1 --- 9.11.37 released --- 2 35817. [security] The rules for acceptance of records into the cache 4 have been tightened to prevent the possibility of 5 poisoning if forwarders send records outside 6 the configured bailiwick. (CVE-2021-25220) [GL #2950] 7 8 --- 9.11.36 released --- 9 105736. [security] The "lame-ttl" option is now forcibly set to 0. This 11 effectively disables the lame server cache, as it could 12 previously be abused by an attacker to significantly 13 degrade resolver performance. (CVE-2021-25219) 14 [GL #2899] 15 165716. [bug] Multiple library names were mistakenly passed to the 17 krb5-config utility when ./configure was invoked with 18 the --with-gssapi=[/path/to/]krb5-config option. This 19 has been fixed by invoking krb5-config separately for 20 each required library. [GL #2866] 21 22 --- 9.11.35 released --- 23 245685. [bug] named failed to check the opcode of responses when 25 performing zone refreshes, stub zone updates, and UPDATE 26 forwarding. This has been fixed. [GL #2762] 27 28 --- 9.11.34 released --- 29 30 --- 9.11.33 released --- 31 32 --- 9.11.32 released --- 33 345631. [protocol] Update the implementation of the ZONEMD RR type to match 35 RFC 8976. [GL #2658] 36 375630. [func] Treat DNSSEC responses containing NSEC3 records with 38 iteration counts greater than 150 as insecure. 39 [GL #2445] 40 415629. [func] Reduce the maximum supported number of NSEC3 iterations 42 that can be configured for a zone to 150. [GL #2642] 43 44 --- 9.11.31 released --- 45 465621. [bug] Due to a backporting mistake in change 5609, named 47 binaries built against a Kerberos/GSSAPI library whose 48 header files did not define the GSS_SPNEGO_MECHANISM 49 preprocessor macro were not able to start if their 50 configuration included the "tkey-gssapi-credential" 51 option. This has been fixed. [GL #2634] 52 53 --- 9.11.30 released --- 54 555617. 
[security] A specially crafted GSS-TSIG query could cause a buffer 56 overflow in the ISC implementation of SPNEGO. 57 (CVE-2021-25216) [GL #2604] 58 595616. [security] named crashed when a DNAME record placed in the ANSWER 60 section during DNAME chasing turned out to be the final 61 answer to a client query. (CVE-2021-25215) [GL #2540] 62 635615. [security] Insufficient IXFR checks could result in named serving a 64 zone without an SOA record at the apex, leading to a 65 RUNTIME_CHECK assertion failure when the zone was 66 subsequently refreshed. This has been fixed by adding an 67 owner name check for all SOA records which are included 68 in a zone transfer. (CVE-2021-25214) [GL #2467] 69 705614. [bug] Ensure all resources are properly cleaned up when a call 71 to gss_accept_sec_context() fails. [GL #2620] 72 735609. [func] The ISC implementation of SPNEGO was removed from BIND 9 74 source code. It was no longer necessary as all major 75 contemporary Kerberos/GSSAPI libraries include support 76 for SPNEGO. [GL #2607] 77 78 --- 9.11.29 released --- 79 805586. [bug] An invalid direction field in a LOC record resulted in 81 an INSIST failure when a zone file containing such a 82 record was loaded. [GL #2499] 83 84 --- 9.11.28 released --- 85 865562. [security] Fix off-by-one bug in ISC SPNEGO implementation. 87 (CVE-2020-8625) [GL #2354] 88 89 --- 9.11.27 released --- 90 915559. [bug] The --with-maxminddb=PATH form of the build-time option 92 enabling support for libmaxminddb was not working 93 correctly. This has been fixed. [GL #2366] 94 955557. [bug] Prevent RBTDB instances from being destroyed by multiple 96 threads at the same time. [GL #2317] 97 985548. [bug] named exited with an assertion failure upon startup when 99 compiled with --disable-threads and --with-epoll. 100 [GL !4454] 101 1025547. [bug] BIND 9 failed to build with --disable-threads and 103 --with-geoip2. [GL #2324] 104 105 --- 9.11.26 released --- 106 1075544. 
[func] Restore the default value of "nocookie-udp-size" to 4096 108 bytes. [GL #2250] 109 1105541. [func] Adjust the "max-recursion-queries" default from 75 to 111 100. [GL #2305] 112 1135540. [port] Fix building with native PKCS#11 support for AEP Keyper. 114 [GL #2315] 115 1165539. [bug] Tighten handling of missing DNS COOKIE responses over 117 UDP by falling back to TCP. [GL #2275] 118 1195534. [bug] The CNAME synthesized from a DNAME was incorrectly 120 followed when the QTYPE was CNAME or ANY. [GL #2280] 121 122 --- 9.11.25 released --- 123 1245527. [bug] A NULL pointer dereference occurred when creating an NTA 125 recheck query failed. [GL #2244] 126 1275523. [bug] The initial lookup in a zone transitioning to/from a 128 signed state could fail if the DNSKEY RRset was not 129 found. [GL #2236] 130 1315518. [bug] Stub zones now work correctly with primary servers using 132 "minimal-responses yes". [GL #1736] 133 134 --- 9.11.24 released --- 135 1365516. [func] The default EDNS buffer size has been changed from 4096 137 to 1232 bytes. [GL #2183] 138 1395513. [doc] The ARM section describing the "rrset-order" statement 140 was rewritten to make it unambiguous and up-to-date with 141 the source code. [GL #2139] 142 1435510. [bug] Implement the attach/detach semantics for dns_message_t 144 to fix a data race in accessing an already-destroyed 145 fctx->rmessage. [GL #2124] 146 1475506. [bug] Properly handle failed sysconf() calls, so we don't 148 report invalid memory size. [GL #2166] 149 150 --- 9.11.23 released --- 151 1525497. [bug] 'dig +bufsize=0' failed to disable EDNS. [GL #2054] 153 1545496. [bug] Address a TSAN report by ensuring each rate limiter 155 object holds a reference to its task. [GL #2081] 156 1575492. [bug] Tighten LOC parsing to reject a period (".") and/or "m" 158 as a value. Fix handling of negative altitudes which are 159 not whole meters. [GL #2074] 160 1615489. 
[bug] Named erroneously accepted certain invalid resource 162 records that were incorrectly processed after 163 subsequently being written to disk and loaded back, as 164 the wire format differed. Such records include: CERT, 165 IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and 166 X25. [GL !3953] 167 1685488. [bug] NTA code needed to have a weak reference on its 169 associated view to prevent the latter from being deleted 170 while NTA tests were being performed. [GL #2067] 171 172 --- 9.11.22 released --- 173 1745481. [security] "update-policy" rules of type "subdomain" were 175 incorrectly treated as "zonesub" rules, which allowed 176 keys used in "subdomain" rules to update names outside 177 of the specified subdomains. The problem was fixed by 178 making sure "subdomain" rules are again processed as 179 described in the ARM. (CVE-2020-8624) [GL #2055] 180 1815480. [security] When BIND 9 was compiled with native PKCS#11 support, it 182 was possible to trigger an assertion failure in code 183 determining the number of bits in the PKCS#11 RSA public 184 key with a specially crafted packet. (CVE-2020-8623) 185 [GL #2037] 186 1875476. [security] It was possible to trigger an assertion failure when 188 verifying the response to a TSIG-signed request. 189 (CVE-2020-8622) [GL #2028] 190 1915475. [bug] Wildcard RPZ passthru rules could incorrectly be 192 overridden by other rules that were loaded from RPZ 193 zones which appeared later in the "response-policy" 194 statement. This has been fixed. [GL #1619] 195 1965474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE 197 when it should have. [GL !3880] 198 1995465. [func] Added fallback to built-in trust-anchors, managed-keys, 200 or trusted-keys if the bindkeys-file (bind.keys) cannot 201 be parsed. [GL #1235] 202 2035463. [bug] Address a potential NULL pointer dereference when out of 204 memory in dnstap.c. [GL #2010] 205 2065462. [bug] Move LMDB locking from LMDB itself to named. 
[GL #1976] 207 208 --- 9.11.21 released --- 209 2105458. [bug] Prevent a theoretically possible NULL dereference caused 211 by a data race between zone_maintenance() and 212 dns_zone_setview_helper(). [GL #1627] 213 2145455. [bug] named could crash when cleaning dead nodes in 215 lib/dns/rbtdb.c that were being reused. [GL #1968] 216 2175447. [bug] IPv6 addresses ending in "::" could break YAML 218 parsing. A "0" is now appended to such addresses 219 in YAML output from dig, mdig, delv, and dnstap-read. 220 [GL #1952] 221 2225446. [bug] The validator could fail to accept a properly signed 223 RRset if an unsupported algorithm appeared earlier in 224 the DNSKEY RRset than a supported algorithm. It could 225 also stop if it detected a malformed public key. 226 [GL #1689] 227 2285440. [test] Properly handle missing kyua. [GL #1950] 229 230 --- 9.11.20 released --- 231 2325437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr(). 233 [GL #1808] 234 2355434. [security] It was possible to trigger an INSIST in 236 lib/dns/rbtdb.c:new_reference() with a particular zone 237 content and query patterns. (CVE-2020-8619) [GL #1111] 238 [GL #1718] 239 2405433. [test] Prevent the resolver system test for change #5395 241 (max-recursion-queries) from failing on systems without 242 IPv6 support. [GL #1873] 243 2445428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr 245 has been destroyed. Thanks to Petr Menšík. [GL !3316] 246 2475427. [bug] Fix a regression in address/prefix length checking that 248 should have been a warning instead of an error. 249 [GL #1849] 250 2515415. [test] Address race in dnssec system test that led to 252 test failures. [GL #1852] 253 2545413. [test] Address race in autosign system test that led to 255 test failures. [GL #1852] 256 2575412. [bug] 'provide-ixfr no;' failed to return up-to-date responses 258 when the serial was greater than or equal to the 259 current serial. [GL #1714] 260 2615409. 
[performance] When looking up NSEC3 data in a zone database, skip the 262 check for empty non-terminal nodes; the NSEC3 tree does 263 not have any. [GL #1834] 264 2655408. [protocol] Print Extended DNS Errors if present in OPT record. 266 [GL #1835] 267 2685405. [bug] 'named-checkconf -p' could include spurious text in 269 server-addresses statements due to an uninitialized DSCP 270 value. [GL #1812] 271 272 --- 9.11.19 released --- 273 2745404. [bug] 'named-checkconf -z' could incorrectly indicate 275 success if errors were found in one view but not in a 276 subsequent one. [GL #1807] 277 2785398. [bug] Named could fail to restart if a zone with a double 279 quote (") in its name was added with 'rndc addzone'. 280 [GL #1695] 281 2825395. [security] Further limit the number of queries that can be 283 triggered from a request. Root and TLD servers 284 are no longer exempt from max-recursion-queries. 285 Fetches for missing name server address records 286 are limited to 4 for any domain. (CVE-2020-8616) 287 [GL #1388] 288 2895394. [cleanup] Named formerly attempted to change the effective UID and 290 GID in named_os_openfile(), which could trigger a 291 spurious log message if they were already set to the 292 desired values. This has been fixed. [GL #1042] 293 [GL #1090] 294 2955390. [security] Replaying a TSIG BADTIME response as a request could 296 trigger an assertion failure. (CVE-2020-8617) 297 [GL #1703] 298 2995387. [func] Warn about AXFR streams with inconsistent message IDs. 300 [GL #1674] 301 302 --- 9.11.18 released --- 303 3045380. [contrib] Fix building MySQL DLZ modules against MySQL 8 305 libraries. [GL #1678] 306 3075379. [doc] Clean up serve-stale related options that leaked into 308 the BIND 9.11 release. [GL !3265] 309 3105378. [bug] Receiving invalid DNS data was triggering an assertion 311 failure in nslookup. [GL #1652] 312 3135377. [feature] Detect atomic operations support on ppc64le. Thanks to 314 Petr Menšík. [GL !3295] 315 3165376. 
[bug] Fix ineffective DNS rebinding protection when BIND is 317 configured as a forwarding DNS server. Thanks to Tobias 318 Klein. [GL #1574] 319 3205368. [bug] Named failed to restart if 'rndc addzone' names 321 contained special characters (e.g. '/'). [GL #1655] 322 323 --- 9.11.17 released --- 324 3255358. [bug] Inline master zones whose master files were touched 326 but otherwise unchanged and were subsequently reloaded 327 may have stopped re-signing. [GL !3135] 328 3295357. [bug] Newly added RRSIG records with expiry times before 330 the previous earliest expiry times might not be 331 re-signed in time. This was a side effect of 5315. 332 [GL !3137] 333 334 --- 9.11.16 released --- 335 3365353. [doc] Document port and dscp parameters in forwarders 337 configuration option. [GL #914] 338 3395352. [bug] Correctly handle catalog zone entries containing 340 characters that aren't legal in filenames. [GL #1592] 341 3425351. [bug] CDS / CDNSKEY consistency checks failed to handle 343 removal records. [GL #1554] 344 3455350. [bug] When a view was configured with class CHAOS, 346 dns_view_findzonecut() could incorrectly return 347 success for non-existent records. [GL #1540] 348 3495348. [bug] dnssec-settime -Psync was not being honoured. 350 [GL !2925] 351 352 --- 9.11.15 released --- 353 3545339. [bug] With some libmaxminddb versions, named could erroneously 355 match an IP address not belonging to any subnet defined 356 in a given GeoIP2 database to one of the existing 357 entries in that database. [GL #1552] 358 3595338. [bug] Fix line spacing in `rndc secroots`. 360 Thanks to Tony Finch. [GL !2478] 361 3625337. [func] 'named -V' now reports maxminddb and protobuf-c 363 versions. [GL !2686] 364 365 --- 9.11.14 released --- 366 3675330. [bug] 'configure --without-python' was ineffective if 368 PYTHON was set in the environment. [GL #1434] 369 3705329. [bug] Reconfiguring named caused memory to be leaked when any 371 GeoIP2 database was in use. 
[GL #1445] 372 3735328. [bug] rbtdb.c:rdataset_{get,set}ownercase failed to obtain 374 a node lock. [GL #1417] 375 3765327. [func] Added a statistics counter to track queries 377 dropped because the recursive-clients quota was 378 exceeded. [GL #1399] 379 3805326. [bug] Add Python dependency on 'distutils.core' to configure. 381 'distutils.core' is required for installation. 382 [GL #1397] 383 3845322. [bug] Conditional compilation of lock_callback was 385 inconsistent with conditional use of the function 386 when forcing BIND to build with older and unsupported 387 versions of OpenSSL. [GL #1386] 388 3895321. [bug] Obtain write lock before updating version->records 390 and version->bytes. [GL #1341] 391 392 --- 9.11.13 released --- 393 3945315. [bug] Apply the initial RRSIG expiration spread fixed 395 to all dynamically created records in the zone 396 including NSEC3. Also fix the signature clusters 397 when the server has been offline for prolonged 398 period of times. [GL #1256] 399 4005314. [func] Added a new statistics variable "tcp-highwater" 401 that reports the maximum number of simultaneous TCP 402 clients BIND has handled while running. [GL #1206] 403 4045313. [bug] The default GeoIP2 database location did not match 405 the ARM. 'named -V' now reports the default 406 location. [GL #1301] 407 4085310. [bug] TCP failures were affecting EDNS statistics. [GL #1059] 409 4105309. [bug] "geoip-use-ecs yes;" was not working for GeoIP2. 411 [GL #1275] 412 4135308. [bug] Don't log DNS_R_UNCHANGED from sync_secure_journal() 414 at ERROR level in receive_secure_serial(). [GL #1288] 415 4165307. [bug] Fix hang when named-compilezone output is sent to pipe. 417 Thanks to Tony Finch. [GL !2481] 418 4195306. [security] Set a limit on the number of concurrently served 420 pipelined TCP queries. (CVE-2019-6477) [GL #1264] 421 4225302. [bug] Fix checking that "dnstap-output" is defined when 423 "dnstap" is specified in a view. [GL #1281] 424 4255301. 
[bug] Detect partial prefixes / incomplete IPv4 address in 426 acls. [GL #1143] 427 428 --- 9.11.12 released --- 429 4305296. [bug] Address various issues reported by cppcheck. [GL !2421] 431 4325294. [func] Fallback to ACE name on output in locale, which does not 433 support converting it to unicode. [GL #846] 434 4355293. [bug] On Windows, named crashed upon any attempt to fetch XML 436 statistics from it. [GL #1245] 437 4385292. [bug] Queue 'rndc nsec3param' requests while signing inline 439 zone changes. [GL #1205] 440 441 --- 9.11.11 released --- 442 4435291. [cleanup] Revert change #4825 as it was not appropriate for 9.11. 444 [GL #1213] 445 4465290. [bug] Address potential NULL pointer dereference in 447 isc_ht_find. [GL #1211] 448 4495287. [bug] Address potential NULL pointer dereference. [GL #1208] 450 4515286. [contrib] Address potential NULL pointer dereferences in 452 dlz_mysqldyn_mod.c. [GL #1207] 453 4545285. [port] win32: implement "-T maxudpXXX". [GL #837] 455 4565282. [bug] Fixed a bug in searching for possible wildcard matches 457 for query names in the RPZ summary database. [GL #1146] 458 4595281. [cleanup] Don't escape commas when reporting named's command 460 line. [GL #1189] 461 4625280. [protocol] Add support for displaying EDNS option LLQ. [GL #1201] 463 4645279. [bug] When loading, reject zones containing CDS or CDNSKEY 465 RRsets at the zone apex if they would cause DNSSEC 466 validation failures if published in the parent zone 467 as the DS RRset. [GL #1187] 468 469 --- 9.11.10 released --- 470 4715275. [bug] Mark DS records included in referral messages 472 with trust level "pending" so that they can be 473 validated and cached immediately, with no need to 474 re-query. [GL #964] 475 4765273. [bug] Check that bits [64..71] of a dns64 prefix are zero. 477 [GL #1159] 478 4795269. [port] cygwin: can return ETIMEDOUT on connect() with a 480 non-blocking socket. [GL #1133] 481 4825268. 
[bug] named could crash during configuration if 483 configured to use "geoip continent" ACLs with 484 legacy GeoIP. [GL #1163] 485 4865266. [bug] named-checkconf failed to report dnstap-output 487 missing from named.conf when dnstap was specified. 488 [GL #1136] 489 4905265. [bug] DNS64 and RPZ nodata (CNAME *.) rules interacted badly 491 [GL #1106] 492 4935264. [func] New DNS Cookie algorithm - siphash24 - has been added to 494 BIND 9. [GL #605] 495 496 --- 9.11.9 released --- 497 4985260. [bug] dnstap-read was producing malformed output for large 499 packets. [GL #1093] 500 5015258. [func] Added support for the GeoIP2 API from MaxMind, 502 when BIND is compiled using "configure --with-geoip2". 503 The legacy GeoIP API can be enabled by using 504 "configure --with-geoip" instead. These options 505 cannot be used together. 506 507 Certain geoip ACL settings that were available with 508 legacy GeoIP are not available when using GeoIP2. 509 See the ARM for details. [GL #182] 510 5115257. [bug] Some statistics data was not being displayed. 512 Add shading to the zone tables. [GL #1030] 513 5145256. [bug] Ensure that glue records are included in root 515 priming responses if "minimal-responses" is not 516 set to "yes". [GL #1092] 517 5185255. [bug] Errors encountered while reloading inline-signing 519 zones could be ignored, causing the zone content to 520 be left in an incompletely updated state rather than 521 reverted. [GL #1109] 522 5235253. [port] Support platforms that don't define ULLONG_MAX. 524 [GL #1098] 525 5265249. [bug] Fix a possible underflow in recursion clients 527 statistics when hitting recursive clients 528 soft quota. [GL #1067] 529 530 --- 9.11.8 released --- 531 5325244. [security] Fixed a race condition in dns_dispatch_getnext() 533 that could cause an assertion failure if a 534 significant number of incoming packets were 535 rejected. (CVE-2019-6471) [GL #942] 536 5375241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs. 
538 [GL #225] 539 5405237. [bug] Recurse to find the root server list with 'dig +trace'. 541 [GL #1028] 542 543 --- 9.11.7 released --- 544 5455233. [bug] Negative trust anchors did not work with "forward only;" 546 to validating resolvers. [GL #997] 547 5485232. [bug] Fix a high-load race/crash in isc_socket_cancel(). 549 [GL #834] 550 5515231. [protocol] Add support for displaying CLIENT-TAG and SERVER-TAG. 552 [GL #960] 553 5545229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852] 555 5565228. [cleanup] If trusted-keys and managed-keys are configured 557 simultaneously for the same name, the key cannot 558 be rolled automatically. This configuration now 559 logs a warning. [GL #868] 560 5615224. [bug] Only test provide-ixfr on TCP streams. [GL #991] 562 5635222. [bug] 'delv -t ANY' could leak memory. [GL #983] 564 5655221. [test] Enable parallel execution of system tests on 566 Windows. [GL !4101] 567 5685218. [bug] Conditionally include <dlfcn.h>. [GL #995] 569 5705214. [bug] win32: named now removes its lock file upon shutdown. 571 [GL #979] 572 5735213. [bug] win32: Eliminated a race which allowed named.exe running 574 as a service to be killed prematurely during shutdown. 575 [GL #978] 576 5775210. [bug] When dnstap is enabled and recursion is not 578 available, incoming queries are now logged 579 as "auth". Previously, this depended on whether 580 recursion was requested by the client, not on 581 whether recursion was available. [GL #963] 582 5835209. [bug] When update-check-ksk is true, add_sigs was not 584 considering offline keys, leaving record sets signed 585 with the incorrect type key. [GL #763] 586 5875208. [test] Run valid rdata wire encodings through totext+fromtext 588 and tofmttext+fromtext methods to check these methods. 589 [GL #899] 590 5915207. [test] Check delv and dig TTL values. [GL #965] 592 5935205. [bug] Enforce that a DS hash exists. [GL #899] 594 5955204. 
[test] Check that dns_rdata_fromtext() produces a record that 596 will be accepted by dns_rdata_fromwire(). [GL #852] 597 5985203. [bug] Enforce whether key rdata exists or not in KEY, 599 DNSKEY, CDNSKEY and RKEY. [GL #899] 600 6015197. [bug] dig could die in best effort mode on multiple SIG(0) 602 records. Similarly on multiple OPT and multiple TSIG 603 records. [GL #920] 604 6055194. [bug] Enforce non empty ZOMEMD hash. [GL #899] 606 6075193. [bug] EID and NIMLOC failed to do multi-line output 608 correctly. [GL #899] 609 6105192. [bug] configure --fips-mode failed. [GL #946] 611 6125191. [port] Darwin: dlzexternal/driver.so was not building. 613 [GL #948] 614 6155189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945] 616 6175187. [test] Set time zone before running any tests in dnstap_test. 618 [GL #940] 619 6205185. [bug] PKCS11 build could fail if ECDSA is not supported. 621 [GL #935] 622 6235184. [bug] Missing unlocks in sdlz.c. [GL #936] 624 6255182. [bug] Fix a high-load race/crash in handling of 626 isc_socket_close() in resolver. [GL #834] 627 6285180. [bug] delv now honors the operating system's preferred 629 ephemeral port range. [GL #925] 630 6315179. [cleanup] Replace some vague type declarations with the more 632 specific dns_secalg_t and dns_dsdigest_t. 633 Thanks to Tony Finch. [GL !1498] 634 6355178. [bug] Handle EDQUOT (disk quota) and ENOSPC (disk full) 636 errors when writing files. [GL #902] 637 6385176. [tests] Remove a dependency on libxml in statschannel system 639 test. [GL #926] 640 6415175. [bug] Fixed a problem with file input in dnssec-keymgr, 642 dnssec-coverage and dnssec-checkds when using 643 python3. [GL #882] 644 6455174. [doc] Tidy dnssec-keygen manual. [GL !1557] 646 6475172. [bug] nsupdate now honors the operating system's preferred 648 ephemeral port range. [GL #905] 649 6505170. [test] Added --with-dlz-filesystem to feature-test. [GL !1587] 651 6525168. [test] Do not crash on shutdown when RPZ fails to load. 
Also, 653 keep previous version of the database if RPZ fails to 654 load. [GL #813] 655 6565167. [bug] nxdomain-redirect could sometimes lookup the wrong 657 redirect name. [GL #892] 658 659 --- 9.11.6-P1 released --- 660 6615200. [security] tcp-clients settings could be exceeded in some cases, 662 which could lead to exhaustion of file descriptors. 663 (CVE-2018-5743) [GL #615] 664 665 --- 9.11.6 released --- 666 667 --- 9.11.6rc1 released --- 668 6695166. [port] openbsd: Threads are now enabled by default. [GL !1548] 670 6715164. [bug] Correct errno to result translation in dlz filesystem 672 modules. [GL #884] 673 6745163. [cleanup] Out-of-tree builds failed --enable-dnstap. [GL #836] 675 6765162. [cleanup] Improve dnssec-keymgr manual. Thanks to Tony Finch. 677 [GL !1518] 678 6795160. [contrib] Added DNAME support to the DLZ LDAP schema. Also 680 fixed a compilation bug affecting several DLZ 681 modules. [GL #872] 682 6835159. [bug] dnssec-coverage was incorrectly ignoring 684 names specified on the command line without 685 trailing dots. [GL !1478] 686 6875158. [protocol] Add support for AMTRELAY and ZONEMD. [GL #867] 688 6895157. [bug] Nslookup now errors out if there are extra command 690 line arguments. [GL #207] 691 6925154. [bug] dig: process_opt could be called twice on the same 693 message leading to a assertion failure. [GL #860] 694 6955148. [bug] named did not sign the TKEY response. [GL #821] 696 6975147. [bug] dnssec-keymgr: Add a five-minute margin to better 698 handle key events close to 'now'. [GL #848] 699 7005146. [bug] Removed an unnecessary assert that could be 701 triggered from PKCS#11 modules during 702 deconstruction. [GL #841] 703 7045143. [bug] dnssec-keymgr and dnssec-coverage failed to find 705 key files for zone names ending in ".". [GL #560] 706 7075141. [security] Zone transfer controls for writable DLZ zones were 708 not effective as the allowzonexfr method was not being 709 called for such zones. 
(CVE-2019-6465) [GL #790] 710 7115140. [bug] Don't immediately mark existing keys as inactive and 712 deleted when running dnssec-keymgr for the first 713 time. [GL #117] 714 7155139. [bug] If possible, don't use forwarders when priming. 716 This ensures we can get root server IP addresses 717 from priming query response glue, which may not 718 be present if the forwarding server is returning 719 minimal responses. [GL #752] 720 7215134. [bug] win32: WSAStartup was not called before getservbyname 722 was called. [GL #590] 723 7245133. [bug] 'rndc managed-keys' didn't handle class and view 725 correctly and failed to add new lines between each 726 view. [GL !1327] 727 7285128. [bug] Refreshkeytime was not being updated for managed 729 keys zones. [GL #784] 730 7315127. [bug] rcode.c:maybe_numeric failed to handle NUL in text 732 regions. [GL #807] 733 7345126. [bug] Named incorrectly accepted empty base64 and hex encoded 735 fields when reading master files. [GL #807] 736 7375125. [bug] Allow for up to 100 records or 64k of data when caching 738 a negative response. [GL #804] 739 7405124. [bug] Named could incorrectly return FORMERR rather than 741 SERVFAIL. [GL #804] 742 7435123. [bug] dig could hang indefinitely after encountering an error 744 before creating a TCP socket. [GL #692] 745 7465122. [bug] In a "forward first;" configuration, a forwarder 747 timeout did not prevent that forwarder from being 748 queried again after falling back to full recursive 749 resolution. [GL #315] 750 7515121. [contrib] dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none 752 matching zone names. [GL !1299] 753 7545118. [security] Named could crash if it is managing a key with 755 `managed-keys` and the authoritative zone is rolling 756 the key to an unsupported algorithm. (CVE-2018-5745) 757 [GL #780] 758 7595112. [bug] Named/named-checkconf could dump core if there was 760 a missing masters clause and a bad notify clause. 761 [GL #779] 762 7635111. 
[bug] Occluded DNSKEY records could make it into the 764 delegating NSEC/NSEC3 bitmap. [GL #742] 765 7665110. [security] Named leaked memory if there were multiple Key Tag 767 EDNS options present. (CVE-2018-5744) [GL #772] 768 7695108. [bug] Named could fail to determine bottom of zone when 770 removing out of date keys leading to invalid NSEC 771 and NSEC3 records being added to the zone. [GL #771] 772 7735107. [bug] 'host -U' did not work. [GL #769] 774 7755104. [cleanup] Log clearer informational message when a catz zone 776 is overridden by a zone in named.conf. 777 Thanks to Tony Finch. [GL !1157] 778 7795103. [bug] Add missing design by contract tests to dns_catz*. 780 [GL #748] 781 7825102. [bug] dnssec-coverage failed to use the default TTL when 783 checking KSK deletion times leading to a exception. 784 [GL #585] 785 7865101. [bug] Fix default installation path for Python modules. 787 [GL #730] 788 7895098. [func] Failed memory allocations are now fatal. [GL #674] 790 7915097. [cleanup] Remove embedded ATF unit testing framework 792 from BIND source distribution. [GL !875] 793 7945095. [test] Converted all unit tests from ATF to CMocka; 795 removed the source code for the ATF libraries. 796 Build with "configure --with-cmocka" to enable 797 unit testing. [GL #620] 798 7995094. [func] Add 'dig -r' to disable reading of .digrc. [GL !970] 800 8015092. [bug] Address memory leak on SIGTERM in nsupdate when using 802 GSS-TSIG. [GL #558] 803 8045090. [bug] dig and mdig failed to properly pre-parse dash value 805 pairs when value was a separate argument and started 806 with a dash. [GL #584] 807 8085088. [bug] dig/host/nslookup could crash when interrupted close to 809 a query timeout. [GL #599] 810 8115087. [test] Check that result tables are complete. [GL #676] 812 8135086. [func] Log of RPZ now includes the QTYPE and QCLASS. [GL #623] 814 8155084. 
[func] Add configure time detection of Utimaco HSM 816 and disable runtime md5/sha1 detection when it 817 compiled with it. [GL #656] 818 8195079. [func] Disable IDN processing in dig and nslookup 820 when not on a tty. [GL #653] 821 8225078. [cleanup] Require python components to be explicitly disabled if 823 python is not available on unix platforms. [GL #601] 824 8255076. [bug] "require-server-cookie" was not effective if 826 "rate-limit" was configured. [GL #617] 827 8285072. [bug] Add unit tests for isc_buffer_copyregion() and fix its 829 behavior for auto-reallocated buffers. [GL #644] 830 8315071. [bug] Comparison of NXT records was broken. [GL #631] 832 8335070. [bug] Record types which support a empty rdata field were 834 not handling the empty rdata field case. [GL #638] 835 8365066. [cleanup] Allow unquoted strings to be used as a zone names 837 in response-policy statements. [GL #641] 838 8395065. [bug] Only set IPV6_USE_MIN_MTU on IPv6. [GL #553] 840 8415064. [test] Initialize TZ environment variable before calling 842 dns_test_begin in dnstap_test. [GL #624] 843 8445061. [protocol] Add support for EID and NIMLOC. [GL #626] 845 8465060. [bug] GID, UID and UINFO could not be loaded using unknown 847 record format. [GL #627] 848 8495059. [bug] Display a per-view list of zones in the web interface. 850 [GL #427] 851 8525057. [protocol] Add support for ATMA. [GL #619] 853 8545051. [doc] Documentation incorrectly stated that the 855 "server-addresses" static-stub zone option accepts 856 custom port numbers. [GL #582] 857 8585042. [test] Make the chained delegations in reclimit behave 859 like they would in a regular name server. [GL #578] 860 8615041. [test] The chain test contains a incomplete delegation. 862 [GL #568] 863 8645039. [bug] Named could fail to preserve owner name case of new 865 RRset. [GL #420] 866 8674887. [test] Enable the rpzrecurse test to run on Windows. 
			[RT #47093]

	--- 9.11.5 released ---

	--- 9.11.5rc1 released ---

5038.	[bug]		Chaosnet addresses were compared incorrectly.
			[GL #562]

5034.	[bug]		A race between threads could prevent zone maintenance
			scheduled immediately after zone load from being
			performed. [GL #542]

5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
			the text returned via rndc was incorrectly terminated
			after the first line, making it look as if only one
			NTA had been added. Also, it was not possible to
			differentiate between views with the same name but
			different classes; this has been corrected with the
			addition of a "-class" option. [GL #105]

5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
			[GL #511]

5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
			on architectures with strict alignment. [GL #521]

5028.	[bug]		Spread the initial RRSIG expiration times over the
			entire working sig-validity-interval when signing a
			zone in named to even out re-signing and transfer
			loads. [GL #418]

5026.	[bug]		rndc reconfig should not touch already loaded zones.
			[GL #276]

5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
			krb5-subdomain documentation. [GL !708]

5021.	[bug]		dig returned a non-zero exit code when it received a
			reply over TCP after a retry. [GL #487]

5019.	[cleanup]	A message is now logged when ixfr-from-differences is
			set at zone level for an inline-signed zone. [GL #470]

5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
			[GL !588]

5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
			releasing the lock which is unsafe. [GL !589]

5016.	[bug]		Named could assert with overlapping filter-aaaa and
			dns64 acls. [GL #445]

5015.	[bug]		Reloading all zones caused zone maintenance to cease
			for inline-signed zones. [GL #435]

5014.	[bug]		Signatures loaded from the journal for the signed
			version of an inline-signed zone were not scheduled for
			refresh. [GL #482]

5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]

5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
			error queue was not logged. [GL #476]

5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
			ignored for zones which were not yet loaded or
			transferred. [GL #468]

5007.	[cleanup]	Replace custom ISC boolean and integer data types
			with C99 stdint.h and stdbool.h types. [GL #9]

5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
			step, failed on some validly signed zones. [GL #442]

5004.	[bug]		'rndc reconfig' could cause inline zones to stop
			re-signing. [GL #439]

5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
			[GL #406]

5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
			+ednsopt options per query rather than 100 total and
			address memory leaks if +ednsopt was specified.
			[GL #410]

5001.	[bug]		Fix refcount errors on error paths. [GL !563]

4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]

4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]

4994.	[bug]		Trust anchor telemetry queries were not being sent
			upstream for locally served zones. [GL #392]

4992.	[bug]		The wrong address was being logged for trust anchor
			telemetry queries. [GL #379]

4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
			[GL #401]

	--- 9.11.4-P1 released ---

4997.	[security]	named could crash during recursive processing
			of DNAME records when "deny-answer-aliases" was
			in use. (CVE-2018-5740) [GL #387]

	--- 9.11.4 released ---

	--- 9.11.4rc2 released ---

4984.	[bug]		Improve handling of very large incremental
			zone transfers to prevent journal corruption.
			[GL #339]

4983.	[cleanup]	Remove the deprecated flag from "answer-cookie";
			it will be allowed to persist into 9.13. [GL #275].

4982.	[cleanup]	Return FORMERR if the question section is empty
			and no COOKIE option is present; this restores
			older behavior except in the newly specified
			COOKIE case. [GL #260]

4981.	[bug]		Fix race in cmsg buffer usage in socket code.
			[GL #180]

4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
			[GL #288]

4979.	[bug]		Non-libcap builds were not checking whether all
			requested capabilities are present in the permitted
			capability set. [GL #321]

4977.	[func]		When starting up, log the same details that
			would be reported by 'named -V'. [GL #247]

4975.	[bug]		The server cookie computation for sha1 and sha256 did
			not match the method described in RFC 7873. [GL #356]

4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
			to be const. [GL #341]

4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
			below a DNAME as out-of-zone data. [GL #298]

4969.	[cleanup]	Refactor zone logging functions. [GL #269]

	--- 9.11.4rc1 released ---

4968.	[bug]		If glue records are signed, attempt to validate them.
			[GL #209]

4966.	[func]		Add the ability to not return a DNS COOKIE option
			when one is present in the request (answer-cookie no;).
			[GL #173]

4965.	[func]		Add support for marking options as deprecated.
			[GL #322]

4964.	[bug]		Reduce the probability of double signature when deleting
			a DNSKEY by checking if the node is otherwise signed
			by the algorithm of the key to be deleted. [GL #240]

4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
			if available, to configure the test interfaces on
			linux. [GL #302]

4962.	[cleanup]	Move 'named -T' processing to its own function.
			[GL #316]

4960.	[security]	When recursion is enabled, but the "allow-recursion"
			and "allow-query-cache" ACLs are not specified,
			they should be limited to local networks,
			but were inadvertently set to match the default
			"allow-query", thus allowing remote queries.
			(CVE-2018-5738) [GL #309]

4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]

4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
			[GL #286]

4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
			per RFC 8375. [GL #273]

4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not being set. [GL #238]

4949.	[bug]		lib/isc/print.c failed to handle floating point
			output correctly. [GL #261]

4946.	[bug]		Additional glue was not being returned by resolver
			for unsigned zones since change 4596. [GL #209]

4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]

4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
			calls were added). [GL #191]

4933.	[bug]		Not creating signing keys for an inline signed zone
			prevented changes applied to the raw zone from being
			reflected in the secure zone until signing keys were
			made available. [GL #159]

4932.	[bug]		Bumped signed serial of an inline signed zone was
			logged even when an error occurred while updating
			signatures. [GL #159]

4930.	[bug]		Remove a bogus check in nslookup command line
			argument processing. [GL #206]

4926.	[func]		Add root key sentinel support. To disable, add
			'root-key-sentinel no;' to named.conf. [GL #37]

4922.	[bug]		dnstap: Log the destination address of client
			packets rather than the interface address.
			[GL #197]

4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
			code to make usage of the new function, as a part of
			refactoring dns_fixedname_*() macros were turned into
			functions. [GL #183]

4918.	[bug]		Fix double free after keygen error in dnssec-keygen
			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
			fails. [GL #109]

4915.	[func]		Implement IDNA2008 support in dig by adding support
			for libidn2. New dig option +idnin has been added,
			which allows to process invalid domain names much
			like dig without IDN support. libidn2 version 2.0
			or higher is needed for +idnout enabled by default.

4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
			removed the lib/tests unit testing library. [GL #115]

4911.	[test]		Improved the reliability of the 'mkeys' system test.
			[GL #128]

4910.	[func]		Update util/check-changes to work on release branches.
			[GL #113]

4909.	[bug]		named-checkconf did not detect in-view zone collisions.
			[GL #125]

4908.	[test]		Eliminated unnecessary waiting in the allow_query
			system test. Also changed its name to allow-query.
			[GL #81]

4907.	[test]		Improved the reliability of the 'notify' system
			test. [GL #59]

4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
			when "domain" or "search" options were present in that
			file. [GL #110]

4903.	[bug]		"check-mx fail;" did not prevent MX records containing
			IP addresses from being added to a zone by a dynamic
			update. [GL #112]

4902.	[test]		Improved the reliability of the 'ixfr' system
			test. [GL #66]

4899.	[test]		Convert most of the remaining system tests to be able
			to run in parallel, continuing the work from change
			#4895. To take advantage of this, use "make -jN check",
			where N is the number of processors to use. [GL #91]

4896.	[test]		cacheclean system test was not robust. [GL #82]

4895.	[test]		Allow some system tests to run in parallel.
			[RT #46602]

4893.	[bug]		Address various issues reported by cppcheck. [GL #51]

4892.	[bug]		named could leak memory when "rndc reload" was invoked
			before all zone loading actions triggered by a previous
			"rndc reload" command were completed. [RT #47076]

4699.	[func]		Multiple cookie-secret clauses can now be specified.
			The first one specified is used to generate new
			server cookies. [RT #45672]

	--- 9.11.3 released ---

	--- 9.11.3rc2 released ---

4904.	[bug]		Temporarily revert change #4859. [GL #124]

	--- 9.11.3rc1 released ---

4889.	[func]		Warn about the use of old root keys without the new
			root key being present. Warn about dlv.isc.org's
			key being present. Warn about both managed and
			trusted root keys being present. [RT #43670]

4888.	[test]		Initialize sockets correctly in sample-update so
			that the nsupdate system test will run on Windows.
			[RT #47097]

4886.	[doc]		Document dig -u in manpage. [RT #47150]

4885.	[security]	update-policy rules that otherwise ignore the name
			field now require that it be set to "." to ensure
			that any type list present is properly interpreted.
			[RT #47126]

4882.	[bug]		Address potential memory leak in
			dns_update_signaturesinc. [RT #47084]

4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
			[RT #47068]

4879.	[bug]		dns_rdata_caa:value_len field was too small.
			[RT #47086]

4878.	[bug]		List 'ply' as a requirement for the 'isc' python
			package. [RT #47065]

4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
			macros. Provide an alternative mechanism to turn
			on the use of inline macros when building BIND.
			[RT #46520]

	--- 9.11.3b1 released ---

4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]

4875.	[bug]		Address compile failures on older systems. [RT #47015]

4874.	[bug]		Wrong time display when reporting new keywarntime.
			[RT #47042]

4873.	[doc]		Grammars for named.conf included in the ARM are now
			automatically generated by the configuration parser
			itself. As a side effect of the work needed to
			separate zone type grammars from each other, this
			also makes checking of zone statements in
			named-checkconf more correct and consistent.
			[RT #36957]

4872.	[bug]		Don't permit loading meta RR types such as TKEY
			from master files. [RT #47009]

4871.	[bug]		Fix configure glitch in detecting stdatomic.h
			support on systems with multiple compilers.
			[RT #46959]

4870.	[test]		Update included ATF library to atf-0.21 preserving
			the ATF tool. [RT #46967]

4869.	[bug]		Address some cases where NULL with zero length could
			be passed to memmove which is undefined behaviour and
			can lead to bad optimisation. [RT #46888]

4867.	[cleanup]	Normalize rndc on/off commands (validation and
			querylog) so they accept the same synonyms
			for on/off (yes/no, true/false, enable/disable).
			Thanks to Tony Finch. [RT #47022]

4866.	[port]		DST library initialization verifies MD5 (when MD5
			was not disabled) and SHA-1 hash and HMAC support.
			[RT #46764]

4864.	[bug]		named acting as a slave for a catalog zone crashed if
			the latter contained a master definition without an IP
			address. [RT #45999]

4863.	[bug]		Fix various other bugs reported by Valgrind's
			memcheck tool. [RT #46978]

4862.	[bug]		The rdata flags for RRSIG were not being properly set
			when constructing a rdataslab. [RT #46978]

4861.	[bug]		The isc_crc64 unit test was not endian independent.
			[RT #46973]

4860.	[bug]		isc_int8_t should be signed char.
			[RT #46973]

4859.	[bug]		A loop was possible when attempting to validate
			unsigned CNAME responses from secure zones;
			this caused a delay in returning SERVFAIL and
			also increased the chances of encountering
			CVE-2017-3145. [RT #46839]

4858.	[security]	Addresses could be referenced after being freed
			in resolver.c, causing an assertion failure.
			(CVE-2017-3145) [RT #46839]

4857.	[bug]		Maintain attach/detach semantics for event->db,
			event->node, event->rdataset and event->sigrdataset
			in query.c. [RT #46891]

4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
			for an inline slave zone. [RT #46875]

4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
			isc_time_formathttptimestamp, isc_time_formatISO8601,
			isc_time_formatISO8601ms. [RT #46892]

4851.	[port]		Support using kyua as well as atf-run to run the unit
			tests. [RT #46853]

4850.	[bug]		Named failed to restart with multiple added zones in
			lmdb database. [RT #46889]

4849.	[bug]		Duplicate zones could appear in the .nzf file if
			addzone failed. [RT #46435]

4846.	[test]		Adjust timing values in runtime system test. Address
			named.pid removal races in runtime system test.
			[RT #46800]

4844.	[test]		Address memory leaks in libatf-c. [RT #46798]

4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]

4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
			warnings about unused function. [RT #46790]

4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]

4840.	[test]		Add tests to cover fallback to using ZSK on inactive
			KSK. [RT #46787]

4839.	[bug]		zone.c:zone_sign was not properly determining
			if there were active KSK and ZSK keys for
			an algorithm when update-check-ksk is true
			(default) leaving records unsigned with one or
			more DNSKEY algorithms. [RT #46774]

4838.	[bug]		zone.c:add_sigs was not properly determining
			if there were active KSK and ZSK keys for
			an algorithm when update-check-ksk is true
			(default) leaving records unsigned with one or
			more DNSKEY algorithms. [RT #46754]

4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
			properly determining if there were active KSK and
			ZSK keys for an algorithm when update-check-ksk is
			true (default) leaving records unsigned when there
			were multiple DNSKEY algorithms for the zone.
			[RT #46743]

4836.	[bug]		Zones created using "rndc addzone" could
			temporarily fail to inherit an "allow-transfer"
			ACL that had been configured in the options
			statement. [RT #46603]

4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]

4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]

4833.	[bug]		isc_event_free should check that the event is not
			linked when called. [RT #46725]

4832.	[bug]		Events were not being removed from zone->rss_events.
			[RT #46725]

4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
			comparisons in diff.c:resign. [RT #46710]

4830.	[bug]		Failure to configure ATF when requested did not cause
			an error in top-level configure script. [RT #46655]

4829.	[bug]		isc_heap_delete did not zero the index value when
			the heap was created with a callback to do that.
			[RT #46709]

4828.	[bug]		Do not use thread-local storage for storing LMDB reader
			locktable slots. [RT #46556]

4827.	[misc]		Add a precommit check script util/checklibs.sh
			[RT #46215]

4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
			bin/named/ when using parallel make. [RT #46648]

4825.	[bug]		Prevent a bogus "error during managed-keys processing
			(no more)" warning from being logged. [RT #46645]

4823.	[test]		Refactor reclimit system test to improve its
			reliability and speed. [RT #46632]

4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]

4821.	[bug]		When resigning ensure that the SOA's expire time is
			always later than the resigning time of other records.
			[RT #46473]

4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
			information to the new header. [RT #46473]

4819.	[bug]		Fully backout the transaction when adding a RRset
			to the resigning / removal heaps fails. [RT #46473]

4818.	[test]		The logfileconfig system test could intermittently
			report false negatives on some platforms. [RT #46615]

4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
			[RT #45433]

4816.	[bug]		Don't use a common array for storing EDNS options
			in DiG as it could fill up. [RT #45611]

4815.	[bug]		rbt_test.c:insert_and_delete needed to call
			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]

4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]

4812.	[bug]		Minor improvements to stability and consistency of code
			handling managed keys. [RT #46468]

4810.	[test]		The chain system test failed if the IPv6 interfaces
			were not configured. [RT #46508]

4809.	[port]		Check at configure time whether -latomic is needed
			for stdatomic.h. [RT #46324]

4808.	[bug]		Properly test for zlib.h. [RT #46504]

4805.	[bug]		TCP4Active and TCP6Active weren't being updated
			correctly. [RT #46454]

4804.	[port]		win32: access() does not work on directories as
			required by POSIX.
			Supply an alternative in
			isc_file_isdirwritable. [RT #46394]

4803.	[bug]		Backport parts of RT #45293 and RT #46267, specifically
			the fix for RT #46055 and mkeys system test
			improvements. [RT #46430]

4800.	[bug]		When processing delzone, write one zone config per
			line to the NZF. [RT #46323]

4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]

4792.	[bug]		Fix map file header correctness check. [RT #38418]

4791.	[doc]		Fixed outdated documentation about export libraries.
			[RT #46341]

4790.	[bug]		nsupdate could trigger a require when sending an
			update to the second address of the server.
			[RT #45731]

4788.	[cleanup]	When using "update-policy local", log a warning
			when an update matching the session key is received
			from a remote host. [RT #46213]

4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
			dns_nsec3param_salttotext(), and add unit tests for it.
			[RT #46289]

4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
			NSEC3 chain generation failed' required more time
			on some machines for the IXFR to complete. [RT #46388]

4782.	[test]		dnssec: 'checking positive and negative validation
			with negative trust anchors' required more time to
			complete on some machines. [RT #46386]

4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]

4780.	[bug]		When answering ANY queries, don't include the NS
			RRset in the authority section if it was already
			in the answer section. [RT #44543]

4779.	[bug]		Expire NTA at the start of the second. Don't update
			the expiry value if the record has already expired
			after a successful check. [RT #46368]

4777.	[cleanup]	Removed a redundant call to configure_view_acl().
			[RT #46369]

4776.	[bug]		Improve portability of ht_test. [RT #46333]

4775.	[bug]		Address Coverity warnings in ht_test.c [RT #46281]

4774.	[bug]		<isc/util.h> was incorrectly included in several
			header files. [RT #46311]

4773.	[doc]		Fixed generating Doxygen documentation for functions
			annotated using certain macros. Miscellaneous
			Doxygen-related cleanups. [RT #46276]

4771.	[bug]		When sending RFC 5011 refresh queries, disregard
			cached DNSKEY rrsets. [RT #46251]

4770.	[bug]		Cache additional data from priming queries as glue.
			Previously they were ignored as unsigned
			non-answer data from a secure zone, and never
			actually got added to the cache, causing hints
			to be used frequently for root-server
			addresses, which triggered re-priming. [RT #45241]

4769.	[bug]		Enforce the requirement that the managed keys
			directory (specified by "managed-keys-directory",
			and defaulting to the working directory if not
			specified) must be writable. [RT #46077]

4766.	[cleanup]	Address Coverity warnings. [RT #46150]

4763.	[contrib]	Improve compatibility when building MySQL DLZ
			module by using mysql_config if available.
			[RT #45558]

4762.	[func]		"update-policy local" is now restricted to updates
			from local addresses. (Previously, other addresses
			were allowed so long as updates were signed by the
			local session key.) [RT #45492]

4761.	[protocol]	Add support for DOA. [RT #45612]

4759.	[func]		Add logging channel "trust-anchor-telemetry" to
			record trust-anchor-telemetry in incoming requests.
			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
			are logged. [RT #46124]

4758.	[doc]		Remove documentation of unimplemented "topology".
			[RT #46161]

4756.	[bug]		Interrupting dig could lead to an INSIST failure after
			certain errors were encountered while querying a host
			whose name resolved to more than one address.
			Change 4537 increased the odds of triggering this issue by
			causing dig to hang indefinitely when certain error
			paths were evaluated. dig now also retries TCP queries
			(once) if the server gracefully closes the connection
			before sending a response. [RT #42832, #45159]

4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
			exist. [RT #46186]

4754.	[bug]		dns_zone_setview needs a two stage commit to properly
			handle errors. [RT #45841]

4753.	[contrib]	Software obtainable from known upstream locations
			(i.e., zkt, nslint, query-loc) has been removed.
			Links to these and other packages can be found at
			https://www.isc.org/community/tools [RT #46182]

4752.	[test]		Add unit test for isc_net_pton. [RT #46171]

4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]

4748.	[cleanup]	Sprintf to snprintf conversions. [RT #46132]

4746.	[cleanup]	Add configured prefixes to configure summary
			output. [RT #46153]

4745.	[test]		Add color-coded pass/fail messages to system
			tests when running on terminals that support them.
			[RT #45977]

4744.	[bug]		Suppress trust-anchor-telemetry queries if
			validation is disabled. [RT #46131]

4741.	[bug]		Make isc_refcount_current() atomically read the
			counter value. [RT #46074]

4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]

4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]

4738.	[port]		win32: strftime mishandles %Z. [RT #46039]

4737.	[cleanup]	Address Coverity warnings. [RT #46012]

4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
			lib/dns/zone.c.
			(b) Refactored NSEC3 salt formatting
			code. (c) Minor tweaks to lock and result handling.
			[RT #46053]

4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]

4734.	[contrib]	Added sample configuration for DNS-over-TLS in
			contrib/dnspriv.

4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]

4730.	[bug]		Fix out of bounds access in DHCID totext() method.
			[RT #46001]

4729.	[bug]		Don't use memset() to wipe memory, as it may be
			removed by compiler optimizations when the
			memset() occurs on automatic stack allocation
			just before function return. [RT #45947]

4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
			where available. [RT #40668]

4727.	[bug]		Retransferring an inline-signed slave using NSEC3
			around the time its NSEC3 salt was changed could result
			in an infinite signing loop. [RT #45080]

4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
			from being logged on FreeBSD if the kernel does not
			support it. Notify the user when the kernel does
			support TCP_FASTOPEN, but it is disabled by sysctl.
			Add a new configure option, --disable-tcp-fastopen, to
			disable use of TCP_FASTOPEN altogether. [RT #44754]

4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
			failures in sending the update message. The correct
			location to be reported is "update_completed".
			[RT #46014]

4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
			as DNSSECdropped. [RT #46002]

4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
			strlcpy() and strlcat() for safety. [RT #45981]

4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]

4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
			FORMERR if TC=0, and log the error correctly.
			[RT #45836]

4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
			in the Json cache statistics. [RT #45980]

4714.	[port]		openbsd/libressl: add support for building with
			--enable-openssl-hash. [RT #45982]

4713.	[cleanup]	Minor revisions to RPZ code to reduce
			differences with the development branch. [RT #46037]

4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
			search domain when retrying with TCP. [RT #45547]

4711.	[test]		Some RR types were missing from genzones.sh.
			[RT #45782]

4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
			[RT #45435]

4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
			[RT #45898]

4698.	[port]		Add --with-python-install-dir configure option to allow
			specifying a nonstandard installation directory for
			Python modules. [RT #45407]

4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
			computation bug. [RT #45854]

4696.	[port]		Enable filter-aaaa support by default on Windows
			builds. [RT #45883]

4695.	[bug]		cookie-secrets were not being properly checked by
			named-checkconf. [RT #45886]

4692.	[bug]		Fix build failures with libressl introduced in 4676.
			[RT #45879]

4690.	[bug]		Command line options -4/-6 were handled inconsistently
			between tools. [RT #45632]

4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
			addition to DNSKEY and DS. Thanks to Tony Finch.
			[RT #45690]

4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
			messages. [RT #44804]

4686.	[bug]		dnssec-settime -p could print a bogus warning about
			key deletion scheduled before its inactivation when a
			key had an inactivation date set but no deletion date
			set. [RT #45807]

4685.	[bug]		dnssec-settime incorrectly calculated publication and
			activation dates for a successor key.
			[RT #45806]

4684.	[bug]		delv could send bogus DNS queries when an explicit
			server address was specified on the command line along
			with -4/-6. [RT #45804]

4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
			user input in interactive mode. [RT #28194]

4682.	[bug]		Don't report errors on records below a DNAME.
			[RT #44880]

4680.	[bug]		Fix failing over to another master server address when
			nsupdate is used with GSS-API. [RT #45380]

4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
			not at top of zone and -o is not used. [RT #45519]

4678.	[bug]		geoip-use-ecs has the wrong type when geoip support
			is disabled at configure time. [RT #45763]

4677.	[cleanup]	Split up the main function in dig to better support
			the iOS app version. [RT #45508]

4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
			deprecated functions removed. [RT #45706]

4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]

4673.	[port]		Silence GCC 7 warnings. [RT #45592]

4671.	[bug]		Fix a race condition that could cause the
			resolver to crash with assertion failure when
			chasing DS in specific conditions with a very
			short RTT to the upstream nameserver. [RT #45168]

4670.	[cleanup]	Ensure that a request MAC is never sent back
			in an XFR response unless the signature was
			verified. [RT #45494]

4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
			[RT #45664]

4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]

4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
			could cause a parser error when reading the policy
			file. This now works correctly so long as the domain
			name is quoted. [RT #45641]

4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
			algorithms (RFC 8080).
			(Note: these algorithms
			depend on code currently in the development branch
			of OpenSSL which has not yet been released.)
			[RT #44696]

4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
			[RT #21731]

4662.	[performance]	Improve cache memory cleanup of zero TTL records
			by putting them at the tail of LRU header lists.
			[RT #45274]

4661.	[bug]		A race condition could occur if a zone was reloaded
			while resigning, triggering a crash in
			rbtdb.c:closeversion(). [RT #45276]

4660.	[bug]		Remove spurious "peer" from Windows socket log
			messages. [RT #45617]

4659.	[bug]		Remove spurious log message about lmdb-mapsize
			not being supported when parsing builtin
			configuration file. [RT #45618]

4658.	[bug]		Clean up build directory created by "setup.py install"
			immediately. [RT #45628]

4657.	[bug]		rrchecker system test result could be improperly
			determined. [RT #45602]

4656.	[bug]		Apply "port" and "dscp" values specified in catalog
			zone's "default-masters" option to the generated
			configuration of its member zones. [RT #45545]

4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]

4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
			[RT #45538]

4652.	[bug]		Nsupdate could attempt to use a zeroed address on
			server timeout. [RT #45417]

4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]

4605.	[performance]	(partial backport) Improve general query
			performance. Improves performance of owner case
			restoration, hash function, etc. Uses inline
			buffer implementation by default. [RT #45637]

	--- 9.11.2 released ---

	--- 9.11.2rc2 released ---

4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
			@ISC_OPENSSL_INC@ after shipped include directories.
        [RT #45581]

        --- 9.11.2rc1 released ---

4649. [bug] The wrong zone was logged when a catalog zone is added.
        [RT #45520]

4648. [bug] "rndc reconfig" on a slave no longer causes all member
        zones of configured catalog zones to be removed from
        configuration. [RT #45310]

4647. [bug] Change 4643 broke verification of TSIG signed TCP
        message sequences where not all the messages contain
        TSIG records. These may be used in AXFR and IXFR
        responses. [RT #45509]

4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled.
        [RT #45300]

        --- 9.11.2b1 released ---

4643. [security] An error in TSIG handling could permit unauthorized
        zone transfers or zone updates. (CVE-2017-3142)
        (CVE-2017-3143) [RT #45383]

4642. [cleanup] Add more logging of RFC 5011 events affecting the
        status of managed keys: newly observed keys,
        deletion of revoked keys, etc. [RT #45354]

4641. [cleanup] Parallel builds (make -j) could fail with --with-atf /
        --enable-developer. [RT #45373]

4640. [bug] If query_findversion failed in query_getdb due to
        memory failure the error status was incorrectly
        discarded. [RT #45331]

4639. [bug] Fix a regression in --with-tuning reporting introduced
        by change 4488. [RT #45396]

4638. [bug] Reloading or reconfiguring named could fail on
        some platforms when LMDB was in use. [RT #45203]

4636. [bug] Normalize rpz policy zone names when checking for
        existence. [RT #45358]

4635. [bug] Fix RPZ NSDNAME logging that was logging
        failures as NSIP. [RT #45052]

4634. [contrib] check5011.pl needs to handle optional space before
        semi-colon in +multi-line output. [RT #45352]

4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.

4632. [security] The BIND installer on Windows used an unquoted
        service path, which can enable privilege escalation.
        (CVE-2017-3141) [RT #45229]

4631. [security] Some RPZ configurations could go into an infinite
        query loop when encountering responses with TTL=0.
        (CVE-2017-3140) [RT #45181]

4630. [bug] "dyndb" is dependent on dlopen existing / being
        enabled. [RT #45291]

4629. [bug] dns_client_startupdate could not be called with a
        running client. [RT #45277]

4628. [bug] Fixed a potential reference leak in query_getdb().
        [RT #45247]

4626. [test] Added more tests for handling of different record
        ordering in CNAME and DNAME responses. [QA #430]

4625. [bug] Running "rndc addzone" and "rndc delzone" at close
        to the same time could trigger a deadlock if using
        LMDB. [RT #45209]

4623. [bug] Use --with-protobuf-c and --with-libfstrm to find
        protoc-c and fstrm_capture. [RT #45187]

4622. [bug] Remove unnecessary escaping of semicolon in CAA and
        URI records. [RT #45216]

4621. [port] Force alignment of oid arrays to silence loader
        warnings. [RT #45131]

4620. [port] Handle EPFNOSUPPORT being returned when probing
        to see if a socket type is supported. [RT #45214]

4619. [bug] Call isc_mem_put instead of isc_mem_free in
        bin/named/server.c:setup_newzones. [RT #45202]

4618. [bug] Check isc_mem_strdup results in dns_view_setnewzones.
        Add logging for lmdb call failures. [RT #45204]

4617. [test] Update rndc system test to be more delay tolerant.
        [RT #45177]

4616. [bug] When using LMDB, zones deleted using "rndc delzone"
        were not correctly removed from the new-zone
        database. [RT #45185]

4615. [bug] AD could be set on truncated answer with no records
        present in the answer and authority sections.
        [RT #45140]

4614. [test] Fixed an error in the sockaddr unit test. [RT #45146]

4612. [bug] Silence 'may be use uninitalised' warning and simplify
        the code in lwres/getaddinfo:process_answer.
        [RT #45158]

4611. [bug] The default LMDB mapsize was too low and caused
        errors after a few thousand zones were added using
        rndc addzone. A new config option "lmdb-mapsize"
        has been introduced to configure the LMDB
        mapsize depending on operational needs.
        [RT #44954]

4609. [cleanup] Rearrange makefiles to enable parallel execution
        (i.e. "make -j"). [RT #45078]

4608. [func] DiG now warns about .local queries which are reserved
        for Multicast DNS. [RT #44783]

4606. [port] Stop using experimental "Experimental keys on scalar"
        feature of perl as it has been removed. [RT #45012]

4604. [bug] Don't use ERR_load_crypto_strings() when building
        with OpenSSL 1.1.0. [RT #45117]

4603. [doc] Automatically generate named.conf(5) man page
        from doc/misc/options. Thanks to Tony Finch.
        [RT #43525]

4602. [func] Threads are now set to human-readable
        names to assist debugging, when supported by
        the OS. [RT #43234]

4601. [bug] Reject incorrect RSA key lengths during key
        generation and sign/verify context
        creation. [RT #45043]

4600. [bug] Adjust RPZ trigger counts only when the entry
        being deleted exists. [RT #43386]

4599. [bug] Fix inconsistencies in inline signing time
        comparison that were introduced with the
        introduction of rdatasetheader->resign_lsb.
        [RT #42112]

4597. [bug] The validator now ignores SHA-1 DS digest type
        when a DS record with SHA-384 digest type is
        present and is a supported digest type.
        [RT #45017]

4596. [bug] Validate glue before adding it to the additional
        section. This also fixes incorrect TTL capping
        when the RRSIG expired earlier than the TTL.
        [RT #45062]

4593. [doc] Update README using markdown, remove outdated FAQ
        file in favor of the knowledge base.

4592. [bug] A race condition on shutdown could trigger an
        assertion failure in dispatch.c. [RT #43822]

4591. [port] Addressed some python 3 compatibility issues.
        Thanks to Ville Skytta. [RT #44955] [RT #44956]

4590. [bug] Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
        properly detected. [RT #44871]

4589. [cleanup] "configure -q" is now silent. [RT #44829]

4588. [bug] nsupdate could send queries for TKEY to the wrong
        server when using GSSAPI. Thanks to Tomas Hozza.
        [RT #39893]

4587. [bug] named-checkzone failed to handle occulted data below
        DNAMEs correctly. [RT #44877]

4586. [func] dig, host and nslookup now use TCP for ANY queries.
        [RT #44687]

4585. [port] win32: Set CompileAS value. [RT #42474]

4584. [bug] A number of memory usage statistics were not properly
        reported when they exceeded 4G. [RT #44750]

4574. [bug] Dig leaked memory with multiple +subnet options.
        [RT #44683]

4555. [func] dig +ednsopt: EDNS options can now be specified by
        name in addition to numeric value. [RT #44461]

        --- 9.11.1 released ---

        --- 9.11.1rc3 released ---

4582. [security] 'rndc ""' could trigger an assertion failure in named.
        (CVE-2017-3138) [RT #44924]

4581. [port] Linux: Add getpid and getrandom to the list of system
        calls named uses for seccomp. [RT #44883]

4580. [bug] 4578 introduced a regression when handling CNAME to
        referral below the current domain. [RT #44850]

        --- 9.11.1rc2 released ---

4578. [security] Some chaining (CNAME or DNAME) responses to upstream
        queries could trigger assertion failures.
        (CVE-2017-3137) [RT #44734]

4575. [security] DNS64 with "break-dnssec yes;" can result in an
        assertion failure. (CVE-2017-3136) [RT #44653]

        --- 9.11.1rc1 released ---

4571. [bug] Out-of-tree builds of backtrace_test failed.

4570. [cleanup] named did not correctly fall back to the built-in
        initializing keys if the bind.keys file was present
        but empty. [RT #44531]

4569. [func] Store both local and remote addresses in dnstap
        logging, and modify dnstap-read output format to
        print them. [RT #43595]

4568. [contrib] Added a --with-bind option to the dnsperf configure
        script to specify BIND prefix path.

