CHANGES revision 275672
4006.   [security]      A flaw in delegation handling could be exploited
                        to put named into an infinite loop. This has
                        been addressed by placing limits on the number
                        of levels of recursion named will allow (default 7),
                        and the number of iterative queries that it will
                        send (default 50) before terminating a recursive
                        query (CVE-2014-8500).

                        The recursion depth limit is configured via the
                        "max-recursion-depth" option. [RT #35780]

        --- 9.9.5 released ---

        --- 9.9.5rc2 released ---

3710.   [bug]           Address double dns_zone_detach when switching to
                        using automatic empty zones from regular zones.
                        [RT #35177]

3709.   [port]          Use built-in versions of strptime() and timegm()
                        on all platforms to avoid portability issues.
                        [RT #35183]

3708.   [bug]           Address a portentry locking issue in dispatch.c.
                        [RT #35128]

3707.   [bug]           irs_resconf_load now returns ISC_R_FILENOTFOUND
                        on a missing resolv.conf file and initializes the
                        structure as if it had been configured with:

                                nameserver ::1
                                nameserver 127.0.0.1

                        Note: Callers will need to be updated to treat
                        ISC_R_FILENOTFOUND as a qualified success or else
                        they will leak memory. The following code fragment
                        will work with both old and new versions without
                        changing the behaviour of the existing code.

                        resconf = NULL;
                        result = irs_resconf_load(mctx, "/etc/resolv.conf",
                                                  &resconf);
                        if (result != ISC_R_SUCCESS) {
                                if (resconf != NULL)
                                        irs_resconf_destroy(&resconf);
                                ....
                        }

                        [RT #35194]

3706.   [contrib]       queryperf: Fixed a possible integer overflow when
                        printing results. [RT #35182]

3704.   [protocol]      Accept integer timestamps in RRSIG records. [RT #35185]

        --- 9.9.5rc1 released ---

3701.   [func]          named-checkconf can now obscure shared secrets
                        when printing by specifying '-x'. [RT #34465]

3699.   [bug]           Improvements to statistics channel XSL stylesheet:
                        the stylesheet can now be cached by the browser;
                        section headers are omitted from the stats display
                        when there is no data in those sections to be
                        displayed; counters are now right-justified for
                        easier readability. (Only available with
                        configure --enable-newstats.) [RT #35117]

3698.   [cleanup]       Replaced all uses of memcpy() with memmove().
                        [RT #35120]

3697.   [bug]           Handle "." as a search list element when IDN support
                        is enabled. [RT #35133]

3696.   [bug]           dig failed to handle AXFR style IXFR responses which
                        span multiple messages. [RT #35137]

3695.   [bug]           Address a possible race in dispatch.c. [RT #35107]

3694.   [bug]           Warn when a key-directory is configured for a zone,
                        but does not exist or is not a directory. [RT #35108]

3693.   [security]      memcpy was incorrectly called with overlapping
                        ranges resulting in malformed names being generated
                        on some platforms. This could cause INSIST failures
                        when serving NSEC3 signed zones (CVE-2014-0591).
                        [RT #35120]

3692.   [bug]           Two calls to dns_db_getoriginnode were fatal if there
                        was no data at the node. [RT #35080]

3690.   [bug]           Iterative responses could be missed when the source
                        port for an upstream query was the same as the
                        listener port (53). [RT #34925]

3689.   [bug]           Fixed a bug causing an insecure delegation from one
                        static-stub zone to another to fail with a broken
                        trust chain. [RT #35081]

        --- 9.9.5b1 released ---

3688.   [bug]           loadnode could return a freed node on out of memory.
                        [RT #35106]

3687.   [bug]           Address null pointer dereference in zone_xfrdone.
                        [RT #35042]

3686.   [func]          "dnssec-signzone -Q" drops signatures from keys
                        that are still published but no longer active.
                        [RT #34990]

3685.   [bug]           "rndc refresh" didn't work correctly with slave
                        zones using inline-signing. [RT #35105]

3683.   [cleanup]       Add a more detailed "not found" message to rndc
                        commands which specify a zone name. [RT #35059]

3682.   [bug]           Correct the behavior of rndc retransfer to allow
                        inline-signing slave zones to retain NSEC3 parameters
                        instead of reverting to NSEC. [RT #34745]

3681.   [port]          Update the Windows build system to support feature
                        selection and WIN64 builds. This is a work in
                        progress. [RT #34160]

3679.   [bug]           dig could fail to clean up TCP sockets still
                        waiting on connect(). [RT #35074]

3678.   [port]          Update config.guess and config.sub. [RT #35060]

3677.   [bug]           'nsupdate' leaked memory if 'realm' was used multiple
                        times. [RT #35073]

3676.   [bug]           "named-checkconf -z" now checks zones of type
                        hint and redirect as well as master. [RT #35046]

3675.   [misc]          Provide a place for third parties to add version
                        information for their extensions in the version
                        file by setting the EXTENSIONS variable.

3674.   [bug]           RPZ zeroed ttls if the query type was '*'. [RT #35026]

3672.   [func]          Local address can now be specified when using
                        dns_client API. [RT #34811]

3671.   [bug]           Don't allow dnssec-importkey to overwrite an existing
                        non-imported private key.

3670.   [bug]           Address read after free in server side of
                        lwres_getrrsetbyname. [RT #29075]

3669.   [port]          freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.   [bug]           Fix cast in lex.c which could see 0xff treated as eof.
                        [RT #34993]

3667.   [test]          dig: add support to keep the TCP socket open between
                        successive queries (+[no]keepopen). [RT #34918]

3665.   [bug]           Failure to release lock on error in receive_secure_db.
                        [RT #34944]

3664.   [bug]           Updated OpenSSL PKCS#11 patches to fix active list
                        locking and other bugs. [RT #34855]

3663.   [bug]           Address bugs in dns_rdata_fromstruct and
                        dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.   [bug]           'host' could die if a UDP query timed out. [RT #34870]

3661.   [bug]           Address lock order reversal deadlock with inline zones.
                        [RT #34856]

3660.   [cleanup]       Changed the name of "isc-config.sh" to "bind9-config".
                        [RT #23825]

3659.   [port]          solaris: don't add explicit dependencies/rules for
                        python programs as make won't use the implicit rules.
                        [RT #34835]

3658.   [port]          linux: Address platform specific compilation issue
                        when libcap-devel is installed. [RT #34838]

3657.   [port]          Some readline clones don't accept NULL pointers when
                        calling add_history. [RT #34842]

3656.   [security]      Treat an all zero netmask as invalid when generating
                        the localnets acl. (The prior behavior could
                        allow unexpected matches when using some versions
                        of Winsock: CVE-2013-6320.) [RT #34687]

3655.   [cleanup]       Simplify TCP message processing when requesting a
                        zone transfer. [RT #34825]

3654.   [bug]           Address race condition with manual notify requests.
                        [RT #34806]

3653.   [func]          Create delegations for all "children" of empty zones
                        except "forward first". [RT #34826]

3651.   [tuning]        Adjust when a master server is deemed unreachable.
                        [RT #27075]

3650.   [tuning]        Use separate rate limiting queues for refresh and
                        notify requests. [RT #30589]

3649.   [cleanup]       Include a comment in .nzf files, giving the name of
                        the associated view. [RT #34765]

3648.   [test]          Updated the ATF test framework to version 0.17.
                        [RT #25627]

3647.   [bug]           Address a race condition when shutting down a zone.
                        [RT #34750]

3646.   [bug]           Journal filename string could be set incorrectly,
                        causing garbage in log messages. [RT #34738]

3645.   [protocol]      Use case sensitive compression when responding to
                        queries. [RT #34737]

3644.   [protocol]      Check that EDNS subnet client options are well formed.
                        [RT #34718]

3642.   [func]          Allow externally generated DNSKEY to be imported
                        into the DNSKEY management framework. A new tool
                        dnssec-importkey is used to do this. [RT #34698]

3641.   [bug]           Handle changes to sig-validity-interval settings
                        better. [RT #34625]

3640.   [bug]           ndots was not being checked when searching. Only
                        continue searching on NXDOMAIN responses. Add the
                        ability to specify ndots to nslookup. [RT #34711]

3639.   [bug]           Treat type 65533 (KEYDATA) as opaque except when used
                        in a key zone. [RT #34238]

        --- 9.9.4 released ---

3643.   [doc]           Clarify RRL "slip" documentation.

3638.   [cleanup]       Add the ability to handle ENOPROTOOPT in case it is
                        encountered. [RT #34668]

        --- 9.9.4rc2 released ---

3637.   [bug]           'allow-query-on' was checking the source address
                        rather than the destination address. [RT #34590]

3636.   [bug]           Automatic empty zones now behave better with
                        forward only "zones" beneath them. [RT #34583]

3635.   [bug]           Signatures were not being removed from a zone with
                        only KSK keys for an algorithm. [RT #34439]

3634.   [func]          Report build-id in rndc status. Report build-id
                        when building from a git repository. [RT #20422]

3633.   [cleanup]       Refactor OPT processing in named to make it easier
                        to support new EDNS options. [RT #34414]

3632.   [bug]           Signatures from newly inactive keys were not being
                        removed. [RT #32178]

3631.   [bug]           Remove spurious warning about missing signatures when
                        qtype is SIG. [RT #34600]

3630.   [bug]           Ensure correct ID computation for MD5 keys. [RT #33033]

3627.   [bug]           RPZ changes were not effective on slaves. [RT #34450]

3625.   [bug]           Don't send notify messages to machines outside of the
                        test setup.

3623.   [bug]           zone-statistics was only effective in new statistics.
                        [RT #34466]

        --- 9.9.4rc1 released ---

3621.   [security]      Incorrect bounds checking on private type 'keydata'
                        can lead to a remotely triggerable REQUIRE failure
                        (CVE-2013-4854). [RT #34238]

3617.   [bug]           Named was failing to answer queries during
                        "rndc reload" [RT #34098]

3616.   [bug]           Change #3613 was incomplete. [RT #34177]

3615.   [cleanup]       "configure" now finishes by printing a summary
                        of optional BIND features and whether they are
                        active or inactive. ("configure --enable-full-report"
                        increases the verbosity of the summary.) [RT #31777]

3614.   [port]          Check for <linux/types.h>. [RT #34162]

3613.   [bug]           named could crash when deleting inline-signing
                        zones with "rndc delzone". [RT #34066]

3611.   [bug]           Improved resistance to a theoretical authentication
                        attack based on differential timing. [RT #33939]

3610.   [cleanup]       win32: Some executables had been omitted from the
                        installer. [RT #34116]

3608.   [port]          win32: added todos.pl script to ensure all text files
                        the win32 build depends on are converted to DOS
                        newline format. [RT #22067]

3607.   [bug]           dnssec-keygen had broken 'Invalid keyfile' error
                        message. [RT #34045]

        --- 9.9.4b1 released ---

3605.   [port]          win32: Addressed several compatibility issues
                        with newer versions of Visual Studio. [RT #33916]

3603.   [bug]           Install <isc/stat.h>. [RT #33956]

3601.   [bug]           Added to PKCS#11 openssl patches a value len
                        attribute in DH derive key. [RT #33928]

3600.   [cleanup]       dig: Fixed a typo in the warning output when receiving
                        an oversized response. [RT #33910]

3599.   [tuning]        Check for pointer equivalence in name comparisons.
                        [RT #18125]

3596.   [port]          Updated win32 build documentation, added
                        dnssec-verify. [RT #22067]

3594.   [maint]         Update config.guess and config.sub. [RT #33816]

3592.   [doc]           Moved documentation of rndc command options to the
                        rndc man page. [RT #33506]

3590.   [bug]           When using RRL on recursive servers, defer
                        rate-limiting until after recursion is complete;
                        also, use correct rcode for slipped NXDOMAIN
                        responses. [RT #33604]

3588.   [bug]           dig: addressed a memory leak in the sigchase code
                        that could cause a shutdown crash. [RT #33733]

3587.   [func]          'named -g' now checks the logging configuration but
                        does not use it. [RT #33473]

3586.   [bug]           Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3584.   [security]      Caching data from an incompletely signed zone could
                        trigger an assertion failure in resolver.c
                        (CVE-2013-3919). [RT #33690]

3583.   [bug]           Address memory leak in GSS-API processing [RT #33574]

3582.   [bug]           Silence false positive warning regarding missing file
                        directive for inline slave zones. [RT #33662]

3581.   [bug]           Changed the tcp-listen-queue default to 10. [RT #33029]

3580.   [bug]           Addressed a possible race in acache.c [RT #33602]

3579.   [maint]         Updates to PKCS#11 openssl patches, supporting
                        versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.   [bug]           'rndc -c file' now fails if 'file' does not exist.
                        [RT #33571]

3577.   [bug]           Handle zero TTL values better. [RT #33411]

3576.   [bug]           Address a shutdown race when validating. [RT #33573]

3575.   [func]          Changed the logging category for RRL events from
                        'queries' to 'query-errors'. [RT #33540]

3574.   [doc]           The 'hostname' keyword was missing from server-id
                        description in the named.conf man page. [RT #33476]

3573.   [bug]           "rndc addzone" and "rndc delzone" incorrectly handled
                        zone names containing punctuation marks and other
                        nonstandard characters. [RT #33419]

3571.   [bug]           Address race condition in dns_client_startresolve().
                        [RT #33234]

3566.   [func]          Log when forwarding updates to master. [RT #33240]

3554.   [bug]           RRL failed to correctly rate-limit upward
                        referrals and failed to count dropped error
                        responses in the statistics. [RT #33225]

3545.   [bug]           RRL slip behavior was incorrect when set to 1.
                        [RT #33111]

3518.   [bug]           Increase the size of dns_rrl_key.s.rtype by one bit
                        so that all dns_rrl_rtype_t enum values fit regardless
                        of whether it is treated as signed or unsigned by
                        the compiler. [RT #32792]

3494.   [func]          DNS RRL: Blunt the impact of DNS reflection and
                        amplification attacks by rate-limiting substantially-
                        identical responses. To enable, use "configure
                        --enable-rrl". [RT #28130]

        --- 9.9.3 released ---

3568.   [cleanup]       Add a product description line to the version file,
                        to be reported by named -v/-V. [RT #33366]

3567.   [bug]           Silence clang static analyzer warnings. [RT #33365]

3563.   [contrib]       zone2sqlite failed with some table names. [RT #33375]

3561.   [bug]           dig: issue a warning if an EDNS query returns FORMERR
                        or NOTIMP. Adjust usage message. [RT #33363]

        --- 9.9.3rc2 released ---

3560.   [bug]           isc-config.sh did not honor includedir and libdir
                        when set via configure. [RT #33345]

3559.   [func]          Check that both forms of Sender Policy Framework
                        records exist or do not exist. [RT #33355]

3558.   [bug]           IXFR of a DLZ stored zone was broken. [RT #33331]

3557.   [bug]           Reloading redirect zones was broken. [RT #33292]

3556.   [maint]         Added AAAA for D.ROOT-SERVERS.NET.

3555.   [bug]           Address theoretical race conditions in acache.c
                        (change #3553 was incomplete). [RT #33252]

3553.   [bug]           Address suspected double free in acache. [RT #33252]

3552.   [bug]           Wrong getopt option string for 'nsupdate -r'.
                        [RT #33280]

3549.   [doc]           Documentation for "request-nsid" was missing.
                        [RT #33153]

3548.   [bug]           The NSID request code in resolver.c was broken
                        resulting in invalid EDNS options being sent.
                        [RT #33153]

3547.   [bug]           Some malformed unknown rdata records were not properly
                        detected and rejected. [RT #33129]

        --- 9.9.3rc1 released ---

3546.   [func]          Add EUI48 and EUI64 types. [RT #33082]

3544.   [contrib]       check5011.pl: Script to report the status of
                        managed keys as recorded in managed-keys.bind.
                        Contributed by Tony Finch <dot@dotat.at>

3543.   [bug]           Update socket structure before attaching to socket
                        manager after accept. [RT #33084]

3541.   [bug]           Parts of libdns were not properly initialized when
                        built in libexport mode. [RT #33028]

3540.   [test]          libt_api: t_info and t_assert were not thread safe.

3539.   [port]          win32: timestamp format didn't match other platforms.

3538.   [test]          Running "make test" now requires loopback interfaces
                        to be set up. [RT #32452]

3537.   [tuning]        Slave zones, when updated, now send NOTIFY messages
                        to peers before being dumped to disk rather than
                        after. [RT #27242]

3535.   [bug]           Minor win32 cleanups. [RT #32962]

3534.   [bug]           Extra text after an embedded NULL was ignored when
                        parsing zone files. [RT #32699]

3533.   [contrib]       query-loc-0.4.0: memory leaks. [RT #32960]

3532.   [contrib]       zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.   [bug]           win32: An uninitialized value could be returned on out
                        of memory. [RT #32960]

3530.   [contrib]       Better RTT tracking in queryperf. [RT #30128]

3528.   [func]          New "dnssec-coverage" command scans the timing
                        metadata for a set of DNSSEC keys and reports if a
                        lapse in signing coverage has been scheduled
                        inadvertently. (Note: This tool depends on python;
                        it will not be built or installed on systems that
                        do not have a python interpreter.) [RT #28098]

3527.   [compat]        Add a URI to allow applications to explicitly
                        request a particular XML schema from the statistics
                        channel, returning 404 if not supported. [RT #32481]

3526.   [cleanup]       Set up dependencies for unit tests correctly during
                        build. [RT #32803]

3521.   [bug]           Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.   [bug]           'mctx' was not being reference counted in some places
                        where it should have been. [RT #32794]

        --- 9.9.3b2 released ---

3517.   [bug]           Reorder destruction to avoid shutdown race. [RT #32777]

3515.   [port]          '%T' is not portable in strftime(). [RT #32763]

3514.   [bug]           The ranges for valid key sizes in ddns-confgen and
                        rndc-confgen were too constrained. Keys up to 512
                        bits are now allowed for most algorithms, and up
                        to 1024 bits for hmac-sha384 and hmac-sha512.
                        [RT #32753]

3511.   [doc]           Improve documentation of redirect zones. [RT #32756]

3509.   [cleanup]       Added a product line to version file to allow for
                        easy naming of different products (BIND
                        vs BIND ESV, for example). [RT #32755]

3508.   [contrib]       queryperf was incorrectly rejecting the -T option.
                        [RT #32338]

3507.   [bug]           Statistics channel XSL (when built with
                        --enable-newstats) had a glitch when attempting
                        to chart query data before any queries had been
                        received. [RT #32620]

3505.   [bug]           When setting "max-cache-size" and "max-acache-size",
                        larger values than 4 gigabytes could not be set
                        explicitly, though larger sizes were available
                        when setting cache size to 0. This has been
                        corrected; the full range is now available.
                        [RT #32358]

3503.   [doc]           Clarify size_spec syntax. [RT #32449]

3501.   [func]          zone-statistics now takes three options: full,
                        terse, and none. "yes" and "no" are retained as
                        synonyms for full and terse, respectively. [RT #29165]

3500.   [security]      Support NAPTR regular expression validation on
                        all platforms without using libregex, which
                        can be vulnerable to memory exhaustion attack
                        (CVE-2013-2266). [RT #32688]

3499.   [doc]           Corrected ARM documentation of built-in zones.
                        [RT #32694]

3498.   [bug]           zone statistics for zones which matched a potential
                        empty zone could have their zone-statistics setting
                        overridden.

3496.   [func]          Improvements to RPZ performance. The "response-policy"
                        syntax now includes a "min-ns-dots" clause, with
                        default 1, to exclude top-level domains from
                        NSIP and NSDNAME checking. --enable-rpz-nsip and
                        --enable-rpz-nsdname are now the default. [RT #32251]

3493.   [contrib]       Added BDBHPT dynamically-loadable DLZ module,
                        contributed by Mark Goldfinch. [RT #32549]

3492.   [bug]           Fixed a regression in zone loading performance
                        due to lock contention. [RT #30399]

3491.   [bug]           Slave zones using inline-signing must specify a
                        file name. [RT #31946]

3489.   [bug]           --enable-developer now turns on ISC_LIST_CHECKINIT.
                        When cloning a rdataset do not copy the link contents.
                        [RT #32651]

3488.   [bug]           Use after free error with DH generated keys. [RT #32649]

3487.   [bug]           Change 3444 was not complete. There was an additional
                        place where the NOQNAME proof needed to be saved.
                        [RT #32629]

3486.   [bug]           named could crash when using TKEY-negotiated keys
                        that had been deleted and then recreated. [RT #32506]

3485.   [cleanup]       Only compile openssl_gostlink.c if we support GOST.

3483.   [bug]           Corrected XSL code in use with --enable-newstats.
                        [RT #32587]

3481.   [cleanup]       Removed use of const const in atf.

3480.   [bug]           Silence logging noise when setting up zone
                        statistics. [RT #32525]

3479.   [bug]           Address potential memory leaks in gssapi support
                        code. [RT #32405]

3478.   [port]          Fix a build failure in strict C99 environments
                        [RT #32475]

3474.   [bug]           nsupdate could assert when the local and remote
                        address families didn't match. [RT #22897]

3473.   [bug]           dnssec-signzone/verify could incorrectly report
                        an error condition due to an empty node above an
                        opt-out delegation lacking an NSEC3. [RT #32072]

3471.   [bug]           The number of UDP dispatches now defaults to
                        the number of CPUs even if -n has been set to
                        a higher value. [RT #30964]

3470.   [bug]           Slave zones could fail to dump when successfully
                        refreshing after an initial failure. [RT #31276]

        --- 9.9.3b1 released ---

3468.   [security]      RPZ rules to generate A records (but not AAAA records)
                        could trigger an assertion failure when used in
                        conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.   [bug]           Added checks in dnssec-keygen and dnssec-settime
                        to check for delete date < inactive date. [RT #31719]

3466.   [contrib]       Corrected the DNS_CLIENTINFOMETHODS_VERSION check
                        in DLZ example driver. [RT #32275]

3465.   [bug]           Handle isolated reserved ports. [RT #31778]

3464.   [maint]         Updates to PKCS#11 openssl patches, supporting
                        versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.   [doc]           Clarify managed-keys syntax in ARM. [RT #32232]

3462.   [doc]           Clarify server selection behavior of dig when using
                        -4 or -6 options. [RT #32181]

3461.   [bug]           Negative responses could incorrectly have AD=1
                        set. [RT #32237]

3460.   [bug]           Only link against readline where needed. [RT #29810]

3458.   [bug]           Return FORMERR when presented with an overly long
                        domain name in a request. [RT #29682]

3457.   [protocol]      Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.   [port]          g++47: ATF failed to compile. [RT #32012]

3455.   [contrib]       queryperf: fix getopt option list. [RT #32338]

3454.   [port]          sparc64: improve atomic support. [RT #25182]

3453.   [bug]           'rndc addzone' of a zone with 'inline-signing yes;'
                        failed. [RT #31960]

3452.   [bug]           Accept duplicate singleton records. [RT #32329]

3451.   [port]          Increase per thread stack size from 64K to 1M.
                        [RT #32230]

3450.   [bug]           Stop logfileconfig system test spamming system logs.
                        [RT #32315]

3449.   [bug]           gen.c: use the pre-processor to construct format
                        strings so that compiler can perform sanity checks;
                        check the snprintf results. [RT #17576]

3448.   [bug]           The allow-query-on ACL was not processed correctly.
                        [RT #29486]

3447.   [port]          Add support for libxml2-2.9.x [RT #32231]

3446.   [port]          win32: Add source ID (see change #3400) to build.
                        [RT #31683]

3445.   [bug]           Warn about zone files with blank owner names
                        immediately after $ORIGIN directives. [RT #31848]

3444.   [bug]           The NOQNAME proof was not being returned from cached
                        insecure responses. [RT #21409]

3443.   [bug]           ddns-confgen: Some TSIG algorithms were incorrectly
                        rejected when generating keys. [RT #31927]

3442.   [port]          Net::DNS 0.69 introduced a non backwards compatible
                        change. [RT #32216]

3441.   [maint]         D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.   [bug]           Reorder get_key_struct to not trigger an assertion when
                        cleaning up due to out of memory error. [RT #32131]

3439.   [bug]           contrib/dlz error checking fixes. [RT #32102]

3438.   [bug]           Don't accept unknown data escape in quotes. [RT #32031]

3437.   [bug]           isc_buffer_init -> isc_buffer_constinit to initialize
                        buffers with constant data. [RT #32064]

3436.   [bug]           Check malloc/calloc return values. [RT #32088]

3435.   [bug]           Cross compilation support in configure was broken.
                        [RT #32078]

3431.   [bug]           ddns-confgen: Some valid key algorithms were
                        not accepted. [RT #31927]

3430.   [bug]           win32: isc_time_formatISO8601 was missing the
                        'T' between the date and time. [RT #32044]

3429.   [bug]           dns_zone_getserial2 could return success without
                        returning a valid serial. [RT #32007]

3428.   [cleanup]       dig: Add timezone to date output. [RT #2269]

3427.   [bug]           dig +trace incorrectly displayed name server
                        addresses instead of names. [RT #31641]

3426.   [bug]           dnssec-checkds: Clearer output when records are not
                        found. [RT #31968]

3425.   [bug]           "acacheentry" reference counting was broken resulting
                        in use after free. [RT #31908]

3424.   [func]          dnssec-dsfromkey now emits the hash without spaces.
                        [RT #31951]

3423.   [bug]           "rndc signing -nsec3param" didn't accept the full
                        range of possible values. Address portability issues.
                        [RT #31938]

3422.   [bug]           Added a clear error message for when the SOA does not
                        match the referral. [RT #31281]

3421.   [bug]           Named loops when re-signing if all keys are offline.
                        [RT #31916]

3420.   [bug]           Address VPATH compilation issues. [RT #31879]

3419.   [bug]           Memory leak on validation cancel. [RT #31869]

3417.   [func]          Optional new XML schema (version 3.0) for the
                        statistics channel adds query type statistics at the
                        zone level, and flattens the XML tree and uses
                        compressed format to optimize parsing. Includes new XSL
                        that permits charting via the Google Charts API on
                        browsers that support javascript in XSL. To enable,
                        build with "configure --enable-newstats". [RT #30023]

3416.   [bug]           Named could die on shutdown if running with 128 UDP
                        dispatches per interface. [RT #31743]

3415.   [bug]           named could die with a REQUIRE failure if a validation
                        was canceled. [RT #31804]

3414.   [bug]           Address locking issues found by Coverity. [RT #31626]

3412.   [bug]           Copy timeval structure from control message data.
                        [RT #31548]

3411.   [tuning]        Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
                        to UDP. [RT #31690]

3410.   [bug]           Addressed Coverity warnings. [RT #31626]

3409.   [contrib]       contrib/dane/mkdane.sh: Tool to generate TLSA RR's
                        from X.509 certificates, for use with DANE
                        (DNS-based Authentication of Named Entities).
                        [RT #30513]

3408.   [bug]           Some DNSSEC-related options (update-check-ksk,
                        dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
                        are now legal in slave zones as long as
                        inline-signing is in use. [RT #31078]

3406.   [bug]           mem.c: Fix compilation errors when building with
                        ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
                        Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.   [bug]           Handle time going backwards in acache. [RT #31253]

3404.   [bug]           dnssec-signzone: When re-signing a zone, remove
                        RRSIG and NSEC records from nodes that used to be
                        in-zone but are now below a zone cut. [RT #31556]

3403.   [bug]           Silence noisy OpenSSL logging. [RT #31497]

3402.   [test]          The IPv6 interface numbers used for system
                        tests were incorrect on some platforms. [RT #25085]

3401.   [bug]           Addressed Coverity warnings. [RT #31484]

3400.   [cleanup]       "named -V" can now report a source ID string, defined
                        in the "srcid" file in the build tree and normally set
                        to the most recent git hash. [RT #31494]

3399.   [port]          netbsd: rename 'bool' parameter to avoid namespace
                        clash. [RT #31515]

3398.   [bug]           SOA parameters were not being updated with inline
                        signed zones if the zone was modified while the
                        server was offline. [RT #29272]

3397.   [bug]           dig crashed when using +nssearch with +tcp. [RT #25298]

3396.   [bug]           OPT records were incorrectly removed from signed,
                        truncated responses. [RT #31439]

3395.   [protocol]      Add RFC 6598 reverse zones to built in empty zones
                        list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
                        [RT #31336]

3394.   [bug]           Adjust 'successfully validated after lower casing
                        signer' log level and category. [RT #31414]

3393.   [bug]           'host -C' could core dump if REFUSED was received.
                        [RT #31381]

3391.   [bug]           A DNSKEY lookup that encountered a CNAME failed.
                        [RT #31262]

3390.   [bug]           Silence clang compiler warnings. [RT #30417]

3389.   [bug]           Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.   [bug]           Fixed several Coverity warnings.
                        Note: This change includes a fix for a bug that
                        was subsequently determined to be an exploitable
                        security vulnerability, CVE-2012-5688: named could
                        die on specific queries with dns64 enabled.
                        [RT #30996]

3386.   [bug]           Address locking violation when generating new NSEC /
                        NSEC3 chains. [RT #31224]

3385.   [bug]           named-checkconf didn't detect missing master lists
                        in also-notify clauses. [RT #30810]

3384.   [bug]           Improved logging of crypto errors. [RT #30963]

3382.   [bug]           SOA query from slave used use-v6-udp-ports range,
                        if set, regardless of the address family in use.
                        [RT #24173]

3381.   [contrib]       Update queryperf to support more RR types.
                        [RT #30762]

3380.   [bug]           named could die if a nonexistent master list was
                        referenced in an also-notify. [RT #31004]

3379.   [bug]           isc_interval_zero and isc_time_epoch should be
                        "const (type)* const". [RT #31069]

3378.   [bug]           Handle missing 'managed-keys-directory' better.
                        [RT #30625]

3377.   [bug]           Removed spurious newline from NSEC3 multiline
                        output. [RT #31044]

3376.   [bug]           Lack of EDNS support was being recorded without a
                        successful response. [RT #30811]

3375.   [func]          Check that 'rndc dumpdb' works on an empty cache.
                        [RT #30808]

3374.   [bug]           isc_parse_uint32 failed to return a range error on
                        systems with 64 bit longs. [RT #30232]

3372.   [bug]           Silence spurious "deleted from unreachable cache"
                        messages. [RT #30501]

3371.   [bug]           AD=1 should behave like DO=1 when deciding whether to
                        add NS RRsets to the additional section or not.
                        [RT #30479]

3316.   [tuning]        Improved locking performance when recursing.
                        [RT #28836]

3315.   [tuning]        Use multiple dispatch objects for sending upstream
                        queries; this can improve performance on busy
                        multiprocessor systems by reducing lock contention.
                        [RT #28605]

        --- 9.9.2 released ---

3383.   [security]      A certain combination of records in the RBT could
                        cause named to hang while populating the additional
                        section of a response. [RT #31090]

3373.   [bug]           win32: open raw files in binary mode. [RT #30944]

3364.   [security]      Named could die on specially crafted record.
                        [RT #30416]

        --- 9.9.2rc1 released ---

3370.   [bug]           Address use after free while shutting down. [RT #30241]

3369.   [bug]           nsupdate terminated unexpectedly in interactive mode
                        if built with readline support. [RT #29550]

3368.   [bug]           <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
                        were not C++ safe.

3367.   [bug]           dns_dnsseckey_create() result was not being checked.
                        [RT #30685]

3366.   [bug]           Fixed Read-After-Write dependency violation for IA64
                        atomic operations. [RT #25181]

3365.   [bug]           Removed spurious newlines from log messages in
                        zone.c [RT #30675]

3363.   [bug]           Need to allow "forward" and "forwarders" options
                        in static-stub zones; this had been overlooked.
                        [RT #30482]

3362.   [bug]           Setting some option values to 0 in named.conf
                        could trigger an assertion failure on startup.
                        [RT #27730]

3361.   [bug]           "rndc signing -nsec3param" didn't work correctly
                        when salt was set to '-' (no salt). [RT #30099]

3360.   [bug]           'host -w' could die. [RT #18723]

3359.   [bug]           An improperly-formed TSIG secret could cause a
                        memory leak. [RT #30607]

3357.   [port]          Add support for libxml2-2.8.x [RT #30440]

3356.   [bug]           Cap the TTL of signed RRsets when RRSIGs are
                        approaching their expiry, so they don't remain
                        in caches after expiry. [RT #26429]

3355.   [port]          Use more portable awk in verify system test.

3354.   [func]          Improve OpenSSL error logging. [RT #29932]

        --- 9.9.2b1 released ---

3353.   [bug]           Use a single task for task exclusive operations.
                        [RT #29872]

3352.   [bug]           Ensure that learned server attributes time out of the
                        adb cache. [RT #29856]

3351.   [bug]           isc_mem_put and isc_mem_putanddetach didn't report
                        caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
                        memory debugging flags are set. [RT #30243]

3350.   [bug]           Memory read overrun in isc___mem_reallocate if
                        ISC_MEM_DEBUGCTX memory debugging flag is set.
                        [RT #30240]

3349.   [bug]           Change #3345 was incomplete. [RT #30233]

3348.   [bug]           Prevent RRSIG data from being cached if a negative
                        record matching the covering type exists at a higher
                        trust level. Such data already can't be retrieved from
                        the cache since change 3218 -- this prevents it
                        being inserted into the cache as well. [RT #26809]

3347.   [bug]           dnssec-settime: Issue a warning when writing a new
                        private key file would cause a change in the
                        permissions of the existing file. [RT #27724]

3346.   [security]      Bad-cache data could be used before it was
                        initialized, causing an assert. [RT #30025]

3345.   [bug]           Addressed race condition when removing the last item
                        or inserting the first item in an ISC_QUEUE.
                        [RT #29539]

3344.   [func]          New "dnssec-checkds" command checks a zone to
                        determine which DS records should be published
                        in the parent zone, or which DLV records should be
                        published in a DLV zone, and queries the DNS to
                        ensure that it exists. (Note: This tool depends
                        on python; it will not be built or installed on
                        systems that do not have a python interpreter.)
                        [RT #28099]

3342.   [bug]           Change #3314 broke saving of stub zones to disk
                        resulting in excessive cpu usage in some cases.
                        [RT #29952]

3341.   [func]          New "dnssec-verify" command checks a signed zone
                        to ensure correctness of signatures and of NSEC/NSEC3
                        chains. [RT #23673]

3339.   [func]          Allow the maximum supported rsa exponent size to be
                        specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.   [bug]           Address race condition in unit tests: asyncload_zone
                        and asyncload_zt. [RT #26100]

3337.   [bug]           Change #3294 broke support for the multiple keys
                        in controls. [RT #29694]

3335.   [func]          nslookup: return a nonzero exit code when unable
                        to get an answer. [RT #29492]

3334.   [bug]           Hold a zone table reference while performing an
                        asynchronous load of a zone. [RT #28326]

3333.   [bug]           Setting resolver-query-timeout too low can cause
                        named to not recover if it loses connectivity.
                        [RT #29623]

3332.   [bug]           Re-use cached DS rrsets if possible. [RT #29446]

3331.   [security]      dns_rdataslab_fromrdataset could produce bad
                        rdataslabs. [RT #29644]

3330.   [func]          Fix missing signatures on NOERROR results despite
                        RPZ rewriting. Also
                        - add optional "recursive-only yes|no" to the
                          response-policy statement
                        - add optional "max-policy-ttl" to the response-policy
                          statement to limit the false data that
                          "recursive-only no" can introduce into
                          resolvers' caches
                        - add an RPZ performance test to bin/tests/system/rpz
                          when queryperf is available.
                        - the encoding of PASSTHRU action to "rpz-passthru".
                          (The old encoding is still accepted.)
                        [RT #26172]

3329.   [bug]           Handle RRSIG signer-name case consistently: We
                        generate RRSIG records with the signer-name in
                        lower case. We accept them with any case, but if
                        they fail to validate, we try again in lower case.
                        [RT #27451]

3328.   [bug]           Fixed inconsistent data checking in dst_parse.c.
                        [RT #29401]

