can be expanded to test other things a
+ programmer might want to know about a file.
+
+ 846. [func] A non-zero 'param' to dst_key_generate() when making an
+ hmac-md5 key means that good entropy is not required.
+
+ 845. [bug] The access rights on the public file of a symmetric
+ key are now restricted as soon as the file is opened,
+ rather than after it has been written and closed.
+
+ 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
+ just as <lwres/net.h> does.
+
+ 843. [func] If no controls statement is present in named.conf,
+ or if any inet phrase of a controls statement is
+ lacking a keys clause, then a key will be automatically
+ generated by named and an rndc.conf-style file
+ named named.key will be written that uses it. rndc
+ will use this file only if its normal configuration
+ file, or one provided on the command line, does not
+ exist.
+
+ 842. [func] 'rndc flush' now takes an optional view.
+
+ 841. [bug] When sdb modules were not declared threadsafe, their
+ create and destroy functions were not serialized.
+
+ 840. [bug] The config file parser could print the wrong file
+ name if an error was detected after an included file
+ was parsed. [RT #1353]
+
+ 839. [func] Dump packets for which there was no view or that the
+ class could not be determined to category "unmatched".
+
+ 838. [port] UnixWare 7.x.x is now supported by
+ bin/tests/system/ifconfig.sh.
+
+ 837. [cleanup] Multi-threading is now enabled by default only on
+ OSF1, Solaris 2.7 and newer, and AIX.
+
+ 836. [func] Upgraded libtool to 1.4.
+
+ 835. [bug] The dispatcher could enter a busy loop if
+ it got an I/O error receiving on a UDP socket.
+ [RT #1293]
+
+ 834. [func] Accept (but warn about) master files beginning with
+ an SOA record without an explicit TTL field and
+ lacking a $TTL directive, by using the SOA MINTTL
+ as a default TTL. This is for backwards compatibility
+ with old versions of BIND 8, which accepted such
+ files without warning although they are illegal
+ according to RFC1035.
+
+ 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
+ <dns/soa.h>, and extended them to support
+ all the integer-valued fields of the SOA RR.
+
+ 832. [bug] The default location for named.conf in named-checkconf
+ should depend on --sysconfdir like it does in named.
+ [RT #1258]
+
+ 831. [placeholder]
+
+ 830. [func] Implement 'rndc status'.
+
+ 829. [bug] The DNS_R_ZONECUT result code should only be returned
+ when an ANY query is made with DNS_DBFIND_GLUEOK set.
+ In all other ANY query cases, returning the delegation
+ is better.
+
+ 828. [bug] The errno value from recvfrom() could be overwritten
+ by logging code. [RT #1293]
+
+ 827. [bug] When an IXFR protocol error occurs, the slave
+ should retry with AXFR.
+
+ 826. [bug] Some IXFR protocol errors were not detected.
+
+ 825. [bug] zone.c:ns_query() detached from the wrong zone
+ reference. [RT #1264]
+
+ 824. [bug] Correct line numbers reported by dns_master_load().
+ [RT #1263]
+
+ 823. [func] The output of "dig -h" now goes to stdout so that it
+ can easily be piped through "more". [RT #1254]
+
+ 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
+ [RT #1248]
+
+ 821. [bug] The program name used when logging to syslog should
+ be stripped of leading path components.
+ [RT #1178, #1232]
+
+ 820. [bug] Name server address lookups failed to follow
+ A6 chains into the glue of local authoritative
+ zones.
+
+ 819. [bug] In certain cases, the resolver's attempts to
+ restart an address lookup at the root could cause
+ the fetch to deadlock (with itself) instead of
+ restarting. [RT #1225]
+
+ 818. [bug] Certain pathological responses to ANY queries could
+ cause an assertion failure. [RT #1218]
+
+ 817. [func] Adjust timeouts for dialup zone queries.
+
+ 816. [bug] Report potential problems with log file accessibility
+ at configuration time, since such problems can't
+ reliably be reported at the time they actually occur.
+
+ 815. [bug] If a log file was specified with a path separator
+ character (i.e. "/") in its name and the directory
+ did not exist, the log file's name was treated as
+ though it were the directory name. [RT #1189]
+
+ 814. [bug] Socket objects left over from accept() failures
+ were incorrectly destroyed, causing corruption
+ of socket manager data structures.
+
+ 813. [bug] File descriptors exceeding FD_SETSIZE were handled
+ badly. [RT #1192]
+
+ 812. [bug] dig sometimes printed incomplete IXFR responses
+ due to an uninitialized variable. [RT #1188]
+
+ 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
+
+ 810. [bug] The signer name in SIG records was not properly
+ down-cased when signing/verifying records. [RT #1186]
+
+ 809. [bug] Configuring a non-local address as a transfer-source
+ could cause an assertion failure during load.
+
+ 808. [func] Add 'rndc flush' to flush the server's cache.
+
+ 807. [bug] When setting up TCP connections for incoming zone
+ transfers, the transfer-source port was not
+ ignored like it should be.
+
+ 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
+ the calling stack to the zone maintenance level,
+ causing zones to not reload when an included file was
+ touched but the top-level zone file was not.
+
+ 805. [bug] When using "forward only", missing root hints should
+ not cause queries to fail. [RT #1143]
+
+ 804. [bug] Attempting to obtain entropy could fail in some
+ situations. This would be most common on systems
+ with user-space threads. [RT #1131]
+
+ 803. [bug] Treat all SIG queries as if they have the CD bit set,
+ otherwise no data will be returned [RT #749]
+
+ 802. [bug] DNSSEC key tags were computed incorrectly in almost
+ all cases. [RT #1146]
+
+ 801. [bug] nsupdate should treat lines beginning with ';' as
+ comments. [RT #1139]
+
+ 800. [bug] dnssec-signzone produced incorrect statistics for
+ large zones. [RT #1133]
+
+ 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
+ glue was also present.
+
+ 798. [bug] nsupdate should be able to reject bad input lines
+ and continue. [RT #1130]
+
+ 797. [func] Issue a warning if the 'directory' option contains
+ a relative path. [RT #269]
+
+ 796. [func] When a size limit is associated with a log file,
+ only roll it when the size is reached, not every
+ time the log file is opened. [RT #1096]
+
+ 795. [func] Add the +multiline option to dig. [RT #1095]
+
+ 794. [func] Implement the "port" and "default-port" statements
+ in rndc.conf.
+
+ 793. [cleanup] The DNSSEC tools could create filenames that were
+ illegal or contained shell meta-characters. They
+ now use a different text encoding of names that
+ doesn't have these problems. [RT #1101]
+
+ 792. [cleanup] Replace the OMAPI command channel protocol with a
+ simpler one.
+
+ 791. [bug] The command channel now works over IPv6.
+
+ 790. [bug] Wildcards created using dynamic update or IXFR
+ could fail to match. [RT #1111]
+
+ 789. [bug] The "localhost" and "localnets" ACLs did not match
+ when used as the second element of a two-element
+ sortlist item.
+
+ 788. [func] Add the "match-mapped-addresses" option, which
+ causes IPv6 v4mapped addresses to be treated as
+ IPv4 addresses for the purpose of acl matching.
+
+ 787. [bug] The DNSSEC tools failed to downcase domain
+ names when mapping them into file names.
+
+ 786. [bug] When DNSSEC signing/verifying data, owner names were
+ not properly down-cased.
+
+ 785. [bug] A race condition in the resolver could cause
+ an assertion failure. [RT #673, #872, #1048]
+
+ 784. [bug] nsupdate and other programs would not quit properly
+ if some signals were blocked by the caller. [RT #1081]
+
+ 783. [bug] Following CNAMEs could cause an assertion failure
+ when either using an sdb database or under very
+ rare conditions.
+
+ 782. [func] Implement the "serial-query-rate" option.
+
+ 781. [func] Avoid error packet loops by dropping duplicate FORMERR
+ responses. [RT #1006]
+
+ 780. [bug] Error handling code dealing with out of memory or
+ other rare errors could lead to assertion failures
+ by calling functions on uninitialized names. [RT #1065]
+
+ 779. [func] Added the "minimal-responses" option.
+
+ 778. [bug] When starting cache cleaning, cleaning_timer_action()
+ returned without first pausing the iterator, which
+ could cause deadlock. [RT #998]
+
+ 777. [bug] An empty forwarders list in a zone failed to override
+ global forwarders. [RT #995]
+
+ 776. [func] Improved error reporting in denied messages. [RT #252]
+
+ 775. [placeholder]
+
+ 774. [func] max-cache-size is implemented.
+
+ 773. [func] Added isc_rwlock_trylock() to attempt to lock without
+ blocking.
+
+ 772. [bug] Owner names could be incorrectly omitted from cache
+ dumps in the presence of negative caching entries.
+ [RT #991]
+
+ 771. [cleanup] TSIG errors related to unsynchronized clocks
+ are logged better. [RT #919]
+
+ 770. [func] Add the "edns yes_or_no" statement to the server
+ clause. [RT #524]
+
+ 769. [func] Improved error reporting when parsing rdata. [RT #740]
+
+ 768. [bug] The server did not emit an SOA when a CNAME
+ or DNAME chain ended in NXDOMAIN in an
+ authoritative zone.
+
+ 767. [placeholder]
+
+ 766. [bug] A few cases in query_find() could leak fname.
+ This would trigger the mpctx->allocated == 0
+ assertion when the server exited.
+ [RT #739, #776, #798, #812, #818, #821, #845,
+ #892, #935, #966]
+
+ 765. [func] ACL names are once again case insensitive, like
+ in BIND 8. [RT #252]
+
+ 764. [func] Configuration files now allow "include" directives
+ in more places, such as inside the "view" statement.
+ [RT #377, #728, #860]
+
+ 763. [func] Configuration files no longer have reserved words.
+ [RT #731, #753]
+
+ 762. [cleanup] The named.conf and rndc.conf file parsers have
+ been completely rewritten.
+
+ 761. [bug] _REENTRANT was still defined when building with
+ --disable-threads.
+
+ 760. [contrib] Significant enhancements to the pgsql sdb driver.
+
+ 759. [bug] The resolver didn't turn off "avoid fetches" mode
+ when restarting, possibly causing resolution
+ to fail when it should not. This bug only affected
+ platforms which support both IPv4 and IPv6. [RT #927]
+
+ 758. [bug] The "avoid fetches" code did not treat negative
+ cache entries correctly, causing fetches that would
+ be useful to be avoided. This bug only affected
+ platforms which support both IPv4 and IPv6. [RT #927]
+
+ 757. [func] Log zone transfers.
+
+ 756. [bug] dns_zone_load() could "return" success when no master
+ file was configured.
+
+ 755. [bug] Fix incorrectly formatted log messages in zone.c.
+
+ 754. [bug] Certain failure conditions sending UDP packets
+ could cause the server to retry the transmission
+ indefinitely. [RT #902]
+
+ 753. [bug] dig, host, and nslookup would fail to contact a
+ remote server if getaddrinfo() returned an IPv6
+ address on a system that doesn't support IPv6.
+ [RT #917]
+
+ 752. [func] Correct bad tv_usec elements returned by
+ gettimeofday().
+
+ 751. [func] Log successful zone loads / transfers. [RT #898]
+
+ 750. [bug] A query should not match a DNAME whose trust level
+ is pending. [RT #916]
+
+ 749. [bug] When a query matched a DNAME in a secure zone, the
+ server did not return the signature of the DNAME.
+ [RT #915]
+
+ 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
+ [RT #781]
+
+ 747. [bug] The code to determine whether an IXFR was possible
+ did not properly check for a database that could
+ not have a journal. [RT #865, #908]
+
+ 746. [bug] The sdb didn't clone rdatasets properly, causing
+ a crash when the server followed delegations. [RT #905]
+
+ 745. [func] Report the owner name of records that fail
+ semantic checks while loading.
+
+ 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
+ result of an ANY or SIG query, the resolver failed
+ to setup the return event's rdatasets, causing an
+ assertion failure in the query code. [RT #881]
+
+ 743. [bug] Receiving a large number of certain malformed
+ answers could cause named to stop responding.
+ [RT #861]
+
+ 742. [placeholder]
+
+ 741. [port] Support openssl-engine. [RT #709]
+
+ 740. [port] Handle openssl library mismatches slightly better.
