CHANGES 377 KB
Newer Older
Evan Hunt's avatar
Evan Hunt committed
1 2 3 4 5 6 7 8 9
3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

10 11
3535.	[bug]		Minor win32 cleanups. [RT #32962]

12 13 14
3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

15 16 17 18
3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

19 20 21
3531.	[bug]		win32: A uninitialized value could be returned on out
			of memory. [RT #32960]

Evan Hunt's avatar
Evan Hunt committed
22 23
3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

24 25 26 27 28
3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

Evan Hunt's avatar
Evan Hunt committed
29 30 31 32 33 34 35
3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

36 37 38 39
3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

40 41 42
3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

43 44 45 46 47 48 49
3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

50 51 52 53
3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json.  [RT #32630]

54 55 56 57 58
3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

59 60 61
3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

62 63
3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

64 65 66
3520.	[bug]		'mctx' was not being referenced counted in some places
			where it should have been.  [RT #32794]

67 68 69 70
3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

71 72 73 74 75
3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is teated as signed or unsigned by
			the compiler. [RT #32792]

76 77
3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

Evan Hunt's avatar
Evan Hunt committed
78 79
3516.	[placeholder]

80 81
3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

Evan Hunt's avatar
Evan Hunt committed
82 83 84 85 86 87
3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

88 89 90
3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

Evan Hunt's avatar
Evan Hunt committed
91 92 93
3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

Evan Hunt's avatar
Evan Hunt committed
94 95
3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

96 97 98
3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

99 100 101 102
3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

103 104 105
3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

106 107 108 109
3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

110 111 112 113 114 115 116 117 118 119 120 121
3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

Evan Hunt's avatar
Evan Hunt committed
122 123 124 125
3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]
Mark Andrews's avatar
Mark Andrews committed
126

Evan Hunt's avatar
Evan Hunt committed
127 128
3503.	[doc]		Clarify size_spec syntax. [RT #32449]

129 130 131
3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

132 133 134 135
3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

136 137 138
3500.	[port]		Support NAPTR regular expression validation on
			all platforms.  [RT #32688]

Evan Hunt's avatar
Evan Hunt committed
139 140 141
3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

142 143 144 145
3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

146 147 148 149
3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

Evan Hunt's avatar
Evan Hunt committed
150 151
3496.	[placeholder]

152
3495.	[func]		Support multiple response-policy zones (up to 32),
Mark Andrews's avatar
Mark Andrews committed
153
			while improving RPZ performance.  "response-policy"
154 155 156
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
Mark Andrews's avatar
Mark Andrews committed
157
			--enable-rpz-nsdname are now the default. [RT #32251]
158

Evan Hunt's avatar
Evan Hunt committed
159 160 161 162
3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

163 164
3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]
Mark Andrews's avatar
Mark Andrews committed
165

166 167 168
3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

169 170 171
3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

172
3490.	[bug]		When logging RDATA during update, truncate if it's
Mark Andrews's avatar
Mark Andrews committed
173
			too long. [RT #32365]
174

175 176 177 178 179
3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

180 181
3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

182 183
3487.	[bug]		Change 3444 was not complete.  There was a additional
			place where the NOQNAME proof needed to be saved.
Mark Andrews's avatar
Mark Andrews committed
184
			[RT #32629]
185

Evan Hunt's avatar
Evan Hunt committed
186 187 188
3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

189 190
3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

191 192 193
3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

Evan Hunt's avatar
Evan Hunt committed
194 195
3483.	[placeholder]

196 197 198 199
3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

200 201
3481.	[cleanup]	removed use of const const in atf

Evan Hunt's avatar
Evan Hunt committed
202 203 204
3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

205 206 207
3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

Evan Hunt's avatar
Evan Hunt committed
208 209 210 211
3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
Mark Andrews's avatar
Mark Andrews committed
212 213
			[RT #32365]

214 215 216
3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

Evan Hunt's avatar
Evan Hunt committed
217 218
3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]
219

220 221 222
3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

Evan Hunt's avatar
Evan Hunt committed
223 224 225 226
3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

227 228 229
3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

230 231 232 233
3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

234 235 236
3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

Evan Hunt's avatar
Evan Hunt committed
237 238 239 240
3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

241 242
3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
243
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
244 245 246

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]
247

248 249 250
3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

251 252
3465.	[bug]		Handle isolated reserved ports. [RT #31778]

253 254 255
3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

256
3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
257 258 259 260

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

261 262 263
3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

264 265
3460.	[bug]		Only link against readline where needed. [RT #29810]

266 267 268
3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

269 270 271
3458.	[bug]		Return FORMERR when presented with a overly long
			domain named in a request. [RT #29682]

