CHANGES 237 KB
2276.	[bug]		Install <dst/gssapi.h>.  [RT# 17359]

2275.	[func]		Add support to dig to perform IXFR queries over UDP.
			[RT #17235]

2274.	[func]		Log zone transfer statistics. [RT #17161]

2273.	[bug]		Adjust log level to WARNING when saving inconsistent
			stub/slave master and journal files. [RT# 17279]

2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
			[RT #17262]

2271.	[bug]		Fix a memory leak in http server code [RT #17100]

2270.	[bug]		dns_db_closeversion() version->writer could be reset
			before it is tested. [RT #17290]

2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]

2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
			list.

	--- 9.5.0b1 released ---

2267.   [bug]           Radix tree node_num value could be set incorrectly,
                        causing positive ACL matches to look like negative
                        ones.  [RT #17311]

2266.	[bug]		client.c:get_clientmctx() returned the same mctx
			once the pool of mctx's was filled. [RT #17218]

2265.	[bug]		Test that the memory context's basic_table is non NULL
			before freeing.  [RT #17265]

2264.	[bug]		Server prefix length was being ignored. [RT #17308]

2263.	[bug]		"named-checkconf -z" failed to set default value
			for "check-integrity".  [RT #17306]

2262.	[bug]		Error status from all but the last view could be
			lost. [RT #17292]

2261.   [bug]           Fix memory leak with "any" and "none" ACLs [RT #17272]

2260.	[bug]		Reported wrong clients-per-query when increasing the
                        value. [RT #17236]

2259.	[placeholder]

	--- 9.5.0a7 released ---

2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
			[RT #17241]

2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
			calling it. [RT #17222]

2256.	[bug]		win32: Correctly register the installation location of
			bindevt.dll. [RT #17159]

2255.	[bug]		L.ROOT-SERVERS.NET is now 199.7.83.42.

2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
			when reading timer->idle allowing it to see
			intermediate values as timer->idle was reset by
			isc_timer_touch(). [RT #17243]

2253.	[func]	 	"max-cache-size" defaults to 32M.
			"max-acache-size" defaults to 16M.

2252.   [bug]           Fixed errors in sortlist code [RT #17216]

2251.	[placeholder]

2250.	[func]		New flag 'memstatistics' to state whether the
			memory statistics file should be written or not.
			Additionally named's -m option will cause the
			statistics file to be written. [RT #17113]
			
2249.   [bug]           Only set Authentic Data bit if client requested
                        DNSSEC, per RFC 3655 [RT #17175]

2248.   [cleanup]       Fix several errors reported by Coverity. [RT #17160]

2247.	[doc]		Sort doc/misc/options. [RT #17067]

2246.	[bug]		Make the startup of test servers (ans.pl) more
			robust. [RT #17147]

2245.	[bug]		Validating lack of DS records at trust anchors wasn't
			working. [RT #17151]

2244.	[func]		Allow the check of nameserver names against the
			SOA MNAME field to be disabled by specifying
			'notify-to-soa yes;'.  [RT #17073]

2243.	[func]		Configuration files without a newline at the end now
			parse without error. [RT #17120]

2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
			library could require a source of random data.
			[RT #17127]

2241.	[func]		nsupdate: add an interactive 'help' command. [RT #17099]

2240.	[bug]		Clean up nsupdate's GSS-TSIG support.  Convert
			a number of INSIST()s into plain fatal() errors
			which report the triggering result code.
			The 'key' command wasn't disabling GSS-TSIG.
			[RT #17099]

2239.	[func]		Ship a prebuilt bin/named/bind9.xsl.h. [RT #17114]

2238.	[bug]		It was possible to trigger a REQUIRE when a
			validation was cancelled. [RT #17106]

2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]

2236.	[bug]		dnssec-signzone failed to preserve the case
			of wildcard owner names. [RT #17085]

2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]

2234.   [port]          Correct some compiler warnings on SCO OSr5 [RT #17134]
  
2233.   [func]          Add support for O(1) ACL processing, based on
                        radix tree code originally written by kevin
                        brintnall. [RT #16288]

2232.	[bug]		dns_adb_findaddrinfo() could fail and return
			ISC_R_SUCCESS. [RT #17137]

2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
			[RT #17088]

2230.	[bug]		We could INSIST reading a corrupted journal.
			[RT #17132]

2229.	[bug]		Null pointer dereference on query pool creation
			failure. [RT #17133]

2228.	[contrib]	contrib: Change 2188 was incomplete.

2227.	[cleanup]	Tidied up the FAQ. [RT #17121]

2226.	[placeholder]

2225.	[bug]		More support for systems with no IPv4 addresses.
		        [RT #17111]

2224.	[bug]		Defer journal compaction if a xfrin is in progress.
			[RT #17119]

2223.	[bug]		Make a new journal when compacting. [RT #17119]

2222.	[func]		named-checkconf now checks server key references.
		        [RT #17097]

2221.	[bug]		Set the event result code to reflect the actual
			record returned to caller when a cache update is
			rejected due to a more credible answer existing.
			[RT #17017]

2220.	[bug]		win32: Address a race condition in final shutdown of
			the Windows socket code. [RT #17028]
			
2219.	[bug]		Apply zone consistency checks to additions, not
			removals, when updating. [RT #17049]

2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
			[RT #16976]

2217.	[func]		Adjust update log levels. [RT #17092]

2216.	[cleanup]	Fix a number of errors reported by Coverity.
		        [RT #17094]

2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]

2214.	[bug]		Deregister OpenSSL lock callback when cleaning
			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
			is called before the locks are destroyed. [RT #17098]

2213.	[bug]		SIG0 diagnostic failure messages were looking at the
			wrong status code. [RT #17101]

2212.	[func]		'host -m' now causes memory statistics and active
			memory to be printed at exit. [RT #17028]

2211.	[func]		Update "dynamic update temporarily disabled" message.
			[RT #17065]

2210.	[bug]		Deleting class specific records via UPDATE could
			fail.  [RT #17074]

2209.	[port]		osx: linking against user supplied static OpenSSL
			libraries failed as the system ones were still being
			found. [RT #17078]

2208.	[port]		win32: make sure both build methods produce the
			same output. [RT #17058]

2207.	[port]		Some implementations of getaddrinfo() fail to set
			ai_canonname correctly. [RT #17061]

	--- 9.5.0a6 released ---

2206.	[security]	"allow-query-cache" and "allow-recursion" now
			cross inherit from each other.

			If allow-query-cache is not set in named.conf then
			allow-recursion is used if set, otherwise allow-query
			is used if set, otherwise the default (localnets;
			localhost;) is used.

			If allow-recursion is not set in named.conf then
			allow-query-cache is used if set, otherwise allow-query
			is used if set, otherwise the default (localnets;
			localhost;) is used.

			[RT #16987]
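
The inheritance described in change 2206, modelled as an added example (not code from BIND or from this CHANGES file). It assumes a single options scope with flat address-match lists (no nested braces); parse_options, effective_acls and inherited_open are hypothetical helper names, and the sample configurations are constructed.

```python
import re

# Default stated in change 2206.
DEFAULT_ACL = ["localnets", "localhost"]

# Matches only the three options from change 2206. Related options such as
# allow-query-on never match, because "{" must follow the option name.
_STMT = re.compile(
    r"\b(allow-query-cache|allow-recursion|allow-query)\s*\{([^{}]*)\}\s*;"
)


def parse_options(text):
    """Return {option: [acl elements]} for the three ACL options in text.

    Assumption: flat address-match lists only; comments are stripped first.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    found = {}
    for name, body in _STMT.findall(text):
        found[name] = [e.strip() for e in body.split(";") if e.strip()]
    return found


def effective_acls(opts):
    """Apply the cross-inheritance rules exactly as change 2206 words them."""
    aq = opts.get("allow-query")
    aqc = opts.get("allow-query-cache")
    ar = opts.get("allow-recursion")
    # Last two steps of both chains: allow-query if set, otherwise the default.
    fallback = aq if aq is not None else DEFAULT_ACL
    return {
        "allow-query-cache": aqc if aqc is not None
        else (ar if ar is not None else fallback),
        "allow-recursion": ar if ar is not None
        else (aqc if aqc is not None else fallback),
    }


def inherited_open(opts):
    """Options that end up as 'any' without being set explicitly."""
    eff = effective_acls(opts)
    return sorted(
        name for name, acl in eff.items() if "any" in acl and name not in opts
    )


# Constructed sample configurations (not taken from any real server).
SAMPLES = {
    "allow-query-only": "options { allow-query { any; }; };",
    "split": """options {
        allow-query { any; };              // public zones
        allow-recursion { 192.0.2.0/24; };
    };""",
    "cache-only": "options { allow-query-cache { 10.0.0.0/8; }; };",
    "unset": "options { recursion yes; };",
}

if __name__ == "__main__":
    for label, conf in SAMPLES.items():
        opts = parse_options(conf)
        print(label, effective_acls(opts), "inherited any:", inherited_open(opts))
```

The "allow-query-only" sample is the case worth auditing for: a lone allow-query { any; } is inherited by both allow-query-cache and allow-recursion, so recursion and cache access open up unless one of them is set explicitly.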
	
2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]

2204.	[bug]		"rndc flushname name unknown-view" caused named
			to crash. [RT #16984]

2203.	[security]	Query id generation was cryptographically weak.
			[RT # 16915]

2202.	[security]	The default acls for allow-query-cache and
			allow-recursion were not being applied. [RT #16960]

2201.	[bug]		The build failed in a separate object directory.
			[RT #16943]

2200.	[bug]		The search for cached NSEC records was stopping too
			early leading to excessive DLV queries. [RT #16930]

2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
			[RT #16911]

2198.	[bug]		win32: RegCloseKey() could be called when
			RegOpenKeyEx() failed. [RT #16911]

2197.	[bug]		Add INSIST to catch negative responses which are
			not setting the event result code appropriately.
			[RT #16909]

2196.	[port]		win32: yield processor while waiting for once
			to complete. [RT #16958]

2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
			when generating DNSKEYs. [RT #16954]

2194.	[bug]		Close journal before calling 'done' in xfrin.c.

	--- 9.5.0a5 released ---

2193.	[port]		win32: BINDInstall.exe is now linked statically.
			[RT #16906]

2192.	[port]		win32: use vcredist_x86.exe to install Visual
			Studio's redistributable dlls if building with
			Visual Studio 2005 or later.

2191.	[func]		named-checkzone now allows dumping to stdout (-).
			named-checkconf now has -h for help.
			named-checkzone now has -h for help.
			rndc now has -h for help.
			Better handling of '-?' for usage summaries.
			[RT #16707]

2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
			more visible.  New logging category "edns-disabled".
			[RT #16871]

2189.	[bug]		Handle socket() returning EINTR. [RT #15949]

2188.	[contrib]	queryperf: autoconf changes to make the search for
			libresolv or libbind more robust. [RT #16299]

2187.	[bug]		query_addds(), query_addwildcardproof() and
			query_addnxrrsetnsec() should take a version
			argument. [RT #16368]

2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
			independently of IPv6. [RT #16482]

2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
			memchr(). [RT #16463]

2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
			[RT #16830]

2183.	[bug]		dnssec-signzone didn't handle offline private keys
			well.  [RT #16832]

2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
			could return ISC_R_SUCCESS when they ran out of
			memory. [RT #16365]

2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]

2180.	[cleanup]	Remove bit test from 'compress_test' as they
			are no longer needed. [RT #16497]

2179.	[func]		'rndc command zone' will now find 'zone' if it is
			unique to all the views. [RT #16821]

2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
			a reference leak. [RT #16867]

2177.	[bug]		Array bounds overrun on read (rcodetext) at
			debug level 10+. [RT #16798]

2176.	[contrib]	dbus update to handle race condition during
			initialisation (Bugzilla 235809). [RT #16842]

2175.	[bug]		win32: windows broadcast condition variable support
			was broken. [RT #16592]

2174.	[bug]		I/O errors should always be fatal when reading
			master files. [RT #16825]

2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
			need to ship Microsoft.VC80.MFCLOC.

	--- 9.5.0a4 released ---

2172.	[bug]		query_addsoa() was being called with a non zone db.
			[RT #16834]

2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
			servers are not DS aware (DS queries to the parent
			return a referral to the child).

2170.	[func]		Add acache processing to test suite. [RT #16711]

2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
			given name and not the last name searched for.
			[RT #16763]

2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
			as fatal errors. [RT #16785]

2167.	[bug]		When re-using an automatic zone named failed to
			attach it to the new view. [RT #16786]

	--- 9.5.0a3 released ---

2166.	[bug]		When running in batch mode, dig could misinterpret
			a server address as a name to be looked up, causing
			unexpected output. [RT #16743]

2165.	[func]		Allow the destination address of a query to determine
			if we will answer the query or recurse.
			allow-query-on, allow-recursion-on and
			allow-query-cache-on. [RT #16291]

2164.	[bug]		The code to determine how named-checkzone / 
			named-compilezone was called failed under windows.
			[RT #16764]

2163.	[bug]		If only one of query-source and query-source-v6
			specified a port the query pools code broke (change
			2129).  [RT #16768]

2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
			time. [RT #16665]

2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
			[RT #16698]

2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
			from getifaddrs(). [RT #16708]

	--- 9.5.0a2 released ---

2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]

2158.	[bug]		ns_client_isself() failed to initialise key
			leading to a REQUIRE failure. [RT #16688]

2157.	[func]		dns_db_transfernode() created. [RT #16685]

2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
			resolver.c:validated() and resolver.c:cache_name().
			Fix a memory leak in rbtdb.c:free_noqname().
			Make lookup.c:lookup_find() robust against
			event leaks. [RT #16685]

2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
			[RT #16694]

2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
			matched in acls by omitting the scope. [RT #16599]

2153.	[bug]		nsupdate could leak memory. [RT #16691]

2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
			dighost.c:get_trusted_key(). [RT #16678]

2151.	[bug]		Missing newline in usage message for journalprint.
			[RT #16679]

2150.	[bug]		'rrset-order cyclic' uniformly distribute the
			starting point for the first response for a given
			RRset. [RT #16655]

2149.	[bug]		isc_mem_checkdestroyed() failed to abort
			if there were still active memory contexts.
			[RT #16672]

2148.	[func]		Add positive logging for rndc commands. [RT #14623]

2147.	[bug]		libbind: remove potential buffer overflow from
			hmac_link.c. [RT #16437]

2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
			SO_BSDCOMPAT" message. [RT #16641]

2145.	[bug]		Check DS/DLV digest lengths for known digests.
			[RT #16622]

2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
			[RT #16619]

2143.	[bug]		We failed to restart the IPv6 client when the
			kernel failed to return the destination the
			packet was sent to. [RT #16613]

2142.	[bug]		Handle master files with a modification time that
			matches the epoch. [RT# 16612]

2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
			equivalent of LDH checks).  [RT #16609]

2140.	[bug]		libbind: missing unlock on pthread_key_create()
			failures. [RT #16654]

2139.	[bug]		dns_view_find() was being called with wrong type
			in adb.c. [RT #16670]

2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]

2137.	[port]		Mips little endian and/or mips 64 bit are now
			supported for atomic operations. [RT#16648]

2136.	[bug]		nslookup/host looped if there was no search list
			and the host didn't exist. [RT #16657]

2135.	[bug]		Uninitialised rdataset in sdlz.c. [RT# 16656]

2134.	[func]		Additional statistics support. [RT #16666]

2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
			assembler syntaxes. [RT #16647]

2132.	[bug]		Missing unlock on out of memory in
			dns_dispatchmgr_setudp().

2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]

2130.	[func]		Log if CD or DO were set. [RT #16640]

2129.	[func]		Provide a pool of UDP sockets for queries to be
			made over. See use-queryport-pool, queryport-pool-ports
			and queryport-pool-updateinterval.  [RT #16415]

2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]

2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]

2126.	[security]	Serialise validation of type ANY responses. [RT #16555]

2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
			was defined. [RT #16574]

2124.	[security]	It was possible to dereference a freed fetch
			context. [RT #16584]

	--- 9.5.0a1 released ---

2123.	[func]		Use Doxygen to generate internal documentation.
			[RT #11398]

2122.	[func]		Experimental http server and statistics support
			for named via xml.

2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
			second timeout. [RT #16553]

2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]

2119.	[compat]	libbind: allow res_init() to succeed enough to
			return the default domain even if it was unable
			to allocate memory.

2118.	[bug]		Handle response with long chains of domain name
			compression pointers which point to other compression
			pointers. [RT #16427]

2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
			which could lead to validation failures.  named didn't
			handle negative DS responses that were in the process
			of being validated.  Check CNAME bit before accepting
			NODATA proof. To be able to ignore a child NSEC there
			must be SOA (and NS) set in the bitmap. [RT #16399]

2116.	[bug]		'rndc reload' could cause the cache to continually
			be cleaned. [RT #16401]

2115.	[bug]		'rndc reconfig' could trigger an INSIST if the
			number of masters for a zone was reduced. [RT #16444]

2114.	[bug]		dig/host/nslookup: searches for names with multiple
			labels were failing. [RT #16447]

2113.	[bug]		nsupdate: if a zone is specified it should be used
			for server discovery. [RT #16455]

2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]

2111.	[bug]		Fix a number of errors reported by Coverity.
			[RT #16507]

2110.	[bug]		"minimal-response yes;" interacted badly with BIND 8
			priming queries. [RT #16491]

2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]

2108.	[func]		DHCID support. [RT #16456]

2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]

2106.	[func]		'rndc status' now reports named's version. [RT #16426]

2105.	[func]		GSS-TSIG support (RFC 3645).

2104.	[port]		Fix Solaris SMF error message.

2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
			under Solaris.

2102.	[port]		Silence solaris 10 warnings.

2101.	[bug]		OpenSSL version checks were not quite right.
			[RT #16476]

2100.	[port]		win32: copy libeay32.dll to Build\Debug.
			Copy Debug\named-checkzone to Debug\named-compilezone.

2099.	[port]		win32: more manifest issues.

2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
			triggered an INSIST failure about the node lock
			reference.  [RT #16411]

2097.	[bug]		named could reference a destroyed memory context
			after being reloaded / reconfigured. [RT #16428]

2096.	[bug]		libbind: handle applications that fail to detect
			res_init() failures better.

2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
			net_cidr_ntop_ipv6(). [RT #16388]
 
2094.	[contrib]	Update named-bootconf.  [RT# 16404]

2093.	[bug]		named-checkzone -s was broken.

2092.	[bug]		win32: dig, host, nslookup.  Use registry config
			if resolv.conf does not exist or no nameservers
			listed. [RT #15877] 

2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]

2090.	[port]		win32: Visual C++ 2005 command line manifest support.
			[RT #16417]

2089.	[security]	Raise the minimum safe OpenSSL versions to
			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
			prior to these have known security flaws which
			are (potentially) exploitable in named. [RT #16391]

2088.	[security]	Change the default RSA exponent from 3 to 65537.
			[RT #16391]

2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
			[RT #16382]

2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
			[RT #16403]

2085.	[doc]		win32: added index.html and README to zip. [RT #16201]

2084.	[contrib]	dbus update for 9.3.3rc2.

2083.	[port]		win32: Visual C++ 2005 support.

2082.	[doc]		Document 'cache-file' as a test only option.

2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
			[RT #16360]

2080.	[port]		libbind: res_init.c did not compile on older versions
			of Solaris. [RT #16363]

2079.	[bug]		The lame cache was not handling multiple types
			correctly. [RT #16361]

2078.	[bug]		dnssec-checkzone output style "default" was badly
			named.  It is now called "relative". [RT #16326]

2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
			complete signed zone. [RT #16326]

2076.	[bug]		Several files were missing #include <config.h>
			causing build failures on OSF. [RT #16341]

2075.	[bug]		The spillat timer event handler could leak memory.
			[RT #16357]

2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
			dns_request_createraw2() and dns_request_createraw3()
			failed to send multiple UDP requests. [RT #16349]

2073.	[bug]		Incorrect semantics check for update policy "wildcard".
			[RT #16353]

2072.	[bug]		We were not generating valid HMAC SHA digests.
			[RT #16320]

2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
			[RT #16324]

2070.	[bug]		The remote address was not always displayed when
			reporting dispatch failures. [RT #16315]

2069.	[bug]		Cross compiling was not working. [RT #16330]

2068.	[cleanup]	Lower incremental tuning message to debug 1.
			[RT #16319]

2067.	[bug]		'rndc' could close the socket too early triggering
			an INSIST under Windows. [RT #16317]

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

2065.	[bug]		libbind: probe for HPUX prototypes for
			endprotoent_r() and endservent_r().  [RT 16313]

2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]

2063.	[bug]		Change #1955 introduced a bug which caused the first
			'rndc flush' call to not free memory. [RT #16244]

2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
			been returned by the socket code. [RT #16307]

2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]

2060.	[bug]		Enabling DLZ support could leave views partially
			configured. [RT #16295]

2059.	[bug]		Search into cache rbtdb could trigger an INSIST
			failure while cleaning up a stale rdataset.
			[RT #16292]

2058.	[bug]		Adjust how we calculate rtt estimates in the presence
			of authoritative servers that drop EDNS and/or CD
			requests.  Also fallback to EDNS/512 and plain DNS
			faster for zones with less than 3 servers.  [RT #16187]

2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
			and allow-recursion. [RT #16290]

2056.	[bug]		dig: ixfr= was not being treated case insensitively
			at all times. [RT #15955]

2055.	[bug]		Missing goto after dropping multicast query.
			[RT #15944]

2054.	[port]		freebsd: do not explicitly link against -lpthread.
			[RT #16170]

2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]

2052.	[bug]		'rndc' improve connect failed message to report
			the failing address. [RT #15978]

2051.	[port]		More strtol() fixes. [RT #16249]

2050.	[bug]		Parsing of NSAP records was not case insensitive.
			[RT #16287]

2049.	[bug]		Restore SOA before AXFR when falling back from
			an attempted IXFR when transferring in a zone.
			Allow an initial SOA query before attempting
			an AXFR to be requested. [RT #16156]

2048.	[bug]		It was possible to loop forever when using
			avoid-v4-udp-ports / avoid-v6-udp-ports when
			the OS always returned the same local port.
			[RT #16182]

2047.	[bug]		Failed to initialise the interface flags to zero.
			[RT #16245]

2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
			cleanup [RT #16247].

2045.	[func]		Use lock buckets for acache entries to limit memory
			consumption. [RT #16183]

2044.	[port]		Add support for atomic operations for Itanium.
			[RT #16179]

2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
			for interactive sessions. [RT#16148]

2042.	[bug]		named-checkconf was incorrectly rejecting the
			logging category "config". [RT #16117]

2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
			set of libraries to be linked. [RT #16129]

2040.	[bug]		rbtdb no_references() could trigger an INSIST
			failure with --enable-atomic.  [RT #16022]

2039.	[func]		Check that all buffers passed to the socket code
			have been retrieved when the socket event is freed.
			[RT #16122]

2038.	[bug]		dig/nslookup/host was unlinking from wrong list
			when handling errors. [RT #16122]

2037.	[func]		When unlinking the first or last element in a list
			check that the list head points to the element to
			be unlinked. [RT #15959]

2036.	[bug]		'rndc recursing' could trigger a REQUIRE.
			[RT #16075]

2035.	[func]		Make falling back to TCP on UDP refresh failure
			optional. Default "try-tcp-refresh yes;" for BIND 8
			compatibility. [RT #16123]

2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]

2033.	[bug]		We weren't creating multiple client memory contexts
			on demand as expected. [RT #16095]

2032.	[bug]		Remove an INSIST in query_addadditional2(). [RT #16074]

2031.	[bug]		Emit an error message when "rndc refresh" is called on
			a non slave/stub zone. [RT # 16073]

2030.	[bug]		We were being overly conservative when disabling
			openssl engine support. [RT #16030]

2029.	[bug]		host printed out the server multiple times when
			specified on the command line. [RT #15992]

2028.	[port]		linux: socket.c compatibility for old systems.
			[RT #16015]

2027.	[port]		libbind: Solaris x86 support. [RT #16020]

2026.	[bug]		Rate limit the two recursive client exceeded messages.
			[RT #16044]

2025.	[func]		Update "zone serial unchanged" message. [RT #16026]

2024.	[bug]		named emitted spurious "zone serial unchanged"
			messages on reload. [RT #16027]

2023.	[bug]		"make install" should create ${localstatedir}/run and
			${sysconfdir} if they do not exist. [RT #16033]

2022.	[bug]		If dnssec validation is disabled only assert CD if
			CD was requested. [RT #16037]

2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]

2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]

2019.	[tuning]	Reduce the amount of work performed per quantum
			when cleaning the cache. [RT #15986]

2018.	[bug]		Checking if the HMAC MD5 private file was broken.
			[RT #15960]

2017.	[bug]		allow-query default was not correct. [RT #15946]

2016.	[bug]		Return a partial answer if recursion is not
			allowed but requested and we had the answer
			to the original qname. [RT #15945]

2015.	[cleanup]	use-additional-cache is now acache-enable for
			consistency.  Default acache-enable off in BIND 9.4
			as it requires memory usage to be configured.
			It may be enabled by default in BIND 9.5 once we
			have more experience with it.

2014.	[func]		Statistics about acache now recorded and sent
			to log. [RT #15976]

2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
			responses more gracefully. [RT #15941]

2012.	[func]		Don't insert new acache entries if acache is full.
			[RT #15970]

2011.	[func]		dnssec-signzone can now update the SOA record of
			the signed zone, either as an increment or as the
			system time(). [RT #15633]

2010.	[placeholder]	rt15958

2009.	[bug]		libbind: coverity fixes. [RT #15808]

2008.	[func]		It is now possible to enable/disable DNSSEC
			validation from rndc.  This is useful for the
			mobile hosts where the current connection point
			breaks DNSSEC (firewall/proxy).  [RT #15592]

				rndc validation newstate [view]

2007.	[func]		It is now possible to explicitly enable DNSSEC
			validation.  default dnssec-validation no; to
			be changed to yes in 9.5.0.  [RT #15674]

2006.	[security]	Allow-query-cache and allow-recursion now default
			to the builtin acls "localnets" and "localhost".

			This is being done to make caching servers less
			attractive as reflective amplifying targets for
			spoofed traffic.  This still leaves authoritative
			servers exposed.

			The best fix is for full BCP 38 deployment to
			remove spoofed traffic.

2005.	[bug]		libbind: Retransmission timeouts should be
			based on which attempt it is to the nameserver
			and not the nameserver itself. [RT #13548]

2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
			dst_context_destroy() when cleaning up after an
			error. [RT #15835]

2003.	[bug]		libbind: The DNS name/address lookup functions could
			occasionally follow a random pointer due to
			structures not being completely zeroed. [RT #15806]

2002.	[bug]		libbind: tighten the constraints on when
			struct addrinfo._ai_pad exists.  [RT #15783]

2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
			New zone option "update-check-ksk yes;".  [RT #15817]

2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]

1999.	[func]		Implement "rrset-order fixed". [RT #13662]

1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
			This allows named to connect to entropy gathering
			daemons that use fifos instead of sockets. [RT #15840]

1997.	[bug]		Named was failing to replace negative cache entries
			when a positive one for the type was learnt.
			[RT #15818]

1996.	[bug]		nsupdate: if a zone has been specified it should
			appear in the output of 'show'. [RT #15797]

1995.	[bug]		'host' was reporting multiple "is an alias" messages.
			[RT #15702]

1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]

1993.	[bug]		Log messages, via syslog, were missing the space
			after the timestamp if "print-time yes" was specified.
			[RT #15844]

1992.	[bug]		Not all incoming zone transfer messages included the
			view.  [RT #15825]

1991.	[cleanup]	The configuration data, once read, should be treated
			as readonly.  Expand the use of const to enforce this
			at compile time. [RT #15813]

1990.	[bug]		libbind:  isc's override of broken gettimeofday()
			implementations was not always effective.
			[RT #15709]

1989.	[bug]		win32: don't check the service password when
			re-installing. [RT #15882]

1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
			[RT #15878]

1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]

1986.	[func]		Report when a zone is removed. [RT #15849]

1985.	[protocol]	DLV has now been assigned an official type code of
			32769. [RT #15807]

			Note: care should be taken to ensure you upgrade
			both named and dnssec-signzone at the same time for
			zones with DLV records where named is the master
			server for the zone.  Also any zones that contain
			DLV records should be removed when upgrading a slave
			zone.  You do not however have to upgrade all
			servers for a zone with DLV records simultaneously.

1984.	[func]		dig, nslookup and host now advertise a 4096 byte
			EDNS UDP buffer size by default. [RT #15855]

1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
			[RT #12895]

1982.	[bug]		DNSKEY was being accepted on the parent side of
			a delegation.  KEY is still accepted there for
			RFC 3007 validated updates. [RT #15620]

1981.	[bug]		win32: condition.c:wait() could fail to reattain
			the mutex lock.

1980.	[func]		dnssec-signzone: output the SOA record as the
			first record in the signed zone. [RT #15758]

1979.	[port]		linux: allow named to drop core after changing
			user ids. [RT #15753]

1978.	[port]		Handle systems which have a broken recvmsg().
			[RT #15742]

1977.	[bug]		Silence noisy log message. [RT #15704]

1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]

1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
			hex strings with comments. [RT #15814]

1974.	[doc]		List each of the zone types and associated zone
			options separately in the ARM.

1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
			HMACSHA512 support. [RT #13606]

1972.	[contrib]	DBUS dynamic forwarders integration from
			Jason Vas Dias <jvdias@redhat.com>.

1971.	[port]		linux: make detection of missing IF_NAMESIZE more
			robust. [RT #15443]

1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
			unsigned SOA query. [RT #15775]

1969.	[bug]		win32: the socket code was freeing the socket
			structure too early. [RT #15776]

1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]

1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]

1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
			[RT #15727]

1965.	[func]		Suppress spurious "recursion requested but not
			available" warning with 'dig +qr'. [RT #15780].

1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]

1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
			[RT #15586]

1962.	[bug]		Named failed to clear old update-policy when it
			was removed. [RT #15491]

1961.	[bug]		Check the port and address of responses forwarded
			to dispatch. [RT #15474]

1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
			[RT #15465]

1959.	[func]		Control the zeroing of the negative response TTL to
			a soa query.  Defaults "zero-no-soa-ttl yes;" and
			"zero-no-soa-ttl-cache no;". [RT #15460]

1958.	[bug]		Named failed to update the zone's secure state
			until the zone was reloaded. [RT #15412]

1957.	[bug]		Dig mishandled responses to class ANY queries.
			[RT #15402]

1956.	[bug]		Improve cross compile support, 'gen' is now built
			by native compiler.  See README for additional
			cross compile support information. [RT #15148]

1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]

1954.	[func]		Named now falls back to advertising EDNS with a
			512 byte receive buffer if the initial EDNS queries
			fail.  [RT #14852]

1953.	[func]		The maximum EDNS UDP response named will send can
			now be set in named.conf (max-udp-size).  This is
			independent of the advertised receive buffer
			(edns-udp-size). [RT #14852]

1952.	[port]		hpux: tell the linker to build a runtime link
			path "-Wl,+b:". [RT #14816].

1951.	[security]	Drop queries from particular well known ports.
			Don't return FORMERR to queries from particular
			well known ports.  [RT #15636]
			
1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
			a TCP socket. This prevents the source address being
			set for TCP connections. [RT #15628]

1949.	[func]		Additional memory leakage checks. [RT #15544]

1948.	[bug]		It was possible to trigger a REQUIRE failure in
			xfrin.c:maybe_free() if named ran out of memory.
			[RT #15568]

1947.	[func]		It is now possible to configure named to accept
			expired RRSIGs.  Default "dnssec-accept-expired no;".
			Setting "dnssec-accept-expired yes;" leaves named
			vulnerable to replay attacks.  [RT #14685]

1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
			when using forwarders. [RT #15549]

1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
			To generate a RSAMD5 key you must explicitly request
			RSAMD5. [RT #13780]
			
1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
			[RT #15522]

1943.	[bug]		Set the loadtime after rolling forward the journal.
			[RT #15647]

1942.	[bug]		If the name of a DNSKEY matches that of one in
			trusted-keys, do not attempt to validate the DNSKEY
			using the parent's DS RRset. [RT #15649]