CHANGES

2409.	[func]		Only log that we disabled EDNS processing if we were
			subsequently successful.  [RT #18029]

2408.	[bug]		A duplicate TCP dispatch event could be sent, which
			could then trigger an assertion failure in
			resquery_response().  [RT #18275]

2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]

2406.	[bug]		Sockets could be closed too early, leading to
			inconsistent states in the socket module. [RT #18298]

2405.   [cleanup]       The default value for dnssec-validation was changed to
                        "yes" in 9.5.0-P1 and all subsequent releases; this
                        was inadvertently omitted from CHANGES at the time.

2404.	[port]		hpux: files unlimited support.

2403.	[bug]		TSIG context leak. [RT #18341]

2402.	[port]		Support Solaris 2.11 and over. [RT #18362]

2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
			(from accept() or fcntl() system calls). [RT #18358]

2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
			[RT #18297]

2399.	[placeholder]

2398.	[placeholder]

2397.	[bug]		gssapi_functions had too many elements. [RT #18355]

2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
			[RT #18336]

2395.	[port]		Avoid warning and no effect from "files unlimited"
			on Linux when running as root. [RT #18335]

2394.	[bug]		Default configuration options set the limit for
			open files to 'unlimited' as described in the
			documentation. [RT #18331]

2393.	[bug]		nested acls containing keys could trigger an
			assertion in acl.c. [RT #18166]

2392.	[bug]		remove 'grep -q' from acl test script, some platforms
			don't support it. [RT #18253]

2391.	[port]		hpux: cover additional recvmsg() error codes.
			[RT #18301]

2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
			[RT #18301].

2389.	[bug]		Move the "working directory writable" check to after
			the ns_os_changeuser() call. [RT #18326]

2388.	[bug]		Avoid using tables for layout purposes in
			statistics XSL [RT #18159].

2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
			[RT #18147] [RT #18258]

2386.	[func]		Add warning about too small 'open files' limit.
			[RT #18269]

2385.	[bug]		A condition variable in socket.c could leak in
			rare error handling [RT #17968].

2384.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949, #18098]

2383.	[bug]		named could double queries when they resulted in
			SERVFAIL due to overkilling EDNS0 failure detection.
			[RT #18182]

2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
			to ARM.

2381.	[port]		dlz/mysql: support multiple install layouts for
			mysql.  <prefix>/include/{,mysql/}mysql.h and
			<prefix>/lib/{,mysql/}. [RT #18152]

2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
			proofs which, in turn, caused validation failures
			for insecure zones immediately below a secure zone
			the server was authoritative for. [RT #18112] 

2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
			TLDs and supported RRs with TTLs [RT #17972]

2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
			[RT #18169]

2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]

2376.	[bug]		Change #2144 was not complete.

2375.	[placeholder]

2374.	[bug]		"blackhole" ACLs could cause named to segfault due
			to some uninitialized memory. [RT #18095]

2373.	[bug]		Default values of zone ACLs were re-parsed each time a
			new zone was configured, causing an overconsumption
			of memory. [RT #18092]

2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]

2371.	[doc]		Add +nsid option to dig man page. [RT #18039]

2370.	[bug]		"rndc freeze" could trigger an assertion in named
			when called on a nonexistent zone. [RT #18050]

2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
			[RT #18054]

2368.	[port]		Linux: use libcap for capability management if
			possible. [RT# 18026]

2367.	[bug]		Improve counting of dns_resstatscounter_retry
			[RT #18030]

2366.	[bug]		Adb shutdown race. [RT #18021]

2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
			spurious results. [RT #18000]

2364.	[bug]		named could trigger a assertion when serving a
			malformed signed zone. [RT #17828]

2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
			[RT #17513]

2362.   [cleanup]	Make "rrset-order fixed" a compile-time option.
			settable by "./configure --enable-fixed-rrset".
			Disabled by default. [RT #17977]

2361.	[bug]		"recursion" statistics counter could be counted
			multiple times for a single query.  [RT #17990]

2360.	[bug]		Fix a condition where we release a database version
			(which may acquire a lock) while holding the lock.