4567. [port] Call getprotobyname and getservbyname prior to calling
        chroot so that shared libraries get loaded. [RT #44537]

4565. [cleanup] The inline macro versions of isc_buffer_put*()
        did not implement automatic buffer reallocation.
        [RT #44216]

4564. [maint] Update the built in managed keys to include the
        upcoming root KSK. [RT #44579]

4563. [bug] Modified zones would occasionally fail to reload.
        [RT #39424]

4561. [port] Silence a warning in strict C99 compilers. [RT #44414]

4560. [bug] mdig: add -m option to enable memory debugging rather
        than having it on all the time. [RT #44509]

4559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES
        was turned off. [RT #44509]

4558. [bug] Synthesised CNAME before matching DNAME was still
        being cached when it should not have been. [RT #44318]

4557. [security] Combining dns64 and rpz can result in dereferencing
        a NULL pointer (read). (CVE-2017-3135) [RT #44434]

4554. [bug] Remove double unlock in dns_dispatchmgr_setudp.
        [RT #44336]

4553. [bug] Named could deadlock if there were multiple changes to
        NSEC/NSEC3 parameters for a zone being processed at
        the same time. [RT #42770]

4552. [bug] Named could trigger an assertion when sending notify
        messages. [RT #44019]

4551. [test] Add system tests for integrity checks of MX and
        SRV records. [RT #43953]

4550. [cleanup] Increased the number of available master file
        output style flags from 32 to 64. [RT #44043]

4547. [port] Add support for --enable-native-pkcs11 on the AEP
        Keyper HSM. [RT #42463]

        --- 9.11.1b1 released ---

4545. [func] Expand YAML output from dnstap-read to include
        a detailed breakdown of the DNS message contents.
        [RT #43642]

4544. [bug] Add message/payload size to dnstap-read YAML output.
        [RT #43622]

4543. [bug] dns_client_startupdate now delays sending the update
        request until isc_app_ctxrun has been called.
        [RT #43976]

4541. [bug] rndc addzone should properly reject non master/slave
        zones. [RT #43665]

4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure.
        [RT #43601]

4539. [bug] Referencing a nonexistent zone with RPZ could lead
        to an assertion failure when configuring. [RT #43787]

4538. [bug] Call dns_client_startresolve from client->task.
        [RT #43896]

4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576]

4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
        when reusing the event structure. [RT #43885]

4535. [bug] Address race condition in setting / testing of
        DNS_REQUEST_F_SENDING. [RT #43889]

4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]

4533. [bug] dns_client_update should terminate on prerequisite
        failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
        and also on BADZONE. [RT #43865]

4532. [contrib] Make gen-data-queryperf.py python 3 compatible.
        [RT #43836]

4531. [security] 'is_zone' was not being properly updated by redirect2
        and subsequently preserved leading to an assertion
        failure. (CVE-2016-9778) [RT #43837]

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
        in responses resulting in SERVFAIL being returned.
        [RT #43779]

4529. [cleanup] Silence noisy log warning when DSCP probe fails
        due to firewall rules. [RT #43847]

4528. [bug] Only set the flag bits for the i/o we are waiting
        for on EPOLLERR or EPOLLHUP. [RT #43617]

4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]

4526. [doc] Corrected errors and improved formatting of
        grammar definitions in the ARM. [RT #43739]

4525. [doc] Fixed outdated documentation on managed-keys.
        [RT #43810]

4524. [bug] The net zero test was broken causing IPv4 servers
        with addresses ending in .0 to be rejected. [RT #43776]

4523. [doc] Expand config doc for <querysource4> and
        <querysource6>. [RT #43768]

4522. [bug] Handle big gaps in log file version numbers better.
        [RT #38688]

4521. [cleanup] Log it as an error if an entropy source is not
        found and there is no fallback available. [RT #43659]

4520. [cleanup] Alphabetize more of the grammar when printing it
        out. Fix unbalanced indenting. [RT #43755]

4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]

4517. [security] Named could mishandle authority sections that were
        missing RRSIGs triggering an assertion failure.
        (CVE-2016-9444) [RT #43632]

4516. [bug] isc_socketmgr_renderjson was missing from the
        windows build. [RT #43602]

4515. [port] FreeBSD: Find readline headers when they are in
        edit/readline/ instead of readline/. [RT #43658]

4514. [port] NetBSD: strip -WL, from ld command line. [RT #43204]

4513. [cleanup] Minimum Python versions are now 2.7 and 3.2.
        [RT #43566]

4512. [bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in.
        [RT #43556]

4511. [bug] win32: mdig.exe-BNFT was missing Configure. [RT #43554]

4510. [security] Named mishandled some responses where covering RRSIG
        records are returned without the requested data
        resulting in an assertion failure. (CVE-2016-9147)
        [RT #43548]

4509. [test] Make the rrl system test more reliable on slower
        machines by using mdig instead of dig. [RT #43280]

4508. [security] Named incorrectly tried to cache TKEY records which
        could trigger an assertion failure when there was
        a class mismatch. (CVE-2016-9131) [RT #43522]

4507. [bug] Named could incorrectly log 'allows updates by IP
        address, which is insecure'. [RT #43432]

4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]

4504. [security] Allow the maximum number of records in a zone to
        be specified. This provides a control for issues
        raised in CVE-2016-6170. [RT #42143]

4503. [cleanup] "make uninstall" now removes files installed by
        BIND. (This currently excludes Python files
        due to lack of support in setup.py.) [RT #42192]

4502. [func] Report multiple and experimental options when printing
        grammar. [RT #43134]

4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]

4499. [port] MacOSX: silence deprecated function warning
        by using arc4random_stir() when available
        instead of arc4random_addrandom(). [RT #43503]

4498. [test] Simplify prerequisite checks in system tests.
        [RT #43516]

4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]

4496. [func] dig: add +idnout to control whether labels are
        displayed in punycode or not. Requires idn support
        to be enabled at compile time. [RT #43398]

4495. [bug] An isc_mutex_init call was not being checked.
        [RT #43391]

4494. [bug] Look for <editline/readline.h>. [RT #43429]

4493. [bug] bin/tests/system/dyndb/driver/Makefile.in should use
        SO_TARGETS. [RT #43336]

4492. [bug] irs_resconf_load failed to initialize sortlistnxt
        causing bad writes if resolv.conf contained a
        sortlist directive. [RT #43459]

4491. [bug] Improve message emitted when testing whether sendmsg
        works with TOS/TCLASS fails. [RT #43483]

4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.

4489. [security] It was possible to trigger assertions when processing
        a response containing a DNAME answer. (CVE-2016-8864)
        [RT #43465]

4488. [port] Darwin: use -framework for Kerberos. [RT #43418]

4487. [test] Make system tests work on Windows. [RT #42931]

4486. [bug] Look in $prefix/lib/pythonX.Y/site-packages for
        the python modules we install. [RT #43330]

4485. [bug] Failure to find readline when requested should be
        fatal to configure. [RT #43328]

4484. [func] Check prefixes in acls to make sure the address and
        prefix lengths are consistent. Warn only in
        BIND 9.11 and earlier. [RT #43367]

4483. [bug] Address use before require check and remove extraneous
        dns_message_gettsigkey call in dns_tsig_sign.
        [RT #43374]

4482. [cleanup] Change #4455 was incomplete. [RT #43252]

4478. [func] Add +continue option to mdig, allow continue on socket
        errors. [RT #43281]

4477. [test] Fix mkeys test timing issues. [RT #41028]

4476. [test] Fix reclimit test on slower machines. [RT #43283]

4475. [doc] Update named-checkconf documentation. [RT #43153]

4474. [bug] win32: call WSAStartup in fromtext_in_wks so that
        getprotobyname and getservbyname work. [RT #43197]

4473. [bug] Only call fsync / _commit on regular files. [RT #43196]

4472. [bug] Named could fail to find the correct NSEC3 records when
        a zone was updated between looking for the answer and
        looking for the NSEC3 records proving nonexistence
        of the answer. [RT #43247]

        --- 9.11.0 released ---

        --- 9.11.0rc3 released ---

4471. [cleanup] Render client/query logging format consistent for
        ease of log file parsing. (Note that this affects
        "querylog" format: there is now an additional field
        indicating the client object address.) [RT #43238]

4470. [bug] Reset message with intent parse before
        calling dns_dispatch_getnext. [RT #43229]

        --- 9.11.0rc2 released ---

4468. [bug] Address ECS option handling issues. [RT #43191]

4467. [security] It was possible to trigger an assertion when
        rendering a message. (CVE-2016-2776) [RT #43139]

4466. [bug] Interface scanning didn't work on a Windows system
        without any non-local IPv6 addresses. [RT #43130]

4465. [bug] Don't use "%z" as Windows doesn't support it.
        [RT #43131]

4464. [bug] Fix windows python support. [RT #43173]

4463. [bug] The dnstap system test failed on some systems.
        [RT #43129]

4462. [bug] Don't describe a returned EDNS COOKIE as "good"
        when there isn't a valid server cookie. [RT #43167]

4461. [bug] win32: not all external data was properly marked
        as external data for windows dll. [RT #43161]

        --- 9.11.0rc1 released ---

4460. [test] Add system test for dnstap using unix domain sockets.
        [RT #42926]

4459. [bug] TCP client objects created to handle pipeline queries
        were not cleaned up correctly, causing uncontrolled
        memory growth. [RT #43106]

4458. [cleanup] Update assertions to be more correct, and also remove
        use of a reserved word. [RT #43090]

4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.

4456. [doc] Add DOCTYPE and lang attribute to <html> tags.
        [RT #42587]

4455. [cleanup] Allow dyndb modules to correctly log the filename
        and line number when processing configuration text
        from named.conf. [RT #43050]

4454. [bug] 'rndc dnstap -reopen' had a race issue. [RT #43089]

4453. [bug] Prefetching of DS records failed to update their
        RRSIGs. [RT #42865]

4452. [bug] The default key manager policy file is now
        <sysdir>/dnssec-policy.conf (usually
        /etc/dnssec-policy.conf). [RT #43064]

4451. [cleanup] Log more useful information if a PKCS#11 provider
        library cannot be loaded. [RT #43076]

4450. [port] Provide more nuanced HSM support which better matches
        the specific PKCS11 providers capabilities. [RT #42458]

4449. [test] Fix catalog zones test on slower systems. [RT #42997]

4448. [bug] win32: ::1 was not being found when iterating
        interfaces. [RT #42993]

4447. [tuning] Allow the fstrm_iothr_init() options to be set using
        named.conf to control how dnstap manages the data
        flow. [RT #42974]

4446. [bug] The cache_find() and _findrdataset() functions
        could find rdatasets that had been marked stale.
        [RT #42853]

4445. [cleanup] isc_errno_toresult() can now be used to call the
        formerly private function isc__errno2result().
        [RT #43050]

4444. [bug] Fixed some issues related to dyndb: A bug caused
        braces to be omitted when passing configuration text
        from named.conf to a dyndb driver, and there was a
        use-after-free in the sample dyndb driver. [RT #43050]

4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
        TCP sockets. [RT #42864]

4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted
        tree data structure with overlapping networks
        (longest prefix match was ineffective).
        [RT #43035]

4441. [cleanup] Alphabetize host's help output. [RT #43031]

4440. [func] Enable TCP fast open support when available on the
        server side. [RT #42866]

4439. [bug] Address race conditions getting ownernames of nodes.
        [RT #43005]

4438. [func] Use LIFO rather than FIFO when processing startup
        notify and refresh queries. [RT #42825]

4437. [func] Minimal-responses now has two additional modes
        no-auth and no-auth-recursive which suppress
        adding the NS records to the authority section
        as well as the associated address records for the
        nameservers. [RT #42005]

4436. [func] Return TLSA records as additional data for MX and SRV
        lookups. [RT #42894]

4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message
        will not fit into a single IPv4 encapsulated IPv6
        UDP packet when transmitted over an Ethernet link.
        [RT #42871]

4434. [protocol] Return EDNS EXPIRE option for master zones in addition
        to slave zones. [RT #43008]

4433. [cleanup] Report an error when passing an invalid option or
        view name to "rndc dumpdb". [RT #42958]

4432. [test] Hide rndc output on expected failures in logfileconfig
        system test. [RT #27996]

4431. [bug] named-checkconf now checks the rate-limit clause.
        [RT #42970]

4430. [bug] Lwresd died if a search list was not defined.
        Found by 0x710DDDD At Alibaba Security. [RT #42895]

4429. [bug] Address potential use after free on fclose() error.
        [RT #42976]

4428. [bug] The "test dispatch getnext" unit test could fail
        in a threaded build. [RT #42979]

4427. [bug] The "query" and "response" parameters to the
        "dnstap" option had their functions reversed.

        --- 9.11.0b3 released ---

4426. [bug] Addressed Coverity warnings. [RT #42908]

4425. [bug] arpaname, dnstap-read and named-rrchecker were not
        being installed into ${prefix}/bin. Tidy up
        installation issues with CHANGE 4421. [RT #42910]

4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries
        to provide feedback to the trust-anchor administrators
        about how key rollovers are progressing as per
        draft-ietf-dnsop-edns-key-tag-02. This can be
        disabled using 'trust-anchor-telemetry no;'.
        [RT #40583]

4423. [maint] Added missing IPv6 address 2001:500:84::b for
        B.ROOT-SERVERS.NET. [RT #42898]

4422. [port] Silence clang warnings in dig.c and dighost.c.
        [RT #42451]

4421. [func] When built with LMDB (Lightning Memory-mapped
        Database), named will now use a database to store
        the configuration for zones added by "rndc addzone"
        instead of using a flat NZF file. This improves
        performance of "rndc delzone" and "rndc modzone"
        significantly. Existing NZF files will
        automatically be converted to NZD databases.
        To view the contents of an NZD or to roll back to
        NZF format, use "named-nzd2nzf". To disable
        this feature, use "configure --without-lmdb".
        [RT #39837]

4420. [func] nslookup now looks for AAAA as well as A by default.
        [RT #40420]

4419. [bug] Don't cause undefined result if the label of an
        entry in catalog zone is changed. [RT #42708]

4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879]

4417. [bug] dnssec-keymgr could fail to create successor keys
        if the prepublication interval was set to a value
        smaller than the default. [RT #42820]

4416. [bug] dnssec-keymgr: Domain names in policy files could
        fail to match due to trailing dots. [RT #42807]

4415. [bug] dnssec-keymgr: Expired/deleted keys were not always
        excluded. [RT #42884]

4414. [bug] Corrected a bug in the MIPS implementation of
        isc_atomic_xadd(). [RT #41965]

4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
        was returned.
[RT #42733] 2440 2441 --- 9.11.0b2 released --- 2442 24434412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was 2444 removed. [RT #42721] 2445 24464411. [func] "rndc dnstap -roll" automatically rolls the 2447 dnstap output file; the previous version is 2448 saved with ".0" suffix, and earlier versions 2449 with ".1" and so on. An optional numeric argument 2450 indicates how many prior files to save. [RT #42830] 2451 24524410. [bug] Address use after free and memory leak with dnstap. 2453 [RT #42746] 2454 24554409. [bug] DNS64 should exclude mapped addresses by default when 2456 an exclude acl is not defined. [RT #42810] 2457 24584408. [func] Continue waiting for expected response when we the 2459 response we get does not match the request. [RT #41026] 2460 24614407. [performance] Use GCC builtin for clz in RPZ lookup code. 2462 [RT #42818] 2463 24644406. [security] getrrsetbyname with a non absolute name could 2465 trigger an infinite recursion bug in lwresd 2466 and named with lwres configured if when combined 2467 with a search list entry the resulting name is 2468 too long. (CVE-2016-2775) [RT #42694] 2469 24704405. [bug] Change 4342 introduced a regression where you could 2471 not remove a delegation in a NSEC3 signed zone using 2472 OPTOUT via nsupdate. [RT #42702] 2473 24744404. [misc] Allow krb5-config to be used when configuring gssapi. 2475 [RT #42580] 2476 24774403. [bug] Rename variables and arguments that shadow: basename, 2478 clone and gai_error. 2479 24804402. [bug] protoc-c is now a hard requirement for --enable-dnstap. 2481 2482 --- 9.11.0b1 released --- 2483 24844401. [misc] Change LICENSE to MPL 2.0. 2485 24864400. [bug] ttl policy was not being inherited in policy.py. 2487 [RT #42718] 2488 24894399. [bug] policy.py 'ECCGOST', 'ECDSAP256SHA256', and 2490 'ECDSAP384SHA384' don't have settable keysize. 2491 [RT #42718] 2492 24934398. [bug] Correct spelling of ECDSAP256SHA256 in policy.py. 2494 [RT #42718] 2495 24964397. 
[bug] Update Windows python support. [RT #42538] 2497 24984396. [func] dnssec-keymgr now takes a '-r randomfile' option. 2499 [RT #42455] 2500 25014395. [bug] Improve out-of-tree installation of python modules. 2502 [RT #42586] 2503 25044394. [func] Add rndc command "dnstap-reopen" to close and 2505 reopen dnstap output files. [RT #41803] 2506 25074393. [bug] Address potential NULL pointer dereferences in 2508 dnstap code. 2509 25104392. [func] Collect statistics for RSSAC02v3 traffic-volume, 2511 traffic-sizes and rcode-volume reporting. [RT #41475] 2512 25134391. [contrib] Fix leaks in contrib DLZ code. [RT #42707] 2514 25154390. [doc] Description of masters with TSIG, allow-query and 2516 allow-transfer options in catalog zones. [RT #42692] 2517 25184389. [test] Rewritten test suite for catalog zones. [RT #42676] 2519 25204388. [func] Support for master entries with TSIG keys in catalog 2521 zones. [RT #42577] 2522 25234387. [bug] Change 4336 was not complete leading to SERVFAIL 2524 being return as NS records expired. [RT #42683] 2525 25264386. [bug] Remove shadowed overmem function/variable. [RT #42706] 2527 25284385. [func] Add support for allow-query and allow-transfer ACLs 2529 to catalog zones. [RT #42578] 2530 25314384. [bug] Change 4256 accidentally disabled logging of the 2532 rndc command. [RT #42654] 2533 25344383. [bug] Correct spelling error in stats channel description of 2535 "EDNS client subnet option received". [RT #42633] 2536 25374382. [bug] rndc {addzone,modzone,delzone,showzone} should all 2538 compare the zone name using a canonical format. 2539 [RT #42630] 2540 25414381. [bug] Missing "zone-directory" option in catalog zone 2542 definition caused BIND to crash. [RT #42579] 2543 2544 --- 9.11.0a3 released --- 2545 25464380. 
[experimental] Added a "zone-directory" option to "catalog-zones" 2547 syntax, allowing local masterfiles for slaves 2548 that are provisioned by catalog zones to be stored 2549 in a directory other than the server's working 2550 directory. [RT #42527] 2551 25524379. [bug] An INSIST could be triggered if a zone contains 2553 RRSIG records with expiry fields that loop 2554 using serial number arithmetic. [RT #40571] 2555 25564378. [contrib] #include <isc/string.h> for strlcat in zone2ldap.c. 2557 [RT #42525] 2558 25594377. [bug] Don't reuse zero TTL responses beyond the current 2560 client set (excludes ANY/SIG/RRSIG queries). 2561 [RT #42142] 2562 25634376. [experimental] Added support for Catalog Zones, a new method for 2564 provisioning secondary servers in which a list of 2565 zones to be served is stored in a DNS zone and can 2566 be propagated to slaves via AXFR/IXFR. [RT #41581] 2567 25684375. [func] Add support for automatic reallocation of isc_buffer 2569 to isc_buffer_put* functions. [RT #42394] 2570 25714374. [bug] Use SAVE/RESTORE macros in query.c to reduce the 2572 probability of reference counting errors as seen 2573 in 4365. [RT #42405] 2574 25754373. [bug] Address undefined behavior in getaddrinfo. [RT #42479] 2576 25774372. [bug] Address undefined behavior in libt_api. [RT #42480] 2578 25794371. [func] New "minimal-any" option reduces the size of UDP 2580 responses for qtype ANY by returning a single 2581 arbitrarily selected RRset instead of all RRsets. 2582 Thanks to Tony Finch. [RT #41615] 2583 25844370. [bug] Address python3 compatibility issues with RNDC module. 2585 [RT #42499] [RT #42506] 2586 2587 --- 9.11.0a2 released --- 2588 25894369. [bug] Fix 'make' and 'make install' out-of-tree python 2590 support. [RT #42484] 2591 25924368. [bug] Fix a crash when calling "rndc stats" on some 2593 Windows builds because some Visual Studio compilers 2594 generated crashing code for the "%z" printf() 2595 format specifier. [RT #42380] 2596 25974367. 
[bug] Remove unnecessary assignment of loadtime in 2598 zone_touched. [RT #42440] 2599 26004366. [bug] Address race condition when updating rbtnode bit 2601 fields. [RT #42379] 2602 26034365. [bug] Address zone reference counting errors involving 2604 nxdomain-redirect. [RT #42258] 2605 26064364. [port] freebsd: add -Wl,-E to loader flags [RT #41690] 2607 26084363. [port] win32: Disable explicit triggering UAC when running 2609 BINDInstall. 2610 26114362. [func] Changed rndc reconfig behavior so that newly added 2612 zones are loaded asynchronously and the loading does 2613 not block the server. [RT #41934] 2614 26154361. [cleanup] Where supported, file modification times returned 2616 by isc_file_getmodtime() are now accurate to the 2617 nanosecond. [RT #41968] 2618 26194360. [bug] Silence spurious 'bad key type' message when there is 2620 a existing TSIG key. [RT #42195] 2621 26224359. [bug] Inherited 'also-notify' lists were not being checked 2623 by named-checkconf. [RT #42174] 2624 26254358. [test] Added American Fuzzy Lop harness that allows 2626 feeding fuzzed packets into BIND. 2627 [RT #41723] 2628 26294357. [func] Add the python RNDC module. [RT #42093] 2630 26314356. [func] Add the ability to specify whether to wait for 2632 nameserver addresses to be looked up or not to 2633 RPZ with a new modifying directive 'nsip-wait-recurse'. 2634 [RT #35009] 2635 26364355. [func] "pkcs11-list" now displays the extractability 2637 attribute of private or secret keys stored in 2638 an HSM, as either "true", "false", or "never" 2639 Thanks to Daniel Stirnimann. [RT #36557] 2640 26414354. [bug] Check that the received HMAC length matches the 2642 expected length prior to check the contents on the 2643 control channel. This prevents a OOB read error. 2644 This was reported by Lian Yihan, <lianyihan@360.cn>. 2645 [RT #42215] 2646 26474353. [cleanup] Update PKCS#11 header files. [RT #42175] 2648 26494352. 
[cleanup] The ISC DNSSEC Lookaside Validation (DLV) service 2650 is scheduled to be disabled in 2017. A warning is 2651 now logged when named is configured to use it, 2652 either explicitly or via "dnssec-lookaside auto;" 2653 [RT #42207] 2654 26554351. [bug] 'dig +noignore' didn't work. [RT #42273] 2656 26574350. [contrib] Declare result in dlz_filesystem_dynamic.c. 2658 26594349. [contrib] kasp2policy: A python script to create a DNSSEC 2660 policy file from an OpenDNSSEC KASP XML file. 2661 26624348. [func] dnssec-keymgr: A new python-based DNSSEC key 2663 management utility, which reads a policy definition 2664 file and can create or update DNSSEC keys as needed 2665 to ensure that a zone's keys match policy, roll over 2666 correctly on schedule, etc. Thanks to Sebastian 2667 Castro for assistance in development. [RT #39211] 2668 26694347. [port] Corrected a build error on x86_64 Solaris. [RT #42150] 2670 26714346. [bug] Fixed a regression introduced in change #4337 which 2672 caused signed domains with revoked KSKs to fail 2673 validation. [RT #42147] 2674 26754345. [contrib] perftcpdns mishandled the return values from 2676 clock_nanosleep. [RT #42131] 2677 26784344. [port] Address openssl version differences. [RT #42059] 2679 26804343. [bug] dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>. 2681 [RT #42090] 2682 26834342. [bug] 'rndc flushtree' could fail to clean the tree if there 2684 wasn't a node at the specified name. [RT #41846] 2685 2686 --- 9.11.0a1 released --- 2687 26884341. [bug] Correct the handling of ECS options with 2689 address family 0. [RT #41377] 2690 26914340. [performance] Implement adaptive read-write locks, reducing the 2692 overhead of locks that are only held briefly. 2693 [RT #37329] 2694 26954339. [test] Use "mdig" to test pipelined queries. [RT #41929] 2696 26974338. [bug] Reimplement change 4324 as it wasn't properly doing 2698 all the required book keeping. [RT #41941] 2699 27004337. 
[bug] The previous change exposed a latent flaw in key refresh queries for managed-keys when a cached DNSKEY had TTL 0. [RT #41986]

4336. [bug] Don't emit records with zero ttl unless the records were learnt with a zero ttl. [RT #41687]

4335. [bug] zone->view could be detached too early. [RT #41942]

4334. [func] 'named -V' now reports zlib version. [RT #41913]

4333. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42 and 2001:500:9f::42.

4332. [placeholder]

4331. [func] When loading managed signed zones detect if the RRSIG's inception time is in the future and regenerate the RRSIG immediately. [RT #41808]

4330. [protocol] Identify the PAD option as "PAD" when printing out a message.

4329. [func] Warn about a common misconfiguration when forwarding RFC 1918 zones. [RT #41441]

4328. [performance] Add dns_name_fromwire() benchmark test. [RT #41694]

4327. [func] Log query and depth counters during fetches when querytrace (./configure --enable-querytrace) is enabled (helps in diagnosing). [RT #41787]

4326. [protocol] Add support for AVC. [RT #41819]

4325. [func] Add a line to "rndc status" indicating the hostname and operating system details. [RT #41610]

4324. [bug] When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997]

4323. [bug] Improve HTTP header processing on statschannel. [RT #41674]

4322. [security] Duplicate EDNS COOKIE options in a response could trigger an assertion failure. (CVE-2016-2088) [RT #41809]

4321. [bug] Zones using mapped files containing out-of-zone data could return SERVFAIL instead of the expected NODATA or NXDOMAIN results. [RT #41596]

4320.
[bug] Insufficient memory allocation when handling "none" ACL could cause an assertion failure in named when parsing ACL configuration. [RT #41745]

4319. [security] Fix resolver assertion failure due to improper DNAME handling when parsing fetch reply messages. (CVE-2016-1286) [RT #41753]

4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]

4317. [bug] Age all unused servers on fetch timeout. [RT #41597]

4316. [func] Add option to tools to print RRs in unknown presentation format [RT #41595].

4315. [bug] Check that configured view class isn't a meta class. [RT #41572].

4314. [contrib] Added 'dnsperf-2.1.0.0-1', a set of performance testing tools provided by Nominum, Inc.

4313. [bug] Handle ns_client_replace failures in test mode. [RT #41190]

4312. [bug] dig's unknown DNS and EDNS flags (MBZ value) logging was not consistent. [RT #41600]

4311. [bug] Prevent "rndc delzone" from being used on response-policy zones. [RT #41593]

4310. [performance] Use __builtin_expect() where available to annotate conditions with known behavior. [RT #41411]

4309. [cleanup] Remove the spurious "none" filename from log messages when processing built-in configuration. [RT #41594]

4308. [func] Added operating system details to "named -V" output. [RT #41452]

4307. [bug] "dig +subnet" and "mdig +subnet" could send incorrectly-formatted Client Subnet options if the prefix length was not divisible by 8. Also fixed a memory leak in "mdig". [RT #45178]

4306. [maint] Added a PKCS#11 openssl patch supporting version 1.0.2f [RT #38312]

4305. [bug] dnssec-signzone was not removing unnecessary rrsigs from the zone's apex. [RT #41483]

4304.
[port] xfer system test failed as 'tail -n +value' is not portable. [RT #41315]

4303. [bug] "dig +subnet" was unable to send a prefix length of zero, as it was incorrectly changed to 32 for v4 prefixes or 128 for v6 prefixes. In addition to fixing this, "dig +subnet=0" has been added as a short form for 0.0.0.0/0. The same changes have also been made in "mdig". [RT #41553]

4302. [port] win32: fixed a build error in VS 2015. [RT #41426]

4301. [bug] dnssec-settime -p [DP]sync was not working. [RT #41534]

4300. [bug] A flag could be set in the wrong field when setting up non-recursive queries; this could cause the SERVFAIL cache to cache responses it shouldn't. New querytrace logging has been added which identified this error. [RT #41155]

4299. [bug] Check that exactly totallen bytes are read when reading a RRset from raw files in both single read and incremental modes. [RT #41402]

4298. [bug] dns_rpz_add errors in loadzone were not being propagated up the call stack. [RT #41425]

4297. [test] Ensure delegations in RPZ zones fail robustly. [RT #41518]

4296. [bug] TCP packet sizes were calculated incorrectly in the stats channel; they could be counted in the wrong histogram bucket. [RT #40587]

4295. [bug] An unchecked result in dns_message_pseudosectiontotext() could allow incorrect text formatting of EDNS EXPIRE options. [RT #41437]

4294. [bug] Fixed a regression in which "rndc stop -p" failed to print the PID. [RT #41513]

4293. [bug] Address memory leak on priming query creation failure. [RT #41512]

4292. [placeholder]

4291. [cleanup] Added a required include to dns/forward.h. [RT #41474]

4290.
[func] The timers returned by the statistics channel (indicating current time, server boot time, and most recent reconfiguration time) are now reported with millisecond accuracy. [RT #40082]

4289. [bug] The server could crash due to memory being used after it was freed if a zone transfer timed out. [RT #41297]

4288. [bug] Fixed a regression in resolver.c:possibly_mark() which caused known-bogus servers to be queried anyway. [RT #41321]

4287. [bug] Silence an overly noisy log message when message parsing fails. [RT #41374]

4286. [security] render_ecs errors were mishandled when printing out an OPT record, resulting in an assertion failure. (CVE-2015-8705) [RT #41397]

4285. [security] Specific APL data could trigger an INSIST. (CVE-2015-8704) [RT #41396]

4284. [bug] Some GeoIP options were incorrectly documented using abbreviated forms which were not accepted by named. The code has been updated to allow both long and abbreviated forms. [RT #41381]

4283. [bug] OPENSSL_config is no longer re-callable. [RT #41348]

4282. [func] 'dig +[no]mapped' determines whether the use of mapped IPv4 addresses over IPv6 is permitted or not. The default is +mapped. [RT #41307]

4281. [bug] Teach dns_message_totext about BADCOOKIE. [RT #41257]

4280. [performance] Use optimal message sizes to improve compression in AXFRs. This reduces network traffic. [RT #40996]

4279. [test] Don't use fixed ports when unit testing. [RT #41194]

4278. [bug] 'delv +short +[no]split[=##]' didn't work as expected. [RT #41238]

4277.
[performance] Improve performance of the RBT, the central zone data structure: The aux hashtable was improved, hash function was updated to perform more uniform mapping, uppernode was added to dns_rbtnode, and other cleanups and performance improvements were made. [RT #41165]

4276. [protocol] Add support for SMIMEA. [RT #40513]

4275. [performance] Lazily initialize dns_compress->table only when compression is enabled. [RT #41189]

4274. [performance] Speed up typemap processing from text. [RT #41196]

4273. [bug] Only call dns_test_begin() and dns_test_end() once each in nsec3_test as it fails with GOST if called multiple times.

4272. [bug] dig: the +norrcomments option didn't work with +multi. [RT #41234]

4271. [test] Unit tests could deadlock in isc__taskmgr_pause(). [RT #41235]

4270. [security] Update allowed OpenSSL versions as named is potentially vulnerable to CVE-2015-3193.

4269. [bug] Zones using "map" format master files currently don't work as policy zones. This limitation has now been documented; attempting to use such zones in "response-policy" statements is now a configuration error. [RT #38321]

4268. [func] "rndc status" now reports the path to the configuration file. [RT #36470]

4267. [test] Check sdlz error handling. [RT #41142]

4266. [placeholder]

4265. [bug] Address unchecked isc_mem_get calls. [RT #41187]

4264. [bug] Check const of strchr/strrchr assignments match argument's const status. [RT #41150]

4263. [contrib] Address compiler warnings in mysqldyn module. [RT #41130]

4262. [bug] Fixed a bug in epoll socket code that caused sockets to not be registered for ready notification in some cases, causing named to not read from or write to them, resulting in what appear to the user as blocked connections.
[RT #41067]

4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]

4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987]

4259. [func] Add an option for non-destructive control channel access using a "read-only" clause. In such cases, a restricted set of rndc commands are allowed for querying information from named. [RT #40498]

4258. [bug] Limit rndc query message sizes to 32 KiB. This should not break any legitimate rndc commands, but will prevent a rogue rndc query from allocating too much memory. [RT #41073]

4257. [cleanup] Python scripts reported incorrect version. [RT #41080]

4256. [bug] Allow rndc command arguments to be quoted so as to allow spaces. [RT #36665]

4255. [performance] Add 'message-compression' option to disable DNS compression in responses. [RT #40726]

4254. [bug] Address missing lock when getting zone's serial. [RT #41072]

4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT #40945]

4252. [func] Add support for automating the generation of CDS and CDNSKEY rrsets to named and dnssec-signzone. [RT #40424]

4251. [bug] NTAs were deleted when the server was reconfigured or reloaded. [RT #41058]

4250. [func] Log the TSIG key in use during inbound zone transfers. [RT #41075]

4249. [func] Improve error reporting of TSIG / SIG(0) records in the wrong location. [RT #41030]

4248. [performance] Add an isc_atomic_storeq() function, use it in stats counters to improve performance. [RT #39972] [RT #39979]

4247.
[port] Require both HAVE_JSON and JSON_C_VERSION to be defined to report json library version. [RT #41045]

4246. [test] Ensure the statschannel system test runs when BIND is not built with libjson. [RT #40944]

4245. [placeholder]

4244. [bug] The parser was not reporting that use-ixfr is obsolete. [RT #41010]

4243. [func] Improved stats reporting from Timothe Litt. [RT #38941]

4242. [bug] Replace the client if not already replaced when prefetching. [RT #41001]

4241. [doc] Improved the TSIG, TKEY, and SIG(0) sections in the ARM. [RT #40955]

4240. [port] Fix LibreSSL compatibility. [RT #40977]

4239. [func] Changed default servfail-ttl value to 1 second from 10. Also, the maximum value is now 30 instead of 300. [RT #37556]

4238. [bug] Don't send to servers on net zero (0.0.0.0/8). [RT #40947]

4237. [doc] Upgraded documentation toolchain to use DocBook 5 and dblatex. [RT #40766]

4236. [performance] On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one. [RT #40761]

4235. [func] Added support in named for "dnstap", a fast method of capturing and logging DNS traffic, and a new command "dnstap-read" to read a dnstap log file. Use "configure --enable-dnstap" to enable this feature (note that this requires libprotobuf-c and libfstrm). See the ARM for configuration details. Thanks to Robert Edmonds of Farsight Security. [RT #40211]

4234. [func] Add deflate compression in statistics channel HTTP server. [RT #40861]

4233. [test] Add tests for CDS and CDNSKEY with delegation-only. [RT #40597]

4232. [contrib] Address unchecked memory allocation calls in query-loc and zone2ldap. [RT #40789]

4231.
[contrib] Address unchecked calloc call in dlz_mysqldyn_mod.c. [RT #40840]

4230. [contrib] dlz_wildcard_dynamic.c:dlz_create could return an uninitialized result. [RT #40839]

4229. [bug] A variable could be used uninitialized in dns_update_signaturesinc. [RT #40784]

4228. [bug] Address race condition in dns_client_destroyrestrans. [RT #40605]

4227. [bug] Silence static analysis warnings. [RT #40828]

4226. [bug] Address a theoretical shutdown race in zone.c:notify_send_queue(). [RT #38958]

4225. [port] freebsd/openbsd: Use '${CC} -shared' for building shared libraries. [RT #39557]

4224. [func] Added support for "dyndb", a new interface for loading zone data from an external database, developed by Red Hat for the FreeIPA project. DynDB drivers fully implement the BIND database API, and are capable of significantly better performance and functionality than DLZ drivers, while taking advantage of advanced database features not available in BIND such as multi-master replication. Thanks to Adam Tkac and Petr Spacek of Red Hat. [RT #35271]

4223. [func] Add support for setting max-cache-size to percentage of available physical memory, set default to 90%. [RT #38442]

4222. [func] Bias IPv6 servers when selecting the next server to query. [RT #40836]

4221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create. [RT #40583]

4220. [doc] Improve documentation for zone-statistics. [RT #36955]

4219. [bug] Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK, EAGAIN when these soft errors are not retried for isc_socket_send*().

4218. [bug] Potential null pointer dereference on out of memory if mmap is not supported. [RT #40777]

4217. [protocol] Add support for CSYNC. [RT #40532]

4216.
[cleanup] Silence static analysis warnings. [RT #40649]

4215. [bug] nsupdate: skip to next request on GSSTKEY create failure. [RT #40685]

4214. [protocol] Add support for TALINK. [RT #40544]

4213. [bug] Don't reuse a cache across multiple classes. [RT #40205]

4212. [func] Re-query if we get a bad client cookie returned over UDP. [RT #40748]

4211. [bug] Ensure that lwresd gets at least one task to work with if enabled. [RT #40652]

4210. [cleanup] Silence use after free false positive. [RT #40743]

4209. [bug] Address resource leaks in dlz modules. [RT #40654]

4208. [bug] Address null pointer dereferences on out of memory. [RT #40764]

4207. [bug] Handle class mismatches with raw zone files. [RT #40746]

4206. [bug] contrib: fixed a possible NULL dereference in DLZ wildcard module. [RT #40745]

4205. [bug] 'named-checkconf -p' could include unwanted spaces when printing tuples with unset optional fields. [RT #40731]

4204. [bug] 'dig +trace' failed to lookup the correct type if the initial root NS query was retried. [RT #40296]

4203. [test] The rrchecker system test now tests conversion to and from unknown-type format. [RT #40584]

4202. [bug] isccc_cc_fromwire() could return an incorrect result. [RT #40614]

4201. [func] The default preferred-glue is now the address record type of the transport the query was received over. [RT #40468]

4200. [cleanup] win32: update BINDinstall to be BIND release independent. [RT #38915]

4199. [protocol] Add support for NINFO, RKEY, SINK, TA. [RT #40545] [RT #40547] [RT #40561] [RT #40563]

4198. [placeholder]

4197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses. [RT #40603]

4196. [doc] Improve how "enum + other" types are documented. [RT #40608]

4195.
[bug] 'max-zone-ttl unlimited;' was broken. [RT #40608]

4194. [bug] named-checkconf -p failed to properly print a port range. [RT #40634]

4193. [bug] Handle broken servers that return BADVERS incorrectly. [RT #40427]

4192. [bug] The default rrset-order of random was not always being applied. [RT #40456]

4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones as per RFC 6763. [RT #37889]

4190. [protocol] Accept Active Directory gc._msdcs.<forest> name as valid with check-names. <forest> still needs to be LDH. [RT #40399]

4189. [cleanup] Don't exit on overly long tokens in named.conf. [RT #40418]

4188. [bug] Support HTTP/1.0 client properly on the statistics channel. [RT #40261]

4187. [func] When any RR type implementation doesn't implement totext() for the RDATA's wire representation and returns ISC_R_NOTIMPLEMENTED, such RDATA is now printed in unknown presentation format (RFC 3597). RR types affected include LOC(29) and APL(42). [RT #40317].

4186. [bug] Fixed an RPZ bug where a QNAME would be matched against a policy RR with wildcard owner name (trigger) where the QNAME was the wildcard owner name's parent. For example, the bug caused a query with QNAME "example.com" to match a policy RR with "*.example.com" as trigger. [RT #40357]

4185. [bug] Fixed an RPZ bug where a policy RR with wildcard owner name (trigger) would prevent another policy RR with its parent owner name from being loaded. For example, the bug caused a policy RR with trigger "example.com" to not have any effect when a previous policy RR with trigger "*.example.com" existed in that RPZ zone. [RT #40357]

4184. [bug] Fixed a possible memory leak in name compression when rendering long messages. (Also, improved wire_test for testing such messages.)
[RT #40375]

4183. [cleanup] Use timing-safe memory comparisons in cryptographic code. Also, the timing-safe comparison functions have been renamed to avoid possible confusion with memcmp(). Thanks to Loganaden Velvindron of AFRINIC. [RT #40148]

4182. [cleanup] Use mnemonics for RR class and type comparisons. [RT #40297]

4181. [bug] Queued notify messages could be dequeued from the wrong rate limiter queue. [RT #40350]

4180. [bug] Error responses in pipelined queries could cause a crash in client.c. [RT #40289]

4179. [bug] Fix double frees in getaddrinfo() in libirs. [RT #40209]

4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from text. [RT #40274]

4177. [bug] Fix assertion failure in parsing NSAP records from text. [RT #40285]

4176. [bug] Address race issues with lwresd. [RT #40284]

4175. [bug] TKEY with GSS-API keys needed bigger buffers. [RT #40333]

4174. [bug] "dnssec-coverage -r" didn't handle time unit suffixes correctly. [RT #38444]

4173. [bug] dig +sigchase was not properly matching the trusted key. [RT #40188]

4172. [bug] Named / named-checkconf didn't handle a view of CLASS0. [RT #40265]

4171. [bug] Fixed incorrect class checks in TSIG RR implementation. [RT #40287]

4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. (CVE-2015-5986) [RT #40286]

4169. [test] Added a 'wire_test -d' option to read input as raw binary data, for use as a fuzzing harness. [RT #40312]

4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212]

4167. [func] Update rndc's usage output to include recently added commands.
Thanks to Tony Finch for submitting a patch. [RT #40010]

4166. [func] Print informative output from rndc showzone when allow-new-zones is not enabled for a view. Thanks to Tony Finch for submitting a patch. [RT #40009]

4165. [security] A failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) [RT #40046]

4164. [bug] Don't rename slave files and journals on out of memory. [RT #40033]

4163. [bug] Address compiler warnings. [RT #40024]

4162. [bug] httpdmgr->flags was not being initialized. [RT #40017]

4161. [test] Add JSON test for traffic size stats; also test for consistency between "rndc stats" and the XML and JSON statistics channel contents. [RT #38700]

4160. [placeholder]

4159. [cleanup] Alphabetize dig's help output. [RT #39966]

4158. [placeholder]

4157. [placeholder]

4156. [func] Added statistics counters to track the sizes of incoming queries and outgoing responses in histogram buckets, as specified in RSSAC002. [RT #39049]

4155. [func] Allow RPZ rewrite logging to be configured on a per-zone basis using a newly introduced log clause in the response-policy option. [RT #39754]

4154. [bug] An OPT record should be included with the FORMERR response when there is a malformed EDNS option. [RT #39647]

4153. [bug] Dig should zero non-significant +subnet bits. Check that non-significant ECS bits are zero on receipt. [RT #39647]

4152. [func] Implement DNS COOKIE option. This replaces the experimental SIT option of BIND 9.10. The following named.conf directives are available: send-cookie, cookie-secret, cookie-algorithm, nocookie-udp-size and require-server-cookie. The following dig options are available: +[no]cookie[=value] and +[no]badcookie. [RT #39928]

4151.
[bug] 'rndc flush' could cause a deadlock. [RT #39835]

4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply minimal fix. [RT #39667]

4149. [bug] Fixed a race condition in the getaddrinfo() implementation in libirs, which caused the delv utility to crash with an assertion failure when using the '@server' syntax with a hostname argument. [RT #39899]

4148. [bug] Fix a bug when printing zone names with '/' character in XML and JSON statistics output. [RT #39873]

4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6 was returning referrals rather than nodata responses when the AAAA records were filtered. [RT #39843]

4146. [bug] Address reference leak that could prevent a clean shutdown. [RT #37125]

4145. [bug] Not all unassociated adb entries were being printed. [RT #37125]

4144. [func] Add statistics counters for nxdomain redirections. [RT #39790]

4143. [placeholder]

4142. [bug] rndc addzone with view specified saved NZF config that could not be read back by named. This has now been fixed. [RT #39845]

4141. [bug] A formatting bug caused rndc zonestatus to print negative numbers for large serial values. This has now been fixed. [RT #39854]

4140. [cleanup] Remove redundant nzf_remove() call during delzone. [RT #39844]

4139. [doc] Fix rpz-client-ip documentation. [RT #39783]

4138. [security] An uninitialized value in validator.c could result in an assertion failure. (CVE-2015-4620) [RT #39795]

4137. [bug] Make rndc reconfig report configuration errors the same way rndc reload does. [RT #39635]

4136. [bug] Stale statistics counters with the leading '#' prefix (such as #NXDOMAIN) were not being updated correctly. This has been fixed. [RT #39141]

4135. [cleanup] Log expired NTA at startup.
[RT #39680]

4134. [cleanup] Include client-ip rules when logging the number of RPZ rules of each type. [RT #39670]

4133. [port] Update how various json libraries are handled. [RT #39646]

4132. [cleanup] dig: added +rd as a synonym for +recurse, added +class as an unabbreviated alternative to +cl. [RT #39686]

4131. [bug] Addressed further problems with reloading RPZ zones. [RT #39649]

4130. [bug] The compatibility shim for *printf() misprinted some large numbers. [RT #39586]

4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532]

4128. [bug] Address issues raised by Coverity 7.6. [RT #39537]

4127. [protocol] CDS and CDNSKEY need to be signed by the key signing key as per RFC 7344, Section 4.1. [RT #37215]

4126. [bug] Addressed a regression introduced in change #4121. [RT #39611]

4125. [test] Added tests for dig, renamed delv test to digdelv. [RT #39490]

4124. [func] Log errors or warnings encountered when parsing the internal default configuration. Clarify the logging of errors and warnings encountered in rndc addzone or modzone parameters. [RT #39440]

4123. [port] Added %z (size_t) format options to the portable internal printf/sprintf implementation. [RT #39586]

4122. [bug] The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]

4121.
[bug] On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]

4120. [bug] A bug in RPZ could cause the server to crash if policy zones were updated while recursion was pending for RPZ processing of an active query. [RT #39415]

4119. [test] Allow dig to set the message opcode. [RT #39550]

4118. [bug] Teach isc-config.sh about irs. [RT #39213]

4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534.

4116. [bug] Fix a bug in RPZ that could cause some policy zones that did not specifically require recursion to be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]

4115. [func] "rndc -r" now prints the result code (e.g., ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after running the requested command. [RT #38913]

4114. [bug] Fix a regression in radix tree implementation introduced by ECS code. This bug was never released, but it was reported by a user testing master. [RT #38983]

4113. [test] Check for Net::DNS in some system test prerequisites. [RT #39369]

4112. [bug] Named failed to load when "root-delegation-only" was used without a list of domains to exclude. [RT #39380]

4111. [doc] Alphabetize rndc man page. [RT #39360]

4110. [bug] Address memory leaks / null pointer dereferences on out of memory. [RT #39310]

4109. [port] linux: support reading the local port range from net.ipv4.ip_local_port_range. [RT #39379]

4108.
[func] An additional NXDOMAIN redirect method (option "nxdomain-redirect") has been added, allowing redirection to a specified DNS namespace instead of a single redirect zone. [RT #37989]

4107. [bug] Address potential deadlock when updating zone content. [RT #39269]

4106. [port] Improve readline support. [RT #38938]

4105. [port] Misc fixes for Microsoft Visual Studio 2015 CTP6 in 64 bit mode. [RT #39308]

4104. [bug] Address uninitialized elements. [RT #39252]

4103. [port] Misc fixes for Microsoft Visual Studio 2015 CTP6. [RT #39267]

4102. [bug] Fix a use after free bug introduced in change #4094. [RT #39281]

4101. [bug] dig: the +split and +rrcomments options didn't work with +short. [RT #39291]

4100. [bug] Inherited ownernames on the line immediately following a $INCLUDE were not working. [RT #39268]

4099. [port] clang: make unknown commandline options hard errors when determining what options are supported. [RT #39273]

4098. [bug] Address use-after-free issue when using a predecessor key with dnssec-settime. [RT #39272]

4097. [func] Add additional logging about xfrin transfer status. [RT #39170]

4096. [bug] Fix a use after free of query->sendevent. [RT #39132]

4095. [bug] zone->options2 was not being properly initialized. [RT #39228]

4094. [bug] A race during shutdown or reconfiguration could cause an assertion in mem.c. [RT #38979]

4093. [func] Dig now learns the SIT value from truncated responses when it retries over TCP. [RT #39047]

4092. [bug] 'in-view' didn't work for zones beneath an empty zone. [RT #39173]

4091. [cleanup] Some cleanups in isc mem code. [RT #38896]

4090. [bug] Fix a crash while parsing malformed CAA RRs in presentation format, i.e., from text such as from master files.
Thanks to John Van de Meulebrouck Brendgard for discovering and reporting this problem. [RT #39003]

4089. [bug] Send notifies immediately for slave zones during startup. [RT #38843]

4088. [port] Fixed errors when building with libressl. [RT #38899]

4087. [bug] Fix a crash due to use-after-free due to sequencing of tasks actions. [RT #38495]

4086. [bug] Fix out-of-srcdir build with native pkcs11. [RT #38831]

4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set. [RT #38828]

4084. [bug] Fix a possible race in updating stats counters. [RT #38826]

4083. [cleanup] Print the number of CPUs and UDP listeners consistently in the log and in "rndc status" output; indicate whether threads are supported in "named -V" output. [RT #38811]

4082. [bug] Incrementally sign large inline zone deltas. [RT #37927]

4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]

4080. [func] Completed change #4022, adding a "lock-file" option to named.conf to override the default lock file, in addition to the "named -X <filename>" command line option. Setting the lock file to "none" using either method disables the check completely. [RT #37908]

4079. [func] Preserve the case of the owner name of records to the RRset level. [RT #37442]

4078. [bug] Handle the case where CMSG_SPACE(sizeof(int)) != CMSG_SPACE(sizeof(char)). [RT #38621]

4077. [test] Add static-stub regression test for DS NXDOMAIN return making the static stub disappear. [RT #38564]

4076. [bug] Named could crash on shutdown with outstanding reload / reconfig events. [RT #38622]

4075. [placeholder]

4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]

4073.
[cleanup] Add libjson-c version number reporting to 3588 "named -V"; normalize version number formatting. 3589 [RT #38056] 3590 35914072. [func] Add a --enable-querytrace configure switch for 3592 very verbose query trace logging. (This option 3593 has a negative performance impact and should be 3594 used only for debugging.) [RT #37520] 3595 35964071. [cleanup] Initialize pthread mutex attrs just once, instead of 3597 doing it per mutex creation. [RT #38547] 3598 35994070. [bug] Fix a segfault in nslookup in a query such as 3600 "nslookup isc.org AMS.SNS-PB.ISC.ORG -all". 3601 [RT #38548] 3602 36034069. [doc] Reorganize options in the nsupdate man page. 3604 [RT #38515] 3605 36064068. [bug] Omit unknown serial number from JSON zone statistics. 3607 [RT #38604] 3608 36094067. [cleanup] Reduce noise from RRL when query logging is 3610 disabled. [RT #38648] 3611 36124066. [doc] Reorganize options in the dig man page. [RT #38516] 3613 36144065. [test] Additional RFC 5011 tests. [RT #38569] 3615 36164064. [contrib] dnssec-keyset.sh: Generates a specified number 3617 of DNSSEC keys with timing set to implement a 3618 pre-publication key rollover strategy. Thanks 3619 to Jeffry A. Spain. [RT #38459] 3620 36214063. [bug] Asynchronous zone loads were not handled 3622 correctly when the zone load was already in 3623 progress; this could trigger a crash in zt.c. 3624 [RT #37573] 3625 36264062. [bug] Fix an out-of-bounds read in RPZ code. If the 3627 read succeeded, it doesn't result in a bug 3628 during operation. If the read failed, named 3629 could segfault. [RT #38559] 3630 36314061. [bug] Handle timeout in legacy system test. [RT #38573] 3632 36334060. [bug] dns_rdata_freestruct could be called on a 3634 uninitialized structure when handling a error. 3635 [RT #38568] 3636 36374059. [bug] Addressed valgrind warnings. [RT #38549] 3638 36394058. [bug] UDP dispatches could use the wrong pseudorandom 3640 number generator context. [RT #38578] 3641 36424057. 
[bug] 'dnssec-dsfromkey -T 0' failed to add ttl field. 3643 [RT #38565] 3644 36454056. [bug] Expanded automatic testing of trust anchor 3646 management and fixed several small bugs including 3647 a memory leak and a possible loss of key state 3648 information. [RT #38458] 3649 36504055. [func] "rndc managed-keys" can be used to check status 3651 of trust anchors or to force keys to be refreshed, 3652 Also, the managed keys data file has easier-to-read 3653 comments. [RT #38458] 3654 36554054. [func] Added a new tool 'mdig', a lightweight clone of 3656 dig able to send multiple pipelined queries. 3657 [RT #38261] 3658 36594053. [security] Revoking a managed trust anchor and supplying 3660 an untrusted replacement could cause named 3661 to crash with an assertion failure. 3662 (CVE-2015-1349) [RT #38344] 3663 36644052. [bug] Fix a leak of query fetchlock. [RT #38454] 3665 36664051. [bug] Fix a leak of pthread_mutexattr_t. [RT #38454] 3667 36684050. [bug] RPZ could send spurious SERVFAILs in response 3669 to duplicate queries. [RT #38510] 3670 36714049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491] 3672 36734048. [bug] adb hash table was not being grown. [RT #38470] 3674 36754047. [cleanup] "named -V" now reports the current running versions 3676 of OpenSSL and the libxml2 libraries, in addition to 3677 the versions that were in use at build time. 3678 36794046. [bug] Accounting of "total use" in memory context 3680 statistics was not correct. [RT #38370] 3681 36824045. [bug] Skip to next master on dns_request_createvia4 failure. 3683 [RT #25185] 3684 36854044. [bug] Change 3955 was not complete, resulting in an assertion 3686 failure if the timing was just right. [RT #38352] 3687 36884043. [func] "rndc modzone" can be used to modify the 3689 configuration of an existing zone, using similar 3690 syntax to "rndc addzone". [RT #37895] 3691 36924042. [bug] zone.c:iszonesecure was being called too late. 3693 [RT #38371] 3694 36954041. 
[func] TCP sockets can now be shared while connecting. 3696 (This will be used to enable client-side support 3697 of pipelined queries.) [RT #38231] 3698 36994040. [func] Added server-side support for pipelined TCP 3700 queries. Clients may continue sending queries via 3701 TCP while previous queries are being processed 3702 in parallel. (The new "keep-response-order" 3703 option allows clients to be specified for which 3704 the old behavior will still be used.) [RT #37821] 3705 37064039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381] 3707 37084038. [bug] Add 'rpz' flag to node and use it to determine whether 3709 to call dns_rpz_delete. This should prevent unbalanced 3710 add / delete calls. [RT #36888] 3711 37124037. [bug] also-notify was ignoring the tsig key when checking 3713 for duplicates resulting in some expected notify 3714 messages not being sent. [RT #38369] 3715 37164036. [bug] Make call to open a temporary file name safe during 3717 NZF creation. [RT #38331] 3718 37194035. [bug] Close temporary and NZF FILE pointers before moving 3720 the former into the latter's place, as required on 3721 Windows. [RT #38332] 3722 37234034. [func] When added, negative trust anchors (NTA) are now 3724 saved to files (viewname.nta), in order to 3725 persist across restarts of the named server. 3726 [RT #37087] 3727 37284033. [bug] Missing out of memory check in request.c:req_send. 3729 [RT #38311] 3730 37314032. [bug] Built-in "empty" zones did not correctly inherit the 3732 "allow-transfer" ACL from the options or view. 3733 [RT #38310] 3734 37354031. [bug] named-checkconf -z failed to report a missing file 3736 with a hint zone. [RT #38294] 3737 37384030. [func] "rndc delzone" is now applicable to zones that were 3739 configured in named.conf, as well as zones that 3740 were added via "rndc addzone". (Note, however, that 3741 if named.conf is not also modified, the deleted zone 3742 will return when named is reloaded.) [RT #37887] 3743 37444029. 
[func] "rndc showzone" displays the current configuration 3745 of a specified zone. [RT #37887] 3746 37474028. [bug] $GENERATE with a zero step was not being caught as a 3748 error. A $GENERATE with a / but no step was not being 3749 caught as a error. [RT #38262] 3750 37514027. [port] Net::DNS 0.81 compatibility. [RT #38165] 3752 37534026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173] 3754 37554025. [port] bsdi: failed to build. [RT #38047] 3756 37574024. [bug] dns_rdata_opt_first, dns_rdata_opt_next, 3758 dns_rdata_opt_current, dns_rdata_txt_first, 3759 dns_rdata_txt_next and dns_rdata_txt_current were 3760 documented but not implemented. These have now been 3761 implemented. 3762 3763 dns_rdata_spf_first, dns_rdata_spf_next and 3764 dns_rdata_spf_current were documented but not 3765 implemented. The prototypes for these 3766 functions have been removed. [RT #38068] 3767 37684023. [bug] win32: socket handling with explicit ports and 3769 invoking named with -4 was broken for some 3770 configurations. [RT #38068] 3771 37724022. [func] Stop multiple spawns of named by limiting number of 3773 processes to 1. This is done by using a lockfile and 3774 checking whether we can listen on any configured 3775 TCP interfaces. [RT #37908] 3776 37774021. [bug] Adjust max-recursion-queries to accommodate 3778 the need for more queries when the cache is 3779 empty. [RT #38104] 3780 37814020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery 3782 resulting in updates being sent to the wrong server. 3783 [RT #37925] 3784 37854019. [func] If named is not configured to validate the answer 3786 then allow fallback to plain DNS on timeout even 3787 when we know the server supports EDNS. [RT #37978] 3788 37894018. [placeholder] 3790 37914017. [test] Add system test to check lookups to legacy servers 3792 with broken DNS behavior. [RT #37965] 3793 37944016. [bug] Fix a dig segfault due to bad linked list usage. 3795 [RT #37591] 3796 37974015. 
[bug] Nameservers that are skipped due to them being 3798 CNAMEs were not being logged. They are now logged 3799 to category 'cname' as per BIND 8. [RT #37935] 3800 38014014. [bug] When including a master file origin_changed was 3802 not being properly set leading to a potentially 3803 spurious 'inherited owner' warning. [RT #37919] 3804 38054013. [func] Add a new tcp-only option to server (config) / 3806 peer (struct) to use TCP transport to send 3807 queries (in place of UDP transport with a 3808 TCP fallback on truncated (TC set) response). 3809 [RT #37800] 3810 38114012. [cleanup] Check returned status of OpenSSL digest and HMAC 3812 functions when they return one. Note this applies 3813 only to FIPS capable OpenSSL libraries put in 3814 FIPS mode and MD5. [RT #37944] 3815 38164011. [bug] master's list port and dscp inheritance was not 3817 properly implemented. [RT #37792] 3818 38194010. [cleanup] Clear the prefetchable state when initiating a 3820 prefetch. [RT #37399] 3821 38224009. [func] delv: added a +tcp option. [RT #37855] 3823 38244008. [contrib] Updated zkt to latest version (1.1.3). [RT #37886] 3825 38264007. [doc] Remove acl forward reference restriction. [RT #37772] 3827 38284006. [security] A flaw in delegation handling could be exploited 3829 to put named into an infinite loop. This has 3830 been addressed by placing limits on the number 3831 of levels of recursion named will allow (default 7), 3832 and the number of iterative queries that it will 3833 send (default 50) before terminating a recursive 3834 query (CVE-2014-8500). 3835 3836 The recursion depth limit is configured via the 3837 "max-recursion-depth" option, and the query limit 3838 via the "max-recursion-queries" option. [RT #37580] 3839 38404005. [func] The buffer used for returning text from rndc 3841 commands is now dynamically resizable, allowing 3842 arbitrarily large amounts of text to be sent back 3843 to the client. 
(Prior to this change, it was 3844 possible for the output of "rndc tsig-list" to be 3845 truncated.) [RT #37731] 3846 38474004. [bug] When delegations had AAAA glue but not A, a 3848 reference could be leaked causing an assertion 3849 failure on shutdown. [RT #37796] 3850 38514003. [security] When geoip-directory was reconfigured during 3852 named run-time, the previously loaded GeoIP 3853 data could remain, potentially causing wrong 3854 ACLs to be used or wrong results to be served 3855 based on geolocation (CVE-2014-8680). [RT #37720] 3856 38574002. [security] Lookups in GeoIP databases that were not 3858 loaded could cause an assertion failure 3859 (CVE-2014-8680). [RT #37679] 3860 38614001. [security] The caching of GeoIP lookups did not always 3862 handle address families correctly, potentially 3863 resulting in an assertion failure (CVE-2014-8680). 3864 [RT #37672] 3865 38664000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET 3867 from the redirect zone. [RT #37722] 3868 38693999. [func] "mkeys" and "nzf" files are now named after 3870 their corresponding views, unless the view name 3871 contains characters that would be incompatible 3872 with use in a filename (i.e., slash, backslash, 3873 or capital letters). If a view name does contain 3874 these characters, the files will still be named 3875 using a cryptographic hash of the view name. 3876 Regardless of this, if a file using the old name 3877 format is found to exist, it will continue to be 3878 used. [RT #37704] 3879 38803998. [bug] isc_radix_search was returning matches that were 3881 too precise. [RT #37680] 3882 38833997. [protocol] Add OPENGPGKEY record. [RT# 37671] 3884 38853996. [bug] Address use after free on out of memory error in 3886 keyring_add. [RT #37639] 3887 38883995. [bug] receive_secure_serial holds the zone lock for too 3889 long. [RT #37626] 3890 38913994. [func] Dig now supports setting the last unassigned DNS 3892 header flag bit (dig +zflag). [RT #37421] 3893 38943993. 
[func] Dig now supports EDNS negotiation by default. 3895 (dig +[no]ednsnegotiation). 3896 3897 Note: This is disabled by default in BIND 9.10 3898 and enabled by default in BIND 9.11. [RT #37604] 3899 39003992. [func] DiG can now send queries without questions 3901 (dig +header-only). [RT #37599] 3902 39033991. [func] Add the ability to buffer logging output by specifying 3904 "buffered yes;" when defining a channel. [RT #26561] 3905 39063990. [test] Add tests for unknown DNSSEC algorithm handling. 3907 [RT #37541] 3908 39093989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748] 3910 39113988. [func] Allow the zone serial of a dynamically updatable 3912 zone to be updated via "rndc signing -serial". 3913 [RT #37404] 3914 39153987. [port] Handle future Visual Studio 14 incompatible changes. 3916 [RT #37380] 3917 39183986. [doc] Add the BIND version number to page footers 3919 in the ARM. [RT #37398] 3920 39213985. [doc] Describe how +ndots and +search interact in dig. 3922 [RT #37529] 3923 39243984. [func] Accept 256 byte long PINs in native PKCS#11 3925 crypto. [RT #37410] 3926 39273983. [bug] Change #3940 was incomplete: negative trust anchors 3928 could be set to last up to a week, but the 3929 "nta-lifetime" and "nta-recheck" options were 3930 still limited to one day. [RT #37522] 3931 39323982. [doc] Include release notes in product documentation. 3933 [RT #37272] 3934 39353981. [bug] Cache DS/NXDOMAIN independently of other query types. 3936 [RT #37467] 3937 39383980. [bug] Improve --with-tuning=large by self tuning of SO_RCVBUF 3939 size. [RT #37187] 3940 39413979. [bug] Negative trust anchor fetches were not properly 3942 managed. [RT #37488] 3943 39443978. [test] Added a unit test for Diffie-Hellman key 3945 computation, completing change #3974. [RT #37477] 3946 39473977. [cleanup] "rndc secroots" reported a "not found" error when 3948 there were no negative trust anchors set. [RT #37506] 3949 39503976. 
[bug] When refreshing managed-key trust anchors, clear 3951 any cached trust so that they will always be 3952 revalidated with the current set of secure 3953 roots. [RT #37506] 3954 39553975. [bug] Don't populate or use the bad cache for queries that 3956 don't request or use recursion. [RT #37466] 3957 39583974. [bug] Handle DH_compute_key() failure correctly in 3959 openssldh_link.c. [RT #37477] 3960 39613973. [test] Added hooks for Google Performance Tools CPU profiler, 3962 including real-time/wall-clock profiling. Use 3963 "configure --with-gperftools-profiler" to enable. 3964 [RT #37339] 3965 39663972. [bug] Fix host's usage statement. [RT #37397] 3967 39683971. [bug] Reduce the cascading failures due to a bad $TTL line 3969 in named-checkconf / named-checkzone. [RT #37138] 3970 39713970. [contrib] Fixed a use after free bug in the SDB LDAP driver. 3972 [RT #37237] 3973 39743969. [test] Added 'delv' system test. [RT #36901] 3975 39763968. [bug] Silence spurious log messages when using 'named -[46]'. 3977 [RT #37308] 3978 39793967. [test] Add test for inlined signed zone in multiple views 3980 with different DNSKEY sets. [RT #35759] 3981 39823966. [bug] Missing dns_db_closeversion call in receive_secure_db. 3983 [RT #35746] 3984 39853965. [func] Log outgoing packets and improve packet logging to 3986 support logging the remote address. [RT #36624] 3987 39883964. [func] nsupdate now performs check-names processing. 3989 [RT #36266] 3990 39913963. [test] Added NXRRSET test cases to the "dlzexternal" 3992 system test. [RT #37344] 3993 39943962. [bug] 'dig +topdown +trace +sigchase' address unhandled error 3995 conditions. [RT #34663] 3996 39973961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with 3998 BADSIG. [RT #37216] 3999 40003960. [bug] 'dig +sigchase' could loop forever. [RT #37220] 4001 40023959. [bug] Updates could be lost if they arrived immediately 4003 after a rndc thaw. [RT #37233] 4004 40053958. 
[bug] Detect when writeable files have multiple references 4006 in named.conf. [RT #37172] 4007 40083957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 4009 and ECDSAP384SHA384. [RT #37183] 4010 40113956. [func] Notify messages are now rate limited by notify-rate and 4012 startup-notify-rate instead of serial-query-rate. 4013 [RT #24454] 4014 40153955. [bug] Notify messages due to changes are no longer queued 4016 behind startup notify messages. [RT #24454] 4017 40183954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112] 4019 40203953. [bug] Don't escape semi-colon in TXT fields. [RT #37159] 4021 40223952. [bug] dns_name_fullcompare failed to set *nlabelsp when the 4023 two name pointers were the same. [RT #37176] 4024 40253951. [func] Add the ability to set yet-to-be-defined EDNS flags 4026 to dig (+ednsflags=#). [RT #37142] 4027 40283950. [port] Changed the bin/python Makefile to work around a 4029 bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] 4030 40313949. [experimental] Experimental support for draft-andrews-edns1 by sending 4032 EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when 4033 building). Add support for limiting the EDNS version 4034 advertised to servers: server { edns-version 0; }; 4035 Log the EDNS version received in the query log. 4036 [RT #35864] 4037 40383948. [port] solaris: RCVBUFSIZE was too large on Solaris with 4039 --with-tuning=large. [RT #37059] 4040 40413947. [cleanup] Set the executable bit on libraries when using 4042 libtool. [RT #36786] 4043 40443946. [cleanup] Improved "configure" search for a python interpreter. 4045 [RT #36992] 4046 40473945. [bug] Invalid wildcard expansions could be incorrectly 4048 accepted by the validator. [RT #37093] 4049 40503944. [test] Added a regression test for "server-id". [RT #37057] 4051 40523943. [func] SERVFAIL responses can now be cached for a 4053 limited time (configured by "servfail-ttl", 4054 default 10 seconds, limit 30). 
This can reduce 4055 the frequency of retries when an authoritative 4056 server is known to be failing, e.g., due to 4057 ongoing DNSSEC validation problems. [RT #21347] 4058 40593942. [bug] Wildcard responses from a optout range should be 4060 marked as insecure. [RT #37072] 4061 40623941. [doc] Include the BIND version number in the ARM. [RT #37067] 4063 40643940. [func] "rndc nta" now allows negative trust anchors to be 4065 set for up to one week. [RT #37069] 4066 40673939. [func] Improve UPDATE forwarding performance by allowing TCP 4068 connections to be shared. [RT #37039] 4069 40703938. [func] Added quotas to be used in recursive resolvers 4071 that are under high query load for names in zones 4072 whose authoritative servers are nonresponsive or 4073 are experiencing a denial of service attack. 4074 4075 - "fetches-per-server" limits the number of 4076 simultaneous queries that can be sent to any 4077 single authoritative server. The configured 4078 value is a starting point; it is automatically 4079 adjusted downward if the server is partially or 4080 completely non-responsive. The algorithm used to 4081 adjust the quota can be configured via the 4082 "fetch-quota-params" option. 4083 - "fetches-per-zone" limits the number of 4084 simultaneous queries that can be sent for names 4085 within a single domain. (Note: Unlike 4086 "fetches-per-server", this value is not 4087 self-tuning.) 4088 - New stats counters have been added to count 4089 queries spilled due to these quotas. 4090 4091 See the ARM for details of these options. [RT #37125] 4092 40933937. [func] Added some debug logging to better indicate the 4094 conditions causing SERVFAILs when resolving. 4095 [RT #35538] 4096 40973936. [func] Added authoritative support for the EDNS Client 4098 Subnet (ECS) option. 
4099 4100 ACLs can now include "ecs" elements which specify 4101 an address or network prefix; if an ECS option is 4102 included in a DNS query, then the address encoded 4103 in the option will be matched against "ecs" ACL 4104 elements. 4105 4106 Also, if an ECS address is included in a query, 4107 then it will be used instead of the client source 4108 address when matching "geoip" ACL elements. This 4109 behavior can be overridden with "geoip-use-ecs no;". 4110 (Note: to enable "geoip" ACLs, use "configure 4111 --with-geoip". This requires libGeoIP version 4112 1.5.0 or higher.) 4113 4114 When "ecs" or "geoip" ACL elements are used to 4115 select a view for a query, the response will include 4116 an ECS option to indicate which client network the 4117 answer is valid for. 4118 4119 (Thanks to Vincent Bernat.) [RT #36781] 4120 41213935. [bug] "geoip asnum" ACL elements would not match unless 4122 the full organization name was specified. They 4123 can now match against the AS number alone (e.g., 4124 AS1234). [RT #36945] 4125 41263934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve 4127 sit-secret documentation. [RT #36980] 4128 41293933. [bug] Corrected the implementation of dns_rdata_casecompare() 4130 for the HIP rdata type. [RT #36911] 4131 41323932. [test] Improved named-checkconf tests. [RT #36911] 4133 41343931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879] 4135 41363930. [bug] "rndc nta -r" could cause a server hang if the 4137 NTA was not found. [RT #36909] 4138 41393929. [bug] 'host -a' needed to clear idnoptions. [RT #36963] 4140 41413928. [test] Improve rndc system test. [RT #36898] 4142 41433927. [bug] dig: report PKCS#11 error codes correctly when 4144 compiled with --enable-native-pkcs11. [RT #36956] 4145 41463926. [doc] Added doc for geoip-directory. [RT #36877] 4147 41483925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917] 4149 41503924. [bug] Improve 'rndc addzone' error reporting. [RT #35187] 4151 41523923. 
[bug] Sanity check the xml2-config output. [RT #22246] 4153 41543922. [bug] When resigning, dnssec-signzone was removing 4155 all signatures from delegation nodes. It now 4156 retains DS and (if applicable) NSEC signatures. 4157 [RT #36946] 4158 41593921. [bug] AD was inappropriately set on RPZ responses. [RT #36833] 4160 41613920. [doc] Added doc for masterfile-style. [RT #36823] 4162 41633919. [bug] dig: continue to next line if a address lookup fails 4164 in batch mode. [RT #36755] 4165 41663918. [doc] Update check-spf documentation. [RT #36910] 4167 41683917. [bug] dig, nslookup and host now continue on names that are 4169 too long after applying a search list elements. 4170 [RT #36892] 4171 41723916. [contrib] zone2sqlite checked wrong result code. Address 4173 compiler warnings. [RT #36931] 4174 41753915. [bug] Address a assertion if a route event arrived while 4176 shutting down. [RT #36887] 4177 41783914. [bug] Allow the URI target and CAA value fields to 4179 be zero length. [RT #36737] 4180 41813913. [bug] Address race issue in dispatch. [RT #36731] 4182 41833912. [bug] Address some unrecoverable lookup failures. [RT #36330] 4184 41853911. [func] Implement EDNS EXPIRE option client side, allowing 4186 a slave server to set the expiration timer correctly 4187 when transferring zone data from another slave 4188 server. [RT #35925] 4189 41903910. [bug] Fix races to free event during shutdown. [RT #36720] 4191 41923909. [bug] When computing the number of elements required for a 4193 acl count_acl_elements could have a short count leading 4194 to a assertion failure. Also zero out new acl elements 4195 in dns_acl_merge. [RT #36675] 4196 41973908. [bug] rndc now differentiates between a zone in multiple 4198 views and a zone that doesn't exist at all. [RT #36691] 4199 42003907. [cleanup] Alphabetize rndc help. [RT #36683] 4201 42023906. [protocol] Update URI record format to comply with 4203 draft-faltstrom-uri-08. [RT #36642] 4204 42053905. 
[bug] Address deadlock between view.c and adb.c. [RT #36341] 4206 42073904. [func] Add the RPZ SOA to the additional section. [RT36507] 4208 42093903. [bug] Improve the accuracy of DiG's reported round trip 4210 time. [RT 36611] 4211 42123902. [bug] liblwres wasn't handling link-local addresses in 4213 nameserver clauses in resolv.conf. [RT #36039] 4214 42153901. [protocol] Added support for CAA record type (RFC 6844). 4216 [RT #36625] 4217 42183900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637] 4219 42203899. [bug] "request-ixfr" is only applicable to slave and redirect 4221 zones. [RT #36608] 4222 42233898. [bug] Too small a buffer in tohexstr() calls in test code. 4224 [RT #36598] 4225 42263897. [bug] RPZ summary information was not properly being updated 4227 after a AXFR resulting in changes sometimes being 4228 ignored. [RT #35885] 4229 42303896. [bug] Address performance issues with DSCP code on some 4231 platforms. [RT #36534] 4232 42333895. [func] Add the ability to set the DSCP code point to dig. 4234 [RT #36546] 4235 42363894. [bug] Buffers in isc_print_vsnprintf were not properly 4237 initialized leading to potential overflows when 4238 printing out quad values. [RT #36505] 4239 42403893. [bug] Peer DSCP values could be returned without being set. 4241 [RT #36538] 4242 42433892. [bug] Setting '-t aaaa' in .digrc had unintended side 4244 effects. [RT #36452] 4245 42463891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM} 4247 to install python programs. 4248 42493890. [bug] RRSIG sets that were not loaded in a single transaction 4250 at start up where not being correctly added to 4251 re-signing heaps. [RT #36302] 4252 42533889. [port] hurd: configure fixes as per: 4254 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540 4255 42563888. [func] 'rndc status' now reports the number of automatic 4257 zones. [RT #36015] 4258 42593887. 
[cleanup] Make all static symbols in rbtdb64 end in "64" so 4260 they are easier to use in a debugger. [RT #36373] 4261 42623886. [bug] rbtdb_write_header should use a once to initialize 4263 FILE_VERSION. [RT #36374] 4264 42653885. [port] Use 'open()' rather than 'file()' to open files in 4266 python. 4267 42683884. [protocol] Add CDS and CDNSKEY record types. [RT #36333] 4269 42703883. [placeholder] 4271 42723882. [func] By default, negative trust anchors will be tested 4273 periodically to see whether data below them can be 4274 validated, and if so, they will be allowed to 4275 expire early. The "rndc nta -force" option 4276 overrides this behavior. The default NTA lifetime 4277 and the recheck frequency can be configured by the 4278 "nta-lifetime" and "nta-recheck" options. [RT #36146] 4279 42803881. [bug] Address memory leak with UPDATE error handling. 4281 [RT #36303] 4282 42833880. [test] Update ans.pl to work with new TSIG support in 4284 Net::DNS; add additional Net::DNS version prerequisite 4285 checks. [RT #36327] 4286 42873879. [func] Add version printing option to various BIND utilities. 4288 [RT #10686] 4289 42903878. [bug] Using the incorrect filename for a DLZ module 4291 caused a segmentation fault on startup. [RT #36286] 4292 42933877. [bug] Inserting and deleting parent and child nodes 4294 in response policy zones could trigger an assertion 4295 failure. [RT #36272] 4296 42973876. [bug] Improve efficiency of DLZ redirect zones by 4298 suppressing unnecessary database lookups. [RT #35835] 4299 43003875. [cleanup] Clarify log message when unable to read private 4301 key files. [RT #24702] 4302 43033874. [test] Check that only "check-names master" is needed for 4304 updates to be accepted. 4305 43063873. [protocol] Only warn for SPF without TXT spf record. [RT #36210] 4307 43083872. [bug] Address issues found by static analysis. [RT #36209] 4309 43103871. [bug] Don't publish an activated key automatically before 4311 its publish time. 
[RT #35063] 4312 43133870. [func] Updated the random number generator used in 4314 the resolver to use the updated ChaCha based one 4315 (similar to OpenBSD's changes). Also moved the 4316 RNG to libisc and added unit tests for it. 4317 [RT #35942] 4318 43193869. [doc] Document that in-view zones cannot be used for 4320 response policy zones. [RT #35941] 4321 43223868. [bug] isc_mem_setwater incorrectly cleared hi_called 4323 potentially leaving over memory cleaner running. 4324 [RT #35270] 4325 43263867. [func] "rndc nta" can now be used to set a temporary 4327 negative trust anchor, which disables DNSSEC 4328 validation below a specified name for a specified 4329 period of time (not exceeding 24 hours). This 4330 can be used when validation for a domain is known 4331 to be failing due to a configuration error on 4332 the part of the domain owner rather than a 4333 spoofing attack. [RT #29358] 4334 43353866. [bug] Named could die on disk full in generate_session_key. 4336 [RT #36119] 4337 43383865. [test] Improved testability of the red-black tree 4339 implementation and added unit tests. [RT #35904] 4340 43413864. [bug] RPZ didn't work well when being used as forwarder. 4342 [RT #36060] 4343 43443863. [bug] The "E" flag was missing from the query log as a 4345 unintended side effect of code rearrangement to 4346 support EDNS EXPIRE. [RT #36117] 4347 43483862. [cleanup] Return immediately if we are not going to log the 4349 message in ns_client_dumpmessage. 4350 43513861. [security] Missing isc_buffer_availablelength check results 4352 in a REQUIRE assertion when printing out a packet 4353 (CVE-2014-3859). [RT #36078] 4354 43553860. [bug] ioctl(DP_POLL) array size needs to be determined 4356 at run time as it is limited to {OPEN_MAX}. 4357 [RT #35878] 4358 43593859. [placeholder] 4360 43613858. [bug] Disable GCC 4.9 "delete null pointer check". 4362 [RT #35968] 4363 43643857. [bug] Make it harder for a incorrect NOEDNS classification 4365 to be made. 
			[RT #36020]

