5736.	[placeholder]

5735.	[cleanup]	The result codes which BIND 9 uses internally are now
			all defined as a single list of enum values rather than
			as multiple sets of integers scattered around shared
			libraries. This prevents the need for locking in some
			functions operating on result codes, and makes result
			codes more debugger-friendly. [GL #719]

5734.	[bug]		Fix "dig" aborting with error in some cases
			like when doing zone transfers. [GL #2884]

5733.	[func]		Require "dot" ALPN token to be negotiated for
			zone transfers over TLS (XoT), as required by RFC9103.
			[GL #2794]

5732.	[cleanup]	Remove dns_lib_init() and _shutdown() and
			ns_lib_init() and _shutdown() functions, as they
			no longer served any useful purpose. [GL #88]

5731.	[bug]		Do not allow defining "http" clauses named
			"default". [GL #2925]

5730.	[func]		The resolver and the request and dispatch managers
			have been substantially refactored, and are now
			based on the network manager instead of the old
			isc_socket API. All outgoing DNS queries and
			requests now use the new API; isc_socket is only
			used to monitor for network interface changes.
			[GL #2401]

5729.	[func]		Allow finer control over the TLS protocol by
			implementing more options within "tls" clauses, namely:
			- Diffie-Hellman parameters via
			  'dhparam-file "<path_to_file>";'
			- OpenSSL cipher list string via
			  'ciphers "<cipher_list>";'
			- Server or client ciphers preference via
			  'prefer-server-ciphers yes|no;'
			- Ability to explicitly enable or disable stateless
			  TLS session tickets via 'session-tickets yes|no;'
			The options are enough to implement perfect forward
			secrecy in DNS-over-TLS, DNS-over-HTTPS transports.
			Most of these options were no-op before this
			change. [GL #2796]

5728.	[func]		Allow specifying supported TLS protocol
			versions within "tls" clauses
			(e.g. protocols { TLSv1.2; TLSv1.3; };). [GL #2795]

5727.	[bug]		Ignore the missing zones when doing a reload on a
			catalog zone, and make sure to restore them later on.
			[GL #2308]

5726.	[bug]		Fix heap use after free when checking for "http"
			clauses duplicates. [GL #2924]

5725.	[bug]		Validate HTTP path passed to dig. [GL #2923]

5724.	[bug]		Address potential deadlock when checking zone
			content consistency. [GL #2908]

5723.	[bug]		Backwards compatibility for 'check-names master' and
			'check-names slave' was accidentally broken. [GL #2911]

5722.	[bug]		Preserve the contents of TCPDNS and TLSDNS receive
			buffer when growing the buffer size. [GL #2917]

5721.	[func]		New isc_mem_reget() realloc-like function was
			introduced into the libisc API, and zero-sized
			allocations now return non-NULL pointers. [GL !5440]

5720.	[contrib]	Remove old-style DLZ drivers that had to be enabled
			during compile time. [GL #2814]

5719.	[func]		The "masterfile-format" format "map" has been removed.
			[GL #2882]

5718.	[bug]		Changing the sig signing type, by specifying
			sig-signing-type, failed as the configuration was
			incorrectly rejected. [GL #2906]

5717.	[func]		The "cache-file" option, which was documented as
			for testing purposes only and not to be used,
			has been removed. [GL #2903]

5716.	[placeholder]

5715.	[func]		Add a check when the *-source(-v6) clashes with the
			global listening port. Such a configuration was already
			forbidden, but it failed silently. [GL #2888]

5714.	[bug]		Remove the "adjust interface" mechanism that
			set up a listener on interfaces where the *-source(-v6)
			address and port were the same as the listening
			address and port. Such a configuration is no longer
			supported; in practice, this would disable
			listening on TCP ports under certain timing conditions.
			[GL #2852]

5713.	[func]		Added "primaries" as a synonym for "masters" and
			"default-primaries" as a synonym for "default-masters"
			for catalog zones configuration options. [GL #2818]

5712.	[func]		Remove native PKCS#11 support in favor of OpenSSL
			engine_pkcs11 from the OpenSC project. [GL #2691]

	--- 9.17.18 released ---

5711.	[bug]		"map" files exceeding 2GB in size failed to load due to
			a size comparison that incorrectly treated the file size
			as a signed integer. [GL #2878]

5710.	[placeholder]

5709.	[func]		When reporting zone types in the statistics channel, the
			terms "primary" and "secondary" are now used instead of
			"master" and "slave", respectively. Enum values
			throughout the code have been updated to use this
			terminology as well. [GL #1944]

5708.	[placeholder]

5707.	[bug]		A bug was fixed which prevented dig from querying
			DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860]

5706.	[cleanup]	Support for external applications to register with
			libisc and use it has been removed. Export versions of
			BIND 9 libraries have not been supported for some time,
			but the isc_lib_register() function was still available;
			it has now been removed. [GL !2420]

5705.	[bug]		Change #5686 altered the internal memory structure of
			zone databases, but neglected to update the MAPAPI value
			for zone files in "map" format. This caused named to
			attempt to load incompatible map files, triggering an
			assertion failure on startup. The MAPAPI value has now
			been updated, so named rejects outdated files when
			encountering them. [GL #2872]

5704.	[bug]		Change #5317 caused the EDNS TCP Keepalive option to be
			ignored inadvertently in client requests. It has now
			been fixed and this option is handled properly again.
			[GL #1927]

5703.	[bug]		Fix a crash in dig caused by closing an HTTP/2 socket
			associated with an unused HTTP/2 session. [GL #2858]

5702.	[bug]		Improve compatibility with DNS-over-HTTPS (DoH) clients
			by allowing HTTP/2 request headers in any order.
			[GL #2875]

5701.	[bug]		named-checkconf failed to detect syntactically invalid
			values of the "key" and "tls" parameters used to define
			members of remote server lists. [GL #2461]

5700.	[bug]		When a member zone was removed from a catalog zone,
			journal files for the former were not deleted.
			[GL #2842]

5699.	[func]		Data structures holding DNSSEC signing statistics are
			now grown and shrunk as necessary upon key rollover
			events. [GL #1721]

5698.	[bug]		When a DNSSEC-signed zone which only has a single
			signing key available is migrated to use KASP, that key
			is now treated as a Combined Signing Key (CSK).
			[GL #2857]

5697.	[func]		dnssec-cds now only generates SHA-2 DS records by
			default and avoids copying deprecated SHA-1 records from
			a child zone to its delegation in the parent. If the
			child zone does not publish SHA-2 CDS records,
			dnssec-cds will generate them from the CDNSKEY records.
			The "-a algorithm" option now affects the process of
			generating DS digest records from both CDS and CDNSKEY
			records. Thanks to Tony Finch. [GL #2871]

5696.	[protocol]	Support for HTTPS and SVCB record types has been added.
			[GL #1132]

5695.	[func]		Add a new dig command-line option, "+showbadcookie",
			which causes a BADCOOKIE response message to be
			displayed when it is received from the server.
			[GL #2319]

5694.	[bug]		Stale data in the cache could cause named to send
			non-minimized queries despite QNAME minimization being
			enabled. [GL #2665]

5693.	[func]		Restore support for reading "timeout" and "attempts"
			options from /etc/resolv.conf, and use their values in
			dig, host, and nslookup. (This was previously supported
			by liblwres, and was still mentioned in the man pages,
			but had stopped working after liblwres was deprecated in
			favor of libirs.) [GL #2785]

5692.	[bug]		Fix a rare crash in DNS-over-HTTPS (DoH) code caused by
			detaching from an HTTP/2 session handle too early when
			sending data. [GL #2851]

5691.	[bug]		When a dynamic zone was made available in another view
			using the "in-view" statement, running "rndc freeze"
			always reported an "already frozen" error even though
			the zone was successfully frozen. [GL #2844]

5690.	[func]		dnssec-signzone now honors Predecessor and Successor
			metadata found in private key files: if a signature for
			an RRset generated by the inactive predecessor exists
			and does not need to be replaced, no additional
			signature is now created for that RRset using the
			successor key. This enables dnssec-signzone to gradually
			replace RRSIGs during a ZSK rollover. [GL #1551]

	--- 9.17.17 released ---

5689.	[security]	An assertion failure occurred when named attempted to
			send a UDP packet that exceeded the MTU size, if
			Response Rate Limiting (RRL) was enabled.
			(CVE-2021-25218) [GL #2856]

5688.	[bug]		Zones using KASP and inline-signed zones failed to apply
			changes from the unsigned zone to the signed zone under
			certain circumstances. This has been fixed. [GL #2735]

5687.	[bug]		"rndc reload <zonename>" could trigger a redundant
			reload for an inline-signed zone whose zone file was not
			modified since the last "rndc reload". This has been
			fixed. [GL #2855]

5686.	[func]		The number of internal data structures allocated for
			each zone was reduced. [GL #2829]

5685.	[bug]		named failed to check the opcode of responses when
			performing zone refreshes, stub zone updates, and UPDATE
			forwarding. This has been fixed. [GL #2762]

5684.	[func]		The DNS-over-HTTP (DoH) configuration syntax was
			extended:
			- The maximum number of active DoH connections can now
			  be set using the "http-listener-clients" option. The
			  default is 300.
			- The maximum number of concurrent HTTP/2 streams per
			  connection can now be set using the
			  "http-streams-per-connection" option. The default is
			  100.
			- Both of these values can also be set on a per-listener
			  basis using the "listener-clients" and
			  "streams-per-connection" parameters in an "http"
			  statement.
			[GL #2809]

5683.	[bug]		The configuration-checking code now verifies HTTP paths.
			[GL !5231]

5682.	[bug]		Some changes to "zone-statistics" settings were not
			properly processed by "rndc reconfig". This has been
			fixed. [GL #2820]

5681.	[func]		Relax the checks in the dns_zone_cdscheck() function to
			allow CDS and CDNSKEY records in the zone that do not
			match an existing DNSKEY record, as long as the
			algorithm matches. This allows a clean rollover from one
			provider to another in a multi-signer DNSSEC
			configuration. [GL #2710]

5680.	[bug]		HTTP GET requests without query strings caused a crash
			in DoH code. This has been fixed. [GL !5268]

5679.	[func]		Thread affinity is no longer set. [GL #2822]

5678.	[bug]		The "check DS" code failed to release all resources upon
			named shutdown when a refresh was in progress. This has
			been fixed. [GL #2811]

5677.	[func]		Previously, named accepted FORMERR responses both with
			and without an OPT record, as an indication that a given
			server did not support EDNS. To implement full
			compliance with RFC 6891, only FORMERR responses without
			an OPT record are now accepted. This intentionally
			breaks communication with servers that do not support
			EDNS and that incorrectly echo back the query message
			with the RCODE field set to FORMERR and the QR bit set
			to 1. [GL #2249]

5676.	[func]		Memory allocation has been substantially refactored; it
			is now based on the memory allocation API provided by
			the jemalloc library, which is a new optional build
			dependency for BIND 9. [GL #2433]

5675.	[bug]		Compatibility with DoH clients has been improved by
			ignoring the value of the "Accept" HTTP header.
			[GL !5246]

5674.	[bug]		A shutdown hang was triggered by DoH clients prematurely
			aborting HTTP/2 streams. This has been fixed. [GL !5245]

5673.	[func]		Add a new build-time option, --disable-doh, to allow
			building BIND 9 without the libnghttp2 library.
			[GL #2478]

5672.	[bug]		Authentication of rndc messages could fail if a
			"controls" statement was configured with multiple key
			algorithms for the same listener. This has been fixed.
			[GL #2756]

	--- 9.17.16 released ---

5671.	[bug]		A race condition could occur where two threads were
			competing for the same set of key file locks, leading to
			a deadlock. This has been fixed. [GL #2786]

5670.	[bug]		create_keydata() created an invalid placeholder keydata
			record upon a refresh failure, which prevented the
			database of managed keys from subsequently being read
			back. This has been fixed. [GL #2686]

5669.	[func]		KASP support was extended with the "check DS" feature.
			Zones with "dnssec-policy" and "parental-agents"
			configured now check for DS presence and can perform
			automatic KSK rollovers. [GL #1126]

5668.	[bug]		Rescheduling a setnsec3param() task when a zone failed
			to load on startup caused a hang on shutdown. This has
			been fixed. [GL #2791]

5667.	[bug]		The configuration-checking code failed to account for
			the inheritance rules of the "dnssec-policy" option.
			This has been fixed. [GL #2780]

5666.	[doc]		The safe "edns-udp-size" value was tweaked to match the
			probing value from BIND 9.16 for better compatibility.
			[GL #2183]

5665.	[bug]		If nsupdate sends an SOA request and receives a REFUSED
			response, it now fails over to the next available
			server. [GL #2758]

5664.	[func]		For UDP messages larger than the path MTU, named now
			sends an empty response with the TC (TrunCated) bit set.
			In addition, setting the DF (Don't Fragment) flag on
			outgoing UDP sockets was re-enabled. [GL #2790]

5663.	[bug]		Non-zero OPCODEs are now properly handled when receiving
			queries over DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
			channels. [GL #2787]

5662.	[bug]		Views with recursion disabled are now configured with a
			default cache size of 2 MB unless "max-cache-size" is
			explicitly set. This prevents cache RBT hash tables from
			being needlessly preallocated for such views. [GL #2777]

5661.	[bug]		Change 5644 inadvertently introduced a deadlock: when
			locking the key file mutex for each zone structure in a
			different view, the "in-view" logic was not considered.
			This has been fixed. [GL #2783]

5660.	[bug]		The configuration-checking code failed to account for
			the inheritance rules of the "key-directory" option.
			[GL #2778]

			This change was included in BIND 9.17.15.

5659.	[bug]		When preparing DNS responses, named could replace the
			letters 'W' (uppercase) and 'w' (lowercase) with '\000'.
			This has been fixed. [GL #2779]

			This change was included in BIND 9.17.15.

5658.	[bug]		Increasing "max-cache-size" for a running named instance
			(using "rndc reconfig") did not cause the hash tables
			used by cache databases to be grown accordingly. This
			has been fixed. [GL #2770]

5657.	[cleanup]	Support was removed for both built-in atomics in old
			versions of Clang (< 3.6.0) and GCC (< 4.7.0), and
			atomics emulated with a mutex. [GL #2606]

5656.	[bug]		Named now ensures that large responses work correctly
			over DNS-over-HTTPS (DoH), and that zone transfer
			requests over DoH are explicitly rejected. [GL !5148]

5655.	[bug]		Signed, insecure delegation responses prepared by named
			either lacked the necessary NSEC records or contained
			duplicate NSEC records when both wildcard expansion and
			CNAME chaining were required to prepare the response.
			This has been fixed. [GL #2759]

5654.	[port]		Windows support has been removed. [GL #2690]

5653.	[bug]		A bug that caused the NSEC3 salt to be changed on every
			restart for zones using KASP has been fixed. [GL #2725]

	--- 9.17.14 released ---

5652.	[bug]		A copy-and-paste error in change 5584 caused the
			IP_DONTFRAG socket option to be enabled instead of
			disabled. This has been fixed. [GL #2746]

5651.	[func]		Refactor zone dumping to be processed asynchronously via
			the uv_work_t thread pool API. [GL #2732]

5650.	[bug]		Prevent a crash that could occur if serve-stale was
			enabled and a prefetch was triggered during a query
			restart. [GL #2733]

5649.	[bug]		If a query was answered with stale data on a server with
			DNS64 enabled, an assertion could occur if a non-stale
			answer arrived afterward. [GL #2731]

5648.	[bug]		The calculation of the estimated IXFR transaction size
			in dns_journal_iter_init() was invalid. [GL #2685]

5647.	[func]		The interface manager has been refactored to use fewer
			client manager objects, which in turn use fewer memory
			contexts and tasks. This should result in less
			fragmented memory and better startup performance.
			[GL #2433]

5646.	[bug]		The default TCP timeout for rndc has been increased to
			60 seconds. This was its original value, but it had been
			inadvertently lowered to 10 when rndc was updated to use
			the network manager. [GL #2643]

5645.	[cleanup]	Remove the rarely-used dns_name_copy() function and
			rename dns_name_copynf() to dns_name_copy(). [GL !5081]

5644.	[bug]		Fix a race condition in reading and writing key files
			for zones using KASP and configured in multiple views.
			[GL #1875]

5643.	[placeholder]

5642.	[bug]		Zones which are configured in multiple views with
			different values set for "dnssec-policy" and with
			identical values set for "key-directory" are now
			detected and treated as a configuration error.
			[GL #2463]

5641.	[bug]		Address a potential memory leak in
			dst_key_fromnamedfile(). [GL #2689]

5640.	[func]		Add new configuration options for setting the size of
			receive and send buffers in the operating system:
			"tcp-receive-buffer", "tcp-send-buffer",
			"udp-receive-buffer", and "udp-send-buffer". [GL #2313]

5639.	[bug]		Check that the first and last SOA record of an AXFR are
			consistent. [GL #2528]

	--- 9.17.13 released ---

5638.	[bug]		Improvements related to network manager/task manager
			integration:
			- isc_managers_create() and isc_managers_destroy()
			  functions were added to handle setup and teardown of
			  netmgr, taskmgr, timermgr, and socketmgr, since these
			  require a precise order of operations now.
			- Event queue processing is now quantized to prevent
			  infinite looping.
			- The netmgr can now be paused from within a netmgr
			  thread.
			- Deadlocks due to a conflict between netmgr's
			  pause/resume and listen/stoplistening operations were
			  fixed.
			[GL #2654]

5637.	[placeholder]

5636.	[bug]		named and named-checkconf did not report an error when
			multiple zones with the "dnssec-policy" option set were
			using the same zone file. This has been fixed.
			[GL #2603]

5635.	[bug]		Journal compaction could fail when a journal with
			invalid transaction headers was not detected at startup.
			This has been fixed. [GL #2670]

5634.	[bug]		If "dnssec-policy" was active and a private key file was
			temporarily offline during a rekey event, named could
			incorrectly introduce replacement keys and break a
			signed zone. This has been fixed. [GL #2596]

5633.	[doc]		The "inline-signing" option was incorrectly described as
			being inherited from the "options"/"view" levels and was
			incorrectly accepted at those levels without effect.
			This has been fixed. [GL #2536]

5632.	[func]		Add a new built-in KASP, "insecure", which is used to
			transition a zone from a signed to an unsigned state.
			The existing built-in KASP "none" should no longer be
			used to unsign a zone. [GL #2645]

5631.	[protocol]	Update the implementation of the ZONEMD RR type to match
			RFC 8976. [GL #2658]

5630.	[func]		Treat DNSSEC responses containing NSEC3 records with
			iteration counts greater than 150 as insecure.
			[GL #2445]

5629.	[func]		Reduce the maximum supported number of NSEC3 iterations
			that can be configured for a zone to 150. [GL #2642]

5628.	[bug]		Host and nslookup could crash upon receiving a SERVFAIL
			response. This has been fixed. [GL #2564]

5627.	[bug]		RRSIG(SOA) RRsets placed anywhere other than at the zone
			apex were triggering infinite resigning loops. This has
			been fixed. [GL #2650]

5626.	[bug]		When generating zone signing keys, KASP now also checks
			for key ID conflicts among newly created keys, rather
			than just between new and existing ones. [GL #2628]

5625.	[bug]		A deadlock could occur when multiple "rndc addzone",
			"rndc delzone", and/or "rndc modzone" commands were
			invoked simultaneously for different zones. This has
			been fixed. [GL #2626]

5624.	[func]		Task manager events are now processed inside network
			manager loops. The task manager no longer needs its own
			set of worker threads, which improves resolver
			performance. [GL #2638]

5623.	[bug]		When named was shut down during an ongoing zone
			transfer, xfrin_fail() could incorrectly be called
			twice. This has been fixed. [GL #2630]

5622.	[cleanup]	The lib/samples/ directory has been removed, as export
			versions of libraries are no longer maintained.
			[GL !4835]

5621.	[placeholder]

5620.	[bug]		If zone journal files written by BIND 9.16.11 or earlier
			were present when BIND was upgraded, the zone file for
			that zone could have been inadvertently rewritten with
			the current zone contents. This caused the original zone
			file structure (e.g. comments, $INCLUDE directives) to
			be lost, although the zone data itself was preserved.
			This has been fixed. [GL #2623]

5619.	[protocol]	Implement draft-vandijk-dnsop-nsec-ttl, updating the
			protocol such that NSEC(3) TTL values are set to the
			minimum of the SOA MINIMUM value or the SOA TTL.
			[GL #2347]

5618.	[bug]		Change 5149 introduced some inconsistencies in the way
			record TTLs were presented in cache dumps. These
			inconsistencies have been eliminated. [GL #389]
			[GL #2289]

	--- 9.17.12 released ---

5617.	[placeholder]

5616.	[security]	named crashed when a DNAME record placed in the ANSWER
			section during DNAME chasing turned out to be the final
			answer to a client query. (CVE-2021-25215) [GL #2540]

5615.	[security]	Insufficient IXFR checks could result in named serving a
			zone without an SOA record at the apex, leading to a
			RUNTIME_CHECK assertion failure when the zone was
			subsequently refreshed. This has been fixed by adding an
			owner name check for all SOA records which are included
			in a zone transfer. (CVE-2021-25214) [GL #2467]

5614.	[bug]		Ensure all resources are properly cleaned up when a call
			to gss_accept_sec_context() fails. [GL #2620]

5613.	[bug]		It was possible to write an invalid transaction header
			in the journal file for a managed-keys database after
			upgrading. This has been fixed. Invalid headers in
			existing journal files are detected and named is able
			to recover from them. [GL #2600]

5612.	[bug]		Continued refactoring of the network manager:
			- allow recovery from read and connect timeout events,
			- ensure that calls to isc_nm_*connect() always
			  return the connection status via a callback
			  function.
			[GL #2401]

5611.	[func]		Set "stale-answer-client-timeout" to "off" by default.
			[GL #2608]

5610.	[bug]		Prevent a crash which could happen when a lookup
			triggered by "stale-answer-client-timeout" was attempted
			right after recursion for a client query finished.
			[GL #2594]

5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
			source code. It was no longer necessary as all major
			contemporary Kerberos/GSSAPI libraries include support
			for SPNEGO. [GL #2607]

5608.	[bug]		When sending queries over TCP, dig now properly handles
			"+tries=1 +retry=0" by not retrying the connection when
			the remote server closes the connection prematurely.
			[GL #2490]

5607.	[bug]		As "rndc dnssec -checkds" and "rndc dnssec -rollover"
			commands may affect the next scheduled key event,
			reconfiguration of zone keys is now triggered after
			receiving either of these commands to prevent
			unnecessary key rollover delays. [GL #2488]

5606.	[bug]		CDS/CDNSKEY DELETE records are now removed when a zone
			transitions from a secure to an insecure state.
			named-checkzone also no longer reports an error when
			such records are found in an unsigned zone. [GL #2517]

5605.	[bug]		"dig -u" now uses the CLOCK_REALTIME clock source for
			more accurate time reporting. [GL #2592]

5604.	[experimental]	A "filter-a.so" plugin, which is similar to the
			"filter-aaaa.so" plugin but which omits A records
			instead of AAAA records, has been added. Thanks to
			GitLab user @treysis. [GL #2585]

5603.	[placeholder]

5602.	[bug]		Fix TCPDNS and TLSDNS timers in Network Manager. This
			makes the "tcp-initial-timeout" and "tcp-idle-timeout"
			options work correctly again. [GL #2583]

5601.	[bug]		Zones using KASP could not be thawed after they were
			frozen using "rndc freeze". This has been fixed.
			[GL #2523]

5600.	[bug]		Send a full certificate chain instead of just the leaf
			certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS
			(DoH) clients. This makes BIND 9 DoT/DoH servers
			compatible with a broader set of clients. [GL #2514]

5599.	[bug]		Fix a named crash which occurred after skipping a
			primary server while transferring a zone over TLS.
			[GL #2562]

5598.	[port]		Silence -Wchar-subscripts compiler warnings triggered on
			some platforms due to calling character classification
			functions declared in the <ctype.h> header with
			arguments of type char. [GL #2567]

	--- 9.17.11 released ---

5597.	[bug]		When serve-stale was enabled and starting the recursive
			resolution process for a query failed, a named instance
			could crash if it was configured as both a recursive and
			authoritative server. This problem was introduced by
			change 5573 and has now been fixed. [GL #2565]

5596.	[func]		Client-side support for DNS-over-HTTPS (DoH) has been
			added to dig. "dig +https" can now query a server via
			HTTP/2. [GL #1641]

5595.	[cleanup]	Public header files for BIND 9 libraries no longer
			directly include third-party library headers. This
			prevents the need to include paths to third-party header
			files in CFLAGS whenever BIND 9 public header files are
			used, which could cause build-time issues on hosts with
			older versions of BIND 9 installed. [GL #2357]

5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
			[GL #2298]

5593.	[bug]		Journal files written by older versions of named can now
			be read when loading zones, so that journal
			incompatibility does not cause problems on upgrade.
			Outdated journals are updated to the new format after
			loading. [GL #2505]

5592.	[bug]		Prevent hazard pointer table overflows on machines with
			many cores, by allowing the thread IDs (serving as
			indices into hazard pointer tables) of finished threads
			to be reused by those created later. [GL #2396]

5591.	[bug]		Fix a crash that occurred when
			"stale-answer-client-timeout" was triggered without any
			(stale) data available in the cache to answer the query.
			[GL #2503]

5590.	[bug]		NSEC3 records were not immediately created for dynamic
			zones using NSEC3 with "dnssec-policy", resulting in
			such zones going bogus. Add code to process the
			NSEC3PARAM queue at zone load time so that NSEC3 records
			for such zones are created immediately. [GL #2498]

5589.	[placeholder]

5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
			option determines the period of time for which key files
			are retained after they become obsolete. [GL #2408]

5587.	[bug]		A standalone libtool script no longer needs to be
			present in PATH to build BIND 9 from a source tarball
			prepared using "make dist". [GL #2504]

5586.	[bug]		An invalid direction field in a LOC record resulted in
			an INSIST failure when a zone file containing such a
			record was loaded. [GL #2499]

5585.	[func]		Memory contexts and memory pool implementations were
			refactored to reduce lock contention for shared memory
			contexts by replacing mutexes with atomic operations.
			The internal memory allocator was simplified so that it
			is only a thin wrapper around the system allocator. This
			change made the "-M external" named option redundant and
			it was therefore removed. [GL #2433]

5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
			prevent dropping outgoing packets exceeding
			"max-udp-size". [GL #2466]

5583.	[func]		Changes to DNS-over-HTTPS (DoH) configuration syntax:
			- When "http" is specified in "listen-on" or
			  "listen-on-v6" statements, "tls" must also now be
			  specified. If an unencrypted connection is desired
			  (for example, when running behind a reverse proxy),
			  use "tls none".
			- "http default" can now be specified in "listen-on" and
			  "listen-on-v6" statements to use the default HTTP
			  endpoint of "/dns-query". It is no longer necessary to
			  include an "http" statement in named.conf unless
			  overriding this value.
			[GL #2472]

5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
			were used and the pkg-config files for libssl and/or
			libcrypto were unavailable. This has been fixed by
			ensuring that the correct linking order for libssl and
			libcrypto is always used. [GL #2402]

5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
			were added to the configuration, followed by a
			reconfiguration of named. [GL #2041]

5580.	[test]		The system test framework no longer differentiates
			between SKIPPED and UNTESTED system test results. Any
			system test which is not run is now marked as SKIPPED.
			[GL !4517]

5579.	[bug]		If an invalid key name (e.g. "a..b") was specified in a
			primaries list in named.conf, the wrong size was passed
			to isc_mem_put(), resulting in the returned memory being
			put on the wrong free list. This prevented named from
			starting up. [GL #2460]

	--- 9.17.10 released ---

5578.	[protocol]	Make "check-names" accept A records below "_spf",
			"_spf_rate", and "_spf_verify" labels in order to cater
			for the "exists" SPF mechanism specified in RFC 7208
			section 5.7 and appendix D.1. [GL #2377]

5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
			correctly implementing Equation (2) of the "Flexible and
			Robust Key Rollover" paper. [GL #2375]

5576.	[experimental]	Initial server-side implementation of DNS-over-HTTPS
			(DoH). Support for both TLS-encrypted and unencrypted
			HTTP/2 connections has been added to the network manager
			and integrated into named. (Note: there is currently no
			client-side support for DNS-over-HTTPS; this will be
			added to dig in a future release.) [GL #1144]

5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
			"Inactive" and/or "Delete" timing metadata to be
			possible active keys. This has been fixed. [GL #2406]

5574.	[func]		Incoming zone transfers can now use TLS. Addresses in a
			"primaries" list take an optional "tls" argument,
			specifying either a previously configured "tls" block or
			"ephemeral"; SOA queries and zone transfer requests are
			then sent via TLS. [GL #2392]

5573.	[func]		When serve-stale is enabled and stale data is available,
			named now returns stale answers upon encountering any
			unexpected error in the query resolution process.
			However, the "stale-refresh-time" window is still only
			started upon a timeout. [GL #2434]

5572.	[bug]		Address potential double free in generatexml().
			[GL #2420]

5571.	[bug]		named failed to start when its configuration included a
			zone with a non-builtin "allow-update" ACL attached.
			[GL #2413]

5570.	[bug]		Improve performance of the DNSSEC verification code by
			reducing the number of repeated calls to
			dns_dnssec_keyfromrdata(). [GL #2073]

5569.	[bug]		Emit useful error message when "rndc retransfer" is
			applied to a zone of inappropriate type. [GL #2342]

5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
			keys. [GL #2178]

5567.	[bug]		Dig now reports unknown dash options while pre-parsing
			the options. This prevents "-multi" instead of "+multi"
			from reporting memory usage before ending option parsing
			with "Invalid option: -lti". [GL #2403]

5566.	[func]		Add "stale-answer-client-timeout" option, which is the
			amount of time a recursive resolver waits before
			attempting to answer the query using stale data from
			cache. [GL #2247]

5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
			BIND 9 version number, in an effort to tightly couple
			internal libraries with a specific release. [GL #2387]

5564.	[cleanup]	Network manager's TLSDNS module was refactored to use
			libuv and libssl directly instead of a stack of TCP/TLS
			sockets. [GL #2335]

5563.	[cleanup]	Changed several obsolete configuration options to
			ancient, making them fatal errors. Also cleaned up the
			number of clause flags in the configuration parser.
			[GL #1086]

5562.	[placeholder]

5561.	[bug]		KASP incorrectly set signature validity to the value of
			the DNSKEY signature validity. This is now fixed.
			[GL #2383]

5560.	[func]		The default value of "max-stale-ttl" has been changed
			from 12 hours to 1 day and the default value of
			"stale-answer-ttl" has been changed from 1 second to 30
			seconds, following RFC 8767 recommendations. [GL #2248]

	--- 9.17.9 released ---

5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
			enabling support for libmaxminddb was not working
			correctly. This has been fixed. [GL #2366]

5558.	[bug]		Asynchronous hook modules could trigger an assertion
			failure when the fetch handle was detached too late.
			Thanks to Jinmei Tatuya at Infoblox. [GL #2379]

5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
			threads at the same time. [GL #2317]

5556.	[bug]		Further tweak newline printing in dnssec-signzone and
			dnssec-verify. [GL #2359]

5555.	[placeholder]

5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
			between log messages. [GL #2359]

5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
			turn off DNSSEC maintenance. [GL #2341]

5552.	[func]		When switching to "dnssec-policy none;", named now
			permits a safe transition to insecure mode and publishes
			the CDS and CDNSKEY DELETE records, as described in RFC
			8078. [GL #1750]

5551.	[bug]		named no longer attempts to assign threads to CPUs
			outside the CPU affinity set. Thanks to Ole Bjørn
			Hessen. [GL #2245]

5550.	[func]		dnssec-signzone and named now log a warning when falling
			back to the "increment" SOA serial method. [GL #2058]

5549.	[protocol]	ipv4only.arpa is now served when DNS64 is configured.
			[GL #385]

5548.	[placeholder]

5547.	[placeholder]

	--- 9.17.8 released ---

5546.	[placeholder]

5545.	[func]		OS support for load-balanced sockets is no longer
			required to receive incoming queries in multiple netmgr
			threads. [GL #2137]

5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
			bytes. [GL #2250]

5543.	[bug]		Fix UDP performance issues caused by making netmgr
			callbacks asynchronous-only. [GL #2320]

5542.	[bug]		Refactor netmgr.
[GL #1920] [GL #2034] [GL #2061] 892 [GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318] 893 [GL #2321] 894 8955541. [func] Adjust the "max-recursion-queries" default from 75 to 896 100. [GL #2305] 897 8985540. [port] Fix building with native PKCS#11 support for AEP Keyper. 899 [GL #2315] 900 9015539. [bug] Tighten handling of missing DNS COOKIE responses over 902 UDP by falling back to TCP. [GL #2275] 903 9045538. [func] Add NSEC3 support to KASP. A new option for 905 "dnssec-policy", "nsec3param", can be used to set the 906 desired NSEC3 parameters. NSEC3 salt collisions are 907 automatically prevented during resalting. Salt 908 generation is now logged with zone context. [GL #1620] 909 9105537. [func] The query plugin mechanism has been extended 911 to support asynchronous operations. For example, a 912 plugin can now trigger recursion and resume 913 processing when it is complete. Thanks to Jinmei 914 Tatuya at Infoblox. [GL #2141] 915 9165536. [func] Dig can now report the DNS64 prefixes in use 917 (+dns64prefix). [GL #1154] 918 9195535. [bug] dig/nslookup/host could crash on shutdown after an 920 interrupt. [GL #2287] [GL #2288] 921 9225534. [bug] The CNAME synthesized from a DNAME was incorrectly 923 followed when the QTYPE was CNAME or ANY. [GL #2280] 924 925 --- 9.17.7 released --- 926 9275533. [func] Add the "stale-refresh-time" option, a time window that 928 starts after a failed lookup, during which a stale RRset 929 is served directly from cache before a new attempt to 930 refresh it is made. [GL #2066] 931 9325532. [cleanup] Unused header files were removed: 933 bin/rndc/include/rndc/os.h, lib/isc/timer_p.h, 934 lib/isccfg/include/isccfg/dnsconf.h and code related 935 to those files. [GL #1913] 936 9375531. [func] Add support for DNS over TLS (DoT) to dig and named. 938 dig output now includes the transport protocol used. 939 [GL #1816] [GL #1840] 940 9415530. [bug] dnstap did not capture responses to forwarded UPDATE 942 requests. 
[GL #2252] 943 9445529. [func] The network manager API is now used by named to send 945 zone transfer requests. [GL #2016] 946 9475528. [func] Convert dig, host, and nslookup to use the network 948 manager API. As a side effect of this change, "dig 949 +unexpected" no longer works, and has been disabled. 950 [GL #2140] 951 9525527. [bug] A NULL pointer dereference occurred when creating an NTA 953 recheck query failed. [GL #2244] 954 9555526. [bug] Fix a race/NULL dereference in TCPDNS read. [GL #2227] 956 9575525. [placeholder] 958 9595524. [func] Added functionality to the network manager to support 960 outgoing DNS queries in addition to incoming ones. 961 [GL #2235] 962 9635523. [bug] The initial lookup in a zone transitioning to/from a 964 signed state could fail if the DNSKEY RRset was not 965 found. [GL #2236] 966 9675522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227] 968 9695521. [func] All use of libltdl was dropped. libuv's shared library 970 handling interface is now used instead. [GL !4278] 971 9725520. [bug] Fixed a number of shutdown races, reference counting 973 errors, and spurious log messages that could occur 974 in the network manager. [GL #2221] 975 9765519. [cleanup] Unused source code was removed: lib/dns/dbtable.c, 977 lib/dns/portlist.c, lib/isc/bufferlist.c, and code 978 related to those files. [GL #2060] 979 9805518. [bug] Stub zones now work correctly with primary servers using 981 "minimal-responses yes". [GL #1736] 982 9835517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr. 984 [GL #2208] 985 986 --- 9.17.6 released --- 987 9885516. [func] The default EDNS buffer size has been changed from 4096 989 to 1232 bytes, the EDNS buffer size probing has been 990 removed, and named now sets the DF (Don't Fragment) flag 991 on outgoing UDP packets. [GL #2183] 992 9935515. [func] Add 'rndc dnssec -rollover' command to trigger a manual 994 rollover for a specific key. [GL #1749] 995 9965514. 
[bug] Fix KASP expected key size for Ed25519 and Ed448. 997 [GL #2171] 998 9995513. [doc] The ARM section describing the "rrset-order" statement 1000 was rewritten to make it unambiguous and up-to-date with 1001 the source code. [GL #2139] 1002 10035512. [bug] "rrset-order" rules using "order none" were causing 1004 named to crash despite named-checkconf treating them as 1005 valid. [GL #2139] 1006 10075511. [bug] 'dig -u +yaml' failed to display timestamps to the 1008 microsecond. [GL #2190] 1009 10105510. [bug] Implement the attach/detach semantics for dns_message_t 1011 to fix a data race in accessing an already-destroyed 1012 fctx->rmessage. [GL #2124] 1013 10145509. [bug] filter-aaaa: named crashed upon shutdown if it was in 1015 the process of recursing for A RRsets. [GL #1040] 1016 10175508. [func] Added new parameter "-expired" for "rndc dumpdb" that 1018 also prints expired RRsets (awaiting cleanup) to the 1019 dump file. [GL #1870] 1020 10215507. [bug] Named could compute incorrect SIG(0) responses. 1022 [GL #2109] 1023 10245506. [bug] Properly handle failed sysconf() calls, so we don't 1025 report invalid memory size. [GL #2166] 1026 10275505. [bug] Updating contents of a mixed-case RPZ could cause some 1028 rules to be ignored. [GL #2169] 1029 10305504. [func] The "glue-cache" option has been marked as deprecated. 1031 The glue cache feature will be permanently enabled in a 1032 future release. [GL #2146] 1033 10345503. [bug] Cleaned up reference counting of network manager 1035 handles, now using isc_nmhandle_attach() and _detach() 1036 instead of _ref() and _unref(). [GL #2122] 1037 1038 --- 9.17.5 released --- 1039 10405502. [func] 'dig +bufsize=0' no longer disables EDNS. [GL #2054] 1041 10425501. [func] Log CDS/CDNSKEY publication. [GL #1748] 1043 10445500. [bug] Fix (non-)publication of CDS and CDNSKEY records. 1045 [GL #2103] 1046 10475499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime. 1048 [GL #1748] 1049 10505498. 
[test] The --with-gperftools-profiler configure option was 1051 removed. [GL !4045] 1052 10535497. [placeholder] 1054 10555496. [bug] Address a TSAN report by ensuring each rate limiter 1056 object holds a reference to its task. [GL #2081] 1057 10585495. [bug] With query minimization enabled, named failed to 1059 resolve ip6.arpa. names that had extra labels to the 1060 left of the IPv6 part. [GL #1847] 1061 10625494. [bug] Silence the EPROTO syslog message on older systems. 1063 [GL #1928] 1064 10655493. [bug] Fix off-by-one error when calculating new hash table 1066 size. [GL #2104] 1067 10685492. [bug] Tighten LOC parsing to reject a period (".") and/or "m" 1069 as a value. Fix handling of negative altitudes which are 1070 not whole meters. [GL #2074] 1071 10725491. [bug] rbtversion->glue_table_size could be read without the 1073 appropriate lock being held. [GL #2080] 1074 10755490. [func] Refactor readline support to use pkg-config and add 1076 support for the editline library. [GL !3942] 1077 10785489. [bug] Named erroneously accepted certain invalid resource 1079 records that were incorrectly processed after 1080 subsequently being written to disk and loaded back, as 1081 the wire format differed. Such records include: CERT, 1082 IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and 1083 X25. [GL !3953] 1084 10855488. [bug] NTA code needed to have a weak reference on its 1086 associated view to prevent the latter from being deleted 1087 while NTA tests were being performed. [GL #2067] 1088 10895487. [cleanup] Update managed keys log messages to be less confusing. 1090 [GL #2027] 1091 10925486. [func] Add 'rndc dnssec -checkds' command, which signals to 1093 named that the DS record for a given zone or key has 1094 been updated in the parent zone. [GL #1613] 1095 1096 --- 9.17.4 released --- 1097 10985485. [placeholder] 1099 11005484. [func] Expire zero TTL records quickly rather than using them 1101 for stale answers. [GL #1829] 1102 11035483. 
[func] Keeping "stale" answers in cache has been disabled by 1104 default and can be re-enabled with a new configuration 1105 option "stale-cache-enable". [GL #1712] 1106 11075482. [bug] If the Duplicate Address Detection (DAD) mechanism had 1108 not yet finished after adding a new IPv6 address to the 1109 system, BIND 9 would fail to bind to IPv6 addresses in a 1110 tentative state. [GL #2038] 1111 11125481. [security] "update-policy" rules of type "subdomain" were 1113 incorrectly treated as "zonesub" rules, which allowed 1114 keys used in "subdomain" rules to update names outside 1115 of the specified subdomains. The problem was fixed by 1116 making sure "subdomain" rules are again processed as 1117 described in the ARM. (CVE-2020-8624) [GL #2055] 1118 11195480. [security] When BIND 9 was compiled with native PKCS#11 support, it 1120 was possible to trigger an assertion failure in code 1121 determining the number of bits in the PKCS#11 RSA public 1122 key with a specially crafted packet. (CVE-2020-8623) 1123 [GL #2037] 1124 11255479. [security] named could crash in certain query resolution scenarios 1126 where QNAME minimization and forwarding were both 1127 enabled. (CVE-2020-8621) [GL #1997] 1128 11295478. [security] It was possible to trigger an assertion failure by 1130 sending a specially crafted large TCP DNS message. 1131 (CVE-2020-8620) [GL #1996] 1132 11335477. [bug] The idle timeout for connected TCP sockets, which was 1134 previously set to a high fixed value, is now derived 1135 from the client query processing timeout configured for 1136 a resolver. [GL #2024] 1137 11385476. [security] It was possible to trigger an assertion failure when 1139 verifying the response to a TSIG-signed request. 1140 (CVE-2020-8622) [GL #2028] 1141 11425475. [bug] Wildcard RPZ passthru rules could incorrectly be 1143 overridden by other rules that were loaded from RPZ 1144 zones which appeared later in the "response-policy" 1145 statement. This has been fixed. 
[GL #1619] 1146 11475474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE 1148 when it should have. [GL !3880] 1149 11505473. [func] The RBT hash table implementation has been changed 1151 to use a faster hash function (HalfSipHash2-4) and 1152 Fibonacci hashing for better distribution. Setting 1153 "max-cache-size" now preallocates a fixed-size hash 1154 table so that rehashing does not cause resolution 1155 brownouts while the hash table is grown. [GL #1775] 1156 11575472. [func] The statistics channel has been updated to use the 1158 new network manager. [GL #2022] 1159 11605471. [bug] The introduction of KASP support inadvertently caused 1161 the second field of "sig-validity-interval" to always be 1162 calculated in hours, even in cases when it should have 1163 been calculated in days. This has been fixed. (Thanks to 1164 Tony Finch.) [GL !3735] 1165 11665470. [port] gsskrb5_register_acceptor_identity() is now only called 1167 if gssapi_krb5.h is present. [GL #1995] 1168 11695469. [port] On illumos, a constant called SEC is already defined in 1170 <sys/time.h>, which conflicts with an identically named 1171 constant in libbind9. This conflict has been resolved. 1172 [GL #1993] 1173 11745468. [bug] Addressed potential double unlock in process_fd(). 1175 [GL #2005] 1176 11775467. [func] The control channel and the rndc utility have been 1178 updated to use the new network manager. To support 1179 this, the network manager was updated to enable 1180 the initiation of client TCP connections. Its 1181 internal reference counting has been refactored. 1182 1183 Note: As a side effect of this change, rndc cannot 1184 currently be used with UNIX-domain sockets, and its 1185 default timeout has changed from 60 seconds to 30. 1186 These will be addressed in a future release. 1187 [GL #1759] 1188 11895466. [bug] Addressed an error in recursive clients stats reporting. 1190 [GL #1719] 1191 11925465. 
[func] Added fallback to built-in trust-anchors, managed-keys, 1193 or trusted-keys if the bindkeys-file (bind.keys) cannot 1194 be parsed. [GL #1235] 1195 11965464. [bug] Requesting more than 128 files to be saved when rolling 1197 dnstap log files caused a buffer overflow. This has been 1198 fixed. [GL #1989] 1199 12005463. [placeholder] 1201 12025462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976] 1203 12045461. [bug] The STALE rdataset header attribute was updated while 1205 the write lock was not being held, leading to incorrect 1206 statistics. The header attributes are now converted to 1207 use atomic operations. [GL #1475] 1208 12095460. [cleanup] tsig-keygen was previously an alias for 1210 ddns-confgen and was documented in the ddns-confgen 1211 man page. This has been reversed; tsig-keygen is 1212 now the primary name. [GL #1998] 1213 12145459. [bug] Fixed bad isc_mem_put() size when an invalid type was 1215 specified in an "update-policy" rule. [GL #1990] 1216 1217 --- 9.17.3 released --- 1218 12195458. [bug] Prevent a theoretically possible NULL dereference caused 1220 by a data race between zone_maintenance() and 1221 dns_zone_setview_helper(). [GL #1627] 1222 12235457. [placeholder] 1224 12255456. [func] Added "primaries" as a synonym for "masters" in 1226 named.conf, and "primary-only" as a synonym for 1227 "master-only" in the parameters to "notify", to bring 1228 terminology up-to-date with RFC 8499. [GL #1948] 1229 12305455. [bug] named could crash when cleaning dead nodes in 1231 lib/dns/rbtdb.c that were being reused. [GL #1968] 1232 12335454. [bug] Address a startup crash that occurred when the server 1234 was under load and the root zone had not yet been 1235 loaded. [GL #1862] 1236 12375453. [bug] named crashed on shutdown when a new rndc connection was 1238 received during shutdown. [GL #1747] 1239 12405452. [bug] The "blackhole" ACL was accidentally disabled for client 1241 queries. [GL #1936] 1242 12435451. 
[func] Add 'rndc dnssec -status' command. [GL #1612] 1244 12455450. [placeholder] 1246 12475449. [bug] Fix a socket shutdown race in netmgr udp. [GL #1938] 1248 12495448. [bug] Fix a race condition in isc__nm_tcpdns_send(). 1250 [GL #1937] 1251 12525447. [bug] IPv6 addresses ending in "::" could break YAML 1253 parsing. A "0" is now appended to such addresses 1254 in YAML output from dig, mdig, delv, and dnstap-read. 1255 [GL #1952] 1256 12575446. [bug] The validator could fail to accept a properly signed 1258 RRset if an unsupported algorithm appeared earlier in 1259 the DNSKEY RRset than a supported algorithm. It could 1260 also stop if it detected a malformed public key. 1261 [GL #1689] 1262 12635445. [cleanup] Disable and disallow static linking. [GL #1933] 1264 12655444. [bug] 'rndc dnstap -roll <value>' did not limit the number of 1266 saved files to <value>. [GL !3728] 1267 12685443. [bug] The "primary" and "secondary" keywords, when used 1269 as parameters for "check-names", were not 1270 processed correctly and were being ignored. [GL #1949] 1271 12725442. [func] Add support for outgoing TCP connections in netmgr. 1273 [GL #1958] 1274 12755441. [placeholder] 1276 12775440. [placeholder] 1278 12795439. [bug] The DS RRset returned by dns_keynode_dsset() was used in 1280 a non-thread-safe manner. [GL #1926] 1281 1282 --- 9.17.2 released --- 1283 12845438. [bug] Fix a race in TCP accepting code. [GL #1930] 1285 12865437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr(). 1287 [GL #1808] 1288 12895436. [security] It was possible to trigger an INSIST when determining 1290 whether a record would fit into a TCP message buffer. 1291 (CVE-2020-8618) [GL #1850] 1292 12935435. [tests] Add RFC 4592 responses examples to the wildcard system 1294 test. [GL #1718] 1295 12965434. [security] It was possible to trigger an INSIST in 1297 lib/dns/rbtdb.c:new_reference() with a particular zone 1298 content and query patterns. 
(CVE-2020-8619) [GL #1111] 1299 [GL #1718] 1300 13015433. [placeholder] 1302 13035432. [bug] Check the question section when processing AXFR, IXFR, 1304 and SOA replies when transferring a zone in. [GL #1683] 1305 13065431. [func] Reject DS records at the zone apex when loading 1307 master files. Log but otherwise ignore attempts to 1308 add DS records at the zone apex via UPDATE. [GL #1798] 1309 13105430. [doc] Update docs - with netmgr, a separate listening socket 1311 is created for each IPv6 interface (just as with IPv4). 1312 [GL #1782] 1313 13145429. [cleanup] Move BIND binaries which are neither daemons nor 1315 administrative programs to $bindir. [GL #1724] 1316 13175428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr 1318 has been destroyed. Thanks to Petr Menšík. [GL !3316] 1319 13205427. [placeholder] 1321 13225426. [bug] Don't abort() when setting SO_INCOMING_CPU on the socket 1323 fails. [GL #1911] 1324 13255425. [func] The default value of "max-stale-ttl" has been changed 1326 from 1 week to 12 hours. [GL #1877] 1327 13285424. [bug] With KASP, when creating a successor key, the "goal" 1329 state of the current active key (predecessor) was not 1330 changed and thus never removed from the zone. [GL #1846] 1331 13325423. [bug] Fix a bug in keymgr_key_has_successor(): it incorrectly 1333 returned true if any other key in the keyring had a 1334 successor. [GL #1845] 1335 13365422. [bug] When using dnssec-policy, print correct key timing 1337 metadata. [GL #1843] 1338 13395421. [bug] Fix a race that could cause named to crash when looking 1340 up the nodename of an RBT node if the tree was modified. 1341 [GL #1857] 1342 13435420. [bug] Add missing isc_{mutex,conditional}_destroy() calls 1344 that caused a memory leak on FreeBSD. [GL #1893] 1345 13465419. [func] Add new dig command line option, "+qid=<num>", which 1347 allows the query ID to be set to an arbitrary value. 
			Add a new ./configure option, --enable-singletrace,
			which allows trace logging of a single query when QID is
			set to 0. [GL #1851]

5418.	[bug]		delv failed to parse deprecated trusted-keys-style
			trust anchors. [GL #1860]

5417.	[cleanup]	The code determining the advertised UDP buffer size in
			outgoing EDNS queries has been refactored to improve its
			clarity. [GL #1868]

5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
			[GL #1859]

5415.	[test]		Address race in dnssec system test that led to
			test failures. [GL #1852]

5414.	[test]		Adjust time allowed for journal truncation to occur
			in nsupdate system test to avoid test failure.
			[GL #1855]

5413.	[test]		Address race in autosign system test that led to
			test failures. [GL #1852]

5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
			when the serial was greater than or equal to the
			current serial. [GL #1714]

5411.	[cleanup]	TCP accept code has been refactored to use a single
			accept() and pass the accepted socket to child threads
			for processing. [GL !3320]

5410.	[func]		Add the ability to specify per-type record count limits,
			which are enforced when adding records via UPDATE, in an
			"update-policy" statement. [GL #1657]

5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
			check for empty non-terminal nodes; the NSEC3 tree does
			not have any. [GL #1834]

5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
			[GL #1835]

5407.	[func]		Zone timers are now exported via statistics channel.
			Thanks to Paul Frieden, Verizon Media. [GL #1232]

5406.	[func]		Add a new logging category, "rpz-passthru", which allows
			RPZ passthru actions to be logged in a separate channel.
			[GL #54]

5405.	[bug]		'named-checkconf -p' could include spurious text in
			server-addresses statements due to an uninitialized DSCP
			value. [GL #1812]

5404.	[bug]		'named-checkconf -z' could incorrectly indicate
			success if errors were found in one view but not in a
			subsequent one. [GL #1807]

5403.	[func]		Do not set UDP receive/send buffer sizes - use system
			defaults. [GL #1713]

5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
			Enable use of SO_REUSEADDR on all platforms which
			support it. [GL !3365]

5401.	[bug]		The number of input queues allocated during dnstap
			initialization was too low, which could prevent some
			dnstap data from being logged. [GL #1795]

5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
			[GL #1763]

5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
			[GL #1534]

5398.	[bug]		Named could fail to restart if a zone with a double
			quote (") in its name was added with 'rndc addzone'.
			[GL #1695]

5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
			Thanks to Aaron Thompson. [GL !3326]

5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
			libuv. [GL #1797]

5395.	[security]	Further limit the number of queries that can be
			triggered from a request. Root and TLD servers
			are no longer exempt from max-recursion-queries.
			Fetches for missing name server address records
			are limited to 4 for any domain. (CVE-2020-8616)
			[GL #1388]

5394.	[cleanup]	Named formerly attempted to change the effective UID and
			GID in named_os_openfile(), which could trigger a
			spurious log message if they were already set to the
			desired values. This has been fixed. [GL #1042]
			[GL #1090]

5393.	[cleanup]	Unused and/or redundant APIs were removed from libirs.
			[GL #1758]

5392.	[bug]		It was possible for named to crash during shutdown
			or reconfiguration if an RPZ zone was still being
			updated. [GL #1779]

5391.	[func]		The BIND 9 build system has been changed to use a
			typical autoconf+automake+libtool stack. When building
			from the Git repository, run "autoreconf -fi" first.
			[GL #4]

5390.	[security]	Replaying a TSIG BADTIME response as a request could
			trigger an assertion failure. (CVE-2020-8617)
			[GL #1703]

5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
			Thanks to Aaron Thompson. [GL !3391]

5388.	[func]		Reject AXFR streams where the message ID is not
			consistent. [GL #1674]

5387.	[placeholder]

5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
			[GL #1737]

5385.	[func]		Make ISC rwlock implementation the default again.
			[GL #1753]

5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
			implicitly set to "yes". Now "inline-signing" is only
			set to "yes" if the zone is not dynamic. [GL #1709]

	--- 9.17.1 released ---

5383.	[func]		Add a quota attach function with a callback and clean up
			the isc_quota API. [GL !3280]

5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
			isc_stdtime() function. [GL #1679]

5381.	[bug]		Fix logging API data race by adding rwlock and caching
			logging levels in stdatomic variables to restore
			performance to original levels. [GL #1675] [GL #1717]

5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
			libraries. [GL #1678]

5379.	[placeholder]

5378.	[bug]		Receiving invalid DNS data was triggering an assertion
			failure in nslookup. [GL #1652]

5377.	[placeholder]

5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
			configured as a forwarding DNS server. Thanks to Tobias
			Klein. [GL #1574]

5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]

5374.	[bug]		Statistics counters tracking recursive clients and
			active connections could underflow. [GL #1087]

5373.	[bug]		Collecting statistics for DNSSEC signing operations
			(change 5254) caused an array of significant size (over
			100 kB) to be allocated for each configured zone. Each
			of these arrays is tracking all possible key IDs; this
			could trigger an out-of-memory condition on servers with
			a high enough number of zones configured. Fixed by
			tracking up to four keys per zone and rotating counters
			when keys are replaced. This fixes the immediate problem
			of high memory usage, but should be improved in a future
			release by growing or shrinking the number of keys to
			track upon key rollover events. [GL #1179]

5372.	[bug]		Fix migration from existing DNSSEC key files
			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]

5371.	[bug]		Improve incremental updates of the RPZ summary
			database to reduce delays that could occur when
			a policy zone update included a large number of
			record deletions. [GL #1447]

5370.	[bug]		Deactivation of a netmgr handle associated with a
			socket could be skipped in some circumstances.
			Fixed by deactivating the netmgr handle before
			scheduling the asynchronous close routine. [GL #1700]

5369.	[func]		Add the ability to specify whether to wait for
			nameserver domain names to be looked up, with a new RPZ
			modifying directive 'nsdname-wait-recurse'. [GL #1138]

5368.	[bug]		Named failed to restart if 'rndc addzone' names
			contained special characters (e.g. '/'). [GL #1655]

5367.	[placeholder]

	--- 9.17.0 released ---

5366.	[bug]		Fix a race condition with the keymgr when the same
			zone plus dnssec-policy is configured in multiple
			views. [GL #1653]

5365.	[bug]		Algorithm rollover was stuck on submitting DS
			because keymgr thought it would move to an invalid
			state. Fixed by checking the current key against
			the desired state, not the existing state. [GL #1626]

5364.	[bug]		Algorithm rollover waited too long before introducing
			zone signatures. It waited to make sure all signatures
			were regenerated, but when introducing a new algorithm,
			all signatures are regenerated immediately. Only
			add the sign delay if there is a predecessor key.
			[GL #1625]

5363.	[bug]		When changing a dnssec-policy, existing keys with
			properties that no longer match were not being retired.
			[GL #1624]

5362.	[func]		Limit the size of IXFR responses so that AXFR will
			be used instead if it would be smaller. This is
			controlled by the "max-ixfr-ratio" option, which
			is a percentage representing the ratio of IXFR size
			to the size of the entire zone. This value cannot
			exceed 100%, which is the default. [GL #1515]

5361.	[bug]		named might not accept new connections after
			hitting tcp-clients quota. [GL #1643]

5360.	[bug]		delv could fail to load trust anchors in DNSKEY
			format. [GL #1647]

5359.	[func]		"rndc nta -d" and "rndc secroots" now include
			"validate-except" entries when listing negative
			trust anchors. These are indicated by the keyword
			"permanent" in place of an expiry date. [GL #1532]

5358.	[bug]		Inline master zones whose master files were touched
			but otherwise unchanged and were subsequently reloaded
			may have stopped re-signing. [GL !3135]

5357.	[bug]		Newly added RRSIG records with expiry times before
			the previous earliest expiry times might not be
			re-signed in time. This was a side effect of 5315.
      [GL !3137]

5356. [func] Update dnssec-policy configuration statements:
      - Rename "zone-max-ttl" dnssec-policy option to "max-zone-ttl" for consistency with the existing zone option.
      - Allow for "lifetime unlimited" as a synonym for "lifetime PT0S".
      - Make "key-directory" optional.
      - Warn if specifying a key length does not make sense; fail if key length is out of range for the algorithm.
      - Allow use of mnemonics when specifying key algorithm (e.g. "rsasha256", "ecdsa384", etc.).
      - Make ISO 8601 durations case-insensitive.
      [GL #1598]

5355. [func] What was set with --with-tuning=large option in older BIND9 versions is now a default, and a --with-tuning=small option was added for small (e.g. OpenWRT) systems. [GL !2989]

5354. [bug] dnssec-policy created new KSK keys for zones in the initial stage of signing (with the DS not yet in the rumoured or omnipresent states). Fix by checking the key goals rather than the active state when determining whether new keys are needed. [GL #1593]

5353. [doc] Document port and dscp parameters in forwarders configuration option. [GL #914]

5352. [bug] Correctly handle catalog zone entries containing characters that aren't legal in filenames. [GL #1592]

5351. [bug] CDS / CDNSKEY consistency checks failed to handle removal records. [GL #1554]

5350. [bug] When a view was configured with class CHAOS, the server could crash while processing a query for a non-existent record. [GL #1540]

5349. [bug] Fix a race in task_pause/unpause. [GL #1571]

5348. [bug] dnssec-settime -Psync was not being honoured. Thanks to Tony Finch. [GL !2893]

--- 9.15.8 released ---

5347. [bug] Fixed a bug that could cause an intermittent crash in validator.c when validating a negative cache entry. [GL #1561]

5346. [bug] Make hazard pointer array allocations dynamic, fixing a bug that caused named to crash on machines with more than 40 cores. [GL #1493]

5345. [func] Key-style trust anchors and DS-style trust anchors can now both be used for the same name. [GL #1237]

5344. [bug] Handle accept() errors properly in netmgr. [GL !2880]

5343. [func] Add statistics counters to the netmgr. [GL #1311]

5342. [bug] Disable pktinfo for IPv6 and bind to each interface explicitly instead, because libuv doesn't support pktinfo control messages. [GL #1558]

5341. [func] Simplify passing the bound TCP socket to child threads by using isc_uv_export/import functions. [GL !2825]

5340. [bug] Don't deadlock when binding to a TCP socket fails. [GL #1499]

5339. [bug] With some libmaxminddb versions, named could erroneously match an IP address not belonging to any subnet defined in a given GeoIP2 database to one of the existing entries in that database. [GL #1552]

5338. [bug] Fix line spacing in `rndc secroots`. Thanks to Tony Finch. [GL !2478]

5337. [func] 'named -V' now reports maxminddb and protobuf-c versions. [GL !2686]

--- 9.15.7 released ---

5336. [bug] The TCP high-water statistic could report an incorrect value on startup. [GL #1392]

5335. [func] Make TCP listening code multithreaded. [GL !2659]

5334. [doc] Update documentation with dnssec-policy clarifications. Also change some defaults. [GL !2711]

5333. [bug] Fix duration printing on Solaris when value is not an ISO 8601 duration. [GL #1460]

5332. [func] Renamed "dnssec-keys" configuration statement to the more descriptive "trust-anchors". [GL !2702]

5331. [func] Use compiler-provided mechanisms for thread local storage, and make the requirement for such mechanisms explicit in configure.
      [GL #1444]

5330. [bug] 'configure --without-python' was ineffective if PYTHON was set in the environment. [GL #1434]

5329. [bug] Reconfiguring named caused memory to be leaked when any GeoIP2 database was in use. [GL #1445]

5328. [bug] rbtdb.c:rdataset_{get,set}ownercase failed to obtain a node lock. [GL #1417]

5327. [func] Added a statistics counter to track queries dropped because the recursive-clients quota was exceeded. [GL #1399]

5326. [bug] Add Python dependency on 'distutils.core' to configure. 'distutils.core' is required for installation. [GL #1397]

5325. [bug] Addressed several issues with TCP connections in the netmgr: restored support for TCP connection timeouts, restored TCP backlog support, actively close all open sockets during shutdown. [GL #1312]

5324. [bug] Change the category of some log messages from general to the more appropriate category of xfer-in. [GL #1394]

5323. [bug] Fix a bug in DNSSEC trust anchor verification. [GL !2609]

5322. [placeholder]

5321. [bug] Obtain write lock before updating version->records and version->bytes. [GL #1341]

5320. [cleanup] Silence TSAN on header->count. [GL #1344]

--- 9.15.6 released ---

5319. [func] Trust anchors can now be configured using DS format to represent a key digest, by using the new "initial-ds" or "static-ds" keywords in the "dnssec-keys" statement.

      Note: DNSKEY-format and DS-format trust anchors cannot both be used for the same domain name. [GL #622]

5318. [cleanup] The DNSSEC validation code has been refactored for clarity and to reduce code duplication. [GL #622]

5317. [func] A new asynchronous network communications system based on libuv is now used for listening for incoming requests and responding to them.
      (The old isc_socket API remains in use for sending iterative queries and processing responses; this will be changed too in a later release.)

      This change will make it easier to improve performance and implement new protocol layers (e.g., DNS over TLS) in the future. [GL #29]

5316. [func] A new "dnssec-policy" option has been added to named.conf to implement a key and signing policy (KASP) for zones. When this option is in use, named can generate new keys as needed and automatically roll both ZSK and KSK keys. (Note that the syntax for this statement differs from the dnssec policy used by dnssec-keymgr.)

      See the ARM for configuration details. [GL #1134]

5315. [bug] Apply the initial RRSIG expiration spread fix to all dynamically created records in the zone including NSEC3. Also fix the signature clusters when the server has been offline for a prolonged period of time. [GL #1256]

5314. [func] Added a new statistics variable "tcp-highwater" that reports the maximum number of simultaneous TCP clients BIND has handled while running. [GL #1206]

5313. [bug] The default GeoIP2 database location did not match the ARM. 'named -V' now reports the default location. [GL #1301]

5312. [bug] Do not flush the cache for `rndc validation status`. Thanks to Tony Finch. [GL !2462]

5311. [cleanup] Include all views in output of `rndc validation status`. Thanks to Tony Finch. [GL !2461]

5310. [bug] TCP failures were affecting EDNS statistics. [GL #1059]

5309. [placeholder]

5308. [bug] Don't log DNS_R_UNCHANGED from sync_secure_journal() at ERROR level in receive_secure_serial(). [GL #1288]

5307. [bug] Fix hang when named-compilezone output is sent to pipe. Thanks to Tony Finch. [GL !2481]

5306. [security] Set a limit on number of simultaneous pipelined TCP queries. (CVE-2019-6477) [GL #1264]

5305. [bug] NSEC Aggressive Cache ("synth-from-dnssec") has been disabled by default because it was found to have a significant performance impact on the recursive service. [GL #1265]

5304. [bug] "dnskey-sig-validity 0;" was not being accepted. [GL #876]

5303. [placeholder]

5302. [bug] Fix checking that "dnstap-output" is defined when "dnstap" is specified in a view. [GL #1281]

5301. [bug] Detect partial prefixes / incomplete IPv4 address in acls. [GL #1143]

5300. [bug] dig/mdig/delv: Add a colon after EDNS option names, even when the option is empty, to improve readability and allow correct parsing of YAML output. [GL #1226]

--- 9.15.5 released ---

5299. [security] A flaw in DNSSEC verification when transferring mirror zones could allow data to be incorrectly marked valid. (CVE-2019-6475) [GL #1252]

5298. [security] Named could assert if a forwarder returned a referral, rather than resolving the query, when QNAME minimization was enabled. (CVE-2019-6476) [GL #1051]

5297. [bug] Check whether a previous QNAME minimization fetch is still running before starting a new one; return SERVFAIL and log an error if so. [GL #1191]

5296. [placeholder]

5295. [cleanup] Split dns_name_copy() calls into dns_name_copy() and dns_name_copynf() for those calls that can potentially fail and those that should not fail respectively. [GL !2265]

5294. [func] Fall back to ACE name on output in locales that do not support converting it to Unicode. [GL #846]

5293. [bug] On Windows, named crashed upon any attempt to fetch XML statistics from it. [GL #1245]

5292. [bug] Queue 'rndc nsec3param' requests while signing inline zone changes.
      [GL #1205]

--- 9.15.4 released ---

5291. [placeholder]

5290. [placeholder]

5289. [bug] Address NULL pointer dereference in rpz.c:rpz_detach. [GL #1210]

5288. [bug] dnssec-must-be-secure was not always honored. [GL #1209]

5287. [placeholder]

5286. [contrib] Address potential NULL pointer dereferences in dlz_mysqldyn_mod.c. [GL #1207]

5285. [port] win32: implement "-T maxudpXXX". [GL #837]

5284. [func] Added +unexpected command line option to dig. By default, dig won't accept a reply from a source other than the one to which it sent the query. Invoking dig with +unexpected argument will allow it to process replies from unexpected sources.

5283. [bug] When a response-policy zone expires, ensure that its policies are removed from the RPZ summary database. [GL #1146]

5282. [bug] Fixed a bug in searching for possible wildcard matches for query names in the RPZ summary database. [GL #1146]

5281. [cleanup] Don't escape commas when reporting named's command line. [GL #1189]

5280. [protocol] Add support for displaying EDNS option LLQ. [GL #1201]

5279. [bug] When loading, reject zones containing CDS or CDNSKEY RRsets at the zone apex if they would cause DNSSEC validation failures if published in the parent zone as the DS RRset. [GL #1187]

5278. [func] Add YAML output formats for dig, mdig and delv; use the "+yaml" option to enable. [GL #1145]

--- 9.15.3 released ---

5277. [bug] Cache DB statistics could underflow when serve-stale was in use, because of a bug in counter maintenance when RRsets become stale.

      Functions for dumping statistics have been updated to dump active, stale, and ancient statistic counters. Ancient RRset counters are prefixed with '~'; stale RRset counters are still prefixed with '#'.
      [GL #602]

5276. [func] DNSSEC Lookaside Validation (DLV) is now obsolete; all code enabling its use has been removed from the validator, "delv", and the DNSSEC tools. [GL #7]

5275. [bug] Mark DS records included in referral messages with trust level "pending" so that they can be validated and cached immediately, with no need to re-query. [GL #964]

5274. [bug] Address potential use after free race when shutting down rpz. [GL #1175]

5273. [bug] Check that bits [64..71] of a dns64 prefix are zero. [GL #1159]

5272. [cleanup] Remove isc-config.sh script as the BIND 9 libraries are now purely internal. [GL #1123]

5271. [func] The normal (non-debugging) output of dnssec-signzone and dnssec-verify tools now goes to stdout, instead of the combination of stderr and stdout.

5270. [bug] 'dig +expandaaaa +short' did not work. [GL #1152]

5269. [port] cygwin: can return ETIMEDOUT on connect() with a non-blocking socket. [GL #1133]

5268. [placeholder]

5267. [func] Allow statistics groups display to be toggle-able. [GL #1030]

5266. [bug] named-checkconf failed to report dnstap-output missing from named.conf when dnstap was specified. [GL #1136]

5265. [bug] DNS64 and RPZ nodata (CNAME *.) rules interacted badly. [GL #1106]

5264. [func] New DNS Cookie algorithm - siphash24 - has been added to BIND 9, and the old HMAC-SHA DNS Cookie algorithms have been removed. [GL #605]

--- 9.15.2 released ---

5263. [cleanup] Use atomics and isc_refcount_t wherever possible. [GL #1038]

5262. [func] Removed support for the legacy GeoIP API. [GL #1112]

5261. [cleanup] Remove SO_BSDCOMPAT socket option usage.

5260. [bug] dnstap-read was producing malformed output for large packets. [GL #1093]

5259. [func] New option '-i' for 'named-checkconf' to ignore warnings about deprecated options. [GL #1101]

5258. [func] Added support for the GeoIP2 API from MaxMind. This will be compiled in by default if the "libmaxminddb" library is found at compile time, but can be suppressed using "configure --disable-geoip".

      Certain geoip ACL settings that were available with legacy GeoIP are not available when using GeoIP2. [GL #182]

5257. [bug] Some statistics data was not being displayed. Add shading to the zone tables. [GL #1030]

5256. [bug] Ensure that glue records are included in root priming responses if "minimal-responses" is not set to "yes". [GL #1092]

5255. [bug] Errors encountered while reloading inline-signing zones could be ignored, causing the zone content to be left in an incompletely updated state rather than reverted. [GL #1109]

5254. [func] Collect metrics to report to the statistics-channel DNSSEC signing operations (dnssec-sign) and refresh operations (dnssec-refresh) per zone and per keytag. [GL #513]

5253. [port] Support platforms that don't define ULLONG_MAX. [GL #1098]

5252. [func] Report if the last 'rndc reload/reconfig' failed in rndc status. [GL !2040]

5251. [bug] Statistics were broken in x86 Windows builds. [GL #1081]

5250. [func] The default size for RSA keys is now 2048 bits, for both ZSKs and KSKs. [GL #1097]

5249. [bug] Fix a possible underflow in recursion clients statistics when hitting recursive clients soft quota. [GL #1067]

--- 9.15.1 released ---

5248. [func] To clarify the configuration of DNSSEC keys, the "managed-keys" and "trusted-keys" options have both been deprecated.
      The new "dnssec-keys" statement can now be used for all trust anchors, with the keywords "initial-key" or "static-key" to indicate whether the configured trust anchor should be used for initialization of RFC 5011 key management, or as a permanent trust anchor.

      The "static-key" keyword will generate a warning if used for the root zone.

      Configurations using "trusted-keys" or "managed-keys" will continue to work with no changes, but will generate warnings in the log. In a future release, these options will be marked obsolete. [GL #6]

5247. [cleanup] The 'cleaning-interval' option has been removed. [GL !1731]

5246. [func] Log TSIG if appropriate in 'sending notify to' message. [GL #1058]

5245. [cleanup] Reduce logging level for IXFR up-to-date poll responses. [GL #1009]

5244. [security] Fixed a race condition in dns_dispatch_getnext() that could cause an assertion failure if a significant number of incoming packets were rejected. (CVE-2019-6471) [GL #942]

5243. [bug] Fix a possible race between dispatcher and socket code in a high-load cold-cache resolver scenario. [GL #943]

5242. [bug] In relaxed qname minimization mode, fall back to normal resolution when encountering a lame delegation, and use _.domain/A queries rather than domain/NS. [GL #1055]

5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs. [GL #225]

5240. [bug] Remove key id calculation for RSAMD5. [GL #996]

5239. [func] Change the json-c detection to pkg-config. [GL #855]

5238. [bug] Fix a possible deadlock in TCP code. [GL #1046]

5237. [bug] Recurse to find the root server list with 'dig +trace'. [GL #1028]

5236. [func] Add SipHash 2-4 implementation in lib/isc/siphash.c and switch isc_hash_function() to use SipHash 2-4. [GL #605]

5235. [cleanup] Refactor lib/isc/app.c to be thread-safe; unused parts of the API have been removed and the isc_appctx_t data type has been changed to be fully opaque. [GL #1023]

5234. [port] arm: just use the compiler's default support for yield. [GL #981]

--- 9.15.0 released ---

5233. [bug] Negative trust anchors did not work with "forward only;" to validating resolvers. [GL #997]

5232. [placeholder]

5231. [protocol] Add support for displaying CLIENT-TAG and SERVER-TAG. [GL #960]

5230. [protocol] The SHA-1 hash algorithm is no longer used when generating DS and CDS records. [GL #1015]

5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]

5228. [func] If trusted-keys and managed-keys were configured simultaneously for the same name, the key could not be rolled automatically. This is now a fatal configuration error. [GL #868]

5227. [placeholder]

5226. [placeholder]

5225. [func] Allow dig to print out AAAA record fully expanded with +[no]expandaaaa. [GL #765]

5224. [bug] Only test provide-ixfr on TCP streams. [GL #991]

5223. [bug] Fixed a race in the filter-aaaa plugin accessing the hash table. [GL #1005]

5222. [bug] 'delv -t ANY' could leak memory. [GL #983]

5221. [test] Enable parallel execution of system tests on Windows. [GL !4101]

5220. [cleanup] Refactor the isc_stat structure to take advantage of stdatomic. [GL !1493]

5219. [bug] Fixed a race in the filter-aaaa plugin that could trigger a crash when returning an instance object to the memory pool. [GL #982]

5218. [bug] Conditionally include <dlfcn.h>. [GL #995]

5217. [bug] Restore key id calculation for RSAMD5. [GL #996]

5216. [bug] Fetches-per-zone counter wasn't updated correctly when doing qname minimization. [GL #992]

5215. [bug] Change #5124 was incomplete; named could still return FORMERR instead of SERVFAIL in some cases. [GL #990]

5214. [bug] win32: named now removes its lock file upon shutdown. [GL #979]

5213. [bug] win32: Eliminated a race which allowed named.exe running as a service to be killed prematurely during shutdown. [GL #978]

5212. [placeholder]

5211. [bug] Allow out-of-zone additional data to be included in authoritative responses if recursion is allowed and "minimal-responses" is disabled. This behavior was inadvertently removed in change #4605. [GL #817]

5210. [bug] When dnstap is enabled and recursion is not available, incoming queries are now logged as "auth". Previously, this depended on whether recursion was requested by the client, not on whether recursion was available. [GL #963]

5209. [bug] When update-check-ksk is true, add_sigs was not considering offline keys, leaving record sets signed with the incorrect type key. [GL #763]

5208. [test] Run valid rdata wire encodings through totext+fromtext and tofmttext+fromtext methods to check these methods. [GL #899]

5207. [test] Check delv and dig TTL values. [GL #965]

5206. [bug] Delv could print out bad TTLs. [GL #965]

5205. [bug] Enforce that a DS hash exists. [GL #899]

5204. [test] Check that dns_rdata_fromtext() produces a record that will be accepted by dns_rdata_fromwire(). [GL #852]

5203. [bug] Enforce whether key rdata exists or not in KEY, DNSKEY, CDNSKEY and RKEY. [GL #899]

5202. [bug] <dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]

5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]

5200. [security] tcp-clients settings could be exceeded in some cases, which could lead to exhaustion of file descriptors. (CVE-2018-5743) [GL #615]

5199. [security] In certain configurations, named could crash if nxdomain-redirect was in use and a redirected query resulted in an NXDOMAIN from the cache. (CVE-2019-6467) [GL #880]

5198. [bug] If a fetch context was being shut down and, at the same time, we returned from qname minimization, an INSIST could be hit. [GL #966]

5197. [bug] dig could die in best effort mode on multiple SIG(0) records. Similarly on multiple OPT and multiple TSIG records. [GL #920]

5196. [bug] make install failed with --with-dlopen=no. [GL #955]

5195. [bug] "allow-update" and "allow-update-forwarding" were treated as configuration errors if used at the options or view level. [GL #913]

5194. [bug] Enforce non empty ZONEMD hash. [GL #899]

5193. [bug] EID and NIMLOC failed to do multi-line output correctly. [GL #899]

5192. [placeholder]

5191. [placeholder]

5190. [bug] Ignore trust anchors using disabled algorithms. [GL #806]

5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]

5188. [func] The "dnssec-enable" option is deprecated and no longer has any effect; DNSSEC responses are always enabled. [GL #866]

5187. [test] Set time zone before running any tests in dnstap_test. [GL #940]

5186. [cleanup] More dnssec-keygen manual tidying. [GL !1678]

5185. [placeholder]

5184. [bug] Missing unlocks in sdlz.c. [GL #936]

5183. [bug] Reinitialize ECS data before reusing client structures. [GL #881]

5182. [bug] Fix a high-load race/crash in handling of isc_socket_close() in resolver. [GL #834]

5181. [func] Add a mechanism for a DLZ module to signal that the view's allow-transfer ACL should be used to determine whether transfers are allowed. [GL #803]

5180. [bug] delv now honors the operating system's preferred ephemeral port range.
      [GL #925]

5179. [cleanup] Replace some vague type declarations with the more specific dns_secalg_t and dns_dsdigest_t. Thanks to Tony Finch. [GL !1498]

5178. [bug] Handle EDQUOT (disk quota) and ENOSPC (disk full) errors when writing files. [GL #902]

5177. [func] Add the ability to specify in named.conf whether a response-policy zone's SOA record should be added to the additional section (add-soa yes/no). [GL #865]

5176. [tests] Remove a dependency on libxml in statschannel system test. [GL #926]

5175. [bug] Fixed a problem with file input in dnssec-keymgr, dnssec-coverage and dnssec-checkds when using python3. [GL #882]

5174. [doc] Tidy dnssec-keygen manual. [GL !1557]

5173. [bug] Fixed a race in socket code that could occur when accept, send, or recv were called from an event loop but the socket had been closed by another thread. [RT #874]

5172. [bug] nsupdate now honors the operating system's preferred ephemeral port range. [GL #905]

5171. [func] named plugins are now installed into a separate directory. Supplying a filename (a string without path separators) in a "plugin" configuration stanza now causes named to look for that plugin in that directory. [GL #878]

5170. [test] Added --with-dlz-filesystem to feature-test. [GL !1587]

5169. [bug] The presence of certain types in an otherwise empty node could cause a crash while processing a type ANY query. [GL #901]

5168. [bug] Do not crash on shutdown when RPZ fails to load. Also, keep previous version of the database if RPZ fails to load. [GL #813]

5167. [bug] nxdomain-redirect could sometimes look up the wrong redirect name. [GL #892]

5166. [placeholder]

5165. [contrib] Removed SDB drivers from contrib; they're obsolete. [GL #428]

5164. [bug] Correct errno to result translation in dlz filesystem modules. [GL #884]

5163. [cleanup] Out-of-tree builds failed --enable-dnstap. [GL #836]

5162. [cleanup] Improve dnssec-keymgr manual. Thanks to Tony Finch. [GL !1518]

5161. [bug] Do not require the SEP bit to be set for mirror zone trust anchors. [GL #873]

5160. [contrib] Added DNAME support to the DLZ LDAP schema. Also fixed a compilation bug affecting several DLZ modules. [GL #872]

5159. [bug] dnssec-coverage was incorrectly ignoring names specified on the command line without trailing dots. [GL !1478]

5158. [protocol] Add support for AMTRELAY and ZONEMD. [GL #867]

5157. [bug] Nslookup now errors out if there are extra command line arguments. [GL #207]

5156. [doc] Extended and refined the section of the ARM describing mirror zones. [GL #774]

5155. [func] "named -V" now outputs the default paths to named.conf, rndc.conf, bind.keys, and other files used or created by named and other tools, so that the correct paths to these files can quickly be determined regardless of the configure settings used when BIND was built. [GL #859]

5154. [bug] dig: process_opt could be called twice on the same message leading to an assertion failure. [GL #860]

5153. [func] Zone transfer statistics (size, number of records, and number of messages) are now logged for outgoing transfers as well as incoming ones. [GL #513]

5152. [func] Improved logging of DNSSEC key events:
      - Zone signing and DNSKEY maintenance events are now logged to the "dnssec" category
      - Messages are now logged when DNSSEC keys are published, activated, inactivated, deleted, or revoked.
      [GL #714]

5151. [func] Options that have been marked as obsolete in named.conf for a very long time are now fatal configuration errors. [GL #358]

5150. [cleanup] Remove the ability to compile BIND with assertions disabled. [GL #735]

5149. [func] "rndc dumpdb" now prints a line above a stale RRset indicating how long the data will be retained in the cache for emergency use. [GL #101]

5148. [bug] named did not sign the TKEY response. [GL #821]

5147. [bug] dnssec-keymgr: Add a five-minute margin to better handle key events close to 'now'. [GL #848]

5146. [placeholder]

5145. [func] Use atomics instead of locked variables for isc_quota and isc_counter. [GL !1389]

5144. [bug] dig now returns a non-zero exit code when a TCP connection is prematurely closed by a peer more than once for the same lookup. [GL #820]

5143. [bug] dnssec-keymgr and dnssec-coverage failed to find key files for zone names ending in ".". [GL #560]

5142. [cleanup] Removed "configure --disable-rpz-nsip" and "--disable-rpz-nsdname" options. "nsip-enable" and "nsdname-enable" both now default to yes, regardless of compile-time settings. [GL #824]

5141. [security] Zone transfer controls for writable DLZ zones were not effective as the allowzonexfr method was not being called for such zones. (CVE-2019-6465) [GL #790]

5140. [bug] Don't immediately mark existing keys as inactive and deleted when running dnssec-keymgr for the first time. [GL #117]

5139. [bug] If possible, don't use forwarders when priming. This ensures we can get root server IP addresses from priming query response glue, which may not be present if the forwarding server is returning minimal responses. [GL #752]

5138. [bug] Under some circumstances named could hit an assertion failure when doing qname minimization when using forwarders. [GL #797]

5137. [func] named now logs messages whenever a mirror zone becomes usable or unusable for resolution purposes. [GL #818]

5136. [cleanup] Check in named-checkconf that allow-update and allow-update-forwarding are not set at the view/options level; fix documentation. [GL #512]

5135. [port] sparc: Use smt_pause() instead of pause. [GL #816]

5134. [bug] win32: WSAStartup was not called before getservbyname was called. [GL #590]

5133. [bug] 'rndc managed-keys' didn't handle class and view correctly and failed to add new lines between each view. [GL !1327]

5132. [bug] Fix race condition in cleanup part of dns_dt_create(). [GL !1323]

5131. [cleanup] Address Coverity warnings. [GL #801]

5130. [cleanup] Remove support for l10n message catalogs. [GL #709]

5129. [contrib] sdlz_helper.c:build_querylist was not properly splitting the query string. [GL #798]

5128. [bug] Refreshkeytime was not being updated for managed keys zones. [GL #784]

5127. [bug] rcode.c:maybe_numeric failed to handle NUL in text regions. [GL #807]

5126. [bug] Named incorrectly accepted empty base64 and hex encoded fields when reading master files. [GL #807]

5125. [bug] Allow for up to 100 records or 64k of data when caching a negative response. [GL #804]

5124. [bug] Named could incorrectly return FORMERR rather than SERVFAIL. [GL #804]

5123. [bug] dig could hang indefinitely after encountering an error before creating a TCP socket. [GL #692]

5122. [bug] In a "forward first;" configuration, a forwarder timeout did not prevent that forwarder from being queried again after falling back to full recursive resolution. [GL #315]

5121. [contrib] dlz_stub_driver.c fails to return ISC_R_NOTFOUND on non-matching zone names. [GL !1299]

5120. [placeholder]

5119. [placeholder]

5118. [security] Named could crash if it is managing a key with `managed-keys` and the authoritative zone is rolling the key to an unsupported algorithm. (CVE-2018-5745) [GL #780]

5117. [placeholder]

5116. [bug] Named/named-checkconf triggered an assertion when a mirror zone's name is bad. [GL #778]

5115. [bug] Allow unsupported algorithms in zone when not used for signing with dnssec-signzone. [GL #783]

5114. [func] Include a 'reconfig/reload in progress' status line in rndc status, use it in tests.