272 273
3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

Evan Hunt's avatar
Evan Hunt committed
274
3456.	[port]		g++47: ATF failed to compile. [RT #32012]
275

276 277
3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

278 279
3454.	[port]		sparc64: improve atomic support. [RT #25182]

280 281 282
3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

Mark Andrews's avatar
Mark Andrews committed
283
3452.	[bug]		Accept duplicate singleton records. [RT #32329]
284

285 286 287
3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

288 289 290
3450.	[bug]		Stop logfileconfig system test spam system logs.
			[RT #32315]

291 292 293 294
3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

Evan Hunt's avatar
Evan Hunt committed
295 296 297
3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

298 299
3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

300 301 302
3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

303 304
3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]
305

306
3444.	[bug]		The NOQNAME proof was not being returned from cached
307 308
			insecure responses. [RT #21409]

309 310 311
3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

312 313 314
3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

315 316
3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

317 318 319
3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
			cleaning up due to out of memory error. [RT #32131]

Mark Andrews's avatar
Mark Andrews committed
320 321
3439.	[placeholder]

322 323
3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

Mark Andrews's avatar
Mark Andrews committed
324
3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
325 326
			buffers with constant data. [RT #32064]

327 328
3436.	[bug]		Check malloc/calloc return values. [RT #32088]

329 330 331
3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

332 333 334 335 336 337
3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

338 339 340
3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

Evan Hunt's avatar
Evan Hunt committed
341 342 343 344 345 346 347 348 349
3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

350 351 352
3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

353 354 355
3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

356 357 358
3429.	[bug]		dns_zone_getserial2 could a return success without
			returning a valid serial. [RT #32007]

Evan Hunt's avatar
Evan Hunt committed
359 360
3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

Mark Andrews's avatar
Mark Andrews committed
361
3427.	[bug]		dig +trace incorrectly displayed name server
Evan Hunt's avatar
Evan Hunt committed
362 363
			addresses instead of names. [RT #31641]

364 365 366
3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

367 368 369
3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

370 371 372
3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

373 374 375 376
3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

Mark Andrews's avatar
Mark Andrews committed
377
3422.	[bug]		Added a clear error message for when the SOA does not
378 379
			match the referral. [RT #31281]

380 381 382
3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

383 384
3420.	[bug]		Address VPATH compilation issues. [RT #31879]

385 386
3419.	[bug]		Memory leak on validation cancel. [RT #31869]

Mark Andrews's avatar
Mark Andrews committed
387 388 389 390 391 392
3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
393 394
			deprecated. [RT #30023]

Mark Andrews's avatar
Mark Andrews committed
395
3417.	[placeholder]
396

397 398 399
3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

Mark Andrews's avatar
Mark Andrews committed
400
3415.	[bug]		named could die with a REQUIRE failure if a valdation
401 402
			was canceled. [RT #31804]

403 404
3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

405 406 407
3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

408 409 410
3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

411 412 413
3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

414 415
3410.	[bug]		Addressed Coverity warnings. [RT #31626]

Evan Hunt's avatar
Evan Hunt committed
416 417 418 419 420
3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

421 422 423 424 425
3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

Mark Andrews's avatar
Mark Andrews committed
426 427
3407.	[placeholder]

428 429
3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
Mark Andrews's avatar
Mark Andrews committed
430
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
431

432 433
3405.	[bug]		Handle time going backwards in acache. [RT #31253]

434
3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
Mark Andrews's avatar
Mark Andrews committed
435
			RRSIG and NSEC records from nodes that used to be
436 437
			in-zone but are now below a zone cut. [RT #31556]

Evan Hunt's avatar
Evan Hunt committed
438 439
3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

Evan Hunt's avatar
Evan Hunt committed
440
3402.	[test]		The IPv6 interface numbers used for system
Mark Andrews's avatar
Mark Andrews committed
441
			tests were incorrect on some platforms. [RT #25085]
Curtis Blackburn's avatar
Curtis Blackburn committed
442

Evan Hunt's avatar
Evan Hunt committed
443 444
3401.	[bug]		Addressed Coverity warnings. [RT #31484]

Evan Hunt's avatar
Evan Hunt committed
445 446 447 448
3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

449 450 451
3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

452 453 454 455
3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

456
3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
Mark Andrews's avatar
Mark Andrews committed
457

458 459 460
3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

461 462 463 464
3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

Mark Andrews's avatar
Mark Andrews committed
465
3394.	[bug]		Adjust 'successfully validated after lower casing
466 467
			signer' log level and category. [RT #31414]

