3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001).
			[This will be changed to an IANA-assigned value if
			 the experiment is deemed a success.]

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT.  RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]
			
3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented.  This is
			needed to support turning off forwarding and turning
			on delegation only at the same name.  [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. (Note: not yet
			available on win32.) [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested.  [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware security
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen).  [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]

3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

3632.	[bug]		Signatures from newly inactive keys were not being
			removed. [RT #32178]

3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

3626.	[func]		dig: NSID output now easier to read. [RT #21160]

3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

3624.	[bug]		Look for 'json_object_new_int64' when looking for
			the json library. [RT #34449]

3623.	[placeholder]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

3616.	[bug]		Change #3613 was incomplete. [RT #34177]

3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

3614.	[port]		Check for <linux/types.h>. [RT #34162]

3613.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]

3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]

3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]

3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	Removed use of const const in atf.

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a nonexistent master list was
			referenced in an also-notify. [RT #31004]