5113. [port] Fixed a Windows build error.

5112. [bug] Named/named-checkconf could dump core if there was a missing masters clause and a bad notify clause. [GL #779]

5111. [bug] Occluded DNSKEY records could make it into the delegating NSEC/NSEC3 bitmap. [GL #742]

5110. [security] Named leaked memory if there were multiple Key Tag EDNS options present. (CVE-2018-5744) [GL #772]

5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]

--- 9.13.5 released ---

5108. [bug] Named could fail to determine bottom of zone when removing out of date keys leading to invalid NSEC and NSEC3 records being added to the zone. [GL #771]

5107. [bug] 'host -U' did not work. [GL #769]

5106. [experimental] A new "plugin" mechanism has been added to allow extension of query processing functionality through the use of dynamically loadable libraries. A "filter-aaaa.so" plugin has been implemented, replacing the filter-aaaa feature that was formerly implemented as a native part of BIND.
      The "filter-aaaa", "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options can no longer be configured using native named.conf syntax. However, loading the filter-aaaa.so plugin and setting its parameters provides identical functionality.

      Note that the plugin API is a work in progress and is likely to evolve as further plugins are implemented. [GL #15]

5105. [bug] Fix a race between process_fd and socketclose in unix socket code. [GL #744]

5104. [cleanup] Log clearer informational message when a catz zone is overridden by a zone in named.conf. Thanks to Tony Finch. [GL !1157]

5103. [bug] Add missing design by contract tests to dns_catz*. [GL #748]

5102. [bug] dnssec-coverage failed to use the default TTL when checking KSK deletion times leading to an exception. [GL #585]

5101. [bug] Fix default installation path for Python modules and remove the dnspython dependency accidentally introduced by change 4970. [GL #730]

5100. [func] Pin resolver tasks to specific task queues. [GL !1117]

5099. [func] Failed mutex and conditional creations are always fatal. [GL #674]

--- 9.13.4 released ---

5098. [func] Failed memory allocations are now fatal. [GL #674]

5097. [cleanup] Remove embedded ATF unit testing framework from BIND source distribution. [GL !875]

5096. [func] Use multiple event loops in socket code, and make network threads CPU-affinitive. This significantly improves performance on large systems. [GL #666]

5095. [test] Converted all unit tests from ATF to CMocka; removed the source code for the ATF libraries. Build with "configure --with-cmocka" to enable unit testing. [GL #620]

5094. [func] Add 'dig -r' to disable reading of .digrc. [GL !970]

5093. [bug] Log lame qname-minimization servers only if they're really lame. [GL #671]

5092. [bug] Address memory leak on SIGTERM in nsupdate when using GSS-TSIG. [GL #558]

5091. [func] Two new global and per-view options min-cache-ttl and min-ncache-ttl. [GL #613]

5090. [bug] dig and mdig failed to properly pre-parse dash value pairs when value was a separate argument and started with a dash. [GL #584]

5089. [bug] Restore localhost fallback in dig and host which is used when no nameserver addresses present in /etc/resolv.conf are usable due to the requested address family restrictions. [GL #433]

5088. [bug] dig/host/nslookup could crash when interrupted close to a query timeout. [GL #599]

5087. [test] Check that result tables are complete. [GL #676]

5086. [func] Log of RPZ now includes the QTYPE and QCLASS. [GL #623]

5085. [bug] win32: Restore looking up nameservers, search list, etc. [GL #186]

5084. [placeholder]

5083. [func] Add autoconf macro AX_POSIX_SHELL, so we can use POSIX-compatible shell features in the scripts.

5082. [bug] Fixed a race that could cause a crash in dig/host/nslookup. [GL #650]

5081. [func] Use per-worker queues in task manager, make task runners CPU-affine. [GL #659]

5080. [func] Improvements to "rndc nta" user interface:
      - catch and report invalid command line options
      - when removing an NTA from all views, do not abort with an error if the NTA was not found in one of the views
      - include the view name in "rndc nta -dump" output, for consistency with the add and remove actions
      Thanks to Tony Finch. [GL !816]

5079. [func] Disable IDN processing in dig and nslookup when not on a tty. [GL #653]

5078. [cleanup] Require python components to be explicitly disabled if python is not available on unix platforms. [GL #601]

5077. [cleanup] Remove ip6.int support (-i) from dig and mdig. [GL !969]

5076. [bug] "require-server-cookie" was not effective if "rate-limit" was configured. [GL #617]

5075. [bug] Refresh nameservers from cache when sending final query in qname minimization. [GL #16]

5074. [cleanup] Remove vector socket functions - isc_socket_recvv(), isc_socket_sendtov(), isc_socket_sendtov2(), isc_socket_sendv() - in order to simplify socket code. [GL #645]

5073. [bug] Destroy a task first when destroying rpzs and catzs. [GL #84]

5072. [bug] Add unit tests for isc_buffer_copyregion() and fix its behavior for auto-reallocated buffers. [GL #644]

5071. [bug] Comparison of NXT records was broken. [GL #631]

5070. [bug] Record types which support an empty rdata field were not handling the empty rdata field case. [GL #638]

5069. [bug] Fix a hang in RPZ when named is shut down during RPZ zone update. [GL !907]

5068. [bug] Fix a race in RPZ with min-update-interval set to 0. [GL #643]

5067. [bug] Don't minimize qname when sending the query to a forwarder. [GL #361]

5066. [cleanup] Allow unquoted strings to be used as zone names in response-policy statements. [GL #641]

5065. [bug] Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]

5064. [test] Initialize TZ environment variable before calling dns_test_begin in dnstap_test. [GL #624]

5063. [test] In statschannel test try a few times before failing when checking if the compressed output is the same as uncompressed. [GL !909]

5062. [func] Use non-crypto-secure PRNG to generate nonces for cookies. [GL !887]

5061. [protocol] Add support for EID and NIMLOC. [GL #626]

5060.
[bug] GID, UID and UINFO could not be loaded using unknown 2652 record format. [GL #627] 2653 26545059. [bug] Display a per-view list of zones in the web interface. 2655 [GL #427] 2656 26575058. [func] Replace old message digest and hmac APIs with more 2658 generic isc_md and isc_hmac APIs, and convert their 2659 respective tests to cmocka. [GL #305] 2660 26615057. [protocol] Add support for ATMA. [GL #619] 2662 26635056. [placeholder] 2664 26655055. [func] A default list of primary servers for the root zone is 2666 now built into named, allowing the "masters" statement 2667 to be omitted when configuring an IANA root zone 2668 mirror. [GL #564] 2669 26705054. [func] Attempts to use mirror zones with recursion disabled 2671 are now considered a configuration error. [GL #564] 2672 26735053. [func] The only valid zone-level NOTIFY settings for mirror 2674 zones are now "notify no;" and "notify explicit;". 2675 [GL #564] 2676 26775052. [func] Mirror zones are now configured using "type mirror;" 2678 rather than "mirror yes;". [GL #564] 2679 26805051. [doc] Documentation incorrectly stated that the 2681 "server-addresses" static-stub zone option accepts 2682 custom port numbers. [GL #582] 2683 26845050. [bug] The libirs version of getaddrinfo() was unable to parse 2685 scoped IPv6 addresses present in /etc/resolv.conf. 2686 [GL #187] 2687 26885049. [cleanup] QNAME minimization has been deeply refactored. [GL #16] 2689 26905048. [func] Add configure option to enable and enforce FIPS mode 2691 in BIND 9. [GL #506] 2692 26935047. [bug] Messages logged for certain query processing failures 2694 now include a more specific error description if it is 2695 available. [GL #572] 2696 26975046. [bug] named could crash during shutdown if an RPZ 2698 reload was in progress. [RT #46210] 2699 27005045. [func] Remove support for DNSSEC algorithms 3 (DSA) 2701 and 6 (DSA-NSEC3-SHA1). [GL #22] 2702 27035044. 
[cleanup] If "dnssec-enable" is no, then "dnssec-validation" 2704 now also defaults to no. [GL #388] 2705 27065043. [bug] Fix creating and validating EdDSA signatures. [GL #579] 2707 27085042. [test] Make the chained delegations in reclimit behave 2709 like they would in a regular name server. [GL #578] 2710 27115041. [test] The chain test contains a incomplete delegation. 2712 [GL #568] 2713 27145040. [func] Extended dnstap so that it can log UPDATE requests 2715 and responses as separate message types. Thanks 2716 to Greg Rabil. [GL #570] 2717 27185039. [bug] Named could fail to preserve owner name case of new 2719 RRset. [GL #420] 2720 27215038. [bug] Chaosnet addresses were compared incorrectly. 2722 [GL #562] 2723 27245037. [func] "allow-recursion-on" and "allow-query-cache-on" 2725 each now default to the other if only one of them 2726 is set, in order to be more consistent with the way 2727 "allow-recursion" and "allow-query-cache" work. 2728 Also we now ensure that both query-cache ACLs are 2729 checked when determining cache access. [GL #319] 2730 27315036. [cleanup] Fixed a spacing/formatting error in some RPZ-related 2732 error messages in the log. [GL !805] 2733 27345035. [test] Fixed errors that prevented the DNSRPS subtests 2735 from running in the rpz and rpzrecurse system 2736 tests. [GL #503] 2737 27385034. [bug] A race between threads could prevent zone maintenance 2739 scheduled immediately after zone load from being 2740 performed. [GL #542] 2741 27425033. [bug] When adding NTAs to multiple views using "rndc nta", 2743 the text returned via rndc was incorrectly terminated 2744 after the first line, making it look as if only one 2745 NTA had been added. Also, it was not possible to 2746 differentiate between views with the same name but 2747 different classes; this has been corrected with the 2748 addition of a "-class" option. [GL #105] 2749 27505032. [func] Add krb5-selfsub and ms-selfsub update policy rules. 2751 [GL #511] 2752 27535031. 
[cleanup] Various defines in platform.h has been either dropped 2754 if always or never triggered on supported platforms 2755 or replaced with config.h equivalents if the defines 2756 didn't have any impact on public headers. Workarounds 2757 for LinuxThreads have been removed because NPTL is 2758 available since Linux kernel 2.6.0. [GL #525] 2759 27605030. [bug] Align CMSG buffers to a 64-bit boundary, fixes crash 2761 on architectures with strict alignment. [GL #521] 2762 2763 --- 9.13.3 released --- 2764 27655029. [func] Workarounds for servers that misbehave when queried 2766 with EDNS have been removed, because these broken 2767 servers and the workarounds for their noncompliance 2768 cause unnecessary delays, increase code complexity, 2769 and prevent deployment of new DNS features. See 2770 https://dnsflagday.net for further details. [GL #150] 2771 27725028. [bug] Spread the initial RRSIG expiration times over the 2773 entire working sig-validity-interval when signing a 2774 zone in named to even out re-signing and transfer 2775 loads. [GL #418] 2776 27775027. [func] Set SO_SNDBUF size on sockets. [GL #74] 2778 27795026. [bug] rndc reconfig should not touch already loaded zones. 2780 [GL #276] 2781 27825025. [cleanup] Remove isc_keyboard family of functions. [GL #178] 2783 27845024. [func] Replace custom assembly for atomic operations with 2785 atomic support from the compiler. The code will now use 2786 C11 stdatomic, or __atomic, or __sync builtins with GCC 2787 or Clang compilers, and Interlocked functions with MSVC. 2788 [GL #10] 2789 27905023. [cleanup] Remove wrappers that try to fix broken or incomplete 2791 implementations of IPv6, pthreads and other core 2792 functionality required and used by BIND. [GL #192] 2793 27945022. [doc] Update ms-self, ms-subdomain, krb5-self, and 2795 krb5-subdomain documentation. [GL !708] 2796 27975021. [bug] dig returned a non-zero exit code when it received a 2798 reply over TCP after a retry. [GL #487] 2799 28005020. 
[func] RNG uses thread-local storage instead of locks, if 2801 supported by platform. [GL #496] 2802 28035019. [cleanup] A message is now logged when ixfr-from-differences is 2804 set at zone level for an inline-signed zone. [GL #470] 2805 28065018. [bug] Fix incorrect sizeof arguments in lib/isc/pk11.c. 2807 [GL !588] 2808 28095017. [bug] lib/isc/pk11.c failed to unlink the session before 2810 releasing the lock which is unsafe. [GL !589] 2811 28125016. [bug] Named could assert with overlapping filter-aaaa and 2813 dns64 acls. [GL #445] 2814 28155015. [bug] Reloading all zones caused zone maintenance to cease 2816 for inline-signed zones. [GL #435] 2817 28185014. [bug] Signatures loaded from the journal for the signed 2819 version of an inline-signed zone were not scheduled for 2820 refresh. [GL #482] 2821 28225013. [bug] A referral response with a non-empty ANSWER section was 2823 inadvertently being treated as an error. [GL #390] 2824 28255012. [bug] Fix lock order reversal in pk11_initialize. [GL !590] 2826 28275011. [func] Remove support for unthreaded named. [GL #478] 2828 28295010. [func] New "validate-except" option specifies a list of 2830 domains beneath which DNSSEC validation should not 2831 be performed. [GL #237] 2832 28335009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL 2834 error queue was not logged. [GL #476] 2835 28365008. [bug] "rndc signing -nsec3param ..." requests were silently 2837 ignored for zones which were not yet loaded or 2838 transferred. [GL #468] 2839 28405007. [cleanup] Replace custom ISC boolean and integer data types 2841 with C99 stdint.h and stdbool.h types. [GL #9] 2842 28435006. [cleanup] Code preparing a delegation response was extracted from 2844 query_delegation() and query_zone_delegation() into a 2845 separate function in order to decrease code 2846 duplication. [GL #431] 2847 28485005. [bug] dnssec-verify, and dnssec-signzone at the verification 2849 step, failed on some validly signed zones. 
[GL #442] 2850 28515004. [bug] 'rndc reconfig' could cause inline zones to stop 2852 re-signing. [GL #439] 2853 28545003. [bug] dns_acl_isinsecure did not handle geoip elements. 2855 [GL #406] 2856 28575002. [bug] mdig: Handle malformed +ednsopt option, support 100 2858 +ednsopt options per query rather than 100 total and 2859 address memory leaks if +ednsopt was specified. 2860 [GL #410] 2861 28625001. [bug] Fix refcount errors on error paths. [GL !563] 2863 28645000. [bug] named_server_servestale() could leave the server in 2865 exclusive mode if an error occurred. [GL #441] 2866 28674999. [cleanup] Remove custom printf implementation in lib/isc/print.c. 2868 [GL #261] 2869 28704998. [test] Make resolver and cacheclean tests more civilized. 2871 28724997. [security] named could crash during recursive processing 2873 of DNAME records when "deny-answer-aliases" was 2874 in use. (CVE-2018-5740) [GL #387] 2875 28764996. [bug] dig: Handle malformed +ednsopt option. [GL #403] 2877 28784995. [test] Add tests for "tcp-self" update policy. [GL !282] 2879 28804994. [bug] Trust anchor telemetry queries were not being sent 2881 upstream for locally served zones. [GL #392] 2882 28834993. [cleanup] Remove support for silently ignoring 'no-change' deltas 2884 from BIND 8 when processing an IXFR stream. 'no-change' 2885 deltas will now trigger a fallback to AXFR as the 2886 recovery mechanism. [GL #369] 2887 28884992. [bug] The wrong address was being logged for trust anchor 2889 telemetry queries. [GL #379] 2890 28914991. [bug] "rndc reconfig" was incorrectly handling zones whose 2892 "mirror" setting was changed. [GL #381] 2893 28944990. [bug] Prevent a possible NULL reference in pkcs11-keygen. 2895 [GL #401] 2896 28974989. [cleanup] IDN support in dig has been reworked. IDNA2003 2898 fallbacks were removed in the process. [GL #384] 2899 29004988. [bug] Don't synthesize NXDOMAIN from NSEC for records under 2901 a DNAME. 2902 2903 --- 9.13.2 released --- 2904 29054987. 
[cleanup] dns_rdataslab_tordataset() and its related 2906 dns_rdatasetmethods_t callbacks were removed as they 2907 were not being used by anything in BIND. [GL #371] 2908 29094986. [func] When built on Linux, BIND now requires the libcap 2910 library to set process privileges, unless capability 2911 support is explicitly overridden with "configure 2912 --disable-linux-caps". [GL #321] 2913 29144985. [func] Add a new slave zone option, "mirror", to enable 2915 serving a non-authoritative copy of a zone that 2916 is subject to DNSSEC validation before being 2917 used. For now, this option is only meant to 2918 facilitate deployment of an RFC 7706-style local 2919 copy of the root zone. [GL #33] 2920 29214984. [bug] Improve handling of very large incremental 2922 zone transfers to prevent journal corruption. [GL #339] 2923 29244983. [func] Add the ability to not return a DNS COOKIE option 2925 when one is present in the request (answer-cookie no;). 2926 [GL #173] 2927 29284982. [cleanup] Return FORMERR if the question section is empty 2929 and no COOKIE option is present; this restores 2930 older behavior except in the newly specified 2931 COOKIE case. [GL #260] 2932 29334981. [bug] Fix race in cmsg buffer usage in socket code. 2934 [GL #180] 2935 29364980. [bug] Named-checkconf failed to detect bad in-view targets. 2937 [GL #288] 2938 29394979. [placeholder] 2940 29414978. [test] Fix error handling and resolver configuration in the 2942 "rpz" system test. [GL #312] 2943 29444977. [func] When starting up, log the same details that 2945 would be reported by 'named -V'. [GL #247] 2946 29474976. [bug] Log the label with invalid prefix length correctly 2948 when loading RPZ zones. [GL #254] 2949 29504975. [bug] The server cookie computation for sha1 and sha256 did 2951 not match the method described in RFC 7873. [GL #356] 2952 29534974. [bug] Restore default rrset-order to random. [GL #336] 2954 29554973. 
[func] verifyzone() and the functions it uses were moved to 2956 libdns and refactored to prevent exit() from being 2957 called upon failure. A side effect of that is that 2958 dnssec-signzone and dnssec-verify now check for memory 2959 leaks upon shutdown. [GL #266] 2960 29614972. [func] Declare the 'rdata' argument for dns_rdata_tostruct() 2962 to be const. [GL #341] 2963 29644971. [bug] dnssec-signzone and dnssec-verify did not treat records 2965 below a DNAME as out-of-zone data. [GL #298] 2966 29674970. [func] Add QNAME minimization option to resolver. [GL #16] 2968 29694969. [cleanup] Refactor zone logging functions. [GL #269] 2970 2971 --- 9.13.1 released --- 2972 29734968. [bug] If glue records are signed, attempt to validate them. 2974 [GL #209] 2975 29764967. [cleanup] Add "answer-cookie" to the parser, marked obsolete. 2977 29784966. [placeholder] 2979 29804965. [func] Add support for marking options as deprecated. 2981 [GL #322] 2982 29834964. [bug] Reduce the probability of double signature when deleting 2984 a DNSKEY by checking if the node is otherwise signed 2985 by the algorithm of the key to be deleted. [GL #240] 2986 29874963. [test] ifconfig.sh now uses "ip" instead of "ifconfig", 2988 if available, to configure the test interfaces on 2989 linux. [GL #302] 2990 29914962. [cleanup] Move 'named -T' processing to its own function. 2992 [GL #316] 2993 29944961. [protocol] Remove support for ECC-GOST (GOST R 34.11-94). 2995 [GL #295] 2996 29974960. [security] When recursion is enabled, but the "allow-recursion" 2998 and "allow-query-cache" ACLs are not specified, 2999 they should be limited to local networks, 3000 but were inadvertently set to match the default 3001 "allow-query", thus allowing remote queries. 3002 (CVE-2018-5738) [GL #309] 3003 30044959. [func] NSID logging (enabled by the "request-nsid" option) 3005 now has its own "nsid" category, instead of using the 3006 "resolver" category. [GL !332] 3007 30084958. 
[bug] Remove redundant space from NSEC3 record. [GL #281] 3009 30104957. [func] The default setting for "dnssec-validation" is now 3011 "auto", which activates DNSSEC validation using the 3012 IANA root key. (The default can be changed back to 3013 "yes", which activates DNSSEC validation only when keys 3014 are explicitly configured in named.conf, by building 3015 BIND with "configure --disable-auto-validation".) 3016 [GL #30] 3017 30184956. [func] Change isc_random() to be just PRNG using xoshiro128**, 3019 and add isc_nonce_buf() that uses CSPRNG. [GL #289] 3020 30214955. [cleanup] Silence cppcheck warnings in lib/dns/master.c. 3022 [GL #286] 3023 30244954. [func] Messages about serving of stale answers are now 3025 directed to the "serve-stale" logging category. 3026 Also clarified serve-stale documentation. [GL !323] 3027 30284953. [bug] Removed the option to build the red black tree 3029 database without a hash table; the non-hashing 3030 version was buggy and is not needed. [GL #184] 3031 30324952. [func] Authoritative server support in named for the 3033 EDNS CLIENT-SUBNET option (which was experimental 3034 and not practical to deploy) has been removed. 3035 3036 The ECS option is still supported in dig and mdig 3037 via the +subnet option, and can be parsed and logged 3038 when received by named, but it is no longer used 3039 for ACL processing. The "geoip-use-ecs" option 3040 is now obsolete; a warning will be logged if it is 3041 used in named.conf. "ecs" tags in an ACL definition 3042 are also obsolete and will cause the configuration 3043 to fail to load. [GL #32] 3044 30454951. [protocol] Add "HOME.ARPA" to list of built in empty zones as 3046 per RFC 8375. [GL #273] 3047 3048 --- 9.13.0 released --- 3049 30504950. [bug] ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238] 3051 30524949. [placeholder] 3053 30544948. [bug] When request-nsid is turned on, EDNS NSID options 3055 should be logged at level info. 
Since change 3741 3056 they have been logged at debug(3) by mistake. 3057 [GL !290] 3058 30594947. [func] Replace all random functions with isc_random(), 3060 isc_random_buf() and isc_random_uniform() API. 3061 [GL #221] 3062 30634946. [bug] Additional glue was not being returned by resolver 3064 for unsigned zones since change 4596. [GL #209] 3065 30664945. [func] BIND can no longer be built without DNSSEC support. 3067 A cryptography provider (i.e., OpenSSL or a hardware 3068 service module with PKCS#11 support) must be 3069 available. [GL #244] 3070 30714944. [cleanup] Silence cppcheck portability warnings in 3072 lib/isc/tests/buffer_test.c. [GL #239] 3073 30744943. [bug] Change 4687 consumed too much memory when running 3075 system tests with --with-tuning=large. Reduced the 3076 hash table size to 512 entries for 'named -m record' 3077 restoring the previous memory footprint. [GL #248] 3078 30794942. [cleanup] Consolidate multiple instances of splitting of 3080 batchline in dig into a single function. [GL #196] 3081 30824941. [cleanup] Silence clang static analyzer warnings. [GL #196] 3083 30844940. [cleanup] Extract the loop in dns__zone_updatesigs() into 3085 separate functions to improve code readability. 3086 [GL #135] 3087 30884939. [test] Add basic unit tests for update_sigs(). [GL #135] 3089 30904938. [placeholder] 3091 30924937. [func] Remove support for OpenSSL < 1.0.0 [GL #191] 3093 30944936. [func] Always use OpenSSL or PKCS#11 random data providers, 3095 and remove the --{enable,disable}-crypto-rand configure 3096 options. [GL #165] 3097 30984935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0 3099 call were added). [GL #191] 3100 31014934. [security] The serve-stale feature could cause an assertion failure 3102 in rbtdb.c even when stale-answer-enable was false. 3103 Simultaneous use of stale cache records and NSEC 3104 aggressive negative caching could trigger a recursion 3105 loop. (CVE-2018-5737) [GL #185] 3106 31074933. 
[bug] Not creating signing keys for an inline signed zone 3108 prevented changes applied to the raw zone from being 3109 reflected in the secure zone until signing keys were 3110 made available. [GL #159] 3111 31124932. [bug] Bumped signed serial of an inline signed zone was 3113 logged even when an error occurred while updating 3114 signatures. [GL #159] 3115 31164931. [func] Removed the "rbtdb64" database implementation. 3117 [GL #217] 3118 31194930. [bug] Remove a bogus check in nslookup command line 3120 argument processing. [GL #206] 3121 31224929. [func] Add the ability to set RA and TC in queries made by 3123 dig (+[no]raflag, +[no]tcflag). [GL #213] 3124 31254928. [func] The "dnskey-sig-validity" option allows 3126 "sig-validity-interval" to be overridden for signatures 3127 covering DNSKEY RRsets. [GL #145] 3128 31294927. [placeholder] 3130 31314926. [func] Add root key sentinel support. To disable, add 3132 'root-key-sentinel no;' to named.conf. [GL #37] 3133 31344925. [func] Several configuration options that define intervals 3135 can now take TTL value suffixes (for example, 2h or 1d) 3136 in addition to integer parameters. These include 3137 max-cache-ttl, max-ncache-ttl, max-policy-ttl, 3138 fstrm-set-reopen-interval, interface-interval, and 3139 min-update-interval. [GL #203] 3140 31414924. [cleanup] Clean up the isc_string_* namespace and leave 3142 only strlcpy and strlcat. [GL #178] 3143 31444923. [cleanup] Refactor socket and socket event options into 3145 enum types. [GL !135] 3146 31474922. [bug] dnstap: Log the destination address of client 3148 packets rather than the interface address. 3149 [GL #197] 3150 31514921. [cleanup] Add dns_fixedname_initname() and refactor the caller 3152 code to make usage of the new function, as a part of 3153 refactoring dns_fixedname_*() macros were turned into 3154 functions. [GL #183] 3155 31564920. [cleanup] Clean up libdns removing most of the backwards 3157 compatibility wrappers. 3158 31594919. 
[cleanup] Clean up the isc_hash_* namespace and leave only 3160 the FNV-1a hash implementation. [GL #178] 3161 31624918. [bug] Fix double free after keygen error in dnssec-keygen 3163 when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex 3164 fails. [GL #109] 3165 31664917. [func] Support 64 RPZ policy zones by default. [GL #123] 3167 31684916. [func] Remove IDNA2003 support and the bundled idnkit-1.0 3169 library. 3170 31714915. [func] Implement IDNA2008 support in dig by adding support 3172 for libidn2. New dig option +idnin has been added, 3173 which allows to process invalid domain names much 3174 like dig without IDN support. libidn2 version 2.0 3175 or higher is needed for +idnout enabled by default. 3176 31774914. [security] A bug in zone database reference counting could lead to 3178 a crash when multiple versions of a slave zone were 3179 transferred from a master in close succession. 3180 (CVE-2018-5736) [GL #134] 3181 31824913. [test] Re-implemented older unit tests in bin/tests as ATF, 3183 removed the lib/tests unit testing library. [GL #115] 3184 31854912. [test] Improved the reliability of the 'cds' system test. 3186 [GL #136] 3187 31884911. [test] Improved the reliability of the 'mkeys' system test. 3189 [GL #128] 3190 31914910. [func] Update util/check-changes to work on release branches. 3192 [GL #113] 3193 31944909. [bug] named-checkconf did not detect in-view zone collisions. 3195 [GL #125] 3196 31974908. [test] Eliminated unnecessary waiting in the allow_query 3198 system test. Also changed its name to allow-query. 3199 [GL #81] 3200 32014907. [test] Improved the reliability of the 'notify' system 3202 test. [GL #59] 3203 32044906. [func] Replace getquad() with inet_pton(), completing 3205 change #4900. [GL #56] 3206 32074905. [bug] irs_resconf_load() ignored resolv.conf syntax errors 3208 when "domain" or "search" options were present in that 3209 file. [GL #110] 3210 32114904. [bug] Temporarily revert change #4859. [GL #124] 3212 32134903. 
[bug] "check-mx fail;" did not prevent MX records containing 3214 IP addresses from being added to a zone by a dynamic 3215 update. [GL #112] 3216 32174902. [test] Improved the reliability of the 'ixfr' system 3218 test. [GL #66] 3219 32204901. [func] "dig +nssearch" now lists the name servers 3221 for a domain that time out, as well as the servers 3222 that respond. [GL #64] 3223 32244900. [func] Remove all uses of inet_aton(). As a result of this 3225 change, IPv4 addresses are now only accepted in 3226 dotted-quad format. [GL #13] 3227 32284899. [test] Convert most of the remaining system tests to be able 3229 to run in parallel, continuing the work from change 3230 #4895. To take advantage of this, use "make -jN check", 3231 where N is the number of processors to use. [GL #91] 3232 32334898. [func] Remove libseccomp based system-call filtering. [GL #93] 3234 32354897. [test] Update to rpz system test so that it doesn't recurse. 3236 [GL #68] 3237 32384896. [test] cacheclean system test was not robust. [GL #82] 3239 32404895. [test] Allow some system tests to run in parallel. 3241 [RT #46602] 3242 32434894. [bug] named could crash while rolling a dnstap output file. 3244 [RT #46942] 3245 32464893. [bug] Address various issues reported by cppcheck. [GL #51] 3247 32484892. [bug] named could leak memory when "rndc reload" was invoked 3249 before all zone loading actions triggered by a previous 3250 "rndc reload" command were completed. [RT #47076] 3251 32524891. [placeholder] 3253 32544890. [func] Remove unused ondestroy callback from libisc. 3255 [isc-projects/bind9!3] 3256 32574889. [func] Warn about the use of old root keys without the new 3258 root key being present. Warn about dlv.isc.org's 3259 key being present. Warn about both managed and 3260 trusted root keys being present. [RT #43670] 3261 32624888. [test] Initialize sockets correctly in sample-update so 3263 that the nsupdate system test will run on Windows. 3264 [RT #47097] 3265 32664887. 
[test] Enable the rpzrecurse test to run on Windows. 3267 [RT #47093] 3268 32694886. [doc] Document dig -u in manpage. [RT #47150] 3270 32714885. [security] update-policy rules that otherwise ignore the name 3272 field now require that it be set to "." to ensure 3273 that any type list present is properly interpreted. 3274 [RT #47126] 3275 32764884. [bug] named could crash on shutdown due to a race between 3277 shutdown_server() and ns__client_request(). [RT #47120] 3278 32794883. [cleanup] Improved debugging output from dnssec-cds. [RT #47026] 3280 32814882. [bug] Address potential memory leak in 3282 dns_update_signaturesinc. [RT #47084] 3283 32844881. [bug] Only include dst_openssl.h when OpenSSL is required. 3285 [RT #47068] 3286 32874880. [bug] Named wasn't returning the target of a cross-zone 3288 CNAME between two served zones when recursion was 3289 desired and available (RD=1, RA=1). (When this is 3290 not the case, the CNAME target is deliberately 3291 withheld to prevent accidental cache poisoning.) 3292 [RT #47078] 3293 32944879. [bug] dns_rdata_caa:value_len field was too small. 3295 [RT #47086] 3296 32974878. [bug] List 'ply' as a requirement for the 'isc' python 3298 package. [RT #47065] 3299 33004877. [bug] Address integer overflow when exponentially 3301 backing off retry intervals. [RT #47041] 3302 33034876. [bug] Address deadlock with accessing a keytable. [RT #47000] 3304 33054875. [bug] Address compile failures on older systems. [RT #47015] 3306 33074874. [bug] Wrong time display when reporting new keywarntime. 3308 [RT #47042] 3309 33104873. [doc] Grammars for named.conf included in the ARM are now 3311 automatically generated by the configuration parser 3312 itself. As a side effect of the work needed to 3313 separate zone type grammars from each other, this 3314 also makes checking of zone statements in 3315 named-checkconf more correct and consistent. 3316 [RT #36957] 3317 33184872. 
[bug] Don't permit loading meta RR types such as TKEY 3319 from master files. [RT #47009] 3320 33214871. [bug] Fix configure glitch in detecting stdatomic.h 3322 support on systems with multiple compilers. 3323 [RT #46959] 3324 33254870. [test] Update included ATF library to atf-0.21 preserving 3326 the ATF tool. [RT #46967] 3327 33284869. [bug] Address some cases where NULL with zero length could 3329 be passed to memmove which is undefined behavior and 3330 can lead to bad optimization. [RT #46888] 3331 33324868. [func] dnssec-keygen can no longer generate HMAC keys. 3333 Use tsig-keygen instead. [RT #46404] 3334 33354867. [cleanup] Normalize rndc on/off commands (validation, 3336 querylog, serve-stale) so they all accept the 3337 same synonyms for on/off (yes/no, true/false, 3338 enable/disable). Thanks to Tony Finch. [RT #47022] 3339 33404866. [port] DST library initialization verifies MD5 (when MD5 3341 was not disabled) and SHA-1 hash and HMAC support. 3342 [RT #46764] 3343 33444865. [cleanup] Simplify handling isc_socket_sendto2() return values. 3345 [RT #46986] 3346 33474864. [bug] named acting as a slave for a catalog zone crashed if 3348 the latter contained a master definition without an IP 3349 address. [RT #45999] 3350 33514863. [bug] Fix various other bugs reported by Valgrind's 3352 memcheck tool. [RT #46978] 3353 33544862. [bug] The rdata flags for RRSIG were not being properly set 3355 when constructing a rdataslab. [RT #46978] 3356 33574861. [bug] The isc_crc64 unit test was not endian independent. 3358 [RT #46973] 3359 33604860. [bug] isc_int8_t should be signed char. [RT #46973] 3361 33624859. [bug] A loop was possible when attempting to validate 3363 unsigned CNAME responses from secure zones; 3364 this caused a delay in returning SERVFAIL and 3365 also increased the chances of encountering 3366 CVE-2017-3145. [RT #46839] 3367 33684858. [security] Addresses could be referenced after being freed 3369 in resolver.c, causing an assertion failure. 
3370 (CVE-2017-3145) [RT #46839] 3371 33724857. [bug] Maintain attach/detach semantics for event->db, 3373 event->node, event->rdataset and event->sigrdataset 3374 in query.c. [RT #46891] 3375 33764856. [bug] 'rndc zonestatus' reported the wrong underlying type 3377 for a inline slave zone. [RT #46875] 3378 33794855. [bug] isc_time_formatshorttimestamp produced incorrect 3380 output. [RT #46938] 3381 33824854. [bug] query_synthcnamewildcard should stop generating the 3383 response if query_synthwildcard fails. [RT #46939] 3384 33854853. [bug] Add REQUIRE's and INSIST's to isc_time_formatISO8601L 3386 and isc_time_formatISO8601Lms. [RT #46916] 3387 33884852. [bug] Handle strftime() failing in isc_time_formatISO8601ms. 3389 Add REQUIRE's and INSIST's to isc_time_formattimestamp, 3390 isc_time_formathttptimestamp, isc_time_formatISO8601, 3391 isc_time_formatISO8601ms. [RT #46892] 3392 33934851. [port] Support using kyua as well as atf-run to run the unit 3394 tests. [RT #46853] 3395 33964850. [bug] Named failed to restart with multiple added zones in 3397 lmdb database. [RT #46889] 3398 33994849. [bug] Duplicate zones could appear in the .nzf file if 3400 addzone failed. [RT #46435] 3401 34024848. [func] Zone types "primary" and "secondary" can now be used 3403 as synonyms for "master" and "slave" in named.conf. 3404 [RT #46713] 3405 34064847. [bug] dnssec-dnskey-kskonly was not being honored for 3407 CDS and CDNSKEY. [RT #46755] 3408 34094846. [test] Adjust timing values in runtime system test. Address 3410 named.pid removal races in runtime system test. 3411 [RT #46800] 3412 34134845. [bug] Dig (non iOS) should exit on malformed names. 3414 [RT #46806] 3415 34164844. [test] Address memory leaks in libatf-c. [RT #46798] 3417 34184843. [bug] dnssec-signzone free hashlist on exit. [RT #46791] 3419 34204842. [bug] Conditionally compile opensslecdsa_link.c to avoid 3421 warnings about unused function. [RT #46790] 3422 3423 --- 9.12.0rc1 released --- 3424 34254841. 
[bug] Address -fsanitize=undefined warnings. [RT #46786]

4840. [test] Add tests to cover fallback to using ZSK on inactive
      KSK. [RT #46787]

4839. [bug] zone.c:zone_sign was not properly determining
      if there were active KSK and ZSK keys for
      an algorithm when update-check-ksk is true
      (default) leaving records unsigned with one or
      more DNSKEY algorithms. [RT #46774]

4838. [bug] zone.c:add_sigs was not properly determining
      if there were active KSK and ZSK keys for
      an algorithm when update-check-ksk is true
      (default) leaving records unsigned with one or
      more DNSKEY algorithms. [RT #46754]

4837. [bug] dns_update_signatures{inc} (add_sigs) was not
      properly determining if there were active KSK and
      ZSK keys for an algorithm when update-check-ksk is
      true (default) leaving records unsigned when there
      were multiple DNSKEY algorithms for the zone.
      [RT #46743]

4836. [bug] Zones created using "rndc addzone" could
      temporarily fail to inherit an "allow-transfer"
      ACL that had been configured in the options
      statement. [RT #46603]

4835. [cleanup] Clean up and refactor LMDB-related code. [RT #46718]

4834. [port] Fix LMDB support on OpenBSD. [RT #46718]

4833. [bug] isc_event_free should check that the event is not
      linked when called. [RT #46725]

4832. [bug] Events were not being removed from zone->rss_events.
      [RT #46725]

4831. [bug] Convert the RRSIG expirytime to 64 bits for
      comparisons in diff.c:resign. [RT #46710]

4830. [bug] Failure to configure ATF when requested did not cause
      an error in top-level configure script. [RT #46655]

4829. [bug] isc_heap_delete did not zero the index value when
      the heap was created with a callback to do that.
      [RT #46709]

4828. [bug] Do not use thread-local storage for storing LMDB reader
      locktable slots.
      [RT #46556]

4827. [misc] Add a precommit check script util/checklibs.sh
      [RT #46215]

4826. [cleanup] Prevent potential build failures in bin/confgen/ and
      bin/named/ when using parallel make. [RT #46648]

4825. [bug] Prevent a bogus "error during managed-keys processing
      (no more)" warning from being logged. [RT #46645]

4824. [port] Add iOS hooks to dig. [RT #42011]

4823. [test] Refactor reclimit system test to improve its
      reliability and speed. [RT #46632]

4822. [bug] Use resign_sooner in dns_db_setsigningtime. [RT #46473]

4821. [bug] When resigning ensure that the SOA's expire time is
      always later than the resigning time of other records.
      [RT #46473]

4820. [bug] dns_db_subtractrdataset should transfer the resigning
      information to the new header. [RT #46473]

4819. [bug] Fully backout the transaction when adding a RRset
      to the resigning / removal heaps fails. [RT #46473]

4818. [test] The logfileconfig system test could intermittently
      report false negatives on some platforms. [RT #46615]

4817. [cleanup] Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
      [RT #45433]

4816. [bug] Don't use a common array for storing EDNS options
      in DiG as it could fill up. [RT #45611]

4815. [bug] rbt_test.c:insert_and_delete needed to call
      dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]

4814. [cleanup] Use AS_HELP_STRING for consistent help text. [RT #46521]

4813. [bug] Address potential read after free errors from
      query_synthnodata, query_synthwildcard and
      query_synthnxdomain. [RT #46547]

4812. [bug] Minor improvements to stability and consistency of code
      handling managed keys. [RT #46468]

4811. [bug] Revert api changes to use <isc/buffer.h> inline
      macros. Provide an alternative mechanism to turn
      on the use of inline macros when building BIND.
      [RT #46520]

4810. [test] The chain system test failed if the IPv6 interfaces
      were not configured. [RT #46508]

      --- 9.12.0b2 released ---

4809. [port] Check at configure time whether -latomic is needed
      for stdatomic.h. [RT #46324]

4808. [bug] Properly test for zlib.h. [RT #46504]

4807. [cleanup] isc_rng_randombytes() returns a specified number of
      bytes from the PRNG; this is now used instead of
      calling isc_rng_random() multiple times. [RT #46230]

4806. [func] Log messages related to loading of zones are now
      directed to the "zoneload" logging category.
      [RT #41640]

4805. [bug] TCP4Active and TCP6Active weren't being updated
      correctly. [RT #46454]

4804. [port] win32: access() does not work on directories as
      required by POSIX. Supply an alternative in
      isc_file_isdirwritable. [RT #46394]

4803. [placeholder]

4802. [test] Refactor mkeys system test to make it quicker and more
      reliable. [RT #45293]

4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
      trust-anchor dlv.isc.org;' now elicit warnings rather
      than being fatal configuration errors. [RT #46410]

4800. [bug] When processing delzone, write one zone config per
      line to the NZF. [RT #46323]

4799. [cleanup] Improve clarity of keytable unit tests. [RT #46407]

4798. [func] Keys specified in "managed-keys" statements
      are tagged as "initializing" until they have been
      updated by a key refresh query. If initialization
      fails it will be visible from "rndc secroots".
      [RT #46267]

4797. [func] Removed "isc-hmac-fixup", as the versions of BIND that
      had the bug it worked around are long past end of
      life. [RT #46411]

4796. [bug] Increase the maximum configurable TCP keepalive
      timeout to 65535. [RT #44710]

4795.
[func] A new statistics counter has been added to track
      priming queries. [RT #46313]

4794. [func] "dnssec-checkds -s" specifies a file from which
      to read a DS set rather than querying the parent.
      [RT #44667]

4793. [bug] nsupdate -[46] could overflow the array of server
      addresses. [RT #46402]

4792. [bug] Fix map file header correctness check. [RT #38418]

4791. [doc] Fixed outdated documentation about export libraries.
      [RT #46341]

4790. [bug] nsupdate could trigger a require when sending an
      update to the second address of the server.
      [RT #45731]

4789. [cleanup] Check writability of new-zones-directory. [RT #46308]

4788. [cleanup] When using "update-policy local", log a warning
      when an update matching the session key is received
      from a remote host. [RT #46213]

4787. [cleanup] Turn nsec3param_salt_totext() into a public function,
      dns_nsec3param_salttotext(), and add unit tests for it.
      [RT #46289]

4786. [func] The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
      options are no longer conditionally compiled.
      [RT #46340]

4785. [func] The hmac-md5 algorithm is no longer recommended for
      use with RNDC keys. The default in rndc-confgen
      is now hmac-sha256. [RT #42272]

4784. [func] The use of dnssec-keygen to generate HMAC keys is
      deprecated in favor of tsig-keygen. dnssec-keygen
      will print a warning when used for this purpose.
      All HMAC algorithms will be removed from
      dnssec-keygen in a future release. [RT #42272]

4783. [test] dnssec: 'check that NOTIFY is sent at the end of
      NSEC3 chain generation failed' required more time
      on some machines for the IXFR to complete. [RT #46388]

4782. [test] dnssec: 'checking positive and negative validation
      with negative trust anchors' required more time to
      complete on some machines. [RT #46386]

4781.
[maint] B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]

4780. [bug] When answering ANY queries, don't include the NS
      RRset in the authority section if it was already
      in the answer section. [RT #44543]

4779. [bug] Expire NTA at the start of the second. Don't update
      the expiry value if the record has already expired
      after a successful check. [RT #46368]

4778. [test] Improve synth-from-dnssec testing. [RT #46352]

4777. [cleanup] Removed a redundant call to configure_view_acl().
      [RT #46369]

4776. [bug] Improve portability of ht_test. [RT #46333]

4775. [bug] Address Coverity warnings in ht_test.c and mem_test.c
      [RT #46281]

4774. [bug] <isc/util.h> was incorrectly included in several
      header files. [RT #46311]

4773. [doc] Fixed generating Doxygen documentation for functions
      annotated using certain macros. Miscellaneous
      Doxygen-related cleanups. [RT #46276]

      --- 9.12.0b1 released ---

4772. [test] Expanded unit testing framework for libns, using
      hooks to interrupt query flow and inspect state
      at specified locations. [RT #46173]

4771. [bug] When sending RFC 5011 refresh queries, disregard
      cached DNSKEY rrsets. [RT #46251]

4770. [bug] Cache additional data from priming queries as glue.
      Previously they were ignored as unsigned
      non-answer data from a secure zone, and never
      actually got added to the cache, causing hints
      to be used frequently for root-server
      addresses, which triggered re-priming. [RT #45241]

4769. [func] The working directory and managed-keys directory has
      to be writeable (and seekable). [RT #46077]

4768. [func] By default, memory is no longer filled with tag values
      when it is allocated or freed; this improves
      performance but makes debugging of certain memory
      issues more difficult. "named -M fill" turns memory
      filling back on.
      (Building with "configure --enable-developer"
      turns memory fill on by default again; it can
      then be disabled with "named -M nofill".)
      [RT #45123]

4767. [func] Add a new function, isc_buffer_printf(), which can be
      used to append a formatted string to the used region of
      a buffer. [RT #46201]

4766. [cleanup] Address Coverity warnings. [RT #46150]

4765. [bug] Address potential INSIST in dnssec-cds. [RT #46150]

4764. [bug] Address portability issues in cds system test.
      [RT #46214]

4763. [contrib] Improve compatibility when building MySQL DLZ
      module by using mysql_config if available.
      [RT #45558]

4762. [func] "update-policy local" is now restricted to updates
      from local addresses. (Previously, other addresses
      were allowed so long as updates were signed by the
      local session key.) [RT #45492]

4761. [protocol] Add support for DOA. [RT #45612]

4760. [func] Add glue cache statistics counters. [RT #46028]

4759. [func] Add logging channel "trust-anchor-telemetry" to
      record trust-anchor-telemetry in incoming requests.
      Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
      are logged. [RT #46124]

4758. [doc] Remove documentation of unimplemented "topology".
      [RT #46161]

4757. [func] New "dnssec-cds" command creates a new parent DS
      RRset based on CDS or CDNSKEY RRsets found in
      a child zone, and generates either a dsset file
      or stream of nsupdate commands to update the
      parent. Thanks to Tony Finch. [RT #46090]

4756. [bug] Interrupting dig could lead to an INSIST failure after
      certain errors were encountered while querying a host
      whose name resolved to more than one address. Change
      4537 increased the odds of triggering this issue by
      causing dig to hang indefinitely when certain error
      paths were evaluated.
      dig now also retries TCP queries
      (once) if the server gracefully closes the connection
      before sending a response. [RT #42832, #45159]

4755. [cleanup] Silence unnecessary log message when NZF file doesn't
      exist. [RT #46186]

4754. [bug] dns_zone_setview needs a two stage commit to properly
      handle errors. [RT #45841]

4753. [contrib] Software obtainable from known upstream locations
      (i.e., zkt, nslint, query-loc) has been removed.
      Links to these and other packages can be found at
      https://www.isc.org/community/tools [RT #46182]

4752. [test] Add unit test for isc_net_pton. [RT #46171]

4751. [func] "dnssec-signzone -S" can now automatically add parent
      synchronization records (CDS and CDNSKEY) according
      to key metadata set using the -Psync and -Dsync
      options to dnssec-keygen and dnssec-settime.
      [RT #46149]

4750. [func] "rndc managed-keys destroy" shuts down RFC 5011 key
      maintenance and deletes the managed-keys database.
      If followed by "rndc reconfig" or a server restart,
      key maintenance is reinitialized from scratch.
      This is primarily intended for testing. [RT #32456]

4749. [func] The ISC DLV service has been shut down, and all
      DLV records have been removed from dlv.isc.org.
      - Removed references to ISC DLV in documentation
      - Removed DLV key from bind.keys
      - No longer use ISC DLV by default in delv
      - "dnssec-lookaside auto" and configuration of
        "dnssec-lookaside" with dlv.isc.org as the trust
        anchor are both now fatal errors.
      [RT #46155]

4748. [cleanup] Sprintf to snprintf conversions. [RT #46132]

4747. [func] Synthesis of responses from DNSSEC-verified records.
      Stage 3 - synthesize NODATA responses. [RT #40138]

4746. [cleanup] Add configured prefixes to configure summary
      output. [RT #46153]

4745.
[test] Add color-coded pass/fail messages to system
      tests when running on terminals that support them.
      [RT #45977]

4744. [bug] Suppress trust-anchor-telemetry queries if
      validation is disabled. [RT #46131]

4743. [func] Exclude trust-anchor-telemetry queries from
      synth-from-dnssec processing. [RT #46123]

4742. [func] Synthesis of responses from DNSSEC-verified records.
      Stage 2 - synthesis of records from wildcard data.
      If the dns64 or filter-aaaa* is configured then the
      involved lookups are currently excluded. [RT #40138]

4741. [bug] Make isc_refcount_current() atomically read the
      counter value. [RT #46074]

4740. [cleanup] Avoid triggering format-truncated warnings. [RT #46107]

4739. [cleanup] Address clang static analysis warnings. [RT #45952]

4738. [port] win32: strftime mishandles %Z. [RT #46039]

4737. [cleanup] Address Coverity warnings. [RT #46012]

4736. [cleanup] (a) Added comments to NSEC3-related functions in
      lib/dns/zone.c. (b) Refactored NSEC3 salt formatting
      code. (c) Minor tweaks to lock and result handling.
      [RT #46053]

4735. [bug] Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]

4734. [contrib] Added sample configuration for DNS-over-TLS in
      contrib/dnspriv.

4733. [bug] Change #4706 introduced a bug causing TCP clients
      not to be reused correctly, leading to unconstrained
      memory growth. [RT #46029]

4732. [func] Change default minimal-responses setting to
      no-auth-recursive. [RT #46016]

4731. [bug] Fix use after free when closing an LMDB. [RT #46000]

4730. [bug] Fix out of bounds access in DHCID totext() method.
      [RT #46001]

4729. [bug] Don't use memset() to wipe memory, as it may be
      removed by compiler optimizations when the
      memset() occurs on automatic stack allocation
      just before function return. [RT #45947]

4728.
[func] Use C11's stdatomic.h instead of isc_atomic
      where available. [RT #40668]

4727. [bug] Retransferring an inline-signed slave using NSEC3
      around the time its NSEC3 salt was changed could result
      in an infinite signing loop. [RT #45080]

4726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN
      from being logged on FreeBSD if the kernel does not
      support it. Notify the user when the kernel does
      support TCP_FASTOPEN, but it is disabled by sysctl.
      Add a new configure option, --disable-tcp-fastopen, to
      disable use of TCP_FASTOPEN altogether. [RT #44754]

4725. [bug] Nsupdate: "recvsoa" was incorrectly reported for
      failures in sending the update message. The correct
      location to be reported is "update_completed".
      [RT #46014]

4724. [func] By default, BIND now uses the random number
      functions provided by the crypto library (i.e.,
      OpenSSL or a PKCS#11 provider) as a source of
      randomness rather than /dev/random. This is
      suitable for virtual machine environments
      which have limited entropy pools and lack
      hardware random number generators.

      This can be overridden by specifying another
      entropy source via the "random-device" option
      in named.conf, or via the -r command line option;
      however, for functions requiring full cryptographic
      strength, such as DNSSEC key generation, this
      cannot be overridden. In particular, the -r
      command line option no longer has any effect on
      dnssec-keygen.

      This can be disabled by building with
      "configure --disable-crypto-rand".
      [RT #31459] [RT #46047]

4723. [bug] Statistics counter DNSTAPdropped was misidentified
      as DNSSECdropped. [RT #46002]

4722. [cleanup] Clean up uses of strcpy() and strcat() in favor of
      strlcpy() and strlcat() for safety. [RT #45981]

4721.
[func] 'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
      options now apply to CDNSKEY and DS records as well
      as DNSKEY. Thanks to Tony Finch. [RT #45689]

4720. [func] Added a statistics counter to track prefetch
      queries. [RT #45847]

4719. [bug] Address PVS static analyzer warnings. [RT #45946]

4718. [func] Avoid searching for an owner name compression pointer
      more than once when writing out a RRset. [RT #45802]

4717. [bug] Treat replies with QCOUNT=0 as truncated if TC=1,
      FORMERR if TC=0, and log the error correctly.
      [RT #45836]

4716. [placeholder]

      --- 9.12.0a1 released ---

4715. [bug] TreeMemMax was mis-identified as a second HeapMemMax
      in the Json cache statistics. [RT #45980]

4714. [port] openbsd/libressl: add support for building with
      --enable-openssl-hash. [RT #45982]

4713. [func] Added support for the DNS Response Policy Service
      (DNSRPS) API, which allows named to use an external
      response policy daemon when built with
      "configure --enable-dnsrps". Thanks to Farsight
      Security. [RT #43376]

4712. [bug] "dig +domain" and "dig +search" didn't retain the
      search domain when retrying with TCP. [RT #45547]

4711. [test] Some RR types were missing from genzones.sh.
      [RT #45782]

4710. [cleanup] Changed the --enable-openssl-hash default to yes.
      [RT #45019]

4709. [cleanup] Use dns_name_fullhash() to hash names for RRL.
      [RT #45435]

4708. [cleanup] Legacy Windows builds (i.e. for XP and earlier)
      are no longer supported. [RT #45186]

4707. [func] The lightweight resolver daemon and library (lwresd
      and liblwres) have been removed. [RT #45186]

4706. [func] Code implementing name server query processing has
      been moved from bin/named to a new library "libns".
      Functions remaining in bin/named are now prefixed
      with "named_" rather than "ns_". This will make it
      easier to write unit tests for name server code, or
      link name server functionality into new tools.
      [RT #45186]

4705. [placeholder]

4704. [cleanup] Silence Visual Studio compiler warnings. [RT #45898]

4703. [bug] BINDInstall.exe was missing some buffer length checks.
      [RT #45898]

4702. [func] Update function declarations to use
      dns_masterstyle_flags_t for style flags. [RT #45924]

4701. [cleanup] Refactored lib/dns/tsig.c to reduce code
      duplication and simplify the disabling of MD5.
      [RT #45490]

4700. [func] Serving of stale answers is now supported. This
      allows named to provide stale cached answers when
      the authoritative server is under attack.
      See max-stale-ttl, stale-answer-enable,
      stale-answer-ttl. [RT #44790]

4699. [func] Multiple cookie-secret clauses can now be specified.
      The first one specified is used to generate new
      server cookies. [RT #45672]

4698. [port] Add --with-python-install-dir configure option to allow
      specifying a nonstandard installation directory for
      Python modules. [RT #45407]

4697. [bug] Restore workaround for Microsoft Windows TSIG hash
      computation bug. [RT #45854]

4696. [port] Enable filter-aaaa support by default on Windows
      builds. [RT #45883]

4695. [bug] cookie-secrets were not being properly checked by
      named-checkconf. [RT #45886]

4694. [func] dnssec-keygen no longer uses RSASHA1 by default;
      the signing algorithm must be specified on
      the command line with the "-a" option. Signing
      scripts that rely on the existing default behavior
      will break; use "dnssec-keygen -a RSASHA1" to
      repair them.
      (The goal of this change is to make
      it easier to find scripts using RSASHA1 so they
      can be changed in the event of that algorithm
      being deprecated in the future.) [RT #44755]

4693. [func] Synthesis of responses from DNSSEC-verified records.
      Stage 1 covers NXDOMAIN synthesis from NSEC records.
      This is controlled by synth-from-dnssec and is enabled
      by default. [RT #40138]

4692. [bug] Fix build failures with libressl introduced in 4676.
      [RT #45879]

4691. [func] Add -4/-6 command line options to nsupdate and rndc.
      [RT #45632]

4690. [bug] Command line options -4/-6 were handled inconsistently
      between tools. [RT #45632]

4689. [cleanup] Turn on minimal responses for CDNSKEY and CDS in
      addition to DNSKEY and DS. Thanks to Tony Finch.
      [RT #45690]

4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in
      messages. [RT #44804]

4687. [func] Refactor tracklines code. [RT #45126]

4686. [bug] dnssec-settime -p could print a bogus warning about
      key deletion scheduled before its inactivation when a
      key had an inactivation date set but no deletion date
      set. [RT #45807]

4685. [bug] dnssec-settime incorrectly calculated publication and
      activation dates for a successor key. [RT #45806]

4684. [bug] delv could send bogus DNS queries when an explicit
      server address was specified on the command line along
      with -4/-6. [RT #45804]

4683. [bug] Prevent nsupdate from immediately exiting on invalid
      user input in interactive mode. [RT #28194]

4682. [bug] Don't report errors on records below a DNAME.
      [RT #44880]

4681. [bug] Log messages from the validator now include the
      associated view unless the view is "_default/IN"
      or "_dnsclient/IN". [RT #45770]

4680. [bug] Fix failing over to another master server address when
      nsupdate is used with GSS-API.
      [RT #45380]

4679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record
      not at top of zone and -o is not used. [RT #45519]

4678. [bug] geoip-use-ecs has the wrong type when geoip support
      is disabled at configure time. [RT #45763]

4677. [cleanup] Split up the main function in dig to better support
      the iOS app version. [RT #45508]

4676. [cleanup] Allow BIND to be built using OpenSSL 1.0.X with
      deprecated functions removed. [RT #45706]

4675. [cleanup] Don't use C++ keyword class. [RT #45726]

4674. [func] "dig +sigchase", and related options "+topdown" and
      "+trusted-keys", have been removed. Use "delv" for
      queries with DNSSEC validation. [RT #42793]

4673. [port] Silence GCC 7 warnings. [RT #45592]

4672. [placeholder]

4671. [bug] Fix a race condition that could cause the
      resolver to crash with assertion failure when
      chasing DS in specific conditions with a very
      short RTT to the upstream nameserver. [RT #45168]

4670. [cleanup] Ensure that a request MAC is never sent back
      in an XFR response unless the signature was
      verified. [RT #45494]

4669. [func] Iterative query logic in resolver.c has been
      refactored into smaller functions and commented,
      for improved readability, maintainability and
      testability. [RT #45362]

4668. [bug] Use localtime_r and gmtime_r for thread safety.
      [RT #45664]

4667. [cleanup] Refactor RDATA unit tests. [RT #45610]

4666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9)
      could cause a parser error when reading the policy
      file. This now works correctly so long as the domain
      name is quoted. [RT #45641]

4665. [protocol] Added support for ED25519 and ED448 DNSSEC signing
      algorithms (RFC 8080).
      (Note: these algorithms
      depend on code currently in the development branch
      of OpenSSL which has not yet been released.)
      [RT #44696]

4664. [func] Add a "glue-cache" option to enable or disable the
      glue cache. The default is "yes". [RT #45125]

4663. [cleanup] Clarify error message printed by dnssec-dsfromkey.
      [RT #21731]

4662. [performance] Improve cache memory cleanup of zero TTL records
      by putting them at the tail of LRU header lists.
      [RT #45274]

4661. [bug] A race condition could occur if a zone was reloaded
      while resigning, triggering a crash in
      rbtdb.c:closeversion(). [RT #45276]

4660. [bug] Remove spurious "peer" from Windows socket log
      messages. [RT #45617]

4659. [bug] Remove spurious log message about lmdb-mapsize
      not being supported when parsing builtin
      configuration file. [RT #45618]

4658. [bug] Clean up build directory created by "setup.py install"
      immediately. [RT #45628]

4657. [bug] rrchecker system test result could be improperly
      determined. [RT #45602]

4656. [bug] Apply "port" and "dscp" values specified in catalog
      zone's "default-masters" option to the generated
      configuration of its member zones. [RT #45545]

4655. [bug] Lack of seccomp could be falsely reported. [RT #45599]

4654. [cleanup] Don't use C++ keywords delete, new and namespace.
      [RT #45538]

4653. [bug] Reorder includes to move @DST_OPENSSL_INC@ and
      @ISC_OPENSSL_INC@ after shipped include directories.
      [RT #45581]

4652. [bug] Nsupdate could attempt to use a zeroed address on
      server timeout. [RT #45417]

4651. [test] Silence coverity warnings in tsig_test.c. [RT #45528]

4650. [placeholder]

4649. [bug] The wrong zone was logged when a catalog zone is added.
      [RT #45520]

4648.
[bug] "rndc reconfig" on a slave no longer causes all member
      zones of configured catalog zones to be removed from
      configuration. [RT #45310]

4647. [bug] Change 4643 broke verification of TSIG signed TCP
      message sequences where not all the messages contain
      TSIG records. These may be used in AXFR and IXFR
      responses. [RT #45509]

4646. [placeholder]

4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled.
      [RT #45300]

4644. [placeholder]

4643. [security] An error in TSIG handling could permit unauthorized
      zone transfers or zone updates. (CVE-2017-3142)
      (CVE-2017-3143) [RT #45383]

4642. [cleanup] Add more logging of RFC 5011 events affecting the
      status of managed keys: newly observed keys,
      deletion of revoked keys, etc. [RT #45354]

4641. [cleanup] Parallel builds (make -j) could fail with --with-atf /
      --enable-developer. [RT #45373]

4640. [bug] If query_findversion failed in query_getdb due to
      memory failure the error status was incorrectly
      discarded. [RT #45331]

4639. [bug] Fix a regression in --with-tuning reporting introduced
      by change 4488. [RT #45396]

4638. [bug] Reloading or reconfiguring named could fail on
      some platforms when LMDB was in use. [RT #45203]

4637. [func] "nsec3hash -r" option ("rdata order") takes arguments
      in the same order as they appear in NSEC3 or
      NSEC3PARAM records, so that NSEC3 parameters can
      be cut and pasted from an existing record. Thanks
      to Tony Finch for the contribution. [RT #45183]

4636. [bug] Normalize rpz policy zone names when checking for
      existence. [RT #45358]

4635. [bug] Fix RPZ NSDNAME logging that was logging
      failures as NSIP. [RT #45052]

4634. [contrib] check5011.pl needs to handle optional space before
      semi-colon in +multi-line output. [RT #45352]

4633.
[maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.

4632. [security] The BIND installer on Windows used an unquoted
      service path, which can enable privilege escalation.
      (CVE-2017-3141) [RT #45229]

4631. [security] Some RPZ configurations could go into an infinite
      query loop when encountering responses with TTL=0.
      (CVE-2017-3140) [RT #45181]

4630. [bug] "dyndb" is dependent on dlopen existing / being
      enabled. [RT #45291]

4629. [bug] dns_client_startupdate could not be called with a
      running client. [RT #45277]

4628. [bug] Fixed a potential reference leak in query_getdb().
      [RT #45247]

4627. [placeholder]

4626. [test] Added more tests for handling of different record
      ordering in CNAME and DNAME responses. [QA #430]

4625. [bug] Running "rndc addzone" and "rndc delzone" at close
      to the same time could trigger a deadlock if using
      LMDB. [RT #45209]

4624. [placeholder]

4623. [bug] Use --with-protobuf-c and --with-libfstrm to find
      protoc-c and fstrm_capture. [RT #45187]

4622. [bug] Remove unnecessary escaping of semicolon in CAA and
      URI records. [RT #45216]

4621. [port] Force alignment of oid arrays to silence loader
      warnings. [RT #45131]

4620. [port] Handle EPFNOSUPPORT being returned when probing
      to see if a socket type is supported. [RT #45214]

4619. [bug] Call isc_mem_put instead of isc_mem_free in
      bin/named/server.c:setup_newzones. [RT #45202]

4618. [bug] Check isc_mem_strdup results in dns_view_setnewzones.
      Add logging for lmdb call failures. [RT #45204]

4617. [test] Update rndc system test to be more delay tolerant.
      [RT #45177]

4616. [bug] When using LMDB, zones deleted using "rndc delzone"
      were not correctly removed from the new-zone
      database. [RT #45185]

4615.
[bug] AD could be set on truncated answer with no records
      present in the answer and authority sections.
      [RT #45140]

4614. [test] Fixed an error in the sockaddr unit test. [RT #45146]

4613. [func] By default, the maximum size of a zone journal file
      is now twice the size of the zone's contents (there
      is little benefit to a journal larger than this).
      This can be overridden by setting "max-journal-size"
      to "unlimited" or to an explicit value up to 2G.
      Thanks to Tony Finch. [RT #38324]

4612. [bug] Silence 'may be use uninitalised' warning and simplify
      the code in lwres/getaddinfo:process_answer.
      [RT #45158]

4611. [bug] The default LMDB mapsize was too low and caused
      errors after a few thousand zones were added using
      rndc addzone. A new config option "lmdb-mapsize"
      has been introduced to configure the LMDB
      mapsize depending on operational needs.
      [RT #44954]

4610. [func] The "new-zones-directory" option specifies the
      location of NZF or NZD files for storing
      configuration of zones added by "rndc addzone".
      Thanks to Petr Menšík. [RT #44853]

4609. [cleanup] Rearrange makefiles to enable parallel execution
      (i.e. "make -j"). [RT #45078]

4608. [func] DiG now warns about .local queries which are reserved
      for Multicast DNS. [RT #44783]

4607. [bug] The memory context's malloced and maxmalloced counters
      were being updated without the appropriate lock being
      held. [RT #44869]

4606. [port] Stop using experimental "Experimental keys on scalar"
      feature of perl as it has been removed. [RT #45012]

4605. [performance] Improve performance for delegation heavy answers
      and also general query performance. Removes the
      acache feature that didn't significantly improve
      performance. Adds a glue cache. Removes
      additional-from-cache and additional-from-auth
      features.
Enables minimal-responses by default. Improves performance of compression code, owner case restoration, hash function, etc. Uses inline buffer implementation by default. Many other performance changes and fixes. [RT #44029]

4604. [bug] Don't use ERR_load_crypto_strings() when building with OpenSSL 1.1.0. [RT #45117]

4603. [doc] Automatically generate named.conf(5) man page from doc/misc/options. Thanks to Tony Finch. [RT #43525]

4602. [func] Threads are now set to human-readable names to assist debugging, when supported by the OS. [RT #43234]

4601. [bug] Reject incorrect RSA key lengths during key generation and sign/verify context creation. [RT #45043]

4600. [bug] Adjust RPZ trigger counts only when the entry being deleted exists. [RT #43386]

4599. [bug] Fix inconsistencies in inline signing time comparison that were introduced with the introduction of rdatasetheader->resign_lsb. [RT #42112]

4598. [func] Update fuzzing code to (1) reply to a DNSKEY query from named with appropriate DNSKEY used in fuzzing; (2) patch the QTYPE correctly in resolver fuzzing; (3) comment things so the rest of us are able to understand how fuzzing is implemented in named; (4) Coding style changes, cleanup, etc. [RT #44787]

4597. [bug] The validator now ignores SHA-1 DS digest type when a DS record with SHA-384 digest type is present and is a supported digest type. [RT #45017]

4596. [bug] Validate glue before adding it to the additional section. This also fixes incorrect TTL capping when the RRSIG expired earlier than the TTL. [RT #45062]

4595. [func] dnssec-keygen will no longer generate RSA keys less than 1024 bits in length. dnssec-keymgr was similarly updated. [RT #36895]

4594.
[func] "dnstap-read -x" prints a hex dump of the wire format of each logged DNS message. [RT #44816]

4593. [doc] Update README using markdown, remove outdated FAQ file in favor of the knowledge base.

4592. [bug] A race condition on shutdown could trigger an assertion failure in dispatch.c. [RT #43822]

4591. [port] Addressed some python 3 compatibility issues. Thanks to Ville Skytta. [RT #44955] [RT #44956]

4590. [bug] Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being properly detected. [RT #44871]

4589. [cleanup] "configure -q" is now silent. [RT #44829]

4588. [bug] nsupdate could send queries for TKEY to the wrong server when using GSSAPI. Thanks to Tomas Hozza. [RT #39893]

4587. [bug] named-checkzone failed to handle occulted data below DNAMEs correctly. [RT #44877]

4586. [func] dig, host and nslookup now use TCP for ANY queries. [RT #44687]

4585. [port] win32: Set CompileAS value. [RT #42474]

4584. [bug] A number of memory usage statistics were not properly reported when they exceeded 4G. [RT #44750]

4583. [func] "host -A" returns most records for a name but omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.) [RT #43032]

4582. [security] 'rndc ""' could trigger an assertion failure in named. (CVE-2017-3138) [RT #44924]

4581. [port] Linux: Add getpid and getrandom to the list of system calls named uses for seccomp. [RT #44883]

4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850]

4579. [func] Logging channels and dnstap output files can now be configured with a "suffix" option, set to either "increment" or "timestamp", indicating whether to use incrementing numbers or timestamps as the file suffix when rolling over a log file. [RT #42838]

4578.
[security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734]

4577. [func] Make qtype of resolver fuzzing packet configurable via command line. [RT #43540]

4576. [func] The RPZ implementation has been substantially refactored for improved performance and reliability. [RT #43449]

4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653]

4574. [bug] Dig leaked memory with multiple +subnet options. [RT #44683]

4573. [func] Query logic has been substantially refactored (e.g. query_find function has been split into smaller functions) for improved readability, maintainability and testability. [RT #43929]

4572. [func] The "dnstap-output" option can now take "size" and "versions" parameters to indicate the maximum size a dnstap log file can grow before rolling to a new file, and how many old files to retain. [RT #44502]

4571. [bug] Out-of-tree builds of backtrace_test failed.

4570. [cleanup] named did not correctly fall back to the built-in initializing keys if the bind.keys file was present but empty. [RT #44531]

4569. [func] Store both local and remote addresses in dnstap logging, and modify dnstap-read output format to print them. [RT #43595]

4568. [contrib] Added a --with-bind option to the dnsperf configure script to specify BIND prefix path.

4567. [port] Call getprotobyname and getservbyname prior to calling chroot so that shared libraries get loaded. [RT #44537]

4566. [func] Query logging now includes the ECS option if one was included in the query. [RT #44476]

4565. [cleanup] The inline macro versions of isc_buffer_put*() did not implement automatic buffer reallocation. [RT #44216]

4564.
[maint] Update the built-in managed keys to include the upcoming root KSK. [RT #44579]

4563. [bug] Modified zones would occasionally fail to reload. [RT #39424]

4562. [func] Add additional memory statistics currently malloced and maxmalloced per memory context. [RT #43593]

4561. [port] Silence a warning in strict C99 compilers. [RT #44414]

4560. [bug] mdig: add -m option to enable memory debugging rather than having it on all the time. [RT #44509]

4559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES was turned off. [RT #44509]

4558. [bug] Synthesised CNAME before matching DNAME was still being cached when it should not have been. [RT #44318]

4557. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT #44434]

4556. [bug] Sending an EDNS Padding option using "dig +ednsopt" could cause a crash in dig. [RT #44462]

4555. [func] dig +ednsopt: EDNS options can now be specified by name in addition to numeric value. [RT #44461]

4554. [bug] Remove double unlock in dns_dispatchmgr_setudp. [RT #44336]

4553. [bug] Named could deadlock if there were multiple changes to NSEC/NSEC3 parameters for a zone being processed at the same time. [RT #42770]

4552. [bug] Named could trigger an assertion when sending notify messages. [RT #44019]

4551. [test] Add system tests for integrity checks of MX and SRV records. [RT #43953]

4550. [cleanup] Increased the number of available master file output style flags from 32 to 64. [RT #44043]

4549. [func] Added support for the EDNS TCP Keepalive option (RFC 7828). [RT #42126]

4548. [func] Added support for the EDNS Padding option (RFC 7830). [RT #42094]

4547. [port] Add support for --enable-native-pkcs11 on the AEP Keyper HSM. [RT #42463]

4546.
[func] Extend the use of const declarations. [RT #43379]

4545. [func] Expand YAML output from dnstap-read to include a detailed breakdown of the DNS message contents. [RT #43642]

4544. [bug] Add message/payload size to dnstap-read YAML output. [RT #43622]

4543. [bug] dns_client_startupdate now delays sending the update request until isc_app_ctxrun has been called. [RT #43976]

4542. [func] Allow rndc to manipulate redirect zones by using -redirect as the zone name (use "-redirect." to manipulate a zone named "-redirect"). [RT #43971]

4541. [bug] rndc addzone should properly reject non master/slave zones. [RT #43665]

4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure. [RT #43601]

4539. [bug] Referencing a nonexistent zone with RPZ could lead to an assertion failure when configuring. [RT #43787]

4538. [bug] Call dns_client_startresolve from client->task. [RT #43896]

4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576]

4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared when reusing the event structure. [RT #43885]

4535. [bug] Address race condition in setting / testing of DNS_REQUEST_F_SENDING. [RT #43889]

4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]

4533. [bug] dns_client_update should terminate on prerequisite failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET) and also on BADZONE. [RT #43865]

4532. [contrib] Make gen-data-queryperf.py python 3 compatible. [RT #43836]

4531. [security] 'is_zone' was not being properly updated by redirect2 and subsequently preserved leading to an assertion failure. (CVE-2016-9778) [RT #43837]

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME in responses resulting in SERVFAIL being returned. [RT #43779]

4529.
[cleanup] Silence noisy log warning when DSCP probe fails due to firewall rules. [RT #43847]

4528. [bug] Only set the flag bits for the i/o we are waiting for on EPOLLERR or EPOLLHUP. [RT #43617]

4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]

4526. [doc] Corrected errors and improved formatting of grammar definitions in the ARM. [RT #43739]

4525. [doc] Fixed outdated documentation on managed-keys. [RT #43810]

4524. [bug] The net zero test was broken causing IPv4 servers with addresses ending in .0 to be rejected. [RT #43776]

4523. [doc] Expand config doc for <querysource4> and <querysource6>. [RT #43768]

4522. [bug] Handle big gaps in log file version numbers better. [RT #38688]

4521. [cleanup] Log it as an error if an entropy source is not found and there is no fallback available. [RT #43659]

4520. [cleanup] Alphabetize more of the grammar when printing it out. Fix unbalanced indenting. [RT #43755]

4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]

4518. [func] The "print-time" option in the logging configuration can now take arguments "local", "iso8601" or "iso8601-utc" to indicate the format in which the date and time should be logged. For backward compatibility, "yes" is a synonym for "local". [RT #42585]

4517. [security] Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. (CVE-2016-9444) [RT #43632]

4516. [bug] isc_socketmgr_renderjson was missing from the windows build. [RT #43602]

4515. [port] FreeBSD: Find readline headers when they are in edit/readline/ instead of readline/. [RT #43658]

4514. [port] NetBSD: strip -WL, from ld command line. [RT #43204]

4513. [cleanup] Minimum Python versions are now 2.7 and 3.2. [RT #43566]

4512.
[bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in. [RT #43556]

4511. [bug] win32: mdig.exe-BNFT was missing Configure. [RT #43554]

4510. [security] Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. (CVE-2016-9147) [RT #43548]

4509. [test] Make the rrl system test more reliable on slower machines by using mdig instead of dig. [RT #43280]

4508. [security] Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522]

4507. [bug] Named could incorrectly log 'allows updates by IP address, which is insecure'. [RT #43432]

4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]

4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]

4504. [security] Allow the maximum number of records in a zone to be specified. This provides a control for issues raised in CVE-2016-6170. [RT #42143]

4503. [cleanup] "make uninstall" now removes files installed by BIND. (This currently excludes Python files due to lack of support in setup.py.) [RT #42192]

4502. [func] Report multiple and experimental options when printing grammar. [RT #43134]

4501. [placeholder]

4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]

4499. [port] MacOSX: silence deprecated function warning by using arc4random_stir() when available instead of arc4random_addrandom(). [RT #43503]

4498. [test] Simplify prerequisite checks in system tests. [RT #43516]

4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]

4496. [func] dig: add +idnout to control whether labels are displayed in punycode or not. Requires idn support to be enabled at compile time.
[RT #43398]

4495. [bug] An isc_mutex_init call was not being checked. [RT #43391]

4494. [bug] Look for <editline/readline.h>. [RT #43429]

4493. [bug] bin/tests/system/dyndb/driver/Makefile.in should use SO_TARGETS. [RT #43336]

4492. [bug] irs_resconf_load failed to initialize sortlistnxt causing bad writes if resolv.conf contained a sortlist directive. [RT #43459]

4491. [bug] Improve message emitted when testing whether sendmsg works with TOS/TCLASS fails. [RT #43483]

4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.

