--- 9.16.27 released ---

5818. [security] A synchronous call to closehandle_cb() caused
      isc__nm_process_sock_buffer() to be called recursively,
      which in turn left TCP connections hanging in the
      CLOSE_WAIT state blocking indefinitely when
      out-of-order processing was disabled. (CVE-2022-0396)
      [GL #3112]

5817. [security] The rules for acceptance of records into the cache
      have been tightened to prevent the possibility of
      poisoning if forwarders send records outside
      the configured bailiwick. (CVE-2021-25220) [GL #2950]

5816. [bug] Make BIND compile with LibreSSL 3.5.0, as it was using
      not very accurate pre-processor checks for using shims.
      [GL #3172]

5815. [bug] If an oversized key name of a specific length was used
      in the text form of an HTTPS or SVCB record, an INSIST
      could be triggered when parsing it. [GL #3175]

5814. [bug] The RecursClients statistics counter could underflow
      in certain resolution scenarios. [GL #3147]

5811. [bug] Reimplement the maximum and idle timeouts for outgoing
      zone transfers. [GL #1897]

5807. [bug] Add a TCP "write" timer, and time out writing
      connections after the "tcp-idle-timeout" period
      has elapsed. [GL #3132]

5804. [func] Add a debug log message when starting and ending
      the task exclusive mode. [GL #3137]

--- 9.16.26 released ---

5801. [bug] Log "quota reached" message when hard quota
      is reached when accepting a connection. [GL #3125]

5800. [func] Add ECS support to the DLZ interface. [GL #3082]

5797. [bug] A failed view configuration during a named
      reconfiguration procedure could cause inconsistencies
      in BIND internal structures, causing a crash or other
      unexpected errors. [GL #3060]

5795. [bug] rndc could crash when interrupted by a signal
      before receiving a response. [GL #3080]

5793. [bug] Correctly detect and enable UDP recvmmsg support
      in all versions of libuv that support it. [GL #3095]

--- 9.16.25 released ---

5789. [bug] Allow replacing expired zone signatures with
      signatures created by the KSK. [GL #3049]

5788. [bug] An assertion could occur if a catalog zone event was
      scheduled while the task manager was being shut
      down. [GL #3074]

5787. [doc] Update 'auto-dnssec' documentation; it may only be
      activated at zone level. [GL #3023]

5786. [bug] Defer detaching from zone->raw in zone_shutdown() if
      the zone is in the process of being dumped to disk, to
      ensure that the unsigned serial number information is
      always written in the raw-format header of the signed
      version on an inline-signed zone. [GL #3071]

5785. [bug] named could leak memory when two dnssec-policy clauses
      had the same name. named failed to log this error.
      [GL #3085]

5776. [bug] Add a missing isc_condition_destroy() for nmsocket
      condition variable and add missing isc_mutex_destroy()
      for nmworker lock. [GL #3051]

5676. [func] Memory use in named was excessive. This has been
      addressed by:
        - Replacing locked memory pools with normal memory
          allocations.
        - Reducing the number of retained free items in
          unlocked memory pools.
        - Disabling the internal allocator by default.
          "named -M internal" turns it back on.
      [GL #2398]

--- 9.16.24 released ---

5773. [func] Change the message when accepting TCP connection has
      failed to say "Accepting TCP connection failed" and
      change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
      and ISC_R_SOFTQUOTA result codes from ERROR to INFO.
      [GL #2700]

5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]

5764. [bug] dns_sdlz_putrr failed to process some valid resource
      records. [GL #3021]

5762. [bug] Fix a "named" crash related to removing and restoring a
      `catalog-zone` entry in the configuration file and
      running `rndc reconfig`. [GL #1608]

5758. [bug] mdig now honors the operating system's preferred
      ephemeral port range. [GL #2374]

5757. [test] Replace sed in nsupdate system test with awk to
      construct the nsupdate command. The sed expression
      was not reliably changing the ttl. [GL #3003]

--- 9.16.23 released ---

5752. [bug] Fix an assertion failure caused by missing member zones
      during a reload of a catalog zone. [GL #2308]

5750. [bug] Fix a bug when comparing two RSA keys. There was a typo
      which caused the "p" prime factors not to be
      compared. [GL #2972]

5737. [bug] Address Coverity warning in lib/dns/dnssec.c.
      [GL #2935]

--- 9.16.22 released ---

5736. [security] The "lame-ttl" option is now forcibly set to 0. This
      effectively disables the lame server cache, as it could
      previously be abused by an attacker to significantly
      degrade resolver performance. (CVE-2021-25219)
      [GL #2899]

5724. [bug] Address a potential deadlock when checking zone content
      consistency. [GL #2908]

5723. [bug] Change 5709 broke backward compatibility for the
      "check-names master ..." and "check-names slave ..."
      options. This has been fixed. [GL #2911]

5720. [contrib] Old-style DLZ drivers that had to be enabled at
      build-time have been marked as deprecated. [GL #2814]

5719. [func] The "map" zone file format has been marked as
      deprecated. [GL #2882]

5717. [func] The "cache-file" option, which was documented as "for
      testing purposes only" and not to be used, has been
      removed. [GL #2903]

5716. [bug] Multiple library names were mistakenly passed to the
      krb5-config utility when ./configure was invoked with
      the --with-gssapi=[/path/to/]krb5-config option. This
      has been fixed by invoking krb5-config separately for
      each required library. [GL #2866]

5715. [func] Add a check for ports specified in "*-source(-v6)"
      options clashing with a global listening port. Such a
      configuration was already unsupported, but it failed
      silently; it is now treated as an error. [GL #2888]

5714. [bug] Remove the "adjust interface" mechanism which was
      responsible for setting up listeners on interfaces when
      the "*-source(-v6)" address and port were the same as
      the "listen-on(-v6)" address and port. Such a
      configuration is no longer supported; under certain
      timing conditions, that mechanism could prevent named
      from listening on some TCP ports. This has been fixed.
      [GL #2852]

5712. [doc] Add deprecation notice about removing native PKCS#11
      support in the next major BIND 9 release. [GL #2691]

--- 9.16.21 released ---

5711. [bug] "map" files exceeding 2GB in size failed to load due to
      a size comparison that incorrectly treated the file size
      as a signed integer. [GL #2878]

5710. [port] win32: incorrect parentheses resulted in the wrong
      sizeof() tests being used to pick the appropriate
      Windows atomic operations for the object's size.
      [GL #2891]

5709. [cleanup] Enum values throughout the code have been updated
      to use the terms "primary" and "secondary" instead of
      "master" and "slave", respectively. [GL #1944]

5708. [bug] The thread-local isc_tid_v variable was not properly
      initialized when running BIND 9 as a Windows Service,
      leading to a crash on startup. [GL #2837]

5705. [bug] Change #5686 altered the internal memory structure of
      zone databases, but neglected to update the MAPAPI value
      for zone files in "map" format. This caused named to
      attempt to load incompatible map files, triggering an
      assertion failure on startup. The MAPAPI value has now
      been updated, so named rejects outdated files when
      encountering them. [GL #2872]

5704. [bug] Change #5317 caused the EDNS TCP Keepalive option to be
      ignored inadvertently in client requests. It has now
      been fixed and this option is handled properly again.
      [GL #1927]

5701. [bug] named-checkconf failed to detect syntactically invalid
      values of the "key" and "tls" parameters used to define
      members of remote server lists. [GL #2461]

5700. [bug] When a member zone was removed from a catalog zone,
      journal files for the former were not deleted.
      [GL #2842]

5699. [func] Data structures holding DNSSEC signing statistics are
      now grown and shrunk as necessary upon key rollover
      events. [GL #1721]

5698. [bug] When a DNSSEC-signed zone which only has a single
      signing key available is migrated to use KASP, that key
      is now treated as a Combined Signing Key (CSK).
      [GL #2857]

5696. [protocol] Support for HTTPS and SVCB record types has been added.
      (This does not include ADDITIONAL section processing for
      these record types, only basic support for RR type
      parsing and printing.) [GL #1132]

5694. [bug] Stale data in the cache could cause named to send
      non-minimized queries despite QNAME minimization being
      enabled. [GL #2665]

5691. [bug] When a dynamic zone was made available in another view
      using the "in-view" statement, running "rndc freeze"
      always reported an "already frozen" error even though
      the zone was successfully frozen. [GL #2844]

5690. [func] dnssec-signzone now honors Predecessor and Successor
      metadata found in private key files: if a signature for
      an RRset generated by the inactive predecessor exists
      and does not need to be replaced, no additional
      signature is now created for that RRset using the
      successor key. This enables dnssec-signzone to gradually
      replace RRSIGs during a ZSK rollover. [GL #1551]

--- 9.16.20 released ---

5689. [security] An assertion failure occurred when named attempted to
      send a UDP packet that exceeded the MTU size, if
      Response Rate Limiting (RRL) was enabled.
      (CVE-2021-25218) [GL #2856]

5688. [bug] Zones using KASP and inline-signed zones failed to apply
      changes from the unsigned zone to the signed zone under
      certain circumstances. This has been fixed. [GL #2735]

5687. [bug] "rndc reload <zonename>" could trigger a redundant
      reload for an inline-signed zone whose zone file was not
      modified since the last "rndc reload". This has been
      fixed. [GL #2855]

5686. [func] The number of internal data structures allocated for
      each zone was reduced. [GL #2829]

5685. [bug] named failed to check the opcode of responses when
      performing zone refreshes, stub zone updates, and UPDATE
      forwarding. This has been fixed. [GL #2762]

5682. [bug] Some changes to "zone-statistics" settings were not
      properly processed by "rndc reconfig". This has been
      fixed. [GL #2820]

5681. [func] Relax the checks in the dns_zone_cdscheck() function to
      allow CDS and CDNSKEY records in the zone that do not
      match an existing DNSKEY record, as long as the
      algorithm matches. This allows a clean rollover from one
      provider to another in a multi-signer DNSSEC
      configuration. [GL #2710]

5679. [func] Thread affinity is no longer set. [GL #2822]

5678. [bug] The "check DS" code failed to release all resources upon
      named shutdown when a refresh was in progress. This has
      been fixed. [GL #2811]

5672. [bug] Authentication of rndc messages could fail if a
      "controls" statement was configured with multiple key
      algorithms for the same listener. This has been fixed.
      [GL #2756]

--- 9.16.19 released ---

5671. [bug] A race condition could occur where two threads were
      competing for the same set of key file locks, leading to
      a deadlock. This has been fixed. [GL #2786]

5670. [bug] create_keydata() created an invalid placeholder keydata
      record upon a refresh failure, which prevented the
      database of managed keys from subsequently being read
      back. This has been fixed. [GL #2686]

5669. [func] KASP support was extended with the "check DS" feature.
      Zones with "dnssec-policy" and "parental-agents"
      configured now check for DS presence and can perform
      automatic KSK rollovers. [GL #1126]

5668. [bug] Rescheduling a setnsec3param() task when a zone failed
      to load on startup caused a hang on shutdown. This has
      been fixed. [GL #2791]

5667. [bug] The configuration-checking code failed to account for
      the inheritance rules of the "dnssec-policy" option.
      This has been fixed. [GL #2780]

5666. [doc] The safe "edns-udp-size" value was tweaked to match the
      probing value from BIND 9.16 for better compatibility.
      [GL #2183]

5665. [bug] If nsupdate sends an SOA request and receives a REFUSED
      response, it now fails over to the next available
      server. [GL #2758]

5664. [func] For UDP messages larger than the path MTU, named now
      sends an empty response with the TC (TrunCated) bit set.
      In addition, setting the DF (Don't Fragment) flag on
      outgoing UDP sockets was re-enabled. [GL #2790]

5662. [bug] Views with recursion disabled are now configured with a
      default cache size of 2 MB unless "max-cache-size" is
      explicitly set. This prevents cache RBT hash tables from
      being needlessly preallocated for such views. [GL #2777]

5661. [bug] Change 5644 inadvertently introduced a deadlock: when
      locking the key file mutex for each zone structure in a
      different view, the "in-view" logic was not considered.
      This has been fixed. [GL #2783]

5658. [bug] Increasing "max-cache-size" for a running named instance
      (using "rndc reconfig") did not cause the hash tables
      used by cache databases to be grown accordingly. This
      has been fixed. [GL #2770]

5655. [bug] Signed, insecure delegation responses prepared by named
      either lacked the necessary NSEC records or contained
      duplicate NSEC records when both wildcard expansion and
      CNAME chaining were required to prepare the response.
      This has been fixed. [GL #2759]

5653. [bug] A bug that caused the NSEC3 salt to be changed on every
      restart for zones using KASP has been fixed. [GL #2725]

--- 9.16.18 released ---

5660. [bug] The configuration-checking code failed to account for
      the inheritance rules of the "key-directory" option.
      [GL #2778]

5659. [bug] When preparing DNS responses, named could replace the
      letters 'W' (uppercase) and 'w' (lowercase) with '\000'.
      This has been fixed. [GL #2779]

--- 9.16.17 released ---

5652. [bug] A copy-and-paste error in change 5584 caused the
      IP_DONTFRAG socket option to be enabled instead of
      disabled. This has been fixed. [GL #2746]

5651. [func] Refactor zone dumping to be processed asynchronously via
      the uv_work_t thread pool API. [GL #2732]

5650. [bug] Prevent a crash that could occur if serve-stale was
      enabled and a prefetch was triggered during a query
      restart. [GL #2733]

5649. [bug] If a query was answered with stale data on a server with
      DNS64 enabled, an assertion could occur if a non-stale
      answer arrived afterward. [GL #2731]

5648. [bug] The calculation of the estimated IXFR transaction size
      in dns_journal_iter_init() was invalid. [GL #2685]

5644. [bug] Fix a race condition in reading and writing key files
      for zones using KASP and configured in multiple views.
      [GL #1875]

5643. [cleanup] "make install" no longer creates an empty
      ${localstatedir}/run directory. [GL #2709]

5642. [bug] Zones which are configured in multiple views with
      different values set for "dnssec-policy" and with
      identical values set for "key-directory" are now
      detected and treated as a configuration error.
      [GL #2463]

5641. [bug] Address a potential memory leak in
      dst_key_fromnamedfile(). [GL #2689]

5639. [bug] Check that the first and last SOA record of an AXFR are
      consistent. [GL #2528]

5638. [bug] Improvements related to network manager/task manager
      integration:
        - isc_managers_create() and isc_managers_destroy()
          functions were added to handle setup and teardown of
          netmgr, taskmgr, timermgr, and socketmgr, since these
          require a precise order of operations now.
        - Event queue processing is now quantized to prevent
          infinite looping.
        - The netmgr can now be paused from within a netmgr
          thread.
        - Deadlocks due to a conflict between netmgr's
          pause/resume and listen/stoplistening operations were
          fixed.
      [GL #2654]

5633. [doc] The "inline-signing" option was incorrectly described as
      being inherited from the "options"/"view" levels and was
      incorrectly accepted at those levels without effect.
      This has been fixed. [GL #2536]

5624. [func] Task manager events are now processed inside network
      manager loops. The task manager no longer needs its own
      set of worker threads, which improves resolver
      performance. [GL #2638]

--- 9.16.16 released ---

5637. [func] Change the default value of the "max-ixfr-ratio" option
      to "unlimited". [GL #2671]

5636. [bug] named and named-checkconf did not report an error when
      multiple zones with the "dnssec-policy" option set were
      using the same zone file. This has been fixed.
      [GL #2603]

5635. [bug] Journal compaction could fail when a journal with
      invalid transaction headers was not detected at startup.
      This has been fixed. [GL #2670]

5634. [bug] If "dnssec-policy" was active and a private key file was
      temporarily offline during a rekey event, named could
      incorrectly introduce replacement keys and break a
      signed zone. This has been fixed. [GL #2596]

5633. [doc] The "inline-signing" option was incorrectly described as
      being inherited from the "options"/"view" levels and was
      incorrectly accepted at those levels without effect.
      This has been fixed. [GL #2536]

5632. [func] Add a new built-in KASP, "insecure", which is used to
      transition a zone from a signed to an unsigned state.
      The existing built-in KASP "none" should no longer be
      used to unsign a zone. [GL #2645]

5631. [protocol] Update the implementation of the ZONEMD RR type to match
      RFC 8976. [GL #2658]

5630. [func] Treat DNSSEC responses containing NSEC3 records with
      iteration counts greater than 150 as insecure.
      [GL #2445]

5629. [func] Reduce the maximum supported number of NSEC3 iterations
      that can be configured for a zone to 150. [GL #2642]

5627. [bug] RRSIG(SOA) RRsets placed anywhere other than at the zone
      apex were triggering infinite resigning loops. This has
      been fixed. [GL #2650]

5626. [bug] When generating zone signing keys, KASP now also checks
      for key ID conflicts among newly created keys, rather
      than just between new and existing ones. [GL #2628]

5625. [bug] A deadlock could occur when multiple "rndc addzone",
      "rndc delzone", and/or "rndc modzone" commands were
      invoked simultaneously for different zones. This has
      been fixed. [GL #2626]

5622. [cleanup] The lib/samples/ directory has been removed, as export
      versions of libraries are no longer maintained.
      [GL !4835]

5619. [protocol] Implement draft-vandijk-dnsop-nsec-ttl, updating the
      protocol such that NSEC(3) TTL values are set to the
      minimum of the SOA MINIMUM value or the SOA TTL.
      [GL #2347]

5618. [bug] Change 5149 introduced some inconsistencies in the way
      record TTLs were presented in cache dumps. These
      inconsistencies have been eliminated. [GL #389]
      [GL #2289]

--- 9.16.15 released ---

5621. [bug] Due to a backporting mistake in change 5609, named
      binaries built against a Kerberos/GSSAPI library whose
      header files did not define the GSS_SPNEGO_MECHANISM
      preprocessor macro were not able to start if their
      configuration included the "tkey-gssapi-credential"
      option. This has been fixed. [GL #2634]

5620. [bug] If zone journal files written by BIND 9.16.11 or earlier
      were present when BIND was upgraded, the zone file for
      that zone could have been inadvertently rewritten with
      the current zone contents. This caused the original zone
      file structure (e.g. comments, $INCLUDE directives) to
      be lost, although the zone data itself was preserved.
      This has been fixed. [GL #2623]

--- 9.16.14 released ---

5617. [security] A specially crafted GSS-TSIG query could cause a buffer
      overflow in the ISC implementation of SPNEGO.
      (CVE-2021-25216) [GL #2604]

5616. [security] named crashed when a DNAME record placed in the ANSWER
      section during DNAME chasing turned out to be the final
      answer to a client query. (CVE-2021-25215) [GL #2540]

5615. [security] Insufficient IXFR checks could result in named serving a
      zone without an SOA record at the apex, leading to a
      RUNTIME_CHECK assertion failure when the zone was
      subsequently refreshed. This has been fixed by adding an
      owner name check for all SOA records which are included
      in a zone transfer. (CVE-2021-25214) [GL #2467]

5614. [bug] Ensure all resources are properly cleaned up when a call
      to gss_accept_sec_context() fails. [GL #2620]

5613. [bug] It was possible to write an invalid transaction header
      in the journal file for a managed-keys database after
      upgrading. This has been fixed. Invalid headers in
      existing journal files are detected and named is able
      to recover from them. [GL #2600]

5611. [func] Set "stale-answer-client-timeout" to "off" by default.
      [GL #2608]

5610. [bug] Prevent a crash which could happen when a lookup
      triggered by "stale-answer-client-timeout" was attempted
      right after recursion for a client query finished.
      [GL #2594]

5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
      source code. It was no longer necessary as all major
      contemporary Kerberos/GSSAPI libraries include support
      for SPNEGO. [GL #2607]

5608. [bug] When sending queries over TCP, dig now properly handles
      "+tries=1 +retry=0" by not retrying the connection when
      the remote server closes the connection prematurely.
      [GL #2490]

5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover"
      commands may affect the next scheduled key event,
      reconfiguration of zone keys is now triggered after
      receiving either of these commands to prevent
      unnecessary key rollover delays. [GL #2488]

5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone
      transitions from a secure to an insecure state.
      named-checkzone also no longer reports an error when
      such records are found in an unsigned zone. [GL #2517]

5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for
      more accurate time reporting. [GL #2592]

5603. [bug] Fix a memory leak that occurred when named failed to
      bind a UDP socket to a network interface. [GL #2575]

5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This
      makes the "tcp-initial-timeout" and "tcp-idle-timeout"
      options work correctly again. [GL #2583]

5601. [bug] Zones using KASP could not be thawed after they were
      frozen using "rndc freeze". This has been fixed.
      [GL #2523]

--- 9.16.13 released ---

5597. [bug] When serve-stale was enabled and starting the recursive
      resolution process for a query failed, a named instance
      could crash if it was configured as both a recursive and
      authoritative server. This problem was introduced by
      change 5573 and has now been fixed. [GL #2565]

5595. [cleanup] Public header files for BIND 9 libraries no longer
      directly include third-party library headers. This
      prevents the need to include paths to third-party header
      files in CFLAGS whenever BIND 9 public header files are
      used, which could cause build-time issues on hosts with
      older versions of BIND 9 installed. [GL #2357]

5594. [bug] Building with --enable-dnsrps --enable-dnsrps-dl failed.
      [GL #2298]

5593. [bug] Journal files written by older versions of named can now
      be read when loading zones, so that journal
      incompatibility does not cause problems on upgrade.
      Outdated journals are updated to the new format after
      loading. [GL #2505]

5592. [bug] Prevent hazard pointer table overflows on machines with
      many cores, by allowing the thread IDs (serving as
      indices into hazard pointer tables) of finished threads
      to be reused by those created later. [GL #2396]

5591. [bug] Fix a crash that occurred when
      "stale-answer-client-timeout" was triggered without any
      (stale) data available in the cache to answer the query.
      [GL #2503]

5590. [bug] NSEC3 records were not immediately created for dynamic
      zones using NSEC3 with "dnssec-policy", resulting in
      such zones going bogus. Add code to process the
      NSEC3PARAM queue at zone load time so that NSEC3 records
      for such zones are created immediately. [GL #2498]

5588. [func] Add a new "purge-keys" option for "dnssec-policy". This
      option determines the period of time for which key files
      are retained after they become obsolete. [GL #2408]

5586. [bug] An invalid direction field in a LOC record resulted in
      an INSIST failure when a zone file containing such a
      record was loaded. [GL #2499]

5584. [bug] No longer set the IP_DONTFRAG option on UDP sockets, to
      prevent dropping outgoing packets exceeding
      "max-udp-size". [GL #2466]

5582. [bug] BIND 9 failed to build when static OpenSSL libraries
      were used and the pkg-config files for libssl and/or
      libcrypto were unavailable. This has been fixed by
      ensuring that the correct linking order for libssl and
      libcrypto is always used. [GL #2402]

5581. [bug] Fix a memory leak that occurred when inline-signed zones
      were added to the configuration, followed by a
      reconfiguration of named. [GL #2041]

5580. [test] The system test framework no longer differentiates
      between SKIPPED and UNTESTED system test results. Any
      system test which is not run is now marked as SKIPPED.
      [GL !4517]

5573. [func] When serve-stale is enabled and stale data is available,
      named now returns stale answers upon encountering any
      unexpected error in the query resolution process.
      However, the "stale-refresh-time" window is still only
      started upon a timeout. [GL #2434]

5564. [cleanup] Network manager's TLSDNS module was refactored to use
      libuv and libssl directly instead of a stack of TCP/TLS
      sockets. [GL #2335]

--- 9.16.12 released ---

5578. [protocol] Make "check-names" accept A records below "_spf",
      "_spf_rate", and "_spf_verify" labels in order to cater
      for the "exists" SPF mechanism specified in RFC 7208
      section 5.7 and appendix D.1. [GL #2377]

5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by
      correctly implementing Equation (2) of the "Flexible and
      Robust Key Rollover" paper. [GL #2375]

5575. [bug] When migrating to KASP, BIND 9 considered keys with the
      "Inactive" and/or "Delete" timing metadata to be
      possible active keys. This has been fixed. [GL #2406]

5572. [bug] Address potential double free in generatexml().
      [GL #2420]

5571. [bug] named failed to start when its configuration included a
      zone with a non-builtin "allow-update" ACL attached.
      [GL #2413]

5570. [bug] Improve performance of the DNSSEC verification code by
      reducing the number of repeated calls to
      dns_dnssec_keyfromrdata(). [GL #2073]

5569. [bug] Emit useful error message when "rndc retransfer" is
      applied to a zone of inappropriate type. [GL #2342]

5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
      keys. [GL #2178]

5567. [bug] Dig now reports unknown dash options while pre-parsing
      the options. This prevents "-multi" instead of "+multi"
      from reporting memory usage before ending option parsing
      with "Invalid option: -lti". [GL #2403]

5566. [func] Add "stale-answer-client-timeout" option, which is the
      amount of time a recursive resolver waits before
      attempting to answer the query using stale data from
      cache. [GL #2247]

5565. [func] The SONAMEs for BIND 9 libraries now include the current
      BIND 9 version number, in an effort to tightly couple
      internal libraries with a specific release. [GL #2387]

5562. [security] Fix off-by-one bug in ISC SPNEGO implementation.
      (CVE-2020-8625) [GL #2354]

5561. [bug] KASP incorrectly set signature validity to the value of
      the DNSKEY signature validity. This is now fixed.
      [GL #2383]

5560. [func] The default value of "max-stale-ttl" has been changed
      from 12 hours to 1 day and the default value of
      "stale-answer-ttl" has been changed from 1 second to 30
      seconds, following RFC 8767 recommendations. [GL #2248]

5456. [func] Added "primaries" as a synonym for "masters" in
      named.conf, and "primary-only" as a synonym for
      "master-only" in the parameters to "notify", to bring
      terminology up-to-date with RFC 8499. [GL #1948]

5362. [func] Limit the size of IXFR responses so that AXFR will
      be used instead if it would be smaller. This is
      controlled by the "max-ixfr-ratio" option, which
      is a percentage representing the ratio of IXFR size
      to the size of the entire zone. This value cannot
      exceed 100%, which is the default. [GL #1515]

--- 9.16.11 released ---

5559. [bug] The --with-maxminddb=PATH form of the build-time option
      enabling support for libmaxminddb was not working
      correctly. This has been fixed. [GL #2366]

5557. [bug] Prevent RBTDB instances from being destroyed by multiple
      threads at the same time. [GL #2317]

5556. [bug] Further tweak newline printing in dnssec-signzone and
      dnssec-verify. [GL #2359]

5555. [bug] server->reload_status was not properly initialized.
      [GL #2361]

5554. [bug] dnssec-signzone and dnssec-verify were missing newlines
      between log messages. [GL #2359]

5553. [bug] When reconfiguring named, removing "auto-dnssec" did not
      turn off DNSSEC maintenance. [GL #2341]

5552. [func] When switching to "dnssec-policy none;", named now
      permits a safe transition to insecure mode and publishes
      the CDS and CDNSKEY DELETE records, as described in RFC
      8078. [GL #1750]

5551. [bug] named no longer attempts to assign threads to CPUs
      outside the CPU affinity set. Thanks to Ole Bjørn
      Hessen. [GL #2245]

5550. [func] dnssec-signzone and named now log a warning when falling
      back to the "increment" SOA serial method. [GL #2058]

5545. [func] OS support for load-balanced sockets is no longer
      required to receive incoming queries in multiple netmgr
      threads. [GL #2137]

5543. [bug] Fix UDP performance issues caused by making netmgr
      callbacks asynchronous-only. [GL #2320]

5542. [bug] Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
      [GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
      [GL #2321]

--- 9.16.10 released ---

5544. [func] Restore the default value of "nocookie-udp-size" to 4096
      bytes. [GL #2250]

5541. [func] Adjust the "max-recursion-queries" default from 75 to
      100. [GL #2305]

5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
      [GL #2315]

5539. [bug] Tighten handling of missing DNS COOKIE responses over
      UDP by falling back to TCP. [GL #2275]

5538. [func] Add NSEC3 support to KASP. A new option for
      "dnssec-policy", "nsec3param", can be used to set the
      desired NSEC3 parameters. NSEC3 salt collisions are
      automatically prevented during resalting. Salt
      generation is now logged with zone context. [GL #1620]

5534. [bug] The CNAME synthesized from a DNAME was incorrectly
      followed when the QTYPE was CNAME or ANY. [GL #2280]

--- 9.16.9 released ---

5533. [func] Add the "stale-refresh-time" option, a time window that
      starts after a failed lookup, during which a stale RRset
      is served directly from cache before a new attempt to
      refresh it is made. [GL #2066]

5530. [bug] dnstap did not capture responses to forwarded UPDATE
      requests. [GL #2252]

5527. [bug] A NULL pointer dereference occurred when creating an NTA
      recheck query failed. [GL #2244]

5525. [bug] Change 5503 inadvertently broke cross-compilation by
      replacing a call to AC_LINK_IFELSE() with a call to
      AC_RUN_IFELSE() in configure.ac. This has been fixed,
      making cross-compilation possible again. [GL #2237]

5523. [bug] The initial lookup in a zone transitioning to/from a
      signed state could fail if the DNSKEY RRset was not
      found. [GL #2236]

5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227]

5520. [bug] Fixed a number of shutdown races, reference counting
      errors, and spurious log messages that could occur
      in the network manager. [GL #2221]

5518. [bug] Stub zones now work correctly with primary servers using
      "minimal-responses yes". [GL #1736]

5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
      [GL #2208]

--- 9.16.8 released ---

5516. [func] The default EDNS buffer size has been changed from 4096
      to 1232 bytes. [GL #2183]

5515. [func] Add 'rndc dnssec -rollover' command to trigger a manual
      rollover for a specific key. [GL #1749]

5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
      [GL #2171]

5513. [doc] The ARM section describing the "rrset-order" statement
      was rewritten to make it unambiguous and up-to-date with
      the source code. [GL #2139]

5512. [bug] "rrset-order" rules using "order none" were causing
      named to crash despite named-checkconf treating them as
      valid. [GL #2139]

5511. [bug] 'dig -u +yaml' failed to display timestamps to the
      microsecond. [GL #2190]

5510. [bug] Implement the attach/detach semantics for dns_message_t
      to fix a data race in accessing an already-destroyed
      fctx->rmessage. [GL #2124]

5509. [bug] filter-aaaa: named crashed upon shutdown if it was in
      the process of recursing for A RRsets. [GL #1040]

5508. [func] Added new parameter "-expired" for "rndc dumpdb" that
      also prints expired RRsets (awaiting cleanup) to the
      dump file. [GL #1870]

5507. [bug] Named could compute incorrect SIG(0) responses.
      [GL #2109]

5506. [bug] Properly handle failed sysconf() calls, so we don't
      report invalid memory size. [GL #2166]

5505. [bug] Updating contents of a mixed-case RPZ could cause some
      rules to be ignored. [GL #2169]

5503. [bug] Cleaned up reference counting of network manager
      handles, now using isc_nmhandle_attach() and _detach()
      instead of _ref() and _unref(). [GL #2122]

--- 9.16.7 released ---

5501. [func] Log CDS/CDNSKEY publication. [GL #1748]

5500. [bug] Fix (non-)publication of CDS and CDNSKEY records.
      [GL #2103]

5499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime.
      [GL #1748]

5497. [bug] 'dig +bufsize=0' failed to disable EDNS. [GL #2054]

5496. [bug] Address a TSAN report by ensuring each rate limiter
      object holds a reference to its task. [GL #2081]

5495. [bug] With query minimization enabled, named failed to
      resolve ip6.arpa. names that had extra labels to the
      left of the IPv6 part. [GL #1847]

5494. [bug] Silence the EPROTO syslog message on older systems.
      [GL #1928]

5493. [bug] Fix off-by-one error when calculating new hash table
      size. [GL #2104]

5492. [bug] Tighten LOC parsing to reject a period (".") and/or "m"
      as a value. Fix handling of negative altitudes which are
      not whole meters. [GL #2074]

5491. [bug] rbtversion->glue_table_size could be read without the
      appropriate lock being held. [GL #2080]

5489. [bug] Named erroneously accepted certain invalid resource
      records that were incorrectly processed after
      subsequently being written to disk and loaded back, as
      the wire format differed.
Such records include: CERT, 907 IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and 908 X25. [GL !3953] 909 9105488. [bug] NTA code needed to have a weak reference on its 911 associated view to prevent the latter from being deleted 912 while NTA tests were being performed. [GL #2067] 913 9145486. [func] Add 'rndc dnssec -checkds' command, which signals to 915 named that the DS record for a given zone or key has 916 been updated in the parent zone. [GL #1613] 917 918 --- 9.16.6 released --- 919 9205484. [func] Expire zero TTL records quickly rather than using them 921 for stale answers. [GL #1829] 922 9235483. [func] A new configuration option "stale-cache-enable" has been 924 introduced to enable or disable keeping stale answers in 925 cache. [GL #1712] 926 9275482. [bug] If the Duplicate Address Detection (DAD) mechanism had 928 not yet finished after adding a new IPv6 address to the 929 system, BIND 9 would fail to bind to IPv6 addresses in a 930 tentative state. [GL #2038] 931 9325481. [security] "update-policy" rules of type "subdomain" were 933 incorrectly treated as "zonesub" rules, which allowed 934 keys used in "subdomain" rules to update names outside 935 of the specified subdomains. The problem was fixed by 936 making sure "subdomain" rules are again processed as 937 described in the ARM. (CVE-2020-8624) [GL #2055] 938 9395480. [security] When BIND 9 was compiled with native PKCS#11 support, it 940 was possible to trigger an assertion failure in code 941 determining the number of bits in the PKCS#11 RSA public 942 key with a specially crafted packet. (CVE-2020-8623) 943 [GL #2037] 944 9455479. [security] named could crash in certain query resolution scenarios 946 where QNAME minimization and forwarding were both 947 enabled. (CVE-2020-8621) [GL #1997] 948 9495478. [security] It was possible to trigger an assertion failure by 950 sending a specially crafted large TCP DNS message. 951 (CVE-2020-8620) [GL #1996] 952 9535477. 
[bug] The idle timeout for connected TCP sockets, which was 954 previously set to a high fixed value, is now derived 955 from the client query processing timeout configured for 956 a resolver. [GL #2024] 957 9585476. [security] It was possible to trigger an assertion failure when 959 verifying the response to a TSIG-signed request. 960 (CVE-2020-8622) [GL #2028] 961 9625475. [bug] Wildcard RPZ passthru rules could incorrectly be 963 overridden by other rules that were loaded from RPZ 964 zones which appeared later in the "response-policy" 965 statement. This has been fixed. [GL #1619] 966 9675474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE 968 when it should have. [GL !3880] 969 9705473. [func] The RBT hash table implementation has been changed 971 to use a faster hash function (HalfSipHash2-4) and 972 Fibonacci hashing for better distribution. Setting 973 "max-cache-size" now preallocates a fixed-size hash 974 table so that rehashing does not cause resolution 975 brownouts while the hash table is grown. [GL #1775] 976 9775471. [bug] The introduction of KASP support inadvertently caused 978 the second field of "sig-validity-interval" to always be 979 calculated in hours, even in cases when it should have 980 been calculated in days. This has been fixed. (Thanks to 981 Tony Finch.) [GL !3735] 982 9835469. [port] On illumos, a constant called SEC is already defined in 984 <sys/time.h>, which conflicts with an identically named 985 constant in libbind9. This conflict has been resolved. 986 [GL #1993] 987 9885468. [bug] Addressed potential double unlock in process_fd(). 989 [GL #2005] 990 9915466. [bug] Addressed an error in recursive clients stats reporting. 992 [GL #1719] 993 9945465. [func] Added fallback to built-in trust-anchors, managed-keys, 995 or trusted-keys if the bindkeys-file (bind.keys) cannot 996 be parsed. [GL #1235] 997 9985464. [bug] Requesting more than 128 files to be saved when rolling 999 dnstap log files caused a buffer overflow. 
This has been 1000 fixed. [GL #1989] 1001 10025462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976] 1003 10045461. [bug] The STALE rdataset header attribute was updated while 1005 the write lock was not being held, leading to incorrect 1006 statistics. The header attributes are now converted to 1007 use atomic operations. [GL #1475] 1008 1009 --- 9.16.5 released --- 1010 10115458. [bug] Prevent a theoretically possible NULL dereference caused 1012 by a data race between zone_maintenance() and 1013 dns_zone_setview_helper(). [GL #1627] 1014 10155455. [bug] named could crash when cleaning dead nodes in 1016 lib/dns/rbtdb.c that were being reused. [GL #1968] 1017 10185454. [bug] Address a startup crash that occurred when the server 1019 was under load and the root zone had not yet been 1020 loaded. [GL #1862] 1021 10225453. [bug] named crashed on shutdown when a new rndc connection was 1023 received during shutdown. [GL #1747] 1024 10255452. [bug] The "blackhole" ACL was accidentally disabled for client 1026 queries. [GL #1936] 1027 10285451. [func] Add 'rndc dnssec -status' command. [GL #1612] 1029 10305449. [bug] Fix a socket shutdown race in netmgr udp. [GL #1938] 1031 10325448. [bug] Fix a race condition in isc__nm_tcpdns_send(). 1033 [GL #1937] 1034 10355447. [bug] IPv6 addresses ending in "::" could break YAML 1036 parsing. A "0" is now appended to such addresses 1037 in YAML output from dig, mdig, delv, and dnstap-read. 1038 [GL #1952] 1039 10405446. [bug] The validator could fail to accept a properly signed 1041 RRset if an unsupported algorithm appeared earlier in 1042 the DNSKEY RRset than a supported algorithm. It could 1043 also stop if it detected a malformed public key. 1044 [GL #1689] 1045 10465444. [bug] 'rndc dnstap -roll <value>' did not limit the number of 1047 saved files to <value>. [GL !3728] 1048 10495443. 
[bug] The "primary" and "secondary" keywords, when used 1050 as parameters for "check-names", were not 1051 processed correctly and were being ignored. [GL #1949] 1052 10535441. [bug] ${LMDB_CFLAGS} was missing from make/includes.in. 1054 [GL #1955] 1055 10565440. [test] Properly handle missing kyua. [GL #1950] 1057 10585439. [bug] The DS RRset returned by dns_keynode_dsset() was used in 1059 a non-thread-safe manner. [GL #1926] 1060 1061 --- 9.16.4 released --- 1062 10635438. [bug] Fix a race in TCP accepting code. [GL #1930] 1064 10655437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr(). 1066 [GL #1808] 1067 10685436. [security] It was possible to trigger an INSIST when determining 1069 whether a record would fit into a TCP message buffer. 1070 (CVE-2020-8618) [GL #1850] 1071 10725435. [tests] Add RFC 4592 responses examples to the wildcard system 1073 test. [GL #1718] 1074 10755434. [security] It was possible to trigger an INSIST in 1076 lib/dns/rbtdb.c:new_reference() with a particular zone 1077 content and query patterns. (CVE-2020-8619) [GL #1111] 1078 [GL #1718] 1079 10805431. [func] Reject DS records at the zone apex when loading 1081 master files. Log but otherwise ignore attempts to 1082 add DS records at the zone apex via UPDATE. [GL #1798] 1083 10845430. [doc] Update docs - with netmgr, a separate listening socket 1085 is created for each IPv6 interface (just as with IPv4). 1086 [GL #1782] 1087 10885428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr 1089 has been destroyed. Thanks to Petr Menšík. [GL !3316] 1090 10915426. [bug] Don't abort() when setting SO_INCOMING_CPU on the socket 1092 fails. [GL #1911] 1093 10945425. [func] The default value of "max-stale-ttl" has been changed 1095 from 1 week to 12 hours. [GL #1877] 1096 10975424. [bug] With KASP, when creating a successor key, the "goal" 1098 state of the current active key (predecessor) was not 1099 changed and thus never removed from the zone. [GL #1846] 1100 11015423. 
[bug] Fix a bug in keymgr_key_has_successor(): it incorrectly 1102 returned true if any other key in the keyring had a 1103 successor. [GL #1845] 1104 11055422. [bug] When using dnssec-policy, print correct key timing 1106 metadata. [GL #1843] 1107 11085421. [bug] Fix a race that could cause named to crash when looking 1109 up the nodename of an RBT node if the tree was modified. 1110 [GL #1857] 1111 11125420. [bug] Add missing isc_{mutex,conditional}_destroy() calls 1113 that caused a memory leak on FreeBSD. [GL #1893] 1114 11155418. [bug] delv failed to parse deprecated trusted-keys-style 1116 trust anchors. [GL #1860] 1117 11185416. [bug] Fix a lock order inversion in lib/isc/unix/socket.c. 1119 [GL #1859] 1120 11215415. [test] Address race in dnssec system test that led to 1122 test failures. [GL #1852] 1123 11245414. [test] Adjust time allowed for journal truncation to occur 1125 in nsupdate system test to avoid test failure. 1126 [GL #1855] 1127 11285413. [test] Address race in autosign system test that led to 1129 test failures. [GL #1852] 1130 11315412. [bug] 'provide-ixfr no;' failed to return up-to-date responses 1132 when the serial was greater than or equal to the 1133 current serial. [GL #1714] 1134 11355411. [cleanup] TCP accept code has been refactored to use a single 1136 accept() and pass the accepted socket to child threads 1137 for processing. [GL !3320] 1138 11395409. [performance] When looking up NSEC3 data in a zone database, skip the 1140 check for empty non-terminal nodes; the NSEC3 tree does 1141 not have any. [GL #1834] 1142 11435408. [protocol] Print Extended DNS Errors if present in OPT record. 1144 [GL #1835] 1145 11465407. [func] Zone timers are now exported via statistics channel. 1147 Thanks to Paul Frieden, Verizon Media. [GL #1232] 1148 11495405. [bug] 'named-checkconf -p' could include spurious text in 1150 server-addresses statements due to an uninitialized DSCP 1151 value. 
[GL #1812] 1152 1153 --- 9.16.3 released --- 1154 11555404. [bug] 'named-checkconf -z' could incorrectly indicate 1156 success if errors were found in one view but not in a 1157 subsequent one. [GL #1807] 1158 11595403. [func] Do not set UDP receive/send buffer sizes - use system 1160 defaults. [GL #1713] 1161 11625402. [bug] On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT. 1163 Enable use of SO_REUSEADDR on all platforms which 1164 support it. [GL !3365] 1165 11665401. [bug] The number of input queues allocated during dnstap 1167 initialization was too low, which could prevent some 1168 dnstap data from being logged. [GL #1795] 1169 11705400. [func] Add engine support to OpenSSL EdDSA implementation. 1171 [GL #1763] 1172 11735399. [func] Add engine support to OpenSSL ECDSA implementation. 1174 [GL #1534] 1175 11765398. [bug] Named could fail to restart if a zone with a double 1177 quote (") in its name was added with 'rndc addzone'. 1178 [GL #1695] 1179 11805397. [func] Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. 1181 Thanks to Aaron Thompson. [GL !3326] 1182 11835396. [func] When necessary (i.e. in libuv >= 1.37), use the 1184 UV_UDP_RECVMMSG flag to enable recvmmsg() support in 1185 libuv. [GL #1797] 1186 11875395. [security] Further limit the number of queries that can be 1188 triggered from a request. Root and TLD servers 1189 are no longer exempt from max-recursion-queries. 1190 Fetches for missing name server address records 1191 are limited to 4 for any domain. (CVE-2020-8616) 1192 [GL #1388] 1193 11945394. [cleanup] Named formerly attempted to change the effective UID and 1195 GID in named_os_openfile(), which could trigger a 1196 spurious log message if they were already set to the 1197 desired values. This has been fixed. [GL #1042] 1198 [GL #1090] 1199 12005392. [bug] It was possible for named to crash during shutdown 1201 or reconfiguration if an RPZ zone was still being 1202 updated. [GL #1779] 1203 12045390. 
[security] Replaying a TSIG BADTIME response as a request could 1205 trigger an assertion failure. (CVE-2020-8617) 1206 [GL #1703] 1207 12085389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller 1209 bugs and use PKCS#11 v3.0 EdDSA macros and constants. 1210 Thanks to Aaron Thompson. [GL !3391] 1211 12125387. [func] Warn about AXFR streams with inconsistent message IDs. 1213 [GL #1674] 1214 12155386. [cleanup] Address Coverity warnings in lib/dns/keymgr.c. 1216 [GL #1737] 1217 12185385. [func] Make ISC rwlock implementation the default again. 1219 [GL #1753] 1220 12215384. [bug] With "dnssec-policy" in effect, "inline-signing" was 1222 implicitly set to "yes". Now "inline-signing" is only 1223 set to "yes" if the zone is not dynamic. [GL #1709] 1224 1225 --- 9.16.2 released --- 1226 12275383. [func] Add a quota attach function with a callback and clean up 1228 the isc_quota API. [GL !3280] 1229 12305382. [bug] Use clock_gettime() instead of gettimeofday() for 1231 isc_stdtime() function. [GL #1679] 1232 12335381. [bug] Fix logging API data race by adding rwlock and caching 1234 logging levels in stdatomic variables to restore 1235 performance to original levels. [GL #1675] [GL #1717] 1236 12375380. [contrib] Fix building MySQL DLZ modules against MySQL 8 1238 libraries. [GL #1678] 1239 12405378. [bug] Receiving invalid DNS data was triggering an assertion 1241 failure in nslookup. [GL #1652] 1242 12435376. [bug] Fix ineffective DNS rebinding protection when BIND is 1244 configured as a forwarding DNS server. Thanks to Tobias 1245 Klein. [GL #1574] 1246 12475375. [test] Fix timing issues in the "kasp" system test. [GL #1669] 1248 12495374. [bug] Statistics counters tracking recursive clients and 1250 active connections could underflow. [GL #1087] 1251 12525373. [bug] Collecting statistics for DNSSEC signing operations 1253 (change 5254) caused an array of significant size (over 1254 100 kB) to be allocated for each configured zone. 
Each 1255 of these arrays is tracking all possible key IDs; this 1256 could trigger an out-of-memory condition on servers with 1257 a high enough number of zones configured. Fixed by 1258 tracking up to four keys per zone and rotating counters 1259 when keys are replaced. This fixes the immediate problem 1260 of high memory usage, but should be improved in a future 1261 release by growing or shrinking the number of keys to 1262 track upon key rollover events. [GL #1179] 1263 12645372. [bug] Fix migration from existing DNSSEC key files 1265 ("auto-dnssec maintain") to "dnssec-policy". [GL #1706] 1266 12675371. [bug] Improve incremental updates of the RPZ summary 1268 database to reduce delays that could occur when 1269 a policy zone update included a large number of 1270 record deletions. [GL #1447] 1271 12725370. [bug] Deactivation of a netmgr handle associated with a 1273 socket could be skipped in some circumstances. 1274 Fixed by deactivating the netmgr handle before 1275 scheduling the asynchronous close routine. [GL #1700] 1276 12775368. [bug] Named failed to restart if 'rndc addzone' names 1278 contained special characters (e.g. '/'). [GL #1655] 1279 12805367. [bug] Fixed a flaw in the calculation of the zone database 1281 size so that "max-journal-size default" uses the correct 1282 limit. [GL #1661] 1283 1284 --- 9.16.1 released --- 1285 12865366. [bug] Fix a race condition with the keymgr when the same 1287 zone plus dnssec-policy is configured in multiple 1288 views. [GL #1653] 1289 12905365. [bug] Algorithm rollover was stuck on submitting DS 1291 because keymgr thought it would move to an invalid 1292 state. Fixed by checking the current key against 1293 the desired state, not the existing state. [GL #1626] 1294 12955364. [bug] Algorithm rollover waited too long before introducing 1296 zone signatures. It waited to make sure all signatures 1297 were regenerated, but when introducing a new algorithm, 1298 all signatures are regenerated immediately. 
Only 1299 add the sign delay if there is a predecessor key. 1300 [GL #1625] 1301 13025363. [bug] When changing a dnssec-policy, existing keys with 1303 properties that no longer match were not being retired. 1304 [GL #1624] 1305 13065361. [bug] named might not accept new connections after 1307 hitting tcp-clients quota. [GL #1643] 1308 13095360. [bug] delv could fail to load trust anchors in DNSKEY 1310 format. [GL #1647] 1311 13125358. [bug] Inline master zones whose master files were touched 1313 but otherwise unchanged and were subsequently reloaded 1314 may have stopped re-signing. [GL !3135] 1315 13165357. [bug] Newly added RRSIG records with expiry times before 1317 the previous earliest expiry times might not be 1318 re-signed in time. This was a side effect of 5315. 1319 [GL !3137] 1320 1321 --- 9.16.0 released --- 1322 13235356. [func] Update dnssec-policy configuration statements: 1324 - Rename "zone-max-ttl" dnssec-policy option to 1325 "max-zone-ttl" for consistency with the existing 1326 zone option. 1327 - Allow for "lifetime unlimited" as a synonym for 1328 "lifetime PT0S". 1329 - Make "key-directory" optional. 1330 - Warn if specifying a key length does not make 1331 sense; fail if key length is out of range for 1332 the algorithm. 1333 - Allow use of mnemonics when specifying key 1334 algorithm (e.g. "rsasha256", "ecdsa384", etc.). 1335 - Make ISO 8601 durations case-insensitive. 1336 [GL #1598] 1337 13385355. [func] What was set with --with-tuning=large option in 1339 older BIND9 versions is now a default, and 1340 a --with-tuning=small option was added for small 1341 (e.g. OpenWRT) systems. [GL !2989] 1342 13435354. [bug] dnssec-policy created new KSK keys for zones in the 1344 initial stage of signing (with the DS not yet in the 1345 rumoured or omnipresent states). Fix by checking the 1346 key goals rather than the active state when determining 1347 whether new keys are needed. [GL #1593] 1348 13495353. 
[doc] Document port and dscp parameters in forwarders 1350 configuration option. [GL #914] 1351 13525352. [bug] Correctly handle catalog zone entries containing 1353 characters that aren't legal in filenames. [GL #1592] 1354 13555351. [bug] CDS / CDNSKEY consistency checks failed to handle 1356 removal records. [GL #1554] 1357 13585350. [bug] When a view was configured with class CHAOS, the 1359 server could crash while processing a query for a 1360 non-existent record. [GL #1540] 1361 13625349. [bug] Fix a race in task_pause/unpause. [GL #1571] 1363 13645348. [bug] dnssec-settime -Psync was not being honoured. 1365 [GL !2925] 1366 1367 --- 9.15.8 released --- 1368 13695347. [bug] Fixed a bug that could cause an intermittent crash 1370 in validator.c when validating a negative cache 1371 entry. [GL #1561] 1372 13735346. [bug] Make hazard pointer array allocations dynamic, fixing 1374 a bug that caused named to crash on machines with more 1375 than 40 cores. [GL #1493] 1376 13775345. [func] Key-style trust anchors and DS-style trust anchors 1378 can now both be used for the same name. [GL #1237] 1379 13805344. [bug] Handle accept() errors properly in netmgr. [GL !2880] 1381 13825343. [func] Add statistics counters to the netmgr. [GL #1311] 1383 13845342. [bug] Disable pktinfo for IPv6 and bind to each interface 1385 explicitly instead, because libuv doesn't support 1386 pktinfo control messages. [GL #1558] 1387 13885341. [func] Simplify passing the bound TCP socket to child 1389 threads by using isc_uv_export/import functions. 1390 [GL !2825] 1391 13925340. [bug] Don't deadlock when binding to a TCP socket fails. 1393 [GL #1499] 1394 13955339. [bug] With some libmaxminddb versions, named could erroneously 1396 match an IP address not belonging to any subnet defined 1397 in a given GeoIP2 database to one of the existing 1398 entries in that database. [GL #1552] 1399 14005338. [bug] Fix line spacing in `rndc secroots`. 1401 Thanks to Tony Finch. 
[GL !2478] 1402 14035337. [func] 'named -V' now reports maxminddb and protobuf-c 1404 versions. [GL !2686] 1405 1406 --- 9.15.7 released --- 1407 14085336. [bug] The TCP high-water statistic could report an 1409 incorrect value on startup. [GL #1392] 1410 14115335. [func] Make TCP listening code multithreaded. [GL !2659] 1412 14135334. [doc] Update documentation with dnssec-policy clarifications. 1414 Also change some defaults. [GL !2711] 1415 14165333. [bug] Fix duration printing on Solaris when value is not 1417 an ISO 8601 duration. [GL #1460] 1418 14195332. [func] Renamed "dnssec-keys" configuration statement 1420 to the more descriptive "trust-anchors". [GL !2702] 1421 14225331. [func] Use compiler-provided mechanisms for thread local 1423 storage, and make the requirement for such mechanisms 1424 explicit in configure. [GL #1444] 1425 14265330. [bug] 'configure --without-python' was ineffective if 1427 PYTHON was set in the environment. [GL #1434] 1428 14295329. [bug] Reconfiguring named caused memory to be leaked when any 1430 GeoIP2 database was in use. [GL #1445] 1431 14325328. [bug] rbtdb.c:rdataset_{get,set}ownercase failed to obtain 1433 a node lock. [GL #1417] 1434 14355327. [func] Added a statistics counter to track queries 1436 dropped because the recursive-clients quota was 1437 exceeded. [GL #1399] 1438 14395326. [bug] Add Python dependency on 'distutils.core' to configure. 1440 'distutils.core' is required for installation. 1441 [GL #1397] 1442 14435325. [bug] Addressed several issues with TCP connections in 1444 the netmgr: restored support for TCP connection 1445 timeouts, restored TCP backlog support, actively 1446 close all open sockets during shutdown. [GL #1312] 1447 14485324. [bug] Change the category of some log messages from general 1449 to the more appropriate catergory of xfer-in. [GL #1394] 1450 14515323. [bug] Fix a bug in DNSSEC trust anchor verification. 1452 [GL !2609] 1453 14545322. [placeholder] 1455 14565321. 
[bug] Obtain write lock before updating version->records 1457 and version->bytes. [GL #1341] 1458 14595320. [cleanup] Silence TSAN on header->count. [GL #1344] 1460 1461 --- 9.15.6 released --- 1462 14635319. [func] Trust anchors can now be configured using DS 1464 format to represent a key digest, by using the 1465 new "initial-ds" or "static-ds" keywords in 1466 the "dnssec-keys" statement. 1467 1468 Note: DNSKEY-format and DS-format trust anchors 1469 cannot both be used for the same domain name. 1470 [GL #622] 1471 14725318. [cleanup] The DNSSEC validation code has been refactored 1473 for clarity and to reduce code duplication. 1474 [GL #622] 1475 14765317. [func] A new asynchronous network communications system 1477 based on libuv is now used for listening for 1478 incoming requests and responding to them. (The 1479 old isc_socket API remains in use for sending 1480 iterative queries and processing responses; this 1481 will be changed too in a later release.) 1482 1483 This change will make it easier to improve 1484 performance and implement new protocol layers 1485 (e.g., DNS over TLS) in the future. [GL #29] 1486 14875316. [func] A new "dnssec-policy" option has been added to 1488 named.conf to implement a key and signing policy 1489 (KASP) for zones. When this option is in use, 1490 named can generate new keys as needed and 1491 automatically roll both ZSK and KSK keys. (Note 1492 that the syntax for this statement differs from 1493 the dnssec policy used by dnssec-keymgr.) 1494 1495 See the ARM for configuration details. [GL #1134] 1496 14975315. [bug] Apply the initial RRSIG expiration spread fixed 1498 to all dynamically created records in the zone 1499 including NSEC3. Also fix the signature clusters 1500 when the server has been offline for prolonged 1501 period of times. [GL #1256] 1502 15035314. [func] Added a new statistics variable "tcp-highwater" 1504 that reports the maximum number of simultaneous TCP 1505 clients BIND has handled while running. 
[GL #1206] 1506 15075313. [bug] The default GeoIP2 database location did not match 1508 the ARM. 'named -V' now reports the default 1509 location. [GL #1301] 1510 15115312. [bug] Do not flush the cache for `rndc validation status`. 1512 Thanks to Tony Finch. [GL !2462] 1513 15145311. [cleanup] Include all views in output of `rndc validation status`. 1515 Thanks to Tony Finch. [GL !2461] 1516 15175310. [bug] TCP failures were affecting EDNS statistics. [GL #1059] 1518 15195309. [placeholder] 1520 15215308. [bug] Don't log DNS_R_UNCHANGED from sync_secure_journal() 1522 at ERROR level in receive_secure_serial(). [GL #1288] 1523 15245307. [bug] Fix hang when named-compilezone output is sent to pipe. 1525 Thanks to Tony Finch. [GL !2481] 1526 15275306. [security] Set a limit on number of simultaneous pipelined TCP 1528 queries. (CVE-2019-6477) [GL #1264] 1529 15305305. [bug] NSEC Aggressive Cache ("synth-from-dnssec") has been 1531 disabled by default because it was found to have 1532 a significant performance impact on the recursive 1533 service. [GL #1265] 1534 15355304. [bug] "dnskey-sig-validity 0;" was not being accepted. 1536 [GL #876] 1537 15385303. [placeholder] 1539 15405302. [bug] Fix checking that "dnstap-output" is defined when 1541 "dnstap" is specified in a view. [GL #1281] 1542 15435301. [bug] Detect partial prefixes / incomplete IPv4 address in 1544 acls. [GL #1143] 1545 15465300. [bug] dig/mdig/delv: Add a colon after EDNS option names, 1547 even when the option is empty, to improve 1548 readability and allow correct parsing of YAML 1549 output. [GL #1226] 1550 1551 --- 9.15.5 released --- 1552 15535299. [security] A flaw in DNSSEC verification when transferring 1554 mirror zones could allow data to be incorrectly 1555 marked valid. (CVE-2019-6475) [GL #1252] 1556 15575298. [security] Named could assert if a forwarder returned a 1558 referral, rather than resolving the query, when QNAME 1559 minimization was enabled. 
(CVE-2019-6476) [GL #1051] 1560 15615297. [bug] Check whether a previous QNAME minimization fetch 1562 is still running before starting a new one; return 1563 SERVFAIL and log an error if so. [GL #1191] 1564 15655296. [placeholder] 1566 15675295. [cleanup] Split dns_name_copy() calls into dns_name_copy() and 1568 dns_name_copynf() for those calls that can potentially 1569 fail and those that should not fail respectively. 1570 [GL !2265] 1571 15725294. [func] Fallback to ACE name on output in locale, which does not 1573 support converting it to unicode. [GL #846] 1574 15755293. [bug] On Windows, named crashed upon any attempt to fetch XML 1576 statistics from it. [GL #1245] 1577 15785292. [bug] Queue 'rndc nsec3param' requests while signing inline 1579 zone changes. [GL #1205] 1580 1581 --- 9.15.4 released --- 1582 15835291. [placeholder] 1584 15855290. [placeholder] 1586 15875289. [bug] Address NULL pointer dereference in rpz.c:rpz_detach. 1588 [GL #1210] 1589 15905288. [bug] dnssec-must-be-secure was not always honored. 1591 [GL #1209] 1592 15935287. [placeholder] 1594 15955286. [contrib] Address potential NULL pointer dereferences in 1596 dlz_mysqldyn_mod.c. [GL #1207] 1597 15985285. [port] win32: implement "-T maxudpXXX". [GL #837] 1599 16005284. [func] Added +unexpected command line option to dig. 1601 By default, dig won't accept a reply from a source 1602 other than the one to which it sent the query. 1603 Invoking dig with +unexpected argument will allow it 1604 to process replies from unexpected sources. 1605 16065283. [bug] When a response-policy zone expires, ensure that 1607 its policies are removed from the RPZ summary 1608 database. [GL #1146] 1609 16105282. [bug] Fixed a bug in searching for possible wildcard matches 1611 for query names in the RPZ summary database. [GL #1146] 1612 16135281. [cleanup] Don't escape commas when reporting named's command 1614 line. [GL #1189] 1615 16165280. [protocol] Add support for displaying EDNS option LLQ. 
			[GL #1201]

5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
			RRsets at the zone apex if they would cause DNSSEC
			validation failures if published in the parent zone
			as the DS RRset. [GL #1187]

5278.	[func]		Add YAML output formats for dig, mdig and delv;
			use the "+yaml" option to enable. [GL #1145]

	--- 9.15.3 released ---

5277.	[bug]		Cache DB statistics could underflow when serve-stale
			was in use, because of a bug in counter maintenance
			when RRsets become stale.

			Functions for dumping statistics have been updated
			to dump active, stale, and ancient statistic
			counters. Ancient RRset counters are prefixed
			with '~'; stale RRset counters are still prefixed
			with '#'. [GL #602]

5276.	[func]		DNSSEC Lookaside Validation (DLV) is now obsolete;
			all code enabling its use has been removed from the
			validator, "delv", and the DNSSEC tools. [GL #7]

5275.	[bug]		Mark DS records included in referral messages
			with trust level "pending" so that they can be
			validated and cached immediately, with no need to
			re-query. [GL #964]

5274.	[bug]		Address potential use after free race when shutting
			down rpz. [GL #1175]

5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
			[GL #1159]

5272.	[cleanup]	Remove isc-config.sh script as the BIND 9 libraries
			are now purely internal. [GL #1123]

5271.	[func]		The normal (non-debugging) output of dnssec-signzone
			and dnssec-verify tools now goes to stdout, instead of
			the combination of stderr and stdout.

5270.	[bug]		'dig +expandaaaa +short' did not work. [GL #1152]

5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
			non-blocking socket. [GL #1133]

5268.	[placeholder]

5267.	[func]		Allow statistics groups display to be toggle-able.
			[GL #1030]

5266.	[bug]		named-checkconf failed to report dnstap-output
			missing from named.conf when dnstap was specified.
			[GL #1136]

5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly
			[GL #1106]

5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
			to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
			have been removed. [GL #605]

	--- 9.15.2 released ---

5263.	[cleanup]	Use atomics and isc_refcount_t wherever possible.
			[GL #1038]

5262.	[func]		Removed support for the legacy GeoIP API. [GL #1112]

5261.	[cleanup]	Remove SO_BSDCOMPAT socket option usage.

5260.	[bug]		dnstap-read was producing malformed output for large
			packets. [GL #1093]

5259.	[func]		New option '-i' for 'named-checkconf' to ignore
			warnings about deprecated options. [GL #1101]

5258.	[func]		Added support for the GeoIP2 API from MaxMind. This
			will be compiled in by default if the "libmaxminddb"
			library is found at compile time, but can be
			suppressed using "configure --disable-geoip".

			Certain geoip ACL settings that were available with
			legacy GeoIP are not available when using GeoIP2.
			[GL #182]

5257.	[bug]		Some statistics data was not being displayed.
			Add shading to the zone tables. [GL #1030]

5256.	[bug]		Ensure that glue records are included in root
			priming responses if "minimal-responses" is not
			set to "yes". [GL #1092]

5255.	[bug]		Errors encountered while reloading inline-signing
			zones could be ignored, causing the zone content to
			be left in an incompletely updated state rather than
			reverted. [GL #1109]

5254.	[func]		Collect metrics to report to the statistics-channel
			DNSSEC signing operations (dnssec-sign) and refresh
			operations (dnssec-refresh) per zone and per keytag.
			[GL #513]

5253.	[port]		Support platforms that don't define ULLONG_MAX.
			[GL #1098]

5252.	[func]		Report if the last 'rndc reload/reconfig' failed in
			rndc status. [GL !2040]

5251.	[bug]		Statistics were broken in x86 Windows builds.
			[GL #1081]

5250.	[func]		The default size for RSA keys is now 2048 bits,
			for both ZSKs and KSKs. [GL #1097]

5249.	[bug]		Fix a possible underflow in recursion clients
			statistics when hitting recursive clients
			soft quota. [GL #1067]

	--- 9.15.1 released ---

5248.	[func]		To clarify the configuration of DNSSEC keys,
			the "managed-keys" and "trusted-keys" options
			have both been deprecated. The new "dnssec-keys"
			statement can now be used for all trust anchors,
			with the keywords "initial-key" or "static-key"
			to indicate whether the configured trust anchor
			should be used for initialization of RFC 5011 key
			management, or as a permanent trust anchor.

			The "static-key" keyword will generate a warning if
			used for the root zone.

			Configurations using "trusted-keys" or "managed-keys"
			will continue to work with no changes, but will
			generate warnings in the log. In a future release,
			these options will be marked obsolete. [GL #6]

5247.	[cleanup]	The 'cleaning-interval' option has been removed.
			[GL !1731]

5246.	[func]		Log TSIG if appropriate in 'sending notify to' message.
			[GL #1058]

5245.	[cleanup]	Reduce logging level for IXFR up-to-date poll
			responses. [GL #1009]

5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
			that could cause an assertion failure if a
			significant number of incoming packets were
			rejected. (CVE-2019-6471) [GL #942]

5243.	[bug]		Fix a possible race between dispatcher and socket
			code in a high-load cold-cache resolver scenario.
			[GL #943]

5242.	[bug]		In relaxed qname minimization mode, fall back to
			normal resolution when encountering a lame
			delegation, and use _.domain/A queries rather
			than domain/NS. [GL #1055]

5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
			[GL #225]

5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]

5239.	[func]		Change the json-c detection to pkg-config. [GL #855]

5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]

5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
			[GL #1028]

5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
			and switch isc_hash_function() to use SipHash 2-4.
			[GL #605]

5235.	[cleanup]	Refactor lib/isc/app.c to be thread-safe, unused
			parts of the API have been removed and the
			isc_appctx_t data type has been changed to be
			fully opaque. [GL #1023]

5234.	[port]		arm: just use the compiler's default support for
			yield. [GL #981]

	--- 9.15.0 released ---

5233.	[bug]		Negative trust anchors did not work with "forward only;"
			to validating resolvers. [GL #997]

5232.	[placeholder]

5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
			[GL #960]

5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
			generating DS and CDS records. [GL #1015]

5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]

5228.	[func]		If trusted-keys and managed-keys were configured
			simultaneously for the same name, the key could
			not be rolled automatically. This is now
			a fatal configuration error. [GL #868]

5227.	[placeholder]

5226.	[placeholder]

5225.	[func]		Allow dig to print out AAAA record fully expanded
			with +[no]expandaaaa. [GL #765]

5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]

5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
			the hash table. [GL #1005]

5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]

5221.	[test]		Enable parallel execution of system tests on
			Windows. [GL !4101]

5220.	[cleanup]	Refactor the isc_stat structure to take advantage
			of stdatomic. [GL !1493]

5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
			trigger a crash when returning an instance object
			to the memory pool. [GL #982]

5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]

5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]

5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
			when doing qname minimization. [GL #992]

5215.	[bug]		Change #5124 was incomplete; named could still
			return FORMERR instead of SERVFAIL in some cases.
			[GL #990]

5214.	[bug]		win32: named now removes its lock file upon shutdown.
			[GL #979]

5213.	[bug]		win32: Eliminated a race which allowed named.exe running
			as a service to be killed prematurely during shutdown.
			[GL #978]

5212.	[placeholder]

5211.	[bug]		Allow out-of-zone additional data to be included
			in authoritative responses if recursion is allowed
			and "minimal-responses" is disabled. This behavior
			was inadvertently removed in change #4605. [GL #817]

5210.	[bug]		When dnstap is enabled and recursion is not
			available, incoming queries are now logged
			as "auth". Previously, this depended on whether
			recursion was requested by the client, not on
			whether recursion was available. [GL #963]

5209.	[bug]		When update-check-ksk is true, add_sigs was not
			considering offline keys, leaving record sets signed
			with the incorrect type key. [GL #763]

5208.	[test]		Run valid rdata wire encodings through totext+fromtext
			and tofmttext+fromtext methods to check these methods.
			[GL #899]

5207.	[test]		Check delv and dig TTL values. [GL #965]

5206.	[bug]		Delv could print out bad TTLs. [GL #965]

5205.	[bug]		Enforce that a DS hash exists. [GL #899]

5204.	[test]		Check that dns_rdata_fromtext() produces a record that
			will be accepted by dns_rdata_fromwire(). [GL #852]

5203.	[bug]		Enforce whether key rdata exists or not in KEY,
			DNSKEY, CDNSKEY and RKEY. [GL #899]

5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]

5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]

5200.	[security]	tcp-clients settings could be exceeded in some cases,
			which could lead to exhaustion of file descriptors.
			(CVE-2018-5743) [GL #615]

5199.	[security]	In certain configurations, named could crash
			if nxdomain-redirect was in use and a redirected
			query resulted in an NXDOMAIN from the cache.
			(CVE-2019-6467) [GL #880]

5198.	[bug]		If a fetch context was being shut down and, at the same
			time, we returned from qname minimization, an INSIST
			could be hit. [GL #966]

5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
			records. Similarly on multiple OPT and multiple TSIG
			records. [GL #920]

5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]

5195.	[bug]		"allow-update" and "allow-update-forwarding" were
			treated as configuration errors if used at the
			options or view level. [GL #913]

5194.	[bug]		Enforce non empty ZONEMD hash. [GL #899]

5193.	[bug]		EID and NIMLOC failed to do multi-line output
			correctly. [GL #899]

5192.	[placeholder]

5191.	[placeholder]

5190.	[bug]		Ignore trust anchors using disabled algorithms.
			[GL #806]

5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]

5188.	[func]		The "dnssec-enable" option is deprecated and no
			longer has any effect; DNSSEC responses are
			always enabled. [GL #866]

5187.	[test]		Set time zone before running any tests in dnstap_test.
			[GL #940]

5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]

5185.	[placeholder]

5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]

5183.	[bug]		Reinitialize ECS data before reusing client
			structures. [GL #881]

5182.	[bug]		Fix a high-load race/crash in handling of
			isc_socket_close() in resolver. [GL #834]

5181.	[func]		Add a mechanism for a DLZ module to signal that
			the view's allow-transfer ACL should be used to
			determine whether transfers are allowed. [GL #803]

5180.	[bug]		delv now honors the operating system's preferred
			ephemeral port range. [GL #925]

5179.	[cleanup]	Replace some vague type declarations with the more
			specific dns_secalg_t and dns_dsdigest_t.
			Thanks to Tony Finch. [GL !1498]

5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
			errors when writing files. [GL #902]

5177.	[func]		Add the ability to specify in named.conf whether a
			response-policy zone's SOA record should be added
			to the additional section (add-soa yes/no). [GL #865]

5176.	[tests]		Remove a dependency on libxml in statschannel system
			test. [GL #926]

5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
			dnssec-coverage and dnssec-checkds when using
			python3. [GL #882]

5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]

5173.	[bug]		Fixed a race in socket code that could occur when
			accept, send, or recv were called from an event
			loop but the socket had been closed by another
			thread. [RT #874]

5172.	[bug]		nsupdate now honors the operating system's preferred
			ephemeral port range. [GL #905]

5171.	[func]		named plugins are now installed into a separate
			directory. Supplying a filename (a string without path
			separators) in a "plugin" configuration stanza now
			causes named to look for that plugin in that directory.
			[GL #878]

5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]

5169.	[bug]		The presence of certain types in an otherwise
			empty node could cause a crash while processing a
			type ANY query. [GL #901]

5168.	[bug]		Do not crash on shutdown when RPZ fails to load. Also,
			keep previous version of the database if RPZ fails to
			load. [GL #813]

5167.	[bug]		nxdomain-redirect could sometimes look up the wrong
			redirect name. [GL #892]

5166.	[placeholder]

5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
			[GL #428]

5164.	[bug]		Correct errno to result translation in dlz filesystem
			modules. [GL #884]

5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]

5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
			[GL !1518]

5161.	[bug]		Do not require the SEP bit to be set for mirror zone
			trust anchors. [GL #873]

5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
			fixed a compilation bug affecting several DLZ
			modules. [GL #872]

5159.	[bug]		dnssec-coverage was incorrectly ignoring
			names specified on the command line without
			trailing dots. [GL !1478]

5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]

5157.	[bug]		Nslookup now errors out if there are extra command
			line arguments. [GL #207]

5156.	[doc]		Extended and refined the section of the ARM describing
			mirror zones. [GL #774]

5155.	[func]		"named -V" now outputs the default paths to
			named.conf, rndc.conf, bind.keys, and other
			files used or created by named and other tools, so
			that the correct paths to these files can quickly be
			determined regardless of the configure settings
			used when BIND was built. [GL #859]

5154.	[bug]		dig: process_opt could be called twice on the same
			message leading to an assertion failure. [GL #860]

5153.	[func]		Zone transfer statistics (size, number of records, and
			number of messages) are now logged for outgoing
			transfers as well as incoming ones. [GL #513]

5152.	[func]		Improved logging of DNSSEC key events:
			- Zone signing and DNSKEY maintenance events are
			  now logged to the "dnssec" category
			- Messages are now logged when DNSSEC keys are
			  published, activated, inactivated, deleted,
			  or revoked.
			[GL #714]

5151.	[func]		Options that have been marked as obsolete in
			named.conf for a very long time are now fatal
			configuration errors. [GL #358]

5150.	[cleanup]	Remove the ability to compile BIND with assertions
			disabled. [GL #735]

5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
			indicating how long the data will be retained in the
			cache for emergency use. [GL #101]

5148.	[bug]		named did not sign the TKEY response. [GL #821]

5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
			handle key events close to 'now'. [GL #848]

5146.	[placeholder]

5145.	[func]		Use atomics instead of locked variables for isc_quota
			and isc_counter. [GL !1389]

5144.	[bug]		dig now returns a non-zero exit code when a TCP
			connection is prematurely closed by a peer more than
			once for the same lookup. [GL #820]

5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
			key files for zone names ending in ".". [GL #560]

5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
			"--disable-rpz-nsdname" options. "nsip-enable"
			and "nsdname-enable" both now default to yes,
			regardless of compile-time settings. [GL #824]

5141.	[security]	Zone transfer controls for writable DLZ zones were
			not effective as the allowzonexfr method was not being
			called for such zones. (CVE-2019-6465) [GL #790]

5140.	[bug]		Don't immediately mark existing keys as inactive and
			deleted when running dnssec-keymgr for the first
			time. [GL #117]

5139.	[bug]		If possible, don't use forwarders when priming.
			This ensures we can get root server IP addresses
			from priming query response glue, which may not
			be present if the forwarding server is returning
			minimal responses. [GL #752]

5138.	[bug]		Under some circumstances named could hit an assertion
			failure when doing qname minimization when using
			forwarders. [GL #797]

5137.	[func]		named now logs messages whenever a mirror zone becomes
			usable or unusable for resolution purposes. [GL #818]

5136.	[cleanup]	Check in named-checkconf that allow-update and
			allow-update-forwarding are not set at the
			view/options level; fix documentation. [GL #512]

5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]

5134.	[bug]		win32: WSAStartup was not called before getservbyname
			was called. [GL #590]

5133.	[bug]		'rndc managed-keys' didn't handle class and view
			correctly and failed to add new lines between each
			view. [GL !1327]

5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
			[GL !1323]

5131.	[cleanup]	Address Coverity warnings. [GL #801]

5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]

5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
			splitting the query string. [GL #798]

5128.	[bug]		Refreshkeytime was not being updated for managed
			keys zones. [GL #784]

5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
			regions. [GL #807]

5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
			fields when reading master files. [GL #807]

5125.	[bug]		Allow for up to 100 records or 64k of data when caching
			a negative response. [GL #804]

5124.	[bug]		Named could incorrectly return FORMERR rather than
			SERVFAIL. [GL #804]

5123.	[bug]		dig could hang indefinitely after encountering an error
			before creating a TCP socket. [GL #692]

5122.	[bug]		In a "forward first;" configuration, a forwarder
			timeout did not prevent that forwarder from being
			queried again after falling back to full recursive
			resolution. [GL #315]

5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on
			non-matching zone names. [GL !1299]

5120.	[placeholder]

5119.	[placeholder]

5118.	[security]	Named could crash if it is managing a key with
			`managed-keys` and the authoritative zone is rolling
			the key to an unsupported algorithm. (CVE-2018-5745)
			[GL #780]

5117.	[placeholder]

5116.	[bug]		Named/named-checkconf triggered an assertion when
			a mirror zone's name is bad. [GL #778]

5115.	[bug]		Allow unsupported algorithms in zone when not used for
			signing with dnssec-signzone. [GL #783]

5114.	[func]		Include a 'reconfig/reload in progress' status line
			in rndc status, use it in tests.