+
+ 739. [port] Look for /dev/random in configure, rather than
+ assuming it will be there for only a predefined
+ set of OSes.
+
+ 738. [bug] If a non-threadsafe sdb driver supported AXFR and
+ received an AXFR request, it would deadlock or die
+ with an assertion failure. [RT #852]
+
+ 737. [port] stdtime.c failed to compile on certain platforms.
+
+ 736. [func] New functions isc_task_{begin,end}exclusive().
+
+ 735. [doc] Add BIND 4 migration notes.
+
+ 734. [bug] An attempt to re-lock the zone lock could occur if
+ the server was shutdown during a zone transfer.
+ [RT #830]
+
+ 733. [bug] Reference counts of dns_acl_t objects need to be
+ locked but were not. [RT #801, #821]
+
+ 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
+
+ 731. [bug] Certain zone errors could cause named-checkzone to
+ fail ungracefully. [RT #819]
+
+ 730. [bug] lwres_getaddrinfo() returns the correct result when
+ it fails to contact a server. [RT #768]
+
+ 729. [port] pthread_setconcurrency() needs to be called on Solaris.
+
+ 728. [bug] Fix comment processing on master file directives.
+ [RT #757]
+
+ 727. [port] Work around OS bug where accept() succeeds but
+ fails to fill in the peer address of the accepted
+ connection, by treating it as an error rather than
+ an assertion failure. [RT #809]
+
+ 726. [func] Implement the "trace" and "notrace" commands in rndc.
+
+ 725. [bug] Installing man pages could fail.
+
+ 724. [func] New libisc functions isc_netaddr_any(),
+ isc_netaddr_any6().
+
+ 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
+ to return DNS_R_SERVFAIL. [RT #783]
+
+ 722. [func] Allow incremental loads to be canceled.
+
+ 721. [cleanup] Load manager and dns_master_loadfilequota() are no
+ more.
+
+ 720. [bug] Server could enter infinite loop in
+ dispatch.c:do_cancel(). [RT #733]
+
+ 719. [bug] Rapid reloads could trigger an assertion failure.
+ [RT #743, #763]
+
+ 718. [cleanup] "internal" is no longer a reserved word in named.conf.
+ [RT #753, #731]
+
+ 717. [bug] Certain TKEY processing failure modes could
+ reference an uninitialized variable, causing the
+ server to crash. [RT #750]
+
+ 716. [bug] The first line of a $INCLUDE master file was lost if
+ an origin was specified. [RT #744]
+
+ 715. [bug] Resolving some A6 chains could cause an assertion
+ failure in adb.c. [RT #738]
+
+ 714. [bug] Preserve interval timers across reloads unless changed.
+ [RT #729]
+
+ 713. [func] named-checkconf takes '-t directory' similar to named.
+ [RT #726]
+
+ 712. [bug] Sending a large signed update message caused an
+ assertion failure. [RT #718]
+
+ 711. [bug] The libisc and liblwres implementations of
+ inet_ntop contained an off by one error.
+
+ 710. [func] The forwarders statement now takes an optional
+ port. [RT #418]
+
+ 709. [bug] ANY or SIG queries for data with a TTL of 0
+ would return SERVFAIL. [RT #620]
+
+ 708. [bug] When building with --with-openssl, the openssl headers
+ included with BIND 9 should not be used. [RT #702]
+
+ 707. [func] The "filename" argument to named-checkzone is no
+ longer optional, to reduce confusion. [RT #612]
+
+ 706. [bug] Zones with an explicit "allow-update { none; };"
+ were considered dynamic and therefore not reloaded
+ on SIGHUP or "rndc reload".
+
+ 705. [port] Work out resource limit type for use where rlim_t is
+ not available. [RT #695]
+
+ 704. [port] RLIMIT_NOFILE is not available on all platforms.
+ [RT #695]
+
+ 703. [port] sys/select.h is needed on older platforms. [RT #695]
+
+ 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
+ use 127.0.0.1 instead. [RT #693]
+
+ 701. [func] Root hints are now fully optional. Class IN
+ views use compiled-in hints by default, as
+ before. Non-IN views with no root hints now
+ provide authoritative service but not recursion.
+ A warning is logged if a view has neither root
+ hints nor authoritative data for the root. [RT #696]
+
+ 700. [bug] $GENERATE range check was wrong. [RT #688]
+
+ 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
+
+ 698. [bug] Aborting nsupdate with ^C would lead to several
+ race conditions.
+
+ 697. [bug] nsupdate was not compatible with the undocumented
+ BIND 8 behavior of ignoring TTLs in "update delete"
+ commands. [RT #693]
+
+ 696. [bug] lwresd would die with an assertion failure when passed
+ a zero-length name. [RT #692]
+
+ 695. [bug] If the resolver attempted to query a blackholed or
+ bogus server, the resolution would fail immediately.
+
+ 694. [bug] $GENERATE did not produce the last entry.
+ [RT #682, #683]
+
+ 693. [bug] An empty lwres statement in named.conf caused
+ the server to crash while loading.
+
+ 692. [bug] Deal with systems that have getaddrinfo() but not
+ gai_strerror(). [RT #679]
+
+ 691. [bug] Configuring per-view forwarders caused an assertion
+ failure. [RT #675, #734]
+
+ 690. [func] $GENERATE now supports DNAME. [RT #654]
+
+ 689. [doc] man pages are now installed. [RT #210]
+
+ 688. [func] "make tags" now works on systems with the
+ "Exuberant Ctags" etags.
+
+ 687. [bug] Only say we have IPv6, with sufficient functionality,
+ if it has actually been tested. [RT #586]
+
+ 686. [bug] dig and nslookup can now be properly aborted during
+ blocking operations. [RT #568]
+
+ 685. [bug] nslookup should use the search list/domain options
+ from resolv.conf by default. [RT #405, #630]
+
+ 684. [bug] Memory leak with view forwarders. [RT #656]
+
+ 683. [bug] File descriptor leak in isc_lex_openfile().
+
+ 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
+
+ 681. [bug] $GENERATE specifying output format was broken. [RT #653]
+
+ 680. [bug] dns_rdata_fromstruct() mishandled options bigger
+ than 255 octets.
+
+ 679. [bug] $INCLUDE could leak memory and file descriptors on
+ reload. [RT #639]
+
+ 678. [bug] "transfer-format one-answer;" could trigger an assertion
+ failure. [RT #646]
+
+ 677. [bug] dnssec-signzone would occasionally use the wrong ttl
+ for database operations and fail. [RT #643]
+
+ 676. [bug] Log messages about lame servers to category
+ 'lame-servers' rather than 'resolver', so as not
+ to be gratuitously incompatible with BIND 8.
+
+ 675. [bug] TKEY queries could cause the server to leak
+ memory.
+
+ 674. [func] Allow messages to be TSIG signed / verified using
+ a offset from the current time.
+
+ 673. [func] The server can now convert RFC1886-style recursive
+ lookup requests into RFC2874-style lookups, when
+ enabled using the new option "allow-v6-synthesis".
+
+ 672. [bug] The wrong time was in the "time signed" field when
+ replying with BADTIME error.
+
+ 671. [bug] The message code was failing to parse a message with
+ no question section and a TSIG record. [RT #628]
+
+ 670. [bug] The lwres replacements for getaddrinfo and
+ getipnodebyname didn't properly check for the
+ existence of the sockaddr sa_len field.
+
+ 669. [bug] dnssec-keygen now makes the public key file
+ non-world-readable for symmetric keys. [RT #403]
+
+ 668. [func] named-checkzone now reports multiple errors in master
+ files.
+
+ 667. [bug] On Linux, running named with the -u option and a
+ non-world-readable configuration file didn't work.
+ [RT #626]
+
+ 666. [bug] If a request sent by dig is longer than 512 bytes,
+ use TCP.
+
+ 665. [bug] Signed responses were not sent when the size of the
+ TSIG + question exceeded the maximum message size.
+ [RT #628]
+
+ 664. [bug] The t_tasks and t_timers module tests are now skipped
+ when building without threads, since they require
+ threads.
+
+ 663. [func] Accept a size_spec, not just an integer, in the
+ (unimplemented and ignored) max-ixfr-log-size option
+ for compatibility with recent versions of BIND 8.
+ [RT #613]
+
+ 662. [bug] dns_rdata_fromtext() failed to log certain errors.
+
+ 661. [bug] Certain UDP IXFR requests caused an assertion failure
+ (mpctx->allocated == 0). [RT #355, #394, #623]
+
+ 660. [port] Detect multiple CPUs on HP-UX and IRIX.
+
+ 659. [performance] Rewrite the name compression code to be much faster.
+
+ 658. [cleanup] Remove all vestiges of 16 bit global compression.
+
+ 657. [bug] When a listen-on statement in an lwres block does not
+ specify a port, use 921, not 53. Also update the
+ listen-on documentation. [RT #616]
+
+ 656. [func] Treat an unescaped newline in a quoted string as
+ an error. This means that TXT records with missing
+ close quotes should have meaningful errors printed.
+
+ 655. [bug] Improve error reporting on unexpected eof when loading
+ zones. [RT #611]
+
+ 654. [bug] Origin was being forgotten in TCP retries in dig.
+ [RT #574]
+
+ 653. [bug] +defname option in dig was reversed in sense.
+ [RT #549]
+
+ 652. [bug] zone_saveunique() did not report the new name.
+
+ 651. [func] The AD bit in responses now has the meaning
+ specified in <draft-ietf-dnsext-ad-is-secure>.
+
+ 650. [bug] SIG(0) records were being generated and verified
+ incorrectly. [RT #606]
+
+ 649. [bug] It was possible to join to an already running fctx
+ after it had "cloned" its events, but before it sent
+ them. In this case, the event of the newly joined
+ fetch would not contain the answer, and would
+ trigger the INSIST() in fctx_sendevents(). In
+ BIND 9.0, this bug did not trigger an INSIST(), but
+ caused the fetch to fail with a SERVFAIL result.
+ [RT #588, #597, #605, #607]
+
+ 648. [port] Add support for pre-RFC2133 IPv6 implementations.
+
+ 647. [bug] Resolver queries sent after following multiple
+ referrals had excessively long retransmission
+ timeouts due to incorrectly counting the referrals
+ as "restarts".
+
+ 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
+ didn't _cleanly_ fix the problem it was trying to fix.
+
+ 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
+
+ 644. [bug] #622 needed more work. [RT #562]
+
+ 643. [bug] xfrin error messages made more verbose, added class
+ of the zone. [RT #599]
+
+ 642. [bug] Break the exit_check() race in the zone module.
+ [RT #598]
+
+ --- 9.1.0b2 released ---
+
+ 641. [bug] $GENERATE caused a uninitialized link to be used.
+ [RT #595]
+
+ 640. [bug] Memory leak in error path could cause
+ "mpctx->allocated == 0" failure. [RT #584]
+
+ 639. [bug] Reading entropy from the keyboard would sometimes fail.
+ [RT #591]
+
+ 638. [port] lib/isc/random.c needed to explicitly include time.h
+ to get a prototype for time() when pthreads was not
+ being used. [RT #592]
+
+ 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
+ lib/isc/print.c. Also allow lib/isc/print.c to
+ be compiled even if the platform does not need it.
+ [RT #592]
+
+ 636. [port] Shut up MSVC++ about a possible loss of precision
+ in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
+
+ 635. [bug] Reloading a server with a configured blackhole list
+ would cause an assertion. [RT #590]
+
+ 634. [bug] A log file will completely stop being written when
+ it reaches the maximum size in all cases, not just
+ when versioning is also enabled. [RT #570]
+
+ 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
+
+ 632. [bug] The index array of the journal file was
+ corrupted as it was written to disk.
+
+ 631. [port] Build without thread support on systems without
+ pthreads.
+
+ 630. [bug] Locking failure in zone code. [RT #582]
+
+ 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
+ when responding to a UDP IXFR request.
+
+ 628. [bug] If the root hints contained only AAAA addresses,
+ named would be unable to perform resolution.
+
+ 627. [bug] The EDNS0 blackhole detection code of change 324
+ waited for three retransmissions to each server,
+ which takes much too long when a domain has many
+ name servers and all of them drop EDNS0 queries.