4489. [security] It was possible to trigger assertions when processing a response containing a DNAME answer. (CVE-2016-8864) [RT #43465]

4488. [port] Darwin: use -framework for Kerberos. [RT #43418]

4487. [test] Make system tests work on Windows. [RT #42931]

4486. [bug] Look in $prefix/lib/pythonX.Y/site-packages for the python modules we install. [RT #43330]

4485. [bug] Failure to find readline when requested should be fatal to configure. [RT #43328]

4484. [func] Check prefixes in acls to make sure the address and prefix lengths are consistent. Warn only in BIND 9.11 and earlier. [RT #43367]

4483. [bug] Address use before require check and remove extraneous dns_message_gettsigkey call in dns_tsig_sign. [RT #43374]

4482. [cleanup] Change #4455 was incomplete. [RT #43252]

4481. [func] dig: make +class, +crypto, +multiline, +rrcomments, +onesoa, +qr, +ttlid, +ttlunits and -u per lookup rather than global. [RT #42450]

4480. [placeholder]

4479. [placeholder]

4478. [func] Add +continue option to mdig, allow continue on socket errors. [RT #43281]

4477. [test] Fix mkeys test timing issues. [RT #41028]

4476. [test] Fix reclimit test on slower machines. [RT #43283]

4475.
[doc] Update named-checkconf documentation. [RT #43153]

4474. [bug] win32: call WSAStartup in fromtext_in_wks so that getprotobyname and getservbyname work. [RT #43197]

4473. [bug] Only call fsync / _commit on regular files. [RT #43196]

4472. [bug] Named could fail to find the correct NSEC3 records when a zone was updated between looking for the answer and looking for the NSEC3 records proving nonexistence of the answer. [RT #43247]

--- 9.11.0 released ---

--- 9.11.0rc3 released ---

4471. [cleanup] Render client/query logging format consistent for ease of log file parsing. (Note that this affects "querylog" format: there is now an additional field indicating the client object address.) [RT #43238]

4470. [bug] Reset message with intent parse before calling dns_dispatch_getnext. [RT #43229]

4469. [placeholder]

--- 9.11.0rc2 released ---

4468. [bug] Address ECS option handling issues. [RT #43191]

4467. [security] It was possible to trigger an assertion when rendering a message. (CVE-2016-2776) [RT #43139]

4466. [bug] Interface scanning didn't work on a Windows system without a non-local IPv6 address. [RT #43130]

4465. [bug] Don't use "%z" as Windows doesn't support it. [RT #43131]

4464. [bug] Fix windows python support. [RT #43173]

4463. [bug] The dnstap system test failed on some systems. [RT #43129]

4462. [bug] Don't describe a returned EDNS COOKIE as "good" when there isn't a valid server cookie. [RT #43167]

4461. [bug] win32: not all external data was properly marked as external data for windows dll. [RT #43161]

--- 9.11.0rc1 released ---

4460. [test] Add system test for dnstap using unix domain sockets. [RT #42926]

4459.
[bug] TCP client objects created to handle pipeline queries were not cleaned up correctly, causing uncontrolled memory growth. [RT #43106]

4458. [cleanup] Update assertions to be more correct, and also remove use of a reserved word. [RT #43090]

4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.

4456. [doc] Add DOCTYPE and lang attribute to <html> tags. [RT #42587]

4455. [cleanup] Allow dyndb modules to correctly log the filename and line number when processing configuration text from named.conf. [RT #43050]

4454. [bug] 'rndc dnstap -reopen' had a race issue. [RT #43089]

4453. [bug] Prefetching of DS records failed to update their RRSIGs. [RT #42865]

4452. [bug] The default key manager policy file is now <sysdir>/dnssec-policy.conf (usually /etc/dnssec-policy.conf). [RT #43064]

4451. [cleanup] Log more useful information if a PKCS#11 provider library cannot be loaded. [RT #43076]

4450. [port] Provide more nuanced HSM support which better matches the specific PKCS11 providers capabilities. [RT #42458]

4449. [test] Fix catalog zones test on slower systems. [RT #42997]

4448. [bug] win32: ::1 was not being found when iterating interfaces. [RT #42993]

4447. [tuning] Allow the fstrm_iothr_init() options to be set using named.conf to control how dnstap manages the data flow. [RT #42974]

4446. [bug] The cache_find() and _findrdataset() functions could find rdatasets that had been marked stale. [RT #42853]

4445. [cleanup] isc_errno_toresult() can now be used to call the formerly private function isc__errno2result(). [RT #43050]

4444.
[bug] Fixed some issues related to dyndb: A bug caused braces to be omitted when passing configuration text from named.conf to a dyndb driver, and there was a use-after-free in the sample dyndb driver. [RT #43050]

4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on TCP sockets. [RT #42864]

4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted tree data structure with overlapping networks (longest prefix match was ineffective). [RT #43035]

4441. [cleanup] Alphabetize host's help output. [RT #43031]

4440. [func] Enable TCP fast open support when available on the server side. [RT #42866]

4439. [bug] Address race conditions getting ownernames of nodes. [RT #43005]

4438. [func] Use LIFO rather than FIFO when processing startup notify and refresh queries. [RT #42825]

4437. [func] Minimal-responses now has two additional modes no-auth and no-auth-recursive which suppress adding the NS records to the authority section as well as the associated address records for the nameservers. [RT #42005]

4436. [func] Return TLSA records as additional data for MX and SRV lookups. [RT #42894]

4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message will not fit into a single IPv4 encapsulated IPv6 UDP packet when transmitted over an Ethernet link. [RT #42871]

4434. [protocol] Return EDNS EXPIRE option for master zones in addition to slave zones. [RT #43008]

4433. [cleanup] Report an error when passing an invalid option or view name to "rndc dumpdb". [RT #42958]

4432. [test] Hide rndc output on expected failures in logfileconfig system test. [RT #27996]

4431. [bug] named-checkconf now checks the rate-limit clause. [RT #42970]

4430. [bug] Lwresd died if a search list was not defined. Found by 0x710DDDD At Alibaba Security.
[RT #42895]

4429. [bug] Address potential use after free on fclose() error. [RT #42976]

4428. [bug] The "test dispatch getnext" unit test could fail in a threaded build. [RT #42979]

4427. [bug] The "query" and "response" parameters to the "dnstap" option had their functions reversed.

--- 9.11.0b3 released ---

4426. [bug] Addressed Coverity warnings. [RT #42908]

4425. [bug] arpaname, dnstap-read and named-rrchecker were not being installed into ${prefix}/bin. Tidy up installation issues with CHANGE 4421. [RT #42910]

4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries to provide feedback to the trust-anchor administrators about how key rollovers are progressing as per draft-ietf-dnsop-edns-key-tag-02. This can be disabled using 'trust-anchor-telemetry no;'. [RT #40583]

4423. [maint] Added missing IPv6 address 2001:500:84::b for B.ROOT-SERVERS.NET. [RT #42898]

4422. [port] Silence clang warnings in dig.c and dighost.c. [RT #42451]

4421. [func] When built with LMDB (Lightning Memory-mapped Database), named will now use a database to store the configuration for zones added by "rndc addzone" instead of using a flat NZF file. This improves performance of "rndc delzone" and "rndc modzone" significantly. Existing NZF files will automatically be converted to NZD databases. To view the contents of an NZD or to roll back to NZF format, use "named-nzd2nzf". To disable this feature, use "configure --without-lmdb". [RT #39837]

4420. [func] nslookup now looks for AAAA as well as A by default. [RT #40420]

4419. [bug] Don't cause undefined result if the label of an entry in catalog zone is changed. [RT #42708]

4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879]

4417.
[bug] dnssec-keymgr could fail to create successor keys if the prepublication interval was set to a value smaller than the default. [RT #42820]

4416. [bug] dnssec-keymgr: Domain names in policy files could fail to match due to trailing dots. [RT #42807]

4415. [bug] dnssec-keymgr: Expired/deleted keys were not always excluded. [RT #42884]

4414. [bug] Corrected a bug in the MIPS implementation of isc_atomic_xadd(). [RT #41965]

4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]

--- 9.11.0b2 released ---

4412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was removed. [RT #42721]

4411. [func] "rndc dnstap -roll" automatically rolls the dnstap output file; the previous version is saved with ".0" suffix, and earlier versions with ".1" and so on. An optional numeric argument indicates how many prior files to save. [RT #42830]

4410. [bug] Address use after free and memory leak with dnstap. [RT #42746]

4409. [bug] DNS64 should exclude mapped addresses by default when an exclude acl is not defined. [RT #42810]

4408. [func] Continue waiting for expected response when the response we get does not match the request. [RT #41026]

4407. [performance] Use GCC builtin for clz in RPZ lookup code. [RT #42818]

4406. [security] getrrsetbyname with a non-absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if, when combined with a search list entry, the resulting name is too long. (CVE-2016-2775) [RT #42694]

4405. [bug] Change 4342 introduced a regression where you could not remove a delegation in an NSEC3 signed zone using OPTOUT via nsupdate. [RT #42702]

4404. [misc] Allow krb5-config to be used when configuring gssapi. [RT #42580]

4403.
[bug] Rename variables and arguments that shadow: basename, clone and gai_error.

4402. [bug] protoc-c is now a hard requirement for --enable-dnstap.

--- 9.11.0b1 released ---

4401. [misc] Change LICENSE to MPL 2.0.

4400. [bug] ttl policy was not being inherited in policy.py. [RT #42718]

4399. [bug] policy.py 'ECCGOST', 'ECDSAP256SHA256', and 'ECDSAP384SHA384' don't have settable keysize. [RT #42718]

4398. [bug] Correct spelling of ECDSAP256SHA256 in policy.py. [RT #42718]

4397. [bug] Update Windows python support. [RT #42538]

4396. [func] dnssec-keymgr now takes a '-r randomfile' option. [RT #42455]

4395. [bug] Improve out-of-tree installation of python modules. [RT #42586]

4394. [func] Add rndc command "dnstap-reopen" to close and reopen dnstap output files. [RT #41803]

4393. [bug] Address potential NULL pointer dereferences in dnstap code.

4392. [func] Collect statistics for RSSAC02v3 traffic-volume, traffic-sizes and rcode-volume reporting. [RT #41475]

4391. [contrib] Fix leaks in contrib DLZ code. [RT #42707]

4390. [doc] Description of masters with TSIG, allow-query and allow-transfer options in catalog zones. [RT #42692]

4389. [test] Rewritten test suite for catalog zones. [RT #42676]

4388. [func] Support for master entries with TSIG keys in catalog zones. [RT #42577]

4387. [bug] Change 4336 was not complete leading to SERVFAIL being returned as NS records expired. [RT #42683]

4386. [bug] Remove shadowed overmem function/variable. [RT #42706]

4385. [func] Add support for allow-query and allow-transfer ACLs to catalog zones. [RT #42578]

4384. [bug] Change 4256 accidentally disabled logging of the rndc command. [RT #42654]

4383.
[bug] Correct spelling error in stats channel description of "EDNS client subnet option received". [RT #42633]

4382. [bug] rndc {addzone,modzone,delzone,showzone} should all compare the zone name using a canonical format. [RT #42630]

4381. [bug] Missing "zone-directory" option in catalog zone definition caused BIND to crash. [RT #42579]

--- 9.11.0a3 released ---

4380. [experimental] Added a "zone-directory" option to "catalog-zones" syntax, allowing local masterfiles for slaves that are provisioned by catalog zones to be stored in a directory other than the server's working directory. [RT #42527]

4379. [bug] An INSIST could be triggered if a zone contains RRSIG records with expiry fields that loop using serial number arithmetic. [RT #40571]

4378. [contrib] #include <isc/string.h> for strlcat in zone2ldap.c. [RT #42525]

4377. [bug] Don't reuse zero TTL responses beyond the current client set (excludes ANY/SIG/RRSIG queries). [RT #42142]

4376. [experimental] Added support for Catalog Zones, a new method for provisioning secondary servers in which a list of zones to be served is stored in a DNS zone and can be propagated to slaves via AXFR/IXFR. [RT #41581]

4375. [func] Add support for automatic reallocation of isc_buffer to isc_buffer_put* functions. [RT #42394]

4374. [bug] Use SAVE/RESTORE macros in query.c to reduce the probability of reference counting errors as seen in 4365. [RT #42405]

4373. [bug] Address undefined behavior in getaddrinfo. [RT #42479]

4372. [bug] Address undefined behavior in libt_api. [RT #42480]

4371. [func] New "minimal-any" option reduces the size of UDP responses for qtype ANY by returning a single arbitrarily selected RRset instead of all RRsets. Thanks to Tony Finch. [RT #41615]

4370.
[bug] Address python3 compatibility issues with RNDC module. [RT #42499] [RT #42506]

--- 9.11.0a2 released ---

4369. [bug] Fix 'make' and 'make install' out-of-tree python support. [RT #42484]

4368. [bug] Fix a crash when calling "rndc stats" on some Windows builds because some Visual Studio compilers generated crashing code for the "%z" printf() format specifier. [RT #42380]

4367. [bug] Remove unnecessary assignment of loadtime in zone_touched. [RT #42440]

4366. [bug] Address race condition when updating rbtnode bit fields. [RT #42379]

4365. [bug] Address zone reference counting errors involving nxdomain-redirect. [RT #42258]

4364. [port] freebsd: add -Wl,-E to loader flags. [RT #41690]

4363. [port] win32: Disable explicit triggering UAC when running BINDInstall.

4362. [func] Changed rndc reconfig behavior so that newly added zones are loaded asynchronously and the loading does not block the server. [RT #41934]

4361. [cleanup] Where supported, file modification times returned by isc_file_getmodtime() are now accurate to the nanosecond. [RT #41968]

4360. [bug] Silence spurious 'bad key type' message when there is an existing TSIG key. [RT #42195]

4359. [bug] Inherited 'also-notify' lists were not being checked by named-checkconf. [RT #42174]

4358. [test] Added American Fuzzy Lop harness that allows feeding fuzzed packets into BIND. [RT #41723]

4357. [func] Add the python RNDC module. [RT #42093]

4356. [func] Add the ability to specify whether to wait for nameserver addresses to be looked up or not to RPZ with a new modifying directive 'nsip-wait-recurse'. [RT #35009]

4355.
[func] "pkcs11-list" now displays the extractability attribute of private or secret keys stored in an HSM, as either "true", "false", or "never". Thanks to Daniel Stirnimann. [RT #36557]

4354. [bug] Check that the received HMAC length matches the expected length prior to checking the contents on the control channel. This prevents an OOB read error. This was reported by Lian Yihan, <lianyihan@360.cn>. [RT #42215]

4353. [cleanup] Update PKCS#11 header files. [RT #42175]

4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to be disabled in 2017. A warning is now logged when named is configured to use it, either explicitly or via "dnssec-lookaside auto;". [RT #42207]

4351. [bug] 'dig +noignore' didn't work. [RT #42273]

4350. [contrib] Declare result in dlz_filesystem_dynamic.c.

4349. [contrib] kasp2policy: A python script to create a DNSSEC policy file from an OpenDNSSEC KASP XML file.

4348. [func] dnssec-keymgr: A new python-based DNSSEC key management utility, which reads a policy definition file and can create or update DNSSEC keys as needed to ensure that a zone's keys match policy, roll over correctly on schedule, etc. Thanks to Sebastian Castro for assistance in development. [RT #39211]

4347. [port] Corrected a build error on x86_64 Solaris. [RT #42150]

4346. [bug] Fixed a regression introduced in change #4337 which caused signed domains with revoked KSKs to fail validation. [RT #42147]

4345. [contrib] perftcpdns mishandled the return values from clock_nanosleep. [RT #42131]

4344. [port] Address openssl version differences. [RT #42059]

4343. [bug] dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>. [RT #42090]

4342. [bug] 'rndc flushtree' could fail to clean the tree if there wasn't a node at the specified name.
[RT #41846] 5175 5176 --- 9.11.0a1 released --- 5177 51784341. [bug] Correct the handling of ECS options with 5179 address family 0. [RT #41377] 5180 51814340. [performance] Implement adaptive read-write locks, reducing the 5182 overhead of locks that are only held briefly. 5183 [RT #37329] 5184 51854339. [test] Use "mdig" to test pipelined queries. [RT #41929] 5186 51874338. [bug] Reimplement change 4324 as it wasn't properly doing 5188 all the required book keeping. [RT #41941] 5189 51904337. [bug] The previous change exposed a latent flaw in 5191 key refresh queries for managed-keys when 5192 a cached DNSKEY had TTL 0. [RT #41986] 5193 51944336. [bug] Don't emit records with zero ttl unless the records 5195 were learnt with a zero ttl. [RT #41687] 5196 51974335. [bug] zone->view could be detached too early. [RT #41942] 5198 51994334. [func] 'named -V' now reports zlib version. [RT #41913] 5200 52014333. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42 and 5202 2001:500:9f::42. 5203 52044332. [placeholder] 5205 52064331. [func] When loading managed signed zones detect if the 5207 RRSIG's inception time is in the future and regenerate 5208 the RRSIG immediately. [RT #41808] 5209 52104330. [protocol] Identify the PAD option as "PAD" when printing out 5211 a message. 5212 52134329. [func] Warn about a common misconfiguration when forwarding 5214 RFC 1918 zones. [RT #41441] 5215 52164328. [performance] Add dns_name_fromwire() benchmark test. [RT #41694] 5217 52184327. [func] Log query and depth counters during fetches when 5219 querytrace (./configure --enable-querytrace) is 5220 enabled (helps in diagnosing). [RT #41787] 5221 52224326. [protocol] Add support for AVC. [RT #41819] 5223 52244325. [func] Add a line to "rndc status" indicating the 5225 hostname and operating system details. [RT #41610] 5226 52274324. [bug] When deleting records from a zone database, interior 5228 nodes could be left empty but not deleted, damaging 5229 search performance afterward. 
[RT #40997] 5230 52314323. [bug] Improve HTTP header processing on statschannel. 5232 [RT #41674] 5233 52344322. [security] Duplicate EDNS COOKIE options in a response could 5235 trigger an assertion failure. (CVE-2016-2088) 5236 [RT #41809] 5237 52384321. [bug] Zones using mapped files containing out-of-zone data 5239 could return SERVFAIL instead of the expected NODATA 5240 or NXDOMAIN results. [RT #41596] 5241 52424320. [bug] Insufficient memory allocation when handling 5243 "none" ACL could cause an assertion failure in 5244 named when parsing ACL configuration. [RT #41745] 5245 52464319. [security] Fix resolver assertion failure due to improper 5247 DNAME handling when parsing fetch reply messages. 5248 (CVE-2016-1286) [RT #41753] 5249 52504318. [security] Malformed control messages can trigger assertions 5251 in named and rndc. (CVE-2016-1285) [RT #41666] 5252 52534317. [bug] Age all unused servers on fetch timeout. [RT #41597] 5254 52554316. [func] Add option to tools to print RRs in unknown 5256 presentation format [RT #41595]. 5257 52584315. [bug] Check that configured view class isn't a meta class. 5259 [RT #41572]. 5260 52614314. [contrib] Added 'dnsperf-2.1.0.0-1', a set of performance 5262 testing tools provided by Nominum, Inc. 5263 52644313. [bug] Handle ns_client_replace failures in test mode. 5265 [RT #41190] 5266 52674312. [bug] dig's unknown DNS and EDNS flags (MBZ value) logging 5268 was not consistent. [RT #41600] 5269 52704311. [bug] Prevent "rndc delzone" from being used on 5271 response-policy zones. [RT #41593] 5272 52734310. [performance] Use __builtin_expect() where available to annotate 5274 conditions with known behavior. [RT #41411] 5275 52764309. [cleanup] Remove the spurious "none" filename from log messages 5277 when processing built-in configuration. [RT #41594] 5278 52794308. [func] Added operating system details to "named -V" 5280 output. [RT #41452] 5281 52824307. 
[bug] "dig +subnet" and "mdig +subnet" could send 5283 incorrectly-formatted Client Subnet options 5284 if the prefix length was not divisible by 8. 5285 Also fixed a memory leak in "mdig". [RT #45178] 5286 52874306. [maint] Added a PKCS#11 openssl patch supporting 5288 version 1.0.2f [RT #38312] 5289 52904305. [bug] dnssec-signzone was not removing unnecessary rrsigs 5291 from the zone's apex. [RT #41483] 5292 52934304. [port] xfer system test failed as 'tail -n +value' is not 5294 portable. [RT #41315] 5295 52964303. [bug] "dig +subnet" was unable to send a prefix length of 5297 zero, as it was incorrectly changed to 32 for v4 5298 prefixes or 128 for v6 prefixes. In addition to 5299 fixing this, "dig +subnet=0" has been added as a 5300 short form for 0.0.0.0/0. The same changes have 5301 also been made in "mdig". [RT #41553] 5302 53034302. [port] win32: fixed a build error in VS 2015. [RT #41426] 5304 53054301. [bug] dnssec-settime -p [DP]sync was not working. [RT #41534] 5306 53074300. [bug] A flag could be set in the wrong field when setting 5308 up non-recursive queries; this could cause the 5309 SERVFAIL cache to cache responses it shouldn't. 5310 New querytrace logging has been added which 5311 identified this error. [RT #41155] 5312 53134299. [bug] Check that exactly totallen bytes are read when 5314 reading a RRset from raw files in both single read 5315 and incremental modes. [RT #41402] 5316 53174298. [bug] dns_rpz_add errors in loadzone were not being 5318 propagated up the call stack. [RT #41425] 5319 53204297. [test] Ensure delegations in RPZ zones fail robustly. 5321 [RT #41518] 5322 53234296. [bug] TCP packet sizes were calculated incorrectly in the 5324 stats channel; they could be counted in the wrong 5325 histogram bucket. [RT #40587] 5326 53274295. [bug] An unchecked result in dns_message_pseudosectiontotext() 5328 could allow incorrect text formatting of EDNS EXPIRE 5329 options. [RT #41437] 5330 53314294. 
[bug] Fixed a regression in which "rndc stop -p" failed 5332 to print the PID. [RT #41513] 5333 53344293. [bug] Address memory leak on priming query creation failure. 5335 [RT #41512] 5336 53374292. [placeholder] 5338 53394291. [cleanup] Added a required include to dns/forward.h. [RT #41474] 5340 53414290. [func] The timers returned by the statistics channel 5342 (indicating current time, server boot time, and 5343 most recent reconfiguration time) are now reported 5344 with millisecond accuracy. [RT #40082] 5345 53464289. [bug] The server could crash due to memory being used 5347 after it was freed if a zone transfer timed out. 5348 [RT #41297] 5349 53504288. [bug] Fixed a regression in resolver.c:possibly_mark() 5351 which caused known-bogus servers to be queried 5352 anyway. [RT #41321] 5353 53544287. [bug] Silence an overly noisy log message when message 5355 parsing fails. [RT #41374] 5356 53574286. [security] render_ecs errors were mishandled when printing out 5358 a OPT record resulting in a assertion failure. 5359 (CVE-2015-8705) [RT #41397] 5360 53614285. [security] Specific APL data could trigger a INSIST. 5362 (CVE-2015-8704) [RT #41396] 5363 53644284. [bug] Some GeoIP options were incorrectly documented 5365 using abbreviated forms which were not accepted by 5366 named. The code has been updated to allow both 5367 long and abbreviated forms. [RT #41381] 5368 53694283. [bug] OPENSSL_config is no longer re-callable. [RT #41348] 5370 53714282. [func] 'dig +[no]mapped' determine whether the use of mapped 5372 IPv4 addresses over IPv6 is permitted or not. The 5373 default is +mapped. [RT #41307] 5374 53754281. [bug] Teach dns_message_totext about BADCOOKIE. [RT #41257] 5376 53774280. [performance] Use optimal message sizes to improve compression 5378 in AXFRs. This reduces network traffic. [RT #40996] 5379 53804279. [test] Don't use fixed ports when unit testing. [RT #41194] 5381 53824278. [bug] 'delv +short +[no]split[=##]' didn't work as expected. 
5383 [RT #41238] 5384 53854277. [performance] Improve performance of the RBT, the central zone 5386 datastructure: The aux hashtable was improved, 5387 hash function was updated to perform more 5388 uniform mapping, uppernode was added to 5389 dns_rbtnode, and other cleanups and performance 5390 improvements were made. [RT #41165] 5391 53924276. [protocol] Add support for SMIMEA. [RT #40513] 5393 53944275. [performance] Lazily initialize dns_compress->table only when 5395 compression is enabled. [RT #41189] 5396 53974274. [performance] Speed up typemap processing from text. [RT #41196] 5398 53994273. [bug] Only call dns_test_begin() and dns_test_end() once each 5400 in nsec3_test as it fails with GOST if called multiple 5401 times. 5402 54034272. [bug] dig: the +norrcomments option didn't work with +multi. 5404 [RT #41234] 5405 54064271. [test] Unit tests could deadlock in isc__taskmgr_pause(). 5407 [RT #41235] 5408 54094270. [security] Update allowed OpenSSL versions as named is 5410 potentially vulnerable to CVE-2015-3193. 5411 54124269. [bug] Zones using "map" format master files currently 5413 don't work as policy zones. This limitation has 5414 now been documented; attempting to use such zones 5415 in "response-policy" statements is now a 5416 configuration error. [RT #38321] 5417 54184268. [func] "rndc status" now reports the path to the 5419 configuration file. [RT #36470] 5420 54214267. [test] Check sdlz error handling. [RT #41142] 5422 54234266. [placeholder] 5424 54254265. [bug] Address unchecked isc_mem_get calls. [RT #41187] 5426 54274264. [bug] Check const of strchr/strrchr assignments match 5428 argument's const status. [RT #41150] 5429 54304263. [contrib] Address compiler warnings in mysqldyn module. 5431 [RT #41130] 5432 54334262. 
[bug] Fixed a bug in epoll socket code that caused 5434 sockets to not be registered for ready 5435 notification in some cases, causing named to not 5436 read from or write to them, resulting in what 5437 appear to the user as blocked connections. 5438 [RT #41067] 5439 54404261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. 5441 [RT #40556] 5442 54434260. [security] Insufficient testing when parsing a message allowed 5444 records with an incorrect class to be be accepted, 5445 triggering a REQUIRE failure when those records 5446 were subsequently cached. (CVE-2015-8000) [RT #40987] 5447 54484259. [func] Add an option for non-destructive control channel 5449 access using a "read-only" clause. In such 5450 cases, a restricted set of rndc commands are 5451 allowed for querying information from named. 5452 [RT #40498] 5453 54544258. [bug] Limit rndc query message sizes to 32 KiB. This should 5455 not break any legitimate rndc commands, but will 5456 prevent a rogue rndc query from allocating too 5457 much memory. [RT #41073] 5458 54594257. [cleanup] Python scripts reported incorrect version. [RT #41080] 5460 54614256. [bug] Allow rndc command arguments to be quoted so as 5462 to allow spaces. [RT #36665] 5463 54644255. [performance] Add 'message-compression' option to disable DNS 5465 compression in responses. [RT #40726] 5466 54674254. [bug] Address missing lock when getting zone's serial. 5468 [RT #41072] 5469 54704253. [security] Address fetch context reference count handling error 5471 on socket error. (CVE-2015-8461) [RT#40945] 5472 54734252. [func] Add support for automating the generation CDS and 5474 CDNSKEY rrsets to named and dnssec-signzone. 5475 [RT #40424] 5476 54774251. [bug] NTAs were deleted when the server was reconfigured 5478 or reloaded. [RT #41058] 5479 54804250. [func] Log the TSIG key in use during inbound zone 5481 transfers. [RT #41075] 5482 54834249. 
[func] Improve error reporting of TSIG / SIG(0) records in 5484 the wrong location. [RT #41030] 5485 54864248. [performance] Add an isc_atomic_storeq() function, use it in 5487 stats counters to improve performance. 5488 [RT #39972] [RT #39979] 5489 54904247. [port] Require both HAVE_JSON and JSON_C_VERSION to be 5491 defined to report json library version. [RT #41045] 5492 54934246. [test] Ensure the statschannel system test runs when BIND 5494 is not built with libjson. [RT #40944] 5495 54964245. [placeholder] 5497 54984244. [bug] The parser was not reporting that use-ixfr is obsolete. 5499 [RT #41010] 5500 55014243. [func] Improved stats reporting from Timothe Litt. [RT #38941] 5502 55034242. [bug] Replace the client if not already replaced when 5504 prefetching. [RT #41001] 5505 55064241. [doc] Improved the TSIG, TKEY, and SIG(0) sections in 5507 the ARM. [RT #40955] 5508 55094240. [port] Fix LibreSSL compatibility. [RT #40977] 5510 55114239. [func] Changed default servfail-ttl value to 1 second from 10. 5512 Also, the maximum value is now 30 instead of 300. 5513 [RT #37556] 5514 55154238. [bug] Don't send to servers on net zero (0.0.0.0/8). 5516 [RT #40947] 5517 55184237. [doc] Upgraded documentation toolchain to use DocBook 5 5519 and dblatex. [RT #40766] 5520 55214236. [performance] On machines with 2 or more processors (CPU), the 5522 default value for the number of UDP listeners 5523 has been changed to the number of detected 5524 processors minus one. [RT #40761] 5525 55264235. [func] Added support in named for "dnstap", a fast method of 5527 capturing and logging DNS traffic, and a new command 5528 "dnstap-read" to read a dnstap log file. Use 5529 "configure --enable-dnstap" to enable this 5530 feature (note that this requires libprotobuf-c 5531 and libfstrm). See the ARM for configuration details. 5532 5533 Thanks to Robert Edmonds of Farsight Security. 5534 [RT #40211] 5535 55364234. 
[func] Add deflate compression in statistics channel HTTP 5537 server. [RT #40861] 5538 55394233. [test] Add tests for CDS and CDNSKEY with delegation-only. 5540 [RT #40597] 5541 55424232. [contrib] Address unchecked memory allocation calls in 5543 query-loc and zone2ldap. [RT #40789] 5544 55454231. [contrib] Address unchecked calloc call in dlz_mysqldyn_mod.c. 5546 [RT #40840] 5547 55484230. [contrib] dlz_wildcard_dynamic.c:dlz_create could return a 5549 uninitialized result. [RT #40839] 5550 55514229. [bug] A variable could be used uninitialized in 5552 dns_update_signaturesinc. [RT #40784] 5553 55544228. [bug] Address race condition in dns_client_destroyrestrans. 5555 [RT #40605] 5556 55574227. [bug] Silence static analysis warnings. [RT #40828] 5558 55594226. [bug] Address a theoretical shutdown race in 5560 zone.c:notify_send_queue(). [RT #38958] 5561 55624225. [port] freebsd/openbsd: Use '${CC} -shared' for building 5563 shared libraries. [RT #39557] 5564 55654224. [func] Added support for "dyndb", a new interface for loading 5566 zone data from an external database, developed by 5567 Red Hat for the FreeIPA project. 5568 5569 DynDB drivers fully implement the BIND database 5570 API, and are capable of significantly better 5571 performance and functionality than DLZ drivers, 5572 while taking advantage of advanced database 5573 features not available in BIND such as multi-master 5574 replication. 5575 5576 Thanks to Adam Tkac and Petr Spacek of Red Hat. 5577 [RT #35271] 5578 55794223. [func] Add support for setting max-cache-size to percentage 5580 of available physical memory, set default to 90%. 5581 [RT #38442] 5582 55834222. [func] Bias IPv6 servers when selecting the next server to 5584 query. [RT #40836] 5585 55864221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create. 5587 [RT #40583] 5588 55894220. [doc] Improve documentation for zone-statistics. 5590 [RT #36955] 5591 55924219. 
[bug] Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK, 5593 EGAIN when these soft error are not retried for 5594 isc_socket_send*(). 5595 55964218. [bug] Potential null pointer dereference on out of memory 5597 if mmap is not supported. [RT #40777] 5598 55994217. [protocol] Add support for CSYNC. [RT #40532] 5600 56014216. [cleanup] Silence static analysis warnings. [RT #40649] 5602 56034215. [bug] nsupdate: skip to next request on GSSTKEY create 5604 failure. [RT #40685] 5605 56064214. [protocol] Add support for TALINK. [RT #40544] 5607 56084213. [bug] Don't reuse a cache across multiple classes. 5609 [RT #40205] 5610 56114212. [func] Re-query if we get a bad client cookie returned over 5612 UDP. [RT #40748] 5613 56144211. [bug] Ensure that lwresd gets at least one task to work 5615 with if enabled. [RT #40652] 5616 56174210. [cleanup] Silence use after free false positive. [RT #40743] 5618 56194209. [bug] Address resource leaks in dlz modules. [RT #40654] 5620 56214208. [bug] Address null pointer dereferences on out of memory. 5622 [RT #40764] 5623 56244207. [bug] Handle class mismatches with raw zone files. 5625 [RT #40746] 5626 56274206. [bug] contrib: fixed a possible NULL dereference in 5628 DLZ wildcard module. [RT #40745] 5629 56304205. [bug] 'named-checkconf -p' could include unwanted spaces 5631 when printing tuples with unset optional fields. 5632 [RT #40731] 5633 56344204. [bug] 'dig +trace' failed to lookup the correct type if 5635 the initial root NS query was retried. [RT #40296] 5636 56374203. [test] The rrchecker system test now tests conversion 5638 to and from unknown-type format. [RT #40584] 5639 56404202. [bug] isccc_cc_fromwire() could return an incorrect 5641 result. [RT #40614] 5642 56434201. [func] The default preferred-glue is now the address record 5644 type of the transport the query was received 5645 over. [RT #40468] 5646 56474200. [cleanup] win32: update BINDinstall to be BIND release 5648 independent. [RT #38915] 5649 56504199. 
[protocol] Add support for NINFO, RKEY, SINK, TA. 5651 [RT #40545] [RT #40547] [RT #40561] [RT #40563] 5652 56534198. [placeholder] 5654 56554197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses. 5656 [RT #40603] 5657 56584196. [doc] Improve how "enum + other" types are documented. 5659 [RT #40608] 5660 56614195. [bug] 'max-zone-ttl unlimited;' was broken. [RT #40608] 5662 56634194. [bug] named-checkconf -p failed to properly print a port 5664 range. [RT #40634] 5665 56664193. [bug] Handle broken servers that return BADVERS incorrectly. 5667 [RT #40427] 5668 56694192. [bug] The default rrset-order of random was not always being 5670 applied. [RT #40456] 5671 56724191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones 5673 as per RFC 6763. [RT #37889] 5674 56754190. [protocol] Accept Active Directory gc._msdcs.<forest> name as 5676 valid with check-names. <forest> still needs to be 5677 LDH. [RT #40399] 5678 56794189. [cleanup] Don't exit on overly long tokens in named.conf. 5680 [RT #40418] 5681 56824188. [bug] Support HTTP/1.0 client properly on the statistics 5683 channel. [RT #40261] 5684 56854187. [func] When any RR type implementation doesn't 5686 implement totext() for the RDATA's wire 5687 representation and returns ISC_R_NOTIMPLEMENTED, 5688 such RDATA is now printed in unknown 5689 presentation format (RFC 3597). RR types affected 5690 include LOC(29) and APL(42). [RT #40317]. 5691 56924186. [bug] Fixed an RPZ bug where a QNAME would be matched 5693 against a policy RR with wildcard owner name 5694 (trigger) where the QNAME was the wildcard owner 5695 name's parent. For example, the bug caused a query 5696 with QNAME "example.com" to match a policy RR with 5697 "*.example.com" as trigger. [RT #40357] 5698 56994185. [bug] Fixed an RPZ bug where a policy RR with wildcard 5700 owner name (trigger) would prevent another policy RR 5701 with its parent owner name from being 5702 loaded. 
For example, the bug caused a policy RR 5703 with trigger "example.com" to not have any 5704 effect when a previous policy RR with trigger 5705 "*.example.com" existed in that RPZ zone. 5706 [RT #40357] 5707 57084184. [bug] Fixed a possible memory leak in name compression 5709 when rendering long messages. (Also, improved 5710 wire_test for testing such messages.) [RT #40375] 5711 57124183. [cleanup] Use timing-safe memory comparisons in cryptographic 5713 code. Also, the timing-safe comparison functions have 5714 been renamed to avoid possible confusion with 5715 memcmp(). Thanks to Loganaden Velvindron of 5716 AFRINIC. [RT #40148] 5717 57184182. [cleanup] Use mnemonics for RR class and type comparisons. 5719 [RT #40297] 5720 57214181. [bug] Queued notify messages could be dequeued from the 5722 wrong rate limiter queue. [RT #40350] 5723 57244180. [bug] Error responses in pipelined queries could 5725 cause a crash in client.c. [RT #40289] 5726 57274179. [bug] Fix double frees in getaddrinfo() in libirs. 5728 [RT #40209] 5729 57304178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from 5731 text. [RT #40274] 5732 57334177. [bug] Fix assertion failure in parsing NSAP records from 5734 text. [RT #40285] 5735 57364176. [bug] Address race issues with lwresd. [RT #40284] 5737 57384175. [bug] TKEY with GSS-API keys needed bigger buffers. 5739 [RT #40333] 5740 57414174. [bug] "dnssec-coverage -r" didn't handle time unit 5742 suffixes correctly. [RT #38444] 5743 57444173. [bug] dig +sigchase was not properly matching the trusted 5745 key. [RT #40188] 5746 57474172. [bug] Named / named-checkconf didn't handle a view of CLASS0. 5748 [RT #40265] 5749 57504171. [bug] Fixed incorrect class checks in TSIG RR 5751 implementation. [RT #40287] 5752 57534170. [security] An incorrect boundary check in the OPENPGPKEY 5754 rdatatype could trigger an assertion failure. 5755 (CVE-2015-5986) [RT #40286] 5756 57574169. 
[test] Added a 'wire_test -d' option to read input as 5758 raw binary data, for use as a fuzzing harness. 5759 [RT #40312] 5760 57614168. [security] A buffer accounting error could trigger an 5762 assertion failure when parsing certain malformed 5763 DNSSEC keys. (CVE-2015-5722) [RT #40212] 5764 57654167. [func] Update rndc's usage output to include recently added 5766 commands. Thanks to Tony Finch for submitting a 5767 patch. [RT #40010] 5768 57694166. [func] Print informative output from rndc showzone when 5770 allow-new-zones is not enabled for a view. Thanks to 5771 Tony Finch for submitting a patch. [RT #40009] 5772 57734165. [security] A failure to reset a value to NULL in tkey.c could 5774 result in an assertion failure. (CVE-2015-5477) 5775 [RT #40046] 5776 57774164. [bug] Don't rename slave files and journals on out of memory. 5778 [RT #40033] 5779 57804163. [bug] Address compiler warnings. [RT #40024] 5781 57824162. [bug] httpdmgr->flags was not being initialized. [RT #40017] 5783 57844161. [test] Add JSON test for traffic size stats; also test 5785 for consistency between "rndc stats" and the XML 5786 and JSON statistics channel contents. [RT #38700] 5787 57884160. [placeholder] 5789 57904159. [cleanup] Alphabetize dig's help output. [RT #39966] 5791 57924158. [placeholder] 5793 57944157. [placeholder] 5795 57964156. [func] Added statistics counters to track the sizes 5797 of incoming queries and outgoing responses in 5798 histogram buckets, as specified in RSSAC002. 5799 [RT #39049] 5800 58014155. [func] Allow RPZ rewrite logging to be configured on a 5802 per-zone basis using a newly introduced log clause in 5803 the response-policy option. [RT #39754] 5804 58054154. [bug] A OPT record should be included with the FORMERR 5806 response when there is a malformed EDNS option. 5807 [RT #39647] 5808 58094153. [bug] Dig should zero non significant +subnet bits. Check 5810 that non significant ECS bits are zero on receipt. 5811 [RT #39647] 5812 58134152. 
[func] Implement DNS COOKIE option. This replaces the 5814 experimental SIT option of BIND 9.10. The following 5815 named.conf directives are available: send-cookie, 5816 cookie-secret, cookie-algorithm, nocookie-udp-size 5817 and require-server-cookie. The following dig options 5818 are available: +[no]cookie[=value] and +[no]badcookie. 5819 [RT #39928] 5820 58214151. [bug] 'rndc flush' could cause a deadlock. [RT #39835] 5822 58234150. [bug] win32: listen-on-v6 { any; }; was not working. Apply 5824 minimal fix. [RT #39667] 5825 58264149. [bug] Fixed a race condition in the getaddrinfo() 5827 implementation in libirs, which caused the delv 5828 utility to crash with an assertion failure when using 5829 the '@server' syntax with a hostname argument. 5830 [RT #39899] 5831 58324148. [bug] Fix a bug when printing zone names with '/' character 5833 in XML and JSON statistics output. [RT #39873] 5834 58354147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6 5836 was returning referrals rather than nodata responses 5837 when the AAAA records were filtered. [RT #39843] 5838 58394146. [bug] Address reference leak that could prevent a clean 5840 shutdown. [RT #37125] 5841 58424145. [bug] Not all unassociated adb entries where being printed. 5843 [RT #37125] 5844 58454144. [func] Add statistics counters for nxdomain redirections. 5846 [RT #39790] 5847 58484143. [placeholder] 5849 58504142. [bug] rndc addzone with view specified saved NZF config 5851 that could not be read back by named. This has now 5852 been fixed. [RT #39845] 5853 58544141. [bug] A formatting bug caused rndc zonestatus to print 5855 negative numbers for large serial values. This has 5856 now been fixed. [RT #39854] 5857 58584140. [cleanup] Remove redundant nzf_remove() call during delzone. 5859 [RT #39844] 5860 58614139. [doc] Fix rpz-client-ip documentation. [RT #39783] 5862 58634138. [security] An uninitialized value in validator.c could result 5864 in an assertion failure. 
(CVE-2015-4620) [RT #39795] 5865 58664137. [bug] Make rndc reconfig report configuration errors the 5867 same way rndc reload does. [RT #39635] 5868 58694136. [bug] Stale statistics counters with the leading 5870 '#' prefix (such as #NXDOMAIN) were not being 5871 updated correctly. This has been fixed. [RT #39141] 5872 58734135. [cleanup] Log expired NTA at startup. [RT #39680] 5874 58754134. [cleanup] Include client-ip rules when logging the number 5876 of RPZ rules of each type. [RT #39670] 5877 58784133. [port] Update how various json libraries are handled. 5879 [RT #39646] 5880 58814132. [cleanup] dig: added +rd as a synonym for +recurse, 5882 added +class as an unabbreviated alternative 5883 to +cl. [RT #39686] 5884 58854131. [bug] Addressed further problems with reloading RPZ 5886 zones. [RT #39649] 5887 58884130. [bug] The compatibility shim for *printf() misprinted some 5889 large numbers. [RT #39586] 5890 58914129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532] 5892 58934128. [bug] Address issues raised by Coverity 7.6. [RT #39537] 5894 58954127. [protocol] CDS and CDNSKEY need to be signed by the key signing 5896 key as per RFC 7344, Section 4.1. [RT #37215] 5897 58984126. [bug] Addressed a regression introduced in change #4121. 5899 [RT #39611] 5900 59014125. [test] Added tests for dig, renamed delv test to digdelv. 5902 [RT #39490] 5903 59044124. [func] Log errors or warnings encountered when parsing the 5905 internal default configuration. Clarify the logging 5906 of errors and warnings encountered in rndc 5907 addzone or modzone parameters. [RT #39440] 5908 59094123. [port] Added %z (size_t) format options to the portable 5910 internal printf/sprintf implementation. [RT #39586] 5911 59124122. [bug] The server could match a shorter prefix than what was 5913 available in CLIENT-IP policy triggers, and so, an 5914 unexpected action could be taken. This has been 5915 corrected. [RT #39481] 5916 59174121. 
[bug] On servers with one or more policy zones 5918 configured as slaves, if a policy zone updated 5919 during regular operation (rather than at 5920 startup) using a full zone reload, such as via 5921 AXFR, a bug could allow the RPZ summary data to 5922 fall out of sync, potentially leading to an 5923 assertion failure in rpz.c when further 5924 incremental updates were made to the zone, such 5925 as via IXFR. [RT #39567] 5926 59274120. [bug] A bug in RPZ could cause the server to crash if 5928 policy zones were updated while recursion was 5929 pending for RPZ processing of an active query. 5930 [RT #39415] 5931 59324119. [test] Allow dig to set the message opcode. [RT #39550] 5933 59344118. [bug] Teach isc-config.sh about irs. [RT #39213] 5935 59364117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534. 5937 59384116. [bug] Fix a bug in RPZ that could cause some policy 5939 zones that did not specifically require 5940 recursion to be treated as if they did; 5941 consequently, setting qname-wait-recurse no; was 5942 sometimes ineffective. [RT #39229] 5943 59444115. [func] "rndc -r" now prints the result code (e.g., 5945 ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after 5946 running the requested command. [RT #38913] 5947 59484114. [bug] Fix a regression in radix tree implementation 5949 introduced by ECS code. This bug was never 5950 released, but it was reported by a user testing 5951 master. [RT #38983] 5952 59534113. [test] Check for Net::DNS is some system test 5954 prerequisites. [RT #39369] 5955 59564112. [bug] Named failed to load when "root-delegation-only" 5957 was used without a list of domains to exclude. 5958 [RT #39380] 5959 59604111. [doc] Alphabetize rndc man page. [RT #39360] 5961 59624110. [bug] Address memory leaks / null pointer dereferences 5963 on out of memory. [RT #39310] 5964 59654109. [port] linux: support reading the local port range from 5966 net.ipv4.ip_local_port_range. [RT # 39379] 5967 59684108. 
[func] An additional NXDOMAIN redirect method (option
        "nxdomain-redirect") has been added, allowing
        redirection to a specified DNS namespace instead
        of a single redirect zone. [RT #37989]

4107. [bug] Address potential deadlock when updating zone content.
        [RT #39269]

4106. [port] Improve readline support. [RT #38938]

4105. [port] Misc fixes for Microsoft Visual Studio
        2015 CTP6 in 64 bit mode. [RT #39308]

4104. [bug] Address uninitialized elements. [RT #39252]

4103. [port] Misc fixes for Microsoft Visual Studio
        2015 CTP6. [RT #39267]

4102. [bug] Fix a use after free bug introduced in change
        #4094. [RT #39281]

4101. [bug] dig: the +split and +rrcomments options didn't
        work with +short. [RT #39291]

4100. [bug] Inherited owner names on the line immediately following
        a $INCLUDE were not working. [RT #39268]

4099. [port] clang: make unknown commandline options hard errors
        when determining what options are supported.
        [RT #39273]

4098. [bug] Address use-after-free issue when using a
        predecessor key with dnssec-settime. [RT #39272]

4097. [func] Add additional logging about xfrin transfer status.
        [RT #39170]

4096. [bug] Fix a use after free of query->sendevent.
        [RT #39132]

4095. [bug] zone->options2 was not being properly initialized.
        [RT #39228]

4094. [bug] A race during shutdown or reconfiguration could
        cause an assertion in mem.c. [RT #38979]

4093. [func] Dig now learns the SIT value from truncated
        responses when it retries over TCP. [RT #39047]

4092. [bug] 'in-view' didn't work for zones beneath an empty zone.
        [RT #39173]

4091. [cleanup] Some cleanups in isc mem code. [RT #38896]

4090. [bug] Fix a crash while parsing malformed CAA RRs in
        presentation format, i.e., from text such as
        from master files. Thanks to John Van de
        Meulebrouck Brendgard for discovering and
        reporting this problem. [RT #39003]

4089. [bug] Send notifies immediately for slave zones during
        startup. [RT #38843]

4088. [port] Fixed errors when building with libressl. [RT #38899]

4087. [bug] Fix a crash due to use-after-free due to sequencing
        of tasks actions. [RT #38495]

4086. [bug] Fix out-of-srcdir build with native pkcs11. [RT #38831]

4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
        [RT #38828]

4084. [bug] Fix a possible race in updating stats counters.
        [RT #38826]

4083. [cleanup] Print the number of CPUs and UDP listeners
        consistently in the log and in "rndc status"
        output; indicate whether threads are supported
        in "named -V" output. [RT #38811]

4082. [bug] Incrementally sign large inline zone deltas.
        [RT #37927]

4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]

4080. [func] Completed change #4022, adding a "lock-file" option
        to named.conf to override the default lock file,
        in addition to the "named -X <filename>" command
        line option. Setting the lock file to "none"
        using either method disables the check completely.
        [RT #37908]

4079. [func] Preserve the case of the owner name of records to
        the RRset level. [RT #37442]

4078. [bug] Handle the case where CMSG_SPACE(sizeof(int)) !=
        CMSG_SPACE(sizeof(char)). [RT #38621]

4077. [test] Add static-stub regression test for DS NXDOMAIN
        return making the static stub disappear. [RT #38564]

4076. [bug] Named could crash on shutdown with outstanding
        reload / reconfig events. [RT #38622]

4075. [placeholder]

4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]

4073. [cleanup] Add libjson-c version number reporting to
        "named -V"; normalize version number formatting.
        [RT #38056]

4072. [func] Add a --enable-querytrace configure switch for
        very verbose query trace logging. (This option
        has a negative performance impact and should be
        used only for debugging.) [RT #37520]

4071. [cleanup] Initialize pthread mutex attrs just once, instead of
        doing it per mutex creation. [RT #38547]

4070. [bug] Fix a segfault in nslookup in a query such as
        "nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
        [RT #38548]

4069. [doc] Reorganize options in the nsupdate man page.
        [RT #38515]

4068. [bug] Omit unknown serial number from JSON zone statistics.
        [RT #38604]

4067. [cleanup] Reduce noise from RRL when query logging is
        disabled. [RT #38648]

4066. [doc] Reorganize options in the dig man page. [RT #38516]

4065. [test] Additional RFC 5011 tests. [RT #38569]

4064. [contrib] dnssec-keyset.sh: Generates a specified number
        of DNSSEC keys with timing set to implement a
        pre-publication key rollover strategy. Thanks
        to Jeffry A. Spain. [RT #38459]

4063. [bug] Asynchronous zone loads were not handled
        correctly when the zone load was already in
        progress; this could trigger a crash in zt.c.
        [RT #37573]

4062. [bug] Fix an out-of-bounds read in RPZ code. If the
        read succeeded, it doesn't result in a bug
        during operation. If the read failed, named
        could segfault. [RT #38559]

4061. [bug] Handle timeout in legacy system test. [RT #38573]

4060. [bug] dns_rdata_freestruct could be called on an
        uninitialized structure when handling an error.
        [RT #38568]

4059. [bug] Addressed valgrind warnings. [RT #38549]

4058. [bug] UDP dispatches could use the wrong pseudorandom
        number generator context. [RT #38578]

4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
        [RT #38565]

4056. [bug] Expanded automatic testing of trust anchor
        management and fixed several small bugs including
        a memory leak and a possible loss of key state
        information. [RT #38458]

4055. [func] "rndc managed-keys" can be used to check status
        of trust anchors or to force keys to be refreshed.
        Also, the managed keys data file has easier-to-read
        comments. [RT #38458]

4054. [func] Added a new tool 'mdig', a lightweight clone of
        dig able to send multiple pipelined queries.
        [RT #38261]

4053. [security] Revoking a managed trust anchor and supplying
        an untrusted replacement could cause named
        to crash with an assertion failure.
        (CVE-2015-1349) [RT #38344]

4052. [bug] Fix a leak of query fetchlock. [RT #38454]

4051. [bug] Fix a leak of pthread_mutexattr_t. [RT #38454]

4050. [bug] RPZ could send spurious SERVFAILs in response
        to duplicate queries. [RT #38510]

4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]

4048. [bug] adb hash table was not being grown. [RT #38470]

4047. [cleanup] "named -V" now reports the current running versions
        of OpenSSL and the libxml2 libraries, in addition to
        the versions that were in use at build time.

4046. [bug] Accounting of "total use" in memory context
        statistics was not correct. [RT #38370]

4045. [bug] Skip to next master on dns_request_createvia4 failure.
        [RT #25185]

4044. [bug] Change 3955 was not complete, resulting in an assertion
        failure if the timing was just right. [RT #38352]

4043. [func] "rndc modzone" can be used to modify the
        configuration of an existing zone, using similar
        syntax to "rndc addzone". [RT #37895]

4042. [bug] zone.c:iszonesecure was being called too late.
        [RT #38371]

4041. [func] TCP sockets can now be shared while connecting.
        (This will be used to enable client-side support
        of pipelined queries.) [RT #38231]

4040. [func] Added server-side support for pipelined TCP
        queries. Clients may continue sending queries via
        TCP while previous queries are being processed
        in parallel. (The new "keep-response-order"
        option allows clients to be specified for which
        the old behavior will still be used.) [RT #37821]

4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]

4038. [bug] Add 'rpz' flag to node and use it to determine whether
        to call dns_rpz_delete. This should prevent unbalanced
        add / delete calls. [RT #36888]

4037. [bug] also-notify was ignoring the tsig key when checking
        for duplicates resulting in some expected notify
        messages not being sent. [RT #38369]

4036. [bug] Make call to open a temporary file name safe during
        NZF creation. [RT #38331]

4035. [bug] Close temporary and NZF FILE pointers before moving
        the former into the latter's place, as required on
        Windows. [RT #38332]

4034. [func] When added, negative trust anchors (NTA) are now
        saved to files (viewname.nta), in order to
        persist across restarts of the named server.
        [RT #37087]

4033. [bug] Missing out of memory check in request.c:req_send.
        [RT #38311]

4032. [bug] Built-in "empty" zones did not correctly inherit the
        "allow-transfer" ACL from the options or view.
        [RT #38310]

4031. [bug] named-checkconf -z failed to report a missing file
        with a hint zone. [RT #38294]

4030. [func] "rndc delzone" is now applicable to zones that were
        configured in named.conf, as well as zones that
        were added via "rndc addzone". (Note, however, that
        if named.conf is not also modified, the deleted zone
        will return when named is reloaded.) [RT #37887]

4029. [func] "rndc showzone" displays the current configuration
        of a specified zone. [RT #37887]

4028. [bug] $GENERATE with a zero step was not being caught as an
        error. A $GENERATE with a / but no step was not being
        caught as an error. [RT #38262]

4027. [port] Net::DNS 0.81 compatibility. [RT #38165]

4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]

4025. [port] bsdi: failed to build. [RT #38047]

4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
        dns_rdata_opt_current, dns_rdata_txt_first,
        dns_rdata_txt_next and dns_rdata_txt_current were
        documented but not implemented. These have now been
        implemented.

        dns_rdata_spf_first, dns_rdata_spf_next and
        dns_rdata_spf_current were documented but not
        implemented. The prototypes for these
        functions have been removed. [RT #38068]

4023. [bug] win32: socket handling with explicit ports and
        invoking named with -4 was broken for some
        configurations. [RT #38068]

4022. [func] Stop multiple spawns of named by limiting number of
        processes to 1. This is done by using a lockfile and
        checking whether we can listen on any configured
        TCP interfaces. [RT #37908]

4021. [bug] Adjust max-recursion-queries to accommodate
        the need for more queries when the cache is
        empty. [RT #38104]

4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
        resulting in updates being sent to the wrong server.
        [RT #37925]

4019. [func] If named is not configured to validate the answer
        then allow fallback to plain DNS on timeout even
        when we know the server supports EDNS. [RT #37978]

4018. [placeholder]

4017. [test] Add system test to check lookups to legacy servers
        with broken DNS behavior. [RT #37965]

4016. [bug] Fix a dig segfault due to bad linked list usage.
        [RT #37591]

4015. [bug] Nameservers that are skipped due to them being
        CNAMEs were not being logged. They are now logged
        to category 'cname' as per BIND 8. [RT #37935]

4014. [bug] When including a master file origin_changed was
        not being properly set leading to a potentially
        spurious 'inherited owner' warning. [RT #37919]

4013. [func] Add a new tcp-only option to server (config) /
        peer (struct) to use TCP transport to send
        queries (in place of UDP transport with a
        TCP fallback on truncated (TC set) response).
        [RT #37800]

4012. [cleanup] Check returned status of OpenSSL digest and HMAC
        functions when they return one. Note this applies
        only to FIPS capable OpenSSL libraries put in
        FIPS mode and MD5. [RT #37944]

4011. [bug] master's list port and dscp inheritance was not
        properly implemented. [RT #37792]

4010. [cleanup] Clear the prefetchable state when initiating a
        prefetch. [RT #37399]

4009. [func] delv: added a +tcp option. [RT #37855]

4008. [contrib] Updated zkt to latest version (1.1.3). [RT #37886]

4007. [doc] Remove acl forward reference restriction. [RT #37772]

4006. [security] A flaw in delegation handling could be exploited
        to put named into an infinite loop. This has
        been addressed by placing limits on the number
        of levels of recursion named will allow (default 7),
        and the number of iterative queries that it will
        send (default 50) before terminating a recursive
        query (CVE-2014-8500).

        The recursion depth limit is configured via the
        "max-recursion-depth" option, and the query limit
        via the "max-recursion-queries" option. [RT #37580]

4005. [func] The buffer used for returning text from rndc
        commands is now dynamically resizable, allowing
        arbitrarily large amounts of text to be sent back
        to the client. (Prior to this change, it was
        possible for the output of "rndc tsig-list" to be
        truncated.) [RT #37731]

4004. [bug] When delegations had AAAA glue but not A, a
        reference could be leaked causing an assertion
        failure on shutdown. [RT #37796]

4003. [security] When geoip-directory was reconfigured during
        named run-time, the previously loaded GeoIP
        data could remain, potentially causing wrong
        ACLs to be used or wrong results to be served
        based on geolocation (CVE-2014-8680). [RT #37720]

4002. [security] Lookups in GeoIP databases that were not
        loaded could cause an assertion failure
        (CVE-2014-8680). [RT #37679]

4001. [security] The caching of GeoIP lookups did not always
        handle address families correctly, potentially
        resulting in an assertion failure (CVE-2014-8680).
        [RT #37672]

4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
        from the redirect zone. [RT #37722]

3999. [func] "mkeys" and "nzf" files are now named after
        their corresponding views, unless the view name
        contains characters that would be incompatible
        with use in a filename (i.e., slash, backslash,
        or capital letters). If a view name does contain
        these characters, the files will still be named
        using a cryptographic hash of the view name.
        Regardless of this, if a file using the old name
        format is found to exist, it will continue to be
        used. [RT #37704]

3998. [bug] isc_radix_search was returning matches that were
        too precise. [RT #37680]

3997. [protocol] Add OPENGPGKEY record. [RT #37671]

3996. [bug] Address use after free on out of memory error in
        keyring_add. [RT #37639]

3995. [bug] receive_secure_serial holds the zone lock for too
        long. [RT #37626]

3994. [func] Dig now supports setting the last unassigned DNS
        header flag bit (dig +zflag). [RT #37421]

3993. [func] Dig now supports EDNS negotiation by default.
        (dig +[no]ednsnegotiation).

        Note: This is disabled by default in BIND 9.10
        and enabled by default in BIND 9.11. [RT #37604]

3992. [func] DiG can now send queries without questions
        (dig +header-only). [RT #37599]

3991. [func] Add the ability to buffer logging output by specifying
        "buffered yes;" when defining a channel. [RT #26561]

3990. [test] Add tests for unknown DNSSEC algorithm handling.
        [RT #37541]

3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]

3988. [func] Allow the zone serial of a dynamically updatable
        zone to be updated via "rndc signing -serial".
        [RT #37404]

3987. [port] Handle future Visual Studio 14 incompatible changes.
        [RT #37380]

3986. [doc] Add the BIND version number to page footers
        in the ARM. [RT #37398]

3985. [doc] Describe how +ndots and +search interact in dig.
        [RT #37529]

3984. [func] Accept 256 byte long PINs in native PKCS#11
        crypto. [RT #37410]

3983. [bug] Change #3940 was incomplete: negative trust anchors
        could be set to last up to a week, but the
        "nta-lifetime" and "nta-recheck" options were
        still limited to one day. [RT #37522]

3982. [doc] Include release notes in product documentation.
        [RT #37272]

3981. [bug] Cache DS/NXDOMAIN independently of other query types.
        [RT #37467]

3980. [bug] Improve --with-tuning=large by self tuning of SO_RCVBUF
        size. [RT #37187]

3979. [bug] Negative trust anchor fetches were not properly
        managed. [RT #37488]

3978. [test] Added a unit test for Diffie-Hellman key
        computation, completing change #3974. [RT #37477]

3977. [cleanup] "rndc secroots" reported a "not found" error when
        there were no negative trust anchors set. [RT #37506]

3976. [bug] When refreshing managed-key trust anchors, clear
        any cached trust so that they will always be
        revalidated with the current set of secure
        roots. [RT #37506]

3975. [bug] Don't populate or use the bad cache for queries that
        don't request or use recursion. [RT #37466]

3974. [bug] Handle DH_compute_key() failure correctly in
        openssldh_link.c. [RT #37477]

3973. [test] Added hooks for Google Performance Tools CPU profiler,
        including real-time/wall-clock profiling. Use
        "configure --with-gperftools-profiler" to enable.
        [RT #37339]

3972. [bug] Fix host's usage statement. [RT #37397]

3971. [bug] Reduce the cascading failures due to a bad $TTL line
        in named-checkconf / named-checkzone. [RT #37138]

3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
        [RT #37237]

3969. [test] Added 'delv' system test. [RT #36901]

3968. [bug] Silence spurious log messages when using 'named -[46]'.
        [RT #37308]

3967. [test] Add test for inlined signed zone in multiple views
        with different DNSKEY sets. [RT #35759]

3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
        [RT #35746]

3965. [func] Log outgoing packets and improve packet logging to
        support logging the remote address. [RT #36624]

3964. [func] nsupdate now performs check-names processing.
        [RT #36266]

3963. [test] Added NXRRSET test cases to the "dlzexternal"
        system test. [RT #37344]

3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
        conditions. [RT #34663]

3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
        BADSIG. [RT #37216]

3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]

3959. [bug] Updates could be lost if they arrived immediately
        after a rndc thaw. [RT #37233]

3958. [bug] Detect when writeable files have multiple references
        in named.conf. [RT #37172]

3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
        and ECDSAP384SHA384. [RT #37183]

3956. [func] Notify messages are now rate limited by notify-rate and
        startup-notify-rate instead of serial-query-rate.
        [RT #24454]

3955. [bug] Notify messages due to changes are no longer queued
        behind startup notify messages. [RT #24454]

3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]

3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]

3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
        two name pointers were the same. [RT #37176]

3951. [func] Add the ability to set yet-to-be-defined EDNS flags
        to dig (+ednsflags=#). [RT #37142]

3950. [port] Changed the bin/python Makefile to work around a
        bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]

3949. [experimental] Experimental support for draft-andrews-edns1 by sending
        EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
        building). Add support for limiting the EDNS version
        advertised to servers: server { edns-version 0; };
        Log the EDNS version received in the query log.
        [RT #35864]

3948. [port] solaris: RCVBUFSIZE was too large on Solaris with
        --with-tuning=large. [RT #37059]

3947. [cleanup] Set the executable bit on libraries when using
        libtool. [RT #36786]

3946. [cleanup] Improved "configure" search for a python interpreter.
        [RT #36992]

3945. [bug] Invalid wildcard expansions could be incorrectly
        accepted by the validator. [RT #37093]

3944. [test] Added a regression test for "server-id". [RT #37057]

3943. [func] SERVFAIL responses can now be cached for a
        limited time (configured by "servfail-ttl",
        default 10 seconds, limit 30). This can reduce
        the frequency of retries when an authoritative
        server is known to be failing, e.g., due to
        ongoing DNSSEC validation problems. [RT #21347]

3942. [bug] Wildcard responses from an optout range should be
        marked as insecure. [RT #37072]

3941. [doc] Include the BIND version number in the ARM. [RT #37067]

3940. [func] "rndc nta" now allows negative trust anchors to be
        set for up to one week. [RT #37069]

3939. [func] Improve UPDATE forwarding performance by allowing TCP
        connections to be shared. [RT #37039]

3938. [func] Added quotas to be used in recursive resolvers
        that are under high query load for names in zones
        whose authoritative servers are nonresponsive or
        are experiencing a denial of service attack.

        - "fetches-per-server" limits the number of
          simultaneous queries that can be sent to any
          single authoritative server. The configured
          value is a starting point; it is automatically
          adjusted downward if the server is partially or
          completely non-responsive. The algorithm used to
          adjust the quota can be configured via the
          "fetch-quota-params" option.
        - "fetches-per-zone" limits the number of
          simultaneous queries that can be sent for names
          within a single domain. (Note: Unlike
          "fetches-per-server", this value is not
          self-tuning.)
        - New stats counters have been added to count
          queries spilled due to these quotas.

        See the ARM for details of these options. [RT #37125]

3937. [func] Added some debug logging to better indicate the
        conditions causing SERVFAILs when resolving.
        [RT #35538]

3936. [func] Added authoritative support for the EDNS Client
        Subnet (ECS) option.

        ACLs can now include "ecs" elements which specify
        an address or network prefix; if an ECS option is
        included in a DNS query, then the address encoded
        in the option will be matched against "ecs" ACL
        elements.

        Also, if an ECS address is included in a query,
        then it will be used instead of the client source
        address when matching "geoip" ACL elements. This
        behavior can be overridden with "geoip-use-ecs no;".
        (Note: to enable "geoip" ACLs, use "configure
        --with-geoip". This requires libGeoIP version
        1.5.0 or higher.)

        When "ecs" or "geoip" ACL elements are used to
        select a view for a query, the response will include
        an ECS option to indicate which client network the
        answer is valid for.

        (Thanks to Vincent Bernat.) [RT #36781]

3935. [bug] "geoip asnum" ACL elements would not match unless
        the full organization name was specified. They
        can now match against the AS number alone (e.g.,
        AS1234). [RT #36945]

3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
        sit-secret documentation. [RT #36980]

3933. [bug] Corrected the implementation of dns_rdata_casecompare()
        for the HIP rdata type. [RT #36911]

3932. [test] Improved named-checkconf tests. [RT #36911]

3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]

3930. [bug] "rndc nta -r" could cause a server hang if the
        NTA was not found. [RT #36909]

3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963]

3928. [test] Improve rndc system test. [RT #36898]

3927. [bug] dig: report PKCS#11 error codes correctly when
        compiled with --enable-native-pkcs11. [RT #36956]

3926. [doc] Added doc for geoip-directory. [RT #36877]

3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]

3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]

3923. [bug] Sanity check the xml2-config output. [RT #22246]

3922. [bug] When resigning, dnssec-signzone was removing
        all signatures from delegation nodes. It now
        retains DS and (if applicable) NSEC signatures.
        [RT #36946]

3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]

3920. [doc] Added doc for masterfile-style. [RT #36823]

3919. [bug] dig: continue to next line if an address lookup fails
        in batch mode. [RT #36755]

3918. [doc] Update check-spf documentation. [RT #36910]

3917. [bug] dig, nslookup and host now continue on names that are
        too long after applying a search list element.
        [RT #36892]

3916. [contrib] zone2sqlite checked wrong result code. Address
        compiler warnings. [RT #36931]

3915. [bug] Address an assertion if a route event arrived while
        shutting down. [RT #36887]

3914. [bug] Allow the URI target and CAA value fields to
        be zero length. [RT #36737]

3913. [bug] Address race issue in dispatch. [RT #36731]

3912. [bug] Address some unrecoverable lookup failures. [RT #36330]

3911. [func] Implement EDNS EXPIRE option client side, allowing
        a slave server to set the expiration timer correctly
        when transferring zone data from another slave
        server. [RT #35925]

3910. [bug] Fix races to free event during shutdown. [RT #36720]

3909. [bug] When computing the number of elements required for an
        acl count_acl_elements could have a short count leading
        to an assertion failure. Also zero out new acl elements
        in dns_acl_merge. [RT #36675]

3908. [bug] rndc now differentiates between a zone in multiple
        views and a zone that doesn't exist at all. [RT #36691]

3907. [cleanup] Alphabetize rndc help. [RT #36683]

3906. [protocol] Update URI record format to comply with
        draft-faltstrom-uri-08. [RT #36642]

3905. [bug] Address deadlock between view.c and adb.c. [RT #36341]

3904. [func] Add the RPZ SOA to the additional section. [RT #36507]

3903. [bug] Improve the accuracy of DiG's reported round trip
        time. [RT #36611]

3902. [bug] liblwres wasn't handling link-local addresses in
        nameserver clauses in resolv.conf. [RT #36039]

3901. [protocol] Added support for CAA record type (RFC 6844).
        [RT #36625]

3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637]

3899. [bug] "request-ixfr" is only applicable to slave and redirect
        zones. [RT #36608]

3898. [bug] Too small a buffer in tohexstr() calls in test code.
        [RT #36598]

3897. [bug] RPZ summary information was not properly being updated
        after an AXFR resulting in changes sometimes being
        ignored. [RT #35885]

3896. [bug] Address performance issues with DSCP code on some
        platforms. [RT #36534]

3895. [func] Add the ability to set the DSCP code point to dig.
        [RT #36546]

3894. [bug] Buffers in isc_print_vsnprintf were not properly
        initialized leading to potential overflows when
        printing out quad values. [RT #36505]

3893. [bug] Peer DSCP values could be returned without being set.
        [RT #36538]

3892. [bug] Setting '-t aaaa' in .digrc had unintended side
        effects. [RT #36452]

3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
        to install python programs.

3890. [bug] RRSIG sets that were not loaded in a single transaction
        at start up were not being correctly added to
        re-signing heaps. [RT #36302]

3889. [port] hurd: configure fixes as per:
        https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540

3888. [func] 'rndc status' now reports the number of automatic
        zones. [RT #36015]

3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so
        they are easier to use in a debugger. [RT #36373]

3886. [bug] rbtdb_write_header should use a once to initialize
        FILE_VERSION. [RT #36374]

3885. [port] Use 'open()' rather than 'file()' to open files in
        python.

3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333]

3883. [placeholder]

3882. [func] By default, negative trust anchors will be tested
        periodically to see whether data below them can be
        validated, and if so, they will be allowed to
        expire early. The "rndc nta -force" option
        overrides this behavior. The default NTA lifetime
        and the recheck frequency can be configured by the
        "nta-lifetime" and "nta-recheck" options. [RT #36146]

3881. [bug] Address memory leak with UPDATE error handling.
        [RT #36303]

3880. [test] Update ans.pl to work with new TSIG support in
        Net::DNS; add additional Net::DNS version prerequisite
        checks. [RT #36327]

3879. [func] Add version printing option to various BIND utilities.
        [RT #10686]

3878. [bug] Using the incorrect filename for a DLZ module
        caused a segmentation fault on startup. [RT #36286]

3877. [bug] Inserting and deleting parent and child nodes
        in response policy zones could trigger an assertion
        failure. [RT #36272]

3876. [bug] Improve efficiency of DLZ redirect zones by
        suppressing unnecessary database lookups. [RT #35835]

3875. [cleanup] Clarify log message when unable to read private
        key files. [RT #24702]

3874. [test] Check that only "check-names master" is needed for
        updates to be accepted.

3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210]

3872. [bug] Address issues found by static analysis. [RT #36209]

3871. [bug] Don't publish an activated key automatically before
        its publish time. [RT #35063]

3870. [func] Updated the random number generator used in
        the resolver to use the updated ChaCha based one
        (similar to OpenBSD's changes). Also moved the
        RNG to libisc and added unit tests for it.
        [RT #35942]

3869. [doc] Document that in-view zones cannot be used for
        response policy zones. [RT #35941]

3868. [bug] isc_mem_setwater incorrectly cleared hi_called
        potentially leaving over memory cleaner running.
        [RT #35270]

3867. [func] "rndc nta" can now be used to set a temporary
        negative trust anchor, which disables DNSSEC
        validation below a specified name for a specified
        period of time (not exceeding 24 hours). This
        can be used when validation for a domain is known
        to be failing due to a configuration error on
        the part of the domain owner rather than a
        spoofing attack. [RT #29358]

3866. [bug] Named could die on disk full in generate_session_key.
        [RT #36119]

3865. [test] Improved testability of the red-black tree
        implementation and added unit tests. [RT #35904]

3864. [bug] RPZ didn't work well when being used as forwarder.
        [RT #36060]

3863. [bug] The "E" flag was missing from the query log as an
        unintended side effect of code rearrangement to
        support EDNS EXPIRE. [RT #36117]

3862. [cleanup] Return immediately if we are not going to log the
        message in ns_client_dumpmessage.

3861. [security] Missing isc_buffer_availablelength check results
        in a REQUIRE assertion when printing out a packet
        (CVE-2014-3859). [RT #36078]

3860. [bug] ioctl(DP_POLL) array size needs to be determined
        at run time as it is limited to {OPEN_MAX}.
        [RT #35878]

3859. [placeholder]

3858. [bug] Disable GCC 4.9 "delete null pointer check".
        [RT #35968]

3857. [bug] Make it harder for an incorrect NOEDNS classification
        to be made. [RT #36020]

3856. [bug] Configuring libjson without also configuring libxml
        resulted in a REQUIRE assertion when retrieving
        statistics using json. [RT #36009]

3855. [bug] Limit smoothed round trip time aging to no more than
        once a second. [RT #32909]

3854. [cleanup] Report unrecognized options, if any, in the final
        configure summary. [RT #36014]

3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out
        the handling of a rdataset with no records. [RT #35968]

3852. [func] Increase the default number of clients available
        for servicing lightweight resolver queries, and
        make them configurable via the "lwres-tasks" and
        "lwres-clients" options. (Thanks to Tomas Hozza.)
        [RT #35857]

3851. [func] Allow libseccomp based system-call filtering
        on Linux; use "configure --enable-seccomp" to
        turn it on. Thanks to Loganaden Velvindron
        of AFRINIC for the contribution. [RT #35347]

3850. [bug] Disabling forwarding could trigger a REQUIRE assertion.
        [RT #35979]

3849. [doc] Alphabetized dig's +options. [RT #35992]

3848. [bug] Adjust 'statistics-channels specified but not effective'
        error message to account for JSON support. [RT #36008]

3847. [bug] 'configure --with-dlz-postgres' failed to fail when
        there is no support available.

3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP
        ixfr query. [RT #35980]

3845. [placeholder]

3844. [bug] Use the x64 version of the Microsoft Visual C++
        Redistributable when built for 64 bit Windows.
        [RT #35973]

3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire.
        [RT #35969]

3842. [bug] Adjust RRL log-only logging category. [RT #35945]

3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt.
        [RT #35924]

3840. [port] Check for arc4random_addrandom() before using it;
        it's been removed from OpenBSD 5.5. [RT #35907]

3839. [test] Use only posix-compatible shell in system tests.
        [RT #35625]

3838. [protocol] EDNS EXPIRE has been assigned a code point of 9.

3837. [security] A NULL pointer is passed to query_prefetch resulting
        in a REQUIRE assertion failure when a fetch is actually
        initiated (CVE-2014-3214). [RT #35899]

3836. [bug] Address C++ keyword usage in header file.

3835. [bug] Geoip ACL elements didn't work correctly when
        referenced via named or nested ACLs. [RT #35879]

3834. [bug] The re-signing heaps were not being updated soon enough
        leading to multiple re-generations of the same RRSIG
        when a zone transfer was in progress. [RT #35273]

3833. [bug] Cross compiling was broken due to calling genrandom at
        build time. [RT #35869]

3832. [func] "named -L <filename>" causes named to send log
        messages to the specified file by default instead
        of to the system log. (Thanks to Tony Finch.)
        [RT #35845]

3831. [cleanup] Reduce logging noise when EDNS state changes occur.
        [RT #35843]

3830. [func] When query logging is enabled, log query errors at
        the same level ('info') as the queries themselves.
        [RT #35844]

3829. [func] "dig +ttlunits" causes dig to print TTL values
        with time-unit suffixes: w, d, h, m, s for
        weeks, days, hours, minutes, and seconds. (Thanks
        to Tony Finch.) [RT #35823]

3828. [func] "dnssec-signzone -N date" updates serial number
        to the current date in YYYYMMDDNN format.
        [RT #35800]

3827. [placeholder]

3826. [bug] Corrected bad INSIST logic in isc_radix_remove().
        [RT #35870]

3825. [bug] Address sign extension bug in isc_regex_validate.
        [RT #35758]

3824. [bug] A collision between two flag values could cause
        problems with cache cleaning when SIT was enabled.
        [RT #35858]

3823. [func] Log the rpz cname target when rewriting. [RT #35667]

3822. [bug] Log the correct type of static-stub zones when
        removing them. [RT #35842]

3821. [contrib] Added a new "mysqldyn" DLZ module with dynamic
        update and transaction support. Thanks to Marty
        Lee for the contribution. [RT #35656]

3820. [func] The DLZ API doesn't pass the database version to
        the lookup() function; this can cause DLZ modules
        that allow dynamic updates to mishandle prerequisite
        checks. This has been corrected by adding a
        'dbversion' field to the dns_clientinfo_t
        structure. [RT #35656]

3819. [bug] NSEC3 hashes need to be able to be entered and
        displayed without padding. This is not an issue for
        currently defined algorithms but may be for future
        hash algorithms. [RT #27925]

3818. [bug] Stop lying to the optimizer that 'void *arg' is a
        constant in isc_event_allocate.

3817. [func] The "delve" command is now spelled "delv" to avoid
        a namespace collision with the Xapian project.
        [RT #35801]

3816. [func] "dig +qr" now reports query size. (Thanks to
        Tony Finch.) [RT #35822]

3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808]

3814. [func] The "masterfile-style" zone option controls the
        formatting of dumped zone files. Options are
        "relative" (multiline format) and "full" (one
        record per line). The default is "relative".
        [RT #20798]

3813. [func] "host" now recognizes the "timeout", "attempts" and
        "debug" options when set in /etc/resolv.conf.
        (Thanks to Adam Tkac at RedHat.) [RT #21885]

3812. [func] Dig now supports sending arbitrary EDNS options from
        the command line (+ednsopt=code[:value]). [RT #35584]

3811. [func] "serial-update-method date;" sets serial number
        on dynamic update to today's date in YYYYMMDDNN
        format. (Thanks to Bradley Forschinger.) [RT #24903]

3810. [bug] Work around broken nameservers that fail to ignore
        unknown EDNS options. [RT #35766]

3809. [doc] Fix SIT and NSID documentation.

3808. [doc] Clean up "prefetch" documentation. [RT #35751]

3807. [bug] Fix sign extension bug in dns_name_fromtext when
        lowercase is set. [RT #35743]

3806. [test] Improved system test portability. [RT #35625]

3805. [contrib] Added contrib/perftcpdns, a performance testing tool
        for DNS over TCP. [RT #35710]

        --- 9.10.0rc1 released ---

3804. [bug] Corrected a race condition in dispatch.c in which
        portentry could be reset leading to an assertion
        failure in socket_search(). (Change #3708
        addressed the same issue but was incomplete.)
        [RT #35128]

3803. [bug] "named-checkconf -z" incorrectly rejected zones
        using alternate data sources for not having a "file"
        option. [RT #35685]

3802. [bug] Various header files were not being installed.