3856.	[bug]		Configuring libjson without also configuring libxml
			resulted in a REQUIRE assertion when retrieving
			statistics using json. [RT #36009]

3855.	[bug]		Limit smoothed round trip time aging to no more than
			once a second. [RT #32909]

3854.	[cleanup]	Report unrecognized options, if any, in the final
			configure summary. [RT #36014]

3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
			the handling of a rdataset with no records. [RT #35968]

3852.	[func]		Increase the default number of clients available
			for servicing lightweight resolver queries, and
			make them configurable via the "lwres-tasks" and
			"lwres-clients" options. (Thanks to Tomas Hozza.)
			[RT #35857]

3851.	[func]		Allow libseccomp based system-call filtering
			on Linux; use "configure --enable-seccomp" to
			turn it on. Thanks to Loganaden Velvindron
			of AFRINIC for the contribution. [RT #35347]

3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
			[RT #35979]

3849.	[doc]		Alphabetized dig's +options. [RT #35992]

3848.	[bug]		Adjust 'statistics-channels specified but not effective'
			error message to account for JSON support. [RT #36008]

3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
			there is no support available.

3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
			ixfr query. [RT #35980]

3845.	[placeholder]

3844.	[bug]		Use the x64 version of the Microsoft Visual C++
			Redistributable when built for 64 bit Windows.
			[RT #35973]

3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
			[RT #35969]

3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]

3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
			[RT #35924]

3840.	[port]		Check for arc4random_addrandom() before using it;
			it's been removed from OpenBSD 5.5. [RT #35907]

3839.	[test]		Use only posix-compatible shell in system tests.
			[RT #35625]

3838.	[protocol]	EDNS EXPIRE has been assigned a code point of 9.

3837.	[security]	A NULL pointer is passed to query_prefetch resulting
			in a REQUIRE assertion failure when a fetch is actually
			initiated (CVE-2014-3214). [RT #35899]

3836.	[bug]		Address C++ keyword usage in header file.

3835.	[bug]		Geoip ACL elements didn't work correctly when
			referenced via named or nested ACLs. [RT #35879]

3834.	[bug]		The re-signing heaps were not being updated soon enough
			leading to multiple re-generations of the same RRSIG
			when a zone transfer was in progress. [RT #35273]

3833.	[bug]		Cross compiling was broken due to calling genrandom at
			build time. [RT #35869]

3832.	[func]		"named -L <filename>" causes named to send log
			messages to the specified file by default instead
			of to the system log. (Thanks to Tony Finch.)
			[RT #35845]

3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
			[RT #35843]

3830.	[func]		When query logging is enabled, log query errors at
			the same level ('info') as the queries themselves.
			[RT #35844]

3829.	[func]		"dig +ttlunits" causes dig to print TTL values
			with time-unit suffixes: w, d, h, m, s for
			weeks, days, hours, minutes, and seconds. (Thanks
			to Tony Finch.) [RT #35823]

3828.	[func]		"dnssec-signzone -N date" updates serial number
			to the current date in YYYYMMDDNN format.
			[RT #35800]

3827.	[placeholder]

3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
			[RT #35870]

3825.	[bug]		Address sign extension bug in isc_regex_validate.
			[RT #35758]

3824.	[bug]		A collision between two flag values could cause
			problems with cache cleaning when SIT was enabled.
			[RT #35858]

3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]

3822.	[bug]		Log the correct type of static-stub zones when
			removing them. [RT #35842]

3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
			update and transaction support. Thanks to Marty
			Lee for the contribution. [RT #35656]

3820.	[func]		The DLZ API doesn't pass the database version to
			the lookup() function; this can cause DLZ modules
			that allow dynamic updates to mishandle prerequisite
			checks. This has been corrected by adding a
			'dbversion' field to the dns_clientinfo_t
			structure. [RT #35656]

3819.	[bug]		NSEC3 hashes need to be able to be entered and
			displayed without padding. This is not an issue for
			currently defined algorithms but may be for future
			hash algorithms. [RT #27925]

3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
			constant in isc_event_allocate.

3817.	[func]		The "delve" command is now spelled "delv" to avoid
			a namespace collision with the Xapian project.
			[RT #35801]

3816.	[func]		"dig +qr" now reports query size. (Thanks to
			Tony Finch.) [RT #35822]

3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]

3814.	[func]		The "masterfile-style" zone option controls the
			formatting of dumped zone files. Options are
			"relative" (multiline format) and "full" (one
			record per line). The default is "relative".
			[RT #20798]

3813.	[func]		"host" now recognizes the "timeout", "attempts" and
			"debug" options when set in /etc/resolv.conf.
			(Thanks to Adam Tkac at RedHat.) [RT #21885]

3812.	[func]		Dig now supports sending arbitrary EDNS options from
			the command line (+ednsopt=code[:value]). [RT #35584]

3811.	[func]		"serial-update-method date;" sets serial number
			on dynamic update to today's date in YYYYMMDDNN
			format. (Thanks to Bradley Forschinger.) [RT #24903]

3810.	[bug]		Work around broken nameservers that fail to ignore
			unknown EDNS options. [RT #35766]

3809.	[doc]		Fix SIT and NSID documentation.

3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]

3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
			lowercase is set. [RT #35743]

3806.	[test]		Improved system test portability. [RT #35625]

3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
			for DNS over TCP. [RT #35710]

	--- 9.10.0rc1 released ---

3804.	[bug]		Corrected a race condition in dispatch.c in which
			portentry could be reset leading to an assertion
			failure in socket_search(). (Change #3708
			addressed the same issue but was incomplete.)
			[RT #35128]

3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
			using alternate data sources for not having a "file"
			option. [RT #35685]

3802.	[bug]		Various header files were not being installed.

3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]

3800.	[bug]		A pending event on the route socket could cause an
			assertion failure when shutting down named. [RT #35674]

3799.	[bug]		Improve named's command line error reporting.
			[RT #35603]

3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
			time. [RT #35659]

3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]

3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]

3795.	[bug]		Make named-checkconf detect raw masterfiles for
			hint zones and reject them. [RT #35268]

3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.

3793.	[bug]		zone.c:save_nsec3param() could assert when out of
			memory. [RT #35621]

3792.	[func]		Provide links to the alternate statistics views when
			displaying in a browser. [RT #35605]

3791.	[placeholder]

3790.	[bug]		Handle broken nameservers that send BADVERS in
			response to unknown EDNS options. Maintain
			statistics on BADVERS responses.

3789.	[bug]		Null pointer dereference on rbt creation failure.

3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
			mistake.

	--- 9.10.0b2 released ---

3787.	[bug]		The code that checks whether "auto-dnssec" is
			allowed was ignoring "allow-update" ACLs set at
			the options or view level. [RT #29536]

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PKCS#11 API implementation. [RT #35479]

3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
			input (only compiled with -DDEBUG). [RT #35544]

3784.	[bug]		Using "rrset-order fixed" when it had not been
			enabled at compile time caused inconsistent
			results. It now works as documented, defaulting
			to cyclic mode. [RT #28104]

3783.	[func]		"tsig-keygen" is now available as an alternate
			command name for "ddns-confgen". It generates
			a TSIG key in named.conf format without comments.
			[RT #35503]

3782.	[func]		Specifying "auto" as the salt when using
			"rndc signing -nsec3param" causes named to
			generate a 64-bit salt at random. [RT #35322]

3781.	[tuning]	Use adaptive mutex locks when available; this
			has been found to improve performance under load
			on many systems. "configure --with-locktype=standard"
			restores conventional mutex locks. [RT #32576]

3780.	[bug]		$GENERATE handled negative numbers incorrectly.
			[RT #25528]

3779.	[cleanup]	Clarify the error message when using an option
			that was not enabled at compile time. [RT #35504]

3778.	[bug]		Log a warning when the wrong address family is
			used in "listen-on" or "listen-on-v6". [RT #17848]

3777.	[bug]		EDNS EXPIRE code could dump core when processing
			DLZ queries. [RT #35493]

3776.	[func]		"rndc -q" suppresses output from successful
			rndc commands. Errors are printed on stderr.
			[RT #21393]

3775.	[bug]		dlz_dlopen driver could return the wrong error
			code on API version mismatch, leading to a segfault.
			[RT #35495]

3774.	[func]		When using "request-nsid", log the NSID value in
			printable form as well as hex. [RT #20864]

3773.	[func]		"host", "nslookup" and "nsupdate" now have
			options to print the version number and exit.
			[RT #26057]

3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
			(Based in part on a contribution from Tim Tessier.)
			[RT #20822]

3771.	[cleanup]	Adjusted log level for "using built-in key"
			messages. [RT #24383]

3770.	[bug]		"dig +trace" could fail with an assertion when it
			needed to fall back to TCP due to a truncated
			response. [RT #24660]

3769.	[doc]		Improved documentation of "rndc signing -list".
			[RT #30652]

3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
			algorithm. [RT #34000]

3767.	[func]		Log explicitly when using rndc.key to configure
			command channel. [RT #35316]

3766.	[cleanup]	Fixed problems with building outside the source
			tree when using native PKCS#11. [RT #35459]

3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
			named when dumping an empty keynode. [RT #35469]

3764.	[bug]		The dnssec-keygen/settime -S and -i options
			(to set up a successor key and set the prepublication
			interval) were missing from dnssec-keyfromlabel.
			[RT #35394]

3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
			re-fetch them when restarting validation. [RT #35476]

3762.	[bug]		Address build problems with --pkcs11-native +
			--with-openssl with ECDSA support. [RT #35467]

3761.	[bug]		Address dangling reference bug in dns_keytable_add.
			[RT #35471]

3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
			[RT #35433]

3759.	[port]		Enable delve on Windows. [RT #35441]

3758.	[port]		Enable export library APIs on Windows. [RT #35382]

3757.	[port]		Enable Python tools (dnssec-coverage,
			dnssec-checkds) to run on Windows. [RT #34355]

3756.	[bug]		GSSAPI Kerberos realm checking was broken in
			check_config leading to spurious messages being
			logged. [RT #35443]

	--- 9.10.0b1 released ---

3755.	[func]		Add stats counters for known EDNS options + others.
			[RT #35447]

3754.	[cleanup]	win32: Installer now places files in the
			Program Files area rather than system services.
			[RT #35361]

3753.	[bug]		allow-notify was ignoring keys. [RT #35425]

3752.	[bug]		Address potential REQUIRE failure if
			DNS_STYLEFLAG_COMMENTDATA is set when printing out
			a rdataset.

3751.	[tuning]	The default setting for the -U option (setting
			the number of UDP listeners per interface) has
			been adjusted to improve performance. [RT #35417]

3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00. Retrieval of
			the remaining time until expiry for slave zones
			is supported.

			EXPIRE uses an experimental option code (65002),
			which is subject to change. [RT #35416]

3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]

3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]

3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001),
			which will be changed to an IANA-assigned value
			if the experiment is deemed a success.

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT. RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented. This is
			needed to support turning off forwarding and turning
			on delegation only at the same name. [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support. Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested. [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored. 'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events. (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status. [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms. This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds. This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times. [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen). [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records. This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer. [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework. A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching. Only
			continue searching on NXDOMAIN responses. Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]

3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

3632.	[bug]		Signatures from newly inactive keys were not being
			removed. [RT #32178]

3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

3626.	[func]		dig: NSID output now easier to read. [RT #21160]

3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

3624.	[bug]		Look for 'json_object_new_int64' when looking for
			the json library. [RT #34449]

3623.	[placeholder]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

3616.	[bug]		Change #3613 was incomplete. [RT #34177]

3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

3614.	[port]		Check for <linux/types.h>. [RT #34162]

3613.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]

3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]

3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing. [RT #33939]

3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]

3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses. [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash. [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones. [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP. Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized. [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.
Most configuration 5470 options which take a "port" option (e.g., 5471 listen-on, forwarders, also-notify, masters, 5472 notify-source, etc) can now also take a "dscp" 5473 option specifying a code point for use with 5474 outgoing traffic, if supported by the underlying 5475 OS. [RT #27596] 5476 54773535. [bug] Minor win32 cleanups. [RT #32962] 5478 54793534. [bug] Extra text after an embedded NULL was ignored when 5480 parsing zone files. [RT #32699] 5481 54823533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960] 5483 54843532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960] 5485 54863531. [bug] win32: A uninitialized value could be returned on out 5487 of memory. [RT #32960] 5488 54893530. [contrib] Better RTT tracking in queryperf. [RT #30128] 5490 54913529. [func] Named now listens on both IPv4 and IPv6 interfaces 5492 by default. Named previously only listened on IPv4 5493 interfaces by default unless named was running in 5494 IPv6 only mode. [RT #32945] 5495 54963528. [func] New "dnssec-coverage" command scans the timing 5497 metadata for a set of DNSSEC keys and reports if a 5498 lapse in signing coverage has been scheduled 5499 inadvertently. (Note: This tool depends on python; 5500 it will not be built or installed on systems that 5501 do not have a python interpreter.) [RT #28098] 5502 55033527. [compat] Add a URI to allow applications to explicitly 5504 request a particular XML schema from the statistics 5505 channel, returning 404 if not supported. [RT #32481] 5506 55073526. [cleanup] Set up dependencies for unit tests correctly during 5508 build. [RT #32803] 5509 55103525. [func] Support for additional signing algorithms in rndc: 5511 hmac-sha1, -sha224, -sha256, -sha384, and -sha512. 5512 The -A option to rndc-confgen can be used to 5513 select the algorithm for the generated key. 5514 (The default is still hmac-md5; this may 5515 change in a future release.) [RT #20363] 5516 55173524. 
[func] Added an alternate statistics channel in JSON format, 5518 when the server is built with the json-c library: 5519 http://[address]:[port]/json. [RT #32630] 5520 55213523. [contrib] Ported filesystem and ldap DLZ drivers to 5522 dynamically-loadable modules, and added the 5523 "wildcard" module based on a contribution from 5524 Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569] 5525 55263522. [bug] DLZ lookups could fail to return SERVFAIL when 5527 they ought to. [RT #32685] 5528 55293521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249] 5530 55313520. [bug] 'mctx' was not being referenced counted in some places 5532 where it should have been. [RT #32794] 5533 55343519. [func] Full replay protection via four-way handshake is 5535 now mandatory for rndc clients. Very old versions 5536 of rndc will no longer work. [RT #32798] 5537 55383518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit 5539 so that all dns_rrl_rtype_t enum values fit regardless 5540 of whether it is treated as signed or unsigned by 5541 the compiler. [RT #32792] 5542 55433517. [bug] Reorder destruction to avoid shutdown race. [RT #32777] 5544 55453516. [placeholder] 5546 55473515. [port] '%T' is not portable in strftime(). [RT #32763] 5548 55493514. [bug] The ranges for valid key sizes in ddns-confgen and 5550 rndc-confgen were too constrained. Keys up to 512 5551 bits are now allowed for most algorithms, and up 5552 to 1024 bits for hmac-sha384 and hmac-sha512. 5553 [RT #32753] 5554 55553513. [func] "dig -u" prints times in microseconds rather than 5556 milliseconds. [RT #32704] 5557 55583512. [func] "rndc validation check" reports the current status 5559 of DNSSEC validation. [RT #21397] 5560 55613511. [doc] Improve documentation of redirect zones. [RT #32756] 5562 55633510. [func] "rndc status" and XML statistics channel now report 5564 server start and reconfiguration times. [RT #21048] 5565 55663509. 
[cleanup] Added a product line to version file to allow for 5567 easy naming of different products (BIND 5568 vs BIND ESV, for example). [RT #32755] 5569 55703508. [contrib] queryperf was incorrectly rejecting the -T option. 5571 [RT #32338] 5572 55733507. [bug] Statistics channel XSL had a glitch when attempting 5574 to chart query data before any queries had been 5575 received. [RT #32620] 5576 55773506. [func] When setting "max-cache-size" and "max-acache-size", 5578 the keyword "unlimited" is no longer defined as equal 5579 to 4 gigabytes (except on 32-bit platforms); it 5580 means literally unlimited. [RT #32358] 5581 55823505. [bug] When setting "max-cache-size" and "max-acache-size", 5583 larger values than 4 gigabytes could not be set 5584 explicitly, though larger sizes were available 5585 when setting cache size to 0. This has been 5586 corrected; the full range is now available. 5587 [RT #32358] 5588 55893504. [func] Add support for ACLs based on geographic location, 5590 using MaxMind GeoIP databases. Based on code 5591 contributed by Ken Brownfield <kb@slide.com>. 5592 [RT #30681] 5593 55943503. [doc] Clarify size_spec syntax. [RT #32449] 5595 55963502. [func] zone-statistics: "no" is now a synonym for "none", 5597 instead of "terse". [RT #29165] 5598 55993501. [func] zone-statistics now takes three options: full, 5600 terse, and none. "yes" and "no" are retained as 5601 synonyms for full and terse, respectively. [RT #29165] 5602 56033500. [security] Support NAPTR regular expression validation on 5604 all platforms without using libregex, which 5605 can be vulnerable to memory exhaustion attack 5606 (CVE-2013-2266). [RT #32688] 5607 56083499. [doc] Corrected ARM documentation of built-in zones. 5609 [RT #32694] 5610 56113498. [bug] zone statistics for zones which matched a potential 5612 empty zone could have their zone-statistics setting 5613 overridden. 5614 56153497. 
[func] When deleting a slave/stub zone using 'rndc delzone' 5616 report the files that were being used so they can 5617 be cleaned up if desired. [RT #27899] 5618 56193496. [placeholder] 5620 56213495. [func] Support multiple response-policy zones (up to 32), 5622 while improving RPZ performance. "response-policy" 5623 syntax now includes a "min-ns-dots" clause, with 5624 default 1, to exclude top-level domains from 5625 NSIP and NSDNAME checking. --enable-rpz-nsip and 5626 --enable-rpz-nsdname are now the default. [RT #32251] 5627 56283494. [func] DNS RRL: Blunt the impact of DNS reflection and 5629 amplification attacks by rate-limiting substantially- 5630 identical responses. [RT #28130] 5631 56323493. [contrib] Added BDBHPT dynamically-loadable DLZ module, 5633 contributed by Mark Goldfinch. [RT #32549] 5634 56353492. [bug] Fixed a regression in zone loading performance 5636 due to lock contention. [RT #30399] 5637 56383491. [bug] Slave zones using inline-signing must specify a 5639 file name. [RT #31946] 5640 56413490. [bug] When logging RDATA during update, truncate if it's 5642 too long. [RT #32365] 5643 56443489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT. 5645 dns_dlzcreate() failed to properly initialize 5646 dlzdb.link. When cloning a rdataset do not copy 5647 the link contents. [RT #32651] 5648 56493488. [bug] Use after free error with DH generated keys. [RT #32649] 5650 56513487. [bug] Change 3444 was not complete. There was a additional 5652 place where the NOQNAME proof needed to be saved. 5653 [RT #32629] 5654 56553486. [bug] named could crash when using TKEY-negotiated keys 5656 that had been deleted and then recreated. [RT #32506] 5657 56583485. [cleanup] Only compile openssl_gostlink.c if we support GOST. 5659 56603484. [bug] Some statistics were incorrectly rendered in XML. 5661 [RT #32587] 5662 56633483. [placeholder] 5664 56653482. 
[func] dig +nssearch now prints name servers that don't 5666 have address records (missing AAAA or A, or the name 5667 doesn't exist). [RT #29348] 5668 56693481. [cleanup] Removed use of const const in atf. 5670 56713480. [bug] Silence logging noise when setting up zone 5672 statistics. [RT #32525] 5673 56743479. [bug] Address potential memory leaks in gssapi support 5675 code. [RT #32405] 5676 56773478. [port] Fix a build failure in strict C99 environments 5678 [RT #32475] 5679 56803477. [func] Expand logging when adding records via DDNS update 5681 [RT #32365] 5682 56833476. [bug] "rndc zonestatus" could report a spurious "not 5684 found" error on inline-signing zones. [RT #29226] 5685 56863475. [cleanup] Changed name of 'map' zone file format (previously 5687 'fast'). [RT #32458] 5688 56893474. [bug] nsupdate could assert when the local and remote 5690 address families didn't match. [RT #22897] 5691 56923473. [bug] dnssec-signzone/verify could incorrectly report 5693 an error condition due to an empty node above an 5694 opt-out delegation lacking an NSEC3. [RT #32072] 5695 56963472. [bug] The active-connections counter in the socket 5697 statistics could underflow. [RT #31747] 5698 56993471. [bug] The number of UDP dispatches now defaults to 5700 the number of CPUs even if -n has been set to 5701 a higher value. [RT #30964] 5702 57033470. [bug] Slave zones could fail to dump when successfully 5704 refreshing after an initial failure. [RT #31276] 5705 57063469. [bug] Handle DLZ lookup failures more gracefully. Improve 5707 backward compatibility between versions of DLZ dlopen 5708 API. [RT #32275] 5709 57103468. [security] RPZ rules to generate A records (but not AAAA records) 5711 could trigger an assertion failure when used in 5712 conjunction with DNS64 (CVE-2012-5689). [RT #32141] 5713 57143467. [bug] Added checks in dnssec-keygen and dnssec-settime 5715 to check for delete date < inactive date. [RT #31719] 5716 57173466. 
[contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check 5718 in DLZ example driver. [RT #32275] 5719 57203465. [bug] Handle isolated reserved ports. [RT #31778] 5721 57223464. [maint] Updates to PKCS#11 openssl patches, supporting 5723 versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749] 5724 57253463. [doc] Clarify managed-keys syntax in ARM. [RT #32232] 5726 57273462. [doc] Clarify server selection behavior of dig when using 5728 -4 or -6 options. [RT #32181] 5729 57303461. [bug] Negative responses could incorrectly have AD=1 5731 set. [RT #32237] 5732 57333460. [bug] Only link against readline where needed. [RT #29810] 5734 57353459. [func] Added -J option to named-checkzone/named-compilezone 5736 to specify the path to the journal file. [RT #30958] 5737 57383458. [bug] Return FORMERR when presented with a overly long 5739 domain named in a request. [RT #29682] 5740 57413457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836] 5742 57433456. [port] g++47: ATF failed to compile. [RT #32012] 5744 57453455. [contrib] queryperf: fix getopt option list. [RT #32338] 5746 57473454. [port] sparc64: improve atomic support. [RT #25182] 5748 57493453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;' 5750 failed. [RT #31960] 5751 57523452. [bug] Accept duplicate singleton records. [RT #32329] 5753 57543451. [port] Increase per thread stack size from 64K to 1M. 5755 [RT #32230] 5756 57573450. [bug] Stop logfileconfig system test spam system logs. 5758 [RT #32315] 5759 57603449. [bug] gen.c: use the pre-processor to construct format 5761 strings so that compiler can perform sanity checks; 5762 check the snprintf results. [RT #17576] 5763 57643448. [bug] The allow-query-on ACL was not processed correctly. 5765 [RT #29486] 5766 57673447. [port] Add support for libxml2-2.9.x [RT #32231] 5768 57693446. [port] win32: Add source ID (see change #3400) to build. 5770 [RT #31683] 5771 57723445. 
[bug] Warn about zone files with blank owner names 5773 immediately after $ORIGIN directives. [RT #31848] 5774 57753444. [bug] The NOQNAME proof was not being returned from cached 5776 insecure responses. [RT #21409] 5777 57783443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly 5779 rejected when generating keys. [RT #31927] 5780 57813442. [port] Net::DNS 0.69 introduced a non backwards compatible 5782 change. [RT #32216] 5783 57843441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13. 5785 57863440. [bug] Reorder get_key_struct to not trigger a assertion when 5787 cleaning up due to out of memory error. [RT #32131] 5788 57893439. [placeholder] 5790 57913438. [bug] Don't accept unknown data escape in quotes. [RT #32031] 5792 57933437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize 5794 buffers with constant data. [RT #32064] 5795 57963436. [bug] Check malloc/calloc return values. [RT #32088] 5797 57983435. [bug] Cross compilation support in configure was broken. 5799 [RT #32078] 5800 58013434. [bug] Pass client info to the DLZ findzone() entry 5802 point in addition to lookup(). This makes it 5803 possible for a database to answer differently 5804 whether it's authoritative for a name depending 5805 on the address of the client. [RT #31775] 5806 58073433. [bug] dlz_findzone() did not correctly handle 5808 ISC_R_NOMORE. [RT #31172] 5809 58103432. [func] Multiple DLZ databases can now be configured. 5811 DLZ databases are searched in the order configured, 5812 unless set to "search no", in which case a 5813 zone can be configured to be retrieved from a 5814 particular DLZ database by using a "dlz <name>" 5815 option in the zone statement. DLZ databases can 5816 support type "master" and "redirect" zones. 5817 [RT #27597] 5818 58193431. [bug] ddns-confgen: Some valid key algorithms were 5820 not accepted. [RT #31927] 5821 58223430. [bug] win32: isc_time_formatISO8601 was missing the 5823 'T' between the date and time. [RT #32044] 5824 58253429. 
[bug] dns_zone_getserial2 could a return success without 5826 returning a valid serial. [RT #32007] 5827 58283428. [cleanup] dig: Add timezone to date output. [RT #2269] 5829 58303427. [bug] dig +trace incorrectly displayed name server 5831 addresses instead of names. [RT #31641] 5832 58333426. [bug] dnssec-checkds: Clearer output when records are not 5834 found. [RT #31968] 5835 58363425. [bug] "acacheentry" reference counting was broken resulting 5837 in use after free. [RT #31908] 5838 58393424. [func] dnssec-dsfromkey now emits the hash without spaces. 5840 [RT #31951] 5841 58423423. [bug] "rndc signing -nsec3param" didn't accept the full 5843 range of possible values. Address portability issues. 5844 [RT #31938] 5845 58463422. [bug] Added a clear error message for when the SOA does not 5847 match the referral. [RT #31281] 5848 58493421. [bug] Named loops when re-signing if all keys are offline. 5850 [RT #31916] 5851 58523420. [bug] Address VPATH compilation issues. [RT #31879] 5853 58543419. [bug] Memory leak on validation cancel. [RT #31869] 5855 58563418. [func] New XML schema (version 3.0) for the statistics channel 5857 adds query type statistics at the zone level, and 5858 flattens the XML tree and uses compressed format to 5859 optimize parsing. Includes new XSL that permits 5860 charting via the Google Charts API on browsers that 5861 support javascript in XSL. The old XML schema has been 5862 deprecated. [RT #30023] 5863 58643417. [placeholder] 5865 58663416. [bug] Named could die on shutdown if running with 128 UDP 5867 dispatches per interface. [RT #31743] 5868 58693415. [bug] named could die with a REQUIRE failure if a validation 5870 was canceled. [RT #31804] 5871 58723414. [bug] Address locking issues found by Coverity. [RT #31626] 5873 58743413. [func] Record the number of DNS64 AAAA RRsets that have been 5875 synthesized. [RT #27636] 5876 58773412. [bug] Copy timeval structure from control message data. 5878 [RT #31548] 5879 58803411. 
[tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition 5881 to UDP. [RT #31690] 5882 58833410. [bug] Addressed Coverity warnings. [RT #31626] 5884 58853409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's 5886 from X.509 certificates, for use with DANE 5887 (DNS-based Authentication of Named Entities). 5888 [RT #30513] 5889 58903408. [bug] Some DNSSEC-related options (update-check-ksk, 5891 dnssec-loadkeys-interval, dnssec-dnskey-kskonly) 5892 are now legal in slave zones as long as 5893 inline-signing is in use. [RT #31078] 5894 58953407. [placeholder] 5896 58973406. [bug] mem.c: Fix compilation errors when building with 5898 ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled. 5899 Also, ISC_MEM_DEBUG is no longer optional. [RT #31559] 5900 59013405. [bug] Handle time going backwards in acache. [RT #31253] 5902 59033404. [bug] dnssec-signzone: When re-signing a zone, remove 5904 RRSIG and NSEC records from nodes that used to be 5905 in-zone but are now below a zone cut. [RT #31556] 5906 59073403. [bug] Silence noisy OpenSSL logging. [RT #31497] 5908 59093402. [test] The IPv6 interface numbers used for system 5910 tests were incorrect on some platforms. [RT #25085] 5911 59123401. [bug] Addressed Coverity warnings. [RT #31484] 5913 59143400. [cleanup] "named -V" can now report a source ID string, defined 5915 in the "srcid" file in the build tree and normally set 5916 to the most recent git hash. [RT #31494] 5917 59183399. [port] netbsd: rename 'bool' parameter to avoid namespace 5919 clash. [RT #31515] 5920 59213398. [bug] SOA parameters were not being updated with inline 5922 signed zones if the zone was modified while the 5923 server was offline. [RT #29272] 5924 59253397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298] 5926 59273396. [bug] OPT records were incorrectly removed from signed, 5928 truncated responses. [RT #31439] 5929 59303395. 
[protocol] Add RFC 6598 reverse zones to built in empty zones 5931 list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. 5932 [RT #31336] 5933 59343394. [bug] Adjust 'successfully validated after lower casing 5935 signer' log level and category. [RT #31414] 5936 59373393. [bug] 'host -C' could core dump if REFUSED was received. 5938 [RT #31381] 5939 59403392. [func] Keep statistics on REFUSED responses. [RT #31412] 5941 59423391. [bug] A DNSKEY lookup that encountered a CNAME failed. 5943 [RT #31262] 5944 59453390. [bug] Silence clang compiler warnings. [RT #30417] 5946 59473389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275] 5948 59493388. [bug] Fixed several Coverity warnings. 5950 Note: This change includes a fix for a bug that 5951 was subsequently determined to be an exploitable 5952 security vulnerability, CVE-2012-5688: named could 5953 die on specific queries with dns64 enabled. 5954 [RT #30996] 5955 59563387. [func] DS digest can be disabled at runtime with 5957 disable-ds-digests. [RT #21581] 5958 59593386. [bug] Address locking violation when generating new NSEC / 5960 NSEC3 chains. [RT #31224] 5961 59623385. [bug] named-checkconf didn't detect missing master lists 5963 in also-notify clauses. [RT #30810] 5964 59653384. [bug] Improved logging of crypto errors. [RT #30963] 5966 59673383. [security] A certain combination of records in the RBT could 5968 cause named to hang while populating the additional 5969 section of a response. [RT #31090] 5970 59713382. [bug] SOA query from slave used use-v6-udp-ports range, 5972 if set, regardless of the address family in use. 5973 [RT #24173] 5974 59753381. [contrib] Update queryperf to support more RR types. 5976 [RT #30762] 5977 59783380. [bug] named could die if a nonexistent master list was 5979 referenced in a also-notify. [RT #31004] 5980 59813379. [bug] isc_interval_zero and isc_time_epoch should be 5982 "const (type)* const". [RT #31069] 5983 59843378. 
[bug] Handle missing 'managed-keys-directory' better. 5985 [RT #30625] 5986 59873377. [bug] Removed spurious newline from NSEC3 multiline 5988 output. [RT #31044] 5989 59903376. [bug] Lack of EDNS support was being recorded without a 5991 successful response. [RT #30811] 5992 59933375. [bug] 'rndc dumpdb' failed on empty caches. [RT #30808] 5994 59953374. [bug] isc_parse_uint32 failed to return a range error on 5996 systems with 64 bit longs. [RT #30232] 5997 59983373. [bug] win32: open raw files in binary mode. [RT #30944] 5999 60003372. [bug] Silence spurious "deleted from unreachable cache" 6001 messages. [RT #30501] 6002 60033371. [bug] AD=1 should behave like DO=1 when deciding whether to 6004 add NS RRsets to the additional section or not. 6005 [RT #30479] 6006 60073370. [bug] Address use after free while shutting down. [RT #30241] 6008 60093369. [bug] nsupdate terminated unexpectedly in interactive mode 6010 if built with readline support. [RT #29550] 6011 60123368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h> 6013 were not C++ safe. 6014 60153367. [bug] dns_dnsseckey_create() result was not being checked. 6016 [RT #30685] 6017 60183366. [bug] Fixed Read-After-Write dependency violation for IA64 6019 atomic operations. [RT #25181] 6020 60213365. [bug] Removed spurious newlines from log messages in 6022 zone.c [RT #30675] 6023 60243364. [security] Named could die on specially crafted record. 6025 [RT #30416] 6026 60273363. [bug] Need to allow "forward" and "fowarders" options 6028 in static-stub zones; this had been overlooked. 6029 [RT #30482] 6030 60313362. [bug] Setting some option values to 0 in named.conf 6032 could trigger an assertion failure on startup. 6033 [RT #27730] 6034 60353361. [bug] "rndc signing -nsec3param" didn't work correctly 6036 when salt was set to '-' (no salt). [RT #30099] 6037 60383360. [bug] 'host -w' could die. [RT #18723] 6039 60403359. [bug] An improperly-formed TSIG secret could cause a 6041 memory leak. 
[RT #30607] 6042 60433358. [placeholder] 6044 60453357. [port] Add support for libxml2-2.8.x [RT #30440] 6046 60473356. [bug] Cap the TTL of signed RRsets when RRSIGs are 6048 approaching their expiry, so they don't remain 6049 in caches after expiry. [RT #26429] 6050 60513355. [port] Use more portable awk in verify system test. 6052 60533354. [func] Improve OpenSSL error logging. [RT #29932] 6054 60553353. [bug] Use a single task for task exclusive operations. 6056 [RT #29872] 6057 60583352. [bug] Ensure that learned server attributes timeout of the 6059 adb cache. [RT #29856] 6060 60613351. [bug] isc_mem_put and isc_mem_putanddetach didn't report 6062 caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX 6063 memory debugging flags are set. [RT #30243] 6064 60653350. [bug] Memory read overrun in isc___mem_reallocate if 6066 ISC_MEM_DEBUGCTX memory debugging flag is set. 6067 [RT #30240] 6068 60693349. [bug] Change #3345 was incomplete. [RT #30233] 6070 60713348. [bug] Prevent RRSIG data from being cached if a negative 6072 record matching the covering type exists at a higher 6073 trust level. Such data already can't be retrieved from 6074 the cache since change 3218 -- this prevents it 6075 being inserted into the cache as well. [RT #26809] 6076 60773347. [bug] dnssec-settime: Issue a warning when writing a new 6078 private key file would cause a change in the 6079 permissions of the existing file. [RT #27724] 6080 60813346. [security] Bad-cache data could be used before it was 6082 initialized, causing an assert. [RT #30025] 6083 60843345. [bug] Addressed race condition when removing the last item 6085 or inserting the first item in an ISC_QUEUE. 6086 [RT #29539] 6087 60883344. [func] New "dnssec-checkds" command checks a zone to 6089 determine which DS records should be published 6090 in the parent zone, or which DLV records should be 6091 published in a DLV zone, and queries the DNS to 6092 ensure that it exists. 
(Note: This tool depends 6093 on python; it will not be built or installed on 6094 systems that do not have a python interpreter.) 6095 [RT #28099] 6096 60973343. [placeholder] 6098 60993342. [bug] Change #3314 broke saving of stub zones to disk 6100 resulting in excessive cpu usage in some cases. 6101 [RT #29952] 6102 61033341. [func] New "dnssec-verify" command checks a signed zone 6104 to ensure correctness of signatures and of NSEC/NSEC3 6105 chains. [RT #23673] 6106 61073340. [func] Added new 'map' zone file format, which is an image 6108 of a zone database that can be loaded directly into 6109 memory via mmap(), allowing much faster zone loading. 6110 (Note: Because of pointer sizes and other 6111 considerations, this file format is platform-dependent; 6112 'map' zone files cannot always be transferred from one 6113 server to another.) [RT #25419] 6114 61153339. [func] Allow the maximum supported rsa exponent size to be 6116 specified: "max-rsa-exponent-size <value>;" [RT #29228] 6117 61183338. [bug] Address race condition in units tests: asyncload_zone 6119 and asyncload_zt. [RT #26100] 6120 61213337. [bug] Change #3294 broke support for the multiple keys 6122 in controls. [RT #29694] 6123 61243336. [func] Maintain statistics for RRsets tagged as "stale". 6125 [RT #29514] 6126 61273335. [func] nslookup: return a nonzero exit code when unable 6128 to get an answer. [RT #29492] 6129 61303334. [bug] Hold a zone table reference while performing a 6131 asynchronous load of a zone. [RT #28326] 6132 61333333. [bug] Setting resolver-query-timeout too low can cause 6134 named to not recover if it loses connectivity. 6135 [RT #29623] 6136 61373332. [bug] Re-use cached DS rrsets if possible. [RT #29446] 6138 61393331. [security] dns_rdataslab_fromrdataset could produce bad 6140 rdataslabs. [RT #29644] 6141 61423330. [func] Fix missing signatures on NOERROR results despite 6143 RPZ rewriting. 
      Also
      - add optional "recursive-only yes|no" to the
        response-policy statement
      - add optional "max-policy-ttl" to the response-policy
        statement to limit the false data that
        "recursive-only no" can introduce into
        resolvers' caches
      - add an RPZ performance test to bin/tests/system/rpz
        when queryperf is available.
      - the encoding of PASSTHRU action to "rpz-passthru".
        (The old encoding is still accepted.)
      [RT #26172]

3329. [bug] Handle RRSIG signer-name case consistently: We
      generate RRSIG records with the signer-name in
      lower case. We accept them with any case, but if
      they fail to validate, we try again in lower case.
      [RT #27451]

3328. [bug] Fixed inconsistent data checking in dst_parse.c.
      [RT #29401]

3327. [func] Added 'filter-aaaa-on-v6' option; this is similar
      to 'filter-aaaa-on-v4' but applies to IPv6
      connections. (Use "configure --enable-filter-aaaa"
      to enable this option.) [RT #27308]

3326. [func] Added task list statistics: task model, worker
      threads, quantum, tasks running, tasks ready.
      [RT #27678]

3325. [func] Report cache statistics: memory use, number of
      nodes, number of hash buckets, hit and miss counts.
      [RT #27056]

3324. [test] Add better tests for ADB stats [RT #27057]

3323. [func] Report the number of buckets the resolver is using.
      [RT #27020]

3322. [func] Monitor the number of active TCP and UDP dispatches.
      [RT #27055]

3321. [func] Monitor the number of recursive fetches and the
      number of open sockets, and report these values in
      the statistics channel. [RT #27054]

3320. [func] Added support for monitoring of recursing client
      count. [RT #27009]

3319. [func] Added support for monitoring of ADB entry count and
      hash size. [RT #27057]

3318. [tuning] Reduce the amount of work performed while holding a
      bucket lock when finished with a fetch context.
      [RT #29239]

3317. [func] Add ECDSA support (RFC 6605). [RT #21918]

3316. [tuning] Improved locking performance when recursing.
      [RT #28836]

3315. [tuning] Use multiple dispatch objects for sending upstream
      queries; this can improve performance on busy
      multiprocessor systems by reducing lock contention.
      [RT #28605]

3314. [bug] The masters list could be updated while stub_callback
      or refresh_callback were using it. [RT #26732]

3313. [protocol] Add TLSA record type. [RT #28989]

3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
      [RT #27631]

3311. [bug] Abort the zone dump if zone->db is NULL in
      zone.c:zone_gotwritehandle. [RT #29028]

3310. [test] Increase table size for mutex profiling. [RT #28809]

3309. [bug] resolver.c:fctx_finddone() was not thread safe.
      [RT #27995]

3308. [placeholder]

3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
      [RT #28956]

3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]

3305. [func] Add wire format lookup method to sdb. [RT #28563]

3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
      [RT #28571]

3303. [bug] named could die when reloading. [RT #28606]

3302. [bug] dns_dnssec_findmatchingkeys could fail to find
      keys if the zone name contained characters that
      required special mappings. [RT #28600]

3301. [contrib] Update queryperf to build on darwin. Add -R flag
      for non-recursive queries. [RT #28565]

3300. [bug] Named could die if gssapi was enabled in named.conf
      but was not compiled in. [RT #28338]

3299. [bug] Make SDB handle errors from database drivers better.
      [RT #28534]

3298. [bug] Named could dereference a NULL pointer in
      zmgr_start_xfrin_ifquota if the zone was being removed.
      [RT #28419]

3297. [bug] Named could die on a malformed master file. [RT #28467]

3296. [bug] Named could die with an INSIST failure in
      client.c:exit_check. [RT #28346]

3295. [bug] Adjust isc_time_secondsastimet range check to be more
      portable. [RT #26542]

3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
      error. [RT #28265]

3293. [func] nsupdate: list supported type. [RT #28261]

3292. [func] Log messages in the axfr stream at debug 10.
      [RT #28040]

3291. [port] Fixed a build error on systems without ENOTSUP.
      [RT #28200]

3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]

3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036]

3288. [bug] dlz_destroy() function wasn't correctly registered
      by the DLZ dlopen driver. [RT #28056]

3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286. [bug] Managed key maintenance timer could fail to start
      after 'rndc reconfig'. [RT #26786]

3285. [bug] val-frdataset was incorrectly disassociated in
      proveunsecure after calling startfinddlvsep.
      [RT #27928]

3284. [bug] Address race conditions with the handling of
      rbtnode.deadlink. [RT #27738]

3283. [bug] Raw zones with more than 512 records in an RRset
      failed to load. [RT #27863]

3282. [bug] Restrict the TTL of NS RRset to no more than that
      of the old NS RRset when replacing it.
      [RT #27792] [RT #27884]

3281. [bug] SOA refresh queries could be treated as cancelled
      despite succeeding over the loopback interface.
      [RT #27782]

3280. [bug] Potential double free of a rdataset on out of memory
      with DNS64. [RT #27762]

3279. [bug] Hold an internal reference to the zone while performing
      an asynchronous load. Address potential memory leak
      if the asynchronous load is cancelled. [RT #27750]

3278. [bug] Make sure automatic key maintenance is started
      when "auto-dnssec maintain" is turned on during
      "rndc reconfig". [RT #26805]

3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696]

3276. [bug] win32: ns_os_openfile failed to return NULL on
      safe_open failure. [RT #27696]

3275. [bug] Corrected rndc -h output; the 'rndc sync -clean'
      option had been misspelled as '-clear'. (To avoid
      future confusion, both options now work.) [RT #27173]

3274. [placeholder]

3273. [bug] AAAA responses could be returned in the additional
      section even when filter-aaaa-on-v4 was in use.
      [RT #27292]

3272. [func] New "rndc zonestatus" command prints information
      about the specified zone. [RT #21671]

3271. [port] darwin: mksymtbl is not always stable, loop several
      times before giving up. mksymtbl was using
      non-portable perl to convert 64 bit hex strings. [RT #27653]

--- 9.9.0rc2 released ---

3270. [bug] "rndc reload" didn't reuse existing zones correctly
      when inline-signing was in use. [RT #27650]

3269. [port] darwin 11 and later now built threaded by default.

3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
      out the earliest expiry time. [RT #23311]

3267. [bug] Memory allocation failures could be mis-reported as
      unexpected error. New ISC_R_UNSET result code.
      [RT #27336]

3266. [bug] The maximum number of NSEC3 iterations for a
      DNSKEY RRset was not being properly computed.
      [RT #26543]

3265. [bug] Corrected a problem with lock ordering in the
      inline-signing code. [RT #27557]

3264. [bug] Automatic regeneration of signatures in an
      inline-signing zone could stall when the server
      was restarted. [RT #27344]

3263. [bug] "rndc sync" did not affect the unsigned side of an
      inline-signing zone. [RT #27337]

3262. [bug] Signed responses were handled incorrectly by RPZ.
      [RT #27316]

3261. [func] RRset ordering now defaults to random. [RT #27174]

3260. [bug] "rrset-order cyclic" could appear not to rotate
      for some query patterns. [RT #27170/27185]

--- 9.9.0rc1 released ---

3259. [bug] named-compilezone: Suppress "dump zone to <file>"
      message when writing to stdout. [RT #27109]

3258. [test] Add "forcing full sign with unreadable keys" test.
      [RT #27153]

3257. [bug] Do not generate an error message when calling fsync()
      in a pipe or socket. [RT #27109]

3256. [bug] Disable empty zones for lwresd -C. [RT #27139]

3255. [func] No longer require that empty zones be explicitly
      enabled or that an empty zone is disabled for
      RFC 1918 empty zones to be configured. [RT #27139]

3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
      [RT #22249]

3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
      too long. [RT #26956]

3252. [bug] When master zones using inline-signing were
      updated while the server was offline, the source
      zone could fall out of sync with the signed
      copy. They can now resynchronize. [RT #26676]

3251. [bug] Enforce an upper bound (65535 bytes) on the amount of
      memory dns_sdlz_putrr() can allocate per record to
      prevent runaway memory consumption on ISC_R_NOSPACE.
      [RT #26956]

3250. [func] 'configure --enable-developer'; turn on various
      configure options, normally off by default, that
      we want developers to build and test with. [RT #27103]

3249. [bug] Update log message when saving slave zones files for
      analysis after load failures. [RT #27087]

3248. [bug] Configure options --enable-fixed-rrset and
      --enable-exportlib were incompatible with each
      other. [RT #27087]

3247. [bug] 'raw' format zones failed to preserve load order
      breaking 'fixed' sort order. [RT #27087]

3246. [bug] Named failed to start with an empty also-notify list.
      [RT #27087]

3245. [bug] Don't report an error unchanged serials unless there
      were other changes when thawing a zone with
      ixfr-from-differences. [RT #26845]

3244. [func] Added readline support to nslookup and nsupdate.
      Also simplified nsupdate syntax to make "update"
      and "prereq" optional. [RT #24659]

3243. [port] freebsd,netbsd,bsdi: the thread defaults were not
      being properly set.

3242. [func] Extended the header of raw-format master files to
      include the serial number of the zone from which
      they were generated, if different (as in the case
      of inline-signing zones). This is to be used in
      inline-signing zones, to track changes between the
      unsigned and signed versions of the zone, which may
      have different serial numbers.

      (Note: raw zonefiles generated by this version of
      BIND are no longer compatible with prior versions.
      To generate a backward-compatible raw zonefile
      using dnssec-signzone or named-compilezone, specify
      output format "raw=0" instead of simply "raw".)
      [RT #26587]

3241. [bug] Address race conditions in the resolver code.
      [RT #26889]

3240. [bug] DNSKEY state change events could be missed. [RT #26874]

3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
      timestamp. [RT #26883]

3238. [bug] keyrdata was not being reinitialized in
      lib/dns/rbtdb.c:iszonesecure. [RT #26913]

3237. [bug] dig -6 didn't work with +trace. [RT #26906]

3236. [bug] Backed out changes #3182 and #3202, related to
      EDNS(0) fallback behavior. [RT #26416]

3235. [func] dns_db_diffx, an extended dns_db_diff which returns
      the generated diff and optionally writes it to a
      journal. [RT #26386]

3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]

3233. [bug] 'rndc freeze/thaw' didn't work for inline zones.
      [RT #26632]

3232. [bug] Zero zone->curmaster before return in
      dns_zone_setmasterswithkeys(). [RT #26732]

3231. [bug] named could fail to send an incompressible zone.
      [RT #26796]

3230. [bug] 'dig axfr' failed to properly handle a multi-message
      axfr with a serial of 0. [RT #26796]

3229. [bug] Fix local variable to struct var assignment
      found by CLANG warning.

3228. [tuning] Dynamically grow symbol table to improve zone
      loading performance. [RT #26523]

3227. [bug] Interim fix to make WKS's use of getprotobyname()
      and getservbyname() self thread safe. [RT #26232]

3226. [bug] Address minor resource leakages. [RT #26624]

3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
      messages. [RT #26507]

3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684]

3223. [bug] 'task_test privilege_drop' generated false positives.
      [RT #26766]

3222. [cleanup] Replace dns_journal_{get,set}_bitws with
      dns_journal_{get,set}_sourceserial. [RT #26634]

3221. [bug] Fixed a potential core dump on shutdown due to
      referencing fetch context after it's been freed.
      [RT #26720]

--- 9.9.0b2 released ---

3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
      could fail to set the database version correctly,
      causing an assertion failure. [RT #26180]

3219. [bug] Disable NOEDNS caching following a timeout.

3218. [security] Cache lookup could return RRSIG data associated with
      nonexistent records, leading to an assertion
      failure. [RT #26590]

3217. [cleanup] Fix build problem with --disable-static. [RT #26476]

3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]

3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495]

3214. [func] Add 'named -U' option to set the number of UDP
      listener threads per interface. [RT #26485]

3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]

3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
      list prior to adding a reference to it leading to a
      possible assertion failure. [RT #23219]

3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full"
      option prints in single-line-per-record format.
      [RT #20287]

3210. [bug] Canceling the oldest query due to recursive-client
      overload could trigger an assertion failure. [RT #26463]

3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]

3208. [bug] 'dig -y' handle unknown tsig algorithm better.
      [RT #25522]

3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206. [cleanup] Add ISC information to log at start time. [RT #25484]

3205. [func] Upgrade dig's defaults to better reflect modern
      nameserver behavior. Enable "dig +adflag" and
      "dig +edns=0" by default. Enable "+dnssec" when
      running "dig +trace". [RT #23497]

3204. [bug] When a master server that has been marked as
      unreachable sends a NOTIFY, mark it reachable
      again. [RT #25960]

3203. [bug] Increase log level to 'info' for validation failures
      from expired or not-yet-valid RRSIGs. [RT #21796]

3202. [bug] NOEDNS caching on timeout was too aggressive.
      [RT #26416]

3201. [func] 'rndc querylog' can now be given an on/off parameter
      instead of only being used as a toggle. [RT #18351]

3200. [doc] Some rndc functions were undocumented or were
      missing from 'rndc -h' output. [RT #25555]

3199. [func] When logging client information, include the name
      being queried. [RT #25944]

3198. [doc] Clarified that dnssec-settime can alter keyfile
      permissions. [RT #24866]

3197. [bug] Don't try to log the filename and line number when
      the config parser can't open a file. [RT #22263]

3196. [bug] nsupdate: return nonzero exit code when target zone
      doesn't exist. [RT #25783]

3195. [cleanup] Silence "file not found" warnings when loading
      managed-keys zone. [RT #26340]

3194. [doc] Updated RFC references in the 'empty-zones-enable'
      documentation. [RT #25203]

3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
      dnssec.h. [RT #26415]

3192. [bug] A query structure could be used after being freed.
      [RT #22208]

3191. [bug] Print NULL records using "unknown" format. [RT #26392]

3190. [bug] Underflow in error handling in isc_mutexblock_init.
      [RT #26397]

3189. [test] Added a summary report after system tests. [RT #25517]

3188. [bug] zone.c:zone_refreshkeys() could fail to detach
      references correctly when errors occurred, causing
      a hang on shutdown. [RT #26372]

3187. [port] win32: support for Visual Studio 2008. [RT #26356]

--- 9.9.0b1 released ---

3186. [bug] Version/db mismatch in rpz code. [RT #26180]

3185. [func] New 'rndc signing' option for auto-dnssec zones:
      - 'rndc signing -list' displays the current
        state of signing operations
      - 'rndc signing -clear' clears the signing state
        records for keys that have fully signed the zone
      - 'rndc signing -nsec3param' sets the NSEC3
        parameters for the zone
      The 'rndc keydone' syntax is removed. [RT #23729]

3184. [bug] named had excessive cpu usage when a redirect zone was
      configured. [RT #26013]

3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3182. [bug] Auth servers behind firewalls which block packets
      greater than 512 bytes may cause other servers to
      perform poorly. Now, adb retains edns information
      and caches noedns servers. [RT #23392/24964]

3181. [func] Inline-signing is now supported for master zones.
      [RT #26224]

3180. [func] Local copies of slave zones are now saved in raw
      format by default, to improve startup performance.
      'masterfile-format text;' can be used to override
      the default, if desired. [RT #25867]

3179. [port] kfreebsd: build issues. [RT #26273]

3178. [bug] A race condition introduced by change #3163 could
      cause an assertion failure on shutdown. [RT #26271]

3177. [func] 'rndc keydone', remove the indicator record that
      named has finished signing the zone with the
      corresponding key. [RT #26206]

3176. [doc] Corrected example code and added a README to the
      sample external DLZ module in contrib/dlz/example.
      [RT #26215]

3175. [bug] Fix how DNSSEC positive wildcard responses from an
      NSEC3 signed zone are validated. Stop sending an
      unnecessary NSEC3 record when generating such
      responses. [RT #26200]

3174. [bug] Always compute the revoked key tag from scratch.
      [RT #26186]

3173. [port] Correctly validate root DS responses. [RT #25726]

3172. [port] darwin 10.* and freebsd [89] are now built threaded by
      default.

3171. [bug] Exclusively lock the task when adding a zone using
      'rndc addzone'. [RT #25600]

--- 9.9.0a3 released ---

3170. [func] RPZ update:
      - fix precedence among competing rules
      - improve ARM text including documenting rule precedence
      - try to rewrite CNAME chains until first hit
      - new "rpz" logging channel
      - RDATA for CNAME rules can include wildcards
      - replace "NO-OP" named.conf policy override with
        "PASSTHRU" and add "DISABLED" override ("NO-OP"
        is still recognized)
      [RT #25172]

3169. [func] Catch db/version mis-matches when calling dns_db_*().
      [RT #26017]

3168. [bug] Nxdomain redirection could trigger an assert with
      an ANY query. [RT #26017]

3167. [bug] Negative answers from forwarders were not being
      correctly tagged making them appear to not be cached.
      [RT #25380]

3166. [bug] Upgrading a zone to support inline-signing failed.
      [RT #26014]

3165. [bug] dnssec-signzone could generate new signatures when
      resigning, even when valid signatures were already
      present. [RT #26025]

3164. [func] Enable DLZ modules to retrieve client information,
      so that responses can be changed depending on the
      source address of the query. [RT #25768]

3163. [bug] Use finer-grained locking in client.c to address
      concurrency problems with large numbers of threads.
      [RT #26044]

3162. [test] start.pl: modified to allow for "named.args" in
      ns*/ subdirectory to override stock arguments to
      named. Largely from RT #26044, but no separate ticket.

3161. [bug] zone.c:del_sigs failed to always reset rdata leading
      to assertion failures. [RT #25880]

3160. [bug] When printing out an NSEC3 record in multiline form
      the newline was not being printed causing type codes
      to be run together. [RT #25873]

3159. [bug] On some platforms, named could assert on startup
      when running in a chrooted environment without
      /proc. [RT #25863]

3158. [bug] Recursive servers would prefer a particular UDP
      socket instead of using all available sockets.
      [RT #26038]

3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
      the config file before pausing the server. [RT #21373]

3156. [placeholder]

--- 9.9.0a2 released ---

3155. [bug] Fixed a build failure when using contrib DLZ
      drivers (e.g., mysql, postgresql, etc). [RT #25710]

3154. [bug] Attempting to print an empty rdataset could trigger
      an assert. [RT #25452]

3153. [func] Extend request-ixfr to zone level and remove the
      side effect of forcing an AXFR. [RT #25156]

3152. [cleanup] Some versions of gcc and clang failed due to
      incorrect use of __builtin_expect. [RT #25183]

3151. [bug] Queries for type RRSIG or SIG could be handled
      incorrectly. [RT #21050]

3150. [func] Improved startup and reconfiguration time by
      enabling zones to load in multiple threads. [RT #25333]

3149. [placeholder]

3148. [bug] Processing of normal queries could be stalled when
      forwarding an UPDATE message. [RT #24711]

3147. [func] Initial inline signing support. [RT #23657]

--- 9.9.0a1 released ---

3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145. [test] Capture output of ATF unit tests in "./atf.out" if
      there were any errors while running them. [RT #25527]

3144. [bug] dns_dbiterator_seek() could trigger an assert when
      used with a nonexistent database node. [RT #25358]

3143. [bug] Silence clang compiler warnings. [RT #25174]

3142. [bug] NAPTR is class agnostic. [RT #25429]

3141. [bug] Silence spurious "zone serial (0) unchanged" messages
      associated with empty zones. [RT #25079]

3140. [func] New command "rndc flushtree <name>" clears the
      specified name from the server cache along with
      all names under it. [RT #19970]

3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
      for the hashing algorithms (md5, sha1 - sha512, and
      their hmac counterparts). [RT #25067]

3138. [bug] Address memory leaks and out-of-order operations when
      shutting named down. [RT #25210]

3137. [func] Improve hardware scalability by allowing multiple
      worker threads to process incoming UDP packets.
      This can significantly increase query throughput
      on some systems. [RT #22992]

3136. [func] Add RFC 1918 reverse zones to the list of built-in
      empty zones switched on by the 'empty-zones-enable'
      option. [RT #24990]

3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
      See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
      [RT #24950]

3134. [bug] Improve the accuracy of dnssec-signzone's signing
      statistics. [RT #16030]

3133. [bug] Change #3114 was incomplete. [RT #24577]

3132. [placeholder]

3131. [tuning] Improve scalability by allocating one zone task
      per 100 zones at startup time, rather than using a
      fixed-size task table. [RT #24406]

3130. [func] Support alternate methods for managing a dynamic
      zone's serial number. Two methods are currently
      defined using serial-update-method, "increment"
      (default) and "unixtime". [RT #23849]

3129. [bug] Named could crash on 'rndc reconfig' when
      allow-new-zones was set to yes and named ACLs
      were used. [RT #22739]

3128. [func] Inserting an NSEC3PARAM via dynamic update in an
      auto-dnssec zone that has not been signed yet
      will cause it to be signed with the specified NSEC3
      parameters when keys are activated. The
      NSEC3PARAM record will not appear in the zone until
      it is signed, but the parameters will be stored.
      [RT #23684]

3127. [bug] 'rndc thaw' will now remove a zone's journal file
      if the zone serial number has been changed and
      ixfr-from-differences is not in use. [RT #24687]

3126. [security] Using DNAME record to generate replacements caused
      RPZ to exit with an assertion failure. [RT #24766]

3125. [security] Using wildcard CNAME records as a replacement with
      RPZ caused named to exit with an assertion failure.
      [RT #24715]

3124. [bug] Use an rdataset attribute flag to indicate
      negative-cache records rather than using rrtype 0;
      this will prevent problems when that rrtype is
      used in actual DNS packets. [RT #24777]

3123. [security] Change #2912 exposed a latent flaw in
      dns_rdataset_totext() that could cause named to
      crash with an assertion failure. [RT #24777]

3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]

3121. [security] An authoritative name server sending a negative
      response containing a very large RRset could
      trigger an off-by-one error in the ncache code
      and crash named. [RT #24650]

3120. [bug] Named could fail to validate zones listed in a DLV
      that validated insecure without using DLV and had
      DS records in the parent zone. [RT #24631]

3119. [bug] When rolling to a new DNSSEC key, a private-type
      record could be created and never marked complete.
      [RT #23253]

3118. [bug] nsupdate could dump core on shutdown when using
      SIG(0) keys. [RT #24604]

3117. [cleanup] Remove doc and parser references to the
      never-implemented 'auto-dnssec create' option.
      [RT #24533]

3116. [func] New 'dnssec-update-mode' option controls updates
      of DNSSEC records in signed dynamic zones. Set to
      'no-resign' to disable automatic RRSIG regeneration
      while retaining the ability to sign new or changed
      data. [RT #24533]

3115. [bug] Named could fail to return requested data when
      following a CNAME that points into the same zone.
      [RT #24455]

3114. [bug] Retain expired RRSIGs in dynamic zones if key is
      inactive and there is no replacement key. [RT #23136]

3113. [doc] Document the relationship between serial-query-rate
      and NOTIFY messages.

