CHANGES

1586.	[func]		"check-names" is now implemented.

1585.	[placeholder]	rt10497

1584.	[placeholder]	rt10461

1583.	[placeholder]	rt10452

1582.	[bug]		rrset-order failed to work on RRsets with more
			than 32 elements. [RT #10381]

1581.	[func]		Disable DNSSEC support by default.  To enable
			DNSSEC specify "enable-dnssec yes;" in named.conf.

1580.	[placeholder]	rt3746a

1579.	[placeholder]	rt3746a

1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
			[RT #10346]

1577.	[placeholder]	rt10331

1576.	[bug]		Race condition in dns_dispatch_addresponse().
			[RT# 10272]

1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]

1574.	[bug]		Don't attempt to open the controls socket(s) when
			running tests. [RT #9091]


1573.	[port]		linux: update to libtool 1.5.2 so that
			"make install DESTDIR=/xx" works with
			"configure --with-libtool".  [RT #9941]

1572.	[bug]		nsupdate: sign the soa query to find the enclosing
			zone if the server is specified. [RT #10148]

1571.	[bug]		rbt:hash_node() could fail leaving the hash table
			in an inconsistant state.  [RT #10208]

1570.	[placeholder]	rt10202

1569.	[placeholder]	rt10236

1568.	[placeholder]	rt10236

1567.	[bug]		B.ROOT-SERVERS.NET is now 192.228.79.201.

1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
			This also solved the problem that match-destinations
			for IPv6 addresses did not work on these systems.
			[RT #10221]

1565.	[bug]		CD flag should be copied to outgoing queries unless
			the query is under a secure entry point in which case
			CD should be set.

1564.	[func]		Attempt to provide a fallback entropy source to be
			used if named is running chrooted and named is unable
			to open entropy source within the chroot area.
			[RT #10133]

1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
			nor an IPv6 dispatch. [RT #10230]

1562.	[bug]		isc_socket_create() and isc_socket_accept() could
			leak memory under error conditions. [RT #10230]

1561.	[bug]		It was possible to release the same name twice if
			named ran out of memory. [RT #10197]

1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
			and EAI_NONAME to the same value.

1559.	[placeholder]	rt10194

1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
			child zones for which we don't have a supported
			algorithm.  Such child zones are treated as unsigned.

1557.	[func]		Implement missing DNSSEC tests for
			* NOQNAME proof with wildcard answers.
			* NOWILDARD proof with NXDOMAIN.
			Cache and return NOQNAME with wildcard answers.

1556.   [bug]		nsupdate now treats all names as fully qualified.
			[RT #6427]

1555.	[func]		'rrset-order cyclic' no longer has a random starting
			point. [RT #7572]

1554.	[bug]		dig, host, nsloolup failed when no nameservers
			were specified in /etc/resolv.conf. [RT #8232]

1553.	[bug]		The windows socket code could stop accepting
			connections. [RT#10115]

1552.	[bug]		Accept NOTIFY requests from mapped masters if
			matched-mapped is set. [RT #10049]

1551.	[port]		Open "/dev/null" before calling chroot().

1550.	[port]		Call tzset(), if available, before calling chroot().

1549.	[func]		named-checkzone can now write out the zone contents
			in a easily parsable format (-D and -o).

1548.	[bug]		When parsing APL records it was possible to silently
			accept out of range ADDRESSFAMILY values. [RT# 9979]

1547.	[bug]		Named wasted memory recording duplicate lame zone
			entries. [RT #9341]

1546.	[bug]		We were rejecting valid secure CNAME to negative
			answers.

1545.	[bug]		It was possible to leak memory if named was unable to
			bind to the specified transfer source and TSIG was
			being used. [RT #10120]

1544.	[bug]		Named would logged a single entry to a file despite it
			being over the specified size limit.
			
1543.	[bug]		Logging using "versions unlimited" did not work.

1542.	[placeholder]

1541.	[func]		NSEC now uses new bitmap format.

1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
			[RT #8934]

1539.	[bug]		Open UDP sockets for notify-source and transfer-source
			that use reserved ports at startup. [RT #9475]

1538.	[placeholder]	rt9997

1537.	[func]		New option "querylog".  If set specify whether query
			logging	is to be enabled or disabled at startup.

1536.	[bug]		Windows socket code failed to log a error description
			when returning ISC_R_UNEXPECTED. [RT #9998]

1535.	[placeholder]

1534.	[bug]		Race condition when priming cache. [RT# 9940]

1533.	[func]		Warn if both "recusion no;" and "allow-recursion"
			are active. [RT# 4389]

1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
			requires <sys/param.h>.