+ Now we retry without EDNS0 after three consecutive
+ timeouts, even if they are all from different
+ servers. [RT #143]
+
+ 626. [bug] The lightweight resolver daemon no longer crashes
+ when asked for a SIG rrset. [RT #558]
+
+ 625. [func] Zones now inherit their class from the enclosing view.
+
+ 624. [bug] The zone object could get timer events after it had
+ been destroyed, causing a server crash. [RT #571]
+
+ 623. [func] Added "named-checkconf" and "named-checkzone" program
+ for syntax checking named.conf files and zone files,
+ respectively.
+
+ 622. [bug] A canceled request could be destroyed before
+ dns_request_destroy() was called. [RT #562]
+
+ 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
+ This mostly affects Red Hat Linux 7.0, which has
+ conflicts between libc and the kernel.
+
+ 620. [bug] dns_master_load*inc() now require 'task' and 'load'
+ to be non-null. Also 'done' will not be called if
+ dns_master_load*inc() fails immediately. [RT #565]
+
+ 619. [placeholder]
+
+ 618. [bug] Queries to a signed zone could sometimes cause
+ an assertion failure.
+
+ 617. [bug] When using dynamic update to add a new RR to an
+ existing RRset with a different TTL, the journal
+ entries generated from the update did not include
+ explicit deletions and re-additions of the existing
+ RRs to update their TTL to the new value.
+
+ 616. [func] dnssec-signzone -t output now includes performance
+ statistics.
+
+ 615. [bug] dnssec-signzone did not like child keysets signed
+ by multiple keys.
+
+ 614. [bug] Checks for uninitialized link fields were prone
+ to false positives, causing assertion failures.
+ The checks are now disabled by default and may
+ be re-enabled by defining ISC_LIST_CHECKINIT.
+
+ 613. [bug] "rndc reload zone" now reloads primary zones.
+ It previously only updated slave and stub zones,
+ if an SOA query indicated an out of date serial.
+
+ 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
+ complains relentlessly about how its treatment
+ of 'const' has changed as well as how casting
+ sometimes tightens alignment constraints.
+
+ 611. [func] allow-notify can be used to permit processing of
+ notify messages from hosts other than a slave's
+ masters.
+
+ 610. [func] rndc dumpdb is now supported.
+
+ 609. [bug] getrrsetbyname() would crash lwresd if the server
+ found more SIGs than answers. [RT #554]
+
+ 608. [func] dnssec-signzone now adds a comment to the zone
+ with the time the file was signed.
+
+ 607. [bug] nsupdate would fail if it encountered a CNAME or
+ DNAME in a response to an SOA query. [RT #515]
+
+ 606. [bug] Compiling with --disable-threads failed due
+ to isc_thread_self() being incorrectly defined
+ as an integer rather than a function.
+
+ 605. [func] New function isc_lex_getlasttokentext().
+
+ 604. [bug] The named.conf parser could print incorrect line
+ numbers when long comments were present.
+
+ 603. [bug] Make dig handle multiple types or classes on the same
+ query more correctly.
+
+ 602. [func] Cope automatically with UnixWare's broken
+ IN6_IS_ADDR_* macros. [RT #539]
+
+ 601. [func] Return a non-zero exit code if an update fails
+ in nsupdate.
+
+ 600. [bug] Reverse lookups sometimes failed in dig, etc...
+
+ 599. [func] Added four new functions to the libisc log API to
+ support i18n messages. isc_log_iwrite(),
+ isc_log_ivwrite(), isc_log_iwrite1() and
+ isc_log_ivwrite1() were added.
+
+ 598. [bug] An update-policy statement would cause the server
+ to assert while loading. [RT #536]
+
+ 597. [func] dnssec-signzone is now multi-threaded.
+
+ 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
+ not mutually exclusive.
+
+ 595. [port] On Linux 2.2, socket() returns EINVAL when it
+ should return EAFNOSUPPORT. Work around this.
+ [RT #531]
+
+ 594. [func] sdb drivers are now assumed to not be thread-safe
+ unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
+
+ 593. [bug] If a secure zone was missing all its NXTs and
+ a dynamic update was attempted, the server entered
+ an infinite loop.
+
+ 592. [bug] The sig-validity-interval option now specifies a
+ number of days, not seconds. This matches the
+ documentation. [RT #529]
+
+ --- 9.1.0b1 released ---
+
+ 591. [bug] Work around non-reentrancy in openssl by disabling
+ pre-computation in keys.
+
+ 590. [doc] There are now man pages for the lwres library in
+ doc/man/lwres.
+
+ 589. [bug] The server could deadlock if a zone was updated
+ while being transferred out.
+
+ 588. [bug] ctx->in_use was not being correctly initialized when
+ when pushing a file for $INCLUDE. [RT #523]
+
+ 587. [func] A warning is now printed if the "allow-update"
+ option allows updates based on the source IP
+ address, to alert users to the fact that this
+ is insecure and becoming increasingly so as
+ servers capable of update forwarding are being
+ deployed.
+
+ 586. [bug] multiple views with the same name were fatal. [RT #516]
+
+ 585. [func] dns_db_addrdataset() and dns_rdataslab_merge()
+ now support 'exact' additions in a similar manner to
+ dns_db_subtractrdataset() and dns_rdataslab_subtract().
+
+ 584. [func] You can now say 'notify explicit'; to suppress
+ notification of the servers listed in NS records
+ and notify only those servers listed in the
+ 'also-notify' option.
+
+ 583. [func] "rndc querylog" will now toggle logging of
+ queries, like "ndc querylog" in BIND 8.
+
+ 582. [bug] dns_zone_idetach() failed to lock the zone.
+ [RT #199, #463]
+
+ 581. [bug] log severity was not being correctly processed.
+ [RT #485]
+
+ 580. [func] Ignore trailing garbage on incoming DNS packets,
+ for interoperability with broken server
+ implementations. [RT #491]
+
+ 579. [bug] nsupdate did not take a filename to read update from.
+ [RT #492]
+
+ 578. [func] New config option "notify-source", to specify the
+ source address for notify messages.
+
+ 577. [func] Log illegal RDATA combinations. e.g. multiple
+ singleton types, cname and other data.
+
+ 576. [doc] isc_log_create() description did not match reality.
+
+ 575. [bug] isc_log_create() was not setting internal state
+ correctly to reflect the default channels created.
+
+ 574. [bug] TSIG signed queries sent by the resolver would fail to
+ have their responses validated and would leak memory.
+
+ 573. [bug] The journal files of IXFRed slave zones were
+ inadvertently discarded on server reload, causing
+ "journal out of sync with zone" errors on subsequent
+ reloads. [RT #482]
+
+ 572. [bug] Quoted strings were not accepted as key names in
+ address match lists.
+
+ 571. [bug] It was possible to create an rdataset of singleton
+ type which had more than one rdata. [RT #154]
+ [RT #279]
+
+ 570. [bug] rbtdb.c allowed zones containing nodes which had
+ both a CNAME and "other data". [RT #154]
+
+ 569. [func] The DNSSEC AD bit will not be set on queries which
+ have not requested a DNSSEC response.
+
+ 568. [func] Add sample simple database drivers in contrib/sdb.
+
+ 567. [bug] Setting the zone transfer timeout to zero caused an
+ assertion failure. [RT #302]
+
+ 566. [func] New public function dns_timer_setidle().
+
+ 565. [func] Log queries more like BIND 8: query logging is now
+ done to category "queries", level "info". [RT #169]
+
+ 564. [func] Add sortlist support to lwresd.
+
+ 563. [func] New public functions dns_rdatatype_format() and
+ dns_rdataclass_format(), for convenient formatting
+ of rdata type/class mnemonics in log messages.
+
+ 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
+
+ 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
+ clauses of the options{} statement are now implemented.
+
+ 560. [bug] dns_name_split did not properly the resulting prefix
+ when a maximal length bitstring label was split which
+ was preceded by another bitstring label. [RT #429]
+
+ 559. [bug] dns_name_split did not properly create the suffix
+ when splitting within a maximal length bitstring label.
+
+ 558. [func] New functions, isc_resource_getlimit and
+ isc_resource_setlimit.
+
+ 557. [func] Symbolic constants for libisc integral types.
+
+ 556. [func] The DNSSEC OK bit in the EDNS extended flags
+ is now implemented. Responses to queries without
+ this bit set will not contain any DNSSEC records.
+
+ 555. [bug] A slave server attempting a zone transfer could
+ crash with an assertion failure on certain
+ malformed responses from the master. [RT #457]
+
+ 554. [bug] In some cases, not all of the dnssec tools were
+ properly installed.
+
+ 553. [bug] Incoming zone transfers deferred due to quota
+ were not started when quota was increased but
+ only when a transfer in progress finished. [RT #456]
+
+ 552. [bug] We were not correctly detecting the end of all c-style
+ comments. [RT #455]
+
+ 551. [func] Implemented the 'sortlist' option.
+
+ 550. [func] Support unknown rdata types and classes.
+
+ 549. [bug] "make" did not immediately abort the build when a
+ subdirectory make failed [RT #450].
+
+ 548. [func] The lexer now ungets tokens more correctly.
+
+ 547. [placeholder]
+
+ 546. [func] Option 'lame-ttl' is now implemented.
+
+ 545. [func] Name limit and counting options removed from dig;
+ they didn't work properly, and cannot be correctly
+ implemented without significant changes.
+
+ 544. [func] Add statistics option, enable statistics-file option,
+ add RNDC option "dump-statistics" to write out a
+ query statistics file.
+
+ 543. [doc] The 'port' option is now documented.
+
+ 542. [func] Add support for update forwarding as required for
+ full compliance with RFC2136. It is turned off
+ by default and can be enabled using the
+ 'allow-update-forwarding' option.
+
+ 541. [func] Add bogus server support.
+
+ 540. [func] Add dialup support.
+
+ 539. [func] Support the blackhole option.
+
+ 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
+
+ 537. [placeholder]
+
+ 536. [func] Use transfer-source{-v6} when sending refresh queries.
+ Transfer-source{-v6} now take a optional port
+ parameter for setting the UDP source port. The port
+ parameter is ignored for TCP.
+
+ 535. [func] Use transfer-source{-v6} when forwarding update
+ requests.
+
+ 534. [func] Ancestors have been removed from RBT chains. Ancestor
+ information can be discerned via node parent pointers.
+
+ 533. [func] Incorporated name hashing into the RBT database to
+ improve search speed.
+
+ 532. [func] Implement DNS UPDATE pseudo records using
+ DNS_RDATA_UPDATE flag.
+
+ 531. [func] Rdata really should be initialized before being assigned
+ to (dns_rdata_fromwire(), dns_rdata_fromtext(),
+ dns_rdata_clone(), dns_rdata_fromregion()),
+ check that it is.
+
+ 530. [func] New function dns_rdata_invalidate().
+
+ 529. [bug] 521 contained a bug which caused zones to always
+ reload. [RT #410]
+
+ 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
+ on their arguments. ISC_LIST_XXXXUNSAFE can be use
+ to skip the checks however use with caution.
+
+ 527. [func] New function dns_rdata_clone().
+
+ 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
+ of 0.
+
+ 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
+ and 'flags' for dns_rdataslab_subtract() allowing you
+ to request that the RR's must exist prior to deletion.
+ DNS_R_NOTEXACT is returned if the condition is not met.
+
+ 524. [func] The 'forward' and 'forwarders' statement in
+ non-forward zones should work now.
+
+ 523. [doc] The source to the Administrator Reference Manual is
+ now an XML file using the DocBook DTD, and is included
+ in the distribution. The plain text version of the
+ ARM is temporarily unavailable while we figure out
+ how to generate readable plain text from the XML.
+
+ 522. [func] The lightweight resolver daemon can now use
+ a real configuration file, and its functionality
+ can be provided by a name server. Also, the -p and -P
+ options to lwresd have been reversed.
+
+ 521. [bug] Detect master files which contain $INCLUDE and always
+ reload. [RT #196]
+
+ 520. [bug] Upgraded libtool to 1.3.5, which makes shared
+ library builds almost work on AIX (and possibly
+ others).
