CHANGES 221 KB
Newer Older
1 2 3
2122.	[func]		Experimental http server and statistics support
			for named via xml.

4 5 6
2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
			second timeout. [RT #16553]

7 8
2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]

9 10 11 12
2119.	[compat]	libbind: allow res_init() to succeed enough to
			return the default domain even if it was unable
			to allocate memory.

13 14 15 16
2118.	[bug]		Handle response with long chains of domain name
			compression pointers which point to other compression
			pointers. [RT #16427]

17 18 19 20 21 22 23
2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
			which could lead to validation failures.  named didn't
			handle negative DS responses that were in the process
			of being validated.  Check CNAME bit before accepting
			NODATA proof. To be able to ignore a child NSEC there
			must be SOA (and NS) set in the bitmap. [RT #16399]

24 25 26
2116.	[bug]		'rndc reload' could cause the cache to continually
			be cleaned. [RT #16401]

27 28 29
2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
			number of masters for a zone was reduced. [RT #16444]

30
2114.	[bug]		dig/host/nslookup: searches for names with multiple
Mark Andrews's avatar
Mark Andrews committed
31
			labels were failing. [RT #16447]
32

33 34 35
2113.	[bug]		nsupdate: if a zone is specified it should be used
			for server discover. [RT# 16455]

36 37
2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]

38 39 40
2111.	[bug]		Fix a number of errors reported by Coverity.
			[RT #16507]

41 42 43
2110.	[bug]		"minimal-response yes;" interacted badly with BIND 8
			priming queries. [RT #16491]

44 45
2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]

46 47
2108.	[func]		DHCID support. [RT #16456]

48 49
2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]

50 51
2106.	[func]		'rndc status' now reports named's version. [RT #16426]

52 53
2105.	[func]		GSS-TSIG support (RFC 3645).

54 55
2104.	[port]		Fix Solaris SMF error message.

56 57 58
2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
			under Solaris.

59 60
2102.	[port]		Silence solaris 10 warnings.

61 62 63
2101.	[bug]		OpenSSL version checks were not quite right.
			[RT #16476]

64 65 66
2100.	[port]		win32: copy libeay32.dll to Build\Debug.
			Copy Debug\named-checkzone to Debug\named-compilezone.

67 68
2099.	[port]		win32: more manifiest issues.

69 70 71
2098.	[bug]           Race in rbtdb.c:no_references(), which occasionally
			triggered an INSIST failure about the node lock
			reference.  [RT #16411]
72

73 74 75
2097.	[bug]		named could reference a destroyed memory context
			after being reloaded / reconfigured. [RT #16428]

76 77 78
2096.	[bug]		libbind: handle applications that fail to detect
			res_init() failures better.

79 80 81
2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
			net_cidr_ntop_ipv6(). [RT #16388]
 
82 83
2094.	[contrib]	Update named-bootconf.  [RT# 16404]

84 85
2093.	[bug]		named-checkzone -s was broken.

86 87 88 89
2092.	[bug]		win32: dig, host, nslookup.  Use registry config
			if resolv.conf does not exist or no nameservers
			listed. [RT #15877] 

90 91
2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]

92 93 94
2090.	[port]		win32: Visual C++ 2005 command line manifest support.
			[RT #16417]

95 96 97 98 99 100 101 102
2089.	[security]	Raise the minimum safe OpenSSL versions to
			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
			prior to these have known security flaws which
			are (potentially) exploitable in named. [RT #16391]

2088.	[security]	Change the default RSA exponent from 3 to 65537.
			[RT #16391]

103 104 105
2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
			[RT #16382]

106 107 108
2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
			[RT #16403]

109 110
2085.	[doc]		win32: added index.html and README to zip. [RT #16201]

111 112
2084.	[contrib]	dbus update for 9.3.3rc2.

113 114
2083.	[port]		win32: Visual C++ 2005 support.

115 116
2082.	[doc]		Document 'cache-file' as a test only option.

117 118 119
2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
			[RT #16360]

120 121 122
2080.	[port]		libbind: res_init.c did not compile on older versions
			of Solaris. [RT #16363]

123 124 125
2079.	[bug]		The lame cache was not handling multiple types
			correctly. [RT #16361]

126 127 128 129 130 131
2078.	[bug]		dnssec-checkzone output style "default" was badly
			named.  It is now called "relative". [RT #16326]

2077.	[bug]		'dnssec-signzone -O raw' wasn't outputing the
			complete signed zone. [RT #16326]

132 133 134
2076.	[bug]		Several files were missing #include <config.h>
			causing build failures on OSF. [RT #16341]

135 136 137
2075.	[bug]		The spillat timer event hander could leak memory.
			[RT #16357]

Mark Andrews's avatar
Mark Andrews committed
138
2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
139 140 141
			dns_request_createraw2() and dns_request_createraw3()
			failed to send multiple UDP requests. [RT #16349]

142 143 144
2073.	[bug]		Incorrect semantics check for update policy "wildcard".
			[RT #16353]

145 146 147
2072.	[bug]		We were not generating valid HMAC SHA digests.
			[RT #16320]

