CHANGES

 787.	[bug]		The DNSSEC tools failed to downcase domain
			names when mapping them into file names.

 786.	[bug]		When DNSSEC signing/verifying data, owner names were
			not properly downcased.

 785.	[bug]		A race condition in the resolver could cause
			an assertion failure. [RT #673, #872, #1048]

 784.	[bug]		nsupdate and other programs would not quit properly
			if some signals were blocked by the caller. [RT #1081]

 783.	[bug]		Following CNAMEs could cause an assertion failure
			when either using an sdb database or under very
			rare conditions.

 782.	[feature]	Implement the serial-query-rate option.

 781.	[func]		Avoid error packet loops by dropping duplicate FORMERR
			responses. [RT #1006]

 780.	[bug]		Error handling code dealing with out of memory or
			other rare errors could lead to assertion failures
			by calling functions on unitialized names. [RT #1065]

 779.	[func]		Added the "minimal-responses" option.

 778.	[bug]		When starting cache cleaning, cleaning_timer_action()
			returned without first pausing the iterator, which
			could cause deadlock. [RT #998]

 777.	[bug]		An empty forwarders list in a zone failed to override
			global forwarders. [RT #995]

 776.	[func]		Improved error reporting in denied messages. [RT #252]

 775.	[placeholder]

 774.	[func]		max-cache-size is implemented.

 773.	[func]		Added isc_rwlock_trylock() to attempt to lock without
			blocking.

 772.	[bug]		Owner names could be incorrectly omitted from cache
			dumps in the presence of negative caching entries.
			[RT #991]

 771.	[cleanup]	TSIG errors related to unsynchronized clocks
			are logged better. [RT #919]

 770.	[func]		Add the "edns yes_or_no" statement to the server
			clause. [RT #524]

 769.	[func]		Improved error reporting when parsing rdata. [RT #740]

 768.	[bug]		The server did not emit an SOA when a CNAME
			or DNAME chain ended in NXDOMAIN in an
			authoritative zone.

 767.	[placeholder]

 766.	[bug]		A few cases in query_find() could leak fname.
			This would trigger the mpctx->allocated == 0
			assertion when the server exited.
			[RT #739, #776, #798, #812, #818, #821, #845,
			#892, #935, #966]

 765.	[func]		ACL names are once again case insensitive, like
			in BIND 8. [RT #252]

 764.	[func]		Configuration files now allow "include" directives
			in more places, such as inside the "view" statement.
			[RT #377, #728, #860]

 763.	[func]		Configuration files no longer have reserved words.
			[RT #731, #753]

 762.	[cleanup]	The named.conf and rndc.conf file parsers have
			been completely rewritten.

 761.	[bug]		_REENTRANT was still defined when building with
			--disable-threads.

 760.	[contrib]	Significant enhancements to the pgsql sdb driver.

 759.	[bug]		The resolver didn't turn off "avoid fetches" mode
			when restarting, possibly causing resolution
			to fail when it should not.  This bug only affected
			platforms which support both IPv4 and IPv6. [RT #927]

 758.	[bug]		The "avoid fetches" code did not treat negative
			cache entries correctly, causing fetches that would
			be useful to be avoided.  This bug only affected
			platforms which support both IPv4 and IPv6. [RT #927]

 757.	[func]		Log zone transfers.

 756.	[bug]		dns_zone_load() could "return" success when no master
			file was configured.

 755.	[bug]		Fix incorrectly formatted log messages in zone.c.

 754.	[bug]		Certain failure conditions sending UDP packets
			could cause the server to retry the transmission
			indefinitely. [RT #902]

 753.	[bug]		dig, host, and nslookup would fail to contact a
			remote server if getaddrinfo() returned an IPv6
			address on a system that doesn't support IPv6.
			[RT #917]

 752.	[func]		Correct bad tv_usec elements returned by
			gettimeofday().

 751.	[func]		Log successful zone loads / transfers.	[RT #898]

 750.	[bug]		A query should not match a DNAME whose trust level
			is pending.  [RT #916]

 749.	[bug]		When a query matched a DNAME in a secure zone, the
			server did not return the signature of the DNAME.
			[RT #915]

 748.	[doc]		List supported RFCs in doc/misc/rfc-compliance.
			[RT #781]

 747.	[bug]		The code to determine whether an IXFR was possible
			did not properly check for a database that could
			not have a journal. [RT #865, #908]

 746.	[bug]		The sdb didn't clone rdatasets properly, causing
			a crash when the server followed delegations. [RT #905]

 745.	[func]		Report the owner name of records that fail
			semantic checks while loading.

