CHANGES

2660.	[func]		Add a new set of DNS libraries for non-BIND9
			applications.  See README.libdns. [RT #19369]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevent dlls.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2653.	[bug]		Treat ENGINE_load_private_key() failures as key
			not found rather than out of memory.  [RT #18033]

2652.	[func]		Provide more detail about what record is being
			deleted. [RT #20061]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
                        to read keyset-* files. [RT #20075]

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
			added. [RT #19913]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926 ]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone.  [RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]
			
2628.	[port]		linux: Allow /var/run/named/named.pid to be opened 
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]

2624.	[func]		'named-checkconf -p' will print out the parsed
			configuration. [RT #18871]

2623.	[bug]		Named started seaches for DS non-optimally. [RT #19915]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
 
2621.	[doc]		Made copyright boilterplate consistent.  [RT #19833]

2620.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2619.	[func]		Add support for RFC 5011, automatic trust anchor
			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug]		ifconfig.sh failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when a explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2613.	[placeholder]

	--- 9.7.0a1 released ---

2612.	[func]		Add default values for the arguments to
			dnssec-keygen.  Without arguments, it will now
			generate a 1024-bit RSASHA1 zone-signing key,
			or with the -f KSK option, a 2048-bit RSASHA1
			key-signing key. [RT #19300]

2611.	[func]		Add -l option to dnssec-dsfromkey to generate 
			DLV records instead of DS records. [RT #19300]

2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]

2609.	[func]		Simplify the configuration of dynamic zones:
			- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]
			
2608.	[func]		Perform post signing verification checks in
			dnssec-signzone.  These can be disabled with -P.

			The post sign verification test ensures that for each
			algorithm in use there is at least one non revoked
			self signed KSK key.  That all revoked KSK keys are
			self signed.  That all records in the zone are signed
			by the algorithm.  [RT #19653]

2607.	[bug]		named could incorrectly delete NSEC3 records for
			empty nodes when processing a update request.
			[RT #19749]

2606.	[bug]		"delegation-only" was not being accepted in
			delegation-only type zones. [RT #19717]

2605.	[bug]		Accept DS responses from delegation only zones.
			[RT # 19296]

2604.	[func]		Add support for DNS rebinding attack prevention through
			new options, deny-answer-addresses and
			deny-answer-aliases.  Based on contributed code from
			JD Nurmi, Google. [RT #18192]

2603.	[port]		win32: handle .exe extension of named-checkzone and
			named-comilezone argv[0] names under windows.
			[RT #19767]

2602.	[port]		win32: fix debugging command line build of libisccfg.
			[RT #19767]

2601.	[doc]		Mention file creation mode mask in the
			named manual page.

2600.	[doc]		ARM: miscellaneous reformatting for different
			page widths. [RT #19574]

2599.	[bug]		Address rapid memory growth when validation fails.
			[RT #19654]

2598.	[func]		Reserve the -F flag. [RT #19657]

2597.	[bug]		Handle a validation failure with a insecure delegation
			from a NSEC3 signed master/slave zone.  [RT #19464]

2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
			long, leading to inefficient memory usage or rejecting
			newer cache entries in the worst case. [RT #19563]

2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]

2594.	[func]		Have rndc warn if using its default configuration
			file when the key file also exists. [RT #19424]

2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]

2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]

2591.	[bug]		named could die when processing a update in
			removed_orphaned_ds(). [RT #19507]

2590.	[func]		Report zone/class of "update with no effect".
			[RT #19542]

2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
		        [RT #19626]

2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
			of bind(2) call.  This should be rare and mostly
			harmless, but may cause interference with other
			processes that happen to use the same port. [RT #19642]

2587.	[func]		Improve logging by reporting serial numbers for
			when zone serial has gone backwards or unchanged.
			[RT #19506]

2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
			or SDB. [RT #19577]

2585.	[bug]		Uninitialized socket name could be referenced via a
			statistics channel, triggering an assertion failure in
			XML rendering. [RT #19427]

2584.	[bug]		alpha: gcc optimization could break atomic operations.
			[RT #19227]

2583.	[port]		netbsd: provide a control to not add the compile
			date to the version string, -DNO_VERSION_DATE.