3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615]

3800. [bug] A pending event on the route socket could cause an
        assertion failure when shutting down named. [RT #35674]

3799. [bug] Improve named's command line error reporting.
        [RT #35603]

3798. [bug] 'rndc zonestatus' was reporting the wrong re-signing
        time. [RT #35659]

3797. [port] netbsd: geoip support probing was broken. [RT #35642]

3796. [bug] Register dns and pkcs#11 error codes. [RT #35629]

3795. [bug] Make named-checkconf detect raw masterfiles for
        hint zones and reject them. [RT #35268]

3794. [maint] Added AAAA for C.ROOT-SERVERS.NET.

3793. [bug] zone.c:save_nsec3param() could assert when out of
        memory.
[RT #35621] 7067 70683792. [func] Provide links to the alternate statistics views when 7069 displaying in a browser. [RT #35605] 7070 70713791. [placeholder] 7072 70733790. [bug] Handle broken nameservers that send BADVERS in 7074 response to unknown EDNS options. Maintain 7075 statistics on BADVERS responses. 7076 70773789. [bug] Null pointer dereference on rbt creation failure. 7078 70793788. [bug] dns_peer_getrequestsit was returning request_nsid by 7080 mistake. 7081 7082 --- 9.10.0b2 released --- 7083 70843787. [bug] The code that checks whether "auto-dnssec" is 7085 allowed was ignoring "allow-update" ACLs set at 7086 the options or view level. [RT #29536] 7087 70883786. [func] Provide more detailed error codes when using 7089 native PKCS#11. "pkcs11-tokens" now fails robustly 7090 rather than asserting when run against an HSM with 7091 an incomplete PKCS#11 API implementation. [RT #35479] 7092 70933785. [bug] Debugging code dumphex didn't accept arbitrarily long 7094 input (only compiled with -DDEBUG). [RT #35544] 7095 70963784. [bug] Using "rrset-order fixed" when it had not been 7097 enabled at compile time caused inconsistent 7098 results. It now works as documented, defaulting 7099 to cyclic mode. [RT #28104] 7100 71013783. [func] "tsig-keygen" is now available as an alternate 7102 command name for "ddns-confgen". It generates 7103 a TSIG key in named.conf format without comments. 7104 [RT #35503] 7105 71063782. [func] Specifying "auto" as the salt when using 7107 "rndc signing -nsec3param" causes named to 7108 generate a 64-bit salt at random. [RT #35322] 7109 71103781. [tuning] Use adaptive mutex locks when available; this 7111 has been found to improve performance under load 7112 on many systems. "configure --with-locktype=standard" 7113 restores conventional mutex locks. [RT #32576] 7114 71153780. [bug] $GENERATE handled negative numbers incorrectly. 7116 [RT #25528] 7117 71183779. 
[cleanup] Clarify the error message when using an option 7119 that was not enabled at compile time. [RT #35504] 7120 71213778. [bug] Log a warning when the wrong address family is 7122 used in "listen-on" or "listen-on-v6". [RT #17848] 7123 71243777. [bug] EDNS EXPIRE code could dump core when processing 7125 DLZ queries. [RT #35493] 7126 71273776. [func] "rndc -q" suppresses output from successful 7128 rndc commands. Errors are printed on stderr. 7129 [RT #21393] 7130 71313775. [bug] dlz_dlopen driver could return the wrong error 7132 code on API version mismatch, leading to a segfault. 7133 [RT #35495] 7134 71353774. [func] When using "request-nsid", log the NSID value in 7136 printable form as well as hex. [RT #20864] 7137 71383773. [func] "host", "nslookup" and "nsupdate" now have 7139 options to print the version number and exit. 7140 [RT #26057] 7141 71423772. [contrib] Added sqlite3 dynamically-loadable DLZ module. 7143 (Based in part on a contribution from Tim Tessier.) 7144 [RT #20822] 7145 71463771. [cleanup] Adjusted log level for "using built-in key" 7147 messages. [RT #24383] 7148 71493770. [bug] "dig +trace" could fail with an assertion when it 7150 needed to fall back to TCP due to a truncated 7151 response. [RT #24660] 7152 71533769. [doc] Improved documentation of "rndc signing -list". 7154 [RT #30652] 7155 71563768. [bug] "dnssec-checkds" was missing the SHA-384 digest 7157 algorithm. [RT #34000] 7158 71593767. [func] Log explicitly when using rndc.key to configure 7160 command channel. [RT #35316] 7161 71623766. [cleanup] Fixed problems with building outside the source 7163 tree when using native PKCS#11. [RT #35459] 7164 71653765. [bug] Fixed a bug in "rndc secroots" that could crash 7166 named when dumping an empty keynode. [RT #35469] 7167 71683764. [bug] The dnssec-keygen/settime -S and -i options 7169 (to set up a successor key and set the prepublication 7170 interval) were missing from dnssec-keyfromlabel. 7171 [RT #35394] 7172 71733763. 
[bug] delve: Cache DNSSEC records to avoid the need to 7174 re-fetch them when restarting validation. [RT #35476] 7175 71763762. [bug] Address build problems with --pkcs11-native + 7177 --with-openssl with ECDSA support. [RT #35467] 7178 71793761. [bug] Address dangling reference bug in dns_keytable_add. 7180 [RT #35471] 7181 71823760. [bug] Improve SIT with native PKCS#11 and on Windows. 7183 [RT #35433] 7184 71853759. [port] Enable delve on Windows. [RT #35441] 7186 71873758. [port] Enable export library APIs on Windows. [RT #35382] 7188 71893757. [port] Enable Python tools (dnssec-coverage, 7190 dnssec-checkds) to run on Windows. [RT #34355] 7191 71923756. [bug] GSSAPI Kerberos realm checking was broken in 7193 check_config leading to spurious messages being 7194 logged. [RT #35443] 7195 7196 --- 9.10.0b1 released --- 7197 71983755. [func] Add stats counters for known EDNS options + others. 7199 [RT #35447] 7200 72013754. [cleanup] win32: Installer now places files in the 7202 Program Files area rather than system services. 7203 [RT #35361] 7204 72053753. [bug] allow-notify was ignoring keys. [RT #35425] 7206 72073752. [bug] Address potential REQUIRE failure if 7208 DNS_STYLEFLAG_COMMENTDATA is set when printing out 7209 a rdataset. 7210 72113751. [tuning] The default setting for the -U option (setting 7212 the number of UDP listeners per interface) has 7213 been adjusted to improve performance. [RT #35417] 7214 72153750. [experimental] Partially implement EDNS EXPIRE option as described 7216 in draft-andrews-dnsext-expire-00. Retrieval of 7217 the remaining time until expiry for slave zones 7218 is supported. 7219 7220 EXPIRE uses an experimental option code (65002), 7221 which is subject to change. [RT #35416] 7222 72233749. [func] "dig +subnet" sends an EDNS client subnet option 7224 containing the specified address/prefix when 7225 querying. (Thanks to Wilmer van der Gaast.) 7226 [RT #35415] 7227 72283748. [test] Use delve to test dns_client interfaces. 
[RT #35383] 7229 72303747. [bug] A race condition could lead to a core dump when 7231 destroying a resolver fetch object. [RT #35385] 7232 72333746. [func] New "max-zone-ttl" option enforces maximum 7234 TTLs for zones. If loading a zone containing a 7235 higher TTL, the load fails. DDNS updates with 7236 higher TTLs are accepted but the TTL is truncated. 7237 (Note: Currently supported for master zones only; 7238 inline-signing slaves will be added.) [RT #38405] 7239 72403745. [func] "configure --with-tuning=large" adjusts various 7241 compiled-in constants and default settings to 7242 values suited to large servers with abundant 7243 memory. [RT #29538] 7244 72453744. [experimental] SIT: send and process Source Identity Tokens 7246 (similar to DNS Cookies by Donald Eastlake 3rd), 7247 which are designed to help clients detect off-path 7248 spoofed responses and for servers to identify 7249 legitimate clients. 7250 7251 SIT uses an experimental EDNS option code (65001), 7252 which will be changed to an IANA-assigned value 7253 if the experiment is deemed a success. 7254 7255 SIT can be enabled via "configure --enable-sit" (or 7256 --enable-developer). It is enabled by default in 7257 Windows. 7258 7259 Servers can be configured to send smaller responses 7260 to clients that have not identified themselves via 7261 SIT. RRL processing has also been updated; 7262 legitimate clients are not subject to rate 7263 limiting. [RT #35389] 7264 72653743. [bug] delegation-only flag wasn't working in forward zone 7266 declarations despite being documented. This is 7267 needed to support turning off forwarding and turning 7268 on delegation only at the same name. [RT #35392] 7269 72703742. [port] linux: libcap support: declare curval at start of 7271 block. [RT #35387] 7272 72733741. 
[func] "delve" (domain entity lookup and validation engine): 7274 A new tool with dig-like semantics for performing DNS 7275 lookups, with internal DNSSEC validation, using the 7276 same resolver and validator logic as named. This 7277 allows easy validation of DNSSEC data in environments 7278 with untrustworthy resolvers, and assists with 7279 troubleshooting of DNSSEC problems. [RT #32406] 7280 72813740. [contrib] Minor fixes to configure --with-dlz-bdb, 7282 --with-dlz-postgres and --with-dlz-odbc. [RT #35340] 7283 72843739. [func] Added per-zone stats counters to track TCP and 7285 UDP queries. [RT #35375] 7286 72873738. [bug] --enable-openssl-hash failed to build. [RT #35343] 7288 72893737. [bug] 'rndc retransfer' could trigger a assertion failure 7290 with inline zones. [RT #35353] 7291 72923736. [bug] nsupdate: When specifying a server by name, 7293 fall back to alternate addresses if the first 7294 address for that name is not reachable. [RT #25784] 7295 72963735. [cleanup] Merged the libiscpk11 library into libisc 7297 to simplify dependencies. [RT #35205] 7298 72993734. [bug] Improve building with libtool. [RT #35314] 7300 73013733. [func] Improve interface scanning support. Interface 7302 information will be automatically updated if the 7303 OS supports routing sockets (MacOS, *BSD, Linux). 7304 Use "automatic-interface-scan no;" to disable. 7305 7306 Add "rndc scan" to trigger a scan. [RT #23027] 7307 73083732. [contrib] Fixed a type mismatch causing the ODBC DLZ 7309 driver to dump core on 64-bit systems. [RT #35324] 7310 73113731. [func] Added a "no-case-compress" ACL, which causes 7312 named to use case-insensitive compression 7313 (disabling change #3645) for specified 7314 clients. (This is useful when dealing 7315 with broken client implementations that 7316 use case-sensitive name comparisons, 7317 rejecting responses that fail to match the 7318 capitalization of the query that was sent.) 7319 [RT #35300] 7320 73213730. 
[cleanup] Added "never" as a synonym for "none" when 7322 configuring key event dates in the dnssec tools. 7323 [RT #35277] 7324 73253729. [bug] dnssec-keygen could set the publication date 7326 incorrectly when only the activation date was 7327 specified on the command line. [RT #35278] 7328 73293728. [doc] Expanded native-PKCS#11 documentation, 7330 specifically pkcs11: URI labels. [RT #35287] 7331 73323727. [func] The isc_bitstring API is no longer used and 7333 has been removed from libisc. [RT #35284] 7334 73353726. [cleanup] Clarified the error message when attempting 7336 to configure more than 32 response-policy zones. 7337 [RT #35283] 7338 73393725. [contrib] Updated zkt and nslint to newest versions, 7340 cleaned up and rearranged the contrib 7341 directory, and added a README. 7342 7343 --- 9.10.0a2 released --- 7344 73453724. [bug] win32: Fixed a bug that prevented dig and 7346 host from exiting properly after completing 7347 a UDP query. [RT #35288] 7348 73493723. [cleanup] Imported keys are now handled the same way 7350 regardless of DNSSEC algorithm. [RT #35215] 7351 73523722. [bug] Using geoip ACLs in a blackhole statement 7353 could cause a segfault. [RT #35272] 7354 73553721. [doc] Improved documentation of the EDNS processing 7356 enhancements introduced in change #3593. [RT #35275] 7357 73583720. [bug] Address compiler warnings. [RT #35261] 7359 73603719. [bug] Address memory leak in in peer.c. [RT #35255] 7361 73623718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260] 7363 73643717. [port] hpux: Treat EOPNOTSUPP as a expected error code when 7365 probing to see if it is possible to set dscp values 7366 on a per packet basis. [RT #35252] 7367 73683716. [bug] The dns_request code was setting dcsp values when not 7369 requested. [RT #35252] 7370 73713715. [bug] The region and city databases could fail to 7372 initialize when using some versions of libGeoIP, 7373 causing assertion failures when named was 7374 configured to use them. 
[RT #35427] 7375 73763714. [test] System tests that need to test for cryptography 7377 support before running can now use a common 7378 "testcrypto.sh" script to do so. [RT #35213] 7379 73803713. [bug] Save memory by not storing "also-notify" addresses 7381 in zone objects that are configured not to send 7382 notify requests. [RT #35195] 7383 73843712. [placeholder] 7385 73863711. [placeholder] 7387 73883710. [bug] Address double dns_zone_detach when switching to 7389 using automatic empty zones from regular zones. 7390 [RT #35177] 7391 73923709. [port] Use built-in versions of strptime() and timegm() 7393 on all platforms to avoid portability issues. 7394 [RT #35183] 7395 73963708. [bug] Address a portentry locking issue in dispatch.c. 7397 [RT #35128] 7398 73993707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND 7400 on a missing resolv.conf file and initializes the 7401 structure as if it had been configured with: 7402 7403 nameserver ::1 7404 nameserver 127.0.0.1 7405 7406 Note: Callers will need to be updated to treat 7407 ISC_R_FILENOTFOUND as a qualified success or else 7408 they will leak memory. The following code fragment 7409 will work with both old and new versions without 7410 changing the behaviour of the existing code. 7411 7412 resconf = NULL; 7413 result = irs_resconf_load(mctx, "/etc/resolv.conf", 7414 &resconf); 7415 if (result != ISC_SUCCESS) { 7416 if (resconf != NULL) 7417 irs_resconf_destroy(&resconf); 7418 .... 7419 } 7420 7421 [RT #35194] 7422 74233706. [contrib] queryperf: Fixed a possible integer overflow when 7424 printing results. [RT #35182] 7425 74263705. [func] "configure --enable-native-pkcs11" enables BIND 7427 to use the PKCS#11 API for all cryptographic 7428 functions, so that it can drive a hardware service 7429 module directly without the need to use a modified 7430 OpenSSL as intermediary (so long as the HSM's vendor 7431 provides a complete-enough implementation of the 7432 PKCS#11 interface). 
This has been tested successfully 7433 with the Thales nShield HSM and with SoftHSMv2 from 7434 the OpenDNSSEC project. [RT #29031] 7435 74363704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185] 7437 74383703. [func] To improve recursive resolver performance, cache 7439 records which are still being requested by clients 7440 can now be automatically refreshed from the 7441 authoritative server before they expire, reducing 7442 or eliminating the time window in which no answer 7443 is available in the cache. See the "prefetch" option 7444 for more details. [RT #35041] 7445 74463702. [func] 'dnssec-coverage -l' option specifies a length 7447 of time to check for coverage; events further into 7448 the future are ignored. 'dnssec-coverage -z' 7449 checks only ZSK events, and 'dnssec-coverage -k' 7450 checks only KSK events. (Thanks to Peter Palfrader.) 7451 [RT #35168] 7452 74533701. [func] named-checkconf can now obscure shared secrets 7454 when printing by specifying '-x'. [RT #34465] 7455 74563700. [func] Allow access to subgroups of XML statistics via 7457 special URLs http://<server>:<port>/xml/v3/server, 7458 /zones, /net, /tasks, /mem, and /status. [RT #35115] 7459 74603699. [bug] Improvements to statistics channel XSL stylesheet: 7461 the stylesheet can now be cached by the browser; 7462 section headers are omitted from the stats display 7463 when there is no data in those sections to be 7464 displayed; counters are now right-justified for 7465 easier readability. [RT #35117] 7466 74673698. [cleanup] Replaced all uses of memcpy() with memmove(). 7468 [RT #35120] 7469 74703697. [bug] Handle "." as a search list element when IDN support 7471 is enabled. [RT #35133] 7472 74733696. [bug] dig failed to handle AXFR style IXFR responses which 7474 span multiple messages. [RT #35137] 7475 74763695. [bug] Address a possible race in dispatch.c. [RT #35107] 7477 74783694. 
[bug] Warn when a key-directory is configured for a zone, 7479 but does not exist or is not a directory. [RT #35108] 7480 74813693. [security] memcpy was incorrectly called with overlapping 7482 ranges resulting in malformed names being generated 7483 on some platforms. This could cause INSIST failures 7484 when serving NSEC3 signed zones (CVE-2014-0591). 7485 [RT #35120] 7486 74873692. [bug] Two calls to dns_db_getoriginnode were fatal if there 7488 was no data at the node. [RT #35080] 7489 74903691. [contrib] Address null pointer dereference in LDAP and 7491 MySQL DLZ modules. 7492 74933690. [bug] Iterative responses could be missed when the source 7494 port for an upstream query was the same as the 7495 listener port (53). [RT #34925] 7496 74973689. [bug] Fixed a bug causing an insecure delegation from one 7498 static-stub zone to another to fail with a broken 7499 trust chain. [RT #35081] 7500 75013688. [bug] loadnode could return a freed node on out of memory. 7502 [RT #35106] 7503 75043687. [bug] Address null pointer dereference in zone_xfrdone. 7505 [RT #35042] 7506 75073686. [func] "dnssec-signzone -Q" drops signatures from keys 7508 that are still published but no longer active. 7509 [RT #34990] 7510 75113685. [bug] "rndc refresh" didn't work correctly with slave 7512 zones using inline-signing. [RT #35105] 7513 75143684. [bug] The list of included files would grow on reload. 7515 [RT 35090] 7516 75173683. [cleanup] Add a more detailed "not found" message to rndc 7518 commands which specify a zone name. [RT #35059] 7519 75203682. [bug] Correct the behavior of rndc retransfer to allow 7521 inline-signing slave zones to retain NSEC3 parameters 7522 instead of reverting to NSEC. [RT #34745] 7523 75243681. [port] Update the Windows build system to support feature 7525 selection and WIN64 builds. This is a work in 7526 progress. [RT #34160] 7527 75283680. [bug] Ensure buffer space is available in "rndc zonestatus". 7529 [RT #35084] 7530 75313679. 
[bug] dig could fail to clean up TCP sockets still 7532 waiting on connect(). [RT #35074] 7533 75343678. [port] Update config.guess and config.sub. [RT #35060] 7535 75363677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple 7537 times. [RT #35073] 7538 75393676. [bug] "named-checkconf -z" now checks zones of type 7540 hint and redirect as well as master. [RT #35046] 7541 75423675. [misc] Provide a place for third parties to add version 7543 information for their extensions in the version 7544 file by setting the EXTENSIONS variable. 7545 7546 --- 9.10.0a1 released --- 7547 75483674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026] 7549 75503673. [func] New "in-view" zone option allows direct sharing 7551 of zones between views. [RT #32968] 7552 75533672. [func] Local address can now be specified when using 7554 dns_client API. [RT #34811] 7555 75563671. [bug] Don't allow dnssec-importkey overwrite a existing 7557 non-imported private key. 7558 75593670. [bug] Address read after free in server side of 7560 lwres_getrrsetbyname. [RT #29075] 7561 75623669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001] 7563 75643668. [bug] Fix cast in lex.c which could see 0xff treated as eof. 7565 [RT #34993] 7566 75673667. [test] dig: add support to keep the TCP socket open between 7568 successive queries (+[no]keepopen). [RT #34918] 7569 75703666. [func] Add a tool, named-rrchecker, for checking the syntax 7571 of individual resource records. This tool is intended 7572 to be called by provisioning systems so that the front 7573 end does not need to be upgraded to support new DNS 7574 record types. [RT #34778] 7575 75763665. [bug] Failure to release lock on error in receive_secure_db. 7577 [RT #34944] 7578 75793664. [bug] Updated OpenSSL PKCS#11 patches to fix active list 7580 locking and other bugs. [RT #34855] 7581 75823663. [bug] Address bugs in dns_rdata_fromstruct and 7583 dns_rdata_tostruct for WKS and ISDN types. [RT #34910] 7584 75853662. 
[bug] 'host' could die if a UDP query timed out. [RT #34870] 7586 75873661. [bug] Address lock order reversal deadlock with inline zones. 7588 [RT #34856] 7589 75903660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config". 7591 [RT #23825] 7592 75933659. [port] solaris: don't add explicit dependencies/rules for 7594 python programs as make won't use the implicit rules. 7595 [RT #34835] 7596 75973658. [port] linux: Address platform specific compilation issue 7598 when libcap-devel is installed. [RT #34838] 7599 76003657. [port] Some readline clones don't accept NULL pointers when 7601 calling add_history. [RT #34842] 7602 76033656. [security] Treat an all zero netmask as invalid when generating 7604 the localnets acl. (The prior behavior could 7605 allow unexpected matches when using some versions 7606 of Winsock: CVE-2013-6320.) [RT #34687] 7607 76083655. [cleanup] Simplify TCP message processing when requesting a 7609 zone transfer. [RT #34825] 7610 76113654. [bug] Address race condition with manual notify requests. 7612 [RT #34806] 7613 76143653. [func] Create delegations for all "children" of empty zones 7615 except "forward first". [RT #34826] 7616 76173652. [bug] Address bug with rpz-drop policy. [RT #34816] 7618 76193651. [tuning] Adjust when a master server is deemed unreachable. 7620 [RT #27075] 7621 76223650. [tuning] Use separate rate limiting queues for refresh and 7623 notify requests. [RT #30589] 7624 76253649. [cleanup] Include a comment in .nzf files, giving the name of 7626 the associated view. [RT #34765] 7627 76283648. [test] Updated the ATF test framework to version 0.17. 7629 [RT #25627] 7630 76313647. [bug] Address a race condition when shutting down a zone. 7632 [RT #34750] 7633 76343646. [bug] Journal filename string could be set incorrectly, 7635 causing garbage in log messages. [RT #34738] 7636 76373645. [protocol] Use case sensitive compression when responding to 7638 queries. [RT #34737] 7639 76403644. 
[protocol] Check that EDNS subnet client options are well formed. 7641 [RT #34718] 7642 76433643. [doc] Clarify RRL "slip" documentation. 7644 76453642. [func] Allow externally generated DNSKEY to be imported 7646 into the DNSKEY management framework. A new tool 7647 dnssec-importkey is used to do this. [RT #34698] 7648 76493641. [bug] Handle changes to sig-validity-interval settings 7650 better. [RT #34625] 7651 76523640. [bug] ndots was not being checked when searching. Only 7653 continue searching on NXDOMAIN responses. Add the 7654 ability to specify ndots to nslookup. [RT #34711] 7655 76563639. [bug] Treat type 65533 (KEYDATA) as opaque except when used 7657 in a key zone. [RT #34238] 7658 76593638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is 7660 encountered. [RT #34668] 7661 76623637. [bug] 'allow-query-on' was checking the source address 7663 rather than the destination address. [RT #34590] 7664 76653636. [bug] Automatic empty zones now behave better with 7666 forward only "zones" beneath them. [RT #34583] 7667 76683635. [bug] Signatures were not being removed from a zone with 7669 only KSK keys for a algorithm. [RT #34439] 7670 76713634. [func] Report build-id in rndc status. Report build-id 7672 when building from a git repository. [RT #20422] 7673 76743633. [cleanup] Refactor OPT processing in named to make it easier 7675 to support new EDNS options. [RT #34414] 7676 76773632. [bug] Signature from newly inactive keys were not being 7678 removed. [RT #32178] 7679 76803631. [bug] Remove spurious warning about missing signatures when 7681 qtype is SIG. [RT #34600] 7682 76833630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033] 7684 76853629. [func] Allow the printing of cryptographic fields in DNSSEC 7686 records by dig to be suppressed (dig +nocrypto). 7687 [RT #34534] 7688 76893628. [func] Report DNSKEY key id's when dumping the cache. 7690 [RT #34533] 7691 76923627. [bug] RPZ changes were not effective on slaves. 
[RT #34450] 7693 76943626. [func] dig: NSID output now easier to read. [RT #21160] 7695 76963625. [bug] Don't send notify messages to machines outside of the 7697 test setup. 7698 76993624. [bug] Look for 'json_object_new_int64' when looking for a 7700 the json library. [RT #34449] 7701 77023623. [placeholder] 7703 77043622. [tuning] Eliminate an unnecessary lock when incrementing 7705 cache statistics. [RT #34339] 7706 77073621. [security] Incorrect bounds checking on private type 'keydata' 7708 can lead to a remotely triggerable REQUIRE failure 7709 (CVE-2013-4854). [RT #34238] 7710 77113620. [func] Added "rpz-client-ip" policy triggers, enabling 7712 RPZ responses to be configured on the basis of 7713 the client IP address; this can be used, for 7714 example, to blacklist misbehaving recursive 7715 or stub resolvers. [RT #33605] 7716 77173619. [bug] Fixed a bug in RPZ with "recursive-only no;" 7718 [RT #33776] 7719 77203618. [func] "rndc reload" now checks modification times of 7721 include files as well as master files to determine 7722 whether to skip reloading a zone. [RT #33936] 7723 77243617. [bug] Named was failing to answer queries during 7725 "rndc reload" [RT #34098] 7726 77273616. [bug] Change #3613 was incomplete. [RT #34177] 7728 77293615. [cleanup] "configure" now finishes by printing a summary 7730 of optional BIND features and whether they are 7731 active or inactive. ("configure --enable-full-report" 7732 increases the verbosity of the summary.) [RT #31777] 7733 77343614. [port] Check for <linux/types.h>. [RT #34162] 7735 77363613. [bug] named could crash when deleting inline-signing 7737 zones with "rndc delzone". [RT #34066] 7738 77393612. [port] Check whether to use -ljson or -ljson-c. [RT #34115] 7740 77413611. [bug] Improved resistance to a theoretical authentication 7742 attack based on differential timing. [RT #33939] 7743 77443610. [cleanup] win32: Some executables had been omitted from the 7745 installer. [RT #34116] 7746 77473609. 
[bug] Corrected a possible deadlock in applications using
        the export version of the isc_app API. [RT #33967]

3608. [port] win32: added todos.pl script to ensure all text files
        the win32 build depends on are converted to DOS
        newline format. [RT #22067]

3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error
        message. [RT #34045]

3606. [func] "rndc flushtree" now flushes matching
        records in the address database and bad cache
        as well as the DNS cache. (Previously only the
        DNS cache was flushed.) [RT #33970]

3605. [port] win32: Addressed several compatibility issues
        with newer versions of Visual Studio. [RT #33916]

3604. [bug] Fixed a compile-time error when building with
        JSON but not XML. [RT #33959]

3603. [bug] Install <isc/stat.h>. [RT #33956]

3602. [contrib] Added DLZ Perl module, allowing Perl scripts to
        integrate with named and serve DNS data.
        (Contributed by John Eaglesham of Yahoo.)

3601. [bug] Added to PKCS#11 openssl patches a value len
        attribute in DH derive key. [RT #33928]

3600. [cleanup] dig: Fixed a typo in the warning output when receiving
        an oversized response. [RT #33910]

3599. [tuning] Check for pointer equivalence in name comparisons.
        [RT #18125]

3598. [cleanup] Improved portability of map file code. [RT #33820]

3597. [bug] Ensure automatic-resigning heaps are reconstructed
        when loading zones in map format. [RT #33381]

3596. [port] Updated win32 build documentation, added
        dnssec-verify. [RT #22067]

3595. [port] win32: Fix build problems introduced by change #3550.
        [RT #33807]

3594. [maint] Update config.guess and config.sub. [RT #33816]

3593. [func] Update EDNS processing to better track remote server
        capabilities. [RT #30655]

3592. [doc] Moved documentation of rndc command options to the
        rndc man page. [RT #33506]

3591. [func] Use CRC-64 to detect map file corruption at load
        time. [RT #33746]

3590. [bug] When using RRL on recursive servers, defer
        rate-limiting until after recursion is complete;
        also, use correct rcode for slipped NXDOMAIN
        responses. [RT #33604]

3589. [func] Report serial numbers in when starting zone transfers.
        Report accepted NOTIFY requests including serial.
        [RT #33037]

3588. [bug] dig: addressed a memory leak in the sigchase code
        that could cause a shutdown crash. [RT #33733]

3587. [func] 'named -g' now checks the logging configuration but
        does not use it. [RT #33473]

3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585. [func] "rndc delzone -clean" option removes zone files
        when deleting a zone. [RT #33570]

3584. [security] Caching data from an incompletely signed zone could
        trigger an assertion failure in resolver.c
        (CVE-2013-3919). [RT #33690]

3583. [bug] Address memory leak in GSS-API processing [RT #33574]

3582. [bug] Silence false positive warning regarding missing file
        directive for inline slave zones. [RT #33662]

3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029]

3580. [bug] Addressed a possible race in acache.c [RT #33602]

3579. [maint] Updates to PKCS#11 openssl patches, supporting
        versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578. [bug] 'rndc -c file' now fails if 'file' does not exist.
        [RT #33571]

3577. [bug] Handle zero TTL values better. [RT #33411]

3576. [bug] Address a shutdown race when validating. [RT #33573]

3575. [func] Changed the logging category for RRL events from
        'queries' to 'query-errors'. [RT #33540]

3574. [doc] The 'hostname' keyword was missing from server-id
        description in the named.conf man page. [RT #33476]

3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled
        zone names containing punctuation marks and other
        nonstandard characters. [RT #33419]

3572. [func] Threads are now enabled by default on most
        operating systems. [RT #25483]

3571. [bug] Address race condition in dns_client_startresolve().
        [RT #33234]

3570. [bug] Check internal pointers are valid when loading map
        files. [RT #33403]

3569. [contrib] Ported mysql DLZ driver to dynamically-loadable
        module, and added multithread support. [RT #33394]

3568. [cleanup] Add a product description line to the version file,
        to be reported by named -v/-V. [RT #33366]

3567. [bug] Silence clang static analyzer warnings. [RT #33365]

3566. [func] Log when forwarding updates to master. [RT #33240]

3565. [placeholder]

3564. [bug] Improved handling of corrupted map files. [RT #33380]

3563. [contrib] zone2sqlite failed with some table names. [RT #33375]

3562. [func] Update map file header format to include a SHA-1 hash
        of the database content, so that corrupted map files
        can be rejected at load time. [RT #32459]

3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
        or NOTIMP. Adjust usage message. [RT #33363]

3560. [bug] isc-config.sh did not honor includedir and libdir
        when set via configure. [RT #33345]

3559. [func] Check that both forms of Sender Policy Framework
        records exist or do not exist. [RT #33355]

3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]

3557. [bug] Reloading redirect zones was broken. [RT #33292]

3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.

3555. [bug] Address theoretical race conditions in acache.c
        (change #3553 was incomplete). [RT #33252]

3554. [bug] RRL failed to correctly rate-limit upward
        referrals and failed to count dropped error
        responses in the statistics. [RT #33225]

3553. [bug] Address suspected double free in acache. [RT #33252]

3552. [bug] Wrong getopt option string for 'nsupdate -r'.
        [RT #33280]

3551. [bug] resolver.querydscp[46] were uninitialized. [RT #32686]

3550. [func] Unified the internal and export versions of the
        BIND libraries, allowing external clients to use
        the same libraries as BIND. [RT #33131]

3549. [doc] Documentation for "request-nsid" was missing.
        [RT #33153]

3548. [bug] The NSID request code in resolver.c was broken
        resulting in invalid EDNS options being sent.
        [RT #33153]

3547. [bug] Some malformed unknown rdata records were not properly
        detected and rejected. [RT #33129]

3546. [func] Add EUI48 and EUI64 types. [RT #33082]

3545. [bug] RRL slip behavior was incorrect when set to 1.
        [RT #33111]

3544. [contrib] check5011.pl: Script to report the status of
        managed keys as recorded in managed-keys.bind.
        Contributed by Tony Finch <dot@dotat.at>

3543. [bug] Update socket structure before attaching to socket
        manager after accept. [RT #33084]

3542. [placeholder]

3541. [bug] Parts of libdns were not properly initialized when
        built in libexport mode. [RT #33028]

3540. [test] libt_api: t_info and t_assert were not thread safe.

3539. [port] win32: timestamp format didn't match other platforms.

3538. [test] Running "make test" now requires loopback interfaces
        to be set up. [RT #32452]

3537. [tuning] Slave zones, when updated, now send NOTIFY messages
        to peers before being dumped to disk rather than
        after. [RT #27242]

3536. [func] Add support for setting Differentiated Services Code
        Point (DSCP) values in named. Most configuration
        options which take a "port" option (e.g.,
        listen-on, forwarders, also-notify, masters,
        notify-source, etc) can now also take a "dscp"
        option specifying a code point for use with
        outgoing traffic, if supported by the underlying
        OS. [RT #27596]

3535. [bug] Minor win32 cleanups. [RT #32962]

3534. [bug] Extra text after an embedded NULL was ignored when
        parsing zone files. [RT #32699]

3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]

3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531. [bug] win32: An uninitialized value could be returned on out
        of memory. [RT #32960]

3530. [contrib] Better RTT tracking in queryperf. [RT #30128]

3529. [func] Named now listens on both IPv4 and IPv6 interfaces
        by default. Named previously only listened on IPv4
        interfaces by default unless named was running in
        IPv6 only mode. [RT #32945]

3528. [func] New "dnssec-coverage" command scans the timing
        metadata for a set of DNSSEC keys and reports if a
        lapse in signing coverage has been scheduled
        inadvertently. (Note: This tool depends on python;
        it will not be built or installed on systems that
        do not have a python interpreter.) [RT #28098]

3527. [compat] Add a URI to allow applications to explicitly
        request a particular XML schema from the statistics
        channel, returning 404 if not supported. [RT #32481]

3526. [cleanup] Set up dependencies for unit tests correctly during
        build. [RT #32803]

3525. [func] Support for additional signing algorithms in rndc:
        hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
        The -A option to rndc-confgen can be used to
        select the algorithm for the generated key.
        (The default is still hmac-md5; this may
        change in a future release.) [RT #20363]

3524. [func] Added an alternate statistics channel in JSON format,
        when the server is built with the json-c library:
        http://[address]:[port]/json. [RT #32630]

3523. [contrib] Ported filesystem and ldap DLZ drivers to
        dynamically-loadable modules, and added the
        "wildcard" module based on a contribution from
        Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522. [bug] DLZ lookups could fail to return SERVFAIL when
        they ought to. [RT #32685]

3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]

3520. [bug] 'mctx' was not being reference counted in some places
        where it should have been. [RT #32794]

3519. [func] Full replay protection via four-way handshake is
        now mandatory for rndc clients. Very old versions
        of rndc will no longer work. [RT #32798]

3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
        so that all dns_rrl_rtype_t enum values fit regardless
        of whether it is treated as signed or unsigned by
        the compiler. [RT #32792]

3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]

3516. [placeholder]

3515. [port] '%T' is not portable in strftime(). [RT #32763]

3514. [bug] The ranges for valid key sizes in ddns-confgen and
        rndc-confgen were too constrained. Keys up to 512
        bits are now allowed for most algorithms, and up
        to 1024 bits for hmac-sha384 and hmac-sha512.
        [RT #32753]

3513. [func] "dig -u" prints times in microseconds rather than
        milliseconds. [RT #32704]

3512. [func] "rndc validation check" reports the current status
        of DNSSEC validation. [RT #21397]

3511. [doc] Improve documentation of redirect zones. [RT #32756]

3510. [func] "rndc status" and XML statistics channel now report
        server start and reconfiguration times. [RT #21048]

3509. [cleanup] Added a product line to version file to allow for
        easy naming of different products (BIND
        vs BIND ESV, for example). [RT #32755]

3508. [contrib] queryperf was incorrectly rejecting the -T option.
        [RT #32338]

3507. [bug] Statistics channel XSL had a glitch when attempting
        to chart query data before any queries had been
        received. [RT #32620]

3506. [func] When setting "max-cache-size" and "max-acache-size",
        the keyword "unlimited" is no longer defined as equal
        to 4 gigabytes (except on 32-bit platforms); it
        means literally unlimited. [RT #32358]

3505. [bug] When setting "max-cache-size" and "max-acache-size",
        larger values than 4 gigabytes could not be set
        explicitly, though larger sizes were available
        when setting cache size to 0. This has been
        corrected; the full range is now available.
        [RT #32358]

3504. [func] Add support for ACLs based on geographic location,
        using MaxMind GeoIP databases. Based on code
        contributed by Ken Brownfield <kb@slide.com>.
        [RT #30681]

3503. [doc] Clarify size_spec syntax. [RT #32449]

3502. [func] zone-statistics: "no" is now a synonym for "none",
        instead of "terse". [RT #29165]

3501. [func] zone-statistics now takes three options: full,
        terse, and none. "yes" and "no" are retained as
        synonyms for full and terse, respectively. [RT #29165]

3500. [security] Support NAPTR regular expression validation on
        all platforms without using libregex, which
        can be vulnerable to memory exhaustion attack
        (CVE-2013-2266). [RT #32688]

3499. [doc] Corrected ARM documentation of built-in zones.
        [RT #32694]

3498. [bug] zone statistics for zones which matched a potential
        empty zone could have their zone-statistics setting
        overridden.

3497. [func] When deleting a slave/stub zone using 'rndc delzone'
        report the files that were being used so they can
        be cleaned up if desired. [RT #27899]

3496. [placeholder]

3495. [func] Support multiple response-policy zones (up to 32),
        while improving RPZ performance. "response-policy"
        syntax now includes a "min-ns-dots" clause, with
        default 1, to exclude top-level domains from
        NSIP and NSDNAME checking. --enable-rpz-nsip and
        --enable-rpz-nsdname are now the default. [RT #32251]

3494. [func] DNS RRL: Blunt the impact of DNS reflection and
        amplification attacks by rate-limiting substantially-
        identical responses. [RT #28130]

3493. [contrib] Added BDBHPT dynamically-loadable DLZ module,
        contributed by Mark Goldfinch. [RT #32549]

3492. [bug] Fixed a regression in zone loading performance
        due to lock contention. [RT #30399]

3491. [bug] Slave zones using inline-signing must specify a
        file name. [RT #31946]

3490. [bug] When logging RDATA during update, truncate if it's
        too long. [RT #32365]

3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
        dns_dlzcreate() failed to properly initialize
        dlzdb.link. When cloning a rdataset do not copy
        the link contents. [RT #32651]

3488. [bug] Use after free error with DH generated keys. [RT #32649]

3487. [bug] Change 3444 was not complete. There was an additional
        place where the NOQNAME proof needed to be saved.
        [RT #32629]

3486. [bug] named could crash when using TKEY-negotiated keys
        that had been deleted and then recreated. [RT #32506]

3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.

3484. [bug] Some statistics were incorrectly rendered in XML.
        [RT #32587]

3483. [placeholder]

3482. [func] dig +nssearch now prints name servers that don't
        have address records (missing AAAA or A, or the name
        doesn't exist). [RT #29348]

3481. [cleanup] Removed use of const const in atf.

3480. [bug] Silence logging noise when setting up zone
        statistics. [RT #32525]

3479. [bug] Address potential memory leaks in gssapi support
        code. [RT #32405]

3478. [port] Fix a build failure in strict C99 environments
        [RT #32475]

3477. [func] Expand logging when adding records via DDNS update
        [RT #32365]

3476. [bug] "rndc zonestatus" could report a spurious "not
        found" error on inline-signing zones. [RT #29226]

3475. [cleanup] Changed name of 'map' zone file format (previously
        'fast'). [RT #32458]

3474. [bug] nsupdate could assert when the local and remote
        address families didn't match. [RT #22897]

3473. [bug] dnssec-signzone/verify could incorrectly report
        an error condition due to an empty node above an
        opt-out delegation lacking an NSEC3. [RT #32072]

3472. [bug] The active-connections counter in the socket
        statistics could underflow. [RT #31747]

3471. [bug] The number of UDP dispatches now defaults to
        the number of CPUs even if -n has been set to
        a higher value. [RT #30964]

3470. [bug] Slave zones could fail to dump when successfully
        refreshing after an initial failure. [RT #31276]

3469. [bug] Handle DLZ lookup failures more gracefully. Improve
        backward compatibility between versions of DLZ dlopen
        API. [RT #32275]

3468. [security] RPZ rules to generate A records (but not AAAA records)
        could trigger an assertion failure when used in
        conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467. [bug] Added checks in dnssec-keygen and dnssec-settime
        to check for delete date < inactive date. [RT #31719]

3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
        in DLZ example driver. [RT #32275]

3465. [bug] Handle isolated reserved ports. [RT #31778]

3464. [maint] Updates to PKCS#11 openssl patches, supporting
        versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]

3462. [doc] Clarify server selection behavior of dig when using
        -4 or -6 options. [RT #32181]

3461. [bug] Negative responses could incorrectly have AD=1
        set. [RT #32237]

3460. [bug] Only link against readline where needed. [RT #29810]

3459. [func] Added -J option to named-checkzone/named-compilezone
        to specify the path to the journal file. [RT #30958]

3458. [bug] Return FORMERR when presented with an overly long
        domain name in a request. [RT #29682]

3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456. [port] g++47: ATF failed to compile. [RT #32012]

3455. [contrib] queryperf: fix getopt option list. [RT #32338]

3454. [port] sparc64: improve atomic support. [RT #25182]

3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;'
        failed. [RT #31960]

3452. [bug] Accept duplicate singleton records. [RT #32329]

3451. [port] Increase per thread stack size from 64K to 1M.
        [RT #32230]

3450. [bug] Stop logfileconfig system test spam system logs.
        [RT #32315]

3449. [bug] gen.c: use the pre-processor to construct format
        strings so that compiler can perform sanity checks;
        check the snprintf results. [RT #17576]

3448. [bug] The allow-query-on ACL was not processed correctly.
        [RT #29486]

3447. [port] Add support for libxml2-2.9.x [RT #32231]

3446. [port] win32: Add source ID (see change #3400) to build.
        [RT #31683]

3445. [bug] Warn about zone files with blank owner names
        immediately after $ORIGIN directives. [RT #31848]

3444. [bug] The NOQNAME proof was not being returned from cached
        insecure responses. [RT #21409]

3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
        rejected when generating keys. [RT #31927]

3442. [port] Net::DNS 0.69 introduced a non backwards compatible
        change. [RT #32216]

3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.

3440. [bug] Reorder get_key_struct to not trigger an assertion when
        cleaning up due to out of memory error. [RT #32131]

3439. [placeholder]

3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]

3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
        buffers with constant data. [RT #32064]

3436. [bug] Check malloc/calloc return values. [RT #32088]

3435. [bug] Cross compilation support in configure was broken.
        [RT #32078]

3434. [bug] Pass client info to the DLZ findzone() entry
        point in addition to lookup(). This makes it
        possible for a database to answer differently
        whether it's authoritative for a name depending
        on the address of the client. [RT #31775]

3433. [bug] dlz_findzone() did not correctly handle
        ISC_R_NOMORE. [RT #31172]

3432. [func] Multiple DLZ databases can now be configured.
        DLZ databases are searched in the order configured,
        unless set to "search no", in which case a
        zone can be configured to be retrieved from a
        particular DLZ database by using a "dlz <name>"
        option in the zone statement. DLZ databases can
        support type "master" and "redirect" zones.
        [RT #27597]

3431. [bug] ddns-confgen: Some valid key algorithms were
        not accepted. [RT #31927]

3430. [bug] win32: isc_time_formatISO8601 was missing the
        'T' between the date and time. [RT #32044]

3429. [bug] dns_zone_getserial2 could return success without
        returning a valid serial. [RT #32007]

3428. [cleanup] dig: Add timezone to date output. [RT #2269]

3427. [bug] dig +trace incorrectly displayed name server
        addresses instead of names. [RT #31641]

3426. [bug] dnssec-checkds: Clearer output when records are not
        found. [RT #31968]

3425. [bug] "acacheentry" reference counting was broken resulting
        in use after free. [RT #31908]

3424. [func] dnssec-dsfromkey now emits the hash without spaces.
        [RT #31951]

3423. [bug] "rndc signing -nsec3param" didn't accept the full
        range of possible values. Address portability issues.
        [RT #31938]

3422. [bug] Added a clear error message for when the SOA does not
        match the referral. [RT #31281]

3421. [bug] Named loops when re-signing if all keys are offline.
        [RT #31916]

3420. [bug] Address VPATH compilation issues. [RT #31879]

3419. [bug] Memory leak on validation cancel. [RT #31869]

3418. [func] New XML schema (version 3.0) for the statistics channel
        adds query type statistics at the zone level, and
        flattens the XML tree and uses compressed format to
        optimize parsing. Includes new XSL that permits
        charting via the Google Charts API on browsers that
        support javascript in XSL. The old XML schema has been
        deprecated. [RT #30023]

3417. [placeholder]

3416. [bug] Named could die on shutdown if running with 128 UDP
        dispatches per interface. [RT #31743]

3415. [bug] named could die with a REQUIRE failure if a validation
        was canceled. [RT #31804]

3414. [bug] Address locking issues found by Coverity. [RT #31626]

3413. [func] Record the number of DNS64 AAAA RRsets that have been
        synthesized. [RT #27636]

3412. [bug] Copy timeval structure from control message data.
        [RT #31548]

3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
        to UDP. [RT #31690]

3410. [bug] Addressed Coverity warnings. [RT #31626]

3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
        from X.509 certificates, for use with DANE
        (DNS-based Authentication of Named Entities).
        [RT #30513]

3408. [bug] Some DNSSEC-related options (update-check-ksk,
        dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
        are now legal in slave zones as long as
        inline-signing is in use. [RT #31078]

3407. [placeholder]

3406. [bug] mem.c: Fix compilation errors when building with
        ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
        Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405. [bug] Handle time going backwards in acache. [RT #31253]

3404. [bug] dnssec-signzone: When re-signing a zone, remove
        RRSIG and NSEC records from nodes that used to be
        in-zone but are now below a zone cut. [RT #31556]

3403. [bug] Silence noisy OpenSSL logging. [RT #31497]

3402. [test] The IPv6 interface numbers used for system
        tests were incorrect on some platforms. [RT #25085]

3401. [bug] Addressed Coverity warnings. [RT #31484]

3400. [cleanup] "named -V" can now report a source ID string, defined
        in the "srcid" file in the build tree and normally set
        to the most recent git hash. [RT #31494]

3399. [port] netbsd: rename 'bool' parameter to avoid namespace
        clash. [RT #31515]

3398. [bug] SOA parameters were not being updated with inline
        signed zones if the zone was modified while the
        server was offline. [RT #29272]

3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]

3396. [bug] OPT records were incorrectly removed from signed,
        truncated responses. [RT #31439]

3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
        list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
        [RT #31336]

3394. [bug] Adjust 'successfully validated after lower casing
        signer' log level and category. [RT #31414]

3393. [bug] 'host -C' could core dump if REFUSED was received.
        [RT #31381]

3392. [func] Keep statistics on REFUSED responses. [RT #31412]

3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
        [RT #31262]

3390. [bug] Silence clang compiler warnings. [RT #30417]

3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]

3388. [bug] Fixed several Coverity warnings.
        Note: This change includes a fix for a bug that
        was subsequently determined to be an exploitable
        security vulnerability, CVE-2012-5688: named could
        die on specific queries with dns64 enabled.
        [RT #30996]

3387. [func] DS digest can be disabled at runtime with
        disable-ds-digests. [RT #21581]

3386. [bug] Address locking violation when generating new NSEC /
        NSEC3 chains. [RT #31224]

3385. [bug] named-checkconf didn't detect missing master lists
        in also-notify clauses. [RT #30810]

3384. [bug] Improved logging of crypto errors. [RT #30963]

3383. [security] A certain combination of records in the RBT could
        cause named to hang while populating the additional
        section of a response. [RT #31090]

3382. [bug] SOA query from slave used use-v6-udp-ports range,
        if set, regardless of the address family in use.
        [RT #24173]

3381. [contrib] Update queryperf to support more RR types.
        [RT #30762]

3380. [bug] named could die if a nonexistent master list was
        referenced in an also-notify. [RT #31004]

3379. [bug] isc_interval_zero and isc_time_epoch should be
        "const (type)* const". [RT #31069]

3378. [bug] Handle missing 'managed-keys-directory' better.
        [RT #30625]

3377. [bug] Removed spurious newline from NSEC3 multiline
        output. [RT #31044]

3376. [bug] Lack of EDNS support was being recorded without a
        successful response. [RT #30811]

3375. [bug] 'rndc dumpdb' failed on empty caches. [RT #30808]

3374. [bug] isc_parse_uint32 failed to return a range error on
        systems with 64 bit longs. [RT #30232]

3373. [bug] win32: open raw files in binary mode. [RT #30944]

3372. [bug] Silence spurious "deleted from unreachable cache"
        messages. [RT #30501]

3371. [bug] AD=1 should behave like DO=1 when deciding whether to
        add NS RRsets to the additional section or not.
        [RT #30479]

3370. [bug] Address use after free while shutting down. [RT #30241]

3369. [bug] nsupdate terminated unexpectedly in interactive mode
        if built with readline support. [RT #29550]

3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
        were not C++ safe.

3367. [bug] dns_dnsseckey_create() result was not being checked.
        [RT #30685]

3366. [bug] Fixed Read-After-Write dependency violation for IA64
        atomic operations. [RT #25181]

3365. [bug] Removed spurious newlines from log messages in
        zone.c [RT #30675]

3364. [security] Named could die on specially crafted record.
        [RT #30416]

3363. [bug] Need to allow "forward" and "forwarders" options
        in static-stub zones; this had been overlooked.
        [RT #30482]

3362. [bug] Setting some option values to 0 in named.conf
        could trigger an assertion failure on startup.
        [RT #27730]

3361. [bug] "rndc signing -nsec3param" didn't work correctly
        when salt was set to '-' (no salt). [RT #30099]

3360. [bug] 'host -w' could die. [RT #18723]

3359. [bug] An improperly-formed TSIG secret could cause a
        memory leak. [RT #30607]

3358. [placeholder]

3357. [port] Add support for libxml2-2.8.x [RT #30440]

3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
        approaching their expiry, so they don't remain
        in caches after expiry. [RT #26429]

3355. [port] Use more portable awk in verify system test.

3354. [func] Improve OpenSSL error logging. [RT #29932]

3353. [bug] Use a single task for task exclusive operations.
        [RT #29872]

3352. [bug] Ensure that learned server attributes timeout of the
        adb cache. [RT #29856]

3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
        caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
        memory debugging flags are set. [RT #30243]

3350. [bug] Memory read overrun in isc___mem_reallocate if
        ISC_MEM_DEBUGCTX memory debugging flag is set.
        [RT #30240]

3349. [bug] Change #3345 was incomplete. [RT #30233]

3348. [bug] Prevent RRSIG data from being cached if a negative
        record matching the covering type exists at a higher
        trust level. Such data already can't be retrieved from
        the cache since change 3218 -- this prevents it
        being inserted into the cache as well. [RT #26809]

3347. [bug] dnssec-settime: Issue a warning when writing a new
        private key file would cause a change in the
        permissions of the existing file. [RT #27724]

3346. [security] Bad-cache data could be used before it was
        initialized, causing an assert. [RT #30025]

3345. [bug] Addressed race condition when removing the last item
        or inserting the first item in an ISC_QUEUE.
        [RT #29539]

3344. [func] New "dnssec-checkds" command checks a zone to
        determine which DS records should be published
        in the parent zone, or which DLV records should be
        published in a DLV zone, and queries the DNS to
        ensure that it exists. (Note: This tool depends
        on python; it will not be built or installed on
        systems that do not have a python interpreter.)
        [RT #28099]

3343. [placeholder]

3342. [bug] Change #3314 broke saving of stub zones to disk
        resulting in excessive cpu usage in some cases.
        [RT #29952]

3341. [func] New "dnssec-verify" command checks a signed zone
        to ensure correctness of signatures and of NSEC/NSEC3
        chains. [RT #23673]

3340. [func] Added new 'map' zone file format, which is an image
        of a zone database that can be loaded directly into
        memory via mmap(), allowing much faster zone loading.
        (Note: Because of pointer sizes and other
        considerations, this file format is platform-dependent;
        'map' zone files cannot always be transferred from one
        server to another.) [RT #25419]

3339. [func] Allow the maximum supported rsa exponent size to be
        specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338. [bug] Address race condition in unit tests: asyncload_zone
        and asyncload_zt. [RT #26100]

3337. [bug] Change #3294 broke support for the multiple keys
        in controls. [RT #29694]

3336. [func] Maintain statistics for RRsets tagged as "stale".
        [RT #29514]

3335. [func] nslookup: return a nonzero exit code when unable
        to get an answer. [RT #29492]

3334. [bug] Hold a zone table reference while performing an
        asynchronous load of a zone. [RT #28326]

3333. [bug] Setting resolver-query-timeout too low can cause
        named to not recover if it loses connectivity.
        [RT #29623]

3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]

3331. [security] dns_rdataslab_fromrdataset could produce bad
        rdataslabs. [RT #29644]

3330. [func] Fix missing signatures on NOERROR results despite
        RPZ rewriting. Also
        - add optional "recursive-only yes|no" to the
          response-policy statement
        - add optional "max-policy-ttl" to the response-policy
          statement to limit the false data that
          "recursive-only no" can introduce into
          resolvers' caches
        - add an RPZ performance test to bin/tests/system/rpz
          when queryperf is available.
        - the encoding of PASSTHRU action to "rpz-passthru".
          (The old encoding is still accepted.)
        [RT #26172]


3329. [bug] Handle RRSIG signer-name case consistently: We
        generate RRSIG records with the signer-name in
        lower case. We accept them with any case, but if
        they fail to validate, we try again in lower case.
        [RT #27451]

3328. [bug] Fixed inconsistent data checking in dst_parse.c.
        [RT #29401]

3327. [func] Added 'filter-aaaa-on-v6' option; this is similar
        to 'filter-aaaa-on-v4' but applies to IPv6
        connections. (Use "configure --enable-filter-aaaa"
        to enable this option.) [RT #27308]

3326. [func] Added task list statistics: task model, worker
        threads, quantum, tasks running, tasks ready.
        [RT #27678]

3325. [func] Report cache statistics: memory use, number of
        nodes, number of hash buckets, hit and miss counts.
        [RT #27056]

3324. [test] Add better tests for ADB stats [RT #27057]

3323. [func] Report the number of buckets the resolver is using.
        [RT #27020]

3322. [func] Monitor the number of active TCP and UDP dispatches.
        [RT #27055]

3321. [func] Monitor the number of recursive fetches and the
        number of open sockets, and report these values in
        the statistics channel. [RT #27054]

3320. [func] Added support for monitoring of recursing client
        count. [RT #27009]

3319. [func] Added support for monitoring of ADB entry count and
        hash size. [RT #27057]

3318. [tuning] Reduce the amount of work performed while holding a
        bucket lock when finished with a fetch context.
        [RT #29239]

3317. [func] Add ECDSA support (RFC 6605). [RT #21918]

3316. [tuning] Improved locking performance when recursing.
        [RT #28836]

3315. [tuning] Use multiple dispatch objects for sending upstream
        queries; this can improve performance on busy
        multiprocessor systems by reducing lock contention.
        [RT #28605]

3314. [bug] The masters list could be updated while stub_callback
        or refresh_callback were using it. [RT #26732]

3313. [protocol] Add TLSA record type. [RT #28989]

3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
        [RT #27631]

3311. [bug] Abort the zone dump if zone->db is NULL in
        zone.c:zone_gotwritehandle. [RT #29028]

3310. [test] Increase table size for mutex profiling. [RT #28809]

3309. [bug] resolver.c:fctx_finddone() was not thread safe.
        [RT #27995]

3308. [placeholder]

3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
        [RT #28956]

3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]

3305. [func] Add wire format lookup method to sdb. [RT #28563]

3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
        [RT #28571]

3303. [bug] named could die when reloading. [RT #28606]

3302. [bug] dns_dnssec_findmatchingkeys could fail to find
        keys if the zone name contained character that
        required special mappings. [RT #28600]

3301. [contrib] Update queryperf to build on darwin. Add -R flag
        for non-recursive queries. [RT #28565]

3300. [bug] Named could die if gssapi was enabled in named.conf
        but was not compiled in. [RT #28338]

3299. [bug] Make SDB handle errors from database drivers better.
        [RT #28534]

3298. [bug] Named could dereference a NULL pointer in
        zmgr_start_xfrin_ifquota if the zone was being removed.
        [RT #28419]

3297. [bug] Named could die on a malformed master file. [RT #28467]

3296. [bug] Named could die with an INSIST failure in
        client.c:exit_check. [RT #28346]

3295. [bug] Adjust isc_time_secondsastimet range check to be more
        portable. [RT #26542]

3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
        error. [RT #28265]

3293. [func] nsupdate: list supported type. [RT #28261]

3292. [func] Log messages in the axfr stream at debug 10.
        [RT #28040]

3291. [port] Fixed a build error on systems without ENOTSUP.
        [RT #28200]

3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]

3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]

3288. [bug] dlz_destroy() function wasn't correctly registered
        by the DLZ dlopen driver. [RT #28056]

3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286. [bug] Managed key maintenance timer could fail to start
        after 'rndc reconfig'. [RT #26786]

3285. [bug] val-frdataset was incorrectly disassociated in
        proveunsecure after calling startfinddlvsep.
        [RT #27928]

3284. [bug] Address race conditions with the handling of
        rbtnode.deadlink. [RT #27738]

3283. [bug] Raw zones with more than 512 records in a RRset
        failed to load. [RT #27863]

3282. [bug] Restrict the TTL of NS RRset to no more than that
        of the old NS RRset when replacing it.
        [RT #27792] [RT #27884]

3281. [bug] SOA refresh queries could be treated as cancelled
        despite succeeding over the loopback interface.
        [RT #27782]

3280. [bug] Potential double free of a rdataset on out of memory
        with DNS64. [RT #27762]

3279. [bug] Hold an internal reference to the zone while performing
        an asynchronous load. Address potential memory leak
        if the asynchronous is cancelled. [RT #27750]

3278. [bug] Make sure automatic key maintenance is started
        when "auto-dnssec maintain" is turned on during
        "rndc reconfig". [RT #26805]

3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]

3276. [bug] win32: ns_os_openfile failed to return NULL on
        safe_open failure. [RT #27696]

3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
        option had been misspelled as '-clear'. (To avoid
        future confusion, both options now work.) [RT #27173]

3274. [placeholder]

3273. [bug] AAAA responses could be returned in the additional
        section even when filter-aaaa-on-v4 was in use.
        [RT #27292]

3272. [func] New "rndc zonestatus" command prints information
        about the specified zone. [RT #21671]

3271. [port] darwin: mksymtbl is not always stable, loop several
        times before giving up. mksymtbl was using non
        portable perl to convert 64 bit hex strings. [RT #27653]

        --- 9.9.0rc2 released ---

3270. [bug] "rndc reload" didn't reuse existing zones correctly
        when inline-signing was in use. [RT #27650]

3269. [port] darwin 11 and later now built threaded by default.

3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
        out the earliest expiry time. [RT #23311]

3267. [bug] Memory allocation failures could be mis-reported as
        unexpected error. New ISC_R_UNSET result code.
        [RT #27336]

3266. [bug] The maximum number of NSEC3 iterations for a
        DNSKEY RRset was not being properly computed.
        [RT #26543]

3265. [bug] Corrected a problem with lock ordering in the
        inline-signing code. [RT #27557]

3264.
[bug] Automatic regeneration of signatures in an 8852 inline-signing zone could stall when the server 8853 was restarted. [RT #27344] 8854 88553263. [bug] "rndc sync" did not affect the unsigned side of an 8856 inline-signing zone. [RT #27337] 8857 88583262. [bug] Signed responses were handled incorrectly by RPZ. 8859 [RT #27316] 8860 88613261. [func] RRset ordering now defaults to random. [RT #27174] 8862 88633260. [bug] "rrset-order cyclic" could appear not to rotate 8864 for some query patterns. [RT #27170/27185] 8865 8866 --- 9.9.0rc1 released --- 8867 88683259. [bug] named-compilezone: Suppress "dump zone to <file>" 8869 message when writing to stdout. [RT #27109] 8870 88713258. [test] Add "forcing full sign with unreadable keys" test. 8872 [RT #27153] 8873 88743257. [bug] Do not generate a error message when calling fsync() 8875 in a pipe or socket. [RT #27109] 8876 88773256. [bug] Disable empty zones for lwresd -C. [RT #27139] 8878 88793255. [func] No longer require that a empty zones be explicitly 8880 enabled or that a empty zone is disabled for 8881 RFC 1918 empty zones to be configured. [RT #27139] 8882 88833254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels. 8884 [RT #22249] 8885 88863253. [bug] Return DNS_R_SYNTAX when the input to a text field is 8887 too long. [RT #26956] 8888 88893252. [bug] When master zones using inline-signing were 8890 updated while the server was offline, the source 8891 zone could fall out of sync with the signed 8892 copy. They can now resynchronize. [RT #26676] 8893 88943251. [bug] Enforce a upper bound (65535 bytes) on the amount of 8895 memory dns_sdlz_putrr() can allocate per record to 8896 prevent run away memory consumption on ISC_R_NOSPACE. 8897 [RT #26956] 8898 88993250. [func] 'configure --enable-developer'; turn on various 8900 configure options, normally off by default, that 8901 we want developers to build and test with. [RT #27103] 8902 89033249. 
[bug] Update log message when saving slave zones files for 8904 analysis after load failures. [RT #27087] 8905 89063248. [bug] Configure options --enable-fixed-rrset and 8907 --enable-exportlib were incompatible with each 8908 other. [RT #27087] 8909 89103247. [bug] 'raw' format zones failed to preserve load order 8911 breaking 'fixed' sort order. [RT #27087] 8912 89133246. [bug] Named failed to start with a empty also-notify list. 8914 [RT #27087] 8915 89163245. [bug] Don't report a error unchanged serials unless there 8917 were other changes when thawing a zone with 8918 ixfr-fromdifferences. [RT #26845] 8919 89203244. [func] Added readline support to nslookup and nsupdate. 8921 Also simplified nsupdate syntax to make "update" 8922 and "prereq" optional. [RT #24659] 8923 89243243. [port] freebsd,netbsd,bsdi: the thread defaults were not 8925 being properly set. 8926 89273242. [func] Extended the header of raw-format master files to 8928 include the serial number of the zone from which 8929 they were generated, if different (as in the case 8930 of inline-signing zones). This is to be used in 8931 inline-signing zones, to track changes between the 8932 unsigned and signed versions of the zone, which may 8933 have different serial numbers. 8934 8935 (Note: raw zonefiles generated by this version of 8936 BIND are no longer compatible with prior versions. 8937 To generate a backward-compatible raw zonefile 8938 using dnssec-signzone or named-compilezone, specify 8939 output format "raw=0" instead of simply "raw".) 8940 [RT #26587] 8941 89423241. [bug] Address race conditions in the resolver code. 8943 [RT #26889] 8944 89453240. [bug] DNSKEY state change events could be missed. [RT #26874] 8946 89473239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent 8948 timestamp. [RT #26883] 8949 89503238. [bug] keyrdata was not being reinitialized in 8951 lib/dns/rbtdb.c:iszonesecure. [RT #26913] 8952 89533237. [bug] dig -6 didn't work with +trace. 
[RT #26906] 8954 89553236. [bug] Backed out changes #3182 and #3202, related to 8956 EDNS(0) fallback behavior. [RT #26416] 8957 89583235. [func] dns_db_diffx, a extended dns_db_diff which returns 8959 the generated diff and optionally writes it to a 8960 journal. [RT #26386] 8961 89623234. [bug] 'make depend' produced invalid makefiles. [RT #26830] 8963 89643233. [bug] 'rndc freeze/thaw' didn't work for inline zones. 8965 [RT #26632] 8966 89673232. [bug] Zero zone->curmaster before return in 8968 dns_zone_setmasterswithkeys(). [RT #26732] 8969 89703231. [bug] named could fail to send a incompressible zone. 8971 [RT #26796] 8972 89733230. [bug] 'dig axfr' failed to properly handle a multi-message 8974 axfr with a serial of 0. [RT #26796] 8975 89763229. [bug] Fix local variable to struct var assignment 8977 found by CLANG warning. 8978 89793228. [tuning] Dynamically grow symbol table to improve zone 8980 loading performance. [RT #26523] 8981 89823227. [bug] Interim fix to make WKS's use of getprotobyname() 8983 and getservbyname() self thread safe. [RT #26232] 8984 89853226. [bug] Address minor resource leakages. [RT #26624] 8986 89873225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed" 8988 messages. [RT #26507] 8989 89903224. [bug] 'rndc signing' argument parsing was broken. [RT #26684] 8991 89923223. [bug] 'task_test privilege_drop' generated false positives. 8993 [RT #26766] 8994 89953222. [cleanup] Replace dns_journal_{get,set}_bitws with 8996 dns_journal_{get,set}_sourceserial. [RT #26634] 8997 89983221. [bug] Fixed a potential core dump on shutdown due to 8999 referencing fetch context after it's been freed. 9000 [RT #26720] 9001 9002 --- 9.9.0b2 released --- 9003 90043220. [bug] Change #3186 was incomplete; dns_db_rpz_findips() 9005 could fail to set the database version correctly, 9006 causing an assertion failure. [RT #26180] 9007 90083219. [bug] Disable NOEDNS caching following a timeout. 9009 90103218. 
[security] Cache lookup could return RRSIG data associated with 9011 nonexistent records, leading to an assertion 9012 failure. [RT #26590] 9013 90143217. [cleanup] Fix build problem with --disable-static. [RT #26476] 9015 90163216. [bug] resolver.c:validated() was not thread-safe. [RT #26478] 9017 90183215. [bug] 'rndc recursing' could cause a core dump. [RT #26495] 9019 90203214. [func] Add 'named -U' option to set the number of UDP 9021 listener threads per interface. [RT #26485] 9022 90233213. [doc] Clarify ixfr-from-differences behavior. [RT #25188] 9024 90253212. [bug] rbtdb.c: failed to remove a node from the deadnodes 9026 list prior to adding a reference to it leading a 9027 possible assertion failure. [RT #23219] 9028 90293211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full" 9030 option prints in single-line-per-record format. 9031 [RT #20287] 9032 90333210. [bug] Canceling the oldest query due to recursive-client 9034 overload could trigger an assertion failure. [RT #26463] 9035 90363209. [func] Add "dnssec-lookaside 'no'". [RT #24858] 9037 90383208. [bug] 'dig -y' handle unknown tsig algorithm better. 9039 [RT #25522] 9040 90413207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444] 9042 90433206. [cleanup] Add ISC information to log at start time. [RT #25484] 9044 90453205. [func] Upgrade dig's defaults to better reflect modern 9046 nameserver behavior. Enable "dig +adflag" and 9047 "dig +edns=0" by default. Enable "+dnssec" when 9048 running "dig +trace". [RT #23497] 9049 90503204. [bug] When a master server that has been marked as 9051 unreachable sends a NOTIFY, mark it reachable 9052 again. [RT #25960] 9053 90543203. [bug] Increase log level to 'info' for validation failures 9055 from expired or not-yet-valid RRSIGs. [RT #21796] 9056 90573202. [bug] NOEDNS caching on timeout was too aggressive. 9058 [RT #26416] 9059 90603201. 
[func] 'rndc querylog' can now be given an on/off parameter 9061 instead of only being used as a toggle. [RT #18351] 9062 90633200. [doc] Some rndc functions were undocumented or were 9064 missing from 'rndc -h' output. [RT #25555] 9065 90663199. [func] When logging client information, include the name 9067 being queried. [RT #25944] 9068 90693198. [doc] Clarified that dnssec-settime can alter keyfile 9070 permissions. [RT #24866] 9071 90723197. [bug] Don't try to log the filename and line number when 9073 the config parser can't open a file. [RT #22263] 9074 90753196. [bug] nsupdate: return nonzero exit code when target zone 9076 doesn't exist. [RT #25783] 9077 90783195. [cleanup] Silence "file not found" warnings when loading 9079 managed-keys zone. [RT #26340] 9080 90813194. [doc] Updated RFC references in the 'empty-zones-enable' 9082 documentation. [RT #25203] 9083 90843193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to 9085 dnssec.h. [RT #26415] 9086 90873192. [bug] A query structure could be used after being freed. 9088 [RT #22208] 9089 90903191. [bug] Print NULL records using "unknown" format. [RT #26392] 9091 90923190. [bug] Underflow in error handling in isc_mutexblock_init. 9093 [RT #26397] 9094 90953189. [test] Added a summary report after system tests. [RT #25517] 9096 90973188. [bug] zone.c:zone_refreshkeys() could fail to detach 9098 references correctly when errors occurred, causing 9099 a hang on shutdown. [RT #26372] 9100 91013187. [port] win32: support for Visual Studio 2008. [RT #26356] 9102 9103 --- 9.9.0b1 released --- 9104 91053186. [bug] Version/db mismatch in rpz code. [RT #26180] 9106 91073185. 
[func] New 'rndc signing' option for auto-dnssec zones: 9108 - 'rndc signing -list' displays the current 9109 state of signing operations 9110 - 'rndc signing -clear' clears the signing state 9111 records for keys that have fully signed the zone 9112 - 'rndc signing -nsec3param' sets the NSEC3 9113 parameters for the zone 9114 The 'rndc keydone' syntax is removed. [RT #23729] 9115 91163184. [bug] named had excessive cpu usage when a redirect zone was 9117 configured. [RT #26013] 9118 91193183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301] 9120 91213182. [bug] Auth servers behind firewalls which block packets 9122 greater than 512 bytes may cause other servers to 9123 perform poorly. Now, adb retains edns information 9124 and caches noedns servers. [RT #23392/24964] 9125 91263181. [func] Inline-signing is now supported for master zones. 9127 [RT #26224] 9128 91293180. [func] Local copies of slave zones are now saved in raw 9130 format by default, to improve startup performance. 9131 'masterfile-format text;' can be used to override 9132 the default, if desired. [RT #25867] 9133 91343179. [port] kfreebsd: build issues. [RT #26273] 9135 91363178. [bug] A race condition introduced by change #3163 could 9137 cause an assertion failure on shutdown. [RT #26271] 9138 91393177. [func] 'rndc keydone', remove the indicator record that 9140 named has finished signing the zone with the 9141 corresponding key. [RT #26206] 9142 91433176. [doc] Corrected example code and added a README to the 9144 sample external DLZ module in contrib/dlz/example. 9145 [RT #26215] 9146 91473175. [bug] Fix how DNSSEC positive wildcard responses from a 9148 NSEC3 signed zone are validated. Stop sending a 9149 unnecessary NSEC3 record when generating such 9150 responses. [RT #26200] 9151 91523174. [bug] Always compute to revoked key tag from scratch. 9153 [RT #26186] 9154 91553173. [port] Correctly validate root DS responses. [RT #25726] 9156 91573172. 
[port] darwin 10.* and freebsd [89] are now built threaded by 9158 default. 9159 91603171. [bug] Exclusively lock the task when adding a zone using 9161 'rndc addzone'. [RT #25600] 9162 9163 --- 9.9.0a3 released --- 9164 91653170. [func] RPZ update: 9166 - fix precedence among competing rules 9167 - improve ARM text including documenting rule precedence 9168 - try to rewrite CNAME chains until first hit 9169 - new "rpz" logging channel 9170 - RDATA for CNAME rules can include wildcards 9171 - replace "NO-OP" named.conf policy override with 9172 "PASSTHRU" and add "DISABLED" override ("NO-OP" 9173 is still recognized) 9174 [RT #25172] 9175 91763169. [func] Catch db/version mis-matches when calling dns_db_*(). 9177 [RT #26017] 9178 91793168. [bug] Nxdomain redirection could trigger an assert with 9180 a ANY query. [RT #26017] 9181 91823167. [bug] Negative answers from forwarders were not being 9183 correctly tagged making them appear to not be cached. 9184 [RT #25380] 9185 91863166. [bug] Upgrading a zone to support inline-signing failed. 9187 [RT #26014] 9188 91893165. [bug] dnssec-signzone could generate new signatures when 9190 resigning, even when valid signatures were already 9191 present. [RT #26025] 9192 91933164. [func] Enable DLZ modules to retrieve client information, 9194 so that responses can be changed depending on the 9195 source address of the query. [RT #25768] 9196 91973163. [bug] Use finer-grained locking in client.c to address 9198 concurrency problems with large numbers of threads. 9199 [RT #26044] 9200 92013162. [test] start.pl: modified to allow for "named.args" in 9202 ns*/ subdirectory to override stock arguments to 9203 named. Largely from RT #26044, but no separate ticket. 9204 92053161. [bug] zone.c:del_sigs failed to always reset rdata leading 9206 assertion failures. [RT #25880] 9207 92083160. [bug] When printing out a NSEC3 record in multiline form 9209 the newline was not being printed causing type codes 9210 to be run together. 
[RT #25873] 9211 92123159. [bug] On some platforms, named could assert on startup 9213 when running in a chrooted environment without 9214 /proc. [RT #25863] 9215 92163158. [bug] Recursive servers would prefer a particular UDP 9217 socket instead of using all available sockets. 9218 [RT #26038] 9219 92203157. [tuning] Reduce the time spent in "rndc reconfig" by parsing 9221 the config file before pausing the server. [RT #21373] 9222 92233156. [placeholder] 9224 9225 --- 9.9.0a2 released --- 9226 92273155. [bug] Fixed a build failure when using contrib DLZ 9228 drivers (e.g., mysql, postgresql, etc). [RT #25710] 9229 92303154. [bug] Attempting to print an empty rdataset could trigger 9231 an assert. [RT #25452] 9232 92333153. [func] Extend request-ixfr to zone level and remove the 9234 side effect of forcing an AXFR. [RT #25156] 9235 92363152. [cleanup] Some versions of gcc and clang failed due to 9237 incorrect use of __builtin_expect. [RT #25183] 9238 92393151. [bug] Queries for type RRSIG or SIG could be handled 9240 incorrectly. [RT #21050] 9241 92423150. [func] Improved startup and reconfiguration time by 9243 enabling zones to load in multiple threads. [RT #25333] 9244 92453149. [placeholder] 9246 92473148. [bug] Processing of normal queries could be stalled when 9248 forwarding a UPDATE message. [RT #24711] 9249 92503147. [func] Initial inline signing support. [RT #23657] 9251 9252 --- 9.9.0a1 released --- 9253 92543146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598] 9255 92563145. [test] Capture output of ATF unit tests in "./atf.out" if 9257 there were any errors while running them. [RT #25527] 9258 92593144. [bug] dns_dbiterator_seek() could trigger an assert when 9260 used with a nonexistent database node. [RT #25358] 9261 92623143. [bug] Silence clang compiler warnings. [RT #25174] 9263 92643142. [bug] NAPTR is class agnostic. [RT #25429] 9265 92663141. [bug] Silence spurious "zone serial (0) unchanged" messages 9267 associated with empty zones. 
[RT #25079] 9268 92693140. [func] New command "rndc flushtree <name>" clears the 9270 specified name from the server cache along with 9271 all names under it. [RT #19970] 9272 92733139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321 9274 for the hashing algorithms (md5, sha1 - sha512, and 9275 their hmac counterparts). [RT #25067] 9276 92773138. [bug] Address memory leaks and out-of-order operations when 9278 shutting named down. [RT #25210] 9279 92803137. [func] Improve hardware scalability by allowing multiple 9281 worker threads to process incoming UDP packets. 9282 This can significantly increase query throughput 9283 on some systems. [RT #22992] 9284 92853136. [func] Add RFC 1918 reverse zones to the list of built-in 9286 empty zones switched on by the 'empty-zones-enable' 9287 option. [RT #24990] 9288 92893135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing. 9290 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307 9291 [RT #24950] 9292 92933134. [bug] Improve the accuracy of dnssec-signzone's signing 9294 statistics. [RT #16030] 9295 92963133. [bug] Change #3114 was incomplete. [RT #24577] 9297 92983132. [placeholder] 9299 93003131. [tuning] Improve scalability by allocating one zone task 9301 per 100 zones at startup time, rather than using a 9302 fixed-size task table. [RT #24406] 9303 93043130. [func] Support alternate methods for managing a dynamic 9305 zone's serial number. Two methods are currently 9306 defined using serial-update-method, "increment" 9307 (default) and "unixtime". [RT #23849] 9308 93093129. [bug] Named could crash on 'rndc reconfig' when 9310 allow-new-zones was set to yes and named ACLs 9311 were used. [RT #22739] 9312 93133128. [func] Inserting an NSEC3PARAM via dynamic update in an 9314 auto-dnssec zone that has not been signed yet 9315 will cause it to be signed with the specified NSEC3 9316 parameters when keys are activated. 
The 9317 NSEC3PARAM record will not appear in the zone until 9318 it is signed, but the parameters will be stored. 9319 [RT #23684] 9320 93213127. [bug] 'rndc thaw' will now remove a zone's journal file 9322 if the zone serial number has been changed and 9323 ixfr-from-differences is not in use. [RT #24687] 9324 93253126. [security] Using DNAME record to generate replacements caused 9326 RPZ to exit with a assertion failure. [RT #24766] 9327 93283125. [security] Using wildcard CNAME records as a replacement with 9329 RPZ caused named to exit with a assertion failure. 9330 [RT #24715] 9331 93323124. [bug] Use an rdataset attribute flag to indicate 9333 negative-cache records rather than using rrtype 0; 9334 this will prevent problems when that rrtype is 9335 used in actual DNS packets. [RT #24777] 9336 93373123. [security] Change #2912 exposed a latent flaw in 9338 dns_rdataset_totext() that could cause named to 9339 crash with an assertion failure. [RT #24777] 9340 93413122. [cleanup] dnssec-settime: corrected usage message. [RT #24664] 9342 93433121. [security] An authoritative name server sending a negative 9344 response containing a very large RRset could 9345 trigger an off-by-one error in the ncache code 9346 and crash named. [RT #24650] 9347 93483120. [bug] Named could fail to validate zones listed in a DLV 9349 that validated insecure without using DLV and had 9350 DS records in the parent zone. [RT #24631] 9351 93523119. [bug] When rolling to a new DNSSEC key, a private-type 9353 record could be created and never marked complete. 9354 [RT #23253] 9355 93563118. [bug] nsupdate could dump core on shutdown when using 9357 SIG(0) keys. [RT #24604] 9358 93593117. [cleanup] Remove doc and parser references to the 9360 never-implemented 'auto-dnssec create' option. 9361 [RT #24533] 9362 93633116. [func] New 'dnssec-update-mode' option controls updates 9364 of DNSSEC records in signed dynamic zones. 
Set to 9365 'no-resign' to disable automatic RRSIG regeneration 9366 while retaining the ability to sign new or changed 9367 data. [RT #24533] 9368 93693115. [bug] Named could fail to return requested data when 9370 following a CNAME that points into the same zone. 9371 [RT #24455] 9372 93733114. [bug] Retain expired RRSIGs in dynamic zones if key is 9374 inactive and there is no replacement key. [RT #23136] 9375 93763113. [doc] Document the relationship between serial-query-rate 9377 and NOTIFY messages. 9378 93793112. [doc] Add missing descriptions of the update policy name 9380 types "ms-self", "ms-subdomain", "krb5-self" and 9381 "krb5-subdomain", which allow machines to update 9382 their own records, to the BIND 9 ARM. 9383 93843111. [bug] Improved consistency checks for dnssec-enable and 9385 dnssec-validation, added test cases to the 9386 checkconf system test. [RT #24398] 9387 93883110. [bug] dnssec-signzone: Wrong error message could appear 9389 when attempting to sign with no KSK. [RT #24369] 9390 93913109. [func] The also-notify option now uses the same syntax 9392 as a zone's masters clause. This means it is 9393 now possible to specify a TSIG key to use when 9394 sending notifies to a given server, or to include 9395 an explicit named masters list in an also-notify 9396 statement. [RT #23508] 9397 93983108. [cleanup] dnssec-signzone: Clarified some error and 9399 warning messages; removed #ifdef ALLOW_KSKLESS_ZONES 9400 code (use -P instead). [RT #20852] 9401 94023107. [bug] dnssec-signzone: Report the correct number of ZSKs 9403 when using -x. [RT #20852] 9404 94053106. [func] When logging client requests, include the name of 9406 the TSIG key if any. [RT #23619] 9407 94083105. [bug] GOST support can be suppressed by "configure 9409 --without-gost" [RT #24367] 9410 94113104. [bug] Better support for cross-compiling. [RT #24367] 9412 94133103. 
[bug] Configuring 'dnssec-validation auto' in a view 9414 instead of in the options statement could trigger 9415 an assertion failure in named-checkconf. [RT #24382] 9416 94173102. [func] New 'dnssec-loadkeys-interval' option configures 9418 how often, in minutes, to check the key repository 9419 for updates when using automatic key maintenance. 9420 Default is every 60 minutes (formerly hard-coded 9421 to 12 hours). [RT #23744] 9422 94233101. [bug] Zones using automatic key maintenance could fail 9424 to check the key repository for updates. [RT #23744] 9425 94263100. [security] Certain response policy zone configurations could 9427 trigger an INSIST when receiving a query of type 9428 RRSIG. [RT #24280] 9429 94303099. [test] "dlz" system test now runs but gives R:SKIPPED if 9431 not compiled with --with-dlz-filesystem. [RT #24146] 9432 94333098. [bug] DLZ zones were answering without setting the AA bit. 9434 [RT #24146] 9435 94363097. [test] Add a tool to test handling of malformed packets. 9437 [RT #24096] 9438 94393096. [bug] Set KRB5_KTNAME before calling log_cred() in 9440 dst_gssapi_acceptctx(). [RT #24004] 9441 94423095. [bug] Handle isolated reserved ports in the port range. 9443 [RT #23957] 9444 94453094. [doc] Expand dns64 documentation. 9446 94473093. [bug] Fix gssapi/kerberos dependencies [RT #23836] 9448 94493092. [bug] Signatures for records at the zone apex could go 9450 stale due to an incorrect timer setting. [RT #23769] 9451 94523091. [bug] Fixed a bug in which zone keys that were published 9453 and then subsequently activated could fail to trigger 9454 automatic signing. [RT #22911] 9455 94563090. [func] Make --with-gssapi default [RT #23738] 9457 94583089. [func] dnssec-dsfromkey now supports reading keys from 9459 standard input "dnssec-dsfromkey -f -". [RT #20662] 9460 94613088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf 9462 and add setup.sh in order to resolve changing 9463 named.conf issue. [RT #23687] 9464 94653087. 
[bug] DDNS updates using SIG(0) with update-policy match 9466 type "external" could cause a crash. [RT #23735] 9467 94683086. [bug] Running dnssec-settime -f on an old-style key will 9469 now force an update to the new key format even if no 9470 other change has been specified, using "-P now -A now" 9471 as default values. [RT #22474] 9472 94733085. [func] New '-R' option in dnssec-signzone forces removal 9474 of signatures which have not yet expired but 9475 were generated by a key that no longer exists. 9476 [RT #22471] 9477 94783084. [func] A new command "rndc sync" dumps pending changes in 9479 a dynamic zone to disk; "rndc sync -clean" also 9480 removes the journal file after syncing. Also, 9481 "rndc freeze" no longer removes journal files. 9482 [RT #22473] 9483 94843083. [bug] NOTIFY messages were not being sent when generating 9485 a NSEC3 chain incrementally. [RT #23702] 9486 94873082. [port] strtok_r is threads only. [RT #23747] 9488 94893081. [bug] Failure of DNAME substitution did not return 9490 YXDOMAIN. [RT #23591] 9491 94923080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS. 9493 [RT #23587] 9494 94953079. [bug] Handle isc_event_allocate failures in t_tasks. 9496 [RT #23572] 9497 94983078. [func] Added a new include file with function typedefs 9499 for the DLZ "dlopen" driver. [RT #23629] 9500 95013077. [bug] zone.c:zone_refreshkeys() incorrectly called 9502 dns_zone_attach(), use zone->irefs instead. [RT #23303] 9503 95043076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and 9505 dnssec-keyfromlabel sets the default TTL of the 9506 key. When possible, automatic signing will use that 9507 TTL when the key is published. [RT #23304] 9508 95093075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent 9510 timestamp when determining which keys are active. 9511 [RT #23642] 9512 95133074. [bug] Make the adb cache read through for zone data and 9514 glue learn for zone named is authoritative for. 9515 [RT #22842] 9516 95173073. 
[bug] managed-keys changes were not properly being recorded.
      [RT #20256]

3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
      [RT #20256]

3071. [bug] has_nsec could be used uninitialized in
      update.c:next_active. [RT #20256]

3070. [bug] dnssec-signzone potential NULL pointer dereference.
      [RT #20256]

3069. [cleanup] Silence warning messages from clang static analysis.
      [RT #20256]

3068. [bug] Named failed to build with an OpenSSL without engine
      support. [RT #23473]

3067. [bug] ixfr-from-differences {master|slave}; failed to
      select the master/slave zones. [RT #23580]

3066. [func] The DLZ "dlopen" driver is now built by default,
      no longer requiring a configure option. To
      disable it, use "configure --without-dlopen".
      Driver also supported on win32. [RT #23467]

3065. [bug] RRSIG could have time stamps too far in the future.
      [RT #23356]

3064. [bug] powerpc: add sync instructions to the end of atomic
      operations. [RT #23469]

3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]

3062. [func] Made several changes to enhance human readability
      of DNSSEC data in dig output and in generated
      zone files:
      - DNSKEY record comments are more verbose, no
        longer used in multiline mode only
      - multiline RRSIG records reformatted
      - multiline output mode for NSEC3PARAM records
      - "dig +norrcomments" suppresses DNSKEY comments
      - "dig +split=X" breaks hex/base64 records into
        fields of width X; "dig +nosplit" disables this.
      [RT #22820]

3061. [func] New option "dnssec-signzone -D", only write out
      generated DNSSEC records. [RT #22896]

3060. [func] New option "dnssec-signzone -X <date>" allows
      specification of a separate expiration date
      for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

3059. [test] Added a regression test for change #3023.