3112. [doc] Add missing descriptions of the update policy name
      types "ms-self", "ms-subdomain", "krb5-self" and
      "krb5-subdomain", which allow machines to update
      their own records, to the BIND 9 ARM.

3111. [bug] Improved consistency checks for dnssec-enable and
      dnssec-validation, added test cases to the
      checkconf system test. [RT #24398]

3110. [bug] dnssec-signzone: Wrong error message could appear
      when attempting to sign with no KSK. [RT #24369]

3109. [func] The also-notify option now uses the same syntax
      as a zone's masters clause. This means it is
      now possible to specify a TSIG key to use when
      sending notifies to a given server, or to include
      an explicit named masters list in an also-notify
      statement. [RT #23508]

3108. [cleanup] dnssec-signzone: Clarified some error and
      warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
      code (use -P instead). [RT #20852]

3107. [bug] dnssec-signzone: Report the correct number of ZSKs
      when using -x. [RT #20852]

3106. [func] When logging client requests, include the name of
      the TSIG key if any. [RT #23619]

3105. [bug] GOST support can be suppressed by "configure
      --without-gost" [RT #24367]

3104. [bug] Better support for cross-compiling. [RT #24367]

3103. [bug] Configuring 'dnssec-validation auto' in a view
      instead of in the options statement could trigger
      an assertion failure in named-checkconf. [RT #24382]

3102. [func] New 'dnssec-loadkeys-interval' option configures
      how often, in minutes, to check the key repository
      for updates when using automatic key maintenance.
      Default is every 60 minutes (formerly hard-coded
      to 12 hours). [RT #23744]

3101. [bug] Zones using automatic key maintenance could fail
      to check the key repository for updates. [RT #23744]

3100. [security] Certain response policy zone configurations could
      trigger an INSIST when receiving a query of type
      RRSIG. [RT #24280]

3099. [test] "dlz" system test now runs but gives R:SKIPPED if
      not compiled with --with-dlz-filesystem. [RT #24146]

3098. [bug] DLZ zones were answering without setting the AA bit.
      [RT #24146]

3097. [test] Add a tool to test handling of malformed packets.
      [RT #24096]

3096. [bug] Set KRB5_KTNAME before calling log_cred() in
      dst_gssapi_acceptctx(). [RT #24004]

3095. [bug] Handle isolated reserved ports in the port range.
      [RT #23957]

3094. [doc] Expand dns64 documentation.

3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]

3092. [bug] Signatures for records at the zone apex could go
      stale due to an incorrect timer setting. [RT #23769]

3091. [bug] Fixed a bug in which zone keys that were published
      and then subsequently activated could fail to trigger
      automatic signing. [RT #22911]

3090. [func] Make --with-gssapi default [RT #23738]

3089. [func] dnssec-dsfromkey now supports reading keys from
      standard input "dnssec-dsfromkey -f -". [RT #20662]

3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
      and add setup.sh in order to resolve changing
      named.conf issue. [RT #23687]

3087. [bug] DDNS updates using SIG(0) with update-policy match
      type "external" could cause a crash. [RT #23735]

3086. [bug] Running dnssec-settime -f on an old-style key will
      now force an update to the new key format even if no
      other change has been specified, using "-P now -A now"
      as default values. [RT #22474]

3085. [func] New '-R' option in dnssec-signzone forces removal
      of signatures which have not yet expired but
      were generated by a key that no longer exists.
      [RT #22471]

3084. [func] A new command "rndc sync" dumps pending changes in
      a dynamic zone to disk; "rndc sync -clean" also
      removes the journal file after syncing. Also,
      "rndc freeze" no longer removes journal files.
      [RT #22473]

3083. [bug] NOTIFY messages were not being sent when generating
      an NSEC3 chain incrementally. [RT #23702]

3082. [port] strtok_r is threads only. [RT #23747]

3081. [bug] Failure of DNAME substitution did not return
      YXDOMAIN. [RT #23591]

3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
      [RT #23587]

3079. [bug] Handle isc_event_allocate failures in t_tasks.
      [RT #23572]

3078. [func] Added a new include file with function typedefs
      for the DLZ "dlopen" driver. [RT #23629]

3077. [bug] zone.c:zone_refreshkeys() incorrectly called
      dns_zone_attach(), use zone->irefs instead. [RT #23303]

3076. [func] New '-L' option in dnssec-keygen, dnssec-settime, and
      dnssec-keyfromlabel sets the default TTL of the
      key. When possible, automatic signing will use that
      TTL when the key is published. [RT #23304]

3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent
      timestamp when determining which keys are active.
      [RT #23642]

3074. [bug] Make the adb cache read through for zone data and
      glue learn for zone named is authoritative for.
      [RT #22842]

3073. [bug] managed-keys changes were not properly being recorded.
      [RT #20256]

3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
      [RT #20256]

3071. [bug] has_nsec could be used uninitialized in
      update.c:next_active. [RT #20256]

3070. [bug] dnssec-signzone potential NULL pointer dereference.
      [RT #20256]

3069. [cleanup] Silence warning messages from clang static analysis.
      [RT #20256]

3068. [bug] Named failed to build with an OpenSSL without engine
      support. [RT #23473]

3067. [bug] ixfr-from-differences {master|slave}; failed to
      select the master/slave zones. [RT #23580]

3066. [func] The DLZ "dlopen" driver is now built by default,
      no longer requiring a configure option. To
      disable it, use "configure --without-dlopen".
      Driver also supported on win32. [RT #23467]

3065. [bug] RRSIG could have time stamps too far in the future.
      [RT #23356]

3064. [bug] powerpc: add sync instructions to the end of atomic
      operations. [RT #23469]

3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]

3062. [func] Made several changes to enhance human readability
      of DNSSEC data in dig output and in generated
      zone files:
      - DNSKEY record comments are more verbose, no
        longer used in multiline mode only
      - multiline RRSIG records reformatted
      - multiline output mode for NSEC3PARAM records
      - "dig +norrcomments" suppresses DNSKEY comments
      - "dig +split=X" breaks hex/base64 records into
        fields of width X; "dig +nosplit" disables this.
      [RT #22820]

3061. [func] New option "dnssec-signzone -D", only write out
      generated DNSSEC records. [RT #22896]

3060. [func] New option "dnssec-signzone -X <date>" allows
      specification of a separate expiration date
      for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

3059. [test] Added a regression test for change #3023.

3058. [bug] Cause named to terminate at startup or rndc reconfig/
      reload to fail, if a log file specified in the conf
      file isn't a plain file. [RT #22771]

3057. [bug] "rndc secroots" would abort after the first error
      and so could miss some views. [RT #23488]

3056. [func] Added support for URI resource record. [RT #23386]

3055. [placeholder]

3054. [bug] Added elliptic curve support check in
      GOST OpenSSL engine detection. [RT #23485]

3053. [bug] Under a sustained high query load with a finite
      max-cache-size, it was possible for cache memory
      to be exhausted and not recovered. [RT #23371]

3052. [test] Fixed last autosign test report. [RT #23256]

3051. [bug] NS records obscure DNAME records at the bottom of the
      zone if both are present. [RT #23035]

3050. [bug] The autosign system test was timing dependent.
      Wait for the initial autosigning to complete
      before running the rest of the test. [RT #23035]

3049. [bug] Save and restore the gid when creating
      named.pid at startup. [RT #23290]

3048. [bug] Fully separate view key management. [RT #23419]

3047. [bug] DNSKEY NODATA responses not cached fixed in
      validator.c. Tests added to dnssec system test.
      [RT #22908]

3046. [bug] Use RRSIG original TTL to compute validated RRset
      and RRSIG TTL. [RT #23332]

3045. [removed] Replaced by change #3050.

3044. [bug] Hold the socket manager lock while freeing the socket.
      [RT #23333]

3043. [test] Merged in the NetBSD ATF test framework (currently
      version 0.12) for development of future unit tests.
      Use configure --with-atf to build ATF internally
      or configure --with-atf=prefix to use an external
      copy. [RT #23209]

3042. [bug] dig +trace could fail attempting to use IPv6
      addresses on systems with only IPv4 connectivity.
      [RT #23297]

3041. [bug] dnssec-signzone failed to generate new signatures on
      ttl changes. [RT #23330]

3040. [bug] Named failed to validate insecure zones where a node
      with a CNAME existed between the trust anchor and the
      top of the zone. [RT #23338]

3039. [func] Redirect on NXDOMAIN support. [RT #23146]

3038. [bug] Install <dns/rpz.h>. [RT #23342]

3037. [doc] Update COPYRIGHT to contain all the individual
      copyright notices that cover various parts.

3036. [bug] Check built-in zone arguments to see if the zone
      is re-usable or not. [RT #21914]

3035. [cleanup] Simplify by using strlcpy. [RT #22521]

3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]

3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
      [RT #22521]

3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]

3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
      [RT #22521]

3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
      [RT #22521]

3029. [bug] isc_netaddr_format() handle a zero sized buffer.
      [RT #22521]

3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
      [RT #22521]

3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
      catch NULL pointer dereferences before they happen.
      [RT #22521]

3026. [bug] lib/isc/httpd.c: check that we have enough space
      after calling grow_headerspace() and if not
      re-call grow_headerspace() until we do. [RT #22521]

3025. [bug] Fixed a possible deadlock due to zone resigning.
      [RT #22964]

3024. [func] RTT Banding removed due to minor security increase
      but major impact on resolver latency. [RT #23310]

3023. [bug] Named could be left in an inconsistent state when
      receiving multiple AXFR response messages that were
      not all TSIG-signed. [RT #23254]

3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
      [RT #23246]

3021. [bug] Change #3010 was incomplete. [RT #22296]

3020. [bug] auto-dnssec failed to correctly update the zone when
      changing the DNSKEY RRset. [RT #23232]

3019. [test] Test: check apex NSEC3 records after adding DNSKEY
      record via UPDATE. [RT #23229]

3018. [bug] Named failed to check for the "none;" acl when deciding
      if a zone may need to be re-signed. [RT #23120]

3017. [doc] dnssec-keyfromlabel -I was not properly documented.
      [RT #22887]

3016. [bug] rndc usage missing '-b'. [RT #22937]

3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
      IN6_IS_ADDR_SITELOCAL macros. [RT #22724]

3014. [placeholder]

3013. [bug] The DNS64 ttl was not always being set as expected.
      [RT #23034]

3012. [bug] Remove DNSKEY TTL change pairs before generating
      signing records for any remaining DNSKEY changes.
      [RT #22590]

3011. [func] Change the default query timeout from 30 seconds
      to 10. Allow setting this in named.conf using the new
      'resolver-query-timeout' option, which specifies a max
      time in seconds. 0 means 'default' and anything longer
      than 30 will be silently set to 30. [RT #22852]

3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
      for refreshing managed-keys. [RT #22296]

3009. [bug] clients-per-query code didn't work as expected with
      particular query patterns. [RT #22972]

--- 9.8.0b1 released ---

3008. [func] Response policy zones (RPZ) support. [RT #21726]

3007. [bug] Named failed to preserve the case of domain names in
      rdata which is not compressible when writing master
      files. [RT #22863]

3006.
[func] Allow dynamically generated TSIG keys to be preserved 7244 across restarts of named. Initially this is for 7245 TSIG keys generated using GSSAPI. [RT #22639] 7246 72473005. [port] Solaris: Work around the lack of 7248 gsskrb5_register_acceptor_identity() by setting 7249 the KRB5_KTNAME environment variable to the 7250 contents of tkey-gssapi-keytab. Also fixed 7251 test errors on MacOSX. [RT #22853] 7252 72533004. [func] DNS64 reverse support. [RT #22769] 7254 72553003. [experimental] Added update-policy match type "external", 7256 enabling named to defer the decision of whether to 7257 allow a dynamic update to an external daemon. 7258 (Contributed by Andrew Tridgell.) [RT #22758] 7259 72603002. [bug] isc_mutex_init_errcheck() failed to destroy attr. 7261 [RT #22766] 7262 72633001. [func] Added a default trust anchor for the root zone, which 7264 can be switched on by setting "dnssec-validation auto;" 7265 in the named.conf options. [RT #21727] 7266 72673000. [bug] More TKEY/GSS fixes: 7268 - nsupdate can now get the default realm from 7269 the user's Kerberos principal 7270 - corrected gsstest compilation flags 7271 - improved documentation 7272 - fixed some NULL dereferences 7273 [RT #22795] 7274 72752999. [func] Add GOST support (RFC 5933). [RT #20639] 7276 72772998. [func] Add isc_task_beginexclusive and isc_task_endexclusive 7278 to the task api. [RT #22776] 7279 72802997. [func] named -V now reports the OpenSSL and libxml2 versions 7281 it was compiled against. [RT #22687] 7282 72832996. [security] Temporarily disable SO_ACCEPTFILTER support. 7284 [RT #22589] 7285 72862995. [bug] The Kerberos realm was not being correctly extracted 7287 from the signer's identity. [RT #22770] 7288 72892994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and 7290 do not use threads on earlier versions. Also kill 7291 the unproven-pthreads, mit-pthreads, and ptl2 support. 7292 72932993. [func] Dynamically grow adb hash tables. [RT #21186] 7294 72952992. 
[contrib] contrib/check-secure-delegation.pl: A simple tool 7296 for looking at a secure delegation. [RT #22059] 7297 72982991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for 7299 dynamic zones. [RT #22365] 7300 73012990. [bug] 'dnssec-settime -S' no longer tests prepublication 7302 interval validity when the interval is set to 0. 7303 [RT #22761] 7304 73052989. [func] Added support for writable DLZ zones. (Contributed 7306 by Andrew Tridgell of the Samba project.) [RT #22629] 7307 73082988. [experimental] Added a "dlopen" DLZ driver, allowing the creation 7309 of external DLZ drivers that can be loaded as 7310 shared objects at runtime rather than linked with 7311 named. Currently this is switched on via a 7312 compile-time option, "configure --with-dlz-dlopen". 7313 Note: the syntax for configuring DLZ zones 7314 is likely to be refined in future releases. 7315 (Contributed by Andrew Tridgell of the Samba 7316 project.) [RT #22629] 7317 73182987. [func] Improve ease of configuring TKEY/GSS updates by 7319 adding a "tkey-gssapi-keytab" option. If set, 7320 updates will be allowed with any key matching 7321 a principal in the specified keytab file. 7322 "tkey-gssapi-credential" is no longer required 7323 and is expected to be deprecated. (Contributed 7324 by Andrew Tridgell of the Samba project.) 7325 [RT #22629] 7326 73272986. [func] Add new zone type "static-stub". It's like a stub 7328 zone, but the nameserver names and/or their IP 7329 addresses are statically configured. [RT #21474] 7330 73312985. [bug] Add a regression test for change #2896. [RT #21324] 7332 73332984. [bug] Don't run MX checks when the target of the MX record 7334 is ".". [RT #22645] 7335 73362983. [bug] Include "loadkeys" in rndc help output. [RT #22493] 7337 7338 --- 9.8.0a1 released --- 7339 73402982. [bug] Reference count dst keys. dst_key_attach() can be used 7341 increment the reference count. 
7342 7343 Note: dns_tsigkey_createfromkey() callers should now 7344 always call dst_key_free() rather than setting it 7345 to NULL on success. [RT #22672] 7346 73472981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991] 7348 73492980. [bug] named didn't properly handle UPDATES that changed the 7350 TTL of the NSEC3PARAM RRset. [RT #22363] 7351 73522979. [bug] named could deadlock during shutdown if two 7353 "rndc stop" commands were issued at the same 7354 time. [RT #22108] 7355 73562978. [port] hpux: look for <devpoll.h> [RT #21919] 7357 73582977. [bug] 'nsupdate -l' report if the session key is missing. 7359 [RT #21670] 7360 73612976. [bug] named could die on exit after negotiating a GSS-TSIG 7362 key. [RT #22573] 7363 73642975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the 7365 wrong lock which could lead to server deadlock. 7366 [RT #22614] 7367 73682974. [bug] Some valid UPDATE requests could fail due to a 7369 consistency check examining the existing version 7370 of the zone rather than the new version resulting 7371 from the UPDATE. [RT #22413] 7372 73732973. [bug] bind.keys.h was being removed by the "make clean" 7374 at the end of configure resulting in build failures 7375 where there is very old version of perl installed. 7376 Move it to "make maintainer-clean". [RT #22230] 7377 73782972. [bug] win32: address windows socket errors. [RT #21906] 7379 73802971. [bug] Fixed a bug that caused journal files not to be 7381 compacted on Windows systems as a result of 7382 non-POSIX-compliant rename() semantics. [RT #22434] 7383 73842970. [security] Adding a NO DATA negative cache entry failed to clear 7385 any matching RRSIG records. A subsequent lookup of 7386 of NO DATA cache entry could trigger a INSIST when the 7387 unexpected RRSIG was also returned with the NO DATA 7388 cache entry. 7389 7390 CVE-2010-3613, VU#706148. [RT #22288] 7391 73922969. 
[security] Fix acl type processing so that allow-query works 7393 in options and view statements. Also add a new 7394 set of tests to verify proper functioning. 7395 7396 CVE-2010-3615, VU#510208. [RT #22418] 7397 73982968. [security] Named could fail to prove a data set was insecure 7399 before marking it as insecure. One set of conditions 7400 that can trigger this occurs naturally when rolling 7401 DNSKEY algorithms. 7402 7403 CVE-2010-3614, VU#837744. [RT #22309] 7404 74052967. [bug] 'host -D' now turns on debugging messages earlier. 7406 [RT #22361] 7407 74082966. [bug] isc_print_vsnprintf() failed to check if there was 7409 space available in the buffer when adding a left 7410 justified character with a non zero width, 7411 (e.g. "%-1c"). [RT #22270] 7412 74132965. [func] Test HMAC functions using test data from RFC 2104 and 7414 RFC 4634. [RT #21702] 7415 74162964. [placeholder] 7417 74182963. [security] The allow-query acl was being applied instead of the 7419 allow-query-cache acl to cache lookups. [RT #22114] 7420 74212962. [port] win32: add more dependencies to BINDBuild.dsw. 7422 [RT #22062] 7423 74242961. [bug] Be still more selective about the non-authoritative 7425 answers we apply change 2748 to. [RT #22074] 7426 74272960. [func] Check that named accepts non-authoritative answers. 7428 [RT #21594] 7429 74302959. [func] Check that named starts with a missing masterfile. 7431 [RT #22076] 7432 74332958. [bug] named failed to start with a missing master file. 7434 [RT #22076] 7435 74362957. [bug] entropy_get() and entropy_getpseudo() failed to match 7437 the API for RAND_bytes() and RAND_pseudo_bytes() 7438 respectively. [RT #21962] 7439 74402956. [port] Enable atomic operations on the PowerPC64. [RT #21899] 7441 74422955. [func] Provide more detail in the recursing log. [RT #22043] 7443 74442954. [bug] contrib: dlz_mysql_driver.c bad error handling on 7445 build_sqldbinstance failure. [RT #21623] 7446 74472953. 
[bug] Silence spurious "expected covering NSEC3, got an 7448 exact match" message when returning a wildcard 7449 no data response. [RT #21744] 7450 74512952. [port] win32: named-checkzone and named-checkconf failed 7452 to initialize winsock. [RT #21932] 7453 74542951. [bug] named failed to generate a correct signed response 7455 in a optout, delegation only zone with no secure 7456 delegations. [RT #22007] 7457 74582950. [bug] named failed to perform a SOA up to date check when 7459 falling back to TCP on UDP timeouts when 7460 ixfr-from-differences was set. [RT #21595] 7461 74622949. [bug] dns_view_setnewzones() contained a memory leak if 7463 it was called multiple times. [RT #21942] 7464 74652948. [port] MacOS: provide a mechanism to configure the test 7466 interfaces at reboot. See bin/tests/system/README 7467 for details. 7468 74692947. [placeholder] 7470 74712946. [doc] Document the default values for the minimum and maximum 7472 zone refresh and retry values in the ARM. [RT #21886] 7473 74742945. [doc] Update empty-zones list in ARM. [RT #21772] 7475 74762944. [maint] Remove ORCHID prefix from built in empty zones. 7477 [RT #21772] 7478 74792943. [func] Add support to load new keys into managed zones 7480 without signing immediately with "rndc loadkeys". 7481 Add support to link keys with "dnssec-keygen -S" 7482 and "dnssec-settime -S". [RT #21351] 7483 74842942. [contrib] zone2sqlite failed to setup the entropy sources. 7485 [RT #21610] 7486 74872941. [bug] sdb and sdlz (dlz's zone database) failed to support 7488 DNAME at the zone apex. [RT #21610] 7489 74902940. [port] Remove connection aborted error message on 7491 Windows. [RT #21549] 7492 74932939. [func] Check that named successfully skips NSEC3 records 7494 that fail to match the NSEC3PARAM record currently 7495 in use. [RT #21868] 7496 74972938. 
[bug] When generating signed responses, from a signed zone 7498 that uses NSEC3, named would use a uninitialized 7499 pointer if it needed to skip a NSEC3 record because 7500 it didn't match the selected NSEC3PARAM record for 7501 zone. [RT #21868] 7502 75032937. [bug] Worked around an apparent race condition in over 7504 memory conditions. Without this fix a DNS cache DB or 7505 ADB could incorrectly stay in an over memory state, 7506 effectively refusing further caching, which 7507 subsequently made a BIND 9 caching server unworkable. 7508 This fix prevents this problem from happening by 7509 polling the state of the memory context, rather than 7510 making a copy of the state, which appeared to cause 7511 a race. This is a "workaround" in that it doesn't 7512 solve the possible race per se, but several experiments 7513 proved this change solves the symptom. Also, the 7514 polling overhead hasn't been reported to be an issue. 7515 This bug should only affect a caching server that 7516 specifies a finite max-cache-size. It's also quite 7517 likely that the bug happens only when enabling threads, 7518 but it's not confirmed yet. [RT #21818] 7519 75202936. [func] Improved configuration syntax and multiple-view 7521 support for addzone/delzone feature (see change 7522 #2930). Removed "new-zone-file" option, replaced 7523 with "allow-new-zones (yes|no)". The new-zone-file 7524 for each view is now created automatically, with 7525 a filename generated from a hash of the view name. 7526 It is no longer necessary to "include" the 7527 new-zone-file in named.conf; this happens 7528 automatically. Zones that were not added via 7529 "rndc addzone" can no longer be removed with 7530 "rndc delzone". [RT #19447] 7531 75322935. [bug] nsupdate: improve 'file not found' error message. 7533 [RT #21871] 7534 75352934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c. 7536 [RT #21871] 7537 75382933. [bug] 'dig +nsid' used stack memory after it went out of 7539 scope. 
This could potentially result in a unknown, 7540 potentially malformed, EDNS option being sent instead 7541 of the desired NSID option. [RT #21781] 7542 75432932. [cleanup] Corrected a numbering error in the "dnssec" test. 7544 [RT #21597] 7545 75462931. [bug] Temporarily and partially disable change 2864 7547 because it would cause infinite attempts of RRSIG 7548 queries. This is an urgent care fix; we'll 7549 revisit the issue and complete the fix later. 7550 [RT #21710] 7551 75522930. [experimental] New "rndc addzone" and "rndc delzone" commands 7553 allow dynamic addition and deletion of zones. 7554 To enable this feature, specify a "new-zone-file" 7555 option at the view or options level in named.conf. 7556 Zone configuration information for the new zones 7557 will be written into that file. To make the new 7558 zones persist after a restart, "include" the file 7559 into named.conf in the appropriate view. (Note: 7560 This feature is not yet documented, and its syntax 7561 is expected to change.) [RT #19447] 7562 75632929. [bug] Improved handling of GSS security contexts: 7564 - added LRU expiration for generated TSIGs 7565 - added the ability to use a non-default realm 7566 - added new "realm" keyword in nsupdate 7567 - limited lifetime of generated keys to 1 hour 7568 or the lifetime of the context (whichever is 7569 smaller) 7570 [RT #19737] 7571 75722928. [bug] Be more selective about the non-authoritative 7573 answer we apply change 2748 to. [RT #21594] 7574 75752927. [placeholder] 7576 75772926. [placeholder] 7578 75792925. [bug] Named failed to accept uncachable negative responses 7580 from insecure zones. [RT #21555] 7581 75822924. [func] 'rndc secroots' dump a combined summary of the 7583 current managed keys combined with trusted keys. 7584 [RT #20904] 7585 75862923. [bug] 'dig +trace' could drop core after "connection 7587 timeout". [RT #21514] 7588 75892922. [contrib] Update zkt to version 1.0. 7590 75912921. 
[bug] The resolver could attempt to destroy a fetch context 7592 too soon. [RT #19878] 7593 75942920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively 7595 to IPv4 clients. New acl 'filter-aaaa' (default any). 7596 75972919. [func] Add autosign-ksk and autosign-zsk virtual time tests. 7598 [RT #20840] 7599 76002918. [maint] Add AAAA address for I.ROOT-SERVERS.NET. 7601 76022917. [func] Virtual time test framework. [RT #20801] 7603 76042916. [func] Add framework to use IPv6 in tests. 7605 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7 7606 76072915. [cleanup] Be smarter about which objects we attempt to compile 7608 based on configure options. [RT #21444] 7609 76102914. [bug] Make the "autosign" system test more portable. 7611 [RT #20997] 7612 76132913. [func] Add pkcs#11 system tests. [RT #20784] 7614 76152912. [func] Windows clients don't like UPDATE responses that clear 7616 the zone section. [RT #20986] 7617 76182911. [bug] dnssec-signzone didn't handle out of zone records well. 7619 [RT #21367] 7620 76212910. [func] Sanity check Kerberos credentials. [RT #20986] 7622 76232909. [bug] named-checkconf -p could die if "update-policy local;" 7624 was specified in named.conf. [RT #21416] 7625 76262908. [bug] It was possible for re-signing to stop after removing 7627 a DNSKEY. [RT #21384] 7628 76292907. [bug] The export version of libdns had undefined references. 7630 [RT #21444] 7631 76322906. [bug] Address RFC 5011 implementation issues. [RT #20903] 7633 76342905. [port] aix: set use_atomic=yes with native compiler. 7635 [RT #21402] 7636 76372904. [bug] When using DLV, sub-zones of the zones in the DLV, 7638 could be incorrectly marked as insecure instead of 7639 secure leading to negative proofs failing. This was 7640 a unintended outcome from change 2890. [RT #21392] 7641 76422903. [bug] managed-keys-directory missing from namedconf.c. 7643 [RT #21370] 7644 76452902. [func] Add regression test for change 2897. [RT #21040] 7646 76472901. 
[port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316] 7648 76492900. [bug] The placeholder negative caching element was not 7650 properly constructed triggering a INSIST in 7651 dns_ncache_towire(). [RT #21346] 7652 76532899. [port] win32: Support linking against OpenSSL 1.0.0. 7654 76552898. [bug] nslookup leaked memory when -domain=value was 7656 specified. [RT #21301] 7657 76582897. [bug] NSEC3 chains could be left behind when transitioning 7659 to insecure. [RT #21040] 7660 76612896. [bug] "rndc sign" failed to properly update the zone 7662 when adding a DNSKEY for publication only. [RT #21045] 7663 76642895. [func] genrandom: add support for the generation of multiple 7665 files. [RT #20917] 7666 76672894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294] 7668 76692893. [bug] Improve managed keys support. New named.conf option 7670 managed-keys-directory. [RT #20924] 7671 76722892. [bug] Handle REVOKED keys better. [RT #20961] 7673 76742891. [maint] Update empty-zones list to match 7675 draft-ietf-dnsop-default-local-zones-13. [RT #21099] 7676 76772890. [bug] Handle the introduction of new trusted-keys and 7678 DS, DLV RRsets better. [RT #21097] 7679 76802889. [bug] Elements of the grammar where not properly reported. 7681 [RT #21046] 7682 76832888. [bug] Only the first EDNS option was displayed. [RT #21273] 7684 76852887. [bug] Report the keytag times in UTC in the .key file, 7686 local time is presented as a comment within the 7687 comment. [RT #21223] 7688 76892886. [bug] ctime() is not thread safe. [RT #21223] 7690 76912885. [bug] Improve -fno-strict-aliasing support probing in 7692 configure. [RT #21080] 7693 76942884. [bug] Insufficient validation in dns_name_getlabelsequence(). 7695 [RT #21283] 7696 76972883. [bug] 'dig +short' failed to handle really large datasets. 7698 [RT #21113] 7699 77002882. [bug] Remove memory context from list of active contexts 7701 before clearing 'magic'. [RT #21274] 7702 77032881. 
[bug] Reduce the amount of time the rbtdb write lock 7704 is held when closing a version. [RT #21198] 7705 77062880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke 7707 consistent. [RT #21078] 7708 77092879. [contrib] DLZ bdbhpt driver fails to close correct cursor. 7710 [RT #21106] 7711 77122878. [func] Incrementally write the master file after performing 7713 a AXFR. [RT #21010] 7714 77152877. [bug] The validator failed to skip obviously mismatching 7716 RRSIGs. [RT #21138] 7717 77182876. [bug] Named could return SERVFAIL for negative responses 7719 from unsigned zones. [RT #21131] 7720 77212875. [bug] dns_time64_fromtext() could accept non digits. 7722 [RT #21033] 7723 77242874. [bug] Cache lack of EDNS support only after the server 7725 successfully responds to the query using plain DNS. 7726 [RT #20930] 7727 77282873. [bug] Canceling a dynamic update via the dns/client module 7729 could trigger an assertion failure. [RT #21133] 7730 77312872. [bug] Modify dns/client.c:dns_client_createx() to only 7732 require one of IPv4 or IPv6 rather than both. 7733 [RT #21122] 7734 77352871. [bug] Type mismatch in mem_api.c between the definition and 7736 the header file, causing build failure with 7737 --enable-exportlib. [RT #21138] 7738 77392870. [maint] Add AAAA address for L.ROOT-SERVERS.NET. 7740 77412869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. 7742 [RT #20877] 7743 77442868. [cleanup] Run "make clean" at the end of configure to ensure 7745 any changes made by configure are integrated. 7746 Use --with-make-clean=no to disable. [RT #20994] 7747 77482867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers 7749 don't like it. [RT #20986] 7750 77512866. [bug] Windows does not like the TSIG name being compressed. 7752 [RT #20986] 7753 77542865. [bug] memset to zero event.data. [RT #20986] 7755 77562864. [bug] Direct SIG/RRSIG queries were not handled correctly. 7757 [RT #21050] 7758 77592863. 
[port] linux: disable IPv6 PMTUD and use network minimum MTU. 7760 [RT #21056] 7761 77622862. [bug] nsupdate didn't default to the parent zone when 7763 updating DS records. [RT #20896] 7764 77652861. [doc] dnssec-settime man pages didn't correctly document the 7766 inactivation time. [RT #21039] 7767 77682860. [bug] named-checkconf's usage was out of date. [RT #21039] 7769 77702859. [bug] When canceling validation it was possible to leak 7771 memory. [RT #20800] 7772 77732858. [bug] RTT estimates were not being adjusted on ICMP errors. 7774 [RT #20772] 7775 77762857. [bug] named-checkconf did not fail on a bad trusted key. 7777 [RT #20705] 7778 77792856. [bug] The size of a memory allocation was not always properly 7780 recorded. [RT #20927] 7781 77822855. [func] nsupdate will now preserve the entered case of domain 7783 names in update requests it sends. [RT #20928] 7784 77852854. [func] dig: allow the final soa record in a axfr response to 7786 be suppressed, dig +onesoa. [RT #20929] 7787 77882853. [bug] add_sigs() could run out of scratch space. [RT #21015] 7789 77902852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] 7791 77922851. [doc] nslookup.1, removed <informalexample> from the docbook 7793 source as it produced bad nroff. [RT #21007] 7794 77952850. [bug] If isc_heap_insert() failed due to memory shortage 7796 the heap would have corrupted entries. [RT #20951] 7797 77982849. [bug] Don't treat errors from the xml2 library as fatal. 7799 [RT #20945] 7800 78012848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and 7802 README.rfc5011 into the ARM. [RT #20899] 7803 78042847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921] 7805 78062846. [bug] EOF on unix domain sockets was not being handled 7807 correctly. [RT #20731] 7808 78092845. [bug] RFC 5011 client could crash on shutdown. [RT #20903] 7810 78112844. [doc] notify-delay default in ARM was wrong. It should have 7812 been five (5) seconds. 7813 78142843. 
[func] Prevent dnssec-keygen and dnssec-keyfromlabel from 7815 creating key files if there is a chance that the new 7816 key ID will collide with an existing one after 7817 either of the keys has been revoked. (To override 7818 this in the case of dnssec-keyfromlabel, use the -y 7819 option. dnssec-keygen will simply create a 7820 different, non-colliding key, so an override is 7821 not necessary.) [RT #20838] 7822 78232842. [func] Added "smartsign" and improved "autosign" and 7824 "dnssec" regression tests. [RT #20865] 7825 78262841. [bug] Change 2836 was not complete. [RT #20883] 7827 78282840. [bug] Temporary fixed pkcs11-destroy usage check. 7829 [RT #20760] 7830 78312839. [bug] A KSK revoked by named could not be deleted. 7832 [RT #20881] 7833 78342838. [placeholder] 7835 78362837. [port] Prevent Linux spurious warnings about fwrite(). 7837 [RT #20812] 7838 78392836. [bug] Keys that were scheduled to become active could 7840 be delayed. [RT #20874] 7841 78422835. [bug] Key inactivity dates were inadvertently stored in 7843 the private key file with the outdated tag 7844 "Unpublish" rather than "Inactive". This has been 7845 fixed; however, any existing keys that had Inactive 7846 dates set will now need to have them reset, using 7847 'dnssec-settime -I'. [RT #20868] 7848 78492834. [bug] HMAC-SHA* keys that were longer than the algorithm 7850 digest length were used incorrectly, leading to 7851 interoperability problems with other DNS 7852 implementations. This has been corrected. 7853 (Note: If an oversize key is in use, and 7854 compatibility is needed with an older release of 7855 BIND, the new tool "isc-hmac-fixup" can convert 7856 the key secret to a form that will work with all 7857 versions.) [RT #20751] 7858 78592833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime. 7860 [RT #20851] 7861 78622832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c 7863 to avoid redefinition in some OSs [RT 20831] 7864 78652831. 
[security] Do not attempt to validate or cache 7866 out-of-bailiwick data returned with a secure 7867 answer; it must be re-fetched from its original 7868 source and validated in that context. [RT #20819] 7869 78702830. [bug] Changing the OPTOUT setting could take multiple 7871 passes. [RT #20813] 7872 78732829. [bug] Fixed potential node inconsistency in rbtdb.c. 7874 [RT #20808] 7875 78762828. [security] Cached CNAME or DNAME RR could be returned to clients 7877 without DNSSEC validation. [RT #20737] 7878 78792827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 7880 78812826. [bug] NSEC3->NSEC transitions could fail due to a lock not 7882 being released. [RT #20740] 7883 78842825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that 7885 was in the process of being created was not properly 7886 recorded in the zone. [RT #20786] 7887 78882824. [bug] "rndc sign" was not being run by the correct task. 7889 [RT #20759] 7890 78912823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781] 7892 78932822. [bug] rbtdb.c:loadnode() could return the wrong result. 7894 [RT #20802] 7895 78962821. [doc] Add note that named-checkconf doesn't automatically 7897 read rndc.key and bind.keys [RT #20758] 7898 78992820. [func] Handle read access failure of OpenSSL configuration 7900 file more user friendly (PKCS#11 engine patch). 7901 [RT #20668] 7902 79032819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define. 7904 [RT #20771] 7905 79062818. [cleanup] rndc could return an incorrect error code 7907 when a zone was not found. [RT #20767] 7908 79092817. [cleanup] Removed unnecessary isc_task_endexclusive() calls. 7910 [RT #20768] 7911 79122816. [bug] previous_closest_nsec() could fail to return 7913 data for NSEC3 nodes [RT #29730] 7914 79152815. [bug] Exclusively lock the task when freezing a zone. 7916 [RT #19838] 7917 79182814. [func] Provide a definitive error message when a master 7919 zone is not loaded. [RT #20757] 7920 79212813. 
[bug] Better handling of unreadable DNSSEC key files. 7922 [RT #20710] 7923 79242812. [bug] Make sure updates can't result in a zone with 7925 NSEC-only keys and NSEC3 records. [RT #20748] 7926 79272811. [cleanup] Add "rndc sign" to list of commands in rndc usage 7928 output. [RT #20733] 7929 79302810. [doc] Clarified the process of transitioning an NSEC3 zone 7931 to insecure. [RT #20746] 7932 79332809. [cleanup] Restored accidentally-deleted text in usage output 7934 in dnssec-settime and dnssec-revoke [RT #20739] 7935 79362808. [bug] Remove the attempt to install atomic.h from lib/isc. 7937 atomic.h is correctly installed by the architecture 7938 specific subdirectories. [RT #20722] 7939 79402807. [bug] Fixed a possible ASSERT when reconfiguring zone 7941 keys. [RT #20720] 7942 7943 --- 9.7.0rc1 released --- 7944 79452806. [bug] "rdnc sign" could delay re-signing the DNSKEY 7946 when it had changed. [RT #20703] 7947 79482805. [bug] Fixed namespace problems encountered when building 7949 external programs using non-exported BIND9 libraries 7950 (i.e., built without --enable-exportlib). [RT #20679] 7951 79522804. [bug] Send notifies when a zone is signed with "rndc sign" 7953 or as a result of a scheduled key change. [RT #20700] 7954 79552803. [port] win32: Install named-journalprint, nsec3hash, arpaname 7956 and genrandom under windows. [RT #20670] 7957 79582802. [cleanup] Rename journalprint to named-journalprint. [RT #20670] 7959 79602801. [func] Detect and report records that are different according 7961 to DNSSEC but are semantically equal according to plain 7962 DNS. Apply plain DNS comparisons rather than DNSSEC 7963 comparisons when processing UPDATE requests. 7964 dnssec-signzone now removes such semantically duplicate 7965 records prior to signing the RRset. 7966 7967 named-checkzone -r {ignore|warn|fail} (default warn) 7968 named-compilezone -r {ignore|warn|fail} (default warn) 7969 7970 named.conf: check-dup-records {ignore|warn|fail}; 7971 79722800. 
[func] Reject zones which have NS records which refer to 7973 CNAMEs, DNAMEs or don't have address record (class IN 7974 only). Reject UPDATEs which would cause the zone 7975 to fail the above checks if committed. [RT #20678] 7976 79772799. [cleanup] Changed the "secure-to-insecure" option to 7978 "dnssec-secure-to-insecure", and "dnskey-ksk-only" 7979 to "dnssec-dnskey-kskonly", for clarity. [RT #20586] 7980 79812798. [bug] Addressed bugs in managed-keys initialization 7982 and rollover. [RT #20683] 7983 79842797. [bug] Don't decrement the dispatch manager's maxbuffers. 7985 [RT #20613] 7986 79872796. [bug] Missing dns_rdataset_disassociate() call in 7988 dns_nsec3_delnsec3sx(). [RT #20681] 7989 79902795. [cleanup] Add text to differentiate "update with no effect" 7991 log messages. [RT #18889] 7992 79932794. [bug] Install <isc/namespace.h>. [RT #20677] 7994 79952793. [func] Add "autosign" and "metadata" tests to the 7996 automatic tests. [RT #19946] 7997 79982792. [func] "filter-aaaa-on-v4" can now be set in view 7999 options (if compiled in). [RT #20635] 8000 80012791. [bug] The installation of isc-config.sh was broken. 8002 [RT #20667] 8003 80042790. [bug] Handle DS queries to stub zones. [RT #20440] 8005 80062789. [bug] Fixed an INSIST in dispatch.c [RT #20576] 8007 80082788. [bug] dnssec-signzone could sign with keys that were 8009 not requested [RT #20625] 8010 80112787. [bug] Spurious log message when zone keys were 8012 dynamically reconfigured. [RT #20659] 8013 80142786. [bug] Additional could be promoted to answer. [RT #20663] 8015 8016 --- 9.7.0b3 released --- 8017 80182785. [bug] Revoked keys could fail to self-sign [RT #20652] 8019 80202784. [bug] TC was not always being set when required glue was 8021 dropped. [RT #20655] 8022 80232783. [func] Return minimal responses to EDNS/UDP queries with a UDP 8024 buffer size of 512 or less. [RT #20654] 8025 80262782. [port] win32: use getaddrinfo() for hostname lookups. 8027 [RT #20650] 8028 80292781. 
[bug] Inactive keys could be used for signing. [RT #20649] 8030 80312780. [bug] dnssec-keygen -A none didn't properly unset the 8032 activation date in all cases. [RT #20648] 8033 80342779. [bug] Dynamic key revocation could fail. [RT #20644] 8035 80362778. [bug] dnssec-signzone could fail when a key was revoked 8037 without deleting the unrevoked version. [RT #20638] 8038 80392777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 8040 80412776. [bug] Change #2762 was not correct. [RT #20647] 8042 80432775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible 8044 in dnssec-keyfromlabel. [RT #20643] 8045 80462774. [bug] Existing cache DB wasn't being reused after 8047 reconfiguration. [RT #20629] 8048 80492773. [bug] In autosigned zones, the SOA could be signed 8050 with the KSK. [RT #20628] 8051 80522772. [security] When validating, track whether pending data was from 8053 the additional section or not and only return it if 8054 validates as secure. [RT #20438] 8055 80562771. [bug] dnssec-signzone: DNSKEY records could be 8057 corrupted when importing from key files [RT #20624] 8058 80592770. [cleanup] Add log messages to resolver.c to indicate events 8060 causing FORMERR responses. [RT #20526] 8061 80622769. [cleanup] Change #2742 was incomplete. [RT #19589] 8063 80642768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568] 8065 80662767. [bug] named could crash on startup if a zone was 8067 configured with auto-dnssec and there was no 8068 key-directory. [RT #20615] 8069 80702766. [bug] isc_socket_fdwatchpoke() should only update the 8071 socketmgr state if the socket is not pending on a 8072 read or write. [RT #20603] 8073 80742765. [bug] Skip masters for which the TSIG key cannot be found. 8075 [RT #20595] 8076 80772764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610] 8078 80792763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591] 8080 80812762. [bug] DLV validation failed with a local slave DLV zone. 
8082 [RT #20577] 8083 80842761. [cleanup] Enable internal symbol table for backtrace only for 8085 systems that are known to work. Currently, BSD 8086 variants, Linux and Solaris are supported. [RT #20202] 8087 80882760. [cleanup] Corrected named-compilezone usage summary. [RT #20533] 8089 80902759. [doc] Add information about .jbk/.jnw files to 8091 the ARM. [RT #20303] 8092 80932758. [bug] win32: Added a workaround for a windows 2008 bug 8094 that could cause the UDP client handler to shut 8095 down. [RT #19176] 8096 80972757. [bug] dig: assertion failure could occur in connect 8098 timeout. [RT #20599] 8099 81002756. [bug] Fixed corrupt logfile message in update.c. [RT #20597] 8101 81022755. [placeholder] 8103 81042754. [bug] Secure-to-insecure transitions failed when zone 8105 was signed with NSEC3. [RT #20587] 8106 81072753. [bug] Removed an unnecessary warning that could appear when 8108 building an NSEC chain. [RT #20589] 8109 81102752. [bug] Locking violation. [RT #20587] 8111 81122751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588] 8113 81142750. [bug] dig: assertion failure could occur when a server 8115 didn't have an address. [RT #20579] 8116 81172749. [bug] ixfr-from-differences generated a non-minimal ixfr 8118 for NSEC3 signed zones. [RT #20452] 8119 81202748. [func] Identify bad answers from GTLD servers and treat them 8121 as referrals. [RT #18884] 8122 81232747. [bug] Journal roll forwards failed to set the re-signing 8124 time of RRSIGs correctly. [RT #20541] 8125 81262746. [port] hpux: address signed/unsigned expansion mismatch of 8127 dns_rbtnode_t.nsec. [RT #20542] 8128 81292745. [bug] configure script didn't probe the return type of 8130 gai_strerror(3) correctly. [RT #20573] 8131 81322744. [func] Log if a query was over TCP. [RT #19961] 8133 81342743. [bug] RRSIG could be incorrectly set in the NSEC3 record 8135 for a insecure delegation. 8136 8137 --- 9.7.0b2 released --- 8138 81392742. 
[cleanup] Clarify some DNSSEC-related log messages in 8140 validator.c. [RT #19589] 8141 81422741. [func] Allow the dnssec-keygen progress messages to be 8143 suppressed (dnssec-keygen -q). Automatically 8144 suppress the progress messages when stdin is not 8145 a tty. [RT #20474] 8146 81472740. [placeholder] 8148 81492739. [cleanup] Clean up API for initializing and clearing trust 8150 anchors for a view. [RT #20211] 8151 81522738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system 8153 test. [RT #20453] 8154 81552737. [func] UPDATE requests can leak existence information. 8156 [RT #17261] 8157 81582736. [func] Improve the performance of NSEC signed zones with 8159 more than a normal amount of glue below a delegation. 8160 [RT #20191] 8161 81622735. [bug] dnssec-signzone could fail to read keys 8163 that were specified on the command line with 8164 full paths, but weren't in the current 8165 directory. [RT #20421] 8166 81672734. [port] cygwin: arpaname did not compile. [RT #20473] 8168 81692733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355] 8170 81712732. [func] Add optional filter-aaaa-on-v4 option, available 8172 if built with './configure --enable-filter-aaaa'. 8173 Filters out AAAA answers to clients connecting 8174 via IPv4. (This is NOT recommended for general 8175 use.) [RT #20339] 8176 81772731. [func] Additional work on change 2709. The key parser 8178 will now ignore unrecognized fields when the 8179 minor version number of the private key format 8180 has been increased. It will reject any key with 8181 the major version number increased. [RT #20310] 8182 81832730. [func] Have dnssec-keygen display a progress indication 8184 a la 'openssl genrsa' on standard error. Note 8185 when the first '.' is followed by a long stop 8186 one has the choice between slow generation vs. 8187 poor random quality, i.e., '-r /dev/urandom'. 8188 [RT #20284] 8189 81902729. [func] When constructing a CNAME from a DNAME use the DNAME 8191 TTL. 
[RT #20451] 8192 81932728. [bug] dnssec-keygen, dnssec-keyfromlabel and 8194 dnssec-signzone now warn immediately if asked to 8195 write into a nonexistent directory. [RT #20278] 8196 81972727. [func] The 'key-directory' option can now specify a relative 8198 path. [RT #20154] 8199 82002726. [func] Added support for SHA-2 DNSSEC algorithms, 8201 RSASHA256 and RSASHA512. [RT #20023] 8202 82032725. [doc] Added information about the file "managed-keys.bind" 8204 to the ARM. [RT #20235] 8205 82062724. [bug] Updates to a existing node in secure zone using NSEC 8207 were failing. [RT #20448] 8208 82092723. [bug] isc_base32_totext(), isc_base32hex_totext(), and 8210 isc_base64_totext(), didn't always mark regions of 8211 memory as fully consumed after conversion. [RT #20445] 8212 82132722. [bug] Ensure that the memory associated with the name of 8214 a node in a rbt tree is not altered during the life 8215 of the node. [RT #20431] 8216 82172721. [port] Have dst__entropy_status() prime the random number 8218 generator. [RT #20369] 8219 82202720. [bug] RFC 5011 trust anchor updates could trigger an 8221 assert if the DNSKEY record was unsigned. [RT #20406] 8222 82232719. [func] Skip trusted/managed keys for unsupported algorithms. 8224 [RT #20392] 8225 82262718. [bug] The space calculations in opensslrsa_todns() were 8227 incorrect. [RT #20394] 8228 82292717. [bug] named failed to update the NSEC/NSEC3 record when 8230 the last private type record was removed as a result 8231 of completing the signing the zone with a key. 8232 [RT #20399] 8233 82342716. [bug] nslookup debug mode didn't return the ttl. [RT #20414] 8235 8236 --- 9.7.0b1 released --- 8237 82382715. [bug] Require OpenSSL support to be explicitly disabled. 8239 [RT #20288] 8240 82412714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler 8242 flags. 8243 82442713. [bug] powerpc: atomic operations missing asm("ics") / 8245 __isync() calls. 8246 82472712. 
[func] New 'auto-dnssec' zone option allows zone signing 8248 to be fully automated in zones configured for 8249 dynamic DNS. 'auto-dnssec allow;' permits a zone 8250 to be signed by creating keys for it in the 8251 key-directory and using 'rndc sign <zone>'. 8252 'auto-dnssec maintain;' allows that too, plus it 8253 also keeps the zone's DNSSEC keys up to date 8254 according to their timing metadata. [RT #19943] 8255 82562711. [port] win32: Add the bin/pkcs11 tools into the full 8257 build. [RT #20372] 8258 82592710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only' 8260 zone option cause a zone to be signed with only KSKs 8261 signing the DNSKEY RRset, not ZSKs. This reduces 8262 the size of a DNSKEY answer. [RT #20340] 8263 82642709. [func] Added some data fields, currently unused, to the 8265 private key file format, to allow implementation 8266 of explicit key rollover in a future release 8267 without impairing backward or forward compatibility. 8268 [RT #20310] 8269 82702708. [func] Insecure to secure and NSEC3 parameter changes via 8271 update are now fully supported and no longer require 8272 defines to enable. We now no longer overload the 8273 NSEC3PARAM flag field, nor the NSEC OPT bit at the 8274 apex. Secure to insecure changes are controlled by 8275 by the named.conf option 'secure-to-insecure'. 8276 8277 Warning: If you had previously enabled support by 8278 adding defines at compile time to BIND 9.6 you should 8279 ensure that all changes that are in progress have 8280 completed prior to upgrading to BIND 9.7. BIND 9.7 8281 is not backwards compatible. 8282 82832707. [func] dnssec-keyfromlabel no longer require engine name 8284 to be specified in the label if there is a default 8285 engine or the -E option has been used. Also, it 8286 now uses default algorithms as dnssec-keygen does 8287 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). 8288 [RT #20371] 8289 82902706. 
[bug] Loading a zone with a very large NSEC3 salt could 8291 trigger an assert. [RT #20368] 8292 82932705. [placeholder] 8294 82952704. [bug] Serial of dynamic and stub zones could be inconsistent 8296 with their SOA serial. [RT #19387] 8297 82982703. [func] Introduce an OpenSSL "engine" argument with -E 8299 for all binaries which can take benefit of 8300 crypto hardware. [RT #20230] 8301 83022702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all] 8303 83042701. [doc] Correction to ARM: hmac-md5 is no longer the only 8305 supported TSIG key algorithm. [RT #18046] 8306 83072700. [doc] The match-mapped-addresses option is discouraged. 8308 [RT #12252] 8309 83102699. [bug] Missing lock in rbtdb.c. [RT #20037] 8311 83122698. [placeholder] 8313 83142697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and 8315 S_IFREG are defined after including <isc/stat.h>. 8316 [RT #20309] 8317 83182696. [bug] named failed to successfully process some valid 8319 acl constructs. [RT #20308] 8320 83212695. [func] DHCP/DDNS - update fdwatch code for use by 8322 DHCP. Modify the api to isc_sockfdwatch_t (the 8323 callback function for isc_socket_fdwatchcreate) 8324 to include information about the direction (read 8325 or write) and add isc_socket_fdwatchpoke. 8326 [RT #20253] 8327 83282694. [bug] Reduce default NSEC3 iterations from 100 to 10. 8329 [RT #19970] 8330 83312693. [port] Add some noreturn attributes. [RT #20257] 8332 83332692. [port] win32: 32/64 bit cleanups. [RT #20335] 8334 83352691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 8336 chain when re-signing a previously-signed zone. 8337 Use -u to modify NSEC3 parameters or switch 8338 between NSEC and NSEC3. [RT #20304] 8339 83402690. [bug] win32: fix isc_thread_key_getspecific() prototype. 8341 [RT #20315] 8342 83432689. [bug] Correctly handle snprintf result. [RT #20306] 8344 83452688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, 8346 to decide to fetch the destination address. 
[RT #20305] 8347 83482687. [bug] Fixed dnssec-signzone -S handling of revoked keys. 8349 Also, added warnings when revoking a ZSK, as this is 8350 not defined by protocol (but is legal). [RT #19943] 8351 83522686. [bug] dnssec-signzone should clean the old NSEC chain when 8353 signing with NSEC3 and vice versa. [RT #20301] 8354 83552685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054] 8356 83572684. [cleanup] dig: formalize +ad and +cd as synonyms for 8358 +adflag and +cdflag. [RT #19305] 8359 83602683. [bug] dnssec-signzone should clean out old NSEC3 chains when 8361 the NSEC3 parameters used to sign the zone change. 8362 [RT #20246] 8363 83642682. [bug] "configure --enable-symtable=all" failed to 8365 build. [RT #20282] 8366 83672681. [bug] IPSECKEY RR of gateway type 3 was not correctly 8368 decoded. [RT #20269] 8369 83702680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067] 8371 83722679. [func] dig -k can now accept TSIG keys in named.conf 8373 format. [RT #20031] 8374 83752678. [func] Treat DS queries as if "minimal-response yes;" 8376 was set. [RT #20258] 8377 83782677. [func] Changes to key metadata behavior: 8379 - Keys without "publish" or "active" dates set will 8380 no longer be used for smart signing. However, 8381 those dates will be set to "now" by default when 8382 a key is created; to generate a key but not use 8383 it yet, use dnssec-keygen -G. 8384 - New "inactive" date (dnssec-keygen/settime -I) 8385 sets the time when a key is no longer used for 8386 signing but is still published. 8387 - The "unpublished" date (-U) is deprecated in 8388 favor of "deleted" (-D). 8389 [RT #20247] 8390 83912676. [bug] --with-export-installdir should have been 8392 --with-export-includedir. [RT #20252] 8393 83942675. [bug] dnssec-signzone could crash if the key directory 8395 did not exist. [RT #20232] 8396 8397 --- 9.7.0a3 released --- 8398 83992674. [bug] "dnssec-lookaside auto;" crashed if named was built 8400 without openssl. 
[RT #20231] 8401 84022673. [bug] The managed-keys.bind zone file could fail to 8403 load due to a spurious result from sync_keyzone() 8404 [RT #20045] 8405 84062672. [bug] Don't enable searching in 'host' when doing reverse 8407 lookups. [RT #20218] 8408 84092671. [bug] Add support for PKCS#11 providers not returning 8410 the public exponent in RSA private keys 8411 (OpenCryptoki for instance) in 8412 dnssec-keyfromlabel. [RT #19294] 8413 84142670. [bug] Unexpected connect failures failed to log enough 8415 information to be useful. [RT #20205] 8416 84172669. [func] Update PKCS#11 support to support Keyper HSM. 8418 Update PKCS#11 patch to be against openssl-0.9.8i. 8419 84202668. [func] Several improvements to dnssec-* tools, including: 8421 - dnssec-keygen and dnssec-settime can now set key 8422 metadata fields 0 (to unset a value, use "none") 8423 - dnssec-revoke sets the revocation date in 8424 addition to the revoke bit 8425 - dnssec-settime can now print individual metadata 8426 fields instead of always printing all of them, 8427 and can print them in unix epoch time format for 8428 use by scripts 8429 [RT #19942] 8430 84312667. [func] Add support for logging stack backtrace on assertion 8432 failure (not available for all platforms). [RT #19780] 8433 84342666. [func] Added an 'options' argument to dns_name_fromstring() 8435 (API change from 9.7.0a2). [RT #20196] 8436 84372665. [func] Clarify syntax for managed-keys {} statement, add 8438 ARM documentation about RFC 5011 support. [RT #19874] 8439 84402664. [bug] create_keydata() and minimal_update() in zone.c 8441 didn't properly check return values for some 8442 functions. [RT #19956] 8443 84442663. [func] win32: allow named to run as a service using 8445 "NT AUTHORITY\LocalService" as the account. [RT #19977] 8446 84472662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() 8448 returned a misleading error code when lwresd was 8449 down. [RT #20028] 8450 84512661. 
[bug] Check whether socket fd exceeds FD_SETSIZE when 8452 creating lwres context. [RT #20029] 8453 84542660. [func] Add a new set of DNS libraries for non-BIND9 8455 applications. See README.libdns. [RT #19369] 8456 84572659. [doc] Clarify dnssec-keygen doc: key name must match zone 8458 name for DNSSEC keys. [RT #19938] 8459 84602658. [bug] dnssec-settime and dnssec-revoke didn't process 8461 key file paths correctly. [RT #20078] 8462 84632657. [cleanup] Lower "journal file <path> does not exist, creating it" 8464 log level to debug 1. [RT #20058] 8465 84662656. [func] win32: add a "tools only" check box to the installer 8467 which causes it to only install dig, host, nslookup, 8468 nsupdate and relevant DLLs. [RT #19998] 8469 84702655. [doc] Document that key-directory does not affect 8471 bind.keys, rndc.key or session.key. [RT #20155] 8472 84732654. [bug] Improve error reporting on duplicated names for 8474 deny-answer-xxx. [RT #20164] 8475 84762653. [bug] Treat ENGINE_load_private_key() failures as key 8477 not found rather than out of memory. [RT #18033] 8478 84792652. [func] Provide more detail about what record is being 8480 deleted. [RT #20061] 8481 84822651. [bug] Dates could print incorrectly in K*.key files on 8483 64-bit systems. [RT #20076] 8484 84852650. [bug] Assertion failure in dnssec-signzone when trying 8486 to read keyset-* files. [RT #20075] 8487 84882649. [bug] Set the domain for forward only zones. [RT #19944] 8489 84902648. [port] win32: isc_time_seconds() was broken. [RT #19900] 8491 84922647. [bug] Remove unnecessary SOA updates when a new KSK is 8493 added. [RT #19913] 8494 84952646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 8496 84972645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms 8498 which default to 64 bits. [RT #19927] 8499 8500 --- 9.7.0a2 released --- 8501 85022644. [bug] Change #2628 caused a regression on some systems; 8503 named was unable to write the PID file and would 8504 fail on startup. 
[RT #20001] 8505 85062643. [bug] Stub zones interacted badly with NSEC3 support. 8507 [RT #19777] 8508 85092642. [bug] nsupdate could dump core on solaris when reading 8510 improperly formatted key files. [RT #20015] 8511 85122641. [bug] Fixed an error in parsing update-policy syntax, 8513 added a regression test to check it. [RT #20007] 8514 85152640. [security] A specially crafted update packet will cause named 8516 to exit. [RT #20000] 8517 85182639. [bug] Silence compiler warnings in gssapi code. [RT #19954] 8519 85202638. [bug] Install arpaname. [RT #19957] 8521 85222637. [func] Rationalize dnssec-signzone's signwithkey() calling. 8523 [RT #19959] 8524 85252636. [func] Simplify zone signing and key maintenance with the 8526 dnssec-* tools. Major changes: 8527 - all dnssec-* tools now take a -K option to 8528 specify a directory in which key files will be 8529 stored 8530 - DNSSEC can now store metadata indicating when 8531 they are scheduled to be published, activated, 8532 revoked or removed; these values can be set by 8533 dnssec-keygen or overwritten by the new 8534 dnssec-settime command 8535 - dnssec-signzone -S (for "smart") option reads key 8536 metadata and uses it to determine automatically 8537 which keys to publish to the zone, use for 8538 signing, revoke, or remove from the zone 8539 [RT #19816] 8540 85412635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. 8542 [RT #19716] 8543 85442634. [port] win32: Add support for libxml2, enable 8545 statschannel. [RT #19773] 8546 85472633. [bug] Handle 15 bit rand() functions. [RT #19783] 8548 85492632. [func] util/kit.sh: warn if documentation appears to be out of 8550 date. [RT #19922] 8551 85522631. [bug] Handle "//", "/./" and "/../" in mkdirpath(). 8553 [RT #19926 ] 8554 85552630. [func] Improved syntax for DDNS autoconfiguration: use 8556 "update-policy local;" to switch on local DDNS in a 8557 zone. (The "ddns-autoconf" option has been removed.) 8558 [RT #19875] 8559 85602629. 
[port] Check for seteuid()/setegid(), use setresuid()/ 8561 setresgid() if not present. [RT #19932] 8562 85632628. [port] linux: Allow /var/run/named/named.pid to be opened 8564 at startup with reduced capabilities in operation. 8565 [RT #19884] 8566 85672627. [bug] Named aborted if the same key was included in 8568 trusted-keys more than once. [RT #19918] 8569 85702626. [bug] Multiple trusted-keys could trigger an assertion 8571 failure. [RT #19914] 8572 85732625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865] 8574 85752624. [func] 'named-checkconf -p' will print out the parsed 8576 configuration. [RT #18871] 8577 85782623. [bug] Named started searches for DS non-optimally. [RT #19915] 8579 85802622. [bug] Printing of named.conf grammar was broken. [RT #19919] 8581 85822621. [doc] Made copyright boilerplate consistent. [RT #19833] 8583 85842620. [bug] Delay thawing the zone until the reload of it has 8585 completed successfully. [RT #19750] 8586 85872619. [func] Add support for RFC 5011, automatic trust anchor 8588 maintenance. The new "managed-keys" statement can 8589 be used in place of "trusted-keys" for zones which 8590 support this protocol. (Note: this syntax is 8591 expected to change prior to 9.7.0 final.) [RT #19248] 8592 85932618. [bug] The sdb and sdlz db_interator_seek() methods could 8594 loop infinitely. [RT #19847] 8595 85962617. [bug] ifconfig.sh failed to emit an error message when 8597 run from the wrong location. [RT #19375] 8598 85992616. [bug] 'host' used the nameservers from resolv.conf even 8600 when a explicit nameserver was specified. [RT #19852] 8601 86022615. [bug] "__attribute__((unused))" was in the wrong place 8603 for ia64 gcc builds. [RT #19854] 8604 86052614. [port] win32: 'named -v' should automatically be executed 8606 in the foreground. [RT #19844] 8607 86082613. [placeholder] 8609 8610 --- 9.7.0a1 released --- 8611 86122612. [func] Add default values for the arguments to 8613 dnssec-keygen. 
Without arguments, it will now 8614 generate a 1024-bit RSASHA1 zone-signing key, 8615 or with the -f KSK option, a 2048-bit RSASHA1 8616 key-signing key. [RT #19300] 8617 86182611. [func] Add -l option to dnssec-dsfromkey to generate 8619 DLV records instead of DS records. [RT #19300] 8620 86212610. [port] sunos: Change #2363 was not complete. [RT #19796] 8622 86232609. [func] Simplify the configuration of dynamic zones: 8624 - add ddns-confgen command to generate 8625 configuration text for named.conf 8626 - add zone option "ddns-autoconf yes;", which 8627 causes named to generate a TSIG session key 8628 and allow updates to the zone using that key 8629 - add '-l' (localhost) option to nsupdate, which 8630 causes nsupdate to connect to a locally-running 8631 named process using the session key generated 8632 by named 8633 [RT #19284] 8634 86352608. [func] Perform post signing verification checks in 8636 dnssec-signzone. These can be disabled with -P. 8637 8638 The post sign verification test ensures that for each 8639 algorithm in use there is at least one non revoked 8640 self signed KSK key. That all revoked KSK keys are 8641 self signed. That all records in the zone are signed 8642 by the algorithm. [RT #19653] 8643 86442607. [bug] named could incorrectly delete NSEC3 records for 8645 empty nodes when processing a update request. 8646 [RT #19749] 8647 86482606. [bug] "delegation-only" was not being accepted in 8649 delegation-only type zones. [RT #19717] 8650 86512605. [bug] Accept DS responses from delegation only zones. 8652 [RT # 19296] 8653 86542604. [func] Add support for DNS rebinding attack prevention through 8655 new options, deny-answer-addresses and 8656 deny-answer-aliases. Based on contributed code from 8657 JD Nurmi, Google. [RT #18192] 8658 86592603. [port] win32: handle .exe extension of named-checkzone and 8660 named-comilezone argv[0] names under windows. 8661 [RT #19767] 8662 86632602. 
[port] win32: fix debugging command line build of libisccfg. 8664 [RT #19767] 8665 86662601. [doc] Mention file creation mode mask in the 8667 named manual page. 8668 86692600. [doc] ARM: miscellaneous reformatting for different 8670 page widths. [RT #19574] 8671 86722599. [bug] Address rapid memory growth when validation fails. 8673 [RT #19654] 8674 86752598. [func] Reserve the -F flag. [RT #19657] 8676 86772597. [bug] Handle a validation failure with a insecure delegation 8678 from a NSEC3 signed master/slave zone. [RT #19464] 8679 86802596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay 8681 long, leading to inefficient memory usage or rejecting 8682 newer cache entries in the worst case. [RT #19563] 8683 86842595. [bug] Fix unknown extended rcodes in dig. [RT #19625] 8685 86862594. [func] Have rndc warn if using its default configuration 8687 file when the key file also exists. [RT #19424] 8688 86892593. [bug] Improve a corner source of SERVFAILs [RT #19632] 8690 86912592. [bug] Treat "any" as a type in nsupdate. [RT #19455] 8692 86932591. [bug] named could die when processing a update in 8694 removed_orphaned_ds(). [RT #19507] 8695 86962590. [func] Report zone/class of "update with no effect". 8697 [RT #19542] 8698 86992589. [bug] dns_db_unregister() failed to clear '*dbimp'. 8700 [RT #19626] 8701 87022588. [bug] SO_REUSEADDR could be set unconditionally after failure 8703 of bind(2) call. This should be rare and mostly 8704 harmless, but may cause interference with other 8705 processes that happen to use the same port. [RT #19642] 8706 87072587. [func] Improve logging by reporting serial numbers for 8708 when zone serial has gone backwards or unchanged. 8709 [RT #19506] 8710 87112586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB 8712 or SDB. [RT #19577] 8713 87142585. [bug] Uninitialized socket name could be referenced via a 8715 statistics channel, triggering an assertion failure in 8716 XML rendering. [RT #19427] 8717 87182584. 
[bug] alpha: gcc optimization could break atomic operations. 8719 [RT #19227] 8720 87212583. [port] netbsd: provide a control to not add the compile 8722 date to the version string, -DNO_VERSION_DATE. 8723 87242582. [bug] Don't emit warning log message when we attempt to 8725 remove non-existent journal. [RT #19516] 8726 87272581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. 8728 Requires MySQL 5.0.19 or later. [RT #19084] 8729 87302580. [bug] UpdateRej statistics counter could be incremented twice 8731 for one rejection. [RT #19476] 8732 87332579. [bug] DNSSEC lookaside validation failed to handle unknown 8734 algorithms. [RT #19479] 8735 87362578. [bug] Changed default sig-signing-type to 65534, because 8737 65535 turns out to be reserved. [RT #19477] 8738 87392577. [doc] Clarified some statistics counters. [RT #19454] 8740 87412576. [bug] NSEC record were not being correctly signed when 8742 a zone transitions from insecure to secure. 8743 Handle such incorrectly signed zones. [RT #19114] 8744 87452575. [func] New functions dns_name_fromstring() and 8746 dns_name_tostring(), to simplify conversion 8747 of a string to a dns_name structure and vice 8748 versa. [RT #19451] 8749 87502574. [doc] Document nsupdate -g and -o. [RT #19351] 8751 87522573. [bug] Replacing a non-CNAME record with a CNAME record in a 8753 single transaction in a signed zone failed. [RT #19397] 8754 87552572. [func] Simplify DLV configuration, with a new option 8756 "dnssec-lookaside auto;" This is the equivalent 8757 of "dnssec-lookaside . trust-anchor dlv.isc.org;" 8758 plus setting a trusted-key for dlv.isc.org. 8759 8760 Note: The trusted key is hard-coded into named, 8761 but is also stored in (and can be overridden 8762 by) $sysconfdir/bind.keys. As the ISC DLV key 8763 rolls over it can be kept up to date by replacing 8764 the bind.keys file with a key downloaded from 8765 https://www.isc.org/solutions/dlv. [RT #18685] 8766 87672571. 
[func] Add a new tool "arpaname" which translates IP addresses 8768 to the corresponding IN-ADDR.ARPA or IP6.ARPA name. 8769 [RT #18976] 8770 87712570. [func] Log the destination address the query was sent to. 8772 [RT #19209] 8773 87742569. [func] Move journalprint, nsec3hash, and genrandom 8775 commands from bin/tests into bin/tools; 8776 "make install" will put them in $sbindir. [RT #19301] 8777 87782568. [bug] Report when the write to indicate a otherwise 8779 successful start fails. [RT #19360] 8780 87812567. [bug] dst__privstruct_writefile() could miss write errors. 8782 write_public_key() could miss write errors. 8783 dnssec-dsfromkey could miss write errors. 8784 [RT #19360] 8785 87862566. [cleanup] Clarify logged message when an insecure DNSSEC 8787 response arrives from a zone thought to be secure: 8788 "insecurity proof failed" instead of "not 8789 insecure". [RT #19400] 8790 87912565. [func] Add support for HIP record. Includes new functions 8792 dns_rdata_hip_first(), dns_rdata_hip_next() 8793 and dns_rdata_hip_current(). [RT #19384] 8794 87952564. [bug] Only take EDNS fallback steps when processing timeouts. 8796 [RT #19405] 8797 87982563. [bug] Dig could leak a socket causing it to wait forever 8799 to exit. [RT #19359] 8800 88012562. [doc] ARM: miscellaneous improvements, reorganization, 8802 and some new content. 8803 88042561. [doc] Add isc-config.sh(1) man page. [RT #16378] 8805 88062560. [bug] Add #include <config.h> to iptable.c. [RT #18258] 8807 88082559. [bug] dnssec-dsfromkey could compute bad DS records when 8809 reading from a K* files. [RT #19357] 8810 88112558. [func] Set the ownership of missing directories created 8812 for pid-file if -u has been specified on the command 8813 line. [RT #19328] 8814 88152557. [cleanup] PCI compliance: 8816 * new libisc log module file 8817 * isc_dir_chroot() now also changes the working 8818 directory to "/". 8819 * additional INSISTs 8820 * additional logging when files can't be removed. 8821 88222556. 
[port] Solaris: mkdir(2) on tmpfs filesystems does not do the 8823 error checks in the correct order resulting in the 8824 wrong error code sometimes being returned. [RT #19249] 8825 88262555. [func] dig: when emitting a hex dump also display the 8827 corresponding characters. [RT #19258] 8828 88292554. [bug] Validation of uppercase queries from NSEC3 zones could 8830 fail. [RT #19297] 8831 88322553. [bug] Reference leak on DNSSEC validation errors. [RT #19291] 8833 88342552. [bug] zero-no-soa-ttl-cache was not being honored. 8835 [RT #19340] 8836 88372551. [bug] Potential Reference leak on return. [RT #19341] 8838 88392550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>. 8840 [RT #19343] 8841 88422549. [port] linux: define NR_OPEN if not currently defined. 8843 [RT #19344] 8844 88452548. [bug] Install iterated_hash.h. [RT #19335] 8846 88472547. [bug] openssl_link.c:mem_realloc() could reference an 8848 out-of-range area of the source buffer. New public 8849 function isc_mem_reallocate() was introduced to address 8850 this bug. [RT #19313] 8851 88522546. [func] Add --enable-openssl-hash configure flag to use 8853 OpenSSL (in place of internal routine) for hash 8854 functions (MD5, SHA[12] and HMAC). [RT #18815] 8855 88562545. [doc] ARM: Legal hostname checking (check-names) is 8857 for SRV RDATA too. [RT #19304] 8858 88592544. [cleanup] Removed unused structure members in adb.c. [RT #19225] 8860 88612543. [contrib] Update contrib/zkt to version 0.98. [RT #19113] 8862 88632542. [doc] Update the description of dig +adflag. [RT #19290] 8864 88652541. [bug] Conditionally update dispatch manager statistics. 8866 [RT #19247] 8867 88682540. [func] Add a nibble mode to $GENERATE. [RT #18872] 8869 88702539. [security] Update the interaction between recursion, allow-query, 8871 allow-query-cache and allow-recursion. [RT #19198] 8872 88732538. 
[bug] cache/ADB memory could grow over max-cache-size, 8874 especially with threads and smaller max-cache-size 8875 values. [RT #19240] 8876 88772537. [func] Added more statistics counters including those on socket 8878 I/O events and query RTT histograms. [RT #18802] 8879 88802536. [cleanup] Silence some warnings when -Werror=format-security is 8881 specified. [RT #19083] 8882 88832535. [bug] dig +showsearch and +trace interacted badly. [RT #19091] 8884 88852534. [func] Check NAPTR records regular expressions and 8886 replacement strings to ensure they are syntactically 8887 valid and consistent. [RT #18168] 8888 88892533. [doc] ARM: document @ (at-sign). [RT #17144] 8890 88912532. [bug] dig: check the question section of the response to 8892 see if it matches the asked question. [RT #18495] 8893 88942531. [bug] Change #2207 was incomplete. [RT #19098] 8895 88962530. [bug] named failed to reject insecure to secure transitions 8897 via UPDATE. [RT #19101] 8898 88992529. [cleanup] Upgrade libtool to silence complaints from recent 8900 version of autoconf. [RT #18657] 8901 89022528. [cleanup] Silence spurious configure warning about 8903 --datarootdir [RT #19096] 8904 89052527. [placeholder] 8906 89072526. [func] New named option "attach-cache" that allows multiple 8908 views to share a single cache to save memory and 8909 improve lookup efficiency. Based on contributed code 8910 from Barclay Osborn, Google. [RT #18905] 8911 89122525. [func] New logging category "query-errors" to provide detailed 8913 internal information about query failures, especially 8914 about server failures. [RT #19027] 8915 89162524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129] 8917 89182523. [bug] Random type rdata freed by dns_nsec_typepresent(). 8919 [RT #19112] 8920 89212522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal(). 8922 89232521. [bug] Improve epoll cross compilation support. [RT #19047] 8924 89252520. 
[bug] Update xml statistics version number to 2.0 as change #2388 made the schema incompatible to the previous version. [RT #19080]