2582.	[bug]		Don't emit warning log message when we attempt to
			remove non-existant journal. [RT #19516]

2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
			Requires MySQL 5.0.19 or later. [RT #19084]

2580.	[bug]		UpdateRej statistics counter could be incremented twice
			for one rejection. [RT #19476]

2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
			algorithms. [RT #19479]

2578.	[bug]		Changed default sig-signing-type to 65534, because
			65535 turns out to be reserved.  [RT #19477]

2577.	[doc]		Clarified some statistics counters. [RT #19454]

2576.	[bug]		NSEC record were not being correctly signed when
			a zone transitions from insecure to secure.
			Handle such incorrectly signed zones. [RT #19114]

2575.	[func]		New functions dns_name_fromstring() and
			dns_name_tostring(), to simplify conversion
			of a string to a dns_name structure and vice
			versa. [RT #19451]

2574.	[doc]		Document nsupdate -g and -o. [RT #19351]

2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
			single transaction in a signed zone failed. [RT #19397]

2572.	[func]		Simplify DLV configuration, with a new option
			"dnssec-lookaside auto;"  This is the equivalent
			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
			plus setting a trusted-key for dlv.isc.org.

			Note: The trusted key is hard-coded into named,
			but is also stored in (and can be overridden
			by) $sysconfdir/bind.keys.  As the ISC DLV key
			rolls over it can be kept up to date by replacing
			the bind.keys file with a key downloaded from
			https://www.isc.org/solutions/dlv. [RT #18685]

2571.	[func]		Add a new tool "arpaname" which translates IP addresses
			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
			[RT #18976]

2570.	[func]		Log the destination address the query was sent to.
			[RT #19209]

2569.	[func]		Move journalprint, nsec3hash, and genrandom
			commands from bin/tests into bin/tools; 
			"make install" will put them in $sbindir. [RT #19301]

2568.	[bug]		Report when the write to indicate a otherwise
			successful start fails. [RT #19360]

2567.	[bug]		dst__privstruct_writefile() could miss write errors.
			write_public_key() could miss write errors.
			dnssec-dsfromkey could miss write errors.
			[RT #19360]

2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
			response arrives from a zone thought to be secure:
			"insecurity proof failed" instead of "not
			insecure". [RT #19400]

2565.	[func]		Add support for HIP record.  Includes new functions
			dns_rdata_hip_first(), dns_rdata_hip_next()
			and dns_rdata_hip_current().  [RT #19384]

2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
			[RT #19405]

2563.	[bug]		Dig could leak a socket causing it to wait forever
			to exit. [RT #19359]

2562.	[doc]		ARM: miscellaneous improvements, reorganization,
			and some new content.

2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]

2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]

2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
			reading from a K* files.  [RT #19357]

2558.	[func]		Set the ownership of missing directories created
			for pid-file if -u has been specified on the command
			line. [RT #19328]

2557.	[cleanup]	PCI compliance:
			* new libisc log module file
			* isc_dir_chroot() now also changes the working
			  directory to "/".
			* additional INSISTs
			* additional logging when files can't be removed.

