CHANGES

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: A uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json.  [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being referenced counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is teated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[port]		Support NAPTR regular expression validation on
			all platforms.  [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was a additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	removed use of const const in atf

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with a overly long
			domain named in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spam system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could a return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a valdation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a non-existant master list was
			referenced in a also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]

3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
			if built with readline support. [RT #29550]

3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
			were not C++ safe.

3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
			atomic operations. [RT #25181]

3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

3363.	[bug]		Need to allow "forward" and "fowarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]

3360.	[bug]		'host -w' could die.  [RT #18723]

3359.	[bug]		An improperly-formed TSIG secret could cause a
			memory leak. [RT #30607]

3358.	[placeholder]

3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

3355.	[port]		Use more portable awk in verify system test.

3354.	[func]		Improve OpenSSL error logging. [RT #29932]

3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

3352.	[bug]		Ensure that learned server attributes timeout of the
			adb cache. [RT #29856]

3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

3349.	[bug]		Change #3345 was incomplete. [RT #30233]

3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
			permissions of the existing file. [RT #27724]

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'map' zone file format, which is an image
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
			'map' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in units tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing a
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]

3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting.  Also
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while refesh_callback
			and stub_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained character that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with a INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT # 26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with with more than 512 records in a RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold a internal reference to the zone while performing
			a asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'.  (To avoid
			future confusion, both options now work.) [RT #27173]

3274.	[placeholder]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to covert 64 bit hex strings. [RT #27653]

	--- 9.9.0rc2 released ---

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]

3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

3261.	[func]		RRset ordering now defaults to random. [RT #27174]

3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]

	--- 9.9.0rc1 released ---

3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3257.	[bug]		Do not generate a error message when calling fsync()
			in a pipe or socket. [RT #27109]

3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that a empty zones be explicitly
			enabled or that a empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent run away memory consumption on ISC_R_NOSPACE.
			[RT #26956]

3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with a empty also-notify list.
			[RT #27087]

3245.	[bug]		Don't report a error unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

3244.	[func]		Added readline support to nslookup and nsupdate.
			Also simplified nsupdate syntax to make "update"
			and "prereq" optional. [RT #24659]

3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

3242.	[func]		Extended the header of raw-format master files to
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.

			(Note: raw zonefiles generated by this version of
			BIND are no longer compatible with prior versions.
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
			lib/dns/rbtdb.c:iszonesecure. [RT#26913]

3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

3231.	[bug]		named could fail to send a incompressible zone.
			[RT #26796]

3230.	[bug]		'dig axfr' failed to properly handle a multi-message
			axfr with a serial of 0. [RT #26796]

3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]

3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

3226.	[bug]		Address minor resource leakages. [RT #26624]

3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

3221.	[bug]		Fixed a potential core dump on shutdown due to
			referencing fetch context after it's been freed.
			[RT #26720]

	--- 9.9.0b2 released ---

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3219.	[bug]		Disable NOEDNS caching following a timeout.

3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]

3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]

3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading a
			possible assertion failure. [RT #23219]

3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]

3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
			[RT #25522]

3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

3205.	[func]		Upgrade dig's defaults to better reflect modern
			nameserver behavior.  Enable "dig +adflag" and
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]

3204.	[bug]		When a master server that has been marked as
			unreachable sends a NOTIFY, mark it reachable
			again. [RT #25960]

3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

3202.	[bug]		NOEDNS caching on timeout was too aggressive.
			[RT #26416]

3201.	[func]		'rndc querylog' can now be given an on/off parameter
			instead of only being used as a toggle. [RT #18351]