3317.   [func]          Add ECDSA support (RFC 6605).
[RT #21918] 1042 1043 --- 9.9.1 released --- 1044 10453318. [tuning] Reduce the amount of work performed while holding a 1046 bucket lock when finished with a fetch context. 1047 [RT #29239] 1048 10493314. [bug] The masters list could be updated while stub_callback 1050 or refresh_callback were using it. [RT #26732] 1051 10523313. [protocol] Add TLSA record type. [RT #28989] 1053 10543312. [bug] named-checkconf didn't detect a bad dns64 clients acl. 1055 [RT #27631] 1056 10573311. [bug] Abort the zone dump if zone->db is NULL in 1058 zone.c:zone_gotwritehandle. [RT #29028] 1059 10603310. [test] Increase table size for mutex profiling. [RT #28809] 1061 10623309. [bug] resolver.c:fctx_finddone() was not thread safe. 1063 [RT #27995] 1064 10653307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS. 1066 [RT #28956] 1067 10683306. [bug] Improve DNS64 reverse zone performance. [RT #28563] 1069 10703305. [func] Add wire format lookup method to sdb. [RT #28563] 1071 10723304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps. 1073 [RT #28571] 1074 10753303. [bug] named could die when reloading. [RT #28606] 1076 10773302. [bug] dns_dnssec_findmatchingkeys could fail to find 1078 keys if the zone name contained character that 1079 required special mappings. [RT #28600] 1080 10813301. [contrib] Update queryperf to build on darwin. Add -R flag 1082 for non-recursive queries. [RT #28565] 1083 10843300. [bug] Named could die if gssapi was enabled in named.conf 1085 but was not compiled in. [RT #28338] 1086 10873299. [bug] Make SDB handle errors from database drivers better. 1088 [RT #28534] 1089 10903298. [bug] Named could dereference a NULL pointer in 1091 zmgr_start_xfrin_ifquota if the zone was being removed. 1092 [RT #28419] 1093 10943297. [bug] Named could die on a malformed master file. [RT #28467] 1095 10963296. [bug] Named could die with a INSIST failure in 1097 client.c:exit_check. [RT #28346] 1098 10993295. 
[bug] Adjust isc_time_secondsastimet range check to be more 1100 portable. [RT # 26542] 1101 11023294. [bug] isccc/cc.c:table_fromwire failed to free alist on 1103 error. [RT #28265] 1104 11053291. [port] Fixed a build error on systems without ENOTSUP. 1106 [RT #28200] 1107 11083290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169] 1109 11103273. [bug] AAAA responses could be returned in the additional 1111 section even when filter-aaaa-on-v4 was in use. 1112 [RT #27292] 1113 1114 --- 9.9.0 released --- 1115 1116 --- 9.9.0rc4 released --- 1117 11183289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036] 1119 11203288. [bug] dlz_destroy() function wasn't correctly registered 1121 by the DLZ dlopen driver. [RT #28056] 1122 11233287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028] 1124 11253286. [bug] Managed key maintenance timer could fail to start 1126 after 'rndc reconfig'. [RT #26786] 1127 1128 --- 9.9.0rc3 released --- 1129 11303285. [bug] val-frdataset was incorrectly disassociated in 1131 proveunsecure after calling startfinddlvsep. 1132 [RT #27928] 1133 11343284. [bug] Address race conditions with the handling of 1135 rbtnode.deadlink. [RT #27738] 1136 11373283. [bug] Raw zones with with more than 512 records in a RRset 1138 failed to load. [RT #27863] 1139 11403282. [bug] Restrict the TTL of NS RRset to no more than that 1141 of the old NS RRset when replacing it. 1142 [RT #27792] [RT #27884] 1143 11443281. [bug] SOA refresh queries could be treated as cancelled 1145 despite succeeding over the loopback interface. 1146 [RT #27782] 1147 11483280. [bug] Potential double free of a rdataset on out of memory 1149 with DNS64. [RT #27762] 1150 11513279. [bug] Hold a internal reference to the zone while performing 1152 a asynchronous load. Address potential memory leak 1153 if the asynchronous is cancelled. [RT #27750] 1154 11553278. 
[bug] Make sure automatic key maintenance is started 1156 when "auto-dnssec maintain" is turned on during 1157 "rndc reconfig". [RT #26805] 1158 11593277. [bug] win32: isc_socket_dup is not implemented. [RT #27696] 1160 11613276. [bug] win32: ns_os_openfile failed to return NULL on 1162 safe_open failure. [RT #27696] 1163 11643275. [bug] Corrected rndc -h output; the 'rndc sync -clean' 1165 option had been misspelled as '-clear'. (To avoid 1166 future confusion, both options now work.) [RT #27173] 1167 11683271. [port] darwin: mksymtbl is not always stable, loop several 1169 times before giving up. mksymtbl was using non 1170 portable perl to covert 64 bit hex strings. [RT #27653] 1171 1172 --- 9.9.0rc2 released --- 1173 11743270. [bug] "rndc reload" didn't reuse existing zones correctly 1175 when inline-signing was in use. [RT #27650] 1176 11773269. [port] darwin 11 and later now built threaded by default. 1178 11793268. [bug] Convert RRSIG expiry times to 64 timestamps to work 1180 out the earliest expiry time. [RT #23311] 1181 11823267. [bug] Memory allocation failures could be mis-reported as 1183 unexpected error. New ISC_R_UNSET result code. 1184 [RT #27336] 1185 11863266. [bug] The maximum number of NSEC3 iterations for a 1187 DNSKEY RRset was not being properly computed. 1188 [RT #26543] 1189 11903265. [bug] Corrected a problem with lock ordering in the 1191 inline-signing code. [RT #27557] 1192 11933264. [bug] Automatic regeneration of signatures in an 1194 inline-signing zone could stall when the server 1195 was restarted. [RT #27344] 1196 11973263. [bug] "rndc sync" did not affect the unsigned side of an 1198 inline-signing zone. [RT #27337] 1199 12003262. [bug] Signed responses were handled incorrectly by RPZ. 1201 [RT #27316] 1202 12033261. [func] RRset ordering now defaults to random. [RT #27174] 1204 12053260. [bug] "rrset-order cyclic" could appear not to rotate 1206 for some query patterns. 
[RT #27170/27185] 1207 1208 --- 9.9.0rc1 released --- 1209 12103259. [bug] named-compilezone: Suppress "dump zone to <file>" 1211 message when writing to stdout. [RT #27109] 1212 12133258. [test] Add "forcing full sign with unreadable keys" test. 1214 [RT #27153] 1215 12163257. [bug] Do not generate a error message when calling fsync() 1217 in a pipe or socket. [RT #27109] 1218 12193256. [bug] Disable empty zones for lwresd -C. [RT #27139] 1220 12213255. [func] No longer require that a empty zones be explicitly 1222 enabled or that a empty zone is disabled for 1223 RFC 1918 empty zones to be configured. [RT #27139] 1224 12253254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels. 1226 [RT #22249] 1227 12283253. [bug] Return DNS_R_SYNTAX when the input to a text field is 1229 too long. [RT #26956] 1230 12313252. [bug] When master zones using inline-signing were 1232 updated while the server was offline, the source 1233 zone could fall out of sync with the signed 1234 copy. They can now resynchronize. [RT #26676] 1235 12363251. [bug] Enforce a upper bound (65535 bytes) on the amount of 1237 memory dns_sdlz_putrr() can allocate per record to 1238 prevent run away memory consumption on ISC_R_NOSPACE. 1239 [RT #26956] 1240 12413250. [func] 'configure --enable-developer'; turn on various 1242 configure options, normally off by default, that 1243 we want developers to build and test with. [RT #27103] 1244 12453249. [bug] Update log message when saving slave zones files for 1246 analysis after load failures. [RT #27087] 1247 12483248. [bug] Configure options --enable-fixed-rrset and 1249 --enable-exportlib were incompatible with each 1250 other. [RT #27087] 1251 12523247. [bug] 'raw' format zones failed to preserve load order 1253 breaking 'fixed' sort order. [RT #27087] 1254 12553246. [bug] Named failed to start with a empty also-notify list. 1256 [RT #27087] 1257 12583245. 
[bug] Don't report a error unchanged serials unless there 1259 were other changes when thawing a zone with 1260 ixfr-fromdifferences. [RT #26845] 1261 12623244. [func] Added readline support to nslookup and nsupdate. 1263 Also simplified nsupdate syntax to make "update" 1264 and "prereq" optional. [RT #24659] 1265 12663243. [port] freebsd,netbsd,bsdi: the thread defaults were not 1267 being properly set. 1268 12693242. [func] Extended the header of raw-format master files to 1270 include the serial number of the zone from which 1271 they were generated, if different (as in the case 1272 of inline-signing zones). This is to be used in 1273 inline-signing zones, to track changes between the 1274 unsigned and signed versions of the zone, which may 1275 have different serial numbers. 1276 1277 (Note: raw zonefiles generated by this version of 1278 BIND are no longer compatible with prior versions. 1279 To generate a backward-compatible raw zonefile 1280 using dnssec-signzone or named-compilezone, specify 1281 output format "raw=0" instead of simply "raw".) 1282 [RT #26587] 1283 12843241. [bug] Address race conditions in the resolver code. 1285 [RT #26889] 1286 12873240. [bug] DNSKEY state change events could be missed. [RT #26874] 1288 12893239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent 1290 timestamp. [RT #26883] 1291 12923238. [bug] keyrdata was not being reinitialized in 1293 lib/dns/rbtdb.c:iszonesecure. [RT#26913] 1294 12953237. [bug] dig -6 didn't work with +trace. [RT #26906] 1296 12973236. [bug] Backed out changes #3182 and #3202, related to 1298 EDNS(0) fallback behavior. [RT #26416] 1299 13003235. [func] dns_db_diffx, a extended dns_db_diff which returns 1301 the generated diff and optionally writes it to a 1302 journal. [RT #26386] 1303 13043234. [bug] 'make depend' produced invalid makefiles. [RT #26830] 1305 13063233. [bug] 'rndc freeze/thaw' didn't work for inline zones. 1307 [RT #26632] 1308 13093232. 
[bug] Zero zone->curmaster before return in 1310 dns_zone_setmasterswithkeys(). [RT #26732] 1311 13123231. [bug] named could fail to send a incompressible zone. 1313 [RT #26796] 1314 13153230. [bug] 'dig axfr' failed to properly handle a multi-message 1316 axfr with a serial of 0. [RT #26796] 1317 13183229. [bug] Fix local variable to struct var assignment 1319 found by CLANG warning. 1320 13213228. [tuning] Dynamically grow symbol table to improve zone 1322 loading performance. [RT #26523] 1323 13243227. [bug] Interim fix to make WKS's use of getprotobyname() 1325 and getservbyname() self thread safe. [RT #26232] 1326 13273226. [bug] Address minor resource leakages. [RT #26624] 1328 13293225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed" 1330 messages. [RT #26507] 1331 13323224. [bug] 'rndc signing' argument parsing was broken. [RT #26684] 1333 13343223. [bug] 'task_test privilege_drop' generated false positives. 1335 [RT #26766] 1336 13373222. [cleanup] Replace dns_journal_{get,set}_bitws with 1338 dns_journal_{get,set}_sourceserial. [RT #26634] 1339 13403221. [bug] Fixed a potential core dump on shutdown due to 1341 referencing fetch context after it's been freed. 1342 [RT #26720] 1343 1344 --- 9.9.0b2 released --- 1345 13463220. [bug] Change #3186 was incomplete; dns_db_rpz_findips() 1347 could fail to set the database version correctly, 1348 causing an assertion failure. [RT #26180] 1349 13503219. [bug] Disable NOEDNS caching following a timeout. 1351 13523218. [security] Cache lookup could return RRSIG data associated with 1353 nonexistent records, leading to an assertion 1354 failure. [RT #26590] 1355 13563217. [cleanup] Fix build problem with --disable-static. [RT #26476] 1357 13583216. [bug] resolver.c:validated() was not thread-safe. [RT #26478] 1359 13603215. [bug] 'rndc recursing' could cause a core dump. [RT #26495] 1361 13623214. [func] Add 'named -U' option to set the number of UDP 1363 listener threads per interface. 
[RT #26485] 1364 13653213. [doc] Clarify ixfr-from-differences behavior. [RT #25188] 1366 13673212. [bug] rbtdb.c: failed to remove a node from the deadnodes 1368 list prior to adding a reference to it leading a 1369 possible assertion failure. [RT #23219] 1370 13713211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full" 1372 option prints in single-line-per-record format. 1373 [RT #20287] 1374 13753210. [bug] Canceling the oldest query due to recursive-client 1376 overload could trigger an assertion failure. [RT #26463] 1377 13783209. [func] Add "dnssec-lookaside 'no'". [RT #24858] 1379 13803208. [bug] 'dig -y' handle unknown tsig algorithm better. 1381 [RT #25522] 1382 13833207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444] 1384 13853206. [cleanup] Add ISC information to log at start time. [RT #25484] 1386 13873205. [func] Upgrade dig's defaults to better reflect modern 1388 nameserver behavior. Enable "dig +adflag" and 1389 "dig +edns=0" by default. Enable "+dnssec" when 1390 running "dig +trace". [RT #23497] 1391 13923204. [bug] When a master server that has been marked as 1393 unreachable sends a NOTIFY, mark it reachable 1394 again. [RT #25960] 1395 13963203. [bug] Increase log level to 'info' for validation failures 1397 from expired or not-yet-valid RRSIGs. [RT #21796] 1398 13993202. [bug] NOEDNS caching on timeout was too aggressive. 1400 [RT #26416] 1401 14023201. [func] 'rndc querylog' can now be given an on/off parameter 1403 instead of only being used as a toggle. [RT #18351] 1404 14053200. [doc] Some rndc functions were undocumented or were 1406 missing from 'rndc -h' output. [RT #25555] 1407 14083199. [func] When logging client information, include the name 1409 being queried. [RT #25944] 1410 14113198. [doc] Clarified that dnssec-settime can alter keyfile 1412 permissions. [RT #24866] 1413 14143197. [bug] Don't try to log the filename and line number when 1415 the config parser can't open a file. 
[RT #22263] 1416 14173196. [bug] nsupdate: return nonzero exit code when target zone 1418 doesn't exist. [RT #25783] 1419 14203195. [cleanup] Silence "file not found" warnings when loading 1421 managed-keys zone. [RT #26340] 1422 14233194. [doc] Updated RFC references in the 'empty-zones-enable' 1424 documentation. [RT #25203] 1425 14263193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to 1427 dnssec.h. [RT #26415] 1428 14293192. [bug] A query structure could be used after being freed. 1430 [RT #22208] 1431 14323191. [bug] Print NULL records using "unknown" format. [RT #26392] 1433 14343190. [bug] Underflow in error handling in isc_mutexblock_init. 1435 [RT #26397] 1436 14373189. [test] Added a summary report after system tests. [RT #25517] 1438 14393188. [bug] zone.c:zone_refreshkeys() could fail to detach 1440 references correctly when errors occurred, causing 1441 a hang on shutdown. [RT #26372] 1442 14433187. [port] win32: support for Visual Studio 2008. [RT #26356] 1444 1445 --- 9.9.0b1 released --- 1446 14473186. [bug] Version/db mis-match in rpz code. [RT #26180] 1448 14493185. [func] New 'rndc signing' option for auto-dnssec zones: 1450 - 'rndc signing -list' displays the current 1451 state of signing operations 1452 - 'rndc signing -clear' clears the signing state 1453 records for keys that have fully signed the zone 1454 - 'rndc signing -nsec3param' sets the NSEC3 1455 parameters for the zone 1456 The 'rndc keydone' syntax is removed. [RT #23729] 1457 14583184. [bug] named had excessive cpu usage when a redirect zone was 1459 configured. [RT #26013] 1460 14613183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301] 1462 14633182. [bug] Auth servers behind firewalls which block packets 1464 greater than 512 bytes may cause other servers to 1465 perform poorly. Now, adb retains edns information 1466 and caches noedns servers. [RT #23392/24964] 1467 14683181. [func] Inline-signing is now supported for master zones. 
1469 [RT #26224] 1470 14713180. [func] Local copies of slave zones are now saved in raw 1472 format by default, to improve startup performance. 1473 'masterfile-format text;' can be used to override 1474 the default, if desired. [RT #25867] 1475 14763179. [port] kfreebsd: build issues. [RT #26273] 1477 14783178. [bug] A race condition introduced by change #3163 could 1479 cause an assertion failure on shutdown. [RT #26271] 1480 14813177. [func] 'rndc keydone', remove the indicator record that 1482 named has finished signing the zone with the 1483 corresponding key. [RT #26206] 1484 14853176. [doc] Corrected example code and added a README to the 1486 sample external DLZ module in contrib/dlz/example. 1487 [RT #26215] 1488 14893175. [bug] Fix how DNSSEC positive wildcard responses from a 1490 NSEC3 signed zone are validated. Stop sending a 1491 unnecessary NSEC3 record when generating such 1492 responses. [RT #26200] 1493 14943174. [bug] Always compute to revoked key tag from scratch. 1495 [RT #26186] 1496 14973173. [port] Correctly validate root DS responses. [RT #25726] 1498 14993172. [port] darwin 10.* and freebsd [89] are now built threaded by 1500 default. 1501 15023171. [bug] Exclusively lock the task when adding a zone using 1503 'rndc addzone'. [RT #25600] 1504 1505 --- 9.9.0a3 released --- 1506 15073170. [func] RPZ update: 1508 - fix precedence among competing rules 1509 - improve ARM text including documenting rule precedence 1510 - try to rewrite CNAME chains until first hit 1511 - new "rpz" logging channel 1512 - RDATA for CNAME rules can include wildcards 1513 - replace "NO-OP" named.conf policy override with 1514 "PASSTHRU" and add "DISABLED" override ("NO-OP" 1515 is still recognized) 1516 [RT #25172] 1517 15183169. [func] Catch db/version mis-matches when calling dns_db_*(). 1519 [RT #26017] 1520 15213168. [bug] Nxdomain redirection could trigger an assert with 1522 a ANY query. [RT #26017] 1523 15243167. 
[bug] Negative answers from forwarders were not being 1525 correctly tagged making them appear to not be cached. 1526 [RT #25380] 1527 15283166. [bug] Upgrading a zone to support inline-signing failed. 1529 [RT #26014] 1530 15313165. [bug] dnssec-signzone could generate new signatures when 1532 resigning, even when valid signatures were already 1533 present. [RT #26025] 1534 15353164. [func] Enable DLZ modules to retrieve client information, 1536 so that responses can be changed depending on the 1537 source address of the query. [RT #25768] 1538 15393163. [bug] Use finer-grained locking in client.c to address 1540 concurrency problems with large numbers of threads. 1541 [RT #26044] 1542 15433162. [test] start.pl: modified to allow for "named.args" in 1544 ns*/ subdirectory to override stock arguments to 1545 named. Largely from RT#26044, but no separate ticket. 1546 15473161. [bug] zone.c:del_sigs failed to always reset rdata leading 1548 assertion failures. [RT #25880] 1549 15503160. [bug] When printing out a NSEC3 record in multiline form 1551 the newline was not being printed causing type codes 1552 to be run together. [RT #25873] 1553 15543159. [bug] On some platforms, named could assert on startup 1555 when running in a chrooted environment without 1556 /proc. [RT #25863] 1557 15583158. [bug] Recursive servers would prefer a particular UDP 1559 socket instead of using all available sockets. 1560 [RT #26038] 1561 15623157. [tuning] Reduce the time spent in "rndc reconfig" by parsing 1563 the config file before pausing the server. [RT #21373] 1564 15653156. [placeholder] 1566 1567 --- 9.9.0a2 released --- 1568 15693155. [bug] Fixed a build failure when using contrib DLZ 1570 drivers (e.g., mysql, postgresql, etc). [RT #25710] 1571 15723154. [bug] Attempting to print an empty rdataset could trigger 1573 an assert. [RT #25452] 1574 15753153. [func] Extend request-ixfr to zone level and remove the 1576 side effect of forcing an AXFR. [RT #25156] 1577 15783152. 
[cleanup] Some versions of gcc and clang failed due to 1579 incorrect use of __builtin_expect. [RT #25183] 1580 15813151. [bug] Queries for type RRSIG or SIG could be handled 1582 incorrectly. [RT #21050] 1583 15843150. [func] Improved startup and reconfiguration time by 1585 enabling zones to load in multiple threads. [RT #25333] 1586 15873149. [placeholder] 1588 15893148. [bug] Processing of normal queries could be stalled when 1590 forwarding a UPDATE message. [RT #24711] 1591 15923147. [func] Initial inline signing support. [RT #23657] 1593 1594 --- 9.9.0a1 released --- 1595 15963146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598] 1597 15983145. [test] Capture output of ATF unit tests in "./atf.out" if 1599 there were any errors while running them. [RT #25527] 1600 16013144. [bug] dns_dbiterator_seek() could trigger an assert when 1602 used with a nonexistent database node. [RT #25358] 1603 16043143. [bug] Silence clang compiler warnings. [RT #25174] 1605 16063142. [bug] NAPTR is class agnostic. [RT #25429] 1607 16083141. [bug] Silence spurious "zone serial (0) unchanged" messages 1609 associated with empty zones. [RT #25079] 1610 16113140. [func] New command "rndc flushtree <name>" clears the 1612 specified name from the server cache along with 1613 all names under it. [RT #19970] 1614 16153139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321 1616 for the hashing algorithms (md5, sha1 - sha512, and 1617 their hmac counterparts). [RT #25067] 1618 16193138. [bug] Address memory leaks and out-of-order operations when 1620 shutting named down. [RT #25210] 1621 16223137. [func] Improve hardware scalability by allowing multiple 1623 worker threads to process incoming UDP packets. 1624 This can significantly increase query throughput 1625 on some systems. [RT #22992] 1626 16273136. [func] Add RFC 1918 reverse zones to the list of built-in 1628 empty zones switched on by the 'empty-zones-enable' 1629 option. [RT #24990] 1630 16313135. 
[port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing. 1632 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307 1633 [RT #24950] 1634 16353134. [bug] Improve the accuracy of dnssec-signzone's signing 1636 statistics. [RT #16030] 1637 16383133. [bug] Change #3114 was incomplete. [RT #24577] 1639 16403132. [placeholder] 1641 16423131. [tuning] Improve scalability by allocating one zone task 1643 per 100 zones at startup time, rather than using a 1644 fixed-size task table. [RT #24406] 1645 16463130. [func] Support alternate methods for managing a dynamic 1647 zone's serial number. Two methods are currently 1648 defined using serial-update-method, "increment" 1649 (default) and "unixtime". [RT #23849] 1650 16513129. [bug] Named could crash on 'rndc reconfig' when 1652 allow-new-zones was set to yes and named ACLs 1653 were used. [RT #22739] 1654 16553128. [func] Inserting an NSEC3PARAM via dynamic update in an 1656 auto-dnssec zone that has not been signed yet 1657 will cause it to be signed with the specified NSEC3 1658 parameters when keys are activated. The 1659 NSEC3PARAM record will not appear in the zone until 1660 it is signed, but the parameters will be stored. 1661 [RT #23684] 1662 16633127. [bug] 'rndc thaw' will now remove a zone's journal file 1664 if the zone serial number has been changed and 1665 ixfr-from-differences is not in use. [RT #24687] 1666 16673126. [security] Using DNAME record to generate replacements caused 1668 RPZ to exit with a assertion failure. [RT #24766] 1669 16703125. [security] Using wildcard CNAME records as a replacement with 1671 RPZ caused named to exit with a assertion failure. 1672 [RT #24715] 1673 16743124. [bug] Use an rdataset attribute flag to indicate 1675 negative-cache records rather than using rrtype 0; 1676 this will prevent problems when that rrtype is 1677 used in actual DNS packets. [RT #24777] 1678 16793123. 
[security] Change #2912 exposed a latent flaw in 1680 dns_rdataset_totext() that could cause named to 1681 crash with an assertion failure. [RT #24777] 1682 16833122. [cleanup] dnssec-settime: corrected usage message. [RT #24664] 1684 16853121. [security] An authoritative name server sending a negative 1686 response containing a very large RRset could 1687 trigger an off-by-one error in the ncache code 1688 and crash named. [RT #24650] 1689 16903120. [bug] Named could fail to validate zones listed in a DLV 1691 that validated insecure without using DLV and had 1692 DS records in the parent zone. [RT #24631] 1693 16943119. [bug] When rolling to a new DNSSEC key, a private-type 1695 record could be created and never marked complete. 1696 [RT #23253] 1697 16983118. [bug] nsupdate could dump core on shutdown when using 1699 SIG(0) keys. [RT #24604] 1700 17013117. [cleanup] Remove doc and parser references to the 1702 never-implemented 'auto-dnssec create' option. 1703 [RT #24533] 1704 17053116. [func] New 'dnssec-update-mode' option controls updates 1706 of DNSSEC records in signed dynamic zones. Set to 1707 'no-resign' to disable automatic RRSIG regeneration 1708 while retaining the ability to sign new or changed 1709 data. [RT #24533] 1710 17113115. [bug] Named could fail to return requested data when 1712 following a CNAME that points into the same zone. 1713 [RT #24455] 1714 17153114. [bug] Retain expired RRSIGs in dynamic zones if key is 1716 inactive and there is no replacement key. [RT #23136] 1717 17183113. [doc] Document the relationship between serial-query-rate 1719 and NOTIFY messages. 1720 17213112. [doc] Add missing descriptions of the update policy name 1722 types "ms-self", "ms-subdomain", "krb5-self" and 1723 "krb5-subdomain", which allow machines to update 1724 their own records, to the BIND 9 ARM. 1725 17263111. [bug] Improved consistency checks for dnssec-enable and 1727 dnssec-validation, added test cases to the 1728 checkconf system test. 
      [RT #24398]

3110. [bug] dnssec-signzone: Wrong error message could appear
      when attempting to sign with no KSK. [RT #24369]

3109. [func] The also-notify option now uses the same syntax
      as a zone's masters clause. This means it is
      now possible to specify a TSIG key to use when
      sending notifies to a given server, or to include
      an explicit named masters list in an also-notify
      statement. [RT #23508]

3108. [cleanup] dnssec-signzone: Clarified some error and
      warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
      code (use -P instead). [RT #20852]

3107. [bug] dnssec-signzone: Report the correct number of ZSKs
      when using -x. [RT #20852]

3106. [func] When logging client requests, include the name of
      the TSIG key if any. [RT #23619]

3105. [bug] GOST support can be suppressed by "configure
      --without-gost" [RT #24367]

3104. [bug] Better support for cross-compiling. [RT #24367]

3103. [bug] Configuring 'dnssec-validation auto' in a view
      instead of in the options statement could trigger
      an assertion failure in named-checkconf. [RT #24382]

3102. [func] New 'dnssec-loadkeys-interval' option configures
      how often, in minutes, to check the key repository
      for updates when using automatic key maintenance.
      Default is every 60 minutes (formerly hard-coded
      to 12 hours). [RT #23744]

3101. [bug] Zones using automatic key maintenance could fail
      to check the key repository for updates. [RT #23744]

3100. [security] Certain response policy zone configurations could
      trigger an INSIST when receiving a query of type
      RRSIG. [RT #24280]

3099. [test] "dlz" system test now runs but gives R:SKIPPED if
      not compiled with --with-dlz-filesystem. [RT #24146]

3098. [bug] DLZ zones were answering without setting the AA bit.
      [RT #24146]

3097. [test] Add a tool to test handling of malformed packets.
      [RT #24096]

3096. [bug] Set KRB5_KTNAME before calling log_cred() in
      dst_gssapi_acceptctx(). [RT #24004]

3095. [bug] Handle isolated reserved ports in the port range.
      [RT #23957]

3094. [doc] Expand dns64 documentation.

3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]

3092. [bug] Signatures for records at the zone apex could go
      stale due to an incorrect timer setting. [RT #23769]

3091. [bug] Fixed a bug in which zone keys that were published
      and then subsequently activated could fail to trigger
      automatic signing. [RT #22911]

3090. [func] Make --with-gssapi default [RT #23738]

3089. [func] dnssec-dsfromkey now supports reading keys from
      standard input "dnssec-dsfromkey -f -". [RT# 20662]

3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
      and add setup.sh in order to resolve changing
      named.conf issue. [RT #23687]

3087. [bug] DDNS updates using SIG(0) with update-policy match
      type "external" could cause a crash. [RT #23735]

3086. [bug] Running dnssec-settime -f on an old-style key will
      now force an update to the new key format even if no
      other change has been specified, using "-P now -A now"
      as default values. [RT #22474]

3085. [func] New '-R' option in dnssec-signzone forces removal
      of signatures which have not yet expired but
      were generated by a key that no longer exists.
      [RT #22471]

3084. [func] A new command "rndc sync" dumps pending changes in
      a dynamic zone to disk; "rndc sync -clean" also
      removes the journal file after syncing. Also,
      "rndc freeze" no longer removes journal files.
      [RT #22473]

3083. [bug] NOTIFY messages were not being sent when generating
      a NSEC3 chain incrementally. [RT #23702]

3082. [port] strtok_r is threads only. [RT #23747]

3081. [bug] Failure of DNAME substitution did not return
      YXDOMAIN. [RT #23591]

3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
      [RT #23587]

3079. [bug] Handle isc_event_allocate failures in t_tasks.
      [RT #23572]

3078. [func] Added a new include file with function typedefs
      for the DLZ "dlopen" driver. [RT #23629]

3077. [bug] zone.c:zone_refreshkeys() incorrectly called
      dns_zone_attach(), use zone->irefs instead. [RT #23303]

3076. [func] New '-L' option in dnssec-keygen, dnssec-settime, and
      dnssec-keyfromlabel sets the default TTL of the
      key. When possible, automatic signing will use that
      TTL when the key is published. [RT #23304]

3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent
      timestamp when determining which keys are active.
      [RT #23642]

3074. [bug] Make the adb cache read through for zone data and
      glue learn for zone named is authoritative for.
      [RT #22842]

3073. [bug] managed-keys changes were not properly being recorded.
      [RT #20256]

3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
      [RT #20256]

3071. [bug] has_nsec could be used uninitialized in
      update.c:next_active. [RT #20256]

3070. [bug] dnssec-signzone potential NULL pointer dereference.
      [RT #20256]

3069. [cleanup] Silence warnings messages from clang static analysis.
      [RT #20256]

3068. [bug] Named failed to build with an OpenSSL without engine
      support. [RT #23473]

3067. [bug] ixfr-from-differences {master|slave}; failed to
      select the master/slave zones. [RT #23580]

3066. [func] The DLZ "dlopen" driver is now built by default,
      no longer requiring a configure option. To
      disable it, use "configure --without-dlopen".
      Driver also supported on win32. [RT #23467]

3065. [bug] RRSIG could have time stamps too far in the future.
      [RT #23356]

3064. [bug] powerpc: add sync instructions to the end of atomic
      operations. [RT #23469]

3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]

3062. [func] Made several changes to enhance human readability
      of DNSSEC data in dig output and in generated
      zone files:
      - DNSKEY record comments are more verbose, no
        longer used in multiline mode only
      - multiline RRSIG records reformatted
      - multiline output mode for NSEC3PARAM records
      - "dig +norrcomments" suppresses DNSKEY comments
      - "dig +split=X" breaks hex/base64 records into
        fields of width X; "dig +nosplit" disables this.
      [RT #22820]

3061. [func] New option "dnssec-signzone -D", only write out
      generated DNSSEC records. [RT #22896]

3060. [func] New option "dnssec-signzone -X <date>" allows
      specification of a separate expiration date
      for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

3059. [test] Added a regression test for change #3023.

3058. [bug] Cause named to terminate at startup or rndc reconfig/
      reload to fail, if a log file specified in the conf
      file isn't a plain file. [RT #22771]

3057. [bug] "rndc secroots" would abort after the first error
      and so could miss some views. [RT #23488]

3056. [func] Added support for URI resource record. [RT #23386]

3055. [placeholder]

3054. [bug] Added elliptic curve support check in
      GOST OpenSSL engine detection. [RT #23485]

3053. [bug] Under a sustained high query load with a finite
      max-cache-size, it was possible for cache memory
      to be exhausted and not recovered. [RT #23371]

3052. [test] Fixed last autosign test report. [RT #23256]

3051. [bug] NS records obscure DNAME records at the bottom of the
      zone if both are present. [RT #23035]

3050. [bug] The autosign system test was timing dependent.
      Wait for the initial autosigning to complete
      before running the rest of the test. [RT #23035]

3049. [bug] Save and restore the gid when creating
      named.pid at startup. [RT #23290]

3048. [bug] Fully separate view key management. [RT #23419]

3047. [bug] DNSKEY NODATA responses not cached fixed in
      validator.c. Tests added to dnssec system test.
      [RT #22908]

3046. [bug] Use RRSIG original TTL to compute validated RRset
      and RRSIG TTL. [RT #23332]

3045. [removed] Replaced by change #3050.

3044. [bug] Hold the socket manager lock while freeing the socket.
      [RT #23333]

3043. [test] Merged in the NetBSD ATF test framework (currently
      version 0.12) for development of future unit tests.
      Use configure --with-atf to build ATF internally
      or configure --with-atf=prefix to use an external
      copy. [RT #23209]

3042. [bug] dig +trace could fail attempting to use IPv6
      addresses on systems with only IPv4 connectivity.
      [RT #23297]

3041. [bug] dnssec-signzone failed to generate new signatures on
      ttl changes. [RT #23330]

3040. [bug] Named failed to validate insecure zones where a node
      with a CNAME existed between the trust anchor and the
      top of the zone. [RT #23338]

3039. [func] Redirect on NXDOMAIN support. [RT #23146]

3038. [bug] Install <dns/rpz.h>. [RT #23342]

3037. [doc] Update COPYRIGHT to contain all the individual
      copyright notices that cover various parts.

3036. [bug] Check built-in zone arguments to see if the zone
      is re-usable or not. [RT #21914]

3035. [cleanup] Simplify by using strlcpy. [RT #22521]

3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]

3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
      [RT #22521]

3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]

3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
      [RT #22521]

3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
      [RT #22521]

3029. [bug] isc_netaddr_format() handle a zero sized buffer.
      [RT #22521]

3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
      [RT #22521]

3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
      catch NULL pointer dereferences before they happen.
      [RT #22521]

3026. [bug] lib/isc/httpd.c: check that we have enough space
      after calling grow_headerspace() and if not
      re-call grow_headerspace() until we do. [RT #22521]

3025. [bug] Fixed a possible deadlock due to zone resigning.
      [RT #22964]

3024. [func] RTT Banding removed due to minor security increase
      but major impact on resolver latency. [RT #23310]

3023. [bug] Named could be left in an inconsistent state when
      receiving multiple AXFR response messages that were
      not all TSIG-signed. [RT #23254]

3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
      [RT #23246]

3021. [bug] Change #3010 was incomplete. [RT #22296]

3020. [bug] auto-dnssec failed to correctly update the zone when
      changing the DNSKEY RRset. [RT #23232]

3019. [test] Test: check apex NSEC3 records after adding DNSKEY
      record via UPDATE. [RT #23229]

3018. [bug] Named failed to check for the "none;" acl when deciding
      if a zone may need to be re-signed. [RT #23120]

3017. [doc] dnssec-keyfromlabel -I was not properly documented.
      [RT #22887]

3016. [bug] rndc usage missing '-b'. [RT #22937]

3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
      IN6_IS_ADDR_SITELOCAL macros. [RT #22724]

3014. [placeholder]

3013. [bug] The DNS64 ttl was not always being set as expected.
      [RT #23034]

3012. [bug] Remove DNSKEY TTL change pairs before generating
      signing records for any remaining DNSKEY changes.
      [RT #22590]

3011. [func] Change the default query timeout from 30 seconds
      to 10. Allow setting this in named.conf using the new
      'resolver-query-timeout' option, which specifies a max
      time in seconds. 0 means 'default' and anything longer
      than 30 will be silently set to 30. [RT #22852]

3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
      for refreshing managed-keys. [RT #22296]

3009. [bug] clients-per-query code didn't work as expected with
      particular query patterns. [RT #22972]

      --- 9.8.0b1 released ---

3008. [func] Response policy zones (RPZ) support. [RT #21726]

3007. [bug] Named failed to preserve the case of domain names in
      rdata which is not compressible when writing master
      files. [RT #22863]

3006. [func] Allow dynamically generated TSIG keys to be preserved
      across restarts of named. Initially this is for
      TSIG keys generated using GSSAPI. [RT #22639]

3005. [port] Solaris: Work around the lack of
      gsskrb5_register_acceptor_identity() by setting
      the KRB5_KTNAME environment variable to the
      contents of tkey-gssapi-keytab. Also fixed
      test errors on MacOSX. [RT #22853]

3004. [func] DNS64 reverse support. [RT #22769]

3003. [experimental] Added update-policy match type "external",
      enabling named to defer the decision of whether to
      allow a dynamic update to an external daemon.
      (Contributed by Andrew Tridgell.) [RT #22758]

3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
      [RT #22766]

3001. [func] Added a default trust anchor for the root zone, which
      can be switched on by setting "dnssec-validation auto;"
      in the named.conf options. [RT #21727]

3000. [bug] More TKEY/GSS fixes:
      - nsupdate can now get the default realm from
        the user's Kerberos principal
      - corrected gsstest compilation flags
      - improved documentation
      - fixed some NULL dereferences
      [RT #22795]

2999. [func] Add GOST support (RFC 5933). [RT #20639]

2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
      to the task api. [RT #22776]

2997. [func] named -V now reports the OpenSSL and libxml2 versions
      it was compiled against. [RT #22687]

2996. [security] Temporarily disable SO_ACCEPTFILTER support.
      [RT #22589]

2995. [bug] The Kerberos realm was not being correctly extracted
      from the signer's identity. [RT #22770]

2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and
      do not use threads on earlier versions. Also kill
      the unproven-pthreads, mit-pthreads, and ptl2 support.

2993. [func] Dynamically grow adb hash tables. [RT #21186]

2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
      for looking at a secure delegation. [RT #22059]

2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
      dynamic zones. [RT #22365]

2990. [bug] 'dnssec-settime -S' no longer tests prepublication
      interval validity when the interval is set to 0.
      [RT #22761]

2989. [func] Added support for writable DLZ zones. (Contributed
      by Andrew Tridgell of the Samba project.) [RT #22629]

2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
      of external DLZ drivers that can be loaded as
      shared objects at runtime rather than linked with
      named. Currently this is switched on via a
      compile-time option, "configure --with-dlz-dlopen".
      Note: the syntax for configuring DLZ zones
      is likely to be refined in future releases.
      (Contributed by Andrew Tridgell of the Samba
      project.) [RT #22629]

2987. [func] Improve ease of configuring TKEY/GSS updates by
      adding a "tkey-gssapi-keytab" option. If set,
      updates will be allowed with any key matching
      a principal in the specified keytab file.
      "tkey-gssapi-credential" is no longer required
      and is expected to be deprecated. (Contributed
      by Andrew Tridgell of the Samba project.)
      [RT #22629]

2986. [func] Add new zone type "static-stub". It's like a stub
      zone, but the nameserver names and/or their IP
      addresses are statically configured. [RT #21474]

2985. [bug] Add a regression test for change #2896. [RT #21324]

2984. [bug] Don't run MX checks when the target of the MX record
      is ".". [RT #22645]

2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]

      --- 9.8.0a1 released ---

2982. [bug] Reference count dst keys. dst_key_attach() can be used
      to increment the reference count.

      Note: dns_tsigkey_createfromkey() callers should now
      always call dst_key_free() rather than setting it
      to NULL on success. [RT #22672]

2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]

2980. [bug] named didn't properly handle UPDATES that changed the
      TTL of the NSEC3PARAM RRset. [RT #22363]

2979. [bug] named could deadlock during shutdown if two
      "rndc stop" commands were issued at the same
      time. [RT #22108]

2978. [port] hpux: look for <devpoll.h> [RT #21919]

2977. [bug] 'nsupdate -l' report if the session key is missing.
      [RT #21670]

2976. [bug] named could die on exit after negotiating a GSS-TSIG
      key. [RT #22573]

2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
      wrong lock which could lead to server deadlock.
      [RT #22614]

2974. [bug] Some valid UPDATE requests could fail due to a
      consistency check examining the existing version
      of the zone rather than the new version resulting
      from the UPDATE. [RT #22413]

2973. [bug] bind.keys.h was being removed by the "make clean"
      at the end of configure resulting in build failures
      where there is a very old version of perl installed.
      Move it to "make maintainer-clean". [RT #22230]

2972. [bug] win32: address windows socket errors. [RT #21906]

2971. [bug] Fixed a bug that caused journal files not to be
      compacted on Windows systems as a result of
      non-POSIX-compliant rename() semantics. [RT #22434]

2970. [security] Adding a NO DATA negative cache entry failed to clear
      any matching RRSIG records. A subsequent lookup
      of the NO DATA cache entry could trigger an INSIST when the
      unexpected RRSIG was also returned with the NO DATA
      cache entry.

      CVE-2010-3613, VU#706148. [RT #22288]

2969. [security] Fix acl type processing so that allow-query works
      in options and view statements. Also add a new
      set of tests to verify proper functioning.

      CVE-2010-3615, VU#510208. [RT #22418]

2968. [security] Named could fail to prove a data set was insecure
      before marking it as insecure. One set of conditions
      that can trigger this occurs naturally when rolling
      DNSKEY algorithms.

      CVE-2010-3614, VU#837744. [RT #22309]

2967. [bug] 'host -D' now turns on debugging messages earlier.
      [RT #22361]

2966. [bug] isc_print_vsnprintf() failed to check if there was
      space available in the buffer when adding a left
      justified character with a non zero width,
      (e.g. "%-1c"). [RT #22270]

2965. [func] Test HMAC functions using test data from RFC 2104 and
      RFC 4634. [RT #21702]

2964. [placeholder]

2963. [security] The allow-query acl was being applied instead of the
      allow-query-cache acl to cache lookups. [RT #22114]

2962. [port] win32: add more dependencies to BINDBuild.dsw.
      [RT #22062]

2961. [bug] Be still more selective about the non-authoritative
      answers we apply change 2748 to. [RT #22074]

2960. [func] Check that named accepts non-authoritative answers.
      [RT #21594]

2959. [func] Check that named starts with a missing masterfile.
      [RT #22076]

2958. [bug] named failed to start with a missing master file.
      [RT #22076]

2957. [bug] entropy_get() and entropy_getpseudo() failed to match
      the API for RAND_bytes() and RAND_pseudo_bytes()
      respectively. [RT #21962]

2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]

2955. [func] Provide more detail in the recursing log. [RT #22043]

2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
      build_sqldbinstance failure. [RT #21623]

2953. [bug] Silence spurious "expected covering NSEC3, got an
      exact match" message when returning a wildcard
      no data response. [RT #21744]

2952. [port] win32: named-checkzone and named-checkconf failed
      to initialize winsock. [RT #21932]

2951. [bug] named failed to generate a correct signed response
      in an optout, delegation only zone with no secure
      delegations. [RT #22007]

2950. [bug] named failed to perform a SOA up to date check when
      falling back to TCP on UDP timeouts when
      ixfr-from-differences was set. [RT #21595]

2949. [bug] dns_view_setnewzones() contained a memory leak if
      it was called multiple times. [RT #21942]

2948. [port] MacOS: provide a mechanism to configure the test
      interfaces at reboot. See bin/tests/system/README
      for details.

2947. [placeholder]

2946. [doc] Document the default values for the minimum and maximum
      zone refresh and retry values in the ARM. [RT #21886]

2945. [doc] Update empty-zones list in ARM. [RT #21772]

2944. [maint] Remove ORCHID prefix from built in empty zones.
      [RT #21772]

2943. [func] Add support to load new keys into managed zones
      without signing immediately with "rndc loadkeys".
      Add support to link keys with "dnssec-keygen -S"
      and "dnssec-settime -S". [RT #21351]

2942. [contrib] zone2sqlite failed to setup the entropy sources.
      [RT #21610]

2941. [bug] sdb and sdlz (dlz's zone database) failed to support
      DNAME at the zone apex. [RT #21610]

2940. [port] Remove connection aborted error message on
      Windows. [RT #21549]

2939. [func] Check that named successfully skips NSEC3 records
      that fail to match the NSEC3PARAM record currently
      in use. [RT# 21868]

2938. [bug] When generating signed responses, from a signed zone
      that uses NSEC3, named would use an uninitialized
      pointer if it needed to skip a NSEC3 record because
      it didn't match the selected NSEC3PARAM record for
      zone. [RT# 21868]

2937. [bug] Worked around an apparent race condition in over
      memory conditions. Without this fix a DNS cache DB or
      ADB could incorrectly stay in an over memory state,
      effectively refusing further caching, which
      subsequently made a BIND 9 caching server unworkable.
      This fix prevents this problem from happening by
      polling the state of the memory context, rather than
      making a copy of the state, which appeared to cause
      a race. This is a "workaround" in that it doesn't
      solve the possible race per se, but several experiments
      proved this change solves the symptom. Also, the
      polling overhead hasn't been reported to be an issue.
      This bug should only affect a caching server that
      specifies a finite max-cache-size. It's also quite
      likely that the bug happens only when enabling threads,
      but it's not confirmed yet. [RT #21818]

2936. [func] Improved configuration syntax and multiple-view
      support for addzone/delzone feature (see change
      #2930). Removed "new-zone-file" option, replaced
      with "allow-new-zones (yes|no)". The new-zone-file
      for each view is now created automatically, with
      a filename generated from a hash of the view name.
      It is no longer necessary to "include" the
      new-zone-file in named.conf; this happens
      automatically. Zones that were not added via
      "rndc addzone" can no longer be removed with
      "rndc delzone". [RT #19447]

2935. [bug] nsupdate: improve 'file not found' error message.
      [RT #21871]

2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
      [RT #21871]

2933. [bug] 'dig +nsid' used stack memory after it went out of
      scope. This could potentially result in an unknown,
      potentially malformed, EDNS option being sent instead
      of the desired NSID option. [RT #21781]

2932. [cleanup] Corrected a numbering error in the "dnssec" test.
      [RT #21597]

2931. [bug] Temporarily and partially disable change 2864
      because it would cause infinite attempts of RRSIG
      queries. This is an urgent care fix; we'll
      revisit the issue and complete the fix later.
      [RT #21710]

2930. [experimental] New "rndc addzone" and "rndc delzone" commands
      allow dynamic addition and deletion of zones.
      To enable this feature, specify a "new-zone-file"
      option at the view or options level in named.conf.
      Zone configuration information for the new zones
      will be written into that file. To make the new
      zones persist after a restart, "include" the file
      into named.conf in the appropriate view. (Note:
      This feature is not yet documented, and its syntax
      is expected to change.) [RT #19447]

2929. [bug] Improved handling of GSS security contexts:
      - added LRU expiration for generated TSIGs
      - added the ability to use a non-default realm
      - added new "realm" keyword in nsupdate
      - limited lifetime of generated keys to 1 hour
        or the lifetime of the context (whichever is
        smaller)
      [RT #19737]

2928. [bug] Be more selective about the non-authoritative
      answer we apply change 2748 to. [RT #21594]

2927. [placeholder]

2926. [placeholder]

2925. [bug] Named failed to accept uncachable negative responses
      from insecure zones. [RT# 21555]

2924. [func] 'rndc secroots' dump a combined summary of the
      current managed keys combined with trusted keys.
      [RT #20904]

2923. [bug] 'dig +trace' could drop core after "connection
      timeout". [RT #21514]

2922. [contrib] Update zkt to version 1.0.

2921. [bug] The resolver could attempt to destroy a fetch context
      too soon. [RT #19878]

2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
      to IPv4 clients. New acl 'filter-aaaa' (default any).

2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
      [RT #20840]

2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.

2917. [func] Virtual time test framework. [RT #20801]

2916. [func] Add framework to use IPv6 in tests.
      fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915. [cleanup] Be smarter about which objects we attempt to compile
      based on configure options. [RT #21444]

2914. [bug] Make the "autosign" system test more portable.
      [RT #20997]

2913. [func] Add pkcs#11 system tests. [RT #20784]

2912. [func] Windows clients don't like UPDATE responses that clear
      the zone section. [RT #20986]

2911. [bug] dnssec-signzone didn't handle out of zone records well.
      [RT #21367]

2910. [func] Sanity check Kerberos credentials. [RT #20986]

2909. [bug] named-checkconf -p could die if "update-policy local;"
      was specified in named.conf. [RT #21416]

2908. [bug] It was possible for re-signing to stop after removing
      a DNSKEY. [RT #21384]

2907. [bug] The export version of libdns had undefined references.
      [RT #21444]

2906. [bug] Address RFC 5011 implementation issues. [RT #20903]

2905. [port] aix: set use_atomic=yes with native compiler.
      [RT #21402]

2904. [bug] When using DLV, sub-zones of the zones in the DLV,
      could be incorrectly marked as insecure instead of
      secure leading to negative proofs failing. This was
      an unintended outcome from change 2890. [RT# 21392]

2903. [bug] managed-keys-directory missing from namedconf.c.
      [RT #21370]

2902. [func] Add regression test for change 2897. [RT #21040]

2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900. [bug] The placeholder negative caching element was not
      properly constructed triggering an INSIST in
      dns_ncache_towire(). [RT #21346]

2899. [port] win32: Support linking against OpenSSL 1.0.0.

2898. [bug] nslookup leaked memory when -domain=value was
      specified. [RT #21301]

2897. [bug] NSEC3 chains could be left behind when transitioning
      to insecure. [RT #21040]

2896. [bug] "rndc sign" failed to properly update the zone
      when adding a DNSKEY for publication only. [RT #21045]

2895. [func] genrandom: add support for the generation of multiple
      files. [RT #20917]

2894. [contrib] DLZ LDAP support now uses '$' not '%'. [RT #21294]

2893. [bug] Improve managed keys support. New named.conf option
      managed-keys-directory. [RT #20924]

2892. [bug] Handle REVOKED keys better. [RT #20961]

2891. [maint] Update empty-zones list to match
      draft-ietf-dnsop-default-local-zones-13. [RT# 21099]

2890. [bug] Handle the introduction of new trusted-keys and
      DS, DLV RRsets better. [RT #21097]

2889. [bug] Elements of the grammar were not properly reported.
      [RT #21046]

2888. [bug] Only the first EDNS option was displayed. [RT #21273]

2887. [bug] Report the keytag times in UTC in the .key file,
      local time is presented as a comment within the
      comment. [RT #21223]

2886. [bug] ctime() is not thread safe. [RT #21223]

2885. [bug] Improve -fno-strict-aliasing support probing in
      configure. [RT #21080]

2884. [bug] Insufficient validation in dns_name_getlabelsequence().
      [RT #21283]

2883. [bug] 'dig +short' failed to handle really large datasets.
      [RT #21113]

2882. [bug] Remove memory context from list of active contexts
      before clearing 'magic'. [RT #21274]

2881. [bug] Reduce the amount of time the rbtdb write lock
      is held when closing a version. [RT #21198]

2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
      consistent. [RT #21078]

2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
      [RT #21106]

2878. [func] Incrementally write the master file after performing
      an AXFR. [RT #21010]

2877. [bug] The validator failed to skip obviously mismatching
      RRSIGs. [RT #21138]

2876. [bug] Named could return SERVFAIL for negative responses
      from unsigned zones. [RT #21131]

2875. [bug] dns_time64_fromtext() could accept non digits.
      [RT #21033]

2874. [bug] Cache lack of EDNS support only after the server
      successfully responds to the query using plain DNS.
      [RT #20930]

2873. [bug] Canceling a dynamic update via the dns/client module
      could trigger an assertion failure. [RT #21133]

2872. [bug] Modify dns/client.c:dns_client_createx() to only
      require one of IPv4 or IPv6 rather than both.
      [RT #21122]

2871. [bug] Type mismatch in mem_api.c between the definition and
      the header file, causing build failure with
      --enable-exportlib. [RT #21138]

2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.

2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
      [RT #20877]

2868. [cleanup] Run "make clean" at the end of configure to ensure
      any changes made by configure are integrated.
      Use --with-make-clean=no to disable. [RT #20994]

2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
      don't like it. [RT #20986]

2866. [bug] Windows does not like the TSIG name being compressed.
      [RT #20986]

2865. [bug] memset to zero event.data. [RT #20986]

2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
      [RT #21050]

2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
      [RT #21056]

2862. [bug] nsupdate didn't default to the parent zone when
      updating DS records. [RT #20896]

2861. [doc] dnssec-settime man pages didn't correctly document the
      inactivation time. [RT #21039]

2860. [bug] named-checkconf's usage was out of date. [RT #21039]

2859. [bug] When canceling validation it was possible to leak
      memory. [RT #20800]

2858. [bug] RTT estimates were not being adjusted on ICMP errors.
      [RT #20772]

2857. [bug] named-checkconf did not fail on a bad trusted key.
      [RT #20705]

2856. [bug] The size of a memory allocation was not always properly
      recorded. [RT #20927]

2855. [func] nsupdate will now preserve the entered case of domain
      names in update requests it sends. [RT #20928]

2854. [func] dig: allow the final soa record in an axfr response to
      be suppressed, dig +onesoa. [RT #20929]

2853. [bug] add_sigs() could run out of scratch space. [RT #21015]

2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]

2851. [doc] nslookup.1, removed <informalexample> from the docbook
      source as it produced bad nroff. [RT #21007]

2850. [bug] If isc_heap_insert() failed due to memory shortage
      the heap would have corrupted entries. [RT #20951]

2849. [bug] Don't treat errors from the xml2 library as fatal.
      [RT #20945]

2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
      README.rfc5011 into the ARM. [RT #20899]

2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]

2846. [bug] EOF on unix domain sockets was not being handled
      correctly. [RT #20731]

2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]

2844. [doc] notify-delay default in ARM was wrong. It should have
      been five (5) seconds.