2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
			error checks in the correct order resulting in the
			wrong error code sometimes being returned. [RT #19249]
			
2555.	[func]		dig: when emitting a hex dump also display the
			corresponding characters. [RT #19258]

2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
			fail. [RT #19297]

2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]

2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
			[RT #19340]

2551.	[bug]		Potential Reference leak on return. [RT #19341]

2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
			[RT #19343]

2549.	[port]		linux: define NR_OPEN if not currently defined.
			[RT #19344]

2548.	[bug]		Install iterated_hash.h. [RT #19335]

2547.	[bug]		openssl_link.c:mem_realloc() could reference an
			out-of-range area of the source buffer.  New public
			function isc_mem_reallocate() was introduced to address
			this bug. [RT #19313]

2546.	[func]		Add --enable-openssl-hash configure flag to use
			OpenSSL (in place of internal routine) for hash
			functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.	[doc]		ARM: Legal hostname checking (check-names) is
			for SRV RDATA too. [RT #19304]

2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]

2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]

2542.	[doc]		Update the description of dig +adflag. [RT #19290]

2541.	[bug]		Conditionally update dispatch manager statistics.
			[RT #19247]

2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]

2539.	[security]	Update the interaction between recursion, allow-query,
			allow-query-cache and allow-recursion.  [RT #19198]

2538.	[bug]		cache/ADB memory could grow over max-cache-size,
			especially with threads and smaller max-cache-size
			values. [RT #19240]

2537.	[func]		Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2536.	[cleanup]	Silence some warnings when -Werror=format-security is
			specified. [RT #19083]

2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]

2534.	[func]		Check NAPTR records regular expressions and
			replacement strings to ensure they are syntactically
			valid and consistant. [RT #18168]

2533.	[doc]		ARM: document @ (at-sign). [RT #17144]

2532.	[bug]		dig: check the question section of the response to
			see if it matches the asked question. [RT #18495]

2531.	[bug]		Change #2207 was incomplete. [RT #19098]

2530.	[bug]		named failed to reject insecure to secure transitions
			via UPDATE. [RT #19101]

2529.	[cleanup]	Upgrade libtool to silence complaints from recent
			version of autoconf. [RT #18657]

2528.   [cleanup]       Silence spurious configure warning about
                        --datarootdir [RT #19096]

2527.	[placeholder]

2526.	[func]		New named option "attach-cache" that allows multiple
			views to share a single cache to save memory and
			improve lookup efficiency.  Based on contributed code
			from Barclay Osborn, Google. [RT #18905]

2525.	[func]		New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
			[RT #19112]

2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.	[bug]		Improve epoll cross compilation support. [RT #19047]

2520.	[bug]		Update xml statistics version number to 2.0 as change
			#2388 made the schema incompatible to the previous
			version. [RT #19080]

2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
			nameserver addresses of the excluded address family
			preceded in resolv.conf. [RT #19081]

2518.	[func]		Add support for the new CERT types from RFC 4398.
			[RT #19077]

2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
			nameserver address of the excluded address type.
			[RT #18843]

2516.	[bug]		glue sort for responses was performed even when not
			needed. [RT #19039]

2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
			[RT #19063]

2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
			a nameserver of the excluded address family.
			[RT #18848]

2513.	[bug]		Fix windows cli build. [RT #19062]

2512.	[func]		Print a summary of the cached records which make up
			the negative response.  [RT #18885]

2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
			[RT #18885]

2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
			[RT #19033]

2509.	[bug]		Specifying a fixed query source port was broken.
			[RT #19051]

2508.	[placeholder]

2507.	[func]		Log the recursion quota values when killing the
			oldest query or refusing to recurse due to quota.
			[RT #19022]

2506.	[port]		solaris: Check at configure time if 
			hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.	[port]		Treat amd64 similarly to x86_64 when determining
			atomic operation support. [RT #19031]

2504.	[bug]		Address race condition in the socket code. [RT #18899]

2503.	[port]		linux: improve compatibility with Linux Standard
			Base. [RT #18793]

2502.	[cleanup]	isc_radix: Improve compliance with coding style,
			document function in <isc/radix.h>. [RT #18534]

2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
			rdata types need to be quoted.  See the ARM for
			details. [RT #18368]

2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
			function. [RT #18582]

2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
			[RT #18837]

	--- 9.6.0rc1 released ---

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
			delegation.

