2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]

2905.	[port]		aix: set use_atomic=yes with native compiler.
			[RT #21402]

2904.	[bug]		When using DLV, sub-zones of the zones in the DLV
			could be incorrectly marked as insecure instead of
			secure, leading to negative proofs failing.  This was
			an unintended outcome of change 2890. [RT #21392]

2903.	[bug]		managed-keys-directory missing from namedconf.c.
			[RT #21370]

2902.	[func]		Add regression test for change 2897. [RT #21040]

2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900.	[bug]		The placeholder negative caching element was not
			properly constructed, triggering an INSIST in
			dns_ncache_towire(). [RT #21346]

2899.	[port]		win32: Support linking against OpenSSL 1.0.0.

2898.	[bug]		nslookup leaked memory when -domain=value was
			specified. [RT #21301]

2897.	[bug]		NSEC3 chains could be left behind when transitioning
			to insecure. [RT #21040]

2896.	[bug]		"rndc sign" failed to properly update the zone
			when adding a DNSKEY for publication only. [RT #21045]

2895.	[func]		genrandom: add support for the generation of multiple
			files.  [RT #20917]

2894.	[contrib]	DLZ LDAP support now uses '$' not '%'. [RT #21294]

2893.	[bug]		Improve managed keys support.  New named.conf option
			managed-keys-directory. [RT #20924]

2892.	[bug]		Handle REVOKED keys better. [RT #20961]

2891.	[maint]		Update empty-zones list to match
			draft-ietf-dnsop-default-local-zones-13. [RT #21099]

2890.	[bug]		Handle the introduction of new trusted-keys and
			DS, DLV RRsets better. [RT #21097]

2889.	[bug]		Elements of the grammar were not properly reported.
			[RT #21046]

2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]

2887.	[bug]		Report the key times in UTC in the .key file; the
			local time is presented as a comment within the
			comment.  [RT #21223]

2886.	[bug]		ctime() is not thread safe. [RT #21223]

2885.	[bug]		Improve -fno-strict-aliasing support probing in
			configure. [RT #21080]

2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
			[RT #21283]

2883.	[bug]		'dig +short' failed to handle really large datasets.
			[RT #21113]

2882.	[bug]		Remove memory context from list of active contexts
			before clearing 'magic'. [RT #21274]

2881.	[bug]		Reduce the amount of time the rbtdb write lock
			is held when closing a version. [RT #21198]

2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
			consistent. [RT #21078]

2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
			[RT #21106]

2878.	[func]		Incrementally write the master file after performing
			an AXFR.  [RT #21010]

2877.	[bug]		The validator failed to skip obviously mismatching
			RRSIGs. [RT #21138]

2876.	[bug]		Named could return SERVFAIL for negative responses
			from unsigned zones. [RT #21131]

2875.	[bug]		dns_time64_fromtext() could accept non-digits.
			[RT #21033]

2874.	[bug]		Cache lack of EDNS support only after the server
			successfully responds to the query using plain DNS.
			[RT #20930]

2873.	[bug]		Canceling a dynamic update via the dns/client module
			could trigger an assertion failure. [RT #21133]

2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
			require one of IPv4 or IPv6 rather than both.
			[RT #21122]

2871.	[bug]		Type mismatch in mem_api.c between the definition and
			the header file, causing build failure with
			--enable-exportlib. [RT #21138]

2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.

2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
			[RT #20877]

2868.	[cleanup]	Run "make clean" at the end of configure to ensure
			any changes made by configure are integrated.
			Use --with-make-clean=no to disable.  [RT #20994]

2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
			don't like it.  [RT #20986]

2866.	[bug]		Windows does not like the TSIG name being compressed.
			[RT #20986]

2865.	[bug]		Zero event.data with memset().  [RT #20986]

2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
			[RT #21050]

2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
			[RT #21056]

2862.	[bug]		nsupdate didn't default to the parent zone when
			updating DS records. [RT #20896]

2861.	[doc]		dnssec-settime man pages didn't correctly document the
			inactivation time. [RT #21039]

2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]

2859.	[bug]		When cancelling validation it was possible to leak
			memory. [RT #20800]

2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
			[RT #20772]

2857.	[bug]		named-checkconf did not fail on a bad trusted key.
			[RT #20705]

2856.	[bug]		The size of a memory allocation was not always properly
			recorded. [RT #20927]

2855.	[func]		nsupdate will now preserve the entered case of domain
			names in update requests it sends. [RT #20928]

2854.	[func]		dig: allow the final SOA record in an AXFR response to
			be suppressed, dig +onesoa. [RT #20929]

2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]

2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
			source as it produced bad nroff.  [RT #21007]

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
			the heap would have corrupted entries. [RT #20951]

2849.	[bug]		Don't treat errors from the xml2 library as fatal.
			[RT #20945]

2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
			README.rfc5011 into the ARM. [RT #20899]

2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]

2846.	[bug]		EOF on unix domain sockets was not being handled
			correctly. [RT #20731]

2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]

2844.	[doc]		notify-delay default in ARM was wrong.  It should have
			been five (5) seconds.

2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
			creating key files if there is a chance that the new
			key ID will collide with an existing one after
			either of the keys has been revoked.  (To override
			this in the case of dnssec-keyfromlabel, use the -y
			option.  dnssec-keygen will simply create a
			different, non-colliding key, so an override is
			not necessary.) [RT #20838]

2842.	[func]		Added "smartsign" and improved "autosign" and
			"dnssec" regression tests. [RT #20865]

2841.	[bug]		Change 2836 was not complete. [RT #20883]

2840.	[bug]		Temporarily fixed the pkcs11-destroy usage check.
			[RT #20760]

2839.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2838.	[placeholder]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]

2836.	[bug]		Keys that were scheduled to become active could
			be delayed. [RT #20874]

2835.	[bug]		Key inactivity dates were inadvertently stored in
			the private key file with the outdated tag
			"Unpublish" rather than "Inactive".  This has been
			fixed; however, any existing keys that had Inactive
			dates set will now need to have them reset, using
			'dnssec-settime -I'. [RT #20868]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]

2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
			[RT #20851]

2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
			to avoid redefinition in some OSes. [RT #20831]

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]

2830.	[bug]		Changing the OPTOUT setting could take multiple
			passes. [RT #20813]

2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
			[RT #20808]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
			being released.  [RT #20740]

2825.	[bug]		Changing the setting of OPTOUT in an NSEC3 chain that
			was in the process of being created was not properly
			recorded in the zone. [RT #20786]

2824.	[bug]		"rndc sign" was not being run by the correct task.
			[RT #20759]

2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
			[RT #20802]

2821.	[doc]		Add note that named-checkconf doesn't automatically
			read rndc.key and bind.keys. [RT #20758]

2820.	[func]		Handle read access failure of the OpenSSL configuration
			file more gracefully (PKCS#11 engine patch).
			[RT #20668]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
			[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code
			when a zone was not found. [RT #20767]

2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
			[RT #20768]

2816.	[bug]		previous_closest_nsec() could fail to return
			data for NSEC3 nodes. [RT #29730]

2815.	[bug]		Exclusively lock the task when freezing a zone.
			[RT #19838]

2814.	[func]		Provide a definitive error message when a master
			zone is not loaded. [RT #20757]

2813.	[bug]		Better handling of unreadable DNSSEC key files.
			[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT #20748]

2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
			output. [RT #20733]

2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
			to insecure. [RT #20746]

2809.	[cleanup]	Restored accidentally-deleted text in usage output
			in dnssec-settime and dnssec-revoke. [RT #20739]

2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
			atomic.h is correctly installed by the architecture
			specific subdirectories.  [RT #20722]

2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
			keys. [RT #20720]

	--- 9.7.0rc1 released ---

2806.	[bug]		"rndc sign" could delay re-signing the DNSKEY
			when it had changed. [RT #20703]

2805.	[bug]		Fixed namespace problems encountered when building
			external programs using non-exported BIND9 libraries
			(i.e., built without --enable-exportlib). [RT #20679]

2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
			or as a result of a scheduled key change. [RT #20700]

2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
			and genrandom under windows. [RT #20670]

2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]

2801.	[func]		Detect and report records that are different according
			to DNSSEC but are semantically equal according to plain
			DNS.  Apply plain DNS comparisons rather than DNSSEC
			comparisons when processing UPDATE requests.
			dnssec-signzone now removes such semantically duplicate
			records prior to signing the RRset.

			named-checkzone -r {ignore|warn|fail} (default warn)
			named-compilezone -r {ignore|warn|fail} (default warn)

			named.conf: check-dup-records {ignore|warn|fail};

2800.	[func]		Reject zones which have NS records which refer to
			CNAMEs, DNAMEs or don't have address records (class IN
			only).  Reject UPDATEs which would cause the zone
			to fail the above checks if committed. [RT #20678]

2799.	[cleanup]	Changed the "secure-to-insecure" option to
			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.	[bug]		Addressed bugs in managed-keys initialization
			and rollover. [RT #20683]

2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
			[RT #20613]

2796.	[bug]		Missing dns_rdataset_disassociate() call in
			dns_nsec3_delnsec3sx(). [RT #20681]

2795.	[cleanup]	Add text to differentiate "update with no effect"
			log messages. [RT #18889]

2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]

2793.	[func]		Add "autosign" and "metadata" tests to the
			automatic tests. [RT #19946]

2792.	[func]		"filter-aaaa-on-v4" can now be set in view
			options (if compiled in).  [RT #20635]

2791.	[bug]		The installation of isc-config.sh was broken.
			[RT #20667]

2790.	[bug]		Handle DS queries to stub zones. [RT #20440]

2789.	[bug]		Fixed an INSIST in dispatch.c. [RT #20576]

2788.	[bug]		dnssec-signzone could sign with keys that were
			not requested. [RT #20625]

2787.	[bug]		Spurious log message when zone keys were
			dynamically reconfigured. [RT #20659]

2786.	[bug]		Additional section data could be promoted to the answer
			section. [RT #20663]

	--- 9.7.0b3 released ---

2785.	[bug]		Revoked keys could fail to self-sign. [RT #20652]

2784.	[bug]		TC was not always being set when required glue was
			dropped. [RT #20655]

2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
			buffer size of 512 or less.  [RT #20654]

2782.	[port]		win32: use getaddrinfo() for hostname lookups.
			[RT #20650]

2781.	[bug]		Inactive keys could be used for signing. [RT #20649]

2780.	[bug]		dnssec-keygen -A none didn't properly unset the
			activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revocation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.

2776.	[bug]		Change #2762 was not correct. [RT #20647]

2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
			in dnssec-keyfromlabel. [RT #20643]

2774.	[bug]		Existing cache DB wasn't being reused after
			reconfiguration. [RT #20629]

2773.	[bug]		In autosigned zones, the SOA could be signed
			with the KSK. [RT #20628]

2772.	[security]	When validating, track whether pending data was from
			the additional section or not, and only return it if
			it validates as secure. [RT #20438]

2771.	[bug]		dnssec-signzone: DNSKEY records could be
			corrupted when importing from key files. [RT #20624]

2770.	[cleanup]	Add log messages to resolver.c to indicate events
			causing FORMERR responses. [RT #20526]

2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]

2768.	[bug]		dnssec-signzone: -S no longer implies -g. [RT #20568]

2767.	[bug]		named could crash on startup if a zone was
			configured with auto-dnssec and there was no
			key-directory. [RT #20615]

2766.	[bug]		isc_socket_fdwatchpoke() should only update the
			socketmgr state if the socket is not pending on a
			read or write.  [RT #20603]

2765.	[bug]		Skip masters for which the TSIG key cannot be found.
			[RT #20595]

2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]

2762.	[bug]		DLV validation failed with a local slave DLV zone.
			[RT #20577]

2761.	[cleanup]	Enable internal symbol table for backtrace only for
			systems that are known to work.  Currently, BSD
			variants, Linux and Solaris are supported. [RT #20202]

2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]

2759.	[doc]		Add information about .jbk/.jnw files to
			the ARM. [RT #20303]

2758.	[bug]		win32: Added a workaround for a Windows 2008 bug
			that could cause the UDP client handler to shut
			down. [RT #19176]

2757.	[bug]		dig: assertion failure could occur in connect
			timeout. [RT #20599]

2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]

2755.	[placeholder]

2754.	[bug]		Secure-to-insecure transitions failed when zone
			was signed with NSEC3. [RT #20587]

2753.	[bug]		Removed an unnecessary warning that could appear when
			building an NSEC chain. [RT #20589]

2752.	[bug]		Locking violation. [RT #20587]

2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2750.	[bug]		dig: assertion failure could occur when a server
			didn't have an address. [RT #20579]

2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
			for NSEC3 signed zones. [RT #20452]

2748.	[func]		Identify bad answers from GTLD servers and treat them
			as referrals. [RT #18884]

2747.	[bug]		Journal roll forwards failed to set the re-signing
			time of RRSIGs correctly. [RT #20541]

2746.	[port]		hpux: address signed/unsigned expansion mismatch of
			dns_rbtnode_t.nsec. [RT #20542]

2745.	[bug]		configure script didn't probe the return type of
			gai_strerror(3) correctly. [RT #20573]

2744.	[func]		Log if a query was over TCP. [RT #19961]

2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
			for an insecure delegation.

	--- 9.7.0b2 released ---

2742.	[cleanup]	Clarify some DNSSEC-related log messages in
			validator.c. [RT #19589]

2741.	[func]		Allow the dnssec-keygen progress messages to be
			suppressed (dnssec-keygen -q).  Automatically
			suppress the progress messages when stdin is not
			a tty. [RT #20474]

2740.	[placeholder]

2739.	[cleanup]	Clean up API for initializing and clearing trust
			anchors for a view. [RT #20211]

2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
			test. [RT #20453]

2737.	[func]		UPDATE requests can leak existence information.
			[RT #17261]

2736.	[func]		Improve the performance of NSEC signed zones with
			more than a normal amount of glue below a delegation.
			[RT #20191]

2735.	[bug]		dnssec-signzone could fail to read keys
			that were specified on the command line with
			full paths, but weren't in the current
			directory. [RT #20421]

2734.	[port]		cygwin: arpaname did not compile. [RT #20473]

2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]

2732.	[func]		Add optional filter-aaaa-on-v4 option, available
			if built with './configure --enable-filter-aaaa'.
			Filters out AAAA answers to clients connecting
			via IPv4.  (This is NOT recommended for general
			use.) [RT #20339]

2731.	[func]		Additional work on change 2709.  The key parser
			will now ignore unrecognized fields when the
			minor version number of the private key format
			has been increased.  It will reject any key with
			the major version number increased. [RT #20310]

2730.	[func]		Have dnssec-keygen display a progress indication
			a la 'openssl genrsa' on standard error.  Note that
			when the first '.' is followed by a long pause,
			one has the choice between slow generation and
			poor random quality, i.e., '-r /dev/urandom'.
			[RT #20284]

2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
			TTL. [RT #20451]

2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
			dnssec-signzone now warn immediately if asked to
			write into a nonexistent directory. [RT #20278]

2727.	[func]		The 'key-directory' option can now specify a relative
			path. [RT #20154]

2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
			RSASHA256 and RSASHA512. [RT #20023]

2725.	[doc]		Added information about the file "managed-keys.bind"
			to the ARM. [RT #20235]

2724.	[bug]		Updates to an existing node in a secure zone using NSEC
			were failing. [RT #20448]

2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
			isc_base64_totext(), didn't always mark regions of
			memory as fully consumed after conversion.  [RT #20445]

2722.	[bug]		Ensure that the memory associated with the name of
			a node in an rbt tree is not altered during the life
			of the node. [RT #20431]

2721.	[port]		Have dst__entropy_status() prime the random number
			generator. [RT #20369]

2720.	[bug]		RFC 5011 trust anchor updates could trigger an
			assert if the DNSKEY record was unsigned. [RT #20406]

2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
			[RT #20392]

2718.	[bug]		The space calculations in opensslrsa_todns() were
			incorrect. [RT #20394]

2717.	[bug]		named failed to update the NSEC/NSEC3 record when
			the last private type record was removed as a result
			of completing the signing of the zone with a key.
			[RT #20399]

2716.	[bug]		nslookup debug mode didn't return the TTL. [RT #20414]

	--- 9.7.0b1 released ---

2715.	[bug]		Require OpenSSL support to be explicitly disabled.
			[RT #20288]

2714.	[port]		aix/powerpc: 'asm("ics");' needs non-standard assembler
			flags.

2713.	[bug]		powerpc: atomic operations missing asm("ics") /
			__isync() calls.

2712.	[func]		New 'auto-dnssec' zone option allows zone signing
			to be fully automated in zones configured for
			dynamic DNS.  'auto-dnssec allow;' permits a zone
			to be signed by creating keys for it in the
			key-directory and using 'rndc sign <zone>'.
			'auto-dnssec maintain;' allows that too, plus it
			also keeps the zone's DNSSEC keys up to date
			according to their timing metadata. [RT #19943]

2711.	[port]		win32: Add the bin/pkcs11 tools into the full
			build. [RT #20372]

2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
			zone option cause a zone to be signed with only KSKs
			signing the DNSKEY RRset, not ZSKs.  This reduces
			the size of a DNSKEY answer.  [RT #20340]

2709.	[func]		Added some data fields, currently unused, to the
			private key file format, to allow implementation
			of explicit key rollover in a future release
			without impairing backward or forward compatibility.
			[RT #20310]

2708.	[func]		Insecure to secure and NSEC3 parameter changes via
			update are now fully supported and no longer require
			defines to enable.  We now no longer overload the
			NSEC3PARAM flag field, nor the NSEC OPT bit at the
			apex.  Secure to insecure changes are controlled by
			the named.conf option 'secure-to-insecure'.

			Warning: If you had previously enabled support by
			adding defines at compile time to BIND 9.6 you should
			ensure that all changes that are in progress have
			completed prior to upgrading to BIND 9.7.  BIND 9.7
			is not backwards compatible.

2707.	[func]		dnssec-keyfromlabel no longer requires the engine name
			to be specified in the label if there is a default
			engine or the -E option has been used.  Also, it
			now uses default algorithms as dnssec-keygen does
			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
			[RT #20371]

2706.	[bug]		Loading a zone with a very large NSEC3 salt could
			trigger an assert. [RT #20368]

2705.	[placeholder]

2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
			with their SOA serial.  [RT #19387]

2703.	[func]		Introduce an OpenSSL "engine" argument with -E
			for all binaries which can benefit from
			crypto hardware. [RT #20230]

2702.	[func]		Update PKCS#11 tools (bin/pkcs11). [RT #20225 & all]

2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
			supported TSIG key algorithm. [RT #18046]

2700.	[doc]		The match-mapped-addresses option is discouraged.
			[RT #12252]

2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]

2698.	[placeholder]

2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
			S_IFREG are defined after including <isc/stat.h>.
			[RT #20309]

2696.	[bug]		named failed to successfully process some valid
			acl constructs. [RT #20308]

2695.	[func]		DHCP/DDNS - update fdwatch code for use by
			DHCP.  Modify the API of isc_sockfdwatch_t (the
			callback function for isc_socket_fdwatchcreate)
			to include information about the direction (read
			or write) and add isc_socket_fdwatchpoke.
			[RT #20253]

2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
			[RT #19970]

2693.	[port]		Add some noreturn attributes. [RT #20257]

2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]

2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
			chain when re-signing a previously-signed zone.
			Use -u to modify NSEC3 parameters or switch
			between NSEC and NSEC3. [RT #20304]

2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
			[RT #20315]

2689.	[bug]		Correctly handle snprintf result. [RT #20306]

2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
			to decide to fetch the destination address. [RT #20305]

2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
			Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]

2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
			signing with NSEC3 and vice versa. [RT #20301]

2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
			+adflag and +cdflag.  [RT #19305]

2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
			the NSEC3 parameters used to sign the zone change.
			[RT #20246]

2682.	[bug]		"configure --enable-symtable=all" failed to
			build. [RT #20282]

2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
			decoded. [RT #20269]

2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679.	[func]		dig -k can now accept TSIG keys in named.conf
			format.  [RT #20031]

2678.	[func]		Treat DS queries as if "minimal-response yes;"
			was set. [RT #20258]

2677.	[func]		Changes to key metadata behavior:
			- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[RT #20247]

2676.	[bug]		--with-export-installdir should have been
			--with-export-includedir. [RT #20252]

2675.	[bug]		dnssec-signzone could crash if the key directory
			did not exist. [RT #20232]

	--- 9.7.0a3 released ---

2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
			without openssl. [RT #20231]

2673.	[bug]		The managed-keys.bind zone file could fail to
			load due to a spurious result from sync_keyzone().
			[RT #20045]

2672.	[bug]		Don't enable searching in 'host' when doing reverse
			lookups. [RT #20218]

2671.	[bug]		Add support for PKCS#11 providers not returning
			the public exponent in RSA private keys
			(OpenCryptoki for instance) in
			dnssec-keyfromlabel. [RT #19294]

2670.	[bug]		Unexpected connect failures failed to log enough
			information to be useful. [RT #20205]

2669.	[func]		Update PKCS#11 support to support Keyper HSM.
			Update PKCS#11 patch to be against openssl-0.9.8i.

2668.	[func]		Several improvements to dnssec-* tools, including:
			- dnssec-keygen and dnssec-settime can now set key
			  metadata fields to 0 (to unset a value, use "none")
			- dnssec-revoke sets the revocation date in
			  addition to the revoke bit
			- dnssec-settime can now print individual metadata
			  fields instead of always printing all of them,
			  and can print them in unix epoch time format for
			  use by scripts
			[RT #19942]

2667.	[func]		Add support for logging stack backtrace on assertion
			failure (not available for all platforms). [RT #19780]

2666.	[func]		Added an 'options' argument to dns_name_fromstring()
			(API change from 9.7.0a2). [RT #20196]

2665.	[func]		Clarify syntax for managed-keys {} statement, add
			ARM documentation about RFC 5011 support. [RT #19874]

2664.	[bug]		create_keydata() and minimal_update() in zone.c
			didn't properly check return values for some
			functions.  [RT #19956]

2663.	[func]		win32:  allow named to run as a service using
			"NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
			returned a misleading error code when lwresd was
			down. [RT #20028]

2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
			creating lwres context. [RT #20029]

2660.	[func]		Add a new set of DNS libraries for non-BIND9
			applications.  See README.libdns. [RT #19369]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevant DLLs.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2653.	[bug]		Treat ENGINE_load_private_key() failures as key
			not found rather than out of memory.  [RT #18033]

2652.	[func]		Provide more detail about what record is being
			deleted. [RT #20061]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
			to read keyset-* files. [RT #20075]

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
			added. [RT #19913]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]
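The key-metadata rules of changes 2636 and 2677 (publish, activate, inactive, revoke and delete dates driving the decisions of dnssec-signzone -S), as an added Python model that is not BIND's own code; the Key class, NOW and SAMPLE_KEYS are constructed for this illustration.

```python
# Added example (not BIND's own code): a model of the smart-signing key
# selection described in changes 2636 and 2677.  The Key class, field
# names and the sample keys below are constructed for this illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Key:
    tag: int
    publish: Optional[int] = None    # -P: enter the DNSKEY RRset (epoch seconds)
    activate: Optional[int] = None   # -A: start signing
    inactive: Optional[int] = None   # -I: stop signing, stay published
    revoke: Optional[int] = None     # -R: set the REVOKE bit
    delete: Optional[int] = None     # -D: leave the DNSKEY RRset

def is_published(key, now):
    """Key is in the zone from its publish date until its delete date."""
    if key.publish is None or now < key.publish:
        return False
    return key.delete is None or now < key.delete

def is_signing(key, now):
    """Key signs between activate and inactive; per change 2677 a key
    with publish or activate unset (dnssec-keygen -G) never signs."""
    if key.publish is None or key.activate is None:
        return False
    if not is_published(key, now) or now < key.activate:
        return False
    return key.inactive is None or now < key.inactive

def is_revoked(key, now):
    return key.revoke is not None and now >= key.revoke

def smart_sign_plan(keys, now):
    """Tags to publish, to sign with, and to mark revoked, as
    dnssec-signzone -S would decide from the metadata at time `now`."""
    publish = [k.tag for k in keys if is_published(k, now)]
    sign = [k.tag for k in keys if is_signing(k, now)]
    revoked = [k.tag for k in keys if is_published(k, now) and is_revoked(k, now)]
    return publish, sign, revoked

NOW = 1_000_000  # constructed "current time"
SAMPLE_KEYS = [
    Key(1, publish=900_000, activate=900_000),                    # active
    Key(2, publish=950_000, activate=1_100_000),                  # pre-published
    Key(3, publish=800_000, activate=800_000, inactive=990_000),  # retired
    Key(4),                                                       # -G: no dates
    Key(5, publish=700_000, activate=700_000, revoke=990_000),    # revoked
    Key(6, publish=600_000, activate=600_000, delete=950_000),    # deleted
]
```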

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone. (The "ddns-autoconf" option has been removed.)
			[RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]

2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]

2624.	[func]		'named-checkconf -p' will print out the parsed
			configuration. [RT #18871]

2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]

2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]

2620.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2619.	[func]		Add support for RFC 5011, automatic trust anchor
			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug]		ifconfig.sh failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when an explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2613.	[placeholder]

	--- 9.7.0a1 released ---

2612.	[func]		Add default values for the arguments to
			dnssec-keygen.  Without arguments, it will now
			generate a 1024-bit RSASHA1 zone-signing key,
			or with the -f KSK option, a 2048-bit RSASHA1
			key-signing key. [RT #19300]

2611.	[func]		Add -l option to dnssec-dsfromkey to generate
			DLV records instead of DS records. [RT #19300]

2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]

2609.	[func]		Simplify the configuration of dynamic zones:
			- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]

2608.	[func]		Perform post signing verification checks in
			dnssec-signzone.  These can be disabled with -P.

			The post-sign verification test ensures that, for each
			algorithm in use, there is at least one non-revoked,
			self-signed KSK; that all revoked KSKs are self-signed;
			and that all records in the zone are signed by that
			algorithm.  [RT #19653]
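The three post-signing checks described for change 2608, as an added Python model that is not dnssec-signzone's own code; the Dnskey and Rrset classes and the KEYS/ZONE sample are constructed for this illustration.

```python
# Added example (not dnssec-signzone's own code): the post-signing checks
# of change 2608 applied to a constructed in-memory model of a signed zone.
from dataclasses import dataclass

@dataclass(frozen=True)
class Dnskey:
    tag: int
    algorithm: int
    ksk: bool       # SEP bit set
    revoked: bool   # REVOKE bit set (RFC 5011)

@dataclass
class Rrset:
    name: str
    rtype: str
    sigs: frozenset  # (algorithm, key tag) of every RRSIG covering it

def verify_signed_zone(dnskeys, rrsets):
    """Return the list of verification failures; an empty list means the
    zone passes the checks dnssec-signzone performs unless -P is given."""
    problems = []
    dnskey_rrset = next(r for r in rrsets if r.rtype == "DNSKEY")
    algorithms = {k.algorithm for k in dnskeys}   # algorithms in use
    def self_signed(k):
        return (k.algorithm, k.tag) in dnskey_rrset.sigs
    # Check 1: each algorithm needs a non-revoked, self-signed KSK, or no
    # DS record for that algorithm could anchor a valid chain of trust.
    for alg in sorted(algorithms):
        if not any(k.ksk and not k.revoked and self_signed(k)
                   for k in dnskeys if k.algorithm == alg):
            problems.append(f"no non-revoked self-signed KSK for algorithm {alg}")
    # Check 2: a revoked KSK must still self-sign (RFC 5011 revocation).
    for k in dnskeys:
        if k.ksk and k.revoked and not self_signed(k):
            problems.append(f"revoked KSK {k.tag} is not self-signed")
    # Check 3: every RRset must be signed with every algorithm in use.
    for r in rrsets:
        for alg in sorted(algorithms - {a for a, _ in r.sigs}):
            problems.append(f"{r.name}/{r.rtype} not signed with algorithm {alg}")
    return problems

# Constructed sample: alg 8 KSK 1001 and ZSK 2002, a revoked alg 8 KSK 3003
# that no longer self-signs, and an alg 10 KSK 4004 that has no ZSK.
KEYS = [Dnskey(1001, 8, True, False), Dnskey(2002, 8, False, False),
        Dnskey(3003, 8, True, True), Dnskey(4004, 10, True, False)]
ZONE = [Rrset("example.", "DNSKEY", frozenset({(8, 1001), (10, 4004)})),
        Rrset("example.", "SOA", frozenset({(8, 2002), (10, 4004)})),
        Rrset("www.example.", "A", frozenset({(8, 2002)}))]
```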

2607.	[bug]		named could incorrectly delete NSEC3 records for
			empty nodes when processing an update request.
			[RT #19749]

2606.	[bug]		"delegation-only" was not being accepted in
			delegation-only type zones. [RT #19717]

2605.	[bug]		Accept DS responses from delegation only zones.
			[RT #19296]

2604.	[func]		Add support for DNS rebinding attack prevention through
			new options, deny-answer-addresses and
			deny-answer-aliases.  Based on contributed code from
			JD Nurmi, Google. [RT #18192]

2603.	[port]		win32: handle .exe extension of named-checkzone and
			named-compilezone argv[0] names under windows.
			[RT #19767]

2602.	[port]		win32: fix debugging command line build of libisccfg.
			[RT #19767]

2601.	[doc]		Mention file creation mode mask in the
			named manual page.

2600.	[doc]		ARM: miscellaneous reformatting for different
			page widths. [RT #19574]

2599.	[bug]		Address rapid memory growth when validation fails.
			[RT #19654]

2598.	[func]		Reserve the -F flag. [RT #19657]

2597.	[bug]		Handle a validation failure with an insecure delegation
			from an NSEC3 signed master/slave zone.  [RT #19464]

2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
			long, leading to inefficient memory usage or rejecting
			newer cache entries in the worst case. [RT #19563]

2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]

2594.	[func]		Have rndc warn if using its default configuration
			file when the key file also exists. [RT #19424]

2593.	[bug]		Improve a corner source of SERVFAILs. [RT #19632]

2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]

2591.	[bug]		named could die when processing an update in
			removed_orphaned_ds(). [RT #19507]

2590.	[func]		Report zone/class of "update with no effect".
			[RT #19542]

2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
			[RT #19626]

2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
			of bind(2) call.  This should be rare and mostly
			harmless, but may cause interference with other
			processes that happen to use the same port. [RT #19642]

2587.	[func]		Improve logging by reporting serial numbers when the
			zone serial has gone backwards or is unchanged.
			[RT #19506]

2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
			or SDB. [RT #19577]

2585.	[bug]		Uninitialized socket name could be referenced via a
			statistics channel, triggering an assertion failure in
			XML rendering. [RT #19427]

2584.	[bug]		alpha: gcc optimization could break atomic operations.
			[RT #19227]