CHANGES 388 KB
Newer Older
Evan Hunt's avatar
Evan Hunt committed
1
2
3643.	[doc]		Clarify RRL "slip" documentation.

3
4
3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
Mark Andrews's avatar
Mark Andrews committed
5
			dnssec-importkey is used to do this. [RT #34698]
6
			
7
8
9
3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]
			
10
11
12
13
3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

14
15
16
3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

17
18
19
3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is 
			encountered. [RT #34668]

20
21
22
3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

23
24
25
3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

26
27
28
3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for a algorithm. [RT #24439]

29
30
31
3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

32
33
34
3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

35
36
37
3632.	[bug]		Signature from newly inactive keys were not being
			removed. [RT #32178]

38
39
40
3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

41
42
3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

43
44
45
46
3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

47
48
49
3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

50
51
3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

52
53
3626.	[func]		dig: NSID output now easier to read. [RT #21160]

54
55
56
3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

57
58
59
3624.	[bug]		Look for 'json_object_new_int64' when looking for a
			the json library. [RT #34449]

Mark Andrews's avatar
Mark Andrews committed
60
61
3623.	[placeholder]

62
63
64
3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

65
66
67
68
3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

Evan Hunt's avatar
Evan Hunt committed
69
70
71
72
73
74
75
76
77
3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

Evan Hunt's avatar
Evan Hunt committed
78
79
80
81
3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

82
83
84
3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

Evan Hunt's avatar
Evan Hunt committed
85
86
3616.	[bug]		Change #3613 was incomplete. [RT #34177]

Evan Hunt's avatar
Evan Hunt committed
87
88
89
90
91
3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

Evan Hunt's avatar
Evan Hunt committed
92
93
3614.	[port]		Check for <linux/types.h>. [RT #34162]

Evan Hunt's avatar
Evan Hunt committed
94
3613.	[bug]		named could crash when deleting inline-signing
95
96
			zones with "rndc delzone". [RT #34066]

Evan Hunt's avatar
Evan Hunt committed
97
3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
98

Evan Hunt's avatar
Evan Hunt committed
99
100
101
3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

102
103
104
3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

105
106
107
3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

108
109
110
111
3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

112
113
114
3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

115
116
3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
Mark Andrews's avatar
Mark Andrews committed
117
118
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]
119

Evan Hunt's avatar
Evan Hunt committed
120
121
122
3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

123
124
125
3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

126
127
3603.	[bug]		Install <isc/stat.h>. [RT #33956]

Evan Hunt's avatar
Evan Hunt committed
128
129
130
131
3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

132
133
134
3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

135
136
137
3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

138
139
140
3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

141
142
3598.	[cleanup]	Improved portability of map file code. [RT #33820]

143
144
145
3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

Evan Hunt's avatar
Evan Hunt committed
146
3596.	[port]		Updated win32 build documentation, added
Mark Andrews's avatar
Mark Andrews committed
147
			dnssec-verify. [RT #22067]
Evan Hunt's avatar
Evan Hunt committed
148

Evan Hunt's avatar
Evan Hunt committed
149
150
151
3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

152
153
3594.	[maint]		Update config.guess and config.sub. [RT #33816]

154
155
156
3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

157
158
159
3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

160
161
162
3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

163
164
165
166
167
3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

168
169
170
171
3589.	[func]		Report serial numbers in when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT# 33037]

172
173
174
3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

175
176
177
3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

Jeremy C. Reed's avatar
Jeremy C. Reed committed
178
3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
179

180
181
182
3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

183
3584.	[security]	Caching data from an incompletely signed zone could
Mark Andrews's avatar
Mark Andrews committed
184
185
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]
186

187
188
3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

189
190
191
3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

192
193
3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

Evan Hunt's avatar
Evan Hunt committed
194
195
3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

196
197
198
3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

199
200
201
3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

202
203
3577.	[bug]		Handle zero TTL values better. [RT #33411]

204
205
3576.	[bug]		Address a shutdown race when validating. [RT #33573]

206
207
208
3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

209
210
211
3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

Evan Hunt's avatar
Evan Hunt committed
212
213
214
3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]
215