1531.	[port]		AIX more libtool fixes.

1530.	[bug]		It was possible to trigger a INSIST() failure if a
			slave master file was removed at just the correct
			moment. [RT #9462]

1529.	[bug]		"notify explict;" failed to log that NOTIFY messages
			were being sent for the zone.

1528.	[cleanup]	Simplify some dns_name_ functions based on the
			deprecation of bitstring labels.

1527.	[cleanup]	Reduce the number of gettimeofday() calls without
			losing necessary timer granularity.

1526.	[placeholder]

1525.	[bug]		dns_cache_create() could trigger a REQUIRE
			failure in isc_mem_put() during error cleanup.
			[RT# 9360]

1524.	[port]		AIX needs to be able to resolve all symbols when
			creating shared libraries (--with-libtool).

1523.	[bug]		Fix race condition in rbtdb. [RT# 9189]

1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
			[RT# 9286]

1521.	[bug]		dns_view_createresolver() failed to check the
			result from isc_mem_create(). [RT# 9294]

1520.	[protocol]	Add SSHFP (SSH Finger Print) type.

1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
			length of the new bitmap.

1518.   [bug]           dns_nsec_buildrdata(), and hence dns_nsec_build(),
			contained a off-by-one error when working out the
			number of octets in the bitmap.

1517.   [port]          Support for IPv6 interface scanning on HP/UX and
                        TrueUNIX 5.1.

1516.   [func]          Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.

1515.   [func]          Allow transfer source to be set in a server statement.
                        [RT #6496]

1514.   [bug]           named: isc_hash_destroy() was being called too early.
                        [RT #9160]

1513.   [doc]           Add "US" to root-delgation-only exclude list.

1512.   [bug]           Extend the delegation-only logging to return query
                        type, class and responding nameserver.

1511.   [bug]           delegation-only was generating false positives
                        on negative answers from subzones.

1510.   [func]          New view option "root-delegation-only".  Apply
                        delegation-only check to all TLDs and root.
                        Note there are some TLDs that are NOT delegation
                        only (e.g. DE, LV, US and MUSEUM) these can be excluded
                        from the checks by using exclude.

                        root-delegation-only exclude {
                                "DE"; "LV"; "US"; "MUSEUM";
                        };

1509.   [bug]           Hint zones should accept delegation-only.  Forward
                        zone should not accept delegation-only.

1508.   [bug]           Don't apply delegation-only checks to answers from
                        forwarders.

1507.   [bug]           Handle BIND 8 style returns to NS queries to parents
                        when making delegation-only checks.

1506.   [bug]           Wrong return type for dns_view_isdelegationonly().

1505.   [bug]           Uninitialised rdataset in sdb. [RT #8750]

1504.   [func]          New zone type "delegation-only".

1503.   [port]          win32: install libeay32.dll outside of system32.

1502.   [bug]           nsupdate: adjust timeouts for UPDATE requests over TCP.

1501.   [func]          Allow TCP queue length to be specified via
                        named.conf, tcp-listen-queue.

1500.   [bug]           host failed to lookup MX records.  Also look up
                        AAAA records.

1499.   [bug]           isc_random need to be seeded better if arc4random()
                        is not used.

1498.   [port]          bsdos: 5.x support.

1497.   [placeholder]

1496.   [port]          test for pthread_attr_setstacksize().

1495.   [cleanup]       Replace hash functions with universal hash.

1494.   [security]      Turn on RSA BLINDING as a precaution.

1493.   [placeholder]

1492.   [cleanup]       Preserve rwlock quota context when upgrading /
                        downgrading. [RT #5599]

1491.   [bug]           dns_master_dump*() would produce extraneous $ORIGIN
                        lines. [RT #6206]

1490.   [bug]           Accept reading state as well as working state in
                        ns_client_next(). [RT #6813]

1489.   [compat]        Treat 'allow-update' on slave zones as a warning.
                        [RT #3469]

1488.   [bug]           Don't override trust levels for glue addresses.
                        [RT #5764]

1487.   [bug]           A REQUIRE() failure could be triggered if a zone was
                        queued for transfer and the zone was then removed.
                        [RT #6189]

1486.   [bug]           isc_print_snprintf() '%%' consumed one too many format
                        characters. [RT# 8230]

1485.   [bug]           gen failed to handle high type values. [RT #6225]