+
+ 519. [bug] dns_name_split() would improperly split some bitstring
+ labels, zeroing a few of the least significant bits in
+ the prefix part. When such an improperly created
+ prefix was returned to the RBT database, the bogus
+ label was dutifully stored, corrupting the tree.
+ [RT #369]
+
+ 518. [bug] The resolver did not realize that a DNAME which was
+ "the answer" to the client's query was "the answer",
+ and such queries would fail. [RT #399]
+
+ 517. [bug] The resolver's DNAME code would trigger an assertion
+ if there was more than one DNAME in the chain.
+ [RT #399]
+
+ 516. [bug] Cache lookups which had a NULL node pointer, e.g.
+ those by dns_view_find(), and which would match a
+ DNAME, would trigger an INSIST(!search.need_cleanup)
+ assertion. [RT #399]
+
+ 515. [bug] The ssu table was not being attached / detached
+ by dns_zone_[sg]etssutable. [RT #397]
+
+ 514. [func] Retry refresh and notify queries if they timeout.
+ [RT #388]
+
+ 513. [func] New functionality added to rdnc and server to allow
+ individual zones to be refreshed or reloaded.
+
+ 512. [bug] The zone transfer code could throw an exception with
+ an invalid IXFR stream.
+
+ 511. [bug] The message code could throw an assertion on an
+ out of memory failure. [RT #392]
+
+ 510. [bug] Remove spurious view notify warning. [RT #376]
+
+ 509. [func] Add support for write of zone files on shutdown.
+
+ 508. [func] dns_message_parse() can now do a best-effort
+ attempt, which should allow dig to print more invalid
+ messages.
+
+ 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
+ and dns_view_flushanddetach().
+
+ 506. [func] Do not fail to start on errors in zone files.
+
+ 505. [bug] nsupdate was printing "unknown result code". [RT #373]
+
+ 504. [bug] The zone was not being marked as dirty when updated via
+ IXFR.
+
+ 503. [bug] dumptime was not being set along with
+ DNS_ZONEFLG_NEEDDUMP.
+
+ 502. [func] On a SERVFAIL reply, DiG will now try the next server
+ in the list, unless the +fail option is specified.
+
+ 501. [bug] Incorrect port numbers were being displayed by
+ nslookup. [RT #352]
+
+ 500. [func] Nearly useless +details option removed from DiG.
+
+ 499. [func] In DiG, specifying a class with -c or type with -t
+ changes command-line parsing so that classes and
+ types are only recognized if following -c or -t.
+ This allows hosts with the same name as a class or
+ type to be looked up.
+
+ 498. [doc] There is now a man page for "dig"
+ in doc/man/bin/dig.1.
+
+ 497. [bug] The error messages printed when an IP match list
+ contained a network address with a nonzero host
+ part where not sufficiently detailed. [RT #365]
+
+ 496. [bug] named didn't sanity check numeric parameters. [RT #361]
+
+ 495. [bug] nsupdate was unable to handle large records. [RT #368]
+
+ 494. [func] Do not cache NXDOMAIN responses for SOA queries.
+
+ 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
+ for SOA queries. This makes it easier to locate
+ the containing zone without polluting intermediate
+ caches.
+
+ 492. [bug] attempting to reload a zone caused the server fail
+ to shutdown cleanly. [RT #360]
+
+ 491. [bug] nsupdate would segfault when sending certain
+ prerequisites with empty RDATA. [RT #356]
+
+ 490. [func] When a slave/stub zone has not yet successfully
+ obtained an SOA containing the zone's configured
+ retry time, perform the SOA query retries using
+ exponential backoff. [RT #337]
+
+ 489. [func] The zone manager now has a "i/o" queue.
+
+ 488. [bug] Locks weren't properly destroyed in some cases.
+
+ 487. [port] flockfile() is not defined on all systems.
+
+ 486. [bug] nslookup: "set all" and "server" commands showed
+ the incorrect port number if a port other than 53
+ was specified. [RT #352]
+
+ 485. [func] When dig had more than one server to query, it would
+ send all of the messages at the same time. Add
+ rate limiting of the transmitted messages.
+
+ 484. [bug] When the server was reloaded after removing addresses
+ from the named.conf "listen-on" statement, sockets
+ were still listening on the removed addresses due
+ to reference count loops. [RT #325]
+
+ 483. [bug] nslookup: "set all" showed a "search" option but it
+ was not settable.
+
+ 482. [bug] nslookup: a plain "server" or "lserver" should be
+ treated as a lookup.
+
+ 481. [bug] nslookup:get_next_command() stack size could exceed
+ per thread limit.
+
+ 480. [bug] strtok() is not thread safe. [RT #349]
+
+ 479. [func] The test suite can now be run by typing "make check"
+ or "make test" at the top level.
+
+ 478. [bug] "make install" failed if the directory specified with
+ --prefix did not already exist.
+
+ 477. [bug] The the isc-config.sh script could be installed before
+ its directory was created. [RT #324]
+
+ 476. [bug] A zone could expire while a zone transfer was in
+ progress triggering a INSIST failure. [RT #329]
+
+ 475. [bug] query_getzonedb() sometimes returned a non-null version
+ on failure. This caused assertion failures when
+ generating query responses where names subject to
+ additional section processing pointed to a zone
+ to which access had been denied by means of the
+ allow-query option. [RT #336]
+
+ 474. [bug] The mnemonic of the CHAOS class is CH according to
+ RFC1035, but it was printed and read only as CHAOS.
+ We now accept both forms as input, and print it
+ as CH. [RT #305]
+
+ 473. [bug] nsupdate overran the end of the list of name servers
+ when no servers could be reached, typically causing
+ it to print the error message "dns_request_create:
+ not implemented".
+
+ 472. [bug] Off-by-one error caused isc_time_add() to sometimes
+ produce invalid time values.
+
+ 471. [bug] nsupdate didn't compile on HP/UX 10.20
+
+ 470. [func] $GENERATE is now supported. See also
+ doc/misc/migration.
+
+ 469. [bug] "query-source address * port 53;" now works.
+
+ 468. [bug] dns_master_load*() failed to report file and line
+ number in certain error conditions.
+
+ 467. [bug] dns_master_load*() failed to log an error if
+ pushfile() failed.
+
+ 466. [bug] dns_master_load*() could return success when it failed.
+
+ 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
+ omapi_value_storeint().
+
+ 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
+
+ 463. [bug] nsupdate sent malformed SOA queries to the second
+ and subsequent name servers in resolv.conf if the
+ query sent to the first one failed.
+
+ 462. [bug] --disable-ipv6 should work now.
+
+ 461. [bug] Specifying an unknown key in the "keys" clause of the
+ "controls" statement caused a NULL pointer dereference.
+ [RT #316]
+
+ 460. [bug] Much of the DNSSEC code only worked with class IN.
+
+ 459. [bug] Nslookup processed the "set" command incorrectly.
+
+ 458. [bug] Nslookup didn't properly check class and type values.
+ [RT #305]
+
+ 457. [bug] Dig/host/hslookup didn't properly handle connect
+ timeouts in certain situations, causing an
+ unnecessary warning message to be printed.
+
+ 456. [bug] Stub zones were not resetting the refresh and expire
+ counters, loadtime or clearing the DNS_ZONE_REFRESH
+ (refresh in progress) flag upon successful update.
+ This disabled further refreshing of the stub zone,
+ causing it to eventually expire. [RT #300]
+
+ 455. [doc] Document IPv4 prefix notation does not require a
+ dotted decimal quad but may be just dotted decimal.
+
+ 454. [bug] Enforce dotted decimal and dotted decimal quad where
+ documented as such in named.conf. [RT #304, RT #311]
+
+ 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
+ is specified in named.conf. [RT #306]
+
+ 452. [bug] Warn if the unimplemented option "statistics-file"
+ is specified in named.conf. [RT #301]
+
+ 451. [func] Update forwarding implemented.
+
+ 450. [func] New function ns_client_sendraw().
+
+ 449. [bug] isc_bitstring_copy() only works correctly if the
+ two bitstrings have the same lsb0 value, but this
+ requirement was not documented, nor was there a
+ REQUIRE for it.
+
+ 448. [bug] Host output formatting change, to match v8. [RT #255]
+
+ 447. [bug] Dig didn't properly retry in TCP mode after
+ a truncated reply. [RT #277]
+
+ 446. [bug] Confusing notify log message. [RT #298]
+
+ 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
+ bitstring triggered a REQUIRE statement. The REQUIRE
+ statement was incorrect. [RT #297]
+
+ 444. [func] "recursion denied" messages are always logged at
+ debug level 1, now, rather than sometimes at ERROR.
+ This silences these warnings in the usual case, where
+ some clients set the RD bit in all queries.
+
+ 443. [bug] When loading a master file failed because of an
+ unrecognized RR type name, the error message
+ did not include the file name and line number.
+ [RT #285]
+
+ 442. [bug] TSIG signed messages that did not match any view
+ crashed the server. [RT #290]
+
+ 441. [bug] Nodes obscured by a DNAME were inaccessible even
+ when DNS_DBFIND_GLUEOK was set.
+
+ 440. [func] New function dns_zone_forwardupdate().
+
+ 439. [func] New function dns_request_createraw().
+
+ 438. [func] New function dns_message_getrawmessage().
+
+ 437. [func] Log NOTIFY activity to the notify channel.
+
+ 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
+ which sometimes happens on Linux, named would enter
+ a busy loop. Also, unexpected socket errors were
+ not logged at a high enough logging level to be
+ useful in diagnosing this situation. [RT #275]
+
+ 435. [bug] dns_zone_dump() overwrote existing zone files
+ rather than writing to a temporary file and
+ renaming. This could lead to empty or partial
+ zone files being left around in certain error
+ conditions involving the initial transfer of a
+ slave zone, interfering with subsequent server
+ startup. [RT #282]
+
+ 434. [func] New function isc_file_isabsolute().
+
+ 433. [func] isc_base64_decodestring() now accepts newlines
+ within the base64 data. This makes it possible
+ to break up the key data in a "trusted-keys"
+ statement into multiple lines. [RT #284]
+
+ 432. [func] Added refresh/retry jitter. The actual refresh/
+ retry time is now a random value between 75% and
+ 100% of the configured value.
+
+ 431. [func] Log at ISC_LOG_INFO when a zone is successfully
+ loaded.
+
+ 430. [bug] Rewrote the lightweight resolver client management
+ code to handle shutdown correctly and general
+ cleanup.
+
+ 429. [bug] The space reserved for a TSIG record in a response
+ was 2 bytes too short, leading to message
+ generation failures.
+
+ 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
+ DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
+ (e.g. glue). This could cause SERVFAILs when
+ generating negative responses in a secure zone.
+
+ 427. [bug] Avoid going into an infinite loop when the validator
+ gets a negative response to a key query where the
+ records are signed by the missing key.
+
+ 426. [bug] Attempting to generate an oversized RSA key could
+ cause dnssec-keygen to dump core.
+
+ 425. [bug] Warn about the auth-nxdomain default value change
+ if there is no auth-nxdomain statement in the
+ config file. [RT #287]
+
+ 424. [bug] notify_createmessage() could trigger an assertion
+ failure when creating the notify message failed,
+ e.g. due to corrupt zones with multiple SOA records.
+ [RT #279]
+
+ 423. [bug] When responding to a recursive query, errors that occur
+ after following a CNAME should cause the query to fail.
+ [RT #274]
+
+ 422. [func] get rid of isc_random_t, and make isc_random_get()
+ and isc_random_jitter() use rand() internally
+ instead of local state. Note that isc_random_*()
+ functions are only for weak, non-critical "randomness"
+ such as timing jitter and such.
+
+ 421. [bug] nslookup would exit when given a blank line as input.
+
+ 420. [bug] nslookup failed to implement the "exit" command.
+
+ 419. [bug] The certificate type PKIX was misspelled as SKIX.
+
+ 418. [bug] At debug levels >= 10, getting an unexpected
+ socket receive error would crash the server
+ while trying to log the error message.
+
+ 417. [func] Add isc_app_block() and isc_app_unblock(), which
+ allow an application to handle signals while
+ blocking.
+
+ 416. [bug] Slave zones with no master file tried to use a
+ NULL pointer for a journal file name when they
+ received an IXFR. [RT #273]
+
+ 415. [bug] The logging code leaked file descriptors.