2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
      creating key files if there is a chance that the new
      key ID will collide with an existing one after
      either of the keys has been revoked. (To override
      this in the case of dnssec-keyfromlabel, use the -y
      option. dnssec-keygen will simply create a
      different, non-colliding key, so an override is
      not necessary.) [RT #20838]

2842. [func] Added "smartsign" and improved "autosign" and
      "dnssec" regression tests. [RT #20865]

2841. [bug] Change 2836 was not complete. [RT #20883]

2840. [bug] Temporary fixed pkcs11-destroy usage check.
      [RT #20760]

2839. [bug] A KSK revoked by named could not be deleted.
      [RT #20881]

2838. [placeholder]

2837. [port] Prevent Linux spurious warnings about fwrite().
      [RT #20812]

2836. [bug] Keys that were scheduled to become active could
      be delayed. [RT #20874]

2835. [bug] Key inactivity dates were inadvertently stored in
      the private key file with the outdated tag
      "Unpublish" rather than "Inactive". This has been
      fixed; however, any existing keys that had Inactive
      dates set will now need to have them reset, using
      'dnssec-settime -I'. [RT #20868]

2834. [bug] HMAC-SHA* keys that were longer than the algorithm
      digest length were used incorrectly, leading to
      interoperability problems with other DNS
      implementations. This has been corrected.
      (Note: If an oversize key is in use, and
      compatibility is needed with an older release of
      BIND, the new tool "isc-hmac-fixup" can convert
      the key secret to a form that will work with all
      versions.) [RT #20751]

2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
      [RT #20851]

2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
      to avoid redefinition in some OSs [RT 20831]

2831. [security] Do not attempt to validate or cache
      out-of-bailiwick data returned with a secure
      answer; it must be re-fetched from its original
      source and validated in that context. [RT #20819]

2830. [bug] Changing the OPTOUT setting could take multiple
      passes. [RT #20813]

2829. [bug] Fixed potential node inconsistency in rbtdb.c.
      [RT #20808]

2828. [security] Cached CNAME or DNAME RR could be returned to clients
      without DNSSEC validation. [RT #20737]

2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
      being released. [RT #20740]

2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
      was in the process of being created was not properly
      recorded in the zone. [RT #20786]

2824. [bug] "rndc sign" was not being run by the correct task.
      [RT #20759]

2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822. [bug] rbtdb.c:loadnode() could return the wrong result.
      [RT #20802]

2821. [doc] Add note that named-checkconf doesn't automatically
      read rndc.key and bind.keys [RT #20758]

2820. [func] Handle read access failure of OpenSSL configuration
      file more user friendly (PKCS#11 engine patch).
      [RT #20668]

2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
      [RT #20771]

2818. [cleanup] rndc could return an incorrect error code
      when a zone was not found. [RT #20767]

2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
      [RT #20768]

2816. [bug] previous_closest_nsec() could fail to return
      data for NSEC3 nodes [RT #29730]

2815. [bug] Exclusively lock the task when freezing a zone.
      [RT #19838]

2814. [func] Provide a definitive error message when a master
      zone is not loaded. [RT #20757]

2813. [bug] Better handling of unreadable DNSSEC key files.
      [RT #20710]

2812. [bug] Make sure updates can't result in a zone with
      NSEC-only keys and NSEC3 records. [RT #20748]

2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
      output. [RT #20733]

2810. [doc] Clarified the process of transitioning an NSEC3 zone
      to insecure. [RT #20746]

2809. [cleanup] Restored accidentally-deleted text in usage output
      in dnssec-settime and dnssec-revoke [RT #20739]

2808. [bug] Remove the attempt to install atomic.h from lib/isc.
      atomic.h is correctly installed by the architecture
      specific subdirectories. [RT #20722]

2807. [bug] Fixed a possible ASSERT when reconfiguring zone
      keys. [RT #20720]

      --- 9.7.0rc1 released ---

2806. [bug] "rndc sign" could delay re-signing the DNSKEY
      when it had changed. [RT #20703]

2805. [bug] Fixed namespace problems encountered when building
      external programs using non-exported BIND9 libraries
      (i.e., built without --enable-exportlib). [RT #20679]

2804. [bug] Send notifies when a zone is signed with "rndc sign"
      or as a result of a scheduled key change. [RT #20700]

2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
      and genrandom under windows. [RT #20670]

2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]

2801. [func] Detect and report records that are different according
      to DNSSEC but are semantically equal according to plain
      DNS. Apply plain DNS comparisons rather than DNSSEC
      comparisons when processing UPDATE requests.
      dnssec-signzone now removes such semantically duplicate
      records prior to signing the RRset.

      named-checkzone -r {ignore|warn|fail} (default warn)
      named-compilezone -r {ignore|warn|fail} (default warn)

      named.conf: check-dup-records {ignore|warn|fail};

2800. [func] Reject zones which have NS records which refer to
      CNAMEs, DNAMEs or don't have address record (class IN
      only). Reject UPDATEs which would cause the zone
      to fail the above checks if committed. [RT #20678]

2799. [cleanup] Changed the "secure-to-insecure" option to
      "dnssec-secure-to-insecure", and "dnskey-ksk-only"
      to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798. [bug] Addressed bugs in managed-keys initialization
      and rollover. [RT #20683]

2797. [bug] Don't decrement the dispatch manager's maxbuffers.
      [RT #20613]

2796. [bug] Missing dns_rdataset_disassociate() call in
      dns_nsec3_delnsec3sx(). [RT #20681]

2795. [cleanup] Add text to differentiate "update with no effect"
      log messages. [RT #18889]

2794. [bug] Install <isc/namespace.h>. [RT #20677]

2793.
[func] Add "autosign" and "metadata" tests to the 2828 automatic tests. [RT #19946] 2829 28302792. [func] "filter-aaaa-on-v4" can now be set in view 2831 options (if compiled in). [RT #20635] 2832 28332791. [bug] The installation of isc-config.sh was broken. 2834 [RT #20667] 2835 28362790. [bug] Handle DS queries to stub zones. [RT #20440] 2837 28382789. [bug] Fixed an INSIST in dispatch.c [RT #20576] 2839 28402788. [bug] dnssec-signzone could sign with keys that were 2841 not requested [RT #20625] 2842 28432787. [bug] Spurious log message when zone keys were 2844 dynamically reconfigured. [RT #20659] 2845 28462786. [bug] Additional could be promoted to answer. [RT #20663] 2847 2848 --- 9.7.0b3 released --- 2849 28502785. [bug] Revoked keys could fail to self-sign [RT #20652] 2851 28522784. [bug] TC was not always being set when required glue was 2853 dropped. [RT #20655] 2854 28552783. [func] Return minimal responses to EDNS/UDP queries with a UDP 2856 buffer size of 512 or less. [RT #20654] 2857 28582782. [port] win32: use getaddrinfo() for hostname lookups. 2859 [RT #20650] 2860 28612781. [bug] Inactive keys could be used for signing. [RT #20649] 2862 28632780. [bug] dnssec-keygen -A none didn't properly unset the 2864 activation date in all cases. [RT #20648] 2865 28662779. [bug] Dynamic key revocation could fail. [RT #20644] 2867 28682778. [bug] dnssec-signzone could fail when a key was revoked 2869 without deleting the unrevoked version. [RT #20638] 2870 28712777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 2872 28732776. [bug] Change #2762 was not correct. [RT #20647] 2874 28752775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible 2876 in dnssec-keyfromlabel. [RT #20643] 2877 28782774. [bug] Existing cache DB wasn't being reused after 2879 reconfiguration. [RT #20629] 2880 28812773. [bug] In autosigned zones, the SOA could be signed 2882 with the KSK. [RT #20628] 2883 28842772. 
[security] When validating, track whether pending data was from 2885 the additional section or not and only return it if 2886 validates as secure. [RT #20438] 2887 28882771. [bug] dnssec-signzone: DNSKEY records could be 2889 corrupted when importing from key files [RT #20624] 2890 28912770. [cleanup] Add log messages to resolver.c to indicate events 2892 causing FORMERR responses. [RT #20526] 2893 28942769. [cleanup] Change #2742 was incomplete. [RT #19589] 2895 28962768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568] 2897 28982767. [bug] named could crash on startup if a zone was 2899 configured with auto-dnssec and there was no 2900 key-directory. [RT #20615] 2901 29022766. [bug] isc_socket_fdwatchpoke() should only update the 2903 socketmgr state if the socket is not pending on a 2904 read or write. [RT #20603] 2905 29062765. [bug] Skip masters for which the TSIG key cannot be found. 2907 [RT #20595] 2908 29092764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610] 2910 29112763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591] 2912 29132762. [bug] DLV validation failed with a local slave DLV zone. 2914 [RT #20577] 2915 29162761. [cleanup] Enable internal symbol table for backtrace only for 2917 systems that are known to work. Currently, BSD 2918 variants, Linux and Solaris are supported. [RT# 20202] 2919 29202760. [cleanup] Corrected named-compilezone usage summary. [RT #20533] 2921 29222759. [doc] Add information about .jbk/.jnw files to 2923 the ARM. [RT #20303] 2924 29252758. [bug] win32: Added a workaround for a windows 2008 bug 2926 that could cause the UDP client handler to shut 2927 down. [RT #19176] 2928 29292757. [bug] dig: assertion failure could occur in connect 2930 timeout. [RT #20599] 2931 29322756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597] 2933 29342755. [placeholder] 2935 29362754. [bug] Secure-to-insecure transitions failed when zone 2937 was signed with NSEC3. [RT #20587] 2938 29392753. 
[bug] Removed an unnecessary warning that could appear when 2940 building an NSEC chain. [RT #20589] 2941 29422752. [bug] Locking violation. [RT #20587] 2943 29442751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588] 2945 29462750. [bug] dig: assertion failure could occur when a server 2947 didn't have an address. [RT #20579] 2948 29492749. [bug] ixfr-from-differences generated a non-minimal ixfr 2950 for NSEC3 signed zones. [RT #20452] 2951 29522748. [func] Identify bad answers from GTLD servers and treat them 2953 as referrals. [RT #18884] 2954 29552747. [bug] Journal roll forwards failed to set the re-signing 2956 time of RRSIGs correctly. [RT #20541] 2957 29582746. [port] hpux: address signed/unsigned expansion mismatch of 2959 dns_rbtnode_t.nsec. [RT #20542] 2960 29612745. [bug] configure script didn't probe the return type of 2962 gai_strerror(3) correctly. [RT #20573] 2963 29642744. [func] Log if a query was over TCP. [RT #19961] 2965 29662743. [bug] RRSIG could be incorrectly set in the NSEC3 record 2967 for a insecure delegation. 2968 2969 --- 9.7.0b2 released --- 2970 29712742. [cleanup] Clarify some DNSSEC-related log messages in 2972 validator.c. [RT #19589] 2973 29742741. [func] Allow the dnssec-keygen progress messages to be 2975 suppressed (dnssec-keygen -q). Automatically 2976 suppress the progress messages when stdin is not 2977 a tty. [RT #20474] 2978 29792740. [placeholder] 2980 29812739. [cleanup] Clean up API for initializing and clearing trust 2982 anchors for a view. [RT #20211] 2983 29842738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system 2985 test. [RT #20453] 2986 29872737. [func] UPDATE requests can leak existence information. 2988 [RT #17261] 2989 29902736. [func] Improve the performance of NSEC signed zones with 2991 more than a normal amount of glue below a delegation. 2992 [RT #20191] 2993 29942735. 
[bug] dnssec-signzone could fail to read keys 2995 that were specified on the command line with 2996 full paths, but weren't in the current 2997 directory. [RT #20421] 2998 29992734. [port] cygwin: arpaname did not compile. [RT #20473] 3000 30012733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355] 3002 30032732. [func] Add optional filter-aaaa-on-v4 option, available 3004 if built with './configure --enable-filter-aaaa'. 3005 Filters out AAAA answers to clients connecting 3006 via IPv4. (This is NOT recommended for general 3007 use.) [RT #20339] 3008 30092731. [func] Additional work on change 2709. The key parser 3010 will now ignore unrecognized fields when the 3011 minor version number of the private key format 3012 has been increased. It will reject any key with 3013 the major version number increased. [RT #20310] 3014 30152730. [func] Have dnssec-keygen display a progress indication 3016 a la 'openssl genrsa' on standard error. Note 3017 when the first '.' is followed by a long stop 3018 one has the choice between slow generation vs. 3019 poor random quality, i.e., '-r /dev/urandom'. 3020 [RT #20284] 3021 30222729. [func] When constructing a CNAME from a DNAME use the DNAME 3023 TTL. [RT #20451] 3024 30252728. [bug] dnssec-keygen, dnssec-keyfromlabel and 3026 dnssec-signzone now warn immediately if asked to 3027 write into a nonexistent directory. [RT #20278] 3028 30292727. [func] The 'key-directory' option can now specify a relative 3030 path. [RT #20154] 3031 30322726. [func] Added support for SHA-2 DNSSEC algorithms, 3033 RSASHA256 and RSASHA512. [RT #20023] 3034 30352725. [doc] Added information about the file "managed-keys.bind" 3036 to the ARM. [RT #20235] 3037 30382724. [bug] Updates to a existing node in secure zone using NSEC 3039 were failing. [RT #20448] 3040 30412723. [bug] isc_base32_totext(), isc_base32hex_totext(), and 3042 isc_base64_totext(), didn't always mark regions of 3043 memory as fully consumed after conversion. 
[RT #20445] 3044 30452722. [bug] Ensure that the memory associated with the name of 3046 a node in a rbt tree is not altered during the life 3047 of the node. [RT #20431] 3048 30492721. [port] Have dst__entropy_status() prime the random number 3050 generator. [RT #20369] 3051 30522720. [bug] RFC 5011 trust anchor updates could trigger an 3053 assert if the DNSKEY record was unsigned. [RT #20406] 3054 30552719. [func] Skip trusted/managed keys for unsupported algorithms. 3056 [RT #20392] 3057 30582718. [bug] The space calculations in opensslrsa_todns() were 3059 incorrect. [RT #20394] 3060 30612717. [bug] named failed to update the NSEC/NSEC3 record when 3062 the last private type record was removed as a result 3063 of completing the signing the zone with a key. 3064 [RT #20399] 3065 30662716. [bug] nslookup debug mode didn't return the ttl. [RT #20414] 3067 3068 --- 9.7.0b1 released --- 3069 30702715. [bug] Require OpenSSL support to be explicitly disabled. 3071 [RT #20288] 3072 30732714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler 3074 flags. 3075 30762713. [bug] powerpc: atomic operations missing asm("ics") / 3077 __isync() calls. 3078 30792712. [func] New 'auto-dnssec' zone option allows zone signing 3080 to be fully automated in zones configured for 3081 dynamic DNS. 'auto-dnssec allow;' permits a zone 3082 to be signed by creating keys for it in the 3083 key-directory and using 'rndc sign <zone>'. 3084 'auto-dnssec maintain;' allows that too, plus it 3085 also keeps the zone's DNSSEC keys up to date 3086 according to their timing metadata. [RT #19943] 3087 30882711. [port] win32: Add the bin/pkcs11 tools into the full 3089 build. [RT #20372] 3090 30912710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only' 3092 zone option cause a zone to be signed with only KSKs 3093 signing the DNSKEY RRset, not ZSKs. This reduces 3094 the size of a DNSKEY answer. [RT #20340] 3095 30962709. 
[func] Added some data fields, currently unused, to the 3097 private key file format, to allow implementation 3098 of explicit key rollover in a future release 3099 without impairing backward or forward compatibility. 3100 [RT #20310] 3101 31022708. [func] Insecure to secure and NSEC3 parameter changes via 3103 update are now fully supported and no longer require 3104 defines to enable. We now no longer overload the 3105 NSEC3PARAM flag field, nor the NSEC OPT bit at the 3106 apex. Secure to insecure changes are controlled by 3107 by the named.conf option 'secure-to-insecure'. 3108 3109 Warning: If you had previously enabled support by 3110 adding defines at compile time to BIND 9.6 you should 3111 ensure that all changes that are in progress have 3112 completed prior to upgrading to BIND 9.7. BIND 9.7 3113 is not backwards compatible. 3114 31152707. [func] dnssec-keyfromlabel no longer require engine name 3116 to be specified in the label if there is a default 3117 engine or the -E option has been used. Also, it 3118 now uses default algorithms as dnssec-keygen does 3119 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). 3120 [RT #20371] 3121 31222706. [bug] Loading a zone with a very large NSEC3 salt could 3123 trigger an assert. [RT #20368] 3124 31252705. [placeholder] 3126 31272704. [bug] Serial of dynamic and stub zones could be inconsistent 3128 with their SOA serial. [RT #19387] 3129 31302703. [func] Introduce an OpenSSL "engine" argument with -E 3131 for all binaries which can take benefit of 3132 crypto hardware. [RT #20230] 3133 31342702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all] 3135 31362701. [doc] Correction to ARM: hmac-md5 is no longer the only 3137 supported TSIG key algorithm. [RT #18046] 3138 31392700. [doc] The match-mapped-addresses option is discouraged. 3140 [RT #12252] 3141 31422699. [bug] Missing lock in rbtdb.c. [RT #20037] 3143 31442698. [placeholder] 3145 31462697. 
[port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and 3147 S_IFREG are defined after including <isc/stat.h>. 3148 [RT #20309] 3149 31502696. [bug] named failed to successfully process some valid 3151 acl constructs. [RT #20308] 3152 31532695. [func] DHCP/DDNS - update fdwatch code for use by 3154 DHCP. Modify the api to isc_sockfdwatch_t (the 3155 callback function for isc_socket_fdwatchcreate) 3156 to include information about the direction (read 3157 or write) and add isc_socket_fdwatchpoke. 3158 [RT #20253] 3159 31602694. [bug] Reduce default NSEC3 iterations from 100 to 10. 3161 [RT #19970] 3162 31632693. [port] Add some noreturn attributes. [RT #20257] 3164 31652692. [port] win32: 32/64 bit cleanups. [RT #20335] 3166 31672691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 3168 chain when re-signing a previously-signed zone. 3169 Use -u to modify NSEC3 parameters or switch 3170 between NSEC and NSEC3. [RT #20304] 3171 31722690. [bug] win32: fix isc_thread_key_getspecific() prototype. 3173 [RT #20315] 3174 31752689. [bug] Correctly handle snprintf result. [RT #20306] 3176 31772688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, 3178 to decide to fetch the destination address. [RT #20305] 3179 31802687. [bug] Fixed dnssec-signzone -S handling of revoked keys. 3181 Also, added warnings when revoking a ZSK, as this is 3182 not defined by protocol (but is legal). [RT #19943] 3183 31842686. [bug] dnssec-signzone should clean the old NSEC chain when 3185 signing with NSEC3 and vice versa. [RT #20301] 3186 31872685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054] 3188 31892684. [cleanup] dig: formalize +ad and +cd as synonyms for 3190 +adflag and +cdflag. [RT #19305] 3191 31922683. [bug] dnssec-signzone should clean out old NSEC3 chains when 3193 the NSEC3 parameters used to sign the zone change. 3194 [RT #20246] 3195 31962682. [bug] "configure --enable-symtable=all" failed to 3197 build. [RT #20282] 3198 31992681. 
[bug] IPSECKEY RR of gateway type 3 was not correctly 3200 decoded. [RT #20269] 3201 32022680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067] 3203 32042679. [func] dig -k can now accept TSIG keys in named.conf 3205 format. [RT #20031] 3206 32072678. [func] Treat DS queries as if "minimal-response yes;" 3208 was set. [RT #20258] 3209 32102677. [func] Changes to key metadata behavior: 3211 - Keys without "publish" or "active" dates set will 3212 no longer be used for smart signing. However, 3213 those dates will be set to "now" by default when 3214 a key is created; to generate a key but not use 3215 it yet, use dnssec-keygen -G. 3216 - New "inactive" date (dnssec-keygen/settime -I) 3217 sets the time when a key is no longer used for 3218 signing but is still published. 3219 - The "unpublished" date (-U) is deprecated in 3220 favor of "deleted" (-D). 3221 [RT #20247] 3222 32232676. [bug] --with-export-installdir should have been 3224 --with-export-includedir. [RT #20252] 3225 32262675. [bug] dnssec-signzone could crash if the key directory 3227 did not exist. [RT #20232] 3228 3229 --- 9.7.0a3 released --- 3230 32312674. [bug] "dnssec-lookaside auto;" crashed if named was built 3232 without openssl. [RT #20231] 3233 32342673. [bug] The managed-keys.bind zone file could fail to 3235 load due to a spurious result from sync_keyzone() 3236 [RT #20045] 3237 32382672. [bug] Don't enable searching in 'host' when doing reverse 3239 lookups. [RT #20218] 3240 32412671. [bug] Add support for PKCS#11 providers not returning 3242 the public exponent in RSA private keys 3243 (OpenCryptoki for instance) in 3244 dnssec-keyfromlabel. [RT #19294] 3245 32462670. [bug] Unexpected connect failures failed to log enough 3247 information to be useful. [RT #20205] 3248 32492669. [func] Update PKCS#11 support to support Keyper HSM. 3250 Update PKCS#11 patch to be against openssl-0.9.8i. 3251 32522668. 
[func] Several improvements to dnssec-* tools, including: 3253 - dnssec-keygen and dnssec-settime can now set key 3254 metadata fields 0 (to unset a value, use "none") 3255 - dnssec-revoke sets the revocation date in 3256 addition to the revoke bit 3257 - dnssec-settime can now print individual metadata 3258 fields instead of always printing all of them, 3259 and can print them in unix epoch time format for 3260 use by scripts 3261 [RT #19942] 3262 32632667. [func] Add support for logging stack backtrace on assertion 3264 failure (not available for all platforms). [RT #19780] 3265 32662666. [func] Added an 'options' argument to dns_name_fromstring() 3267 (API change from 9.7.0a2). [RT #20196] 3268 32692665. [func] Clarify syntax for managed-keys {} statement, add 3270 ARM documentation about RFC 5011 support. [RT #19874] 3271 32722664. [bug] create_keydata() and minimal_update() in zone.c 3273 didn't properly check return values for some 3274 functions. [RT #19956] 3275 32762663. [func] win32: allow named to run as a service using 3277 "NT AUTHORITY\LocalService" as the account. [RT #19977] 3278 32792662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() 3280 returned a misleading error code when lwresd was 3281 down. [RT #20028] 3282 32832661. [bug] Check whether socket fd exceeds FD_SETSIZE when 3284 creating lwres context. [RT #20029] 3285 32862660. [func] Add a new set of DNS libraries for non-BIND9 3287 applications. See README.libdns. [RT #19369] 3288 32892659. [doc] Clarify dnssec-keygen doc: key name must match zone 3290 name for DNSSEC keys. [RT #19938] 3291 32922658. [bug] dnssec-settime and dnssec-revoke didn't process 3293 key file paths correctly. [RT #20078] 3294 32952657. [cleanup] Lower "journal file <path> does not exist, creating it" 3296 log level to debug 1. [RT #20058] 3297 32982656. [func] win32: add a "tools only" check box to the installer 3299 which causes it to only install dig, host, nslookup, 3300 nsupdate and relevant DLLs. 
[RT #19998] 3301 33022655. [doc] Document that key-directory does not affect 3303 bind.keys, rndc.key or session.key. [RT #20155] 3304 33052654. [bug] Improve error reporting on duplicated names for 3306 deny-answer-xxx. [RT #20164] 3307 33082653. [bug] Treat ENGINE_load_private_key() failures as key 3309 not found rather than out of memory. [RT #18033] 3310 33112652. [func] Provide more detail about what record is being 3312 deleted. [RT #20061] 3313 33142651. [bug] Dates could print incorrectly in K*.key files on 3315 64-bit systems. [RT #20076] 3316 33172650. [bug] Assertion failure in dnssec-signzone when trying 3318 to read keyset-* files. [RT #20075] 3319 33202649. [bug] Set the domain for forward only zones. [RT #19944] 3321 33222648. [port] win32: isc_time_seconds() was broken. [RT #19900] 3323 33242647. [bug] Remove unnecessary SOA updates when a new KSK is 3325 added. [RT #19913] 3326 33272646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 3328 33292645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms 3330 which default to 64 bits. [RT #19927] 3331 3332 --- 9.7.0a2 released --- 3333 33342644. [bug] Change #2628 caused a regression on some systems; 3335 named was unable to write the PID file and would 3336 fail on startup. [RT #20001] 3337 33382643. [bug] Stub zones interacted badly with NSEC3 support. 3339 [RT #19777] 3340 33412642. [bug] nsupdate could dump core on solaris when reading 3342 improperly formatted key files. [RT #20015] 3343 33442641. [bug] Fixed an error in parsing update-policy syntax, 3345 added a regression test to check it. [RT #20007] 3346 33472640. [security] A specially crafted update packet will cause named 3348 to exit. [RT #20000] 3349 33502639. [bug] Silence compiler warnings in gssapi code. [RT #19954] 3351 33522638. [bug] Install arpaname. [RT #19957] 3353 33542637. [func] Rationalize dnssec-signzone's signwithkey() calling. 3355 [RT #19959] 3356 33572636. 
[func] Simplify zone signing and key maintenance with the 3358 dnssec-* tools. Major changes: 3359 - all dnssec-* tools now take a -K option to 3360 specify a directory in which key files will be 3361 stored 3362 - DNSSEC can now store metadata indicating when 3363 they are scheduled to be published, activated, 3364 revoked or removed; these values can be set by 3365 dnssec-keygen or overwritten by the new 3366 dnssec-settime command 3367 - dnssec-signzone -S (for "smart") option reads key 3368 metadata and uses it to determine automatically 3369 which keys to publish to the zone, use for 3370 signing, revoke, or remove from the zone 3371 [RT #19816] 3372 33732635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. 3374 [RT #19716] 3375 33762634. [port] win32: Add support for libxml2, enable 3377 statschannel. [RT #19773] 3378 33792633. [bug] Handle 15 bit rand() functions. [RT #19783] 3380 33812632. [func] util/kit.sh: warn if documentation appears to be out of 3382 date. [RT #19922] 3383 33842631. [bug] Handle "//", "/./" and "/../" in mkdirpath(). 3385 [RT #19926 ] 3386 33872630. [func] Improved syntax for DDNS autoconfiguration: use 3388 "update-policy local;" to switch on local DDNS in a 3389 zone. (The "ddns-autoconf" option has been removed.) 3390 [RT #19875] 3391 33922629. [port] Check for seteuid()/setegid(), use setresuid()/ 3393 setresgid() if not present. [RT #19932] 3394 33952628. [port] linux: Allow /var/run/named/named.pid to be opened 3396 at startup with reduced capabilities in operation. 3397 [RT #19884] 3398 33992627. [bug] Named aborted if the same key was included in 3400 trusted-keys more than once. [RT #19918] 3401 34022626. [bug] Multiple trusted-keys could trigger an assertion 3403 failure. [RT #19914] 3404 34052625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865] 3406 34072624. [func] 'named-checkconf -p' will print out the parsed 3408 configuration. [RT #18871] 3409 34102623. [bug] Named started searches for DS non-optimally. 
[RT #19915] 3411 34122622. [bug] Printing of named.conf grammar was broken. [RT #19919] 3413 34142621. [doc] Made copyright boilerplate consistent. [RT #19833] 3415 34162620. [bug] Delay thawing the zone until the reload of it has 3417 completed successfully. [RT #19750] 3418 34192619. [func] Add support for RFC 5011, automatic trust anchor 3420 maintenance. The new "managed-keys" statement can 3421 be used in place of "trusted-keys" for zones which 3422 support this protocol. (Note: this syntax is 3423 expected to change prior to 9.7.0 final.) [RT #19248] 3424 34252618. [bug] The sdb and sdlz db_interator_seek() methods could 3426 loop infinitely. [RT #19847] 3427 34282617. [bug] ifconfig.sh failed to emit an error message when 3429 run from the wrong location. [RT #19375] 3430 34312616. [bug] 'host' used the nameservers from resolv.conf even 3432 when a explicit nameserver was specified. [RT #19852] 3433 34342615. [bug] "__attribute__((unused))" was in the wrong place 3435 for ia64 gcc builds. [RT #19854] 3436 34372614. [port] win32: 'named -v' should automatically be executed 3438 in the foreground. [RT #19844] 3439 34402613. [placeholder] 3441 3442 --- 9.7.0a1 released --- 3443 34442612. [func] Add default values for the arguments to 3445 dnssec-keygen. Without arguments, it will now 3446 generate a 1024-bit RSASHA1 zone-signing key, 3447 or with the -f KSK option, a 2048-bit RSASHA1 3448 key-signing key. [RT #19300] 3449 34502611. [func] Add -l option to dnssec-dsfromkey to generate 3451 DLV records instead of DS records. [RT #19300] 3452 34532610. [port] sunos: Change #2363 was not complete. [RT #19796] 3454 34552609. 
[func] Simplify the configuration of dynamic zones: 3456 - add ddns-confgen command to generate 3457 configuration text for named.conf 3458 - add zone option "ddns-autoconf yes;", which 3459 causes named to generate a TSIG session key 3460 and allow updates to the zone using that key 3461 - add '-l' (localhost) option to nsupdate, which 3462 causes nsupdate to connect to a locally-running 3463 named process using the session key generated 3464 by named 3465 [RT #19284] 3466 34672608. [func] Perform post signing verification checks in 3468 dnssec-signzone. These can be disabled with -P. 3469 3470 The post sign verification test ensures that for each 3471 algorithm in use there is at least one non revoked 3472 self signed KSK key. That all revoked KSK keys are 3473 self signed. That all records in the zone are signed 3474 by the algorithm. [RT #19653] 3475 34762607. [bug] named could incorrectly delete NSEC3 records for 3477 empty nodes when processing a update request. 3478 [RT #19749] 3479 34802606. [bug] "delegation-only" was not being accepted in 3481 delegation-only type zones. [RT #19717] 3482 34832605. [bug] Accept DS responses from delegation only zones. 3484 [RT # 19296] 3485 34862604. [func] Add support for DNS rebinding attack prevention through 3487 new options, deny-answer-addresses and 3488 deny-answer-aliases. Based on contributed code from 3489 JD Nurmi, Google. [RT #18192] 3490 34912603. [port] win32: handle .exe extension of named-checkzone and 3492 named-comilezone argv[0] names under windows. 3493 [RT #19767] 3494 34952602. [port] win32: fix debugging command line build of libisccfg. 3496 [RT #19767] 3497 34982601. [doc] Mention file creation mode mask in the 3499 named manual page. 3500 35012600. [doc] ARM: miscellaneous reformatting for different 3502 page widths. [RT #19574] 3503 35042599. [bug] Address rapid memory growth when validation fails. 3505 [RT #19654] 3506 35072598. [func] Reserve the -F flag. [RT #19657] 3508 35092597. 
        [bug]           Handle a validation failure with an insecure delegation
                        from an NSEC3 signed master/slave zone. [RT #19464]

2596.   [bug]           Stale tree nodes of cache/dynamic rbtdb could stay
                        long, leading to inefficient memory usage or rejecting
                        newer cache entries in the worst case. [RT #19563]

2595.   [bug]           Fix unknown extended rcodes in dig. [RT #19625]

2594.   [func]          Have rndc warn if using its default configuration
                        file when the key file also exists. [RT #19424]

2593.   [bug]           Improve a corner source of SERVFAILs [RT #19632]

2592.   [bug]           Treat "any" as a type in nsupdate. [RT #19455]

2591.   [bug]           named could die when processing an update in
                        removed_orphaned_ds(). [RT #19507]

2590.   [func]          Report zone/class of "update with no effect".
                        [RT #19542]

2589.   [bug]           dns_db_unregister() failed to clear '*dbimp'.
                        [RT #19626]

2588.   [bug]           SO_REUSEADDR could be set unconditionally after failure
                        of bind(2) call. This should be rare and mostly
                        harmless, but may cause interference with other
                        processes that happen to use the same port. [RT #19642]

2587.   [func]          Improve logging by reporting serial numbers for
                        when zone serial has gone backwards or unchanged.
                        [RT #19506]

2586.   [bug]           Missing cleanup of SIG rdataset in searching a DLZ DB
                        or SDB. [RT #19577]

2585.   [bug]           Uninitialized socket name could be referenced via a
                        statistics channel, triggering an assertion failure in
                        XML rendering. [RT #19427]

2584.   [bug]           alpha: gcc optimization could break atomic operations.
                        [RT #19227]

2583.   [port]          netbsd: provide a control to not add the compile
                        date to the version string, -DNO_VERSION_DATE.

2582.   [bug]           Don't emit warning log message when we attempt to
                        remove non-existent journal. [RT #19516]

2581.   [contrib]       dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
                        Requires MySQL 5.0.19 or later. [RT #19084]

2580.   [bug]           UpdateRej statistics counter could be incremented twice
                        for one rejection. [RT #19476]

2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
                        algorithms. [RT #19479]

2578.   [bug]           Changed default sig-signing-type to 65534, because
                        65535 turns out to be reserved. [RT #19477]

2577.   [doc]           Clarified some statistics counters. [RT #19454]

2576.   [bug]           NSEC records were not being correctly signed when
                        a zone transitions from insecure to secure.
                        Handle such incorrectly signed zones. [RT #19114]

2575.   [func]          New functions dns_name_fromstring() and
                        dns_name_tostring(), to simplify conversion
                        of a string to a dns_name structure and vice
                        versa. [RT #19451]

2574.   [doc]           Document nsupdate -g and -o. [RT #19351]

2573.   [bug]           Replacing a non-CNAME record with a CNAME record in a
                        single transaction in a signed zone failed. [RT #19397]

2572.   [func]          Simplify DLV configuration, with a new option
                        "dnssec-lookaside auto;" This is the equivalent
                        of "dnssec-lookaside . trust-anchor dlv.isc.org;"
                        plus setting a trusted-key for dlv.isc.org.

                        Note: The trusted key is hard-coded into named,
                        but is also stored in (and can be overridden
                        by) $sysconfdir/bind.keys. As the ISC DLV key
                        rolls over it can be kept up to date by replacing
                        the bind.keys file with a key downloaded from
                        https://www.isc.org/solutions/dlv. [RT #18685]

2571.   [func]          Add a new tool "arpaname" which translates IP addresses
                        to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
                        [RT #18976]

2570.   [func]          Log the destination address the query was sent to.
                        [RT #19209]

2569.   [func]          Move journalprint, nsec3hash, and genrandom
                        commands from bin/tests into bin/tools;
                        "make install" will put them in $sbindir. [RT #19301]

2568.   [bug]           Report when the write to indicate an otherwise
                        successful start fails. [RT #19360]

2567.   [bug]           dst__privstruct_writefile() could miss write errors.
                        write_public_key() could miss write errors.
                        dnssec-dsfromkey could miss write errors.
                        [RT #19360]

2566.   [cleanup]       Clarify logged message when an insecure DNSSEC
                        response arrives from a zone thought to be secure:
                        "insecurity proof failed" instead of "not
                        insecure". [RT #19400]

2565.   [func]          Add support for HIP record. Includes new functions
                        dns_rdata_hip_first(), dns_rdata_hip_next()
                        and dns_rdata_hip_current(). [RT #19384]

2564.   [bug]           Only take EDNS fallback steps when processing timeouts.
                        [RT #19405]

2563.   [bug]           Dig could leak a socket causing it to wait forever
                        to exit. [RT #19359]

2562.   [doc]           ARM: miscellaneous improvements, reorganization,
                        and some new content.

2561.   [doc]           Add isc-config.sh(1) man page. [RT #16378]

2560.   [bug]           Add #include <config.h> to iptable.c. [RT #18258]

2559.   [bug]           dnssec-dsfromkey could compute bad DS records when
                        reading from K* files. [RT #19357]

2558.   [func]          Set the ownership of missing directories created
                        for pid-file if -u has been specified on the command
                        line. [RT #19328]

2557.   [cleanup]       PCI compliance:
                        * new libisc log module file
                        * isc_dir_chroot() now also changes the working
                          directory to "/".
                        * additional INSISTs
                        * additional logging when files can't be removed.

2556.   [port]          Solaris: mkdir(2) on tmpfs filesystems does not do the
                        error checks in the correct order resulting in the
                        wrong error code sometimes being returned. [RT #19249]

2555.   [func]          dig: when emitting a hex dump also display the
                        corresponding characters. [RT #19258]

2554.   [bug]           Validation of uppercase queries from NSEC3 zones could
                        fail. [RT #19297]

2553.   [bug]           Reference leak on DNSSEC validation errors. [RT #19291]

2552.   [bug]           zero-no-soa-ttl-cache was not being honored.
                        [RT #19340]

2551.   [bug]           Potential Reference leak on return. [RT #19341]

2550.   [bug]           Check --with-openssl=<path> finds <openssl/opensslv.h>.
                        [RT #19343]

2549.   [port]          linux: define NR_OPEN if not currently defined.
                        [RT #19344]

2548.   [bug]           Install iterated_hash.h. [RT #19335]

2547.   [bug]           openssl_link.c:mem_realloc() could reference an
                        out-of-range area of the source buffer. New public
                        function isc_mem_reallocate() was introduced to address
                        this bug. [RT #19313]

2546.   [func]          Add --enable-openssl-hash configure flag to use
                        OpenSSL (in place of internal routine) for hash
                        functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.   [doc]           ARM: Legal hostname checking (check-names) is
                        for SRV RDATA too. [RT #19304]

2544.   [cleanup]       Removed unused structure members in adb.c. [RT #19225]

2543.   [contrib]       Update contrib/zkt to version 0.98. [RT #19113]

2542.   [doc]           Update the description of dig +adflag. [RT #19290]

2541.   [bug]           Conditionally update dispatch manager statistics.
                        [RT #19247]

2540.   [func]          Add a nibble mode to $GENERATE. [RT #18872]

2539.   [security]      Update the interaction between recursion, allow-query,
                        allow-query-cache and allow-recursion. [RT #19198]

2538.   [bug]           cache/ADB memory could grow over max-cache-size,
                        especially with threads and smaller max-cache-size
                        values. [RT #19240]

2537.   [func]          Added more statistics counters including those on socket
                        I/O events and query RTT histograms. [RT #18802]

2536.   [cleanup]       Silence some warnings when -Werror=format-security is
                        specified. [RT #19083]

2535.   [bug]           dig +showsearch and +trace interacted badly. [RT #19091]

2534.   [func]          Check NAPTR records regular expressions and
                        replacement strings to ensure they are syntactically
                        valid and consistent. [RT #18168]

2533.   [doc]           ARM: document @ (at-sign). [RT #17144]

2532.   [bug]           dig: check the question section of the response to
                        see if it matches the asked question. [RT #18495]

2531.   [bug]           Change #2207 was incomplete. [RT #19098]

2530.   [bug]           named failed to reject insecure to secure transitions
                        via UPDATE. [RT #19101]

2529.   [cleanup]       Upgrade libtool to silence complaints from recent
                        version of autoconf. [RT #18657]

2528.   [cleanup]       Silence spurious configure warning about
                        --datarootdir [RT #19096]

2527.   [placeholder]

2526.   [func]          New named option "attach-cache" that allows multiple
                        views to share a single cache to save memory and
                        improve lookup efficiency. Based on contributed code
                        from Barclay Osborn, Google. [RT #18905]

2525.   [func]          New logging category "query-errors" to provide detailed
                        internal information about query failures, especially
                        about server failures. [RT #19027]

2524.   [port]          sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.   [bug]           Random type rdata freed by dns_nsec_typepresent().
                        [RT #19112]

2522.   [security]      Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.   [bug]           Improve epoll cross compilation support. [RT #19047]

2520.   [bug]           Update xml statistics version number to 2.0 as change
                        #2388 made the schema incompatible to the previous
                        version. [RT #19080]

2519.   [bug]           dig/host with -4 or -6 didn't work if more than two
                        nameserver addresses of the excluded address family
                        preceded in resolv.conf. [RT #19081]

2518.   [func]          Add support for the new CERT types from RFC 4398.
                        [RT #19077]

2517.   [bug]           dig +trace with -4 or -6 failed when it chose a
                        nameserver address of the excluded address type.
                        [RT #18843]

2516.   [bug]           glue sort for responses was performed even when not
                        needed. [RT #19039]

2515.   [port]          win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
                        [RT #19063]

2514.   [bug]           dig/host failed with -4 or -6 when resolv.conf contains
                        a nameserver of the excluded address family.
                        [RT #18848]

2513.   [bug]           Fix windows cli build. [RT #19062]

2512.   [func]          Print a summary of the cached records which make up
                        the negative response. [RT #18885]

2511.   [cleanup]       dns_rdata_tofmttext() add const to linebreak.
                        [RT #18885]

2510.   [bug]           "dig +sigchase" could trigger REQUIRE failures.
                        [RT #19033]

2509.   [bug]           Specifying a fixed query source port was broken.
                        [RT #19051]

2508.   [placeholder]

2507.   [func]          Log the recursion quota values when killing the
                        oldest query or refusing to recurse due to quota.
                        [RT #19022]

2506.   [port]          solaris: Check at configure time if
                        hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.   [port]          Treat amd64 similarly to x86_64 when determining
                        atomic operation support. [RT #19031]

2504.   [bug]           Address race condition in the socket code. [RT #18899]

2503.   [port]          linux: improve compatibility with Linux Standard
                        Base. [RT #18793]

2502.   [cleanup]       isc_radix: Improve compliance with coding style,
                        document function in <isc/radix.h>. [RT #18534]

2501.   [func]          $GENERATE now supports all rdata types. Multi-field
                        rdata types need to be quoted. See the ARM for
                        details. [RT #18368]

2500.   [contrib]       contrib/sdb/pgsql/zonetodb.c called non-existent
                        function. [RT #18582]

2499.   [port]          solaris: lib/lwres/getaddrinfo.c namespace clash.
                        [RT #18837]

        --- 9.6.0rc1 released ---

2498.   [bug]           Removed a bogus function argument used with
                        ISC_SOCKET_USE_POLLWATCH: it could cause compiler
                        warning or crash named with the debug 1 level
                        of logging. [RT #18917]

2497.   [bug]           Don't add RRSIG bit to NSEC3 bit map for insecure
                        delegation.

2496.   [bug]           Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]           Tighten RRSIG checks. [RT #18795]

2494.   [bug]           isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
                        installed. [RT #18826]

2493.   [bug]           The linux capabilities code was not correctly cleaning
                        up after itself. [RT #18767]

2492.   [func]          Rndc status now reports the number of cpus discovered
                        and the number of worker threads when running
                        multi-threaded. [RT #18273]

2491.   [func]          Attempt to re-use a local port if we are already using
                        the port. [RT #18548]

2490.   [port]          aix: work around a kernel bug where IPV6_RECVPKTINFO
                        is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]          solaris: Workaround Solaris's kernel bug about
                        /dev/poll:
                        http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
                        Define ISC_SOCKET_USE_POLLWATCH at build time to enable
                        this workaround. [RT #18870]

2488.   [func]          Added a tool, dnssec-dsfromkey, to generate DS records
                        from keyset and .key files. [RT #18694]

2487.   [bug]           Give TCP connections longer to complete. [RT #18675]

2486.   [func]          The default locations for named.pid and lwresd.pid
                        are now /var/run/named/named.pid and
                        /var/run/lwresd/lwresd.pid respectively.

                        This allows the owner of the containing directory
                        to be set, for "named -u" support, and allows there
                        to be a permanent symbolic link in the path, for
                        "named -t" support. [RT #18306]

2485.   [bug]           Change update's handling of obscured RRSIG
                        records. Not all orphaned DS records were being
                        removed. [RT #18828]

2484.   [bug]           It was possible to trigger a REQUIRE failure when
                        adding NSEC3 proofs to the response in
                        query_addwildcardproof(). [RT #18828]

2483.   [port]          win32: chroot() is not supported. [RT #18805]

2482.   [port]          libxml2: support versions 2.7.* in addition
                        to 2.6.*. [RT #18806]

        --- 9.6.0b1 released ---

2481.   [bug]           rbtdb.c:matchparams() failed to handle NSEC3 chain
                        collisions. [RT #18812]

2480.   [bug]           named could fail to emit all the required NSEC3
                        records. [RT #18812]

2479.   [bug]           xfrout:covers was not properly initialized. [RT #18801]

2478.   [bug]           'addresses' could be used uninitialized in
                        configure_forward(). [RT #18800]

2477.   [bug]           dig: the global option to print the command line is
                        +cmd not print_cmd. Update the output to reflect
                        this. [RT #17008]

2476.   [doc]           ARM: improve documentation for max-journal-size and
                        ixfr-from-differences. [RT #15909] [RT #18541]

2475.   [bug]           LRU cache cleanup under overmem condition could purge
                        particular entries more aggressively. [RT #17628]

2474.   [bug]           ACL structures could be allocated with insufficient
                        space, causing an array overrun. [RT #18765]

2473.   [port]          linux: raise the limit on open files to the possible
                        maximum value before spawning threads; 'files'
                        specified in named.conf doesn't seem to work with
                        threads as expected. [RT #18784]

2472.   [port]          linux: check the number of available cpu's before
                        calling chroot as it depends on "/proc". [RT #16923]

2471.   [bug]           named-checkzone was not reporting missing mandatory
                        glue when sibling checks were disabled. [RT #18768]

2470.   [bug]           Elements of the isc_radix_node_t could be incorrectly
                        overwritten. [RT #18719]

2469.   [port]          solaris: Work around Solaris's select() limitations.
                        [RT #18769]

2468.   [bug]           Resolver could try unreachable servers multiple times.
                        [RT #18739]

2467.   [bug]           Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.   [doc]           ARM: explain max-cache-ttl 0 SERVFAIL issue.
                        [RT #18302]

2465.   [bug]           Adb's handling of lame addresses was different
                        for IPv4 and IPv6. [RT #18738]

2464.   [port]          linux: check that a capability is present before
                        trying to set it. [RT #18135]

2463.   [port]          linux: POSIX doesn't include the IPv6 Advanced Socket
                        API and glibc hides parts of the IPv6 Advanced Socket
                        API as a result. This is stupid as it breaks how the
                        two halves (Basic and Advanced) of the IPv6 Socket API
                        were designed to be used but we have to live with it.
                        Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
                        API. [RT #18388]

2462.   [doc]           Document -m (enable memory usage debugging)
                        option for dig. [RT #18757]

2461.   [port]          sunos: Change #2363 was not complete. [RT #17513]

        --- 9.6.0a1 released ---

2460.   [bug]           Don't call dns_db_getnsec3parameters() on the cache.
                        [RT #18697]

2459.   [contrib]       Import dnssec-zkt to contrib/zkt. [RT #18448]

2458.   [doc]           ARM: update and correction for max-cache-size.
                        [RT #18294]

2457.   [tuning]        max-cache-size is reverted to 0, the previous
                        default. It should be safe because expired cache
                        entries are also purged. [RT #18684]

2456.   [bug]           In ACLs, ::/0 and 0.0.0.0/0 would both match any
                        address, regardless of family. They now correctly
                        distinguish IPv4 from IPv6. [RT #18559]

2455.   [bug]           Stop metadata being transferred via axfr/ixfr.
                        [RT #18639]

2454.   [func]          nsupdate: you can now set a default ttl. [RT #18317]

2453.   [bug]           Remove NULL pointer dereference in dns_journal_print().
                        [RT #18316]

2452.   [func]          Improve bin/test/journalprint. [RT #18316]

2451.   [port]          solaris: handle runtime linking better. [RT #18356]

2450.   [doc]           Fix lwresd docbook problem for manual page.
                        [RT #18672]

2449.   [placeholder]

2448.   [func]          Add NSEC3 support. [RT #15452]

2447.   [cleanup]       libbind has been split out as a separate product.

2446.   [func]          Add a new log message about build options on startup.
                        A new command-line option '-V' for named is also
                        provided to show this information. [RT #18645]

2445.   [doc]           ARM out-of-date on empty reverse zones (list includes
                        RFC1918 address, but these are not yet compiled in).
                        [RT #18578]

2444.   [port]          Linux, FreeBSD, AIX: Turn off path mtu discovery
                        (clear DF) for UDP responses and requests.

2443.   [bug]           win32: UDP connect() would not generate an event,
                        and so connected UDP sockets would never clean up.
                        Fix this by doing an immediate WSAConnect() rather
                        than an io completion port type for UDP.

2442.   [bug]           A lock could be destroyed twice. [RT #18626]

2441.   [bug]           isc_radix_insert() could copy radix tree nodes
                        incompletely. [RT #18573]

2440.   [bug]           named-checkconf used an incorrect test to determine
                        if an ACL was set to none.

2439.   [bug]           Potential NULL dereference in dns_acl_isanyornone().
                        [RT #18559]

2438.   [bug]           Timeouts could be logged incorrectly under win32.

2437.   [bug]           Sockets could be closed too early, leading to
                        inconsistent states in the socket module. [RT #18298]

2436.   [security]      win32: UDP client handler can be shutdown. [RT #18576]

2435.   [bug]           Fixed an ACL memory leak affecting win32.

2434.   [bug]           Fixed a minor error-reporting bug in
                        lib/isc/win32/socket.c.

2433.   [tuning]        Set initial timeout to 800ms.

2432.   [bug]           More Windows socket handling improvements. Stop
                        using I/O events and use IO Completion Ports
                        throughout. Rewrite the receive path logic to make
                        it easier to support multiple simultaneous
                        requesters in the future. Add stricter consistency
                        checking as a compile-time option (define
                        ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431.   [bug]           Acl processing could leak memory. [RT #18323]

2430.   [bug]           win32: isc_interval_set() could round down to
                        zero if the input was less than NS_INTERVAL
                        nanoseconds. Round up instead. [RT #18549]

2429.   [doc]           nsupdate should be in section 1 of the man pages.
                        [RT #18283]

2428.   [bug]           dns_iptable_merge() mishandled merges of negative
                        tables. [RT #18409]

2427.   [func]          Treat DNSKEY queries as if "minimal-response yes;"
                        was set. [RT #18528]

2426.   [bug]           libbind: inet_net_pton() can sometimes return the
                        wrong value if excessively large net masks are
                        supplied. [RT #18512]

2425.   [bug]           named didn't detect unavailable query source addresses
                        at load time. [RT #18536]

2424.   [port]          configure now probes for a working epoll
                        implementation. Allow the use of kqueue,
                        epoll and /dev/poll to be selected at compile
                        time. [RT #18277]

2423.   [security]      Randomize server selection on queries, so as to
                        make forgery a little more difficult. Instead of
                        always preferring the server with the lowest RTT,
                        pick a server with RTT within the same 128
                        millisecond band. [RT #18441]

2422.   [bug]           Handle the special return value of an empty node as
                        if it was a NXRRSET in the validator. [RT #18447]

2421.   [func]          Add new command line option '-S' for named to specify
                        the max number of sockets. [RT #18493]
                        Use caution: this option may not work for some
                        operating systems without rebuilding named.

2420.   [bug]           Windows socket handling cleanup. Let the io
                        completion event send out canceled read/write
                        done events, which keeps us from writing to memory
                        we no longer have ownership of. Add debugging
                        socket_log() function. Rework TCP socket handling
                        to not leak sockets.

2419.   [cleanup]       Document that isc_socket_create() and isc_socket_open()
                        should not be used for isc_sockettype_fdwatch sockets.
                        [RT #18521]

2418.   [bug]           AXFR request on a DLZ could trigger a REQUIRE failure
                        [RT #18430]

2417.   [bug]           Connecting UDP sockets for outgoing queries could
                        unexpectedly fail with an 'address already in use'
                        error. [RT #18411]

2416.   [func]          Log file descriptors that cause exceeding the
                        internal maximum. [RT #18460]

2415.   [bug]           'rndc dumpdb' could trigger various assertion failures
                        in rbtdb.c. [RT #18455]

2414.   [bug]           A masterdump context held the database lock too long,
                        causing various troubles such as dead lock and
                        recursive lock acquisition. [RT #18311, #18456]

2413.   [bug]           Fixed an unreachable code path in socket.c. [RT #18442]

2412.   [bug]           win32: address a resource leak. [RT #18374]

2411.   [bug]           Allow using a larger number of sockets than FD_SETSIZE
                        for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
                        at compilation time. [RT #18433]

                        Note: with changes #2469 and #2421 above, there is no
                        need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
                        any more.

2410.   [bug]           Correctly delete m_versionInfo. [RT #18432]

2409.   [bug]           Only log that we disabled EDNS processing if we were
                        subsequently successful. [RT #18029]

2408.   [bug]           A duplicate TCP dispatch event could be sent, which
                        could then trigger an assertion failure in
                        resquery_response(). [RT #18275]

2407.   [port]          hpux: test for sys/dyntune.h. [RT #18421]

2406.   [placeholder]

2405.   [cleanup]       The default value for dnssec-validation was changed to
                        "yes" in 9.5.0-P1 and all subsequent releases; this
                        was inadvertently omitted from CHANGES at the time.

2404.   [port]          hpux: files unlimited support.

2403.   [bug]           TSIG context leak. [RT #18341]

2402.   [port]          Support Solaris 2.11 and over. [RT #18362]

2401.   [bug]           Expect to get E[MN]FILE errno internal_accept()
                        (from accept() or fcntl() system calls). [RT #18358]

2400.   [bug]           Log if kqueue()/epoll_create()/open(/dev/poll) fails.
                        [RT #18297]

2399.   [placeholder]

2398.   [bug]           Improve file descriptor management. New,
                        temporary, named.conf option reserved-sockets,
                        default 512. [RT #18344]

2397.   [bug]           gssapi_functions had too many elements. [RT #18355]

2396.   [bug]           Don't set SO_REUSEADDR for randomized ports.
                        [RT #18336]

2395.   [port]          Avoid warning and no effect from "files unlimited"
                        on Linux when running as root. [RT #18335]

2394.   [bug]           Default configuration options set the limit for
                        open files to 'unlimited' as described in the
                        documentation. [RT #18331]

2393.   [bug]           nested acls containing keys could trigger an
                        assertion in acl.c. [RT #18166]

2392.   [bug]           remove 'grep -q' from acl test script, some platforms
                        don't support it. [RT #18253]

2391.   [port]          hpux: cover additional recvmsg() error codes.
                        [RT #18301]

2390.   [bug]           dispatch.c could make a false warning on 'odd socket'.
                        [RT #18301].

2389.   [bug]           Move the "working directory writable" check to after
                        the ns_os_changeuser() call. [RT #18326]

2388.   [bug]           Avoid using tables for layout purposes in
                        statistics XSL [RT #18159].

2387.   [bug]           Silence compiler warnings in lib/isc/radix.c.
                        [RT #18147] [RT #18258]

2386.   [func]          Add warning about too small 'open files' limit.
                        [RT #18269]

2385.   [bug]           A condition variable in socket.c could leak in
                        rare error handling [RT #17968].

2384.   [security]      Fully randomize UDP query ports to improve
                        forgery resilience. [RT #17949, #18098]

2383.   [bug]           named could double queries when they resulted in
                        SERVFAIL due to overkilling EDNS0 failure detection.
                        [RT #18182]

2382.   [doc]           Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
                        to ARM.

