CHANGES 403 KB
Newer Older
Evan Hunt's avatar
Evan Hunt committed
1 2
	--- 9.10.0b1 released ---

Evan Hunt's avatar
Evan Hunt committed
3 4 5 6
3751.	[tuning]	The default setting for the -U option (setting
			the number of UDP listeners per interface) has
			been adjusted to improve performance. [RT #35417]

7 8 9 10 11 12 13
3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00.  Retrivial of
			remaining time to expiry from slave zones is supported.

			EXPIRE uses an experimental option code (65002) and
			is subject to change. [RT #35416]

Evan Hunt's avatar
Evan Hunt committed
14 15
3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
Evan Hunt's avatar
Evan Hunt committed
16 17
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]
Evan Hunt's avatar
Evan Hunt committed
18

Evan Hunt's avatar
Evan Hunt committed
19
3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]
20

21 22 23
3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

Evan Hunt's avatar
Evan Hunt committed
24 25 26
3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
Tinderbox User's avatar
Tinderbox User committed
27
			higher TTLs are accepted but the TTL is truncated.
Evan Hunt's avatar
Evan Hunt committed
28 29 30
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

31 32 33 34 35
3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

36
3744.	[experimental]	SIT: send and process Source Identity Tokens
Mark Andrews's avatar
add 3rd  
Mark Andrews committed
37
			(similar to DNS Cookies by Donald Eastlake 3rd),
Evan Hunt's avatar
Evan Hunt committed
38 39
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
Tinderbox User's avatar
Tinderbox User committed
40
			legitimate clients.
41

Evan Hunt's avatar
Evan Hunt committed
42
			SIT uses an experimental EDNS option code (65001).
Mark Andrews's avatar
Mark Andrews committed
43 44
			[This will be changed to a IANA assigned value if
			 the experiment is deemed a success.]
45

Evan Hunt's avatar
Evan Hunt committed
46 47
			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
Tinderbox User's avatar
Tinderbox User committed
48 49 50 51 52 53 54 55
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT.  RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

56 57 58 59 60
3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented.  This is
			needed to support turning off forwarding and turning
			on delegation only at the same name.  [RT #35392]

Mark Andrews's avatar
Mark Andrews committed
61 62
3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]
63

Evan Hunt's avatar
Evan Hunt committed
64 65 66 67 68 69 70 71 72
3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. (Note: not yet
			available on win32.) [RT #32406]

73 74 75
3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

76 77 78
3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

79 80
3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

81 82 83
3737.	[bug]		'rndc retransfer' could trigger a assertion failure
			with inline zones. [RT #35353]

84 85 86
3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]
Tinderbox User's avatar
Tinderbox User committed
87

88 89 90
3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

91 92
3734.	[bug]		Improve building with libtool. [RT #35314]

93 94
3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
Mark Andrews's avatar
Mark Andrews committed
95 96
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.
97 98 99

			Add "rndc scan" to trigger a scan. [RT #23027]

100 101 102
3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

Evan Hunt's avatar
Evan Hunt committed
103 104 105 106 107 108 109 110 111 112
3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

Evan Hunt's avatar
Evan Hunt committed
113 114 115 116
3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

Francis Dupont's avatar
Francis Dupont committed
117
3729.	[bug]		dnssec-keygen could set the publication date
Evan Hunt's avatar
Evan Hunt committed
118 119 120
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

121 122 123
3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

Evan Hunt's avatar
Evan Hunt committed
124 125 126
3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

127 128 129 130
3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

Evan Hunt's avatar
Evan Hunt committed
131 132 133 134
3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

Evan Hunt's avatar
Evan Hunt committed
135 136
	--- 9.10.0a2 released ---

Evan Hunt's avatar
Evan Hunt committed
137 138 139 140
3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

141 142 143
3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

Tinderbox User's avatar
Tinderbox User committed
144
3722.	[bug]		Using geoip ACLs in a blackhole statement
145 146
			could cause a segfault. [RT #35272]

Jeremy C. Reed's avatar
Jeremy C. Reed committed
147
3721.	[doc]		Improved documentation of the EDNS processing
Evan Hunt's avatar
Evan Hunt committed
148 149
			enhancements introduced in change #3593. [RT #35275]

150 151
3720.	[bug]		Address compiler warnings. [RT #35261]