2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]

2495.	[bug]		Tighten RRSIG checks. [RT #18795]

2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
			installed. [RT #18826]

2493.	[bug]		The linux capabilities code was not correctly cleaning
			up after itself. [RT #18767]

2492.	[func]		Rndc status now reports the number of cpus discovered
			and the number of worker threads when running
			multi-threaded. [RT #18273]

2491.	[func]		Attempt to re-use a local port if we are already using
			the port. [RT #18548]

2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
			is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.	[port]		solaris: Workaround Solaris's kernel bug about
			/dev/poll:
			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
			this workaround. [RT #18870]

2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
			from keyset and .key files. [RT #18694]

2487.	[bug]		Give TCP connections longer to complete. [RT #18675]

2486.	[func]		The default locations for named.pid and lwresd.pid
			are now /var/run/named/named.pid and
			/var/run/lwresd/lwresd.pid respectively.

			This allows the owner of the containing directory
			to be set, for "named -u" support, and allows there
			to be a permanent symbolic link in the path, for
			"named -t" support.  [RT #18306]

2485.	[bug]		Change update's the handling of obscured RRSIG
			records.  Not all orphaned DS records were being
			removed. [RT #18828]

2484.	[bug]		It was possible to trigger a REQUIRE failure when
			adding NSEC3 proofs to the response in
			query_addwildcardproof().  [RT #18828]

2483.	[port]		win32: chroot() is not supported. [RT #18805]

2482.	[port]		libxml2: support versions 2.7.* in addition
			to 2.6.*. [RT #18806]

	--- 9.6.0b1 released ---

2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
			collisions.  [RT #18812]

2480.	[bug]		named could fail to emit all the required NSEC3
			records.  [RT #18812]

2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]

2478.	[bug]		'addresses' could be used uninitialized in
			configure_forward(). [RT #18800]
	
2477.	[bug]		dig: the global option to print the command line is
			+cmd not print_cmd.  Update the output to reflect
			this. [RT #17008]

2476.	[doc]		ARM: improve documentation for max-journal-size and
			ixfr-from-differences. [RT #15909] [RT #18541]

2475.	[bug]		LRU cache cleanup under overmem condition could purge
			particular entries more aggressively. [RT #17628]

2474.	[bug]		ACL structures could be allocated with insufficient
			space, causing an array overrun. [RT #18765]

2473.	[port]		linux: raise the limit on open files to the possible
			maximum value before spawning threads; 'files'
		        specified in named.conf doesn't seem to work with
			threads as expected. [RT #18784]

2472.	[port]		linux: check the number of available cpu's before
			calling chroot as it depends on "/proc". [RT #16923]

2471.	[bug]		named-checkzone was not reporting missing mandatory
			glue when sibling checks were disabled. [RT #18768]

2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
			overwritten.  [RT# 18719]

2469.	[port]		solaris: Work around Solaris's select() limitations.
			[RT #18769]

2468.	[bug]		Resolver could try unreachable servers multiple times.
			[RT #18739]

2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
			[RT #18302]

2465.	[bug]		Adb's handling of lame addresses was different
			for IPv4 and IPv6. [RT #18738]

2464.	[port]		linux: check that a capability is present before
			trying to set it. [RT #18135]

2463.   [port]          linux: POSIX doesn't include the IPv6 Advanced Socket
			API and glibc hides parts of the IPv6 Advanced Socket
			API as a result.  This is stupid as it breaks how the
			two halves (Basic and Advanced) of the IPv6 Socket API
			were designed to be used but we have to live with it.
			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
			API. [RT #18388]

2462.	[doc]		Document -m (enable memory usage debugging)
			option for dig. [RT #18757]

2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]

	--- 9.6.0a1 released ---

2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
			[RT #18697]

2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]

2458.	[doc]		ARM: update and correction for max-cache-size.
			[RT #18294]

2457.	[tuning]	max-cache-size is reverted to 0, the previous
			default.  It should be safe because expired cache
			entries are also purged. [RT #18684]

