CHANGES
	--- 9.7.0b1 released ---

2713.	[bug]		powerpc: atomic operations missing asm("ics") /
			__isync() calls.

2712.	[func]		New 'auto-dnssec' zone option allows zone signing
			to be fully automated in zones configured for
			dynamic DNS.  'auto-dnssec allow;' permits a zone
			to be signed by creating keys for it in the
			key-directory and using 'rndc sign <zone>'.
			'auto-dnssec maintain;' allows that too, plus it
			also keeps the zone's DNSSEC keys up to date
			according to their timing metadata. [RT #19943]
			
2711.	[port]		win32: Add the bin/pkcs11 tools into the full
			build. [RT #20372]

2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
			zone option cause a zone to be signed with only KSKs
			signing the DNSKEY RRset, not ZSKs.  This reduces
			the size of a DNSKEY answer.  [RT #20340]

2709.	[func]		Added some data fields, currently unused, to the
			private key file format, to allow implementation
			of explicit key rollover in a future release
			without impairing backward or forward compatibility.
			[RT #20310]

2708.	[func]		Insecure to secure and NSEC3 parameter changes via
			update are now fully supported and no longer require
			defines to enable.  We now no longer overload the
			NSEC3PARAM flag field, nor the NSEC OPT bit at the
			apex.  Secure to insecure changes are controlled by
			the named.conf option 'secure-to-insecure'.

			Warning: If you had previously enabled support by
			adding defines at compile time to BIND 9.6 you should
			ensure that all changes that are in progress have
			completed prior to upgrading to BIND 9.7.  BIND 9.7
			is not backwards compatible.

2707.	[func]		dnssec-keyfromlabel no longer requires the engine name
			to be specified in the label if there is a default
			engine or the -E option has been used.  Also, it
			now uses default algorithms as dnssec-keygen does
			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
			[RT #20371]

2706.	[bug]		Loading a zone with a very large NSEC3 salt could
			trigger an assert. [RT #20368]

2705.	[placeholder]

2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
			with their SOA serial.  [RT #19387]

2703.	[func]		Introduce an OpenSSL "engine" argument with -E
			for all binaries which can benefit from
			crypto hardware. [RT #20230]

2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]

2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
			supported TSIG key algorithm. [RT #18046]

2700.	[doc]		The match-mapped-addresses option is discouraged.
			[RT #12252]

2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]

2698.	[placeholder]

2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
			S_IFREG are defined after including <isc/stat.h>.
			[RT #20309]

2696.	[bug]		named failed to successfully process some valid
			acl constructs. [RT #20308]

2695.	[func]		DHCP/DDNS - update fdwatch code for use by
			DHCP.  Modify the api to isc_sockfdwatch_t (the
			callback function for isc_socket_fdwatchcreate)
			to include information about the direction (read
			or write) and add isc_socket_fdwatchpoke.
			[RT #20253]

2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
			[RT #19970]

2693.	[port]		Add some noreturn attributes. [RT #20257]

2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]

2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
			chain when re-signing a previously-signed zone.
			Use -u to modify NSEC3 parameters or switch
			between NSEC and NSEC3. [RT #20304]

2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
			[RT #20315]

2689.	[bug]		Correctly handle snprintf result. [RT #20306]

2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
			to decide to fetch the destination address. [RT #20305]

2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
			Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]

2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
			signing with NSEC3 and vice versa. [RT #20301]

2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
			+adflag and +cdflag.  [RT #19305]

2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
			the NSEC3 parameters used to sign the zone change.
			[RT #20246]

2682.	[bug]		"configure --enable-symtable=all" failed to
			build. [RT #20282]

2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
			decoded. [RT #20269]

2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679.	[func]		dig -k can now accept TSIG keys in named.conf
			format.  [RT #20031]

2678.	[func]		Treat DS queries as if "minimal-response yes;"
			was set. [RT #20258]

2677.	[func]		Changes to key metadata behavior:
			- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[RT #20247]

2676.	[bug]		--with-export-installdir should have been
			--with-export-includedir. [RT #20252]

2675.	[bug]		dnssec-signzone could crash if the key directory
			did not exist. [RT #20232]

	--- 9.7.0a3 released ---

2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
			without openssl. [RT #20231]

2673.	[bug]		The managed-keys.bind zone file could fail to
			load due to a spurious result from sync_keyzone()
			[RT #20045]

2672.	[bug]		Don't enable searching in 'host' when doing reverse
			lookups. [RT #20218]

2671.	[bug]		Add support for PKCS#11 providers not returning
			the public exponent in RSA private keys
			(OpenCryptoki for instance) in
			dnssec-keyfromlabel. [RT #19294]

2670.	[bug]		Unexpected connect failures failed to log enough
			information to be useful. [RT #20205]

2669.	[func]		Update PKCS#11 support to support Keyper HSM.
			Update PKCS#11 patch to be against openssl-0.9.8i.

2668.	[func]		Several improvements to dnssec-* tools, including:
			- dnssec-keygen and dnssec-settime can now set key
			  metadata fields 0 (to unset a value, use "none")
			- dnssec-revoke sets the revocation date in
			  addition to the revoke bit
			- dnssec-settime can now print individual metadata
			  fields instead of always printing all of them,
			  and can print them in unix epoch time format for
			  use by scripts
			[RT #19942]

2667.	[func]		Add support for logging stack backtrace on assertion
			failure (not available for all platforms). [RT #19780]

2666.	[func]		Added an 'options' argument to dns_name_fromstring()
			(API change from 9.7.0a2). [RT #20196]

2665.	[func]		Clarify syntax for managed-keys {} statement, add
			ARM documentation about RFC 5011 support. [RT #19874]

2664.	[bug]		create_keydata() and minimal_update() in zone.c
			didn't properly check return values for some
			functions.  [RT #19956]

2663.	[func]		win32:  allow named to run as a service using
			"NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
			returned a misleading error code when lwresd was
			down. [RT #20028]

2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
			creating lwres context. [RT #20029]

2660.	[func]		Add a new set of DNS libraries for non-BIND9
			applications.  See README.libdns. [RT #19369]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevant DLLs.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2653.	[bug]		Treat ENGINE_load_private_key() failures as key
			not found rather than out of memory.  [RT #18033]

2652.	[func]		Provide more detail about what record is being
			deleted. [RT #20061]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
			to read keyset-* files. [RT #20075]

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
			added. [RT #19913]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone. (The "ddns-autoconf" option has been removed.)
			[RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]

2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]

2624.	[func]		'named-checkconf -p' will print out the parsed
			configuration. [RT #18871]

2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]

2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]

2620.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2619.	[func]		Add support for RFC 5011, automatic trust anchor
			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug]		ifconfig.sh failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when an explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2613.	[placeholder]

	--- 9.7.0a1 released ---

2612.	[func]		Add default values for the arguments to
			dnssec-keygen.  Without arguments, it will now
			generate a 1024-bit RSASHA1 zone-signing key,
			or with the -f KSK option, a 2048-bit RSASHA1
			key-signing key. [RT #19300]

2611.	[func]		Add -l option to dnssec-dsfromkey to generate
			DLV records instead of DS records. [RT #19300]

2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]

2609.	[func]		Simplify the configuration of dynamic zones:
			- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]

2608.	[func]		Perform post signing verification checks in
			dnssec-signzone.  These can be disabled with -P.

			The post-sign verification test ensures that for each
			algorithm in use there is at least one non-revoked
			self-signed KSK, that all revoked KSKs are
			self-signed, and that all records in the zone are
			signed by the algorithm.  [RT #19653]
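The three checks listed for entry 2608, as an added stand-alone model that is not dnssec-signzone's code: the zone is a constructed set of tuples, the key tags and flag values are made up (real tags derive from the DNSKEY RDATA), and the "all records signed" rule is applied to every RRset in the model without the delegation exceptions a real zone needs.

```python
KSK_FLAG = 0x0001     # DNSKEY SEP bit: marks a key-signing key
REVOKE_FLAG = 0x0080  # DNSKEY REVOKE bit (RFC 5011)


def verify_zone(apex, dnskeys, rrsigs, rrsets):
    """Post-sign verification over a constructed zone model.

    dnskeys: list of (keytag, flags, algorithm) at the apex
    rrsigs:  list of (owner, covered_type, algorithm, keytag)
    rrsets:  list of (owner, rtype) present in the zone, excluding RRSIG
    Returns a list of problem strings; an empty list means all checks pass.
    """
    problems = []
    algorithms = sorted({alg for _, _, alg in dnskeys})
    # (algorithm, keytag) pairs that have signed the apex DNSKEY RRset
    dnskey_signers = {(alg, tag) for owner, covered, alg, tag in rrsigs
                      if owner == apex and covered == "DNSKEY"}

    for alg in algorithms:
        ksks = [(tag, flags) for tag, flags, a in dnskeys
                if a == alg and flags & KSK_FLAG]

        # Check 1: at least one non-revoked KSK self-signs the DNSKEY RRset.
        if not any((alg, tag) in dnskey_signers
                   for tag, flags in ksks if not flags & REVOKE_FLAG):
            problems.append(f"alg {alg}: no non-revoked self-signed KSK")

        # Check 2: every revoked KSK still self-signs the DNSKEY RRset,
        # otherwise validators cannot verify the revocation.
        for tag, flags in ksks:
            if flags & REVOKE_FLAG and (alg, tag) not in dnskey_signers:
                problems.append(f"alg {alg}: revoked KSK {tag} is not self-signed")

        # Check 3: every RRset carries a signature made with this algorithm.
        signed = {(owner, covered) for owner, covered, a, _ in rrsigs if a == alg}
        for owner, rtype in rrsets:
            if (owner, rtype) not in signed:
                problems.append(f"alg {alg}: {owner} {rtype} not signed")
    return problems


# Constructed sample zone: one active KSK, one ZSK, one revoked KSK, all
# algorithm 8; the revoked key still signs DNSKEY so the zone should pass.
APEX = "example."
KEYS = [(11111, 257, 8), (22222, 256, 8), (33333, 257 | REVOKE_FLAG, 8)]
SIGS = [
    (APEX, "DNSKEY", 8, 11111),
    (APEX, "DNSKEY", 8, 33333),
    (APEX, "SOA", 8, 22222),
    (APEX, "NS", 8, 22222),
    ("www.example.", "A", 8, 22222),
]
RRSETS = [(APEX, "DNSKEY"), (APEX, "SOA"), (APEX, "NS"), ("www.example.", "A")]


def run_sample():
    return verify_zone(APEX, KEYS, SIGS, RRSETS)


def run_broken_sample():
    # Drop the revoked KSK's self-signature and the www A signature.
    sigs = [s for s in SIGS if s[3] != 33333 and s[0] != "www.example."]
    return verify_zone(APEX, KEYS, sigs, RRSETS)


if __name__ == "__main__":
    print("intact zone:", run_sample() or "OK")
    for p in run_broken_sample():
        print("broken zone:", p)
```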

2607.	[bug]		named could incorrectly delete NSEC3 records for
			empty nodes when processing an update request.
			[RT #19749]

2606.	[bug]		"delegation-only" was not being accepted in
			delegation-only type zones. [RT #19717]

2605.	[bug]		Accept DS responses from delegation only zones.
			[RT #19296]

2604.	[func]		Add support for DNS rebinding attack prevention through
			new options, deny-answer-addresses and
			deny-answer-aliases.  Based on contributed code from
			JD Nurmi, Google. [RT #18192]
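A stand-alone model of the rebinding filter these two options describe, written as an added example and not BIND's own code: the matching semantics (reject an answer whose A/AAAA record falls in a denied range or whose CNAME/DNAME target falls in a denied alias domain, unless the query name is under an except-from domain), the record tuples and the policy values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RebindingPolicy:
    # Assumed shape of deny-answer-addresses / deny-answer-aliases / except-from.
    deny_addresses: List[str] = field(default_factory=list)  # e.g. "10.0.0.0/8"
    deny_aliases: List[str] = field(default_factory=list)    # e.g. "corp.example"
    except_from: List[str] = field(default_factory=list)     # names allowed to return such data


def name_in_domain(name: str, domain: str) -> bool:
    """True if 'name' equals 'domain' or is a subdomain of it (case-insensitive)."""
    n = name.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def check_answer(qname: str, answer: List[Tuple[str, str, str]],
                 policy: RebindingPolicy) -> Tuple[bool, str]:
    """Decide whether a response may be handed to the client.

    answer: (owner, rrtype, rdata) tuples from the answer section.
    Returns (accept, reason); False is where the server would SERVFAIL
    and log the offending record instead of passing it on.
    """
    # Names under except-from are trusted to legitimately point at these ranges.
    if any(name_in_domain(qname, d) for d in policy.except_from):
        return True, "qname exempt via except-from"

    denied_nets = [ipaddress.ip_network(n) for n in policy.deny_addresses]
    for owner, rrtype, rdata in answer:
        if rrtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            # Version mismatch (v6 address vs v4 network) is simply not contained.
            for net in denied_nets:
                if addr in net:
                    return False, f"{owner} {rrtype} {rdata} is within denied {net}"
        elif rrtype in ("CNAME", "DNAME"):
            for dom in policy.deny_aliases:
                if name_in_domain(rdata, dom):
                    return False, f"{owner} {rrtype} points into denied alias domain {dom}"
    return True, "answer passes rebinding filter"


# Constructed sample: protect loopback and an RFC 1918 range plus an internal
# alias domain, while trusting example.com to answer with private addresses.
POLICY = RebindingPolicy(
    deny_addresses=["10.0.0.0/8", "127.0.0.0/8", "::1/128"],
    deny_aliases=["corp.example"],
    except_from=["example.com"],
)

SAMPLE_RESPONSES = [
    ("www.example.com.", [("www.example.com.", "A", "10.1.2.3")]),              # exempt
    ("attacker.example.net.", [("attacker.example.net.", "A", "127.0.0.1")]),    # loopback
    ("attacker.example.net.", [("attacker.example.net.", "AAAA", "::1")]),       # loopback, v6
    ("attacker.example.net.", [("attacker.example.net.", "CNAME", "intranet.corp.example.")]),
    ("ok.example.net.", [("ok.example.net.", "A", "192.0.2.1")]),                # public
]


def run_samples():
    return [check_answer(q, rrs, POLICY) for q, rrs in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for (q, _), (ok, why) in zip(SAMPLE_RESPONSES, run_samples()):
        print(f"{q:24} {'ACCEPT' if ok else 'SERVFAIL'}: {why}")
```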

2603.	[port]		win32: handle .exe extension of named-checkzone and
			named-compilezone argv[0] names under windows.
			[RT #19767]

2602.	[port]		win32: fix debugging command line build of libisccfg.
			[RT #19767]

2601.	[doc]		Mention file creation mode mask in the
			named manual page.

2600.	[doc]		ARM: miscellaneous reformatting for different
			page widths. [RT #19574]

2599.	[bug]		Address rapid memory growth when validation fails.
			[RT #19654]

2598.	[func]		Reserve the -F flag. [RT #19657]

2597.	[bug]		Handle a validation failure with an insecure delegation
			from an NSEC3 signed master/slave zone.  [RT #19464]

2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
			long, leading to inefficient memory usage or rejecting
			newer cache entries in the worst case. [RT #19563]

2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]

2594.	[func]		Have rndc warn if using its default configuration
			file when the key file also exists. [RT #19424]

2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]

2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]

2591.	[bug]		named could die when processing an update in
			removed_orphaned_ds(). [RT #19507]

2590.	[func]		Report zone/class of "update with no effect".
			[RT #19542]

2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
			[RT #19626]

2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
			of bind(2) call.  This should be rare and mostly
			harmless, but may cause interference with other
			processes that happen to use the same port. [RT #19642]

2587.	[func]		Improve logging by reporting serial numbers for
			when zone serial has gone backwards or unchanged.
			[RT #19506]

2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
			or SDB. [RT #19577]

2585.	[bug]		Uninitialized socket name could be referenced via a
			statistics channel, triggering an assertion failure in
			XML rendering. [RT #19427]

2584.	[bug]		alpha: gcc optimization could break atomic operations.
			[RT #19227]

2583.	[port]		netbsd: provide a control to not add the compile
			date to the version string, -DNO_VERSION_DATE.

2582.	[bug]		Don't emit warning log message when we attempt to
			remove a non-existent journal. [RT #19516]

2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
			Requires MySQL 5.0.19 or later. [RT #19084]

2580.	[bug]		UpdateRej statistics counter could be incremented twice
			for one rejection. [RT #19476]

2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
			algorithms. [RT #19479]

2578.	[bug]		Changed default sig-signing-type to 65534, because
			65535 turns out to be reserved.  [RT #19477]

2577.	[doc]		Clarified some statistics counters. [RT #19454]

2576.	[bug]		NSEC records were not being correctly signed when
			a zone transitions from insecure to secure.
			Handle such incorrectly signed zones. [RT #19114]

2575.	[func]		New functions dns_name_fromstring() and
			dns_name_tostring(), to simplify conversion
			of a string to a dns_name structure and vice
			versa. [RT #19451]

2574.	[doc]		Document nsupdate -g and -o. [RT #19351]

2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
			single transaction in a signed zone failed. [RT #19397]

2572.	[func]		Simplify DLV configuration, with a new option
			"dnssec-lookaside auto;"  This is the equivalent
			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
			plus setting a trusted-key for dlv.isc.org.

			Note: The trusted key is hard-coded into named,
			but is also stored in (and can be overridden
			by) $sysconfdir/bind.keys.  As the ISC DLV key
			rolls over it can be kept up to date by replacing
			the bind.keys file with a key downloaded from
			https://www.isc.org/solutions/dlv. [RT #18685]

2571.	[func]		Add a new tool "arpaname" which translates IP addresses
			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
			[RT #18976]

2570.	[func]		Log the destination address the query was sent to.
			[RT #19209]

2569.	[func]		Move journalprint, nsec3hash, and genrandom
			commands from bin/tests into bin/tools;
			"make install" will put them in $sbindir. [RT #19301]

2568.	[bug]		Report when the write to indicate an otherwise
			successful start fails. [RT #19360]

2567.	[bug]		dst__privstruct_writefile() could miss write errors.
			write_public_key() could miss write errors.
			dnssec-dsfromkey could miss write errors.
			[RT #19360]

2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
			response arrives from a zone thought to be secure:
			"insecurity proof failed" instead of "not
			insecure". [RT #19400]

2565.	[func]		Add support for HIP record.  Includes new functions
			dns_rdata_hip_first(), dns_rdata_hip_next()
			and dns_rdata_hip_current().  [RT #19384]

2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
			[RT #19405]

2563.	[bug]		Dig could leak a socket causing it to wait forever
			to exit. [RT #19359]

2562.	[doc]		ARM: miscellaneous improvements, reorganization,
			and some new content.

2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]

2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]

2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
			reading from K* files.  [RT #19357]

2558.	[func]		Set the ownership of missing directories created
			for pid-file if -u has been specified on the command
			line. [RT #19328]

2557.	[cleanup]	PCI compliance:
			* new libisc log module file
			* isc_dir_chroot() now also changes the working
			  directory to "/".
			* additional INSISTs
			* additional logging when files can't be removed.

2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
			error checks in the correct order resulting in the
			wrong error code sometimes being returned. [RT #19249]

2555.	[func]		dig: when emitting a hex dump also display the
			corresponding characters. [RT #19258]

2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
			fail. [RT #19297]

2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]

2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
			[RT #19340]

2551.	[bug]		Potential Reference leak on return. [RT #19341]

2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
			[RT #19343]

2549.	[port]		linux: define NR_OPEN if not currently defined.
			[RT #19344]

2548.	[bug]		Install iterated_hash.h. [RT #19335]

2547.	[bug]		openssl_link.c:mem_realloc() could reference an
			out-of-range area of the source buffer.  New public
			function isc_mem_reallocate() was introduced to address
			this bug. [RT #19313]

2546.	[func]		Add --enable-openssl-hash configure flag to use
			OpenSSL (in place of internal routine) for hash
			functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.	[doc]		ARM: Legal hostname checking (check-names) is
			for SRV RDATA too. [RT #19304]

2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]

2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]

2542.	[doc]		Update the description of dig +adflag. [RT #19290]

2541.	[bug]		Conditionally update dispatch manager statistics.
			[RT #19247]

2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]

2539.	[security]	Update the interaction between recursion, allow-query,
			allow-query-cache and allow-recursion.  [RT #19198]

2538.	[bug]		cache/ADB memory could grow over max-cache-size,
			especially with threads and smaller max-cache-size
			values. [RT #19240]

2537.	[func]		Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2536.	[cleanup]	Silence some warnings when -Werror=format-security is
			specified. [RT #19083]

2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]

2534.	[func]		Check NAPTR records regular expressions and
			replacement strings to ensure they are syntactically
			valid and consistent. [RT #18168]

2533.	[doc]		ARM: document @ (at-sign). [RT #17144]

2532.	[bug]		dig: check the question section of the response to
			see if it matches the asked question. [RT #18495]

2531.	[bug]		Change #2207 was incomplete. [RT #19098]

2530.	[bug]		named failed to reject insecure to secure transitions
			via UPDATE. [RT #19101]

2529.	[cleanup]	Upgrade libtool to silence complaints from recent
			version of autoconf. [RT #18657]

2528.	[cleanup]	Silence spurious configure warning about
			--datarootdir. [RT #19096]

2527.	[placeholder]

2526.	[func]		New named option "attach-cache" that allows multiple
			views to share a single cache to save memory and
			improve lookup efficiency.  Based on contributed code
			from Barclay Osborn, Google. [RT #18905]

2525.	[func]		New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
			[RT #19112]

2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.	[bug]		Improve epoll cross compilation support. [RT #19047]

2520.	[bug]		Update xml statistics version number to 2.0 as change
			#2388 made the schema incompatible to the previous
			version. [RT #19080]

2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
			nameserver addresses of the excluded address family
			preceded in resolv.conf. [RT #19081]

2518.	[func]		Add support for the new CERT types from RFC 4398.
			[RT #19077]

2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
			nameserver address of the excluded address type.
			[RT #18843]

2516.	[bug]		glue sort for responses was performed even when not
			needed. [RT #19039]

2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
			[RT #19063]

2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
			a nameserver of the excluded address family.
			[RT #18848]

2513.	[bug]		Fix windows cli build. [RT #19062]

2512.	[func]		Print a summary of the cached records which make up
			the negative response.  [RT #18885]

2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
			[RT #18885]

2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
			[RT #19033]

2509.	[bug]		Specifying a fixed query source port was broken.
			[RT #19051]

2508.	[placeholder]

2507.	[func]		Log the recursion quota values when killing the
			oldest query or refusing to recurse due to quota.
			[RT #19022]

2506.	[port]		solaris: Check at configure time if
			hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.	[port]		Treat amd64 similarly to x86_64 when determining
			atomic operation support. [RT #19031]

2504.	[bug]		Address race condition in the socket code. [RT #18899]

2503.	[port]		linux: improve compatibility with Linux Standard
			Base. [RT #18793]

2502.	[cleanup]	isc_radix: Improve compliance with coding style,
			document function in <isc/radix.h>. [RT #18534]

2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
			rdata types need to be quoted.  See the ARM for
			details. [RT #18368]

2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
			function. [RT #18582]

2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
			[RT #18837]

	--- 9.6.0rc1 released ---

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
			delegation.

2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]

2495.	[bug]		Tighten RRSIG checks. [RT #18795]

2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
			installed. [RT #18826]

2493.	[bug]		The linux capabilities code was not correctly cleaning
			up after itself. [RT #18767]

2492.	[func]		Rndc status now reports the number of cpus discovered
			and the number of worker threads when running
			multi-threaded. [RT #18273]

2491.	[func]		Attempt to re-use a local port if we are already using
			the port. [RT #18548]

2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
			is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.	[port]		solaris: Work around a Solaris kernel bug affecting
			/dev/poll:
			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
			this workaround. [RT #18870]

2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
			from keyset and .key files. [RT #18694]

2487.	[bug]		Give TCP connections longer to complete. [RT #18675]

2486.	[func]		The default locations for named.pid and lwresd.pid
			are now /var/run/named/named.pid and
			/var/run/lwresd/lwresd.pid respectively.

			This allows the owner of the containing directory
			to be set, for "named -u" support, and allows there
			to be a permanent symbolic link in the path, for
			"named -t" support.  [RT #18306]

2485.	[bug]		Change update's handling of obscured RRSIG
			records.  Not all orphaned DS records were being
			removed. [RT #18828]

2484.	[bug]		It was possible to trigger a REQUIRE failure when
			adding NSEC3 proofs to the response in
			query_addwildcardproof().  [RT #18828]

2483.	[port]		win32: chroot() is not supported. [RT #18805]

2482.	[port]		libxml2: support versions 2.7.* in addition
			to 2.6.*. [RT #18806]

	--- 9.6.0b1 released ---

2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
			collisions.  [RT #18812]

2480.	[bug]		named could fail to emit all the required NSEC3
			records.  [RT #18812]

2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]

2478.	[bug]		'addresses' could be used uninitialized in
			configure_forward(). [RT #18800]

2477.	[bug]		dig: the global option to print the command line is
			+cmd not print_cmd.  Update the output to reflect
			this. [RT #17008]

2476.	[doc]		ARM: improve documentation for max-journal-size and
			ixfr-from-differences. [RT #15909] [RT #18541]

2475.	[bug]		LRU cache cleanup under overmem condition could purge
			particular entries more aggressively. [RT #17628]

2474.	[bug]		ACL structures could be allocated with insufficient
			space, causing an array overrun. [RT #18765]

2473.	[port]		linux: raise the limit on open files to the possible
			maximum value before spawning threads; 'files'
			specified in named.conf doesn't seem to work with
			threads as expected. [RT #18784]

2472.	[port]		linux: check the number of available cpus before
			calling chroot as it depends on "/proc". [RT #16923]

2471.	[bug]		named-checkzone was not reporting missing mandatory
			glue when sibling checks were disabled. [RT #18768]

2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
			overwritten.  [RT #18719]

2469.	[port]		solaris: Work around Solaris's select() limitations.
			[RT #18769]

2468.	[bug]		Resolver could try unreachable servers multiple times.
			[RT #18739]

2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
			[RT #18302]

2465.	[bug]		Adb's handling of lame addresses was different
			for IPv4 and IPv6. [RT #18738]

2464.	[port]		linux: check that a capability is present before
			trying to set it. [RT #18135]

2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
			API and glibc hides parts of the IPv6 Advanced Socket
			API as a result.  This is stupid as it breaks how the
			two halves (Basic and Advanced) of the IPv6 Socket API
			were designed to be used but we have to live with it.
			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
			API. [RT #18388]

2462.	[doc]		Document -m (enable memory usage debugging)
			option for dig. [RT #18757]

2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]

	--- 9.6.0a1 released ---

2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
			[RT #18697]

2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]

2458.	[doc]		ARM: update and correction for max-cache-size.
			[RT #18294]

2457.	[tuning]	max-cache-size is reverted to 0, the previous
			default.  It should be safe because expired cache
			entries are also purged. [RT #18684]

2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
			address, regardless of family.  They now correctly
			distinguish IPv4 from IPv6.  [RT #18559]
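
The family check described in change 2456 above, as an added example that is not BIND's own ACL code: a prefix element matches a client address only when both are of the same address family, so "::/0" no longer covers IPv4 clients and "0.0.0.0/0" no longer covers IPv6 clients. The struct and function names are this example's assumptions; the sample elements and client addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A parsed "address/length" ACL element (example type, not BIND's). */
struct acl_prefix {
	int family;             /* AF_INET or AF_INET6 */
	unsigned char addr[16]; /* network-order address bytes */
	unsigned bits;          /* prefix length in bits */
};

/* Parse text such as "192.0.2.0/24" or "2001:db8::/32"; false if malformed. */
bool
acl_prefix_parse(const char *text, struct acl_prefix *p)
{
	char buf[64], *slash, *end;
	unsigned long len, maxbits;

	if (strlen(text) >= sizeof(buf))
		return false;
	strcpy(buf, text);
	slash = strchr(buf, '/');
	if (slash == NULL || slash[1] == '\0')
		return false;
	*slash = '\0';
	memset(p->addr, 0, sizeof(p->addr));
	if (inet_pton(AF_INET, buf, p->addr) == 1) {
		p->family = AF_INET;
		maxbits = 32;
	} else if (inet_pton(AF_INET6, buf, p->addr) == 1) {
		p->family = AF_INET6;
		maxbits = 128;
	} else {
		return false;
	}
	len = strtoul(slash + 1, &end, 10);
	if (*end != '\0' || len > maxbits)
		return false;
	p->bits = (unsigned)len;
	return true;
}

/*
 * True only if 'addrtext' is of the prefix's own family and its leading
 * 'bits' bits equal the prefix.  The family test is the substance of
 * change 2456: without it a zero-length prefix of either family matches
 * every address, so "::/0" would admit IPv4 clients and "0.0.0.0/0" IPv6.
 */
bool
acl_prefix_match(const struct acl_prefix *p, const char *addrtext)
{
	unsigned char a[16] = { 0 };
	int family;
	unsigned full = p->bits / 8, rem = p->bits % 8;

	if (inet_pton(AF_INET, addrtext, a) == 1)
		family = AF_INET;
	else if (inet_pton(AF_INET6, addrtext, a) == 1)
		family = AF_INET6;
	else
		return false;
	if (family != p->family)
		return false;
	if (memcmp(a, p->addr, full) != 0)
		return false;
	if (rem != 0) {
		unsigned char mask = (unsigned char)(0xffU << (8 - rem));
		if ((a[full] & mask) != (p->addr[full] & mask))
			return false;
	}
	return true;
}

int
main(void)
{
	/* Constructed sample: the two "match anything" elements plus a /25. */
	const char *elems[] = { "0.0.0.0/0", "::/0", "192.0.2.0/25" };
	const char *clients[] = { "192.0.2.100", "192.0.2.200", "2001:db8::1" };
	size_t i, j;

	for (i = 0; i < 3; i++) {
		struct acl_prefix p;
		if (!acl_prefix_parse(elems[i], &p))
			continue;
		for (j = 0; j < 3; j++)
			printf("%-14s vs %-12s : %s\n", elems[i], clients[j],
			       acl_prefix_match(&p, clients[j]) ? "match" : "no match");
	}
	return 0;
}
```

Note that an IPv4-mapped IPv6 address such as ::ffff:192.0.2.1 parses as AF_INET6 here, so it is governed by the IPv6 elements only; an ACL that should admit both families needs an element for each.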

2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
			[RT #18639]

2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]

2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
			[RT #18316]

2452.	[func]		Improve bin/test/journalprint. [RT #18316]

2451.	[port]		solaris: handle runtime linking better. [RT #18356]

2450.	[doc]		Fix lwresd docbook problem for manual page.
			[RT #18672]

2449.	[placeholder]

2448.	[func]		Add NSEC3 support. [RT #15452]

2447.	[cleanup]	libbind has been split out as a separate product.

2446.	[func]		Add a new log message about build options on startup.
			A new command-line option '-V' for named is also
			provided to show this information. [RT #18645]

2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
			RFC1918 address, but these are not yet compiled in).
			[RT #18578]

2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
			(clear DF) for UDP responses and requests.

2443.	[bug]		win32: UDP connect() would not generate an event,
			and so connected UDP sockets would never clean up.
			Fix this by doing an immediate WSAConnect() rather
			than an io completion port type for UDP.

2442.	[bug]		A lock could be destroyed twice. [RT #18626]

2441.	[bug]		isc_radix_insert() could copy radix tree nodes
			incompletely. [RT #18573]

2440.	[bug]		named-checkconf used an incorrect test to determine
			if an ACL was set to none.

2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
			[RT #18559]

2438.	[bug]		Timeouts could be logged incorrectly under win32.

2437.	[bug]		Sockets could be closed too early, leading to
			inconsistent states in the socket module. [RT #18298]

2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]

2435.	[bug]		Fixed an ACL memory leak affecting win32.

2434.	[bug]		Fixed a minor error-reporting bug in
			lib/isc/win32/socket.c.

2433.	[tuning]	Set initial timeout to 800ms.

2432.	[bug]		More Windows socket handling improvements.  Stop
			using I/O events and use IO Completion Ports
			throughout.  Rewrite the receive path logic to make
			it easier to support multiple simultaneous
			requesters in the future.  Add stricter consistency
			checking as a compile-time option (define
			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431.	[bug]		Acl processing could leak memory. [RT #18323]

2430.	[bug]		win32: isc_interval_set() could round down to
			zero if the input was less than NS_INTERVAL
			nanoseconds.  Round up instead. [RT #18549]

2429.	[doc]		nsupdate should be in section 1 of the man pages.
			[RT #18283]

2428.	[bug]		dns_iptable_merge() mishandled merges of negative
			tables. [RT #18409]

2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
			was set. [RT #18528]

2426.	[bug]		libbind: inet_net_pton() can sometimes return the
			wrong value if excessively large net masks are
			supplied. [RT #18512]

2425.	[bug]		named didn't detect unavailable query source addresses
			at load time. [RT #18536]

2424.	[port]		configure now probes for a working epoll
			implementation.  Allow the use of kqueue,
			epoll and /dev/poll to be selected at compile
			time. [RT #18277]

2423.	[security]	Randomize server selection on queries, so as to
			make forgery a little more difficult.  Instead of
			always preferring the server with the lowest RTT,
			pick a server with RTT within the same 128
			millisecond band.  [RT #18441]
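
The selection rule described in change 2423 above, as an added illustration that is not BIND's own resolver code: every server whose RTT falls in the same 128 ms band as the fastest one is treated as equally good, and one of them is chosen at random, so an attacker can no longer predict which server will be queried from RTT alone. The band rule (floor(rtt / 128 ms)), the function names and the sample RTT table are this example's assumptions; the random value is passed in as a parameter so the choice can be checked deterministically, and rand() in main() is only there to make the demo run stand-alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Width of one RTT band in milliseconds (the value named in change 2423). */
#define RTT_BAND_MS 128U

/*
 * Collect the indices of every server whose RTT lies in the same
 * RTT_BAND_MS-wide band as the fastest server.  Band membership is
 * floor(rtt / RTT_BAND_MS); that rule is an assumption of this example,
 * not necessarily named's exact arithmetic.  Returns the number of
 * candidate indices written to 'out' (0 for an empty list).
 */
size_t
rtt_band_candidates(const unsigned *rtt_ms, size_t n, size_t *out)
{
	size_t i, count = 0;
	unsigned best;

	if (n == 0)
		return 0;
	best = rtt_ms[0];
	for (i = 1; i < n; i++)
		if (rtt_ms[i] < best)
			best = rtt_ms[i];
	for (i = 0; i < n; i++)
		if (rtt_ms[i] / RTT_BAND_MS == best / RTT_BAND_MS)
			out[count++] = i;
	return count;
}

/*
 * Pick one server from the lowest band using the caller-supplied random
 * value 'rnd'.  Passing the randomness in keeps the selection testable;
 * a resolver would draw it from an unpredictable source, since making
 * the choice hard to predict is the whole point of the change.
 * Returns the chosen index, or (size_t)-1 when the list is empty.
 */
size_t
pick_server(const unsigned *rtt_ms, size_t n, unsigned rnd)
{
	size_t *cand, count, choice;

	if (n == 0)
		return (size_t)-1;
	cand = malloc(n * sizeof(*cand));
	if (cand == NULL)
		return (size_t)-1;
	count = rtt_band_candidates(rtt_ms, n, cand); /* always >= 1 here */
	choice = cand[rnd % count];
	free(cand);
	return choice;
}

int
main(void)
{
	/* Constructed sample RTTs: servers 0-2 share the lowest band. */
	unsigned rtt_ms[] = { 40, 100, 127, 300 };
	size_t n = sizeof(rtt_ms) / sizeof(rtt_ms[0]);
	int i;

	srand((unsigned)time(NULL)); /* demo only; not a suitable source for named */
	for (i = 0; i < 6; i++) {
		size_t s = pick_server(rtt_ms, n, (unsigned)rand());
		printf("query %d -> server %zu (rtt %u ms)\n", i, s, rtt_ms[s]);
	}
	return 0;
}
```

With the sample table, server 3 (300 ms) is never chosen while any of the three faster servers is available, but which of the three answers a given query depends on the random value rather than on the RTT ordering.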

2422.	[bug]		Handle the special return value of an empty node as
			if it was a NXRRSET in the validator. [RT #18447]

2421.	[func]		Add new command line option '-S' for named to specify
			the max number of sockets. [RT #18493]
			Use caution: this option may not work for some
			operating systems without rebuilding named.

2420.	[bug]		Windows socket handling cleanup.  Let the io
			completion event send out canceled read/write
			done events, which keeps us from writing to memory
			we no longer have ownership of.  Add debugging
			socket_log() function.  Rework TCP socket handling
			to not leak sockets.