152 153
3719.	[bug]		Address memory leak in in peer.c. [RT #35255]

154 155
3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

156 157 158 159 160 161 162
3717.	[port]		hpux: Treat EOPNOTSUPP as a expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dcsp values when not
			requested.  [RT #35252]

163 164 165 166 167
3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

168 169 170 171
3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

172 173 174 175
3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

Evan Hunt's avatar
Evan Hunt committed
176 177 178 179
3712.	[placeholder]

3711.	[placeholder]

180 181 182 183
3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

Evan Hunt's avatar
Evan Hunt committed
184 185 186 187
3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

188 189 190
3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

191 192 193 194 195 196 197 198 199 200
3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
Evan Hunt's avatar
Evan Hunt committed
201
			will work with both old and new versions without
202 203 204 205 206 207 208 209 210 211 212 213 214
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

215 216 217
3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

Evan Hunt's avatar
Evan Hunt committed
218 219 220 221 222 223 224 225 226 227
3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

228 229
3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

Evan Hunt's avatar
Evan Hunt committed
230 231 232 233 234 235 236
3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]
237

238 239 240 241 242 243 244
3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

Mark Andrews's avatar
Mark Andrews committed
245
3701.	[func]		named-checkconf can now obscure shared secrets
Mark Andrews's avatar
Mark Andrews committed
246
			when printing by specifying '-x'. [RT #34465]
247

Evan Hunt's avatar
Evan Hunt committed
248 249 250 251 252 253 254 255 256 257 258
3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

259 260 261
3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

262 263 264
3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

265 266 267
3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

Evan Hunt's avatar
Evan Hunt committed
268 269
3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

270
3694.	[bug]		Warn when a key-directory is configured for a zone,
Evan Hunt's avatar
typo  
Evan Hunt committed
271
			but does not exist or is not a directory. [RT #35108]
272

273
3693.	[security]	memcpy was incorrectly called with overlapping
274 275
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
276 277
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]
278

279 280 281
3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

282 283 284
3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

285 286 287 288
3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

289 290 291 292
3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

293 294 295
3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

296 297 298
3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

Evan Hunt's avatar
Evan Hunt committed
299 300 301 302
3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

303 304 305
3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

306 307 308
3684.	[bug]		The list of included files would grow on reload.
			[RT 35090]

309 310 311
3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

312
3682.	[bug]		Correct the behavior of rndc retransfer to allow
Tinderbox User's avatar
Tinderbox User committed
313
			inline-signing slave zones to retain NSEC3 parameters
314
			instead of reverting to NSEC. [RT #34745]
315

316 317 318 319
3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

320 321 322
3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

323 324 325
3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

326 327
3678.	[port]		Update config.guess and config.sub. [RT #35060]

328 329 330
3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

331 332 333
3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

334 335 336 337
3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

Evan Hunt's avatar
Evan Hunt committed
338 339
	--- 9.10.0a1 released ---

340 341
3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

Evan Hunt's avatar
Evan Hunt committed
342 343 344
3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

345 346 347
3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

348 349 350
3671.	[bug]		Don't allow dnssec-importkey overwrite a existing
			non-imported private key.

351 352 353
3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

354 355
3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

356 357 358
3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

Mark Andrews's avatar
Mark Andrews committed
359
3667.	[test]		dig: add support to keep the TCP socket open between
360 361
			successive queries (+[no]keepopen).  [RT #34918]

362 363 364 365 366 367
3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

368 369 370
3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

371 372 373
3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

374 375 376
3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

Mark Andrews's avatar
Mark Andrews committed
377
3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
378

379 380 381
3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

382 383 384
3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

385
3659.	[port]		solaris: don't add explict dependencies/rules for
386 387 388
			python programs as make won't use the implicit rules.
			[RT #34835]

389 390 391
3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

392 393 394
3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

395 396 397 398
3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]
399

400 401 402
3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

403 404 405
3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

406 407 408
3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

409 410
3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

411 412 413
3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

414 415 416
3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

Evan Hunt's avatar
Evan Hunt committed
417 418 419
3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

Evan Hunt's avatar
Evan Hunt committed
420 421 422
3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

423 424 425
3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

Evan Hunt's avatar
Evan Hunt committed
426
3646.	[bug]		Journal filename string could be set incorrectly,
Mark Andrews's avatar
Mark Andrews committed
427
			causing garbage in log messages. [RT #34738]
Evan Hunt's avatar
Evan Hunt committed
428

429 430 431
3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

432 433 434
3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

Evan Hunt's avatar
Evan Hunt committed
435 436
3643.	[doc]		Clarify RRL "slip" documentation.

