CHANGES 278 KB
2660.	[func]		Add a new set of DNS libraries for non-BIND9
			applications.  See README.libdns. [RT #19369]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevant dlls.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2653.	[bug]		Treat ENGINE_load_private_key() failures as key
			not found rather than out of memory.  [RT #18033]

2652.	[func]		Provide more detail about what record is being
			deleted. [RT #20061]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
                        to read keyset-* files. [RT #20075]

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
			added. [RT #19913]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone.  [RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]
			
2628.	[port]		linux: Allow /var/run/named/named.pid to be opened 
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]

2624.	[func]		'named-checkconf -p' will print out the parsed
			configuration. [RT #18871]

2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
 
2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]

2620.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2619.	[func]		Add support for RFC 5011, automatic trust anchor
			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug]		ifconfig.sh failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when an explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2613.	[placeholder]

	--- 9.7.0a1 released ---

2612.	[func]		Add default values for the arguments to
			dnssec-keygen.  Without arguments, it will now
			generate a 1024-bit RSASHA1 zone-signing key,
			or with the -f KSK option, a 2048-bit RSASHA1
			key-signing key. [RT #19300]

2611.	[func]		Add -l option to dnssec-dsfromkey to generate 
			DLV records instead of DS records. [RT #19300]

2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]

2609.	[func]		Simplify the configuration of dynamic zones:
			- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]
			
2608.	[func]		Perform post signing verification checks in
			dnssec-signzone.  These can be disabled with -P.

			The post sign verification test ensures that, for each
			algorithm in use, there is at least one non-revoked
			self-signed KSK key, that all revoked KSK keys are
			self-signed, and that all records in the zone are signed
			by the algorithm.  [RT #19653]

2607.	[bug]		named could incorrectly delete NSEC3 records for
			empty nodes when processing an update request.
			[RT #19749]

2606.	[bug]		"delegation-only" was not being accepted in
			delegation-only type zones. [RT #19717]

2605.	[bug]		Accept DS responses from delegation only zones.
			[RT #19296]

2604.	[func]		Add support for DNS rebinding attack prevention through
			new options, deny-answer-addresses and
			deny-answer-aliases.  Based on contributed code from
			JD Nurmi, Google. [RT #18192]

2603.	[port]		win32: handle .exe extension of named-checkzone and
			named-compilezone argv[0] names under windows.
			[RT #19767]

2602.	[port]		win32: fix debugging command line build of libisccfg.
			[RT #19767]

2601.	[doc]		Mention file creation mode mask in the
			named manual page.

2600.	[doc]		ARM: miscellaneous reformatting for different
			page widths. [RT #19574]

2599.	[bug]		Address rapid memory growth when validation fails.
			[RT #19654]

2598.	[func]		Reserve the -F flag. [RT #19657]

2597.	[bug]		Handle a validation failure with an insecure delegation
			from a NSEC3 signed master/slave zone.  [RT #19464]

2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
			long, leading to inefficient memory usage or rejecting
			newer cache entries in the worst case. [RT #19563]

2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]

2594.	[func]		Have rndc warn if using its default configuration
			file when the key file also exists. [RT #19424]

2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]

2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]

2591.	[bug]		named could die when processing an update in
			removed_orphaned_ds(). [RT #19507]

2590.	[func]		Report zone/class of "update with no effect".
			[RT #19542]

2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
		        [RT #19626]

2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
			of bind(2) call.  This should be rare and mostly
			harmless, but may cause interference with other
			processes that happen to use the same port. [RT #19642]

2587.	[func]		Improve logging by reporting serial numbers for
			when zone serial has gone backwards or unchanged.
			[RT #19506]

2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
			or SDB. [RT #19577]

2585.	[bug]		Uninitialized socket name could be referenced via a
			statistics channel, triggering an assertion failure in
			XML rendering. [RT #19427]

2584.	[bug]		alpha: gcc optimization could break atomic operations.
			[RT #19227]

2583.	[port]		netbsd: provide a control to not add the compile
			date to the version string, -DNO_VERSION_DATE.