148 149 150
2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
			[RT #16324]

151 152 153
2070.	[bug]		The remote address was not always displayed when
			reporting dispatch failures. [RT #16315]

154 155
2069.	[bug]		Cross compiling was not working. [RT #16330]

156 157 158
2068.	[cleanup]	Lower incremental tuning message to debug 1.
			[RT #16319]

159 160 161
2067.	[bug]		'rndc' could close the socket too early triggering
			a INSIST under Windows. [RT #16317]

162
2066.	[security]	Handle SIG queries gracefully. [RT #16300]
Mark Andrews's avatar
Mark Andrews committed
163

164 165 166
2065.	[bug]		libbind: probe for HPUX prototypes for
			endprotoent_r() and endservent_r().  [RT 16313]

167 168
2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]

169 170 171
2063.	[bug]		Change #1955 introduced a bug which caused the first
			'rndc flush' call to not free memory. [RT #16244]

Mark Andrews's avatar
Mark Andrews committed
172
2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
173 174
			been returned by the socket code. [RT #16307]

175 176
2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]

177 178 179
2060.	[bug]		Enabling DLZ support could leave views partially
			configured. [RT #16295]

180 181 182
2059.	[bug]		Search into cache rbtdb could trigger an INSIST
			failure while cleaning up a stale rdataset.
			[RT #16292]
183

184
2058.	[bug]		Adjust how we calculate rtt estimates in the presence
Mark Andrews's avatar
Mark Andrews committed
185
			of authoritative servers that drop EDNS and/or CD
186 187 188
			requests.  Also fallback to EDNS/512 and plain DNS
			faster for zones with less than 3 servers.  [RT #16187]

189 190 191
2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
			and allow-recursion. [RT #16290]

192 193 194
2056.	[bug]		dig: ixfr= was not being treated case insensitively
			at all times. [RT #15955]

195 196 197
2055.	[bug]		Missing goto after dropping multicast query.
			[RT #15944]

198 199 200
2054.	[port]		freebsd: do not explicitly link against -lpthread.
			[RT #16170]

201 202
2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]

203 204 205
2052.	[bug]		'rndc' improve connect failed message to report
			the failing address. [RT #15978]

206 207
2051.	[port]		More strtol() fixes. [RT #16249]

208 209 210
2050.	[bug]		Parsing of NSAP records was not case insensitive.
			[RT #16287]

211 212 213 214 215
2049.	[bug]		Restore SOA before AXFR when falling back from
			a attempted IXFR when transfering in a zone.
			Allow a initial SOA query before attempting
			a AXFR to be requested. [RT #16156]

216 217 218 219 220
2048.	[bug]		It was possible to loop forever when using
			avoid-v4-udp-ports / avoid-v6-udp-ports when
			the OS always returned the same local port.
			[RT #16182]

221 222 223
2047.	[bug]		Failed to initialise the interface flags to zero.
			[RT #16245]

224
2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
225
			cleanup [RT #16247].
226

227
2045.	[func]		Use lock buckets for acache entries to limit memory
228
			consumption. [RT #16183]
229

230
2044.	[port]		Add support for atomic operations for Itanium.
231
			[RT #16179]
232

233 234 235
2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
			for interactive sessions. [RT#16148]

236 237 238
2042.	[bug]		named-checkconf was incorrectly rejecting the
			logging category "config". [RT #16117]

239 240 241
2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
			set of libraries to be linked. [RT #16129]

242 243
2040.	[bug]		rbtdb no_references() could trigger an INSIST
			failure with --enable-atomic.  [RT #16022]
244

245
2039.	[func]		Check that all buffers passed to the socket code
Mark Andrews's avatar
Mark Andrews committed
246
			have been retrieved when the socket event is freed.
247 248 249 250 251
			[RT #16122]

2038.	[bug]		dig/nslookup/host was unlinking from wrong list
			when handling errors. [RT #16122]

252 253 254 255
2037.	[func]		When unlinking the first or last element in a list
			check that the list head points to the element to
			be unlinked. [RT #15959]

256 257 258
2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
			[RT #16075]

259 260 261 262
2035.	[func]		Make falling back to TCP on UDP refresh failure
			optional. Default "try-tcp-refresh yes;" for BIND 8
			compatibility. [RT #16123]

263 264
2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]

265 266 267
2033.	[bug]		We wern't creating multiple client memory contexts
			on demand as expected. [RT #16095]

268 269
2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]

270 271 272
2031.	[bug]		Emit a error message when "rndc refresh" is called on
			a non slave/stub zone. [RT # 16073]

273 274 275
2030.	[bug]		We were being overly conservative when disabling
			openssl engine support. [RT #16030]

276 277 278
2029.	[bug]		host printed out the server multiple times when
			specified on the command line. [RT #15992]

Mark Andrews's avatar
Mark Andrews committed
279
2028.	[port]		linux: socket.c compatability for old systems.
280 281
			[RT #16015]

Mark Andrews's avatar
Mark Andrews committed
282
2027.	[port]		libbind: Solaris x86 support. [RT #16020]
283