2381.   [port]          dlz/mysql: support multiple install layouts for
                        mysql. <prefix>/include/{,mysql/}mysql.h and
                        <prefix>/lib/{,mysql/}. [RT #18152]

2380.   [bug]           dns_view_find() was not returning NXDOMAIN/NXRRSET
                        proofs which, in turn, caused validation failures
                        for insecure zones immediately below a secure zone
                        the server was authoritative for. [RT #18112]

2379.   [contrib]       queryperf/gen-data-queryperf.py: removed redundant
                        TLDs and supported RRs with TTLs [RT #17972]

2378.   [bug]           gssapi_functions{} had a redundant member in BIND 9.5.
                        [RT #18169]

2377.   [bug]           Address race condition in dnssec-signzone. [RT #18142]

2376.   [bug]           Change #2144 was not complete.

2375.   [placeholder]

2374.   [bug]           "blackhole" ACLs could cause named to segfault due
                        to some uninitialized memory. [RT #18095]

2373.   [bug]           Default values of zone ACLs were re-parsed each time a
                        new zone was configured, causing an overconsumption
                        of memory. [RT #18092]

2372.   [bug]           Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]

2371.   [doc]           Add +nsid option to dig man page. [RT #18039]

2370.   [bug]           "rndc freeze" could trigger an assertion in named
                        when called on a nonexistent zone. [RT #18050]

2369.   [bug]           libbind: Array bounds overrun on read in bitncmp().
                        [RT #18054]

2368.   [port]          Linux: use libcap for capability management if
                        possible. [RT #18026]

2367.   [bug]           Improve counting of dns_resstatscounter_retry
                        [RT #18030]

2366.   [bug]           Adb shutdown race. [RT #18021]

2365.   [bug]           Fix a bug that caused dns_acl_isany() to return
                        spurious results. [RT #18000]

2364.   [bug]           named could trigger an assertion when serving a
                        malformed signed zone. [RT #17828]

2363.   [port]          sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
                        [RT #17513]

2362.   [cleanup]       Make "rrset-order fixed" a compile-time option,
                        settable by "./configure --enable-fixed-rrset".
                        Disabled by default. [RT #17977]

2361.   [bug]           "recursion" statistics counter could be counted
                        multiple times for a single query. [RT #17990]

2360.   [bug]           Fix a condition where we release a database version
                        (which may acquire a lock) while holding the lock.

2359.   [bug]           Fix NSID bug. [RT #17942]

2358.   [doc]           Update host's default query description. [RT #17934]

2357.   [port]          Don't use OpenSSL's engine support in versions before
                        OpenSSL 0.9.7f. [RT #17922]

2356.   [bug]           Built in mutex profiler was not scalable enough.
                        [RT #17436]

2355.   [func]          Extend the number of statistics counters available.
                        [RT #17590]

2354.   [bug]           Failed to initialize some rdatasetheader_t elements.
                        [RT #17927]

2353.   [func]          Add support for Name Server ID (RFC 5001).
                        'dig +nsid' requests NSID from server.
                        'request-nsid yes;' causes recursive server to send
                        NSID requests to upstream servers. Server responds
                        to NSID requests with the string configured by
                        'server-id' option. [RT #17091]

2352.   [bug]           Various GSS_API fixups. [RT #17729]

2351.   [bug]           convertxsl.pl generated very long lines. [RT #17906]

2350.   [port]          win32: IPv6 support. [RT #17797]

2349.   [func]          Provide incremental re-signing support for secure
                        dynamic zones. [RT #1091]

2348.   [func]          Use the EVP interface to OpenSSL. Add PKCS#11 support.
                        Documentation is in the new README.pkcs11 file.
                        New tool, dnssec-keyfromlabel, which takes the
                        label of a key pair in a HSM and constructs a DNS
                        key pair for use by named and dnssec-signzone.
                        [RT #16844]

2347.   [bug]           Delete now traverses the RB tree in the canonical
                        order. [RT #17451]

2346.   [func]          Memory statistics now cover all active memory contexts
                        in increased detail. [RT #17580]

2345.   [bug]           named-checkconf failed to detect when forwarders
                        were set at both the options/view level and in
                        a root zone. [RT #17671]

2344.   [bug]           Improve "logging{ file ...; };" documentation.
                        [RT #17888]

2343.   [bug]           (Seemingly) duplicate IPv6 entries could be
                        created in ADB. [RT #17837]

2342.   [func]          Use getifaddrs() if available under Linux. [RT #17224]

2341.   [bug]           libbind: add missing -I../include for off source
                        tree builds. [RT #17606]

2340.   [port]          openbsd: interface configuration. [RT #17700]

2339.   [port]          tru64: support for libbind. [RT #17589]

2338.   [bug]           check_ds() could be called with a non DS rdataset.
                        [RT #17598]

2337.   [bug]           BUILD_LDFLAGS was not being correctly set. [RT #17614]

2336.   [func]          If "named -6" is specified then listen on all IPv6
                        interfaces if there are not listen-on-v6 clauses in
                        named.conf. [RT #17581]

2335.   [port]          sunos: libbind and *printf() support for long long.
                        [RT #17513]

2334.   [bug]           Bad REQUIRES in fromstruct_in_naptr(), off by one
                        bug in fromstruct_txt(). [RT #17609]

2333.   [bug]           Fix off by one error in isc_time_nowplusinterval().
                        [RT #17608]

2332.   [contrib]       query-loc-0.4.0. [RT #17602]

2331.   [bug]           Failure to regenerate any signatures was not being
                        reported nor being passed back to the UPDATE client.
                        [RT #17570]

2330.   [bug]           Remove potential race condition when handling
                        over memory events. [RT #17572]

                        WARNING: API CHANGE: over memory callback
                        function now needs to call isc_mem_waterack().
                        See <isc/mem.h> for details.

2329.   [bug]           Clearer help text for dig's '-x' and '-i' options.

2328.   [maint]         Add AAAA addresses for A.ROOT-SERVERS.NET,
                        F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
                        J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
                        M.ROOT-SERVERS.NET.

2327.   [bug]           It was possible to dereference a NULL pointer in
                        rbtdb.c. Implement dead node processing in zones as
                        we do for caches. [RT #17312]

2326.   [bug]           It was possible to trigger an INSIST in the acache
                        processing.

2325.   [port]          Linux: use capset() function if available. [RT #17557]

2324.   [bug]           Fix IPv6 matching against "any;". [RT #17533]

2323.   [port]          tru64: namespace clash. [RT #17547]

2322.   [port]          MacOS: work around the limitation of setrlimit()
                        for RLIMIT_NOFILE. [RT #17526]

2321.   [placeholder]

2320.   [func]          Make statistics counters thread-safe for platforms
                        that support certain atomic operations. [RT #17466]

2319.   [bug]           Silence Coverity warnings in
                        lib/dns/rdata/in_1/apl_42.c. [RT #17469]

2318.   [port]          sunos fixes for libbind. [RT #17514]

2317.   [bug]           "make distclean" removed bind9.xsl.h. [RT #17518]

2316.   [port]          Missing #include <isc/print.h> in lib/dns/gssapictx.c.
                        [RT #17513]

2315.   [bug]           Used incorrect address family for mapped IPv4
                        addresses in acl.c. [RT #17519]

2314.   [bug]           Uninitialized memory use on error path in
                        bin/named/lwdnoop.c. [RT #17476]

2313.   [cleanup]       Silence Coverity warnings. Handle private stacks.
                        [RT #17447] [RT #17478]

2312.   [cleanup]       Silence Coverity warning in lib/isc/unix/socket.c.
                        [RT #17458]

2311.   [bug]           IPv6 addresses could match IPv4 ACL entries and
                        vice versa. [RT #17462]

2310.   [bug]           dig, host, nslookup: flush stdout before emitting
                        debug/fatal messages. [RT #17501]

2309.   [cleanup]       Fix Coverity warnings in lib/dns/acl.c and iptable.c.
                        [RT #17455]

2308.   [cleanup]       Silence Coverity warning in bin/named/controlconf.c.
                        [RT #17495]

2307.   [bug]           Remove infinite loop from lib/dns/sdb.c. [RT #17496]

2306.   [bug]           Remove potential race from lib/dns/resolver.c.
                        [RT #17470]

2305.   [security]      inet_network() buffer overflow. CVE-2008-0122.

2304.   [bug]           Check returns from all dns_rdata_tostruct() calls.
                        [RT #17460]

2303.   [bug]           Remove unnecessary code from bin/named/lwdgnba.c.
                        [RT #17471]

2302.   [bug]           Fix memset() calls in lib/tests/t_api.c. [RT #17472]

2301.   [bug]           Remove resource leak and fix error messages in
                        bin/tests/system/lwresd/lwtest.c. [RT #17474]

2300.   [bug]           Fixed failure to close open file in
                        bin/tests/names/t_names.c. [RT #17473]

2299.   [bug]           Remove unnecessary NULL check in
                        bin/nsupdate/nsupdate.c. [RT #17475]

2298.   [bug]           isc_mutex_lock() failure not caught in
                        bin/tests/timers/t_timers.c. [RT #17468]

2297.   [bug]           isc_entropy_createfilesource() failure not caught in
                        bin/tests/dst/t_dst.c. [RT #17467]

2296.   [port]          Allow docbook stylesheet location to be specified to
                        configure. [RT #17457]

2295.   [bug]           Silence static overrun error in bin/named/lwaddr.c.
                        [RT #17459]

2294.   [func]          Allow the experimental statistics channels to have
                        multiple connections and ACL.
                        Note: the stats-server and stats-server-v6 options
                        available in the previous beta releases are replaced
                        with the generic statistics-channels statement.

2293.   [func]          Add ACL regression test. [RT #17375]

2292.   [bug]           Log if the working directory is not writable.
                        [RT #17312]

2291.   [bug]           PR_SET_DUMPABLE may be set too late. Also report
                        failure to set PR_SET_DUMPABLE. [RT #17312]

2290.   [bug]           Let AD in the query signal that the client wants AD
                        set in the response. [RT #17301]

2289.   [func]          named-checkzone now reports the out-of-zone CNAME
                        found. [RT #17309]

2288.   [port]          win32: mark service as running when we have finished
                        loading. [RT #17441]

2287.   [bug]           Use 'volatile' if the compiler supports it. [RT #17413]

2286.   [func]          Allow a TCP connection to be used as a weak
                        authentication method for reverse zones.
                        New update-policy methods tcp-self and 6to4-self.
                        [RT #17378]

2285.   [func]          Test framework for client memory context management.
                        [RT #17377]

2284.   [bug]           Memory leak in UPDATE prerequisite processing.
                        [RT #17377]

2283.   [bug]           TSIG keys were not attaching to the memory
                        context. TSIG keys should use the rings
                        memory context rather than the clients memory
                        context. [RT #17377]

2282.   [bug]           Acl code fixups. [RT #17346] [RT #17374]

2281.   [bug]           Attempts to use undefined acls were not being logged.
                        [RT #17307]

2280.   [func]          Allow the experimental http server to be reached
                        over IPv6 as well as IPv4. [RT #17332]

2279.   [bug]           Use setsockopt(SO_NOSIGPIPE), when available,
                        to protect applications from receiving spurious
                        SIGPIPE signals when using the resolver.

2278.   [bug]           win32: handle the case where Windows returns no
                        search list or DNS suffix. [RT #17354]

2277.   [bug]           Empty zone names were not correctly being caught
                        in the post parse checks. [RT #17357]

2276.   [bug]           Install <dst/gssapi.h>. [RT #17359]

2275.   [func]          Add support to dig to perform IXFR queries over UDP.
                        [RT #17235]

2274.   [func]          Log zone transfer statistics. [RT #17336]

2273.   [bug]           Adjust log level to WARNING when saving inconsistent
                        stub/slave master and journal files. [RT #17279]

2272.   [bug]           Handle illegal dnssec-lookaside trust-anchor names.
                        [RT #17262]

2271.   [bug]           Fix a memory leak in http server code [RT #17100]

2270.   [bug]           dns_db_closeversion() version->writer could be reset
                        before it is tested. [RT #17290]

2269.   [contrib]       dbus memory leaks and missing va_end calls. [RT #17232]

2268.   [bug]           0.IN-ADDR.ARPA was missing from the empty zones
                        list.

        --- 9.5.0b1 released ---

2267.   [bug]           Radix tree node_num value could be set incorrectly,
                        causing positive ACL matches to look like negative
                        ones. [RT #17311]

2266.   [bug]           client.c:get_clientmctx() returned the same mctx
                        once the pool of mctx's was filled. [RT #17218]

2265.   [bug]           Test that the memory context's basic_table is non NULL
                        before freeing. [RT #17265]

2264.   [bug]           Server prefix length was being ignored. [RT #17308]

2263.   [bug]           "named-checkconf -z" failed to set default value
                        for "check-integrity". [RT #17306]

2262.   [bug]           Error status from all but the last view could be
                        lost. [RT #17292]

2261.   [bug]           Fix memory leak with "any" and "none" ACLs [RT #17272]

2260.   [bug]           Reported wrong clients-per-query when increasing the
                        value. [RT #17236]

2259.   [placeholder]

        --- 9.5.0a7 released ---

2258.   [bug]           Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
                        [RT #17241]

2257.   [bug]           win32: Use the full path to vcredist_x86.exe when
                        calling it. [RT #17222]

2256.   [bug]           win32: Correctly register the installation location of
                        bindevt.dll. [RT #17159]

2255.   [maint]         L.ROOT-SERVERS.NET is now 199.7.83.42.

2254.   [bug]           timer.c:dispatch() failed to lock timer->lock
                        when reading timer->idle allowing it to see
                        intermediate values as timer->idle was reset by
                        isc_timer_touch(). [RT #17243]

2253.   [func]          "max-cache-size" defaults to 32M.
                        "max-acache-size" defaults to 16M.

2252.   [bug]           Fixed errors in sortlist code [RT #17216]

2251.   [placeholder]

2250.   [func]          New flag 'memstatistics' to state whether the
                        memory statistics file should be written or not.
                        Additionally named's -m option will cause the
                        statistics file to be written. [RT #17113]

2249.   [bug]           Only set Authentic Data bit if client requested
                        DNSSEC, per RFC 3655 [RT #17175]

2248.   [cleanup]       Fix several errors reported by Coverity. [RT #17160]

2247.   [doc]           Sort doc/misc/options. [RT #17067]

2246.   [bug]           Make the startup of test servers (ans.pl) more
                        robust. [RT #17147]

2245.   [bug]           Validating lack of DS records at trust anchors wasn't
                        working. [RT #17151]

2244.   [func]          Allow the check of nameserver names against the
                        SOA MNAME field to be disabled by specifying
                        'notify-to-soa yes;'. [RT #17073]

2243.   [func]          Configuration files without a newline at the end now
                        parse without error. [RT #17120]

2242.   [bug]           nsupdate: GSS-TSIG support using the Heimdal Kerberos
                        library could require a source of random data.
                        [RT #17127]

2241.   [func]          nsupdate: add an interactive 'help' command. [RT #17099]

2240.   [bug]           Cleanup nsupdates GSS-TSIG support. Convert
                        a number of INSIST()s into plain fatal() errors
                        which report the triggering result code.
                        The 'key' command wasn't disabling GSS-TSIG.
                        [RT #17099]

2239.   [func]          Ship a pre built bin/named/bind9.xsl.h. [RT #17114]

2238.   [bug]           It was possible to trigger a REQUIRE when a
                        validation was canceled. [RT #17106]

2237.
[bug] libbind: res_init() was not thread aware. [RT #17123] 4647 46482236. [bug] dnssec-signzone failed to preserve the case of 4649 of wildcard owner names. [RT #17085] 4650 46512235. [bug] <isc/atomic.h> was not being installed. [RT #17135] 4652 46532234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] 4654 46552233. [func] Add support for O(1) ACL processing, based on 4656 radix tree code originally written by Kevin 4657 Brintnall. [RT #16288] 4658 46592232. [bug] dns_adb_findaddrinfo() could fail and return 4660 ISC_R_SUCCESS. [RT #17137] 4661 46622231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken. 4663 [RT #17088] 4664 46652230. [bug] We could INSIST reading a corrupted journal. 4666 [RT #17132] 4667 46682229. [bug] Null pointer dereference on query pool creation 4669 failure. [RT #17133] 4670 46712228. [contrib] contrib: Change 2188 was incomplete. 4672 46732227. [cleanup] Tidied up the FAQ. [RT #17121] 4674 46752226. [placeholder] 4676 46772225. [bug] More support for systems with no IPv4 addresses. 4678 [RT #17111] 4679 46802224. [bug] Defer journal compaction if a xfrin is in progress. 4681 [RT #17119] 4682 46832223. [bug] Make a new journal when compacting. [RT #17119] 4684 46852222. [func] named-checkconf now checks server key references. 4686 [RT #17097] 4687 46882221. [bug] Set the event result code to reflect the actual 4689 record turned to caller when a cache update is 4690 rejected due to a more credible answer existing. 4691 [RT #17017] 4692 46932220. [bug] win32: Address a race condition in final shutdown of 4694 the Windows socket code. [RT #17028] 4695 46962219. [bug] Apply zone consistency checks to additions, not 4697 removals, when updating. [RT #17049] 4698 46992218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). 4700 [RT #16976] 4701 47022217. [func] Adjust update log levels. [RT #17092] 4703 47042216. [cleanup] Fix a number of errors reported by Coverity. 4705 [RT #17094] 4706 47072215. 
[bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] 4708 47092214. [bug] Deregister OpenSSL lock callback when cleaning 4710 up. Reorder OpenSSL cleanup so that RAND_cleanup() 4711 is called before the locks are destroyed. [RT #17098] 4712 47132213. [bug] SIG0 diagnostic failure messages were looking at the 4714 wrong status code. [RT #17101] 4715 47162212. [func] 'host -m' now causes memory statistics and active 4717 memory to be printed at exit. [RT 17028] 4718 47192211. [func] Update "dynamic update temporarily disabled" message. 4720 [RT #17065] 4721 47222210. [bug] Deleting class specific records via UPDATE could 4723 fail. [RT #17074] 4724 47252209. [port] osx: linking against user supplied static OpenSSL 4726 libraries failed as the system ones were still being 4727 found. [RT #17078] 4728 47292208. [port] win32: make sure both build methods produce the 4730 same output. [RT #17058] 4731 47322207. [port] Some implementations of getaddrinfo() fail to set 4733 ai_canonname correctly. [RT #17061] 4734 4735 --- 9.5.0a6 released --- 4736 47372206. [security] "allow-query-cache" and "allow-recursion" now 4738 cross inherit from each other. 4739 4740 If allow-query-cache is not set in named.conf then 4741 allow-recursion is used if set, otherwise allow-query 4742 is used if set, otherwise the default (localnets; 4743 localhost;) is used. 4744 4745 If allow-recursion is not set in named.conf then 4746 allow-query-cache is used if set, otherwise allow-query 4747 is used if set, otherwise the default (localnets; 4748 localhost;) is used. 4749 4750 [RT #16987] 4751 47522205. [bug] libbind: change #2119 broke thread support. [RT #16982] 4753 47542204. [bug] "rndc flushanme name unknown-view" caused named 4755 to crash. [RT #16984] 4756 47572203. [security] Query id generation was cryptographically weak. 4758 [RT # 16915] 4759 47602202. [security] The default acls for allow-query-cache and 4761 allow-recursion were not being applied. [RT #16960] 4762 47632201. 
[bug] The build failed in a separate object directory. 4764 [RT #16943] 4765 47662200. [bug] The search for cached NSEC records was stopping to 4767 early leading to excessive DLV queries. [RT #16930] 4768 47692199. [bug] win32: don't call WSAStartup() while loading dlls. 4770 [RT #16911] 4771 47722198. [bug] win32: RegCloseKey() could be called when 4773 RegOpenKeyEx() failed. [RT #16911] 4774 47752197. [bug] Add INSIST to catch negative responses which are 4776 not setting the event result code appropriately. 4777 [RT #16909] 4778 47792196. [port] win32: yield processor while waiting for once to 4780 to complete. [RT #16958] 4781 47822195. [func] dnssec-keygen now defaults to nametype "ZONE" 4783 when generating DNSKEYs. [RT #16954] 4784 47852194. [bug] Close journal before calling 'done' in xfrin.c. 4786 4787 --- 9.5.0a5 released --- 4788 47892193. [port] win32: BINDInstall.exe is now linked statically. 4790 [RT #16906] 4791 47922192. [port] win32: use vcredist_x86.exe to install Visual 4793 Studio's redistributable dlls if building with 4794 Visual Stdio 2005 or later. 4795 47962191. [func] named-checkzone now allows dumping to stdout (-). 4797 named-checkconf now has -h for help. 4798 named-checkzone now has -h for help. 4799 rndc now has -h for help. 4800 Better handling of '-?' for usage summaries. 4801 [RT #16707] 4802 48032190. [func] Make fallback to plain DNS from EDNS due to timeouts 4804 more visible. New logging category "edns-disabled". 4805 [RT #16871] 4806 48072189. [bug] Handle socket() returning EINTR. [RT #15949] 4808 48092188. [contrib] queryperf: autoconf changes to make the search for 4810 libresolv or libbind more robust. [RT #16299] 4811 48122187. [bug] query_addds(), query_addwildcardproof() and 4813 query_addnxrrsetnsec() should take a version 4814 argument. [RT #16368] 4815 48162186. [port] cygwin: libbind: check for struct sockaddr_storage 4817 independently of IPv6. [RT #16482] 4818 48192185. 
[port] sunos: libbind: check for ssize_t, memmove() and 4820 memchr(). [RT #16463] 4821 48222184. [bug] bind9.xsl.h didn't build out of the source tree. 4823 [RT #16830] 4824 48252183. [bug] dnssec-signzone didn't handle offline private keys 4826 well. [RT #16832] 4827 48282182. [bug] dns_dispatch_createtcp() and dispatch_createudp() 4829 could return ISC_R_SUCCESS when they ran out of 4830 memory. [RT #16365] 4831 48322181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462] 4833 48342180. [cleanup] Remove bit test from 'compress_test' as they 4835 are no longer needed. [RT #16497] 4836 48372179. [func] 'rndc command zone' will now find 'zone' if it is 4838 unique to all the views. [RT #16821] 4839 48402178. [bug] 'rndc reload' of a slave or stub zone resulted in 4841 a reference leak. [RT #16867] 4842 48432177. [bug] Array bounds overrun on read (rcodetext) at 4844 debug level 10+. [RT #16798] 4845 48462176. [contrib] dbus update to handle race condition during 4847 initialization (Bugzilla 235809). [RT #16842] 4848 48492175. [bug] win32: windows broadcast condition variable support 4850 was broken. [RT #16592] 4851 48522174. [bug] I/O errors should always be fatal when reading 4853 master files. [RT #16825] 4854 48552173. [port] win32: When compiling with MSVS 2005 SP1 we also 4856 need to ship Microsoft.VC80.MFCLOC. 4857 4858 --- 9.5.0a4 released --- 4859 48602172. [bug] query_addsoa() was being called with a non zone db. 4861 [RT #16834] 4862 48632171. [bug] Handle breaks in DNSSEC trust chains where the parent 4864 servers are not DS aware (DS queries to the parent 4865 return a referral to the child). 4866 48672170. [func] Add acache processing to test suite. [RT #16711] 4868 48692169. [bug] host, nslookup: when reporting NXDOMAIN report the 4870 given name and not the last name searched for. 4871 [RT #16763] 4872 48732168. [bug] nsupdate: in non-interactive mode treat syntax errors 4874 as fatal errors. [RT #16785] 4875 48762167. 
[bug] When re-using a automatic zone named failed to 4877 attach it to the new view. [RT #16786] 4878 4879 --- 9.5.0a3 released --- 4880 48812166. [bug] When running in batch mode, dig could misinterpret 4882 a server address as a name to be looked up, causing 4883 unexpected output. [RT #16743] 4884 48852165. [func] Allow the destination address of a query to determine 4886 if we will answer the query or recurse. 4887 allow-query-on, allow-recursion-on and 4888 allow-query-cache-on. [RT #16291] 4889 48902164. [bug] The code to determine how named-checkzone / 4891 named-compilezone was called failed under windows. 4892 [RT #16764] 4893 48942163. [bug] If only one of query-source and query-source-v6 4895 specified a port the query pools code broke (change 4896 2129). [RT #16768] 4897 48982162. [func] Allow "rrset-order fixed" to be disabled at compile 4899 time. [RT #16665] 4900 49012161. [bug] Fix which log messages are emitted for 'rndc flush'. 4902 [RT #16698] 4903 49042160. [bug] libisc wasn't handling NULL ifa_addr pointers returned 4905 from getifaddrs(). [RT #16708] 4906 4907 --- 9.5.0a2 released --- 4908 49092159. [bug] Array bounds overrun in acache processing. [RT #16710] 4910 49112158. [bug] ns_client_isself() failed to initialize key 4912 leading to a REQUIRE failure. [RT #16688] 4913 49142157. [func] dns_db_transfernode() created. [RT #16685] 4915 49162156. [bug] Fix node reference leaks in lookup.c:lookup_find(), 4917 resolver.c:validated() and resolver.c:cache_name(). 4918 Fix a memory leak in rbtdb.c:free_noqname(). 4919 Make lookup.c:lookup_find() robust against 4920 event leaks. [RT #16685] 4921 49222155. [contrib] SQLite sdb module from jaboydjr@netwalk.com. 4923 [RT #16694] 4924 49252154. [func] Scoped (e.g. IPv6 link-local) addresses may now be 4926 matched in acls by omitting the scope. [RT #16599] 4927 49282153. [bug] nsupdate could leak memory. [RT #16691] 4929 49302152. 
[cleanup] Use sizeof(buf) instead of fixed number in 4931 dighost.c:get_trusted_key(). [RT #16678] 4932 49332151. [bug] Missing newline in usage message for journalprint. 4934 [RT #16679] 4935 49362150. [bug] 'rrset-order cyclic' uniformly distribute the 4937 starting point for the first response for a given 4938 RRset. [RT #16655] 4939 49402149. [bug] isc_mem_checkdestroyed() failed to abort on 4941 if there were still active memory contexts. 4942 [RT #16672] 4943 49442148. [func] Add positive logging for rndc commands. [RT #14623] 4945 49462147. [bug] libbind: remove potential buffer overflow from 4947 hmac_link.c. [RT #16437] 4948 49492146. [cleanup] Silence Linux's spurious "obsolete setsockopt 4950 SO_BSDCOMPAT" message. [RT #16641] 4951 49522145. [bug] Check DS/DLV digest lengths for known digests. 4953 [RT #16622] 4954 49552144. [cleanup] Suppress logging of SERVFAIL from forwarders. 4956 [RT #16619] 4957 49582143. [bug] We failed to restart the IPv6 client when the 4959 kernel failed to return the destination the 4960 packet was sent to. [RT #16613] 4961 49622142. [bug] Handle master files with a modification time that 4963 matches the epoch. [RT# 16612] 4964 49652141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN 4966 equivalent of LDH checks). [RT #16609] 4967 49682140. [bug] libbind: missing unlock on pthread_key_create() 4969 failures. [RT #16654] 4970 49712139. [bug] dns_view_find() was being called with wrong type 4972 in adb.c. [RT #16670] 4973 49742138. [bug] Lock order reversal in resolver.c. [RT #16653] 4975 49762137. [port] Mips little endian and/or mips 64 bit are now 4977 supported for atomic operations. [RT#16648] 4978 49792136. [bug] nslookup/host looped if there was no search list 4980 and the host didn't exist. [RT #16657] 4981 49822135. [bug] Uninitialized rdataset in sdlz.c. [RT# 16656] 4983 49842134. [func] Additional statistics support. [RT #16666] 4985 49862133. 
[port] powerpc: Support both IBM and MacOS Power PC 4987 assembler syntaxes. [RT #16647] 4988 49892132. [bug] Missing unlock on out of memory in 4990 dns_dispatchmgr_setudp(). 4991 49922131. [contrib] dlz/mysql: AXFR was broken. [RT #16630] 4993 49942130. [func] Log if CD or DO were set. [RT #16640] 4995 49962129. [func] Provide a pool of UDP sockets for queries to be 4997 made over. See use-queryport-pool, queryport-pool-ports 4998 and queryport-pool-updateinterval. [RT #16415] 4999 50002128. [doc] xsltproc --nonet, update DTD versions. [RT #16635] 5001 50022127. [port] Improved OpenSSL 0.9.8 support. [RT #16563] 5003 50042126. [security] Serialize validation of type ANY responses. [RT #16555] 5005 50062125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ 5007 was defined. [RT #16574] 5008 50092124. [security] It was possible to dereference a freed fetch 5010 context. [RT #16584] 5011 5012 --- 9.5.0a1 released --- 5013 50142123. [func] Use Doxygen to generate internal documentation. 5015 [RT #11398] 5016 50172122. [func] Experimental http server and statistics support 5018 for named via xml. 5019 50202121. [func] Add a 10 slot dead masters cache (LRU) with a 600 5021 second timeout. [RT #16553] 5022 50232120. [doc] Fix markup on nsupdate man page. [RT #16556] 5024 50252119. [compat] libbind: allow res_init() to succeed enough to 5026 return the default domain even if it was unable 5027 to allocate memory. 5028 50292118. [bug] Handle response with long chains of domain name 5030 compression pointers which point to other compression 5031 pointers. [RT #16427] 5032 50332117. [bug] DNSSEC fixes: named could fail to cache NSEC records 5034 which could lead to validation failures. named didn't 5035 handle negative DS responses that were in the process 5036 of being validated. Check CNAME bit before accepting 5037 NODATA proof. To be able to ignore a child NSEC there 5038 must be SOA (and NS) set in the bitmap. [RT #16399] 5039 50402116. 
[bug] 'rndc reload' could cause the cache to continually 5041 be cleaned. [RT #16401] 5042 50432115. [bug] 'rndc reconfig' could trigger a INSIST if the 5044 number of masters for a zone was reduced. [RT #16444] 5045 50462114. [bug] dig/host/nslookup: searches for names with multiple 5047 labels were failing. [RT #16447] 5048 50492113. [bug] nsupdate: if a zone is specified it should be used 5050 for server discover. [RT# 16455] 5051 50522112. [security] Warn if weak RSA exponent is used. [RT #16460] 5053 50542111. [bug] Fix a number of errors reported by Coverity. 5055 [RT #16507] 5056 50572110. [bug] "minimal-responses yes;" interacted badly with BIND 8 5058 priming queries. [RT #16491] 5059 50602109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502] 5061 50622108. [func] DHCID support. [RT #16456] 5063 50642107. [bug] dighost.c: more cleanup of buffers. [RT #16499] 5065 50662106. [func] 'rndc status' now reports named's version. [RT #16426] 5067 50682105. [func] GSS-TSIG support (RFC 3645). 5069 50702104. [port] Fix Solaris SMF error message. 5071 50722103. [port] Add /usr/sfw to list of locations for OpenSSL 5073 under Solaris. 5074 50752102. [port] Silence Solaris 10 warnings. 5076 50772101. [bug] OpenSSL version checks were not quite right. 5078 [RT #16476] 5079 50802100. [port] win32: copy libeay32.dll to Build\Debug. 5081 Copy Debug\named-checkzone to Debug\named-compilezone. 5082 50832099. [port] win32: more manifest issues. 5084 50852098. [bug] Race in rbtdb.c:no_references(), which occasionally 5086 triggered an INSIST failure about the node lock 5087 reference. [RT #16411] 5088 50892097. [bug] named could reference a destroyed memory context 5090 after being reloaded / reconfigured. [RT #16428] 5091 50922096. [bug] libbind: handle applications that fail to detect 5093 res_init() failures better. 5094 50952095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and 5096 net_cidr_ntop_ipv6(). [RT #16388] 5097 50982094. 
[contrib] Update named-bootconf. [RT# 16404] 5099 51002093. [bug] named-checkzone -s was broken. 5101 51022092. [bug] win32: dig, host, nslookup. Use registry config 5103 if resolv.conf does not exist or no nameservers 5104 listed. [RT #15877] 5105 51062091. [port] dighost.c: race condition on cleanup. [RT #16417] 5107 51082090. [port] win32: Visual C++ 2005 command line manifest support. 5109 [RT #16417] 5110 51112089. [security] Raise the minimum safe OpenSSL versions to 5112 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions 5113 prior to these have known security flaws which 5114 are (potentially) exploitable in named. [RT #16391] 5115 51162088. [security] Change the default RSA exponent from 3 to 65537. 5117 [RT #16391] 5118 51192087. [port] libisc failed to compile on OS's w/o a vsnprintf. 5120 [RT #16382] 5121 51222086. [port] libbind: FreeBSD now has get*by*_r() functions. 5123 [RT #16403] 5124 51252085. [doc] win32: added index.html and README to zip. [RT #16201] 5126 51272084. [contrib] dbus update for 9.3.3rc2. 5128 51292083. [port] win32: Visual C++ 2005 support. 5130 51312082. [doc] Document 'cache-file' as a test only option. 5132 51332081. [port] libbind: minor 64-bit portability fix in memcluster.c. 5134 [RT #16360] 5135 51362080. [port] libbind: res_init.c did not compile on older versions 5137 of Solaris. [RT #16363] 5138 51392079. [bug] The lame cache was not handling multiple types 5140 correctly. [RT #16361] 5141 51422078. [bug] dnssec-checkzone output style "default" was badly 5143 named. It is now called "relative". [RT #16326] 5144 51452077. [bug] 'dnssec-signzone -O raw' wasn't outputting the 5146 complete signed zone. [RT #16326] 5147 51482076. [bug] Several files were missing #include <config.h> 5149 causing build failures on OSF. [RT #16341] 5150 51512075. [bug] The spillat timer event hander could leak memory. 5152 [RT #16357] 5153 51542074. 
[bug] dns_request_createvia2(), dns_request_createvia3(), 5155 dns_request_createraw2() and dns_request_createraw3() 5156 failed to send multiple UDP requests. [RT #16349] 5157 51582073. [bug] Incorrect semantics check for update policy "wildcard". 5159 [RT #16353] 5160 51612072. [bug] We were not generating valid HMAC SHA digests. 5162 [RT #16320] 5163 51642071. [port] Test whether gcc accepts -fno-strict-aliasing. 5165 [RT #16324] 5166 51672070. [bug] The remote address was not always displayed when 5168 reporting dispatch failures. [RT #16315] 5169 51702069. [bug] Cross compiling was not working. [RT #16330] 5171 51722068. [cleanup] Lower incremental tuning message to debug 1. 5173 [RT #16319] 5174 51752067. [bug] 'rndc' could close the socket too early triggering 5176 a INSIST under Windows. [RT #16317] 5177 51782066. [security] Handle SIG queries gracefully. [RT #16300] 5179 51802065. [bug] libbind: probe for HPUX prototypes for 5181 endprotoent_r() and endservent_r(). [RT 16313] 5182 51832064. [bug] libbind: silence AIX compiler warnings. [RT #16218] 5184 51852063. [bug] Change #1955 introduced a bug which caused the first 5186 'rndc flush' call to not free memory. [RT #16244] 5187 51882062. [bug] 'dig +nssearch' was reusing a buffer before it had 5189 been returned by the socket code. [RT #16307] 5190 51912061. [bug] Accept expired wildcard message reversed. [RT #16296] 5192 51932060. [bug] Enabling DLZ support could leave views partially 5194 configured. [RT #16295] 5195 51962059. [bug] Search into cache rbtdb could trigger an INSIST 5197 failure while cleaning up a stale rdataset. 5198 [RT #16292] 5199 52002058. [bug] Adjust how we calculate rtt estimates in the presence 5201 of authoritative servers that drop EDNS and/or CD 5202 requests. Also fallback to EDNS/512 and plain DNS 5203 faster for zones with less than 3 servers. [RT #16187] 5204 52052057. [bug] Make setting "ra" dependent on both allow-query-cache 5206 and allow-recursion. 
[RT #16290] 5207 52082056. [bug] dig: ixfr= was not being treated case insensitively 5209 at all times. [RT #15955] 5210 52112055. [bug] Missing goto after dropping multicast query. 5212 [RT #15944] 5213 52142054. [port] freebsd: do not explicitly link against -lpthread. 5215 [RT #16170] 5216 52172053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] 5218 52192052. [bug] 'rndc' improve connect failed message to report 5220 the failing address. [RT #15978] 5221 52222051. [port] More strtol() fixes. [RT #16249] 5223 52242050. [bug] Parsing of NSAP records was not case insensitive. 5225 [RT #16287] 5226 52272049. [bug] Restore SOA before AXFR when falling back from 5228 a attempted IXFR when transferring in a zone. 5229 Allow a initial SOA query before attempting 5230 a AXFR to be requested. [RT #16156] 5231 52322048. [bug] It was possible to loop forever when using 5233 avoid-v4-udp-ports / avoid-v6-udp-ports when 5234 the OS always returned the same local port. 5235 [RT #16182] 5236 52372047. [bug] Failed to initialize the interface flags to zero. 5238 [RT #16245] 5239 52402046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate 5241 cleanup [RT #16247]. 5242 52432045. [func] Use lock buckets for acache entries to limit memory 5244 consumption. [RT #16183] 5245 52462044. [port] Add support for atomic operations for Itanium. 5247 [RT #16179] 5248 52492043. [port] nsupdate/nslookup: Force the flushing of the prompt 5250 for interactive sessions. [RT#16148] 5251 52522042. [bug] named-checkconf was incorrectly rejecting the 5253 logging category "config". [RT #16117] 5254 52552041. [bug] "configure --with-dlz-bdb=yes" produced a bad 5256 set of libraries to be linked. [RT #16129] 5257 52582040. [bug] rbtdb no_references() could trigger an INSIST 5259 failure with --enable-atomic. [RT #16022] 5260 52612039. [func] Check that all buffers passed to the socket code 5262 have been retrieved when the socket event is freed. 
5263 [RT #16122] 5264 52652038. [bug] dig/nslookup/host was unlinking from wrong list 5266 when handling errors. [RT #16122] 5267 52682037. [func] When unlinking the first or last element in a list 5269 check that the list head points to the element to 5270 be unlinked. [RT #15959] 5271 52722036. [bug] 'rndc recursing' could cause trigger a REQUIRE. 5273 [RT #16075] 5274 52752035. [func] Make falling back to TCP on UDP refresh failure 5276 optional. Default "try-tcp-refresh yes;" for BIND 8 5277 compatibility. [RT #16123] 5278 52792034. [bug] gcc: set -fno-strict-aliasing. [RT #16124] 5280 52812033. [bug] We weren't creating multiple client memory contexts 5282 on demand as expected. [RT #16095] 5283 52842032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074] 5285 52862031. [bug] Emit a error message when "rndc refresh" is called on 5287 a non slave/stub zone. [RT # 16073] 5288 52892030. [bug] We were being overly conservative when disabling 5290 openssl engine support. [RT #16030] 5291 52922029. [bug] host printed out the server multiple times when 5293 specified on the command line. [RT #15992] 5294 52952028. [port] linux: socket.c compatibility for old systems. 5296 [RT #16015] 5297 52982027. [port] libbind: Solaris x86 support. [RT #16020] 5299 53002026. [bug] Rate limit the two recursive client exceeded messages. 5301 [RT #16044] 5302 53032025. [func] Update "zone serial unchanged" message. [RT #16026] 5304 53052024. [bug] named emitted spurious "zone serial unchanged" 5306 messages on reload. [RT #16027] 5307 53082023. [bug] "make install" should create ${localstatedir}/run and 5309 ${sysconfdir} if they do not exist. [RT #16033] 5310 53112022. [bug] If dnssec validation is disabled only assert CD if 5312 CD was requested. [RT #16037] 5313 53142021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037] 5315 53162020. [bug] rdataset_setadditional() could leak memory. [RT #16034] 5317 53182019. 
[tuning] Reduce the amount of work performed per quantum 5319 when cleaning the cache. [RT #15986] 5320 53212018. [bug] Checking if the HMAC MD5 private file was broken. 5322 [RT #15960] 5323 53242017. [bug] allow-query default was not correct. [RT #15946] 5325 53262016. [bug] Return a partial answer if recursion is not 5327 allowed but requested and we had the answer 5328 to the original qname. [RT #15945] 5329 53302015. [cleanup] use-additional-cache is now acache-enable for 5331 consistency. Default acache-enable off in BIND 9.4 5332 as it requires memory usage to be configured. 5333 It may be enabled by default in BIND 9.5 once we 5334 have more experience with it. 5335 53362014. [func] Statistics about acache now recorded and sent 5337 to log. [RT #15976] 5338 53392013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR 5340 responses more gracefully. [RT #15941] 5341 53422012. [func] Don't insert new acache entries if acache is full. 5343 [RT #15970] 5344 53452011. [func] dnssec-signzone can now update the SOA record of 5346 the signed zone, either as an increment or as the 5347 system time(). [RT #15633] 5348 53492010. [placeholder] rt15958 5350 53512009. [bug] libbind: Coverity fixes. [RT #15808] 5352 53532008. [func] It is now possible to enable/disable DNSSEC 5354 validation from rndc. This is useful for the 5355 mobile hosts where the current connection point 5356 breaks DNSSEC (firewall/proxy). [RT #15592] 5357 5358 rndc validation newstate [view] 5359 53602007. [func] It is now possible to explicitly enable DNSSEC 5361 validation. default dnssec-validation no; to 5362 be changed to yes in 9.5.0. [RT #15674] 5363 53642006. [security] Allow-query-cache and allow-recursion now default 5365 to the built in acls "localnets" and "localhost". 5366 5367 This is being done to make caching servers less 5368 attractive as reflective amplifying targets for 5369 spoofed traffic. This still leave authoritative 5370 servers exposed. 
5371 5372 The best fix is for full BCP 38 deployment to 5373 remove spoofed traffic. 5374 53752005. [bug] libbind: Retransmission timeouts should be 5376 based on which attempt it is to the nameserver 5377 and not the nameserver itself. [RT #13548] 5378 53792004. [bug] dns_tsig_sign() could pass a NULL pointer to 5380 dst_context_destroy() when cleaning up after a 5381 error. [RT #15835] 5382 53832003. [bug] libbind: The DNS name/address lookup functions could 5384 occasionally follow a random pointer due to 5385 structures not being completely zeroed. [RT #15806] 5386 53872002. [bug] libbind: tighten the constraints on when 5388 struct addrinfo._ai_pad exists. [RT #15783] 5389 53902001. [func] Check the KSK flag when updating a secure dynamic zone. 5391 New zone option "update-check-ksk yes;". [RT #15817] 5392 53932000. [bug] memmove()/strtol() fix was incomplete. [RT #15812] 5394 53951999. [func] Implement "rrset-order fixed". [RT #13662] 5396 53971998. [bug] Restrict handling of fifos as sockets to just SunOS. 5398 This allows named to connect to entropy gathering 5399 daemons that use fifos instead of sockets. [RT #15840] 5400 54011997. [bug] Named was failing to replace negative cache entries 5402 when a positive one for the type was learnt. 5403 [RT #15818] 5404 54051996. [bug] nsupdate: if a zone has been specified it should 5406 appear in the output of 'show'. [RT #15797] 5407 54081995. [bug] 'host' was reporting multiple "is an alias" messages. 5409 [RT #15702] 5410 54111994. [port] OpenSSL 0.9.8 support. [RT #15694] 5412 54131993. [bug] Log messages, via syslog, were missing the space 5414 after the timestamp if "print-time yes" was specified. 5415 [RT #15844] 5416 54171992. [bug] Not all incoming zone transfer messages included the 5418 view. [RT #15825] 5419 54201991. [cleanup] The configuration data, once read, should be treated 5421 as read only. Expand the use of const to enforce this 5422 at compile time. [RT #15813] 5423 54241990. 
[bug] libbind: isc's override of broken gettimeofday() 5425 implementations was not always effective. 5426 [RT #15709] 5427 54281989. [bug] win32: don't check the service password when 5429 re-installing. [RT #15882] 5430 54311988. [bug] Remove a bus error from the SHA256/SHA512 support. 5432 [RT #15878] 5433 54341987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] 5435 54361986. [func] Report when a zone is removed. [RT #15849] 5437 54381985. [protocol] DLV has now been assigned a official type code of 5439 32769. [RT #15807] 5440 5441 Note: care should be taken to ensure you upgrade 5442 both named and dnssec-signzone at the same time for 5443 zones with DLV records where named is the master 5444 server for the zone. Also any zones that contain 5445 DLV records should be removed when upgrading a slave 5446 zone. You do not however have to upgrade all 5447 servers for a zone with DLV records simultaneously. 5448 54491984. [func] dig, nslookup and host now advertise a 4096 byte 5450 EDNS UDP buffer size by default. [RT #15855] 5451 54521983. [func] Two new update policies. "selfsub" and "selfwild". 5453 [RT #12895] 5454 54551982. [bug] DNSKEY was being accepted on the parent side of 5456 a delegation. KEY is still accepted there for 5457 RFC 3007 validated updates. [RT #15620] 5458 54591981. [bug] win32: condition.c:wait() could fail to reattain 5460 the mutex lock. 5461 54621980. [func] dnssec-signzone: output the SOA record as the 5463 first record in the signed zone. [RT #15758] 5464 54651979. [port] linux: allow named to drop core after changing 5466 user ids. [RT #15753] 5467 54681978. [port] Handle systems which have a broken recvmsg(). 5469 [RT #15742] 5470 54711977. [bug] Silence noisy log message. [RT #15704] 5472 54731976. [bug] Handle systems with no IPv4 addresses. [RT #15695] 5474 54751975. [bug] libbind: isc_gethexstring() could misparse multi-line 5476 hex strings with comments. [RT #15814] 5477 54781974. 
[doc] List each of the zone types and associated zone 5479 options separately in the ARM. 5480 54811973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and 5482 HMACSHA512 support. [RT #13606] 5483 54841972. [contrib] DBUS dynamic forwarders integration from 5485 Jason Vas Dias <jvdias@redhat.com>. 5486 54871971. [port] linux: make detection of missing IF_NAMESIZE more 5488 robust. [RT #15443] 5489 54901970. [bug] nsupdate: adjust UDP timeout when falling back to 5491 unsigned SOA query. [RT #15775] 5492 54931969. [bug] win32: the socket code was freeing the socket 5494 structure too early. [RT #15776] 5495 54961968. [bug] Missing lock in resolver.c:validated(). [RT #15739] 5497 54981967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779] 5499 55001966. [bug] Don't set CD when we have fallen back to plain DNS. 5501 [RT #15727] 5502 55031965. [func] Suppress spurious "recursion requested but not 5504 available" warning with 'dig +qr'. [RT #15780]. 5505 55061964. [func] Separate out MX and SRV to CNAME checks. [RT #15723] 5507 55081963. [port] Tru64 4.0E doesn't support send() and recv(). 5509 [RT #15586] 5510 55111962. [bug] Named failed to clear old update-policy when it 5512 was removed. [RT #15491] 5513 55141961. [bug] Check the port and address of responses forwarded 5515 to dispatch. [RT #15474] 5516 55171960. [bug] Update code should set NSEC ttls from SOA MINIMUM. 5518 [RT #15465] 5519 55201959. [func] Control the zeroing of the negative response TTL to 5521 a soa query. Defaults "zero-no-soa-ttl yes;" and 5522 "zero-no-soa-ttl-cache no;". [RT #15460] 5523 55241958. [bug] Named failed to update the zone's secure state 5525 until the zone was reloaded. [RT #15412] 5526 55271957. [bug] Dig mishandled responses to class ANY queries. 5528 [RT #15402] 5529 55301956. [bug] Improve cross compile support, 'gen' is now built 5531 by native compiler. See README for additional 5532 cross compile support information. [RT #15148] 5533 55341955. 
[bug] Pre-allocate the cache cleaning iterator. [RT #14998] 5535 55361954. [func] Named now falls back to advertising EDNS with a 5537 512 byte receive buffer if the initial EDNS queries 5538 fail. [RT #14852] 5539 55401953. [func] The maximum EDNS UDP response named will send can 5541 now be set in named.conf (max-udp-size). This is 5542 independent of the advertised receive buffer 5543 (edns-udp-size). [RT #14852] 5544 55451952. [port] hpux: tell the linker to build a runtime link 5546 path "-Wl,+b:". [RT #14816]. 5547 55481951. [security] Drop queries from particular well known ports. 5549 Don't return FORMERR to queries from particular 5550 well known ports. [RT #15636] 5551 55521950. [port] Solaris 2.5.1 and earlier cannot bind() then connect() 5553 a TCP socket. This prevents the source address being 5554 set for TCP connections. [RT #15628] 5555 55561949. [func] Addition memory leakage checks. [RT #15544] 5557 55581948. [bug] If was possible to trigger a REQUIRE failure in 5559 xfrin.c:maybe_free() if named ran out of memory. 5560 [RT #15568] 5561 55621947. [func] It is now possible to configure named to accept 5563 expired RRSIGs. Default "dnssec-accept-expired no;". 5564 Setting "dnssec-accept-expired yes;" leaves named 5565 vulnerable to replay attacks. [RT #14685] 5566 55671946. [bug] resume_dslookup() could trigger a REQUIRE failure 5568 when using forwarders. [RT #15549] 5569 55701945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended. 5571 To generate a RSAMD5 key you must explicitly request 5572 RSAMD5. [RT #13780] 5573 55741944. [cleanup] isc_hash_create() does not need a read/write lock. 5575 [RT #15522] 5576 55771943. [bug] Set the loadtime after rolling forward the journal. 5578 [RT #15647] 5579 55801942. [bug] If the name of a DNSKEY match that of one in 5581 trusted-keys do not attempt to validate the DNSKEY 5582 using the parents DS RRset. [RT #15649] 5583 55841941. 
[bug] ncache_adderesult() should set eresult even if no 5585 rdataset is passed to it. [RT #15642] 5586 55871940. [bug] Fixed a number of error conditions reported by 5588 Coverity. 5589 55901939. [bug] The resolver could dereference a null pointer after 5591 validation if all the queries have timed out. 5592 [RT #15528] 5593 55941938. [bug] The validator was not correctly handling unsecure 5595 negative responses at or below a SEP. [RT #15528] 5596 55971937. [bug] sdlz doesn't handle RRSIG records. [RT #15564] 5598 55991936. [bug] The validator could leak memory. [RT #15544] 5600 56011935. [bug] 'acache' was DO sensitive. [RT #15430] 5602 56031934. [func] Validate pending NS RRsets, in the authority section, 5604 prior to returning them if it can be done without 5605 requiring DNSKEYs to be fetched. [RT #15430] 5606 56071933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534] 5608 56091932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530] 5610 56111931. [bug] Per-client mctx could require a huge amount of memory, 5612 particularly for a busy caching server. [RT #15519] 5613 56141930. [port] HPUX: ia64 support. [RT #15473] 5615 56161929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM. 5617 56181928. [bug] Race in rbtdb.c:currentversion(). [RT #15517] 5619 56201927. [bug] Access to soanode or nsnode in rbtdb violated the 5621 lock order rule and could cause a dead lock. 5622 [RT# 15518] 5623 56241926. [bug] The Windows installer did not check for empty 5625 passwords. BINDinstall was being installed in 5626 the wrong place. [RT #15483] 5627 56281925. [port] All outer level AC_TRY_RUNs need cross compiling 5629 defaults. [RT #15469] 5630 56311924. [port] libbind: hpux ia64 support. [RT #15473] 5632 56331923. [bug] ns_client_detach() called too early. [RT #15499] 5634 56351922. [bug] check-tool.c:setup_logging() missing call to 5636 dns_log_setcontext(). 5637 56381921. [bug] Client memory contexts were not using internal 5639 malloc. 
[RT# 15434] 5640 56411920. [bug] The cache rbtdb lock array was too small to 5642 have the desired performance characteristics. 5643 [RT #15454] 5644 56451919. [contrib] queryperf: a set of new features: collecting/printing 5646 response delays, printing intermediate results, and 5647 adjusting query rate for the "target" qps. 5648 56491918. [bug] Memory leak when checking acls. [RT #15391] 5650 56511917. [doc] funcsynopsisinfo wasn't being treated as verbatim 5652 when generating man pages. [RT #15385] 5653 56541916. [func] Integrate contributed IDN code from JPNIC. [RT #15383] 5655 56561915. [bug] dig +ndots was broken. [RT #15215] 5657 56581914. [protocol] DS is required to accept mnemonic algorithms 5659 (RFC 4034). Still emit numeric algorithms for 5660 compatibility with RFC 3658. [RT #15354] 5661 56621913. [func] Integrate contributed DLZ code into named. [RT #11382] 5663 56641912. [port] aix: atomic locking for powerpc. [RT #15020] 5665 56661911. [bug] Update windows socket code. [RT #14965] 5667 56681910. [bug] dig's +sigchase code overhauled. [RT #14933] 5669 56701909. [bug] The DLV code has been re-worked to make no longer 5671 query order sensitive. [RT #14933] 5672 56731908. [func] dig now warns if 'RA' is not set in the answer when 5674 'RD' was set in the query. host/nslookup skip servers 5675 that fail to set 'RA' when 'RD' is set unless a server 5676 is explicitly set. [RT #15005] 5677 56781907. [func] host/nslookup now continue (default)/fail on SERVFAIL. 5679 [RT #15006] 5680 56811906. [func] dig now has a '-q queryname' and '+showsearch' options. 5682 [RT #15034] 5683 56841905. [bug] Strings returned from cfg_obj_asstring() should be 5685 treated as read-only. The prototype for 5686 cfg_obj_asstring() has been updated to reflect this. 5687 [RT #15256] 5688 56891904. [func] Automatic empty zone creation for D.F.IP6.ARPA and 5690 friends. Note: RFC 1918 zones are not yet covered by 5691 this but are likely to be in a future release. 
5692 5693 New options: empty-server, empty-contact, 5694 empty-zones-enable and disable-empty-zone. 5695 56961903. [func] ISC string copy API. 5697 56981902. [func] Attempt to make the amount of work performed in a 5699 iteration self tuning. The covers nodes clean from 5700 the cache per iteration, nodes written to disk when 5701 rewriting a master file and nodes destroyed per 5702 iteration when destroying a zone or a cache. 5703 [RT #14996] 5704 57051901. [cleanup] Don't add DNSKEY records to the additional section. 5706 57071900. [bug] ixfr-from-differences failed to ensure that the 5708 serial number increased. [RT #15036] 5709 57101899. [func] named-checkconf now validates update-policy entries. 5711 [RT #14963] 5712 57131898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and 5714 ISC_NETADDR_FORMATSIZE to allow for scope details. 5715 57161897. [func] x86 and x86_64 now have separate atomic locking 5717 implementations. 5718 57191896. [bug] Recursive clients soft quota support wasn't working 5720 as expected. [RT #15103] 5721 57221895. [bug] A escaped character is, potentially, converted to 5723 the output character set too early. [RT #14666] 5724 57251894. [doc] Review ARM for BIND 9.4. 5726 57271893. [port] Use uintptr_t if available. [RT #14606] 5728 57291892. [func] Support for SPF rdata type. [RT #15033] 5730 57311891. [port] freebsd: pthread_mutex_init can fail if it runs out 5732 of memory. [RT #14995] 5733 57341890. [func] Raise the UDP receive buffer size to 32k if it is 5735 less than 32k. [RT #14953] 5736 57371889. [port] sunos: non blocking i/o support. [RT #14951] 5738 57391888. [func] Support for IPSECKEY rdata type. [RT #14967] 5740 57411887. [bug] The cache could delete expired records too fast for 5742 clients with a virtual time in the past. [RT #14991] 5743 57441886. [bug] fctx_create() could return success even though it 5745 failed. [RT #14993] 5746 57471885. 
[func] dig: report the number of extra bytes still left in 5748 the packet after processing all the records. 5749 57501884. [cleanup] dighost.c: move external declarations into <dig/dig.h>. 5751 57521883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug 5753 levels. [RT #14962] 5754 57551882. [func] Limit the number of recursive clients that can be 5756 waiting for a single query (<qname,qtype,qclass>) to 5757 resolve. New options clients-per-query and 5758 max-clients-per-query. 5759 57601881. [func] Add a system test for named-checkconf. [RT #14931] 5761 57621880. [func] The lame cache is now done on a <qname,qclass,qtype> 5763 basis as some servers only appear to be lame for 5764 certain query types. [RT #14916] 5765 57661879. [func] "USE INTERNAL MALLOC" is now runtime selectable. 5767 [RT #14892] 5768 57691878. [func] Detect duplicates of UDP queries we are recursing on 5770 and drop them. New stats category "duplicate". 5771 [RT #2471] 5772 57731877. [bug] Fix unreasonably low quantum on call to 5774 dns_rbt_destroy2(). Remove unnecessary unhash_node() 5775 call. [RT #14919] 5776 57771876. [func] Additional memory debugging support to track size 5778 and mctx arguments. [RT #14814] 5779 57801875. [bug] process_dhtkey() was using the wrong memory context 5781 to free some memory. [RT #14890] 5782 57831874. [port] sunos: portability fixes. [RT #14814] 5784 57851873. [port] win32: isc__errno2result() now reports its caller. 5786 [RT #13753] 5787 57881872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753] 5789 57901871. [placeholder] 5791 57921870. [func] Added framework for handling multiple EDNS versions. 5793 [RT #14873] 5794 57951869. [func] dig can now specify the EDNS version when making 5796 a query. [RT #14873] 5797 57981868. [func] edns-udp-size can now be overridden on a per 5799 server basis. [RT #14851] 5800 58011867. [bug] It was possible to trigger a INSIST in 5802 dlv_validatezonekey(). [RT #14846] 5803 58041866. 
[bug] resolv.conf parse errors were being ignored by 5805 dig/host/nslookup. [RT #14841] 5806 58071865. [bug] Silently ignore nameservers in /etc/resolv.conf with 5808 bad addresses. [RT #14841] 5809 58101864. [bug] Don't try the alternative transfer source if you 5811 got a answer / transfer with the main source 5812 address. [RT #14802] 5813 58141863. [bug] rrset-order "fixed" error messages not complete. 5815 58161862. [func] Add additional zone data constancy checks. 5817 named-checkzone has extended checking of NS, MX and 5818 SRV record and the hosts they reference. 5819 named has extended post zone load checks. 5820 New zone options: check-mx and integrity-check. 5821 [RT #4940] 5822 58231861. [bug] dig could trigger a INSIST on certain malformed 5824 responses. [RT #14801] 5825 58261860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was 5827 incorrectly set. [RT #14775] 5828 58291859. [func] Add support for CH A record. [RT #14695] 5830 58311858. [bug] The flush-zones-on-shutdown option wasn't being 5832 parsed. [RT #14686] 5833 58341857. [bug] named could trigger a INSIST() if reconfigured / 5835 reloaded too fast. [RT #14673] 5836 58371856. [doc] Switch Docbook toolchain from DSSSL to XSL. 5838 [RT #11398] 5839 58401855. [bug] ixfr-from-differences was failing to detect changes 5841 of ttl due to dns_diff_subtract() was ignoring the ttl 5842 of records. [RT #14616] 5843 58441854. [bug] lwres also needs to know the print format for 5845 (long long). [RT #13754] 5846 58471853. [bug] Rework how DLV interacts with proveunsecure(). 5848 [RT #13605] 5849 58501852. [cleanup] Remove last vestiges of dnssec-signkey and 5851 dnssec-makekeyset (removed from Makefile years ago). 5852 58531851. [doc] Doxygen comment markup. [RT #11398] 5854 58551850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591] 5856 58571849. [doc] All forms of the man pages (docbook, man, html) should 5858 have consistent copyright dates. 5859 58601848. [bug] Improve SMF integration. 
[RT #13238] 5861 58621847. [bug] isc_ondestroy_init() is called too late in 5863 dns_rbtdb_create()/dns_rbtdb64_create(). 5864 [RT #13661] 5865 58661846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer 5867 <bortzmeyer@nic.fr>. 5868 58691845. [bug] Improve error reporting to distinguish between 5870 accept()/fcntl() and socket()/fcntl() errors. 5871 [RT #13745] 5872 58731844. [bug] inet_pton() accepted more that 4 hexadecimal digits 5874 for each 16 bit piece of the IPv6 address. The text 5875 representation of a IPv6 address has been tightened 5876 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt). 5877 [RT #5662] 5878 58791843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps 5880 when CFLAGS contains "-I /usr/local/include" 5881 resulting in old header files being used. 5882 58831842. [port] cmsg_len() could produce incorrect results on 5884 some platform. [RT #13744] 5885 58861841. [bug] "dig +nssearch" now makes a recursive query to 5887 find the list of nameservers to query. [RT #13694] 5888 58891840. [func] dnssec-signzone can now randomize signature end times 5890 (dnssec-signzone -j jitter). [RT #13609] 5891 58921839. [bug] <isc/hash.h> was not being installed. 5893 58941838. [cleanup] Don't allow Linux capabilities to be inherited. 5895 [RT #13707] 5896 58971837. [bug] Compile time option ISC_FACILITY was not effective 5898 for 'named -u <user>'. [RT #13714] 5899 59001836. [cleanup] Silence compiler warnings in hash_test.c. 5901 59021835. [bug] Update dnssec-signzone's usage message. [RT #13657] 5903 59041834. [bug] Bad memset in rdata_test.c. [RT #13658] 5905 59061833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660] 5907 59081832. [bug] named fails to return BADKEY on unknown TSIG algorithm. 5909 [RT #13620] 5910 59111831. [doc] Update named-checkzone documentation. [RT#13604] 5912 59131830. [bug] adb lame cache has sence of test reversed. [RT #13600] 5914 59151829. [bug] win32: "pid-file none;" broken. 
[RT #13563] 5916 59171828. [bug] isc_rwlock_init() failed to properly cleanup if it 5918 encountered a error. [RT #13549] 5919 59201827. [bug] host: update usage message for '-a'. [RT #37116] 5921 59221826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out 5923 of memory error. [RT #13537] 5924 59251825. [bug] Missing UNLOCK() on out of memory error from in 5926 rbtdb.c:subtractrdataset(). [RT #13519] 5927 59281824. [bug] Memory leak on dns_zone_setdbtype() failure. 5929 [RT #13510] 5930 59311823. [bug] Wrong macro used to check for point to point interface. 5932 [RT#13418] 5933 59341822. [bug] check-names test for RT was reversed. [RT #13382] 5935 59361821. [placeholder] 5937 59381820. [bug] Gracefully handle acl loops. [RT #13659] 5939 59401819. [bug] The validator needed to check both the algorithm and 5941 digest types of the DS to determine if it could be 5942 used to introduce a secure zone. [RT #13593] 5943 59441818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] 5945 59461817. [func] Add support for additional zone file formats for 5947 improving loading performance. The masterfile-format 5948 option in named.conf can be used to specify a 5949 non-default format. A separate command 5950 named-compilezone was provided to generate zone files 5951 in the new format. Additionally, the -I and -O options 5952 for dnssec-signzone specify the input and output 5953 formats. 5954 59551816. [port] UnixWare: failed to compile lib/isc/unix/net.c. 5956 [RT #13597] 5957 59581815. [bug] nsupdate triggered a REQUIRE if the server was set 5959 without also setting the zone and it encountered 5960 a CNAME and was using TSIG. [RT #13086] 5961 59621814. [func] UNIX domain controls are now supported. 5963 59641813. [func] Restructured the data locking framework using 5965 architecture dependent atomic operations (when 5966 available), improving response performance on 5967 multi-processor machines significantly. 
5968 x86, x86_64, alpha, powerpc, and mips are currently 5969 supported. 5970 59711812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect. 5972 [RT #13453] 5973 59741811. [func] Preserve the case of domain names in rdata during 5975 zone transfers. [RT #13547] 5976 59771810. [bug] configure, lib/bind/configure make different default 5978 decisions about whether to do a threaded build. 5979 [RT #13212] 5980 59811809. [bug] "make distclean" failed for libbind if the platform 5982 is not supported. 5983 59841808. [bug] zone.c:notify_zone() contained a race condition, 5985 zone->db could change underneath it. [RT #13511] 5986 59871807. [bug] When forwarding (forward only) set the active domain 5988 from the forward zone name. [RT #13526] 5989 59901806. [bug] The resolver returned the wrong result when a CNAME / 5991 DNAME was encountered when fetching glue from a 5992 secure namespace. [RT #13501] 5993 59941805. [bug] Pending status was not being cleared when DLV was 5995 active. [RT #13501] 5996 59971804. [bug] Ensure that if we are queried for glue that it fits 5998 in the additional section or TC is set to tell the 5999 client to retry using TCP. [RT #10114] 6000 60011803. [bug] dnssec-signzone sometimes failed to remove old 6002 RRSIGs. [RT #13483] 6003 60041802. [bug] Handle connection resets better. [RT #11280] 6005 60061801. [func] Report differences between hints and real NS rrset 6007 and associated address records. 6008 60091800. [bug] Changes #1719 allowed a INSIST to be triggered. 6010 [RT #13428] 6011 60121799. [bug] 'rndc flushname' failed to flush negative cache 6013 entries. [RT #13438] 6014 60151798. [func] The server syntax has been extended to support a 6016 range of servers. [RT #11132] 6017 60181797. [func] named-checkconf now check acls to verify that they 6019 only refer to existing acls. [RT #13101] 6020 60211796. [func] "rndc freeze/thaw" now freezes/thaws all zones. 6022 60231795. [bug] "rndc dumpdb" was not fully documented. 
Minor 6024 formating issues with "rndc dumpdb -all". [RT #13396] 6025 60261794. [func] Named and named-checkzone can now both check for 6027 non-terminal wildcard records. 6028 60291793. [func] Extend adjusting TTL warning messages. [RT #13378] 6030 60311792. [func] New zone option "notify-delay". Specify a minimum 6032 delay between sets of NOTIFY messages. 6033 60341791. [bug] 'host -t a' still printed out AAAA and MX records. 6035 [RT #13230] 6036 60371790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should 6038 allow parallel make to succeed. 6039 60401789. [bug] Prerequisite test for tkey and dnssec could fail 6041 with "configure --with-libtool". 6042 60431788. [bug] libbind9.la/libbind9.so needs to link against 6044 libisccfg.la/libisccfg.so. 6045 60461787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings. 6047 60481786. [port] AIX: libt_api needs to be taught to look for 6049 T_testlist in the main executable (--with-libtool). 6050 [RT #13239] 6051 60521785. [bug] libbind9.la/libbind9.so needs to link against 6053 libisc.la/libisc.so. 6054 60551784. [cleanup] "libtool -allow-undefined" is the default. 6056 Leave hooks in configure to allow it to be set 6057 if needed in the future. 6058 60591783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the 6060 source tree. 6061 60621782. [port] OSX: --with-libtool + --enable-libbind broke on 6063 __evOptMonoTime. [RT #13219] 6064 60651781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810] 6066 60671780. [bug] Update libtool to 1.5.10. 6068 60691779. [port] OSF 5.1: libtool didn't handle -pthread correctly. 6070 60711778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and 6072 IN6ADDR_LOOPBACK_INIT macros. 6073 60741777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and 6075 IN6ADDR_LOOPBACK_INIT macros. 6076 60771776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and 6078 IN6ADDR_LOOPBACK_INIT macros. 6079 60801775. [bug] Only compile getnetent_r.c when threaded. 
[RT #13205] 6081 60821774. [port] Aix: Silence compiler warnings / build failures. 6083 [RT #13154] 6084 60851773. [bug] Fast retry on host / net unreachable. [RT #13153] 6086 60871772. [placeholder] 6088 60891771. [placeholder] 6090 60911770. [bug] named-checkconf failed to report missing a missing 6092 file clause for rbt{64} master/hint zones. [RT#13009] 6093 60941769. [port] win32: change compiler flags /MTd ==> /MDd, 6095 /MT ==> /MD. 6096 60971768. [bug] nsecnoexistnodata() could be called with a non-NSEC 6098 rdataset. [RT #12907] 6099 61001767. [port] Builds on IPv6 platforms without IPv6 Advanced API 6101 support for (struct in6_pktinfo) failed. [RT #13077] 6102 61031766. [bug] Update the master file timestamp on successful refresh 6104 as well as the journal's timestamp. [RT# 13062] 6105 61061765. [bug] configure --with-openssl=auto failed. [RT #12937] 6107 61081764. [bug] dns_zone_replacedb failed to emit a error message 6109 if there was no SOA record in the replacement db. 6110 [RT #13016] 6111 61121763. [func] Perform sanity checks on NS records which refer to 6113 'in zone' names. [RT #13002] 6114 61151762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS 6116 even when it failed. [RT #12995] 6117 61181761. [bug] 'rndc dumpdb' didn't report unassociated entries. 6119 [RT #12971] 6120 61211760. [bug] Host / net unreachable was not penalising rtt 6122 estimates. [RT #12970] 6123 61241759. [bug] Named failed to startup if the OS supported IPv6 6125 but had no IPv6 interfaces configured. [RT #12942] 6126 61271758. [func] Don't send notify messages to self. [RT #12933] 6128 61291757. [func] host now can turn on memory debugging flags with '-m'. 6130 61311756. [func] named-checkconf now checks the logging configuration. 6132 [RT #12352] 6133 61341755. [func] allow-update is now settable at the options / view 6135 level. [RT #6636] 6136 61371754. 
[bug] We weren't always attempting to query the parent 6138 server for the DS records at the zone cut. 6139 [RT #12774] 6140 61411753. [bug] Don't serve a slave zone which has no NS records. 6142 [RT #12894] 6143 61441752. [port] Move isc_app_start() to after ns_os_daemonise() 6145 as some fork() implementations unblock the signals 6146 that are blocked by isc_app_start(). [RT #12810] 6147 61481751. [bug] --enable-getifaddrs failed under linux. [RT #12867] 6149 61501750. [port] lib/bind/make/rules.in:subdirs was not bash friendly. 6151 [RT #12864] 6152 61531749. [bug] 'check-names response ignore;' failed to ignore. 6154 [RT #12866] 6155 61561748. [func] dig now returns the byte count for axfr/ixfr. 6157 61581747. [bug] BIND 8 compatibility: named/named-checkconf failed 6159 to parse "host-statistics-max" in named.conf. 6160 61611746. [func] Make public the function to read a key file, 6162 dst_key_read_public(). [RT #12450] 6163 61641745. [bug] Dig/host/nslookup accept replies from link locals 6165 regardless of scope if no scope was specified when 6166 query was sent. [RT #12745] 6167 61681744. [bug] If tuple2msgname() failed to convert a tuple to 6169 a name a REQUIRE could be triggered. [RT #12796] 6170 61711743. [bug] If isc_taskmgr_create() was not able to create the 6172 requested number of worker threads then destruction 6173 of the manager would trigger an INSIST() failure. 6174 [RT #12790] 6175 61761742. [bug] Deleting all records at a node then adding a 6177 previously existing record, in a single UPDATE 6178 transaction, failed to leave / regenerate the 6179 associated RRSIG records. [RT #12788] 6180 61811741. [bug] Deleting all records at a node in a secure zone 6182 using a update-policy grant failed. [RT #12787] 6183 61841740. [bug] Replace rbt's hash algorithm as it performed badly 6185 with certain zones. 
[RT #12729] 6186 6187 NOTE: a hash context now needs to be established 6188 via isc_hash_create() if the application was not 6189 already doing this. 6190 61911739. [bug] dns_rbt_deletetree() could incorrectly return 6192 ISC_R_QUOTA. [RT #12695] 6193 61941738. [bug] Enable overrun checking by default. [RT #12695] 6195 61961737. [bug] named failed if more than 16 masters were specified. 6197 [RT #12627] 6198 61991736. [bug] dst_key_fromnamedfile() could fail to read a 6200 public key. [RT #12687] 6201 62021735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. 6203 [RE #12688] 6204 62051734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path. 6206 [RT #12588] 6207 62081733. [bug] Return non-zero exit status on initial load failure. 6209 [RT #12658] 6210 62111732. [bug] 'rrset-order name "*"' wasn't being applied to ".". 6212 [RT #12467] 6213 62141731. [port] darwin: relax version test in ifconfig.sh. 6215 [RT #12581] 6216 62171730. [port] Determine the length type used by the socket API. 6218 [RT #12581] 6219 62201729. [func] Improve check-names error messages. 6221 62221728. [doc] Update check-names documentation. 6223 62241727. [bug] named-checkzone: check-names support didn't match 6225 documentation. 6226 62271726. [port] aix5: add support for aix5. 6228 62291725. [port] linux: update error message on interaction of threads, 6230 capabilities and setuid support (named -u). [RT #12541] 6231 62321724. [bug] Look for DNSKEY records with "dig +sigtrace". 6233 [RT #12557] 6234 62351723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493] 6236 62371722. [bug] Don't commit the journal on malformed ixfr streams. 6238 [RT #12519] 6239 62401721. [bug] Error message from the journal processing were not 6241 always identifying the relevant journal. [RT #12519] 6242 62431720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1 6244 negative response. [RT #12506] 6245 62461719. 
[bug] named was not correctly caching a RFC 2308 Type 1 6247 negative response. [RT #12506] 6248 62491718. [bug] nsupdate was not handling RFC 2308 Type 3 negative 6250 responses when looking for the zone / master server. 6251 [RT #12506] 6252 62531717. [port] solaris: ifconfig.sh did not support Solaris 10. 6254 "ifconfig.sh down" didn't work for Solaris 9. 6255 62561716. [doc] named.conf(5) was being installed in the wrong 6257 location. [RT# 12441] 6258 62591715. [func] 'dig +trace' now randomly selects the next servers 6260 to try. Report if there is a bad delegation. 6261 62621714. [bug] dig/host/nslookup were only trying the first 6263 address when a nameserver was specified by name. 6264 [RT #12286] 6265 62661713. [port] linux: extend capset failure message to say: 6267 please ensure that the capset kernel module is 6268 loaded. see insmod(8) 6269 62701712. [bug] Missing FULLCHECK for "trusted-key" in dig. 6271 62721711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'. 6273 62741710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY 6275 messages for the specified zone. [RT #9479] 6276 62771709. [port] solaris: add SMF support from Sun. 6278 62791708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() 6280 for conformance to the name space convention. Binary 6281 backward compatibility to the old function name is 6282 provided. [RT #12376] 6283 62841707. [contrib] sdb/ldap updated to version 1.0-beta. 6285 62861706. [bug] 'rndc stop' failed to cause zones to be flushed 6287 sometimes. [RT #12328] 6288 62891705. [func] Allow the journal's name to be changed via named.conf. 6290 62911704. [port] lwres needed a snprintf() implementation for 6292 platforms without snprintf(). Add missing 6293 "#include <isc/print.h>". [RT #12321] 6294 62951703. [bug] named would loop sending NOTIFY messages when it 6296 failed to receive a response. [RT #12322] 6297 62981702. [bug] also-notify should not be applied to built in zones. 
6299 [RT #12323] 6300 63011701. [doc] A minimal named.conf man page. 6302 63031700. [func] nslookup is no longer to be treated as deprecated. 6304 Remove "deprecated" warning message. Add man page. 6305 63061699. [bug] dnssec-signzone can generate "not exact" errors 6307 when resigning. [RT #12281] 6308 63091698. [doc] Use reserved IPv6 documentation prefix. 6310 63111697. [bug] xxx-source{,-v6} was not effective when it 6312 specified one of listening addresses and a 6313 different port than the listening port. [RT #12257] 6314 63151696. [bug] dnssec-signzone failed to clean out nodes that 6316 consisted of only NSEC and RRSIG records. 6317 [RT #12154] 6318 63191695. [bug] DS records when forwarding require special handling. 6320 [RT #12133] 6321 63221694. [bug] Report if the builtin views of "_default" / "_bind" 6323 are defined in named.conf. [RT #12023] 6324 63251693. [bug] max-journal-size was not effective for master zones 6326 with ixfr-from-differences set. [RT# 12024] 6327 63281692. [bug] Don't set -I, -L and -R flags when libcrypto is in 6329 /usr/lib. [RT #11971] 6330 63311691. [bug] sdb's attachversion was not complete. [RT #11990] 6332 63331690. [bug] Delay detaching view from the client until UPDATE 6334 processing completes when shutting down. [RT #11714] 6335 63361689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros 6337 contained gratuitous semicolons. [RT #11707] 6338 63391688. [bug] LDFLAGS was not supported. 6340 63411687. [bug] Race condition in dispatch. [RT #10272] 6342 63431686. [bug] Named sent a extraneous NOTIFY when it received a 6344 redundant UPDATE request. [RT #11943] 6345 63461685. [bug] Change #1679 loop tests weren't quite right. 6347 63481684. [func] ixfr-from-differences now takes master and slave in 6349 addition to yes and no at the options and view levels. 6350 63511683. [bug] dig +sigchase could leak memory. [RT #11445] 6352 63531682. [port] Update configure test for (long long) printf format. 
        [RT #5066]