468 469 470
3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

471 472
3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

Mark Andrews's avatar
Mark Andrews committed
473 474
3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]
475

476 477
3390.	[bug]		Silence clang compiler warnings. [RT #30417]

478 479
3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

480 481 482 483 484 485
3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]
Evan Hunt's avatar
Evan Hunt committed
486

487 488
3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]
489

490 491 492
3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

493 494 495
3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

Evan Hunt's avatar
Evan Hunt committed
496 497
3384.	[bug]		Improved logging of crypto errors. [RT #30963]

Evan Hunt's avatar
typo  
Evan Hunt committed
498
3383.	[security]	A certain combination of records in the RBT could
Mark Andrews's avatar
Mark Andrews committed
499 500
			cause named to hang while populating the additional
			section of a response. [RT #31090]
Evan Hunt's avatar
Evan Hunt committed
501

Evan Hunt's avatar
Evan Hunt committed
502 503 504 505
3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

Evan Hunt's avatar
Evan Hunt committed
506 507 508
3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

509 510 511
3380.	[bug]		named could die if a non-existant master list was
			referenced in a also-notify. [RT #31004]

512 513 514
3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

515 516 517
3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

Evan Hunt's avatar
Evan Hunt committed
518 519 520
3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

521 522 523
3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

524 525
3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

Mark Andrews's avatar
Mark Andrews committed
526 527
3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]
528

Mark Andrews's avatar
Mark Andrews committed
529
3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
530

531 532 533
3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

534 535 536 537
3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

538 539 540
3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
541 542
			if built with readline support. [RT #29550]

543
3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
Evan Hunt's avatar
Evan Hunt committed
544
			were not C++ safe.
545

546 547 548
3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

Mark Andrews's avatar
Mark Andrews committed
549
3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
550 551
			atomic operations. [RT #25181]

552 553 554
3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

555 556 557
3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

558 559 560 561
3363.	[bug]		Need to allow "forward" and "fowarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

562 563 564 565
3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

566 567
3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]
Mark Andrews's avatar
Mark Andrews committed
568

569 570
3360.	[bug]		'host -w' could die.  [RT #18723]

571
3359.	[bug]		An improperly-formed TSIG secret could cause a
Mark Andrews's avatar
Mark Andrews committed
572
			memory leak. [RT #30607]
573

Mark Andrews's avatar
Mark Andrews committed
574 575
3358.	[placeholder]

576 577
3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

Mark Andrews's avatar
Mark Andrews committed
578
3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
579 580 581
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

582 583
3355.	[port]		Use more portable awk in verify system test.

584 585
3354.	[func]		Improve OpenSSL error logging. [RT #29932]

586 587 588
3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

589 590 591
3352.	[bug]		Ensure that learned server attributes timeout of the
			adb cache. [RT #29856]

592 593 594 595
3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

596 597 598 599
3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

Mark Andrews's avatar
Mark Andrews committed
600 601
3349.	[bug]		Change #3345 was incomplete. [RT #30233]

Mark Andrews's avatar
Mark Andrews committed
602 603 604 605
3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
Mark Andrews's avatar
Mark Andrews committed
606
			being inserted into the cache as well. [RT #26809]
Mark Andrews's avatar
Mark Andrews committed
607 608 609

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
Evan Hunt's avatar
Evan Hunt committed
610
			permissions of the existing file. [RT #27724]
Curtis Blackburn's avatar
Curtis Blackburn committed
611

Evan Hunt's avatar
Evan Hunt committed
612 613 614
3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

615 616 617 618
3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

Mark Andrews's avatar
Mark Andrews committed
619 620 621 622 623 624 625 626 627
3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

Mark Andrews's avatar
Mark Andrews committed
628 629
3343.	[placeholder]

630 631 632 633
3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

634 635 636 637
3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

Evan Hunt's avatar
Evan Hunt committed
638
3340.	[func]		Added new 'map' zone file format, which is an image
Mark Andrews's avatar
Mark Andrews committed
639 640 641 642
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
Evan Hunt's avatar
Evan Hunt committed
643
			'map' zone files cannot always be transferred from one
Curtis Blackburn's avatar
Curtis Blackburn committed
644 645
			server to another.) [RT #25419]

646 647 648
3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

649 650 651
3338.	[bug]		Address race condition in units tests: asyncload_zone
			and asyncload_zt. [RT #26100]

652 653 654
3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

655 656 657
3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

658 659 660
3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

661
3334.	[bug]		Hold a zone table reference while performing a
Mark Andrews's avatar
Mark Andrews committed
662
			asynchronous load of a zone. [RT #28326]
663