 744.	[bug]		When returning DNS_R_CNAME or DNS_R_DNAME as the
			result of an ANY or SIG query, the resolver failed
			to setup the return event's rdatasets, causing an
			assertion failure in the query code.  [RT #881]

 743.	[bug]		Receiving a large number of certain malformed
			answers could cause named to stop responding.
			[RT #861]

 742.	[placeholder]

 741.	[port]		Support openssl-engine. [RT #709]

 740.	[port]		Handle openssl library mismatches slightly better.

 739.	[port]		Look for /dev/random in configure, rather than
			assuming it will be there for only a predefined
			set of OSes.

 738.	[bug]		If a non-threadsafe sdb driver supported AXFR and
			received an AXFR request, it would deadlock or die
			with an assertion failure. [RT #852]

 737.	[port]		stdtime.c failed to compile on certain platforms.

 736.	[func]		New functions isc_task_{begin,end}exclusive().

 735.	[doc]		Add BIND 4 migration notes.

 734.	[bug]		An attempt to re-lock the zone lock could occur if
			the server was shutdown during a zone tranfer.
			[RT #830]

 733.	[bug]		Reference counts of dns_acl_t objects need to be
			locked but were not. [RT #801, #821]

 732.	[bug]		Glue with 0 TTL could also cause SERVFAIL.  [RT #828]

 731.	[bug]		Certain zone errors could cause named-checkzone to
			fail ungracefully.  [RT #819]

 730.	[bug]		lwres_getaddrinfo() returns the correct result when
			it fails to contact a server. [RT #768]

 729.	[port]		pthread_setconcurrency() needs to be called on Solaris.

 728.	[bug]		Fix comment processing on master file directives.
			[RT# 757]

 727.	[port]		Work around OS bug where accept() succeeds but
			fails to fill in the peer address of the accepted
			connection, by treating it as an error rather than
			an assertion failure. [RT #809]

 726.	[func]		Implement the "trace" and "notrace" commands in rndc.

 725.	[bug]		Installing man pages could fail.

 724.	[func]		New libisc functions isc_netaddr_any(),
			isc_netaddr_any6().

 723.	[bug]		Referrals whose NS RRs had a 0 TTL caused the resolver
			to return DNS_R_SERVFAIL.  [RT #783]

 722.	[func]		Allow incremental loads to be canceled.

 721.	[cleanup]	Load manager and dns_master_loadfilequota() are no
			more.

 720.	[bug]		Server could enter infinite loop in
			dispatch.c:do_cancel(). [RT #733]

 719.	[bug]		Rapid reloads could trigger an assertion failure.
			[RT #743, #763]

 718.	[cleanup]	"internal" is no longer a reserved word in named.conf.
			[RT #753, #731]

 717.	[bug]		Certain TKEY processing failure modes could
			reference an uninitialized variable, causing the
			server to crash. [RT #750]

 716.	[bug]		The first line of a $INCLUDE master file was lost if
			an origin was specified. [RT #744]

 715.	[bug]		Resolving some A6 chains could cause an assertion
			failure in adb.c. [RT #738]

 714.	[bug]		Preserve interval timers across reloads unless changed.
			[RT# 729]

 713.	[func]		named-checkconf takes '-t directory' similar to named.
			[RT #726]

 712.	[bug]		Sending a large signed update message caused an
			assertion failure. [RT #718]

 711.	[bug]		The libisc and liblwres implementations of
			inet_ntop contained an off by one error.

 710.	[func]		The forwarders statement now takes an optional
			port. [RT #418]

 709.	[bug]		ANY or SIG queries for data with a TTL of 0
			would return SERVFAIL. [RT #620]

 708.	[bug]		When building with --with-openssl, the openssl headers
			included with BIND 9 should not be used. [RT #702]

 707.	[func]		The "filename" argument to named-checkzone is no
			longer optional, to reduce confusion. [RT #612]

 706.	[bug]		Zones with an explicit "allow-update { none; };"
			were considered dynamic and therefore not reloaded
			on SIGHUP or "rndc reload".

 705.	[port]		Work out resource limit type for use where rlim_t is
			not available. [RT #695]

 704.	[port]		RLIMIT_NOFILE is not available on all platforms.
			[RT #695]

 703.	[port]		sys/select.h is needed on older platforms. [RT #695]

 702.	[func]		If the address 0.0.0.0 is seen in resolv.conf,
			use 127.0.0.1 instead. [RT #693]

 701.	[func]		Root hints are now fully optional.  Class IN
			views use compiled-in hints by default, as
			before.  Non-IN views with no root hints now
			provide authoritative service but not recursion.
			A warning is logged if a view has neither root
			hints nor authoritative data for the root. [RT #696]

 700.	[bug]		$GENERATE range check was wrong. [RT #688]

 699.	[bug]		The lexer mishandled empty quoted strings. [RT #694]

 698.	[bug]		Aborting nsupdate with ^C would lead to several
			race conditions.