2582.	[bug]		Don't emit warning log message when we attempt to
			remove non-existent journal. [RT #19516]

2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
			Requires MySQL 5.0.19 or later. [RT #19084]

2580.	[bug]		UpdateRej statistics counter could be incremented twice
			for one rejection. [RT #19476]

2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
			algorithms. [RT #19479]

2578.	[bug]		Changed default sig-signing-type to 65534, because
			65535 turns out to be reserved.  [RT #19477]

2577.	[doc]		Clarified some statistics counters. [RT #19454]

2576.	[bug]		NSEC records were not being correctly signed when
			a zone transitions from insecure to secure.
			Handle such incorrectly signed zones. [RT #19114]

2575.	[func]		New functions dns_name_fromstring() and
			dns_name_tostring(), to simplify conversion
			of a string to a dns_name structure and vice
			versa. [RT #19451]

2574.	[doc]		Document nsupdate -g and -o. [RT #19351]

2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
			single transaction in a signed zone failed. [RT #19397]

2572.	[func]		Simplify DLV configuration, with a new option
			"dnssec-lookaside auto;"  This is the equivalent
			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
			plus setting a trusted-key for dlv.isc.org.

			Note: The trusted key is hard-coded into named,
			but is also stored in (and can be overridden
			by) $sysconfdir/bind.keys.  As the ISC DLV key
			rolls over it can be kept up to date by replacing
			the bind.keys file with a key downloaded from
			https://www.isc.org/solutions/dlv. [RT #18685]

2571.	[func]		Add a new tool "arpaname" which translates IP addresses
			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
			[RT #18976]

2570.	[func]		Log the destination address the query was sent to.
			[RT #19209]

2569.	[func]		Move journalprint, nsec3hash, and genrandom
			commands from bin/tests into bin/tools; 
			"make install" will put them in $sbindir. [RT #19301]

2568.	[bug]		Report when the write to indicate an otherwise
			successful start fails. [RT #19360]

2567.	[bug]		dst__privstruct_writefile() could miss write errors.
			write_public_key() could miss write errors.
			dnssec-dsfromkey could miss write errors.
			[RT #19360]

2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
			response arrives from a zone thought to be secure:
			"insecurity proof failed" instead of "not
			insecure". [RT #19400]

2565.	[func]		Add support for HIP record.  Includes new functions
			dns_rdata_hip_first(), dns_rdata_hip_next()
			and dns_rdata_hip_current().  [RT #19384]

2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
			[RT #19405]

2563.	[bug]		Dig could leak a socket causing it to wait forever
			to exit. [RT #19359]

2562.	[doc]		ARM: miscellaneous improvements, reorganization,
			and some new content.

2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]

2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]

2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
			reading from K* files.  [RT #19357]

2558.	[func]		Set the ownership of missing directories created
			for pid-file if -u has been specified on the command
			line. [RT #19328]

2557.	[cleanup]	PCI compliance:
			* new libisc log module file
			* isc_dir_chroot() now also changes the working
			  directory to "/".
			* additional INSISTs
			* additional logging when files can't be removed.

2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
			error checks in the correct order resulting in the
			wrong error code sometimes being returned. [RT #19249]
			
2555.	[func]		dig: when emitting a hex dump also display the
			corresponding characters. [RT #19258]

2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
			fail. [RT #19297]

2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]

2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
			[RT #19340]

2551.	[bug]		Potential Reference leak on return. [RT #19341]

2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
			[RT #19343]

2549.	[port]		linux: define NR_OPEN if not currently defined.
			[RT #19344]

2548.	[bug]		Install iterated_hash.h. [RT #19335]

2547.	[bug]		openssl_link.c:mem_realloc() could reference an
			out-of-range area of the source buffer.  New public
			function isc_mem_reallocate() was introduced to address
			this bug. [RT #19313]