+
+ 414. [bug] Server did not shut down until all incoming zone
+ transfers were finished.
+
+ 413. [bug] Notify could attempt to use the zone database after
+ it had been unloaded. [RT #267]
+
+ 412. [bug] named -v didn't print the version.
+
+ 411. [bug] A typo in the HS A code caused an assertion failure.
+
+ 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
+ to a random value on success.
+
+ 409. [bug] If named was shut down early in the startup
+ process, ns_omapi_shutdown() would attempt to lock
+ an uninitialized mutex. [RT #262]
+
+ 408. [bug] stub zones could leak memory and reference counts if
+ all the masters were unreachable.
+
+ 407. [bug] isc_rwlock_lock() would needlessly block
+ readers when it reached the read quota even
+ if no writers were waiting.
+
+ 406. [bug] Log messages were occasionally lost or corrupted
+ due to a race condition in isc_log_doit().
+
+ 405. [func] Add support for selective forwarding (forward zones)
+
+ 404. [bug] The request library didn't completely work with IPv6.
+
+ 403. [bug] "host" did not use the search list.
+
+ 402. [bug] Treat undefined acls as errors, rather than
+ warning and then later throwing an assertion.
+ [RT #252]
+
+ 401. [func] Added simple database API.
+
+ 400. [bug] SIG(0) signing and verifying was done incorrectly.
+ [RT #249]
+
+ 399. [bug] When reloading the server with a config file
+ containing a syntax error, it could catch an
+ assertion failure trying to perform zone
+ maintenance on, or sending notifies from,
+ tentatively created zones whose views were
+ never fully configured and lacked an address
+ database and request manager.
+
+ 398. [bug] "dig" sometimes caught an assertion failure when
+ using TSIG, depending on the key length.
+
+ 397. [func] Added utility functions dns_view_gettsig() and
+ dns_view_getpeertsig().
+
+ 396. [doc] There is now a man page for "nsupdate"
+ in doc/man/bin/nsupdate.8.
+
+ 395. [bug] nslookup printed incorrect RR type mnemonics
+ for RRs of type >= 21 [RT #237].
+
+ 394. [bug] Current name was not propagated via $INCLUDE.
+
+ 393. [func] Initial answer while loading (awl) support.
+ Entry points: dns_master_loadfileinc(),
+ dns_master_loadstreaminc(), dns_master_loadbufferinc().
+ Note: calls to dns_master_load*inc() should be rate
+ be rate limited so as to not use up all file
+ descriptors.
+
+ 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
+ not support the given address family requested.
+
+ 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
+
+ 390. [func] The function dns_zone_setdbtype() now takes
+ an argc/argv style vector of words and sets
+ both the zone database type and its arguments,
+ making the functions dns_zone_adddbarg()
+ and dns_zone_cleardbargs() unnecessary.
+
+ 389. [bug] Attempting to send a request over IPv6 using
+ dns_request_create() on a system without IPv6
+ support caused an assertion failure [RT #235].
+
+ 388. [func] dig and host can now do reverse ipv6 lookups.
+
+ 387. [func] Add dns_byaddr_createptrname(), which converts
+ an address into the name used by a PTR query.
+
+ 386. [bug] Missing strdup() of ACL name caused random
+ ACL matching failures [RT #228].
+
+ 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
+ and dns_zt_print().
+
+ 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
+ of 2147483647.
+
+ 383. [func] When writing a master file, print the SOA and NS
+ records (and their SIGs) before other records.
+
+ 382. [bug] named -u failed on many Linux systems where the
+ libc provided kernel headers do not match
+ the current kernel.
+
+ 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
+ IPV6_PKTINFO if found. [RT #229]
+
+ 380. [bug] nsupdate didn't work with IPv6.
+
+ 379. [func] New library function isc_sockaddr_anyofpf().
+
+ 378. [func] named and lwresd will log the command line arguments
+ they were started with in the "starting ..." message.
+
+ 377. [bug] When additional data lookups were refused due to
+ "allow-query", the databases were still being
+ attached causing reference leaks.
+
+ 376. [bug] The server should always use good entropy when
+ performing cryptographic functions needing entropy.
+
+ 375. [bug] Per-zone "allow-query" did not properly override the
+ view/global one for CNAME targets and additional
+ data [RT #220].
+
+ 374. [bug] SOA in authoritative negative responses had wrong TTL.
+
+ 373. [func] nslookup is now installed by "make install".
+
+ 372. [bug] Deal with Microsoft DNS servers appending two bytes of
+ garbage to zone transfer requests.
+
+ 371. [bug] At high debug levels, doing an outgoing zone transfer
+ of a very large RRset could cause an assertion failure
+ during logging.
+
+ 370. [bug] The error messages for roll-forward failures were
+ overly terse.
+
+ 369. [func] Support new named.conf options, view and zone
+ statements:
+
+ max-retry-time, min-retry-time,
+ max-refresh-time, min-refresh-time.
+
+ 368. [func] Restructure the internal ".bind" view so that more
+ zones can be added to it.
+
+ 367. [bug] Allow proper selection of server on nslookup command
+ line.
+
+ 366. [func] Allow use of '-' batch file in dig for stdin.
+
+ 365. [bug] nsupdate -k leaked memory.
+
+ 364. [func] Added additional-from-{cache,auth}
+
+ 363. [placeholder]
+
+ 362. [bug] rndc no longer aborts if the configuration file is
+ missing an options statement. [RT #209]
+
+ 361. [func] When the RBT find or chain functions set the name and
+ origin for a node that stores the root label
+ the name is now set to an empty name, instead of ".",
+ to simplify later use of the name and origin by
+ dns_name_concatenate(), dns_name_totext() or
+ dns_name_format().
+
+ 360. [func] dns_name_totext() and dns_name_format() now allow
+ an empty name to be passed, which is formatted as "@".
+
+ 359. [bug] dnssec-signzone occasionally signed glue records.
+
+ 358. [cleanup] Rename the intermediate files used by the dnssec
+ programs.
+
+ 357. [bug] The zone file parser crashed if the argument
+ to $INCLUDE was a quoted string.
+
+ 356. [cleanup] isc_task_send no longer requires event->sender to
+ be non-null.
+
+ 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
+
+ 354. [doc] Man pages for the dnssec tools are now included in
+ the distribution, in doc/man/dnssec.
+
+ 353. [bug] double increment in lwres/gethost.c:copytobuf().
+ [RT #187]
+
+ 352. [bug] Race condition in dns_client_t startup could cause
+ an assertion failure.
+
+ 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
+ signed query could crash the server.
+
+ 350. [bug] Also-notify lists specified in the global options
+ block were not correctly reference counted, causing
+ a memory leak.
+
+ 349. [bug] Processing a query with the CD bit set now works
+ as expected.
+
+ 348. [func] New boolean named.conf options 'additional-from-auth'
+ and 'additional-from-cache' now supported in view and
+ global options statement.
+
+ 347. [bug] Don't crash if an argument is left off options in dig.
+
+ 346. [placeholder]
+
+ 345. [bug] Large-scale changes/cleanups to dig:
+ * Significantly improve structure handling
+ * Don't pre-load entire batch files
+ * Add name/rr counting/limiting
+ * Fix SIGINT handling
+ * Shorten timeouts to match v8's behavior
+
+ 344. [bug] When shutting down, lwresd sometimes tried
+ to shut down its client tasks twice,
+ triggering an assertion.
+
+ 343. [bug] Although zone maintenance SOA queries and
+ notify requests were signed with TSIG keys
+ when configured for the server in case,
+ the TSIG was not verified on the response.
+
+ 342. [bug] The wrong name was being passed to
+ dns_name_dup() when generating a TSIG
+ key using TKEY.
+
+ 341. [func] Support 'key' clause in named.conf zone masters
+ statement to allow authentication via TSIG keys:
+
+ masters {
+ 10.0.0.1 port 5353 key "foo";
+ 10.0.0.2 ;
+ };
+
+ 340. [bug] The top-level COPYRIGHT file was missing from
+ the distribution.
+
+ 339. [bug] DNSSEC validation of the response to an ANY
+ query at a name with a CNAME RR in a secure
+ zone triggered an assertion failure.
+
+ 338. [bug] lwresd logged to syslog as named, not lwresd.
+
+ 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
+ on the command line.
+
+ 336. [bug] "dig -f" used 64 k of memory for each line in
+ the file. It now uses much less, though still
+ proportionally to the file size.
+
+ 335. [bug] named would occasionally attempt recursion when
+ it was disallowed or undesired.
+
+ 334. [func] Added hmac-md5 to libisc.
+
+ 333. [bug] The resolver incorrectly accepted referrals to
+ domains that were not parents of the query name,
+ causing assertion failures.
+
+ 332. [func] New function dns_name_reset().
+
+ 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
+
+ 330. [bug] Many debugging messages were partially formatted
+ even when debugging was turned off, causing a
+ significant decrease in query performance.
+
+ 329. [func] omapi_auth_register() now takes a size_t argument for
+ the length of a key's secret data. Previously
+ OMAPI only stored secrets up to the first NUL byte.
+
+ 328. [func] Added isc_base64_decodestring().
+
+ 327. [bug] rndc.conf parser wasn't correctly recognizing an IP
+ address where a host specification was required.
+
+ 326. [func] 'keys' in an 'inet' control statement is now
+ required and must have at least one item in it.
+ A "not supported" warning is now issued if a 'unix'
+ control channel is defined.
+
+ 325. [bug] isc_lex_gettoken was processing octal strings when
+ ISC_LEXOPT_CNUMBER was not set.
+
+ 324. [func] In the resolver, turn EDNS0 off if there is no
+ response after a number of retransmissions.
+ This is to allow queries some chance of succeeding
+ even if all the authoritative servers of a zone
+ silently discard EDNS0 requests instead of
+ sending an error response like they ought to.
+
+ 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
+ Because of this, servers authoritative for a parent
+ and grandchild zone but not authoritative for the
+ intervening child zone did not correctly issue
+ referrals to the servers of the child zone.
+
+ 322. [bug] Queries for KEY RRs are now sent to the parent
+ server before the authoritative one, making
+ DNSSEC insecurity proofs work in many cases
+ where they previously didn't.
+
+ 321. [bug] When synthesizing a CNAME RR for a DNAME
+ response, query_addcname() failed to initialize
+ the type and class of the CNAME dns_rdata_t,
+ causing random failures.
+
+ 320. [func] Multiple rndc changes: parses an rndc.conf file,
+ uses authentication to talk to named, command
+ line syntax changed. This will all be described
+ in the ARM.
+
+ 319. [func] The named.conf "controls" statement is now used
+ to configure the OMAPI command channel.
+
+ 318. [func] dns_c_ndcctx_destroy() could never return anything
+ except ISC_R_SUCCESS; made it have void return instead.
+
+ 317. [func] Use callbacks from libomapi to determine if a
+ new connection is valid, and if a key requested
+ to be used with that connection is valid.
+
+ 316. [bug] Generate a warning if we detect an unexpected <eof>
+ but treat as <eol><eof>.
+
+ 315. [bug] Handle non-empty blanks lines. [RT #163]
+
+ 314. [func] The named.conf controls statement can now have
+ more than one key specified for the inet clause.
+
+ 313. [bug] When parsing resolv.conf, don't terminate on an
+ error. Instead, parse as much as possible, but
+ still return an error if one was found.
+
+ 312. [bug] Increase the number of allowed elements in the
+ resolv.conf search path from 6 to 8. If there
+ are more than this, ignore the remainder rather
+ than returning a failure in lwres_conf_parse.
+
+ 311. [bug] lwres_conf_parse failed when the first line of
+ resolv.conf was empty or a comment.
+
+ 310. [func] Changes to named.conf "controls" statement (inet
+ subtype only)
+
+ - support "keys" clause
+
+ controls {
+ inet * port 1024
+ allow { any; } keys { "foo"; }
+ }
+
+ - allow "port xxx" to be left out of statement,
+ in which case it defaults to omapi's default port
+ of 953.
+
+ 309. [bug] When sending a referral, the server did not look
+ for name server addresses as glue in the zone
+ holding the NS RRset in the case where this zone
+ was not the same as the one where it looked for
+ name server addresses as authoritative data.