2519. [bug] dig/host with -4 or -6 didn't work if more than two nameserver addresses of the excluded address family preceded in resolv.conf. [RT #19081]

2518. [func] Add support for the new CERT types from RFC 4398. [RT #19077]

2517. [bug] dig +trace with -4 or -6 failed when it chose a nameserver address of the excluded address type. [RT #18843]

2516. [bug] glue sort for responses was performed even when not needed. [RT #19039]

2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel. [RT #19063]

2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains a nameserver of the excluded address family. [RT #18848]

2513. [bug] Fix windows cli build. [RT #19062]

2512. [func] Print a summary of the cached records which make up the negative response. [RT #18885]

2511. [cleanup] dns_rdata_tofmttext() add const to linebreak. [RT #18885]

2510. [bug] "dig +sigchase" could trigger REQUIRE failures. [RT #19033]

2509. [bug] Specifying a fixed query source port was broken. [RT #19051]

2508. [placeholder]

2507. [func] Log the recursion quota values when killing the oldest query or refusing to recurse due to quota. [RT #19022]

2506. [port] solaris: Check at configure time if hack_shutup_pthreadonceinit is needed. [RT #19037]

2505. [port] Treat amd64 similarly to x86_64 when determining atomic operation support. [RT #19031]

2504. [bug] Address race condition in the socket code. [RT #18899]

2503. [port] linux: improve compatibility with Linux Standard Base. [RT #18793]

2502. [cleanup] isc_radix: Improve compliance with coding style, document function in <isc/radix.h>.
[RT #18534]

2501. [func] $GENERATE now supports all rdata types. Multi-field rdata types need to be quoted. See the ARM for details. [RT #18368]

2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent function. [RT #18582]

2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash. [RT #18837]

--- 9.6.0rc1 released ---

2498. [bug] Removed a bogus function argument used with ISC_SOCKET_USE_POLLWATCH: it could cause compiler warning or crash named with the debug 1 level of logging. [RT #18917]

2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure delegation.

2496. [bug] Add sanity length checks to NSID option. [RT #18813]

2495. [bug] Tighten RRSIG checks. [RT #18795]

2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being installed. [RT #18826]

2493. [bug] The linux capabilities code was not correctly cleaning up after itself. [RT #18767]

2492. [func] Rndc status now reports the number of cpus discovered and the number of worker threads when running multi-threaded. [RT #18273]

2491. [func] Attempt to re-use a local port if we are already using the port. [RT #18548]

2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO is cleared when IPV6_V6ONLY is set. [RT #18785]

2489. [port] solaris: Workaround Solaris's kernel bug about /dev/poll: http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Define ISC_SOCKET_USE_POLLWATCH at build time to enable this workaround. [RT #18870]

2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records from keyset and .key files. [RT #18694]

2487. [bug] Give TCP connections longer to complete. [RT #18675]

2486.
[func] The default locations for named.pid and lwresd.pid are now /var/run/named/named.pid and /var/run/lwresd/lwresd.pid respectively.

    This allows the owner of the containing directory to be set, for "named -u" support, and allows there to be a permanent symbolic link in the path, for "named -t" support. [RT #18306]

2485. [bug] Change update's handling of obscured RRSIG records. Not all orphaned DS records were being removed. [RT #18828]

2484. [bug] It was possible to trigger a REQUIRE failure when adding NSEC3 proofs to the response in query_addwildcardproof(). [RT #18828]

2483. [port] win32: chroot() is not supported. [RT #18805]

2482. [port] libxml2: support versions 2.7.* in addition to 2.6.*. [RT #18806]

--- 9.6.0b1 released ---

2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain collisions. [RT #18812]

2480. [bug] named could fail to emit all the required NSEC3 records. [RT #18812]

2479. [bug] xfrout:covers was not properly initialized. [RT #18801]

2478. [bug] 'addresses' could be used uninitialized in configure_forward(). [RT #18800]

2477. [bug] dig: the global option to print the command line is +cmd not print_cmd. Update the output to reflect this. [RT #17008]

2476. [doc] ARM: improve documentation for max-journal-size and ixfr-from-differences. [RT #15909] [RT #18541]

2475. [bug] LRU cache cleanup under overmem condition could purge particular entries more aggressively. [RT #17628]

2474. [bug] ACL structures could be allocated with insufficient space, causing an array overrun. [RT #18765]

2473. [port] linux: raise the limit on open files to the possible maximum value before spawning threads; 'files' specified in named.conf doesn't seem to work with threads as expected. [RT #18784]

2472.
[port] linux: check the number of available cpu's before calling chroot as it depends on "/proc". [RT #16923]

2471. [bug] named-checkzone was not reporting missing mandatory glue when sibling checks were disabled. [RT #18768]

2470. [bug] Elements of the isc_radix_node_t could be incorrectly overwritten. [RT #18719]

2469. [port] solaris: Work around Solaris's select() limitations. [RT #18769]

2468. [bug] Resolver could try unreachable servers multiple times. [RT #18739]

2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue. [RT #18302]

2465. [bug] Adb's handling of lame addresses was different for IPv4 and IPv6. [RT #18738]

2464. [port] linux: check that a capability is present before trying to set it. [RT #18135]

2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket API and glibc hides parts of the IPv6 Advanced Socket API as a result. This is stupid as it breaks how the two halves (Basic and Advanced) of the IPv6 Socket API were designed to be used but we have to live with it. Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. [RT #18388]

2462. [doc] Document -m (enable memory usage debugging) option for dig. [RT #18757]

2461. [port] sunos: Change #2363 was not complete. [RT #17513]

--- 9.6.0a1 released ---

2460. [bug] Don't call dns_db_getnsec3parameters() on the cache. [RT #18697]

2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]

2458. [doc] ARM: update and correction for max-cache-size. [RT #18294]

2457. [tuning] max-cache-size is reverted to 0, the previous default. It should be safe because expired cache entries are also purged. [RT #18684]

2456.
[bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any address, regardless of family. They now correctly distinguish IPv4 from IPv6. [RT #18559]

2455. [bug] Stop metadata being transferred via axfr/ixfr. [RT #18639]

2454. [func] nsupdate: you can now set a default ttl. [RT #18317]

2453. [bug] Remove NULL pointer dereference in dns_journal_print(). [RT #18316]

2452. [func] Improve bin/test/journalprint. [RT #18316]

2451. [port] solaris: handle runtime linking better. [RT #18356]

2450. [doc] Fix lwresd docbook problem for manual page. [RT #18672]

2449. [placeholder]

2448. [func] Add NSEC3 support. [RT #15452]

2447. [cleanup] libbind has been split out as a separate product.

2446. [func] Add a new log message about build options on startup. A new command-line option '-V' for named is also provided to show this information. [RT #18645]

2445. [doc] ARM out-of-date on empty reverse zones (list includes RFC1918 address, but these are not yet compiled in). [RT #18578]

2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery (clear DF) for UDP responses and requests.

2443. [bug] win32: UDP connect() would not generate an event, and so connected UDP sockets would never clean up. Fix this by doing an immediate WSAConnect() rather than an io completion port type for UDP.

2442. [bug] A lock could be destroyed twice. [RT #18626]

2441. [bug] isc_radix_insert() could copy radix tree nodes incompletely. [RT #18573]

2440. [bug] named-checkconf used an incorrect test to determine if an ACL was set to none.

2439. [bug] Potential NULL dereference in dns_acl_isanyornone(). [RT #18559]

2438. [bug] Timeouts could be logged incorrectly under win32.

2437.
[bug] Sockets could be closed too early, leading to inconsistent states in the socket module. [RT #18298]

2436. [security] win32: UDP client handler can be shutdown. [RT #18576]

2435. [bug] Fixed an ACL memory leak affecting win32.

2434. [bug] Fixed a minor error-reporting bug in lib/isc/win32/socket.c.

2433. [tuning] Set initial timeout to 800ms.

2432. [bug] More Windows socket handling improvements. Stop using I/O events and use IO Completion Ports throughout. Rewrite the receive path logic to make it easier to support multiple simultaneous requesters in the future. Add stricter consistency checking as a compile-time option (define ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431. [bug] Acl processing could leak memory. [RT #18323]

2430. [bug] win32: isc_interval_set() could round down to zero if the input was less than NS_INTERVAL nanoseconds. Round up instead. [RT #18549]

2429. [doc] nsupdate should be in section 1 of the man pages. [RT #18283]

2428. [bug] dns_iptable_merge() mishandled merges of negative tables. [RT #18409]

2427. [func] Treat DNSKEY queries as if "minimal-response yes;" was set. [RT #18528]

2426. [bug] libbind: inet_net_pton() can sometimes return the wrong value if excessively large net masks are supplied. [RT #18512]

2425. [bug] named didn't detect unavailable query source addresses at load time. [RT #18536]

2424. [port] configure now probes for a working epoll implementation. Allow the use of kqueue, epoll and /dev/poll to be selected at compile time. [RT #18277]

2423. [security] Randomize server selection on queries, so as to make forgery a little more difficult. Instead of always preferring the server with the lowest RTT, pick a server with RTT within the same 128 millisecond band.
[RT #18441]

2422. [bug] Handle the special return value of an empty node as if it was a NXRRSET in the validator. [RT #18447]

2421. [func] Add new command line option '-S' for named to specify the max number of sockets. [RT #18493] Use caution: this option may not work for some operating systems without rebuilding named.

2420. [bug] Windows socket handling cleanup. Let the io completion event send out canceled read/write done events, which keeps us from writing to memory we no longer have ownership of. Add debugging socket_log() function. Rework TCP socket handling to not leak sockets.

2419. [cleanup] Document that isc_socket_create() and isc_socket_open() should not be used for isc_sockettype_fdwatch sockets. [RT #18521]

2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure [RT #18430]

2417. [bug] Connecting UDP sockets for outgoing queries could unexpectedly fail with an 'address already in use' error. [RT #18411]

2416. [func] Log file descriptors that cause exceeding the internal maximum. [RT #18460]

2415. [bug] 'rndc dumpdb' could trigger various assertion failures in rbtdb.c. [RT #18455]

2414. [bug] A masterdump context held the database lock too long, causing various troubles such as dead lock and recursive lock acquisition. [RT #18311, #18456]

2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]

2412. [bug] win32: address a resource leak. [RT #18374]

2411. [bug] Allow using a larger number of sockets than FD_SETSIZE for select(). To enable this, set ISC_SOCKET_MAXSOCKETS at compilation time. [RT #18433]

    Note: with changes #2469 and #2421 above, there is no need to tweak ISC_SOCKET_MAXSOCKETS at compilation time any more.

2410. [bug] Correctly delete m_versionInfo. [RT #18432]

2409.
[bug] Only log that we disabled EDNS processing if we were subsequently successful. [RT #18029]

2408. [bug] A duplicate TCP dispatch event could be sent, which could then trigger an assertion failure in resquery_response(). [RT #18275]

2407. [port] hpux: test for sys/dyntune.h. [RT #18421]

2406. [placeholder]

2405. [cleanup] The default value for dnssec-validation was changed to "yes" in 9.5.0-P1 and all subsequent releases; this was inadvertently omitted from CHANGES at the time.

2404. [port] hpux: files unlimited support.

2403. [bug] TSIG context leak. [RT #18341]

2402. [port] Support Solaris 2.11 and over. [RT #18362]

2401. [bug] Expect to get E[MN]FILE errno internal_accept() (from accept() or fcntl() system calls). [RT #18358]

2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails. [RT #18297]

2399. [placeholder]

2398. [bug] Improve file descriptor management. New, temporary, named.conf option reserved-sockets, default 512. [RT #18344]

2397. [bug] gssapi_functions had too many elements. [RT #18355]

2396. [bug] Don't set SO_REUSEADDR for randomized ports. [RT #18336]

2395. [port] Avoid warning and no effect from "files unlimited" on Linux when running as root. [RT #18335]

2394. [bug] Default configuration options set the limit for open files to 'unlimited' as described in the documentation. [RT #18331]

2393. [bug] nested acls containing keys could trigger an assertion in acl.c. [RT #18166]

2392. [bug] remove 'grep -q' from acl test script, some platforms don't support it. [RT #18253]

2391. [port] hpux: cover additional recvmsg() error codes. [RT #18301]

2390. [bug] dispatch.c could make a false warning on 'odd socket'. [RT #18301].

2389.
[bug] Move the "working directory writable" check to after the ns_os_changeuser() call. [RT #18326]

2388. [bug] Avoid using tables for layout purposes in statistics XSL [RT #18159].

2387. [bug] Silence compiler warnings in lib/isc/radix.c. [RT #18147] [RT #18258]

2386. [func] Add warning about too small 'open files' limit. [RT #18269]

2385. [bug] A condition variable in socket.c could leak in rare error handling [RT #17968].

2384. [security] Fully randomize UDP query ports to improve forgery resilience. [RT #17949, #18098]

2383. [bug] named could double queries when they resulted in SERVFAIL due to overkilling EDNS0 failure detection. [RT #18182]

2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP to ARM.

2381. [port] dlz/mysql: support multiple install layouts for mysql. <prefix>/include/{,mysql/}mysql.h and <prefix>/lib/{,mysql/}. [RT #18152]

2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET proofs which, in turn, caused validation failures for insecure zones immediately below a secure zone the server was authoritative for. [RT #18112]

2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant TLDs and supported RRs with TTLs [RT #17972]

2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5. [RT #18169]

2377. [bug] Address race condition in dnssec-signzone. [RT #18142]

2376. [bug] Change #2144 was not complete.

2375. [placeholder]

2374. [bug] "blackhole" ACLs could cause named to segfault due to some uninitialized memory. [RT #18095]

2373. [bug] Default values of zone ACLs were re-parsed each time a new zone was configured, causing an overconsumption of memory. [RT #18092]

2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]

2371.
[doc] Add +nsid option to dig man page. [RT #18039]

2370. [bug] "rndc freeze" could trigger an assertion in named when called on a nonexistent zone. [RT #18050]

2369. [bug] libbind: Array bounds overrun on read in bitncmp(). [RT #18054]

2368. [port] Linux: use libcap for capability management if possible. [RT #18026]

2367. [bug] Improve counting of dns_resstatscounter_retry [RT #18030]

2366. [bug] Adb shutdown race. [RT #18021]

2365. [bug] Fix a bug that caused dns_acl_isany() to return spurious results. [RT #18000]

2364. [bug] named could trigger an assertion when serving a malformed signed zone. [RT #17828]

2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;". [RT #17513]

2362. [cleanup] Make "rrset-order fixed" a compile-time option, settable by "./configure --enable-fixed-rrset". Disabled by default. [RT #17977]

2361. [bug] "recursion" statistics counter could be counted multiple times for a single query. [RT #17990]

2360. [bug] Fix a condition where we release a database version (which may acquire a lock) while holding the lock.

2359. [bug] Fix NSID bug. [RT #17942]

2358. [doc] Update host's default query description. [RT #17934]

2357. [port] Don't use OpenSSL's engine support in versions before OpenSSL 0.9.7f. [RT #17922]

2356. [bug] Built in mutex profiler was not scalable enough. [RT #17436]

2355. [func] Extend the number of statistics counters available. [RT #17590]

2354. [bug] Failed to initialize some rdatasetheader_t elements. [RT #17927]

2353. [func] Add support for Name Server ID (RFC 5001). 'dig +nsid' requests NSID from server. 'request-nsid yes;' causes recursive server to send NSID requests to upstream servers.
Server responds to NSID requests with the string configured by 'server-id' option. [RT #17091]

2352. [bug] Various GSS_API fixups. [RT #17729]

2351. [bug] convertxsl.pl generated very long lines. [RT #17906]

2350. [port] win32: IPv6 support. [RT #17797]

2349. [func] Provide incremental re-signing support for secure dynamic zones. [RT #1091]

2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support. Documentation is in the new README.pkcs11 file. New tool, dnssec-keyfromlabel, which takes the label of a key pair in a HSM and constructs a DNS key pair for use by named and dnssec-signzone. [RT #16844]

2347. [bug] Delete now traverses the RB tree in the canonical order. [RT #17451]

2346. [func] Memory statistics now cover all active memory contexts in increased detail. [RT #17580]

2345. [bug] named-checkconf failed to detect when forwarders were set at both the options/view level and in a root zone. [RT #17671]

2344. [bug] Improve "logging{ file ...; };" documentation. [RT #17888]

2343. [bug] (Seemingly) duplicate IPv6 entries could be created in ADB. [RT #17837]

2342. [func] Use getifaddrs() if available under Linux. [RT #17224]

2341. [bug] libbind: add missing -I../include for off source tree builds. [RT #17606]

2340. [port] openbsd: interface configuration. [RT #17700]

2339. [port] tru64: support for libbind. [RT #17589]

2338. [bug] check_ds() could be called with a non DS rdataset. [RT #17598]

2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]

2336. [func] If "named -6" is specified then listen on all IPv6 interfaces if there are not listen-on-v6 clauses in named.conf. [RT #17581]

2335. [port] sunos: libbind and *printf() support for long long. [RT #17513]

2334.
[bug] Bad REQUIRES in fromstruct_in_naptr(), off by one bug in fromstruct_txt(). [RT #17609]

2333. [bug] Fix off by one error in isc_time_nowplusinterval(). [RT #17608]

2332. [contrib] query-loc-0.4.0. [RT #17602]

2331. [bug] Failure to regenerate any signatures was not being reported nor being passed back to the UPDATE client. [RT #17570]

2330. [bug] Remove potential race condition when handling over memory events. [RT #17572]

    WARNING: API CHANGE: over memory callback function now needs to call isc_mem_waterack(). See <isc/mem.h> for details.

2329. [bug] Clearer help text for dig's '-x' and '-i' options.

2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET, F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET, J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and M.ROOT-SERVERS.NET.

2327. [bug] It was possible to dereference a NULL pointer in rbtdb.c. Implement dead node processing in zones as we do for caches. [RT #17312]

2326. [bug] It was possible to trigger an INSIST in the acache processing.

2325. [port] Linux: use capset() function if available. [RT #17557]

2324. [bug] Fix IPv6 matching against "any;". [RT #17533]

2323. [port] tru64: namespace clash. [RT #17547]

2322. [port] MacOS: work around the limitation of setrlimit() for RLIMIT_NOFILE. [RT #17526]

2321. [placeholder]

2320. [func] Make statistics counters thread-safe for platforms that support certain atomic operations. [RT #17466]

2319. [bug] Silence Coverity warnings in lib/dns/rdata/in_1/apl_42.c. [RT #17469]

2318. [port] sunos fixes for libbind. [RT #17514]

2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]

2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c. [RT #17513]

2315.
[bug] Used incorrect address family for mapped IPv4 addresses in acl.c. [RT #17519]

2314. [bug] Uninitialized memory use on error path in bin/named/lwdnoop.c. [RT #17476]

2313. [cleanup] Silence Coverity warnings. Handle private stacks. [RT #17447] [RT #17478]

2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c. [RT #17458]

2311. [bug] IPv6 addresses could match IPv4 ACL entries and vice versa. [RT #17462]

2310. [bug] dig, host, nslookup: flush stdout before emitting debug/fatal messages. [RT #17501]

2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c. [RT #17455]

2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c. [RT #17495]

2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496]

2306. [bug] Remove potential race from lib/dns/resolver.c. [RT #17470]

2305. [security] inet_network() buffer overflow. CVE-2008-0122.

2304. [bug] Check returns from all dns_rdata_tostruct() calls. [RT #17460]

2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c. [RT #17471]

2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472]

2301. [bug] Remove resource leak and fix error messages in bin/tests/system/lwresd/lwtest.c. [RT #17474]

2300. [bug] Fixed failure to close open file in bin/tests/names/t_names.c. [RT #17473]

2299. [bug] Remove unnecessary NULL check in bin/nsupdate/nsupdate.c. [RT #17475]

2298. [bug] isc_mutex_lock() failure not caught in bin/tests/timers/t_timers.c. [RT #17468]

2297. [bug] isc_entropy_createfilesource() failure not caught in bin/tests/dst/t_dst.c. [RT #17467]

2296. [port] Allow docbook stylesheet location to be specified to configure. [RT #17457]

2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
[RT #17459]

2294. [func] Allow the experimental statistics channels to have multiple connections and ACL. Note: the stats-server and stats-server-v6 options available in the previous beta releases are replaced with the generic statistics-channels statement.

2293. [func] Add ACL regression test. [RT #17375]

2292. [bug] Log if the working directory is not writable. [RT #17312]

2291. [bug] PR_SET_DUMPABLE may be set too late. Also report failure to set PR_SET_DUMPABLE. [RT #17312]

2290. [bug] Let AD in the query signal that the client wants AD set in the response. [RT #17301]

2289. [func] named-checkzone now reports the out-of-zone CNAME found. [RT #17309]

2288. [port] win32: mark service as running when we have finished loading. [RT #17441]

2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]

2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]

2285. [func] Test framework for client memory context management. [RT #17377]

2284. [bug] Memory leak in UPDATE prerequisite processing. [RT #17377]

2283. [bug] TSIG keys were not attaching to the memory context. TSIG keys should use the rings memory context rather than the clients memory context. [RT #17377]

2282. [bug] Acl code fixups. [RT #17346] [RT #17374]

2281. [bug] Attempts to use undefined acls were not being logged. [RT #17307]

2280. [func] Allow the experimental http server to be reached over IPv6 as well as IPv4. [RT #17332]

2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available, to protect applications from receiving spurious SIGPIPE signals when using the resolver.

2278.
[bug] win32: handle the case where Windows returns no search list or DNS suffix. [RT #17354]

2277. [bug] Empty zone names were not correctly being caught in the post parse checks. [RT #17357]

2276. [bug] Install <dst/gssapi.h>. [RT #17359]

2275. [func] Add support to dig to perform IXFR queries over UDP. [RT #17235]

2274. [func] Log zone transfer statistics. [RT #17336]

2273. [bug] Adjust log level to WARNING when saving inconsistent stub/slave master and journal files. [RT #17279]

2272. [bug] Handle illegal dnssec-lookaside trust-anchor names. [RT #17262]

2271. [bug] Fix a memory leak in http server code [RT #17100]

2270. [bug] dns_db_closeversion() version->writer could be reset before it is tested. [RT #17290]

2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232]

2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones list.

--- 9.5.0b1 released ---

2267. [bug] Radix tree node_num value could be set incorrectly, causing positive ACL matches to look like negative ones. [RT #17311]

2266. [bug] client.c:get_clientmctx() returned the same mctx once the pool of mctx's was filled. [RT #17218]

2265. [bug] Test that the memory context's basic_table is non NULL before freeing. [RT #17265]

2264. [bug] Server prefix length was being ignored. [RT #17308]

2263. [bug] "named-checkconf -z" failed to set default value for "check-integrity". [RT #17306]

2262. [bug] Error status from all but the last view could be lost. [RT #17292]

2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]

2260. [bug] Reported wrong clients-per-query when increasing the value. [RT #17236]

2259. [placeholder]

--- 9.5.0a7 released ---

2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
[RT #17241]

2257. [bug] win32: Use the full path to vcredist_x86.exe when calling it. [RT #17222]

2256. [bug] win32: Correctly register the installation location of bindevt.dll. [RT #17159]

2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42.

2254. [bug] timer.c:dispatch() failed to lock timer->lock when reading timer->idle allowing it to see intermediate values as timer->idle was reset by isc_timer_touch(). [RT #17243]

2253. [func] "max-cache-size" defaults to 32M. "max-acache-size" defaults to 16M.

2252. [bug] Fixed errors in sortlist code [RT #17216]

2251. [placeholder]

2250. [func] New flag 'memstatistics' to state whether the memory statistics file should be written or not. Additionally named's -m option will cause the statistics file to be written. [RT #17113]

2249. [bug] Only set Authentic Data bit if client requested DNSSEC, per RFC 3655 [RT #17175]

2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]

2247. [doc] Sort doc/misc/options. [RT #17067]

2246. [bug] Make the startup of test servers (ans.pl) more robust. [RT #17147]

2245. [bug] Validating lack of DS records at trust anchors wasn't working. [RT #17151]

2244. [func] Allow the check of nameserver names against the SOA MNAME field to be disabled by specifying 'notify-to-soa yes;'. [RT #17073]

2243. [func] Configuration files without a newline at the end now parse without error. [RT #17120]

2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos library could require a source of random data. [RT #17127]

2241. [func] nsupdate: add an interactive 'help' command. [RT #17099]

2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert a number of INSIST()s into plain fatal() errors which report the triggering result code.
The 'key' command wasn't disabling GSS-TSIG. [RT #17099]

2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]

2238. [bug] It was possible to trigger a REQUIRE when a validation was canceled. [RT #17106]

2237. [bug] libbind: res_init() was not thread aware. [RT #17123]

2236. [bug] dnssec-signzone failed to preserve the case of wildcard owner names. [RT #17085]

2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]

2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]

2233. [func] Add support for O(1) ACL processing, based on radix tree code originally written by Kevin Brintnall. [RT #16288]

2232. [bug] dns_adb_findaddrinfo() could fail and return ISC_R_SUCCESS. [RT #17137]

2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken. [RT #17088]

2230. [bug] We could INSIST reading a corrupted journal. [RT #17132]

2229. [bug] Null pointer dereference on query pool creation failure. [RT #17133]

2228. [contrib] contrib: Change 2188 was incomplete.

2227. [cleanup] Tidied up the FAQ. [RT #17121]

2226. [placeholder]

2225. [bug] More support for systems with no IPv4 addresses. [RT #17111]

2224. [bug] Defer journal compaction if a xfrin is in progress. [RT #17119]

2223. [bug] Make a new journal when compacting. [RT #17119]

2222. [func] named-checkconf now checks server key references. [RT #17097]

2221. [bug] Set the event result code to reflect the actual record turned to caller when a cache update is rejected due to a more credible answer existing. [RT #17017]

2220. [bug] win32: Address a race condition in final shutdown of the Windows socket code. [RT #17028]

2219. [bug] Apply zone consistency checks to additions, not removals, when updating.
        [RT #17049]

2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
        [RT #16976]

2217. [func] Adjust update log levels. [RT #17092]

2216. [cleanup] Fix a number of errors reported by Coverity.
        [RT #17094]

2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]

2214. [bug] Deregister OpenSSL lock callback when cleaning
        up. Reorder OpenSSL cleanup so that RAND_cleanup()
        is called before the locks are destroyed. [RT #17098]

2213. [bug] SIG0 diagnostic failure messages were looking at the
        wrong status code. [RT #17101]

2212. [func] 'host -m' now causes memory statistics and active
        memory to be printed at exit. [RT 17028]

2211. [func] Update "dynamic update temporarily disabled" message.
        [RT #17065]

2210. [bug] Deleting class specific records via UPDATE could
        fail. [RT #17074]

2209. [port] osx: linking against user supplied static OpenSSL
        libraries failed as the system ones were still being
        found. [RT #17078]

2208. [port] win32: make sure both build methods produce the
        same output. [RT #17058]

2207. [port] Some implementations of getaddrinfo() fail to set
        ai_canonname correctly. [RT #17061]

--- 9.5.0a6 released ---

2206. [security] "allow-query-cache" and "allow-recursion" now
        cross inherit from each other.

        If allow-query-cache is not set in named.conf then
        allow-recursion is used if set, otherwise allow-query
        is used if set, otherwise the default (localnets;
        localhost;) is used.

        If allow-recursion is not set in named.conf then
        allow-query-cache is used if set, otherwise allow-query
        is used if set, otherwise the default (localnets;
        localhost;) is used.

        [RT #16987]

2205. [bug] libbind: change #2119 broke thread support. [RT #16982]

2204. [bug] "rndc flushname name unknown-view" caused named
        to crash. [RT #16984]

2203. [security] Query id generation was cryptographically weak.
        [RT # 16915]

2202. [security] The default acls for allow-query-cache and
        allow-recursion were not being applied. [RT #16960]

2201. [bug] The build failed in a separate object directory.
        [RT #16943]

2200. [bug] The search for cached NSEC records was stopping too
        early leading to excessive DLV queries. [RT #16930]

2199. [bug] win32: don't call WSAStartup() while loading dlls.
        [RT #16911]

2198. [bug] win32: RegCloseKey() could be called when
        RegOpenKeyEx() failed. [RT #16911]

2197. [bug] Add INSIST to catch negative responses which are
        not setting the event result code appropriately.
        [RT #16909]

2196. [port] win32: yield processor while waiting for once
        to complete. [RT #16958]

2195. [func] dnssec-keygen now defaults to nametype "ZONE"
        when generating DNSKEYs. [RT #16954]

2194. [bug] Close journal before calling 'done' in xfrin.c.

--- 9.5.0a5 released ---

2193. [port] win32: BINDInstall.exe is now linked statically.
        [RT #16906]

2192. [port] win32: use vcredist_x86.exe to install Visual
        Studio's redistributable dlls if building with
        Visual Studio 2005 or later.

2191. [func] named-checkzone now allows dumping to stdout (-).
        named-checkconf now has -h for help.
        named-checkzone now has -h for help.
        rndc now has -h for help.
        Better handling of '-?' for usage summaries.
        [RT #16707]

2190. [func] Make fallback to plain DNS from EDNS due to timeouts
        more visible. New logging category "edns-disabled".
        [RT #16871]

2189. [bug] Handle socket() returning EINTR. [RT #15949]

2188. [contrib] queryperf: autoconf changes to make the search for
        libresolv or libbind more robust.
        [RT #16299]

2187. [bug] query_addds(), query_addwildcardproof() and
        query_addnxrrsetnsec() should take a version
        argument. [RT #16368]

2186. [port] cygwin: libbind: check for struct sockaddr_storage
        independently of IPv6. [RT #16482]

2185. [port] sunos: libbind: check for ssize_t, memmove() and
        memchr(). [RT #16463]

2184. [bug] bind9.xsl.h didn't build out of the source tree.
        [RT #16830]

2183. [bug] dnssec-signzone didn't handle offline private keys
        well. [RT #16832]

2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
        could return ISC_R_SUCCESS when they ran out of
        memory. [RT #16365]

2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]

2180. [cleanup] Remove bit test from 'compress_test' as they
        are no longer needed. [RT #16497]

2179. [func] 'rndc command zone' will now find 'zone' if it is
        unique to all the views. [RT #16821]

2178. [bug] 'rndc reload' of a slave or stub zone resulted in
        a reference leak. [RT #16867]

2177. [bug] Array bounds overrun on read (rcodetext) at
        debug level 10+. [RT #16798]

2176. [contrib] dbus update to handle race condition during
        initialization (Bugzilla 235809). [RT #16842]

2175. [bug] win32: windows broadcast condition variable support
        was broken. [RT #16592]

2174. [bug] I/O errors should always be fatal when reading
        master files. [RT #16825]

2173. [port] win32: When compiling with MSVS 2005 SP1 we also
        need to ship Microsoft.VC80.MFCLOC.

--- 9.5.0a4 released ---

2172. [bug] query_addsoa() was being called with a non zone db.
        [RT #16834]

2171. [bug] Handle breaks in DNSSEC trust chains where the parent
        servers are not DS aware (DS queries to the parent
        return a referral to the child).

2170. [func] Add acache processing to test suite. [RT #16711]

2169. [bug] host, nslookup: when reporting NXDOMAIN report the
        given name and not the last name searched for.
        [RT #16763]

2168. [bug] nsupdate: in non-interactive mode treat syntax errors
        as fatal errors. [RT #16785]

2167. [bug] When re-using an automatic zone named failed to
        attach it to the new view. [RT #16786]

--- 9.5.0a3 released ---

2166. [bug] When running in batch mode, dig could misinterpret
        a server address as a name to be looked up, causing
        unexpected output. [RT #16743]

2165. [func] Allow the destination address of a query to determine
        if we will answer the query or recurse.
        allow-query-on, allow-recursion-on and
        allow-query-cache-on. [RT #16291]

2164. [bug] The code to determine how named-checkzone /
        named-compilezone was called failed under windows.
        [RT #16764]

2163. [bug] If only one of query-source and query-source-v6
        specified a port the query pools code broke (change
        2129). [RT #16768]

2162. [func] Allow "rrset-order fixed" to be disabled at compile
        time. [RT #16665]

2161. [bug] Fix which log messages are emitted for 'rndc flush'.
        [RT #16698]

2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
        from getifaddrs(). [RT #16708]

--- 9.5.0a2 released ---

2159. [bug] Array bounds overrun in acache processing. [RT #16710]

2158. [bug] ns_client_isself() failed to initialize key
        leading to a REQUIRE failure. [RT #16688]

2157. [func] dns_db_transfernode() created. [RT #16685]

2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
        resolver.c:validated() and resolver.c:cache_name().
        Fix a memory leak in rbtdb.c:free_noqname().
        Make lookup.c:lookup_find() robust against
        event leaks.
        [RT #16685]

2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
        [RT #16694]

2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
        matched in acls by omitting the scope. [RT #16599]

2153. [bug] nsupdate could leak memory. [RT #16691]

2152. [cleanup] Use sizeof(buf) instead of fixed number in
        dighost.c:get_trusted_key(). [RT #16678]

2151. [bug] Missing newline in usage message for journalprint.
        [RT #16679]

2150. [bug] 'rrset-order cyclic' uniformly distribute the
        starting point for the first response for a given
        RRset. [RT #16655]

2149. [bug] isc_mem_checkdestroyed() failed to abort
        if there were still active memory contexts.
        [RT #16672]

2148. [func] Add positive logging for rndc commands. [RT #14623]

2147. [bug] libbind: remove potential buffer overflow from
        hmac_link.c. [RT #16437]

2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
        SO_BSDCOMPAT" message. [RT #16641]

2145. [bug] Check DS/DLV digest lengths for known digests.
        [RT #16622]

2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
        [RT #16619]

2143. [bug] We failed to restart the IPv6 client when the
        kernel failed to return the destination the
        packet was sent to. [RT #16613]

2142. [bug] Handle master files with a modification time that
        matches the epoch. [RT #16612]

2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
        equivalent of LDH checks). [RT #16609]

2140. [bug] libbind: missing unlock on pthread_key_create()
        failures. [RT #16654]

2139. [bug] dns_view_find() was being called with wrong type
        in adb.c. [RT #16670]

2138. [bug] Lock order reversal in resolver.c. [RT #16653]

2137. [port] Mips little endian and/or mips 64 bit are now
        supported for atomic operations. [RT #16648]

2136. [bug] nslookup/host looped if there was no search list
        and the host didn't exist. [RT #16657]

2135. [bug] Uninitialized rdataset in sdlz.c. [RT #16656]

2134. [func] Additional statistics support. [RT #16666]

2133. [port] powerpc: Support both IBM and MacOS Power PC
        assembler syntaxes. [RT #16647]

2132. [bug] Missing unlock on out of memory in
        dns_dispatchmgr_setudp().

2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]

2130. [func] Log if CD or DO were set. [RT #16640]

2129. [func] Provide a pool of UDP sockets for queries to be
        made over. See use-queryport-pool, queryport-pool-ports
        and queryport-pool-updateinterval. [RT #16415]

2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]

2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]

2126. [security] Serialize validation of type ANY responses. [RT #16555]

2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
        was defined. [RT #16574]

2124. [security] It was possible to dereference a freed fetch
        context. [RT #16584]

--- 9.5.0a1 released ---

2123. [func] Use Doxygen to generate internal documentation.
        [RT #11398]

2122. [func] Experimental http server and statistics support
        for named via xml.

2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
        second timeout. [RT #16553]

2120. [doc] Fix markup on nsupdate man page. [RT #16556]

2119. [compat] libbind: allow res_init() to succeed enough to
        return the default domain even if it was unable
        to allocate memory.

2118. [bug] Handle response with long chains of domain name
        compression pointers which point to other compression
        pointers.
        [RT #16427]

2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
        which could lead to validation failures. named didn't
        handle negative DS responses that were in the process
        of being validated. Check CNAME bit before accepting
        NODATA proof. To be able to ignore a child NSEC there
        must be SOA (and NS) set in the bitmap. [RT #16399]

2116. [bug] 'rndc reload' could cause the cache to continually
        be cleaned. [RT #16401]

2115. [bug] 'rndc reconfig' could trigger an INSIST if the
        number of masters for a zone was reduced. [RT #16444]

2114. [bug] dig/host/nslookup: searches for names with multiple
        labels were failing. [RT #16447]

2113. [bug] nsupdate: if a zone is specified it should be used
        for server discovery. [RT #16455]

2112. [security] Warn if weak RSA exponent is used. [RT #16460]

2111. [bug] Fix a number of errors reported by Coverity.
        [RT #16507]

2110. [bug] "minimal-responses yes;" interacted badly with BIND 8
        priming queries. [RT #16491]

2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]

2108. [func] DHCID support. [RT #16456]

2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]

2106. [func] 'rndc status' now reports named's version. [RT #16426]

2105. [func] GSS-TSIG support (RFC 3645).

2104. [port] Fix Solaris SMF error message.

2103. [port] Add /usr/sfw to list of locations for OpenSSL
        under Solaris.

2102. [port] Silence Solaris 10 warnings.

2101. [bug] OpenSSL version checks were not quite right.
        [RT #16476]

2100. [port] win32: copy libeay32.dll to Build\Debug.
        Copy Debug\named-checkzone to Debug\named-compilezone.

2099. [port] win32: more manifest issues.

2098. [bug] Race in rbtdb.c:no_references(), which occasionally
        triggered an INSIST failure about the node lock
        reference. [RT #16411]

2097. [bug] named could reference a destroyed memory context
        after being reloaded / reconfigured. [RT #16428]

2096. [bug] libbind: handle applications that fail to detect
        res_init() failures better.

2095. [port] libbind: always prototype inet_cidr_ntop_ipv6() and
        net_cidr_ntop_ipv6(). [RT #16388]

2094. [contrib] Update named-bootconf. [RT #16404]

2093. [bug] named-checkzone -s was broken.

2092. [bug] win32: dig, host, nslookup. Use registry config
        if resolv.conf does not exist or no nameservers
        listed. [RT #15877]

2091. [port] dighost.c: race condition on cleanup. [RT #16417]

2090. [port] win32: Visual C++ 2005 command line manifest support.
        [RT #16417]

2089. [security] Raise the minimum safe OpenSSL versions to
        OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
        prior to these have known security flaws which
        are (potentially) exploitable in named. [RT #16391]

2088. [security] Change the default RSA exponent from 3 to 65537.
        [RT #16391]

2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
        [RT #16382]

2086. [port] libbind: FreeBSD now has get*by*_r() functions.
        [RT #16403]

2085. [doc] win32: added index.html and README to zip. [RT #16201]

2084. [contrib] dbus update for 9.3.3rc2.

2083. [port] win32: Visual C++ 2005 support.

2082. [doc] Document 'cache-file' as a test only option.

2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
        [RT #16360]

2080. [port] libbind: res_init.c did not compile on older versions
        of Solaris. [RT #16363]

2079. [bug] The lame cache was not handling multiple types
        correctly.
        [RT #16361]

2078. [bug] dnssec-checkzone output style "default" was badly
        named. It is now called "relative". [RT #16326]

2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the
        complete signed zone. [RT #16326]

2076. [bug] Several files were missing #include <config.h>
        causing build failures on OSF. [RT #16341]

2075. [bug] The spillat timer event handler could leak memory.
        [RT #16357]

2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
        dns_request_createraw2() and dns_request_createraw3()
        failed to send multiple UDP requests. [RT #16349]

2073. [bug] Incorrect semantics check for update policy "wildcard".
        [RT #16353]

2072. [bug] We were not generating valid HMAC SHA digests.
        [RT #16320]

2071. [port] Test whether gcc accepts -fno-strict-aliasing.
        [RT #16324]

2070. [bug] The remote address was not always displayed when
        reporting dispatch failures. [RT #16315]

2069. [bug] Cross compiling was not working. [RT #16330]

2068. [cleanup] Lower incremental tuning message to debug 1.
        [RT #16319]

2067. [bug] 'rndc' could close the socket too early triggering
        an INSIST under Windows. [RT #16317]

2066. [security] Handle SIG queries gracefully. [RT #16300]

2065. [bug] libbind: probe for HPUX prototypes for
        endprotoent_r() and endservent_r(). [RT 16313]

2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]

2063. [bug] Change #1955 introduced a bug which caused the first
        'rndc flush' call to not free memory. [RT #16244]

2062. [bug] 'dig +nssearch' was reusing a buffer before it had
        been returned by the socket code. [RT #16307]

2061. [bug] Accept expired wildcard message reversed. [RT #16296]

2060. [bug] Enabling DLZ support could leave views partially
        configured. [RT #16295]

2059. [bug] Search into cache rbtdb could trigger an INSIST
        failure while cleaning up a stale rdataset.
        [RT #16292]

2058. [bug] Adjust how we calculate rtt estimates in the presence
        of authoritative servers that drop EDNS and/or CD
        requests. Also fall back to EDNS/512 and plain DNS
        faster for zones with less than 3 servers. [RT #16187]

2057. [bug] Make setting "ra" dependent on both allow-query-cache
        and allow-recursion. [RT #16290]

2056. [bug] dig: ixfr= was not being treated case insensitively
        at all times. [RT #15955]

2055. [bug] Missing goto after dropping multicast query.
        [RT #15944]

2054. [port] freebsd: do not explicitly link against -lpthread.
        [RT #16170]

2053. [port] netbsd: libbind: silence compiler warnings. [RT #16220]

2052. [bug] 'rndc' improve connect failed message to report
        the failing address. [RT #15978]

2051. [port] More strtol() fixes. [RT #16249]

2050. [bug] Parsing of NSAP records was not case insensitive.
        [RT #16287]

2049. [bug] Restore SOA before AXFR when falling back from
        an attempted IXFR when transferring in a zone.
        Allow an initial SOA query before attempting
        an AXFR to be requested. [RT #16156]

2048. [bug] It was possible to loop forever when using
        avoid-v4-udp-ports / avoid-v6-udp-ports when
        the OS always returned the same local port.
        [RT #16182]

2047. [bug] Failed to initialize the interface flags to zero.
        [RT #16245]

2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
        cleanup [RT #16247].

2045. [func] Use lock buckets for acache entries to limit memory
        consumption. [RT #16183]

2044. [port] Add support for atomic operations for Itanium.
        [RT #16179]

2043. [port] nsupdate/nslookup: Force the flushing of the prompt
        for interactive sessions. [RT #16148]

2042. [bug] named-checkconf was incorrectly rejecting the
        logging category "config". [RT #16117]

2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
        set of libraries to be linked. [RT #16129]

2040. [bug] rbtdb no_references() could trigger an INSIST
        failure with --enable-atomic. [RT #16022]

2039. [func] Check that all buffers passed to the socket code
        have been retrieved when the socket event is freed.
        [RT #16122]

2038. [bug] dig/nslookup/host was unlinking from wrong list
        when handling errors. [RT #16122]

2037. [func] When unlinking the first or last element in a list
        check that the list head points to the element to
        be unlinked. [RT #15959]

2036. [bug] 'rndc recursing' could trigger a REQUIRE.
        [RT #16075]

2035. [func] Make falling back to TCP on UDP refresh failure
        optional. Default "try-tcp-refresh yes;" for BIND 8
        compatibility. [RT #16123]

2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]

2033. [bug] We weren't creating multiple client memory contexts
        on demand as expected. [RT #16095]

2032. [bug] Remove an INSIST in query_addadditional2(). [RT #16074]

2031. [bug] Emit an error message when "rndc refresh" is called on
        a non slave/stub zone. [RT # 16073]

2030. [bug] We were being overly conservative when disabling
        openssl engine support. [RT #16030]

2029. [bug] host printed out the server multiple times when
        specified on the command line. [RT #15992]

2028. [port] linux: socket.c compatibility for old systems.
        [RT #16015]

2027. [port] libbind: Solaris x86 support. [RT #16020]

2026. [bug] Rate limit the two recursive client exceeded messages.
        [RT #16044]

2025. [func] Update "zone serial unchanged" message. [RT #16026]

2024. [bug] named emitted spurious "zone serial unchanged"
        messages on reload. [RT #16027]

2023. [bug] "make install" should create ${localstatedir}/run and
        ${sysconfdir} if they do not exist. [RT #16033]

2022. [bug] If dnssec validation is disabled only assert CD if
        CD was requested. [RT #16037]

2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]

2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]

2019. [tuning] Reduce the amount of work performed per quantum
        when cleaning the cache. [RT #15986]

2018. [bug] Checking if the HMAC MD5 private file was broken.
        [RT #15960]

2017. [bug] allow-query default was not correct. [RT #15946]

2016. [bug] Return a partial answer if recursion is not
        allowed but requested and we had the answer
        to the original qname. [RT #15945]

2015. [cleanup] use-additional-cache is now acache-enable for
        consistency. Default acache-enable off in BIND 9.4
        as it requires memory usage to be configured.
        It may be enabled by default in BIND 9.5 once we
        have more experience with it.

2014. [func] Statistics about acache now recorded and sent
        to log. [RT #15976]

2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
        responses more gracefully. [RT #15941]

2012. [func] Don't insert new acache entries if acache is full.
        [RT #15970]

2011. [func] dnssec-signzone can now update the SOA record of
        the signed zone, either as an increment or as the
        system time(). [RT #15633]

2010. [placeholder] rt15958

2009. [bug] libbind: Coverity fixes. [RT #15808]

2008. [func] It is now possible to enable/disable DNSSEC
        validation from rndc. This is useful for the
        mobile hosts where the current connection point
        breaks DNSSEC (firewall/proxy). [RT #15592]

            rndc validation newstate [view]

2007. [func] It is now possible to explicitly enable DNSSEC
        validation. default dnssec-validation no; to
        be changed to yes in 9.5.0. [RT #15674]

2006. [security] Allow-query-cache and allow-recursion now default
        to the built in acls "localnets" and "localhost".

        This is being done to make caching servers less
        attractive as reflective amplifying targets for
        spoofed traffic. This still leaves authoritative
        servers exposed.

        The best fix is for full BCP 38 deployment to
        remove spoofed traffic.

2005. [bug] libbind: Retransmission timeouts should be
        based on which attempt it is to the nameserver
        and not the nameserver itself. [RT #13548]

2004. [bug] dns_tsig_sign() could pass a NULL pointer to
        dst_context_destroy() when cleaning up after an
        error. [RT #15835]

2003. [bug] libbind: The DNS name/address lookup functions could
        occasionally follow a random pointer due to
        structures not being completely zeroed. [RT #15806]

2002. [bug] libbind: tighten the constraints on when
        struct addrinfo._ai_pad exists. [RT #15783]

2001. [func] Check the KSK flag when updating a secure dynamic zone.
        New zone option "update-check-ksk yes;". [RT #15817]

2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]

1999. [func] Implement "rrset-order fixed". [RT #13662]

1998. [bug] Restrict handling of fifos as sockets to just SunOS.
        This allows named to connect to entropy gathering
        daemons that use fifos instead of sockets. [RT #15840]

1997. [bug] Named was failing to replace negative cache entries
        when a positive one for the type was learnt.
        [RT #15818]

1996. [bug] nsupdate: if a zone has been specified it should
        appear in the output of 'show'. [RT #15797]

1995. [bug] 'host' was reporting multiple "is an alias" messages.
        [RT #15702]

1994. [port] OpenSSL 0.9.8 support. [RT #15694]

1993. [bug] Log messages, via syslog, were missing the space
        after the timestamp if "print-time yes" was specified.
        [RT #15844]

1992. [bug] Not all incoming zone transfer messages included the
        view. [RT #15825]

1991. [cleanup] The configuration data, once read, should be treated
        as read only. Expand the use of const to enforce this
        at compile time. [RT #15813]

1990. [bug] libbind: isc's override of broken gettimeofday()
        implementations was not always effective.
        [RT #15709]

1989. [bug] win32: don't check the service password when
        re-installing. [RT #15882]

1988. [bug] Remove a bus error from the SHA256/SHA512 support.
        [RT #15878]

1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]

1986. [func] Report when a zone is removed. [RT #15849]

1985. [protocol] DLV has now been assigned an official type code of
        32769. [RT #15807]

        Note: care should be taken to ensure you upgrade
        both named and dnssec-signzone at the same time for
        zones with DLV records where named is the master
        server for the zone. Also any zones that contain
        DLV records should be removed when upgrading a slave
        zone. You do not however have to upgrade all
        servers for a zone with DLV records simultaneously.

1984. [func] dig, nslookup and host now advertise a 4096 byte
        EDNS UDP buffer size by default. [RT #15855]

1983. [func] Two new update policies. "selfsub" and "selfwild".
        [RT #12895]

1982. [bug] DNSKEY was being accepted on the parent side of
        a delegation. KEY is still accepted there for
        RFC 3007 validated updates. [RT #15620]

1981. [bug] win32: condition.c:wait() could fail to reattain
        the mutex lock.

1980. [func] dnssec-signzone: output the SOA record as the
        first record in the signed zone. [RT #15758]

1979. [port] linux: allow named to drop core after changing
        user ids. [RT #15753]

1978. [port] Handle systems which have a broken recvmsg().
        [RT #15742]

1977. [bug] Silence noisy log message. [RT #15704]

1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]

1975. [bug] libbind: isc_gethexstring() could misparse multi-line
        hex strings with comments. [RT #15814]

1974. [doc] List each of the zone types and associated zone
        options separately in the ARM.

1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
        HMACSHA512 support. [RT #13606]

1972. [contrib] DBUS dynamic forwarders integration from
        Jason Vas Dias <jvdias@redhat.com>.

1971. [port] linux: make detection of missing IF_NAMESIZE more
        robust. [RT #15443]

1970. [bug] nsupdate: adjust UDP timeout when falling back to
        unsigned SOA query. [RT #15775]

1969. [bug] win32: the socket code was freeing the socket
        structure too early. [RT #15776]

1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]

1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]

1966. [bug] Don't set CD when we have fallen back to plain DNS.
        [RT #15727]

1965. [func] Suppress spurious "recursion requested but not
        available" warning with 'dig +qr'. [RT #15780].

1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]

1963. [port] Tru64 4.0E doesn't support send() and recv().
        [RT #15586]

1962. [bug] Named failed to clear old update-policy when it
        was removed. [RT #15491]

1961. [bug] Check the port and address of responses forwarded
        to dispatch. [RT #15474]

1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
        [RT #15465]

1959. [func] Control the zeroing of the negative response TTL to
        a soa query. Defaults "zero-no-soa-ttl yes;" and
        "zero-no-soa-ttl-cache no;". [RT #15460]

1958. [bug] Named failed to update the zone's secure state
        until the zone was reloaded. [RT #15412]

1957. [bug] Dig mishandled responses to class ANY queries.
        [RT #15402]

1956. [bug] Improve cross compile support, 'gen' is now built
        by native compiler. See README for additional
        cross compile support information. [RT #15148]

1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]

1954. [func] Named now falls back to advertising EDNS with a
        512 byte receive buffer if the initial EDNS queries
        fail. [RT #14852]

1953. [func] The maximum EDNS UDP response named will send can
        now be set in named.conf (max-udp-size). This is
        independent of the advertised receive buffer
        (edns-udp-size). [RT #14852]

1952. [port] hpux: tell the linker to build a runtime link
        path "-Wl,+b:". [RT #14816].

1951. [security] Drop queries from particular well known ports.
        Don't return FORMERR to queries from particular
        well known ports. [RT #15636]

1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
        a TCP socket. This prevents the source address being
        set for TCP connections. [RT #15628]

1949. [func] Additional memory leakage checks. [RT #15544]

1948. [bug] It was possible to trigger a REQUIRE failure in
        xfrin.c:maybe_free() if named ran out of memory.
        [RT #15568]

1947. [func] It is now possible to configure named to accept
        expired RRSIGs. Default "dnssec-accept-expired no;".
        Setting "dnssec-accept-expired yes;" leaves named
        vulnerable to replay attacks. [RT #14685]

1946. [bug] resume_dslookup() could trigger a REQUIRE failure
        when using forwarders. [RT #15549]

1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
        To generate a RSAMD5 key you must explicitly request
        RSAMD5. [RT #13780]

1944. [cleanup] isc_hash_create() does not need a read/write lock.
        [RT #15522]

1943. [bug] Set the loadtime after rolling forward the journal.
        [RT #15647]

1942. [bug] If the name of a DNSKEY matches that of one in
        trusted-keys do not attempt to validate the DNSKEY
        using the parent's DS RRset. [RT #15649]

1941. [bug] ncache_adderesult() should set eresult even if no
        rdataset is passed to it. [RT #15642]

1940. [bug] Fixed a number of error conditions reported by
        Coverity.

1939. [bug] The resolver could dereference a null pointer after
        validation if all the queries have timed out.
        [RT #15528]

1938. [bug] The validator was not correctly handling unsecure
        negative responses at or below a SEP. [RT #15528]

1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]

1936. [bug] The validator could leak memory. [RT #15544]

1935. [bug] 'acache' was DO sensitive. [RT #15430]

1934. [func] Validate pending NS RRsets, in the authority section,
        prior to returning them if it can be done without
        requiring DNSKEYs to be fetched. [RT #15430]

1933. [bug] dump_rdataset_raw() had an incorrect INSIST. [RT #15534]

1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]

1931. [bug] Per-client mctx could require a huge amount of memory,
        particularly for a busy caching server. [RT #15519]

1930. [port] HPUX: ia64 support. [RT #15473]

1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]

1927. [bug] Access to soanode or nsnode in rbtdb violated the
        lock order rule and could cause a deadlock.
        [RT #15518]

1926. [bug] The Windows installer did not check for empty
        passwords. BINDinstall was being installed in
        the wrong place. [RT #15483]

1925. [port] All outer level AC_TRY_RUNs need cross compiling
        defaults. [RT #15469]

1924. [port] libbind: hpux ia64 support. [RT #15473]

1923. [bug] ns_client_detach() called too early. [RT #15499]

1922. [bug] check-tool.c:setup_logging() missing call to
        dns_log_setcontext().

1921. [bug] Client memory contexts were not using internal
        malloc. [RT #15434]

1920. [bug] The cache rbtdb lock array was too small to
        have the desired performance characteristics.
        [RT #15454]

1919. [contrib] queryperf: a set of new features: collecting/printing
        response delays, printing intermediate results, and
        adjusting query rate for the "target" qps.

