CHANGES

1791.	[placeholder]	rt13230

1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
			allow parallel make to succeed.

1789.	[bug]		Prerequisite test for tkey and dnssec could fail
			with "configure --with-libtool".

1788.	[bug]		libbind9.la/libbind9.so needs to link against
			libisccfg.la/libisccfg.so.

1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.

1786.	[port]		AIX: libt_api needs to be taught to look for
			T_testlist in the main executable (--with-libtool).
			[RT #13239]

1785.	[bug]		libbind9.la/libbind9.so needs to link against
			libisc.la/libisc.so.

1784.	[cleanup]	"libtool -allow-undefined" is the default.
			Leave hooks in configure to allow it to be set
			if needed in the future.

1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
			source tree.

1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
			__evOptMonoTime.  [RT #13219]

1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]

1780.	[bug]		Update libtool to 1.5.10.

1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.

1778.   [port]   	HUX 11.11: fix broken IN6ADDR_ANY_INIT and
			IN6ADDR_LOOPBACK_INIT macros.

1777.   [port]   	OSF 5.1: fix broken IN6ADDR_ANY_INIT and
			IN6ADDR_LOOPBACK_INIT macros.

1776.   [port]   	Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
                        IN6ADDR_LOOPBACK_INIT macros.

1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]

1774.	[port]		Aix: Silence compiler warnings / build failures.
			[RT #13154]

1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]

1772.	[placeholder]

1771.	[placeholder]

1770.	[bug]		named-checkconf failed to report missing a missing
			file clause for rbt{64} master/hint zones. [RT#13009]

1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
			/MT ==> /MD.

1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
			rdataset. [RT #12907]

1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
			support for (struct in6_pktinfo) failed.  [RT #13077]

1766.	[bug]		Update the master file timestamp on successful refresh
			as well as the journal's timestamp. [RT# 13062]

1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]

1764.	[bug]		dns_zone_replacedb failed to emit a error message
			if there was no SOA record in the replacment db.
			[RT #13016]

1763.	[func]		Perform sanity checks on NS records which refer to
			'in zone' names. [RT #13002]

1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
			even when it failed. [RT #12995]

1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
			[RT #12971]

1760.	[bug]		Host / net unreachable was not penalising rtt
			estimates. [RT #12970]

1759.	[bug]		Named failed to startup if the OS supported IPv6
			but had no IPv6 interfaces configured. [RT #12942]

1758.	[placeholder]	rt12933

1757.	[func]		host now can turn on memory debugging flags with '-m'.

1756.	[func]		named-checkconf now checks the logging configuration.
			[RT #12352]

1755.	[func]		allow-update is now settable at the options / view
			level. [RT #6636]

1754.	[bug]		We wern't always attempting to query the parent
			server for the DS records at the zone cut.
			[RT #12774]

1753.	[bug]		Don't serve a slave zone which has no NS records.
			[RT #12894]

1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
			as some fork() implementations unblock the signals
			that are blocked by isc_app_start(). [RT #12810]

1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]

1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
			[RT #12864]

1749.	[bug]		'check-names response ignore;' failed to ignore.
			[RT #12866]

1748.	[func]		dig now returns the byte count for axfr/ixfr.
			
1747.	[bug]		BIND 8 compatability: named/named-checkconf failed
			to parse "host-statistics-max" in named.conf.

1746.	[func]		Make public the function to read a key file,
			dst_key_read_public(). [RT #12450]

1745.	[bug]		Dig/host/nslookup accept replies from link locals
			regardless of scope if no scope was specified when
			query was sent. [RT #12745]

1744.	[bug]		If tuple2msgname() failed to convert a tuple to
			a name a REQUIRE could be triggered. [RT #12796]

1743.	[bug]		If isc_taskmgr_create() was not able to create the
			requested number of worker threads then destruction
			of the manager would trigger an INSIST() failure.
			[RT #12790]
			
1742.	[bug]		Deleting all records at a node then adding a
			previously existing record, in a single UPDATE
			transaction, failed to leave / regenerate the
			associated RRSIG records. [RT #12788]

1741.	[bug]		Deleting all records at a node in a secure zone
			using a update-policy grant failed. [RT #12787]

1740.	[bug]		Replace rbt's hash algorithm as it performed badly
			with certain zones. [RT #12729]
			
			NOTE: a hash context now needs to be established
			via isc_hash_create() if the application was not
			already doing this.

1739.	[bug]		dns_rbt_deletetree() could incorrectly return
			ISC_R_QUOTA.  [RT #12695]

1738.	[bug]		Enable overrun checking by default. [RT #12695]

1737.	[bug]		named failed if more than 16 masters were specified.
			[RT #12627]

1736.	[bug]		dst_key_fromnamedfile() could fail to read a
			public key. [RT #12687]
			
1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
			[RE #12688]

1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
			[RT #12588]

1733.	[bug]		Return non-zero exit status on initial load failure.
			[RT #12658]

1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
			[RT #12467]

1731.	[port]		darwin: relax version test in ifconfig.sh.
			[RT #12581]

1730.	[port]		Determine the length type used by the socket API.
			[RT #12581]

1729.	[func]		Improve check-names error messages.