284 285 286
2026.	[bug]		Rate limit the two recursive client exceeded messages.
			[RT #16044]

287 288
2025.	[func]		Update "zone serial unchanged" message. [RT #16026]

289 290 291
2024.	[bug]		named emited spurious "zone serial unchanged"
			messages on reload. [RT #16027]

292 293 294
2023.	[bug]		"make install" should create ${localstatedir}/run and
			${sysconfdir} if they do not exist. [RT #16033]

295 296 297 298 299
2022.	[bug]		If dnssec validation is disabled only assert CD if
			CD was requested. [RT #16037]

2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]

300 301
2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]

302 303 304
2019.	[tuning]	Reduce the amount of work performed per quantum
			when cleaning the cache. [RT #15986]

305 306 307 308
2018.	[bug]		Checking if the HMAC MD5 private file was broken.
			[RT #15960]

2017.	[bug]		allow-query default was not correct. [RT #15946]
309

310 311 312 313
2016.	[bug]		Return a partial answer if recursion is not
			allowed but requested and we had the answer
			to the original qname. [RT #15945]

314 315 316 317 318 319
2015.	[cleanup]	use-additional-cache is now acache-enable for
			consistancy.  Default acache-enable off in BIND 9.4
			as it requires memory usage to be configured.
			It may be enabled by default in BIND 9.5 once we
			have more experience with it.

Shane Kerr's avatar
Shane Kerr committed
320 321 322
2014.	[func]		Statistics about acache now recorded and sent
			to log. [RT #15976]

323 324 325
2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
			responses more gracefully. [RT #15941]

326 327 328
2012.	[func]		Don't insert new acache entries if acache is full.
			[RT #15970]

329 330 331 332
2011.	[func]		dnssec-signzone can now update the SOA record of
			the signed zone, either as an increment or as the
			system time(). [RT #15633]

333 334
2010.	[placeholder]	rt15958

335 336
2009.	[bug]		libbind: coverity fixes. [RT #15808]

337 338 339 340 341 342 343
2008.	[func]		It is now posssible to enable/disable DNSSEC
			validation from rndc.  This is useful for the
			mobile hosts where the current connection point
			breaks DNSSEC (firewall/proxy).  [RT #15592]

				rndc validation newstate [view]

344 345 346 347
2007.	[func]		It is now possible to explicitly enable DNSSEC
			validation.  default dnssec-validation no; to
			be changed to yes in 9.5.0.  [RT #15674]

348 349 350 351 352 353 354 355 356 357 358
2006.	[security]	Allow-query-cache and allow-recursion now default
			to the builtin acls "localnets" and "localhost".

			This is being done to make caching servers less
			attractive as reflective amplifying targets for
			spoofed traffic.  This still leave authoritative
			servers exposed.

			The best fix is for full BCP 38 deployment to
			remove spoofed traffic.

359 360 361 362
2005.	[bug]		libbind: Retransmission timeouts should be
			based on which attempt it is to the nameserver
			and not the nameserver itself. [RT #13548]

363 364 365 366
2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
			dst_context_destroy() when cleaning up after a
			error. [RT #15835]

367 368 369 370 371
2003.	[bug]		libbind: The DNS name/address lookup functions could
			occasionally follow a random pointer due to
			structures not being completely zeroed. [RT #15806]

2002.	[bug]		libbind: tighten the constraints on when
372 373
			struct addrinfo._ai_pad exists.  [RT #15783]

374 375 376 377
2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
			New zone option "update-check-ksk yes;".  [RT #15817]

2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
378

379 380
1999.	[func]		Implement "rrset-order fixed". [RT #13662]

381 382 383 384
1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
			This allows named to connect to entropy gathering
			daemons that use fifos instead of sockets. [RT #15840]

385 386 387 388
1997.	[bug]		Named was failing to replace negative cache entries
			when a positive one for the type was learnt.
			[RT #15818]

389 390 391
1996.	[bug]		nsupdate: if a zone has been specified it should
			appear in the output of 'show'. [RT #15797]

392 393 394
1995.	[bug]		'host' was reporting multiple "is an alias" messages.
			[RT #15702]

395 396
1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]

397 398 399 400
1993.	[bug]		Log messsage, via syslog, were missing the space
			after the timestamp if "print-time yes" was specified.
			[RT #15844]

Mark Andrews's avatar
Mark Andrews committed
401
1992.	[bug]		Not all incoming zone transfer messages included the
402 403
			view.  [RT #15825]

404 405 406 407
1991.	[cleanup]	The configuration data, once read, should be treated
			as readonly.  Expand the use of const to enforce this
			at compile time. [RT #15813]

408 409 410 411
1990.	[bug]		libbind:  isc's override of broken gettimeofday()
			implementions was not always effective.
			[RT #15709]

412 413 414
1989.	[bug]		win32: don't check the service password when
			re-installing. [RT #15882]

415 416 417
1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
			[RT #15878]

418 419
1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]

420 421
1986.	[func]		Report when a zone is removed. [RT #15849]

422 423 424 425 426 427 428 429 430 431 432
1985.	[protocol]	DLV has now been assigned a official type code of
			32769. [RT #15807]

			Note: care should be taken to ensure you upgrade
			both named and dnssec-signzone at the same time for
			zones with DLV records where named is the master
			server for the zone.  Also any zones that contain
			DLV records should be removed when upgrading a slave
			zone.  You do not however have to upgrade all
			servers for a zone with DLV records simultaniously.

