3985.	[doc]		Describe how +ndots and +search interact in dig.
			[RT #37529]

3984.	[func]		Accept 256 byte long PINs in native PKCS#11
			crypto. [RT #37410]

3983.	[bug]		Change #3940 was incomplete: negative trust anchors
			could be set to last up to a week, but the
			"nta-lifetime" and "nta-recheck" options were
			still limited to one day. [RT #37522]

3982.	[doc]		Include release notes in product documentation.
			[RT #37272]

3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
			[RT #37467]

3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
			size. [RT #37187]

3979.	[bug]		Negative trust anchor fetches were not properly
			managed. [RT #37488]

3978.	[test]		Added a unit test for Diffie-Hellman key
			computation, completing change #3974. [RT #37477]

3977.	[cleanup]	"rndc secroots" reported a "not found" error when
			there were no negative trust anchors set. [RT #37506]

3976.	[bug]		When refreshing managed-key trust anchors, clear
			any cached trust so that they will always be
			revalidated with the current set of secure
			roots. [RT #37506]

3975.	[bug]		Don't populate or use the bad cache for queries that
			don't request or use recursion. [RT #37466]

3974.	[bug]		Handle DH_compute_key() failure correctly in
			openssldh_link.c. [RT #37477]

3973.	[func]		Added hooks for Google/Great Performance Tools
			CPU Profiler, including in real time. [RT #37339]

3972.	[bug]		Fix host's usage statement. [RT #37397]

3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
			in named-checkconf / named-checkzone. [RT #37138]

3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
			[RT #37237]

3969.	[test]		Added 'delv' system test. [RT #36901]

3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
			[RT #37308]

3967.	[test]		Add test for inlined signed zone in multiple views
			with different DNSKEY sets. [RT #35759]

3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
			[RT #35746]

3965.	[func]		Log outgoing packets and improve packet logging to
			support logging the remote address. [RT #36624]

3964.	[func]		nsupdate now performs check-names processing.
			[RT #36266]

3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
			system test. [RT #37344]

3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
			conditions. [RT #34663]

3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
			BADSIG.  [RT #37216]

3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]

3959.	[bug]		Updates could be lost if they arrived immediately
			after a rndc thaw. [RT #37233]

3958.	[bug]		Detect when writeable files have multiple references
			in named.conf. [RT #37172]

3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
			and ECDSAP384SHA384. [RT #37183]

3956.	[func]		Notify messages are now rate limited by notify-rate and
			startup-notify-rate instead of serial-query-rate.
			[RT #24454]

3955.	[bug]		Notify messages due to changes are no longer queued
			behind startup notify messages. [RT #24454]

3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]

3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]

3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
			two name pointers were the same. [RT #37176]

3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
			to dig (+ednsflags=#). [RT #37142]

3950.	[port]		Changed the bin/python Makefile to work around a
			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]

3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
			building).  Add support for limiting the EDNS version
			advertised to servers: server { edns-version 0; };
			Log the EDNS version received in the query log.
			[RT #35864]

3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
			--with-tuning=large. [RT #37059]

3947.	[cleanup]	Set the executable bit on libraries when using
			libtool. [RT #36786]

3946.	[cleanup]	Improved "configure" search for a python interpreter.
			[RT #36992]

3945.	[bug]		Invalid wildcard expansions could be incorrectly
			accepted by the validator. [RT #37093]

3944.	[test]		Added a regression test for "server-id". [RT #37057]

3943.	[func]		SERVFAIL responses can now be cached for a
			limited time (configured by "servfail-ttl",
			default 10 seconds, limit 30). This can reduce
			the frequency of retries when an authoritative
			server is known to be failing, e.g., due to
			ongoing DNSSEC validation problems. [RT #21347]

3942.	[bug]		Wildcard responses from an optout range should be
			marked as insecure. [RT #37072]

3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]

3940.	[func]		"rndc nta" now allows negative trust anchors to be
			set for up to one week. [RT #37069]

3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
			connections to be shared. [RT #37039]

3938.	[placeholder]

3937.	[func]		Added some debug logging to better indicate the
			conditions causing SERVFAILs when resolving.
			[RT #35538]

3936.	[func]		Added authoritative support for the EDNS Client
			Subnet (ECS) option.

