3889.	[port]		hurd: configure fixes as per:
			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540

3888.	[func]		'rndc status' now reports the number of automatic
			zones. [RT #36015]

3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
			they are easier to use in a debugger. [RT #36373]

3886.	[bug]		rbtdb_write_header should use a once to initialize
			FILE_VERSION. [RT #36374]

3885.	[port]		Use 'open()' rather than 'file()' to open files in
			python.

3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]

3883.	[placeholder]

3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behavior.  The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]

3881.	[bug]		Address memory leak with UPDATE error handling.
			[RT #36303]

3880.	[test]		Update ans.pl to work with new TSIG support in
			Net::DNS; add additional Net::DNS version prerequisite
			checks. [RT #36327]

3879.	[func]		Add version printing option to various BIND utilities.
			[RT #10686]

3878.	[bug]		Using the incorrect filename for a DLZ module
			caused a segmentation fault on startup. [RT #36286]

3877.	[bug]		Inserting and deleting parent and child nodes
			in response policy zones could trigger an assertion
			failure. [RT #36272]

3876.	[bug]		Improve efficiency of DLZ redirect zones by
			suppressing unnecessary database lookups. [RT #35835]

3875.	[cleanup]	Clarify log message when unable to read private
			key files. [RT #24702]

3874.	[test]		Check that only "check-names master" is needed for
			updates to be accepted.

3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]

3872.	[bug]		Address issues found by static analysis. [RT #36209]

3871.	[bug]		Don't publish an activated key automatically before
			its publish time. [RT #35063]

3870.	[func]		Updated the random number generator used in
			the resolver to use the updated ChaCha based one
			(similar to OpenBSD's changes). Also moved the
			RNG to libisc and added unit tests for it.
			[RT #35942]

3869.	[doc]		Document that in-view zones cannot be used for
			response policy zones. [RT #35941]

3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called,
			potentially leaving the over-memory cleaner running.
			[RT #35270]

3867.	[func]		"rndc nta" can now be used to set a temporary
			negative trust anchor, which disables DNSSEC
			validation below a specified name for a specified
			period of time (not exceeding 24 hours).  This
			can be used when validation for a domain is known
			to be failing due to a configuration error on
			the part of the domain owner rather than a
			spoofing attack. [RT #29358]

3866.	[bug]		Named could die on disk full in generate_session_key.
			[RT #36119]

3865.	[test]		Improved testability of the red-black tree
			implementation and added unit tests. [RT #35904]

3864.	[bug]		RPZ didn't work well when being used as forwarder.
			[RT #36060]

3863.	[bug]		The "E" flag was missing from the query log as an
			unintended side effect of code rearrangement to
			support EDNS EXPIRE. [RT #36117]

3862.	[cleanup]	Return immediately if we are not going to log the
			message in ns_client_dumpmessage.

3861.	[security]	Missing isc_buffer_availablelength check results
			in a REQUIRE assertion when printing out a packet
			(CVE-2014-3859).  [RT #36078]

3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
			at run time as it is limited to {OPEN_MAX}.
			[RT #35878]

3859.	[placeholder]

3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
			[RT #35968]

3857.	[bug]		Make it harder for an incorrect NOEDNS classification
			to be made. [RT #36020]

3856.	[bug]		Configuring libjson without also configuring libxml
			resulted in a REQUIRE assertion when retrieving
			statistics using json. [RT #36009]

3855.	[bug]		Limit smoothed round trip time aging to no more than
			once a second. [RT #32909]

3854.	[cleanup]	Report unrecognized options, if any, in the final
			configure summary. [RT #36014]

3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
			the handling of a rdataset with no records. [RT #35968]

3852.	[func]		Increase the default number of clients available
			for servicing lightweight resolver queries, and
			make them configurable via the "lwres-tasks" and
			"lwres-clients" options.  (Thanks to Tomas Hozza.)
			[RT #35857]

3851.	[func]		Allow libseccomp based system-call filtering
			on Linux; use "configure --enable-seccomp" to
			turn it on.  Thanks to Loganaden Velvindron
			of AFRINIC for the contribution. [RT #35347]

3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
			[RT #35979]

3849.	[doc]		Alphabetized dig's +options. [RT #35992]

3848.	[bug]		Adjust 'statistics-channels specified but not effective'
			error message to account for JSON support. [RT #36008]

3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
			there is no support available.

3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
			ixfr query. [RT #35980]

3845.	[placeholder]

3844.	[bug]		Use the x64 version of the Microsoft Visual C++
			Redistributable when built for 64 bit Windows.
			[RT #35973]

3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
			[RT #35969]

3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]

3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
			[RT #35924]

3840.	[port]		Check for arc4random_addrandom() before using it;
			it's been removed from OpenBSD 5.5. [RT #35907]

3839.	[test]		Use only posix-compatible shell in system tests.
			[RT #35625]

3838.	[protocol]	EDNS EXPIRE has been assigned a code point of 9.