2546.	[func]		Add --enable-openssl-hash configure flag to use
			OpenSSL (in place of internal routine) for hash
			functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.	[doc]		ARM: Legal hostname checking (check-names) is
			for SRV RDATA too. [RT #19304]

2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]

2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]

2542.	[doc]		Update the description of dig +adflag. [RT #19290]

2541.	[bug]		Conditionally update dispatch manager statistics.
			[RT #19247]

2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]

2539.	[security]	Update the interaction between recursion, allow-query,
			allow-query-cache and allow-recursion.  [RT #19198]

2538.	[bug]		cache/ADB memory could grow over max-cache-size,
			especially with threads and smaller max-cache-size
			values. [RT #19240]

2537.	[func]		Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2536.	[cleanup]	Silence some warnings when -Werror=format-security is
			specified. [RT #19083]

2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]

2534.	[func]		Check NAPTR records regular expressions and
			replacement strings to ensure they are syntactically
			valid and consistent. [RT #18168]

2533.	[doc]		ARM: document @ (at-sign). [RT #17144]

2532.	[bug]		dig: check the question section of the response to
			see if it matches the asked question. [RT #18495]

2531.	[bug]		Change #2207 was incomplete. [RT #19098]

2530.	[bug]		named failed to reject insecure to secure transitions
			via UPDATE. [RT #19101]

2529.	[cleanup]	Upgrade libtool to silence complaints from recent
			version of autoconf. [RT #18657]

2528.   [cleanup]       Silence spurious configure warning about
                        --datarootdir [RT #19096]

2527.	[placeholder]

2526.	[func]		New named option "attach-cache" that allows multiple
			views to share a single cache to save memory and
			improve lookup efficiency.  Based on contributed code
			from Barclay Osborn, Google. [RT #18905]

2525.	[func]		New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
			[RT #19112]

2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.	[bug]		Improve epoll cross compilation support. [RT #19047]

2520.	[bug]		Update xml statistics version number to 2.0 as change
			#2388 made the schema incompatible to the previous
			version. [RT #19080]

2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
			nameserver addresses of the excluded address family
			preceded in resolv.conf. [RT #19081]

2518.	[func]		Add support for the new CERT types from RFC 4398.
			[RT #19077]

2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
			nameserver address of the excluded address type.
			[RT #18843]

2516.	[bug]		glue sort for responses was performed even when not
			needed. [RT #19039]

2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
			[RT #19063]

2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
			a nameserver of the excluded address family.
			[RT #18848]

2513.	[bug]		Fix windows cli build. [RT #19062]

2512.	[func]		Print a summary of the cached records which make up
			the negative response.  [RT #18885]

2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
			[RT #18885]

2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
			[RT #19033]

2509.	[bug]		Specifying a fixed query source port was broken.
			[RT #19051]

2508.	[placeholder]

2507.	[func]		Log the recursion quota values when killing the
			oldest query or refusing to recurse due to quota.
			[RT #19022]

2506.	[port]		solaris: Check at configure time if 
			hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.	[port]		Treat amd64 similarly to x86_64 when determining
			atomic operation support. [RT #19031]

2504.	[bug]		Address race condition in the socket code. [RT #18899]

2503.	[port]		linux: improve compatibility with Linux Standard
			Base. [RT #18793]

2502.	[cleanup]	isc_radix: Improve compliance with coding style,
			document function in <isc/radix.h>. [RT #18534]

2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
			rdata types need to be quoted.  See the ARM for
			details. [RT #18368]

2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
			function. [RT #18582]

2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
			[RT #18837]

	--- 9.6.0rc1 released ---

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
			delegation.

