1 --- 9.8.3-P1 released --- 2 33331. [security] dns_rdataslab_fromrdataset could produce bad 4 rdataslabs. [RT #29644] 5 6 --- 9.8.3 released --- 7 83318. [tuning] Reduce the amount of work performed while holding a 9 bucket lock when finshed with a fetch context. 10 [RT #29239] 11 123314. [bug] The masters list could be updated while refesh_callback 13 and stub_callback were using it. [RT #26732] 14 153313. [protocol] Add TLSA record type. [RT #28989] 16 173312. [bug] named-checkconf didn't detect a bad dns64 clients acl. 18 [RT #27631] 19 203311. [bug] Abort the zone dump if zone->db is NULL in 21 zone.c:zone_gotwritehandle. [RT #29028] 22 233310. [test] Increase table size for mutex profiling. [RT #28809] 24 253309. [bug] resolver.c:fctx_finddone() was not threadsafe. 26 [RT #27995] 27 283307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS. 29 [RT #28956] 30 313306. [bug] Improve DNS64 reverse zone performance. [RT #28563] 32 333305. [func] Add wire format lookup method to sdb. [RT #28563] 34 353304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps. 36 [RT #28571] 37 383302. [bug] dns_dnssec_findmatchingkeys could fail to find 39 keys if the zone name contained character that 40 required special mappings. [RT #28600] 41 423301. [contrib] Update queryperf to build on darwin. Add -R flag 43 for non-recursive queries. [RT #28565] 44 453300. [bug] Named could die if gssapi was enabled in named.conf 46 but was not compiled in. [RT #28338] 47 483299. [bug] Make SDB handle errors from database drivers better. 49 [RT #28534] 50 513232. [bug] Zero zone->curmaster before return in 52 dns_zone_setmasterswithkeys(). [RT #26732] 53 543183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301] 55 563197. [bug] Don't try to log the filename and line number when 57 the config parser can't open a file. [RT #22263] 58 59 --- 9.8.2 released --- 60 613298. [bug] Named could dereference a NULL pointer in 62 zmgr_start_xfrin_ifquota if the zone was being removed. 63 [RT #28419] 64 653297. [bug] Named could die on a malformed master file. [RT #28467] 66 673295. [bug] Adjust isc_time_secondsastimet range check to be more 68 portable. [RT # 26542] 69 703294. [bug] isccc/cc.c:table_fromwire failed to free alist on 71 error. [RT #28265] 72 733291. [port] Fixed a build error on systems without ENOTSUP. 74 [RT #28200] 75 763290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169] 77 783288. [bug] dlz_destroy() function wasn't correctly registered 79 by the DLZ dlopen driver. [RT #28056] 80 813287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028] 82 833286. [bug] Managed key maintenance timer could fail to start 84 after 'rndc reconfig'. [RT #26786] 85 86 --- 9.8.2rc2 released --- 87 883285. [bug] val-frdataset was incorrectly disassociated in 89 proveunsecure after calling startfinddlvsep. 90 [RT #27928] 91 923284. [bug] Address race conditions with the handling of 93 rbtnode.deadlink. [RT #27738] 94 953283. [bug] Raw zones with with more than 512 records in a RRset 96 failed to load. [RT #27863] 97 983282. [bug] Restrict the TTL of NS RRset to no more than that 99 of the old NS RRset when replacing it. 100 [RT #27792] [RT #27884] 101 1023281. [bug] SOA refresh queries could be treated as cancelled 103 despite succeeding over the loopback interface. 104 [RT #27782] 105 1063280. [bug] Potential double free of a rdataset on out of memory 107 with DNS64. [RT #27762] 108 1093278. [bug] Make sure automatic key maintenance is started 110 when "auto-dnssec maintain" is turned on during 111 "rndc reconfig". [RT #26805] 112 1133276. [bug] win32: ns_os_openfile failed to return NULL on 114 safe_open failure. [RT #27696] 115 1163274. [bug] Log when a zone is not reusable. Only set loadtime 117 on successful loads. [RT #27650] 118 1193273. [bug] AAAA responses could be returned in the additional 120 section even when filter-aaaa-on-v4 was in use. 121 [RT #27292] 122 1233271. [port] darwin: mksymtbl is not always stable, loop several 124 times before giving up. mksymtbl was using non 125 portable perl to covert 64 bit hex strings. [RT #27653] 126 1273268. [bug] Convert RRSIG expiry times to 64 timestamps to work 128 out the earliest expiry time. [RT #23311] 129 1303267. [bug] Memory allocation failures could be mis-reported as 131 unexpected error. New ISC_R_UNSET result code. 132 [RT #27336] 133 1343266. [bug] The maximum number of NSEC3 iterations for a 135 DNSKEY RRset was not being properly computed. 136 [RT #26543] 137 1383262. [bug] Signed responses were handled incorrectly by RPZ. 139 [RT #27316] 140 141 --- 9.8.2rc1 released --- 142 1433260. [bug] "rrset-order cyclic" could appear not to rotate 144 for some query patterns. [RT #27170/27185] 145 1463259. [bug] named-compilezone: Suppress "dump zone to <file>" 147 message when writing to stdout. [RT #27109] 148 1493258. [test] Add "forcing full sign with unreadable keys" test. 150 [RT #27153] 151 1523257. [bug] Do not generate a error message when calling fsync() 153 in a pipe or socket. [RT #27109] 154 1553256. [bug] Disable empty zones for lwresd -C. [RT #27139] 156 1573254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels. 158 [RT #22249] 159 1603253. [bug] Return DNS_R_SYNTAX when the input to a text field is 161 too long. [RT #26956] 162 1633251. [bug] Enforce a upper bound (65535 bytes) on the amount of 164 memory dns_sdlz_putrr() can allocate per record to 165 prevent run away memory consumption on ISC_R_NOSPACE. 166 [RT #26956] 167 1683250. [func] 'configure --enable-developer'; turn on various 169 configure options, normally off by default, that 170 we want developers to build and test with. [RT #27103] 171 1723249. [bug] Update log message when saving slave zones files for 173 analysis after load failures. [RT #27087] 174 1753248. [bug] Configure options --enable-fixed-rrset and 176 --enable-exportlib were incompatible with each 177 other. [RT #27087] 178 1793247. [bug] 'raw' format zones failed to preserve load order 180 breaking 'fixed' sort order. [RT #27087] 181 1823243. [port] netbsd,bsdi: the thread defaults were not being 183 properly set. 184 1853241. [bug] Address race conditions in the resolver code. 186 [RT #26889] 187 1883240. [bug] DNSKEY state change events could be missed. [RT #26874] 189 1903239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent 191 timestamp. [RT #26883] 192 1933238. [bug] keyrdata was not being reinitialized in 194 lib/dns/rbtdb.c:iszonesecure. [RT#26913] 195 1963237. [bug] dig -6 didn't work with +trace. [RT #26906] 197 198 --- 9.8.2b1 released --- 199 2003234. [bug] 'make depend' produced invalid makefiles. [RT #26830] 201 2023231. [bug] named could fail to send a uncompressable zone. 203 [RT #26796] 204 2053230. [bug] 'dig axfr' failed to properly handle a multi-message 206 axfr with a serial of 0. [RT #26796] 207 2083229. [bug] Fix local variable to struct var assignment 209 found by CLANG warning. 210 2113228. [tuning] Dynamically grow symbol table to improve zone 212 loading performance. [RT #26523] 213 2143227. [bug] Interim fix to make WKS's use of getprotobyname() 215 and getservbyname() self thread safe. [RT #26232] 216 2173226. [bug] Address minor resource leakages. [RT #26624] 218 2193221. [bug] Fixed a potential coredump on shutdown due to 220 referencing fetch context after it's been freed. 221 [RT #26720] 222 2233220. [bug] Change #3186 was incomplete; dns_db_rpz_findips() 224 could fail to set the database version correctly, 225 causing an assertion failure. [RT #26180] 226 2273218. [security] Cache lookup could return RRSIG data associated with 228 nonexistent records, leading to an assertion 229 failure. [RT #26590] 230 2313217. [cleanup] Fix build problem with --disable-static. [RT #26476] 232 2333216. [bug] resolver.c:validated() was not thread-safe. [RT #26478] 234 2353213. [doc] Clarify ixfr-from-differences behavior. [RT #25188] 236 2373212. [bug] rbtdb.c: failed to remove a node from the deadnodes 238 list prior to adding a reference to it leading a 239 possible assertion failure. [RT #23219] 240 2413209. [func] Add "dnssec-lookaside 'no'". [RT #24858] 242 2433208. [bug] 'dig -y' handle unknown tsig alorithm better. 244 [RT #25522] 245 2463207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444] 247 2483206. [cleanup] Add ISC information to log at start time. [RT #25484] 249 2503204. [bug] When a master server that has been marked as 251 unreachable sends a NOTIFY, mark it reachable 252 again. [RT #25960] 253 2543203. [bug] Increase log level to 'info' for validation failures 255 from expired or not-yet-valid RRSIGs. [RT #21796] 256 2573200. [doc] Some rndc functions were undocumented or were 258 missing from 'rndc -h' output. [RT #25555] 259 2603198. [doc] Clarified that dnssec-settime can alter keyfile 261 permissions. [RT #24866] 262 2633196. [bug] nsupdate: return nonzero exit code when target zone 264 doesn't exist. [RT #25783] 265 2663195. [cleanup] Silence "file not found" warnings when loading 267 managed-keys zone. [RT #26340] 268 2693194. [doc] Updated RFC references in the 'empty-zones-enable' 270 documentation. [RT #25203] 271 2723193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to 273 dnssec.h. [RT #26415] 274 2753192. [bug] A query structure could be used after being freed. 276 [RT #22208] 277 2783191. [bug] Print NULL records using "unknown" format. [RT #26392] 279 2803190. [bug] Underflow in error handling in isc_mutexblock_init. 281 [RT #26397] 282 2833189. [test] Added a summary report after system tests. [RT #25517] 284 2853188. [bug] zone.c:zone_refreshkeys() could fail to detach 286 references correctly when errors occurred, causing 287 a hang on shutdown. [RT #26372] 288 2893187. [port] win32: support for Visual Studio 2008. [RT #26356] 290 2913186. [bug] Version/db mis-match in rpz code. [RT #26180] 292 2933179. [port] kfreebsd: build issues. [RT #26273] 294 2953175. [bug] Fix how DNSSEC positive wildcard responses from a 296 NSEC3 signed zone are validated. Stop sending a 297 unnecessary NSEC3 record when generating such 298 responses. [RT #26200] 299 3003174. [bug] Always compute to revoked key tag from scratch. 301 [RT #26186] 302 3033173. [port] Correctly validate root DS responses. [RT #25726] 304 3053171. [bug] Exclusively lock the task when adding a zone using 306 'rndc addzone'. [RT #25600] 307 3083170. [func] RPZ update: 309 - fix precedence among competing rules 310 - improve ARM text including documenting rule precedence 311 - try to rewrite CNAME chains until first hit 312 - new "rpz" logging channel 313 - RDATA for CNAME rules can include wildcards 314 - replace "NO-OP" named.conf policy override with 315 "PASSTHRU" and add "DISABLED" override ("NO-OP" 316 is still recognized) 317 [RT #25172] 318 3193169. [func] Catch db/version mis-matches when calling dns_db_*(). 320 [RT #26017] 321 3223167. [bug] Negative answers from forwarders were not being 323 correctly tagged making them appear to not be cached. 324 [RT #25380] 325 3263162. [test] start.pl: modified to allow for "named.args" in 327 ns*/ subdirectory to override stock arguments to 328 named. Largely from RT#26044, but no separate ticket. 329 3303161. [bug] zone.c:del_sigs failed to always reset rdata leading 331 assertion failures. [RT #25880] 332 3333157. [tuning] Reduce the time spent in "rndc reconfig" by parsing 334 the config file before pausing the server. [RT #21373] 335 3363155. [bug] Fixed a build failure when using contrib DLZ 337 drivers (e.g., mysql, postgresql, etc). [RT #25710] 338 3393154. [bug] Attempting to print an empty rdataset could trigger 340 an assert. [RT #25452] 341 3423152. [cleanup] Some versions of gcc and clang failed due to 343 incorrect use of __builtin_expect. [RT #25183] 344 3453151. [bug] Queries for type RRSIG or SIG could be handled 346 incorrectly. [RT #21050] 347 3483148. [bug] Processing of normal queries could be stalled when 349 forwarding a UPDATE message. [RT #24711] 350 3513146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598] 352 3533145. [test] Capture output of ATF unit tests in "./atf.out" if 354 there were any errors while running them. [RT #25527] 355 3563144. [bug] dns_dbiterator_seek() could trigger an assert when 357 used with a nonexistent database node. [RT #25358] 358 3593143. [bug] Silence clang compiler warnings. [RT #25174] 360 3613139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321 362 for the hashing algorithms (md5, sha1 - sha512, and 363 their hmac counterparts). [RT #25067] 364 365 --- 9.8.1 released --- 366 367 --- 9.8.1rc1 released --- 368 3693141. [bug] Silence spurious "zone serial (0) unchanged" messages 370 associated with empty zones. [RT #25079] 371 3723138. [bug] Address memory leaks and out-of-order operations when 373 shutting named down. [RT #25210] 374 3753136. [func] Add RFC 1918 reverse zones to the list of built-in 376 empty zones switched on by the 'empty-zones-enable' 377 option. [RT #24990] 378 379 Note: empty-zones-enable must be "yes;" or a empty 380 zone needs to be disabled in named.conf for RFC 1918 381 zones to be activated. This requirement may be 382 removed in future releases. 383 3843135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing. 385 See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307 386 [RT #24950] 387 3883134. [bug] Improve the accuracy of dnssec-signzone's signing 389 statistics. [RT #16030] 390 391 --- 9.8.1b3 released --- 392 3933133. [bug] Change #3114 was incomplete. [RT #24577] 394 3953131. [tuning] Improve scalability by allocating one zone task 396 per 100 zones at startup time, rather than using a 397 fixed-size task table. [RT #24406] 398 3993129. [bug] Named could crash on 'rndc reconfig' when 400 allow-new-zones was set to yes and named ACLs 401 were used. [RT #22739] 402 403 --- 9.8.1b2 released --- 404 4053126. [security] Using DNAME record to generate replacements caused 406 RPZ to exit with a assertion failure. [RT #24766] 407 4083125. [security] Using wildcard CNAME records as a replacement with 409 RPZ caused named to exit with a assertion failure. 410 [RT #24715] 411 4123124. [bug] Use an rdataset attribute flag to indicate 413 negative-cache records rather than using rrtype 0; 414 this will prevent problems when that rrtype is 415 used in actual DNS packets. [RT #24777] 416 4173123. [security] Change #2912 exposed a latent flaw in 418 dns_rdataset_totext() that could cause named to 419 crash with an assertion failure. [RT #24777] 420 4213122. [cleanup] dnssec-settime: corrected usage message. [RT #24664] 422 4233121. [security] An authoritative name server sending a negative 424 response containing a very large RRset could 425 trigger an off-by-one error in the ncache code 426 and crash named. [RT #24650] 427 4283120. [bug] Named could fail to validate zones listed in a DLV 429 that validated insecure without using DLV and had 430 DS records in the parent zone. [RT #24631] 431 4323119. [bug] When rolling to a new DNSSEC key, a private-type 433 record could be created and never marked complete. 434 [RT #23253] 435 4363118. [bug] nsupdate could dump core on shutdown when using 437 SIG(0) keys. [RT #24604] 438 4393117. [cleanup] Remove doc and parser references to the 440 never-implemented 'auto-dnssec create' option. 441 [RT #24533] 442 4433115. [bug] Named could fail to return requested data when 444 following a CNAME that points into the same zone. 445 [RT #24455] 446 4473114. [bug] Retain expired RRSIGs in dynamic zones if key is 448 inactive and there is no replacement key. [RT #23136] 449 4503113. [doc] Document the relationship between serial-query-rate 451 and NOTIFY messages. 452 453 --- 9.8.1b1 released --- 454 4553112. [doc] Add missing descriptions of the update policy name 456 types "ms-self", "ms-subdomain", "krb5-self" and 457 "krb5-subdomain", which allow machines to update 458 their own records, to the BIND 9 ARM. 459 4603111. [bug] Improved consistency checks for dnssec-enable and 461 dnssec-validation, added test cases to the 462 checkconf system test. [RT #24398] 463 4643110. [bug] dnssec-signzone: Wrong error message could appear 465 when attempting to sign with no KSK. [RT #24369] 466 4673107. [bug] dnssec-signzone: Report the correct number of ZSKs 468 when using -x. [RT #20852] 469 4703105. [bug] GOST support can be suppressed by "configure 471 --without-gost" [RT #24367] 472 4733104. [bug] Better support for cross-compiling. [RT #24367] 474 4753103. [bug] Configuring 'dnssec-validation auto' in a view 476 instead of in the options statement could trigger 477 an assertion failure in named-checkconf. [RT #24382] 478 4793101. [bug] Zones using automatic key maintenance could fail 480 to check the key repository for updates. [RT #23744] 481 4823100. [security] Certain response policy zone configurations could 483 trigger an INSIST when receiving a query of type 484 RRSIG. [RT #24280] 485 4863099. [test] "dlz" system test now runs but gives R:SKIPPED if 487 not compiled with --with-dlz-filesystem. [RT #24146] 488 4893098. [bug] DLZ zones were answering without setting the AA bit. 490 [RT #24146] 491 4923097. [test] Add a tool to test handling of malformed packets. 493 [RT #24096] 494 4953096. [bug] Set KRB5_KTNAME before calling log_cred() in 496 dst_gssapi_acceptctx(). [RT #24004] 497 4983095. [bug] Handle isolated reserved ports in the port range. 499 [RT #23957] 500 5013094. [doc] Expand dns64 documentation. 502 5033093. [bug] Fix gssapi/kerberos dependencies [RT #23836] 504 5053092. [bug] Signatures for records at the zone apex could go 506 stale due to an incorrect timer setting. [RT #23769] 507 5083091. [bug] Fixed a bug in which zone keys that were published 509 and then subsequently activated could fail to trigger 510 automatic signing. [RT #22911] 511 5123090. [func] Make --with-gssapi default [RT #23738] 513 5143088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf 515 and add setup.sh in order to resolve changing 516 named.conf issue. [RT #23687] 517 5183087. [bug] DDNS updates using SIG(0) with update-policy match 519 type "external" could cause a crash. [RT #23735] 520 5213086. [bug] Running dnssec-settime -f on an old-style key will 522 now force an update to the new key format even if no 523 other change has been specified, using "-P now -A now" 524 as default values. [RT #22474] 525 5263083. [bug] NOTIFY messages were not being sent when generating 527 a NSEC3 chain incrementally. [RT #23702] 528 5293082. [port] strtok_r is threads only. [RT #23747] 530 5313081. [bug] Failure of DNAME substitution did not return 532 YXDOMAIN. [RT #23591] 533 5343080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS. 535 [RT #23587] 536 5373079. [bug] Handle isc_event_allocate failures in t_tasks. 538 [RT #23572] 539 5403078. [func] Added a new include file with function typedefs 541 for the DLZ "dlopen" driver. [RT #23629] 542 5433077. [bug] zone.c:zone_refreshkeys() incorrectly called 544 dns_zone_attach(), use zone->irefs instead. [RT #23303] 545 5463075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant 547 timestamp when determining which keys are active. 548 [RT #23642] 549 5503074. [bug] Make the adb cache read through for zone data and 551 glue learn for zone named is authoritative for. 552 [RT #22842] 553 5543073. [bug] managed-keys changes were not properly being recorded. 555 [RT #20256] 556 5573072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference. 558 [RT #20256] 559 5603071. [bug] has_nsec could be used unintialised in 561 update.c:next_active. [RT #20256] 562 5633070. [bug] dnssec-signzone potential NULL pointer dereference. 564 [RT #20256] 565 5663069. [cleanup] Silence warnings messages from clang static analysis. 567 [RT #20256] 568 5693068. [bug] Named failed to build with a OpenSSL without engine 570 support. [RT #23473] 571 5723067. [bug] ixfr-from-differences {master|slave}; failed to 573 select the master/slave zones. [RT #23580] 574 5753066. [func] The DLZ "dlopen" driver is now built by default, 576 no longer requiring a configure option. To 577 disable it, use "configure --without-dlopen". 578 (Note: driver not supported on win32.) [RT #23467] 579 5803065. [bug] RRSIG could have time stamps too far in the future. 581 [RT #23356] 582 5833064. [bug] powerpc: add sync instructions to the end of atomic 584 operations. [RT #23469] 585 5863063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402] 587 5883059. [test] Added a regression test for change #3023. 589 5903058. [bug] Cause named to terminate at startup or rndc reconfig/ 591 reload to fail, if a log file specified in the conf 592 file isn't a plain file. [RT #22771] 593 5943057. [bug] "rndc secroots" would abort after the first error 595 and so could miss some views. [RT #23488] 596 5973054. [bug] Added elliptic curve support check in 598 GOST OpenSSL engine detection. [RT #23485] 599 6003053. [bug] Under a sustained high query load with a finite 601 max-cache-size, it was possible for cache memory 602 to be exhausted and not recovered. [RT #23371] 603 6043052. [test] Fixed last autosign test report. [RT #23256] 605 6063051. [bug] NS records obsure DNAME records at the bottom of the 607 zone if both are present. [RT #23035] 608 6093050. [bug] The autosign system test was timing dependent. 610 Wait for the initial autosigning to complete 611 before running the rest of the test. [RT #23035] 612 6133049. [bug] Save and restore the gid when creating creating 614 named.pid at startup. [RT #23290] 615 6163048. [bug] Fully separate view key mangement. [RT #23419] 617 6183047. [bug] DNSKEY NODATA responses not cached fixed in 619 validator.c. Tests added to dnssec system test. 620 [RT #22908] 621 6223046. [bug] Use RRSIG original TTL to compute validated RRset 623 and RRSIG TTL. [RT #23332] 624 6253044. [bug] Hold the socket manager lock while freeing the socket. 626 [RT #23333] 627 6283043. [test] Merged in the NetBSD ATF test framework (currently 629 version 0.12) for development of future unit tests. 630 Use configure --with-atf to build ATF internally 631 or configure --with-atf=prefix to use an external 632 copy. [RT #23209] 633 6343042. [bug] dig +trace could fail attempting to use IPv6 635 addresses on systems with only IPv4 connectivity. 636 [RT #23297] 637 6383041. [bug] dnssec-signzone failed to generate new signatures on 639 ttl changes. [RT #23330] 640 6413040. [bug] Named failed to validate insecure zones where a node 642 with a CNAME existed between the trust anchor and the 643 top of the zone. [RT #23338] 644 6453038. [bug] Install <dns/rpz.h>. [RT #23342] 646 6473037. [doc] Update COPYRIGHT to contain all the individual 648 copyright notices that cover various parts. 649 6503036. [bug] Check built-in zone arguments to see if the zone 651 is re-usable or not. [RT #21914] 652 6533035. [cleanup] Simplify by using strlcpy. [RT #22521] 654 6553034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521] 656 6573033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET). 658 [RT #22521] 659 6603032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521] 661 6623031. [bug] dns_rdataclass_format() handle a zero sized buffer. 663 [RT #22521] 664 6653030. [bug] dns_rdatatype_format() handle a zero sized buffer. 666 [RT #22521] 667 6683029. [bug] isc_netaddr_format() handle a zero sized buffer. 669 [RT #22521] 670 6713028. [bug] isc_sockaddr_format() handle a zero sized buffer. 672 [RT #22521] 673 6743027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to 675 catch NULL pointer dereferences before they happen. 676 [RT #22521] 677 6783026. [bug] lib/isc/httpd.c: check that we have enough space 679 after calling grow_headerspace() and if not 680 re-call grow_headerspace() until we do. [RT #22521] 681 682 --- 9.8.0 released --- 683 6843025. [bug] Fixed a possible deadlock due to zone resigning. 685 [RT #22964] 686 6873024. [func] RTT Banding removed due to minor security increase 688 but major impact on resolver latency. [RT #23310] 689 6903023. [bug] Named could be left in an inconsistent state when 691 receiving multiple AXFR response messages that were 692 not all TSIG-signed. [RT #23254] 693 6943022. [bug] Fixed rpz SERVFAILs after failed zone transfers 695 [RT #23246] 696 6973021. [bug] Change #3010 was incomplete. [RT #22296] 698 6993020. [bug] auto-dnssec failed to correctly update the zone when 700 changing the DNSKEY RRset. [RT #23232] 701 7023019. [test] Test: check apex NSEC3 records after adding DNSKEY 703 record via UPDATE. [RT #23229] 704 705 --- 9.8.0rc1 released --- 706 7073018. [bug] Named failed to check for the "none;" acl when deciding 708 if a zone may need to be re-signed. [RT #23120] 709 7103017. [doc] dnssec-keyfromlabel -I was not properly documented. 711 [RT #22887] 712 7133016. [bug] rndc usage missing '-b'. [RT #22937] 714 7153015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and 716 IN6_IS_ADDR_SITELOCAL macros. [RT #22724] 717 7183013. [bug] The DNS64 ttl was not always being set as expected. 719 [RT #23034] 720 7213012. [bug] Remove DNSKEY TTL change pairs before generating 722 signing records for any remaining DNSKEY changes. 723 [RT #22590] 724 7253011. [func] Allow setting this in named.conf using the new 726 'resolver-query-timeout' option, which specifies a max 727 time in seconds. 0 means 'default' and anything longer 728 than 30 will be silently set to 30. [RT #22852] 729 7303010. [bug] Fixed a bug where "rndc reconfig" stopped the timer 731 for refreshing managed-keys. [RT #22296] 732 7333009. [bug] clients-per-query code didn't work as expected with 734 particular query patterns. [RT #22972] 735 736 --- 9.8.0b1 released --- 737 7383008. [func] Response policy zones (RPZ) support. [RT #21726] 739 7403007. [bug] Named failed to preserve the case of domain names in 741 rdata which is not compressible when writing master 742 files. [RT #22863] 743 7443006. [func] Allow dynamically generated TSIG keys to be preserved 745 across restarts of named. Initially this is for 746 TSIG keys generated using GSSAPI. [RT #22639] 747 7483005. [port] Solaris: Work around the lack of 749 gsskrb5_register_acceptor_identity() by setting 750 the KRB5_KTNAME environment variable to the 751 contents of tkey-gssapi-keytab. Also fixed 752 test errors on MacOSX. [RT #22853] 753 7543004. [func] DNS64 reverse support. [RT #22769] 755 7563003. [experimental] Added update-policy match type "external", 757 enabling named to defer the decision of whether to 758 allow a dynamic update to an external daemon. 759 (Contributed by Andrew Tridgell.) [RT #22758] 760 7613002. [bug] isc_mutex_init_errcheck() failed to destroy attr. 762 [RT #22766] 763 7643001. [func] Added a default trust anchor for the root zone, which 765 can be switched on by setting "dnssec-validation auto;" 766 in the named.conf options. [RT #21727] 767 7683000. [bug] More TKEY/GSS fixes: 769 - nsupdate can now get the default realm from 770 the user's Kerberos principal 771 - corrected gsstest compilation flags 772 - improved documentation 773 - fixed some NULL dereferences 774 [RT #22795] 775 7762999. [func] Add GOST support (RFC 5933). [RT #20639] 777 7782998. [func] Add isc_task_beginexclusive and isc_task_endexclusive 779 to the task api. [RT #22776] 780 7812997. [func] named -V now reports the OpenSSL and libxml2 verions 782 it was compiled against. [RT #22687] 783 7842996. [security] Temporarily disable SO_ACCEPTFILTER support. 785 [RT #22589] 786 7872995. [bug] The Kerberos realm was not being correctly extracted 788 from the signer's identity. [RT #22770] 789 7902994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and 791 do not use threads on earlier versions. Also kill 792 the unproven-pthreads, mit-pthreads, and ptl2 support. 793 7942993. [func] Dynamically grow adb hash tables. [RT #21186] 795 7962992. [contrib] contrib/check-secure-delegation.pl: A simple tool 797 for looking at a secure delegation. [RT #22059] 798 7992991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for 800 dynamic zones. [RT #22365] 801 8022990. [bug] 'dnssec-settime -S' no longer tests prepublication 803 interval validity when the interval is set to 0. 804 [RT #22761] 805 8062989. [func] Added support for writable DLZ zones. (Contributed 807 by Andrew Tridgell of the Samba project.) [RT #22629] 808 8092988. [experimental] Added a "dlopen" DLZ driver, allowing the creation 810 of external DLZ drivers that can be loaded as 811 shared objects at runtime rather than linked with 812 named. Currently this is switched on via a 813 compile-time option, "configure --with-dlz-dlopen". 814 Note: the syntax for configuring DLZ zones 815 is likely to be refined in future releases. 816 (Contributed by Andrew Tridgell of the Samba 817 project.) [RT #22629] 818 8192987. [func] Improve ease of configuring TKEY/GSS updates by 820 adding a "tkey-gssapi-keytab" option. If set, 821 updates will be allowed with any key matching 822 a principal in the specified keytab file. 823 "tkey-gssapi-credential" is no longer required 824 and is expected to be deprecated. (Contributed 825 by Andrew Tridgell of the Samba project.) 826 [RT #22629] 827 8282986. [func] Add new zone type "static-stub". It's like a stub 829 zone, but the nameserver names and/or their IP 830 addresses are statically configured. [RT #21474] 831 8322985. [bug] Add a regression test for change #2896. [RT #21324] 833 8342984. [bug] Don't run MX checks when the target of the MX record 835 is ".". [RT #22645] 836 8372983. [bug] Include "loadkeys" in rndc help output. [RT #22493] 838 839 --- 9.8.0a1 released --- 840 8412982. [bug] Reference count dst keys. dst_key_attach() can be used 842 increment the reference count. 843 844 Note: dns_tsigkey_createfromkey() callers should now 845 always call dst_key_free() rather than setting it 846 to NULL on success. [RT #22672] 847 8482981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991] 849 8502980. [bug] named didn't properly handle UPDATES that changed the 851 TTL of the NSEC3PARAM RRset. [RT #22363] 852 8532979. [bug] named could deadlock during shutdown if two 854 "rndc stop" commands were issued at the same 855 time. [RT #22108] 856 8572978. [port] hpux: look for <devpoll.h> [RT #21919] 858 8592977. [bug] 'nsupdate -l' report if the session key is missing. 860 [RT #21670] 861 8622976. [bug] named could die on exit after negotiating a GSS-TSIG 863 key. [RT #22573] 864 8652975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the 866 wrong lock which could lead to server deadlock. 867 [RT #22614] 868 8692974. [bug] Some valid UPDATE requests could fail due to a 870 consistency check examining the existing version 871 of the zone rather than the new version resulting 872 from the UPDATE. [RT #22413] 873 8742973. [bug] bind.keys.h was being removed by the "make clean" 875 at the end of configure resulting in build failures 876 where there is very old version of perl installed. 877 Move it to "make maintainer-clean". [RT #22230] 878 8792972. [bug] win32: address windows socket errors. [RT #21906] 880 8812971. [bug] Fixed a bug that caused journal files not to be 882 compacted on Windows systems as a result of 883 non-POSIX-compliant rename() semantics. [RT #22434] 884 8852970. [security] Adding a NO DATA negative cache entry failed to clear 886 any matching RRSIG records. A subsequent lookup of 887 of NO DATA cache entry could trigger a INSIST when the 888 unexpected RRSIG was also returned with the NO DATA 889 cache entry. 890 891 CVE-2010-3613, VU#706148. [RT #22288] 892 8932969. [security] Fix acl type processing so that allow-query works 894 in options and view statements. Also add a new 895 set of tests to verify proper functioning. 896 897 CVE-2010-3615, VU#510208. [RT #22418] 898 8992968. [security] Named could fail to prove a data set was insecure 900 before marking it as insecure. One set of conditions 901 that can trigger this occurs naturally when rolling 902 DNSKEY algorithms. 903 904 CVE-2010-3614, VU#837744. [RT #22309] 905 9062967. [bug] 'host -D' now turns on debugging messages earlier. 907 [RT #22361] 908 9092966. [bug] isc_print_vsnprintf() failed to check if there was 910 space available in the buffer when adding a left 911 justified character with a non zero width, 912 (e.g. "%-1c"). [RT #22270] 913 9142965. [func] Test HMAC functions using test data from RFC 2104 and 915 RFC 4634. [RT #21702] 916 9172964. [placeholder] 918 9192963. [security] The allow-query acl was being applied instead of the 920 allow-query-cache acl to cache lookups. [RT #22114] 921 9222962. [port] win32: add more dependencies to BINDBuild.dsw. 923 [RT #22062] 924 9252961. [bug] Be still more selective about the non-authoritative 926 answers we apply change 2748 to. [RT #22074] 927 9282960. [func] Check that named accepts non-authoritative answers. 929 [RT #21594] 930 9312959. [func] Check that named starts with a missing masterfile. 932 [RT #22076] 933 9342958. [bug] named failed to start with a missing master file. 935 [RT #22076] 936 9372957. [bug] entropy_get() and entropy_getpseudo() failed to match 938 the API for RAND_bytes() and RAND_pseudo_bytes() 939 respectively. [RT #21962] 940 9412956. [port] Enable atomic operations on the PowerPC64. [RT #21899] 942 9432955. [func] Provide more detail in the recursing log. [RT #22043] 944 9452954. [bug] contrib: dlz_mysql_driver.c bad error handling on 946 build_sqldbinstance failure. [RT #21623] 947 9482953. [bug] Silence spurious "expected covering NSEC3, got an 949 exact match" message when returning a wildcard 950 no data response. [RT #21744] 951 9522952. [port] win32: named-checkzone and named-checkconf failed 953 to initialise winsock. [RT #21932] 954 9552951. [bug] named failed to generate a correct signed response 956 in a optout, delegation only zone with no secure 957 delegations. [RT #22007] 958 9592950. [bug] named failed to perform a SOA up to date check when 960 falling back to TCP on UDP timeouts when 961 ixfr-from-differences was set. [RT #21595] 962 9632949. [bug] dns_view_setnewzones() contained a memory leak if 964 it was called multiple times. [RT #21942] 965 9662948. [port] MacOS: provide a mechanism to configure the test 967 interfaces at reboot. See bin/tests/system/README 968 for details. 969 9702947. [placeholder] 971 9722946. [doc] Document the default values for the minimum and maximum 973 zone refresh and retry values in the ARM. [RT #21886] 974 9752945. [doc] Update empty-zones list in ARM. [RT #21772] 976 9772944. [maint] Remove ORCHID prefix from built in empty zones. 978 [RT #21772] 979 9802943. [func] Add support to load new keys into managed zones 981 without signing immediately with "rndc loadkeys". 982 Add support to link keys with "dnssec-keygen -S" 983 and "dnssec-settime -S". [RT #21351] 984 9852942. [contrib] zone2sqlite failed to setup the entropy sources. 986 [RT #21610] 987 9882941. [bug] sdb and sdlz (dlz's zone database) failed to support 989 DNAME at the zone apex. [RT #21610] 990 9912940. [port] Remove connection aborted error message on 992 Windows. [RT #21549] 993 9942939. [func] Check that named successfully skips NSEC3 records 995 that fail to match the NSEC3PARAM record currently 996 in use. [RT# 21868] 997 9982938. [bug] When generating signed responses, from a signed zone 999 that uses NSEC3, named would use a uninitialised 1000 pointer if it needed to skip a NSEC3 record because 1001 it didn't match the selected NSEC3PARAM record for 1002 zone. [RT# 21868] 1003 10042937. [bug] Worked around an apparent race condition in over 1005 memory conditions. Without this fix a DNS cache DB or 1006 ADB could incorrectly stay in an over memory state, 1007 effectively refusing further caching, which 1008 subsequently made a BIND 9 caching server unworkable. 1009 This fix prevents this problem from happening by 1010 polling the state of the memory context, rather than 1011 making a copy of the state, which appeared to cause 1012 a race. This is a "workaround" in that it doesn't 1013 solve the possible race per se, but several experiments 1014 proved this change solves the symptom. Also, the 1015 polling overhead hasn't been reported to be an issue. 1016 This bug should only affect a caching server that 1017 specifies a finite max-cache-size. It's also quite 1018 likely that the bug happens only when enabling threads, 1019 but it's not confirmed yet. [RT #21818] 1020 10212936. [func] Improved configuration syntax and multiple-view 1022 support for addzone/delzone feature (see change 1023 #2930). Removed "new-zone-file" option, replaced 1024 with "allow-new-zones (yes|no)". The new-zone-file 1025 for each view is now created automatically, with 1026 a filename generated from a hash of the view name. 1027 It is no longer necessary to "include" the 1028 new-zone-file in named.conf; this happens 1029 automatically. Zones that were not added via 1030 "rndc addzone" can no longer be removed with 1031 "rndc delzone". [RT #19447] 1032 10332935. [bug] nsupdate: improve 'file not found' error message. 1034 [RT #21871] 1035 10362934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c. 1037 [RT #21871] 1038 10392933. [bug] 'dig +nsid' used stack memory after it went out of 1040 scope. This could potentially result in a unknown, 1041 potentially malformed, EDNS option being sent instead 1042 of the desired NSID option. [RT #21781] 1043 10442932. [cleanup] Corrected a numbering error in the "dnssec" test. 1045 [RT #21597] 1046 10472931. [bug] Temporarily and partially disable change 2864 1048 because it would cause infinite attempts of RRSIG 1049 queries. This is an urgent care fix; we'll 1050 revisit the issue and complete the fix later. 1051 [RT #21710] 1052 10532930. [experimental] New "rndc addzone" and "rndc delzone" commads 1054 allow dynamic addition and deletion of zones. 1055 To enable this feature, specify a "new-zone-file" 1056 option at the view or options level in named.conf. 1057 Zone configuration information for the new zones 1058 will be written into that file. To make the new 1059 zones persist after a restart, "include" the file 1060 into named.conf in the appropriate view. (Note: 1061 This feature is not yet documented, and its syntax 1062 is expected to change.) [RT #19447] 1063 10642929. [bug] Improved handling of GSS security contexts: 1065 - added LRU expiration for generated TSIGs 1066 - added the ability to use a non-default realm 1067 - added new "realm" keyword in nsupdate 1068 - limited lifetime of generated keys to 1 hour 1069 or the lifetime of the context (whichever is 1070 smaller) 1071 [RT #19737] 1072 10732928. [bug] Be more selective about the non-authoritative 1074 answer we apply change 2748 to. [RT #21594] 1075 10762927. [placeholder] 1077 10782926. [placeholder] 1079 10802925. [bug] Named failed to accept uncachable negative responses 1081 from insecure zones. [RT# 21555] 1082 10832924. [func] 'rndc secroots' dump a combined summary of the 1084 current managed keys combined with trusted keys. 1085 [RT #20904] 1086 10872923. [bug] 'dig +trace' could drop core after "connection 1088 timeout". [RT #21514] 1089 10902922. [contrib] Update zkt to version 1.0. 1091 10922921. [bug] The resolver could attempt to destroy a fetch context 1093 too soon. [RT #19878] 1094 10952920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively 1096 to IPv4 clients. New acl 'filter-aaaa' (default any). 1097 10982919. [func] Add autosign-ksk and autosign-zsk virtual time tests. 1099 [RT #20840] 1100 11012918. [maint] Add AAAA address for I.ROOT-SERVERS.NET. 1102 11032917. [func] Virtual time test framework. [RT #20801] 1104 11052916. [func] Add framework to use IPv6 in tests. 1106 fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7 1107 11082915. [cleanup] Be smarter about which objects we attempt to compile 1109 based on configure options. [RT #21444] 1110 11112914. [bug] Make the "autosign" system test more portable. 1112 [RT #20997] 1113 11142913. [func] Add pkcs#11 system tests. [RT #20784] 1115 11162912. [func] Windows clients don't like UPDATE responses that clear 1117 the zone section. [RT #20986] 1118 11192911. [bug] dnssec-signzone didn't handle out of zone records well. 1120 [RT #21367] 1121 11222910. [func] Sanity check Kerberos credentials. [RT #20986] 1123 11242909. [bug] named-checkconf -p could die if "update-policy local;" 1125 was specified in named.conf. [RT #21416] 1126 11272908. [bug] It was possible for re-signing to stop after removing 1128 a DNSKEY. [RT #21384] 1129 11302907. [bug] The export version of libdns had undefined references. 1131 [RT #21444] 1132 11332906. [bug] Address RFC 5011 implementation issues. [RT #20903] 1134 11352905. [port] aix: set use_atomic=yes with native compiler. 1136 [RT #21402] 1137 11382904. [bug] When using DLV, sub-zones of the zones in the DLV, 1139 could be incorrectly marked as insecure instead of 1140 secure leading to negative proofs failing. This was 1141 a unintended outcome from change 2890. [RT# 21392] 1142 11432903. [bug] managed-keys-directory missing from namedconf.c. 1144 [RT #21370] 1145 11462902. [func] Add regression test for change 2897. [RT #21040] 1147 11482901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316] 1149 11502900. [bug] The placeholder negative caching element was not 1151 properly constructed triggering a INSIST in 1152 dns_ncache_towire(). [RT #21346] 1153 11542899. [port] win32: Support linking against OpenSSL 1.0.0. 1155 11562898. [bug] nslookup leaked memory when -domain=value was 1157 specified. [RT #21301] 1158 11592897. [bug] NSEC3 chains could be left behind when transitioning 1160 to insecure. [RT #21040] 1161 11622896. [bug] "rndc sign" failed to properly update the zone 1163 when adding a DNSKEY for publication only. [RT #21045] 1164 11652895. [func] genrandom: add support for the generation of multiple 1166 files. [RT #20917] 1167 11682894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294] 1169 11702893. [bug] Improve managed keys support. New named.conf option 1171 managed-keys-directory. [RT #20924] 1172 11732892. [bug] Handle REVOKED keys better. [RT #20961] 1174 11752891. [maint] Update empty-zones list to match 1176 draft-ietf-dnsop-default-local-zones-13. [RT# 21099] 1177 11782890. [bug] Handle the introduction of new trusted-keys and 1179 DS, DLV RRsets better. [RT #21097] 1180 11812889. [bug] Elements of the grammar where not properly reported. 1182 [RT #21046] 1183 11842888. [bug] Only the first EDNS option was displayed. [RT #21273] 1185 11862887. [bug] Report the keytag times in UTC in the .key file, 1187 local time is presented as a comment within the 1188 comment. [RT #21223] 1189 11902886. [bug] ctime() is not thread safe. [RT #21223] 1191 11922885. [bug] Improve -fno-strict-aliasing support probing in 1193 configure. [RT #21080] 1194 11952884. [bug] Insufficient validation in dns_name_getlabelsequence(). 1196 [RT #21283] 1197 11982883. [bug] 'dig +short' failed to handle really large datasets. 1199 [RT #21113] 1200 12012882. [bug] Remove memory context from list of active contexts 1202 before clearing 'magic'. [RT #21274] 1203 12042881. [bug] Reduce the amount of time the rbtdb write lock 1205 is held when closing a version. [RT #21198] 1206 12072880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke 1208 consistent. [RT #21078] 1209 12102879. [contrib] DLZ bdbhpt driver fails to close correct cursor. 1211 [RT #21106] 1212 12132878. [func] Incrementally write the master file after performing 1214 a AXFR. [RT #21010] 1215 12162877. [bug] The validator failed to skip obviously mismatching 1217 RRSIGs. [RT #21138] 1218 12192876. [bug] Named could return SERVFAIL for negative responses 1220 from unsigned zones. [RT #21131] 1221 12222875. [bug] dns_time64_fromtext() could accept non digits. 1223 [RT #21033] 1224 12252874. [bug] Cache lack of EDNS support only after the server 1226 successfully responds to the query using plain DNS. 1227 [RT #20930] 1228 12292873. [bug] Cancelling a dynamic update via the dns/client module 1230 could trigger an assertion failure. [RT #21133] 1231 12322872. [bug] Modify dns/client.c:dns_client_createx() to only 1233 require one of IPv4 or IPv6 rather than both. 1234 [RT #21122] 1235 12362871. [bug] Type mismatch in mem_api.c between the definition and 1237 the header file, causing build failure with 1238 --enable-exportlib. [RT #21138] 1239 12402870. [maint] Add AAAA address for L.ROOT-SERVERS.NET. 1241 12422869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. 1243 [RT #20877] 1244 12452868. [cleanup] Run "make clean" at the end of configure to ensure 1246 any changes made by configure are integrated. 1247 Use --with-make-clean=no to disable. [RT #20994] 1248 12492867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers 1250 don't like it. [RT #20986] 1251 12522866. [bug] Windows does not like the TSIG name being compressed. 1253 [RT #20986] 1254 12552865. [bug] memset to zero event.data. [RT #20986] 1256 12572864. [bug] Direct SIG/RRSIG queries were not handled correctly. 1258 [RT #21050] 1259 12602863. [port] linux: disable IPv6 PMTUD and use network minimum MTU. 1261 [RT #21056] 1262 12632862. [bug] nsupdate didn't default to the parent zone when 1264 updating DS records. [RT #20896] 1265 12662861. [doc] dnssec-settime man pages didn't correctly document the 1267 inactivation time. [RT #21039] 1268 12692860. [bug] named-checkconf's usage was out of date. [RT #21039] 1270 12712859. [bug] When cancelling validation it was possible to leak 1272 memory. [RT #20800] 1273 12742858. [bug] RTT estimates were not being adjusted on ICMP errors. 1275 [RT #20772] 1276 12772857. [bug] named-checkconf did not fail on a bad trusted key. 1278 [RT #20705] 1279 12802856. [bug] The size of a memory allocation was not always properly 1281 recorded. [RT #20927] 1282 12832855. [func] nsupdate will now preserve the entered case of domain 1284 names in update requests it sends. [RT #20928] 1285 12862854. [func] dig: allow the final soa record in a axfr response to 1287 be suppressed, dig +onesoa. [RT #20929] 1288 12892853. [bug] add_sigs() could run out of scratch space. [RT #21015] 1290 12912852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] 1292 12932851. [doc] nslookup.1, removed <informalexample> from the docbook 1294 source as it produced bad nroff. [RT #21007] 1295 12962850. [bug] If isc_heap_insert() failed due to memory shortage 1297 the heap would have corrupted entries. [RT #20951] 1298 12992849. [bug] Don't treat errors from the xml2 library as fatal. 1300 [RT #20945] 1301 13022848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and 1303 README.rfc5011 into the ARM. [RT #20899] 1304 13052847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921] 1306 13072846. [bug] EOF on unix domain sockets was not being handled 1308 correctly. [RT #20731] 1309 13102845. [bug] RFC 5011 client could crash on shutdown. [RT #20903] 1311 13122844. [doc] notify-delay default in ARM was wrong. It should have 1313 been five (5) seconds. 