433 434 435
1984.	[func]		dig, nslookup and host now advertise a 4096 byte
			EDNS UDP buffer size by default. [RT #15855]

436 437 438
1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
			[RT #12895]

439 440 441 442
1982.	[bug]		DNSKEY was being accepted on the parent side of
			a delegation.  KEY is still accepted there for
			RFC 3007 validated updates. [RT #15620]

443 444 445
1981.	[bug]		win32: condition.c:wait() could fail to reattain
			the mutex lock.

446 447 448
1980.	[func]		dnssec-signzone: output the SOA record as the
			first record in the signed zone. [RT #15758]

449 450 451
1979.	[port]		linux: allow named to drop core after changing
			user ids. [RT #15753]

452 453 454
1978.	[port]		Handle systems which have a broken recvmsg().
			[RT #15742]

455 456
1977.	[bug]		Silence noisy log message. [RT #15704]

457 458
1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]

459 460 461
1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
			hex strings with comments. [RT #15814]

462 463 464
1974.	[doc]		List each of the zone types and associated zone
			options seperately in the ARM.

465 466 467
1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
			HMACSHA512 support. [RT #13606]

468 469 470
1972.	[contrib]	DBUS dynamic forwarders integation from
			Jason Vas Dias <jvdias@redhat.com>.

471
1971.	[port]		linux: make detection of missing IF_NAMESIZE more
472
			robust. [RT #15443]
473

474 475 476
1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
			unsigned SOA query. [RT #15775]

477 478 479
1969.	[bug]		win32: the socket code was freeing the socket
			structure too early. [RT #15776]

480 481
1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]

482 483
1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]

Mark Andrews's avatar
Mark Andrews committed
484
1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
485 486
			[RT #15727]

487 488 489
1965.	[func]		Suppress spurious "recusion requested but not
			available" warning with 'dig +qr'. [RT #15780].

490 491
1964.	[func]		Seperate out MX and SRV to CNAME checks. [RT #15723]

492 493 494
1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
			[RT #15586]

495 496 497
1962.	[bug]		Named failed to clear old update-policy when it
			was removed. [RT #15491]

498 499 500
1961.	[bug]		Check the port and address of responses forwarded
			to dispatch. [RT #15474]

501 502 503
1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
			[RT #15465]

504 505 506 507
1959.	[func]		Control the zeroing of the negative response TTL to
			a soa query.  Defaults "zero-no-soa-ttl yes;" and
			"zero-no-soa-ttl-cache no;". [RT #15460]

508 509 510
1958.	[bug]		Named failed to update the zone's secure state
			until the zone was reloaded. [RT #15412]

511 512 513
1957.	[bug]		Dig mishandled responses to class ANY queries.
			[RT #15402]

514 515 516 517
1956.	[bug]		Improve cross compile support, 'gen' is now built
			by native compiler.  See README for additional
			cross compile support information. [RT #15148]

518 519
1955.	[bug]		Pre-allocate the cache cleaning interator. [RT #14998]

Mark Andrews's avatar
Mark Andrews committed
520
1954.	[func]		Named now falls back to advertising EDNS with a
521 522 523
			512 byte receive buffer if the initial EDNS queries
			fail.  [RT #14852]

Mark Andrews's avatar
Mark Andrews committed
524
1953.	[func]		The maximum EDNS UDP response named will send can
525 526 527 528
			now be set in named.conf (max-udp-size).  This is
			independent of the advertised receive buffer
			(edns-udp-size). [RT #14852]

529 530 531
1952.	[port]		hpux: tell the linker to build a runtime link
			path "-Wl,+b:". [RT #14816].

532 533 534 535
1951.	[security]	Drop queries from particular well known ports.
			Don't return FORMERR to queries from particular
			well known ports.  [RT #15636]
			
536 537 538 539
1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
			a TCP socket. This prevents the source address being
			set for TCP connections. [RT #15628]

540 541
1949.	[func]		Addition memory leakage checks. [RT #15544]

542 543 544 545
1948.	[bug]		If was possible to trigger a REQUIRE failure in
			xfrin.c:maybe_free() if named ran out of memory.
			[RT #15568]

546 547 548 549 550
1947.	[func]		It is now possible to configure named to accept
			expired RRSIGs.  Default "dnssec-accept-expired no;".
			Setting "dnssec-accept-expired yes;" leaves named
			vulnerable to replay attacks.  [RT #14685]

551 552 553
1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
			when using forwarders. [RT #15549]

554
1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is nolonger recommended.
Mark Andrews's avatar
Mark Andrews committed
555
			To generate a RSAMD5 key you must explicitly request
556 557
			RSAMD5. [RT #13780]
			
558 559 560
1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
			[RT #15522]

Mark Andrews's avatar
Mark Andrews committed
561
1943.	[bug]		Set the loadtime after rolling forward the journal.
562 563
			[RT #15647]

564 565 566 567
1942.	[bug]		If the name of a DNSKEY match that of one in
			trusted-keys do not attempt to validate the DNSKEY
			using the parents DS RRset. [RT #15649]

568 569 570
1941.	[bug]		ncache_adderesult() should set eresult even if no
			rdataset is passed to it. [RT #15642]

571 572 573
1940.	[bug]		Fixed a number of error conditions reported by
			Coverity.