2359.	[bug]		Fix NSID bug. [RT #17942]

2358.	[doc]		Update host's default query description. [RT #17934]

2357.	[port]		Don't use OpenSSL's engine support in versions before
			OpenSSL 0.9.7f. [RT #17922]

2356.	[bug]		Built in mutex profiler was not scalable enough.
			[RT #17436]

2355.	[func]		Extend the number statistics counters available.
			[RT #17590]

2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
			[RT #17927]

2353.	[func]		Add support for Name Server ID (RFC 5001).
			'dig +nsid' requests NSID from server.
			'request-nsid yes;' causes recursive server to send
			NSID requests to upstream servers.  Server responds
			to NSID requests with the string configured by
			'server-id' option.  [RT #17091]

2352.	[bug]		Various GSS_API fixups. [RT #17729]

2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]

2350.	[port]		win32: IPv6 support. [RT #17797]

2349.	[func]		Provide incremental re-signing support for secure
			dynamic zones. [RT #1091]

2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
			Documentation is in the new README.pkcs11 file.
			[RT #16844]

2347.	[bug]		Delete now traverses the RB tree in the canonical
			order. [RT #17451]

2346.	[func]		Memory statistics now cover all active memory contexts
			in increased detail. [RT #17580]

2345.	[bug]		named-checkconf failed to detect when forwarders
			were set at both the options/view level and in
			a root zone. [RT #17671]

2344.	[bug]		Improve "logging{ file ...; };" documentation.
			[RT #17888]

2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
			created in ADB. [RT #17837]

2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]

2341.	[bug]		libbind: add missing -I../include for off source
			tree builds. [RT #17606]

2340.	[port]		openbsd: interface configuration. [RT #17700]

2339.	[port]		tru64: support for libbind. [RT #17589]

2338.	[bug]		check_ds() could be called with a non DS rdataset.
			[RT #17598]

2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]

2336.	[func]		If "named -6" is specified then listen on all IPv6
			interfaces if there are not listen-on-v6 clauses in
			named.conf.  [RT #17581]

2335.	[port]		sunos:  libbind and *printf() support for long long. 
			[RT #17513]

2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
			bug in fromstruct_txt(). [RT #17609]
			
2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
			[RT #17608]

2332.	[contrib]	query-loc-0.4.0. [RT #17602]

2331.	[bug]		Failure to regenerate any signatures was not being
			reported nor being past back to the UPDATE client.
			[RT #17570]

2330.	[bug]		Remove potential race condition when handling
			over memory events. [RT #17572]

			WARNING: API CHANGE: over memory callback
			function now needs to call isc_mem_waterack().
			See <isc/mem.h> for details.

2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.

2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
			M.ROOT-SERVERS.NET.

2327.	[bug]		It was possible to dereference a NULL pointer in
			rbtdb.c.  Implement dead node processing in zones as
			we do for caches. [RT #17312]

2326.	[bug]		It was possible to trigger a INSIST in the acache
			processing.

2325.	[port]		Linux: use capset() function if available. [RT #17557]

2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]

2323.	[port]		tru64: namespace clash. [RT #17547]

2322.	[port]		MacOS: work around the limitation of setrlimit()
			for RLIMIT_NOFILE. [RT #17526]

2321.	[placeholder]

2320.	[func]		Make statistics counters thread-safe for platforms
			that support certain atomic operations. [RT #17466]

2319.	[bug]		Silence Coverity warnings in 
			lib/dns/rdata/in_1/apl_42.c. [RT #17469]

2318.	[port]		sunos fixes for libbind.  [RT #17514]

2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]

2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
			[RT #17513]

2315.   [bug]           Used incorrect address family for mapped IPv4
                        addresses in acl.c. [RT #17519]

2314.	[bug]		Uninitialized memory use on error path in
			bin/named/lwdnoop.c.  [RT #17476]

2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
			[RT #17447] [RT #17478]

2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
			[RT #17458]

2311.   [bug]           IPv6 addresses could match IPv4 ACL entries and
                        vice versa. [RT #17462]

2310.	[bug]		dig, host, nslookup: flush stdout before emitting
			debug/fatal messages.  [RT #17501]

2309.   [cleanup]       Fix Coverity warnings in lib/dns/acl.c and iptable.c.
                        [RT #17455]

2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
			[RT #17495]

2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]

2306.	[bug]		Remove potential race from lib/dns/resolver.c.
			[RT #17470]

2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.