1314 13152843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from 1316 creating key files if there is a chance that the new 1317 key ID will collide with an existing one after 1318 either of the keys has been revoked. (To override 1319 this in the case of dnssec-keyfromlabel, use the -y 1320 option. dnssec-keygen will simply create a 1321 different, non-colliding key, so an override is 1322 not necessary.) [RT #20838] 1323 13242842. [func] Added "smartsign" and improved "autosign" and 1325 "dnssec" regression tests. [RT #20865] 1326 13272841. [bug] Change 2836 was not complete. [RT #20883] 1328 13292840. [bug] Temporary fixed pkcs11-destroy usage check. 1330 [RT #20760] 1331 13322839. [bug] A KSK revoked by named could not be deleted. 1333 [RT #20881] 1334 13352838. [placeholder] 1336 13372837. [port] Prevent Linux spurious warnings about fwrite(). 1338 [RT #20812] 1339 13402836. [bug] Keys that were scheduled to become active could 1341 be delayed. [RT #20874] 1342 13432835. [bug] Key inactivity dates were inadvertently stored in 1344 the private key file with the outdated tag 1345 "Unpublish" rather than "Inactive". This has been 1346 fixed; however, any existing keys that had Inactive 1347 dates set will now need to have them reset, using 1348 'dnssec-settime -I'. [RT #20868] 1349 13502834. [bug] HMAC-SHA* keys that were longer than the algorithm 1351 digest length were used incorrectly, leading to 1352 interoperability problems with other DNS 1353 implementations. This has been corrected. 1354 (Note: If an oversize key is in use, and 1355 compatibility is needed with an older release of 1356 BIND, the new tool "isc-hmac-fixup" can convert 1357 the key secret to a form that will work with all 1358 versions.) [RT #20751] 1359 13602833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime. 1361 [RT #20851] 1362 13632832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c 1364 to avoid redefinition in some OSs [RT 20831] 1365 13662831. [security] Do not attempt to validate or cache 1367 out-of-bailiwick data returned with a secure 1368 answer; it must be re-fetched from its original 1369 source and validated in that context. [RT #20819] 1370 13712830. [bug] Changing the OPTOUT setting could take multiple 1372 passes. [RT #20813] 1373 13742829. [bug] Fixed potential node inconsistency in rbtdb.c. 1375 [RT #20808] 1376 13772828. [security] Cached CNAME or DNAME RR could be returned to clients 1378 without DNSSEC validation. [RT #20737] 1379 13802827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 1381 13822826. [bug] NSEC3->NSEC transitions could fail due to a lock not 1383 being released. [RT #20740] 1384 13852825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that 1386 was in the process of being created was not properly 1387 recorded in the zone. [RT #20786] 1388 13892824. [bug] "rndc sign" was not being run by the correct task. 1390 [RT #20759] 1391 13922823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781] 1393 13942822. [bug] rbtdb.c:loadnode() could return the wrong result. 1395 [RT #20802] 1396 13972821. [doc] Add note that named-checkconf doesn't automatically 1398 read rndc.key and bind.keys [RT #20758] 1399 14002820. [func] Handle read access failure of OpenSSL configuration 1401 file more user friendly (PKCS#11 engine patch). 1402 [RT #20668] 1403 14042819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define. 1405 [RT #20771] 1406 14072818. [cleanup] rndc could return an incorrect error code 1408 when a zone was not found. [RT #20767] 1409 14102817. [cleanup] Removed unnecessary isc_task_endexclusive() calls. 1411 [RT #20768] 1412 14132816. [bug] previous_closest_nsec() could fail to return 1414 data for NSEC3 nodes [RT #29730] 1415 14162815. [bug] Exclusively lock the task when freezing a zone. 1417 [RT #19838] 1418 14192814. [func] Provide a definitive error message when a master 1420 zone is not loaded. [RT #20757] 1421 14222813. [bug] Better handling of unreadable DNSSEC key files. 1423 [RT #20710] 1424 14252812. [bug] Make sure updates can't result in a zone with 1426 NSEC-only keys and NSEC3 records. [RT #20748] 1427 14282811. [cleanup] Add "rndc sign" to list of commands in rndc usage 1429 output. [RT #20733] 1430 14312810. [doc] Clarified the process of transitioning an NSEC3 zone 1432 to insecure. [RT #20746] 1433 14342809. [cleanup] Restored accidentally-deleted text in usage output 1435 in dnssec-settime and dnssec-revoke [RT #20739] 1436 14372808. [bug] Remove the attempt to install atomic.h from lib/isc. 1438 atomic.h is correctly installed by the architecture 1439 specific subdirectories. [RT #20722] 1440 14412807. [bug] Fixed a possible ASSERT when reconfiguring zone 1442 keys. [RT #20720] 1443 1444 --- 9.7.0rc1 released --- 1445 14462806. [bug] "rdnc sign" could delay re-signing the DNSKEY 1447 when it had changed. [RT #20703] 1448 14492805. [bug] Fixed namespace problems encountered when building 1450 external programs using non-exported BIND9 libraries 1451 (i.e., built without --enable-exportlib). [RT #20679] 1452 14532804. [bug] Send notifies when a zone is signed with "rndc sign" 1454 or as a result of a scheduled key change. [RT #20700] 1455 14562803. [port] win32: Install named-journalprint, nsec3hash, arpaname 1457 and genrandom under windows. [RT #20670] 1458 14592802. [cleanup] Rename journalprint to named-journalprint. [RT #20670] 1460 14612801. [func] Detect and report records that are different according 1462 to DNSSEC but are semantically equal according to plain 1463 DNS. Apply plain DNS comparisons rather than DNSSEC 1464 comparisons when processing UPDATE requests. 1465 dnssec-signzone now removes such semantically duplicate 1466 records prior to signing the RRset. 1467 1468 named-checkzone -r {ignore|warn|fail} (default warn) 1469 named-compilezone -r {ignore|warn|fail} (default warn) 1470 1471 named.conf: check-dup-records {ignore|warn|fail}; 1472 14732800. [func] Reject zones which have NS records which refer to 1474 CNAMEs, DNAMEs or don't have address record (class IN 1475 only). Reject UPDATEs which would cause the zone 1476 to fail the above checks if committed. [RT #20678] 1477 14782799. [cleanup] Changed the "secure-to-insecure" option to 1479 "dnssec-secure-to-insecure", and "dnskey-ksk-only" 1480 to "dnssec-dnskey-kskonly", for clarity. [RT #20586] 1481 14822798. [bug] Addressed bugs in managed-keys initialization 1483 and rollover. [RT #20683] 1484 14852797. [bug] Don't decrement the dispatch manager's maxbuffers. 1486 [RT #20613] 1487 14882796. [bug] Missing dns_rdataset_disassociate() call in 1489 dns_nsec3_delnsec3sx(). [RT #20681] 1490 14912795. [cleanup] Add text to differentiate "update with no effect" 1492 log messages. [RT #18889] 1493 14942794. [bug] Install <isc/namespace.h>. [RT #20677] 1495 14962793. [func] Add "autosign" and "metadata" tests to the 1497 automatic tests. [RT #19946] 1498 14992792. [func] "filter-aaaa-on-v4" can now be set in view 1500 options (if compiled in). [RT #20635] 1501 15022791. [bug] The installation of isc-config.sh was broken. 1503 [RT #20667] 1504 15052790. [bug] Handle DS queries to stub zones. [RT #20440] 1506 15072789. [bug] Fixed an INSIST in dispatch.c [RT #20576] 1508 15092788. [bug] dnssec-signzone could sign with keys that were 1510 not requested [RT #20625] 1511 15122787. [bug] Spurious log message when zone keys were 1513 dynamically reconfigured. [RT #20659] 1514 15152786. [bug] Additional could be promoted to answer. [RT #20663] 1516 1517 --- 9.7.0b3 released --- 1518 15192785. [bug] Revoked keys could fail to self-sign [RT #20652] 1520 15212784. [bug] TC was not always being set when required glue was 1522 dropped. [RT #20655] 1523 15242783. [func] Return minimal responses to EDNS/UDP queries with a UDP 1525 buffer size of 512 or less. [RT #20654] 1526 15272782. [port] win32: use getaddrinfo() for hostname lookups. 1528 [RT #20650] 1529 15302781. [bug] Inactive keys could be used for signing. [RT #20649] 1531 15322780. [bug] dnssec-keygen -A none didn't properly unset the 1533 activation date in all cases. [RT #20648] 1534 15352779. [bug] Dynamic key revocation could fail. [RT #20644] 1536 15372778. [bug] dnssec-signzone could fail when a key was revoked 1538 without deleting the unrevoked version. [RT #20638] 1539 15402777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 1541 15422776. [bug] Change #2762 was not correct. [RT #20647] 1543 15442775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible 1545 in dnssec-keyfromlabel. [RT #20643] 1546 15472774. [bug] Existing cache DB wasn't being reused after 1548 reconfiguration. [RT #20629] 1549 15502773. [bug] In autosigned zones, the SOA could be signed 1551 with the KSK. [RT #20628] 1552 15532772. [security] When validating, track whether pending data was from 1554 the additional section or not and only return it if 1555 validates as secure. [RT #20438] 1556 15572771. [bug] dnssec-signzone: DNSKEY records could be 1558 corrupted when importing from key files [RT #20624] 1559 15602770. [cleanup] Add log messages to resolver.c to indicate events 1561 causing FORMERR responses. [RT #20526] 1562 15632769. [cleanup] Change #2742 was incomplete. [RT #19589] 1564 15652768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568] 1566 15672767. [bug] named could crash on startup if a zone was 1568 configured with auto-dnssec and there was no 1569 key-directory. [RT #20615] 1570 15712766. [bug] isc_socket_fdwatchpoke() should only update the 1572 socketmgr state if the socket is not pending on a 1573 read or write. [RT #20603] 1574 15752765. [bug] Skip masters for which the TSIG key cannot be found. 1576 [RT #20595] 1577 15782764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610] 1579 15802763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591] 1581 15822762. [bug] DLV validation failed with a local slave DLV zone. 1583 [RT #20577] 1584 15852761. [cleanup] Enable internal symbol table for backtrace only for 1586 systems that are known to work. Currently, BSD 1587 variants, Linux and Solaris are supported. [RT# 20202] 1588 15892760. [cleanup] Corrected named-compilezone usage summary. [RT #20533] 1590 15912759. [doc] Add information about .jbk/.jnw files to 1592 the ARM. [RT #20303] 1593 15942758. [bug] win32: Added a workaround for a windows 2008 bug 1595 that could cause the UDP client handler to shut 1596 down. [RT #19176] 1597 15982757. [bug] dig: assertion failure could occur in connect 1599 timeout. [RT #20599] 1600 16012756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597] 1602 16032755. [placeholder] 1604 16052754. [bug] Secure-to-insecure transitions failed when zone 1606 was signed with NSEC3. [RT #20587] 1607 16082753. [bug] Removed an unnecessary warning that could appear when 1609 building an NSEC chain. [RT #20589] 1610 16112752. [bug] Locking violation. [RT #20587] 1612 16132751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588] 1614 16152750. [bug] dig: assertion failure could occur when a server 1616 didn't have an address. [RT #20579] 1617 16182749. [bug] ixfr-from-differences generated a non-minimal ixfr 1619 for NSEC3 signed zones. [RT #20452] 1620 16212748. [func] Identify bad answers from GTLD servers and treat them 1622 as referrals. [RT #18884] 1623 16242747. [bug] Journal roll forwards failed to set the re-signing 1625 time of RRSIGs correctly. [RT #20541] 1626 16272746. [port] hpux: address signed/unsigned expansion mismatch of 1628 dns_rbtnode_t.nsec. [RT #20542] 1629 16302745. [bug] configure script didn't probe the return type of 1631 gai_strerror(3) correctly. [RT #20573] 1632 16332744. [func] Log if a query was over TCP. [RT #19961] 1634 16352743. [bug] RRSIG could be incorrectly set in the NSEC3 record 1636 for a insecure delegation. 1637 1638 --- 9.7.0b2 released --- 1639 16402742. [cleanup] Clarify some DNSSEC-related log messages in 1641 validator.c. [RT #19589] 1642 16432741. [func] Allow the dnssec-keygen progress messages to be 1644 suppressed (dnssec-keygen -q). Automatically 1645 suppress the progress messages when stdin is not 1646 a tty. [RT #20474] 1647 16482740. [placeholder] 1649 16502739. [cleanup] Clean up API for initializing and clearing trust 1651 anchors for a view. [RT #20211] 1652 16532738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system 1654 test. [RT #20453] 1655 16562737. [func] UPDATE requests can leak existence information. 1657 [RT #17261] 1658 16592736. [func] Improve the performance of NSEC signed zones with 1660 more than a normal amount of glue below a delegation. 1661 [RT #20191] 1662 16632735. [bug] dnssec-signzone could fail to read keys 1664 that were specified on the command line with 1665 full paths, but weren't in the current 1666 directory. [RT #20421] 1667 16682734. [port] cygwin: arpaname did not compile. [RT #20473] 1669 16702733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355] 1671 16722732. [func] Add optional filter-aaaa-on-v4 option, available 1673 if built with './configure --enable-filter-aaaa'. 1674 Filters out AAAA answers to clients connecting 1675 via IPv4. (This is NOT recommended for general 1676 use.) [RT #20339] 1677 16782731. [func] Additional work on change 2709. The key parser 1679 will now ignore unrecognized fields when the 1680 minor version number of the private key format 1681 has been increased. It will reject any key with 1682 the major version number increased. [RT #20310] 1683 16842730. [func] Have dnssec-keygen display a progress indication 1685 a la 'openssl genrsa' on standard error. Note 1686 when the first '.' is followed by a long stop 1687 one has the choice between slow generation vs. 1688 poor random quality, i.e., '-r /dev/urandom'. 1689 [RT #20284] 1690 16912729. [func] When constructing a CNAME from a DNAME use the DNAME 1692 TTL. [RT #20451] 1693 16942728. [bug] dnssec-keygen, dnssec-keyfromlabel and 1695 dnssec-signzone now warn immediately if asked to 1696 write into a nonexistent directory. [RT #20278] 1697 16982727. [func] The 'key-directory' option can now specify a relative 1699 path. [RT #20154] 1700 17012726. [func] Added support for SHA-2 DNSSEC algorithms, 1702 RSASHA256 and RSASHA512. [RT #20023] 1703 17042725. [doc] Added information about the file "managed-keys.bind" 1705 to the ARM. [RT #20235] 1706 17072724. [bug] Updates to a existing node in secure zone using NSEC 1708 were failing. [RT #20448] 1709 17102723. [bug] isc_base32_totext(), isc_base32hex_totext(), and 1711 isc_base64_totext(), didn't always mark regions of 1712 memory as fully consumed after conversion. [RT #20445] 1713 17142722. [bug] Ensure that the memory associated with the name of 1715 a node in a rbt tree is not altered during the life 1716 of the node. [RT #20431] 1717 17182721. [port] Have dst__entropy_status() prime the random number 1719 generator. [RT #20369] 1720 17212720. [bug] RFC 5011 trust anchor updates could trigger an 1722 assert if the DNSKEY record was unsigned. [RT #20406] 1723 17242719. [func] Skip trusted/managed keys for unsupported algorithms. 1725 [RT #20392] 1726 17272718. [bug] The space calculations in opensslrsa_todns() were 1728 incorrect. [RT #20394] 1729 17302717. [bug] named failed to update the NSEC/NSEC3 record when 1731 the last private type record was removed as a result 1732 of completing the signing the zone with a key. 1733 [RT #20399] 1734 17352716. [bug] nslookup debug mode didn't return the ttl. [RT #20414] 1736 1737 --- 9.7.0b1 released --- 1738 17392715. [bug] Require OpenSSL support to be explicitly disabled. 1740 [RT #20288] 1741 17422714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler 1743 flags. 1744 17452713. [bug] powerpc: atomic operations missing asm("ics") / 1746 __isync() calls. 1747 17482712. [func] New 'auto-dnssec' zone option allows zone signing 1749 to be fully automated in zones configured for 1750 dynamic DNS. 'auto-dnssec allow;' permits a zone 1751 to be signed by creating keys for it in the 1752 key-directory and using 'rndc sign <zone>'. 1753 'auto-dnssec maintain;' allows that too, plus it 1754 also keeps the zone's DNSSEC keys up to date 1755 according to their timing metadata. [RT #19943] 1756 17572711. [port] win32: Add the bin/pkcs11 tools into the full 1758 build. [RT #20372] 1759 17602710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only' 1761 zone option cause a zone to be signed with only KSKs 1762 signing the DNSKEY RRset, not ZSKs. This reduces 1763 the size of a DNSKEY answer. [RT #20340] 1764 17652709. [func] Added some data fields, currently unused, to the 1766 private key file format, to allow implementation 1767 of explicit key rollover in a future release 1768 without impairing backward or forward compatibility. 1769 [RT #20310] 1770 17712708. [func] Insecure to secure and NSEC3 parameter changes via 1772 update are now fully supported and no longer require 1773 defines to enable. We now no longer overload the 1774 NSEC3PARAM flag field, nor the NSEC OPT bit at the 1775 apex. Secure to insecure changes are controlled by 1776 by the named.conf option 'secure-to-insecure'. 1777 1778 Warning: If you had previously enabled support by 1779 adding defines at compile time to BIND 9.6 you should 1780 ensure that all changes that are in progress have 1781 completed prior to upgrading to BIND 9.7. BIND 9.7 1782 is not backwards compatible. 1783 17842707. [func] dnssec-keyfromlabel no longer require engine name 1785 to be specified in the label if there is a default 1786 engine or the -E option has been used. Also, it 1787 now uses default algorithms as dnssec-keygen does 1788 (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). 1789 [RT #20371] 1790 17912706. [bug] Loading a zone with a very large NSEC3 salt could 1792 trigger an assert. [RT #20368] 1793 17942705. [placeholder] 1795 17962704. [bug] Serial of dynamic and stub zones could be inconsistent 1797 with their SOA serial. [RT #19387] 1798 17992703. [func] Introduce an OpenSSL "engine" argument with -E 1800 for all binaries which can take benefit of 1801 crypto hardware. [RT #20230] 1802 18032702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all] 1804 18052701. [doc] Correction to ARM: hmac-md5 is no longer the only 1806 supported TSIG key algorithm. [RT #18046] 1807 18082700. [doc] The match-mapped-addresses option is discouraged. 1809 [RT #12252] 1810 18112699. [bug] Missing lock in rbtdb.c. [RT #20037] 1812 18132698. [placeholder] 1814 18152697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and 1816 S_IFREG are defined after including <isc/stat.h>. 1817 [RT #20309] 1818 18192696. [bug] named failed to successfully process some valid 1820 acl constructs. [RT #20308] 1821 18222695. [func] DHCP/DDNS - update fdwatch code for use by 1823 DHCP. Modify the api to isc_sockfdwatch_t (the 1824 callback functon for isc_socket_fdwatchcreate) 1825 to include information about the direction (read 1826 or write) and add isc_socket_fdwatchpoke. 1827 [RT #20253] 1828 18292694. [bug] Reduce default NSEC3 iterations from 100 to 10. 1830 [RT #19970] 1831 18322693. [port] Add some noreturn attributes. [RT #20257] 1833 18342692. [port] win32: 32/64 bit cleanups. [RT #20335] 1835 18362691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 1837 chain when re-signing a previously-signed zone. 1838 Use -u to modify NSEC3 parameters or switch 1839 between NSEC and NSEC3. [RT #20304] 1840 18412690. [bug] win32: fix isc_thread_key_getspecific() prototype. 1842 [RT #20315] 1843 18442689. [bug] Correctly handle snprintf result. [RT #20306] 1845 18462688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, 1847 to decide to fetch the destination address. [RT #20305] 1848 18492687. [bug] Fixed dnssec-signzone -S handling of revoked keys. 1850 Also, added warnings when revoking a ZSK, as this is 1851 not defined by protocol (but is legal). [RT #19943] 1852 18532686. [bug] dnssec-signzone should clean the old NSEC chain when 1854 signing with NSEC3 and vice versa. [RT #20301] 1855 18562685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054] 1857 18582684. [cleanup] dig: formalize +ad and +cd as synonyms for 1859 +adflag and +cdflag. [RT #19305] 1860 18612683. [bug] dnssec-signzone should clean out old NSEC3 chains when 1862 the NSEC3 parameters used to sign the zone change. 1863 [RT #20246] 1864 18652682. [bug] "configure --enable-symtable=all" failed to 1866 build. [RT #20282] 1867 18682681. [bug] IPSECKEY RR of gateway type 3 was not correctly 1869 decoded. [RT #20269] 1870 18712680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067] 1872 18732679. [func] dig -k can now accept TSIG keys in named.conf 1874 format. [RT #20031] 1875 18762678. [func] Treat DS queries as if "minimal-response yes;" 1877 was set. [RT #20258] 1878 18792677. [func] Changes to key metadata behavior: 1880 - Keys without "publish" or "active" dates set will 1881 no longer be used for smart signing. However, 1882 those dates will be set to "now" by default when 1883 a key is created; to generate a key but not use 1884 it yet, use dnssec-keygen -G. 1885 - New "inactive" date (dnssec-keygen/settime -I) 1886 sets the time when a key is no longer used for 1887 signing but is still published. 1888 - The "unpublished" date (-U) is deprecated in 1889 favour of "deleted" (-D). 1890 [RT #20247] 1891 18922676. [bug] --with-export-installdir should have been 1893 --with-export-includedir. [RT #20252] 1894 18952675. [bug] dnssec-signzone could crash if the key directory 1896 did not exist. [RT #20232] 1897 1898 --- 9.7.0a3 released --- 1899 19002674. [bug] "dnssec-lookaside auto;" crashed if named was built 1901 without openssl. [RT #20231] 1902 19032673. [bug] The managed-keys.bind zone file could fail to 1904 load due to a spurious result from sync_keyzone() 1905 [RT #20045] 1906 19072672. [bug] Don't enable searching in 'host' when doing reverse 1908 lookups. [RT #20218] 1909 19102671. [bug] Add support for PKCS#11 providers not returning 1911 the public exponent in RSA private keys 1912 (OpenCryptoki for instance) in 1913 dnssec-keyfromlabel. [RT #19294] 1914 19152670. [bug] Unexpected connect failures failed to log enough 1916 information to be useful. [RT #20205] 1917 19182669. [func] Update PKCS#11 support to support Keyper HSM. 1919 Update PKCS#11 patch to be against openssl-0.9.8i. 1920 19212668. [func] Several improvements to dnssec-* tools, including: 1922 - dnssec-keygen and dnssec-settime can now set key 1923 metadata fields 0 (to unset a value, use "none") 1924 - dnssec-revoke sets the revocation date in 1925 addition to the revoke bit 1926 - dnssec-settime can now print individual metadata 1927 fields instead of always printing all of them, 1928 and can print them in unix epoch time format for 1929 use by scripts 1930 [RT #19942] 1931 19322667. [func] Add support for logging stack backtrace on assertion 1933 failure (not available for all platforms). [RT #19780] 1934 19352666. [func] Added an 'options' argument to dns_name_fromstring() 1936 (API change from 9.7.0a2). [RT #20196] 1937 19382665. [func] Clarify syntax for managed-keys {} statement, add 1939 ARM documentation about RFC 5011 support. [RT #19874] 1940 19412664. [bug] create_keydata() and minimal_update() in zone.c 1942 didn't properly check return values for some 1943 functions. [RT #19956] 1944 19452663. [func] win32: allow named to run as a service using 1946 "NT AUTHORITY\LocalService" as the account. [RT #19977] 1947 19482662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() 1949 returned a misleading error code when lwresd was 1950 down. [RT #20028] 1951 19522661. [bug] Check whether socket fd exceeds FD_SETSIZE when 1953 creating lwres context. [RT #20029] 1954 19552660. [func] Add a new set of DNS libraries for non-BIND9 1956 applications. See README.libdns. [RT #19369] 1957 19582659. [doc] Clarify dnssec-keygen doc: key name must match zone 1959 name for DNSSEC keys. [RT #19938] 1960 19612658. [bug] dnssec-settime and dnssec-revoke didn't process 1962 key file paths correctly. [RT #20078] 1963 19642657. [cleanup] Lower "journal file <path> does not exist, creating it" 1965 log level to debug 1. [RT #20058] 1966 19672656. [func] win32: add a "tools only" check box to the installer 1968 which causes it to only install dig, host, nslookup, 1969 nsupdate and relevant DLLs. [RT #19998] 1970 19712655. [doc] Document that key-directory does not affect 1972 bind.keys, rndc.key or session.key. [RT #20155] 1973 19742654. [bug] Improve error reporting on duplicated names for 1975 deny-answer-xxx. [RT #20164] 1976 19772653. [bug] Treat ENGINE_load_private_key() failures as key 1978 not found rather than out of memory. [RT #18033] 1979 19802652. [func] Provide more detail about what record is being 1981 deleted. [RT #20061] 1982 19832651. [bug] Dates could print incorrectly in K*.key files on 1984 64-bit systems. [RT #20076] 1985 19862650. [bug] Assertion failure in dnssec-signzone when trying 1987 to read keyset-* files. [RT #20075] 1988 19892649. [bug] Set the domain for forward only zones. [RT #19944] 1990 19912648. [port] win32: isc_time_seconds() was broken. [RT #19900] 1992 19932647. [bug] Remove unnecessary SOA updates when a new KSK is 1994 added. [RT #19913] 1995 19962646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 1997 19982645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms 1999 which default to 64 bits. [RT #19927] 2000 2001 --- 9.7.0a2 released --- 2002 20032644. [bug] Change #2628 caused a regression on some systems; 2004 named was unable to write the PID file and would 2005 fail on startup. [RT #20001] 2006 20072643. [bug] Stub zones interacted badly with NSEC3 support. 2008 [RT #19777] 2009 20102642. [bug] nsupdate could dump core on solaris when reading 2011 improperly formatted key files. [RT #20015] 2012 20132641. [bug] Fixed an error in parsing update-policy syntax, 2014 added a regression test to check it. [RT #20007] 2015 20162640. [security] A specially crafted update packet will cause named 2017 to exit. [RT #20000] 2018 20192639. [bug] Silence compiler warnings in gssapi code. [RT #19954] 2020 20212638. [bug] Install arpaname. [RT #19957] 2022 20232637. [func] Rationalize dnssec-signzone's signwithkey() calling. 2024 [RT #19959] 2025 20262636. [func] Simplify zone signing and key maintenance with the 2027 dnssec-* tools. Major changes: 2028 - all dnssec-* tools now take a -K option to 2029 specify a directory in which key files will be 2030 stored 2031 - DNSSEC can now store metadata indicating when 2032 they are scheduled to be published, activated, 2033 revoked or removed; these values can be set by 2034 dnssec-keygen or overwritten by the new 2035 dnssec-settime command 2036 - dnssec-signzone -S (for "smart") option reads key 2037 metadata and uses it to determine automatically 2038 which keys to publish to the zone, use for 2039 signing, revoke, or remove from the zone 2040 [RT #19816] 2041 20422635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. 2043 [RT #19716] 2044 20452634. [port] win32: Add support for libxml2, enable 2046 statschannel. [RT #19773] 2047 20482633. [bug] Handle 15 bit rand() functions. [RT #19783] 2049 20502632. [func] util/kit.sh: warn if documentation appears to be out of 2051 date. [RT #19922] 2052 20532631. [bug] Handle "//", "/./" and "/../" in mkdirpath(). 2054 [RT #19926 ] 2055 20562630. [func] Improved syntax for DDNS autoconfiguration: use 2057 "update-policy local;" to switch on local DDNS in a 2058 zone. (The "ddns-autoconf" option has been removed.) 2059 [RT #19875] 2060 20612629. [port] Check for seteuid()/setegid(), use setresuid()/ 2062 setresgid() if not present. [RT #19932] 2063 20642628. [port] linux: Allow /var/run/named/named.pid to be opened 2065 at startup with reduced capabilities in operation. 2066 [RT #19884] 2067 20682627. [bug] Named aborted if the same key was included in 2069 trusted-keys more than once. [RT #19918] 2070 20712626. [bug] Multiple trusted-keys could trigger an assertion 2072 failure. [RT #19914] 2073 20742625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865] 2075 20762624. [func] 'named-checkconf -p' will print out the parsed 2077 configuration. [RT #18871] 2078 20792623. [bug] Named started searches for DS non-optimally. [RT #19915] 2080 20812622. [bug] Printing of named.conf grammar was broken. [RT #19919] 2082 20832621. [doc] Made copyright boilerplate consistent. [RT #19833] 2084 20852620. [bug] Delay thawing the zone until the reload of it has 2086 completed successfully. [RT #19750] 2087 20882619. [func] Add support for RFC 5011, automatic trust anchor 2089 maintenance. The new "managed-keys" statement can 2090 be used in place of "trusted-keys" for zones which 2091 support this protocol. (Note: this syntax is 2092 expected to change prior to 9.7.0 final.) [RT #19248] 2093 20942618. [bug] The sdb and sdlz db_interator_seek() methods could 2095 loop infinitely. [RT #19847] 2096 20972617. [bug] ifconfig.sh failed to emit an error message when 2098 run from the wrong location. [RT #19375] 2099 21002616. [bug] 'host' used the nameservers from resolv.conf even 2101 when a explicit nameserver was specified. [RT #19852] 2102 21032615. [bug] "__attribute__((unused))" was in the wrong place 2104 for ia64 gcc builds. [RT #19854] 2105 21062614. [port] win32: 'named -v' should automatically be executed 2107 in the foreground. [RT #19844] 2108 21092613. [placeholder] 2110 2111 --- 9.7.0a1 released --- 2112 21132612. [func] Add default values for the arguments to 2114 dnssec-keygen. Without arguments, it will now 2115 generate a 1024-bit RSASHA1 zone-signing key, 2116 or with the -f KSK option, a 2048-bit RSASHA1 2117 key-signing key. [RT #19300] 2118 21192611. [func] Add -l option to dnssec-dsfromkey to generate 2120 DLV records instead of DS records. [RT #19300] 2121 21222610. [port] sunos: Change #2363 was not complete. [RT #19796] 2123 21242609. [func] Simplify the configuration of dynamic zones: 2125 - add ddns-confgen command to generate 2126 configuration text for named.conf 2127 - add zone option "ddns-autoconf yes;", which 2128 causes named to generate a TSIG session key 2129 and allow updates to the zone using that key 2130 - add '-l' (localhost) option to nsupdate, which 2131 causes nsupdate to connect to a locally-running 2132 named process using the session key generated 2133 by named 2134 [RT #19284] 2135 21362608. [func] Perform post signing verification checks in 2137 dnssec-signzone. These can be disabled with -P. 2138 2139 The post sign verification test ensures that for each 2140 algorithm in use there is at least one non revoked 2141 self signed KSK key. That all revoked KSK keys are 2142 self signed. That all records in the zone are signed 2143 by the algorithm. [RT #19653] 2144 21452607. [bug] named could incorrectly delete NSEC3 records for 2146 empty nodes when processing a update request. 2147 [RT #19749] 2148 21492606. [bug] "delegation-only" was not being accepted in 2150 delegation-only type zones. [RT #19717] 2151 21522605. [bug] Accept DS responses from delegation only zones. 2153 [RT # 19296] 2154 21552604. [func] Add support for DNS rebinding attack prevention through 2156 new options, deny-answer-addresses and 2157 deny-answer-aliases. Based on contributed code from 2158 JD Nurmi, Google. [RT #18192] 2159 21602603. [port] win32: handle .exe extension of named-checkzone and 2161 named-comilezone argv[0] names under windows. 2162 [RT #19767] 2163 21642602. [port] win32: fix debugging command line build of libisccfg. 2165 [RT #19767] 2166 21672601. [doc] Mention file creation mode mask in the 2168 named manual page. 2169 21702600. [doc] ARM: miscellaneous reformatting for different 2171 page widths. [RT #19574] 2172 21732599. [bug] Address rapid memory growth when validation fails. 2174 [RT #19654] 2175 21762598. [func] Reserve the -F flag. [RT #19657] 2177 21782597. [bug] Handle a validation failure with a insecure delegation 2179 from a NSEC3 signed master/slave zone. [RT #19464] 2180 21812596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay 2182 long, leading to inefficient memory usage or rejecting 2183 newer cache entries in the worst case. [RT #19563] 2184 21852595. [bug] Fix unknown extended rcodes in dig. [RT #19625] 2186 21872594. [func] Have rndc warn if using its default configuration 2188 file when the key file also exists. [RT #19424] 2189 21902593. [bug] Improve a corner source of SERVFAILs [RT #19632] 2191 21922592. [bug] Treat "any" as a type in nsupdate. [RT #19455] 2193 21942591. [bug] named could die when processing a update in 2195 removed_orphaned_ds(). [RT #19507] 2196 21972590. [func] Report zone/class of "update with no effect". 2198 [RT #19542] 2199 22002589. [bug] dns_db_unregister() failed to clear '*dbimp'. 2201 [RT #19626] 2202 22032588. [bug] SO_REUSEADDR could be set unconditionally after failure 2204 of bind(2) call. This should be rare and mostly 2205 harmless, but may cause interference with other 2206 processes that happen to use the same port. [RT #19642] 2207 22082587. [func] Improve logging by reporting serial numbers for 2209 when zone serial has gone backwards or unchanged. 2210 [RT #19506] 2211 22122586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB 2213 or SDB. [RT #19577] 2214 22152585. [bug] Uninitialized socket name could be referenced via a 2216 statistics channel, triggering an assertion failure in 2217 XML rendering. [RT #19427] 2218 22192584. [bug] alpha: gcc optimization could break atomic operations. 2220 [RT #19227] 2221 22222583. [port] netbsd: provide a control to not add the compile 2223 date to the version string, -DNO_VERSION_DATE. 2224 22252582. [bug] Don't emit warning log message when we attempt to 2226 remove non-existent journal. [RT #19516] 2227 22282581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. 2229 Requires MySQL 5.0.19 or later. [RT #19084] 2230 22312580. [bug] UpdateRej statistics counter could be incremented twice 2232 for one rejection. [RT #19476] 2233 22342579. [bug] DNSSEC lookaside validation failed to handle unknown 2235 algorithms. [RT #19479] 2236 22372578. [bug] Changed default sig-signing-type to 65534, because 2238 65535 turns out to be reserved. [RT #19477] 2239 22402577. [doc] Clarified some statistics counters. [RT #19454] 2241 22422576. [bug] NSEC record were not being correctly signed when 2243 a zone transitions from insecure to secure. 2244 Handle such incorrectly signed zones. [RT #19114] 2245 22462575. [func] New functions dns_name_fromstring() and 2247 dns_name_tostring(), to simplify conversion 2248 of a string to a dns_name structure and vice 2249 versa. [RT #19451] 2250 22512574. [doc] Document nsupdate -g and -o. [RT #19351] 2252 22532573. [bug] Replacing a non-CNAME record with a CNAME record in a 2254 single transaction in a signed zone failed. [RT #19397] 2255 22562572. [func] Simplify DLV configuration, with a new option 2257 "dnssec-lookaside auto;" This is the equivalent 2258 of "dnssec-lookaside . trust-anchor dlv.isc.org;" 2259 plus setting a trusted-key for dlv.isc.org. 2260 2261 Note: The trusted key is hard-coded into named, 2262 but is also stored in (and can be overridden 2263 by) $sysconfdir/bind.keys. As the ISC DLV key 2264 rolls over it can be kept up to date by replacing 2265 the bind.keys file with a key downloaded from 2266 https://www.isc.org/solutions/dlv. [RT #18685] 2267 22682571. [func] Add a new tool "arpaname" which translates IP addresses 2269 to the corresponding IN-ADDR.ARPA or IP6.ARPA name. 2270 [RT #18976] 2271 22722570. [func] Log the destination address the query was sent to. 2273 [RT #19209] 2274 22752569. [func] Move journalprint, nsec3hash, and genrandom 2276 commands from bin/tests into bin/tools; 2277 "make install" will put them in $sbindir. [RT #19301] 2278 22792568. [bug] Report when the write to indicate a otherwise 2280 successful start fails. [RT #19360] 2281 22822567. [bug] dst__privstruct_writefile() could miss write errors. 2283 write_public_key() could miss write errors. 2284 dnssec-dsfromkey could miss write errors. 2285 [RT #19360] 2286 22872566. [cleanup] Clarify logged message when an insecure DNSSEC 2288 response arrives from a zone thought to be secure: 2289 "insecurity proof failed" instead of "not 2290 insecure". [RT #19400] 2291 22922565. [func] Add support for HIP record. Includes new functions 2293 dns_rdata_hip_first(), dns_rdata_hip_next() 2294 and dns_rdata_hip_current(). [RT #19384] 2295 22962564. [bug] Only take EDNS fallback steps when processing timeouts. 2297 [RT #19405] 2298 22992563. [bug] Dig could leak a socket causing it to wait forever 2300 to exit. [RT #19359] 2301 23022562. [doc] ARM: miscellaneous improvements, reorganization, 2303 and some new content. 2304 23052561. [doc] Add isc-config.sh(1) man page. [RT #16378] 2306 23072560. [bug] Add #include <config.h> to iptable.c. [RT #18258] 2308 23092559. [bug] dnssec-dsfromkey could compute bad DS records when 2310 reading from a K* files. [RT #19357] 2311 23122558. [func] Set the ownership of missing directories created 2313 for pid-file if -u has been specified on the command 2314 line. [RT #19328] 2315 23162557. [cleanup] PCI compliance: 2317 * new libisc log module file 2318 * isc_dir_chroot() now also changes the working 2319 directory to "/". 2320 * additional INSISTs 2321 * additional logging when files can't be removed. 2322 23232556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the 2324 error checks in the correct order resulting in the 2325 wrong error code sometimes being returned. [RT #19249] 2326 23272555. [func] dig: when emitting a hex dump also display the 2328 corresponding characters. [RT #19258] 2329 23302554. [bug] Validation of uppercase queries from NSEC3 zones could 2331 fail. [RT #19297] 2332 23332553. [bug] Reference leak on DNSSEC validation errors. [RT #19291] 2334 23352552. [bug] zero-no-soa-ttl-cache was not being honoured. 2336 [RT #19340] 2337 23382551. [bug] Potential Reference leak on return. [RT #19341] 2339 23402550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>. 2341 [RT #19343] 2342 23432549. [port] linux: define NR_OPEN if not currently defined. 2344 [RT #19344] 2345 23462548. [bug] Install iterated_hash.h. [RT #19335] 2347 23482547. [bug] openssl_link.c:mem_realloc() could reference an 2349 out-of-range area of the source buffer. New public 2350 function isc_mem_reallocate() was introduced to address 2351 this bug. [RT #19313] 2352 23532546. [func] Add --enable-openssl-hash configure flag to use 2354 OpenSSL (in place of internal routine) for hash 2355 functions (MD5, SHA[12] and HMAC). [RT #18815] 2356 23572545. [doc] ARM: Legal hostname checking (check-names) is 2358 for SRV RDATA too. [RT #19304] 2359 23602544. [cleanup] Removed unused structure members in adb.c. [RT #19225] 2361 23622543. [contrib] Update contrib/zkt to version 0.98. [RT #19113] 2363 23642542. [doc] Update the description of dig +adflag. [RT #19290] 2365 23662541. [bug] Conditionally update dispatch manager statistics. 2367 [RT #19247] 2368 23692540. [func] Add a nibble mode to $GENERATE. [RT #18872] 2370 23712539. [security] Update the interaction between recursion, allow-query, 2372 allow-query-cache and allow-recursion. [RT #19198] 2373 23742538. [bug] cache/ADB memory could grow over max-cache-size, 2375 especially with threads and smaller max-cache-size 2376 values. [RT #19240] 2377 23782537. [func] Added more statistics counters including those on socket 2379 I/O events and query RTT histograms. [RT #18802] 2380 23812536. [cleanup] Silence some warnings when -Werror=format-security is 2382 specified. [RT #19083] 2383 23842535. [bug] dig +showsearch and +trace interacted badly. [RT #19091] 2385 23862534. [func] Check NAPTR records regular expressions and 2387 replacement strings to ensure they are syntactically 2388 valid and consistant. [RT #18168] 2389 23902533. [doc] ARM: document @ (at-sign). [RT #17144] 2391 23922532. [bug] dig: check the question section of the response to 2393 see if it matches the asked question. [RT #18495] 2394 23952531. [bug] Change #2207 was incomplete. [RT #19098] 2396 23972530. [bug] named failed to reject insecure to secure transitions 2398 via UPDATE. [RT #19101] 2399 24002529. [cleanup] Upgrade libtool to silence complaints from recent 2401 version of autoconf. [RT #18657] 2402 24032528. [cleanup] Silence spurious configure warning about 2404 --datarootdir [RT #19096] 2405 24062527. [placeholder] 2407 24082526. [func] New named option "attach-cache" that allows multiple 2409 views to share a single cache to save memory and 2410 improve lookup efficiency. Based on contributed code 2411 from Barclay Osborn, Google. [RT #18905] 2412 24132525. [func] New logging category "query-errors" to provide detailed 2414 internal information about query failures, especially 2415 about server failures. [RT #19027] 2416 24172524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129] 2418 24192523. [bug] Random type rdata freed by dns_nsec_typepresent(). 2420 [RT #19112] 2421 24222522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal(). 2423 24242521. [bug] Improve epoll cross compilation support. [RT #19047] 2425 24262520. [bug] Update xml statistics version number to 2.0 as change 2427 #2388 made the schema incompatible to the previous 2428 version. [RT #19080] 2429 24302519. [bug] dig/host with -4 or -6 didn't work if more than two 2431 nameserver addresses of the excluded address family 2432 preceded in resolv.conf. [RT #19081] 2433 24342518. [func] Add support for the new CERT types from RFC 4398. 2435 [RT #19077] 2436 24372517. [bug] dig +trace with -4 or -6 failed when it chose a 2438 nameserver address of the excluded address type. 2439 [RT #18843] 2440 24412516. [bug] glue sort for responses was performed even when not 2442 needed. [RT #19039] 2443 24442515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel. 2445 [RT #19063] 2446 24472514. [bug] dig/host failed with -4 or -6 when resolv.conf contains 2448 a nameserver of the excluded address family. 2449 [RT #18848] 2450 24512513. [bug] Fix windows cli build. [RT #19062] 2452 24532512. [func] Print a summary of the cached records which make up 2454 the negative response. [RT #18885] 2455 24562511. [cleanup] dns_rdata_tofmttext() add const to linebreak. 2457 [RT #18885] 2458 24592510. [bug] "dig +sigchase" could trigger REQUIRE failures. 2460 [RT #19033] 2461 24622509. [bug] Specifying a fixed query source port was broken. 2463 [RT #19051] 2464 24652508. [placeholder] 2466 24672507. [func] Log the recursion quota values when killing the 2468 oldest query or refusing to recurse due to quota. 2469 [RT #19022] 2470 24712506. [port] solaris: Check at configure time if 2472 hack_shutup_pthreadonceinit is needed. [RT #19037] 2473 24742505. [port] Treat amd64 similarly to x86_64 when determining 2475 atomic operation support. [RT #19031] 2476 24772504. [bug] Address race condition in the socket code. [RT #18899] 2478 24792503. [port] linux: improve compatibility with Linux Standard 2480 Base. [RT #18793] 2481 24822502. [cleanup] isc_radix: Improve compliance with coding style, 2483 document function in <isc/radix.h>. [RT #18534] 2484 24852501. [func] $GENERATE now supports all rdata types. Multi-field 2486 rdata types need to be quoted. See the ARM for 2487 details. [RT #18368] 2488 24892500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent 2490 function. [RT #18582] 2491 24922499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash. 2493 [RT #18837] 2494 2495 --- 9.6.0rc1 released --- 2496 24972498. [bug] Removed a bogus function argument used with 2498 ISC_SOCKET_USE_POLLWATCH: it could cause compiler 2499 warning or crash named with the debug 1 level 2500 of logging. [RT #18917] 2501 25022497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure 2503 delegation. 2504 25052496. [bug] Add sanity length checks to NSID option. [RT #18813] 2506 25072495. [bug] Tighten RRSIG checks. [RT #18795] 2508 25092494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being 2510 installed. [RT #18826] 2511 25122493. [bug] The linux capabilities code was not correctly cleaning 2513 up after itself. [RT #18767] 2514 25152492. [func] Rndc status now reports the number of cpus discovered 2516 and the number of worker threads when running 2517 multi-threaded. [RT #18273] 2518 25192491. [func] Attempt to re-use a local port if we are already using 2520 the port. [RT #18548] 2521 25222490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO 2523 is cleared when IPV6_V6ONLY is set. [RT #18785] 2524 25252489. [port] solaris: Workaround Solaris's kernel bug about 2526 /dev/poll: 2527 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 2528 Define ISC_SOCKET_USE_POLLWATCH at build time to enable 2529 this workaround. [RT #18870] 2530 25312488. [func] Added a tool, dnssec-dsfromkey, to generate DS records 2532 from keyset and .key files. [RT #18694] 2533 25342487. [bug] Give TCP connections longer to complete. [RT #18675] 2535 25362486. [func] The default locations for named.pid and lwresd.pid 2537 are now /var/run/named/named.pid and 2538 /var/run/lwresd/lwresd.pid respectively. 2539 2540 This allows the owner of the containing directory 2541 to be set, for "named -u" support, and allows there 2542 to be a permanent symbolic link in the path, for 2543 "named -t" support. [RT #18306] 2544 25452485. [bug] Change update's the handling of obscured RRSIG 2546 records. Not all orphaned DS records were being 2547 removed. [RT #18828] 2548 25492484. [bug] It was possible to trigger a REQUIRE failure when 2550 adding NSEC3 proofs to the response in 2551 query_addwildcardproof(). [RT #18828] 2552 25532483. [port] win32: chroot() is not supported. [RT #18805] 2554 25552482. [port] libxml2: support versions 2.7.* in addition 2556 to 2.6.*. [RT #18806] 2557 2558 --- 9.6.0b1 released --- 2559 25602481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain 2561 collisions. [RT #18812] 2562 25632480. [bug] named could fail to emit all the required NSEC3 2564 records. [RT #18812] 2565 25662479. [bug] xfrout:covers was not properly initialized. [RT #18801] 2567 25682478. [bug] 'addresses' could be used uninitialized in 2569 configure_forward(). [RT #18800] 2570 25712477. [bug] dig: the global option to print the command line is 2572 +cmd not print_cmd. Update the output to reflect 2573 this. [RT #17008] 2574 25752476. [doc] ARM: improve documentation for max-journal-size and 2576 ixfr-from-differences. [RT #15909] [RT #18541] 2577 25782475. [bug] LRU cache cleanup under overmem condition could purge 2579 particular entries more aggressively. [RT #17628] 2580 25812474. [bug] ACL structures could be allocated with insufficient 2582 space, causing an array overrun. [RT #18765] 2583 25842473. [port] linux: raise the limit on open files to the possible 2585 maximum value before spawning threads; 'files' 2586 specified in named.conf doesn't seem to work with 2587 threads as expected. [RT #18784] 2588 25892472. [port] linux: check the number of available cpu's before 2590 calling chroot as it depends on "/proc". [RT #16923] 2591 25922471. [bug] named-checkzone was not reporting missing mandatory 2593 glue when sibling checks were disabled. [RT #18768] 2594 25952470. [bug] Elements of the isc_radix_node_t could be incorrectly 2596 overwritten. [RT# 18719] 2597 25982469. [port] solaris: Work around Solaris's select() limitations. 2599 [RT #18769] 2600 26012468. [bug] Resolver could try unreachable servers multiple times. 