5113.	[port]		Fixed a Windows build error.

5112.	[bug]		Named/named-checkconf could dump core if there was
			a missing masters clause and a bad notify clause.
			[GL #779]

5111.	[bug]		Occluded DNSKEY records could make it into the
			delegating NSEC/NSEC3 bitmap. [GL #742]

5110.	[security]	Named leaked memory if there were multiple Key Tag
			EDNS options present. (CVE-2018-5744) [GL #772]

5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]

	--- 9.13.5 released ---

5108.	[bug]		Named could fail to determine bottom of zone when
			removing out of date keys leading to invalid NSEC
			and NSEC3 records being added to the zone. [GL #771]

5107.	[bug]		'host -U' did not work. [GL #769]

5106.	[experimental]	A new "plugin" mechanism has been added to allow
			extension of query processing functionality through
			the use of dynamically loadable libraries. A
			"filter-aaaa.so" plugin has been implemented,
			replacing the filter-aaaa feature that was formerly
			implemented as a native part of BIND.

			The "filter-aaaa", "filter-aaaa-on-v4" and
			"filter-aaaa-on-v6" options can no longer be
			configured using native named.conf syntax. However,
			loading the filter-aaaa.so plugin and setting its
			parameters provides identical functionality.

			Note that the plugin API is a work in progress and
			is likely to evolve as further plugins are
			implemented. [GL #15]

5105.	[bug]		Fix a race between process_fd and socketclose in
			unix socket code. [GL #744]

5104.	[cleanup]	Log clearer informational message when a catz zone
			is overridden by a zone in named.conf.
			Thanks to Tony Finch. [GL !1157]

5103.	[bug]		Add missing design by contract tests to dns_catz*.
			[GL #748]

5102.	[bug]		dnssec-coverage failed to use the default TTL when
			checking KSK deletion times leading to an exception.
			[GL #585]

5101.	[bug]		Fix default installation path for Python modules and
			remove the dnspython dependency accidentally introduced
			by change 4970. [GL #730]

5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]

5099.	[func]		Failed mutex and conditional creations are always
			fatal. [GL #674]

	--- 9.13.4 released ---

5098.	[func]		Failed memory allocations are now fatal. [GL #674]

5097.	[cleanup]	Remove embedded ATF unit testing framework
			from BIND source distribution. [GL !875]

5096.	[func]		Use multiple event loops in socket code, and
			make network threads CPU-affinitive. This
			significantly improves performance on large
			systems. [GL #666]

5095.	[test]		Converted all unit tests from ATF to CMocka;
			removed the source code for the ATF libraries.
			Build with "configure --with-cmocka" to enable
			unit testing. [GL #620]

5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]

5093.	[bug]		Log lame qname-minimization servers only if they're
			really lame. [GL #671]

5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
			GSS-TSIG. [GL #558]

5091.	[func]		Two new global and per-view options min-cache-ttl
			and min-ncache-ttl. [GL #613]

5090.	[bug]		dig and mdig failed to properly pre-parse dash value
			pairs when value was a separate argument and started
			with a dash. [GL #584]

5089.	[bug]		Restore localhost fallback in dig and host which is
			used when no nameserver addresses present in
			/etc/resolv.conf are usable due to the requested
			address family restrictions. [GL #433]

5088.	[bug]		dig/host/nslookup could crash when interrupted close to
			a query timeout. [GL #599]

5087.	[test]		Check that result tables are complete. [GL #676]

5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]

5085.	[bug]		win32: Restore looking up nameservers, search list,
			etc. [GL #186]

5084.	[placeholder]

5083.	[func]		Add autoconf macro AX_POSIX_SHELL, so we
			can use POSIX-compatible shell features
			in the scripts.

5082.	[bug]		Fixed a race that could cause a crash in
			dig/host/nslookup. [GL #650]

5081.	[func]		Use per-worker queues in task manager, make task
			runners CPU-affine. [GL #659]

5080.	[func]		Improvements to "rndc nta" user interface:
			- catch and report invalid command line options
			- when removing an NTA from all views, do not
			  abort with an error if the NTA was not found
			  in one of the views
			- include the view name in "rndc nta -dump"
			  output, for consistency with the add and remove
			  actions
			Thanks to Tony Finch. [GL !816]

5079.	[func]		Disable IDN processing in dig and nslookup
			when not on a tty. [GL #653]

5078.	[cleanup]	Require python components to be explicitly disabled if
			python is not available on unix platforms. [GL #601]

5077.	[cleanup]	Remove ip6.int support (-i) from dig and mdig.
			[GL !969]

5076.	[bug]		"require-server-cookie" was not effective if
			"rate-limit" was configured. [GL #617]

5075.	[bug]		Refresh nameservers from cache when sending final
			query in qname minimization. [GL #16]

5074.	[cleanup]	Remove vector socket functions - isc_socket_recvv(),
			isc_socket_sendtov(), isc_socket_sendtov2(),
			isc_socket_sendv() - in order to simplify socket code.
			[GL #645]

5073.	[bug]		Destroy a task first when destroying rpzs and catzs.
			[GL #84]

5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
			behavior for auto-reallocated buffers. [GL #644]

5071.	[bug]		Comparison of NXT records was broken. [GL #631]

5070.	[bug]		Record types which support an empty rdata field were
			not handling the empty rdata field case. [GL #638]

5069.	[bug]		Fix a hang in RPZ when named is shut down during RPZ
			zone update. [GL !907]

5068.	[bug]		Fix a race in RPZ with min-update-interval set to 0.
			[GL #643]

5067.	[bug]		Don't minimize qname when sending the query
			to a forwarder. [GL #361]

5066.	[cleanup]	Allow unquoted strings to be used as zone names
			in response-policy statements. [GL #641]

5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]

5064.	[test]		Initialize TZ environment variable before calling
			dns_test_begin in dnstap_test. [GL #624]

5063.	[test]		In statschannel test try a few times before failing
			when checking if the compressed output is the same as
			uncompressed. [GL !909]

5062.	[func]		Use non-crypto-secure PRNG to generate nonces for
			cookies. [GL !887]

5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]

5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
			record format. [GL #627]

5059.	[bug]		Display a per-view list of zones in the web interface.
			[GL #427]

5058.	[func]		Replace old message digest and hmac APIs with more
			generic isc_md and isc_hmac APIs, and convert their
			respective tests to cmocka. [GL #305]

5057.	[protocol]	Add support for ATMA. [GL #619]

5056.	[placeholder]

5055.	[func]		A default list of primary servers for the root zone is
			now built into named, allowing the "masters" statement
			to be omitted when configuring an IANA root zone
			mirror. [GL #564]

5054.	[func]		Attempts to use mirror zones with recursion disabled
			are now considered a configuration error. [GL #564]

5053.	[func]		The only valid zone-level NOTIFY settings for mirror
			zones are now "notify no;" and "notify explicit;".
			[GL #564]

5052.	[func]		Mirror zones are now configured using "type mirror;"
			rather than "mirror yes;". [GL #564]

5051.	[doc]		Documentation incorrectly stated that the
			"server-addresses" static-stub zone option accepts
			custom port numbers. [GL #582]

5050.	[bug]		The libirs version of getaddrinfo() was unable to parse
			scoped IPv6 addresses present in /etc/resolv.conf.
			[GL #187]

5049.	[cleanup]	QNAME minimization has been deeply refactored. [GL #16]

5048.	[func]		Add configure option to enable and enforce FIPS mode
			in BIND 9. [GL #506]

5047.	[bug]		Messages logged for certain query processing failures
			now include a more specific error description if it is
			available. [GL #572]

5046.	[bug]		named could crash during shutdown if an RPZ
			reload was in progress. [RT #46210]

5045.	[func]		Remove support for DNSSEC algorithms 3 (DSA)
			and 6 (DSA-NSEC3-SHA1). [GL #22]

5044.	[cleanup]	If "dnssec-enable" is no, then "dnssec-validation"
			now also defaults to no. [GL #388]

5043.	[bug]		Fix creating and validating EdDSA signatures. [GL #579]

5042.	[test]		Make the chained delegations in reclimit behave
			like they would in a regular name server. [GL #578]

5041.	[test]		The chain test contains an incomplete delegation.
			[GL #568]

5040.	[func]		Extended dnstap so that it can log UPDATE requests
			and responses as separate message types. Thanks
			to Greg Rabil. [GL #570]

5039.	[bug]		Named could fail to preserve owner name case of new
			RRset. [GL #420]

5038.	[bug]		Chaosnet addresses were compared incorrectly.
			[GL #562]

5037.	[func]		"allow-recursion-on" and "allow-query-cache-on"
			each now default to the other if only one of them
			is set, in order to be more consistent with the way
			"allow-recursion" and "allow-query-cache" work.
			Also we now ensure that both query-cache ACLs are
			checked when determining cache access. [GL #319]

5036.	[cleanup]	Fixed a spacing/formatting error in some RPZ-related
			error messages in the log. [GL !805]

5035.	[test]		Fixed errors that prevented the DNSRPS subtests
			from running in the rpz and rpzrecurse system
			tests. [GL #503]

5034.	[bug]		A race between threads could prevent zone maintenance
			scheduled immediately after zone load from being
			performed. [GL #542]

5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
			the text returned via rndc was incorrectly terminated
			after the first line, making it look as if only one
			NTA had been added. Also, it was not possible to
			differentiate between views with the same name but
			different classes; this has been corrected with the
			addition of a "-class" option. [GL #105]

5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
			[GL #511]

5031.	[cleanup]	Various defines in platform.h have been either dropped
			if always or never triggered on supported platforms
			or replaced with config.h equivalents if the defines
			didn't have any impact on public headers. Workarounds
			for LinuxThreads have been removed because NPTL is
			available since Linux kernel 2.6.0. [GL #525]

5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
			on architectures with strict alignment. [GL #521]

	--- 9.13.3 released ---

5029.	[func]		Workarounds for servers that misbehave when queried
			with EDNS have been removed, because these broken
			servers and the workarounds for their noncompliance
			cause unnecessary delays, increase code complexity,
			and prevent deployment of new DNS features. See
			https://dnsflagday.net for further details. [GL #150]

5028.	[bug]		Spread the initial RRSIG expiration times over the
			entire working sig-validity-interval when signing a
			zone in named to even out re-signing and transfer
			loads. [GL #418]

5027.	[func]		Set SO_SNDBUF size on sockets. [GL #74]

5026.	[bug]		rndc reconfig should not touch already loaded zones.
      [GL #276]

5025. [cleanup] Remove isc_keyboard family of functions. [GL #178]

5024. [func] Replace custom assembly for atomic operations with
      atomic support from the compiler. The code will now use
      C11 stdatomic, or __atomic, or __sync builtins with GCC
      or Clang compilers, and Interlocked functions with MSVC.
      [GL #10]

5023. [cleanup] Remove wrappers that try to fix broken or incomplete
      implementations of IPv6, pthreads and other core
      functionality required and used by BIND. [GL #192]

5022. [doc] Update ms-self, ms-subdomain, krb5-self, and
      krb5-subdomain documentation. [GL !708]

5021. [bug] dig returned a non-zero exit code when it received a
      reply over TCP after a retry. [GL #487]

5020. [func] RNG uses thread-local storage instead of locks, if
      supported by platform. [GL #496]

5019. [cleanup] A message is now logged when ixfr-from-differences is
      set at zone level for an inline-signed zone. [GL #470]

5018. [bug] Fix incorrect sizeof arguments in lib/isc/pk11.c.
      [GL !588]

5017. [bug] lib/isc/pk11.c failed to unlink the session before
      releasing the lock, which is unsafe. [GL !589]

5016. [bug] Named could assert with overlapping filter-aaaa and
      dns64 acls. [GL #445]

5015. [bug] Reloading all zones caused zone maintenance to cease
      for inline-signed zones. [GL #435]

5014. [bug] Signatures loaded from the journal for the signed
      version of an inline-signed zone were not scheduled for
      refresh. [GL #482]

5013. [bug] A referral response with a non-empty ANSWER section was
      inadvertently being treated as an error. [GL #390]

5012. [bug] Fix lock order reversal in pk11_initialize. [GL !590]

5011. [func] Remove support for unthreaded named. [GL #478]

5010. [func] New "validate-except" option specifies a list of
      domains beneath which DNSSEC validation should not
      be performed. [GL #237]

5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL
      error queue was not logged. [GL #476]

5008. [bug] "rndc signing -nsec3param ..." requests were silently
      ignored for zones which were not yet loaded or
      transferred. [GL #468]

5007. [cleanup] Replace custom ISC boolean and integer data types
      with C99 stdint.h and stdbool.h types. [GL #9]

5006. [cleanup] Code preparing a delegation response was extracted from
      query_delegation() and query_zone_delegation() into a
      separate function in order to decrease code
      duplication. [GL #431]

5005. [bug] dnssec-verify, and dnssec-signzone at the verification
      step, failed on some validly signed zones. [GL #442]

5004. [bug] 'rndc reconfig' could cause inline zones to stop
      re-signing. [GL #439]

5003. [bug] dns_acl_isinsecure did not handle geoip elements.
      [GL #406]

5002. [bug] mdig: Handle malformed +ednsopt option, support 100
      +ednsopt options per query rather than 100 total and
      address memory leaks if +ednsopt was specified.
      [GL #410]

5001. [bug] Fix refcount errors on error paths. [GL !563]

5000. [bug] named_server_servestale() could leave the server in
      exclusive mode if an error occurred. [GL #441]

4999. [cleanup] Remove custom printf implementation in lib/isc/print.c.
      [GL #261]

4998. [test] Make resolver and cacheclean tests more civilized.

4997. [security] named could crash during recursive processing
      of DNAME records when "deny-answer-aliases" was
      in use. (CVE-2018-5740) [GL #387]

4996. [bug] dig: Handle malformed +ednsopt option. [GL #403]

4995. [test] Add tests for "tcp-self" update policy. [GL !282]

4994. [bug] Trust anchor telemetry queries were not being sent
      upstream for locally served zones. [GL #392]

4993. [cleanup] Remove support for silently ignoring 'no-change' deltas
      from BIND 8 when processing an IXFR stream. 'no-change'
      deltas will now trigger a fallback to AXFR as the
      recovery mechanism. [GL #369]

4992. [bug] The wrong address was being logged for trust anchor
      telemetry queries. [GL #379]

4991. [bug] "rndc reconfig" was incorrectly handling zones whose
      "mirror" setting was changed. [GL #381]

4990. [bug] Prevent a possible NULL reference in pkcs11-keygen.
      [GL #401]

4989. [cleanup] IDN support in dig has been reworked. IDNA2003
      fallbacks were removed in the process. [GL #384]

4988. [bug] Don't synthesize NXDOMAIN from NSEC for records under
      a DNAME.

      --- 9.13.2 released ---

4987. [cleanup] dns_rdataslab_tordataset() and its related
      dns_rdatasetmethods_t callbacks were removed as they
      were not being used by anything in BIND. [GL #371]

4986. [func] When built on Linux, BIND now requires the libcap
      library to set process privileges, unless capability
      support is explicitly overridden with "configure
      --disable-linux-caps". [GL #321]

4985. [func] Add a new slave zone option, "mirror", to enable
      serving a non-authoritative copy of a zone that
      is subject to DNSSEC validation before being
      used. For now, this option is only meant to
      facilitate deployment of an RFC 7706-style local
      copy of the root zone. [GL #33]

4984. [bug] Improve handling of very large incremental
      zone transfers to prevent journal corruption. [GL #339]

4983. [func] Add the ability to not return a DNS COOKIE option
      when one is present in the request (answer-cookie no;).
      [GL #173]

4982. [cleanup] Return FORMERR if the question section is empty
      and no COOKIE option is present; this restores
      older behavior except in the newly specified
      COOKIE case. [GL #260]

4981. [bug] Fix race in cmsg buffer usage in socket code.
      [GL #180]

4980. [bug] Named-checkconf failed to detect bad in-view targets.
      [GL #288]

4979. [placeholder]

4978. [test] Fix error handling and resolver configuration in the
      "rpz" system test. [GL #312]

4977. [func] When starting up, log the same details that
      would be reported by 'named -V'. [GL #247]

4976. [bug] Log the label with invalid prefix length correctly
      when loading RPZ zones. [GL #254]

4975. [bug] The server cookie computation for sha1 and sha256 did
      not match the method described in RFC 7873. [GL #356]

4974. [bug] Restore default rrset-order to random. [GL #336]

4973. [func] verifyzone() and the functions it uses were moved to
      libdns and refactored to prevent exit() from being
      called upon failure. A side effect of that is that
      dnssec-signzone and dnssec-verify now check for memory
      leaks upon shutdown. [GL #266]

4972. [func] Declare the 'rdata' argument for dns_rdata_tostruct()
      to be const. [GL #341]

4971. [bug] dnssec-signzone and dnssec-verify did not treat records
      below a DNAME as out-of-zone data. [GL #298]

4970. [func] Add QNAME minimization option to resolver. [GL #16]

4969. [cleanup] Refactor zone logging functions. [GL #269]

      --- 9.13.1 released ---

4968. [bug] If glue records are signed, attempt to validate them.
      [GL #209]

4967. [cleanup] Add "answer-cookie" to the parser, marked obsolete.

4966. [placeholder]

4965. [func] Add support for marking options as deprecated.
      [GL #322]

4964. [bug] Reduce the probability of double signature when deleting
      a DNSKEY by checking if the node is otherwise signed
      by the algorithm of the key to be deleted. [GL #240]

4963. [test] ifconfig.sh now uses "ip" instead of "ifconfig",
      if available, to configure the test interfaces on
      Linux. [GL #302]

4962. [cleanup] Move 'named -T' processing to its own function.
      [GL #316]

4961. [protocol] Remove support for ECC-GOST (GOST R 34.11-94).
      [GL #295]

4960. [security] When recursion is enabled, but the "allow-recursion"
      and "allow-query-cache" ACLs are not specified,
      they should be limited to local networks,
      but were inadvertently set to match the default
      "allow-query", thus allowing remote queries.
      (CVE-2018-5738) [GL #309]

4959. [func] NSID logging (enabled by the "request-nsid" option)
      now has its own "nsid" category, instead of using the
      "resolver" category. [GL !332]

4958. [bug] Remove redundant space from NSEC3 record. [GL #281]

4957. [func] The default setting for "dnssec-validation" is now
      "auto", which activates DNSSEC validation using the
      IANA root key. (The default can be changed back to
      "yes", which activates DNSSEC validation only when keys
      are explicitly configured in named.conf, by building
      BIND with "configure --disable-auto-validation".)
      [GL #30]

4956. [func] Change isc_random() to be just PRNG using xoshiro128**,
      and add isc_nonce_buf() that uses CSPRNG. [GL #289]

4955. [cleanup] Silence cppcheck warnings in lib/dns/master.c.
      [GL #286]

4954. [func] Messages about serving of stale answers are now
      directed to the "serve-stale" logging category.
      Also clarified serve-stale documentation. [GL !323]

4953. [bug] Removed the option to build the red black tree
      database without a hash table; the non-hashing
      version was buggy and is not needed. [GL #184]

4952. [func] Authoritative server support in named for the
      EDNS CLIENT-SUBNET option (which was experimental
      and not practical to deploy) has been removed.

      The ECS option is still supported in dig and mdig
      via the +subnet option, and can be parsed and logged
      when received by named, but it is no longer used
      for ACL processing. The "geoip-use-ecs" option
      is now obsolete; a warning will be logged if it is
      used in named.conf. "ecs" tags in an ACL definition
      are also obsolete and will cause the configuration
      to fail to load. [GL #32]

4951. [protocol] Add "HOME.ARPA" to list of built in empty zones as
      per RFC 8375. [GL #273]

      --- 9.13.0 released ---

4950. [bug] ISC_SOCKEVENTATTR_TRUNC was not being set. [GL #238]

4949. [placeholder]

4948. [bug] When request-nsid is turned on, EDNS NSID options
      should be logged at level info. Since change 3741
      they have been logged at debug(3) by mistake.
      [GL !290]

4947. [func] Replace all random functions with isc_random(),
      isc_random_buf() and isc_random_uniform() API.
      [GL #221]

4946. [bug] Additional glue was not being returned by resolver
      for unsigned zones since change 4596. [GL #209]

4945. [func] BIND can no longer be built without DNSSEC support.
      A cryptography provider (i.e., OpenSSL or a hardware
      service module with PKCS#11 support) must be
      available. [GL #244]

4944. [cleanup] Silence cppcheck portability warnings in
      lib/isc/tests/buffer_test.c. [GL #239]

4943. [bug] Change 4687 consumed too much memory when running
      system tests with --with-tuning=large. Reduced the
      hash table size to 512 entries for 'named -m record'
      restoring the previous memory footprint. [GL #248]

4942. [cleanup] Consolidate multiple instances of splitting of
      batchline in dig into a single function. [GL #196]

4941. [cleanup] Silence clang static analyzer warnings. [GL #196]

4940. [cleanup] Extract the loop in dns__zone_updatesigs() into
      separate functions to improve code readability.
      [GL #135]

4939. [test] Add basic unit tests for update_sigs(). [GL #135]

4938. [placeholder]

4937. [func] Remove support for OpenSSL < 1.0.0 [GL #191]

4936. [func] Always use OpenSSL or PKCS#11 random data providers,
      and remove the --{enable,disable}-crypto-rand configure
      options. [GL #165]

4935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
      calls were added). [GL #191]

4934. [security] The serve-stale feature could cause an assertion failure
      in rbtdb.c even when stale-answer-enable was false.
      Simultaneous use of stale cache records and NSEC
      aggressive negative caching could trigger a recursion
      loop. (CVE-2018-5737) [GL #185]

4933. [bug] Not creating signing keys for an inline signed zone
      prevented changes applied to the raw zone from being
      reflected in the secure zone until signing keys were
      made available. [GL #159]

4932. [bug] Bumped signed serial of an inline signed zone was
      logged even when an error occurred while updating
      signatures. [GL #159]

4931. [func] Removed the "rbtdb64" database implementation.
      [GL #217]

4930. [bug] Remove a bogus check in nslookup command line
      argument processing. [GL #206]

4929. [func] Add the ability to set RA and TC in queries made by
      dig (+[no]raflag, +[no]tcflag). [GL #213]

4928. [func] The "dnskey-sig-validity" option allows
      "sig-validity-interval" to be overridden for signatures
      covering DNSKEY RRsets. [GL #145]

4927. [placeholder]

4926. [func] Add root key sentinel support. To disable, add
      'root-key-sentinel no;' to named.conf. [GL #37]

4925. [func] Several configuration options that define intervals
      can now take TTL value suffixes (for example, 2h or 1d)
      in addition to integer parameters. These include
      max-cache-ttl, max-ncache-ttl, max-policy-ttl,
      fstrm-set-reopen-interval, interface-interval, and
      min-update-interval. [GL #203]

4924. [cleanup] Clean up the isc_string_* namespace and leave
      only strlcpy and strlcat. [GL #178]

4923. [cleanup] Refactor socket and socket event options into
      enum types. [GL !135]

4922. [bug] dnstap: Log the destination address of client
      packets rather than the interface address.
      [GL #197]

4921. [cleanup] Add dns_fixedname_initname() and refactor the caller
      code to make use of the new function; as a part of the
      refactoring, dns_fixedname_*() macros were turned into
      functions. [GL #183]

4920. [cleanup] Clean up libdns removing most of the backwards
      compatibility wrappers.

4919. [cleanup] Clean up the isc_hash_* namespace and leave only
      the FNV-1a hash implementation. [GL #178]

4918. [bug] Fix double free after keygen error in dnssec-keygen
      when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
      fails. [GL #109]

4917. [func] Support 64 RPZ policy zones by default. [GL #123]

4916. [func] Remove IDNA2003 support and the bundled idnkit-1.0
      library.

4915. [func] Implement IDNA2008 support in dig by adding support
      for libidn2. New dig option +idnin has been added,
      which allows processing of invalid domain names much
      like dig without IDN support. libidn2 version 2.0
      or higher is needed for +idnout enabled by default.

4914. [security] A bug in zone database reference counting could lead to
      a crash when multiple versions of a slave zone were
      transferred from a master in close succession.
      (CVE-2018-5736) [GL #134]

4913. [test] Re-implemented older unit tests in bin/tests as ATF,
      removed the lib/tests unit testing library. [GL #115]

4912. [test] Improved the reliability of the 'cds' system test.
      [GL #136]

4911. [test] Improved the reliability of the 'mkeys' system test.
      [GL #128]

4910. [func] Update util/check-changes to work on release branches.
      [GL #113]

4909. [bug] named-checkconf did not detect in-view zone collisions.
      [GL #125]

4908. [test] Eliminated unnecessary waiting in the allow_query
      system test. Also changed its name to allow-query.
      [GL #81]

4907. [test] Improved the reliability of the 'notify' system
      test. [GL #59]

4906. [func] Replace getquad() with inet_pton(), completing
      change #4900. [GL #56]

4905. [bug] irs_resconf_load() ignored resolv.conf syntax errors
      when "domain" or "search" options were present in that
      file. [GL #110]

4904. [bug] Temporarily revert change #4859. [GL #124]

4903. [bug] "check-mx fail;" did not prevent MX records containing
      IP addresses from being added to a zone by a dynamic
      update. [GL #112]

4902. [test] Improved the reliability of the 'ixfr' system
      test. [GL #66]

4901. [func] "dig +nssearch" now lists the name servers
      for a domain that time out, as well as the servers
      that respond. [GL #64]

4900. [func] Remove all uses of inet_aton(). As a result of this
      change, IPv4 addresses are now only accepted in
      dotted-quad format. [GL #13]

4899. [test] Convert most of the remaining system tests to be able
      to run in parallel, continuing the work from change
      #4895. To take advantage of this, use "make -jN check",
      where N is the number of processors to use. [GL #91]

4898. [func] Remove libseccomp based system-call filtering. [GL #93]

4897. [test] Update to rpz system test so that it doesn't recurse.
      [GL #68]

4896. [test] cacheclean system test was not robust. [GL #82]

4895. [test] Allow some system tests to run in parallel.
      [RT #46602]

4894. [bug] named could crash while rolling a dnstap output file.
      [RT #46942]

4893. [bug] Address various issues reported by cppcheck. [GL #51]

4892. [bug] named could leak memory when "rndc reload" was invoked
      before all zone loading actions triggered by a previous
      "rndc reload" command were completed. [RT #47076]

4891. [placeholder]

4890. [func] Remove unused ondestroy callback from libisc.
      [isc-projects/bind9!3]

4889. [func] Warn about the use of old root keys without the new
      root key being present. Warn about dlv.isc.org's
      key being present. Warn about both managed and
      trusted root keys being present. [RT #43670]

4888. [test] Initialize sockets correctly in sample-update so
      that the nsupdate system test will run on Windows.
      [RT #47097]

4887. [test] Enable the rpzrecurse test to run on Windows.
      [RT #47093]

4886. [doc] Document dig -u in manpage. [RT #47150]

4885. [security] update-policy rules that otherwise ignore the name
      field now require that it be set to "." to ensure
      that any type list present is properly interpreted.
      [RT #47126]

4884. [bug] named could crash on shutdown due to a race between
      shutdown_server() and ns__client_request(). [RT #47120]

4883. [cleanup] Improved debugging output from dnssec-cds. [RT #47026]

4882. [bug] Address potential memory leak in
      dns_update_signaturesinc. [RT #47084]

4881. [bug] Only include dst_openssl.h when OpenSSL is required.
      [RT #47068]

4880. [bug] Named wasn't returning the target of a cross-zone
      CNAME between two served zones when recursion was
      desired and available (RD=1, RA=1). (When this is
      not the case, the CNAME target is deliberately
      withheld to prevent accidental cache poisoning.)
      [RT #47078]

4879. [bug] dns_rdata_caa:value_len field was too small.
      [RT #47086]

4878. [bug] List 'ply' as a requirement for the 'isc' python
      package. [RT #47065]

4877. [bug] Address integer overflow when exponentially
      backing off retry intervals. [RT #47041]

4876. [bug] Address deadlock with accessing a keytable. [RT #47000]

4875. [bug] Address compile failures on older systems. [RT #47015]

4874. [bug] Wrong time display when reporting new keywarntime.
      [RT #47042]

4873. [doc] Grammars for named.conf included in the ARM are now
      automatically generated by the configuration parser
      itself. As a side effect of the work needed to
      separate zone type grammars from each other, this
      also makes checking of zone statements in
      named-checkconf more correct and consistent.
      [RT #36957]

4872. [bug] Don't permit loading meta RR types such as TKEY
      from master files. [RT #47009]

4871. [bug] Fix configure glitch in detecting stdatomic.h
      support on systems with multiple compilers.
      [RT #46959]

4870. [test] Update included ATF library to atf-0.21 preserving
      the ATF tool. [RT #46967]

4869. [bug] Address some cases where NULL with zero length could
      be passed to memmove which is undefined behavior and
      can lead to bad optimization. [RT #46888]

4868. [func] dnssec-keygen can no longer generate HMAC keys.
      Use tsig-keygen instead. [RT #46404]

4867. [cleanup] Normalize rndc on/off commands (validation,
      querylog, serve-stale) so they all accept the
      same synonyms for on/off (yes/no, true/false,
      enable/disable). Thanks to Tony Finch. [RT #47022]

4866. [port] DST library initialization verifies MD5 (when MD5
      was not disabled) and SHA-1 hash and HMAC support.
      [RT #46764]

4865. [cleanup] Simplify handling isc_socket_sendto2() return values.
      [RT #46986]

4864. [bug] named acting as a slave for a catalog zone crashed if
      the latter contained a master definition without an IP
      address. [RT #45999]

4863. [bug] Fix various other bugs reported by Valgrind's
      memcheck tool. [RT #46978]

4862. [bug] The rdata flags for RRSIG were not being properly set
      when constructing a rdataslab. [RT #46978]

4861. [bug] The isc_crc64 unit test was not endian independent.
      [RT #46973]

4860. [bug] isc_int8_t should be signed char. [RT #46973]

4859. [bug] A loop was possible when attempting to validate
      unsigned CNAME responses from secure zones;
      this caused a delay in returning SERVFAIL and
      also increased the chances of encountering
      CVE-2017-3145. [RT #46839]

4858. [security] Addresses could be referenced after being freed
      in resolver.c, causing an assertion failure.
      (CVE-2017-3145) [RT #46839]

4857. [bug] Maintain attach/detach semantics for event->db,
      event->node, event->rdataset and event->sigrdataset
      in query.c. [RT #46891]

4856. [bug] 'rndc zonestatus' reported the wrong underlying type
      for an inline slave zone. [RT #46875]

4855. [bug] isc_time_formatshorttimestamp produced incorrect
      output. [RT #46938]

4854. [bug] query_synthcnamewildcard should stop generating the
      response if query_synthwildcard fails. [RT #46939]

4853. [bug] Add REQUIRE's and INSIST's to isc_time_formatISO8601L
      and isc_time_formatISO8601Lms. [RT #46916]

4852. [bug] Handle strftime() failing in isc_time_formatISO8601ms.
      Add REQUIRE's and INSIST's to isc_time_formattimestamp,
      isc_time_formathttptimestamp, isc_time_formatISO8601,
      isc_time_formatISO8601ms. [RT #46892]

4851. [port] Support using kyua as well as atf-run to run the unit
      tests. [RT #46853]

4850. [bug] Named failed to restart with multiple added zones in
      lmdb database. [RT #46889]

4849. [bug] Duplicate zones could appear in the .nzf file if
      addzone failed. [RT #46435]

4848. [func] Zone types "primary" and "secondary" can now be used
      as synonyms for "master" and "slave" in named.conf.
      [RT #46713]

4847. [bug] dnssec-dnskey-kskonly was not being honored for
      CDS and CDNSKEY. [RT #46755]

4846. [test] Adjust timing values in runtime system test. Address
      named.pid removal races in runtime system test.
      [RT #46800]

4845. [bug] Dig (non iOS) should exit on malformed names.
      [RT #46806]

4844. [test] Address memory leaks in libatf-c. [RT #46798]

4843. [bug] dnssec-signzone free hashlist on exit. [RT #46791]

4842. [bug] Conditionally compile opensslecdsa_link.c to avoid
      warnings about unused function. [RT #46790]

      --- 9.12.0rc1 released ---

4841. [bug] Address -fsanitize=undefined warnings. [RT #46786]

4840. [test] Add tests to cover fallback to using ZSK on inactive
      KSK. [RT #46787]

4839. [bug] zone.c:zone_sign was not properly determining
      if there were active KSK and ZSK keys for
      an algorithm when update-check-ksk is true
      (default) leaving records unsigned with one or
      more DNSKEY algorithms. [RT #46774]

4838. [bug] zone.c:add_sigs was not properly determining
      if there were active KSK and ZSK keys for
      an algorithm when update-check-ksk is true
      (default) leaving records unsigned with one or
      more DNSKEY algorithms. [RT #46754]

4837. [bug] dns_update_signatures{inc} (add_sigs) was not
      properly determining if there were active KSK and
      ZSK keys for an algorithm when update-check-ksk is
      true (default) leaving records unsigned when there
      were multiple DNSKEY algorithms for the zone.
      [RT #46743]

4836. [bug] Zones created using "rndc addzone" could
      temporarily fail to inherit an "allow-transfer"
      ACL that had been configured in the options
      statement. [RT #46603]

4835. [cleanup] Clean up and refactor LMDB-related code. [RT #46718]

4834. [port] Fix LMDB support on OpenBSD. [RT #46718]

4833. [bug] isc_event_free should check that the event is not
      linked when called. [RT #46725]

4832. [bug] Events were not being removed from zone->rss_events.
      [RT #46725]

4831. [bug] Convert the RRSIG expirytime to 64 bits for
      comparisons in diff.c:resign. [RT #46710]

4830. [bug] Failure to configure ATF when requested did not cause
      an error in top-level configure script. [RT #46655]

4829. [bug] isc_heap_delete did not zero the index value when
      the heap was created with a callback to do that.
      [RT #46709]

4828. [bug] Do not use thread-local storage for storing LMDB reader
      locktable slots. [RT #46556]

4827. [misc] Add a precommit check script util/checklibs.sh
      [RT #46215]

4826. [cleanup] Prevent potential build failures in bin/confgen/ and
      bin/named/ when using parallel make. [RT #46648]

4825. [bug] Prevent a bogus "error during managed-keys processing
      (no more)" warning from being logged. [RT #46645]

4824. [port] Add iOS hooks to dig. [RT #42011]

4823. [test] Refactor reclimit system test to improve its
      reliability and speed. [RT #46632]

4822. [bug] Use resign_sooner in dns_db_setsigningtime. [RT #46473]

4821. [bug] When resigning ensure that the SOA's expire time is
      always later than the resigning time of other records.
      [RT #46473]

4820. [bug] dns_db_subtractrdataset should transfer the resigning
      information to the new header. [RT #46473]

4819. [bug] Fully backout the transaction when adding a RRset
      to the resigning / removal heaps fails. [RT #46473]

4818. [test] The logfileconfig system test could intermittently
      report false negatives on some platforms. [RT #46615]

4817. [cleanup] Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
      [RT #45433]

4816. [bug] Don't use a common array for storing EDNS options
      in DiG as it could fill up. [RT #45611]

4815. [bug] rbt_test.c:insert_and_delete needed to call
      dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]

4814. [cleanup] Use AS_HELP_STRING for consistent help text. [RT #46521]

4813. [bug] Address potential read after free errors from
      query_synthnodata, query_synthwildcard and
      query_synthnxdomain. [RT #46547]

4812. [bug] Minor improvements to stability and consistency of code
      handling managed keys. [RT #46468]

4811. [bug] Revert api changes to use <isc/buffer.h> inline
      macros. Provide an alternative mechanism to turn
      on the use of inline macros when building BIND.
      [RT #46520]

4810. [test] The chain system test failed if the IPv6 interfaces
      were not configured. [RT #46508]

      --- 9.12.0b2 released ---

4809. [port] Check at configure time whether -latomic is needed
      for stdatomic.h. [RT #46324]

4808. [bug] Properly test for zlib.h. [RT #46504]

4807. [cleanup] isc_rng_randombytes() returns a specified number of
      bytes from the PRNG; this is now used instead of
      calling isc_rng_random() multiple times. [RT #46230]

4806. [func] Log messages related to loading of zones are now
      directed to the "zoneload" logging category.
      [RT #41640]

4805. [bug] TCP4Active and TCP6Active weren't being updated
      correctly. [RT #46454]

4804. [port] win32: access() does not work on directories as
      required by POSIX. Supply an alternative in
      isc_file_isdirwritable. [RT #46394]

4803. [placeholder]

4802. [test] Refactor mkeys system test to make it quicker and more
      reliable. [RT #45293]

4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
      trust-anchor dlv.isc.org;' now elicit warnings rather
      than being fatal configuration errors. [RT #46410]

4800. [bug] When processing delzone, write one zone config per
      line to the NZF. [RT #46323]

4799. [cleanup] Improve clarity of keytable unit tests. [RT #46407]

4798. [func] Keys specified in "managed-keys" statements
      are tagged as "initializing" until they have been
      updated by a key refresh query. If initialization
      fails it will be visible from "rndc secroots".
      [RT #46267]

4797. [func] Removed "isc-hmac-fixup", as the versions of BIND that
      had the bug it worked around are long past end of
      life. [RT #46411]

4796. [bug] Increase the maximum configurable TCP keepalive
      timeout to 65535. [RT #44710]

4795. [func] A new statistics counter has been added to track
      priming queries. [RT #46313]

4794. [func] "dnssec-checkds -s" specifies a file from which
      to read a DS set rather than querying the parent.
      [RT #44667]

4793. [bug] nsupdate -[46] could overflow the array of server
      addresses. [RT #46402]

4792. [bug] Fix map file header correctness check. [RT #38418]

4791. [doc] Fixed outdated documentation about export libraries.
      [RT #46341]

4790. [bug] nsupdate could trigger a require when sending an
      update to the second address of the server.
      [RT #45731]

4789. [cleanup] Check writability of new-zones-directory. [RT #46308]

4788. [cleanup] When using "update-policy local", log a warning
      when an update matching the session key is received
      from a remote host. [RT #46213]

4787. [cleanup] Turn nsec3param_salt_totext() into a public function,
      dns_nsec3param_salttotext(), and add unit tests for it.
      [RT #46289]

4786. [func] The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
      options are no longer conditionally compiled.
      [RT #46340]

4785. [func] The hmac-md5 algorithm is no longer recommended for
      use with RNDC keys. The default in rndc-confgen
      is now hmac-sha256. [RT #42272]

4784. [func] The use of dnssec-keygen to generate HMAC keys is
      deprecated in favor of tsig-keygen. dnssec-keygen
      will print a warning when used for this purpose.
      All HMAC algorithms will be removed from
      dnssec-keygen in a future release. [RT #42272]

4783. [test] dnssec: 'check that NOTIFY is sent at the end of
      NSEC3 chain generation failed' required more time
      on some machines for the IXFR to complete. [RT #46388]

4782. [test] dnssec: 'checking positive and negative validation
      with negative trust anchors' required more time to
      complete on some machines. [RT #46386]

4781. [maint] B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]

4780. [bug] When answering ANY queries, don't include the NS
      RRset in the authority section if it was already
      in the answer section. [RT #44543]

4779. [bug] Expire NTA at the start of the second. Don't update
      the expiry value if the record has already expired
      after a successful check. [RT #46368]

4778. [test] Improve synth-from-dnssec testing. [RT #46352]

4777. [cleanup] Removed a redundant call to configure_view_acl().
      [RT #46369]

4776. [bug] Improve portability of ht_test. [RT #46333]

4775. [bug] Address Coverity warnings in ht_test.c and mem_test.c
      [RT #46281]

4774. [bug] <isc/util.h> was incorrectly included in several
      header files. [RT #46311]

4773. [doc] Fixed generating Doxygen documentation for functions
      annotated using certain macros. Miscellaneous
      Doxygen-related cleanups. [RT #46276]

      --- 9.12.0b1 released ---

4772. [test] Expanded unit testing framework for libns, using
      hooks to interrupt query flow and inspect state
      at specified locations. [RT #46173]

4771. [bug] When sending RFC 5011 refresh queries, disregard
      cached DNSKEY rrsets. [RT #46251]

4770. [bug] Cache additional data from priming queries as glue.
      Previously they were ignored as unsigned
      non-answer data from a secure zone, and never
      actually got added to the cache, causing hints
      to be used frequently for root-server
      addresses, which triggered re-priming. [RT #45241]

4769. [func] The working directory and managed-keys directory have
      to be writeable (and seekable). [RT #46077]

4768. [func] By default, memory is no longer filled with tag values
      when it is allocated or freed; this improves
      performance but makes debugging of certain memory
      issues more difficult. "named -M fill" turns memory
      filling back on. (Building with "configure
      --enable-developer" turns memory fill on by
      default again; it can then be disabled with
      "named -M nofill".) [RT #45123]

4767. [func] Add a new function, isc_buffer_printf(), which can be
      used to append a formatted string to the used region of
      a buffer. [RT #46201]

4766. [cleanup] Address Coverity warnings. [RT #46150]

4765. [bug] Address potential INSIST in dnssec-cds. [RT #46150]

4764. [bug] Address portability issues in cds system test.
      [RT #46214]

4763. [contrib] Improve compatibility when building MySQL DLZ
      module by using mysql_config if available.
      [RT #45558]

4762. [func] "update-policy local" is now restricted to updates
      from local addresses. (Previously, other addresses
      were allowed so long as updates were signed by the
      local session key.) [RT #45492]

4761. [protocol] Add support for DOA. [RT #45612]

4760. [func] Add glue cache statistics counters. [RT #46028]

4759. [func] Add logging channel "trust-anchor-telemetry" to
      record trust-anchor-telemetry in incoming requests.
      Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
      are logged. [RT #46124]

4758. [doc] Remove documentation of unimplemented "topology".
      [RT #46161]

4757. [func] New "dnssec-cds" command creates a new parent DS
      RRset based on CDS or CDNSKEY RRsets found in
      a child zone, and generates either a dsset file
      or stream of nsupdate commands to update the
      parent. Thanks to Tony Finch. [RT #46090]

4756. [bug] Interrupting dig could lead to an INSIST failure after
      certain errors were encountered while querying a host
      whose name resolved to more than one address. Change
      4537 increased the odds of triggering this issue by
      causing dig to hang indefinitely when certain error
      paths were evaluated. dig now also retries TCP queries
      (once) if the server gracefully closes the connection
      before sending a response. [RT #42832, #45159]

4755. [cleanup] Silence unnecessary log message when NZF file doesn't
      exist. [RT #46186]

4754. [bug] dns_zone_setview needs a two stage commit to properly
      handle errors. [RT #45841]

4753. [contrib] Software obtainable from known upstream locations
      (i.e., zkt, nslint, query-loc) has been removed.
3469 Links to these and other packages can be found at 3470 https://www.isc.org/community/tools [RT #46182] 3471 34724752. [test] Add unit test for isc_net_pton. [RT #46171] 3473 34744751. [func] "dnssec-signzone -S" can now automatically add parent 3475 synchronization records (CDS and CDNSKEY) according 3476 to key metadata set using the -Psync and -Dsync 3477 options to dnssec-keygen and dnssec-settime. 3478 [RT #46149] 3479 34804750. [func] "rndc managed-keys destroy" shuts down RFC 5011 key 3481 maintenance and deletes the managed-keys database. 3482 If followed by "rndc reconfig" or a server restart, 3483 key maintenance is reinitialized from scratch. 3484 This is primarily intended for testing. [RT #32456] 3485 34864749. [func] The ISC DLV service has been shut down, and all 3487 DLV records have been removed from dlv.isc.org. 3488 - Removed references to ISC DLV in documentation 3489 - Removed DLV key from bind.keys 3490 - No longer use ISC DLV by default in delv 3491 - "dnssec-lookaside auto" and configuration of 3492 "dnssec-lookaide" with dlv.isc.org as the trust 3493 anchor are both now fatal errors. 3494 [RT #46155] 3495 34964748. [cleanup] Sprintf to snprintf coversions. [RT #46132] 3497 34984747. [func] Synthesis of responses from DNSSEC-verified records. 3499 Stage 3 - synthesize NODATA responses. [RT #40138] 3500 35014746. [cleanup] Add configured prefixes to configure summary 3502 output. [RT #46153] 3503 35044745. [test] Add color-coded pass/fail messages to system 3505 tests when running on terminals that support them. 3506 [RT #45977] 3507 35084744. [bug] Suppress trust-anchor-telemetry queries if 3509 validation is disabled. [RT #46131] 3510 35114743. [func] Exclude trust-anchor-telemetry queries from 3512 synth-from-dnssec processing. [RT #46123] 3513 35144742. [func] Synthesis of responses from DNSSEC-verified records. 3515 Stage 2 - synthesis of records from wildcard data. 
3516 If the dns64 or filter-aaaa* is configured then the 3517 involved lookups are currently excluded. [RT #40138] 3518 35194741. [bug] Make isc_refcount_current() atomically read the 3520 counter value. [RT #46074] 3521 35224740. [cleanup] Avoid triggering format-truncated warnings. [RT #46107] 3523 35244739. [cleanup] Address clang static analysis warnings. [RT #45952] 3525 35264738. [port] win32: strftime mishandles %Z. [RT #46039] 3527 35284737. [cleanup] Address Coverity warnings. [RT #46012] 3529 35304736. [cleanup] (a) Added comments to NSEC3-related functions in 3531 lib/dns/zone.c. (b) Refactored NSEC3 salt formatting 3532 code. (c) Minor tweaks to lock and result handling. 3533 [RT #46053] 3534 35354735. [bug] Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078] 3536 35374734. [contrib] Added sample configuration for DNS-over-TLS in 3538 contrib/dnspriv. 3539 35404733. [bug] Change #4706 introduced a bug causing TCP clients 3541 not be reused correctly, leading to unconstrained 3542 memory growth. [RT #46029] 3543 35444732. [func] Change default minimal-responses setting to 3545 no-auth-recursive. [RT #46016] 3546 35474731. [bug] Fix use after free when closing an LMDB. [RT #46000] 3548 35494730. [bug] Fix out of bounds access in DHCID totext() method. 3550 [RT #46001] 3551 35524729. [bug] Don't use memset() to wipe memory, as it may be 3553 removed by compiler optimizations when the 3554 memset() occurs on automatic stack allocation 3555 just before function return. [RT #45947] 3556 35574728. [func] Use C11's stdatomic.h instead of isc_atomic 3558 where available. [RT #40668] 3559 35604727. [bug] Retransferring an inline-signed slave using NSEC3 3561 around the time its NSEC3 salt was changed could result 3562 in an infinite signing loop. [RT #45080] 3563 35644726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN 3565 from being logged on FreeBSD if the kernel does not 3566 support it. 
Notify the user when the kernel does 3567 support TCP_FASTOPEN, but it is disabled by sysctl. 3568 Add a new configure option, --disable-tcp-fastopen, to 3569 disable use of TCP_FASTOPEN altogether. [RT #44754] 3570 35714725. [bug] Nsupdate: "recvsoa" was incorrectly reported for 3572 failures in sending the update message. The correct 3573 location to be reported is "update_completed". 3574 [RT #46014] 3575 35764724. [func] By default, BIND now uses the random number 3577 functions provided by the crypto library (i.e., 3578 OpenSSL or a PKCS#11 provider) as a source of 3579 randomness rather than /dev/random. This is 3580 suitable for virtual machine environments 3581 which have limited entropy pools and lack 3582 hardware random number generators. 3583 3584 This can be overridden by specifying another 3585 entropy source via the "random-device" option 3586 in named.conf, or via the -r command line option; 3587 however, for functions requiring full cryptographic 3588 strength, such as DNSSEC key generation, this 3589 cannot be overridden. In particular, the -r 3590 command line option no longer has any effect on 3591 dnssec-keygen. 3592 3593 This can be disabled by building with 3594 "configure --disable-crypto-rand". 3595 [RT #31459] [RT #46047] 3596 35974723. [bug] Statistics counter DNSTAPdropped was misidentified 3598 as DNSSECdropped. [RT #46002] 3599 36004722. [cleanup] Clean up uses of strcpy() and strcat() in favor of 3601 strlcpy() and strlcat() for safety. [RT #45981] 3602 36034721. [func] 'dnssec-signzone -x' and 'dnssec-dnskey-kskonly' 3604 options now apply to CDNSKEY and DS records as well 3605 as DNSKEY. Thanks to Tony Finch. [RT #45689] 3606 36074720. [func] Added a statistics counter to track prefetch 3608 queries. [RT #45847] 3609 36104719. [bug] Address PVS static analyzer warnings. [RT #45946] 3611 36124718. [func] Avoid searching for a owner name compression pointer 3613 more than once when writing out a RRset. [RT #45802] 3614 36154717. 
[bug] Treat replies with QCOUNT=0 as truncated if TC=1, 3616 FORMERR if TC=0, and log the error correctly. 3617 [RT #45836] 3618 36194716. [placeholder] 3620 3621 --- 9.12.0a1 released --- 3622 36234715. [bug] TreeMemMax was mis-identified as a second HeapMemMax 3624 in the Json cache statistics. [RT #45980] 3625 36264714. [port] openbsd/libressl: add support for building with 3627 --enable-openssl-hash. [RT #45982] 3628 36294713. [func] Added support for the DNS Response Policy Service 3630 (DNSRPS) API, which allows named to use an external 3631 response policy daemon when built with 3632 "configure --enable-dnsrps". Thanks to Farsight 3633 Security. [RT #43376] 3634 36354712. [bug] "dig +domain" and "dig +search" didn't retain the 3636 search domain when retrying with TCP. [RT #45547] 3637 36384711. [test] Some RR types were missing from genzones.sh. 3639 [RT #45782] 3640 36414710. [cleanup] Changed the --enable-openssl-hash default to yes. 3642 [RT #45019] 3643 36444709. [cleanup] Use dns_name_fullhash() to hash names for RRL. 3645 [RT #45435] 3646 36474708. [cleanup] Legacy Windows builds (i.e. for XP and earlier) 3648 are no longer supported. [RT #45186] 3649 36504707. [func] The lightweight resolver daemon and library (lwresd 3651 and liblwres) have been removed. [RT #45186] 3652 36534706. [func] Code implementing name server query processing has 3654 been moved from bin/named to a new library "libns". 3655 Functions remaining in bin/named are now prefixed 3656 with "named_" rather than "ns_". This will make it 3657 easier to write unit tests for name server code, or 3658 link name server functionality into new tools. 3659 [RT #45186] 3660 36614705. [placeholder] 3662 36634704. [cleanup] Silence Visual Studio compiler warnings. [RT #45898] 3664 36654703. [bug] BINDInstall.exe was missing some buffer length checks. 3666 [RT #45898] 3667 36684702. [func] Update function declarations to use 3669 dns_masterstyle_flags_t for style flags. 
[RT #45924] 3670 36714701. [cleanup] Refactored lib/dns/tsig.c to reduce code 3672 duplication and simplify the disabling of MD5. 3673 [RT #45490] 3674 36754700. [func] Serving of stale answers is now supported. This 3676 allows named to provide stale cached answers when 3677 the authoritative server is under attack. 3678 See max-stale-ttl, stale-answer-enable, 3679 stale-answer-ttl. [RT #44790] 3680 36814699. [func] Multiple cookie-secret clauses can now be specified. 3682 The first one specified is used to generate new 3683 server cookies. [RT #45672] 3684 36854698. [port] Add --with-python-install-dir configure option to allow 3686 specifying a nonstandard installation directory for 3687 Python modules. [RT #45407] 3688 36894697. [bug] Restore workaround for Microsoft Windows TSIG hash 3690 computation bug. [RT #45854] 3691 36924696. [port] Enable filter-aaaa support by default on Windows 3693 builds. [RT #45883] 3694 36954695. [bug] cookie-secrets were not being properly checked by 3696 named-checkconf. [RT #45886] 3697 36984694. [func] dnssec-keygen no longer uses RSASHA1 by default; 3699 the signing algorithm must be specified on 3700 the command line with the "-a" option. Signing 3701 scripts that rely on the existing default behavior 3702 will break; use "dnssec-keygen -a RSASHA1" to 3703 repair them. (The goal of this change is to make 3704 it easier to find scripts using RSASHA1 so they 3705 can be changed in the event of that algorithm 3706 being deprecated in the future.) [RT #44755] 3707 37084693. [func] Synthesis of responses from DNSSEC-verified records. 3709 Stage 1 covers NXDOMAIN synthesis from NSEC records. 3710 This is controlled by synth-from-dnssec and is enabled 3711 by default. [RT #40138] 3712 37134692. [bug] Fix build failures with libressl introduced in 4676. 3714 [RT #45879] 3715 37164691. [func] Add -4/-6 command line options to nsupdate and rndc. 3717 [RT #45632] 3718 37194690. 
[bug] Command line options -4/-6 were handled inconsistently 3720 between tools. [RT #45632] 3721 37224689. [cleanup] Turn on minimal responses for CDNSKEY and CDS in 3723 addition to DNSKEY and DS. Thanks to Tony Finch. 3724 [RT #45690] 3725 37264688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in 3727 messages. [RT #44804] 3728 37294687. [func] Refactor tracklines code. [RT #45126] 3730 37314686. [bug] dnssec-settime -p could print a bogus warning about 3732 key deletion scheduled before its inactivation when a 3733 key had an inactivation date set but no deletion date 3734 set. [RT #45807] 3735 37364685. [bug] dnssec-settime incorrectly calculated publication and 3737 activation dates for a successor key. [RT #45806] 3738 37394684. [bug] delv could send bogus DNS queries when an explicit 3740 server address was specified on the command line along 3741 with -4/-6. [RT #45804] 3742 37434683. [bug] Prevent nsupdate from immediately exiting on invalid 3744 user input in interactive mode. [RT #28194] 3745 37464682. [bug] Don't report errors on records below a DNAME. 3747 [RT #44880] 3748 37494681. [bug] Log messages from the validator now include the 3750 associated view unless the view is "_default/IN" 3751 or "_dnsclient/IN". [RT #45770] 3752 37534680. [bug] Fix failing over to another master server address when 3754 nsupdate is used with GSS-API. [RT #45380] 3755 37564679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record 3757 not at top of zone and -o is not used. [RT #45519] 3758 37594678. [bug] geoip-use-ecs has the wrong type when geoip support 3760 is disabled at configure time. [RT #45763] 3761 37624677. [cleanup] Split up the main function in dig to better support 3763 the iOS app version. [RT #45508] 3764 37654676. [cleanup] Allow BIND to be built using OpenSSL 1.0.X with 3766 deprecated functions removed. [RT #45706] 3767 37684675. [cleanup] Don't use C++ keyword class. [RT #45726] 3769 37704674. 
[func] "dig +sigchase", and related options "+topdown" and 3771 "+trusted-keys", have been removed. Use "delv" for 3772 queries with DNSSEC validation. [RT #42793] 3773 37744673. [port] Silence GCC 7 warnings. [RT #45592] 3775 37764672. [placeholder] 3777 37784671. [bug] Fix a race condition that could cause the 3779 resolver to crash with assertion failure when 3780 chasing DS in specific conditions with a very 3781 short RTT to the upstream nameserver. [RT #45168] 3782 37834670. [cleanup] Ensure that a request MAC is never sent back 3784 in an XFR response unless the signature was 3785 verified. [RT #45494] 3786 37874669. [func] Iterative query logic in resolver.c has been 3788 refactored into smaller functions and commented, 3789 for improved readability, maintainability and 3790 testability. [RT #45362] 3791 37924668. [bug] Use localtime_r and gmtime_r for thread safety. 3793 [RT #45664] 3794 37954667. [cleanup] Refactor RDATA unit tests. [RT #45610] 3796 37974666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9) 3798 could cause a parser error when reading the policy 3799 file. This now works correctly so long as the domain 3800 name is quoted. [RT #45641] 3801 38024665. [protocol] Added support for ED25519 and ED448 DNSSEC signing 3803 algorithms (RFC 8080). (Note: these algorithms 3804 depend on code currently in the development branch 3805 of OpenSSL which has not yet been released.) 3806 [RT #44696] 3807 38084664. [func] Add a "glue-cache" option to enable or disable the 3809 glue cache. The default is "yes". [RT #45125] 3810 38114663. [cleanup] Clarify error message printed by dnssec-dsfromkey. 3812 [RT #21731] 3813 38144662. [performance] Improve cache memory cleanup of zero TTL records 3815 by putting them at the tail of LRU header lists. 3816 [RT #45274] 3817 38184661. [bug] A race condition could occur if a zone was reloaded 3819 while resigning, triggering a crash in 3820 rbtdb.c:closeversion(). [RT #45276] 3821 38224660. 
[bug] Remove spurious "peer" from Windows socket log 3823 messages. [RT #45617] 3824 38254659. [bug] Remove spurious log message about lmdb-mapsize 3826 not being supported when parsing builtin 3827 configuration file. [RT #45618] 3828 38294658. [bug] Clean up build directory created by "setup.py install" 3830 immediately. [RT #45628] 3831 38324657. [bug] rrchecker system test result could be improperly 3833 determined. [RT #45602] 3834 38354656. [bug] Apply "port" and "dscp" values specified in catalog 3836 zone's "default-masters" option to the generated 3837 configuration of its member zones. [RT #45545] 3838 38394655. [bug] Lack of seccomp could be falsely reported. [RT #45599] 3840 38414654. [cleanup] Don't use C++ keywords delete, new and namespace. 3842 [RT #45538] 3843 38444653. [bug] Reorder includes to move @DST_OPENSSL_INC@ and 3845 @ISC_OPENSSL_INC@ after shipped include directories. 3846 [RT #45581] 3847 38484652. [bug] Nsupdate could attempt to use a zeroed address on 3849 server timeout. [RT #45417] 3850 38514651. [test] Silence coverity warnings in tsig_test.c. [RT #45528] 3852 38534650. [placeholder] 3854 38554649. [bug] The wrong zone was logged when a catalog zone is added. 3856 [RT #45520] 3857 38584648. [bug] "rndc reconfig" on a slave no longer causes all member 3859 zones of configured catalog zones to be removed from 3860 configuration. [RT #45310] 3861 38624647. [bug] Change 4643 broke verification of TSIG signed TCP 3863 message sequences where not all the messages contain 3864 TSIG records. These may be used in AXFR and IXFR 3865 responses. [RT #45509] 3866 38674646. [placeholder] 3868 38694645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled. 3870 [RT #45300] 3871 38724644. [placeholder] 3873 38744643. [security] An error in TSIG handling could permit unauthorized 3875 zone transfers or zone updates. (CVE-2017-3142) 3876 (CVE-2017-3143) [RT #45383] 3877 38784642. 
[cleanup] Add more logging of RFC 5011 events affecting the 3879 status of managed keys: newly observed keys, 3880 deletion of revoked keys, etc. [RT #45354] 3881 38824641. [cleanup] Parallel builds (make -j) could fail with --with-atf / 3883 --enable-developer. [RT #45373] 3884 38854640. [bug] If query_findversion failed in query_getdb due to 3886 memory failure the error status was incorrectly 3887 discarded. [RT #45331] 3888 38894639. [bug] Fix a regression in --with-tuning reporting introduced 3890 by change 4488. [RT #45396] 3891 38924638. [bug] Reloading or reconfiguring named could fail on 3893 some platforms when LMDB was in use. [RT #45203] 3894 38954637. [func] "nsec3hash -r" option ("rdata order") takes arguments 3896 in the same order as they appear in NSEC3 or 3897 NSEC3PARAM records, so that NSEC3 parameters can 3898 be cut and pasted from an existing record. Thanks 3899 to Tony Finch for the contribution. [RT #45183] 3900 39014636. [bug] Normalize rpz policy zone names when checking for 3902 existence. [RT #45358] 3903 39044635. [bug] Fix RPZ NSDNAME logging that was logging 3905 failures as NSIP. [RT #45052] 3906 39074634. [contrib] check5011.pl needs to handle optional space before 3908 semi-colon in +multi-line output. [RT #45352] 3909 39104633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET. 3911 39124632. [security] The BIND installer on Windows used an unquoted 3913 service path, which can enable privilege escalation. 3914 (CVE-2017-3141) [RT #45229] 3915 39164631. [security] Some RPZ configurations could go into an infinite 3917 query loop when encountering responses with TTL=0. 3918 (CVE-2017-3140) [RT #45181] 3919 39204630. [bug] "dyndb" is dependent on dlopen existing / being 3921 enabled. [RT #45291] 3922 39234629. [bug] dns_client_startupdate could not be called with a 3924 running client. [RT #45277] 3925 39264628. [bug] Fixed a potential reference leak in query_getdb(). 3927 [RT #45247] 3928 39294627. 
[placeholder] 3930 39314626. [test] Added more tests for handling of different record 3932 ordering in CNAME and DNAME responses. [QA #430] 3933 39344625. [bug] Running "rndc addzone" and "rndc delzone" at close 3935 to the same time could trigger a deadlock if using 3936 LMDB. [RT #45209] 3937 39384624. [placeholder] 3939 39404623. [bug] Use --with-protobuf-c and --with-libfstrm to find 3941 protoc-c and fstrm_capture. [RT #45187] 3942 39434622. [bug] Remove unnecessary escaping of semicolon in CAA and 3944 URI records. [RT #45216] 3945 39464621. [port] Force alignment of oid arrays to silence loader 3947 warnings. [RT #45131] 3948 39494620. [port] Handle EPFNOSUPPORT being returned when probing 3950 to see if a socket type is supported. [RT #45214] 3951 39524619. [bug] Call isc_mem_put instead of isc_mem_free in 3953 bin/named/server.c:setup_newzones. [RT #45202] 3954 39554618. [bug] Check isc_mem_strdup results in dns_view_setnewzones. 3956 Add logging for lmdb call failures. [RT #45204] 3957 39584617. [test] Update rndc system test to be more delay tolerant. 3959 [RT #45177] 3960 39614616. [bug] When using LMDB, zones deleted using "rndc delzone" 3962 were not correctly removed from the new-zone 3963 database. [RT #45185] 3964 39654615. [bug] AD could be set on truncated answer with no records 3966 present in the answer and authority sections. 3967 [RT #45140] 3968 39694614. [test] Fixed an error in the sockaddr unit test. [RT #45146] 3970 39714613. [func] By default, the maximum size of a zone journal file 3972 is now twice the size of the zone's contents (there 3973 is little benefit to a journal larger than this). 3974 This can be overridden by setting "max-journal-size" 3975 to "unlimited" or to an explicit value up to 2G. 3976 Thanks to Tony Finch. [RT #38324] 3977 39784612. [bug] Silence 'may be use uninitalised' warning and simplify 3979 the code in lwres/getaddinfo:process_answer. 3980 [RT #45158] 3981 39824611. 
[bug] The default LMDB mapsize was too low and caused 3983 errors after few thousand zones were added using 3984 rndc addzone. A new config option "lmdb-mapsize" 3985 has been introduced to configure the LMDB 3986 mapsize depending on operational needs. 3987 [RT #44954] 3988 39894610. [func] The "new-zones-directory" option specifies the 3990 location of NZF or NZD files for storing 3991 configuration of zones added by "rndc addzone". 3992 Thanks to Petr Menšík. [RT #44853] 3993 39944609. [cleanup] Rearrange makefiles to enable parallel execution 3995 (i.e. "make -j"). [RT #45078] 3996 39974608. [func] DiG now warns about .local queries which are reserved 3998 for Multicast DNS. [RT #44783] 3999 40004607. [bug] The memory context's malloced and maxmalloced counters 4001 were being updated without the appropriate lock being 4002 held. [RT #44869] 4003 40044606. [port] Stop using experimental "Experimental keys on scalar" 4005 feature of perl as it has been removed. [RT #45012] 4006 40074605. [performance] Improve performance for delegation heavy answers 4008 and also general query performance. Removes the 4009 acache feature that didn't significantly improve 4010 performance. Adds a glue cache. Removes 4011 additional-from-cache and additional-from-auth 4012 features. Enables minimal-responses by 4013 default. Improves performance of compression 4014 code, owner case restoration, hash function, 4015 etc. Uses inline buffer implementation by 4016 default. Many other performance changes and fixes. 4017 [RT #44029] 4018 40194604. [bug] Don't use ERR_load_crypto_strings() when building 4020 with OpenSSL 1.1.0. [RT #45117] 4021 40224603. [doc] Automatically generate named.conf(5) man page 4023 from doc/misc/options. Thanks to Tony Finch. 4024 [RT #43525] 4025 40264602. [func] Threads are now set to human-readable 4027 names to assist debugging, when supported by 4028 the OS. [RT #43234] 4029 40304601. 
[bug] Reject incorrect RSA key lengths during key 4031 generation and and sign/verify context 4032 creation. [RT #45043] 4033 40344600. [bug] Adjust RPZ trigger counts only when the entry 4035 being deleted exists. [RT #43386] 4036 40374599. [bug] Fix inconsistencies in inline signing time 4038 comparison that were introduced with the 4039 introduction of rdatasetheader->resign_lsb. 4040 [RT #42112] 4041 40424598. [func] Update fuzzing code to (1) reply to a DNSKEY 4043 query from named with appropriate DNSKEY used in 4044 fuzzing; (2) patch the QTYPE correctly in 4045 resolver fuzzing; (3) comment things so the rest 4046 of us are able to understand how fuzzing is 4047 implemented in named; (4) Coding style changes, 4048 cleanup, etc. [RT #44787] 4049 40504597. [bug] The validator now ignores SHA-1 DS digest type 4051 when a DS record with SHA-384 digest type is 4052 present and is a supported digest type. 4053 [RT #45017] 4054 40554596. [bug] Validate glue before adding it to the additional 4056 section. This also fixes incorrect TTL capping 4057 when the RRSIG expired earlier than the TTL. 4058 [RT #45062] 4059 40604595. [func] dnssec-keygen will no longer generate RSA keys 4061 less than 1024 bits in length. dnssec-keymgr 4062 was similarly updated. [RT #36895] 4063 40644594. [func] "dnstap-read -x" prints a hex dump of the wire 4065 format of each logged DNS message. [RT #44816] 4066 40674593. [doc] Update README using markdown, remove outdated FAQ 4068 file in favor of the knowledge base. 4069 40704592. [bug] A race condition on shutdown could trigger an 4071 assertion failure in dispatch.c. [RT #43822] 4072 40734591. [port] Addressed some python 3 compatibility issues. 4074 Thanks to Ville Skytta. [RT #44955] [RT #44956] 4075 40764590. [bug] Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being 4077 properly detected. [RT #44871] 4078 40794589. [cleanup] "configure -q" is now silent. [RT #44829] 4080 40814588. 
[bug] nsupdate could send queries for TKEY to the wrong 4082 server when using GSSAPI. Thanks to Tomas Hozza. 4083 [RT #39893] 4084 40854587. [bug] named-checkzone failed to handle occulted data below 4086 DNAMEs correctly. [RT #44877] 4087 40884586. [func] dig, host and nslookup now use TCP for ANY queries. 4089 [RT #44687] 4090 40914585. [port] win32: Set CompileAS value. [RT #42474] 4092 40934584. [bug] A number of memory usage statistics were not properly 4094 reported when they exceeded 4G. [RT #44750] 4095 40964583. [func] "host -A" returns most records for a name but 4097 omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.) 4098 [RT #43032] 4099 41004582. [security] 'rndc ""' could trigger a assertion failure in named. 4101 (CVE-2017-3138) [RT #44924] 4102 41034581. [port] Linux: Add getpid and getrandom to the list of system 4104 calls named uses for seccomp. [RT #44883] 4105 41064580. [bug] 4578 introduced a regression when handling CNAME to 4107 referral below the current domain. [RT #44850] 4108 41094579. [func] Logging channels and dnstap output files can now 4110 be configured with a "suffix" option, set to 4111 either "increment" or "timestamp", indicating 4112 whether to use incrementing numbers or timestamps 4113 as the file suffix when rolling over a log file. 4114 [RT #42838] 4115 41164578. [security] Some chaining (CNAME or DNAME) responses to upstream 4117 queries could trigger assertion failures. 4118 (CVE-2017-3137) [RT #44734] 4119 41204577. [func] Make qtype of resolver fuzzing packet configurable 4121 via command line. [RT #43540] 4122 41234576. [func] The RPZ implementation has been substantially 4124 refactored for improved performance and reliability. 4125 [RT #43449] 4126 41274575. [security] DNS64 with "break-dnssec yes;" can result in an 4128 assertion failure. (CVE-2017-3136) [RT #44653] 4129 41304574. [bug] Dig leaked memory with multiple +subnet options. 4131 [RT #44683] 4132 41334573. 
[func] Query logic has been substantially refactored (e.g. 4134 query_find function has been split into smaller 4135 functions) for improved readability, maintainability 4136 and testability. [RT #43929] 4137 41384572. [func] The "dnstap-output" option can now take "size" and 4139 "versions" parameters to indicate the maximum size 4140 a dnstap log file can grow before rolling to a new 4141 file, and how many old files to retain. [RT #44502] 4142 41434571. [bug] Out-of-tree builds of backtrace_test failed. 4144 41454570. [cleanup] named did not correctly fall back to the built-in 4146 initializing keys if the bind.keys file was present 4147 but empty. [RT #44531] 4148 41494569. [func] Store both local and remote addresses in dnstap 4150 logging, and modify dnstap-read output format to 4151 print them. [RT #43595] 4152 41534568. [contrib] Added a --with-bind option to the dnsperf configure 4154 script to specify BIND prefix path. 4155 41564567. [port] Call getprotobyname and getservbyname prior to calling 4157 chroot so that shared libraries get loaded. [RT #44537] 4158 41594566. [func] Query logging now includes the ECS option if one 4160 was included in the query. [RT #44476] 4161 41624565. [cleanup] The inline macro versions of isc_buffer_put*() 4163 did not implement automatic buffer reallocation. 4164 [RT #44216] 4165 41664564. [maint] Update the built in managed keys to include the 4167 upcoming root KSK. [RT #44579] 4168 41694563. [bug] Modified zones would occasionally fail to reload. 4170 [RT #39424] 4171 41724562. [func] Add additional memory statistics currently malloced 4173 and maxmalloced per memory context. [RT #43593] 4174 41754561. [port] Silence a warning in strict C99 compilers. [RT #44414] 4176 41774560. [bug] mdig: add -m option to enable memory debugging rather 4178 than having it on all the time. [RT #44509] 4179 41804559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES 4181 was turned off. [RT #44509] 4182 41834558. 
[bug] Synthesised CNAME before matching DNAME was still being cached when it should not have been. [RT #44318]

4557. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT #44434]

4556. [bug] Sending an EDNS Padding option using "dig +ednsopt" could cause a crash in dig. [RT #44462]

4555. [func] dig +ednsopt: EDNS options can now be specified by name in addition to numeric value. [RT #44461]

4554. [bug] Remove double unlock in dns_dispatchmgr_setudp. [RT #44336]

4553. [bug] Named could deadlock if there were multiple changes to NSEC/NSEC3 parameters for a zone being processed at the same time. [RT #42770]

4552. [bug] Named could trigger an assertion when sending notify messages. [RT #44019]

4551. [test] Add system tests for integrity checks of MX and SRV records. [RT #43953]

4550. [cleanup] Increased the number of available master file output style flags from 32 to 64. [RT #44043]

4549. [func] Added support for the EDNS TCP Keepalive option (RFC 7828). [RT #42126]

4548. [func] Added support for the EDNS Padding option (RFC 7830). [RT #42094]

4547. [port] Add support for --enable-native-pkcs11 on the AEP Keyper HSM. [RT #42463]

4546. [func] Extend the use of const declarations. [RT #43379]

4545. [func] Expand YAML output from dnstap-read to include a detailed breakdown of the DNS message contents. [RT #43642]

4544. [bug] Add message/payload size to dnstap-read YAML output. [RT #43622]

4543. [bug] dns_client_startupdate now delays sending the update request until isc_app_ctxrun has been called. [RT #43976]

4542. [func] Allow rndc to manipulate redirect zones by using -redirect as the zone name (use "-redirect." to manipulate a zone named "-redirect"). [RT #43971]

4541. [bug] rndc addzone should properly reject non master/slave zones. [RT #43665]

4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure. [RT #43601]

4539. [bug] Referencing a nonexistent zone with RPZ could lead to an assertion failure when configuring. [RT #43787]

4538. [bug] Call dns_client_startresolve from client->task. [RT #43896]

4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576]

4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared when reusing the event structure. [RT #43885]

4535. [bug] Address race condition in setting / testing of DNS_REQUEST_F_SENDING. [RT #43889]

4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]

4533. [bug] dns_client_update should terminate on prerequisite failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET) and also on BADZONE. [RT #43865]

4532. [contrib] Make gen-data-queryperf.py python 3 compatible. [RT #43836]

4531. [security] 'is_zone' was not being properly updated by redirect2 and subsequently preserved leading to an assertion failure. (CVE-2016-9778) [RT #43837]

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME in responses resulting in SERVFAIL being returned. [RT #43779]

4529. [cleanup] Silence noisy log warning when DSCP probe fails due to firewall rules. [RT #43847]

4528. [bug] Only set the flag bits for the i/o we are waiting for on EPOLLERR or EPOLLHUP. [RT #43617]

4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]

4526. [doc] Corrected errors and improved formatting of grammar definitions in the ARM. [RT #43739]

4525. [doc] Fixed outdated documentation on managed-keys. [RT #43810]

4524. [bug] The net zero test was broken causing IPv4 servers with addresses ending in .0 to be rejected. [RT #43776]

4523. [doc] Expand config doc for <querysource4> and <querysource6>. [RT #43768]

4522. [bug] Handle big gaps in log file version numbers better. [RT #38688]

4521. [cleanup] Log it as an error if an entropy source is not found and there is no fallback available. [RT #43659]

4520. [cleanup] Alphabetize more of the grammar when printing it out. Fix unbalanced indenting. [RT #43755]

4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]

4518. [func] The "print-time" option in the logging configuration can now take arguments "local", "iso8601" or "iso8601-utc" to indicate the format in which the date and time should be logged. For backward compatibility, "yes" is a synonym for "local". [RT #42585]

4517. [security] Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. (CVE-2016-9444) [RT #43632]

4516. [bug] isc_socketmgr_renderjson was missing from the windows build. [RT #43602]

4515. [port] FreeBSD: Find readline headers when they are in edit/readline/ instead of readline/. [RT #43658]

4514. [port] NetBSD: strip -WL, from ld command line. [RT #43204]

4513. [cleanup] Minimum Python versions are now 2.7 and 3.2. [RT #43566]

4512. [bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in. [RT #43556]

4511. [bug] win32: mdig.exe-BNFT was missing Configure. [RT #43554]

4510. [security] Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. (CVE-2016-9147) [RT #43548]

4509. [test] Make the rrl system test more reliable on slower machines by using mdig instead of dig. [RT #43280]

4508. [security] Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522]

4507. [bug] Named could incorrectly log 'allows updates by IP address, which is insecure' [RT #43432]

4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]

4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]

4504. [security] Allow the maximum number of records in a zone to be specified. This provides a control for issues raised in CVE-2016-6170. [RT #42143]

4503. [cleanup] "make uninstall" now removes files installed by BIND. (This currently excludes Python files due to lack of support in setup.py.) [RT #42192]

4502. [func] Report multiple and experimental options when printing grammar. [RT #43134]

4501. [placeholder]

4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]

4499. [port] MacOSX: silence deprecated function warning by using arc4random_stir() when available instead of arc4random_addrandom(). [RT #43503]

4498. [test] Simplify prerequisite checks in system tests. [RT #43516]

4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]

4496. [func] dig: add +idnout to control whether labels are displayed in punycode or not. Requires idn support to be enabled at compile time. [RT #43398]

4495. [bug] An isc_mutex_init call was not being checked. [RT #43391]

4494. [bug] Look for <editline/readline.h>. [RT #43429]

4493. [bug] bin/tests/system/dyndb/driver/Makefile.in should use SO_TARGETS. [RT #43336]

4492. [bug] irs_resconf_load failed to initialize sortlistnxt causing bad writes if resolv.conf contained a sortlist directive. [RT #43459]

4491. [bug] Improve message emitted when testing whether sendmsg works with TOS/TCLASS fails. [RT #43483]

4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.