+
+ 308. [bug] Treat a SOA record not at top of zone as an error
+ when loading a zone. [RT #154]
+
+ 307. [bug] When canceling a query, the resolver didn't check for
+ isc_socket_sendto() calls that did not yet have their
+ completion events posted, so it could (rarely) end up
+ destroying the query context and then want to use
+ it again when the send event posted, triggering an
+ assertion as it tried to cancel an already-canceled
+ query. [RT #77]
+
+ 306. [bug] Reading HMAC-MD5 private key files didn't work.
+
+ 305. [bug] When reloading the server with a config file
+ containing a syntax error, it could catch an
+ assertion failure trying to perform zone
+ maintenance on tentatively created zones whose
+ views were never fully configured and lacked
+ an address database.
+
+ 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
+ are listed in resolv.conf, silently ignore them
+ instead of returning failure.
+
+ 303. [bug] Add additional sanity checks to differentiate a AXFR
+ response vs a IXFR response. [RT #157]
+
+ 302. [bug] In dig, host, and nslookup, MXNAME should be large
+ enough to hold any legal domain name in presentation
+ format + terminating NULL.
+
+ 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
+
+ 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
+ on platforms lacking IPv6 because each included their
+ own ipv6 header file for the missing definitions. Now
+ each library's ipv6.h defines the wrapper symbol of
+ the other (ISC_IPV6_H and LWRES_IPV6_H).
+
+ 299. [cleanup] Get the user and group information before changing the
+ root directory, so the administrator does not need to
+ keep a copy of the user and group databases in the
+ chroot'ed environment. Suggested by Hakan Olsson.
+
+ 298. [bug] A mutex deadlock occurred during shutdown of the
+ interface manager under certain conditions.
+ Digital Unix systems were the most affected.
+
+ 297. [bug] Specifying a key name that wasn't fully qualified
+ in certain parts of the config file could cause
+ an assertion failure.
+
+ 296. [bug] "make install" from a separate build directory
+ failed unless configure had been run in the source
+ directory, too.
+
+ 295. [bug] When invoked with type==CNAME and a message
+ not constructed by dns_message_parse(),
+ dns_message_findname() failed to find anything
+ due to checking for attribute bits that are set
+ only in dns_message_parse(). This caused an
+ infinite loop when constructing the response to
+ an ANY query at a CNAME in a secure zone.
+
+ 294. [bug] If we run out of space in while processing glue
+ when reading a master file and commit "current name"
+ reverts to "name_current" instead of staying as
+ "name_glue".
+
+ 293. [port] Add support for FreeBSD 4.0 system tests.
+
+ 292. [bug] Due to problems with the way some operating systems
+ handle simultaneous listening on IPv4 and IPv6
+ addresses, the server no longer listens on IPv6
+ addresses by default. To revert to the previous
+ behavior, specify "listen-on-v6 { any; };" in
+ the config file.
+
+ 291. [func] Caching servers no longer send outgoing queries
+ over TCP just because the incoming recursive query
+ was a TCP one.
+
+ 290. [cleanup] +twiddle option to dig (for testing only) removed.
+
+ 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
+ host is now installed in $bindir. (Be sure to remove
+ any $sbindir/dig from a previous release.)
+
+ 288. [func] rndc is now installed by "make install" into $sbindir.
+
+ 287. [bug] rndc now works again as "rndc 127.1 reload" (for
+ only that task). Parsing its configuration file and
+ using digital signatures for authentication has been
+ disabled until named supports the "controls" statement,
+ post-9.0.0.
+
+ 286. [bug] On Solaris 2, when named inherited a signal state
+ where SIGHUP had the SIG_IGN action, SIGHUP would
+ be ignored rather than causing the server to reload
+ its configuration.
+
+ 285. [bug] A change made to the dst API for beta4 inadvertently
+ broke OMAPI's creation of a dst key from an incoming
+ message, causing an assertion to be triggered. Fixed.
+
+ 284. [func] The DNSSEC key generation and signing tools now
+ generate randomness from keyboard input on systems
+ that lack /dev/random.
+
+ 283. [cleanup] The 'lwresd' program is now a link to 'named'.
+
+ 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
+ too big for an unsigned long.
+
+ 281. [bug] Fixed list of recognized config file category names.
+
+ 280. [func] Add isc-config.sh, which can be used to more
+ easily build applications that link with
+ our libraries.
+
+ 279. [bug] Private omapi function symbols shared between
+ two or more files in libomapi.a were not namespace
+ protected using the ISC convention of starting with
+ the library name and two underscores ("omapi__"...)
+
+ 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
+ note of when isc_log_categorybyname() wasn't able
+ to find the category name and would then apply the
+ channel list of the unknown category to all categories.
+
+ 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
+ would fail to find the first member of any category
+ or module array apart from the internal defaults.
+ Thus, for example, the "notify" category was improperly
+ configured by named.
+
+ 276. [bug] dig now supports maximum sized TCP messages.
+
+ 275. [bug] The definition of lwres_gai_strerror() was missing
+ the lwres_ prefix.
+
+ 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
+ server.
+
+ 273. [func] The default for the 'transfer-format' option is
+ now 'many-answers'. This will break zone transfers
+ to BIND 4.9.5 and older unless there is an explicit
+ 'one-answer' configuration.
+
+ 272. [bug] The sending of large TCP responses was canceled
+ in mid-transmission due to a race condition
+ caused by the failure to set the client object's
+ "newstate" variable correctly when transitioning
+ to the "working" state.
+
+ 271. [func] Attempt to probe the number of cpus in named
+ if unspecified rather than defaulting to 1.
+
+ 270. [func] Allow maximum sized TCP answers.
+
+ 269. [bug] Failed DNSSEC validations could cause an assertion
+ failure by causing clone_results() to be called with
+ with hevent->node == NULL.
+
+ 268. [doc] A plain text version of the Administrator
+ Reference Manual is now included in the distribution,
+ as doc/arm/Bv9ARM.txt.
+
+ 267. [func] Nsupdate is now provided in the distribution.
+
+ 266. [bug] zone.c:save_nsrrset() node was not initialized.
+
+ 265. [bug] dns_request_create() now works for TCP.
+
+ 264. [func] Dispatch can not take TCP sockets in connecting
+ state. Set DNS_DISPATCHATTR_CONNECTED when calling
+ dns_dispatch_createtcp() for connected TCP sockets
+ or call dns_dispatch_starttcp() when the socket is
+ connected.
+
+ 263. [func] New logging channel type 'stderr'
+
+ channel some-name {
+ stderr;
+ severity error;
+ }
+
+ 262. [bug] 'master' was not initialized in zone.c:stub_callback().
+
+ 261. [func] Add dns_zone_markdirty().
+
+ 260. [bug] Running named as a non-root user failed on Linux
+ kernels new enough to support retaining capabilities
+ after setuid().
+
+ 259. [func] New random-device and random-seed-file statements
+ for global options block of named.conf. Both accept
+ a single string argument.
+
+ 258. [bug] Fixed printing of lwres_addr_t.address field.
+
+ 257. [bug] The server detached the last zone manager reference
+ too early, while it could still be in use by queries.
+ This manifested itself as assertion failures during the
+ shutdown process for busy name servers. [RT #133]
+
+ 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
+ isc_ratelimiter_shutdown guarantees that the rate
+ limiter is detached from its task.
+
+ 255. [func] New function dns_zonemgr_attach().
+
+ 254. [bug] Suppress "query denied" messages on additional data
+ lookups.
+
+ --- 9.0.0b4 released ---
+
+ 253. [func] resolv.conf parser now recognizes ';' and '#' as
+ comments (anywhere in line, not just as the beginning).
+
+ 252. [bug] resolv.conf parser mishandled masks on sortlists.
+ It also aborted when an unrecognized keyword was seen,
+ now it silently ignores the entire line.
+
+ 251. [bug] lwresd caught an assertion failure on startup.
+
+ 250. [bug] fixed handling of size+unit when value would be too
+ large for internal representation.
+
+ 249. [cleanup] max-cache-size config option now takes a size-spec
+ like 'datasize', except 'default' is not allowed.
+
+ 248. [bug] global lame-ttl option was not being printed when
+ config structures were written out.
+
+ 247. [cleanup] Rename cache-size config option to max-cache-size.
+
+ 246. [func] Rename global option cachesize to cache-size and
+ add corresponding option to view statement.
+
+ 245. [bug] If an uncompressed name will take more than 255
+ bytes and the buffer is sufficiently long,
+ dns_name_fromwire should return DNS_R_FORMERR,
+ not ISC_R_NOSPACE. This bug caused cause the
+ server to catch an assertion failure when it
+ received a query for a name longer than 255
+ bytes.
+
+ 244. [bug] empty named.conf file and empty options statement are
+ now parsed properly.
+
+ 243. [func] new cachesize option for named.conf
+
+ 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
+
+ 241. [cleanup] nscount and soacount have been removed from the
+ dns_master_*() argument lists.
+
+ 240. [func] databases now come in three flavours: zone, cache
+ and stub.
+
+ 239. [func] If ISC_MEM_DEBUG is enabled, the variable
+ isc_mem_debugging controls whether messages
+ are printed or not.
+
+ 238. [cleanup] A few more compilation warnings have been quieted:
+ + missing sigwait prototype on BSD/OS 4.0/4.0.1.
+ + PTHREAD_ONCE_INIT unbraced initializer warnings on
+ Solaris 2.8.
+ + IN6ADDR_ANY_INIT unbraced initializer warnings on
+ BSD/OS 4.*, Linux and Solaris 2.8.
+
+ 237. [bug] If connect() returned ENOBUFS when the resolver was
+ initiating a TCP query, the socket didn't get
+ destroyed, and the server did not shut down cleanly.
+
+ 236. [func] Added new listen-on-v6 config file statement.
+
+ 235. [func] Consider it a config file error if a listen-on
+ statement has an IPv6 address in it, or a
+ listen-on-v6 statement has an IPv4 address in it.
+
+ 234. [bug] Allow a trusted-key's first field (domain-name) be
+ either a quoted or an unquoted string, instead of
+ requiring a quoted string.
+
+ 233. [cleanup] Convert all config structure integer values to unsigned
+ integer (isc_uint32_t) to match grammar.
+
+ 232. [bug] Allow slave zones to not have a file.
+
+ 231. [func] Support new 'port' clause in config file options
+ section. Causes 'listen-on', 'masters' and
+ 'also-notify' statements to use its value instead of
+ default (53).
+
+ 230. [func] Replace the dst sign/verify API with a cleaner one.
+
+ 229. [func] Support config file sig-validity-interval statement
+ in options, views and zone statements (master
+ zones only).
+
+ 228. [cleanup] Logging messages in config module stripped of
+ trailing period.
+
+ 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
+ dns_rcode_*, dns_opcode_*, and dns_trust_* are
+ also now cast to their appropriate types, as with
+ dns_rdatatype_* in item number 225 below.
+
+ 226. [func] dns_name_totext() now always prints the root name as
+ '.', even when omit_final_dot is true.
+
+ 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
+ cast to dns_rdatatype_t via macros of their same name
+ so that they are of the proper integral type wherever
+ a dns_rdatatype_t is needed.
+
+ 224. [cleanup] The entire project builds cleanly with gcc's
+ -Wcast-qual and -Wwrite-strings warnings enabled,
+ which is now the default when using gcc. (Warnings
+ from confparser.c, because of yacc's code, are
+ unfortunately to be expected.)
+
+ 223. [func] Several functions were re-prototyped to qualify one
+ or more of their arguments with "const". Similarly,
+ several functions that return pointers now have
+ those pointers qualified with const.
+
+ 222. [bug] The global 'also-notify' option was ignored.
+
+ 221. [bug] An uninitialized variable was sometimes passed to
+ dns_rdata_freestruct() when loading a zone, causing
+ an assertion failure.
+
+ 220. [cleanup] Set the default outgoing port in the view, and
+ set it in sockaddrs returned from the ADB.
+ [31-May-2000 explorer]
+
+ 219. [bug] Signed truncated messages more correctly follow
+ the respective specs.
+
+ 218. [func] When an rdataset is signed, its ttl is normalized
+ based on the signature validity period.
+
+ 217. [func] Also-notify and trusted-keys can now be used in
+ the 'view' statement.