2602 [RT #18739] 2603 26042467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740] 2605 26062466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue. 2607 [RT #18302] 2608 26092465. [bug] Adb's handling of lame addresses was different 2610 for IPv4 and IPv6. [RT #18738] 2611 26122464. [port] linux: check that a capability is present before 2613 trying to set it. [RT #18135] 2614 26152463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket 2616 API and glibc hides parts of the IPv6 Advanced Socket 2617 API as a result. This is stupid as it breaks how the 2618 two halves (Basic and Advanced) of the IPv6 Socket API 2619 were designed to be used but we have to live with it. 2620 Define _GNU_SOURCE to pull in the IPv6 Advanced Socket 2621 API. [RT #18388] 2622 26232462. [doc] Document -m (enable memory usage debugging) 2624 option for dig. [RT #18757] 2625 26262461. [port] sunos: Change #2363 was not complete. [RT #17513] 2627 2628 --- 9.6.0a1 released --- 2629 26302460. [bug] Don't call dns_db_getnsec3parameters() on the cache. 2631 [RT #18697] 2632 26332459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448] 2634 26352458. [doc] ARM: update and correction for max-cache-size. 2636 [RT #18294] 2637 26382457. [tuning] max-cache-size is reverted to 0, the previous 2639 default. It should be safe because expired cache 2640 entries are also purged. [RT #18684] 2641 26422456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any 2643 address, regardless of family. They now correctly 2644 distinguish IPv4 from IPv6. [RT #18559] 2645 26462455. [bug] Stop metadata being transferred via axfr/ixfr. 2647 [RT #18639] 2648 26492454. [func] nsupdate: you can now set a default ttl. [RT #18317] 2650 26512453. [bug] Remove NULL pointer dereference in dns_journal_print(). 2652 [RT #18316] 2653 26542452. [func] Improve bin/test/journalprint. [RT #18316] 2655 26562451. [port] solaris: handle runtime linking better. [RT #18356] 2657 26582450. [doc] Fix lwresd docbook problem for manual page. 2659 [RT #18672] 2660 26612449. [placeholder] 2662 26632448. [func] Add NSEC3 support. [RT #15452] 2664 26652447. [cleanup] libbind has been split out as a separate product. 2666 26672446. [func] Add a new log message about build options on startup. 2668 A new command-line option '-V' for named is also 2669 provided to show this information. [RT# 18645] 2670 26712445. [doc] ARM out-of-date on empty reverse zones (list includes 2672 RFC1918 address, but these are not yet compiled in). 2673 [RT #18578] 2674 26752444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery 2676 (clear DF) for UDP responses and requests. 2677 26782443. [bug] win32: UDP connect() would not generate an event, 2679 and so connected UDP sockets would never clean up. 2680 Fix this by doing an immediate WSAConnect() rather 2681 than an io completion port type for UDP. 2682 26832442. [bug] A lock could be destroyed twice. [RT# 18626] 2684 26852441. [bug] isc_radix_insert() could copy radix tree nodes 2686 incompletely. [RT #18573] 2687 26882440. [bug] named-checkconf used an incorrect test to determine 2689 if an ACL was set to none. 2690 26912439. [bug] Potential NULL dereference in dns_acl_isanyornone(). 2692 [RT #18559] 2693 26942438. [bug] Timeouts could be logged incorrectly under win32. 2695 26962437. [bug] Sockets could be closed too early, leading to 2697 inconsistent states in the socket module. [RT #18298] 2698 26992436. [security] win32: UDP client handler can be shutdown. [RT #18576] 2700 27012435. [bug] Fixed an ACL memory leak affecting win32. 2702 27032434. [bug] Fixed a minor error-reporting bug in 2704 lib/isc/win32/socket.c. 2705 27062433. [tuning] Set initial timeout to 800ms. 2707 27082432. [bug] More Windows socket handling improvements. Stop 2709 using I/O events and use IO Completion Ports 2710 throughout. Rewrite the receive path logic to make 2711 it easier to support multiple simultaneous 2712 requesters in the future. Add stricter consistency 2713 checking as a compile-time option (define 2714 ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off). 2715 27162431. [bug] Acl processing could leak memory. [RT #18323] 2717 27182430. [bug] win32: isc_interval_set() could round down to 2719 zero if the input was less than NS_INTERVAL 2720 nanoseconds. Round up instead. [RT #18549] 2721 27222429. [doc] nsupdate should be in section 1 of the man pages. 2723 [RT #18283] 2724 27252428. [bug] dns_iptable_merge() mishandled merges of negative 2726 tables. [RT #18409] 2727 27282427. [func] Treat DNSKEY queries as if "minimal-response yes;" 2729 was set. [RT #18528] 2730 27312426. [bug] libbind: inet_net_pton() can sometimes return the 2732 wrong value if excessively large net masks are 2733 supplied. [RT #18512] 2734 27352425. [bug] named didn't detect unavailable query source addresses 2736 at load time. [RT #18536] 2737 27382424. [port] configure now probes for a working epoll 2739 implementation. Allow the use of kqueue, 2740 epoll and /dev/poll to be selected at compile 2741 time. [RT #18277] 2742 27432423. [security] Randomize server selection on queries, so as to 2744 make forgery a little more difficult. Instead of 2745 always preferring the server with the lowest RTT, 2746 pick a server with RTT within the same 128 2747 millisecond band. [RT #18441] 2748 27492422. [bug] Handle the special return value of a empty node as 2750 if it was a NXRRSET in the validator. [RT #18447] 2751 27522421. [func] Add new command line option '-S' for named to specify 2753 the max number of sockets. [RT #18493] 2754 Use caution: this option may not work for some 2755 operating systems without rebuilding named. 2756 27572420. [bug] Windows socket handling cleanup. Let the io 2758 completion event send out canceled read/write 2759 done events, which keeps us from writing to memory 2760 we no longer have ownership of. Add debugging 2761 socket_log() function. Rework TCP socket handling 2762 to not leak sockets. 2763 27642419. [cleanup] Document that isc_socket_create() and isc_socket_open() 2765 should not be used for isc_sockettype_fdwatch sockets. 2766 [RT #18521] 2767 27682418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure 2769 [RT #18430] 2770 27712417. [bug] Connecting UDP sockets for outgoing queries could 2772 unexpectedly fail with an 'address already in use' 2773 error. [RT #18411] 2774 27752416. [func] Log file descriptors that cause exceeding the 2776 internal maximum. [RT #18460] 2777 27782415. [bug] 'rndc dumpdb' could trigger various assertion failures 2779 in rbtdb.c. [RT #18455] 2780 27812414. [bug] A masterdump context held the database lock too long, 2782 causing various troubles such as dead lock and 2783 recursive lock acquisition. [RT #18311, #18456] 2784 27852413. [bug] Fixed an unreachable code path in socket.c. [RT #18442] 2786 27872412. [bug] win32: address a resource leak. [RT #18374] 2788 27892411. [bug] Allow using a larger number of sockets than FD_SETSIZE 2790 for select(). To enable this, set ISC_SOCKET_MAXSOCKETS 2791 at compilation time. [RT #18433] 2792 2793 Note: with changes #2469 and #2421 above, there is no 2794 need to tweak ISC_SOCKET_MAXSOCKETS at compilation time 2795 any more. 2796 27972410. [bug] Correctly delete m_versionInfo. [RT #18432] 2798 27992409. [bug] Only log that we disabled EDNS processing if we were 2800 subsequently successful. [RT #18029] 2801 28022408. [bug] A duplicate TCP dispatch event could be sent, which 2803 could then trigger an assertion failure in 2804 resquery_response(). [RT #18275] 2805 28062407. [port] hpux: test for sys/dyntune.h. [RT #18421] 2807 28082406. [placeholder] 2809 28102405. [cleanup] The default value for dnssec-validation was changed to 2811 "yes" in 9.5.0-P1 and all subsequent releases; this 2812 was inadvertently omitted from CHANGES at the time. 2813 28142404. [port] hpux: files unlimited support. 2815 28162403. [bug] TSIG context leak. [RT #18341] 2817 28182402. [port] Support Solaris 2.11 and over. [RT #18362] 2819 28202401. [bug] Expect to get E[MN]FILE errno internal_accept() 2821 (from accept() or fcntl() system calls). [RT #18358] 2822 28232400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails. 2824 [RT #18297] 2825 28262399. [placeholder] 2827 28282398. [bug] Improve file descriptor management. New, 2829 temporary, named.conf option reserved-sockets, 2830 default 512. [RT #18344] 2831 28322397. [bug] gssapi_functions had too many elements. [RT #18355] 2833 28342396. [bug] Don't set SO_REUSEADDR for randomized ports. 2835 [RT #18336] 2836 28372395. [port] Avoid warning and no effect from "files unlimited" 2838 on Linux when running as root. [RT #18335] 2839 28402394. [bug] Default configuration options set the limit for 2841 open files to 'unlimited' as described in the 2842 documentation. [RT #18331] 2843 28442393. [bug] nested acls containing keys could trigger an 2845 assertion in acl.c. [RT #18166] 2846 28472392. [bug] remove 'grep -q' from acl test script, some platforms 2848 don't support it. [RT #18253] 2849 28502391. [port] hpux: cover additional recvmsg() error codes. 2851 [RT #18301] 2852 28532390. [bug] dispatch.c could make a false warning on 'odd socket'. 2854 [RT #18301]. 2855 28562389. [bug] Move the "working directory writable" check to after 2857 the ns_os_changeuser() call. [RT #18326] 2858 28592388. [bug] Avoid using tables for layout purposes in 2860 statistics XSL [RT #18159]. 2861 28622387. [bug] Silence compiler warnings in lib/isc/radix.c. 2863 [RT #18147] [RT #18258] 2864 28652386. [func] Add warning about too small 'open files' limit. 2866 [RT #18269] 2867 28682385. [bug] A condition variable in socket.c could leak in 2869 rare error handling [RT #17968]. 2870 28712384. [security] Fully randomize UDP query ports to improve 2872 forgery resilience. [RT #17949, #18098] 2873 28742383. [bug] named could double queries when they resulted in 2875 SERVFAIL due to overkilling EDNS0 failure detection. 2876 [RT #18182] 2877 28782382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP 2879 to ARM. 2880 28812381. [port] dlz/mysql: support multiple install layouts for 2882 mysql. <prefix>/include/{,mysql/}mysql.h and 2883 <prefix>/lib/{,mysql/}. [RT #18152] 2884 28852380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET 2886 proofs which, in turn, caused validation failures 2887 for insecure zones immediately below a secure zone 2888 the server was authoritative for. [RT #18112] 2889 28902379. [contrib] queryperf/gen-data-queryperf.py: removed redundant 2891 TLDs and supported RRs with TTLs [RT #17972] 2892 28932378. [bug] gssapi_functions{} had a redundant member in BIND 9.5. 2894 [RT #18169] 2895 28962377. [bug] Address race condition in dnssec-signzone. [RT #18142] 2897 28982376. [bug] Change #2144 was not complete. 2899 29002375. [placeholder] 2901 29022374. [bug] "blackhole" ACLs could cause named to segfault due 2903 to some uninitialized memory. [RT #18095] 2904 29052373. [bug] Default values of zone ACLs were re-parsed each time a 2906 new zone was configured, causing an overconsumption 2907 of memory. [RT #18092] 2908 29092372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047] 2910 29112371. [doc] Add +nsid option to dig man page. [RT #18039] 2912 29132370. [bug] "rndc freeze" could trigger an assertion in named 2914 when called on a nonexistent zone. [RT #18050] 2915 29162369. [bug] libbind: Array bounds overrun on read in bitncmp(). 2917 [RT #18054] 2918 29192368. [port] Linux: use libcap for capability management if 2920 possible. [RT# 18026] 2921 29222367. [bug] Improve counting of dns_resstatscounter_retry 2923 [RT #18030] 2924 29252366. [bug] Adb shutdown race. [RT #18021] 2926 29272365. [bug] Fix a bug that caused dns_acl_isany() to return 2928 spurious results. [RT #18000] 2929 29302364. [bug] named could trigger a assertion when serving a 2931 malformed signed zone. [RT #17828] 2932 29332363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;". 2934 [RT #17513] 2935 29362362. [cleanup] Make "rrset-order fixed" a compile-time option. 2937 settable by "./configure --enable-fixed-rrset". 2938 Disabled by default. [RT #17977] 2939 29402361. [bug] "recursion" statistics counter could be counted 2941 multiple times for a single query. [RT #17990] 2942 29432360. [bug] Fix a condition where we release a database version 2944 (which may acquire a lock) while holding the lock. 2945 29462359. [bug] Fix NSID bug. [RT #17942] 2947 29482358. [doc] Update host's default query description. [RT #17934] 2949 29502357. [port] Don't use OpenSSL's engine support in versions before 2951 OpenSSL 0.9.7f. [RT #17922] 2952 29532356. [bug] Built in mutex profiler was not scalable enough. 2954 [RT #17436] 2955 29562355. [func] Extend the number statistics counters available. 2957 [RT #17590] 2958 29592354. [bug] Failed to initialize some rdatasetheader_t elements. 2960 [RT #17927] 2961 29622353. [func] Add support for Name Server ID (RFC 5001). 2963 'dig +nsid' requests NSID from server. 2964 'request-nsid yes;' causes recursive server to send 2965 NSID requests to upstream servers. Server responds 2966 to NSID requests with the string configured by 2967 'server-id' option. [RT #17091] 2968 29692352. [bug] Various GSS_API fixups. [RT #17729] 2970 29712351. [bug] convertxsl.pl generated very long lines. [RT #17906] 2972 29732350. [port] win32: IPv6 support. [RT #17797] 2974 29752349. [func] Provide incremental re-signing support for secure 2976 dynamic zones. [RT #1091] 2977 29782348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support. 2979 Documentation is in the new README.pkcs11 file. 2980 New tool, dnssec-keyfromlabel, which takes the 2981 label of a key pair in a HSM and constructs a DNS 2982 key pair for use by named and dnssec-signzone. 2983 [RT #16844] 2984 29852347. [bug] Delete now traverses the RB tree in the canonical 2986 order. [RT #17451] 2987 29882346. [func] Memory statistics now cover all active memory contexts 2989 in increased detail. [RT #17580] 2990 29912345. [bug] named-checkconf failed to detect when forwarders 2992 were set at both the options/view level and in 2993 a root zone. [RT #17671] 2994 29952344. [bug] Improve "logging{ file ...; };" documentation. 2996 [RT #17888] 2997 29982343. [bug] (Seemingly) duplicate IPv6 entries could be 2999 created in ADB. [RT #17837] 3000 30012342. [func] Use getifaddrs() if available under Linux. [RT #17224] 3002 30032341. [bug] libbind: add missing -I../include for off source 3004 tree builds. [RT #17606] 3005 30062340. [port] openbsd: interface configuration. [RT #17700] 3007 30082339. [port] tru64: support for libbind. [RT #17589] 3009 30102338. [bug] check_ds() could be called with a non DS rdataset. 3011 [RT #17598] 3012 30132337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614] 3014 30152336. [func] If "named -6" is specified then listen on all IPv6 3016 interfaces if there are not listen-on-v6 clauses in 3017 named.conf. [RT #17581] 3018 30192335. [port] sunos: libbind and *printf() support for long long. 3020 [RT #17513] 3021 30222334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one 3023 bug in fromstruct_txt(). [RT #17609] 3024 30252333. [bug] Fix off by one error in isc_time_nowplusinterval(). 3026 [RT #17608] 3027 30282332. [contrib] query-loc-0.4.0. [RT #17602] 3029 30302331. [bug] Failure to regenerate any signatures was not being 3031 reported nor being past back to the UPDATE client. 3032 [RT #17570] 3033 30342330. [bug] Remove potential race condition when handling 3035 over memory events. [RT #17572] 3036 3037 WARNING: API CHANGE: over memory callback 3038 function now needs to call isc_mem_waterack(). 3039 See <isc/mem.h> for details. 3040 30412329. [bug] Clearer help text for dig's '-x' and '-i' options. 3042 30432328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET, 3044 F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET, 3045 J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and 3046 M.ROOT-SERVERS.NET. 3047 30482327. [bug] It was possible to dereference a NULL pointer in 3049 rbtdb.c. Implement dead node processing in zones as 3050 we do for caches. [RT #17312] 3051 30522326. [bug] It was possible to trigger a INSIST in the acache 3053 processing. 3054 30552325. [port] Linux: use capset() function if available. [RT #17557] 3056 30572324. [bug] Fix IPv6 matching against "any;". [RT #17533] 3058 30592323. [port] tru64: namespace clash. [RT #17547] 3060 30612322. [port] MacOS: work around the limitation of setrlimit() 3062 for RLIMIT_NOFILE. [RT #17526] 3063 30642321. [placeholder] 3065 30662320. [func] Make statistics counters thread-safe for platforms 3067 that support certain atomic operations. [RT #17466] 3068 30692319. [bug] Silence Coverity warnings in 3070 lib/dns/rdata/in_1/apl_42.c. [RT #17469] 3071 30722318. [port] sunos fixes for libbind. [RT #17514] 3073 30742317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518] 3075 30762316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c. 3077 [RT #17513] 3078 30792315. [bug] Used incorrect address family for mapped IPv4 3080 addresses in acl.c. [RT #17519] 3081 30822314. [bug] Uninitialized memory use on error path in 3083 bin/named/lwdnoop.c. [RT #17476] 3084 30852313. [cleanup] Silence Coverity warnings. Handle private stacks. 3086 [RT #17447] [RT #17478] 3087 30882312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c. 3089 [RT #17458] 3090 30912311. [bug] IPv6 addresses could match IPv4 ACL entries and 3092 vice versa. [RT #17462] 3093 30942310. [bug] dig, host, nslookup: flush stdout before emitting 3095 debug/fatal messages. [RT #17501] 3096 30972309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c. 3098 [RT #17455] 3099 31002308. [cleanup] Silence Coverity warning in bin/named/controlconf.c. 3101 [RT #17495] 3102 31032307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496] 3104 31052306. [bug] Remove potential race from lib/dns/resolver.c. 3106 [RT #17470] 3107 31082305. [security] inet_network() buffer overflow. CVE-2008-0122. 3109 31102304. [bug] Check returns from all dns_rdata_tostruct() calls. 3111 [RT #17460] 3112 31132303. [bug] Remove unnecessary code from bin/named/lwdgnba.c. 3114 [RT #17471] 3115 31162302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472] 3117 31182301. [bug] Remove resource leak and fix error messages in 3119 bin/tests/system/lwresd/lwtest.c. [RT #17474] 3120 31212300. [bug] Fixed failure to close open file in 3122 bin/tests/names/t_names.c. [RT #17473] 3123 31242299. [bug] Remove unnecessary NULL check in 3125 bin/nsupdate/nsupdate.c. [RT #17475] 3126 31272298. [bug] isc_mutex_lock() failure not caught in 3128 bin/tests/timers/t_timers.c. [RT #17468] 3129 31302297. [bug] isc_entropy_createfilesource() failure not caught in 3131 bin/tests/dst/t_dst.c. [RT #17467] 3132 31332296. [port] Allow docbook stylesheet location to be specified to 3134 configure. [RT #17457] 3135 31362295. [bug] Silence static overrun error in bin/named/lwaddr.c. 3137 [RT #17459] 3138 31392294. [func] Allow the experimental statistics channels to have 3140 multiple connections and ACL. 3141 Note: the stats-server and stats-server-v6 options 3142 available in the previous beta releases are replaced 3143 with the generic statistics-channels statement. 3144 31452293. [func] Add ACL regression test. [RT #17375] 3146 31472292. [bug] Log if the working directory is not writable. 3148 [RT #17312] 3149 31502291. [bug] PR_SET_DUMPABLE may be set too late. Also report 3151 failure to set PR_SET_DUMPABLE. [RT #17312] 3152 31532290. [bug] Let AD in the query signal that the client wants AD 3154 set in the response. [RT #17301] 3155 31562289. [func] named-checkzone now reports the out-of-zone CNAME 3157 found. [RT #17309] 3158 31592288. [port] win32: mark service as running when we have finished 3160 loading. [RT #17441] 3161 31622287. [bug] Use 'volatile' if the compiler supports it. [RT #17413] 3163 31642286. [func] Allow a TCP connection to be used as a weak 3165 authentication method for reverse zones. 3166 New update-policy methods tcp-self and 6to4-self. 3167 [RT #17378] 3168 31692285. [func] Test framework for client memory context management. 3170 [RT #17377] 3171 31722284. [bug] Memory leak in UPDATE prerequisite processing. 3173 [RT #17377] 3174 31752283. [bug] TSIG keys were not attaching to the memory 3176 context. TSIG keys should use the rings 3177 memory context rather than the clients memory 3178 context. [RT #17377] 3179 31802282. [bug] Acl code fixups. [RT #17346] [RT #17374] 3181 31822281. [bug] Attempts to use undefined acls were not being logged. 3183 [RT #17307] 3184 31852280. [func] Allow the experimental http server to be reached 3186 over IPv6 as well as IPv4. [RT #17332] 3187 31882279. [bug] Use setsockopt(SO_NOSIGPIPE), when available, 3189 to protect applications from receiving spurious 3190 SIGPIPE signals when using the resolver. 3191 31922278. [bug] win32: handle the case where Windows returns no 3193 search list or DNS suffix. [RT #17354] 3194 31952277. [bug] Empty zone names were not correctly being caught at 3196 in the post parse checks. [RT #17357] 3197 31982276. [bug] Install <dst/gssapi.h>. [RT# 17359] 3199 32002275. [func] Add support to dig to perform IXFR queries over UDP. 3201 [RT #17235] 3202 32032274. [func] Log zone transfer statistics. [RT #17336] 3204 32052273. [bug] Adjust log level to WARNING when saving inconsistent 3206 stub/slave master and journal files. [RT# 17279] 3207 32082272. [bug] Handle illegal dnssec-lookaside trust-anchor names. 3209 [RT #17262] 3210 32112271. [bug] Fix a memory leak in http server code [RT #17100] 3212 32132270. [bug] dns_db_closeversion() version->writer could be reset 3214 before it is tested. [RT #17290] 3215 32162269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232] 3217 32182268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones 3219 list. 3220 3221 --- 9.5.0b1 released --- 3222 32232267. [bug] Radix tree node_num value could be set incorrectly, 3224 causing positive ACL matches to look like negative 3225 ones. [RT #17311] 3226 32272266. [bug] client.c:get_clientmctx() returned the same mctx 3228 once the pool of mctx's was filled. [RT #17218] 3229 32302265. [bug] Test that the memory context's basic_table is non NULL 3231 before freeing. [RT #17265] 3232 32332264. [bug] Server prefix length was being ignored. [RT #17308] 3234 32352263. [bug] "named-checkconf -z" failed to set default value 3236 for "check-integrity". [RT #17306] 3237 32382262. [bug] Error status from all but the last view could be 3239 lost. [RT #17292] 3240 32412261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272] 3242 32432260. [bug] Reported wrong clients-per-query when increasing the 3244 value. [RT #17236] 3245 32462259. [placeholder] 3247 3248 --- 9.5.0a7 released --- 3249 32502258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken. 3251 [RT #17241] 3252 32532257. [bug] win32: Use the full path to vcredist_x86.exe when 3254 calling it. [RT #17222] 3255 32562256. [bug] win32: Correctly register the installation location of 3257 bindevt.dll. [RT #17159] 3258 32592255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42. 3260 32612254. [bug] timer.c:dispatch() failed to lock timer->lock 3262 when reading timer->idle allowing it to see 3263 intermediate values as timer->idle was reset by 3264 isc_timer_touch(). [RT #17243] 3265 32662253. [func] "max-cache-size" defaults to 32M. 3267 "max-acache-size" defaults to 16M. 3268 32692252. [bug] Fixed errors in sortlist code [RT #17216] 3270 32712251. [placeholder] 3272 32732250. [func] New flag 'memstatistics' to state whether the 3274 memory statistics file should be written or not. 3275 Additionally named's -m option will cause the 3276 statistics file to be written. [RT #17113] 3277 32782249. [bug] Only set Authentic Data bit if client requested 3279 DNSSEC, per RFC 3655 [RT #17175] 3280 32812248. [cleanup] Fix several errors reported by Coverity. [RT #17160] 3282 32832247. [doc] Sort doc/misc/options. [RT #17067] 3284 32852246. [bug] Make the startup of test servers (ans.pl) more 3286 robust. [RT #17147] 3287 32882245. [bug] Validating lack of DS records at trust anchors wasn't 3289 working. [RT #17151] 3290 32912244. [func] Allow the check of nameserver names against the 3292 SOA MNAME field to be disabled by specifying 3293 'notify-to-soa yes;'. [RT #17073] 3294 32952243. [func] Configuration files without a newline at the end now 3296 parse without error. [RT #17120] 3297 32982242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos 3299 library could require a source of random data. 3300 [RT #17127] 3301 33022241. [func] nsupdate: add a interactive 'help' command. [RT #17099] 3303 33042240. [bug] Cleanup nsupdates GSS-TSIG support. Convert 3305 a number of INSIST()s into plain fatal() errors 3306 which report the triggering result code. 3307 The 'key' command wasn't disabling GSS-TSIG. 3308 [RT #17099] 3309 33102239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114] 3311 33122238. [bug] It was possible to trigger a REQUIRE when a 3313 validation was canceled. [RT #17106] 3314 33152237. [bug] libbind: res_init() was not thread aware. [RT #17123] 3316 33172236. [bug] dnssec-signzone failed to preserve the case of 3318 of wildcard owner names. [RT #17085] 3319 33202235. [bug] <isc/atomic.h> was not being installed. [RT #17135] 3321 33222234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] 3323 33242233. [func] Add support for O(1) ACL processing, based on 3325 radix tree code originally written by Kevin 3326 Brintnall. [RT #16288] 3327 33282232. [bug] dns_adb_findaddrinfo() could fail and return 3329 ISC_R_SUCCESS. [RT #17137] 3330 33312231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken. 3332 [RT #17088] 3333 33342230. [bug] We could INSIST reading a corrupted journal. 3335 [RT #17132] 3336 33372229. [bug] Null pointer dereference on query pool creation 3338 failure. [RT #17133] 3339 33402228. [contrib] contrib: Change 2188 was incomplete. 3341 33422227. [cleanup] Tidied up the FAQ. [RT #17121] 3343 33442226. [placeholder] 3345 33462225. [bug] More support for systems with no IPv4 addresses. 3347 [RT #17111] 3348 33492224. [bug] Defer journal compaction if a xfrin is in progress. 3350 [RT #17119] 3351 33522223. [bug] Make a new journal when compacting. [RT #17119] 3353 33542222. [func] named-checkconf now checks server key references. 3355 [RT #17097] 3356 33572221. [bug] Set the event result code to reflect the actual 3358 record turned to caller when a cache update is 3359 rejected due to a more credible answer existing. 3360 [RT #17017] 3361 33622220. [bug] win32: Address a race condition in final shutdown of 3363 the Windows socket code. [RT #17028] 3364 33652219. [bug] Apply zone consistency checks to additions, not 3366 removals, when updating. [RT #17049] 3367 33682218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). 3369 [RT #16976] 3370 33712217. [func] Adjust update log levels. [RT #17092] 3372 33732216. [cleanup] Fix a number of errors reported by Coverity. 3374 [RT #17094] 3375 33762215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] 3377 33782214. [bug] Deregister OpenSSL lock callback when cleaning 3379 up. Reorder OpenSSL cleanup so that RAND_cleanup() 3380 is called before the locks are destroyed. [RT #17098] 3381 33822213. [bug] SIG0 diagnostic failure messages were looking at the 3383 wrong status code. [RT #17101] 3384 33852212. [func] 'host -m' now causes memory statistics and active 3386 memory to be printed at exit. [RT 17028] 3387 33882211. [func] Update "dynamic update temporarily disabled" message. 3389 [RT #17065] 3390 33912210. [bug] Deleting class specific records via UPDATE could 3392 fail. [RT #17074] 3393 33942209. [port] osx: linking against user supplied static OpenSSL 3395 libraries failed as the system ones were still being 3396 found. [RT #17078] 3397 33982208. [port] win32: make sure both build methods produce the 3399 same output. [RT #17058] 3400 34012207. [port] Some implementations of getaddrinfo() fail to set 3402 ai_canonname correctly. [RT #17061] 3403 3404 --- 9.5.0a6 released --- 3405 34062206. [security] "allow-query-cache" and "allow-recursion" now 3407 cross inherit from each other. 3408 3409 If allow-query-cache is not set in named.conf then 3410 allow-recursion is used if set, otherwise allow-query 3411 is used if set, otherwise the default (localnets; 3412 localhost;) is used. 3413 3414 If allow-recursion is not set in named.conf then 3415 allow-query-cache is used if set, otherwise allow-query 3416 is used if set, otherwise the default (localnets; 3417 localhost;) is used. 3418 3419 [RT #16987] 3420 34212205. [bug] libbind: change #2119 broke thread support. [RT #16982] 3422 34232204. [bug] "rndc flushanme name unknown-view" caused named 3424 to crash. [RT #16984] 3425 34262203. [security] Query id generation was cryptographically weak. 3427 [RT # 16915] 3428 34292202. [security] The default acls for allow-query-cache and 3430 allow-recursion were not being applied. [RT #16960] 3431 34322201. [bug] The build failed in a separate object directory. 3433 [RT #16943] 3434 34352200. [bug] The search for cached NSEC records was stopping to 3436 early leading to excessive DLV queries. [RT #16930] 3437 34382199. [bug] win32: don't call WSAStartup() while loading dlls. 3439 [RT #16911] 3440 34412198. [bug] win32: RegCloseKey() could be called when 3442 RegOpenKeyEx() failed. [RT #16911] 3443 34442197. [bug] Add INSIST to catch negative responses which are 3445 not setting the event result code appropriately. 3446 [RT #16909] 3447 34482196. [port] win32: yield processor while waiting for once to 3449 to complete. [RT #16958] 3450 34512195. [func] dnssec-keygen now defaults to nametype "ZONE" 3452 when generating DNSKEYs. [RT #16954] 3453 34542194. [bug] Close journal before calling 'done' in xfrin.c. 3455 3456 --- 9.5.0a5 released --- 3457 34582193. [port] win32: BINDInstall.exe is now linked statically. 3459 [RT #16906] 3460 34612192. [port] win32: use vcredist_x86.exe to install Visual 3462 Studio's redistributable dlls if building with 3463 Visual Stdio 2005 or later. 3464 34652191. [func] named-checkzone now allows dumping to stdout (-). 3466 named-checkconf now has -h for help. 3467 named-checkzone now has -h for help. 3468 rndc now has -h for help. 3469 Better handling of '-?' for usage summaries. 3470 [RT #16707] 3471 34722190. [func] Make fallback to plain DNS from EDNS due to timeouts 3473 more visible. New logging category "edns-disabled". 3474 [RT #16871] 3475 34762189. [bug] Handle socket() returning EINTR. [RT #15949] 3477 34782188. [contrib] queryperf: autoconf changes to make the search for 3479 libresolv or libbind more robust. [RT #16299] 3480 34812187. [bug] query_addds(), query_addwildcardproof() and 3482 query_addnxrrsetnsec() should take a version 3483 argument. [RT #16368] 3484 34852186. [port] cygwin: libbind: check for struct sockaddr_storage 3486 independently of IPv6. [RT #16482] 3487 34882185. [port] sunos: libbind: check for ssize_t, memmove() and 3489 memchr(). [RT #16463] 3490 34912184. [bug] bind9.xsl.h didn't build out of the source tree. 3492 [RT #16830] 3493 34942183. [bug] dnssec-signzone didn't handle offline private keys 3495 well. [RT #16832] 3496 34972182. [bug] dns_dispatch_createtcp() and dispatch_createudp() 3498 could return ISC_R_SUCCESS when they ran out of 3499 memory. [RT #16365] 3500 35012181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462] 3502 35032180. [cleanup] Remove bit test from 'compress_test' as they 3504 are no longer needed. [RT #16497] 3505 35062179. [func] 'rndc command zone' will now find 'zone' if it is 3507 unique to all the views. [RT #16821] 3508 35092178. [bug] 'rndc reload' of a slave or stub zone resulted in 3510 a reference leak. [RT #16867] 3511 35122177. [bug] Array bounds overrun on read (rcodetext) at 3513 debug level 10+. [RT #16798] 3514 35152176. [contrib] dbus update to handle race condition during 3516 initialization (Bugzilla 235809). [RT #16842] 3517 35182175. [bug] win32: windows broadcast condition variable support 3519 was broken. [RT #16592] 3520 35212174. [bug] I/O errors should always be fatal when reading 3522 master files. [RT #16825] 3523 35242173. [port] win32: When compiling with MSVS 2005 SP1 we also 3525 need to ship Microsoft.VC80.MFCLOC. 3526 3527 --- 9.5.0a4 released --- 3528 35292172. [bug] query_addsoa() was being called with a non zone db. 3530 [RT #16834] 3531 35322171. [bug] Handle breaks in DNSSEC trust chains where the parent 3533 servers are not DS aware (DS queries to the parent 3534 return a referral to the child). 3535 35362170. [func] Add acache processing to test suite. [RT #16711] 3537 35382169. [bug] host, nslookup: when reporting NXDOMAIN report the 3539 given name and not the last name searched for. 3540 [RT #16763] 3541 35422168. [bug] nsupdate: in non-interactive mode treat syntax errors 3543 as fatal errors. [RT #16785] 3544 35452167. [bug] When re-using a automatic zone named failed to 3546 attach it to the new view. [RT #16786] 3547 3548 --- 9.5.0a3 released --- 3549 35502166. [bug] When running in batch mode, dig could misinterpret 3551 a server address as a name to be looked up, causing 3552 unexpected output. [RT #16743] 3553 35542165. [func] Allow the destination address of a query to determine 3555 if we will answer the query or recurse. 3556 allow-query-on, allow-recursion-on and 3557 allow-query-cache-on. [RT #16291] 3558 35592164. [bug] The code to determine how named-checkzone / 3560 named-compilezone was called failed under windows. 3561 [RT #16764] 3562 35632163. [bug] If only one of query-source and query-source-v6 3564 specified a port the query pools code broke (change 3565 2129). [RT #16768] 3566 35672162. [func] Allow "rrset-order fixed" to be disabled at compile 3568 time. [RT #16665] 3569 35702161. [bug] Fix which log messages are emitted for 'rndc flush'. 3571 [RT #16698] 3572 35732160. [bug] libisc wasn't handling NULL ifa_addr pointers returned 3574 from getifaddrs(). [RT #16708] 3575 3576 --- 9.5.0a2 released --- 3577 35782159. [bug] Array bounds overrun in acache processing. [RT #16710] 3579 35802158. [bug] ns_client_isself() failed to initialize key 3581 leading to a REQUIRE failure. [RT #16688] 3582 35832157. [func] dns_db_transfernode() created. [RT #16685] 3584 35852156. [bug] Fix node reference leaks in lookup.c:lookup_find(), 3586 resolver.c:validated() and resolver.c:cache_name(). 3587 Fix a memory leak in rbtdb.c:free_noqname(). 3588 Make lookup.c:lookup_find() robust against 3589 event leaks. [RT #16685] 3590 35912155. [contrib] SQLite sdb module from jaboydjr@netwalk.com. 3592 [RT #16694] 3593 35942154. [func] Scoped (e.g. IPv6 link-local) addresses may now be 3595 matched in acls by omitting the scope. [RT #16599] 3596 35972153. [bug] nsupdate could leak memory. [RT #16691] 3598 35992152. [cleanup] Use sizeof(buf) instead of fixed number in 3600 dighost.c:get_trusted_key(). [RT #16678] 3601 36022151. [bug] Missing newline in usage message for journalprint. 3603 [RT #16679] 3604 36052150. [bug] 'rrset-order cyclic' uniformly distribute the 3606 starting point for the first response for a given 3607 RRset. [RT #16655] 3608 36092149. [bug] isc_mem_checkdestroyed() failed to abort on 3610 if there were still active memory contexts. 3611 [RT #16672] 3612 36132148. [func] Add positive logging for rndc commands. [RT #14623] 3614 36152147. [bug] libbind: remove potential buffer overflow from 3616 hmac_link.c. [RT #16437] 3617 36182146. [cleanup] Silence Linux's spurious "obsolete setsockopt 3619 SO_BSDCOMPAT" message. [RT #16641] 3620 36212145. [bug] Check DS/DLV digest lengths for known digests. 3622 [RT #16622] 3623 36242144. [cleanup] Suppress logging of SERVFAIL from forwarders. 3625 [RT #16619] 3626 36272143. [bug] We failed to restart the IPv6 client when the 3628 kernel failed to return the destination the 3629 packet was sent to. [RT #16613] 3630 36312142. [bug] Handle master files with a modification time that 3632 matches the epoch. [RT# 16612] 3633 36342141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN 3635 equivalent of LDH checks). [RT #16609] 3636 36372140. [bug] libbind: missing unlock on pthread_key_create() 3638 failures. [RT #16654] 3639 36402139. [bug] dns_view_find() was being called with wrong type 3641 in adb.c. [RT #16670] 3642 36432138. [bug] Lock order reversal in resolver.c. [RT #16653] 3644 36452137. [port] Mips little endian and/or mips 64 bit are now 3646 supported for atomic operations. [RT#16648] 3647 36482136. [bug] nslookup/host looped if there was no search list 3649 and the host didn't exist. [RT #16657] 3650 36512135. [bug] Uninitialized rdataset in sdlz.c. [RT# 16656] 3652 36532134. [func] Additional statistics support. [RT #16666] 3654 36552133. [port] powerpc: Support both IBM and MacOS Power PC 3656 assembler syntaxes. [RT #16647] 3657 36582132. [bug] Missing unlock on out of memory in 3659 dns_dispatchmgr_setudp(). 3660 36612131. [contrib] dlz/mysql: AXFR was broken. [RT #16630] 3662 36632130. [func] Log if CD or DO were set. [RT #16640] 3664 36652129. [func] Provide a pool of UDP sockets for queries to be 3666 made over. See use-queryport-pool, queryport-pool-ports 3667 and queryport-pool-updateinterval. [RT #16415] 3668 36692128. [doc] xsltproc --nonet, update DTD versions. [RT #16635] 3670 36712127. [port] Improved OpenSSL 0.9.8 support. [RT #16563] 3672 36732126. [security] Serialize validation of type ANY responses. [RT #16555] 3674 36752125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ 3676 was defined. [RT #16574] 3677 36782124. [security] It was possible to dereference a freed fetch 3679 context. [RT #16584] 3680 3681 --- 9.5.0a1 released --- 3682 36832123. [func] Use Doxygen to generate internal documentation. 3684 [RT #11398] 3685 36862122. [func] Experimental http server and statistics support 3687 for named via xml. 3688 36892121. [func] Add a 10 slot dead masters cache (LRU) with a 600 3690 second timeout. [RT #16553] 3691 36922120. [doc] Fix markup on nsupdate man page. [RT #16556] 3693 36942119. [compat] libbind: allow res_init() to succeed enough to 3695 return the default domain even if it was unable 3696 to allocate memory. 3697 36982118. [bug] Handle response with long chains of domain name 3699 compression pointers which point to other compression 3700 pointers. [RT #16427] 3701 37022117. [bug] DNSSEC fixes: named could fail to cache NSEC records 3703 which could lead to validation failures. named didn't 3704 handle negative DS responses that were in the process 3705 of being validated. Check CNAME bit before accepting 3706 NODATA proof. To be able to ignore a child NSEC there 3707 must be SOA (and NS) set in the bitmap. [RT #16399] 3708 37092116. [bug] 'rndc reload' could cause the cache to continually 3710 be cleaned. [RT #16401] 3711 37122115. [bug] 'rndc reconfig' could trigger a INSIST if the 3713 number of masters for a zone was reduced. [RT #16444] 3714 37152114. [bug] dig/host/nslookup: searches for names with multiple 3716 labels were failing. [RT #16447] 3717 37182113. [bug] nsupdate: if a zone is specified it should be used 3719 for server discover. [RT# 16455] 3720 37212112. [security] Warn if weak RSA exponent is used. [RT #16460] 3722 37232111. [bug] Fix a number of errors reported by Coverity. 3724 [RT #16507] 3725 37262110. [bug] "minimal-responses yes;" interacted badly with BIND 8 3727 priming queries. [RT #16491] 3728 37292109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502] 3730 37312108. [func] DHCID support. [RT #16456] 3732 37332107. [bug] dighost.c: more cleanup of buffers. [RT #16499] 3734 37352106. [func] 'rndc status' now reports named's version. [RT #16426] 3736 37372105. [func] GSS-TSIG support (RFC 3645). 3738 37392104. [port] Fix Solaris SMF error message. 3740 37412103. [port] Add /usr/sfw to list of locations for OpenSSL 3742 under Solaris. 3743 37442102. [port] Silence Solaris 10 warnings. 3745 37462101. [bug] OpenSSL version checks were not quite right. 3747 [RT #16476] 3748 37492100. [port] win32: copy libeay32.dll to Build\Debug. 3750 Copy Debug\named-checkzone to Debug\named-compilezone. 3751 37522099. [port] win32: more manifest issues. 3753 37542098. [bug] Race in rbtdb.c:no_references(), which occasionally 3755 triggered an INSIST failure about the node lock 3756 reference. [RT #16411] 3757 37582097. [bug] named could reference a destroyed memory context 3759 after being reloaded / reconfigured. [RT #16428] 3760 37612096. [bug] libbind: handle applications that fail to detect 3762 res_init() failures better. 3763 37642095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and 3765 net_cidr_ntop_ipv6(). [RT #16388] 3766 37672094. [contrib] Update named-bootconf. [RT# 16404] 3768 37692093. [bug] named-checkzone -s was broken. 3770 37712092. [bug] win32: dig, host, nslookup. Use registry config 3772 if resolv.conf does not exist or no nameservers 3773 listed. [RT #15877] 3774 37752091. [port] dighost.c: race condition on cleanup. [RT #16417] 3776 37772090. [port] win32: Visual C++ 2005 command line manifest support. 3778 [RT #16417] 3779 37802089. [security] Raise the minimum safe OpenSSL versions to 3781 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions 3782 prior to these have known security flaws which 3783 are (potentially) exploitable in named. [RT #16391] 3784 37852088. [security] Change the default RSA exponent from 3 to 65537. 3786 [RT #16391] 3787 37882087. [port] libisc failed to compile on OS's w/o a vsnprintf. 3789 [RT #16382] 3790 37912086. [port] libbind: FreeBSD now has get*by*_r() functions. 3792 [RT #16403] 3793 37942085. [doc] win32: added index.html and README to zip. [RT #16201] 3795 37962084. [contrib] dbus update for 9.3.3rc2. 3797 37982083. [port] win32: Visual C++ 2005 support. 3799 38002082. [doc] Document 'cache-file' as a test only option. 3801 38022081. [port] libbind: minor 64-bit portability fix in memcluster.c. 3803 [RT #16360] 3804 38052080. [port] libbind: res_init.c did not compile on older versions 3806 of Solaris. [RT #16363] 3807 38082079. [bug] The lame cache was not handling multiple types 3809 correctly. [RT #16361] 3810 38112078. [bug] dnssec-checkzone output style "default" was badly 3812 named. It is now called "relative". [RT #16326] 3813 38142077. [bug] 'dnssec-signzone -O raw' wasn't outputting the 3815 complete signed zone. [RT #16326] 3816 38172076. [bug] Several files were missing #include <config.h> 3818 causing build failures on OSF. [RT #16341] 3819 38202075. [bug] The spillat timer event hander could leak memory. 3821 [RT #16357] 3822 38232074. [bug] dns_request_createvia2(), dns_request_createvia3(), 3824 dns_request_createraw2() and dns_request_createraw3() 3825 failed to send multiple UDP requests. [RT #16349] 3826 38272073. [bug] Incorrect semantics check for update policy "wildcard". 3828 [RT #16353] 3829 38302072. [bug] We were not generating valid HMAC SHA digests. 3831 [RT #16320] 3832 38332071. [port] Test whether gcc accepts -fno-strict-aliasing. 3834 [RT #16324] 3835 38362070. [bug] The remote address was not always displayed when 3837 reporting dispatch failures. [RT #16315] 3838 38392069. [bug] Cross compiling was not working. [RT #16330] 3840 38412068. [cleanup] Lower incremental tuning message to debug 1. 3842 [RT #16319] 3843 38442067. [bug] 'rndc' could close the socket too early triggering 3845 a INSIST under Windows. [RT #16317] 3846 38472066. [security] Handle SIG queries gracefully. [RT #16300] 3848 38492065. [bug] libbind: probe for HPUX prototypes for 3850 endprotoent_r() and endservent_r(). [RT 16313] 3851 38522064. [bug] libbind: silence AIX compiler warnings. [RT #16218] 3853 38542063. [bug] Change #1955 introduced a bug which caused the first 3855 'rndc flush' call to not free memory. [RT #16244] 3856 38572062. [bug] 'dig +nssearch' was reusing a buffer before it had 3858 been returned by the socket code. [RT #16307] 3859 38602061. [bug] Accept expired wildcard message reversed. [RT #16296] 3861 38622060. [bug] Enabling DLZ support could leave views partially 3863 configured. [RT #16295] 3864 38652059. [bug] Search into cache rbtdb could trigger an INSIST 3866 failure while cleaning up a stale rdataset. 3867 [RT #16292] 3868 38692058. [bug] Adjust how we calculate rtt estimates in the presence 3870 of authoritative servers that drop EDNS and/or CD 3871 requests. Also fallback to EDNS/512 and plain DNS 3872 faster for zones with less than 3 servers. [RT #16187] 3873 38742057. [bug] Make setting "ra" dependent on both allow-query-cache 3875 and allow-recursion. [RT #16290] 3876 38772056. [bug] dig: ixfr= was not being treated case insensitively 3878 at all times. [RT #15955] 3879 38802055. [bug] Missing goto after dropping multicast query. 3881 [RT #15944] 3882 38832054. [port] freebsd: do not explicitly link against -lpthread. 3884 [RT #16170] 3885 38862053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] 3887 38882052. [bug] 'rndc' improve connect failed message to report 3889 the failing address. [RT #15978] 3890 38912051. [port] More strtol() fixes. [RT #16249] 3892 38932050. [bug] Parsing of NSAP records was not case insensitive. 3894 [RT #16287] 3895 38962049. [bug] Restore SOA before AXFR when falling back from 3897 a attempted IXFR when transferring in a zone. 3898 Allow a initial SOA query before attempting 3899 a AXFR to be requested. [RT #16156] 3900 39012048. [bug] It was possible to loop forever when using 3902 avoid-v4-udp-ports / avoid-v6-udp-ports when 3903 the OS always returned the same local port. 3904 [RT #16182] 3905 39062047. [bug] Failed to initialize the interface flags to zero. 3907 [RT #16245] 3908 39092046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate 3910 cleanup [RT #16247]. 3911 39122045. [func] Use lock buckets for acache entries to limit memory 3913 consumption. [RT #16183] 3914 39152044. [port] Add support for atomic operations for Itanium. 3916 [RT #16179] 3917 39182043. [port] nsupdate/nslookup: Force the flushing of the prompt 3919 for interactive sessions. [RT#16148] 3920 39212042. [bug] named-checkconf was incorrectly rejecting the 3922 logging category "config". [RT #16117] 3923 39242041. [bug] "configure --with-dlz-bdb=yes" produced a bad 3925 set of libraries to be linked. [RT #16129] 3926 39272040. [bug] rbtdb no_references() could trigger an INSIST 3928 failure with --enable-atomic. [RT #16022] 3929 39302039. [func] Check that all buffers passed to the socket code 3931 have been retrieved when the socket event is freed. 3932 [RT #16122] 3933 39342038. [bug] dig/nslookup/host was unlinking from wrong list 3935 when handling errors. [RT #16122] 3936 39372037. [func] When unlinking the first or last element in a list 3938 check that the list head points to the element to 3939 be unlinked. [RT #15959] 3940 39412036. [bug] 'rndc recursing' could cause trigger a REQUIRE. 