1728.	[doc]		Update check-names documentation.

1727.	[bug]		named-checkzone: check-names support didn't match
			documentation.

1726.	[port]		aix5: add support for aix5

1725.	[port]		linux: update error message on interaction of threads,
			capabilities and setuid support (named -u). [RT #12541]

1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
			[RT #12557]

1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]

1722.	[bug]		Don't commit the journal on malformed ixfr streams.
			[RT #12519]

1721.	[bug]		Error message from the journal processing were not
			always identifing the relevent journal. [RT #12519]

1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
			negative response. [RT #12506]

1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
			negative response. [RT #12506]

1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
			responses when looking for the zone / master server.
			[RT #12506]

1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
			"ifconfig.sh down" didn't work for Solaris 9.

1716.	[doc]		named.conf(5) was being installed in the wrong
			location.  [RT# 12441]

1715.	[func]		'dig +trace' now randomly selects the next servers
			to try.  Report if there is a bad delegation.

1714.	[bug]		dig/host/nslookup were only trying the first
			address when a nameserver was specified by name.
			[RT #12286]

1713.	[port]		linux: extend capset failure message to say:
			please ensure that the capset kernel module is
			loaded.  see insmod(8)

1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.

1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.

1710.	[func]		'rndc notify zone [class [view]]' resend the NOTIFY
			messages for the specified zone. [RT #9479]

1709.	[port]		solaris: add SMF support from Sun.

1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
			for conformance to the name space convention.  Binary
			backward compatibility to the old function name is
			provided. [RT #12376]

1707.	[contrib]	sdb/ldap updated to version 1.0-beta.

1706.	[bug]		'rndc stop' failed to cause zones to be flushed
			sometimes. [RT #12328]

1705.	[func]		Allow the journal's name to be changed via named.conf.

1704.	[port]		lwres needed a snprintf() implementation for
			platforms without snprintf().  Add missing
			"#include <isc/print.h>". [RT #12321]

1703.	[bug]		named would loop sending NOTIFY messages when it
			failed to receive a response. [RT #12322]

1702.	[bug]		also-notify should not be applied to builtin zones.
			[RT #12323]

1701.	[doc]		A minimal named.conf man page.

1700.	[func]		nslookup is no longer to be treated as deprecated.
			Remove "deprecated" warning message.  Add man page.

1699.	[bug]		dnssec-signzone can generate "not exact" errors
			when resigning. [RT #12281]

1698.	[doc]		Use reserved IPv6 documentation prefix.

1697.	[bug]		xxx-source{,-v6} was not effective when it
			specified one of listening addresses and a
			different port than the listening port. [RT #12257]

1696.	[bug]		dnssec-signzone failed to clean out nodes that
			consisted of only NSEC and RRSIG records.
			[RT #12154]

1695.	[bug]		DS records when forwarding require special handling.
			[RT #12133]

1694.	[bug]		Report if the builtin views of "_default" / "_bind"
			are defined in named.conf. [RT #12023]

1693.	[bug]		max-journal-size was not effective for master zones
			with ixfr-from-differences set. [RT# 12024]

1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
			/usr/lib. [RT #11971]

1691.	[bug]		sdb's attachversion was not complete. [RT #11990]

1690.	[bug]		Delay detaching view from the client until UPDATE
			processing completes when shutting down. [RT #11714]

1689.	[bug]		DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
			contained gratuitous semicolons. [RT #11707]

1688.	[bug]		LDFLAGS was not supported.

1687.	[bug]		Race condition in dispatch. [RT #10272]

1686.	[bug]		Named sent a extraneous NOTIFY when it received a
			redundant UPDATE request. [RT #11943]

1685.	[bug]		Change #1679 loop tests weren't quite right.

1684.	[func]		ixfr-from-differences now takes master and slave in
			addition to yes and no at the options and view levels.

1683.	[bug]		dig +sigchase could leak memory. [RT #11445]

1682.	[port]		Update configure test for (long long) printf format.
			[RT #5066]

1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
			isc_socket_bind(). [RT #11742]

1680.	[func]		rndc: the source address can now be specified.

1679.	[bug]		When there was a single nameserver with multiple
			addresses for a zone not all addresses were tried.
			[RT #11706]

1678.	[bug]		RRSIG should use TYPEXXXXX for unknown types.

1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.

1676.	[func]		New option "allow-query-cache".  This lets
			allow-query be used to specify the default zone
			access level rather than having to have every
			zone override the global value.  allow-query-cache
			can be set at both the options and view levels.
			If allow-query-cache is not set allow-query applies.

1675.	[bug]		named would sometimes add extra NSEC records to
			the authority section.
			
1674.	[port]		linux: increase buffer size used to scan
			/proc/net/if_inet6.

1673.	[port]		linux: issue a error messages if IPv6 interface
			scans fails.

