CHANGES 317 KB
2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
			[RT #22589]

2995.	[bug]		The Kerberos realm was not being correctly extracted
			from the signer's identity. [RT #22770]

2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
			do not use threads on earlier versions.  Also kill
			the unproven-pthreads, mit-pthreads, and ptl2 support.

2993.	[func]		Dynamically grow adb hash tables. [RT #21186]

2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
			for looking at a secure delegation. [RT #22059]

2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
			dynamic zones. [RT #22365]

2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
			interval validity when the interval is set to 0.
			[RT #22761]

2989.	[func]		Added support for writable DLZ zones. (Contributed
			by Andrew Tridgell of the Samba project.) [RT #22629]

2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
			of external DLZ drivers that can be loaded as
			shared objects at runtime rather than linked with
			named.  Currently this is switched on via a
			compile-time option, "configure --with-dlz-dlopen".
			Note: the syntax for configuring DLZ zones
			is likely to be refined in future releases.
			(Contributed by Andrew Tridgell of the Samba
			project.) [RT #22629]

2987.	[func]		Improve ease of configuring TKEY/GSS updates by
			adding a "tkey-gssapi-keytab" option.  If set,
			updates will be allowed with any key matching
			a principal in the specified keytab file.
			"tkey-gssapi-credential" is no longer required
			and is expected to be deprecated.  (Contributed
			by Andrew Tridgell of the Samba project.)
			[RT #22629]

2986.	[func]		Add new zone type "static-stub".  It's like a stub
			zone, but the nameserver names and/or their IP
			addresses are statically configured. [RT #21474]

2985.	[bug]		Add a regression test for change #2896. [RT #21324]

2984.	[bug]		Don't run MX checks when the target of the MX record
			is ".".  [RT #22645]

2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]

	--- 9.8.0a1 released ---

2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
			to increment the reference count.

			Note: dns_tsigkey_createfromkey() callers should now
			always call dst_key_free() rather than setting it
			to NULL on success. [RT #22672]

2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]

2980.	[bug]		named didn't properly handle UPDATES that changed the
			TTL of the NSEC3PARAM RRset. [RT #22363]

2979.	[bug]		named could deadlock during shutdown if two
			"rndc stop" commands were issued at the same
			time. [RT #22108]

2978.	[port]		hpux: look for <devpoll.h> [RT #21919]

2977.	[bug]		'nsupdate -l' report if the session key is missing.
			[RT #21670]

2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
			key. [RT #22573]
			
2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
			wrong lock which could lead to server deadlock.
			[RT #22614]

2974.	[bug]		Some valid UPDATE requests could fail due to a
			consistency check examining the existing version
			of the zone rather than the new version resulting
			from the UPDATE. [RT #22413]

2973.	[bug]		bind.keys.h was being removed by the "make clean"
			at the end of configure resulting in build failures
			where there is a very old version of perl installed.
			Move it to "make maintainer-clean". [RT #22230]

2972.	[bug]		win32: address windows socket errors. [RT #21906]

2971.	[bug]		Fixed a bug that caused journal files not to be
			compacted on Windows systems as a result of
			non-POSIX-compliant rename() semantics. [RT #22434]

2970.	[security]	Adding a NO DATA negative cache entry failed to clear
			any matching RRSIG records.  A subsequent lookup of
			the NO DATA cache entry could trigger an INSIST when the
			unexpected RRSIG was also returned with the NO DATA
			cache entry.

			CVE-2010-3613, VU#706148. [RT #22288]

2969.	[security]	Fix acl type processing so that allow-query works
			in options and view statements.  Also add a new
			set of tests to verify proper functioning.

			CVE-2010-3615, VU#510208. [RT #22418]

2968.	[security]	Named could fail to prove a data set was insecure
			before marking it as insecure.  One set of conditions
			that can trigger this occurs naturally when rolling
			DNSKEY algorithms.