1484.   [bug]           The number of records reported after a AXFR was wrong.
                        [RT #6229]

1483.   [bug]           dig axfr failed if the message id in the answer failed
                        to match that in the request.  Only the id in the first
                        message is required to match. [RT #8138]

1482.   [bug]           named could fail to start if the kernel supports
                        IPv6 but no interfaces are configured.  Similarly
                        for IPv4. [RT #6229]

1481.   [bug]           Refresh and stub queries failed to use masters keys
                        if specified. [RT #7391]

1480.   [bug]           Provide replay protection for rndc commands.  Full
                        replay protection requires both rndc and named to
                        be updated.  Partial replay protection (limited
                        exposure after restart) is provided if just named
                        is updated.

1479.   [bug]           cfg_create_tuple() failed to handle out of
                        memory cleanup.  parse_list() would leak memory
                        on syntax errors.

1478.   [port]          ifconfig.sh didn't account for other virtual
                        interfaces.  It now takes a optional arguement
                        to specify the first interface number. [RT #3907]

1477.   [bug]           memory leak using stub zones and TSIG.

1476.   [placeholder]

1475.   [port]          Probe for old sprintf().

1474.   [port]          Provide strtoul() and memmove() for platforms
                        without them.

1473.   [bug]           create_map() and create_string() failed to handle out
                        of memory cleanup.  [RT #6813]

1472.   [contrib]       idnkit-1.0 from JPNIC, replaces mdnkit.

1471.   [bug]           libbind: updated to BIND 8.4.0.

1470.   [bug]           Incorrect length passed to snprintf. [RT #5966]

1469.   [func]          Log end of outgoing zone transfer at same level
                        as the start of transfer is logged. [RT #4441]

1468.   [func]          Internal zones are no longer counted for
                        'rndc status'.  [RT #4706]

1467.   [func]          $GENERATES now supports optional class and ttl.

1466.   [bug]           lwresd configuration errors resulted in memory
                        and lock leaks.  [RT #5228]

1465.   [bug]           isc_base64_decodestring() and isc_base64_tobuffer()
                        failed to check that trailing bits were zero allowing
                        some invalid base64 strings to be accepted.  [RT #5397]

1464.   [bug]           Preserve "out of zone" data for outgoing zone
                        transfers. [RT #5192]

1463.   [bug]           dns_rdata_from{wire,struct}() failed to catch bad
                        NXT bit maps. [RT #5577]

1462.   [bug]           parse_sizeval() failed to check the token type.
                        [RT #5586]

1461.   [bug]           Remove deadlock from rbtdb code. [RT #5599]

1460.   [bug]           inet_pton() failed to reject certain malformed
                        IPv6 literals.

1459.   [placeholder]

1458.   [cleanup]       sprintf() -> snprintf().

1457.   [port]          Provide strlcat() and strlcpy() for platforms without
                        them.

1456.   [contrib]       gen-data-queryperf.py from Stephane Bortzmeyer.

1455.   [bug]           <netaddr> missing from server grammar in
                        doc/misc/options. [RT #5616]

1454.   [port]          Use getifaddrs() if available for interface scanning.
                        --disable-getifaddrs to override.  Glibc currently
                        has a getifaddrs() that does not support IPv6.
                        Use --enable-getifaddrs=glibc to force the use of
                        this version under linux machines.

1453.   [doc]           ARM: $GENERATE example wasn't accurate. [RT #5298]

1452.   [placeholder]

1451.   [bug]           rndc-confgen didn't exit with a error code for all
                        failures. [RT #5209]

1450.   [bug]           Fetching expired glue failed under certain
                        circumstances.  [RT #5124]

1449.   [bug]           query_addbestns() didn't handle running out of memory
                        gracefully.

1448.   [bug]           Handle empty wildcards labels.

1447.   [bug]           We were casting (unsigned int) to and from (void *).
                        rdataset->private4 is now rdataset->privateuint4
                        to reflect a type change.

1446.   [func]          Implemented undocumented alternate transfer sources
                        from BIND 8.  See use-alt-transfer-source,
                        alt-transfer-source and alt-transfer-source-v6.

                        SECURITY: use-alt-transfer-source is ENABLED unless
                        you are using views.  This may cause a security risk
                        resulting in accidental disclosure of wrong zone
                        content if the master supplying different source
                        content based on IP address.  If you are not certain
                        ISC recommends setting use-alt-transfer-source no;

1445.   [bug]           DNS_ADBFIND_STARTATROOT broke stub zones.  This has
                        been replaced with DNS_ADBFIND_STARTATZONE which
                        causes the search to start using the closest zone.