 697.	[bug]		nsupdate was not compatible with the undocumented
			BIND 8 behavior of ignoring TTLs in "update delete"
			commands. [RT #693]

 696.	[bug]		lwresd would die with an assertion failure when passed
			a zero-length name.  [RT #692]

 695.	[bug]		If the resolver attempted to query a blackholed or
			bogus server, the resolution would fail immediately.

 694.	[bug]		$GENERATE did not produce the last entry.
			[RT #682, #683]

 693.	[bug]		An empty lwres statement in named.conf caused
			the server to crash while loading.

 692.	[bug]		Deal with systems that have getaddrinfo() but not
			gai_strerror(). [RT #679]

 691.	[bug]		Configuring per-view forwarders caused an assertion
			failure. [RT #675, #734]

 690.	[func]		$GENERATE now supports DNAME. [RT #654]

 689.	[doc]		man pages are now installed. [RT #210]

 688.	[func]		"make tags" now works on systems with the
			"Exuberant Ctags" etags.

 687.	[bug]		Only say we have IPv6, with sufficent functionality,
			if it has actually been tested.  [RT #586]

 686.	[bug]		dig and nslookup can now be properly aborted during
			blocking operations. [RT #568]

 685.	[bug]		nslookup should use the search list/domain options
			from resolv.conf by default. [RT #405, #630]

 684.	[bug]		Memory leak with view forwarders. [RT #656]

 683.	[bug]		File descriptor leak in isc_lex_openfile().

 682.	[bug]		nslookup displayed SOA records incorrectly. [RT #665]

 681.	[bug]		$GENERATE specifying output format was broken. [RT #653]

 680.	[bug]		dns_rdata_fromstruct() mishandled options bigger
			than 255 octets.

 679.	[bug]		$INCLUDE could leak memory and file descriptors on
			reload. [RT #639]

 678.	[bug]		"transfer-format one-answer;" could trigger an assertion
			failure. [RT #646]

 677.	[bug]		dnssec-signzone would occasionally use the wrong ttl
			for database operations and fail. [RT #643]

 676.	[bug]		Log messages about lame servers to category
			'lame-servers' rather than 'resolver', so as not
			to be gratuitously incompatible with BIND 8.

 675.	[bug]		TKEY queries could cause the server to leak
			memory.

 674.	[func]		Allow messages to be TSIG signed / verified using
			a offset from the current time.

 673.	[func]		The server can now convert RFC1886-style recursive
			lookup requests into RFC2874-style lookups, when 
			enabled using the new option "allow-v6-synthesis".

 672.	[bug]		The wrong time was in the "time signed" field when
			replying with BADTIME error.

 671.	[bug]		The message code was failing to parse a message with
			no question section and a TSIG record. [RT #628]

 670.	[bug]		The lwres replacements for getaddrinfo and
			getipnodebyname didn't properly check for the
			existence of the sockaddr sa_len field.

 669.	[func]		dnssec-keygen now makes the public key file
			non-world-readable for symmetric keys. [RT #403]

 668.	[func]		named-checkzone now reports multiple errors in master
			files.

 667.	[bug]		On Linux, running named with the -u option and a
			non-world-readable configuration file didn't work.
			[RT #626]

 666.	[bug]		If a request sent by dig is longer than 512 bytes,
			use TCP.

 665.	[bug]		Signed responses were not sent when the size of the
			TSIG + question exceeded the maximum message size.
			[RT #628]

 664.	[bug]		The t_tasks and t_timers module tests are now skipped
			when building without threads, since they require
			threads.

 663.	[func]		Accept a size_spec, not just an integer, in the
			(unimplemented and ignored) max-ixfr-log-size option
			for compatibility with recent versions of BIND 8.
			[RT #613]

 662.	[bug]		dns_rdata_fromtext() failed to log certain errors.

 661.	[bug]		Certain UDP IXFR requests caused an assertion failure
			(mpctx->allocated == 0). [RT #355, #394, #623]

 660.	[port]		Detect multiple CPUs on HP-UX and IRIX.

 659.	[performance]	Rewrite the name compression code to be much faster.

 658.	[cleanup]	Remove all vestiges of 16 bit global compression.

 657.	[bug]		When a listen-on statement in an lwres block does not
			specify a port, use 921, not 53.  Also update the
			listen-on documentation. [RT #616]

 656.	[func]		Treat an unescaped newline in a quoted string as
			an error.  This means that TXT records with missing
			close quotes should have meaningful errors printed.

 655.	[bug]		Improve error reporting on unexpected eof when loading
			zones. [RT #611]

 654.	[bug]		Origin was being forgotten in TCP retries in dig.
			[RT #574]

 653.	[bug]		+defname option in dig was reversed in sense.  
			[RT #549]

 652.	[bug]		zone_saveunique() did not report the new name.

 651.	[func]		The AD bit in responses now has the meaning
			specified in <draft-ietf-dnsext-ad-is-secure>.