1681. [bug] Only set SO_REUSEADDR when a port is specified in
        isc_socket_bind(). [RT #11742]

1680. [func] rndc: the source address can now be specified.

1679. [bug] When there was a single nameserver with multiple
        addresses for a zone not all addresses were tried.
        [RT #11706]

1678. [bug] RRSIG should use TYPEXXXXX for unknown types.

1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.

1676. [func] New option "allow-query-cache". This lets
        allow-query be used to specify the default zone
        access level rather than having to have every
        zone override the global value. allow-query-cache
        can be set at both the options and view levels.
        If allow-query-cache is not set allow-query applies.

1675. [bug] named would sometimes add extra NSEC records to
        the authority section.

1674. [port] linux: increase buffer size used to scan
        /proc/net/if_inet6.

1673. [port] linux: issue an error message if the IPv6 interface
        scan fails.

1672. [cleanup] Tests which only function in a threaded build
        now return R:THREADONLY (rather than R:UNTESTED)
        in a non-threaded build.

1671. [contrib] queryperf: add NAPTR to the list of known types.

1670. [func] Log UPDATE requests to slave zones without an acl as
        "disabled" at debug level 3. [RT# 11657]

1669. [placeholder]

1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.

1667. [port] linux: not all versions have IF_NAMESIZE.

1666. [bug] The optional port on hostnames in dual-stack-servers
        was being ignored.

1665. [func] rndc now allows addresses to be set in the
        server clauses.

1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.

1663. [func] Look for OpenSSL by default.

1662. [bug] Change #1658 failed to change one use of 'type'
        to 'keytype'.

1661. [bug] Restore dns_name_concatenate() call in
        adb.c:set_target(). [RT #11582]

1660. [bug] win32: connection_reset_fix() was being called
        unconditionally. [RT #11595]

1659. [cleanup] Cleanup some messages that were referring to KEY vs
        DNSKEY, NXT vs NSEC and SIG vs RRSIG.

1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
        and DH. Tighten which options apply to KEY and
        DNSKEY records.

1657. [doc] ARM: document query log output.

1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC,
        DNSKEY and RRSIG. [RT #11542]

1655. [bug] Logging multiple versions w/o a size was broken.
        [RT #11446]

1654. [bug] isc_result_totext() contained array bounds read
        error.

1653. [func] Add key type checking to dst_key_fromfilename(),
        DST_TYPE_KEY should be used to read TSIG, TKEY and
        SIG(0) keys.

1652. [bug] TKEY still uses KEY.

1651. [bug] dig: process multiple dash options.

1650. [bug] dig, nslookup: flush standard out after each command.

1649. [bug] Silence "unexpected non-minimal diff" message.
        [RT #11206]

1648. [func] Update dnssec-lookaside named.conf syntax to support
        multiple dnssec-lookaside namespaces (not yet
        implemented).

1647. [bug] It was possible to trigger an INSIST when chasing a DS
        record that required walking back over an empty node.
        [RT #11445]

1646. [bug] win32: logging file versions didn't work with
        non-UNC filenames. [RT#11486]

1645. [bug] named could trigger a REQUIRE failure if multiple
        masters with keys are specified.

1644. [bug] Update the journal modification time after a
        successful refresh query. [RT #11436]

1643. [bug] dns_db_closeversion() could leak memory / node
        references. [RT #11163]

1642. [port] Support OpenSSL implementations which don't have
        DSA support.
        [RT #11360]

1641. [bug] Update the check-names description in ARM. [RT #11389]

1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
        incorrectly closing the socket. [RT #11291]

1639. [func] Initial dlv system test.

1638. [bug] "ixfr-from-differences" could generate a REQUIRE
        failure if the journal open failed. [RT #11347]

1637. [bug] Node reference leak on error in addnoqname().

1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
        an error had occurred. The database version no longer
        matched the version of the database that was dumped.

1635. [bug] Memory leak on error in query_addds().

1634. [bug] named didn't supply a useful error message when it
        detected duplicate views. [RT #11208]

1633. [bug] named should return NOTIMP to update requests to a
        slave without an allow-update-forwarding acl specified.
        [RT #11331]

1632. [bug] nsupdate failed to send prerequisite only UPDATE
        messages. [RT #11288]

1631. [bug] dns_journal_compact() could sometimes corrupt the
        journal. [RT #11124]

1630. [contrib] queryperf: add support for IPv6 transport.

1629. [func] dig now supports IPv6 scoped addresses with the
        extended format in the local-server part. [RT #8753]

1628. [bug] Typo in Compaq Trucluster support. [RT# 11264]

1627. [bug] win32: sockets were not being closed when the
        last external reference was removed. [RT# 11179]

1626. [bug] --enable-getifaddrs was broken. [RT#11259]

1625. [bug] named failed to load/transfer RFC2535 signed zones
        which contained CNAMES. [RT# 11237]

1624. [bug] zonemgr_putio() call should be locked. [RT# 11163]

1623. [bug] A serial number of zero was being displayed in the
        "sending notifies" log message when also-notify was
        used. [RT #11177]

1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
        available, and suppress wildcard binding if not.

1621. [bug] match-destinations did not work for IPv6 TCP queries.
        [RT# 11156]

1620. [func] When loading a zone report if it is signed. [RT #11149]

1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
        [RT# 11118]

1618. [bug] Fencepost errors in dns_name_ishostname() and
        dns_name_ismailbox() could trigger an INSIST().

1617. [port] win32: VC++ 6.0 support.

1616. [compat] Ensure that named's version is visible in the core
        dump. [RT #11127]

1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
        it is defined.

1614. [port] win32: silence resource limit messages. [RT# 11101]

1613. [bug] Builds would fail on machines w/o an if_nametoindex().
        Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
        [RT #11119]

1612. [bug] check-names at the option/view level could trigger
        an INSIST. [RT# 11116]

1611. [bug] solaris: IPv6 interface scanning failed to cope with
        no active IPv6 interfaces.

1610. [bug] On dual stack machines "dig -b" failed to set the
        address type to be looked up with "@server".
        [RT #11069]

1609. [func] dig now has support to chase DNSSEC signature chains.
        Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.

        DNSSEC validation code in dig coded by Olivier Courtay
        (olivier.courtay@irisa.fr) for the IDsA project
        (http://idsa.irisa.fr).

1608. [func] dig and host now accept -4/-6 to select IP transport
        to use when making queries.

1607. [bug] dig, host and nslookup were still using random()
        to generate query ids. [RT# 11013]

1606. [bug] DLV insecurity proof was failing.

1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.

1604. [bug] An xfrout_ctx_create() failure would result in
        xfrout_ctx_destroy() being called with a
        partially initialized structure.

1603. [bug] nsupdate: set interactive based on isatty().
        [RT# 10929]

1602. [bug] Logging to a file failed unless a size was specified.
        [RT# 10925]

1601. [bug] Silence spurious 'both "recursion no;" and
        "allow-recursion" active' warning from view "_bind".
        [RT# 10920]

1600. [bug] Duplicate zone pre-load checks were not case
        insensitive.

1599. [bug] Fix memory leak on error path when checking named.conf.

1598. [func] Specify that certain parts of the namespace must
        be secure (dnssec-must-be-secure).

1597. [func] Allow notify-source and query-source to be specified
        on a per server basis similar to transfer-source.
        [RT #6496]

1596. [func] Accept 'notify-source' style syntax for query-source.

1595. [func] New notify type 'master-only'. Enable notify for
        master zones only.

1594. [bug] 'rndc dumpdb' could prevent named from answering
        queries while the dump was in progress. [RT #10565]

1593. [bug] rndc should return "unknown command" to unknown
        commands. [RT# 10642]

1592. [bug] configure_view() could leak a dispatch. [RT# 10675]

1591. [bug] libbind: updated to BIND 8.4.5.

1590. [port] netbsd: update thread support.

1589. [func] DNSSEC lookaside validation.

1588. [bug] win32: TCP sockets could become blocked. [RT #10115]

1587. [bug] dns_message_settsigkey() failed to clear existing key.
        [RT #10590]

1586. [func] "check-names" is now implemented.

1585. [placeholder]

1584. [bug] "make test" failed with a read only source tree.
        [RT #10461]

1583. [bug] Records added via UPDATE failed to get the correct trust
        level. [RT #10452]

1582. [bug] rrset-order failed to work on RRsets with more
        than 32 elements. [RT #10381]

1581. [func] Disable DNSSEC support by default. To enable
        DNSSEC specify "dnssec-enable yes;" in named.conf.

1580. [bug] Zone destruction on final detach takes a long time.
        [RT #3746]

1579. [bug] Multiple task managers could not be created.

1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
        [RT #10346]

1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
        workaround code. [RT #10331]

1576. [bug] Race condition in dns_dispatch_addresponse().
        [RT# 10272]

1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]

1574. [bug] Don't attempt to open the controls socket(s) when
        running tests. [RT #9091]

1573. [port] linux: update to libtool 1.5.2 so that
        "make install DESTDIR=/xx" works with
        "configure --with-libtool". [RT #9941]

1572. [bug] nsupdate: sign the soa query to find the enclosing
        zone if the server is specified. [RT #10148]

1571. [bug] rbt:hash_node() could fail leaving the hash table
        in an inconsistent state. [RT #10208]

1570. [bug] nsupdate failed to handle classes other than IN.
        New keyword 'class' which sets the default class.
        [RT #10202]

1569. [func] nsupdate new command 'answer' which displays the
        complete answer message to the last update.

1568. [bug] nsupdate now reports that the update failed in
        interactive mode. [RT# 10236]

1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201.

1566. [port] Support for the cmsg framework on Solaris and HP/UX.
        This also solved the problem that match-destinations
        for IPv6 addresses did not work on these systems.
        [RT #10221]

1565. [bug] CD flag should be copied to outgoing queries unless
        the query is under a secure entry point in which case
        CD should be set.

1564. [func] Attempt to provide a fallback entropy source to be
        used if named is running chrooted and named is unable
        to open entropy source within the chroot area.
        [RT #10133]

1563. [bug] Gracefully fail when unable to obtain either an IPv4
        or an IPv6 dispatch. [RT #10230]

1562. [bug] isc_socket_create() and isc_socket_accept() could
        leak memory under error conditions. [RT #10230]

1561. [bug] It was possible to release the same name twice if
        named ran out of memory. [RT #10197]

1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
        and EAI_NONAME to the same value.

1559. [port] named should ignore SIGFSZ.

1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
        child zones for which we don't have a supported
        algorithm. Such child zones are treated as unsigned.

1557. [func] Implement missing DNSSEC tests for
          * NOQNAME proof with wildcard answers.
          * NOWILDCARD proof with NXDOMAIN.
        Cache and return NOQNAME with wildcard answers.

1556. [bug] nsupdate now treats all names as fully qualified.
        [RT #6427]

1555. [func] 'rrset-order cyclic' no longer has a random starting
        point per query. [RT #7572]

1554. [bug] dig, host, nslookup failed when no nameservers
        were specified in /etc/resolv.conf. [RT #8232]

1553. [bug] The windows socket code could stop accepting
        connections. [RT#10115]

1552. [bug] Accept NOTIFY requests from mapped masters if
        matched-mapped is set. [RT #10049]

1551. [port] Open "/dev/null" before calling chroot().

1550. [port] Call tzset(), if available, before calling chroot().

1549. [func] named-checkzone can now write out the zone contents
        in an easily parsable format (-D and -o).

1548. [bug] When parsing APL records it was possible to silently
        accept out of range ADDRESSFAMILY values. [RT# 9979]

1547. [bug] Named wasted memory recording duplicate lame zone
        entries. [RT #9341]

1546. [bug] We were rejecting valid secure CNAME to negative
        answers.

1545. [bug] It was possible to leak memory if named was unable to
        bind to the specified transfer source and TSIG was
        being used. [RT #10120]

1544. [bug] Named would log a single entry to a file despite it
        being over the specified size limit.

1543. [bug] Logging using "versions unlimited" did not work.

1542. [placeholder]

1541. [func] NSEC now uses new bitmap format.

1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
        [RT #8934]

1539. [bug] Open UDP sockets for notify-source and transfer-source
        that use reserved ports at startup. [RT #9475]

1538. [placeholder] rt9997

1537. [func] New option "querylog". If set specify whether query
        logging is to be enabled or disabled at startup.

1536. [bug] Windows socket code failed to log an error description
        when returning ISC_R_UNEXPECTED. [RT #9998]

1535. [placeholder]

1534. [bug] Race condition when priming cache. [RT# 9940]

1533. [func] Warn if both "recursion no;" and "allow-recursion"
        are active. [RT# 4389]

1532. [port] netbsd: the configure test for <sys/sysctl.h>
        requires <sys/param.h>.

1531. [port] AIX more libtool fixes.

1530. [bug] It was possible to trigger an INSIST() failure if a
        slave master file was removed at just the correct
        moment. [RT #9462]

1529. [bug] "notify explicit;" failed to log that NOTIFY messages
        were being sent for the zone. [RT# 9442]

1528. [cleanup] Simplify some dns_name_ functions based on the
        deprecation of bitstring labels.

1527. [cleanup] Reduce the number of gettimeofday() calls without
        losing necessary timer granularity.

1526. [func] Implemented "additional section caching (or acache)",
        an internal cache framework for additional section
        content to improve response performance. Several
        configuration options were provided to control the
        behavior.

1525. [bug] dns_cache_create() could trigger a REQUIRE
        failure in isc_mem_put() during error cleanup.
        [RT# 9360]

1524. [port] AIX needs to be able to resolve all symbols when
        creating shared libraries (--with-libtool).

1523. [bug] Fix race condition in rbtdb. [RT# 9189]

1522. [bug] dns_db_findnode() relax the requirements on 'name'.
        [RT# 9286]

1521. [bug] dns_view_createresolver() failed to check the
        result from isc_mem_create(). [RT# 9294]

1520. [protocol] Add SSHFP (SSH Finger Print) type.

1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
        length of the new bitmap.

1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
        contained an off-by-one error when working out the
        number of octets in the bitmap.

1517. [port] Support for IPv6 interface scanning on HP/UX and
        TrueUNIX 5.1.

1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.

1515. [func] Allow transfer source to be set in a server statement.
        [RT #6496]

1514. [bug] named: isc_hash_destroy() was being called too early.
        [RT #9160]

1513. [doc] Add "US" to root-delegation-only exclude list.

1512. [bug] Extend the delegation-only logging to return query
        type, class and responding nameserver.

1511. [bug] delegation-only was generating false positives
        on negative answers from sub-zones.

1510. [func] New view option "root-delegation-only". Apply
        delegation-only check to all TLDs and root.
        Note there are some TLDs that are NOT delegation
        only (e.g. DE, LV, US and MUSEUM) these can be excluded
        from the checks by using exclude.

        root-delegation-only exclude {
                "DE"; "LV"; "US"; "MUSEUM";
        };

1509. [bug] Hint zones should accept delegation-only. Forward
        zone should not accept delegation-only.

1508. [bug] Don't apply delegation-only checks to answers from
        forwarders.

1507. [bug] Handle BIND 8 style returns to NS queries to parents
        when making delegation-only checks.

1506. [bug] Wrong return type for dns_view_isdelegationonly().

1505. [bug] Uninitialized rdataset in sdb. [RT #8750]

1504. [func] New zone type "delegation-only".

1503. [port] win32: install libeay32.dll outside of system32.

1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.

1501. [func] Allow TCP queue length to be specified via
        named.conf, tcp-listen-queue.

1500. [bug] host failed to lookup MX records. Also look up
        AAAA records.

1499. [bug] isc_random needs to be seeded better if arc4random()
        is not used.

1498. [port] bsdos: 5.x support.

1497. [placeholder]

1496. [port] test for pthread_attr_setstacksize().

1495. [cleanup] Replace hash functions with universal hash.

1494. [security] Turn on RSA BLINDING as a precaution.

1493. [placeholder]

1492. [cleanup] Preserve rwlock quota context when upgrading /
        downgrading. [RT #5599]

1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
        lines. [RT #6206]

1490. [bug] Accept reading state as well as working state in
        ns_client_next(). [RT #6813]

1489. [compat] Treat 'allow-update' on slave zones as a warning.
        [RT #3469]

1488. [bug] Don't override trust levels for glue addresses.
        [RT #5764]

1487. [bug] A REQUIRE() failure could be triggered if a zone was
        queued for transfer and the zone was then removed.
        [RT #6189]

1486. [bug] isc_print_snprintf() '%%' consumed one too many format
        characters. [RT# 8230]

1485. [bug] gen failed to handle high type values. [RT #6225]

1484. [bug] The number of records reported after an AXFR was wrong.
        [RT #6229]

1483. [bug] dig axfr failed if the message id in the answer failed
        to match that in the request. Only the id in the first
        message is required to match. [RT #8138]

1482. [bug] named could fail to start if the kernel supports
        IPv6 but no interfaces are configured. Similarly
        for IPv4. [RT #6229]

1481. [bug] Refresh and stub queries failed to use masters keys
        if specified. [RT #7391]

1480. [bug] Provide replay protection for rndc commands. Full
        replay protection requires both rndc and named to
        be updated. Partial replay protection (limited
        exposure after restart) is provided if just named
        is updated.

1479. [bug] cfg_create_tuple() failed to handle out of
        memory cleanup. parse_list() would leak memory
        on syntax errors.

1478. [port] ifconfig.sh didn't account for other virtual
        interfaces. It now takes an optional argument
        to specify the first interface number. [RT #3907]

1477. [bug] memory leak using stub zones and TSIG.

1476. [placeholder]

1475. [port] Probe for old sprintf().

1474. [port] Provide strtoul() and memmove() for platforms
        without them.

1473. [bug] create_map() and create_string() failed to handle out
        of memory cleanup. [RT #6813]

1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.

1471. [bug] libbind: updated to BIND 8.4.0.

1470. [bug] Incorrect length passed to snprintf. [RT #5966]

1469. [func] Log end of outgoing zone transfer at same level
        as the start of transfer is logged. [RT #4441]

1468. [func] Internal zones are no longer counted for
        'rndc status'. [RT #4706]

1467. [func] $GENERATES now supports optional class and ttl.

1466. [bug] lwresd configuration errors resulted in memory
        and lock leaks. [RT #5228]

1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
        failed to check that trailing bits were zero allowing
        some invalid base64 strings to be accepted. [RT #5397]

1464. [bug] Preserve "out of zone" data for outgoing zone
        transfers. [RT #5192]

1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
        NXT bit maps. [RT #5577]

1462. [bug] parse_sizeval() failed to check the token type.
        [RT #5586]

1461. [bug] Remove deadlock from rbtdb code. [RT #5599]

1460. [bug] inet_pton() failed to reject certain malformed
        IPv6 literals.

1459. [placeholder]

1458. [cleanup] sprintf() -> snprintf().

1457. [port] Provide strlcat() and strlcpy() for platforms without
        them.

1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.

1455. [bug] <netaddr> missing from server grammar in
        doc/misc/options. [RT #5616]

1454. [port] Use getifaddrs() if available for interface scanning.
        --disable-getifaddrs to override. Glibc currently
        has a getifaddrs() that does not support IPv6.
        Use --enable-getifaddrs=glibc to force the use of
        this version under linux machines.

1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]

1452. [placeholder]

1451. [bug] rndc-confgen didn't exit with an error code for all
        failures. [RT #5209]

1450. [bug] Fetching expired glue failed under certain
        circumstances. [RT #5124]

1449. [bug] query_addbestns() didn't handle running out of memory
        gracefully.

1448. [bug] Handle empty wildcard labels.

1447. [bug] We were casting (unsigned int) to and from (void *).
        rdataset->private4 is now rdataset->privateuint4
        to reflect a type change.

1446. [func] Implemented undocumented alternate transfer sources
        from BIND 8. See use-alt-transfer-source,
        alt-transfer-source and alt-transfer-source-v6.

        SECURITY: use-alt-transfer-source is ENABLED unless
        you are using views. This may cause a security risk
        resulting in accidental disclosure of wrong zone
        content if the master is supplying different source
        content based on IP address. If you are not certain,
        ISC recommends setting use-alt-transfer-source no;

1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
        been replaced with DNS_ADBFIND_STARTATZONE which
        causes the search to start using the closest zone.

1444. [func] dns_view_findzonecut2() allows you to specify if the
        cache should be searched for zone cuts.

