CHANGES 382 KB
3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	Removed use of const const in atf.

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a nonexistent master list was
			referenced in an also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]

3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
			if built with readline support. [RT #29550]

3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
			were not C++ safe.

3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
			atomic operations. [RT #25181]

3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

3363.	[bug]		Need to allow "forward" and "forwarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]

3360.	[bug]		'host -w' could die.  [RT #18723]

3359.	[bug]		An improperly-formed TSIG secret could cause a
			memory leak. [RT #30607]

3358.	[placeholder]

3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

3355.	[port]		Use more portable awk in verify system test.

3354.	[func]		Improve OpenSSL error logging. [RT #29932]

3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

3352.	[bug]		Ensure that learned server attributes time out of the
			adb cache. [RT #29856]

3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

3349.	[bug]		Change #3345 was incomplete. [RT #30233]

3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
			permissions of the existing file. [RT #27724]

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'map' zone file format, which is an image
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
			'map' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in unit tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing an
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]

3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting.  Also
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add a RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while stub_callback
			or refresh_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained characters that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with an INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT #26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with more than 512 records in a RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold an internal reference to the zone while performing
			an asynchronous load.  Address potential memory leak
			if the asynchronous load is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'.  (To avoid
			future confusion, both options now work.) [RT #27173]

3274.	[placeholder]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to convert 64 bit hex strings. [RT #27653]

	--- 9.9.0rc2 released ---

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]