3942 [RT #16075] 3943 39442035. [func] Make falling back to TCP on UDP refresh failure 3945 optional. Default "try-tcp-refresh yes;" for BIND 8 3946 compatibility. [RT #16123] 3947 39482034. [bug] gcc: set -fno-strict-aliasing. [RT #16124] 3949 39502033. [bug] We weren't creating multiple client memory contexts 3951 on demand as expected. [RT #16095] 3952 39532032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074] 3954 39552031. [bug] Emit a error message when "rndc refresh" is called on 3956 a non slave/stub zone. [RT # 16073] 3957 39582030. [bug] We were being overly conservative when disabling 3959 openssl engine support. [RT #16030] 3960 39612029. [bug] host printed out the server multiple times when 3962 specified on the command line. [RT #15992] 3963 39642028. [port] linux: socket.c compatibility for old systems. 3965 [RT #16015] 3966 39672027. [port] libbind: Solaris x86 support. [RT #16020] 3968 39692026. [bug] Rate limit the two recursive client exceeded messages. 3970 [RT #16044] 3971 39722025. [func] Update "zone serial unchanged" message. [RT #16026] 3973 39742024. [bug] named emitted spurious "zone serial unchanged" 3975 messages on reload. [RT #16027] 3976 39772023. [bug] "make install" should create ${localstatedir}/run and 3978 ${sysconfdir} if they do not exist. [RT #16033] 3979 39802022. [bug] If dnssec validation is disabled only assert CD if 3981 CD was requested. [RT #16037] 3982 39832021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037] 3984 39852020. [bug] rdataset_setadditional() could leak memory. [RT #16034] 3986 39872019. [tuning] Reduce the amount of work performed per quantum 3988 when cleaning the cache. [RT #15986] 3989 39902018. [bug] Checking if the HMAC MD5 private file was broken. 3991 [RT #15960] 3992 39932017. [bug] allow-query default was not correct. [RT #15946] 3994 39952016. [bug] Return a partial answer if recursion is not 3996 allowed but requested and we had the answer 3997 to the original qname. [RT #15945] 3998 39992015. [cleanup] use-additional-cache is now acache-enable for 4000 consistency. Default acache-enable off in BIND 9.4 4001 as it requires memory usage to be configured. 4002 It may be enabled by default in BIND 9.5 once we 4003 have more experience with it. 4004 40052014. [func] Statistics about acache now recorded and sent 4006 to log. [RT #15976] 4007 40082013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR 4009 responses more gracefully. [RT #15941] 4010 40112012. [func] Don't insert new acache entries if acache is full. 4012 [RT #15970] 4013 40142011. [func] dnssec-signzone can now update the SOA record of 4015 the signed zone, either as an increment or as the 4016 system time(). [RT #15633] 4017 40182010. [placeholder] rt15958 4019 40202009. [bug] libbind: Coverity fixes. [RT #15808] 4021 40222008. [func] It is now possible to enable/disable DNSSEC 4023 validation from rndc. This is useful for the 4024 mobile hosts where the current connection point 4025 breaks DNSSEC (firewall/proxy). [RT #15592] 4026 4027 rndc validation newstate [view] 4028 40292007. [func] It is now possible to explicitly enable DNSSEC 4030 validation. default dnssec-validation no; to 4031 be changed to yes in 9.5.0. [RT #15674] 4032 40332006. [security] Allow-query-cache and allow-recursion now default 4034 to the built in acls "localnets" and "localhost". 4035 4036 This is being done to make caching servers less 4037 attractive as reflective amplifying targets for 4038 spoofed traffic. This still leave authoritative 4039 servers exposed. 4040 4041 The best fix is for full BCP 38 deployment to 4042 remove spoofed traffic. 4043 40442005. [bug] libbind: Retransmission timeouts should be 4045 based on which attempt it is to the nameserver 4046 and not the nameserver itself. [RT #13548] 4047 40482004. [bug] dns_tsig_sign() could pass a NULL pointer to 4049 dst_context_destroy() when cleaning up after a 4050 error. [RT #15835] 4051 40522003. [bug] libbind: The DNS name/address lookup functions could 4053 occasionally follow a random pointer due to 4054 structures not being completely zeroed. [RT #15806] 4055 40562002. [bug] libbind: tighten the constraints on when 4057 struct addrinfo._ai_pad exists. [RT #15783] 4058 40592001. [func] Check the KSK flag when updating a secure dynamic zone. 4060 New zone option "update-check-ksk yes;". [RT #15817] 4061 40622000. [bug] memmove()/strtol() fix was incomplete. [RT #15812] 4063 40641999. [func] Implement "rrset-order fixed". [RT #13662] 4065 40661998. [bug] Restrict handling of fifos as sockets to just SunOS. 4067 This allows named to connect to entropy gathering 4068 daemons that use fifos instead of sockets. [RT #15840] 4069 40701997. [bug] Named was failing to replace negative cache entries 4071 when a positive one for the type was learnt. 4072 [RT #15818] 4073 40741996. [bug] nsupdate: if a zone has been specified it should 4075 appear in the output of 'show'. [RT #15797] 4076 40771995. [bug] 'host' was reporting multiple "is an alias" messages. 4078 [RT #15702] 4079 40801994. [port] OpenSSL 0.9.8 support. [RT #15694] 4081 40821993. [bug] Log messages, via syslog, were missing the space 4083 after the timestamp if "print-time yes" was specified. 4084 [RT #15844] 4085 40861992. [bug] Not all incoming zone transfer messages included the 4087 view. [RT #15825] 4088 40891991. [cleanup] The configuration data, once read, should be treated 4090 as read only. Expand the use of const to enforce this 4091 at compile time. [RT #15813] 4092 40931990. [bug] libbind: isc's override of broken gettimeofday() 4094 implementations was not always effective. 4095 [RT #15709] 4096 40971989. [bug] win32: don't check the service password when 4098 re-installing. [RT #15882] 4099 41001988. [bug] Remove a bus error from the SHA256/SHA512 support. 4101 [RT #15878] 4102 41031987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] 4104 41051986. [func] Report when a zone is removed. [RT #15849] 4106 41071985. [protocol] DLV has now been assigned a official type code of 4108 32769. [RT #15807] 4109 4110 Note: care should be taken to ensure you upgrade 4111 both named and dnssec-signzone at the same time for 4112 zones with DLV records where named is the master 4113 server for the zone. Also any zones that contain 4114 DLV records should be removed when upgrading a slave 4115 zone. You do not however have to upgrade all 4116 servers for a zone with DLV records simultaneously. 4117 41181984. [func] dig, nslookup and host now advertise a 4096 byte 4119 EDNS UDP buffer size by default. [RT #15855] 4120 41211983. [func] Two new update policies. "selfsub" and "selfwild". 4122 [RT #12895] 4123 41241982. [bug] DNSKEY was being accepted on the parent side of 4125 a delegation. KEY is still accepted there for 4126 RFC 3007 validated updates. [RT #15620] 4127 41281981. [bug] win32: condition.c:wait() could fail to reattain 4129 the mutex lock. 4130 41311980. [func] dnssec-signzone: output the SOA record as the 4132 first record in the signed zone. [RT #15758] 4133 41341979. [port] linux: allow named to drop core after changing 4135 user ids. [RT #15753] 4136 41371978. [port] Handle systems which have a broken recvmsg(). 4138 [RT #15742] 4139 41401977. [bug] Silence noisy log message. [RT #15704] 4141 41421976. [bug] Handle systems with no IPv4 addresses. [RT #15695] 4143 41441975. [bug] libbind: isc_gethexstring() could misparse multi-line 4145 hex strings with comments. [RT #15814] 4146 41471974. [doc] List each of the zone types and associated zone 4148 options separately in the ARM. 4149 41501973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and 4151 HMACSHA512 support. [RT #13606] 4152 41531972. [contrib] DBUS dynamic forwarders integration from 4154 Jason Vas Dias <jvdias@redhat.com>. 4155 41561971. [port] linux: make detection of missing IF_NAMESIZE more 4157 robust. [RT #15443] 4158 41591970. [bug] nsupdate: adjust UDP timeout when falling back to 4160 unsigned SOA query. [RT #15775] 4161 41621969. [bug] win32: the socket code was freeing the socket 4163 structure too early. [RT #15776] 4164 41651968. [bug] Missing lock in resolver.c:validated(). [RT #15739] 4166 41671967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779] 4168 41691966. [bug] Don't set CD when we have fallen back to plain DNS. 4170 [RT #15727] 4171 41721965. [func] Suppress spurious "recursion requested but not 4173 available" warning with 'dig +qr'. [RT #15780]. 4174 41751964. [func] Separate out MX and SRV to CNAME checks. [RT #15723] 4176 41771963. [port] Tru64 4.0E doesn't support send() and recv(). 4178 [RT #15586] 4179 41801962. [bug] Named failed to clear old update-policy when it 4181 was removed. [RT #15491] 4182 41831961. [bug] Check the port and address of responses forwarded 4184 to dispatch. [RT #15474] 4185 41861960. [bug] Update code should set NSEC ttls from SOA MINIMUM. 4187 [RT #15465] 4188 41891959. [func] Control the zeroing of the negative response TTL to 4190 a soa query. Defaults "zero-no-soa-ttl yes;" and 4191 "zero-no-soa-ttl-cache no;". [RT #15460] 4192 41931958. [bug] Named failed to update the zone's secure state 4194 until the zone was reloaded. [RT #15412] 4195 41961957. [bug] Dig mishandled responses to class ANY queries. 4197 [RT #15402] 4198 41991956. [bug] Improve cross compile support, 'gen' is now built 4200 by native compiler. See README for additional 4201 cross compile support information. [RT #15148] 4202 42031955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998] 4204 42051954. [func] Named now falls back to advertising EDNS with a 4206 512 byte receive buffer if the initial EDNS queries 4207 fail. [RT #14852] 4208 42091953. [func] The maximum EDNS UDP response named will send can 4210 now be set in named.conf (max-udp-size). This is 4211 independent of the advertised receive buffer 4212 (edns-udp-size). [RT #14852] 4213 42141952. [port] hpux: tell the linker to build a runtime link 4215 path "-Wl,+b:". [RT #14816]. 4216 42171951. [security] Drop queries from particular well known ports. 4218 Don't return FORMERR to queries from particular 4219 well known ports. [RT #15636] 4220 42211950. [port] Solaris 2.5.1 and earlier cannot bind() then connect() 4222 a TCP socket. This prevents the source address being 4223 set for TCP connections. [RT #15628] 4224 42251949. [func] Addition memory leakage checks. [RT #15544] 4226 42271948. [bug] If was possible to trigger a REQUIRE failure in 4228 xfrin.c:maybe_free() if named ran out of memory. 4229 [RT #15568] 4230 42311947. [func] It is now possible to configure named to accept 4232 expired RRSIGs. Default "dnssec-accept-expired no;". 4233 Setting "dnssec-accept-expired yes;" leaves named 4234 vulnerable to replay attacks. [RT #14685] 4235 42361946. [bug] resume_dslookup() could trigger a REQUIRE failure 4237 when using forwarders. [RT #15549] 4238 42391945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended. 4240 To generate a RSAMD5 key you must explicitly request 4241 RSAMD5. [RT #13780] 4242 42431944. [cleanup] isc_hash_create() does not need a read/write lock. 4244 [RT #15522] 4245 42461943. [bug] Set the loadtime after rolling forward the journal. 4247 [RT #15647] 4248 42491942. [bug] If the name of a DNSKEY match that of one in 4250 trusted-keys do not attempt to validate the DNSKEY 4251 using the parents DS RRset. [RT #15649] 4252 42531941. [bug] ncache_adderesult() should set eresult even if no 4254 rdataset is passed to it. [RT #15642] 4255 42561940. [bug] Fixed a number of error conditions reported by 4257 Coverity. 4258 42591939. [bug] The resolver could dereference a null pointer after 4260 validation if all the queries have timed out. 4261 [RT #15528] 4262 42631938. [bug] The validator was not correctly handling unsecure 4264 negative responses at or below a SEP. [RT #15528] 4265 42661937. [bug] sdlz doesn't handle RRSIG records. [RT #15564] 4267 42681936. [bug] The validator could leak memory. [RT #15544] 4269 42701935. [bug] 'acache' was DO sensitive. [RT #15430] 4271 42721934. [func] Validate pending NS RRsets, in the authority section, 4273 prior to returning them if it can be done without 4274 requiring DNSKEYs to be fetched. [RT #15430] 4275 42761933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534] 4277 42781932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530] 4279 42801931. [bug] Per-client mctx could require a huge amount of memory, 4281 particularly for a busy caching server. [RT #15519] 4282 42831930. [port] HPUX: ia64 support. [RT #15473] 4284 42851929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM. 4286 42871928. [bug] Race in rbtdb.c:currentversion(). [RT #15517] 4288 42891927. [bug] Access to soanode or nsnode in rbtdb violated the 4290 lock order rule and could cause a dead lock. 4291 [RT# 15518] 4292 42931926. [bug] The Windows installer did not check for empty 4294 passwords. BINDinstall was being installed in 4295 the wrong place. [RT #15483] 4296 42971925. [port] All outer level AC_TRY_RUNs need cross compiling 4298 defaults. [RT #15469] 4299 43001924. [port] libbind: hpux ia64 support. [RT #15473] 4301 43021923. [bug] ns_client_detach() called too early. [RT #15499] 4303 43041922. [bug] check-tool.c:setup_logging() missing call to 4305 dns_log_setcontext(). 4306 43071921. [bug] Client memory contexts were not using internal 4308 malloc. [RT# 15434] 4309 43101920. [bug] The cache rbtdb lock array was too small to 4311 have the desired performance characteristics. 4312 [RT #15454] 4313 43141919. [contrib] queryperf: a set of new features: collecting/printing 4315 response delays, printing intermediate results, and 4316 adjusting query rate for the "target" qps. 4317 43181918. [bug] Memory leak when checking acls. [RT #15391] 4319 43201917. [doc] funcsynopsisinfo wasn't being treated as verbatim 4321 when generating man pages. [RT #15385] 4322 43231916. [func] Integrate contributed IDN code from JPNIC. [RT #15383] 4324 43251915. [bug] dig +ndots was broken. [RT #15215] 4326 43271914. [protocol] DS is required to accept mnemonic algorithms 4328 (RFC 4034). Still emit numeric algorithms for 4329 compatibility with RFC 3658. [RT #15354] 4330 43311913. [func] Integrate contributed DLZ code into named. [RT #11382] 4332 43331912. [port] aix: atomic locking for powerpc. [RT #15020] 4334 43351911. [bug] Update windows socket code. [RT #14965] 4336 43371910. [bug] dig's +sigchase code overhauled. [RT #14933] 4338 43391909. [bug] The DLV code has been re-worked to make no longer 4340 query order sensitive. [RT #14933] 4341 43421908. [func] dig now warns if 'RA' is not set in the answer when 4343 'RD' was set in the query. host/nslookup skip servers 4344 that fail to set 'RA' when 'RD' is set unless a server 4345 is explicitly set. [RT #15005] 4346 43471907. [func] host/nslookup now continue (default)/fail on SERVFAIL. 4348 [RT #15006] 4349 43501906. [func] dig now has a '-q queryname' and '+showsearch' options. 4351 [RT #15034] 4352 43531905. [bug] Strings returned from cfg_obj_asstring() should be 4354 treated as read-only. The prototype for 4355 cfg_obj_asstring() has been updated to reflect this. 4356 [RT #15256] 4357 43581904. [func] Automatic empty zone creation for D.F.IP6.ARPA and 4359 friends. Note: RFC 1918 zones are not yet covered by 4360 this but are likely to be in a future release. 4361 4362 New options: empty-server, empty-contact, 4363 empty-zones-enable and disable-empty-zone. 4364 43651903. [func] ISC string copy API. 4366 43671902. [func] Attempt to make the amount of work performed in a 4368 iteration self tuning. The covers nodes clean from 4369 the cache per iteration, nodes written to disk when 4370 rewriting a master file and nodes destroyed per 4371 iteration when destroying a zone or a cache. 4372 [RT #14996] 4373 43741901. [cleanup] Don't add DNSKEY records to the additional section. 4375 43761900. [bug] ixfr-from-differences failed to ensure that the 4377 serial number increased. [RT #15036] 4378 43791899. [func] named-checkconf now validates update-policy entries. 4380 [RT #14963] 4381 43821898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and 4383 ISC_NETADDR_FORMATSIZE to allow for scope details. 4384 43851897. [func] x86 and x86_64 now have separate atomic locking 4386 implementations. 4387 43881896. [bug] Recursive clients soft quota support wasn't working 4389 as expected. [RT #15103] 4390 43911895. [bug] A escaped character is, potentially, converted to 4392 the output character set too early. [RT #14666] 4393 43941894. [doc] Review ARM for BIND 9.4. 4395 43961893. [port] Use uintptr_t if available. [RT #14606] 4397 43981892. [func] Support for SPF rdata type. [RT #15033] 4399 44001891. [port] freebsd: pthread_mutex_init can fail if it runs out 4401 of memory. [RT #14995] 4402 44031890. [func] Raise the UDP receive buffer size to 32k if it is 4404 less than 32k. [RT #14953] 4405 44061889. [port] sunos: non blocking i/o support. [RT #14951] 4407 44081888. [func] Support for IPSECKEY rdata type. [RT #14967] 4409 44101887. [bug] The cache could delete expired records too fast for 4411 clients with a virtual time in the past. [RT #14991] 4412 44131886. [bug] fctx_create() could return success even though it 4414 failed. [RT #14993] 4415 44161885. [func] dig: report the number of extra bytes still left in 4417 the packet after processing all the records. 4418 44191884. [cleanup] dighost.c: move external declarations into <dig/dig.h>. 4420 44211883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug 4422 levels. [RT #14962] 4423 44241882. [func] Limit the number of recursive clients that can be 4425 waiting for a single query (<qname,qtype,qclass>) to 4426 resolve. New options clients-per-query and 4427 max-clients-per-query. 4428 44291881. [func] Add a system test for named-checkconf. [RT #14931] 4430 44311880. [func] The lame cache is now done on a <qname,qclass,qtype> 4432 basis as some servers only appear to be lame for 4433 certain query types. [RT #14916] 4434 44351879. [func] "USE INTERNAL MALLOC" is now runtime selectable. 4436 [RT #14892] 4437 44381878. [func] Detect duplicates of UDP queries we are recursing on 4439 and drop them. New stats category "duplicate". 4440 [RT #2471] 4441 44421877. [bug] Fix unreasonably low quantum on call to 4443 dns_rbt_destroy2(). Remove unnecessary unhash_node() 4444 call. [RT #14919] 4445 44461876. [func] Additional memory debugging support to track size 4447 and mctx arguments. [RT #14814] 4448 44491875. [bug] process_dhtkey() was using the wrong memory context 4450 to free some memory. [RT #14890] 4451 44521874. [port] sunos: portability fixes. [RT #14814] 4453 44541873. [port] win32: isc__errno2result() now reports its caller. 4455 [RT #13753] 4456 44571872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753] 4458 44591871. [placeholder] 4460 44611870. [func] Added framework for handling multiple EDNS versions. 4462 [RT #14873] 4463 44641869. [func] dig can now specify the EDNS version when making 4465 a query. [RT #14873] 4466 44671868. [func] edns-udp-size can now be overridden on a per 4468 server basis. [RT #14851] 4469 44701867. [bug] It was possible to trigger a INSIST in 4471 dlv_validatezonekey(). [RT #14846] 4472 44731866. [bug] resolv.conf parse errors were being ignored by 4474 dig/host/nslookup. [RT #14841] 4475 44761865. [bug] Silently ignore nameservers in /etc/resolv.conf with 4477 bad addresses. [RT #14841] 4478 44791864. [bug] Don't try the alternative transfer source if you 4480 got a answer / transfer with the main source 4481 address. [RT #14802] 4482 44831863. [bug] rrset-order "fixed" error messages not complete. 4484 44851862. [func] Add additional zone data constancy checks. 4486 named-checkzone has extended checking of NS, MX and 4487 SRV record and the hosts they reference. 4488 named has extended post zone load checks. 4489 New zone options: check-mx and integrity-check. 4490 [RT #4940] 4491 44921861. [bug] dig could trigger a INSIST on certain malformed 4493 responses. [RT #14801] 4494 44951860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was 4496 incorrectly set. [RT #14775] 4497 44981859. [func] Add support for CH A record. [RT #14695] 4499 45001858. [bug] The flush-zones-on-shutdown option wasn't being 4501 parsed. [RT #14686] 4502 45031857. [bug] named could trigger a INSIST() if reconfigured / 4504 reloaded too fast. [RT #14673] 4505 45061856. [doc] Switch Docbook toolchain from DSSSL to XSL. 4507 [RT #11398] 4508 45091855. [bug] ixfr-from-differences was failing to detect changes 4510 of ttl due to dns_diff_subtract() was ignoring the ttl 4511 of records. [RT #14616] 4512 45131854. [bug] lwres also needs to know the print format for 4514 (long long). [RT #13754] 4515 45161853. [bug] Rework how DLV interacts with proveunsecure(). 4517 [RT #13605] 4518 45191852. [cleanup] Remove last vestiges of dnssec-signkey and 4520 dnssec-makekeyset (removed from Makefile years ago). 4521 45221851. [doc] Doxygen comment markup. [RT #11398] 4523 45241850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591] 4525 45261849. [doc] All forms of the man pages (docbook, man, html) should 4527 have consistent copyright dates. 4528 45291848. [bug] Improve SMF integration. [RT #13238] 4530 45311847. [bug] isc_ondestroy_init() is called too late in 4532 dns_rbtdb_create()/dns_rbtdb64_create(). 4533 [RT #13661] 4534 45351846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer 4536 <bortzmeyer@nic.fr>. 4537 45381845. [bug] Improve error reporting to distinguish between 4539 accept()/fcntl() and socket()/fcntl() errors. 4540 [RT #13745] 4541 45421844. [bug] inet_pton() accepted more that 4 hexadecimal digits 4543 for each 16 bit piece of the IPv6 address. The text 4544 representation of a IPv6 address has been tightened 4545 to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt). 4546 [RT #5662] 4547 45481843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps 4549 when CFLAGS contains "-I /usr/local/include" 4550 resulting in old header files being used. 4551 45521842. [port] cmsg_len() could produce incorrect results on 4553 some platform. [RT #13744] 4554 45551841. [bug] "dig +nssearch" now makes a recursive query to 4556 find the list of nameservers to query. [RT #13694] 4557 45581840. [func] dnssec-signzone can now randomize signature end times 4559 (dnssec-signzone -j jitter). [RT #13609] 4560 45611839. [bug] <isc/hash.h> was not being installed. 4562 45631838. [cleanup] Don't allow Linux capabilities to be inherited. 4564 [RT #13707] 4565 45661837. [bug] Compile time option ISC_FACILITY was not effective 4567 for 'named -u <user>'. [RT #13714] 4568 45691836. [cleanup] Silence compiler warnings in hash_test.c. 4570 45711835. [bug] Update dnssec-signzone's usage message. [RT #13657] 4572 45731834. [bug] Bad memset in rdata_test.c. [RT #13658] 4574 45751833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660] 4576 45771832. [bug] named fails to return BADKEY on unknown TSIG algorithm. 4578 [RT #13620] 4579 45801831. [doc] Update named-checkzone documentation. [RT#13604] 4581 45821830. [bug] adb lame cache has sence of test reversed. [RT #13600] 4583 45841829. [bug] win32: "pid-file none;" broken. [RT #13563] 4585 45861828. [bug] isc_rwlock_init() failed to properly cleanup if it 4587 encountered a error. [RT #13549] 4588 45891827. [bug] host: update usage message for '-a'. [RT #37116] 4590 45911826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out 4592 of memory error. [RT #13537] 4593 45941825. [bug] Missing UNLOCK() on out of memory error from in 4595 rbtdb.c:subtractrdataset(). [RT #13519] 4596 45971824. [bug] Memory leak on dns_zone_setdbtype() failure. 4598 [RT #13510] 4599 46001823. [bug] Wrong macro used to check for point to point interface. 4601 [RT#13418] 4602 46031822. [bug] check-names test for RT was reversed. [RT #13382] 4604 46051821. [placeholder] 4606 46071820. [bug] Gracefully handle acl loops. [RT #13659] 4608 46091819. [bug] The validator needed to check both the algorithm and 4610 digest types of the DS to determine if it could be 4611 used to introduce a secure zone. [RT #13593] 4612 46131818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] 4614 46151817. [func] Add support for additional zone file formats for 4616 improving loading performance. The masterfile-format 4617 option in named.conf can be used to specify a 4618 non-default format. A separate command 4619 named-compilezone was provided to generate zone files 4620 in the new format. Additionally, the -I and -O options 4621 for dnssec-signzone specify the input and output 4622 formats. 4623 46241816. [port] UnixWare: failed to compile lib/isc/unix/net.c. 4625 [RT #13597] 4626 46271815. [bug] nsupdate triggered a REQUIRE if the server was set 4628 without also setting the zone and it encountered 4629 a CNAME and was using TSIG. [RT #13086] 4630 46311814. [func] UNIX domain controls are now supported. 4632 46331813. [func] Restructured the data locking framework using 4634 architecture dependent atomic operations (when 4635 available), improving response performance on 4636 multi-processor machines significantly. 4637 x86, x86_64, alpha, powerpc, and mips are currently 4638 supported. 4639 46401812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect. 4641 [RT #13453] 4642 46431811. [func] Preserve the case of domain names in rdata during 4644 zone transfers. [RT #13547] 4645 46461810. [bug] configure, lib/bind/configure make different default 4647 decisions about whether to do a threaded build. 4648 [RT #13212] 4649 46501809. [bug] "make distclean" failed for libbind if the platform 4651 is not supported. 4652 46531808. [bug] zone.c:notify_zone() contained a race condition, 4654 zone->db could change underneath it. [RT #13511] 4655 46561807. [bug] When forwarding (forward only) set the active domain 4657 from the forward zone name. [RT #13526] 4658 46591806. [bug] The resolver returned the wrong result when a CNAME / 4660 DNAME was encountered when fetching glue from a 4661 secure namespace. [RT #13501] 4662 46631805. [bug] Pending status was not being cleared when DLV was 4664 active. [RT #13501] 4665 46661804. [bug] Ensure that if we are queried for glue that it fits 4667 in the additional section or TC is set to tell the 4668 client to retry using TCP. [RT #10114] 4669 46701803. [bug] dnssec-signzone sometimes failed to remove old 4671 RRSIGs. [RT #13483] 4672 46731802. [bug] Handle connection resets better. [RT #11280] 4674 46751801. [func] Report differences between hints and real NS rrset 4676 and associated address records. 4677 46781800. [bug] Changes #1719 allowed a INSIST to be triggered. 4679 [RT #13428] 4680 46811799. [bug] 'rndc flushname' failed to flush negative cache 4682 entries. [RT #13438] 4683 46841798. [func] The server syntax has been extended to support a 4685 range of servers. [RT #11132] 4686 46871797. [func] named-checkconf now check acls to verify that they 4688 only refer to existing acls. [RT #13101] 4689 46901796. [func] "rndc freeze/thaw" now freezes/thaws all zones. 4691 46921795. [bug] "rndc dumpdb" was not fully documented. Minor 4693 formating issues with "rndc dumpdb -all". [RT #13396] 4694 46951794. [func] Named and named-checkzone can now both check for 4696 non-terminal wildcard records. 4697 46981793. [func] Extend adjusting TTL warning messages. [RT #13378] 4699 47001792. [func] New zone option "notify-delay". Specify a minimum 4701 delay between sets of NOTIFY messages. 4702 47031791. [bug] 'host -t a' still printed out AAAA and MX records. 4704 [RT #13230] 4705 47061790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should 4707 allow parallel make to succeed. 4708 47091789. [bug] Prerequisite test for tkey and dnssec could fail 4710 with "configure --with-libtool". 4711 47121788. [bug] libbind9.la/libbind9.so needs to link against 4713 libisccfg.la/libisccfg.so. 4714 47151787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings. 4716 47171786. [port] AIX: libt_api needs to be taught to look for 4718 T_testlist in the main executable (--with-libtool). 4719 [RT #13239] 4720 47211785. [bug] libbind9.la/libbind9.so needs to link against 4722 libisc.la/libisc.so. 4723 47241784. [cleanup] "libtool -allow-undefined" is the default. 4725 Leave hooks in configure to allow it to be set 4726 if needed in the future. 4727 47281783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the 4729 source tree. 4730 47311782. [port] OSX: --with-libtool + --enable-libbind broke on 4732 __evOptMonoTime. [RT #13219] 4733 47341781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810] 4735 47361780. [bug] Update libtool to 1.5.10. 4737 47381779. [port] OSF 5.1: libtool didn't handle -pthread correctly. 4739 47401778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and 4741 IN6ADDR_LOOPBACK_INIT macros. 4742 47431777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and 4744 IN6ADDR_LOOPBACK_INIT macros. 4745 47461776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and 4747 IN6ADDR_LOOPBACK_INIT macros. 4748 47491775. [bug] Only compile getnetent_r.c when threaded. [RT #13205] 4750 47511774. [port] Aix: Silence compiler warnings / build failures. 4752 [RT #13154] 4753 47541773. [bug] Fast retry on host / net unreachable. [RT #13153] 4755 47561772. [placeholder] 4757 47581771. [placeholder] 4759 47601770. [bug] named-checkconf failed to report missing a missing 4761 file clause for rbt{64} master/hint zones. [RT#13009] 4762 47631769. [port] win32: change compiler flags /MTd ==> /MDd, 4764 /MT ==> /MD. 4765 47661768. [bug] nsecnoexistnodata() could be called with a non-NSEC 4767 rdataset. [RT #12907] 4768 47691767. [port] Builds on IPv6 platforms without IPv6 Advanced API 4770 support for (struct in6_pktinfo) failed. [RT #13077] 4771 47721766. [bug] Update the master file timestamp on successful refresh 4773 as well as the journal's timestamp. [RT# 13062] 4774 47751765. [bug] configure --with-openssl=auto failed. [RT #12937] 4776 47771764. [bug] dns_zone_replacedb failed to emit a error message 4778 if there was no SOA record in the replacement db. 4779 [RT #13016] 4780 47811763. [func] Perform sanity checks on NS records which refer to 4782 'in zone' names. [RT #13002] 4783 47841762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS 4785 even when it failed. [RT #12995] 4786 47871761. [bug] 'rndc dumpdb' didn't report unassociated entries. 4788 [RT #12971] 4789 47901760. [bug] Host / net unreachable was not penalising rtt 4791 estimates. [RT #12970] 4792 47931759. [bug] Named failed to startup if the OS supported IPv6 4794 but had no IPv6 interfaces configured. [RT #12942] 4795 47961758. [func] Don't send notify messages to self. [RT #12933] 4797 47981757. [func] host now can turn on memory debugging flags with '-m'. 4799 48001756. [func] named-checkconf now checks the logging configuration. 4801 [RT #12352] 4802 48031755. [func] allow-update is now settable at the options / view 4804 level. [RT #6636] 4805 48061754. [bug] We weren't always attempting to query the parent 4807 server for the DS records at the zone cut. 4808 [RT #12774] 4809 48101753. [bug] Don't serve a slave zone which has no NS records. 4811 [RT #12894] 4812 48131752. [port] Move isc_app_start() to after ns_os_daemonise() 4814 as some fork() implementations unblock the signals 4815 that are blocked by isc_app_start(). [RT #12810] 4816 48171751. [bug] --enable-getifaddrs failed under linux. [RT #12867] 4818 48191750. [port] lib/bind/make/rules.in:subdirs was not bash friendly. 4820 [RT #12864] 4821 48221749. [bug] 'check-names response ignore;' failed to ignore. 4823 [RT #12866] 4824 48251748. [func] dig now returns the byte count for axfr/ixfr. 4826 48271747. [bug] BIND 8 compatibility: named/named-checkconf failed 4828 to parse "host-statistics-max" in named.conf. 4829 48301746. [func] Make public the function to read a key file, 4831 dst_key_read_public(). [RT #12450] 4832 48331745. [bug] Dig/host/nslookup accept replies from link locals 4834 regardless of scope if no scope was specified when 4835 query was sent. [RT #12745] 4836 48371744. [bug] If tuple2msgname() failed to convert a tuple to 4838 a name a REQUIRE could be triggered. [RT #12796] 4839 48401743. [bug] If isc_taskmgr_create() was not able to create the 4841 requested number of worker threads then destruction 4842 of the manager would trigger an INSIST() failure. 4843 [RT #12790] 4844 48451742. [bug] Deleting all records at a node then adding a 4846 previously existing record, in a single UPDATE 4847 transaction, failed to leave / regenerate the 4848 associated RRSIG records. [RT #12788] 4849 48501741. [bug] Deleting all records at a node in a secure zone 4851 using a update-policy grant failed. [RT #12787] 4852 48531740. [bug] Replace rbt's hash algorithm as it performed badly 4854 with certain zones. [RT #12729] 4855 4856 NOTE: a hash context now needs to be established 4857 via isc_hash_create() if the application was not 4858 already doing this. 4859 48601739. [bug] dns_rbt_deletetree() could incorrectly return 4861 ISC_R_QUOTA. [RT #12695] 4862 48631738. [bug] Enable overrun checking by default. [RT #12695] 4864 48651737. [bug] named failed if more than 16 masters were specified. 4866 [RT #12627] 4867 48681736. [bug] dst_key_fromnamedfile() could fail to read a 4869 public key. [RT #12687] 4870 48711735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. 4872 [RE #12688] 4873 48741734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path. 4875 [RT #12588] 4876 48771733. [bug] Return non-zero exit status on initial load failure. 4878 [RT #12658] 4879 48801732. [bug] 'rrset-order name "*"' wasn't being applied to ".". 4881 [RT #12467] 4882 48831731. [port] darwin: relax version test in ifconfig.sh. 4884 [RT #12581] 4885 48861730. [port] Determine the length type used by the socket API. 4887 [RT #12581] 4888 48891729. [func] Improve check-names error messages. 4890 48911728. [doc] Update check-names documentation. 4892 48931727. [bug] named-checkzone: check-names support didn't match 4894 documentation. 4895 48961726. [port] aix5: add support for aix5. 4897 48981725. [port] linux: update error message on interaction of threads, 4899 capabilities and setuid support (named -u). [RT #12541] 4900 49011724. [bug] Look for DNSKEY records with "dig +sigtrace". 4902 [RT #12557] 4903 49041723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493] 4905 49061722. [bug] Don't commit the journal on malformed ixfr streams. 4907 [RT #12519] 4908 49091721. [bug] Error message from the journal processing were not 4910 always identifying the relevant journal. [RT #12519] 4911 49121720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1 4913 negative response. [RT #12506] 4914 49151719. [bug] named was not correctly caching a RFC 2308 Type 1 4916 negative response. [RT #12506] 4917 49181718. [bug] nsupdate was not handling RFC 2308 Type 3 negative 4919 responses when looking for the zone / master server. 4920 [RT #12506] 4921 49221717. [port] solaris: ifconfig.sh did not support Solaris 10. 4923 "ifconfig.sh down" didn't work for Solaris 9. 4924 49251716. [doc] named.conf(5) was being installed in the wrong 4926 location. [RT# 12441] 4927 49281715. [func] 'dig +trace' now randomly selects the next servers 4929 to try. Report if there is a bad delegation. 4930 49311714. [bug] dig/host/nslookup were only trying the first 4932 address when a nameserver was specified by name. 4933 [RT #12286] 4934 49351713. [port] linux: extend capset failure message to say: 4936 please ensure that the capset kernel module is 4937 loaded. see insmod(8) 4938 49391712. [bug] Missing FULLCHECK for "trusted-key" in dig. 4940 49411711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'. 4942 49431710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY 4944 messages for the specified zone. [RT #9479] 4945 49461709. [port] solaris: add SMF support from Sun. 4947 49481708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() 4949 for conformance to the name space convention. Binary 4950 backward compatibility to the old function name is 4951 provided. [RT #12376] 4952 49531707. [contrib] sdb/ldap updated to version 1.0-beta. 4954 49551706. [bug] 'rndc stop' failed to cause zones to be flushed 4956 sometimes. [RT #12328] 4957 49581705. [func] Allow the journal's name to be changed via named.conf. 4959 49601704. [port] lwres needed a snprintf() implementation for 4961 platforms without snprintf(). Add missing 4962 "#include <isc/print.h>". [RT #12321] 4963 49641703. [bug] named would loop sending NOTIFY messages when it 4965 failed to receive a response. [RT #12322] 4966 49671702. [bug] also-notify should not be applied to built in zones. 4968 [RT #12323] 4969 49701701. [doc] A minimal named.conf man page. 4971 49721700. [func] nslookup is no longer to be treated as deprecated. 4973 Remove "deprecated" warning message. Add man page. 4974 49751699. [bug] dnssec-signzone can generate "not exact" errors 4976 when resigning. [RT #12281] 4977 49781698. [doc] Use reserved IPv6 documentation prefix. 4979 49801697. [bug] xxx-source{,-v6} was not effective when it 4981 specified one of listening addresses and a 4982 different port than the listening port. [RT #12257] 4983 49841696. [bug] dnssec-signzone failed to clean out nodes that 4985 consisted of only NSEC and RRSIG records. 4986 [RT #12154] 4987 49881695. [bug] DS records when forwarding require special handling. 4989 [RT #12133] 4990 49911694. [bug] Report if the builtin views of "_default" / "_bind" 4992 are defined in named.conf. [RT #12023] 4993 49941693. [bug] max-journal-size was not effective for master zones 4995 with ixfr-from-differences set. [RT# 12024] 4996 49971692. [bug] Don't set -I, -L and -R flags when libcrypto is in 4998 /usr/lib. [RT #11971] 4999 50001691. [bug] sdb's attachversion was not complete. [RT #11990] 5001 50021690. [bug] Delay detaching view from the client until UPDATE 5003 processing completes when shutting down. [RT #11714] 5004 50051689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros 5006 contained gratuitous semicolons. [RT #11707] 5007 50081688. [bug] LDFLAGS was not supported. 5009 50101687. [bug] Race condition in dispatch. [RT #10272] 5011 50121686. [bug] Named sent a extraneous NOTIFY when it received a 5013 redundant UPDATE request. [RT #11943] 5014 50151685. [bug] Change #1679 loop tests weren't quite right. 5016 50171684. [func] ixfr-from-differences now takes master and slave in 5018 addition to yes and no at the options and view levels. 5019 50201683. [bug] dig +sigchase could leak memory. [RT #11445] 5021 50221682. [port] Update configure test for (long long) printf format. 5023 [RT #5066] 5024 50251681. [bug] Only set SO_REUSEADDR when a port is specified in 5026 isc_socket_bind(). [RT #11742] 5027 50281680. [func] rndc: the source address can now be specified. 5029 50301679. [bug] When there was a single nameserver with multiple 5031 addresses for a zone not all addresses were tried. 5032 [RT #11706] 5033 50341678. [bug] RRSIG should use TYPEXXXXX for unknown types. 5035 50361677. [bug] dig: +aaonly didn't work, +aaflag undocumented. 5037 50381676. [func] New option "allow-query-cache". This lets 5039 allow-query be used to specify the default zone 5040 access level rather than having to have every 5041 zone override the global value. allow-query-cache 5042 can be set at both the options and view levels. 5043 If allow-query-cache is not set allow-query applies. 5044 50451675. [bug] named would sometimes add extra NSEC records to 5046 the authority section. 5047 50481674. [port] linux: increase buffer size used to scan 5049 /proc/net/if_inet6. 5050 50511673. [port] linux: issue a error messages if IPv6 interface 5052 scans fails. 5053 50541672. [cleanup] Tests which only function in a threaded build 5055 now return R:THREADONLY (rather than R:UNTESTED) 5056 in a non-threaded build. 5057 50581671. [contrib] queryperf: add NAPTR to the list of known types. 5059 50601670. [func] Log UPDATE requests to slave zones without an acl as 5061 "disabled" at debug level 3. [RT# 11657] 5062 50631669. [placeholder] 5064 50651668. [bug] DIG_SIGCHASE was making bin/dig/host dump core. 5066 50671667. [port] linux: not all versions have IF_NAMESIZE. 5068 50691666. [bug] The optional port on hostnames in dual-stack-servers 5070 was being ignored. 5071 50721665. [func] rndc now allows addresses to be set in the 5073 server clauses. 5074 50751664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. 5076 50771663. [func] Look for OpenSSL by default. 5078 50791662. [bug] Change #1658 failed to change one use of 'type' 5080 to 'keytype'. 5081 50821661. [bug] Restore dns_name_concatenate() call in 5083 adb.c:set_target(). [RT #11582] 5084 50851660. [bug] win32: connection_reset_fix() was being called 5086 unconditionally. [RT #11595] 5087 50881659. [cleanup] Cleanup some messages that were referring to KEY vs 5089 DNSKEY, NXT vs NSEC and SIG vs RRSIG. 5090 50911658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 5092 and DH. Tighten which options apply to KEY and 5093 DNSKEY records. 5094 50951657. [doc] ARM: document query log output. 5096 50971656. [doc] Update DNSSEC description in ARM to cover DS, NSEC 5098 DNSKEY and RRSIG. [RT #11542] 5099 51001655. [bug] Logging multiple versions w/o a size was broken. 5101 [RT #11446] 5102 51031654. [bug] isc_result_totext() contained array bounds read 5104 error. 5105 51061653. [func] Add key type checking to dst_key_fromfilename(), 5107 DST_TYPE_KEY should be used to read TSIG, TKEY and 5108 SIG(0) keys. 5109 51101652. [bug] TKEY still uses KEY. 5111 51121651. [bug] dig: process multiple dash options. 5113 51141650. [bug] dig, nslookup: flush standard out after each command. 5115 51161649. [bug] Silence "unexpected non-minimal diff" message. 5117 [RT #11206] 5118 51191648. [func] Update dnssec-lookaside named.conf syntax to support 5120 multiple dnssec-lookaside namespaces (not yet 5121 implemented). 5122 51231647. [bug] It was possible trigger a INSIST when chasing a DS 5124 record that required walking back over a empty node. 5125 [RT #11445] 5126 51271646. [bug] win32: logging file versions didn't work with 5128 non-UNC filenames. [RT#11486] 5129 51301645. [bug] named could trigger a REQUIRE failure if multiple 5131 masters with keys are specified. 5132 51331644. [bug] Update the journal modification time after a 5134 successful refresh query. [RT #11436] 5135 51361643. [bug] dns_db_closeversion() could leak memory / node 5137 references. [RT #11163] 5138 51391642. [port] Support OpenSSL implementations which don't have 5140 DSA support. [RT #11360] 5141 51421641. [bug] Update the check-names description in ARM. [RT #11389] 5143 51441640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was 5145 incorrectly closing the socket. [RT #11291] 5146 51471639. [func] Initial dlv system test. 5148 51491638. [bug] "ixfr-from-differences" could generate a REQUIRE 5150 failure if the journal open failed. [RT #11347] 5151 51521637. [bug] Node reference leak on error in addnoqname(). 5153 51541636. [bug] The dump done callback could get ISC_R_SUCCESS even if 5155 a error had occurred. The database version no longer 5156 matched the version of the database that was dumped. 5157 51581635. [bug] Memory leak on error in query_addds(). 5159 51601634. [bug] named didn't supply a useful error message when it 5161 detected duplicate views. [RT #11208] 5162 51631633. [bug] named should return NOTIMP to update requests to a 5164 slaves without a allow-update-forwarding acl specified. 5165 [RT #11331] 5166 51671632. [bug] nsupdate failed to send prerequisite only UPDATE 5168 messages. [RT #11288] 5169 51701631. [bug] dns_journal_compact() could sometimes corrupt the 5171 journal. [RT #11124] 5172 51731630. [contrib] queryperf: add support for IPv6 transport. 5174 51751629. [func] dig now supports IPv6 scoped addresses with the 5176 extended format in the local-server part. [RT #8753] 5177 51781628. [bug] Typo in Compaq Trucluster support. [RT# 11264] 5179 51801627. [bug] win32: sockets were not being closed when the 5181 last external reference was removed. [RT# 11179] 5182 51831626. [bug] --enable-getifaddrs was broken. [RT#11259] 5184 51851625. [bug] named failed to load/transfer RFC2535 signed zones 5186 which contained CNAMES. [RT# 11237] 5187 51881624. [bug] zonemgr_putio() call should be locked. [RT# 11163] 5189 51901623. [bug] A serial number of zero was being displayed in the 5191 "sending notifies" log message when also-notify was 5192 used. [RT #11177] 5193 51941622. [func] probe the system to see if IPV6_(RECV)PKTINFO is 5195 available, and suppress wildcard binding if not. 5196 51971621. [bug] match-destinations did not work for IPv6 TCP queries. 5198 [RT# 11156] 5199 52001620. [func] When loading a zone report if it is signed. [RT #11149] 5201 52021619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). 5203 [RT# 11118] 5204 52051618. [bug] Fencepost errors in dns_name_ishostname() and 5206 dns_name_ismailbox() could trigger a INSIST(). 5207 52081617. [port] win32: VC++ 6.0 support. 5209 52101616. [compat] Ensure that named's version is visible in the core 5211 dump. [RT #11127] 5212 52131615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if 5214 it is defined. 5215 52161614. [port] win32: silence resource limit messages. [RT# 11101] 5217 52181613. [bug] Builds would fail on machines w/o a if_nametoindex(). 5219 Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. 5220 [RT #11119] 5221 52221612. [bug] check-names at the option/view level could trigger 5223 an INSIST. [RT# 11116] 5224 52251611. [bug] solaris: IPv6 interface scanning failed to cope with 5226 no active IPv6 interfaces. 5227 52281610. [bug] On dual stack machines "dig -b" failed to set the 5229 address type to be looked up with "@server". 5230 [RT #11069] 5231 52321609. [func] dig now has support to chase DNSSEC signature chains. 5233 Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. 5234 5235 DNSSEC validation code in dig coded by Olivier Courtay 5236 (olivier.courtay@irisa.fr) for the IDsA project 5237 (http://idsa.irisa.fr). 5238 52391608. [func] dig and host now accept -4/-6 to select IP transport 5240 to use when making queries. 5241 52421607. [bug] dig, host and nslookup were still using random() 5243 to generate query ids. [RT# 11013] 5244 52451606. [bug] DLV insecurity proof was failing. 5246 52471605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. 5248 52491604. [bug] A xfrout_ctx_create() failure would result in 5250 xfrout_ctx_destroy() being called with a 5251 partially initialized structure. 5252 52531603. [bug] nsupdate: set interactive based on isatty(). 5254 [RT# 10929] 5255 52561602. [bug] Logging to a file failed unless a size was specified. 5257 [RT# 10925] 5258 52591601. [bug] Silence spurious warning 'both "recursion no;" and 5260 "allow-recursion" active' warning from view "_bind". 5261 [RT# 10920] 5262 52631600. [bug] Duplicate zone pre-load checks were not case 5264 insensitive. 5265 52661599. [bug] Fix memory leak on error path when checking named.conf. 5267 52681598. [func] Specify that certain parts of the namespace must 5269 be secure (dnssec-must-be-secure). 5270 52711597. [func] Allow notify-source and query-source to be specified 5272 on a per server basis similar to transfer-source. 5273 [RT #6496] 5274 52751596. [func] Accept 'notify-source' style syntax for query-source. 