 650.	[bug]		SIG(0) records were being generated and verified
			incorrectly. [RT #606]

 649.	[bug]		It was possible to join to an already running fctx
			after it had "cloned" its events, but before it sent
			them.  In this case, the event of the newly joined
			fetch would not contain the answer, and would
			trigger the INSIST() in fctx_sendevents().  In
			BIND 9.0, this bug did not trigger an INSIST(), but
			caused the fetch to fail with a SERVFAIL result.
			[RT #588, #597, #605, #607]

 648.	[port]		Add support for pre-RFC2133 IPv6 implementations.

 647.	[bug]		Resolver queries sent after following multiple
			referrals had excessively long retransmission
			timeouts due to incorrectly counting the referrals
			as "restarts".

 646.	[bug]		The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
			didn't _cleanly_ fix the problem it was trying to fix.

 645.	[port]		BSD/OS 3.0 needs pthread_init(). [RT #603]

 644.	[bug]		#622 needed more work. [RT #562]

 643.	[bug]		xfrin error messages made more verbose, added class
			of the zone.  [RT# 599]

 642.	[bug]		Break the exit_check() race in the zone module.
			[RT #598]

	--- 9.1.0b2 released ---

 641.	[bug]		$GENERATE caused a uninitialized link to be used.
			[RT #595]

 640.	[bug]		Memory leak in error path could cause
			"mpctx->allocated == 0" failure. [RT #584]

 639.	[bug]		Reading entropy from the keyboard would sometimes fail.
			[RT #591]

 638.	[port]		lib/isc/random.c needed to explicitly include time.h
			to get a prototype for time() when pthreads was not
			being used. [RT #592]

 637.	[port]		Use isc_u?int64_t instead of (unsigned) long long in
			lib/isc/print.c.  Also allow lib/isc/print.c to
			be compiled even if the platform does not need it.
			[RT #592]

 636.	[port]		Shut up MSVC++ about a possible loss of precision
			in the ISC__BUFFER_PUTUINT*() macros. [RT #592]

 635.	[bug]		Reloading a server with a configured blackhole list
			would cause an assertion. [RT #590]

 634.	[bug]		A log file will completely stop being written when
			it reaches the maximum size in all cases, not just
			when versioning is also enabled. [RT #570]

 633.	[port]		Cope with rlim_t missing on BSD/OS systems. [RT #575]

 632.	[bug]		The index array of the journal file was 
			corrupted as it was written to disk.

 631.	[port]		Build without thread support on systems without
			pthreads.

 630.	[bug]		Locking failure in zone code. [RT #582]

 629.	[bug]		9.1.0b1 dereferenced a null pointer and crashed
			when responding to a UDP IXFR request.

 628.	[bug]		If the root hints contained only AAAA addresses,
			named would be unable to perform resolution.

 627.	[bug]		The EDNS0 blackhole detection code of change 324
			waited for three retransmissions to each server,
			which takes much too long when a domain has many
			name servers and all of them drop EDNS0 queries.
			Now we retry without EDNS0 after three consecutive
			timeouts, even if they are all from different
			servers. [RT #143]

 626.	[bug]		The lightweight resolver daemon no longer crashes
			when asked for a SIG rrset. [RT #558]

 625.	[func]		Zones now inherit their class from the enclosing view.

 624.	[bug]		The zone object could get timer events after it had
			been destroyed, causing a server crash. [RT #571]

 623.	[func]		Added "named-checkconf" and "named-checkzone" program
			for syntax checking named.conf files and zone files,
			respectively.

 622.	[bug]		A canceled request could be destroyed before
			dns_request_destroy() was called. [RT #562]

 621.	[port]		Disable IPv6 at runtime if IPv6 sockets are unusable.
			This mostly affects Red Hat Linux 7.0, which has
			conflicts between libc and the kernel.

 620.	[bug]		dns_master_load*inc() now require 'task' and 'load'
			to be non-null.	 Also 'done' will not be called if
			dns_master_load*inc() fails immediately. [RT #565]

 618.	[bug]		Queries to a signed zone could sometimes cause
			an assertion failure.

 617.	[bug]		When using dynamic update to add a new RR to an
			existing RRset with a different TTL, the journal
			entries generated from the update did not include
			explicit deletions and re-additions of the existing
			RRs to update their TTL to the new value.

 616.	[func]		dnssec-signzone -t output now includes performance
			statistics.

 615.	[bug]		dnssec-signzone did not like child keysets signed 
			by multiple keys.

 614.	[bug]		Checks for uninitialized link fields were prone
			to false positives, causing assertion failures.
			The checks are now disabled by default and may
			be re-enabled by defining ISC_LIST_CHECKINIT.

 613.	[bug]		"rndc reload zone" now reloads primary zones.
			It previously only updated slave and stub zones,
			if an SOA query indicated an out of date serial.