1918. [bug] Memory leak when checking acls. [RT #15391]

1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
        when generating man pages. [RT #15385]

1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383]

1915. [bug] dig +ndots was broken. [RT #15215]

1914. [protocol] DS is required to accept mnemonic algorithms
        (RFC 4034). Still emit numeric algorithms for
        compatibility with RFC 3658. [RT #15354]

1913. [func] Integrate contributed DLZ code into named.
[RT #11382] 10831 108321912. [port] aix: atomic locking for powerpc. [RT #15020] 10833 108341911. [bug] Update windows socket code. [RT #14965] 10835 108361910. [bug] dig's +sigchase code overhauled. [RT #14933] 10837 108381909. [bug] The DLV code has been re-worked to make no longer 10839 query order sensitive. [RT #14933] 10840 108411908. [func] dig now warns if 'RA' is not set in the answer when 10842 'RD' was set in the query. host/nslookup skip servers 10843 that fail to set 'RA' when 'RD' is set unless a server 10844 is explicitly set. [RT #15005] 10845 108461907. [func] host/nslookup now continue (default)/fail on SERVFAIL. 10847 [RT #15006] 10848 108491906. [func] dig now has a '-q queryname' and '+showsearch' options. 10850 [RT #15034] 10851 108521905. [bug] Strings returned from cfg_obj_asstring() should be 10853 treated as read-only. The prototype for 10854 cfg_obj_asstring() has been updated to reflect this. 10855 [RT #15256] 10856 108571904. [func] Automatic empty zone creation for D.F.IP6.ARPA and 10858 friends. Note: RFC 1918 zones are not yet covered by 10859 this but are likely to be in a future release. 10860 10861 New options: empty-server, empty-contact, 10862 empty-zones-enable and disable-empty-zone. 10863 108641903. [func] ISC string copy API. 10865 108661902. [func] Attempt to make the amount of work performed in a 10867 iteration self tuning. The covers nodes clean from 10868 the cache per iteration, nodes written to disk when 10869 rewriting a master file and nodes destroyed per 10870 iteration when destroying a zone or a cache. 10871 [RT #14996] 10872 108731901. [cleanup] Don't add DNSKEY records to the additional section. 10874 108751900. [bug] ixfr-from-differences failed to ensure that the 10876 serial number increased. [RT #15036] 10877 108781899. [func] named-checkconf now validates update-policy entries. 10879 [RT #14963] 10880 108811898. 
[bug] Extend ISC_SOCKADDR_FORMATSIZE and 10882 ISC_NETADDR_FORMATSIZE to allow for scope details. 10883 108841897. [func] x86 and x86_64 now have separate atomic locking 10885 implementations. 10886 108871896. [bug] Recursive clients soft quota support wasn't working 10888 as expected. [RT #15103] 10889 108901895. [bug] A escaped character is, potentially, converted to 10891 the output character set too early. [RT #14666] 10892 108931894. [doc] Review ARM for BIND 9.4. 10894 108951893. [port] Use uintptr_t if available. [RT #14606] 10896 108971892. [func] Support for SPF rdata type. [RT #15033] 10898 108991891. [port] freebsd: pthread_mutex_init can fail if it runs out 10900 of memory. [RT #14995] 10901 109021890. [func] Raise the UDP receive buffer size to 32k if it is 10903 less than 32k. [RT #14953] 10904 109051889. [port] sunos: non blocking i/o support. [RT #14951] 10906 109071888. [func] Support for IPSECKEY rdata type. [RT #14967] 10908 109091887. [bug] The cache could delete expired records too fast for 10910 clients with a virtual time in the past. [RT #14991] 10911 109121886. [bug] fctx_create() could return success even though it 10913 failed. [RT #14993] 10914 109151885. [func] dig: report the number of extra bytes still left in 10916 the packet after processing all the records. 10917 109181884. [cleanup] dighost.c: move external declarations into <dig/dig.h>. 10919 109201883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug 10921 levels. [RT #14962] 10922 109231882. [func] Limit the number of recursive clients that can be 10924 waiting for a single query (<qname,qtype,qclass>) to 10925 resolve. New options clients-per-query and 10926 max-clients-per-query. 10927 109281881. [func] Add a system test for named-checkconf. [RT #14931] 10929 109301880. [func] The lame cache is now done on a <qname,qclass,qtype> 10931 basis as some servers only appear to be lame for 10932 certain query types. [RT #14916] 10933 109341879. 
[func] "USE INTERNAL MALLOC" is now runtime selectable. 10935 [RT #14892] 10936 109371878. [func] Detect duplicates of UDP queries we are recursing on 10938 and drop them. New stats category "duplicate". 10939 [RT #2471] 10940 109411877. [bug] Fix unreasonably low quantum on call to 10942 dns_rbt_destroy2(). Remove unnecessary unhash_node() 10943 call. [RT #14919] 10944 109451876. [func] Additional memory debugging support to track size 10946 and mctx arguments. [RT #14814] 10947 109481875. [bug] process_dhtkey() was using the wrong memory context 10949 to free some memory. [RT #14890] 10950 109511874. [port] sunos: portability fixes. [RT #14814] 10952 109531873. [port] win32: isc__errno2result() now reports its caller. 10954 [RT #13753] 10955 109561872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753] 10957 109581871. [placeholder] 10959 109601870. [func] Added framework for handling multiple EDNS versions. 10961 [RT #14873] 10962 109631869. [func] dig can now specify the EDNS version when making 10964 a query. [RT #14873] 10965 109661868. [func] edns-udp-size can now be overridden on a per 10967 server basis. [RT #14851] 10968 109691867. [bug] It was possible to trigger a INSIST in 10970 dlv_validatezonekey(). [RT #14846] 10971 109721866. [bug] resolv.conf parse errors were being ignored by 10973 dig/host/nslookup. [RT #14841] 10974 109751865. [bug] Silently ignore nameservers in /etc/resolv.conf with 10976 bad addresses. [RT #14841] 10977 109781864. [bug] Don't try the alternative transfer source if you 10979 got a answer / transfer with the main source 10980 address. [RT #14802] 10981 109821863. [bug] rrset-order "fixed" error messages not complete. 10983 109841862. [func] Add additional zone data constancy checks. 10985 named-checkzone has extended checking of NS, MX and 10986 SRV record and the hosts they reference. 10987 named has extended post zone load checks. 10988 New zone options: check-mx and integrity-check. 10989 [RT #4940] 10990 109911861. 
[bug] dig could trigger a INSIST on certain malformed 10992 responses. [RT #14801] 10993 109941860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was 10995 incorrectly set. [RT #14775] 10996 109971859. [func] Add support for CH A record. [RT #14695] 10998 109991858. [bug] The flush-zones-on-shutdown option wasn't being 11000 parsed. [RT #14686] 11001 110021857. [bug] named could trigger a INSIST() if reconfigured / 11003 reloaded too fast. [RT #14673] 11004 110051856. [doc] Switch Docbook toolchain from DSSSL to XSL. 11006 [RT #11398] 11007 110081855. [bug] ixfr-from-differences was failing to detect changes 11009 of ttl due to dns_diff_subtract() was ignoring the ttl 11010 of records. [RT #14616] 11011 110121854. [bug] lwres also needs to know the print format for 11013 (long long). [RT #13754] 11014 110151853. [bug] Rework how DLV interacts with proveunsecure(). 11016 [RT #13605] 11017 110181852. [cleanup] Remove last vestiges of dnssec-signkey and 11019 dnssec-makekeyset (removed from Makefile years ago). 11020 110211851. [doc] Doxygen comment markup. [RT #11398] 11022 110231850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591] 11024 110251849. [doc] All forms of the man pages (docbook, man, html) should 11026 have consistent copyright dates. 11027 110281848. [bug] Improve SMF integration. [RT #13238] 11029 110301847. [bug] isc_ondestroy_init() is called too late in 11031 dns_rbtdb_create()/dns_rbtdb64_create(). 11032 [RT #13661] 11033 110341846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer 11035 <bortzmeyer@nic.fr>. 11036 110371845. [bug] Improve error reporting to distinguish between 11038 accept()/fcntl() and socket()/fcntl() errors. 11039 [RT #13745] 11040 110411844. [bug] inet_pton() accepted more that 4 hexadecimal digits 11042 for each 16 bit piece of the IPv6 address. The text 11043 representation of a IPv6 address has been tightened 11044 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt). 11045 [RT #5662] 11046 110471843. 
[cleanup] CINCLUDES takes precedence over CFLAGS. This helps 11048 when CFLAGS contains "-I /usr/local/include" 11049 resulting in old header files being used. 11050 110511842. [port] cmsg_len() could produce incorrect results on 11052 some platform. [RT #13744] 11053 110541841. [bug] "dig +nssearch" now makes a recursive query to 11055 find the list of nameservers to query. [RT #13694] 11056 110571840. [func] dnssec-signzone can now randomize signature end times 11058 (dnssec-signzone -j jitter). [RT #13609] 11059 110601839. [bug] <isc/hash.h> was not being installed. 11061 110621838. [cleanup] Don't allow Linux capabilities to be inherited. 11063 [RT #13707] 11064 110651837. [bug] Compile time option ISC_FACILITY was not effective 11066 for 'named -u <user>'. [RT #13714] 11067 110681836. [cleanup] Silence compiler warnings in hash_test.c. 11069 110701835. [bug] Update dnssec-signzone's usage message. [RT #13657] 11071 110721834. [bug] Bad memset in rdata_test.c. [RT #13658] 11073 110741833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660] 11075 110761832. [bug] named fails to return BADKEY on unknown TSIG algorithm. 11077 [RT #13620] 11078 110791831. [doc] Update named-checkzone documentation. [RT #13604] 11080 110811830. [bug] adb lame cache has sense of test reversed. [RT #13600] 11082 110831829. [bug] win32: "pid-file none;" broken. [RT #13563] 11084 110851828. [bug] isc_rwlock_init() failed to properly cleanup if it 11086 encountered a error. [RT #13549] 11087 110881827. [bug] host: update usage message for '-a'. [RT #37116] 11089 110901826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out 11091 of memory error. [RT #13537] 11092 110931825. [bug] Missing UNLOCK() on out of memory error from in 11094 rbtdb.c:subtractrdataset(). [RT #13519] 11095 110961824. [bug] Memory leak on dns_zone_setdbtype() failure. 11097 [RT #13510] 11098 110991823. [bug] Wrong macro used to check for point to point interface. 11100 [RT #13418] 11101 111021822. 
[bug] check-names test for RT was reversed. [RT #13382] 11103 111041821. [placeholder] 11105 111061820. [bug] Gracefully handle acl loops. [RT #13659] 11107 111081819. [bug] The validator needed to check both the algorithm and 11109 digest types of the DS to determine if it could be 11110 used to introduce a secure zone. [RT #13593] 11111 111121818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] 11113 111141817. [func] Add support for additional zone file formats for 11115 improving loading performance. The masterfile-format 11116 option in named.conf can be used to specify a 11117 non-default format. A separate command 11118 named-compilezone was provided to generate zone files 11119 in the new format. Additionally, the -I and -O options 11120 for dnssec-signzone specify the input and output 11121 formats. 11122 111231816. [port] UnixWare: failed to compile lib/isc/unix/net.c. 11124 [RT #13597] 11125 111261815. [bug] nsupdate triggered a REQUIRE if the server was set 11127 without also setting the zone and it encountered 11128 a CNAME and was using TSIG. [RT #13086] 11129 111301814. [func] UNIX domain controls are now supported. 11131 111321813. [func] Restructured the data locking framework using 11133 architecture dependent atomic operations (when 11134 available), improving response performance on 11135 multi-processor machines significantly. 11136 x86, x86_64, alpha, powerpc, and mips are currently 11137 supported. 11138 111391812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect. 11140 [RT #13453] 11141 111421811. [func] Preserve the case of domain names in rdata during 11143 zone transfers. [RT #13547] 11144 111451810. [bug] configure, lib/bind/configure make different default 11146 decisions about whether to do a threaded build. 11147 [RT #13212] 11148 111491809. [bug] "make distclean" failed for libbind if the platform 11150 is not supported. 11151 111521808. 
[bug] zone.c:notify_zone() contained a race condition, 11153 zone->db could change underneath it. [RT #13511] 11154 111551807. [bug] When forwarding (forward only) set the active domain 11156 from the forward zone name. [RT #13526] 11157 111581806. [bug] The resolver returned the wrong result when a CNAME / 11159 DNAME was encountered when fetching glue from a 11160 secure namespace. [RT #13501] 11161 111621805. [bug] Pending status was not being cleared when DLV was 11163 active. [RT #13501] 11164 111651804. [bug] Ensure that if we are queried for glue that it fits 11166 in the additional section or TC is set to tell the 11167 client to retry using TCP. [RT #10114] 11168 111691803. [bug] dnssec-signzone sometimes failed to remove old 11170 RRSIGs. [RT #13483] 11171 111721802. [bug] Handle connection resets better. [RT #11280] 11173 111741801. [func] Report differences between hints and real NS rrset 11175 and associated address records. 11176 111771800. [bug] Changes #1719 allowed a INSIST to be triggered. 11178 [RT #13428] 11179 111801799. [bug] 'rndc flushname' failed to flush negative cache 11181 entries. [RT #13438] 11182 111831798. [func] The server syntax has been extended to support a 11184 range of servers. [RT #11132] 11185 111861797. [func] named-checkconf now check acls to verify that they 11187 only refer to existing acls. [RT #13101] 11188 111891796. [func] "rndc freeze/thaw" now freezes/thaws all zones. 11190 111911795. [bug] "rndc dumpdb" was not fully documented. Minor 11192 formatting issues with "rndc dumpdb -all". [RT #13396] 11193 111941794. [func] Named and named-checkzone can now both check for 11195 non-terminal wildcard records. 11196 111971793. [func] Extend adjusting TTL warning messages. [RT #13378] 11198 111991792. [func] New zone option "notify-delay". Specify a minimum 11200 delay between sets of NOTIFY messages. 11201 112021791. [bug] 'host -t a' still printed out AAAA and MX records. 11203 [RT #13230] 11204 112051790. 
[cleanup] Move lib/dns/sec/dst up into lib/dns. This should 11206 allow parallel make to succeed. 11207 112081789. [bug] Prerequisite test for tkey and dnssec could fail 11209 with "configure --with-libtool". 11210 112111788. [bug] libbind9.la/libbind9.so needs to link against 11212 libisccfg.la/libisccfg.so. 11213 112141787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings. 11215 112161786. [port] AIX: libt_api needs to be taught to look for 11217 T_testlist in the main executable (--with-libtool). 11218 [RT #13239] 11219 112201785. [bug] libbind9.la/libbind9.so needs to link against 11221 libisc.la/libisc.so. 11222 112231784. [cleanup] "libtool -allow-undefined" is the default. 11224 Leave hooks in configure to allow it to be set 11225 if needed in the future. 11226 112271783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the 11228 source tree. 11229 112301782. [port] OSX: --with-libtool + --enable-libbind broke on 11231 __evOptMonoTime. [RT #13219] 11232 112331781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810] 11234 112351780. [bug] Update libtool to 1.5.10. 11236 112371779. [port] OSF 5.1: libtool didn't handle -pthread correctly. 11238 112391778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and 11240 IN6ADDR_LOOPBACK_INIT macros. 11241 112421777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and 11243 IN6ADDR_LOOPBACK_INIT macros. 11244 112451776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and 11246 IN6ADDR_LOOPBACK_INIT macros. 11247 112481775. [bug] Only compile getnetent_r.c when threaded. [RT #13205] 11249 112501774. [port] Aix: Silence compiler warnings / build failures. 11251 [RT #13154] 11252 112531773. [bug] Fast retry on host / net unreachable. [RT #13153] 11254 112551772. [placeholder] 11256 112571771. [placeholder] 11258 112591770. [bug] named-checkconf failed to report missing a missing 11260 file clause for rbt{64} master/hint zones. [RT #13009] 11261 112621769. 
[port] win32: change compiler flags /MTd ==> /MDd, 11263 /MT ==> /MD. 11264 112651768. [bug] nsecnoexistnodata() could be called with a non-NSEC 11266 rdataset. [RT #12907] 11267 112681767. [port] Builds on IPv6 platforms without IPv6 Advanced API 11269 support for (struct in6_pktinfo) failed. [RT #13077] 11270 112711766. [bug] Update the master file timestamp on successful refresh 11272 as well as the journal's timestamp. [RT #13062] 11273 112741765. [bug] configure --with-openssl=auto failed. [RT #12937] 11275 112761764. [bug] dns_zone_replacedb failed to emit a error message 11277 if there was no SOA record in the replacement db. 11278 [RT #13016] 11279 112801763. [func] Perform sanity checks on NS records which refer to 11281 'in zone' names. [RT #13002] 11282 112831762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS 11284 even when it failed. [RT #12995] 11285 112861761. [bug] 'rndc dumpdb' didn't report unassociated entries. 11287 [RT #12971] 11288 112891760. [bug] Host / net unreachable was not penalising rtt 11290 estimates. [RT #12970] 11291 112921759. [bug] Named failed to startup if the OS supported IPv6 11293 but had no IPv6 interfaces configured. [RT #12942] 11294 112951758. [func] Don't send notify messages to self. [RT #12933] 11296 112971757. [func] host now can turn on memory debugging flags with '-m'. 11298 112991756. [func] named-checkconf now checks the logging configuration. 11300 [RT #12352] 11301 113021755. [func] allow-update is now settable at the options / view 11303 level. [RT #6636] 11304 113051754. [bug] We weren't always attempting to query the parent 11306 server for the DS records at the zone cut. 11307 [RT #12774] 11308 113091753. [bug] Don't serve a slave zone which has no NS records. 11310 [RT #12894] 11311 113121752. [port] Move isc_app_start() to after ns_os_daemonise() 11313 as some fork() implementations unblock the signals 11314 that are blocked by isc_app_start(). [RT #12810] 11315 113161751. 
[bug] --enable-getifaddrs failed under linux. [RT #12867] 11317 113181750. [port] lib/bind/make/rules.in:subdirs was not bash friendly. 11319 [RT #12864] 11320 113211749. [bug] 'check-names response ignore;' failed to ignore. 11322 [RT #12866] 11323 113241748. [func] dig now returns the byte count for axfr/ixfr. 11325 113261747. [bug] BIND 8 compatibility: named/named-checkconf failed 11327 to parse "host-statistics-max" in named.conf. 11328 113291746. [func] Make public the function to read a key file, 11330 dst_key_read_public(). [RT #12450] 11331 113321745. [bug] Dig/host/nslookup accept replies from link locals 11333 regardless of scope if no scope was specified when 11334 query was sent. [RT #12745] 11335 113361744. [bug] If tuple2msgname() failed to convert a tuple to 11337 a name a REQUIRE could be triggered. [RT #12796] 11338 113391743. [bug] If isc_taskmgr_create() was not able to create the 11340 requested number of worker threads then destruction 11341 of the manager would trigger an INSIST() failure. 11342 [RT #12790] 11343 113441742. [bug] Deleting all records at a node then adding a 11345 previously existing record, in a single UPDATE 11346 transaction, failed to leave / regenerate the 11347 associated RRSIG records. [RT #12788] 11348 113491741. [bug] Deleting all records at a node in a secure zone 11350 using a update-policy grant failed. [RT #12787] 11351 113521740. [bug] Replace rbt's hash algorithm as it performed badly 11353 with certain zones. [RT #12729] 11354 11355 NOTE: a hash context now needs to be established 11356 via isc_hash_create() if the application was not 11357 already doing this. 11358 113591739. [bug] dns_rbt_deletetree() could incorrectly return 11360 ISC_R_QUOTA. [RT #12695] 11361 113621738. [bug] Enable overrun checking by default. [RT #12695] 11363 113641737. [bug] named failed if more than 16 masters were specified. 11365 [RT #12627] 11366 113671736. [bug] dst_key_fromnamedfile() could fail to read a 11368 public key. 
[RT #12687] 11369 113701735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. 11371 [RE #12688] 11372 113731734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path. 11374 [RT #12588] 11375 113761733. [bug] Return non-zero exit status on initial load failure. 11377 [RT #12658] 11378 113791732. [bug] 'rrset-order name "*"' wasn't being applied to ".". 11380 [RT #12467] 11381 113821731. [port] darwin: relax version test in ifconfig.sh. 11383 [RT #12581] 11384 113851730. [port] Determine the length type used by the socket API. 11386 [RT #12581] 11387 113881729. [func] Improve check-names error messages. 11389 113901728. [doc] Update check-names documentation. 11391 113921727. [bug] named-checkzone: check-names support didn't match 11393 documentation. 11394 113951726. [port] aix5: add support for aix5. 11396 113971725. [port] linux: update error message on interaction of threads, 11398 capabilities and setuid support (named -u). [RT #12541] 11399 114001724. [bug] Look for DNSKEY records with "dig +sigtrace". 11401 [RT #12557] 11402 114031723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493] 11404 114051722. [bug] Don't commit the journal on malformed ixfr streams. 11406 [RT #12519] 11407 114081721. [bug] Error message from the journal processing were not 11409 always identifying the relevant journal. [RT #12519] 11410 114111720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1 11412 negative response. [RT #12506] 11413 114141719. [bug] named was not correctly caching a RFC 2308 Type 1 11415 negative response. [RT #12506] 11416 114171718. [bug] nsupdate was not handling RFC 2308 Type 3 negative 11418 responses when looking for the zone / master server. 11419 [RT #12506] 11420 114211717. [port] solaris: ifconfig.sh did not support Solaris 10. 11422 "ifconfig.sh down" didn't work for Solaris 9. 11423 114241716. [doc] named.conf(5) was being installed in the wrong 11425 location. [RT #12441] 11426 114271715. 
[func] 'dig +trace' now randomly selects the next servers 11428 to try. Report if there is a bad delegation. 11429 114301714. [bug] dig/host/nslookup were only trying the first 11431 address when a nameserver was specified by name. 11432 [RT #12286] 11433 114341713. [port] linux: extend capset failure message to say: 11435 please ensure that the capset kernel module is 11436 loaded. see insmod(8) 11437 114381712. [bug] Missing FULLCHECK for "trusted-key" in dig. 11439 114401711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'. 11441 114421710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY 11443 messages for the specified zone. [RT #9479] 11444 114451709. [port] solaris: add SMF support from Sun. 11446 114471708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() 11448 for conformance to the name space convention. Binary 11449 backward compatibility to the old function name is 11450 provided. [RT #12376] 11451 114521707. [contrib] sdb/ldap updated to version 1.0-beta. 11453 114541706. [bug] 'rndc stop' failed to cause zones to be flushed 11455 sometimes. [RT #12328] 11456 114571705. [func] Allow the journal's name to be changed via named.conf. 11458 114591704. [port] lwres needed a snprintf() implementation for 11460 platforms without snprintf(). Add missing 11461 "#include <isc/print.h>". [RT #12321] 11462 114631703. [bug] named would loop sending NOTIFY messages when it 11464 failed to receive a response. [RT #12322] 11465 114661702. [bug] also-notify should not be applied to built in zones. 11467 [RT #12323] 11468 114691701. [doc] A minimal named.conf man page. 11470 114711700. [func] nslookup is no longer to be treated as deprecated. 11472 Remove "deprecated" warning message. Add man page. 11473 114741699. [bug] dnssec-signzone can generate "not exact" errors 11475 when resigning. [RT #12281] 11476 114771698. [doc] Use reserved IPv6 documentation prefix. 11478 114791697. 
[bug] xxx-source{,-v6} was not effective when it 11480 specified one of listening addresses and a 11481 different port than the listening port. [RT #12257] 11482 114831696. [bug] dnssec-signzone failed to clean out nodes that 11484 consisted of only NSEC and RRSIG records. 11485 [RT #12154] 11486 114871695. [bug] DS records when forwarding require special handling. 11488 [RT #12133] 11489 114901694. [bug] Report if the builtin views of "_default" / "_bind" 11491 are defined in named.conf. [RT #12023] 11492 114931693. [bug] max-journal-size was not effective for master zones 11494 with ixfr-from-differences set. [RT #12024] 11495 114961692. [bug] Don't set -I, -L and -R flags when libcrypto is in 11497 /usr/lib. [RT #11971] 11498 114991691. [bug] sdb's attachversion was not complete. [RT #11990] 11500 115011690. [bug] Delay detaching view from the client until UPDATE 11502 processing completes when shutting down. [RT #11714] 11503 115041689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros 11505 contained gratuitous semicolons. [RT #11707] 11506 115071688. [bug] LDFLAGS was not supported. 11508 115091687. [bug] Race condition in dispatch. [RT #10272] 11510 115111686. [bug] Named sent a extraneous NOTIFY when it received a 11512 redundant UPDATE request. [RT #11943] 11513 115141685. [bug] Change #1679 loop tests weren't quite right. 11515 115161684. [func] ixfr-from-differences now takes master and slave in 11517 addition to yes and no at the options and view levels. 11518 115191683. [bug] dig +sigchase could leak memory. [RT #11445] 11520 115211682. [port] Update configure test for (long long) printf format. 11522 [RT #5066] 11523 115241681. [bug] Only set SO_REUSEADDR when a port is specified in 11525 isc_socket_bind(). [RT #11742] 11526 115271680. [func] rndc: the source address can now be specified. 11528 115291679. [bug] When there was a single nameserver with multiple 11530 addresses for a zone not all addresses were tried. 
11531 [RT #11706] 11532 115331678. [bug] RRSIG should use TYPEXXXXX for unknown types. 11534 115351677. [bug] dig: +aaonly didn't work, +aaflag undocumented. 11536 115371676. [func] New option "allow-query-cache". This lets 11538 allow-query be used to specify the default zone 11539 access level rather than having to have every 11540 zone override the global value. allow-query-cache 11541 can be set at both the options and view levels. 11542 If allow-query-cache is not set allow-query applies. 11543 115441675. [bug] named would sometimes add extra NSEC records to 11545 the authority section. 11546 115471674. [port] linux: increase buffer size used to scan 11548 /proc/net/if_inet6. 11549 115501673. [port] linux: issue a error messages if IPv6 interface 11551 scans fails. 11552 115531672. [cleanup] Tests which only function in a threaded build 11554 now return R:THREADONLY (rather than R:UNTESTED) 11555 in a non-threaded build. 11556 115571671. [contrib] queryperf: add NAPTR to the list of known types. 11558 115591670. [func] Log UPDATE requests to slave zones without an acl as 11560 "disabled" at debug level 3. [RT #11657] 11561 115621669. [placeholder] 11563 115641668. [bug] DIG_SIGCHASE was making bin/dig/host dump core. 11565 115661667. [port] linux: not all versions have IF_NAMESIZE. 11567 115681666. [bug] The optional port on hostnames in dual-stack-servers 11569 was being ignored. 11570 115711665. [func] rndc now allows addresses to be set in the 11572 server clauses. 11573 115741664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. 11575 115761663. [func] Look for OpenSSL by default. 11577 115781662. [bug] Change #1658 failed to change one use of 'type' 11579 to 'keytype'. 11580 115811661. [bug] Restore dns_name_concatenate() call in 11582 adb.c:set_target(). [RT #11582] 11583 115841660. [bug] win32: connection_reset_fix() was being called 11585 unconditionally. [RT #11595] 11586 115871659. 
[cleanup] Clean up some messages that were referring to KEY vs
        DNSKEY, NXT vs NSEC and SIG vs RRSIG.

1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
        and DH. Tighten which options apply to KEY and
        DNSKEY records.

1657. [doc] ARM: document query log output.

1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC,
        DNSKEY and RRSIG. [RT #11542]

1655. [bug] Logging multiple versions w/o a size was broken.
        [RT #11446]

1654. [bug] isc_result_totext() contained an array bounds read
        error.

1653. [func] Add key type checking to dst_key_fromfilename(),
        DST_TYPE_KEY should be used to read TSIG, TKEY and
        SIG(0) keys.

1652. [bug] TKEY still uses KEY.

1651. [bug] dig: process multiple dash options.

1650. [bug] dig, nslookup: flush standard out after each command.

1649. [bug] Silence "unexpected non-minimal diff" message.
        [RT #11206]

1648. [func] Update dnssec-lookaside named.conf syntax to support
        multiple dnssec-lookaside namespaces (not yet
        implemented).

1647. [bug] It was possible to trigger an INSIST when chasing a DS
        record that required walking back over an empty node.
        [RT #11445]

1646. [bug] win32: logging file versions didn't work with
        non-UNC filenames. [RT #11486]

1645. [bug] named could trigger a REQUIRE failure if multiple
        masters with keys are specified.

1644. [bug] Update the journal modification time after a
        successful refresh query. [RT #11436]

1643. [bug] dns_db_closeversion() could leak memory / node
        references. [RT #11163]

1642. [port] Support OpenSSL implementations which don't have
        DSA support. [RT #11360]

1641. [bug] Update the check-names description in ARM. [RT #11389]

1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
        incorrectly closing the socket. [RT #11291]

1639. [func] Initial dlv system test.

1638. [bug] "ixfr-from-differences" could generate a REQUIRE
        failure if the journal open failed. [RT #11347]

1637. [bug] Node reference leak on error in addnoqname().

1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
        an error had occurred. The database version no longer
        matched the version of the database that was dumped.

1635. [bug] Memory leak on error in query_addds().

1634. [bug] named didn't supply a useful error message when it
        detected duplicate views. [RT #11208]

1633. [bug] named should return NOTIMP to update requests to a
        slave without an allow-update-forwarding acl specified.
        [RT #11331]

1632. [bug] nsupdate failed to send prerequisite only UPDATE
        messages. [RT #11288]

1631. [bug] dns_journal_compact() could sometimes corrupt the
        journal. [RT #11124]

1630. [contrib] queryperf: add support for IPv6 transport.

1629. [func] dig now supports IPv6 scoped addresses with the
        extended format in the local-server part. [RT #8753]

1628. [bug] Typo in Compaq Trucluster support. [RT #11264]

1627. [bug] win32: sockets were not being closed when the
        last external reference was removed. [RT #11179]

1626. [bug] --enable-getifaddrs was broken. [RT #11259]

1625. [bug] named failed to load/transfer RFC2535 signed zones
        which contained CNAMES. [RT #11237]

1624. [bug] zonemgr_putio() call should be locked. [RT #11163]

1623. [bug] A serial number of zero was being displayed in the
        "sending notifies" log message when also-notify was
        used. [RT #11177]

1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
        available, and suppress wildcard binding if not.

1621. [bug] match-destinations did not work for IPv6 TCP queries.
        [RT #11156]

1620. [func] When loading a zone, report if it is signed. [RT #11149]

1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
        [RT #11118]

1618. [bug] Fencepost errors in dns_name_ishostname() and
        dns_name_ismailbox() could trigger an INSIST().

1617. [port] win32: VC++ 6.0 support.

1616. [compat] Ensure that named's version is visible in the core
        dump. [RT #11127]

1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
        it is defined.

1614. [port] win32: silence resource limit messages. [RT #11101]

1613. [bug] Builds would fail on machines w/o an if_nametoindex().
        Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
        [RT #11119]

1612. [bug] check-names at the option/view level could trigger
        an INSIST. [RT #11116]

1611. [bug] solaris: IPv6 interface scanning failed to cope with
        no active IPv6 interfaces.

1610. [bug] On dual stack machines "dig -b" failed to set the
        address type to be looked up with "@server".
        [RT #11069]

1609. [func] dig now has support to chase DNSSEC signature chains.
        Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.

        DNSSEC validation code in dig coded by Olivier Courtay
        (olivier.courtay@irisa.fr) for the IDsA project
        (http://idsa.irisa.fr).

1608. [func] dig and host now accept -4/-6 to select IP transport
        to use when making queries.

1607. [bug] dig, host and nslookup were still using random()
        to generate query ids. [RT #11013]

1606. [bug] DLV insecurity proof was failing.

1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.

1604. [bug] A xfrout_ctx_create() failure would result in
        xfrout_ctx_destroy() being called with a
        partially initialized structure.

1603. [bug] nsupdate: set interactive based on isatty().
        [RT #10929]

1602. [bug] Logging to a file failed unless a size was specified.
        [RT #10925]

1601. [bug] Silence spurious 'both "recursion no;" and
        "allow-recursion" active' warning from view "_bind".
        [RT #10920]

1600. [bug] Duplicate zone pre-load checks were not case
        insensitive.

1599. [bug] Fix memory leak on error path when checking named.conf.

1598. [func] Specify that certain parts of the namespace must
        be secure (dnssec-must-be-secure).

1597. [func] Allow notify-source and query-source to be specified
        on a per server basis similar to transfer-source.
        [RT #6496]

1596. [func] Accept 'notify-source' style syntax for query-source.

1595. [func] New notify type 'master-only'. Enable notify for
        master zones only.

1594. [bug] 'rndc dumpdb' could prevent named from answering
        queries while the dump was in progress. [RT #10565]

1593. [bug] rndc should return "unknown command" to unknown
        commands. [RT #10642]

1592. [bug] configure_view() could leak a dispatch. [RT #10675]

1591. [bug] libbind: updated to BIND 8.4.5.

1590. [port] netbsd: update thread support.

1589. [func] DNSSEC lookaside validation.

1588. [bug] win32: TCP sockets could become blocked. [RT #10115]

1587. [bug] dns_message_settsigkey() failed to clear existing key.
        [RT #10590]

1586. [func] "check-names" is now implemented.

1585. [placeholder]

1584. [bug] "make test" failed with a read only source tree.
        [RT #10461]

1583. [bug] Records added via UPDATE failed to get the correct trust
        level. [RT #10452]

1582. [bug] rrset-order failed to work on RRsets with more
        than 32 elements. [RT #10381]

1581. [func] Disable DNSSEC support by default. To enable
        DNSSEC specify "dnssec-enable yes;" in named.conf.

1580. [bug] Zone destruction on final detach takes a long time.
        [RT #3746]

1579. [bug] Multiple task managers could not be created.

1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
        [RT #10346]

1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
        workaround code. [RT #10331]

1576. [bug] Race condition in dns_dispatch_addresponse().
        [RT #10272]

1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]

1574. [bug] Don't attempt to open the controls socket(s) when
        running tests. [RT #9091]

1573. [port] linux: update to libtool 1.5.2 so that
        "make install DESTDIR=/xx" works with
        "configure --with-libtool". [RT #9941]

1572. [bug] nsupdate: sign the soa query to find the enclosing
        zone if the server is specified. [RT #10148]

1571. [bug] rbt:hash_node() could fail leaving the hash table
        in an inconsistent state. [RT #10208]

1570. [bug] nsupdate failed to handle classes other than IN.
        New keyword 'class' which sets the default class.
        [RT #10202]

1569. [func] nsupdate new command 'answer' which displays the
        complete answer message to the last update.

1568. [bug] nsupdate now reports that the update failed in
        interactive mode. [RT #10236]

1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.

1566. [port] Support for the cmsg framework on Solaris and HP/UX.
        This also solved the problem that match-destinations
        for IPv6 addresses did not work on these systems.
        [RT #10221]

1565. [bug] CD flag should be copied to outgoing queries unless
        the query is under a secure entry point in which case
        CD should be set.

1564. [func] Attempt to provide a fallback entropy source to be
        used if named is running chrooted and named is unable
        to open entropy source within the chroot area.
        [RT #10133]

1563. [bug] Gracefully fail when unable to obtain either an IPv4
        or an IPv6 dispatch. [RT #10230]

1562. [bug] isc_socket_create() and isc_socket_accept() could
        leak memory under error conditions. [RT #10230]

1561. [bug] It was possible to release the same name twice if
        named ran out of memory. [RT #10197]

1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
        and EAI_NONAME to the same value.

1559. [port] named should ignore SIGFSZ.

1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
        child zones for which we don't have a supported
        algorithm. Such child zones are treated as unsigned.

1557. [func] Implement missing DNSSEC tests for
        * NOQNAME proof with wildcard answers.
        * NOWILDCARD proof with NXDOMAIN.
        Cache and return NOQNAME with wildcard answers.

1556. [bug] nsupdate now treats all names as fully qualified.
        [RT #6427]

1555. [func] 'rrset-order cyclic' no longer has a random starting
        point per query. [RT #7572]

1554. [bug] dig, host, nslookup failed when no nameservers
        were specified in /etc/resolv.conf. [RT #8232]

1553. [bug] The windows socket code could stop accepting
        connections. [RT #10115]

1552. [bug] Accept NOTIFY requests from mapped masters if
        matched-mapped is set. [RT #10049]

1551. [port] Open "/dev/null" before calling chroot().

1550. [port] Call tzset(), if available, before calling chroot().

1549. [func] named-checkzone can now write out the zone contents
        in an easily parsable format (-D and -o).

1548. [bug] When parsing APL records it was possible to silently
        accept out of range ADDRESSFAMILY values. [RT #9979]

1547. [bug] Named wasted memory recording duplicate lame zone
        entries. [RT #9341]

1546. [bug] We were rejecting valid secure CNAME to negative
        answers.

1545. [bug] It was possible to leak memory if named was unable to
        bind to the specified transfer source and TSIG was
        being used. [RT #10120]

1544. [bug] Named would log a single entry to a file despite it
        being over the specified size limit.

1543. [bug] Logging using "versions unlimited" did not work.

1542. [placeholder]

1541. [func] NSEC now uses new bitmap format.

1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
        [RT #8934]

1539. [bug] Open UDP sockets for notify-source and transfer-source
        that use reserved ports at startup. [RT #9475]

1538. [placeholder] rt9997

1537. [func] New option "querylog". If set, specify whether query
        logging is to be enabled or disabled at startup.

1536. [bug] Windows socket code failed to log an error description
        when returning ISC_R_UNEXPECTED. [RT #9998]

1535. [placeholder]

1534. [bug] Race condition when priming cache. [RT #9940]

1533. [func] Warn if both "recursion no;" and "allow-recursion"
        are active. [RT #4389]

1532. [port] netbsd: the configure test for <sys/sysctl.h>
        requires <sys/param.h>.

1531. [port] AIX more libtool fixes.

1530. [bug] It was possible to trigger an INSIST() failure if a
        slave master file was removed at just the correct
        moment. [RT #9462]

1529. [bug] "notify explicit;" failed to log that NOTIFY messages
        were being sent for the zone. [RT #9442]

1528. [cleanup] Simplify some dns_name_ functions based on the
        deprecation of bitstring labels.

1527. [cleanup] Reduce the number of gettimeofday() calls without
        losing necessary timer granularity.

1526. [func] Implemented "additional section caching (or acache)",
        an internal cache framework for additional section
        content to improve response performance. Several
        configuration options were provided to control the
        behavior.

1525. [bug] dns_cache_create() could trigger a REQUIRE
        failure in isc_mem_put() during error cleanup.
        [RT #9360]

1524. [port] AIX needs to be able to resolve all symbols when
        creating shared libraries (--with-libtool).

1523. [bug] Fix race condition in rbtdb. [RT #9189]

1522. [bug] dns_db_findnode() relax the requirements on 'name'.
        [RT #9286]

1521. [bug] dns_view_createresolver() failed to check the
        result from isc_mem_create(). [RT #9294]

1520. [protocol] Add SSHFP (SSH Finger Print) type.

1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
        length of the new bitmap.

1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
        contained an off-by-one error when working out the
        number of octets in the bitmap.

1517. [port] Support for IPv6 interface scanning on HP/UX and
        TrueUNIX 5.1.

1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.

1515. [func] Allow transfer source to be set in a server statement.
        [RT #6496]

1514. [bug] named: isc_hash_destroy() was being called too early.
        [RT #9160]

1513. [doc] Add "US" to root-delegation-only exclude list.

1512. [bug] Extend the delegation-only logging to return query
        type, class and responding nameserver.

1511. [bug] delegation-only was generating false positives
        on negative answers from sub-zones.

1510. [func] New view option "root-delegation-only". Apply
        delegation-only check to all TLDs and root.
        Note there are some TLDs that are NOT delegation
        only (e.g. DE, LV, US and MUSEUM); these can be excluded
        from the checks by using exclude.

        root-delegation-only exclude {
                "DE"; "LV"; "US"; "MUSEUM";
        };

1509. [bug] Hint zones should accept delegation-only. Forward
        zone should not accept delegation-only.

1508. [bug] Don't apply delegation-only checks to answers from
        forwarders.

1507. [bug] Handle BIND 8 style returns to NS queries to parents
        when making delegation-only checks.

1506. [bug] Wrong return type for dns_view_isdelegationonly().

1505. [bug] Uninitialized rdataset in sdb. [RT #8750]

1504. [func] New zone type "delegation-only".

1503. [port] win32: install libeay32.dll outside of system32.

1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.

1501. [func] Allow TCP queue length to be specified via
        named.conf, tcp-listen-queue.

1500. [bug] host failed to look up MX records. Also look up
        AAAA records.

1499. [bug] isc_random needs to be seeded better if arc4random()
        is not used.

1498. [port] bsdos: 5.x support.

1497. [placeholder]

1496. [port] test for pthread_attr_setstacksize().

1495. [cleanup] Replace hash functions with universal hash.

1494. [security] Turn on RSA BLINDING as a precaution.

1493. [placeholder]

1492. [cleanup] Preserve rwlock quota context when upgrading /
        downgrading. [RT #5599]

1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
        lines. [RT #6206]

1490. [bug] Accept reading state as well as working state in
        ns_client_next(). [RT #6813]

1489. [compat] Treat 'allow-update' on slave zones as a warning.
        [RT #3469]

1488. [bug] Don't override trust levels for glue addresses.
        [RT #5764]

1487. [bug] A REQUIRE() failure could be triggered if a zone was
        queued for transfer and the zone was then removed.
        [RT #6189]

1486. [bug] isc_print_snprintf() '%%' consumed one too many format
        characters. [RT #8230]

1485. [bug] gen failed to handle high type values. [RT #6225]

1484. [bug] The number of records reported after an AXFR was wrong.
        [RT #6229]

1483. [bug] dig axfr failed if the message id in the answer failed
        to match that in the request. Only the id in the first
        message is required to match. [RT #8138]

1482. [bug] named could fail to start if the kernel supports
        IPv6 but no interfaces are configured. Similarly
        for IPv4. [RT #6229]

1481. [bug] Refresh and stub queries failed to use masters keys
        if specified. [RT #7391]

1480. [bug] Provide replay protection for rndc commands. Full
        replay protection requires both rndc and named to
        be updated. Partial replay protection (limited
        exposure after restart) is provided if just named
        is updated.

1479. [bug] cfg_create_tuple() failed to handle out of
        memory cleanup. parse_list() would leak memory
        on syntax errors.

1478. [port] ifconfig.sh didn't account for other virtual
        interfaces. It now takes an optional argument
        to specify the first interface number. [RT #3907]

1477. [bug] memory leak using stub zones and TSIG.

1476. [placeholder]

1475. [port] Probe for old sprintf().

1474. [port] Provide strtoul() and memmove() for platforms
        without them.

1473. [bug] create_map() and create_string() failed to handle out
        of memory cleanup. [RT #6813]

1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.

1471. [bug] libbind: updated to BIND 8.4.0.

1470. [bug] Incorrect length passed to snprintf. [RT #5966]

1469. [func] Log end of outgoing zone transfer at same level
        as the start of transfer is logged. [RT #4441]

1468. [func] Internal zones are no longer counted for
        'rndc status'. [RT #4706]

1467. [func] $GENERATE now supports optional class and ttl.

1466. [bug] lwresd configuration errors resulted in memory
        and lock leaks. [RT #5228]

1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
        failed to check that trailing bits were zero allowing
        some invalid base64 strings to be accepted. [RT #5397]

1464. [bug] Preserve "out of zone" data for outgoing zone
        transfers. [RT #5192]

1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
        NXT bit maps. [RT #5577]

1462. [bug] parse_sizeval() failed to check the token type.
        [RT #5586]

1461. [bug] Remove deadlock from rbtdb code. [RT #5599]

1460. [bug] inet_pton() failed to reject certain malformed
        IPv6 literals.

1459. [placeholder]

1458. [cleanup] sprintf() -> snprintf().

1457. [port] Provide strlcat() and strlcpy() for platforms without
        them.

1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.

1455. [bug] <netaddr> missing from server grammar in
        doc/misc/options. [RT #5616]

1454. [port] Use getifaddrs() if available for interface scanning.
        --disable-getifaddrs to override. Glibc currently
        has a getifaddrs() that does not support IPv6.
        Use --enable-getifaddrs=glibc to force the use of
        this version under linux machines.

1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]

1452. [placeholder]

1451. [bug] rndc-confgen didn't exit with an error code for all
        failures. [RT #5209]

1450. [bug] Fetching expired glue failed under certain
        circumstances. [RT #5124]

1449. [bug] query_addbestns() didn't handle running out of memory
        gracefully.

1448. [bug] Handle empty wildcards labels.

1447. [bug] We were casting (unsigned int) to and from (void *).
        rdataset->private4 is now rdataset->privateuint4
        to reflect a type change.

1446. [func] Implemented undocumented alternate transfer sources
        from BIND 8. See use-alt-transfer-source,
        alt-transfer-source and alt-transfer-source-v6.

        SECURITY: use-alt-transfer-source is ENABLED unless
        you are using views. This may cause a security risk
        resulting in accidental disclosure of wrong zone
        content if the master is supplying different source
        content based on IP address. If you are not certain,
        ISC recommends setting use-alt-transfer-source no;

1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
        been replaced with DNS_ADBFIND_STARTATZONE which
        causes the search to start using the closest zone.

1444. [func] dns_view_findzonecut2() allows you to specify if the
        cache should be searched for zone cuts.

1443. [func] Masters lists can now be specified and referenced
        in zone masters clauses and other masters lists.

1442. [func] New functions for manipulating port lists:
        dns_portlist_create(), dns_portlist_add(),
        dns_portlist_remove(), dns_portlist_match(),
        dns_portlist_attach() and dns_portlist_detach().

1441. [func] It is now possible to tell dig to bind to a specific
        source port.

1440. [func] It is now possible to tell named to avoid using
        certain source ports (avoid-v4-udp-ports,
        avoid-v6-udp-ports).

1439. [bug] Named could return NOERROR with certain NOTIFY
        failures. Return NOTAUTH if the NOTIFY zone is
        not being served.

1438. [func] Log TSIG (if any) when logging NOTIFY requests.

1437. [bug] Leave space for stdio to work in. [RT #5033]

1436. [func] dns_zonemgr_resumexfrs() can be used to restart
        stalled transfers.

1435. [bug] zmgr_resume_xfrs() was being called read locked
        rather than write locked. zmgr_resume_xfrs()
        was not being called if the zone was being
        shut down.

1434. [bug] "rndc reconfig" failed to initiate the initial
        zone transfer of new slave zones.

1433. [bug] named could trigger a REQUIRE failure if it could
        not get a file descriptor when attempting to write
        a master file. [RT #4347]

1432. [func] The advertised EDNS UDP buffer size can now be set
        via named.conf (edns-udp-size).

1431. [bug] isc_print_snprintf() "%s" with precision could walk off
        end of argument. [RT #5191]

1430. [port] linux: IPv6 interface scanning support.

1429. [bug] Prevent the cache getting locked to old servers.

1428. [placeholder]

1427. [bug] Race condition in adb with threaded build.

1426. [placeholder]

1425. [port] linux/libbind: define __USE_MISC when testing *_r()
        function prototypes in netdb.h. [RT #4921]

1424. [bug] EDNS version not being correctly printed.

1423. [contrib] queryperf: added A6 and SRV.

1422. [func] Log name/type/class when denying a query. [RT #4663]

1421. [func] Differentiate updates that don't succeed due to
        prerequisites (unsuccessful) vs other reasons
        (failed).

1420. [port] solaris: work around gcc optimizer bug.

1419. [port] openbsd: use /dev/arandom. [RT #4950]

1418. [bug] 'rndc reconfig' did not cause new slaves to load.

1417. [func] ID.SERVER/CHAOS is now a built in zone.
        See "server-id" for how to configure.

1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
        [RT #4715]

1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
        from SOA MINIMUM.

1414. [func] Support for KSK flag.

1413. [func] Explicitly request the (re-)generation of DS records
        from keysets (dnssec-signzone -g).

1412. [func] You can now specify servers to be tried if a nameserver
        has an IPv6 address and you only support IPv4 or the
        reverse. See dual-stack-servers.

1411. [bug] empty nodes should stop wildcard matches. [RT #4802]

1410. [func] Handle records that live in the parent zone, e.g. DS.

1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.

1408. [bug] "make distclean" was not complete. [RT #4700]

1407. [bug] lfsr incorrectly implements the shift register.
        [RT #4617]

1406. [bug] dispatch initializes one of the LFSR's with an incorrect
        polynomial. [RT #4617]

1405. [func] Use arc4random() if available.

1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
        buffer.

1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset and
        dnssec-signkey now report their version in the
        usage message.

1402. [cleanup] A6 has been moved to experimental and is no longer
        fully supported.

1401. [bug] adb wasn't clearing state when the timer expired.

1400. [bug] Block the addition of wildcard NS records by IXFR
        or UPDATE. [RT #3502]

1399. [bug] Use serial number arithmetic when testing SIG
        timestamps. [RT #4268]

1398. [doc] ARM: notify-also should have been also-notify.
        [RT #4345]

1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.

1396. [func] dnssec-signzone: adjust the default signing time by
        1 hour to allow for clock skew.

1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
        have a working implementation. [RT #4079]

1394. [func] It is now possible to check if a particular element is
        in an acl. Remove duplicate entries from the localnets
        acl.

1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
        is not available in the kernel to prevent accidentally
        listening on IPv4 interfaces.

1392. [bug] named-checkzone: update usage.

1391. [func] Add support for IPv6 scoped addresses in named.

1390. [func] host now supports ixfr.

1389. [bug] named could fail to rotate long log files. [RT #3666]

1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
        defining HAVE_IFLIST_SYSCTL. [RT #3770]

1387. [bug] named could crash due to an access to invalid memory
        space (which caused an assertion failure) in
        incremental cleaning. [RT #3588]

1386. [bug] named-checkzone -z stopped on errors in a zone.
        [RT #3653]

1385. [bug] Setting serial-query-rate to 10 would trigger a
        REQUIRE failure.

1384. [bug] host was incompatible with BIND 8 in its exit code and
        in the output with the -l option. [RT #3536]

1383. [func] Track the serial number in an IXFR response and log if
        a mismatch occurs. This is a more specific error than
        "not exact". [RT #3445]

1382. [bug] make install failed with --enable-libbind. [RT #3656]

1381. [bug] named failed to correctly process answers that
        contained DNAME records where the resulting CNAME
        resulted in a negative answer.

1380. [func] 'rndc recursing' dumps recursing queries to
        'recursing-file = "named.recursing";'.

1379. [func] 'rndc status' now reports tcp and recursion quota
        states.

1378. [func] Improved positive feedback for 'rndc {reload|refresh}'.

1377. [func] dns_zone_load{new}() now reports if the zone was
        loaded, queued for loading or up to date.

1376. [func] New function dns_zone_logc() to log to specified
        category.

1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
        data cache.

1374. [func] dns_adb_dump() now logs the lame zones associated
        with each server.

1373. [bug] Recovery from expired glue failed under certain
        circumstances.

1372. [bug] named crashes with an assertion failure on exit when
        sharing the same port for listening and querying, and
        changing listening addresses several times. [RT #3509]

1371. [bug] notify-source-v6, transfer-source-v6 and
        query-source-v6 with explicit addresses and using the
        same ports as named was listening on could interfere
        with named's ability to answer queries sent to those
        addresses.

1370. [bug] dig '+[no]recurse' was incorrectly documented.

1369. [bug] Adding an NS record as the lexicographically last
        record in a secure zone didn't work.

1368. [func] remove support for bitstring labels.

1367. [func] Use response times to select forwarders.

1366. [contrib] queryperf usage was incomplete. Add '-h' for help.

1365. [func] "localhost" and "localnets" acls now include IPv6
        addresses / prefixes.

1364. [func] Log file name when unable to open memory statistics
        and dump database files. [RT #3437]

1363. [func] Listen-on-v6 now supports specific addresses.

1362. [bug] remove IFF_RUNNING test when scanning interfaces.

1361. [func] log the reason for rejecting a server when resolving
        queries.

1360. [bug] --enable-libbind would fail when not built in the
        source tree for certain OS's.

1359. [security] Support patches OpenSSL libraries.
        http://www.cert.org/advisories/CA-2002-23.html

1358. [bug] It was possible to trigger an INSIST when debugging
        large dynamic updates. [RT #3390]

1357. [bug] nsupdate was extremely wasteful of memory.

1356. [tuning] Reduce the number of events / quantum for zone tasks.

1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.

1354. [doc] lwres man pages had illegal nroff.

1353. [contrib] sdb/ldap to version 0.9.

1352. [bug] dig, host, nslookup when falling back to TCP use the
        current search entry (if any). [RT #3374]

1351. [bug] lwres_getipnodebyname() returned the wrong name
        when given an IPv4 literal, af=AF_INET6 and AI_MAPPED
        was set.

1350. [bug] dns_name_fromtext() failed to handle too many labels
        gracefully.

1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
        http://www.cert.org/advisories/CA-2002-23.html

1348. [port] win32: Rewrote code to use I/O Completion Ports
        in socket.c, eliminating a host of socket
        errors. Performance is enhanced.

1347. [placeholder]

1346. [placeholder]

1345. [port] Use an explicit -Wformat with gcc. Not all versions
        include it in -Wall.

1344. [func] Log if the serial number on the master has gone
        backwards.
        If you have multiple machines specified in the masters
        clause you may want to set 'multi-master yes;' to
        suppress this warning.

1343. [func] Log successful notifies received (info). Adjust log
        level for failed notifies to notice.

1342. [func] Log remote address with TCP dispatch failures.

1341. [func] Allow a rate limiter to be stalled.

1340. [bug] Delay and spread out the startup refresh load.

1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
        lookups. Bit string lookups are no longer attempted.

1338. [placeholder]

1337. [placeholder]

1336. [func] Nibble lookups under IP6.ARPA are now supported by
        dns_byaddr_create(). dns_byaddr_createptrname() is
        deprecated, use dns_byaddr_createptrname2() instead.

1335. [bug] When performing a nonexistence proof, the validator
        should discard parent NXTs from higher in the DNS.

1334. [bug] When signing/verifying rdatasets, duplicate rdatas
        need to be suppressed.

1333. [contrib] queryperf now reports a summary of returned
        rcodes (-c), rcodes are printed in mnemonic form (-v).

1332. [func] Report the current serial with periodic commits when
        rolling forward the journal.

1331. [func] Generate DNSSEC wildcard proofs.

1330. [bug] When processing events (non-threaded) only allow
        the task one chance to use its quantum.

1329. [func] named-checkzone will now check for nameservers that
        appear to be IP addresses. Available modes "fail",
        "warn" (default) and "ignore" the results of the
        check.

1328. [bug] The validator could incorrectly verify an invalid
        negative proof.

1327. [bug] The validator would incorrectly mark data as insecure
        when seeing a bogus signature before a correct
        signature.

1326. [bug] DNAME/CNAME signatures were not being cached when
        validation was not being performed. [RT #3284]

1325. [bug] If the tcpquota was exhausted it was possible to
        trigger an INSIST() failure.

1324. [port] darwin: ifconfig.sh now supports darwin.

1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]

1322. [bug] dnssec-signzone usage message was misleading.

1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
        would incorrectly duplicate its output and sign it.

1320. [doc] query-source-v6 was missing from options section.
        [RT #3218]

1319. [func] libbind: log attempts to exploit #1318.

1318. [bug] libbind: Remote buffer overrun.

1317. [port] libbind: TrueUNIX 5.1 does not like __align as an
        element name.

1316. [bug] libbind: gethostans() could get out of sync parsing
        the response if there was a very long CNAME chain.

1315. [bug] Options should apply to the internal _bind view.

1314. [port] Handle ECONNRESET from sendmsg() [unix].

1313. [func] Query log now says if the query was signed (S) or
        if EDNS was used (E).

1312. [func] Log TSIG key used w/ outgoing zone transfers.

1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]

1310. [bug] 'rndc stop' failed to cause zones to be flushed
        sometimes. [RT #3157]

1309. [func] Log that a zone transfer was covered by a TSIG.

1308. [func] DS (delegation signer) support.

1307. [bug] nsupdate: allow white space base64 key data.

1306. [bug] Badly encoded LOC record when the size, horizontal
        precision or vertical precision was 0.1m.

1305. [bug] Document that internal zones are included in the
        rndc status results.

1304. [func] New function: dns_zone_name().

1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.

1302. [func] Extended rndc dumpdb to support dumping of zones and
        view selection: 'dumpdb [-all|-zones|-cache] [view]'.

1301. [func] New category 'update-security'.

1300. [port] Compaq Trucluster support.

1299. [bug] Set AI_ADDRCONFIG when looking up addresses
        via getaddrinfo() (affects dig, host, nslookup, rndc
        and nsupdate).

1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
        could be left with a trailing "\" after configure
        has been run.

1297. [port] linux: make handling EINVAL from socket() no longer
        conditional on #ifdef LINUX.

1296. [bug] isc_log_closefilelogs() needed to lock the log
        context.

1295. [bug] isc_log_setdebuglevel() needed to lock the log
        context.

1294. [func] libbind: no longer attempts bit string labels for
        IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
        for nibble style resolution.

1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]

1292. [func] Enable IPv6 support when using ioctl style interface
        scanning and OS supports SIOCGLIFADDR using struct
        if_laddrreq.

1291. [func] Enable IPv6 support when using sysctl style interface
        scanning.

1290. [func] "dig axfr" now reports the number of messages
        as well as the number of records.

1289. [port] See if -ldl is required for OpenSSL? [RT #2672]

1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
        reflect written requirements.

1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
        a rdataset to a zone db in the rbtdb implementation of
        addrdataset.

1286. [bug] dns_name_downcase() enforce requirement that
        target != NULL or name->buffer != NULL.

1285. [func] lwres: probe the system to see what address families
        are currently in use.

1284. [bug] The RTT estimate on unused servers was not aged.
        [RT #2569]

1283. [func] Use "dataready" accept filter if available.

1282. [port] libbind: hpux 11.11 interface scanning.

1281. [func] Log zone when unable to get private keys to update
        zone. Log zone when NXT records are missing from
        secure zone.

1280. [bug] libbind: escape '(' and ')' when converting to
        presentation form.

1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]

1278. [func] dig: now supports +[no]cl +[no]ttlid.

1277. [func] You can now create your own customized printing
        styles: dns_master_stylecreate() and
        dns_master_styledestroy().

1276. [bug] libbind: const pointer conflicts in res_debug.c.

1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.

1274. [bug] Memory leak in lwres_gnbarequest_parse().

1273. [port] libbind: solaris: 64 bit binary compatibility.

1272. [contrib] Berkeley DB 4.0 sdb implementation from
        Nuno Miguel Rodrigues <nmr@co.sapo.pt>.

1271. [bug] "recursion available: {denied,approved}" was too
        confusing.

1270. [bug] Check that system inet_pton() and inet_ntop() support
        AF_INET6.

1269. [port] Openserver: ifconfig.sh support.

1268. [port] Openserver: the value FD_SETSIZE depends on whether
        <sys/param.h> is included or not. Be consistent.

1267. [func] isc_file_openunique() now creates file using mode
        0666 rather than 0600.

1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
        __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
        are not C++ compatible, use *_TYPE versions instead.

1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
        C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.

1264. [placeholder]

1263. [bug] Reference after free error if dns_dispatchmgr_create()
        failed.

1262. [bug] ns_server_destroy() failed to set *serverp to NULL.