5276 52771595. [func] New notify type 'master-only'. Enable notify for 5278 master zones only. 5279 52801594. [bug] 'rndc dumpdb' could prevent named from answering 5281 queries while the dump was in progress. [RT #10565] 5282 52831593. [bug] rndc should return "unknown command" to unknown 5284 commands. [RT# 10642] 5285 52861592. [bug] configure_view() could leak a dispatch. [RT# 10675] 5287 52881591. [bug] libbind: updated to BIND 8.4.5. 5289 52901590. [port] netbsd: update thread support. 5291 52921589. [func] DNSSEC lookaside validation. 5293 52941588. [bug] win32: TCP sockets could become blocked. [RT #10115] 5295 52961587. [bug] dns_message_settsigkey() failed to clear existing key. 5297 [RT #10590] 5298 52991586. [func] "check-names" is now implemented. 5300 53011585. [placeholder] 5302 53031584. [bug] "make test" failed with a read only source tree. 5304 [RT #10461] 5305 53061583. [bug] Records add via UPDATE failed to get the correct trust 5307 level. [RT #10452] 5308 53091582. [bug] rrset-order failed to work on RRsets with more 5310 than 32 elements. [RT #10381] 5311 53121581. [func] Disable DNSSEC support by default. To enable 5313 DNSSEC specify "dnssec-enable yes;" in named.conf. 5314 53151580. [bug] Zone destruction on final detach takes a long time. 5316 [RT #3746] 5317 53181579. [bug] Multiple task managers could not be created. 5319 53201578. [bug] Don't use CLASS E IPv4 addresses when resolving. 5321 [RT #10346] 5322 53231577. [bug] Use isc_uint32_t in ultrasparc optimizer bug 5324 workaround code. [RT #10331] 5325 53261576. [bug] Race condition in dns_dispatch_addresponse(). 5327 [RT# 10272] 5328 53291575. [func] Log TSIG name on TSIG verify failure. [RT #4404] 5330 53311574. [bug] Don't attempt to open the controls socket(s) when 5332 running tests. [RT #9091] 5333 53341573. [port] linux: update to libtool 1.5.2 so that 5335 "make install DESTDIR=/xx" works with 5336 "configure --with-libtool". [RT #9941] 5337 53381572. [bug] nsupdate: sign the soa query to find the enclosing 5339 zone if the server is specified. [RT #10148] 5340 53411571. [bug] rbt:hash_node() could fail leaving the hash table 5342 in an inconsistent state. [RT #10208] 5343 53441570. [bug] nsupdate failed to handle classes other than IN. 5345 New keyword 'class' which sets the default class. 5346 [RT #10202] 5347 53481569. [func] nsupdate new command 'answer' which displays the 5349 complete answer message to the last update. 5350 53511568. [bug] nsupdate now reports that the update failed in 5352 interactive mode. [RT# 10236] 5353 53541567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201. 5355 53561566. [port] Support for the cmsg framework on Solaris and HP/UX. 5357 This also solved the problem that match-destinations 5358 for IPv6 addresses did not work on these systems. 5359 [RT #10221] 5360 53611565. [bug] CD flag should be copied to outgoing queries unless 5362 the query is under a secure entry point in which case 5363 CD should be set. 5364 53651564. [func] Attempt to provide a fallback entropy source to be 5366 used if named is running chrooted and named is unable 5367 to open entropy source within the chroot area. 5368 [RT #10133] 5369 53701563. [bug] Gracefully fail when unable to obtain neither an IPv4 5371 nor an IPv6 dispatch. [RT #10230] 5372 53731562. [bug] isc_socket_create() and isc_socket_accept() could 5374 leak memory under error conditions. [RT #10230] 5375 53761561. [bug] It was possible to release the same name twice if 5377 named ran out of memory. [RT #10197] 5378 53791560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA 5380 and EAI_NONAME to the same value. 5381 53821559. [port] named should ignore SIGFSZ. 5383 53841558. [func] New DNSSEC 'disable-algorithms'. Support entry into 5385 child zones for which we don't have a supported 5386 algorithm. Such child zones are treated as unsigned. 5387 53881557. [func] Implement missing DNSSEC tests for 5389 * NOQNAME proof with wildcard answers. 5390 * NOWILDARD proof with NXDOMAIN. 5391 Cache and return NOQNAME with wildcard answers. 5392 53931556. [bug] nsupdate now treats all names as fully qualified. 5394 [RT #6427] 5395 53961555. [func] 'rrset-order cyclic' no longer has a random starting 5397 point per query. [RT #7572] 5398 53991554. [bug] dig, host, nslookup failed when no nameservers 5400 were specified in /etc/resolv.conf. [RT #8232] 5401 54021553. [bug] The windows socket code could stop accepting 5403 connections. [RT#10115] 5404 54051552. [bug] Accept NOTIFY requests from mapped masters if 5406 matched-mapped is set. [RT #10049] 5407 54081551. [port] Open "/dev/null" before calling chroot(). 5409 54101550. [port] Call tzset(), if available, before calling chroot(). 5411 54121549. [func] named-checkzone can now write out the zone contents 5413 in a easily parsable format (-D and -o). 5414 54151548. [bug] When parsing APL records it was possible to silently 5416 accept out of range ADDRESSFAMILY values. [RT# 9979] 5417 54181547. [bug] Named wasted memory recording duplicate lame zone 5419 entries. [RT #9341] 5420 54211546. [bug] We were rejecting valid secure CNAME to negative 5422 answers. 5423 54241545. [bug] It was possible to leak memory if named was unable to 5425 bind to the specified transfer source and TSIG was 5426 being used. [RT #10120] 5427 54281544. [bug] Named would logged a single entry to a file despite it 5429 being over the specified size limit. 5430 54311543. [bug] Logging using "versions unlimited" did not work. 5432 54331542. [placeholder] 5434 54351541. [func] NSEC now uses new bitmap format. 5436 54371540. [bug] "rndc reload <dynamiczone>" was silently accepted. 5438 [RT #8934] 5439 54401539. [bug] Open UDP sockets for notify-source and transfer-source 5441 that use reserved ports at startup. [RT #9475] 5442 54431538. [placeholder] rt9997 5444 54451537. [func] New option "querylog". If set specify whether query 5446 logging is to be enabled or disabled at startup. 5447 54481536. [bug] Windows socket code failed to log a error description 5449 when returning ISC_R_UNEXPECTED. [RT #9998] 5450 54511535. [placeholder] 5452 54531534. [bug] Race condition when priming cache. [RT# 9940] 5454 54551533. [func] Warn if both "recursion no;" and "allow-recursion" 5456 are active. [RT# 4389] 5457 54581532. [port] netbsd: the configure test for <sys/sysctl.h> 5459 requires <sys/param.h>. 5460 54611531. [port] AIX more libtool fixes. 5462 54631530. [bug] It was possible to trigger a INSIST() failure if a 5464 slave master file was removed at just the correct 5465 moment. [RT #9462] 5466 54671529. [bug] "notify explicit;" failed to log that NOTIFY messages 5468 were being sent for the zone. [RT# 9442] 5469 54701528. [cleanup] Simplify some dns_name_ functions based on the 5471 deprecation of bitstring labels. 5472 54731527. [cleanup] Reduce the number of gettimeofday() calls without 5474 losing necessary timer granularity. 5475 54761526. [func] Implemented "additional section caching (or acache)", 5477 an internal cache framework for additional section 5478 content to improve response performance. Several 5479 configuration options were provided to control the 5480 behavior. 5481 54821525. [bug] dns_cache_create() could trigger a REQUIRE 5483 failure in isc_mem_put() during error cleanup. 5484 [RT# 9360] 5485 54861524. [port] AIX needs to be able to resolve all symbols when 5487 creating shared libraries (--with-libtool). 5488 54891523. [bug] Fix race condition in rbtdb. [RT# 9189] 5490 54911522. [bug] dns_db_findnode() relax the requirements on 'name'. 5492 [RT# 9286] 5493 54941521. [bug] dns_view_createresolver() failed to check the 5495 result from isc_mem_create(). [RT# 9294] 5496 54971520. [protocol] Add SSHFP (SSH Finger Print) type. 5498 54991519. [bug] dnssec-signzone:nsec_setbit() computed the wrong 5500 length of the new bitmap. 5501 55021518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(), 5503 contained a off-by-one error when working out the 5504 number of octets in the bitmap. 5505 55061517. [port] Support for IPv6 interface scanning on HP/UX and 5507 TrueUNIX 5.1. 5508 55091516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. 5510 55111515. [func] Allow transfer source to be set in a server statement. 5512 [RT #6496] 5513 55141514. [bug] named: isc_hash_destroy() was being called too early. 5515 [RT #9160] 5516 55171513. [doc] Add "US" to root-delegation-only exclude list. 5518 55191512. [bug] Extend the delegation-only logging to return query 5520 type, class and responding nameserver. 5521 55221511. [bug] delegation-only was generating false positives 5523 on negative answers from sub-zones. 5524 55251510. [func] New view option "root-delegation-only". Apply 5526 delegation-only check to all TLDs and root. 5527 Note there are some TLDs that are NOT delegation 5528 only (e.g. DE, LV, US and MUSEUM) these can be excluded 5529 from the checks by using exclude. 5530 5531 root-delegation-only exclude { 5532 "DE"; "LV"; "US"; "MUSEUM"; 5533 }; 5534 55351509. [bug] Hint zones should accept delegation-only. Forward 5536 zone should not accept delegation-only. 5537 55381508. [bug] Don't apply delegation-only checks to answers from 5539 forwarders. 5540 55411507. [bug] Handle BIND 8 style returns to NS queries to parents 5542 when making delegation-only checks. 5543 55441506. [bug] Wrong return type for dns_view_isdelegationonly(). 5545 55461505. [bug] Uninitialized rdataset in sdb. [RT #8750] 5547 55481504. [func] New zone type "delegation-only". 5549 55501503. [port] win32: install libeay32.dll outside of system32. 5551 55521502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP. 5553 55541501. [func] Allow TCP queue length to be specified via 5555 named.conf, tcp-listen-queue. 5556 55571500. [bug] host failed to lookup MX records. Also look up 5558 AAAA records. 5559 55601499. [bug] isc_random need to be seeded better if arc4random() 5561 is not used. 5562 55631498. [port] bsdos: 5.x support. 5564 55651497. [placeholder] 5566 55671496. [port] test for pthread_attr_setstacksize(). 5568 55691495. [cleanup] Replace hash functions with universal hash. 5570 55711494. [security] Turn on RSA BLINDING as a precaution. 5572 55731493. [placeholder] 5574 55751492. [cleanup] Preserve rwlock quota context when upgrading / 5576 downgrading. [RT #5599] 5577 55781491. [bug] dns_master_dump*() would produce extraneous $ORIGIN 5579 lines. [RT #6206] 5580 55811490. [bug] Accept reading state as well as working state in 5582 ns_client_next(). [RT #6813] 5583 55841489. [compat] Treat 'allow-update' on slave zones as a warning. 5585 [RT #3469] 5586 55871488. [bug] Don't override trust levels for glue addresses. 5588 [RT #5764] 5589 55901487. [bug] A REQUIRE() failure could be triggered if a zone was 5591 queued for transfer and the zone was then removed. 5592 [RT #6189] 5593 55941486. [bug] isc_print_snprintf() '%%' consumed one too many format 5595 characters. [RT# 8230] 5596 55971485. [bug] gen failed to handle high type values. [RT #6225] 5598 55991484. [bug] The number of records reported after a AXFR was wrong. 5600 [RT #6229] 5601 56021483. [bug] dig axfr failed if the message id in the answer failed 5603 to match that in the request. Only the id in the first 5604 message is required to match. [RT #8138] 5605 56061482. [bug] named could fail to start if the kernel supports 5607 IPv6 but no interfaces are configured. Similarly 5608 for IPv4. [RT #6229] 5609 56101481. [bug] Refresh and stub queries failed to use masters keys 5611 if specified. [RT #7391] 5612 56131480. [bug] Provide replay protection for rndc commands. Full 5614 replay protection requires both rndc and named to 5615 be updated. Partial replay protection (limited 5616 exposure after restart) is provided if just named 5617 is updated. 5618 56191479. [bug] cfg_create_tuple() failed to handle out of 5620 memory cleanup. parse_list() would leak memory 5621 on syntax errors. 5622 56231478. [port] ifconfig.sh didn't account for other virtual 5624 interfaces. It now takes a optional argument 5625 to specify the first interface number. [RT #3907] 5626 56271477. [bug] memory leak using stub zones and TSIG. 5628 56291476. [placeholder] 5630 56311475. [port] Probe for old sprintf(). 5632 56331474. [port] Provide strtoul() and memmove() for platforms 5634 without them. 5635 56361473. [bug] create_map() and create_string() failed to handle out 5637 of memory cleanup. [RT #6813] 5638 56391472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit. 5640 56411471. [bug] libbind: updated to BIND 8.4.0. 5642 56431470. [bug] Incorrect length passed to snprintf. [RT #5966] 5644 56451469. [func] Log end of outgoing zone transfer at same level 5646 as the start of transfer is logged. [RT #4441] 5647 56481468. [func] Internal zones are no longer counted for 5649 'rndc status'. [RT #4706] 5650 56511467. [func] $GENERATES now supports optional class and ttl. 5652 56531466. [bug] lwresd configuration errors resulted in memory 5654 and lock leaks. [RT #5228] 5655 56561465. [bug] isc_base64_decodestring() and isc_base64_tobuffer() 5657 failed to check that trailing bits were zero allowing 5658 some invalid base64 strings to be accepted. [RT #5397] 5659 56601464. [bug] Preserve "out of zone" data for outgoing zone 5661 transfers. [RT #5192] 5662 56631463. [bug] dns_rdata_from{wire,struct}() failed to catch bad 5664 NXT bit maps. [RT #5577] 5665 56661462. [bug] parse_sizeval() failed to check the token type. 5667 [RT #5586] 5668 56691461. [bug] Remove deadlock from rbtdb code. [RT #5599] 5670 56711460. [bug] inet_pton() failed to reject certain malformed 5672 IPv6 literals. 5673 56741459. [placeholder] 5675 56761458. [cleanup] sprintf() -> snprintf(). 5677 56781457. [port] Provide strlcat() and strlcpy() for platforms without 5679 them. 5680 56811456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer. 5682 56831455. [bug] <netaddr> missing from server grammar in 5684 doc/misc/options. [RT #5616] 5685 56861454. [port] Use getifaddrs() if available for interface scanning. 5687 --disable-getifaddrs to override. Glibc currently 5688 has a getifaddrs() that does not support IPv6. 5689 Use --enable-getifaddrs=glibc to force the use of 5690 this version under linux machines. 5691 56921453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298] 5693 56941452. [placeholder] 5695 56961451. [bug] rndc-confgen didn't exit with a error code for all 5697 failures. [RT #5209] 5698 56991450. [bug] Fetching expired glue failed under certain 5700 circumstances. [RT #5124] 5701 57021449. [bug] query_addbestns() didn't handle running out of memory 5703 gracefully. 5704 57051448. [bug] Handle empty wildcards labels. 5706 57071447. [bug] We were casting (unsigned int) to and from (void *). 5708 rdataset->private4 is now rdataset->privateuint4 5709 to reflect a type change. 5710 57111446. [func] Implemented undocumented alternate transfer sources 5712 from BIND 8. See use-alt-transfer-source, 5713 alt-transfer-source and alt-transfer-source-v6. 5714 5715 SECURITY: use-alt-transfer-source is ENABLED unless 5716 you are using views. This may cause a security risk 5717 resulting in accidental disclosure of wrong zone 5718 content if the master supplying different source 5719 content based on IP address. If you are not certain 5720 ISC recommends setting use-alt-transfer-source no; 5721 57221445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has 5723 been replaced with DNS_ADBFIND_STARTATZONE which 5724 causes the search to start using the closest zone. 5725 57261444. [func] dns_view_findzonecut2() allows you to specify if the 5727 cache should be searched for zone cuts. 5728 57291443. [func] Masters lists can now be specified and referenced 5730 in zone masters clauses and other masters lists. 5731 57321442. [func] New functions for manipulating port lists: 5733 dns_portlist_create(), dns_portlist_add(), 5734 dns_portlist_remove(), dns_portlist_match(), 5735 dns_portlist_attach() and dns_portlist_detach(). 5736 57371441. [func] It is now possible to tell dig to bind to a specific 5738 source port. 5739 57401440. [func] It is now possible to tell named to avoid using 5741 certain source ports (avoid-v4-udp-ports, 5742 avoid-v6-udp-ports). 5743 57441439. [bug] Named could return NOERROR with certain NOTIFY 5745 failures. Return NOTAUTH if the NOTIFY zone is 5746 not being served. 5747 57481438. [func] Log TSIG (if any) when logging NOTIFY requests. 5749 57501437. [bug] Leave space for stdio to work in. [RT #5033] 5751 57521436. [func] dns_zonemgr_resumexfrs() can be used to restart 5753 stalled transfers. 5754 57551435. [bug] zmgr_resume_xfrs() was being called read locked 5756 rather than write locked. zmgr_resume_xfrs() 5757 was not being called if the zone was being 5758 shutdown. 5759 57601434. [bug] "rndc reconfig" failed to initiate the initial 5761 zone transfer of new slave zones. 5762 57631433. [bug] named could trigger a REQUIRE failure if it could 5764 not get a file descriptor when attempting to write 5765 a master file. [RT #4347] 5766 57671432. [func] The advertised EDNS UDP buffer size can now be set 5768 via named.conf (edns-udp-size). 5769 57701431. [bug] isc_print_snprintf() "%s" with precision could walk off 5771 end of argument. [RT #5191] 5772 57731430. [port] linux: IPv6 interface scanning support. 5774 57751429. [bug] Prevent the cache getting locked to old servers. 5776 57771428. [placeholder] 5778 57791427. [bug] Race condition in adb with threaded build. 5780 57811426. [placeholder] 5782 57831425. [port] linux/libbind: define __USE_MISC when testing *_r() 5784 function prototypes in netdb.h. [RT #4921] 5785 57861424. [bug] EDNS version not being correctly printed. 5787 57881423. [contrib] queryperf: added A6 and SRV. 5789 57901422. [func] Log name/type/class when denying a query. [RT #4663] 5791 57921421. [func] Differentiate updates that don't succeed due to 5793 prerequisites (unsuccessful) vs other reasons 5794 (failed). 5795 57961420. [port] solaris: work around gcc optimizer bug. 5797 57981419. [port] openbsd: use /dev/arandom. [RT #4950] 5799 58001418. [bug] 'rndc reconfig' did not cause new slaves to load. 5801 58021417. [func] ID.SERVER/CHAOS is now a built in zone. 5803 See "server-id" for how to configure. 5804 58051416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN. 5806 [RT #4715] 5807 58081415. [func] DS TTL now derived from NS ttl. NXT TTL now derived 5809 from SOA MINIMUM. 5810 58111414. [func] Support for KSK flag. 5812 58131413. [func] Explicitly request the (re-)generation of DS records 5814 from keysets (dnssec-signzone -g). 5815 58161412. [func] You can now specify servers to be tried if a nameserver 5817 has IPv6 address and you only support IPv4 or the 5818 reverse. See dual-stack-servers. 5819 58201411. [bug] empty nodes should stop wildcard matches. [RT #4802] 5821 58221410. [func] Handle records that live in the parent zone, e.g. DS. 5823 58241409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC. 5825 58261408. [bug] "make distclean" was not complete. [RT #4700] 5827 58281407. [bug] lfsr incorrectly implements the shift register. 5829 [RT #4617] 5830 58311406. [bug] dispatch initializes one of the LFSR's with a incorrect 5832 polynomial. [RT #4617] 5833 58341405. [func] Use arc4random() if available. 5835 58361404. [bug] libbind: ns_name_ntol() could overwrite a zero length 5837 buffer. 5838 58391403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset 5840 dnssec-signkey now report their version in the 5841 usage message. 5842 58431402. [cleanup] A6 has been moved to experimental and is no longer 5844 fully supported. 5845 58461401. [bug] adb wasn't clearing state when the timer expired. 5847 58481400. [bug] Block the addition of wildcard NS records by IXFR 5849 or UPDATE. [RT #3502] 5850 58511399. [bug] Use serial number arithmetic when testing SIG 5852 timestamps. [RT #4268] 5853 58541398. [doc] ARM: notify-also should have been also-notify. 5855 [RT #4345] 5856 58571397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30. 5858 58591396. [func] dnssec-signzone: adjust the default signing time by 5860 1 hour to allow for clock skew. 5861 58621395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't 5863 have a working implementation. [RT #4079] 5864 58651394. [func] It is now possible to check if a particular element is 5866 in a acl. Remove duplicate entries from the localnets 5867 acl. 5868 58691393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY 5870 is not available in the kernel to prevent accidently 5871 listening on IPv4 interfaces. 5872 58731392. [bug] named-checkzone: update usage. 5874 58751391. [func] Add support for IPv6 scoped addresses in named. 5876 58771390. [func] host now supports ixfr. 5878 58791389. [bug] named could fail to rotate long log files. [RT #3666] 5880 58811388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before 5882 defining HAVE_IFLIST_SYSCTL. [RT #3770] 5883 58841387. [bug] named could crash due to an access to invalid memory 5885 space (which caused an assertion failure) in 5886 incremental cleaning. [RT #3588] 5887 58881386. [bug] named-checkzone -z stopped on errors in a zone. 5889 [RT #3653] 5890 58911385. [bug] Setting serial-query-rate to 10 would trigger a 5892 REQUIRE failure. 5893 58941384. [bug] host was incompatible with BIND 8 in its exit code and 5895 in the output with the -l option. [RT #3536] 5896 58971383. [func] Track the serial number in a IXFR response and log if 5898 a mismatch occurs. This is a more specific error than 5899 "not exact". [RT #3445] 5900 59011382. [bug] make install failed with --enable-libbind. [RT #3656] 5902 59031381. [bug] named failed to correctly process answers that 5904 contained DNAME records where the resulting CNAME 5905 resulted in a negative answer. 5906 59071380. [func] 'rndc recursing' dump recursing queries to 5908 'recursing-file = "named.recursing";'. 5909 59101379. [func] 'rndc status' now reports tcp and recursion quota 5911 states. 5912 59131378. [func] Improved positive feedback for 'rndc {reload|refresh}. 5914 59151377. [func] dns_zone_load{new}() now reports if the zone was 5916 loaded, queued for loading to up to date. 5917 59181376. [func] New function dns_zone_logc() to log to specified 5919 category. 5920 59211375. [func] 'rndc dumpdb' now dumps the adb cache along with the 5922 data cache. 5923 59241374. [func] dns_adb_dump() now logs the lame zones associated 5925 with each server. 5926 59271373. [bug] Recovery from expired glue failed under certain 5928 circumstances. 5929 59301372. [bug] named crashes with an assertion failure on exit when 5931 sharing the same port for listening and querying, and 5932 changing listening addresses several times. [RT# 3509] 5933 59341371. [bug] notify-source-v6, transfer-source-v6 and 5935 query-source-v6 with explicit addresses and using the 5936 same ports as named was listening on could interfere 5937 with named's ability to answer queries sent to those 5938 addresses. 5939 59401370. [bug] dig '+[no]recurse' was incorrectly documented. 5941 59421369. [bug] Adding an NS record as the lexicographically last 5943 record in a secure zone didn't work. 5944 59451368. [func] remove support for bitstring labels. 5946 59471367. [func] Use response times to select forwarders. 5948 59491366. [contrib] queryperf usage was incomplete. Add '-h' for help. 5950 59511365. [func] "localhost" and "localnets" acls now include IPv6 5952 addresses / prefixes. 5953 59541364. [func] Log file name when unable to open memory statistics 5955 and dump database files. [RT# 3437] 5956 59571363. [func] Listen-on-v6 now supports specific addresses. 5958 59591362. [bug] remove IFF_RUNNING test when scanning interfaces. 5960 59611361. [func] log the reason for rejecting a server when resolving 5962 queries. 5963 59641360. [bug] --enable-libbind would fail when not built in the 5965 source tree for certain OS's. 5966 59671359. [security] Support patches OpenSSL libraries. 5968 http://www.cert.org/advisories/CA-2002-23.html 5969 59701358. [bug] It was possible to trigger a INSIST when debugging 5971 large dynamic updates. [RT #3390] 5972 59731357. [bug] nsupdate was extremely wasteful of memory. 5974 59751356. [tuning] Reduce the number of events / quantum for zone tasks. 5976 59771355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME. 5978 59791354. [doc] lwres man pages had illegal nroff. 5980 59811353. [contrib] sdb/ldap to version 0.9. 5982 59831352. [bug] dig, host, nslookup when falling back to TCP use the 5984 current search entry (if any). [RT #3374] 5985 59861351. [bug] lwres_getipnodebyname() returned the wrong name 5987 when given a IPv4 literal, af=AF_INET6 and AI_MAPPED 5988 was set. 5989 59901350. [bug] dns_name_fromtext() failed to handle too many labels 5991 gracefully. 5992 59931349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). 5994 http://www.cert.org/advisories/CA-2002-23.html 5995 59961348. [port] win32: Rewrote code to use I/O Completion Ports 5997 in socket.c and eliminating a host of socket 5998 errors. Performance is enhanced. 5999 60001347. [placeholder] 6001 60021346. [placeholder] 6003 60041345. [port] Use a explicit -Wformat with gcc. Not all versions 6005 include it in -Wall. 6006 60071344. [func] Log if the serial number on the master has gone 6008 backwards. 6009 If you have multiple machines specified in the masters 6010 clause you may want to set 'multi-master yes;' to 6011 suppress this warning. 6012 60131343. [func] Log successful notifies received (info). Adjust log 6014 level for failed notifies to notice. 6015 60161342. [func] Log remote address with TCP dispatch failures. 6017 60181341. [func] Allow a rate limiter to be stalled. 6019 60201340. [bug] Delay and spread out the startup refresh load. 6021 60221339. [func] dig, host and nslookup now use IP6.ARPA for nibble 6023 lookups. Bit string lookups are no longer attempted. 6024 60251338. [placeholder] 6026 60271337. [placeholder] 6028 60291336. [func] Nibble lookups under IP6.ARPA are now supported by 6030 dns_byaddr_create(). dns_byaddr_createptrname() is 6031 deprecated, use dns_byaddr_createptrname2() instead. 6032 60331335. [bug] When performing a nonexistence proof, the validator 6034 should discard parent NXTs from higher in the DNS. 6035 60361334. [bug] When signing/verifying rdatasets, duplicate rdatas 6037 need to be suppressed. 6038 60391333. [contrib] queryperf now reports a summary of returned 6040 rcodes (-c), rcodes are printed in mnemonic form (-v). 6041 60421332. [func] Report the current serial with periodic commits when 6043 rolling forward the journal. 6044 60451331. [func] Generate DNSSEC wildcard proofs. 6046 60471330. [bug] When processing events (non-threaded) only allow 6048 the task one chance to use to use its quantum. 6049 60501329. [func] named-checkzone will now check if nameservers that 6051 appear to be IP addresses. Available modes "fail", 6052 "warn" (default) and "ignore" the results of the 6053 check. 6054 60551328. [bug] The validator could incorrectly verify an invalid 6056 negative proof. 6057 60581327. [bug] The validator would incorrectly mark data as insecure 6059 when seeing a bogus signature before a correct 6060 signature. 6061 60621326. [bug] DNAME/CNAME signatures were not being cached when 6063 validation was not being performed. [RT #3284] 6064 60651325. [bug] If the tcpquota was exhausted it was possible to 6066 to trigger a INSIST() failure. 6067 60681324. [port] darwin: ifconfig.sh now supports darwin. 6069 60701323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205] 6071 60721322. [bug] dnssec-signzone usage message was misleading. 6073 60741321. [bug] If the last RRset in a zone is glue, dnssec-signzone 6075 would incorrectly duplicate its output and sign it. 6076 60771320. [doc] query-source-v6 was missing from options section. 6078 [RT #3218] 6079 60801319. [func] libbind: log attempts to exploit #1318. 6081 60821318. [bug] libbind: Remote buffer overrun. 6083 60841317. [port] libbind: TrueUNIX 5.1 does not like __align as a 6085 element name. 6086 60871316. [bug] libbind: gethostans() could get out of sync parsing 6088 the response if there was a very long CNAME chain. 6089 60901315. [bug] Options should apply to the internal _bind view. 6091 60921314. [port] Handle ECONNRESET from sendmsg() [unix]. 6093 60941313. [func] Query log now says if the query was signed (S) or 6095 if EDNS was used (E). 6096 60971312. [func] Log TSIG key used w/ outgoing zone transfers. 6098 60991311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159] 6100 61011310. [bug] 'rndc stop' failed to cause zones to be flushed 6102 sometimes. [RT #3157] 6103 61041309. [func] Log that a zone transfer was covered by a TSIG. 6105 61061308. [func] DS (delegation signer) support. 6107 61081307. [bug] nsupdate: allow white space base64 key data. 6109 61101306. [bug] Badly encoded LOC record when the size, horizontal 6111 precision or vertical precision was 0.1m. 6112 61131305. [bug] Document that internal zones are included in the 6114 rndc status results. 6115 61161304. [func] New function: dns_zone_name(). 6117 61181303. [func] Option 'flush-zones-on-shutdown <boolean>;'. 6119 61201302. [func] Extended rndc dumpdb to support dumping of zones and 6121 view selection: 'dumpdb [-all|-zones|-cache] [view]'. 6122 61231301. [func] New category 'update-security'. 6124 61251300. [port] Compaq Trucluster support. 6126 61271299. [bug] Set AI_ADDRCONFIG when looking up addresses 6128 via getaddrinfo() (affects dig, host, nslookup, rndc 6129 and nsupdate). 6130 61311298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile 6132 could be left with a trailing "\" after configure 6133 has been run. 6134 61351297. [port] linux: make handling EINVAL from socket() no longer 6136 conditional on #ifdef LINUX. 6137 61381296. [bug] isc_log_closefilelogs() needed to lock the log 6139 context. 6140 61411295. [bug] isc_log_setdebuglevel() needed to lock the log 6142 context. 6143 61441294. [func] libbind: no longer attempts bit string labels for 6145 IPv6 reverse resolution. Try IP6.ARPA then IP6.INT 6146 for nibble style resolution. 6147 61481293. [func] Entropy can now be retrieved from EGDs. [RT #2438] 6149 61501292. [func] Enable IPv6 support when using ioctl style interface 6151 scanning and OS supports SIOCGLIFADDR using struct 6152 if_laddrreq. 6153 61541291. [func] Enable IPv6 support when using sysctl style interface 6155 scanning. 6156 61571290. [func] "dig axfr" now reports the number of messages 6158 as well as the number of records. 6159 61601289. [port] See if -ldl is required for OpenSSL? [RT #2672] 6161 61621288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better 6163 reflect written requirements. 6164 61651287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding 6166 a rdataset to a zone db in the rbtdb implementation of 6167 addrdataset. 6168 61691286. [bug] dns_name_downcase() enforce requirement that 6170 target != NULL or name->buffer != NULL. 6171 61721285. [func] lwres: probe the system to see what address families 6173 are currently in use. 6174 61751284. [bug] The RTT estimate on unused servers was not aged. 6176 [RT #2569] 6177 61781283. [func] Use "dataready" accept filter if available. 6179 61801282. [port] libbind: hpux 11.11 interface scanning. 6181 61821281. [func] Log zone when unable to get private keys to update 6183 zone. Log zone when NXT records are missing from 6184 secure zone. 6185 61861280. [bug] libbind: escape '(' and ')' when converting to 6187 presentation form. 6188 61891279. [port] Darwin uses (unsigned long) for size_t. [RT #2590] 6190 61911278. [func] dig: now supports +[no]cl +[no]ttlid. 6192 61931277. [func] You can now create your own customized printing 6194 styles: dns_master_stylecreate() and 6195 dns_master_styledestroy(). 6196 61971276. [bug] libbind: const pointer conflicts in res_debug.c. 6198 61991275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN. 6200 62011274. [bug] Memory leak in lwres_gnbarequest_parse(). 6202 62031273. [port] libbind: solaris: 64 bit binary compatibility. 6204 62051272. [contrib] Berkeley DB 4.0 sdb implementation from 6206 Nuno Miguel Rodrigues <nmr@co.sapo.pt>. 6207 62081271. [bug] "recursion available: {denied,approved}" was too 6209 confusing. 6210 62111270. [bug] Check that system inet_pton() and inet_ntop() support 6212 AF_INET6. 6213 62141269. [port] Openserver: ifconfig.sh support. 6215 62161268. [port] Openserver: the value FD_SETSIZE depends on whether 6217 <sys/param.h> is included or not. Be consistent. 6218 62191267. [func] isc_file_openunique() now creates file using mode 6220 0666 rather than 0600. 6221 62221266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE, 6223 __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE 6224 are not C++ compatible, use *_TYPE versions instead. 6225 62261265. [bug] libbind: LINK_INIT and UNLINK were not compatible with 6227 C++, use LINK_INIT_TYPE and UNLINK_TYPE instead. 6228 62291264. [placeholder] 6230 62311263. [bug] Reference after free error if dns_dispatchmgr_create() 6232 failed. 6233 62341262. [bug] ns_server_destroy() failed to set *serverp to NULL. 6235 62361261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide 6237 support for compressed TSIG owner names. 6238 62391260. [func] libbind: res_update can now update IPv6 servers, 6240 new function res_findzonecut2(). 6241 62421259. [bug] libbind: get_salen() IPv6 support was broken for OSs 6243 w/o sa_len. 6244 62451258. [bug] libbind: res_nametotype() and res_nametoclass() were 6246 broken. 6247 62481257. [bug] Failure to write pid-file should not be fatal on 6249 reload. [RT #2861] 6250 62511256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support. 6252 62531255. [bug] When verifying that an NXT proves nonexistence, check 6254 the rcode of the message and only do the matching NXT 6255 check. That is, for NXDOMAIN responses, check that 6256 the name is in the range between the NXT owner and 6257 next name, and for NOERROR NODATA responses, check 6258 that the type is not present in the NXT bitmap. 6259 62601254. [func] preferred-glue option from BIND 8.3. 6261 62621253. [bug] The dnssec system test failed to remove the correct 6263 files. 6264 62651252. [bug] Dig, host and nslookup were not checking the address 6266 the answer was coming from against the address it was 6267 sent to. [RT# 2692] 6268 62691251. [port] win32: a make file contained absolute version specific 6270 references. 6271 62721250. [func] Nsupdate will report the address the update was 6273 sent to. 6274 62751249. [bug] Missing masters clause was not handled gracefully. 6276 [RT #2703] 6277 62781248. [bug] DESTDIR was not being propagated between makes. 6279 62801247. [bug] Don't reset the interface index for link/site local 6281 addresses. [RT #2576] 6282 62831246. [func] New functions isc_sockaddr_issitelocal(), 6284 isc_sockaddr_islinklocal(), isc_netaddr_issitelocal() 6285 and isc_netaddr_islinklocal(). 6286 62871245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for 6288 accept(). 6289 62901244. [bug] Receiving a TCP message from a blackhole address would 6291 prevent further messages being received over that 6292 interface. 6293 62941243. [bug] It was possible to trigger a REQUIRE() in 6295 dns_message_findtype(). [RT #2659] 6296 62971242. [bug] named-checkzone failed if a journal existed. [RT #2657] 6298 62991241. [bug] Drop received UDP messages with a zero source port 6300 as these are invariably forged. [RT #2621] 6301 63021240. [bug] It was possible to leak zone references by 6303 specifying an incorrect zone to rndc. 6304 63051239. [bug] Under certain circumstances named could continue to 6306 use a name after it had been freed triggering 6307 INSIST() failures. [RT #2614] 6308 63091238. [bug] It is possible to lockup the server when shutting down 6310 if notifies were being processed. [RT #2591] 6311 63121237. [bug] nslookup: "set q=type" failed. 6313 63141236. [bug] dns_rdata{class,type}_fromtext() didn't handle non 6315 NULL terminated text regions. [RT #2588] 6316 63171235. [func] Report 'out of memory' errors from openssl. 6318 63191234. [bug] contrib/sdb: 'zonetodb' failed to call 6320 dns_result_register(). DNS_R_SEENINCLUDE should not 6321 be fatal. 6322 63231233. [bug] The flags field of a KEY record can be expressed in 6324 hex as well as decimal. 6325 63261232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL. 6327 63281231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL. 6329 63301230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken. 6331 63321229. [bug] named would crash if it received a TSIG signed 6333 query as part of an AXFR response. [RT #2570] 6334 63351228. [bug] 'make install' did not depend on 'make all'. [RT #2559] 6336 63371227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER 6338 if a number was expected and some other token was 6339 found. [RT#2532] 6340 63411226. [func] Use EDNS for zone refresh queries. [RT #2551] 6342 63431225. [func] dns_message_setopt() no longer requires that 6344 dns_message_renderbegin() to have been called. 6345 63461224. [bug] 'rrset-order' and 'sortlist' should be additive 6347 not exclusive. 6348 63491223. [func] 'rrset-order' partially works 'cyclic' and 'random' 6350 are supported. 6351 63521222. [bug] Specifying 'port *' did not always result in a system 6353 selected (non-reserved) port being used. [RT #2537] 6354 63551221. [bug] Zone types 'master', 'slave' and 'stub' were not being 6356 compared case insensitively. [RT #2542] 6357 63581220. [func] Support for APL rdata type. 6359 63601219. [func] Named now reports the TSIG extended error code when 6361 signature verification fails. [RT #1651] 6362 63631218. [bug] Named incorrectly returned SERVFAIL rather than 6364 NOTAUTH when there was a TSIG BADTIME error. [RT #2519] 6365 63661217. [func] Report locations of previous key definition when a 6367 duplicate is detected. 6368 63691216. [bug] Multiple server clauses for the same server were not 6370 reported. [RT #2514] 6371 63721215. [port] solaris: add support to ifconfig.sh for x86 2.5.1 6373 63741214. [bug] Win32: isc_file_renameunique() could leave zero length 6375 files behind. 6376 63771213. [func] Report view associated with client if it is not a 6378 standard view (_default or _bind). 6379 63801212. [port] libbind: 64k answer buffers were causing stack space 6381 to be exceeded for certain OS. Use heap space instead. 6382 63831211. [bug] dns_name_fromtext() incorrectly handled certain 6384 valid octal bitlabels. [RT #2483] 6385 63861210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped / 6387 compatible addresses. [RT #2461] 6388 63891209. [bug] Dig, host, nslookup were not checking the message ids 6390 on the responses. [RT #2454] 6391 63921208. [bug] dns_master_load*() failed to log a error message if 6393 an error was detected when parsing the ownername of 6394 a record. [RT #2448] 6395 63961207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with 6397 an invalid pointer. 6398 63991206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should 6400 trigger a non-EDNS retry. 6401 64021205. [bug] OPT, TSIG and TKEY cannot be used to set the "class" 6403 of the message. [RT #2449] 6404 64051204. [bug] libbind: res_nupdate() failed to update the name 6406 server addresses before sending the update. 6407 64081203. [func] Report locations of previous acl and zone definitions 6409 when a duplicate is detected. 6410 64111202. [func] New functions: cfg_obj_line() and cfg_obj_file(). 6412 64131201. [bug] Require that if 'callbacks' is passed to 6414 dns_rdata_fromtext(), callbacks->error and 6415 callbacks->warn are initialized. 6416 64171200. [bug] Log 'errno' that we are unable to convert to 6418 isc_result_t. [RT #2404] 6419 64201199. [doc] ARM reference to RFC 2157 should have been RFC 1918. 6421 [RT #2436] 6422 64231198. [bug] OPT printing style was not consistent with the way the 6424 header fields are printed. The DO bit was not reported 6425 if set. Report if any of the MBZ bits are set. 6426 64271197. [bug] Attempts to define the same acl multiple times were not 6428 detected. 6429 64301196. [contrib] update mdnkit to 2.2.3. 6431 64321195. [bug] Attempts to redefine builtin acls should be caught. 6433 [RT #2403] 6434 64351194. [bug] Not all duplicate zone definitions were being detected 6436 at the named.conf checking stage. [RT #2431] 6437 64381193. [bug] dig +besteffort parsing didn't handle packet 6439 truncation. dns_message_parse() has new flag 6440 DNS_MESSAGE_IGNORETRUNCATION. 6441 64421192. [bug] The seconds fields in LOC records were restricted 6443 to three decimal places. More decimal places should 6444 be allowed but warned about. 6445 64461191. [bug] A dynamic update removing the last non-apex name in 6447 a secure zone would fail. [RT #2399] 6448 64491190. [func] Add the "rndc freeze" and "rndc unfreeze" commands. 6450 [RT #2394] 6451 64521189. [bug] On some systems, malloc(0) returns NULL, which 6453 could cause the caller to report an out of memory 6454 error. [RT #2398] 6455 64561188. [bug] Dynamic updates of a signed zone would fail if 6457 some of the zone private keys were unavailable. 6458 64591187. [bug] named was incorrectly returning DNSSEC records 6460 in negative responses when the DO bit was not set. 6461 64621186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the 6463 EOL token when reading to end of line. 6464 64651185. [bug] libbind: don't assume statp->_u._ext.ext is valid 6466 unless RES_INIT is set when calling res_*init(). 6467 64681184. [bug] libbind: call res_ndestroy() if RES_INIT is set 6469 when res_*init() is called. 6470 64711183. [bug] Handle ENOSR error when writing to the internal 6472 control pipe. [RT #2395] 6473 64741182. [bug] The server could throw an assertion failure when 6475 constructing a negative response packet. 6476 64771181. [func] Add the "key-directory" configuration statement, 6478 which allows the server to look for online signing 6479 keys in alternate directories. 6480 64811180. [func] dnssec-keygen should always generate keys with 6482 protocol 3 (DNSSEC), since it's less confusing 6483 that way. 6484 64851179. [func] Add SIG(0) support to nsupdate. 6486 64871178. [bug] Follow and cache (if appropriate) A6 and other 6488 data chains to completion in the additional section. 6489 64901177. [func] Report view when loading zones if it is not a 6491 standard view (_default or _bind). [RT #2270] 6492 64931176. [doc] Document that allow-v6-synthesis is only performed 6494 for clients that are supplied recursive service. 6495 [RT #2260] 6496 64971175. [bug] named-checkzone and named-checkconf failed to call 6498 dns_result_register() at startup which could 6499 result in runtime exceptions when printing 6500 "out of memory" errors. [RT #2335] 6501 65021174. [bug] Win32: add WSAECONNRESET to the expected errors 6503 from connect(). [RT #2308] 6504 65051173. [bug] Potential memory leaks in isc_log_create() and 6506 isc_log_settag(). [RT #2336] 6507 65081172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to 6509 table of RR types in ARM. 6510 65111171. [func] Added function isc_region_compare(), updated files in 6512 lib/dns to use this function instead of local one. 6513 65141170. [bug] Don't attempt to print the token when a I/O error 6515 occurs when parsing named.conf. [RT #2275] 6516 65171169. [func] Identify recursive queries in the query log. 6518 65191168. [bug] Empty also-notify clauses were not handled. [RT #2309] 6520 65211167. [contrib] nslint-2.1a3 (from author). 6522 65231166. [bug] "Not Implemented" should be reported as NOTIMP, 6524 not NOTIMPL. [RT #2281] 6525 65261165. [bug] We were rejecting notify-source{-v6} in zone clauses. 6527 65281164. [bug] Empty masters clauses in slave / stub zones were not 6529 handled gracefully. [RT #2262] 6530 65311163. [func] isc_time_formattimestamp() now includes the year. 6532 65331162. [bug] The allow-notify option was not accepted in slave 6534 zone statements. 6535 65361161. [bug] named-checkzone looped on unbalanced brackets. 6537 [RT #2248] 6538 65391160. [bug] Generating Diffie-Hellman keys longer than 1024 6540 bits could fail. [RT #2241] 6541 65421159. [bug] MD and MF are not permitted to be loaded by RFC1123. 6543 65441158. [func] Report the client's address when logging notify 6545 messages. 6546 65471157. [func] match-clients and match-destinations now accept 6548 keys. [RT #2045] 6549 65501156. [port] The configure test for strsep() incorrectly 6551 succeeded on certain patched versions of 6552 AIX 4.3.3. [RT #2190] 6553 65541155. [func] Recover from master files being removed from under 6555 us. 6556 65571154. [bug] Don't attempt to obtain the netmask of a interface 6558 if there is no address configured. [RT #2176] 6559 65601153. [func] 'rndc {stop|halt} -p' now reports the process id 6561 of the instance of named being shutdown. 6562 65631152. [bug] libbind: read buffer overflows. 6564 65651151. [bug] nslookup failed to check that the arguments to 6566 the port, timeout, and retry options were 6567 valid integers and in range. [RT #2099] 6568 65691150. [bug] named incorrectly accepted TTL values 6570 containing plus or minus signs, such as 6571 1d+1h-1s. 6572 65731149. [func] New function isc_parse_uint32(). 6574 65751148. [func] 'rndc-confgen -a' now provides positive feedback. 6576 65771147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by 6578 the OS. listen-on-v6 { any; }; should no longer 6579 result in IPv4 queries be accepted. Similarly 6580 control { inet :: ... }; should no longer result 6581 in IPv4 connections being accepted. This can be 6582 overridden at compile time by defining 6583 ISC_ALLOW_MAPPED=1. 6584 65851146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if 6586 supported by the OS by a new function 6587 isc_socket_ipv6only(). 6588 65891145. [func] "host" no longer reports a NOERROR/NODATA response 6590 by printing nothing. [RT #2065] 6591 65921144. [bug] rndc-confgen would crash if both the -a and -t 6593 options were specified. [RT #2159] 6594 65951143. [bug] When a trusted-keys statement was present and named 6596 was built without crypto support, it would leak memory. 6597 65981142. [bug] dnssec-signzone would fail to delete temporary files 6599 in some failure cases. [RT #2144] 6600 66011141. [bug] When named rejected a control message, it would 6602 leak a file descriptor and memory. It would also 6603 fail to respond, causing rndc to hang. 6604 [RT #2139, #2164] 6605 66061140. [bug] rndc-confgen did not accept IPv6 addresses as arguments 6607 to the -s option. [RT #2138] 6608 66091139. [func] It is now possible to flush a given name from the 6610 cache(s) via 'rndc flushname name [view]'. [RT #2051] 6611 66121138. [func] It is now possible to flush a given name from the 6613 cache by calling the new function 6614 dns_cache_flushname(). 6615 66161137. [func] It is now possible to flush a given name from the 6617 ADB by calling the new function dns_adb_flushname(). 6618 66191136. [bug] CNAME records synthesized from DNAMEs did not 6620 have a TTL of zero as required by RFC2672. 6621 [RT #2129] 6622 66231135. [func] You can now override the default syslog() facility for 6624 named/lwresd at compile time. [RT #1982] 6625 66261134. [bug] Multi-threaded servers could deadlock in ferror() 6627 when reloading zone files. [RT #1951, #1998] 6628 66291133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on 6630 platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106] 6631 66321132. [func] Improve UPDATE prerequisite failure diagnostic messages. 