			CVE-2010-3614, VU#837744. [RT #22309]

2967.	[bug]		'host -D' now turns on debugging messages earlier.
			[RT #22361]

2966.	[bug]		isc_print_vsnprintf() failed to check if there was
			space available in the buffer when adding a left
			justified character with a non zero width,
			(e.g. "%-1c"). [RT #22270]

2965.	[func]		Test HMAC functions using test data from RFC 2104 and
			RFC 4634. [RT #21702]

2964.	[placeholder]

2963.	[security]	The allow-query acl was being applied instead of the
			allow-query-cache acl to cache lookups. [RT #22114]

2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
			[RT #22062]

2961.	[bug]		Be still more selective about the non-authoritative
			answers we apply change 2748 to. [RT #22074]

2960.	[func]		Check that named accepts non-authoritative answers.
			[RT #21594]

2959.	[func]		Check that named starts with a missing masterfile.
			[RT #22076]

2958.	[bug]		named failed to start with a missing master file.
			[RT #22076]

2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
			the API for RAND_bytes() and RAND_pseudo_bytes()
			respectively. [RT #21962]

2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]

2955.	[func]		Provide more detail in the recursing log. [RT #22043]

2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
			build_sqldbinstance failure. [RT #21623]

2953.	[bug]		Silence spurious "expected covering NSEC3, got an
			exact match" message when returning a wildcard
			no data response. [RT #21744]

2952.	[port]		win32: named-checkzone and named-checkconf failed
			to initialise winsock. [RT #21932]

2951.	[bug]		named failed to generate a correct signed response
			in an optout, delegation only zone with no secure
			delegations. [RT #22007]

2950.	[bug]		named failed to perform a SOA up to date check when
			falling back to TCP on UDP timeouts when
			ixfr-from-differences was set. [RT #21595]
			
2949.	[bug]		dns_view_setnewzones() contained a memory leak if
			it was called multiple times. [RT #21942]

2948.	[port]		MacOS: provide a mechanism to configure the test 
			interfaces at reboot. See bin/tests/system/README
			for details.

2947.	[placeholder]

2946.	[doc]		Document the default values for the minimum and maximum
			zone refresh and retry values in the ARM. [RT #21886]

2945.	[doc]		Update empty-zones list in ARM. [RT #21772]

2944.	[maint]		Remove ORCHID prefix from built in empty zones.
			[RT #21772]

2943.	[func]		Add support to load new keys into managed zones
			without signing immediately with "rndc loadkeys".
			Add support to link keys with "dnssec-keygen -S"
			and "dnssec-settime -S".  [RT #21351]

2942.	[contrib]	zone2sqlite failed to set up the entropy sources.
			[RT #21610]

2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
			DNAME at the zone apex.  [RT #21610]

2940.	[port]		Remove connection aborted error message on
			Windows. [RT #21549]

2939.	[func]		Check that named successfully skips NSEC3 records
			that fail to match the NSEC3PARAM record currently
			in use. [RT #21868]

2938.	[bug]		When generating signed responses from a signed zone
			that uses NSEC3, named would use an uninitialised
			pointer if it needed to skip an NSEC3 record because
			it didn't match the selected NSEC3PARAM record for
			the zone. [RT #21868]

2937.	[bug]		Worked around an apparent race condition in over
			memory conditions.  Without this fix a DNS cache DB or
			ADB could incorrectly stay in an over memory state,
			effectively refusing further caching, which
			subsequently made a BIND 9 caching server unworkable.
			This fix prevents this problem from happening by
			polling the state of the memory context, rather than
			making a copy of the state, which appeared to cause
			a race.  This is a "workaround" in that it doesn't
			solve the possible race per se, but several experiments
			proved this change solves the symptom.  Also, the
			polling overhead hasn't been reported to be an issue.
			This bug should only affect a caching server that
			specifies a finite max-cache-size.  It's also quite
			likely that the bug happens only when enabling threads,
			but it's not confirmed yet. [RT #21818]

2936.	[func]		Improved configuration syntax and multiple-view
			support for addzone/delzone feature (see change
			#2930).  Removed "new-zone-file" option, replaced
			with "allow-new-zones (yes|no)".  The new-zone-file
			for each view is now created automatically, with
			a filename generated from a hash of the view name.
			It is no longer necessary to "include" the
			new-zone-file in named.conf; this happens
			automatically.  Zones that were not added via
			"rndc addzone" can no longer be removed with
			"rndc delzone". [RT #19447]

2935.	[bug]		nsupdate: improve 'file not found' error message.
			[RT #21871]

2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
			[RT #21871]