1261.
[func] libbind: ns_sign2() and ns_sign_tcp() now provide 12736 support for compressed TSIG owner names. 12737 127381260. [func] libbind: res_update can now update IPv6 servers, 12739 new function res_findzonecut2(). 12740 127411259. [bug] libbind: get_salen() IPv6 support was broken for OSs 12742 w/o sa_len. 12743 127441258. [bug] libbind: res_nametotype() and res_nametoclass() were 12745 broken. 12746 127471257. [bug] Failure to write pid-file should not be fatal on 12748 reload. [RT #2861] 12749 127501256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support. 12751 127521255. [bug] When verifying that an NXT proves nonexistence, check 12753 the rcode of the message and only do the matching NXT 12754 check. That is, for NXDOMAIN responses, check that 12755 the name is in the range between the NXT owner and 12756 next name, and for NOERROR NODATA responses, check 12757 that the type is not present in the NXT bitmap. 12758 127591254. [func] preferred-glue option from BIND 8.3. 12760 127611253. [bug] The dnssec system test failed to remove the correct 12762 files. 12763 127641252. [bug] Dig, host and nslookup were not checking the address 12765 the answer was coming from against the address it was 12766 sent to. [RT #2692] 12767 127681251. [port] win32: a make file contained absolute version specific 12769 references. 12770 127711250. [func] Nsupdate will report the address the update was 12772 sent to. 12773 127741249. [bug] Missing masters clause was not handled gracefully. 12775 [RT #2703] 12776 127771248. [bug] DESTDIR was not being propagated between makes. 12778 127791247. [bug] Don't reset the interface index for link/site local 12780 addresses. [RT #2576] 12781 127821246. [func] New functions isc_sockaddr_issitelocal(), 12783 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal() 12784 and isc_netaddr_islinklocal(). 12785 127861245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for 12787 accept(). 12788 127891244. 
[bug] Receiving a TCP message from a blackhole address would 12790 prevent further messages being received over that 12791 interface. 12792 127931243. [bug] It was possible to trigger a REQUIRE() in 12794 dns_message_findtype(). [RT #2659] 12795 127961242. [bug] named-checkzone failed if a journal existed. [RT #2657] 12797 127981241. [bug] Drop received UDP messages with a zero source port 12799 as these are invariably forged. [RT #2621] 12800 128011240. [bug] It was possible to leak zone references by 12802 specifying an incorrect zone to rndc. 12803 128041239. [bug] Under certain circumstances named could continue to 12805 use a name after it had been freed triggering 12806 INSIST() failures. [RT #2614] 12807 128081238. [bug] It is possible to lockup the server when shutting down 12809 if notifies were being processed. [RT #2591] 12810 128111237. [bug] nslookup: "set q=type" failed. 12812 128131236. [bug] dns_rdata{class,type}_fromtext() didn't handle non 12814 NULL terminated text regions. [RT #2588] 12815 128161235. [func] Report 'out of memory' errors from openssl. 12817 128181234. [bug] contrib/sdb: 'zonetodb' failed to call 12819 dns_result_register(). DNS_R_SEENINCLUDE should not 12820 be fatal. 12821 128221233. [bug] The flags field of a KEY record can be expressed in 12823 hex as well as decimal. 12824 128251232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL. 12826 128271231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL. 12828 128291230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken. 12830 128311229. [bug] named would crash if it received a TSIG signed 12832 query as part of an AXFR response. [RT #2570] 12833 128341228. [bug] 'make install' did not depend on 'make all'. [RT #2559] 12835 128361227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER 12837 if a number was expected and some other token was 12838 found. [RT #2532] 12839 128401226. [func] Use EDNS for zone refresh queries. [RT #2551] 12841 128421225. 
[func] dns_message_setopt() no longer requires that 12843 dns_message_renderbegin() to have been called. 12844 128451224. [bug] 'rrset-order' and 'sortlist' should be additive 12846 not exclusive. 12847 128481223. [func] 'rrset-order' partially works 'cyclic' and 'random' 12849 are supported. 12850 128511222. [bug] Specifying 'port *' did not always result in a system 12852 selected (non-reserved) port being used. [RT #2537] 12853 128541221. [bug] Zone types 'master', 'slave' and 'stub' were not being 12855 compared case insensitively. [RT #2542] 12856 128571220. [func] Support for APL rdata type. 12858 128591219. [func] Named now reports the TSIG extended error code when 12860 signature verification fails. [RT #1651] 12861 128621218. [bug] Named incorrectly returned SERVFAIL rather than 12863 NOTAUTH when there was a TSIG BADTIME error. [RT #2519] 12864 128651217. [func] Report locations of previous key definition when a 12866 duplicate is detected. 12867 128681216. [bug] Multiple server clauses for the same server were not 12869 reported. [RT #2514] 12870 128711215. [port] solaris: add support to ifconfig.sh for x86 2.5.1 12872 128731214. [bug] Win32: isc_file_renameunique() could leave zero length 12874 files behind. 12875 128761213. [func] Report view associated with client if it is not a 12877 standard view (_default or _bind). 12878 128791212. [port] libbind: 64k answer buffers were causing stack space 12880 to be exceeded for certain OS. Use heap space instead. 12881 128821211. [bug] dns_name_fromtext() incorrectly handled certain 12883 valid octal bitlabels. [RT #2483] 12884 128851210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped / 12886 compatible addresses. [RT #2461] 12887 128881209. [bug] Dig, host, nslookup were not checking the message ids 12889 on the responses. [RT #2454] 12890 128911208. [bug] dns_master_load*() failed to log a error message if 12892 an error was detected when parsing the owner name of 12893 a record. 
[RT #2448] 12894 128951207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with 12896 an invalid pointer. 12897 128981206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should 12899 trigger a non-EDNS retry. 12900 129011205. [bug] OPT, TSIG and TKEY cannot be used to set the "class" 12902 of the message. [RT #2449] 12903 129041204. [bug] libbind: res_nupdate() failed to update the name 12905 server addresses before sending the update. 12906 129071203. [func] Report locations of previous acl and zone definitions 12908 when a duplicate is detected. 12909 129101202. [func] New functions: cfg_obj_line() and cfg_obj_file(). 12911 129121201. [bug] Require that if 'callbacks' is passed to 12913 dns_rdata_fromtext(), callbacks->error and 12914 callbacks->warn are initialized. 12915 129161200. [bug] Log 'errno' that we are unable to convert to 12917 isc_result_t. [RT #2404] 12918 129191199. [doc] ARM reference to RFC 2157 should have been RFC 1918. 12920 [RT #2436] 12921 129221198. [bug] OPT printing style was not consistent with the way the 12923 header fields are printed. The DO bit was not reported 12924 if set. Report if any of the MBZ bits are set. 12925 129261197. [bug] Attempts to define the same acl multiple times were not 12927 detected. 12928 129291196. [contrib] update mdnkit to 2.2.3. 12930 129311195. [bug] Attempts to redefine builtin acls should be caught. 12932 [RT #2403] 12933 129341194. [bug] Not all duplicate zone definitions were being detected 12935 at the named.conf checking stage. [RT #2431] 12936 129371193. [bug] dig +besteffort parsing didn't handle packet 12938 truncation. dns_message_parse() has new flag 12939 DNS_MESSAGE_IGNORETRUNCATION. 12940 129411192. [bug] The seconds fields in LOC records were restricted 12942 to three decimal places. More decimal places should 12943 be allowed but warned about. 12944 129451191. [bug] A dynamic update removing the last non-apex name in 12946 a secure zone would fail. 
[RT #2399] 12947 129481190. [func] Add the "rndc freeze" and "rndc unfreeze" commands. 12949 [RT #2394] 12950 129511189. [bug] On some systems, malloc(0) returns NULL, which 12952 could cause the caller to report an out of memory 12953 error. [RT #2398] 12954 129551188. [bug] Dynamic updates of a signed zone would fail if 12956 some of the zone private keys were unavailable. 12957 129581187. [bug] named was incorrectly returning DNSSEC records 12959 in negative responses when the DO bit was not set. 12960 129611186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the 12962 EOL token when reading to end of line. 12963 129641185. [bug] libbind: don't assume statp->_u._ext.ext is valid 12965 unless RES_INIT is set when calling res_*init(). 12966 129671184. [bug] libbind: call res_ndestroy() if RES_INIT is set 12968 when res_*init() is called. 12969 129701183. [bug] Handle ENOSR error when writing to the internal 12971 control pipe. [RT #2395] 12972 129731182. [bug] The server could throw an assertion failure when 12974 constructing a negative response packet. 12975 129761181. [func] Add the "key-directory" configuration statement, 12977 which allows the server to look for online signing 12978 keys in alternate directories. 12979 129801180. [func] dnssec-keygen should always generate keys with 12981 protocol 3 (DNSSEC), since it's less confusing 12982 that way. 12983 129841179. [func] Add SIG(0) support to nsupdate. 12985 129861178. [bug] Follow and cache (if appropriate) A6 and other 12987 data chains to completion in the additional section. 12988 129891177. [func] Report view when loading zones if it is not a 12990 standard view (_default or _bind). [RT #2270] 12991 129921176. [doc] Document that allow-v6-synthesis is only performed 12993 for clients that are supplied recursive service. 12994 [RT #2260] 12995 129961175. 
[bug] named-checkzone and named-checkconf failed to call 12997 dns_result_register() at startup which could 12998 result in runtime exceptions when printing 12999 "out of memory" errors. [RT #2335] 13000 130011174. [bug] Win32: add WSAECONNRESET to the expected errors 13002 from connect(). [RT #2308] 13003 130041173. [bug] Potential memory leaks in isc_log_create() and 13005 isc_log_settag(). [RT #2336] 13006 130071172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to 13008 table of RR types in ARM. 13009 130101171. [func] Added function isc_region_compare(), updated files in 13011 lib/dns to use this function instead of local one. 13012 130131170. [bug] Don't attempt to print the token when a I/O error 13014 occurs when parsing named.conf. [RT #2275] 13015 130161169. [func] Identify recursive queries in the query log. 13017 130181168. [bug] Empty also-notify clauses were not handled. [RT #2309] 13019 130201167. [contrib] nslint-2.1a3 (from author). 13021 130221166. [bug] "Not Implemented" should be reported as NOTIMP, 13023 not NOTIMPL. [RT #2281] 13024 130251165. [bug] We were rejecting notify-source{-v6} in zone clauses. 13026 130271164. [bug] Empty masters clauses in slave / stub zones were not 13028 handled gracefully. [RT #2262] 13029 130301163. [func] isc_time_formattimestamp() now includes the year. 13031 130321162. [bug] The allow-notify option was not accepted in slave 13033 zone statements. 13034 130351161. [bug] named-checkzone looped on unbalanced brackets. 13036 [RT #2248] 13037 130381160. [bug] Generating Diffie-Hellman keys longer than 1024 13039 bits could fail. [RT #2241] 13040 130411159. [bug] MD and MF are not permitted to be loaded by RFC1123. 13042 130431158. [func] Report the client's address when logging notify 13044 messages. 13045 130461157. [func] match-clients and match-destinations now accept 13047 keys. [RT #2045] 13048 130491156. 
[port] The configure test for strsep() incorrectly 13050 succeeded on certain patched versions of 13051 AIX 4.3.3. [RT #2190] 13052 130531155. [func] Recover from master files being removed from under 13054 us. 13055 130561154. [bug] Don't attempt to obtain the netmask of a interface 13057 if there is no address configured. [RT #2176] 13058 130591153. [func] 'rndc {stop|halt} -p' now reports the process id 13060 of the instance of named being shutdown. 13061 130621152. [bug] libbind: read buffer overflows. 13063 130641151. [bug] nslookup failed to check that the arguments to 13065 the port, timeout, and retry options were 13066 valid integers and in range. [RT #2099] 13067 130681150. [bug] named incorrectly accepted TTL values 13069 containing plus or minus signs, such as 13070 1d+1h-1s. 13071 130721149. [func] New function isc_parse_uint32(). 13073 130741148. [func] 'rndc-confgen -a' now provides positive feedback. 13075 130761147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by 13077 the OS. listen-on-v6 { any; }; should no longer 13078 result in IPv4 queries be accepted. Similarly 13079 control { inet :: ... }; should no longer result 13080 in IPv4 connections being accepted. This can be 13081 overridden at compile time by defining 13082 ISC_ALLOW_MAPPED=1. 13083 130841146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if 13085 supported by the OS by a new function 13086 isc_socket_ipv6only(). 13087 130881145. [func] "host" no longer reports a NOERROR/NODATA response 13089 by printing nothing. [RT #2065] 13090 130911144. [bug] rndc-confgen would crash if both the -a and -t 13092 options were specified. [RT #2159] 13093 130941143. [bug] When a trusted-keys statement was present and named 13095 was built without crypto support, it would leak memory. 13096 130971142. [bug] dnssec-signzone would fail to delete temporary files 13098 in some failure cases. [RT #2144] 13099 131001141. 
[bug] When named rejected a control message, it would 13101 leak a file descriptor and memory. It would also 13102 fail to respond, causing rndc to hang. 13103 [RT #2139, #2164] 13104 131051140. [bug] rndc-confgen did not accept IPv6 addresses as arguments 13106 to the -s option. [RT #2138] 13107 131081139. [func] It is now possible to flush a given name from the 13109 cache(s) via 'rndc flushname name [view]'. [RT #2051] 13110 131111138. [func] It is now possible to flush a given name from the 13112 cache by calling the new function 13113 dns_cache_flushname(). 13114 131151137. [func] It is now possible to flush a given name from the 13116 ADB by calling the new function dns_adb_flushname(). 13117 131181136. [bug] CNAME records synthesized from DNAMEs did not 13119 have a TTL of zero as required by RFC2672. 13120 [RT #2129] 13121 131221135. [func] You can now override the default syslog() facility for 13123 named/lwresd at compile time. [RT #1982] 13124 131251134. [bug] Multi-threaded servers could deadlock in ferror() 13126 when reloading zone files. [RT #1951, #1998] 13127 131281133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on 13129 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106] 13130 131311132. [func] Improve UPDATE prerequisite failure diagnostic messages. 13132 131331131. [bug] The match-destinations view option did not work with 13134 IPv6 destinations. [RT #2073, #2074] 13135 131361130. [bug] Log messages reporting an out-of-range serial number 13137 did not include the out-of-range number but the 13138 following token. [RT #2076] 13139 131401129. [bug] Multi-threaded servers could crash under heavy 13141 resolution load due to a race condition. [RT #2018] 13142 131431128. [func] sdb drivers can now provide RR data in either text 13144 or wire format, the latter using the new functions 13145 dns_sdb_putrdata() and dns_sdb_putnamedrdata(). 13146 131471127. [func] rndc: If the server to contact has multiple addresses, 13148 try all of them. 
13149 131501126. [bug] The server could access a freed event if shut 13151 down while a client start event was pending 13152 delivery. [RT #2061] 13153 131541125. [bug] rndc: -k option was missing from usage message. 13155 [RT #2057] 13156 131571124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail 13158 are now documented. [RT #2052] 13159 131601123. [bug] dig +[no]fail did not match description. [RT #2052] 13161 131621122. [tuning] Resolution timeout reduced from 90 to 30 seconds. 13163 [RT #2046] 13164 131651121. [bug] The server could attempt to access a NULL zone 13166 table if shut down while resolving. 13167 [RT #1587, #2054] 13168 131691120. [bug] Errors in options were not fatal. [RT #2002] 13170 131711119. [func] Added support in Win32 for NTFS file/directory ACL's 13172 for access control. 13173 131741118. [bug] On multi-threaded servers, a race condition 13175 could cause an assertion failure in resolver.c 13176 during resolver shutdown. [RT #2029] 13177 131781117. [port] The configure check for in6addr_loopback incorrectly 13179 succeeded on AIX 4.3 when compiling with -O2 13180 because the test code was optimized away. 13181 [RT #2016] 13182 131831116. [bug] Setting transfers in a server clause, transfers-in, 13184 or transfers-per-ns to a value greater than 13185 2147483647 disabled transfers. [RT #2002] 13186 131871115. [func] Set maximum values for cleaning-interval, 13188 heartbeat-interval, interface-interval, 13189 max-transfer-idle-in, max-transfer-idle-out, 13190 max-transfer-time-in, max-transfer-time-out, 13191 statistics-interval of 28 days and 13192 sig-validity-interval of 3660 days. [RT #2002] 13193 131941114. [port] Ignore more accept() errors. [RT #2021] 13195 131961113. [bug] The allow-update-forwarding option was ignored 13197 when specified in a view. [RT #2014] 13198 131991112. [placeholder] 13200 132011111. 
[bug] Multi-threaded servers could deadlock processing 13202 recursive queries due to a locking hierarchy 13203 violation in adb.c. [RT #2017] 13204 132051110. [bug] dig should only accept valid abbreviations of +options. 13206 [RT #2003] 13207 132081109. [bug] nsupdate accepted illegal ttl values. 13209 132101108. [bug] On Win32, rndc was hanging when named was not running 13211 due to failure to select for exceptional conditions 13212 in select(). [RT #1870] 13213 132141107. [bug] nsupdate could catch an assertion failure if an 13215 invalid domain name was given as the argument to 13216 the "zone" command. 13217 132181106. [bug] After seeing an out of range TTL, nsupdate would 13219 treat all TTLs as out of range. [RT #2001] 13220 132211105. [port] OpenUNIX 8 enable threads by default. [RT #1970] 13222 132231104. [bug] Invalid arguments to the transfer-format option 13224 could cause an assertion failure. [RT #1995] 13225 132261103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970] 13227 132281102. [doc] Note that query logging is enabled by directing the 13229 queries category to a channel. 13230 132311101. [bug] Array bounds read error in lwres_gai_strerror. 13232 132331100. [bug] libbind: DNSSEC key ids were computed incorrectly. 13234 132351099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused 13236 compile time errors. 13237 132381098. [bug] libbind: HMAC-MD5 key files are now mode 0600. 13239 132401097. [func] libbind: RES_PRF_TRUNC for dig. 13241 132421096. [func] libbind: "DNSSEC OK" (DO) support. 13243 132441095. [func] libbind: resolver option: no-tld-query. disables 13245 trying unqualified as a tld. no_tld_query is also 13246 supported for FreeBSD compatibility. 13247 132481094. [func] libbind: add support gcc's format string checking. 13249 132501093. [doc] libbind: miscellaneous nroff fixes. 13251 132521092. [bug] libbind: get*by*() failed to check if res_init() had 13253 been called. 13254 132551091. 
[bug] libbind: misplaced va_end(). 13256 132571090. [bug] libbind: dns_ho.c:add_hostent() was not returning 13258 the amount of memory consumed resulting in garbage 13259 address being returned. Alignment calculations were 13260 wasting space. We weren't suppressing duplicate 13261 addresses. 13262 132631089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6 13264 support. 13265 132661088. [port] libbind: MPE/iX C.70 (incomplete) 13267 132681087. [bug] libbind: struct __res_state too large on 64 bit arch. 13269 132701086. [port] libbind: sunos: old sprintf. 13271 132721085. [port] libbind: solaris: sys_nerr and sys_errlist do not 13273 exist when compiling in 64 bit mode. 13274 132751084. [cleanup] libbind: gai_strerror() rewritten. 13276 132771083. [bug] The default control channel listened on the 13278 wildcard address, not the loopback as documented. 13279 [RT #1975] 13280 132811082. [bug] The -g option to named incorrectly caused logging 13282 to be sent to syslog in addition to stderr. 13283 [RT #1974] 13284 132851081. [bug] Multicast queries were incorrectly identified 13286 based on the source address, not the destination 13287 address. 13288 132891080. [bug] BIND 8 compatibility: accept bare IP prefixes 13290 as the second element of a two-element top level 13291 sort list statement. [RT #1964] 13292 132931079. [bug] BIND 8 compatibility: accept bare elements at top 13294 level of sort list treating them as if they were 13295 a single element list. [RT #1963] 13296 132971078. [bug] We failed to correct bad tv_usec values in one case. 13298 [RT #1966] 13299 133001077. [func] Do not accept further recursive clients when 13301 the total number of recursive lookups being 13302 processed exceeds max-recursive-clients, even 13303 if some of the lookups are internally generated. 13304 [RT #1915, #1938] 13305 133061076. [bug] A badly defined global key could trigger an assertion 13307 on load/reload if views were used. [RT #1947] 13308 133091075. 
[bug] Out-of-range network prefix lengths were not 13310 reported. [RT #1954] 13311 133121074. [bug] Running out of memory in dump_rdataset() could 13313 cause an assertion failure. [RT #1946] 13314 133151073. [bug] The ADB cache cleaning should also be space driven. 13316 [RT #1915, #1938] 13317 133181072. [bug] The TCP client quota could be exceeded when 13319 recursion occurred. [RT #1937] 13320 133211071. [bug] Sockets listening for TCP DNS connections 13322 specified an excessive listen backlog. [RT #1937] 13323 133241070. [bug] Copy DNSSEC OK (DO) to response as specified by 13325 draft-ietf-dnsext-dnssec-okbit-03.txt. 13326 133271069. [placeholder] 13328 133291068. [bug] errno could be overwritten by catgets(). [RT #1921] 13330 133311067. [func] Allow quotas to be soft, isc_quota_soft(). 13332 133331066. [bug] Provide a thread safe wrapper for strerror(). 13334 [RT #1689] 13335 133361065. [func] Runtime support to select new / old style interface 13337 scanning using ioctls. 13338 133391064. [bug] Do not shut down active network interfaces if we 13340 are unable to scan the interface list. [RT #1921] 13341 133421063. [bug] libbind: "make install" was failing on IRIX. 13343 [RT #1919] 13344 133451062. [bug] If the control channel listener socket was shut 13346 down before server exit, the listener object could 13347 be freed twice. [RT #1916] 13348 133491061. [bug] If periodic cache cleaning happened to start 13350 while cleaning due to reaching the configured 13351 maximum cache size was in progress, the server 13352 could catch an assertion failure. [RT #1912] 13353 133541060. [func] Move refresh, stub and notify UDP retry processing 13355 into dns_request. 13356 133571059. [func] dns_request now support will now retry UDP queries, 13358 dns_request_createvia2() and dns_request_createraw2(). 13359 133601058. [func] Limited lifetime ticker timers are now available, 13361 isc_timertype_limited. 13362 133631057. 
[bug] Reloading the server after adding a "file" clause 13364 to a zone statement could cause the server to 13365 crash due to a typo in change 1016. 13366 133671056. [bug] Rndc could catch an assertion failure on SIGINT due 13368 to an uninitialized variable. [RT #1908] 13369 133701055. [func] Version and hostname queries can now be disabled 13371 using "version none;" and "hostname none;", 13372 respectively. 13373 133741054. [bug] On Win32, cfg_categories and cfg_modules need to be 13375 exported from the libisccfg DLL. 13376 133771053. [bug] Dig did not increase its timeout when receiving 13378 AXFRs unless the +time option was used. [RT #1904] 13379 133801052. [bug] Journals were not being created in binary mode 13381 resulting in "journal format not recognized" error 13382 under Win32. [RT #1889] 13383 133841051. [bug] Do not ignore a network interface completely just 13385 because it has a noncontiguous netmask. Instead, 13386 omit it from the localnets ACL and issue a warning. 13387 [RT #1891] 13388 133891050. [bug] Log messages reporting malformed IP addresses in 13390 address lists such as that of the forwarders option 13391 failed to include the correct error code, file 13392 name, and line number. [RT #1890] 13393 133941049. [func] "pid-file none;" will disable writing a pid file. 13395 [RT #1848] 13396 133971048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1 13398 didn't work. 13399 134001047. [bug] named was incorrectly refusing all requests signed 13401 with a TSIG key derived from an unsigned TKEY 13402 negotiation with a NOERROR response. [RT #1886] 13403 134041046. [bug] The help message for the --with-openssl configure 13405 option was inaccurate. [RT #1880] 13406 134071045. [bug] It was possible to skip saving glue for a nameserver 13408 for a stub zone. 13409 134101044. [bug] Specifying allow-transfer, notify-source, or 13411 notify-source-v6 in a stub zone was not treated 13412 as an error. 13413 134141043. 
[bug] Specifying a transfer-source or transfer-source-v6 13415 option in the zone statement for a master zone was 13416 not treated as an error. [RT #1876] 13417 134181042. [bug] The "config" logging category did not work properly. 13419 [RT #1873] 13420 134211041. [bug] Dig/host/nslookup could catch an assertion failure 13422 on SIGINT due to an uninitialized variable. [RT #1867] 13423 134241040. [bug] Multiple listen-on-v6 options with different ports 13425 were not accepted. [RT #1875] 13426 134271039. [bug] Negative responses with CNAMEs in the answer section 13428 were cached incorrectly. [RT #1862] 13429 134301038. [bug] In servers configured with a tkey-domain option, 13431 TKEY queries with an owner name other than the root 13432 could cause an assertion failure. [RT #1866, #1869] 13433 134341037. [bug] Negative responses whose authority section contain 13435 SOA or NS records whose owner names are not equal 13436 equal to or parents of the query name should be 13437 rejected. [RT #1862] 13438 134391036. [func] Silently drop requests received via multicast as 13440 long as there is no final multicast DNS standard. 13441 134421035. [bug] If we respond to multicast queries (which we 13443 currently do not), respond from a unicast address 13444 as specified in RFC 1123. [RT #137] 13445 134461034. [bug] Ignore the RD bit on multicast queries as specified 13447 in RFC 1123. [RT #137] 13448 134491033. [bug] Always respond to requests with an unsupported opcode 13450 with NOTIMP, even if we don't have a matching view 13451 or cannot determine the class. 13452 134531032. [func] hostname.bind/txt/chaos now returns the name of 13454 the machine hosting the nameserver. This is useful 13455 in diagnosing problems with anycast servers. 13456 134571031. [bug] libbind.a: isc__gettimeofday() infinite recursion. 13458 [RT #1858] 13459 134601030. 
[bug] On systems with no resolv.conf file, nsupdate 13461 exited with an error rather than defaulting 13462 to using the loopback address. [RT #1836] 13463 134641029. [bug] Some named.conf errors did not cause the loading 13465 of the configuration file to return a failure 13466 status even though they were logged. [RT #1847] 13467 134681028. [bug] On Win32, dig/host/nslookup looked for resolv.conf 13469 in the wrong directory. [RT #1833] 13470 134711027. [bug] RRs having the reserved type 0 should be rejected. 13472 [RT #1471] 13473 134741026. [placeholder] 13475 134761025. [bug] Don't use multicast addresses to resolve iterative 13477 queries. [RT #101] 13478 134791024. [port] Compilation failed on HP-UX 11.11 due to 13480 incompatible use of the SIOCGLIFCONF macro 13481 name. [RT #1831] 13482 134831023. [func] Accept hints without TTLs. 13484 134851022. [bug] Don't report empty root hints as "extra data". 13486 [RT #1802] 13487 134881021. [bug] On Win32, log message timestamps were one month 13489 later than they should have been, and the server 13490 would exhibit unspecified behavior in December. 13491 134921020. [bug] IXFR log messages did not distinguish between 13493 true IXFRs, AXFR-style IXFRs, and mere version 13494 polls. [RT #1811] 13495 134961019. [bug] The value of the lame-ttl option was limited to 18000 13497 seconds, not 1800 seconds as documented. [RT #1803] 13498 134991018. [bug] The default log channel was not always initialized 13500 correctly. [RT #1813] 13501 135021017. [bug] When specifying TSIG keys to dig and nsupdate using 13503 the -k option, they must be HMAC-MD5 keys. [RT #1810] 13504 135051016. [bug] Slave zones with no backup file were re-transferred 13506 on every server reload. 13507 135081015. [bug] Log channels that had a "versions" option but no 13509 "size" option failed to create numbered log 13510 files. [RT #1783] 13511 135121014. 
[bug] Some queries would cause statistics counters to 13513 increment more than once or not at all. [RT #1321] 13514 135151013. [bug] It was possible to cancel a query twice when marking 13516 a server as bogus or by having a blackhole acl. 13517 [RT #1776] 13518 135191012. [bug] The -p option to named did not behave as documented. 13520 135211011. [cleanup] Removed isc_dir_current(). 13522 135231010. [bug] The server could attempt to execute a command channel 13524 command after initiating server shutdown, causing 13525 an assertion failure. [RT #1766] 13526 135271009. [port] OpenUNIX 8 support. [RT #1728] 13528 135291008. [port] libtool.m4, ltmain.sh from libtool-1.4.2. 13530 135311007. [port] config.guess, config.sub from autoconf-2.52. 13532 135331006. [bug] If a KEY RR was found missing during DNSSEC validation, 13534 an assertion failure could subsequently be triggered 13535 in the resolver. [RT #1763] 13536 135371005. [bug] Don't copy nonzero RCODEs from request to response. 13538 [RT #1765] 13539 135401004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770] 13541 135421003. [func] Add the +retry option to dig. 13543 135441002. [bug] When reporting an unknown class name in named.conf, 13545 including the file name and line number. [RT #1759] 13546 135471001. [bug] win32 socket code doio_recv was not catching a 13548 WSACONNRESET error when a client was timing out 13549 the request and closing its socket. [RT #1745] 13550 135511000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias 13552 for class "HS". [RT #1759] 13553 13554 999. [func] "rndc retransfer zone [class [view]]" added. 13555 [RT #1752] 13556 13557 998. [func] named-checkzone now has arguments to specify the 13558 chroot directory (-t) and working directory (-w). 13559 [RT #1755] 13560 13561 997. [func] Add support for RSA-SHA1 keys (RFC3110). 13562 13563 996. [func] Issue warning if the configuration filename contains 13564 the chroot path. 13565 13566 995. 
[bug] dig, host, nslookup: using a raw IPv6 address as a 13567 target address should be fatal on a IPv4 only system. 13568 13569 994. [func] Treat non-authoritative responses to queries for type 13570 NS as referrals even if the NS records are in the 13571 answer section, because BIND 8 servers incorrectly 13572 send them that way. This is necessary for DNSSEC 13573 validation of the NS records of a secure zone to 13574 succeed when the parent is a BIND 8 server. [RT #1706] 13575 13576 993. [func] dig: -v now reports the version. 13577 13578 992. [doc] dig: ~/.digrc is now documented. 13579 13580 991. [func] Lower UDP refresh timeout messages to level 13581 debug 1. 13582 13583 990. [bug] The rndc-confgen man page was not installed. 13584 13585 989. [bug] Report filename if $INCLUDE fails for file related 13586 errors. [RT #1736] 13587 13588 988. [bug] 'additional-from-auth no;' did not work reliably 13589 in the case of queries answered from the cache. 13590 [RT #1436] 13591 13592 987. [bug] "dig -help" didn't show "+[no]stats". 13593 13594 986. [bug] "dig +noall" failed to clear stats and command 13595 printing. 13596 13597 985. [func] Consider network interfaces to be up iff they have 13598 a nonzero IP address rather than based on the 13599 IFF_UP flag. [RT #1160] 13600 13601 984. [bug] Multi-threading should be enabled by default on 13602 Solaris 2.7 and newer, but it wasn't. 13603 13604 983. [func] The server now supports generating IXFR difference 13605 sequences for non-dynamic zones by comparing zone 13606 versions, when enabled using the new config 13607 option "ixfr-from-differences". [RT #1727] 13608 13609 982. [func] If "memstatistics-file" is set in options the memory 13610 statistics will be written to it. 13611 13612 981. [func] The dnssec tools can now take multiple '-r randomfile' 13613 arguments. 13614 13615 980. [bug] Incoming zone transfers restarting after an error 13616 could trigger an assertion failure. [RT #1692] 13617 13618 979. 
[func] Incremental master file dumping. dns_master_dumpinc(), 13619 dns_master_dumptostreaminc(), dns_dumpctx_attach(), 13620 dns_dumpctx_detach(), dns_dumpctx_cancel(), 13621 dns_dumpctx_db() and dns_dumpctx_version(). 13622 13623 978. [bug] dns_db_attachversion() had an invalid REQUIRE() 13624 condition. 13625 13626 977. [bug] Improve "not at top of zone" error message. 13627 13628 976. [func] named-checkconf can now test load master zones 13629 (named-checkconf -z). [RT #1468] 13630 13631 975. [bug] "max-cache-size default;" as a view option 13632 caused an assertion failure. 13633 13634 974. [bug] "max-cache-size unlimited;" as a global option 13635 was not accepted. 13636 13637 973. [bug] Failed to log the question name when logging: 13638 "bad zone transfer request: non-authoritative zone 13639 (NOTAUTH)". 13640 13641 972. [bug] The file modification time code in zone.c was using the 13642 wrong epoch. [RT #1667] 13643 13644 971. [placeholder] 13645 13646 970. [func] 'max-journal-size' can now be used to set a target 13647 size for a journal. 13648 13649 969. [func] dig now supports the undocumented dig 8 feature 13650 of allowing arbitrary labels, not just dotted 13651 decimal quads, with the -x option. This can be 13652 used to conveniently look up RFC2317 names as in 13653 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598] 13654 13655 968. [bug] On win32, the isc_time_now() function was unnecessarily 13656 calling strtime(). [RT #1671] 13657 13658 967. [bug] On win32, the link for bindevt was not including the 13659 required resource file to enable the event viewer 13660 to interpret the error messages in the event log, 13661 [RT #1668] 13662 13663 966. [placeholder] 13664 13665 965. [bug] Including data other than root server NS and A 13666 records in the root hint file could cause a rbtdb 13667 node reference leak. [RT #1581, #1618] 13668 13669 964. [func] Warn if data other than root server NS and A records 13670 are found in the root hint file. 
[RT #1581, #1618] 13671 13672 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645] 13673 13674 962. [bug] libbind: bad "#undef", don't attempt to install 13675 non-existent nlist.h. [RT #1640] 13676 13677 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6 13678 was not defined. [RT #1482] 13679 13680 960. [port] liblwres failed to build on systems with support for 13681 getrrsetbyname() in the OS. [RT #1592] 13682 13683 959. [port] On FreeBSD, determine the number of CPUs by calling 13684 sysctlbyname(). [RT #1584] 13685 13686 958. [port] ssize_t is not available on all platforms. [RT #1607] 13687 13688 957. [bug] sys/select.h inclusion was broken on older platforms. 13689 [RT #1607] 13690 13691 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile 13692 in named/win32/os.c due to code changes in 13693 change #953. win32 .make file for rndc-confgen 13694 updated to add include path for os.h header. 13695 13696 --- 9.2.0rc1 released --- 13697 13698 955. [bug] When using views, the zone's class was not being 13699 inherited from the view's class. [RT #1583] 13700 13701 954. [bug] When requesting AXFRs or IXFRs using dig, host, or 13702 nslookup, the RD bit should not be set as zone 13703 transfers are inherently non-recursive. [RT #1575] 13704 13705 953. [func] The /var/run/named.key file from change #843 13706 has been replaced by /etc/rndc.key. Both 13707 named and rndc will look for this file and use 13708 it to configure a default control channel key 13709 if not already configured using a different 13710 method (rndc.conf / controls). Unlike 13711 named.key, rndc.key is not created automatically; 13712 it must be created by manually running 13713 "rndc-confgen -a". 13714 13715 952. [bug] The server required manual intervention to serve the 13716 affected zones if it died between creating a journal 13717 and committing the first change to it. 13718 13719 951. 
[bug] CFLAGS was not passed to the linker when 13720 linking some of the test programs under 13721 bin/tests. [RT #1555]. 13722 13723 950. [bug] Explicit TTLs did not properly override $TTL 13724 due to a bug in change 834. [RT #1558] 13725 13726 949. [bug] host was unable to print records larger than 512 13727 bytes. [RT #1557] 13728 13729 --- 9.2.0b2 released --- 13730 13731 948. [port] Integrated support for building on Windows NT / 13732 Windows 2000. 13733 13734 947. [bug] dns_rdata_soa_t had a badly named element "mname" which 13735 was really the RNAME field from RFC1035. To avoid 13736 confusion and silent errors that would occur it the 13737 "origin" and "mname" elements were given their correct 13738 names "mname" and "rname" respectively, the "mname" 13739 element is renamed to "contact". 13740 13741 946. [cleanup] doc/misc/options is now machine-generated from the 13742 configuration parser syntax tables, and therefore 13743 more likely to be correct. 13744 13745 945. [func] Add the new view-specific options 13746 "match-destinations" and "match-recursive-only". 13747 13748 944. [func] Check for expired signatures on load. 13749 13750 943. [bug] The server could crash when receiving a command 13751 via rndc if the configuration file listed only 13752 nonexistent keys in the controls statement. [RT #1530] 13753 13754 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly 13755 defined on some platforms. 13756 13757 941. [bug] The configuration checker crashed if a slave 13758 zone didn't contain a masters statement. [RT #1514] 13759 13760 940. [bug] Double zone locking failure on error path. [RT #1510] 13761 13762 --- 9.2.0b1 released --- 13763 13764 939. [port] Add the --disable-linux-caps option to configure for 13765 systems that manage capabilities outside of named. 13766 [RT #1503] 13767 13768 938. [placeholder] 13769 13770 937. [bug] A race when shutting down a zone could trigger a 13771 INSIST() failure. [RT #1034] 13772 13773 936. 
[func] Warn about IPv4 addresses that are not complete 13774 dotted quads. [RT #1084] 13775 13776 935. [bug] inet_pton failed to reject leading zeros. 13777 13778 934. [port] Deal with systems where accept() spuriously returns 13779 ECONNRESET. 13780 13781 933. [bug] configure failed doing libbind on platforms not 13782 supported by BIND 8. [RT #1496] 13783 13784 --- 9.2.0a3 released --- 13785 13786 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM, 13787 when installing isc-config.sh. 13788 [RT #198, #1466] 13789 13790 931. [bug] The controls statement only attempted to verify 13791 messages using the first key in the key list. 13792 (9.2.0a1/a2 only). 13793 13794 930. [func] Query performance testing tool added as 13795 contrib/queryperf. 13796 13797 929. [placeholder] 13798 13799 928. [bug] nsupdate would send empty update packets if the 13800 send (or empty line) command was run after 13801 another send but before any new updates or 13802 prerequisites were specified. It should simply 13803 ignore this command. 13804 13805 927. [bug] Don't hold the zone lock for the entire dump to disk. 13806 [RT #1423] 13807 13808 926. [bug] The resolver could deadlock with the ADB when 13809 shutting down (multi-threaded builds only). 13810 [RT #1324] 13811 13812 925. [cleanup] Remove openssl from the distribution; require that 13813 --with-openssl be specified if DNSSEC is needed. 13814 13815 924. [port] Extend support for pre-RFC2133 IPv6 implementation. 13816 [RT #987] 13817 13818 923. [bug] Multiline TSIG secrets (and other multiline strings) 13819 were not accepted in named.conf. [RT #1469] 13820 13821 922. [func] Added two new lwres_getrrsetbyname() result codes, 13822 ERR_NONAME and ERR_NODATA. 13823 13824 921. [bug] lwres returned an incorrect error code if it received 13825 a truncated message. 13826 13827 920. [func] Increase the lwres receive buffer size to 16K. 13828 [RT #1451] 13829 13830 919. [placeholder] 13831 13832 918. 
[func] In nsupdate, TSIG errors are no longer treated as 13833 fatal errors. 13834 13835 917. [func] New nsupdate command 'key', allowing TSIG keys to 13836 be specified in the nsupdate command stream rather 13837 than the command line. 13838 13839 916. [bug] Specifying type ixfr to dig without specifying 13840 a serial number failed in unexpected ways. 13841 13842 915. [func] The named-checkconf and named-checkzone programs 13843 now have a '-v' option for printing their version. 13844 [RT #1151] 13845 13846 914. [bug] Global 'server' statements were rejected when 13847 using views, even though they were accepted 13848 in 9.1. [RT #1368] 13849 13850 913. [bug] Cache cleaning was not sufficiently aggressive. 13851 [RT #1441, #1444] 13852 13853 912. [bug] Attempts to set the 'additional-from-cache' or 13854 'additional-from-auth' option to 'no' in a 13855 server with recursion enabled will now 13856 be ignored and cause a warning message. 13857 [RT #1145] 13858 13859 911. [placeholder] 13860 13861 910. [port] Some pre-RFC2133 IPv6 implementations do not define 13862 IN6ADDR_ANY_INIT. [RT #1416] 13863 13864 909. [placeholder] 13865 13866 908. [func] New program, rndc-confgen, to simplify setting up rndc. 13867 13868 907. [func] The ability to get entropy from either the 13869 random device, a user-provided file or from 13870 the keyboard was migrated from the DNSSEC tools 13871 to libisc as isc_entropy_usebestsource(). 13872 13873 906. [port] Separated the system independent portion of 13874 lib/isc/unix/entropy.c into lib/isc/entropy.c 13875 and added lib/isc/win32/entropy.c. 13876 13877 905. [bug] Configuring a forward "zone" for the root domain 13878 did not work. [RT #1418] 13879 13880 904. [bug] The server would leak memory if attempting to use 13881 an expired TSIG key. [RT #1406] 13882 13883 903. [bug] dig should not crash when receiving a TCP packet 13884 of length 0. 13885 13886 902. 
[bug] The -d option was ignored if both -t and -g were also 13887 specified. 13888 13889 901. [placeholder] 13890 13891 900. [bug] A config.guess update changed the system identification 13892 string of FreeBSD systems; configure and 13893 bin/tests/system/ifconfig.sh now recognize the new 13894 string. 13895 13896 --- 9.2.0a2 released --- 13897 13898 899. [bug] lib/dns/soa.c failed to compile on many platforms 13899 due to inappropriate use of a void value. 13900 [RT #1372, #1373, #1386, #1387, #1395] 13901 13902 898. [bug] "dig" failed to set a nonzero exit status 13903 on UDP query timeout. [RT #1323] 13904 13905 897. [bug] A config.guess update changed the system identification 13906 string of UnixWare systems; configure now recognizes 13907 the new string. 13908 13909 896. [bug] If a configuration file is set on named's command line 13910 and it has a relative pathname, the current directory 13911 (after any possible jailing resulting from named -t) 13912 will be prepended to it so that reloading works 13913 properly even when a directory option is present. 13914 13915 895. [func] New function, isc_dir_current(), akin to POSIX's 13916 getcwd(). 13917 13918 894. [bug] When using the DNSSEC tools, a message intended to warn 13919 when the keyboard was being used because of the lack 13920 of a suitable random device was not being printed. 13921 13922 893. [func] Removed isc_file_test() and added isc_file_exists() 13923 for the basic functionality that was being added 13924 with isc_file_test(). 13925 13926 892. [placeholder] 13927 13928 891. [bug] Return an error when a SIG(0) signed response to 13929 an unsigned query is seen. This should actually 13930 do the verification, but it's not currently 13931 possible. [RT #1391] 13932 13933 890. [cleanup] The man pages no longer require the mandoc macros 13934 and should now format cleanly using most versions of 13935 nroff, and HTML versions of the man pages have been 13936 added. 
Both are generated from DocBook source. 13937 13938 889. [port] Eliminated blank lines before .TH in nroff man 13939 pages since they cause problems with some versions 13940 of nroff. [RT #1390] 13941 13942 888. [bug] Don't die when using TKEY to delete a nonexistent 13943 TSIG key. [RT #1392] 13944 13945 887. [port] Detect broken compilers that can't call static 13946 functions from inline functions. [RT #1212] 13947 13948 886. [placeholder] 13949 13950 885. [placeholder] 13951 13952 884. [placeholder] 13953 13954 883. [placeholder] 13955 13956 882. [placeholder] 13957 13958 881. [placeholder] 13959 13960 880. [placeholder] 13961 13962 879. [placeholder] 13963 13964 878. [placeholder] 13965 13966 877. [placeholder] 13967 13968 876. [placeholder] 13969 13970 875. [placeholder] 13971 13972 874. [placeholder] 13973 13974 873. [placeholder] 13975 13976 872. [placeholder] 13977 13978 871. [placeholder] 13979 13980 870. [placeholder] 13981 13982 869. [placeholder] 13983 13984 868. [placeholder] 13985 13986 867. [placeholder] 13987 13988 866. [func] Close debug only file channels when debug is set to 13989 zero. [RT #1246] 13990 13991 865. [bug] The new configuration parser did not allow 13992 the optional debug level in a "severity debug" 13993 clause of a logging channel to be omitted. 13994 This is now allowed and treated as "severity 13995 debug 1;" like it does in BIND 8.2.4, not as 13996 "severity debug 0;" like it did in BIND 9.1. 13997 [RT #1367] 13998 13999 864. [cleanup] Multi-threading is now enabled by default on 14000 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX. 14001 14002 863. [bug] If an error occurred while an outgoing zone transfer 14003 was starting up, the server could access a domain 14004 name that had already been freed when logging a 14005 message saying that the transfer was starting. 14006 [RT #1383] 14007 14008 862. [bug] Use after realloc(), non portable pointer arithmetic in 14009 grmerge(). 14010 14011 861. 
[port] Add support for Mac OS X, by making it equivalent 14012 to Darwin. This was derived from the config.guess 14013 file shipped with Mac OS X. [RT #1355] 14014 14015 860. [func] Drop cross class glue in zone transfers. 14016 14017 859. [bug] Cache cleaning now won't swamp the CPU if there 14018 is a persistent over limit condition. 14019 14020 858. [func] isc_mem_setwater() no longer requires that when the 14021 callback function is non-NULL then its hi_water 14022 argument must be greater than its lo_water argument 14023 (they can now be equal) or that they be non-zero. 14024 14025 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for 14026 structs, for our friends in EBCDIC-land. 14027 14028 856. [func] Allow partial rdatasets to be returned in answer and 14029 authority sections to help non-TCP capable clients 14030 recover from truncation. [RT #1301] 14031 14032 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings. 14033 14034 854. [bug] The config parser didn't properly handle config 14035 options that were specified in units of time other 14036 than seconds. [RT #1372] 14037 14038 853. [bug] configure_view_acl() failed to detach existing acls. 14039 [RT #1374] 14040 14041 852. [bug] Handle responses from servers which do not know 14042 about IXFR. 14043 14044 851. [cleanup] The obsolete support-ixfr option was not properly 14045 ignored. 14046 14047 --- 9.2.0a1 released --- 14048 14049 850. [bug] dns_rbt_findnode() would not find nodes that were 14050 split on a bitstring label somewhere other than in 14051 the last label of the node. [RT #1351] 14052 14053 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined. 14054 14055 848. [func] A minimum max-cache-size of two megabytes is enforced 14056 by the cache cleaner. 14057 14058 847. 
[func] Added isc_file_test(), which currently only has 14059 some very basic functionality to test for the 14060 existence of a file, whether a pathname is absolute, 14061 or whether a pathname is the fundamental representation 14062 of the current directory. It is intended that this 14063 function can be expanded to test other things a 14064 programmer might want to know about a file. 14065 14066 846. [func] A non-zero 'param' to dst_key_generate() when making an 14067 hmac-md5 key means that good entropy is not required. 14068 14069 845. [bug] The access rights on the public file of a symmetric 14070 key are now restricted as soon as the file is opened, 14071 rather than after it has been written and closed. 14072 14073 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined, 14074 just as <lwres/net.h> does. 14075 14076 843. [func] If no controls statement is present in named.conf, 14077 or if any inet phrase of a controls statement is 14078 lacking a keys clause, then a key will be automatically 14079 generated by named and an rndc.conf-style file 14080 named named.key will be written that uses it. rndc 14081 will use this file only if its normal configuration 14082 file, or one provided on the command line, does not 14083 exist. 14084 14085 842. [func] 'rndc flush' now takes an optional view. 14086 14087 841. [bug] When sdb modules were not declared threadsafe, their 14088 create and destroy functions were not serialized. 14089 14090 840. [bug] The config file parser could print the wrong file 14091 name if an error was detected after an included file 14092 was parsed. [RT #1353] 14093 14094 839. [func] Dump packets for which there was no view or that the 14095 class could not be determined to category "unmatched". 14096 14097 838. [port] UnixWare 7.x.x is now supported by 14098 bin/tests/system/ifconfig.sh. 14099 14100 837. [cleanup] Multi-threading is now enabled by default only on 14101 OSF1, Solaris 2.7 and newer, and AIX. 14102 14103 836. 
[func] Upgraded libtool to 1.4. 14104 14105 835. [bug] The dispatcher could enter a busy loop if 14106 it got an I/O error receiving on a UDP socket. 14107 [RT #1293] 14108 14109 834. [func] Accept (but warn about) master files beginning with 14110 an SOA record without an explicit TTL field and 14111 lacking a $TTL directive, by using the SOA MINTTL 14112 as a default TTL. This is for backwards compatibility 14113 with old versions of BIND 8, which accepted such 14114 files without warning although they are illegal 14115 according to RFC1035. 14116 14117 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to 14118 <dns/soa.h>, and extended them to support 14119 all the integer-valued fields of the SOA RR. 14120 14121 832. [bug] The default location for named.conf in named-checkconf 14122 should depend on --sysconfdir like it does in named. 14123 [RT #1258] 14124 14125 831. [placeholder] 14126 14127 830. [func] Implement 'rndc status'. 14128 14129 829. [bug] The DNS_R_ZONECUT result code should only be returned 14130 when an ANY query is made with DNS_DBFIND_GLUEOK set. 14131 In all other ANY query cases, returning the delegation 14132 is better. 14133 14134 828. [bug] The errno value from recvfrom() could be overwritten 14135 by logging code. [RT #1293] 14136 14137 827. [bug] When an IXFR protocol error occurs, the slave 14138 should retry with AXFR. 14139 14140 826. [bug] Some IXFR protocol errors were not detected. 14141 14142 825. [bug] zone.c:ns_query() detached from the wrong zone 14143 reference. [RT #1264] 14144 14145 824. [bug] Correct line numbers reported by dns_master_load(). 14146 [RT #1263] 14147 14148 823. [func] The output of "dig -h" now goes to stdout so that it 14149 can easily be piped through "more". [RT #1254] 14150 14151 822. [bug] Sending nxrrset prerequisites would crash nsupdate. 14152 [RT #1248] 14153 14154 821. [bug] The program name used when logging to syslog should 14155 be stripped of leading path components. 
14156 [RT #1178, #1232] 14157 14158 820. [bug] Name server address lookups failed to follow 14159 A6 chains into the glue of local authoritative 14160 zones. 14161 14162 819. [bug] In certain cases, the resolver's attempts to 14163 restart an address lookup at the root could cause 14164 the fetch to deadlock (with itself) instead of 14165 restarting. [RT #1225] 14166 14167 818. [bug] Certain pathological responses to ANY queries could 14168 cause an assertion failure. [RT #1218] 14169 14170 817. [func] Adjust timeouts for dialup zone queries. 14171 14172 816. [bug] Report potential problems with log file accessibility 14173 at configuration time, since such problems can't 14174 reliably be reported at the time they actually occur. 14175 14176 815. [bug] If a log file was specified with a path separator 14177 character (i.e. "/") in its name and the directory 14178 did not exist, the log file's name was treated as 14179 though it were the directory name. [RT #1189] 14180 14181 814. [bug] Socket objects left over from accept() failures 14182 were incorrectly destroyed, causing corruption 14183 of socket manager data structures. 14184 14185 813. [bug] File descriptors exceeding FD_SETSIZE were handled 14186 badly. [RT #1192] 14187 14188 812. [bug] dig sometimes printed incomplete IXFR responses 14189 due to an uninitialized variable. [RT #1188] 14190 14191 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194] 14192 14193 810. [bug] The signer name in SIG records was not properly 14194 down-cased when signing/verifying records. [RT #1186] 14195 14196 809. [bug] Configuring a non-local address as a transfer-source 14197 could cause an assertion failure during load. 14198 14199 808. [func] Add 'rndc flush' to flush the server's cache. 14200 14201 807. [bug] When setting up TCP connections for incoming zone 14202 transfers, the transfer-source port was not 14203 ignored like it should be. 14204 14205 806. 
[bug] DNS_R_SEENINCLUDE was failing to propagate back up 14206 the calling stack to the zone maintenance level, 14207 causing zones to not reload when an included file was 14208 touched but the top-level zone file was not. 14209 14210 805. [bug] When using "forward only", missing root hints should 14211 not cause queries to fail. [RT #1143] 14212 14213 804. [bug] Attempting to obtain entropy could fail in some 14214 situations. This would be most common on systems 14215 with user-space threads. [RT #1131] 14216 14217 803. [bug] Treat all SIG queries as if they have the CD bit set, 14218 otherwise no data will be returned [RT #749] 14219 14220 802. [bug] DNSSEC key tags were computed incorrectly in almost 14221 all cases. [RT #1146] 14222 14223 801. [bug] nsupdate should treat lines beginning with ';' as 14224 comments. [RT #1139] 14225 14226 800. [bug] dnssec-signzone produced incorrect statistics for 14227 large zones. [RT #1133] 14228 14229 799. [bug] The ADB didn't find AAAA glue in a zone unless A6 14230 glue was also present. 14231 14232 798. [bug] nsupdate should be able to reject bad input lines 14233 and continue. [RT #1130] 14234 14235 797. [func] Issue a warning if the 'directory' option contains 14236 a relative path. [RT #269] 14237 14238 796. [func] When a size limit is associated with a log file, 14239 only roll it when the size is reached, not every 14240 time the log file is opened. [RT #1096] 14241 14242 795. [func] Add the +multiline option to dig. [RT #1095] 14243 14244 794. [func] Implement the "port" and "default-port" statements 14245 in rndc.conf. 14246 14247 793. [cleanup] The DNSSEC tools could create filenames that were 14248 illegal or contained shell meta-characters. They 14249 now use a different text encoding of names that 14250 doesn't have these problems. [RT #1101] 14251 14252 792. [cleanup] Replace the OMAPI command channel protocol with a 14253 simpler one. 14254 14255 791. [bug] The command channel now works over IPv6. 
14256 14257 790. [bug] Wildcards created using dynamic update or IXFR 14258 could fail to match. [RT #1111] 14259 14260 789. [bug] The "localhost" and "localnets" ACLs did not match 14261 when used as the second element of a two-element 14262 sortlist item. 14263 14264 788. [func] Add the "match-mapped-addresses" option, which 14265 causes IPv6 v4mapped addresses to be treated as 14266 IPv4 addresses for the purpose of acl matching. 14267 14268 787. [bug] The DNSSEC tools failed to downcase domain 14269 names when mapping them into file names. 14270 14271 786. [bug] When DNSSEC signing/verifying data, owner names were 14272 not properly down-cased. 14273 14274 785. [bug] A race condition in the resolver could cause 14275 an assertion failure. [RT #673, #872, #1048] 14276 14277 784. [bug] nsupdate and other programs would not quit properly 14278 if some signals were blocked by the caller. [RT #1081] 14279 14280 783. [bug] Following CNAMEs could cause an assertion failure 14281 when either using an sdb database or under very 14282 rare conditions. 14283 14284 782. [func] Implement the "serial-query-rate" option. 14285 14286 781. [func] Avoid error packet loops by dropping duplicate FORMERR 14287 responses. [RT #1006] 14288 14289 780. [bug] Error handling code dealing with out of memory or 14290 other rare errors could lead to assertion failures 14291 by calling functions on uninitialized names. [RT #1065] 14292 14293 779. [func] Added the "minimal-responses" option. 14294 14295 778. [bug] When starting cache cleaning, cleaning_timer_action() 14296 returned without first pausing the iterator, which 14297 could cause deadlock. [RT #998] 14298 14299 777. [bug] An empty forwarders list in a zone failed to override 14300 global forwarders. [RT #995] 14301 14302 776. [func] Improved error reporting in denied messages. [RT #252] 14303 14304 775. [placeholder] 14305 14306 774. [func] max-cache-size is implemented. 14307 14308 773. 
[func] Added isc_rwlock_trylock() to attempt to lock without 14309 blocking. 14310 14311 772. [bug] Owner names could be incorrectly omitted from cache 14312 dumps in the presence of negative caching entries. 14313 [RT #991] 14314 14315 771. [cleanup] TSIG errors related to unsynchronized clocks 14316 are logged better. [RT #919] 14317 14318 770. [func] Add the "edns yes_or_no" statement to the server 14319 clause. [RT #524] 14320 14321 769. [func] Improved error reporting when parsing rdata. [RT #740] 14322 14323 768. [bug] The server did not emit an SOA when a CNAME 14324 or DNAME chain ended in NXDOMAIN in an 14325 authoritative zone. 14326 14327 767. [placeholder] 14328 14329 766. [bug] A few cases in query_find() could leak fname. 14330 This would trigger the mpctx->allocated == 0 14331 assertion when the server exited. 14332 [RT #739, #776, #798, #812, #818, #821, #845, 14333 #892, #935, #966] 14334 14335 765. [func] ACL names are once again case insensitive, like 14336 in BIND 8. [RT #252] 14337 14338 764. [func] Configuration files now allow "include" directives 14339 in more places, such as inside the "view" statement. 14340 [RT #377, #728, #860] 14341 14342 763. [func] Configuration files no longer have reserved words. 14343 [RT #731, #753] 14344 14345 762. [cleanup] The named.conf and rndc.conf file parsers have 14346 been completely rewritten. 14347 14348 761. [bug] _REENTRANT was still defined when building with 14349 --disable-threads. 14350 14351 760. [contrib] Significant enhancements to the pgsql sdb driver. 14352 14353 759. [bug] The resolver didn't turn off "avoid fetches" mode 14354 when restarting, possibly causing resolution 14355 to fail when it should not. This bug only affected 14356 platforms which support both IPv4 and IPv6. [RT #927] 14357 14358 758. [bug] The "avoid fetches" code did not treat negative 14359 cache entries correctly, causing fetches that would 14360 be useful to be avoided. 
This bug only affected 14361 platforms which support both IPv4 and IPv6. [RT #927] 14362 14363 757. [func] Log zone transfers. 14364 14365 756. [bug] dns_zone_load() could "return" success when no master 14366 file was configured. 14367 14368 755. [bug] Fix incorrectly formatted log messages in zone.c. 14369 14370 754. [bug] Certain failure conditions sending UDP packets 14371 could cause the server to retry the transmission 14372 indefinitely. [RT #902] 14373 14374 753. [bug] dig, host, and nslookup would fail to contact a 14375 remote server if getaddrinfo() returned an IPv6 14376 address on a system that doesn't support IPv6. 14377 [RT #917] 14378 14379 752. [func] Correct bad tv_usec elements returned by 14380 gettimeofday(). 14381 14382 751. [func] Log successful zone loads / transfers. [RT #898] 14383 14384 750. [bug] A query should not match a DNAME whose trust level 14385 is pending. [RT #916] 14386 14387 749. [bug] When a query matched a DNAME in a secure zone, the 14388 server did not return the signature of the DNAME. 14389 [RT #915] 14390 14391 748. [doc] List supported RFCs in doc/misc/rfc-compliance. 14392 [RT #781] 14393 14394 747. [bug] The code to determine whether an IXFR was possible 14395 did not properly check for a database that could 14396 not have a journal. [RT #865, #908] 14397 14398 746. [bug] The sdb didn't clone rdatasets properly, causing 14399 a crash when the server followed delegations. [RT #905] 14400 14401 745. [func] Report the owner name of records that fail 14402 semantic checks while loading. 14403 14404 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the 14405 result of an ANY or SIG query, the resolver failed 14406 to setup the return event's rdatasets, causing an 14407 assertion failure in the query code. [RT #881] 14408 14409 743. [bug] Receiving a large number of certain malformed 14410 answers could cause named to stop responding. 14411 [RT #861] 14412 14413 742. [placeholder] 14414 14415 741. 
[port] Support openssl-engine. [RT #709]

740. [port] Handle openssl library mismatches slightly better.

739. [port] Look for /dev/random in configure, rather than assuming it will be there for only a predefined set of OSes.

738. [bug] If a non-threadsafe sdb driver supported AXFR and received an AXFR request, it would deadlock or die with an assertion failure. [RT #852]

737. [port] stdtime.c failed to compile on certain platforms.

736. [func] New functions isc_task_{begin,end}exclusive().

735. [doc] Add BIND 4 migration notes.

734. [bug] An attempt to re-lock the zone lock could occur if the server was shut down during a zone transfer. [RT #830]

733. [bug] Reference counts of dns_acl_t objects need to be locked but were not. [RT #801, #821]

732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]

731. [bug] Certain zone errors could cause named-checkzone to fail ungracefully. [RT #819]

730. [bug] lwres_getaddrinfo() returns the correct result when it fails to contact a server. [RT #768]

729. [port] pthread_setconcurrency() needs to be called on Solaris.

728. [bug] Fix comment processing on master file directives. [RT #757]

727. [port] Work around OS bug where accept() succeeds but fails to fill in the peer address of the accepted connection, by treating it as an error rather than an assertion failure. [RT #809]

726. [func] Implement the "trace" and "notrace" commands in rndc.

725. [bug] Installing man pages could fail.

724. [func] New libisc functions isc_netaddr_any(), isc_netaddr_any6().

723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver to return DNS_R_SERVFAIL. [RT #783]

722. [func] Allow incremental loads to be canceled.

721. [cleanup] Load manager and dns_master_loadfilequota() are no more.

720. [bug] Server could enter infinite loop in dispatch.c:do_cancel(). [RT #733]

719. [bug] Rapid reloads could trigger an assertion failure. [RT #743, #763]

718. [cleanup] "internal" is no longer a reserved word in named.conf. [RT #753, #731]

717. [bug] Certain TKEY processing failure modes could reference an uninitialized variable, causing the server to crash. [RT #750]

716. [bug] The first line of a $INCLUDE master file was lost if an origin was specified. [RT #744]

715. [bug] Resolving some A6 chains could cause an assertion failure in adb.c. [RT #738]

714. [bug] Preserve interval timers across reloads unless changed. [RT #729]

713. [func] named-checkconf takes '-t directory' similar to named. [RT #726]

712. [bug] Sending a large signed update message caused an assertion failure. [RT #718]

711. [bug] The libisc and liblwres implementations of inet_ntop contained an off by one error.

710. [func] The forwarders statement now takes an optional port. [RT #418]

709. [bug] ANY or SIG queries for data with a TTL of 0 would return SERVFAIL. [RT #620]

708. [bug] When building with --with-openssl, the openssl headers included with BIND 9 should not be used. [RT #702]

707. [func] The "filename" argument to named-checkzone is no longer optional, to reduce confusion. [RT #612]

706. [bug] Zones with an explicit "allow-update { none; };" were considered dynamic and therefore not reloaded on SIGHUP or "rndc reload".

705. [port] Work out resource limit type for use where rlim_t is not available. [RT #695]

704. [port] RLIMIT_NOFILE is not available on all platforms.
[RT #695]

703. [port] sys/select.h is needed on older platforms. [RT #695]

702. [func] If the address 0.0.0.0 is seen in resolv.conf, use 127.0.0.1 instead. [RT #693]

701. [func] Root hints are now fully optional. Class IN views use compiled-in hints by default, as before. Non-IN views with no root hints now provide authoritative service but not recursion. A warning is logged if a view has neither root hints nor authoritative data for the root. [RT #696]

700. [bug] $GENERATE range check was wrong. [RT #688]

699. [bug] The lexer mishandled empty quoted strings. [RT #694]

698. [bug] Aborting nsupdate with ^C would lead to several race conditions.

697. [bug] nsupdate was not compatible with the undocumented BIND 8 behavior of ignoring TTLs in "update delete" commands. [RT #693]

696. [bug] lwresd would die with an assertion failure when passed a zero-length name. [RT #692]

695. [bug] If the resolver attempted to query a blackholed or bogus server, the resolution would fail immediately.

694. [bug] $GENERATE did not produce the last entry. [RT #682, #683]

693. [bug] An empty lwres statement in named.conf caused the server to crash while loading.

692. [bug] Deal with systems that have getaddrinfo() but not gai_strerror(). [RT #679]

691. [bug] Configuring per-view forwarders caused an assertion failure. [RT #675, #734]

690. [func] $GENERATE now supports DNAME. [RT #654]

689. [doc] man pages are now installed. [RT #210]

688. [func] "make tags" now works on systems with the "Exuberant Ctags" etags.

687. [bug] Only say we have IPv6, with sufficient functionality, if it has actually been tested. [RT #586]

686.
[bug] dig and nslookup can now be properly aborted during blocking operations. [RT #568]

685. [bug] nslookup should use the search list/domain options from resolv.conf by default. [RT #405, #630]

684. [bug] Memory leak with view forwarders. [RT #656]

683. [bug] File descriptor leak in isc_lex_openfile().

682. [bug] nslookup displayed SOA records incorrectly. [RT #665]

681. [bug] $GENERATE specifying output format was broken. [RT #653]

680. [bug] dns_rdata_fromstruct() mishandled options bigger than 255 octets.

679. [bug] $INCLUDE could leak memory and file descriptors on reload. [RT #639]

678. [bug] "transfer-format one-answer;" could trigger an assertion failure. [RT #646]

677. [bug] dnssec-signzone would occasionally use the wrong ttl for database operations and fail. [RT #643]

676. [bug] Log messages about lame servers to category 'lame-servers' rather than 'resolver', so as not to be gratuitously incompatible with BIND 8.

675. [bug] TKEY queries could cause the server to leak memory.

674. [func] Allow messages to be TSIG signed / verified using an offset from the current time.

673. [func] The server can now convert RFC1886-style recursive lookup requests into RFC2874-style lookups, when enabled using the new option "allow-v6-synthesis".

672. [bug] The wrong time was in the "time signed" field when replying with BADTIME error.

671. [bug] The message code was failing to parse a message with no question section and a TSIG record. [RT #628]

670. [bug] The lwres replacements for getaddrinfo and getipnodebyname didn't properly check for the existence of the sockaddr sa_len field.

669.
[bug] dnssec-keygen now makes the public key file non-world-readable for symmetric keys. [RT #403]

668. [func] named-checkzone now reports multiple errors in master files.

667. [bug] On Linux, running named with the -u option and a non-world-readable configuration file didn't work. [RT #626]

666. [bug] If a request sent by dig is longer than 512 bytes, use TCP.

665. [bug] Signed responses were not sent when the size of the TSIG + question exceeded the maximum message size. [RT #628]

664. [bug] The t_tasks and t_timers module tests are now skipped when building without threads, since they require threads.

663. [func] Accept a size_spec, not just an integer, in the (unimplemented and ignored) max-ixfr-log-size option for compatibility with recent versions of BIND 8. [RT #613]

662. [bug] dns_rdata_fromtext() failed to log certain errors.

661. [bug] Certain UDP IXFR requests caused an assertion failure (mpctx->allocated == 0). [RT #355, #394, #623]

660. [port] Detect multiple CPUs on HP-UX and IRIX.

659. [performance] Rewrite the name compression code to be much faster.

658. [cleanup] Remove all vestiges of 16 bit global compression.

657. [bug] When a listen-on statement in an lwres block does not specify a port, use 921, not 53. Also update the listen-on documentation. [RT #616]

656. [func] Treat an unescaped newline in a quoted string as an error. This means that TXT records with missing close quotes should have meaningful errors printed.

655. [bug] Improve error reporting on unexpected eof when loading zones. [RT #611]

654. [bug] Origin was being forgotten in TCP retries in dig. [RT #574]

653. [bug] +defname option in dig was reversed in sense.
[RT #549]

652. [bug] zone_saveunique() did not report the new name.

651. [func] The AD bit in responses now has the meaning specified in <draft-ietf-dnsext-ad-is-secure>.

650. [bug] SIG(0) records were being generated and verified incorrectly. [RT #606]

649. [bug] It was possible to join to an already running fctx after it had "cloned" its events, but before it sent them. In this case, the event of the newly joined fetch would not contain the answer, and would trigger the INSIST() in fctx_sendevents(). In BIND 9.0, this bug did not trigger an INSIST(), but caused the fetch to fail with a SERVFAIL result. [RT #588, #597, #605, #607]

648. [port] Add support for pre-RFC2133 IPv6 implementations.

647. [bug] Resolver queries sent after following multiple referrals had excessively long retransmission timeouts due to incorrectly counting the referrals as "restarts".

646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h didn't _cleanly_ fix the problem it was trying to fix.

645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]

644. [bug] #622 needed more work. [RT #562]

643. [bug] xfrin error messages made more verbose, added class of the zone. [RT #599]

642. [bug] Break the exit_check() race in the zone module. [RT #598]

--- 9.1.0b2 released ---

641. [bug] $GENERATE caused an uninitialized link to be used. [RT #595]

640. [bug] Memory leak in error path could cause "mpctx->allocated == 0" failure. [RT #584]

639. [bug] Reading entropy from the keyboard would sometimes fail. [RT #591]

638. [port] lib/isc/random.c needed to explicitly include time.h to get a prototype for time() when pthreads was not being used. [RT #592]

637.
[port] Use isc_u?int64_t instead of (unsigned) long long in lib/isc/print.c. Also allow lib/isc/print.c to be compiled even if the platform does not need it. [RT #592]

636. [port] Shut up MSVC++ about a possible loss of precision in the ISC__BUFFER_PUTUINT*() macros. [RT #592]

635. [bug] Reloading a server with a configured blackhole list would cause an assertion. [RT #590]

634. [bug] A log file will completely stop being written when it reaches the maximum size in all cases, not just when versioning is also enabled. [RT #570]

633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]

632. [bug] The index array of the journal file was corrupted as it was written to disk.

631. [port] Build without thread support on systems without pthreads.

630. [bug] Locking failure in zone code. [RT #582]

629. [bug] 9.1.0b1 dereferenced a null pointer and crashed when responding to a UDP IXFR request.

628. [bug] If the root hints contained only AAAA addresses, named would be unable to perform resolution.

627. [bug] The EDNS0 blackhole detection code of change 324 waited for three retransmissions to each server, which takes much too long when a domain has many name servers and all of them drop EDNS0 queries. Now we retry without EDNS0 after three consecutive timeouts, even if they are all from different servers. [RT #143]

626. [bug] The lightweight resolver daemon no longer crashes when asked for a SIG rrset. [RT #558]

625. [func] Zones now inherit their class from the enclosing view.

624. [bug] The zone object could get timer events after it had been destroyed, causing a server crash. [RT #571]

623.
[func] Added "named-checkconf" and "named-checkzone" programs for syntax checking named.conf files and zone files, respectively.

622. [bug] A canceled request could be destroyed before dns_request_destroy() was called. [RT #562]

621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable. This mostly affects Red Hat Linux 7.0, which has conflicts between libc and the kernel.

620. [bug] dns_master_load*inc() now require 'task' and 'load' to be non-null. Also 'done' will not be called if dns_master_load*inc() fails immediately. [RT #565]

619. [placeholder]

618. [bug] Queries to a signed zone could sometimes cause an assertion failure.

617. [bug] When using dynamic update to add a new RR to an existing RRset with a different TTL, the journal entries generated from the update did not include explicit deletions and re-additions of the existing RRs to update their TTL to the new value.

616. [func] dnssec-signzone -t output now includes performance statistics.

615. [bug] dnssec-signzone did not like child keysets signed by multiple keys.

614. [bug] Checks for uninitialized link fields were prone to false positives, causing assertion failures. The checks are now disabled by default and may be re-enabled by defining ISC_LIST_CHECKINIT.

613. [bug] "rndc reload zone" now reloads primary zones. It previously only updated slave and stub zones, if an SOA query indicated an out of date serial.

612. [cleanup] Shut up a ridiculously noisy HP-UX compiler that complains relentlessly about how its treatment of 'const' has changed as well as how casting sometimes tightens alignment constraints.

611.
[func] allow-notify can be used to permit processing of notify messages from hosts other than a slave's masters.

610. [func] rndc dumpdb is now supported.

609. [bug] getrrsetbyname() would crash lwresd if the server found more SIGs than answers. [RT #554]

608. [func] dnssec-signzone now adds a comment to the zone with the time the file was signed.

607. [bug] nsupdate would fail if it encountered a CNAME or DNAME in a response to an SOA query. [RT #515]

606. [bug] Compiling with --disable-threads failed due to isc_thread_self() being incorrectly defined as an integer rather than a function.

605. [func] New function isc_lex_getlasttokentext().

604. [bug] The named.conf parser could print incorrect line numbers when long comments were present.

603. [bug] Make dig handle multiple types or classes on the same query more correctly.

602. [func] Cope automatically with UnixWare's broken IN6_IS_ADDR_* macros. [RT #539]

601. [func] Return a non-zero exit code if an update fails in nsupdate.

600. [bug] Reverse lookups sometimes failed in dig, etc...

599. [func] Added four new functions to the libisc log API to support i18n messages. isc_log_iwrite(), isc_log_ivwrite(), isc_log_iwrite1() and isc_log_ivwrite1() were added.

598. [bug] An update-policy statement would cause the server to assert while loading. [RT #536]

597. [func] dnssec-signzone is now multi-threaded.

596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are not mutually exclusive.

595. [port] On Linux 2.2, socket() returns EINVAL when it should return EAFNOSUPPORT. Work around this. [RT #531]

594.
[func] sdb drivers are now assumed to not be thread-safe unless the DNS_SDBFLAG_THREADSAFE flag is supplied.

593. [bug] If a secure zone was missing all its NXTs and a dynamic update was attempted, the server entered an infinite loop.

592. [bug] The sig-validity-interval option now specifies a number of days, not seconds. This matches the documentation. [RT #529]

--- 9.1.0b1 released ---

591. [bug] Work around non-reentrancy in openssl by disabling pre-computation in keys.

590. [doc] There are now man pages for the lwres library in doc/man/lwres.

589. [bug] The server could deadlock if a zone was updated while being transferred out.

588. [bug] ctx->in_use was not being correctly initialized when pushing a file for $INCLUDE. [RT #523]

587. [func] A warning is now printed if the "allow-update" option allows updates based on the source IP address, to alert users to the fact that this is insecure and becoming increasingly so as servers capable of update forwarding are being deployed.

586. [bug] multiple views with the same name were fatal. [RT #516]

585. [func] dns_db_addrdataset() and dns_rdataslab_merge() now support 'exact' additions in a similar manner to dns_db_subtractrdataset() and dns_rdataslab_subtract().

584. [func] You can now say 'notify explicit'; to suppress notification of the servers listed in NS records and notify only those servers listed in the 'also-notify' option.

583. [func] "rndc querylog" will now toggle logging of queries, like "ndc querylog" in BIND 8.

582. [bug] dns_zone_idetach() failed to lock the zone. [RT #199, #463]

581. [bug] log severity was not being correctly processed. [RT #485]

580.
[func] Ignore trailing garbage on incoming DNS packets, for interoperability with broken server implementations. [RT #491]

579. [bug] nsupdate did not take a filename to read update from. [RT #492]

578. [func] New config option "notify-source", to specify the source address for notify messages.

577. [func] Log illegal RDATA combinations. e.g. multiple singleton types, cname and other data.

576. [doc] isc_log_create() description did not match reality.

575. [bug] isc_log_create() was not setting internal state correctly to reflect the default channels created.

574. [bug] TSIG signed queries sent by the resolver would fail to have their responses validated and would leak memory.

573. [bug] The journal files of IXFRed slave zones were inadvertently discarded on server reload, causing "journal out of sync with zone" errors on subsequent reloads. [RT #482]

572. [bug] Quoted strings were not accepted as key names in address match lists.

571. [bug] It was possible to create an rdataset of singleton type which had more than one rdata. [RT #154] [RT #279]

570. [bug] rbtdb.c allowed zones containing nodes which had both a CNAME and "other data". [RT #154]

569. [func] The DNSSEC AD bit will not be set on queries which have not requested a DNSSEC response.

568. [func] Add sample simple database drivers in contrib/sdb.

567. [bug] Setting the zone transfer timeout to zero caused an assertion failure. [RT #302]

566. [func] New public function dns_timer_setidle().

565. [func] Log queries more like BIND 8: query logging is now done to category "queries", level "info". [RT #169]

564. [func] Add sortlist support to lwresd.

563.
[func] New public functions dns_rdatatype_format() and dns_rdataclass_format(), for convenient formatting of rdata type/class mnemonics in log messages.

562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.

561. [func] The 'datasize', 'stacksize', 'coresize' and 'files' clauses of the options{} statement are now implemented.

560. [bug] dns_name_split did not properly the resulting prefix when a maximal length bitstring label was split which was preceded by another bitstring label. [RT #429]

559. [bug] dns_name_split did not properly create the suffix when splitting within a maximal length bitstring label.

558. [func] New functions, isc_resource_getlimit and isc_resource_setlimit.

557. [func] Symbolic constants for libisc integral types.

556. [func] The DNSSEC OK bit in the EDNS extended flags is now implemented. Responses to queries without this bit set will not contain any DNSSEC records.

555. [bug] A slave server attempting a zone transfer could crash with an assertion failure on certain malformed responses from the master. [RT #457]

554. [bug] In some cases, not all of the dnssec tools were properly installed.