6633 66341131. [bug] The match-destinations view option did not work with 6635 IPv6 destinations. [RT #2073, #2074] 6636 66371130. [bug] Log messages reporting an out-of-range serial number 6638 did not include the out-of-range number but the 6639 following token. [RT #2076] 6640 66411129. [bug] Multi-threaded servers could crash under heavy 6642 resolution load due to a race condition. [RT #2018] 6643 66441128. [func] sdb drivers can now provide RR data in either text 6645 or wire format, the latter using the new functions 6646 dns_sdb_putrdata() and dns_sdb_putnamedrdata(). 6647 66481127. [func] rndc: If the server to contact has multiple addresses, 6649 try all of them. 6650 66511126. [bug] The server could access a freed event if shut 6652 down while a client start event was pending 6653 delivery. [RT #2061] 6654 66551125. [bug] rndc: -k option was missing from usage message. 6656 [RT #2057] 6657 66581124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail 6659 are now documented. [RT #2052] 6660 66611123. [bug] dig +[no]fail did not match description. [RT #2052] 6662 66631122. [tuning] Resolution timeout reduced from 90 to 30 seconds. 6664 [RT #2046] 6665 66661121. [bug] The server could attempt to access a NULL zone 6667 table if shut down while resolving. 6668 [RT #1587, #2054] 6669 66701120. [bug] Errors in options were not fatal. [RT #2002] 6671 66721119. [func] Added support in Win32 for NTFS file/directory ACL's 6673 for access control. 6674 66751118. [bug] On multi-threaded servers, a race condition 6676 could cause an assertion failure in resolver.c 6677 during resolver shutdown. [RT #2029] 6678 66791117. [port] The configure check for in6addr_loopback incorrectly 6680 succeeded on AIX 4.3 when compiling with -O2 6681 because the test code was optimized away. 6682 [RT #2016] 6683 66841116. [bug] Setting transfers in a server clause, transfers-in, 6685 or transfers-per-ns to a value greater than 6686 2147483647 disabled transfers. [RT #2002] 6687 66881115. [func] Set maximum values for cleaning-interval, 6689 heartbeat-interval, interface-interval, 6690 max-transfer-idle-in, max-transfer-idle-out, 6691 max-transfer-time-in, max-transfer-time-out, 6692 statistics-interval of 28 days and 6693 sig-validity-interval of 3660 days. [RT #2002] 6694 66951114. [port] Ignore more accept() errors. [RT #2021] 6696 66971113. [bug] The allow-update-forwarding option was ignored 6698 when specified in a view. [RT #2014] 6699 67001112. [placeholder] 6701 67021111. [bug] Multi-threaded servers could deadlock processing 6703 recursive queries due to a locking hierarchy 6704 violation in adb.c. [RT #2017] 6705 67061110. [bug] dig should only accept valid abbreviations of +options. 6707 [RT #2003] 6708 67091109. [bug] nsupdate accepted illegal ttl values. 6710 67111108. [bug] On Win32, rndc was hanging when named was not running 6712 due to failure to select for exceptional conditions 6713 in select(). [RT #1870] 6714 67151107. [bug] nsupdate could catch an assertion failure if an 6716 invalid domain name was given as the argument to 6717 the "zone" command. 6718 67191106. [bug] After seeing an out of range TTL, nsupdate would 6720 treat all TTLs as out of range. [RT #2001] 6721 67221105. [port] OpenUNIX 8 enable threads by default. [RT #1970] 6723 67241104. [bug] Invalid arguments to the transfer-format option 6725 could cause an assertion failure. [RT #1995] 6726 67271103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970] 6728 67291102. [doc] Note that query logging is enabled by directing the 6730 queries category to a channel. 6731 67321101. [bug] Array bounds read error in lwres_gai_strerror. 6733 67341100. [bug] libbind: DNSSEC key ids were computed incorrectly. 6735 67361099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused 6737 compile time errors. 6738 67391098. [bug] libbind: HMAC-MD5 key files are now mode 0600. 6740 67411097. [func] libbind: RES_PRF_TRUNC for dig. 6742 67431096. [func] libbind: "DNSSEC OK" (DO) support. 6744 67451095. [func] libbind: resolver option: no-tld-query. disables 6746 trying unqualified as a tld. no_tld_query is also 6747 supported for FreeBSD compatibility. 6748 67491094. [func] libbind: add support gcc's format string checking. 6750 67511093. [doc] libbind: miscellaneous nroff fixes. 6752 67531092. [bug] libbind: get*by*() failed to check if res_init() had 6754 been called. 6755 67561091. [bug] libbind: misplaced va_end(). 6757 67581090. [bug] libbind: dns_ho.c:add_hostent() was not returning 6759 the amount of memory consumed resulting in garbage 6760 address being returned. Alignment calculations were 6761 wasting space. We weren't suppressing duplicate 6762 addresses. 6763 67641089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6 6765 support. 6766 67671088. [port] libbind: MPE/iX C.70 (incomplete) 6768 67691087. [bug] libbind: struct __res_state too large on 64 bit arch. 6770 67711086. [port] libbind: sunos: old sprintf. 6772 67731085. [port] libbind: solaris: sys_nerr and sys_errlist do not 6774 exist when compiling in 64 bit mode. 6775 67761084. [cleanup] libbind: gai_strerror() rewritten. 6777 67781083. [bug] The default control channel listened on the 6779 wildcard address, not the loopback as documented. 6780 [RT #1975] 6781 67821082. [bug] The -g option to named incorrectly caused logging 6783 to be sent to syslog in addition to stderr. 6784 [RT #1974] 6785 67861081. [bug] Multicast queries were incorrectly identified 6787 based on the source address, not the destination 6788 address. 6789 67901080. [bug] BIND 8 compatibility: accept bare IP prefixes 6791 as the second element of a two-element top level 6792 sort list statement. [RT #1964] 6793 67941079. [bug] BIND 8 compatibility: accept bare elements at top 6795 level of sort list treating them as if they were 6796 a single element list. [RT #1963] 6797 67981078. [bug] We failed to correct bad tv_usec values in one case. 6799 [RT #1966] 6800 68011077. [func] Do not accept further recursive clients when 6802 the total number of recursive lookups being 6803 processed exceeds max-recursive-clients, even 6804 if some of the lookups are internally generated. 6805 [RT #1915, #1938] 6806 68071076. [bug] A badly defined global key could trigger an assertion 6808 on load/reload if views were used. [RT #1947] 6809 68101075. [bug] Out-of-range network prefix lengths were not 6811 reported. [RT #1954] 6812 68131074. [bug] Running out of memory in dump_rdataset() could 6814 cause an assertion failure. [RT #1946] 6815 68161073. [bug] The ADB cache cleaning should also be space driven. 6817 [RT #1915, #1938] 6818 68191072. [bug] The TCP client quota could be exceeded when 6820 recursion occurred. [RT #1937] 6821 68221071. [bug] Sockets listening for TCP DNS connections 6823 specified an excessive listen backlog. [RT #1937] 6824 68251070. [bug] Copy DNSSEC OK (DO) to response as specified by 6826 draft-ietf-dnsext-dnssec-okbit-03.txt. 6827 68281069. [placeholder] 6829 68301068. [bug] errno could be overwritten by catgets(). [RT #1921] 6831 68321067. [func] Allow quotas to be soft, isc_quota_soft(). 6833 68341066. [bug] Provide a thread safe wrapper for strerror(). 6835 [RT #1689] 6836 68371065. [func] Runtime support to select new / old style interface 6838 scanning using ioctls. 6839 68401064. [bug] Do not shut down active network interfaces if we 6841 are unable to scan the interface list. [RT #1921] 6842 68431063. [bug] libbind: "make install" was failing on IRIX. 6844 [RT #1919] 6845 68461062. [bug] If the control channel listener socket was shut 6847 down before server exit, the listener object could 6848 be freed twice. [RT #1916] 6849 68501061. [bug] If periodic cache cleaning happened to start 6851 while cleaning due to reaching the configured 6852 maximum cache size was in progress, the server 6853 could catch an assertion failure. [RT #1912] 6854 68551060. [func] Move refresh, stub and notify UDP retry processing 6856 into dns_request. 6857 68581059. [func] dns_request now support will now retry UDP queries, 6859 dns_request_createvia2() and dns_request_createraw2(). 6860 68611058. [func] Limited lifetime ticker timers are now available, 6862 isc_timertype_limited. 6863 68641057. [bug] Reloading the server after adding a "file" clause 6865 to a zone statement could cause the server to 6866 crash due to a typo in change 1016. 6867 68681056. [bug] Rndc could catch an assertion failure on SIGINT due 6869 to an uninitialized variable. [RT #1908] 6870 68711055. [func] Version and hostname queries can now be disabled 6872 using "version none;" and "hostname none;", 6873 respectively. 6874 68751054. [bug] On Win32, cfg_categories and cfg_modules need to be 6876 exported from the libisccfg DLL. 6877 68781053. [bug] Dig did not increase its timeout when receiving 6879 AXFRs unless the +time option was used. [RT #1904] 6880 68811052. [bug] Journals were not being created in binary mode 6882 resulting in "journal format not recognized" error 6883 under Win32. [RT #1889] 6884 68851051. [bug] Do not ignore a network interface completely just 6886 because it has a noncontiguous netmask. Instead, 6887 omit it from the localnets ACL and issue a warning. 6888 [RT #1891] 6889 68901050. [bug] Log messages reporting malformed IP addresses in 6891 address lists such as that of the forwarders option 6892 failed to include the correct error code, file 6893 name, and line number. [RT #1890] 6894 68951049. [func] "pid-file none;" will disable writing a pid file. 6896 [RT #1848] 6897 68981048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1 6899 didn't work. 6900 69011047. [bug] named was incorrectly refusing all requests signed 6902 with a TSIG key derived from an unsigned TKEY 6903 negotiation with a NOERROR response. [RT #1886] 6904 69051046. [bug] The help message for the --with-openssl configure 6906 option was inaccurate. [RT #1880] 6907 69081045. [bug] It was possible to skip saving glue for a nameserver 6909 for a stub zone. 6910 69111044. [bug] Specifying allow-transfer, notify-source, or 6912 notify-source-v6 in a stub zone was not treated 6913 as an error. 6914 69151043. [bug] Specifying a transfer-source or transfer-source-v6 6916 option in the zone statement for a master zone was 6917 not treated as an error. [RT #1876] 6918 69191042. [bug] The "config" logging category did not work properly. 6920 [RT #1873] 6921 69221041. [bug] Dig/host/nslookup could catch an assertion failure 6923 on SIGINT due to an uninitialized variable. [RT #1867] 6924 69251040. [bug] Multiple listen-on-v6 options with different ports 6926 were not accepted. [RT #1875] 6927 69281039. [bug] Negative responses with CNAMEs in the answer section 6929 were cached incorrectly. [RT #1862] 6930 69311038. [bug] In servers configured with a tkey-domain option, 6932 TKEY queries with an owner name other than the root 6933 could cause an assertion failure. [RT #1866, #1869] 6934 69351037. [bug] Negative responses whose authority section contain 6936 SOA or NS records whose owner names are not equal 6937 equal to or parents of the query name should be 6938 rejected. [RT #1862] 6939 69401036. [func] Silently drop requests received via multicast as 6941 long as there is no final multicast DNS standard. 6942 69431035. [bug] If we respond to multicast queries (which we 6944 currently do not), respond from a unicast address 6945 as specified in RFC 1123. [RT #137] 6946 69471034. [bug] Ignore the RD bit on multicast queries as specified 6948 in RFC 1123. [RT #137] 6949 69501033. [bug] Always respond to requests with an unsupported opcode 6951 with NOTIMP, even if we don't have a matching view 6952 or cannot determine the class. 6953 69541032. [func] hostname.bind/txt/chaos now returns the name of 6955 the machine hosting the nameserver. This is useful 6956 in diagnosing problems with anycast servers. 6957 69581031. [bug] libbind.a: isc__gettimeofday() infinite recursion. 6959 [RT #1858] 6960 69611030. [bug] On systems with no resolv.conf file, nsupdate 6962 exited with an error rather than defaulting 6963 to using the loopback address. [RT #1836] 6964 69651029. [bug] Some named.conf errors did not cause the loading 6966 of the configuration file to return a failure 6967 status even though they were logged. [RT #1847] 6968 69691028. [bug] On Win32, dig/host/nslookup looked for resolv.conf 6970 in the wrong directory. [RT #1833] 6971 69721027. [bug] RRs having the reserved type 0 should be rejected. 6973 [RT #1471] 6974 69751026. [placeholder] 6976 69771025. [bug] Don't use multicast addresses to resolve iterative 6978 queries. [RT #101] 6979 69801024. [port] Compilation failed on HP-UX 11.11 due to 6981 incompatible use of the SIOCGLIFCONF macro 6982 name. [RT #1831] 6983 69841023. [func] Accept hints without TTLs. 6985 69861022. [bug] Don't report empty root hints as "extra data". 6987 [RT #1802] 6988 69891021. [bug] On Win32, log message timestamps were one month 6990 later than they should have been, and the server 6991 would exhibit unspecified behavior in December. 6992 69931020. [bug] IXFR log messages did not distinguish between 6994 true IXFRs, AXFR-style IXFRs, and mere version 6995 polls. [RT #1811] 6996 69971019. [bug] The value of the lame-ttl option was limited to 18000 6998 seconds, not 1800 seconds as documented. [RT #1803] 6999 70001018. [bug] The default log channel was not always initialized 7001 correctly. [RT #1813] 7002 70031017. [bug] When specifying TSIG keys to dig and nsupdate using 7004 the -k option, they must be HMAC-MD5 keys. [RT #1810] 7005 70061016. [bug] Slave zones with no backup file were re-transferred 7007 on every server reload. 7008 70091015. [bug] Log channels that had a "versions" option but no 7010 "size" option failed to create numbered log 7011 files. [RT #1783] 7012 70131014. [bug] Some queries would cause statistics counters to 7014 increment more than once or not at all. [RT #1321] 7015 70161013. [bug] It was possible to cancel a query twice when marking 7017 a server as bogus or by having a blackhole acl. 7018 [RT #1776] 7019 70201012. [bug] The -p option to named did not behave as documented. 7021 70221011. [cleanup] Removed isc_dir_current(). 7023 70241010. [bug] The server could attempt to execute a command channel 7025 command after initiating server shutdown, causing 7026 an assertion failure. [RT #1766] 7027 70281009. [port] OpenUNIX 8 support. [RT #1728] 7029 70301008. [port] libtool.m4, ltmain.sh from libtool-1.4.2. 7031 70321007. [port] config.guess, config.sub from autoconf-2.52. 7033 70341006. [bug] If a KEY RR was found missing during DNSSEC validation, 7035 an assertion failure could subsequently be triggered 7036 in the resolver. [RT #1763] 7037 70381005. [bug] Don't copy nonzero RCODEs from request to response. 7039 [RT #1765] 7040 70411004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770] 7042 70431003. [func] Add the +retry option to dig. 7044 70451002. [bug] When reporting an unknown class name in named.conf, 7046 including the file name and line number. [RT #1759] 7047 70481001. [bug] win32 socket code doio_recv was not catching a 7049 WSACONNRESET error when a client was timing out 7050 the request and closing its socket. [RT #1745] 7051 70521000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias 7053 for class "HS". [RT #1759] 7054 7055 999. [func] "rndc retransfer zone [class [view]]" added. 7056 [RT #1752] 7057 7058 998. [func] named-checkzone now has arguments to specify the 7059 chroot directory (-t) and working directory (-w). 7060 [RT #1755] 7061 7062 997. [func] Add support for RSA-SHA1 keys (RFC3110). 7063 7064 996. [func] Issue warning if the configuration filename contains 7065 the chroot path. 7066 7067 995. [bug] dig, host, nslookup: using a raw IPv6 address as a 7068 target address should be fatal on a IPv4 only system. 7069 7070 994. [func] Treat non-authoritative responses to queries for type 7071 NS as referrals even if the NS records are in the 7072 answer section, because BIND 8 servers incorrectly 7073 send them that way. This is necessary for DNSSEC 7074 validation of the NS records of a secure zone to 7075 succeed when the parent is a BIND 8 server. [RT #1706] 7076 7077 993. [func] dig: -v now reports the version. 7078 7079 992. [doc] dig: ~/.digrc is now documented. 7080 7081 991. [func] Lower UDP refresh timeout messages to level 7082 debug 1. 7083 7084 990. [bug] The rndc-confgen man page was not installed. 7085 7086 989. [bug] Report filename if $INCLUDE fails for file related 7087 errors. [RT #1736] 7088 7089 988. [bug] 'additional-from-auth no;' did not work reliably 7090 in the case of queries answered from the cache. 7091 [RT #1436] 7092 7093 987. [bug] "dig -help" didn't show "+[no]stats". 7094 7095 986. [bug] "dig +noall" failed to clear stats and command 7096 printing. 7097 7098 985. [func] Consider network interfaces to be up iff they have 7099 a nonzero IP address rather than based on the 7100 IFF_UP flag. [RT #1160] 7101 7102 984. [bug] Multi-threading should be enabled by default on 7103 Solaris 2.7 and newer, but it wasn't. 7104 7105 983. [func] The server now supports generating IXFR difference 7106 sequences for non-dynamic zones by comparing zone 7107 versions, when enabled using the new config 7108 option "ixfr-from-differences". [RT #1727] 7109 7110 982. [func] If "memstatistics-file" is set in options the memory 7111 statistics will be written to it. 7112 7113 981. [func] The dnssec tools can now take multiple '-r randomfile' 7114 arguments. 7115 7116 980. [bug] Incoming zone transfers restarting after an error 7117 could trigger an assertion failure. [RT #1692] 7118 7119 979. [func] Incremental master file dumping. dns_master_dumpinc(), 7120 dns_master_dumptostreaminc(), dns_dumpctx_attach(), 7121 dns_dumpctx_detach(), dns_dumpctx_cancel(), 7122 dns_dumpctx_db() and dns_dumpctx_version(). 7123 7124 978. [bug] dns_db_attachversion() had an invalid REQUIRE() 7125 condition. 7126 7127 977. [bug] Improve "not at top of zone" error message. 7128 7129 976. [func] named-checkconf can now test load master zones 7130 (named-checkconf -z). [RT #1468] 7131 7132 975. [bug] "max-cache-size default;" as a view option 7133 caused an assertion failure. 7134 7135 974. [bug] "max-cache-size unlimited;" as a global option 7136 was not accepted. 7137 7138 973. [bug] Failed to log the question name when logging: 7139 "bad zone transfer request: non-authoritative zone 7140 (NOTAUTH)". 7141 7142 972. [bug] The file modification time code in zone.c was using the 7143 wrong epoch. [RT #1667] 7144 7145 971. [placeholder] 7146 7147 970. [func] 'max-journal-size' can now be used to set a target 7148 size for a journal. 7149 7150 969. [func] dig now supports the undocumented dig 8 feature 7151 of allowing arbitrary labels, not just dotted 7152 decimal quads, with the -x option. This can be 7153 used to conveniently look up RFC2317 names as in 7154 "dig -x 10.0.0.0-127". [RT #827, #1576, #1598] 7155 7156 968. [bug] On win32, the isc_time_now() function was unnecessarily 7157 calling strtime(). [RT #1671] 7158 7159 967. [bug] On win32, the link for bindevt was not including the 7160 required resource file to enable the event viewer 7161 to interpret the error messages in the event log, 7162 [RT #1668] 7163 7164 966. [placeholder] 7165 7166 965. [bug] Including data other than root server NS and A 7167 records in the root hint file could cause a rbtdb 7168 node reference leak. [RT #1581, #1618] 7169 7170 964. [func] Warn if data other than root server NS and A records 7171 are found in the root hint file. [RT #1581, #1618] 7172 7173 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645] 7174 7175 962. [bug] libbind: bad "#undef", don't attempt to install 7176 non-existent nlist.h. [RT #1640] 7177 7178 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6 7179 was not defined. [RT #1482] 7180 7181 960. [port] liblwres failed to build on systems with support for 7182 getrrsetbyname() in the OS. [RT #1592] 7183 7184 959. [port] On FreeBSD, determine the number of CPUs by calling 7185 sysctlbyname(). [RT #1584] 7186 7187 958. [port] ssize_t is not available on all platforms. [RT #1607] 7188 7189 957. [bug] sys/select.h inclusion was broken on older platforms. 7190 [RT #1607] 7191 7192 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile 7193 in named/win32/os.c due to code changes in 7194 change #953. win32 .make file for rndc-confgen 7195 updated to add include path for os.h header. 7196 7197 --- 9.2.0rc1 released --- 7198 7199 955. [bug] When using views, the zone's class was not being 7200 inherited from the view's class. [RT #1583] 7201 7202 954. [bug] When requesting AXFRs or IXFRs using dig, host, or 7203 nslookup, the RD bit should not be set as zone 7204 transfers are inherently non-recursive. [RT #1575] 7205 7206 953. [func] The /var/run/named.key file from change #843 7207 has been replaced by /etc/rndc.key. Both 7208 named and rndc will look for this file and use 7209 it to configure a default control channel key 7210 if not already configured using a different 7211 method (rndc.conf / controls). Unlike 7212 named.key, rndc.key is not created automatically; 7213 it must be created by manually running 7214 "rndc-confgen -a". 7215 7216 952. [bug] The server required manual intervention to serve the 7217 affected zones if it died between creating a journal 7218 and committing the first change to it. 7219 7220 951. [bug] CFLAGS was not passed to the linker when 7221 linking some of the test programs under 7222 bin/tests. [RT #1555]. 7223 7224 950. [bug] Explicit TTLs did not properly override $TTL 7225 due to a bug in change 834. [RT #1558] 7226 7227 949. [bug] host was unable to print records larger than 512 7228 bytes. [RT #1557] 7229 7230 --- 9.2.0b2 released --- 7231 7232 948. [port] Integrated support for building on Windows NT / 7233 Windows 2000. 7234 7235 947. [bug] dns_rdata_soa_t had a badly named element "mname" which 7236 was really the RNAME field from RFC1035. To avoid 7237 confusion and silent errors that would occur it the 7238 "origin" and "mname" elements were given their correct 7239 names "mname" and "rname" respectively, the "mname" 7240 element is renamed to "contact". 7241 7242 946. [cleanup] doc/misc/options is now machine-generated from the 7243 configuration parser syntax tables, and therefore 7244 more likely to be correct. 7245 7246 945. [func] Add the new view-specific options 7247 "match-destinations" and "match-recursive-only". 7248 7249 944. [func] Check for expired signatures on load. 7250 7251 943. [bug] The server could crash when receiving a command 7252 via rndc if the configuration file listed only 7253 nonexistent keys in the controls statement. [RT #1530] 7254 7255 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly 7256 defined on some platforms. 7257 7258 941. [bug] The configuration checker crashed if a slave 7259 zone didn't contain a masters statement. [RT #1514] 7260 7261 940. [bug] Double zone locking failure on error path. [RT #1510] 7262 7263 --- 9.2.0b1 released --- 7264 7265 939. [port] Add the --disable-linux-caps option to configure for 7266 systems that manage capabilities outside of named. 7267 [RT #1503] 7268 7269 938. [placeholder] 7270 7271 937. [bug] A race when shutting down a zone could trigger a 7272 INSIST() failure. [RT #1034] 7273 7274 936. [func] Warn about IPv4 addresses that are not complete 7275 dotted quads. [RT #1084] 7276 7277 935. [bug] inet_pton failed to reject leading zeros. 7278 7279 934. [port] Deal with systems where accept() spuriously returns 7280 ECONNRESET. 7281 7282 933. [bug] configure failed doing libbind on platforms not 7283 supported by BIND 8. [RT #1496] 7284 7285 --- 9.2.0a3 released --- 7286 7287 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM, 7288 when installing isc-config.sh. 7289 [RT #198, #1466] 7290 7291 931. [bug] The controls statement only attempted to verify 7292 messages using the first key in the key list. 7293 (9.2.0a1/a2 only). 7294 7295 930. [func] Query performance testing tool added as 7296 contrib/queryperf. 7297 7298 929. [placeholder] 7299 7300 928. [bug] nsupdate would send empty update packets if the 7301 send (or empty line) command was run after 7302 another send but before any new updates or 7303 prerequisites were specified. It should simply 7304 ignore this command. 7305 7306 927. [bug] Don't hold the zone lock for the entire dump to disk. 7307 [RT #1423] 7308 7309 926. [bug] The resolver could deadlock with the ADB when 7310 shutting down (multi-threaded builds only). 7311 [RT #1324] 7312 7313 925. [cleanup] Remove openssl from the distribution; require that 7314 --with-openssl be specified if DNSSEC is needed. 7315 7316 924. [port] Extend support for pre-RFC2133 IPv6 implementation. 7317 [RT #987] 7318 7319 923. [bug] Multiline TSIG secrets (and other multiline strings) 7320 were not accepted in named.conf. [RT #1469] 7321 7322 922. [func] Added two new lwres_getrrsetbyname() result codes, 7323 ERR_NONAME and ERR_NODATA. 7324 7325 921. [bug] lwres returned an incorrect error code if it received 7326 a truncated message. 7327 7328 920. [func] Increase the lwres receive buffer size to 16K. 7329 [RT #1451] 7330 7331 919. [placeholder] 7332 7333 918. [func] In nsupdate, TSIG errors are no longer treated as 7334 fatal errors. 7335 7336 917. [func] New nsupdate command 'key', allowing TSIG keys to 7337 be specified in the nsupdate command stream rather 7338 than the command line. 7339 7340 916. [bug] Specifying type ixfr to dig without specifying 7341 a serial number failed in unexpected ways. 7342 7343 915. [func] The named-checkconf and named-checkzone programs 7344 now have a '-v' option for printing their version. 7345 [RT #1151] 7346 7347 914. [bug] Global 'server' statements were rejected when 7348 using views, even though they were accepted 7349 in 9.1. [RT #1368] 7350 7351 913. [bug] Cache cleaning was not sufficiently aggressive. 7352 [RT #1441, #1444] 7353 7354 912. [bug] Attempts to set the 'additional-from-cache' or 7355 'additional-from-auth' option to 'no' in a 7356 server with recursion enabled will now 7357 be ignored and cause a warning message. 7358 [RT #1145] 7359 7360 911. [placeholder] 7361 7362 910. [port] Some pre-RFC2133 IPv6 implementations do not define 7363 IN6ADDR_ANY_INIT. [RT #1416] 7364 7365 909. [placeholder] 7366 7367 908. [func] New program, rndc-confgen, to simplify setting up rndc. 7368 7369 907. [func] The ability to get entropy from either the 7370 random device, a user-provided file or from 7371 the keyboard was migrated from the DNSSEC tools 7372 to libisc as isc_entropy_usebestsource(). 7373 7374 906. [port] Separated the system independent portion of 7375 lib/isc/unix/entropy.c into lib/isc/entropy.c 7376 and added lib/isc/win32/entropy.c. 7377 7378 905. [bug] Configuring a forward "zone" for the root domain 7379 did not work. [RT #1418] 7380 7381 904. [bug] The server would leak memory if attempting to use 7382 an expired TSIG key. [RT #1406] 7383 7384 903. [bug] dig should not crash when receiving a TCP packet 7385 of length 0. 7386 7387 902. [bug] The -d option was ignored if both -t and -g were also 7388 specified. 7389 7390 901. [placeholder] 7391 7392 900. [bug] A config.guess update changed the system identification 7393 string of FreeBSD systems; configure and 7394 bin/tests/system/ifconfig.sh now recognize the new 7395 string. 7396 7397 --- 9.2.0a2 released --- 7398 7399 899. [bug] lib/dns/soa.c failed to compile on many platforms 7400 due to inappropriate use of a void value. 7401 [RT #1372, #1373, #1386, #1387, #1395] 7402 7403 898. [bug] "dig" failed to set a nonzero exit status 7404 on UDP query timeout. [RT #1323] 7405 7406 897. [bug] A config.guess update changed the system identification 7407 string of UnixWare systems; configure now recognizes 7408 the new string. 7409 7410 896. [bug] If a configuration file is set on named's command line 7411 and it has a relative pathname, the current directory 7412 (after any possible jailing resulting from named -t) 7413 will be prepended to it so that reloading works 7414 properly even when a directory option is present. 7415 7416 895. [func] New function, isc_dir_current(), akin to POSIX's 7417 getcwd(). 7418 7419 894. [bug] When using the DNSSEC tools, a message intended to warn 7420 when the keyboard was being used because of the lack 7421 of a suitable random device was not being printed. 7422 7423 893. [func] Removed isc_file_test() and added isc_file_exists() 7424 for the basic functionality that was being added 7425 with isc_file_test(). 7426 7427 892. [placeholder] 7428 7429 891. [bug] Return an error when a SIG(0) signed response to 7430 an unsigned query is seen. This should actually 7431 do the verification, but it's not currently 7432 possible. [RT #1391] 7433 7434 890. [cleanup] The man pages no longer require the mandoc macros 7435 and should now format cleanly using most versions of 7436 nroff, and HTML versions of the man pages have been 7437 added. Both are generated from DocBook source. 7438 7439 889. [port] Eliminated blank lines before .TH in nroff man 7440 pages since they cause problems with some versions 7441 of nroff. [RT #1390] 7442 7443 888. [bug] Don't die when using TKEY to delete a nonexistent 7444 TSIG key. [RT #1392] 7445 7446 887. [port] Detect broken compilers that can't call static 7447 functions from inline functions. [RT #1212] 7448 7449 886. [placeholder] 7450 7451 885. [placeholder] 7452 7453 884. [placeholder] 7454 7455 883. [placeholder] 7456 7457 882. [placeholder] 7458 7459 881. [placeholder] 7460 7461 880. [placeholder] 7462 7463 879. [placeholder] 7464 7465 878. [placeholder] 7466 7467 877. [placeholder] 7468 7469 876. [placeholder] 7470 7471 875. [placeholder] 7472 7473 874. [placeholder] 7474 7475 873. [placeholder] 7476 7477 872. [placeholder] 7478 7479 871. [placeholder] 7480 7481 870. [placeholder] 7482 7483 869. [placeholder] 7484 7485 868. [placeholder] 7486 7487 867. [placeholder] 7488 7489 866. [func] Close debug only file channels when debug is set to 7490 zero. [RT #1246] 7491 7492 865. [bug] The new configuration parser did not allow 7493 the optional debug level in a "severity debug" 7494 clause of a logging channel to be omitted. 7495 This is now allowed and treated as "severity 7496 debug 1;" like it does in BIND 8.2.4, not as 7497 "severity debug 0;" like it did in BIND 9.1. 7498 [RT #1367] 7499 7500 864. [cleanup] Multi-threading is now enabled by default on 7501 OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX. 7502 7503 863. [bug] If an error occurred while an outgoing zone transfer 7504 was starting up, the server could access a domain 7505 name that had already been freed when logging a 7506 message saying that the transfer was starting. 7507 [RT #1383] 7508 7509 862. [bug] Use after realloc(), non portable pointer arithmetic in 7510 grmerge(). 7511 7512 861. [port] Add support for Mac OS X, by making it equivalent 7513 to Darwin. This was derived from the config.guess 7514 file shipped with Mac OS X. [RT #1355] 7515 7516 860. [func] Drop cross class glue in zone transfers. 7517 7518 859. [bug] Cache cleaning now won't swamp the CPU if there 7519 is a persistent over limit condition. 7520 7521 858. [func] isc_mem_setwater() no longer requires that when the 7522 callback function is non-NULL then its hi_water 7523 argument must be greater than its lo_water argument 7524 (they can now be equal) or that they be non-zero. 7525 7526 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for 7527 structs, for our friends in EBCDIC-land. 7528 7529 856. [func] Allow partial rdatasets to be returned in answer and 7530 authority sections to help non-TCP capable clients 7531 recover from truncation. [RT #1301] 7532 7533 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings. 7534 7535 854. [bug] The config parser didn't properly handle config 7536 options that were specified in units of time other 7537 than seconds. [RT #1372] 7538 7539 853. [bug] configure_view_acl() failed to detach existing acls. 7540 [RT #1374] 7541 7542 852. [bug] Handle responses from servers which do not know 7543 about IXFR. 7544 7545 851. [cleanup] The obsolete support-ixfr option was not properly 7546 ignored. 7547 7548 --- 9.2.0a1 released --- 7549 7550 850. [bug] dns_rbt_findnode() would not find nodes that were 7551 split on a bitstring label somewhere other than in 7552 the last label of the node. [RT #1351] 7553 7554 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined. 7555 7556 848. [func] A minimum max-cache-size of two megabytes is enforced 7557 by the cache cleaner. 7558 7559 847. [func] Added isc_file_test(), which currently only has 7560 some very basic functionality to test for the 7561 existence of a file, whether a pathname is absolute, 7562 or whether a pathname is the fundamental representation 7563 of the current directory. It is intended that this 7564 function can be expanded to test other things a 7565 programmer might want to know about a file. 7566 7567 846. [func] A non-zero 'param' to dst_key_generate() when making an 7568 hmac-md5 key means that good entropy is not required. 7569 7570 845. [bug] The access rights on the public file of a symmetric 7571 key are now restricted as soon as the file is opened, 7572 rather than after it has been written and closed. 7573 7574 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined, 7575 just as <lwres/net.h> does. 7576 7577 843. [func] If no controls statement is present in named.conf, 7578 or if any inet phrase of a controls statement is 7579 lacking a keys clause, then a key will be automatically 7580 generated by named and an rndc.conf-style file 7581 named named.key will be written that uses it. rndc 7582 will use this file only if its normal configuration 7583 file, or one provided on the command line, does not 7584 exist. 7585 7586 842. [func] 'rndc flush' now takes an optional view. 7587 7588 841. [bug] When sdb modules were not declared threadsafe, their 7589 create and destroy functions were not serialized. 7590 7591 840. [bug] The config file parser could print the wrong file 7592 name if an error was detected after an included file 7593 was parsed. [RT #1353] 7594 7595 839. [func] Dump packets for which there was no view or that the 7596 class could not be determined to category "unmatched". 7597 7598 838. [port] UnixWare 7.x.x is now suported by 7599 bin/tests/system/ifconfig.sh. 7600 7601 837. [cleanup] Multi-threading is now enabled by default only on 7602 OSF1, Solaris 2.7 and newer, and AIX. 7603 7604 836. [func] Upgraded libtool to 1.4. 7605 7606 835. [bug] The dispatcher could enter a busy loop if 7607 it got an I/O error receiving on a UDP socket. 7608 [RT #1293] 7609 7610 834. [func] Accept (but warn about) master files beginning with 7611 an SOA record without an explicit TTL field and 7612 lacking a $TTL directive, by using the SOA MINTTL 7613 as a default TTL. This is for backwards compatibility 7614 with old versions of BIND 8, which accepted such 7615 files without warning although they are illegal 7616 according to RFC1035. 7617 7618 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to 7619 <dns/soa.h>, and extended them to support 7620 all the integer-valued fields of the SOA RR. 7621 7622 832. [bug] The default location for named.conf in named-checkconf 7623 should depend on --sysconfdir like it does in named. 7624 [RT #1258] 7625 7626 831. [placeholder] 7627 7628 830. [func] Implement 'rndc status'. 7629 7630 829. [bug] The DNS_R_ZONECUT result code should only be returned 7631 when an ANY query is made with DNS_DBFIND_GLUEOK set. 7632 In all other ANY query cases, returning the delegation 7633 is better. 7634 7635 828. [bug] The errno value from recvfrom() could be overwritten 7636 by logging code. [RT #1293] 7637 7638 827. [bug] When an IXFR protocol error occurs, the slave 7639 should retry with AXFR. 7640 7641 826. [bug] Some IXFR protocol errors were not detected. 7642 7643 825. [bug] zone.c:ns_query() detached from the wrong zone 7644 reference. [RT #1264] 7645 7646 824. [bug] Correct line numbers reported by dns_master_load(). 7647 [RT #1263] 7648 7649 823. [func] The output of "dig -h" now goes to stdout so that it 7650 can easily be piped through "more". [RT #1254] 7651 7652 822. [bug] Sending nxrrset prerequisites would crash nsupdate. 7653 [RT #1248] 7654 7655 821. [bug] The program name used when logging to syslog should 7656 be stripped of leading path components. 7657 [RT #1178, #1232] 7658 7659 820. [bug] Name server address lookups failed to follow 7660 A6 chains into the glue of local authoritative 7661 zones. 7662 7663 819. [bug] In certain cases, the resolver's attempts to 7664 restart an address lookup at the root could cause 7665 the fetch to deadlock (with itself) instead of 7666 restarting. [RT #1225] 7667 7668 818. [bug] Certain pathological responses to ANY queries could 7669 cause an assertion failure. [RT #1218] 7670 7671 817. [func] Adjust timeouts for dialup zone queries. 7672 7673 816. [bug] Report potential problems with log file accessibility 7674 at configuration time, since such problems can't 7675 reliably be reported at the time they actually occur. 7676 7677 815. [bug] If a log file was specified with a path separator 7678 character (i.e. "/") in its name and the directory 7679 did not exist, the log file's name was treated as 7680 though it were the directory name. [RT #1189] 7681 7682 814. [bug] Socket objects left over from accept() failures 7683 were incorrectly destroyed, causing corruption 7684 of socket manager data structures. 7685 7686 813. [bug] File descriptors exceeding FD_SETSIZE were handled 7687 badly. [RT #1192] 7688 7689 812. [bug] dig sometimes printed incomplete IXFR responses 7690 due to an uninitialized variable. [RT #1188] 7691 7692 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194] 7693 7694 810. [bug] The signer name in SIG records was not properly 7695 down-cased when signing/verifying records. [RT #1186] 7696 7697 809. [bug] Configuring a non-local address as a transfer-source 7698 could cause an assertion failure during load. 7699 7700 808. [func] Add 'rndc flush' to flush the server's cache. 7701 7702 807. [bug] When setting up TCP connections for incoming zone 7703 transfers, the transfer-source port was not 7704 ignored like it should be. 7705 7706 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up 7707 the calling stack to the zone maintenance level, 7708 causing zones to not reload when an included file was 7709 touched but the top-level zone file was not. 7710 7711 805. [bug] When using "forward only", missing root hints should 7712 not cause queries to fail. [RT #1143] 7713 7714 804. [bug] Attempting to obtain entropy could fail in some 7715 situations. This would be most common on systems 7716 with user-space threads. [RT #1131] 7717 7718 803. [bug] Treat all SIG queries as if they have the CD bit set, 7719 otherwise no data will be returned [RT #749] 7720 7721 802. [bug] DNSSEC key tags were computed incorrectly in almost 7722 all cases. [RT #1146] 7723 7724 801. [bug] nsupdate should treat lines beginning with ';' as 7725 comments. [RT #1139] 7726 7727 800. [bug] dnssec-signzone produced incorrect statistics for 7728 large zones. [RT #1133] 7729 7730 799. [bug] The ADB didn't find AAAA glue in a zone unless A6 7731 glue was also present. 7732 7733 798. [bug] nsupdate should be able to reject bad input lines 7734 and continue. [RT #1130] 7735 7736 797. [func] Issue a warning if the 'directory' option contains 7737 a relative path. [RT #269] 7738 7739 796. [func] When a size limit is associated with a log file, 7740 only roll it when the size is reached, not every 7741 time the log file is opened. [RT #1096] 7742 7743 795. [func] Add the +multiline option to dig. [RT #1095] 7744 7745 794. [func] Implement the "port" and "default-port" statements 7746 in rndc.conf. 7747 7748 793. [cleanup] The DNSSEC tools could create filenames that were 7749 illegal or contained shell meta-characters. They 7750 now use a different text encoding of names that 7751 doesn't have these problems. [RT #1101] 7752 7753 792. [cleanup] Replace the OMAPI command channel protocol with a 7754 simpler one. 7755 7756 791. [bug] The command channel now works over IPv6. 7757 7758 790. [bug] Wildcards created using dynamic update or IXFR 7759 could fail to match. [RT #1111] 7760 7761 789. [bug] The "localhost" and "localnets" ACLs did not match 7762 when used as the second element of a two-element 7763 sortlist item. 7764 7765 788. [func] Add the "match-mapped-addresses" option, which 7766 causes IPv6 v4mapped addresses to be treated as 7767 IPv4 addresses for the purpose of acl matching. 7768 7769 787. [bug] The DNSSEC tools failed to downcase domain 7770 names when mapping them into file names. 7771 7772 786. [bug] When DNSSEC signing/verifying data, owner names were 7773 not properly down-cased. 7774 7775 785. [bug] A race condition in the resolver could cause 7776 an assertion failure. [RT #673, #872, #1048] 7777 7778 784. [bug] nsupdate and other programs would not quit properly 7779 if some signals were blocked by the caller. [RT #1081] 7780 7781 783. [bug] Following CNAMEs could cause an assertion failure 7782 when either using an sdb database or under very 7783 rare conditions. 7784 7785 782. [func] Implement the "serial-query-rate" option. 7786 7787 781. [func] Avoid error packet loops by dropping duplicate FORMERR 7788 responses. [RT #1006] 7789 7790 780. [bug] Error handling code dealing with out of memory or 7791 other rare errors could lead to assertion failures 7792 by calling functions on uninitialized names. [RT #1065] 7793 7794 779. [func] Added the "minimal-responses" option. 7795 7796 778. [bug] When starting cache cleaning, cleaning_timer_action() 7797 returned without first pausing the iterator, which 7798 could cause deadlock. [RT #998] 7799 7800 777. [bug] An empty forwarders list in a zone failed to override 7801 global forwarders. [RT #995] 7802 7803 776. [func] Improved error reporting in denied messages. [RT #252] 7804 7805 775. [placeholder] 7806 7807 774. [func] max-cache-size is implemented. 7808 7809 773. [func] Added isc_rwlock_trylock() to attempt to lock without 7810 blocking. 7811 7812 772. [bug] Owner names could be incorrectly omitted from cache 7813 dumps in the presence of negative caching entries. 7814 [RT #991] 7815 7816 771. [cleanup] TSIG errors related to unsynchronized clocks 7817 are logged better. [RT #919] 7818 7819 770. [func] Add the "edns yes_or_no" statement to the server 7820 clause. [RT #524] 7821 7822 769. [func] Improved error reporting when parsing rdata. [RT #740] 7823 7824 768. [bug] The server did not emit an SOA when a CNAME 7825 or DNAME chain ended in NXDOMAIN in an 7826 authoritative zone. 7827 7828 767. [placeholder] 7829 7830 766. [bug] A few cases in query_find() could leak fname. 7831 This would trigger the mpctx->allocated == 0 7832 assertion when the server exited. 7833 [RT #739, #776, #798, #812, #818, #821, #845, 7834 #892, #935, #966] 7835 7836 765. [func] ACL names are once again case insensitive, like 7837 in BIND 8. [RT #252] 7838 7839 764. [func] Configuration files now allow "include" directives 7840 in more places, such as inside the "view" statement. 7841 [RT #377, #728, #860] 7842 7843 763. [func] Configuration files no longer have reserved words. 7844 [RT #731, #753] 7845 7846 762. [cleanup] The named.conf and rndc.conf file parsers have 7847 been completely rewritten. 7848 7849 761. [bug] _REENTRANT was still defined when building with 7850 --disable-threads. 7851 7852 760. [contrib] Significant enhancements to the pgsql sdb driver. 7853 7854 759. [bug] The resolver didn't turn off "avoid fetches" mode 7855 when restarting, possibly causing resolution 7856 to fail when it should not. This bug only affected 7857 platforms which support both IPv4 and IPv6. [RT #927] 7858 7859 758. [bug] The "avoid fetches" code did not treat negative 7860 cache entries correctly, causing fetches that would 7861 be useful to be avoided. This bug only affected 7862 platforms which support both IPv4 and IPv6. [RT #927] 7863 7864 757. [func] Log zone transfers. 7865 7866 756. [bug] dns_zone_load() could "return" success when no master 7867 file was configured. 7868 7869 755. [bug] Fix incorrectly formatted log messages in zone.c. 7870 7871 754. [bug] Certain failure conditions sending UDP packets 7872 could cause the server to retry the transmission 7873 indefinitely. [RT #902] 7874 7875 753. [bug] dig, host, and nslookup would fail to contact a 7876 remote server if getaddrinfo() returned an IPv6 7877 address on a system that doesn't support IPv6. 7878 [RT #917] 7879 7880 752. [func] Correct bad tv_usec elements returned by 7881 gettimeofday(). 7882 7883 751. [func] Log successful zone loads / transfers. [RT #898] 7884 7885 750. [bug] A query should not match a DNAME whose trust level 7886 is pending. [RT #916] 7887 7888 749. [bug] When a query matched a DNAME in a secure zone, the 7889 server did not return the signature of the DNAME. 7890 [RT #915] 7891 7892 748. [doc] List supported RFCs in doc/misc/rfc-compliance. 7893 [RT #781] 7894 7895 747. [bug] The code to determine whether an IXFR was possible 7896 did not properly check for a database that could 7897 not have a journal. [RT #865, #908] 7898 7899 746. [bug] The sdb didn't clone rdatasets properly, causing 7900 a crash when the server followed delegations. [RT #905] 7901 7902 745. [func] Report the owner name of records that fail 7903 semantic checks while loading. 7904 7905 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the 7906 result of an ANY or SIG query, the resolver failed 7907 to setup the return event's rdatasets, causing an 7908 assertion failure in the query code. [RT #881] 7909 7910 743. [bug] Receiving a large number of certain malformed 7911 answers could cause named to stop responding. 7912 [RT #861] 7913 7914 742. [placeholder] 7915 7916 741. [port] Support openssl-engine. [RT #709] 7917 7918 740. [port] Handle openssl library mismatches slightly better. 7919 7920 739. [port] Look for /dev/random in configure, rather than 7921 assuming it will be there for only a predefined 7922 set of OSes. 7923 7924 738. [bug] If a non-threadsafe sdb driver supported AXFR and 7925 received an AXFR request, it would deadlock or die 7926 with an assertion failure. [RT #852] 7927 7928 737. [port] stdtime.c failed to compile on certain platforms. 7929 7930 736. [func] New functions isc_task_{begin,end}exclusive(). 7931 7932 735. [doc] Add BIND 4 migration notes. 7933 7934 734. [bug] An attempt to re-lock the zone lock could occur if 7935 the server was shutdown during a zone transfer. 7936 [RT #830] 7937 7938 733. [bug] Reference counts of dns_acl_t objects need to be 7939 locked but were not. [RT #801, #821] 7940 7941 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828] 7942 7943 731. [bug] Certain zone errors could cause named-checkzone to 7944 fail ungracefully. [RT #819] 7945 7946 730. [bug] lwres_getaddrinfo() returns the correct result when 7947 it fails to contact a server. [RT #768] 7948 7949 729. [port] pthread_setconcurrency() needs to be called on Solaris. 