CHANGES 418 KB
3886.	[bug]		rbtdb_write_header should use a once to initialize
			FILE_VERSION. [RT #36374]

3885.	[port]		Use 'open()' rather than 'file()' to open files in
			python.

3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]

3883.	[placeholder]

3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behavior.  The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]

3881.	[bug]		Address memory leak with UPDATE error handling.
			[RT #36303]

3880.	[test]		Update ans.pl to work with new TSIG support in
			Net::DNS; add additional Net::DNS version prerequisite
			checks. [RT #36327]

3879.	[func]		Add version printing option to various BIND utilities.
			[RT #10686]

3878.	[bug]		Using the incorrect filename for a DLZ module
			caused a segmentation fault on startup. [RT #36286]

3877.	[bug]		Inserting and deleting parent and child nodes
			in response policy zones could trigger an assertion
			failure. [RT #36272]

3876.	[bug]		Improve efficiency of DLZ redirect zones by
			suppressing unnecessary database lookups. [RT #35835]

3875.	[cleanup]	Clarify log message when unable to read private
			key files. [RT #24702]

3874.	[test]		Check that only "check-names master" is needed for
			updates to be accepted.

3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]

3872.	[bug]		Address issues found by static analysis. [RT #36209]

3871.	[bug]		Don't publish an activated key automatically before
			its publish time. [RT #35063]

3870.	[func]		Updated the random number generator used in
			the resolver to use the updated ChaCha based one
			(similar to OpenBSD's changes). Also moved the
			RNG to libisc and added unit tests for it.
			[RT #35942]

3869.	[doc]		Document that in-view zones cannot be used for
			response policy zones. [RT #35941]

3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
			potentially leaving the over-memory cleaner running.
			[RT #35270]

3867.	[func]		"rndc nta" can now be used to set a temporary
			negative trust anchor, which disables DNSSEC
			validation below a specified name for a specified
			period of time (not exceeding 24 hours).  This
			can be used when validation for a domain is known
			to be failing due to a configuration error on
			the part of the domain owner rather than a
			spoofing attack. [RT #29358]

3866.	[bug]		Named could die on disk full in generate_session_key.
			[RT #36119]

3865.	[test]		Improved testability of the red-black tree
			implementation and added unit tests. [RT #35904]

3864.	[bug]		RPZ didn't work well when being used as forwarder.
			[RT #36060]

3863.	[bug]		The "E" flag was missing from the query log as an
			unintended side effect of code rearrangement to
			support EDNS EXPIRE. [RT #36117]

3862.	[cleanup]	Return immediately if we are not going to log the
			message in ns_client_dumpmessage.

3861.	[security]	Missing isc_buffer_availablelength check results
			in a REQUIRE assertion when printing out a packet
			(CVE-2014-3859).  [RT #36078]

3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
			at run time as it is limited to {OPEN_MAX}.
			[RT #35878]

3859.	[placeholder]

3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
			[RT #35968]

3857.	[bug]		Make it harder for an incorrect NOEDNS classification
			to be made. [RT #36020]

3856.	[bug]		Configuring libjson without also configuring libxml
			resulted in a REQUIRE assertion when retrieving
			statistics using json. [RT #36009]

3855.	[bug]		Limit smoothed round trip time aging to no more than
			once a second. [RT #32909]

3854.	[cleanup]	Report unrecognized options, if any, in the final
			configure summary. [RT #36014]

3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
			the handling of a rdataset with no records. [RT #35968]

3852.	[func]		Increase the default number of clients available
			for servicing lightweight resolver queries, and
			make them configurable via the "lwres-tasks" and
			"lwres-clients" options.  (Thanks to Tomas Hozza.)
			[RT #35857]

3851.	[func]		Allow libseccomp based system-call filtering
			on Linux; use "configure --enable-seccomp" to
			turn it on.  Thanks to Loganaden Velvindron
			of AFRINIC for the contribution. [RT #35347]

3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
			[RT #35979]

3849.	[doc]		Alphabetized dig's +options. [RT #35992]

3848.	[bug]		Adjust 'statistics-channels specified but not effective'
			error message to account for JSON support. [RT #36008]

3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
			there is no support available.