1444.   [func]          dns_view_findzonecut2() allows you to specify if the
                        cache should be searched for zone cuts.

1443.   [func]          Masters lists can now be specified and referenced
                        in zone masters clauses and other masters lists.

1442.   [func]          New functions for manipulating port lists:
                        dns_portlist_create(), dns_portlist_add(),
                        dns_portlist_remove(), dns_portlist_match(),
                        dns_portlist_attach() and dns_portlist_detach().

1441.   [func]          It is now possible to tell dig to bind to a specific
                        source port.

1440.   [func]          It is now possible to tell named to avoid using
                        certain source ports (avoid-v4-udp-ports,
                        avoid-v6-udp-ports).

1439.   [bug]           Named could return NOERROR with certain NOTIFY
                        failures.  Return NOTAUTH if the NOTIFY zone is
                        not being served.

1438.   [func]          Log TSIG (if any) when logging NOTIFY requests.

1437.   [bug]           Leave space for stdio to work in. [RT #5033]

1436.   [func]          dns_zonemgr_resumexfrs() can be used to restart
                        stalled transfers.

1435.   [bug]           zmgr_resume_xfrs() was being called read locked
                        rather than write locked.  zmgr_resume_xfrs()
                        was not being called if the zone was being
                        shutdown.

1434.   [bug]           "rndc reconfig" failed to initiate the initial
                        zone transfer of new slave zones.

1433.   [bug]           named could trigger a REQUIRE failure if it could
                        not get a file descriptor when attempting to write
                        a master file. [RT #4347]

1432.   [func]          The advertised EDNS UDP buffer size can now be set
                        via named.conf (edns-udp-size).

1431.   [bug]           isc_print_snprintf() "%s" with precision could walk off
                        end of argument. [RT #5191]

1430.   [port]          linux: IPv6 interface scanning support.

1429.   [bug]           Prevent the cache getting locked to old servers.

1428.   [placeholder]

1427.   [bug]           Race condition in adb with threaded build.

1426.   [placeholder]

1425.   [port]          linux/libbind: define __USE_MISC when testing *_r()
                        function prototypes in netdb.h.  [RT #4921]

1424.   [bug]           EDNS version not being correctly printed.

1423.   [contrib]       queryperf: added A6 and SRV.

1422.   [func]          Log name/type/class when denying a query.  [RT #4663]

1421.   [func]          Differentiate updates that don't succeed due to
                        prerequisites (unsuccessful) vs other reasons
                        (failed).

1420.   [port]          solaris: work around gcc optimiser bug.

1419.   [port]          openbsd: use /dev/arandom. [RT #4950]

1418.   [bug]           'rndc reconfig' did not cause new slaves to load.

1417.   [func]          ID.SERVER/CHAOS is now a built in zone.
                        See "server-id" for how to configure.

1416.   [bug]           Empty node should return NOERROR NODATA, not NXDOMAIN.
                        [RT #4715]

1415.   [func]          DS TTL now derived from NS ttl.  NXT TTL now derived
                        from SOA MINIMUM.

1414.   [func]          Support for KSK flag.

1413.   [func]          Explictly request the (re-)generation of DS records from
                        keysets (dnssec-signzone -g).

1412.   [func]          You can now specify servers to be tried if a nameserver
                        has IPv6 address and you only support IPv4 or the
                        reverse. See dual-stack-servers.

1411.   [bug]           empty nodes should stop wildcard matches. [RT #4802]

1410.   [func]          handle records that live in the parent zone, e.g. DS.

1409.   [bug]           DS should have attribute DNS_RDATATYPEATTR_DNSSEC.

1408.   [bug]           distclean was not complete. [RT #4700]

1407.   [bug]           lfsr incorrectly implements the shift register.
                        [RT #4617]

1406.   [bug]           dispatch initialises one of the LFSR's with a incorrect
                        polynomial.  [RT #4617]

1405.   [func]          Use arc4random() if available.

1404.   [bug]           libbind: ns_name_ntol() could overwrite a zero length
                        buffer.

1403.   [func]          dnssec-signzone, dnssec-keygen, dnssec-makekeyset
                        dnssec-signkey now report their version in the
                        usage message.

1402.   [cleanup]       A6 has been moved to experimental and is no longer
                        fully supported.

1401.   [bug]           adb wasn't clearing state when the timer expired.