3058. [bug] Cause named to terminate at startup or rndc reconfig/
      reload to fail, if a log file specified in the conf
      file isn't a plain file. [RT #22771]

3057. [bug] "rndc secroots" would abort after the first error
      and so could miss some views. [RT #23488]

3056. [func] Added support for URI resource record. [RT #23386]

3055. [placeholder]

3054. [bug] Added elliptic curve support check in
      GOST OpenSSL engine detection. [RT #23485]

3053. [bug] Under a sustained high query load with a finite
      max-cache-size, it was possible for cache memory
      to be exhausted and not recovered. [RT #23371]

3052. [test] Fixed last autosign test report. [RT #23256]

3051. [bug] NS records obscure DNAME records at the bottom of the
      zone if both are present. [RT #23035]

3050. [bug] The autosign system test was timing dependent.
      Wait for the initial autosigning to complete
      before running the rest of the test. [RT #23035]

3049. [bug] Save and restore the gid when creating
      named.pid at startup. [RT #23290]

3048. [bug] Fully separate view key management. [RT #23419]

3047. [bug] DNSKEY NODATA responses not cached fixed in
      validator.c. Tests added to dnssec system test.
      [RT #22908]

3046. [bug] Use RRSIG original TTL to compute validated RRset
      and RRSIG TTL. [RT #23332]

3045. [removed] Replaced by change #3050.

3044. [bug] Hold the socket manager lock while freeing the socket.
      [RT #23333]

3043. [test] Merged in the NetBSD ATF test framework (currently
      version 0.12) for development of future unit tests.
      Use configure --with-atf to build ATF internally
      or configure --with-atf=prefix to use an external
      copy. [RT #23209]

3042. [bug] dig +trace could fail attempting to use IPv6
      addresses on systems with only IPv4 connectivity.
      [RT #23297]

3041. [bug] dnssec-signzone failed to generate new signatures on
      ttl changes. [RT #23330]

3040. [bug] Named failed to validate insecure zones where a node
      with a CNAME existed between the trust anchor and the
      top of the zone. [RT #23338]

3039. [func] Redirect on NXDOMAIN support. [RT #23146]

3038. [bug] Install <dns/rpz.h>. [RT #23342]

3037. [doc] Update COPYRIGHT to contain all the individual
      copyright notices that cover various parts.

3036. [bug] Check built-in zone arguments to see if the zone
      is re-usable or not. [RT #21914]

3035. [cleanup] Simplify by using strlcpy. [RT #22521]

3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]

3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
      [RT #22521]

3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]

3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
      [RT #22521]

3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
      [RT #22521]

3029. [bug] isc_netaddr_format() handle a zero sized buffer.
      [RT #22521]

3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
      [RT #22521]

3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
      catch NULL pointer dereferences before they happen.
      [RT #22521]

3026. [bug] lib/isc/httpd.c: check that we have enough space
      after calling grow_headerspace() and if not
      re-call grow_headerspace() until we do. [RT #22521]

3025. [bug] Fixed a possible deadlock due to zone resigning.
      [RT #22964]

3024. [func] RTT Banding removed due to minor security increase
      but major impact on resolver latency. [RT #23310]

3023. [bug] Named could be left in an inconsistent state when
      receiving multiple AXFR response messages that were
      not all TSIG-signed. [RT #23254]

3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
      [RT #23246]

3021. [bug] Change #3010 was incomplete. [RT #22296]

3020. [bug] auto-dnssec failed to correctly update the zone when
      changing the DNSKEY RRset. [RT #23232]

3019. [test] Test: check apex NSEC3 records after adding DNSKEY
      record via UPDATE. [RT #23229]

3018. [bug] Named failed to check for the "none;" acl when deciding
      if a zone may need to be re-signed. [RT #23120]

3017. [doc] dnssec-keyfromlabel -I was not properly documented.
      [RT #22887]

3016. [bug] rndc usage missing '-b'. [RT #22937]

3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
      IN6_IS_ADDR_SITELOCAL macros. [RT #22724]

3014. [placeholder]

3013. [bug] The DNS64 ttl was not always being set as expected.
      [RT #23034]

3012. [bug] Remove DNSKEY TTL change pairs before generating
      signing records for any remaining DNSKEY changes.
      [RT #22590]

3011. [func] Change the default query timeout from 30 seconds
      to 10. Allow setting this in named.conf using the new
      'resolver-query-timeout' option, which specifies a max
      time in seconds. 0 means 'default' and anything longer
      than 30 will be silently set to 30. [RT #22852]

3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
      for refreshing managed-keys. [RT #22296]

3009. [bug] clients-per-query code didn't work as expected with
      particular query patterns. [RT #22972]

      --- 9.8.0b1 released ---

3008. [func] Response policy zones (RPZ) support. [RT #21726]

3007. [bug] Named failed to preserve the case of domain names in
      rdata which is not compressible when writing master
      files. [RT #22863]

3006. [func] Allow dynamically generated TSIG keys to be preserved
      across restarts of named. Initially this is for
      TSIG keys generated using GSSAPI. [RT #22639]

3005. [port] Solaris: Work around the lack of
      gsskrb5_register_acceptor_identity() by setting
      the KRB5_KTNAME environment variable to the
      contents of tkey-gssapi-keytab. Also fixed
      test errors on MacOSX. [RT #22853]

3004. [func] DNS64 reverse support. [RT #22769]

3003. [experimental] Added update-policy match type "external",
      enabling named to defer the decision of whether to
      allow a dynamic update to an external daemon.
      (Contributed by Andrew Tridgell.) [RT #22758]

3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
      [RT #22766]

3001. [func] Added a default trust anchor for the root zone, which
      can be switched on by setting "dnssec-validation auto;"
      in the named.conf options. [RT #21727]

3000. [bug] More TKEY/GSS fixes:
      - nsupdate can now get the default realm from
        the user's Kerberos principal
      - corrected gsstest compilation flags
      - improved documentation
      - fixed some NULL dereferences
      [RT #22795]

2999. [func] Add GOST support (RFC 5933). [RT #20639]

2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
      to the task api. [RT #22776]

2997. [func] named -V now reports the OpenSSL and libxml2 versions
      it was compiled against. [RT #22687]

2996. [security] Temporarily disable SO_ACCEPTFILTER support.
      [RT #22589]

2995. [bug] The Kerberos realm was not being correctly extracted
      from the signer's identity. [RT #22770]

2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
      do not use threads on earlier versions. Also kill
      the unproven-pthreads, mit-pthreads, and ptl2 support.

2993. [func] Dynamically grow adb hash tables. [RT #21186]

2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
      for looking at a secure delegation. [RT #22059]

2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
      dynamic zones. [RT #22365]

2990. [bug] 'dnssec-settime -S' no longer tests prepublication
      interval validity when the interval is set to 0.
      [RT #22761]

2989. [func] Added support for writable DLZ zones. (Contributed
      by Andrew Tridgell of the Samba project.) [RT #22629]

2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
      of external DLZ drivers that can be loaded as
      shared objects at runtime rather than linked with
      named. Currently this is switched on via a
      compile-time option, "configure --with-dlz-dlopen".
      Note: the syntax for configuring DLZ zones
      is likely to be refined in future releases.
      (Contributed by Andrew Tridgell of the Samba
      project.) [RT #22629]

2987. [func] Improve ease of configuring TKEY/GSS updates by
      adding a "tkey-gssapi-keytab" option. If set,
      updates will be allowed with any key matching
      a principal in the specified keytab file.
      "tkey-gssapi-credential" is no longer required
      and is expected to be deprecated. (Contributed
      by Andrew Tridgell of the Samba project.)
      [RT #22629]

2986. [func] Add new zone type "static-stub". It's like a stub
      zone, but the nameserver names and/or their IP
      addresses are statically configured. [RT #21474]

2985. [bug] Add a regression test for change #2896. [RT #21324]

2984. [bug] Don't run MX checks when the target of the MX record
      is ".". [RT #22645]

2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]

      --- 9.8.0a1 released ---

2982. [bug] Reference count dst keys. dst_key_attach() can be used
      to increment the reference count.

      Note: dns_tsigkey_createfromkey() callers should now
      always call dst_key_free() rather than setting it
      to NULL on success. [RT #22672]

2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]

2980. [bug] named didn't properly handle UPDATES that changed the
      TTL of the NSEC3PARAM RRset. [RT #22363]

2979. [bug] named could deadlock during shutdown if two
      "rndc stop" commands were issued at the same
      time. [RT #22108]

2978. [port] hpux: look for <devpoll.h> [RT #21919]

2977. [bug] 'nsupdate -l' report if the session key is missing.
      [RT #21670]

2976. [bug] named could die on exit after negotiating a GSS-TSIG
      key. [RT #22573]

2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
      wrong lock which could lead to server deadlock.
      [RT #22614]

2974. [bug] Some valid UPDATE requests could fail due to a
      consistency check examining the existing version
      of the zone rather than the new version resulting
      from the UPDATE. [RT #22413]

2973. [bug] bind.keys.h was being removed by the "make clean"
      at the end of configure resulting in build failures
      where there is a very old version of perl installed.
      Move it to "make maintainer-clean". [RT #22230]

2972. [bug] win32: address windows socket errors. [RT #21906]

2971. [bug] Fixed a bug that caused journal files not to be
      compacted on Windows systems as a result of
      non-POSIX-compliant rename() semantics. [RT #22434]

2970. [security] Adding a NO DATA negative cache entry failed to clear
      any matching RRSIG records. A subsequent lookup
      of the NO DATA cache entry could trigger an INSIST when the
      unexpected RRSIG was also returned with the NO DATA
      cache entry.

      CVE-2010-3613, VU#706148. [RT #22288]

2969. [security] Fix acl type processing so that allow-query works
      in options and view statements. Also add a new
      set of tests to verify proper functioning.

      CVE-2010-3615, VU#510208. [RT #22418]

2968. [security] Named could fail to prove a data set was insecure
      before marking it as insecure. One set of conditions
      that can trigger this occurs naturally when rolling
      DNSKEY algorithms.

      CVE-2010-3614, VU#837744. [RT #22309]

2967. [bug] 'host -D' now turns on debugging messages earlier.
      [RT #22361]

2966. [bug] isc_print_vsnprintf() failed to check if there was
      space available in the buffer when adding a left
      justified character with a non zero width,
      (e.g. "%-1c"). [RT #22270]

2965. [func] Test HMAC functions using test data from RFC 2104 and
      RFC 4634. [RT #21702]

2964. [placeholder]

2963. [security] The allow-query acl was being applied instead of the
      allow-query-cache acl to cache lookups. [RT #22114]

2962. [port] win32: add more dependencies to BINDBuild.dsw.
      [RT #22062]

2961. [bug] Be still more selective about the non-authoritative
      answers we apply change 2748 to. [RT #22074]

2960. [func] Check that named accepts non-authoritative answers.
      [RT #21594]

2959. [func] Check that named starts with a missing masterfile.
      [RT #22076]

2958. [bug] named failed to start with a missing master file.
      [RT #22076]

2957. [bug] entropy_get() and entropy_getpseudo() failed to match
      the API for RAND_bytes() and RAND_pseudo_bytes()
      respectively. [RT #21962]

2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]

2955. [func] Provide more detail in the recursing log. [RT #22043]

2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
      build_sqldbinstance failure. [RT #21623]

2953. [bug] Silence spurious "expected covering NSEC3, got an
      exact match" message when returning a wildcard
      no data response. [RT #21744]

2952. [port] win32: named-checkzone and named-checkconf failed
      to initialize winsock. [RT #21932]

2951. [bug] named failed to generate a correct signed response
      in an optout, delegation only zone with no secure
      delegations. [RT #22007]

2950. [bug] named failed to perform a SOA up to date check when
      falling back to TCP on UDP timeouts when
      ixfr-from-differences was set. [RT #21595]

2949. [bug] dns_view_setnewzones() contained a memory leak if
      it was called multiple times. [RT #21942]

2948. [port] MacOS: provide a mechanism to configure the test
      interfaces at reboot. See bin/tests/system/README
      for details.

2947. [placeholder]

2946. [doc] Document the default values for the minimum and maximum
      zone refresh and retry values in the ARM. [RT #21886]

2945. [doc] Update empty-zones list in ARM. [RT #21772]

2944. [maint] Remove ORCHID prefix from built in empty zones.
      [RT #21772]

2943. [func] Add support to load new keys into managed zones
      without signing immediately with "rndc loadkeys".
      Add support to link keys with "dnssec-keygen -S"
      and "dnssec-settime -S". [RT #21351]

2942. [contrib] zone2sqlite failed to setup the entropy sources.
      [RT #21610]

2941. [bug] sdb and sdlz (dlz's zone database) failed to support
      DNAME at the zone apex. [RT #21610]

2940. [port] Remove connection aborted error message on
      Windows. [RT #21549]

2939. [func] Check that named successfully skips NSEC3 records
      that fail to match the NSEC3PARAM record currently
      in use. [RT #21868]

2938. [bug] When generating signed responses, from a signed zone
      that uses NSEC3, named would use an uninitialized
      pointer if it needed to skip an NSEC3 record because
      it didn't match the selected NSEC3PARAM record for
      zone. [RT #21868]

2937. [bug] Worked around an apparent race condition in over
      memory conditions. Without this fix a DNS cache DB or
      ADB could incorrectly stay in an over memory state,
      effectively refusing further caching, which
      subsequently made a BIND 9 caching server unworkable.
      This fix prevents this problem from happening by
      polling the state of the memory context, rather than
      making a copy of the state, which appeared to cause
      a race. This is a "workaround" in that it doesn't
      solve the possible race per se, but several experiments
      proved this change solves the symptom. Also, the
      polling overhead hasn't been reported to be an issue.
      This bug should only affect a caching server that
      specifies a finite max-cache-size. It's also quite
      likely that the bug happens only when enabling threads,
      but it's not confirmed yet. [RT #21818]

2936. [func] Improved configuration syntax and multiple-view
      support for addzone/delzone feature (see change
      #2930). Removed "new-zone-file" option, replaced
      with "allow-new-zones (yes|no)". The new-zone-file
      for each view is now created automatically, with
      a filename generated from a hash of the view name.
      It is no longer necessary to "include" the
      new-zone-file in named.conf; this happens
      automatically. Zones that were not added via
      "rndc addzone" can no longer be removed with
      "rndc delzone". [RT #19447]

2935. [bug] nsupdate: improve 'file not found' error message.
      [RT #21871]

2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
      [RT #21871]

2933. [bug] 'dig +nsid' used stack memory after it went out of
      scope. This could potentially result in an unknown,
      potentially malformed, EDNS option being sent instead
      of the desired NSID option. [RT #21781]

2932. [cleanup] Corrected a numbering error in the "dnssec" test.
      [RT #21597]

2931. [bug] Temporarily and partially disable change 2864
      because it would cause infinite attempts of RRSIG
      queries. This is an urgent care fix; we'll
      revisit the issue and complete the fix later.
      [RT #21710]

2930. [experimental] New "rndc addzone" and "rndc delzone" commands
      allow dynamic addition and deletion of zones.
      To enable this feature, specify a "new-zone-file"
      option at the view or options level in named.conf.
      Zone configuration information for the new zones
      will be written into that file. To make the new
      zones persist after a restart, "include" the file
      into named.conf in the appropriate view. (Note:
      This feature is not yet documented, and its syntax
      is expected to change.) [RT #19447]

2929. [bug] Improved handling of GSS security contexts:
      - added LRU expiration for generated TSIGs
      - added the ability to use a non-default realm
      - added new "realm" keyword in nsupdate
      - limited lifetime of generated keys to 1 hour
        or the lifetime of the context (whichever is
        smaller)
      [RT #19737]

2928. [bug] Be more selective about the non-authoritative
      answer we apply change 2748 to. [RT #21594]

2927. [placeholder]

2926. [placeholder]

2925. [bug] Named failed to accept uncachable negative responses
      from insecure zones. [RT #21555]

2924. [func] 'rndc secroots' dump a combined summary of the
      current managed keys combined with trusted keys.
      [RT #20904]

2923. [bug] 'dig +trace' could drop core after "connection
      timeout". [RT #21514]

2922. [contrib] Update zkt to version 1.0.

2921. [bug] The resolver could attempt to destroy a fetch context
      too soon. [RT #19878]

2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
      to IPv4 clients. New acl 'filter-aaaa' (default any).

2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
      [RT #20840]

2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.

2917. [func] Virtual time test framework. [RT #20801]

2916. [func] Add framework to use IPv6 in tests.
      fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915. [cleanup] Be smarter about which objects we attempt to compile
      based on configure options. [RT #21444]

2914. [bug] Make the "autosign" system test more portable.
      [RT #20997]

2913. [func] Add pkcs#11 system tests. [RT #20784]

2912. [func] Windows clients don't like UPDATE responses that clear
      the zone section. [RT #20986]

2911. [bug] dnssec-signzone didn't handle out of zone records well.
      [RT #21367]

2910. [func] Sanity check Kerberos credentials. [RT #20986]

2909. [bug] named-checkconf -p could die if "update-policy local;"
      was specified in named.conf. [RT #21416]

2908. [bug] It was possible for re-signing to stop after removing
      a DNSKEY. [RT #21384]

2907. [bug] The export version of libdns had undefined references.
      [RT #21444]

2906. [bug] Address RFC 5011 implementation issues. [RT #20903]

2905. [port] aix: set use_atomic=yes with native compiler.
      [RT #21402]

2904. [bug] When using DLV, sub-zones of the zones in the DLV,
      could be incorrectly marked as insecure instead of
      secure leading to negative proofs failing. This was
      an unintended outcome from change 2890. [RT #21392]

2903. [bug] managed-keys-directory missing from namedconf.c.
      [RT #21370]

2902. [func] Add regression test for change 2897. [RT #21040]

2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900. [bug] The placeholder negative caching element was not
      properly constructed triggering an INSIST in
      dns_ncache_towire(). [RT #21346]

2899. [port] win32: Support linking against OpenSSL 1.0.0.

2898. [bug] nslookup leaked memory when -domain=value was
      specified. [RT #21301]

2897. [bug] NSEC3 chains could be left behind when transitioning
      to insecure. [RT #21040]

2896. [bug] "rndc sign" failed to properly update the zone
      when adding a DNSKEY for publication only. [RT #21045]

2895. [func] genrandom: add support for the generation of multiple
      files. [RT #20917]

2894. [contrib] DLZ LDAP support now uses '$' not '%'. [RT #21294]

2893. [bug] Improve managed keys support. New named.conf option
      managed-keys-directory. [RT #20924]

2892. [bug] Handle REVOKED keys better. [RT #20961]

2891. [maint] Update empty-zones list to match
      draft-ietf-dnsop-default-local-zones-13. [RT #21099]

2890. [bug] Handle the introduction of new trusted-keys and
      DS, DLV RRsets better. [RT #21097]

2889. [bug] Elements of the grammar were not properly reported.
      [RT #21046]

2888. [bug] Only the first EDNS option was displayed. [RT #21273]

2887. [bug] Report the keytag times in UTC in the .key file,
      local time is presented as a comment within the
      comment. [RT #21223]

2886. [bug] ctime() is not thread safe. [RT #21223]

2885. [bug] Improve -fno-strict-aliasing support probing in
      configure. [RT #21080]

2884. [bug] Insufficient validation in dns_name_getlabelsequence().
      [RT #21283]

2883. [bug] 'dig +short' failed to handle really large datasets.
      [RT #21113]

2882. [bug] Remove memory context from list of active contexts
      before clearing 'magic'. [RT #21274]

2881. [bug] Reduce the amount of time the rbtdb write lock
      is held when closing a version. [RT #21198]

2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
      consistent. [RT #21078]

2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
      [RT #21106]

2878. [func] Incrementally write the master file after performing
      an AXFR. [RT #21010]

2877. [bug] The validator failed to skip obviously mismatching
      RRSIGs. [RT #21138]

2876. [bug] Named could return SERVFAIL for negative responses
      from unsigned zones. [RT #21131]

2875. [bug] dns_time64_fromtext() could accept non digits.
      [RT #21033]

2874. [bug] Cache lack of EDNS support only after the server
      successfully responds to the query using plain DNS.
      [RT #20930]

2873. [bug] Canceling a dynamic update via the dns/client module
      could trigger an assertion failure. [RT #21133]

2872. [bug] Modify dns/client.c:dns_client_createx() to only
      require one of IPv4 or IPv6 rather than both.
      [RT #21122]

2871. [bug] Type mismatch in mem_api.c between the definition and
      the header file, causing build failure with
      --enable-exportlib. [RT #21138]

2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.

2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
      [RT #20877]

2868. [cleanup] Run "make clean" at the end of configure to ensure
      any changes made by configure are integrated.
      Use --with-make-clean=no to disable. [RT #20994]

2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
      don't like it. [RT #20986]

2866. [bug] Windows does not like the TSIG name being compressed.
      [RT #20986]

2865. [bug] memset to zero event.data. [RT #20986]

2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
      [RT #21050]

2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
      [RT #21056]

2862. [bug] nsupdate didn't default to the parent zone when
      updating DS records. [RT #20896]

2861. [doc] dnssec-settime man pages didn't correctly document the
      inactivation time. [RT #21039]

2860. [bug] named-checkconf's usage was out of date. [RT #21039]

2859. [bug] When canceling validation it was possible to leak
      memory. [RT #20800]

2858. [bug] RTT estimates were not being adjusted on ICMP errors.
      [RT #20772]

2857. [bug] named-checkconf did not fail on a bad trusted key.
      [RT #20705]

2856. [bug] The size of a memory allocation was not always properly
      recorded. [RT #20927]

2855. [func] nsupdate will now preserve the entered case of domain
      names in update requests it sends. [RT #20928]

2854. [func] dig: allow the final soa record in an axfr response to
      be suppressed, dig +onesoa. [RT #20929]

2853. [bug] add_sigs() could run out of scratch space. [RT #21015]

2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]

2851. [doc] nslookup.1, removed <informalexample> from the docbook
      source as it produced bad nroff. [RT #21007]

2850. [bug] If isc_heap_insert() failed due to memory shortage
      the heap would have corrupted entries. [RT #20951]

2849. [bug] Don't treat errors from the xml2 library as fatal.
      [RT #20945]

2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
      README.rfc5011 into the ARM. [RT #20899]

2847. [cleanup] Corrected usage message in dnssec-settime.
      [RT #20921]

2846. [bug] EOF on unix domain sockets was not being handled
      correctly. [RT #20731]

2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]

2844. [doc] notify-delay default in ARM was wrong. It should have
      been five (5) seconds.

2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
      creating key files if there is a chance that the new
      key ID will collide with an existing one after
      either of the keys has been revoked. (To override
      this in the case of dnssec-keyfromlabel, use the -y
      option. dnssec-keygen will simply create a
      different, non-colliding key, so an override is
      not necessary.) [RT #20838]

2842. [func] Added "smartsign" and improved "autosign" and
      "dnssec" regression tests. [RT #20865]

2841. [bug] Change 2836 was not complete. [RT #20883]

2840. [bug] Temporarily fixed pkcs11-destroy usage check.
      [RT #20760]

2839. [bug] A KSK revoked by named could not be deleted.
      [RT #20881]

2838. [placeholder]

2837. [port] Prevent Linux spurious warnings about fwrite().
      [RT #20812]

2836. [bug] Keys that were scheduled to become active could
      be delayed. [RT #20874]

2835. [bug] Key inactivity dates were inadvertently stored in
      the private key file with the outdated tag
      "Unpublish" rather than "Inactive". This has been
      fixed; however, any existing keys that had Inactive
      dates set will now need to have them reset, using
      'dnssec-settime -I'. [RT #20868]

2834. [bug] HMAC-SHA* keys that were longer than the algorithm
      digest length were used incorrectly, leading to
      interoperability problems with other DNS
      implementations. This has been corrected.
      (Note: If an oversize key is in use, and
      compatibility is needed with an older release of
      BIND, the new tool "isc-hmac-fixup" can convert
      the key secret to a form that will work with all
      versions.) [RT #20751]

2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
      [RT #20851]

2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
      to avoid redefinition in some OSs [RT 20831]

2831. [security] Do not attempt to validate or cache
      out-of-bailiwick data returned with a secure
      answer; it must be re-fetched from its original
      source and validated in that context. [RT #20819]

2830. [bug] Changing the OPTOUT setting could take multiple
      passes. [RT #20813]

2829. [bug] Fixed potential node inconsistency in rbtdb.c.
      [RT #20808]

2828. [security] Cached CNAME or DNAME RR could be returned to clients
      without DNSSEC validation. [RT #20737]

2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
      being released. [RT #20740]

2825. [bug] Changing the setting of OPTOUT in an NSEC3 chain that
      was in the process of being created was not properly
      recorded in the zone. [RT #20786]

2824. [bug] "rndc sign" was not being run by the correct task.
      [RT #20759]

2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822. [bug] rbtdb.c:loadnode() could return the wrong result.
      [RT #20802]

2821. [doc] Add note that named-checkconf doesn't automatically
      read rndc.key and bind.keys [RT #20758]

2820. [func] Handle read access failure of OpenSSL configuration
      file more user friendly (PKCS#11 engine patch).
      [RT #20668]

2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
      [RT #20771]

2818. [cleanup] rndc could return an incorrect error code
      when a zone was not found. [RT #20767]

2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
      [RT #20768]

2816. [bug] previous_closest_nsec() could fail to return
      data for NSEC3 nodes [RT #29730]

2815. [bug] Exclusively lock the task when freezing a zone.
      [RT #19838]

2814. [func] Provide a definitive error message when a master
      zone is not loaded. [RT #20757]

2813. [bug] Better handling of unreadable DNSSEC key files.
      [RT #20710]

2812. [bug] Make sure updates can't result in a zone with
      NSEC-only keys and NSEC3 records. [RT #20748]

2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
      output. [RT #20733]

2810. [doc] Clarified the process of transitioning an NSEC3 zone
      to insecure. [RT #20746]

2809. [cleanup] Restored accidentally-deleted text in usage output
      in dnssec-settime and dnssec-revoke [RT #20739]

2808. [bug] Remove the attempt to install atomic.h from lib/isc.
      atomic.h is correctly installed by the architecture
      specific subdirectories. [RT #20722]

2807. [bug] Fixed a possible ASSERT when reconfiguring zone
      keys. [RT #20720]

      --- 9.7.0rc1 released ---

2806. [bug] "rndc sign" could delay re-signing the DNSKEY
      when it had changed. [RT #20703]

2805. [bug] Fixed namespace problems encountered when building
      external programs using non-exported BIND9 libraries
      (i.e., built without --enable-exportlib). [RT #20679]

2804. [bug] Send notifies when a zone is signed with "rndc sign"
      or as a result of a scheduled key change. [RT #20700]

2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
      and genrandom under windows. [RT #20670]

2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]

2801. [func] Detect and report records that are different according
      to DNSSEC but are semantically equal according to plain
      DNS. Apply plain DNS comparisons rather than DNSSEC
      comparisons when processing UPDATE requests.
      dnssec-signzone now removes such semantically duplicate
      records prior to signing the RRset.

      named-checkzone -r {ignore|warn|fail} (default warn)
      named-compilezone -r {ignore|warn|fail} (default warn)

      named.conf: check-dup-records {ignore|warn|fail};

2800. [func] Reject zones which have NS records which refer to
      CNAMEs, DNAMEs or don't have an address record (class IN
      only). Reject UPDATEs which would cause the zone
      to fail the above checks if committed. [RT #20678]

2799. [cleanup] Changed the "secure-to-insecure" option to
      "dnssec-secure-to-insecure", and "dnskey-ksk-only"
      to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798. [bug] Addressed bugs in managed-keys initialization
      and rollover. [RT #20683]

2797. [bug] Don't decrement the dispatch manager's maxbuffers.
      [RT #20613]

2796. [bug] Missing dns_rdataset_disassociate() call in
      dns_nsec3_delnsec3sx(). [RT #20681]

2795. [cleanup] Add text to differentiate "update with no effect"
      log messages. [RT #18889]

2794. [bug] Install <isc/namespace.h>. [RT #20677]

2793. [func] Add "autosign" and "metadata" tests to the
      automatic tests. [RT #19946]

2792. [func] "filter-aaaa-on-v4" can now be set in view
      options (if compiled in). [RT #20635]

2791. [bug] The installation of isc-config.sh was broken.
      [RT #20667]

2790. [bug] Handle DS queries to stub zones. [RT #20440]

2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]

2788. [bug] dnssec-signzone could sign with keys that were
      not requested [RT #20625]

2787. [bug] Spurious log message when zone keys were
      dynamically reconfigured. [RT #20659]

2786. [bug] Additional could be promoted to answer. [RT #20663]

      --- 9.7.0b3 released ---

2785. [bug] Revoked keys could fail to self-sign [RT #20652]

2784. [bug] TC was not always being set when required glue was
      dropped. [RT #20655]

2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
      buffer size of 512 or less. [RT #20654]

2782. [port] win32: use getaddrinfo() for hostname lookups.
      [RT #20650]

2781. [bug] Inactive keys could be used for signing. [RT #20649]

2780. [bug] dnssec-keygen -A none didn't properly unset the
      activation date in all cases. [RT #20648]

2779. [bug] Dynamic key revocation could fail. [RT #20644]

2778. [bug] dnssec-signzone could fail when a key was revoked
      without deleting the unrevoked version. [RT #20638]

2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.

2776. [bug] Change #2762 was not correct. [RT #20647]

2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
      in dnssec-keyfromlabel. [RT #20643]

2774. [bug] Existing cache DB wasn't being reused after
      reconfiguration. [RT #20629]

2773. [bug] In autosigned zones, the SOA could be signed
      with the KSK. [RT #20628]

2772. [security] When validating, track whether pending data was from
      the additional section or not and only return it if
      validates as secure. [RT #20438]

2771. [bug] dnssec-signzone: DNSKEY records could be
      corrupted when importing from key files [RT #20624]

2770. [cleanup] Add log messages to resolver.c to indicate events
      causing FORMERR responses. [RT #20526]

2769. [cleanup] Change #2742 was incomplete. [RT #19589]

2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]

2767. [bug] named could crash on startup if a zone was
      configured with auto-dnssec and there was no
      key-directory. [RT #20615]

2766. [bug] isc_socket_fdwatchpoke() should only update the
      socketmgr state if the socket is not pending on a
      read or write. [RT #20603]

2765. [bug] Skip masters for which the TSIG key cannot be found.
      [RT #20595]

2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]

2762. [bug] DLV validation failed with a local slave DLV zone.
      [RT #20577]

2761. [cleanup] Enable internal symbol table for backtrace only for
      systems that are known to work. Currently, BSD
      variants, Linux and Solaris are supported. [RT #20202]

2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]

2759. [doc] Add information about .jbk/.jnw files to
      the ARM. [RT #20303]

2758. [bug] win32: Added a workaround for a windows 2008 bug
      that could cause the UDP client handler to shut
      down. [RT #19176]

2757. [bug] dig: assertion failure could occur in connect
      timeout. [RT #20599]

2756. [bug] Fixed corrupt logfile message in update.c. [RT #20597]

2755. [placeholder]

2754. [bug] Secure-to-insecure transitions failed when zone
      was signed with NSEC3. [RT #20587]

2753. [bug] Removed an unnecessary warning that could appear when
      building an NSEC chain. [RT #20589]

2752. [bug] Locking violation. [RT #20587]

2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2750. [bug] dig: assertion failure could occur when a server
      didn't have an address. [RT #20579]

2749.
[bug] ixfr-from-differences generated a non-minimal ixfr 10608 for NSEC3 signed zones. [RT #20452] 10609 106102748. [func] Identify bad answers from GTLD servers and treat them 10611 as referrals. [RT #18884] 10612 106132747. [bug] Journal roll forwards failed to set the re-signing 10614 time of RRSIGs correctly. [RT #20541] 10615 106162746. [port] hpux: address signed/unsigned expansion mismatch of 10617 dns_rbtnode_t.nsec. [RT #20542] 10618 106192745. [bug] configure script didn't probe the return type of 10620 gai_strerror(3) correctly. [RT #20573] 10621 106222744. [func] Log if a query was over TCP. [RT #19961] 10623 106242743. [bug] RRSIG could be incorrectly set in the NSEC3 record 10625 for a insecure delegation. 10626 10627 --- 9.7.0b2 released --- 10628 106292742. [cleanup] Clarify some DNSSEC-related log messages in 10630 validator.c. [RT #19589] 10631 106322741. [func] Allow the dnssec-keygen progress messages to be 10633 suppressed (dnssec-keygen -q). Automatically 10634 suppress the progress messages when stdin is not 10635 a tty. [RT #20474] 10636 106372740. [placeholder] 10638 106392739. [cleanup] Clean up API for initializing and clearing trust 10640 anchors for a view. [RT #20211] 10641 106422738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system 10643 test. [RT #20453] 10644 106452737. [func] UPDATE requests can leak existence information. 10646 [RT #17261] 10647 106482736. [func] Improve the performance of NSEC signed zones with 10649 more than a normal amount of glue below a delegation. 10650 [RT #20191] 10651 106522735. [bug] dnssec-signzone could fail to read keys 10653 that were specified on the command line with 10654 full paths, but weren't in the current 10655 directory. [RT #20421] 10656 106572734. [port] cygwin: arpaname did not compile. [RT #20473] 10658 106592733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355] 10660 106612732. 
[func] Add optional filter-aaaa-on-v4 option, available 10662 if built with './configure --enable-filter-aaaa'. 10663 Filters out AAAA answers to clients connecting 10664 via IPv4. (This is NOT recommended for general 10665 use.) [RT #20339] 10666 106672731. [func] Additional work on change 2709. The key parser 10668 will now ignore unrecognized fields when the 10669 minor version number of the private key format 10670 has been increased. It will reject any key with 10671 the major version number increased. [RT #20310] 10672 106732730. [func] Have dnssec-keygen display a progress indication 10674 a la 'openssl genrsa' on standard error. Note 10675 when the first '.' is followed by a long stop 10676 one has the choice between slow generation vs. 10677 poor random quality, i.e., '-r /dev/urandom'. 10678 [RT #20284] 10679 106802729. [func] When constructing a CNAME from a DNAME use the DNAME 10681 TTL. [RT #20451] 10682 106832728. [bug] dnssec-keygen, dnssec-keyfromlabel and 10684 dnssec-signzone now warn immediately if asked to 10685 write into a nonexistent directory. [RT #20278] 10686 106872727. [func] The 'key-directory' option can now specify a relative 10688 path. [RT #20154] 10689 106902726. [func] Added support for SHA-2 DNSSEC algorithms, 10691 RSASHA256 and RSASHA512. [RT #20023] 10692 106932725. [doc] Added information about the file "managed-keys.bind" 10694 to the ARM. [RT #20235] 10695 106962724. [bug] Updates to a existing node in secure zone using NSEC 10697 were failing. [RT #20448] 10698 106992723. [bug] isc_base32_totext(), isc_base32hex_totext(), and 10700 isc_base64_totext(), didn't always mark regions of 10701 memory as fully consumed after conversion. [RT #20445] 10702 107032722. [bug] Ensure that the memory associated with the name of 10704 a node in a rbt tree is not altered during the life 10705 of the node. [RT #20431] 10706 107072721. [port] Have dst__entropy_status() prime the random number 10708 generator. [RT #20369] 10709 107102720. 
[bug] RFC 5011 trust anchor updates could trigger an 10711 assert if the DNSKEY record was unsigned. [RT #20406] 10712 107132719. [func] Skip trusted/managed keys for unsupported algorithms. 10714 [RT #20392] 10715 107162718. [bug] The space calculations in opensslrsa_todns() were 10717 incorrect. [RT #20394] 10718 107192717. [bug] named failed to update the NSEC/NSEC3 record when 10720 the last private type record was removed as a result 10721 of completing the signing the zone with a key. 10722 [RT #20399] 10723 107242716. [bug] nslookup debug mode didn't return the ttl. [RT #20414] 10725 10726 --- 9.7.0b1 released --- 10727 107282715. [bug] Require OpenSSL support to be explicitly disabled. 10729 [RT #20288] 10730 107312714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler 10732 flags. 10733 107342713. [bug] powerpc: atomic operations missing asm("ics") / 10735 __isync() calls. 10736 107372712. [func] New 'auto-dnssec' zone option allows zone signing 10738 to be fully automated in zones configured for 10739 dynamic DNS. 'auto-dnssec allow;' permits a zone 10740 to be signed by creating keys for it in the 10741 key-directory and using 'rndc sign <zone>'. 10742 'auto-dnssec maintain;' allows that too, plus it 10743 also keeps the zone's DNSSEC keys up to date 10744 according to their timing metadata. [RT #19943] 10745 107462711. [port] win32: Add the bin/pkcs11 tools into the full 10747 build. [RT #20372] 10748 107492710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only' 10750 zone option cause a zone to be signed with only KSKs 10751 signing the DNSKEY RRset, not ZSKs. This reduces 10752 the size of a DNSKEY answer. [RT #20340] 10753 107542709. [func] Added some data fields, currently unused, to the 10755 private key file format, to allow implementation 10756 of explicit key rollover in a future release 10757 without impairing backward or forward compatibility. 10758 [RT #20310] 10759 107602708. 
[func] Insecure to secure and NSEC3 parameter changes via 10761 update are now fully supported and no longer require 10762 defines to enable. We now no longer overload the 10763 NSEC3PARAM flag field, nor the NSEC OPT bit at the 10764 apex. Secure to insecure changes are controlled by 10765 by the named.conf option 'secure-to-insecure'. 10766 10767 Warning: If you had previously enabled support by 10768 adding defines at compile time to BIND 9.6 you should 10769 ensure that all changes that are in progress have 10770 completed prior to upgrading to BIND 9.7. BIND 9.7 10771 is not backwards compatible. 10772 107732707. [func] dnssec-keyfromlabel no longer require engine name 10774 to be specified in the label if there is a default 10775 engine or the -E option has been used. Also, it 10776 now uses default algorithms as dnssec-keygen does 10777 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). 10778 [RT #20371] 10779 107802706. [bug] Loading a zone with a very large NSEC3 salt could 10781 trigger an assert. [RT #20368] 10782 107832705. [placeholder] 10784 107852704. [bug] Serial of dynamic and stub zones could be inconsistent 10786 with their SOA serial. [RT #19387] 10787 107882703. [func] Introduce an OpenSSL "engine" argument with -E 10789 for all binaries which can take benefit of 10790 crypto hardware. [RT #20230] 10791 107922702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all] 10793 107942701. [doc] Correction to ARM: hmac-md5 is no longer the only 10795 supported TSIG key algorithm. [RT #18046] 10796 107972700. [doc] The match-mapped-addresses option is discouraged. 10798 [RT #12252] 10799 108002699. [bug] Missing lock in rbtdb.c. [RT #20037] 10801 108022698. [placeholder] 10803 108042697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and 10805 S_IFREG are defined after including <isc/stat.h>. 10806 [RT #20309] 10807 108082696. [bug] named failed to successfully process some valid 10809 acl constructs. [RT #20308] 10810 108112695. 
[func] DHCP/DDNS - update fdwatch code for use by 10812 DHCP. Modify the api to isc_sockfdwatch_t (the 10813 callback function for isc_socket_fdwatchcreate) 10814 to include information about the direction (read 10815 or write) and add isc_socket_fdwatchpoke. 10816 [RT #20253] 10817 108182694. [bug] Reduce default NSEC3 iterations from 100 to 10. 10819 [RT #19970] 10820 108212693. [port] Add some noreturn attributes. [RT #20257] 10822 108232692. [port] win32: 32/64 bit cleanups. [RT #20335] 10824 108252691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 10826 chain when re-signing a previously-signed zone. 10827 Use -u to modify NSEC3 parameters or switch 10828 between NSEC and NSEC3. [RT #20304] 10829 108302690. [bug] win32: fix isc_thread_key_getspecific() prototype. 10831 [RT #20315] 10832 108332689. [bug] Correctly handle snprintf result. [RT #20306] 10834 108352688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, 10836 to decide to fetch the destination address. [RT #20305] 10837 108382687. [bug] Fixed dnssec-signzone -S handling of revoked keys. 10839 Also, added warnings when revoking a ZSK, as this is 10840 not defined by protocol (but is legal). [RT #19943] 10841 108422686. [bug] dnssec-signzone should clean the old NSEC chain when 10843 signing with NSEC3 and vice versa. [RT #20301] 10844 108452685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054] 10846 108472684. [cleanup] dig: formalize +ad and +cd as synonyms for 10848 +adflag and +cdflag. [RT #19305] 10849 108502683. [bug] dnssec-signzone should clean out old NSEC3 chains when 10851 the NSEC3 parameters used to sign the zone change. 10852 [RT #20246] 10853 108542682. [bug] "configure --enable-symtable=all" failed to 10855 build. [RT #20282] 10856 108572681. [bug] IPSECKEY RR of gateway type 3 was not correctly 10858 decoded. [RT #20269] 10859 108602680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067] 10861 108622679. 
[func] dig -k can now accept TSIG keys in named.conf 10863 format. [RT #20031] 10864 108652678. [func] Treat DS queries as if "minimal-response yes;" 10866 was set. [RT #20258] 10867 108682677. [func] Changes to key metadata behavior: 10869 - Keys without "publish" or "active" dates set will 10870 no longer be used for smart signing. However, 10871 those dates will be set to "now" by default when 10872 a key is created; to generate a key but not use 10873 it yet, use dnssec-keygen -G. 10874 - New "inactive" date (dnssec-keygen/settime -I) 10875 sets the time when a key is no longer used for 10876 signing but is still published. 10877 - The "unpublished" date (-U) is deprecated in 10878 favor of "deleted" (-D). 10879 [RT #20247] 10880 108812676. [bug] --with-export-installdir should have been 10882 --with-export-includedir. [RT #20252] 10883 108842675. [bug] dnssec-signzone could crash if the key directory 10885 did not exist. [RT #20232] 10886 10887 --- 9.7.0a3 released --- 10888 108892674. [bug] "dnssec-lookaside auto;" crashed if named was built 10890 without openssl. [RT #20231] 10891 108922673. [bug] The managed-keys.bind zone file could fail to 10893 load due to a spurious result from sync_keyzone() 10894 [RT #20045] 10895 108962672. [bug] Don't enable searching in 'host' when doing reverse 10897 lookups. [RT #20218] 10898 108992671. [bug] Add support for PKCS#11 providers not returning 10900 the public exponent in RSA private keys 10901 (OpenCryptoki for instance) in 10902 dnssec-keyfromlabel. [RT #19294] 10903 109042670. [bug] Unexpected connect failures failed to log enough 10905 information to be useful. [RT #20205] 10906 109072669. [func] Update PKCS#11 support to support Keyper HSM. 10908 Update PKCS#11 patch to be against openssl-0.9.8i. 10909 109102668. 
[func] Several improvements to dnssec-* tools, including: 10911 - dnssec-keygen and dnssec-settime can now set key 10912 metadata fields 0 (to unset a value, use "none") 10913 - dnssec-revoke sets the revocation date in 10914 addition to the revoke bit 10915 - dnssec-settime can now print individual metadata 10916 fields instead of always printing all of them, 10917 and can print them in unix epoch time format for 10918 use by scripts 10919 [RT #19942] 10920 109212667. [func] Add support for logging stack backtrace on assertion 10922 failure (not available for all platforms). [RT #19780] 10923 109242666. [func] Added an 'options' argument to dns_name_fromstring() 10925 (API change from 9.7.0a2). [RT #20196] 10926 109272665. [func] Clarify syntax for managed-keys {} statement, add 10928 ARM documentation about RFC 5011 support. [RT #19874] 10929 109302664. [bug] create_keydata() and minimal_update() in zone.c 10931 didn't properly check return values for some 10932 functions. [RT #19956] 10933 109342663. [func] win32: allow named to run as a service using 10935 "NT AUTHORITY\LocalService" as the account. [RT #19977] 10936 109372662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() 10938 returned a misleading error code when lwresd was 10939 down. [RT #20028] 10940 109412661. [bug] Check whether socket fd exceeds FD_SETSIZE when 10942 creating lwres context. [RT #20029] 10943 109442660. [func] Add a new set of DNS libraries for non-BIND9 10945 applications. See README.libdns. [RT #19369] 10946 109472659. [doc] Clarify dnssec-keygen doc: key name must match zone 10948 name for DNSSEC keys. [RT #19938] 10949 109502658. [bug] dnssec-settime and dnssec-revoke didn't process 10951 key file paths correctly. [RT #20078] 10952 109532657. [cleanup] Lower "journal file <path> does not exist, creating it" 10954 log level to debug 1. [RT #20058] 10955 109562656. 
[func] win32: add a "tools only" check box to the installer 10957 which causes it to only install dig, host, nslookup, 10958 nsupdate and relevant DLLs. [RT #19998] 10959 109602655. [doc] Document that key-directory does not affect 10961 bind.keys, rndc.key or session.key. [RT #20155] 10962 109632654. [bug] Improve error reporting on duplicated names for 10964 deny-answer-xxx. [RT #20164] 10965 109662653. [bug] Treat ENGINE_load_private_key() failures as key 10967 not found rather than out of memory. [RT #18033] 10968 109692652. [func] Provide more detail about what record is being 10970 deleted. [RT #20061] 10971 109722651. [bug] Dates could print incorrectly in K*.key files on 10973 64-bit systems. [RT #20076] 10974 109752650. [bug] Assertion failure in dnssec-signzone when trying 10976 to read keyset-* files. [RT #20075] 10977 109782649. [bug] Set the domain for forward only zones. [RT #19944] 10979 109802648. [port] win32: isc_time_seconds() was broken. [RT #19900] 10981 109822647. [bug] Remove unnecessary SOA updates when a new KSK is 10983 added. [RT #19913] 10984 109852646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 10986 109872645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms 10988 which default to 64 bits. [RT #19927] 10989 10990 --- 9.7.0a2 released --- 10991 109922644. [bug] Change #2628 caused a regression on some systems; 10993 named was unable to write the PID file and would 10994 fail on startup. [RT #20001] 10995 109962643. [bug] Stub zones interacted badly with NSEC3 support. 10997 [RT #19777] 10998 109992642. [bug] nsupdate could dump core on solaris when reading 11000 improperly formatted key files. [RT #20015] 11001 110022641. [bug] Fixed an error in parsing update-policy syntax, 11003 added a regression test to check it. [RT #20007] 11004 110052640. [security] A specially crafted update packet will cause named 11006 to exit. [RT #20000] 11007 110082639. [bug] Silence compiler warnings in gssapi code. 
[RT #19954] 11009 110102638. [bug] Install arpaname. [RT #19957] 11011 110122637. [func] Rationalize dnssec-signzone's signwithkey() calling. 11013 [RT #19959] 11014 110152636. [func] Simplify zone signing and key maintenance with the 11016 dnssec-* tools. Major changes: 11017 - all dnssec-* tools now take a -K option to 11018 specify a directory in which key files will be 11019 stored 11020 - DNSSEC can now store metadata indicating when 11021 they are scheduled to be published, activated, 11022 revoked or removed; these values can be set by 11023 dnssec-keygen or overwritten by the new 11024 dnssec-settime command 11025 - dnssec-signzone -S (for "smart") option reads key 11026 metadata and uses it to determine automatically 11027 which keys to publish to the zone, use for 11028 signing, revoke, or remove from the zone 11029 [RT #19816] 11030 110312635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. 11032 [RT #19716] 11033 110342634. [port] win32: Add support for libxml2, enable 11035 statschannel. [RT #19773] 11036 110372633. [bug] Handle 15 bit rand() functions. [RT #19783] 11038 110392632. [func] util/kit.sh: warn if documentation appears to be out of 11040 date. [RT #19922] 11041 110422631. [bug] Handle "//", "/./" and "/../" in mkdirpath(). 11043 [RT #19926 ] 11044 110452630. [func] Improved syntax for DDNS autoconfiguration: use 11046 "update-policy local;" to switch on local DDNS in a 11047 zone. (The "ddns-autoconf" option has been removed.) 11048 [RT #19875] 11049 110502629. [port] Check for seteuid()/setegid(), use setresuid()/ 11051 setresgid() if not present. [RT #19932] 11052 110532628. [port] linux: Allow /var/run/named/named.pid to be opened 11054 at startup with reduced capabilities in operation. 11055 [RT #19884] 11056 110572627. [bug] Named aborted if the same key was included in 11058 trusted-keys more than once. [RT #19918] 11059 110602626. [bug] Multiple trusted-keys could trigger an assertion 11061 failure. 
[RT #19914] 11062 110632625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865] 11064 110652624. [func] 'named-checkconf -p' will print out the parsed 11066 configuration. [RT #18871] 11067 110682623. [bug] Named started searches for DS non-optimally. [RT #19915] 11069 110702622. [bug] Printing of named.conf grammar was broken. [RT #19919] 11071 110722621. [doc] Made copyright boilerplate consistent. [RT #19833] 11073 110742620. [bug] Delay thawing the zone until the reload of it has 11075 completed successfully. [RT #19750] 11076 110772619. [func] Add support for RFC 5011, automatic trust anchor 11078 maintenance. The new "managed-keys" statement can 11079 be used in place of "trusted-keys" for zones which 11080 support this protocol. (Note: this syntax is 11081 expected to change prior to 9.7.0 final.) [RT #19248] 11082 110832618. [bug] The sdb and sdlz db_interator_seek() methods could 11084 loop infinitely. [RT #19847] 11085 110862617. [bug] ifconfig.sh failed to emit an error message when 11087 run from the wrong location. [RT #19375] 11088 110892616. [bug] 'host' used the nameservers from resolv.conf even 11090 when a explicit nameserver was specified. [RT #19852] 11091 110922615. [bug] "__attribute__((unused))" was in the wrong place 11093 for ia64 gcc builds. [RT #19854] 11094 110952614. [port] win32: 'named -v' should automatically be executed 11096 in the foreground. [RT #19844] 11097 110982613. [placeholder] 11099 11100 --- 9.7.0a1 released --- 11101 111022612. [func] Add default values for the arguments to 11103 dnssec-keygen. Without arguments, it will now 11104 generate a 1024-bit RSASHA1 zone-signing key, 11105 or with the -f KSK option, a 2048-bit RSASHA1 11106 key-signing key. [RT #19300] 11107 111082611. [func] Add -l option to dnssec-dsfromkey to generate 11109 DLV records instead of DS records. [RT #19300] 11110 111112610. [port] sunos: Change #2363 was not complete. [RT #19796] 11112 111132609. 
[func] Simplify the configuration of dynamic zones: 11114 - add ddns-confgen command to generate 11115 configuration text for named.conf 11116 - add zone option "ddns-autoconf yes;", which 11117 causes named to generate a TSIG session key 11118 and allow updates to the zone using that key 11119 - add '-l' (localhost) option to nsupdate, which 11120 causes nsupdate to connect to a locally-running 11121 named process using the session key generated 11122 by named 11123 [RT #19284] 11124 111252608. [func] Perform post signing verification checks in 11126 dnssec-signzone. These can be disabled with -P. 11127 11128 The post sign verification test ensures that for each 11129 algorithm in use there is at least one non revoked 11130 self signed KSK key. That all revoked KSK keys are 11131 self signed. That all records in the zone are signed 11132 by the algorithm. [RT #19653] 11133 111342607. [bug] named could incorrectly delete NSEC3 records for 11135 empty nodes when processing a update request. 11136 [RT #19749] 11137 111382606. [bug] "delegation-only" was not being accepted in 11139 delegation-only type zones. [RT #19717] 11140 111412605. [bug] Accept DS responses from delegation only zones. 11142 [RT # 19296] 11143 111442604. [func] Add support for DNS rebinding attack prevention through 11145 new options, deny-answer-addresses and 11146 deny-answer-aliases. Based on contributed code from 11147 JD Nurmi, Google. [RT #18192] 11148 111492603. [port] win32: handle .exe extension of named-checkzone and 11150 named-comilezone argv[0] names under windows. 11151 [RT #19767] 11152 111532602. [port] win32: fix debugging command line build of libisccfg. 11154 [RT #19767] 11155 111562601. [doc] Mention file creation mode mask in the 11157 named manual page. 11158 111592600. [doc] ARM: miscellaneous reformatting for different 11160 page widths. [RT #19574] 11161 111622599. [bug] Address rapid memory growth when validation fails. 11163 [RT #19654] 11164 111652598. 
[func] Reserve the -F flag. [RT #19657] 11166 111672597. [bug] Handle a validation failure with a insecure delegation 11168 from a NSEC3 signed master/slave zone. [RT #19464] 11169 111702596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay 11171 long, leading to inefficient memory usage or rejecting 11172 newer cache entries in the worst case. [RT #19563] 11173 111742595. [bug] Fix unknown extended rcodes in dig. [RT #19625] 11175 111762594. [func] Have rndc warn if using its default configuration 11177 file when the key file also exists. [RT #19424] 11178 111792593. [bug] Improve a corner source of SERVFAILs [RT #19632] 11180 111812592. [bug] Treat "any" as a type in nsupdate. [RT #19455] 11182 111832591. [bug] named could die when processing a update in 11184 removed_orphaned_ds(). [RT #19507] 11185 111862590. [func] Report zone/class of "update with no effect". 11187 [RT #19542] 11188 111892589. [bug] dns_db_unregister() failed to clear '*dbimp'. 11190 [RT #19626] 11191 111922588. [bug] SO_REUSEADDR could be set unconditionally after failure 11193 of bind(2) call. This should be rare and mostly 11194 harmless, but may cause interference with other 11195 processes that happen to use the same port. [RT #19642] 11196 111972587. [func] Improve logging by reporting serial numbers for 11198 when zone serial has gone backwards or unchanged. 11199 [RT #19506] 11200 112012586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB 11202 or SDB. [RT #19577] 11203 112042585. [bug] Uninitialized socket name could be referenced via a 11205 statistics channel, triggering an assertion failure in 11206 XML rendering. [RT #19427] 11207 112082584. [bug] alpha: gcc optimization could break atomic operations. 11209 [RT #19227] 11210 112112583. [port] netbsd: provide a control to not add the compile 11212 date to the version string, -DNO_VERSION_DATE. 11213 112142582. [bug] Don't emit warning log message when we attempt to 11215 remove non-existent journal. 
[RT #19516] 11216 112172581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. 11218 Requires MySQL 5.0.19 or later. [RT #19084] 11219 112202580. [bug] UpdateRej statistics counter could be incremented twice 11221 for one rejection. [RT #19476] 11222 112232579. [bug] DNSSEC lookaside validation failed to handle unknown 11224 algorithms. [RT #19479] 11225 112262578. [bug] Changed default sig-signing-type to 65534, because 11227 65535 turns out to be reserved. [RT #19477] 11228 112292577. [doc] Clarified some statistics counters. [RT #19454] 11230 112312576. [bug] NSEC record were not being correctly signed when 11232 a zone transitions from insecure to secure. 11233 Handle such incorrectly signed zones. [RT #19114] 11234 112352575. [func] New functions dns_name_fromstring() and 11236 dns_name_tostring(), to simplify conversion 11237 of a string to a dns_name structure and vice 11238 versa. [RT #19451] 11239 112402574. [doc] Document nsupdate -g and -o. [RT #19351] 11241 112422573. [bug] Replacing a non-CNAME record with a CNAME record in a 11243 single transaction in a signed zone failed. [RT #19397] 11244 112452572. [func] Simplify DLV configuration, with a new option 11246 "dnssec-lookaside auto;" This is the equivalent 11247 of "dnssec-lookaside . trust-anchor dlv.isc.org;" 11248 plus setting a trusted-key for dlv.isc.org. 11249 11250 Note: The trusted key is hard-coded into named, 11251 but is also stored in (and can be overridden 11252 by) $sysconfdir/bind.keys. As the ISC DLV key 11253 rolls over it can be kept up to date by replacing 11254 the bind.keys file with a key downloaded from 11255 https://www.isc.org/solutions/dlv. [RT #18685] 11256 112572571. [func] Add a new tool "arpaname" which translates IP addresses 11258 to the corresponding IN-ADDR.ARPA or IP6.ARPA name. 11259 [RT #18976] 11260 112612570. [func] Log the destination address the query was sent to. 11262 [RT #19209] 11263 112642569. 
[func] Move journalprint, nsec3hash, and genrandom
        commands from bin/tests into bin/tools;
        "make install" will put them in $sbindir. [RT #19301]

2568. [bug] Report when the write to indicate an otherwise
        successful start fails. [RT #19360]

2567. [bug] dst__privstruct_writefile() could miss write errors.
        write_public_key() could miss write errors.
        dnssec-dsfromkey could miss write errors.
        [RT #19360]

2566. [cleanup] Clarify logged message when an insecure DNSSEC
        response arrives from a zone thought to be secure:
        "insecurity proof failed" instead of "not
        insecure". [RT #19400]

2565. [func] Add support for HIP record. Includes new functions
        dns_rdata_hip_first(), dns_rdata_hip_next()
        and dns_rdata_hip_current(). [RT #19384]

2564. [bug] Only take EDNS fallback steps when processing timeouts.
        [RT #19405]

2563. [bug] Dig could leak a socket causing it to wait forever
        to exit. [RT #19359]

2562. [doc] ARM: miscellaneous improvements, reorganization,
        and some new content.

2561. [doc] Add isc-config.sh(1) man page. [RT #16378]

2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]

2559. [bug] dnssec-dsfromkey could compute bad DS records when
        reading from a K* file. [RT #19357]

2558. [func] Set the ownership of missing directories created
        for pid-file if -u has been specified on the command
        line. [RT #19328]

2557. [cleanup] PCI compliance:
        * new libisc log module file
        * isc_dir_chroot() now also changes the working
          directory to "/".
        * additional INSISTs
        * additional logging when files can't be removed.

2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
        error checks in the correct order resulting in the
        wrong error code sometimes being returned.
        [RT #19249]

2555. [func] dig: when emitting a hex dump also display the
        corresponding characters. [RT #19258]

2554. [bug] Validation of uppercase queries from NSEC3 zones could
        fail. [RT #19297]

2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]

2552. [bug] zero-no-soa-ttl-cache was not being honored.
        [RT #19340]

2551. [bug] Potential reference leak on return. [RT #19341]

2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
        [RT #19343]

2549. [port] linux: define NR_OPEN if not currently defined.
        [RT #19344]

2548. [bug] Install iterated_hash.h. [RT #19335]

2547. [bug] openssl_link.c:mem_realloc() could reference an
        out-of-range area of the source buffer. New public
        function isc_mem_reallocate() was introduced to address
        this bug. [RT #19313]

2546. [func] Add --enable-openssl-hash configure flag to use
        OpenSSL (in place of internal routine) for hash
        functions (MD5, SHA[12] and HMAC). [RT #18815]

2545. [doc] ARM: Legal hostname checking (check-names) is
        for SRV RDATA too. [RT #19304]

2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]

2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]

2542. [doc] Update the description of dig +adflag. [RT #19290]

2541. [bug] Conditionally update dispatch manager statistics.
        [RT #19247]

2540. [func] Add a nibble mode to $GENERATE. [RT #18872]

2539. [security] Update the interaction between recursion, allow-query,
        allow-query-cache and allow-recursion. [RT #19198]

2538. [bug] cache/ADB memory could grow over max-cache-size,
        especially with threads and smaller max-cache-size
        values. [RT #19240]

2537. [func] Added more statistics counters including those on socket
        I/O events and query RTT histograms. [RT #18802]

2536. [cleanup] Silence some warnings when -Werror=format-security is
        specified. [RT #19083]

2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]

2534. [func] Check NAPTR records regular expressions and
        replacement strings to ensure they are syntactically
        valid and consistent. [RT #18168]

2533. [doc] ARM: document @ (at-sign). [RT #17144]

2532. [bug] dig: check the question section of the response to
        see if it matches the asked question. [RT #18495]

2531. [bug] Change #2207 was incomplete. [RT #19098]

2530. [bug] named failed to reject insecure to secure transitions
        via UPDATE. [RT #19101]

2529. [cleanup] Upgrade libtool to silence complaints from recent
        version of autoconf. [RT #18657]

2528. [cleanup] Silence spurious configure warning about
        --datarootdir [RT #19096]

2527. [placeholder]

2526. [func] New named option "attach-cache" that allows multiple
        views to share a single cache to save memory and
        improve lookup efficiency. Based on contributed code
        from Barclay Osborn, Google. [RT #18905]

2525. [func] New logging category "query-errors" to provide detailed
        internal information about query failures, especially
        about server failures. [RT #19027]

2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523. [bug] Random type rdata freed by dns_nsec_typepresent().
        [RT #19112]

2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521. [bug] Improve epoll cross compilation support. [RT #19047]

2520. [bug] Update xml statistics version number to 2.0 as change
        #2388 made the schema incompatible with the previous
        version. [RT #19080]

2519. [bug] dig/host with -4 or -6 didn't work if more than two
        nameserver addresses of the excluded address family
        preceded in resolv.conf. [RT #19081]

2518. [func] Add support for the new CERT types from RFC 4398.
        [RT #19077]

2517. [bug] dig +trace with -4 or -6 failed when it chose a
        nameserver address of the excluded address type.
        [RT #18843]

2516. [bug] glue sort for responses was performed even when not
        needed. [RT #19039]

2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
        [RT #19063]

2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
        a nameserver of the excluded address family.
        [RT #18848]

2513. [bug] Fix windows cli build. [RT #19062]

2512. [func] Print a summary of the cached records which make up
        the negative response. [RT #18885]

2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
        [RT #18885]

2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
        [RT #19033]

2509. [bug] Specifying a fixed query source port was broken.
        [RT #19051]

2508. [placeholder]

2507. [func] Log the recursion quota values when killing the
        oldest query or refusing to recurse due to quota.
        [RT #19022]

2506. [port] solaris: Check at configure time if
        hack_shutup_pthreadonceinit is needed. [RT #19037]

2505. [port] Treat amd64 similarly to x86_64 when determining
        atomic operation support. [RT #19031]

2504. [bug] Address race condition in the socket code. [RT #18899]

2503. [port] linux: improve compatibility with Linux Standard
        Base. [RT #18793]

2502. [cleanup] isc_radix: Improve compliance with coding style,
        document function in <isc/radix.h>. [RT #18534]

2501. [func] $GENERATE now supports all rdata types. Multi-field
        rdata types need to be quoted. See the ARM for
        details. [RT #18368]

2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
        function. [RT #18582]

2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
        [RT #18837]

        --- 9.6.0rc1 released ---

2498. [bug] Removed a bogus function argument used with
        ISC_SOCKET_USE_POLLWATCH: it could cause compiler
        warning or crash named with the debug 1 level
        of logging. [RT #18917]

2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
        delegation.

2496. [bug] Add sanity length checks to NSID option. [RT #18813]

2495. [bug] Tighten RRSIG checks. [RT #18795]

2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
        installed. [RT #18826]

2493. [bug] The linux capabilities code was not correctly cleaning
        up after itself. [RT #18767]

2492. [func] Rndc status now reports the number of cpus discovered
        and the number of worker threads when running
        multi-threaded. [RT #18273]

2491. [func] Attempt to re-use a local port if we are already using
        the port. [RT #18548]

2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
        is cleared when IPV6_V6ONLY is set. [RT #18785]

2489. [port] solaris: Work around Solaris's kernel bug about
        /dev/poll:
        http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
        Define ISC_SOCKET_USE_POLLWATCH at build time to enable
        this workaround. [RT #18870]

2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
        from keyset and .key files. [RT #18694]

2487. [bug] Give TCP connections longer to complete. [RT #18675]

2486. [func] The default locations for named.pid and lwresd.pid
        are now /var/run/named/named.pid and
        /var/run/lwresd/lwresd.pid respectively.

        This allows the owner of the containing directory
        to be set, for "named -u" support, and allows there
        to be a permanent symbolic link in the path, for
        "named -t" support. [RT #18306]

2485. [bug] Change update's handling of obscured RRSIG
        records. Not all orphaned DS records were being
        removed. [RT #18828]

2484. [bug] It was possible to trigger a REQUIRE failure when
        adding NSEC3 proofs to the response in
        query_addwildcardproof(). [RT #18828]

2483. [port] win32: chroot() is not supported. [RT #18805]

2482. [port] libxml2: support versions 2.7.* in addition
        to 2.6.*. [RT #18806]

        --- 9.6.0b1 released ---

2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
        collisions. [RT #18812]

2480. [bug] named could fail to emit all the required NSEC3
        records. [RT #18812]

2479. [bug] xfrout:covers was not properly initialized. [RT #18801]

2478. [bug] 'addresses' could be used uninitialized in
        configure_forward(). [RT #18800]

2477. [bug] dig: the global option to print the command line is
        +cmd not print_cmd. Update the output to reflect
        this. [RT #17008]

2476. [doc] ARM: improve documentation for max-journal-size and
        ixfr-from-differences. [RT #15909] [RT #18541]

2475. [bug] LRU cache cleanup under overmem condition could purge
        particular entries more aggressively. [RT #17628]

2474. [bug] ACL structures could be allocated with insufficient
        space, causing an array overrun. [RT #18765]

2473. [port] linux: raise the limit on open files to the possible
        maximum value before spawning threads; 'files'
        specified in named.conf doesn't seem to work with
        threads as expected. [RT #18784]

2472. [port] linux: check the number of available cpu's before
        calling chroot as it depends on "/proc". [RT #16923]

2471. [bug] named-checkzone was not reporting missing mandatory
        glue when sibling checks were disabled. [RT #18768]

2470. [bug] Elements of the isc_radix_node_t could be incorrectly
        overwritten. [RT #18719]

2469. [port] solaris: Work around Solaris's select() limitations.
        [RT #18769]

2468. [bug] Resolver could try unreachable servers multiple times.
        [RT #18739]

2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue.
        [RT #18302]

2465. [bug] Adb's handling of lame addresses was different
        for IPv4 and IPv6. [RT #18738]

2464. [port] linux: check that a capability is present before
        trying to set it. [RT #18135]

2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
        API and glibc hides parts of the IPv6 Advanced Socket
        API as a result. This is stupid as it breaks how the
        two halves (Basic and Advanced) of the IPv6 Socket API
        were designed to be used but we have to live with it.
        Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
        API. [RT #18388]

2462. [doc] Document -m (enable memory usage debugging)
        option for dig. [RT #18757]

2461. [port] sunos: Change #2363 was not complete. [RT #17513]

        --- 9.6.0a1 released ---

2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
        [RT #18697]

2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]

2458. [doc] ARM: update and correction for max-cache-size.
        [RT #18294]

2457. [tuning] max-cache-size is reverted to 0, the previous
        default. It should be safe because expired cache
        entries are also purged. [RT #18684]

2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
        address, regardless of family. They now correctly
        distinguish IPv4 from IPv6. [RT #18559]

2455. [bug] Stop metadata being transferred via axfr/ixfr.
        [RT #18639]

2454. [func] nsupdate: you can now set a default ttl. [RT #18317]

2453. [bug] Remove NULL pointer dereference in dns_journal_print().
        [RT #18316]

2452. [func] Improve bin/test/journalprint. [RT #18316]

2451. [port] solaris: handle runtime linking better. [RT #18356]

2450. [doc] Fix lwresd docbook problem for manual page.
        [RT #18672]

2449. [placeholder]

2448. [func] Add NSEC3 support. [RT #15452]

2447. [cleanup] libbind has been split out as a separate product.

2446. [func] Add a new log message about build options on startup.
        A new command-line option '-V' for named is also
        provided to show this information. [RT #18645]

2445. [doc] ARM out-of-date on empty reverse zones (list includes
        RFC1918 address, but these are not yet compiled in).
        [RT #18578]

2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
        (clear DF) for UDP responses and requests.

2443. [bug] win32: UDP connect() would not generate an event,
        and so connected UDP sockets would never clean up.
        Fix this by doing an immediate WSAConnect() rather
        than an io completion port type for UDP.

2442. [bug] A lock could be destroyed twice. [RT #18626]

2441. [bug] isc_radix_insert() could copy radix tree nodes
        incompletely. [RT #18573]

2440. [bug] named-checkconf used an incorrect test to determine
        if an ACL was set to none.

2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
        [RT #18559]

2438. [bug] Timeouts could be logged incorrectly under win32.

2437. [bug] Sockets could be closed too early, leading to
        inconsistent states in the socket module. [RT #18298]

2436. [security] win32: UDP client handler can be shut down. [RT #18576]

2435. [bug] Fixed an ACL memory leak affecting win32.

2434. [bug] Fixed a minor error-reporting bug in
        lib/isc/win32/socket.c.

2433. [tuning] Set initial timeout to 800ms.

2432. [bug] More Windows socket handling improvements. Stop
        using I/O events and use IO Completion Ports
        throughout. Rewrite the receive path logic to make
        it easier to support multiple simultaneous
        requesters in the future. Add stricter consistency
        checking as a compile-time option (define
        ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431. [bug] Acl processing could leak memory. [RT #18323]

2430. [bug] win32: isc_interval_set() could round down to
        zero if the input was less than NS_INTERVAL
        nanoseconds. Round up instead. [RT #18549]

2429. [doc] nsupdate should be in section 1 of the man pages.
        [RT #18283]

2428. [bug] dns_iptable_merge() mishandled merges of negative
        tables. [RT #18409]

2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
        was set. [RT #18528]

2426. [bug] libbind: inet_net_pton() can sometimes return the
        wrong value if excessively large net masks are
        supplied. [RT #18512]

2425. [bug] named didn't detect unavailable query source addresses
        at load time. [RT #18536]

2424. [port] configure now probes for a working epoll
        implementation. Allow the use of kqueue,
        epoll and /dev/poll to be selected at compile
        time. [RT #18277]

2423. [security] Randomize server selection on queries, so as to
        make forgery a little more difficult. Instead of
        always preferring the server with the lowest RTT,
        pick a server with RTT within the same 128
        millisecond band. [RT #18441]

2422. [bug] Handle the special return value of an empty node as
        if it was a NXRRSET in the validator. [RT #18447]

2421. [func] Add new command line option '-S' for named to specify
        the max number of sockets. [RT #18493]
        Use caution: this option may not work for some
        operating systems without rebuilding named.

2420. [bug] Windows socket handling cleanup. Let the io
        completion event send out canceled read/write
        done events, which keeps us from writing to memory
        we no longer have ownership of. Add debugging
        socket_log() function. Rework TCP socket handling
        to not leak sockets.

2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
        should not be used for isc_sockettype_fdwatch sockets.
        [RT #18521]

2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure.
        [RT #18430]

2417. [bug] Connecting UDP sockets for outgoing queries could
        unexpectedly fail with an 'address already in use'
        error. [RT #18411]

2416. [func] Log file descriptors that cause exceeding the
        internal maximum. [RT #18460]

2415. [bug] 'rndc dumpdb' could trigger various assertion failures
        in rbtdb.c. [RT #18455]

2414. [bug] A masterdump context held the database lock too long,
        causing various troubles such as deadlock and
        recursive lock acquisition. [RT #18311, #18456]

2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]

2412. [bug] win32: address a resource leak. [RT #18374]

2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
        for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
        at compilation time. [RT #18433]

        Note: with changes #2469 and #2421 above, there is no
        need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
        any more.

2410. [bug] Correctly delete m_versionInfo. [RT #18432]

2409. [bug] Only log that we disabled EDNS processing if we were
        subsequently successful. [RT #18029]

2408. [bug] A duplicate TCP dispatch event could be sent, which
        could then trigger an assertion failure in
        resquery_response(). [RT #18275]

2407. [port] hpux: test for sys/dyntune.h. [RT #18421]

2406. [placeholder]

2405. [cleanup] The default value for dnssec-validation was changed to
        "yes" in 9.5.0-P1 and all subsequent releases; this
        was inadvertently omitted from CHANGES at the time.

2404. [port] hpux: files unlimited support.

2403. [bug] TSIG context leak. [RT #18341]

2402. [port] Support Solaris 2.11 and over. [RT #18362]

2401. [bug] Expect to get E[MN]FILE errno internal_accept()
        (from accept() or fcntl() system calls). [RT #18358]

2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
        [RT #18297]

2399. [placeholder]

2398. [bug] Improve file descriptor management. New,
        temporary, named.conf option reserved-sockets,
        default 512. [RT #18344]

2397. [bug] gssapi_functions had too many elements. [RT #18355]

2396. [bug] Don't set SO_REUSEADDR for randomized ports.
        [RT #18336]

2395. [port] Avoid warning and no effect from "files unlimited"
        on Linux when running as root. [RT #18335]

2394. [bug] Default configuration options set the limit for
        open files to 'unlimited' as described in the
        documentation. [RT #18331]

2393. [bug] nested acls containing keys could trigger an
        assertion in acl.c. [RT #18166]

2392. [bug] remove 'grep -q' from acl test script, some platforms
        don't support it. [RT #18253]

2391. [port] hpux: cover additional recvmsg() error codes.
        [RT #18301]

2390. [bug] dispatch.c could make a false warning on 'odd socket'.
        [RT #18301].

2389. [bug] Move the "working directory writable" check to after
        the ns_os_changeuser() call. [RT #18326]

2388. [bug] Avoid using tables for layout purposes in
        statistics XSL [RT #18159].