Evan Hunt's avatar
Evan Hunt committed
216
217
218
3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

219
220
221
3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

222
3570.	[bug]		Check internal pointers are valid when loading map
223
			files. [RT #33403]
224

Evan Hunt's avatar
Evan Hunt committed
225
226
227
3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

Evan Hunt's avatar
Evan Hunt committed
228
229
230
3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

Evan Hunt's avatar
Evan Hunt committed
231
232
3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

Evan Hunt's avatar
Evan Hunt committed
233
234
3566.	[func]		Log when forwarding updates to master. [RT #33240]

235
3565.	[placeholder]
236

237
238
3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

Evan Hunt's avatar
Evan Hunt committed
239
240
3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

Evan Hunt's avatar
Evan Hunt committed
241
242
243
244
3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

245
246
3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]
247

248
3560.	[bug]		isc-config.sh did not honor includedir and libdir
249
250
			when set via configure. [RT #33345]

251
252
253
3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

254
255
3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

256
257
3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

Evan Hunt's avatar
Evan Hunt committed
258
259
3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

260
261
262
3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

Evan Hunt's avatar
Evan Hunt committed
263
264
265
266
3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

267
268
3553.	[bug]		Address suspected double free in acache. [RT #33252]

269
3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
270
			[RT #33280]
271

272
273
3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

274
275
276
277
3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

Evan Hunt's avatar
Evan Hunt committed
278
279
280
3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

281
282
283
284
3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

285
286
287
3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

288
289
3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

Evan Hunt's avatar
Evan Hunt committed
290
291
292
3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

Evan Hunt's avatar
Evan Hunt committed
293
294
295
296
3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

297
3543.	[bug]		Update socket structure before attaching to socket
Mark Andrews's avatar
typo    
Mark Andrews committed
298
			manager after accept. [RT #33084]
299

Mark Andrews's avatar
Mark Andrews committed
300
301
3542.	[placeholder]

Evan Hunt's avatar
Evan Hunt committed
302
303
3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]
304

Evan Hunt's avatar
Evan Hunt committed
305
3540.	[test]		libt_api: t_info and t_assert were not thread safe.
306

307
308
3539.	[port]		win32: timestamp format didn't match other platforms.

Evan Hunt's avatar
Evan Hunt committed
309
310
3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]
311

312
313
314
315
3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

Evan Hunt's avatar
Evan Hunt committed
316
317
318
319
320
321
322
323
324
3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

325
326
3535.	[bug]		Minor win32 cleanups. [RT #32962]

327
328
329
3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

330
331
332
333
3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

334
335
336
3531.	[bug]		win32: A uninitialized value could be returned on out
			of memory. [RT #32960]

Evan Hunt's avatar
Evan Hunt committed
337
338
3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

339
340
341
342
343
3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

Evan Hunt's avatar
Evan Hunt committed
344
345
346
347
348
349
350
3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

351
352
353
354
3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

355
356
357
3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

358
359
360
361
362
363
364
3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

365
366
3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
Evan Hunt's avatar
Evan Hunt committed
367
			http://[address]:[port]/json. [RT #32630]
368

369
370
371
372
373
3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

374
375
376
3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

377
378
3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

379
380
381
3520.	[bug]		'mctx' was not being referenced counted in some places
			where it should have been.  [RT #32794]

382
383
384
385
3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

386
387
388
389
390
3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is teated as signed or unsigned by
			the compiler. [RT #32792]

391
392
3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

Evan Hunt's avatar
Evan Hunt committed
393
394
3516.	[placeholder]

395
396
3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

Evan Hunt's avatar
Evan Hunt committed
397
398
399
400
401
402
3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

403
404
405
3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

Evan Hunt's avatar
Evan Hunt committed
406
407
408
3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

Evan Hunt's avatar
Evan Hunt committed
409
410
3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

411
412
413
3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

414
415
416
417
3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

418
419
420
3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

421
422
423
424
3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

425
426
427
428
429
430
431
432
433
434
435
436
3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

Evan Hunt's avatar
Evan Hunt committed
437
438
439
440
3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]
Mark Andrews's avatar
Mark Andrews committed
441