2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
			address, regardless of family.  They now correctly
			distinguish IPv4 from IPv6.  [RT #18559]
                        
2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
			[RT #18639]

2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]

2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
			[RT #18316]

2452.	[func]		Improve bin/test/journalprint. [RT #18316]

2451.	[port]		solaris: handle runtime linking better. [RT #18356]

2450.	[doc]		Fix lwresd docbook problem for manual page.
			[RT #18672]

2449.	[placeholder]

2448.	[func]		Add NSEC3 support. [RT #15452]

2447.	[cleanup]	libbind has been split out as a separate product.

2446.	[func]		Add a new log message about build options on startup.
			A new command-line option '-V' for named is also
			provided to show this information. [RT# 18645]

2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
			RFC1918 address, but these are not yet compiled in).
			[RT #18578]

2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
			(clear DF) for UDP responses and requests.

2443.	[bug]		win32: UDP connect() would not generate an event,
			and so connected UDP sockets would never clean up.
			Fix this by doing an immediate WSAConnect() rather
			than an io completion port type for UDP.

2442.	[bug]		A lock could be destroyed twice. [RT# 18626]

2441.   [bug]           isc_radix_insert() could copy radix tree nodes
			incompletely. [RT #18573]

2440.   [bug]		named-checkconf used an incorrect test to determine
			if an ACL was set to none.

2439.   [bug]		Potential NULL dereference in dns_acl_isanyornone().
			[RT #18559]

2438.   [bug]		Timeouts could be logged incorrectly under win32.

2437.	[bug]		Sockets could be closed too early, leading to
			inconsistent states in the socket module. [RT #18298]

2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]

2435.	[bug]		Fixed an ACL memory leak affecting win32.

2434.	[bug]		Fixed a minor error-reporting bug in
			lib/isc/win32/socket.c.

2433.	[tuning]	Set initial timeout to 800ms.

2432.   [bug]		More Windows socket handling improvements.  Stop
			using I/O events and use IO Completion Ports
			throughout.  Rewrite the receive path logic to make
			it easier to support multiple simultaneous
			requesters in the future.  Add stricter consistency
			checking as a compile-time option (define
			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431.	[bug]		Acl processing could leak memory. [RT #18323]

2430.	[bug]		win32: isc_interval_set() could round down to
			zero if the input was less than NS_INTERVAL
			nanoseconds.  Round up instead. [RT #18549]

2429.	[doc]		nsupdate should be in section 1 of the man pages.
			[RT #18283]

2428.	[bug]		dns_iptable_merge() mishandled merges of negative
			tables. [RT #18409]

2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
			was set. [RT #18528]

2426.	[bug]		libbind: inet_net_pton() can sometimes return the
			wrong value if excessively large net masks are
			supplied. [RT #18512]

2425.	[bug]		named didn't detect unavailable query source addresses
			at load time. [RT #18536]

2424.	[port]		configure now probes for a working epoll
			implementation.  Allow the use of kqueue,
			epoll and /dev/poll to be selected at compile
			time. [RT #18277]
			
2423.   [security]	Randomize server selection on queries, so as to
                        make forgery a little more difficult.  Instead of
                        always preferring the server with the lowest RTT,
                        pick a server with RTT within the same 128
                        millisecond band.  [RT #18441]

2422.	[bug]		Handle the special return value of a empty node as
			if it was a NXRRSET in the validator. [RT #18447]

2421.	[func]		Add new command line option '-S' for named to specify
			the max number of sockets. [RT #18493]
			Use caution: this option may not work for some
			operating systems without rebuilding named.

2420.   [bug]		Windows socket handling cleanup.  Let the io
			completion event send out canceled read/write
			done events, which keeps us from writing to memory
			we no longer have ownership of.  Add debugging
			socket_log() function.  Rework TCP socket handling
			to not leak sockets.