2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]

2495.	[bug]		Tighten RRSIG checks. [RT #18795]

2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
			installed. [RT #18826]

2493.	[bug]		The linux capabilities code was not correctly cleaning
			up after itself. [RT #18767]

2492.	[func]		Rndc status now reports the number of cpus discovered
			and the number of worker threads when running
			multi-threaded. [RT #18273]

2491.	[func]		Attempt to re-use a local port if we are already using
			the port. [RT #18548]

2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
			is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.	[port]		solaris: Workaround Solaris's kernel bug about
			/dev/poll:
			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
			this workaround. [RT #18870]

2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
			from keyset and .key files. [RT #18694]

2487.	[bug]		Give TCP connections longer to complete. [RT #18675]

2486.	[func]		The default locations for named.pid and lwresd.pid
			are now /var/run/named/named.pid and
			/var/run/lwresd/lwresd.pid respectively.

			This allows the owner of the containing directory
			to be set, for "named -u" support, and allows there
			to be a permanent symbolic link in the path, for
			"named -t" support.  [RT #18306]

2485.	[bug]		Change update's handling of obscured RRSIG
			records.  Not all orphaned DS records were being
			removed. [RT #18828]

2484.	[bug]		It was possible to trigger a REQUIRE failure when
			adding NSEC3 proofs to the response in
			query_addwildcardproof().  [RT #18828]

2483.	[port]		win32: chroot() is not supported. [RT #18805]

2482.	[port]		libxml2: support versions 2.7.* in addition
			to 2.6.*. [RT #18806]

	--- 9.6.0b1 released ---

2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
			collisions.  [RT #18812]

2480.	[bug]		named could fail to emit all the required NSEC3
			records.  [RT #18812]

2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]

2478.	[bug]		'addresses' could be used uninitialized in
			configure_forward(). [RT #18800]
	
2477.	[bug]		dig: the global option to print the command line is
			+cmd not print_cmd.  Update the output to reflect
			this. [RT #17008]

2476.	[doc]		ARM: improve documentation for max-journal-size and
			ixfr-from-differences. [RT #15909] [RT #18541]

2475.	[bug]		LRU cache cleanup under overmem condition could purge
			particular entries more aggressively. [RT #17628]

2474.	[bug]		ACL structures could be allocated with insufficient
			space, causing an array overrun. [RT #18765]

2473.	[port]		linux: raise the limit on open files to the possible
			maximum value before spawning threads; 'files'
		        specified in named.conf doesn't seem to work with
			threads as expected. [RT #18784]

2472.	[port]		linux: check the number of available cpu's before
			calling chroot as it depends on "/proc". [RT #16923]

2471.	[bug]		named-checkzone was not reporting missing mandatory
			glue when sibling checks were disabled. [RT #18768]

2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
			overwritten.  [RT #18719]

2469.	[port]		solaris: Work around Solaris's select() limitations.
			[RT #18769]

2468.	[bug]		Resolver could try unreachable servers multiple times.
			[RT #18739]

2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
			[RT #18302]

2465.	[bug]		Adb's handling of lame addresses was different
			for IPv4 and IPv6. [RT #18738]

2464.	[port]		linux: check that a capability is present before
			trying to set it. [RT #18135]

2463.   [port]          linux: POSIX doesn't include the IPv6 Advanced Socket
			API and glibc hides parts of the IPv6 Advanced Socket
			API as a result.  This is stupid as it breaks how the
			two halves (Basic and Advanced) of the IPv6 Socket API
			were designed to be used but we have to live with it.
			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
			API. [RT #18388]

2462.	[doc]		Document -m (enable memory usage debugging)
			option for dig. [RT #18757]

2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]

	--- 9.6.0a1 released ---

2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
			[RT #18697]

2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]

2458.	[doc]		ARM: update and correction for max-cache-size.
			[RT #18294]

2457.	[tuning]	max-cache-size is reverted to 0, the previous
			default.  It should be safe because expired cache
			entries are also purged. [RT #18684]

2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
			address, regardless of family.  They now correctly
			distinguish IPv4 from IPv6.  [RT #18559]
                        
2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
			[RT #18639]

2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]

2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
			[RT #18316]

2452.	[func]		Improve bin/test/journalprint. [RT #18316]

2451.	[port]		solaris: handle runtime linking better. [RT #18356]

2450.	[doc]		Fix lwresd docbook problem for manual page.
			[RT #18672]

2449.	[placeholder]

2448.	[func]		Add NSEC3 support. [RT #15452]

2447.	[cleanup]	libbind has been split out as a separate product.