Evan Hunt's avatar
Evan Hunt committed
442
443
3503.	[doc]		Clarify size_spec syntax. [RT #32449]

444
445
446
3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

447
448
449
450
3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

Evan Hunt's avatar
Evan Hunt committed
451
452
453
454
3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]
455

Evan Hunt's avatar
Evan Hunt committed
456
457
458
3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

459
460
461
462
3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

463
464
465
466
3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

Evan Hunt's avatar
Evan Hunt committed
467
468
3496.	[placeholder]

469
3495.	[func]		Support multiple response-policy zones (up to 32),
Mark Andrews's avatar
Mark Andrews committed
470
			while improving RPZ performance.  "response-policy"
471
472
473
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
Mark Andrews's avatar
Mark Andrews committed
474
			--enable-rpz-nsdname are now the default. [RT #32251]
475

Evan Hunt's avatar
Evan Hunt committed
476
477
478
479
3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

480
481
3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]
Mark Andrews's avatar
Mark Andrews committed
482

483
484
485
3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

486
487
488
3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

489
3490.	[bug]		When logging RDATA during update, truncate if it's
Mark Andrews's avatar
Mark Andrews committed
490
			too long. [RT #32365]
491

492
493
494
495
496
3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

497
498
3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

499
500
3487.	[bug]		Change 3444 was not complete.  There was a additional
			place where the NOQNAME proof needed to be saved.
Mark Andrews's avatar
Mark Andrews committed
501
			[RT #32629]
502

Evan Hunt's avatar
Evan Hunt committed
503
504
505
3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

506
507
3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

508
509
510
3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

Evan Hunt's avatar
Evan Hunt committed
511
512
3483.	[placeholder]

513
514
515
516
3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

517
3481.	[cleanup]	Removed use of const const in atf.
518

Evan Hunt's avatar
Evan Hunt committed
519
520
521
3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

522
523
524
3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

Evan Hunt's avatar
Evan Hunt committed
525
526
527
528
3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
Mark Andrews's avatar
Mark Andrews committed
529
530
			[RT #32365]

531
532
533
3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

Evan Hunt's avatar
Evan Hunt committed
534
535
3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]
536

537
538
539
3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

Evan Hunt's avatar
Evan Hunt committed
540
541
542
543
3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

544
545
546
3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

547
548
549
550
3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

551
552
553
3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

Evan Hunt's avatar
Evan Hunt committed
554
555
556
557
3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

558
559
3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
560
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
561
562
563

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]
564

565
566
567
3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

568
569
3465.	[bug]		Handle isolated reserved ports. [RT #31778]

570
571
572
3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

573
3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
574
575
576
577

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

578
579
580
3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

581
582
3460.	[bug]		Only link against readline where needed. [RT #29810]

583
584
585
3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

586
587
588
3458.	[bug]		Return FORMERR when presented with a overly long
			domain named in a request. [RT #29682]

589
590
3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

Evan Hunt's avatar
Evan Hunt committed
591
3456.	[port]		g++47: ATF failed to compile. [RT #32012]
592

593
594
3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

595
596
3454.	[port]		sparc64: improve atomic support. [RT #25182]

597
598
599
3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

Mark Andrews's avatar
Mark Andrews committed
600
3452.	[bug]		Accept duplicate singleton records. [RT #32329]
601

602
603
604
3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

605
606
607
3450.	[bug]		Stop logfileconfig system test spam system logs.
			[RT #32315]

608
609
610
611
3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

Evan Hunt's avatar
Evan Hunt committed
612
613
614
3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

615
616
3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

617
618
619
3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

620
621
3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]
622

623
3444.	[bug]		The NOQNAME proof was not being returned from cached
624
625
			insecure responses. [RT #21409]

626
627
628
3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

629
630
631
3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

632
633
3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

634
635
636
3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
			cleaning up due to out of memory error. [RT #32131]

Mark Andrews's avatar
Mark Andrews committed
637
638
3439.	[placeholder]

639
640
3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

Mark Andrews's avatar
Mark Andrews committed
641
3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
642
643
			buffers with constant data. [RT #32064]

644
645
3436.	[bug]		Check malloc/calloc return values. [RT #32088]