3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
			ixfr query. [RT #35980]

3845.	[placeholder]

3844.	[bug]		Use the x64 version of the Microsoft Visual C++
			Redistributable when built for 64 bit Windows.
			[RT #35973]

3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
			[RT #35969]

3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]

3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
			[RT #35924]

3840.	[port]		Check for arc4random_addrandom() before using it;
			it's been removed from OpenBSD 5.5. [RT #35907]

3839.	[test]		Use only posix-compatible shell in system tests.
			[RT #35625]

3838.	[protocol]	EDNS EXPIRE has been assigned a code point of 9.

3837.	[security]	A NULL pointer is passed to query_prefetch resulting
			in a REQUIRE assertion failure when a fetch is actually
			initiated (CVE-2014-3214).  [RT #35899]

3836.	[bug]		Address C++ keyword usage in header file.

3835.	[bug]		Geoip ACL elements didn't work correctly when
			referenced via named or nested ACLs. [RT #35879]

3834.	[bug]		The re-signing heaps were not being updated soon enough
			leading to multiple re-generations of the same RRSIG
			when a zone transfer was in progress. [RT #35273]

3833.	[bug]		Cross compiling was broken due to calling genrandom at
			build time. [RT #35869]

3832.	[func]		"named -L <filename>" causes named to send log
			messages to the specified file by default instead
			of to the system log. (Thanks to Tony Finch.)
			[RT #35845]

3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
			[RT #35843]

3830.	[func]		When query logging is enabled, log query errors at
			the same level ('info') as the queries themselves.
			[RT #35844]

3829.	[func]		"dig +ttlunits" causes dig to print TTL values
			with time-unit suffixes: w, d, h, m, s for
			weeks, days, hours, minutes, and seconds. (Thanks
			to Tony Finch.) [RT #35823]

3828.	[func]		"dnssec-signzone -N date" updates serial number
			to the current date in YYYYMMDDNN format.
			[RT #35800]

3827.	[placeholder]

3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
			[RT #35870]

3825.	[bug]		Address sign extension bug in isc_regex_validate.
			[RT #35758]

3824.	[bug]		A collision between two flag values could cause
			problems with cache cleaning when SIT was enabled.
			[RT #35858]

3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]

3822.	[bug]		Log the correct type of static-stub zones when
			removing them. [RT #35842]

3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
			update and transaction support. Thanks to Marty
			Lee for the contribution. [RT #35656]

3820.	[func]		The DLZ API doesn't pass the database version to
			the lookup() function; this can cause DLZ modules
			that allow dynamic updates to mishandle prerequisite
			checks. This has been corrected by adding a
			'dbversion' field to the dns_clientinfo_t
			structure. [RT #35656]

3819.	[bug]		NSEC3 hashes need to be able to be entered and
			displayed without padding.  This is not an issue for
			currently defined algorithms but may be for future
			hash algorithms. [RT #27925]

3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
			constant in isc_event_allocate.

3817.	[func]		The "delve" command is now spelled "delv" to avoid
			a namespace collision with the Xapian project.
			[RT #35801]

3816.	[func]		"dig +qr" now reports query size. (Thanks to
			Tony Finch.) [RT #35822]

3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]

3814.	[func]		The "masterfile-style" zone option controls the
			formatting of dumped zone files. Options are
			"relative" (multiline format) and "full" (one
			record per line). The default is "relative".
			[RT #20798]

3813.	[func]		"host" now recognizes the "timeout", "attempts" and
			"debug" options when set in /etc/resolv.conf.
			(Thanks to Adam Tkac at RedHat.) [RT #21885]

3812.	[func]		Dig now supports sending arbitrary EDNS options from
			the command line (+ednsopt=code[:value]). [RT #35584]

3811.	[func]		"serial-update-method date;" sets serial number
			on dynamic update to today's date in YYYYMMDDNN
			format. (Thanks to Bradley Forschinger.) [RT #24903]

3810.	[bug]		Work around broken nameservers that fail to ignore
			unknown EDNS options. [RT #35766]

3809.	[doc]		Fix SIT and NSID documentation.