3837.	[security]	A NULL pointer is passed to query_prefetch resulting
			in a REQUIRE assertion failure when a fetch is actually
			initiated (CVE-2014-3214).  [RT #35899]

3836.	[bug]		Address C++ keyword usage in header file.

3835.	[bug]		Geoip ACL elements didn't work correctly when
			referenced via named or nested ACLs. [RT #35879]

3834.	[bug]		The re-signing heaps were not being updated soon enough
			leading to multiple re-generations of the same RRSIG
			when a zone transfer was in progress. [RT #35273]

3833.	[bug]		Cross compiling was broken due to calling genrandom at
			build time. [RT #35869]

3832.	[func]		"named -L <filename>" causes named to send log
			messages to the specified file by default instead
			of to the system log. (Thanks to Tony Finch.)
			[RT #35845]

3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
			[RT #35843]

3830.	[func]		When query logging is enabled, log query errors at
			the same level ('info') as the queries themselves.
			[RT #35844]

3829.	[func]		"dig +ttlunits" causes dig to print TTL values
			with time-unit suffixes: w, d, h, m, s for
			weeks, days, hours, minutes, and seconds. (Thanks
			to Tony Finch.) [RT #35823]

3828.	[func]		"dnssec-signzone -N date" updates serial number
			to the current date in YYYYMMDDNN format.
			[RT #35800]

3827.	[placeholder]

3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
			[RT #35870]

3825.	[bug]		Address sign extension bug in isc_regex_validate.
			[RT #35758]

3824.	[bug]		A collision between two flag values could cause
			problems with cache cleaning when SIT was enabled.
			[RT #35858]

3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]

3822.	[bug]		Log the correct type of static-stub zones when
			removing them. [RT #35842]

3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
			update and transaction support. Thanks to Marty
			Lee for the contribution. [RT #35656]

3820.	[func]		The DLZ API doesn't pass the database version to
			the lookup() function; this can cause DLZ modules
			that allow dynamic updates to mishandle prerequisite
			checks. This has been corrected by adding a
			'dbversion' field to the dns_clientinfo_t
			structure. [RT #35656]

3819.	[bug]		NSEC3 hashes need to be able to be entered and
			displayed without padding.  This is not an issue for
			currently defined algorithms but may be for future
			hash algorithms. [RT #27925]

3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
			constant in isc_event_allocate.

3817.	[func]		The "delve" command is now spelled "delv" to avoid
			a namespace collision with the Xapian project.
			[RT #35801]

3816.	[func]		"dig +qr" now reports query size. (Thanks to
			Tony Finch.) [RT #35822]

3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]

3814.	[func]		The "masterfile-style" zone option controls the
			formatting of dumped zone files. Options are
			"relative" (multiline format) and "full" (one
			record per line). The default is "relative".
			[RT #20798]

3813.	[func]		"host" now recognizes the "timeout", "attempts" and
			"debug" options when set in /etc/resolv.conf.
			(Thanks to Adam Tkac at RedHat.) [RT #21885]

3812.	[func]		Dig now supports sending arbitrary EDNS options from
			the command line (+ednsopt=code[:value]). [RT #35584]

3811.	[func]		"serial-update-method date;" sets serial number
			on dynamic update to today's date in YYYYMMDDNN
			format. (Thanks to Bradley Forschinger.) [RT #24903]

3810.	[bug]		Work around broken nameservers that fail to ignore
			unknown EDNS options. [RT #35766]

3809.	[doc]		Fix SIT and NSID documentation.

3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]

3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
			lowercase is set. [RT #35743]

3806.	[test]		Improved system test portability. [RT #35625]

3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
			for DNS over TCP. [RT #35710]

	--- 9.10.0rc1 released ---

3804.	[bug]		Corrected a race condition in dispatch.c in which
			portentry could be reset leading to an assertion
			failure in socket_search(). (Change #3708
			addressed the same issue but was incomplete.)
			[RT #35128]

3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
			using alternate data sources for not having a "file"
			option. [RT #35685]

3802.	[bug]		Various header files were not being installed.

3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]

3800.	[bug]		A pending event on the route socket could cause an
			assertion failure when shutting down named. [RT #35674]

3799.	[bug]		Improve named's command line error reporting.
			[RT #35603]

3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
			time. [RT #35659]

3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]

3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]

3795.	[bug]		Make named-checkconf detect raw masterfiles for
			hint zones and reject them. [RT #35268]

3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.

3793.	[bug]		zone.c:save_nsec3param() could assert when out of
			memory. [RT #35621]

3792.	[func]		Provide links to the alternate statistics views when
			displaying in a browser.  [RT #35605]

3791.	[placeholder]

3790.	[bug]		Handle broken nameservers that send BADVERS in
			response to unknown EDNS options.  Maintain
			statistics on BADVERS responses.

3789.	[bug]		Null pointer dereference on rbt creation failure.

3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
			mistake.