664
3333.	[bug]		Setting resolver-query-timeout too low can cause
Mark Andrews's avatar
Mark Andrews committed
665
			named to not recover if it loses connectivity.
666 667
			[RT #29623]

Mark Andrews's avatar
add #  
Mark Andrews committed
668
3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
669

Mark Andrews's avatar
Mark Andrews committed
670
3331.	[security]	dns_rdataslab_fromrdataset could produce bad
671
			rdataslabs. [RT #29644]
Mark Andrews's avatar
Mark Andrews committed
672

Vernon Schryver's avatar
Vernon Schryver committed
673
3330.	[func]		Fix missing signatures on NOERROR results despite
Mark Andrews's avatar
Mark Andrews committed
674
			RPZ rewriting.  Also
Vernon Schryver's avatar
Vernon Schryver committed
675 676 677 678 679 680 681 682 683 684 685 686 687
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


688 689 690 691 692 693
3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

Mark Andrews's avatar
Mark Andrews committed
694 695
3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]
Evan Hunt's avatar
Evan Hunt committed
696

Evan Hunt's avatar
Evan Hunt committed
697 698 699 700 701
3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727
3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

728
3318.	[tuning]	Reduce the amount of work performed while holding a
Mark Andrews's avatar
Mark Andrews committed
729
			bucket lock when finished with a fetch context.
730 731
			[RT #29239]

Mark Andrews's avatar
Mark Andrews committed
732
3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
733

734 735 736
3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

737 738 739 740 741
3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

742 743 744
3314.	[bug]		The masters list could be updated while refesh_callback
			and stub_callback were using it. [RT #26732]

745 746
3313.	[protocol]	Add TLSA record type. [RT #28989]

747 748 749
3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

750 751 752
3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

753 754
3310.	[test]		Increase table size for mutex profiling. [RT #28809]

Mark Andrews's avatar
Mark Andrews committed
755
3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
756 757
			[RT #27995]

Mark Andrews's avatar
Mark Andrews committed
758 759
3308.	[placeholder]

760 761
3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]
762

763 764 765 766
3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

767 768
3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]
769

770 771
3303.	[bug]		named could die when reloading. [RT #28606]

772 773 774 775
3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained character that
			required special mappings. [RT #28600]

776 777 778
3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

779 780 781
3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

782 783 784
3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

785 786 787 788
3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

789 790
3297.	[bug]		Named could die on a malformed master file. [RT #28467]

791 792 793
3296.	[bug]		Named could die with a INSIST failure in
			client.c:exit_check. [RT #28346]

794 795 796
3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT # 26542]

797 798 799
3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

800 801
3293.	[func]		nsupdate: list supported type. [RT #28261]

802 803 804
3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

805 806 807
3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

808 809
3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

810 811
3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

812 813 814
3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

815 816
3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

817 818 819
3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

820 821 822 823
3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

824 825 826
3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

827 828 829
3283.	[bug]		Raw zones with with more than 512 records in a RRset
			failed to load. [RT #27863]

830
3282.	[bug]		Restrict the TTL of NS RRset to no more than that
Mark Andrews's avatar
extend:  
Mark Andrews committed
831 832
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]
833

834 835 836 837
3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

838 839 840
3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

Mark Andrews's avatar
Mark Andrews committed
841
3279.	[bug]		Hold a internal reference to the zone while performing
842 843 844
			a asynchronous load.  Address potential memory leak
			if the asynchronous is cancelled. [RT #27750]

Mark Andrews's avatar
Mark Andrews committed
845
3278.	[bug]		Make sure automatic key maintenance is started
846 847 848
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

Mark Andrews's avatar
Mark Andrews committed
849
3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
850 851 852 853

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

854
3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
855
			option had been misspelled as '-clear'.  (To avoid
856 857
			future confusion, both options now work.) [RT #27173]

Mark Andrews's avatar
Mark Andrews committed
858
3274.	[placeholder]
Mark Andrews's avatar
Mark Andrews committed
859

Mark Andrews's avatar
Mark Andrews committed
860 861 862
3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]
863 864 865 866

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

867 868 869 870
3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to covert 64 bit hex strings. [RT #27653]

Evan Hunt's avatar
Evan Hunt committed
871
	--- 9.9.0rc2 released ---
Evan Hunt's avatar
Evan Hunt committed
872

873 874 875
3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

876 877
3269.	[port]		darwin 11 and later now built threaded by default.