437 438
3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
Mark Andrews's avatar
Mark Andrews committed
439
			dnssec-importkey is used to do this. [RT #34698]
Mark Andrews's avatar
Mark Andrews committed
440

441 442
3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]
Mark Andrews's avatar
Mark Andrews committed
443

444 445 446 447
3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

448 449 450
3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

Mark Andrews's avatar
Mark Andrews committed
451
3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
452 453
			encountered. [RT #34668]

454 455 456
3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

457 458 459
3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

460
3635.	[bug]		Signatures were not being removed from a zone with
Jeremy C. Reed's avatar
Jeremy C. Reed committed
461
			only KSK keys for a algorithm. [RT #34439]
462

463 464 465
3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

466 467 468
3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

469 470 471
3632.	[bug]		Signature from newly inactive keys were not being
			removed. [RT #32178]

472 473 474
3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

475 476
3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

477 478 479 480
3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

481 482 483
3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

484 485
3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

486 487
3626.	[func]		dig: NSID output now easier to read. [RT #21160]

488 489 490
3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

491 492 493
3624.	[bug]		Look for 'json_object_new_int64' when looking for a
			the json library. [RT #34449]

Mark Andrews's avatar
Mark Andrews committed
494 495
3623.	[placeholder]

496 497 498
3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

499 500 501 502
3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

Evan Hunt's avatar
Evan Hunt committed
503 504 505 506 507 508 509 510 511
3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

Evan Hunt's avatar
Evan Hunt committed
512 513 514 515
3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

516 517 518
3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

Evan Hunt's avatar
Evan Hunt committed
519 520
3616.	[bug]		Change #3613 was incomplete. [RT #34177]

Evan Hunt's avatar
Evan Hunt committed
521 522 523 524 525
3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

Evan Hunt's avatar
Evan Hunt committed
526 527
3614.	[port]		Check for <linux/types.h>. [RT #34162]

Evan Hunt's avatar
Evan Hunt committed
528
3613.	[bug]		named could crash when deleting inline-signing
529 530
			zones with "rndc delzone". [RT #34066]

Evan Hunt's avatar
Evan Hunt committed
531
3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
532

Evan Hunt's avatar
Evan Hunt committed
533 534 535
3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

536 537 538
3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

539 540 541
3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

542 543 544 545
3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

546 547 548
3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

549 550
3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
Mark Andrews's avatar
Mark Andrews committed
551 552
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]
553

Evan Hunt's avatar
Evan Hunt committed
554 555 556
3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

557 558 559
3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

560 561
3603.	[bug]		Install <isc/stat.h>. [RT #33956]

Evan Hunt's avatar
Evan Hunt committed
562 563 564 565
3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

566 567 568
3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

569 570 571
3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

572 573 574
3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

575 576
3598.	[cleanup]	Improved portability of map file code. [RT #33820]

577 578 579
3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

Evan Hunt's avatar
Evan Hunt committed
580
3596.	[port]		Updated win32 build documentation, added
Mark Andrews's avatar
Mark Andrews committed
581
			dnssec-verify. [RT #22067]
Evan Hunt's avatar
Evan Hunt committed
582

Evan Hunt's avatar
Evan Hunt committed
583 584 585
3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

586 587
3594.	[maint]		Update config.guess and config.sub. [RT #33816]

588 589 590
3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

591 592 593
3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

594 595 596
3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

597 598 599 600 601
3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

602 603 604 605
3589.	[func]		Report serial numbers in when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT# 33037]

606 607 608
3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

609 610 611
3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

Jeremy C. Reed's avatar
Jeremy C. Reed committed
612
3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
613

614 615 616
3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

617
3584.	[security]	Caching data from an incompletely signed zone could
Mark Andrews's avatar
Mark Andrews committed
618 619
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]
620

621 622
3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

623 624 625
3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

626 627
3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

Evan Hunt's avatar
Evan Hunt committed
628 629
3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

630 631 632
3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

633 634 635
3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

636 637
3577.	[bug]		Handle zero TTL values better. [RT #33411]