4489. [security] It was possible to trigger assertions when processing a response containing a DNAME answer. (CVE-2016-8864) [RT #43465]

4488. [port] Darwin: use -framework for Kerberos. [RT #43418]

4487. [test] Make system tests work on Windows. [RT #42931]

4486. [bug] Look in $prefix/lib/pythonX.Y/site-packages for the python modules we install. [RT #43330]

4485. [bug] Failure to find readline when requested should be fatal to configure. [RT #43328]

4484. [func] Check prefixes in acls to make sure the address and prefix lengths are consistent. Warn only in BIND 9.11 and earlier. [RT #43367]

4483. [bug] Address use before require check and remove extraneous dns_message_gettsigkey call in dns_tsig_sign. [RT #43374]

4482. [cleanup] Change #4455 was incomplete. [RT #43252]

4481. [func] dig: make +class, +crypto, +multiline, +rrcomments, +onesoa, +qr, +ttlid, +ttlunits and -u per lookup rather than global. [RT #42450]

4480. [placeholder]

4479. [placeholder]

4478. [func] Add +continue option to mdig, allow continue on socket errors. [RT #43281]

4477. [test] Fix mkeys test timing issues. [RT #41028]

4476. [test] Fix reclimit test on slower machines. [RT #43283]

4475. [doc] Update named-checkconf documentation. [RT #43153]

4474. [bug] win32: call WSAStartup in fromtext_in_wks so that getprotobyname and getservbyname work. [RT #43197]

4473. [bug] Only call fsync / _commit on regular files. [RT #43196]

4472. [bug] Named could fail to find the correct NSEC3 records when a zone was updated between looking for the answer and looking for the NSEC3 records proving nonexistence of the answer. [RT #43247]

--- 9.11.0 released ---

--- 9.11.0rc3 released ---

4471. [cleanup] Render client/query logging format consistent for ease of log file parsing. (Note that this affects "querylog" format: there is now an additional field indicating the client object address.) [RT #43238]

4470. [bug] Reset message with intent parse before calling dns_dispatch_getnext. [RT #43229]

4469. [placeholder]

--- 9.11.0rc2 released ---

4468. [bug] Address ECS option handling issues. [RT #43191]

4467. [security] It was possible to trigger an assertion when rendering a message. (CVE-2016-2776) [RT #43139]

4466. [bug] Interface scanning didn't work on a Windows system without a non local IPv6 address. [RT #43130]

4465. [bug] Don't use "%z" as Windows doesn't support it. [RT #43131]

4464. [bug] Fix windows python support. [RT #43173]

4463. [bug] The dnstap system test failed on some systems. [RT #43129]

4462. [bug] Don't describe a returned EDNS COOKIE as "good" when there isn't a valid server cookie. [RT #43167]

4461. [bug] win32: not all external data was properly marked as external data for windows dll. [RT #43161]

--- 9.11.0rc1 released ---

4460. [test] Add system test for dnstap using unix domain sockets. [RT #42926]

4459. [bug] TCP client objects created to handle pipeline queries were not cleaned up correctly, causing uncontrolled memory growth. [RT #43106]

4458. [cleanup] Update assertions to be more correct, and also remove use of a reserved word. [RT #43090]

4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.

4456. [doc] Add DOCTYPE and lang attribute to <html> tags. [RT #42587]

4455. [cleanup] Allow dyndb modules to correctly log the filename and line number when processing configuration text from named.conf. [RT #43050]

4454. [bug] 'rndc dnstap -reopen' had a race issue. [RT #43089]

4453. [bug] Prefetching of DS records failed to update their RRSIGs. [RT #42865]

4452. [bug] The default key manager policy file is now <sysdir>/dnssec-policy.conf (usually /etc/dnssec-policy.conf). [RT #43064]

4451. [cleanup] Log more useful information if a PKCS#11 provider library cannot be loaded. [RT #43076]

4450. [port] Provide more nuanced HSM support which better matches the specific PKCS11 providers capabilities. [RT #42458]

4449. [test] Fix catalog zones test on slower systems. [RT #42997]

4448. [bug] win32: ::1 was not being found when iterating interfaces. [RT #42993]

4447. [tuning] Allow the fstrm_iothr_init() options to be set using named.conf to control how dnstap manages the data flow. [RT #42974]

4446. [bug] The cache_find() and _findrdataset() functions could find rdatasets that had been marked stale. [RT #42853]

4445. [cleanup] isc_errno_toresult() can now be used to call the formerly private function isc__errno2result(). [RT #43050]

4444. [bug] Fixed some issues related to dyndb: A bug caused braces to be omitted when passing configuration text from named.conf to a dyndb driver, and there was a use-after-free in the sample dyndb driver. [RT #43050]

4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on TCP sockets. [RT #42864]

4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted tree data structure with overlapping networks (longest prefix match was ineffective). [RT #43035]

4441. [cleanup] Alphabetize host's help output. [RT #43031]

4440. [func] Enable TCP fast open support when available on the server side. [RT #42866]

4439. [bug] Address race conditions getting ownernames of nodes. [RT #43005]

4438. [func] Use LIFO rather than FIFO when processing startup notify and refresh queries. [RT #42825]

4437. [func] Minimal-responses now has two additional modes no-auth and no-auth-recursive which suppress adding the NS records to the authority section as well as the associated address records for the nameservers. [RT #42005]

4436. [func] Return TLSA records as additional data for MX and SRV lookups. [RT #42894]

4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message will not fit into a single IPv4 encapsulated IPv6 UDP packet when transmitted over an Ethernet link. [RT #42871]

4434. [protocol] Return EDNS EXPIRE option for master zones in addition to slave zones. [RT #43008]

4433. [cleanup] Report an error when passing an invalid option or view name to "rndc dumpdb". [RT #42958]

4432. [test] Hide rndc output on expected failures in logfileconfig system test. [RT #27996]

4431. [bug] named-checkconf now checks the rate-limit clause. [RT #42970]

4430. [bug] Lwresd died if a search list was not defined. Found by 0x710DDDD At Alibaba Security. [RT #42895]

4429. [bug] Address potential use after free on fclose() error. [RT #42976]

4428. [bug] The "test dispatch getnext" unit test could fail in a threaded build. [RT #42979]

4427. [bug] The "query" and "response" parameters to the "dnstap" option had their functions reversed.

--- 9.11.0b3 released ---

4426. [bug] Addressed Coverity warnings. [RT #42908]

4425. [bug] arpaname, dnstap-read and named-rrchecker were not being installed into ${prefix}/bin. Tidy up installation issues with CHANGE 4421. [RT #42910]

4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries to provide feedback to the trust-anchor administrators about how key rollovers are progressing as per draft-ietf-dnsop-edns-key-tag-02. This can be disabled using 'trust-anchor-telemetry no;'. [RT #40583]

4423. [maint] Added missing IPv6 address 2001:500:84::b for B.ROOT-SERVERS.NET. [RT #42898]

4422. [port] Silence clang warnings in dig.c and dighost.c. [RT #42451]

4421. [func] When built with LMDB (Lightning Memory-mapped Database), named will now use a database to store the configuration for zones added by "rndc addzone" instead of using a flat NZF file. This improves performance of "rndc delzone" and "rndc modzone" significantly. Existing NZF files will automatically be converted to NZD databases. To view the contents of an NZD or to roll back to NZF format, use "named-nzd2nzf". To disable this feature, use "configure --without-lmdb". [RT #39837]

4420. [func] nslookup now looks for AAAA as well as A by default. [RT #40420]

4419. [bug] Don't cause undefined result if the label of an entry in catalog zone is changed. [RT #42708]

4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879]

4417. [bug] dnssec-keymgr could fail to create successor keys if the prepublication interval was set to a value smaller than the default. [RT #42820]

4416. [bug] dnssec-keymgr: Domain names in policy files could fail to match due to trailing dots. [RT #42807]

4415. [bug] dnssec-keymgr: Expired/deleted keys were not always excluded. [RT #42884]

4414. [bug] Corrected a bug in the MIPS implementation of isc_atomic_xadd(). [RT #41965]

4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]

--- 9.11.0b2 released ---

4412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was removed. [RT #42721]

4411. [func] "rndc dnstap -roll" automatically rolls the dnstap output file; the previous version is saved with ".0" suffix, and earlier versions with ".1" and so on. An optional numeric argument indicates how many prior files to save. [RT #42830]

4410. [bug] Address use after free and memory leak with dnstap. [RT #42746]

4409. [bug] DNS64 should exclude mapped addresses by default when an exclude acl is not defined. [RT #42810]

4408. [func] Continue waiting for expected response when the response we get does not match the request. [RT #41026]

4407. [performance] Use GCC builtin for clz in RPZ lookup code. [RT #42818]

4406. [security] getrrsetbyname with a non absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if, when combined with a search list entry, the resulting name is too long. (CVE-2016-2775) [RT #42694]

4405. [bug] Change 4342 introduced a regression where you could not remove a delegation in an NSEC3 signed zone using OPTOUT via nsupdate. [RT #42702]

4404. [misc] Allow krb5-config to be used when configuring gssapi. [RT #42580]

4403. [bug] Rename variables and arguments that shadow: basename, clone and gai_error.

4402. [bug] protoc-c is now a hard requirement for --enable-dnstap.

--- 9.11.0b1 released ---

4401. [misc] Change LICENSE to MPL 2.0.

4400. [bug] ttl policy was not being inherited in policy.py. [RT #42718]

4399. [bug] policy.py 'ECCGOST', 'ECDSAP256SHA256', and 'ECDSAP384SHA384' don't have settable keysize. [RT #42718]

4398. [bug] Correct spelling of ECDSAP256SHA256 in policy.py. [RT #42718]

4397. [bug] Update Windows python support. [RT #42538]

4396. [func] dnssec-keymgr now takes a '-r randomfile' option. [RT #42455]

4395. [bug] Improve out-of-tree installation of python modules. [RT #42586]

4394. [func] Add rndc command "dnstap-reopen" to close and reopen dnstap output files. [RT #41803]

4393. [bug] Address potential NULL pointer dereferences in dnstap code.

4392. [func] Collect statistics for RSSAC02v3 traffic-volume, traffic-sizes and rcode-volume reporting. [RT #41475]

4391. [contrib] Fix leaks in contrib DLZ code. [RT #42707]

4390. [doc] Description of masters with TSIG, allow-query and allow-transfer options in catalog zones. [RT #42692]

4389. [test] Rewritten test suite for catalog zones. [RT #42676]

4388. [func] Support for master entries with TSIG keys in catalog zones. [RT #42577]

4387. [bug] Change 4336 was not complete leading to SERVFAIL being returned as NS records expired. [RT #42683]

4386. [bug] Remove shadowed overmem function/variable. [RT #42706]

4385. [func] Add support for allow-query and allow-transfer ACLs to catalog zones. [RT #42578]

4384. [bug] Change 4256 accidentally disabled logging of the rndc command. [RT #42654]

4383. [bug] Correct spelling error in stats channel description of "EDNS client subnet option received". [RT #42633]

4382. [bug] rndc {addzone,modzone,delzone,showzone} should all compare the zone name using a canonical format. [RT #42630]

4381. [bug] Missing "zone-directory" option in catalog zone definition caused BIND to crash. [RT #42579]

--- 9.11.0a3 released ---

4380. [experimental] Added a "zone-directory" option to "catalog-zones" syntax, allowing local masterfiles for slaves that are provisioned by catalog zones to be stored in a directory other than the server's working directory. [RT #42527]

4379. [bug] An INSIST could be triggered if a zone contains RRSIG records with expiry fields that loop using serial number arithmetic. [RT #40571]

4378. [contrib] #include <isc/string.h> for strlcat in zone2ldap.c. [RT #42525]

4377. [bug] Don't reuse zero TTL responses beyond the current client set (excludes ANY/SIG/RRSIG queries). [RT #42142]

4376. [experimental] Added support for Catalog Zones, a new method for provisioning secondary servers in which a list of zones to be served is stored in a DNS zone and can be propagated to slaves via AXFR/IXFR. [RT #41581]

4375. [func] Add support for automatic reallocation of isc_buffer to isc_buffer_put* functions. [RT #42394]

4374. [bug] Use SAVE/RESTORE macros in query.c to reduce the probability of reference counting errors as seen in 4365. [RT #42405]

4373. [bug] Address undefined behavior in getaddrinfo. [RT #42479]

4372. [bug] Address undefined behavior in libt_api. [RT #42480]

4371. [func] New "minimal-any" option reduces the size of UDP responses for qtype ANY by returning a single arbitrarily selected RRset instead of all RRsets. Thanks to Tony Finch. [RT #41615]

4370. [bug] Address python3 compatibility issues with RNDC module. [RT #42499] [RT #42506]

--- 9.11.0a2 released ---

4369. [bug] Fix 'make' and 'make install' out-of-tree python support. [RT #42484]

4368. [bug] Fix a crash when calling "rndc stats" on some Windows builds because some Visual Studio compilers generated crashing code for the "%z" printf() format specifier. [RT #42380]

4367. [bug] Remove unnecessary assignment of loadtime in zone_touched. [RT #42440]

4366. [bug] Address race condition when updating rbtnode bit fields. [RT #42379]

4365. [bug] Address zone reference counting errors involving nxdomain-redirect. [RT #42258]

4364. [port] freebsd: add -Wl,-E to loader flags [RT #41690]

4363. [port] win32: Disable explicit triggering UAC when running BINDInstall.

4362. [func] Changed rndc reconfig behavior so that newly added zones are loaded asynchronously and the loading does not block the server. [RT #41934]

4361. [cleanup] Where supported, file modification times returned by isc_file_getmodtime() are now accurate to the nanosecond. [RT #41968]

4360. [bug] Silence spurious 'bad key type' message when there is an existing TSIG key. [RT #42195]

4359. [bug] Inherited 'also-notify' lists were not being checked by named-checkconf. [RT #42174]

4358. [test] Added American Fuzzy Lop harness that allows feeding fuzzed packets into BIND. [RT #41723]

4357. [func] Add the python RNDC module. [RT #42093]

4356. [func] Add the ability to specify whether to wait for nameserver addresses to be looked up or not to RPZ with a new modifying directive 'nsip-wait-recurse'. [RT #35009]

4355. [func] "pkcs11-list" now displays the extractability attribute of private or secret keys stored in an HSM, as either "true", "false", or "never". Thanks to Daniel Stirnimann. [RT #36557]

4354. [bug] Check that the received HMAC length matches the expected length prior to checking the contents on the control channel. This prevents an OOB read error. This was reported by Lian Yihan, <lianyihan@360.cn>. [RT #42215]

4353. [cleanup] Update PKCS#11 header files. [RT #42175]

4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to be disabled in 2017. A warning is now logged when named is configured to use it, either explicitly or via "dnssec-lookaside auto;" [RT #42207]

4351. [bug] 'dig +noignore' didn't work. [RT #42273]

4350. [contrib] Declare result in dlz_filesystem_dynamic.c.

4349. [contrib] kasp2policy: A python script to create a DNSSEC policy file from an OpenDNSSEC KASP XML file.

4348. [func] dnssec-keymgr: A new python-based DNSSEC key management utility, which reads a policy definition file and can create or update DNSSEC keys as needed to ensure that a zone's keys match policy, roll over correctly on schedule, etc. Thanks to Sebastian Castro for assistance in development. [RT #39211]

4347. [port] Corrected a build error on x86_64 Solaris. [RT #42150]

4346. [bug] Fixed a regression introduced in change #4337 which caused signed domains with revoked KSKs to fail validation. [RT #42147]

4345. [contrib] perftcpdns mishandled the return values from clock_nanosleep. [RT #42131]

4344. [port] Address openssl version differences. [RT #42059]

4343. [bug] dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>. [RT #42090]

4342. [bug] 'rndc flushtree' could fail to clean the tree if there wasn't a node at the specified name. [RT #41846]

--- 9.11.0a1 released ---

4341. [bug] Correct the handling of ECS options with address family 0. [RT #41377]

4340. [performance] Implement adaptive read-write locks, reducing the overhead of locks that are only held briefly. [RT #37329]

4339. [test] Use "mdig" to test pipelined queries. [RT #41929]

4338. [bug] Reimplement change 4324 as it wasn't properly doing all the required book keeping. [RT #41941]

4337. [bug] The previous change exposed a latent flaw in key refresh queries for managed-keys when a cached DNSKEY had TTL 0. [RT #41986]

4336. [bug] Don't emit records with zero ttl unless the records were learnt with a zero ttl. [RT #41687]

4335. [bug] zone->view could be detached too early. [RT #41942]

4334. [func] 'named -V' now reports zlib version. [RT #41913]

4333. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42 and 2001:500:9f::42.

4332. [placeholder]

4331. [func] When loading managed signed zones detect if the RRSIG's inception time is in the future and regenerate the RRSIG immediately. [RT #41808]

4330. [protocol] Identify the PAD option as "PAD" when printing out a message.

4329. [func] Warn about a common misconfiguration when forwarding RFC 1918 zones. [RT #41441]

4328. [performance] Add dns_name_fromwire() benchmark test. [RT #41694]

4327. [func] Log query and depth counters during fetches when querytrace (./configure --enable-querytrace) is enabled (helps in diagnosing). [RT #41787]

4326. [protocol] Add support for AVC. [RT #41819]

4325. [func] Add a line to "rndc status" indicating the hostname and operating system details. [RT #41610]

4324. [bug] When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997]

4323. [bug] Improve HTTP header processing on statschannel. [RT #41674]

4322. [security] Duplicate EDNS COOKIE options in a response could trigger an assertion failure. (CVE-2016-2088) [RT #41809]

4321. [bug] Zones using mapped files containing out-of-zone data could return SERVFAIL instead of the expected NODATA or NXDOMAIN results. [RT #41596]

4320. [bug] Insufficient memory allocation when handling "none" ACL could cause an assertion failure in named when parsing ACL configuration. [RT #41745]

4319. [security] Fix resolver assertion failure due to improper DNAME handling when parsing fetch reply messages. (CVE-2016-1286) [RT #41753]

4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]

4317. [bug] Age all unused servers on fetch timeout. [RT #41597]

4316. [func] Add option to tools to print RRs in unknown presentation format. [RT #41595]

4315. [bug] Check that configured view class isn't a meta class. [RT #41572]

4314. [contrib] Added 'dnsperf-2.1.0.0-1', a set of performance testing tools provided by Nominum, Inc.

4313. [bug] Handle ns_client_replace failures in test mode. [RT #41190]

4312. [bug] dig's unknown DNS and EDNS flags (MBZ value) logging was not consistent. [RT #41600]

4311. [bug] Prevent "rndc delzone" from being used on response-policy zones. [RT #41593]

4310. [performance] Use __builtin_expect() where available to annotate conditions with known behavior. [RT #41411]

4309. [cleanup] Remove the spurious "none" filename from log messages when processing built-in configuration. [RT #41594]

4308. [func] Added operating system details to "named -V" output. [RT #41452]

4307. [bug] "dig +subnet" and "mdig +subnet" could send incorrectly-formatted Client Subnet options if the prefix length was not divisible by 8. Also fixed a memory leak in "mdig". [RT #45178]

4306. [maint] Added a PKCS#11 openssl patch supporting version 1.0.2f [RT #38312]

4305. [bug] dnssec-signzone was not removing unnecessary rrsigs from the zone's apex. [RT #41483]

4304. [port] xfer system test failed as 'tail -n +value' is not portable. [RT #41315]

4303. [bug] "dig +subnet" was unable to send a prefix length of zero, as it was incorrectly changed to 32 for v4 prefixes or 128 for v6 prefixes. In addition to fixing this, "dig +subnet=0" has been added as a short form for 0.0.0.0/0. The same changes have also been made in "mdig". [RT #41553]

4302. [port] win32: fixed a build error in VS 2015. [RT #41426]

4301. [bug] dnssec-settime -p [DP]sync was not working. [RT #41534]

4300. [bug] A flag could be set in the wrong field when setting up non-recursive queries; this could cause the SERVFAIL cache to cache responses it shouldn't. New querytrace logging has been added which identified this error. [RT #41155]

4299. [bug] Check that exactly totallen bytes are read when reading an RRset from raw files in both single read and incremental modes. [RT #41402]

4298. [bug] dns_rpz_add errors in loadzone were not being propagated up the call stack. [RT #41425]

4297. [test] Ensure delegations in RPZ zones fail robustly. [RT #41518]

4296. [bug] TCP packet sizes were calculated incorrectly in the stats channel; they could be counted in the wrong histogram bucket. [RT #40587]

4295. [bug] An unchecked result in dns_message_pseudosectiontotext() could allow incorrect text formatting of EDNS EXPIRE options. [RT #41437]

4294. [bug] Fixed a regression in which "rndc stop -p" failed to print the PID. [RT #41513]

4293. [bug] Address memory leak on priming query creation failure. [RT #41512]

4292. [placeholder]

4291. [cleanup] Added a required include to dns/forward.h. [RT #41474]

4290. [func] The timers returned by the statistics channel (indicating current time, server boot time, and most recent reconfiguration time) are now reported with millisecond accuracy. [RT #40082]

4289. [bug] The server could crash due to memory being used after it was freed if a zone transfer timed out. [RT #41297]

4288. [bug] Fixed a regression in resolver.c:possibly_mark() which caused known-bogus servers to be queried anyway. [RT #41321]

4287. [bug] Silence an overly noisy log message when message parsing fails. [RT #41374]

4286. [security] render_ecs errors were mishandled when printing out an OPT record resulting in an assertion failure. (CVE-2015-8705) [RT #41397]

4285. [security] Specific APL data could trigger an INSIST. (CVE-2015-8704) [RT #41396]

4284. [bug] Some GeoIP options were incorrectly documented using abbreviated forms which were not accepted by named. The code has been updated to allow both long and abbreviated forms. [RT #41381]

4283. [bug] OPENSSL_config is no longer re-callable. [RT #41348]

4282. [func] 'dig +[no]mapped' determines whether the use of mapped IPv4 addresses over IPv6 is permitted or not. The default is +mapped. [RT #41307]

4281. [bug] Teach dns_message_totext about BADCOOKIE. [RT #41257]

4280. [performance] Use optimal message sizes to improve compression in AXFRs. This reduces network traffic. [RT #40996]

4279. [test] Don't use fixed ports when unit testing. [RT #41194]

4278. [bug] 'delv +short +[no]split[=##]' didn't work as expected. [RT #41238]

4277. [performance] Improve performance of the RBT, the central zone datastructure: The aux hashtable was improved, hash function was updated to perform more uniform mapping, uppernode was added to dns_rbtnode, and other cleanups and performance improvements were made. [RT #41165]

4276. [protocol] Add support for SMIMEA. [RT #40513]

4275. [performance] Lazily initialize dns_compress->table only when compression is enabled. [RT #41189]

4274. [performance] Speed up typemap processing from text. [RT #41196]

4273. [bug] Only call dns_test_begin() and dns_test_end() once each in nsec3_test as it fails with GOST if called multiple times.

4272. [bug] dig: the +norrcomments option didn't work with +multi. [RT #41234]

4271. [test] Unit tests could deadlock in isc__taskmgr_pause(). [RT #41235]

4270. [security] Update allowed OpenSSL versions as named is potentially vulnerable to CVE-2015-3193.

4269. [bug] Zones using "map" format master files currently don't work as policy zones. This limitation has now been documented; attempting to use such zones in "response-policy" statements is now a configuration error. [RT #38321]

4268. [func] "rndc status" now reports the path to the configuration file. [RT #36470]

4267. [test] Check sdlz error handling. [RT #41142]

4266. [placeholder]

4265. [bug] Address unchecked isc_mem_get calls. [RT #41187]

4264. [bug] Check const of strchr/strrchr assignments match argument's const status. [RT #41150]

4263. [contrib] Address compiler warnings in mysqldyn module. [RT #41130]

4262. [bug] Fixed a bug in epoll socket code that caused sockets to not be registered for ready notification in some cases, causing named to not read from or write to them, resulting in what appear to the user as blocked connections. [RT #41067]

4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]

4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987]

4259. [func] Add an option for non-destructive control channel access using a "read-only" clause. In such cases, a restricted set of rndc commands are allowed for querying information from named. [RT #40498]

4258. [bug] Limit rndc query message sizes to 32 KiB. This should not break any legitimate rndc commands, but will prevent a rogue rndc query from allocating too much memory. [RT #41073]

4257. [cleanup] Python scripts reported incorrect version. [RT #41080]

4256. [bug] Allow rndc command arguments to be quoted so as to allow spaces. [RT #36665]

4255. [performance] Add 'message-compression' option to disable DNS compression in responses. [RT #40726]

4254. [bug] Address missing lock when getting zone's serial. [RT #41072]

4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT #40945]

4252. [func] Add support for automating the generation of CDS and CDNSKEY rrsets to named and dnssec-signzone. [RT #40424]

4251. [bug] NTAs were deleted when the server was reconfigured or reloaded. [RT #41058]

4250. [func] Log the TSIG key in use during inbound zone transfers. [RT #41075]

4249. [func] Improve error reporting of TSIG / SIG(0) records in the wrong location. [RT #41030]

4248. [performance] Add an isc_atomic_storeq() function, use it in stats counters to improve performance. [RT #39972] [RT #39979]

4247. [port] Require both HAVE_JSON and JSON_C_VERSION to be defined to report json library version. [RT #41045]

4246. [test] Ensure the statschannel system test runs when BIND is not built with libjson. [RT #40944]

4245. [placeholder]

4244. [bug] The parser was not reporting that use-ixfr is obsolete. [RT #41010]

4243. [func] Improved stats reporting from Timothe Litt. [RT #38941]

4242. [bug] Replace the client if not already replaced when prefetching. [RT #41001]

4241. [doc] Improved the TSIG, TKEY, and SIG(0) sections in the ARM. [RT #40955]

4240. [port] Fix LibreSSL compatibility. [RT #40977]

4239. [func] Changed default servfail-ttl value to 1 second from 10. Also, the maximum value is now 30 instead of 300. [RT #37556]

4238. [bug] Don't send to servers on net zero (0.0.0.0/8). [RT #40947]

4237. [doc] Upgraded documentation toolchain to use DocBook 5 and dblatex. [RT #40766]

4236. [performance] On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one. [RT #40761]

4235. [func] Added support in named for "dnstap", a fast method of capturing and logging DNS traffic, and a new command "dnstap-read" to read a dnstap log file. Use "configure --enable-dnstap" to enable this feature (note that this requires libprotobuf-c and libfstrm). See the ARM for configuration details. Thanks to Robert Edmonds of Farsight Security. [RT #40211]

4234. [func] Add deflate compression in statistics channel HTTP server. [RT #40861]

4233. [test] Add tests for CDS and CDNSKEY with delegation-only. [RT #40597]

4232. [contrib] Address unchecked memory allocation calls in query-loc and zone2ldap. [RT #40789]

4231. [contrib] Address unchecked calloc call in dlz_mysqldyn_mod.c. [RT #40840]

4230. [contrib] dlz_wildcard_dynamic.c:dlz_create could return an uninitialized result. [RT #40839]

4229. [bug] A variable could be used uninitialized in dns_update_signaturesinc. [RT #40784]

4228. [bug] Address race condition in dns_client_destroyrestrans. [RT #40605]

4227. [bug] Silence static analysis warnings. [RT #40828]

4226. [bug] Address a theoretical shutdown race in zone.c:notify_send_queue(). [RT #38958]

4225. [port] freebsd/openbsd: Use '${CC} -shared' for building shared libraries. [RT #39557]

4224. [func] Added support for "dyndb", a new interface for loading zone data from an external database, developed by Red Hat for the FreeIPA project.
5295 5296 DynDB drivers fully implement the BIND database 5297 API, and are capable of significantly better 5298 performance and functionality than DLZ drivers, 5299 while taking advantage of advanced database 5300 features not available in BIND such as multi-master 5301 replication. 5302 5303 Thanks to Adam Tkac and Petr Spacek of Red Hat. 5304 [RT #35271] 5305 53064223. [func] Add support for setting max-cache-size to percentage 5307 of available physical memory, set default to 90%. 5308 [RT #38442] 5309 53104222. [func] Bias IPv6 servers when selecting the next server to 5311 query. [RT #40836] 5312 53134221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create. 5314 [RT #40583] 5315 53164220. [doc] Improve documentation for zone-statistics. 5317 [RT #36955] 5318 53194219. [bug] Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK, 5320 EGAIN when these soft error are not retried for 5321 isc_socket_send*(). 5322 53234218. [bug] Potential null pointer dereference on out of memory 5324 if mmap is not supported. [RT #40777] 5325 53264217. [protocol] Add support for CSYNC. [RT #40532] 5327 53284216. [cleanup] Silence static analysis warnings. [RT #40649] 5329 53304215. [bug] nsupdate: skip to next request on GSSTKEY create 5331 failure. [RT #40685] 5332 53334214. [protocol] Add support for TALINK. [RT #40544] 5334 53354213. [bug] Don't reuse a cache across multiple classes. 5336 [RT #40205] 5337 53384212. [func] Re-query if we get a bad client cookie returned over 5339 UDP. [RT #40748] 5340 53414211. [bug] Ensure that lwresd gets at least one task to work 5342 with if enabled. [RT #40652] 5343 53444210. [cleanup] Silence use after free false positive. [RT #40743] 5345 53464209. [bug] Address resource leaks in dlz modules. [RT #40654] 5347 53484208. [bug] Address null pointer dereferences on out of memory. 5349 [RT #40764] 5350 53514207. [bug] Handle class mismatches with raw zone files. 5352 [RT #40746] 5353 53544206. 
[bug] contrib: fixed a possible NULL dereference in 5355 DLZ wildcard module. [RT #40745] 5356 53574205. [bug] 'named-checkconf -p' could include unwanted spaces 5358 when printing tuples with unset optional fields. 5359 [RT #40731] 5360 53614204. [bug] 'dig +trace' failed to lookup the correct type if 5362 the initial root NS query was retried. [RT #40296] 5363 53644203. [test] The rrchecker system test now tests conversion 5365 to and from unknown-type format. [RT #40584] 5366 53674202. [bug] isccc_cc_fromwire() could return an incorrect 5368 result. [RT #40614] 5369 53704201. [func] The default preferred-glue is now the address record 5371 type of the transport the query was received 5372 over. [RT #40468] 5373 53744200. [cleanup] win32: update BINDinstall to be BIND release 5375 independent. [RT #38915] 5376 53774199. [protocol] Add support for NINFO, RKEY, SINK, TA. 5378 [RT #40545] [RT #40547] [RT #40561] [RT #40563] 5379 53804198. [placeholder] 5381 53824197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses. 5383 [RT #40603] 5384 53854196. [doc] Improve how "enum + other" types are documented. 5386 [RT #40608] 5387 53884195. [bug] 'max-zone-ttl unlimited;' was broken. [RT #40608] 5389 53904194. [bug] named-checkconf -p failed to properly print a port 5391 range. [RT #40634] 5392 53934193. [bug] Handle broken servers that return BADVERS incorrectly. 5394 [RT #40427] 5395 53964192. [bug] The default rrset-order of random was not always being 5397 applied. [RT #40456] 5398 53994191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones 5400 as per RFC 6763. [RT #37889] 5401 54024190. [protocol] Accept Active Directory gc._msdcs.<forest> name as 5403 valid with check-names. <forest> still needs to be 5404 LDH. [RT #40399] 5405 54064189. [cleanup] Don't exit on overly long tokens in named.conf. 5407 [RT #40418] 5408 54094188. [bug] Support HTTP/1.0 client properly on the statistics 5410 channel. [RT #40261] 5411 54124187. 
[func] When any RR type implementation doesn't 5413 implement totext() for the RDATA's wire 5414 representation and returns ISC_R_NOTIMPLEMENTED, 5415 such RDATA is now printed in unknown 5416 presentation format (RFC 3597). RR types affected 5417 include LOC(29) and APL(42). [RT #40317]. 5418 54194186. [bug] Fixed an RPZ bug where a QNAME would be matched 5420 against a policy RR with wildcard owner name 5421 (trigger) where the QNAME was the wildcard owner 5422 name's parent. For example, the bug caused a query 5423 with QNAME "example.com" to match a policy RR with 5424 "*.example.com" as trigger. [RT #40357] 5425 54264185. [bug] Fixed an RPZ bug where a policy RR with wildcard 5427 owner name (trigger) would prevent another policy RR 5428 with its parent owner name from being 5429 loaded. For example, the bug caused a policy RR 5430 with trigger "example.com" to not have any 5431 effect when a previous policy RR with trigger 5432 "*.example.com" existed in that RPZ zone. 5433 [RT #40357] 5434 54354184. [bug] Fixed a possible memory leak in name compression 5436 when rendering long messages. (Also, improved 5437 wire_test for testing such messages.) [RT #40375] 5438 54394183. [cleanup] Use timing-safe memory comparisons in cryptographic 5440 code. Also, the timing-safe comparison functions have 5441 been renamed to avoid possible confusion with 5442 memcmp(). Thanks to Loganaden Velvindron of 5443 AFRINIC. [RT #40148] 5444 54454182. [cleanup] Use mnemonics for RR class and type comparisons. 5446 [RT #40297] 5447 54484181. [bug] Queued notify messages could be dequeued from the 5449 wrong rate limiter queue. [RT #40350] 5450 54514180. [bug] Error responses in pipelined queries could 5452 cause a crash in client.c. [RT #40289] 5453 54544179. [bug] Fix double frees in getaddrinfo() in libirs. 5455 [RT #40209] 5456 54574178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from 5458 text. [RT #40274] 5459 54604177. 
[bug] Fix assertion failure in parsing NSAP records from 5461 text. [RT #40285] 5462 54634176. [bug] Address race issues with lwresd. [RT #40284] 5464 54654175. [bug] TKEY with GSS-API keys needed bigger buffers. 5466 [RT #40333] 5467 54684174. [bug] "dnssec-coverage -r" didn't handle time unit 5469 suffixes correctly. [RT #38444] 5470 54714173. [bug] dig +sigchase was not properly matching the trusted 5472 key. [RT #40188] 5473 54744172. [bug] Named / named-checkconf didn't handle a view of CLASS0. 5475 [RT #40265] 5476 54774171. [bug] Fixed incorrect class checks in TSIG RR 5478 implementation. [RT #40287] 5479 54804170. [security] An incorrect boundary check in the OPENPGPKEY 5481 rdatatype could trigger an assertion failure. 5482 (CVE-2015-5986) [RT #40286] 5483 54844169. [test] Added a 'wire_test -d' option to read input as 5485 raw binary data, for use as a fuzzing harness. 5486 [RT #40312] 5487 54884168. [security] A buffer accounting error could trigger an 5489 assertion failure when parsing certain malformed 5490 DNSSEC keys. (CVE-2015-5722) [RT #40212] 5491 54924167. [func] Update rndc's usage output to include recently added 5493 commands. Thanks to Tony Finch for submitting a 5494 patch. [RT #40010] 5495 54964166. [func] Print informative output from rndc showzone when 5497 allow-new-zones is not enabled for a view. Thanks to 5498 Tony Finch for submitting a patch. [RT #40009] 5499 55004165. [security] A failure to reset a value to NULL in tkey.c could 5501 result in an assertion failure. (CVE-2015-5477) 5502 [RT #40046] 5503 55044164. [bug] Don't rename slave files and journals on out of memory. 5505 [RT #40033] 5506 55074163. [bug] Address compiler warnings. [RT #40024] 5508 55094162. [bug] httpdmgr->flags was not being initialized. [RT #40017] 5510 55114161. [test] Add JSON test for traffic size stats; also test 5512 for consistency between "rndc stats" and the XML 5513 and JSON statistics channel contents. [RT #38700] 5514 55154160. 
[placeholder] 5516 55174159. [cleanup] Alphabetize dig's help output. [RT #39966] 5518 55194158. [placeholder] 5520 55214157. [placeholder] 5522 55234156. [func] Added statistics counters to track the sizes 5524 of incoming queries and outgoing responses in 5525 histogram buckets, as specified in RSSAC002. 5526 [RT #39049] 5527 55284155. [func] Allow RPZ rewrite logging to be configured on a 5529 per-zone basis using a newly introduced log clause in 5530 the response-policy option. [RT #39754] 5531 55324154. [bug] A OPT record should be included with the FORMERR 5533 response when there is a malformed EDNS option. 5534 [RT #39647] 5535 55364153. [bug] Dig should zero non significant +subnet bits. Check 5537 that non significant ECS bits are zero on receipt. 5538 [RT #39647] 5539 55404152. [func] Implement DNS COOKIE option. This replaces the 5541 experimental SIT option of BIND 9.10. The following 5542 named.conf directives are available: send-cookie, 5543 cookie-secret, cookie-algorithm, nocookie-udp-size 5544 and require-server-cookie. The following dig options 5545 are available: +[no]cookie[=value] and +[no]badcookie. 5546 [RT #39928] 5547 55484151. [bug] 'rndc flush' could cause a deadlock. [RT #39835] 5549 55504150. [bug] win32: listen-on-v6 { any; }; was not working. Apply 5551 minimal fix. [RT #39667] 5552 55534149. [bug] Fixed a race condition in the getaddrinfo() 5554 implementation in libirs, which caused the delv 5555 utility to crash with an assertion failure when using 5556 the '@server' syntax with a hostname argument. 5557 [RT #39899] 5558 55594148. [bug] Fix a bug when printing zone names with '/' character 5560 in XML and JSON statistics output. [RT #39873] 5561 55624147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6 5563 was returning referrals rather than nodata responses 5564 when the AAAA records were filtered. [RT #39843] 5565 55664146. [bug] Address reference leak that could prevent a clean 5567 shutdown. 
[RT #37125] 5568 55694145. [bug] Not all unassociated adb entries where being printed. 5570 [RT #37125] 5571 55724144. [func] Add statistics counters for nxdomain redirections. 5573 [RT #39790] 5574 55754143. [placeholder] 5576 55774142. [bug] rndc addzone with view specified saved NZF config 5578 that could not be read back by named. This has now 5579 been fixed. [RT #39845] 5580 55814141. [bug] A formatting bug caused rndc zonestatus to print 5582 negative numbers for large serial values. This has 5583 now been fixed. [RT #39854] 5584 55854140. [cleanup] Remove redundant nzf_remove() call during delzone. 5586 [RT #39844] 5587 55884139. [doc] Fix rpz-client-ip documentation. [RT #39783] 5589 55904138. [security] An uninitialized value in validator.c could result 5591 in an assertion failure. (CVE-2015-4620) [RT #39795] 5592 55934137. [bug] Make rndc reconfig report configuration errors the 5594 same way rndc reload does. [RT #39635] 5595 55964136. [bug] Stale statistics counters with the leading 5597 '#' prefix (such as #NXDOMAIN) were not being 5598 updated correctly. This has been fixed. [RT #39141] 5599 56004135. [cleanup] Log expired NTA at startup. [RT #39680] 5601 56024134. [cleanup] Include client-ip rules when logging the number 5603 of RPZ rules of each type. [RT #39670] 5604 56054133. [port] Update how various json libraries are handled. 5606 [RT #39646] 5607 56084132. [cleanup] dig: added +rd as a synonym for +recurse, 5609 added +class as an unabbreviated alternative 5610 to +cl. [RT #39686] 5611 56124131. [bug] Addressed further problems with reloading RPZ 5613 zones. [RT #39649] 5614 56154130. [bug] The compatibility shim for *printf() misprinted some 5616 large numbers. [RT #39586] 5617 56184129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532] 5619 56204128. [bug] Address issues raised by Coverity 7.6. [RT #39537] 5621 56224127. [protocol] CDS and CDNSKEY need to be signed by the key signing 5623 key as per RFC 7344, Section 4.1. 
[RT #37215] 5624 56254126. [bug] Addressed a regression introduced in change #4121. 5626 [RT #39611] 5627 56284125. [test] Added tests for dig, renamed delv test to digdelv. 5629 [RT #39490] 5630 56314124. [func] Log errors or warnings encountered when parsing the 5632 internal default configuration. Clarify the logging 5633 of errors and warnings encountered in rndc 5634 addzone or modzone parameters. [RT #39440] 5635 56364123. [port] Added %z (size_t) format options to the portable 5637 internal printf/sprintf implementation. [RT #39586] 5638 56394122. [bug] The server could match a shorter prefix than what was 5640 available in CLIENT-IP policy triggers, and so, an 5641 unexpected action could be taken. This has been 5642 corrected. [RT #39481] 5643 56444121. [bug] On servers with one or more policy zones 5645 configured as slaves, if a policy zone updated 5646 during regular operation (rather than at 5647 startup) using a full zone reload, such as via 5648 AXFR, a bug could allow the RPZ summary data to 5649 fall out of sync, potentially leading to an 5650 assertion failure in rpz.c when further 5651 incremental updates were made to the zone, such 5652 as via IXFR. [RT #39567] 5653 56544120. [bug] A bug in RPZ could cause the server to crash if 5655 policy zones were updated while recursion was 5656 pending for RPZ processing of an active query. 5657 [RT #39415] 5658 56594119. [test] Allow dig to set the message opcode. [RT #39550] 5660 56614118. [bug] Teach isc-config.sh about irs. [RT #39213] 5662 56634117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534. 5664 56654116. [bug] Fix a bug in RPZ that could cause some policy 5666 zones that did not specifically require 5667 recursion to be treated as if they did; 5668 consequently, setting qname-wait-recurse no; was 5669 sometimes ineffective. [RT #39229] 5670 56714115. [func] "rndc -r" now prints the result code (e.g., 5672 ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after 5673 running the requested command. 
[RT #38913] 5674 56754114. [bug] Fix a regression in radix tree implementation 5676 introduced by ECS code. This bug was never 5677 released, but it was reported by a user testing 5678 master. [RT #38983] 5679 56804113. [test] Check for Net::DNS is some system test 5681 prerequisites. [RT #39369] 5682 56834112. [bug] Named failed to load when "root-delegation-only" 5684 was used without a list of domains to exclude. 5685 [RT #39380] 5686 56874111. [doc] Alphabetize rndc man page. [RT #39360] 5688 56894110. [bug] Address memory leaks / null pointer dereferences 5690 on out of memory. [RT #39310] 5691 56924109. [port] linux: support reading the local port range from 5693 net.ipv4.ip_local_port_range. [RT # 39379] 5694 56954108. [func] An additional NXDOMAIN redirect method (option 5696 "nxdomain-redirect") has been added, allowing 5697 redirection to a specified DNS namespace instead 5698 of a single redirect zone. [RT #37989] 5699 57004107. [bug] Address potential deadlock when updating zone content. 5701 [RT #39269] 5702 57034106. [port] Improve readline support. [RT #38938] 5704 57054105. [port] Misc fixes for Microsoft Visual Studio 5706 2015 CTP6 in 64 bit mode. [RT #39308] 5707 57084104. [bug] Address uninitialized elements. [RT #39252] 5709 57104103. [port] Misc fixes for Microsoft Visual Studio 5711 2015 CTP6. [RT #39267] 5712 57134102. [bug] Fix a use after free bug introduced in change 5714 #4094. [RT #39281] 5715 57164101. [bug] dig: the +split and +rrcomments options didn't 5717 work with +short. [RT #39291] 5718 57194100. [bug] Inherited owernames on the line immediately following 5720 a $INCLUDE were not working. [RT #39268] 5721 57224099. [port] clang: make unknown commandline options hard errors 5723 when determining what options are supported. 5724 [RT #39273] 5725 57264098. [bug] Address use-after-free issue when using a 5727 predecessor key with dnssec-settime. [RT #39272] 5728 57294097. [func] Add additional logging about xfrin transfer status. 
5730 [RT #39170] 5731 57324096. [bug] Fix a use after free of query->sendevent. 5733 [RT #39132] 5734 57354095. [bug] zone->options2 was not being properly initialized. 5736 [RT #39228] 5737 57384094. [bug] A race during shutdown or reconfiguration could 5739 cause an assertion in mem.c. [RT #38979] 5740 57414093. [func] Dig now learns the SIT value from truncated 5742 responses when it retries over TCP. [RT #39047] 5743 57444092. [bug] 'in-view' didn't work for zones beneath a empty zone. 5745 [RT #39173] 5746 57474091. [cleanup] Some cleanups in isc mem code. [RT #38896] 5748 57494090. [bug] Fix a crash while parsing malformed CAA RRs in 5750 presentation format, i.e., from text such as 5751 from master files. Thanks to John Van de 5752 Meulebrouck Brendgard for discovering and 5753 reporting this problem. [RT #39003] 5754 57554089. [bug] Send notifies immediately for slave zones during 5756 startup. [RT #38843] 5757 57584088. [port] Fixed errors when building with libressl. [RT #38899] 5759 57604087. [bug] Fix a crash due to use-after-free due to sequencing 5761 of tasks actions. [RT #38495] 5762 57634086. [bug] Fix out-of-srcdir build with native pkcs11. [RT #38831] 5764 57654085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set. 5766 [RT #38828] 5767 57684084. [bug] Fix a possible race in updating stats counters. 5769 [RT #38826] 5770 57714083. [cleanup] Print the number of CPUs and UDP listeners 5772 consistently in the log and in "rndc status" 5773 output; indicate whether threads are supported 5774 in "named -V" output. [RT #38811] 5775 57764082. [bug] Incrementally sign large inline zone deltas. 5777 [RT #37927] 5778 57794081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759] 5780 57814080. [func] Completed change #4022, adding a "lock-file" option 5782 to named.conf to override the default lock file, 5783 in addition to the "named -X <filename>" command 5784 line option. 
Setting the lock file to "none" 5785 using either method disables the check completely. 5786 [RT #37908] 5787 57884079. [func] Preserve the case of the owner name of records to 5789 the RRset level. [RT #37442] 5790 57914078. [bug] Handle the case where CMSG_SPACE(sizeof(int)) != 5792 CMSG_SPACE(sizeof(char)). [RT #38621] 5793 57944077. [test] Add static-stub regression test for DS NXDOMAIN 5795 return making the static stub disappear. [RT #38564] 5796 57974076. [bug] Named could crash on shutdown with outstanding 5798 reload / reconfig events. [RT #38622] 5799 58004075. [placeholder] 5801 58024074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708] 5803 58044073. [cleanup] Add libjson-c version number reporting to 5805 "named -V"; normalize version number formatting. 5806 [RT #38056] 5807 58084072. [func] Add a --enable-querytrace configure switch for 5809 very verbose query trace logging. (This option 5810 has a negative performance impact and should be 5811 used only for debugging.) [RT #37520] 5812 58134071. [cleanup] Initialize pthread mutex attrs just once, instead of 5814 doing it per mutex creation. [RT #38547] 5815 58164070. [bug] Fix a segfault in nslookup in a query such as 5817 "nslookup isc.org AMS.SNS-PB.ISC.ORG -all". 5818 [RT #38548] 5819 58204069. [doc] Reorganize options in the nsupdate man page. 5821 [RT #38515] 5822 58234068. [bug] Omit unknown serial number from JSON zone statistics. 5824 [RT #38604] 5825 58264067. [cleanup] Reduce noise from RRL when query logging is 5827 disabled. [RT #38648] 5828 58294066. [doc] Reorganize options in the dig man page. [RT #38516] 5830 58314065. [test] Additional RFC 5011 tests. [RT #38569] 5832 58334064. [contrib] dnssec-keyset.sh: Generates a specified number 5834 of DNSSEC keys with timing set to implement a 5835 pre-publication key rollover strategy. Thanks 5836 to Jeffry A. Spain. [RT #38459] 5837 58384063. 
[bug] Asynchronous zone loads were not handled 5839 correctly when the zone load was already in 5840 progress; this could trigger a crash in zt.c. 5841 [RT #37573] 5842 58434062. [bug] Fix an out-of-bounds read in RPZ code. If the 5844 read succeeded, it doesn't result in a bug 5845 during operation. If the read failed, named 5846 could segfault. [RT #38559] 5847 58484061. [bug] Handle timeout in legacy system test. [RT #38573] 5849 58504060. [bug] dns_rdata_freestruct could be called on a 5851 uninitialized structure when handling a error. 5852 [RT #38568] 5853 58544059. [bug] Addressed valgrind warnings. [RT #38549] 5855 58564058. [bug] UDP dispatches could use the wrong pseudorandom 5857 number generator context. [RT #38578] 5858 58594057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field. 5860 [RT #38565] 5861 58624056. [bug] Expanded automatic testing of trust anchor 5863 management and fixed several small bugs including 5864 a memory leak and a possible loss of key state 5865 information. [RT #38458] 5866 58674055. [func] "rndc managed-keys" can be used to check status 5868 of trust anchors or to force keys to be refreshed, 5869 Also, the managed keys data file has easier-to-read 5870 comments. [RT #38458] 5871 58724054. [func] Added a new tool 'mdig', a lightweight clone of 5873 dig able to send multiple pipelined queries. 5874 [RT #38261] 5875 58764053. [security] Revoking a managed trust anchor and supplying 5877 an untrusted replacement could cause named 5878 to crash with an assertion failure. 5879 (CVE-2015-1349) [RT #38344] 5880 58814052. [bug] Fix a leak of query fetchlock. [RT #38454] 5882 58834051. [bug] Fix a leak of pthread_mutexattr_t. [RT #38454] 5884 58854050. [bug] RPZ could send spurious SERVFAILs in response 5886 to duplicate queries. [RT #38510] 5887 58884049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491] 5889 58904048. [bug] adb hash table was not being grown. [RT #38470] 5891 58924047. 
[cleanup] "named -V" now reports the current running versions 5893 of OpenSSL and the libxml2 libraries, in addition to 5894 the versions that were in use at build time. 5895 58964046. [bug] Accounting of "total use" in memory context 5897 statistics was not correct. [RT #38370] 5898 58994045. [bug] Skip to next master on dns_request_createvia4 failure. 5900 [RT #25185] 5901 59024044. [bug] Change 3955 was not complete, resulting in an assertion 5903 failure if the timing was just right. [RT #38352] 5904 59054043. [func] "rndc modzone" can be used to modify the 5906 configuration of an existing zone, using similar 5907 syntax to "rndc addzone". [RT #37895] 5908 59094042. [bug] zone.c:iszonesecure was being called too late. 5910 [RT #38371] 5911 59124041. [func] TCP sockets can now be shared while connecting. 5913 (This will be used to enable client-side support 5914 of pipelined queries.) [RT #38231] 5915 59164040. [func] Added server-side support for pipelined TCP 5917 queries. Clients may continue sending queries via 5918 TCP while previous queries are being processed 5919 in parallel. (The new "keep-response-order" 5920 option allows clients to be specified for which 5921 the old behavior will still be used.) [RT #37821] 5922 59234039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381] 5924 59254038. [bug] Add 'rpz' flag to node and use it to determine whether 5926 to call dns_rpz_delete. This should prevent unbalanced 5927 add / delete calls. [RT #36888] 5928 59294037. [bug] also-notify was ignoring the tsig key when checking 5930 for duplicates resulting in some expected notify 5931 messages not being sent. [RT #38369] 5932 59334036. [bug] Make call to open a temporary file name safe during 5934 NZF creation. [RT #38331] 5935 59364035. [bug] Close temporary and NZF FILE pointers before moving 5937 the former into the latter's place, as required on 5938 Windows. [RT #38332] 5939 59404034. 
[func] When added, negative trust anchors (NTA) are now 5941 saved to files (viewname.nta), in order to 5942 persist across restarts of the named server. 5943 [RT #37087] 5944 59454033. [bug] Missing out of memory check in request.c:req_send. 5946 [RT #38311] 5947 59484032. [bug] Built-in "empty" zones did not correctly inherit the 5949 "allow-transfer" ACL from the options or view. 5950 [RT #38310] 5951 59524031. [bug] named-checkconf -z failed to report a missing file 5953 with a hint zone. [RT #38294] 5954 59554030. [func] "rndc delzone" is now applicable to zones that were 5956 configured in named.conf, as well as zones that 5957 were added via "rndc addzone". (Note, however, that 5958 if named.conf is not also modified, the deleted zone 5959 will return when named is reloaded.) [RT #37887] 5960 59614029. [func] "rndc showzone" displays the current configuration 5962 of a specified zone. [RT #37887] 5963 59644028. [bug] $GENERATE with a zero step was not being caught as a 5965 error. A $GENERATE with a / but no step was not being 5966 caught as a error. [RT #38262] 5967 59684027. [port] Net::DNS 0.81 compatibility. [RT #38165] 5969 59704026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173] 5971 59724025. [port] bsdi: failed to build. [RT #38047] 5973 59744024. [bug] dns_rdata_opt_first, dns_rdata_opt_next, 5975 dns_rdata_opt_current, dns_rdata_txt_first, 5976 dns_rdata_txt_next and dns_rdata_txt_current were 5977 documented but not implemented. These have now been 5978 implemented. 5979 5980 dns_rdata_spf_first, dns_rdata_spf_next and 5981 dns_rdata_spf_current were documented but not 5982 implemented. The prototypes for these 5983 functions have been removed. [RT #38068] 5984 59854023. [bug] win32: socket handling with explicit ports and 5986 invoking named with -4 was broken for some 5987 configurations. [RT #38068] 5988 59894022. [func] Stop multiple spawns of named by limiting number of 5990 processes to 1. 
			This is done by using a lockfile and
			checking whether we can listen on any configured
			TCP interfaces. [RT #37908]

4021.	[bug]		Adjust max-recursion-queries to accommodate
			the need for more queries when the cache is
			empty. [RT #38104]

4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
			resulting in updates being sent to the wrong server.
			[RT #37925]

4019.	[func]		If named is not configured to validate the answer
			then allow fallback to plain DNS on timeout even
			when we know the server supports EDNS. [RT #37978]

4018.	[placeholder]

4017.	[test]		Add system test to check lookups to legacy servers
			with broken DNS behavior. [RT #37965]

4016.	[bug]		Fix a dig segfault due to bad linked list usage.
			[RT #37591]

4015.	[bug]		Nameservers that are skipped due to them being
			CNAMEs were not being logged. They are now logged
			to category 'cname' as per BIND 8. [RT #37935]

4014.	[bug]		When including a master file origin_changed was
			not being properly set leading to a potentially
			spurious 'inherited owner' warning. [RT #37919]

4013.	[func]		Add a new tcp-only option to server (config) /
			peer (struct) to use TCP transport to send
			queries (in place of UDP transport with a
			TCP fallback on truncated (TC set) response).
			[RT #37800]

4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
			functions when they return one. Note this applies
			only to FIPS capable OpenSSL libraries put in
			FIPS mode and MD5. [RT #37944]

4011.	[bug]		master's list port and dscp inheritance was not
			properly implemented. [RT #37792]

4010.	[cleanup]	Clear the prefetchable state when initiating a
			prefetch. [RT #37399]

4009.	[func]		delv: added a +tcp option. [RT #37855]

4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]

4007.	[doc]		Remove acl forward reference restriction. [RT #37772]

4006.	[security]	A flaw in delegation handling could be exploited
			to put named into an infinite loop. This has
			been addressed by placing limits on the number
			of levels of recursion named will allow (default 7),
			and the number of iterative queries that it will
			send (default 50) before terminating a recursive
			query (CVE-2014-8500).

			The recursion depth limit is configured via the
			"max-recursion-depth" option, and the query limit
			via the "max-recursion-queries" option. [RT #37580]

4005.	[func]		The buffer used for returning text from rndc
			commands is now dynamically resizable, allowing
			arbitrarily large amounts of text to be sent back
			to the client. (Prior to this change, it was
			possible for the output of "rndc tsig-list" to be
			truncated.) [RT #37731]

4004.	[bug]		When delegations had AAAA glue but not A, a
			reference could be leaked causing an assertion
			failure on shutdown. [RT #37796]

4003.	[security]	When geoip-directory was reconfigured during
			named run-time, the previously loaded GeoIP
			data could remain, potentially causing wrong
			ACLs to be used or wrong results to be served
			based on geolocation (CVE-2014-8680). [RT #37720]

4002.	[security]	Lookups in GeoIP databases that were not
			loaded could cause an assertion failure
			(CVE-2014-8680). [RT #37679]

4001.	[security]	The caching of GeoIP lookups did not always
			handle address families correctly, potentially
			resulting in an assertion failure (CVE-2014-8680).
			[RT #37672]

4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
			from the redirect zone. [RT #37722]

3999.	[func]		"mkeys" and "nzf" files are now named after
			their corresponding views, unless the view name
			contains characters that would be incompatible
			with use in a filename (i.e., slash, backslash,
			or capital letters). If a view name does contain
			these characters, the files will still be named
			using a cryptographic hash of the view name.
			Regardless of this, if a file using the old name
			format is found to exist, it will continue to be
			used. [RT #37704]

3998.	[bug]		isc_radix_search was returning matches that were
			too precise. [RT #37680]

3997.	[protocol]	Add OPENGPGKEY record. [RT #37671]

3996.	[bug]		Address use after free on out of memory error in
			keyring_add. [RT #37639]

3995.	[bug]		receive_secure_serial holds the zone lock for too
			long. [RT #37626]

3994.	[func]		Dig now supports setting the last unassigned DNS
			header flag bit (dig +zflag). [RT #37421]

3993.	[func]		Dig now supports EDNS negotiation by default.
			(dig +[no]ednsnegotiation).

			Note: This is disabled by default in BIND 9.10
			and enabled by default in BIND 9.11. [RT #37604]

3992.	[func]		DiG can now send queries without questions
			(dig +header-only). [RT #37599]

3991.	[func]		Add the ability to buffer logging output by specifying
			"buffered yes;" when defining a channel. [RT #26561]

3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
			[RT #37541]

3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]

3988.	[func]		Allow the zone serial of a dynamically updatable
			zone to be updated via "rndc signing -serial".
			[RT #37404]

3987.	[port]		Handle future Visual Studio 14 incompatible changes.
			[RT #37380]

3986.	[doc]		Add the BIND version number to page footers
			in the ARM. [RT #37398]

3985.	[doc]		Describe how +ndots and +search interact in dig.
			[RT #37529]

3984.	[func]		Accept 256 byte long PINs in native PKCS#11
			crypto. [RT #37410]

3983.	[bug]		Change #3940 was incomplete: negative trust anchors
			could be set to last up to a week, but the
			"nta-lifetime" and "nta-recheck" options were
			still limited to one day. [RT #37522]

3982.	[doc]		Include release notes in product documentation.
			[RT #37272]

3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
			[RT #37467]

3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
			size. [RT #37187]

3979.	[bug]		Negative trust anchor fetches were not properly
			managed. [RT #37488]

3978.	[test]		Added a unit test for Diffie-Hellman key
			computation, completing change #3974. [RT #37477]

3977.	[cleanup]	"rndc secroots" reported a "not found" error when
			there were no negative trust anchors set. [RT #37506]

3976.	[bug]		When refreshing managed-key trust anchors, clear
			any cached trust so that they will always be
			revalidated with the current set of secure
			roots. [RT #37506]

3975.	[bug]		Don't populate or use the bad cache for queries that
			don't request or use recursion. [RT #37466]

3974.	[bug]		Handle DH_compute_key() failure correctly in
			openssldh_link.c. [RT #37477]

3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
			including real-time/wall-clock profiling. Use
			"configure --with-gperftools-profiler" to enable.
			[RT #37339]

3972.	[bug]		Fix host's usage statement. [RT #37397]

3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
			in named-checkconf / named-checkzone. [RT #37138]

3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
			[RT #37237]

3969.	[test]		Added 'delv' system test. [RT #36901]

3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
			[RT #37308]

3967.	[test]		Add test for inlined signed zone in multiple views
			with different DNSKEY sets. [RT #35759]

3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
			[RT #35746]

3965.	[func]		Log outgoing packets and improve packet logging to
			support logging the remote address. [RT #36624]

3964.	[func]		nsupdate now performs check-names processing.
			[RT #36266]

3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
			system test. [RT #37344]

3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
			conditions. [RT #34663]

3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
			BADSIG. [RT #37216]

3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]

3959.	[bug]		Updates could be lost if they arrived immediately
			after a rndc thaw. [RT #37233]

3958.	[bug]		Detect when writeable files have multiple references
			in named.conf. [RT #37172]

3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
			and ECDSAP384SHA384. [RT #37183]

3956.	[func]		Notify messages are now rate limited by notify-rate and
			startup-notify-rate instead of serial-query-rate.
			[RT #24454]

3955.	[bug]		Notify messages due to changes are no longer queued
			behind startup notify messages. [RT #24454]

3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]

3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]

3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
			two name pointers were the same. [RT #37176]

3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
			to dig (+ednsflags=#). [RT #37142]

3950.	[port]		Changed the bin/python Makefile to work around a
			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]

3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
			building). Add support for limiting the EDNS version
			advertised to servers: server { edns-version 0; };
			Log the EDNS version received in the query log.
			[RT #35864]

3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
			--with-tuning=large. [RT #37059]

3947.	[cleanup]	Set the executable bit on libraries when using
			libtool. [RT #36786]

3946.	[cleanup]	Improved "configure" search for a python interpreter.
			[RT #36992]

3945.	[bug]		Invalid wildcard expansions could be incorrectly
			accepted by the validator. [RT #37093]

3944.	[test]		Added a regression test for "server-id". [RT #37057]

3943.	[func]		SERVFAIL responses can now be cached for a
			limited time (configured by "servfail-ttl",
			default 10 seconds, limit 30). This can reduce
			the frequency of retries when an authoritative
			server is known to be failing, e.g., due to
			ongoing DNSSEC validation problems. [RT #21347]

3942.	[bug]		Wildcard responses from an optout range should be
			marked as insecure. [RT #37072]

3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]

3940.	[func]		"rndc nta" now allows negative trust anchors to be
			set for up to one week. [RT #37069]

3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
			connections to be shared. [RT #37039]

3938.	[func]		Added quotas to be used in recursive resolvers
			that are under high query load for names in zones
			whose authoritative servers are nonresponsive or
			are experiencing a denial of service attack.

			- "fetches-per-server" limits the number of
			  simultaneous queries that can be sent to any
			  single authoritative server. The configured
			  value is a starting point; it is automatically
			  adjusted downward if the server is partially or
			  completely non-responsive. The algorithm used to
			  adjust the quota can be configured via the
			  "fetch-quota-params" option.
			- "fetches-per-zone" limits the number of
			  simultaneous queries that can be sent for names
			  within a single domain. (Note: Unlike
			  "fetches-per-server", this value is not
			  self-tuning.)
			- New stats counters have been added to count
			  queries spilled due to these quotas.

			See the ARM for details of these options. [RT #37125]

3937.	[func]		Added some debug logging to better indicate the
			conditions causing SERVFAILs when resolving.
			[RT #35538]

3936.	[func]		Added authoritative support for the EDNS Client
			Subnet (ECS) option.

			ACLs can now include "ecs" elements which specify
			an address or network prefix; if an ECS option is
			included in a DNS query, then the address encoded
			in the option will be matched against "ecs" ACL
			elements.

			Also, if an ECS address is included in a query,
			then it will be used instead of the client source
			address when matching "geoip" ACL elements. This
			behavior can be overridden with "geoip-use-ecs no;".
			(Note: to enable "geoip" ACLs, use "configure
			--with-geoip". This requires libGeoIP version
			1.5.0 or higher.)

			When "ecs" or "geoip" ACL elements are used to
			select a view for a query, the response will include
			an ECS option to indicate which client network the
			answer is valid for.

			(Thanks to Vincent Bernat.) [RT #36781]

3935.	[bug]		"geoip asnum" ACL elements would not match unless
			the full organization name was specified. They
			can now match against the AS number alone (e.g.,
			AS1234). [RT #36945]

3934.	[bug]		Catch bad 'sit-secret' in named-checkconf. Improve
			sit-secret documentation. [RT #36980]

3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
			for the HIP rdata type. [RT #36911]

3932.	[test]		Improved named-checkconf tests. [RT #36911]

3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]

3930.	[bug]		"rndc nta -r" could cause a server hang if the
			NTA was not found. [RT #36909]

3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]

3928.	[test]		Improve rndc system test. [RT #36898]

3927.	[bug]		dig: report PKCS#11 error codes correctly when
			compiled with --enable-native-pkcs11. [RT #36956]

3926.	[doc]		Added doc for geoip-directory. [RT #36877]

3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]

3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]

3923.	[bug]		Sanity check the xml2-config output. [RT #22246]

3922.	[bug]		When resigning, dnssec-signzone was removing
			all signatures from delegation nodes. It now
			retains DS and (if applicable) NSEC signatures.
			[RT #36946]

3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]

3920.	[doc]		Added doc for masterfile-style. [RT #36823]

3919.	[bug]		dig: continue to next line if an address lookup fails
			in batch mode. [RT #36755]

3918.	[doc]		Update check-spf documentation. [RT #36910]

3917.	[bug]		dig, nslookup and host now continue on names that are
			too long after applying a search list element.
			[RT #36892]

3916.	[contrib]	zone2sqlite checked wrong result code. Address
			compiler warnings. [RT #36931]

3915.	[bug]		Address an assertion if a route event arrived while
			shutting down. [RT #36887]

3914.	[bug]		Allow the URI target and CAA value fields to
			be zero length. [RT #36737]

3913.	[bug]		Address race issue in dispatch. [RT #36731]

3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]

3911.	[func]		Implement EDNS EXPIRE option client side, allowing
			a slave server to set the expiration timer correctly
			when transferring zone data from another slave
			server. [RT #35925]

3910.	[bug]		Fix races to free event during shutdown. [RT #36720]

3909.	[bug]		When computing the number of elements required for an
			acl count_acl_elements could have a short count leading
			to an assertion failure. Also zero out new acl elements
			in dns_acl_merge. [RT #36675]

3908.	[bug]		rndc now differentiates between a zone in multiple
			views and a zone that doesn't exist at all. [RT #36691]

3907.	[cleanup]	Alphabetize rndc help. [RT #36683]

3906.	[protocol]	Update URI record format to comply with
			draft-faltstrom-uri-08. [RT #36642]

3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]

3904.	[func]		Add the RPZ SOA to the additional section. [RT #36507]

3903.	[bug]		Improve the accuracy of DiG's reported round trip
			time. [RT #36611]

3902.	[bug]		liblwres wasn't handling link-local addresses in
			nameserver clauses in resolv.conf. [RT #36039]

3901.	[protocol]	Added support for CAA record type (RFC 6844).
			[RT #36625]

3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]

3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
			zones. [RT #36608]

3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
			[RT #36598]

3897.	[bug]		RPZ summary information was not properly being updated
			after an AXFR resulting in changes sometimes being
			ignored. [RT #35885]

3896.	[bug]		Address performance issues with DSCP code on some
			platforms. [RT #36534]

3895.	[func]		Add the ability to set the DSCP code point to dig.
			[RT #36546]

3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
			initialized leading to potential overflows when
			printing out quad values. [RT #36505]

3893.	[bug]		Peer DSCP values could be returned without being set.
			[RT #36538]

3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
			effects. [RT #36452]

3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
			to install python programs.

3890.	[bug]		RRSIG sets that were not loaded in a single transaction
			at start up were not being correctly added to
			re-signing heaps. [RT #36302]

3889.	[port]		hurd: configure fixes as per:
			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540

3888.	[func]		'rndc status' now reports the number of automatic
			zones. [RT #36015]

3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
			they are easier to use in a debugger. [RT #36373]

3886.	[bug]		rbtdb_write_header should use a once to initialize
			FILE_VERSION. [RT #36374]

3885.	[port]		Use 'open()' rather than 'file()' to open files in
			python.

3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]

3883.	[placeholder]

3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behavior. The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]

3881.	[bug]		Address memory leak with UPDATE error handling.
			[RT #36303]

3880.	[test]		Update ans.pl to work with new TSIG support in
			Net::DNS; add additional Net::DNS version prerequisite
			checks. [RT #36327]

3879.	[func]		Add version printing option to various BIND utilities.
			[RT #10686]

3878.	[bug]		Using the incorrect filename for a DLZ module
			caused a segmentation fault on startup. [RT #36286]

3877.	[bug]		Inserting and deleting parent and child nodes
			in response policy zones could trigger an assertion
			failure. [RT #36272]

3876.	[bug]		Improve efficiency of DLZ redirect zones by
			suppressing unnecessary database lookups. [RT #35835]

3875.	[cleanup]	Clarify log message when unable to read private
			key files. [RT #24702]

3874.	[test]		Check that only "check-names master" is needed for
			updates to be accepted.

3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]

3872.	[bug]		Address issues found by static analysis. [RT #36209]

3871.	[bug]		Don't publish an activated key automatically before
			its publish time. [RT #35063]

3870.	[func]		Updated the random number generator used in
			the resolver to use the updated ChaCha based one
			(similar to OpenBSD's changes). Also moved the
			RNG to libisc and added unit tests for it.
			[RT #35942]

3869.	[doc]		Document that in-view zones cannot be used for
			response policy zones. [RT #35941]

3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
			potentially leaving over memory cleaner running.
			[RT #35270]

3867.	[func]		"rndc nta" can now be used to set a temporary
			negative trust anchor, which disables DNSSEC
			validation below a specified name for a specified
			period of time (not exceeding 24 hours). This
			can be used when validation for a domain is known
			to be failing due to a configuration error on
			the part of the domain owner rather than a
			spoofing attack. [RT #29358]

3866.	[bug]		Named could die on disk full in generate_session_key.
			[RT #36119]

3865.	[test]		Improved testability of the red-black tree
			implementation and added unit tests. [RT #35904]

3864.	[bug]		RPZ didn't work well when being used as forwarder.
			[RT #36060]

3863.	[bug]		The "E" flag was missing from the query log as an
			unintended side effect of code rearrangement to
			support EDNS EXPIRE. [RT #36117]

3862.	[cleanup]	Return immediately if we are not going to log the
			message in ns_client_dumpmessage.

3861.	[security]	Missing isc_buffer_availablelength check results
			in a REQUIRE assertion when printing out a packet
			(CVE-2014-3859). [RT #36078]

3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
			at run time as it is limited to {OPEN_MAX}.
			[RT #35878]

3859.	[placeholder]

3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
			[RT #35968]

3857.	[bug]		Make it harder for an incorrect NOEDNS classification
			to be made. [RT #36020]

3856.	[bug]		Configuring libjson without also configuring libxml
			resulted in a REQUIRE assertion when retrieving
			statistics using json. [RT #36009]

3855.	[bug]		Limit smoothed round trip time aging to no more than
			once a second. [RT #32909]

3854.	[cleanup]	Report unrecognized options, if any, in the final
			configure summary. [RT #36014]

3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
			the handling of a rdataset with no records. [RT #35968]

3852.	[func]		Increase the default number of clients available
			for servicing lightweight resolver queries, and
			make them configurable via the "lwres-tasks" and
			"lwres-clients" options. (Thanks to Tomas Hozza.)
			[RT #35857]

3851.	[func]		Allow libseccomp based system-call filtering
			on Linux; use "configure --enable-seccomp" to
			turn it on. Thanks to Loganaden Velvindron
			of AFRINIC for the contribution. [RT #35347]

3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
			[RT #35979]

3849.	[doc]		Alphabetized dig's +options. [RT #35992]

3848.	[bug]		Adjust 'statistics-channels specified but not effective'
			error message to account for JSON support. [RT #36008]

3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
			there is not support available.

3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
			ixfr query. [RT #35980]

3845.	[placeholder]

3844.	[bug]		Use the x64 version of the Microsoft Visual C++
			Redistributable when built for 64 bit Windows.
			[RT #35973]

3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
			[RT #35969]

3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]

3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
			[RT #35924]

3840.	[port]		Check for arc4random_addrandom() before using it;
			it's been removed from OpenBSD 5.5. [RT #35907]

3839.	[test]		Use only posix-compatible shell in system tests.
			[RT #35625]

3838.	[protocol]	EDNS EXPIRE has been assigned a code point of 9.

3837.	[security]	A NULL pointer is passed to query_prefetch resulting
			in a REQUIRE assertion failure when a fetch is actually
			initiated (CVE-2014-3214). [RT #35899]

3836.	[bug]		Address C++ keyword usage in header file.

3835.	[bug]		Geoip ACL elements didn't work correctly when
			referenced via named or nested ACLs. [RT #35879]

3834.	[bug]		The re-signing heaps were not being updated soon enough
			leading to multiple re-generations of the same RRSIG
			when a zone transfer was in progress. [RT #35273]

3833.	[bug]		Cross compiling was broken due to calling genrandom at
			build time. [RT #35869]

3832.	[func]		"named -L <filename>" causes named to send log
			messages to the specified file by default instead
			of to the system log. (Thanks to Tony Finch.)
			[RT #35845]

3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
			[RT #35843]

3830.	[func]		When query logging is enabled, log query errors at
			the same level ('info') as the queries themselves.
			[RT #35844]

3829.	[func]		"dig +ttlunits" causes dig to print TTL values
			with time-unit suffixes: w, d, h, m, s for
			weeks, days, hours, minutes, and seconds. (Thanks
			to Tony Finch.) [RT #35823]

3828.	[func]		"dnssec-signzone -N date" updates serial number
			to the current date in YYYYMMDDNN format.
			[RT #35800]

3827.	[placeholder]

3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
			[RT #35870]

3825.	[bug]		Address sign extension bug in isc_regex_validate.
			[RT #35758]

3824.	[bug]		A collision between two flag values could cause
			problems with cache cleaning when SIT was enabled.
			[RT #35858]

3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]

3822.	[bug]		Log the correct type of static-stub zones when
			removing them. [RT #35842]

3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
			update and transaction support. Thanks to Marty
			Lee for the contribution. [RT #35656]

3820.	[func]		The DLZ API doesn't pass the database version to
			the lookup() function; this can cause DLZ modules
			that allow dynamic updates to mishandle prerequisite
			checks. This has been corrected by adding a
			'dbversion' field to the dns_clientinfo_t
			structure. [RT #35656]

3819.	[bug]		NSEC3 hashes need to be able to be entered and
			displayed without padding. This is not an issue for
			currently defined algorithms but may be for future
			hash algorithms. [RT #27925]

3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
			constant in isc_event_allocate.

3817.	[func]		The "delve" command is now spelled "delv" to avoid
			a namespace collision with the Xapian project.
			[RT #35801]

3816.	[func]		"dig +qr" now reports query size. (Thanks to
			Tony Finch.) [RT #35822]

3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]

3814.	[func]		The "masterfile-style" zone option controls the
			formatting of dumped zone files. Options are
			"relative" (multiline format) and "full" (one
			record per line). The default is "relative".
			[RT #20798]

3813.	[func]		"host" now recognizes the "timeout", "attempts" and
			"debug" options when set in /etc/resolv.conf.
			(Thanks to Adam Tkac at RedHat.) [RT #21885]

3812.	[func]		Dig now supports sending arbitrary EDNS options from
			the command line (+ednsopt=code[:value]). [RT #35584]

3811.	[func]		"serial-update-method date;" sets serial number
			on dynamic update to today's date in YYYYMMDDNN
			format. (Thanks to Bradley Forschinger.) [RT #24903]

3810.	[bug]		Work around broken nameservers that fail to ignore
			unknown EDNS options. [RT #35766]

3809.	[doc]		Fix SIT and NSID documentation.

3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]

3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
			lowercase is set. [RT #35743]

3806.	[test]		Improved system test portability. [RT #35625]

3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
			for DNS over TCP. [RT #35710]

	--- 9.10.0rc1 released ---

3804.	[bug]		Corrected a race condition in dispatch.c in which
			portentry could be reset leading to an assertion
			failure in socket_search(). (Change #3708
			addressed the same issue but was incomplete.)
			[RT #35128]

3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
			using alternate data sources for not having a "file"
			option. [RT #35685]

3802.	[bug]		Various header files were not being installed.