2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
			should not be used for isc_sockettype_fdwatch sockets.
			[RT #18521]

2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
			[RT #18430]

2417.	[bug]		Connecting UDP sockets for outgoing queries could
			unexpectedly fail with an 'address already in use'
			error. [RT #18411]

2416.	[func]		Log file descriptors that cause exceeding the
			internal maximum. [RT #18460]

2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
			in rbtdb.c. [RT #18455]

2414.	[bug]		A masterdump context held the database lock too long,
			causing various troubles such as dead lock and
			recursive lock acquisition. [RT #18311, #18456]

2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]

2412.	[bug]		win32: address a resource leak. [RT #18374]

2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
			at compilation time.  [RT #18433]

			Note: with changes #2469 and #2421 above, there is no
			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
			any more.

2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]

2409.	[bug]		Only log that we disabled EDNS processing if we were
			subsequently successful.  [RT #18029]

2408.	[bug]		A duplicate TCP dispatch event could be sent, which
			could then trigger an assertion failure in
			resquery_response().  [RT #18275]

2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]

2406.	[placeholder]

2405.   [cleanup]       The default value for dnssec-validation was changed to
                        "yes" in 9.5.0-P1 and all subsequent releases; this
                        was inadvertently omitted from CHANGES at the time.

2404.	[port]		hpux: files unlimited support.

2403.	[bug]		TSIG context leak. [RT #18341]

2402.	[port]		Support Solaris 2.11 and over. [RT #18362]

2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
			(from accept() or fcntl() system calls). [RT #18358]

2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
			[RT #18297]

2399.	[placeholder]

2398.	[bug]           Improve file descriptor management.  New,
			temporary, named.conf option reserved-sockets,
			default 512. [RT #18344]

2397.	[bug]		gssapi_functions had too many elements. [RT #18355]

2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
			[RT #18336]

2395.	[port]		Avoid warning and no effect from "files unlimited"
			on Linux when running as root. [RT #18335]

2394.	[bug]		Default configuration options set the limit for
			open files to 'unlimited' as described in the
			documentation. [RT #18331]

2393.	[bug]		nested acls containing keys could trigger an
			assertion in acl.c. [RT #18166]

2392.	[bug]		remove 'grep -q' from acl test script, some platforms
			don't support it. [RT #18253]

2391.	[port]		hpux: cover additional recvmsg() error codes.
			[RT #18301]

2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
			[RT #18301].

2389.	[bug]		Move the "working directory writable" check to after
			the ns_os_changeuser() call. [RT #18326]

2388.	[bug]		Avoid using tables for layout purposes in
			statistics XSL [RT #18159].

2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
			[RT #18147] [RT #18258]

2386.	[func]		Add warning about too small 'open files' limit.
			[RT #18269]

2385.	[bug]		A condition variable in socket.c could leak in
			rare error handling [RT #17968].

2384.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949, #18098]

2383.	[bug]		named could double queries when they resulted in
			SERVFAIL due to overkilling EDNS0 failure detection.
			[RT #18182]

2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
			to ARM.

2381.	[port]		dlz/mysql: support multiple install layouts for
			mysql.  <prefix>/include/{,mysql/}mysql.h and
			<prefix>/lib/{,mysql/}. [RT #18152]

2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
			proofs which, in turn, caused validation failures
			for insecure zones immediately below a secure zone
			the server was authoritative for. [RT #18112] 

2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
			TLDs and supported RRs with TTLs [RT #17972]

2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
			[RT #18169]

2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]

2376.	[bug]		Change #2144 was not complete.