638 639
3576.	[bug]		Address a shutdown race when validating. [RT #33573]

640 641 642
3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

643 644 645
3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

Evan Hunt's avatar
Evan Hunt committed
646 647 648
3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]
649

Evan Hunt's avatar
Evan Hunt committed
650 651 652
3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

653 654 655
3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

656
3570.	[bug]		Check internal pointers are valid when loading map
657
			files. [RT #33403]
658

Evan Hunt's avatar
Evan Hunt committed
659 660 661
3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

Evan Hunt's avatar
Evan Hunt committed
662 663 664
3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

Evan Hunt's avatar
Evan Hunt committed
665 666
3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

Evan Hunt's avatar
Evan Hunt committed
667 668
3566.	[func]		Log when forwarding updates to master. [RT #33240]

669
3565.	[placeholder]
670

671 672
3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

Evan Hunt's avatar
Evan Hunt committed
673 674
3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

Evan Hunt's avatar
Evan Hunt committed
675 676 677 678
3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

679 680
3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]
681

682
3560.	[bug]		isc-config.sh did not honor includedir and libdir
683 684
			when set via configure. [RT #33345]

685 686 687
3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

688 689
3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

690 691
3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

Evan Hunt's avatar
Evan Hunt committed
692 693
3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

694 695 696
3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

Evan Hunt's avatar
Evan Hunt committed
697 698 699 700
3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

701 702
3553.	[bug]		Address suspected double free in acache. [RT #33252]

703
3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
704
			[RT #33280]
705

706 707
3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

708 709 710 711
3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

Evan Hunt's avatar
Evan Hunt committed
712 713 714
3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

715 716 717 718
3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

719 720 721
3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

722 723
3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

Evan Hunt's avatar
Evan Hunt committed
724 725 726
3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

Evan Hunt's avatar
Evan Hunt committed
727 728 729 730
3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

731
3543.	[bug]		Update socket structure before attaching to socket
Mark Andrews's avatar
typo  
Mark Andrews committed
732
			manager after accept. [RT #33084]
733

Mark Andrews's avatar
Mark Andrews committed
734 735
3542.	[placeholder]

Evan Hunt's avatar
Evan Hunt committed
736 737
3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]
738

Evan Hunt's avatar
Evan Hunt committed
739
3540.	[test]		libt_api: t_info and t_assert were not thread safe.
740

741 742
3539.	[port]		win32: timestamp format didn't match other platforms.

Evan Hunt's avatar
Evan Hunt committed
743 744
3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]
745

746 747 748 749
3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

Evan Hunt's avatar
Evan Hunt committed
750 751 752 753 754 755 756 757 758
3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

759 760
3535.	[bug]		Minor win32 cleanups. [RT #32962]

761 762 763
3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

764 765 766 767
3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

768 769 770
3531.	[bug]		win32: A uninitialized value could be returned on out
			of memory. [RT #32960]

Evan Hunt's avatar
Evan Hunt committed
771 772
3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

773 774 775 776 777
3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

Evan Hunt's avatar
Evan Hunt committed
778 779 780 781 782 783 784
3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

785 786 787 788
3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

789 790 791
3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

792 793 794 795 796 797 798
3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

799 800
3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
Evan Hunt's avatar
Evan Hunt committed
801
			http://[address]:[port]/json. [RT #32630]
802

803 804 805 806 807
3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

808 809 810
3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

811 812
3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

813 814 815
3520.	[bug]		'mctx' was not being referenced counted in some places
			where it should have been.  [RT #32794]

816 817 818 819
3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

820 821 822 823 824
3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is teated as signed or unsigned by
			the compiler. [RT #32792]

825 826
3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

Evan Hunt's avatar
Evan Hunt committed
827 828
3516.	[placeholder]

829 830
3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

Evan Hunt's avatar
Evan Hunt committed
831 832 833 834 835 836
3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

837 838 839
3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

Evan Hunt's avatar
Evan Hunt committed
840 841 842
3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

Evan Hunt's avatar
Evan Hunt committed
843 844
3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

845 846 847
3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

848 849 850 851
3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

852 853 854
3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

855 856 857 858
3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

859 860 861 862 863 864 865 866 867 868 869 870
3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