3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]

3800.	[bug]		A pending event on the route socket could cause an
			assertion failure when shutting down named. [RT #35674]

3799.	[bug]		Improve named's command line error reporting.
			[RT #35603]

3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
			time. [RT #35659]

3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]

3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]

3795.	[bug]		Make named-checkconf detect raw masterfiles for
			hint zones and reject them. [RT #35268]

3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.

3793.	[bug]		zone.c:save_nsec3param() could assert when out of
			memory. [RT #35621]

3792.	[func]		Provide links to the alternate statistics views when
			displaying in a browser. [RT #35605]

3791.	[placeholder]

3790.	[bug]		Handle broken nameservers that send BADVERS in
			response to unknown EDNS options. Maintain
			statistics on BADVERS responses.

3789.	[bug]		Null pointer dereference on rbt creation failure.

3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
			mistake.

	--- 9.10.0b2 released ---

3787.	[bug]		The code that checks whether "auto-dnssec" is
			allowed was ignoring "allow-update" ACLs set at
			the options or view level. [RT #29536]

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PKCS#11 API implementation. [RT #35479]

3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
			input (only compiled with -DDEBUG). [RT #35544]

3784.	[bug]		Using "rrset-order fixed" when it had not been
			enabled at compile time caused inconsistent
			results. It now works as documented, defaulting
			to cyclic mode. [RT #28104]

3783.	[func]		"tsig-keygen" is now available as an alternate
			command name for "ddns-confgen". It generates
			a TSIG key in named.conf format without comments.
			[RT #35503]

3782.	[func]		Specifying "auto" as the salt when using
			"rndc signing -nsec3param" causes named to
			generate a 64-bit salt at random. [RT #35322]

3781.	[tuning]	Use adaptive mutex locks when available; this
			has been found to improve performance under load
			on many systems. "configure --with-locktype=standard"
			restores conventional mutex locks. [RT #32576]

3780.	[bug]		$GENERATE handled negative numbers incorrectly.
			[RT #25528]

3779.	[cleanup]	Clarify the error message when using an option
			that was not enabled at compile time. [RT #35504]

3778.	[bug]		Log a warning when the wrong address family is
			used in "listen-on" or "listen-on-v6". [RT #17848]

3777.	[bug]		EDNS EXPIRE code could dump core when processing
			DLZ queries. [RT #35493]

3776.	[func]		"rndc -q" suppresses output from successful
			rndc commands. Errors are printed on stderr.
			[RT #21393]

3775.	[bug]		dlz_dlopen driver could return the wrong error
			code on API version mismatch, leading to a segfault.
			[RT #35495]

3774.	[func]		When using "request-nsid", log the NSID value in
			printable form as well as hex. [RT #20864]

3773.	[func]		"host", "nslookup" and "nsupdate" now have
			options to print the version number and exit.
			[RT #26057]

3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
			(Based in part on a contribution from Tim Tessier.)
			[RT #20822]

3771.	[cleanup]	Adjusted log level for "using built-in key"
			messages. [RT #24383]

3770.	[bug]		"dig +trace" could fail with an assertion when it
			needed to fall back to TCP due to a truncated
			response. [RT #24660]

3769.	[doc]		Improved documentation of "rndc signing -list".
			[RT #30652]

3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
			algorithm. [RT #34000]

3767.	[func]		Log explicitly when using rndc.key to configure
			command channel. [RT #35316]

3766.	[cleanup]	Fixed problems with building outside the source
			tree when using native PKCS#11. [RT #35459]

3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
			named when dumping an empty keynode. [RT #35469]

3764.	[bug]		The dnssec-keygen/settime -S and -i options
			(to set up a successor key and set the prepublication
			interval) were missing from dnssec-keyfromlabel.
			[RT #35394]

3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
			re-fetch them when restarting validation. [RT #35476]

3762.	[bug]		Address build problems with --pkcs11-native +
			--with-openssl with ECDSA support. [RT #35467]

3761.	[bug]		Address dangling reference bug in dns_keytable_add.
			[RT #35471]

3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
			[RT #35433]

3759.	[port]		Enable delve on Windows. [RT #35441]

3758.	[port]		Enable export library APIs on Windows. [RT #35382]

3757.	[port]		Enable Python tools (dnssec-coverage,
			dnssec-checkds) to run on Windows. [RT #34355]

3756.	[bug]		GSSAPI Kerberos realm checking was broken in
			check_config leading to spurious messages being
			logged. [RT #35443]

	--- 9.10.0b1 released ---

3755.	[func]		Add stats counters for known EDNS options + others.
			[RT #35447]

3754.	[cleanup]	win32: Installer now places files in the
			Program Files area rather than system services.
			[RT #35361]

3753.	[bug]		allow-notify was ignoring keys. [RT #35425]

3752.	[bug]		Address potential REQUIRE failure if
			DNS_STYLEFLAG_COMMENTDATA is set when printing out
			a rdataset.

3751.	[tuning]	The default setting for the -U option (setting
			the number of UDP listeners per interface) has
			been adjusted to improve performance. [RT #35417]

3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00. Retrieval of
			the remaining time until expiry for slave zones
			is supported.

			EXPIRE uses an experimental option code (65002),
			which is subject to change. [RT #35416]

3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]

3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]

3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001),
			which will be changed to an IANA-assigned value
			if the experiment is deemed a success.

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT. RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented. This is
			needed to support turning off forwarding and turning
			on delegation only at the same name. [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support. Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.
[bug] Address memory leak in in peer.c. [RT #35255] 7088 70893718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260] 7090 70913717. [port] hpux: Treat EOPNOTSUPP as a expected error code when 7092 probing to see if it is possible to set dscp values 7093 on a per packet basis. [RT #35252] 7094 70953716. [bug] The dns_request code was setting dcsp values when not 7096 requested. [RT #35252] 7097 70983715. [bug] The region and city databases could fail to 7099 initialize when using some versions of libGeoIP, 7100 causing assertion failures when named was 7101 configured to use them. [RT #35427] 7102 71033714. [test] System tests that need to test for cryptography 7104 support before running can now use a common 7105 "testcrypto.sh" script to do so. [RT #35213] 7106 71073713. [bug] Save memory by not storing "also-notify" addresses 7108 in zone objects that are configured not to send 7109 notify requests. [RT #35195] 7110 71113712. [placeholder] 7112 71133711. [placeholder] 7114 71153710. [bug] Address double dns_zone_detach when switching to 7116 using automatic empty zones from regular zones. 7117 [RT #35177] 7118 71193709. [port] Use built-in versions of strptime() and timegm() 7120 on all platforms to avoid portability issues. 7121 [RT #35183] 7122 71233708. [bug] Address a portentry locking issue in dispatch.c. 7124 [RT #35128] 7125 71263707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND 7127 on a missing resolv.conf file and initializes the 7128 structure as if it had been configured with: 7129 7130 nameserver ::1 7131 nameserver 127.0.0.1 7132 7133 Note: Callers will need to be updated to treat 7134 ISC_R_FILENOTFOUND as a qualified success or else 7135 they will leak memory. The following code fragment 7136 will work with both old and new versions without 7137 changing the behaviour of the existing code. 
7138 7139 resconf = NULL; 7140 result = irs_resconf_load(mctx, "/etc/resolv.conf", 7141 &resconf); 7142 if (result != ISC_SUCCESS) { 7143 if (resconf != NULL) 7144 irs_resconf_destroy(&resconf); 7145 .... 7146 } 7147 7148 [RT #35194] 7149 71503706. [contrib] queryperf: Fixed a possible integer overflow when 7151 printing results. [RT #35182] 7152 71533705. [func] "configure --enable-native-pkcs11" enables BIND 7154 to use the PKCS#11 API for all cryptographic 7155 functions, so that it can drive a hardware service 7156 module directly without the need to use a modified 7157 OpenSSL as intermediary (so long as the HSM's vendor 7158 provides a complete-enough implementation of the 7159 PKCS#11 interface). This has been tested successfully 7160 with the Thales nShield HSM and with SoftHSMv2 from 7161 the OpenDNSSEC project. [RT #29031] 7162 71633704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185] 7164 71653703. [func] To improve recursive resolver performance, cache 7166 records which are still being requested by clients 7167 can now be automatically refreshed from the 7168 authoritative server before they expire, reducing 7169 or eliminating the time window in which no answer 7170 is available in the cache. See the "prefetch" option 7171 for more details. [RT #35041] 7172 71733702. [func] 'dnssec-coverage -l' option specifies a length 7174 of time to check for coverage; events further into 7175 the future are ignored. 'dnssec-coverage -z' 7176 checks only ZSK events, and 'dnssec-coverage -k' 7177 checks only KSK events. (Thanks to Peter Palfrader.) 7178 [RT #35168] 7179 71803701. [func] named-checkconf can now obscure shared secrets 7181 when printing by specifying '-x'. [RT #34465] 7182 71833700. [func] Allow access to subgroups of XML statistics via 7184 special URLs http://<server>:<port>/xml/v3/server, 7185 /zones, /net, /tasks, /mem, and /status. [RT #35115] 7186 71873699. 
[bug] Improvements to statistics channel XSL stylesheet: 7188 the stylesheet can now be cached by the browser; 7189 section headers are omitted from the stats display 7190 when there is no data in those sections to be 7191 displayed; counters are now right-justified for 7192 easier readability. [RT #35117] 7193 71943698. [cleanup] Replaced all uses of memcpy() with memmove(). 7195 [RT #35120] 7196 71973697. [bug] Handle "." as a search list element when IDN support 7198 is enabled. [RT #35133] 7199 72003696. [bug] dig failed to handle AXFR style IXFR responses which 7201 span multiple messages. [RT #35137] 7202 72033695. [bug] Address a possible race in dispatch.c. [RT #35107] 7204 72053694. [bug] Warn when a key-directory is configured for a zone, 7206 but does not exist or is not a directory. [RT #35108] 7207 72083693. [security] memcpy was incorrectly called with overlapping 7209 ranges resulting in malformed names being generated 7210 on some platforms. This could cause INSIST failures 7211 when serving NSEC3 signed zones (CVE-2014-0591). 7212 [RT #35120] 7213 72143692. [bug] Two calls to dns_db_getoriginnode were fatal if there 7215 was no data at the node. [RT #35080] 7216 72173691. [contrib] Address null pointer dereference in LDAP and 7218 MySQL DLZ modules. 7219 72203690. [bug] Iterative responses could be missed when the source 7221 port for an upstream query was the same as the 7222 listener port (53). [RT #34925] 7223 72243689. [bug] Fixed a bug causing an insecure delegation from one 7225 static-stub zone to another to fail with a broken 7226 trust chain. [RT #35081] 7227 72283688. [bug] loadnode could return a freed node on out of memory. 7229 [RT #35106] 7230 72313687. [bug] Address null pointer dereference in zone_xfrdone. 7232 [RT #35042] 7233 72343686. [func] "dnssec-signzone -Q" drops signatures from keys 7235 that are still published but no longer active. 7236 [RT #34990] 7237 72383685. 
[bug] "rndc refresh" didn't work correctly with slave 7239 zones using inline-signing. [RT #35105] 7240 72413684. [bug] The list of included files would grow on reload. 7242 [RT 35090] 7243 72443683. [cleanup] Add a more detailed "not found" message to rndc 7245 commands which specify a zone name. [RT #35059] 7246 72473682. [bug] Correct the behavior of rndc retransfer to allow 7248 inline-signing slave zones to retain NSEC3 parameters 7249 instead of reverting to NSEC. [RT #34745] 7250 72513681. [port] Update the Windows build system to support feature 7252 selection and WIN64 builds. This is a work in 7253 progress. [RT #34160] 7254 72553680. [bug] Ensure buffer space is available in "rndc zonestatus". 7256 [RT #35084] 7257 72583679. [bug] dig could fail to clean up TCP sockets still 7259 waiting on connect(). [RT #35074] 7260 72613678. [port] Update config.guess and config.sub. [RT #35060] 7262 72633677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple 7264 times. [RT #35073] 7265 72663676. [bug] "named-checkconf -z" now checks zones of type 7267 hint and redirect as well as master. [RT #35046] 7268 72693675. [misc] Provide a place for third parties to add version 7270 information for their extensions in the version 7271 file by setting the EXTENSIONS variable. 7272 7273 --- 9.10.0a1 released --- 7274 72753674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026] 7276 72773673. [func] New "in-view" zone option allows direct sharing 7278 of zones between views. [RT #32968] 7279 72803672. [func] Local address can now be specified when using 7281 dns_client API. [RT #34811] 7282 72833671. [bug] Don't allow dnssec-importkey overwrite a existing 7284 non-imported private key. 7285 72863670. [bug] Address read after free in server side of 7287 lwres_getrrsetbyname. [RT #29075] 7288 72893669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001] 7290 72913668. [bug] Fix cast in lex.c which could see 0xff treated as eof. 
7292 [RT #34993] 7293 72943667. [test] dig: add support to keep the TCP socket open between 7295 successive queries (+[no]keepopen). [RT #34918] 7296 72973666. [func] Add a tool, named-rrchecker, for checking the syntax 7298 of individual resource records. This tool is intended 7299 to be called by provisioning systems so that the front 7300 end does not need to be upgraded to support new DNS 7301 record types. [RT #34778] 7302 73033665. [bug] Failure to release lock on error in receive_secure_db. 7304 [RT #34944] 7305 73063664. [bug] Updated OpenSSL PKCS#11 patches to fix active list 7307 locking and other bugs. [RT #34855] 7308 73093663. [bug] Address bugs in dns_rdata_fromstruct and 7310 dns_rdata_tostruct for WKS and ISDN types. [RT #34910] 7311 73123662. [bug] 'host' could die if a UDP query timed out. [RT #34870] 7313 73143661. [bug] Address lock order reversal deadlock with inline zones. 7315 [RT #34856] 7316 73173660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config". 7318 [RT #23825] 7319 73203659. [port] solaris: don't add explicit dependencies/rules for 7321 python programs as make won't use the implicit rules. 7322 [RT #34835] 7323 73243658. [port] linux: Address platform specific compilation issue 7325 when libcap-devel is installed. [RT #34838] 7326 73273657. [port] Some readline clones don't accept NULL pointers when 7328 calling add_history. [RT #34842] 7329 73303656. [security] Treat an all zero netmask as invalid when generating 7331 the localnets acl. (The prior behavior could 7332 allow unexpected matches when using some versions 7333 of Winsock: CVE-2013-6320.) [RT #34687] 7334 73353655. [cleanup] Simplify TCP message processing when requesting a 7336 zone transfer. [RT #34825] 7337 73383654. [bug] Address race condition with manual notify requests. 7339 [RT #34806] 7340 73413653. [func] Create delegations for all "children" of empty zones 7342 except "forward first". [RT #34826] 7343 73443652. 
[bug] Address bug with rpz-drop policy. [RT #34816] 7345 73463651. [tuning] Adjust when a master server is deemed unreachable. 7347 [RT #27075] 7348 73493650. [tuning] Use separate rate limiting queues for refresh and 7350 notify requests. [RT #30589] 7351 73523649. [cleanup] Include a comment in .nzf files, giving the name of 7353 the associated view. [RT #34765] 7354 73553648. [test] Updated the ATF test framework to version 0.17. 7356 [RT #25627] 7357 73583647. [bug] Address a race condition when shutting down a zone. 7359 [RT #34750] 7360 73613646. [bug] Journal filename string could be set incorrectly, 7362 causing garbage in log messages. [RT #34738] 7363 73643645. [protocol] Use case sensitive compression when responding to 7365 queries. [RT #34737] 7366 73673644. [protocol] Check that EDNS subnet client options are well formed. 7368 [RT #34718] 7369 73703643. [doc] Clarify RRL "slip" documentation. 7371 73723642. [func] Allow externally generated DNSKEY to be imported 7373 into the DNSKEY management framework. A new tool 7374 dnssec-importkey is used to do this. [RT #34698] 7375 73763641. [bug] Handle changes to sig-validity-interval settings 7377 better. [RT #34625] 7378 73793640. [bug] ndots was not being checked when searching. Only 7380 continue searching on NXDOMAIN responses. Add the 7381 ability to specify ndots to nslookup. [RT #34711] 7382 73833639. [bug] Treat type 65533 (KEYDATA) as opaque except when used 7384 in a key zone. [RT #34238] 7385 73863638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is 7387 encountered. [RT #34668] 7388 73893637. [bug] 'allow-query-on' was checking the source address 7390 rather than the destination address. [RT #34590] 7391 73923636. [bug] Automatic empty zones now behave better with 7393 forward only "zones" beneath them. [RT #34583] 7394 73953635. [bug] Signatures were not being removed from a zone with 7396 only KSK keys for a algorithm. [RT #34439] 7397 73983634. 
[func] Report build-id in rndc status. Report build-id 7399 when building from a git repository. [RT #20422] 7400 74013633. [cleanup] Refactor OPT processing in named to make it easier 7402 to support new EDNS options. [RT #34414] 7403 74043632. [bug] Signature from newly inactive keys were not being 7405 removed. [RT #32178] 7406 74073631. [bug] Remove spurious warning about missing signatures when 7408 qtype is SIG. [RT #34600] 7409 74103630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033] 7411 74123629. [func] Allow the printing of cryptographic fields in DNSSEC 7413 records by dig to be suppressed (dig +nocrypto). 7414 [RT #34534] 7415 74163628. [func] Report DNSKEY key id's when dumping the cache. 7417 [RT #34533] 7418 74193627. [bug] RPZ changes were not effective on slaves. [RT #34450] 7420 74213626. [func] dig: NSID output now easier to read. [RT #21160] 7422 74233625. [bug] Don't send notify messages to machines outside of the 7424 test setup. 7425 74263624. [bug] Look for 'json_object_new_int64' when looking for a 7427 the json library. [RT #34449] 7428 74293623. [placeholder] 7430 74313622. [tuning] Eliminate an unnecessary lock when incrementing 7432 cache statistics. [RT #34339] 7433 74343621. [security] Incorrect bounds checking on private type 'keydata' 7435 can lead to a remotely triggerable REQUIRE failure 7436 (CVE-2013-4854). [RT #34238] 7437 74383620. [func] Added "rpz-client-ip" policy triggers, enabling 7439 RPZ responses to be configured on the basis of 7440 the client IP address; this can be used, for 7441 example, to blacklist misbehaving recursive 7442 or stub resolvers. [RT #33605] 7443 74443619. [bug] Fixed a bug in RPZ with "recursive-only no;" 7445 [RT #33776] 7446 74473618. [func] "rndc reload" now checks modification times of 7448 include files as well as master files to determine 7449 whether to skip reloading a zone. [RT #33936] 7450 74513617. 
[bug] Named was failing to answer queries during 7452 "rndc reload" [RT #34098] 7453 74543616. [bug] Change #3613 was incomplete. [RT #34177] 7455 74563615. [cleanup] "configure" now finishes by printing a summary 7457 of optional BIND features and whether they are 7458 active or inactive. ("configure --enable-full-report" 7459 increases the verbosity of the summary.) [RT #31777] 7460 74613614. [port] Check for <linux/types.h>. [RT #34162] 7462 74633613. [bug] named could crash when deleting inline-signing 7464 zones with "rndc delzone". [RT #34066] 7465 74663612. [port] Check whether to use -ljson or -ljson-c. [RT #34115] 7467 74683611. [bug] Improved resistance to a theoretical authentication 7469 attack based on differential timing. [RT #33939] 7470 74713610. [cleanup] win32: Some executables had been omitted from the 7472 installer. [RT #34116] 7473 74743609. [bug] Corrected a possible deadlock in applications using 7475 the export version of the isc_app API. [RT #33967] 7476 74773608. [port] win32: added todos.pl script to ensure all text files 7478 the win32 build depends on are converted to DOS 7479 newline format. [RT #22067] 7480 74813607. [bug] dnssec-keygen had broken 'Invalid keyfile' error 7482 message. [RT #34045] 7483 74843606. [func] "rndc flushtree" now flushes matching 7485 records in the address database and bad cache 7486 as well as the DNS cache. (Previously only the 7487 DNS cache was flushed.) [RT #33970] 7488 74893605. [port] win32: Addressed several compatibility issues 7490 with newer versions of Visual Studio. [RT #33916] 7491 74923604. [bug] Fixed a compile-time error when building with 7493 JSON but not XML. [RT #33959] 7494 74953603. [bug] Install <isc/stat.h>. [RT #33956] 7496 74973602. [contrib] Added DLZ Perl module, allowing Perl scripts to 7498 integrate with named and serve DNS data. 7499 (Contributed by John Eaglesham of Yahoo.) 7500 75013601. [bug] Added to PKCS#11 openssl patches a value len 7502 attribute in DH derive key. 
[RT #33928] 7503 75043600. [cleanup] dig: Fixed a typo in the warning output when receiving 7505 an oversized response. [RT #33910] 7506 75073599. [tuning] Check for pointer equivalence in name comparisons. 7508 [RT #18125] 7509 75103598. [cleanup] Improved portability of map file code. [RT #33820] 7511 75123597. [bug] Ensure automatic-resigning heaps are reconstructed 7513 when loading zones in map format. [RT #33381] 7514 75153596. [port] Updated win32 build documentation, added 7516 dnssec-verify. [RT #22067] 7517 75183595. [port] win32: Fix build problems introduced by change #3550. 7519 [RT #33807] 7520 75213594. [maint] Update config.guess and config.sub. [RT #33816] 7522 75233593. [func] Update EDNS processing to better track remote server 7524 capabilities. [RT #30655] 7525 75263592. [doc] Moved documentation of rndc command options to the 7527 rndc man page. [RT #33506] 7528 75293591. [func] Use CRC-64 to detect map file corruption at load 7530 time. [RT #33746] 7531 75323590. [bug] When using RRL on recursive servers, defer 7533 rate-limiting until after recursion is complete; 7534 also, use correct rcode for slipped NXDOMAIN 7535 responses. [RT #33604] 7536 75373589. [func] Report serial numbers in when starting zone transfers. 7538 Report accepted NOTIFY requests including serial. 7539 [RT #33037] 7540 75413588. [bug] dig: addressed a memory leak in the sigchase code 7542 that could cause a shutdown crash. [RT #33733] 7543 75443587. [func] 'named -g' now checks the logging configuration but 7545 does not use it. [RT #33473] 7546 75473586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706] 7548 75493585. [func] "rndc delzone -clean" option removes zone files 7550 when deleting a zone. [RT #33570] 7551 75523584. [security] Caching data from an incompletely signed zone could 7553 trigger an assertion failure in resolver.c 7554 (CVE-2013-3919). [RT #33690] 7555 75563583. [bug] Address memory leak in GSS-API processing [RT #33574] 7557 75583582. 
[bug] Silence false positive warning regarding missing file 7559 directive for inline slave zones. [RT #33662] 7560 75613581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029] 7562 75633580. [bug] Addressed a possible race in acache.c [RT #33602] 7564 75653579. [maint] Updates to PKCS#11 openssl patches, supporting 7566 versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463] 7567 75683578. [bug] 'rndc -c file' now fails if 'file' does not exist. 7569 [RT #33571] 7570 75713577. [bug] Handle zero TTL values better. [RT #33411] 7572 75733576. [bug] Address a shutdown race when validating. [RT #33573] 7574 75753575. [func] Changed the logging category for RRL events from 7576 'queries' to 'query-errors'. [RT #33540] 7577 75783574. [doc] The 'hostname' keyword was missing from server-id 7579 description in the named.conf man page. [RT #33476] 7580 75813573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled 7582 zone names containing punctuation marks and other 7583 nonstandard characters. [RT #33419] 7584 75853572. [func] Threads are now enabled by default on most 7586 operating systems. [RT #25483] 7587 75883571. [bug] Address race condition in dns_client_startresolve(). 7589 [RT #33234] 7590 75913570. [bug] Check internal pointers are valid when loading map 7592 files. [RT #33403] 7593 75943569. [contrib] Ported mysql DLZ driver to dynamically-loadable 7595 module, and added multithread support. [RT #33394] 7596 75973568. [cleanup] Add a product description line to the version file, 7598 to be reported by named -v/-V. [RT #33366] 7599 76003567. [bug] Silence clang static analyzer warnings. [RT #33365] 7601 76023566. [func] Log when forwarding updates to master. [RT #33240] 7603 76043565. [placeholder] 7605 76063564. [bug] Improved handling of corrupted map files. [RT #33380] 7607 76083563. [contrib] zone2sqlite failed with some table names. [RT #33375] 7609 76103562. 
[func] Update map file header format to include a SHA-1 hash 7611 of the database content, so that corrupted map files 7612 can be rejected at load time. [RT #32459] 7613 76143561. [bug] dig: issue a warning if an EDNS query returns FORMERR 7615 or NOTIMP. Adjust usage message. [RT #33363] 7616 76173560. [bug] isc-config.sh did not honor includedir and libdir 7618 when set via configure. [RT #33345] 7619 76203559. [func] Check that both forms of Sender Policy Framework 7621 records exist or do not exist. [RT #33355] 7622 76233558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331] 7624 76253557. [bug] Reloading redirect zones was broken. [RT #33292] 7626 76273556. [maint] Added AAAA for D.ROOT-SERVERS.NET. 7628 76293555. [bug] Address theoretical race conditions in acache.c 7630 (change #3553 was incomplete). [RT #33252] 7631 76323554. [bug] RRL failed to correctly rate-limit upward 7633 referrals and failed to count dropped error 7634 responses in the statistics. [RT #33225] 7635 76363553. [bug] Address suspected double free in acache. [RT #33252] 7637 76383552. [bug] Wrong getopt option string for 'nsupdate -r'. 7639 [RT #33280] 7640 76413551. [bug] resolver.querydscp[46] were uninitialized. [RT #32686] 7642 76433550. [func] Unified the internal and export versions of the 7644 BIND libraries, allowing external clients to use 7645 the same libraries as BIND. [RT #33131] 7646 76473549. [doc] Documentation for "request-nsid" was missing. 7648 [RT #33153] 7649 76503548. [bug] The NSID request code in resolver.c was broken 7651 resulting in invalid EDNS options being sent. 7652 [RT #33153] 7653 76543547. [bug] Some malformed unknown rdata records were not properly 7655 detected and rejected. [RT #33129] 7656 76573546. [func] Add EUI48 and EUI64 types. [RT #33082] 7658 76593545. [bug] RRL slip behavior was incorrect when set to 1. 7660 [RT #33111] 7661 76623544. 
[contrib] check5011.pl: Script to report the status of 7663 managed keys as recorded in managed-keys.bind. 7664 Contributed by Tony Finch <dot@dotat.at> 7665 76663543. [bug] Update socket structure before attaching to socket 7667 manager after accept. [RT #33084] 7668 76693542. [placeholder] 7670 76713541. [bug] Parts of libdns were not properly initialized when 7672 built in libexport mode. [RT #33028] 7673 76743540. [test] libt_api: t_info and t_assert were not thread safe. 7675 76763539. [port] win32: timestamp format didn't match other platforms. 7677 76783538. [test] Running "make test" now requires loopback interfaces 7679 to be set up. [RT #32452] 7680 76813537. [tuning] Slave zones, when updated, now send NOTIFY messages 7682 to peers before being dumped to disk rather than 7683 after. [RT #27242] 7684 76853536. [func] Add support for setting Differentiated Services Code 7686 Point (DSCP) values in named. Most configuration 7687 options which take a "port" option (e.g., 7688 listen-on, forwarders, also-notify, masters, 7689 notify-source, etc) can now also take a "dscp" 7690 option specifying a code point for use with 7691 outgoing traffic, if supported by the underlying 7692 OS. [RT #27596] 7693 76943535. [bug] Minor win32 cleanups. [RT #32962] 7695 76963534. [bug] Extra text after an embedded NULL was ignored when 7697 parsing zone files. [RT #32699] 7698 76993533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960] 7700 77013532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960] 7702 77033531. [bug] win32: A uninitialized value could be returned on out 7704 of memory. [RT #32960] 7705 77063530. [contrib] Better RTT tracking in queryperf. [RT #30128] 7707 77083529. [func] Named now listens on both IPv4 and IPv6 interfaces 7709 by default. Named previously only listened on IPv4 7710 interfaces by default unless named was running in 7711 IPv6 only mode. [RT #32945] 7712 77133528. 
[func] New "dnssec-coverage" command scans the timing 7714 metadata for a set of DNSSEC keys and reports if a 7715 lapse in signing coverage has been scheduled 7716 inadvertently. (Note: This tool depends on python; 7717 it will not be built or installed on systems that 7718 do not have a python interpreter.) [RT #28098] 7719 77203527. [compat] Add a URI to allow applications to explicitly 7721 request a particular XML schema from the statistics 7722 channel, returning 404 if not supported. [RT #32481] 7723 77243526. [cleanup] Set up dependencies for unit tests correctly during 7725 build. [RT #32803] 7726 77273525. [func] Support for additional signing algorithms in rndc: 7728 hmac-sha1, -sha224, -sha256, -sha384, and -sha512. 7729 The -A option to rndc-confgen can be used to 7730 select the algorithm for the generated key. 7731 (The default is still hmac-md5; this may 7732 change in a future release.) [RT #20363] 7733 77343524. [func] Added an alternate statistics channel in JSON format, 7735 when the server is built with the json-c library: 7736 http://[address]:[port]/json. [RT #32630] 7737 77383523. [contrib] Ported filesystem and ldap DLZ drivers to 7739 dynamically-loadable modules, and added the 7740 "wildcard" module based on a contribution from 7741 Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569] 7742 77433522. [bug] DLZ lookups could fail to return SERVFAIL when 7744 they ought to. [RT #32685] 7745 77463521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249] 7747 77483520. [bug] 'mctx' was not being referenced counted in some places 7749 where it should have been. [RT #32794] 7750 77513519. [func] Full replay protection via four-way handshake is 7752 now mandatory for rndc clients. Very old versions 7753 of rndc will no longer work. [RT #32798] 7754 77553518. 
[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance. "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link. When cloning a rdataset do not copy
			the link contents. [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete. There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	Removed use of const const in atf.

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup(). This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client. [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement. DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values. Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL. The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash. [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash. [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a nonexistent master list was
			referenced in an also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]

3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages. [RT #30501]

3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
			if built with readline support. [RT #29550]

3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
			were not C++ safe.

3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
			atomic operations. [RT #25181]

3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

3363.	[bug]		Need to allow "forward" and "forwarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]

3360.	[bug]		'host -w' could die. [RT #18723]

3359.	[bug]		An improperly-formed TSIG secret could cause a
			memory leak. [RT #30607]

3358.	[placeholder]

3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

3355.	[port]		Use more portable awk in verify system test.

3354.	[func]		Improve OpenSSL error logging. [RT #29932]

3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

3352.	[bug]		Ensure that learned server attributes time out of the
			adb cache. [RT #29856]

3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

3349.	[bug]		Change #3345 was incomplete. [RT #30233]

3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
			permissions of the existing file. [RT #27724]

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'map' zone file format, which is an image
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
			'map' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in unit tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing an
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]

3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting. Also
			- add optional "recursive-only yes|no" to the
			  response-policy statement
			- add optional "max-policy-ttl" to the response-policy
			  statement to limit the false data that
			  "recursive-only no" can introduce into
			  resolvers' caches
			- add a RPZ performance test to bin/tests/system/rpz
			  when queryperf is available.
			- the encoding of PASSTHRU action to "rpz-passthru".
			  (The old encoding is still accepted.)
			[RT #26172]

3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case. We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections. (Use "configure --enable-filter-aaaa"
			to enable this option.) [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while stub_callback
			or refresh_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained characters that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin. Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with an INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT #26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with more than 512 records in a RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold an internal reference to the zone while performing
			an asynchronous load. Address potential memory leak
			if the asynchronous load is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'. (To avoid
			future confusion, both options now work.) [RT #27173]

3274.	[placeholder]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up. mksymtbl was using non
			portable perl to convert 64 bit hex strings. [RT #27653]

	--- 9.9.0rc2 released ---

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error. New ISC_R_UNSET result code.
			[RT #27336]

3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]

3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

3261.	[func]		RRset ordering now defaults to random. [RT #27174]

3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns. [RT #27170/27185]

	--- 9.9.0rc1 released ---

3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3257.	[bug]		Do not generate an error message when calling fsync()
			in a pipe or socket. [RT #27109]

3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that an empty zone be explicitly
			enabled or that an empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

3251.	[bug]		Enforce an upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent run away memory consumption on ISC_R_NOSPACE.
			[RT #26956]

3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with an empty also-notify list.
			[RT #27087]

3245.	[bug]		Don't report an error for unchanged serials unless
			there were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

3244.	[func]		Added readline support to nslookup and nsupdate.
			Also simplified nsupdate syntax to make "update"
			and "prereq" optional. [RT #24659]

3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

3242.	[func]		Extended the header of raw-format master files to
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones). This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.

			(Note: raw zonefiles generated by this version of
			BIND are no longer compatible with prior versions.
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
			lib/dns/rbtdb.c:iszonesecure. [RT #26913]

3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

3235.	[func]		dns_db_diffx, an extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

3231.	[bug]		named could fail to send an incompressible zone.
			[RT #26796]

3230.	[bug]		'dig axfr' failed to properly handle a multi-message
			axfr with a serial of 0. [RT #26796]

3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]

3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

3226.	[bug]		Address minor resource leakages. [RT #26624]

3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

3221.	[bug]		Fixed a potential core dump on shutdown due to
			referencing fetch context after it's been freed.
			[RT #26720]

	--- 9.9.0b2 released ---

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3219.	[bug]		Disable NOEDNS caching following a timeout.

3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]

3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]

3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading to a
			possible assertion failure. [RT #23219]

3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

3209.	[func]		Add "dnssec-lookaside 'no'". [RT #24858]

3208.	[bug]		'dig -y' handles unknown tsig algorithm better.
			[RT #25522]

3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

3205.	[func]		Upgrade dig's defaults to better reflect modern
			nameserver behavior. Enable "dig +adflag" and
			"dig +edns=0" by default. Enable "+dnssec" when
			running "dig +trace". [RT #23497]

3204.	[bug]		When a master server that has been marked as
			unreachable sends a NOTIFY, mark it reachable
			again. [RT #25960]

3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

3202.	[bug]		NOEDNS caching on timeout was too aggressive.
			[RT #26416]

3201.	[func]		'rndc querylog' can now be given an on/off parameter
			instead of only being used as a toggle. [RT #18351]

3200.	[doc]		Some rndc functions were undocumented or were
			missing from 'rndc -h' output. [RT #25555]

3199.	[func]		When logging client information, include the name
			being queried. [RT #25944]

3198.	[doc]		Clarified that dnssec-settime can alter keyfile
			permissions. [RT #24866]

3197.	[bug]		Don't try to log the filename and line number when
			the config parser can't open a file. [RT #22263]

3196.	[bug]		nsupdate: return nonzero exit code when target zone
			doesn't exist. [RT #25783]

3195.	[cleanup]	Silence "file not found" warnings when loading
			managed-keys zone. [RT #26340]

3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
			documentation. [RT #25203]

3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
			dnssec.h. [RT #26415]

3192.	[bug]		A query structure could be used after being freed.
			[RT #22208]

3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]

3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
			[RT #26397]

3189.	[test]		Added a summary report after system tests. [RT #25517]

3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
			references correctly when errors occurred, causing
			a hang on shutdown. [RT #26372]

3187.	[port]		win32: support for Visual Studio 2008. [RT #26356]

	--- 9.9.0b1 released ---

3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]

3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
			- 'rndc signing -list' displays the current
			  state of signing operations
			- 'rndc signing -clear' clears the signing state
			  records for keys that have fully signed the zone
			- 'rndc signing -nsec3param' sets the NSEC3
			  parameters for the zone
			The 'rndc keydone' syntax is removed. [RT #23729]

3184.	[bug]		named had excessive cpu usage when a redirect zone was
			configured. [RT #26013]

3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3182.	[bug]		Auth servers behind firewalls which block packets
			greater than 512 bytes may cause other servers to
			perform poorly. Now, adb retains edns information
			and caches noedns servers. [RT #23392/24964]

3181.	[func]		Inline-signing is now supported for master zones.
			[RT #26224]

3180.	[func]		Local copies of slave zones are now saved in raw
			format by default, to improve startup performance.
			'masterfile-format text;' can be used to override
			the default, if desired. [RT #25867]

3179.	[port]		kfreebsd: build issues. [RT #26273]

3178.	[bug]		A race condition introduced by change #3163 could
			cause an assertion failure on shutdown. [RT #26271]

3177.	[func]		'rndc keydone', remove the indicator record that
			named has finished signing the zone with the
			corresponding key. [RT #26206]

3176.	[doc]		Corrected example code and added a README to the
			sample external DLZ module in contrib/dlz/example.
			[RT #26215]

3175.
[bug] Fix how DNSSEC positive wildcard responses from a 8875 NSEC3 signed zone are validated. Stop sending a 8876 unnecessary NSEC3 record when generating such 8877 responses. [RT #26200] 8878 88793174. [bug] Always compute to revoked key tag from scratch. 8880 [RT #26186] 8881 88823173. [port] Correctly validate root DS responses. [RT #25726] 8883 88843172. [port] darwin 10.* and freebsd [89] are now built threaded by 8885 default. 8886 88873171. [bug] Exclusively lock the task when adding a zone using 8888 'rndc addzone'. [RT #25600] 8889 8890 --- 9.9.0a3 released --- 8891 88923170. [func] RPZ update: 8893 - fix precedence among competing rules 8894 - improve ARM text including documenting rule precedence 8895 - try to rewrite CNAME chains until first hit 8896 - new "rpz" logging channel 8897 - RDATA for CNAME rules can include wildcards 8898 - replace "NO-OP" named.conf policy override with 8899 "PASSTHRU" and add "DISABLED" override ("NO-OP" 8900 is still recognized) 8901 [RT #25172] 8902 89033169. [func] Catch db/version mis-matches when calling dns_db_*(). 8904 [RT #26017] 8905 89063168. [bug] Nxdomain redirection could trigger an assert with 8907 a ANY query. [RT #26017] 8908 89093167. [bug] Negative answers from forwarders were not being 8910 correctly tagged making them appear to not be cached. 8911 [RT #25380] 8912 89133166. [bug] Upgrading a zone to support inline-signing failed. 8914 [RT #26014] 8915 89163165. [bug] dnssec-signzone could generate new signatures when 8917 resigning, even when valid signatures were already 8918 present. [RT #26025] 8919 89203164. [func] Enable DLZ modules to retrieve client information, 8921 so that responses can be changed depending on the 8922 source address of the query. [RT #25768] 8923 89243163. [bug] Use finer-grained locking in client.c to address 8925 concurrency problems with large numbers of threads. 8926 [RT #26044] 8927 89283162. 
[test] start.pl: modified to allow for "named.args" in 8929 ns*/ subdirectory to override stock arguments to 8930 named. Largely from RT #26044, but no separate ticket. 8931 89323161. [bug] zone.c:del_sigs failed to always reset rdata leading 8933 assertion failures. [RT #25880] 8934 89353160. [bug] When printing out a NSEC3 record in multiline form 8936 the newline was not being printed causing type codes 8937 to be run together. [RT #25873] 8938 89393159. [bug] On some platforms, named could assert on startup 8940 when running in a chrooted environment without 8941 /proc. [RT #25863] 8942 89433158. [bug] Recursive servers would prefer a particular UDP 8944 socket instead of using all available sockets. 8945 [RT #26038] 8946 89473157. [tuning] Reduce the time spent in "rndc reconfig" by parsing 8948 the config file before pausing the server. [RT #21373] 8949 89503156. [placeholder] 8951 8952 --- 9.9.0a2 released --- 8953 89543155. [bug] Fixed a build failure when using contrib DLZ 8955 drivers (e.g., mysql, postgresql, etc). [RT #25710] 8956 89573154. [bug] Attempting to print an empty rdataset could trigger 8958 an assert. [RT #25452] 8959 89603153. [func] Extend request-ixfr to zone level and remove the 8961 side effect of forcing an AXFR. [RT #25156] 8962 89633152. [cleanup] Some versions of gcc and clang failed due to 8964 incorrect use of __builtin_expect. [RT #25183] 8965 89663151. [bug] Queries for type RRSIG or SIG could be handled 8967 incorrectly. [RT #21050] 8968 89693150. [func] Improved startup and reconfiguration time by 8970 enabling zones to load in multiple threads. [RT #25333] 8971 89723149. [placeholder] 8973 89743148. [bug] Processing of normal queries could be stalled when 8975 forwarding a UPDATE message. [RT #24711] 8976 89773147. [func] Initial inline signing support. [RT #23657] 8978 8979 --- 9.9.0a1 released --- 8980 89813146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598] 8982 89833145. 
[test] Capture output of ATF unit tests in "./atf.out" if 8984 there were any errors while running them. [RT #25527] 8985 89863144. [bug] dns_dbiterator_seek() could trigger an assert when 8987 used with a nonexistent database node. [RT #25358] 8988 89893143. [bug] Silence clang compiler warnings. [RT #25174] 8990 89913142. [bug] NAPTR is class agnostic. [RT #25429] 8992 89933141. [bug] Silence spurious "zone serial (0) unchanged" messages 8994 associated with empty zones. [RT #25079] 8995 89963140. [func] New command "rndc flushtree <name>" clears the 8997 specified name from the server cache along with 8998 all names under it. [RT #19970] 8999 90003139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321 9001 for the hashing algorithms (md5, sha1 - sha512, and 9002 their hmac counterparts). [RT #25067] 9003 90043138. [bug] Address memory leaks and out-of-order operations when 9005 shutting named down. [RT #25210] 9006 90073137. [func] Improve hardware scalability by allowing multiple 9008 worker threads to process incoming UDP packets. 9009 This can significantly increase query throughput 9010 on some systems. [RT #22992] 9011 90123136. [func] Add RFC 1918 reverse zones to the list of built-in 9013 empty zones switched on by the 'empty-zones-enable' 9014 option. [RT #24990] 9015 90163135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing. 9017 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307 9018 [RT #24950] 9019 90203134. [bug] Improve the accuracy of dnssec-signzone's signing 9021 statistics. [RT #16030] 9022 90233133. [bug] Change #3114 was incomplete. [RT #24577] 9024 90253132. [placeholder] 9026 90273131. [tuning] Improve scalability by allocating one zone task 9028 per 100 zones at startup time, rather than using a 9029 fixed-size task table. [RT #24406] 9030 90313130. [func] Support alternate methods for managing a dynamic 9032 zone's serial number. 
Two methods are currently 9033 defined using serial-update-method, "increment" 9034 (default) and "unixtime". [RT #23849] 9035 90363129. [bug] Named could crash on 'rndc reconfig' when 9037 allow-new-zones was set to yes and named ACLs 9038 were used. [RT #22739] 9039 90403128. [func] Inserting an NSEC3PARAM via dynamic update in an 9041 auto-dnssec zone that has not been signed yet 9042 will cause it to be signed with the specified NSEC3 9043 parameters when keys are activated. The 9044 NSEC3PARAM record will not appear in the zone until 9045 it is signed, but the parameters will be stored. 9046 [RT #23684] 9047 90483127. [bug] 'rndc thaw' will now remove a zone's journal file 9049 if the zone serial number has been changed and 9050 ixfr-from-differences is not in use. [RT #24687] 9051 90523126. [security] Using DNAME record to generate replacements caused 9053 RPZ to exit with a assertion failure. [RT #24766] 9054 90553125. [security] Using wildcard CNAME records as a replacement with 9056 RPZ caused named to exit with a assertion failure. 9057 [RT #24715] 9058 90593124. [bug] Use an rdataset attribute flag to indicate 9060 negative-cache records rather than using rrtype 0; 9061 this will prevent problems when that rrtype is 9062 used in actual DNS packets. [RT #24777] 9063 90643123. [security] Change #2912 exposed a latent flaw in 9065 dns_rdataset_totext() that could cause named to 9066 crash with an assertion failure. [RT #24777] 9067 90683122. [cleanup] dnssec-settime: corrected usage message. [RT #24664] 9069 90703121. [security] An authoritative name server sending a negative 9071 response containing a very large RRset could 9072 trigger an off-by-one error in the ncache code 9073 and crash named. [RT #24650] 9074 90753120. [bug] Named could fail to validate zones listed in a DLV 9076 that validated insecure without using DLV and had 9077 DS records in the parent zone. [RT #24631] 9078 90793119. 
[bug] When rolling to a new DNSSEC key, a private-type 9080 record could be created and never marked complete. 9081 [RT #23253] 9082 90833118. [bug] nsupdate could dump core on shutdown when using 9084 SIG(0) keys. [RT #24604] 9085 90863117. [cleanup] Remove doc and parser references to the 9087 never-implemented 'auto-dnssec create' option. 9088 [RT #24533] 9089 90903116. [func] New 'dnssec-update-mode' option controls updates 9091 of DNSSEC records in signed dynamic zones. Set to 9092 'no-resign' to disable automatic RRSIG regeneration 9093 while retaining the ability to sign new or changed 9094 data. [RT #24533] 9095 90963115. [bug] Named could fail to return requested data when 9097 following a CNAME that points into the same zone. 9098 [RT #24455] 9099 91003114. [bug] Retain expired RRSIGs in dynamic zones if key is 9101 inactive and there is no replacement key. [RT #23136] 9102 91033113. [doc] Document the relationship between serial-query-rate 9104 and NOTIFY messages. 9105 91063112. [doc] Add missing descriptions of the update policy name 9107 types "ms-self", "ms-subdomain", "krb5-self" and 9108 "krb5-subdomain", which allow machines to update 9109 their own records, to the BIND 9 ARM. 9110 91113111. [bug] Improved consistency checks for dnssec-enable and 9112 dnssec-validation, added test cases to the 9113 checkconf system test. [RT #24398] 9114 91153110. [bug] dnssec-signzone: Wrong error message could appear 9116 when attempting to sign with no KSK. [RT #24369] 9117 91183109. [func] The also-notify option now uses the same syntax 9119 as a zone's masters clause. This means it is 9120 now possible to specify a TSIG key to use when 9121 sending notifies to a given server, or to include 9122 an explicit named masters list in an also-notify 9123 statement. [RT #23508] 9124 91253108. [cleanup] dnssec-signzone: Clarified some error and 9126 warning messages; removed #ifdef ALLOW_KSKLESS_ZONES 9127 code (use -P instead). [RT #20852] 9128 91293107. 
[bug] dnssec-signzone: Report the correct number of ZSKs 9130 when using -x. [RT #20852] 9131 91323106. [func] When logging client requests, include the name of 9133 the TSIG key if any. [RT #23619] 9134 91353105. [bug] GOST support can be suppressed by "configure 9136 --without-gost" [RT #24367] 9137 91383104. [bug] Better support for cross-compiling. [RT #24367] 9139 91403103. [bug] Configuring 'dnssec-validation auto' in a view 9141 instead of in the options statement could trigger 9142 an assertion failure in named-checkconf. [RT #24382] 9143 91443102. [func] New 'dnssec-loadkeys-interval' option configures 9145 how often, in minutes, to check the key repository 9146 for updates when using automatic key maintenance. 9147 Default is every 60 minutes (formerly hard-coded 9148 to 12 hours). [RT #23744] 9149 91503101. [bug] Zones using automatic key maintenance could fail 9151 to check the key repository for updates. [RT #23744] 9152 91533100. [security] Certain response policy zone configurations could 9154 trigger an INSIST when receiving a query of type 9155 RRSIG. [RT #24280] 9156 91573099. [test] "dlz" system test now runs but gives R:SKIPPED if 9158 not compiled with --with-dlz-filesystem. [RT #24146] 9159 91603098. [bug] DLZ zones were answering without setting the AA bit. 9161 [RT #24146] 9162 91633097. [test] Add a tool to test handling of malformed packets. 9164 [RT #24096] 9165 91663096. [bug] Set KRB5_KTNAME before calling log_cred() in 9167 dst_gssapi_acceptctx(). [RT #24004] 9168 91693095. [bug] Handle isolated reserved ports in the port range. 9170 [RT #23957] 9171 91723094. [doc] Expand dns64 documentation. 9173 91743093. [bug] Fix gssapi/kerberos dependencies [RT #23836] 9175 91763092. [bug] Signatures for records at the zone apex could go 9177 stale due to an incorrect timer setting. [RT #23769] 9178 91793091. [bug] Fixed a bug in which zone keys that were published 9180 and then subsequently activated could fail to trigger 9181 automatic signing. 
[RT #22911] 9182 91833090. [func] Make --with-gssapi default [RT #23738] 9184 91853089. [func] dnssec-dsfromkey now supports reading keys from 9186 standard input "dnssec-dsfromkey -f -". [RT #20662] 9187 91883088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf 9189 and add setup.sh in order to resolve changing 9190 named.conf issue. [RT #23687] 9191 91923087. [bug] DDNS updates using SIG(0) with update-policy match 9193 type "external" could cause a crash. [RT #23735] 9194 91953086. [bug] Running dnssec-settime -f on an old-style key will 9196 now force an update to the new key format even if no 9197 other change has been specified, using "-P now -A now" 9198 as default values. [RT #22474] 9199 92003085. [func] New '-R' option in dnssec-signzone forces removal 9201 of signatures which have not yet expired but 9202 were generated by a key that no longer exists. 9203 [RT #22471] 9204 92053084. [func] A new command "rndc sync" dumps pending changes in 9206 a dynamic zone to disk; "rndc sync -clean" also 9207 removes the journal file after syncing. Also, 9208 "rndc freeze" no longer removes journal files. 9209 [RT #22473] 9210 92113083. [bug] NOTIFY messages were not being sent when generating 9212 a NSEC3 chain incrementally. [RT #23702] 9213 92143082. [port] strtok_r is threads only. [RT #23747] 9215 92163081. [bug] Failure of DNAME substitution did not return 9217 YXDOMAIN. [RT #23591] 9218 92193080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS. 9220 [RT #23587] 9221 92223079. [bug] Handle isc_event_allocate failures in t_tasks. 9223 [RT #23572] 9224 92253078. [func] Added a new include file with function typedefs 9226 for the DLZ "dlopen" driver. [RT #23629] 9227 92283077. [bug] zone.c:zone_refreshkeys() incorrectly called 9229 dns_zone_attach(), use zone->irefs instead. [RT #23303] 9230 92313076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and 9232 dnssec-keyfromlabel sets the default TTL of the 9233 key. 
When possible, automatic signing will use that 9234 TTL when the key is published. [RT #23304] 9235 92363075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent 9237 timestamp when determining which keys are active. 9238 [RT #23642] 9239 92403074. [bug] Make the adb cache read through for zone data and 9241 glue learn for zone named is authoritative for. 9242 [RT #22842] 9243 92443073. [bug] managed-keys changes were not properly being recorded. 9245 [RT #20256] 9246 92473072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference. 9248 [RT #20256] 9249 92503071. [bug] has_nsec could be used uninitialized in 9251 update.c:next_active. [RT #20256] 9252 92533070. [bug] dnssec-signzone potential NULL pointer dereference. 9254 [RT #20256] 9255 92563069. [cleanup] Silence warnings messages from clang static analysis. 9257 [RT #20256] 9258 92593068. [bug] Named failed to build with a OpenSSL without engine 9260 support. [RT #23473] 9261 92623067. [bug] ixfr-from-differences {master|slave}; failed to 9263 select the master/slave zones. [RT #23580] 9264 92653066. [func] The DLZ "dlopen" driver is now built by default, 9266 no longer requiring a configure option. To 9267 disable it, use "configure --without-dlopen". 9268 Driver also supported on win32. [RT #23467] 9269 92703065. [bug] RRSIG could have time stamps too far in the future. 9271 [RT #23356] 9272 92733064. [bug] powerpc: add sync instructions to the end of atomic 9274 operations. [RT #23469] 9275 92763063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402] 9277 92783062. 
[func] Made several changes to enhance human readability 9279 of DNSSEC data in dig output and in generated 9280 zone files: 9281 - DNSKEY record comments are more verbose, no 9282 longer used in multiline mode only 9283 - multiline RRSIG records reformatted 9284 - multiline output mode for NSEC3PARAM records 9285 - "dig +norrcomments" suppresses DNSKEY comments 9286 - "dig +split=X" breaks hex/base64 records into 9287 fields of width X; "dig +nosplit" disables this. 9288 [RT #22820] 9289 92903061. [func] New option "dnssec-signzone -D", only write out 9291 generated DNSSEC records. [RT #22896] 9292 92933060. [func] New option "dnssec-signzone -X <date>" allows 9294 specification of a separate expiration date 9295 for DNSKEY RRSIGs and other RRSIGs. [RT #22141] 9296 92973059. [test] Added a regression test for change #3023. 9298 92993058. [bug] Cause named to terminate at startup or rndc reconfig/ 9300 reload to fail, if a log file specified in the conf 9301 file isn't a plain file. [RT #22771] 9302 93033057. [bug] "rndc secroots" would abort after the first error 9304 and so could miss some views. [RT #23488] 9305 93063056. [func] Added support for URI resource record. [RT #23386] 9307 93083055. [placeholder] 9309 93103054. [bug] Added elliptic curve support check in 9311 GOST OpenSSL engine detection. [RT #23485] 9312 93133053. [bug] Under a sustained high query load with a finite 9314 max-cache-size, it was possible for cache memory 9315 to be exhausted and not recovered. [RT #23371] 9316 93173052. [test] Fixed last autosign test report. [RT #23256] 9318 93193051. [bug] NS records obscure DNAME records at the bottom of the 9320 zone if both are present. [RT #23035] 9321 93223050. [bug] The autosign system test was timing dependent. 9323 Wait for the initial autosigning to complete 9324 before running the rest of the test. [RT #23035] 9325 93263049. [bug] Save and restore the gid when creating creating 9327 named.pid at startup. [RT #23290] 9328 93293048. 
[bug] Fully separate view key management. [RT #23419] 9330 93313047. [bug] DNSKEY NODATA responses not cached fixed in 9332 validator.c. Tests added to dnssec system test. 9333 [RT #22908] 9334 93353046. [bug] Use RRSIG original TTL to compute validated RRset 9336 and RRSIG TTL. [RT #23332] 9337 93383045. [removed] Replaced by change #3050. 9339 93403044. [bug] Hold the socket manager lock while freeing the socket. 9341 [RT #23333] 9342 93433043. [test] Merged in the NetBSD ATF test framework (currently 9344 version 0.12) for development of future unit tests. 9345 Use configure --with-atf to build ATF internally 9346 or configure --with-atf=prefix to use an external 9347 copy. [RT #23209] 9348 93493042. [bug] dig +trace could fail attempting to use IPv6 9350 addresses on systems with only IPv4 connectivity. 9351 [RT #23297] 9352 93533041. [bug] dnssec-signzone failed to generate new signatures on 9354 ttl changes. [RT #23330] 9355 93563040. [bug] Named failed to validate insecure zones where a node 9357 with a CNAME existed between the trust anchor and the 9358 top of the zone. [RT #23338] 9359 93603039. [func] Redirect on NXDOMAIN support. [RT #23146] 9361 93623038. [bug] Install <dns/rpz.h>. [RT #23342] 9363 93643037. [doc] Update COPYRIGHT to contain all the individual 9365 copyright notices that cover various parts. 9366 93673036. [bug] Check built-in zone arguments to see if the zone 9368 is re-usable or not. [RT #21914] 9369 93703035. [cleanup] Simplify by using strlcpy. [RT #22521] 9371 93723034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521] 9373 93743033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET). 9375 [RT #22521] 9376 93773032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521] 9378 93793031. [bug] dns_rdataclass_format() handle a zero sized buffer. 9380 [RT #22521] 9381 93823030. [bug] dns_rdatatype_format() handle a zero sized buffer. 9383 [RT #22521] 9384 93853029. 
[bug] isc_netaddr_format() handle a zero sized buffer. 9386 [RT #22521] 9387 93883028. [bug] isc_sockaddr_format() handle a zero sized buffer. 9389 [RT #22521] 9390 93913027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to 9392 catch NULL pointer dereferences before they happen. 9393 [RT #22521] 9394 93953026. [bug] lib/isc/httpd.c: check that we have enough space 9396 after calling grow_headerspace() and if not 9397 re-call grow_headerspace() until we do. [RT #22521] 9398 93993025. [bug] Fixed a possible deadlock due to zone resigning. 9400 [RT #22964] 9401 94023024. [func] RTT Banding removed due to minor security increase 9403 but major impact on resolver latency. [RT #23310] 9404 94053023. [bug] Named could be left in an inconsistent state when 9406 receiving multiple AXFR response messages that were 9407 not all TSIG-signed. [RT #23254] 9408 94093022. [bug] Fixed rpz SERVFAILs after failed zone transfers 9410 [RT #23246] 9411 94123021. [bug] Change #3010 was incomplete. [RT #22296] 9413 94143020. [bug] auto-dnssec failed to correctly update the zone when 9415 changing the DNSKEY RRset. [RT #23232] 9416 94173019. [test] Test: check apex NSEC3 records after adding DNSKEY 9418 record via UPDATE. [RT #23229] 9419 94203018. [bug] Named failed to check for the "none;" acl when deciding 9421 if a zone may need to be re-signed. [RT #23120] 9422 94233017. [doc] dnssec-keyfromlabel -I was not properly documented. 9424 [RT #22887] 9425 94263016. [bug] rndc usage missing '-b'. [RT #22937] 9427 94283015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and 9429 IN6_IS_ADDR_SITELOCAL macros. [RT #22724] 9430 94313014. [placeholder] 9432 94333013. [bug] The DNS64 ttl was not always being set as expected. 9434 [RT #23034] 9435 94363012. [bug] Remove DNSKEY TTL change pairs before generating 9437 signing records for any remaining DNSKEY changes. 9438 [RT #22590] 9439 94403011. [func] Change the default query timeout from 30 seconds 9441 to 10. 
Allow setting this in named.conf using the new 9442 'resolver-query-timeout' option, which specifies a max 9443 time in seconds. 0 means 'default' and anything longer 9444 than 30 will be silently set to 30. [RT #22852] 9445 94463010. [bug] Fixed a bug where "rndc reconfig" stopped the timer 9447 for refreshing managed-keys. [RT #22296] 9448 94493009. [bug] clients-per-query code didn't work as expected with 9450 particular query patterns. [RT #22972] 9451 9452 --- 9.8.0b1 released --- 9453 94543008. [func] Response policy zones (RPZ) support. [RT #21726] 9455 94563007. [bug] Named failed to preserve the case of domain names in 9457 rdata which is not compressible when writing master 9458 files. [RT #22863] 9459 94603006. [func] Allow dynamically generated TSIG keys to be preserved 9461 across restarts of named. Initially this is for 9462 TSIG keys generated using GSSAPI. [RT #22639] 9463 94643005. [port] Solaris: Work around the lack of 9465 gsskrb5_register_acceptor_identity() by setting 9466 the KRB5_KTNAME environment variable to the 9467 contents of tkey-gssapi-keytab. Also fixed 9468 test errors on MacOSX. [RT #22853] 9469 94703004. [func] DNS64 reverse support. [RT #22769] 9471 94723003. [experimental] Added update-policy match type "external", 9473 enabling named to defer the decision of whether to 9474 allow a dynamic update to an external daemon. 9475 (Contributed by Andrew Tridgell.) [RT #22758] 9476 94773002. [bug] isc_mutex_init_errcheck() failed to destroy attr. 9478 [RT #22766] 9479 94803001. [func] Added a default trust anchor for the root zone, which 9481 can be switched on by setting "dnssec-validation auto;" 9482 in the named.conf options. [RT #21727] 9483 94843000. [bug] More TKEY/GSS fixes: 9485 - nsupdate can now get the default realm from 9486 the user's Kerberos principal 9487 - corrected gsstest compilation flags 9488 - improved documentation 9489 - fixed some NULL dereferences 9490 [RT #22795] 9491 94922999. 
[func] Add GOST support (RFC 5933). [RT #20639] 9493 94942998. [func] Add isc_task_beginexclusive and isc_task_endexclusive 9495 to the task api. [RT #22776] 9496 94972997. [func] named -V now reports the OpenSSL and libxml2 versions 9498 it was compiled against. [RT #22687] 9499 95002996. [security] Temporarily disable SO_ACCEPTFILTER support. 9501 [RT #22589] 9502 95032995. [bug] The Kerberos realm was not being correctly extracted 9504 from the signer's identity. [RT #22770] 9505 95062994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and 9507 do not use threads on earlier versions. Also kill 9508 the unproven-pthreads, mit-pthreads, and ptl2 support. 9509 95102993. [func] Dynamically grow adb hash tables. [RT #21186] 9511 95122992. [contrib] contrib/check-secure-delegation.pl: A simple tool 9513 for looking at a secure delegation. [RT #22059] 9514 95152991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for 9516 dynamic zones. [RT #22365] 9517 95182990. [bug] 'dnssec-settime -S' no longer tests prepublication 9519 interval validity when the interval is set to 0. 9520 [RT #22761] 9521 95222989. [func] Added support for writable DLZ zones. (Contributed 9523 by Andrew Tridgell of the Samba project.) [RT #22629] 9524 95252988. [experimental] Added a "dlopen" DLZ driver, allowing the creation 9526 of external DLZ drivers that can be loaded as 9527 shared objects at runtime rather than linked with 9528 named. Currently this is switched on via a 9529 compile-time option, "configure --with-dlz-dlopen". 9530 Note: the syntax for configuring DLZ zones 9531 is likely to be refined in future releases. 9532 (Contributed by Andrew Tridgell of the Samba 9533 project.) [RT #22629] 9534 95352987. [func] Improve ease of configuring TKEY/GSS updates by 9536 adding a "tkey-gssapi-keytab" option. If set, 9537 updates will be allowed with any key matching 9538 a principal in the specified keytab file. 
9539 "tkey-gssapi-credential" is no longer required 9540 and is expected to be deprecated. (Contributed 9541 by Andrew Tridgell of the Samba project.) 9542 [RT #22629] 9543 95442986. [func] Add new zone type "static-stub". It's like a stub 9545 zone, but the nameserver names and/or their IP 9546 addresses are statically configured. [RT #21474] 9547 95482985. [bug] Add a regression test for change #2896. [RT #21324] 9549 95502984. [bug] Don't run MX checks when the target of the MX record 9551 is ".". [RT #22645] 9552 95532983. [bug] Include "loadkeys" in rndc help output. [RT #22493] 9554 9555 --- 9.8.0a1 released --- 9556 95572982. [bug] Reference count dst keys. dst_key_attach() can be used 9558 increment the reference count. 9559 9560 Note: dns_tsigkey_createfromkey() callers should now 9561 always call dst_key_free() rather than setting it 9562 to NULL on success. [RT #22672] 9563 95642981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991] 9565 95662980. [bug] named didn't properly handle UPDATES that changed the 9567 TTL of the NSEC3PARAM RRset. [RT #22363] 9568 95692979. [bug] named could deadlock during shutdown if two 9570 "rndc stop" commands were issued at the same 9571 time. [RT #22108] 9572 95732978. [port] hpux: look for <devpoll.h> [RT #21919] 9574 95752977. [bug] 'nsupdate -l' report if the session key is missing. 9576 [RT #21670] 9577 95782976. [bug] named could die on exit after negotiating a GSS-TSIG 9579 key. [RT #22573] 9580 95812975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the 9582 wrong lock which could lead to server deadlock. 9583 [RT #22614] 9584 95852974. [bug] Some valid UPDATE requests could fail due to a 9586 consistency check examining the existing version 9587 of the zone rather than the new version resulting 9588 from the UPDATE. [RT #22413] 9589 95902973. 
[bug] bind.keys.h was being removed by the "make clean" 9591 at the end of configure resulting in build failures 9592 where there is very old version of perl installed. 9593 Move it to "make maintainer-clean". [RT #22230] 9594 95952972. [bug] win32: address windows socket errors. [RT #21906] 9596 95972971. [bug] Fixed a bug that caused journal files not to be 9598 compacted on Windows systems as a result of 9599 non-POSIX-compliant rename() semantics. [RT #22434] 9600 96012970. [security] Adding a NO DATA negative cache entry failed to clear 9602 any matching RRSIG records. A subsequent lookup of 9603 of NO DATA cache entry could trigger a INSIST when the 9604 unexpected RRSIG was also returned with the NO DATA 9605 cache entry. 9606 9607 CVE-2010-3613, VU#706148. [RT #22288] 9608 96092969. [security] Fix acl type processing so that allow-query works 9610 in options and view statements. Also add a new 9611 set of tests to verify proper functioning. 9612 9613 CVE-2010-3615, VU#510208. [RT #22418] 9614 96152968. [security] Named could fail to prove a data set was insecure 9616 before marking it as insecure. One set of conditions 9617 that can trigger this occurs naturally when rolling 9618 DNSKEY algorithms. 9619 9620 CVE-2010-3614, VU#837744. [RT #22309] 9621 96222967. [bug] 'host -D' now turns on debugging messages earlier. 9623 [RT #22361] 9624 96252966. [bug] isc_print_vsnprintf() failed to check if there was 9626 space available in the buffer when adding a left 9627 justified character with a non zero width, 9628 (e.g. "%-1c"). [RT #22270] 9629 96302965. [func] Test HMAC functions using test data from RFC 2104 and 9631 RFC 4634. [RT #21702] 9632 96332964. [placeholder] 9634 96352963. [security] The allow-query acl was being applied instead of the 9636 allow-query-cache acl to cache lookups. [RT #22114] 9637 96382962. [port] win32: add more dependencies to BINDBuild.dsw. 9639 [RT #22062] 9640 96412961. 
[bug] Be still more selective about the non-authoritative 9642 answers we apply change 2748 to. [RT #22074] 9643 96442960. [func] Check that named accepts non-authoritative answers. 9645 [RT #21594] 9646 96472959. [func] Check that named starts with a missing masterfile. 9648 [RT #22076] 9649 96502958. [bug] named failed to start with a missing master file. 9651 [RT #22076] 9652 96532957. [bug] entropy_get() and entropy_getpseudo() failed to match 9654 the API for RAND_bytes() and RAND_pseudo_bytes() 9655 respectively. [RT #21962] 9656 96572956. [port] Enable atomic operations on the PowerPC64. [RT #21899] 9658 96592955. [func] Provide more detail in the recursing log. [RT #22043] 9660 96612954. [bug] contrib: dlz_mysql_driver.c bad error handling on 9662 build_sqldbinstance failure. [RT #21623] 9663 96642953. [bug] Silence spurious "expected covering NSEC3, got an 9665 exact match" message when returning a wildcard 9666 no data response. [RT #21744] 9667 96682952. [port] win32: named-checkzone and named-checkconf failed 9669 to initialize winsock. [RT #21932] 9670 96712951. [bug] named failed to generate a correct signed response 9672 in a optout, delegation only zone with no secure 9673 delegations. [RT #22007] 9674 96752950. [bug] named failed to perform a SOA up to date check when 9676 falling back to TCP on UDP timeouts when 9677 ixfr-from-differences was set. [RT #21595] 9678 96792949. [bug] dns_view_setnewzones() contained a memory leak if 9680 it was called multiple times. [RT #21942] 9681 96822948. [port] MacOS: provide a mechanism to configure the test 9683 interfaces at reboot. See bin/tests/system/README 9684 for details. 9685 96862947. [placeholder] 9687 96882946. [doc] Document the default values for the minimum and maximum 9689 zone refresh and retry values in the ARM. [RT #21886] 9690 96912945. [doc] Update empty-zones list in ARM. [RT #21772] 9692 96932944. [maint] Remove ORCHID prefix from built in empty zones. 9694 [RT #21772] 9695 96962943. 
[func] Add support to load new keys into managed zones 9697 without signing immediately with "rndc loadkeys". 9698 Add support to link keys with "dnssec-keygen -S" 9699 and "dnssec-settime -S". [RT #21351] 9700 97012942. [contrib] zone2sqlite failed to setup the entropy sources. 9702 [RT #21610] 9703 97042941. [bug] sdb and sdlz (dlz's zone database) failed to support 9705 DNAME at the zone apex. [RT #21610] 9706 97072940. [port] Remove connection aborted error message on 9708 Windows. [RT #21549] 9709 97102939. [func] Check that named successfully skips NSEC3 records 9711 that fail to match the NSEC3PARAM record currently 9712 in use. [RT #21868] 9713 97142938. [bug] When generating signed responses, from a signed zone 9715 that uses NSEC3, named would use a uninitialized 9716 pointer if it needed to skip a NSEC3 record because 9717 it didn't match the selected NSEC3PARAM record for 9718 zone. [RT #21868] 9719 97202937. [bug] Worked around an apparent race condition in over 9721 memory conditions. Without this fix a DNS cache DB or 9722 ADB could incorrectly stay in an over memory state, 9723 effectively refusing further caching, which 9724 subsequently made a BIND 9 caching server unworkable. 9725 This fix prevents this problem from happening by 9726 polling the state of the memory context, rather than 9727 making a copy of the state, which appeared to cause 9728 a race. This is a "workaround" in that it doesn't 9729 solve the possible race per se, but several experiments 9730 proved this change solves the symptom. Also, the 9731 polling overhead hasn't been reported to be an issue. 9732 This bug should only affect a caching server that 9733 specifies a finite max-cache-size. It's also quite 9734 likely that the bug happens only when enabling threads, 9735 but it's not confirmed yet. [RT #21818] 9736 97372936. [func] Improved configuration syntax and multiple-view 9738 support for addzone/delzone feature (see change 9739 #2930). 
Removed "new-zone-file" option, replaced 9740 with "allow-new-zones (yes|no)". The new-zone-file 9741 for each view is now created automatically, with 9742 a filename generated from a hash of the view name. 9743 It is no longer necessary to "include" the 9744 new-zone-file in named.conf; this happens 9745 automatically. Zones that were not added via 9746 "rndc addzone" can no longer be removed with 9747 "rndc delzone". [RT #19447] 9748 97492935. [bug] nsupdate: improve 'file not found' error message. 9750 [RT #21871] 9751 97522934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c. 9753 [RT #21871] 9754 97552933. [bug] 'dig +nsid' used stack memory after it went out of 9756 scope. This could potentially result in a unknown, 9757 potentially malformed, EDNS option being sent instead 9758 of the desired NSID option. [RT #21781] 9759 97602932. [cleanup] Corrected a numbering error in the "dnssec" test. 9761 [RT #21597] 9762 97632931. [bug] Temporarily and partially disable change 2864 9764 because it would cause infinite attempts of RRSIG 9765 queries. This is an urgent care fix; we'll 9766 revisit the issue and complete the fix later. 9767 [RT #21710] 9768 97692930. [experimental] New "rndc addzone" and "rndc delzone" commands 9770 allow dynamic addition and deletion of zones. 9771 To enable this feature, specify a "new-zone-file" 9772 option at the view or options level in named.conf. 9773 Zone configuration information for the new zones 9774 will be written into that file. To make the new 9775 zones persist after a restart, "include" the file 9776 into named.conf in the appropriate view. (Note: 9777 This feature is not yet documented, and its syntax 9778 is expected to change.) [RT #19447] 9779 97802929. 
[bug] Improved handling of GSS security contexts: 9781 - added LRU expiration for generated TSIGs 9782 - added the ability to use a non-default realm 9783 - added new "realm" keyword in nsupdate 9784 - limited lifetime of generated keys to 1 hour 9785 or the lifetime of the context (whichever is 9786 smaller) 9787 [RT #19737] 9788 97892928. [bug] Be more selective about the non-authoritative 9790 answer we apply change 2748 to. [RT #21594] 9791 97922927. [placeholder] 9793 97942926. [placeholder] 9795 97962925. [bug] Named failed to accept uncachable negative responses 9797 from insecure zones. [RT #21555] 9798 97992924. [func] 'rndc secroots' dump a combined summary of the 9800 current managed keys combined with trusted keys. 9801 [RT #20904] 9802 98032923. [bug] 'dig +trace' could drop core after "connection 9804 timeout". [RT #21514] 9805 98062922. [contrib] Update zkt to version 1.0. 9807 98082921. [bug] The resolver could attempt to destroy a fetch context 9809 too soon. [RT #19878] 9810 98112920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively 9812 to IPv4 clients. New acl 'filter-aaaa' (default any). 9813 98142919. [func] Add autosign-ksk and autosign-zsk virtual time tests. 9815 [RT #20840] 9816 98172918. [maint] Add AAAA address for I.ROOT-SERVERS.NET. 9818 98192917. [func] Virtual time test framework. [RT #20801] 9820 98212916. [func] Add framework to use IPv6 in tests. 9822 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7 9823 98242915. [cleanup] Be smarter about which objects we attempt to compile 9825 based on configure options. [RT #21444] 9826 98272914. [bug] Make the "autosign" system test more portable. 9828 [RT #20997] 9829 98302913. [func] Add pkcs#11 system tests. [RT #20784] 9831 98322912. [func] Windows clients don't like UPDATE responses that clear 9833 the zone section. [RT #20986] 9834 98352911. [bug] dnssec-signzone didn't handle out of zone records well. 9836 [RT #21367] 9837 98382910. [func] Sanity check Kerberos credentials. 
[RT #20986] 9839 98402909. [bug] named-checkconf -p could die if "update-policy local;" 9841 was specified in named.conf. [RT #21416] 9842 98432908. [bug] It was possible for re-signing to stop after removing 9844 a DNSKEY. [RT #21384] 9845 98462907. [bug] The export version of libdns had undefined references. 9847 [RT #21444] 9848 98492906. [bug] Address RFC 5011 implementation issues. [RT #20903] 9850 98512905. [port] aix: set use_atomic=yes with native compiler. 9852 [RT #21402] 9853 98542904. [bug] When using DLV, sub-zones of the zones in the DLV, 9855 could be incorrectly marked as insecure instead of 9856 secure leading to negative proofs failing. This was 9857 a unintended outcome from change 2890. [RT #21392] 9858 98592903. [bug] managed-keys-directory missing from namedconf.c. 9860 [RT #21370] 9861 98622902. [func] Add regression test for change 2897. [RT #21040] 9863 98642901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316] 9865 98662900. [bug] The placeholder negative caching element was not 9867 properly constructed triggering a INSIST in 9868 dns_ncache_towire(). [RT #21346] 9869 98702899. [port] win32: Support linking against OpenSSL 1.0.0. 9871 98722898. [bug] nslookup leaked memory when -domain=value was 9873 specified. [RT #21301] 9874 98752897. [bug] NSEC3 chains could be left behind when transitioning 9876 to insecure. [RT #21040] 9877 98782896. [bug] "rndc sign" failed to properly update the zone 9879 when adding a DNSKEY for publication only. [RT #21045] 9880 98812895. [func] genrandom: add support for the generation of multiple 9882 files. [RT #20917] 9883 98842894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294] 9885 98862893. [bug] Improve managed keys support. New named.conf option 9887 managed-keys-directory. [RT #20924] 9888 98892892. [bug] Handle REVOKED keys better. [RT #20961] 9890 98912891. [maint] Update empty-zones list to match 9892 draft-ietf-dnsop-default-local-zones-13. [RT #21099] 9893 98942890. 
[bug] Handle the introduction of new trusted-keys and 9895 DS, DLV RRsets better. [RT #21097] 9896 98972889. [bug] Elements of the grammar where not properly reported. 9898 [RT #21046] 9899 99002888. [bug] Only the first EDNS option was displayed. [RT #21273] 9901 99022887. [bug] Report the keytag times in UTC in the .key file, 9903 local time is presented as a comment within the 9904 comment. [RT #21223] 9905 99062886. [bug] ctime() is not thread safe. [RT #21223] 9907 99082885. [bug] Improve -fno-strict-aliasing support probing in 9909 configure. [RT #21080] 9910 99112884. [bug] Insufficient validation in dns_name_getlabelsequence(). 9912 [RT #21283] 9913 99142883. [bug] 'dig +short' failed to handle really large datasets. 9915 [RT #21113] 9916 99172882. [bug] Remove memory context from list of active contexts 9918 before clearing 'magic'. [RT #21274] 9919 99202881. [bug] Reduce the amount of time the rbtdb write lock 9921 is held when closing a version. [RT #21198] 9922 99232880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke 9924 consistent. [RT #21078] 9925 99262879. [contrib] DLZ bdbhpt driver fails to close correct cursor. 9927 [RT #21106] 9928 99292878. [func] Incrementally write the master file after performing 9930 a AXFR. [RT #21010] 9931 99322877. [bug] The validator failed to skip obviously mismatching 9933 RRSIGs. [RT #21138] 9934 99352876. [bug] Named could return SERVFAIL for negative responses 9936 from unsigned zones. [RT #21131] 9937 99382875. [bug] dns_time64_fromtext() could accept non digits. 9939 [RT #21033] 9940 99412874. [bug] Cache lack of EDNS support only after the server 9942 successfully responds to the query using plain DNS. 9943 [RT #20930] 9944 99452873. [bug] Canceling a dynamic update via the dns/client module 9946 could trigger an assertion failure. [RT #21133] 9947 99482872. [bug] Modify dns/client.c:dns_client_createx() to only 9949 require one of IPv4 or IPv6 rather than both. 9950 [RT #21122] 9951 99522871. 
[bug] Type mismatch in mem_api.c between the definition and 9953 the header file, causing build failure with 9954 --enable-exportlib. [RT #21138] 9955 99562870. [maint] Add AAAA address for L.ROOT-SERVERS.NET. 9957 99582869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. 9959 [RT #20877] 9960 99612868. [cleanup] Run "make clean" at the end of configure to ensure 9962 any changes made by configure are integrated. 9963 Use --with-make-clean=no to disable. [RT #20994] 9964 99652867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers 9966 don't like it. [RT #20986] 9967 99682866. [bug] Windows does not like the TSIG name being compressed. 9969 [RT #20986] 9970 99712865. [bug] memset to zero event.data. [RT #20986] 9972 99732864. [bug] Direct SIG/RRSIG queries were not handled correctly. 9974 [RT #21050] 9975 99762863. [port] linux: disable IPv6 PMTUD and use network minimum MTU. 9977 [RT #21056] 9978 99792862. [bug] nsupdate didn't default to the parent zone when 9980 updating DS records. [RT #20896] 9981 99822861. [doc] dnssec-settime man pages didn't correctly document the 9983 inactivation time. [RT #21039] 9984 99852860. [bug] named-checkconf's usage was out of date. [RT #21039] 9986 99872859. [bug] When canceling validation it was possible to leak 9988 memory. [RT #20800] 9989 99902858. [bug] RTT estimates were not being adjusted on ICMP errors. 9991 [RT #20772] 9992 99932857. [bug] named-checkconf did not fail on a bad trusted key. 9994 [RT #20705] 9995 99962856. [bug] The size of a memory allocation was not always properly 9997 recorded. [RT #20927] 9998 99992855. [func] nsupdate will now preserve the entered case of domain 10000 names in update requests it sends. [RT #20928] 10001 100022854. [func] dig: allow the final soa record in a axfr response to 10003 be suppressed, dig +onesoa. [RT #20929] 10004 100052853. [bug] add_sigs() could run out of scratch space. [RT #21015] 10006 100072852. [bug] Handle broken DNSSEC trust chains better. 
[RT #15619] 10008 100092851. [doc] nslookup.1, removed <informalexample> from the docbook 10010 source as it produced bad nroff. [RT #21007] 10011 100122850. [bug] If isc_heap_insert() failed due to memory shortage 10013 the heap would have corrupted entries. [RT #20951] 10014 100152849. [bug] Don't treat errors from the xml2 library as fatal. 10016 [RT #20945] 10017 100182848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and 10019 README.rfc5011 into the ARM. [RT #20899] 10020 100212847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921] 10022 100232846. [bug] EOF on unix domain sockets was not being handled 10024 correctly. [RT #20731] 10025 100262845. [bug] RFC 5011 client could crash on shutdown. [RT #20903] 10027 100282844. [doc] notify-delay default in ARM was wrong. It should have 10029 been five (5) seconds. 10030 100312843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from 10032 creating key files if there is a chance that the new 10033 key ID will collide with an existing one after 10034 either of the keys has been revoked. (To override 10035 this in the case of dnssec-keyfromlabel, use the -y 10036 option. dnssec-keygen will simply create a 10037 different, non-colliding key, so an override is 10038 not necessary.) [RT #20838] 10039 100402842. [func] Added "smartsign" and improved "autosign" and 10041 "dnssec" regression tests. [RT #20865] 10042 100432841. [bug] Change 2836 was not complete. [RT #20883] 10044 100452840. [bug] Temporary fixed pkcs11-destroy usage check. 10046 [RT #20760] 10047 100482839. [bug] A KSK revoked by named could not be deleted. 10049 [RT #20881] 10050 100512838. [placeholder] 10052 100532837. [port] Prevent Linux spurious warnings about fwrite(). 10054 [RT #20812] 10055 100562836. [bug] Keys that were scheduled to become active could 10057 be delayed. [RT #20874] 10058 100592835. 
[bug] Key inactivity dates were inadvertently stored in 10060 the private key file with the outdated tag 10061 "Unpublish" rather than "Inactive". This has been 10062 fixed; however, any existing keys that had Inactive 10063 dates set will now need to have them reset, using 10064 'dnssec-settime -I'. [RT #20868] 10065 100662834. [bug] HMAC-SHA* keys that were longer than the algorithm 10067 digest length were used incorrectly, leading to 10068 interoperability problems with other DNS 10069 implementations. This has been corrected. 10070 (Note: If an oversize key is in use, and 10071 compatibility is needed with an older release of 10072 BIND, the new tool "isc-hmac-fixup" can convert 10073 the key secret to a form that will work with all 10074 versions.) [RT #20751] 10075 100762833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime. 10077 [RT #20851] 10078 100792832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c 10080 to avoid redefinition in some OSs [RT 20831] 10081 100822831. [security] Do not attempt to validate or cache 10083 out-of-bailiwick data returned with a secure 10084 answer; it must be re-fetched from its original 10085 source and validated in that context. [RT #20819] 10086 100872830. [bug] Changing the OPTOUT setting could take multiple 10088 passes. [RT #20813] 10089 100902829. [bug] Fixed potential node inconsistency in rbtdb.c. 10091 [RT #20808] 10092 100932828. [security] Cached CNAME or DNAME RR could be returned to clients 10094 without DNSSEC validation. [RT #20737] 10095 100962827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 10097 100982826. [bug] NSEC3->NSEC transitions could fail due to a lock not 10099 being released. [RT #20740] 10100 101012825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that 10102 was in the process of being created was not properly 10103 recorded in the zone. [RT #20786] 10104 101052824. [bug] "rndc sign" was not being run by the correct task. 
10106 [RT #20759] 10107 101082823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781] 10109 101102822. [bug] rbtdb.c:loadnode() could return the wrong result. 10111 [RT #20802] 10112 101132821. [doc] Add note that named-checkconf doesn't automatically 10114 read rndc.key and bind.keys [RT #20758] 10115 101162820. [func] Handle read access failure of OpenSSL configuration 10117 file more user friendly (PKCS#11 engine patch). 10118 [RT #20668] 10119 101202819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define. 10121 [RT #20771] 10122 101232818. [cleanup] rndc could return an incorrect error code 10124 when a zone was not found. [RT #20767] 10125 101262817. [cleanup] Removed unnecessary isc_task_endexclusive() calls. 10127 [RT #20768] 10128 101292816. [bug] previous_closest_nsec() could fail to return 10130 data for NSEC3 nodes [RT #29730] 10131 101322815. [bug] Exclusively lock the task when freezing a zone. 10133 [RT #19838] 10134 101352814. [func] Provide a definitive error message when a master 10136 zone is not loaded. [RT #20757] 10137 101382813. [bug] Better handling of unreadable DNSSEC key files. 10139 [RT #20710] 10140 101412812. [bug] Make sure updates can't result in a zone with 10142 NSEC-only keys and NSEC3 records. [RT #20748] 10143 101442811. [cleanup] Add "rndc sign" to list of commands in rndc usage 10145 output. [RT #20733] 10146 101472810. [doc] Clarified the process of transitioning an NSEC3 zone 10148 to insecure. [RT #20746] 10149 101502809. [cleanup] Restored accidentally-deleted text in usage output 10151 in dnssec-settime and dnssec-revoke [RT #20739] 10152 101532808. [bug] Remove the attempt to install atomic.h from lib/isc. 10154 atomic.h is correctly installed by the architecture 10155 specific subdirectories. [RT #20722] 10156 101572807. [bug] Fixed a possible ASSERT when reconfiguring zone 10158 keys. [RT #20720] 10159 10160 --- 9.7.0rc1 released --- 10161 101622806. 
[bug] "rdnc sign" could delay re-signing the DNSKEY 10163 when it had changed. [RT #20703] 10164 101652805. [bug] Fixed namespace problems encountered when building 10166 external programs using non-exported BIND9 libraries 10167 (i.e., built without --enable-exportlib). [RT #20679] 10168 101692804. [bug] Send notifies when a zone is signed with "rndc sign" 10170 or as a result of a scheduled key change. [RT #20700] 10171 101722803. [port] win32: Install named-journalprint, nsec3hash, arpaname 10173 and genrandom under windows. [RT #20670] 10174 101752802. [cleanup] Rename journalprint to named-journalprint. [RT #20670] 10176 101772801. [func] Detect and report records that are different according 10178 to DNSSEC but are semantically equal according to plain 10179 DNS. Apply plain DNS comparisons rather than DNSSEC 10180 comparisons when processing UPDATE requests. 10181 dnssec-signzone now removes such semantically duplicate 10182 records prior to signing the RRset. 10183 10184 named-checkzone -r {ignore|warn|fail} (default warn) 10185 named-compilezone -r {ignore|warn|fail} (default warn) 10186 10187 named.conf: check-dup-records {ignore|warn|fail}; 10188 101892800. [func] Reject zones which have NS records which refer to 10190 CNAMEs, DNAMEs or don't have address record (class IN 10191 only). Reject UPDATEs which would cause the zone 10192 to fail the above checks if committed. [RT #20678] 10193 101942799. [cleanup] Changed the "secure-to-insecure" option to 10195 "dnssec-secure-to-insecure", and "dnskey-ksk-only" 10196 to "dnssec-dnskey-kskonly", for clarity. [RT #20586] 10197 101982798. [bug] Addressed bugs in managed-keys initialization 10199 and rollover. [RT #20683] 10200 102012797. [bug] Don't decrement the dispatch manager's maxbuffers. 10202 [RT #20613] 10203 102042796. [bug] Missing dns_rdataset_disassociate() call in 10205 dns_nsec3_delnsec3sx(). [RT #20681] 10206 102072795. 
[cleanup] Add text to differentiate "update with no effect" 10208 log messages. [RT #18889] 10209 102102794. [bug] Install <isc/namespace.h>. [RT #20677] 10211 102122793. [func] Add "autosign" and "metadata" tests to the 10213 automatic tests. [RT #19946] 10214 102152792. [func] "filter-aaaa-on-v4" can now be set in view 10216 options (if compiled in). [RT #20635] 10217 102182791. [bug] The installation of isc-config.sh was broken. 10219 [RT #20667] 10220 102212790. [bug] Handle DS queries to stub zones. [RT #20440] 10222 102232789. [bug] Fixed an INSIST in dispatch.c [RT #20576] 10224 102252788. [bug] dnssec-signzone could sign with keys that were 10226 not requested [RT #20625] 10227 102282787. [bug] Spurious log message when zone keys were 10229 dynamically reconfigured. [RT #20659] 10230 102312786. [bug] Additional could be promoted to answer. [RT #20663] 10232 10233 --- 9.7.0b3 released --- 10234 102352785. [bug] Revoked keys could fail to self-sign [RT #20652] 10236 102372784. [bug] TC was not always being set when required glue was 10238 dropped. [RT #20655] 10239 102402783. [func] Return minimal responses to EDNS/UDP queries with a UDP 10241 buffer size of 512 or less. [RT #20654] 10242 102432782. [port] win32: use getaddrinfo() for hostname lookups. 10244 [RT #20650] 10245 102462781. [bug] Inactive keys could be used for signing. [RT #20649] 10247 102482780. [bug] dnssec-keygen -A none didn't properly unset the 10249 activation date in all cases. [RT #20648] 10250 102512779. [bug] Dynamic key revocation could fail. [RT #20644] 10252 102532778. [bug] dnssec-signzone could fail when a key was revoked 10254 without deleting the unrevoked version. [RT #20638] 10255 102562777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 10257 102582776. [bug] Change #2762 was not correct. [RT #20647] 10259 102602775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible 10261 in dnssec-keyfromlabel. [RT #20643] 10262 102632774. 
[bug] Existing cache DB wasn't being reused after 10264 reconfiguration. [RT #20629] 10265 102662773. [bug] In autosigned zones, the SOA could be signed 10267 with the KSK. [RT #20628] 10268 102692772. [security] When validating, track whether pending data was from 10270 the additional section or not and only return it if 10271 validates as secure. [RT #20438] 10272 102732771. [bug] dnssec-signzone: DNSKEY records could be 10274 corrupted when importing from key files [RT #20624] 10275 102762770. [cleanup] Add log messages to resolver.c to indicate events 10277 causing FORMERR responses. [RT #20526] 10278 102792769. [cleanup] Change #2742 was incomplete. [RT #19589] 10280 102812768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568] 10282 102832767. [bug] named could crash on startup if a zone was 10284 configured with auto-dnssec and there was no 10285 key-directory. [RT #20615] 10286 102872766. [bug] isc_socket_fdwatchpoke() should only update the 10288 socketmgr state if the socket is not pending on a 10289 read or write. [RT #20603] 10290 102912765. [bug] Skip masters for which the TSIG key cannot be found. 10292 [RT #20595] 10293 102942764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610] 10295 102962763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591] 10297 102982762. [bug] DLV validation failed with a local slave DLV zone. 10299 [RT #20577] 10300 103012761. [cleanup] Enable internal symbol table for backtrace only for 10302 systems that are known to work. Currently, BSD 10303 variants, Linux and Solaris are supported. [RT #20202] 10304 103052760. [cleanup] Corrected named-compilezone usage summary. [RT #20533] 10306 103072759. [doc] Add information about .jbk/.jnw files to 10308 the ARM. [RT #20303] 10309 103102758. [bug] win32: Added a workaround for a windows 2008 bug 10311 that could cause the UDP client handler to shut 10312 down. [RT #19176] 10313 103142757. 
[bug] dig: assertion failure could occur in connect 10315 timeout. [RT #20599] 10316 103172756. [bug] Fixed corrupt logfile message in update.c. [RT #20597] 10318 103192755. [placeholder] 10320 103212754. [bug] Secure-to-insecure transitions failed when zone 10322 was signed with NSEC3. [RT #20587] 10323 103242753. [bug] Removed an unnecessary warning that could appear when 10325 building an NSEC chain. [RT #20589] 10326 103272752. [bug] Locking violation. [RT #20587] 10328 103292751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588] 10330 103312750. [bug] dig: assertion failure could occur when a server 10332 didn't have an address. [RT #20579] 10333 103342749. [bug] ixfr-from-differences generated a non-minimal ixfr 10335 for NSEC3 signed zones. [RT #20452] 10336 103372748. [func] Identify bad answers from GTLD servers and treat them 10338 as referrals. [RT #18884] 10339 103402747. [bug] Journal roll forwards failed to set the re-signing 10341 time of RRSIGs correctly. [RT #20541] 10342 103432746. [port] hpux: address signed/unsigned expansion mismatch of 10344 dns_rbtnode_t.nsec. [RT #20542] 10345 103462745. [bug] configure script didn't probe the return type of 10347 gai_strerror(3) correctly. [RT #20573] 10348 103492744. [func] Log if a query was over TCP. [RT #19961] 10350 103512743. [bug] RRSIG could be incorrectly set in the NSEC3 record 10352 for a insecure delegation. 10353 10354 --- 9.7.0b2 released --- 10355 103562742. [cleanup] Clarify some DNSSEC-related log messages in 10357 validator.c. [RT #19589] 10358 103592741. [func] Allow the dnssec-keygen progress messages to be 10360 suppressed (dnssec-keygen -q). Automatically 10361 suppress the progress messages when stdin is not 10362 a tty. [RT #20474] 10363 103642740. [placeholder] 10365 103662739. [cleanup] Clean up API for initializing and clearing trust 10367 anchors for a view. [RT #20211] 10368 103692738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system 10370 test. 
[RT #20453] 10371 103722737. [func] UPDATE requests can leak existence information. 10373 [RT #17261] 10374 103752736. [func] Improve the performance of NSEC signed zones with 10376 more than a normal amount of glue below a delegation. 10377 [RT #20191] 10378 103792735. [bug] dnssec-signzone could fail to read keys 10380 that were specified on the command line with 10381 full paths, but weren't in the current 10382 directory. [RT #20421] 10383 103842734. [port] cygwin: arpaname did not compile. [RT #20473] 10385 103862733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355] 10387 103882732. [func] Add optional filter-aaaa-on-v4 option, available 10389 if built with './configure --enable-filter-aaaa'. 10390 Filters out AAAA answers to clients connecting 10391 via IPv4. (This is NOT recommended for general 10392 use.) [RT #20339] 10393 103942731. [func] Additional work on change 2709. The key parser 10395 will now ignore unrecognized fields when the 10396 minor version number of the private key format 10397 has been increased. It will reject any key with 10398 the major version number increased. [RT #20310] 10399 104002730. [func] Have dnssec-keygen display a progress indication 10401 a la 'openssl genrsa' on standard error. Note 10402 when the first '.' is followed by a long stop 10403 one has the choice between slow generation vs. 10404 poor random quality, i.e., '-r /dev/urandom'. 10405 [RT #20284] 10406 104072729. [func] When constructing a CNAME from a DNAME use the DNAME 10408 TTL. [RT #20451] 10409 104102728. [bug] dnssec-keygen, dnssec-keyfromlabel and 10411 dnssec-signzone now warn immediately if asked to 10412 write into a nonexistent directory. [RT #20278] 10413 104142727. [func] The 'key-directory' option can now specify a relative 10415 path. [RT #20154] 10416 104172726. [func] Added support for SHA-2 DNSSEC algorithms, 10418 RSASHA256 and RSASHA512. [RT #20023] 10419 104202725. 
[doc] Added information about the file "managed-keys.bind" 10421 to the ARM. [RT #20235] 10422 104232724. [bug] Updates to a existing node in secure zone using NSEC 10424 were failing. [RT #20448] 10425 104262723. [bug] isc_base32_totext(), isc_base32hex_totext(), and 10427 isc_base64_totext(), didn't always mark regions of 10428 memory as fully consumed after conversion. [RT #20445] 10429 104302722. [bug] Ensure that the memory associated with the name of 10431 a node in a rbt tree is not altered during the life 10432 of the node. [RT #20431] 10433 104342721. [port] Have dst__entropy_status() prime the random number 10435 generator. [RT #20369] 10436 104372720. [bug] RFC 5011 trust anchor updates could trigger an 10438 assert if the DNSKEY record was unsigned. [RT #20406] 10439 104402719. [func] Skip trusted/managed keys for unsupported algorithms. 10441 [RT #20392] 10442 104432718. [bug] The space calculations in opensslrsa_todns() were 10444 incorrect. [RT #20394] 10445 104462717. [bug] named failed to update the NSEC/NSEC3 record when 10447 the last private type record was removed as a result 10448 of completing the signing the zone with a key. 10449 [RT #20399] 10450 104512716. [bug] nslookup debug mode didn't return the ttl. [RT #20414] 10452 10453 --- 9.7.0b1 released --- 10454 104552715. [bug] Require OpenSSL support to be explicitly disabled. 10456 [RT #20288] 10457 104582714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler 10459 flags. 10460 104612713. [bug] powerpc: atomic operations missing asm("ics") / 10462 __isync() calls. 10463 104642712. [func] New 'auto-dnssec' zone option allows zone signing 10465 to be fully automated in zones configured for 10466 dynamic DNS. 'auto-dnssec allow;' permits a zone 10467 to be signed by creating keys for it in the 10468 key-directory and using 'rndc sign <zone>'. 
10469 'auto-dnssec maintain;' allows that too, plus it 10470 also keeps the zone's DNSSEC keys up to date 10471 according to their timing metadata. [RT #19943] 10472 104732711. [port] win32: Add the bin/pkcs11 tools into the full 10474 build. [RT #20372] 10475 104762710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only' 10477 zone option cause a zone to be signed with only KSKs 10478 signing the DNSKEY RRset, not ZSKs. This reduces 10479 the size of a DNSKEY answer. [RT #20340] 10480 104812709. [func] Added some data fields, currently unused, to the 10482 private key file format, to allow implementation 10483 of explicit key rollover in a future release 10484 without impairing backward or forward compatibility. 10485 [RT #20310] 10486 104872708. [func] Insecure to secure and NSEC3 parameter changes via 10488 update are now fully supported and no longer require 10489 defines to enable. We now no longer overload the 10490 NSEC3PARAM flag field, nor the NSEC OPT bit at the 10491 apex. Secure to insecure changes are controlled by 10492 by the named.conf option 'secure-to-insecure'. 10493 10494 Warning: If you had previously enabled support by 10495 adding defines at compile time to BIND 9.6 you should 10496 ensure that all changes that are in progress have 10497 completed prior to upgrading to BIND 9.7. BIND 9.7 10498 is not backwards compatible. 10499 105002707. [func] dnssec-keyfromlabel no longer require engine name 10501 to be specified in the label if there is a default 10502 engine or the -E option has been used. Also, it 10503 now uses default algorithms as dnssec-keygen does 10504 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). 10505 [RT #20371] 10506 105072706. [bug] Loading a zone with a very large NSEC3 salt could 10508 trigger an assert. [RT #20368] 10509 105102705. [placeholder] 10511 105122704. [bug] Serial of dynamic and stub zones could be inconsistent 10513 with their SOA serial. [RT #19387] 10514 105152703. 
        [func]          Introduce an OpenSSL "engine" argument with -E
                        for all binaries which can take benefit of
                        crypto hardware. [RT #20230]