 612.	[cleanup]	Shutup a ridiculously noisy HP-UX compiler that
			complains relentlessly about how its treatment
			of 'const' has changed as well as how casting
			sometimes tightens alignment constraints.

 611.	[func]		allow-notify can be used to permit processing of
			notify messages from hosts other than a slave's
			masters.

 610.	[func]		rndc dumpdb is now supported.

 609.	[bug]		getrrsetbyname() would crash lwresd if the server
			found more SIGs than answers. [RT #554]

 608.	[func]		dnssec-signzone now adds a comment to the zone
			with the time the file was signed.

 607.	[bug]		nsupdate would fail if it encountered a CNAME or
			DNAME in a response to an SOA query. [RT #515]

 606.	[bug]		Compiling with --disable-threads failed due
			to isc_thread_self() being incorrectly defined
			as an integer rather than a function.

 605.	[func]		New function isc_lex_getlasttokentext().

 604.	[bug]		The named.conf parser could print incorrect line
			numbers when long comments were present.

 603.	[bug]		Make dig handle multiple types or classes on the same
			query more correctly.

 602.	[func]		Cope automatically with UnixWare's broken
			IN6_IS_ADDR_* macros. [RT #539]

 601.	[func]		Return a non-zero exit code if an update fails
			in nsupdate.

 600.	[bug]		Reverse lookups sometimes failed in dig, etc...

 599.	[func]		Added four new functions to the libisc log API to
			support i18n messages.	isc_log_iwrite(),
			isc_log_ivwrite(), isc_log_iwrite1() and
			isc_log_ivwrite1() were added.

 598.	[bug]		An update-policy statement would cause the server
			to assert while loading. [RT #536]

 597.	[func]		dnssec-signzone is now multithreaded.

 596.	[bug]		DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
			not mutually exclusive.

 595.	[port]		On Linux 2.2, socket() returns EINVAL when it
			should return EAFNOSUPPORT.  Work around this.
			[RT #531]

 594.	[func]		sdb drivers are now assumed to not be thread-safe
			unless the DNS_SDBFLAG_THREADSAFE flag is supplied.

 593.	[bug]		If a secure zone was missing all its NXTs and
			a dynamic update was attempted, the server entered
			an infinite loop.

 592.	[bug]		The sig-validity-interval option now specifies a
			number of days, not seconds.  This matches the
			documentation. [RT #529]

	--- 9.1.0b1 released ---

 591.	[bug]		Work around non-reentrancy in openssl by disabling
			precomputation in keys.

 590.	[doc]		There are now man pages for the lwres library in
			doc/man/lwres.

 589.	[bug]		The server could deadlock if a zone was updated 
			while being transferred out.

 588.	[bug]		ctx->in_use was not being correctly initalised when
			when pushing a file for $INCLUDE. [RT #523]

 587.	[func]		A warning is now printed if the "allow-update"
			option allows updates based on the source IP
			address, to alert users to the fact that this
			is insecure and becoming increasingly so as
			servers capable of update forwarding are being
			deployed.

 586.	[bug]		multiple views with the same name were fatal. [RT #516]

 585.	[func]		dns_db_addrdataset() and and dns_rdataslab_merge()
			now support 'exact' additions in a similar manner to
			dns_db_subtractrdataset() and dns_rdataslab_subtract().

 584.	[func]		You can now say 'notify explicit'; to suppress
			notification of the servers listed in NS records
			and notify only those servers listed in the
			'also-notify' option.

 583.	[func]		"rndc querylog" will now toggle logging of
			queries, like "ndc querylog" in BIND 8.

 582.	[bug]		dns_zone_idetach() failed to lock the zone.
			[RT #199, #463]

 581.	[bug]		log severity was not being correctly processed.
			[RT #485]

 580.	[func]		Ignore trailing garbage on incoming DNS packets,
			for interoperability with broken server
			implementations. [RT #491]

 579.	[bug]		nsupdate did not take a filename to read update from.
			[RT #492]

 578.	[func]		New config option "notify-source", to specify the
			source address for notify messages.

 577.	[func]		Log illegal RDATA combinations. e.g. multiple
			singlton types, cname and other data.

 576.	[doc]		isc_log_create() description did not match reality.

 575.	[bug]		isc_log_create() was not setting internal state
			correctly to reflect the default channels created.

 574.	[bug]		TSIG signed queries sent by the resolver would fail to
			have their responses validated and would leak memory.

 573.	[bug]		The journal files of IXFRed slave zones were
			inadvertantly discarded on server reload, causing
			"journal out of sync with zone" errors on subsequent
			reloads. [RT #482]

 572.	[bug]		Quoted strings were not accepted as key names in
			address match lists.