2446.	[func]		Add a new log message about build options on startup.
			A new command-line option '-V' for named is also
			provided to show this information. [RT #18645]

2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
			RFC1918 address, but these are not yet compiled in).
			[RT #18578]

2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
			(clear DF) for UDP responses and requests.

2443.	[bug]		win32: UDP connect() would not generate an event,
			and so connected UDP sockets would never clean up.
			Fix this by doing an immediate WSAConnect() rather
			than an io completion port type for UDP.

2442.	[bug]		A lock could be destroyed twice. [RT #18626]

2441.   [bug]           isc_radix_insert() could copy radix tree nodes
			incompletely. [RT #18573]

2440.   [bug]		named-checkconf used an incorrect test to determine
			if an ACL was set to none.

2439.   [bug]		Potential NULL dereference in dns_acl_isanyornone().
			[RT #18559]

2438.   [bug]		Timeouts could be logged incorrectly under win32.

2437.	[bug]		Sockets could be closed too early, leading to
			inconsistent states in the socket module. [RT #18298]

2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]

2435.	[bug]		Fixed an ACL memory leak affecting win32.

2434.	[bug]		Fixed a minor error-reporting bug in
			lib/isc/win32/socket.c.

2433.	[tuning]	Set initial timeout to 800ms.

2432.   [bug]		More Windows socket handling improvements.  Stop
			using I/O events and use IO Completion Ports
			throughout.  Rewrite the receive path logic to make
			it easier to support multiple simultaneous
			requesters in the future.  Add stricter consistency
			checking as a compile-time option (define
			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431.	[bug]		Acl processing could leak memory. [RT #18323]

2430.	[bug]		win32: isc_interval_set() could round down to
			zero if the input was less than NS_INTERVAL
			nanoseconds.  Round up instead. [RT #18549]

2429.	[doc]		nsupdate should be in section 1 of the man pages.
			[RT #18283]

2428.	[bug]		dns_iptable_merge() mishandled merges of negative
			tables. [RT #18409]

2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
			was set. [RT #18528]

2426.	[bug]		libbind: inet_net_pton() can sometimes return the
			wrong value if excessively large net masks are
			supplied. [RT #18512]

2425.	[bug]		named didn't detect unavailable query source addresses
			at load time. [RT #18536]

2424.	[port]		configure now probes for a working epoll
			implementation.  Allow the use of kqueue,
			epoll and /dev/poll to be selected at compile
			time. [RT #18277]
			
2423.   [security]	Randomize server selection on queries, so as to
                        make forgery a little more difficult.  Instead of
                        always preferring the server with the lowest RTT,
                        pick a server with RTT within the same 128
                        millisecond band.  [RT #18441]

2422.	[bug]		Handle the special return value of an empty node as
			if it was a NXRRSET in the validator. [RT #18447]

2421.	[func]		Add new command line option '-S' for named to specify
			the max number of sockets. [RT #18493]
			Use caution: this option may not work for some
			operating systems without rebuilding named.

2420.   [bug]		Windows socket handling cleanup.  Let the io
			completion event send out canceled read/write
			done events, which keeps us from writing to memory
			we no longer have ownership of.  Add debugging
			socket_log() function.  Rework TCP socket handling
			to not leak sockets.