2702.   [func]          Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]

2701.   [doc]           Correction to ARM: hmac-md5 is no longer the only
                        supported TSIG key algorithm. [RT #18046]

2700.   [doc]           The match-mapped-addresses option is discouraged.
                        [RT #12252]

2699.   [bug]           Missing lock in rbtdb.c. [RT #20037]

2698.   [placeholder]

2697.   [port]          win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
                        S_IFREG are defined after including <isc/stat.h>.
                        [RT #20309]

2696.   [bug]           named failed to successfully process some valid
                        acl constructs. [RT #20308]

2695.   [func]          DHCP/DDNS - update fdwatch code for use by
                        DHCP. Modify the api to isc_sockfdwatch_t (the
                        callback function for isc_socket_fdwatchcreate)
                        to include information about the direction (read
                        or write) and add isc_socket_fdwatchpoke.
                        [RT #20253]

2694.   [bug]           Reduce default NSEC3 iterations from 100 to 10.
                        [RT #19970]

2693.   [port]          Add some noreturn attributes. [RT #20257]

2692.   [port]          win32: 32/64 bit cleanups. [RT #20335]

2691.   [func]          dnssec-signzone: retain the existing NSEC or NSEC3
                        chain when re-signing a previously-signed zone.
                        Use -u to modify NSEC3 parameters or switch
                        between NSEC and NSEC3. [RT #20304]

2690.   [bug]           win32: fix isc_thread_key_getspecific() prototype.
                        [RT #20315]

2689.   [bug]           Correctly handle snprintf result. [RT #20306]

2688.   [bug]           Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
                        to decide to fetch the destination address. [RT #20305]

2687.   [bug]           Fixed dnssec-signzone -S handling of revoked keys.
                        Also, added warnings when revoking a ZSK, as this is
                        not defined by protocol (but is legal).
                        [RT #19943]

2686.   [bug]           dnssec-signzone should clean the old NSEC chain when
                        signing with NSEC3 and vice versa. [RT #20301]

2685.   [contrib]       Update contrib/zkt to version 0.99c. [RT #20054]

2684.   [cleanup]       dig: formalize +ad and +cd as synonyms for
                        +adflag and +cdflag. [RT #19305]

2683.   [bug]           dnssec-signzone should clean out old NSEC3 chains when
                        the NSEC3 parameters used to sign the zone change.
                        [RT #20246]

2682.   [bug]           "configure --enable-symtable=all" failed to
                        build. [RT #20282]

2681.   [bug]           IPSECKEY RR of gateway type 3 was not correctly
                        decoded. [RT #20269]

2680.   [func]          Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679.   [func]          dig -k can now accept TSIG keys in named.conf
                        format. [RT #20031]

2678.   [func]          Treat DS queries as if "minimal-response yes;"
                        was set. [RT #20258]

2677.   [func]          Changes to key metadata behavior:
                        - Keys without "publish" or "active" dates set will
                          no longer be used for smart signing. However,
                          those dates will be set to "now" by default when
                          a key is created; to generate a key but not use
                          it yet, use dnssec-keygen -G.
                        - New "inactive" date (dnssec-keygen/settime -I)
                          sets the time when a key is no longer used for
                          signing but is still published.
                        - The "unpublished" date (-U) is deprecated in
                          favor of "deleted" (-D).
                        [RT #20247]

2676.   [bug]           --with-export-installdir should have been
                        --with-export-includedir. [RT #20252]

2675.   [bug]           dnssec-signzone could crash if the key directory
                        did not exist. [RT #20232]

        --- 9.7.0a3 released ---

2674.   [bug]           "dnssec-lookaside auto;" crashed if named was built
                        without openssl. [RT #20231]

2673.
        [bug]           The managed-keys.bind zone file could fail to
                        load due to a spurious result from sync_keyzone()
                        [RT #20045]

2672.   [bug]           Don't enable searching in 'host' when doing reverse
                        lookups. [RT #20218]

2671.   [bug]           Add support for PKCS#11 providers not returning
                        the public exponent in RSA private keys
                        (OpenCryptoki for instance) in
                        dnssec-keyfromlabel. [RT #19294]

2670.   [bug]           Unexpected connect failures failed to log enough
                        information to be useful. [RT #20205]

2669.   [func]          Update PKCS#11 support to support Keyper HSM.
                        Update PKCS#11 patch to be against openssl-0.9.8i.

2668.   [func]          Several improvements to dnssec-* tools, including:
                        - dnssec-keygen and dnssec-settime can now set key
                          metadata fields 0 (to unset a value, use "none")
                        - dnssec-revoke sets the revocation date in
                          addition to the revoke bit
                        - dnssec-settime can now print individual metadata
                          fields instead of always printing all of them,
                          and can print them in unix epoch time format for
                          use by scripts
                        [RT #19942]

2667.   [func]          Add support for logging stack backtrace on assertion
                        failure (not available for all platforms). [RT #19780]

2666.   [func]          Added an 'options' argument to dns_name_fromstring()
                        (API change from 9.7.0a2). [RT #20196]

2665.   [func]          Clarify syntax for managed-keys {} statement, add
                        ARM documentation about RFC 5011 support. [RT #19874]

2664.   [bug]           create_keydata() and minimal_update() in zone.c
                        didn't properly check return values for some
                        functions. [RT #19956]

2663.   [func]          win32: allow named to run as a service using
                        "NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.   [bug]           lwres_getipnodebyname() and lwres_getipnodebyaddr()
                        returned a misleading error code when lwresd was
                        down. [RT #20028]

2661.
        [bug]           Check whether socket fd exceeds FD_SETSIZE when
                        creating lwres context. [RT #20029]

2660.   [func]          Add a new set of DNS libraries for non-BIND9
                        applications. See README.libdns. [RT #19369]

2659.   [doc]           Clarify dnssec-keygen doc: key name must match zone
                        name for DNSSEC keys. [RT #19938]

2658.   [bug]           dnssec-settime and dnssec-revoke didn't process
                        key file paths correctly. [RT #20078]

2657.   [cleanup]       Lower "journal file <path> does not exist, creating it"
                        log level to debug 1. [RT #20058]

2656.   [func]          win32: add a "tools only" check box to the installer
                        which causes it to only install dig, host, nslookup,
                        nsupdate and relevant DLLs. [RT #19998]

2655.   [doc]           Document that key-directory does not affect
                        bind.keys, rndc.key or session.key. [RT #20155]

2654.   [bug]           Improve error reporting on duplicated names for
                        deny-answer-xxx. [RT #20164]

2653.   [bug]           Treat ENGINE_load_private_key() failures as key
                        not found rather than out of memory. [RT #18033]

2652.   [func]          Provide more detail about what record is being
                        deleted. [RT #20061]

2651.   [bug]           Dates could print incorrectly in K*.key files on
                        64-bit systems. [RT #20076]

2650.   [bug]           Assertion failure in dnssec-signzone when trying
                        to read keyset-* files. [RT #20075]

2649.   [bug]           Set the domain for forward only zones. [RT #19944]

2648.   [port]          win32: isc_time_seconds() was broken. [RT #19900]

2647.   [bug]           Remove unnecessary SOA updates when a new KSK is
                        added. [RT #19913]

2646.   [bug]           Incorrect cleanup on error in socket.c. [RT #19987]

2645.   [port]          "gcc -m32" didn't work on amd64 and x86_64 platforms
                        which default to 64 bits. [RT #19927]

        --- 9.7.0a2 released ---

2644.
        [bug]           Change #2628 caused a regression on some systems;
                        named was unable to write the PID file and would
                        fail on startup. [RT #20001]

2643.   [bug]           Stub zones interacted badly with NSEC3 support.
                        [RT #19777]

2642.   [bug]           nsupdate could dump core on solaris when reading
                        improperly formatted key files. [RT #20015]

2641.   [bug]           Fixed an error in parsing update-policy syntax,
                        added a regression test to check it. [RT #20007]

2640.   [security]      A specially crafted update packet will cause named
                        to exit. [RT #20000]

2639.   [bug]           Silence compiler warnings in gssapi code. [RT #19954]

2638.   [bug]           Install arpaname. [RT #19957]

2637.   [func]          Rationalize dnssec-signzone's signwithkey() calling.
                        [RT #19959]

2636.   [func]          Simplify zone signing and key maintenance with the
                        dnssec-* tools. Major changes:
                        - all dnssec-* tools now take a -K option to
                          specify a directory in which key files will be
                          stored
                        - DNSSEC can now store metadata indicating when
                          they are scheduled to be published, activated,
                          revoked or removed; these values can be set by
                          dnssec-keygen or overwritten by the new
                          dnssec-settime command
                        - dnssec-signzone -S (for "smart") option reads key
                          metadata and uses it to determine automatically
                          which keys to publish to the zone, use for
                          signing, revoke, or remove from the zone
                        [RT #19816]

2635.   [bug]           isc_inet_ntop() incorrectly handled 0.0/16 addresses.
                        [RT #19716]

2634.   [port]          win32: Add support for libxml2, enable
                        statschannel. [RT #19773]

2633.   [bug]           Handle 15 bit rand() functions. [RT #19783]

2632.   [func]          util/kit.sh: warn if documentation appears to be out of
                        date. [RT #19922]

2631.   [bug]           Handle "//", "/./" and "/../" in mkdirpath().
                        [RT #19926]

2630.
        [func]          Improved syntax for DDNS autoconfiguration: use
                        "update-policy local;" to switch on local DDNS in a
                        zone. (The "ddns-autoconf" option has been removed.)
                        [RT #19875]

2629.   [port]          Check for seteuid()/setegid(), use setresuid()/
                        setresgid() if not present. [RT #19932]

2628.   [port]          linux: Allow /var/run/named/named.pid to be opened
                        at startup with reduced capabilities in operation.
                        [RT #19884]

2627.   [bug]           Named aborted if the same key was included in
                        trusted-keys more than once. [RT #19918]

2626.   [bug]           Multiple trusted-keys could trigger an assertion
                        failure. [RT #19914]

2625.   [bug]           Missing UNLOCK in rbtdb.c. [RT #19865]

2624.   [func]          'named-checkconf -p' will print out the parsed
                        configuration. [RT #18871]

2623.   [bug]           Named started searches for DS non-optimally. [RT #19915]

2622.   [bug]           Printing of named.conf grammar was broken. [RT #19919]

2621.   [doc]           Made copyright boilerplate consistent. [RT #19833]

2620.   [bug]           Delay thawing the zone until the reload of it has
                        completed successfully. [RT #19750]

2619.   [func]          Add support for RFC 5011, automatic trust anchor
                        maintenance. The new "managed-keys" statement can
                        be used in place of "trusted-keys" for zones which
                        support this protocol. (Note: this syntax is
                        expected to change prior to 9.7.0 final.) [RT #19248]

2618.   [bug]           The sdb and sdlz db_interator_seek() methods could
                        loop infinitely. [RT #19847]

2617.   [bug]           ifconfig.sh failed to emit an error message when
                        run from the wrong location. [RT #19375]

2616.   [bug]           'host' used the nameservers from resolv.conf even
                        when an explicit nameserver was specified. [RT #19852]

2615.   [bug]           "__attribute__((unused))" was in the wrong place
                        for ia64 gcc builds. [RT #19854]

2614.
        [port]          win32: 'named -v' should automatically be executed
                        in the foreground. [RT #19844]

2613.   [placeholder]

        --- 9.7.0a1 released ---

2612.   [func]          Add default values for the arguments to
                        dnssec-keygen. Without arguments, it will now
                        generate a 1024-bit RSASHA1 zone-signing key,
                        or with the -f KSK option, a 2048-bit RSASHA1
                        key-signing key. [RT #19300]

2611.   [func]          Add -l option to dnssec-dsfromkey to generate
                        DLV records instead of DS records. [RT #19300]

2610.   [port]          sunos: Change #2363 was not complete. [RT #19796]

2609.   [func]          Simplify the configuration of dynamic zones:
                        - add ddns-confgen command to generate
                          configuration text for named.conf
                        - add zone option "ddns-autoconf yes;", which
                          causes named to generate a TSIG session key
                          and allow updates to the zone using that key
                        - add '-l' (localhost) option to nsupdate, which
                          causes nsupdate to connect to a locally-running
                          named process using the session key generated
                          by named
                        [RT #19284]

2608.   [func]          Perform post signing verification checks in
                        dnssec-signzone. These can be disabled with -P.

                        The post sign verification test ensures that for each
                        algorithm in use there is at least one non revoked
                        self signed KSK key. That all revoked KSK keys are
                        self signed. That all records in the zone are signed
                        by the algorithm. [RT #19653]

2607.   [bug]           named could incorrectly delete NSEC3 records for
                        empty nodes when processing an update request.
                        [RT #19749]

2606.   [bug]           "delegation-only" was not being accepted in
                        delegation-only type zones. [RT #19717]

2605.   [bug]           Accept DS responses from delegation only zones.
                        [RT #19296]

2604.
        [func]          Add support for DNS rebinding attack prevention through
                        new options, deny-answer-addresses and
                        deny-answer-aliases. Based on contributed code from
                        JD Nurmi, Google. [RT #18192]

2603.   [port]          win32: handle .exe extension of named-checkzone and
                        named-compilezone argv[0] names under windows.
                        [RT #19767]

2602.   [port]          win32: fix debugging command line build of libisccfg.
                        [RT #19767]

2601.   [doc]           Mention file creation mode mask in the
                        named manual page.

2600.   [doc]           ARM: miscellaneous reformatting for different
                        page widths. [RT #19574]

2599.   [bug]           Address rapid memory growth when validation fails.
                        [RT #19654]

2598.   [func]          Reserve the -F flag. [RT #19657]

2597.   [bug]           Handle a validation failure with an insecure delegation
                        from an NSEC3 signed master/slave zone. [RT #19464]

2596.   [bug]           Stale tree nodes of cache/dynamic rbtdb could stay
                        long, leading to inefficient memory usage or rejecting
                        newer cache entries in the worst case. [RT #19563]

2595.   [bug]           Fix unknown extended rcodes in dig. [RT #19625]

2594.   [func]          Have rndc warn if using its default configuration
                        file when the key file also exists. [RT #19424]

2593.   [bug]           Improve a corner source of SERVFAILs [RT #19632]

2592.   [bug]           Treat "any" as a type in nsupdate. [RT #19455]

2591.   [bug]           named could die when processing an update in
                        removed_orphaned_ds(). [RT #19507]

2590.   [func]          Report zone/class of "update with no effect".
                        [RT #19542]

2589.   [bug]           dns_db_unregister() failed to clear '*dbimp'.
                        [RT #19626]

2588.   [bug]           SO_REUSEADDR could be set unconditionally after failure
                        of bind(2) call. This should be rare and mostly
                        harmless, but may cause interference with other
                        processes that happen to use the same port. [RT #19642]

2587.
        [func]          Improve logging by reporting serial numbers for
                        when zone serial has gone backwards or unchanged.
                        [RT #19506]

2586.   [bug]           Missing cleanup of SIG rdataset in searching a DLZ DB
                        or SDB. [RT #19577]

2585.   [bug]           Uninitialized socket name could be referenced via a
                        statistics channel, triggering an assertion failure in
                        XML rendering. [RT #19427]

2584.   [bug]           alpha: gcc optimization could break atomic operations.
                        [RT #19227]

2583.   [port]          netbsd: provide a control to not add the compile
                        date to the version string, -DNO_VERSION_DATE.

2582.   [bug]           Don't emit warning log message when we attempt to
                        remove non-existent journal. [RT #19516]

2581.   [contrib]       dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
                        Requires MySQL 5.0.19 or later. [RT #19084]

2580.   [bug]           UpdateRej statistics counter could be incremented twice
                        for one rejection. [RT #19476]

2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
                        algorithms. [RT #19479]

2578.   [bug]           Changed default sig-signing-type to 65534, because
                        65535 turns out to be reserved. [RT #19477]

2577.   [doc]           Clarified some statistics counters. [RT #19454]

2576.   [bug]           NSEC records were not being correctly signed when
                        a zone transitions from insecure to secure.
                        Handle such incorrectly signed zones. [RT #19114]

2575.   [func]          New functions dns_name_fromstring() and
                        dns_name_tostring(), to simplify conversion
                        of a string to a dns_name structure and vice
                        versa. [RT #19451]

2574.   [doc]           Document nsupdate -g and -o. [RT #19351]

2573.   [bug]           Replacing a non-CNAME record with a CNAME record in a
                        single transaction in a signed zone failed. [RT #19397]

2572.
        [func]          Simplify DLV configuration, with a new option
                        "dnssec-lookaside auto;" This is the equivalent
                        of "dnssec-lookaside . trust-anchor dlv.isc.org;"
                        plus setting a trusted-key for dlv.isc.org.

                        Note: The trusted key is hard-coded into named,
                        but is also stored in (and can be overridden
                        by) $sysconfdir/bind.keys. As the ISC DLV key
                        rolls over it can be kept up to date by replacing
                        the bind.keys file with a key downloaded from
                        https://www.isc.org/solutions/dlv. [RT #18685]

2571.   [func]          Add a new tool "arpaname" which translates IP addresses
                        to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
                        [RT #18976]

2570.   [func]          Log the destination address the query was sent to.
                        [RT #19209]

2569.   [func]          Move journalprint, nsec3hash, and genrandom
                        commands from bin/tests into bin/tools;
                        "make install" will put them in $sbindir. [RT #19301]

2568.   [bug]           Report when the write to indicate an otherwise
                        successful start fails. [RT #19360]

2567.   [bug]           dst__privstruct_writefile() could miss write errors.
                        write_public_key() could miss write errors.
                        dnssec-dsfromkey could miss write errors.
                        [RT #19360]

2566.   [cleanup]       Clarify logged message when an insecure DNSSEC
                        response arrives from a zone thought to be secure:
                        "insecurity proof failed" instead of "not
                        insecure". [RT #19400]

2565.   [func]          Add support for HIP record. Includes new functions
                        dns_rdata_hip_first(), dns_rdata_hip_next()
                        and dns_rdata_hip_current(). [RT #19384]

2564.   [bug]           Only take EDNS fallback steps when processing timeouts.
                        [RT #19405]

2563.   [bug]           Dig could leak a socket causing it to wait forever
                        to exit. [RT #19359]

2562.   [doc]           ARM: miscellaneous improvements, reorganization,
                        and some new content.

2561.   [doc]           Add isc-config.sh(1) man page.
                        [RT #16378]

2560.   [bug]           Add #include <config.h> to iptable.c. [RT #18258]

2559.   [bug]           dnssec-dsfromkey could compute bad DS records when
                        reading from K* files. [RT #19357]

2558.   [func]          Set the ownership of missing directories created
                        for pid-file if -u has been specified on the command
                        line. [RT #19328]

2557.   [cleanup]       PCI compliance:
                        * new libisc log module file
                        * isc_dir_chroot() now also changes the working
                          directory to "/".
                        * additional INSISTs
                        * additional logging when files can't be removed.

2556.   [port]          Solaris: mkdir(2) on tmpfs filesystems does not do the
                        error checks in the correct order resulting in the
                        wrong error code sometimes being returned. [RT #19249]

2555.   [func]          dig: when emitting a hex dump also display the
                        corresponding characters. [RT #19258]

2554.   [bug]           Validation of uppercase queries from NSEC3 zones could
                        fail. [RT #19297]

2553.   [bug]           Reference leak on DNSSEC validation errors. [RT #19291]

2552.   [bug]           zero-no-soa-ttl-cache was not being honored.
                        [RT #19340]

2551.   [bug]           Potential Reference leak on return. [RT #19341]

2550.   [bug]           Check --with-openssl=<path> finds <openssl/opensslv.h>.
                        [RT #19343]

2549.   [port]          linux: define NR_OPEN if not currently defined.
                        [RT #19344]

2548.   [bug]           Install iterated_hash.h. [RT #19335]

2547.   [bug]           openssl_link.c:mem_realloc() could reference an
                        out-of-range area of the source buffer. New public
                        function isc_mem_reallocate() was introduced to address
                        this bug. [RT #19313]

2546.   [func]          Add --enable-openssl-hash configure flag to use
                        OpenSSL (in place of internal routine) for hash
                        functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.   [doc]           ARM: Legal hostname checking (check-names) is
                        for SRV RDATA too.
                        [RT #19304]

2544.   [cleanup]       Removed unused structure members in adb.c. [RT #19225]

2543.   [contrib]       Update contrib/zkt to version 0.98. [RT #19113]

2542.   [doc]           Update the description of dig +adflag. [RT #19290]

2541.   [bug]           Conditionally update dispatch manager statistics.
                        [RT #19247]

2540.   [func]          Add a nibble mode to $GENERATE. [RT #18872]

2539.   [security]      Update the interaction between recursion, allow-query,
                        allow-query-cache and allow-recursion. [RT #19198]

2538.   [bug]           cache/ADB memory could grow over max-cache-size,
                        especially with threads and smaller max-cache-size
                        values. [RT #19240]

2537.   [func]          Added more statistics counters including those on socket
                        I/O events and query RTT histograms. [RT #18802]

2536.   [cleanup]       Silence some warnings when -Werror=format-security is
                        specified. [RT #19083]

2535.   [bug]           dig +showsearch and +trace interacted badly. [RT #19091]

2534.   [func]          Check NAPTR records regular expressions and
                        replacement strings to ensure they are syntactically
                        valid and consistent. [RT #18168]

2533.   [doc]           ARM: document @ (at-sign). [RT #17144]

2532.   [bug]           dig: check the question section of the response to
                        see if it matches the asked question. [RT #18495]

2531.   [bug]           Change #2207 was incomplete. [RT #19098]

2530.   [bug]           named failed to reject insecure to secure transitions
                        via UPDATE. [RT #19101]

2529.   [cleanup]       Upgrade libtool to silence complaints from recent
                        version of autoconf. [RT #18657]

2528.   [cleanup]       Silence spurious configure warning about
                        --datarootdir [RT #19096]

2527.   [placeholder]

2526.   [func]          New named option "attach-cache" that allows multiple
                        views to share a single cache to save memory and
                        improve lookup efficiency.
                        Based on contributed code
                        from Barclay Osborn, Google. [RT #18905]

2525.   [func]          New logging category "query-errors" to provide detailed
                        internal information about query failures, especially
                        about server failures. [RT #19027]

2524.   [port]          sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.   [bug]           Random type rdata freed by dns_nsec_typepresent().
                        [RT #19112]

2522.   [security]      Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.   [bug]           Improve epoll cross compilation support. [RT #19047]

2520.   [bug]           Update xml statistics version number to 2.0 as change
                        #2388 made the schema incompatible to the previous
                        version. [RT #19080]

2519.   [bug]           dig/host with -4 or -6 didn't work if more than two
                        nameserver addresses of the excluded address family
                        preceded in resolv.conf. [RT #19081]

2518.   [func]          Add support for the new CERT types from RFC 4398.
                        [RT #19077]

2517.   [bug]           dig +trace with -4 or -6 failed when it chose a
                        nameserver address of the excluded address type.
                        [RT #18843]

2516.   [bug]           glue sort for responses was performed even when not
                        needed. [RT #19039]

2515.   [port]          win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
                        [RT #19063]

2514.   [bug]           dig/host failed with -4 or -6 when resolv.conf contains
                        a nameserver of the excluded address family.
                        [RT #18848]

2513.   [bug]           Fix windows cli build. [RT #19062]

2512.   [func]          Print a summary of the cached records which make up
                        the negative response. [RT #18885]

2511.   [cleanup]       dns_rdata_tofmttext() add const to linebreak.
                        [RT #18885]

2510.   [bug]           "dig +sigchase" could trigger REQUIRE failures.
                        [RT #19033]

2509.   [bug]           Specifying a fixed query source port was broken.
                        [RT #19051]

2508.   [placeholder]

2507.
        [func]          Log the recursion quota values when killing the
                        oldest query or refusing to recurse due to quota.
                        [RT #19022]

2506.   [port]          solaris: Check at configure time if
                        hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.   [port]          Treat amd64 similarly to x86_64 when determining
                        atomic operation support. [RT #19031]

2504.   [bug]           Address race condition in the socket code. [RT #18899]

2503.   [port]          linux: improve compatibility with Linux Standard
                        Base. [RT #18793]

2502.   [cleanup]       isc_radix: Improve compliance with coding style,
                        document function in <isc/radix.h>. [RT #18534]

2501.   [func]          $GENERATE now supports all rdata types. Multi-field
                        rdata types need to be quoted. See the ARM for
                        details. [RT #18368]

2500.   [contrib]       contrib/sdb/pgsql/zonetodb.c called non-existent
                        function. [RT #18582]

2499.   [port]          solaris: lib/lwres/getaddrinfo.c namespace clash.
                        [RT #18837]

        --- 9.6.0rc1 released ---

2498.   [bug]           Removed a bogus function argument used with
                        ISC_SOCKET_USE_POLLWATCH: it could cause compiler
                        warning or crash named with the debug 1 level
                        of logging. [RT #18917]

2497.   [bug]           Don't add RRSIG bit to NSEC3 bit map for insecure
                        delegation.

2496.   [bug]           Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]           Tighten RRSIG checks. [RT #18795]

2494.   [bug]           isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
                        installed. [RT #18826]

2493.   [bug]           The linux capabilities code was not correctly cleaning
                        up after itself. [RT #18767]

2492.   [func]          Rndc status now reports the number of cpus discovered
                        and the number of worker threads when running
                        multi-threaded. [RT #18273]

2491.   [func]          Attempt to re-use a local port if we are already using
                        the port. [RT #18548]

2490.
        [port]          aix: work around a kernel bug where IPV6_RECVPKTINFO
                        is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]          solaris: Workaround Solaris's kernel bug about
                        /dev/poll:
                        http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
                        Define ISC_SOCKET_USE_POLLWATCH at build time to enable
                        this workaround. [RT #18870]

2488.   [func]          Added a tool, dnssec-dsfromkey, to generate DS records
                        from keyset and .key files. [RT #18694]

2487.   [bug]           Give TCP connections longer to complete. [RT #18675]

2486.   [func]          The default locations for named.pid and lwresd.pid
                        are now /var/run/named/named.pid and
                        /var/run/lwresd/lwresd.pid respectively.

                        This allows the owner of the containing directory
                        to be set, for "named -u" support, and allows there
                        to be a permanent symbolic link in the path, for
                        "named -t" support. [RT #18306]

2485.   [bug]           Change update's handling of obscured RRSIG
                        records. Not all orphaned DS records were being
                        removed. [RT #18828]

2484.   [bug]           It was possible to trigger a REQUIRE failure when
                        adding NSEC3 proofs to the response in
                        query_addwildcardproof(). [RT #18828]

2483.   [port]          win32: chroot() is not supported. [RT #18805]

2482.   [port]          libxml2: support versions 2.7.* in addition
                        to 2.6.*. [RT #18806]

        --- 9.6.0b1 released ---

2481.   [bug]           rbtdb.c:matchparams() failed to handle NSEC3 chain
                        collisions. [RT #18812]

2480.   [bug]           named could fail to emit all the required NSEC3
                        records. [RT #18812]

2479.   [bug]           xfrout:covers was not properly initialized. [RT #18801]

2478.   [bug]           'addresses' could be used uninitialized in
                        configure_forward(). [RT #18800]

2477.   [bug]           dig: the global option to print the command line is
                        +cmd not print_cmd. Update the output to reflect
                        this.
                        [RT #17008]

2476.   [doc]           ARM: improve documentation for max-journal-size and
                        ixfr-from-differences. [RT #15909] [RT #18541]

2475.   [bug]           LRU cache cleanup under overmem condition could purge
                        particular entries more aggressively. [RT #17628]

2474.   [bug]           ACL structures could be allocated with insufficient
                        space, causing an array overrun. [RT #18765]

2473.   [port]          linux: raise the limit on open files to the possible
                        maximum value before spawning threads; 'files'
                        specified in named.conf doesn't seem to work with
                        threads as expected. [RT #18784]

2472.   [port]          linux: check the number of available cpu's before
                        calling chroot as it depends on "/proc". [RT #16923]

2471.   [bug]           named-checkzone was not reporting missing mandatory
                        glue when sibling checks were disabled. [RT #18768]

2470.   [bug]           Elements of the isc_radix_node_t could be incorrectly
                        overwritten. [RT #18719]

2469.   [port]          solaris: Work around Solaris's select() limitations.
                        [RT #18769]

2468.   [bug]           Resolver could try unreachable servers multiple times.
                        [RT #18739]

2467.   [bug]           Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.   [doc]           ARM: explain max-cache-ttl 0 SERVFAIL issue.
                        [RT #18302]

2465.   [bug]           Adb's handling of lame addresses was different
                        for IPv4 and IPv6. [RT #18738]

2464.   [port]          linux: check that a capability is present before
                        trying to set it. [RT #18135]

2463.   [port]          linux: POSIX doesn't include the IPv6 Advanced Socket
                        API and glibc hides parts of the IPv6 Advanced Socket
                        API as a result. This is stupid as it breaks how the
                        two halves (Basic and Advanced) of the IPv6 Socket API
                        were designed to be used but we have to live with it.
                        Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
                        API. [RT #18388]

2462.
        [doc]           Document -m (enable memory usage debugging)
                        option for dig. [RT #18757]

2461.   [port]          sunos: Change #2363 was not complete. [RT #17513]

        --- 9.6.0a1 released ---

2460.   [bug]           Don't call dns_db_getnsec3parameters() on the cache.
                        [RT #18697]

2459.   [contrib]       Import dnssec-zkt to contrib/zkt. [RT #18448]

2458.   [doc]           ARM: update and correction for max-cache-size.
                        [RT #18294]

2457.   [tuning]        max-cache-size is reverted to 0, the previous
                        default. It should be safe because expired cache
                        entries are also purged. [RT #18684]

2456.   [bug]           In ACLs, ::/0 and 0.0.0.0/0 would both match any
                        address, regardless of family. They now correctly
                        distinguish IPv4 from IPv6. [RT #18559]

2455.   [bug]           Stop metadata being transferred via axfr/ixfr.
                        [RT #18639]

2454.   [func]          nsupdate: you can now set a default ttl. [RT #18317]

2453.   [bug]           Remove NULL pointer dereference in dns_journal_print().
                        [RT #18316]

2452.   [func]          Improve bin/test/journalprint. [RT #18316]

2451.   [port]          solaris: handle runtime linking better. [RT #18356]

2450.   [doc]           Fix lwresd docbook problem for manual page.
                        [RT #18672]

2449.   [placeholder]

2448.   [func]          Add NSEC3 support. [RT #15452]

2447.   [cleanup]       libbind has been split out as a separate product.

2446.   [func]          Add a new log message about build options on startup.
                        A new command-line option '-V' for named is also
                        provided to show this information. [RT #18645]

2445.   [doc]           ARM out-of-date on empty reverse zones (list includes
                        RFC1918 address, but these are not yet compiled in).
                        [RT #18578]

2444.   [port]          Linux, FreeBSD, AIX: Turn off path mtu discovery
                        (clear DF) for UDP responses and requests.

2443.
[bug] win32: UDP connect() would not generate an event, 11395 and so connected UDP sockets would never clean up. 11396 Fix this by doing an immediate WSAConnect() rather 11397 than an io completion port type for UDP. 11398 113992442. [bug] A lock could be destroyed twice. [RT #18626] 11400 114012441. [bug] isc_radix_insert() could copy radix tree nodes 11402 incompletely. [RT #18573] 11403 114042440. [bug] named-checkconf used an incorrect test to determine 11405 if an ACL was set to none. 11406 114072439. [bug] Potential NULL dereference in dns_acl_isanyornone(). 11408 [RT #18559] 11409 114102438. [bug] Timeouts could be logged incorrectly under win32. 11411 114122437. [bug] Sockets could be closed too early, leading to 11413 inconsistent states in the socket module. [RT #18298] 11414 114152436. [security] win32: UDP client handler can be shutdown. [RT #18576] 11416 114172435. [bug] Fixed an ACL memory leak affecting win32. 11418 114192434. [bug] Fixed a minor error-reporting bug in 11420 lib/isc/win32/socket.c. 11421 114222433. [tuning] Set initial timeout to 800ms. 11423 114242432. [bug] More Windows socket handling improvements. Stop 11425 using I/O events and use IO Completion Ports 11426 throughout. Rewrite the receive path logic to make 11427 it easier to support multiple simultaneous 11428 requesters in the future. Add stricter consistency 11429 checking as a compile-time option (define 11430 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off). 11431 114322431. [bug] Acl processing could leak memory. [RT #18323] 11433 114342430. [bug] win32: isc_interval_set() could round down to 11435 zero if the input was less than NS_INTERVAL 11436 nanoseconds. Round up instead. [RT #18549] 11437 114382429. [doc] nsupdate should be in section 1 of the man pages. 11439 [RT #18283] 11440 114412428. [bug] dns_iptable_merge() mishandled merges of negative 11442 tables. [RT #18409] 11443 114442427. [func] Treat DNSKEY queries as if "minimal-response yes;" 11445 was set. 
[RT #18528] 11446 114472426. [bug] libbind: inet_net_pton() can sometimes return the 11448 wrong value if excessively large net masks are 11449 supplied. [RT #18512] 11450 114512425. [bug] named didn't detect unavailable query source addresses 11452 at load time. [RT #18536] 11453 114542424. [port] configure now probes for a working epoll 11455 implementation. Allow the use of kqueue, 11456 epoll and /dev/poll to be selected at compile 11457 time. [RT #18277] 11458 114592423. [security] Randomize server selection on queries, so as to 11460 make forgery a little more difficult. Instead of 11461 always preferring the server with the lowest RTT, 11462 pick a server with RTT within the same 128 11463 millisecond band. [RT #18441] 11464 114652422. [bug] Handle the special return value of a empty node as 11466 if it was a NXRRSET in the validator. [RT #18447] 11467 114682421. [func] Add new command line option '-S' for named to specify 11469 the max number of sockets. [RT #18493] 11470 Use caution: this option may not work for some 11471 operating systems without rebuilding named. 11472 114732420. [bug] Windows socket handling cleanup. Let the io 11474 completion event send out canceled read/write 11475 done events, which keeps us from writing to memory 11476 we no longer have ownership of. Add debugging 11477 socket_log() function. Rework TCP socket handling 11478 to not leak sockets. 11479 114802419. [cleanup] Document that isc_socket_create() and isc_socket_open() 11481 should not be used for isc_sockettype_fdwatch sockets. 11482 [RT #18521] 11483 114842418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure 11485 [RT #18430] 11486 114872417. [bug] Connecting UDP sockets for outgoing queries could 11488 unexpectedly fail with an 'address already in use' 11489 error. [RT #18411] 11490 114912416. [func] Log file descriptors that cause exceeding the 11492 internal maximum. [RT #18460] 11493 114942415. 
[bug] 'rndc dumpdb' could trigger various assertion failures 11495 in rbtdb.c. [RT #18455] 11496 114972414. [bug] A masterdump context held the database lock too long, 11498 causing various troubles such as dead lock and 11499 recursive lock acquisition. [RT #18311, #18456] 11500 115012413. [bug] Fixed an unreachable code path in socket.c. [RT #18442] 11502 115032412. [bug] win32: address a resource leak. [RT #18374] 11504 115052411. [bug] Allow using a larger number of sockets than FD_SETSIZE 11506 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS 11507 at compilation time. [RT #18433] 11508 11509 Note: with changes #2469 and #2421 above, there is no 11510 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time 11511 any more. 11512 115132410. [bug] Correctly delete m_versionInfo. [RT #18432] 11514 115152409. [bug] Only log that we disabled EDNS processing if we were 11516 subsequently successful. [RT #18029] 11517 115182408. [bug] A duplicate TCP dispatch event could be sent, which 11519 could then trigger an assertion failure in 11520 resquery_response(). [RT #18275] 11521 115222407. [port] hpux: test for sys/dyntune.h. [RT #18421] 11523 115242406. [placeholder] 11525 115262405. [cleanup] The default value for dnssec-validation was changed to 11527 "yes" in 9.5.0-P1 and all subsequent releases; this 11528 was inadvertently omitted from CHANGES at the time. 11529 115302404. [port] hpux: files unlimited support. 11531 115322403. [bug] TSIG context leak. [RT #18341] 11533 115342402. [port] Support Solaris 2.11 and over. [RT #18362] 11535 115362401. [bug] Expect to get E[MN]FILE errno internal_accept() 11537 (from accept() or fcntl() system calls). [RT #18358] 11538 115392400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails. 11540 [RT #18297] 11541 115422399. [placeholder] 11543 115442398. [bug] Improve file descriptor management. New, 11545 temporary, named.conf option reserved-sockets, 11546 default 512. [RT #18344] 11547 115482397. 
[bug] gssapi_functions had too many elements. [RT #18355] 11549 115502396. [bug] Don't set SO_REUSEADDR for randomized ports. 11551 [RT #18336] 11552 115532395. [port] Avoid warning and no effect from "files unlimited" 11554 on Linux when running as root. [RT #18335] 11555 115562394. [bug] Default configuration options set the limit for 11557 open files to 'unlimited' as described in the 11558 documentation. [RT #18331] 11559 115602393. [bug] nested acls containing keys could trigger an 11561 assertion in acl.c. [RT #18166] 11562 115632392. [bug] remove 'grep -q' from acl test script, some platforms 11564 don't support it. [RT #18253] 11565 115662391. [port] hpux: cover additional recvmsg() error codes. 11567 [RT #18301] 11568 115692390. [bug] dispatch.c could make a false warning on 'odd socket'. 11570 [RT #18301]. 11571 115722389. [bug] Move the "working directory writable" check to after 11573 the ns_os_changeuser() call. [RT #18326] 11574 115752388. [bug] Avoid using tables for layout purposes in 11576 statistics XSL [RT #18159]. 11577 115782387. [bug] Silence compiler warnings in lib/isc/radix.c. 11579 [RT #18147] [RT #18258] 11580 115812386. [func] Add warning about too small 'open files' limit. 11582 [RT #18269] 11583 115842385. [bug] A condition variable in socket.c could leak in 11585 rare error handling [RT #17968]. 11586 115872384. [security] Fully randomize UDP query ports to improve 11588 forgery resilience. [RT #17949, #18098] 11589 115902383. [bug] named could double queries when they resulted in 11591 SERVFAIL due to overkilling EDNS0 failure detection. 11592 [RT #18182] 11593 115942382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP 11595 to ARM. 11596 115972381. [port] dlz/mysql: support multiple install layouts for 11598 mysql. <prefix>/include/{,mysql/}mysql.h and 11599 <prefix>/lib/{,mysql/}. [RT #18152] 11600 116012380. 
[bug] dns_view_find() was not returning NXDOMAIN/NXRRSET 11602 proofs which, in turn, caused validation failures 11603 for insecure zones immediately below a secure zone 11604 the server was authoritative for. [RT #18112] 11605 116062379. [contrib] queryperf/gen-data-queryperf.py: removed redundant 11607 TLDs and supported RRs with TTLs [RT #17972] 11608 116092378. [bug] gssapi_functions{} had a redundant member in BIND 9.5. 11610 [RT #18169] 11611 116122377. [bug] Address race condition in dnssec-signzone. [RT #18142] 11613 116142376. [bug] Change #2144 was not complete. 11615 116162375. [placeholder] 11617 116182374. [bug] "blackhole" ACLs could cause named to segfault due 11619 to some uninitialized memory. [RT #18095] 11620 116212373. [bug] Default values of zone ACLs were re-parsed each time a 11622 new zone was configured, causing an overconsumption 11623 of memory. [RT #18092] 11624 116252372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047] 11626 116272371. [doc] Add +nsid option to dig man page. [RT #18039] 11628 116292370. [bug] "rndc freeze" could trigger an assertion in named 11630 when called on a nonexistent zone. [RT #18050] 11631 116322369. [bug] libbind: Array bounds overrun on read in bitncmp(). 11633 [RT #18054] 11634 116352368. [port] Linux: use libcap for capability management if 11636 possible. [RT #18026] 11637 116382367. [bug] Improve counting of dns_resstatscounter_retry 11639 [RT #18030] 11640 116412366. [bug] Adb shutdown race. [RT #18021] 11642 116432365. [bug] Fix a bug that caused dns_acl_isany() to return 11644 spurious results. [RT #18000] 11645 116462364. [bug] named could trigger a assertion when serving a 11647 malformed signed zone. [RT #17828] 11648 116492363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;". 11650 [RT #17513] 11651 116522362. [cleanup] Make "rrset-order fixed" a compile-time option. 11653 settable by "./configure --enable-fixed-rrset". 11654 Disabled by default. [RT #17977] 11655 116562361. 
[bug] "recursion" statistics counter could be counted 11657 multiple times for a single query. [RT #17990] 11658 116592360. [bug] Fix a condition where we release a database version 11660 (which may acquire a lock) while holding the lock. 11661 116622359. [bug] Fix NSID bug. [RT #17942] 11663 116642358. [doc] Update host's default query description. [RT #17934] 11665 116662357. [port] Don't use OpenSSL's engine support in versions before 11667 OpenSSL 0.9.7f. [RT #17922] 11668 116692356. [bug] Built in mutex profiler was not scalable enough. 11670 [RT #17436] 11671 116722355. [func] Extend the number statistics counters available. 11673 [RT #17590] 11674 116752354. [bug] Failed to initialize some rdatasetheader_t elements. 11676 [RT #17927] 11677 116782353. [func] Add support for Name Server ID (RFC 5001). 11679 'dig +nsid' requests NSID from server. 11680 'request-nsid yes;' causes recursive server to send 11681 NSID requests to upstream servers. Server responds 11682 to NSID requests with the string configured by 11683 'server-id' option. [RT #17091] 11684 116852352. [bug] Various GSS_API fixups. [RT #17729] 11686 116872351. [bug] convertxsl.pl generated very long lines. [RT #17906] 11688 116892350. [port] win32: IPv6 support. [RT #17797] 11690 116912349. [func] Provide incremental re-signing support for secure 11692 dynamic zones. [RT #1091] 11693 116942348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support. 11695 Documentation is in the new README.pkcs11 file. 11696 New tool, dnssec-keyfromlabel, which takes the 11697 label of a key pair in a HSM and constructs a DNS 11698 key pair for use by named and dnssec-signzone. 11699 [RT #16844] 11700 117012347. [bug] Delete now traverses the RB tree in the canonical 11702 order. [RT #17451] 11703 117042346. [func] Memory statistics now cover all active memory contexts 11705 in increased detail. [RT #17580] 11706 117072345. 
[bug] named-checkconf failed to detect when forwarders 11708 were set at both the options/view level and in 11709 a root zone. [RT #17671] 11710 117112344. [bug] Improve "logging{ file ...; };" documentation. 11712 [RT #17888] 11713 117142343. [bug] (Seemingly) duplicate IPv6 entries could be 11715 created in ADB. [RT #17837] 11716 117172342. [func] Use getifaddrs() if available under Linux. [RT #17224] 11718 117192341. [bug] libbind: add missing -I../include for off source 11720 tree builds. [RT #17606] 11721 117222340. [port] openbsd: interface configuration. [RT #17700] 11723 117242339. [port] tru64: support for libbind. [RT #17589] 11725 117262338. [bug] check_ds() could be called with a non DS rdataset. 11727 [RT #17598] 11728 117292337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614] 11730 117312336. [func] If "named -6" is specified then listen on all IPv6 11732 interfaces if there are not listen-on-v6 clauses in 11733 named.conf. [RT #17581] 11734 117352335. [port] sunos: libbind and *printf() support for long long. 11736 [RT #17513] 11737 117382334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one 11739 bug in fromstruct_txt(). [RT #17609] 11740 117412333. [bug] Fix off by one error in isc_time_nowplusinterval(). 11742 [RT #17608] 11743 117442332. [contrib] query-loc-0.4.0. [RT #17602] 11745 117462331. [bug] Failure to regenerate any signatures was not being 11747 reported nor being past back to the UPDATE client. 11748 [RT #17570] 11749 117502330. [bug] Remove potential race condition when handling 11751 over memory events. [RT #17572] 11752 11753 WARNING: API CHANGE: over memory callback 11754 function now needs to call isc_mem_waterack(). 11755 See <isc/mem.h> for details. 11756 117572329. [bug] Clearer help text for dig's '-x' and '-i' options. 11758 117592328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET, 11760 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET, 11761 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and 11762 M.ROOT-SERVERS.NET. 
11763 117642327. [bug] It was possible to dereference a NULL pointer in 11765 rbtdb.c. Implement dead node processing in zones as 11766 we do for caches. [RT #17312] 11767 117682326. [bug] It was possible to trigger a INSIST in the acache 11769 processing. 11770 117712325. [port] Linux: use capset() function if available. [RT #17557] 11772 117732324. [bug] Fix IPv6 matching against "any;". [RT #17533] 11774 117752323. [port] tru64: namespace clash. [RT #17547] 11776 117772322. [port] MacOS: work around the limitation of setrlimit() 11778 for RLIMIT_NOFILE. [RT #17526] 11779 117802321. [placeholder] 11781 117822320. [func] Make statistics counters thread-safe for platforms 11783 that support certain atomic operations. [RT #17466] 11784 117852319. [bug] Silence Coverity warnings in 11786 lib/dns/rdata/in_1/apl_42.c. [RT #17469] 11787 117882318. [port] sunos fixes for libbind. [RT #17514] 11789 117902317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518] 11791 117922316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c. 11793 [RT #17513] 11794 117952315. [bug] Used incorrect address family for mapped IPv4 11796 addresses in acl.c. [RT #17519] 11797 117982314. [bug] Uninitialized memory use on error path in 11799 bin/named/lwdnoop.c. [RT #17476] 11800 118012313. [cleanup] Silence Coverity warnings. Handle private stacks. 11802 [RT #17447] [RT #17478] 11803 118042312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c. 11805 [RT #17458] 11806 118072311. [bug] IPv6 addresses could match IPv4 ACL entries and 11808 vice versa. [RT #17462] 11809 118102310. [bug] dig, host, nslookup: flush stdout before emitting 11811 debug/fatal messages. [RT #17501] 11812 118132309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c. 11814 [RT #17455] 11815 118162308. [cleanup] Silence Coverity warning in bin/named/controlconf.c. 11817 [RT #17495] 11818 118192307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496] 11820 118212306. 
[bug] Remove potential race from lib/dns/resolver.c. 11822 [RT #17470] 11823 118242305. [security] inet_network() buffer overflow. CVE-2008-0122. 11825 118262304. [bug] Check returns from all dns_rdata_tostruct() calls. 11827 [RT #17460] 11828 118292303. [bug] Remove unnecessary code from bin/named/lwdgnba.c. 11830 [RT #17471] 11831 118322302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472] 11833 118342301. [bug] Remove resource leak and fix error messages in 11835 bin/tests/system/lwresd/lwtest.c. [RT #17474] 11836 118372300. [bug] Fixed failure to close open file in 11838 bin/tests/names/t_names.c. [RT #17473] 11839 118402299. [bug] Remove unnecessary NULL check in 11841 bin/nsupdate/nsupdate.c. [RT #17475] 11842 118432298. [bug] isc_mutex_lock() failure not caught in 11844 bin/tests/timers/t_timers.c. [RT #17468] 11845 118462297. [bug] isc_entropy_createfilesource() failure not caught in 11847 bin/tests/dst/t_dst.c. [RT #17467] 11848 118492296. [port] Allow docbook stylesheet location to be specified to 11850 configure. [RT #17457] 11851 118522295. [bug] Silence static overrun error in bin/named/lwaddr.c. 11853 [RT #17459] 11854 118552294. [func] Allow the experimental statistics channels to have 11856 multiple connections and ACL. 11857 Note: the stats-server and stats-server-v6 options 11858 available in the previous beta releases are replaced 11859 with the generic statistics-channels statement. 11860 118612293. [func] Add ACL regression test. [RT #17375] 11862 118632292. [bug] Log if the working directory is not writable. 11864 [RT #17312] 11865 118662291. [bug] PR_SET_DUMPABLE may be set too late. Also report 11867 failure to set PR_SET_DUMPABLE. [RT #17312] 11868 118692290. [bug] Let AD in the query signal that the client wants AD 11870 set in the response. [RT #17301] 11871 118722289. [func] named-checkzone now reports the out-of-zone CNAME 11873 found. [RT #17309] 11874 118752288. 
[port] win32: mark service as running when we have finished 11876 loading. [RT #17441] 11877 118782287. [bug] Use 'volatile' if the compiler supports it. [RT #17413] 11879 118802286. [func] Allow a TCP connection to be used as a weak 11881 authentication method for reverse zones. 11882 New update-policy methods tcp-self and 6to4-self. 11883 [RT #17378] 11884 118852285. [func] Test framework for client memory context management. 11886 [RT #17377] 11887 118882284. [bug] Memory leak in UPDATE prerequisite processing. 11889 [RT #17377] 11890 118912283. [bug] TSIG keys were not attaching to the memory 11892 context. TSIG keys should use the rings 11893 memory context rather than the clients memory 11894 context. [RT #17377] 11895 118962282. [bug] Acl code fixups. [RT #17346] [RT #17374] 11897 118982281. [bug] Attempts to use undefined acls were not being logged. 11899 [RT #17307] 11900 119012280. [func] Allow the experimental http server to be reached 11902 over IPv6 as well as IPv4. [RT #17332] 11903 119042279. [bug] Use setsockopt(SO_NOSIGPIPE), when available, 11905 to protect applications from receiving spurious 11906 SIGPIPE signals when using the resolver. 11907 119082278. [bug] win32: handle the case where Windows returns no 11909 search list or DNS suffix. [RT #17354] 11910 119112277. [bug] Empty zone names were not correctly being caught at 11912 in the post parse checks. [RT #17357] 11913 119142276. [bug] Install <dst/gssapi.h>. [RT #17359] 11915 119162275. [func] Add support to dig to perform IXFR queries over UDP. 11917 [RT #17235] 11918 119192274. [func] Log zone transfer statistics. [RT #17336] 11920 119212273. [bug] Adjust log level to WARNING when saving inconsistent 11922 stub/slave master and journal files. [RT #17279] 11923 119242272. [bug] Handle illegal dnssec-lookaside trust-anchor names. 11925 [RT #17262] 11926 119272271. [bug] Fix a memory leak in http server code [RT #17100] 11928 119292270. 
[bug] dns_db_closeversion() version->writer could be reset 11930 before it is tested. [RT #17290] 11931 119322269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232] 11933 119342268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones 11935 list. 11936 11937 --- 9.5.0b1 released --- 11938 119392267. [bug] Radix tree node_num value could be set incorrectly, 11940 causing positive ACL matches to look like negative 11941 ones. [RT #17311] 11942 119432266. [bug] client.c:get_clientmctx() returned the same mctx 11944 once the pool of mctx's was filled. [RT #17218] 11945 119462265. [bug] Test that the memory context's basic_table is non NULL 11947 before freeing. [RT #17265] 11948 119492264. [bug] Server prefix length was being ignored. [RT #17308] 11950 119512263. [bug] "named-checkconf -z" failed to set default value 11952 for "check-integrity". [RT #17306] 11953 119542262. [bug] Error status from all but the last view could be 11955 lost. [RT #17292] 11956 119572261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272] 11958 119592260. [bug] Reported wrong clients-per-query when increasing the 11960 value. [RT #17236] 11961 119622259. [placeholder] 11963 11964 --- 9.5.0a7 released --- 11965 119662258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken. 11967 [RT #17241] 11968 119692257. [bug] win32: Use the full path to vcredist_x86.exe when 11970 calling it. [RT #17222] 11971 119722256. [bug] win32: Correctly register the installation location of 11973 bindevt.dll. [RT #17159] 11974 119752255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42. 11976 119772254. [bug] timer.c:dispatch() failed to lock timer->lock 11978 when reading timer->idle allowing it to see 11979 intermediate values as timer->idle was reset by 11980 isc_timer_touch(). [RT #17243] 11981 119822253. [func] "max-cache-size" defaults to 32M. 11983 "max-acache-size" defaults to 16M. 11984 119852252. [bug] Fixed errors in sortlist code [RT #17216] 11986 119872251. 
[placeholder] 11988 119892250. [func] New flag 'memstatistics' to state whether the 11990 memory statistics file should be written or not. 11991 Additionally named's -m option will cause the 11992 statistics file to be written. [RT #17113] 11993 119942249. [bug] Only set Authentic Data bit if client requested 11995 DNSSEC, per RFC 3655 [RT #17175] 11996 119972248. [cleanup] Fix several errors reported by Coverity. [RT #17160] 11998 119992247. [doc] Sort doc/misc/options. [RT #17067] 12000 120012246. [bug] Make the startup of test servers (ans.pl) more 12002 robust. [RT #17147] 12003 120042245. [bug] Validating lack of DS records at trust anchors wasn't 12005 working. [RT #17151] 12006 120072244. [func] Allow the check of nameserver names against the 12008 SOA MNAME field to be disabled by specifying 12009 'notify-to-soa yes;'. [RT #17073] 12010 120112243. [func] Configuration files without a newline at the end now 12012 parse without error. [RT #17120] 12013 120142242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos 12015 library could require a source of random data. 12016 [RT #17127] 12017 120182241. [func] nsupdate: add a interactive 'help' command. [RT #17099] 12019 120202240. [bug] Cleanup nsupdates GSS-TSIG support. Convert 12021 a number of INSIST()s into plain fatal() errors 12022 which report the triggering result code. 12023 The 'key' command wasn't disabling GSS-TSIG. 12024 [RT #17099] 12025 120262239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114] 12027 120282238. [bug] It was possible to trigger a REQUIRE when a 12029 validation was canceled. [RT #17106] 12030 120312237. [bug] libbind: res_init() was not thread aware. [RT #17123] 12032 120332236. [bug] dnssec-signzone failed to preserve the case of 12034 of wildcard owner names. [RT #17085] 12035 120362235. [bug] <isc/atomic.h> was not being installed. [RT #17135] 12037 120382234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] 12039 120402233. 
[func] Add support for O(1) ACL processing, based on 12041 radix tree code originally written by Kevin 12042 Brintnall. [RT #16288] 12043 120442232. [bug] dns_adb_findaddrinfo() could fail and return 12045 ISC_R_SUCCESS. [RT #17137] 12046 120472231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken. 12048 [RT #17088] 12049 120502230. [bug] We could INSIST reading a corrupted journal. 12051 [RT #17132] 12052 120532229. [bug] Null pointer dereference on query pool creation 12054 failure. [RT #17133] 12055 120562228. [contrib] contrib: Change 2188 was incomplete. 12057 120582227. [cleanup] Tidied up the FAQ. [RT #17121] 12059 120602226. [placeholder] 12061 120622225. [bug] More support for systems with no IPv4 addresses. 12063 [RT #17111] 12064 120652224. [bug] Defer journal compaction if a xfrin is in progress. 12066 [RT #17119] 12067 120682223. [bug] Make a new journal when compacting. [RT #17119] 12069 120702222. [func] named-checkconf now checks server key references. 12071 [RT #17097] 12072 120732221. [bug] Set the event result code to reflect the actual 12074 record turned to caller when a cache update is 12075 rejected due to a more credible answer existing. 12076 [RT #17017] 12077 120782220. [bug] win32: Address a race condition in final shutdown of 12079 the Windows socket code. [RT #17028] 12080 120812219. [bug] Apply zone consistency checks to additions, not 12082 removals, when updating. [RT #17049] 12083 120842218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). 12085 [RT #16976] 12086 120872217. [func] Adjust update log levels. [RT #17092] 12088 120892216. [cleanup] Fix a number of errors reported by Coverity. 12090 [RT #17094] 12091 120922215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] 12093 120942214. [bug] Deregister OpenSSL lock callback when cleaning 12095 up. Reorder OpenSSL cleanup so that RAND_cleanup() 12096 is called before the locks are destroyed. [RT #17098] 12097 120982213. 
[bug] SIG0 diagnostic failure messages were looking at the 12099 wrong status code. [RT #17101] 12100 121012212. [func] 'host -m' now causes memory statistics and active 12102 memory to be printed at exit. [RT 17028] 12103 121042211. [func] Update "dynamic update temporarily disabled" message. 12105 [RT #17065] 12106 121072210. [bug] Deleting class specific records via UPDATE could 12108 fail. [RT #17074] 12109 121102209. [port] osx: linking against user supplied static OpenSSL 12111 libraries failed as the system ones were still being 12112 found. [RT #17078] 12113 121142208. [port] win32: make sure both build methods produce the 12115 same output. [RT #17058] 12116 121172207. [port] Some implementations of getaddrinfo() fail to set 12118 ai_canonname correctly. [RT #17061] 12119 12120 --- 9.5.0a6 released --- 12121 121222206. [security] "allow-query-cache" and "allow-recursion" now 12123 cross inherit from each other. 12124 12125 If allow-query-cache is not set in named.conf then 12126 allow-recursion is used if set, otherwise allow-query 12127 is used if set, otherwise the default (localnets; 12128 localhost;) is used. 12129 12130 If allow-recursion is not set in named.conf then 12131 allow-query-cache is used if set, otherwise allow-query 12132 is used if set, otherwise the default (localnets; 12133 localhost;) is used. 12134 12135 [RT #16987] 12136 121372205. [bug] libbind: change #2119 broke thread support. [RT #16982] 12138 121392204. [bug] "rndc flushname name unknown-view" caused named 12140 to crash. [RT #16984] 12141 121422203. [security] Query id generation was cryptographically weak. 12143 [RT # 16915] 12144 121452202. [security] The default acls for allow-query-cache and 12146 allow-recursion were not being applied. [RT #16960] 12147 121482201. [bug] The build failed in a separate object directory. 12149 [RT #16943] 12150 121512200. [bug] The search for cached NSEC records was stopping to 12152 early leading to excessive DLV queries. 
[RT #16930] 12153 121542199. [bug] win32: don't call WSAStartup() while loading dlls. 12155 [RT #16911] 12156 121572198. [bug] win32: RegCloseKey() could be called when 12158 RegOpenKeyEx() failed. [RT #16911] 12159 121602197. [bug] Add INSIST to catch negative responses which are 12161 not setting the event result code appropriately. 12162 [RT #16909] 12163 121642196. [port] win32: yield processor while waiting for once to 12165 to complete. [RT #16958] 12166 121672195. [func] dnssec-keygen now defaults to nametype "ZONE" 12168 when generating DNSKEYs. [RT #16954] 12169 121702194. [bug] Close journal before calling 'done' in xfrin.c. 12171 12172 --- 9.5.0a5 released --- 12173 121742193. [port] win32: BINDInstall.exe is now linked statically. 12175 [RT #16906] 12176 121772192. [port] win32: use vcredist_x86.exe to install Visual 12178 Studio's redistributable dlls if building with 12179 Visual Stdio 2005 or later. 12180 121812191. [func] named-checkzone now allows dumping to stdout (-). 12182 named-checkconf now has -h for help. 12183 named-checkzone now has -h for help. 12184 rndc now has -h for help. 12185 Better handling of '-?' for usage summaries. 12186 [RT #16707] 12187 121882190. [func] Make fallback to plain DNS from EDNS due to timeouts 12189 more visible. New logging category "edns-disabled". 12190 [RT #16871] 12191 121922189. [bug] Handle socket() returning EINTR. [RT #15949] 12193 121942188. [contrib] queryperf: autoconf changes to make the search for 12195 libresolv or libbind more robust. [RT #16299] 12196 121972187. [bug] query_addds(), query_addwildcardproof() and 12198 query_addnxrrsetnsec() should take a version 12199 argument. [RT #16368] 12200 122012186. [port] cygwin: libbind: check for struct sockaddr_storage 12202 independently of IPv6. [RT #16482] 12203 122042185. [port] sunos: libbind: check for ssize_t, memmove() and 12205 memchr(). [RT #16463] 12206 122072184. [bug] bind9.xsl.h didn't build out of the source tree. 
12208 [RT #16830] 12209 122102183. [bug] dnssec-signzone didn't handle offline private keys 12211 well. [RT #16832] 12212 122132182. [bug] dns_dispatch_createtcp() and dispatch_createudp() 12214 could return ISC_R_SUCCESS when they ran out of 12215 memory. [RT #16365] 12216 122172181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462] 12218 122192180. [cleanup] Remove bit test from 'compress_test' as they 12220 are no longer needed. [RT #16497] 12221 122222179. [func] 'rndc command zone' will now find 'zone' if it is 12223 unique to all the views. [RT #16821] 12224 122252178. [bug] 'rndc reload' of a slave or stub zone resulted in 12226 a reference leak. [RT #16867] 12227 122282177. [bug] Array bounds overrun on read (rcodetext) at 12229 debug level 10+. [RT #16798] 12230 122312176. [contrib] dbus update to handle race condition during 12232 initialization (Bugzilla 235809). [RT #16842] 12233 122342175. [bug] win32: windows broadcast condition variable support 12235 was broken. [RT #16592] 12236 122372174. [bug] I/O errors should always be fatal when reading 12238 master files. [RT #16825] 12239 122402173. [port] win32: When compiling with MSVS 2005 SP1 we also 12241 need to ship Microsoft.VC80.MFCLOC. 12242 12243 --- 9.5.0a4 released --- 12244 122452172. [bug] query_addsoa() was being called with a non zone db. 12246 [RT #16834] 12247 122482171. [bug] Handle breaks in DNSSEC trust chains where the parent 12249 servers are not DS aware (DS queries to the parent 12250 return a referral to the child). 12251 122522170. [func] Add acache processing to test suite. [RT #16711] 12253 122542169. [bug] host, nslookup: when reporting NXDOMAIN report the 12255 given name and not the last name searched for. 12256 [RT #16763] 12257 122582168. [bug] nsupdate: in non-interactive mode treat syntax errors 12259 as fatal errors. [RT #16785] 12260 122612167. [bug] When re-using a automatic zone named failed to 12262 attach it to the new view. 
[RT #16786] 12263 12264 --- 9.5.0a3 released --- 12265 122662166. [bug] When running in batch mode, dig could misinterpret 12267 a server address as a name to be looked up, causing 12268 unexpected output. [RT #16743] 12269 122702165. [func] Allow the destination address of a query to determine 12271 if we will answer the query or recurse. 12272 allow-query-on, allow-recursion-on and 12273 allow-query-cache-on. [RT #16291] 12274 122752164. [bug] The code to determine how named-checkzone / 12276 named-compilezone was called failed under windows. 12277 [RT #16764] 12278 122792163. [bug] If only one of query-source and query-source-v6 12280 specified a port the query pools code broke (change 12281 2129). [RT #16768] 12282 122832162. [func] Allow "rrset-order fixed" to be disabled at compile 12284 time. [RT #16665] 12285 122862161. [bug] Fix which log messages are emitted for 'rndc flush'. 12287 [RT #16698] 12288 122892160. [bug] libisc wasn't handling NULL ifa_addr pointers returned 12290 from getifaddrs(). [RT #16708] 12291 12292 --- 9.5.0a2 released --- 12293 122942159. [bug] Array bounds overrun in acache processing. [RT #16710] 12295 122962158. [bug] ns_client_isself() failed to initialize key 12297 leading to a REQUIRE failure. [RT #16688] 12298 122992157. [func] dns_db_transfernode() created. [RT #16685] 12300 123012156. [bug] Fix node reference leaks in lookup.c:lookup_find(), 12302 resolver.c:validated() and resolver.c:cache_name(). 12303 Fix a memory leak in rbtdb.c:free_noqname(). 12304 Make lookup.c:lookup_find() robust against 12305 event leaks. [RT #16685] 12306 123072155. [contrib] SQLite sdb module from jaboydjr@netwalk.com. 12308 [RT #16694] 12309 123102154. [func] Scoped (e.g. IPv6 link-local) addresses may now be 12311 matched in acls by omitting the scope. [RT #16599] 12312 123132153. [bug] nsupdate could leak memory. [RT #16691] 12314 123152152. [cleanup] Use sizeof(buf) instead of fixed number in 12316 dighost.c:get_trusted_key(). 
        [RT #16678]

2151. [bug] Missing newline in usage message for journalprint.
        [RT #16679]

2150. [bug] 'rrset-order cyclic': uniformly distribute the
        starting point for the first response for a given
        RRset. [RT #16655]

2149. [bug] isc_mem_checkdestroyed() failed to abort
        if there were still active memory contexts.
        [RT #16672]

2148. [func] Add positive logging for rndc commands. [RT #14623]

2147. [bug] libbind: remove potential buffer overflow from
        hmac_link.c. [RT #16437]

2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
        SO_BSDCOMPAT" message. [RT #16641]

2145. [bug] Check DS/DLV digest lengths for known digests.
        [RT #16622]

2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
        [RT #16619]

2143. [bug] We failed to restart the IPv6 client when the
        kernel failed to return the destination the
        packet was sent to. [RT #16613]

2142. [bug] Handle master files with a modification time that
        matches the epoch. [RT #16612]

2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
        equivalent of LDH checks). [RT #16609]

2140. [bug] libbind: missing unlock on pthread_key_create()
        failures. [RT #16654]

2139. [bug] dns_view_find() was being called with wrong type
        in adb.c. [RT #16670]

2138. [bug] Lock order reversal in resolver.c. [RT #16653]

2137. [port] Mips little endian and/or mips 64 bit are now
        supported for atomic operations. [RT #16648]

2136. [bug] nslookup/host looped if there was no search list
        and the host didn't exist. [RT #16657]

2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]

2134. [func] Additional statistics support. [RT #16666]

2133. [port] powerpc: Support both IBM and MacOS Power PC
        assembler syntaxes.
        [RT #16647]

2132. [bug] Missing unlock on out of memory in
        dns_dispatchmgr_setudp().