2387. [bug] Silence compiler warnings in lib/isc/radix.c.
        [RT #18147] [RT #18258]

2386. [func] Add warning about too small 'open files' limit.
        [RT #18269]

2385. [bug] A condition variable in socket.c could leak in
        rare error handling [RT #17968].

2384. [security] Fully randomize UDP query ports to improve
        forgery resilience. [RT #17949, #18098]

2383. [bug] named could double queries when they resulted in
        SERVFAIL due to overkilling EDNS0 failure detection.
        [RT #18182]

2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
        to ARM.

2381. [port] dlz/mysql: support multiple install layouts for
        mysql. <prefix>/include/{,mysql/}mysql.h and
        <prefix>/lib/{,mysql/}. [RT #18152]

2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
        proofs which, in turn, caused validation failures
        for insecure zones immediately below a secure zone
        the server was authoritative for. [RT #18112]

2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
        TLDs and supported RRs with TTLs [RT #17972]

2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
        [RT #18169]

2377. [bug] Address race condition in dnssec-signzone. [RT #18142]

2376. [bug] Change #2144 was not complete.

2375. [placeholder]

2374. [bug] "blackhole" ACLs could cause named to segfault due
        to some uninitialized memory. [RT #18095]

2373. [bug] Default values of zone ACLs were re-parsed each time a
        new zone was configured, causing an overconsumption
        of memory. [RT #18092]

2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]

2371. [doc] Add +nsid option to dig man page. [RT #18039]

2370. [bug] "rndc freeze" could trigger an assertion in named
        when called on a nonexistent zone. [RT #18050]

2369. [bug] libbind: Array bounds overrun on read in bitncmp().
        [RT #18054]

2368. [port] Linux: use libcap for capability management if
        possible. [RT #18026]

2367. [bug] Improve counting of dns_resstatscounter_retry
        [RT #18030]

2366. [bug] Adb shutdown race. [RT #18021]

2365. [bug] Fix a bug that caused dns_acl_isany() to return
        spurious results. [RT #18000]

2364. [bug] named could trigger an assertion when serving a
        malformed signed zone. [RT #17828]

2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
        [RT #17513]

2362. [cleanup] Make "rrset-order fixed" a compile-time option,
        settable by "./configure --enable-fixed-rrset".
        Disabled by default. [RT #17977]

2361. [bug] "recursion" statistics counter could be counted
        multiple times for a single query. [RT #17990]

2360. [bug] Fix a condition where we release a database version
        (which may acquire a lock) while holding the lock.

2359. [bug] Fix NSID bug. [RT #17942]

2358. [doc] Update host's default query description. [RT #17934]

2357. [port] Don't use OpenSSL's engine support in versions before
        OpenSSL 0.9.7f. [RT #17922]

2356. [bug] Built in mutex profiler was not scalable enough.
        [RT #17436]

2355. [func] Extend the number of statistics counters available.
        [RT #17590]

2354. [bug] Failed to initialize some rdatasetheader_t elements.
        [RT #17927]

2353. [func] Add support for Name Server ID (RFC 5001).
        'dig +nsid' requests NSID from server.
        'request-nsid yes;' causes recursive server to send
        NSID requests to upstream servers. Server responds
        to NSID requests with the string configured by
        'server-id' option. [RT #17091]

2352. [bug] Various GSS_API fixups. [RT #17729]

2351. [bug] convertxsl.pl generated very long lines. [RT #17906]

2350. [port] win32: IPv6 support. [RT #17797]

2349. [func] Provide incremental re-signing support for secure
        dynamic zones. [RT #1091]

2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
        Documentation is in the new README.pkcs11 file.
        New tool, dnssec-keyfromlabel, which takes the
        label of a key pair in a HSM and constructs a DNS
        key pair for use by named and dnssec-signzone.
        [RT #16844]

2347. [bug] Delete now traverses the RB tree in the canonical
        order. [RT #17451]

2346. [func] Memory statistics now cover all active memory contexts
        in increased detail. [RT #17580]

2345. [bug] named-checkconf failed to detect when forwarders
        were set at both the options/view level and in
        a root zone. [RT #17671]

2344. [bug] Improve "logging{ file ...; };" documentation.
        [RT #17888]

2343. [bug] (Seemingly) duplicate IPv6 entries could be
        created in ADB. [RT #17837]

2342. [func] Use getifaddrs() if available under Linux. [RT #17224]

2341. [bug] libbind: add missing -I../include for off source
        tree builds. [RT #17606]

2340. [port] openbsd: interface configuration. [RT #17700]

2339. [port] tru64: support for libbind. [RT #17589]

2338. [bug] check_ds() could be called with a non DS rdataset.
        [RT #17598]

2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]

2336. [func] If "named -6" is specified then listen on all IPv6
        interfaces if there are no listen-on-v6 clauses in
        named.conf. [RT #17581]

2335. [port] sunos: libbind and *printf() support for long long.
        [RT #17513]

2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
        bug in fromstruct_txt(). [RT #17609]

2333. [bug] Fix off by one error in isc_time_nowplusinterval().
        [RT #17608]

2332. [contrib] query-loc-0.4.0. [RT #17602]

2331. [bug] Failure to regenerate any signatures was not being
        reported nor being passed back to the UPDATE client.
        [RT #17570]

2330. [bug] Remove potential race condition when handling
        over memory events. [RT #17572]

        WARNING: API CHANGE: over memory callback
        function now needs to call isc_mem_waterack().
        See <isc/mem.h> for details.

2329. [bug] Clearer help text for dig's '-x' and '-i' options.

2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET,
        F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
        J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
        M.ROOT-SERVERS.NET.

2327. [bug] It was possible to dereference a NULL pointer in
        rbtdb.c. Implement dead node processing in zones as
        we do for caches. [RT #17312]

2326. [bug] It was possible to trigger an INSIST in the acache
        processing.

2325. [port] Linux: use capset() function if available. [RT #17557]

2324. [bug] Fix IPv6 matching against "any;". [RT #17533]

2323. [port] tru64: namespace clash. [RT #17547]

2322. [port] MacOS: work around the limitation of setrlimit()
        for RLIMIT_NOFILE. [RT #17526]

2321. [placeholder]

2320. [func] Make statistics counters thread-safe for platforms
        that support certain atomic operations. [RT #17466]

2319. [bug] Silence Coverity warnings in
        lib/dns/rdata/in_1/apl_42.c. [RT #17469]

2318. [port] sunos fixes for libbind. [RT #17514]

2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]

2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
        [RT #17513]

2315. [bug] Used incorrect address family for mapped IPv4
        addresses in acl.c. [RT #17519]

2314. [bug] Uninitialized memory use on error path in
        bin/named/lwdnoop.c. [RT #17476]

2313. [cleanup] Silence Coverity warnings. Handle private stacks.
        [RT #17447] [RT #17478]

2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
        [RT #17458]

2311. [bug] IPv6 addresses could match IPv4 ACL entries and
        vice versa. [RT #17462]

2310. [bug] dig, host, nslookup: flush stdout before emitting
        debug/fatal messages. [RT #17501]

2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
        [RT #17455]

2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
        [RT #17495]

2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]

2306. [bug] Remove potential race from lib/dns/resolver.c.
        [RT #17470]

2305. [security] inet_network() buffer overflow. CVE-2008-0122.

2304. [bug] Check returns from all dns_rdata_tostruct() calls.
        [RT #17460]

2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c.
        [RT #17471]

2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]

2301. [bug] Remove resource leak and fix error messages in
        bin/tests/system/lwresd/lwtest.c. [RT #17474]

2300. [bug] Fixed failure to close open file in
        bin/tests/names/t_names.c. [RT #17473]

2299. [bug] Remove unnecessary NULL check in
        bin/nsupdate/nsupdate.c. [RT #17475]

2298. [bug] isc_mutex_lock() failure not caught in
        bin/tests/timers/t_timers.c. [RT #17468]

2297. [bug] isc_entropy_createfilesource() failure not caught in
        bin/tests/dst/t_dst.c. [RT #17467]

2296. [port] Allow docbook stylesheet location to be specified to
        configure. [RT #17457]

2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
        [RT #17459]

2294. [func] Allow the experimental statistics channels to have
        multiple connections and ACL.
        Note: the stats-server and stats-server-v6 options
        available in the previous beta releases are replaced
        with the generic statistics-channels statement.

2293. [func] Add ACL regression test. [RT #17375]

2292. [bug] Log if the working directory is not writable.
        [RT #17312]

2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
        failure to set PR_SET_DUMPABLE. [RT #17312]

2290. [bug] Let AD in the query signal that the client wants AD
        set in the response. [RT #17301]

2289. [func] named-checkzone now reports the out-of-zone CNAME
        found. [RT #17309]

2288. [port] win32: mark service as running when we have finished
        loading. [RT #17441]

2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]

2286. [func] Allow a TCP connection to be used as a weak
        authentication method for reverse zones.
        New update-policy methods tcp-self and 6to4-self.
        [RT #17378]

2285. [func] Test framework for client memory context management.
        [RT #17377]

2284. [bug] Memory leak in UPDATE prerequisite processing.
        [RT #17377]

2283. [bug] TSIG keys were not attaching to the memory
        context. TSIG keys should use the ring's
        memory context rather than the client's memory
        context. [RT #17377]

2282. [bug] Acl code fixups. [RT #17346] [RT #17374]

2281. [bug] Attempts to use undefined acls were not being logged.
        [RT #17307]

2280. [func] Allow the experimental http server to be reached
        over IPv6 as well as IPv4. [RT #17332]

2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
        to protect applications from receiving spurious
        SIGPIPE signals when using the resolver.

2278. [bug] win32: handle the case where Windows returns no
        search list or DNS suffix. [RT #17354]

2277. [bug] Empty zone names were not correctly being caught
        in the post parse checks. [RT #17357]

2276. [bug] Install <dst/gssapi.h>. [RT #17359]

2275. [func] Add support to dig to perform IXFR queries over UDP.
        [RT #17235]

2274. [func] Log zone transfer statistics. [RT #17336]

2273. [bug] Adjust log level to WARNING when saving inconsistent
        stub/slave master and journal files. [RT #17279]

2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
        [RT #17262]

2271. [bug] Fix a memory leak in http server code [RT #17100]

2270. [bug] dns_db_closeversion() version->writer could be reset
        before it is tested. [RT #17290]

2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]

2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
        list.

        --- 9.5.0b1 released ---

2267. [bug] Radix tree node_num value could be set incorrectly,
        causing positive ACL matches to look like negative
        ones. [RT #17311]

2266. [bug] client.c:get_clientmctx() returned the same mctx
        once the pool of mctx's was filled. [RT #17218]

2265. [bug] Test that the memory context's basic_table is non NULL
        before freeing. [RT #17265]

2264. [bug] Server prefix length was being ignored. [RT #17308]

2263. [bug] "named-checkconf -z" failed to set default value
        for "check-integrity". [RT #17306]

2262. [bug] Error status from all but the last view could be
        lost. [RT #17292]

2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]

2260. [bug] Reported wrong clients-per-query when increasing the
        value. [RT #17236]

2259. [placeholder]

        --- 9.5.0a7 released ---

2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
        [RT #17241]

2257. [bug] win32: Use the full path to vcredist_x86.exe when
        calling it. [RT #17222]

2256. [bug] win32: Correctly register the installation location of
        bindevt.dll. [RT #17159]

2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.

2254. [bug] timer.c:dispatch() failed to lock timer->lock
        when reading timer->idle allowing it to see
        intermediate values as timer->idle was reset by
        isc_timer_touch(). [RT #17243]

2253. [func] "max-cache-size" defaults to 32M.
        "max-acache-size" defaults to 16M.

2252. [bug] Fixed errors in sortlist code [RT #17216]

2251. [placeholder]

2250. [func] New flag 'memstatistics' to state whether the
        memory statistics file should be written or not.
        Additionally named's -m option will cause the
        statistics file to be written. [RT #17113]

2249. [bug] Only set Authentic Data bit if client requested
        DNSSEC, per RFC 3655 [RT #17175]

2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]

2247. [doc] Sort doc/misc/options. [RT #17067]

2246. [bug] Make the startup of test servers (ans.pl) more
        robust. [RT #17147]

2245. [bug] Validating lack of DS records at trust anchors wasn't
        working. [RT #17151]

2244. [func] Allow the check of nameserver names against the
        SOA MNAME field to be disabled by specifying
        'notify-to-soa yes;'. [RT #17073]

2243. [func] Configuration files without a newline at the end now
        parse without error. [RT #17120]

2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
        library could require a source of random data.
        [RT #17127]

2241. [func] nsupdate: add an interactive 'help' command. [RT #17099]

2240. [bug] Clean up nsupdate's GSS-TSIG support. Convert
        a number of INSIST()s into plain fatal() errors
        which report the triggering result code.
        The 'key' command wasn't disabling GSS-TSIG.
        [RT #17099]

2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]

2238. [bug] It was possible to trigger a REQUIRE when a
        validation was canceled. [RT #17106]

2237. [bug] libbind: res_init() was not thread aware. [RT #17123]

2236. [bug] dnssec-signzone failed to preserve the case
        of wildcard owner names. [RT #17085]

2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]

2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]

2233. [func] Add support for O(1) ACL processing, based on
        radix tree code originally written by Kevin
        Brintnall. [RT #16288]

2232. [bug] dns_adb_findaddrinfo() could fail and return
        ISC_R_SUCCESS. [RT #17137]

2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
        [RT #17088]

2230. [bug] We could INSIST reading a corrupted journal.
        [RT #17132]

2229. [bug] Null pointer dereference on query pool creation
        failure. [RT #17133]

2228. [contrib] contrib: Change 2188 was incomplete.

2227. [cleanup] Tidied up the FAQ.
[RT #17121] 12332 123332226. [placeholder] 12334 123352225. [bug] More support for systems with no IPv4 addresses. 12336 [RT #17111] 12337 123382224. [bug] Defer journal compaction if a xfrin is in progress. 12339 [RT #17119] 12340 123412223. [bug] Make a new journal when compacting. [RT #17119] 12342 123432222. [func] named-checkconf now checks server key references. 12344 [RT #17097] 12345 123462221. [bug] Set the event result code to reflect the actual 12347 record turned to caller when a cache update is 12348 rejected due to a more credible answer existing. 12349 [RT #17017] 12350 123512220. [bug] win32: Address a race condition in final shutdown of 12352 the Windows socket code. [RT #17028] 12353 123542219. [bug] Apply zone consistency checks to additions, not 12355 removals, when updating. [RT #17049] 12356 123572218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). 12358 [RT #16976] 12359 123602217. [func] Adjust update log levels. [RT #17092] 12361 123622216. [cleanup] Fix a number of errors reported by Coverity. 12363 [RT #17094] 12364 123652215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] 12366 123672214. [bug] Deregister OpenSSL lock callback when cleaning 12368 up. Reorder OpenSSL cleanup so that RAND_cleanup() 12369 is called before the locks are destroyed. [RT #17098] 12370 123712213. [bug] SIG0 diagnostic failure messages were looking at the 12372 wrong status code. [RT #17101] 12373 123742212. [func] 'host -m' now causes memory statistics and active 12375 memory to be printed at exit. [RT 17028] 12376 123772211. [func] Update "dynamic update temporarily disabled" message. 12378 [RT #17065] 12379 123802210. [bug] Deleting class specific records via UPDATE could 12381 fail. [RT #17074] 12382 123832209. [port] osx: linking against user supplied static OpenSSL 12384 libraries failed as the system ones were still being 12385 found. [RT #17078] 12386 123872208. 
[port] win32: make sure both build methods produce the 12388 same output. [RT #17058] 12389 123902207. [port] Some implementations of getaddrinfo() fail to set 12391 ai_canonname correctly. [RT #17061] 12392 12393 --- 9.5.0a6 released --- 12394 123952206. [security] "allow-query-cache" and "allow-recursion" now 12396 cross inherit from each other. 12397 12398 If allow-query-cache is not set in named.conf then 12399 allow-recursion is used if set, otherwise allow-query 12400 is used if set, otherwise the default (localnets; 12401 localhost;) is used. 12402 12403 If allow-recursion is not set in named.conf then 12404 allow-query-cache is used if set, otherwise allow-query 12405 is used if set, otherwise the default (localnets; 12406 localhost;) is used. 12407 12408 [RT #16987] 12409 124102205. [bug] libbind: change #2119 broke thread support. [RT #16982] 12411 124122204. [bug] "rndc flushname name unknown-view" caused named 12413 to crash. [RT #16984] 12414 124152203. [security] Query id generation was cryptographically weak. 12416 [RT # 16915] 12417 124182202. [security] The default acls for allow-query-cache and 12419 allow-recursion were not being applied. [RT #16960] 12420 124212201. [bug] The build failed in a separate object directory. 12422 [RT #16943] 12423 124242200. [bug] The search for cached NSEC records was stopping to 12425 early leading to excessive DLV queries. [RT #16930] 12426 124272199. [bug] win32: don't call WSAStartup() while loading dlls. 12428 [RT #16911] 12429 124302198. [bug] win32: RegCloseKey() could be called when 12431 RegOpenKeyEx() failed. [RT #16911] 12432 124332197. [bug] Add INSIST to catch negative responses which are 12434 not setting the event result code appropriately. 12435 [RT #16909] 12436 124372196. [port] win32: yield processor while waiting for once to 12438 to complete. [RT #16958] 12439 124402195. [func] dnssec-keygen now defaults to nametype "ZONE" 12441 when generating DNSKEYs. [RT #16954] 12442 124432194. 
[bug] Close journal before calling 'done' in xfrin.c. 12444 12445 --- 9.5.0a5 released --- 12446 124472193. [port] win32: BINDInstall.exe is now linked statically. 12448 [RT #16906] 12449 124502192. [port] win32: use vcredist_x86.exe to install Visual 12451 Studio's redistributable dlls if building with 12452 Visual Stdio 2005 or later. 12453 124542191. [func] named-checkzone now allows dumping to stdout (-). 12455 named-checkconf now has -h for help. 12456 named-checkzone now has -h for help. 12457 rndc now has -h for help. 12458 Better handling of '-?' for usage summaries. 12459 [RT #16707] 12460 124612190. [func] Make fallback to plain DNS from EDNS due to timeouts 12462 more visible. New logging category "edns-disabled". 12463 [RT #16871] 12464 124652189. [bug] Handle socket() returning EINTR. [RT #15949] 12466 124672188. [contrib] queryperf: autoconf changes to make the search for 12468 libresolv or libbind more robust. [RT #16299] 12469 124702187. [bug] query_addds(), query_addwildcardproof() and 12471 query_addnxrrsetnsec() should take a version 12472 argument. [RT #16368] 12473 124742186. [port] cygwin: libbind: check for struct sockaddr_storage 12475 independently of IPv6. [RT #16482] 12476 124772185. [port] sunos: libbind: check for ssize_t, memmove() and 12478 memchr(). [RT #16463] 12479 124802184. [bug] bind9.xsl.h didn't build out of the source tree. 12481 [RT #16830] 12482 124832183. [bug] dnssec-signzone didn't handle offline private keys 12484 well. [RT #16832] 12485 124862182. [bug] dns_dispatch_createtcp() and dispatch_createudp() 12487 could return ISC_R_SUCCESS when they ran out of 12488 memory. [RT #16365] 12489 124902181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462] 12491 124922180. [cleanup] Remove bit test from 'compress_test' as they 12493 are no longer needed. [RT #16497] 12494 124952179. [func] 'rndc command zone' will now find 'zone' if it is 12496 unique to all the views. [RT #16821] 12497 124982178. 
[bug] 'rndc reload' of a slave or stub zone resulted in 12499 a reference leak. [RT #16867] 12500 125012177. [bug] Array bounds overrun on read (rcodetext) at 12502 debug level 10+. [RT #16798] 12503 125042176. [contrib] dbus update to handle race condition during 12505 initialization (Bugzilla 235809). [RT #16842] 12506 125072175. [bug] win32: windows broadcast condition variable support 12508 was broken. [RT #16592] 12509 125102174. [bug] I/O errors should always be fatal when reading 12511 master files. [RT #16825] 12512 125132173. [port] win32: When compiling with MSVS 2005 SP1 we also 12514 need to ship Microsoft.VC80.MFCLOC. 12515 12516 --- 9.5.0a4 released --- 12517 125182172. [bug] query_addsoa() was being called with a non zone db. 12519 [RT #16834] 12520 125212171. [bug] Handle breaks in DNSSEC trust chains where the parent 12522 servers are not DS aware (DS queries to the parent 12523 return a referral to the child). 12524 125252170. [func] Add acache processing to test suite. [RT #16711] 12526 125272169. [bug] host, nslookup: when reporting NXDOMAIN report the 12528 given name and not the last name searched for. 12529 [RT #16763] 12530 125312168. [bug] nsupdate: in non-interactive mode treat syntax errors 12532 as fatal errors. [RT #16785] 12533 125342167. [bug] When re-using a automatic zone named failed to 12535 attach it to the new view. [RT #16786] 12536 12537 --- 9.5.0a3 released --- 12538 125392166. [bug] When running in batch mode, dig could misinterpret 12540 a server address as a name to be looked up, causing 12541 unexpected output. [RT #16743] 12542 125432165. [func] Allow the destination address of a query to determine 12544 if we will answer the query or recurse. 12545 allow-query-on, allow-recursion-on and 12546 allow-query-cache-on. [RT #16291] 12547 125482164. [bug] The code to determine how named-checkzone / 12549 named-compilezone was called failed under windows. 12550 [RT #16764] 12551 125522163. 
[bug] If only one of query-source and query-source-v6 12553 specified a port the query pools code broke (change 12554 2129). [RT #16768] 12555 125562162. [func] Allow "rrset-order fixed" to be disabled at compile 12557 time. [RT #16665] 12558 125592161. [bug] Fix which log messages are emitted for 'rndc flush'. 12560 [RT #16698] 12561 125622160. [bug] libisc wasn't handling NULL ifa_addr pointers returned 12563 from getifaddrs(). [RT #16708] 12564 12565 --- 9.5.0a2 released --- 12566 125672159. [bug] Array bounds overrun in acache processing. [RT #16710] 12568 125692158. [bug] ns_client_isself() failed to initialize key 12570 leading to a REQUIRE failure. [RT #16688] 12571 125722157. [func] dns_db_transfernode() created. [RT #16685] 12573 125742156. [bug] Fix node reference leaks in lookup.c:lookup_find(), 12575 resolver.c:validated() and resolver.c:cache_name(). 12576 Fix a memory leak in rbtdb.c:free_noqname(). 12577 Make lookup.c:lookup_find() robust against 12578 event leaks. [RT #16685] 12579 125802155. [contrib] SQLite sdb module from jaboydjr@netwalk.com. 12581 [RT #16694] 12582 125832154. [func] Scoped (e.g. IPv6 link-local) addresses may now be 12584 matched in acls by omitting the scope. [RT #16599] 12585 125862153. [bug] nsupdate could leak memory. [RT #16691] 12587 125882152. [cleanup] Use sizeof(buf) instead of fixed number in 12589 dighost.c:get_trusted_key(). [RT #16678] 12590 125912151. [bug] Missing newline in usage message for journalprint. 12592 [RT #16679] 12593 125942150. [bug] 'rrset-order cyclic' uniformly distribute the 12595 starting point for the first response for a given 12596 RRset. [RT #16655] 12597 125982149. [bug] isc_mem_checkdestroyed() failed to abort on 12599 if there were still active memory contexts. 12600 [RT #16672] 12601 126022148. [func] Add positive logging for rndc commands. [RT #14623] 12603 126042147. [bug] libbind: remove potential buffer overflow from 12605 hmac_link.c. [RT #16437] 12606 126072146. 
[cleanup] Silence Linux's spurious "obsolete setsockopt 12608 SO_BSDCOMPAT" message. [RT #16641] 12609 126102145. [bug] Check DS/DLV digest lengths for known digests. 12611 [RT #16622] 12612 126132144. [cleanup] Suppress logging of SERVFAIL from forwarders. 12614 [RT #16619] 12615 126162143. [bug] We failed to restart the IPv6 client when the 12617 kernel failed to return the destination the 12618 packet was sent to. [RT #16613] 12619 126202142. [bug] Handle master files with a modification time that 12621 matches the epoch. [RT #16612] 12622 126232141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN 12624 equivalent of LDH checks). [RT #16609] 12625 126262140. [bug] libbind: missing unlock on pthread_key_create() 12627 failures. [RT #16654] 12628 126292139. [bug] dns_view_find() was being called with wrong type 12630 in adb.c. [RT #16670] 12631 126322138. [bug] Lock order reversal in resolver.c. [RT #16653] 12633 126342137. [port] Mips little endian and/or mips 64 bit are now 12635 supported for atomic operations. [RT #16648] 12636 126372136. [bug] nslookup/host looped if there was no search list 12638 and the host didn't exist. [RT #16657] 12639 126402135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656] 12641 126422134. [func] Additional statistics support. [RT #16666] 12643 126442133. [port] powerpc: Support both IBM and MacOS Power PC 12645 assembler syntaxes. [RT #16647] 12646 126472132. [bug] Missing unlock on out of memory in 12648 dns_dispatchmgr_setudp(). 12649 126502131. [contrib] dlz/mysql: AXFR was broken. [RT #16630] 12651 126522130. [func] Log if CD or DO were set. [RT #16640] 12653 126542129. [func] Provide a pool of UDP sockets for queries to be 12655 made over. See use-queryport-pool, queryport-pool-ports 12656 and queryport-pool-updateinterval. [RT #16415] 12657 126582128. [doc] xsltproc --nonet, update DTD versions. [RT #16635] 12659 126602127. [port] Improved OpenSSL 0.9.8 support. [RT #16563] 12661 126622126. 
[security] Serialize validation of type ANY responses. [RT #16555] 12663 126642125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ 12665 was defined. [RT #16574] 12666 126672124. [security] It was possible to dereference a freed fetch 12668 context. [RT #16584] 12669 12670 --- 9.5.0a1 released --- 12671 126722123. [func] Use Doxygen to generate internal documentation. 12673 [RT #11398] 12674 126752122. [func] Experimental http server and statistics support 12676 for named via xml. 12677 126782121. [func] Add a 10 slot dead masters cache (LRU) with a 600 12679 second timeout. [RT #16553] 12680 126812120. [doc] Fix markup on nsupdate man page. [RT #16556] 12682 126832119. [compat] libbind: allow res_init() to succeed enough to 12684 return the default domain even if it was unable 12685 to allocate memory. 12686 126872118. [bug] Handle response with long chains of domain name 12688 compression pointers which point to other compression 12689 pointers. [RT #16427] 12690 126912117. [bug] DNSSEC fixes: named could fail to cache NSEC records 12692 which could lead to validation failures. named didn't 12693 handle negative DS responses that were in the process 12694 of being validated. Check CNAME bit before accepting 12695 NODATA proof. To be able to ignore a child NSEC there 12696 must be SOA (and NS) set in the bitmap. [RT #16399] 12697 126982116. [bug] 'rndc reload' could cause the cache to continually 12699 be cleaned. [RT #16401] 12700 127012115. [bug] 'rndc reconfig' could trigger a INSIST if the 12702 number of masters for a zone was reduced. [RT #16444] 12703 127042114. [bug] dig/host/nslookup: searches for names with multiple 12705 labels were failing. [RT #16447] 12706 127072113. [bug] nsupdate: if a zone is specified it should be used 12708 for server discover. [RT #16455] 12709 127102112. [security] Warn if weak RSA exponent is used. [RT #16460] 12711 127122111. [bug] Fix a number of errors reported by Coverity. 12713 [RT #16507] 12714 127152110. 
[bug] "minimal-responses yes;" interacted badly with BIND 8 12716 priming queries. [RT #16491] 12717 127182109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502] 12719 127202108. [func] DHCID support. [RT #16456] 12721 127222107. [bug] dighost.c: more cleanup of buffers. [RT #16499] 12723 127242106. [func] 'rndc status' now reports named's version. [RT #16426] 12725 127262105. [func] GSS-TSIG support (RFC 3645). 12727 127282104. [port] Fix Solaris SMF error message. 12729 127302103. [port] Add /usr/sfw to list of locations for OpenSSL 12731 under Solaris. 12732 127332102. [port] Silence Solaris 10 warnings. 12734 127352101. [bug] OpenSSL version checks were not quite right. 12736 [RT #16476] 12737 127382100. [port] win32: copy libeay32.dll to Build\Debug. 12739 Copy Debug\named-checkzone to Debug\named-compilezone. 12740 127412099. [port] win32: more manifest issues. 12742 127432098. [bug] Race in rbtdb.c:no_references(), which occasionally 12744 triggered an INSIST failure about the node lock 12745 reference. [RT #16411] 12746 127472097. [bug] named could reference a destroyed memory context 12748 after being reloaded / reconfigured. [RT #16428] 12749 127502096. [bug] libbind: handle applications that fail to detect 12751 res_init() failures better. 12752 127532095. [port] libbind: always prototype inet_cidr_ntop_ipv6() and 12754 net_cidr_ntop_ipv6(). [RT #16388] 12755 127562094. [contrib] Update named-bootconf. [RT #16404] 12757 127582093. [bug] named-checkzone -s was broken. 12759 127602092. [bug] win32: dig, host, nslookup. Use registry config 12761 if resolv.conf does not exist or no nameservers 12762 listed. [RT #15877] 12763 127642091. [port] dighost.c: race condition on cleanup. [RT #16417] 12765 127662090. [port] win32: Visual C++ 2005 command line manifest support. 12767 [RT #16417] 12768 127692089. [security] Raise the minimum safe OpenSSL versions to 12770 OpenSSL 0.9.7l and OpenSSL 0.9.8d. 
Versions 12771 prior to these have known security flaws which 12772 are (potentially) exploitable in named. [RT #16391] 12773 127742088. [security] Change the default RSA exponent from 3 to 65537. 12775 [RT #16391] 12776 127772087. [port] libisc failed to compile on OS's w/o a vsnprintf. 12778 [RT #16382] 12779 127802086. [port] libbind: FreeBSD now has get*by*_r() functions. 12781 [RT #16403] 12782 127832085. [doc] win32: added index.html and README to zip. [RT #16201] 12784 127852084. [contrib] dbus update for 9.3.3rc2. 12786 127872083. [port] win32: Visual C++ 2005 support. 12788 127892082. [doc] Document 'cache-file' as a test only option. 12790 127912081. [port] libbind: minor 64-bit portability fix in memcluster.c. 12792 [RT #16360] 12793 127942080. [port] libbind: res_init.c did not compile on older versions 12795 of Solaris. [RT #16363] 12796 127972079. [bug] The lame cache was not handling multiple types 12798 correctly. [RT #16361] 12799 128002078. [bug] dnssec-checkzone output style "default" was badly 12801 named. It is now called "relative". [RT #16326] 12802 128032077. [bug] 'dnssec-signzone -O raw' wasn't outputting the 12804 complete signed zone. [RT #16326] 12805 128062076. [bug] Several files were missing #include <config.h> 12807 causing build failures on OSF. [RT #16341] 12808 128092075. [bug] The spillat timer event handler could leak memory. 12810 [RT #16357] 12811 128122074. [bug] dns_request_createvia2(), dns_request_createvia3(), 12813 dns_request_createraw2() and dns_request_createraw3() 12814 failed to send multiple UDP requests. [RT #16349] 12815 128162073. [bug] Incorrect semantics check for update policy "wildcard". 12817 [RT #16353] 12818 128192072. [bug] We were not generating valid HMAC SHA digests. 12820 [RT #16320] 12821 128222071. [port] Test whether gcc accepts -fno-strict-aliasing. 12823 [RT #16324] 12824 128252070. [bug] The remote address was not always displayed when 12826 reporting dispatch failures. 
[RT #16315] 12827 128282069. [bug] Cross compiling was not working. [RT #16330] 12829 128302068. [cleanup] Lower incremental tuning message to debug 1. 12831 [RT #16319] 12832 128332067. [bug] 'rndc' could close the socket too early triggering 12834 a INSIST under Windows. [RT #16317] 12835 128362066. [security] Handle SIG queries gracefully. [RT #16300] 12837 128382065. [bug] libbind: probe for HPUX prototypes for 12839 endprotoent_r() and endservent_r(). [RT 16313] 12840 128412064. [bug] libbind: silence AIX compiler warnings. [RT #16218] 12842 128432063. [bug] Change #1955 introduced a bug which caused the first 12844 'rndc flush' call to not free memory. [RT #16244] 12845 128462062. [bug] 'dig +nssearch' was reusing a buffer before it had 12847 been returned by the socket code. [RT #16307] 12848 128492061. [bug] Accept expired wildcard message reversed. [RT #16296] 12850 128512060. [bug] Enabling DLZ support could leave views partially 12852 configured. [RT #16295] 12853 128542059. [bug] Search into cache rbtdb could trigger an INSIST 12855 failure while cleaning up a stale rdataset. 12856 [RT #16292] 12857 128582058. [bug] Adjust how we calculate rtt estimates in the presence 12859 of authoritative servers that drop EDNS and/or CD 12860 requests. Also fallback to EDNS/512 and plain DNS 12861 faster for zones with less than 3 servers. [RT #16187] 12862 128632057. [bug] Make setting "ra" dependent on both allow-query-cache 12864 and allow-recursion. [RT #16290] 12865 128662056. [bug] dig: ixfr= was not being treated case insensitively 12867 at all times. [RT #15955] 12868 128692055. [bug] Missing goto after dropping multicast query. 12870 [RT #15944] 12871 128722054. [port] freebsd: do not explicitly link against -lpthread. 12873 [RT #16170] 12874 128752053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] 12876 128772052. [bug] 'rndc' improve connect failed message to report 12878 the failing address. [RT #15978] 12879 128802051. 
[port] More strtol() fixes. [RT #16249] 12881 128822050. [bug] Parsing of NSAP records was not case insensitive. 12883 [RT #16287] 12884 128852049. [bug] Restore SOA before AXFR when falling back from 12886 a attempted IXFR when transferring in a zone. 12887 Allow a initial SOA query before attempting 12888 a AXFR to be requested. [RT #16156] 12889 128902048. [bug] It was possible to loop forever when using 12891 avoid-v4-udp-ports / avoid-v6-udp-ports when 12892 the OS always returned the same local port. 12893 [RT #16182] 12894 128952047. [bug] Failed to initialize the interface flags to zero. 12896 [RT #16245] 12897 128982046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate 12899 cleanup [RT #16247]. 12900 129012045. [func] Use lock buckets for acache entries to limit memory 12902 consumption. [RT #16183] 12903 129042044. [port] Add support for atomic operations for Itanium. 12905 [RT #16179] 12906 129072043. [port] nsupdate/nslookup: Force the flushing of the prompt 12908 for interactive sessions. [RT #16148] 12909 129102042. [bug] named-checkconf was incorrectly rejecting the 12911 logging category "config". [RT #16117] 12912 129132041. [bug] "configure --with-dlz-bdb=yes" produced a bad 12914 set of libraries to be linked. [RT #16129] 12915 129162040. [bug] rbtdb no_references() could trigger an INSIST 12917 failure with --enable-atomic. [RT #16022] 12918 129192039. [func] Check that all buffers passed to the socket code 12920 have been retrieved when the socket event is freed. 12921 [RT #16122] 12922 129232038. [bug] dig/nslookup/host was unlinking from wrong list 12924 when handling errors. [RT #16122] 12925 129262037. [func] When unlinking the first or last element in a list 12927 check that the list head points to the element to 12928 be unlinked. [RT #15959] 12929 129302036. [bug] 'rndc recursing' could cause trigger a REQUIRE. 12931 [RT #16075] 12932 129332035. [func] Make falling back to TCP on UDP refresh failure 12934 optional. 
Default "try-tcp-refresh yes;" for BIND 8 12935 compatibility. [RT #16123] 12936 129372034. [bug] gcc: set -fno-strict-aliasing. [RT #16124] 12938 129392033. [bug] We weren't creating multiple client memory contexts 12940 on demand as expected. [RT #16095] 12941 129422032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074] 12943 129442031. [bug] Emit a error message when "rndc refresh" is called on 12945 a non slave/stub zone. [RT # 16073] 12946 129472030. [bug] We were being overly conservative when disabling 12948 openssl engine support. [RT #16030] 12949 129502029. [bug] host printed out the server multiple times when 12951 specified on the command line. [RT #15992] 12952 129532028. [port] linux: socket.c compatibility for old systems. 12954 [RT #16015] 12955 129562027. [port] libbind: Solaris x86 support. [RT #16020] 12957 129582026. [bug] Rate limit the two recursive client exceeded messages. 12959 [RT #16044] 12960 129612025. [func] Update "zone serial unchanged" message. [RT #16026] 12962 129632024. [bug] named emitted spurious "zone serial unchanged" 12964 messages on reload. [RT #16027] 12965 129662023. [bug] "make install" should create ${localstatedir}/run and 12967 ${sysconfdir} if they do not exist. [RT #16033] 12968 129692022. [bug] If dnssec validation is disabled only assert CD if 12970 CD was requested. [RT #16037] 12971 129722021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037] 12973 129742020. [bug] rdataset_setadditional() could leak memory. [RT #16034] 12975 129762019. [tuning] Reduce the amount of work performed per quantum 12977 when cleaning the cache. [RT #15986] 12978 129792018. [bug] Checking if the HMAC MD5 private file was broken. 12980 [RT #15960] 12981 129822017. [bug] allow-query default was not correct. [RT #15946] 12983 129842016. [bug] Return a partial answer if recursion is not 12985 allowed but requested and we had the answer 12986 to the original qname. [RT #15945] 12987 129882015. 
[cleanup] use-additional-cache is now acache-enable for 12989 consistency. Default acache-enable off in BIND 9.4 12990 as it requires memory usage to be configured. 12991 It may be enabled by default in BIND 9.5 once we 12992 have more experience with it. 12993 129942014. [func] Statistics about acache now recorded and sent 12995 to log. [RT #15976] 12996 129972013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR 12998 responses more gracefully. [RT #15941] 12999 130002012. [func] Don't insert new acache entries if acache is full. 13001 [RT #15970] 13002 130032011. [func] dnssec-signzone can now update the SOA record of 13004 the signed zone, either as an increment or as the 13005 system time(). [RT #15633] 13006 130072010. [placeholder] rt15958 13008 130092009. [bug] libbind: Coverity fixes. [RT #15808] 13010 130112008. [func] It is now possible to enable/disable DNSSEC 13012 validation from rndc. This is useful for the 13013 mobile hosts where the current connection point 13014 breaks DNSSEC (firewall/proxy). [RT #15592] 13015 13016 rndc validation newstate [view] 13017 130182007. [func] It is now possible to explicitly enable DNSSEC 13019 validation. default dnssec-validation no; to 13020 be changed to yes in 9.5.0. [RT #15674] 13021 130222006. [security] Allow-query-cache and allow-recursion now default 13023 to the built in acls "localnets" and "localhost". 13024 13025 This is being done to make caching servers less 13026 attractive as reflective amplifying targets for 13027 spoofed traffic. This still leave authoritative 13028 servers exposed. 13029 13030 The best fix is for full BCP 38 deployment to 13031 remove spoofed traffic. 13032 130332005. [bug] libbind: Retransmission timeouts should be 13034 based on which attempt it is to the nameserver 13035 and not the nameserver itself. [RT #13548] 13036 130372004. [bug] dns_tsig_sign() could pass a NULL pointer to 13038 dst_context_destroy() when cleaning up after a 13039 error. [RT #15835] 13040 130412003. 
[bug] libbind: The DNS name/address lookup functions could 13042 occasionally follow a random pointer due to 13043 structures not being completely zeroed. [RT #15806] 13044 130452002. [bug] libbind: tighten the constraints on when 13046 struct addrinfo._ai_pad exists. [RT #15783] 13047 130482001. [func] Check the KSK flag when updating a secure dynamic zone. 13049 New zone option "update-check-ksk yes;". [RT #15817] 13050 130512000. [bug] memmove()/strtol() fix was incomplete. [RT #15812] 13052 130531999. [func] Implement "rrset-order fixed". [RT #13662] 13054 130551998. [bug] Restrict handling of fifos as sockets to just SunOS. 13056 This allows named to connect to entropy gathering 13057 daemons that use fifos instead of sockets. [RT #15840] 13058 130591997. [bug] Named was failing to replace negative cache entries 13060 when a positive one for the type was learnt. 13061 [RT #15818] 13062 130631996. [bug] nsupdate: if a zone has been specified it should 13064 appear in the output of 'show'. [RT #15797] 13065 130661995. [bug] 'host' was reporting multiple "is an alias" messages. 13067 [RT #15702] 13068 130691994. [port] OpenSSL 0.9.8 support. [RT #15694] 13070 130711993. [bug] Log messages, via syslog, were missing the space 13072 after the timestamp if "print-time yes" was specified. 13073 [RT #15844] 13074 130751992. [bug] Not all incoming zone transfer messages included the 13076 view. [RT #15825] 13077 130781991. [cleanup] The configuration data, once read, should be treated 13079 as read only. Expand the use of const to enforce this 13080 at compile time. [RT #15813] 13081 130821990. [bug] libbind: isc's override of broken gettimeofday() 13083 implementations was not always effective. 13084 [RT #15709] 13085 130861989. [bug] win32: don't check the service password when 13087 re-installing. [RT #15882] 13088 130891988. [bug] Remove a bus error from the SHA256/SHA512 support. 13090 [RT #15878] 13091 130921987. [func] DS/DLV SHA256 digest algorithm support. 
[RT #15608]
1986. [func] Report when a zone is removed. [RT #15849]
1985. [protocol] DLV has now been assigned an official type code of 32769. [RT #15807]
    Note: care should be taken to ensure you upgrade both named and dnssec-signzone at the same time for zones with DLV records where named is the master server for the zone. Also any zones that contain DLV records should be removed when upgrading a slave zone. You do not however have to upgrade all servers for a zone with DLV records simultaneously.
1984. [func] dig, nslookup and host now advertise a 4096 byte EDNS UDP buffer size by default. [RT #15855]
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
1982. [bug] DNSKEY was being accepted on the parent side of a delegation. KEY is still accepted there for RFC 3007 validated updates. [RT #15620]
1981. [bug] win32: condition.c:wait() could fail to reattain the mutex lock.
1980. [func] dnssec-signzone: output the SOA record as the first record in the signed zone. [RT #15758]
1979. [port] linux: allow named to drop core after changing user ids. [RT #15753]
1978. [port] Handle systems which have a broken recvmsg(). [RT #15742]
1977. [bug] Silence noisy log message. [RT #15704]
1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
1975. [bug] libbind: isc_gethexstring() could misparse multi-line hex strings with comments. [RT #15814]
1974. [doc] List each of the zone types and associated zone options separately in the ARM.
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and HMACSHA512 support. [RT #13606]
1972. [contrib] DBUS dynamic forwarders integration from Jason Vas Dias <jvdias@redhat.com>.
1971. [port] linux: make detection of missing IF_NAMESIZE more robust. [RT #15443]
1970. [bug] nsupdate: adjust UDP timeout when falling back to unsigned SOA query. [RT #15775]
1969. [bug] win32: the socket code was freeing the socket structure too early. [RT #15776]
1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
1966. [bug] Don't set CD when we have fallen back to plain DNS. [RT #15727]
1965. [func] Suppress spurious "recursion requested but not available" warning with 'dig +qr'. [RT #15780].
1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
1963. [port] Tru64 4.0E doesn't support send() and recv(). [RT #15586]
1962. [bug] Named failed to clear old update-policy when it was removed. [RT #15491]
1961. [bug] Check the port and address of responses forwarded to dispatch. [RT #15474]
1960. [bug] Update code should set NSEC ttls from SOA MINIMUM. [RT #15465]
1959. [func] Control the zeroing of the negative response TTL to a soa query. Defaults "zero-no-soa-ttl yes;" and "zero-no-soa-ttl-cache no;". [RT #15460]
1958. [bug] Named failed to update the zone's secure state until the zone was reloaded. [RT #15412]
1957. [bug] Dig mishandled responses to class ANY queries. [RT #15402]
1956. [bug] Improve cross compile support, 'gen' is now built by native compiler. See README for additional cross compile support information. [RT #15148]
1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
1954. [func] Named now falls back to advertising EDNS with a 512 byte receive buffer if the initial EDNS queries fail. [RT #14852]
1953. [func] The maximum EDNS UDP response named will send can now be set in named.conf (max-udp-size). This is independent of the advertised receive buffer (edns-udp-size). [RT #14852]
1952. [port] hpux: tell the linker to build a runtime link path "-Wl,+b:". [RT #14816].
1951. [security] Drop queries from particular well known ports. Don't return FORMERR to queries from particular well known ports. [RT #15636]
1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket. This prevents the source address being set for TCP connections. [RT #15628]
1949. [func] Additional memory leakage checks. [RT #15544]
1948. [bug] It was possible to trigger a REQUIRE failure in xfrin.c:maybe_free() if named ran out of memory. [RT #15568]
1947. [func] It is now possible to configure named to accept expired RRSIGs. Default "dnssec-accept-expired no;". Setting "dnssec-accept-expired yes;" leaves named vulnerable to replay attacks. [RT #14685]
1946. [bug] resume_dslookup() could trigger a REQUIRE failure when using forwarders. [RT #15549]
1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended. To generate an RSAMD5 key you must explicitly request RSAMD5. [RT #13780]
1944. [cleanup] isc_hash_create() does not need a read/write lock. [RT #15522]
1943. [bug] Set the loadtime after rolling forward the journal. [RT #15647]
1942. [bug] If the name of a DNSKEY matches that of one in trusted-keys do not attempt to validate the DNSKEY using the parent's DS RRset. [RT #15649]
1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it. [RT #15642]
1940. [bug] Fixed a number of error conditions reported by Coverity.
1939. [bug] The resolver could dereference a null pointer after validation if all the queries have timed out. [RT #15528]
1938. [bug] The validator was not correctly handling unsecure negative responses at or below a SEP. [RT #15528]
1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
1936. [bug] The validator could leak memory. [RT #15544]
1935. [bug] 'acache' was DO sensitive. [RT #15430]
1934. [func] Validate pending NS RRsets, in the authority section, prior to returning them if it can be done without requiring DNSKEYs to be fetched. [RT #15430]
1933. [bug] dump_rdataset_raw() had an incorrect INSIST. [RT #15534]
1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
1931. [bug] Per-client mctx could require a huge amount of memory, particularly for a busy caching server. [RT #15519]
1930. [port] HPUX: ia64 support. [RT #15473]
1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
1927. [bug] Access to soanode or nsnode in rbtdb violated the lock order rule and could cause a dead lock. [RT #15518]
1926. [bug] The Windows installer did not check for empty passwords. BINDinstall was being installed in the wrong place. [RT #15483]
1925. [port] All outer level AC_TRY_RUNs need cross compiling defaults. [RT #15469]
1924. [port] libbind: hpux ia64 support. [RT #15473]
1923. [bug] ns_client_detach() called too early. [RT #15499]
1922. [bug] check-tool.c:setup_logging() missing call to dns_log_setcontext().
1921. [bug] Client memory contexts were not using internal malloc. [RT #15434]
1920. [bug] The cache rbtdb lock array was too small to have the desired performance characteristics. [RT #15454]
1919. [contrib] queryperf: a set of new features: collecting/printing response delays, printing intermediate results, and adjusting query rate for the "target" qps.
1918. [bug] Memory leak when checking acls. [RT #15391]
1917. [doc] funcsynopsisinfo wasn't being treated as verbatim when generating man pages. [RT #15385]
1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]
1915. [bug] dig +ndots was broken. [RT #15215]
1914. [protocol] DS is required to accept mnemonic algorithms (RFC 4034). Still emit numeric algorithms for compatibility with RFC 3658. [RT #15354]
1913. [func] Integrate contributed DLZ code into named. [RT #11382]
1912. [port] aix: atomic locking for powerpc. [RT #15020]
1911. [bug] Update windows socket code. [RT #14965]
1910. [bug] dig's +sigchase code overhauled. [RT #14933]
1909. [bug] The DLV code has been re-worked to make it no longer query order sensitive. [RT #14933]
1908. [func] dig now warns if 'RA' is not set in the answer when 'RD' was set in the query. host/nslookup skip servers that fail to set 'RA' when 'RD' is set unless a server is explicitly set. [RT #15005]
1907. [func] host/nslookup now continue (default)/fail on SERVFAIL. [RT #15006]
1906. [func] dig now has a '-q queryname' and '+showsearch' options. [RT #15034]
1905. [bug] Strings returned from cfg_obj_asstring() should be treated as read-only. The prototype for cfg_obj_asstring() has been updated to reflect this. [RT #15256]
1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC 1918 zones are not yet covered by this but are likely to be in a future release.
    New options: empty-server, empty-contact, empty-zones-enable and disable-empty-zone.
1903. [func] ISC string copy API.
1902. [func] Attempt to make the amount of work performed in an iteration self tuning. This covers nodes cleaned from the cache per iteration, nodes written to disk when rewriting a master file and nodes destroyed per iteration when destroying a zone or a cache. [RT #14996]
1901. [cleanup] Don't add DNSKEY records to the additional section.
1900. [bug] ixfr-from-differences failed to ensure that the serial number increased. [RT #15036]
1899. [func] named-checkconf now validates update-policy entries. [RT #14963]
1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and ISC_NETADDR_FORMATSIZE to allow for scope details.
1897. [func] x86 and x86_64 now have separate atomic locking implementations.
1896. [bug] Recursive clients soft quota support wasn't working as expected. [RT #15103]
1895. [bug] An escaped character is, potentially, converted to the output character set too early. [RT #14666]
1894. [doc] Review ARM for BIND 9.4.
1893. [port] Use uintptr_t if available. [RT #14606]
1892. [func] Support for SPF rdata type. [RT #15033]
1891. [port] freebsd: pthread_mutex_init can fail if it runs out of memory. [RT #14995]
1890. [func] Raise the UDP receive buffer size to 32k if it is less than 32k. [RT #14953]
1889. [port] sunos: non blocking i/o support. [RT #14951]
1888. [func] Support for IPSECKEY rdata type. [RT #14967]
1887. [bug] The cache could delete expired records too fast for clients with a virtual time in the past. [RT #14991]
1886. [bug] fctx_create() could return success even though it failed. [RT #14993]
1885. [func] dig: report the number of extra bytes still left in the packet after processing all the records.
1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug levels. [RT #14962]
1882. [func] Limit the number of recursive clients that can be waiting for a single query (<qname,qtype,qclass>) to resolve. New options clients-per-query and max-clients-per-query.
1881. [func] Add a system test for named-checkconf. [RT #14931]
1880. [func] The lame cache is now done on a <qname,qclass,qtype> basis as some servers only appear to be lame for certain query types. [RT #14916]
1879. [func] "USE INTERNAL MALLOC" is now runtime selectable. [RT #14892]
1878. [func] Detect duplicates of UDP queries we are recursing on and drop them. New stats category "duplicate". [RT #2471]
1877. [bug] Fix unreasonably low quantum on call to dns_rbt_destroy2(). Remove unnecessary unhash_node() call. [RT #14919]
1876. [func] Additional memory debugging support to track size and mctx arguments. [RT #14814]
1875. [bug] process_dhtkey() was using the wrong memory context to free some memory. [RT #14890]
1874. [port] sunos: portability fixes. [RT #14814]
1873. [port] win32: isc__errno2result() now reports its caller. [RT #13753]
1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
1871. [placeholder]
1870. [func] Added framework for handling multiple EDNS versions. [RT #14873]
1869. [func] dig can now specify the EDNS version when making a query. [RT #14873]
1868. [func] edns-udp-size can now be overridden on a per server basis. [RT #14851]
1867. [bug] It was possible to trigger an INSIST in dlv_validatezonekey(). [RT #14846]
1866. [bug] resolv.conf parse errors were being ignored by dig/host/nslookup. [RT #14841]
1865. [bug] Silently ignore nameservers in /etc/resolv.conf with bad addresses. [RT #14841]
1864. [bug] Don't try the alternative transfer source if you got an answer / transfer with the main source address. [RT #14802]
1863. [bug] rrset-order "fixed" error messages not complete.
1862. [func] Add additional zone data constancy checks. named-checkzone has extended checking of NS, MX and SRV records and the hosts they reference. named has extended post zone load checks. New zone options: check-mx and integrity-check. [RT #4940]
1861. [bug] dig could trigger an INSIST on certain malformed responses. [RT #14801]
1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was incorrectly set. [RT #14775]
1859. [func] Add support for CH A record. [RT #14695]
1858. [bug] The flush-zones-on-shutdown option wasn't being parsed. [RT #14686]
1857. [bug] named could trigger an INSIST() if reconfigured / reloaded too fast. [RT #14673]
1856. [doc] Switch Docbook toolchain from DSSSL to XSL. [RT #11398]
1855. [bug] ixfr-from-differences was failing to detect changes of ttl because dns_diff_subtract() was ignoring the ttl of records. [RT #14616]
1854. [bug] lwres also needs to know the print format for (long long). [RT #13754]
1853. [bug] Rework how DLV interacts with proveunsecure(). [RT #13605]
1852. [cleanup] Remove last vestiges of dnssec-signkey and dnssec-makekeyset (removed from Makefile years ago).
1851. [doc] Doxygen comment markup. [RT #11398]
1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
1849. [doc] All forms of the man pages (docbook, man, html) should have consistent copyright dates.
1848. [bug] Improve SMF integration. [RT #13238]
1847. [bug] isc_ondestroy_init() is called too late in dns_rbtdb_create()/dns_rbtdb64_create(). [RT #13661]
1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer <bortzmeyer@nic.fr>.
1845. [bug] Improve error reporting to distinguish between accept()/fcntl() and socket()/fcntl() errors. [RT #13745]
1844. [bug] inet_pton() accepted more than 4 hexadecimal digits for each 16 bit piece of the IPv6 address. The text representation of an IPv6 address has been tightened to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt). [RT #5662]
1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps when CFLAGS contains "-I /usr/local/include" resulting in old header files being used.
1842. [port] cmsg_len() could produce incorrect results on some platforms. [RT #13744]
1841. [bug] "dig +nssearch" now makes a recursive query to find the list of nameservers to query. [RT #13694]
1840. [func] dnssec-signzone can now randomize signature end times (dnssec-signzone -j jitter). [RT #13609]
1839. [bug] <isc/hash.h> was not being installed.
1838. [cleanup] Don't allow Linux capabilities to be inherited. [RT #13707]
1837. [bug] Compile time option ISC_FACILITY was not effective for 'named -u <user>'. [RT #13714]
1836. [cleanup] Silence compiler warnings in hash_test.c.
1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
1834. [bug] Bad memset in rdata_test.c. [RT #13658]
1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
1832. [bug] named fails to return BADKEY on unknown TSIG algorithm. [RT #13620]
1831. [doc] Update named-checkzone documentation. [RT #13604]
1830. [bug] adb lame cache has sense of test reversed. [RT #13600]
1829. [bug] win32: "pid-file none;" broken. [RT #13563]
1828. [bug] isc_rwlock_init() failed to properly cleanup if it encountered an error. [RT #13549]
1827. [bug] host: update usage message for '-a'. [RT #37116]
1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out of memory error. [RT #13537]
1825. [bug] Missing UNLOCK() on out of memory error in rbtdb.c:subtractrdataset(). [RT #13519]
1824. [bug] Memory leak on dns_zone_setdbtype() failure. [RT #13510]
1823. [bug] Wrong macro used to check for point to point interface. [RT #13418]
1822. [bug] check-names test for RT was reversed. [RT #13382]
1821. [placeholder]
1820. [bug] Gracefully handle acl loops. [RT #13659]
1819. [bug] The validator needed to check both the algorithm and digest types of the DS to determine if it could be used to introduce a secure zone. [RT #13593]
1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
1817. [func] Add support for additional zone file formats for improving loading performance. The masterfile-format option in named.conf can be used to specify a non-default format. A separate command named-compilezone was provided to generate zone files in the new format. Additionally, the -I and -O options for dnssec-signzone specify the input and output formats.
1816. [port] UnixWare: failed to compile lib/isc/unix/net.c. [RT #13597]
1815. [bug] nsupdate triggered a REQUIRE if the server was set without also setting the zone and it encountered a CNAME and was using TSIG. [RT #13086]
1814. [func] UNIX domain controls are now supported.
1813. [func] Restructured the data locking framework using architecture dependent atomic operations (when available), improving response performance on multi-processor machines significantly. x86, x86_64, alpha, powerpc, and mips are currently supported.
1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect. [RT #13453]
1811. [func] Preserve the case of domain names in rdata during zone transfers. [RT #13547]
1810. [bug] configure, lib/bind/configure make different default decisions about whether to do a threaded build. [RT #13212]
1809. [bug] "make distclean" failed for libbind if the platform is not supported.
1808. [bug] zone.c:notify_zone() contained a race condition, zone->db could change underneath it. [RT #13511]
1807. [bug] When forwarding (forward only) set the active domain from the forward zone name. [RT #13526]
1806. [bug] The resolver returned the wrong result when a CNAME / DNAME was encountered when fetching glue from a secure namespace. [RT #13501]
1805. [bug] Pending status was not being cleared when DLV was active. [RT #13501]
1804. [bug] Ensure that if we are queried for glue that it fits in the additional section or TC is set to tell the client to retry using TCP. [RT #10114]
1803. [bug] dnssec-signzone sometimes failed to remove old RRSIGs. [RT #13483]
1802. [bug] Handle connection resets better. [RT #11280]
1801. [func] Report differences between hints and real NS rrset and associated address records.
1800. [bug] Change #1719 allowed an INSIST to be triggered. [RT #13428]
1799. [bug] 'rndc flushname' failed to flush negative cache entries. [RT #13438]
1798. [func] The server syntax has been extended to support a range of servers. [RT #11132]
1797. [func] named-checkconf now checks acls to verify that they only refer to existing acls. [RT #13101]
1796. [func] "rndc freeze/thaw" now freezes/thaws all zones.
1795. [bug] "rndc dumpdb" was not fully documented. Minor formatting issues with "rndc dumpdb -all". [RT #13396]
1794. [func] Named and named-checkzone can now both check for non-terminal wildcard records.
1793. [func] Extend adjusting TTL warning messages. [RT #13378]
1792. [func] New zone option "notify-delay". Specify a minimum delay between sets of NOTIFY messages.
1791. [bug] 'host -t a' still printed out AAAA and MX records. [RT #13230]
1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should allow parallel make to succeed.
1789. [bug] Prerequisite test for tkey and dnssec could fail with "configure --with-libtool".
1788. [bug] libbind9.la/libbind9.so needs to link against libisccfg.la/libisccfg.so.
1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
1786. [port] AIX: libt_api needs to be taught to look for T_testlist in the main executable (--with-libtool). [RT #13239]
1785. [bug] libbind9.la/libbind9.so needs to link against libisc.la/libisc.so.
1784. [cleanup] "libtool -allow-undefined" is the default. Leave hooks in configure to allow it to be set if needed in the future.
1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the source tree.
1782. [port] OSX: --with-libtool + --enable-libbind broke on __evOptMonoTime. [RT #13219]
1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
1780. [bug] Update libtool to 1.5.10.
1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
1778. [port] HPUX 11.11: fix broken IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT macros.
1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT macros.
1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT macros.
1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
1774. [port] Aix: Silence compiler warnings / build failures. [RT #13154]
1773. [bug] Fast retry on host / net unreachable. [RT #13153]
1772. [placeholder]
1771. [placeholder]
1770. [bug] named-checkconf failed to report a missing file clause for rbt{64} master/hint zones. [RT #13009]
1769. [port] win32: change compiler flags /MTd ==> /MDd, /MT ==> /MD.
1768. [bug] nsecnoexistnodata() could be called with a non-NSEC rdataset. [RT #12907]
1767. [port] Builds on IPv6 platforms without IPv6 Advanced API support for (struct in6_pktinfo) failed. [RT #13077]
1766. [bug] Update the master file timestamp on successful refresh as well as the journal's timestamp. [RT #13062]
1765. [bug] configure --with-openssl=auto failed. [RT #12937]
1764. [bug] dns_zone_replacedb failed to emit an error message if there was no SOA record in the replacement db. [RT #13016]
1763. [func] Perform sanity checks on NS records which refer to 'in zone' names. [RT #13002]
1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS even when it failed. [RT #12995]
1761. [bug] 'rndc dumpdb' didn't report unassociated entries. [RT #12971]
1760. [bug] Host / net unreachable was not penalising rtt estimates. [RT #12970]
1759. [bug] Named failed to startup if the OS supported IPv6 but had no IPv6 interfaces configured. [RT #12942]
1758. [func] Don't send notify messages to self. [RT #12933]
1757. [func] host now can turn on memory debugging flags with '-m'.
1756. [func] named-checkconf now checks the logging configuration. [RT #12352]
1755. [func] allow-update is now settable at the options / view level. [RT #6636]
1754. [bug] We weren't always attempting to query the parent server for the DS records at the zone cut. [RT #12774]
1753. [bug] Don't serve a slave zone which has no NS records. [RT #12894]
1752. [port] Move isc_app_start() to after ns_os_daemonise() as some fork() implementations unblock the signals that are blocked by isc_app_start(). [RT #12810]
1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly. [RT #12864]
1749. [bug] 'check-names response ignore;' failed to ignore. [RT #12866]
1748. [func] dig now returns the byte count for axfr/ixfr.
1747. [bug] BIND 8 compatibility: named/named-checkconf failed to parse "host-statistics-max" in named.conf.
1746. [func] Make public the function to read a key file, dst_key_read_public(). [RT #12450]
1745. [bug] Dig/host/nslookup accept replies from link locals regardless of scope if no scope was specified when query was sent. [RT #12745]
1744. [bug] If tuple2msgname() failed to convert a tuple to a name a REQUIRE could be triggered. [RT #12796]
1743. [bug] If isc_taskmgr_create() was not able to create the requested number of worker threads then destruction of the manager would trigger an INSIST() failure. [RT #12790]
1742. [bug] Deleting all records at a node then adding a previously existing record, in a single UPDATE transaction, failed to leave / regenerate the associated RRSIG records. [RT #12788]
1741. [bug] Deleting all records at a node in a secure zone using an update-policy grant failed. [RT #12787]
1740. [bug] Replace rbt's hash algorithm as it performed badly with certain zones. [RT #12729]
    NOTE: a hash context now needs to be established via isc_hash_create() if the application was not already doing this.
1739. [bug] dns_rbt_deletetree() could incorrectly return ISC_R_QUOTA. [RT #12695]
1738. [bug] Enable overrun checking by default. [RT #12695]
1737. [bug] named failed if more than 16 masters were specified. [RT #12627]
1736. [bug] dst_key_fromnamedfile() could fail to read a public key. [RT #12687]
1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. [RE #12688]
1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path. [RT #12588]
1733. [bug] Return non-zero exit status on initial load failure. [RT #12658]
1732. [bug] 'rrset-order name "*"' wasn't being applied to ".". [RT #12467]
1731. [port] darwin: relax version test in ifconfig.sh. [RT #12581]
1730. [port] Determine the length type used by the socket API. [RT #12581]
1729. [func] Improve check-names error messages.
1728. [doc] Update check-names documentation.
1727. [bug] named-checkzone: check-names support didn't match documentation.
1726. [port] aix5: add support for aix5.
1725. [port] linux: update error message on interaction of threads, capabilities and setuid support (named -u). [RT #12541]
1724. [bug] Look for DNSKEY records with "dig +sigtrace". [RT #12557]
1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
1722. [bug] Don't commit the journal on malformed ixfr streams. [RT #12519]
1721. [bug] Error messages from the journal processing were not always identifying the relevant journal. [RT #12519]
1720. [bug] 'dig +chase' did not terminate on an RFC 2308 Type 1 negative response. [RT #12506]
1719. [bug] named was not correctly caching an RFC 2308 Type 1 negative response. [RT #12506]
1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative responses when looking for the zone / master server. [RT #12506]
1717. [port] solaris: ifconfig.sh did not support Solaris 10. "ifconfig.sh down" didn't work for Solaris 9.
1716. [doc] named.conf(5) was being installed in the wrong location. [RT #12441]
1715. [func] 'dig +trace' now randomly selects the next servers to try. Report if there is a bad delegation.
1714. [bug] dig/host/nslookup were only trying the first address when a nameserver was specified by name. [RT #12286]
1713. [port] linux: extend capset failure message to say: please ensure that the capset kernel module is loaded. see insmod(8)
1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
1710. [func] 'rndc notify zone [class [view]]' resends the NOTIFY messages for the specified zone. [RT #9479]
1709. [port] solaris: add SMF support from Sun.
1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() for conformance to the name space convention. Binary backward compatibility to the old function name is provided. [RT #12376]
1707. [contrib] sdb/ldap updated to version 1.0-beta.
1706. [bug] 'rndc stop' failed to cause zones to be flushed sometimes. [RT #12328]
1705. [func] Allow the journal's name to be changed via named.conf.
1704. [port] lwres needed a snprintf() implementation for platforms without snprintf(). Add missing "#include <isc/print.h>". [RT #12321]
1703. [bug] named would loop sending NOTIFY messages when it failed to receive a response. [RT #12322]
1702. [bug] also-notify should not be applied to built in zones. [RT #12323]
1701. [doc] A minimal named.conf man page.
1700. [func] nslookup is no longer to be treated as deprecated. Remove "deprecated" warning message. Add man page.
1699. [bug] dnssec-signzone can generate "not exact" errors when resigning. [RT #12281]
1698. [doc] Use reserved IPv6 documentation prefix.
1697. [bug] xxx-source{,-v6} was not effective when it specified one of the listening addresses and a different port than the listening port. [RT #12257]
1696. [bug] dnssec-signzone failed to clean out nodes that consisted of only NSEC and RRSIG records. [RT #12154]
1695. [bug] DS records when forwarding require special handling. [RT #12133]
1694. [bug] Report if the builtin views of "_default" / "_bind" are defined in named.conf. [RT #12023]
1693. [bug] max-journal-size was not effective for master zones with ixfr-from-differences set. [RT #12024]
1692. [bug] Don't set -I, -L and -R flags when libcrypto is in /usr/lib. [RT #11971]
1691. [bug] sdb's attachversion was not complete. [RT #11990]
1690. [bug] Delay detaching view from the client until UPDATE processing completes when shutting down. [RT #11714]
1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros contained gratuitous semicolons. [RT #11707]
1688. [bug] LDFLAGS was not supported.
1687. [bug] Race condition in dispatch. [RT #10272]
1686. [bug] Named sent an extraneous NOTIFY when it received a redundant UPDATE request. [RT #11943]
1685. [bug] Change #1679 loop tests weren't quite right.
1684. [func] ixfr-from-differences now takes master and slave in addition to yes and no at the options and view levels.
1683. [bug] dig +sigchase could leak memory. [RT #11445]
1682. [port] Update configure test for (long long) printf format. [RT #5066]
1681. [bug] Only set SO_REUSEADDR when a port is specified in isc_socket_bind(). [RT #11742]
1680. [func] rndc: the source address can now be specified.
1679. [bug] When there was a single nameserver with multiple addresses for a zone not all addresses were tried. [RT #11706]
1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
1676. [func] New option "allow-query-cache". This lets allow-query be used to specify the default zone access level rather than having to have every zone override the global value. allow-query-cache can be set at both the options and view levels. If allow-query-cache is not set allow-query applies.
1675. [bug] named would sometimes add extra NSEC records to the authority section.
1674. [port] linux: increase buffer size used to scan /proc/net/if_inet6.
1673. [port] linux: issue an error message if IPv6 interface scan fails.
1672. [cleanup] Tests which only function in a threaded build now return R:THREADONLY (rather than R:UNTESTED) in a non-threaded build.
1671. [contrib] queryperf: add NAPTR to the list of known types.
1670. [func] Log UPDATE requests to slave zones without an acl as "disabled" at debug level 3. [RT #11657]
1669. [placeholder]
1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
1667. [port] linux: not all versions have IF_NAMESIZE.
1666. [bug] The optional port on hostnames in dual-stack-servers was being ignored.
1665. [func] rndc now allows addresses to be set in the server clauses.
1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
1663. [func] Look for OpenSSL by default.
1662. [bug] Change #1658 failed to change one use of 'type' to 'keytype'.
1661. [bug] Restore dns_name_concatenate() call in adb.c:set_target(). [RT #11582]
1660. [bug] win32: connection_reset_fix() was being called unconditionally. [RT #11595]
1659. [cleanup] Cleanup some messages that were referring to KEY vs DNSKEY, NXT vs NSEC and SIG vs RRSIG.
1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 and DH. Tighten which options apply to KEY and DNSKEY records.
1657. [doc] ARM: document query log output.
1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC, DNSKEY and RRSIG. [RT #11542]
1655. [bug] Logging multiple versions w/o a size was broken. [RT #11446]
1654. [bug] isc_result_totext() contained array bounds read error.
1653. [func] Add key type checking to dst_key_fromfilename(), DST_TYPE_KEY should be used to read TSIG, TKEY and SIG(0) keys.
1652. [bug] TKEY still uses KEY.
1651. [bug] dig: process multiple dash options.
1650. [bug] dig, nslookup: flush standard out after each command.
1649. [bug] Silence "unexpected non-minimal diff" message. [RT #11206]
1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet implemented).
1647. [bug] It was possible to trigger an INSIST when chasing a DS record that required walking back over an empty node. [RT #11445]
1646. [bug] win32: logging file versions didn't work with non-UNC filenames. [RT #11486]
1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified.
1644. [bug] Update the journal modification time after a successful refresh query. [RT #11436]
1643. [bug] dns_db_closeversion() could leak memory / node references. [RT #11163]
1642. [port] Support OpenSSL implementations which don't have DSA support. [RT #11360]
1641. [bug] Update the check-names description in ARM. [RT #11389]
1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was incorrectly closing the socket. [RT #11291]
1639. [func] Initial dlv system test.
1638. [bug] "ixfr-from-differences" could generate a REQUIRE failure if the journal open failed. [RT #11347]
1637. [bug] Node reference leak on error in addnoqname().
1636. [bug] The dump done callback could get ISC_R_SUCCESS even if an error had occurred. The database version no longer matched the version of the database that was dumped.
1635. [bug] Memory leak on error in query_addds().
1634. [bug] named didn't supply a useful error message when it detected duplicate views. [RT #11208]
1633. [bug] named should return NOTIMP to update requests to a slave without an allow-update-forwarding acl specified. [RT #11331]
1632. [bug] nsupdate failed to send prerequisite only UPDATE messages. [RT #11288]
1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124]
1630. [contrib] queryperf: add support for IPv6 transport.
1629. [func] dig now supports IPv6 scoped addresses with the extended format in the local-server part. [RT #8753]
1628. [bug] Typo in Compaq Trucluster support. [RT #11264]
1627. [bug] win32: sockets were not being closed when the last external reference was removed. [RT #11179]
1626. [bug] --enable-getifaddrs was broken. [RT #11259]
1625. [bug] named failed to load/transfer RFC2535 signed zones which contained CNAMES. [RT #11237]
1624. [bug] zonemgr_putio() call should be locked. [RT #11163]
1623. [bug] A serial number of zero was being displayed in the "sending notifies" log message when also-notify was used. [RT #11177]
1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is available, and suppress wildcard binding if not.
1621. [bug] match-destinations did not work for IPv6 TCP queries. [RT #11156]
1620. [func] When loading a zone report if it is signed. [RT #11149]
1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). [RT #11118]
1618. [bug] Fencepost errors in dns_name_ishostname() and dns_name_ismailbox() could trigger an INSIST().
1617. [port] win32: VC++ 6.0 support.
1616. [compat] Ensure that named's version is visible in the core dump. [RT #11127]
1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined.
1614. [port] win32: silence resource limit messages. [RT #11101]
1613. [bug] Builds would fail on machines w/o an if_nametoindex(). Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. [RT #11119]
1612. [bug] check-names at the option/view level could trigger an INSIST. [RT #11116]
1611.
[bug] solaris: IPv6 interface scanning failed to cope with 14215 no active IPv6 interfaces. 14216 142171610. [bug] On dual stack machines "dig -b" failed to set the 14218 address type to be looked up with "@server". 14219 [RT #11069] 14220 142211609. [func] dig now has support to chase DNSSEC signature chains. 14222 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. 14223 14224 DNSSEC validation code in dig coded by Olivier Courtay 14225 (olivier.courtay@irisa.fr) for the IDsA project 14226 (http://idsa.irisa.fr). 14227 142281608. [func] dig and host now accept -4/-6 to select IP transport 14229 to use when making queries. 14230 142311607. [bug] dig, host and nslookup were still using random() 14232 to generate query ids. [RT #11013] 14233 142341606. [bug] DLV insecurity proof was failing. 14235 142361605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. 14237 142381604. [bug] A xfrout_ctx_create() failure would result in 14239 xfrout_ctx_destroy() being called with a 14240 partially initialized structure. 14241 142421603. [bug] nsupdate: set interactive based on isatty(). 14243 [RT #10929] 14244 142451602. [bug] Logging to a file failed unless a size was specified. 14246 [RT #10925] 14247 142481601. [bug] Silence spurious warning 'both "recursion no;" and 14249 "allow-recursion" active' warning from view "_bind". 14250 [RT #10920] 14251 142521600. [bug] Duplicate zone pre-load checks were not case 14253 insensitive. 14254 142551599. [bug] Fix memory leak on error path when checking named.conf. 14256 142571598. [func] Specify that certain parts of the namespace must 14258 be secure (dnssec-must-be-secure). 14259 142601597. [func] Allow notify-source and query-source to be specified 14261 on a per server basis similar to transfer-source. 14262 [RT #6496] 14263 142641596. [func] Accept 'notify-source' style syntax for query-source. 14265 142661595. [func] New notify type 'master-only'. Enable notify for 14267 master zones only. 14268 142691594. 
[bug] 'rndc dumpdb' could prevent named from answering 14270 queries while the dump was in progress. [RT #10565] 14271 142721593. [bug] rndc should return "unknown command" to unknown 14273 commands. [RT #10642] 14274 142751592. [bug] configure_view() could leak a dispatch. [RT #10675] 14276 142771591. [bug] libbind: updated to BIND 8.4.5. 14278 142791590. [port] netbsd: update thread support. 14280 142811589. [func] DNSSEC lookaside validation. 14282 142831588. [bug] win32: TCP sockets could become blocked. [RT #10115] 14284 142851587. [bug] dns_message_settsigkey() failed to clear existing key. 14286 [RT #10590] 14287 142881586. [func] "check-names" is now implemented. 14289 142901585. [placeholder] 14291 142921584. [bug] "make test" failed with a read only source tree. 14293 [RT #10461] 14294 142951583. [bug] Records add via UPDATE failed to get the correct trust 14296 level. [RT #10452] 14297 142981582. [bug] rrset-order failed to work on RRsets with more 14299 than 32 elements. [RT #10381] 14300 143011581. [func] Disable DNSSEC support by default. To enable 14302 DNSSEC specify "dnssec-enable yes;" in named.conf. 14303 143041580. [bug] Zone destruction on final detach takes a long time. 14305 [RT #3746] 14306 143071579. [bug] Multiple task managers could not be created. 14308 143091578. [bug] Don't use CLASS E IPv4 addresses when resolving. 14310 [RT #10346] 14311 143121577. [bug] Use isc_uint32_t in ultrasparc optimizer bug 14313 workaround code. [RT #10331] 14314 143151576. [bug] Race condition in dns_dispatch_addresponse(). 14316 [RT #10272] 14317 143181575. [func] Log TSIG name on TSIG verify failure. [RT #4404] 14319 143201574. [bug] Don't attempt to open the controls socket(s) when 14321 running tests. [RT #9091] 14322 143231573. [port] linux: update to libtool 1.5.2 so that 14324 "make install DESTDIR=/xx" works with 14325 "configure --with-libtool". [RT #9941] 14326 143271572. 
[bug] nsupdate: sign the soa query to find the enclosing 14328 zone if the server is specified. [RT #10148] 14329 143301571. [bug] rbt:hash_node() could fail leaving the hash table 14331 in an inconsistent state. [RT #10208] 14332 143331570. [bug] nsupdate failed to handle classes other than IN. 14334 New keyword 'class' which sets the default class. 14335 [RT #10202] 14336 143371569. [func] nsupdate new command 'answer' which displays the 14338 complete answer message to the last update. 14339 143401568. [bug] nsupdate now reports that the update failed in 14341 interactive mode. [RT #10236] 14342 143431567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201. 14344 143451566. [port] Support for the cmsg framework on Solaris and HP/UX. 14346 This also solved the problem that match-destinations 14347 for IPv6 addresses did not work on these systems. 14348 [RT #10221] 14349 143501565. [bug] CD flag should be copied to outgoing queries unless 14351 the query is under a secure entry point in which case 14352 CD should be set. 14353 143541564. [func] Attempt to provide a fallback entropy source to be 14355 used if named is running chrooted and named is unable 14356 to open entropy source within the chroot area. 14357 [RT #10133] 14358 143591563. [bug] Gracefully fail when unable to obtain neither an IPv4 14360 nor an IPv6 dispatch. [RT #10230] 14361 143621562. [bug] isc_socket_create() and isc_socket_accept() could 14363 leak memory under error conditions. [RT #10230] 14364 143651561. [bug] It was possible to release the same name twice if 14366 named ran out of memory. [RT #10197] 14367 143681560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA 14369 and EAI_NONAME to the same value. 14370 143711559. [port] named should ignore SIGFSZ. 14372 143731558. [func] New DNSSEC 'disable-algorithms'. Support entry into 14374 child zones for which we don't have a supported 14375 algorithm. Such child zones are treated as unsigned. 14376 143771557. 
[func] Implement missing DNSSEC tests for 14378 * NOQNAME proof with wildcard answers. 14379 * NOWILDARD proof with NXDOMAIN. 14380 Cache and return NOQNAME with wildcard answers. 14381 143821556. [bug] nsupdate now treats all names as fully qualified. 14383 [RT #6427] 14384 143851555. [func] 'rrset-order cyclic' no longer has a random starting 14386 point per query. [RT #7572] 14387 143881554. [bug] dig, host, nslookup failed when no nameservers 14389 were specified in /etc/resolv.conf. [RT #8232] 14390 143911553. [bug] The windows socket code could stop accepting 14392 connections. [RT #10115] 14393 143941552. [bug] Accept NOTIFY requests from mapped masters if 14395 matched-mapped is set. [RT #10049] 14396 143971551. [port] Open "/dev/null" before calling chroot(). 14398 143991550. [port] Call tzset(), if available, before calling chroot(). 14400 144011549. [func] named-checkzone can now write out the zone contents 14402 in a easily parsable format (-D and -o). 14403 144041548. [bug] When parsing APL records it was possible to silently 14405 accept out of range ADDRESSFAMILY values. [RT #9979] 14406 144071547. [bug] Named wasted memory recording duplicate lame zone 14408 entries. [RT #9341] 14409 144101546. [bug] We were rejecting valid secure CNAME to negative 14411 answers. 14412 144131545. [bug] It was possible to leak memory if named was unable to 14414 bind to the specified transfer source and TSIG was 14415 being used. [RT #10120] 14416 144171544. [bug] Named would logged a single entry to a file despite it 14418 being over the specified size limit. 14419 144201543. [bug] Logging using "versions unlimited" did not work. 14421 144221542. [placeholder] 14423 144241541. [func] NSEC now uses new bitmap format. 14425 144261540. [bug] "rndc reload <dynamiczone>" was silently accepted. 14427 [RT #8934] 14428 144291539. [bug] Open UDP sockets for notify-source and transfer-source 14430 that use reserved ports at startup. [RT #9475] 14431 144321538. 
[placeholder] rt9997 14433 144341537. [func] New option "querylog". If set specify whether query 14435 logging is to be enabled or disabled at startup. 14436 144371536. [bug] Windows socket code failed to log a error description 14438 when returning ISC_R_UNEXPECTED. [RT #9998] 14439 144401535. [placeholder] 14441 144421534. [bug] Race condition when priming cache. [RT #9940] 14443 144441533. [func] Warn if both "recursion no;" and "allow-recursion" 14445 are active. [RT #4389] 14446 144471532. [port] netbsd: the configure test for <sys/sysctl.h> 14448 requires <sys/param.h>. 14449 144501531. [port] AIX more libtool fixes. 14451 144521530. [bug] It was possible to trigger a INSIST() failure if a 14453 slave master file was removed at just the correct 14454 moment. [RT #9462] 14455 144561529. [bug] "notify explicit;" failed to log that NOTIFY messages 14457 were being sent for the zone. [RT #9442] 14458 144591528. [cleanup] Simplify some dns_name_ functions based on the 14460 deprecation of bitstring labels. 14461 144621527. [cleanup] Reduce the number of gettimeofday() calls without 14463 losing necessary timer granularity. 14464 144651526. [func] Implemented "additional section caching (or acache)", 14466 an internal cache framework for additional section 14467 content to improve response performance. Several 14468 configuration options were provided to control the 14469 behavior. 14470 144711525. [bug] dns_cache_create() could trigger a REQUIRE 14472 failure in isc_mem_put() during error cleanup. 14473 [RT #9360] 14474 144751524. [port] AIX needs to be able to resolve all symbols when 14476 creating shared libraries (--with-libtool). 14477 144781523. [bug] Fix race condition in rbtdb. [RT #9189] 14479 144801522. [bug] dns_db_findnode() relax the requirements on 'name'. 14481 [RT #9286] 14482 144831521. [bug] dns_view_createresolver() failed to check the 14484 result from isc_mem_create(). [RT #9294] 14485 144861520. [protocol] Add SSHFP (SSH Finger Print) type. 
1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong length of the new bitmap.