			ACLs can now include "ecs" elements which specify
			an address or network prefix; if an ECS option is
			included in a DNS query, then the address encoded
			in the option will be matched against "ecs" ACL
			elements.

			Also, if an ECS address is included in a query,
			then it will be used instead of the client source
			address when matching "geoip" ACL elements.  This
			behavior can be overridden with "geoip-use-ecs no;".
			(Note: to enable "geoip" ACLs, use "configure
			--with-geoip". This requires libGeoIP version
			1.5.0 or higher.)

			When "ecs" or "geoip" ACL elements are used to
			select a view for a query, the response will include
			an ECS option to indicate which client network the
			answer is valid for.

			(Thanks to Vincent Bernat.) [RT #36781]

3935.	[bug]		"geoip asnum" ACL elements would not match unless
			the full organization name was specified.  They
			can now match against the AS number alone (e.g.,
			AS1234). [RT #36945]

3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
			sit-secret documentation. [RT #36980]

3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
			for the HIP rdata type.  [RT #36911]

3932.	[test]		Improved named-checkconf tests. [RT #36911]

3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]

3930.	[bug]		"rndc nta -r" could cause a server hang if the
			NTA was not found. [RT #36909]

3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]

3928.	[test]		Improve rndc system test. [RT #36898]

3927.	[bug]		dig: report PKCS#11 error codes correctly when
			compiled with --enable-native-pkcs11. [RT #36956]

3926.	[doc]		Added doc for geoip-directory. [RT #36877]

3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]

3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]

3923.	[bug]		Sanity check the xml2-config output. [RT #22246]

3922.	[bug]		When resigning, dnssec-signzone was removing
			all signatures from delegation nodes. It now
			retains DS and (if applicable) NSEC signatures.
			[RT #36946]

3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]

3920.	[doc]		Added doc for masterfile-style. [RT #36823]

3919.	[bug]		dig: continue to next line if an address lookup fails
			in batch mode. [RT #36755]

3918.	[doc]		Update check-spf documentation. [RT #36910]

3917.	[bug]		dig, nslookup and host now continue on names that are
			too long after applying search list elements.
			[RT #36892]

3916.	[contrib]	zone2sqlite checked wrong result code.  Address
			compiler warnings. [RT #36931]

3915.	[bug]		Address an assertion if a route event arrived while
			shutting down. [RT #36887]

3914.	[bug]		Allow the URI target and CAA value fields to
			be zero length. [RT #36737]

3913.	[bug]		Address race issue in dispatch. [RT #36731]

3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]

3911.	[func]		Implement EDNS EXPIRE option client side, allowing
			a slave server to set the expiration timer correctly
			when transferring zone data from another slave
			server. [RT #35925]

3910.	[bug]		Fix races to free event during shutdown. [RT #36720]

3909.	[bug]		When computing the number of elements required for an
			acl count_acl_elements could have a short count leading
			to an assertion failure.  Also zero out new acl elements
			in dns_acl_merge.  [RT #36675]

3908.	[bug]		rndc now differentiates between a zone in multiple
			views and a zone that doesn't exist at all. [RT #36691]

3907.	[cleanup]	Alphabetize rndc help. [RT #36683]

3906.	[protocol]	Update URI record format to comply with
			draft-faltstrom-uri-08. [RT #36642]

3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]

3904.	[func]		Add the RPZ SOA to the additional section. [RT36507]

3903.	[bug]		Improve the accuracy of DiG's reported round trip
			time. [RT 36611]

3902.	[bug]		liblwres wasn't handling link-local addresses in
			nameserver clauses in resolv.conf. [RT #36039]

3901.	[protocol]	Added support for CAA record type (RFC 6844).
			[RT #36625]

3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]

3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
			zones. [RT #36608]

3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
			[RT #36598]

3897.	[bug]		RPZ summary information was not properly being updated
			after an AXFR resulting in changes sometimes being
			ignored.  [RT #35885]

3896.	[bug]		Address performance issues with DSCP code on some
			platforms. [RT #36534]

3895.	[func]		Add the ability to set the DSCP code point to dig.
			[RT #36546]

3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
			initialized leading to potential overflows when
			printing out quad values. [RT #36505]

3893.	[bug]		Peer DSCP values could be returned without being set.
			[RT #36538]

3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
			effects. [RT #36452]

3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
			to install python programs.

3890.	[bug]		RRSIG sets that were not loaded in a single transaction
			at start up were not being correctly added to
			re-signing heaps.  [RT #36302]

3889.	[port]		hurd: configure fixes as per:
			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540

3888.	[func]		'rndc status' now reports the number of automatic
			zones. [RT #36015]

3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
			they are easier to use in a debugger. [RT #36373]

3886.	[bug]		rbtdb_write_header should use a once to initialize
			FILE_VERSION. [RT #36374]

3885.	[port]		Use 'open()' rather than 'file()' to open files in
			python.

3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]

3883.	[placeholder]

3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behavior.  The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]

3881.	[bug]		Address memory leak with UPDATE error handling.
			[RT #36303]

3880.	[test]		Update ans.pl to work with new TSIG support in
			Net::DNS; add additional Net::DNS version prerequisite
			checks. [RT #36327]

3879.	[func]		Add version printing option to various BIND utilities.
			[RT #10686]

3878.	[bug]		Using the incorrect filename for a DLZ module
			caused a segmentation fault on startup. [RT #36286]

3877.	[bug]		Inserting and deleting parent and child nodes
			in response policy zones could trigger an assertion
			failure. [RT #36272]

3876.	[bug]		Improve efficiency of DLZ redirect zones by
			suppressing unnecessary database lookups. [RT #35835]

3875.	[cleanup]	Clarify log message when unable to read private
			key files. [RT #24702]

3874.	[test]		Check that only "check-names master" is needed for
			updates to be accepted.

3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]

3872.	[bug]		Address issues found by static analysis. [RT #36209]

3871.	[bug]		Don't publish an activated key automatically before
			its publish time. [RT #35063]

3870.	[func]		Updated the random number generator used in
			the resolver to use the updated ChaCha based one
			(similar to OpenBSD's changes). Also moved the
			RNG to libisc and added unit tests for it.
			[RT #35942]

3869.	[doc]		Document that in-view zones cannot be used for
			response policy zones. [RT #35941]

3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
			potentially leaving over memory cleaner running.
			[RT #35270]

3867.	[func]		"rndc nta" can now be used to set a temporary
			negative trust anchor, which disables DNSSEC
			validation below a specified name for a specified
			period of time (not exceeding 24 hours).  This
			can be used when validation for a domain is known
			to be failing due to a configuration error on
			the part of the domain owner rather than a
			spoofing attack. [RT #29358]

3866.	[bug]		Named could die on disk full in generate_session_key.
			[RT #36119]

3865.	[test]		Improved testability of the red-black tree
			implementation and added unit tests. [RT #35904]

3864.	[bug]		RPZ didn't work well when being used as forwarder.
			[RT #36060]

3863.	[bug]		The "E" flag was missing from the query log as an
			unintended side effect of code rearrangement to
			support EDNS EXPIRE. [RT #36117]

3862.	[cleanup]	Return immediately if we are not going to log the
			message in ns_client_dumpmessage.

3861.	[security]	Missing isc_buffer_availablelength check results
			in a REQUIRE assertion when printing out a packet
			(CVE-2014-3859).  [RT #36078]

3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
			at run time as it is limited to {OPEN_MAX}.
			[RT #35878]

3859.	[placeholder]

3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
			[RT #35968]

3857.	[bug]		Make it harder for an incorrect NOEDNS classification
			to be made. [RT #36020]

3856.	[bug]		Configuring libjson without also configuring libxml
			resulted in a REQUIRE assertion when retrieving
			statistics using json. [RT #36009]

3855.	[bug]		Limit smoothed round trip time aging to no more than
			once a second. [RT #32909]

3854.	[cleanup]	Report unrecognized options, if any, in the final
			configure summary. [RT #36014]

3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
			the handling of a rdataset with no records. [RT #35968]

3852.	[func]		Increase the default number of clients available
			for servicing lightweight resolver queries, and
			make them configurable via the "lwres-tasks" and
			"lwres-clients" options.  (Thanks to Tomas Hozza.)
			[RT #35857]

3851.	[func]		Allow libseccomp based system-call filtering
			on Linux; use "configure --enable-seccomp" to
			turn it on.  Thanks to Loganaden Velvindron
			of AFRINIC for the contribution. [RT #35347]

3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
			[RT #35979]

3849.	[doc]		Alphabetized dig's +options. [RT #35992]

3848.	[bug]		Adjust 'statistics-channels specified but not effective'
			error message to account for JSON support. [RT #36008]

3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
			there is not support available.

3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
			ixfr query. [RT #35980]

3845.	[placeholder]

3844.	[bug]		Use the x64 version of the Microsoft Visual C++
			Redistributable when built for 64 bit Windows.
			[RT #35973]

3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
			[RT #35969]

3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]

3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
			[RT #35924]

3840.	[port]		Check for arc4random_addrandom() before using it;
			it's been removed from OpenBSD 5.5. [RT #35907]

3839.	[test]		Use only posix-compatible shell in system tests.
			[RT #35625]

3838.	[protocol]	EDNS EXPIRE has been assigned a code point of 9.

3837.	[security]	A NULL pointer is passed to query_prefetch resulting in
			a REQUIRE assertion failure when a fetch is actually
			initiated (CVE-2014-3214).  [RT #35899]

3836.	[bug]		Address C++ keyword usage in header file.

3835.	[bug]		Geoip ACL elements didn't work correctly when
			referenced via named or nested ACLs. [RT #35879]

3834.	[bug]		The re-signing heaps were not being updated soon enough
			leading to multiple re-generations of the same RRSIG
			when a zone transfer was in progress. [RT #35273]

3833.	[bug]		Cross compiling was broken due to calling genrandom at
			build time. [RT #35869]

3832.	[func]		"named -L <filename>" causes named to send log
			messages to the specified file by default instead
			of to the system log. (Thanks to Tony Finch.)
			[RT #35845]

3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
			[RT #35843]

3830.	[func]		When query logging is enabled, log query errors at
			the same level ('info') as the queries themselves.
			[RT #35844]

3829.	[func]		"dig +ttlunits" causes dig to print TTL values
			with time-unit suffixes: w, d, h, m, s for
			weeks, days, hours, minutes, and seconds. (Thanks
			to Tony Finch.) [RT #35823]

3828.	[func]		"dnssec-signzone -N date" updates serial number
			to the current date in YYYYMMDDNN format.
			[RT #35800]

3827.	[placeholder]

3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
			[RT #35870]

3825.	[bug]		Address sign extension bug in isc_regex_validate.
			[RT #35758]

3824.	[bug]		A collision between two flag values could cause
			problems with cache cleaning when SIT was enabled.
			[RT #35858]

3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]

3822.	[bug]		Log the correct type of static-stub zones when
			removing them. [RT #35842]

3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
			update and transaction support. Thanks to Marty
			Lee for the contribution. [RT #35656]

3820.	[func]		The DLZ API doesn't pass the database version to
			the lookup() function; this can cause DLZ modules
			that allow dynamic updates to mishandle prerequisite
			checks. This has been corrected by adding a
			'dbversion' field to the dns_clientinfo_t
			structure. [RT #35656]

3819.	[bug]		NSEC3 hashes need to be able to be entered and
			displayed without padding.  This is not an issue for
			currently defined algorithms but may be for future
			hash algorithms. [RT #27925]

3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
			constant in isc_event_allocate.