Evan Hunt's avatar
Evan Hunt committed
871 872 873 874
3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]
Mark Andrews's avatar
Mark Andrews committed
875

Evan Hunt's avatar
Evan Hunt committed
876 877
3503.	[doc]		Clarify size_spec syntax. [RT #32449]

878 879 880
3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

881 882 883 884
3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

Evan Hunt's avatar
Evan Hunt committed
885 886 887 888
3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]
889

Evan Hunt's avatar
Evan Hunt committed
890 891 892
3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

893 894 895 896
3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

897 898 899 900
3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

Evan Hunt's avatar
Evan Hunt committed
901 902
3496.	[placeholder]

903
3495.	[func]		Support multiple response-policy zones (up to 32),
Mark Andrews's avatar
Mark Andrews committed
904
			while improving RPZ performance.  "response-policy"
905 906 907
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
Mark Andrews's avatar
Mark Andrews committed
908
			--enable-rpz-nsdname are now the default. [RT #32251]
909

Evan Hunt's avatar
Evan Hunt committed
910 911 912 913
3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

914
3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
915
			contributed by Mark Goldfinch. [RT #32549]
Mark Andrews's avatar
Mark Andrews committed
916

917 918 919
3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

920 921 922
3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

923
3490.	[bug]		When logging RDATA during update, truncate if it's
Mark Andrews's avatar
Mark Andrews committed
924
			too long. [RT #32365]
925

926 927 928 929 930
3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

931 932
3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

933 934
3487.	[bug]		Change 3444 was not complete.  There was a additional
			place where the NOQNAME proof needed to be saved.
Mark Andrews's avatar
Mark Andrews committed
935
			[RT #32629]
936

Evan Hunt's avatar
Evan Hunt committed
937 938 939
3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

940 941
3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

942 943 944
3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

Evan Hunt's avatar
Evan Hunt committed
945 946
3483.	[placeholder]

947 948 949 950
3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

951
3481.	[cleanup]	Removed use of const const in atf.
952

Evan Hunt's avatar
Evan Hunt committed
953 954 955
3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

956 957 958
3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

Evan Hunt's avatar
Evan Hunt committed
959 960 961 962
3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
Mark Andrews's avatar
Mark Andrews committed
963 964
			[RT #32365]

965 966 967
3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

Evan Hunt's avatar
Evan Hunt committed
968 969
3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]
970

971 972 973
3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

Evan Hunt's avatar
Evan Hunt committed
974 975 976 977
3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

978 979 980
3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

981 982 983 984
3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

985 986 987
3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

Evan Hunt's avatar
Evan Hunt committed
988 989 990 991
3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

992 993
3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
994
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
995 996 997

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]
998

999 1000 1001
3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

1002 1003
3465.	[bug]		Handle isolated reserved ports. [RT #31778]

1004 1005 1006
3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

1007
3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
1008 1009 1010 1011

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

1012 1013 1014
3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

1015 1016
3460.	[bug]		Only link against readline where needed. [RT #29810]

1017 1018 1019
3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

1020 1021 1022
3458.	[bug]		Return FORMERR when presented with a overly long
			domain named in a request. [RT #29682]

1023 1024
3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

Evan Hunt's avatar
Evan Hunt committed
1025
3456.	[port]		g++47: ATF failed to compile. [RT #32012]
1026

1027 1028
3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

1029 1030
3454.	[port]		sparc64: improve atomic support. [RT #25182]

1031 1032 1033
3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

Mark Andrews's avatar
Mark Andrews committed
1034
3452.	[bug]		Accept duplicate singleton records. [RT #32329]
1035

1036 1037 1038
3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

1039 1040 1041
3450.	[bug]		Stop logfileconfig system test spam system logs.
			[RT #32315]

1042 1043 1044 1045
3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

Evan Hunt's avatar
Evan Hunt committed
1046 1047 1048
3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

1049 1050
3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

1051 1052 1053
3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

1054 1055
3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]
1056

1057
3444.	[bug]		The NOQNAME proof was not being returned from cached
1058 1059
			insecure responses. [RT #21409]

1060 1061 1062
3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

1063 1064 1065
3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

1066 1067
3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

1068 1069 1070
3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
			cleaning up due to out of memory error. [RT #32131]

Mark Andrews's avatar
Mark Andrews committed
1071 1072
3439.	[placeholder]