2933.	[bug]		'dig +nsid' used stack memory after it went out of
			scope.  This could potentially result in an unknown,
			potentially malformed, EDNS option being sent instead
			of the desired NSID option. [RT #21781]

2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
			[RT #21597]

2931.	[bug]		Temporarily and partially disable change 2864
			because it would cause infinite attempts of RRSIG
			queries.  This is an urgent care fix; we'll
			revisit the issue and complete the fix later.
			[RT #21710]

2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
			allow dynamic addition and deletion of zones.
			To enable this feature, specify a "new-zone-file"
			option at the view or options level in named.conf.
			Zone configuration information for the new zones
			will be written into that file.  To make the new
			zones persist after a restart, "include" the file
			into named.conf in the appropriate view.  (Note:
			This feature is not yet documented, and its syntax
			is expected to change.) [RT #19447]

2929.	[bug]		Improved handling of GSS security contexts: 
			 - added LRU expiration for generated TSIGs
			 - added the ability to use a non-default realm
			 - added new "realm" keyword in nsupdate
			 - limited lifetime of generated keys to 1 hour
			   or the lifetime of the context (whichever is
			   smaller)
			[RT #19737]

2928.	[bug]		Be more selective about the non-authoritative
			answer we apply change 2748 to. [RT #21594]

2927.	[placeholder]

2926.	[placeholder]

2925.	[bug]		Named failed to accept uncachable negative responses
			from insecure zones. [RT #21555]

2924.	[func]		'rndc secroots' dumps a combined summary of the
			current managed keys combined with trusted keys.
			[RT #20904]

2923.	[bug]		'dig +trace' could drop core after "connection
			timeout". [RT #21514]

2922.	[contrib]	Update zkt to version 1.0.

2921.	[bug]		The resolver could attempt to destroy a fetch context
			too soon.  [RT #19878]

2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
			to IPv4 clients.  New acl 'filter-aaaa' (default any).

2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
			[RT #20840]

2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.

2917.	[func]		Virtual time test framework. [RT #20801]

2916.	[func]		Add framework to use IPv6 in tests.
			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915.	[cleanup]	Be smarter about which objects we attempt to compile
			based on configure options. [RT #21444]

2914.	[bug]		Make the "autosign" system test more portable.
			[RT #20997]

2913.	[func]		Add pkcs#11 system tests. [RT #20784]

2912.	[func]		Windows clients don't like UPDATE responses that clear
			the zone section. [RT #20986]

2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
			[RT #21367]

2910.	[func]		Sanity check Kerberos credentials. [RT #20986]

2909.	[bug]		named-checkconf -p could die if "update-policy local;"
			was specified in named.conf. [RT #21416]

2908.	[bug]		It was possible for re-signing to stop after removing
			a DNSKEY. [RT #21384]

2907.	[bug]		The export version of libdns had undefined references.
			[RT #21444]

2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]

2905.	[port]		aix: set use_atomic=yes with native compiler.
			[RT #21402]

2904.	[bug]		When using DLV, sub-zones of the zones in the DLV
			could be incorrectly marked as insecure instead of
			secure, leading to negative proofs failing.  This was
			an unintended outcome from change 2890. [RT #21392]

2903.	[bug]		managed-keys-directory missing from namedconf.c.
			[RT #21370]

2902.	[func]		Add regression test for change 2897. [RT #21040]

2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900.	[bug]		The placeholder negative caching element was not
			properly constructed, triggering an INSIST in
			dns_ncache_towire(). [RT #21346]
			
2899.	[port]		win32: Support linking against OpenSSL 1.0.0.

2898.	[bug]		nslookup leaked memory when -domain=value was 
			specified. [RT #21301]

2897.	[bug]		NSEC3 chains could be left behind when transitioning
			to insecure. [RT #21040]
			
2896.	[bug]		"rndc sign" failed to properly update the zone
			when adding a DNSKEY for publication only. [RT #21045]

2895.	[func]		genrandom: add support for the generation of multiple
			files.  [RT #20917]

2894.	[contrib]	DLZ LDAP support now uses '$' not '%'. [RT #21294]

2893.	[bug]		Improve managed keys support.  New named.conf option
			managed-keys-directory. [RT #20924]

2892.	[bug]		Handle REVOKED keys better. [RT #20961]

2891.	[maint]		Update empty-zones list to match
			draft-ietf-dnsop-default-local-zones-13. [RT #21099]