1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(), contained an off-by-one error when working out the number of octets in the bitmap.

1517. [port] Support for IPv6 interface scanning on HP/UX and TrueUNIX 5.1.

1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.

1515. [func] Allow transfer source to be set in a server statement. [RT #6496]

1514. [bug] named: isc_hash_destroy() was being called too early. [RT #9160]

1513. [doc] Add "US" to root-delegation-only exclude list.

1512. [bug] Extend the delegation-only logging to return query type, class and responding nameserver.

1511. [bug] delegation-only was generating false positives on negative answers from sub-zones.

1510. [func] New view option "root-delegation-only". Apply delegation-only check to all TLDs and root. Note there are some TLDs that are NOT delegation only (e.g. DE, LV, US and MUSEUM); these can be excluded from the checks by using exclude.

      root-delegation-only exclude {
              "DE"; "LV"; "US"; "MUSEUM";
      };

1509. [bug] Hint zones should accept delegation-only. Forward zone should not accept delegation-only.

1508. [bug] Don't apply delegation-only checks to answers from forwarders.

1507. [bug] Handle BIND 8 style returns to NS queries to parents when making delegation-only checks.

1506. [bug] Wrong return type for dns_view_isdelegationonly().

1505. [bug] Uninitialized rdataset in sdb. [RT #8750]

1504. [func] New zone type "delegation-only".

1503. [port] win32: install libeay32.dll outside of system32.

1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.

1501. [func] Allow TCP queue length to be specified via named.conf, tcp-listen-queue.

1500. [bug] host failed to look up MX records. Also look up AAAA records.

1499. [bug] isc_random needs to be seeded better if arc4random() is not used.

1498. [port] bsdos: 5.x support.

1497. [placeholder]

1496. [port] test for pthread_attr_setstacksize().

1495. [cleanup] Replace hash functions with universal hash.

1494. [security] Turn on RSA BLINDING as a precaution.

1493. [placeholder]

1492. [cleanup] Preserve rwlock quota context when upgrading / downgrading. [RT #5599]

1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN lines. [RT #6206]

1490. [bug] Accept reading state as well as working state in ns_client_next(). [RT #6813]

1489. [compat] Treat 'allow-update' on slave zones as a warning. [RT #3469]

1488. [bug] Don't override trust levels for glue addresses. [RT #5764]

1487. [bug] A REQUIRE() failure could be triggered if a zone was queued for transfer and the zone was then removed. [RT #6189]

1486. [bug] isc_print_snprintf() '%%' consumed one too many format characters. [RT #8230]

1485. [bug] gen failed to handle high type values. [RT #6225]

1484. [bug] The number of records reported after an AXFR was wrong. [RT #6229]

1483. [bug] dig axfr failed if the message id in the answer failed to match that in the request. Only the id in the first message is required to match. [RT #8138]

1482. [bug] named could fail to start if the kernel supports IPv6 but no interfaces are configured. Similarly for IPv4. [RT #6229]

1481. [bug] Refresh and stub queries failed to use masters keys if specified. [RT #7391]

1480. [bug] Provide replay protection for rndc commands. Full replay protection requires both rndc and named to be updated. Partial replay protection (limited exposure after restart) is provided if just named is updated.

1479. [bug] cfg_create_tuple() failed to handle out of memory cleanup. parse_list() would leak memory on syntax errors.

1478. [port] ifconfig.sh didn't account for other virtual interfaces. It now takes an optional argument to specify the first interface number. [RT #3907]

1477. [bug] memory leak using stub zones and TSIG.

1476. [placeholder]

1475. [port] Probe for old sprintf().

1474. [port] Provide strtoul() and memmove() for platforms without them.

1473. [bug] create_map() and create_string() failed to handle out of memory cleanup. [RT #6813]

1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.

1471. [bug] libbind: updated to BIND 8.4.0.

1470. [bug] Incorrect length passed to snprintf. [RT #5966]

1469. [func] Log end of outgoing zone transfer at same level as the start of transfer is logged. [RT #4441]

1468. [func] Internal zones are no longer counted for 'rndc status'. [RT #4706]

1467. [func] $GENERATE now supports optional class and ttl.

1466. [bug] lwresd configuration errors resulted in memory and lock leaks. [RT #5228]

1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer() failed to check that trailing bits were zero allowing some invalid base64 strings to be accepted. [RT #5397]

1464. [bug] Preserve "out of zone" data for outgoing zone transfers. [RT #5192]

1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad NXT bit maps. [RT #5577]

1462. [bug] parse_sizeval() failed to check the token type. [RT #5586]

1461. [bug] Remove deadlock from rbtdb code. [RT #5599]

1460. [bug] inet_pton() failed to reject certain malformed IPv6 literals.

1459. [placeholder]

1458. [cleanup] sprintf() -> snprintf().

1457. [port] Provide strlcat() and strlcpy() for platforms without them.

1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.

1455. [bug] <netaddr> missing from server grammar in doc/misc/options. [RT #5616]

1454. [port] Use getifaddrs() if available for interface scanning. --disable-getifaddrs to override. Glibc currently has a getifaddrs() that does not support IPv6. Use --enable-getifaddrs=glibc to force the use of this version under linux machines.

1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]

1452. [placeholder]

1451. [bug] rndc-confgen didn't exit with an error code for all failures. [RT #5209]

1450. [bug] Fetching expired glue failed under certain circumstances. [RT #5124]

1449. [bug] query_addbestns() didn't handle running out of memory gracefully.

1448. [bug] Handle empty wildcards labels.

1447. [bug] We were casting (unsigned int) to and from (void *). rdataset->private4 is now rdataset->privateuint4 to reflect a type change.

1446. [func] Implemented undocumented alternate transfer sources from BIND 8. See use-alt-transfer-source, alt-transfer-source and alt-transfer-source-v6.

      SECURITY: use-alt-transfer-source is ENABLED unless you are using views. This may cause a security risk resulting in accidental disclosure of wrong zone content if the master is supplying different source content based on IP address. If you are not certain, ISC recommends setting use-alt-transfer-source no;

1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has been replaced with DNS_ADBFIND_STARTATZONE which causes the search to start using the closest zone.

1444. [func] dns_view_findzonecut2() allows you to specify if the cache should be searched for zone cuts.

1443. [func] Masters lists can now be specified and referenced in zone masters clauses and other masters lists.

1442. [func] New functions for manipulating port lists: dns_portlist_create(), dns_portlist_add(), dns_portlist_remove(), dns_portlist_match(), dns_portlist_attach() and dns_portlist_detach().

1441. [func] It is now possible to tell dig to bind to a specific source port.

1440. [func] It is now possible to tell named to avoid using certain source ports (avoid-v4-udp-ports, avoid-v6-udp-ports).

1439. [bug] Named could return NOERROR with certain NOTIFY failures. Return NOTAUTH if the NOTIFY zone is not being served.

1438. [func] Log TSIG (if any) when logging NOTIFY requests.

1437. [bug] Leave space for stdio to work in. [RT #5033]

1436. [func] dns_zonemgr_resumexfrs() can be used to restart stalled transfers.

1435. [bug] zmgr_resume_xfrs() was being called read locked rather than write locked. zmgr_resume_xfrs() was not being called if the zone was being shut down.

1434. [bug] "rndc reconfig" failed to initiate the initial zone transfer of new slave zones.

1433. [bug] named could trigger a REQUIRE failure if it could not get a file descriptor when attempting to write a master file. [RT #4347]

1432. [func] The advertised EDNS UDP buffer size can now be set via named.conf (edns-udp-size).

1431. [bug] isc_print_snprintf() "%s" with precision could walk off end of argument. [RT #5191]

1430. [port] linux: IPv6 interface scanning support.

1429. [bug] Prevent the cache getting locked to old servers.

1428. [placeholder]

1427. [bug] Race condition in adb with threaded build.

1426. [placeholder]

1425. [port] linux/libbind: define __USE_MISC when testing *_r() function prototypes in netdb.h. [RT #4921]

1424. [bug] EDNS version not being correctly printed.

1423. [contrib] queryperf: added A6 and SRV.

1422. [func] Log name/type/class when denying a query. [RT #4663]

1421. [func] Differentiate updates that don't succeed due to prerequisites (unsuccessful) vs other reasons (failed).

1420. [port] solaris: work around gcc optimizer bug.

1419. [port] openbsd: use /dev/arandom. [RT #4950]

1418. [bug] 'rndc reconfig' did not cause new slaves to load.

1417. [func] ID.SERVER/CHAOS is now a built in zone. See "server-id" for how to configure.

1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN. [RT #4715]

1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived from SOA MINIMUM.

1414. [func] Support for KSK flag.

1413. [func] Explicitly request the (re-)generation of DS records from keysets (dnssec-signzone -g).

1412. [func] You can now specify servers to be tried if a nameserver has an IPv6 address and you only support IPv4 or the reverse. See dual-stack-servers.

1411. [bug] empty nodes should stop wildcard matches. [RT #4802]

1410. [func] Handle records that live in the parent zone, e.g. DS.

1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.

1408. [bug] "make distclean" was not complete. [RT #4700]

1407. [bug] lfsr incorrectly implements the shift register. [RT #4617]

1406. [bug] dispatch initializes one of the LFSR's with an incorrect polynomial. [RT #4617]

1405. [func] Use arc4random() if available.

1404. [bug] libbind: ns_name_ntol() could overwrite a zero length buffer.

1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset and dnssec-signkey now report their version in the usage message.

1402. [cleanup] A6 has been moved to experimental and is no longer fully supported.

1401. [bug] adb wasn't clearing state when the timer expired.

1400. [bug] Block the addition of wildcard NS records by IXFR or UPDATE. [RT #3502]

1399. [bug] Use serial number arithmetic when testing SIG timestamps. [RT #4268]

1398. [doc] ARM: notify-also should have been also-notify. [RT #4345]

1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.

1396. [func] dnssec-signzone: adjust the default signing time by 1 hour to allow for clock skew.

1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't have a working implementation. [RT #4079]

1394. [func] It is now possible to check if a particular element is in an acl. Remove duplicate entries from the localnets acl.

1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY is not available in the kernel to prevent accidentally listening on IPv4 interfaces.

1392. [bug] named-checkzone: update usage.

1391. [func] Add support for IPv6 scoped addresses in named.

1390. [func] host now supports ixfr.

1389. [bug] named could fail to rotate long log files. [RT #3666]

1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before defining HAVE_IFLIST_SYSCTL. [RT #3770]

1387. [bug] named could crash due to an access to invalid memory space (which caused an assertion failure) in incremental cleaning. [RT #3588]

1386. [bug] named-checkzone -z stopped on errors in a zone. [RT #3653]

1385. [bug] Setting serial-query-rate to 10 would trigger a REQUIRE failure.

1384. [bug] host was incompatible with BIND 8 in its exit code and in the output with the -l option. [RT #3536]

1383. [func] Track the serial number in an IXFR response and log if a mismatch occurs. This is a more specific error than "not exact". [RT #3445]

1382. [bug] make install failed with --enable-libbind. [RT #3656]

1381. [bug] named failed to correctly process answers that contained DNAME records where the resulting CNAME resulted in a negative answer.

1380. [func] 'rndc recursing' dumps recursing queries to 'recursing-file = "named.recursing";'.

1379. [func] 'rndc status' now reports tcp and recursion quota states.

1378. [func] Improved positive feedback for 'rndc {reload|refresh}'.

1377. [func] dns_zone_load{new}() now reports if the zone was loaded, queued for loading or up to date.

1376. [func] New function dns_zone_logc() to log to specified category.

1375. [func] 'rndc dumpdb' now dumps the adb cache along with the data cache.

1374. [func] dns_adb_dump() now logs the lame zones associated with each server.

1373. [bug] Recovery from expired glue failed under certain circumstances.

1372. [bug] named crashes with an assertion failure on exit when sharing the same port for listening and querying, and changing listening addresses several times. [RT #3509]

1371. [bug] notify-source-v6, transfer-source-v6 and query-source-v6 with explicit addresses and using the same ports as named was listening on could interfere with named's ability to answer queries sent to those addresses.

1370. [bug] dig '+[no]recurse' was incorrectly documented.

1369. [bug] Adding an NS record as the lexicographically last record in a secure zone didn't work.

1368. [func] remove support for bitstring labels.

1367. [func] Use response times to select forwarders.

1366. [contrib] queryperf usage was incomplete. Add '-h' for help.

1365. [func] "localhost" and "localnets" acls now include IPv6 addresses / prefixes.

1364. [func] Log file name when unable to open memory statistics and dump database files. [RT #3437]

1363. [func] Listen-on-v6 now supports specific addresses.

1362. [bug] remove IFF_RUNNING test when scanning interfaces.

1361. [func] log the reason for rejecting a server when resolving queries.

1360. [bug] --enable-libbind would fail when not built in the source tree for certain OS's.

1359. [security] Support patched OpenSSL libraries. http://www.cert.org/advisories/CA-2002-23.html

1358. [bug] It was possible to trigger an INSIST when debugging large dynamic updates. [RT #3390]

1357. [bug] nsupdate was extremely wasteful of memory.

1356. [tuning] Reduce the number of events / quantum for zone tasks.

1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.

1354. [doc] lwres man pages had illegal nroff.

1353. [contrib] sdb/ldap to version 0.9.

1352. [bug] dig, host, nslookup when falling back to TCP use the current search entry (if any). [RT #3374]

1351. [bug] lwres_getipnodebyname() returned the wrong name when given an IPv4 literal, af=AF_INET6 and AI_MAPPED was set.

1350. [bug] dns_name_fromtext() failed to handle too many labels gracefully.

1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). http://www.cert.org/advisories/CA-2002-23.html

1348. [port] win32: Rewrote code to use I/O Completion Ports in socket.c, eliminating a host of socket errors. Performance is enhanced.

1347. [placeholder]

1346. [placeholder]

1345. [port] Use an explicit -Wformat with gcc. Not all versions include it in -Wall.

1344. [func] Log if the serial number on the master has gone backwards.
      If you have multiple machines specified in the masters clause you may want to set 'multi-master yes;' to suppress this warning.

1343. [func] Log successful notifies received (info). Adjust log level for failed notifies to notice.

1342. [func] Log remote address with TCP dispatch failures.

1341. [func] Allow a rate limiter to be stalled.

1340. [bug] Delay and spread out the startup refresh load.

1339. [func] dig, host and nslookup now use IP6.ARPA for nibble lookups. Bit string lookups are no longer attempted.

1338. [placeholder]

1337. [placeholder]

1336. [func] Nibble lookups under IP6.ARPA are now supported by dns_byaddr_create(). dns_byaddr_createptrname() is deprecated, use dns_byaddr_createptrname2() instead.

1335. [bug] When performing a nonexistence proof, the validator should discard parent NXTs from higher in the DNS.

1334. [bug] When signing/verifying rdatasets, duplicate rdatas need to be suppressed.

1333. [contrib] queryperf now reports a summary of returned rcodes (-c), rcodes are printed in mnemonic form (-v).

1332. [func] Report the current serial with periodic commits when rolling forward the journal.

1331. [func] Generate DNSSEC wildcard proofs.

1330. [bug] When processing events (non-threaded) only allow the task one chance to use its quantum.

1329. [func] named-checkzone will now check if nameservers that appear to be IP addresses. Available modes "fail", "warn" (default) and "ignore" the results of the check.

1328. [bug] The validator could incorrectly verify an invalid negative proof.

1327. [bug] The validator would incorrectly mark data as insecure when seeing a bogus signature before a correct signature.

1326. [bug] DNAME/CNAME signatures were not being cached when validation was not being performed. [RT #3284]

1325. [bug] If the tcpquota was exhausted it was possible to trigger an INSIST() failure.

1324. [port] darwin: ifconfig.sh now supports darwin.

1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]

1322. [bug] dnssec-signzone usage message was misleading.

1321. [bug] If the last RRset in a zone is glue, dnssec-signzone would incorrectly duplicate its output and sign it.

1320. [doc] query-source-v6 was missing from options section. [RT #3218]

1319. [func] libbind: log attempts to exploit #1318.

1318. [bug] libbind: Remote buffer overrun.

1317. [port] libbind: TrueUNIX 5.1 does not like __align as an element name.

1316. [bug] libbind: gethostans() could get out of sync parsing the response if there was a very long CNAME chain.

1315. [bug] Options should apply to the internal _bind view.

1314. [port] Handle ECONNRESET from sendmsg() [unix].

1313. [func] Query log now says if the query was signed (S) or if EDNS was used (E).

1312. [func] Log TSIG key used w/ outgoing zone transfers.

1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]

1310. [bug] 'rndc stop' failed to cause zones to be flushed sometimes. [RT #3157]

1309. [func] Log that a zone transfer was covered by a TSIG.
15094 150951308. [func] DS (delegation signer) support. 15096 150971307. [bug] nsupdate: allow white space base64 key data. 15098 150991306. [bug] Badly encoded LOC record when the size, horizontal 15100 precision or vertical precision was 0.1m. 15101 151021305. [bug] Document that internal zones are included in the 15103 rndc status results. 15104 151051304. [func] New function: dns_zone_name(). 15106 151071303. [func] Option 'flush-zones-on-shutdown <boolean>;'. 15108 151091302. [func] Extended rndc dumpdb to support dumping of zones and 15110 view selection: 'dumpdb [-all|-zones|-cache] [view]'. 15111 151121301. [func] New category 'update-security'. 15113 151141300. [port] Compaq Trucluster support. 15115 151161299. [bug] Set AI_ADDRCONFIG when looking up addresses 15117 via getaddrinfo() (affects dig, host, nslookup, rndc 15118 and nsupdate). 15119 151201298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile 15121 could be left with a trailing "\" after configure 15122 has been run. 15123 151241297. [port] linux: make handling EINVAL from socket() no longer 15125 conditional on #ifdef LINUX. 15126 151271296. [bug] isc_log_closefilelogs() needed to lock the log 15128 context. 15129 151301295. [bug] isc_log_setdebuglevel() needed to lock the log 15131 context. 15132 151331294. [func] libbind: no longer attempts bit string labels for 15134 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT 15135 for nibble style resolution. 15136 151371293. [func] Entropy can now be retrieved from EGDs. [RT #2438] 15138 151391292. [func] Enable IPv6 support when using ioctl style interface 15140 scanning and OS supports SIOCGLIFADDR using struct 15141 if_laddrreq. 15142 151431291. [func] Enable IPv6 support when using sysctl style interface 15144 scanning. 15145 151461290. [func] "dig axfr" now reports the number of messages 15147 as well as the number of records. 15148 151491289. [port] See if -ldl is required for OpenSSL? [RT #2672] 15150 151511288. 
[bug] Adjusted REQUIRE's in lib/dns/name.c to better 15152 reflect written requirements. 15153 151541287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding 15155 a rdataset to a zone db in the rbtdb implementation of 15156 addrdataset. 15157 151581286. [bug] dns_name_downcase() enforce requirement that 15159 target != NULL or name->buffer != NULL. 15160 151611285. [func] lwres: probe the system to see what address families 15162 are currently in use. 15163 151641284. [bug] The RTT estimate on unused servers was not aged. 15165 [RT #2569] 15166 151671283. [func] Use "dataready" accept filter if available. 15168 151691282. [port] libbind: hpux 11.11 interface scanning. 15170 151711281. [func] Log zone when unable to get private keys to update 15172 zone. Log zone when NXT records are missing from 15173 secure zone. 15174 151751280. [bug] libbind: escape '(' and ')' when converting to 15176 presentation form. 15177 151781279. [port] Darwin uses (unsigned long) for size_t. [RT #2590] 15179 151801278. [func] dig: now supports +[no]cl +[no]ttlid. 15181 151821277. [func] You can now create your own customized printing 15183 styles: dns_master_stylecreate() and 15184 dns_master_styledestroy(). 15185 151861276. [bug] libbind: const pointer conflicts in res_debug.c. 15187 151881275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN. 15189 151901274. [bug] Memory leak in lwres_gnbarequest_parse(). 15191 151921273. [port] libbind: solaris: 64 bit binary compatibility. 15193 151941272. [contrib] Berkeley DB 4.0 sdb implementation from 15195 Nuno Miguel Rodrigues <nmr@co.sapo.pt>. 15196 151971271. [bug] "recursion available: {denied,approved}" was too 15198 confusing. 15199 152001270. [bug] Check that system inet_pton() and inet_ntop() support 15201 AF_INET6. 15202 152031269. [port] Openserver: ifconfig.sh support. 15204 152051268. [port] Openserver: the value FD_SETSIZE depends on whether 15206 <sys/param.h> is included or not. Be consistent. 15207 152081267. 
[func] isc_file_openunique() now creates file using mode 15209 0666 rather than 0600. 15210 152111266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE, 15212 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE 15213 are not C++ compatible, use *_TYPE versions instead. 15214 152151265. [bug] libbind: LINK_INIT and UNLINK were not compatible with 15216 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead. 15217 152181264. [placeholder] 15219 152201263. [bug] Reference after free error if dns_dispatchmgr_create() 15221 failed. 15222 152231262. [bug] ns_server_destroy() failed to set *serverp to NULL. 15224 152251261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide 15226 support for compressed TSIG owner names. 15227 152281260. [func] libbind: res_update can now update IPv6 servers, 15229 new function res_findzonecut2(). 15230 152311259. [bug] libbind: get_salen() IPv6 support was broken for OSs 15232 w/o sa_len. 15233 152341258. [bug] libbind: res_nametotype() and res_nametoclass() were 15235 broken. 15236 152371257. [bug] Failure to write pid-file should not be fatal on 15238 reload. [RT #2861] 15239 152401256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support. 15241 152421255. [bug] When verifying that an NXT proves nonexistence, check 15243 the rcode of the message and only do the matching NXT 15244 check. That is, for NXDOMAIN responses, check that 15245 the name is in the range between the NXT owner and 15246 next name, and for NOERROR NODATA responses, check 15247 that the type is not present in the NXT bitmap. 15248 152491254. [func] preferred-glue option from BIND 8.3. 15250 152511253. [bug] The dnssec system test failed to remove the correct 15252 files. 15253 152541252. [bug] Dig, host and nslookup were not checking the address 15255 the answer was coming from against the address it was 15256 sent to. [RT #2692] 15257 152581251. [port] win32: a make file contained absolute version specific 15259 references. 15260 152611250. 
[func] Nsupdate will report the address the update was 15262 sent to. 15263 152641249. [bug] Missing masters clause was not handled gracefully. 15265 [RT #2703] 15266 152671248. [bug] DESTDIR was not being propagated between makes. 15268 152691247. [bug] Don't reset the interface index for link/site local 15270 addresses. [RT #2576] 15271 152721246. [func] New functions isc_sockaddr_issitelocal(), 15273 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal() 15274 and isc_netaddr_islinklocal(). 15275 152761245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for 15277 accept(). 15278 152791244. [bug] Receiving a TCP message from a blackhole address would 15280 prevent further messages being received over that 15281 interface. 15282 152831243. [bug] It was possible to trigger a REQUIRE() in 15284 dns_message_findtype(). [RT #2659] 15285 152861242. [bug] named-checkzone failed if a journal existed. [RT #2657] 15287 152881241. [bug] Drop received UDP messages with a zero source port 15289 as these are invariably forged. [RT #2621] 15290 152911240. [bug] It was possible to leak zone references by 15292 specifying an incorrect zone to rndc. 15293 152941239. [bug] Under certain circumstances named could continue to 15295 use a name after it had been freed triggering 15296 INSIST() failures. [RT #2614] 15297 152981238. [bug] It is possible to lockup the server when shutting down 15299 if notifies were being processed. [RT #2591] 15300 153011237. [bug] nslookup: "set q=type" failed. 15302 153031236. [bug] dns_rdata{class,type}_fromtext() didn't handle non 15304 NULL terminated text regions. [RT #2588] 15305 153061235. [func] Report 'out of memory' errors from openssl. 15307 153081234. [bug] contrib/sdb: 'zonetodb' failed to call 15309 dns_result_register(). DNS_R_SEENINCLUDE should not 15310 be fatal. 15311 153121233. [bug] The flags field of a KEY record can be expressed in 15313 hex as well as decimal. 15314 153151232. 
[bug] unix/errno2result() didn't handle EADDRNOTAVAIL. 15316 153171231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL. 15318 153191230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken. 15320 153211229. [bug] named would crash if it received a TSIG signed 15322 query as part of an AXFR response. [RT #2570] 15323 153241228. [bug] 'make install' did not depend on 'make all'. [RT #2559] 15325 153261227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER 15327 if a number was expected and some other token was 15328 found. [RT #2532] 15329 153301226. [func] Use EDNS for zone refresh queries. [RT #2551] 15331 153321225. [func] dns_message_setopt() no longer requires that 15333 dns_message_renderbegin() to have been called. 15334 153351224. [bug] 'rrset-order' and 'sortlist' should be additive 15336 not exclusive. 15337 153381223. [func] 'rrset-order' partially works 'cyclic' and 'random' 15339 are supported. 15340 153411222. [bug] Specifying 'port *' did not always result in a system 15342 selected (non-reserved) port being used. [RT #2537] 15343 153441221. [bug] Zone types 'master', 'slave' and 'stub' were not being 15345 compared case insensitively. [RT #2542] 15346 153471220. [func] Support for APL rdata type. 15348 153491219. [func] Named now reports the TSIG extended error code when 15350 signature verification fails. [RT #1651] 15351 153521218. [bug] Named incorrectly returned SERVFAIL rather than 15353 NOTAUTH when there was a TSIG BADTIME error. [RT #2519] 15354 153551217. [func] Report locations of previous key definition when a 15356 duplicate is detected. 15357 153581216. [bug] Multiple server clauses for the same server were not 15359 reported. [RT #2514] 15360 153611215. [port] solaris: add support to ifconfig.sh for x86 2.5.1 15362 153631214. [bug] Win32: isc_file_renameunique() could leave zero length 15364 files behind. 15365 153661213. 
[func] Report view associated with client if it is not a 15367 standard view (_default or _bind). 15368 153691212. [port] libbind: 64k answer buffers were causing stack space 15370 to be exceeded for certain OS. Use heap space instead. 15371 153721211. [bug] dns_name_fromtext() incorrectly handled certain 15373 valid octal bitlabels. [RT #2483] 15374 153751210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped / 15376 compatible addresses. [RT #2461] 15377 153781209. [bug] Dig, host, nslookup were not checking the message ids 15379 on the responses. [RT #2454] 15380 153811208. [bug] dns_master_load*() failed to log a error message if 15382 an error was detected when parsing the owner name of 15383 a record. [RT #2448] 15384 153851207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with 15386 an invalid pointer. 15387 153881206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should 15389 trigger a non-EDNS retry. 15390 153911205. [bug] OPT, TSIG and TKEY cannot be used to set the "class" 15392 of the message. [RT #2449] 15393 153941204. [bug] libbind: res_nupdate() failed to update the name 15395 server addresses before sending the update. 15396 153971203. [func] Report locations of previous acl and zone definitions 15398 when a duplicate is detected. 15399 154001202. [func] New functions: cfg_obj_line() and cfg_obj_file(). 15401 154021201. [bug] Require that if 'callbacks' is passed to 15403 dns_rdata_fromtext(), callbacks->error and 15404 callbacks->warn are initialized. 15405 154061200. [bug] Log 'errno' that we are unable to convert to 15407 isc_result_t. [RT #2404] 15408 154091199. [doc] ARM reference to RFC 2157 should have been RFC 1918. 15410 [RT #2436] 15411 154121198. [bug] OPT printing style was not consistent with the way the 15413 header fields are printed. The DO bit was not reported 15414 if set. Report if any of the MBZ bits are set. 15415 154161197. [bug] Attempts to define the same acl multiple times were not 15417 detected. 
15418 154191196. [contrib] update mdnkit to 2.2.3. 15420 154211195. [bug] Attempts to redefine builtin acls should be caught. 15422 [RT #2403] 15423 154241194. [bug] Not all duplicate zone definitions were being detected 15425 at the named.conf checking stage. [RT #2431] 15426 154271193. [bug] dig +besteffort parsing didn't handle packet 15428 truncation. dns_message_parse() has new flag 15429 DNS_MESSAGE_IGNORETRUNCATION. 15430 154311192. [bug] The seconds fields in LOC records were restricted 15432 to three decimal places. More decimal places should 15433 be allowed but warned about. 15434 154351191. [bug] A dynamic update removing the last non-apex name in 15436 a secure zone would fail. [RT #2399] 15437 154381190. [func] Add the "rndc freeze" and "rndc unfreeze" commands. 15439 [RT #2394] 15440 154411189. [bug] On some systems, malloc(0) returns NULL, which 15442 could cause the caller to report an out of memory 15443 error. [RT #2398] 15444 154451188. [bug] Dynamic updates of a signed zone would fail if 15446 some of the zone private keys were unavailable. 15447 154481187. [bug] named was incorrectly returning DNSSEC records 15449 in negative responses when the DO bit was not set. 15450 154511186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the 15452 EOL token when reading to end of line. 15453 154541185. [bug] libbind: don't assume statp->_u._ext.ext is valid 15455 unless RES_INIT is set when calling res_*init(). 15456 154571184. [bug] libbind: call res_ndestroy() if RES_INIT is set 15458 when res_*init() is called. 15459 154601183. [bug] Handle ENOSR error when writing to the internal 15461 control pipe. [RT #2395] 15462 154631182. [bug] The server could throw an assertion failure when 15464 constructing a negative response packet. 15465 154661181. [func] Add the "key-directory" configuration statement, 15467 which allows the server to look for online signing 15468 keys in alternate directories. 15469 154701180. 
[func] dnssec-keygen should always generate keys with 15471 protocol 3 (DNSSEC), since it's less confusing 15472 that way. 15473 154741179. [func] Add SIG(0) support to nsupdate. 15475 154761178. [bug] Follow and cache (if appropriate) A6 and other 15477 data chains to completion in the additional section. 15478 154791177. [func] Report view when loading zones if it is not a 15480 standard view (_default or _bind). [RT #2270] 15481 154821176. [doc] Document that allow-v6-synthesis is only performed 15483 for clients that are supplied recursive service. 15484 [RT #2260] 15485 154861175. [bug] named-checkzone and named-checkconf failed to call 15487 dns_result_register() at startup which could 15488 result in runtime exceptions when printing 15489 "out of memory" errors. [RT #2335] 15490 154911174. [bug] Win32: add WSAECONNRESET to the expected errors 15492 from connect(). [RT #2308] 15493 154941173. [bug] Potential memory leaks in isc_log_create() and 15495 isc_log_settag(). [RT #2336] 15496 154971172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to 15498 table of RR types in ARM. 15499 155001171. [func] Added function isc_region_compare(), updated files in 15501 lib/dns to use this function instead of local one. 15502 155031170. [bug] Don't attempt to print the token when a I/O error 15504 occurs when parsing named.conf. [RT #2275] 15505 155061169. [func] Identify recursive queries in the query log. 15507 155081168. [bug] Empty also-notify clauses were not handled. [RT #2309] 15509 155101167. [contrib] nslint-2.1a3 (from author). 15511 155121166. [bug] "Not Implemented" should be reported as NOTIMP, 15513 not NOTIMPL. [RT #2281] 15514 155151165. [bug] We were rejecting notify-source{-v6} in zone clauses. 15516 155171164. [bug] Empty masters clauses in slave / stub zones were not 15518 handled gracefully. [RT #2262] 15519 155201163. [func] isc_time_formattimestamp() now includes the year. 15521 155221162. 
[bug] The allow-notify option was not accepted in slave 15523 zone statements. 15524 155251161. [bug] named-checkzone looped on unbalanced brackets. 15526 [RT #2248] 15527 155281160. [bug] Generating Diffie-Hellman keys longer than 1024 15529 bits could fail. [RT #2241] 15530 155311159. [bug] MD and MF are not permitted to be loaded by RFC1123. 15532 155331158. [func] Report the client's address when logging notify 15534 messages. 15535 155361157. [func] match-clients and match-destinations now accept 15537 keys. [RT #2045] 15538 155391156. [port] The configure test for strsep() incorrectly 15540 succeeded on certain patched versions of 15541 AIX 4.3.3. [RT #2190] 15542 155431155. [func] Recover from master files being removed from under 15544 us. 15545 155461154. [bug] Don't attempt to obtain the netmask of a interface 15547 if there is no address configured. [RT #2176] 15548 155491153. [func] 'rndc {stop|halt} -p' now reports the process id 15550 of the instance of named being shutdown. 15551 155521152. [bug] libbind: read buffer overflows. 15553 155541151. [bug] nslookup failed to check that the arguments to 15555 the port, timeout, and retry options were 15556 valid integers and in range. [RT #2099] 15557 155581150. [bug] named incorrectly accepted TTL values 15559 containing plus or minus signs, such as 15560 1d+1h-1s. 15561 155621149. [func] New function isc_parse_uint32(). 15563 155641148. [func] 'rndc-confgen -a' now provides positive feedback. 15565 155661147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by 15567 the OS. listen-on-v6 { any; }; should no longer 15568 result in IPv4 queries be accepted. Similarly 15569 control { inet :: ... }; should no longer result 15570 in IPv4 connections being accepted. This can be 15571 overridden at compile time by defining 15572 ISC_ALLOW_MAPPED=1. 15573 155741146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if 15575 supported by the OS by a new function 15576 isc_socket_ipv6only(). 
15577 155781145. [func] "host" no longer reports a NOERROR/NODATA response 15579 by printing nothing. [RT #2065] 15580 155811144. [bug] rndc-confgen would crash if both the -a and -t 15582 options were specified. [RT #2159] 15583 155841143. [bug] When a trusted-keys statement was present and named 15585 was built without crypto support, it would leak memory. 15586 155871142. [bug] dnssec-signzone would fail to delete temporary files 15588 in some failure cases. [RT #2144] 15589 155901141. [bug] When named rejected a control message, it would 15591 leak a file descriptor and memory. It would also 15592 fail to respond, causing rndc to hang. 15593 [RT #2139, #2164] 15594 155951140. [bug] rndc-confgen did not accept IPv6 addresses as arguments 15596 to the -s option. [RT #2138] 15597 155981139. [func] It is now possible to flush a given name from the 15599 cache(s) via 'rndc flushname name [view]'. [RT #2051] 15600 156011138. [func] It is now possible to flush a given name from the 15602 cache by calling the new function 15603 dns_cache_flushname(). 15604 156051137. [func] It is now possible to flush a given name from the 15606 ADB by calling the new function dns_adb_flushname(). 15607 156081136. [bug] CNAME records synthesized from DNAMEs did not 15609 have a TTL of zero as required by RFC2672. 15610 [RT #2129] 15611 156121135. [func] You can now override the default syslog() facility for 15613 named/lwresd at compile time. [RT #1982] 15614 156151134. [bug] Multi-threaded servers could deadlock in ferror() 15616 when reloading zone files. [RT #1951, #1998] 15617 156181133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on 15619 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106] 15620 156211132. [func] Improve UPDATE prerequisite failure diagnostic messages. 15622 156231131. [bug] The match-destinations view option did not work with 15624 IPv6 destinations. [RT #2073, #2074] 15625 156261130. 
[bug] Log messages reporting an out-of-range serial number 15627 did not include the out-of-range number but the 15628 following token. [RT #2076] 15629 156301129. [bug] Multi-threaded servers could crash under heavy 15631 resolution load due to a race condition. [RT #2018] 15632 156331128. [func] sdb drivers can now provide RR data in either text 15634 or wire format, the latter using the new functions 15635 dns_sdb_putrdata() and dns_sdb_putnamedrdata(). 15636 156371127. [func] rndc: If the server to contact has multiple addresses, 15638 try all of them. 15639 156401126. [bug] The server could access a freed event if shut 15641 down while a client start event was pending 15642 delivery. [RT #2061] 15643 156441125. [bug] rndc: -k option was missing from usage message. 15645 [RT #2057] 15646 156471124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail 15648 are now documented. [RT #2052] 15649 156501123. [bug] dig +[no]fail did not match description. [RT #2052] 15651 156521122. [tuning] Resolution timeout reduced from 90 to 30 seconds. 15653 [RT #2046] 15654 156551121. [bug] The server could attempt to access a NULL zone 15656 table if shut down while resolving. 15657 [RT #1587, #2054] 15658 156591120. [bug] Errors in options were not fatal. [RT #2002] 15660 156611119. [func] Added support in Win32 for NTFS file/directory ACL's 15662 for access control. 15663 156641118. [bug] On multi-threaded servers, a race condition 15665 could cause an assertion failure in resolver.c 15666 during resolver shutdown. [RT #2029] 15667 156681117. [port] The configure check for in6addr_loopback incorrectly 15669 succeeded on AIX 4.3 when compiling with -O2 15670 because the test code was optimized away. 15671 [RT #2016] 15672 156731116. [bug] Setting transfers in a server clause, transfers-in, 15674 or transfers-per-ns to a value greater than 15675 2147483647 disabled transfers. [RT #2002] 15676 156771115. 
[func] Set maximum values for cleaning-interval, 15678 heartbeat-interval, interface-interval, 15679 max-transfer-idle-in, max-transfer-idle-out, 15680 max-transfer-time-in, max-transfer-time-out, 15681 statistics-interval of 28 days and 15682 sig-validity-interval of 3660 days. [RT #2002] 15683 156841114. [port] Ignore more accept() errors. [RT #2021] 15685 156861113. [bug] The allow-update-forwarding option was ignored 15687 when specified in a view. [RT #2014] 15688 156891112. [placeholder] 15690 156911111. [bug] Multi-threaded servers could deadlock processing 15692 recursive queries due to a locking hierarchy 15693 violation in adb.c. [RT #2017] 15694 156951110. [bug] dig should only accept valid abbreviations of +options. 15696 [RT #2003] 15697 156981109. [bug] nsupdate accepted illegal ttl values. 15699 157001108. [bug] On Win32, rndc was hanging when named was not running 15701 due to failure to select for exceptional conditions 15702 in select(). [RT #1870] 15703 157041107. [bug] nsupdate could catch an assertion failure if an 15705 invalid domain name was given as the argument to 15706 the "zone" command. 15707 157081106. [bug] After seeing an out of range TTL, nsupdate would 15709 treat all TTLs as out of range. [RT #2001] 15710 157111105. [port] OpenUNIX 8 enable threads by default. [RT #1970] 15712 157131104. [bug] Invalid arguments to the transfer-format option 15714 could cause an assertion failure. [RT #1995] 15715 157161103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970] 15717 157181102. [doc] Note that query logging is enabled by directing the 15719 queries category to a channel. 15720 157211101. [bug] Array bounds read error in lwres_gai_strerror. 15722 157231100. [bug] libbind: DNSSEC key ids were computed incorrectly. 15724 157251099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused 15726 compile time errors. 15727 157281098. [bug] libbind: HMAC-MD5 key files are now mode 0600. 15729 157301097. 
[func] libbind: RES_PRF_TRUNC for dig. 15731 157321096. [func] libbind: "DNSSEC OK" (DO) support. 15733 157341095. [func] libbind: resolver option: no-tld-query. disables 15735 trying unqualified as a tld. no_tld_query is also 15736 supported for FreeBSD compatibility. 15737 157381094. [func] libbind: add support gcc's format string checking. 15739 157401093. [doc] libbind: miscellaneous nroff fixes. 15741 157421092. [bug] libbind: get*by*() failed to check if res_init() had 15743 been called. 15744 157451091. [bug] libbind: misplaced va_end(). 15746 157471090. [bug] libbind: dns_ho.c:add_hostent() was not returning 15748 the amount of memory consumed resulting in garbage 15749 address being returned. Alignment calculations were 15750 wasting space. We weren't suppressing duplicate 15751 addresses. 15752 157531089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6 15754 support. 15755 157561088. [port] libbind: MPE/iX C.70 (incomplete) 15757 157581087. [bug] libbind: struct __res_state too large on 64 bit arch. 15759 157601086. [port] libbind: sunos: old sprintf. 15761 157621085. [port] libbind: solaris: sys_nerr and sys_errlist do not 15763 exist when compiling in 64 bit mode. 15764 157651084. [cleanup] libbind: gai_strerror() rewritten. 15766 157671083. [bug] The default control channel listened on the 15768 wildcard address, not the loopback as documented. 15769 [RT #1975] 15770 157711082. [bug] The -g option to named incorrectly caused logging 15772 to be sent to syslog in addition to stderr. 15773 [RT #1974] 15774 157751081. [bug] Multicast queries were incorrectly identified 15776 based on the source address, not the destination 15777 address. 15778 157791080. [bug] BIND 8 compatibility: accept bare IP prefixes 15780 as the second element of a two-element top level 15781 sort list statement. [RT #1964] 15782 157831079. 
[bug] BIND 8 compatibility: accept bare elements at top 15784 level of sort list treating them as if they were 15785 a single element list. [RT #1963] 15786 157871078. [bug] We failed to correct bad tv_usec values in one case. 15788 [RT #1966] 15789 157901077. [func] Do not accept further recursive clients when 15791 the total number of recursive lookups being 15792 processed exceeds max-recursive-clients, even 15793 if some of the lookups are internally generated. 15794 [RT #1915, #1938] 15795 157961076. [bug] A badly defined global key could trigger an assertion 15797 on load/reload if views were used. [RT #1947] 15798 157991075. [bug] Out-of-range network prefix lengths were not 15800 reported. [RT #1954] 15801 158021074. [bug] Running out of memory in dump_rdataset() could 15803 cause an assertion failure. [RT #1946] 15804 158051073. [bug] The ADB cache cleaning should also be space driven. 15806 [RT #1915, #1938] 15807 158081072. [bug] The TCP client quota could be exceeded when 15809 recursion occurred. [RT #1937] 15810 158111071. [bug] Sockets listening for TCP DNS connections 15812 specified an excessive listen backlog. [RT #1937] 15813 158141070. [bug] Copy DNSSEC OK (DO) to response as specified by 15815 draft-ietf-dnsext-dnssec-okbit-03.txt. 15816 158171069. [placeholder] 15818 158191068. [bug] errno could be overwritten by catgets(). [RT #1921] 15820 158211067. [func] Allow quotas to be soft, isc_quota_soft(). 15822 158231066. [bug] Provide a thread safe wrapper for strerror(). 15824 [RT #1689] 15825 158261065. [func] Runtime support to select new / old style interface 15827 scanning using ioctls. 15828 158291064. [bug] Do not shut down active network interfaces if we 15830 are unable to scan the interface list. [RT #1921] 15831 158321063. [bug] libbind: "make install" was failing on IRIX. 15833 [RT #1919] 15834 158351062. [bug] If the control channel listener socket was shut 15836 down before server exit, the listener object could 15837 be freed twice. 
[RT #1916]

1061. [bug] If periodic cache cleaning happened to start while cleaning due to reaching the configured maximum cache size was in progress, the server could catch an assertion failure. [RT #1912]

1060. [func] Move refresh, stub and notify UDP retry processing into dns_request.

1059. [func] dns_request will now retry UDP queries, dns_request_createvia2() and dns_request_createraw2().

1058. [func] Limited lifetime ticker timers are now available, isc_timertype_limited.

1057. [bug] Reloading the server after adding a "file" clause to a zone statement could cause the server to crash due to a typo in change 1016.

1056. [bug] Rndc could catch an assertion failure on SIGINT due to an uninitialized variable. [RT #1908]

1055. [func] Version and hostname queries can now be disabled using "version none;" and "hostname none;", respectively.

1054. [bug] On Win32, cfg_categories and cfg_modules need to be exported from the libisccfg DLL.

1053. [bug] Dig did not increase its timeout when receiving AXFRs unless the +time option was used. [RT #1904]

1052. [bug] Journals were not being created in binary mode resulting in "journal format not recognized" error under Win32. [RT #1889]

1051. [bug] Do not ignore a network interface completely just because it has a noncontiguous netmask. Instead, omit it from the localnets ACL and issue a warning. [RT #1891]

1050. [bug] Log messages reporting malformed IP addresses in address lists such as that of the forwarders option failed to include the correct error code, file name, and line number. [RT #1890]

1049. [func] "pid-file none;" will disable writing a pid file. [RT #1848]

1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1 didn't work.

1047. [bug] named was incorrectly refusing all requests signed with a TSIG key derived from an unsigned TKEY negotiation with a NOERROR response. [RT #1886]

1046. [bug] The help message for the --with-openssl configure option was inaccurate. [RT #1880]

1045. [bug] It was possible to skip saving glue for a nameserver for a stub zone.

1044. [bug] Specifying allow-transfer, notify-source, or notify-source-v6 in a stub zone was not treated as an error.

1043. [bug] Specifying a transfer-source or transfer-source-v6 option in the zone statement for a master zone was not treated as an error. [RT #1876]

1042. [bug] The "config" logging category did not work properly. [RT #1873]

1041. [bug] Dig/host/nslookup could catch an assertion failure on SIGINT due to an uninitialized variable. [RT #1867]

1040. [bug] Multiple listen-on-v6 options with different ports were not accepted. [RT #1875]

1039. [bug] Negative responses with CNAMEs in the answer section were cached incorrectly. [RT #1862]

1038. [bug] In servers configured with a tkey-domain option, TKEY queries with an owner name other than the root could cause an assertion failure. [RT #1866, #1869]

1037. [bug] Negative responses whose authority section contains SOA or NS records whose owner names are not equal to or parents of the query name should be rejected. [RT #1862]

1036. [func] Silently drop requests received via multicast as long as there is no final multicast DNS standard.

1035. [bug] If we respond to multicast queries (which we currently do not), respond from a unicast address as specified in RFC 1123. [RT #137]

1034. [bug] Ignore the RD bit on multicast queries as specified in RFC 1123. [RT #137]

1033. [bug] Always respond to requests with an unsupported opcode with NOTIMP, even if we don't have a matching view or cannot determine the class.

1032. [func] hostname.bind/txt/chaos now returns the name of the machine hosting the nameserver. This is useful in diagnosing problems with anycast servers.

1031. [bug] libbind.a: isc__gettimeofday() infinite recursion. [RT #1858]

1030. [bug] On systems with no resolv.conf file, nsupdate exited with an error rather than defaulting to using the loopback address. [RT #1836]

1029. [bug] Some named.conf errors did not cause the loading of the configuration file to return a failure status even though they were logged. [RT #1847]

1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf in the wrong directory. [RT #1833]

1027. [bug] RRs having the reserved type 0 should be rejected. [RT #1471]

1026. [placeholder]

1025. [bug] Don't use multicast addresses to resolve iterative queries. [RT #101]

1024. [port] Compilation failed on HP-UX 11.11 due to incompatible use of the SIOCGLIFCONF macro name. [RT #1831]

1023. [func] Accept hints without TTLs.

1022. [bug] Don't report empty root hints as "extra data". [RT #1802]

1021. [bug] On Win32, log message timestamps were one month later than they should have been, and the server would exhibit unspecified behavior in December.

1020. [bug] IXFR log messages did not distinguish between true IXFRs, AXFR-style IXFRs, and mere version polls. [RT #1811]

1019. [bug] The value of the lame-ttl option was limited to 18000 seconds, not 1800 seconds as documented. [RT #1803]

1018. [bug] The default log channel was not always initialized correctly. [RT #1813]

1017. [bug] When specifying TSIG keys to dig and nsupdate using the -k option, they must be HMAC-MD5 keys. [RT #1810]

1016. [bug] Slave zones with no backup file were re-transferred on every server reload.

1015. [bug] Log channels that had a "versions" option but no "size" option failed to create numbered log files. [RT #1783]

1014. [bug] Some queries would cause statistics counters to increment more than once or not at all. [RT #1321]

1013. [bug] It was possible to cancel a query twice when marking a server as bogus or by having a blackhole acl. [RT #1776]

1012. [bug] The -p option to named did not behave as documented.

1011. [cleanup] Removed isc_dir_current().

1010. [bug] The server could attempt to execute a command channel command after initiating server shutdown, causing an assertion failure. [RT #1766]

1009. [port] OpenUNIX 8 support. [RT #1728]

1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.

1007. [port] config.guess, config.sub from autoconf-2.52.

1006. [bug] If a KEY RR was found missing during DNSSEC validation, an assertion failure could subsequently be triggered in the resolver. [RT #1763]

1005. [bug] Don't copy nonzero RCODEs from request to response. [RT #1765]

1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]

1003. [func] Add the +retry option to dig.

1002. [bug] When reporting an unknown class name in named.conf, include the file name and line number. [RT #1759]

1001. [bug] win32 socket code doio_recv was not catching a WSACONNRESET error when a client was timing out the request and closing its socket. [RT #1745]

1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias for class "HS". [RT #1759]

999. [func] "rndc retransfer zone [class [view]]" added. [RT #1752]

998. [func] named-checkzone now has arguments to specify the chroot directory (-t) and working directory (-w). [RT #1755]

997. [func] Add support for RSA-SHA1 keys (RFC3110).

996. [func] Issue warning if the configuration filename contains the chroot path.

995. [bug] dig, host, nslookup: using a raw IPv6 address as a target address should be fatal on an IPv4 only system.

994. [func] Treat non-authoritative responses to queries for type NS as referrals even if the NS records are in the answer section, because BIND 8 servers incorrectly send them that way. This is necessary for DNSSEC validation of the NS records of a secure zone to succeed when the parent is a BIND 8 server. [RT #1706]

993. [func] dig: -v now reports the version.

992. [doc] dig: ~/.digrc is now documented.

991. [func] Lower UDP refresh timeout messages to level debug 1.

990. [bug] The rndc-confgen man page was not installed.

989. [bug] Report filename if $INCLUDE fails for file related errors. [RT #1736]

988. [bug] 'additional-from-auth no;' did not work reliably in the case of queries answered from the cache. [RT #1436]

987. [bug] "dig -help" didn't show "+[no]stats".

986. [bug] "dig +noall" failed to clear stats and command printing.

985. [func] Consider network interfaces to be up iff they have a nonzero IP address rather than based on the IFF_UP flag. [RT #1160]

984. [bug] Multi-threading should be enabled by default on Solaris 2.7 and newer, but it wasn't.

983. [func] The server now supports generating IXFR difference sequences for non-dynamic zones by comparing zone versions, when enabled using the new config option "ixfr-from-differences". [RT #1727]

982. [func] If "memstatistics-file" is set in options the memory statistics will be written to it.

981. [func] The dnssec tools can now take multiple '-r randomfile' arguments.

980. [bug] Incoming zone transfers restarting after an error could trigger an assertion failure. [RT #1692]

979. [func] Incremental master file dumping. dns_master_dumpinc(), dns_master_dumptostreaminc(), dns_dumpctx_attach(), dns_dumpctx_detach(), dns_dumpctx_cancel(), dns_dumpctx_db() and dns_dumpctx_version().

978. [bug] dns_db_attachversion() had an invalid REQUIRE() condition.

977. [bug] Improve "not at top of zone" error message.

976. [func] named-checkconf can now test load master zones (named-checkconf -z). [RT #1468]

975. [bug] "max-cache-size default;" as a view option caused an assertion failure.

974. [bug] "max-cache-size unlimited;" as a global option was not accepted.

973. [bug] Failed to log the question name when logging: "bad zone transfer request: non-authoritative zone (NOTAUTH)".

972. [bug] The file modification time code in zone.c was using the wrong epoch. [RT #1667]

971. [placeholder]

970. [func] 'max-journal-size' can now be used to set a target size for a journal.

969. [func] dig now supports the undocumented dig 8 feature of allowing arbitrary labels, not just dotted decimal quads, with the -x option. This can be used to conveniently look up RFC2317 names as in "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]

968. [bug] On win32, the isc_time_now() function was unnecessarily calling strtime(). [RT #1671]

967. [bug] On win32, the link for bindevt was not including the required resource file to enable the event viewer to interpret the error messages in the event log. [RT #1668]

966. [placeholder]

965. [bug] Including data other than root server NS and A records in the root hint file could cause a rbtdb node reference leak. [RT #1581, #1618]

964. [func] Warn if data other than root server NS and A records are found in the root hint file. [RT #1581, #1618]

963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]

962. [bug] libbind: bad "#undef", don't attempt to install non-existent nlist.h. [RT #1640]

961. [bug] Tried to use an IPV6 feature when ISC_PLATFORM_HAVEIPV6 was not defined. [RT #1482]

960. [port] liblwres failed to build on systems with support for getrrsetbyname() in the OS. [RT #1592]

959. [port] On FreeBSD, determine the number of CPUs by calling sysctlbyname(). [RT #1584]

958. [port] ssize_t is not available on all platforms. [RT #1607]

957. [bug] sys/select.h inclusion was broken on older platforms. [RT #1607]

956. [bug] ns_g_autorndcfile changed to ns_g_keyfile in named/win32/os.c due to code changes in change #953. win32 .make file for rndc-confgen updated to add include path for os.h header.

--- 9.2.0rc1 released ---

955. [bug] When using views, the zone's class was not being inherited from the view's class. [RT #1583]

954. [bug] When requesting AXFRs or IXFRs using dig, host, or nslookup, the RD bit should not be set as zone transfers are inherently non-recursive. [RT #1575]

953. [func] The /var/run/named.key file from change #843 has been replaced by /etc/rndc.key. Both named and rndc will look for this file and use it to configure a default control channel key if not already configured using a different method (rndc.conf / controls). Unlike named.key, rndc.key is not created automatically; it must be created by manually running "rndc-confgen -a".

952. [bug] The server required manual intervention to serve the affected zones if it died between creating a journal and committing the first change to it.

951. [bug] CFLAGS was not passed to the linker when linking some of the test programs under bin/tests. [RT #1555].

950. [bug] Explicit TTLs did not properly override $TTL due to a bug in change 834. [RT #1558]

949. [bug] host was unable to print records larger than 512 bytes. [RT #1557]

--- 9.2.0b2 released ---

948. [port] Integrated support for building on Windows NT / Windows 2000.

947. [bug] dns_rdata_soa_t had a badly named element "mname" which was really the RNAME field from RFC1035. To avoid confusion and silent errors that would occur if the "origin" and "mname" elements were given their correct names "mname" and "rname" respectively, the "mname" element is renamed to "contact".

946. [cleanup] doc/misc/options is now machine-generated from the configuration parser syntax tables, and therefore more likely to be correct.

945. [func] Add the new view-specific options "match-destinations" and "match-recursive-only".

944. [func] Check for expired signatures on load.

943. [bug] The server could crash when receiving a command via rndc if the configuration file listed only nonexistent keys in the controls statement. [RT #1530]

942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly defined on some platforms.

941. [bug] The configuration checker crashed if a slave zone didn't contain a masters statement. [RT #1514]

940. [bug] Double zone locking failure on error path. [RT #1510]

--- 9.2.0b1 released ---

939. [port] Add the --disable-linux-caps option to configure for systems that manage capabilities outside of named. [RT #1503]

938. [placeholder]

937. [bug] A race when shutting down a zone could trigger an INSIST() failure. [RT #1034]

936. [func] Warn about IPv4 addresses that are not complete dotted quads. [RT #1084]

935. [bug] inet_pton failed to reject leading zeros.

934. [port] Deal with systems where accept() spuriously returns ECONNRESET.

933. [bug] configure failed doing libbind on platforms not supported by BIND 8. [RT #1496]

--- 9.2.0a3 released ---

932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM, when installing isc-config.sh. [RT #198, #1466]

931. [bug] The controls statement only attempted to verify messages using the first key in the key list. (9.2.0a1/a2 only).

930. [func] Query performance testing tool added as contrib/queryperf.

929. [placeholder]

928. [bug] nsupdate would send empty update packets if the send (or empty line) command was run after another send but before any new updates or prerequisites were specified. It should simply ignore this command.

927. [bug] Don't hold the zone lock for the entire dump to disk. [RT #1423]

926. [bug] The resolver could deadlock with the ADB when shutting down (multi-threaded builds only). [RT #1324]

925. [cleanup] Remove openssl from the distribution; require that --with-openssl be specified if DNSSEC is needed.

924. [port] Extend support for pre-RFC2133 IPv6 implementation. [RT #987]

923. [bug] Multiline TSIG secrets (and other multiline strings) were not accepted in named.conf. [RT #1469]

922. [func] Added two new lwres_getrrsetbyname() result codes, ERR_NONAME and ERR_NODATA.

921. [bug] lwres returned an incorrect error code if it received a truncated message.

920. [func] Increase the lwres receive buffer size to 16K. [RT #1451]

919. [placeholder]

918. [func] In nsupdate, TSIG errors are no longer treated as fatal errors.

917. [func] New nsupdate command 'key', allowing TSIG keys to be specified in the nsupdate command stream rather than the command line.

916. [bug] Specifying type ixfr to dig without specifying a serial number failed in unexpected ways.

915. [func] The named-checkconf and named-checkzone programs now have a '-v' option for printing their version. [RT #1151]

914. [bug] Global 'server' statements were rejected when using views, even though they were accepted in 9.1. [RT #1368]

913. [bug] Cache cleaning was not sufficiently aggressive. [RT #1441, #1444]

912. [bug] Attempts to set the 'additional-from-cache' or 'additional-from-auth' option to 'no' in a server with recursion enabled will now be ignored and cause a warning message. [RT #1145]

911. [placeholder]

910. [port] Some pre-RFC2133 IPv6 implementations do not define IN6ADDR_ANY_INIT. [RT #1416]

909. [placeholder]

908. [func] New program, rndc-confgen, to simplify setting up rndc.

907. [func] The ability to get entropy from either the random device, a user-provided file or from the keyboard was migrated from the DNSSEC tools to libisc as isc_entropy_usebestsource().

906. [port] Separated the system independent portion of lib/isc/unix/entropy.c into lib/isc/entropy.c and added lib/isc/win32/entropy.c.

905. [bug] Configuring a forward "zone" for the root domain did not work. [RT #1418]

904. [bug] The server would leak memory if attempting to use an expired TSIG key. [RT #1406]

903. [bug] dig should not crash when receiving a TCP packet of length 0.

902. [bug] The -d option was ignored if both -t and -g were also specified.

901. [placeholder]

900. [bug] A config.guess update changed the system identification string of FreeBSD systems; configure and bin/tests/system/ifconfig.sh now recognize the new string.

--- 9.2.0a2 released ---

899. [bug] lib/dns/soa.c failed to compile on many platforms due to inappropriate use of a void value. [RT #1372, #1373, #1386, #1387, #1395]

898. [bug] "dig" failed to set a nonzero exit status on UDP query timeout. [RT #1323]

897. [bug] A config.guess update changed the system identification string of UnixWare systems; configure now recognizes the new string.

896. [bug] If a configuration file is set on named's command line and it has a relative pathname, the current directory (after any possible jailing resulting from named -t) will be prepended to it so that reloading works properly even when a directory option is present.

895. [func] New function, isc_dir_current(), akin to POSIX's getcwd().

894. [bug] When using the DNSSEC tools, a message intended to warn when the keyboard was being used because of the lack of a suitable random device was not being printed.

893. [func] Removed isc_file_test() and added isc_file_exists() for the basic functionality that was being added with isc_file_test().

892. [placeholder]

891. [bug] Return an error when a SIG(0) signed response to an unsigned query is seen. This should actually do the verification, but it's not currently possible. [RT #1391]

890. [cleanup] The man pages no longer require the mandoc macros and should now format cleanly using most versions of nroff, and HTML versions of the man pages have been added. Both are generated from DocBook source.

889. [port] Eliminated blank lines before .TH in nroff man pages since they cause problems with some versions of nroff. [RT #1390]

888. [bug] Don't die when using TKEY to delete a nonexistent TSIG key. [RT #1392]

887. [port] Detect broken compilers that can't call static functions from inline functions. [RT #1212]

886. [placeholder]

885. [placeholder]

884. [placeholder]

883. [placeholder]

882. [placeholder]

881. [placeholder]

880. [placeholder]

879. [placeholder]

878. [placeholder]

877. [placeholder]

876. [placeholder]

875. [placeholder]

874. [placeholder]

873. [placeholder]

872. [placeholder]

871. [placeholder]

870. [placeholder]

869. [placeholder]

868. [placeholder]

867. [placeholder]

866. [func] Close debug only file channels when debug is set to zero. [RT #1246]

865. [bug] The new configuration parser did not allow the optional debug level in a "severity debug" clause of a logging channel to be omitted. This is now allowed and treated as "severity debug 1;" like it does in BIND 8.2.4, not as "severity debug 0;" like it did in BIND 9.1. [RT #1367]

864. [cleanup] Multi-threading is now enabled by default on OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.

863. [bug] If an error occurred while an outgoing zone transfer was starting up, the server could access a domain name that had already been freed when logging a message saying that the transfer was starting. [RT #1383]

862. [bug] Use after realloc(), non portable pointer arithmetic in grmerge().

861. [port] Add support for Mac OS X, by making it equivalent to Darwin. This was derived from the config.guess file shipped with Mac OS X. [RT #1355]

860. [func] Drop cross class glue in zone transfers.

859. [bug] Cache cleaning now won't swamp the CPU if there is a persistent over limit condition.

858. [func] isc_mem_setwater() no longer requires that when the callback function is non-NULL then its hi_water argument must be greater than its lo_water argument (they can now be equal) or that they be non-zero.

857. [cleanup] Use ISC_MAGIC() to define all magic numbers for structs, for our friends in EBCDIC-land.

856. [func] Allow partial rdatasets to be returned in answer and authority sections to help non-TCP capable clients recover from truncation. [RT #1301]

855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.

854. [bug] The config parser didn't properly handle config options that were specified in units of time other than seconds. [RT #1372]

853. [bug] configure_view_acl() failed to detach existing acls. [RT #1374]

852. [bug] Handle responses from servers which do not know about IXFR.

851. [cleanup] The obsolete support-ixfr option was not properly ignored.

--- 9.2.0a1 released ---

850. [bug] dns_rbt_findnode() would not find nodes that were split on a bitstring label somewhere other than in the last label of the node. [RT #1351]

849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.

848. [func] A minimum max-cache-size of two megabytes is enforced by the cache cleaner.

847. [func] Added isc_file_test(), which currently only has some very basic functionality to test for the existence of a file, whether a pathname is absolute, or whether a pathname is the fundamental representation of the current directory. It is intended that this function can be expanded to test other things a programmer might want to know about a file.

846. [func] A non-zero 'param' to dst_key_generate() when making an hmac-md5 key means that good entropy is not required.

845. [bug] The access rights on the public file of a symmetric key are now restricted as soon as the file is opened, rather than after it has been written and closed.

844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined, just as <lwres/net.h> does.

843. [func] If no controls statement is present in named.conf, or if any inet phrase of a controls statement is lacking a keys clause, then a key will be automatically generated by named and an rndc.conf-style file named named.key will be written that uses it. rndc will use this file only if its normal configuration file, or one provided on the command line, does not exist.

842. [func] 'rndc flush' now takes an optional view.

841. [bug] When sdb modules were not declared threadsafe, their create and destroy functions were not serialized.

840. [bug] The config file parser could print the wrong file name if an error was detected after an included file was parsed. [RT #1353]

839. [func] Dump packets for which there was no view or that the class could not be determined to category "unmatched".

838. [port] UnixWare 7.x.x is now supported by bin/tests/system/ifconfig.sh.

837. [cleanup] Multi-threading is now enabled by default only on OSF1, Solaris 2.7 and newer, and AIX.

836. [func] Upgraded libtool to 1.4.

835. [bug] The dispatcher could enter a busy loop if it got an I/O error receiving on a UDP socket. [RT #1293]

834. [func] Accept (but warn about) master files beginning with an SOA record without an explicit TTL field and lacking a $TTL directive, by using the SOA MINTTL as a default TTL. This is for backwards compatibility with old versions of BIND 8, which accepted such files without warning although they are illegal according to RFC1035.

833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to <dns/soa.h>, and extended them to support all the integer-valued fields of the SOA RR.

832. [bug] The default location for named.conf in named-checkconf should depend on --sysconfdir like it does in named. [RT #1258]

831. [placeholder]

830. [func] Implement 'rndc status'.

829. [bug] The DNS_R_ZONECUT result code should only be returned when an ANY query is made with DNS_DBFIND_GLUEOK set. In all other ANY query cases, returning the delegation is better.

828. [bug] The errno value from recvfrom() could be overwritten by logging code. [RT #1293]

827. [bug] When an IXFR protocol error occurs, the slave should retry with AXFR.

826. [bug] Some IXFR protocol errors were not detected.

825. [bug] zone.c:ns_query() detached from the wrong zone reference. [RT #1264]

824. [bug] Correct line numbers reported by dns_master_load(). [RT #1263]

823. [func] The output of "dig -h" now goes to stdout so that it can easily be piped through "more". [RT #1254]

822. [bug] Sending nxrrset prerequisites would crash nsupdate. [RT #1248]

821. [bug] The program name used when logging to syslog should be stripped of leading path components. [RT #1178, #1232]

820. [bug] Name server address lookups failed to follow A6 chains into the glue of local authoritative zones.

819. [bug] In certain cases, the resolver's attempts to restart an address lookup at the root could cause the fetch to deadlock (with itself) instead of restarting. [RT #1225]

818. [bug] Certain pathological responses to ANY queries could cause an assertion failure. [RT #1218]

817. [func] Adjust timeouts for dialup zone queries.

816. [bug] Report potential problems with log file accessibility at configuration time, since such problems can't reliably be reported at the time they actually occur.

815. [bug] If a log file was specified with a path separator character (i.e. "/") in its name and the directory did not exist, the log file's name was treated as though it were the directory name. [RT #1189]

814. [bug] Socket objects left over from accept() failures were incorrectly destroyed, causing corruption of socket manager data structures.

813. [bug] File descriptors exceeding FD_SETSIZE were handled badly. [RT #1192]

812. [bug] dig sometimes printed incomplete IXFR responses due to an uninitialized variable. [RT #1188]

811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]

810. [bug] The signer name in SIG records was not properly down-cased when signing/verifying records. [RT #1186]

809. [bug] Configuring a non-local address as a transfer-source could cause an assertion failure during load.

808. [func] Add 'rndc flush' to flush the server's cache.

807. [bug] When setting up TCP connections for incoming zone transfers, the transfer-source port was not ignored like it should be.

806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up the calling stack to the zone maintenance level, causing zones to not reload when an included file was touched but the top-level zone file was not.

805. [bug] When using "forward only", missing root hints should not cause queries to fail. [RT #1143]

804. [bug] Attempting to obtain entropy could fail in some situations. This would be most common on systems with user-space threads. [RT #1131]

803. [bug] Treat all SIG queries as if they have the CD bit set, otherwise no data will be returned. [RT #749]

802. [bug] DNSSEC key tags were computed incorrectly in almost all cases. [RT #1146]

801. [bug] nsupdate should treat lines beginning with ';' as comments. [RT #1139]

800. [bug] dnssec-signzone produced incorrect statistics for large zones. [RT #1133]

799. [bug] The ADB didn't find AAAA glue in a zone unless A6 glue was also present.

798. [bug] nsupdate should be able to reject bad input lines and continue. [RT #1130]

797. [func] Issue a warning if the 'directory' option contains a relative path. [RT #269]

796. [func] When a size limit is associated with a log file, only roll it when the size is reached, not every time the log file is opened. [RT #1096]

795. [func] Add the +multiline option to dig. [RT #1095]

794. [func] Implement the "port" and "default-port" statements in rndc.conf.

793. [cleanup] The DNSSEC tools could create filenames that were illegal or contained shell meta-characters. They now use a different text encoding of names that doesn't have these problems. [RT #1101]

792. [cleanup] Replace the OMAPI command channel protocol with a simpler one.

791. [bug] The command channel now works over IPv6.

790. [bug] Wildcards created using dynamic update or IXFR could fail to match. [RT #1111]

789. [bug] The "localhost" and "localnets" ACLs did not match when used as the second element of a two-element sortlist item.

788. [func] Add the "match-mapped-addresses" option, which causes IPv6 v4mapped addresses to be treated as IPv4 addresses for the purpose of acl matching.

787. [bug] The DNSSEC tools failed to downcase domain names when mapping them into file names.

786. [bug] When DNSSEC signing/verifying data, owner names were not properly down-cased.

785. [bug] A race condition in the resolver could cause an assertion failure. [RT #673, #872, #1048]

784. [bug] nsupdate and other programs would not quit properly if some signals were blocked by the caller. [RT #1081]

783. [bug] Following CNAMEs could cause an assertion failure when either using an sdb database or under very rare conditions.

782. [func] Implement the "serial-query-rate" option.

781. [func] Avoid error packet loops by dropping duplicate FORMERR responses. [RT #1006]

780. [bug] Error handling code dealing with out of memory or other rare errors could lead to assertion failures by calling functions on uninitialized names. [RT #1065]

779. [func] Added the "minimal-responses" option.

778. [bug] When starting cache cleaning, cleaning_timer_action() returned without first pausing the iterator, which could cause deadlock. [RT #998]

777. [bug] An empty forwarders list in a zone failed to override global forwarders. [RT #995]

776. [func] Improved error reporting in denied messages. [RT #252]

775. [placeholder]

774. [func] max-cache-size is implemented.

773. [func] Added isc_rwlock_trylock() to attempt to lock without blocking.

772. [bug] Owner names could be incorrectly omitted from cache dumps in the presence of negative caching entries. [RT #991]

771. [cleanup] TSIG errors related to unsynchronized clocks are logged better. [RT #919]

770. [func] Add the "edns yes_or_no" statement to the server clause. [RT #524]

769. [func] Improved error reporting when parsing rdata. [RT #740]

768. [bug] The server did not emit an SOA when a CNAME or DNAME chain ended in NXDOMAIN in an authoritative zone.

767. [placeholder]

766. [bug] A few cases in query_find() could leak fname. This would trigger the mpctx->allocated == 0 assertion when the server exited. [RT #739, #776, #798, #812, #818, #821, #845, #892, #935, #966]

765. [func] ACL names are once again case insensitive, like in BIND 8. [RT #252]

764. [func] Configuration files now allow "include" directives in more places, such as inside the "view" statement. [RT #377, #728, #860]

763. [func] Configuration files no longer have reserved words. [RT #731, #753]

762. [cleanup] The named.conf and rndc.conf file parsers have been completely rewritten.

761. [bug] _REENTRANT was still defined when building with --disable-threads.

760. [contrib] Significant enhancements to the pgsql sdb driver.

759. [bug] The resolver didn't turn off "avoid fetches" mode when restarting, possibly causing resolution to fail when it should not. This bug only affected platforms which support both IPv4 and IPv6. [RT #927]

758. [bug] The "avoid fetches" code did not treat negative cache entries correctly, causing fetches that would be useful to be avoided. This bug only affected platforms which support both IPv4 and IPv6. [RT #927]

757. [func] Log zone transfers.

756. [bug] dns_zone_load() could "return" success when no master file was configured.

755. [bug] Fix incorrectly formatted log messages in zone.c.

754. [bug] Certain failure conditions sending UDP packets could cause the server to retry the transmission indefinitely. [RT #902]

753. [bug] dig, host, and nslookup would fail to contact a remote server if getaddrinfo() returned an IPv6 address on a system that doesn't support IPv6. [RT #917]

752. [func] Correct bad tv_usec elements returned by gettimeofday().

751. [func] Log successful zone loads / transfers. [RT #898]

750. [bug] A query should not match a DNAME whose trust level is pending. [RT #916]

749. [bug] When a query matched a DNAME in a secure zone, the server did not return the signature of the DNAME. [RT #915]

748. [doc] List supported RFCs in doc/misc/rfc-compliance. [RT #781]

747. [bug] The code to determine whether an IXFR was possible did not properly check for a database that could not have a journal. [RT #865, #908]

746. [bug] The sdb didn't clone rdatasets properly, causing a crash when the server followed delegations. [RT #905]

745. [func] Report the owner name of records that fail semantic checks while loading.

744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the result of an ANY or SIG query, the resolver failed to set up the return event's rdatasets, causing an assertion failure in the query code. [RT #881]

743. [bug] Receiving a large number of certain malformed answers could cause named to stop responding. [RT #861]

742. [placeholder]

741. [port] Support openssl-engine. [RT #709]

740. [port] Handle openssl library mismatches slightly better.

739. [port] Look for /dev/random in configure, rather than assuming it will be there for only a predefined set of OSes.

738. [bug] If a non-threadsafe sdb driver supported AXFR and received an AXFR request, it would deadlock or die with an assertion failure. [RT #852]

737. [port] stdtime.c failed to compile on certain platforms.

736. [func] New functions isc_task_{begin,end}exclusive().

735. [doc] Add BIND 4 migration notes.

734. [bug] An attempt to re-lock the zone lock could occur if the server was shut down during a zone transfer. [RT #830]

733. [bug] Reference counts of dns_acl_t objects need to be locked but were not. [RT #801, #821]

732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]

731. [bug] Certain zone errors could cause named-checkzone to fail ungracefully. [RT #819]

730. [bug] lwres_getaddrinfo() returns the correct result when it fails to contact a server. [RT #768]

729. [port] pthread_setconcurrency() needs to be called on Solaris.