 571.	[bug]		It was possible to create an rdataset of singleton
			type which had more than one rdata.  [RT #154]
			[RT #279]

 570.	[bug]		rbtdb.c allowed zones containing nodes which had
			both a CNAME and "other data". [RT #154]

 569.	[func]		The DNSSEC AD bit will not be set on queries which
			have not requested a DNSSEC response.

 568.	[func]		Add sample simple database drivers in contrib/sdb.

 567.	[bug]		Setting the zone transfer timeout to zero caused an
			assertion failure. [RT #302]

 566.	[func]		New public function dns_timer_setidle().

 565.	[func]		Log queries more like BIND 8: query logging is now
			done to category "queries", level "info". [RT #169]

 564.	[func]		Add sortlist support to lwresd.

 563.	[func]		New public functions dns_rdatatype_format() and
			dns_rdataclass_format(), for convenient formatting
			of rdata type/class mnemonics in log messages.

 562.	[cleanup]	Moved lib/dns/*conf.c to bin/named where they belong.

 561.	[func]		The 'datasize', 'stacksize', 'coresize' and 'files'
			clauses of the options{} statement are now implemented.

 560.	[bug]		dns_name_split did not properly the resulting prefix
			when a maximal length bitstring label was split which
			was preceded by another bitstring label. [RT #429]

 559.	[bug]		dns_name_split did not properly create the suffix
			when splitting within a maximal length bitstring label.

 558.	[func]		New functions, isc_resource_getlimit and
			isc_resource_setlimit.

 557.	[func]		Symbolic constants for libisc integral types.

 556.	[func]		The DNSSEC OK bit in the EDNS extended flags
			is now implemented.  Responses to queries without
			this bit set will not contain any DNSSEC records.

 555.	[bug]		A slave server attempting a zone transfer could 
			crash with an assertion failure on certain
			malformed responses from the master. [RT #457]

 554.	[bug]		In some cases, not all of the dnssec tools were
			properly installed.

 553.	[bug]		Incoming zone transfers deferred due to quota 
			were not started when quota was increased but 
			only when a transfer in progress finished. [RT #456]

 552.	[bug]		We were not correctly detecting the end of all c-style
			comments.  [RT #455]

 551.	[func]		Implemented the 'sortlist' option.

 550.	[func]		Support unknown rdata types and classes.

 549.	[bug]		"make" did not immediately abort the build when a
			subdirectory make failed [RT #450].

 548.	[func]		The lexer now ungets tokens more correctly.

 546.	[func]		Option 'lame-ttl' is now implemented.

 545.	[func]		Name limit and counting options removed from dig;
			they didn't work properly, and cannot be correctly
			implemented without significant changes.

 544.	[func]		Add statistics option, enable statistics-file option,
			add RNDC option "dump-statistics" to write out a
			query statistics file.

 543.	[doc]		The 'port' option is now documented.

 542.	[func]		Add support for update forwarding as required for
			full compliance with RFC2136.  It is turned off
			by default and can be enabled using the
			'allow-update-forwarding' option.

 541.	[func]		Add bogus server support.

 540.	[func]		Add dialup support.

 539.	[func]		Support the blackhole option.

 538.	[bug]		fix buffer overruns by 1 in lwres_getnameinfo().

 536.	[func]		Use transfer-source{-v6} when sending refresh queries.
			Transfer-source{-v6} now take a optional port
			parameter for setting the UDP source port.  The port
			parameter is ignored for TCP.

 535.	[func]		Use transfer-source{-v6} when forwarding update
			requests.

 534.	[func]		Ancestors have been removed from RBT chains.  Ancestor
			information can be discerned via node parent pointers.

 533.	[func]		Incorporated name hashing into the RBT database to
			improve search speed.

 532.	[func]		Implement DNS UPDATE pseudo records using
			DNS_RDATA_UPDATE flag.

 531.	[func]		Rdata really should be initalized before being assigned
			to (dns_rdata_fromwire(), dns_rdata_fromtext(),
			dns_rdata_clone(), dns_rdata_fromregion()),
			check that it is.

 530.	[func]		New function dns_rdata_invalidate().

 529.	[bug]		521 contained a bug which caused zones to always
			reload.	 [RT #410]
	
 528.	[func]		The ISC_LIST_XXXX macros now perform sanity checks
			on their arguements.  ISC_LIST_XXXXUNSAFE can be use
			to skip the checks however use with caution.

 527.	[func]		New function dns_rdata_clone().

 526.	[bug]		nsupdate incorrectly refused to add RRs with a TTL
			of 0.

 525.	[func]		New arguments 'options' for dns_db_subtractrdataset(),
			and 'flags' for dns_rdataslab_subtract() allowing you
			to request that the RR's must exist prior to deletion.
			DNS_R_NOTEXACT is returned if the condition is not met.

 524.	[func]		The 'forward' and 'forwarders' statement in
			non-forward zones should work now.

