CHANGES 384 KB
3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	Removed use of const const in atf.

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a nonexistent master list was
			referenced in an also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]

3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
			if built with readline support. [RT #29550]

3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
			were not C++ safe.

3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
			atomic operations. [RT #25181]

3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

3363.	[bug]		Need to allow "forward" and "forwarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]

3360.	[bug]		'host -w' could die.  [RT #18723]

3359.	[bug]		An improperly-formed TSIG secret could cause a
			memory leak. [RT #30607]

3358.	[placeholder]

3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

3355.	[port]		Use more portable awk in verify system test.

3354.	[func]		Improve OpenSSL error logging. [RT #29932]

3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

3352.	[bug]		Ensure that learned server attributes time out of the
			ADB cache. [RT #29856]

3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

3349.	[bug]		Change #3345 was incomplete. [RT #30233]

3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
			permissions of the existing file. [RT #27724]

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'map' zone file format, which is an image
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
			'map' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in unit tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing an
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]

3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting.  Also
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			   statement to limit the false data that
			   "recursive-only no" can introduce into
			   resolvers' caches
			 - add an RPZ performance test to bin/tests/system/rpz
			   when queryperf is available.
			 - change the encoding of PASSTHRU action to
			   "rpz-passthru".  (The old encoding is still accepted.)
			[RT #26172]


3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while stub_callback
			or refresh_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained characters that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with an INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT #26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]