2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]

2130. [func] Log if CD or DO were set. [RT #16640]

2129. [func] Provide a pool of UDP sockets for queries to be
        made over. See use-queryport-pool, queryport-pool-ports
        and queryport-pool-updateinterval. [RT #16415]

2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]

2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]

2126. [security] Serialize validation of type ANY responses. [RT #16555]

2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
        was defined. [RT #16574]

2124. [security] It was possible to dereference a freed fetch
        context. [RT #16584]

        --- 9.5.0a1 released ---

2123. [func] Use Doxygen to generate internal documentation.
        [RT #11398]

2122. [func] Experimental http server and statistics support
        for named via xml.

2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
        second timeout. [RT #16553]

2120. [doc] Fix markup on nsupdate man page. [RT #16556]

2119. [compat] libbind: allow res_init() to succeed enough to
        return the default domain even if it was unable
        to allocate memory.

2118. [bug] Handle response with long chains of domain name
        compression pointers which point to other compression
        pointers. [RT #16427]

2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
        which could lead to validation failures. named didn't
        handle negative DS responses that were in the process
        of being validated. Check CNAME bit before accepting
        NODATA proof. To be able to ignore a child NSEC there
        must be SOA (and NS) set in the bitmap. [RT #16399]

2116. [bug] 'rndc reload' could cause the cache to continually
        be cleaned. [RT #16401]

2115. [bug] 'rndc reconfig' could trigger an INSIST if the
        number of masters for a zone was reduced. [RT #16444]

2114. [bug] dig/host/nslookup: searches for names with multiple
        labels were failing. [RT #16447]

2113. [bug] nsupdate: if a zone is specified it should be used
        for server discovery. [RT #16455]

2112. [security] Warn if weak RSA exponent is used. [RT #16460]

2111. [bug] Fix a number of errors reported by Coverity.
        [RT #16507]

2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
        priming queries. [RT #16491]

2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]

2108. [func] DHCID support. [RT #16456]

2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]

2106. [func] 'rndc status' now reports named's version. [RT #16426]

2105. [func] GSS-TSIG support (RFC 3645).

2104. [port] Fix Solaris SMF error message.

2103. [port] Add /usr/sfw to list of locations for OpenSSL
        under Solaris.

2102. [port] Silence Solaris 10 warnings.

2101. [bug] OpenSSL version checks were not quite right.
        [RT #16476]

2100. [port] win32: copy libeay32.dll to Build\Debug.
        Copy Debug\named-checkzone to Debug\named-compilezone.

2099. [port] win32: more manifest issues.

2098. [bug] Race in rbtdb.c:no_references(), which occasionally
        triggered an INSIST failure about the node lock
        reference. [RT #16411]

2097. [bug] named could reference a destroyed memory context
        after being reloaded / reconfigured. [RT #16428]

2096. [bug] libbind: handle applications that fail to detect
        res_init() failures better.

2095. [port] libbind: always prototype inet_cidr_ntop_ipv6() and
        net_cidr_ntop_ipv6(). [RT #16388]

2094. [contrib] Update named-bootconf. [RT #16404]

2093. [bug] named-checkzone -s was broken.

2092. [bug] win32: dig, host, nslookup. Use registry config
        if resolv.conf does not exist or no nameservers
        listed. [RT #15877]

2091. [port] dighost.c: race condition on cleanup. [RT #16417]

2090. [port] win32: Visual C++ 2005 command line manifest support.
        [RT #16417]

2089. [security] Raise the minimum safe OpenSSL versions to
        OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
        prior to these have known security flaws which
        are (potentially) exploitable in named. [RT #16391]

2088. [security] Change the default RSA exponent from 3 to 65537.
        [RT #16391]

2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
        [RT #16382]

2086. [port] libbind: FreeBSD now has get*by*_r() functions.
        [RT #16403]

2085. [doc] win32: added index.html and README to zip. [RT #16201]

2084. [contrib] dbus update for 9.3.3rc2.

2083. [port] win32: Visual C++ 2005 support.

2082. [doc] Document 'cache-file' as a test only option.

2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
        [RT #16360]

2080. [port] libbind: res_init.c did not compile on older versions
        of Solaris. [RT #16363]

2079. [bug] The lame cache was not handling multiple types
        correctly. [RT #16361]

2078. [bug] dnssec-checkzone output style "default" was badly
        named. It is now called "relative". [RT #16326]

2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
        complete signed zone. [RT #16326]

2076. [bug] Several files were missing #include <config.h>
        causing build failures on OSF. [RT #16341]

2075. [bug] The spillat timer event handler could leak memory.
        [RT #16357]

2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
        dns_request_createraw2() and dns_request_createraw3()
        failed to send multiple UDP requests. [RT #16349]

2073. [bug] Incorrect semantics check for update policy "wildcard".
        [RT #16353]

2072. [bug] We were not generating valid HMAC SHA digests.
        [RT #16320]

2071. [port] Test whether gcc accepts -fno-strict-aliasing.
        [RT #16324]

2070. [bug] The remote address was not always displayed when
        reporting dispatch failures. [RT #16315]

2069. [bug] Cross compiling was not working. [RT #16330]

2068. [cleanup] Lower incremental tuning message to debug 1.
        [RT #16319]

2067. [bug] 'rndc' could close the socket too early triggering
        an INSIST under Windows. [RT #16317]

2066. [security] Handle SIG queries gracefully. [RT #16300]

2065. [bug] libbind: probe for HPUX prototypes for
        endprotoent_r() and endservent_r(). [RT 16313]

2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]

2063. [bug] Change #1955 introduced a bug which caused the first
        'rndc flush' call to not free memory. [RT #16244]

2062. [bug] 'dig +nssearch' was reusing a buffer before it had
        been returned by the socket code. [RT #16307]

2061. [bug] Accept expired wildcard message reversed. [RT #16296]

2060. [bug] Enabling DLZ support could leave views partially
        configured. [RT #16295]

2059. [bug] Search into cache rbtdb could trigger an INSIST
        failure while cleaning up a stale rdataset.
        [RT #16292]

2058. [bug] Adjust how we calculate rtt estimates in the presence
        of authoritative servers that drop EDNS and/or CD
        requests.
        Also fall back to EDNS/512 and plain DNS
        faster for zones with less than 3 servers. [RT #16187]

2057. [bug] Make setting "ra" dependent on both allow-query-cache
        and allow-recursion. [RT #16290]

2056. [bug] dig: ixfr= was not being treated case insensitively
        at all times. [RT #15955]

2055. [bug] Missing goto after dropping multicast query.
        [RT #15944]

2054. [port] freebsd: do not explicitly link against -lpthread.
        [RT #16170]

2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]

2052. [bug] 'rndc' improve connect failed message to report
        the failing address. [RT #15978]

2051. [port] More strtol() fixes. [RT #16249]

2050. [bug] Parsing of NSAP records was not case insensitive.
        [RT #16287]

2049. [bug] Restore SOA before AXFR when falling back from
        an attempted IXFR when transferring in a zone.
        Allow an initial SOA query before attempting
        an AXFR to be requested. [RT #16156]

2048. [bug] It was possible to loop forever when using
        avoid-v4-udp-ports / avoid-v6-udp-ports when
        the OS always returned the same local port.
        [RT #16182]

2047. [bug] Failed to initialize the interface flags to zero.
        [RT #16245]

2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
        cleanup [RT #16247].

2045. [func] Use lock buckets for acache entries to limit memory
        consumption. [RT #16183]

2044. [port] Add support for atomic operations for Itanium.
        [RT #16179]

2043. [port] nsupdate/nslookup: Force the flushing of the prompt
        for interactive sessions. [RT #16148]

2042. [bug] named-checkconf was incorrectly rejecting the
        logging category "config". [RT #16117]

2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
        set of libraries to be linked. [RT #16129]

2040. [bug] rbtdb no_references() could trigger an INSIST
        failure with --enable-atomic. [RT #16022]

2039. [func] Check that all buffers passed to the socket code
        have been retrieved when the socket event is freed.
        [RT #16122]

2038. [bug] dig/nslookup/host was unlinking from wrong list
        when handling errors. [RT #16122]

2037. [func] When unlinking the first or last element in a list
        check that the list head points to the element to
        be unlinked. [RT #15959]

2036. [bug] 'rndc recursing' could trigger a REQUIRE.
        [RT #16075]

2035. [func] Make falling back to TCP on UDP refresh failure
        optional. Default "try-tcp-refresh yes;" for BIND 8
        compatibility. [RT #16123]

2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]

2033. [bug] We weren't creating multiple client memory contexts
        on demand as expected. [RT #16095]

2032. [bug] Remove an INSIST in query_addadditional2(). [RT #16074]

2031. [bug] Emit an error message when "rndc refresh" is called on
        a non slave/stub zone. [RT #16073]

2030. [bug] We were being overly conservative when disabling
        openssl engine support. [RT #16030]

2029. [bug] host printed out the server multiple times when
        specified on the command line. [RT #15992]

2028. [port] linux: socket.c compatibility for old systems.
        [RT #16015]

2027. [port] libbind: Solaris x86 support. [RT #16020]

2026. [bug] Rate limit the two recursive client exceeded messages.
        [RT #16044]

2025. [func] Update "zone serial unchanged" message. [RT #16026]

2024. [bug] named emitted spurious "zone serial unchanged"
        messages on reload. [RT #16027]

2023. [bug] "make install" should create ${localstatedir}/run and
        ${sysconfdir} if they do not exist. [RT #16033]

2022. [bug] If dnssec validation is disabled only assert CD if
        CD was requested. [RT #16037]

2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]

2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]

2019. [tuning] Reduce the amount of work performed per quantum
        when cleaning the cache. [RT #15986]

2018. [bug] Checking if the HMAC MD5 private file was broken.
        [RT #15960]

2017. [bug] allow-query default was not correct. [RT #15946]

2016. [bug] Return a partial answer if recursion is not
        allowed but requested and we had the answer
        to the original qname. [RT #15945]

2015. [cleanup] use-additional-cache is now acache-enable for
        consistency. Default acache-enable off in BIND 9.4
        as it requires memory usage to be configured.
        It may be enabled by default in BIND 9.5 once we
        have more experience with it.

2014. [func] Statistics about acache now recorded and sent
        to log. [RT #15976]

2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
        responses more gracefully. [RT #15941]

2012. [func] Don't insert new acache entries if acache is full.
        [RT #15970]

2011. [func] dnssec-signzone can now update the SOA record of
        the signed zone, either as an increment or as the
        system time(). [RT #15633]

2010. [placeholder] rt15958

2009. [bug] libbind: Coverity fixes. [RT #15808]

2008. [func] It is now possible to enable/disable DNSSEC
        validation from rndc. This is useful for the
        mobile hosts where the current connection point
        breaks DNSSEC (firewall/proxy). [RT #15592]

            rndc validation newstate [view]

2007. [func] It is now possible to explicitly enable DNSSEC
        validation. default dnssec-validation no; to
        be changed to yes in 9.5.0. [RT #15674]

2006. [security] Allow-query-cache and allow-recursion now default
        to the built in acls "localnets" and "localhost".

        This is being done to make caching servers less
        attractive as reflective amplifying targets for
        spoofed traffic. This still leaves authoritative
        servers exposed.

        The best fix is for full BCP 38 deployment to
        remove spoofed traffic.

2005. [bug] libbind: Retransmission timeouts should be
        based on which attempt it is to the nameserver
        and not the nameserver itself. [RT #13548]

2004. [bug] dns_tsig_sign() could pass a NULL pointer to
        dst_context_destroy() when cleaning up after an
        error. [RT #15835]

2003. [bug] libbind: The DNS name/address lookup functions could
        occasionally follow a random pointer due to
        structures not being completely zeroed. [RT #15806]

2002. [bug] libbind: tighten the constraints on when
        struct addrinfo._ai_pad exists. [RT #15783]

2001. [func] Check the KSK flag when updating a secure dynamic zone.
        New zone option "update-check-ksk yes;". [RT #15817]

2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]

1999. [func] Implement "rrset-order fixed". [RT #13662]

1998. [bug] Restrict handling of fifos as sockets to just SunOS.
        This allows named to connect to entropy gathering
        daemons that use fifos instead of sockets. [RT #15840]

1997. [bug] Named was failing to replace negative cache entries
        when a positive one for the type was learnt.
        [RT #15818]

1996. [bug] nsupdate: if a zone has been specified it should
        appear in the output of 'show'. [RT #15797]

1995. [bug] 'host' was reporting multiple "is an alias" messages.
        [RT #15702]

1994. [port] OpenSSL 0.9.8 support. [RT #15694]

1993. [bug] Log messages, via syslog, were missing the space
        after the timestamp if "print-time yes" was specified.
        [RT #15844]

1992. [bug] Not all incoming zone transfer messages included the
        view. [RT #15825]

1991. [cleanup] The configuration data, once read, should be treated
        as read only. Expand the use of const to enforce this
        at compile time. [RT #15813]

1990. [bug] libbind: isc's override of broken gettimeofday()
        implementations was not always effective.
        [RT #15709]

1989. [bug] win32: don't check the service password when
        re-installing. [RT #15882]

1988. [bug] Remove a bus error from the SHA256/SHA512 support.
        [RT #15878]

1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]

1986. [func] Report when a zone is removed. [RT #15849]

1985. [protocol] DLV has now been assigned an official type code of
        32769. [RT #15807]

        Note: care should be taken to ensure you upgrade
        both named and dnssec-signzone at the same time for
        zones with DLV records where named is the master
        server for the zone. Also any zones that contain
        DLV records should be removed when upgrading a slave
        zone. You do not however have to upgrade all
        servers for a zone with DLV records simultaneously.

1984. [func] dig, nslookup and host now advertise a 4096 byte
        EDNS UDP buffer size by default. [RT #15855]

1983. [func] Two new update policies. "selfsub" and "selfwild".
        [RT #12895]

1982. [bug] DNSKEY was being accepted on the parent side of
        a delegation. KEY is still accepted there for
        RFC 3007 validated updates. [RT #15620]

1981. [bug] win32: condition.c:wait() could fail to reattain
        the mutex lock.

1980. [func] dnssec-signzone: output the SOA record as the
        first record in the signed zone.
        [RT #15758]

1979. [port] linux: allow named to drop core after changing
        user ids. [RT #15753]

1978. [port] Handle systems which have a broken recvmsg().
        [RT #15742]

1977. [bug] Silence noisy log message. [RT #15704]

1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]

1975. [bug] libbind: isc_gethexstring() could misparse multi-line
        hex strings with comments. [RT #15814]

1974. [doc] List each of the zone types and associated zone
        options separately in the ARM.

1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
        HMACSHA512 support. [RT #13606]

1972. [contrib] DBUS dynamic forwarders integration from
        Jason Vas Dias <jvdias@redhat.com>.

1971. [port] linux: make detection of missing IF_NAMESIZE more
        robust. [RT #15443]

1970. [bug] nsupdate: adjust UDP timeout when falling back to
        unsigned SOA query. [RT #15775]

1969. [bug] win32: the socket code was freeing the socket
        structure too early. [RT #15776]

1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]

1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]

1966. [bug] Don't set CD when we have fallen back to plain DNS.
        [RT #15727]

1965. [func] Suppress spurious "recursion requested but not
        available" warning with 'dig +qr'. [RT #15780].

1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]

1963. [port] Tru64 4.0E doesn't support send() and recv().
        [RT #15586]

1962. [bug] Named failed to clear old update-policy when it
        was removed. [RT #15491]

1961. [bug] Check the port and address of responses forwarded
        to dispatch. [RT #15474]

1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
        [RT #15465]

1959. [func] Control the zeroing of the negative response TTL to
        a soa query. Defaults "zero-no-soa-ttl yes;" and
        "zero-no-soa-ttl-cache no;". [RT #15460]

1958. [bug] Named failed to update the zone's secure state
        until the zone was reloaded. [RT #15412]

1957. [bug] Dig mishandled responses to class ANY queries.
        [RT #15402]

1956. [bug] Improve cross compile support, 'gen' is now built
        by native compiler. See README for additional
        cross compile support information. [RT #15148]

1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]

1954. [func] Named now falls back to advertising EDNS with a
        512 byte receive buffer if the initial EDNS queries
        fail. [RT #14852]

1953. [func] The maximum EDNS UDP response named will send can
        now be set in named.conf (max-udp-size). This is
        independent of the advertised receive buffer
        (edns-udp-size). [RT #14852]

1952. [port] hpux: tell the linker to build a runtime link
        path "-Wl,+b:". [RT #14816].

1951. [security] Drop queries from particular well known ports.
        Don't return FORMERR to queries from particular
        well known ports. [RT #15636]

1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
        a TCP socket. This prevents the source address being
        set for TCP connections. [RT #15628]

1949. [func] Additional memory leakage checks. [RT #15544]

1948. [bug] It was possible to trigger a REQUIRE failure in
        xfrin.c:maybe_free() if named ran out of memory.
        [RT #15568]

1947. [func] It is now possible to configure named to accept
        expired RRSIGs. Default "dnssec-accept-expired no;".
        Setting "dnssec-accept-expired yes;" leaves named
        vulnerable to replay attacks. [RT #14685]

1946. [bug] resume_dslookup() could trigger a REQUIRE failure
        when using forwarders.
        [RT #15549]

1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
        To generate an RSAMD5 key you must explicitly request
        RSAMD5. [RT #13780]

1944. [cleanup] isc_hash_create() does not need a read/write lock.
        [RT #15522]

1943. [bug] Set the loadtime after rolling forward the journal.
        [RT #15647]

1942. [bug] If the name of a DNSKEY matches that of one in
        trusted-keys do not attempt to validate the DNSKEY
        using the parent's DS RRset. [RT #15649]

1941. [bug] ncache_adderesult() should set eresult even if no
        rdataset is passed to it. [RT #15642]

1940. [bug] Fixed a number of error conditions reported by
        Coverity.

1939. [bug] The resolver could dereference a null pointer after
        validation if all the queries have timed out.
        [RT #15528]

1938. [bug] The validator was not correctly handling unsecure
        negative responses at or below a SEP. [RT #15528]

1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]

1936. [bug] The validator could leak memory. [RT #15544]

1935. [bug] 'acache' was DO sensitive. [RT #15430]

1934. [func] Validate pending NS RRsets, in the authority section,
        prior to returning them if it can be done without
        requiring DNSKEYs to be fetched. [RT #15430]

1933. [bug] dump_rdataset_raw() had an incorrect INSIST. [RT #15534]

1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]

1931. [bug] Per-client mctx could require a huge amount of memory,
        particularly for a busy caching server. [RT #15519]

1930. [port] HPUX: ia64 support. [RT #15473]

1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]

1927. [bug] Access to soanode or nsnode in rbtdb violated the
        lock order rule and could cause a deadlock.
        [RT #15518]

1926. [bug] The Windows installer did not check for empty
        passwords. BINDinstall was being installed in
        the wrong place. [RT #15483]

1925. [port] All outer level AC_TRY_RUNs need cross compiling
        defaults. [RT #15469]

1924. [port] libbind: hpux ia64 support. [RT #15473]

1923. [bug] ns_client_detach() called too early. [RT #15499]

1922. [bug] check-tool.c:setup_logging() missing call to
        dns_log_setcontext().

1921. [bug] Client memory contexts were not using internal
        malloc. [RT #15434]

1920. [bug] The cache rbtdb lock array was too small to
        have the desired performance characteristics.
        [RT #15454]

1919. [contrib] queryperf: a set of new features: collecting/printing
        response delays, printing intermediate results, and
        adjusting query rate for the "target" qps.

1918. [bug] Memory leak when checking acls. [RT #15391]

1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
        when generating man pages. [RT #15385]

1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]

1915. [bug] dig +ndots was broken. [RT #15215]

1914. [protocol] DS is required to accept mnemonic algorithms
        (RFC 4034). Still emit numeric algorithms for
        compatibility with RFC 3658. [RT #15354]

1913. [func] Integrate contributed DLZ code into named. [RT #11382]

1912. [port] aix: atomic locking for powerpc. [RT #15020]

1911. [bug] Update windows socket code. [RT #14965]

1910. [bug] dig's +sigchase code overhauled. [RT #14933]

1909. [bug] The DLV code has been re-worked to make it no longer
        query order sensitive. [RT #14933]

1908. [func] dig now warns if 'RA' is not set in the answer when
        'RD' was set in the query. host/nslookup skip servers
        that fail to set 'RA' when 'RD' is set unless a server
        is explicitly set. [RT #15005]

1907. [func] host/nslookup now continue (default)/fail on SERVFAIL.
        [RT #15006]

1906. [func] dig now has a '-q queryname' and '+showsearch' options.
        [RT #15034]

1905. [bug] Strings returned from cfg_obj_asstring() should be
        treated as read-only. The prototype for
        cfg_obj_asstring() has been updated to reflect this.
        [RT #15256]

1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and
        friends. Note: RFC 1918 zones are not yet covered by
        this but are likely to be in a future release.

        New options: empty-server, empty-contact,
        empty-zones-enable and disable-empty-zone.

1903. [func] ISC string copy API.

1902. [func] Attempt to make the amount of work performed in an
        iteration self tuning. This covers nodes cleaned from
        the cache per iteration, nodes written to disk when
        rewriting a master file and nodes destroyed per
        iteration when destroying a zone or a cache.
        [RT #14996]

1901. [cleanup] Don't add DNSKEY records to the additional section.

1900. [bug] ixfr-from-differences failed to ensure that the
        serial number increased. [RT #15036]

1899. [func] named-checkconf now validates update-policy entries.
        [RT #14963]

1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
        ISC_NETADDR_FORMATSIZE to allow for scope details.

1897. [func] x86 and x86_64 now have separate atomic locking
        implementations.

1896. [bug] Recursive clients soft quota support wasn't working
        as expected. [RT #15103]

1895. [bug] An escaped character is, potentially, converted to
        the output character set too early.
        [RT #14666]

1894. [doc] Review ARM for BIND 9.4.

1893. [port] Use uintptr_t if available. [RT #14606]

1892. [func] Support for SPF rdata type. [RT #15033]

1891. [port] freebsd: pthread_mutex_init can fail if it runs out
        of memory. [RT #14995]

1890. [func] Raise the UDP receive buffer size to 32k if it is
        less than 32k. [RT #14953]

1889. [port] sunos: non blocking i/o support. [RT #14951]

1888. [func] Support for IPSECKEY rdata type. [RT #14967]

1887. [bug] The cache could delete expired records too fast for
        clients with a virtual time in the past. [RT #14991]

1886. [bug] fctx_create() could return success even though it
        failed. [RT #14993]

1885. [func] dig: report the number of extra bytes still left in
        the packet after processing all the records.

1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.

1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
        levels. [RT #14962]

1882. [func] Limit the number of recursive clients that can be
        waiting for a single query (<qname,qtype,qclass>) to
        resolve. New options clients-per-query and
        max-clients-per-query.

1881. [func] Add a system test for named-checkconf. [RT #14931]

1880. [func] The lame cache is now done on a <qname,qclass,qtype>
        basis as some servers only appear to be lame for
        certain query types. [RT #14916]

1879. [func] "USE INTERNAL MALLOC" is now runtime selectable.
        [RT #14892]

1878. [func] Detect duplicates of UDP queries we are recursing on
        and drop them. New stats category "duplicate".
        [RT #2471]

1877. [bug] Fix unreasonably low quantum on call to
        dns_rbt_destroy2(). Remove unnecessary unhash_node()
        call. [RT #14919]

1876. [func] Additional memory debugging support to track size
        and mctx arguments. [RT #14814]

1875. [bug] process_dhtkey() was using the wrong memory context
        to free some memory. [RT #14890]

1874. [port] sunos: portability fixes. [RT #14814]

1873. [port] win32: isc__errno2result() now reports its caller.
        [RT #13753]

1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]

1871. [placeholder]

1870. [func] Added framework for handling multiple EDNS versions.
        [RT #14873]

1869. [func] dig can now specify the EDNS version when making
        a query. [RT #14873]

1868. [func] edns-udp-size can now be overridden on a per
        server basis. [RT #14851]

1867. [bug] It was possible to trigger an INSIST in
        dlv_validatezonekey(). [RT #14846]

1866. [bug] resolv.conf parse errors were being ignored by
        dig/host/nslookup. [RT #14841]

1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
        bad addresses. [RT #14841]

1864. [bug] Don't try the alternative transfer source if you
        got an answer / transfer with the main source
        address. [RT #14802]

1863. [bug] rrset-order "fixed" error messages not complete.

1862. [func] Add additional zone data constancy checks.
        named-checkzone has extended checking of NS, MX and
        SRV record and the hosts they reference.
        named has extended post zone load checks.
        New zone options: check-mx and integrity-check.
        [RT #4940]

1861. [bug] dig could trigger an INSIST on certain malformed
        responses. [RT #14801]

1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
        incorrectly set. [RT #14775]

1859. [func] Add support for CH A record. [RT #14695]

1858. [bug] The flush-zones-on-shutdown option wasn't being
        parsed. [RT #14686]

1857. [bug] named could trigger an INSIST() if reconfigured /
        reloaded too fast. [RT #14673]

1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
        [RT #11398]

1855. [bug] ixfr-from-differences was failing to detect changes
        of ttl because dns_diff_subtract() was ignoring the ttl
        of records. [RT #14616]

1854. [bug] lwres also needs to know the print format for
        (long long). [RT #13754]

1853. [bug] Rework how DLV interacts with proveunsecure().
        [RT #13605]

1852. [cleanup] Remove last vestiges of dnssec-signkey and
        dnssec-makekeyset (removed from Makefile years ago).

1851. [doc] Doxygen comment markup. [RT #11398]

1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]

1849. [doc] All forms of the man pages (docbook, man, html) should
        have consistent copyright dates.

1848. [bug] Improve SMF integration. [RT #13238]

1847. [bug] isc_ondestroy_init() is called too late in
        dns_rbtdb_create()/dns_rbtdb64_create().
        [RT #13661]

1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
        <bortzmeyer@nic.fr>.

1845. [bug] Improve error reporting to distinguish between
        accept()/fcntl() and socket()/fcntl() errors.
        [RT #13745]

1844. [bug] inet_pton() accepted more than 4 hexadecimal digits
        for each 16 bit piece of the IPv6 address. The text
        representation of an IPv6 address has been tightened
        to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
        [RT #5662]

1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
        when CFLAGS contains "-I /usr/local/include"
        resulting in old header files being used.

1842. [port] cmsg_len() could produce incorrect results on
        some platforms. [RT #13744]

1841. [bug] "dig +nssearch" now makes a recursive query to
        find the list of nameservers to query. [RT #13694]

1840. [func] dnssec-signzone can now randomize signature end times
        (dnssec-signzone -j jitter). [RT #13609]

1839. [bug] <isc/hash.h> was not being installed.

1838. [cleanup] Don't allow Linux capabilities to be inherited.
        [RT #13707]

1837. [bug] Compile time option ISC_FACILITY was not effective
        for 'named -u <user>'. [RT #13714]

1836. [cleanup] Silence compiler warnings in hash_test.c.

1835. [bug] Update dnssec-signzone's usage message. [RT #13657]

1834. [bug] Bad memset in rdata_test.c. [RT #13658]

1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]

1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
        [RT #13620]

1831. [doc] Update named-checkzone documentation. [RT #13604]

1830. [bug] adb lame cache has sense of test reversed. [RT #13600]

1829. [bug] win32: "pid-file none;" broken. [RT #13563]

1828. [bug] isc_rwlock_init() failed to properly cleanup if it
        encountered an error. [RT #13549]

1827. [bug] host: update usage message for '-a'. [RT #37116]

1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
        of memory error. [RT #13537]

1825. [bug] Missing UNLOCK() on out of memory error in
        rbtdb.c:subtractrdataset(). [RT #13519]

1824. [bug] Memory leak on dns_zone_setdbtype() failure.
        [RT #13510]

1823. [bug] Wrong macro used to check for point to point interface.
        [RT #13418]

1822. [bug] check-names test for RT was reversed. [RT #13382]

1821. [placeholder]

1820. [bug] Gracefully handle acl loops. [RT #13659]

1819.
[bug] The validator needed to check both the algorithm and 13326 digest types of the DS to determine if it could be 13327 used to introduce a secure zone. [RT #13593] 13328 133291818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] 13330 133311817. [func] Add support for additional zone file formats for 13332 improving loading performance. The masterfile-format 13333 option in named.conf can be used to specify a 13334 non-default format. A separate command 13335 named-compilezone was provided to generate zone files 13336 in the new format. Additionally, the -I and -O options 13337 for dnssec-signzone specify the input and output 13338 formats. 13339 133401816. [port] UnixWare: failed to compile lib/isc/unix/net.c. 13341 [RT #13597] 13342 133431815. [bug] nsupdate triggered a REQUIRE if the server was set 13344 without also setting the zone and it encountered 13345 a CNAME and was using TSIG. [RT #13086] 13346 133471814. [func] UNIX domain controls are now supported. 13348 133491813. [func] Restructured the data locking framework using 13350 architecture dependent atomic operations (when 13351 available), improving response performance on 13352 multi-processor machines significantly. 13353 x86, x86_64, alpha, powerpc, and mips are currently 13354 supported. 13355 133561812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect. 13357 [RT #13453] 13358 133591811. [func] Preserve the case of domain names in rdata during 13360 zone transfers. [RT #13547] 13361 133621810. [bug] configure, lib/bind/configure make different default 13363 decisions about whether to do a threaded build. 13364 [RT #13212] 13365 133661809. [bug] "make distclean" failed for libbind if the platform 13367 is not supported. 13368 133691808. [bug] zone.c:notify_zone() contained a race condition, 13370 zone->db could change underneath it. [RT #13511] 13371 133721807. [bug] When forwarding (forward only) set the active domain 13373 from the forward zone name. 
[RT #13526] 13374 133751806. [bug] The resolver returned the wrong result when a CNAME / 13376 DNAME was encountered when fetching glue from a 13377 secure namespace. [RT #13501] 13378 133791805. [bug] Pending status was not being cleared when DLV was 13380 active. [RT #13501] 13381 133821804. [bug] Ensure that if we are queried for glue that it fits 13383 in the additional section or TC is set to tell the 13384 client to retry using TCP. [RT #10114] 13385 133861803. [bug] dnssec-signzone sometimes failed to remove old 13387 RRSIGs. [RT #13483] 13388 133891802. [bug] Handle connection resets better. [RT #11280] 13390 133911801. [func] Report differences between hints and real NS rrset 13392 and associated address records. 13393 133941800. [bug] Changes #1719 allowed a INSIST to be triggered. 13395 [RT #13428] 13396 133971799. [bug] 'rndc flushname' failed to flush negative cache 13398 entries. [RT #13438] 13399 134001798. [func] The server syntax has been extended to support a 13401 range of servers. [RT #11132] 13402 134031797. [func] named-checkconf now check acls to verify that they 13404 only refer to existing acls. [RT #13101] 13405 134061796. [func] "rndc freeze/thaw" now freezes/thaws all zones. 13407 134081795. [bug] "rndc dumpdb" was not fully documented. Minor 13409 formatting issues with "rndc dumpdb -all". [RT #13396] 13410 134111794. [func] Named and named-checkzone can now both check for 13412 non-terminal wildcard records. 13413 134141793. [func] Extend adjusting TTL warning messages. [RT #13378] 13415 134161792. [func] New zone option "notify-delay". Specify a minimum 13417 delay between sets of NOTIFY messages. 13418 134191791. [bug] 'host -t a' still printed out AAAA and MX records. 13420 [RT #13230] 13421 134221790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should 13423 allow parallel make to succeed. 13424 134251789. [bug] Prerequisite test for tkey and dnssec could fail 13426 with "configure --with-libtool". 13427 134281788. 
[bug] libbind9.la/libbind9.so needs to link against 13429 libisccfg.la/libisccfg.so. 13430 134311787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings. 13432 134331786. [port] AIX: libt_api needs to be taught to look for 13434 T_testlist in the main executable (--with-libtool). 13435 [RT #13239] 13436 134371785. [bug] libbind9.la/libbind9.so needs to link against 13438 libisc.la/libisc.so. 13439 134401784. [cleanup] "libtool -allow-undefined" is the default. 13441 Leave hooks in configure to allow it to be set 13442 if needed in the future. 13443 134441783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the 13445 source tree. 13446 134471782. [port] OSX: --with-libtool + --enable-libbind broke on 13448 __evOptMonoTime. [RT #13219] 13449 134501781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810] 13451 134521780. [bug] Update libtool to 1.5.10. 13453 134541779. [port] OSF 5.1: libtool didn't handle -pthread correctly. 13455 134561778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and 13457 IN6ADDR_LOOPBACK_INIT macros. 13458 134591777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and 13460 IN6ADDR_LOOPBACK_INIT macros. 13461 134621776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and 13463 IN6ADDR_LOOPBACK_INIT macros. 13464 134651775. [bug] Only compile getnetent_r.c when threaded. [RT #13205] 13466 134671774. [port] Aix: Silence compiler warnings / build failures. 13468 [RT #13154] 13469 134701773. [bug] Fast retry on host / net unreachable. [RT #13153] 13471 134721772. [placeholder] 13473 134741771. [placeholder] 13475 134761770. [bug] named-checkconf failed to report missing a missing 13477 file clause for rbt{64} master/hint zones. [RT #13009] 13478 134791769. [port] win32: change compiler flags /MTd ==> /MDd, 13480 /MT ==> /MD. 13481 134821768. [bug] nsecnoexistnodata() could be called with a non-NSEC 13483 rdataset. [RT #12907] 13484 134851767. 
[port] Builds on IPv6 platforms without IPv6 Advanced API 13486 support for (struct in6_pktinfo) failed. [RT #13077] 13487 134881766. [bug] Update the master file timestamp on successful refresh 13489 as well as the journal's timestamp. [RT #13062] 13490 134911765. [bug] configure --with-openssl=auto failed. [RT #12937] 13492 134931764. [bug] dns_zone_replacedb failed to emit a error message 13494 if there was no SOA record in the replacement db. 13495 [RT #13016] 13496 134971763. [func] Perform sanity checks on NS records which refer to 13498 'in zone' names. [RT #13002] 13499 135001762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS 13501 even when it failed. [RT #12995] 13502 135031761. [bug] 'rndc dumpdb' didn't report unassociated entries. 13504 [RT #12971] 13505 135061760. [bug] Host / net unreachable was not penalising rtt 13507 estimates. [RT #12970] 13508 135091759. [bug] Named failed to startup if the OS supported IPv6 13510 but had no IPv6 interfaces configured. [RT #12942] 13511 135121758. [func] Don't send notify messages to self. [RT #12933] 13513 135141757. [func] host now can turn on memory debugging flags with '-m'. 13515 135161756. [func] named-checkconf now checks the logging configuration. 13517 [RT #12352] 13518 135191755. [func] allow-update is now settable at the options / view 13520 level. [RT #6636] 13521 135221754. [bug] We weren't always attempting to query the parent 13523 server for the DS records at the zone cut. 13524 [RT #12774] 13525 135261753. [bug] Don't serve a slave zone which has no NS records. 13527 [RT #12894] 13528 135291752. [port] Move isc_app_start() to after ns_os_daemonise() 13530 as some fork() implementations unblock the signals 13531 that are blocked by isc_app_start(). [RT #12810] 13532 135331751. [bug] --enable-getifaddrs failed under linux. [RT #12867] 13534 135351750. [port] lib/bind/make/rules.in:subdirs was not bash friendly. 13536 [RT #12864] 13537 135381749. 
[bug] 'check-names response ignore;' failed to ignore. 13539 [RT #12866] 13540 135411748. [func] dig now returns the byte count for axfr/ixfr. 13542 135431747. [bug] BIND 8 compatibility: named/named-checkconf failed 13544 to parse "host-statistics-max" in named.conf. 13545 135461746. [func] Make public the function to read a key file, 13547 dst_key_read_public(). [RT #12450] 13548 135491745. [bug] Dig/host/nslookup accept replies from link locals 13550 regardless of scope if no scope was specified when 13551 query was sent. [RT #12745] 13552 135531744. [bug] If tuple2msgname() failed to convert a tuple to 13554 a name a REQUIRE could be triggered. [RT #12796] 13555 135561743. [bug] If isc_taskmgr_create() was not able to create the 13557 requested number of worker threads then destruction 13558 of the manager would trigger an INSIST() failure. 13559 [RT #12790] 13560 135611742. [bug] Deleting all records at a node then adding a 13562 previously existing record, in a single UPDATE 13563 transaction, failed to leave / regenerate the 13564 associated RRSIG records. [RT #12788] 13565 135661741. [bug] Deleting all records at a node in a secure zone 13567 using a update-policy grant failed. [RT #12787] 13568 135691740. [bug] Replace rbt's hash algorithm as it performed badly 13570 with certain zones. [RT #12729] 13571 13572 NOTE: a hash context now needs to be established 13573 via isc_hash_create() if the application was not 13574 already doing this. 13575 135761739. [bug] dns_rbt_deletetree() could incorrectly return 13577 ISC_R_QUOTA. [RT #12695] 13578 135791738. [bug] Enable overrun checking by default. [RT #12695] 13580 135811737. [bug] named failed if more than 16 masters were specified. 13582 [RT #12627] 13583 135841736. [bug] dst_key_fromnamedfile() could fail to read a 13585 public key. [RT #12687] 13586 135871735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. 13588 [RE #12688] 13589 135901734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path. 
13591 [RT #12588] 13592 135931733. [bug] Return non-zero exit status on initial load failure. 13594 [RT #12658] 13595 135961732. [bug] 'rrset-order name "*"' wasn't being applied to ".". 13597 [RT #12467] 13598 135991731. [port] darwin: relax version test in ifconfig.sh. 13600 [RT #12581] 13601 136021730. [port] Determine the length type used by the socket API. 13603 [RT #12581] 13604 136051729. [func] Improve check-names error messages. 13606 136071728. [doc] Update check-names documentation. 13608 136091727. [bug] named-checkzone: check-names support didn't match 13610 documentation. 13611 136121726. [port] aix5: add support for aix5. 13613 136141725. [port] linux: update error message on interaction of threads, 13615 capabilities and setuid support (named -u). [RT #12541] 13616 136171724. [bug] Look for DNSKEY records with "dig +sigtrace". 13618 [RT #12557] 13619 136201723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493] 13621 136221722. [bug] Don't commit the journal on malformed ixfr streams. 13623 [RT #12519] 13624 136251721. [bug] Error message from the journal processing were not 13626 always identifying the relevant journal. [RT #12519] 13627 136281720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1 13629 negative response. [RT #12506] 13630 136311719. [bug] named was not correctly caching a RFC 2308 Type 1 13632 negative response. [RT #12506] 13633 136341718. [bug] nsupdate was not handling RFC 2308 Type 3 negative 13635 responses when looking for the zone / master server. 13636 [RT #12506] 13637 136381717. [port] solaris: ifconfig.sh did not support Solaris 10. 13639 "ifconfig.sh down" didn't work for Solaris 9. 13640 136411716. [doc] named.conf(5) was being installed in the wrong 13642 location. [RT #12441] 13643 136441715. [func] 'dig +trace' now randomly selects the next servers 13645 to try. Report if there is a bad delegation. 13646 136471714. 
[bug] dig/host/nslookup were only trying the first 13648 address when a nameserver was specified by name. 13649 [RT #12286] 13650 136511713. [port] linux: extend capset failure message to say: 13652 please ensure that the capset kernel module is 13653 loaded. see insmod(8) 13654 136551712. [bug] Missing FULLCHECK for "trusted-key" in dig. 13656 136571711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'. 13658 136591710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY 13660 messages for the specified zone. [RT #9479] 13661 136621709. [port] solaris: add SMF support from Sun. 13663 136641708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() 13665 for conformance to the name space convention. Binary 13666 backward compatibility to the old function name is 13667 provided. [RT #12376] 13668 136691707. [contrib] sdb/ldap updated to version 1.0-beta. 13670 136711706. [bug] 'rndc stop' failed to cause zones to be flushed 13672 sometimes. [RT #12328] 13673 136741705. [func] Allow the journal's name to be changed via named.conf. 13675 136761704. [port] lwres needed a snprintf() implementation for 13677 platforms without snprintf(). Add missing 13678 "#include <isc/print.h>". [RT #12321] 13679 136801703. [bug] named would loop sending NOTIFY messages when it 13681 failed to receive a response. [RT #12322] 13682 136831702. [bug] also-notify should not be applied to built in zones. 13684 [RT #12323] 13685 136861701. [doc] A minimal named.conf man page. 13687 136881700. [func] nslookup is no longer to be treated as deprecated. 13689 Remove "deprecated" warning message. Add man page. 13690 136911699. [bug] dnssec-signzone can generate "not exact" errors 13692 when resigning. [RT #12281] 13693 136941698. [doc] Use reserved IPv6 documentation prefix. 13695 136961697. [bug] xxx-source{,-v6} was not effective when it 13697 specified one of listening addresses and a 13698 different port than the listening port. [RT #12257] 13699 137001696. 
[bug] dnssec-signzone failed to clean out nodes that 13701 consisted of only NSEC and RRSIG records. 13702 [RT #12154] 13703 137041695. [bug] DS records when forwarding require special handling. 13705 [RT #12133] 13706 137071694. [bug] Report if the builtin views of "_default" / "_bind" 13708 are defined in named.conf. [RT #12023] 13709 137101693. [bug] max-journal-size was not effective for master zones 13711 with ixfr-from-differences set. [RT #12024] 13712 137131692. [bug] Don't set -I, -L and -R flags when libcrypto is in 13714 /usr/lib. [RT #11971] 13715 137161691. [bug] sdb's attachversion was not complete. [RT #11990] 13717 137181690. [bug] Delay detaching view from the client until UPDATE 13719 processing completes when shutting down. [RT #11714] 13720 137211689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros 13722 contained gratuitous semicolons. [RT #11707] 13723 137241688. [bug] LDFLAGS was not supported. 13725 137261687. [bug] Race condition in dispatch. [RT #10272] 13727 137281686. [bug] Named sent a extraneous NOTIFY when it received a 13729 redundant UPDATE request. [RT #11943] 13730 137311685. [bug] Change #1679 loop tests weren't quite right. 13732 137331684. [func] ixfr-from-differences now takes master and slave in 13734 addition to yes and no at the options and view levels. 13735 137361683. [bug] dig +sigchase could leak memory. [RT #11445] 13737 137381682. [port] Update configure test for (long long) printf format. 13739 [RT #5066] 13740 137411681. [bug] Only set SO_REUSEADDR when a port is specified in 13742 isc_socket_bind(). [RT #11742] 13743 137441680. [func] rndc: the source address can now be specified. 13745 137461679. [bug] When there was a single nameserver with multiple 13747 addresses for a zone not all addresses were tried. 13748 [RT #11706] 13749 137501678. [bug] RRSIG should use TYPEXXXXX for unknown types. 13751 137521677. [bug] dig: +aaonly didn't work, +aaflag undocumented. 13753 137541676. 
[func] New option "allow-query-cache". This lets 13755 allow-query be used to specify the default zone 13756 access level rather than having to have every 13757 zone override the global value. allow-query-cache 13758 can be set at both the options and view levels. 13759 If allow-query-cache is not set allow-query applies. 13760 137611675. [bug] named would sometimes add extra NSEC records to 13762 the authority section. 13763 137641674. [port] linux: increase buffer size used to scan 13765 /proc/net/if_inet6. 13766 137671673. [port] linux: issue a error messages if IPv6 interface 13768 scans fails. 13769 137701672. [cleanup] Tests which only function in a threaded build 13771 now return R:THREADONLY (rather than R:UNTESTED) 13772 in a non-threaded build. 13773 137741671. [contrib] queryperf: add NAPTR to the list of known types. 13775 137761670. [func] Log UPDATE requests to slave zones without an acl as 13777 "disabled" at debug level 3. [RT #11657] 13778 137791669. [placeholder] 13780 137811668. [bug] DIG_SIGCHASE was making bin/dig/host dump core. 13782 137831667. [port] linux: not all versions have IF_NAMESIZE. 13784 137851666. [bug] The optional port on hostnames in dual-stack-servers 13786 was being ignored. 13787 137881665. [func] rndc now allows addresses to be set in the 13789 server clauses. 13790 137911664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. 13792 137931663. [func] Look for OpenSSL by default. 13794 137951662. [bug] Change #1658 failed to change one use of 'type' 13796 to 'keytype'. 13797 137981661. [bug] Restore dns_name_concatenate() call in 13799 adb.c:set_target(). [RT #11582] 13800 138011660. [bug] win32: connection_reset_fix() was being called 13802 unconditionally. [RT #11595] 13803 138041659. [cleanup] Cleanup some messages that were referring to KEY vs 13805 DNSKEY, NXT vs NSEC and SIG vs RRSIG. 13806 138071658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 13808 and DH. 
Tighten which options apply to KEY and 13809 DNSKEY records. 13810 138111657. [doc] ARM: document query log output. 13812 138131656. [doc] Update DNSSEC description in ARM to cover DS, NSEC 13814 DNSKEY and RRSIG. [RT #11542] 13815 138161655. [bug] Logging multiple versions w/o a size was broken. 13817 [RT #11446] 13818 138191654. [bug] isc_result_totext() contained array bounds read 13820 error. 13821 138221653. [func] Add key type checking to dst_key_fromfilename(), 13823 DST_TYPE_KEY should be used to read TSIG, TKEY and 13824 SIG(0) keys. 13825 138261652. [bug] TKEY still uses KEY. 13827 138281651. [bug] dig: process multiple dash options. 13829 138301650. [bug] dig, nslookup: flush standard out after each command. 13831 138321649. [bug] Silence "unexpected non-minimal diff" message. 13833 [RT #11206] 13834 138351648. [func] Update dnssec-lookaside named.conf syntax to support 13836 multiple dnssec-lookaside namespaces (not yet 13837 implemented). 13838 138391647. [bug] It was possible trigger a INSIST when chasing a DS 13840 record that required walking back over a empty node. 13841 [RT #11445] 13842 138431646. [bug] win32: logging file versions didn't work with 13844 non-UNC filenames. [RT #11486] 13845 138461645. [bug] named could trigger a REQUIRE failure if multiple 13847 masters with keys are specified. 13848 138491644. [bug] Update the journal modification time after a 13850 successful refresh query. [RT #11436] 13851 138521643. [bug] dns_db_closeversion() could leak memory / node 13853 references. [RT #11163] 13854 138551642. [port] Support OpenSSL implementations which don't have 13856 DSA support. [RT #11360] 13857 138581641. [bug] Update the check-names description in ARM. [RT #11389] 13859 138601640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was 13861 incorrectly closing the socket. [RT #11291] 13862 138631639. [func] Initial dlv system test. 13864 138651638. 
[bug] "ixfr-from-differences" could generate a REQUIRE 13866 failure if the journal open failed. [RT #11347] 13867 138681637. [bug] Node reference leak on error in addnoqname(). 13869 138701636. [bug] The dump done callback could get ISC_R_SUCCESS even if 13871 a error had occurred. The database version no longer 13872 matched the version of the database that was dumped. 13873 138741635. [bug] Memory leak on error in query_addds(). 13875 138761634. [bug] named didn't supply a useful error message when it 13877 detected duplicate views. [RT #11208] 13878 138791633. [bug] named should return NOTIMP to update requests to a 13880 slaves without a allow-update-forwarding acl specified. 13881 [RT #11331] 13882 138831632. [bug] nsupdate failed to send prerequisite only UPDATE 13884 messages. [RT #11288] 13885 138861631. [bug] dns_journal_compact() could sometimes corrupt the 13887 journal. [RT #11124] 13888 138891630. [contrib] queryperf: add support for IPv6 transport. 13890 138911629. [func] dig now supports IPv6 scoped addresses with the 13892 extended format in the local-server part. [RT #8753] 13893 138941628. [bug] Typo in Compaq Trucluster support. [RT #11264] 13895 138961627. [bug] win32: sockets were not being closed when the 13897 last external reference was removed. [RT #11179] 13898 138991626. [bug] --enable-getifaddrs was broken. [RT #11259] 13900 139011625. [bug] named failed to load/transfer RFC2535 signed zones 13902 which contained CNAMES. [RT #11237] 13903 139041624. [bug] zonemgr_putio() call should be locked. [RT #11163] 13905 139061623. [bug] A serial number of zero was being displayed in the 13907 "sending notifies" log message when also-notify was 13908 used. [RT #11177] 13909 139101622. [func] probe the system to see if IPV6_(RECV)PKTINFO is 13911 available, and suppress wildcard binding if not. 13912 139131621. [bug] match-destinations did not work for IPv6 TCP queries. 13914 [RT #11156] 13915 139161620. 
[func] When loading a zone report if it is signed. [RT #11149] 13917 139181619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). 13919 [RT #11118] 13920 139211618. [bug] Fencepost errors in dns_name_ishostname() and 13922 dns_name_ismailbox() could trigger a INSIST(). 13923 139241617. [port] win32: VC++ 6.0 support. 13925 139261616. [compat] Ensure that named's version is visible in the core 13927 dump. [RT #11127] 13928 139291615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if 13930 it is defined. 13931 139321614. [port] win32: silence resource limit messages. [RT #11101] 13933 139341613. [bug] Builds would fail on machines w/o a if_nametoindex(). 13935 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. 13936 [RT #11119] 13937 139381612. [bug] check-names at the option/view level could trigger 13939 an INSIST. [RT #11116] 13940 139411611. [bug] solaris: IPv6 interface scanning failed to cope with 13942 no active IPv6 interfaces. 13943 139441610. [bug] On dual stack machines "dig -b" failed to set the 13945 address type to be looked up with "@server". 13946 [RT #11069] 13947 139481609. [func] dig now has support to chase DNSSEC signature chains. 13949 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. 13950 13951 DNSSEC validation code in dig coded by Olivier Courtay 13952 (olivier.courtay@irisa.fr) for the IDsA project 13953 (http://idsa.irisa.fr). 13954 139551608. [func] dig and host now accept -4/-6 to select IP transport 13956 to use when making queries. 13957 139581607. [bug] dig, host and nslookup were still using random() 13959 to generate query ids. [RT #11013] 13960 139611606. [bug] DLV insecurity proof was failing. 13962 139631605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. 13964 139651604. [bug] A xfrout_ctx_create() failure would result in 13966 xfrout_ctx_destroy() being called with a 13967 partially initialized structure. 13968 139691603. [bug] nsupdate: set interactive based on isatty(). 
13970 [RT #10929] 13971 139721602. [bug] Logging to a file failed unless a size was specified. 13973 [RT #10925] 13974 139751601. [bug] Silence spurious warning 'both "recursion no;" and 13976 "allow-recursion" active' warning from view "_bind". 13977 [RT #10920] 13978 139791600. [bug] Duplicate zone pre-load checks were not case 13980 insensitive. 13981 139821599. [bug] Fix memory leak on error path when checking named.conf. 13983 139841598. [func] Specify that certain parts of the namespace must 13985 be secure (dnssec-must-be-secure). 13986 139871597. [func] Allow notify-source and query-source to be specified 13988 on a per server basis similar to transfer-source. 13989 [RT #6496] 13990 139911596. [func] Accept 'notify-source' style syntax for query-source. 13992 139931595. [func] New notify type 'master-only'. Enable notify for 13994 master zones only. 13995 139961594. [bug] 'rndc dumpdb' could prevent named from answering 13997 queries while the dump was in progress. [RT #10565] 13998 139991593. [bug] rndc should return "unknown command" to unknown 14000 commands. [RT #10642] 14001 140021592. [bug] configure_view() could leak a dispatch. [RT #10675] 14003 140041591. [bug] libbind: updated to BIND 8.4.5. 14005 140061590. [port] netbsd: update thread support. 14007 140081589. [func] DNSSEC lookaside validation. 14009 140101588. [bug] win32: TCP sockets could become blocked. [RT #10115] 14011 140121587. [bug] dns_message_settsigkey() failed to clear existing key. 14013 [RT #10590] 14014 140151586. [func] "check-names" is now implemented. 14016 140171585. [placeholder] 14018 140191584. [bug] "make test" failed with a read only source tree. 14020 [RT #10461] 14021 140221583. [bug] Records add via UPDATE failed to get the correct trust 14023 level. [RT #10452] 14024 140251582. [bug] rrset-order failed to work on RRsets with more 14026 than 32 elements. [RT #10381] 14027 140281581. [func] Disable DNSSEC support by default. 
To enable 14029 DNSSEC specify "dnssec-enable yes;" in named.conf. 14030 140311580. [bug] Zone destruction on final detach takes a long time. 14032 [RT #3746] 14033 140341579. [bug] Multiple task managers could not be created. 14035 140361578. [bug] Don't use CLASS E IPv4 addresses when resolving. 14037 [RT #10346] 14038 140391577. [bug] Use isc_uint32_t in ultrasparc optimizer bug 14040 workaround code. [RT #10331] 14041 140421576. [bug] Race condition in dns_dispatch_addresponse(). 14043 [RT #10272] 14044 140451575. [func] Log TSIG name on TSIG verify failure. [RT #4404] 14046 140471574. [bug] Don't attempt to open the controls socket(s) when 14048 running tests. [RT #9091] 14049 140501573. [port] linux: update to libtool 1.5.2 so that 14051 "make install DESTDIR=/xx" works with 14052 "configure --with-libtool". [RT #9941] 14053 140541572. [bug] nsupdate: sign the soa query to find the enclosing 14055 zone if the server is specified. [RT #10148] 14056 140571571. [bug] rbt:hash_node() could fail leaving the hash table 14058 in an inconsistent state. [RT #10208] 14059 140601570. [bug] nsupdate failed to handle classes other than IN. 14061 New keyword 'class' which sets the default class. 14062 [RT #10202] 14063 140641569. [func] nsupdate new command 'answer' which displays the 14065 complete answer message to the last update. 14066 140671568. [bug] nsupdate now reports that the update failed in 14068 interactive mode. [RT #10236] 14069 140701567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201. 14071 140721566. [port] Support for the cmsg framework on Solaris and HP/UX. 14073 This also solved the problem that match-destinations 14074 for IPv6 addresses did not work on these systems. 14075 [RT #10221] 14076 140771565. [bug] CD flag should be copied to outgoing queries unless 14078 the query is under a secure entry point in which case 14079 CD should be set. 14080 140811564. 
[func] Attempt to provide a fallback entropy source to be 14082 used if named is running chrooted and named is unable 14083 to open entropy source within the chroot area. 14084 [RT #10133] 14085 140861563. [bug] Gracefully fail when unable to obtain neither an IPv4 14087 nor an IPv6 dispatch. [RT #10230] 14088 140891562. [bug] isc_socket_create() and isc_socket_accept() could 14090 leak memory under error conditions. [RT #10230] 14091 140921561. [bug] It was possible to release the same name twice if 14093 named ran out of memory. [RT #10197] 14094 140951560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA 14096 and EAI_NONAME to the same value. 14097 140981559. [port] named should ignore SIGFSZ. 14099 141001558. [func] New DNSSEC 'disable-algorithms'. Support entry into 14101 child zones for which we don't have a supported 14102 algorithm. Such child zones are treated as unsigned. 14103 141041557. [func] Implement missing DNSSEC tests for 14105 * NOQNAME proof with wildcard answers. 14106 * NOWILDARD proof with NXDOMAIN. 14107 Cache and return NOQNAME with wildcard answers. 14108 141091556. [bug] nsupdate now treats all names as fully qualified. 14110 [RT #6427] 14111 141121555. [func] 'rrset-order cyclic' no longer has a random starting 14113 point per query. [RT #7572] 14114 141151554. [bug] dig, host, nslookup failed when no nameservers 14116 were specified in /etc/resolv.conf. [RT #8232] 14117 141181553. [bug] The windows socket code could stop accepting 14119 connections. [RT #10115] 14120 141211552. [bug] Accept NOTIFY requests from mapped masters if 14122 matched-mapped is set. [RT #10049] 14123 141241551. [port] Open "/dev/null" before calling chroot(). 14125 141261550. [port] Call tzset(), if available, before calling chroot(). 14127 141281549. [func] named-checkzone can now write out the zone contents 14129 in a easily parsable format (-D and -o). 14130 141311548. 
[bug] When parsing APL records it was possible to silently 14132 accept out of range ADDRESSFAMILY values. [RT #9979] 14133 141341547. [bug] Named wasted memory recording duplicate lame zone 14135 entries. [RT #9341] 14136 141371546. [bug] We were rejecting valid secure CNAME to negative 14138 answers. 14139 141401545. [bug] It was possible to leak memory if named was unable to 14141 bind to the specified transfer source and TSIG was 14142 being used. [RT #10120] 14143 141441544. [bug] Named would logged a single entry to a file despite it 14145 being over the specified size limit. 14146 141471543. [bug] Logging using "versions unlimited" did not work. 14148 141491542. [placeholder] 14150 141511541. [func] NSEC now uses new bitmap format. 14152 141531540. [bug] "rndc reload <dynamiczone>" was silently accepted. 14154 [RT #8934] 14155 141561539. [bug] Open UDP sockets for notify-source and transfer-source 14157 that use reserved ports at startup. [RT #9475] 14158 141591538. [placeholder] rt9997 14160 141611537. [func] New option "querylog". If set specify whether query 14162 logging is to be enabled or disabled at startup. 14163 141641536. [bug] Windows socket code failed to log a error description 14165 when returning ISC_R_UNEXPECTED. [RT #9998] 14166 141671535. [placeholder] 14168 141691534. [bug] Race condition when priming cache. [RT #9940] 14170 141711533. [func] Warn if both "recursion no;" and "allow-recursion" 14172 are active. [RT #4389] 14173 141741532. [port] netbsd: the configure test for <sys/sysctl.h> 14175 requires <sys/param.h>. 14176 141771531. [port] AIX more libtool fixes. 14178 141791530. [bug] It was possible to trigger a INSIST() failure if a 14180 slave master file was removed at just the correct 14181 moment. [RT #9462] 14182 141831529. [bug] "notify explicit;" failed to log that NOTIFY messages 14184 were being sent for the zone. [RT #9442] 14185 141861528. 
[cleanup] Simplify some dns_name_ functions based on the 14187 deprecation of bitstring labels. 14188 141891527. [cleanup] Reduce the number of gettimeofday() calls without 14190 losing necessary timer granularity. 14191 141921526. [func] Implemented "additional section caching (or acache)", 14193 an internal cache framework for additional section 14194 content to improve response performance. Several 14195 configuration options were provided to control the 14196 behavior. 14197 141981525. [bug] dns_cache_create() could trigger a REQUIRE 14199 failure in isc_mem_put() during error cleanup. 14200 [RT #9360] 14201 142021524. [port] AIX needs to be able to resolve all symbols when 14203 creating shared libraries (--with-libtool). 14204 142051523. [bug] Fix race condition in rbtdb. [RT #9189] 14206 142071522. [bug] dns_db_findnode() relax the requirements on 'name'. 14208 [RT #9286] 14209 142101521. [bug] dns_view_createresolver() failed to check the 14211 result from isc_mem_create(). [RT #9294] 14212 142131520. [protocol] Add SSHFP (SSH Finger Print) type. 14214 142151519. [bug] dnssec-signzone:nsec_setbit() computed the wrong 14216 length of the new bitmap. 14217 142181518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(), 14219 contained a off-by-one error when working out the 14220 number of octets in the bitmap. 14221 142221517. [port] Support for IPv6 interface scanning on HP/UX and 14223 TrueUNIX 5.1. 14224 142251516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. 14226 142271515. [func] Allow transfer source to be set in a server statement. 14228 [RT #6496] 14229 142301514. [bug] named: isc_hash_destroy() was being called too early. 14231 [RT #9160] 14232 142331513. [doc] Add "US" to root-delegation-only exclude list. 14234 142351512. [bug] Extend the delegation-only logging to return query 14236 type, class and responding nameserver. 14237 142381511. [bug] delegation-only was generating false positives 14239 on negative answers from sub-zones. 
14240 142411510. [func] New view option "root-delegation-only". Apply 14242 delegation-only check to all TLDs and root. 14243 Note there are some TLDs that are NOT delegation 14244 only (e.g. DE, LV, US and MUSEUM) these can be excluded 14245 from the checks by using exclude. 14246 14247 root-delegation-only exclude { 14248 "DE"; "LV"; "US"; "MUSEUM"; 14249 }; 14250 142511509. [bug] Hint zones should accept delegation-only. Forward 14252 zone should not accept delegation-only. 14253 142541508. [bug] Don't apply delegation-only checks to answers from 14255 forwarders. 14256 142571507. [bug] Handle BIND 8 style returns to NS queries to parents 14258 when making delegation-only checks. 14259 142601506. [bug] Wrong return type for dns_view_isdelegationonly(). 14261 142621505. [bug] Uninitialized rdataset in sdb. [RT #8750] 14263 142641504. [func] New zone type "delegation-only". 14265 142661503. [port] win32: install libeay32.dll outside of system32. 14267 142681502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP. 14269 142701501. [func] Allow TCP queue length to be specified via 14271 named.conf, tcp-listen-queue. 14272 142731500. [bug] host failed to lookup MX records. Also look up 14274 AAAA records. 14275 142761499. [bug] isc_random need to be seeded better if arc4random() 14277 is not used. 14278 142791498. [port] bsdos: 5.x support. 14280 142811497. [placeholder] 14282 142831496. [port] test for pthread_attr_setstacksize(). 14284 142851495. [cleanup] Replace hash functions with universal hash. 14286 142871494. [security] Turn on RSA BLINDING as a precaution. 14288 142891493. [placeholder] 14290 142911492. [cleanup] Preserve rwlock quota context when upgrading / 14292 downgrading. [RT #5599] 14293 142941491. [bug] dns_master_dump*() would produce extraneous $ORIGIN 14295 lines. [RT #6206] 14296 142971490. [bug] Accept reading state as well as working state in 14298 ns_client_next(). [RT #6813] 14299 143001489. 
[compat] Treat 'allow-update' on slave zones as a warning. 14301 [RT #3469] 14302 143031488. [bug] Don't override trust levels for glue addresses. 14304 [RT #5764] 14305 143061487. [bug] A REQUIRE() failure could be triggered if a zone was 14307 queued for transfer and the zone was then removed. 14308 [RT #6189] 14309 143101486. [bug] isc_print_snprintf() '%%' consumed one too many format 14311 characters. [RT #8230] 14312 143131485. [bug] gen failed to handle high type values. [RT #6225] 14314 143151484. [bug] The number of records reported after a AXFR was wrong. 14316 [RT #6229] 14317 143181483. [bug] dig axfr failed if the message id in the answer failed 14319 to match that in the request. Only the id in the first 14320 message is required to match. [RT #8138] 14321 143221482. [bug] named could fail to start if the kernel supports 14323 IPv6 but no interfaces are configured. Similarly 14324 for IPv4. [RT #6229] 14325 143261481. [bug] Refresh and stub queries failed to use masters keys 14327 if specified. [RT #7391] 14328 143291480. [bug] Provide replay protection for rndc commands. Full 14330 replay protection requires both rndc and named to 14331 be updated. Partial replay protection (limited 14332 exposure after restart) is provided if just named 14333 is updated. 14334 143351479. [bug] cfg_create_tuple() failed to handle out of 14336 memory cleanup. parse_list() would leak memory 14337 on syntax errors. 14338 143391478. [port] ifconfig.sh didn't account for other virtual 14340 interfaces. It now takes a optional argument 14341 to specify the first interface number. [RT #3907] 14342 143431477. [bug] memory leak using stub zones and TSIG. 14344 143451476. [placeholder] 14346 143471475. [port] Probe for old sprintf(). 14348 143491474. [port] Provide strtoul() and memmove() for platforms 14350 without them. 14351 143521473. [bug] create_map() and create_string() failed to handle out 14353 of memory cleanup. [RT #6813] 14354 143551472. 
[contrib] idnkit-1.0 from JPNIC, replaces mdnkit. 14356 143571471. [bug] libbind: updated to BIND 8.4.0. 14358 143591470. [bug] Incorrect length passed to snprintf. [RT #5966] 14360 143611469. [func] Log end of outgoing zone transfer at same level 14362 as the start of transfer is logged. [RT #4441] 14363 143641468. [func] Internal zones are no longer counted for 14365 'rndc status'. [RT #4706] 14366 143671467. [func] $GENERATES now supports optional class and ttl. 14368 143691466. [bug] lwresd configuration errors resulted in memory 14370 and lock leaks. [RT #5228] 14371 143721465. [bug] isc_base64_decodestring() and isc_base64_tobuffer() 14373 failed to check that trailing bits were zero allowing 14374 some invalid base64 strings to be accepted. [RT #5397] 14375 143761464. [bug] Preserve "out of zone" data for outgoing zone 14377 transfers. [RT #5192] 14378 143791463. [bug] dns_rdata_from{wire,struct}() failed to catch bad 14380 NXT bit maps. [RT #5577] 14381 143821462. [bug] parse_sizeval() failed to check the token type. 14383 [RT #5586] 14384 143851461. [bug] Remove deadlock from rbtdb code. [RT #5599] 14386 143871460. [bug] inet_pton() failed to reject certain malformed 14388 IPv6 literals. 14389 143901459. [placeholder] 14391 143921458. [cleanup] sprintf() -> snprintf(). 14393 143941457. [port] Provide strlcat() and strlcpy() for platforms without 14395 them. 14396 143971456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer. 14398 143991455. [bug] <netaddr> missing from server grammar in 14400 doc/misc/options. [RT #5616] 14401 144021454. [port] Use getifaddrs() if available for interface scanning. 14403 --disable-getifaddrs to override. Glibc currently 14404 has a getifaddrs() that does not support IPv6. 14405 Use --enable-getifaddrs=glibc to force the use of 14406 this version under linux machines. 14407 144081453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298] 14409 144101452. [placeholder] 14411 144121451. 
[bug] rndc-confgen didn't exit with a error code for all 14413 failures. [RT #5209] 14414 144151450. [bug] Fetching expired glue failed under certain 14416 circumstances. [RT #5124] 14417 144181449. [bug] query_addbestns() didn't handle running out of memory 14419 gracefully. 14420 144211448. [bug] Handle empty wildcards labels. 14422 144231447. [bug] We were casting (unsigned int) to and from (void *). 14424 rdataset->private4 is now rdataset->privateuint4 14425 to reflect a type change. 14426 144271446. [func] Implemented undocumented alternate transfer sources 14428 from BIND 8. See use-alt-transfer-source, 14429 alt-transfer-source and alt-transfer-source-v6. 14430 14431 SECURITY: use-alt-transfer-source is ENABLED unless 14432 you are using views. This may cause a security risk 14433 resulting in accidental disclosure of wrong zone 14434 content if the master supplying different source 14435 content based on IP address. If you are not certain 14436 ISC recommends setting use-alt-transfer-source no; 14437 144381445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has 14439 been replaced with DNS_ADBFIND_STARTATZONE which 14440 causes the search to start using the closest zone. 14441 144421444. [func] dns_view_findzonecut2() allows you to specify if the 14443 cache should be searched for zone cuts. 14444 144451443. [func] Masters lists can now be specified and referenced 14446 in zone masters clauses and other masters lists. 14447 144481442. [func] New functions for manipulating port lists: 14449 dns_portlist_create(), dns_portlist_add(), 14450 dns_portlist_remove(), dns_portlist_match(), 14451 dns_portlist_attach() and dns_portlist_detach(). 14452 144531441. [func] It is now possible to tell dig to bind to a specific 14454 source port. 14455 144561440. [func] It is now possible to tell named to avoid using 14457 certain source ports (avoid-v4-udp-ports, 14458 avoid-v6-udp-ports). 14459 144601439. 
[bug] Named could return NOERROR with certain NOTIFY 14461 failures. Return NOTAUTH if the NOTIFY zone is 14462 not being served. 14463 144641438. [func] Log TSIG (if any) when logging NOTIFY requests. 14465 144661437. [bug] Leave space for stdio to work in. [RT #5033] 14467 144681436. [func] dns_zonemgr_resumexfrs() can be used to restart 14469 stalled transfers. 14470 144711435. [bug] zmgr_resume_xfrs() was being called read locked 14472 rather than write locked. zmgr_resume_xfrs() 14473 was not being called if the zone was being 14474 shutdown. 14475 144761434. [bug] "rndc reconfig" failed to initiate the initial 14477 zone transfer of new slave zones. 14478 144791433. [bug] named could trigger a REQUIRE failure if it could 14480 not get a file descriptor when attempting to write 14481 a master file. [RT #4347] 14482 144831432. [func] The advertised EDNS UDP buffer size can now be set 14484 via named.conf (edns-udp-size). 14485 144861431. [bug] isc_print_snprintf() "%s" with precision could walk off 14487 end of argument. [RT #5191] 14488 144891430. [port] linux: IPv6 interface scanning support. 14490 144911429. [bug] Prevent the cache getting locked to old servers. 14492 144931428. [placeholder] 14494 144951427. [bug] Race condition in adb with threaded build. 14496 144971426. [placeholder] 14498 144991425. [port] linux/libbind: define __USE_MISC when testing *_r() 14500 function prototypes in netdb.h. [RT #4921] 14501 145021424. [bug] EDNS version not being correctly printed. 14503 145041423. [contrib] queryperf: added A6 and SRV. 14505 145061422. [func] Log name/type/class when denying a query. [RT #4663] 14507 145081421. [func] Differentiate updates that don't succeed due to 14509 prerequisites (unsuccessful) vs other reasons 14510 (failed). 14511 145121420. [port] solaris: work around gcc optimizer bug. 14513 145141419. [port] openbsd: use /dev/arandom. [RT #4950] 14515 145161418. [bug] 'rndc reconfig' did not cause new slaves to load. 14517 145181417. 
[func] ID.SERVER/CHAOS is now a built in zone. 14519 See "server-id" for how to configure. 14520 145211416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN. 14522 [RT #4715] 14523 145241415. [func] DS TTL now derived from NS ttl. NXT TTL now derived 14525 from SOA MINIMUM. 14526 145271414. [func] Support for KSK flag. 14528 145291413. [func] Explicitly request the (re-)generation of DS records 14530 from keysets (dnssec-signzone -g). 14531 145321412. [func] You can now specify servers to be tried if a nameserver 14533 has IPv6 address and you only support IPv4 or the 14534 reverse. See dual-stack-servers. 14535 145361411. [bug] empty nodes should stop wildcard matches. [RT #4802] 14537 145381410. [func] Handle records that live in the parent zone, e.g. DS. 14539 145401409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC. 14541 145421408. [bug] "make distclean" was not complete. [RT #4700] 14543 145441407. [bug] lfsr incorrectly implements the shift register. 14545 [RT #4617] 14546 145471406. [bug] dispatch initializes one of the LFSR's with a incorrect 14548 polynomial. [RT #4617] 14549 145501405. [func] Use arc4random() if available. 14551 145521404. [bug] libbind: ns_name_ntol() could overwrite a zero length 14553 buffer. 14554 145551403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset 14556 dnssec-signkey now report their version in the 14557 usage message. 14558 145591402. [cleanup] A6 has been moved to experimental and is no longer 14560 fully supported. 14561 145621401. [bug] adb wasn't clearing state when the timer expired. 14563 145641400. [bug] Block the addition of wildcard NS records by IXFR 14565 or UPDATE. [RT #3502] 14566 145671399. [bug] Use serial number arithmetic when testing SIG 14568 timestamps. [RT #4268] 14569 145701398. [doc] ARM: notify-also should have been also-notify. 14571 [RT #4345] 14572 145731397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30. 14574 145751396. 
[func] dnssec-signzone: adjust the default signing time by 14576 1 hour to allow for clock skew. 14577 145781395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't 14579 have a working implementation. [RT #4079] 14580 145811394. [func] It is now possible to check if a particular element is 14582 in a acl. Remove duplicate entries from the localnets 14583 acl. 14584 145851393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY 14586 is not available in the kernel to prevent accidentally 14587 listening on IPv4 interfaces. 14588 145891392. [bug] named-checkzone: update usage. 14590 145911391. [func] Add support for IPv6 scoped addresses in named. 14592 145931390. [func] host now supports ixfr. 14594 145951389. [bug] named could fail to rotate long log files. [RT #3666] 14596 145971388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before 14598 defining HAVE_IFLIST_SYSCTL. [RT #3770] 14599 146001387. [bug] named could crash due to an access to invalid memory 14601 space (which caused an assertion failure) in 14602 incremental cleaning. [RT #3588] 14603 146041386. [bug] named-checkzone -z stopped on errors in a zone. 14605 [RT #3653] 14606 146071385. [bug] Setting serial-query-rate to 10 would trigger a 14608 REQUIRE failure. 14609 146101384. [bug] host was incompatible with BIND 8 in its exit code and 14611 in the output with the -l option. [RT #3536] 14612 146131383. [func] Track the serial number in a IXFR response and log if 14614 a mismatch occurs. This is a more specific error than 14615 "not exact". [RT #3445] 14616 146171382. [bug] make install failed with --enable-libbind. [RT #3656] 14618 146191381. [bug] named failed to correctly process answers that 14620 contained DNAME records where the resulting CNAME 14621 resulted in a negative answer. 14622 146231380. [func] 'rndc recursing' dump recursing queries to 14624 'recursing-file = "named.recursing";'. 14625 146261379. 
[func] 'rndc status' now reports tcp and recursion quota 14627 states. 14628 146291378. [func] Improved positive feedback for 'rndc {reload|refresh}. 14630 146311377. [func] dns_zone_load{new}() now reports if the zone was 14632 loaded, queued for loading to up to date. 14633 146341376. [func] New function dns_zone_logc() to log to specified 14635 category. 14636 146371375. [func] 'rndc dumpdb' now dumps the adb cache along with the 14638 data cache. 14639 146401374. [func] dns_adb_dump() now logs the lame zones associated 14641 with each server. 14642 146431373. [bug] Recovery from expired glue failed under certain 14644 circumstances. 14645 146461372. [bug] named crashes with an assertion failure on exit when 14647 sharing the same port for listening and querying, and 14648 changing listening addresses several times. [RT #3509] 14649 146501371. [bug] notify-source-v6, transfer-source-v6 and 14651 query-source-v6 with explicit addresses and using the 14652 same ports as named was listening on could interfere 14653 with named's ability to answer queries sent to those 14654 addresses. 14655 146561370. [bug] dig '+[no]recurse' was incorrectly documented. 14657 146581369. [bug] Adding an NS record as the lexicographically last 14659 record in a secure zone didn't work. 14660 146611368. [func] remove support for bitstring labels. 14662 146631367. [func] Use response times to select forwarders. 14664 146651366. [contrib] queryperf usage was incomplete. Add '-h' for help. 14666 146671365. [func] "localhost" and "localnets" acls now include IPv6 14668 addresses / prefixes. 14669 146701364. [func] Log file name when unable to open memory statistics 14671 and dump database files. [RT #3437] 14672 146731363. [func] Listen-on-v6 now supports specific addresses. 14674 146751362. [bug] remove IFF_RUNNING test when scanning interfaces. 14676 146771361. [func] log the reason for rejecting a server when resolving 14678 queries. 14679 146801360. 
[bug] --enable-libbind would fail when not built in the 14681 source tree for certain OS's. 14682 146831359. [security] Support patches OpenSSL libraries. 14684 http://www.cert.org/advisories/CA-2002-23.html 14685 146861358. [bug] It was possible to trigger a INSIST when debugging 14687 large dynamic updates. [RT #3390] 14688 146891357. [bug] nsupdate was extremely wasteful of memory. 14690 146911356. [tuning] Reduce the number of events / quantum for zone tasks. 14692 146931355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME. 14694 146951354. [doc] lwres man pages had illegal nroff. 14696 146971353. [contrib] sdb/ldap to version 0.9. 14698 146991352. [bug] dig, host, nslookup when falling back to TCP use the 14700 current search entry (if any). [RT #3374] 14701 147021351. [bug] lwres_getipnodebyname() returned the wrong name 14703 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED 14704 was set. 14705 147061350. [bug] dns_name_fromtext() failed to handle too many labels 14707 gracefully. 14708 147091349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). 14710 http://www.cert.org/advisories/CA-2002-23.html 14711 147121348. [port] win32: Rewrote code to use I/O Completion Ports 14713 in socket.c and eliminating a host of socket 14714 errors. Performance is enhanced. 14715 147161347. [placeholder] 14717 147181346. [placeholder] 14719 147201345. [port] Use a explicit -Wformat with gcc. Not all versions 14721 include it in -Wall. 14722 147231344. [func] Log if the serial number on the master has gone 14724 backwards. 14725 If you have multiple machines specified in the masters 14726 clause you may want to set 'multi-master yes;' to 14727 suppress this warning. 14728 147291343. [func] Log successful notifies received (info). Adjust log 14730 level for failed notifies to notice. 14731 147321342. [func] Log remote address with TCP dispatch failures. 14733 147341341. [func] Allow a rate limiter to be stalled. 14735 147361340. 
[bug] Delay and spread out the startup refresh load. 14737 147381339. [func] dig, host and nslookup now use IP6.ARPA for nibble 14739 lookups. Bit string lookups are no longer attempted. 14740 147411338. [placeholder] 14742 147431337. [placeholder] 14744 147451336. [func] Nibble lookups under IP6.ARPA are now supported by 14746 dns_byaddr_create(). dns_byaddr_createptrname() is 14747 deprecated, use dns_byaddr_createptrname2() instead. 14748 147491335. [bug] When performing a nonexistence proof, the validator 14750 should discard parent NXTs from higher in the DNS. 14751 147521334. [bug] When signing/verifying rdatasets, duplicate rdatas 14753 need to be suppressed. 14754 147551333. [contrib] queryperf now reports a summary of returned 14756 rcodes (-c), rcodes are printed in mnemonic form (-v). 14757 147581332. [func] Report the current serial with periodic commits when 14759 rolling forward the journal. 14760 147611331. [func] Generate DNSSEC wildcard proofs. 14762 147631330. [bug] When processing events (non-threaded) only allow 14764 the task one chance to use to use its quantum. 14765 147661329. [func] named-checkzone will now check if nameservers that 14767 appear to be IP addresses. Available modes "fail", 14768 "warn" (default) and "ignore" the results of the 14769 check. 14770 147711328. [bug] The validator could incorrectly verify an invalid 14772 negative proof. 14773 147741327. [bug] The validator would incorrectly mark data as insecure 14775 when seeing a bogus signature before a correct 14776 signature. 14777 147781326. [bug] DNAME/CNAME signatures were not being cached when 14779 validation was not being performed. [RT #3284] 14780 147811325. [bug] If the tcpquota was exhausted it was possible to 14782 to trigger a INSIST() failure. 14783 147841324. [port] darwin: ifconfig.sh now supports darwin. 14785 147861323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205] 14787 147881322. [bug] dnssec-signzone usage message was misleading. 
14789 147901321. [bug] If the last RRset in a zone is glue, dnssec-signzone 14791 would incorrectly duplicate its output and sign it. 14792 147931320. [doc] query-source-v6 was missing from options section. 14794 [RT #3218] 14795 147961319. [func] libbind: log attempts to exploit #1318. 14797 147981318. [bug] libbind: Remote buffer overrun. 14799 148001317. [port] libbind: TrueUNIX 5.1 does not like __align as a 14801 element name. 14802 148031316. [bug] libbind: gethostans() could get out of sync parsing 14804 the response if there was a very long CNAME chain. 14805 148061315. [bug] Options should apply to the internal _bind view. 14807 148081314. [port] Handle ECONNRESET from sendmsg() [unix]. 14809 148101313. [func] Query log now says if the query was signed (S) or 14811 if EDNS was used (E). 14812 148131312. [func] Log TSIG key used w/ outgoing zone transfers. 14814 148151311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159] 14816 148171310. [bug] 'rndc stop' failed to cause zones to be flushed 14818 sometimes. [RT #3157] 14819 148201309. [func] Log that a zone transfer was covered by a TSIG. 14821 148221308. [func] DS (delegation signer) support. 14823 148241307. [bug] nsupdate: allow white space base64 key data. 14825 148261306. [bug] Badly encoded LOC record when the size, horizontal 14827 precision or vertical precision was 0.1m. 14828 148291305. [bug] Document that internal zones are included in the 14830 rndc status results. 14831 148321304. [func] New function: dns_zone_name(). 14833 148341303. [func] Option 'flush-zones-on-shutdown <boolean>;'. 14835 148361302. [func] Extended rndc dumpdb to support dumping of zones and 14837 view selection: 'dumpdb [-all|-zones|-cache] [view]'. 14838 148391301. [func] New category 'update-security'. 14840 148411300. [port] Compaq Trucluster support. 14842 148431299. [bug] Set AI_ADDRCONFIG when looking up addresses 14844 via getaddrinfo() (affects dig, host, nslookup, rndc 14845 and nsupdate). 14846 148471298. 
[bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile 14848 could be left with a trailing "\" after configure 14849 has been run. 14850 148511297. [port] linux: make handling EINVAL from socket() no longer 14852 conditional on #ifdef LINUX. 14853 148541296. [bug] isc_log_closefilelogs() needed to lock the log 14855 context. 14856 148571295. [bug] isc_log_setdebuglevel() needed to lock the log 14858 context. 14859 148601294. [func] libbind: no longer attempts bit string labels for 14861 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT 14862 for nibble style resolution. 14863 148641293. [func] Entropy can now be retrieved from EGDs. [RT #2438] 14865 148661292. [func] Enable IPv6 support when using ioctl style interface 14867 scanning and OS supports SIOCGLIFADDR using struct 14868 if_laddrreq. 14869 148701291. [func] Enable IPv6 support when using sysctl style interface 14871 scanning. 14872 148731290. [func] "dig axfr" now reports the number of messages 14874 as well as the number of records. 14875 148761289. [port] See if -ldl is required for OpenSSL? [RT #2672] 14877 148781288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better 14879 reflect written requirements. 14880 148811287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding 14882 a rdataset to a zone db in the rbtdb implementation of 14883 addrdataset. 14884 148851286. [bug] dns_name_downcase() enforce requirement that 14886 target != NULL or name->buffer != NULL. 14887 148881285. [func] lwres: probe the system to see what address families 14889 are currently in use. 14890 148911284. [bug] The RTT estimate on unused servers was not aged. 14892 [RT #2569] 14893 148941283. [func] Use "dataready" accept filter if available. 14895 148961282. [port] libbind: hpux 11.11 interface scanning. 14897 148981281. [func] Log zone when unable to get private keys to update 14899 zone. Log zone when NXT records are missing from 14900 secure zone. 14901 149021280. 
[bug] libbind: escape '(' and ')' when converting to 14903 presentation form. 14904 149051279. [port] Darwin uses (unsigned long) for size_t. [RT #2590] 14906 149071278. [func] dig: now supports +[no]cl +[no]ttlid. 14908 149091277. [func] You can now create your own customized printing 14910 styles: dns_master_stylecreate() and 14911 dns_master_styledestroy(). 14912 149131276. [bug] libbind: const pointer conflicts in res_debug.c. 14914 149151275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN. 14916 149171274. [bug] Memory leak in lwres_gnbarequest_parse(). 14918 149191273. [port] libbind: solaris: 64 bit binary compatibility. 14920 149211272. [contrib] Berkeley DB 4.0 sdb implementation from 14922 Nuno Miguel Rodrigues <nmr@co.sapo.pt>. 14923 149241271. [bug] "recursion available: {denied,approved}" was too 14925 confusing. 14926 149271270. [bug] Check that system inet_pton() and inet_ntop() support 14928 AF_INET6. 14929 149301269. [port] Openserver: ifconfig.sh support. 14931 149321268. [port] Openserver: the value FD_SETSIZE depends on whether 14933 <sys/param.h> is included or not. Be consistent. 14934 149351267. [func] isc_file_openunique() now creates file using mode 14936 0666 rather than 0600. 14937 149381266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE, 14939 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE 14940 are not C++ compatible, use *_TYPE versions instead. 14941 149421265. [bug] libbind: LINK_INIT and UNLINK were not compatible with 14943 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead. 14944 149451264. [placeholder] 14946 149471263. [bug] Reference after free error if dns_dispatchmgr_create() 14948 failed. 14949 149501262. [bug] ns_server_destroy() failed to set *serverp to NULL. 14951 149521261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide 14953 support for compressed TSIG owner names. 14954 149551260. [func] libbind: res_update can now update IPv6 servers, 14956 new function res_findzonecut2(). 
14957 149581259. [bug] libbind: get_salen() IPv6 support was broken for OSs 14959 w/o sa_len. 14960 149611258. [bug] libbind: res_nametotype() and res_nametoclass() were 14962 broken. 14963 149641257. [bug] Failure to write pid-file should not be fatal on 14965 reload. [RT #2861] 14966 149671256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support. 14968 149691255. [bug] When verifying that an NXT proves nonexistence, check 14970 the rcode of the message and only do the matching NXT 14971 check. That is, for NXDOMAIN responses, check that 14972 the name is in the range between the NXT owner and 14973 next name, and for NOERROR NODATA responses, check 14974 that the type is not present in the NXT bitmap. 14975 149761254. [func] preferred-glue option from BIND 8.3. 14977 149781253. [bug] The dnssec system test failed to remove the correct 14979 files. 14980 149811252. [bug] Dig, host and nslookup were not checking the address 14982 the answer was coming from against the address it was 14983 sent to. [RT #2692] 14984 149851251. [port] win32: a make file contained absolute version specific 14986 references. 14987 149881250. [func] Nsupdate will report the address the update was 14989 sent to. 14990 149911249. [bug] Missing masters clause was not handled gracefully. 14992 [RT #2703] 14993 149941248. [bug] DESTDIR was not being propagated between makes. 14995 149961247. [bug] Don't reset the interface index for link/site local 14997 addresses. [RT #2576] 14998 149991246. [func] New functions isc_sockaddr_issitelocal(), 15000 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal() 15001 and isc_netaddr_islinklocal(). 15002 150031245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for 15004 accept(). 15005 150061244. [bug] Receiving a TCP message from a blackhole address would 15007 prevent further messages being received over that 15008 interface. 15009 150101243. [bug] It was possible to trigger a REQUIRE() in 15011 dns_message_findtype(). 
        [RT #2659]