2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
			[RT #17460]

2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
			[RT #17471]

2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]

2301.	[bug]		Remove resource leak and fix error messages in
			bin/tests/system/lwresd/lwtest.c. [RT #17474]

2300.	[bug]		Fixed failure to close open file in 
			bin/tests/names/t_names.c. [RT #17473]

2299.	[bug]		Remove unnecessary NULL check in
			bin/nsupdate/nsupdate.c. [RT #17475]

2298.	[bug]		isc_mutex_lock() failure not caught in
			bin/tests/timers/t_timers.c. [RT #17468]

2297.	[bug]		isc_entropy_createfilesource() failure not caught in
			bin/tests/dst/t_dst.c. [RT #17467]

2296.	[port]		Allow docbook stylesheet location to be specified to
			configure. [RT #17457]

2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
			[RT #17459]

2294.	[func]		Allow the experimental statistics channels to have
			multiple connections and ACL.
			Note: the stats-server and stats-server-v6 options
			available in the previous beta releases are replaced
			with the generic statistics-channels statement.

2293.	[func]		Add ACL regression test. [RT #17375]

2292.	[bug]		Log if the working directory is not writable.
			[RT #17312]

2291.   [bug]           PR_SET_DUMPABLE may be set too late.  Also report
			failure to set PR_SET_DUMPABLE. [RT #17312]

2290.	[bug]		Let AD in the query signal that the client wants AD
			set in the response. [RT #17301]

2289.	[func]		named-checkzone now reports the out-of-zone CNAME
			found. [RT #17309]

2288.	[port]		win32: mark service as running when we have finished
			loading.  [RT #17441]

2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]

2286.	[func]		Allow a TCP connection to be used as a weak
			authentication method for reverse zones.
			New update-policy methods tcp-self and 6to4-self.
			[RT #17378]

2285.	[func]		Test framework for client memory context management.
			[RT #17377]

2284.	[bug]		Memory leak in UPDATE prerequisite processing.
			[RT #17377]

2283.	[bug]		TSIG keys were not attaching to the memory
			context.  TSIG keys should use the rings
			memory context rather than the clients memory
			context. [RT #17377]

2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]

2281.	[bug]		Attempts to use undefined acls were not being logged.
			[RT #17307]

2280.	[func]		Allow the experimental http server to be reached
			over IPv6 as well as IPv4. [RT #17332]

2279.   [bug]           Use setsockopt(SO_NOSIGPIPE), when available,
			to protect applications from receiving spurious
			SIGPIPE signals when using the resolver.

2278.	[bug]		win32: handle the case where Windows returns no
			search list or DNS suffix. [RT #17354]

2277.	[bug]		Empty zone names were not correctly being caught at
			in the post parse checks. [RT #17357]

2276.	[bug]		Install <dst/gssapi.h>.  [RT# 17359]

2275.	[func]		Add support to dig to perform IXFR queries over UDP.
			[RT #17235]

2274.	[func]		Log zone transfer statistics. [RT #17336]

2273.	[bug]		Adjust log level to WARNING when saving inconsistent
			stub/slave master and journal files. [RT# 17279]

2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
			[RT #17262]

2271.	[bug]		Fix a memory leak in http server code [RT #17100]

2270.	[bug]		dns_db_closeversion() version->writer could be reset
			before it is tested. [RT #17290]

2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]

2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
			list.

	--- 9.5.0b1 released ---

2267.   [bug]           Radix tree node_num value could be set incorrectly,
                        causing positive ACL matches to look like negative
                        ones.  [RT #17311]

2266.	[bug]		client.c:get_clientmctx() returned the same mctx
			once the pool of mctx's was filled. [RT #17218]

2265.	[bug]		Test that the memory context's basic_table is non NULL
			before freeing.  [RT #17265]

2264.	[bug]		Server prefix length was being ignored. [RT #17308]

2263.	[bug]		"named-checkconf -z" failed to set default value
			for "check-integrity".  [RT #17306]

2262.	[bug]		Error status from all but the last view could be
			lost. [RT #17292]

2261.   [bug]           Fix memory leak with "any" and "none" ACLs [RT #17272]

2260.	[bug]		Reported wrong clients-per-query when increasing the
                        value. [RT #17236]

2259.	[placeholder]

	--- 9.5.0a7 released ---

2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
			[RT #17241]

2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
			calling it. [RT #17222]

2256.	[bug]		win32: Correctly register the installation location of
			bindevt.dll. [RT #17159]

2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.