 523.	[doc]		The source to the Administrator Reference Manual is
			now an XML file using the DocBook DTD, and is included
			in the distribution.  The plain text version of the
			ARM is temporarily unavailable while we figure out
			how to generate readable plain text from the XML.

 522.	[func]		The lightweight resolver daemon can now use
			a real configuration file, and its functionality
			can be provided by a name server.  Also, the -p and -P
			options to lwresd have been reversed.

 521.	[bug]		Detect master files which contain $INCLUDE and always
			reload. [RT #196]

 520.	[bug]		Upgraded libtool to 1.3.5, which makes shared
			library builds almost work on AIX (and possibly 
			others).

 519.	[bug]		dns_name_split() would improperly split some bitstring
			labels, zeroing a few of the least signficant bits in
			the prefix part.  When such an improperly created
			prefix was returned to the RBT database, the bogus
			label was dutifully stored, corrupting the tree.
			[RT #369]

 518.	[bug]		The resolver did not realize that a DNAME which was
			"the answer" to the client's query was "the answer",
			and such queries would fail. [RT #399]

 517.	[bug]		The resolver's DNAME code would trigger an assertion
			if there was more than one DNAME in the chain.
			[RT #399]

 516.	[bug]		Cache lookups which had a NULL node pointer, e.g.
			those by dns_view_find(), and which would match a
			DNAME, would trigger an INSIST(!search.need_cleanup)
			assertion. [RT #399]

 515.	[bug]		The ssu table was not being attached / detached
			by dns_zone_[sg]etssutable. [RT#397]

 514.	[func]		Retry refresh and notify queries if they timeout.
			[RT #388]

 513.	[func]		New functionality added to rdnc and server to allow
			individual zones to be refreshed or reloaded.

 512.	[bug]		The zone transfer code could throw an execption with
			an invalid IXFR stream.

 511.	[bug]		The message code could throw an assertion on an
			out of memory failure. [RT #392]

 510.	[bug]		Remove spurious view notify warning. [RT #376]

 509.	[func]		Add support for write of zone files on shutdown.

 508.	[func]		dns_message_parse() can now do a best-effort
			attempt, which should allow dig to print more invalid
			messages.

 507.	[func]		New functions dns_zone_flush(), dns_zt_flushanddetach()
			and dns_view_flushanddetach().

 506.	[func]		Do not fail to start on errors in zone files.

 505.	[bug]		nsupdate was printing "unknown result code". [RT #373]

 504.	[bug]		The zone was not being marked as dirty when updated via
			IXFR.

 503.	[bug]		dumptime was not being set along with
			DNS_ZONEFLG_NEEDDUMP.

 502.	[func]		On a SERVFAIL reply, DiG will now try the next server
			in the list, unless the +fail option is specified.

 501.	[bug]		Incorrect port numbers were being displayed by
			nslookup.  [RT #352]

 500.	[func]		Nearly useless +details option removed from DiG.

 499.	[func]		In DiG, specifying a class with -c or type with -t
			changes command-line parsing so that classes and
			types are only recognized if following -c or -t.
			This allows hosts with the same name as a class or
			type to be looked up.

 498.	[doc]		There is now a man page for "dig" 
			in doc/man/bin/dig.1.

 497.	[bug]		The error messages printed when an IP match list
			contained a network address with a nonzero host
			part where not sufficiently detailed. [RT #365]

 496.	[bug]		named didn't sanity check numeric parameters. [RT #361]

 495.	[bug]		nsupdate was unable to handle large records. [RT #368]

 494.	[func]		Do not cache NXDOMAIN responses for SOA queries.

 493.	[func]		Return non-cachable (ttl = 0) NXDOMAIN responses
			for SOA queries.  This makes it easier to locate
			the containing zone without polluting intermediate
			caches.

 492.	[bug]		attempting to reload a zone caused the server fail
			to shutdown cleanly. [RT #360]

 491.	[bug]		nsupdate would segfault when sending certain
			prerequisites with empty RDATA. [RT #356]

 490.	[func]		When a slave/stub zone has not yet successfully
			obtained an SOA containing the zone's configured
			retry time, perform the SOA query retries using
			exponential backoff. [RT #337]

 489.	[func]		The zone manager now has a "i/o" queue.

 488.	[bug]		Locks weren't properly destroyed in some cases.

 487.	[port]		flockfile() is not defined on all systems.

 486.	[bug]		nslookup: "set all" and "server" commands showed
			the incorrect port number if a port other than 53
			was specified. [RT #352]

 485.	[func]		When dig had more than one server to query, it would
			send all of the messages at the same time.  Add
			rate limiting of the transmitted messages.

 484.	[bug]		When the server was reloaded after removing addresses 
			from the named.conf "listen-on" statement, sockets
			were still listening on the removed addresses due
			to reference count loops. [RT #325]

 483.	[bug]		nslookup: "set all" showed a "search" option but it 
			was not settable.