1242. [bug] named-checkzone failed if a journal existed. [RT #2657]

1241. [bug] Drop received UDP messages with a zero source port
        as these are invariably forged. [RT #2621]

1240. [bug] It was possible to leak zone references by
        specifying an incorrect zone to rndc.

1239. [bug] Under certain circumstances named could continue to
        use a name after it had been freed triggering
        INSIST() failures. [RT #2614]

1238. [bug] It is possible to lock up the server when shutting down
        if notifies were being processed. [RT #2591]

1237. [bug] nslookup: "set q=type" failed.

1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
        NULL terminated text regions. [RT #2588]

1235. [func] Report 'out of memory' errors from openssl.

1234. [bug] contrib/sdb: 'zonetodb' failed to call
        dns_result_register(). DNS_R_SEENINCLUDE should not
        be fatal.

1233. [bug] The flags field of a KEY record can be expressed in
        hex as well as decimal.

1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.

1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.

1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.

1229. [bug] named would crash if it received a TSIG signed
        query as part of an AXFR response. [RT #2570]

1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]

1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
        if a number was expected and some other token was
        found. [RT #2532]

1226. [func] Use EDNS for zone refresh queries. [RT #2551]

1225. [func] dns_message_setopt() no longer requires
        dns_message_renderbegin() to have been called.

1224. [bug] 'rrset-order' and 'sortlist' should be additive
        not exclusive.

1223. [func] 'rrset-order' partially works: 'cyclic' and 'random'
        are supported.

1222. [bug] Specifying 'port *' did not always result in a system
        selected (non-reserved) port being used. [RT #2537]

1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
        compared case insensitively. [RT #2542]

1220. [func] Support for APL rdata type.

1219. [func] Named now reports the TSIG extended error code when
        signature verification fails. [RT #1651]

1218. [bug] Named incorrectly returned SERVFAIL rather than
        NOTAUTH when there was a TSIG BADTIME error. [RT #2519]

1217. [func] Report locations of previous key definition when a
        duplicate is detected.

1216. [bug] Multiple server clauses for the same server were not
        reported. [RT #2514]

1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1

1214. [bug] Win32: isc_file_renameunique() could leave zero length
        files behind.

1213. [func] Report view associated with client if it is not a
        standard view (_default or _bind).

1212. [port] libbind: 64k answer buffers were causing stack space
        to be exceeded for certain OS. Use heap space instead.

1211. [bug] dns_name_fromtext() incorrectly handled certain
        valid octal bitlabels. [RT #2483]

1210. [bug] libbind: getnameinfo() failed to look up IPv4 mapped /
        compatible addresses. [RT #2461]

1209. [bug] Dig, host, nslookup were not checking the message ids
        on the responses. [RT #2454]

1208. [bug] dns_master_load*() failed to log an error message if
        an error was detected when parsing the owner name of
        a record. [RT #2448]

1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
        an invalid pointer.

1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
        trigger a non-EDNS retry.

1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
        of the message. [RT #2449]

1204. [bug] libbind: res_nupdate() failed to update the name
        server addresses before sending the update.

1203. [func] Report locations of previous acl and zone definitions
        when a duplicate is detected.

1202. [func] New functions: cfg_obj_line() and cfg_obj_file().

1201. [bug] Require that if 'callbacks' is passed to
        dns_rdata_fromtext(), callbacks->error and
        callbacks->warn are initialized.

1200. [bug] Log 'errno' that we are unable to convert to
        isc_result_t. [RT #2404]

1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
        [RT #2436]

1198. [bug] OPT printing style was not consistent with the way the
        header fields are printed. The DO bit was not reported
        if set. Report if any of the MBZ bits are set.

1197. [bug] Attempts to define the same acl multiple times were not
        detected.

1196. [contrib] update mdnkit to 2.2.3.

1195. [bug] Attempts to redefine builtin acls should be caught.
        [RT #2403]

1194. [bug] Not all duplicate zone definitions were being detected
        at the named.conf checking stage. [RT #2431]

1193. [bug] dig +besteffort parsing didn't handle packet
        truncation. dns_message_parse() has new flag
        DNS_MESSAGE_IGNORETRUNCATION.

1192. [bug] The seconds fields in LOC records were restricted
        to three decimal places. More decimal places should
        be allowed but warned about.

1191. [bug] A dynamic update removing the last non-apex name in
        a secure zone would fail. [RT #2399]

1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
        [RT #2394]

1189. [bug] On some systems, malloc(0) returns NULL, which
        could cause the caller to report an out of memory
        error.
        [RT #2398]

1188. [bug] Dynamic updates of a signed zone would fail if
        some of the zone private keys were unavailable.

1187. [bug] named was incorrectly returning DNSSEC records
        in negative responses when the DO bit was not set.

1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
        EOL token when reading to end of line.

1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
        unless RES_INIT is set when calling res_*init().

1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
        when res_*init() is called.

1183. [bug] Handle ENOSR error when writing to the internal
        control pipe. [RT #2395]

1182. [bug] The server could throw an assertion failure when
        constructing a negative response packet.

1181. [func] Add the "key-directory" configuration statement,
        which allows the server to look for online signing
        keys in alternate directories.

1180. [func] dnssec-keygen should always generate keys with
        protocol 3 (DNSSEC), since it's less confusing
        that way.

1179. [func] Add SIG(0) support to nsupdate.

1178. [bug] Follow and cache (if appropriate) A6 and other
        data chains to completion in the additional section.

1177. [func] Report view when loading zones if it is not a
        standard view (_default or _bind). [RT #2270]

1176. [doc] Document that allow-v6-synthesis is only performed
        for clients that are supplied recursive service.
        [RT #2260]

1175. [bug] named-checkzone and named-checkconf failed to call
        dns_result_register() at startup which could
        result in runtime exceptions when printing
        "out of memory" errors. [RT #2335]

1174. [bug] Win32: add WSAECONNRESET to the expected errors
        from connect(). [RT #2308]

1173. [bug] Potential memory leaks in isc_log_create() and
        isc_log_settag(). [RT #2336]

1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
        table of RR types in ARM.

1171. [func] Added function isc_region_compare(), updated files in
        lib/dns to use this function instead of local one.

1170. [bug] Don't attempt to print the token when an I/O error
        occurs when parsing named.conf. [RT #2275]

1169. [func] Identify recursive queries in the query log.

1168. [bug] Empty also-notify clauses were not handled. [RT #2309]

1167. [contrib] nslint-2.1a3 (from author).

1166. [bug] "Not Implemented" should be reported as NOTIMP,
        not NOTIMPL. [RT #2281]

1165. [bug] We were rejecting notify-source{-v6} in zone clauses.

1164. [bug] Empty masters clauses in slave / stub zones were not
        handled gracefully. [RT #2262]

1163. [func] isc_time_formattimestamp() now includes the year.

1162. [bug] The allow-notify option was not accepted in slave
        zone statements.

1161. [bug] named-checkzone looped on unbalanced brackets.
        [RT #2248]

1160. [bug] Generating Diffie-Hellman keys longer than 1024
        bits could fail. [RT #2241]

1159. [bug] MD and MF are not permitted to be loaded by RFC1123.

1158. [func] Report the client's address when logging notify
        messages.

1157. [func] match-clients and match-destinations now accept
        keys. [RT #2045]

1156. [port] The configure test for strsep() incorrectly
        succeeded on certain patched versions of
        AIX 4.3.3. [RT #2190]

1155. [func] Recover from master files being removed from under
        us.

1154. [bug] Don't attempt to obtain the netmask of an interface
        if there is no address configured. [RT #2176]

1153. [func] 'rndc {stop|halt} -p' now reports the process id
        of the instance of named being shut down.

1152. [bug] libbind: read buffer overflows.

1151. [bug] nslookup failed to check that the arguments to
        the port, timeout, and retry options were
        valid integers and in range. [RT #2099]

1150. [bug] named incorrectly accepted TTL values
        containing plus or minus signs, such as
        1d+1h-1s.

1149. [func] New function isc_parse_uint32().

1148. [func] 'rndc-confgen -a' now provides positive feedback.

1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
        the OS. listen-on-v6 { any; }; should no longer
        result in IPv4 queries being accepted. Similarly
        control { inet :: ... }; should no longer result
        in IPv4 connections being accepted. This can be
        overridden at compile time by defining
        ISC_ALLOW_MAPPED=1.

1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
        supported by the OS by a new function
        isc_socket_ipv6only().

1145. [func] "host" no longer reports a NOERROR/NODATA response
        by printing nothing. [RT #2065]

1144. [bug] rndc-confgen would crash if both the -a and -t
        options were specified. [RT #2159]

1143. [bug] When a trusted-keys statement was present and named
        was built without crypto support, it would leak memory.

1142. [bug] dnssec-signzone would fail to delete temporary files
        in some failure cases. [RT #2144]

1141. [bug] When named rejected a control message, it would
        leak a file descriptor and memory. It would also
        fail to respond, causing rndc to hang.
        [RT #2139, #2164]

1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
        to the -s option. [RT #2138]

1139. [func] It is now possible to flush a given name from the
        cache(s) via 'rndc flushname name [view]'.
        [RT #2051]

1138. [func] It is now possible to flush a given name from the
        cache by calling the new function
        dns_cache_flushname().

1137. [func] It is now possible to flush a given name from the
        ADB by calling the new function dns_adb_flushname().

1136. [bug] CNAME records synthesized from DNAMEs did not
        have a TTL of zero as required by RFC2672.
        [RT #2129]

1135. [func] You can now override the default syslog() facility for
        named/lwresd at compile time. [RT #1982]

1134. [bug] Multi-threaded servers could deadlock in ferror()
        when reloading zone files. [RT #1951, #1998]

1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
        platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]

1132. [func] Improve UPDATE prerequisite failure diagnostic messages.

1131. [bug] The match-destinations view option did not work with
        IPv6 destinations. [RT #2073, #2074]

1130. [bug] Log messages reporting an out-of-range serial number
        did not include the out-of-range number but the
        following token. [RT #2076]

1129. [bug] Multi-threaded servers could crash under heavy
        resolution load due to a race condition. [RT #2018]

1128. [func] sdb drivers can now provide RR data in either text
        or wire format, the latter using the new functions
        dns_sdb_putrdata() and dns_sdb_putnamedrdata().

1127. [func] rndc: If the server to contact has multiple addresses,
        try all of them.

1126. [bug] The server could access a freed event if shut
        down while a client start event was pending
        delivery. [RT #2061]

1125. [bug] rndc: -k option was missing from usage message.
        [RT #2057]

1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
        are now documented. [RT #2052]

1123. [bug] dig +[no]fail did not match description.
        [RT #2052]

1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
        [RT #2046]

1121. [bug] The server could attempt to access a NULL zone
        table if shut down while resolving.
        [RT #1587, #2054]

1120. [bug] Errors in options were not fatal. [RT #2002]

1119. [func] Added support in Win32 for NTFS file/directory ACL's
        for access control.

1118. [bug] On multi-threaded servers, a race condition
        could cause an assertion failure in resolver.c
        during resolver shutdown. [RT #2029]

1117. [port] The configure check for in6addr_loopback incorrectly
        succeeded on AIX 4.3 when compiling with -O2
        because the test code was optimized away.
        [RT #2016]

1116. [bug] Setting transfers in a server clause, transfers-in,
        or transfers-per-ns to a value greater than
        2147483647 disabled transfers. [RT #2002]

1115. [func] Set maximum values for cleaning-interval,
        heartbeat-interval, interface-interval,
        max-transfer-idle-in, max-transfer-idle-out,
        max-transfer-time-in, max-transfer-time-out,
        statistics-interval of 28 days and
        sig-validity-interval of 3660 days. [RT #2002]

1114. [port] Ignore more accept() errors. [RT #2021]

1113. [bug] The allow-update-forwarding option was ignored
        when specified in a view. [RT #2014]

1112. [placeholder]

1111. [bug] Multi-threaded servers could deadlock processing
        recursive queries due to a locking hierarchy
        violation in adb.c. [RT #2017]

1110. [bug] dig should only accept valid abbreviations of +options.
        [RT #2003]

1109. [bug] nsupdate accepted illegal ttl values.

1108. [bug] On Win32, rndc was hanging when named was not running
        due to failure to select for exceptional conditions
        in select(). [RT #1870]

1107. [bug] nsupdate could catch an assertion failure if an
        invalid domain name was given as the argument to
        the "zone" command.

1106. [bug] After seeing an out of range TTL, nsupdate would
        treat all TTLs as out of range. [RT #2001]

1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]

1104. [bug] Invalid arguments to the transfer-format option
        could cause an assertion failure. [RT #1995]

1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]

1102. [doc] Note that query logging is enabled by directing the
        queries category to a channel.

1101. [bug] Array bounds read error in lwres_gai_strerror.

1100. [bug] libbind: DNSSEC key ids were computed incorrectly.

1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
        compile time errors.

1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.

1097. [func] libbind: RES_PRF_TRUNC for dig.

1096. [func] libbind: "DNSSEC OK" (DO) support.

1095. [func] libbind: resolver option: no-tld-query. disables
        trying unqualified as a tld. no_tld_query is also
        supported for FreeBSD compatibility.

1094. [func] libbind: add support for gcc's format string checking.

1093. [doc] libbind: miscellaneous nroff fixes.

1092. [bug] libbind: get*by*() failed to check if res_init() had
        been called.

1091. [bug] libbind: misplaced va_end().

1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
        the amount of memory consumed resulting in garbage
        address being returned. Alignment calculations were
        wasting space. We weren't suppressing duplicate
        addresses.

1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
        support.

1088. [port] libbind: MPE/iX C.70 (incomplete)

1087. [bug] libbind: struct __res_state too large on 64 bit arch.

1086. [port] libbind: sunos: old sprintf.

1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
        exist when compiling in 64 bit mode.

1084. [cleanup] libbind: gai_strerror() rewritten.

1083. [bug] The default control channel listened on the
        wildcard address, not the loopback as documented.
        [RT #1975]

1082. [bug] The -g option to named incorrectly caused logging
        to be sent to syslog in addition to stderr.
        [RT #1974]

1081. [bug] Multicast queries were incorrectly identified
        based on the source address, not the destination
        address.

1080. [bug] BIND 8 compatibility: accept bare IP prefixes
        as the second element of a two-element top level
        sort list statement. [RT #1964]

1079. [bug] BIND 8 compatibility: accept bare elements at top
        level of sort list treating them as if they were
        a single element list. [RT #1963]

1078. [bug] We failed to correct bad tv_usec values in one case.
        [RT #1966]

1077. [func] Do not accept further recursive clients when
        the total number of recursive lookups being
        processed exceeds max-recursive-clients, even
        if some of the lookups are internally generated.
        [RT #1915, #1938]

1076. [bug] A badly defined global key could trigger an assertion
        on load/reload if views were used. [RT #1947]

1075. [bug] Out-of-range network prefix lengths were not
        reported. [RT #1954]

1074. [bug] Running out of memory in dump_rdataset() could
        cause an assertion failure. [RT #1946]

1073. [bug] The ADB cache cleaning should also be space driven.
        [RT #1915, #1938]

1072. [bug] The TCP client quota could be exceeded when
        recursion occurred. [RT #1937]

1071. [bug] Sockets listening for TCP DNS connections
        specified an excessive listen backlog. [RT #1937]

1070. [bug] Copy DNSSEC OK (DO) to response as specified by
        draft-ietf-dnsext-dnssec-okbit-03.txt.

1069. [placeholder]

1068. [bug] errno could be overwritten by catgets(). [RT #1921]

1067. [func] Allow quotas to be soft, isc_quota_soft().

1066. [bug] Provide a thread safe wrapper for strerror().
        [RT #1689]

1065. [func] Runtime support to select new / old style interface
        scanning using ioctls.

1064. [bug] Do not shut down active network interfaces if we
        are unable to scan the interface list. [RT #1921]

1063. [bug] libbind: "make install" was failing on IRIX.
        [RT #1919]

1062. [bug] If the control channel listener socket was shut
        down before server exit, the listener object could
        be freed twice. [RT #1916]

1061. [bug] If periodic cache cleaning happened to start
        while cleaning due to reaching the configured
        maximum cache size was in progress, the server
        could catch an assertion failure. [RT #1912]

1060. [func] Move refresh, stub and notify UDP retry processing
        into dns_request.

1059. [func] dns_request will now retry UDP queries,
        dns_request_createvia2() and dns_request_createraw2().

1058. [func] Limited lifetime ticker timers are now available,
        isc_timertype_limited.

1057. [bug] Reloading the server after adding a "file" clause
        to a zone statement could cause the server to
        crash due to a typo in change 1016.

1056. [bug] Rndc could catch an assertion failure on SIGINT due
        to an uninitialized variable. [RT #1908]

1055. [func] Version and hostname queries can now be disabled
        using "version none;" and "hostname none;",
        respectively.

1054. [bug] On Win32, cfg_categories and cfg_modules need to be
        exported from the libisccfg DLL.

1053. [bug] Dig did not increase its timeout when receiving
        AXFRs unless the +time option was used. [RT #1904]

1052. [bug] Journals were not being created in binary mode
        resulting in "journal format not recognized" error
        under Win32. [RT #1889]

1051. [bug] Do not ignore a network interface completely just
        because it has a noncontiguous netmask. Instead,
        omit it from the localnets ACL and issue a warning.
        [RT #1891]

1050. [bug] Log messages reporting malformed IP addresses in
        address lists such as that of the forwarders option
        failed to include the correct error code, file
        name, and line number. [RT #1890]

1049. [func] "pid-file none;" will disable writing a pid file.
        [RT #1848]

1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
        didn't work.

1047. [bug] named was incorrectly refusing all requests signed
        with a TSIG key derived from an unsigned TKEY
        negotiation with a NOERROR response. [RT #1886]

1046. [bug] The help message for the --with-openssl configure
        option was inaccurate. [RT #1880]

1045. [bug] It was possible to skip saving glue for a nameserver
        for a stub zone.

1044. [bug] Specifying allow-transfer, notify-source, or
        notify-source-v6 in a stub zone was not treated
        as an error.

1043. [bug] Specifying a transfer-source or transfer-source-v6
        option in the zone statement for a master zone was
        not treated as an error. [RT #1876]

1042. [bug] The "config" logging category did not work properly.
        [RT #1873]

1041. [bug] Dig/host/nslookup could catch an assertion failure
        on SIGINT due to an uninitialized variable. [RT #1867]

1040. [bug] Multiple listen-on-v6 options with different ports
        were not accepted. [RT #1875]

1039. [bug] Negative responses with CNAMEs in the answer section
        were cached incorrectly. [RT #1862]

1038. [bug] In servers configured with a tkey-domain option,
        TKEY queries with an owner name other than the root
        could cause an assertion failure. [RT #1866, #1869]

1037. [bug] Negative responses whose authority section contains
        SOA or NS records whose owner names are not
        equal to or parents of the query name should be
        rejected. [RT #1862]

1036. [func] Silently drop requests received via multicast as
        long as there is no final multicast DNS standard.

1035. [bug] If we respond to multicast queries (which we
        currently do not), respond from a unicast address
        as specified in RFC 1123. [RT #137]

1034. [bug] Ignore the RD bit on multicast queries as specified
        in RFC 1123. [RT #137]

1033. [bug] Always respond to requests with an unsupported opcode
        with NOTIMP, even if we don't have a matching view
        or cannot determine the class.

1032. [func] hostname.bind/txt/chaos now returns the name of
        the machine hosting the nameserver. This is useful
        in diagnosing problems with anycast servers.

1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
        [RT #1858]

1030. [bug] On systems with no resolv.conf file, nsupdate
        exited with an error rather than defaulting
        to using the loopback address. [RT #1836]

1029. [bug] Some named.conf errors did not cause the loading
        of the configuration file to return a failure
        status even though they were logged. [RT #1847]

1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
        in the wrong directory. [RT #1833]

1027. [bug] RRs having the reserved type 0 should be rejected.
        [RT #1471]

1026. [placeholder]

1025. [bug] Don't use multicast addresses to resolve iterative
        queries. [RT #101]

1024. [port] Compilation failed on HP-UX 11.11 due to
        incompatible use of the SIOCGLIFCONF macro
        name. [RT #1831]

1023. [func] Accept hints without TTLs.

1022. [bug] Don't report empty root hints as "extra data".
        [RT #1802]

1021. [bug] On Win32, log message timestamps were one month
        later than they should have been, and the server
        would exhibit unspecified behavior in December.

1020. [bug] IXFR log messages did not distinguish between
        true IXFRs, AXFR-style IXFRs, and mere version
        polls. [RT #1811]

1019. [bug] The value of the lame-ttl option was limited to 18000
        seconds, not 1800 seconds as documented. [RT #1803]

1018. [bug] The default log channel was not always initialized
        correctly. [RT #1813]

1017. [bug] When specifying TSIG keys to dig and nsupdate using
        the -k option, they must be HMAC-MD5 keys. [RT #1810]

1016. [bug] Slave zones with no backup file were re-transferred
        on every server reload.

1015. [bug] Log channels that had a "versions" option but no
        "size" option failed to create numbered log
        files. [RT #1783]

1014. [bug] Some queries would cause statistics counters to
        increment more than once or not at all. [RT #1321]

1013. [bug] It was possible to cancel a query twice when marking
        a server as bogus or by having a blackhole acl.
        [RT #1776]

1012. [bug] The -p option to named did not behave as documented.

1011. [cleanup] Removed isc_dir_current().

1010. [bug] The server could attempt to execute a command channel
        command after initiating server shutdown, causing
        an assertion failure. [RT #1766]

1009. [port] OpenUNIX 8 support.
        [RT #1728]

1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.

1007. [port] config.guess, config.sub from autoconf-2.52.

1006. [bug] If a KEY RR was found missing during DNSSEC validation,
        an assertion failure could subsequently be triggered
        in the resolver. [RT #1763]

1005. [bug] Don't copy nonzero RCODEs from request to response.
        [RT #1765]

1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]

1003. [func] Add the +retry option to dig.

1002. [bug] When reporting an unknown class name in named.conf,
        include the file name and line number. [RT #1759]

1001. [bug] win32 socket code doio_recv was not catching a
        WSACONNRESET error when a client was timing out
        the request and closing its socket. [RT #1745]

1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
        for class "HS". [RT #1759]

 999. [func] "rndc retransfer zone [class [view]]" added.
        [RT #1752]

 998. [func] named-checkzone now has arguments to specify the
        chroot directory (-t) and working directory (-w).
        [RT #1755]

 997. [func] Add support for RSA-SHA1 keys (RFC3110).

 996. [func] Issue warning if the configuration filename contains
        the chroot path.

 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
        target address should be fatal on an IPv4 only system.

 994. [func] Treat non-authoritative responses to queries for type
        NS as referrals even if the NS records are in the
        answer section, because BIND 8 servers incorrectly
        send them that way. This is necessary for DNSSEC
        validation of the NS records of a secure zone to
        succeed when the parent is a BIND 8 server. [RT #1706]

 993. [func] dig: -v now reports the version.

 992. [doc] dig: ~/.digrc is now documented.

 991. [func] Lower UDP refresh timeout messages to level
        debug 1.

 990. [bug] The rndc-confgen man page was not installed.

 989. [bug] Report filename if $INCLUDE fails for file related
        errors. [RT #1736]

 988. [bug] 'additional-from-auth no;' did not work reliably
        in the case of queries answered from the cache.
        [RT #1436]

 987. [bug] "dig -help" didn't show "+[no]stats".

 986. [bug] "dig +noall" failed to clear stats and command
        printing.

 985. [func] Consider network interfaces to be up iff they have
        a nonzero IP address rather than based on the
        IFF_UP flag. [RT #1160]

 984. [bug] Multi-threading should be enabled by default on
        Solaris 2.7 and newer, but it wasn't.

 983. [func] The server now supports generating IXFR difference
        sequences for non-dynamic zones by comparing zone
        versions, when enabled using the new config
        option "ixfr-from-differences". [RT #1727]

 982. [func] If "memstatistics-file" is set in options the memory
        statistics will be written to it.

 981. [func] The dnssec tools can now take multiple '-r randomfile'
        arguments.

 980. [bug] Incoming zone transfers restarting after an error
        could trigger an assertion failure. [RT #1692]

 979. [func] Incremental master file dumping. dns_master_dumpinc(),
        dns_master_dumptostreaminc(), dns_dumpctx_attach(),
        dns_dumpctx_detach(), dns_dumpctx_cancel(),
        dns_dumpctx_db() and dns_dumpctx_version().

 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
        condition.

 977. [bug] Improve "not at top of zone" error message.

 976. [func] named-checkconf can now test load master zones
        (named-checkconf -z). [RT #1468]

 975. [bug] "max-cache-size default;" as a view option
        caused an assertion failure.

 974. [bug] "max-cache-size unlimited;" as a global option
        was not accepted.

 973. [bug] Failed to log the question name when logging:
        "bad zone transfer request: non-authoritative zone
        (NOTAUTH)".

 972. [bug] The file modification time code in zone.c was using the
        wrong epoch. [RT #1667]

 971. [placeholder]

 970. [func] 'max-journal-size' can now be used to set a target
        size for a journal.

 969. [func] dig now supports the undocumented dig 8 feature
        of allowing arbitrary labels, not just dotted
        decimal quads, with the -x option. This can be
        used to conveniently look up RFC2317 names as in
        "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]

 968. [bug] On win32, the isc_time_now() function was unnecessarily
        calling strtime(). [RT #1671]

 967. [bug] On win32, the link for bindevt was not including the
        required resource file to enable the event viewer
        to interpret the error messages in the event log.
        [RT #1668]

 966. [placeholder]

 965. [bug] Including data other than root server NS and A
        records in the root hint file could cause a rbtdb
        node reference leak. [RT #1581, #1618]

 964. [func] Warn if data other than root server NS and A records
        are found in the root hint file. [RT #1581, #1618]

 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]

 962. [bug] libbind: bad "#undef", don't attempt to install
        non-existent nlist.h. [RT #1640]

 961. [bug] Tried to use an IPV6 feature when ISC_PLATFORM_HAVEIPV6
        was not defined. [RT #1482]

 960. [port] liblwres failed to build on systems with support for
        getrrsetbyname() in the OS. [RT #1592]

 959. [port] On FreeBSD, determine the number of CPUs by calling
        sysctlbyname(). [RT #1584]

 958. [port] ssize_t is not available on all platforms.
        [RT #1607]

 957. [bug] sys/select.h inclusion was broken on older platforms.
        [RT #1607]

 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
        in named/win32/os.c due to code changes in
        change #953. win32 .make file for rndc-confgen
        updated to add include path for os.h header.

        --- 9.2.0rc1 released ---

 955. [bug] When using views, the zone's class was not being
        inherited from the view's class. [RT #1583]

 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
        nslookup, the RD bit should not be set as zone
        transfers are inherently non-recursive. [RT #1575]

 953. [func] The /var/run/named.key file from change #843
        has been replaced by /etc/rndc.key. Both
        named and rndc will look for this file and use
        it to configure a default control channel key
        if not already configured using a different
        method (rndc.conf / controls). Unlike
        named.key, rndc.key is not created automatically;
        it must be created by manually running
        "rndc-confgen -a".

 952. [bug] The server required manual intervention to serve the
        affected zones if it died between creating a journal
        and committing the first change to it.

 951. [bug] CFLAGS was not passed to the linker when
        linking some of the test programs under
        bin/tests. [RT #1555].

 950. [bug] Explicit TTLs did not properly override $TTL
        due to a bug in change 834. [RT #1558]

 949. [bug] host was unable to print records larger than 512
        bytes. [RT #1557]

        --- 9.2.0b2 released ---

 948. [port] Integrated support for building on Windows NT /
        Windows 2000.

 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
        was really the RNAME field from RFC1035.
        To avoid confusion and silent errors that would occur if the
        "origin" and "mname" elements were given their correct
        names "mname" and "rname" respectively, the "mname"
        element is renamed to "contact".

946. [cleanup] doc/misc/options is now machine-generated from the
        configuration parser syntax tables, and therefore
        more likely to be correct.

945. [func] Add the new view-specific options
        "match-destinations" and "match-recursive-only".

944. [func] Check for expired signatures on load.

943. [bug] The server could crash when receiving a command
        via rndc if the configuration file listed only
        nonexistent keys in the controls statement. [RT #1530]

942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
        defined on some platforms.

941. [bug] The configuration checker crashed if a slave
        zone didn't contain a masters statement. [RT #1514]

940. [bug] Double zone locking failure on error path. [RT #1510]

--- 9.2.0b1 released ---

939. [port] Add the --disable-linux-caps option to configure for
        systems that manage capabilities outside of named.
        [RT #1503]

938. [placeholder]

937. [bug] A race when shutting down a zone could trigger an
        INSIST() failure. [RT #1034]

936. [func] Warn about IPv4 addresses that are not complete
        dotted quads. [RT #1084]

935. [bug] inet_pton failed to reject leading zeros.

934. [port] Deal with systems where accept() spuriously returns
        ECONNRESET.

933. [bug] configure failed doing libbind on platforms not
        supported by BIND 8. [RT #1496]

--- 9.2.0a3 released ---

932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
        when installing isc-config.sh.
        [RT #198, #1466]

931.
[bug] The controls statement only attempted to verify
        messages using the first key in the key list.
        (9.2.0a1/a2 only).

930. [func] Query performance testing tool added as
        contrib/queryperf.

929. [placeholder]

928. [bug] nsupdate would send empty update packets if the
        send (or empty line) command was run after
        another send but before any new updates or
        prerequisites were specified. It should simply
        ignore this command.

927. [bug] Don't hold the zone lock for the entire dump to disk.
        [RT #1423]

926. [bug] The resolver could deadlock with the ADB when
        shutting down (multi-threaded builds only).
        [RT #1324]

925. [cleanup] Remove openssl from the distribution; require that
        --with-openssl be specified if DNSSEC is needed.

924. [port] Extend support for pre-RFC2133 IPv6 implementation.
        [RT #987]

923. [bug] Multiline TSIG secrets (and other multiline strings)
        were not accepted in named.conf. [RT #1469]

922. [func] Added two new lwres_getrrsetbyname() result codes,
        ERR_NONAME and ERR_NODATA.

921. [bug] lwres returned an incorrect error code if it received
        a truncated message.

920. [func] Increase the lwres receive buffer size to 16K.
        [RT #1451]

919. [placeholder]

918. [func] In nsupdate, TSIG errors are no longer treated as
        fatal errors.

917. [func] New nsupdate command 'key', allowing TSIG keys to
        be specified in the nsupdate command stream rather
        than the command line.

916. [bug] Specifying type ixfr to dig without specifying
        a serial number failed in unexpected ways.

915. [func] The named-checkconf and named-checkzone programs
        now have a '-v' option for printing their version.
        [RT #1151]

914.
[bug] Global 'server' statements were rejected when
        using views, even though they were accepted
        in 9.1. [RT #1368]

913. [bug] Cache cleaning was not sufficiently aggressive.
        [RT #1441, #1444]

912. [bug] Attempts to set the 'additional-from-cache' or
        'additional-from-auth' option to 'no' in a
        server with recursion enabled will now
        be ignored and cause a warning message.
        [RT #1145]

911. [placeholder]

910. [port] Some pre-RFC2133 IPv6 implementations do not define
        IN6ADDR_ANY_INIT. [RT #1416]

909. [placeholder]

908. [func] New program, rndc-confgen, to simplify setting up rndc.

907. [func] The ability to get entropy from either the
        random device, a user-provided file or from
        the keyboard was migrated from the DNSSEC tools
        to libisc as isc_entropy_usebestsource().

906. [port] Separated the system independent portion of
        lib/isc/unix/entropy.c into lib/isc/entropy.c
        and added lib/isc/win32/entropy.c.

905. [bug] Configuring a forward "zone" for the root domain
        did not work. [RT #1418]

904. [bug] The server would leak memory if attempting to use
        an expired TSIG key. [RT #1406]

903. [bug] dig should not crash when receiving a TCP packet
        of length 0.

902. [bug] The -d option was ignored if both -t and -g were also
        specified.

901. [placeholder]

900. [bug] A config.guess update changed the system identification
        string of FreeBSD systems; configure and
        bin/tests/system/ifconfig.sh now recognize the new
        string.

--- 9.2.0a2 released ---

899. [bug] lib/dns/soa.c failed to compile on many platforms
        due to inappropriate use of a void value.
        [RT #1372, #1373, #1386, #1387, #1395]

898.
[bug] "dig" failed to set a nonzero exit status
        on UDP query timeout. [RT #1323]

897. [bug] A config.guess update changed the system identification
        string of UnixWare systems; configure now recognizes
        the new string.

896. [bug] If a configuration file is set on named's command line
        and it has a relative pathname, the current directory
        (after any possible jailing resulting from named -t)
        will be prepended to it so that reloading works
        properly even when a directory option is present.

895. [func] New function, isc_dir_current(), akin to POSIX's
        getcwd().

894. [bug] When using the DNSSEC tools, a message intended to warn
        when the keyboard was being used because of the lack
        of a suitable random device was not being printed.

893. [func] Removed isc_file_test() and added isc_file_exists()
        for the basic functionality that was being added
        with isc_file_test().

892. [placeholder]

891. [bug] Return an error when a SIG(0) signed response to
        an unsigned query is seen. This should actually
        do the verification, but it's not currently
        possible. [RT #1391]

890. [cleanup] The man pages no longer require the mandoc macros
        and should now format cleanly using most versions of
        nroff, and HTML versions of the man pages have been
        added. Both are generated from DocBook source.

889. [port] Eliminated blank lines before .TH in nroff man
        pages since they cause problems with some versions
        of nroff. [RT #1390]

888. [bug] Don't die when using TKEY to delete a nonexistent
        TSIG key. [RT #1392]

887. [port] Detect broken compilers that can't call static
        functions from inline functions. [RT #1212]

886. [placeholder]

885. [placeholder]

884. [placeholder]

883. [placeholder]

882.
[placeholder]

881. [placeholder]

880. [placeholder]

879. [placeholder]

878. [placeholder]

877. [placeholder]

876. [placeholder]

875. [placeholder]

874. [placeholder]

873. [placeholder]

872. [placeholder]

871. [placeholder]

870. [placeholder]

869. [placeholder]

868. [placeholder]

867. [placeholder]

866. [func] Close debug only file channels when debug is set to
        zero. [RT #1246]

865. [bug] The new configuration parser did not allow
        the optional debug level in a "severity debug"
        clause of a logging channel to be omitted.
        This is now allowed and treated as "severity
        debug 1;" like it does in BIND 8.2.4, not as
        "severity debug 0;" like it did in BIND 9.1.
        [RT #1367]

864. [cleanup] Multi-threading is now enabled by default on
        OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.

863. [bug] If an error occurred while an outgoing zone transfer
        was starting up, the server could access a domain
        name that had already been freed when logging a
        message saying that the transfer was starting.
        [RT #1383]

862. [bug] Use after realloc(), non portable pointer arithmetic in
        grmerge().

861. [port] Add support for Mac OS X, by making it equivalent
        to Darwin. This was derived from the config.guess
        file shipped with Mac OS X. [RT #1355]

860. [func] Drop cross class glue in zone transfers.

859. [bug] Cache cleaning now won't swamp the CPU if there
        is a persistent over limit condition.

858. [func] isc_mem_setwater() no longer requires that when the
        callback function is non-NULL then its hi_water
        argument must be greater than its lo_water argument
        (they can now be equal) or that they be non-zero.

857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
        structs, for our friends in EBCDIC-land.

856. [func] Allow partial rdatasets to be returned in answer and
        authority sections to help non-TCP capable clients
        recover from truncation. [RT #1301]

855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.

854. [bug] The config parser didn't properly handle config
        options that were specified in units of time other
        than seconds. [RT #1372]

853. [bug] configure_view_acl() failed to detach existing acls.
        [RT #1374]

852. [bug] Handle responses from servers which do not know
        about IXFR.

851. [cleanup] The obsolete support-ixfr option was not properly
        ignored.

--- 9.2.0a1 released ---

850. [bug] dns_rbt_findnode() would not find nodes that were
        split on a bitstring label somewhere other than in
        the last label of the node. [RT #1351]

849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.

848. [func] A minimum max-cache-size of two megabytes is enforced
        by the cache cleaner.

847. [func] Added isc_file_test(), which currently only has
        some very basic functionality to test for the
        existence of a file, whether a pathname is absolute,
        or whether a pathname is the fundamental representation
        of the current directory. It is intended that this
        function can be expanded to test other things a
        programmer might want to know about a file.

846. [func] A non-zero 'param' to dst_key_generate() when making an
        hmac-md5 key means that good entropy is not required.

845. [bug] The access rights on the public file of a symmetric
        key are now restricted as soon as the file is opened,
        rather than after it has been written and closed.

844.
[func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
        just as <lwres/net.h> does.

843. [func] If no controls statement is present in named.conf,
        or if any inet phrase of a controls statement is
        lacking a keys clause, then a key will be automatically
        generated by named and an rndc.conf-style file
        named named.key will be written that uses it. rndc
        will use this file only if its normal configuration
        file, or one provided on the command line, does not
        exist.

842. [func] 'rndc flush' now takes an optional view.

841. [bug] When sdb modules were not declared threadsafe, their
        create and destroy functions were not serialized.

840. [bug] The config file parser could print the wrong file
        name if an error was detected after an included file
        was parsed. [RT #1353]

839. [func] Dump packets for which there was no view or that the
        class could not be determined to category "unmatched".

838. [port] UnixWare 7.x.x is now supported by
        bin/tests/system/ifconfig.sh.

837. [cleanup] Multi-threading is now enabled by default only on
        OSF1, Solaris 2.7 and newer, and AIX.

836. [func] Upgraded libtool to 1.4.

835. [bug] The dispatcher could enter a busy loop if
        it got an I/O error receiving on a UDP socket.
        [RT #1293]

834. [func] Accept (but warn about) master files beginning with
        an SOA record without an explicit TTL field and
        lacking a $TTL directive, by using the SOA MINTTL
        as a default TTL. This is for backwards compatibility
        with old versions of BIND 8, which accepted such
        files without warning although they are illegal
        according to RFC1035.

833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
        <dns/soa.h>, and extended them to support
        all the integer-valued fields of the SOA RR.

832.
[bug] The default location for named.conf in named-checkconf
        should depend on --sysconfdir like it does in named.
        [RT #1258]

831. [placeholder]

830. [func] Implement 'rndc status'.

829. [bug] The DNS_R_ZONECUT result code should only be returned
        when an ANY query is made with DNS_DBFIND_GLUEOK set.
        In all other ANY query cases, returning the delegation
        is better.

828. [bug] The errno value from recvfrom() could be overwritten
        by logging code. [RT #1293]

827. [bug] When an IXFR protocol error occurs, the slave
        should retry with AXFR.

826. [bug] Some IXFR protocol errors were not detected.

825. [bug] zone.c:ns_query() detached from the wrong zone
        reference. [RT #1264]

824. [bug] Correct line numbers reported by dns_master_load().
        [RT #1263]

823. [func] The output of "dig -h" now goes to stdout so that it
        can easily be piped through "more". [RT #1254]

822. [bug] Sending nxrrset prerequisites would crash nsupdate.
        [RT #1248]

821. [bug] The program name used when logging to syslog should
        be stripped of leading path components.
        [RT #1178, #1232]

820. [bug] Name server address lookups failed to follow
        A6 chains into the glue of local authoritative
        zones.

819. [bug] In certain cases, the resolver's attempts to
        restart an address lookup at the root could cause
        the fetch to deadlock (with itself) instead of
        restarting. [RT #1225]

818. [bug] Certain pathological responses to ANY queries could
        cause an assertion failure. [RT #1218]

817. [func] Adjust timeouts for dialup zone queries.

816. [bug] Report potential problems with log file accessibility
        at configuration time, since such problems can't
        reliably be reported at the time they actually occur.

815.
[bug] If a log file was specified with a path separator
        character (i.e. "/") in its name and the directory
        did not exist, the log file's name was treated as
        though it were the directory name. [RT #1189]

814. [bug] Socket objects left over from accept() failures
        were incorrectly destroyed, causing corruption
        of socket manager data structures.

813. [bug] File descriptors exceeding FD_SETSIZE were handled
        badly. [RT #1192]

812. [bug] dig sometimes printed incomplete IXFR responses
        due to an uninitialized variable. [RT #1188]

811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]

810. [bug] The signer name in SIG records was not properly
        down-cased when signing/verifying records. [RT #1186]

809. [bug] Configuring a non-local address as a transfer-source
        could cause an assertion failure during load.

808. [func] Add 'rndc flush' to flush the server's cache.

807. [bug] When setting up TCP connections for incoming zone
        transfers, the transfer-source port was not
        ignored like it should be.

806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
        the calling stack to the zone maintenance level,
        causing zones to not reload when an included file was
        touched but the top-level zone file was not.

805. [bug] When using "forward only", missing root hints should
        not cause queries to fail. [RT #1143]

804. [bug] Attempting to obtain entropy could fail in some
        situations. This would be most common on systems
        with user-space threads. [RT #1131]

803. [bug] Treat all SIG queries as if they have the CD bit set,
        otherwise no data will be returned [RT #749]

802. [bug] DNSSEC key tags were computed incorrectly in almost
        all cases. [RT #1146]

801.
[bug] nsupdate should treat lines beginning with ';' as
        comments. [RT #1139]

800. [bug] dnssec-signzone produced incorrect statistics for
        large zones. [RT #1133]

799. [bug] The ADB didn't find AAAA glue in a zone unless A6
        glue was also present.

798. [bug] nsupdate should be able to reject bad input lines
        and continue. [RT #1130]

797. [func] Issue a warning if the 'directory' option contains
        a relative path. [RT #269]

796. [func] When a size limit is associated with a log file,
        only roll it when the size is reached, not every
        time the log file is opened. [RT #1096]

795. [func] Add the +multiline option to dig. [RT #1095]

794. [func] Implement the "port" and "default-port" statements
        in rndc.conf.

793. [cleanup] The DNSSEC tools could create filenames that were
        illegal or contained shell meta-characters. They
        now use a different text encoding of names that
        doesn't have these problems. [RT #1101]

792. [cleanup] Replace the OMAPI command channel protocol with a
        simpler one.

791. [bug] The command channel now works over IPv6.

790. [bug] Wildcards created using dynamic update or IXFR
        could fail to match. [RT #1111]

789. [bug] The "localhost" and "localnets" ACLs did not match
        when used as the second element of a two-element
        sortlist item.

788. [func] Add the "match-mapped-addresses" option, which
        causes IPv6 v4mapped addresses to be treated as
        IPv4 addresses for the purpose of acl matching.

787. [bug] The DNSSEC tools failed to downcase domain
        names when mapping them into file names.

786. [bug] When DNSSEC signing/verifying data, owner names were
        not properly down-cased.

785. [bug] A race condition in the resolver could cause
        an assertion failure.
        [RT #673, #872, #1048]

784. [bug] nsupdate and other programs would not quit properly
        if some signals were blocked by the caller. [RT #1081]

783. [bug] Following CNAMEs could cause an assertion failure
        when either using an sdb database or under very
        rare conditions.

782. [func] Implement the "serial-query-rate" option.

781. [func] Avoid error packet loops by dropping duplicate FORMERR
        responses. [RT #1006]

780. [bug] Error handling code dealing with out of memory or
        other rare errors could lead to assertion failures
        by calling functions on uninitialized names. [RT #1065]

779. [func] Added the "minimal-responses" option.

778. [bug] When starting cache cleaning, cleaning_timer_action()
        returned without first pausing the iterator, which
        could cause deadlock. [RT #998]

777. [bug] An empty forwarders list in a zone failed to override
        global forwarders. [RT #995]

776. [func] Improved error reporting in denied messages. [RT #252]

775. [placeholder]

774. [func] max-cache-size is implemented.

773. [func] Added isc_rwlock_trylock() to attempt to lock without
        blocking.

772. [bug] Owner names could be incorrectly omitted from cache
        dumps in the presence of negative caching entries.
        [RT #991]

771. [cleanup] TSIG errors related to unsynchronized clocks
        are logged better. [RT #919]

770. [func] Add the "edns yes_or_no" statement to the server
        clause. [RT #524]

769. [func] Improved error reporting when parsing rdata. [RT #740]

768. [bug] The server did not emit an SOA when a CNAME
        or DNAME chain ended in NXDOMAIN in an
        authoritative zone.

767. [placeholder]

766. [bug] A few cases in query_find() could leak fname.
        This would trigger the mpctx->allocated == 0
        assertion when the server exited.
        [RT #739, #776, #798, #812, #818, #821, #845,
        #892, #935, #966]

765. [func] ACL names are once again case insensitive, like
        in BIND 8. [RT #252]

764. [func] Configuration files now allow "include" directives
        in more places, such as inside the "view" statement.
        [RT #377, #728, #860]

763. [func] Configuration files no longer have reserved words.
        [RT #731, #753]

762. [cleanup] The named.conf and rndc.conf file parsers have
        been completely rewritten.

761. [bug] _REENTRANT was still defined when building with
        --disable-threads.

760. [contrib] Significant enhancements to the pgsql sdb driver.

759. [bug] The resolver didn't turn off "avoid fetches" mode
        when restarting, possibly causing resolution
        to fail when it should not. This bug only affected
        platforms which support both IPv4 and IPv6. [RT #927]

758. [bug] The "avoid fetches" code did not treat negative
        cache entries correctly, causing fetches that would
        be useful to be avoided. This bug only affected
        platforms which support both IPv4 and IPv6. [RT #927]

757. [func] Log zone transfers.

756. [bug] dns_zone_load() could "return" success when no master
        file was configured.

755. [bug] Fix incorrectly formatted log messages in zone.c.

754. [bug] Certain failure conditions sending UDP packets
        could cause the server to retry the transmission
        indefinitely. [RT #902]

753. [bug] dig, host, and nslookup would fail to contact a
        remote server if getaddrinfo() returned an IPv6
        address on a system that doesn't support IPv6.
        [RT #917]

752. [func] Correct bad tv_usec elements returned by
        gettimeofday().

751.
[func] Log successful zone loads / transfers. [RT #898]

750. [bug] A query should not match a DNAME whose trust level
        is pending. [RT #916]

749. [bug] When a query matched a DNAME in a secure zone, the
        server did not return the signature of the DNAME.
        [RT #915]

748. [doc] List supported RFCs in doc/misc/rfc-compliance.
        [RT #781]

747. [bug] The code to determine whether an IXFR was possible
        did not properly check for a database that could
        not have a journal. [RT #865, #908]

746. [bug] The sdb didn't clone rdatasets properly, causing
        a crash when the server followed delegations. [RT #905]

745. [func] Report the owner name of records that fail
        semantic checks while loading.

744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
        result of an ANY or SIG query, the resolver failed
        to setup the return event's rdatasets, causing an
        assertion failure in the query code. [RT #881]

743. [bug] Receiving a large number of certain malformed
        answers could cause named to stop responding.
        [RT #861]

742. [placeholder]

741. [port] Support openssl-engine. [RT #709]

740. [port] Handle openssl library mismatches slightly better.

739. [port] Look for /dev/random in configure, rather than
        assuming it will be there for only a predefined
        set of OSes.

738. [bug] If a non-threadsafe sdb driver supported AXFR and
        received an AXFR request, it would deadlock or die
        with an assertion failure. [RT #852]

737. [port] stdtime.c failed to compile on certain platforms.

736. [func] New functions isc_task_{begin,end}exclusive().

735. [doc] Add BIND 4 migration notes.

734. [bug] An attempt to re-lock the zone lock could occur if
        the server was shutdown during a zone transfer.
        [RT #830]

733. [bug] Reference counts of dns_acl_t objects need to be
        locked but were not. [RT #801, #821]

732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]

731. [bug] Certain zone errors could cause named-checkzone to
        fail ungracefully. [RT #819]

730. [bug] lwres_getaddrinfo() returns the correct result when
        it fails to contact a server. [RT #768]

729. [port] pthread_setconcurrency() needs to be called on Solaris.

728. [bug] Fix comment processing on master file directives.
        [RT #757]

727. [port] Work around OS bug where accept() succeeds but
        fails to fill in the peer address of the accepted
        connection, by treating it as an error rather than
        an assertion failure. [RT #809]

726. [func] Implement the "trace" and "notrace" commands in rndc.

725. [bug] Installing man pages could fail.

724. [func] New libisc functions isc_netaddr_any(),
        isc_netaddr_any6().

723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
        to return DNS_R_SERVFAIL. [RT #783]

722. [func] Allow incremental loads to be canceled.

721. [cleanup] Load manager and dns_master_loadfilequota() are no
        more.

720. [bug] Server could enter infinite loop in
        dispatch.c:do_cancel(). [RT #733]

719. [bug] Rapid reloads could trigger an assertion failure.
        [RT #743, #763]

718. [cleanup] "internal" is no longer a reserved word in named.conf.
        [RT #753, #731]

717. [bug] Certain TKEY processing failure modes could
        reference an uninitialized variable, causing the
        server to crash. [RT #750]

716. [bug] The first line of a $INCLUDE master file was lost if
        an origin was specified. [RT #744]

715. [bug] Resolving some A6 chains could cause an assertion
        failure in adb.c.
        [RT #738]

714. [bug] Preserve interval timers across reloads unless changed.
        [RT #729]

713. [func] named-checkconf takes '-t directory' similar to named.
        [RT #726]

712. [bug] Sending a large signed update message caused an
        assertion failure. [RT #718]

711. [bug] The libisc and liblwres implementations of
        inet_ntop contained an off by one error.

710. [func] The forwarders statement now takes an optional
        port. [RT #418]

709. [bug] ANY or SIG queries for data with a TTL of 0
        would return SERVFAIL. [RT #620]

708. [bug] When building with --with-openssl, the openssl headers
        included with BIND 9 should not be used. [RT #702]

707. [func] The "filename" argument to named-checkzone is no
        longer optional, to reduce confusion. [RT #612]

706. [bug] Zones with an explicit "allow-update { none; };"
        were considered dynamic and therefore not reloaded
        on SIGHUP or "rndc reload".

705. [port] Work out resource limit type for use where rlim_t is
        not available. [RT #695]

704. [port] RLIMIT_NOFILE is not available on all platforms.
        [RT #695]

703. [port] sys/select.h is needed on older platforms. [RT #695]

702. [func] If the address 0.0.0.0 is seen in resolv.conf,
        use 127.0.0.1 instead. [RT #693]

701. [func] Root hints are now fully optional. Class IN
        views use compiled-in hints by default, as
        before. Non-IN views with no root hints now
        provide authoritative service but not recursion.
        A warning is logged if a view has neither root
        hints nor authoritative data for the root. [RT #696]

700. [bug] $GENERATE range check was wrong. [RT #688]

699. [bug] The lexer mishandled empty quoted strings. [RT #694]

698. [bug] Aborting nsupdate with ^C would lead to several
        race conditions.

697. [bug] nsupdate was not compatible with the undocumented
        BIND 8 behavior of ignoring TTLs in "update delete"
        commands. [RT #693]

696. [bug] lwresd would die with an assertion failure when passed
        a zero-length name. [RT #692]

695. [bug] If the resolver attempted to query a blackholed or
        bogus server, the resolution would fail immediately.

694. [bug] $GENERATE did not produce the last entry.
        [RT #682, #683]

693. [bug] An empty lwres statement in named.conf caused
        the server to crash while loading.

692. [bug] Deal with systems that have getaddrinfo() but not
        gai_strerror(). [RT #679]

691. [bug] Configuring per-view forwarders caused an assertion
        failure. [RT #675, #734]

690. [func] $GENERATE now supports DNAME. [RT #654]

689. [doc] man pages are now installed. [RT #210]

688. [func] "make tags" now works on systems with the
        "Exuberant Ctags" etags.

687. [bug] Only say we have IPv6, with sufficient functionality,
        if it has actually been tested. [RT #586]

686. [bug] dig and nslookup can now be properly aborted during
        blocking operations. [RT #568]

685. [bug] nslookup should use the search list/domain options
        from resolv.conf by default. [RT #405, #630]

684. [bug] Memory leak with view forwarders. [RT #656]

683. [bug] File descriptor leak in isc_lex_openfile().

682. [bug] nslookup displayed SOA records incorrectly. [RT #665]

681. [bug] $GENERATE specifying output format was broken. [RT #653]

680. [bug] dns_rdata_fromstruct() mishandled options bigger
        than 255 octets.

679. [bug] $INCLUDE could leak memory and file descriptors on
        reload. [RT #639]

678. [bug] "transfer-format one-answer;" could trigger an assertion
        failure.
        [RT #646]

677. [bug] dnssec-signzone would occasionally use the wrong ttl
        for database operations and fail. [RT #643]

676. [bug] Log messages about lame servers to category
        'lame-servers' rather than 'resolver', so as not
        to be gratuitously incompatible with BIND 8.

675. [bug] TKEY queries could cause the server to leak
        memory.

674. [func] Allow messages to be TSIG signed / verified using
        an offset from the current time.

673. [func] The server can now convert RFC1886-style recursive
        lookup requests into RFC2874-style lookups, when
        enabled using the new option "allow-v6-synthesis".

672. [bug] The wrong time was in the "time signed" field when
        replying with BADTIME error.

671. [bug] The message code was failing to parse a message with
        no question section and a TSIG record. [RT #628]

670. [bug] The lwres replacements for getaddrinfo and
        getipnodebyname didn't properly check for the
        existence of the sockaddr sa_len field.

669. [bug] dnssec-keygen now makes the public key file
        non-world-readable for symmetric keys. [RT #403]

668. [func] named-checkzone now reports multiple errors in master
        files.

667. [bug] On Linux, running named with the -u option and a
        non-world-readable configuration file didn't work.
        [RT #626]

666. [bug] If a request sent by dig is longer than 512 bytes,
        use TCP.

665. [bug] Signed responses were not sent when the size of the
        TSIG + question exceeded the maximum message size.
        [RT #628]

664. [bug] The t_tasks and t_timers module tests are now skipped
        when building without threads, since they require
        threads.