+
+ 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
+ now work.
+
+ 215. [bug] Failures at certain points in request processing
+ could cause the assertion INSIST(client->lockview
+ == NULL) to be triggered.
+
+ 214. [func] New public function isc_netaddr_format(), for
+ formatting network addresses in log messages.
+
+ 213. [bug] Don't leak memory when reloading the zone if
+ an update-policy clause was present in the old zone.
+
+ 212. [func] Added dns_message_get/settsigkey, to make TSIG
+ key management reasonable.
+
+ 211. [func] The 'key' and 'server' statements can now occur
+ inside 'view' statements.
+
+ 210. [bug] The 'allow-transfer' option was ignored for slave
+ zones, and the 'transfers-per-ns' option was
+ was ignored for all zones.
+
+ 209. [cleanup] Upgraded openssl files to new version 0.9.5a
+
+ 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
+ of an isc_offset_t.
+
+ 207. [func] The dnssec tools properly use the logging subsystem.
+
+ 206. [cleanup] dst now stores the key name as a dns_name_t, not
+ a char *.
+
+ 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
+ ("prototyped function redeclared without prototype")
+ and 1552 ("variable ... set but not used") when
+ compiling in the lib/dns/sec/{dnssafe,openssl}
+ directories, which contain code imported from outside
+ sources.
+
+ 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
+ to quiet the warnings that "The linked output may not
+ run on a PA 1.x system."
+
+ 203. [func] notify and zone soa queries are now tsig signed when
+ appropriate.
+
+ 202. [func] isc_lex_getsourceline() changed from returning int
+ to returning unsigned long, the type of its underlying
+ counter.
+
+ 201. [cleanup] Removed the test/sdig program, it has been
+ replaced by bin/dig/dig.
+
+ --- 9.0.0b3 released ---
+
+ 200. [bug] Failures in sending query responses to clients
+ (e.g., running out of network buffers) were
+ not logged.
+
+ 199. [bug] isc_heap_delete() sometimes violated the heap
+ invariant, causing timer events not to be posted
+ when due.
+
+ 198. [func] Dispatch managers hold memory pools which
+ any managed dispatcher may use. This allows
+ us to avoid dipping into the memory context for
+ most allocations. [19-May-2000 explorer]
+
+ 197. [bug] When an incoming AXFR or IXFR completes, the
+ zone's internal state is refreshed from the
+ SOA data. [19-May-2000 explorer]
+
+ 196. [func] Dispatchers can be shared easily between views
+ and/or interfaces. [19-May-2000 explorer]
+
+ 195. [bug] Including the NXT record of the root domain
+ in a negative response caused an assertion
+ failure.
+
+ 194. [doc] The PDF version of the Administrator's Reference
+ Manual is no longer included in the ISC BIND9
+ distribution.
+
+ 193. [func] changed dst_key_free() prototype.
+
+ 192. [bug] Zone configuration validation is now done at end
+ of config file parsing, and before loading
+ callbacks.
+
+ 191. [func] Patched to compile on UnixWare 7.x. This platform
+ is not directly supported by the ISC.
+
+ 190. [cleanup] The DNSSEC tools have been moved to a separate
+ directory dnssec/ and given the following new,
+ more descriptive names:
+
+ dnssec-keygen
+ dnssec-signzone
+ dnssec-signkey
+ dnssec-makekeyset
+
+ Their command line arguments have also been changed to
+ be more consistent. dnssec-keygen now prints the
+ name of the generated key files (sans extension)
+ on standard output to simplify its use in automated
+ scripts.
+
+ 189. [func] isc_time_secondsastimet(), a new function, will ensure
+ that the number of seconds in an isc_time_t does not
+ exceed the range of a time_t, or return ISC_R_RANGE.
+ Similarly, isc_time_now(), isc_time_nowplusinterval(),
+ isc_time_add() and isc_time_subtract() now check the
+ range for overflow/underflow. In the case of
+ isc_time_subtract, this changed a calling requirement
+ (ie, something that could generate an assertion)
+ into merely a condition that returns an error result.
+ isc_time_add() and isc_time_subtract() were void-
+ valued before but now return isc_result_t.
+
+ 188. [func] Log a warning message when an incoming zone transfer
+ contains out-of-zone data.
+
+ 187. [func] isc_ratelimiter_enqueue() has an additional argument
+ 'task'.
+
+ 186. [func] dns_request_getresponse() has an additional argument
+ 'preserve_order'.
+
+ 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
+ public functions did not have an isc__ prefix, and
+ referred to functions that had previously been
+ renamed.
+
+ 184. [cleanup] Variables/functions which began with two leading
+ underscores were made to conform to the ANSI/ISO
+ standard, which says that such names are reserved.
+
+ 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
+ for logging the program name or other identifier.
+
+ 182. [cleanup] New command-line parameters for dnssec tools
+
+ 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
+
+ 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
+
+ 179. [func] options named.conf statement *must* now come
+ before any zone or view statements.
+
+ 178. [func] Post-load of named.conf check verifies a slave zone
+ has non-empty list of masters defined.
+
+ 177. [func] New per-zone boolean:
+
+ enable-zone yes | no ;
+
+ intended to let a zone be disabled without having
+ to comment out the entire zone statement.
+
+ 176. [func] New global and per-view option:
+
+ max-cache-ttl number
+
+ 175. [func] New global and per-view option:
+
+ additional-data internal | minimal | maximal;
+
+ 174. [func] New public function isc_sockaddr_format(), for
+ formatting socket addresses in log messages.
+
+ 173. [func] Keep a queue of zones waiting for zone transfer
+ quota so that a new transfer can be dispatched
+ immediately whenever quota becomes available.
+
+ 172. [bug] $TTL directive was sometimes missing from dumped
+ master files because totext_ctx_init() failed to
+ initialize ctx->current_ttl_valid.
+
+ 171. [cleanup] On NetBSD systems, the mit-pthreads or
+ unproven-pthreads library is now always used
+ unless --with-ptl2 is explicitly specified on
+ the configure command line. The
+ --with-mit-pthreads option is no longer needed
+ and has been removed.
+
+ 170. [cleanup] Remove inter server consistency checks from zone,
+ these should return as a separate module in 9.1.
+ dns_zone_checkservers(), dns_zone_checkparents(),
+ dns_zone_checkchildren(), dns_zone_checkglue().
+
+ Remove dns_zone_setadb(), dns_zone_setresolver(),
+ dns_zone_setrequestmgr() these should now be found
+ via the view.
+
+ 169. [func] ratelimiter can now process N events per interval.
+
+ 168. [bug] include statements in named.conf caused syntax errors
+ due to not consuming the semicolon ending the include
+ statement before switching input streams.
+
+ 167. [bug] Make lack of masters for a slave zone a soft error.
+
+ 166. [bug] Keygen was overwriting existing keys if key_id
+ conflicted, now it will retry, and non-null keys
+ with key_id == 0 are not generated anymore. Key
+ was not able to generate NOAUTHCONF DSA key,
+ increased RSA key size to 2048 bits.
+
+ 165. [cleanup] Silence "end-of-loop condition not reached" warnings
+ from Solaris compiler.
+
+ 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
+ isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
+ isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
+ to encapsulate nonportable usage of errno and sync.
+
+ 163. [func] Added result codes ISC_R_FILENOTFOUND and
+ ISC_R_FILEEXISTS.
+
+ 162. [bug] Ensure proper range for arguments to ctype.h functions.
+
+ 161. [cleanup] error in yyparse prototype that only HPUX caught.
+
+ 160. [cleanup] getnet*() are not going to be implemented at this
+ stage.
+
+ 159. [func] Redefinition of config file elements is now an
+ error (instead of a warning).
+
+ 158. [bug] Log channel and category list copy routines
+ weren't assigning properly to output parameter.
+
+ 157. [port] Fix missing prototype for getopt().
+
+ 156. [func] Support new 'database' statement in zone.
+
+ database "quoted-string";
+
+ 155. [bug] ns_notify_start() was not detaching the found zone.
+
+ 154. [func] The signer now logs libdns warnings to stderr even when
+ not verbose, and in a nicer format.
+
+ 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
+ is NULL then you need to preserve the 'rdata' until
+ you have finished using the structure as there may be
+ references to the associated memory. If 'mctx' is
+ non-NULL it is guaranteed that there are no references
+ to memory associated with 'rdata'.
+
+ dns_rdata_freestruct() must be called if 'mctx' was
+ non-NULL and may safely be called if 'mctx' was NULL.
+
+ 152. [bug] keygen dumped core if domain name argument was omitted
+ from command line.
+
+ 151. [func] Support 'disabled' statement in zone config (causes
+ zone to be parsed and then ignored). Currently must
+ come after the 'type' clause.
+
+ 150. [func] Support optional ports in masters and also-notify
+ statements:
+
+ masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
+
+ 149. [cleanup] Removed unused argument 'olist' from
+ dns_c_view_unsetordering().
+
+ 148. [cleanup] Stop issuing some warnings about some configuration
+ file statements that were not implemented, but now are.
+
+ 147. [bug] Changed yacc union size to be smaller for yaccs that
+ put yacc-stack on the real stack.
+
+ 146. [cleanup] More general redundant header file cleanup. Rather
+ than continuing to itemize every header which changed,
+ this changelog entry just notes that if a header file
+ did not need another header file that it was including
+ in order to provide its advertised functionality, the
+ inclusion of the other header file was removed. See
+ util/check-includes for how this was tested.
+
+ 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
+ ISC_LANG_ENDDECLS to header files that had function
+ prototypes, and removed it from those that did not.
+
+ 144. [cleanup] libdns header files too numerous to name were made
+ to conform to the same style for multiple inclusion
+ protection.
+
+ 143. [func] Added function dns_rdatatype_isknown().
+
+ 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
+ <isc/result.h>.
+
+ 141. [bug] Corrupt requests with multiple questions could
+ cause an assertion failure.
+
+ 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
+
+ 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
+ <isc/int.h> and <isc/result.h>.
+
+ 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
+ renamed isc_string_touint64. isc_strsep moved from
+ strsep.c to string.c and renamed isc_string_separate.
+
+ 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
+ <isc/serial.h>, <isc/string.h> and <isc/offset.h>
+ made to conform to the same style for multiple
+ inclusion protection.
+
+ 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
+ <isc/net.h> and Win32's <isc/thread.h> needed
+ ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
+
+ 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
+ or <isc/boolean.h>, now uses <isc/types.h> in place
+ of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
+ and ISC_LANG_ENDDECLS.
+
+ 134. [cleanup] <isc/dir.h> does not need <limits.h>.
+
+ 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
+
+ 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
+ need <isc/eventclass.h>.
+
+ 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
+ for ISC_R_* codes used in macros.
+
+ 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
+ <isc/boolean.h>, and now includes <isc/types.h>
+ instead of <isc/time.h>.
+
+ 129. [bug] The 'default_debug' log channel was not set up when
+ 'category default' was present in the config file
+
+ 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
+ ISC_LANG_ENDDECLS at end of header.
+
+ 127. [cleanup] The contracts for the comparison routines
+ dns_name_fullcompare(), dns_name_compare(),
+ dns_name_rdatacompare(), and dns_rdata_compare() now
+ specify that the order value returned is < 0, 0, or > 0
+ instead of -1, 0, or 1.
+
+ 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
+
+ 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
+ <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
+ <isc/resultclass.h> do not need <isc/lang.h>.
+
+ 124. [func] signer now imports parent's zone key signature
+ and creates null keys/sets zone status bit for
+ children when necessary
+
+ 123. [cleanup] <isc/event.h> does not need <stddef.h>.
+
+ 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
+ <isc/result.h>.
+
+ 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
+ <isc/result.h>. Multiple inclusion protection
+ symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
+ isc_symtab_t moved to <isc/types.h>.
+
+ 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
+ <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
+ <isc/net.h>.
+
+ 119. [cleanup] structure definitions for generic rdata structures do
+ not have _generic_ in their names.
+
+ 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
+ YACC crust (yyparse, etc) [2000-apr-27 explorer]
+
+ 117. [cleanup] libdns.a changes:
+ dns_zone_clearnotify() and dns_zone_addnotify()
+ are replaced by dns_zone_setnotifyalso().