1443. [func] Masters lists can now be specified and referenced
        in zone masters clauses and other masters lists.

1442. [func] New functions for manipulating port lists:
        dns_portlist_create(), dns_portlist_add(),
        dns_portlist_remove(), dns_portlist_match(),
        dns_portlist_attach() and dns_portlist_detach().

1441. [func] It is now possible to tell dig to bind to a specific
        source port.

1440. [func] It is now possible to tell named to avoid using
        certain source ports (avoid-v4-udp-ports,
        avoid-v6-udp-ports).

1439. [bug] Named could return NOERROR with certain NOTIFY
        failures. Return NOTAUTH if the NOTIFY zone is
        not being served.

1438. [func] Log TSIG (if any) when logging NOTIFY requests.

1437. [bug] Leave space for stdio to work in. [RT #5033]

1436. [func] dns_zonemgr_resumexfrs() can be used to restart
        stalled transfers.

1435. [bug] zmgr_resume_xfrs() was being called read locked
        rather than write locked. zmgr_resume_xfrs()
        was not being called if the zone was being
        shutdown.

1434. [bug] "rndc reconfig" failed to initiate the initial
        zone transfer of new slave zones.

1433. [bug] named could trigger a REQUIRE failure if it could
        not get a file descriptor when attempting to write
        a master file. [RT #4347]

1432. [func] The advertised EDNS UDP buffer size can now be set
        via named.conf (edns-udp-size).

1431. [bug] isc_print_snprintf() "%s" with precision could walk off
        end of argument. [RT #5191]

1430. [port] linux: IPv6 interface scanning support.

1429. [bug] Prevent the cache getting locked to old servers.

1428. [placeholder]

1427. [bug] Race condition in adb with threaded build.

1426. [placeholder]

1425. [port] linux/libbind: define __USE_MISC when testing *_r()
        function prototypes in netdb.h. [RT #4921]

1424. [bug] EDNS version not being correctly printed.

1423. [contrib] queryperf: added A6 and SRV.

1422. [func] Log name/type/class when denying a query. [RT #4663]

1421. [func] Differentiate updates that don't succeed due to
        prerequisites (unsuccessful) vs other reasons
        (failed).

1420. [port] solaris: work around gcc optimizer bug.

1419. [port] openbsd: use /dev/arandom. [RT #4950]

1418. [bug] 'rndc reconfig' did not cause new slaves to load.

1417. [func] ID.SERVER/CHAOS is now a built in zone.
        See "server-id" for how to configure.

1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
        [RT #4715]

1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
        from SOA MINIMUM.

1414. [func] Support for KSK flag.

1413. [func] Explicitly request the (re-)generation of DS records
        from keysets (dnssec-signzone -g).

1412. [func] You can now specify servers to be tried if a nameserver
        has IPv6 address and you only support IPv4 or the
        reverse. See dual-stack-servers.

1411. [bug] empty nodes should stop wildcard matches. [RT #4802]

1410. [func] Handle records that live in the parent zone, e.g. DS.

1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.

1408. [bug] "make distclean" was not complete. [RT #4700]

1407. [bug] lfsr incorrectly implements the shift register.
        [RT #4617]

1406. [bug] dispatch initializes one of the LFSR's with an incorrect
        polynomial. [RT #4617]

1405. [func] Use arc4random() if available.

1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
        buffer.

1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset and
        dnssec-signkey now report their version in the
        usage message.

1402. [cleanup] A6 has been moved to experimental and is no longer
        fully supported.

1401. [bug] adb wasn't clearing state when the timer expired.

1400. [bug] Block the addition of wildcard NS records by IXFR
        or UPDATE. [RT #3502]

1399. [bug] Use serial number arithmetic when testing SIG
        timestamps. [RT #4268]

1398. [doc] ARM: notify-also should have been also-notify.
        [RT #4345]

1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30.

1396. [func] dnssec-signzone: adjust the default signing time by
        1 hour to allow for clock skew.

1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
        have a working implementation. [RT #4079]

1394. [func] It is now possible to check if a particular element is
        in an acl. Remove duplicate entries from the localnets
        acl.

1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
        is not available in the kernel to prevent accidentally
        listening on IPv4 interfaces.

1392. [bug] named-checkzone: update usage.

1391. [func] Add support for IPv6 scoped addresses in named.

1390. [func] host now supports ixfr.

1389. [bug] named could fail to rotate long log files. [RT #3666]

1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
        defining HAVE_IFLIST_SYSCTL. [RT #3770]

1387. [bug] named could crash due to an access to invalid memory
        space (which caused an assertion failure) in
        incremental cleaning. [RT #3588]

1386. [bug] named-checkzone -z stopped on errors in a zone.
        [RT #3653]

1385. [bug] Setting serial-query-rate to 10 would trigger a
        REQUIRE failure.

1384. [bug] host was incompatible with BIND 8 in its exit code and
        in the output with the -l option. [RT #3536]

1383. [func] Track the serial number in an IXFR response and log if
        a mismatch occurs. This is a more specific error than
        "not exact". [RT #3445]

1382. [bug] make install failed with --enable-libbind. [RT #3656]

1381. [bug] named failed to correctly process answers that
        contained DNAME records where the resulting CNAME
        resulted in a negative answer.

1380. [func] 'rndc recursing' dump recursing queries to
        'recursing-file = "named.recursing";'.

1379. [func] 'rndc status' now reports tcp and recursion quota
        states.

1378. [func] Improved positive feedback for 'rndc {reload|refresh}'.

1377. [func] dns_zone_load{new}() now reports if the zone was
        loaded, queued for loading or up to date.

1376. [func] New function dns_zone_logc() to log to specified
        category.

1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
        data cache.

1374. [func] dns_adb_dump() now logs the lame zones associated
        with each server.

1373. [bug] Recovery from expired glue failed under certain
        circumstances.

1372. [bug] named crashes with an assertion failure on exit when
        sharing the same port for listening and querying, and
        changing listening addresses several times.
        [RT# 3509]

1371. [bug] notify-source-v6, transfer-source-v6 and
        query-source-v6 with explicit addresses and using the
        same ports as named was listening on could interfere
        with named's ability to answer queries sent to those
        addresses.

1370. [bug] dig '+[no]recurse' was incorrectly documented.

1369. [bug] Adding an NS record as the lexicographically last
        record in a secure zone didn't work.

1368. [func] remove support for bitstring labels.

1367. [func] Use response times to select forwarders.

1366. [contrib] queryperf usage was incomplete. Add '-h' for help.

1365. [func] "localhost" and "localnets" acls now include IPv6
        addresses / prefixes.

1364. [func] Log file name when unable to open memory statistics
        and dump database files. [RT# 3437]

1363. [func] Listen-on-v6 now supports specific addresses.

1362. [bug] remove IFF_RUNNING test when scanning interfaces.

1361. [func] log the reason for rejecting a server when resolving
        queries.

1360. [bug] --enable-libbind would fail when not built in the
        source tree for certain OS's.

1359. [security] Support patches OpenSSL libraries.
        http://www.cert.org/advisories/CA-2002-23.html

1358. [bug] It was possible to trigger an INSIST when debugging
        large dynamic updates. [RT #3390]

1357. [bug] nsupdate was extremely wasteful of memory.

1356. [tuning] Reduce the number of events / quantum for zone tasks.

1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.

1354. [doc] lwres man pages had illegal nroff.

1353. [contrib] sdb/ldap to version 0.9.

1352. [bug] dig, host, nslookup when falling back to TCP use the
        current search entry (if any). [RT #3374]

1351. [bug] lwres_getipnodebyname() returned the wrong name
        when given an IPv4 literal, af=AF_INET6 and AI_MAPPED
        was set.

1350. [bug] dns_name_fromtext() failed to handle too many labels
        gracefully.

1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
        http://www.cert.org/advisories/CA-2002-23.html

1348. [port] win32: Rewrote code to use I/O Completion Ports
        in socket.c and eliminating a host of socket
        errors. Performance is enhanced.

1347. [placeholder]

1346. [placeholder]

1345. [port] Use an explicit -Wformat with gcc. Not all versions
        include it in -Wall.

1344. [func] Log if the serial number on the master has gone
        backwards.
        If you have multiple machines specified in the masters
        clause you may want to set 'multi-master yes;' to
        suppress this warning.

1343. [func] Log successful notifies received (info). Adjust log
        level for failed notifies to notice.

1342. [func] Log remote address with TCP dispatch failures.

1341. [func] Allow a rate limiter to be stalled.

1340. [bug] Delay and spread out the startup refresh load.

1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
        lookups. Bit string lookups are no longer attempted.

1338. [placeholder]

1337. [placeholder]

1336. [func] Nibble lookups under IP6.ARPA are now supported by
        dns_byaddr_create(). dns_byaddr_createptrname() is
        deprecated, use dns_byaddr_createptrname2() instead.

1335. [bug] When performing a nonexistence proof, the validator
        should discard parent NXTs from higher in the DNS.

1334. [bug] When signing/verifying rdatasets, duplicate rdatas
        need to be suppressed.

1333. [contrib] queryperf now reports a summary of returned
        rcodes (-c), rcodes are printed in mnemonic form (-v).

1332. [func] Report the current serial with periodic commits when
        rolling forward the journal.

1331. [func] Generate DNSSEC wildcard proofs.

1330. [bug] When processing events (non-threaded) only allow
        the task one chance to use its quantum.

1329. [func] named-checkzone will now check for nameservers that
        appear to be IP addresses. Available modes "fail",
        "warn" (default) and "ignore" the results of the
        check.

1328. [bug] The validator could incorrectly verify an invalid
        negative proof.

1327. [bug] The validator would incorrectly mark data as insecure
        when seeing a bogus signature before a correct
        signature.

1326. [bug] DNAME/CNAME signatures were not being cached when
        validation was not being performed. [RT #3284]

1325. [bug] If the tcpquota was exhausted it was possible
        to trigger an INSIST() failure.

1324. [port] darwin: ifconfig.sh now supports darwin.

1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]

1322. [bug] dnssec-signzone usage message was misleading.

1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
        would incorrectly duplicate its output and sign it.

1320. [doc] query-source-v6 was missing from options section.
        [RT #3218]

1319. [func] libbind: log attempts to exploit #1318.

1318. [bug] libbind: Remote buffer overrun.

1317. [port] libbind: TrueUNIX 5.1 does not like __align as an
        element name.

1316. [bug] libbind: gethostans() could get out of sync parsing
        the response if there was a very long CNAME chain.

1315. [bug] Options should apply to the internal _bind view.

1314. [port] Handle ECONNRESET from sendmsg() [unix].

1313. [func] Query log now says if the query was signed (S) or
        if EDNS was used (E).

1312. [func] Log TSIG key used w/ outgoing zone transfers.

1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]

1310. [bug] 'rndc stop' failed to cause zones to be flushed
        sometimes.
        [RT #3157]

1309. [func] Log that a zone transfer was covered by a TSIG.

1308. [func] DS (delegation signer) support.

1307. [bug] nsupdate: allow white space base64 key data.

1306. [bug] Badly encoded LOC record when the size, horizontal
        precision or vertical precision was 0.1m.

1305. [bug] Document that internal zones are included in the
        rndc status results.

1304. [func] New function: dns_zone_name().

1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.

1302. [func] Extended rndc dumpdb to support dumping of zones and
        view selection: 'dumpdb [-all|-zones|-cache] [view]'.

1301. [func] New category 'update-security'.

1300. [port] Compaq Trucluster support.

1299. [bug] Set AI_ADDRCONFIG when looking up addresses
        via getaddrinfo() (affects dig, host, nslookup, rndc
        and nsupdate).

1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
        could be left with a trailing "\" after configure
        has been run.

1297. [port] linux: make handling EINVAL from socket() no longer
        conditional on #ifdef LINUX.

1296. [bug] isc_log_closefilelogs() needed to lock the log
        context.

1295. [bug] isc_log_setdebuglevel() needed to lock the log
        context.

1294. [func] libbind: no longer attempts bit string labels for
        IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
        for nibble style resolution.

1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]

1292. [func] Enable IPv6 support when using ioctl style interface
        scanning and OS supports SIOCGLIFADDR using struct
        if_laddrreq.

1291. [func] Enable IPv6 support when using sysctl style interface
        scanning.

1290. [func] "dig axfr" now reports the number of messages
        as well as the number of records.

1289. [port] See if -ldl is required for OpenSSL? [RT #2672]

1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
        reflect written requirements.

1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
        a rdataset to a zone db in the rbtdb implementation of
        addrdataset.

1286. [bug] dns_name_downcase() enforce requirement that
        target != NULL or name->buffer != NULL.

1285. [func] lwres: probe the system to see what address families
        are currently in use.

1284. [bug] The RTT estimate on unused servers was not aged.
        [RT #2569]

1283. [func] Use "dataready" accept filter if available.

1282. [port] libbind: hpux 11.11 interface scanning.

1281. [func] Log zone when unable to get private keys to update
        zone. Log zone when NXT records are missing from
        secure zone.

1280. [bug] libbind: escape '(' and ')' when converting to
        presentation form.

1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]

1278. [func] dig: now supports +[no]cl +[no]ttlid.

1277. [func] You can now create your own customized printing
        styles: dns_master_stylecreate() and
        dns_master_styledestroy().

1276. [bug] libbind: const pointer conflicts in res_debug.c.

1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.

1274. [bug] Memory leak in lwres_gnbarequest_parse().

1273. [port] libbind: solaris: 64 bit binary compatibility.

1272. [contrib] Berkeley DB 4.0 sdb implementation from
        Nuno Miguel Rodrigues <nmr@co.sapo.pt>.

1271. [bug] "recursion available: {denied,approved}" was too
        confusing.

1270. [bug] Check that system inet_pton() and inet_ntop() support
        AF_INET6.

1269. [port] Openserver: ifconfig.sh support.

1268. [port] Openserver: the value FD_SETSIZE depends on whether
        <sys/param.h> is included or not. Be consistent.

1267. [func] isc_file_openunique() now creates file using mode
        0666 rather than 0600.

1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
        __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
        are not C++ compatible, use *_TYPE versions instead.

1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
        C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.

1264. [placeholder]

1263. [bug] Reference after free error if dns_dispatchmgr_create()
        failed.

1262. [bug] ns_server_destroy() failed to set *serverp to NULL.

1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
        support for compressed TSIG owner names.

1260. [func] libbind: res_update can now update IPv6 servers,
        new function res_findzonecut2().

1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
        w/o sa_len.

1258. [bug] libbind: res_nametotype() and res_nametoclass() were
        broken.

1257. [bug] Failure to write pid-file should not be fatal on
        reload. [RT #2861]

1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.

1255. [bug] When verifying that an NXT proves nonexistence, check
        the rcode of the message and only do the matching NXT
        check. That is, for NXDOMAIN responses, check that
        the name is in the range between the NXT owner and
        next name, and for NOERROR NODATA responses, check
        that the type is not present in the NXT bitmap.

1254. [func] preferred-glue option from BIND 8.3.

1253. [bug] The dnssec system test failed to remove the correct
        files.

1252. [bug] Dig, host and nslookup were not checking the address
        the answer was coming from against the address it was
        sent to. [RT# 2692]

1251. [port] win32: a make file contained absolute version specific
        references.

1250. [func] Nsupdate will report the address the update was
        sent to.

1249. [bug] Missing masters clause was not handled gracefully.
        [RT #2703]

1248. [bug] DESTDIR was not being propagated between makes.

1247. [bug] Don't reset the interface index for link/site local
        addresses. [RT #2576]

1246. [func] New functions isc_sockaddr_issitelocal(),
        isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
        and isc_netaddr_islinklocal().

1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
        accept().

1244. [bug] Receiving a TCP message from a blackhole address would
        prevent further messages being received over that
        interface.

1243. [bug] It was possible to trigger a REQUIRE() in
        dns_message_findtype(). [RT #2659]

1242. [bug] named-checkzone failed if a journal existed. [RT #2657]

1241. [bug] Drop received UDP messages with a zero source port
        as these are invariably forged. [RT #2621]

1240. [bug] It was possible to leak zone references by
        specifying an incorrect zone to rndc.

1239. [bug] Under certain circumstances named could continue to
        use a name after it had been freed triggering
        INSIST() failures. [RT #2614]

1238. [bug] It is possible to lockup the server when shutting down
        if notifies were being processed. [RT #2591]

1237. [bug] nslookup: "set q=type" failed.

1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
        NULL terminated text regions. [RT #2588]

1235. [func] Report 'out of memory' errors from openssl.

1234. [bug] contrib/sdb: 'zonetodb' failed to call
        dns_result_register(). DNS_R_SEENINCLUDE should not
        be fatal.

1233. [bug] The flags field of a KEY record can be expressed in
        hex as well as decimal.

1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.

1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.

1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.

1229. [bug] named would crash if it received a TSIG signed
        query as part of an AXFR response. [RT #2570]

1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]

1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
        if a number was expected and some other token was
        found. [RT#2532]

1226. [func] Use EDNS for zone refresh queries. [RT #2551]

1225. [func] dns_message_setopt() no longer requires that
        dns_message_renderbegin() to have been called.

1224. [bug] 'rrset-order' and 'sortlist' should be additive
        not exclusive.

1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
        are supported.

1222. [bug] Specifying 'port *' did not always result in a system
        selected (non-reserved) port being used. [RT #2537]

1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
        compared case insensitively. [RT #2542]

1220. [func] Support for APL rdata type.

1219. [func] Named now reports the TSIG extended error code when
        signature verification fails. [RT #1651]

1218. [bug] Named incorrectly returned SERVFAIL rather than
        NOTAUTH when there was a TSIG BADTIME error. [RT #2519]

1217. [func] Report locations of previous key definition when a
        duplicate is detected.

1216. [bug] Multiple server clauses for the same server were not
        reported. [RT #2514]

1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1

1214. [bug] Win32: isc_file_renameunique() could leave zero length
        files behind.

1213. [func] Report view associated with client if it is not a
        standard view (_default or _bind).

1212. [port] libbind: 64k answer buffers were causing stack space
        to be exceeded for certain OS.
        Use heap space instead.

1211. [bug] dns_name_fromtext() incorrectly handled certain
        valid octal bitlabels. [RT #2483]

1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
        compatible addresses. [RT #2461]

1209. [bug] Dig, host, nslookup were not checking the message ids
        on the responses. [RT #2454]

1208. [bug] dns_master_load*() failed to log an error message if
        an error was detected when parsing the ownername of
        a record. [RT #2448]

1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
        an invalid pointer.

1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
        trigger a non-EDNS retry.

1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
        of the message. [RT #2449]

1204. [bug] libbind: res_nupdate() failed to update the name
        server addresses before sending the update.

1203. [func] Report locations of previous acl and zone definitions
        when a duplicate is detected.

1202. [func] New functions: cfg_obj_line() and cfg_obj_file().

1201. [bug] Require that if 'callbacks' is passed to
        dns_rdata_fromtext(), callbacks->error and
        callbacks->warn are initialized.

1200. [bug] Log 'errno' that we are unable to convert to
        isc_result_t. [RT #2404]

1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
        [RT #2436]

1198. [bug] OPT printing style was not consistent with the way the
        header fields are printed. The DO bit was not reported
        if set. Report if any of the MBZ bits are set.

1197. [bug] Attempts to define the same acl multiple times were not
        detected.

1196. [contrib] update mdnkit to 2.2.3.

1195. [bug] Attempts to redefine builtin acls should be caught.
        [RT #2403]

1194. [bug] Not all duplicate zone definitions were being detected
        at the named.conf checking stage.
        [RT #2431]

1193. [bug] dig +besteffort parsing didn't handle packet
        truncation. dns_message_parse() has new flag
        DNS_MESSAGE_IGNORETRUNCATION.

1192. [bug] The seconds fields in LOC records were restricted
        to three decimal places. More decimal places should
        be allowed but warned about.

1191. [bug] A dynamic update removing the last non-apex name in
        a secure zone would fail. [RT #2399]

1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
        [RT #2394]

1189. [bug] On some systems, malloc(0) returns NULL, which
        could cause the caller to report an out of memory
        error. [RT #2398]

1188. [bug] Dynamic updates of a signed zone would fail if
        some of the zone private keys were unavailable.

1187. [bug] named was incorrectly returning DNSSEC records
        in negative responses when the DO bit was not set.

1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
        EOL token when reading to end of line.

1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
        unless RES_INIT is set when calling res_*init().

1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
        when res_*init() is called.

1183. [bug] Handle ENOSR error when writing to the internal
        control pipe. [RT #2395]

1182. [bug] The server could throw an assertion failure when
        constructing a negative response packet.

1181. [func] Add the "key-directory" configuration statement,
        which allows the server to look for online signing
        keys in alternate directories.

1180. [func] dnssec-keygen should always generate keys with
        protocol 3 (DNSSEC), since it's less confusing
        that way.

1179. [func] Add SIG(0) support to nsupdate.

1178. [bug] Follow and cache (if appropriate) A6 and other
        data chains to completion in the additional section.

1177. [func] Report view when loading zones if it is not a
        standard view (_default or _bind). [RT #2270]

1176. [doc] Document that allow-v6-synthesis is only performed
        for clients that are supplied recursive service.
        [RT #2260]

1175. [bug] named-checkzone and named-checkconf failed to call
        dns_result_register() at startup which could
        result in runtime exceptions when printing
        "out of memory" errors. [RT #2335]

1174. [bug] Win32: add WSAECONNRESET to the expected errors
        from connect(). [RT #2308]

1173. [bug] Potential memory leaks in isc_log_create() and
        isc_log_settag(). [RT #2336]

1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
        table of RR types in ARM.

1171. [func] Added function isc_region_compare(), updated files in
        lib/dns to use this function instead of local one.

1170. [bug] Don't attempt to print the token when an I/O error
        occurs when parsing named.conf. [RT #2275]

1169. [func] Identify recursive queries in the query log.

1168. [bug] Empty also-notify clauses were not handled. [RT #2309]

1167. [contrib] nslint-2.1a3 (from author).

1166. [bug] "Not Implemented" should be reported as NOTIMP,
        not NOTIMPL. [RT #2281]

1165. [bug] We were rejecting notify-source{-v6} in zone clauses.

1164. [bug] Empty masters clauses in slave / stub zones were not
        handled gracefully. [RT #2262]

1163. [func] isc_time_formattimestamp() now includes the year.

1162. [bug] The allow-notify option was not accepted in slave
        zone statements.

1161. [bug] named-checkzone looped on unbalanced brackets.
        [RT #2248]

1160. [bug] Generating Diffie-Hellman keys longer than 1024
        bits could fail. [RT #2241]

1159. [bug] MD and MF are not permitted to be loaded by RFC1123.

1158. [func] Report the client's address when logging notify
        messages.

1157. [func] match-clients and match-destinations now accept
        keys. [RT #2045]

1156. [port] The configure test for strsep() incorrectly
        succeeded on certain patched versions of
        AIX 4.3.3. [RT #2190]

1155. [func] Recover from master files being removed from under
        us.

1154. [bug] Don't attempt to obtain the netmask of an interface
        if there is no address configured. [RT #2176]

1153. [func] 'rndc {stop|halt} -p' now reports the process id
        of the instance of named being shutdown.

1152. [bug] libbind: read buffer overflows.

1151. [bug] nslookup failed to check that the arguments to
        the port, timeout, and retry options were
        valid integers and in range. [RT #2099]

1150. [bug] named incorrectly accepted TTL values
        containing plus or minus signs, such as
        1d+1h-1s.

1149. [func] New function isc_parse_uint32().

1148. [func] 'rndc-confgen -a' now provides positive feedback.

1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
        the OS. listen-on-v6 { any; }; should no longer
        result in IPv4 queries being accepted. Similarly
        control { inet :: ... }; should no longer result
        in IPv4 connections being accepted. This can be
        overridden at compile time by defining
        ISC_ALLOW_MAPPED=1.

1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
        supported by the OS by a new function
        isc_socket_ipv6only().

1145. [func] "host" no longer reports a NOERROR/NODATA response
        by printing nothing. [RT #2065]

1144. [bug] rndc-confgen would crash if both the -a and -t
        options were specified. [RT #2159]

1143. [bug] When a trusted-keys statement was present and named
        was built without crypto support, it would leak memory.

1142. [bug] dnssec-signzone would fail to delete temporary files
        in some failure cases. [RT #2144]

1141. [bug] When named rejected a control message, it would
        leak a file descriptor and memory. It would also
        fail to respond, causing rndc to hang.
        [RT #2139, #2164]

1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
        to the -s option. [RT #2138]

1139. [func] It is now possible to flush a given name from the
        cache(s) via 'rndc flushname name [view]'. [RT #2051]

1138. [func] It is now possible to flush a given name from the
        cache by calling the new function
        dns_cache_flushname().

1137. [func] It is now possible to flush a given name from the
        ADB by calling the new function dns_adb_flushname().

1136. [bug] CNAME records synthesized from DNAMEs did not
        have a TTL of zero as required by RFC2672.
        [RT #2129]

1135. [func] You can now override the default syslog() facility for
        named/lwresd at compile time. [RT #1982]

1134. [bug] Multi-threaded servers could deadlock in ferror()
        when reloading zone files. [RT #1951, #1998]

1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
        platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]

1132. [func] Improve UPDATE prerequisite failure diagnostic messages.

1131. [bug] The match-destinations view option did not work with
        IPv6 destinations. [RT #2073, #2074]

1130. [bug] Log messages reporting an out-of-range serial number
        did not include the out-of-range number but the
        following token. [RT #2076]

1129. [bug] Multi-threaded servers could crash under heavy
        resolution load due to a race condition. [RT #2018]

1128. [func] sdb drivers can now provide RR data in either text
        or wire format, the latter using the new functions
        dns_sdb_putrdata() and dns_sdb_putnamedrdata().

1127. [func] rndc: If the server to contact has multiple addresses,
        try all of them.

1126. [bug] The server could access a freed event if shut
        down while a client start event was pending
        delivery. [RT #2061]

1125. [bug] rndc: -k option was missing from usage message.
        [RT #2057]

1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
        are now documented. [RT #2052]

1123. [bug] dig +[no]fail did not match description. [RT #2052]

1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
        [RT #2046]

1121. [bug] The server could attempt to access a NULL zone
        table if shut down while resolving.
        [RT #1587, #2054]

1120. [bug] Errors in options were not fatal. [RT #2002]

1119. [func] Added support in Win32 for NTFS file/directory ACL's
        for access control.

1118. [bug] On multi-threaded servers, a race condition
        could cause an assertion failure in resolver.c
        during resolver shutdown. [RT #2029]

1117. [port] The configure check for in6addr_loopback incorrectly
        succeeded on AIX 4.3 when compiling with -O2
        because the test code was optimized away.
        [RT #2016]

1116. [bug] Setting transfers in a server clause, transfers-in,
        or transfers-per-ns to a value greater than
        2147483647 disabled transfers. [RT #2002]

1115. [func] Set maximum values for cleaning-interval,
        heartbeat-interval, interface-interval,
        max-transfer-idle-in, max-transfer-idle-out,
        max-transfer-time-in, max-transfer-time-out,
        statistics-interval of 28 days and
        sig-validity-interval of 3660 days. [RT #2002]

1114. [port] Ignore more accept() errors. [RT #2021]

1113. [bug] The allow-update-forwarding option was ignored
        when specified in a view. [RT #2014]

1112. [placeholder]

1111. [bug] Multi-threaded servers could deadlock processing
        recursive queries due to a locking hierarchy
        violation in adb.c. [RT #2017]

1110. [bug] dig should only accept valid abbreviations of +options.
        [RT #2003]

1109. [bug] nsupdate accepted illegal ttl values.

1108. [bug] On Win32, rndc was hanging when named was not running
        due to failure to select for exceptional conditions
        in select(). [RT #1870]

1107. [bug] nsupdate could catch an assertion failure if an
        invalid domain name was given as the argument to
        the "zone" command.

1106. [bug] After seeing an out of range TTL, nsupdate would
        treat all TTLs as out of range. [RT #2001]

1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]

1104. [bug] Invalid arguments to the transfer-format option
        could cause an assertion failure. [RT #1995]

1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]

1102. [doc] Note that query logging is enabled by directing the
        queries category to a channel.

1101. [bug] Array bounds read error in lwres_gai_strerror.

1100. [bug] libbind: DNSSEC key ids were computed incorrectly.

1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
        compile time errors.

1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.

1097. [func] libbind: RES_PRF_TRUNC for dig.

1096. [func] libbind: "DNSSEC OK" (DO) support.

1095. [func] libbind: resolver option: no-tld-query. disables
        trying unqualified as a tld. no_tld_query is also
        supported for FreeBSD compatibility.

1094. [func] libbind: add support gcc's format string checking.

1093. [doc] libbind: miscellaneous nroff fixes.

1092. [bug] libbind: get*by*() failed to check if res_init() had
        been called.

1091. [bug] libbind: misplaced va_end().

1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
        the amount of memory consumed resulting in garbage
        address being returned. Alignment calculations were
        wasting space.
        We weren't suppressing duplicate
        addresses.

1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
        support.

1088. [port] libbind: MPE/iX C.70 (incomplete)

1087. [bug] libbind: struct __res_state too large on 64 bit arch.

1086. [port] libbind: sunos: old sprintf.

1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
        exist when compiling in 64 bit mode.

1084. [cleanup] libbind: gai_strerror() rewritten.

1083. [bug] The default control channel listened on the
        wildcard address, not the loopback as documented.
        [RT #1975]

1082. [bug] The -g option to named incorrectly caused logging
        to be sent to syslog in addition to stderr.
        [RT #1974]

1081. [bug] Multicast queries were incorrectly identified
        based on the source address, not the destination
        address.

1080. [bug] BIND 8 compatibility: accept bare IP prefixes
        as the second element of a two-element top level
        sort list statement. [RT #1964]

1079. [bug] BIND 8 compatibility: accept bare elements at top
        level of sort list treating them as if they were
        a single element list. [RT #1963]

1078. [bug] We failed to correct bad tv_usec values in one case.
        [RT #1966]

1077. [func] Do not accept further recursive clients when
        the total number of recursive lookups being
        processed exceeds max-recursive-clients, even
        if some of the lookups are internally generated.
        [RT #1915, #1938]

1076. [bug] A badly defined global key could trigger an assertion
        on load/reload if views were used. [RT #1947]

1075. [bug] Out-of-range network prefix lengths were not
        reported. [RT #1954]

1074. [bug] Running out of memory in dump_rdataset() could
        cause an assertion failure. [RT #1946]

1073. [bug] The ADB cache cleaning should also be space driven.
        [RT #1915, #1938]

1072. [bug] The TCP client quota could be exceeded when
        recursion occurred. [RT #1937]

1071. [bug] Sockets listening for TCP DNS connections
        specified an excessive listen backlog. [RT #1937]

1070. [bug] Copy DNSSEC OK (DO) to response as specified by
        draft-ietf-dnsext-dnssec-okbit-03.txt.

1069. [placeholder]

1068. [bug] errno could be overwritten by catgets(). [RT #1921]

1067. [func] Allow quotas to be soft, isc_quota_soft().

1066. [bug] Provide a thread safe wrapper for strerror().
        [RT #1689]

1065. [func] Runtime support to select new / old style interface
        scanning using ioctls.

1064. [bug] Do not shut down active network interfaces if we
        are unable to scan the interface list. [RT #1921]

1063. [bug] libbind: "make install" was failing on IRIX.
        [RT #1919]

1062. [bug] If the control channel listener socket was shut
        down before server exit, the listener object could
        be freed twice. [RT #1916]

1061. [bug] If periodic cache cleaning happened to start
        while cleaning due to reaching the configured
        maximum cache size was in progress, the server
        could catch an assertion failure. [RT #1912]

1060. [func] Move refresh, stub and notify UDP retry processing
        into dns_request.

1059. [func] dns_request will now retry UDP queries,
        dns_request_createvia2() and dns_request_createraw2().

1058. [func] Limited lifetime ticker timers are now available,
        isc_timertype_limited.

1057. [bug] Reloading the server after adding a "file" clause
        to a zone statement could cause the server to
        crash due to a typo in change 1016.

1056. [bug] Rndc could catch an assertion failure on SIGINT due
        to an uninitialized variable. [RT #1908]

1055. [func] Version and hostname queries can now be disabled
        using "version none;" and "hostname none;",
        respectively.

1054. [bug] On Win32, cfg_categories and cfg_modules need to be
        exported from the libisccfg DLL.

1053. [bug] Dig did not increase its timeout when receiving
        AXFRs unless the +time option was used. [RT #1904]

1052. [bug] Journals were not being created in binary mode
        resulting in "journal format not recognized" error
        under Win32. [RT #1889]

1051. [bug] Do not ignore a network interface completely just
        because it has a noncontiguous netmask. Instead,
        omit it from the localnets ACL and issue a warning.
        [RT #1891]

1050. [bug] Log messages reporting malformed IP addresses in
        address lists such as that of the forwarders option
        failed to include the correct error code, file
        name, and line number. [RT #1890]

1049. [func] "pid-file none;" will disable writing a pid file.
        [RT #1848]

1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
        didn't work.

1047. [bug] named was incorrectly refusing all requests signed
        with a TSIG key derived from an unsigned TKEY
        negotiation with a NOERROR response. [RT #1886]

1046. [bug] The help message for the --with-openssl configure
        option was inaccurate. [RT #1880]

1045. [bug] It was possible to skip saving glue for a nameserver
        for a stub zone.

1044. [bug] Specifying allow-transfer, notify-source, or
        notify-source-v6 in a stub zone was not treated
        as an error.

1043. [bug] Specifying a transfer-source or transfer-source-v6
        option in the zone statement for a master zone was
        not treated as an error. [RT #1876]

1042. [bug] The "config" logging category did not work properly.
        [RT #1873]

1041. [bug] Dig/host/nslookup could catch an assertion failure
        on SIGINT due to an uninitialized variable. [RT #1867]

1040. [bug] Multiple listen-on-v6 options with different ports
        were not accepted. [RT #1875]

1039. [bug] Negative responses with CNAMEs in the answer section
        were cached incorrectly. [RT #1862]

1038. [bug] In servers configured with a tkey-domain option,
        TKEY queries with an owner name other than the root
        could cause an assertion failure. [RT #1866, #1869]

1037. [bug] Negative responses whose authority section contain
        SOA or NS records whose owner names are not
        equal to or parents of the query name should be
        rejected. [RT #1862]

1036. [func] Silently drop requests received via multicast as
        long as there is no final multicast DNS standard.

1035. [bug] If we respond to multicast queries (which we
        currently do not), respond from a unicast address
        as specified in RFC 1123. [RT #137]

1034. [bug] Ignore the RD bit on multicast queries as specified
        in RFC 1123. [RT #137]

1033. [bug] Always respond to requests with an unsupported opcode
        with NOTIMP, even if we don't have a matching view
        or cannot determine the class.

1032. [func] hostname.bind/txt/chaos now returns the name of
        the machine hosting the nameserver. This is useful
        in diagnosing problems with anycast servers.

1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
        [RT #1858]

1030. [bug] On systems with no resolv.conf file, nsupdate
        exited with an error rather than defaulting
        to using the loopback address. [RT #1836]

1029. [bug] Some named.conf errors did not cause the loading
        of the configuration file to return a failure
        status even though they were logged. [RT #1847]

1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
        in the wrong directory.
[RT #1833]

1027. [bug] RRs having the reserved type 0 should be rejected. [RT #1471]

1026. [placeholder]

1025. [bug] Don't use multicast addresses to resolve iterative queries. [RT #101]

1024. [port] Compilation failed on HP-UX 11.11 due to incompatible use of the SIOCGLIFCONF macro name. [RT #1831]

1023. [func] Accept hints without TTLs.

1022. [bug] Don't report empty root hints as "extra data". [RT #1802]

1021. [bug] On Win32, log message timestamps were one month later than they should have been, and the server would exhibit unspecified behavior in December.

1020. [bug] IXFR log messages did not distinguish between true IXFRs, AXFR-style IXFRs, and mere version polls. [RT #1811]

1019. [bug] The value of the lame-ttl option was limited to 18000 seconds, not 1800 seconds as documented. [RT #1803]

1018. [bug] The default log channel was not always initialized correctly. [RT #1813]

1017. [bug] When specifying TSIG keys to dig and nsupdate using the -k option, they must be HMAC-MD5 keys. [RT #1810]

1016. [bug] Slave zones with no backup file were re-transferred on every server reload.

1015. [bug] Log channels that had a "versions" option but no "size" option failed to create numbered log files. [RT #1783]

1014. [bug] Some queries would cause statistics counters to increment more than once or not at all. [RT #1321]

1013. [bug] It was possible to cancel a query twice when marking a server as bogus or by having a blackhole acl. [RT #1776]

1012. [bug] The -p option to named did not behave as documented.

1011. [cleanup] Removed isc_dir_current().

1010. [bug] The server could attempt to execute a command channel command after initiating server shutdown, causing an assertion failure. [RT #1766]

1009.
[port] OpenUNIX 8 support. [RT #1728]

1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.

1007. [port] config.guess, config.sub from autoconf-2.52.

1006. [bug] If a KEY RR was found missing during DNSSEC validation, an assertion failure could subsequently be triggered in the resolver. [RT #1763]

1005. [bug] Don't copy nonzero RCODEs from request to response. [RT #1765]

1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]

1003. [func] Add the +retry option to dig.

1002. [bug] When reporting an unknown class name in named.conf, include the file name and line number. [RT #1759]

1001. [bug] win32 socket code doio_recv was not catching a WSACONNRESET error when a client was timing out the request and closing its socket. [RT #1745]

1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias for class "HS". [RT #1759]

999. [func] "rndc retransfer zone [class [view]]" added. [RT #1752]

998. [func] named-checkzone now has arguments to specify the chroot directory (-t) and working directory (-w). [RT #1755]

997. [func] Add support for RSA-SHA1 keys (RFC3110).

996. [func] Issue warning if the configuration filename contains the chroot path.

995. [bug] dig, host, nslookup: using a raw IPv6 address as a target address should be fatal on an IPv4 only system.

994. [func] Treat non-authoritative responses to queries for type NS as referrals even if the NS records are in the answer section, because BIND 8 servers incorrectly send them that way. This is necessary for DNSSEC validation of the NS records of a secure zone to succeed when the parent is a BIND 8 server. [RT #1706]

993. [func] dig: -v now reports the version.

992. [doc] dig: ~/.digrc is now documented.

991.
[func] Lower UDP refresh timeout messages to level debug 1.

990. [bug] The rndc-confgen man page was not installed.

989. [bug] Report filename if $INCLUDE fails for file related errors. [RT #1736]

988. [bug] 'additional-from-auth no;' did not work reliably in the case of queries answered from the cache. [RT #1436]

987. [bug] "dig -help" didn't show "+[no]stats".

986. [bug] "dig +noall" failed to clear stats and command printing.

985. [func] Consider network interfaces to be up iff they have a nonzero IP address rather than based on the IFF_UP flag. [RT #1160]

984. [bug] Multi-threading should be enabled by default on Solaris 2.7 and newer, but it wasn't.

983. [func] The server now supports generating IXFR difference sequences for non-dynamic zones by comparing zone versions, when enabled using the new config option "ixfr-from-differences". [RT #1727]

982. [func] If "memstatistics-file" is set in options the memory statistics will be written to it.

981. [func] The dnssec tools can now take multiple '-r randomfile' arguments.

980. [bug] Incoming zone transfers restarting after an error could trigger an assertion failure. [RT #1692]

979. [func] Incremental master file dumping. dns_master_dumpinc(), dns_master_dumptostreaminc(), dns_dumpctx_attach(), dns_dumpctx_detach(), dns_dumpctx_cancel(), dns_dumpctx_db() and dns_dumpctx_version().

978. [bug] dns_db_attachversion() had an invalid REQUIRE() condition.

977. [bug] Improve "not at top of zone" error message.

976. [func] named-checkconf can now test load master zones (named-checkconf -z). [RT #1468]

975. [bug] "max-cache-size default;" as a view option caused an assertion failure.

974.
[bug] "max-cache-size unlimited;" as a global option was not accepted.

973. [bug] Failed to log the question name when logging: "bad zone transfer request: non-authoritative zone (NOTAUTH)".

972. [bug] The file modification time code in zone.c was using the wrong epoch. [RT #1667]

971. [placeholder]

970. [func] 'max-journal-size' can now be used to set a target size for a journal.

969. [func] dig now supports the undocumented dig 8 feature of allowing arbitrary labels, not just dotted decimal quads, with the -x option. This can be used to conveniently look up RFC2317 names as in "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]

968. [bug] On win32, the isc_time_now() function was unnecessarily calling strtime(). [RT #1671]

967. [bug] On win32, the link for bindevt was not including the required resource file to enable the event viewer to interpret the error messages in the event log. [RT #1668]

966. [placeholder]

965. [bug] Including data other than root server NS and A records in the root hint file could cause a rbtdb node reference leak. [RT #1581, #1618]

964. [func] Warn if data other than root server NS and A records are found in the root hint file. [RT #1581, #1618]

963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]

962. [bug] libbind: bad "#undef", don't attempt to install non-existent nlist.h. [RT #1640]

961. [bug] Tried to use an IPV6 feature when ISC_PLATFORM_HAVEIPV6 was not defined. [RT #1482]

960. [port] liblwres failed to build on systems with support for getrrsetbyname() in the OS. [RT #1592]

959. [port] On FreeBSD, determine the number of CPUs by calling sysctlbyname(). [RT #1584]

958. [port] ssize_t is not available on all platforms. [RT #1607]

957.
[bug] sys/select.h inclusion was broken on older platforms. [RT #1607]

956. [bug] ns_g_autorndcfile changed to ns_g_keyfile in named/win32/os.c due to code changes in change #953. win32 .make file for rndc-confgen updated to add include path for os.h header.

--- 9.2.0rc1 released ---

955. [bug] When using views, the zone's class was not being inherited from the view's class. [RT #1583]

954. [bug] When requesting AXFRs or IXFRs using dig, host, or nslookup, the RD bit should not be set as zone transfers are inherently non-recursive. [RT #1575]

953. [func] The /var/run/named.key file from change #843 has been replaced by /etc/rndc.key. Both named and rndc will look for this file and use it to configure a default control channel key if not already configured using a different method (rndc.conf / controls). Unlike named.key, rndc.key is not created automatically; it must be created by manually running "rndc-confgen -a".

952. [bug] The server required manual intervention to serve the affected zones if it died between creating a journal and committing the first change to it.

951. [bug] CFLAGS was not passed to the linker when linking some of the test programs under bin/tests. [RT #1555]

950. [bug] Explicit TTLs did not properly override $TTL due to a bug in change 834. [RT #1558]

949. [bug] host was unable to print records larger than 512 bytes. [RT #1557]

--- 9.2.0b2 released ---

948. [port] Integrated support for building on Windows NT / Windows 2000.

947. [bug] dns_rdata_soa_t had a badly named element "mname" which was really the RNAME field from RFC1035.
To avoid confusion and silent errors that would occur if the "origin" and "mname" elements were given their correct names "mname" and "rname" respectively, the "mname" element is renamed to "contact".

946. [cleanup] doc/misc/options is now machine-generated from the configuration parser syntax tables, and therefore more likely to be correct.

945. [func] Add the new view-specific options "match-destinations" and "match-recursive-only".

944. [func] Check for expired signatures on load.

943. [bug] The server could crash when receiving a command via rndc if the configuration file listed only nonexistent keys in the controls statement. [RT #1530]

942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly defined on some platforms.

941. [bug] The configuration checker crashed if a slave zone didn't contain a masters statement. [RT #1514]

940. [bug] Double zone locking failure on error path. [RT #1510]

--- 9.2.0b1 released ---

939. [port] Add the --disable-linux-caps option to configure for systems that manage capabilities outside of named. [RT #1503]

938. [placeholder]

937. [bug] A race when shutting down a zone could trigger an INSIST() failure. [RT #1034]

936. [func] Warn about IPv4 addresses that are not complete dotted quads. [RT #1084]

935. [bug] inet_pton failed to reject leading zeros.

934. [port] Deal with systems where accept() spuriously returns ECONNRESET.

933. [bug] configure failed doing libbind on platforms not supported by BIND 8. [RT #1496]

--- 9.2.0a3 released ---

932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM, when installing isc-config.sh. [RT #198, #1466]

931. [bug] The controls statement only attempted to verify messages using the first key in the key list.
(9.2.0a1/a2 only).

930. [func] Query performance testing tool added as contrib/queryperf.

929. [placeholder]

928. [bug] nsupdate would send empty update packets if the send (or empty line) command was run after another send but before any new updates or prerequisites were specified. It should simply ignore this command.

927. [bug] Don't hold the zone lock for the entire dump to disk. [RT #1423]

926. [bug] The resolver could deadlock with the ADB when shutting down (multi-threaded builds only). [RT #1324]

925. [cleanup] Remove openssl from the distribution; require that --with-openssl be specified if DNSSEC is needed.

924. [port] Extend support for pre-RFC2133 IPv6 implementation. [RT #987]

923. [bug] Multiline TSIG secrets (and other multiline strings) were not accepted in named.conf. [RT #1469]

922. [func] Added two new lwres_getrrsetbyname() result codes, ERR_NONAME and ERR_NODATA.

921. [bug] lwres returned an incorrect error code if it received a truncated message.

920. [func] Increase the lwres receive buffer size to 16K. [RT #1451]

919. [placeholder]

918. [func] In nsupdate, TSIG errors are no longer treated as fatal errors.

917. [func] New nsupdate command 'key', allowing TSIG keys to be specified in the nsupdate command stream rather than the command line.

916. [bug] Specifying type ixfr to dig without specifying a serial number failed in unexpected ways.

915. [func] The named-checkconf and named-checkzone programs now have a '-v' option for printing their version. [RT #1151]

914. [bug] Global 'server' statements were rejected when using views, even though they were accepted in 9.1. [RT #1368]

913. [bug] Cache cleaning was not sufficiently aggressive.
[RT #1441, #1444]

912. [bug] Attempts to set the 'additional-from-cache' or 'additional-from-auth' option to 'no' in a server with recursion enabled will now be ignored and cause a warning message. [RT #1145]

911. [placeholder]

910. [port] Some pre-RFC2133 IPv6 implementations do not define IN6ADDR_ANY_INIT. [RT #1416]

909. [placeholder]

908. [func] New program, rndc-confgen, to simplify setting up rndc.

907. [func] The ability to get entropy from either the random device, a user-provided file or from the keyboard was migrated from the DNSSEC tools to libisc as isc_entropy_usebestsource().

906. [port] Separated the system independent portion of lib/isc/unix/entropy.c into lib/isc/entropy.c and added lib/isc/win32/entropy.c.

905. [bug] Configuring a forward "zone" for the root domain did not work. [RT #1418]

904. [bug] The server would leak memory if attempting to use an expired TSIG key. [RT #1406]

903. [bug] dig should not crash when receiving a TCP packet of length 0.

902. [bug] The -d option was ignored if both -t and -g were also specified.

901. [placeholder]

900. [bug] A config.guess update changed the system identification string of FreeBSD systems; configure and bin/tests/system/ifconfig.sh now recognize the new string.

--- 9.2.0a2 released ---

899. [bug] lib/dns/soa.c failed to compile on many platforms due to inappropriate use of a void value. [RT #1372, #1373, #1386, #1387, #1395]

898. [bug] "dig" failed to set a nonzero exit status on UDP query timeout. [RT #1323]

897. [bug] A config.guess update changed the system identification string of UnixWare systems; configure now recognizes the new string.

896.
[bug] If a configuration file is set on named's command line and it has a relative pathname, the current directory (after any possible jailing resulting from named -t) will be prepended to it so that reloading works properly even when a directory option is present.

895. [func] New function, isc_dir_current(), akin to POSIX's getcwd().

894. [bug] When using the DNSSEC tools, a message intended to warn when the keyboard was being used because of the lack of a suitable random device was not being printed.

893. [func] Removed isc_file_test() and added isc_file_exists() for the basic functionality that was being added with isc_file_test().

892. [placeholder]

891. [bug] Return an error when a SIG(0) signed response to an unsigned query is seen. This should actually do the verification, but it's not currently possible. [RT #1391]

890. [cleanup] The man pages no longer require the mandoc macros and should now format cleanly using most versions of nroff, and HTML versions of the man pages have been added. Both are generated from DocBook source.