3817.	[func]		The "delve" command is now spelled "delv" to avoid
			a namespace collision with the Xapian project.
			[RT #35801]

3816.	[func]		"dig +qr" now reports query size. (Thanks to
			Tony Finch.) [RT #35822]

3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]

3814.	[func]		The "masterfile-style" zone option controls the
			formatting of dumped zone files. Options are
			"relative" (multiline format) and "full" (one
			record per line). The default is "relative".
			[RT #20798]

3813.	[func]		"host" now recognizes the "timeout", "attempts" and
			"debug" options when set in /etc/resolv.conf.
			(Thanks to Adam Tkac at RedHat.) [RT #21885]

3812.	[func]		Dig now supports sending arbitrary EDNS options from
			the command line (+ednsopt=code[:value]). [RT #35584]

3811.	[func]		"serial-update-method date;" sets serial number
			on dynamic update to today's date in YYYYMMDDNN
			format. (Thanks to Bradley Forschinger.) [RT #24903]

3810.	[bug]		Work around broken nameservers that fail to ignore
			unknown EDNS options. [RT #35766]

3809.	[doc]		Fix SIT and NSID documentation.

3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]

3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
			lowercase is set. [RT #35743]

3806.	[test]		Improved system test portability. [RT #35625]

3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
			for DNS over TCP. [RT #35710]

	--- 9.10.0rc1 released ---

3804.	[bug]		Corrected a race condition in dispatch.c in which
			portentry could be reset leading to an assertion
			failure in socket_search(). (Change #3708
			addressed the same issue but was incomplete.)
			[RT #35128]

3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
			using alternate data sources for not having a "file"
			option. [RT #35685]

3802.	[bug]		Various header files were not being installed.

3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]

3800.	[bug]		A pending event on the route socket could cause an
			assertion failure when shutting down named. [RT #35674]

3799.	[bug]		Improve named's command line error reporting.
			[RT #35603]

3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
			time. [RT #35659]

3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]

3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]

3795.	[bug]		Make named-checkconf detect raw masterfiles for
			hint zones and reject them. [RT #35268]

3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.

3793.	[bug]		zone.c:save_nsec3param() could assert when out of
			memory. [RT #35621]

3792.	[func]		Provide links to the alternate statistics views when
			displaying in a browser.  [RT #35605]

3791.	[placeholder]

3790.	[bug]		Handle broken nameservers that send BADVERS in
			response to unknown EDNS options.  Maintain
			statistics on BADVERS responses.

3789.	[bug]		Null pointer dereference on rbt creation failure.

3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
			mistake.

	--- 9.10.0b2 released ---

3787.	[bug]		The code that checks whether "auto-dnssec" is
			allowed was ignoring "allow-update" ACLs set at
			the options or view level. [RT #29536]

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PKCS#11 API implementation. [RT #35479]

3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
			input (only compiled with -DDEBUG). [RT #35544]

3784.	[bug]		Using "rrset-order fixed" when it had not been
			enabled at compile time caused inconsistent
			results. It now works as documented, defaulting
			to cyclic mode. [RT #28104]

3783.	[func]		"tsig-keygen" is now available as an alternate
			command name for "ddns-confgen".  It generates
			a TSIG key in named.conf format without comments.
			[RT #35503]

3782.	[func]		Specifying "auto" as the salt when using
			"rndc signing -nsec3param" causes named to
			generate a 64-bit salt at random. [RT #35322]