7950 7951 728. [bug] Fix comment processing on master file directives. 7952 [RT# 757] 7953 7954 727. [port] Work around OS bug where accept() succeeds but 7955 fails to fill in the peer address of the accepted 7956 connection, by treating it as an error rather than 7957 an assertion failure. [RT #809] 7958 7959 726. [func] Implement the "trace" and "notrace" commands in rndc. 7960 7961 725. [bug] Installing man pages could fail. 7962 7963 724. [func] New libisc functions isc_netaddr_any(), 7964 isc_netaddr_any6(). 7965 7966 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver 7967 to return DNS_R_SERVFAIL. [RT #783] 7968 7969 722. [func] Allow incremental loads to be canceled. 7970 7971 721. [cleanup] Load manager and dns_master_loadfilequota() are no 7972 more. 7973 7974 720. [bug] Server could enter infinite loop in 7975 dispatch.c:do_cancel(). [RT #733] 7976 7977 719. [bug] Rapid reloads could trigger an assertion failure. 7978 [RT #743, #763] 7979 7980 718. [cleanup] "internal" is no longer a reserved word in named.conf. 7981 [RT #753, #731] 7982 7983 717. [bug] Certain TKEY processing failure modes could 7984 reference an uninitialized variable, causing the 7985 server to crash. [RT #750] 7986 7987 716. [bug] The first line of a $INCLUDE master file was lost if 7988 an origin was specified. [RT #744] 7989 7990 715. [bug] Resolving some A6 chains could cause an assertion 7991 failure in adb.c. [RT #738] 7992 7993 714. [bug] Preserve interval timers across reloads unless changed. 7994 [RT# 729] 7995 7996 713. [func] named-checkconf takes '-t directory' similar to named. 7997 [RT #726] 7998 7999 712. [bug] Sending a large signed update message caused an 8000 assertion failure. [RT #718] 8001 8002 711. [bug] The libisc and liblwres implementations of 8003 inet_ntop contained an off by one error. 8004 8005 710. [func] The forwarders statement now takes an optional 8006 port. [RT #418] 8007 8008 709. [bug] ANY or SIG queries for data with a TTL of 0 8009 would return SERVFAIL. [RT #620] 8010 8011 708. [bug] When building with --with-openssl, the openssl headers 8012 included with BIND 9 should not be used. [RT #702] 8013 8014 707. [func] The "filename" argument to named-checkzone is no 8015 longer optional, to reduce confusion. [RT #612] 8016 8017 706. [bug] Zones with an explicit "allow-update { none; };" 8018 were considered dynamic and therefore not reloaded 8019 on SIGHUP or "rndc reload". 8020 8021 705. [port] Work out resource limit type for use where rlim_t is 8022 not available. [RT #695] 8023 8024 704. [port] RLIMIT_NOFILE is not available on all platforms. 8025 [RT #695] 8026 8027 703. [port] sys/select.h is needed on older platforms. [RT #695] 8028 8029 702. [func] If the address 0.0.0.0 is seen in resolv.conf, 8030 use 127.0.0.1 instead. [RT #693] 8031 8032 701. [func] Root hints are now fully optional. Class IN 8033 views use compiled-in hints by default, as 8034 before. Non-IN views with no root hints now 8035 provide authoritative service but not recursion. 8036 A warning is logged if a view has neither root 8037 hints nor authoritative data for the root. [RT #696] 8038 8039 700. [bug] $GENERATE range check was wrong. [RT #688] 8040 8041 699. [bug] The lexer mishandled empty quoted strings. [RT #694] 8042 8043 698. [bug] Aborting nsupdate with ^C would lead to several 8044 race conditions. 8045 8046 697. [bug] nsupdate was not compatible with the undocumented 8047 BIND 8 behavior of ignoring TTLs in "update delete" 8048 commands. [RT #693] 8049 8050 696. [bug] lwresd would die with an assertion failure when passed 8051 a zero-length name. [RT #692] 8052 8053 695. [bug] If the resolver attempted to query a blackholed or 8054 bogus server, the resolution would fail immediately. 8055 8056 694. [bug] $GENERATE did not produce the last entry. 8057 [RT #682, #683] 8058 8059 693. [bug] An empty lwres statement in named.conf caused 8060 the server to crash while loading. 8061 8062 692. [bug] Deal with systems that have getaddrinfo() but not 8063 gai_strerror(). [RT #679] 8064 8065 691. [bug] Configuring per-view forwarders caused an assertion 8066 failure. [RT #675, #734] 8067 8068 690. [func] $GENERATE now supports DNAME. [RT #654] 8069 8070 689. [doc] man pages are now installed. [RT #210] 8071 8072 688. [func] "make tags" now works on systems with the 8073 "Exuberant Ctags" etags. 8074 8075 687. [bug] Only say we have IPv6, with sufficient functionality, 8076 if it has actually been tested. [RT #586] 8077 8078 686. [bug] dig and nslookup can now be properly aborted during 8079 blocking operations. [RT #568] 8080 8081 685. [bug] nslookup should use the search list/domain options 8082 from resolv.conf by default. [RT #405, #630] 8083 8084 684. [bug] Memory leak with view forwarders. [RT #656] 8085 8086 683. [bug] File descriptor leak in isc_lex_openfile(). 8087 8088 682. [bug] nslookup displayed SOA records incorrectly. [RT #665] 8089 8090 681. [bug] $GENERATE specifying output format was broken. [RT #653] 8091 8092 680. [bug] dns_rdata_fromstruct() mishandled options bigger 8093 than 255 octets. 8094 8095 679. [bug] $INCLUDE could leak memory and file descriptors on 8096 reload. [RT #639] 8097 8098 678. [bug] "transfer-format one-answer;" could trigger an assertion 8099 failure. [RT #646] 8100 8101 677. [bug] dnssec-signzone would occasionally use the wrong ttl 8102 for database operations and fail. [RT #643] 8103 8104 676. [bug] Log messages about lame servers to category 8105 'lame-servers' rather than 'resolver', so as not 8106 to be gratuitously incompatible with BIND 8. 8107 8108 675. [bug] TKEY queries could cause the server to leak 8109 memory. 8110 8111 674. [func] Allow messages to be TSIG signed / verified using 8112 a offset from the current time. 8113 8114 673. [func] The server can now convert RFC1886-style recursive 8115 lookup requests into RFC2874-style lookups, when 8116 enabled using the new option "allow-v6-synthesis". 8117 8118 672. [bug] The wrong time was in the "time signed" field when 8119 replying with BADTIME error. 8120 8121 671. [bug] The message code was failing to parse a message with 8122 no question section and a TSIG record. [RT #628] 8123 8124 670. [bug] The lwres replacements for getaddrinfo and 8125 getipnodebyname didn't properly check for the 8126 existence of the sockaddr sa_len field. 8127 8128 669. [bug] dnssec-keygen now makes the public key file 8129 non-world-readable for symmetric keys. [RT #403] 8130 8131 668. [func] named-checkzone now reports multiple errors in master 8132 files. 8133 8134 667. [bug] On Linux, running named with the -u option and a 8135 non-world-readable configuration file didn't work. 8136 [RT #626] 8137 8138 666. [bug] If a request sent by dig is longer than 512 bytes, 8139 use TCP. 8140 8141 665. [bug] Signed responses were not sent when the size of the 8142 TSIG + question exceeded the maximum message size. 8143 [RT #628] 8144 8145 664. [bug] The t_tasks and t_timers module tests are now skipped 8146 when building without threads, since they require 8147 threads. 8148 8149 663. [func] Accept a size_spec, not just an integer, in the 8150 (unimplemented and ignored) max-ixfr-log-size option 8151 for compatibility with recent versions of BIND 8. 8152 [RT #613] 8153 8154 662. [bug] dns_rdata_fromtext() failed to log certain errors. 8155 8156 661. [bug] Certain UDP IXFR requests caused an assertion failure 8157 (mpctx->allocated == 0). [RT #355, #394, #623] 8158 8159 660. [port] Detect multiple CPUs on HP-UX and IRIX. 8160 8161 659. [performance] Rewrite the name compression code to be much faster. 8162 8163 658. [cleanup] Remove all vestiges of 16 bit global compression. 8164 8165 657. [bug] When a listen-on statement in an lwres block does not 8166 specify a port, use 921, not 53. Also update the 8167 listen-on documentation. [RT #616] 8168 8169 656. [func] Treat an unescaped newline in a quoted string as 8170 an error. This means that TXT records with missing 8171 close quotes should have meaningful errors printed. 8172 8173 655. [bug] Improve error reporting on unexpected eof when loading 8174 zones. [RT #611] 8175 8176 654. [bug] Origin was being forgotten in TCP retries in dig. 8177 [RT #574] 8178 8179 653. [bug] +defname option in dig was reversed in sense. 8180 [RT #549] 8181 8182 652. [bug] zone_saveunique() did not report the new name. 8183 8184 651. [func] The AD bit in responses now has the meaning 8185 specified in <draft-ietf-dnsext-ad-is-secure>. 8186 8187 650. [bug] SIG(0) records were being generated and verified 8188 incorrectly. [RT #606] 8189 8190 649. [bug] It was possible to join to an already running fctx 8191 after it had "cloned" its events, but before it sent 8192 them. In this case, the event of the newly joined 8193 fetch would not contain the answer, and would 8194 trigger the INSIST() in fctx_sendevents(). In 8195 BIND 9.0, this bug did not trigger an INSIST(), but 8196 caused the fetch to fail with a SERVFAIL result. 8197 [RT #588, #597, #605, #607] 8198 8199 648. [port] Add support for pre-RFC2133 IPv6 implementations. 8200 8201 647. [bug] Resolver queries sent after following multiple 8202 referrals had excessively long retransmission 8203 timeouts due to incorrectly counting the referrals 8204 as "restarts". 8205 8206 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h 8207 didn't _cleanly_ fix the problem it was trying to fix. 8208 8209 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603] 8210 8211 644. [bug] #622 needed more work. [RT #562] 8212 8213 643. [bug] xfrin error messages made more verbose, added class 8214 of the zone. [RT# 599] 8215 8216 642. [bug] Break the exit_check() race in the zone module. 8217 [RT #598] 8218 8219 --- 9.1.0b2 released --- 8220 8221 641. [bug] $GENERATE caused a uninitialized link to be used. 8222 [RT #595] 8223 8224 640. [bug] Memory leak in error path could cause 8225 "mpctx->allocated == 0" failure. [RT #584] 8226 8227 639. [bug] Reading entropy from the keyboard would sometimes fail. 8228 [RT #591] 8229 8230 638. [port] lib/isc/random.c needed to explicitly include time.h 8231 to get a prototype for time() when pthreads was not 8232 being used. [RT #592] 8233 8234 637. [port] Use isc_u?int64_t instead of (unsigned) long long in 8235 lib/isc/print.c. Also allow lib/isc/print.c to 8236 be compiled even if the platform does not need it. 8237 [RT #592] 8238 8239 636. [port] Shut up MSVC++ about a possible loss of precision 8240 in the ISC__BUFFER_PUTUINT*() macros. [RT #592] 8241 8242 635. [bug] Reloading a server with a configured blackhole list 8243 would cause an assertion. [RT #590] 8244 8245 634. [bug] A log file will completely stop being written when 8246 it reaches the maximum size in all cases, not just 8247 when versioning is also enabled. [RT #570] 8248 8249 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575] 8250 8251 632. [bug] The index array of the journal file was 8252 corrupted as it was written to disk. 8253 8254 631. [port] Build without thread support on systems without 8255 pthreads. 8256 8257 630. [bug] Locking failure in zone code. [RT #582] 8258 8259 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed 8260 when responding to a UDP IXFR request. 8261 8262 628. [bug] If the root hints contained only AAAA addresses, 8263 named would be unable to perform resolution. 8264 8265 627. [bug] The EDNS0 blackhole detection code of change 324 8266 waited for three retransmissions to each server, 8267 which takes much too long when a domain has many 8268 name servers and all of them drop EDNS0 queries. 8269 Now we retry without EDNS0 after three consecutive 8270 timeouts, even if they are all from different 8271 servers. [RT #143] 8272 8273 626. [bug] The lightweight resolver daemon no longer crashes 8274 when asked for a SIG rrset. [RT #558] 8275 8276 625. [func] Zones now inherit their class from the enclosing view. 8277 8278 624. [bug] The zone object could get timer events after it had 8279 been destroyed, causing a server crash. [RT #571] 8280 8281 623. [func] Added "named-checkconf" and "named-checkzone" program 8282 for syntax checking named.conf files and zone files, 8283 respectively. 8284 8285 622. [bug] A canceled request could be destroyed before 8286 dns_request_destroy() was called. [RT #562] 8287 8288 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable. 8289 This mostly affects Red Hat Linux 7.0, which has 8290 conflicts between libc and the kernel. 8291 8292 620. [bug] dns_master_load*inc() now require 'task' and 'load' 8293 to be non-null. Also 'done' will not be called if 8294 dns_master_load*inc() fails immediately. [RT #565] 8295 8296 619. [placeholder] 8297 8298 618. [bug] Queries to a signed zone could sometimes cause 8299 an assertion failure. 8300 8301 617. [bug] When using dynamic update to add a new RR to an 8302 existing RRset with a different TTL, the journal 8303 entries generated from the update did not include 8304 explicit deletions and re-additions of the existing 8305 RRs to update their TTL to the new value. 8306 8307 616. [func] dnssec-signzone -t output now includes performance 8308 statistics. 8309 8310 615. [bug] dnssec-signzone did not like child keysets signed 8311 by multiple keys. 8312 8313 614. [bug] Checks for uninitialized link fields were prone 8314 to false positives, causing assertion failures. 8315 The checks are now disabled by default and may 8316 be re-enabled by defining ISC_LIST_CHECKINIT. 8317 8318 613. [bug] "rndc reload zone" now reloads primary zones. 8319 It previously only updated slave and stub zones, 8320 if an SOA query indicated an out of date serial. 8321 8322 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that 8323 complains relentlessly about how its treatment 8324 of 'const' has changed as well as how casting 8325 sometimes tightens alignment constraints. 8326 8327 611. [func] allow-notify can be used to permit processing of 8328 notify messages from hosts other than a slave's 8329 masters. 8330 8331 610. [func] rndc dumpdb is now supported. 8332 8333 609. [bug] getrrsetbyname() would crash lwresd if the server 8334 found more SIGs than answers. [RT #554] 8335 8336 608. [func] dnssec-signzone now adds a comment to the zone 8337 with the time the file was signed. 8338 8339 607. [bug] nsupdate would fail if it encountered a CNAME or 8340 DNAME in a response to an SOA query. [RT #515] 8341 8342 606. [bug] Compiling with --disable-threads failed due 8343 to isc_thread_self() being incorrectly defined 8344 as an integer rather than a function. 8345 8346 605. [func] New function isc_lex_getlasttokentext(). 8347 8348 604. [bug] The named.conf parser could print incorrect line 8349 numbers when long comments were present. 8350 8351 603. [bug] Make dig handle multiple types or classes on the same 8352 query more correctly. 8353 8354 602. [func] Cope automatically with UnixWare's broken 8355 IN6_IS_ADDR_* macros. [RT #539] 8356 8357 601. [func] Return a non-zero exit code if an update fails 8358 in nsupdate. 8359 8360 600. [bug] Reverse lookups sometimes failed in dig, etc... 8361 8362 599. [func] Added four new functions to the libisc log API to 8363 support i18n messages. isc_log_iwrite(), 8364 isc_log_ivwrite(), isc_log_iwrite1() and 8365 isc_log_ivwrite1() were added. 8366 8367 598. [bug] An update-policy statement would cause the server 8368 to assert while loading. [RT #536] 8369 8370 597. [func] dnssec-signzone is now multi-threaded. 8371 8372 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are 8373 not mutually exclusive. 8374 8375 595. [port] On Linux 2.2, socket() returns EINVAL when it 8376 should return EAFNOSUPPORT. Work around this. 8377 [RT #531] 8378 8379 594. [func] sdb drivers are now assumed to not be thread-safe 8380 unless the DNS_SDBFLAG_THREADSAFE flag is supplied. 8381 8382 593. [bug] If a secure zone was missing all its NXTs and 8383 a dynamic update was attempted, the server entered 8384 an infinite loop. 8385 8386 592. [bug] The sig-validity-interval option now specifies a 8387 number of days, not seconds. This matches the 8388 documentation. [RT #529] 8389 8390 --- 9.1.0b1 released --- 8391 8392 591. [bug] Work around non-reentrancy in openssl by disabling 8393 pre-computation in keys. 8394 8395 590. [doc] There are now man pages for the lwres library in 8396 doc/man/lwres. 8397 8398 589. [bug] The server could deadlock if a zone was updated 8399 while being transferred out. 8400 8401 588. [bug] ctx->in_use was not being correctly initialized when 8402 when pushing a file for $INCLUDE. [RT #523] 8403 8404 587. [func] A warning is now printed if the "allow-update" 8405 option allows updates based on the source IP 8406 address, to alert users to the fact that this 8407 is insecure and becoming increasingly so as 8408 servers capable of update forwarding are being 8409 deployed. 8410 8411 586. [bug] multiple views with the same name were fatal. [RT #516] 8412 8413 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge() 8414 now support 'exact' additions in a similar manner to 8415 dns_db_subtractrdataset() and dns_rdataslab_subtract(). 8416 8417 584. [func] You can now say 'notify explicit'; to suppress 8418 notification of the servers listed in NS records 8419 and notify only those servers listed in the 8420 'also-notify' option. 8421 8422 583. [func] "rndc querylog" will now toggle logging of 8423 queries, like "ndc querylog" in BIND 8. 8424 8425 582. [bug] dns_zone_idetach() failed to lock the zone. 8426 [RT #199, #463] 8427 8428 581. [bug] log severity was not being correctly processed. 8429 [RT #485] 8430 8431 580. [func] Ignore trailing garbage on incoming DNS packets, 8432 for interoperability with broken server 8433 implementations. [RT #491] 8434 8435 579. [bug] nsupdate did not take a filename to read update from. 8436 [RT #492] 8437 8438 578. [func] New config option "notify-source", to specify the 8439 source address for notify messages. 8440 8441 577. [func] Log illegal RDATA combinations. e.g. multiple 8442 singleton types, cname and other data. 8443 8444 576. [doc] isc_log_create() description did not match reality. 8445 8446 575. [bug] isc_log_create() was not setting internal state 8447 correctly to reflect the default channels created. 8448 8449 574. [bug] TSIG signed queries sent by the resolver would fail to 8450 have their responses validated and would leak memory. 8451 8452 573. [bug] The journal files of IXFRed slave zones were 8453 inadvertently discarded on server reload, causing 8454 "journal out of sync with zone" errors on subsequent 8455 reloads. [RT #482] 8456 8457 572. [bug] Quoted strings were not accepted as key names in 8458 address match lists. 8459 8460 571. [bug] It was possible to create an rdataset of singleton 8461 type which had more than one rdata. [RT #154] 8462 [RT #279] 8463 8464 570. [bug] rbtdb.c allowed zones containing nodes which had 8465 both a CNAME and "other data". [RT #154] 8466 8467 569. [func] The DNSSEC AD bit will not be set on queries which 8468 have not requested a DNSSEC response. 8469 8470 568. [func] Add sample simple database drivers in contrib/sdb. 8471 8472 567. [bug] Setting the zone transfer timeout to zero caused an 8473 assertion failure. [RT #302] 8474 8475 566. [func] New public function dns_timer_setidle(). 8476 8477 565. [func] Log queries more like BIND 8: query logging is now 8478 done to category "queries", level "info". [RT #169] 8479 8480 564. [func] Add sortlist support to lwresd. 8481 8482 563. [func] New public functions dns_rdatatype_format() and 8483 dns_rdataclass_format(), for convenient formatting 8484 of rdata type/class mnemonics in log messages. 8485 8486 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong. 8487 8488 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files' 8489 clauses of the options{} statement are now implemented. 8490 8491 560. [bug] dns_name_split did not properly the resulting prefix 8492 when a maximal length bitstring label was split which 8493 was preceded by another bitstring label. [RT #429] 8494 8495 559. [bug] dns_name_split did not properly create the suffix 8496 when splitting within a maximal length bitstring label. 8497 8498 558. [func] New functions, isc_resource_getlimit and 8499 isc_resource_setlimit. 8500 8501 557. [func] Symbolic constants for libisc integral types. 8502 8503 556. [func] The DNSSEC OK bit in the EDNS extended flags 8504 is now implemented. Responses to queries without 8505 this bit set will not contain any DNSSEC records. 8506 8507 555. [bug] A slave server attempting a zone transfer could 8508 crash with an assertion failure on certain 8509 malformed responses from the master. [RT #457] 8510 8511 554. [bug] In some cases, not all of the dnssec tools were 8512 properly installed. 8513 8514 553. [bug] Incoming zone transfers deferred due to quota 8515 were not started when quota was increased but 8516 only when a transfer in progress finished. [RT #456] 8517 8518 552. [bug] We were not correctly detecting the end of all c-style 8519 comments. [RT #455] 8520 8521 551. [func] Implemented the 'sortlist' option. 8522 8523 550. [func] Support unknown rdata types and classes. 8524 8525 549. [bug] "make" did not immediately abort the build when a 8526 subdirectory make failed [RT #450]. 8527 8528 548. [func] The lexer now ungets tokens more correctly. 8529 8530 547. [placeholder] 8531 8532 546. [func] Option 'lame-ttl' is now implemented. 8533 8534 545. [func] Name limit and counting options removed from dig; 8535 they didn't work properly, and cannot be correctly 8536 implemented without significant changes. 8537 8538 544. [func] Add statistics option, enable statistics-file option, 8539 add RNDC option "dump-statistics" to write out a 8540 query statistics file. 8541 8542 543. [doc] The 'port' option is now documented. 8543 8544 542. [func] Add support for update forwarding as required for 8545 full compliance with RFC2136. It is turned off 8546 by default and can be enabled using the 8547 'allow-update-forwarding' option. 8548 8549 541. [func] Add bogus server support. 8550 8551 540. [func] Add dialup support. 8552 8553 539. [func] Support the blackhole option. 8554 8555 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo(). 8556 8557 537. [placeholder] 8558 8559 536. [func] Use transfer-source{-v6} when sending refresh queries. 8560 Transfer-source{-v6} now take a optional port 8561 parameter for setting the UDP source port. The port 8562 parameter is ignored for TCP. 8563 8564 535. [func] Use transfer-source{-v6} when forwarding update 8565 requests. 8566 8567 534. [func] Ancestors have been removed from RBT chains. Ancestor 8568 information can be discerned via node parent pointers. 8569 8570 533. [func] Incorporated name hashing into the RBT database to 8571 improve search speed. 8572 8573 532. [func] Implement DNS UPDATE pseudo records using 8574 DNS_RDATA_UPDATE flag. 8575 8576 531. [func] Rdata really should be initialized before being assigned 8577 to (dns_rdata_fromwire(), dns_rdata_fromtext(), 8578 dns_rdata_clone(), dns_rdata_fromregion()), 8579 check that it is. 8580 8581 530. [func] New function dns_rdata_invalidate(). 8582 8583 529. [bug] 521 contained a bug which caused zones to always 8584 reload. [RT #410] 8585 8586 528. [func] The ISC_LIST_XXXX macros now perform sanity checks 8587 on their arguments. ISC_LIST_XXXXUNSAFE can be use 8588 to skip the checks however use with caution. 8589 8590 527. [func] New function dns_rdata_clone(). 8591 8592 526. [bug] nsupdate incorrectly refused to add RRs with a TTL 8593 of 0. 8594 8595 525. [func] New arguments 'options' for dns_db_subtractrdataset(), 8596 and 'flags' for dns_rdataslab_subtract() allowing you 8597 to request that the RR's must exist prior to deletion. 8598 DNS_R_NOTEXACT is returned if the condition is not met. 8599 8600 524. [func] The 'forward' and 'forwarders' statement in 8601 non-forward zones should work now. 8602 8603 523. [doc] The source to the Administrator Reference Manual is 8604 now an XML file using the DocBook DTD, and is included 8605 in the distribution. The plain text version of the 8606 ARM is temporarily unavailable while we figure out 8607 how to generate readable plain text from the XML. 8608 8609 522. [func] The lightweight resolver daemon can now use 8610 a real configuration file, and its functionality 8611 can be provided by a name server. Also, the -p and -P 8612 options to lwresd have been reversed. 8613 8614 521. [bug] Detect master files which contain $INCLUDE and always 8615 reload. [RT #196] 8616 8617 520. [bug] Upgraded libtool to 1.3.5, which makes shared 8618 library builds almost work on AIX (and possibly 8619 others). 8620 8621 519. [bug] dns_name_split() would improperly split some bitstring 8622 labels, zeroing a few of the least significant bits in 8623 the prefix part. When such an improperly created 8624 prefix was returned to the RBT database, the bogus 8625 label was dutifully stored, corrupting the tree. 8626 [RT #369] 8627 8628 518. [bug] The resolver did not realize that a DNAME which was 8629 "the answer" to the client's query was "the answer", 8630 and such queries would fail. [RT #399] 8631 8632 517. [bug] The resolver's DNAME code would trigger an assertion 8633 if there was more than one DNAME in the chain. 8634 [RT #399] 8635 8636 516. [bug] Cache lookups which had a NULL node pointer, e.g. 8637 those by dns_view_find(), and which would match a 8638 DNAME, would trigger an INSIST(!search.need_cleanup) 8639 assertion. [RT #399] 8640 8641 515. [bug] The ssu table was not being attached / detached 8642 by dns_zone_[sg]etssutable. [RT#397] 8643 8644 514. [func] Retry refresh and notify queries if they timeout. 8645 [RT #388] 8646 8647 513. [func] New functionality added to rdnc and server to allow 8648 individual zones to be refreshed or reloaded. 8649 8650 512. [bug] The zone transfer code could throw an exception with 8651 an invalid IXFR stream. 8652 8653 511. [bug] The message code could throw an assertion on an 8654 out of memory failure. [RT #392] 8655 8656 510. [bug] Remove spurious view notify warning. [RT #376] 8657 8658 509. [func] Add support for write of zone files on shutdown. 8659 8660 508. [func] dns_message_parse() can now do a best-effort 8661 attempt, which should allow dig to print more invalid 8662 messages. 8663 8664 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach() 8665 and dns_view_flushanddetach(). 8666 8667 506. [func] Do not fail to start on errors in zone files. 8668 8669 505. [bug] nsupdate was printing "unknown result code". [RT #373] 8670 8671 504. [bug] The zone was not being marked as dirty when updated via 8672 IXFR. 8673 8674 503. [bug] dumptime was not being set along with 8675 DNS_ZONEFLG_NEEDDUMP. 8676 8677 502. [func] On a SERVFAIL reply, DiG will now try the next server 8678 in the list, unless the +fail option is specified. 8679 8680 501. [bug] Incorrect port numbers were being displayed by 8681 nslookup. [RT #352] 8682 8683 500. [func] Nearly useless +details option removed from DiG. 8684 8685 499. [func] In DiG, specifying a class with -c or type with -t 8686 changes command-line parsing so that classes and 8687 types are only recognized if following -c or -t. 8688 This allows hosts with the same name as a class or 8689 type to be looked up. 8690 8691 498. [doc] There is now a man page for "dig" 8692 in doc/man/bin/dig.1. 8693 8694 497. [bug] The error messages printed when an IP match list 8695 contained a network address with a nonzero host 8696 part where not sufficiently detailed. [RT #365] 8697 8698 496. [bug] named didn't sanity check numeric parameters. [RT #361] 8699 8700 495. [bug] nsupdate was unable to handle large records. [RT #368] 8701 8702 494. [func] Do not cache NXDOMAIN responses for SOA queries. 8703 8704 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses 8705 for SOA queries. This makes it easier to locate 8706 the containing zone without polluting intermediate 8707 caches. 8708 8709 492. [bug] attempting to reload a zone caused the server fail 8710 to shutdown cleanly. [RT #360] 8711 8712 491. [bug] nsupdate would segfault when sending certain 8713 prerequisites with empty RDATA. [RT #356] 8714 8715 490. [func] When a slave/stub zone has not yet successfully 8716 obtained an SOA containing the zone's configured 8717 retry time, perform the SOA query retries using 8718 exponential backoff. [RT #337] 8719 8720 489. [func] The zone manager now has a "i/o" queue. 8721 8722 488. [bug] Locks weren't properly destroyed in some cases. 8723 8724 487. [port] flockfile() is not defined on all systems. 8725 8726 486. [bug] nslookup: "set all" and "server" commands showed 8727 the incorrect port number if a port other than 53 8728 was specified. [RT #352] 8729 8730 485. [func] When dig had more than one server to query, it would 8731 send all of the messages at the same time. Add 8732 rate limiting of the transmitted messages. 8733 8734 484. [bug] When the server was reloaded after removing addresses 8735 from the named.conf "listen-on" statement, sockets 8736 were still listening on the removed addresses due 8737 to reference count loops. [RT #325] 8738 8739 483. [bug] nslookup: "set all" showed a "search" option but it 8740 was not settable. 8741 8742 482. [bug] nslookup: a plain "server" or "lserver" should be 8743 treated as a lookup. 8744 8745 481. [bug] nslookup:get_next_command() stack size could exceed 8746 per thread limit. 8747 8748 480. [bug] strtok() is not thread safe. [RT #349] 8749 8750 479. [func] The test suite can now be run by typing "make check" 8751 or "make test" at the top level. 8752 8753 478. [bug] "make install" failed if the directory specified with 8754 --prefix did not already exist. 8755 8756 477. [bug] The the isc-config.sh script could be installed before 8757 its directory was created. [RT #324] 8758 8759 476. [bug] A zone could expire while a zone transfer was in 8760 progress triggering a INSIST failure. [RT #329] 8761 8762 475. [bug] query_getzonedb() sometimes returned a non-null version 8763 on failure. This caused assertion failures when 8764 generating query responses where names subject to 8765 additional section processing pointed to a zone 8766 to which access had been denied by means of the 8767 allow-query option. [RT #336] 8768 8769 474. [bug] The mnemonic of the CHAOS class is CH according to 8770 RFC1035, but it was printed and read only as CHAOS. 8771 We now accept both forms as input, and print it 8772 as CH. [RT #305] 8773 8774 473. [bug] nsupdate overran the end of the list of name servers 8775 when no servers could be reached, typically causing 8776 it to print the error message "dns_request_create: 8777 not implemented". 8778 8779 472. [bug] Off-by-one error caused isc_time_add() to sometimes 8780 produce invalid time values. 8781 8782 471. [bug] nsupdate didn't compile on HP/UX 10.20 8783 8784 470. [func] $GENERATE is now supported. See also 8785 doc/misc/migration. 8786 8787 469. [bug] "query-source address * port 53;" now works. 8788 8789 468. [bug] dns_master_load*() failed to report file and line 8790 number in certain error conditions. 8791 8792 467. [bug] dns_master_load*() failed to log an error if 8793 pushfile() failed. 8794 8795 466. [bug] dns_master_load*() could return success when it failed. 8796 8797 465. [cleanup] Allow 0 to be set as an omapi_value_t value by 8798 omapi_value_storeint(). 8799 8800 464. [cleanup] Build with openssl's RSA code instead of dnssafe. 8801 8802 463. [bug] nsupdate sent malformed SOA queries to the second 8803 and subsequent name servers in resolv.conf if the 8804 query sent to the first one failed. 8805 8806 462. [bug] --disable-ipv6 should work now. 8807 8808 461. [bug] Specifying an unknown key in the "keys" clause of the 8809 "controls" statement caused a NULL pointer dereference. 8810 [RT #316] 8811 8812 460. [bug] Much of the DNSSEC code only worked with class IN. 8813 8814 459. [bug] Nslookup processed the "set" command incorrectly. 8815 8816 458. [bug] Nslookup didn't properly check class and type values. 8817 [RT #305] 8818 8819 457. [bug] Dig/host/hslookup didn't properly handle connect 8820 timeouts in certain situations, causing an 8821 unnecessary warning message to be printed. 8822 8823 456. [bug] Stub zones were not resetting the refresh and expire 8824 counters, loadtime or clearing the DNS_ZONE_REFRESH 8825 (refresh in progress) flag upon successful update. 8826 This disabled further refreshing of the stub zone, 8827 causing it to eventually expire. [RT #300] 8828 8829 455. [doc] Document IPv4 prefix notation does not require a 8830 dotted decimal quad but may be just dotted decimal. 8831 8832 454. [bug] Enforce dotted decimal and dotted decimal quad where 8833 documented as such in named.conf. [RT #304, RT #311] 8834 8835 453. [bug] Warn if the obsolete option "maintain-ixfr-base" 8836 is specified in named.conf. [RT #306] 8837 8838 452. [bug] Warn if the unimplemented option "statistics-file" 8839 is specified in named.conf. [RT #301] 8840 8841 451. [func] Update forwarding implemented. 8842 8843 450. [func] New function ns_client_sendraw(). 8844 8845 449. [bug] isc_bitstring_copy() only works correctly if the 8846 two bitstrings have the same lsb0 value, but this 8847 requirement was not documented, nor was there a 8848 REQUIRE for it. 8849 8850 448. [bug] Host output formatting change, to match v8. [RT #255] 8851 8852 447. [bug] Dig didn't properly retry in TCP mode after 8853 a truncated reply. [RT #277] 8854 8855 446. [bug] Confusing notify log message. [RT #298] 8856 8857 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0 8858 bitstring triggered a REQUIRE statement. The REQUIRE 8859 statement was incorrect. [RT #297] 8860 8861 444. [func] "recursion denied" messages are always logged at 8862 debug level 1, now, rather than sometimes at ERROR. 8863 This silences these warnings in the usual case, where 8864 some clients set the RD bit in all queries. 8865 8866 443. [bug] When loading a master file failed because of an 8867 unrecognized RR type name, the error message 8868 did not include the file name and line number. 8869 [RT #285] 8870 8871 442. [bug] TSIG signed messages that did not match any view 8872 crashed the server. [RT #290] 8873 8874 441. [bug] Nodes obscured by a DNAME were inaccessible even 8875 when DNS_DBFIND_GLUEOK was set. 8876 8877 440. [func] New function dns_zone_forwardupdate(). 8878 8879 439. [func] New function dns_request_createraw(). 8880 8881 438. [func] New function dns_message_getrawmessage(). 8882 8883 437. [func] Log NOTIFY activity to the notify channel. 8884 8885 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH, 8886 which sometimes happens on Linux, named would enter 8887 a busy loop. Also, unexpected socket errors were 8888 not logged at a high enough logging level to be 8889 useful in diagnosing this situation. [RT #275] 8890 8891 435. [bug] dns_zone_dump() overwrote existing zone files 8892 rather than writing to a temporary file and 8893 renaming. This could lead to empty or partial 8894 zone files being left around in certain error 8895 conditions involving the initial transfer of a 8896 slave zone, interfering with subsequent server 8897 startup. [RT #282] 8898 8899 434. [func] New function isc_file_isabsolute(). 8900 8901 433. [func] isc_base64_decodestring() now accepts newlines 8902 within the base64 data. This makes it possible 8903 to break up the key data in a "trusted-keys" 8904 statement into multiple lines. [RT #284] 8905 8906 432. [func] Added refresh/retry jitter. The actual refresh/ 8907 retry time is now a random value between 75% and 8908 100% of the configured value. 8909 8910 431. [func] Log at ISC_LOG_INFO when a zone is successfully 8911 loaded. 8912 8913 430. [bug] Rewrote the lightweight resolver client management 8914 code to handle shutdown correctly and general 8915 cleanup. 8916 8917 429. [bug] The space reserved for a TSIG record in a response 8918 was 2 bytes too short, leading to message 8919 generation failures. 8920 8921 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned 8922 DNS_R_BADDB for nodes which had neither NXT nor SIG NXT 8923 (e.g. glue). This could cause SERVFAILs when 8924 generating negative responses in a secure zone. 8925 8926 427. [bug] Avoid going into an infinite loop when the validator 8927 gets a negative response to a key query where the 8928 records are signed by the missing key. 8929 8930 426. [bug] Attempting to generate an oversized RSA key could 8931 cause dnssec-keygen to dump core. 8932 8933 425. [bug] Warn about the auth-nxdomain default value change 8934 if there is no auth-nxdomain statement in the 8935 config file. [RT #287] 8936 8937 424. [bug] notify_createmessage() could trigger an assertion 8938 failure when creating the notify message failed, 8939 e.g. due to corrupt zones with multiple SOA records. 8940 [RT #279] 8941 8942 423. [bug] When responding to a recursive query, errors that occur 8943 after following a CNAME should cause the query to fail. 8944 [RT #274] 8945 8946 422. [func] get rid of isc_random_t, and make isc_random_get() 8947 and isc_random_jitter() use rand() internally 8948 instead of local state. Note that isc_random_*() 8949 functions are only for weak, non-critical "randomness" 8950 such as timing jitter and such. 8951 8952 421. [bug] nslookup would exit when given a blank line as input. 8953 8954 420. [bug] nslookup failed to implement the "exit" command. 8955 8956 419. [bug] The certificate type PKIX was misspelled as SKIX. 8957 8958 418. [bug] At debug levels >= 10, getting an unexpected 8959 socket receive error would crash the server 8960 while trying to log the error message. 8961 8962 417. [func] Add isc_app_block() and isc_app_unblock(), which 8963 allow an application to handle signals while 8964 blocking. 8965 8966 416. [bug] Slave zones with no master file tried to use a 8967 NULL pointer for a journal file name when they 8968 received an IXFR. [RT #273] 8969 8970 415. [bug] The logging code leaked file descriptors. 8971 8972 414. [bug] Server did not shut down until all incoming zone 8973 transfers were finished. 8974 8975 413. [bug] Notify could attempt to use the zone database after 8976 it had been unloaded. [RT#267] 8977 8978 412. [bug] named -v didn't print the version. 8979 8980 411. [bug] A typo in the HS A code caused an assertion failure. 8981 8982 410. [bug] lwres_gethostbyname() and company set lwres_h_errno 8983 to a random value on success. 8984 8985 409. [bug] If named was shut down early in the startup 8986 process, ns_omapi_shutdown() would attempt to lock 8987 an uninitialized mutex. [RT #262] 8988 8989 408. [bug] stub zones could leak memory and reference counts if 8990 all the masters were unreachable. 8991 8992 407. [bug] isc_rwlock_lock() would needlessly block 8993 readers when it reached the read quota even 8994 if no writers were waiting. 8995 8996 406. [bug] Log messages were occasionally lost or corrupted 8997 due to a race condition in isc_log_doit(). 8998 8999 405. [func] Add support for selective forwarding (forward zones) 9000 9001 404. [bug] The request library didn't completely work with IPv6. 9002 9003 403. [bug] "host" did not use the search list. 9004 9005 402. [bug] Treat undefined acls as errors, rather than 9006 warning and then later throwing an assertion. 9007 [RT #252] 9008 9009 401. [func] Added simple database API. 9010 9011 400. [bug] SIG(0) signing and verifying was done incorrectly. 9012 [RT #249] 9013 9014 399. [bug] When reloading the server with a config file 9015 containing a syntax error, it could catch an 9016 assertion failure trying to perform zone 9017 maintenance on, or sending notifies from, 9018 tentatively created zones whose views were 9019 never fully configured and lacked an address 9020 database and request manager. 9021 9022 398. [bug] "dig" sometimes caught an assertion failure when 9023 using TSIG, depending on the key length. 9024 9025 397. [func] Added utility functions dns_view_gettsig() and 9026 dns_view_getpeertsig(). 9027 9028 396. [doc] There is now a man page for "nsupdate" 9029 in doc/man/bin/nsupdate.8. 9030 9031 395. [bug] nslookup printed incorrect RR type mnemonics 9032 for RRs of type >= 21 [RT #237]. 9033 9034 394. [bug] Current name was not propagated via $INCLUDE. 9035 9036 393. [func] Initial answer while loading (awl) support. 9037 Entry points: dns_master_loadfileinc(), 9038 dns_master_loadstreaminc(), dns_master_loadbufferinc(). 9039 Note: calls to dns_master_load*inc() should be rate 9040 be rate limited so as to not use up all file 9041 descriptors. 9042 9043 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does 9044 not support the given address family requested. 9045 9046 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH. 9047 9048 390. [func] The function dns_zone_setdbtype() now takes 9049 an argc/argv style vector of words and sets 9050 both the zone database type and its arguments, 9051 making the functions dns_zone_adddbarg() 9052 and dns_zone_cleardbargs() unnecessary. 9053 9054 389. [bug] Attempting to send a request over IPv6 using 9055 dns_request_create() on a system without IPv6 9056 support caused an assertion failure [RT #235]. 9057 9058 388. [func] dig and host can now do reverse ipv6 lookups. 9059 9060 387. [func] Add dns_byaddr_createptrname(), which converts 9061 an address into the name used by a PTR query. 9062 9063 386. [bug] Missing strdup() of ACL name caused random 9064 ACL matching failures [RT #228]. 9065 9066 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(), 9067 and dns_zt_print(). 9068 9069 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead 9070 of 2147483647. 9071 9072 383. [func] When writing a master file, print the SOA and NS 9073 records (and their SIGs) before other records. 9074 9075 382. [bug] named -u failed on many Linux systems where the 9076 libc provided kernel headers do not match 9077 the current kernel. 9078 9079 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of 9080 IPV6_PKTINFO if found. [RT #229] 9081 9082 380. [bug] nsupdate didn't work with IPv6. 9083 9084 379. [func] New library function isc_sockaddr_anyofpf(). 9085 9086 378. [func] named and lwresd will log the command line arguments 9087 they were started with in the "starting ..." message. 9088 9089 377. [bug] When additional data lookups were refused due to 9090 "allow-query", the databases were still being 9091 attached causing reference leaks. 9092 9093 376. [bug] The server should always use good entropy when 9094 performing cryptographic functions needing entropy. 9095 9096 375. [bug] Per-zone "allow-query" did not properly override the 9097 view/global one for CNAME targets and additional 9098 data [RT #220]. 9099 9100 374. [bug] SOA in authoritative negative responses had wrong TTL. 9101 9102 373. [func] nslookup is now installed by "make install". 9103 9104 372. [bug] Deal with Microsoft DNS servers appending two bytes of 9105 garbage to zone transfer requests. 9106 9107 371. [bug] At high debug levels, doing an outgoing zone transfer 9108 of a very large RRset could cause an assertion failure 9109 during logging. 9110 9111 370. [bug] The error messages for roll-forward failures were 9112 overly terse. 9113 9114 369. [func] Support new named.conf options, view and zone 9115 statements: 9116 9117 max-retry-time, min-retry-time, 9118 max-refresh-time, min-refresh-time. 9119 9120 368. [func] Restructure the internal ".bind" view so that more 9121 zones can be added to it. 9122 9123 367. [bug] Allow proper selection of server on nslookup command 9124 line. 9125 9126 366. [func] Allow use of '-' batch file in dig for stdin. 9127 9128 365. [bug] nsupdate -k leaked memory. 9129 9130 364. [func] Added additional-from-{cache,auth} 9131 9132 363. [placeholder] 9133 9134 362. [bug] rndc no longer aborts if the configuration file is 9135 missing an options statement. [RT #209] 9136 9137 361. [func] When the RBT find or chain functions set the name and 9138 origin for a node that stores the root label 9139 the name is now set to an empty name, instead of ".", 9140 to simplify later use of the name and origin by 9141 dns_name_concatenate(), dns_name_totext() or 9142 dns_name_format(). 9143 9144 360. [func] dns_name_totext() and dns_name_format() now allow 9145 an empty name to be passed, which is formatted as "@". 9146 9147 359. [bug] dnssec-signzone occasionally signed glue records. 9148 9149 358. [cleanup] Rename the intermediate files used by the dnssec 9150 programs. 9151 9152 357. [bug] The zone file parser crashed if the argument 9153 to $INCLUDE was a quoted string. 9154 9155 356. [cleanup] isc_task_send no longer requires event->sender to 9156 be non-null. 9157 9158 355. [func] Added isc_dir_createunique(), similar to mkdtemp(). 9159 9160 354. [doc] Man pages for the dnssec tools are now included in 9161 the distribution, in doc/man/dnssec. 9162 9163 353. [bug] double increment in lwres/gethost.c:copytobuf(). 9164 [RT# 187] 9165 9166 352. [bug] Race condition in dns_client_t startup could cause 9167 an assertion failure. 9168 9169 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG 9170 signed query could crash the server. 9171 9172 350. [bug] Also-notify lists specified in the global options 9173 block were not correctly reference counted, causing 9174 a memory leak. 9175 9176 349. [bug] Processing a query with the CD bit set now works 9177 as expected. 9178 9179 348. [func] New boolean named.conf options 'additional-from-auth' 9180 and 'additional-from-cache' now supported in view and 9181 global options statement. 9182 9183 347. [bug] Don't crash if an argument is left off options in dig. 9184 9185 346. [placeholder] 9186 9187 345. [bug] Large-scale changes/cleanups to dig: 9188 * Significantly improve structure handling 9189 * Don't pre-load entire batch files 9190 * Add name/rr counting/limiting 9191 * Fix SIGINT handling 9192 * Shorten timeouts to match v8's behavior 9193 9194 344. [bug] When shutting down, lwresd sometimes tried 9195 to shut down its client tasks twice, 9196 triggering an assertion. 9197 9198 343. [bug] Although zone maintenance SOA queries and 9199 notify requests were signed with TSIG keys 9200 when configured for the server in case, 9201 the TSIG was not verified on the response. 9202 9203 342. [bug] The wrong name was being passed to 9204 dns_name_dup() when generating a TSIG 9205 key using TKEY. 9206 9207 341. [func] Support 'key' clause in named.conf zone masters 9208 statement to allow authentication via TSIG keys: 9209 9210 masters { 9211 10.0.0.1 port 5353 key "foo"; 9212 10.0.0.2 ; 9213 }; 9214 9215 340. [bug] The top-level COPYRIGHT file was missing from 9216 the distribution. 9217 9218 339. [bug] DNSSEC validation of the response to an ANY 9219 query at a name with a CNAME RR in a secure 9220 zone triggered an assertion failure. 9221 9222 338. [bug] lwresd logged to syslog as named, not lwresd. 