2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
			should not be used for isc_sockettype_fdwatch sockets.
			[RT #18521]

2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
			[RT #18430]

2417.	[bug]		Connecting UDP sockets for outgoing queries could
			unexpectedly fail with an 'address already in use'
			error. [RT #18411]

2416.	[func]		Log file descriptors that cause exceeding the
			internal maximum. [RT #18460]

2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
			in rbtdb.c. [RT #18455]

2414.	[bug]		A masterdump context held the database lock too long,
			causing various troubles such as deadlock and
			recursive lock acquisition. [RT #18311, #18456]

2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]

2412.	[bug]		win32: address a resource leak. [RT #18374]

2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
			at compilation time.  [RT #18433]

			Note: with changes #2469 and #2421 above, there is no
			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
			any more.

2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]

2409.	[bug]		Only log that we disabled EDNS processing if we were
			subsequently successful.  [RT #18029]

2408.	[bug]		A duplicate TCP dispatch event could be sent, which
			could then trigger an assertion failure in
			resquery_response().  [RT #18275]

2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]

2406.	[placeholder]

2405.   [cleanup]       The default value for dnssec-validation was changed to
                        "yes" in 9.5.0-P1 and all subsequent releases; this
                        was inadvertently omitted from CHANGES at the time.

2404.	[port]		hpux: files unlimited support.

2403.	[bug]		TSIG context leak. [RT #18341]

2402.	[port]		Support Solaris 2.11 and over. [RT #18362]

2401.	[bug]		Expect to get E[MN]FILE errno in internal_accept()
			(from accept() or fcntl() system calls). [RT #18358]

2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
			[RT #18297]

2399.	[placeholder]

2398.	[bug]           Improve file descriptor management.  New,
			temporary, named.conf option reserved-sockets,
			default 512. [RT #18344]

2397.	[bug]		gssapi_functions had too many elements. [RT #18355]

2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
			[RT #18336]

2395.	[port]		Avoid warning and no effect from "files unlimited"
			on Linux when running as root. [RT #18335]

2394.	[bug]		Default configuration options set the limit for
			open files to 'unlimited' as described in the
			documentation. [RT #18331]

2393.	[bug]		nested acls containing keys could trigger an
			assertion in acl.c. [RT #18166]

2392.	[bug]		remove 'grep -q' from acl test script, some platforms
			don't support it. [RT #18253]

2391.	[port]		hpux: cover additional recvmsg() error codes.
			[RT #18301]

2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
			[RT #18301].

2389.	[bug]		Move the "working directory writable" check to after
			the ns_os_changeuser() call. [RT #18326]

2388.	[bug]		Avoid using tables for layout purposes in
			statistics XSL [RT #18159].

2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
			[RT #18147] [RT #18258]

2386.	[func]		Add warning about too small 'open files' limit.
			[RT #18269]

2385.	[bug]		A condition variable in socket.c could leak in
			rare error handling [RT #17968].

2384.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949, #18098]

2383.	[bug]		named could double queries when they resulted in
			SERVFAIL due to overkilling EDNS0 failure detection.
			[RT #18182]

2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
			to ARM.

2381.	[port]		dlz/mysql: support multiple install layouts for
			mysql.  <prefix>/include/{,mysql/}mysql.h and
			<prefix>/lib/{,mysql/}. [RT #18152]

2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
			proofs which, in turn, caused validation failures
			for insecure zones immediately below a secure zone
			the server was authoritative for. [RT #18112] 

2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
			TLDs and supported RRs with TTLs [RT #17972]

2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
			[RT #18169]

2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]

2376.	[bug]		Change #2144 was not complete.