3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]

3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
			lowercase is set. [RT #35743]

3806.	[test]		Improved system test portability. [RT #35625]

3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
			for DNS over TCP. [RT #35710]

	--- 9.10.0rc1 released ---

3804.	[bug]		Corrected a race condition in dispatch.c in which
			portentry could be reset leading to an assertion
			failure in socket_search(). (Change #3708
			addressed the same issue but was incomplete.)
			[RT #35128]

3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
			using alternate data sources for not having a "file"
			option. [RT #35685]

3802.	[bug]		Various header files were not being installed.

3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]

3800.	[bug]		A pending event on the route socket could cause an
			assertion failure when shutting down named. [RT #35674]

3799.	[bug]		Improve named's command line error reporting.
			[RT #35603]

3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
			time. [RT #35659]

3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]

3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]

3795.	[bug]		Make named-checkconf detect raw masterfiles for
			hint zones and reject them. [RT #35268]

3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.

3793.	[bug]		zone.c:save_nsec3param() could assert when out of
			memory. [RT #35621]

3792.	[func]		Provide links to the alternate statistics views when
			displaying in a browser.  [RT #35605]

3791.	[placeholder]

3790.	[bug]		Handle broken nameservers that send BADVERS in
			response to unknown EDNS options.  Maintain
			statistics on BADVERS responses.

3789.	[bug]		Null pointer dereference on rbt creation failure.

3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
			mistake.

	--- 9.10.0b2 released ---

3787.	[bug]		The code that checks whether "auto-dnssec" is
			allowed was ignoring "allow-update" ACLs set at
			the options or view level. [RT #29536]

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PKCS#11 API implementation. [RT #35479]

3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
			input (only compiled with -DDEBUG). [RT #35544]

3784.	[bug]		Using "rrset-order fixed" when it had not been
			enabled at compile time caused inconsistent
			results. It now works as documented, defaulting
			to cyclic mode. [RT #28104]

3783.	[func]		"tsig-keygen" is now available as an alternate
			command name for "ddns-confgen".  It generates
			a TSIG key in named.conf format without comments.
			[RT #35503]

3782.	[func]		Specifying "auto" as the salt when using
			"rndc signing -nsec3param" causes named to
			generate a 64-bit salt at random. [RT #35322]

3781.	[tuning]	Use adaptive mutex locks when available; this
			has been found to improve performance under load
			on many systems. "configure --with-locktype=standard"
			restores conventional mutex locks. [RT #32576]

3780.	[bug]		$GENERATE handled negative numbers incorrectly.
			[RT #25528]

3779.	[cleanup]	Clarify the error message when using an option
			that was not enabled at compile time. [RT #35504]

3778.	[bug]		Log a warning when the wrong address family is
			used in "listen-on" or "listen-on-v6". [RT #17848]

3777.	[bug]		EDNS EXPIRE code could dump core when processing
			DLZ queries. [RT #35493]

3776.	[func]		"rndc -q" suppresses output from successful
			rndc commands. Errors are printed on stderr.
			[RT #21393]

3775.	[bug]		dlz_dlopen driver could return the wrong error
			code on API version mismatch, leading to a segfault.
			[RT #35495]

3774.	[func]		When using "request-nsid", log the NSID value in
			printable form as well as hex. [RT #20864]

3773.	[func]		"host", "nslookup" and "nsupdate" now have
			options to print the version number and exit.
			[RT #26057]

3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
			(Based in part on a contribution from Tim Tessier.)
			[RT #20822]

3771.	[cleanup]	Adjusted log level for "using built-in key"
			messages. [RT #24383]

3770.	[bug]		"dig +trace" could fail with an assertion when it
			needed to fall back to TCP due to a truncated
			response. [RT #24660]

3769.	[doc]		Improved documentation of "rndc signing -list".
			[RT #30652]

3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
			algorithm. [RT #34000]

3767.	[func]		Log explicitly when using rndc.key to configure
			command channel. [RT #35316]

3766.	[cleanup]	Fixed problems with building outside the source
			tree when using native PKCS#11. [RT #35459]

3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
			named when dumping an empty keynode. [RT #35469]