2890.	[bug]		Handle the introduction of new trusted-keys and
			DS, DLV RRsets better. [RT #21097]

2889.	[bug]		Elements of the grammar were not properly reported.
			[RT #21046]

2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]

2887.	[bug]		Report the keytag times in UTC in the .key file,
			local time is presented as a comment within the
			comment.  [RT #21223]

2886.	[bug]		ctime() is not thread safe. [RT #21223]

2885.	[bug]		Improve -fno-strict-aliasing support probing in
			configure. [RT #21080]

2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
			[RT #21283]

2883.	[bug]		'dig +short' failed to handle really large datasets.
			[RT #21113]

2882.	[bug]		Remove memory context from list of active contexts
			before clearing 'magic'. [RT #21274]

2881.	[bug]		Reduce the amount of time the rbtdb write lock
			is held when closing a version. [RT #21198]

2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
			consistent. [RT #21078]

2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
			[RT #21106]

2878.	[func]		Incrementally write the master file after performing
			an AXFR.  [RT #21010]

2877.	[bug]		The validator failed to skip obviously mismatching
			RRSIGs. [RT #21138]

2876.	[bug]		Named could return SERVFAIL for negative responses
			from unsigned zones. [RT #21131]

2875.	[bug]		dns_time64_fromtext() could accept non digits.
			[RT #21033]

2874.	[bug]		Cache lack of EDNS support only after the server
			successfully responds to the query using plain DNS.
			[RT #20930]

2873.	[bug]		Cancelling a dynamic update via the dns/client module
			could trigger an assertion failure. [RT #21133]

2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
			require one of IPv4 or IPv6 rather than both.
			[RT #21122]

2871.	[bug]		Type mismatch in mem_api.c between the definition and
			the header file, causing build failure with
			--enable-exportlib. [RT #21138]

2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.

2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
			[RT #20877]

2868.	[cleanup]	Run "make clean" at the end of configure to ensure
			any changes made by configure are integrated.
			Use --with-make-clean=no to disable.  [RT #20994]

2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
			don't like it.  [RT #20986]

2866.	[bug]		Windows does not like the TSIG name being compressed.
			[RT #20986]

2865.	[bug]		memset to zero event.data.  [RT #20986]

2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
			[RT #21050]

2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
			[RT #21056]

2862.	[bug]		nsupdate didn't default to the parent zone when
			updating DS records. [RT #20896]

2861.	[doc]		dnssec-settime man pages didn't correctly document the
			inactivation time. [RT #21039]

2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]

2859.	[bug]		When cancelling validation it was possible to leak
			memory. [RT #20800]

2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
			[RT #20772]

2857.	[bug]		named-checkconf did not fail on a bad trusted key.
			[RT #20705]

2856.	[bug]		The size of a memory allocation was not always properly
			recorded. [RT #20927]

2855.	[func]		nsupdate will now preserve the entered case of domain
			names in update requests it sends. [RT #20928]

2854.	[func]		dig: allow the final soa record in an axfr response to
			be suppressed, dig +onesoa. [RT #20929]

2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]

2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
			source as it produced bad nroff.  [RT #21007]

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
			the heap would have corrupted entries. [RT #20951]

2849.	[bug]		Don't treat errors from the xml2 library as fatal.
			[RT #20945]

2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
			README.rfc5011 into the ARM. [RT #20899]

2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]

2846.	[bug]		EOF on unix domain sockets was not being handled
			correctly. [RT #20731]

2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]

2844.	[doc]		notify-delay default in ARM was wrong.  It should have
			been five (5) seconds.

2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
			creating key files if there is a chance that the new
			key ID will collide with an existing one after
			either of the keys has been revoked.  (To override
			this in the case of dnssec-keyfromlabel, use the -y
			option.  dnssec-keygen will simply create a
			different, non-colliding key, so an override is
			not necessary.) [RT #20838]

2842.	[func]		Added "smartsign" and improved "autosign" and
			"dnssec" regression tests. [RT #20865]

2841.	[bug]		Change 2836 was not complete. [RT #20883]

2840.	[bug]		Temporarily fixed pkcs11-destroy usage check.
			[RT #20760]

2839.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2838.	[placeholder]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]