553. [bug] Incoming zone transfers deferred due to quota were not started when quota was increased but only when a transfer in progress finished. [RT #456]

552. [bug] We were not correctly detecting the end of all c-style comments. [RT #455]

551. [func] Implemented the 'sortlist' option.

550. [func] Support unknown rdata types and classes.

549. [bug] "make" did not immediately abort the build when a subdirectory make failed [RT #450].

548. [func] The lexer now ungets tokens more correctly.

547. [placeholder]

546.
[func] Option 'lame-ttl' is now implemented.

545. [func] Name limit and counting options removed from dig; they didn't work properly, and cannot be correctly implemented without significant changes.

544. [func] Add statistics option, enable statistics-file option, add RNDC option "dump-statistics" to write out a query statistics file.

543. [doc] The 'port' option is now documented.

542. [func] Add support for update forwarding as required for full compliance with RFC2136. It is turned off by default and can be enabled using the 'allow-update-forwarding' option.

541. [func] Add bogus server support.

540. [func] Add dialup support.

539. [func] Support the blackhole option.

538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().

537. [placeholder]

536. [func] Use transfer-source{-v6} when sending refresh queries. Transfer-source{-v6} now take an optional port parameter for setting the UDP source port. The port parameter is ignored for TCP.

535. [func] Use transfer-source{-v6} when forwarding update requests.

534. [func] Ancestors have been removed from RBT chains. Ancestor information can be discerned via node parent pointers.

533. [func] Incorporated name hashing into the RBT database to improve search speed.

532. [func] Implement DNS UPDATE pseudo records using DNS_RDATA_UPDATE flag.

531. [func] Rdata really should be initialized before being assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(), dns_rdata_clone(), dns_rdata_fromregion()), check that it is.

530. [func] New function dns_rdata_invalidate().

529. [bug] 521 contained a bug which caused zones to always reload. [RT #410]

528.
[func] The ISC_LIST_XXXX macros now perform sanity checks on their arguments. ISC_LIST_XXXXUNSAFE can be used to skip the checks; however, use with caution.

527. [func] New function dns_rdata_clone().

526. [bug] nsupdate incorrectly refused to add RRs with a TTL of 0.

525. [func] New arguments 'options' for dns_db_subtractrdataset(), and 'flags' for dns_rdataslab_subtract() allowing you to request that the RRs must exist prior to deletion. DNS_R_NOTEXACT is returned if the condition is not met.

524. [func] The 'forward' and 'forwarders' statement in non-forward zones should work now.

523. [doc] The source to the Administrator Reference Manual is now an XML file using the DocBook DTD, and is included in the distribution. The plain text version of the ARM is temporarily unavailable while we figure out how to generate readable plain text from the XML.

522. [func] The lightweight resolver daemon can now use a real configuration file, and its functionality can be provided by a name server. Also, the -p and -P options to lwresd have been reversed.

521. [bug] Detect master files which contain $INCLUDE and always reload. [RT #196]

520. [bug] Upgraded libtool to 1.3.5, which makes shared library builds almost work on AIX (and possibly others).

519. [bug] dns_name_split() would improperly split some bitstring labels, zeroing a few of the least significant bits in the prefix part. When such an improperly created prefix was returned to the RBT database, the bogus label was dutifully stored, corrupting the tree. [RT #369]

518. [bug] The resolver did not realize that a DNAME which was "the answer" to the client's query was "the answer", and such queries would fail. [RT #399]

517.
[bug] The resolver's DNAME code would trigger an assertion if there was more than one DNAME in the chain. [RT #399]

516. [bug] Cache lookups which had a NULL node pointer, e.g. those by dns_view_find(), and which would match a DNAME, would trigger an INSIST(!search.need_cleanup) assertion. [RT #399]

515. [bug] The ssu table was not being attached / detached by dns_zone_[sg]etssutable. [RT #397]

514. [func] Retry refresh and notify queries if they time out. [RT #388]

513. [func] New functionality added to rndc and server to allow individual zones to be refreshed or reloaded.

512. [bug] The zone transfer code could throw an exception with an invalid IXFR stream.

511. [bug] The message code could throw an assertion on an out of memory failure. [RT #392]

510. [bug] Remove spurious view notify warning. [RT #376]

509. [func] Add support for write of zone files on shutdown.

508. [func] dns_message_parse() can now do a best-effort attempt, which should allow dig to print more invalid messages.

507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach() and dns_view_flushanddetach().

506. [func] Do not fail to start on errors in zone files.

505. [bug] nsupdate was printing "unknown result code". [RT #373]

504. [bug] The zone was not being marked as dirty when updated via IXFR.

503. [bug] dumptime was not being set along with DNS_ZONEFLG_NEEDDUMP.

502. [func] On a SERVFAIL reply, DiG will now try the next server in the list, unless the +fail option is specified.

501. [bug] Incorrect port numbers were being displayed by nslookup. [RT #352]

500. [func] Nearly useless +details option removed from DiG.

499.
[func] In DiG, specifying a class with -c or type with -t changes command-line parsing so that classes and types are only recognized if following -c or -t. This allows hosts with the same name as a class or type to be looked up.

498. [doc] There is now a man page for "dig" in doc/man/bin/dig.1.

497. [bug] The error messages printed when an IP match list contained a network address with a nonzero host part were not sufficiently detailed. [RT #365]

496. [bug] named didn't sanity check numeric parameters. [RT #361]

495. [bug] nsupdate was unable to handle large records. [RT #368]

494. [func] Do not cache NXDOMAIN responses for SOA queries.

493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses for SOA queries. This makes it easier to locate the containing zone without polluting intermediate caches.

492. [bug] attempting to reload a zone caused the server to fail to shut down cleanly. [RT #360]

491. [bug] nsupdate would segfault when sending certain prerequisites with empty RDATA. [RT #356]

490. [func] When a slave/stub zone has not yet successfully obtained an SOA containing the zone's configured retry time, perform the SOA query retries using exponential backoff. [RT #337]

489. [func] The zone manager now has an "i/o" queue.

488. [bug] Locks weren't properly destroyed in some cases.

487. [port] flockfile() is not defined on all systems.

486. [bug] nslookup: "set all" and "server" commands showed the incorrect port number if a port other than 53 was specified. [RT #352]

485. [func] When dig had more than one server to query, it would send all of the messages at the same time. Add rate limiting of the transmitted messages.

484.
[bug] When the server was reloaded after removing addresses from the named.conf "listen-on" statement, sockets were still listening on the removed addresses due to reference count loops. [RT #325]

483. [bug] nslookup: "set all" showed a "search" option but it was not settable.

482. [bug] nslookup: a plain "server" or "lserver" should be treated as a lookup.

481. [bug] nslookup:get_next_command() stack size could exceed per thread limit.

480. [bug] strtok() is not thread safe. [RT #349]

479. [func] The test suite can now be run by typing "make check" or "make test" at the top level.

478. [bug] "make install" failed if the directory specified with --prefix did not already exist.

477. [bug] The isc-config.sh script could be installed before its directory was created. [RT #324]

476. [bug] A zone could expire while a zone transfer was in progress triggering an INSIST failure. [RT #329]

475. [bug] query_getzonedb() sometimes returned a non-null version on failure. This caused assertion failures when generating query responses where names subject to additional section processing pointed to a zone to which access had been denied by means of the allow-query option. [RT #336]

474. [bug] The mnemonic of the CHAOS class is CH according to RFC1035, but it was printed and read only as CHAOS. We now accept both forms as input, and print it as CH. [RT #305]

473. [bug] nsupdate overran the end of the list of name servers when no servers could be reached, typically causing it to print the error message "dns_request_create: not implemented".

472. [bug] Off-by-one error caused isc_time_add() to sometimes produce invalid time values.

471. [bug] nsupdate didn't compile on HP/UX 10.20

470.
[func] $GENERATE is now supported. See also 15284 doc/misc/migration. 15285 15286 469. [bug] "query-source address * port 53;" now works. 15287 15288 468. [bug] dns_master_load*() failed to report file and line 15289 number in certain error conditions. 15290 15291 467. [bug] dns_master_load*() failed to log an error if 15292 pushfile() failed. 15293 15294 466. [bug] dns_master_load*() could return success when it failed. 15295 15296 465. [cleanup] Allow 0 to be set as an omapi_value_t value by 15297 omapi_value_storeint(). 15298 15299 464. [cleanup] Build with openssl's RSA code instead of dnssafe. 15300 15301 463. [bug] nsupdate sent malformed SOA queries to the second 15302 and subsequent name servers in resolv.conf if the 15303 query sent to the first one failed. 15304 15305 462. [bug] --disable-ipv6 should work now. 15306 15307 461. [bug] Specifying an unknown key in the "keys" clause of the 15308 "controls" statement caused a NULL pointer dereference. 15309 [RT #316] 15310 15311 460. [bug] Much of the DNSSEC code only worked with class IN. 15312 15313 459. [bug] Nslookup processed the "set" command incorrectly. 15314 15315 458. [bug] Nslookup didn't properly check class and type values. 15316 [RT #305] 15317 15318 457. [bug] Dig/host/hslookup didn't properly handle connect 15319 timeouts in certain situations, causing an 15320 unnecessary warning message to be printed. 15321 15322 456. [bug] Stub zones were not resetting the refresh and expire 15323 counters, loadtime or clearing the DNS_ZONE_REFRESH 15324 (refresh in progress) flag upon successful update. 15325 This disabled further refreshing of the stub zone, 15326 causing it to eventually expire. [RT #300] 15327 15328 455. [doc] Document IPv4 prefix notation does not require a 15329 dotted decimal quad but may be just dotted decimal. 15330 15331 454. [bug] Enforce dotted decimal and dotted decimal quad where 15332 documented as such in named.conf. [RT #304, RT #311] 15333 15334 453. 
[bug] Warn if the obsolete option "maintain-ixfr-base" 15335 is specified in named.conf. [RT #306] 15336 15337 452. [bug] Warn if the unimplemented option "statistics-file" 15338 is specified in named.conf. [RT #301] 15339 15340 451. [func] Update forwarding implemented. 15341 15342 450. [func] New function ns_client_sendraw(). 15343 15344 449. [bug] isc_bitstring_copy() only works correctly if the 15345 two bitstrings have the same lsb0 value, but this 15346 requirement was not documented, nor was there a 15347 REQUIRE for it. 15348 15349 448. [bug] Host output formatting change, to match v8. [RT #255] 15350 15351 447. [bug] Dig didn't properly retry in TCP mode after 15352 a truncated reply. [RT #277] 15353 15354 446. [bug] Confusing notify log message. [RT #298] 15355 15356 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0 15357 bitstring triggered a REQUIRE statement. The REQUIRE 15358 statement was incorrect. [RT #297] 15359 15360 444. [func] "recursion denied" messages are always logged at 15361 debug level 1, now, rather than sometimes at ERROR. 15362 This silences these warnings in the usual case, where 15363 some clients set the RD bit in all queries. 15364 15365 443. [bug] When loading a master file failed because of an 15366 unrecognized RR type name, the error message 15367 did not include the file name and line number. 15368 [RT #285] 15369 15370 442. [bug] TSIG signed messages that did not match any view 15371 crashed the server. [RT #290] 15372 15373 441. [bug] Nodes obscured by a DNAME were inaccessible even 15374 when DNS_DBFIND_GLUEOK was set. 15375 15376 440. [func] New function dns_zone_forwardupdate(). 15377 15378 439. [func] New function dns_request_createraw(). 15379 15380 438. [func] New function dns_message_getrawmessage(). 15381 15382 437. [func] Log NOTIFY activity to the notify channel. 15383 15384 436. 
[bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH, 15385 which sometimes happens on Linux, named would enter 15386 a busy loop. Also, unexpected socket errors were 15387 not logged at a high enough logging level to be 15388 useful in diagnosing this situation. [RT #275] 15389 15390 435. [bug] dns_zone_dump() overwrote existing zone files 15391 rather than writing to a temporary file and 15392 renaming. This could lead to empty or partial 15393 zone files being left around in certain error 15394 conditions involving the initial transfer of a 15395 slave zone, interfering with subsequent server 15396 startup. [RT #282] 15397 15398 434. [func] New function isc_file_isabsolute(). 15399 15400 433. [func] isc_base64_decodestring() now accepts newlines 15401 within the base64 data. This makes it possible 15402 to break up the key data in a "trusted-keys" 15403 statement into multiple lines. [RT #284] 15404 15405 432. [func] Added refresh/retry jitter. The actual refresh/ 15406 retry time is now a random value between 75% and 15407 100% of the configured value. 15408 15409 431. [func] Log at ISC_LOG_INFO when a zone is successfully 15410 loaded. 15411 15412 430. [bug] Rewrote the lightweight resolver client management 15413 code to handle shutdown correctly and general 15414 cleanup. 15415 15416 429. [bug] The space reserved for a TSIG record in a response 15417 was 2 bytes too short, leading to message 15418 generation failures. 15419 15420 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned 15421 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT 15422 (e.g. glue). This could cause SERVFAILs when 15423 generating negative responses in a secure zone. 15424 15425 427. [bug] Avoid going into an infinite loop when the validator 15426 gets a negative response to a key query where the 15427 records are signed by the missing key. 15428 15429 426. [bug] Attempting to generate an oversized RSA key could 15430 cause dnssec-keygen to dump core. 15431 15432 425. 
[bug] Warn about the auth-nxdomain default value change 15433 if there is no auth-nxdomain statement in the 15434 config file. [RT #287] 15435 15436 424. [bug] notify_createmessage() could trigger an assertion 15437 failure when creating the notify message failed, 15438 e.g. due to corrupt zones with multiple SOA records. 15439 [RT #279] 15440 15441 423. [bug] When responding to a recursive query, errors that occur 15442 after following a CNAME should cause the query to fail. 15443 [RT #274] 15444 15445 422. [func] get rid of isc_random_t, and make isc_random_get() 15446 and isc_random_jitter() use rand() internally 15447 instead of local state. Note that isc_random_*() 15448 functions are only for weak, non-critical "randomness" 15449 such as timing jitter and such. 15450 15451 421. [bug] nslookup would exit when given a blank line as input. 15452 15453 420. [bug] nslookup failed to implement the "exit" command. 15454 15455 419. [bug] The certificate type PKIX was misspelled as SKIX. 15456 15457 418. [bug] At debug levels >= 10, getting an unexpected 15458 socket receive error would crash the server 15459 while trying to log the error message. 15460 15461 417. [func] Add isc_app_block() and isc_app_unblock(), which 15462 allow an application to handle signals while 15463 blocking. 15464 15465 416. [bug] Slave zones with no master file tried to use a 15466 NULL pointer for a journal file name when they 15467 received an IXFR. [RT #273] 15468 15469 415. [bug] The logging code leaked file descriptors. 15470 15471 414. [bug] Server did not shut down until all incoming zone 15472 transfers were finished. 15473 15474 413. [bug] Notify could attempt to use the zone database after 15475 it had been unloaded. [RT #267] 15476 15477 412. [bug] named -v didn't print the version. 15478 15479 411. [bug] A typo in the HS A code caused an assertion failure. 15480 15481 410. [bug] lwres_gethostbyname() and company set lwres_h_errno 15482 to a random value on success. 
15483 15484 409. [bug] If named was shut down early in the startup 15485 process, ns_omapi_shutdown() would attempt to lock 15486 an uninitialized mutex. [RT #262] 15487 15488 408. [bug] stub zones could leak memory and reference counts if 15489 all the masters were unreachable. 15490 15491 407. [bug] isc_rwlock_lock() would needlessly block 15492 readers when it reached the read quota even 15493 if no writers were waiting. 15494 15495 406. [bug] Log messages were occasionally lost or corrupted 15496 due to a race condition in isc_log_doit(). 15497 15498 405. [func] Add support for selective forwarding (forward zones) 15499 15500 404. [bug] The request library didn't completely work with IPv6. 15501 15502 403. [bug] "host" did not use the search list. 15503 15504 402. [bug] Treat undefined acls as errors, rather than 15505 warning and then later throwing an assertion. 15506 [RT #252] 15507 15508 401. [func] Added simple database API. 15509 15510 400. [bug] SIG(0) signing and verifying was done incorrectly. 15511 [RT #249] 15512 15513 399. [bug] When reloading the server with a config file 15514 containing a syntax error, it could catch an 15515 assertion failure trying to perform zone 15516 maintenance on, or sending notifies from, 15517 tentatively created zones whose views were 15518 never fully configured and lacked an address 15519 database and request manager. 15520 15521 398. [bug] "dig" sometimes caught an assertion failure when 15522 using TSIG, depending on the key length. 15523 15524 397. [func] Added utility functions dns_view_gettsig() and 15525 dns_view_getpeertsig(). 15526 15527 396. [doc] There is now a man page for "nsupdate" 15528 in doc/man/bin/nsupdate.8. 15529 15530 395. [bug] nslookup printed incorrect RR type mnemonics 15531 for RRs of type >= 21 [RT #237]. 15532 15533 394. [bug] Current name was not propagated via $INCLUDE. 15534 15535 393. [func] Initial answer while loading (awl) support. 
15536 Entry points: dns_master_loadfileinc(), 15537 dns_master_loadstreaminc(), dns_master_loadbufferinc(). 15538 Note: calls to dns_master_load*inc() should be rate 15539 be rate limited so as to not use up all file 15540 descriptors. 15541 15542 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does 15543 not support the given address family requested. 15544 15545 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH. 15546 15547 390. [func] The function dns_zone_setdbtype() now takes 15548 an argc/argv style vector of words and sets 15549 both the zone database type and its arguments, 15550 making the functions dns_zone_adddbarg() 15551 and dns_zone_cleardbargs() unnecessary. 15552 15553 389. [bug] Attempting to send a request over IPv6 using 15554 dns_request_create() on a system without IPv6 15555 support caused an assertion failure [RT #235]. 15556 15557 388. [func] dig and host can now do reverse ipv6 lookups. 15558 15559 387. [func] Add dns_byaddr_createptrname(), which converts 15560 an address into the name used by a PTR query. 15561 15562 386. [bug] Missing strdup() of ACL name caused random 15563 ACL matching failures [RT #228]. 15564 15565 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(), 15566 and dns_zt_print(). 15567 15568 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead 15569 of 2147483647. 15570 15571 383. [func] When writing a master file, print the SOA and NS 15572 records (and their SIGs) before other records. 15573 15574 382. [bug] named -u failed on many Linux systems where the 15575 libc provided kernel headers do not match 15576 the current kernel. 15577 15578 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of 15579 IPV6_PKTINFO if found. [RT #229] 15580 15581 380. [bug] nsupdate didn't work with IPv6. 15582 15583 379. [func] New library function isc_sockaddr_anyofpf(). 15584 15585 378. 
[func] named and lwresd will log the command line arguments 15586 they were started with in the "starting ..." message. 15587 15588 377. [bug] When additional data lookups were refused due to 15589 "allow-query", the databases were still being 15590 attached causing reference leaks. 15591 15592 376. [bug] The server should always use good entropy when 15593 performing cryptographic functions needing entropy. 15594 15595 375. [bug] Per-zone "allow-query" did not properly override the 15596 view/global one for CNAME targets and additional 15597 data [RT #220]. 15598 15599 374. [bug] SOA in authoritative negative responses had wrong TTL. 15600 15601 373. [func] nslookup is now installed by "make install". 15602 15603 372. [bug] Deal with Microsoft DNS servers appending two bytes of 15604 garbage to zone transfer requests. 15605 15606 371. [bug] At high debug levels, doing an outgoing zone transfer 15607 of a very large RRset could cause an assertion failure 15608 during logging. 15609 15610 370. [bug] The error messages for roll-forward failures were 15611 overly terse. 15612 15613 369. [func] Support new named.conf options, view and zone 15614 statements: 15615 15616 max-retry-time, min-retry-time, 15617 max-refresh-time, min-refresh-time. 15618 15619 368. [func] Restructure the internal ".bind" view so that more 15620 zones can be added to it. 15621 15622 367. [bug] Allow proper selection of server on nslookup command 15623 line. 15624 15625 366. [func] Allow use of '-' batch file in dig for stdin. 15626 15627 365. [bug] nsupdate -k leaked memory. 15628 15629 364. [func] Added additional-from-{cache,auth} 15630 15631 363. [placeholder] 15632 15633 362. [bug] rndc no longer aborts if the configuration file is 15634 missing an options statement. [RT #209] 15635 15636 361. 
[func] When the RBT find or chain functions set the name and 15637 origin for a node that stores the root label 15638 the name is now set to an empty name, instead of ".", 15639 to simplify later use of the name and origin by 15640 dns_name_concatenate(), dns_name_totext() or 15641 dns_name_format(). 15642 15643 360. [func] dns_name_totext() and dns_name_format() now allow 15644 an empty name to be passed, which is formatted as "@". 15645 15646 359. [bug] dnssec-signzone occasionally signed glue records. 15647 15648 358. [cleanup] Rename the intermediate files used by the dnssec 15649 programs. 15650 15651 357. [bug] The zone file parser crashed if the argument 15652 to $INCLUDE was a quoted string. 15653 15654 356. [cleanup] isc_task_send no longer requires event->sender to 15655 be non-null. 15656 15657 355. [func] Added isc_dir_createunique(), similar to mkdtemp(). 15658 15659 354. [doc] Man pages for the dnssec tools are now included in 15660 the distribution, in doc/man/dnssec. 15661 15662 353. [bug] double increment in lwres/gethost.c:copytobuf(). 15663 [RT #187] 15664 15665 352. [bug] Race condition in dns_client_t startup could cause 15666 an assertion failure. 15667 15668 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG 15669 signed query could crash the server. 15670 15671 350. [bug] Also-notify lists specified in the global options 15672 block were not correctly reference counted, causing 15673 a memory leak. 15674 15675 349. [bug] Processing a query with the CD bit set now works 15676 as expected. 15677 15678 348. [func] New boolean named.conf options 'additional-from-auth' 15679 and 'additional-from-cache' now supported in view and 15680 global options statement. 15681 15682 347. [bug] Don't crash if an argument is left off options in dig. 15683 15684 346. [placeholder] 15685 15686 345. 
[bug] Large-scale changes/cleanups to dig: 15687 * Significantly improve structure handling 15688 * Don't pre-load entire batch files 15689 * Add name/rr counting/limiting 15690 * Fix SIGINT handling 15691 * Shorten timeouts to match v8's behavior 15692 15693 344. [bug] When shutting down, lwresd sometimes tried 15694 to shut down its client tasks twice, 15695 triggering an assertion. 15696 15697 343. [bug] Although zone maintenance SOA queries and 15698 notify requests were signed with TSIG keys 15699 when configured for the server in case, 15700 the TSIG was not verified on the response. 15701 15702 342. [bug] The wrong name was being passed to 15703 dns_name_dup() when generating a TSIG 15704 key using TKEY. 15705 15706 341. [func] Support 'key' clause in named.conf zone masters 15707 statement to allow authentication via TSIG keys: 15708 15709 masters { 15710 10.0.0.1 port 5353 key "foo"; 15711 10.0.0.2 ; 15712 }; 15713 15714 340. [bug] The top-level COPYRIGHT file was missing from 15715 the distribution. 15716 15717 339. [bug] DNSSEC validation of the response to an ANY 15718 query at a name with a CNAME RR in a secure 15719 zone triggered an assertion failure. 15720 15721 338. [bug] lwresd logged to syslog as named, not lwresd. 15722 15723 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type 15724 on the command line. 15725 15726 336. [bug] "dig -f" used 64 k of memory for each line in 15727 the file. It now uses much less, though still 15728 proportionally to the file size. 15729 15730 335. [bug] named would occasionally attempt recursion when 15731 it was disallowed or undesired. 15732 15733 334. [func] Added hmac-md5 to libisc. 15734 15735 333. [bug] The resolver incorrectly accepted referrals to 15736 domains that were not parents of the query name, 15737 causing assertion failures. 15738 15739 332. [func] New function dns_name_reset(). 15740 15741 331. [bug] Only log "recursion denied" if RD is set. [RT #178] 15742 15743 330. 
[bug] Many debugging messages were partially formatted 15744 even when debugging was turned off, causing a 15745 significant decrease in query performance. 15746 15747 329. [func] omapi_auth_register() now takes a size_t argument for 15748 the length of a key's secret data. Previously 15749 OMAPI only stored secrets up to the first NUL byte. 15750 15751 328. [func] Added isc_base64_decodestring(). 15752 15753 327. [bug] rndc.conf parser wasn't correctly recognizing an IP 15754 address where a host specification was required. 15755 15756 326. [func] 'keys' in an 'inet' control statement is now 15757 required and must have at least one item in it. 15758 A "not supported" warning is now issued if a 'unix' 15759 control channel is defined. 15760 15761 325. [bug] isc_lex_gettoken was processing octal strings when 15762 ISC_LEXOPT_CNUMBER was not set. 15763 15764 324. [func] In the resolver, turn EDNS0 off if there is no 15765 response after a number of retransmissions. 15766 This is to allow queries some chance of succeeding 15767 even if all the authoritative servers of a zone 15768 silently discard EDNS0 requests instead of 15769 sending an error response like they ought to. 15770 15771 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes. 15772 Because of this, servers authoritative for a parent 15773 and grandchild zone but not authoritative for the 15774 intervening child zone did not correctly issue 15775 referrals to the servers of the child zone. 15776 15777 322. [bug] Queries for KEY RRs are now sent to the parent 15778 server before the authoritative one, making 15779 DNSSEC insecurity proofs work in many cases 15780 where they previously didn't. 15781 15782 321. [bug] When synthesizing a CNAME RR for a DNAME 15783 response, query_addcname() failed to initialize 15784 the type and class of the CNAME dns_rdata_t, 15785 causing random failures. 15786 15787 320. 
[func] Multiple rndc changes: parses an rndc.conf file, 15788 uses authentication to talk to named, command 15789 line syntax changed. This will all be described 15790 in the ARM. 15791 15792 319. [func] The named.conf "controls" statement is now used 15793 to configure the OMAPI command channel. 15794 15795 318. [func] dns_c_ndcctx_destroy() could never return anything 15796 except ISC_R_SUCCESS; made it have void return instead. 15797 15798 317. [func] Use callbacks from libomapi to determine if a 15799 new connection is valid, and if a key requested 15800 to be used with that connection is valid. 15801 15802 316. [bug] Generate a warning if we detect an unexpected <eof> 15803 but treat as <eol><eof>. 15804 15805 315. [bug] Handle non-empty blanks lines. [RT #163] 15806 15807 314. [func] The named.conf controls statement can now have 15808 more than one key specified for the inet clause. 15809 15810 313. [bug] When parsing resolv.conf, don't terminate on an 15811 error. Instead, parse as much as possible, but 15812 still return an error if one was found. 15813 15814 312. [bug] Increase the number of allowed elements in the 15815 resolv.conf search path from 6 to 8. If there 15816 are more than this, ignore the remainder rather 15817 than returning a failure in lwres_conf_parse. 15818 15819 311. [bug] lwres_conf_parse failed when the first line of 15820 resolv.conf was empty or a comment. 15821 15822 310. [func] Changes to named.conf "controls" statement (inet 15823 subtype only) 15824 15825 - support "keys" clause 15826 15827 controls { 15828 inet * port 1024 15829 allow { any; } keys { "foo"; } 15830 } 15831 15832 - allow "port xxx" to be left out of statement, 15833 in which case it defaults to omapi's default port 15834 of 953. 15835 15836 309. 
[bug] When sending a referral, the server did not look 15837 for name server addresses as glue in the zone 15838 holding the NS RRset in the case where this zone 15839 was not the same as the one where it looked for 15840 name server addresses as authoritative data. 15841 15842 308. [bug] Treat a SOA record not at top of zone as an error 15843 when loading a zone. [RT #154] 15844 15845 307. [bug] When canceling a query, the resolver didn't check for 15846 isc_socket_sendto() calls that did not yet have their 15847 completion events posted, so it could (rarely) end up 15848 destroying the query context and then want to use 15849 it again when the send event posted, triggering an 15850 assertion as it tried to cancel an already-canceled 15851 query. [RT #77] 15852 15853 306. [bug] Reading HMAC-MD5 private key files didn't work. 15854 15855 305. [bug] When reloading the server with a config file 15856 containing a syntax error, it could catch an 15857 assertion failure trying to perform zone 15858 maintenance on tentatively created zones whose 15859 views were never fully configured and lacked 15860 an address database. 15861 15862 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers 15863 are listed in resolv.conf, silently ignore them 15864 instead of returning failure. 15865 15866 303. [bug] Add additional sanity checks to differentiate a AXFR 15867 response vs a IXFR response. [RT #157] 15868 15869 302. [bug] In dig, host, and nslookup, MXNAME should be large 15870 enough to hold any legal domain name in presentation 15871 format + terminating NULL. 15872 15873 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159] 15874 15875 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work 15876 on platforms lacking IPv6 because each included their 15877 own ipv6 header file for the missing definitions. Now 15878 each library's ipv6.h defines the wrapper symbol of 15879 the other (ISC_IPV6_H and LWRES_IPV6_H). 15880 15881 299. 
[cleanup] Get the user and group information before changing the 15882 root directory, so the administrator does not need to 15883 keep a copy of the user and group databases in the 15884 chroot'ed environment. Suggested by Hakan Olsson. 15885 15886 298. [bug] A mutex deadlock occurred during shutdown of the 15887 interface manager under certain conditions. 15888 Digital Unix systems were the most affected. 15889 15890 297. [bug] Specifying a key name that wasn't fully qualified 15891 in certain parts of the config file could cause 15892 an assertion failure. 15893 15894 296. [bug] "make install" from a separate build directory 15895 failed unless configure had been run in the source 15896 directory, too. 15897 15898 295. [bug] When invoked with type==CNAME and a message 15899 not constructed by dns_message_parse(), 15900 dns_message_findname() failed to find anything 15901 due to checking for attribute bits that are set 15902 only in dns_message_parse(). This caused an 15903 infinite loop when constructing the response to 15904 an ANY query at a CNAME in a secure zone. 15905 15906 294. [bug] If we run out of space in while processing glue 15907 when reading a master file and commit "current name" 15908 reverts to "name_current" instead of staying as 15909 "name_glue". 15910 15911 293. [port] Add support for FreeBSD 4.0 system tests. 15912 15913 292. [bug] Due to problems with the way some operating systems 15914 handle simultaneous listening on IPv4 and IPv6 15915 addresses, the server no longer listens on IPv6 15916 addresses by default. To revert to the previous 15917 behavior, specify "listen-on-v6 { any; };" in 15918 the config file. 15919 15920 291. [func] Caching servers no longer send outgoing queries 15921 over TCP just because the incoming recursive query 15922 was a TCP one. 15923 15924 290. [cleanup] +twiddle option to dig (for testing only) removed. 15925 15926 289. [cleanup] dig is now installed in $bindir instead of $sbindir. 
15927 host is now installed in $bindir. (Be sure to remove 15928 any $sbindir/dig from a previous release.) 15929 15930 288. [func] rndc is now installed by "make install" into $sbindir. 15931 15932 287. [bug] rndc now works again as "rndc 127.1 reload" (for 15933 only that task). Parsing its configuration file and 15934 using digital signatures for authentication has been 15935 disabled until named supports the "controls" statement, 15936 post-9.0.0. 15937 15938 286. [bug] On Solaris 2, when named inherited a signal state 15939 where SIGHUP had the SIG_IGN action, SIGHUP would 15940 be ignored rather than causing the server to reload 15941 its configuration. 15942 15943 285. [bug] A change made to the dst API for beta4 inadvertently 15944 broke OMAPI's creation of a dst key from an incoming 15945 message, causing an assertion to be triggered. Fixed. 15946 15947 284. [func] The DNSSEC key generation and signing tools now 15948 generate randomness from keyboard input on systems 15949 that lack /dev/random. 15950 15951 283. [cleanup] The 'lwresd' program is now a link to 'named'. 15952 15953 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is 15954 too big for an unsigned long. 15955 15956 281. [bug] Fixed list of recognized config file category names. 15957 15958 280. [func] Add isc-config.sh, which can be used to more 15959 easily build applications that link with 15960 our libraries. 15961 15962 279. [bug] Private omapi function symbols shared between 15963 two or more files in libomapi.a were not namespace 15964 protected using the ISC convention of starting with 15965 the library name and two underscores ("omapi__"...) 15966 15967 278. [bug] bin/named/logconf.c:category_fromconf() didn't take 15968 note of when isc_log_categorybyname() wasn't able 15969 to find the category name and would then apply the 15970 channel list of the unknown category to all categories. 15971 15972 277. 
[bug] isc_log_categorybyname() and isc_log_modulebyname() 15973 would fail to find the first member of any category 15974 or module array apart from the internal defaults. 15975 Thus, for example, the "notify" category was improperly 15976 configured by named. 15977 15978 276. [bug] dig now supports maximum sized TCP messages. 15979 15980 275. [bug] The definition of lwres_gai_strerror() was missing 15981 the lwres_ prefix. 15982 15983 274. [bug] TSIG AXFR verify failed when talking to a BIND 8 15984 server. 15985 15986 273. [func] The default for the 'transfer-format' option is 15987 now 'many-answers'. This will break zone transfers 15988 to BIND 4.9.5 and older unless there is an explicit 15989 'one-answer' configuration. 15990 15991 272. [bug] The sending of large TCP responses was canceled 15992 in mid-transmission due to a race condition 15993 caused by the failure to set the client object's 15994 "newstate" variable correctly when transitioning 15995 to the "working" state. 15996 15997 271. [func] Attempt to probe the number of cpus in named 15998 if unspecified rather than defaulting to 1. 15999 16000 270. [func] Allow maximum sized TCP answers. 16001 16002 269. [bug] Failed DNSSEC validations could cause an assertion 16003 failure by causing clone_results() to be called with 16004 with hevent->node == NULL. 16005 16006 268. [doc] A plain text version of the Administrator 16007 Reference Manual is now included in the distribution, 16008 as doc/arm/Bv9ARM.txt. 16009 16010 267. [func] Nsupdate is now provided in the distribution. 16011 16012 266. [bug] zone.c:save_nsrrset() node was not initialized. 16013 16014 265. [bug] dns_request_create() now works for TCP. 16015 16016 264. [func] Dispatch can not take TCP sockets in connecting 16017 state. Set DNS_DISPATCHATTR_CONNECTED when calling 16018 dns_dispatch_createtcp() for connected TCP sockets 16019 or call dns_dispatch_starttcp() when the socket is 16020 connected. 16021 16022 263. 
[func]		New logging channel type 'stderr'

				channel some-name {
					stderr;
					severity error;
				}

 262.	[bug]		'master' was not initialized in zone.c:stub_callback().

 261.	[func]		Add dns_zone_markdirty().

 260.	[bug]		Running named as a non-root user failed on Linux
			kernels new enough to support retaining capabilities
			after setuid().

 259.	[func]		New random-device and random-seed-file statements
			for global options block of named.conf. Both accept
			a single string argument.

 258.	[bug]		Fixed printing of lwres_addr_t.address field.

 257.	[bug]		The server detached the last zone manager reference
			too early, while it could still be in use by queries.
			This manifested itself as assertion failures during the
			shutdown process for busy name servers. [RT #133]

 256.	[func]		isc_ratelimiter_t now has attach/detach semantics, and
			isc_ratelimiter_shutdown guarantees that the rate
			limiter is detached from its task.

 255.	[func]		New function dns_zonemgr_attach().

 254.	[bug]		Suppress "query denied" messages on additional data
			lookups.

	--- 9.0.0b4 released ---

 253.	[func]		resolv.conf parser now recognizes ';' and '#' as
			comments (anywhere in line, not just at the beginning).

 252.	[bug]		resolv.conf parser mishandled masks on sortlists.
			It also aborted when an unrecognized keyword was seen,
			now it silently ignores the entire line.

 251.	[bug]		lwresd caught an assertion failure on startup.

 250.	[bug]		fixed handling of size+unit when value would be too
			large for internal representation.

 249.	[cleanup]	max-cache-size config option now takes a size-spec
			like 'datasize', except 'default' is not allowed.

 248.	[bug]		global lame-ttl option was not being printed when
			config structures were written out.

 247.	[cleanup]	Rename cache-size config option to max-cache-size.

 246.	[func]		Rename global option cachesize to cache-size and
			add corresponding option to view statement.

 245.	[bug]		If an uncompressed name will take more than 255
			bytes and the buffer is sufficiently long,
			dns_name_fromwire should return DNS_R_FORMERR,
			not ISC_R_NOSPACE. This bug caused the
			server to catch an assertion failure when it
			received a query for a name longer than 255
			bytes.

 244.	[bug]		empty named.conf file and empty options statement are
			now parsed properly.

 243.	[func]		new cachesize option for named.conf

 242.	[cleanup]	fixed incorrect warning about auth-nxdomain usage.

 241.	[cleanup]	nscount and soacount have been removed from the
			dns_master_*() argument lists.

 240.	[func]		databases now come in three flavours: zone, cache
			and stub.

 239.	[func]		If ISC_MEM_DEBUG is enabled, the variable
			isc_mem_debugging controls whether messages
			are printed or not.

 238.	[cleanup]	A few more compilation warnings have been quieted:
			+ missing sigwait prototype on BSD/OS 4.0/4.0.1.
			+ PTHREAD_ONCE_INIT unbraced initializer warnings on
			  Solaris 2.8.
			+ IN6ADDR_ANY_INIT unbraced initializer warnings on
			  BSD/OS 4.*, Linux and Solaris 2.8.

 237.	[bug]		If connect() returned ENOBUFS when the resolver was
			initiating a TCP query, the socket didn't get
			destroyed, and the server did not shut down cleanly.

 236.	[func]		Added new listen-on-v6 config file statement.

 235.	[func]		Consider it a config file error if a listen-on
			statement has an IPv6 address in it, or a
			listen-on-v6 statement has an IPv4 address in it.

 234.	[bug]		Allow a trusted-key's first field (domain-name) to be
			either a quoted or an unquoted string, instead of
			requiring a quoted string.

 233.	[cleanup]	Convert all config structure integer values to unsigned
			integer (isc_uint32_t) to match grammar.

 232.	[bug]		Allow slave zones to not have a file.

 231.	[func]		Support new 'port' clause in config file options
			section. Causes 'listen-on', 'masters' and
			'also-notify' statements to use its value instead of
			default (53).

 230.	[func]		Replace the dst sign/verify API with a cleaner one.

 229.	[func]		Support config file sig-validity-interval statement
			in options, views and zone statements (master
			zones only).

 228.	[cleanup]	Logging messages in config module stripped of
			trailing period.

 227.	[cleanup]	The enumerated identifiers dns_rdataclass_*,
			dns_rcode_*, dns_opcode_*, and dns_trust_* are
			also now cast to their appropriate types, as with
			dns_rdatatype_* in item number 225 below.

 226.	[func]		dns_name_totext() now always prints the root name as
			'.', even when omit_final_dot is true.

 225.	[cleanup]	The enumerated dns_rdatatype_* identifiers are now
			cast to dns_rdatatype_t via macros of their same name
			so that they are of the proper integral type wherever
			a dns_rdatatype_t is needed.

 224.	[cleanup]	The entire project builds cleanly with gcc's
			-Wcast-qual and -Wwrite-strings warnings enabled,
			which is now the default when using gcc. (Warnings
			from confparser.c, because of yacc's code, are
			unfortunately to be expected.)

 223.	[func]		Several functions were re-prototyped to qualify one
			or more of their arguments with "const". Similarly,
			several functions that return pointers now have
			those pointers qualified with const.

 222.	[bug]		The global 'also-notify' option was ignored.

 221.	[bug]		An uninitialized variable was sometimes passed to
			dns_rdata_freestruct() when loading a zone, causing
			an assertion failure.

 220.	[cleanup]	Set the default outgoing port in the view, and
			set it in sockaddrs returned from the ADB.
			[31-May-2000 explorer]

 219.	[bug]		Signed truncated messages more correctly follow
			the respective specs.

 218.	[func]		When an rdataset is signed, its ttl is normalized
			based on the signature validity period.

 217.	[func]		Also-notify and trusted-keys can now be used in
			the 'view' statement.

 216.	[func]		The 'max-cache-ttl' and 'max-ncache-ttl' options
			now work.

 215.	[bug]		Failures at certain points in request processing
			could cause the assertion INSIST(client->lockview
			== NULL) to be triggered.

 214.	[func]		New public function isc_netaddr_format(), for
			formatting network addresses in log messages.

 213.	[bug]		Don't leak memory when reloading the zone if
			an update-policy clause was present in the old zone.

 212.	[func]		Added dns_message_get/settsigkey, to make TSIG
			key management reasonable.

 211.	[func]		The 'key' and 'server' statements can now occur
			inside 'view' statements.

 210.	[bug]		The 'allow-transfer' option was ignored for slave
			zones, and the 'transfers-per-ns' option was
			ignored for all zones.

 209.	[cleanup]	Upgraded openssl files to new version 0.9.5a

 208.	[func]		Added ISC_OFFSET_MAXIMUM for the maximum value
			of an isc_offset_t.

 207.	[func]		The dnssec tools properly use the logging subsystem.

 206.	[cleanup]	dst now stores the key name as a dns_name_t, not
			a char *.

 205.	[cleanup]	On IRIX, turn off the mostly harmless warnings 1692
			("prototyped function redeclared without prototype")
			and 1552 ("variable ... set but not used") when
			compiling in the lib/dns/sec/{dnssafe,openssl}
			directories, which contain code imported from outside
			sources.

 204.	[cleanup]	On HP/UX, pass +vnocompatwarnings to the linker
			to quiet the warnings that "The linked output may not
			run on a PA 1.x system."

 203.	[func]		notify and zone soa queries are now tsig signed when
			appropriate.

 202.	[func]		isc_lex_getsourceline() changed from returning int
			to returning unsigned long, the type of its underlying
			counter.

 201.	[cleanup]	Removed the test/sdig program, it has been
			replaced by bin/dig/dig.

	--- 9.0.0b3 released ---

 200.	[bug]		Failures in sending query responses to clients
			(e.g., running out of network buffers) were
			not logged.

 199.	[bug]		isc_heap_delete() sometimes violated the heap
			invariant, causing timer events not to be posted
			when due.

 198.	[func]		Dispatch managers hold memory pools which
			any managed dispatcher may use. This allows
			us to avoid dipping into the memory context for
			most allocations. [19-May-2000 explorer]

 197.	[bug]		When an incoming AXFR or IXFR completes, the
			zone's internal state is refreshed from the
			SOA data. [19-May-2000 explorer]

 196.	[func]		Dispatchers can be shared easily between views
			and/or interfaces. [19-May-2000 explorer]

 195.	[bug]		Including the NXT record of the root domain
			in a negative response caused an assertion
			failure.

 194.	[doc]		The PDF version of the Administrator's Reference
			Manual is no longer included in the ISC BIND9
			distribution.

 193.	[func]		changed dst_key_free() prototype.

 192.	[bug]		Zone configuration validation is now done at end
			of config file parsing, and before loading
			callbacks.

 191.	[func]		Patched to compile on UnixWare 7.x. This platform
			is not directly supported by the ISC.

 190.	[cleanup]	The DNSSEC tools have been moved to a separate
			directory dnssec/ and given the following new,
			more descriptive names:

				dnssec-keygen
				dnssec-signzone
				dnssec-signkey
				dnssec-makekeyset

			Their command line arguments have also been changed to
			be more consistent. dnssec-keygen now prints the
			name of the generated key files (sans extension)
			on standard output to simplify its use in automated
			scripts.

 189.	[func]		isc_time_secondsastimet(), a new function, will ensure
			that the number of seconds in an isc_time_t does not
			exceed the range of a time_t, or return ISC_R_RANGE.
			Similarly, isc_time_now(), isc_time_nowplusinterval(),
			isc_time_add() and isc_time_subtract() now check the
			range for overflow/underflow. In the case of
			isc_time_subtract, this changed a calling requirement
			(ie, something that could generate an assertion)
			into merely a condition that returns an error result.
			isc_time_add() and isc_time_subtract() were
			void-valued before but now return isc_result_t.

 188.	[func]		Log a warning message when an incoming zone transfer
			contains out-of-zone data.

 187.	[func]		isc_ratelimiter_enqueue() has an additional argument
			'task'.

 186.	[func]		dns_request_getresponse() has an additional argument
			'preserve_order'.

 185.	[bug]		Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
			public functions did not have an isc__ prefix, and
			referred to functions that had previously been
			renamed.

 184.	[cleanup]	Variables/functions which began with two leading
			underscores were made to conform to the ANSI/ISO
			standard, which says that such names are reserved.

 183.	[func]		ISC_LOG_PRINTTAG option for log channels. Useful
			for logging the program name or other identifier.

 182.	[cleanup]	New command-line parameters for dnssec tools

 181.	[func]		Added dst_key_buildfilename and dst_key_parsefilename

 180.	[func]		New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.

 179.	[func]		options named.conf statement *must* now come
			before any zone or view statements.

 178.	[func]		Post-load of named.conf check verifies a slave zone
			has non-empty list of masters defined.

 177.	[func]		New per-zone boolean:

				enable-zone yes | no ;

			intended to let a zone be disabled without having
			to comment out the entire zone statement.

 176.	[func]		New global and per-view option:

				max-cache-ttl number

 175.	[func]		New global and per-view option:

				additional-data internal | minimal | maximal;

 174.	[func]		New public function isc_sockaddr_format(), for
			formatting socket addresses in log messages.

 173.	[func]		Keep a queue of zones waiting for zone transfer
			quota so that a new transfer can be dispatched
			immediately whenever quota becomes available.

 172.	[bug]		$TTL directive was sometimes missing from dumped
			master files because totext_ctx_init() failed to
			initialize ctx->current_ttl_valid.

 171.	[cleanup]	On NetBSD systems, the mit-pthreads or
			unproven-pthreads library is now always used
			unless --with-ptl2 is explicitly specified on
			the configure command line. The
			--with-mit-pthreads option is no longer needed
			and has been removed.

 170.	[cleanup]	Remove inter server consistency checks from zone,
			these should return as a separate module in 9.1.
			dns_zone_checkservers(), dns_zone_checkparents(),
			dns_zone_checkchildren(), dns_zone_checkglue().

			Remove dns_zone_setadb(), dns_zone_setresolver(),
			dns_zone_setrequestmgr() these should now be found
			via the view.

 169.	[func]		ratelimiter can now process N events per interval.

 168.	[bug]		include statements in named.conf caused syntax errors
			due to not consuming the semicolon ending the include
			statement before switching input streams.

 167.	[bug]		Make lack of masters for a slave zone a soft error.

 166.	[bug]		Keygen was overwriting existing keys if key_id
			conflicted, now it will retry, and non-null keys
			with key_id == 0 are not generated anymore. Key
			was not able to generate NOAUTHCONF DSA key,
			increased RSA key size to 2048 bits.

 165.	[cleanup]	Silence "end-of-loop condition not reached" warnings
			from Solaris compiler.

 164.	[func]		Added functions isc_stdio_open(), isc_stdio_close(),
			isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
			isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
			to encapsulate nonportable usage of errno and sync.

 163.	[func]		Added result codes ISC_R_FILENOTFOUND and
			ISC_R_FILEEXISTS.

 162.	[bug]		Ensure proper range for arguments to ctype.h functions.

 161.	[cleanup]	error in yyparse prototype that only HPUX caught.

 160.	[cleanup]	getnet*() are not going to be implemented at this
			stage.

 159.	[func]		Redefinition of config file elements is now an
			error (instead of a warning).

 158.	[bug]		Log channel and category list copy routines
			weren't assigning properly to output parameter.

 157.	[port]		Fix missing prototype for getopt().

 156.	[func]		Support new 'database' statement in zone.

				database "quoted-string";

 155.	[bug]		ns_notify_start() was not detaching the found zone.

 154.	[func]		The signer now logs libdns warnings to stderr even when
			not verbose, and in a nicer format.

 153.	[func]		dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
			is NULL then you need to preserve the 'rdata' until
			you have finished using the structure as there may be
			references to the associated memory. If 'mctx' is
			non-NULL it is guaranteed that there are no references
			to memory associated with 'rdata'.

			dns_rdata_freestruct() must be called if 'mctx' was
			non-NULL and may safely be called if 'mctx' was NULL.

 152.	[bug]		keygen dumped core if domain name argument was omitted
			from command line.

 151.	[func]		Support 'disabled' statement in zone config (causes
			zone to be parsed and then ignored). Currently must
			come after the 'type' clause.

 150.	[func]		Support optional ports in masters and also-notify
			statements:

				masters [ port xxx ] { y.y.y.y [ port zzz ] ; }

 149.	[cleanup]	Removed unused argument 'olist' from
			dns_c_view_unsetordering().

 148.	[cleanup]	Stop issuing some warnings about some configuration
			file statements that were not implemented, but now are.

 147.	[bug]		Changed yacc union size to be smaller for yaccs that
			put yacc-stack on the real stack.

 146.	[cleanup]	More general redundant header file cleanup. Rather
			than continuing to itemize every header which changed,
			this changelog entry just notes that if a header file
			did not need another header file that it was including
			in order to provide its advertised functionality, the
			inclusion of the other header file was removed. See
			util/check-includes for how this was tested.

 145.	[cleanup]	Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
			ISC_LANG_ENDDECLS to header files that had function
			prototypes, and removed it from those that did not.

 144.	[cleanup]	libdns header files too numerous to name were made
			to conform to the same style for multiple inclusion
			protection.

 143.	[func]		Added function dns_rdatatype_isknown().

 142.	[cleanup]	<isc/stdtime.h> does not need <time.h> or
			<isc/result.h>.

 141.	[bug]		Corrupt requests with multiple questions could
			cause an assertion failure.

 140.	[cleanup]	<isc/time.h> does not need <time.h> or <isc/result.h>.

 139.	[cleanup]	<isc/net.h> now includes <isc/types.h> instead of
			<isc/int.h> and <isc/result.h>.

 138.	[cleanup]	isc_strtouq moved from str.[ch] to string.[ch] and
			renamed isc_string_touint64. isc_strsep moved from
			strsep.c to string.c and renamed isc_string_separate.

 137.	[cleanup]	<isc/commandline.h>, <isc/mem.h>, <isc/print.h>
			<isc/serial.h>, <isc/string.h> and <isc/offset.h>
			made to conform to the same style for multiple
			inclusion protection.

 136.	[cleanup]	<isc/commandline.h>, <isc/interfaceiter.h>,
			<isc/net.h> and Win32's <isc/thread.h> needed
			ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.

 135.	[cleanup]	Win32's <isc/condition.h> did not need <isc/result.h>
			or <isc/boolean.h>, now uses <isc/types.h> in place
			of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
			and ISC_LANG_ENDDECLS.

 134.	[cleanup]	<isc/dir.h> does not need <limits.h>.

 133.	[cleanup]	<isc/ipv6.h> needs <isc/platform.h>.

 132.	[cleanup]	<isc/app.h> does not need <isc/task.h>, but does
			need <isc/eventclass.h>.

 131.	[cleanup]	<isc/mutex.h> and <isc/util.h> need <isc/result.h>
			for ISC_R_* codes used in macros.

 130.	[cleanup]	<isc/condition.h> does not need <pthread.h> or
			<isc/boolean.h>, and now includes <isc/types.h>
			instead of <isc/time.h>.

 129.	[bug]		The 'default_debug' log channel was not set up when
			'category default' was present in the config file

 128.	[cleanup]	<isc/dir.h> had ISC_LANG_BEGINDECLS instead of
			ISC_LANG_ENDDECLS at end of header.

 127.	[cleanup]	The contracts for the comparison routines
			dns_name_fullcompare(), dns_name_compare(),
			dns_name_rdatacompare(), and dns_rdata_compare() now
			specify that the order value returned is < 0, 0, or > 0
			instead of -1, 0, or 1.

 126.	[cleanup]	<isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.

 125.	[cleanup]	<isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
			<isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
			<isc/resultclass.h> do not need <isc/lang.h>.

 124.	[func]		signer now imports parent's zone key signature
			and creates null keys/sets zone status bit for
			children when necessary

 123.	[cleanup]	<isc/event.h> does not need <stddef.h>.

 122.	[cleanup]	<isc/task.h> does not need <isc/mem.h> or
			<isc/result.h>.

 121.	[cleanup]	<isc/symtab.h> does not need <isc/mem.h> or
			<isc/result.h>. Multiple inclusion protection
			symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
			isc_symtab_t moved to <isc/types.h>.

 120.	[cleanup]	<isc/socket.h> does not need <isc/boolean.h>,
			<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
			<isc/net.h>.

 119.	[cleanup]	structure definitions for generic rdata structures do
			not have _generic_ in their names.

 118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
			YACC crust (yyparse, etc) [2000-apr-27 explorer]

 117.	[cleanup]	libdns.a changes:
			dns_zone_clearnotify() and dns_zone_addnotify()
			are replaced by dns_zone_setnotifyalso().
			dns_zone_clearmasters() and dns_zone_addmaster()
			are replaced by dns_zone_setmasters().

 116.	[func]		Added <isc/offset.h> for isc_offset_t (aka off_t
			on Unix systems).

 115.	[port]		Shut up the -Wmissing-declarations warning about
			<stdio.h>'s __sputaux on BSD/OS pre-4.1.

 114.	[cleanup]	<isc/sockaddr.h> does not need <isc/buffer.h> or
			<isc/list.h>.

 113.	[func]		Utility programs dig and host added.

 112.	[cleanup]	<isc/serial.h> does not need <isc/boolean.h>.

 111.	[cleanup]	<isc/rwlock.h> does not need <isc/result.h> or
			<isc/mutex.h>.

 110.	[cleanup]	<isc/result.h> does not need <isc/boolean.h> or
			<isc/list.h>.

 109.	[bug]		"make depend" did nothing for
			bin/tests/{db,mem,sockaddr,tasks,timers}/.

 108.	[cleanup]	DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
			<dns/types.h> to <dns/bit.h> and renamed to
			DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.

 107.	[func]		Add keysigner and keysettool.

 106.	[func]		Allow dnssec verifications to ignore the validity
			period. Used by several of the dnssec tools.

 105.	[doc]		doc/dev/coding.html expanded with other
			implicit conventions the developers have used.

 104.	[bug]		Made compress_add and compress_find static to
			lib/dns/compress.c.

 103.	[func]		libisc buffer API changes for <isc/buffer.h>:
			Added:
				isc_buffer_base(b)		(pointer)
				isc_buffer_current(b)		(pointer)
				isc_buffer_active(b)		(pointer)
				isc_buffer_used(b)		(pointer)
				isc_buffer_length(b)		(int)
				isc_buffer_usedlength(b)	(int)
				isc_buffer_consumedlength(b)	(int)
				isc_buffer_remaininglength(b)	(int)
				isc_buffer_activelength(b)	(int)
				isc_buffer_availablelength(b)	(int)
			Removed:
				ISC_BUFFER_USEDCOUNT(b)
				ISC_BUFFER_AVAILABLECOUNT(b)
				isc_buffer_type(b)
			Changed names:
				isc_buffer_used(b, r) ->
					isc_buffer_usedregion(b, r)
				isc_buffer_available(b, r) ->
					isc_buffer_available_region(b, r)
				isc_buffer_consumed(b, r) ->
					isc_buffer_consumedregion(b, r)
				isc_buffer_active(b, r) ->
					isc_buffer_activeregion(b, r)
				isc_buffer_remaining(b, r) ->
					isc_buffer_remainingregion(b, r)

			Buffer types were removed, so the ISC_BUFFERTYPE_*
			macros are no more, and the type argument to
			isc_buffer_init and isc_buffer_allocate were removed.
			isc_buffer_putstr is now void (instead of isc_result_t)
			and requires that the caller ensure that there
			is enough available buffer space for the string.

 102.	[port]		Correctly detect inet_aton, inet_pton and inet_ptop
			on BSD/OS 4.1.

 101.	[cleanup]	Quieted EGCS warnings from lib/isc/print.c.

 100.	[cleanup]	<isc/random.h> does not need <isc/int.h> or
			<isc/mutex.h>. isc_random_t moved to <isc/types.h>.

  99.	[cleanup]	Rate limiter now has separate shutdown() and
			destroy() functions, and it guarantees that all
			queued events are delivered even in the shutdown case.

  98.	[cleanup]	<isc/print.h> does not need <stdarg.h> or <stddef.h>
			unless ISC_PLATFORM_NEEDVSNPRINTF is defined.

  97.	[cleanup]	<isc/ondestroy.h> does not need <stddef.h> or
			<isc/event.h>.

  96.	[cleanup]	<isc/mutex.h> does not need <isc/result.h>.

  95.	[cleanup]	<isc/mutexblock.h> does not need <isc/result.h>.

  94.	[cleanup]	Some installed header files did not compile as C++.

  93.	[cleanup]	<isc/msgcat.h> does not need <isc/result.h>.

  92.	[cleanup]	<isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
			or <isc/result.h>.

  91.	[cleanup]	<isc/log.h> does not need <sys/types.h> or
			<isc/result.h>.

  90.	[cleanup]	Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
			from <named/listenlist.h>.

  89.	[cleanup]	<isc/lex.h> does not need <stddef.h>.

  88.	[cleanup]	<isc/interfaceiter.h> does not need <isc/result.h> or
			<isc/mem.h>. isc_interface_t and isc_interfaceiter_t
			moved to <isc/types.h>.

  87.	[cleanup]	<isc/heap.h> does not need <isc/boolean.h>,
			<isc/mem.h> or <isc/result.h>.

  86.	[cleanup]	isc_bufferlist_t moved from <isc/bufferlist.h> to
			<isc/types.h>.

  85.	[cleanup]	<isc/bufferlist.h> does not need <isc/buffer.h>,
			<isc/list.h>, <isc/mem.h>, <isc/region.h> or
			<isc/int.h>.

  84.	[func]		allow-query ACL checks now apply to all data
			added to a response.

  83.	[func]		If the server is authoritative for both a
			delegating zone and its (nonsecure) delegatee, and
			a query is made for a KEY RR at the top of the
			delegatee, then the server will look for a KEY
			in the delegator if it is not found in the delegatee.

  82.	[cleanup]	<isc/buffer.h> does not need <isc/list.h>.

  81.	[cleanup]	<isc/int.h> and <isc/boolean.h> do not need
			<isc/lang.h>.

  80.	[cleanup]	<isc/print.h> does not need <stdio.h> or <stdlib.h>.

  79.	[cleanup]	<dns/callbacks.h> does not need <stdio.h>.

  78.	[cleanup]	lwres_conftest renamed to lwresconf_test for
			consistency with other *_test programs.

  77.	[cleanup]	typedef of isc_time_t and isc_interval_t moved from
			<isc/time.h> to <isc/types.h>.

  76.	[cleanup]	Rewrote keygen.

  75.	[func]		Don't load a zone if its database file is older
			than the last time the zone was loaded.

  74.	[cleanup]	Removed mktemplate.o and ufile.o from libisc.a,
			subsumed by file.o.

  73.	[func]		New "file" API in libisc, including new function
			isc_file_getmodtime, isc_mktemplate renamed to
			isc_file_mktemplate and isc_ufile renamed to
			isc_file_openunique. By no means an exhaustive API,
			it is just what's needed for now.

  72.	[func]		DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
			added for dns_rbt_findnode, the former to disable the
			setting of the chain to the predecessor, and the
			latter to make clear when no options are set.

  71.	[cleanup]	Made explicit the implicit REQUIREs of
			isc_time_seconds, isc_time_nanoseconds, and
			isc_time_subtract.

  70.	[func]		isc_time_set() added.

  69.	[bug]		The zone object's master and also-notify lists grew
			longer with each server reload.

  68.	[func]		Partial support for SIG(0) on incoming messages.

  67.	[performance]	Allow use of alternate (compile-time supplied)
			OpenSSL libraries/headers.

  66.	[func]		Data in authoritative zones should have a trust level
			beyond secure.

  65.	[cleanup]	Removed obsolete typedef of dns_zone_callbackarg_t
			from <dns/types.h>.

  64.	[func]		The RBT, DB, and zone table APIs now allow the
			caller to find the most-enclosing superdomain of
			a name.

  63.	[func]		Generate NOTIFY messages.

  62.	[func]		Add UDP refresh support.

  61.	[cleanup]	Use single quotes consistently in log messages.

  60.	[func]		Catch and disallow singleton types on message
			parse.

  59.	[bug]		Cause net/host unreachable to be a hard error
			when sending and receiving.

  58.	[bug]		bin/named/query.c could sometimes trigger the
			(client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
			== 0 assertion in query_newname().

  57.	[func]		Added dns_nxt_typepresent()

  56.	[bug]		SIG records were not properly returned in cached
			negative answers.

  55.	[bug]		Responses containing multiple names in the authority
			section were not negatively cached.

  54.	[bug]		If a fetch with sigrdataset==NULL joined one with
			sigrdataset!=NULL or vice versa, the resolver
			could catch an assertion or lose signature data,
			respectively.

  53.	[port]		freebsd 4.0: lib/isc/unix/socket.c requires
			<sys/param.h>.

  52.	[bug]		rndc: taskmgr and socketmgr were not initialized
			to NULL.

  51.	[cleanup]	dns/compress.h and dns/zt.h did not need to include
			dns/rbt.h; it was needed only by compress.c and zt.c.

  50.	[func]		RBT deletion no longer requires a valid chain to work,
			and dns_rbt_deletenode was added.

  49.	[func]		Each cache now has its own mctx.

  48.	[func]		isc_task_create() no longer takes an mctx.
			isc_task_mem() has been eliminated.

  47.	[func]		A number of modules now use memory context reference
			counting.

  46.	[func]		Memory contexts are now reference counted.
			Added isc_mem_inuse() and isc_mem_preallocate().
			Renamed isc_mem_destroy_check() to
			isc_mem_setdestroycheck().

  45.	[bug]		The trusted-key statement incorrectly loaded keys.

  44.	[bug]		Don't include authority data if it would force us
			to unset the AD bit in the message.

  43.	[bug]		DNSSEC verification of cached rdatasets was failing.

  42.	[cleanup]	Simplified logging of messages with embedded domain
			names by introducing a new convenience function
			dns_name_format().

  41.	[func]		Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
			to allow 'named' to run as a non-root user while
			retaining the ability to bind() to privileged
			ports.

  40.	[func]		Introduced new logging category "dnssec" and
			logging module "dns/validator".

  39.	[cleanup]	Moved the typedefs for isc_region_t, isc_textregion_t,
			and isc_lex_t to <isc/types.h>.

  38.	[bug]		TSIG signed incoming zone transfers work now.

  37.	[bug]		If the first RR in an incoming zone transfer was
			not an SOA, the server died with an assertion failure
			instead of just reporting an error.

  36.	[cleanup]	Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS

  35.	[performance]	Log messages which are of a level too high to be
			logged by any channel in the logging configuration
			will not cause the log mutex to be locked.

  34.	[bug]		Recursion was allowed even with 'recursion no'.

  33.	[func]		The RBT now maintains a parent pointer at each node.

  32.	[cleanup]	bin/lwresd/client.c needs <string.h> for memset()
			prototype.

  31.	[bug]		Use ${LIBTOOL} to compile bin/named/main.@O@.

  30.	[func]		config file grammar change to support optional
			class type for a view.

  29.	[func]		support new config file view options:

				auth-nxdomain recursion query-source
				query-source-v6 transfer-source
				transfer-source-v6 max-transfer-time-out
				max-transfer-idle-out transfer-format
				request-ixfr provide-ixfr cleaning-interval
				fetch-glue notify rfc2308-type1 lame-ttl
				max-ncache-ttl min-roots

  28.	[func]		support lame-ttl, min-roots and serial-queries
			config global options.

  27.	[bug]		Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
			Including it on other platforms (eg, NetBSD) can
			cause a forced #error from the C preprocessor.

  26.	[func]		new match-clients statement in config file view.

  25.	[bug]		make install failed to install <isc/log.h> and
			<isc/ondestroy.h>.

  24.	[cleanup]	Eliminate some unnecessary #includes of header
			files from header files.

  23.	[cleanup]	Provide more context in log messages about client
			requests, using a new function ns_client_log().

  22.	[bug]		SIGs weren't returned in the answer section when
			the query resulted in a fetch.

  21.	[port]		Look at STD_CINCLUDES after CINCLUDES during
			compilation, so additional system include directories
			can be searched but header files in the bind9 source
			tree with conflicting names take precedence. This
			avoids issues with installed versions of dnssafe and
			openssl.

  20.	[func]		Configuration file post-load validation of zones
			failed if there were no zones.

  19.	[bug]		dns_zone_notifyreceive() failed to unlock the zone
			lock in certain error cases.

  18.	[bug]		Use AC_TRY_LINK rather than AC_TRY_COMPILE in
			configure.in to check for presence of in6addr_any.

  17.	[func]		Do configuration file post-load validation of zones.

  16.	[bug]		put quotes around key names on config file
			output to avoid possible keyword clashes.

  15.	[func]		Add dns_name_dupwithoffsets(). This function
			improves comparison performance for duped names.

  14.	[bug]		free_rbtdb() could have 'put' unallocated memory in
			an unlikely error path.

  13.	[bug]		lib/dns/master.c and lib/dns/xfrin.c didn't ignore
			out-of-zone data.

  12.	[bug]		Fixed possible uninitialized variable error.

  11.	[bug]		axfr_rrstream_first() didn't check the result code of
			db_rr_iterator_first(), possibly causing an assertion
			to be triggered later.

  10.	[bug]		A bug in the code which makes EDNS0 OPT records in
			bin/named/client.c and lib/dns/resolver.c could
			trigger an assertion.

   9.	[cleanup]	replaced bit-setting code in confctx.c and replaced
			repeated code with macro calls.

   8.	[bug]		Shutdown of incoming zone transfer accessed
			freed memory.

   7.	[cleanup]	removed 'listen-on' from view statement.

   6.	[bug]		quote RR names when generating config file to
			prevent possible clash with config file keywords
			(such as 'key').

   5.	[func]		syntax change to named.conf file: new ssu grant/deny
			statements must now be enclosed by an 'update-policy'
			block.

   4.	[port]		bin/named/unix/os.c didn't compile on systems with
			linux 2.3 kernel includes due to conflicts between
			C library includes and the kernel includes. We now
			get only what we need from <linux/capability.h>, and
			avoid pulling in other linux kernel .h files.

   3.	[bug]		TKEYs go in the answer section of responses, not
			the additional section.

   2.	[bug]		Generating cryptographic randomness failed on
			systems without /dev/random.

   1.	[bug]		The installdirs rule in
			lib/isc/unix/include/isc/Makefile.in had a typo which
			prevented the isc directory from being created if it
			didn't exist.

	--- 9.0.0b2 released ---

# This tells Emacs to use hard tabs in this file.
# Local Variables:
# indent-tabs-mode: t
# End: