3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'fast' zone file format, which is an image 
			of a zone database that can be loaded directly into 
			memory via mmap(), allowing much faster zone loading. 
			(Note: Because of pointer sizes and other 
			considerations, this file format is platform-dependent; 
			'fast' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in unit tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing an
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]
			
3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting.  Also 
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.   [bug]           Fixed inconsistent data checking in dst_parse.c.
                        [RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[protocol]	Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while refresh_callback
			and stub_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not threadsafe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained characters that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with an INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT #26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with more than 512 records in a RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold an internal reference to the zone while performing
			an asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'.  (To avoid
			future confusion, both options now work.) [RT #27173]

3274.	[placeholder]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to convert 64 bit hex strings. [RT #27653]

	--- 9.9.0rc2 released ---

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]

3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

3261.	[func]		RRset ordering now defaults to random. [RT #27174]

3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]

	--- 9.9.0rc1 released ---

3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3257.	[bug]		Do not generate an error message when calling fsync()
			in a pipe or socket. [RT #27109]

3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that empty zones be explicitly
			enabled or that an empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

3251.	[bug]		Enforce an upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent runaway memory consumption on ISC_R_NOSPACE.
			[RT #26956]

3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with an empty also-notify list.
			[RT #27087]

3245.	[bug]		Don't report an error unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

3244.	[func]		Added readline support to nslookup and nsupdate.
			Also simplified nsupdate syntax to make "update"
			and "prereq" optional. [RT #24659]

3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

3242.	[func]		Extended the header of raw-format master files to
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.

			(Note: raw zonefiles generated by this version of
			BIND are no longer compatible with prior versions.
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
			lib/dns/rbtdb.c:iszonesecure. [RT #26913]

3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

3235.	[func]		dns_db_diffx, an extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

3231.	[bug]		named could fail to send an uncompressable zone.
			[RT #26796]

3230.	[bug]		'dig axfr' failed to properly handle a multi-message
			axfr with a serial of 0. [RT #26796]

3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]

3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

3226.	[bug]		Address minor resource leakages. [RT #26624]

3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

3221.	[bug]		Fixed a potential coredump on shutdown due to
			referencing fetch context after it's been freed.
			[RT #26720]

	--- 9.9.0b2 released ---

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3219.	[bug]		Disable NOEDNS caching following a timeout.

3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]

3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]

3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading to a
			possible assertion failure. [RT #23219]

3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]

3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
			[RT #25522]

3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

3205.	[func]		Upgrade dig's defaults to better reflect modern
			nameserver behaviour.  Enable "dig +adflag" and
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]

3204.	[bug]		When a master server that has been marked as
			unreachable sends a NOTIFY, mark it reachable
			again. [RT #25960]

3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

3202.	[bug]		NOEDNS caching on timeout was too aggressive.
			[RT #26416]

3201.	[func]		'rndc querylog' can now be given an on/off parameter
			instead of only being used as a toggle. [RT #18351]

3200.	[doc]		Some rndc functions were undocumented or were
			missing from 'rndc -h' output. [RT #25555]

3199.	[func]		When logging client information, include the name
			being queried. [RT #25944]

3198.	[doc]		Clarified that dnssec-settime can alter keyfile
			permissions. [RT #24866]

3197.	[bug]		Don't try to log the filename and line number when
			the config parser can't open a file. [RT #22263]

3196.	[bug]		nsupdate: return nonzero exit code when target zone
			doesn't exist. [RT #25783]

3195.	[cleanup]	Silence "file not found" warnings when loading
			managed-keys zone. [RT #26340]

3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
			documentation. [RT #25203]

3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
			dnssec.h. [RT #26415]

3192.	[bug]		A query structure could be used after being freed.
			[RT #22208]

3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]

3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
			[RT #26397]

3189.	[test]		Added a summary report after system tests. [RT #25517]

3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
			references correctly when errors occurred, causing
			a hang on shutdown. [RT #26372]

3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]

	--- 9.9.0b1 released ---

3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]

3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
			 - 'rndc signing -list' displays the current
			   state of signing operations
			 - 'rndc signing -clear' clears the signing state
			   records for keys that have fully signed the zone
			 - 'rndc signing -nsec3param' sets the NSEC3
			   parameters for the zone
			The 'rndc keydone' syntax is removed. [RT #23729]

3184.	[bug]		named had excessive cpu usage when a redirect zone was
			configured. [RT #26013]

3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3182.	[bug]		Auth servers behind firewalls which block packets
			greater than 512 bytes may cause other servers to
			perform poorly. Now, adb retains edns information
			and caches noedns servers. [RT #23392/24964]

3181.	[func]		Inline-signing is now supported for master zones.
			[RT #26224]

3180.	[func]		Local copies of slave zones are now saved in raw
			format by default, to improve startup performance.
			'masterfile-format text;' can be used to override
			the default, if desired. [RT #25867]

3179.	[port]		kfreebsd: build issues. [RT #26273]

3178.	[bug]		A race condition introduced by change #3163 could
			cause an assertion failure on shutdown. [RT #26271]

3177.	[func]		'rndc keydone', remove the indicator record that
			named has finished signing the zone with the
			corresponding key.  [RT #26206]

3176.	[doc]		Corrected example code and added a README to the
			sample external DLZ module in contrib/dlz/example.
			[RT #26215]

3175.	[bug]		Fix how DNSSEC positive wildcard responses from an
			NSEC3 signed zone are validated.  Stop sending an
			unnecessary NSEC3 record when generating such
			responses. [RT #26200]

3174.	[bug]		Always compute the revoked key tag from scratch.
			[RT #26186]

3173.	[port]		Correctly validate root DS responses. [RT #25726]

3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
			default.

3171.	[bug]		Exclusively lock the task when adding a zone using
			'rndc addzone'.  [RT #25600]

	--- 9.9.0a3 released ---

3170.	[func]		RPZ update:
			- fix precedence among competing rules
			- improve ARM text including documenting rule precedence
			- try to rewrite CNAME chains until first hit
			- new "rpz" logging channel
			- RDATA for CNAME rules can include wildcards
			- replace "NO-OP" named.conf policy override with
			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
			  is still recognized)
			[RT #25172]

3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
			[RT #26017]

3168.	[bug]		Nxdomain redirection could trigger an assert with
			an ANY query. [RT #26017]

3167.	[bug]		Negative answers from forwarders were not being
			correctly tagged making them appear to not be cached.
			[RT #25380]

3166.	[bug]		Upgrading a zone to support inline-signing failed.
			[RT #26014]

3165.	[bug]		dnssec-signzone could generate new signatures when
			resigning, even when valid signatures were already
			present. [RT #26025]

3164.	[func]		Enable DLZ modules to retrieve client information,
			so that responses can be changed depending on the
			source address of the query. [RT #25768]

3163.	[bug]		Use finer-grained locking in client.c to address
			concurrency problems with large numbers of threads.
			[RT #26044]

3162.	[test]		start.pl: modified to allow for "named.args" in
			ns*/ subdirectory to override stock arguments to
			named. Largely from RT#26044, but no separate ticket.

3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
			to assertion failures. [RT #25880]

3160.	[bug]		When printing out a NSEC3 record in multiline form
			the newline was not being printed causing type codes
			to be run together. [RT #25873]

3159.	[bug]		On some platforms, named could assert on startup
			when running in a chrooted environment without
			/proc. [RT #25863]

3158.	[bug]		Recursive servers would prefer a particular UDP
			socket instead of using all available sockets.
			[RT #26038]

3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
			the config file before pausing the server. [RT #21373]

3156.	[placeholder]

	--- 9.9.0a2 released ---

3155.	[bug]		Fixed a build failure when using contrib DLZ
			drivers (e.g., mysql, postgresql, etc). [RT #25710]

3154.	[bug]		Attempting to print an empty rdataset could trigger
			an assert. [RT #25452]

3153.	[func]		Extend request-ixfr to zone level and remove the
			side effect of forcing an AXFR. [RT #25156]

3152.	[cleanup]	Some versions of gcc and clang failed due to
			incorrect use of __builtin_expect. [RT #25183]

3151.	[bug]		Queries for type RRSIG or SIG could be handled
			incorrectly.  [RT #21050]

3150.	[func]		Improved startup and reconfiguration time by
			enabling zones to load in multiple threads. [RT #25333]

3149.	[placeholder]

3148.	[bug]		Processing of normal queries could be stalled when
			forwarding an UPDATE message. [RT #24711]

3147.	[func]		Initial inline signing support.  [RT #23657]

	--- 9.9.0a1 released ---

3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
			there were any errors while running them. [RT #25527]

3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
			used with a nonexistent database node. [RT #25358]

3143.	[bug]		Silence clang compiler warnings. [RT #25174]

3142.	[bug]		NAPTR is class agnostic. [RT #25429]

3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
			associated with empty zones. [RT #25079]

3140.	[func]		New command "rndc flushtree <name>" clears the
			specified name from the server cache along with
			all names under it. [RT #19970]

3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
			for the hashing algorithms (md5, sha1 - sha512, and
			their hmac counterparts).  [RT #25067]

3138.	[bug]		Address memory leaks and out-of-order operations when
			shutting named down. [RT #25210]

3137.	[func]		Improve hardware scalability by allowing multiple
			worker threads to process incoming UDP packets.
			This can significantly increase query throughput
			on some systems.  [RT #22992]

3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
			empty zones switched on by the 'empty-zones-enable'
			option. [RT #24990]

3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
			[RT #24950]

3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
			statistics. [RT #16030]

3133.	[bug]		Change #3114 was incomplete. [RT #24577]

3132.	[placeholder]

3131.	[tuning]	Improve scalability by allocating one zone task
			per 100 zones at startup time, rather than using a
			fixed-size task table. [RT #24406]

3130.	[func]		Support alternate methods for managing a dynamic
			zone's serial number.  Two methods are currently
			defined using serial-update-method, "increment"
			(default) and "unixtime".  [RT #23849]

3129.	[bug]		Named could crash on 'rndc reconfig' when
			allow-new-zones was set to yes and named ACLs
			were used. [RT #22739]

3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
			auto-dnssec zone that has not been signed yet
			will cause it to be signed with the specified NSEC3
			parameters when keys are activated.  The
			NSEC3PARAM record will not appear in the zone until
			it is signed, but the parameters will be stored.
			[RT #23684]

3127.	[bug]		'rndc thaw' will now remove a zone's journal file
			if the zone serial number has been changed and
			ixfr-from-differences is not in use.  [RT #24687]

3126.	[security]	Using DNAME record to generate replacements caused
			RPZ to exit with an assertion failure. [RT #24766]

3125.	[security]	Using wildcard CNAME records as a replacement with
			RPZ caused named to exit with an assertion failure.
			[RT #24715]

3124.	[bug]		Use an rdataset attribute flag to indicate
			negative-cache records rather than using rrtype 0;
			this will prevent problems when that rrtype is
			used in actual DNS packets. [RT #24777]

3123.	[security]	Change #2912 exposed a latent flaw in
			dns_rdataset_totext() that could cause named to
			crash with an assertion failure. [RT #24777]

3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]

3121.	[security]	An authoritative name server sending a negative
			response containing a very large RRset could
			trigger an off-by-one error in the ncache code
			and crash named. [RT #24650]

3120.	[bug]		Named could fail to validate zones listed in a DLV
			that validated insecure without using DLV and had
			DS records in the parent zone. [RT #24631]

3119.	[bug]		When rolling to a new DNSSEC key, a private-type
			record could be created and never marked complete.
			[RT #23253]

3118.	[bug]		nsupdate could dump core on shutdown when using
			SIG(0) keys. [RT #24604]

3117.	[cleanup]	Remove doc and parser references to the
			never-implemented 'auto-dnssec create' option.
			[RT #24533]

3116.	[func]		New 'dnssec-update-mode' option controls updates
			of DNSSEC records in signed dynamic zones.  Set to
			'no-resign' to disable automatic RRSIG regeneration
			while retaining the ability to sign new or changed
			data. [RT #24533]

3115.	[bug]		Named could fail to return requested data when
			following a CNAME that points into the same zone.
			[RT #24455]

3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
			inactive and there is no replacement key. [RT #23136]

3113.	[doc]		Document the relationship between serial-query-rate
			and NOTIFY messages.

3112.	[doc]		Add missing descriptions of the update policy name
			types "ms-self", "ms-subdomain", "krb5-self" and
			"krb5-subdomain", which allow machines to update
			their own records, to the BIND 9 ARM.

3111.	[bug]		Improved consistency checks for dnssec-enable and
			dnssec-validation, added test cases to the
			checkconf system test. [RT #24398]

3110.	[bug]		dnssec-signzone: Wrong error message could appear
			when attempting to sign with no KSK. [RT #24369]

3109.	[func]		The also-notify option now uses the same syntax
			as a zone's masters clause.  This means it is
			now possible to specify a TSIG key to use when
			sending notifies to a given server, or to include
			an explicit named masters list in an also-notify
			statement.  [RT #23508]

3108.	[cleanup]	dnssec-signzone: Clarified some error and
			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
			code (use -P instead). [RT #20852]

3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
			when using -x. [RT #20852]

3106.	[func]		When logging client requests, include the name of
			the TSIG key if any. [RT #23619]

3105.	[bug]		GOST support can be suppressed by "configure
			--without-gost" [RT #24367]

3104.	[bug]		Better support for cross-compiling. [RT #24367]

3103.	[bug]		Configuring 'dnssec-validation auto' in a view
			instead of in the options statement could trigger
			an assertion failure in named-checkconf. [RT #24382]

3102.	[func]		New 'dnssec-loadkeys-interval' option configures
			how often, in minutes, to check the key repository
			for updates when using automatic key maintenance.
			Default is every 60 minutes (formerly hard-coded
			to 12 hours). [RT #23744]

3101.	[bug]		Zones using automatic key maintenance could fail
			to check the key repository for updates. [RT #23744]

3100.	[security]	Certain response policy zone configurations could
			trigger an INSIST when receiving a query of type
			RRSIG. [RT #24280]

3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
			not compiled with --with-dlz-filesystem.  [RT #24146]

3098.	[bug]		DLZ zones were answering without setting the AA bit.
			[RT #24146]

3097.	[test]		Add a tool to test handling of malformed packets.
			[RT #24096]

3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
			dst_gssapi_acceptctx(). [RT #24004]

3095.	[bug]		Handle isolated reserved ports in the port range.
			[RT #23957]

3094.	[doc]		Expand dns64 documentation.

3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]

3092.	[bug]		Signatures for records at the zone apex could go
			stale due to an incorrect timer setting. [RT #23769]

3091.	[bug]		Fixed a bug in which zone keys that were published
			and then subsequently activated could fail to trigger
			automatic signing. [RT #22911]

3090.	[func]		Make --with-gssapi default [RT #23738]

3089.	[func]		dnssec-dsfromkey now supports reading keys from
			standard input "dnssec-dsfromkey -f -". [RT #20662]

3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
			and add setup.sh in order to resolve changing
			named.conf issue.  [RT #23687]

3087.	[bug]		DDNS updates using SIG(0) with update-policy match
			type "external" could cause a crash. [RT #23735]

3086.	[bug]		Running dnssec-settime -f on an old-style key will
			now force an update to the new key format even if no
			other change has been specified, using "-P now -A now"
			as default values.  [RT #22474]

3085.	[func]		New '-R' option in dnssec-signzone forces removal
			of signatures which have not yet expired but
			were generated by a key that no longer exists.
			[RT #22471]

3084.	[func]		A new command "rndc sync" dumps pending changes in
			a dynamic zone to disk; "rndc sync -clean" also
			removes the journal file after syncing.  Also,
			"rndc freeze" no longer removes journal files.
			[RT #22473]

3083.	[bug]		NOTIFY messages were not being sent when generating
			an NSEC3 chain incrementally. [RT #23702]

3082.	[port]		strtok_r is threads only. [RT #23747]

3081.	[bug]		Failure of DNAME substitution did not return
			YXDOMAIN. [RT #23591]

3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
			[RT #23587]

3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
			[RT #23572]

3078.	[func]		Added a new include file with function typedefs
			for the DLZ "dlopen" driver. [RT #23629]

3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
			dns_zone_attach(), use zone->irefs instead. [RT #23303]

3076.	[func]		New '-L' option in dnssec-keygen, dnssec-settime, and
			dnssec-keyfromlabel sets the default TTL of the
			key.  When possible, automatic signing will use that
			TTL when the key is published.  [RT #23304]

3075.	[bug]		dns_dnssec_findzonekeys{2} used an inconsistent
			timestamp when determining which keys are active.
			[RT #23642]

3074.	[bug]		Make the adb cache read through for zone data and
			glue learned for zones named is authoritative for.
			[RT #22842]

3073.	[bug]		managed-keys changes were not properly being recorded.
			[RT #20256]

3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
			[RT #20256]

3071.	[bug]		has_nsec could be used uninitialised in
			update.c:next_active. [RT #20256]

3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
			[RT #20256]

3069.	[cleanup]	Silence warning messages from clang static analysis.
			[RT #20256]

3068.	[bug]		Named failed to build with an OpenSSL without engine
			support. [RT #23473]

3067.	[bug]		ixfr-from-differences {master|slave}; failed to
			select the master/slave zones.  [RT #23580]

3066.	[func]		The DLZ "dlopen" driver is now built by default,
			no longer requiring a configure option.  To
			disable it, use "configure --without-dlopen".
			Driver also supported on win32.  [RT #23467]

3065.	[bug]		RRSIG could have time stamps too far in the future.
			[RT #23356]

3064.	[bug]		powerpc: add sync instructions to the end of atomic
			operations. [RT #23469]

3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]

3062.	[func]		Made several changes to enhance human readability
			of DNSSEC data in dig output and in generated
			zone files:
			 - DNSKEY record comments are more verbose, no
			   longer used in multiline mode only
			 - multiline RRSIG records reformatted
			 - multiline output mode for NSEC3PARAM records
			 - "dig +norrcomments" suppresses DNSKEY comments
			 - "dig +split=X" breaks hex/base64 records into
			   fields of width X; "dig +nosplit" disables this.
			[RT #22820]

3061.	[func]		New option "dnssec-signzone -D", only write out
			generated DNSSEC records. [RT #22896]

3060.	[func]		New option "dnssec-signzone -X <date>" allows
			specification of a separate expiration date
			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

3059.	[test]		Added a regression test for change #3023.

3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
			reload to fail, if a log file specified in the conf
			file isn't a plain file. [RT #22771]

3057.	[bug]		"rndc secroots" would abort after the first error
			and so could miss some views. [RT #23488]

3056.	[func]		Added support for URI resource record. [RT #23386]

3055.	[placeholder]

3054.	[bug]		Added elliptic curve support check in
			GOST OpenSSL engine detection. [RT #23485]

3053.	[bug]		Under a sustained high query load with a finite
			max-cache-size, it was possible for cache memory
			to be exhausted and not recovered. [RT #23371]

3052.	[test]		Fixed last autosign test report. [RT #23256]

3051.	[bug]		NS records obscure DNAME records at the bottom of the
			zone if both are present. [RT #23035]

3050.	[bug]		The autosign system test was timing dependent.
			Wait for the initial autosigning to complete
			before running the rest of the test. [RT #23035]

3049.	[bug]		Save and restore the gid when creating
			named.pid at startup. [RT #23290]

3048.	[bug]		Fully separate view key management. [RT #23419]

3047.	[bug]		DNSKEY NODATA responses not cached fixed in
			validator.c. Tests added to dnssec system test.
			[RT #22908]

3046.	[bug]		Use RRSIG original TTL to compute validated RRset
			and RRSIG TTL. [RT #23332]

3045.	[removed]	Replaced by change #3050.

3044.	[bug]		Hold the socket manager lock while freeing the socket.
			[RT #23333]

3043.	[test]		Merged in the NetBSD ATF test framework (currently
			version 0.12) for development of future unit tests.
			Use configure --with-atf to build ATF internally
			or configure --with-atf=prefix to use an external
			copy.  [RT #23209]

3042.	[bug]		dig +trace could fail attempting to use IPv6
			addresses on systems with only IPv4 connectivity.
			[RT #23297]

3041.	[bug]		dnssec-signzone failed to generate new signatures on
			ttl changes. [RT #23330]

3040.	[bug]		Named failed to validate insecure zones where a node
			with a CNAME existed between the trust anchor and the
			top of the zone. [RT #23338]

3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]

3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]

3037.	[doc]		Update COPYRIGHT to contain all the individual
			copyright notices that cover various parts.

3036.	[bug]		Check built-in zone arguments to see if the zone
			is re-usable or not. [RT #21914]

3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]

3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]

3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
			[RT #22521]

3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]