889. [port] Eliminated blank lines before .TH in nroff man pages since they cause problems with some versions of nroff. [RT #1390]

888. [bug] Don't die when using TKEY to delete a nonexistent TSIG key. [RT #1392]

887. [port] Detect broken compilers that can't call static functions from inline functions. [RT #1212]

886. [placeholder]

885. [placeholder]

884. [placeholder]

883. [placeholder]

882. [placeholder]

881. [placeholder]

880. [placeholder]

879. [placeholder]

878. [placeholder]

877. [placeholder]

876. [placeholder]

875. [placeholder]

874. [placeholder]

873. [placeholder]

872.
[placeholder]

871. [placeholder]

870. [placeholder]

869. [placeholder]

868. [placeholder]

867. [placeholder]

866. [func] Close debug only file channels when debug is set to zero. [RT #1246]

865. [bug] The new configuration parser did not allow the optional debug level in a "severity debug" clause of a logging channel to be omitted. This is now allowed and treated as "severity debug 1;" like it does in BIND 8.2.4, not as "severity debug 0;" like it did in BIND 9.1. [RT #1367]

864. [cleanup] Multi-threading is now enabled by default on OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.

863. [bug] If an error occurred while an outgoing zone transfer was starting up, the server could access a domain name that had already been freed when logging a message saying that the transfer was starting. [RT #1383]

862. [bug] Use after realloc(), non portable pointer arithmetic in grmerge().

861. [port] Add support for Mac OS X, by making it equivalent to Darwin. This was derived from the config.guess file shipped with Mac OS X. [RT #1355]

860. [func] Drop cross class glue in zone transfers.

859. [bug] Cache cleaning now won't swamp the CPU if there is a persistent over limit condition.

858. [func] isc_mem_setwater() no longer requires that when the callback function is non-NULL then its hi_water argument must be greater than its lo_water argument (they can now be equal) or that they be non-zero.

857. [cleanup] Use ISC_MAGIC() to define all magic numbers for structs, for our friends in EBCDIC-land.

856. [func] Allow partial rdatasets to be returned in answer and authority sections to help non-TCP capable clients recover from truncation. [RT #1301]

855.
[bug] Stop spurious "using RFC 1035 TTL semantics" warnings.

854. [bug] The config parser didn't properly handle config options that were specified in units of time other than seconds. [RT #1372]

853. [bug] configure_view_acl() failed to detach existing acls. [RT #1374]

852. [bug] Handle responses from servers which do not know about IXFR.

851. [cleanup] The obsolete support-ixfr option was not properly ignored.

--- 9.2.0a1 released ---

850. [bug] dns_rbt_findnode() would not find nodes that were split on a bitstring label somewhere other than in the last label of the node. [RT #1351]

849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.

848. [func] A minimum max-cache-size of two megabytes is enforced by the cache cleaner.

847. [func] Added isc_file_test(), which currently only has some very basic functionality to test for the existence of a file, whether a pathname is absolute, or whether a pathname is the fundamental representation of the current directory. It is intended that this function can be expanded to test other things a programmer might want to know about a file.

846. [func] A non-zero 'param' to dst_key_generate() when making an hmac-md5 key means that good entropy is not required.

845. [bug] The access rights on the public file of a symmetric key are now restricted as soon as the file is opened, rather than after it has been written and closed.

844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined, just as <lwres/net.h> does.

843. [func] If no controls statement is present in named.conf, or if any inet phrase of a controls statement is lacking a keys clause, then a key will be automatically generated by named and an rndc.conf-style file named named.key will be written that uses it.
rndc will use this file only if its normal configuration file, or one provided on the command line, does not exist.

842. [func] 'rndc flush' now takes an optional view.

841. [bug] When sdb modules were not declared threadsafe, their create and destroy functions were not serialized.

840. [bug] The config file parser could print the wrong file name if an error was detected after an included file was parsed. [RT #1353]

839. [func] Dump packets for which there was no view or that the class could not be determined to category "unmatched".

838. [port] UnixWare 7.x.x is now supported by bin/tests/system/ifconfig.sh.

837. [cleanup] Multi-threading is now enabled by default only on OSF1, Solaris 2.7 and newer, and AIX.

836. [func] Upgraded libtool to 1.4.

835. [bug] The dispatcher could enter a busy loop if it got an I/O error receiving on a UDP socket. [RT #1293]

834. [func] Accept (but warn about) master files beginning with an SOA record without an explicit TTL field and lacking a $TTL directive, by using the SOA MINTTL as a default TTL. This is for backwards compatibility with old versions of BIND 8, which accepted such files without warning although they are illegal according to RFC1035.

833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to <dns/soa.h>, and extended them to support all the integer-valued fields of the SOA RR.

832. [bug] The default location for named.conf in named-checkconf should depend on --sysconfdir like it does in named. [RT #1258]

831. [placeholder]

830. [func] Implement 'rndc status'.

829. [bug] The DNS_R_ZONECUT result code should only be returned when an ANY query is made with DNS_DBFIND_GLUEOK set. In all other ANY query cases, returning the delegation is better.

828.
[bug] The errno value from recvfrom() could be overwritten by logging code. [RT #1293]

827. [bug] When an IXFR protocol error occurs, the slave should retry with AXFR.

826. [bug] Some IXFR protocol errors were not detected.

825. [bug] zone.c:ns_query() detached from the wrong zone reference. [RT #1264]

824. [bug] Correct line numbers reported by dns_master_load(). [RT #1263]

823. [func] The output of "dig -h" now goes to stdout so that it can easily be piped through "more". [RT #1254]

822. [bug] Sending nxrrset prerequisites would crash nsupdate. [RT #1248]

821. [bug] The program name used when logging to syslog should be stripped of leading path components. [RT #1178, #1232]

820. [bug] Name server address lookups failed to follow A6 chains into the glue of local authoritative zones.

819. [bug] In certain cases, the resolver's attempts to restart an address lookup at the root could cause the fetch to deadlock (with itself) instead of restarting. [RT #1225]

818. [bug] Certain pathological responses to ANY queries could cause an assertion failure. [RT #1218]

817. [func] Adjust timeouts for dialup zone queries.

816. [bug] Report potential problems with log file accessibility at configuration time, since such problems can't reliably be reported at the time they actually occur.

815. [bug] If a log file was specified with a path separator character (i.e. "/") in its name and the directory did not exist, the log file's name was treated as though it were the directory name. [RT #1189]

814. [bug] Socket objects left over from accept() failures were incorrectly destroyed, causing corruption of socket manager data structures.

813. [bug] File descriptors exceeding FD_SETSIZE were handled badly. [RT #1192]

812.
[bug] dig sometimes printed incomplete IXFR responses due to an uninitialized variable. [RT #1188]

811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]

810. [bug] The signer name in SIG records was not properly down-cased when signing/verifying records. [RT #1186]

809. [bug] Configuring a non-local address as a transfer-source could cause an assertion failure during load.

808. [func] Add 'rndc flush' to flush the server's cache.

807. [bug] When setting up TCP connections for incoming zone transfers, the transfer-source port was not ignored like it should be.

806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up the calling stack to the zone maintenance level, causing zones to not reload when an included file was touched but the top-level zone file was not.

805. [bug] When using "forward only", missing root hints should not cause queries to fail. [RT #1143]

804. [bug] Attempting to obtain entropy could fail in some situations. This would be most common on systems with user-space threads. [RT #1131]

803. [bug] Treat all SIG queries as if they have the CD bit set, otherwise no data will be returned. [RT #749]

802. [bug] DNSSEC key tags were computed incorrectly in almost all cases. [RT #1146]

801. [bug] nsupdate should treat lines beginning with ';' as comments. [RT #1139]

800. [bug] dnssec-signzone produced incorrect statistics for large zones. [RT #1133]

799. [bug] The ADB didn't find AAAA glue in a zone unless A6 glue was also present.

798. [bug] nsupdate should be able to reject bad input lines and continue. [RT #1130]

797. [func] Issue a warning if the 'directory' option contains a relative path. [RT #269]

796.
[func] When a size limit is associated with a log file, only roll it when the size is reached, not every time the log file is opened. [RT #1096]

795. [func] Add the +multiline option to dig. [RT #1095]

794. [func] Implement the "port" and "default-port" statements in rndc.conf.

793. [cleanup] The DNSSEC tools could create filenames that were illegal or contained shell meta-characters. They now use a different text encoding of names that doesn't have these problems. [RT #1101]

792. [cleanup] Replace the OMAPI command channel protocol with a simpler one.

791. [bug] The command channel now works over IPv6.

790. [bug] Wildcards created using dynamic update or IXFR could fail to match. [RT #1111]

789. [bug] The "localhost" and "localnets" ACLs did not match when used as the second element of a two-element sortlist item.

788. [func] Add the "match-mapped-addresses" option, which causes IPv6 v4mapped addresses to be treated as IPv4 addresses for the purpose of acl matching.

787. [bug] The DNSSEC tools failed to downcase domain names when mapping them into file names.

786. [bug] When DNSSEC signing/verifying data, owner names were not properly down-cased.

785. [bug] A race condition in the resolver could cause an assertion failure. [RT #673, #872, #1048]

784. [bug] nsupdate and other programs would not quit properly if some signals were blocked by the caller. [RT #1081]

783. [bug] Following CNAMEs could cause an assertion failure when either using an sdb database or under very rare conditions.

782. [func] Implement the "serial-query-rate" option.

781. [func] Avoid error packet loops by dropping duplicate FORMERR responses. [RT #1006]

780.
[bug] Error handling code dealing with out of memory or other rare errors could lead to assertion failures by calling functions on uninitialized names. [RT #1065]

779. [func] Added the "minimal-responses" option.

778. [bug] When starting cache cleaning, cleaning_timer_action() returned without first pausing the iterator, which could cause deadlock. [RT #998]

777. [bug] An empty forwarders list in a zone failed to override global forwarders. [RT #995]

776. [func] Improved error reporting in denied messages. [RT #252]

775. [placeholder]

774. [func] max-cache-size is implemented.

773. [func] Added isc_rwlock_trylock() to attempt to lock without blocking.

772. [bug] Owner names could be incorrectly omitted from cache dumps in the presence of negative caching entries. [RT #991]

771. [cleanup] TSIG errors related to unsynchronized clocks are logged better. [RT #919]

770. [func] Add the "edns yes_or_no" statement to the server clause. [RT #524]

769. [func] Improved error reporting when parsing rdata. [RT #740]

768. [bug] The server did not emit an SOA when a CNAME or DNAME chain ended in NXDOMAIN in an authoritative zone.

767. [placeholder]

766. [bug] A few cases in query_find() could leak fname. This would trigger the mpctx->allocated == 0 assertion when the server exited. [RT #739, #776, #798, #812, #818, #821, #845, #892, #935, #966]

765. [func] ACL names are once again case insensitive, like in BIND 8. [RT #252]

764. [func] Configuration files now allow "include" directives in more places, such as inside the "view" statement. [RT #377, #728, #860]

763. [func] Configuration files no longer have reserved words. [RT #731, #753]

762.
[cleanup] The named.conf and rndc.conf file parsers have been completely rewritten.

761. [bug] _REENTRANT was still defined when building with --disable-threads.

760. [contrib] Significant enhancements to the pgsql sdb driver.

759. [bug] The resolver didn't turn off "avoid fetches" mode when restarting, possibly causing resolution to fail when it should not. This bug only affected platforms which support both IPv4 and IPv6. [RT #927]

758. [bug] The "avoid fetches" code did not treat negative cache entries correctly, causing fetches that would be useful to be avoided. This bug only affected platforms which support both IPv4 and IPv6. [RT #927]

757. [func] Log zone transfers.

756. [bug] dns_zone_load() could "return" success when no master file was configured.

755. [bug] Fix incorrectly formatted log messages in zone.c.

754. [bug] Certain failure conditions sending UDP packets could cause the server to retry the transmission indefinitely. [RT #902]

753. [bug] dig, host, and nslookup would fail to contact a remote server if getaddrinfo() returned an IPv6 address on a system that doesn't support IPv6. [RT #917]

752. [func] Correct bad tv_usec elements returned by gettimeofday().

751. [func] Log successful zone loads / transfers. [RT #898]

750. [bug] A query should not match a DNAME whose trust level is pending. [RT #916]

749. [bug] When a query matched a DNAME in a secure zone, the server did not return the signature of the DNAME. [RT #915]

748. [doc] List supported RFCs in doc/misc/rfc-compliance. [RT #781]

747. [bug] The code to determine whether an IXFR was possible did not properly check for a database that could not have a journal. [RT #865, #908]

746.
[bug] The sdb didn't clone rdatasets properly, causing
        a crash when the server followed delegations. [RT #905]

745. [func] Report the owner name of records that fail
        semantic checks while loading.

744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
        result of an ANY or SIG query, the resolver failed
        to set up the return event's rdatasets, causing an
        assertion failure in the query code. [RT #881]

743. [bug] Receiving a large number of certain malformed
        answers could cause named to stop responding.
        [RT #861]

742. [placeholder]

741. [port] Support openssl-engine. [RT #709]

740. [port] Handle openssl library mismatches slightly better.

739. [port] Look for /dev/random in configure, rather than
        assuming it will be there for only a predefined
        set of OSes.

738. [bug] If a non-threadsafe sdb driver supported AXFR and
        received an AXFR request, it would deadlock or die
        with an assertion failure. [RT #852]

737. [port] stdtime.c failed to compile on certain platforms.

736. [func] New functions isc_task_{begin,end}exclusive().

735. [doc] Add BIND 4 migration notes.

734. [bug] An attempt to re-lock the zone lock could occur if
        the server was shut down during a zone transfer.
        [RT #830]

733. [bug] Reference counts of dns_acl_t objects need to be
        locked but were not. [RT #801, #821]

732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]

731. [bug] Certain zone errors could cause named-checkzone to
        fail ungracefully. [RT #819]

730. [bug] lwres_getaddrinfo() returns the correct result when
        it fails to contact a server. [RT #768]

729. [port] pthread_setconcurrency() needs to be called on Solaris.

728. [bug] Fix comment processing on master file directives.
        [RT #757]

727.
[port] Work around OS bug where accept() succeeds but
        fails to fill in the peer address of the accepted
        connection, by treating it as an error rather than
        an assertion failure. [RT #809]

726. [func] Implement the "trace" and "notrace" commands in rndc.

725. [bug] Installing man pages could fail.

724. [func] New libisc functions isc_netaddr_any(),
        isc_netaddr_any6().

723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
        to return DNS_R_SERVFAIL. [RT #783]

722. [func] Allow incremental loads to be canceled.

721. [cleanup] Load manager and dns_master_loadfilequota() are no
        more.

720. [bug] Server could enter infinite loop in
        dispatch.c:do_cancel(). [RT #733]

719. [bug] Rapid reloads could trigger an assertion failure.
        [RT #743, #763]

718. [cleanup] "internal" is no longer a reserved word in named.conf.
        [RT #753, #731]

717. [bug] Certain TKEY processing failure modes could
        reference an uninitialized variable, causing the
        server to crash. [RT #750]

716. [bug] The first line of a $INCLUDE master file was lost if
        an origin was specified. [RT #744]

715. [bug] Resolving some A6 chains could cause an assertion
        failure in adb.c. [RT #738]

714. [bug] Preserve interval timers across reloads unless changed.
        [RT #729]

713. [func] named-checkconf takes '-t directory' similar to named.
        [RT #726]

712. [bug] Sending a large signed update message caused an
        assertion failure. [RT #718]

711. [bug] The libisc and liblwres implementations of
        inet_ntop contained an off by one error.

710. [func] The forwarders statement now takes an optional
        port. [RT #418]

709. [bug] ANY or SIG queries for data with a TTL of 0
        would return SERVFAIL. [RT #620]

708.
[bug] When building with --with-openssl, the openssl headers
        included with BIND 9 should not be used. [RT #702]

707. [func] The "filename" argument to named-checkzone is no
        longer optional, to reduce confusion. [RT #612]

706. [bug] Zones with an explicit "allow-update { none; };"
        were considered dynamic and therefore not reloaded
        on SIGHUP or "rndc reload".

705. [port] Work out resource limit type for use where rlim_t is
        not available. [RT #695]

704. [port] RLIMIT_NOFILE is not available on all platforms.
        [RT #695]

703. [port] sys/select.h is needed on older platforms. [RT #695]

702. [func] If the address 0.0.0.0 is seen in resolv.conf,
        use 127.0.0.1 instead. [RT #693]

701. [func] Root hints are now fully optional. Class IN
        views use compiled-in hints by default, as
        before. Non-IN views with no root hints now
        provide authoritative service but not recursion.
        A warning is logged if a view has neither root
        hints nor authoritative data for the root. [RT #696]

700. [bug] $GENERATE range check was wrong. [RT #688]

699. [bug] The lexer mishandled empty quoted strings. [RT #694]

698. [bug] Aborting nsupdate with ^C would lead to several
        race conditions.

697. [bug] nsupdate was not compatible with the undocumented
        BIND 8 behavior of ignoring TTLs in "update delete"
        commands. [RT #693]

696. [bug] lwresd would die with an assertion failure when passed
        a zero-length name. [RT #692]

695. [bug] If the resolver attempted to query a blackholed or
        bogus server, the resolution would fail immediately.

694. [bug] $GENERATE did not produce the last entry.
        [RT #682, #683]

693. [bug] An empty lwres statement in named.conf caused
        the server to crash while loading.

692.
[bug] Deal with systems that have getaddrinfo() but not
        gai_strerror(). [RT #679]

691. [bug] Configuring per-view forwarders caused an assertion
        failure. [RT #675, #734]

690. [func] $GENERATE now supports DNAME. [RT #654]

689. [doc] man pages are now installed. [RT #210]

688. [func] "make tags" now works on systems with the
        "Exuberant Ctags" etags.

687. [bug] Only say we have IPv6, with sufficient functionality,
        if it has actually been tested. [RT #586]

686. [bug] dig and nslookup can now be properly aborted during
        blocking operations. [RT #568]

685. [bug] nslookup should use the search list/domain options
        from resolv.conf by default. [RT #405, #630]

684. [bug] Memory leak with view forwarders. [RT #656]

683. [bug] File descriptor leak in isc_lex_openfile().

682. [bug] nslookup displayed SOA records incorrectly. [RT #665]

681. [bug] $GENERATE specifying output format was broken. [RT #653]

680. [bug] dns_rdata_fromstruct() mishandled options bigger
        than 255 octets.

679. [bug] $INCLUDE could leak memory and file descriptors on
        reload. [RT #639]

678. [bug] "transfer-format one-answer;" could trigger an assertion
        failure. [RT #646]

677. [bug] dnssec-signzone would occasionally use the wrong ttl
        for database operations and fail. [RT #643]

676. [bug] Log messages about lame servers to category
        'lame-servers' rather than 'resolver', so as not
        to be gratuitously incompatible with BIND 8.

675. [bug] TKEY queries could cause the server to leak
        memory.

674. [func] Allow messages to be TSIG signed / verified using
        an offset from the current time.

673. [func] The server can now convert RFC1886-style recursive
        lookup requests into RFC2874-style lookups, when
        enabled using the new option "allow-v6-synthesis".

672. [bug] The wrong time was in the "time signed" field when
        replying with BADTIME error.

671. [bug] The message code was failing to parse a message with
        no question section and a TSIG record. [RT #628]

670. [bug] The lwres replacements for getaddrinfo and
        getipnodebyname didn't properly check for the
        existence of the sockaddr sa_len field.

669. [bug] dnssec-keygen now makes the public key file
        non-world-readable for symmetric keys. [RT #403]

668. [func] named-checkzone now reports multiple errors in master
        files.

667. [bug] On Linux, running named with the -u option and a
        non-world-readable configuration file didn't work.
        [RT #626]

666. [bug] If a request sent by dig is longer than 512 bytes,
        use TCP.

665. [bug] Signed responses were not sent when the size of the
        TSIG + question exceeded the maximum message size.
        [RT #628]

664. [bug] The t_tasks and t_timers module tests are now skipped
        when building without threads, since they require
        threads.

663. [func] Accept a size_spec, not just an integer, in the
        (unimplemented and ignored) max-ixfr-log-size option
        for compatibility with recent versions of BIND 8.
        [RT #613]

662. [bug] dns_rdata_fromtext() failed to log certain errors.

661. [bug] Certain UDP IXFR requests caused an assertion failure
        (mpctx->allocated == 0). [RT #355, #394, #623]

660. [port] Detect multiple CPUs on HP-UX and IRIX.

659. [performance] Rewrite the name compression code to be much faster.

658. [cleanup] Remove all vestiges of 16 bit global compression.

657. [bug] When a listen-on statement in an lwres block does not
        specify a port, use 921, not 53. Also update the
        listen-on documentation. [RT #616]

656. [func] Treat an unescaped newline in a quoted string as
        an error.
        This means that TXT records with missing
        close quotes should have meaningful errors printed.

655. [bug] Improve error reporting on unexpected eof when loading
        zones. [RT #611]

654. [bug] Origin was being forgotten in TCP retries in dig.
        [RT #574]

653. [bug] +defname option in dig was reversed in sense.
        [RT #549]

652. [bug] zone_saveunique() did not report the new name.

651. [func] The AD bit in responses now has the meaning
        specified in <draft-ietf-dnsext-ad-is-secure>.

650. [bug] SIG(0) records were being generated and verified
        incorrectly. [RT #606]

649. [bug] It was possible to join to an already running fctx
        after it had "cloned" its events, but before it sent
        them. In this case, the event of the newly joined
        fetch would not contain the answer, and would
        trigger the INSIST() in fctx_sendevents(). In
        BIND 9.0, this bug did not trigger an INSIST(), but
        caused the fetch to fail with a SERVFAIL result.
        [RT #588, #597, #605, #607]

648. [port] Add support for pre-RFC2133 IPv6 implementations.

647. [bug] Resolver queries sent after following multiple
        referrals had excessively long retransmission
        timeouts due to incorrectly counting the referrals
        as "restarts".

646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
        didn't _cleanly_ fix the problem it was trying to fix.

645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]

644. [bug] #622 needed more work. [RT #562]

643. [bug] xfrin error messages made more verbose, added class
        of the zone. [RT #599]

642. [bug] Break the exit_check() race in the zone module.
        [RT #598]

--- 9.1.0b2 released ---

641. [bug] $GENERATE caused an uninitialized link to be used.
        [RT #595]

640.
[bug] Memory leak in error path could cause
        "mpctx->allocated == 0" failure. [RT #584]

639. [bug] Reading entropy from the keyboard would sometimes fail.
        [RT #591]

638. [port] lib/isc/random.c needed to explicitly include time.h
        to get a prototype for time() when pthreads was not
        being used. [RT #592]

637. [port] Use isc_u?int64_t instead of (unsigned) long long in
        lib/isc/print.c. Also allow lib/isc/print.c to
        be compiled even if the platform does not need it.
        [RT #592]

636. [port] Shut up MSVC++ about a possible loss of precision
        in the ISC__BUFFER_PUTUINT*() macros. [RT #592]

635. [bug] Reloading a server with a configured blackhole list
        would cause an assertion. [RT #590]

634. [bug] A log file will completely stop being written when
        it reaches the maximum size in all cases, not just
        when versioning is also enabled. [RT #570]

633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]

632. [bug] The index array of the journal file was
        corrupted as it was written to disk.

631. [port] Build without thread support on systems without
        pthreads.

630. [bug] Locking failure in zone code. [RT #582]

629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
        when responding to a UDP IXFR request.

628. [bug] If the root hints contained only AAAA addresses,
        named would be unable to perform resolution.

627. [bug] The EDNS0 blackhole detection code of change 324
        waited for three retransmissions to each server,
        which takes much too long when a domain has many
        name servers and all of them drop EDNS0 queries.
        Now we retry without EDNS0 after three consecutive
        timeouts, even if they are all from different
        servers. [RT #143]

626. [bug] The lightweight resolver daemon no longer crashes
        when asked for a SIG rrset.
        [RT #558]

625. [func] Zones now inherit their class from the enclosing view.

624. [bug] The zone object could get timer events after it had
        been destroyed, causing a server crash. [RT #571]

623. [func] Added "named-checkconf" and "named-checkzone" programs
        for syntax checking named.conf files and zone files,
        respectively.

622. [bug] A canceled request could be destroyed before
        dns_request_destroy() was called. [RT #562]

621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
        This mostly affects Red Hat Linux 7.0, which has
        conflicts between libc and the kernel.

620. [bug] dns_master_load*inc() now require 'task' and 'load'
        to be non-null. Also 'done' will not be called if
        dns_master_load*inc() fails immediately. [RT #565]

619. [placeholder]

618. [bug] Queries to a signed zone could sometimes cause
        an assertion failure.

617. [bug] When using dynamic update to add a new RR to an
        existing RRset with a different TTL, the journal
        entries generated from the update did not include
        explicit deletions and re-additions of the existing
        RRs to update their TTL to the new value.

616. [func] dnssec-signzone -t output now includes performance
        statistics.

615. [bug] dnssec-signzone did not like child keysets signed
        by multiple keys.

614. [bug] Checks for uninitialized link fields were prone
        to false positives, causing assertion failures.
        The checks are now disabled by default and may
        be re-enabled by defining ISC_LIST_CHECKINIT.

613. [bug] "rndc reload zone" now reloads primary zones.
        It previously only updated slave and stub zones,
        if an SOA query indicated an out of date serial.

612.
[cleanup] Shut up a ridiculously noisy HP-UX compiler that
        complains relentlessly about how its treatment
        of 'const' has changed as well as how casting
        sometimes tightens alignment constraints.

611. [func] allow-notify can be used to permit processing of
        notify messages from hosts other than a slave's
        masters.

610. [func] rndc dumpdb is now supported.

609. [bug] getrrsetbyname() would crash lwresd if the server
        found more SIGs than answers. [RT #554]

608. [func] dnssec-signzone now adds a comment to the zone
        with the time the file was signed.

607. [bug] nsupdate would fail if it encountered a CNAME or
        DNAME in a response to an SOA query. [RT #515]

606. [bug] Compiling with --disable-threads failed due
        to isc_thread_self() being incorrectly defined
        as an integer rather than a function.

605. [func] New function isc_lex_getlasttokentext().

604. [bug] The named.conf parser could print incorrect line
        numbers when long comments were present.

603. [bug] Make dig handle multiple types or classes on the same
        query more correctly.

602. [func] Cope automatically with UnixWare's broken
        IN6_IS_ADDR_* macros. [RT #539]

601. [func] Return a non-zero exit code if an update fails
        in nsupdate.

600. [bug] Reverse lookups sometimes failed in dig, etc...

599. [func] Added four new functions to the libisc log API to
        support i18n messages. isc_log_iwrite(),
        isc_log_ivwrite(), isc_log_iwrite1() and
        isc_log_ivwrite1() were added.

598. [bug] An update-policy statement would cause the server
        to assert while loading. [RT #536]

597. [func] dnssec-signzone is now multi-threaded.

596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
        not mutually exclusive.

595.
[port] On Linux 2.2, socket() returns EINVAL when it
        should return EAFNOSUPPORT. Work around this.
        [RT #531]

594. [func] sdb drivers are now assumed to not be thread-safe
        unless the DNS_SDBFLAG_THREADSAFE flag is supplied.

593. [bug] If a secure zone was missing all its NXTs and
        a dynamic update was attempted, the server entered
        an infinite loop.

592. [bug] The sig-validity-interval option now specifies a
        number of days, not seconds. This matches the
        documentation. [RT #529]

--- 9.1.0b1 released ---

591. [bug] Work around non-reentrancy in openssl by disabling
        pre-computation in keys.

590. [doc] There are now man pages for the lwres library in
        doc/man/lwres.

589. [bug] The server could deadlock if a zone was updated
        while being transferred out.

588. [bug] ctx->in_use was not being correctly initialized
        when pushing a file for $INCLUDE. [RT #523]

587. [func] A warning is now printed if the "allow-update"
        option allows updates based on the source IP
        address, to alert users to the fact that this
        is insecure and becoming increasingly so as
        servers capable of update forwarding are being
        deployed.

586. [bug] multiple views with the same name were fatal. [RT #516]

585. [func] dns_db_addrdataset() and dns_rdataslab_merge()
        now support 'exact' additions in a similar manner to
        dns_db_subtractrdataset() and dns_rdataslab_subtract().

584. [func] You can now say 'notify explicit'; to suppress
        notification of the servers listed in NS records
        and notify only those servers listed in the
        'also-notify' option.

583. [func] "rndc querylog" will now toggle logging of
        queries, like "ndc querylog" in BIND 8.

582. [bug] dns_zone_idetach() failed to lock the zone.
        [RT #199, #463]

581.
[bug] log severity was not being correctly processed.
        [RT #485]

580. [func] Ignore trailing garbage on incoming DNS packets,
        for interoperability with broken server
        implementations. [RT #491]

579. [bug] nsupdate did not take a filename to read update from.
        [RT #492]

578. [func] New config option "notify-source", to specify the
        source address for notify messages.

577. [func] Log illegal RDATA combinations. e.g. multiple
        singleton types, cname and other data.

576. [doc] isc_log_create() description did not match reality.

575. [bug] isc_log_create() was not setting internal state
        correctly to reflect the default channels created.

574. [bug] TSIG signed queries sent by the resolver would fail to
        have their responses validated and would leak memory.

573. [bug] The journal files of IXFRed slave zones were
        inadvertently discarded on server reload, causing
        "journal out of sync with zone" errors on subsequent
        reloads. [RT #482]

572. [bug] Quoted strings were not accepted as key names in
        address match lists.

571. [bug] It was possible to create an rdataset of singleton
        type which had more than one rdata. [RT #154]
        [RT #279]

570. [bug] rbtdb.c allowed zones containing nodes which had
        both a CNAME and "other data". [RT #154]

569. [func] The DNSSEC AD bit will not be set on queries which
        have not requested a DNSSEC response.

568. [func] Add sample simple database drivers in contrib/sdb.

567. [bug] Setting the zone transfer timeout to zero caused an
        assertion failure. [RT #302]

566. [func] New public function dns_timer_setidle().

565. [func] Log queries more like BIND 8: query logging is now
        done to category "queries", level "info". [RT #169]

564. [func] Add sortlist support to lwresd.

563.
[func] New public functions dns_rdatatype_format() and
        dns_rdataclass_format(), for convenient formatting
        of rdata type/class mnemonics in log messages.

562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.

561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
        clauses of the options{} statement are now implemented.

560. [bug] dns_name_split did not properly the resulting prefix
        when a maximal length bitstring label was split which
        was preceded by another bitstring label. [RT #429]

559. [bug] dns_name_split did not properly create the suffix
        when splitting within a maximal length bitstring label.

558. [func] New functions, isc_resource_getlimit and
        isc_resource_setlimit.

557. [func] Symbolic constants for libisc integral types.

556. [func] The DNSSEC OK bit in the EDNS extended flags
        is now implemented. Responses to queries without
        this bit set will not contain any DNSSEC records.

555. [bug] A slave server attempting a zone transfer could
        crash with an assertion failure on certain
        malformed responses from the master. [RT #457]

554. [bug] In some cases, not all of the dnssec tools were
        properly installed.

553. [bug] Incoming zone transfers deferred due to quota
        were not started when quota was increased but
        only when a transfer in progress finished. [RT #456]

552. [bug] We were not correctly detecting the end of all c-style
        comments. [RT #455]

551. [func] Implemented the 'sortlist' option.

550. [func] Support unknown rdata types and classes.

549. [bug] "make" did not immediately abort the build when a
        subdirectory make failed [RT #450].

548. [func] The lexer now ungets tokens more correctly.

547. [placeholder]

546. [func] Option 'lame-ttl' is now implemented.

545.
[func] Name limit and counting options removed from dig;
        they didn't work properly, and cannot be correctly
        implemented without significant changes.

544. [func] Add statistics option, enable statistics-file option,
        add RNDC option "dump-statistics" to write out a
        query statistics file.

543. [doc] The 'port' option is now documented.

542. [func] Add support for update forwarding as required for
        full compliance with RFC2136. It is turned off
        by default and can be enabled using the
        'allow-update-forwarding' option.

541. [func] Add bogus server support.

540. [func] Add dialup support.

539. [func] Support the blackhole option.

538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().

537. [placeholder]

536. [func] Use transfer-source{-v6} when sending refresh queries.
        Transfer-source{-v6} now take an optional port
        parameter for setting the UDP source port. The port
        parameter is ignored for TCP.

535. [func] Use transfer-source{-v6} when forwarding update
        requests.

534. [func] Ancestors have been removed from RBT chains. Ancestor
        information can be discerned via node parent pointers.

533. [func] Incorporated name hashing into the RBT database to
        improve search speed.

532. [func] Implement DNS UPDATE pseudo records using
        DNS_RDATA_UPDATE flag.

531. [func] Rdata really should be initialized before being assigned
        to (dns_rdata_fromwire(), dns_rdata_fromtext(),
        dns_rdata_clone(), dns_rdata_fromregion()),
        check that it is.

530. [func] New function dns_rdata_invalidate().

529. [bug] 521 contained a bug which caused zones to always
        reload. [RT #410]

528. [func] The ISC_LIST_XXXX macros now perform sanity checks
        on their arguments. ISC_LIST_XXXXUNSAFE can be used
        to skip the checks; however, use with caution.

527. [func] New function dns_rdata_clone().

526. [bug] nsupdate incorrectly refused to add RRs with a TTL
        of 0.

525. [func] New arguments 'options' for dns_db_subtractrdataset(),
        and 'flags' for dns_rdataslab_subtract() allowing you
        to request that the RRs must exist prior to deletion.
        DNS_R_NOTEXACT is returned if the condition is not met.

524. [func] The 'forward' and 'forwarders' statement in
        non-forward zones should work now.

523. [doc] The source to the Administrator Reference Manual is
        now an XML file using the DocBook DTD, and is included
        in the distribution. The plain text version of the
        ARM is temporarily unavailable while we figure out
        how to generate readable plain text from the XML.

522. [func] The lightweight resolver daemon can now use
        a real configuration file, and its functionality
        can be provided by a name server. Also, the -p and -P
        options to lwresd have been reversed.

521. [bug] Detect master files which contain $INCLUDE and always
        reload. [RT #196]

520. [bug] Upgraded libtool to 1.3.5, which makes shared
        library builds almost work on AIX (and possibly
        others).

519. [bug] dns_name_split() would improperly split some bitstring
        labels, zeroing a few of the least significant bits in
        the prefix part. When such an improperly created
        prefix was returned to the RBT database, the bogus
        label was dutifully stored, corrupting the tree.
        [RT #369]

518. [bug] The resolver did not realize that a DNAME which was
        "the answer" to the client's query was "the answer",
        and such queries would fail. [RT #399]

517. [bug] The resolver's DNAME code would trigger an assertion
        if there was more than one DNAME in the chain.
        [RT #399]

516. [bug] Cache lookups which had a NULL node pointer, e.g.
        those by dns_view_find(), and which would match a
        DNAME, would trigger an INSIST(!search.need_cleanup)
        assertion. [RT #399]

515. [bug] The ssu table was not being attached / detached
        by dns_zone_[sg]etssutable. [RT #397]

514. [func] Retry refresh and notify queries if they time out.
        [RT #388]

513. [func] New functionality added to rndc and server to allow
        individual zones to be refreshed or reloaded.

512. [bug] The zone transfer code could throw an exception with
        an invalid IXFR stream.

511. [bug] The message code could throw an assertion on an
        out of memory failure. [RT #392]

510. [bug] Remove spurious view notify warning. [RT #376]

509. [func] Add support for write of zone files on shutdown.

508. [func] dns_message_parse() can now do a best-effort
        attempt, which should allow dig to print more invalid
        messages.

507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
        and dns_view_flushanddetach().

506. [func] Do not fail to start on errors in zone files.

505. [bug] nsupdate was printing "unknown result code". [RT #373]

504. [bug] The zone was not being marked as dirty when updated via
        IXFR.

503. [bug] dumptime was not being set along with
        DNS_ZONEFLG_NEEDDUMP.

502. [func] On a SERVFAIL reply, DiG will now try the next server
        in the list, unless the +fail option is specified.

501. [bug] Incorrect port numbers were being displayed by
        nslookup. [RT #352]

500. [func] Nearly useless +details option removed from DiG.

499. [func] In DiG, specifying a class with -c or type with -t
        changes command-line parsing so that classes and
        types are only recognized if following -c or -t.
        This allows hosts with the same name as a class or
        type to be looked up.

498.
[doc] There is now a man page for "dig"
        in doc/man/bin/dig.1.

497. [bug] The error messages printed when an IP match list
        contained a network address with a nonzero host
        part were not sufficiently detailed. [RT #365]

496. [bug] named didn't sanity check numeric parameters. [RT #361]

495. [bug] nsupdate was unable to handle large records. [RT #368]

494. [func] Do not cache NXDOMAIN responses for SOA queries.

493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
        for SOA queries. This makes it easier to locate
        the containing zone without polluting intermediate
        caches.

492. [bug] attempting to reload a zone caused the server to fail
        to shut down cleanly. [RT #360]

491. [bug] nsupdate would segfault when sending certain
        prerequisites with empty RDATA. [RT #356]

490. [func] When a slave/stub zone has not yet successfully
        obtained an SOA containing the zone's configured
        retry time, perform the SOA query retries using
        exponential backoff. [RT #337]

489. [func] The zone manager now has an "i/o" queue.

488. [bug] Locks weren't properly destroyed in some cases.

487. [port] flockfile() is not defined on all systems.

486. [bug] nslookup: "set all" and "server" commands showed
        the incorrect port number if a port other than 53
        was specified. [RT #352]

485. [func] When dig had more than one server to query, it would
        send all of the messages at the same time. Add
        rate limiting of the transmitted messages.

484. [bug] When the server was reloaded after removing addresses
        from the named.conf "listen-on" statement, sockets
        were still listening on the removed addresses due
        to reference count loops. [RT #325]

483. [bug] nslookup: "set all" showed a "search" option but it
        was not settable.

482. [bug] nslookup: a plain "server" or "lserver" should be
        treated as a lookup.

481. [bug] nslookup:get_next_command() stack size could exceed
        per thread limit.

480. [bug] strtok() is not thread safe. [RT #349]

479. [func] The test suite can now be run by typing "make check"
        or "make test" at the top level.

478. [bug] "make install" failed if the directory specified with
        --prefix did not already exist.

477. [bug] The isc-config.sh script could be installed before
        its directory was created. [RT #324]

476. [bug] A zone could expire while a zone transfer was in
        progress triggering an INSIST failure. [RT #329]

475. [bug] query_getzonedb() sometimes returned a non-null version
        on failure. This caused assertion failures when
        generating query responses where names subject to
        additional section processing pointed to a zone
        to which access had been denied by means of the
        allow-query option. [RT #336]

474. [bug] The mnemonic of the CHAOS class is CH according to
        RFC1035, but it was printed and read only as CHAOS.
        We now accept both forms as input, and print it
        as CH. [RT #305]

473. [bug] nsupdate overran the end of the list of name servers
        when no servers could be reached, typically causing
        it to print the error message "dns_request_create:
        not implemented".

472. [bug] Off-by-one error caused isc_time_add() to sometimes
        produce invalid time values.

471. [bug] nsupdate didn't compile on HP/UX 10.20.

470. [func] $GENERATE is now supported. See also
        doc/misc/migration.

469. [bug] "query-source address * port 53;" now works.

468. [bug] dns_master_load*() failed to report file and line
        number in certain error conditions.

467.
[bug] dns_master_load*() failed to log an error if 10124 pushfile() failed. 10125 10126 466. [bug] dns_master_load*() could return success when it failed. 10127 10128 465. [cleanup] Allow 0 to be set as an omapi_value_t value by 10129 omapi_value_storeint(). 10130 10131 464. [cleanup] Build with openssl's RSA code instead of dnssafe. 10132 10133 463. [bug] nsupdate sent malformed SOA queries to the second 10134 and subsequent name servers in resolv.conf if the 10135 query sent to the first one failed. 10136 10137 462. [bug] --disable-ipv6 should work now. 10138 10139 461. [bug] Specifying an unknown key in the "keys" clause of the 10140 "controls" statement caused a NULL pointer dereference. 10141 [RT #316] 10142 10143 460. [bug] Much of the DNSSEC code only worked with class IN. 10144 10145 459. [bug] Nslookup processed the "set" command incorrectly. 10146 10147 458. [bug] Nslookup didn't properly check class and type values. 10148 [RT #305] 10149 10150 457. [bug] Dig/host/hslookup didn't properly handle connect 10151 timeouts in certain situations, causing an 10152 unnecessary warning message to be printed. 10153 10154 456. [bug] Stub zones were not resetting the refresh and expire 10155 counters, loadtime or clearing the DNS_ZONE_REFRESH 10156 (refresh in progress) flag upon successful update. 10157 This disabled further refreshing of the stub zone, 10158 causing it to eventually expire. [RT #300] 10159 10160 455. [doc] Document IPv4 prefix notation does not require a 10161 dotted decimal quad but may be just dotted decimal. 10162 10163 454. [bug] Enforce dotted decimal and dotted decimal quad where 10164 documented as such in named.conf. [RT #304, RT #311] 10165 10166 453. [bug] Warn if the obsolete option "maintain-ixfr-base" 10167 is specified in named.conf. [RT #306] 10168 10169 452. [bug] Warn if the unimplemented option "statistics-file" 10170 is specified in named.conf. [RT #301] 10171 10172 451. [func] Update forwarding implemented. 10173 10174 450. 
[func] New function ns_client_sendraw(). 10175 10176 449. [bug] isc_bitstring_copy() only works correctly if the 10177 two bitstrings have the same lsb0 value, but this 10178 requirement was not documented, nor was there a 10179 REQUIRE for it. 10180 10181 448. [bug] Host output formatting change, to match v8. [RT #255] 10182 10183 447. [bug] Dig didn't properly retry in TCP mode after 10184 a truncated reply. [RT #277] 10185 10186 446. [bug] Confusing notify log message. [RT #298] 10187 10188 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0 10189 bitstring triggered a REQUIRE statement. The REQUIRE 10190 statement was incorrect. [RT #297] 10191 10192 444. [func] "recursion denied" messages are always logged at 10193 debug level 1, now, rather than sometimes at ERROR. 10194 This silences these warnings in the usual case, where 10195 some clients set the RD bit in all queries. 10196 10197 443. [bug] When loading a master file failed because of an 10198 unrecognized RR type name, the error message 10199 did not include the file name and line number. 10200 [RT #285] 10201 10202 442. [bug] TSIG signed messages that did not match any view 10203 crashed the server. [RT #290] 10204 10205 441. [bug] Nodes obscured by a DNAME were inaccessible even 10206 when DNS_DBFIND_GLUEOK was set. 10207 10208 440. [func] New function dns_zone_forwardupdate(). 10209 10210 439. [func] New function dns_request_createraw(). 10211 10212 438. [func] New function dns_message_getrawmessage(). 10213 10214 437. [func] Log NOTIFY activity to the notify channel. 10215 10216 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH, 10217 which sometimes happens on Linux, named would enter 10218 a busy loop. Also, unexpected socket errors were 10219 not logged at a high enough logging level to be 10220 useful in diagnosing this situation. [RT #275] 10221 10222 435. [bug] dns_zone_dump() overwrote existing zone files 10223 rather than writing to a temporary file and 10224 renaming. 
This could lead to empty or partial 10225 zone files being left around in certain error 10226 conditions involving the initial transfer of a 10227 slave zone, interfering with subsequent server 10228 startup. [RT #282] 10229 10230 434. [func] New function isc_file_isabsolute(). 10231 10232 433. [func] isc_base64_decodestring() now accepts newlines 10233 within the base64 data. This makes it possible 10234 to break up the key data in a "trusted-keys" 10235 statement into multiple lines. [RT #284] 10236 10237 432. [func] Added refresh/retry jitter. The actual refresh/ 10238 retry time is now a random value between 75% and 10239 100% of the configured value. 10240 10241 431. [func] Log at ISC_LOG_INFO when a zone is successfully 10242 loaded. 10243 10244 430. [bug] Rewrote the lightweight resolver client management 10245 code to handle shutdown correctly and general 10246 cleanup. 10247 10248 429. [bug] The space reserved for a TSIG record in a response 10249 was 2 bytes too short, leading to message 10250 generation failures. 10251 10252 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned 10253 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT 10254 (e.g. glue). This could cause SERVFAILs when 10255 generating negative responses in a secure zone. 10256 10257 427. [bug] Avoid going into an infinite loop when the validator 10258 gets a negative response to a key query where the 10259 records are signed by the missing key. 10260 10261 426. [bug] Attempting to generate an oversized RSA key could 10262 cause dnssec-keygen to dump core. 10263 10264 425. [bug] Warn about the auth-nxdomain default value change 10265 if there is no auth-nxdomain statement in the 10266 config file. [RT #287] 10267 10268 424. [bug] notify_createmessage() could trigger an assertion 10269 failure when creating the notify message failed, 10270 e.g. due to corrupt zones with multiple SOA records. 10271 [RT #279] 10272 10273 423. 
[bug] When responding to a recursive query, errors that occur 10274 after following a CNAME should cause the query to fail. 10275 [RT #274] 10276 10277 422. [func] get rid of isc_random_t, and make isc_random_get() 10278 and isc_random_jitter() use rand() internally 10279 instead of local state. Note that isc_random_*() 10280 functions are only for weak, non-critical "randomness" 10281 such as timing jitter and such. 10282 10283 421. [bug] nslookup would exit when given a blank line as input. 10284 10285 420. [bug] nslookup failed to implement the "exit" command. 10286 10287 419. [bug] The certificate type PKIX was misspelled as SKIX. 10288 10289 418. [bug] At debug levels >= 10, getting an unexpected 10290 socket receive error would crash the server 10291 while trying to log the error message. 10292 10293 417. [func] Add isc_app_block() and isc_app_unblock(), which 10294 allow an application to handle signals while 10295 blocking. 10296 10297 416. [bug] Slave zones with no master file tried to use a 10298 NULL pointer for a journal file name when they 10299 received an IXFR. [RT #273] 10300 10301 415. [bug] The logging code leaked file descriptors. 10302 10303 414. [bug] Server did not shut down until all incoming zone 10304 transfers were finished. 10305 10306 413. [bug] Notify could attempt to use the zone database after 10307 it had been unloaded. [RT#267] 10308 10309 412. [bug] named -v didn't print the version. 10310 10311 411. [bug] A typo in the HS A code caused an assertion failure. 10312 10313 410. [bug] lwres_gethostbyname() and company set lwres_h_errno 10314 to a random value on success. 10315 10316 409. [bug] If named was shut down early in the startup 10317 process, ns_omapi_shutdown() would attempt to lock 10318 an uninitialized mutex. [RT #262] 10319 10320 408. [bug] stub zones could leak memory and reference counts if 10321 all the masters were unreachable. 10322 10323 407. 
[bug] isc_rwlock_lock() would needlessly block 10324 readers when it reached the read quota even 10325 if no writers were waiting. 10326 10327 406. [bug] Log messages were occasionally lost or corrupted 10328 due to a race condition in isc_log_doit(). 10329 10330 405. [func] Add support for selective forwarding (forward zones) 10331 10332 404. [bug] The request library didn't completely work with IPv6. 10333 10334 403. [bug] "host" did not use the search list. 10335 10336 402. [bug] Treat undefined acls as errors, rather than 10337 warning and then later throwing an assertion. 10338 [RT #252] 10339 10340 401. [func] Added simple database API. 10341 10342 400. [bug] SIG(0) signing and verifying was done incorrectly. 10343 [RT #249] 10344 10345 399. [bug] When reloading the server with a config file 10346 containing a syntax error, it could catch an 10347 assertion failure trying to perform zone 10348 maintenance on, or sending notifies from, 10349 tentatively created zones whose views were 10350 never fully configured and lacked an address 10351 database and request manager. 10352 10353 398. [bug] "dig" sometimes caught an assertion failure when 10354 using TSIG, depending on the key length. 10355 10356 397. [func] Added utility functions dns_view_gettsig() and 10357 dns_view_getpeertsig(). 10358 10359 396. [doc] There is now a man page for "nsupdate" 10360 in doc/man/bin/nsupdate.8. 10361 10362 395. [bug] nslookup printed incorrect RR type mnemonics 10363 for RRs of type >= 21 [RT #237]. 10364 10365 394. [bug] Current name was not propagated via $INCLUDE. 10366 10367 393. [func] Initial answer while loading (awl) support. 10368 Entry points: dns_master_loadfileinc(), 10369 dns_master_loadstreaminc(), dns_master_loadbufferinc(). 10370 Note: calls to dns_master_load*inc() should be rate 10371 be rate limited so as to not use up all file 10372 descriptors. 10373 10374 392. [func] Add ISC_R_FAMILYNOSUPPORT. 
Returned when OS does 10375 not support the given address family requested. 10376 10377 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH. 10378 10379 390. [func] The function dns_zone_setdbtype() now takes 10380 an argc/argv style vector of words and sets 10381 both the zone database type and its arguments, 10382 making the functions dns_zone_adddbarg() 10383 and dns_zone_cleardbargs() unnecessary. 10384 10385 389. [bug] Attempting to send a request over IPv6 using 10386 dns_request_create() on a system without IPv6 10387 support caused an assertion failure [RT #235]. 10388 10389 388. [func] dig and host can now do reverse ipv6 lookups. 10390 10391 387. [func] Add dns_byaddr_createptrname(), which converts 10392 an address into the name used by a PTR query. 10393 10394 386. [bug] Missing strdup() of ACL name caused random 10395 ACL matching failures [RT #228]. 10396 10397 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(), 10398 and dns_zt_print(). 10399 10400 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead 10401 of 2147483647. 10402 10403 383. [func] When writing a master file, print the SOA and NS 10404 records (and their SIGs) before other records. 10405 10406 382. [bug] named -u failed on many Linux systems where the 10407 libc provided kernel headers do not match 10408 the current kernel. 10409 10410 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of 10411 IPV6_PKTINFO if found. [RT #229] 10412 10413 380. [bug] nsupdate didn't work with IPv6. 10414 10415 379. [func] New library function isc_sockaddr_anyofpf(). 10416 10417 378. [func] named and lwresd will log the command line arguments 10418 they were started with in the "starting ..." message. 10419 10420 377. [bug] When additional data lookups were refused due to 10421 "allow-query", the databases were still being 10422 attached causing reference leaks. 10423 10424 376. 
[bug] The server should always use good entropy when 10425 performing cryptographic functions needing entropy. 10426 10427 375. [bug] Per-zone "allow-query" did not properly override the 10428 view/global one for CNAME targets and additional 10429 data [RT #220]. 10430 10431 374. [bug] SOA in authoritative negative responses had wrong TTL. 10432 10433 373. [func] nslookup is now installed by "make install". 10434 10435 372. [bug] Deal with Microsoft DNS servers appending two bytes of 10436 garbage to zone transfer requests. 10437 10438 371. [bug] At high debug levels, doing an outgoing zone transfer 10439 of a very large RRset could cause an assertion failure 10440 during logging. 10441 10442 370. [bug] The error messages for roll-forward failures were 10443 overly terse. 10444 10445 369. [func] Support new named.conf options, view and zone 10446 statements: 10447 10448 max-retry-time, min-retry-time, 10449 max-refresh-time, min-refresh-time. 10450 10451 368. [func] Restructure the internal ".bind" view so that more 10452 zones can be added to it. 10453 10454 367. [bug] Allow proper selection of server on nslookup command 10455 line. 10456 10457 366. [func] Allow use of '-' batch file in dig for stdin. 10458 10459 365. [bug] nsupdate -k leaked memory. 10460 10461 364. [func] Added additional-from-{cache,auth} 10462 10463 363. [placeholder] 10464 10465 362. [bug] rndc no longer aborts if the configuration file is 10466 missing an options statement. [RT #209] 10467 10468 361. [func] When the RBT find or chain functions set the name and 10469 origin for a node that stores the root label 10470 the name is now set to an empty name, instead of ".", 10471 to simplify later use of the name and origin by 10472 dns_name_concatenate(), dns_name_totext() or 10473 dns_name_format(). 10474 10475 360. [func] dns_name_totext() and dns_name_format() now allow 10476 an empty name to be passed, which is formatted as "@". 10477 10478 359. 
[bug] dnssec-signzone occasionally signed glue records. 10479 10480 358. [cleanup] Rename the intermediate files used by the dnssec 10481 programs. 10482 10483 357. [bug] The zone file parser crashed if the argument 10484 to $INCLUDE was a quoted string. 10485 10486 356. [cleanup] isc_task_send no longer requires event->sender to 10487 be non-null. 10488 10489 355. [func] Added isc_dir_createunique(), similar to mkdtemp(). 10490 10491 354. [doc] Man pages for the dnssec tools are now included in 10492 the distribution, in doc/man/dnssec. 10493 10494 353. [bug] double increment in lwres/gethost.c:copytobuf(). 10495 [RT# 187] 10496 10497 352. [bug] Race condition in dns_client_t startup could cause 10498 an assertion failure. 10499 10500 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG 10501 signed query could crash the server. 10502 10503 350. [bug] Also-notify lists specified in the global options 10504 block were not correctly reference counted, causing 10505 a memory leak. 10506 10507 349. [bug] Processing a query with the CD bit set now works 10508 as expected. 10509 10510 348. [func] New boolean named.conf options 'additional-from-auth' 10511 and 'additional-from-cache' now supported in view and 10512 global options statement. 10513 10514 347. [bug] Don't crash if an argument is left off options in dig. 10515 10516 346. [placeholder] 10517 10518 345. [bug] Large-scale changes/cleanups to dig: 10519 * Significantly improve structure handling 10520 * Don't pre-load entire batch files 10521 * Add name/rr counting/limiting 10522 * Fix SIGINT handling 10523 * Shorten timeouts to match v8's behavior 10524 10525 344. [bug] When shutting down, lwresd sometimes tried 10526 to shut down its client tasks twice, 10527 triggering an assertion. 10528 10529 343. [bug] Although zone maintenance SOA queries and 10530 notify requests were signed with TSIG keys 10531 when configured for the server in case, 10532 the TSIG was not verified on the response. 