2375.	[placeholder]

2374.	[bug]		"blackhole" ACLs could cause named to segfault due
			to some uninitialized memory. [RT #18095]

2373.	[bug]		Default values of zone ACLs were re-parsed each time a
			new zone was configured, causing an overconsumption
			of memory. [RT #18092]

2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]

2371.	[doc]		Add +nsid option to dig man page. [RT #18039]

2370.	[bug]		"rndc freeze" could trigger an assertion in named
			when called on a nonexistent zone. [RT #18050]

2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
			[RT #18054]

2368.	[port]		Linux: use libcap for capability management if
			possible. [RT #18026]

2367.	[bug]		Improve counting of dns_resstatscounter_retry
			[RT #18030]

2366.	[bug]		Adb shutdown race. [RT #18021]

2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
			spurious results. [RT #18000]

2364.	[bug]		named could trigger an assertion when serving a
			malformed signed zone. [RT #17828]

2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
			[RT #17513]

2362.   [cleanup]	Make "rrset-order fixed" a compile-time option,
			settable by "./configure --enable-fixed-rrset".
			Disabled by default. [RT #17977]

2361.	[bug]		"recursion" statistics counter could be counted
			multiple times for a single query.  [RT #17990]

2360.	[bug]		Fix a condition where we release a database version
			(which may acquire a lock) while holding the lock.

2359.	[bug]		Fix NSID bug. [RT #17942]

2358.	[doc]		Update host's default query description. [RT #17934]

2357.	[port]		Don't use OpenSSL's engine support in versions before
			OpenSSL 0.9.7f. [RT #17922]

2356.	[bug]		Built in mutex profiler was not scalable enough.
			[RT #17436]

2355.	[func]		Extend the number of statistics counters available.
			[RT #17590]

2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
			[RT #17927]

2353.	[func]		Add support for Name Server ID (RFC 5001).
			'dig +nsid' requests NSID from server.
			'request-nsid yes;' causes recursive server to send
			NSID requests to upstream servers.  Server responds
			to NSID requests with the string configured by
			'server-id' option.  [RT #17091]

2352.	[bug]		Various GSS_API fixups. [RT #17729]

2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]

2350.	[port]		win32: IPv6 support. [RT #17797]

2349.	[func]		Provide incremental re-signing support for secure
			dynamic zones. [RT #1091]

2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
			Documentation is in the new README.pkcs11 file.
			New tool, dnssec-keyfromlabel, which takes the
			label of a key pair in a HSM and constructs a DNS
			key pair for use by named and dnssec-signzone.
			[RT #16844]

2347.	[bug]		Delete now traverses the RB tree in the canonical
			order. [RT #17451]

2346.	[func]		Memory statistics now cover all active memory contexts
			in increased detail. [RT #17580]

2345.	[bug]		named-checkconf failed to detect when forwarders
			were set at both the options/view level and in
			a root zone. [RT #17671]

2344.	[bug]		Improve "logging{ file ...; };" documentation.
			[RT #17888]

2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
			created in ADB. [RT #17837]

2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]

2341.	[bug]		libbind: add missing -I../include for off source
			tree builds. [RT #17606]

2340.	[port]		openbsd: interface configuration. [RT #17700]

2339.	[port]		tru64: support for libbind. [RT #17589]

2338.	[bug]		check_ds() could be called with a non DS rdataset.
			[RT #17598]

2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]

2336.	[func]		If "named -6" is specified then listen on all IPv6
			interfaces if there are no listen-on-v6 clauses in
			named.conf.  [RT #17581]

2335.	[port]		sunos:  libbind and *printf() support for long long. 
			[RT #17513]

2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
			bug in fromstruct_txt(). [RT #17609]
			
2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
			[RT #17608]

2332.	[contrib]	query-loc-0.4.0. [RT #17602]

2331.	[bug]		Failure to regenerate any signatures was not being
			reported nor being passed back to the UPDATE client.
			[RT #17570]

2330.	[bug]		Remove potential race condition when handling
			over memory events. [RT #17572]

			WARNING: API CHANGE: over memory callback
			function now needs to call isc_mem_waterack().
			See <isc/mem.h> for details.

2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.

2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
			M.ROOT-SERVERS.NET.

2327.	[bug]		It was possible to dereference a NULL pointer in