2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
			when reading timer->idle allowing it to see
			intermediate values as timer->idle was reset by
			isc_timer_touch(). [RT #17243]

2253.	[func]	 	"max-cache-size" defaults to 32M.
			"max-acache-size" defaults to 16M.

2252.   [bug]           Fixed errors in sortlist code [RT #17216]

2251.	[placeholder]

2250.	[func]		New flag 'memstatistics' to state whether the
			memory statistics file should be written or not.
			Additionally named's -m option will cause the
			statistics file to be written. [RT #17113]
			
2249.   [bug]           Only set Authentic Data bit if client requested
                        DNSSEC, per RFC 3655 [RT #17175]

2248.   [cleanup]       Fix several errors reported by Coverity. [RT #17160]

2247.	[doc]		Sort doc/misc/options. [RT #17067]

2246.	[bug]		Make the startup of test servers (ans.pl) more
			robust. [RT #17147]

2245.	[bug]		Validating lack of DS records at trust anchors wasn't
			working. [RT #17151]

2244.	[func]		Allow the check of nameserver names against the
			SOA MNAME field to be disabled by specifying
			'notify-to-soa yes;'.  [RT #17073]

2243.	[func]		Configuration files without a newline at the end now
			parse without error. [RT #17120]

2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
			library could require a source of random data.
			[RT #17127]

2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]

2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
			a number of INSIST()s into plain fatal() errors
			which report the triggering result code.
			The 'key' command wasn't disabling GSS-TSIG.
			[RT #17099]

2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]

2238.	[bug]		It was possible to trigger a REQUIRE when a
			validation was canceled. [RT #17106]

2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]

2236.	[bug]		dnssec-signzone failed to preserve the case of
			of wildcard owner names. [RT #17085]

2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]

2234.   [port]          Correct some compiler warnings on SCO OSr5 [RT #17134]
  
2233.   [func]          Add support for O(1) ACL processing, based on
                        radix tree code originally written by Kevin
                        Brintnall. [RT #16288]

2232.	[bug]		dns_adb_findaddrinfo() could fail and return
			ISC_R_SUCCESS. [RT #17137]

2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
			[RT #17088]

2230.	[bug]		We could INSIST reading a corrupted journal.
			[RT #17132]

2229.	[bug]		Null pointer dereference on query pool creation
			failure. [RT #17133]

2228.	[contrib]	contrib: Change 2188 was incomplete.

2227.	[cleanup]	Tidied up the FAQ. [RT #17121]

2226.	[placeholder]

2225.	[bug]		More support for systems with no IPv4 addresses.
		        [RT #17111]

2224.	[bug]		Defer journal compaction if a xfrin is in progress.
			[RT #17119]

2223.	[bug]		Make a new journal when compacting. [RT #17119]

2222.	[func]		named-checkconf now checks server key references.
		        [RT #17097]

2221.	[bug]		Set the event result code to reflect the actual
			record turned to caller when a cache update is
			rejected due to a more credible answer existing.
			[RT #17017]

2220.	[bug]		win32: Address a race condition in final shutdown of
			the Windows socket code. [RT #17028]
			
2219.	[bug]		Apply zone consistency checks to additions, not
			removals, when updating. [RT #17049]

2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
			[RT #16976]

2217.	[func]		Adjust update log levels. [RT #17092]

2216.	[cleanup]	Fix a number of errors reported by Coverity.
		        [RT #17094]

2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]

2214.	[bug]		Deregister OpenSSL lock callback when cleaning
			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
			is called before the locks are destroyed. [RT #17098]

2213.	[bug]		SIG0 diagnostic failure messages were looking at the
			wrong status code. [RT #17101]

2212.	[func]		'host -m' now causes memory statistics and active
			memory to be printed at exit. [RT 17028]

2211.	[func]		Update "dynamic update temporarily disabled" message.
			[RT #17065]

2210.	[bug]		Deleting class specific records via UPDATE could
			fail.  [RT #17074]

2209.	[port]		osx: linking against user supplied static OpenSSL
			libraries failed as the system ones were still being
			found. [RT #17078]

2208.	[port]		win32: make sure both build methods produce the
			same output. [RT #17058]

2207.	[port]		Some implementations of getaddrinfo() fail to set
			ai_canonname correctly. [RT #17061]

	--- 9.5.0a6 released ---

2206.	[security]	"allow-query-cache" and "allow-recursion" now
			cross inherit from each other.

			If allow-query-cache is not set in named.conf then
			allow-recursion is used if set, otherwise allow-query
			is used if set, otherwise the default (localnets;
			localhost;) is used.

			If allow-recursion is not set in named.conf then
			allow-query-cache is used if set, otherwise allow-query
			is used if set, otherwise the default (localnets;
			localhost;) is used.

			[RT #16987]
	
2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]

2204.	[bug]		"rndc flushanme name unknown-view" caused named
			to crash. [RT #16984]

2203.	[security]	Query id generation was cryptographically weak.
			[RT # 16915]

2202.	[security]	The default acls for allow-query-cache and
			allow-recursion were not being applied. [RT #16960]

2201.	[bug]		The build failed in a separate object directory.
			[RT #16943]

2200.	[bug]		The search for cached NSEC records was stopping to
			early leading to excessive DLV queries. [RT #16930]

2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
			[RT #16911]

2198.	[bug]		win32: RegCloseKey() could be called when
			RegOpenKeyEx() failed. [RT #16911]

2197.	[bug]		Add INSIST to catch negative responses which are
			not setting the event result code appropriately.
			[RT #16909]

2196.	[port]		win32: yield processor while waiting for once to
			to complete. [RT #16958]

2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
			when generating DNSKEYs. [RT #16954]

2194.	[bug]		Close journal before calling 'done' in xfrin.c.

	--- 9.5.0a5 released ---

2193.	[port]		win32: BINDInstall.exe is now linked statically.
			[RT #16906]

2192.	[port]		win32: use vcredist_x86.exe to install Visual
			Studio's redistributable dlls if building with
			Visual Stdio 2005 or later.

2191.	[func]		named-checkzone now allows dumping to stdout (-).
			named-checkconf now has -h for help.
			named-checkzone now has -h for help.
			rndc now has -h for help.
			Better handling of '-?' for usage summaries.
			[RT #16707]

2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
			more visible.  New logging category "edns-disabled".
			[RT #16871]

2189.	[bug]		Handle socket() returning EINTR. [RT #15949]

2188.	[contrib]	queryperf: autoconf changes to make the search for
			libresolv or libbind more robust. [RT #16299]

2187.	[bug]		query_addds(), query_addwildcardproof() and
			query_addnxrrsetnsec() should take a version
			argument. [RT #16368]

2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
			independently of IPv6. [RT #16482]

2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
			memchr(). [RT #16463]

2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
			[RT #16830]

2183.	[bug]		dnssec-signzone didn't handle offline private keys
			well.  [RT #16832]

2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
			could return ISC_R_SUCCESS when they ran out of
			memory. [RT #16365]

2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]

2180.	[cleanup]	Remove bit test from 'compress_test' as they
			are no longer needed. [RT #16497]

2179.	[func]		'rndc command zone' will now find 'zone' if it is
			unique to all the views. [RT #16821]

2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
			a reference leak. [RT #16867]

2177.	[bug]		Array bounds overrun on read (rcodetext) at
			debug level 10+. [RT #16798]

2176.	[contrib]	dbus update to handle race condition during
			initialization (Bugzilla 235809). [RT #16842]

2175.	[bug]		win32: windows broadcast condition variable support
			was broken. [RT #16592]

2174.	[bug]		I/O errors should always be fatal when reading
			master files. [RT #16825]

2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
			need to ship Microsoft.VC80.MFCLOC.

	--- 9.5.0a4 released ---

2172.	[bug]		query_addsoa() was being called with a non zone db.
			[RT #16834]

2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
			servers are not DS aware (DS queries to the parent
			return a referral to the child).