663.
[func] Accept a size_spec, not just an integer, in the 16866 (unimplemented and ignored) max-ixfr-log-size option 16867 for compatibility with recent versions of BIND 8. 16868 [RT #613] 16869 16870 662. [bug] dns_rdata_fromtext() failed to log certain errors. 16871 16872 661. [bug] Certain UDP IXFR requests caused an assertion failure 16873 (mpctx->allocated == 0). [RT #355, #394, #623] 16874 16875 660. [port] Detect multiple CPUs on HP-UX and IRIX. 16876 16877 659. [performance] Rewrite the name compression code to be much faster. 16878 16879 658. [cleanup] Remove all vestiges of 16 bit global compression. 16880 16881 657. [bug] When a listen-on statement in an lwres block does not 16882 specify a port, use 921, not 53. Also update the 16883 listen-on documentation. [RT #616] 16884 16885 656. [func] Treat an unescaped newline in a quoted string as 16886 an error. This means that TXT records with missing 16887 close quotes should have meaningful errors printed. 16888 16889 655. [bug] Improve error reporting on unexpected eof when loading 16890 zones. [RT #611] 16891 16892 654. [bug] Origin was being forgotten in TCP retries in dig. 16893 [RT #574] 16894 16895 653. [bug] +defname option in dig was reversed in sense. 16896 [RT #549] 16897 16898 652. [bug] zone_saveunique() did not report the new name. 16899 16900 651. [func] The AD bit in responses now has the meaning 16901 specified in <draft-ietf-dnsext-ad-is-secure>. 16902 16903 650. [bug] SIG(0) records were being generated and verified 16904 incorrectly. [RT #606] 16905 16906 649. [bug] It was possible to join to an already running fctx 16907 after it had "cloned" its events, but before it sent 16908 them. In this case, the event of the newly joined 16909 fetch would not contain the answer, and would 16910 trigger the INSIST() in fctx_sendevents(). In 16911 BIND 9.0, this bug did not trigger an INSIST(), but 16912 caused the fetch to fail with a SERVFAIL result. 16913 [RT #588, #597, #605, #607] 16914 16915 648. 
[port] Add support for pre-RFC2133 IPv6 implementations. 16916 16917 647. [bug] Resolver queries sent after following multiple 16918 referrals had excessively long retransmission 16919 timeouts due to incorrectly counting the referrals 16920 as "restarts". 16921 16922 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h 16923 didn't _cleanly_ fix the problem it was trying to fix. 16924 16925 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603] 16926 16927 644. [bug] #622 needed more work. [RT #562] 16928 16929 643. [bug] xfrin error messages made more verbose, added class 16930 of the zone. [RT #599] 16931 16932 642. [bug] Break the exit_check() race in the zone module. 16933 [RT #598] 16934 16935 --- 9.1.0b2 released --- 16936 16937 641. [bug] $GENERATE caused a uninitialized link to be used. 16938 [RT #595] 16939 16940 640. [bug] Memory leak in error path could cause 16941 "mpctx->allocated == 0" failure. [RT #584] 16942 16943 639. [bug] Reading entropy from the keyboard would sometimes fail. 16944 [RT #591] 16945 16946 638. [port] lib/isc/random.c needed to explicitly include time.h 16947 to get a prototype for time() when pthreads was not 16948 being used. [RT #592] 16949 16950 637. [port] Use isc_u?int64_t instead of (unsigned) long long in 16951 lib/isc/print.c. Also allow lib/isc/print.c to 16952 be compiled even if the platform does not need it. 16953 [RT #592] 16954 16955 636. [port] Shut up MSVC++ about a possible loss of precision 16956 in the ISC__BUFFER_PUTUINT*() macros. [RT #592] 16957 16958 635. [bug] Reloading a server with a configured blackhole list 16959 would cause an assertion. [RT #590] 16960 16961 634. [bug] A log file will completely stop being written when 16962 it reaches the maximum size in all cases, not just 16963 when versioning is also enabled. [RT #570] 16964 16965 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575] 16966 16967 632. 
[bug] The index array of the journal file was 16968 corrupted as it was written to disk. 16969 16970 631. [port] Build without thread support on systems without 16971 pthreads. 16972 16973 630. [bug] Locking failure in zone code. [RT #582] 16974 16975 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed 16976 when responding to a UDP IXFR request. 16977 16978 628. [bug] If the root hints contained only AAAA addresses, 16979 named would be unable to perform resolution. 16980 16981 627. [bug] The EDNS0 blackhole detection code of change 324 16982 waited for three retransmissions to each server, 16983 which takes much too long when a domain has many 16984 name servers and all of them drop EDNS0 queries. 16985 Now we retry without EDNS0 after three consecutive 16986 timeouts, even if they are all from different 16987 servers. [RT #143] 16988 16989 626. [bug] The lightweight resolver daemon no longer crashes 16990 when asked for a SIG rrset. [RT #558] 16991 16992 625. [func] Zones now inherit their class from the enclosing view. 16993 16994 624. [bug] The zone object could get timer events after it had 16995 been destroyed, causing a server crash. [RT #571] 16996 16997 623. [func] Added "named-checkconf" and "named-checkzone" program 16998 for syntax checking named.conf files and zone files, 16999 respectively. 17000 17001 622. [bug] A canceled request could be destroyed before 17002 dns_request_destroy() was called. [RT #562] 17003 17004 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable. 17005 This mostly affects Red Hat Linux 7.0, which has 17006 conflicts between libc and the kernel. 17007 17008 620. [bug] dns_master_load*inc() now require 'task' and 'load' 17009 to be non-null. Also 'done' will not be called if 17010 dns_master_load*inc() fails immediately. [RT #565] 17011 17012 619. [placeholder] 17013 17014 618. [bug] Queries to a signed zone could sometimes cause 17015 an assertion failure. 17016 17017 617. 
[bug] When using dynamic update to add a new RR to an 17018 existing RRset with a different TTL, the journal 17019 entries generated from the update did not include 17020 explicit deletions and re-additions of the existing 17021 RRs to update their TTL to the new value. 17022 17023 616. [func] dnssec-signzone -t output now includes performance 17024 statistics. 17025 17026 615. [bug] dnssec-signzone did not like child keysets signed 17027 by multiple keys. 17028 17029 614. [bug] Checks for uninitialized link fields were prone 17030 to false positives, causing assertion failures. 17031 The checks are now disabled by default and may 17032 be re-enabled by defining ISC_LIST_CHECKINIT. 17033 17034 613. [bug] "rndc reload zone" now reloads primary zones. 17035 It previously only updated slave and stub zones, 17036 if an SOA query indicated an out of date serial. 17037 17038 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that 17039 complains relentlessly about how its treatment 17040 of 'const' has changed as well as how casting 17041 sometimes tightens alignment constraints. 17042 17043 611. [func] allow-notify can be used to permit processing of 17044 notify messages from hosts other than a slave's 17045 masters. 17046 17047 610. [func] rndc dumpdb is now supported. 17048 17049 609. [bug] getrrsetbyname() would crash lwresd if the server 17050 found more SIGs than answers. [RT #554] 17051 17052 608. [func] dnssec-signzone now adds a comment to the zone 17053 with the time the file was signed. 17054 17055 607. [bug] nsupdate would fail if it encountered a CNAME or 17056 DNAME in a response to an SOA query. [RT #515] 17057 17058 606. [bug] Compiling with --disable-threads failed due 17059 to isc_thread_self() being incorrectly defined 17060 as an integer rather than a function. 17061 17062 605. [func] New function isc_lex_getlasttokentext(). 17063 17064 604. [bug] The named.conf parser could print incorrect line 17065 numbers when long comments were present. 
17066 17067 603. [bug] Make dig handle multiple types or classes on the same 17068 query more correctly. 17069 17070 602. [func] Cope automatically with UnixWare's broken 17071 IN6_IS_ADDR_* macros. [RT #539] 17072 17073 601. [func] Return a non-zero exit code if an update fails 17074 in nsupdate. 17075 17076 600. [bug] Reverse lookups sometimes failed in dig, etc... 17077 17078 599. [func] Added four new functions to the libisc log API to 17079 support i18n messages. isc_log_iwrite(), 17080 isc_log_ivwrite(), isc_log_iwrite1() and 17081 isc_log_ivwrite1() were added. 17082 17083 598. [bug] An update-policy statement would cause the server 17084 to assert while loading. [RT #536] 17085 17086 597. [func] dnssec-signzone is now multi-threaded. 17087 17088 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are 17089 not mutually exclusive. 17090 17091 595. [port] On Linux 2.2, socket() returns EINVAL when it 17092 should return EAFNOSUPPORT. Work around this. 17093 [RT #531] 17094 17095 594. [func] sdb drivers are now assumed to not be thread-safe 17096 unless the DNS_SDBFLAG_THREADSAFE flag is supplied. 17097 17098 593. [bug] If a secure zone was missing all its NXTs and 17099 a dynamic update was attempted, the server entered 17100 an infinite loop. 17101 17102 592. [bug] The sig-validity-interval option now specifies a 17103 number of days, not seconds. This matches the 17104 documentation. [RT #529] 17105 17106 --- 9.1.0b1 released --- 17107 17108 591. [bug] Work around non-reentrancy in openssl by disabling 17109 pre-computation in keys. 17110 17111 590. [doc] There are now man pages for the lwres library in 17112 doc/man/lwres. 17113 17114 589. [bug] The server could deadlock if a zone was updated 17115 while being transferred out. 17116 17117 588. [bug] ctx->in_use was not being correctly initialized when 17118 when pushing a file for $INCLUDE. [RT #523] 17119 17120 587. 
[func] A warning is now printed if the "allow-update" 17121 option allows updates based on the source IP 17122 address, to alert users to the fact that this 17123 is insecure and becoming increasingly so as 17124 servers capable of update forwarding are being 17125 deployed. 17126 17127 586. [bug] multiple views with the same name were fatal. [RT #516] 17128 17129 585. [func] dns_db_addrdataset() and dns_rdataslab_merge() 17130 now support 'exact' additions in a similar manner to 17131 dns_db_subtractrdataset() and dns_rdataslab_subtract(). 17132 17133 584. [func] You can now say 'notify explicit'; to suppress 17134 notification of the servers listed in NS records 17135 and notify only those servers listed in the 17136 'also-notify' option. 17137 17138 583. [func] "rndc querylog" will now toggle logging of 17139 queries, like "ndc querylog" in BIND 8. 17140 17141 582. [bug] dns_zone_idetach() failed to lock the zone. 17142 [RT #199, #463] 17143 17144 581. [bug] log severity was not being correctly processed. 17145 [RT #485] 17146 17147 580. [func] Ignore trailing garbage on incoming DNS packets, 17148 for interoperability with broken server 17149 implementations. [RT #491] 17150 17151 579. [bug] nsupdate did not take a filename to read update from. 17152 [RT #492] 17153 17154 578. [func] New config option "notify-source", to specify the 17155 source address for notify messages. 17156 17157 577. [func] Log illegal RDATA combinations. e.g. multiple 17158 singleton types, cname and other data. 17159 17160 576. [doc] isc_log_create() description did not match reality. 17161 17162 575. [bug] isc_log_create() was not setting internal state 17163 correctly to reflect the default channels created. 17164 17165 574. [bug] TSIG signed queries sent by the resolver would fail to 17166 have their responses validated and would leak memory. 17167 17168 573. 
[bug] The journal files of IXFRed slave zones were 17169 inadvertently discarded on server reload, causing 17170 "journal out of sync with zone" errors on subsequent 17171 reloads. [RT #482] 17172 17173 572. [bug] Quoted strings were not accepted as key names in 17174 address match lists. 17175 17176 571. [bug] It was possible to create an rdataset of singleton 17177 type which had more than one rdata. [RT #154] 17178 [RT #279] 17179 17180 570. [bug] rbtdb.c allowed zones containing nodes which had 17181 both a CNAME and "other data". [RT #154] 17182 17183 569. [func] The DNSSEC AD bit will not be set on queries which 17184 have not requested a DNSSEC response. 17185 17186 568. [func] Add sample simple database drivers in contrib/sdb. 17187 17188 567. [bug] Setting the zone transfer timeout to zero caused an 17189 assertion failure. [RT #302] 17190 17191 566. [func] New public function dns_timer_setidle(). 17192 17193 565. [func] Log queries more like BIND 8: query logging is now 17194 done to category "queries", level "info". [RT #169] 17195 17196 564. [func] Add sortlist support to lwresd. 17197 17198 563. [func] New public functions dns_rdatatype_format() and 17199 dns_rdataclass_format(), for convenient formatting 17200 of rdata type/class mnemonics in log messages. 17201 17202 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong. 17203 17204 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files' 17205 clauses of the options{} statement are now implemented. 17206 17207 560. [bug] dns_name_split did not properly the resulting prefix 17208 when a maximal length bitstring label was split which 17209 was preceded by another bitstring label. [RT #429] 17210 17211 559. [bug] dns_name_split did not properly create the suffix 17212 when splitting within a maximal length bitstring label. 17213 17214 558. [func] New functions, isc_resource_getlimit and 17215 isc_resource_setlimit. 17216 17217 557. 
[func] Symbolic constants for libisc integral types. 17218 17219 556. [func] The DNSSEC OK bit in the EDNS extended flags 17220 is now implemented. Responses to queries without 17221 this bit set will not contain any DNSSEC records. 17222 17223 555. [bug] A slave server attempting a zone transfer could 17224 crash with an assertion failure on certain 17225 malformed responses from the master. [RT #457] 17226 17227 554. [bug] In some cases, not all of the dnssec tools were 17228 properly installed. 17229 17230 553. [bug] Incoming zone transfers deferred due to quota 17231 were not started when quota was increased but 17232 only when a transfer in progress finished. [RT #456] 17233 17234 552. [bug] We were not correctly detecting the end of all c-style 17235 comments. [RT #455] 17236 17237 551. [func] Implemented the 'sortlist' option. 17238 17239 550. [func] Support unknown rdata types and classes. 17240 17241 549. [bug] "make" did not immediately abort the build when a 17242 subdirectory make failed [RT #450]. 17243 17244 548. [func] The lexer now ungets tokens more correctly. 17245 17246 547. [placeholder] 17247 17248 546. [func] Option 'lame-ttl' is now implemented. 17249 17250 545. [func] Name limit and counting options removed from dig; 17251 they didn't work properly, and cannot be correctly 17252 implemented without significant changes. 17253 17254 544. [func] Add statistics option, enable statistics-file option, 17255 add RNDC option "dump-statistics" to write out a 17256 query statistics file. 17257 17258 543. [doc] The 'port' option is now documented. 17259 17260 542. [func] Add support for update forwarding as required for 17261 full compliance with RFC2136. It is turned off 17262 by default and can be enabled using the 17263 'allow-update-forwarding' option. 17264 17265 541. [func] Add bogus server support. 17266 17267 540. [func] Add dialup support. 17268 17269 539. [func] Support the blackhole option. 17270 17271 538. 
[bug] fix buffer overruns by 1 in lwres_getnameinfo(). 17272 17273 537. [placeholder] 17274 17275 536. [func] Use transfer-source{-v6} when sending refresh queries. 17276 Transfer-source{-v6} now take a optional port 17277 parameter for setting the UDP source port. The port 17278 parameter is ignored for TCP. 17279 17280 535. [func] Use transfer-source{-v6} when forwarding update 17281 requests. 17282 17283 534. [func] Ancestors have been removed from RBT chains. Ancestor 17284 information can be discerned via node parent pointers. 17285 17286 533. [func] Incorporated name hashing into the RBT database to 17287 improve search speed. 17288 17289 532. [func] Implement DNS UPDATE pseudo records using 17290 DNS_RDATA_UPDATE flag. 17291 17292 531. [func] Rdata really should be initialized before being assigned 17293 to (dns_rdata_fromwire(), dns_rdata_fromtext(), 17294 dns_rdata_clone(), dns_rdata_fromregion()), 17295 check that it is. 17296 17297 530. [func] New function dns_rdata_invalidate(). 17298 17299 529. [bug] 521 contained a bug which caused zones to always 17300 reload. [RT #410] 17301 17302 528. [func] The ISC_LIST_XXXX macros now perform sanity checks 17303 on their arguments. ISC_LIST_XXXXUNSAFE can be use 17304 to skip the checks however use with caution. 17305 17306 527. [func] New function dns_rdata_clone(). 17307 17308 526. [bug] nsupdate incorrectly refused to add RRs with a TTL 17309 of 0. 17310 17311 525. [func] New arguments 'options' for dns_db_subtractrdataset(), 17312 and 'flags' for dns_rdataslab_subtract() allowing you 17313 to request that the RR's must exist prior to deletion. 17314 DNS_R_NOTEXACT is returned if the condition is not met. 17315 17316 524. [func] The 'forward' and 'forwarders' statement in 17317 non-forward zones should work now. 17318 17319 523. [doc] The source to the Administrator Reference Manual is 17320 now an XML file using the DocBook DTD, and is included 17321 in the distribution. 
The plain text version of the 17322 ARM is temporarily unavailable while we figure out 17323 how to generate readable plain text from the XML. 17324 17325 522. [func] The lightweight resolver daemon can now use 17326 a real configuration file, and its functionality 17327 can be provided by a name server. Also, the -p and -P 17328 options to lwresd have been reversed. 17329 17330 521. [bug] Detect master files which contain $INCLUDE and always 17331 reload. [RT #196] 17332 17333 520. [bug] Upgraded libtool to 1.3.5, which makes shared 17334 library builds almost work on AIX (and possibly 17335 others). 17336 17337 519. [bug] dns_name_split() would improperly split some bitstring 17338 labels, zeroing a few of the least significant bits in 17339 the prefix part. When such an improperly created 17340 prefix was returned to the RBT database, the bogus 17341 label was dutifully stored, corrupting the tree. 17342 [RT #369] 17343 17344 518. [bug] The resolver did not realize that a DNAME which was 17345 "the answer" to the client's query was "the answer", 17346 and such queries would fail. [RT #399] 17347 17348 517. [bug] The resolver's DNAME code would trigger an assertion 17349 if there was more than one DNAME in the chain. 17350 [RT #399] 17351 17352 516. [bug] Cache lookups which had a NULL node pointer, e.g. 17353 those by dns_view_find(), and which would match a 17354 DNAME, would trigger an INSIST(!search.need_cleanup) 17355 assertion. [RT #399] 17356 17357 515. [bug] The ssu table was not being attached / detached 17358 by dns_zone_[sg]etssutable. [RT #397] 17359 17360 514. [func] Retry refresh and notify queries if they timeout. 17361 [RT #388] 17362 17363 513. [func] New functionality added to rdnc and server to allow 17364 individual zones to be refreshed or reloaded. 17365 17366 512. [bug] The zone transfer code could throw an exception with 17367 an invalid IXFR stream. 17368 17369 511. 
[bug] The message code could throw an assertion on an 17370 out of memory failure. [RT #392] 17371 17372 510. [bug] Remove spurious view notify warning. [RT #376] 17373 17374 509. [func] Add support for write of zone files on shutdown. 17375 17376 508. [func] dns_message_parse() can now do a best-effort 17377 attempt, which should allow dig to print more invalid 17378 messages. 17379 17380 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach() 17381 and dns_view_flushanddetach(). 17382 17383 506. [func] Do not fail to start on errors in zone files. 17384 17385 505. [bug] nsupdate was printing "unknown result code". [RT #373] 17386 17387 504. [bug] The zone was not being marked as dirty when updated via 17388 IXFR. 17389 17390 503. [bug] dumptime was not being set along with 17391 DNS_ZONEFLG_NEEDDUMP. 17392 17393 502. [func] On a SERVFAIL reply, DiG will now try the next server 17394 in the list, unless the +fail option is specified. 17395 17396 501. [bug] Incorrect port numbers were being displayed by 17397 nslookup. [RT #352] 17398 17399 500. [func] Nearly useless +details option removed from DiG. 17400 17401 499. [func] In DiG, specifying a class with -c or type with -t 17402 changes command-line parsing so that classes and 17403 types are only recognized if following -c or -t. 17404 This allows hosts with the same name as a class or 17405 type to be looked up. 17406 17407 498. [doc] There is now a man page for "dig" 17408 in doc/man/bin/dig.1. 17409 17410 497. [bug] The error messages printed when an IP match list 17411 contained a network address with a nonzero host 17412 part where not sufficiently detailed. [RT #365] 17413 17414 496. [bug] named didn't sanity check numeric parameters. [RT #361] 17415 17416 495. [bug] nsupdate was unable to handle large records. [RT #368] 17417 17418 494. [func] Do not cache NXDOMAIN responses for SOA queries. 17419 17420 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses 17421 for SOA queries. 
This makes it easier to locate 17422 the containing zone without polluting intermediate 17423 caches. 17424 17425 492. [bug] attempting to reload a zone caused the server fail 17426 to shutdown cleanly. [RT #360] 17427 17428 491. [bug] nsupdate would segfault when sending certain 17429 prerequisites with empty RDATA. [RT #356] 17430 17431 490. [func] When a slave/stub zone has not yet successfully 17432 obtained an SOA containing the zone's configured 17433 retry time, perform the SOA query retries using 17434 exponential backoff. [RT #337] 17435 17436 489. [func] The zone manager now has a "i/o" queue. 17437 17438 488. [bug] Locks weren't properly destroyed in some cases. 17439 17440 487. [port] flockfile() is not defined on all systems. 17441 17442 486. [bug] nslookup: "set all" and "server" commands showed 17443 the incorrect port number if a port other than 53 17444 was specified. [RT #352] 17445 17446 485. [func] When dig had more than one server to query, it would 17447 send all of the messages at the same time. Add 17448 rate limiting of the transmitted messages. 17449 17450 484. [bug] When the server was reloaded after removing addresses 17451 from the named.conf "listen-on" statement, sockets 17452 were still listening on the removed addresses due 17453 to reference count loops. [RT #325] 17454 17455 483. [bug] nslookup: "set all" showed a "search" option but it 17456 was not settable. 17457 17458 482. [bug] nslookup: a plain "server" or "lserver" should be 17459 treated as a lookup. 17460 17461 481. [bug] nslookup:get_next_command() stack size could exceed 17462 per thread limit. 17463 17464 480. [bug] strtok() is not thread safe. [RT #349] 17465 17466 479. [func] The test suite can now be run by typing "make check" 17467 or "make test" at the top level. 17468 17469 478. [bug] "make install" failed if the directory specified with 17470 --prefix did not already exist. 17471 17472 477. 
[bug] The the isc-config.sh script could be installed before 17473 its directory was created. [RT #324] 17474 17475 476. [bug] A zone could expire while a zone transfer was in 17476 progress triggering a INSIST failure. [RT #329] 17477 17478 475. [bug] query_getzonedb() sometimes returned a non-null version 17479 on failure. This caused assertion failures when 17480 generating query responses where names subject to 17481 additional section processing pointed to a zone 17482 to which access had been denied by means of the 17483 allow-query option. [RT #336] 17484 17485 474. [bug] The mnemonic of the CHAOS class is CH according to 17486 RFC1035, but it was printed and read only as CHAOS. 17487 We now accept both forms as input, and print it 17488 as CH. [RT #305] 17489 17490 473. [bug] nsupdate overran the end of the list of name servers 17491 when no servers could be reached, typically causing 17492 it to print the error message "dns_request_create: 17493 not implemented". 17494 17495 472. [bug] Off-by-one error caused isc_time_add() to sometimes 17496 produce invalid time values. 17497 17498 471. [bug] nsupdate didn't compile on HP/UX 10.20 17499 17500 470. [func] $GENERATE is now supported. See also 17501 doc/misc/migration. 17502 17503 469. [bug] "query-source address * port 53;" now works. 17504 17505 468. [bug] dns_master_load*() failed to report file and line 17506 number in certain error conditions. 17507 17508 467. [bug] dns_master_load*() failed to log an error if 17509 pushfile() failed. 17510 17511 466. [bug] dns_master_load*() could return success when it failed. 17512 17513 465. [cleanup] Allow 0 to be set as an omapi_value_t value by 17514 omapi_value_storeint(). 17515 17516 464. [cleanup] Build with openssl's RSA code instead of dnssafe. 17517 17518 463. [bug] nsupdate sent malformed SOA queries to the second 17519 and subsequent name servers in resolv.conf if the 17520 query sent to the first one failed. 17521 17522 462. 
[bug] --disable-ipv6 should work now. 17523 17524 461. [bug] Specifying an unknown key in the "keys" clause of the 17525 "controls" statement caused a NULL pointer dereference. 17526 [RT #316] 17527 17528 460. [bug] Much of the DNSSEC code only worked with class IN. 17529 17530 459. [bug] Nslookup processed the "set" command incorrectly. 17531 17532 458. [bug] Nslookup didn't properly check class and type values. 17533 [RT #305] 17534 17535 457. [bug] Dig/host/hslookup didn't properly handle connect 17536 timeouts in certain situations, causing an 17537 unnecessary warning message to be printed. 17538 17539 456. [bug] Stub zones were not resetting the refresh and expire 17540 counters, loadtime or clearing the DNS_ZONE_REFRESH 17541 (refresh in progress) flag upon successful update. 17542 This disabled further refreshing of the stub zone, 17543 causing it to eventually expire. [RT #300] 17544 17545 455. [doc] Document IPv4 prefix notation does not require a 17546 dotted decimal quad but may be just dotted decimal. 17547 17548 454. [bug] Enforce dotted decimal and dotted decimal quad where 17549 documented as such in named.conf. [RT #304, RT #311] 17550 17551 453. [bug] Warn if the obsolete option "maintain-ixfr-base" 17552 is specified in named.conf. [RT #306] 17553 17554 452. [bug] Warn if the unimplemented option "statistics-file" 17555 is specified in named.conf. [RT #301] 17556 17557 451. [func] Update forwarding implemented. 17558 17559 450. [func] New function ns_client_sendraw(). 17560 17561 449. [bug] isc_bitstring_copy() only works correctly if the 17562 two bitstrings have the same lsb0 value, but this 17563 requirement was not documented, nor was there a 17564 REQUIRE for it. 17565 17566 448. [bug] Host output formatting change, to match v8. [RT #255] 17567 17568 447. [bug] Dig didn't properly retry in TCP mode after 17569 a truncated reply. [RT #277] 17570 17571 446. [bug] Confusing notify log message. [RT #298] 17572 17573 445. 
[bug] Doing a 0 bit isc_bitstring_copy() of an lsb0 17574 bitstring triggered a REQUIRE statement. The REQUIRE 17575 statement was incorrect. [RT #297] 17576 17577 444. [func] "recursion denied" messages are always logged at 17578 debug level 1, now, rather than sometimes at ERROR. 17579 This silences these warnings in the usual case, where 17580 some clients set the RD bit in all queries. 17581 17582 443. [bug] When loading a master file failed because of an 17583 unrecognized RR type name, the error message 17584 did not include the file name and line number. 17585 [RT #285] 17586 17587 442. [bug] TSIG signed messages that did not match any view 17588 crashed the server. [RT #290] 17589 17590 441. [bug] Nodes obscured by a DNAME were inaccessible even 17591 when DNS_DBFIND_GLUEOK was set. 17592 17593 440. [func] New function dns_zone_forwardupdate(). 17594 17595 439. [func] New function dns_request_createraw(). 17596 17597 438. [func] New function dns_message_getrawmessage(). 17598 17599 437. [func] Log NOTIFY activity to the notify channel. 17600 17601 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH, 17602 which sometimes happens on Linux, named would enter 17603 a busy loop. Also, unexpected socket errors were 17604 not logged at a high enough logging level to be 17605 useful in diagnosing this situation. [RT #275] 17606 17607 435. [bug] dns_zone_dump() overwrote existing zone files 17608 rather than writing to a temporary file and 17609 renaming. This could lead to empty or partial 17610 zone files being left around in certain error 17611 conditions involving the initial transfer of a 17612 slave zone, interfering with subsequent server 17613 startup. [RT #282] 17614 17615 434. [func] New function isc_file_isabsolute(). 17616 17617 433. [func] isc_base64_decodestring() now accepts newlines 17618 within the base64 data. This makes it possible 17619 to break up the key data in a "trusted-keys" 17620 statement into multiple lines. 
[RT #284] 17621 17622 432. [func] Added refresh/retry jitter. The actual refresh/ 17623 retry time is now a random value between 75% and 17624 100% of the configured value. 17625 17626 431. [func] Log at ISC_LOG_INFO when a zone is successfully 17627 loaded. 17628 17629 430. [bug] Rewrote the lightweight resolver client management 17630 code to handle shutdown correctly and general 17631 cleanup. 17632 17633 429. [bug] The space reserved for a TSIG record in a response 17634 was 2 bytes too short, leading to message 17635 generation failures. 17636 17637 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned 17638 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT 17639 (e.g. glue). This could cause SERVFAILs when 17640 generating negative responses in a secure zone. 17641 17642 427. [bug] Avoid going into an infinite loop when the validator 17643 gets a negative response to a key query where the 17644 records are signed by the missing key. 17645 17646 426. [bug] Attempting to generate an oversized RSA key could 17647 cause dnssec-keygen to dump core. 17648 17649 425. [bug] Warn about the auth-nxdomain default value change 17650 if there is no auth-nxdomain statement in the 17651 config file. [RT #287] 17652 17653 424. [bug] notify_createmessage() could trigger an assertion 17654 failure when creating the notify message failed, 17655 e.g. due to corrupt zones with multiple SOA records. 17656 [RT #279] 17657 17658 423. [bug] When responding to a recursive query, errors that occur 17659 after following a CNAME should cause the query to fail. 17660 [RT #274] 17661 17662 422. [func] get rid of isc_random_t, and make isc_random_get() 17663 and isc_random_jitter() use rand() internally 17664 instead of local state. Note that isc_random_*() 17665 functions are only for weak, non-critical "randomness" 17666 such as timing jitter and such. 17667 17668 421. [bug] nslookup would exit when given a blank line as input. 17669 17670 420. 
[bug] nslookup failed to implement the "exit" command. 17671 17672 419. [bug] The certificate type PKIX was misspelled as SKIX. 17673 17674 418. [bug] At debug levels >= 10, getting an unexpected 17675 socket receive error would crash the server 17676 while trying to log the error message. 17677 17678 417. [func] Add isc_app_block() and isc_app_unblock(), which 17679 allow an application to handle signals while 17680 blocking. 17681 17682 416. [bug] Slave zones with no master file tried to use a 17683 NULL pointer for a journal file name when they 17684 received an IXFR. [RT #273] 17685 17686 415. [bug] The logging code leaked file descriptors. 17687 17688 414. [bug] Server did not shut down until all incoming zone 17689 transfers were finished. 17690 17691 413. [bug] Notify could attempt to use the zone database after 17692 it had been unloaded. [RT #267] 17693 17694 412. [bug] named -v didn't print the version. 17695 17696 411. [bug] A typo in the HS A code caused an assertion failure. 17697 17698 410. [bug] lwres_gethostbyname() and company set lwres_h_errno 17699 to a random value on success. 17700 17701 409. [bug] If named was shut down early in the startup 17702 process, ns_omapi_shutdown() would attempt to lock 17703 an uninitialized mutex. [RT #262] 17704 17705 408. [bug] stub zones could leak memory and reference counts if 17706 all the masters were unreachable. 17707 17708 407. [bug] isc_rwlock_lock() would needlessly block 17709 readers when it reached the read quota even 17710 if no writers were waiting. 17711 17712 406. [bug] Log messages were occasionally lost or corrupted 17713 due to a race condition in isc_log_doit(). 17714 17715 405. [func] Add support for selective forwarding (forward zones) 17716 17717 404. [bug] The request library didn't completely work with IPv6. 17718 17719 403. [bug] "host" did not use the search list. 17720 17721 402. [bug] Treat undefined acls as errors, rather than 17722 warning and then later throwing an assertion. 
[RT #252]

401. [func] Added simple database API.

400. [bug] SIG(0) signing and verifying was done incorrectly. [RT #249]

399. [bug] When reloading the server with a config file containing a syntax error, it could catch an assertion failure trying to perform zone maintenance on, or sending notifies from, tentatively created zones whose views were never fully configured and lacked an address database and request manager.

398. [bug] "dig" sometimes caught an assertion failure when using TSIG, depending on the key length.

397. [func] Added utility functions dns_view_gettsig() and dns_view_getpeertsig().

396. [doc] There is now a man page for "nsupdate" in doc/man/bin/nsupdate.8.

395. [bug] nslookup printed incorrect RR type mnemonics for RRs of type >= 21 [RT #237].

394. [bug] Current name was not propagated via $INCLUDE.

393. [func] Initial answer while loading (awl) support. Entry points: dns_master_loadfileinc(), dns_master_loadstreaminc(), dns_master_loadbufferinc(). Note: calls to dns_master_load*inc() should be rate limited so as to not use up all file descriptors.

392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does not support the given address family requested.

391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.

390. [func] The function dns_zone_setdbtype() now takes an argc/argv style vector of words and sets both the zone database type and its arguments, making the functions dns_zone_adddbarg() and dns_zone_cleardbargs() unnecessary.

389. [bug] Attempting to send a request over IPv6 using dns_request_create() on a system without IPv6 support caused an assertion failure [RT #235].

388.
[func] dig and host can now do reverse ipv6 lookups.

387. [func] Add dns_byaddr_createptrname(), which converts an address into the name used by a PTR query.

386. [bug] Missing strdup() of ACL name caused random ACL matching failures [RT #228].

385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(), and dns_zt_print().

384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead of 2147483647.

383. [func] When writing a master file, print the SOA and NS records (and their SIGs) before other records.

382. [bug] named -u failed on many Linux systems where the libc provided kernel headers do not match the current kernel.

381. [bug] Check for IPV6_RECVPKTINFO and use it instead of IPV6_PKTINFO if found. [RT #229]

380. [bug] nsupdate didn't work with IPv6.

379. [func] New library function isc_sockaddr_anyofpf().

378. [func] named and lwresd will log the command line arguments they were started with in the "starting ..." message.

377. [bug] When additional data lookups were refused due to "allow-query", the databases were still being attached causing reference leaks.

376. [bug] The server should always use good entropy when performing cryptographic functions needing entropy.

375. [bug] Per-zone "allow-query" did not properly override the view/global one for CNAME targets and additional data [RT #220].

374. [bug] SOA in authoritative negative responses had wrong TTL.

373. [func] nslookup is now installed by "make install".

372. [bug] Deal with Microsoft DNS servers appending two bytes of garbage to zone transfer requests.

371.
[bug] At high debug levels, doing an outgoing zone transfer of a very large RRset could cause an assertion failure during logging.

370. [bug] The error messages for roll-forward failures were overly terse.

369. [func] Support new named.conf options, view and zone statements:

    max-retry-time, min-retry-time,
    max-refresh-time, min-refresh-time.

368. [func] Restructure the internal ".bind" view so that more zones can be added to it.

367. [bug] Allow proper selection of server on nslookup command line.

366. [func] Allow use of '-' batch file in dig for stdin.

365. [bug] nsupdate -k leaked memory.

364. [func] Added additional-from-{cache,auth}

363. [placeholder]

362. [bug] rndc no longer aborts if the configuration file is missing an options statement. [RT #209]

361. [func] When the RBT find or chain functions set the name and origin for a node that stores the root label the name is now set to an empty name, instead of ".", to simplify later use of the name and origin by dns_name_concatenate(), dns_name_totext() or dns_name_format().

360. [func] dns_name_totext() and dns_name_format() now allow an empty name to be passed, which is formatted as "@".

359. [bug] dnssec-signzone occasionally signed glue records.

358. [cleanup] Rename the intermediate files used by the dnssec programs.

357. [bug] The zone file parser crashed if the argument to $INCLUDE was a quoted string.

356. [cleanup] isc_task_send no longer requires event->sender to be non-null.

355. [func] Added isc_dir_createunique(), similar to mkdtemp().

354. [doc] Man pages for the dnssec tools are now included in the distribution, in doc/man/dnssec.

353.
[bug] double increment in lwres/gethost.c:copytobuf(). [RT #187]

352. [bug] Race condition in dns_client_t startup could cause an assertion failure.

351. [bug] Constructing a response with rcode SERVFAIL to a TSIG signed query could crash the server.

350. [bug] Also-notify lists specified in the global options block were not correctly reference counted, causing a memory leak.

349. [bug] Processing a query with the CD bit set now works as expected.

348. [func] New boolean named.conf options 'additional-from-auth' and 'additional-from-cache' now supported in view and global options statement.

347. [bug] Don't crash if an argument is left off options in dig.

346. [placeholder]

345. [bug] Large-scale changes/cleanups to dig:
    * Significantly improve structure handling
    * Don't pre-load entire batch files
    * Add name/rr counting/limiting
    * Fix SIGINT handling
    * Shorten timeouts to match v8's behavior

344. [bug] When shutting down, lwresd sometimes tried to shut down its client tasks twice, triggering an assertion.

343. [bug] Although zone maintenance SOA queries and notify requests were signed with TSIG keys when configured for the server in case, the TSIG was not verified on the response.

342. [bug] The wrong name was being passed to dns_name_dup() when generating a TSIG key using TKEY.

341. [func] Support 'key' clause in named.conf zone masters statement to allow authentication via TSIG keys:

    masters {
        10.0.0.1 port 5353 key "foo";
        10.0.0.2 ;
    };

340. [bug] The top-level COPYRIGHT file was missing from the distribution.

339.
[bug] DNSSEC validation of the response to an ANY query at a name with a CNAME RR in a secure zone triggered an assertion failure.

338. [bug] lwresd logged to syslog as named, not lwresd.

337. [bug] "dig" did not recognize "nsap-ptr" as an RR type on the command line.

336. [bug] "dig -f" used 64 k of memory for each line in the file. It now uses much less, though still proportionally to the file size.

335. [bug] named would occasionally attempt recursion when it was disallowed or undesired.

334. [func] Added hmac-md5 to libisc.

333. [bug] The resolver incorrectly accepted referrals to domains that were not parents of the query name, causing assertion failures.

332. [func] New function dns_name_reset().

331. [bug] Only log "recursion denied" if RD is set. [RT #178]

330. [bug] Many debugging messages were partially formatted even when debugging was turned off, causing a significant decrease in query performance.

329. [func] omapi_auth_register() now takes a size_t argument for the length of a key's secret data. Previously OMAPI only stored secrets up to the first NUL byte.

328. [func] Added isc_base64_decodestring().

327. [bug] rndc.conf parser wasn't correctly recognizing an IP address where a host specification was required.

326. [func] 'keys' in an 'inet' control statement is now required and must have at least one item in it. A "not supported" warning is now issued if a 'unix' control channel is defined.

325. [bug] isc_lex_gettoken was processing octal strings when ISC_LEXOPT_CNUMBER was not set.

324. [func] In the resolver, turn EDNS0 off if there is no response after a number of retransmissions.
This is to allow queries some chance of succeeding even if all the authoritative servers of a zone silently discard EDNS0 requests instead of sending an error response like they ought to.

323. [bug] dns_rbt_findname() did not ignore empty rbt nodes. Because of this, servers authoritative for a parent and grandchild zone but not authoritative for the intervening child zone did not correctly issue referrals to the servers of the child zone.

322. [bug] Queries for KEY RRs are now sent to the parent server before the authoritative one, making DNSSEC insecurity proofs work in many cases where they previously didn't.

321. [bug] When synthesizing a CNAME RR for a DNAME response, query_addcname() failed to initialize the type and class of the CNAME dns_rdata_t, causing random failures.

320. [func] Multiple rndc changes: parses an rndc.conf file, uses authentication to talk to named, command line syntax changed. This will all be described in the ARM.

319. [func] The named.conf "controls" statement is now used to configure the OMAPI command channel.

318. [func] dns_c_ndcctx_destroy() could never return anything except ISC_R_SUCCESS; made it have void return instead.

317. [func] Use callbacks from libomapi to determine if a new connection is valid, and if a key requested to be used with that connection is valid.

316. [bug] Generate a warning if we detect an unexpected <eof> but treat as <eol><eof>.

315. [bug] Handle non-empty blank lines. [RT #163]

314. [func] The named.conf controls statement can now have more than one key specified for the inet clause.

313. [bug] When parsing resolv.conf, don't terminate on an error. Instead, parse as much as possible, but still return an error if one was found.

312. [bug] Increase the number of allowed elements in the resolv.conf search path from 6 to 8. If there are more than this, ignore the remainder rather than returning a failure in lwres_conf_parse.

311. [bug] lwres_conf_parse failed when the first line of resolv.conf was empty or a comment.

310. [func] Changes to named.conf "controls" statement (inet subtype only)

    - support "keys" clause

        controls {
            inet * port 1024
                allow { any; } keys { "foo"; }
        }

    - allow "port xxx" to be left out of statement, in which case it defaults to omapi's default port of 953.

309. [bug] When sending a referral, the server did not look for name server addresses as glue in the zone holding the NS RRset in the case where this zone was not the same as the one where it looked for name server addresses as authoritative data.

308. [bug] Treat a SOA record not at top of zone as an error when loading a zone. [RT #154]

307. [bug] When canceling a query, the resolver didn't check for isc_socket_sendto() calls that did not yet have their completion events posted, so it could (rarely) end up destroying the query context and then want to use it again when the send event posted, triggering an assertion as it tried to cancel an already-canceled query. [RT #77]

306. [bug] Reading HMAC-MD5 private key files didn't work.

305. [bug] When reloading the server with a config file containing a syntax error, it could catch an assertion failure trying to perform zone maintenance on tentatively created zones whose views were never fully configured and lacked an address database.

304.
[bug] If more than LWRES_CONFMAXNAMESERVERS servers are listed in resolv.conf, silently ignore them instead of returning failure.

303. [bug] Add additional sanity checks to differentiate an AXFR response vs an IXFR response. [RT #157]

302. [bug] In dig, host, and nslookup, MXNAME should be large enough to hold any legal domain name in presentation format + terminating NULL.

301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]

300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work on platforms lacking IPv6 because each included their own ipv6 header file for the missing definitions. Now each library's ipv6.h defines the wrapper symbol of the other (ISC_IPV6_H and LWRES_IPV6_H).

299. [cleanup] Get the user and group information before changing the root directory, so the administrator does not need to keep a copy of the user and group databases in the chroot'ed environment. Suggested by Hakan Olsson.

298. [bug] A mutex deadlock occurred during shutdown of the interface manager under certain conditions. Digital Unix systems were the most affected.

297. [bug] Specifying a key name that wasn't fully qualified in certain parts of the config file could cause an assertion failure.

296. [bug] "make install" from a separate build directory failed unless configure had been run in the source directory, too.

295. [bug] When invoked with type==CNAME and a message not constructed by dns_message_parse(), dns_message_findname() failed to find anything due to checking for attribute bits that are set only in dns_message_parse(). This caused an infinite loop when constructing the response to an ANY query at a CNAME in a secure zone.

294.
[bug] If we run out of space in while processing glue when reading a master file and commit "current name" reverts to "name_current" instead of staying as "name_glue".

293. [port] Add support for FreeBSD 4.0 system tests.

292. [bug] Due to problems with the way some operating systems handle simultaneous listening on IPv4 and IPv6 addresses, the server no longer listens on IPv6 addresses by default. To revert to the previous behavior, specify "listen-on-v6 { any; };" in the config file.

291. [func] Caching servers no longer send outgoing queries over TCP just because the incoming recursive query was a TCP one.

290. [cleanup] +twiddle option to dig (for testing only) removed.

289. [cleanup] dig is now installed in $bindir instead of $sbindir. host is now installed in $bindir. (Be sure to remove any $sbindir/dig from a previous release.)

288. [func] rndc is now installed by "make install" into $sbindir.

287. [bug] rndc now works again as "rndc 127.1 reload" (for only that task). Parsing its configuration file and using digital signatures for authentication has been disabled until named supports the "controls" statement, post-9.0.0.

286. [bug] On Solaris 2, when named inherited a signal state where SIGHUP had the SIG_IGN action, SIGHUP would be ignored rather than causing the server to reload its configuration.

285. [bug] A change made to the dst API for beta4 inadvertently broke OMAPI's creation of a dst key from an incoming message, causing an assertion to be triggered. Fixed.

284. [func] The DNSSEC key generation and signing tools now generate randomness from keyboard input on systems that lack /dev/random.

283. [cleanup] The 'lwresd' program is now a link to 'named'.

282.
[bug] The lexer now returns ISC_R_RANGE if parsed integer is too big for an unsigned long.

281. [bug] Fixed list of recognized config file category names.

280. [func] Add isc-config.sh, which can be used to more easily build applications that link with our libraries.

279. [bug] Private omapi function symbols shared between two or more files in libomapi.a were not namespace protected using the ISC convention of starting with the library name and two underscores ("omapi__"...)

278. [bug] bin/named/logconf.c:category_fromconf() didn't take note of when isc_log_categorybyname() wasn't able to find the category name and would then apply the channel list of the unknown category to all categories.

277. [bug] isc_log_categorybyname() and isc_log_modulebyname() would fail to find the first member of any category or module array apart from the internal defaults. Thus, for example, the "notify" category was improperly configured by named.

276. [bug] dig now supports maximum sized TCP messages.

275. [bug] The definition of lwres_gai_strerror() was missing the lwres_ prefix.

274. [bug] TSIG AXFR verify failed when talking to a BIND 8 server.

273. [func] The default for the 'transfer-format' option is now 'many-answers'. This will break zone transfers to BIND 4.9.5 and older unless there is an explicit 'one-answer' configuration.

272. [bug] The sending of large TCP responses was canceled in mid-transmission due to a race condition caused by the failure to set the client object's "newstate" variable correctly when transitioning to the "working" state.

271. [func] Attempt to probe the number of cpus in named if unspecified rather than defaulting to 1.

270. [func] Allow maximum sized TCP answers.

269. [bug] Failed DNSSEC validations could cause an assertion failure by causing clone_results() to be called with hevent->node == NULL.

268. [doc] A plain text version of the Administrator Reference Manual is now included in the distribution, as doc/arm/Bv9ARM.txt.

267. [func] Nsupdate is now provided in the distribution.

266. [bug] zone.c:save_nsrrset() node was not initialized.

265. [bug] dns_request_create() now works for TCP.

264. [func] Dispatch can not take TCP sockets in connecting state. Set DNS_DISPATCHATTR_CONNECTED when calling dns_dispatch_createtcp() for connected TCP sockets or call dns_dispatch_starttcp() when the socket is connected.

263. [func] New logging channel type 'stderr'

    channel some-name {
        stderr;
        severity error;
    }

262. [bug] 'master' was not initialized in zone.c:stub_callback().

261. [func] Add dns_zone_markdirty().

260. [bug] Running named as a non-root user failed on Linux kernels new enough to support retaining capabilities after setuid().

259. [func] New random-device and random-seed-file statements for global options block of named.conf. Both accept a single string argument.

258. [bug] Fixed printing of lwres_addr_t.address field.

257. [bug] The server detached the last zone manager reference too early, while it could still be in use by queries. This manifested itself as assertion failures during the shutdown process for busy name servers. [RT #133]

256. [func] isc_ratelimiter_t now has attach/detach semantics, and isc_ratelimiter_shutdown guarantees that the rate limiter is detached from its task.

255. [func] New function dns_zonemgr_attach().

254.
[bug] Suppress "query denied" messages on additional data lookups.

--- 9.0.0b4 released ---

253. [func] resolv.conf parser now recognizes ';' and '#' as comments (anywhere in line, not just at the beginning).

252. [bug] resolv.conf parser mishandled masks on sortlists. It also aborted when an unrecognized keyword was seen, now it silently ignores the entire line.

251. [bug] lwresd caught an assertion failure on startup.

250. [bug] fixed handling of size+unit when value would be too large for internal representation.

249. [cleanup] max-cache-size config option now takes a size-spec like 'datasize', except 'default' is not allowed.

248. [bug] global lame-ttl option was not being printed when config structures were written out.

247. [cleanup] Rename cache-size config option to max-cache-size.

246. [func] Rename global option cachesize to cache-size and add corresponding option to view statement.

245. [bug] If an uncompressed name will take more than 255 bytes and the buffer is sufficiently long, dns_name_fromwire should return DNS_R_FORMERR, not ISC_R_NOSPACE. This bug caused the server to catch an assertion failure when it received a query for a name longer than 255 bytes.

244. [bug] empty named.conf file and empty options statement are now parsed properly.

243. [func] new cachesize option for named.conf

242. [cleanup] fixed incorrect warning about auth-nxdomain usage.

241. [cleanup] nscount and soacount have been removed from the dns_master_*() argument lists.

240. [func] databases now come in three flavours: zone, cache and stub.

239. [func] If ISC_MEM_DEBUG is enabled, the variable isc_mem_debugging controls whether messages are printed or not.

238. [cleanup] A few more compilation warnings have been quieted:
    + missing sigwait prototype on BSD/OS 4.0/4.0.1.
    + PTHREAD_ONCE_INIT unbraced initializer warnings on Solaris 2.8.
    + IN6ADDR_ANY_INIT unbraced initializer warnings on BSD/OS 4.*, Linux and Solaris 2.8.

237. [bug] If connect() returned ENOBUFS when the resolver was initiating a TCP query, the socket didn't get destroyed, and the server did not shut down cleanly.

236. [func] Added new listen-on-v6 config file statement.

235. [func] Consider it a config file error if a listen-on statement has an IPv6 address in it, or a listen-on-v6 statement has an IPv4 address in it.

234. [bug] Allow a trusted-key's first field (domain-name) to be either a quoted or an unquoted string, instead of requiring a quoted string.

233. [cleanup] Convert all config structure integer values to unsigned integer (isc_uint32_t) to match grammar.

232. [bug] Allow slave zones to not have a file.

231. [func] Support new 'port' clause in config file options section. Causes 'listen-on', 'masters' and 'also-notify' statements to use its value instead of default (53).

230. [func] Replace the dst sign/verify API with a cleaner one.

229. [func] Support config file sig-validity-interval statement in options, views and zone statements (master zones only).

228. [cleanup] Logging messages in config module stripped of trailing period.

227. [cleanup] The enumerated identifiers dns_rdataclass_*, dns_rcode_*, dns_opcode_*, and dns_trust_* are also now cast to their appropriate types, as with dns_rdatatype_* in item number 225 below.

226. [func] dns_name_totext() now always prints the root name as '.', even when omit_final_dot is true.

225.
[cleanup] The enumerated dns_rdatatype_* identifiers are now cast to dns_rdatatype_t via macros of their same name so that they are of the proper integral type wherever a dns_rdatatype_t is needed.

224. [cleanup] The entire project builds cleanly with gcc's -Wcast-qual and -Wwrite-strings warnings enabled, which is now the default when using gcc. (Warnings from confparser.c, because of yacc's code, are unfortunately to be expected.)

223. [func] Several functions were re-prototyped to qualify one or more of their arguments with "const". Similarly, several functions that return pointers now have those pointers qualified with const.

222. [bug] The global 'also-notify' option was ignored.

221. [bug] An uninitialized variable was sometimes passed to dns_rdata_freestruct() when loading a zone, causing an assertion failure.

220. [cleanup] Set the default outgoing port in the view, and set it in sockaddrs returned from the ADB. [31-May-2000 explorer]

219. [bug] Signed truncated messages more correctly follow the respective specs.

218. [func] When an rdataset is signed, its ttl is normalized based on the signature validity period.

217. [func] Also-notify and trusted-keys can now be used in the 'view' statement.

216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options now work.

215. [bug] Failures at certain points in request processing could cause the assertion INSIST(client->lockview == NULL) to be triggered.

214. [func] New public function isc_netaddr_format(), for formatting network addresses in log messages.

213. [bug] Don't leak memory when reloading the zone if an update-policy clause was present in the old zone.

212.
[func] Added dns_message_get/settsigkey, to make TSIG key management reasonable.

211. [func] The 'key' and 'server' statements can now occur inside 'view' statements.

210. [bug] The 'allow-transfer' option was ignored for slave zones, and the 'transfers-per-ns' option was ignored for all zones.

209. [cleanup] Upgraded openssl files to new version 0.9.5a

208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value of an isc_offset_t.

207. [func] The dnssec tools properly use the logging subsystem.

206. [cleanup] dst now stores the key name as a dns_name_t, not a char *.

205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692 ("prototyped function redeclared without prototype") and 1552 ("variable ... set but not used") when compiling in the lib/dns/sec/{dnssafe,openssl} directories, which contain code imported from outside sources.

204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker to quiet the warnings that "The linked output may not run on a PA 1.x system."

203. [func] notify and zone soa queries are now tsig signed when appropriate.

202. [func] isc_lex_getsourceline() changed from returning int to returning unsigned long, the type of its underlying counter.

201. [cleanup] Removed the test/sdig program, it has been replaced by bin/dig/dig.

--- 9.0.0b3 released ---

200. [bug] Failures in sending query responses to clients (e.g., running out of network buffers) were not logged.

199. [bug] isc_heap_delete() sometimes violated the heap invariant, causing timer events not to be posted when due.

198. [func] Dispatch managers hold memory pools which any managed dispatcher may use.
This allows us to avoid dipping into the memory context for most allocations. [19-May-2000 explorer]

197. [bug] When an incoming AXFR or IXFR completes, the zone's internal state is refreshed from the SOA data. [19-May-2000 explorer]

196. [func] Dispatchers can be shared easily between views and/or interfaces. [19-May-2000 explorer]

195. [bug] Including the NXT record of the root domain in a negative response caused an assertion failure.

194. [doc] The PDF version of the Administrator's Reference Manual is no longer included in the ISC BIND9 distribution.

193. [func] changed dst_key_free() prototype.

192. [bug] Zone configuration validation is now done at end of config file parsing, and before loading callbacks.

191. [func] Patched to compile on UnixWare 7.x. This platform is not directly supported by the ISC.

190. [cleanup] The DNSSEC tools have been moved to a separate directory dnssec/ and given the following new, more descriptive names:

    dnssec-keygen
    dnssec-signzone
    dnssec-signkey
    dnssec-makekeyset

    Their command line arguments have also been changed to be more consistent. dnssec-keygen now prints the name of the generated key files (sans extension) on standard output to simplify its use in automated scripts.

189. [func] isc_time_secondsastimet(), a new function, will ensure that the number of seconds in an isc_time_t does not exceed the range of a time_t, or return ISC_R_RANGE. Similarly, isc_time_now(), isc_time_nowplusinterval(), isc_time_add() and isc_time_subtract() now check the range for overflow/underflow.
In the case of isc_time_subtract, this changed a calling requirement (ie, something that could generate an assertion) into merely a condition that returns an error result. isc_time_add() and isc_time_subtract() were void-valued before but now return isc_result_t.

188. [func] Log a warning message when an incoming zone transfer contains out-of-zone data.

187. [func] isc_ratelimiter_enqueue() has an additional argument 'task'.

186. [func] dns_request_getresponse() has an additional argument 'preserve_order'.

185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several public functions did not have an isc__ prefix, and referred to functions that had previously been renamed.

184. [cleanup] Variables/functions which began with two leading underscores were made to conform to the ANSI/ISO standard, which says that such names are reserved.

183. [func] ISC_LOG_PRINTTAG option for log channels. Useful for logging the program name or other identifier.

182. [cleanup] New command-line parameters for dnssec tools

181. [func] Added dst_key_buildfilename and dst_key_parsefilename

180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.

179. [func] options named.conf statement *must* now come before any zone or view statements.

178. [func] Post-load of named.conf check verifies a slave zone has non-empty list of masters defined.

177. [func] New per-zone boolean:

    enable-zone yes | no ;

    intended to let a zone be disabled without having to comment out the entire zone statement.

176. [func] New global and per-view option:

    max-cache-ttl number

175. [func] New global and per-view option:

    additional-data internal | minimal | maximal;

174.
[func] New public function isc_sockaddr_format(), for 18576 formatting socket addresses in log messages. 18577 18578 173. [func] Keep a queue of zones waiting for zone transfer 18579 quota so that a new transfer can be dispatched 18580 immediately whenever quota becomes available. 18581 18582 172. [bug] $TTL directive was sometimes missing from dumped 18583 master files because totext_ctx_init() failed to 18584 initialize ctx->current_ttl_valid. 18585 18586 171. [cleanup] On NetBSD systems, the mit-pthreads or 18587 unproven-pthreads library is now always used 18588 unless --with-ptl2 is explicitly specified on 18589 the configure command line. The 18590 --with-mit-pthreads option is no longer needed 18591 and has been removed. 18592 18593 170. [cleanup] Remove inter server consistency checks from zone, 18594 these should return as a separate module in 9.1. 18595 dns_zone_checkservers(), dns_zone_checkparents(), 18596 dns_zone_checkchildren(), dns_zone_checkglue(). 18597 18598 Remove dns_zone_setadb(), dns_zone_setresolver(), 18599 dns_zone_setrequestmgr() these should now be found 18600 via the view. 18601 18602 169. [func] ratelimiter can now process N events per interval. 18603 18604 168. [bug] include statements in named.conf caused syntax errors 18605 due to not consuming the semicolon ending the include 18606 statement before switching input streams. 18607 18608 167. [bug] Make lack of masters for a slave zone a soft error. 18609 18610 166. [bug] Keygen was overwriting existing keys if key_id 18611 conflicted, now it will retry, and non-null keys 18612 with key_id == 0 are not generated anymore. Key 18613 was not able to generate NOAUTHCONF DSA key, 18614 increased RSA key size to 2048 bits. 18615 18616 165. [cleanup] Silence "end-of-loop condition not reached" warnings 18617 from Solaris compiler. 18618 18619 164. 
[func] Added functions isc_stdio_open(), isc_stdio_close(), 18620 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(), 18621 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove() 18622 to encapsulate nonportable usage of errno and sync. 18623 18624 163. [func] Added result codes ISC_R_FILENOTFOUND and 18625 ISC_R_FILEEXISTS. 18626 18627 162. [bug] Ensure proper range for arguments to ctype.h functions. 18628 18629 161. [cleanup] error in yyparse prototype that only HPUX caught. 18630 18631 160. [cleanup] getnet*() are not going to be implemented at this 18632 stage. 18633 18634 159. [func] Redefinition of config file elements is now an 18635 error (instead of a warning). 18636 18637 158. [bug] Log channel and category list copy routines 18638 weren't assigning properly to output parameter. 18639 18640 157. [port] Fix missing prototype for getopt(). 18641 18642 156. [func] Support new 'database' statement in zone. 18643 18644 database "quoted-string"; 18645 18646 155. [bug] ns_notify_start() was not detaching the found zone. 18647 18648 154. [func] The signer now logs libdns warnings to stderr even when 18649 not verbose, and in a nicer format. 18650 18651 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx' 18652 is NULL then you need to preserve the 'rdata' until 18653 you have finished using the structure as there may be 18654 references to the associated memory. If 'mctx' is 18655 non-NULL it is guaranteed that there are no references 18656 to memory associated with 'rdata'. 18657 18658 dns_rdata_freestruct() must be called if 'mctx' was 18659 non-NULL and may safely be called if 'mctx' was NULL. 18660 18661 152. [bug] keygen dumped core if domain name argument was omitted 18662 from command line. 18663 18664 151. [func] Support 'disabled' statement in zone config (causes 18665 zone to be parsed and then ignored). Currently must 18666 come after the 'type' clause. 18667 18668 150. 
[func] Support optional ports in masters and also-notify 18669 statements: 18670 18671 masters [ port xxx ] { y.y.y.y [ port zzz ] ; } 18672 18673 149. [cleanup] Removed unused argument 'olist' from 18674 dns_c_view_unsetordering(). 18675 18676 148. [cleanup] Stop issuing some warnings about some configuration 18677 file statements that were not implemented, but now are. 18678 18679 147. [bug] Changed yacc union size to be smaller for yaccs that 18680 put yacc-stack on the real stack. 18681 18682 146. [cleanup] More general redundant header file cleanup. Rather 18683 than continuing to itemize every header which changed, 18684 this changelog entry just notes that if a header file 18685 did not need another header file that it was including 18686 in order to provide its advertised functionality, the 18687 inclusion of the other header file was removed. See 18688 util/check-includes for how this was tested. 18689 18690 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/ 18691 ISC_LANG_ENDDECLS to header files that had function 18692 prototypes, and removed it from those that did not. 18693 18694 144. [cleanup] libdns header files too numerous to name were made 18695 to conform to the same style for multiple inclusion 18696 protection. 18697 18698 143. [func] Added function dns_rdatatype_isknown(). 18699 18700 142. [cleanup] <isc/stdtime.h> does not need <time.h> or 18701 <isc/result.h>. 18702 18703 141. [bug] Corrupt requests with multiple questions could 18704 cause an assertion failure. 18705 18706 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>. 18707 18708 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of 18709 <isc/int.h> and <isc/result.h>. 18710 18711 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and 18712 renamed isc_string_touint64. isc_strsep moved from 18713 strsep.c to string.c and renamed isc_string_separate. 18714 18715 137. 
[cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h> 18716 <isc/serial.h>, <isc/string.h> and <isc/offset.h> 18717 made to conform to the same style for multiple 18718 inclusion protection. 18719 18720 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>, 18721 <isc/net.h> and Win32's <isc/thread.h> needed 18722 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS. 18723 18724 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h> 18725 or <isc/boolean.h>, now uses <isc/types.h> in place 18726 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS 18727 and ISC_LANG_ENDDECLS. 18728 18729 134. [cleanup] <isc/dir.h> does not need <limits.h>. 18730 18731 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>. 18732 18733 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does 18734 need <isc/eventclass.h>. 18735 18736 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h> 18737 for ISC_R_* codes used in macros. 18738 18739 130. [cleanup] <isc/condition.h> does not need <pthread.h> or 18740 <isc/boolean.h>, and now includes <isc/types.h> 18741 instead of <isc/time.h>. 18742 18743 129. [bug] The 'default_debug' log channel was not set up when 18744 'category default' was present in the config file 18745 18746 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of 18747 ISC_LANG_ENDDECLS at end of header. 18748 18749 127. [cleanup] The contracts for the comparison routines 18750 dns_name_fullcompare(), dns_name_compare(), 18751 dns_name_rdatacompare(), and dns_rdata_compare() now 18752 specify that the order value returned is < 0, 0, or > 0 18753 instead of -1, 0, or 1. 18754 18755 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>. 18756 18757 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>, 18758 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and 18759 <isc/resultclass.h> do not need <isc/lang.h>. 18760 18761 124. 
[func] signer now imports parent's zone key signature 18762 and creates null keys/sets zone status bit for 18763 children when necessary 18764 18765 123. [cleanup] <isc/event.h> does not need <stddef.h>. 18766 18767 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or 18768 <isc/result.h>. 18769 18770 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or 18771 <isc/result.h>. Multiple inclusion protection 18772 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H. 18773 isc_symtab_t moved to <isc/types.h>. 18774 18775 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>, 18776 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or 18777 <isc/net.h>. 18778 18779 119. [cleanup] structure definitions for generic rdata structures do 18780 not have _generic_ in their names. 18781 18782 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting 18783 YACC crust (yyparse, etc) [2000-apr-27 explorer] 18784 18785 117. [cleanup] libdns.a changes: 18786 dns_zone_clearnotify() and dns_zone_addnotify() 18787 are replaced by dns_zone_setnotifyalso(). 18788 dns_zone_clearmasters() and dns_zone_addmaster() 18789 are replaced by dns_zone_setmasters(). 18790 18791 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t 18792 on Unix systems). 18793 18794 115. [port] Shut up the -Wmissing-declarations warning about 18795 <stdio.h>'s __sputaux on BSD/OS pre-4.1. 18796 18797 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or 18798 <isc/list.h>. 18799 18800 113. [func] Utility programs dig and host added. 18801 18802 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>. 18803 18804 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or 18805 <isc/mutex.h>. 18806 18807 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or 18808 <isc/list.h>. 18809 18810 109. [bug] "make depend" did nothing for 18811 bin/tests/{db,mem,sockaddr,tasks,timers}/. 18812 18813 108. 
[cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from 18814 <dns/types.h> to <dns/bit.h> and renamed to 18815 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR. 18816 18817 107. [func] Add keysigner and keysettool. 18818 18819 106. [func] Allow dnssec verifications to ignore the validity 18820 period. Used by several of the dnssec tools. 18821 18822 105. [doc] doc/dev/coding.html expanded with other 18823 implicit conventions the developers have used. 18824 18825 104. [bug] Made compress_add and compress_find static to 18826 lib/dns/compress.c. 18827 18828 103. [func] libisc buffer API changes for <isc/buffer.h>: 18829 Added: 18830 isc_buffer_base(b) (pointer) 18831 isc_buffer_current(b) (pointer) 18832 isc_buffer_active(b) (pointer) 18833 isc_buffer_used(b) (pointer) 18834 isc_buffer_length(b) (int) 18835 isc_buffer_usedlength(b) (int) 18836 isc_buffer_consumedlength(b) (int) 18837 isc_buffer_remaininglength(b) (int) 18838 isc_buffer_activelength(b) (int) 18839 isc_buffer_availablelength(b) (int) 18840 Removed: 18841 ISC_BUFFER_USEDCOUNT(b) 18842 ISC_BUFFER_AVAILABLECOUNT(b) 18843 isc_buffer_type(b) 18844 Changed names: 18845 isc_buffer_used(b, r) -> 18846 isc_buffer_usedregion(b, r) 18847 isc_buffer_available(b, r) -> 18848 isc_buffer_available_region(b, r) 18849 isc_buffer_consumed(b, r) -> 18850 isc_buffer_consumedregion(b, r) 18851 isc_buffer_active(b, r) -> 18852 isc_buffer_activeregion(b, r) 18853 isc_buffer_remaining(b, r) -> 18854 isc_buffer_remainingregion(b, r) 18855 18856 Buffer types were removed, so the ISC_BUFFERTYPE_* 18857 macros are no more, and the type argument to 18858 isc_buffer_init and isc_buffer_allocate were removed. 18859 isc_buffer_putstr is now void (instead of isc_result_t) 18860 and requires that the caller ensure that there 18861 is enough available buffer space for the string. 18862 18863 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop 18864 on BSD/OS 4.1. 18865 18866 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c. 
18867 18868 100. [cleanup] <isc/random.h> does not need <isc/int.h> or 18869 <isc/mutex.h>. isc_random_t moved to <isc/types.h>. 18870 18871 99. [cleanup] Rate limiter now has separate shutdown() and 18872 destroy() functions, and it guarantees that all 18873 queued events are delivered even in the shutdown case. 18874 18875 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h> 18876 unless ISC_PLATFORM_NEEDVSNPRINTF is defined. 18877 18878 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or 18879 <isc/event.h>. 18880 18881 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>. 18882 18883 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>. 18884 18885 94. [cleanup] Some installed header files did not compile as C++. 18886 18887 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>. 18888 18889 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>, 18890 or <isc/result.h>. 18891 18892 91. [cleanup] <isc/log.h> does not need <sys/types.h> or 18893 <isc/result.h>. 18894 18895 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS 18896 from <named/listenlist.h>. 18897 18898 89. [cleanup] <isc/lex.h> does not need <stddef.h>. 18899 18900 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or 18901 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t 18902 moved to <isc/types.h>. 18903 18904 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>, 18905 <isc/mem.h> or <isc/result.h>. 18906 18907 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to 18908 <isc/types.h>. 18909 18910 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>, 18911 <isc/list.h>, <isc/mem.h>, <isc/region.h> or 18912 <isc/int.h>. 18913 18914 84. [func] allow-query ACL checks now apply to all data 18915 added to a response. 18916 18917 83. 
[func] If the server is authoritative for both a 18918 delegating zone and its (nonsecure) delegatee, and 18919 a query is made for a KEY RR at the top of the 18920 delegatee, then the server will look for a KEY 18921 in the delegator if it is not found in the delegatee. 18922 18923 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>. 18924 18925 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need 18926 <isc/lang.h>. 18927 18928 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>. 18929 18930 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>. 18931 18932 78. [cleanup] lwres_conftest renamed to lwresconf_test for 18933 consistency with other *_test programs. 18934 18935 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from 18936 <isc/time.h> to <isc/types.h>. 18937 18938 76. [cleanup] Rewrote keygen. 18939 18940 75. [func] Don't load a zone if its database file is older 18941 than the last time the zone was loaded. 18942 18943 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a, 18944 subsumed by file.o. 18945 18946 73. [func] New "file" API in libisc, including new function 18947 isc_file_getmodtime, isc_mktemplate renamed to 18948 isc_file_mktemplate and isc_ufile renamed to 18949 isc_file_openunique. By no means an exhaustive API, 18950 it is just what's needed for now. 18951 18952 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS 18953 added for dns_rbt_findnode, the former to disable the 18954 setting of the chain to the predecessor, and the 18955 latter to make clear when no options are set. 18956 18957 71. [cleanup] Made explicit the implicit REQUIREs of 18958 isc_time_seconds, isc_time_nanoseconds, and 18959 isc_time_subtract. 18960 18961 70. [func] isc_time_set() added. 18962 18963 69. [bug] The zone object's master and also-notify lists grew 18964 longer with each server reload. 18965 18966 68. [func] Partial support for SIG(0) on incoming messages. 18967 18968 67. 
[performance] Allow use of alternate (compile-time supplied) 18969 OpenSSL libraries/headers. 18970 18971 66. [func] Data in authoritative zones should have a trust level 18972 beyond secure. 18973 18974 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t 18975 from <dns/types.h>. 18976 18977 64. [func] The RBT, DB, and zone table APIs now allow the 18978 caller find the most-enclosing superdomain of 18979 a name. 18980 18981 63. [func] Generate NOTIFY messages. 18982 18983 62. [func] Add UDP refresh support. 18984 18985 61. [cleanup] Use single quotes consistently in log messages. 18986 18987 60. [func] Catch and disallow singleton types on message 18988 parse. 18989 18990 59. [bug] Cause net/host unreachable to be a hard error 18991 when sending and receiving. 18992 18993 58. [bug] bin/named/query.c could sometimes trigger the 18994 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) 18995 == 0 assertion in query_newname(). 18996 18997 57. [func] Added dns_nxt_typepresent() 18998 18999 56. [bug] SIG records were not properly returned in cached 19000 negative answers. 19001 19002 55. [bug] Responses containing multiple names in the authority 19003 section were not negatively cached. 19004 19005 54. [bug] If a fetch with sigrdataset==NULL joined one with 19006 sigrdataset!=NULL or vice versa, the resolver 19007 could catch an assertion or lose signature data, 19008 respectively. 19009 19010 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires 19011 <sys/param.h>. 19012 19013 52. [bug] rndc: taskmgr and socketmgr were not initialized 19014 to NULL. 19015 19016 51. [cleanup] dns/compress.h and dns/zt.h did not need to include 19017 dns/rbt.h; it was needed only by compress.c and zt.c. 19018 19019 50. [func] RBT deletion no longer requires a valid chain to work, 19020 and dns_rbt_deletenode was added. 19021 19022 49. [func] Each cache now has its own mctx. 19023 19024 48. [func] isc_task_create() no longer takes an mctx. 
19025 isc_task_mem() has been eliminated. 19026 19027 47. [func] A number of modules now use memory context reference 19028 counting. 19029 19030 46. [func] Memory contexts are now reference counted. 19031 Added isc_mem_inuse() and isc_mem_preallocate(). 19032 Renamed isc_mem_destroy_check() to 19033 isc_mem_setdestroycheck(). 19034 19035 45. [bug] The trusted-key statement incorrectly loaded keys. 19036 19037 44. [bug] Don't include authority data if it would force us 19038 to unset the AD bit in the message. 19039 19040 43. [bug] DNSSEC verification of cached rdatasets was failing. 19041 19042 42. [cleanup] Simplified logging of messages with embedded domain 19043 names by introducing a new convenience function 19044 dns_name_format(). 19045 19046 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later 19047 to allow 'named' to run as a non-root user while 19048 retaining the ability to bind() to privileged 19049 ports. 19050 19051 40. [func] Introduced new logging category "dnssec" and 19052 logging module "dns/validator". 19053 19054 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t, 19055 and isc_lex_t to <isc/types.h>. 19056 19057 38. [bug] TSIG signed incoming zone transfers work now. 19058 19059 37. [bug] If the first RR in an incoming zone transfer was 19060 not an SOA, the server died with an assertion failure 19061 instead of just reporting an error. 19062 19063 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS 19064 19065 35. [performance] Log messages which are of a level too high to be 19066 logged by any channel in the logging configuration 19067 will not cause the log mutex to be locked. 19068 19069 34. [bug] Recursion was allowed even with 'recursion no'. 19070 19071 33. [func] The RBT now maintains a parent pointer at each node. 19072 19073 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset() 19074 prototype. 19075 19076 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@. 19077 19078 30. 
[func] config file grammar change to support optional 19079 class type for a view. 19080 19081 29. [func] support new config file view options: 19082 19083 auth-nxdomain recursion query-source 19084 query-source-v6 transfer-source 19085 transfer-source-v6 max-transfer-time-out 19086 max-transfer-idle-out transfer-format 19087 request-ixfr provide-ixfr cleaning-interval 19088 fetch-glue notify rfc2308-type1 lame-ttl 19089 max-ncache-ttl min-roots 19090 19091 28. [func] support lame-ttl, min-roots and serial-queries 19092 config global options. 19093 19094 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*. 19095 Including it on other platforms (eg, NetBSD) can 19096 cause a forced #error from the C preprocessor. 19097 19098 26. [func] new match-clients statement in config file view. 19099 19100 25. [bug] make install failed to install <isc/log.h> and 19101 <isc/ondestroy.h>. 19102 19103 24. [cleanup] Eliminate some unnecessary #includes of header 19104 files from header files. 19105 19106 23. [cleanup] Provide more context in log messages about client 19107 requests, using a new function ns_client_log(). 19108 19109 22. [bug] SIGs weren't returned in the answer section when 19110 the query resulted in a fetch. 19111 19112 21. [port] Look at STD_CINCLUDES after CINCLUDES during 19113 compilation, so additional system include directories 19114 can be searched but header files in the bind9 source 19115 tree with conflicting names take precedence. This 19116 avoids issues with installed versions of dnssafe and 19117 openssl. 19118 19119 20. [func] Configuration file post-load validation of zones 19120 failed if there were no zones. 19121 19122 19. [bug] dns_zone_notifyreceive() failed to unlock the zone 19123 lock in certain error cases. 19124 19125 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in 19126 configure.in to check for presence of in6addr_any. 19127 19128 17. [func] Do configuration file post-load validation of zones. 19129 19130 16. 
[bug] put quotes around key names on config file 19131 output to avoid possible keyword clashes. 19132 19133 15. [func] Add dns_name_dupwithoffsets(). This function is 19134 improves comparison performance for duped names. 19135 19136 14. [bug] free_rbtdb() could have 'put' unallocated memory in 19137 an unlikely error path. 19138 19139 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore 19140 out-of-zone data. 19141 19142 12. [bug] Fixed possible uninitialized variable error. 19143 19144 11. [bug] axfr_rrstream_first() didn't check the result code of 19145 db_rr_iterator_first(), possibly causing an assertion 19146 to be triggered later. 19147 19148 10. [bug] A bug in the code which makes EDNS0 OPT records in 19149 bin/named/client.c and lib/dns/resolver.c could 19150 trigger an assertion. 19151 19152 9. [cleanup] replaced bit-setting code in confctx.c and replaced 19153 repeated code with macro calls. 19154 19155 8. [bug] Shutdown of incoming zone transfer accessed 19156 freed memory. 19157 19158 7. [cleanup] removed 'listen-on' from view statement. 19159 19160 6. [bug] quote RR names when generating config file to 19161 prevent possible clash with config file keywords 19162 (such as 'key'). 19163 19164 5. [func] syntax change to named.conf file: new ssu grant/deny 19165 statements must now be enclosed by an 'update-policy' 19166 block. 19167 19168 4. [port] bin/named/unix/os.c didn't compile on systems with 19169 linux 2.3 kernel includes due to conflicts between 19170 C library includes and the kernel includes. We now 19171 get only what we need from <linux/capability.h>, and 19172 avoid pulling in other linux kernel .h files. 19173 19174 3. [bug] TKEYs go in the answer section of responses, not 19175 the additional section. 19176 19177 2. [bug] Generating cryptographic randomness failed on 19178 systems without /dev/random. 19179 19180 1. 
[bug] The installdirs rule in 19181 lib/isc/unix/include/isc/Makefile.in had a typo which 19182 prevented the isc directory from being created if it 19183 didn't exist. 19184 19185 --- 9.0.0b2 released --- 19186 19187# This tells Emacs to use hard tabs in this file. 19188# Local Variables: 19189# indent-tabs-mode: t 19190# End: 19191