2836.	[bug]		Keys that were scheduled to become active could
			be delayed. [RT #20874]

2835.	[bug]		Key inactivity dates were inadvertently stored in
			the private key file with the outdated tag
			"Unpublish" rather than "Inactive".  This has been
			fixed; however, any existing keys that had Inactive
			dates set will now need to have them reset, using
			'dnssec-settime -I'. [RT #20868]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]

2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
			[RT #20851]

2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
			to avoid redefinition in some OSs [RT #20831]

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]

2830.	[bug]		Changing the OPTOUT setting could take multiple
			passes. [RT #20813]

2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
			[RT #20808]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
			being released.  [RT #20740]

2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
			was in the process of being created was not properly
			recorded in the zone. [RT #20786]

2824.	[bug]		"rndc sign" was not being run by the correct task.
			[RT #20759]

2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
			[RT #20802]

2821.	[doc]		Add note that named-checkconf doesn't automatically
			read rndc.key and bind.keys [RT #20758]

2820.	[func]		Handle read access failure of the OpenSSL configuration
			file in a more user-friendly way (PKCS#11 engine patch).
			[RT #20668]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
			[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code 
			when a zone was not found. [RT #20767]

2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
			[RT #20768]

2816.	[bug]		previous_closest_nsec() could fail to return
			data for NSEC3 nodes [RT #29730]

2815.	[bug]		Exclusively lock the task when freezing a zone.
			[RT #19838]

2814.	[func]		Provide a definitive error message when a master
			zone is not loaded. [RT #20757]
 
2813.	[bug]		Better handling of unreadable DNSSEC key files.
			[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT #20748]

2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
			output. [RT #20733]

2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
			to insecure. [RT #20746]

2809.	[cleanup]	Restored accidentally-deleted text in usage output
			in dnssec-settime and dnssec-revoke [RT #20739]

2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
			atomic.h is correctly installed by the architecture
			specific subdirectories.  [RT #20722]

2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
			keys. [RT #20720]

	--- 9.7.0rc1 released ---

2806.	[bug]		"rndc sign" could delay re-signing the DNSKEY
			when it had changed. [RT #20703]

2805.	[bug]		Fixed namespace problems encountered when building
			external programs using non-exported BIND9 libraries
			(i.e., built without --enable-exportlib). [RT #20679]

2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
			or as a result of a scheduled key change. [RT #20700]

2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
			and genrandom under windows. [RT #20670]

2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]

2801.	[func]		Detect and report records that are different according
			to DNSSEC but are semantically equal according to plain
			DNS.  Apply plain DNS comparisons rather than DNSSEC
			comparisons when processing UPDATE requests.
			dnssec-signzone now removes such semantically duplicate
			records prior to signing the RRset.

			named-checkzone -r {ignore|warn|fail} (default warn)
			named-compilezone -r {ignore|warn|fail} (default warn)
			
			named.conf: check-dup-records {ignore|warn|fail};

2800.	[func]		Reject zones which have NS records which refer to
			CNAMEs, DNAMEs or don't have address records (class IN
			only).  Reject UPDATEs which would cause the zone
			to fail the above checks if committed. [RT #20678]

2799.	[cleanup]	Changed the "secure-to-insecure" option to
			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.	[bug]		Addressed bugs in managed-keys initialization 
			and rollover. [RT #20683]

2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
			[RT #20613]

2796.	[bug]		Missing dns_rdataset_disassociate() call in
			dns_nsec3_delnsec3sx(). [RT #20681]

2795.	[cleanup]	Add text to differentiate "update with no effect"
			log messages. [RT #18889]

2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]

2793.	[func]		Add "autosign" and "metadata" tests to the
			automatic tests. [RT #19946]

2792.	[func]		"filter-aaaa-on-v4" can now be set in view
			options (if compiled in).  [RT #20635]

2791.	[bug]		The installation of isc-config.sh was broken.
			[RT #20667]

2790.	[bug]		Handle DS queries to stub zones. [RT #20440]

2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]

2788.	[bug]		dnssec-signzone could sign with keys that were
			not requested [RT #20625]

2787.	[bug]		Spurious log message when zone keys were
			dynamically reconfigured. [RT #20659]

2786.	[bug]		Additional could be promoted to answer. [RT #20663]

	--- 9.7.0b3 released ---

2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]

2784.	[bug]		TC was not always being set when required glue was
			dropped. [RT #20655]

2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
			buffer size of 512 or less.  [RT #20654]

2782.	[port]		win32: use getaddrinfo() for hostname lookups.
			[RT #20650]

2781.	[bug]		Inactive keys could be used for signing. [RT #20649]

2780.	[bug]		dnssec-keygen -A none didn't properly unset the
			activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revocation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.

