CHANGES 375 KB
3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[port]		Support NAPTR regular expression validation on
			all platforms.  [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	removed use of const const in atf

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a non-existent master list was
			referenced in an also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]

3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
			if built with readline support. [RT #29550]

3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
			were not C++ safe.

3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
			atomic operations. [RT #25181]

3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

3363.	[bug]		Need to allow "forward" and "forwarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]

3360.	[bug]		'host -w' could die.  [RT #18723]

3359.	[bug]		An improperly-formed TSIG secret could cause a
			memory leak. [RT #30607]

3358.	[placeholder]

3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

3355.	[port]		Use more portable awk in verify system test.

3354.	[func]		Improve OpenSSL error logging. [RT #29932]

3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

3352.	[bug]		Ensure that learned server attributes time out of the
			adb cache. [RT #29856]

3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

3349.	[bug]		Change #3345 was incomplete. [RT #30233]

3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
			permissions of the existing file. [RT #27724]

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'map' zone file format, which is an image
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
			'map' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in unit tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing an
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]

3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting.  Also
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			   statement to limit the false data that
			   "recursive-only no" can introduce into
			   resolvers' caches
			 - add an RPZ performance test to bin/tests/system/rpz
			   when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			   (The old encoding is still accepted.)
			[RT #26172]


3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while refresh_callback
			and stub_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained characters that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with an INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT #26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with more than 512 records in an RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold an internal reference to the zone while performing
			an asynchronous load.  Address potential memory leak
			if the asynchronous load is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'.  (To avoid
			future confusion, both options now work.) [RT #27173]

3274.	[placeholder]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to convert 64 bit hex strings. [RT #27653]

	--- 9.9.0rc2 released ---

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]

3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

3261.	[func]		RRset ordering now defaults to random. [RT #27174]

3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]

	--- 9.9.0rc1 released ---

3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3257.	[bug]		Do not generate an error message when calling fsync()
			in a pipe or socket. [RT #27109]

3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that an empty zone be explicitly
			enabled or that an empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

3251.	[bug]		Enforce an upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent runaway memory consumption on ISC_R_NOSPACE.
			[RT #26956]

3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

3249.	[bug]		Update log message when saving slave zone files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with an empty also-notify list.
			[RT #27087]

3245.	[bug]		Don't report an error for unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

3244.	[func]		Added readline support to nslookup and nsupdate.
			Also simplified nsupdate syntax to make "update"
			and "prereq" optional. [RT #24659]

3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

3242.	[func]		Extended the header of raw-format master files to
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.

			(Note: raw zonefiles generated by this version of
			BIND are no longer compatible with prior versions.
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
			lib/dns/rbtdb.c:iszonesecure. [RT #26913]

3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

3235.	[func]		dns_db_diffx, an extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

3231.	[bug]		named could fail to send an incompressible zone.
			[RT #26796]

3230.	[bug]		'dig axfr' failed to properly handle a multi-message
			axfr with a serial of 0. [RT #26796]

3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]

3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

3226.	[bug]		Address minor resource leakages. [RT #26624]

3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

3221.	[bug]		Fixed a potential core dump on shutdown due to
			referencing fetch context after it's been freed.
			[RT #26720]

	--- 9.9.0b2 released ---

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3219.	[bug]		Disable NOEDNS caching following a timeout.

3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]

3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]

3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading to a
			possible assertion failure. [RT #23219]

3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]

3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
			[RT #25522]

3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

3205.	[func]		Upgrade dig's defaults to better reflect modern
			nameserver behavior.  Enable "dig +adflag" and
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]

3204.	[bug]		When a master server that has been marked as
			unreachable sends a NOTIFY, mark it reachable
			again. [RT #25960]

3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

3202.	[bug]		NOEDNS caching on timeout was too aggressive.