1400.   [bug]           Block the addition of wildcard NS records by IXFR
                        or UPDATE. [RT #3502]

1399.   [bug]           Use serial number arithmetic when testing SIG
                        timestamps. [RT #4268]

1398.   [doc]           ARM: notify-also should have been also-notify.
                        [RT #4345]

1397.   [bug]           J.ROOT-SERVERS.NET is now 192.58.128.30.

1396.   [func]          dnssec-signzone: adjust the default signing time by
                        1 hour to allow for clock skew.

1395.   [port]          OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
                        have a working implementation.  [RT #4079]

1394.   [func]          It is now possible to check if a particular element is
                        in a acl.  Remove duplicate entries from the localnets
                        acl.

1393.   [port]          Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
                        is not available in the kernel to prevent accidently
                        listening on IPv4 interfaces.

1392.   [bug]           named-checkzone: update usage.

1391.   [func]          Add support for IPv6 scoped addresses in named.

1390.   [func]          host now supports ixfr.

1389.   [bug]           named could fail to rotate long log files.  [RT #3666]

1388.   [port]          irix: check for sys/sysctl.h and NET_RT_IFLIST before
                        defining HAVE_IFLIST_SYSCTL. [RT #3770]

1387.   [bug]           named could crash due to an access to invalid memory
                        space (which caused an assertion failure) in
                        incremental cleaning.  [RT #3588]

1386.   [bug]           named-checkzone -z stopped on errors in a zone.
                        [RT #3653]

1385.   [bug]           Setting serial-query-rate to 10 would trigger a
                        REQUIRE failure.

1384.   [bug]           host was incompatible with BIND 8 in its exit code and
                        in the output with the -l option.  [RT #3536]

1383.   [func]          Track the serial number in a IXFR response and log if
                        a mismatch occurs.  This is a more specific error than
                        "not exact". [RT #3445]

1382.   [bug]           make install failed with --enable-libbind. [RT #3656]

1381.   [bug]           named failed to correctly process answers that
                        contained DNAME records where the resulting CNAME
                        resulted in a negative answer.

1380.   [func]          'rndc recursing' dump recursing queries to
                        'recursing-file = "named.recursing";'.

1379.   [func]          'rndc status' now reports tcp and recursion quota
                        states.

1378.   [func]          Improved positive feedback for 'rndc {reload|refresh}.

1377.   [func]          dns_zone_load{new}() now reports if the zone was
                        loaded, queued for loading to up to date.

1376.   [func]          New function dns_zone_logc() to log to specified
                        category.

1375.   [func]          'rndc dumpdb' now dumps the adb cache along with the
                        data cache.

1374.   [func]          dns_adb_dump() now logs the lame zones associated
                        with each server.

1373.   [bug]           Recovery from expired glue failed under certain
                        circumstances.

1372.   [bug]           named crashes with an assertion failure on exit when
                        sharing the same port for listening and querying, and
                        changing listening addresses several times. [RT# 3509]

1371.   [bug]           notify-source-v6, transfer-source-v6 and
                        query-source-v6 with explicit addresses and using the
                        same ports as named was listening on could interfere
                        with nameds ability to answer queries sent to those
                        addresses.

1370.   [bug]           dig '+[no]recurse' was incorrectly documented.

1369.   [bug]           Adding an NS record as the lexicographically last
                        record in a secure zone didn't work.

1368.   [func]          remove support for bitstring labels.

1367.   [func]          Use response times to select forwarders.

1366.   [contrib]       queryperf usage was incomplete.  Add '-h' for help.

1365.   [func]          "localhost" and "localnets" acls now include IPv6
                        addresses / prefixes.

1364.   [func]          Log file name when unable to open memory statistics
                        and dump database files. [RT# 3437]

1363.   [func]          Listen-on-v6 now supports specific addresses.

1362.   [bug]           remove IFF_RUNNING test when scanning interfaces.

1361.   [func]          log the reason for rejecting a server when resolving
                        queries.

1360.   [bug]           --enable-libbind would fail when not built in the
                        source tree for certain OS's.

1359.   [security]      Support patches OpenSSL libraries.
                        http://www.cert.org/advisories/CA-2002-23.html

1358.   [bug]           It was possible to trigger a INSIST when debugging
                        large dynamic updates. [RT #3390]

1357.   [bug]           nsupdate was extremely wasteful of memory.

1356.   [tuning]        Reduce the number of events / quantum for zone tasks.

1355.   [bug]           Fix DNSSEC wildcard proof for CNAME/DNAME.