878 879 880
3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

881 882 883 884
3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

885 886 887 888
3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

Evan Hunt's avatar
Evan Hunt committed
889 890
3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]
891

892 893 894 895 896 897 898
3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

899 900 901
3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

902 903
3261.	[func]		RRset ordering now defaults to random. [RT #27174]

904 905
3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]
906

Evan Hunt's avatar
Evan Hunt committed
907 908
	--- 9.9.0rc1 released ---

909 910 911
3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

912 913 914
3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

915 916 917
3257.	[bug]		Do not generate a error message when calling fsync()
			in a pipe or socket. [RT #27109]

918 919 920 921 922 923
3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that a empty zones be explicitly
			enabled or that a empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

924 925 926
3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

927 928 929
3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

930 931 932 933 934
3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

935 936 937 938 939
3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent run away memory consumption on ISC_R_NOSPACE.
			[RT #26956]

940 941 942 943
3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

944 945 946 947 948 949 950 951 952 953 954 955 956
3249.	[bug]		Update log message when saving slave zones files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with a empty also-notify list.
			[RT #27087]

957 958 959 960
3245.	[bug]		Don't report a error unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

961
3244.	[func]		Added readline support to nslookup and nsupdate.
Mark Andrews's avatar
Mark Andrews committed
962
			Also simplified nsupdate syntax to make "update"
963 964
			and "prereq" optional. [RT #24659]

965 966 967
3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

Mark Andrews's avatar
Mark Andrews committed
968
3242.	[func]		Extended the header of raw-format master files to
969 970 971 972 973 974
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.
Mark Andrews's avatar
Mark Andrews committed
975

976
			(Note: raw zonefiles generated by this version of
Mark Andrews's avatar
Mark Andrews committed
977
			BIND are no longer compatible with prior versions.
978 979 980 981 982
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

983 984 985
3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

986 987
3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

988 989 990 991
3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
992 993
			lib/dns/rbtdb.c:iszonesecure. [RT#26913]

994 995
3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

Evan Hunt's avatar
Evan Hunt committed
996 997 998
3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

999 1000 1001 1002
3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

1003 1004
3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

1005 1006 1007
3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

1008 1009 1010
3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

Mark Andrews's avatar
Mark Andrews committed
1011
3231.	[bug]		named could fail to send a incompressible zone.
1012 1013
			[RT #26796]

Mark Andrews's avatar
[ -> ]  
Mark Andrews committed
1014
3230.	[bug]		'dig axfr' failed to properly handle a multi-message
1015 1016
			axfr with a serial of 0. [RT #26796]

1017 1018 1019
3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

Mark Andrews's avatar
Mark Andrews committed
1020 1021
3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]
1022

1023 1024 1025
3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

1026 1027
3226.	[bug]		Address minor resource leakages. [RT #26624]

1028 1029 1030
3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

1031 1032
3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

1033 1034 1035
3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

1036 1037 1038
3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

Mark Andrews's avatar
Mark Andrews committed
1039
3221.	[bug]		Fixed a potential core dump on shutdown due to
1040 1041 1042
			referencing fetch context after it's been freed.
			[RT #26720]

Mark Andrews's avatar
Mark Andrews committed
1043 1044
	--- 9.9.0b2 released ---

1045
3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
Mark Andrews's avatar
Mark Andrews committed
1046 1047
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]
1048

Mark Andrews's avatar
Mark Andrews committed
1049 1050
3219.	[bug]		Disable NOEDNS caching following a timeout.

1051 1052 1053 1054
3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

1055 1056 1057
3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
1058

1059 1060
3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

1061 1062
3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]
Mark Andrews's avatar
Mark Andrews committed
1063

1064 1065
3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

Mark Andrews's avatar
Mark Andrews committed
1066 1067 1068
3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading a
			possible assertion failure. [RT #23219]
1069

1070 1071 1072 1073
3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

1074 1075 1076
3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

1077
3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
1078

Mark Andrews's avatar
Mark Andrews committed
1079
3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
1080 1081
			[RT #25522]

1082 1083
3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

1084 1085
3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

1086
3205.	[func]		Upgrade dig's defaults to better reflect modern
Mark Andrews's avatar
Mark Andrews committed
1087
			nameserver behavior.  Enable "dig +adflag" and
1088 1089 1090
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]

1091
3204.	[bug]		When a master server that has been marked as
Evan Hunt's avatar
typo  
Evan Hunt committed
1092
			unreachable sends a NOTIFY, mark it reachable
1093 1094
			again. [RT #25960]

1095 1096 1097
3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

Mark Andrews's avatar
Mark Andrews committed
1098
3202.	[bug]		NOEDNS caching on timeout was too aggressive.
1099 1100
			[RT #26416]

1101 1102 1103
3201.	[func]		'rndc querylog' can now be given an on/off parameter
			instead of only being used as a toggle. [RT #18351]

1104 1105