3764.	[bug]		The dnssec-keygen/settime -S and -i options
			(to set up a successor key and set the prepublication
			interval) were missing from dnssec-keyfromlabel.
			[RT #35394]

3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
			re-fetch them when restarting validation. [RT #35476]

3762.	[bug]		Address build problems with --pkcs11-native +
			--with-openssl with ECDSA support. [RT #35467]

3761.	[bug]		Address dangling reference bug in dns_keytable_add.
			[RT #35471]

3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
			[RT #35433]

3759.	[port]		Enable delve on Windows. [RT #35441]

3758.	[port]		Enable export library APIs on Windows. [RT #35382]

3757.	[port]		Enable Python tools (dnssec-coverage,
			dnssec-checkds) to run on Windows. [RT #34355]

3756.	[bug]		GSSAPI Kerberos realm checking was broken in
			check_config leading to spurious messages being
			logged.  [RT #35443]

	--- 9.10.0b1 released ---

3755.	[func]		Add stats counters for known EDNS options + others.
			[RT #35447]

3754.	[cleanup]	win32: Installer now places files in the
			Program Files area rather than system services.
			[RT #35361]

3753.	[bug]		allow-notify was ignoring keys. [RT #35425]

3752.	[bug]		Address potential REQUIRE failure if
			DNS_STYLEFLAG_COMMENTDATA is set when printing out
			a rdataset.

3751.	[tuning]	The default setting for the -U option (setting
			the number of UDP listeners per interface) has
			been adjusted to improve performance. [RT #35417]

3750.	[experimental]	Partially implement EDNS EXPIRE option as described
			in draft-andrews-dnsext-expire-00.  Retrieval of
			the remaining time until expiry for slave zones
			is supported.

			EXPIRE uses an experimental option code (65002),
			which is subject to change. [RT #35416]

3749.	[func]		"dig +subnet" sends an EDNS client subnet option
			containing the specified address/prefix when
			querying. (Thanks to Wilmer van der Gaast.)
			[RT #35415]

3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]

3747.	[bug]		A race condition could lead to a core dump when
			destroying a resolver fetch object. [RT #35385]

3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]

3745.	[func]		"configure --with-tuning=large" adjusts various
			compiled-in constants and default settings to
			values suited to large servers with abundant
			memory. [RT #29538]

3744.	[experimental]	SIT: send and process Source Identity Tokens
			(similar to DNS Cookies by Donald Eastlake 3rd),
			which are designed to help clients detect off-path
			spoofed responses and for servers to identify
			legitimate clients.

			SIT uses an experimental EDNS option code (65001),
			which will be changed to an IANA-assigned value
			if the experiment is deemed a success.

			SIT can be enabled via "configure --enable-sit" (or
			--enable-developer). It is enabled by default in
			Windows.

			Servers can be configured to send smaller responses
			to clients that have not identified themselves via
			SIT.  RRL processing has also been updated;
			legitimate clients are not subject to rate
			limiting. [RT #35389]

3743.	[bug]		delegation-only flag wasn't working in forward zone
			declarations despite being documented.  This is
			needed to support turning off forwarding and turning
			on delegation only at the same name.  [RT #35392]

3742.	[port]		linux: libcap support: declare curval at start of
			block. [RT #35387]

3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. [RT #32406]

3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

3739.	[func]		Added per-zone stats counters to track TCP and
			UDP queries. [RT #35375]

3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]

3737.	[bug]		'rndc retransfer' could trigger an assertion failure
			with inline zones. [RT #35353]

3736.	[bug]		nsupdate: When specifying a server by name,
			fall back to alternate addresses if the first
			address for that name is not reachable. [RT #25784]

3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested.  [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware security
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen).  [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]

3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

3632.	[bug]		Signatures from newly inactive keys were not being
			removed. [RT #32178]

3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

3626.	[func]		dig: NSID output now easier to read. [RT #21160]

3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

3624.	[bug]		Look for 'json_object_new_int64' when looking for
			the json library. [RT #34449]

3623.	[placeholder]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

3616.	[bug]		Change #3613 was incomplete. [RT #34177]

3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

3614.	[port]		Check for <linux/types.h>. [RT #34162]

3613.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]

3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]

3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]

3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]