1354.   [doc]           lwres man pages had illegal nroff.

1353.   [contrib]       sdb/ldap to version 0.9.

1352.   [bug]           dig, host, nslookup when falling back to TCP use the
                        current search entry (if any). [RT #3374]

1351.   [bug]           lwres_getipnodebyname() returned the wrong name
                        when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
                        was set.

1350.   [bug]           dns_name_fromtext() failed to handle too many labels
                        gracefully.

1349.   [security]      Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
                        http://www.cert.org/advisories/CA-2002-23.html

1348.   [port]          win32: Rewrote code to use I/O Completion Ports
                        in socket.c and eliminating a host of socket
                        errors. Performance is enhanced.

1347.   [placeholder]

1346.   [placeholder]

1345.   [port]          Use a explicit -Wformat with gcc.  Not all versions
                        include it in -Wall.

1344.   [func]          Log if the serial number on the master has gone
                        backwards.
                        If you have multiple machines specified in the masters
                        clause you may want to set 'multi-master yes;' to
                        suppress this warning.

1343.   [func]          Log successful notifies received (info).  Adjust log
                        level for failed notifies to notice.

1342.   [func]          Log remote address with TCP dispatch failures.

1341.   [func]          Allow a rate limiter to be stalled.

1340.   [bug]           Delay and spread out the startup refresh load.

1339.   [func]          dig, host and nslookup now use IP6.ARPA for nibble
                        lookups.  Bit string lookups are no longer attempted.

1338.   [placeholder]

1337.   [placeholder]

1336.   [func]          Nibble lookups under IP6.ARPA are now supported by
                        dns_byaddr_create().  dns_byaddr_createptrname() is
                        deprecated, use dns_byaddr_createptrname2() instead.

1335.   [bug]           When performing a nonexistence proof, the validator
                        should discard parent NXTs from higher in the DNS.

1334.   [bug]           When signing/verifying rdatasets, duplicate rdatas
                        need to be suppressed.

1333.   [contrib]       queryperf now reports a summary of returned
                        rcodes (-c), rcodes are printed in mnemonic form (-v).

1332.   [func]          Report the current serial with periodic commits when
                        rolling forward the journal.

1331.   [func]          Generate DNSSEC wildcard proofs.

1330.   [bug]           When processing events (non-threaded) only allow
                        the task one chance to use to use its quantum.

1329.   [func]          named-checkzone will now check if nameservers that
                        appear to be IP addresses.  Available modes "fail",
                        "warn" (default) and "ignore" the results of the
                        check.

1328.   [bug]           The validator could incorrectly verify an invalid
                        negative proof.

1327.   [bug]           The validator would incorrectly mark data as insecure
                        when seeing a bogus signature before a correct
                        signature.

1326.   [bug]           DNAME/CNAME signatures were not being cached when
                        validation was not being performed. [RT #3284]

1325.   [bug]           If the tcpquota was exhausted it was possible to
                        to trigger a INSIST() failure.

1324.   [port]          darwin: ifconfig.sh now supports darwin.

1323.   [port]          linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]

1322.   [bug]           dnssec-signzone usage message was misleading.

1321.   [bug]           If the last RRset in a zone is glue, dnssec-signzone
                        would incorrectly duplicate its output and sign it.

1320.   [doc]           query-source-v6 was missing from options section.
                        [RT #3218]

1319.   [func]          libbind: log attempts to exploit #1318.

1318.   [bug]           libbind: Remote buffer overrun.

1317.   [port]          libbind: TrueUNIX 5.1 does not like __align as a
                        element name.

1316.   [bug]           libbind: gethostans() could get out of sync parsing
                        the response if there was a very long CNAME chain.

1315.   [bug]           Options should apply to the internal _bind view.

1314.   [port]          Handle ECONNRESET from sendmsg() [unix].

1313.   [func]          Query log now says if the query was signed (S) or
                        if EDNS was used (E).

1312.   [func]          Log TSIG key used w/ outgoing zone transfers.

1311.   [bug]           lwres_getrrsetbyname leaked memory.  [RT #3159]

1310.   [bug]           'rndc stop' failed to cause zones to be flushed
                        sometimes. [RT #3157]

1309.   [func]          Log that a zone transfer was covered by a TSIG.

1308.   [func]          DS (delegation signer) support.

1307.   [bug]           nsupdate: allow white space base64 key data.

1306.   [bug]           Badly encoded LOC record when the size, horizontal
                        precision or vertical precision was 0.1m.