574 575 576 577 578 579 580
1939.	[bug]		The resolver could dereference a null pointer after
			validation if all the queries have timed out.
			[RT #15528]

1938.	[bug]		The validator was not correctly handling unsecure
			negative responses at or below a SEP. [RT #15528]

581 582
1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]

Mark Andrews's avatar
Mark Andrews committed
583
1936.	[bug]		The validator could leak memory. [RT #15544]
584

585 586 587 588 589 590
1935.	[bug]		'acache' was DO sensitive. [RT #15430]

1934.	[func]		Validate pending NS RRsets, in the authority section,
			prior to returning them if it can be done without
			requiring DNSKEYs to be fetched.  [RT #15430]

Mark Andrews's avatar
Mark Andrews committed
591
1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
592

593 594
1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]

595 596
1931.	[bug]		Per-client mctx could require a huge amount of memory,
			particularly for a busy caching server. [RT #15519]
597

598 599 600 601
1930.	[port]		HPUX: ia64 support. [RT #15473]

1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

602 603
1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]

604 605 606
1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
			lock order rule and could cause a dead lock.
			[RT# 15518]
607

608
1926.	[bug]		The Windows installer did not check for empty
609 610
			passwords.  BINDinstall was being installed in
			the wrong place. [RT #15483]
611

612 613 614
1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
			defaults. [RT #15469]

615 616
1924.	[port]		libbind: hpux ia64 support. [RT #15473]

617 618
1923.	[bug]		ns_client_detach() called too early. [RT #15499]

619 620 621
1922.	[bug]		check-tool.c:setup_logging() missing call to
			dns_log_setcontext().

Mark Andrews's avatar
Mark Andrews committed
622
1921.	[bug]		Client memory contexts were not using internal
623 624
			malloc. [RT# 15434]

Mark Andrews's avatar
update  
Mark Andrews committed
625
1920.	[bug]		The cache rbtdb lock array was too small to
626 627 628
			have the desired performance characteristics.
			[RT #15454]

629 630 631
1919.	[contrib]	queryperf: a set of new features: collecting/printing
			response delays, printing intermediate results, and
			adjusting query rate for the "target" qps.
632

633 634
1918.	[bug]		Memory leak when checking acls. [RT #15391]

635 636 637
1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
			when generating man pages. [RT #15385]

638 639
1916.	[func]		Integrate contibuted IDN code from JPNIC. [RT #15383]

640 641
1915.	[bug]		dig +ndots was broken. [RT #15215]

642 643 644 645
1914.	[protocol]	DS is required to accept mnemonic algorithms
			(RFC 4034).  Still emit numeric algorithms for
			compatability with RFC 3658. [RT #15354]

646 647
1913.	[func]		Integrate contibuted DLZ code into named. [RT #11382]

Mark Andrews's avatar
Mark Andrews committed
648
1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
649

Mark Andrews's avatar
Mark Andrews committed
650
1911.	[bug]		Update windows socket code. [RT #14965]
651

Mark Andrews's avatar
Mark Andrews committed
652
1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
653

Mark Andrews's avatar
Mark Andrews committed
654
1909.	[bug]		The DLV code has been re-worked to make no longer
655 656
			query order sensitive. [RT #14933]

Mark Andrews's avatar
Mark Andrews committed
657
1908.	[func]		dig now warns if 'RA' is not set in the answer when
658 659 660 661
			'RD' was set in the query.  host/nslookup skip servers
			that fail to set 'RA' when 'RD' is set unless a server
			is explicitly set.  [RT #15005]

Mark Andrews's avatar
Mark Andrews committed
662
1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
663 664
			[RT #15006]

Mark Andrews's avatar
Mark Andrews committed
665
1906.	[func]		dig now has a '-q queryname' and '+showsearch' options.
666 667
			[RT #15034]

Mark Andrews's avatar
Mark Andrews committed
668
1905.	[bug]		Strings returned from cfg_obj_asstring() should be
669 670 671 672
			treated as read-only.  The prototype for 
			cfg_obj_asstring() has been updated to reflect this.
			[RT #15256]

Mark Andrews's avatar
Mark Andrews committed
673
1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
674 675 676 677 678 679
			friends.  Note: RFC 1918 zones are not yet covered by
			this but are likely to be in a future release.

			New options: empty-server, empty-contact,
			empty-zones-enable and disable-empty-zone.