728. [bug] Fix comment processing on master file directives. [RT #757]

727. [port] Work around OS bug where accept() succeeds but fails to fill in the peer address of the accepted connection, by treating it as an error rather than an assertion failure.
[RT #809] 16947 16948 726. [func] Implement the "trace" and "notrace" commands in rndc. 16949 16950 725. [bug] Installing man pages could fail. 16951 16952 724. [func] New libisc functions isc_netaddr_any(), 16953 isc_netaddr_any6(). 16954 16955 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver 16956 to return DNS_R_SERVFAIL. [RT #783] 16957 16958 722. [func] Allow incremental loads to be canceled. 16959 16960 721. [cleanup] Load manager and dns_master_loadfilequota() are no 16961 more. 16962 16963 720. [bug] Server could enter infinite loop in 16964 dispatch.c:do_cancel(). [RT #733] 16965 16966 719. [bug] Rapid reloads could trigger an assertion failure. 16967 [RT #743, #763] 16968 16969 718. [cleanup] "internal" is no longer a reserved word in named.conf. 16970 [RT #753, #731] 16971 16972 717. [bug] Certain TKEY processing failure modes could 16973 reference an uninitialized variable, causing the 16974 server to crash. [RT #750] 16975 16976 716. [bug] The first line of a $INCLUDE master file was lost if 16977 an origin was specified. [RT #744] 16978 16979 715. [bug] Resolving some A6 chains could cause an assertion 16980 failure in adb.c. [RT #738] 16981 16982 714. [bug] Preserve interval timers across reloads unless changed. 16983 [RT #729] 16984 16985 713. [func] named-checkconf takes '-t directory' similar to named. 16986 [RT #726] 16987 16988 712. [bug] Sending a large signed update message caused an 16989 assertion failure. [RT #718] 16990 16991 711. [bug] The libisc and liblwres implementations of 16992 inet_ntop contained an off by one error. 16993 16994 710. [func] The forwarders statement now takes an optional 16995 port. [RT #418] 16996 16997 709. [bug] ANY or SIG queries for data with a TTL of 0 16998 would return SERVFAIL. [RT #620] 16999 17000 708. [bug] When building with --with-openssl, the openssl headers 17001 included with BIND 9 should not be used. [RT #702] 17002 17003 707. 
[func] The "filename" argument to named-checkzone is no 17004 longer optional, to reduce confusion. [RT #612] 17005 17006 706. [bug] Zones with an explicit "allow-update { none; };" 17007 were considered dynamic and therefore not reloaded 17008 on SIGHUP or "rndc reload". 17009 17010 705. [port] Work out resource limit type for use where rlim_t is 17011 not available. [RT #695] 17012 17013 704. [port] RLIMIT_NOFILE is not available on all platforms. 17014 [RT #695] 17015 17016 703. [port] sys/select.h is needed on older platforms. [RT #695] 17017 17018 702. [func] If the address 0.0.0.0 is seen in resolv.conf, 17019 use 127.0.0.1 instead. [RT #693] 17020 17021 701. [func] Root hints are now fully optional. Class IN 17022 views use compiled-in hints by default, as 17023 before. Non-IN views with no root hints now 17024 provide authoritative service but not recursion. 17025 A warning is logged if a view has neither root 17026 hints nor authoritative data for the root. [RT #696] 17027 17028 700. [bug] $GENERATE range check was wrong. [RT #688] 17029 17030 699. [bug] The lexer mishandled empty quoted strings. [RT #694] 17031 17032 698. [bug] Aborting nsupdate with ^C would lead to several 17033 race conditions. 17034 17035 697. [bug] nsupdate was not compatible with the undocumented 17036 BIND 8 behavior of ignoring TTLs in "update delete" 17037 commands. [RT #693] 17038 17039 696. [bug] lwresd would die with an assertion failure when passed 17040 a zero-length name. [RT #692] 17041 17042 695. [bug] If the resolver attempted to query a blackholed or 17043 bogus server, the resolution would fail immediately. 17044 17045 694. [bug] $GENERATE did not produce the last entry. 17046 [RT #682, #683] 17047 17048 693. [bug] An empty lwres statement in named.conf caused 17049 the server to crash while loading. 17050 17051 692. [bug] Deal with systems that have getaddrinfo() but not 17052 gai_strerror(). [RT #679] 17053 17054 691. 
[bug] Configuring per-view forwarders caused an assertion 17055 failure. [RT #675, #734] 17056 17057 690. [func] $GENERATE now supports DNAME. [RT #654] 17058 17059 689. [doc] man pages are now installed. [RT #210] 17060 17061 688. [func] "make tags" now works on systems with the 17062 "Exuberant Ctags" etags. 17063 17064 687. [bug] Only say we have IPv6, with sufficient functionality, 17065 if it has actually been tested. [RT #586] 17066 17067 686. [bug] dig and nslookup can now be properly aborted during 17068 blocking operations. [RT #568] 17069 17070 685. [bug] nslookup should use the search list/domain options 17071 from resolv.conf by default. [RT #405, #630] 17072 17073 684. [bug] Memory leak with view forwarders. [RT #656] 17074 17075 683. [bug] File descriptor leak in isc_lex_openfile(). 17076 17077 682. [bug] nslookup displayed SOA records incorrectly. [RT #665] 17078 17079 681. [bug] $GENERATE specifying output format was broken. [RT #653] 17080 17081 680. [bug] dns_rdata_fromstruct() mishandled options bigger 17082 than 255 octets. 17083 17084 679. [bug] $INCLUDE could leak memory and file descriptors on 17085 reload. [RT #639] 17086 17087 678. [bug] "transfer-format one-answer;" could trigger an assertion 17088 failure. [RT #646] 17089 17090 677. [bug] dnssec-signzone would occasionally use the wrong ttl 17091 for database operations and fail. [RT #643] 17092 17093 676. [bug] Log messages about lame servers to category 17094 'lame-servers' rather than 'resolver', so as not 17095 to be gratuitously incompatible with BIND 8. 17096 17097 675. [bug] TKEY queries could cause the server to leak 17098 memory. 17099 17100 674. [func] Allow messages to be TSIG signed / verified using 17101 a offset from the current time. 17102 17103 673. [func] The server can now convert RFC1886-style recursive 17104 lookup requests into RFC2874-style lookups, when 17105 enabled using the new option "allow-v6-synthesis". 17106 17107 672. 
[bug] The wrong time was in the "time signed" field when 17108 replying with BADTIME error. 17109 17110 671. [bug] The message code was failing to parse a message with 17111 no question section and a TSIG record. [RT #628] 17112 17113 670. [bug] The lwres replacements for getaddrinfo and 17114 getipnodebyname didn't properly check for the 17115 existence of the sockaddr sa_len field. 17116 17117 669. [bug] dnssec-keygen now makes the public key file 17118 non-world-readable for symmetric keys. [RT #403] 17119 17120 668. [func] named-checkzone now reports multiple errors in master 17121 files. 17122 17123 667. [bug] On Linux, running named with the -u option and a 17124 non-world-readable configuration file didn't work. 17125 [RT #626] 17126 17127 666. [bug] If a request sent by dig is longer than 512 bytes, 17128 use TCP. 17129 17130 665. [bug] Signed responses were not sent when the size of the 17131 TSIG + question exceeded the maximum message size. 17132 [RT #628] 17133 17134 664. [bug] The t_tasks and t_timers module tests are now skipped 17135 when building without threads, since they require 17136 threads. 17137 17138 663. [func] Accept a size_spec, not just an integer, in the 17139 (unimplemented and ignored) max-ixfr-log-size option 17140 for compatibility with recent versions of BIND 8. 17141 [RT #613] 17142 17143 662. [bug] dns_rdata_fromtext() failed to log certain errors. 17144 17145 661. [bug] Certain UDP IXFR requests caused an assertion failure 17146 (mpctx->allocated == 0). [RT #355, #394, #623] 17147 17148 660. [port] Detect multiple CPUs on HP-UX and IRIX. 17149 17150 659. [performance] Rewrite the name compression code to be much faster. 17151 17152 658. [cleanup] Remove all vestiges of 16 bit global compression. 17153 17154 657. [bug] When a listen-on statement in an lwres block does not 17155 specify a port, use 921, not 53. Also update the 17156 listen-on documentation. [RT #616] 17157 17158 656. 
[func] Treat an unescaped newline in a quoted string as 17159 an error. This means that TXT records with missing 17160 close quotes should have meaningful errors printed. 17161 17162 655. [bug] Improve error reporting on unexpected eof when loading 17163 zones. [RT #611] 17164 17165 654. [bug] Origin was being forgotten in TCP retries in dig. 17166 [RT #574] 17167 17168 653. [bug] +defname option in dig was reversed in sense. 17169 [RT #549] 17170 17171 652. [bug] zone_saveunique() did not report the new name. 17172 17173 651. [func] The AD bit in responses now has the meaning 17174 specified in <draft-ietf-dnsext-ad-is-secure>. 17175 17176 650. [bug] SIG(0) records were being generated and verified 17177 incorrectly. [RT #606] 17178 17179 649. [bug] It was possible to join to an already running fctx 17180 after it had "cloned" its events, but before it sent 17181 them. In this case, the event of the newly joined 17182 fetch would not contain the answer, and would 17183 trigger the INSIST() in fctx_sendevents(). In 17184 BIND 9.0, this bug did not trigger an INSIST(), but 17185 caused the fetch to fail with a SERVFAIL result. 17186 [RT #588, #597, #605, #607] 17187 17188 648. [port] Add support for pre-RFC2133 IPv6 implementations. 17189 17190 647. [bug] Resolver queries sent after following multiple 17191 referrals had excessively long retransmission 17192 timeouts due to incorrectly counting the referrals 17193 as "restarts". 17194 17195 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h 17196 didn't _cleanly_ fix the problem it was trying to fix. 17197 17198 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603] 17199 17200 644. [bug] #622 needed more work. [RT #562] 17201 17202 643. [bug] xfrin error messages made more verbose, added class 17203 of the zone. [RT #599] 17204 17205 642. [bug] Break the exit_check() race in the zone module. 17206 [RT #598] 17207 17208 --- 9.1.0b2 released --- 17209 17210 641. 
[bug] $GENERATE caused a uninitialized link to be used. 17211 [RT #595] 17212 17213 640. [bug] Memory leak in error path could cause 17214 "mpctx->allocated == 0" failure. [RT #584] 17215 17216 639. [bug] Reading entropy from the keyboard would sometimes fail. 17217 [RT #591] 17218 17219 638. [port] lib/isc/random.c needed to explicitly include time.h 17220 to get a prototype for time() when pthreads was not 17221 being used. [RT #592] 17222 17223 637. [port] Use isc_u?int64_t instead of (unsigned) long long in 17224 lib/isc/print.c. Also allow lib/isc/print.c to 17225 be compiled even if the platform does not need it. 17226 [RT #592] 17227 17228 636. [port] Shut up MSVC++ about a possible loss of precision 17229 in the ISC__BUFFER_PUTUINT*() macros. [RT #592] 17230 17231 635. [bug] Reloading a server with a configured blackhole list 17232 would cause an assertion. [RT #590] 17233 17234 634. [bug] A log file will completely stop being written when 17235 it reaches the maximum size in all cases, not just 17236 when versioning is also enabled. [RT #570] 17237 17238 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575] 17239 17240 632. [bug] The index array of the journal file was 17241 corrupted as it was written to disk. 17242 17243 631. [port] Build without thread support on systems without 17244 pthreads. 17245 17246 630. [bug] Locking failure in zone code. [RT #582] 17247 17248 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed 17249 when responding to a UDP IXFR request. 17250 17251 628. [bug] If the root hints contained only AAAA addresses, 17252 named would be unable to perform resolution. 17253 17254 627. [bug] The EDNS0 blackhole detection code of change 324 17255 waited for three retransmissions to each server, 17256 which takes much too long when a domain has many 17257 name servers and all of them drop EDNS0 queries. 
17258 Now we retry without EDNS0 after three consecutive 17259 timeouts, even if they are all from different 17260 servers. [RT #143] 17261 17262 626. [bug] The lightweight resolver daemon no longer crashes 17263 when asked for a SIG rrset. [RT #558] 17264 17265 625. [func] Zones now inherit their class from the enclosing view. 17266 17267 624. [bug] The zone object could get timer events after it had 17268 been destroyed, causing a server crash. [RT #571] 17269 17270 623. [func] Added "named-checkconf" and "named-checkzone" program 17271 for syntax checking named.conf files and zone files, 17272 respectively. 17273 17274 622. [bug] A canceled request could be destroyed before 17275 dns_request_destroy() was called. [RT #562] 17276 17277 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable. 17278 This mostly affects Red Hat Linux 7.0, which has 17279 conflicts between libc and the kernel. 17280 17281 620. [bug] dns_master_load*inc() now require 'task' and 'load' 17282 to be non-null. Also 'done' will not be called if 17283 dns_master_load*inc() fails immediately. [RT #565] 17284 17285 619. [placeholder] 17286 17287 618. [bug] Queries to a signed zone could sometimes cause 17288 an assertion failure. 17289 17290 617. [bug] When using dynamic update to add a new RR to an 17291 existing RRset with a different TTL, the journal 17292 entries generated from the update did not include 17293 explicit deletions and re-additions of the existing 17294 RRs to update their TTL to the new value. 17295 17296 616. [func] dnssec-signzone -t output now includes performance 17297 statistics. 17298 17299 615. [bug] dnssec-signzone did not like child keysets signed 17300 by multiple keys. 17301 17302 614. [bug] Checks for uninitialized link fields were prone 17303 to false positives, causing assertion failures. 17304 The checks are now disabled by default and may 17305 be re-enabled by defining ISC_LIST_CHECKINIT. 17306 17307 613. 
[bug] "rndc reload zone" now reloads primary zones. 17308 It previously only updated slave and stub zones, 17309 if an SOA query indicated an out of date serial. 17310 17311 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that 17312 complains relentlessly about how its treatment 17313 of 'const' has changed as well as how casting 17314 sometimes tightens alignment constraints. 17315 17316 611. [func] allow-notify can be used to permit processing of 17317 notify messages from hosts other than a slave's 17318 masters. 17319 17320 610. [func] rndc dumpdb is now supported. 17321 17322 609. [bug] getrrsetbyname() would crash lwresd if the server 17323 found more SIGs than answers. [RT #554] 17324 17325 608. [func] dnssec-signzone now adds a comment to the zone 17326 with the time the file was signed. 17327 17328 607. [bug] nsupdate would fail if it encountered a CNAME or 17329 DNAME in a response to an SOA query. [RT #515] 17330 17331 606. [bug] Compiling with --disable-threads failed due 17332 to isc_thread_self() being incorrectly defined 17333 as an integer rather than a function. 17334 17335 605. [func] New function isc_lex_getlasttokentext(). 17336 17337 604. [bug] The named.conf parser could print incorrect line 17338 numbers when long comments were present. 17339 17340 603. [bug] Make dig handle multiple types or classes on the same 17341 query more correctly. 17342 17343 602. [func] Cope automatically with UnixWare's broken 17344 IN6_IS_ADDR_* macros. [RT #539] 17345 17346 601. [func] Return a non-zero exit code if an update fails 17347 in nsupdate. 17348 17349 600. [bug] Reverse lookups sometimes failed in dig, etc... 17350 17351 599. [func] Added four new functions to the libisc log API to 17352 support i18n messages. isc_log_iwrite(), 17353 isc_log_ivwrite(), isc_log_iwrite1() and 17354 isc_log_ivwrite1() were added. 17355 17356 598. [bug] An update-policy statement would cause the server 17357 to assert while loading. [RT #536] 17358 17359 597. 
[func] dnssec-signzone is now multi-threaded. 17360 17361 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are 17362 not mutually exclusive. 17363 17364 595. [port] On Linux 2.2, socket() returns EINVAL when it 17365 should return EAFNOSUPPORT. Work around this. 17366 [RT #531] 17367 17368 594. [func] sdb drivers are now assumed to not be thread-safe 17369 unless the DNS_SDBFLAG_THREADSAFE flag is supplied. 17370 17371 593. [bug] If a secure zone was missing all its NXTs and 17372 a dynamic update was attempted, the server entered 17373 an infinite loop. 17374 17375 592. [bug] The sig-validity-interval option now specifies a 17376 number of days, not seconds. This matches the 17377 documentation. [RT #529] 17378 17379 --- 9.1.0b1 released --- 17380 17381 591. [bug] Work around non-reentrancy in openssl by disabling 17382 pre-computation in keys. 17383 17384 590. [doc] There are now man pages for the lwres library in 17385 doc/man/lwres. 17386 17387 589. [bug] The server could deadlock if a zone was updated 17388 while being transferred out. 17389 17390 588. [bug] ctx->in_use was not being correctly initialized when 17391 when pushing a file for $INCLUDE. [RT #523] 17392 17393 587. [func] A warning is now printed if the "allow-update" 17394 option allows updates based on the source IP 17395 address, to alert users to the fact that this 17396 is insecure and becoming increasingly so as 17397 servers capable of update forwarding are being 17398 deployed. 17399 17400 586. [bug] multiple views with the same name were fatal. [RT #516] 17401 17402 585. [func] dns_db_addrdataset() and dns_rdataslab_merge() 17403 now support 'exact' additions in a similar manner to 17404 dns_db_subtractrdataset() and dns_rdataslab_subtract(). 17405 17406 584. [func] You can now say 'notify explicit'; to suppress 17407 notification of the servers listed in NS records 17408 and notify only those servers listed in the 17409 'also-notify' option. 17410 17411 583. 
[func] "rndc querylog" will now toggle logging of 17412 queries, like "ndc querylog" in BIND 8. 17413 17414 582. [bug] dns_zone_idetach() failed to lock the zone. 17415 [RT #199, #463] 17416 17417 581. [bug] log severity was not being correctly processed. 17418 [RT #485] 17419 17420 580. [func] Ignore trailing garbage on incoming DNS packets, 17421 for interoperability with broken server 17422 implementations. [RT #491] 17423 17424 579. [bug] nsupdate did not take a filename to read update from. 17425 [RT #492] 17426 17427 578. [func] New config option "notify-source", to specify the 17428 source address for notify messages. 17429 17430 577. [func] Log illegal RDATA combinations. e.g. multiple 17431 singleton types, cname and other data. 17432 17433 576. [doc] isc_log_create() description did not match reality. 17434 17435 575. [bug] isc_log_create() was not setting internal state 17436 correctly to reflect the default channels created. 17437 17438 574. [bug] TSIG signed queries sent by the resolver would fail to 17439 have their responses validated and would leak memory. 17440 17441 573. [bug] The journal files of IXFRed slave zones were 17442 inadvertently discarded on server reload, causing 17443 "journal out of sync with zone" errors on subsequent 17444 reloads. [RT #482] 17445 17446 572. [bug] Quoted strings were not accepted as key names in 17447 address match lists. 17448 17449 571. [bug] It was possible to create an rdataset of singleton 17450 type which had more than one rdata. [RT #154] 17451 [RT #279] 17452 17453 570. [bug] rbtdb.c allowed zones containing nodes which had 17454 both a CNAME and "other data". [RT #154] 17455 17456 569. [func] The DNSSEC AD bit will not be set on queries which 17457 have not requested a DNSSEC response. 17458 17459 568. [func] Add sample simple database drivers in contrib/sdb. 17460 17461 567. [bug] Setting the zone transfer timeout to zero caused an 17462 assertion failure. [RT #302] 17463 17464 566. 
[func] New public function dns_timer_setidle(). 17465 17466 565. [func] Log queries more like BIND 8: query logging is now 17467 done to category "queries", level "info". [RT #169] 17468 17469 564. [func] Add sortlist support to lwresd. 17470 17471 563. [func] New public functions dns_rdatatype_format() and 17472 dns_rdataclass_format(), for convenient formatting 17473 of rdata type/class mnemonics in log messages. 17474 17475 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong. 17476 17477 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files' 17478 clauses of the options{} statement are now implemented. 17479 17480 560. [bug] dns_name_split did not properly the resulting prefix 17481 when a maximal length bitstring label was split which 17482 was preceded by another bitstring label. [RT #429] 17483 17484 559. [bug] dns_name_split did not properly create the suffix 17485 when splitting within a maximal length bitstring label. 17486 17487 558. [func] New functions, isc_resource_getlimit and 17488 isc_resource_setlimit. 17489 17490 557. [func] Symbolic constants for libisc integral types. 17491 17492 556. [func] The DNSSEC OK bit in the EDNS extended flags 17493 is now implemented. Responses to queries without 17494 this bit set will not contain any DNSSEC records. 17495 17496 555. [bug] A slave server attempting a zone transfer could 17497 crash with an assertion failure on certain 17498 malformed responses from the master. [RT #457] 17499 17500 554. [bug] In some cases, not all of the dnssec tools were 17501 properly installed. 17502 17503 553. [bug] Incoming zone transfers deferred due to quota 17504 were not started when quota was increased but 17505 only when a transfer in progress finished. [RT #456] 17506 17507 552. [bug] We were not correctly detecting the end of all c-style 17508 comments. [RT #455] 17509 17510 551. [func] Implemented the 'sortlist' option. 17511 17512 550. [func] Support unknown rdata types and classes. 
17513 17514 549. [bug] "make" did not immediately abort the build when a 17515 subdirectory make failed [RT #450]. 17516 17517 548. [func] The lexer now ungets tokens more correctly. 17518 17519 547. [placeholder] 17520 17521 546. [func] Option 'lame-ttl' is now implemented. 17522 17523 545. [func] Name limit and counting options removed from dig; 17524 they didn't work properly, and cannot be correctly 17525 implemented without significant changes. 17526 17527 544. [func] Add statistics option, enable statistics-file option, 17528 add RNDC option "dump-statistics" to write out a 17529 query statistics file. 17530 17531 543. [doc] The 'port' option is now documented. 17532 17533 542. [func] Add support for update forwarding as required for 17534 full compliance with RFC2136. It is turned off 17535 by default and can be enabled using the 17536 'allow-update-forwarding' option. 17537 17538 541. [func] Add bogus server support. 17539 17540 540. [func] Add dialup support. 17541 17542 539. [func] Support the blackhole option. 17543 17544 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo(). 17545 17546 537. [placeholder] 17547 17548 536. [func] Use transfer-source{-v6} when sending refresh queries. 17549 Transfer-source{-v6} now take a optional port 17550 parameter for setting the UDP source port. The port 17551 parameter is ignored for TCP. 17552 17553 535. [func] Use transfer-source{-v6} when forwarding update 17554 requests. 17555 17556 534. [func] Ancestors have been removed from RBT chains. Ancestor 17557 information can be discerned via node parent pointers. 17558 17559 533. [func] Incorporated name hashing into the RBT database to 17560 improve search speed. 17561 17562 532. [func] Implement DNS UPDATE pseudo records using 17563 DNS_RDATA_UPDATE flag. 17564 17565 531. [func] Rdata really should be initialized before being assigned 17566 to (dns_rdata_fromwire(), dns_rdata_fromtext(), 17567 dns_rdata_clone(), dns_rdata_fromregion()), 17568 check that it is. 
17569 17570 530. [func] New function dns_rdata_invalidate(). 17571 17572 529. [bug] 521 contained a bug which caused zones to always 17573 reload. [RT #410] 17574 17575 528. [func] The ISC_LIST_XXXX macros now perform sanity checks 17576 on their arguments. ISC_LIST_XXXXUNSAFE can be use 17577 to skip the checks however use with caution. 17578 17579 527. [func] New function dns_rdata_clone(). 17580 17581 526. [bug] nsupdate incorrectly refused to add RRs with a TTL 17582 of 0. 17583 17584 525. [func] New arguments 'options' for dns_db_subtractrdataset(), 17585 and 'flags' for dns_rdataslab_subtract() allowing you 17586 to request that the RR's must exist prior to deletion. 17587 DNS_R_NOTEXACT is returned if the condition is not met. 17588 17589 524. [func] The 'forward' and 'forwarders' statement in 17590 non-forward zones should work now. 17591 17592 523. [doc] The source to the Administrator Reference Manual is 17593 now an XML file using the DocBook DTD, and is included 17594 in the distribution. The plain text version of the 17595 ARM is temporarily unavailable while we figure out 17596 how to generate readable plain text from the XML. 17597 17598 522. [func] The lightweight resolver daemon can now use 17599 a real configuration file, and its functionality 17600 can be provided by a name server. Also, the -p and -P 17601 options to lwresd have been reversed. 17602 17603 521. [bug] Detect master files which contain $INCLUDE and always 17604 reload. [RT #196] 17605 17606 520. [bug] Upgraded libtool to 1.3.5, which makes shared 17607 library builds almost work on AIX (and possibly 17608 others). 17609 17610 519. [bug] dns_name_split() would improperly split some bitstring 17611 labels, zeroing a few of the least significant bits in 17612 the prefix part. When such an improperly created 17613 prefix was returned to the RBT database, the bogus 17614 label was dutifully stored, corrupting the tree. 17615 [RT #369] 17616 17617 518. 
[bug] The resolver did not realize that a DNAME which was 17618 "the answer" to the client's query was "the answer", 17619 and such queries would fail. [RT #399] 17620 17621 517. [bug] The resolver's DNAME code would trigger an assertion 17622 if there was more than one DNAME in the chain. 17623 [RT #399] 17624 17625 516. [bug] Cache lookups which had a NULL node pointer, e.g. 17626 those by dns_view_find(), and which would match a 17627 DNAME, would trigger an INSIST(!search.need_cleanup) 17628 assertion. [RT #399] 17629 17630 515. [bug] The ssu table was not being attached / detached 17631 by dns_zone_[sg]etssutable. [RT #397] 17632 17633 514. [func] Retry refresh and notify queries if they timeout. 17634 [RT #388] 17635 17636 513. [func] New functionality added to rdnc and server to allow 17637 individual zones to be refreshed or reloaded. 17638 17639 512. [bug] The zone transfer code could throw an exception with 17640 an invalid IXFR stream. 17641 17642 511. [bug] The message code could throw an assertion on an 17643 out of memory failure. [RT #392] 17644 17645 510. [bug] Remove spurious view notify warning. [RT #376] 17646 17647 509. [func] Add support for write of zone files on shutdown. 17648 17649 508. [func] dns_message_parse() can now do a best-effort 17650 attempt, which should allow dig to print more invalid 17651 messages. 17652 17653 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach() 17654 and dns_view_flushanddetach(). 17655 17656 506. [func] Do not fail to start on errors in zone files. 17657 17658 505. [bug] nsupdate was printing "unknown result code". [RT #373] 17659 17660 504. [bug] The zone was not being marked as dirty when updated via 17661 IXFR. 17662 17663 503. [bug] dumptime was not being set along with 17664 DNS_ZONEFLG_NEEDDUMP. 17665 17666 502. [func] On a SERVFAIL reply, DiG will now try the next server 17667 in the list, unless the +fail option is specified. 17668 17669 501. 
[bug] Incorrect port numbers were being displayed by 17670 nslookup. [RT #352] 17671 17672 500. [func] Nearly useless +details option removed from DiG. 17673 17674 499. [func] In DiG, specifying a class with -c or type with -t 17675 changes command-line parsing so that classes and 17676 types are only recognized if following -c or -t. 17677 This allows hosts with the same name as a class or 17678 type to be looked up. 17679 17680 498. [doc] There is now a man page for "dig" 17681 in doc/man/bin/dig.1. 17682 17683 497. [bug] The error messages printed when an IP match list 17684 contained a network address with a nonzero host 17685 part where not sufficiently detailed. [RT #365] 17686 17687 496. [bug] named didn't sanity check numeric parameters. [RT #361] 17688 17689 495. [bug] nsupdate was unable to handle large records. [RT #368] 17690 17691 494. [func] Do not cache NXDOMAIN responses for SOA queries. 17692 17693 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses 17694 for SOA queries. This makes it easier to locate 17695 the containing zone without polluting intermediate 17696 caches. 17697 17698 492. [bug] attempting to reload a zone caused the server fail 17699 to shutdown cleanly. [RT #360] 17700 17701 491. [bug] nsupdate would segfault when sending certain 17702 prerequisites with empty RDATA. [RT #356] 17703 17704 490. [func] When a slave/stub zone has not yet successfully 17705 obtained an SOA containing the zone's configured 17706 retry time, perform the SOA query retries using 17707 exponential backoff. [RT #337] 17708 17709 489. [func] The zone manager now has a "i/o" queue. 17710 17711 488. [bug] Locks weren't properly destroyed in some cases. 17712 17713 487. [port] flockfile() is not defined on all systems. 17714 17715 486. [bug] nslookup: "set all" and "server" commands showed 17716 the incorrect port number if a port other than 53 17717 was specified. [RT #352] 17718 17719 485. 
[func] When dig had more than one server to query, it would
        send all of the messages at the same time. Add
        rate limiting of the transmitted messages.

484. [bug] When the server was reloaded after removing addresses
        from the named.conf "listen-on" statement, sockets
        were still listening on the removed addresses due
        to reference count loops. [RT #325]

483. [bug] nslookup: "set all" showed a "search" option but it
        was not settable.

482. [bug] nslookup: a plain "server" or "lserver" should be
        treated as a lookup.

481. [bug] nslookup:get_next_command() stack size could exceed
        per thread limit.

480. [bug] strtok() is not thread safe. [RT #349]

479. [func] The test suite can now be run by typing "make check"
        or "make test" at the top level.

478. [bug] "make install" failed if the directory specified with
        --prefix did not already exist.

477. [bug] The isc-config.sh script could be installed before
        its directory was created. [RT #324]

476. [bug] A zone could expire while a zone transfer was in
        progress triggering an INSIST failure. [RT #329]

475. [bug] query_getzonedb() sometimes returned a non-null version
        on failure. This caused assertion failures when
        generating query responses where names subject to
        additional section processing pointed to a zone
        to which access had been denied by means of the
        allow-query option. [RT #336]

474. [bug] The mnemonic of the CHAOS class is CH according to
        RFC1035, but it was printed and read only as CHAOS.
        We now accept both forms as input, and print it
        as CH. [RT #305]

473. [bug] nsupdate overran the end of the list of name servers
        when no servers could be reached, typically causing
        it to print the error message "dns_request_create:
        not implemented".

472. [bug] Off-by-one error caused isc_time_add() to sometimes
        produce invalid time values.

471. [bug] nsupdate didn't compile on HP/UX 10.20

470. [func] $GENERATE is now supported. See also
        doc/misc/migration.

469. [bug] "query-source address * port 53;" now works.

468. [bug] dns_master_load*() failed to report file and line
        number in certain error conditions.

467. [bug] dns_master_load*() failed to log an error if
        pushfile() failed.

466. [bug] dns_master_load*() could return success when it failed.

465. [cleanup] Allow 0 to be set as an omapi_value_t value by
        omapi_value_storeint().

464. [cleanup] Build with openssl's RSA code instead of dnssafe.

463. [bug] nsupdate sent malformed SOA queries to the second
        and subsequent name servers in resolv.conf if the
        query sent to the first one failed.

462. [bug] --disable-ipv6 should work now.

461. [bug] Specifying an unknown key in the "keys" clause of the
        "controls" statement caused a NULL pointer dereference.
        [RT #316]

460. [bug] Much of the DNSSEC code only worked with class IN.

459. [bug] Nslookup processed the "set" command incorrectly.

458. [bug] Nslookup didn't properly check class and type values.
        [RT #305]

457. [bug] Dig/host/nslookup didn't properly handle connect
        timeouts in certain situations, causing an
        unnecessary warning message to be printed.

456. [bug] Stub zones were not resetting the refresh and expire
        counters, loadtime or clearing the DNS_ZONE_REFRESH
        (refresh in progress) flag upon successful update.
        This disabled further refreshing of the stub zone,
        causing it to eventually expire. [RT #300]

455.
[doc] Document IPv4 prefix notation does not require a
        dotted decimal quad but may be just dotted decimal.

454. [bug] Enforce dotted decimal and dotted decimal quad where
        documented as such in named.conf. [RT #304, RT #311]

453. [bug] Warn if the obsolete option "maintain-ixfr-base"
        is specified in named.conf. [RT #306]

452. [bug] Warn if the unimplemented option "statistics-file"
        is specified in named.conf. [RT #301]

451. [func] Update forwarding implemented.

450. [func] New function ns_client_sendraw().

449. [bug] isc_bitstring_copy() only works correctly if the
        two bitstrings have the same lsb0 value, but this
        requirement was not documented, nor was there a
        REQUIRE for it.

448. [bug] Host output formatting change, to match v8. [RT #255]

447. [bug] Dig didn't properly retry in TCP mode after
        a truncated reply. [RT #277]

446. [bug] Confusing notify log message. [RT #298]

445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
        bitstring triggered a REQUIRE statement. The REQUIRE
        statement was incorrect. [RT #297]

444. [func] "recursion denied" messages are always logged at
        debug level 1, now, rather than sometimes at ERROR.
        This silences these warnings in the usual case, where
        some clients set the RD bit in all queries.

443. [bug] When loading a master file failed because of an
        unrecognized RR type name, the error message
        did not include the file name and line number.
        [RT #285]

442. [bug] TSIG signed messages that did not match any view
        crashed the server. [RT #290]

441. [bug] Nodes obscured by a DNAME were inaccessible even
        when DNS_DBFIND_GLUEOK was set.

440. [func] New function dns_zone_forwardupdate().

439. [func] New function dns_request_createraw().

438. [func] New function dns_message_getrawmessage().

437. [func] Log NOTIFY activity to the notify channel.

436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
        which sometimes happens on Linux, named would enter
        a busy loop. Also, unexpected socket errors were
        not logged at a high enough logging level to be
        useful in diagnosing this situation. [RT #275]

435. [bug] dns_zone_dump() overwrote existing zone files
        rather than writing to a temporary file and
        renaming. This could lead to empty or partial
        zone files being left around in certain error
        conditions involving the initial transfer of a
        slave zone, interfering with subsequent server
        startup. [RT #282]

434. [func] New function isc_file_isabsolute().

433. [func] isc_base64_decodestring() now accepts newlines
        within the base64 data. This makes it possible
        to break up the key data in a "trusted-keys"
        statement into multiple lines. [RT #284]

432. [func] Added refresh/retry jitter. The actual refresh/
        retry time is now a random value between 75% and
        100% of the configured value.

431. [func] Log at ISC_LOG_INFO when a zone is successfully
        loaded.

430. [bug] Rewrote the lightweight resolver client management
        code to handle shutdown correctly and general
        cleanup.

429. [bug] The space reserved for a TSIG record in a response
        was 2 bytes too short, leading to message
        generation failures.

428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
        DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
        (e.g. glue). This could cause SERVFAILs when
        generating negative responses in a secure zone.

427.
[bug] Avoid going into an infinite loop when the validator
        gets a negative response to a key query where the
        records are signed by the missing key.

426. [bug] Attempting to generate an oversized RSA key could
        cause dnssec-keygen to dump core.

425. [bug] Warn about the auth-nxdomain default value change
        if there is no auth-nxdomain statement in the
        config file. [RT #287]

424. [bug] notify_createmessage() could trigger an assertion
        failure when creating the notify message failed,
        e.g. due to corrupt zones with multiple SOA records.
        [RT #279]

423. [bug] When responding to a recursive query, errors that occur
        after following a CNAME should cause the query to fail.
        [RT #274]

422. [func] get rid of isc_random_t, and make isc_random_get()
        and isc_random_jitter() use rand() internally
        instead of local state. Note that isc_random_*()
        functions are only for weak, non-critical "randomness"
        such as timing jitter and such.

421. [bug] nslookup would exit when given a blank line as input.

420. [bug] nslookup failed to implement the "exit" command.

419. [bug] The certificate type PKIX was misspelled as SKIX.

418. [bug] At debug levels >= 10, getting an unexpected
        socket receive error would crash the server
        while trying to log the error message.

417. [func] Add isc_app_block() and isc_app_unblock(), which
        allow an application to handle signals while
        blocking.

416. [bug] Slave zones with no master file tried to use a
        NULL pointer for a journal file name when they
        received an IXFR. [RT #273]

415. [bug] The logging code leaked file descriptors.

414. [bug] Server did not shut down until all incoming zone
        transfers were finished.

413.
[bug] Notify could attempt to use the zone database after
        it had been unloaded. [RT #267]

412. [bug] named -v didn't print the version.

411. [bug] A typo in the HS A code caused an assertion failure.

410. [bug] lwres_gethostbyname() and company set lwres_h_errno
        to a random value on success.

409. [bug] If named was shut down early in the startup
        process, ns_omapi_shutdown() would attempt to lock
        an uninitialized mutex. [RT #262]

408. [bug] stub zones could leak memory and reference counts if
        all the masters were unreachable.

407. [bug] isc_rwlock_lock() would needlessly block
        readers when it reached the read quota even
        if no writers were waiting.

406. [bug] Log messages were occasionally lost or corrupted
        due to a race condition in isc_log_doit().

405. [func] Add support for selective forwarding (forward zones)

404. [bug] The request library didn't completely work with IPv6.

403. [bug] "host" did not use the search list.

402. [bug] Treat undefined acls as errors, rather than
        warning and then later throwing an assertion.
        [RT #252]

401. [func] Added simple database API.

400. [bug] SIG(0) signing and verifying was done incorrectly.
        [RT #249]

399. [bug] When reloading the server with a config file
        containing a syntax error, it could catch an
        assertion failure trying to perform zone
        maintenance on, or sending notifies from,
        tentatively created zones whose views were
        never fully configured and lacked an address
        database and request manager.

398. [bug] "dig" sometimes caught an assertion failure when
        using TSIG, depending on the key length.

397. [func] Added utility functions dns_view_gettsig() and
        dns_view_getpeertsig().

396.
[doc] There is now a man page for "nsupdate"
        in doc/man/bin/nsupdate.8.

395. [bug] nslookup printed incorrect RR type mnemonics
        for RRs of type >= 21 [RT #237].

394. [bug] Current name was not propagated via $INCLUDE.

393. [func] Initial answer while loading (awl) support.
        Entry points: dns_master_loadfileinc(),
        dns_master_loadstreaminc(), dns_master_loadbufferinc().
        Note: calls to dns_master_load*inc() should be
        rate limited so as to not use up all file
        descriptors.

392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
        not support the given address family requested.

391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.

390. [func] The function dns_zone_setdbtype() now takes
        an argc/argv style vector of words and sets
        both the zone database type and its arguments,
        making the functions dns_zone_adddbarg()
        and dns_zone_cleardbargs() unnecessary.

389. [bug] Attempting to send a request over IPv6 using
        dns_request_create() on a system without IPv6
        support caused an assertion failure [RT #235].

388. [func] dig and host can now do reverse ipv6 lookups.

387. [func] Add dns_byaddr_createptrname(), which converts
        an address into the name used by a PTR query.

386. [bug] Missing strdup() of ACL name caused random
        ACL matching failures [RT #228].

385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
        and dns_zt_print().

384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
        of 2147483647.

383. [func] When writing a master file, print the SOA and NS
        records (and their SIGs) before other records.

382. [bug] named -u failed on many Linux systems where the
        libc provided kernel headers do not match
        the current kernel.

381.
[bug] Check for IPV6_RECVPKTINFO and use it instead of
        IPV6_PKTINFO if found. [RT #229]

380. [bug] nsupdate didn't work with IPv6.

379. [func] New library function isc_sockaddr_anyofpf().

378. [func] named and lwresd will log the command line arguments
        they were started with in the "starting ..." message.

377. [bug] When additional data lookups were refused due to
        "allow-query", the databases were still being
        attached causing reference leaks.

376. [bug] The server should always use good entropy when
        performing cryptographic functions needing entropy.

375. [bug] Per-zone "allow-query" did not properly override the
        view/global one for CNAME targets and additional
        data [RT #220].

374. [bug] SOA in authoritative negative responses had wrong TTL.

373. [func] nslookup is now installed by "make install".

372. [bug] Deal with Microsoft DNS servers appending two bytes of
        garbage to zone transfer requests.

371. [bug] At high debug levels, doing an outgoing zone transfer
        of a very large RRset could cause an assertion failure
        during logging.

370. [bug] The error messages for roll-forward failures were
        overly terse.

369. [func] Support new named.conf options, view and zone
        statements:

                max-retry-time, min-retry-time,
                max-refresh-time, min-refresh-time.

368. [func] Restructure the internal ".bind" view so that more
        zones can be added to it.

367. [bug] Allow proper selection of server on nslookup command
        line.

366. [func] Allow use of '-' batch file in dig for stdin.

365. [bug] nsupdate -k leaked memory.

364. [func] Added additional-from-{cache,auth}

363. [placeholder]

362.
[bug] rndc no longer aborts if the configuration file is
        missing an options statement. [RT #209]

361. [func] When the RBT find or chain functions set the name and
        origin for a node that stores the root label
        the name is now set to an empty name, instead of ".",
        to simplify later use of the name and origin by
        dns_name_concatenate(), dns_name_totext() or
        dns_name_format().

360. [func] dns_name_totext() and dns_name_format() now allow
        an empty name to be passed, which is formatted as "@".

359. [bug] dnssec-signzone occasionally signed glue records.

358. [cleanup] Rename the intermediate files used by the dnssec
        programs.

357. [bug] The zone file parser crashed if the argument
        to $INCLUDE was a quoted string.

356. [cleanup] isc_task_send no longer requires event->sender to
        be non-null.

355. [func] Added isc_dir_createunique(), similar to mkdtemp().

354. [doc] Man pages for the dnssec tools are now included in
        the distribution, in doc/man/dnssec.

353. [bug] double increment in lwres/gethost.c:copytobuf().
        [RT #187]

352. [bug] Race condition in dns_client_t startup could cause
        an assertion failure.

351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
        signed query could crash the server.

350. [bug] Also-notify lists specified in the global options
        block were not correctly reference counted, causing
        a memory leak.

349. [bug] Processing a query with the CD bit set now works
        as expected.

348. [func] New boolean named.conf options 'additional-from-auth'
        and 'additional-from-cache' now supported in view and
        global options statement.

347. [bug] Don't crash if an argument is left off options in dig.

346. [placeholder]

345.
[bug] Large-scale changes/cleanups to dig:
        * Significantly improve structure handling
        * Don't pre-load entire batch files
        * Add name/rr counting/limiting
        * Fix SIGINT handling
        * Shorten timeouts to match v8's behavior

344. [bug] When shutting down, lwresd sometimes tried
        to shut down its client tasks twice,
        triggering an assertion.

343. [bug] Although zone maintenance SOA queries and
        notify requests were signed with TSIG keys
        when configured for the server in case,
        the TSIG was not verified on the response.

342. [bug] The wrong name was being passed to
        dns_name_dup() when generating a TSIG
        key using TKEY.

341. [func] Support 'key' clause in named.conf zone masters
        statement to allow authentication via TSIG keys:

                masters {
                        10.0.0.1 port 5353 key "foo";
                        10.0.0.2 ;
                };

340. [bug] The top-level COPYRIGHT file was missing from
        the distribution.

339. [bug] DNSSEC validation of the response to an ANY
        query at a name with a CNAME RR in a secure
        zone triggered an assertion failure.

338. [bug] lwresd logged to syslog as named, not lwresd.

337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
        on the command line.

336. [bug] "dig -f" used 64 k of memory for each line in
        the file. It now uses much less, though still
        proportionally to the file size.

335. [bug] named would occasionally attempt recursion when
        it was disallowed or undesired.

334. [func] Added hmac-md5 to libisc.

333. [bug] The resolver incorrectly accepted referrals to
        domains that were not parents of the query name,
        causing assertion failures.

332. [func] New function dns_name_reset().

331. [bug] Only log "recursion denied" if RD is set. [RT #178]

330.
[bug] Many debugging messages were partially formatted
        even when debugging was turned off, causing a
        significant decrease in query performance.

329. [func] omapi_auth_register() now takes a size_t argument for
        the length of a key's secret data. Previously
        OMAPI only stored secrets up to the first NUL byte.

328. [func] Added isc_base64_decodestring().

327. [bug] rndc.conf parser wasn't correctly recognizing an IP
        address where a host specification was required.

326. [func] 'keys' in an 'inet' control statement is now
        required and must have at least one item in it.
        A "not supported" warning is now issued if a 'unix'
        control channel is defined.

325. [bug] isc_lex_gettoken was processing octal strings when
        ISC_LEXOPT_CNUMBER was not set.

324. [func] In the resolver, turn EDNS0 off if there is no
        response after a number of retransmissions.
        This is to allow queries some chance of succeeding
        even if all the authoritative servers of a zone
        silently discard EDNS0 requests instead of
        sending an error response like they ought to.

323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
        Because of this, servers authoritative for a parent
        and grandchild zone but not authoritative for the
        intervening child zone did not correctly issue
        referrals to the servers of the child zone.

322. [bug] Queries for KEY RRs are now sent to the parent
        server before the authoritative one, making
        DNSSEC insecurity proofs work in many cases
        where they previously didn't.

321. [bug] When synthesizing a CNAME RR for a DNAME
        response, query_addcname() failed to initialize
        the type and class of the CNAME dns_rdata_t,
        causing random failures.

320.
[func] Multiple rndc changes: parses an rndc.conf file,
        uses authentication to talk to named, command
        line syntax changed. This will all be described
        in the ARM.

319. [func] The named.conf "controls" statement is now used
        to configure the OMAPI command channel.

318. [func] dns_c_ndcctx_destroy() could never return anything
        except ISC_R_SUCCESS; made it have void return instead.

317. [func] Use callbacks from libomapi to determine if a
        new connection is valid, and if a key requested
        to be used with that connection is valid.

316. [bug] Generate a warning if we detect an unexpected <eof>
        but treat as <eol><eof>.

315. [bug] Handle non-empty blank lines. [RT #163]

314. [func] The named.conf controls statement can now have
        more than one key specified for the inet clause.

313. [bug] When parsing resolv.conf, don't terminate on an
        error. Instead, parse as much as possible, but
        still return an error if one was found.

312. [bug] Increase the number of allowed elements in the
        resolv.conf search path from 6 to 8. If there
        are more than this, ignore the remainder rather
        than returning a failure in lwres_conf_parse.

311. [bug] lwres_conf_parse failed when the first line of
        resolv.conf was empty or a comment.

310. [func] Changes to named.conf "controls" statement (inet
        subtype only)

          - support "keys" clause

                controls {
                        inet * port 1024
                                allow { any; } keys { "foo"; }
                }

          - allow "port xxx" to be left out of statement,
            in which case it defaults to omapi's default port
            of 953.

309.
[bug] When sending a referral, the server did not look
        for name server addresses as glue in the zone
        holding the NS RRset in the case where this zone
        was not the same as the one where it looked for
        name server addresses as authoritative data.

308. [bug] Treat a SOA record not at top of zone as an error
        when loading a zone. [RT #154]

307. [bug] When canceling a query, the resolver didn't check for
        isc_socket_sendto() calls that did not yet have their
        completion events posted, so it could (rarely) end up
        destroying the query context and then want to use
        it again when the send event posted, triggering an
        assertion as it tried to cancel an already-canceled
        query. [RT #77]

306. [bug] Reading HMAC-MD5 private key files didn't work.

305. [bug] When reloading the server with a config file
        containing a syntax error, it could catch an
        assertion failure trying to perform zone
        maintenance on tentatively created zones whose
        views were never fully configured and lacked
        an address database.

304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
        are listed in resolv.conf, silently ignore them
        instead of returning failure.

303. [bug] Add additional sanity checks to differentiate an AXFR
        response vs an IXFR response. [RT #157]

302. [bug] In dig, host, and nslookup, MXNAME should be large
        enough to hold any legal domain name in presentation
        format + terminating NULL.

301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]

300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
        on platforms lacking IPv6 because each included their
        own ipv6 header file for the missing definitions. Now
        each library's ipv6.h defines the wrapper symbol of
        the other (ISC_IPV6_H and LWRES_IPV6_H).

299.
[cleanup] Get the user and group information before changing the
        root directory, so the administrator does not need to
        keep a copy of the user and group databases in the
        chroot'ed environment. Suggested by Hakan Olsson.

298. [bug] A mutex deadlock occurred during shutdown of the
        interface manager under certain conditions.
        Digital Unix systems were the most affected.

297. [bug] Specifying a key name that wasn't fully qualified
        in certain parts of the config file could cause
        an assertion failure.

296. [bug] "make install" from a separate build directory
        failed unless configure had been run in the source
        directory, too.

295. [bug] When invoked with type==CNAME and a message
        not constructed by dns_message_parse(),
        dns_message_findname() failed to find anything
        due to checking for attribute bits that are set
        only in dns_message_parse(). This caused an
        infinite loop when constructing the response to
        an ANY query at a CNAME in a secure zone.

294. [bug] If we run out of space in while processing glue
        when reading a master file and commit "current name"
        reverts to "name_current" instead of staying as
        "name_glue".

293. [port] Add support for FreeBSD 4.0 system tests.

292. [bug] Due to problems with the way some operating systems
        handle simultaneous listening on IPv4 and IPv6
        addresses, the server no longer listens on IPv6
        addresses by default. To revert to the previous
        behavior, specify "listen-on-v6 { any; };" in
        the config file.

291. [func] Caching servers no longer send outgoing queries
        over TCP just because the incoming recursive query
        was a TCP one.

290. [cleanup] +twiddle option to dig (for testing only) removed.

289. [cleanup] dig is now installed in $bindir instead of $sbindir.
        host is now installed in $bindir. (Be sure to remove
        any $sbindir/dig from a previous release.)

288. [func] rndc is now installed by "make install" into $sbindir.

287. [bug] rndc now works again as "rndc 127.1 reload" (for
        only that task). Parsing its configuration file and
        using digital signatures for authentication has been
        disabled until named supports the "controls" statement,
        post-9.0.0.

286. [bug] On Solaris 2, when named inherited a signal state
        where SIGHUP had the SIG_IGN action, SIGHUP would
        be ignored rather than causing the server to reload
        its configuration.

285. [bug] A change made to the dst API for beta4 inadvertently
        broke OMAPI's creation of a dst key from an incoming
        message, causing an assertion to be triggered. Fixed.

284. [func] The DNSSEC key generation and signing tools now
        generate randomness from keyboard input on systems
        that lack /dev/random.

283. [cleanup] The 'lwresd' program is now a link to 'named'.

282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
        too big for an unsigned long.

281. [bug] Fixed list of recognized config file category names.

280. [func] Add isc-config.sh, which can be used to more
        easily build applications that link with
        our libraries.

279. [bug] Private omapi function symbols shared between
        two or more files in libomapi.a were not namespace
        protected using the ISC convention of starting with
        the library name and two underscores ("omapi__"...)

278. [bug] bin/named/logconf.c:category_fromconf() didn't take
        note of when isc_log_categorybyname() wasn't able
        to find the category name and would then apply the
        channel list of the unknown category to all categories.

277.
[bug] isc_log_categorybyname() and isc_log_modulebyname()
        would fail to find the first member of any category
        or module array apart from the internal defaults.
        Thus, for example, the "notify" category was improperly
        configured by named.

276. [bug] dig now supports maximum sized TCP messages.

275. [bug] The definition of lwres_gai_strerror() was missing
        the lwres_ prefix.

274. [bug] TSIG AXFR verify failed when talking to a BIND 8
        server.

273. [func] The default for the 'transfer-format' option is
        now 'many-answers'. This will break zone transfers
        to BIND 4.9.5 and older unless there is an explicit
        'one-answer' configuration.

272. [bug] The sending of large TCP responses was canceled
        in mid-transmission due to a race condition
        caused by the failure to set the client object's
        "newstate" variable correctly when transitioning
        to the "working" state.

271. [func] Attempt to probe the number of cpus in named
        if unspecified rather than defaulting to 1.

270. [func] Allow maximum sized TCP answers.

269. [bug] Failed DNSSEC validations could cause an assertion
        failure by causing clone_results() to be called
        with hevent->node == NULL.

268. [doc] A plain text version of the Administrator
        Reference Manual is now included in the distribution,
        as doc/arm/Bv9ARM.txt.

267. [func] Nsupdate is now provided in the distribution.

266. [bug] zone.c:save_nsrrset() node was not initialized.

265. [bug] dns_request_create() now works for TCP.

264. [func] Dispatch can not take TCP sockets in connecting
        state. Set DNS_DISPATCHATTR_CONNECTED when calling
        dns_dispatch_createtcp() for connected TCP sockets
        or call dns_dispatch_starttcp() when the socket is
        connected.

263.
[func] New logging channel type 'stderr'

                channel some-name {
                        stderr;
                        severity error;
                }

262. [bug] 'master' was not initialized in zone.c:stub_callback().

261. [func] Add dns_zone_markdirty().

260. [bug] Running named as a non-root user failed on Linux
        kernels new enough to support retaining capabilities
        after setuid().

259. [func] New random-device and random-seed-file statements
        for global options block of named.conf. Both accept
        a single string argument.

258. [bug] Fixed printing of lwres_addr_t.address field.

257. [bug] The server detached the last zone manager reference
        too early, while it could still be in use by queries.
        This manifested itself as assertion failures during the
        shutdown process for busy name servers. [RT #133]

256. [func] isc_ratelimiter_t now has attach/detach semantics, and
        isc_ratelimiter_shutdown guarantees that the rate
        limiter is detached from its task.

255. [func] New function dns_zonemgr_attach().

254. [bug] Suppress "query denied" messages on additional data
        lookups.

        --- 9.0.0b4 released ---

253. [func] resolv.conf parser now recognizes ';' and '#' as
        comments (anywhere in line, not just at the beginning).

252. [bug] resolv.conf parser mishandled masks on sortlists.
        It also aborted when an unrecognized keyword was seen,
        now it silently ignores the entire line.

251. [bug] lwresd caught an assertion failure on startup.

250. [bug] fixed handling of size+unit when value would be too
        large for internal representation.

249. [cleanup] max-cache-size config option now takes a size-spec
        like 'datasize', except 'default' is not allowed.

248. [bug] global lame-ttl option was not being printed when
        config structures were written out.

 247.	[cleanup]	Rename cache-size config option to max-cache-size.

 246.	[func]		Rename global option cachesize to cache-size and
			add corresponding option to view statement.

 245.	[bug]		If an uncompressed name will take more than 255
			bytes and the buffer is sufficiently long,
			dns_name_fromwire should return DNS_R_FORMERR,
			not ISC_R_NOSPACE. This bug caused the
			server to catch an assertion failure when it
			received a query for a name longer than 255
			bytes.

 244.	[bug]		empty named.conf file and empty options statement are
			now parsed properly.

 243.	[func]		new cachesize option for named.conf

 242.	[cleanup]	fixed incorrect warning about auth-nxdomain usage.

 241.	[cleanup]	nscount and soacount have been removed from the
			dns_master_*() argument lists.

 240.	[func]		databases now come in three flavours: zone, cache
			and stub.

 239.	[func]		If ISC_MEM_DEBUG is enabled, the variable
			isc_mem_debugging controls whether messages
			are printed or not.

 238.	[cleanup]	A few more compilation warnings have been quieted:
			+ missing sigwait prototype on BSD/OS 4.0/4.0.1.
			+ PTHREAD_ONCE_INIT unbraced initializer warnings on
			  Solaris 2.8.
			+ IN6ADDR_ANY_INIT unbraced initializer warnings on
			  BSD/OS 4.*, Linux and Solaris 2.8.

 237.	[bug]		If connect() returned ENOBUFS when the resolver was
			initiating a TCP query, the socket didn't get
			destroyed, and the server did not shut down cleanly.

 236.	[func]		Added new listen-on-v6 config file statement.

 235.	[func]		Consider it a config file error if a listen-on
			statement has an IPv6 address in it, or a
			listen-on-v6 statement has an IPv4 address in it.

 234.
[bug]		Allow a trusted-key's first field (domain-name) to be
			either a quoted or an unquoted string, instead of
			requiring a quoted string.

 233.	[cleanup]	Convert all config structure integer values to unsigned
			integer (isc_uint32_t) to match grammar.

 232.	[bug]		Allow slave zones to not have a file.

 231.	[func]		Support new 'port' clause in config file options
			section. Causes 'listen-on', 'masters' and
			'also-notify' statements to use its value instead of
			default (53).

 230.	[func]		Replace the dst sign/verify API with a cleaner one.

 229.	[func]		Support config file sig-validity-interval statement
			in options, views and zone statements (master
			zones only).

 228.	[cleanup]	Logging messages in config module stripped of
			trailing period.

 227.	[cleanup]	The enumerated identifiers dns_rdataclass_*,
			dns_rcode_*, dns_opcode_*, and dns_trust_* are
			also now cast to their appropriate types, as with
			dns_rdatatype_* in item number 225 below.

 226.	[func]		dns_name_totext() now always prints the root name as
			'.', even when omit_final_dot is true.

 225.	[cleanup]	The enumerated dns_rdatatype_* identifiers are now
			cast to dns_rdatatype_t via macros of their same name
			so that they are of the proper integral type wherever
			a dns_rdatatype_t is needed.

 224.	[cleanup]	The entire project builds cleanly with gcc's
			-Wcast-qual and -Wwrite-strings warnings enabled,
			which is now the default when using gcc. (Warnings
			from confparser.c, because of yacc's code, are
			unfortunately to be expected.)

 223.	[func]		Several functions were re-prototyped to qualify one
			or more of their arguments with "const". Similarly,
			several functions that return pointers now have
			those pointers qualified with const.

 222.
[bug]		The global 'also-notify' option was ignored.

 221.	[bug]		An uninitialized variable was sometimes passed to
			dns_rdata_freestruct() when loading a zone, causing
			an assertion failure.

 220.	[cleanup]	Set the default outgoing port in the view, and
			set it in sockaddrs returned from the ADB.
			[31-May-2000 explorer]

 219.	[bug]		Signed truncated messages more correctly follow
			the respective specs.

 218.	[func]		When an rdataset is signed, its ttl is normalized
			based on the signature validity period.

 217.	[func]		Also-notify and trusted-keys can now be used in
			the 'view' statement.

 216.	[func]		The 'max-cache-ttl' and 'max-ncache-ttl' options
			now work.

 215.	[bug]		Failures at certain points in request processing
			could cause the assertion INSIST(client->lockview
			== NULL) to be triggered.

 214.	[func]		New public function isc_netaddr_format(), for
			formatting network addresses in log messages.

 213.	[bug]		Don't leak memory when reloading the zone if
			an update-policy clause was present in the old zone.

 212.	[func]		Added dns_message_get/settsigkey, to make TSIG
			key management reasonable.

 211.	[func]		The 'key' and 'server' statements can now occur
			inside 'view' statements.

 210.	[bug]		The 'allow-transfer' option was ignored for slave
			zones, and the 'transfers-per-ns' option was
			ignored for all zones.

 209.	[cleanup]	Upgraded openssl files to new version 0.9.5a

 208.	[func]		Added ISC_OFFSET_MAXIMUM for the maximum value
			of an isc_offset_t.

 207.	[func]		The dnssec tools properly use the logging subsystem.

 206.	[cleanup]	dst now stores the key name as a dns_name_t, not
			a char *.

 205.
[cleanup]	On IRIX, turn off the mostly harmless warnings 1692
			("prototyped function redeclared without prototype")
			and 1552 ("variable ... set but not used") when
			compiling in the lib/dns/sec/{dnssafe,openssl}
			directories, which contain code imported from outside
			sources.

 204.	[cleanup]	On HP/UX, pass +vnocompatwarnings to the linker
			to quiet the warnings that "The linked output may not
			run on a PA 1.x system."

 203.	[func]		notify and zone soa queries are now tsig signed when
			appropriate.

 202.	[func]		isc_lex_getsourceline() changed from returning int
			to returning unsigned long, the type of its underlying
			counter.

 201.	[cleanup]	Removed the test/sdig program, it has been
			replaced by bin/dig/dig.

	--- 9.0.0b3 released ---

 200.	[bug]		Failures in sending query responses to clients
			(e.g., running out of network buffers) were
			not logged.

 199.	[bug]		isc_heap_delete() sometimes violated the heap
			invariant, causing timer events not to be posted
			when due.

 198.	[func]		Dispatch managers hold memory pools which
			any managed dispatcher may use. This allows
			us to avoid dipping into the memory context for
			most allocations. [19-May-2000 explorer]

 197.	[bug]		When an incoming AXFR or IXFR completes, the
			zone's internal state is refreshed from the
			SOA data. [19-May-2000 explorer]

 196.	[func]		Dispatchers can be shared easily between views
			and/or interfaces. [19-May-2000 explorer]

 195.	[bug]		Including the NXT record of the root domain
			in a negative response caused an assertion
			failure.

 194.	[doc]		The PDF version of the Administrator's Reference
			Manual is no longer included in the ISC BIND9
			distribution.

 193.	[func]		changed dst_key_free() prototype.

 192.
[bug]		Zone configuration validation is now done at end
			of config file parsing, and before loading
			callbacks.

 191.	[func]		Patched to compile on UnixWare 7.x. This platform
			is not directly supported by the ISC.

 190.	[cleanup]	The DNSSEC tools have been moved to a separate
			directory dnssec/ and given the following new,
			more descriptive names:

				dnssec-keygen
				dnssec-signzone
				dnssec-signkey
				dnssec-makekeyset

			Their command line arguments have also been changed to
			be more consistent. dnssec-keygen now prints the
			name of the generated key files (sans extension)
			on standard output to simplify its use in automated
			scripts.

 189.	[func]		isc_time_secondsastimet(), a new function, will ensure
			that the number of seconds in an isc_time_t does not
			exceed the range of a time_t, or return ISC_R_RANGE.
			Similarly, isc_time_now(), isc_time_nowplusinterval(),
			isc_time_add() and isc_time_subtract() now check the
			range for overflow/underflow. In the case of
			isc_time_subtract, this changed a calling requirement
			(ie, something that could generate an assertion)
			into merely a condition that returns an error result.
			isc_time_add() and isc_time_subtract() were
			void-valued before but now return isc_result_t.

 188.	[func]		Log a warning message when an incoming zone transfer
			contains out-of-zone data.

 187.	[func]		isc_ratelimiter_enqueue() has an additional argument
			'task'.

 186.	[func]		dns_request_getresponse() has an additional argument
			'preserve_order'.

 185.	[bug]		Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
			public functions did not have an isc__ prefix, and
			referred to functions that had previously been
			renamed.

 184.
[cleanup]	Variables/functions which began with two leading
			underscores were made to conform to the ANSI/ISO
			standard, which says that such names are reserved.

 183.	[func]		ISC_LOG_PRINTTAG option for log channels. Useful
			for logging the program name or other identifier.

 182.	[cleanup]	New command-line parameters for dnssec tools

 181.	[func]		Added dst_key_buildfilename and dst_key_parsefilename

 180.	[func]		New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.

 179.	[func]		options named.conf statement *must* now come
			before any zone or view statements.

 178.	[func]		Post-load of named.conf check verifies a slave zone
			has non-empty list of masters defined.

 177.	[func]		New per-zone boolean:

				enable-zone yes | no ;

			intended to let a zone be disabled without having
			to comment out the entire zone statement.

 176.	[func]		New global and per-view option:

				max-cache-ttl number

 175.	[func]		New global and per-view option:

				additional-data internal | minimal | maximal;

 174.	[func]		New public function isc_sockaddr_format(), for
			formatting socket addresses in log messages.

 173.	[func]		Keep a queue of zones waiting for zone transfer
			quota so that a new transfer can be dispatched
			immediately whenever quota becomes available.

 172.	[bug]		$TTL directive was sometimes missing from dumped
			master files because totext_ctx_init() failed to
			initialize ctx->current_ttl_valid.

 171.	[cleanup]	On NetBSD systems, the mit-pthreads or
			unproven-pthreads library is now always used
			unless --with-ptl2 is explicitly specified on
			the configure command line. The
			--with-mit-pthreads option is no longer needed
			and has been removed.

 170.
[cleanup]	Remove inter server consistency checks from zone,
			these should return as a separate module in 9.1.
			dns_zone_checkservers(), dns_zone_checkparents(),
			dns_zone_checkchildren(), dns_zone_checkglue().

			Remove dns_zone_setadb(), dns_zone_setresolver(),
			dns_zone_setrequestmgr() these should now be found
			via the view.

 169.	[func]		ratelimiter can now process N events per interval.

 168.	[bug]		include statements in named.conf caused syntax errors
			due to not consuming the semicolon ending the include
			statement before switching input streams.

 167.	[bug]		Make lack of masters for a slave zone a soft error.

 166.	[bug]		Keygen was overwriting existing keys if key_id
			conflicted, now it will retry, and non-null keys
			with key_id == 0 are not generated anymore. Key
			was not able to generate NOAUTHCONF DSA key,
			increased RSA key size to 2048 bits.

 165.	[cleanup]	Silence "end-of-loop condition not reached" warnings
			from Solaris compiler.

 164.	[func]		Added functions isc_stdio_open(), isc_stdio_close(),
			isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
			isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
			to encapsulate nonportable usage of errno and sync.

 163.	[func]		Added result codes ISC_R_FILENOTFOUND and
			ISC_R_FILEEXISTS.

 162.	[bug]		Ensure proper range for arguments to ctype.h functions.

 161.	[cleanup]	error in yyparse prototype that only HPUX caught.

 160.	[cleanup]	getnet*() are not going to be implemented at this
			stage.

 159.	[func]		Redefinition of config file elements is now an
			error (instead of a warning).

 158.	[bug]		Log channel and category list copy routines
			weren't assigning properly to output parameter.

 157.	[port]		Fix missing prototype for getopt().

 156.
[func]		Support new 'database' statement in zone.

				database "quoted-string";

 155.	[bug]		ns_notify_start() was not detaching the found zone.

 154.	[func]		The signer now logs libdns warnings to stderr even when
			not verbose, and in a nicer format.

 153.	[func]		dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
			is NULL then you need to preserve the 'rdata' until
			you have finished using the structure as there may be
			references to the associated memory. If 'mctx' is
			non-NULL it is guaranteed that there are no references
			to memory associated with 'rdata'.

			dns_rdata_freestruct() must be called if 'mctx' was
			non-NULL and may safely be called if 'mctx' was NULL.

 152.	[bug]		keygen dumped core if domain name argument was omitted
			from command line.

 151.	[func]		Support 'disabled' statement in zone config (causes
			zone to be parsed and then ignored). Currently must
			come after the 'type' clause.

 150.	[func]		Support optional ports in masters and also-notify
			statements:

				masters [ port xxx ] { y.y.y.y [ port zzz ] ; }

 149.	[cleanup]	Removed unused argument 'olist' from
			dns_c_view_unsetordering().

 148.	[cleanup]	Stop issuing some warnings about some configuration
			file statements that were not implemented, but now are.

 147.	[bug]		Changed yacc union size to be smaller for yaccs that
			put yacc-stack on the real stack.

 146.	[cleanup]	More general redundant header file cleanup. Rather
			than continuing to itemize every header which changed,
			this changelog entry just notes that if a header file
			did not need another header file that it was including
			in order to provide its advertised functionality, the
			inclusion of the other header file was removed. See
			util/check-includes for how this was tested.

 145.
[cleanup]	Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
			ISC_LANG_ENDDECLS to header files that had function
			prototypes, and removed it from those that did not.

 144.	[cleanup]	libdns header files too numerous to name were made
			to conform to the same style for multiple inclusion
			protection.

 143.	[func]		Added function dns_rdatatype_isknown().

 142.	[cleanup]	<isc/stdtime.h> does not need <time.h> or
			<isc/result.h>.

 141.	[bug]		Corrupt requests with multiple questions could
			cause an assertion failure.

 140.	[cleanup]	<isc/time.h> does not need <time.h> or <isc/result.h>.

 139.	[cleanup]	<isc/net.h> now includes <isc/types.h> instead of
			<isc/int.h> and <isc/result.h>.

 138.	[cleanup]	isc_strtouq moved from str.[ch] to string.[ch] and
			renamed isc_string_touint64. isc_strsep moved from
			strsep.c to string.c and renamed isc_string_separate.

 137.	[cleanup]	<isc/commandline.h>, <isc/mem.h>, <isc/print.h>
			<isc/serial.h>, <isc/string.h> and <isc/offset.h>
			made to conform to the same style for multiple
			inclusion protection.

 136.	[cleanup]	<isc/commandline.h>, <isc/interfaceiter.h>,
			<isc/net.h> and Win32's <isc/thread.h> needed
			ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.

 135.	[cleanup]	Win32's <isc/condition.h> did not need <isc/result.h>
			or <isc/boolean.h>, now uses <isc/types.h> in place
			of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
			and ISC_LANG_ENDDECLS.

 134.	[cleanup]	<isc/dir.h> does not need <limits.h>.

 133.	[cleanup]	<isc/ipv6.h> needs <isc/platform.h>.

 132.	[cleanup]	<isc/app.h> does not need <isc/task.h>, but does
			need <isc/eventclass.h>.

 131.	[cleanup]	<isc/mutex.h> and <isc/util.h> need <isc/result.h>
			for ISC_R_* codes used in macros.

 130.
[cleanup]	<isc/condition.h> does not need <pthread.h> or
			<isc/boolean.h>, and now includes <isc/types.h>
			instead of <isc/time.h>.

 129.	[bug]		The 'default_debug' log channel was not set up when
			'category default' was present in the config file

 128.	[cleanup]	<isc/dir.h> had ISC_LANG_BEGINDECLS instead of
			ISC_LANG_ENDDECLS at end of header.

 127.	[cleanup]	The contracts for the comparison routines
			dns_name_fullcompare(), dns_name_compare(),
			dns_name_rdatacompare(), and dns_rdata_compare() now
			specify that the order value returned is < 0, 0, or > 0
			instead of -1, 0, or 1.

 126.	[cleanup]	<isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.

 125.	[cleanup]	<isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
			<isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
			<isc/resultclass.h> do not need <isc/lang.h>.

 124.	[func]		signer now imports parent's zone key signature
			and creates null keys/sets zone status bit for
			children when necessary

 123.	[cleanup]	<isc/event.h> does not need <stddef.h>.

 122.	[cleanup]	<isc/task.h> does not need <isc/mem.h> or
			<isc/result.h>.

 121.	[cleanup]	<isc/symtab.h> does not need <isc/mem.h> or
			<isc/result.h>. Multiple inclusion protection
			symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
			isc_symtab_t moved to <isc/types.h>.

 120.	[cleanup]	<isc/socket.h> does not need <isc/boolean.h>,
			<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
			<isc/net.h>.

 119.	[cleanup]	structure definitions for generic rdata structures do
			not have _generic_ in their names.

 118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
			YACC crust (yyparse, etc) [2000-apr-27 explorer]

 117.
[cleanup]	libdns.a changes:
			dns_zone_clearnotify() and dns_zone_addnotify()
			are replaced by dns_zone_setnotifyalso().
			dns_zone_clearmasters() and dns_zone_addmaster()
			are replaced by dns_zone_setmasters().

 116.	[func]		Added <isc/offset.h> for isc_offset_t (aka off_t
			on Unix systems).

 115.	[port]		Shut up the -Wmissing-declarations warning about
			<stdio.h>'s __sputaux on BSD/OS pre-4.1.

 114.	[cleanup]	<isc/sockaddr.h> does not need <isc/buffer.h> or
			<isc/list.h>.

 113.	[func]		Utility programs dig and host added.

 112.	[cleanup]	<isc/serial.h> does not need <isc/boolean.h>.

 111.	[cleanup]	<isc/rwlock.h> does not need <isc/result.h> or
			<isc/mutex.h>.

 110.	[cleanup]	<isc/result.h> does not need <isc/boolean.h> or
			<isc/list.h>.

 109.	[bug]		"make depend" did nothing for
			bin/tests/{db,mem,sockaddr,tasks,timers}/.

 108.	[cleanup]	DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
			<dns/types.h> to <dns/bit.h> and renamed to
			DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.

 107.	[func]		Add keysigner and keysettool.

 106.	[func]		Allow dnssec verifications to ignore the validity
			period. Used by several of the dnssec tools.

 105.	[doc]		doc/dev/coding.html expanded with other
			implicit conventions the developers have used.

 104.	[bug]		Made compress_add and compress_find static to
			lib/dns/compress.c.

 103.
[func]		libisc buffer API changes for <isc/buffer.h>:
			Added:
				isc_buffer_base(b)		(pointer)
				isc_buffer_current(b)		(pointer)
				isc_buffer_active(b)		(pointer)
				isc_buffer_used(b)		(pointer)
				isc_buffer_length(b)		(int)
				isc_buffer_usedlength(b)	(int)
				isc_buffer_consumedlength(b)	(int)
				isc_buffer_remaininglength(b)	(int)
				isc_buffer_activelength(b)	(int)
				isc_buffer_availablelength(b)	(int)
			Removed:
				ISC_BUFFER_USEDCOUNT(b)
				ISC_BUFFER_AVAILABLECOUNT(b)
				isc_buffer_type(b)
			Changed names:
				isc_buffer_used(b, r) ->
					isc_buffer_usedregion(b, r)
				isc_buffer_available(b, r) ->
					isc_buffer_available_region(b, r)
				isc_buffer_consumed(b, r) ->
					isc_buffer_consumedregion(b, r)
				isc_buffer_active(b, r) ->
					isc_buffer_activeregion(b, r)
				isc_buffer_remaining(b, r) ->
					isc_buffer_remainingregion(b, r)

			Buffer types were removed, so the ISC_BUFFERTYPE_*
			macros are no more, and the type argument to
			isc_buffer_init and isc_buffer_allocate were removed.
			isc_buffer_putstr is now void (instead of isc_result_t)
			and requires that the caller ensure that there
			is enough available buffer space for the string.

 102.	[port]		Correctly detect inet_aton, inet_pton and inet_ptop
			on BSD/OS 4.1.

 101.	[cleanup]	Quieted EGCS warnings from lib/isc/print.c.

 100.	[cleanup]	<isc/random.h> does not need <isc/int.h> or
			<isc/mutex.h>. isc_random_t moved to <isc/types.h>.

  99.	[cleanup]	Rate limiter now has separate shutdown() and
			destroy() functions, and it guarantees that all
			queued events are delivered even in the shutdown case.

  98.	[cleanup]	<isc/print.h> does not need <stdarg.h> or <stddef.h>
			unless ISC_PLATFORM_NEEDVSNPRINTF is defined.

  97.	[cleanup]	<isc/ondestroy.h> does not need <stddef.h> or
			<isc/event.h>.

  96.
[cleanup]	<isc/mutex.h> does not need <isc/result.h>.

  95.	[cleanup]	<isc/mutexblock.h> does not need <isc/result.h>.

  94.	[cleanup]	Some installed header files did not compile as C++.

  93.	[cleanup]	<isc/msgcat.h> does not need <isc/result.h>.

  92.	[cleanup]	<isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
			or <isc/result.h>.

  91.	[cleanup]	<isc/log.h> does not need <sys/types.h> or
			<isc/result.h>.

  90.	[cleanup]	Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
			from <named/listenlist.h>.

  89.	[cleanup]	<isc/lex.h> does not need <stddef.h>.

  88.	[cleanup]	<isc/interfaceiter.h> does not need <isc/result.h> or
			<isc/mem.h>. isc_interface_t and isc_interfaceiter_t
			moved to <isc/types.h>.

  87.	[cleanup]	<isc/heap.h> does not need <isc/boolean.h>,
			<isc/mem.h> or <isc/result.h>.

  86.	[cleanup]	isc_bufferlist_t moved from <isc/bufferlist.h> to
			<isc/types.h>.

  85.	[cleanup]	<isc/bufferlist.h> does not need <isc/buffer.h>,
			<isc/list.h>, <isc/mem.h>, <isc/region.h> or
			<isc/int.h>.

  84.	[func]		allow-query ACL checks now apply to all data
			added to a response.

  83.	[func]		If the server is authoritative for both a
			delegating zone and its (nonsecure) delegatee, and
			a query is made for a KEY RR at the top of the
			delegatee, then the server will look for a KEY
			in the delegator if it is not found in the delegatee.

  82.	[cleanup]	<isc/buffer.h> does not need <isc/list.h>.

  81.	[cleanup]	<isc/int.h> and <isc/boolean.h> do not need
			<isc/lang.h>.

  80.	[cleanup]	<isc/print.h> does not need <stdio.h> or <stdlib.h>.

  79.	[cleanup]	<dns/callbacks.h> does not need <stdio.h>.

  78.	[cleanup]	lwres_conftest renamed to lwresconf_test for
			consistency with other *_test programs.

  77.
[cleanup]	typedef of isc_time_t and isc_interval_t moved from
			<isc/time.h> to <isc/types.h>.

  76.	[cleanup]	Rewrote keygen.

  75.	[func]		Don't load a zone if its database file is older
			than the last time the zone was loaded.

  74.	[cleanup]	Removed mktemplate.o and ufile.o from libisc.a,
			subsumed by file.o.

  73.	[func]		New "file" API in libisc, including new function
			isc_file_getmodtime, isc_mktemplate renamed to
			isc_file_mktemplate and isc_ufile renamed to
			isc_file_openunique. By no means an exhaustive API,
			it is just what's needed for now.

  72.	[func]		DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
			added for dns_rbt_findnode, the former to disable the
			setting of the chain to the predecessor, and the
			latter to make clear when no options are set.

  71.	[cleanup]	Made explicit the implicit REQUIREs of
			isc_time_seconds, isc_time_nanoseconds, and
			isc_time_subtract.

  70.	[func]		isc_time_set() added.

  69.	[bug]		The zone object's master and also-notify lists grew
			longer with each server reload.

  68.	[func]		Partial support for SIG(0) on incoming messages.

  67.	[performance]	Allow use of alternate (compile-time supplied)
			OpenSSL libraries/headers.

  66.	[func]		Data in authoritative zones should have a trust level
			beyond secure.

  65.	[cleanup]	Removed obsolete typedef of dns_zone_callbackarg_t
			from <dns/types.h>.

  64.	[func]		The RBT, DB, and zone table APIs now allow the
			caller to find the most-enclosing superdomain of
			a name.

  63.	[func]		Generate NOTIFY messages.

  62.	[func]		Add UDP refresh support.

  61.	[cleanup]	Use single quotes consistently in log messages.

  60.	[func]		Catch and disallow singleton types on message
			parse.

  59.
[bug]		Cause net/host unreachable to be a hard error
			when sending and receiving.

  58.	[bug]		bin/named/query.c could sometimes trigger the
			(client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
			== 0 assertion in query_newname().

  57.	[func]		Added dns_nxt_typepresent()

  56.	[bug]		SIG records were not properly returned in cached
			negative answers.

  55.	[bug]		Responses containing multiple names in the authority
			section were not negatively cached.

  54.	[bug]		If a fetch with sigrdataset==NULL joined one with
			sigrdataset!=NULL or vice versa, the resolver
			could catch an assertion or lose signature data,
			respectively.

  53.	[port]		freebsd 4.0: lib/isc/unix/socket.c requires
			<sys/param.h>.

  52.	[bug]		rndc: taskmgr and socketmgr were not initialized
			to NULL.

  51.	[cleanup]	dns/compress.h and dns/zt.h did not need to include
			dns/rbt.h; it was needed only by compress.c and zt.c.

  50.	[func]		RBT deletion no longer requires a valid chain to work,
			and dns_rbt_deletenode was added.

  49.	[func]		Each cache now has its own mctx.

  48.	[func]		isc_task_create() no longer takes an mctx.
			isc_task_mem() has been eliminated.

  47.	[func]		A number of modules now use memory context reference
			counting.

  46.	[func]		Memory contexts are now reference counted.
			Added isc_mem_inuse() and isc_mem_preallocate().
			Renamed isc_mem_destroy_check() to
			isc_mem_setdestroycheck().

  45.	[bug]		The trusted-key statement incorrectly loaded keys.

  44.	[bug]		Don't include authority data if it would force us
			to unset the AD bit in the message.

  43.	[bug]		DNSSEC verification of cached rdatasets was failing.

  42.
[cleanup]	Simplified logging of messages with embedded domain
			names by introducing a new convenience function
			dns_name_format().

  41.	[func]		Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
			to allow 'named' to run as a non-root user while
			retaining the ability to bind() to privileged
			ports.

  40.	[func]		Introduced new logging category "dnssec" and
			logging module "dns/validator".

  39.	[cleanup]	Moved the typedefs for isc_region_t, isc_textregion_t,
			and isc_lex_t to <isc/types.h>.

  38.	[bug]		TSIG signed incoming zone transfers work now.

  37.	[bug]		If the first RR in an incoming zone transfer was
			not an SOA, the server died with an assertion failure
			instead of just reporting an error.

  36.	[cleanup]	Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS

  35.	[performance]	Log messages which are of a level too high to be
			logged by any channel in the logging configuration
			will not cause the log mutex to be locked.

  34.	[bug]		Recursion was allowed even with 'recursion no'.

  33.	[func]		The RBT now maintains a parent pointer at each node.

  32.	[cleanup]	bin/lwresd/client.c needs <string.h> for memset()
			prototype.

  31.	[bug]		Use ${LIBTOOL} to compile bin/named/main.@O@.

  30.	[func]		config file grammar change to support optional
			class type for a view.

  29.	[func]		support new config file view options:

				auth-nxdomain recursion query-source
				query-source-v6 transfer-source
				transfer-source-v6 max-transfer-time-out
				max-transfer-idle-out transfer-format
				request-ixfr provide-ixfr cleaning-interval
				fetch-glue notify rfc2308-type1 lame-ttl
				max-ncache-ttl min-roots

  28.	[func]		support lame-ttl, min-roots and serial-queries
			config global options.

  27.
[bug]		Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
			Including it on other platforms (eg, NetBSD) can
			cause a forced #error from the C preprocessor.

  26.	[func]		new match-clients statement in config file view.

  25.	[bug]		make install failed to install <isc/log.h> and
			<isc/ondestroy.h>.

  24.	[cleanup]	Eliminate some unnecessary #includes of header
			files from header files.

  23.	[cleanup]	Provide more context in log messages about client
			requests, using a new function ns_client_log().

  22.	[bug]		SIGs weren't returned in the answer section when
			the query resulted in a fetch.

  21.	[port]		Look at STD_CINCLUDES after CINCLUDES during
			compilation, so additional system include directories
			can be searched but header files in the bind9 source
			tree with conflicting names take precedence. This
			avoids issues with installed versions of dnssafe and
			openssl.

  20.	[func]		Configuration file post-load validation of zones
			failed if there were no zones.

  19.	[bug]		dns_zone_notifyreceive() failed to unlock the zone
			lock in certain error cases.

  18.	[bug]		Use AC_TRY_LINK rather than AC_TRY_COMPILE in
			configure.in to check for presence of in6addr_any.

  17.	[func]		Do configuration file post-load validation of zones.

  16.	[bug]		put quotes around key names on config file
			output to avoid possible keyword clashes.

  15.	[func]		Add dns_name_dupwithoffsets(). This function
			improves comparison performance for duped names.

  14.	[bug]		free_rbtdb() could have 'put' unallocated memory in
			an unlikely error path.

  13.	[bug]		lib/dns/master.c and lib/dns/xfrin.c didn't ignore
			out-of-zone data.

  12.	[bug]		Fixed possible uninitialized variable error.

  11.
[bug]		axfr_rrstream_first() didn't check the result code of
			db_rr_iterator_first(), possibly causing an assertion
			to be triggered later.

  10.	[bug]		A bug in the code which makes EDNS0 OPT records in
			bin/named/client.c and lib/dns/resolver.c could
			trigger an assertion.

   9.	[cleanup]	replaced bit-setting code in confctx.c and replaced
			repeated code with macro calls.

   8.	[bug]		Shutdown of incoming zone transfer accessed
			freed memory.

   7.	[cleanup]	removed 'listen-on' from view statement.

   6.	[bug]		quote RR names when generating config file to
			prevent possible clash with config file keywords
			(such as 'key').

   5.	[func]		syntax change to named.conf file: new ssu grant/deny
			statements must now be enclosed by an 'update-policy'
			block.

   4.	[port]		bin/named/unix/os.c didn't compile on systems with
			linux 2.3 kernel includes due to conflicts between
			C library includes and the kernel includes. We now
			get only what we need from <linux/capability.h>, and
			avoid pulling in other linux kernel .h files.

   3.	[bug]		TKEYs go in the answer section of responses, not
			the additional section.

   2.	[bug]		Generating cryptographic randomness failed on
			systems without /dev/random.

   1.	[bug]		The installdirs rule in
			lib/isc/unix/include/isc/Makefile.in had a typo which
			prevented the isc directory from being created if it
			didn't exist.

	--- 9.0.0b2 released ---

# This tells Emacs to use hard tabs in this file.
# Local Variables:
# indent-tabs-mode: t
# End: