CHANGES 403 KB
	--- 9.10.0b1 released ---

3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00.  Retrieval of
			remaining time to expiry from slave zones is supported.

			EXPIRE uses an experimental option code (65002) and
			is subject to change. [RT #35416]

3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]

3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]

3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001).
			[This will be changed to an IANA assigned value if
			 the experiment is deemed a success.]

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT.  RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented.  This is
			needed to support turning off forwarding and turning
			on delegation only at the same name.  [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. (Note: not yet
			available on win32.) [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested.  [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen).  [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]

3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

3632.	[bug]		Signatures from newly inactive keys were not being
			removed. [RT #32178]

3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

3626.	[func]		dig: NSID output now easier to read. [RT #21160]

3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

3624.	[bug]		Look for 'json_object_new_int64' when looking for
			the json library. [RT #34449]

3623.	[placeholder]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

3616.	[bug]		Change #3613 was incomplete. [RT #34177]

3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

3614.	[port]		Check for <linux/types.h>. [RT #34162]

3613.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]

3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]

3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]

3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	Removed use of const const in atf.

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a nonexistent master list was
			referenced in an also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]