3781.	[tuning]	Use adaptive mutex locks when available; this
			has been found to improve performance under load
			on many systems. "configure --with-locktype=standard"
			restores conventional mutex locks. [RT #32576]

3780.	[bug]		$GENERATE handled negative numbers incorrectly.
			[RT #25528]

3779.	[cleanup]	Clarify the error message when using an option
			that was not enabled at compile time. [RT #35504]

3778.	[bug]		Log a warning when the wrong address family is
			used in "listen-on" or "listen-on-v6". [RT #17848]

3777.	[bug]		EDNS EXPIRE code could dump core when processing
			DLZ queries. [RT #35493]

3776.	[func]		"rndc -q" suppresses output from successful
			rndc commands. Errors are printed on stderr.
			[RT #21393]

3775.	[bug]		dlz_dlopen driver could return the wrong error
			code on API version mismatch, leading to a segfault.
			[RT #35495]

3774.	[func]		When using "request-nsid", log the NSID value in
			printable form as well as hex. [RT #20864]

3773.	[func]		"host", "nslookup" and "nsupdate" now have
			options to print the version number and exit.
			[RT #26057]

3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
			(Based in part on a contribution from Tim Tessier.)
			[RT #20822]

3771.	[cleanup]	Adjusted log level for "using built-in key"
			messages. [RT #24383]

3770.	[bug]		"dig +trace" could fail with an assertion when it
			needed to fall back to TCP due to a truncated
			response. [RT #24660]

3769.	[doc]		Improved documentation of "rndc signing -list".
			[RT #30652]

3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
			algorithm. [RT #34000]

3767.	[func]		Log explicitly when using rndc.key to configure
			command channel. [RT #35316]

3766.	[cleanup]	Fixed problems with building outside the source
			tree when using native PKCS#11. [RT #35459]

3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
			named when dumping an empty keynode. [RT #35469]

3764.	[bug]		The dnssec-keygen/settime -S and -i options
			(to set up a successor key and set the prepublication
			interval) were missing from dnssec-keyfromlabel.
			[RT #35394]

3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
			re-fetch them when restarting validation. [RT #35476]

3762.	[bug]		Address build problems with --pkcs11-native +
			--with-openssl with ECDSA support. [RT #35467]

3761.	[bug]		Address dangling reference bug in dns_keytable_add.
			[RT #35471]

3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
			[RT #35433]

3759.	[port]		Enable delve on Windows. [RT #35441]

3758.	[port]		Enable export library APIs on Windows. [RT #35382]

3757.	[port]		Enable Python tools (dnssec-coverage,
			dnssec-checkds) to run on Windows. [RT #34355]

3756.	[bug]		GSSAPI Kerberos realm checking was broken in
			check_config leading to spurious messages being
			logged.  [RT #35443]

	--- 9.10.0b1 released ---

3755.	[func]		Add stats counters for known EDNS options + others.
			[RT #35447]

3754.	[cleanup]	win32: Installer now places files in the
			Program Files area rather than system services.
			[RT #35361]

3753.	[bug]		allow-notify was ignoring keys. [RT #35425]

3752.	[bug]		Address potential REQUIRE failure if
			DNS_STYLEFLAG_COMMENTDATA is set when printing out
			a rdataset.

3751.	[tuning]	The default setting for the -U option (setting
			the number of UDP listeners per interface) has
			been adjusted to improve performance. [RT #35417]

3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00.  Retrieval of
			the remaining time until expiry for slave zones
			is supported.

			EXPIRE uses an experimental option code (65002),
			which is subject to change. [RT #35416]

3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]

3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]

3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001),
			which will be changed to an IANA-assigned value
			if the experiment is deemed a success.

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT.  RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented.  This is
			needed to support turning off forwarding and turning
			on delegation only at the same name.  [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested.  [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware security
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen).  [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]