342. [bug]      The wrong name was being passed to
                dns_name_dup() when generating a TSIG
                key using TKEY.

341. [func]     Support 'key' clause in named.conf zone masters
                statement to allow authentication via TSIG keys:

                        masters {
                                10.0.0.1 port 5353 key "foo";
                                10.0.0.2 ;
                        };

340. [bug]      The top-level COPYRIGHT file was missing from
                the distribution.

339. [bug]      DNSSEC validation of the response to an ANY
                query at a name with a CNAME RR in a secure
                zone triggered an assertion failure.

338. [bug]      lwresd logged to syslog as named, not lwresd.

337. [bug]      "dig" did not recognize "nsap-ptr" as an RR type
                on the command line.

336. [bug]      "dig -f" used 64 k of memory for each line in
                the file. It now uses much less, though still
                proportionally to the file size.

335. [bug]      named would occasionally attempt recursion when
                it was disallowed or undesired.

334. [func]     Added hmac-md5 to libisc.

333. [bug]      The resolver incorrectly accepted referrals to
                domains that were not parents of the query name,
                causing assertion failures.

332. [func]     New function dns_name_reset().

331. [bug]      Only log "recursion denied" if RD is set. [RT #178]

330. [bug]      Many debugging messages were partially formatted
                even when debugging was turned off, causing a
                significant decrease in query performance.

329. [func]     omapi_auth_register() now takes a size_t argument for
                the length of a key's secret data. Previously
                OMAPI only stored secrets up to the first NUL byte.

328. [func]     Added isc_base64_decodestring().

327. [bug]      rndc.conf parser wasn't correctly recognizing an IP
                address where a host specification was required.

326. [func]     'keys' in an 'inet' control statement is now
                required and must have at least one item in it.
                A "not supported" warning is now issued if a 'unix'
                control channel is defined.

325. [bug]      isc_lex_gettoken was processing octal strings when
                ISC_LEXOPT_CNUMBER was not set.

324. [func]     In the resolver, turn EDNS0 off if there is no
                response after a number of retransmissions.
                This is to allow queries some chance of succeeding
                even if all the authoritative servers of a zone
                silently discard EDNS0 requests instead of
                sending an error response like they ought to.

323. [bug]      dns_rbt_findname() did not ignore empty rbt nodes.
                Because of this, servers authoritative for a parent
                and grandchild zone but not authoritative for the
                intervening child zone did not correctly issue
                referrals to the servers of the child zone.

322. [bug]      Queries for KEY RRs are now sent to the parent
                server before the authoritative one, making
                DNSSEC insecurity proofs work in many cases
                where they previously didn't.

321. [bug]      When synthesizing a CNAME RR for a DNAME
                response, query_addcname() failed to initialize
                the type and class of the CNAME dns_rdata_t,
                causing random failures.

320. [func]     Multiple rndc changes: parses an rndc.conf file,
                uses authentication to talk to named, command
                line syntax changed. This will all be described
                in the ARM.

319. [func]     The named.conf "controls" statement is now used
                to configure the OMAPI command channel.

318. [func]     dns_c_ndcctx_destroy() could never return anything
                except ISC_R_SUCCESS; made it have void return instead.

317. [func]     Use callbacks from libomapi to determine if a
                new connection is valid, and if a key requested
                to be used with that connection is valid.

316. [bug]      Generate a warning if we detect an unexpected <eof>
                but treat as <eol><eof>.

315. [bug]      Handle non-empty blank lines. [RT #163]

314. [func]     The named.conf controls statement can now have
                more than one key specified for the inet clause.

313. [bug]      When parsing resolv.conf, don't terminate on an
                error. Instead, parse as much as possible, but
                still return an error if one was found.

312. [bug]      Increase the number of allowed elements in the
                resolv.conf search path from 6 to 8. If there
                are more than this, ignore the remainder rather
                than returning a failure in lwres_conf_parse.

311. [bug]      lwres_conf_parse failed when the first line of
                resolv.conf was empty or a comment.

310. [func]     Changes to named.conf "controls" statement (inet
                subtype only)

                  - support "keys" clause

                        controls {
                           inet * port 1024
                                allow { any; } keys { "foo"; }
                        }

                  - allow "port xxx" to be left out of statement,
                    in which case it defaults to omapi's default port
                    of 953.

309. [bug]      When sending a referral, the server did not look
                for name server addresses as glue in the zone
                holding the NS RRset in the case where this zone
                was not the same as the one where it looked for
                name server addresses as authoritative data.

308. [bug]      Treat a SOA record not at top of zone as an error
                when loading a zone. [RT #154]

307. [bug]      When canceling a query, the resolver didn't check for
                isc_socket_sendto() calls that did not yet have their
                completion events posted, so it could (rarely) end up
                destroying the query context and then want to use
                it again when the send event posted, triggering an
                assertion as it tried to cancel an already-canceled
                query. [RT #77]

306. [bug]      Reading HMAC-MD5 private key files didn't work.

305. [bug]      When reloading the server with a config file
                containing a syntax error, it could catch an
                assertion failure trying to perform zone
                maintenance on tentatively created zones whose
                views were never fully configured and lacked
                an address database.

304. [bug]      If more than LWRES_CONFMAXNAMESERVERS servers
                are listed in resolv.conf, silently ignore them
                instead of returning failure.

303. [bug]      Add additional sanity checks to differentiate an AXFR
                response vs an IXFR response. [RT #157]

302. [bug]      In dig, host, and nslookup, MXNAME should be large
                enough to hold any legal domain name in presentation
                format + terminating NULL.

301. [bug]      Uninitialized pointer in host:printmessage(). [RT #159]

300. [bug]      Using both <isc/net.h> and <lwres/net.h> didn't work
                on platforms lacking IPv6 because each included their
                own ipv6 header file for the missing definitions. Now
                each library's ipv6.h defines the wrapper symbol of
                the other (ISC_IPV6_H and LWRES_IPV6_H).

299. [cleanup]  Get the user and group information before changing the
                root directory, so the administrator does not need to
                keep a copy of the user and group databases in the
                chroot'ed environment. Suggested by Hakan Olsson.

298. [bug]      A mutex deadlock occurred during shutdown of the
                interface manager under certain conditions.
                Digital Unix systems were the most affected.

297. [bug]      Specifying a key name that wasn't fully qualified
                in certain parts of the config file could cause
                an assertion failure.

296. [bug]      "make install" from a separate build directory
                failed unless configure had been run in the source
                directory, too.

295. [bug]      When invoked with type==CNAME and a message
                not constructed by dns_message_parse(),
                dns_message_findname() failed to find anything
                due to checking for attribute bits that are set
                only in dns_message_parse(). This caused an
                infinite loop when constructing the response to
                an ANY query at a CNAME in a secure zone.

294. [bug]      If we run out of space in while processing glue
                when reading a master file and commit "current name"
                reverts to "name_current" instead of staying as
                "name_glue".

293. [port]     Add support for FreeBSD 4.0 system tests.

292. [bug]      Due to problems with the way some operating systems
                handle simultaneous listening on IPv4 and IPv6
                addresses, the server no longer listens on IPv6
                addresses by default. To revert to the previous
                behavior, specify "listen-on-v6 { any; };" in
                the config file.

291. [func]     Caching servers no longer send outgoing queries
                over TCP just because the incoming recursive query
                was a TCP one.

290. [cleanup]  +twiddle option to dig (for testing only) removed.

289. [cleanup]  dig is now installed in $bindir instead of $sbindir.
                host is now installed in $bindir. (Be sure to remove
                any $sbindir/dig from a previous release.)

288. [func]     rndc is now installed by "make install" into $sbindir.

287. [bug]      rndc now works again as "rndc 127.1 reload" (for
                only that task). Parsing its configuration file and
                using digital signatures for authentication has been
                disabled until named supports the "controls" statement,
                post-9.0.0.

286. [bug]      On Solaris 2, when named inherited a signal state
                where SIGHUP had the SIG_IGN action, SIGHUP would
                be ignored rather than causing the server to reload
                its configuration.

285. [bug]      A change made to the dst API for beta4 inadvertently
                broke OMAPI's creation of a dst key from an incoming
                message, causing an assertion to be triggered. Fixed.

284. [func]     The DNSSEC key generation and signing tools now
                generate randomness from keyboard input on systems
                that lack /dev/random.

283. [cleanup]  The 'lwresd' program is now a link to 'named'.

282. [bug]      The lexer now returns ISC_R_RANGE if parsed integer is
                too big for an unsigned long.

281. [bug]      Fixed list of recognized config file category names.

280. [func]     Add isc-config.sh, which can be used to more
                easily build applications that link with
                our libraries.

279. [bug]      Private omapi function symbols shared between
                two or more files in libomapi.a were not namespace
                protected using the ISC convention of starting with
                the library name and two underscores ("omapi__"...)

278. [bug]      bin/named/logconf.c:category_fromconf() didn't take
                note of when isc_log_categorybyname() wasn't able
                to find the category name and would then apply the
                channel list of the unknown category to all categories.

277. [bug]      isc_log_categorybyname() and isc_log_modulebyname()
                would fail to find the first member of any category
                or module array apart from the internal defaults.
                Thus, for example, the "notify" category was improperly
                configured by named.

276. [bug]      dig now supports maximum sized TCP messages.

275. [bug]      The definition of lwres_gai_strerror() was missing
                the lwres_ prefix.

274. [bug]      TSIG AXFR verify failed when talking to a BIND 8
                server.

273. [func]     The default for the 'transfer-format' option is
                now 'many-answers'. This will break zone transfers
                to BIND 4.9.5 and older unless there is an explicit
                'one-answer' configuration.

272. [bug]      The sending of large TCP responses was canceled
                in mid-transmission due to a race condition
                caused by the failure to set the client object's
                "newstate" variable correctly when transitioning
                to the "working" state.

271. [func]     Attempt to probe the number of cpus in named
                if unspecified rather than defaulting to 1.

270. [func]     Allow maximum sized TCP answers.

269. [bug]      Failed DNSSEC validations could cause an assertion
                failure by causing clone_results() to be called
                with hevent->node == NULL.

268. [doc]      A plain text version of the Administrator
                Reference Manual is now included in the distribution,
                as doc/arm/Bv9ARM.txt.

267. [func]     Nsupdate is now provided in the distribution.

266. [bug]      zone.c:save_nsrrset() node was not initialized.

265. [bug]      dns_request_create() now works for TCP.

264. [func]     Dispatch can not take TCP sockets in connecting
                state. Set DNS_DISPATCHATTR_CONNECTED when calling
                dns_dispatch_createtcp() for connected TCP sockets
                or call dns_dispatch_starttcp() when the socket is
                connected.

263. [func]     New logging channel type 'stderr'

                        channel some-name {
                                stderr;
                                severity error;
                        }

262. [bug]      'master' was not initialized in zone.c:stub_callback().

261. [func]     Add dns_zone_markdirty().

260. [bug]      Running named as a non-root user failed on Linux
                kernels new enough to support retaining capabilities
                after setuid().

259. [func]     New random-device and random-seed-file statements
                for global options block of named.conf. Both accept
                a single string argument.

258. [bug]      Fixed printing of lwres_addr_t.address field.

257. [bug]      The server detached the last zone manager reference
                too early, while it could still be in use by queries.
                This manifested itself as assertion failures during the
                shutdown process for busy name servers. [RT #133]

256. [func]     isc_ratelimiter_t now has attach/detach semantics, and
                isc_ratelimiter_shutdown guarantees that the rate
                limiter is detached from its task.

255. [func]     New function dns_zonemgr_attach().

254. [bug]      Suppress "query denied" messages on additional data
                lookups.

        --- 9.0.0b4 released ---

253. [func]     resolv.conf parser now recognizes ';' and '#' as
                comments (anywhere in line, not just as the beginning).

252. [bug]      resolv.conf parser mishandled masks on sortlists.
                It also aborted when an unrecognized keyword was seen,
                now it silently ignores the entire line.

251. [bug]      lwresd caught an assertion failure on startup.

250. [bug]      fixed handling of size+unit when value would be too
                large for internal representation.

249. [cleanup]  max-cache-size config option now takes a size-spec
                like 'datasize', except 'default' is not allowed.

248. [bug]      global lame-ttl option was not being printed when
                config structures were written out.

247. [cleanup]  Rename cache-size config option to max-cache-size.

246. [func]     Rename global option cachesize to cache-size and
                add corresponding option to view statement.

245. [bug]      If an uncompressed name will take more than 255
                bytes and the buffer is sufficiently long,
                dns_name_fromwire should return DNS_R_FORMERR,
                not ISC_R_NOSPACE. This bug caused the
                server to catch an assertion failure when it
                received a query for a name longer than 255
                bytes.

244. [bug]      empty named.conf file and empty options statement are
                now parsed properly.

243. [func]     new cachesize option for named.conf

242. [cleanup]  fixed incorrect warning about auth-nxdomain usage.

241. [cleanup]  nscount and soacount have been removed from the
                dns_master_*() argument lists.

240. [func]     databases now come in three flavours: zone, cache
                and stub.

239. [func]     If ISC_MEM_DEBUG is enabled, the variable
                isc_mem_debugging controls whether messages
                are printed or not.

238. [cleanup]  A few more compilation warnings have been quieted:
                + missing sigwait prototype on BSD/OS 4.0/4.0.1.
                + PTHREAD_ONCE_INIT unbraced initializer warnings on
                  Solaris 2.8.
                + IN6ADDR_ANY_INIT unbraced initializer warnings on
                  BSD/OS 4.*, Linux and Solaris 2.8.

237. [bug]      If connect() returned ENOBUFS when the resolver was
                initiating a TCP query, the socket didn't get
                destroyed, and the server did not shut down cleanly.

236. [func]     Added new listen-on-v6 config file statement.

235. [func]     Consider it a config file error if a listen-on
                statement has an IPv6 address in it, or a
                listen-on-v6 statement has an IPv4 address in it.

234. [bug]      Allow a trusted-key's first field (domain-name) be
                either a quoted or an unquoted string, instead of
                requiring a quoted string.

233. [cleanup]  Convert all config structure integer values to unsigned
                integer (isc_uint32_t) to match grammar.

232. [bug]      Allow slave zones to not have a file.

231. [func]     Support new 'port' clause in config file options
                section. Causes 'listen-on', 'masters' and
                'also-notify' statements to use its value instead of
                default (53).

230. [func]     Replace the dst sign/verify API with a cleaner one.

229. [func]     Support config file sig-validity-interval statement
                in options, views and zone statements (master
                zones only).

228. [cleanup]  Logging messages in config module stripped of
                trailing period.

227. [cleanup]  The enumerated identifiers dns_rdataclass_*,
                dns_rcode_*, dns_opcode_*, and dns_trust_* are
                also now cast to their appropriate types, as with
                dns_rdatatype_* in item number 225 below.

226. [func]     dns_name_totext() now always prints the root name as
                '.', even when omit_final_dot is true.

225. [cleanup]  The enumerated dns_rdatatype_* identifiers are now
                cast to dns_rdatatype_t via macros of their same name
                so that they are of the proper integral type wherever
                a dns_rdatatype_t is needed.

224. [cleanup]  The entire project builds cleanly with gcc's
                -Wcast-qual and -Wwrite-strings warnings enabled,
                which is now the default when using gcc. (Warnings
                from confparser.c, because of yacc's code, are
                unfortunately to be expected.)

223. [func]     Several functions were re-prototyped to qualify one
                or more of their arguments with "const". Similarly,
                several functions that return pointers now have
                those pointers qualified with const.

222. [bug]      The global 'also-notify' option was ignored.

221. [bug]      An uninitialized variable was sometimes passed to
                dns_rdata_freestruct() when loading a zone, causing
                an assertion failure.

220. [cleanup]  Set the default outgoing port in the view, and
                set it in sockaddrs returned from the ADB.
                [31-May-2000 explorer]

219. [bug]      Signed truncated messages more correctly follow
                the respective specs.

218. [func]     When an rdataset is signed, its ttl is normalized
                based on the signature validity period.

217. [func]     Also-notify and trusted-keys can now be used in
                the 'view' statement.

216. [func]     The 'max-cache-ttl' and 'max-ncache-ttl' options
                now work.

215. [bug]      Failures at certain points in request processing
                could cause the assertion INSIST(client->lockview
                == NULL) to be triggered.

214. [func]     New public function isc_netaddr_format(), for
                formatting network addresses in log messages.

213. [bug]      Don't leak memory when reloading the zone if
                an update-policy clause was present in the old zone.

212. [func]     Added dns_message_get/settsigkey, to make TSIG
                key management reasonable.

211. [func]     The 'key' and 'server' statements can now occur
                inside 'view' statements.

210. [bug]      The 'allow-transfer' option was ignored for slave
                zones, and the 'transfers-per-ns' option
                was ignored for all zones.

209. [cleanup]  Upgraded openssl files to new version 0.9.5a

208. [func]     Added ISC_OFFSET_MAXIMUM for the maximum value
                of an isc_offset_t.

207. [func]     The dnssec tools properly use the logging subsystem.

206. [cleanup]  dst now stores the key name as a dns_name_t, not
                a char *.

205. [cleanup]  On IRIX, turn off the mostly harmless warnings 1692
                ("prototyped function redeclared without prototype")
                and 1552 ("variable ... set but not used") when
                compiling in the lib/dns/sec/{dnssafe,openssl}
                directories, which contain code imported from outside
                sources.

204. [cleanup]  On HP/UX, pass +vnocompatwarnings to the linker
                to quiet the warnings that "The linked output may not
                run on a PA 1.x system."

203. [func]     notify and zone soa queries are now tsig signed when
                appropriate.

202. [func]     isc_lex_getsourceline() changed from returning int
                to returning unsigned long, the type of its underlying
                counter.

201. [cleanup]  Removed the test/sdig program, it has been
                replaced by bin/dig/dig.

        --- 9.0.0b3 released ---

200.
[bug] Failures in sending query responses to clients 11079 (e.g., running out of network buffers) were 11080 not logged. 11081 11082 199. [bug] isc_heap_delete() sometimes violated the heap 11083 invariant, causing timer events not to be posted 11084 when due. 11085 11086 198. [func] Dispatch managers hold memory pools which 11087 any managed dispatcher may use. This allows 11088 us to avoid dipping into the memory context for 11089 most allocations. [19-May-2000 explorer] 11090 11091 197. [bug] When an incoming AXFR or IXFR completes, the 11092 zone's internal state is refreshed from the 11093 SOA data. [19-May-2000 explorer] 11094 11095 196. [func] Dispatchers can be shared easily between views 11096 and/or interfaces. [19-May-2000 explorer] 11097 11098 195. [bug] Including the NXT record of the root domain 11099 in a negative response caused an assertion 11100 failure. 11101 11102 194. [doc] The PDF version of the Administrator's Reference 11103 Manual is no longer included in the ISC BIND9 11104 distribution. 11105 11106 193. [func] changed dst_key_free() prototype. 11107 11108 192. [bug] Zone configuration validation is now done at end 11109 of config file parsing, and before loading 11110 callbacks. 11111 11112 191. [func] Patched to compile on UnixWare 7.x. This platform 11113 is not directly supported by the ISC. 11114 11115 190. [cleanup] The DNSSEC tools have been moved to a separate 11116 directory dnssec/ and given the following new, 11117 more descriptive names: 11118 11119 dnssec-keygen 11120 dnssec-signzone 11121 dnssec-signkey 11122 dnssec-makekeyset 11123 11124 Their command line arguments have also been changed to 11125 be more consistent. dnssec-keygen now prints the 11126 name of the generated key files (sans extension) 11127 on standard output to simplify its use in automated 11128 scripts. 11129 11130 189. 
[func] isc_time_secondsastimet(), a new function, will ensure 11131 that the number of seconds in an isc_time_t does not 11132 exceed the range of a time_t, or return ISC_R_RANGE. 11133 Similarly, isc_time_now(), isc_time_nowplusinterval(), 11134 isc_time_add() and isc_time_subtract() now check the 11135 range for overflow/underflow. In the case of 11136 isc_time_subtract, this changed a calling requirement 11137 (ie, something that could generate an assertion) 11138 into merely a condition that returns an error result. 11139 isc_time_add() and isc_time_subtract() were void- 11140 valued before but now return isc_result_t. 11141 11142 188. [func] Log a warning message when an incoming zone transfer 11143 contains out-of-zone data. 11144 11145 187. [func] isc_ratelimiter_enqueue() has an additional argument 11146 'task'. 11147 11148 186. [func] dns_request_getresponse() has an additional argument 11149 'preserve_order'. 11150 11151 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several 11152 public functions did not have an isc__ prefix, and 11153 referred to functions that had previously been 11154 renamed. 11155 11156 184. [cleanup] Variables/functions which began with two leading 11157 underscores were made to conform to the ANSI/ISO 11158 standard, which says that such names are reserved. 11159 11160 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful 11161 for logging the program name or other identifier. 11162 11163 182. [cleanup] New command-line parameters for dnssec tools 11164 11165 181. [func] Added dst_key_buildfilename and dst_key_parsefilename 11166 11167 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE. 11168 11169 179. [func] options named.conf statement *must* now come 11170 before any zone or view statements. 11171 11172 178. [func] Post-load of named.conf check verifies a slave zone 11173 has non-empty list of masters defined. 11174 11175 177. 
[func] New per-zone boolean: 11176 11177 enable-zone yes | no ; 11178 11179 intended to let a zone be disabled without having 11180 to comment out the entire zone statement. 11181 11182 176. [func] New global and per-view option: 11183 11184 max-cache-ttl number 11185 11186 175. [func] New global and per-view option: 11187 11188 additional-data internal | minimal | maximal; 11189 11190 174. [func] New public function isc_sockaddr_format(), for 11191 formatting socket addresses in log messages. 11192 11193 173. [func] Keep a queue of zones waiting for zone transfer 11194 quota so that a new transfer can be dispatched 11195 immediately whenever quota becomes available. 11196 11197 172. [bug] $TTL directive was sometimes missing from dumped 11198 master files because totext_ctx_init() failed to 11199 initialize ctx->current_ttl_valid. 11200 11201 171. [cleanup] On NetBSD systems, the mit-pthreads or 11202 unproven-pthreads library is now always used 11203 unless --with-ptl2 is explicitly specified on 11204 the configure command line. The 11205 --with-mit-pthreads option is no longer needed 11206 and has been removed. 11207 11208 170. [cleanup] Remove inter server consistency checks from zone, 11209 these should return as a separate module in 9.1. 11210 dns_zone_checkservers(), dns_zone_checkparents(), 11211 dns_zone_checkchildren(), dns_zone_checkglue(). 11212 11213 Remove dns_zone_setadb(), dns_zone_setresolver(), 11214 dns_zone_setrequestmgr() these should now be found 11215 via the view. 11216 11217 169. [func] ratelimiter can now process N events per interval. 11218 11219 168. [bug] include statements in named.conf caused syntax errors 11220 due to not consuming the semicolon ending the include 11221 statement before switching input streams. 11222 11223 167. [bug] Make lack of masters for a slave zone a soft error. 11224 11225 166. 
[bug] Keygen was overwriting existing keys if key_id 11226 conflicted, now it will retry, and non-null keys 11227 with key_id == 0 are not generated anymore. Key 11228 was not able to generate NOAUTHCONF DSA key, 11229 increased RSA key size to 2048 bits. 11230 11231 165. [cleanup] Silence "end-of-loop condition not reached" warnings 11232 from Solaris compiler. 11233 11234 164. [func] Added functions isc_stdio_open(), isc_stdio_close(), 11235 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(), 11236 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove() 11237 to encapsulate nonportable usage of errno and sync. 11238 11239 163. [func] Added result codes ISC_R_FILENOTFOUND and 11240 ISC_R_FILEEXISTS. 11241 11242 162. [bug] Ensure proper range for arguments to ctype.h functions. 11243 11244 161. [cleanup] error in yyparse prototype that only HPUX caught. 11245 11246 160. [cleanup] getnet*() are not going to be implemented at this 11247 stage. 11248 11249 159. [func] Redefinition of config file elements is now an 11250 error (instead of a warning). 11251 11252 158. [bug] Log channel and category list copy routines 11253 weren't assigning properly to output parameter. 11254 11255 157. [port] Fix missing prototype for getopt(). 11256 11257 156. [func] Support new 'database' statement in zone. 11258 11259 database "quoted-string"; 11260 11261 155. [bug] ns_notify_start() was not detaching the found zone. 11262 11263 154. [func] The signer now logs libdns warnings to stderr even when 11264 not verbose, and in a nicer format. 11265 11266 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx' 11267 is NULL then you need to preserve the 'rdata' until 11268 you have finished using the structure as there may be 11269 references to the associated memory. If 'mctx' is 11270 non-NULL it is guaranteed that there are no references 11271 to memory associated with 'rdata'. 
11272 11273 dns_rdata_freestruct() must be called if 'mctx' was 11274 non-NULL and may safely be called if 'mctx' was NULL. 11275 11276 152. [bug] keygen dumped core if domain name argument was omitted 11277 from command line. 11278 11279 151. [func] Support 'disabled' statement in zone config (causes 11280 zone to be parsed and then ignored). Currently must 11281 come after the 'type' clause. 11282 11283 150. [func] Support optional ports in masters and also-notify 11284 statements: 11285 11286 masters [ port xxx ] { y.y.y.y [ port zzz ] ; } 11287 11288 149. [cleanup] Removed unused argument 'olist' from 11289 dns_c_view_unsetordering(). 11290 11291 148. [cleanup] Stop issuing some warnings about some configuration 11292 file statements that were not implemented, but now are. 11293 11294 147. [bug] Changed yacc union size to be smaller for yaccs that 11295 put yacc-stack on the real stack. 11296 11297 146. [cleanup] More general redundant header file cleanup. Rather 11298 than continuing to itemize every header which changed, 11299 this changelog entry just notes that if a header file 11300 did not need another header file that it was including 11301 in order to provide its advertised functionality, the 11302 inclusion of the other header file was removed. See 11303 util/check-includes for how this was tested. 11304 11305 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/ 11306 ISC_LANG_ENDDECLS to header files that had function 11307 prototypes, and removed it from those that did not. 11308 11309 144. [cleanup] libdns header files too numerous to name were made 11310 to conform to the same style for multiple inclusion 11311 protection. 11312 11313 143. [func] Added function dns_rdatatype_isknown(). 11314 11315 142. [cleanup] <isc/stdtime.h> does not need <time.h> or 11316 <isc/result.h>. 11317 11318 141. [bug] Corrupt requests with multiple questions could 11319 cause an assertion failure. 11320 11321 140. 
[cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>. 11322 11323 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of 11324 <isc/int.h> and <isc/result.h>. 11325 11326 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and 11327 renamed isc_string_touint64. isc_strsep moved from 11328 strsep.c to string.c and renamed isc_string_separate. 11329 11330 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h> 11331 <isc/serial.h>, <isc/string.h> and <isc/offset.h> 11332 made to conform to the same style for multiple 11333 inclusion protection. 11334 11335 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>, 11336 <isc/net.h> and Win32's <isc/thread.h> needed 11337 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS. 11338 11339 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h> 11340 or <isc/boolean.h>, now uses <isc/types.h> in place 11341 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS 11342 and ISC_LANG_ENDDECLS. 11343 11344 134. [cleanup] <isc/dir.h> does not need <limits.h>. 11345 11346 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>. 11347 11348 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does 11349 need <isc/eventclass.h>. 11350 11351 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h> 11352 for ISC_R_* codes used in macros. 11353 11354 130. [cleanup] <isc/condition.h> does not need <pthread.h> or 11355 <isc/boolean.h>, and now includes <isc/types.h> 11356 instead of <isc/time.h>. 11357 11358 129. [bug] The 'default_debug' log channel was not set up when 11359 'category default' was present in the config file 11360 11361 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of 11362 ISC_LANG_ENDDECLS at end of header. 11363 11364 127. 
[cleanup] The contracts for the comparison routines 11365 dns_name_fullcompare(), dns_name_compare(), 11366 dns_name_rdatacompare(), and dns_rdata_compare() now 11367 specify that the order value returned is < 0, 0, or > 0 11368 instead of -1, 0, or 1. 11369 11370 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>. 11371 11372 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>, 11373 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and 11374 <isc/resultclass.h> do not need <isc/lang.h>. 11375 11376 124. [func] signer now imports parent's zone key signature 11377 and creates null keys/sets zone status bit for 11378 children when necessary 11379 11380 123. [cleanup] <isc/event.h> does not need <stddef.h>. 11381 11382 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or 11383 <isc/result.h>. 11384 11385 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or 11386 <isc/result.h>. Multiple inclusion protection 11387 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H. 11388 isc_symtab_t moved to <isc/types.h>. 11389 11390 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>, 11391 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or 11392 <isc/net.h>. 11393 11394 119. [cleanup] structure definitions for generic rdata structures do 11395 not have _generic_ in their names. 11396 11397 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting 11398 YACC crust (yyparse, etc) [2000-apr-27 explorer] 11399 11400 117. [cleanup] libdns.a changes: 11401 dns_zone_clearnotify() and dns_zone_addnotify() 11402 are replaced by dns_zone_setnotifyalso(). 11403 dns_zone_clearmasters() and dns_zone_addmaster() 11404 are replaced by dns_zone_setmasters(). 11405 11406 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t 11407 on Unix systems). 11408 11409 115. [port] Shut up the -Wmissing-declarations warning about 11410 <stdio.h>'s __sputaux on BSD/OS pre-4.1. 11411 11412 114. 
[cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or 11413 <isc/list.h>. 11414 11415 113. [func] Utility programs dig and host added. 11416 11417 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>. 11418 11419 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or 11420 <isc/mutex.h>. 11421 11422 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or 11423 <isc/list.h>. 11424 11425 109. [bug] "make depend" did nothing for 11426 bin/tests/{db,mem,sockaddr,tasks,timers}/. 11427 11428 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from 11429 <dns/types.h> to <dns/bit.h> and renamed to 11430 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR. 11431 11432 107. [func] Add keysigner and keysettool. 11433 11434 106. [func] Allow dnssec verifications to ignore the validity 11435 period. Used by several of the dnssec tools. 11436 11437 105. [doc] doc/dev/coding.html expanded with other 11438 implicit conventions the developers have used. 11439 11440 104. [bug] Made compress_add and compress_find static to 11441 lib/dns/compress.c. 11442 11443 103. 
[func] libisc buffer API changes for <isc/buffer.h>: 11444 Added: 11445 isc_buffer_base(b) (pointer) 11446 isc_buffer_current(b) (pointer) 11447 isc_buffer_active(b) (pointer) 11448 isc_buffer_used(b) (pointer) 11449 isc_buffer_length(b) (int) 11450 isc_buffer_usedlength(b) (int) 11451 isc_buffer_consumedlength(b) (int) 11452 isc_buffer_remaininglength(b) (int) 11453 isc_buffer_activelength(b) (int) 11454 isc_buffer_availablelength(b) (int) 11455 Removed: 11456 ISC_BUFFER_USEDCOUNT(b) 11457 ISC_BUFFER_AVAILABLECOUNT(b) 11458 isc_buffer_type(b) 11459 Changed names: 11460 isc_buffer_used(b, r) -> 11461 isc_buffer_usedregion(b, r) 11462 isc_buffer_available(b, r) -> 11463 isc_buffer_available_region(b, r) 11464 isc_buffer_consumed(b, r) -> 11465 isc_buffer_consumedregion(b, r) 11466 isc_buffer_active(b, r) -> 11467 isc_buffer_activeregion(b, r) 11468 isc_buffer_remaining(b, r) -> 11469 isc_buffer_remainingregion(b, r) 11470 11471 Buffer types were removed, so the ISC_BUFFERTYPE_* 11472 macros are no more, and the type argument to 11473 isc_buffer_init and isc_buffer_allocate were removed. 11474 isc_buffer_putstr is now void (instead of isc_result_t) 11475 and requires that the caller ensure that there 11476 is enough available buffer space for the string. 11477 11478 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop 11479 on BSD/OS 4.1. 11480 11481 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c. 11482 11483 100. [cleanup] <isc/random.h> does not need <isc/int.h> or 11484 <isc/mutex.h>. isc_random_t moved to <isc/types.h>. 11485 11486 99. [cleanup] Rate limiter now has separate shutdown() and 11487 destroy() functions, and it guarantees that all 11488 queued events are delivered even in the shutdown case. 11489 11490 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h> 11491 unless ISC_PLATFORM_NEEDVSNPRINTF is defined. 11492 11493 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or 11494 <isc/event.h>. 11495 11496 96. 
[cleanup] <isc/mutex.h> does not need <isc/result.h>. 11497 11498 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>. 11499 11500 94. [cleanup] Some installed header files did not compile as C++. 11501 11502 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>. 11503 11504 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>, 11505 or <isc/result.h>. 11506 11507 91. [cleanup] <isc/log.h> does not need <sys/types.h> or 11508 <isc/result.h>. 11509 11510 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS 11511 from <named/listenlist.h>. 11512 11513 89. [cleanup] <isc/lex.h> does not need <stddef.h>. 11514 11515 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or 11516 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t 11517 moved to <isc/types.h>. 11518 11519 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>, 11520 <isc/mem.h> or <isc/result.h>. 11521 11522 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to 11523 <isc/types.h>. 11524 11525 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>, 11526 <isc/list.h>, <isc/mem.h>, <isc/region.h> or 11527 <isc/int.h>. 11528 11529 84. [func] allow-query ACL checks now apply to all data 11530 added to a response. 11531 11532 83. [func] If the server is authoritative for both a 11533 delegating zone and its (nonsecure) delegatee, and 11534 a query is made for a KEY RR at the top of the 11535 delegatee, then the server will look for a KEY 11536 in the delegator if it is not found in the delegatee. 11537 11538 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>. 11539 11540 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need 11541 <isc/lang.h>. 11542 11543 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>. 11544 11545 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>. 11546 11547 78. [cleanup] lwres_conftest renamed to lwresconf_test for 11548 consistency with other *_test programs. 11549 11550 77. 
[cleanup] typedef of isc_time_t and isc_interval_t moved from 11551 <isc/time.h> to <isc/types.h>. 11552 11553 76. [cleanup] Rewrote keygen. 11554 11555 75. [func] Don't load a zone if its database file is older 11556 than the last time the zone was loaded. 11557 11558 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a, 11559 subsumed by file.o. 11560 11561 73. [func] New "file" API in libisc, including new function 11562 isc_file_getmodtime, isc_mktemplate renamed to 11563 isc_file_mktemplate and isc_ufile renamed to 11564 isc_file_openunique. By no means an exhaustive API, 11565 it is just what's needed for now. 11566 11567 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS 11568 added for dns_rbt_findnode, the former to disable the 11569 setting of the chain to the predecessor, and the 11570 latter to make clear when no options are set. 11571 11572 71. [cleanup] Made explicit the implicit REQUIREs of 11573 isc_time_seconds, isc_time_nanoseconds, and 11574 isc_time_subtract. 11575 11576 70. [func] isc_time_set() added. 11577 11578 69. [bug] The zone object's master and also-notify lists grew 11579 longer with each server reload. 11580 11581 68. [func] Partial support for SIG(0) on incoming messages. 11582 11583 67. [performance] Allow use of alternate (compile-time supplied) 11584 OpenSSL libraries/headers. 11585 11586 66. [func] Data in authoritative zones should have a trust level 11587 beyond secure. 11588 11589 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t 11590 from <dns/types.h>. 11591 11592 64. [func] The RBT, DB, and zone table APIs now allow the 11593 caller find the most-enclosing superdomain of 11594 a name. 11595 11596 63. [func] Generate NOTIFY messages. 11597 11598 62. [func] Add UDP refresh support. 11599 11600 61. [cleanup] Use single quotes consistently in log messages. 11601 11602 60. [func] Catch and disallow singleton types on message 11603 parse. 11604 11605 59. 
[bug] Cause net/host unreachable to be a hard error 11606 when sending and receiving. 11607 11608 58. [bug] bin/named/query.c could sometimes trigger the 11609 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) 11610 == 0 assertion in query_newname(). 11611 11612 57. [func] Added dns_nxt_typepresent() 11613 11614 56. [bug] SIG records were not properly returned in cached 11615 negative answers. 11616 11617 55. [bug] Responses containing multiple names in the authority 11618 section were not negatively cached. 11619 11620 54. [bug] If a fetch with sigrdataset==NULL joined one with 11621 sigrdataset!=NULL or vice versa, the resolver 11622 could catch an assertion or lose signature data, 11623 respectively. 11624 11625 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires 11626 <sys/param.h>. 11627 11628 52. [bug] rndc: taskmgr and socketmgr were not initialized 11629 to NULL. 11630 11631 51. [cleanup] dns/compress.h and dns/zt.h did not need to include 11632 dns/rbt.h; it was needed only by compress.c and zt.c. 11633 11634 50. [func] RBT deletion no longer requires a valid chain to work, 11635 and dns_rbt_deletenode was added. 11636 11637 49. [func] Each cache now has its own mctx. 11638 11639 48. [func] isc_task_create() no longer takes an mctx. 11640 isc_task_mem() has been eliminated. 11641 11642 47. [func] A number of modules now use memory context reference 11643 counting. 11644 11645 46. [func] Memory contexts are now reference counted. 11646 Added isc_mem_inuse() and isc_mem_preallocate(). 11647 Renamed isc_mem_destroy_check() to 11648 isc_mem_setdestroycheck(). 11649 11650 45. [bug] The trusted-key statement incorrectly loaded keys. 11651 11652 44. [bug] Don't include authority data if it would force us 11653 to unset the AD bit in the message. 11654 11655 43. [bug] DNSSEC verification of cached rdatasets was failing. 11656 11657 42. 
[cleanup] Simplified logging of messages with embedded domain 11658 names by introducing a new convenience function 11659 dns_name_format(). 11660 11661 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later 11662 to allow 'named' to run as a non-root user while 11663 retaining the ability to bind() to privileged 11664 ports. 11665 11666 40. [func] Introduced new logging category "dnssec" and 11667 logging module "dns/validator". 11668 11669 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t, 11670 and isc_lex_t to <isc/types.h>. 11671 11672 38. [bug] TSIG signed incoming zone transfers work now. 11673 11674 37. [bug] If the first RR in an incoming zone transfer was 11675 not an SOA, the server died with an assertion failure 11676 instead of just reporting an error. 11677 11678 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS 11679 11680 35. [performance] Log messages which are of a level too high to be 11681 logged by any channel in the logging configuration 11682 will not cause the log mutex to be locked. 11683 11684 34. [bug] Recursion was allowed even with 'recursion no'. 11685 11686 33. [func] The RBT now maintains a parent pointer at each node. 11687 11688 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset() 11689 prototype. 11690 11691 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@. 11692 11693 30. [func] config file grammar change to support optional 11694 class type for a view. 11695 11696 29. [func] support new config file view options: 11697 11698 auth-nxdomain recursion query-source 11699 query-source-v6 transfer-source 11700 transfer-source-v6 max-transfer-time-out 11701 max-transfer-idle-out transfer-format 11702 request-ixfr provide-ixfr cleaning-interval 11703 fetch-glue notify rfc2308-type1 lame-ttl 11704 max-ncache-ttl min-roots 11705 11706 28. [func] support lame-ttl, min-roots and serial-queries 11707 config global options. 11708 11709 27. 
[bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*. 11710 Including it on other platforms (eg, NetBSD) can 11711 cause a forced #error from the C preprocessor. 11712 11713 26. [func] new match-clients statement in config file view. 11714 11715 25. [bug] make install failed to install <isc/log.h> and 11716 <isc/ondestroy.h>. 11717 11718 24. [cleanup] Eliminate some unnecessary #includes of header 11719 files from header files. 11720 11721 23. [cleanup] Provide more context in log messages about client 11722 requests, using a new function ns_client_log(). 11723 11724 22. [bug] SIGs weren't returned in the answer section when 11725 the query resulted in a fetch. 11726 11727 21. [port] Look at STD_CINCLUDES after CINCLUDES during 11728 compilation, so additional system include directories 11729 can be searched but header files in the bind9 source 11730 tree with conflicting names take precedence. This 11731 avoids issues with installed versions of dnssafe and 11732 openssl. 11733 11734 20. [func] Configuration file post-load validation of zones 11735 failed if there were no zones. 11736 11737 19. [bug] dns_zone_notifyreceive() failed to unlock the zone 11738 lock in certain error cases. 11739 11740 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in 11741 configure.in to check for presence of in6addr_any. 11742 11743 17. [func] Do configuration file post-load validation of zones. 11744 11745 16. [bug] put quotes around key names on config file 11746 output to avoid possible keyword clashes. 11747 11748 15. [func] Add dns_name_dupwithoffsets(). This function is 11749 improves comparison performance for duped names. 11750 11751 14. [bug] free_rbtdb() could have 'put' unallocated memory in 11752 an unlikely error path. 11753 11754 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore 11755 out-of-zone data. 11756 11757 12. [bug] Fixed possible uninitialized variable error. 11758 11759 11. 
[bug] axfr_rrstream_first() didn't check the result code of 11760 db_rr_iterator_first(), possibly causing an assertion 11761 to be triggered later. 11762 11763 10. [bug] A bug in the code which makes EDNS0 OPT records in 11764 bin/named/client.c and lib/dns/resolver.c could 11765 trigger an assertion. 11766 11767 9. [cleanup] replaced bit-setting code in confctx.c and replaced 11768 repeated code with macro calls. 11769 11770 8. [bug] Shutdown of incoming zone transfer accessed 11771 freed memory. 11772 11773 7. [cleanup] removed 'listen-on' from view statement. 11774 11775 6. [bug] quote RR names when generating config file to 11776 prevent possible clash with config file keywords 11777 (such as 'key'). 11778 11779 5. [func] syntax change to named.conf file: new ssu grant/deny 11780 statements must now be enclosed by an 'update-policy' 11781 block. 11782 11783 4. [port] bin/named/unix/os.c didn't compile on systems with 11784 linux 2.3 kernel includes due to conflicts between 11785 C library includes and the kernel includes. We now 11786 get only what we need from <linux/capability.h>, and 11787 avoid pulling in other linux kernel .h files. 11788 11789 3. [bug] TKEYs go in the answer section of responses, not 11790 the additional section. 11791 11792 2. [bug] Generating cryptographic randomness failed on 11793 systems without /dev/random. 11794 11795 1. [bug] The installdirs rule in 11796 lib/isc/unix/include/isc/Makefile.in had a typo which 11797 prevented the isc directory from being created if it 11798 didn't exist. 11799 11800 --- 9.0.0b2 released --- 11801 11802# This tells Emacs to use hard tabs in this file. 11803# Local Variables: 11804# indent-tabs-mode: t 11805# End: 11806