Mark Andrews's avatar
Mark Andrews committed
680
1903.	[func]		ISC string copy API.
681

Mark Andrews's avatar
Mark Andrews committed
682
1902.	[func]		Attempt to make the amount of work performed in a
683 684 685 686 687 688
			iteration self tuning.  The covers nodes clean from
			the cache per iteration, nodes written to disk when
			rewriting a master file and nodes destroyed per
			iteration when destroying a zone or a cache.
			[RT #14996]

Mark Andrews's avatar
Mark Andrews committed
689
1901.	[cleanup]	Don't add DNSKEY records to the additional section.
690

Mark Andrews's avatar
Mark Andrews committed
691
1900.	[bug]		ixfr-from-differences failed to ensure that the
692 693
			serial number increased. [RT #15036]

Mark Andrews's avatar
Mark Andrews committed
694
1899.	[func]		named-checkconf now validates update-policy entries.
695 696
			[RT #14963]

Mark Andrews's avatar
Mark Andrews committed
697
1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
698 699
			ISC_NETADDR_FORMATSIZE to allow for scope details.

Mark Andrews's avatar
Mark Andrews committed
700
1897.	[func]		x86 and x86_64 now have seperate atomic locking
701 702
			implementations.

Mark Andrews's avatar
Mark Andrews committed
703
1896.	[bug]		Recursive clients soft quota support wasn't working
704 705
			as expected. [RT #15103]

Mark Andrews's avatar
Mark Andrews committed
706
1895.	[bug]		A escaped character is, potentially, converted to
707 708
			the output character set too early. [RT #14666]

Mark Andrews's avatar
Mark Andrews committed
709
1894.	[doc]		Review ARM for BIND 9.4.
710

Mark Andrews's avatar
Mark Andrews committed
711
1893.	[port]		Use uintptr_t if available. [RT #14606]
712

Mark Andrews's avatar
Mark Andrews committed
713
1892.	[func]		Support for SPF rdata type. [RT #15033]
714

Mark Andrews's avatar
Mark Andrews committed
715
1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
716 717
			of memory. [RT #14995]

Mark Andrews's avatar
Mark Andrews committed
718
1890.	[func]		Raise the UDP recieve buffer size to 32k if it is
719 720
			less than 32k. [RT #14953]

Mark Andrews's avatar
Mark Andrews committed
721
1889.	[port]		sunos: non blocking i/o support. [RT #14951]
722

Mark Andrews's avatar
Mark Andrews committed
723
1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
724

Mark Andrews's avatar
Mark Andrews committed
725
1887.	[bug]		The cache could delete expired records too fast for
726 727
			clients with a virtual time in the past. [RT #14991]

Mark Andrews's avatar
Mark Andrews committed
728
1886.	[bug]		fctx_create() could return success even though it
729 730
			failed. [RT #14993]

Mark Andrews's avatar
Mark Andrews committed
731
1885.	[func]		dig: report the number of extra bytes still left in
732 733
			the packet after processing all the records.

Mark Andrews's avatar
Mark Andrews committed
734
1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
735

Mark Andrews's avatar
Mark Andrews committed
736
1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
737 738
			levels. [RT #14962]

Mark Andrews's avatar
Mark Andrews committed
739
1882.	[func]		Limit the number of recursive clients that can be
740 741 742 743
			waiting for a single query (<qname,qtype,qclass>) to
			resolve.  New options clients-per-query and
			max-clients-per-query.

Mark Andrews's avatar
Mark Andrews committed
744
1881.	[func]		Add a system test for named-checkconf. [RT #14931]
745

Mark Andrews's avatar
Mark Andrews committed
746
1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
747 748 749
			basis as some servers only appear to be lame for
			certain query types.  [RT #14916]

Mark Andrews's avatar
Mark Andrews committed
750
1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
751 752
			[RT #14892]

Mark Andrews's avatar
Mark Andrews committed
753
1878.	[func]		Detect duplicates of UDP queries we are recursing on
754
			and drop them.  New stats category "duplicates".
755
			[RT #2471]
756

Mark Andrews's avatar
Mark Andrews committed
757
1877.	[bug]		Fix unreasonably low quantum on call to
758 759 760
			dns_rbt_destroy2().  Remove unnecessay unhash_node()
			call. [RT #14919]

Mark Andrews's avatar
Mark Andrews committed
761
1876.	[func]		Additional memory debugging support to track size
Mark Andrews's avatar
Mark Andrews committed
762
			and mctx arguments. [RT #14814]
763

Mark Andrews's avatar
Mark Andrews committed
764
1875.	[bug]		process_dhtkey() was using the wrong memory context
765 766
			to free some memory. [RT #14890]

Mark Andrews's avatar
Mark Andrews committed
767
1874.	[port]		sunos: portability fixes. [RT #14814]
768

Mark Andrews's avatar
Mark Andrews committed
769
1873.	[port]		win32: isc__errno2result() now reports its caller.
770 771
			[RT #13753]

Mark Andrews's avatar
Mark Andrews committed
772
1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
773