2776.	[bug]		Change #2762 was not correct. [RT #20647]

2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
			in dnssec-keyfromlabel. [RT #20643]

2774.	[bug]		Existing cache DB wasn't being reused after
			reconfiguration. [RT #20629]

2773.	[bug]		In autosigned zones, the SOA could be signed
			with the KSK. [RT #20628]

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			it validates as secure. [RT #20438]

2771.	[bug]		dnssec-signzone: DNSKEY records could be
			corrupted when importing from key files [RT #20624]

2770.	[cleanup]	Add log messages to resolver.c to indicate events
			causing FORMERR responses. [RT #20526]

2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]

2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]

2767.	[bug]		named could crash on startup if a zone was
			configured with auto-dnssec and there was no
			key-directory. [RT #20615]

2766.	[bug]		isc_socket_fdwatchpoke() should only update the
			socketmgr state if the socket is not pending on a
			read or write.  [RT #20603]

2765.	[bug]		Skip masters for which the TSIG key cannot be found.
			[RT #20595]

2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]

2762.	[bug]		DLV validation failed with a local slave DLV zone.
			[RT #20577]

2761.	[cleanup]	Enable internal symbol table for backtrace only for
			systems that are known to work.  Currently, BSD
			variants, Linux and Solaris are supported. [RT #20202]

2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]

2759.	[doc]		Add information about .jbk/.jnw files to
			the ARM. [RT #20303]

2758.	[bug]		win32: Added a workaround for a windows 2008 bug
			that could cause the UDP client handler to shut
			down. [RT #19176]

2757.	[bug]		dig: assertion failure could occur in connect
			timeout. [RT #20599]

2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]

2755.	[placeholder]

2754.	[bug]		Secure-to-insecure transitions failed when zone
			was signed with NSEC3. [RT #20587]

2753.	[bug]		Removed an unnecessary warning that could appear when
			building an NSEC chain. [RT #20589]

2752.	[bug]		Locking violation. [RT #20587]

2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2750.	[bug]		dig: assertion failure could occur when a server
			didn't have an address. [RT #20579]

2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
			for NSEC3 signed zones. [RT #20452]

2748.	[func]		Identify bad answers from GTLD servers and treat them
			as referrals. [RT #18884]

2747.	[bug]		Journal roll forwards failed to set the re-signing
			time of RRSIGs correctly. [RT #20541]

2746.	[port]		hpux: address signed/unsigned expansion mismatch of
			dns_rbtnode_t.nsec. [RT #20542]

2745.	[bug]		configure script didn't probe the return type of
			gai_strerror(3) correctly. [RT #20573]

2744.	[func]		Log if a query was over TCP. [RT #19961]

2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
			for an insecure delegation.

	--- 9.7.0b2 released ---

2742.	[cleanup]	Clarify some DNSSEC-related log messages in
			validator.c. [RT #19589]

2741.	[func]		Allow the dnssec-keygen progress messages to be
			suppressed (dnssec-keygen -q).  Automatically
			suppress the progress messages when stdin is not
			a tty. [RT #20474]

2740.	[placeholder]

2739.	[cleanup]	Clean up API for initializing and clearing trust
			anchors for a view. [RT #20211]

2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
			test. [RT #20453]

2737.	[func]		UPDATE requests can leak existence information.
			[RT #17261]

2736.	[func]		Improve the performance of NSEC signed zones with
			more than a normal amount of glue below a delegation.
			[RT #20191]

2735.	[bug]		dnssec-signzone could fail to read keys
			that were specified on the command line with
			full paths, but weren't in the current
			directory. [RT #20421]

2734.	[port]		cygwin: arpaname did not compile. [RT #20473]

2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]

2732.	[func]		Add optional filter-aaaa-on-v4 option, available
			if built with './configure --enable-filter-aaaa'.
			Filters out AAAA answers to clients connecting
			via IPv4.  (This is NOT recommended for general
			use.) [RT #20339]

2731.	[func]		Additional work on change 2709.  The key parser
			will now ignore unrecognized fields when the
			minor version number of the private key format
			has been increased.  It will reject any key with
			the major version number increased. [RT #20310]

2730.	[func]		Have dnssec-keygen display a progress indication
			a la 'openssl genrsa' on standard error. Note
			when the first '.' is followed by a long stop
			one has the choice between slow generation vs.
			poor random quality, i.e., '-r /dev/urandom'.
			[RT #20284]

2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
			TTL. [RT #20451]

2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
			dnssec-signzone now warn immediately if asked to
			write into a nonexistent directory. [RT #20278]

2727.	[func]		The 'key-directory' option can now specify a relative
			path. [RT #20154]

2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
			RSASHA256 and RSASHA512. [RT #20023]

2725.	[doc]		Added information about the file "managed-keys.bind"
			to the ARM. [RT #20235]

2724.	[bug]		Updates to an existing node in a secure zone using NSEC
			were failing. [RT #20448]

2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
			isc_base64_totext(), didn't always mark regions of
			memory as fully consumed after conversion.  [RT #20445]

2722.	[bug]		Ensure that the memory associated with the name of
			a node in a rbt tree is not altered during the life
			of the node. [RT #20431]

2721.	[port]		Have dst__entropy_status() prime the random number
			generator. [RT #20369]

2720.	[bug]		RFC 5011 trust anchor updates could trigger an
			assert if the DNSKEY record was unsigned. [RT #20406]

2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
			[RT #20392]

2718.	[bug]		The space calculations in opensslrsa_todns() were
			incorrect. [RT #20394]

2717.	[bug]		named failed to update the NSEC/NSEC3 record when
			the last private type record was removed as a result
			of completing the signing of the zone with a key.
			[RT #20399]

2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]

	--- 9.7.0b1 released ---

2715.	[bug]		Require OpenSSL support to be explicitly disabled.
			[RT #20288]

2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
			flags.

2713.	[bug]		powerpc: atomic operations missing asm("ics") /
			__isync() calls.

2712.	[func]		New 'auto-dnssec' zone option allows zone signing
			to be fully automated in zones configured for
			dynamic DNS.  'auto-dnssec allow;' permits a zone
			to be signed by creating keys for it in the
			key-directory and using 'rndc sign <zone>'.
			'auto-dnssec maintain;' allows that too, plus it
			also keeps the zone's DNSSEC keys up to date
			according to their timing metadata. [RT #19943]

2711.	[port]		win32: Add the bin/pkcs11 tools into the full
			build. [RT #20372]

2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
			zone option cause a zone to be signed with only KSKs
			signing the DNSKEY RRset, not ZSKs.  This reduces
			the size of a DNSKEY answer.  [RT #20340]

2709.	[func]		Added some data fields, currently unused, to the
			private key file format, to allow implementation
			of explicit key rollover in a future release
			without impairing backward or forward compatibility.
			[RT #20310]

2708.	[func]		Insecure to secure and NSEC3 parameter changes via
			update are now fully supported and no longer require
			defines to enable.  We now no longer overload the
			NSEC3PARAM flag field, nor the NSEC OPT bit at the
			apex.  Secure to insecure changes are controlled by
			the named.conf option 'secure-to-insecure'.

			Warning: If you had previously enabled support by
			adding defines at compile time to BIND 9.6 you should
			ensure that all changes that are in progress have
			completed prior to upgrading to BIND 9.7.  BIND 9.7
			is not backwards compatible.

2707.	[func]		dnssec-keyfromlabel no longer requires engine name
			to be specified in the label if there is a default
			engine or the -E option has been used.  Also, it
			now uses default algorithms as dnssec-keygen does
			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
			[RT #20371]

2706.	[bug]		Loading a zone with a very large NSEC3 salt could
			trigger an assert. [RT #20368]

2705.	[placeholder]

2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
			with their SOA serial.  [RT #19387]

2703.	[func]		Introduce an OpenSSL "engine" argument with -E
			for all binaries which can benefit from
			crypto hardware. [RT #20230]

2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]

2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
			supported TSIG key algorithm. [RT #18046]