646
647
648
3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

649
650
651
652
653
654
3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

655
656
657
3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

Evan Hunt's avatar
Evan Hunt committed
658
659
660
661
662
663
664
665
666
3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

667
668
669
3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

670
671
672
3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

673
674
675
3429.	[bug]		dns_zone_getserial2 could a return success without
			returning a valid serial. [RT #32007]

Evan Hunt's avatar
Evan Hunt committed
676
677
3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

Mark Andrews's avatar
Mark Andrews committed
678
3427.	[bug]		dig +trace incorrectly displayed name server
Evan Hunt's avatar
Evan Hunt committed
679
680
			addresses instead of names. [RT #31641]

681
682
683
3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

684
685
686
3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

687
688
689
3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

690
691
692
693
3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

Mark Andrews's avatar
Mark Andrews committed
694
3422.	[bug]		Added a clear error message for when the SOA does not
695
696
			match the referral. [RT #31281]

697
698
699
3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

700
701
3420.	[bug]		Address VPATH compilation issues. [RT #31879]

702
703
3419.	[bug]		Memory leak on validation cancel. [RT #31869]

Mark Andrews's avatar
Mark Andrews committed
704
705
706
707
708
709
3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
710
711
			deprecated. [RT #30023]

Mark Andrews's avatar
Mark Andrews committed
712
3417.	[placeholder]
713

714
715
716
3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

717
3415.	[bug]		named could die with a REQUIRE failure if a validation
718
719
			was canceled. [RT #31804]

720
721
3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

722
723
724
3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

725
726
727
3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

728
729
730
3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

731
732
3410.	[bug]		Addressed Coverity warnings. [RT #31626]

Evan Hunt's avatar
Evan Hunt committed
733
734
735
736
737
3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

738
739
740
741
742
3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

Mark Andrews's avatar
Mark Andrews committed
743
744
3407.	[placeholder]

745
746
3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
Mark Andrews's avatar
Mark Andrews committed
747
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
748

749
750
3405.	[bug]		Handle time going backwards in acache. [RT #31253]

751
3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
Mark Andrews's avatar
Mark Andrews committed
752
			RRSIG and NSEC records from nodes that used to be
753
754
			in-zone but are now below a zone cut. [RT #31556]

Evan Hunt's avatar
Evan Hunt committed
755
756
3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

Evan Hunt's avatar
Evan Hunt committed
757
3402.	[test]		The IPv6 interface numbers used for system
Mark Andrews's avatar
Mark Andrews committed
758
			tests were incorrect on some platforms. [RT #25085]
Curtis Blackburn's avatar
Curtis Blackburn committed
759

Evan Hunt's avatar
Evan Hunt committed
760
761
3401.	[bug]		Addressed Coverity warnings. [RT #31484]

Evan Hunt's avatar
Evan Hunt committed
762
763
764
765
3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

766
767
768
3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

769
770
771
772
3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

773
3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
Mark Andrews's avatar
Mark Andrews committed
774

775
776
777
3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

778
779
780
781
3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

Mark Andrews's avatar
Mark Andrews committed
782
3394.	[bug]		Adjust 'successfully validated after lower casing
783
784
			signer' log level and category. [RT #31414]

785
786
787
3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

788
789
3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

Mark Andrews's avatar
Mark Andrews committed
790
791
3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]
792

793
794
3390.	[bug]		Silence clang compiler warnings. [RT #30417]

795
796
3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

797
798
799
800
801
802
3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]
Evan Hunt's avatar
Evan Hunt committed
803

804
805
3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]
806

807
808
809
3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

810
811
812
3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

Evan Hunt's avatar
Evan Hunt committed
813
814
3384.	[bug]		Improved logging of crypto errors. [RT #30963]

Evan Hunt's avatar
typo    
Evan Hunt committed
815
3383.	[security]	A certain combination of records in the RBT could
Mark Andrews's avatar
Mark Andrews committed
816
817
			cause named to hang while populating the additional
			section of a response. [RT #31090]
Evan Hunt's avatar
Evan Hunt committed
818

Evan Hunt's avatar
Evan Hunt committed
819
820
821
822
3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

Evan Hunt's avatar
Evan Hunt committed
823
824
825
3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

826
3380.	[bug]		named could die if a nonexistent master list was
827
828
			referenced in a also-notify. [RT #31004]

829
830
831
3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

832
833
834
3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

Evan Hunt's avatar
Evan Hunt committed
835
836
837
3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

838
839
840
3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

841
842
3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

Mark Andrews's avatar
Mark Andrews committed
843
844
3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]
845

Mark Andrews's avatar
Mark Andrews committed
846
3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
847

848
849
850
3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

851
852
853
854
3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

855
856
857
3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
858
859
			if built with readline support. [RT #29550]

860
3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
Evan Hunt's avatar
Evan Hunt committed
861
			were not C++ safe.
862

863
864
865
3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

Mark Andrews's avatar
Mark Andrews committed
866
3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
867
868
			atomic operations. [RT #25181]

869
870
871
3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

872
873
874
3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

875
876
877
878
3363.	[bug]		Need to allow "forward" and "fowarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

879
880
881
882
3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

883
884
3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]
Mark Andrews's avatar
Mark Andrews committed
885

886
887
3360.	[bug]		'host -w' could die.  [RT #18723]

888
3359.	[bug]		An improperly-formed TSIG secret could cause a
Mark Andrews's avatar
Mark Andrews committed
889
			memory leak. [RT #30607]
890

Mark Andrews's avatar
Mark Andrews committed
891
892
3358.	[placeholder]

893
894
3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

Mark Andrews's avatar
Mark Andrews committed
895
3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
896
897
898
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

899
900
3355.	[port]		Use more portable awk in verify system test.

901
902
3354.	[func]		Improve OpenSSL error logging. [RT #29932]

903
904
905
3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

906
907
908
3352.	[bug]		Ensure that learned server attributes timeout of the
			adb cache. [RT #29856]

909
910
911
912
3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

913
914
915
916
3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

Mark Andrews's avatar
Mark Andrews committed
917
918
3349.	[bug]		Change #3345 was incomplete. [RT #30233]

Mark Andrews's avatar
Mark Andrews committed
919
920
921
922
3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
Mark Andrews's avatar
Mark Andrews committed
923
			being inserted into the cache as well. [RT #26809]
Mark Andrews's avatar
Mark Andrews committed
924
925
926

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
Evan Hunt's avatar
Evan Hunt committed
927
			permissions of the existing file. [RT #27724]
Curtis Blackburn's avatar
Curtis Blackburn committed
928

Evan Hunt's avatar
Evan Hunt committed
929
930
931
3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

932
933
934
935
3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

Mark Andrews's avatar
Mark Andrews committed
936
937
938
939
940
941
942
943
944
3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

Mark Andrews's avatar
Mark Andrews committed
945
946
3343.	[placeholder]

947
948
949
950
3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

951
952
953
954
3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

Evan Hunt's avatar
Evan Hunt committed
955
3340.	[func]		Added new 'map' zone file format, which is an image
Mark Andrews's avatar
Mark Andrews committed
956
957
958
959
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
Evan Hunt's avatar
Evan Hunt committed
960
			'map' zone files cannot always be transferred from one
Curtis Blackburn's avatar
Curtis Blackburn committed
961
962
			server to another.) [RT #25419]

963
964
965
3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

966
967
968
3338.	[bug]		Address race condition in units tests: asyncload_zone
			and asyncload_zt. [RT #26100]

969
970
971
3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

972
973
974
3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

975
976
977
3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

978
3334.	[bug]		Hold a zone table reference while performing a
Mark Andrews's avatar
Mark Andrews committed
979
			asynchronous load of a zone. [RT #28326]
980

981
3333.	[bug]		Setting resolver-query-timeout too low can cause
Mark Andrews's avatar
Mark Andrews committed
982
			named to not recover if it loses connectivity.
983
984
			[RT #29623]

Mark Andrews's avatar
add #    
Mark Andrews committed
985
3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
986

Mark Andrews's avatar
Mark Andrews committed
987
3331.	[security]	dns_rdataslab_fromrdataset could produce bad
988
			rdataslabs. [RT #29644]
Mark Andrews's avatar
Mark Andrews committed
989

