CHANGES
3119.	[bug]		When rolling to a new DNSSEC key, a private-type
			record could be created and never marked complete.
			[RT #23253]

3118.	[bug]		nsupdate could dump core on shutdown when using
			SIG(0) keys. [RT #24604]

3117.	[cleanup]	Remove doc and parser references to the
			never-implemented 'auto-dnssec create' option.
			[RT #24533]

3116.	[func]		New 'dnssec-update-mode' option controls updates
			of DNSSEC records in signed dynamic zones.  Set to
			'no-resign' to disable automatic RRSIG regeneration
			while retaining the ability to sign new or changed
			data. [RT #24533]

3115.	[bug]		Named could fail to return requested data when
			following a CNAME that points into the same zone.
			[RT #24455]

3114.	[bug]		Retain expired RRSIGs in dynamic zones if the key is
			inactive and there is no replacement key. [RT #23136]

3113.	[doc]		Document the relationship between serial-query-rate
			and NOTIFY messages.

3112.	[doc]		Add missing descriptions of the update policy name
			types "ms-self", "ms-subdomain", "krb5-self" and
			"krb5-subdomain", which allow machines to update
			their own records, to the BIND 9 ARM.

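An added illustration (not named's own ssu.c code) of the authorization semantics those four match types document: ms-self lets machine$@REALM update machine.REALM, krb5-self lets host/machine@REALM update machine.REALM, and the -subdomain variants allow any name at or below REALM; the rule's identity field carries the realm, and rules are tried in order with the first match deciding. The principals, realm and names below are constructed; rule-level name and type restrictions are left out, which is a simplification of real update-policy rules.

```python
from typing import List, Optional, Tuple

def norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.lower().rstrip(".")

def at_or_below(name: str, apex: str) -> bool:
    """True if name is apex itself or lies beneath it (label-aligned, so notexample.com != example.com)."""
    n, a = norm(name), norm(apex)
    return n == a or n.endswith("." + a)

def machine_from_principal(principal: str, flavour: str) -> Optional[Tuple[str, str]]:
    """Split a machine principal into (machine, realm).
    flavour 'ms'   expects 'machine$@REALM'   (Windows machine account)
    flavour 'krb5' expects 'host/machine@REALM' (Kerberos host principal)
    Returns None when the signer is not of that shape, so the rule cannot match."""
    if "@" not in principal:
        return None
    ident, realm = principal.rsplit("@", 1)
    if flavour == "ms" and ident.endswith("$") and len(ident) > 1:
        return ident[:-1], realm
    if flavour == "krb5" and ident.startswith("host/") and len(ident) > 5:
        return ident[5:], realm
    return None

def rule_permits(match_type: str, realm_field: str, signer: str, target: str) -> bool:
    """Does one ms-self/ms-subdomain/krb5-self/krb5-subdomain rule match `signer`
    (the GSS-TSIG identity) updating `target`?  `realm_field` is the rule's identity field."""
    if match_type not in ("ms-self", "ms-subdomain", "krb5-self", "krb5-subdomain"):
        raise ValueError(f"unsupported match type: {match_type!r}")
    flavour, scope = match_type.split("-", 1)
    parsed = machine_from_principal(signer, flavour)
    if parsed is None:
        return False
    machine, realm = parsed
    if norm(realm) != norm(realm_field):        # principal from a foreign realm: never matches
        return False
    if scope == "self":
        return norm(target) == norm(machine + "." + realm)
    return at_or_below(target, realm)          # "-subdomain": anything at or below REALM

def first_matching_rule(rules: List[Tuple[str, str, str]], signer: str, target: str) -> bool:
    """update-policy evaluation: rules are (grant|deny, match-type, identity) in order;
    the first matching rule decides, and no match means the update is refused."""
    for action, match_type, identity in rules:
        if rule_permits(match_type, identity, signer, target):
            return action == "grant"
    return False

if __name__ == "__main__":
    # Constructed policy: machines may touch anything in the realm except their own name.
    policy = [("deny", "krb5-self", "EXAMPLE.COM"), ("grant", "krb5-subdomain", "EXAMPLE.COM")]
    print(first_matching_rule(policy, "host/db1@EXAMPLE.COM", "db1.example.com"))   # False
    print(first_matching_rule(policy, "host/db1@EXAMPLE.COM", "db2.example.com"))   # True
```

Two checks matter most in practice: the realm comparison, which stops a principal from a foreign realm that happens to share a machine name, and the shape check, which stops a plain user principal (no `$`, no `host/`) from matching a machine rule.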
3111.	[bug]		Improved consistency checks for dnssec-enable and
			dnssec-validation, added test cases to the
			checkconf system test. [RT #24398]

3110.	[bug]		dnssec-signzone: Wrong error message could appear
			when attempting to sign with no KSK. [RT #24369]

3109.	[func]		The also-notify option now uses the same syntax
			as a zone's masters clause.  This means it is
			now possible to specify a TSIG key to use when
			sending notifies to a given server, or to include
			an explicit named masters list in an also-notify
			statement.  [RT #23508]

3108.	[cleanup]	dnssec-signzone: Clarified some error and
			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
			code (use -P instead). [RT #20852]
			
3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
			when using -x. [RT #20852]

3106.	[func]		When logging client requests, include the name of
			the TSIG key if any. [RT #23619]

3105.	[bug]		GOST support can be suppressed by "configure
			--without-gost". [RT #24367]

3104.	[bug]		Better support for cross-compiling. [RT #24367]

3103.	[bug]		Configuring 'dnssec-validation auto' in a view
			instead of in the options statement could trigger
			an assertion failure in named-checkconf. [RT #24382]

3102.	[func]		New 'dnssec-loadkeys-interval' option configures
			how often, in minutes, to check the key repository
			for updates when using automatic key maintenance.
			Default is every 60 minutes (formerly hard-coded
			to 12 hours). [RT #23744]
			
3101.	[bug]		Zones using automatic key maintenance could fail
			to check the key repository for updates. [RT #23744]

3100.	[security]	Certain response policy zone configurations could
			trigger an INSIST when receiving a query of type
			RRSIG. [RT #24280]

3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
			not compiled with --with-dlz-filesystem.  [RT #24146]

3098.	[bug]		DLZ zones were answering without setting the AA bit.
			[RT #24146]

3097.	[test]		Add a tool to test handling of malformed packets.
			[RT #24096]

3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
			dst_gssapi_acceptctx(). [RT #24004]

3095.	[bug]		Handle isolated reserved ports in the port range.
			[RT #23957]

3094.	[doc]		Expand dns64 documentation.

3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]

3092.	[bug]		Signatures for records at the zone apex could go
			stale due to an incorrect timer setting. [RT #23769]

3091.	[bug]		Fixed a bug in which zone keys that were published
			and then subsequently activated could fail to trigger
			automatic signing. [RT #22911]

3090.	[func]		Make --with-gssapi default [RT #23738]

3089.	[func]		dnssec-dsfromkey now supports reading keys from
			standard input "dnssec-dsfromkey -f -". [RT #20662]

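As an added example, not code from BIND, of what dnssec-dsfromkey computes from a DNSKEY line read on standard input: the RFC 4034 Appendix B key tag, and the DS digest over the canonical (lowercased, wire-format) owner name followed by the DNSKEY RDATA. The DNSKEY line below is constructed with a three-byte placeholder key so the key tag (2059) can be checked by hand; it is not a real key. The parser also accepts a base64 key split across whitespace, as "dig +split" (change 3062 below) prints it, and ignores dig's trailing "; key id" comment.

```python
import base64
import hashlib
import struct
from typing import Tuple

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types: 1 = SHA-1, 2 = SHA-256

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: 16-bit sum of RDATA words with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey_line(line: str) -> Tuple[str, int, int, int, bytes]:
    """Parse a DNSKEY in presentation format.  TTL and class are optional; the base64
    key may be split across whitespace; anything after ';' is a comment."""
    tokens = line.split(";", 1)[0].split()
    upper = [t.upper() for t in tokens]
    if "DNSKEY" not in upper:
        raise ValueError("not a DNSKEY record")
    i = upper.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return owner, flags, protocol, algorithm, pubkey

def ds_from_dnskey(line: str, digest_type: int = 2) -> str:
    """DS RR text for a DNSKEY line: digest = H(canonical owner name || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

# Constructed input: a toy 3-byte "key" (bytes 01 02 03) so the tag is checkable by hand.
SAMPLE_DNSKEY = "Example.COM. 3600 IN DNSKEY 257 3 8 AQ ID ; key id = 2059"

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY))        # tag 2059, algorithm 8, SHA-256 digest
    print(ds_from_dnskey(SAMPLE_DNSKEY, 1))     # same key, SHA-1 digest
```

The owner name is part of the hashed input, so a DS computed for the wrong owner (or with the name left in mixed case and not canonicalised) will never match the child's DNSKEY, which is the usual cause of a "DS does not match" failure after a manual delegation update.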
3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
			and add setup.sh in order to resolve changing
			named.conf issue.  [RT #23687]

3087.	[bug]		DDNS updates using SIG(0) with update-policy match
			type "external" could cause a crash. [RT #23735]

3086.	[bug]		Running dnssec-settime -f on an old-style key will
			now force an update to the new key format even if no
			other change has been specified, using "-P now -A now"
			as default values.  [RT #22474]

3085.	[func]		New '-R' option in dnssec-signzone forces removal
			of signatures which have not yet expired but
			were generated by a key that no longer exists.
			[RT #22471]

3084.	[func]		A new command "rndc sync" dumps pending changes in
			a dynamic zone to disk; "rndc sync -clean" also
			removes the journal file after syncing.  Also,
			"rndc freeze" no longer removes journal files.
			[RT #22473]

3083.	[bug]		NOTIFY messages were not being sent when generating
			a NSEC3 chain incrementally. [RT #23702]

3082.	[port]		strtok_r is threads only. [RT #23747]

3081.	[bug]		Failure of DNAME substitution did not return
			YXDOMAIN. [RT #23591]

3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
			[RT #23587]

3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
			[RT #23572]

3078.	[func]		Added a new include file with function typedefs
			for the DLZ "dlopen" driver. [RT #23629]

3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
			dns_zone_attach(), use zone->irefs instead. [RT #23303]

3076.	[func]		New '-L' option in dnssec-keygen, dnssec-settime, and
			dnssec-keyfromlabel sets the default TTL of the
			key.  When possible, automatic signing will use that
			TTL when the key is published.  [RT #23304]

3075.	[bug]		dns_dnssec_findzonekeys{2} used an inconsistent
			timestamp when determining which keys are active.
			[RT #23642]

3074.	[bug]		Make the adb cache read through for zone data and
			glue learned for zones named is authoritative for.
			[RT #22842]

3073.	[bug]		managed-keys changes were not properly being recorded.
			[RT #20256]

3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
			[RT #20256]

3071.	[bug]		has_nsec could be used uninitialised in
			update.c:next_active. [RT #20256]

3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
			[RT #20256]

3069.	[cleanup]	Silence warnings messages from clang static analysis.
			[RT #20256]

3068.	[bug]		Named failed to build with an OpenSSL without engine
			support. [RT #23473]

3067.	[bug]		ixfr-from-differences {master|slave}; failed to
			select the master/slave zones.  [RT #23580]

3066.	[func]		The DLZ "dlopen" driver is now built by default,
			no longer requiring a configure option.  To
			disable it, use "configure --without-dlopen".
			Driver also supported on win32.  [RT #23467]

3065.	[bug]		RRSIG could have time stamps too far in the future.
			[RT #23356]

3064.	[bug]		powerpc: add sync instructions to the end of atomic
			operations. [RT #23469]

3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]

3062.	[func]		Made several changes to enhance human readability
			of DNSSEC data in dig output and in generated
			zone files:
			 - DNSKEY record comments are more verbose, no
			   longer used in multiline mode only
			 - multiline RRSIG records reformatted
			 - multiline output mode for NSEC3PARAM records
			 - "dig +norrcomments" suppresses DNSKEY comments
			 - "dig +split=X" breaks hex/base64 records into
			   fields of width X; "dig +nosplit" disables this.
			[RT #22820]

3061.	[func]		New option "dnssec-signzone -D", only write out
			generated DNSSEC records. [RT #22896]

3060.	[func]		New option "dnssec-signzone -X <date>" allows
			specification of a separate expiration date
			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

3059.	[test]		Added a regression test for change #3023.

3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
			reload to fail, if a log file specified in the conf
			file isn't a plain file. [RT #22771]

3057.	[bug]		"rndc secroots" would abort after the first error
			and so could miss some views. [RT #23488]

3056.	[func]		Added support for URI resource record. [RT #23386]

3055.	[placeholder]

3054.	[bug]		Added elliptic curve support check in
			GOST OpenSSL engine detection. [RT #23485]

3053.	[bug]		Under a sustained high query load with a finite
			max-cache-size, it was possible for cache memory
			to be exhausted and not recovered. [RT #23371]

3052.	[test]		Fixed last autosign test report. [RT #23256]

3051.	[bug]		NS records obscure DNAME records at the bottom of the
			zone if both are present. [RT #23035]

3050.	[bug]		The autosign system test was timing dependent.
			Wait for the initial autosigning to complete
			before running the rest of the test. [RT #23035]

3049.	[bug]		Save and restore the gid when creating
			named.pid at startup. [RT #23290]

3048.	[bug]		Fully separate view key management. [RT #23419]

3047.	[bug]		DNSKEY NODATA responses not cached fixed in
			validator.c. Tests added to dnssec system test.
			[RT #22908]

3046.	[bug]		Use RRSIG original TTL to compute validated RRset
			and RRSIG TTL. [RT #23332]

3045.	[removed]	Replaced by change #3050.

3044.	[bug]		Hold the socket manager lock while freeing the socket.
			[RT #23333]

3043.	[test]		Merged in the NetBSD ATF test framework (currently
			version 0.12) for development of future unit tests.
			Use configure --with-atf to build ATF internally
			or configure --with-atf=prefix to use an external
			copy.  [RT #23209]

3042.	[bug]		dig +trace could fail attempting to use IPv6
			addresses on systems with only IPv4 connectivity.
			[RT #23297]

3041.	[bug]		dnssec-signzone failed to generate new signatures on
			ttl changes. [RT #23330]

3040.	[bug]		Named failed to validate insecure zones where a node
			with a CNAME existed between the trust anchor and the
			top of the zone. [RT #23338]

3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]

3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]

3037.	[doc]		Update COPYRIGHT to contain all the individual
			copyright notices that cover various parts.

3036.	[bug]		Check built-in zone arguments to see if the zone
			is re-usable or not. [RT #21914]

3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]

3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]

3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
			[RT #22521]

3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]

3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
			[RT #22521]

3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
			[RT #22521]

3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
			[RT #22521]

3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
			[RT #22521]

3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
			catch NULL pointer dereferences before they happen.
			[RT #22521]

3026.	[bug]		lib/isc/httpd.c: check that we have enough space
			after calling grow_headerspace() and if not
			re-call grow_headerspace() until we do. [RT #22521]

3025.	[bug]		Fixed a possible deadlock due to zone resigning.
			[RT #22964]

3025.	[bug]		Fixed a possible deadlock due to zone resigning.
			[RT #22964]

3024.	[func]		RTT Banding removed due to minor security increase
			but major impact on resolver latency. [RT #23310]

3023.	[bug]		Named could be left in an inconsistent state when
			receiving multiple AXFR response messages that were
			not all TSIG-signed. [RT #23254]

3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers.
			[RT #23246]

3021.	[bug]		Change #3010 was incomplete. [RT #22296]

3020.	[bug]		auto-dnssec failed to correctly update the zone when
			changing the DNSKEY RRset. [RT #23232]

3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
			record via UPDATE. [RT #23229]

3018.	[bug]		Named failed to check for the "none;" acl when deciding
			if a zone may need to be re-signed. [RT #23120]

3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
			[RT #22887]

3016.	[bug]		rndc usage missing '-b'. [RT #22937]

3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]

3014.	[placeholder]

3013.	[bug]		The DNS64 ttl was not always being set as expected.
			[RT #23034]

3012.	[bug]		Remove DNSKEY TTL change pairs before generating
			signing records for any remaining DNSKEY changes.
			[RT #22590]

3011.	[func]		Change the default query timeout from 30 seconds
			to 10.  Allow setting this in named.conf using the new
			'resolver-query-timeout' option, which specifies a max
			time in seconds.  0 means 'default' and anything longer
			than 30 will be silently set to 30. [RT #22852]

3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
			for refreshing managed-keys. [RT #22296]

3009.	[bug]		clients-per-query code didn't work as expected with
			particular query patterns. [RT #22972]

	--- 9.8.0b1 released ---

3008.	[func]		Response policy zones (RPZ) support. [RT #21726]

3007.	[bug]		Named failed to preserve the case of domain names in
			rdata which is not compressible when writing master
			files.  [RT #22863]

3006.	[func]		Allow dynamically generated TSIG keys to be preserved
			across restarts of named.  Initially this is for
			TSIG keys generated using GSSAPI. [RT #22639]

3005.	[port]		Solaris: Work around the lack of
			gsskrb5_register_acceptor_identity() by setting
			the KRB5_KTNAME environment variable to the
			contents of tkey-gssapi-keytab.  Also fixed
			test errors on MacOSX.  [RT #22853]

3004.	[func]		DNS64 reverse support. [RT #22769]

3003.	[experimental]	Added update-policy match type "external",
			enabling named to defer the decision of whether to
			allow a dynamic update to an external daemon.
			(Contributed by Andrew Tridgell.) [RT #22758]

3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
			[RT #22766]

3001.	[func]		Added a default trust anchor for the root zone, which
			can be switched on by setting "dnssec-validation auto;"
			in the named.conf options. [RT #21727]

3000.	[bug]		More TKEY/GSS fixes:
			 - nsupdate can now get the default realm from
			   the user's Kerberos principal
			 - corrected gsstest compilation flags
			 - improved documentation
			 - fixed some NULL dereferences
			[RT #22795]

2999.	[func]		Add GOST support (RFC 5933). [RT #20639]

2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
			to the task api. [RT #22776]

2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
			it was compiled against. [RT #22687]

2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
			[RT #22589]

2995.	[bug]		The Kerberos realm was not being correctly extracted
			from the signer's identity. [RT #22770]

2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
			do not use threads on earlier versions.  Also kill
			the unproven-pthreads, mit-pthreads, and ptl2 support.

2993.	[func]		Dynamically grow adb hash tables. [RT #21186]

2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
			for looking at a secure delegation. [RT #22059]

2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
			dynamic zones. [RT #22365]

2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
			interval validity when the interval is set to 0.
			[RT #22761]

2989.	[func]		Added support for writable DLZ zones. (Contributed
			by Andrew Tridgell of the Samba project.) [RT #22629]

2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
			of external DLZ drivers that can be loaded as
			shared objects at runtime rather than linked with
			named.  Currently this is switched on via a
			compile-time option, "configure --with-dlz-dlopen".
			Note: the syntax for configuring DLZ zones
			is likely to be refined in future releases.
			(Contributed by Andrew Tridgell of the Samba
			project.) [RT #22629]

2987.	[func]		Improve ease of configuring TKEY/GSS updates by
			adding a "tkey-gssapi-keytab" option.  If set,
			updates will be allowed with any key matching
			a principal in the specified keytab file.
			"tkey-gssapi-credential" is no longer required
			and is expected to be deprecated.  (Contributed
			by Andrew Tridgell of the Samba project.)
			[RT #22629]

2986.	[func]		Add new zone type "static-stub".  It's like a stub
			zone, but the nameserver names and/or their IP
			addresses are statically configured. [RT #21474]

2985.	[bug]		Add a regression test for change #2896. [RT #21324]

2984.	[bug]		Don't run MX checks when the target of the MX record
			is ".".  [RT #22645]

2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]

	--- 9.8.0a1 released ---

2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
			to increment the reference count.

			Note: dns_tsigkey_createfromkey() callers should now
			always call dst_key_free() rather than setting it
			to NULL on success. [RT #22672]

2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]

2980.	[bug]		named didn't properly handle UPDATES that changed the
			TTL of the NSEC3PARAM RRset. [RT #22363]

2979.	[bug]		named could deadlock during shutdown if two
			"rndc stop" commands were issued at the same
			time. [RT #22108]

2978.	[port]		hpux: look for <devpoll.h> [RT #21919]

2977.	[bug]		'nsupdate -l' report if the session key is missing.
			[RT #21670]

2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
			key. [RT #22573]

2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
			wrong lock which could lead to server deadlock.
			[RT #22614]

2974.	[bug]		Some valid UPDATE requests could fail due to a
			consistency check examining the existing version
			of the zone rather than the new version resulting
			from the UPDATE. [RT #22413]

2973.	[bug]		bind.keys.h was being removed by the "make clean"
			at the end of configure resulting in build failures
			where there is very old version of perl installed.
			Move it to "make maintainer-clean". [RT #22230]

2972.	[bug]		win32: address windows socket errors. [RT #21906]

2971.	[bug]		Fixed a bug that caused journal files not to be
			compacted on Windows systems as a result of
			non-POSIX-compliant rename() semantics. [RT #22434]

2970.	[security]	Adding a NO DATA negative cache entry failed to clear
			any matching RRSIG records.  A subsequent lookup of
			the NO DATA cache entry could trigger an INSIST when the
			unexpected RRSIG was also returned with the NO DATA
			cache entry.

			CVE-2010-3613, VU#706148. [RT #22288]

2969.	[security]	Fix acl type processing so that allow-query works
			in options and view statements.  Also add a new
			set of tests to verify proper functioning.

			CVE-2010-3615, VU#510208. [RT #22418]

2968.	[security]	Named could fail to prove a data set was insecure
			before marking it as insecure.  One set of conditions
			that can trigger this occurs naturally when rolling
			DNSKEY algorithms.

			CVE-2010-3614, VU#837744. [RT #22309]

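The three [security] entries above are what a defender wants to pull out of this file when deciding whether a deployed version needs upgrading. The following is an added example, not part of BIND or of this file, of parsing the CHANGES format as it appears here (a number, a bracketed category, tab-indented continuation lines, and "--- X released ---" markers that assign every entry below them to that release) and listing the security fixes newer than a given release together with their CVE and RT identifiers. SAMPLE is a constructed excerpt built from entries on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# An entry starts at column 0: "NNNN.<tab>[category]<tab>text"; continuation lines are indented.
ENTRY_RE = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s*(.*)$")
# The list is newest first; everything below a marker shipped in that release.
RELEASE_RE = re.compile(r"^\s*--- (\S+) released ---\s*$")
RT_RE = re.compile(r"\[RT\s*#\s*(\d+)\]")          # tolerates both "[RT #123]" and "[RT# 123]"
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

@dataclass
class Entry:
    number: int
    category: str
    text: str = ""
    release: Optional[str] = None       # None: above the first marker, i.e. not yet released
    tickets: List[str] = field(default_factory=list)
    cves: List[str] = field(default_factory=list)

def parse_changes(text: str) -> List[Entry]:
    """Parse CHANGES text into Entry objects in file order (newest first)."""
    entries: List[Entry] = []
    release: Optional[str] = None
    current: Optional[Entry] = None
    body: List[str] = []

    def flush() -> None:
        nonlocal current, body
        if current is not None:
            current.text = " ".join(" ".join(body).split())   # collapse tabs/newlines/double spaces
            current.tickets = RT_RE.findall(current.text)
            current.cves = CVE_RE.findall(current.text)
            entries.append(current)
        current, body = None, []

    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            flush()
            release = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            flush()
            current = Entry(int(m.group(1)), m.group(2), release=release)
            body = [m.group(3)]
            continue
        if current is not None and line[:1] in (" ", "\t"):
            body.append(line.strip())   # continuation line; blank indented lines vanish in flush()
        # blank separators and anything unindented that is not an entry are ignored
    flush()
    return entries

def security_fixes_since(entries: List[Entry], release: str) -> List[Entry]:
    """[security] entries newer than `release`: walk newest-first and stop at the first
    entry that shipped in that release."""
    out: List[Entry] = []
    for e in entries:
        if e.release == release:
            break
        if e.category == "security":
            out.append(e)
    return out

# Constructed excerpt (real tabs, as in the file) with an entry that spans a blank line.
SAMPLE = """\
3100.\t[security]\tCertain response policy zone configurations could
\t\t\ttrigger an INSIST when receiving a query of type
\t\t\tRRSIG. [RT #24280]

3099.\t[test]\t\t"dlz" system test now runs but gives R:SKIPPED if
\t\t\tnot compiled with --with-dlz-filesystem.  [RT #24146]

\t--- 9.8.0b1 released ---

2970.\t[security]\tAdding a NO DATA negative cache entry failed to clear
\t\t\tany matching RRSIG records.
\t\t\t
\t\t\tCVE-2010-3613, VU#706148. [RT #22288]

2964.\t[placeholder]
"""

if __name__ == "__main__":
    for e in security_fixes_since(parse_changes(SAMPLE), "9.8.0b1"):
        print(e.number, e.cves or e.tickets, e.text[:60])
```

Note that a fix with no CVE is still a fix: entry 3100 above carries only an RT ticket, so filtering on CVE identifiers alone would miss it, which is why the category, not the CVE, is the primary key.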
2967.	[bug]		'host -D' now turns on debugging messages earlier.
			[RT #22361]

2966.	[bug]		isc_print_vsnprintf() failed to check if there was
			space available in the buffer when adding a left
			justified character with a non zero width,
			(e.g. "%-1c"). [RT #22270]

2965.	[func]		Test HMAC functions using test data from RFC 2104 and
			RFC 4634. [RT #21702]

2964.	[placeholder]

2963.	[security]	The allow-query acl was being applied instead of the
			allow-query-cache acl to cache lookups. [RT #22114]

2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
			[RT #22062]

2961.	[bug]		Be still more selective about the non-authoritative
			answers we apply change 2748 to. [RT #22074]

2960.	[func]		Check that named accepts non-authoritative answers.
			[RT #21594]

2959.	[func]		Check that named starts with a missing masterfile.
			[RT #22076]

2958.	[bug]		named failed to start with a missing master file.
			[RT #22076]

2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
			the API for RAND_bytes() and RAND_pseudo_bytes()
			respectively. [RT #21962]

2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]

2955.	[func]		Provide more detail in the recursing log. [RT #22043]

2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
			build_sqldbinstance failure. [RT #21623]

2953.	[bug]		Silence spurious "expected covering NSEC3, got an
			exact match" message when returning a wildcard
			no data response. [RT #21744]

2952.	[port]		win32: named-checkzone and named-checkconf failed
			to initialise winsock. [RT #21932]

2951.	[bug]		named failed to generate a correct signed response
			in an optout, delegation only zone with no secure
			delegations. [RT #22007]

2950.	[bug]		named failed to perform a SOA up to date check when
			falling back to TCP on UDP timeouts when
			ixfr-from-differences was set. [RT #21595]

2949.	[bug]		dns_view_setnewzones() contained a memory leak if
			it was called multiple times. [RT #21942]

2948.	[port]		MacOS: provide a mechanism to configure the test
			interfaces at reboot. See bin/tests/system/README
			for details.

2947.	[placeholder]

2946.	[doc]		Document the default values for the minimum and maximum
			zone refresh and retry values in the ARM. [RT #21886]

2945.	[doc]		Update empty-zones list in ARM. [RT #21772]

2944.	[maint]		Remove ORCHID prefix from built in empty zones.
			[RT #21772]

2943.	[func]		Add support to load new keys into managed zones
			without signing immediately with "rndc loadkeys".
			Add support to link keys with "dnssec-keygen -S"
			and "dnssec-settime -S".  [RT #21351]

2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
			[RT #21610]

2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
			DNAME at the zone apex.  [RT #21610]

2940.	[port]		Remove connection aborted error message on
			Windows. [RT #21549]

2939.	[func]		Check that named successfully skips NSEC3 records
			that fail to match the NSEC3PARAM record currently
			in use. [RT #21868]

2938.	[bug]		When generating signed responses, from a signed zone
			that uses NSEC3, named would use an uninitialised
			pointer if it needed to skip an NSEC3 record because
			it didn't match the selected NSEC3PARAM record for
			the zone. [RT #21868]

2937.	[bug]		Worked around an apparent race condition in over
			memory conditions.  Without this fix a DNS cache DB or
			ADB could incorrectly stay in an over memory state,
			effectively refusing further caching, which
			subsequently made a BIND 9 caching server unworkable.
			This fix prevents this problem from happening by
			polling the state of the memory context, rather than
			making a copy of the state, which appeared to cause
			a race.  This is a "workaround" in that it doesn't
			solve the possible race per se, but several experiments
			proved this change solves the symptom.  Also, the
			polling overhead hasn't been reported to be an issue.
			This bug should only affect a caching server that
			specifies a finite max-cache-size.  It's also quite
			likely that the bug happens only when enabling threads,
			but it's not confirmed yet. [RT #21818]

2936.	[func]		Improved configuration syntax and multiple-view
			support for addzone/delzone feature (see change
			#2930).  Removed "new-zone-file" option, replaced
			with "allow-new-zones (yes|no)".  The new-zone-file
			for each view is now created automatically, with
			a filename generated from a hash of the view name.
			It is no longer necessary to "include" the
			new-zone-file in named.conf; this happens
			automatically.  Zones that were not added via
			"rndc addzone" can no longer be removed with
			"rndc delzone". [RT #19447]

2935.	[bug]		nsupdate: improve 'file not found' error message.
			[RT #21871]

2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
			[RT #21871]

2933.	[bug]		'dig +nsid' used stack memory after it went out of
			scope.  This could potentially result in an unknown,
			potentially malformed, EDNS option being sent instead
			of the desired NSID option. [RT #21781]

2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
			[RT #21597]

2931.	[bug]		Temporarily and partially disable change 2864
			because it would cause infinite attempts of RRSIG
			queries.  This is an urgent care fix; we'll
			revisit the issue and complete the fix later.
			[RT #21710]

2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
			allow dynamic addition and deletion of zones.
			To enable this feature, specify a "new-zone-file"
			option at the view or options level in named.conf.
			Zone configuration information for the new zones
			will be written into that file.  To make the new
			zones persist after a restart, "include" the file
			into named.conf in the appropriate view.  (Note:
			This feature is not yet documented, and its syntax
			is expected to change.) [RT #19447]

2929.	[bug]		Improved handling of GSS security contexts:
			 - added LRU expiration for generated TSIGs
			 - added the ability to use a non-default realm
			 - added new "realm" keyword in nsupdate
			 - limited lifetime of generated keys to 1 hour
			   or the lifetime of the context (whichever is
			   smaller)
			[RT #19737]

2928.	[bug]		Be more selective about the non-authoritative
			answer we apply change 2748 to. [RT #21594]

2927.	[placeholder]

2926.	[placeholder]

2925.	[bug]		Named failed to accept uncachable negative responses
			from insecure zones. [RT #21555]

2924.	[func]		'rndc secroots' dumps a combined summary of the
			current managed keys and trusted keys.
			[RT #20904]

2923.	[bug]		'dig +trace' could drop core after "connection
			timeout". [RT #21514]

2922.	[contrib]	Update zkt to version 1.0.

2921.	[bug]		The resolver could attempt to destroy a fetch context
			too soon.  [RT #19878]

2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
			to IPv4 clients.  New acl 'filter-aaaa' (default any).

2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
			[RT #20840]

2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.

2917.	[func]		Virtual time test framework. [RT #20801]

2916.	[func]		Add framework to use IPv6 in tests.
			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915.	[cleanup]	Be smarter about which objects we attempt to compile
			based on configure options. [RT #21444]

2914.	[bug]		Make the "autosign" system test more portable.
			[RT #20997]

2913.	[func]		Add pkcs#11 system tests. [RT #20784]

2912.	[func]		Windows clients don't like UPDATE responses that clear
			the zone section. [RT #20986]

2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
			[RT #21367]

2910.	[func]		Sanity check Kerberos credentials. [RT #20986]

2909.	[bug]		named-checkconf -p could die if "update-policy local;"
			was specified in named.conf. [RT #21416]

2908.	[bug]		It was possible for re-signing to stop after removing
			a DNSKEY. [RT #21384]

2907.	[bug]		The export version of libdns had undefined references.
			[RT #21444]

2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]

2905.	[port]		aix: set use_atomic=yes with native compiler.
			[RT #21402]

2904.	[bug]		When using DLV, sub-zones of the zones in the DLV
			could be incorrectly marked as insecure instead of
			secure, leading to negative proofs failing.  This was
			an unintended outcome of change 2890. [RT #21392]

2903.	[bug]		managed-keys-directory missing from namedconf.c.
			[RT #21370]

2902.	[func]		Add regression test for change 2897. [RT #21040]

2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900.	[bug]		The placeholder negative caching element was not
			properly constructed, triggering an INSIST in
			dns_ncache_towire(). [RT #21346]

2899.	[port]		win32: Support linking against OpenSSL 1.0.0.

2898.	[bug]		nslookup leaked memory when -domain=value was
			specified. [RT #21301]

2897.	[bug]		NSEC3 chains could be left behind when transitioning
			to insecure. [RT #21040]

2896.	[bug]		"rndc sign" failed to properly update the zone
			when adding a DNSKEY for publication only. [RT #21045]

2895.	[func]		genrandom: add support for the generation of multiple
			files.  [RT #20917]

2894.	[contrib]	DLZ LDAP support now uses '$' not '%'. [RT #21294]

2893.	[bug]		Improve managed keys support.  New named.conf option
			managed-keys-directory. [RT #20924]

2892.	[bug]		Handle REVOKED keys better. [RT #20961]

2891.	[maint]		Update empty-zones list to match
			draft-ietf-dnsop-default-local-zones-13. [RT #21099]

2890.	[bug]		Handle the introduction of new trusted-keys and
			DS, DLV RRsets better. [RT #21097]

2889.	[bug]		Elements of the grammar were not properly reported.
			[RT #21046]

2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]

2887.	[bug]		Report the key timing values in UTC in the .key file;
			the local time is presented alongside as a comment.
			[RT #21223]

2886.	[bug]		ctime() is not thread safe. [RT #21223]

2885.	[bug]		Improve -fno-strict-aliasing support probing in
			configure. [RT #21080]

2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
			[RT #21283]

2883.	[bug]		'dig +short' failed to handle really large datasets.
			[RT #21113]

2882.	[bug]		Remove memory context from list of active contexts
			before clearing 'magic'. [RT #21274]

2881.	[bug]		Reduce the amount of time the rbtdb write lock
			is held when closing a version. [RT #21198]

2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
			consistent. [RT #21078]

2879.	[contrib]	DLZ bdbhpt driver failed to close the correct cursor.
			[RT #21106]

2878.	[func]		Incrementally write the master file after performing
			an AXFR.  [RT #21010]

2877.	[bug]		The validator failed to skip obviously mismatching
			RRSIGs. [RT #21138]

2876.	[bug]		Named could return SERVFAIL for negative responses
			from unsigned zones. [RT #21131]

2875.	[bug]		dns_time64_fromtext() could accept non-digits.
			[RT #21033]

2874.	[bug]		Cache lack of EDNS support only after the server
			successfully responds to the query using plain DNS.
			[RT #20930]

2873.	[bug]		Cancelling a dynamic update via the dns/client module
			could trigger an assertion failure. [RT #21133]

2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
			require one of IPv4 or IPv6 rather than both.
			[RT #21122]

2871.	[bug]		Type mismatch in mem_api.c between the definition and
			the header file, causing build failure with
			--enable-exportlib. [RT #21138]

2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.

2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
			[RT #20877]

2868.	[cleanup]	Run "make clean" at the end of configure to ensure
			any changes made by configure are integrated.
			Use --with-make-clean=no to disable.  [RT #20994]

2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
			don't like it.  [RT #20986]

2866.	[bug]		Windows does not like the TSIG name being compressed.
			[RT #20986]

2865.	[bug]		memset to zero event.data.  [RT #20986]

2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
			[RT #21050]

2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
			[RT #21056]

2862.	[bug]		nsupdate didn't default to the parent zone when
			updating DS records. [RT #20896]

2861.	[doc]		dnssec-settime man pages didn't correctly document the
			inactivation time. [RT #21039]

2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]

2859.	[bug]		When cancelling validation it was possible to leak
			memory. [RT #20800]

2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
			[RT #20772]

2857.	[bug]		named-checkconf did not fail on a bad trusted key.
			[RT #20705]

2856.	[bug]		The size of a memory allocation was not always properly
			recorded. [RT #20927]

2855.	[func]		nsupdate will now preserve the entered case of domain
			names in update requests it sends. [RT #20928]

2854.	[func]		dig: allow the final SOA record in an AXFR response to
			be suppressed with 'dig +onesoa'. [RT #20929]

2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]

2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
			source as it produced bad nroff.  [RT #21007]

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
			the heap would have corrupted entries. [RT #20951]

2849.	[bug]		Don't treat errors from the xml2 library as fatal.
			[RT #20945]

2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
			README.rfc5011 into the ARM. [RT #20899]

2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]

2846.	[bug]		EOF on unix domain sockets was not being handled
			correctly. [RT #20731]

2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]

2844.	[doc]		notify-delay default in ARM was wrong.  It should have
			been five (5) seconds.

2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
			creating key files if there is a chance that the new
			key ID will collide with an existing one after
			either of the keys has been revoked.  (To override
			this in the case of dnssec-keyfromlabel, use the -y
			option.  dnssec-keygen will simply create a
			different, non-colliding key, so an override is
			not necessary.) [RT #20838]
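The collision that change 2843 guards against is easy to see once the key tag is computed directly: setting the RFC 5011 REVOKE flag changes the DNSKEY RDATA, so a key carries one tag while published and another once revoked, and two keys are only safe together if neither tag of one matches either tag of the other. The following is an added example, not BIND's own code: it implements the RFC 4034 Appendix B key tag, sets the REVOKE bit, and checks a candidate key against every tag an existing key could ever carry. The keys are constructed toy values with 4-byte "public keys", not real DNSSEC material.

```python
from __future__ import annotations

import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1).
ZONE_KEY = 0x0100
SEP = 0x0001
REVOKE = 0x0080


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def revoke(rdata: bytes) -> bytes:
    """The same DNSKEY with the REVOKE bit set, as RFC 5011 revocation publishes it."""
    flags = struct.unpack("!H", rdata[:2])[0] | REVOKE
    return struct.pack("!H", flags) + rdata[2:]


def keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.

    The RDATA is summed as big-endian 16-bit words and the carry is folded
    back in once.  Algorithm 1 (RSA/MD5) has a different rule (Appendix
    B.1) and is deliberately rejected here.
    """
    if rdata[3] == 1:
        raise ValueError("RSA/MD5 key tags are not handled by this example")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def possible_tags(rdata: bytes) -> set[int]:
    """Every tag the key can carry during its life: as published and once revoked."""
    return {keytag(rdata), keytag(revoke(rdata))}


def tags_collide(a: bytes, b: bytes) -> bool:
    """True if a and b could ever share a tag, before or after either is revoked."""
    return bool(possible_tags(a) & possible_tags(b))


def safe_to_create(candidate: bytes, existing: list[bytes]) -> bool:
    """The check a key generator wants before writing a new key file."""
    return not any(tags_collide(candidate, other) for other in existing)


# Constructed toy keys (not real key material).  KEY_A's unrevoked tag equals
# KEY_B's revoked tag, so comparing only the published tags would miss it.
KEY_A = dnskey_rdata(ZONE_KEY | SEP, 8, b"\x01\x02\x03\x84")
KEY_B = dnskey_rdata(ZONE_KEY | SEP, 8, b"\x01\x02\x03\x04")
KEY_C = dnskey_rdata(ZONE_KEY | SEP, 8, b"\x01\x02\x03\x05")

if __name__ == "__main__":
    for name, key in (("A", KEY_A), ("B", KEY_B), ("C", KEY_C)):
        print(name, "tag", keytag(key), "revoked tag", keytag(revoke(key)))
    print("A vs B collide:", tags_collide(KEY_A, KEY_B))
    print("safe to add C beside B:", safe_to_create(KEY_C, [KEY_B]))
```

With real keys the public key field is hundreds of bytes, but the property is the same: the REVOKE bit only ever adds 0x80 to the running sum before the fold, which is why a tool that generates keys can simply try again when the candidate's two tags intersect an existing key's two tags.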

2842.	[func]		Added "smartsign" and improved "autosign" and
			"dnssec" regression tests. [RT #20865]

2841.	[bug]		Change 2836 was not complete. [RT #20883]

2840.	[bug]		Temporarily fixed the pkcs11-destroy usage check.
			[RT #20760]

2839.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2838.	[placeholder]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]

2836.	[bug]		Keys that were scheduled to become active could
			be delayed. [RT #20874]

2835.	[bug]		Key inactivity dates were inadvertently stored in
			the private key file with the outdated tag
			"Unpublish" rather than "Inactive".  This has been
			fixed; however, any existing keys that had Inactive
			dates set will now need to have them reset, using
			'dnssec-settime -I'. [RT #20868]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]
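Why an oversize HMAC key can be exchanged for a shorter one without changing a single MAC follows from RFC 2104: a key longer than the hash's block size is replaced by its digest before use, so HMAC(K, m) and HMAC(H(K), m) are identical for such keys, while a key between the digest length and the block size is used unchanged. The following is an added example and is neither BIND's HMAC implementation nor the isc-hmac-fixup tool: it writes HMAC out as the RFC specifies it, checks it against Python's standard library for keys shorter than, between, and longer than the digest and block lengths, and shows that cutting a key to the digest length (one deviation, used only as an illustration; the entry above does not say what the old code did) yields MACs nobody else can verify. The keys and message are constructed.

```python
import hashlib
import hmac

# RFC 2104 block sizes in bytes for the hashes behind the HMAC-SHA* TSIG algorithms.
BLOCK_SIZE = {"sha1": 64, "sha224": 64, "sha256": 64, "sha384": 128, "sha512": 128}


def _digest(algorithm: str, data: bytes) -> bytes:
    return hashlib.new(algorithm, data).digest()


def rfc2104_hmac(algorithm: str, key: bytes, message: bytes) -> bytes:
    """HMAC exactly as RFC 2104 section 2 lays it out.

    A key longer than the block size is replaced by its digest; anything
    shorter is zero-padded up to the block size.  A key that lies between
    the digest length and the block size is therefore used as-is: it is
    neither hashed nor truncated.
    """
    block = BLOCK_SIZE[algorithm]
    if len(key) > block:
        key = _digest(algorithm, key)          # step 1: shorten an over-long key
    key = key.ljust(block, b"\x00")            # step 2: pad to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return _digest(algorithm, opad + _digest(algorithm, ipad + message))


def canonical_secret(algorithm: str, key: bytes) -> bytes:
    """Shortest secret that yields the same MACs as `key` under RFC 2104.

    For a key longer than the block size that is its digest, which any
    conforming implementation will treat identically to the original.
    Shorter keys are already canonical and are returned unchanged.
    """
    if len(key) > BLOCK_SIZE[algorithm]:
        return _digest(algorithm, key)
    return key


def matches_reference(algorithm: str, key: bytes, message: bytes) -> bool:
    """Compare the hand-written HMAC, and its canonical-secret form, with the stdlib."""
    reference = hmac.new(key, message, algorithm).digest()
    ours = rfc2104_hmac(algorithm, key, message)
    via_canonical = hmac.new(canonical_secret(algorithm, key), message, algorithm).digest()
    return hmac.compare_digest(ours, reference) and hmac.compare_digest(via_canonical, reference)


def truncated_key_differs(algorithm: str, key: bytes, message: bytes) -> bool:
    """Illustrate that shortening a key to the digest length is not equivalent.

    Any key handling RFC 2104 does not specify produces MACs that other
    implementations reject; truncation is just one such deviation.
    """
    digest_len = hashlib.new(algorithm).digest_size
    if len(key) <= digest_len:
        return False
    return rfc2104_hmac(algorithm, key[:digest_len], message) != rfc2104_hmac(algorithm, key, message)


# Constructed inputs: a 20-byte key, a 48-byte key (between SHA-256's 32-byte
# digest and 64-byte block), and a 100-byte key (longer than the block).
SAMPLE_MESSAGE = b"constructed TSIG-signed message bytes"
SAMPLE_KEYS = {"short": bytes(range(20)), "mid": bytes(range(48)), "long": bytes(range(100))}

if __name__ == "__main__":
    for label, key in SAMPLE_KEYS.items():
        print(label, len(key), "bytes: matches stdlib =", matches_reference("sha256", key, SAMPLE_MESSAGE),
              "canonical length =", len(canonical_secret("sha256", key)),
              "truncation breaks it =", truncated_key_differs("sha256", key, SAMPLE_MESSAGE))
```

The 48-byte case is the one worth remembering: it is longer than the digest but shorter than the block, so a correct implementation must use all 48 bytes, and a secret of that length already works everywhere without conversion.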

2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
			[RT #20851]

2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
			to avoid redefinition in some OSs. [RT #20831]

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]
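The rule in change 2831 rests on a bailiwick test: a server is only entitled to speak for names at or below the zone it was delegated for, so records outside that zone, even ones riding along in a validated response, are not evidence of anything and have to be looked up at their own authoritative source. The following added example is not BIND code. It assumes the delegated zone is known (SAMPLE_ZONE), compares names label by label rather than as string suffixes, and splits a constructed response into records that may be validated and cached and records that must be re-fetched. Names and addresses are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
from __future__ import annotations

from dataclasses import dataclass


def labels(name: str) -> list[str]:
    """A DNS name as lower-cased labels, root side first; '.' is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def in_bailiwick(zone: str, owner: str) -> bool:
    """True if `owner` is the apex of `zone` or lies below it.

    The comparison is label-wise, so 'notexample.com' is outside the
    bailiwick of 'example.com' even though it ends in the same characters.
    """
    z = labels(zone)
    return labels(owner)[: len(z)] == z


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def partition_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split response records into those the responding server may vouch for
    and those that must be fetched again from their own authority."""
    usable: list[RR] = []
    refetch: list[RR] = []
    for rr in records:
        (usable if in_bailiwick(zone, rr.owner) else refetch).append(rr)
    return usable, refetch


# Constructed response from a server delegated for example.com.
SAMPLE_ZONE = "example.com."
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("example.com.", "NS", "ns.other.net."),     # NS owner is in-bailiwick
    RR("ns1.example.com.", "A", "192.0.2.1"),       # in-bailiwick glue
    RR("ns.other.net.", "A", "203.0.113.5"),        # out-of-bailiwick: re-fetch
    RR("notexample.com.", "A", "203.0.113.6"),      # suffix looks alike, still outside
]

if __name__ == "__main__":
    usable, refetch = partition_response(SAMPLE_ZONE, SAMPLE_RESPONSE)
    for rr in usable:
        print("usable  ", rr.owner, rr.rtype, rr.rdata)
    for rr in refetch:
        print("re-fetch", rr.owner, rr.rtype, rr.rdata)
```

Note that the NS record naming ns.other.net is in-bailiwick (its owner is the apex) while the address of ns.other.net is not; a resolver keeps the delegation but goes to the net authority for the address.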

2830.	[bug]		Changing the OPTOUT setting could take multiple
			passes. [RT #20813]

2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
			[RT #20808]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
			being released.  [RT #20740]

2825.	[bug]		Changing the setting of OPTOUT in an NSEC3 chain that
			was in the process of being created was not properly
			recorded in the zone. [RT #20786]

2824.	[bug]		"rndc sign" was not being run by the correct task.
			[RT #20759]

2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
			[RT #20802]

2821.	[doc]		Add note that named-checkconf doesn't automatically
			read rndc.key and bind.keys. [RT #20758]

2820.	[func]		Handle read access failure of the OpenSSL configuration
			file more gracefully (PKCS#11 engine patch).
			[RT #20668]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
			[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code
			when a zone was not found. [RT #20767]

2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
			[RT #20768]

2816.	[bug]		previous_closest_nsec() could fail to return
			data for NSEC3 nodes. [RT #29730]

2815.	[bug]		Exclusively lock the task when freezing a zone.
			[RT #19838]

2814.	[func]		Provide a definitive error message when a master
			zone is not loaded. [RT #20757]

2813.	[bug]		Better handling of unreadable DNSSEC key files.
			[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT #20748]

2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
			output. [RT #20733]

2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
			to insecure. [RT #20746]

2809.	[cleanup]	Restored accidentally-deleted text in usage output
			in dnssec-settime and dnssec-revoke [RT #20739]

2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
			atomic.h is correctly installed by the architecture