Mark Andrews's avatar
Mark Andrews committed
774
1871.	[placeholder]
775

Mark Andrews's avatar
Mark Andrews committed
776
1870.	[func]		Added framework for handling multiple EDNS versions.
777
			[RT #14873]
778

Mark Andrews's avatar
Mark Andrews committed
779
1869.	[func]		dig can now specify the EDNS version when making
780
			a query. [RT #14873]
781

782 783
1868.	[func]		edns-udp-size can now be overridden on a per
			server basis. [RT #14851]
Mark Andrews's avatar
Mark Andrews committed
784

785 786
1867.	[bug]		It was possible to trigger a INSIST in
			dlv_validatezonekey(). [RT #14846]
Mark Andrews's avatar
Mark Andrews committed
787

788 789
1866.	[bug]		resolv.conf parse errors were being ignored by
			dig/host/nslookup. [RT #14841]
Mark Andrews's avatar
Mark Andrews committed
790

791 792
1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
			bad addresses. [RT #14841]
Mark Andrews's avatar
Mark Andrews committed
793

794 795 796
1864.	[bug]		Don't try the alternative transfer source if you
			got a answer / transfer with the main source
			address. [RT #14802]
Mark Andrews's avatar
Mark Andrews committed
797

798 799
1863.	[bug]		rrset-order "fixed" error messages not complete.

800 801 802 803 804 805 806
1862.	[func]		Add additional zone data constancy checks.
			named-checkzone has extended checking of NS, MX and 
			SRV record and the hosts they reference.
			named has extended post zone load checks.
			New zone options: check-mx and integrity-check. 
			[RT #4940]

807 808
1861.	[bug]		dig could trigger a INSIST on certain malformed
			responses. [RT #14801]
Mark Andrews's avatar
Mark Andrews committed
809

810 811
1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
			incorrectly set. [RT #14775]
Mark Andrews's avatar
Mark Andrews committed
812

813
1859.	[func]		Add support for CH A record. [RT #14695]
Mark Andrews's avatar
Mark Andrews committed
814

815 816 817
1858.	[bug]		The flush-zones-on-shutdown option wasn't being
			parsed. [RT #14686]

818 819
1857.	[bug]		named could trigger a INSIST() if reconfigured /
			reloaded too fast.  [RT #14673]
Mark Andrews's avatar
Mark Andrews committed
820

Rob Austein's avatar
regen  
Rob Austein committed
821 822 823
1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
			[RT #11398]

824 825 826
1855.	[bug]		ixfr-from-differences was failing to detect changes
			of ttl due to dns_diff_subtract() was ignoring the ttl
			of records.  [RT #14616]
Mark Andrews's avatar
Mark Andrews committed
827

828 829 830
1854.	[bug]		lwres also needs to know the print format for
			(long long).  [RT #13754]

831 832 833
1853.	[bug]		Rework how DLV interacts with proveunsecure().
			[RT #13605]

834 835 836
1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
			dnssec-makekeyset (removed from Makefile years ago).

837 838
1851.	[doc]		Doxygen comment markup. [RT #11398]

839 840
1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]

841 842 843
1849.	[doc]		All forms of the man pages (docbook, man, html) should
			have consistant copyright dates.

844 845
1848.	[bug]		Improve SMF integration. [RT #13238]

846
1847.	[bug]		isc_ondestroy_init() is called too late in
Mark Andrews's avatar
Mark Andrews committed
847
			dns_rbtdb_create()/dns_rbtdb64_create(). 
848 849
			[RT #13661]
			
850 851 852
1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
			<bortzmeyer@nic.fr>.

853 854 855
1845.	[bug]		Improve error reporting to distingish between
			accept()/fcntl() and socket()/fcntl() errors.
			[RT #13745]
Mark Andrews's avatar
Mark Andrews committed
856

857 858 859 860 861 862
1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
			for each 16 bit piece of the IPv6 address.  The text
			representation of a IPv6 address has been tighted
			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
			[RT #5662]

863 864 865 866 867
1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
			when CFLAGS contains "-I /usr/local/include"
			resulting in old header files being used.

1842.	[port]		cmsg_len() could produce incorrect results on
868 869
			some platform. [RT #13744]

870 871
1841.	[bug]		"dig +nssearch" now makes a recursive query to
			find the list of nameservers to query. [RT #13694]
Mark Andrews's avatar
Mark Andrews committed
872

Mark Andrews's avatar
Mark Andrews committed
873
1840.	[func]		dnssec-signzone can now randomize signature end times
874 875
			(dnssec-signzone -j jitter). [RT #13609]

876 877
1839.	[bug]		<isc/hash.h> was not being installed.

878 879
1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
			[RT #13707]
Mark Andrews's avatar
Mark Andrews committed
880

881 882
1837.	[bug]		Compile time option ISC_FACILITY was not effective
			for 'named -u <user>'.  [RT #13714]
Mark Andrews's avatar
Mark Andrews committed
883

884 885
1836.	[cleanup]	Silence compiler warnings in hash_test.c.