9223 9224 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type 9225 on the command line. 9226 9227 336. [bug] "dig -f" used 64 k of memory for each line in 9228 the file. It now uses much less, though still 9229 proportionally to the file size. 9230 9231 335. [bug] named would occasionally attempt recursion when 9232 it was disallowed or undesired. 9233 9234 334. [func] Added hmac-md5 to libisc. 9235 9236 333. [bug] The resolver incorrectly accepted referrals to 9237 domains that were not parents of the query name, 9238 causing assertion failures. 9239 9240 332. [func] New function dns_name_reset(). 9241 9242 331. [bug] Only log "recursion denied" if RD is set. [RT #178] 9243 9244 330. [bug] Many debugging messages were partially formatted 9245 even when debugging was turned off, causing a 9246 significant decrease in query performance. 9247 9248 329. [func] omapi_auth_register() now takes a size_t argument for 9249 the length of a key's secret data. Previously 9250 OMAPI only stored secrets up to the first NUL byte. 9251 9252 328. [func] Added isc_base64_decodestring(). 9253 9254 327. [bug] rndc.conf parser wasn't correctly recognizing an IP 9255 address where a host specification was required. 9256 9257 326. [func] 'keys' in an 'inet' control statement is now 9258 required and must have at least one item in it. 9259 A "not supported" warning is now issued if a 'unix' 9260 control channel is defined. 9261 9262 325. [bug] isc_lex_gettoken was processing octal strings when 9263 ISC_LEXOPT_CNUMBER was not set. 9264 9265 324. [func] In the resolver, turn EDNS0 off if there is no 9266 response after a number of retransmissions. 9267 This is to allow queries some chance of succeeding 9268 even if all the authoritative servers of a zone 9269 silently discard EDNS0 requests instead of 9270 sending an error response like they ought to. 9271 9272 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes. 9273 Because of this, servers authoritative for a parent 9274 and grandchild zone but not authoritative for the 9275 intervening child zone did not correctly issue 9276 referrals to the servers of the child zone. 9277 9278 322. [bug] Queries for KEY RRs are now sent to the parent 9279 server before the authoritative one, making 9280 DNSSEC insecurity proofs work in many cases 9281 where they previously didn't. 9282 9283 321. [bug] When synthesizing a CNAME RR for a DNAME 9284 response, query_addcname() failed to initialize 9285 the type and class of the CNAME dns_rdata_t, 9286 causing random failures. 9287 9288 320. [func] Multiple rndc changes: parses an rndc.conf file, 9289 uses authentication to talk to named, command 9290 line syntax changed. This will all be described 9291 in the ARM. 9292 9293 319. [func] The named.conf "controls" statement is now used 9294 to configure the OMAPI command channel. 9295 9296 318. [func] dns_c_ndcctx_destroy() could never return anything 9297 except ISC_R_SUCCESS; made it have void return instead. 9298 9299 317. [func] Use callbacks from libomapi to determine if a 9300 new connection is valid, and if a key requested 9301 to be used with that connection is valid. 9302 9303 316. [bug] Generate a warning if we detect an unexpected <eof> 9304 but treat as <eol><eof>. 9305 9306 315. [bug] Handle non-empty blanks lines. [RT #163] 9307 9308 314. [func] The named.conf controls statement can now have 9309 more than one key specified for the inet clause. 9310 9311 313. [bug] When parsing resolv.conf, don't terminate on an 9312 error. Instead, parse as much as possible, but 9313 still return an error if one was found. 9314 9315 312. [bug] Increase the number of allowed elements in the 9316 resolv.conf search path from 6 to 8. If there 9317 are more than this, ignore the remainder rather 9318 than returning a failure in lwres_conf_parse. 9319 9320 311. [bug] lwres_conf_parse failed when the first line of 9321 resolv.conf was empty or a comment. 9322 9323 310. [func] Changes to named.conf "controls" statement (inet 9324 subtype only) 9325 9326 - support "keys" clause 9327 9328 controls { 9329 inet * port 1024 9330 allow { any; } keys { "foo"; } 9331 } 9332 9333 - allow "port xxx" to be left out of statement, 9334 in which case it defaults to omapi's default port 9335 of 953. 9336 9337 309. [bug] When sending a referral, the server did not look 9338 for name server addresses as glue in the zone 9339 holding the NS RRset in the case where this zone 9340 was not the same as the one where it looked for 9341 name server addresses as authoritative data. 9342 9343 308. [bug] Treat a SOA record not at top of zone as an error 9344 when loading a zone. [RT #154] 9345 9346 307. [bug] When canceling a query, the resolver didn't check for 9347 isc_socket_sendto() calls that did not yet have their 9348 completion events posted, so it could (rarely) end up 9349 destroying the query context and then want to use 9350 it again when the send event posted, triggering an 9351 assertion as it tried to cancel an already-canceled 9352 query. [RT #77] 9353 9354 306. [bug] Reading HMAC-MD5 private key files didn't work. 9355 9356 305. [bug] When reloading the server with a config file 9357 containing a syntax error, it could catch an 9358 assertion failure trying to perform zone 9359 maintenance on tentatively created zones whose 9360 views were never fully configured and lacked 9361 an address database. 9362 9363 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers 9364 are listed in resolv.conf, silently ignore them 9365 instead of returning failure. 9366 9367 303. [bug] Add additional sanity checks to differentiate a AXFR 9368 response vs a IXFR response. [RT #157] 9369 9370 302. [bug] In dig, host, and nslookup, MXNAME should be large 9371 enough to hold any legal domain name in presentation 9372 format + terminating NULL. 9373 9374 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159] 9375 9376 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work 9377 on platforms lacking IPv6 because each included their 9378 own ipv6 header file for the missing definitions. Now 9379 each library's ipv6.h defines the wrapper symbol of 9380 the other (ISC_IPV6_H and LWRES_IPV6_H). 9381 9382 299. [cleanup] Get the user and group information before changing the 9383 root directory, so the administrator does not need to 9384 keep a copy of the user and group databases in the 9385 chroot'ed environment. Suggested by Hakan Olsson. 9386 9387 298. [bug] A mutex deadlock occurred during shutdown of the 9388 interface manager under certain conditions. 9389 Digital Unix systems were the most affected. 9390 9391 297. [bug] Specifying a key name that wasn't fully qualified 9392 in certain parts of the config file could cause 9393 an assertion failure. 9394 9395 296. [bug] "make install" from a separate build directory 9396 failed unless configure had been run in the source 9397 directory, too. 9398 9399 295. [bug] When invoked with type==CNAME and a message 9400 not constructed by dns_message_parse(), 9401 dns_message_findname() failed to find anything 9402 due to checking for attribute bits that are set 9403 only in dns_message_parse(). This caused an 9404 infinite loop when constructing the response to 9405 an ANY query at a CNAME in a secure zone. 9406 9407 294. [bug] If we run out of space in while processing glue 9408 when reading a master file and commit "current name" 9409 reverts to "name_current" instead of staying as 9410 "name_glue". 9411 9412 293. [port] Add support for FreeBSD 4.0 system tests. 9413 9414 292. [bug] Due to problems with the way some operating systems 9415 handle simultaneous listening on IPv4 and IPv6 9416 addresses, the server no longer listens on IPv6 9417 addresses by default. To revert to the previous 9418 behavior, specify "listen-on-v6 { any; };" in 9419 the config file. 9420 9421 291. [func] Caching servers no longer send outgoing queries 9422 over TCP just because the incoming recursive query 9423 was a TCP one. 9424 9425 290. [cleanup] +twiddle option to dig (for testing only) removed. 9426 9427 289. [cleanup] dig is now installed in $bindir instead of $sbindir. 9428 host is now installed in $bindir. (Be sure to remove 9429 any $sbindir/dig from a previous release.) 9430 9431 288. [func] rndc is now installed by "make install" into $sbindir. 9432 9433 287. [bug] rndc now works again as "rndc 127.1 reload" (for 9434 only that task). Parsing its configuration file and 9435 using digital signatures for authentication has been 9436 disabled until named supports the "controls" statement, 9437 post-9.0.0. 9438 9439 286. [bug] On Solaris 2, when named inherited a signal state 9440 where SIGHUP had the SIG_IGN action, SIGHUP would 9441 be ignored rather than causing the server to reload 9442 its configuration. 9443 9444 285. [bug] A change made to the dst API for beta4 inadvertently 9445 broke OMAPI's creation of a dst key from an incoming 9446 message, causing an assertion to be triggered. Fixed. 9447 9448 284. [func] The DNSSEC key generation and signing tools now 9449 generate randomness from keyboard input on systems 9450 that lack /dev/random. 9451 9452 283. [cleanup] The 'lwresd' program is now a link to 'named'. 9453 9454 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is 9455 too big for an unsigned long. 9456 9457 281. [bug] Fixed list of recognized config file category names. 9458 9459 280. [func] Add isc-config.sh, which can be used to more 9460 easily build applications that link with 9461 our libraries. 9462 9463 279. [bug] Private omapi function symbols shared between 9464 two or more files in libomapi.a were not namespace 9465 protected using the ISC convention of starting with 9466 the library name and two underscores ("omapi__"...) 9467 9468 278. [bug] bin/named/logconf.c:category_fromconf() didn't take 9469 note of when isc_log_categorybyname() wasn't able 9470 to find the category name and would then apply the 9471 channel list of the unknown category to all categories. 9472 9473 277. [bug] isc_log_categorybyname() and isc_log_modulebyname() 9474 would fail to find the first member of any category 9475 or module array apart from the internal defaults. 9476 Thus, for example, the "notify" category was improperly 9477 configured by named. 9478 9479 276. [bug] dig now supports maximum sized TCP messages. 9480 9481 275. [bug] The definition of lwres_gai_strerror() was missing 9482 the lwres_ prefix. 9483 9484 274. [bug] TSIG AXFR verify failed when talking to a BIND 8 9485 server. 9486 9487 273. [func] The default for the 'transfer-format' option is 9488 now 'many-answers'. This will break zone transfers 9489 to BIND 4.9.5 and older unless there is an explicit 9490 'one-answer' configuration. 9491 9492 272. [bug] The sending of large TCP responses was canceled 9493 in mid-transmission due to a race condition 9494 caused by the failure to set the client object's 9495 "newstate" variable correctly when transitioning 9496 to the "working" state. 9497 9498 271. [func] Attempt to probe the number of cpus in named 9499 if unspecified rather than defaulting to 1. 9500 9501 270. [func] Allow maximum sized TCP answers. 9502 9503 269. [bug] Failed DNSSEC validations could cause an assertion 9504 failure by causing clone_results() to be called with 9505 with hevent->node == NULL. 9506 9507 268. [doc] A plain text version of the Administrator 9508 Reference Manual is now included in the distribution, 9509 as doc/arm/Bv9ARM.txt. 9510 9511 267. [func] Nsupdate is now provided in the distribution. 9512 9513 266. [bug] zone.c:save_nsrrset() node was not initialized. 9514 9515 265. [bug] dns_request_create() now works for TCP. 9516 9517 264. [func] Dispatch can not take TCP sockets in connecting 9518 state. Set DNS_DISPATCHATTR_CONNECTED when calling 9519 dns_dispatch_createtcp() for connected TCP sockets 9520 or call dns_dispatch_starttcp() when the socket is 9521 connected. 9522 9523 263. [func] New logging channel type 'stderr' 9524 9525 channel some-name { 9526 stderr; 9527 severity error; 9528 } 9529 9530 262. [bug] 'master' was not initialized in zone.c:stub_callback(). 9531 9532 261. [func] Add dns_zone_markdirty(). 9533 9534 260. [bug] Running named as a non-root user failed on Linux 9535 kernels new enough to support retaining capabilities 9536 after setuid(). 9537 9538 259. [func] New random-device and random-seed-file statements 9539 for global options block of named.conf. Both accept 9540 a single string argument. 9541 9542 258. [bug] Fixed printing of lwres_addr_t.address field. 9543 9544 257. [bug] The server detached the last zone manager reference 9545 too early, while it could still be in use by queries. 9546 This manifested itself as assertion failures during the 9547 shutdown process for busy name servers. [RT #133] 9548 9549 256. [func] isc_ratelimiter_t now has attach/detach semantics, and 9550 isc_ratelimiter_shutdown guarantees that the rate 9551 limiter is detached from its task. 9552 9553 255. [func] New function dns_zonemgr_attach(). 9554 9555 254. [bug] Suppress "query denied" messages on additional data 9556 lookups. 9557 9558 --- 9.0.0b4 released --- 9559 9560 253. [func] resolv.conf parser now recognizes ';' and '#' as 9561 comments (anywhere in line, not just as the beginning). 9562 9563 252. [bug] resolv.conf parser mishandled masks on sortlists. 9564 It also aborted when an unrecognized keyword was seen, 9565 now it silently ignores the entire line. 9566 9567 251. [bug] lwresd caught an assertion failure on startup. 9568 9569 250. [bug] fixed handling of size+unit when value would be too 9570 large for internal representation. 9571 9572 249. [cleanup] max-cache-size config option now takes a size-spec 9573 like 'datasize', except 'default' is not allowed. 9574 9575 248. [bug] global lame-ttl option was not being printed when 9576 config structures were written out. 9577 9578 247. [cleanup] Rename cache-size config option to max-cache-size. 9579 9580 246. [func] Rename global option cachesize to cache-size and 9581 add corresponding option to view statement. 9582 9583 245. [bug] If an uncompressed name will take more than 255 9584 bytes and the buffer is sufficiently long, 9585 dns_name_fromwire should return DNS_R_FORMERR, 9586 not ISC_R_NOSPACE. This bug caused cause the 9587 server to catch an assertion failure when it 9588 received a query for a name longer than 255 9589 bytes. 9590 9591 244. [bug] empty named.conf file and empty options statement are 9592 now parsed properly. 9593 9594 243. [func] new cachesize option for named.conf 9595 9596 242. [cleanup] fixed incorrect warning about auth-nxdomain usage. 9597 9598 241. [cleanup] nscount and soacount have been removed from the 9599 dns_master_*() argument lists. 9600 9601 240. [func] databases now come in three flavours: zone, cache 9602 and stub. 9603 9604 239. [func] If ISC_MEM_DEBUG is enabled, the variable 9605 isc_mem_debugging controls whether messages 9606 are printed or not. 9607 9608 238. [cleanup] A few more compilation warnings have been quieted: 9609 + missing sigwait prototype on BSD/OS 4.0/4.0.1. 9610 + PTHREAD_ONCE_INIT unbraced initializer warnings on 9611 Solaris 2.8. 9612 + IN6ADDR_ANY_INIT unbraced initializer warnings on 9613 BSD/OS 4.*, Linux and Solaris 2.8. 9614 9615 237. [bug] If connect() returned ENOBUFS when the resolver was 9616 initiating a TCP query, the socket didn't get 9617 destroyed, and the server did not shut down cleanly. 9618 9619 236. [func] Added new listen-on-v6 config file statement. 9620 9621 235. [func] Consider it a config file error if a listen-on 9622 statement has an IPv6 address in it, or a 9623 listen-on-v6 statement has an IPv4 address in it. 9624 9625 234. [bug] Allow a trusted-key's first field (domain-name) be 9626 either a quoted or an unquoted string, instead of 9627 requiring a quoted string. 9628 9629 233. [cleanup] Convert all config structure integer values to unsigned 9630 integer (isc_uint32_t) to match grammar. 9631 9632 232. [bug] Allow slave zones to not have a file. 9633 9634 231. [func] Support new 'port' clause in config file options 9635 section. Causes 'listen-on', 'masters' and 9636 'also-notify' statements to use its value instead of 9637 default (53). 9638 9639 230. [func] Replace the dst sign/verify API with a cleaner one. 9640 9641 229. [func] Support config file sig-validity-interval statement 9642 in options, views and zone statements (master 9643 zones only). 9644 9645 228. [cleanup] Logging messages in config module stripped of 9646 trailing period. 9647 9648 227. [cleanup] The enumerated identifiers dns_rdataclass_*, 9649 dns_rcode_*, dns_opcode_*, and dns_trust_* are 9650 also now cast to their appropriate types, as with 9651 dns_rdatatype_* in item number 225 below. 9652 9653 226. [func] dns_name_totext() now always prints the root name as 9654 '.', even when omit_final_dot is true. 9655 9656 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now 9657 cast to dns_rdatatype_t via macros of their same name 9658 so that they are of the proper integral type wherever 9659 a dns_rdatatype_t is needed. 9660 9661 224. [cleanup] The entire project builds cleanly with gcc's 9662 -Wcast-qual and -Wwrite-strings warnings enabled, 9663 which is now the default when using gcc. (Warnings 9664 from confparser.c, because of yacc's code, are 9665 unfortunately to be expected.) 9666 9667 223. [func] Several functions were re-prototyped to qualify one 9668 or more of their arguments with "const". Similarly, 9669 several functions that return pointers now have 9670 those pointers qualified with const. 9671 9672 222. [bug] The global 'also-notify' option was ignored. 9673 9674 221. [bug] An uninitialized variable was sometimes passed to 9675 dns_rdata_freestruct() when loading a zone, causing 9676 an assertion failure. 9677 9678 220. [cleanup] Set the default outgoing port in the view, and 9679 set it in sockaddrs returned from the ADB. 9680 [31-May-2000 explorer] 9681 9682 219. [bug] Signed truncated messages more correctly follow 9683 the respective specs. 9684 9685 218. [func] When an rdataset is signed, its ttl is normalized 9686 based on the signature validity period. 9687 9688 217. [func] Also-notify and trusted-keys can now be used in 9689 the 'view' statement. 9690 9691 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options 9692 now work. 9693 9694 215. [bug] Failures at certain points in request processing 9695 could cause the assertion INSIST(client->lockview 9696 == NULL) to be triggered. 9697 9698 214. [func] New public function isc_netaddr_format(), for 9699 formatting network addresses in log messages. 9700 9701 213. [bug] Don't leak memory when reloading the zone if 9702 an update-policy clause was present in the old zone. 9703 9704 212. [func] Added dns_message_get/settsigkey, to make TSIG 9705 key management reasonable. 9706 9707 211. [func] The 'key' and 'server' statements can now occur 9708 inside 'view' statements. 9709 9710 210. [bug] The 'allow-transfer' option was ignored for slave 9711 zones, and the 'transfers-per-ns' option was 9712 was ignored for all zones. 9713 9714 209. [cleanup] Upgraded openssl files to new version 0.9.5a 9715 9716 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value 9717 of an isc_offset_t. 9718 9719 207. [func] The dnssec tools properly use the logging subsystem. 9720 9721 206. [cleanup] dst now stores the key name as a dns_name_t, not 9722 a char *. 9723 9724 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692 9725 ("prototyped function redeclared without prototype") 9726 and 1552 ("variable ... set but not used") when 9727 compiling in the lib/dns/sec/{dnssafe,openssl} 9728 directories, which contain code imported from outside 9729 sources. 9730 9731 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker 9732 to quiet the warnings that "The linked output may not 9733 run on a PA 1.x system." 9734 9735 203. [func] notify and zone soa queries are now tsig signed when 9736 appropriate. 9737 9738 202. [func] isc_lex_getsourceline() changed from returning int 9739 to returning unsigned long, the type of its underlying 9740 counter. 9741 9742 201. [cleanup] Removed the test/sdig program, it has been 9743 replaced by bin/dig/dig. 9744 9745 --- 9.0.0b3 released --- 9746 9747 200. [bug] Failures in sending query responses to clients 9748 (e.g., running out of network buffers) were 9749 not logged. 9750 9751 199. [bug] isc_heap_delete() sometimes violated the heap 9752 invariant, causing timer events not to be posted 9753 when due. 9754 9755 198. [func] Dispatch managers hold memory pools which 9756 any managed dispatcher may use. This allows 9757 us to avoid dipping into the memory context for 9758 most allocations. [19-May-2000 explorer] 9759 9760 197. [bug] When an incoming AXFR or IXFR completes, the 9761 zone's internal state is refreshed from the 9762 SOA data. [19-May-2000 explorer] 9763 9764 196. [func] Dispatchers can be shared easily between views 9765 and/or interfaces. [19-May-2000 explorer] 9766 9767 195. [bug] Including the NXT record of the root domain 9768 in a negative response caused an assertion 9769 failure. 9770 9771 194. [doc] The PDF version of the Administrator's Reference 9772 Manual is no longer included in the ISC BIND9 9773 distribution. 9774 9775 193. [func] changed dst_key_free() prototype. 9776 9777 192. [bug] Zone configuration validation is now done at end 9778 of config file parsing, and before loading 9779 callbacks. 9780 9781 191. [func] Patched to compile on UnixWare 7.x. This platform 9782 is not directly supported by the ISC. 9783 9784 190. [cleanup] The DNSSEC tools have been moved to a separate 9785 directory dnssec/ and given the following new, 9786 more descriptive names: 9787 9788 dnssec-keygen 9789 dnssec-signzone 9790 dnssec-signkey 9791 dnssec-makekeyset 9792 9793 Their command line arguments have also been changed to 9794 be more consistent. dnssec-keygen now prints the 9795 name of the generated key files (sans extension) 9796 on standard output to simplify its use in automated 9797 scripts. 9798 9799 189. [func] isc_time_secondsastimet(), a new function, will ensure 9800 that the number of seconds in an isc_time_t does not 9801 exceed the range of a time_t, or return ISC_R_RANGE. 9802 Similarly, isc_time_now(), isc_time_nowplusinterval(), 9803 isc_time_add() and isc_time_subtract() now check the 9804 range for overflow/underflow. In the case of 9805 isc_time_subtract, this changed a calling requirement 9806 (ie, something that could generate an assertion) 9807 into merely a condition that returns an error result. 9808 isc_time_add() and isc_time_subtract() were void- 9809 valued before but now return isc_result_t. 9810 9811 188. [func] Log a warning message when an incoming zone transfer 9812 contains out-of-zone data. 9813 9814 187. [func] isc_ratelimiter_enqueue() has an additional argument 9815 'task'. 9816 9817 186. [func] dns_request_getresponse() has an additional argument 9818 'preserve_order'. 9819 9820 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several 9821 public functions did not have an isc__ prefix, and 9822 referred to functions that had previously been 9823 renamed. 9824 9825 184. [cleanup] Variables/functions which began with two leading 9826 underscores were made to conform to the ANSI/ISO 9827 standard, which says that such names are reserved. 9828 9829 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful 9830 for logging the program name or other identifier. 9831 9832 182. [cleanup] New command-line parameters for dnssec tools 9833 9834 181. [func] Added dst_key_buildfilename and dst_key_parsefilename 9835 9836 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE. 9837 9838 179. [func] options named.conf statement *must* now come 9839 before any zone or view statements. 9840 9841 178. [func] Post-load of named.conf check verifies a slave zone 9842 has non-empty list of masters defined. 9843 9844 177. [func] New per-zone boolean: 9845 9846 enable-zone yes | no ; 9847 9848 intended to let a zone be disabled without having 9849 to comment out the entire zone statement. 9850 9851 176. [func] New global and per-view option: 9852 9853 max-cache-ttl number 9854 9855 175. [func] New global and per-view option: 9856 9857 additional-data internal | minimal | maximal; 9858 9859 174. [func] New public function isc_sockaddr_format(), for 9860 formatting socket addresses in log messages. 9861 9862 173. [func] Keep a queue of zones waiting for zone transfer 9863 quota so that a new transfer can be dispatched 9864 immediately whenever quota becomes available. 9865 9866 172. [bug] $TTL directive was sometimes missing from dumped 9867 master files because totext_ctx_init() failed to 9868 initialize ctx->current_ttl_valid. 9869 9870 171. [cleanup] On NetBSD systems, the mit-pthreads or 9871 unproven-pthreads library is now always used 9872 unless --with-ptl2 is explicitly specified on 9873 the configure command line. The 9874 --with-mit-pthreads option is no longer needed 9875 and has been removed. 9876 9877 170. [cleanup] Remove inter server consistency checks from zone, 9878 these should return as a separate module in 9.1. 9879 dns_zone_checkservers(), dns_zone_checkparents(), 9880 dns_zone_checkchildren(), dns_zone_checkglue(). 9881 9882 Remove dns_zone_setadb(), dns_zone_setresolver(), 9883 dns_zone_setrequestmgr() these should now be found 9884 via the view. 9885 9886 169. [func] ratelimiter can now process N events per interval. 9887 9888 168. [bug] include statements in named.conf caused syntax errors 9889 due to not consuming the semicolon ending the include 9890 statement before switching input streams. 9891 9892 167. [bug] Make lack of masters for a slave zone a soft error. 9893 9894 166. [bug] Keygen was overwriting existing keys if key_id 9895 conflicted, now it will retry, and non-null keys 9896 with key_id == 0 are not generated anymore. Key 9897 was not able to generate NOAUTHCONF DSA key, 9898 increased RSA key size to 2048 bits. 9899 9900 165. [cleanup] Silence "end-of-loop condition not reached" warnings 9901 from Solaris compiler. 9902 9903 164. [func] Added functions isc_stdio_open(), isc_stdio_close(), 9904 isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(), 9905 isc_stdio_flush(), isc_stdio_sync(), isc_file_remove() 9906 to encapsulate nonportable usage of errno and sync. 9907 9908 163. [func] Added result codes ISC_R_FILENOTFOUND and 9909 ISC_R_FILEEXISTS. 9910 9911 162. [bug] Ensure proper range for arguments to ctype.h functions. 9912 9913 161. [cleanup] error in yyparse prototype that only HPUX caught. 9914 9915 160. [cleanup] getnet*() are not going to be implemented at this 9916 stage. 9917 9918 159. [func] Redefinition of config file elements is now an 9919 error (instead of a warning). 9920 9921 158. [bug] Log channel and category list copy routines 9922 weren't assigning properly to output parameter. 9923 9924 157. [port] Fix missing prototype for getopt(). 9925 9926 156. [func] Support new 'database' statement in zone. 9927 9928 database "quoted-string"; 9929 9930 155. [bug] ns_notify_start() was not detaching the found zone. 9931 9932 154. [func] The signer now logs libdns warnings to stderr even when 9933 not verbose, and in a nicer format. 9934 9935 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx' 9936 is NULL then you need to preserve the 'rdata' until 9937 you have finished using the structure as there may be 9938 references to the associated memory. If 'mctx' is 9939 non-NULL it is guaranteed that there are no references 9940 to memory associated with 'rdata'. 9941 9942 dns_rdata_freestruct() must be called if 'mctx' was 9943 non-NULL and may safely be called if 'mctx' was NULL. 9944 9945 152. [bug] keygen dumped core if domain name argument was omitted 9946 from command line. 9947 9948 151. [func] Support 'disabled' statement in zone config (causes 9949 zone to be parsed and then ignored). Currently must 9950 come after the 'type' clause. 9951 9952 150. [func] Support optional ports in masters and also-notify 9953 statements: 9954 9955 masters [ port xxx ] { y.y.y.y [ port zzz ] ; } 9956 9957 149. [cleanup] Removed unused argument 'olist' from 9958 dns_c_view_unsetordering(). 9959 9960 148. [cleanup] Stop issuing some warnings about some configuration 9961 file statements that were not implemented, but now are. 9962 9963 147. [bug] Changed yacc union size to be smaller for yaccs that 9964 put yacc-stack on the real stack. 9965 9966 146. [cleanup] More general redundant header file cleanup. Rather 9967 than continuing to itemize every header which changed, 9968 this changelog entry just notes that if a header file 9969 did not need another header file that it was including 9970 in order to provide its advertised functionality, the 9971 inclusion of the other header file was removed. See 9972 util/check-includes for how this was tested. 9973 9974 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/ 9975 ISC_LANG_ENDDECLS to header files that had function 9976 prototypes, and removed it from those that did not. 9977 9978 144. [cleanup] libdns header files too numerous to name were made 9979 to conform to the same style for multiple inclusion 9980 protection. 9981 9982 143. [func] Added function dns_rdatatype_isknown(). 9983 9984 142. [cleanup] <isc/stdtime.h> does not need <time.h> or 9985 <isc/result.h>. 9986 9987 141. [bug] Corrupt requests with multiple questions could 9988 cause an assertion failure. 9989 9990 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>. 9991 9992 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of 9993 <isc/int.h> and <isc/result.h>. 9994 9995 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and 9996 renamed isc_string_touint64. isc_strsep moved from 9997 strsep.c to string.c and renamed isc_string_separate. 9998 9999 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h> 10000 <isc/serial.h>, <isc/string.h> and <isc/offset.h> 10001 made to conform to the same style for multiple 10002 inclusion protection. 10003 10004 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>, 10005 <isc/net.h> and Win32's <isc/thread.h> needed 10006 ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS. 10007 10008 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h> 10009 or <isc/boolean.h>, now uses <isc/types.h> in place 10010 of <isc/time.h>, and needed ISC_LANG_BEGINDECLS 10011 and ISC_LANG_ENDDECLS. 10012 10013 134. [cleanup] <isc/dir.h> does not need <limits.h>. 10014 10015 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>. 10016 10017 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does 10018 need <isc/eventclass.h>. 10019 10020 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h> 10021 for ISC_R_* codes used in macros. 10022 10023 130. [cleanup] <isc/condition.h> does not need <pthread.h> or 10024 <isc/boolean.h>, and now includes <isc/types.h> 10025 instead of <isc/time.h>. 10026 10027 129. [bug] The 'default_debug' log channel was not set up when 10028 'category default' was present in the config file 10029 10030 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of 10031 ISC_LANG_ENDDECLS at end of header. 10032 10033 127. [cleanup] The contracts for the comparison routines 10034 dns_name_fullcompare(), dns_name_compare(), 10035 dns_name_rdatacompare(), and dns_rdata_compare() now 10036 specify that the order value returned is < 0, 0, or > 0 10037 instead of -1, 0, or 1. 10038 10039 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>. 10040 10041 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>, 10042 <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and 10043 <isc/resultclass.h> do not need <isc/lang.h>. 10044 10045 124. [func] signer now imports parent's zone key signature 10046 and creates null keys/sets zone status bit for 10047 children when necessary 10048 10049 123. [cleanup] <isc/event.h> does not need <stddef.h>. 10050 10051 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or 10052 <isc/result.h>. 10053 10054 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or 10055 <isc/result.h>. Multiple inclusion protection 10056 symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H. 10057 isc_symtab_t moved to <isc/types.h>. 10058 10059 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>, 10060 <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or 10061 <isc/net.h>. 10062 10063 119. [cleanup] structure definitions for generic rdata structures do 10064 not have _generic_ in their names. 10065 10066 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting 10067 YACC crust (yyparse, etc) [2000-apr-27 explorer] 10068 10069 117. [cleanup] libdns.a changes: 10070 dns_zone_clearnotify() and dns_zone_addnotify() 10071 are replaced by dns_zone_setnotifyalso(). 10072 dns_zone_clearmasters() and dns_zone_addmaster() 10073 are replaced by dns_zone_setmasters(). 10074 10075 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t 10076 on Unix systems). 10077 10078 115. [port] Shut up the -Wmissing-declarations warning about 10079 <stdio.h>'s __sputaux on BSD/OS pre-4.1. 10080 10081 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or 10082 <isc/list.h>. 10083 10084 113. [func] Utility programs dig and host added. 10085 10086 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>. 10087 10088 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or 10089 <isc/mutex.h>. 10090 10091 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or 10092 <isc/list.h>. 10093 10094 109. [bug] "make depend" did nothing for 10095 bin/tests/{db,mem,sockaddr,tasks,timers}/. 10096 10097 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from 10098 <dns/types.h> to <dns/bit.h> and renamed to 10099 DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR. 10100 10101 107. [func] Add keysigner and keysettool. 10102 10103 106. [func] Allow dnssec verifications to ignore the validity 10104 period. Used by several of the dnssec tools. 10105 10106 105. [doc] doc/dev/coding.html expanded with other 10107 implicit conventions the developers have used. 10108 10109 104. [bug] Made compress_add and compress_find static to 10110 lib/dns/compress.c. 10111 10112 103. [func] libisc buffer API changes for <isc/buffer.h>: 10113 Added: 10114 isc_buffer_base(b) (pointer) 10115 isc_buffer_current(b) (pointer) 10116 isc_buffer_active(b) (pointer) 10117 isc_buffer_used(b) (pointer) 10118 isc_buffer_length(b) (int) 10119 isc_buffer_usedlength(b) (int) 10120 isc_buffer_consumedlength(b) (int) 10121 isc_buffer_remaininglength(b) (int) 10122 isc_buffer_activelength(b) (int) 10123 isc_buffer_availablelength(b) (int) 10124 Removed: 10125 ISC_BUFFER_USEDCOUNT(b) 10126 ISC_BUFFER_AVAILABLECOUNT(b) 10127 isc_buffer_type(b) 10128 Changed names: 10129 isc_buffer_used(b, r) -> 10130 isc_buffer_usedregion(b, r) 10131 isc_buffer_available(b, r) -> 10132 isc_buffer_available_region(b, r) 10133 isc_buffer_consumed(b, r) -> 10134 isc_buffer_consumedregion(b, r) 10135 isc_buffer_active(b, r) -> 10136 isc_buffer_activeregion(b, r) 10137 isc_buffer_remaining(b, r) -> 10138 isc_buffer_remainingregion(b, r) 10139 10140 Buffer types were removed, so the ISC_BUFFERTYPE_* 10141 macros are no more, and the type argument to 10142 isc_buffer_init and isc_buffer_allocate were removed. 10143 isc_buffer_putstr is now void (instead of isc_result_t) 10144 and requires that the caller ensure that there 10145 is enough available buffer space for the string. 10146 10147 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop 10148 on BSD/OS 4.1. 10149 10150 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c. 10151 10152 100. [cleanup] <isc/random.h> does not need <isc/int.h> or 10153 <isc/mutex.h>. isc_random_t moved to <isc/types.h>. 10154 10155 99. [cleanup] Rate limiter now has separate shutdown() and 10156 destroy() functions, and it guarantees that all 10157 queued events are delivered even in the shutdown case. 10158 10159 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h> 10160 unless ISC_PLATFORM_NEEDVSNPRINTF is defined. 10161 10162 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or 10163 <isc/event.h>. 10164 10165 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>. 10166 10167 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>. 10168 10169 94. [cleanup] Some installed header files did not compile as C++. 10170 10171 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>. 10172 10173 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>, 10174 or <isc/result.h>. 10175 10176 91. [cleanup] <isc/log.h> does not need <sys/types.h> or 10177 <isc/result.h>. 10178 10179 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS 10180 from <named/listenlist.h>. 10181 10182 89. [cleanup] <isc/lex.h> does not need <stddef.h>. 10183 10184 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or 10185 <isc/mem.h>. isc_interface_t and isc_interfaceiter_t 10186 moved to <isc/types.h>. 10187 10188 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>, 10189 <isc/mem.h> or <isc/result.h>. 10190 10191 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to 10192 <isc/types.h>. 10193 10194 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>, 10195 <isc/list.h>, <isc/mem.h>, <isc/region.h> or 10196 <isc/int.h>. 10197 10198 84. [func] allow-query ACL checks now apply to all data 10199 added to a response. 10200 10201 83. [func] If the server is authoritative for both a 10202 delegating zone and its (nonsecure) delegatee, and 10203 a query is made for a KEY RR at the top of the 10204 delegatee, then the server will look for a KEY 10205 in the delegator if it is not found in the delegatee. 10206 10207 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>. 10208 10209 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need 10210 <isc/lang.h>. 10211 10212 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>. 10213 10214 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>. 10215 10216 78. [cleanup] lwres_conftest renamed to lwresconf_test for 10217 consistency with other *_test programs. 10218 10219 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from 10220 <isc/time.h> to <isc/types.h>. 10221 10222 76. [cleanup] Rewrote keygen. 10223 10224 75. [func] Don't load a zone if its database file is older 10225 than the last time the zone was loaded. 10226 10227 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a, 10228 subsumed by file.o. 10229 10230 73. [func] New "file" API in libisc, including new function 10231 isc_file_getmodtime, isc_mktemplate renamed to 10232 isc_file_mktemplate and isc_ufile renamed to 10233 isc_file_openunique. By no means an exhaustive API, 10234 it is just what's needed for now. 10235 10236 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS 10237 added for dns_rbt_findnode, the former to disable the 10238 setting of the chain to the predecessor, and the 10239 latter to make clear when no options are set. 10240 10241 71. [cleanup] Made explicit the implicit REQUIREs of 10242 isc_time_seconds, isc_time_nanoseconds, and 10243 isc_time_subtract. 10244 10245 70. [func] isc_time_set() added. 10246 10247 69. [bug] The zone object's master and also-notify lists grew 10248 longer with each server reload. 10249 10250 68. [func] Partial support for SIG(0) on incoming messages. 10251 10252 67. [performance] Allow use of alternate (compile-time supplied) 10253 OpenSSL libraries/headers. 10254 10255 66. [func] Data in authoritative zones should have a trust level 10256 beyond secure. 10257 10258 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t 10259 from <dns/types.h>. 10260 10261 64. [func] The RBT, DB, and zone table APIs now allow the 10262 caller find the most-enclosing superdomain of 10263 a name. 10264 10265 63. [func] Generate NOTIFY messages. 10266 10267 62. [func] Add UDP refresh support. 10268 10269 61. [cleanup] Use single quotes consistently in log messages. 10270 10271 60. [func] Catch and disallow singleton types on message 10272 parse. 10273 10274 59. [bug] Cause net/host unreachable to be a hard error 10275 when sending and receiving. 10276 10277 58. [bug] bin/named/query.c could sometimes trigger the 10278 (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) 10279 == 0 assertion in query_newname(). 10280 10281 57. [func] Added dns_nxt_typepresent() 10282 10283 56. [bug] SIG records were not properly returned in cached 10284 negative answers. 10285 10286 55. [bug] Responses containing multiple names in the authority 10287 section were not negatively cached. 10288 10289 54. [bug] If a fetch with sigrdataset==NULL joined one with 10290 sigrdataset!=NULL or vice versa, the resolver 10291 could catch an assertion or lose signature data, 10292 respectively. 10293 10294 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires 10295 <sys/param.h>. 10296 10297 52. [bug] rndc: taskmgr and socketmgr were not initialized 10298 to NULL. 10299 10300 51. [cleanup] dns/compress.h and dns/zt.h did not need to include 10301 dns/rbt.h; it was needed only by compress.c and zt.c. 10302 10303 50. [func] RBT deletion no longer requires a valid chain to work, 10304 and dns_rbt_deletenode was added. 10305 10306 49. [func] Each cache now has its own mctx. 10307 10308 48. [func] isc_task_create() no longer takes an mctx. 10309 isc_task_mem() has been eliminated. 10310 10311 47. [func] A number of modules now use memory context reference 10312 counting. 10313 10314 46. [func] Memory contexts are now reference counted. 10315 Added isc_mem_inuse() and isc_mem_preallocate(). 10316 Renamed isc_mem_destroy_check() to 10317 isc_mem_setdestroycheck(). 10318 10319 45. [bug] The trusted-key statement incorrectly loaded keys. 10320 10321 44. [bug] Don't include authority data if it would force us 10322 to unset the AD bit in the message. 10323 10324 43. [bug] DNSSEC verification of cached rdatasets was failing. 10325 10326 42. [cleanup] Simplified logging of messages with embedded domain 10327 names by introducing a new convenience function 10328 dns_name_format(). 10329 10330 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later 10331 to allow 'named' to run as a non-root user while 10332 retaining the ability to bind() to privileged 10333 ports. 10334 10335 40. [func] Introduced new logging category "dnssec" and 10336 logging module "dns/validator". 10337 10338 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t, 10339 and isc_lex_t to <isc/types.h>. 10340 10341 38. [bug] TSIG signed incoming zone transfers work now. 10342 10343 37. [bug] If the first RR in an incoming zone transfer was 10344 not an SOA, the server died with an assertion failure 10345 instead of just reporting an error. 10346 10347 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS 10348 10349 35. [performance] Log messages which are of a level too high to be 10350 logged by any channel in the logging configuration 10351 will not cause the log mutex to be locked. 10352 10353 34. [bug] Recursion was allowed even with 'recursion no'. 10354 10355 33. [func] The RBT now maintains a parent pointer at each node. 10356 10357 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset() 10358 prototype. 10359 10360 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@. 10361 10362 30. [func] config file grammar change to support optional 10363 class type for a view. 10364 10365 29. [func] support new config file view options: 10366 10367 auth-nxdomain recursion query-source 10368 query-source-v6 transfer-source 10369 transfer-source-v6 max-transfer-time-out 10370 max-transfer-idle-out transfer-format 10371 request-ixfr provide-ixfr cleaning-interval 10372 fetch-glue notify rfc2308-type1 lame-ttl 10373 max-ncache-ttl min-roots 10374 10375 28. [func] support lame-ttl, min-roots and serial-queries 10376 config global options. 10377 10378 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*. 10379 Including it on other platforms (eg, NetBSD) can 10380 cause a forced #error from the C preprocessor. 10381 10382 26. [func] new match-clients statement in config file view. 10383 10384 25. [bug] make install failed to install <isc/log.h> and 10385 <isc/ondestroy.h>. 10386 10387 24. [cleanup] Eliminate some unnecessary #includes of header 10388 files from header files. 10389 10390 23. [cleanup] Provide more context in log messages about client 10391 requests, using a new function ns_client_log(). 10392 10393 22. [bug] SIGs weren't returned in the answer section when 10394 the query resulted in a fetch. 10395 10396 21. [port] Look at STD_CINCLUDES after CINCLUDES during 10397 compilation, so additional system include directories 10398 can be searched but header files in the bind9 source 10399 tree with conflicting names take precedence. This 10400 avoids issues with installed versions of dnssafe and 10401 openssl. 10402 10403 20. [func] Configuration file post-load validation of zones 10404 failed if there were no zones. 10405 10406 19. [bug] dns_zone_notifyreceive() failed to unlock the zone 10407 lock in certain error cases. 10408 10409 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in 10410 configure.in to check for presence of in6addr_any. 10411 10412 17. [func] Do configuration file post-load validation of zones. 10413 10414 16. [bug] put quotes around key names on config file 10415 output to avoid possible keyword clashes. 10416 10417 15. [func] Add dns_name_dupwithoffsets(). This function is 10418 improves comparison performance for duped names. 10419 10420 14. [bug] free_rbtdb() could have 'put' unallocated memory in 10421 an unlikely error path. 10422 10423 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore 10424 out-of-zone data. 10425 10426 12. [bug] Fixed possible uninitialized variable error. 10427 10428 11. [bug] axfr_rrstream_first() didn't check the result code of 10429 db_rr_iterator_first(), possibly causing an assertion 10430 to be triggered later. 10431 10432 10. [bug] A bug in the code which makes EDNS0 OPT records in 10433 bin/named/client.c and lib/dns/resolver.c could 10434 trigger an assertion. 10435 10436 9. [cleanup] replaced bit-setting code in confctx.c and replaced 10437 repeated code with macro calls. 10438 10439 8. [bug] Shutdown of incoming zone transfer accessed 10440 freed memory. 10441 10442 7. [cleanup] removed 'listen-on' from view statement. 10443 10444 6. [bug] quote RR names when generating config file to 10445 prevent possible clash with config file keywords 10446 (such as 'key'). 10447 10448 5. [func] syntax change to named.conf file: new ssu grant/deny 10449 statements must now be enclosed by an 'update-policy' 10450 block. 10451 10452 4. [port] bin/named/unix/os.c didn't compile on systems with 10453 linux 2.3 kernel includes due to conflicts between 10454 C library includes and the kernel includes. We now 10455 get only what we need from <linux/capability.h>, and 10456 avoid pulling in other linux kernel .h files. 10457 10458 3. [bug] TKEYs go in the answer section of responses, not 10459 the additional section. 10460 10461 2. [bug] Generating cryptographic randomness failed on 10462 systems without /dev/random. 10463 10464 1. [bug] The installdirs rule in 10465 lib/isc/unix/include/isc/Makefile.in had a typo which 10466 prevented the isc directory from being created if it 10467 didn't exist. 10468 10469 --- 9.0.0b2 released --- 10470 10471# This tells Emacs to use hard tabs in this file. 10472# Local Variables: 10473# indent-tabs-mode: t 10474# End: 10475