2700.	[doc]		The match-mapped-addresses option is discouraged.
			[RT #12252]

2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]

2698.	[placeholder]

2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
			S_IFREG are defined after including <isc/stat.h>.
			[RT #20309]

2696.	[bug]		named failed to successfully process some valid
			acl constructs. [RT #20308]

2695.	[func]		DHCP/DDNS - update fdwatch code for use by
			DHCP.  Modify the api to isc_sockfdwatch_t (the
			callback function for isc_socket_fdwatchcreate)
			to include information about the direction (read
			or write) and add isc_socket_fdwatchpoke.
			[RT #20253]

2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
			[RT #19970]

2693.	[port]		Add some noreturn attributes. [RT #20257]

2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]

2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
			chain when re-signing a previously-signed zone.
			Use -u to modify NSEC3 parameters or switch
			between NSEC and NSEC3. [RT #20304]

2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
			[RT #20315]

2689.	[bug]		Correctly handle snprintf result. [RT #20306]

2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
			to decide to fetch the destination address. [RT #20305]

2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
			Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]

2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
			signing with NSEC3 and vice versa. [RT #20301]

2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
			+adflag and +cdflag.  [RT #19305]

2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
			the NSEC3 parameters used to sign the zone change.
			[RT #20246]

2682.	[bug]		"configure --enable-symtable=all" failed to
			build. [RT #20282]

2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
			decoded. [RT #20269]

2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679.	[func]		dig -k can now accept TSIG keys in named.conf
			format.  [RT #20031]

2678.	[func]		Treat DS queries as if "minimal-response yes;"
			was set. [RT #20258]

2677.	[func]		Changes to key metadata behavior:
			- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[RT #20247]

2676.	[bug]		--with-export-installdir should have been
			--with-export-includedir. [RT #20252]

2675.	[bug]		dnssec-signzone could crash if the key directory
			did not exist. [RT #20232]

	--- 9.7.0a3 released ---

2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
			without openssl. [RT #20231]

2673.	[bug]		The managed-keys.bind zone file could fail to
			load due to a spurious result from sync_keyzone()
			[RT #20045]

2672.	[bug]		Don't enable searching in 'host' when doing reverse
			lookups. [RT #20218]

2671.	[bug]		Add support for PKCS#11 providers not returning
			the public exponent in RSA private keys
			(OpenCryptoki for instance) in
			dnssec-keyfromlabel. [RT #19294]

2670.	[bug]		Unexpected connect failures failed to log enough
			information to be useful. [RT #20205]

2669.	[func]		Update PKCS#11 support to support Keyper HSM.
			Update PKCS#11 patch to be against openssl-0.9.8i.

2668.	[func]		Several improvements to dnssec-* tools, including:
			- dnssec-keygen and dnssec-settime can now set key
			  metadata fields 0 (to unset a value, use "none")
			- dnssec-revoke sets the revocation date in
			  addition to the revoke bit
			- dnssec-settime can now print individual metadata
			  fields instead of always printing all of them,
			  and can print them in unix epoch time format for
			  use by scripts
			[RT #19942]

2667.	[func]		Add support for logging stack backtrace on assertion
			failure (not available for all platforms). [RT #19780]

2666.	[func]		Added an 'options' argument to dns_name_fromstring()
			(API change from 9.7.0a2). [RT #20196]

2665.	[func]		Clarify syntax for managed-keys {} statement, add
			ARM documentation about RFC 5011 support. [RT #19874]

2664.	[bug]		create_keydata() and minimal_update() in zone.c
			didn't properly check return values for some
			functions.  [RT #19956]

2663.	[func]		win32:  allow named to run as a service using
			"NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
			returned a misleading error code when lwresd was
			down. [RT #20028]

2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
			creating lwres context. [RT #20029]

2660.	[func]		Add a new set of DNS libraries for non-BIND9
			applications.  See README.libdns. [RT #19369]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevant DLLs.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2653.	[bug]		Treat ENGINE_load_private_key() failures as key
			not found rather than out of memory.  [RT #18033]

2652.	[func]		Provide more detail about what record is being
			deleted. [RT #20061]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
			to read keyset-* files. [RT #20075]

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
			added. [RT #19913]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC keys can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone. (The "ddns-autoconf" option has been removed.)
			[RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]

2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]