Vernon Schryver's avatar
Vernon Schryver committed
990
3330.	[func]		Fix missing signatures on NOERROR results despite
Mark Andrews's avatar
Mark Andrews committed
991
			RPZ rewriting.  Also
Vernon Schryver's avatar
Vernon Schryver committed
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


1005
1006
1007
1008
1009
1010
3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

Mark Andrews's avatar
Mark Andrews committed
1011
1012
3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]
Evan Hunt's avatar
Evan Hunt committed
1013

Evan Hunt's avatar
Evan Hunt committed
1014
1015
1016
1017
1018
3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

1045
3318.	[tuning]	Reduce the amount of work performed while holding a
Mark Andrews's avatar
Mark Andrews committed
1046
			bucket lock when finished with a fetch context.
1047
1048
			[RT #29239]

Mark Andrews's avatar
Mark Andrews committed
1049
3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
1050

1051
1052
1053
3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

1054
1055
1056
1057
1058
3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

1059
1060
3314.	[bug]		The masters list could be updated while stub_callback
			or refresh_callback were using it. [RT #26732]
1061

1062
1063
3313.	[protocol]	Add TLSA record type. [RT #28989]

1064
1065
1066
3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

1067
1068
1069
3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

1070
1071
3310.	[test]		Increase table size for mutex profiling. [RT #28809]

Mark Andrews's avatar
Mark Andrews committed
1072
3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
1073
1074
			[RT #27995]

Mark Andrews's avatar
Mark Andrews committed
1075
1076
3308.	[placeholder]

1077
1078
3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]
1079

1080
1081
1082
1083
3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

1084
1085
3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]
1086

1087
1088
3303.	[bug]		named could die when reloading. [RT #28606]

1089
1090
1091
1092
3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained character that
			required special mappings. [RT #28600]

1093
1094
1095
3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

1096
1097
1098
3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

1099
1100
1101
3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

1102
1103
1104
1105
3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

1106
1107
3297.	[bug]		Named could die on a malformed master file. [RT #28467]

1108
1109
1110
3296.	[bug]		Named could die with a INSIST failure in
			client.c:exit_check. [RT #28346]

1111
1112
1113
3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT # 26542]

1114
1115
1116
3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

1117
1118
3293.	[func]		nsupdate: list supported type. [RT #28261]

1119
1120
1121
3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

1122
1123
1124
3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

1125
1126
3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

1127
1128
3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

1129
1130
1131
3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

1132
1133
3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

1134
1135
1136
3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

1137
1138
1139
1140
3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

1141
1142
1143
3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

1144
1145
1146
3283.	[bug]		Raw zones with with more than 512 records in a RRset
			failed to load. [RT #27863]

1147
3282.	[bug]		Restrict the TTL of NS RRset to no more than that
Mark Andrews's avatar
extend:    
Mark Andrews committed
1148
1149
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]
1150

1151
1152
1153
1154
3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

1155
1156
1157
3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

Mark Andrews's avatar
Mark Andrews committed
1158
3279.	[bug]		Hold a internal reference to the zone while performing
1159
1160
1161
			a asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

Mark Andrews's avatar
Mark Andrews committed
1162
3278.	[bug]		Make sure automatic key maintenance is started
1163
1164
1165
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

Mark Andrews's avatar
Mark Andrews committed
1166
3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
1167
1168
1169
1170

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

1171
3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
1172
			option had been misspelled as '-clear'.  (To avoid
1173
1174
			future confusion, both options now work.) [RT #27173]

Mark Andrews's avatar
Mark Andrews committed
1175
3274.	[placeholder]
Mark Andrews's avatar
Mark Andrews committed
1176

Mark Andrews's avatar
Mark Andrews committed
1177
1178
1179
3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]
1180
1181
1182
1183

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

1184
1185
1186
1187
3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to covert 64 bit hex strings. [RT #27653]

Evan Hunt's avatar
Evan Hunt committed
1188
	--- 9.9.0rc2 released ---
Evan Hunt's avatar
Evan Hunt committed
1189

1190
1191
1192
3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

1193
1194
3269.	[port]		darwin 11 and later now built threaded by default.

1195
1196
1197
3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

1198
1199
1200
1201