886 887
1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]

888 889
1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]

890 891
1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]

892 893 894
1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
			[RT #13620]

895 896
1831.	[doc]		Update named-checkzone documentation. [RT#13604]

897 898
1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]

899 900
1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]

901 902 903
1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
			encountered a error. [RT #13549]

904 905
1827.	[bug]		host: update usage message for '-a'. [RT #37116]

906 907 908 909 910
1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
			of memory error. [RT #13537]

1825.	[bug]		Missing UNLOCK() on out of memory error from in
			rbtdb.c:subtractrdataset(). [RT #13519]
911

912 913 914
1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
			[RT #13510]

915 916 917
1823.	[bug]		Wrong macro used to check for point to point interface.
			[RT#13418]

918 919
1822.	[bug]		check-names test for RT was reversed. [RT #13382]

Mark Andrews's avatar
Mark Andrews committed
920 921
1821.	[placeholder]

922
1820.	[bug]		Gracefully handle acl loops. [RT #13659]
Mark Andrews's avatar
Mark Andrews committed
923

924 925 926 927
1819.	[bug]		The validator needed to check both the algorithm and
			digest types of the DS to determine if it could be
			used to introduce a secure zone. [RT #13593]

928 929
1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]

930
1817.	[func]		Add support for additional zone file formats for
931 932
			improving loading performance.  The masterfile-format
			option in named.conf can be used to specify a
933
			non-default format.  A separate command
934
			named-compilezone was provided to generate zone files
935 936 937
			in the new format.  Additionally, the -I and -O options
			for dnssec-signzone specify the input and output
			formats.
938

939 940
1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
			[RT #13597]
Mark Andrews's avatar
Mark Andrews committed
941

942 943 944
1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
			without also setting the zone and it encountered
			a CNAME and was using TSIG.  [RT #13086]
Mark Andrews's avatar
Mark Andrews committed
945

946
1814.	[func]		UNIX domain controls are now supported.
Mark Andrews's avatar
Mark Andrews committed
947

948 949 950 951
1813.	[func]		Restructured the data locking framework using
			architecture dependent atomic operations (when
			available), improving response performance on
			multi-processor machines significantly.
952
			x86, x86_64, alpha, powerpc, and mips are currently
953
			supported.
954

955 956 957
1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
			[RT #13453]

958 959
1811.	[func]		Preserve the case of domain names in rdata during
			zone transfers. [RT #13547]
Mark Andrews's avatar
Mark Andrews committed
960

961 962 963
1810.	[bug]		configure, lib/bind/configure make different default
			decisions about whether to do a threaded build.
			[RT #13212]
Mark Andrews's avatar
Mark Andrews committed
964

965 966
1809.	[bug]		"make distclean" failed for libbind if the platform
			is not supported.
Mark Andrews's avatar
Mark Andrews committed
967

968 969
1808.	[bug]		zone.c:notify_zone() contained a race condition,
			zone->db could change underneath it.  [RT #13511]
Mark Andrews's avatar
Mark Andrews committed
970

971 972
1807.	[bug]		When forwarding (forward only) set the active domain
			from the forward zone name. [RT #13526]
Mark Andrews's avatar
Mark Andrews committed
973

974 975 976
1806.	[bug]		The resolver returned the wrong result when a CNAME /
			DNAME was encountered when fetching glue from a
			secure namespace. [RT #13501]
Mark Andrews's avatar
Mark Andrews committed
977

978 979
1805.	[bug]		Pending status was not being cleared when DLV was
			active. [RT #13501]
Mark Andrews's avatar
Mark Andrews committed
980

981 982 983
1804.	[bug]		Ensure that if we are queried for glue that it fits
			in the additional section or TC is set to tell the
			client to retry using TCP. [RT #10114]
Mark Andrews's avatar
Mark Andrews committed
984

985 986
1803.	[bug]		dnssec-signzone sometimes failed to remove old
			RRSIGs. [RT #13483]
Mark Andrews's avatar
Mark Andrews committed
987

988
1802.	[bug]		Handle connection resets better. [RT #11280]
Mark Andrews's avatar
Mark Andrews committed
989

990 991
1801.	[func]		Report differences between hints and real NS rrset
			and associated address records.
Mark Andrews's avatar
Mark Andrews committed
992

993 994 995
1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
			[RT #13428]

996 997
1799.	[bug]		'rndc flushname' failed to flush negative cache
			entries. [RT #13438]
Mark Andrews's avatar
Mark Andrews committed
998

999 1000
1798.	[func]		The server syntax has been extended to support a
			range of servers.  [RT #11132]
Mark Andrews's avatar
Mark Andrews committed
1001

1002 1003 1004
1797.	[func]		named-checkconf now check acls to verify that they
			only refer to existing acls. [RT #13101]

1005
1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
Mark Andrews's avatar
Mark Andrews committed
1006

Mark Andrews's avatar
Mark Andrews committed
1007
1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
1008
			formating issues with "rndc dumpdb -all".  [RT #13396]
Mark Andrews's avatar
Mark Andrews committed
1009

1010 1011
1794.	[func]		Named and named-checkzone can now both check for
			non-terminal wildcard records.
<