+ dns_zone_clearmasters() and dns_zone_addmaster()
+ are replaced by dns_zone_setmasters().
+
+ 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
+ on Unix systems).
+
+ 115. [port] Shut up the -Wmissing-declarations warning about
+ <stdio.h>'s __sputaux on BSD/OS pre-4.1.
+
+ 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
+ <isc/list.h>.
+
+ 113. [func] Utility programs dig and host added.
+
+ 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
+
+ 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
+ <isc/mutex.h>.
+
+ 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
+ <isc/list.h>.
+
+ 109. [bug] "make depend" did nothing for
+ bin/tests/{db,mem,sockaddr,tasks,timers}/.
+
+ 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
+ <dns/types.h> to <dns/bit.h> and renamed to
+ DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
+
+ 107. [func] Add keysigner and keysettool.
+
+ 106. [func] Allow dnssec verifications to ignore the validity
+ period. Used by several of the dnssec tools.
+
+ 105. [doc] doc/dev/coding.html expanded with other
+ implicit conventions the developers have used.
+
+ 104. [bug] Made compress_add and compress_find static to
+ lib/dns/compress.c.
+
+ 103. [func] libisc buffer API changes for <isc/buffer.h>:
+ Added:
+ isc_buffer_base(b) (pointer)
+ isc_buffer_current(b) (pointer)
+ isc_buffer_active(b) (pointer)
+ isc_buffer_used(b) (pointer)
+ isc_buffer_length(b) (int)
+ isc_buffer_usedlength(b) (int)
+ isc_buffer_consumedlength(b) (int)
+ isc_buffer_remaininglength(b) (int)
+ isc_buffer_activelength(b) (int)
+ isc_buffer_availablelength(b) (int)
+ Removed:
+ ISC_BUFFER_USEDCOUNT(b)
+ ISC_BUFFER_AVAILABLECOUNT(b)
+ isc_buffer_type(b)
+ Changed names:
+ isc_buffer_used(b, r) ->
+ isc_buffer_usedregion(b, r)
+ isc_buffer_available(b, r) ->
+ isc_buffer_available_region(b, r)
+ isc_buffer_consumed(b, r) ->
+ isc_buffer_consumedregion(b, r)
+ isc_buffer_active(b, r) ->
+ isc_buffer_activeregion(b, r)
+ isc_buffer_remaining(b, r) ->
+ isc_buffer_remainingregion(b, r)
+
+ Buffer types were removed, so the ISC_BUFFERTYPE_*
+ macros are no more, and the type argument to
+ isc_buffer_init and isc_buffer_allocate were removed.
+ isc_buffer_putstr is now void (instead of isc_result_t)
+ and requires that the caller ensure that there
+ is enough available buffer space for the string.
+
+ 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
+ on BSD/OS 4.1.
+
+ 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
+
+ 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
+ <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
+
+ 99. [cleanup] Rate limiter now has separate shutdown() and
+ destroy() functions, and it guarantees that all
+ queued events are delivered even in the shutdown case.
+
+ 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
+ unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
+
+ 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
+ <isc/event.h>.
+
+ 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
+
+ 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
+
+ 94. [cleanup] Some installed header files did not compile as C++.
+
+ 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
+
+ 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
+ or <isc/result.h>.
+
+ 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
+ <isc/result.h>.
+
+ 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
+ from <named/listenlist.h>.
+
+ 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
+
+ 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
+ <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
+ moved to <isc/types.h>.
+
+ 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
+ <isc/mem.h> or <isc/result.h>.
+
+ 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
+ <isc/types.h>.
+
+ 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
+ <isc/list.h>, <isc/mem.h>, <isc/region.h> or
+ <isc/int.h>.
+
+ 84. [func] allow-query ACL checks now apply to all data
+ added to a response.
+
+ 83. [func] If the server is authoritative for both a
+ delegating zone and its (nonsecure) delegatee, and
+ a query is made for a KEY RR at the top of the
+ delegatee, then the server will look for a KEY
+ in the delegator if it is not found in the delegatee.
+
+ 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
+
+ 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
+ <isc/lang.h>.
+
+ 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
+
+ 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
+
+ 78. [cleanup] lwres_conftest renamed to lwresconf_test for
+ consistency with other *_test programs.
+
+ 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
+ <isc/time.h> to <isc/types.h>.
+
+ 76. [cleanup] Rewrote keygen.
+
+ 75. [func] Don't load a zone if its database file is older
+ than the last time the zone was loaded.
+
+ 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
+ subsumed by file.o.
+
+ 73. [func] New "file" API in libisc, including new function
+ isc_file_getmodtime, isc_mktemplate renamed to
+ isc_file_mktemplate and isc_ufile renamed to
+ isc_file_openunique. By no means an exhaustive API,
+ it is just what's needed for now.
+
+ 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
+ added for dns_rbt_findnode, the former to disable the
+ setting of the chain to the predecessor, and the
+ latter to make clear when no options are set.
+
+ 71. [cleanup] Made explicit the implicit REQUIREs of
+ isc_time_seconds, isc_time_nanoseconds, and
+ isc_time_subtract.
+
+ 70. [func] isc_time_set() added.
+
+ 69. [bug] The zone object's master and also-notify lists grew
+ longer with each server reload.
+
+ 68. [func] Partial support for SIG(0) on incoming messages.
+
+ 67. [performance] Allow use of alternate (compile-time supplied)
+ OpenSSL libraries/headers.
+
+ 66. [func] Data in authoritative zones should have a trust level
+ beyond secure.
+
+ 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
+ from <dns/types.h>.
+
+ 64. [func] The RBT, DB, and zone table APIs now allow the
+ caller find the most-enclosing superdomain of
+ a name.
+
+ 63. [func] Generate NOTIFY messages.
+
+ 62. [func] Add UDP refresh support.
+
+ 61. [cleanup] Use single quotes consistently in log messages.
+
+ 60. [func] Catch and disallow singleton types on message
+ parse.
+
+ 59. [bug] Cause net/host unreachable to be a hard error
+ when sending and receiving.
+
+ 58. [bug] bin/named/query.c could sometimes trigger the
+ (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
+ == 0 assertion in query_newname().
+
+ 57. [func] Added dns_nxt_typepresent()
+
+ 56. [bug] SIG records were not properly returned in cached
+ negative answers.
+
+ 55. [bug] Responses containing multiple names in the authority
+ section were not negatively cached.
+
+ 54. [bug] If a fetch with sigrdataset==NULL joined one with
+ sigrdataset!=NULL or vice versa, the resolver
+ could catch an assertion or lose signature data,
+ respectively.
+
+ 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
+ <sys/param.h>.
+
+ 52. [bug] rndc: taskmgr and socketmgr were not initialized
+ to NULL.
+
+ 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
+ dns/rbt.h; it was needed only by compress.c and zt.c.
+
+ 50. [func] RBT deletion no longer requires a valid chain to work,
+ and dns_rbt_deletenode was added.
+
+ 49. [func] Each cache now has its own mctx.
+
+ 48. [func] isc_task_create() no longer takes an mctx.
+ isc_task_mem() has been eliminated.
+
+ 47. [func] A number of modules now use memory context reference
+ counting.
+
+ 46. [func] Memory contexts are now reference counted.
+ Added isc_mem_inuse() and isc_mem_preallocate().
+ Renamed isc_mem_destroy_check() to
+ isc_mem_setdestroycheck().
+
+ 45. [bug] The trusted-key statement incorrectly loaded keys.
+
+ 44. [bug] Don't include authority data if it would force us
+ to unset the AD bit in the message.
+
+ 43. [bug] DNSSEC verification of cached rdatasets was failing.
+
+ 42. [cleanup] Simplified logging of messages with embedded domain
+ names by introducing a new convenience function
+ dns_name_format().
+
+ 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
+ to allow 'named' to run as a non-root user while
+ retaining the ability to bind() to privileged
+ ports.
+
+ 40. [func] Introduced new logging category "dnssec" and
+ logging module "dns/validator".
+
+ 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
+ and isc_lex_t to <isc/types.h>.
+
+ 38. [bug] TSIG signed incoming zone transfers work now.
+
+ 37. [bug] If the first RR in an incoming zone transfer was
+ not an SOA, the server died with an assertion failure
+ instead of just reporting an error.
+
+ 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
+
+ 35. [performance] Log messages which are of a level too high to be
+ logged by any channel in the logging configuration
+ will not cause the log mutex to be locked.
+
+ 34. [bug] Recursion was allowed even with 'recursion no'.
+
+ 33. [func] The RBT now maintains a parent pointer at each node.
+
+ 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
+ prototype.
+
+ 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
+
+ 30. [func] config file grammar change to support optional
+ class type for a view.
+
+ 29. [func] support new config file view options:
+
+ auth-nxdomain recursion query-source
+ query-source-v6 transfer-source
+ transfer-source-v6 max-transfer-time-out
+ max-transfer-idle-out transfer-format
+ request-ixfr provide-ixfr cleaning-interval
+ fetch-glue notify rfc2308-type1 lame-ttl
+ max-ncache-ttl min-roots
+
+ 28. [func] support lame-ttl, min-roots and serial-queries
+ config global options.
+
+ 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
+ Including it on other platforms (eg, NetBSD) can
+ cause a forced #error from the C preprocessor.
+
+ 26. [func] new match-clients statement in config file view.
+
+ 25. [bug] make install failed to install <isc/log.h> and
+ <isc/ondestroy.h>.
+
+ 24. [cleanup] Eliminate some unnecessary #includes of header
+ files from header files.
+
+ 23. [cleanup] Provide more context in log messages about client
+ requests, using a new function ns_client_log().
+
+ 22. [bug] SIGs weren't returned in the answer section when
+ the query resulted in a fetch.
+
+ 21. [port] Look at STD_CINCLUDES after CINCLUDES during
+ compilation, so additional system include directories
+ can be searched but header files in the bind9 source
+ tree with conflicting names take precedence. This
+ avoids issues with installed versions of dnssafe and
+ openssl.
+
+ 20. [func] Configuration file post-load validation of zones
+ failed if there were no zones.
+
+ 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
+ lock in certain error cases.
+
+ 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
+ configure.in to check for presence of in6addr_any.
+
+ 17. [func] Do configuration file post-load validation of zones.
+
+ 16. [bug] put quotes around key names on config file
+ output to avoid possible keyword clashes.
+
+ 15. [func] Add dns_name_dupwithoffsets(). This function is
+ improves comparison performance for duped names.
+
+ 14. [bug] free_rbtdb() could have 'put' unallocated memory in
+ an unlikely error path.
+
+ 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
+ out-of-zone data.
+
+ 12. [bug] Fixed possible uninitialized variable error.
+
+ 11. [bug] axfr_rrstream_first() didn't check the result code of
+ db_rr_iterator_first(), possibly causing an assertion
+ to be triggered later.
+
+ 10. [bug] A bug in the code which makes EDNS0 OPT records in
+ bin/named/client.c and lib/dns/resolver.c could
+ trigger an assertion.
+
+ 9. [cleanup] replaced bit-setting code in confctx.c and replaced
+ repeated code with macro calls.
+
+ 8. [bug] Shutdown of incoming zone transfer accessed
+ freed memory.
+
+ 7. [cleanup] removed 'listen-on' from view statement.
+
+ 6. [bug] quote RR names when generating config file to
+ prevent possible clash with config file keywords
+ (such as 'key').
+
+ 5. [func] syntax change to named.conf file: new ssu grant/deny
+ statements must now be enclosed by an 'update-policy'
+ block.
+
+ 4. [port] bin/named/unix/os.c didn't compile on systems with
+ linux 2.3 kernel includes due to conflicts between
+ C library includes and the kernel includes. We now
+ get only what we need from <linux/capability.h>, and
+ avoid pulling in other linux kernel .h files.
+
+ 3. [bug] TKEYs go in the answer section of responses, not
+ the additional section.
+
+ 2. [bug] Generating cryptographic randomness failed on
+ systems without /dev/random.
+
+ 1. [bug] The installdirs rule in
+ lib/isc/unix/include/isc/Makefile.in had a typo which
+ prevented the isc directory from being created if it
+ didn't exist.
+
+ --- 9.0.0b2 released ---
projects / thirdparty / bind9.git / commitdiff