2375.	[placeholder]

2374.	[bug]		"blackhole" ACLs could cause named to segfault due
			to some uninitialized memory. [RT #18095]

2373.	[bug]		Default values of zone ACLs were re-parsed each time a
			new zone was configured, causing an overconsumption
			of memory. [RT #18092]

2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]

2371.	[doc]		Add +nsid option to dig man page. [RT #18039]

2370.	[bug]		"rndc freeze" could trigger an assertion in named
			when called on a nonexistent zone. [RT #18050]

2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
			[RT #18054]

2368.	[port]		Linux: use libcap for capability management if
			possible. [RT# 18026]

2367.	[bug]		Improve counting of dns_resstatscounter_retry
			[RT #18030]

2366.	[bug]		Adb shutdown race. [RT #18021]

2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
			spurious results. [RT #18000]

2364.	[bug]		named could trigger a assertion when serving a
			malformed signed zone. [RT #17828]

2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
			[RT #17513]

2362.   [cleanup]	Make "rrset-order fixed" a compile-time option.
			settable by "./configure --enable-fixed-rrset".
			Disabled by default. [RT #17977]

2361.	[bug]		"recursion" statistics counter could be counted
			multiple times for a single query.  [RT #17990]

2360.	[bug]		Fix a condition where we release a database version
			(which may acquire a lock) while holding the lock.

2359.	[bug]		Fix NSID bug. [RT #17942]

2358.	[doc]		Update host's default query description. [RT #17934]

2357.	[port]		Don't use OpenSSL's engine support in versions before
			OpenSSL 0.9.7f. [RT #17922]

2356.	[bug]		Built in mutex profiler was not scalable enough.
			[RT #17436]

2355.	[func]		Extend the number statistics counters available.
			[RT #17590]

2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
			[RT #17927]

2353.	[func]		Add support for Name Server ID (RFC 5001).
			'dig +nsid' requests NSID from server.
			'request-nsid yes;' causes recursive server to send
			NSID requests to upstream servers.  Server responds
			to NSID requests with the string configured by
			'server-id' option.  [RT #17091]

2352.	[bug]		Various GSS_API fixups. [RT #17729]

2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]

2350.	[port]		win32: IPv6 support. [RT #17797]

2349.	[func]		Provide incremental re-signing support for secure
			dynamic zones. [RT #1091]

2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
			Documentation is in the new README.pkcs11 file.
			New tool, dnssec-keyfromlabel, which takes the
			label of a key pair in a HSM and constructs a DNS
			key pair for use by named and dnssec-signzone.
			[RT #16844]

2347.	[bug]		Delete now traverses the RB tree in the canonical
			order. [RT #17451]

2346.	[func]		Memory statistics now cover all active memory contexts
			in increased detail. [RT #17580]

2345.	[bug]		named-checkconf failed to detect when forwarders
			were set at both the options/view level and in
			a root zone. [RT #17671]

2344.	[bug]		Improve "logging{ file ...; };" documentation.
			[RT #17888]

2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
			created in ADB. [RT #17837]

2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]

2341.	[bug]		libbind: add missing -I../include for off source
			tree builds. [RT #17606]

2340.	[port]		openbsd: interface configuration. [RT #17700]

2339.	[port]		tru64: support for libbind. [RT #17589]

2338.	[bug]		check_ds() could be called with a non DS rdataset.
			[RT #17598]

2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]

2336.	[func]		If "named -6" is specified then listen on all IPv6
			interfaces if there are not listen-on-v6 clauses in
			named.conf.  [RT #17581]

2335.	[port]		sunos:  libbind and *printf() support for long long. 
			[RT #17513]

2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
			bug in fromstruct_txt(). [RT #17609]
			
2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
			[RT #17608]

2332.	[contrib]	query-loc-0.4.0. [RT #17602]

2331.	[bug]		Failure to regenerate any signatures was not being
			reported nor being past back to the UPDATE client.
			[RT #17570]

2330.	[bug]		Remove potential race condition when handling
			over memory events. [RT #17572]

			WARNING: API CHANGE: over memory callback
			function now needs to call isc_mem_waterack().
			See <isc/mem.h> for details.

2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.

2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
			M.ROOT-SERVERS.NET.

2327.	[bug]		It was possible to dereference a NULL pointer in