2170.	[func]		Add acache processing to test suite. [RT #16711]

2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
			given name and not the last name searched for.
			[RT #16763]

2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
			as fatal errors. [RT #16785]

2167.	[bug]		When re-using a automatic zone named failed to
			attach it to the new view. [RT #16786]

	--- 9.5.0a3 released ---

2166.	[bug]		When running in batch mode, dig could misinterpret
			a server address as a name to be looked up, causing
			unexpected output. [RT #16743]

2165.	[func]		Allow the destination address of a query to determine
			if we will answer the query or recurse.
			allow-query-on, allow-recursion-on and
			allow-query-cache-on. [RT #16291]

2164.	[bug]		The code to determine how named-checkzone / 
			named-compilezone was called failed under windows.
			[RT #16764]

2163.	[bug]		If only one of query-source and query-source-v6
			specified a port the query pools code broke (change
			2129).  [RT #16768]

2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
			time. [RT #16665]

2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
			[RT #16698]

2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
			from getifaddrs(). [RT #16708]

	--- 9.5.0a2 released ---

2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]

2158.	[bug]		ns_client_isself() failed to initialize key
			leading to a REQUIRE failure. [RT #16688]

2157.	[func]		dns_db_transfernode() created. [RT #16685]

2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
			resolver.c:validated() and resolver.c:cache_name().
			Fix a memory leak in rbtdb.c:free_noqname().
			Make lookup.c:lookup_find() robust against
			event leaks. [RT #16685]

2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
			[RT #16694]

2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
			matched in acls by omitting the scope. [RT #16599]

2153.	[bug]		nsupdate could leak memory. [RT #16691]

2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
			dighost.c:get_trusted_key(). [RT #16678]

2151.	[bug]		Missing newline in usage message for journalprint.
			[RT #16679]

2150.	[bug]		'rrset-order cyclic' uniformly distribute the
			starting point for the first response for a given
			RRset. [RT #16655]

2149.	[bug]		isc_mem_checkdestroyed() failed to abort on
			if there were still active memory contexts.
			[RT #16672]

2148.	[func]		Add positive logging for rndc commands. [RT #14623]

2147.	[bug]		libbind: remove potential buffer overflow from
			hmac_link.c. [RT #16437]

2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
			SO_BSDCOMPAT" message. [RT #16641]

2145.	[bug]		Check DS/DLV digest lengths for known digests.
			[RT #16622]

2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
			[RT #16619]

2143.	[bug]		We failed to restart the IPv6 client when the
			kernel failed to return the destination the
			packet was sent to. [RT #16613]

2142.	[bug]		Handle master files with a modification time that
			matches the epoch. [RT# 16612]

2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
			equivalent of LDH checks).  [RT #16609]

2140.	[bug]		libbind: missing unlock on pthread_key_create()
			failures. [RT #16654]

2139.	[bug]		dns_view_find() was being called with wrong type
			in adb.c. [RT #16670]

2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]

2137.	[port]		Mips little endian and/or mips 64 bit are now
			supported for atomic operations. [RT#16648]

2136.	[bug]		nslookup/host looped if there was no search list
			and the host didn't exist. [RT #16657]

2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT# 16656]

2134.	[func]		Additional statistics support. [RT #16666]

2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
			assembler syntaxes. [RT #16647]

2132.	[bug]		Missing unlock on out of memory in
			dns_dispatchmgr_setudp().

2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]

2130.	[func]		Log if CD or DO were set. [RT #16640]

2129.	[func]		Provide a pool of UDP sockets for queries to be
			made over. See use-queryport-pool, queryport-pool-ports
			and queryport-pool-updateinterval.  [RT #16415]

2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]

2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]

2126.	[security]	Serialize validation of type ANY responses. [RT #16555]

2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
			was defined. [RT #16574]

2124.	[security]	It was possible to dereference a freed fetch
			context. [RT #16584]

	--- 9.5.0a1 released ---

2123.	[func]		Use Doxygen to generate internal documentation.
			[RT #11398]

2122.	[func]		Experimental http server and statistics support
			for named via xml.

2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
			second timeout. [RT #16553]

2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]

2119.	[compat]	libbind: allow res_init() to succeed enough to
			return the default domain even if it was unable
			to allocate memory.

2118.	[bug]		Handle response with long chains of domain name
			compression pointers which point to other compression
			pointers. [RT #16427]

2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
			which could lead to validation failures.  named didn't
			handle negative DS responses that were in the process
			of being validated.  Check CNAME bit before accepting
			NODATA proof. To be able to ignore a child NSEC there
			must be SOA (and NS) set in the bitmap. [RT #16399]

2116.	[bug]		'rndc reload' could cause the cache to continually
			be cleaned. [RT #16401]

2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
			number of masters for a zone was reduced. [RT #16444]

2114.	[bug]		dig/host/nslookup: searches for names with multiple
			labels were failing. [RT #16447]

2113.	[bug]		nsupdate: if a zone is specified it should be used
			for server discover. [RT# 16455]

2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]

2111.	[bug]		Fix a number of errors reported by Coverity.
			[RT #16507]

2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
			priming queries. [RT #16491]

2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]

2108.	[func]		DHCID support. [RT #16456]

2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]

2106.	[func]		'rndc status' now reports named's version. [RT #16426]

2105.	[func]		GSS-TSIG support (RFC 3645).

2104.	[port]		Fix Solaris SMF error message.

2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
			under Solaris.

2102.	[port]		Silence Solaris 10 warnings.

2101.	[bug]		OpenSSL version checks were not quite right.
			[RT #16476]

2100.	[port]		win32: copy libeay32.dll to Build\Debug.
			Copy Debug\named-checkzone to Debug\named-compilezone.

2099.	[port]		win32: more manifest issues.

2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
			triggered an INSIST failure about the node lock
			reference.  [RT #16411]

2097.	[bug]		named could reference a destroyed memory context
			after being reloaded / reconfigured. [RT #16428]

2096.	[bug]		libbind: handle applications that fail to detect
			res_init() failures better.

2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
			net_cidr_ntop_ipv6(). [RT #16388]
 
2094.	[contrib]	Update named-bootconf.  [RT# 16404]

2093.	[bug]		named-checkzone -s was broken.

2092.	[bug]		win32: dig, host, nslookup.  Use registry config
			if resolv.conf does not exist or no nameservers
			listed. [RT #15877] 

2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]

2090.	[port]		win32: Visual C++ 2005 command line manifest support.
			[RT #16417]

2089.	[security]	Raise the minimum safe OpenSSL versions to
			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
			prior to these have known security flaws which
			are (potentially) exploitable in named. [RT #16391]

2088.	[security]	Change the default RSA exponent from 3 to 65537.
			[RT #16391]

2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
			[RT #16382]

2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
			[RT #16403]

2085.	[doc]		win32: added index.html and README to zip. [RT #16201]

2084.	[contrib]	dbus update for 9.3.3rc2.

2083.	[port]		win32: Visual C++ 2005 support.

2082.	[doc]		Document 'cache-file' as a test only option.

2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
			[RT #16360]

2080.	[port]		libbind: res_init.c did not compile on older versions
			of Solaris. [RT #16363]

2079.	[bug]		The lame cache was not handling multiple types
			correctly. [RT #16361]

2078.	[bug]		dnssec-checkzone output style "default" was badly
			named.  It is now called "relative". [RT #16326]

2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
			complete signed zone. [RT #16326]

2076.	[bug]		Several files were missing #include <config.h>
			causing build failures on OSF. [RT #16341]

2075.	[bug]		The spillat timer event hander could leak memory.
			[RT #16357]

2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
			dns_request_createraw2() and dns_request_createraw3()
			failed to send multiple UDP requests. [RT #16349]

2073.	[bug]		Incorrect semantics check for update policy "wildcard".
			[RT #16353]

2072.	[bug]		We were not generating valid HMAC SHA digests.
			[RT #16320]

2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
			[RT #16324]

2070.	[bug]		The remote address was not always displayed when
			reporting dispatch failures. [RT #16315]

2069.	[bug]		Cross compiling was not working. [RT #16330]

2068.	[cleanup]	Lower incremental tuning message to debug 1.
			[RT #16319]

2067.	[bug]		'rndc' could close the socket too early triggering
			a INSIST under Windows. [RT #16317]

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

2065.	[bug]		libbind: probe for HPUX prototypes for
			endprotoent_r() and endservent_r().  [RT 16313]

2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]

2063.	[bug]		Change #1955 introduced a bug which caused the first
			'rndc flush' call to not free memory. [RT #16244]

2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
			been returned by the socket code. [RT #16307]

2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]

2060.	[bug]		Enabling DLZ support could leave views partially
			configured. [RT #16295]

2059.	[bug]		Search into cache rbtdb could trigger an INSIST
			failure while cleaning up a stale rdataset.
			[RT #16292]