 482.	[bug]		nslookup: a plain "server" or "lserver" should be
			treated as a lookup.

 481.	[bug]		nslookup:get_next_command() stack size could exceed
			per thread limit.

 480.	[bug]		strtok() is not thread safe. [RT #349]

 479.	[func]		The test suite can now be run by typing "make check"
			or "make test" at the top level.

 478.	[bug]		"make install" failed if the directory specified with
			--prefix did not already exist.

 477.	[bug]		The the isc-config.sh script could be installed before
			its directory was created. [RT #324]

 476.	[bug]		A zone could expire while a zone transfer was in
			progress triggering a INSIST failure. [RT #329]

 475.	[bug]		query_getzonedb() sometimes returned a non-null version
			on failure.  This caused assertion failures when
			generating query responses where names subject to
			additional section processing pointed to a zone
			to which access had been denied by means of the
			allow-query option. [RT #336]

 474.	[bug]		The mnemonic of the CHAOS class is CH according to
			RFC1035, but it was printed and read only as CHAOS.
			We now accept both forms as input, and print it
			as CH. [RT #305]

 473.	[bug]		nsupdate overran the end of the list of name servers
			when no servers could be reached, typically causing 
			it to print the error message "dns_request_create:
			not implemented".

 472.	[bug]		Off-by-one error caused isc_time_add() to sometimes
			produce invalid time values.

 471.	[bug]		nsupdate didn't compile on HP/UX 10.20

 470.	[feature]	$GENERATE is now supported.  See also
			doc/misc/migration.

 469.	[bug]		"query-source address * port 53;" now works.

 468.	[bug]		dns_master_load*() failed to report file and line
			number in certain error conditions.

 467.	[bug]		dns_master_load*() failed to log an error if
			pushfile() failed.

 466.	[bug]		dns_master_load*() could return success when it failed.

 465.	[cleanup]	Allow 0 to be set as an omapi_value_t value by
			omapi_value_storeint().

 464.	[cleanup]	Build with openssl's RSA code instead of dnssafe.

 463.	[bug]		nsupdate sent malformed SOA queries to the second
			and subsequent name servers in resolv.conf if the
			query sent to the first one failed.

 462.	[bug]		--disable-ipv6 should work now.

 461.	[bug]		Specifying an unknown key in the "keys" clause of the
			"controls" statement caused a NULL pointer dereference.
			[RT #316]

 460.	[bug]		Much of the DNSSEC code only worked with class IN.

 459.	[bug]		Nslookup processed the "set" command incorrectly.

 458.	[bug]		Nslookup didn't properly check class and type values.
			[RT #305]

 457.	[bug]		Dig/host/hslookup didn't properly handle connect
			timeouts in certain situations, causing an 
			unnecessary warning message to be printed.

 456.	[bug]		Stub zones were not resetting the refresh and expire
			counters, loadtime or clearing the DNS_ZONE_REFRESH
			(refresh in progress) flag upon successful update.
			This disabled further refreshing of the stub zone,
			causing it to eventually expire. [RT #300]

 455.	[doc]		Document IPv4 prefix notation does not require a
			dotted decimal quad but may be just dotted decimal.

 454.	[bug]		Enforce dotted decimal and dotted decimal quad where
			documented as such in named.conf. [RT #304, RT #311]

 453.	[bug]		Warn if the obsolete option "maintain-ixfr-base"
			is specified in named.conf. [RT #306]

 452.	[bug]		Warn if the unimplemented option "statistics-file"
			is specified in named.conf. [RT #301]

 451.	[func]		Update forwarding implememted.

 450.	[func]		New function ns_client_sendraw().

 449.	[bug]		isc_bitstring_copy() only works correctly if the
			two bitstrings have the same lsb0 value, but this
			requirement was not documented, nor was there a
			REQUIRE for it.

 448.	[bug]		Host output formatting change, to match v8. [RT #255]

 447.	[bug]		Dig didn't properly retry in TCP mode after
			a truncated reply.  [RT #277]

 446.	[bug]		Confusing notify log message. [RT #298]

 445.	[bug]		Doing a 0 bit isc_bitstring_copy() of an lsb0
			bitstring triggered a REQUIRE statement.  The REQUIRE
			statement was incorrect. [RT #297]

 444.	[func]		"recursion denied" messages are always logged at
			debug level 1, now, rather than sometimes at ERROR.
			This silences these warnings in the usual case, where
			some clients set the RD bit in all queries.

 443.	[bug]		When loading a master file failed because of an
			unrecognized RR type name, the error message
			did not include the file name and line number. 
			[RT #285]

 442.	[bug]		TSIG signed messages that did not match any view
			crashed the server. [RT #290]