CHANGES 406 KB
3781.	[tuning]	Use adaptive mutex locks when available; this
			has been found to improve performance under load
			on many systems. "configure --with-locktype=standard"
			restores conventional mutex locks. [RT #32576]

3780.	[bug]		$GENERATE handled negative numbers incorrectly. 
			[RT #25528]

3779.	[cleanup]	Clarify the error message when using an option
			that was not enabled at compile time. [RT #35504]

3778.	[bug]		Log a warning when the wrong address family is
			used in "listen-on" or "listen-on-v6". [RT #17848]

3777.	[bug]		EDNS EXPIRE code could dump core when processing
			DLZ queries. [RT #35493]

3776.	[func]		"rndc -q" suppresses output from successful
			rndc commands. Errors are printed on stderr.
			[RT #21393]

3775.	[bug]		dlz_dlopen driver could return the wrong error
			code on API version mismatch, leading to a segfault.
			[RT #35495]

3774.	[func]		When using "request-nsid", log the NSID value in
			printable form as well as hex. [RT #20864]

3773.	[func]		"host", "nslookup" and "nsupdate" now have
			options to print the version number and exit.
			[RT #26057]

3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
			(Based in part on a contribution from Tim Tessier.)
			[RT #20822]

3771.	[cleanup]	Adjusted log level for "using built-in key"
			messages. [RT #24383]

3770.	[bug]		"dig +trace" could fail with an assertion when it
			needed to fall back to TCP due to a truncated
			response. [RT #24660]

3769.	[doc]		Improved documentation of "rndc signing -list".
			[RT #30652]

3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
			algorithm. [RT #34000]

3767.	[func]		Log explicitly when using rndc.key to configure
			command channel. [RT #35316]

3766.	[cleanup]	Fixed problems with building outside the source
			tree when using native PKCS#11. [RT #35459]

3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
			named when dumping an empty keynode. [RT #35469]

3764.	[bug]		The dnssec-keygen/settime -S and -i options
			(to set up a successor key and set the prepublication
			interval) were missing from dnssec-keyfromlabel.
			[RT #35394]

3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
			re-fetch them when restarting validation. [RT #35476]

3762.	[bug]		Address build problems with --pkcs11-native +
			--with-openssl with ECDSA support. [RT #35467]

3761.	[bug]		Address dangling reference bug in dns_keytable_add.
			[RT #35471]

3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
			[RT #35433]

3759.	[port]		Enable delve on Windows. [RT #35441]

3758.	[port]		Enable export library APIs on Windows. [RT #35382]

3757.	[port]		Enable Python tools (dnssec-coverage,
			dnssec-checkds) to run on Windows. [RT #34355]

3756.	[bug]		GSSAPI Kerberos realm checking was broken in
			check_config leading to spurious messages being
			logged.  [RT #35443]

	--- 9.10.0b1 released ---

3755.	[func]		Add stats counters for known EDNS options + others.
			[RT #35447]

3754.	[cleanup]	win32: Installer now places files in the
			Program Files area rather than system services.
			[RT #35361]

3753.	[bug]		allow-notify was ignoring keys. [RT #35425]

3752.	[bug]		Address potential REQUIRE failure if
			DNS_STYLEFLAG_COMMENTDATA is set when printing out
			a rdataset.

3751.	[tuning]	The default setting for the -U option (setting
			the number of UDP listeners per interface) has
			been adjusted to improve performance. [RT #35417]

3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00.  Retrieval of
			the remaining time until expiry for slave zones
			is supported.

			EXPIRE uses an experimental option code (65002),
			which is subject to change. [RT #35416]

3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]

3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]

3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001),
			which will be changed to an IANA-assigned value
			if the experiment is deemed a success.

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT.  RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented.  This is
			needed to support turning off forwarding and turning
			on delegation only at the same name.  [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested.  [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware security
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen).  [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]

3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

3632.	[bug]		Signatures from newly inactive keys were not being
			removed. [RT #32178]

3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

3626.	[func]		dig: NSID output now easier to read. [RT #21160]

3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

3624.	[bug]		Look for 'json_object_new_int64' when looking for
			the json library. [RT #34449]

3623.	[placeholder]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

3616.	[bug]		Change #3613 was incomplete. [RT #34177]

3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

3614.	[port]		Check for <linux/types.h>. [RT #34162]

3613.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]

3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]

3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]

3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	Removed use of const const in atf.

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]