	--- 9.10.0b2 released ---

3787.	[bug]		The code that checks whether "auto-dnssec" is
			allowed was ignoring "allow-update" ACLs set at
			the options or view level. [RT #29536]

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PKCS#11 API implementation. [RT #35479]

3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
			input (only compiled with -DDEBUG). [RT #35544]

3784.	[bug]		Using "rrset-order fixed" when it had not been
			enabled at compile time caused inconsistent
			results. It now works as documented, defaulting
			to cyclic mode. [RT #28104]

3783.	[func]		"tsig-keygen" is now available as an alternate
			command name for "ddns-confgen".  It generates
			a TSIG key in named.conf format without comments.
			[RT #35503]

3782.	[func]		Specifying "auto" as the salt when using
			"rndc signing -nsec3param" causes named to
			generate a 64-bit salt at random. [RT #35322]

3781.	[tuning]	Use adaptive mutex locks when available; this
			has been found to improve performance under load
			on many systems. "configure --with-locktype=standard"
			restores conventional mutex locks. [RT #32576]

3780.	[bug]		$GENERATE handled negative numbers incorrectly.
			[RT #25528]

3779.	[cleanup]	Clarify the error message when using an option
			that was not enabled at compile time. [RT #35504]

3778.	[bug]		Log a warning when the wrong address family is
			used in "listen-on" or "listen-on-v6". [RT #17848]

3777.	[bug]		EDNS EXPIRE code could dump core when processing
			DLZ queries. [RT #35493]

3776.	[func]		"rndc -q" suppresses output from successful
			rndc commands. Errors are printed on stderr.
			[RT #21393]

3775.	[bug]		dlz_dlopen driver could return the wrong error
			code on API version mismatch, leading to a segfault.
			[RT #35495]

3774.	[func]		When using "request-nsid", log the NSID value in
			printable form as well as hex. [RT #20864]

3773.	[func]		"host", "nslookup" and "nsupdate" now have
			options to print the version number and exit.
			[RT #26057]

3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
			(Based in part on a contribution from Tim Tessier.)
			[RT #20822]

3771.	[cleanup]	Adjusted log level for "using built-in key"
			messages. [RT #24383]

3770.	[bug]		"dig +trace" could fail with an assertion when it
			needed to fall back to TCP due to a truncated
			response. [RT #24660]

3769.	[doc]		Improved documentation of "rndc signing -list".
			[RT #30652]

3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
			algorithm. [RT #34000]

3767.	[func]		Log explicitly when using rndc.key to configure
			command channel. [RT #35316]

3766.	[cleanup]	Fixed problems with building outside the source
			tree when using native PKCS#11. [RT #35459]

3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
			named when dumping an empty keynode. [RT #35469]

3764.	[bug]		The dnssec-keygen/settime -S and -i options
			(to set up a successor key and set the prepublication
			interval) were missing from dnssec-keyfromlabel.
			[RT #35394]

3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
			re-fetch them when restarting validation. [RT #35476]

3762.	[bug]		Address build problems with --pkcs11-native +
			--with-openssl with ECDSA support. [RT #35467]

3761.	[bug]		Address dangling reference bug in dns_keytable_add.
			[RT #35471]

3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
			[RT #35433]

3759.	[port]		Enable delve on Windows. [RT #35441]

3758.	[port]		Enable export library APIs on Windows. [RT #35382]

3757.	[port]		Enable Python tools (dnssec-coverage,
			dnssec-checkds) to run on Windows. [RT #34355]

3756.	[bug]		GSSAPI Kerberos realm checking was broken in
			check_config leading to spurious messages being
			logged.  [RT #35443]

	--- 9.10.0b1 released ---

3755.	[func]		Add stats counters for known EDNS options + others.
			[RT #35447]

3754.	[cleanup]	win32: Installer now places files in the
			Program Files area rather than system services.
			[RT #35361]

3753.	[bug]		allow-notify was ignoring keys. [RT #35425]

3752.	[bug]		Address potential REQUIRE failure if
			DNS_STYLEFLAG_COMMENTDATA is set when printing out
			a rdataset.

3751.	[tuning]	The default setting for the -U option (setting
			the number of UDP listeners per interface) has
			been adjusted to improve performance. [RT #35417]

3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00.  Retrieval of
			the remaining time until expiry for slave zones
			is supported.

			EXPIRE uses an experimental option code (65002),
			which is subject to change. [RT #35416]

3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]

3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]

3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001),
			which will be changed to an IANA-assigned value
			if the experiment is deemed a success.

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT.  RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented.  This is
			needed to support turning off forwarding and turning
			on delegation only at the same name.  [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested.  [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware security
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen).  [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]

3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

3632.	[bug]		Signatures from newly inactive keys were not being
			removed. [RT #32178]

3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

3626.	[func]		dig: NSID output now easier to read. [RT #21160]

3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

3624.	[bug]		Look for 'json_object_new_int64' when looking for
			the json library. [RT #34449]

3623.	[placeholder]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

3616.	[bug]		Change #3613 was incomplete. [RT #34177]

3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

3614.	[port]		Check for <linux/types.h>. [RT #34162]

3613.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]

3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]

3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]

3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