1672.	[cleanup]	Tests which only function in a threaded build
			now return R:THREADONLY (rather than R:UNTESTED)
			in a non-threaded build.

1671.	[contrib]	queryperf: add NAPTR to the list of known types.

1670.	[func]		Log UPDATE requests to slave zones without an acl as
			"disabled" at debug level 3. [RT# 11657]

1669.	[placeholder]

1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.

1667.	[port]		linux: not all versions have IF_NAMESIZE.

1666.	[bug]		The optional port on hostnames in dual-stack-servers
			was being ignored.

1665.	[func]		rndc now allows addresses to be set in the
			server clauses.

1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.

1663.	[func]		Look for OpenSSL by default.

1662.	[bug]		Change #1658 failed to change one use of 'type'
			to 'keytype'.

1661.	[bug]		Restore dns_name_concatenate() call in
			adb.c:set_target().  [RT #11582]

1660.	[bug]		win32: connection_reset_fix() was being called
			unconditionally.  [RT #11595]

1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
			DNSKEY, NXT vs NSEC and SIG vs RRSIG.

1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
			and DH.  Tighten which options apply to KEY and
			DNSKEY records.

1657.	[doc]		ARM: document query log output.

1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
			DNSKEY and RRSIG.  [RT #11542]

1655.	[bug]		Logging multiple versions w/o a size was broken.
			[RT #11446]

1654.	[bug]		isc_result_totext() contained array bounds read
			error.

1653.	[func]		Add key type checking to dst_key_fromfilename(),
			DST_TYPE_KEY should be used to read TSIG, TKEY and
			SIG(0) keys.

1652.	[bug]		TKEY still uses KEY.

1651.	[bug]		dig: process multiple dash options.

1650.	[bug]		dig, nslookup: flush standard out after each command.

1649.	[bug]		Silence "unexpected non-minimal diff" message.
			[RT #11206]

1648.	[func]		Update dnssec-lookaside named.conf syntax to support
			multiple dnssec-lookaside namespaces (not yet
			implemented).  

1647.	[bug]		It was possible trigger a INSIST when chasing a DS
			record that required walking back over a empty node.
			[RT #11445]

1646.	[bug]		win32: logging file versions didn't work with
			non-UNC filenames.  [RT#11486]

1645.	[bug]		named could trigger a REQUIRE failure if multiple
			masters with keys are specified.

1644.	[bug]		Update the journal modification time after a
			sucessfull refresh query. [RT #11436]

1643.	[bug]		dns_db_closeversion() could leak memory / node
			references. [RT #11163]

1642.	[port]		Support OpenSSL implementations which don't have
			DSA support. [RT #11360]

1641.	[bug]		Update the check-names description in ARM. [RT #11389]

1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
			incorrectly closing the socket.  [RT #11291]

1639.	[func]		Initial dlv system test.

1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
			failure if the journal open failed. [RT #11347]
			
1637.	[bug]		Node reference leak on error in addnoqname().

1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
			a error had occured.  The database version no longer
			matched the version of the database that was dumped.

1635.	[bug]		Memory leak on error in query_addds().

1634.	[bug]		named didn't supply a useful error message when it
			detected duplicate views.  [RT #11208]

1633.	[bug]		named should return NOTIMP to update requests to a
			slaves without a allow-update-forwarding acl specified.
			[RT #11331]

1632.	[bug]		nsupdate failed to send prerequisite only UPDATE
			messages. [RT #11288]

1631.	[bug]		dns_journal_compact() could sometimes corrupt the
			journal. [RT #11124]

1630.	[contrib]	queryperf: add support for IPv6 transport.

1629.	[func]		dig now supports IPv6 scoped addresses with the
			extended format in the local-server part. [RT #8753]

1628.	[bug]		Typo in Compaq Trucluster support. [RT# 11264]

1627.	[bug]		win32: sockets were not being closed when the
			last external reference was removed. [RT# 11179]

1626.	[bug]		--enable-getifaddrs was broken. [RT#11259]

1625.	[bug]		named failed to load/transfer RFC2535 signed zones
			which contained CNAMES. [RT# 11237]

1624.	[bug]		zonemgr_putio() call should be locked. [RT# 11163]

1623.	[bug]		A serial number of zero was being displayed in the
			"sending notifies" log message when also-notify was
			used. [RT #11177]

1622.	[func]		probe the system to see if IPV6_(RECV)PKTINFO is
			available, and suppress wildcard binding if not.

1621.	[bug]		match-destinations did not work for IPv6 TCP queries.
			[RT# 11156]

1620.	[func]		When loading a zone report if it is signed. [RT #11149]

1619.	[bug]		Missing ISC_LIST_UNLINK in end_reserved_dispatches().
			[RT# 11118]

1618.	[bug]		Fencepost errors in dns_name_ishostname() and
			dns_name_ismailbox() could trigger a INSIST().

1617.	[port]		win32: VC++ 6.0 support.

1616.	[compat]	Ensure that named's version is visible in the core
			dump. [RT #11127]

1615.	[port]		Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
			it is defined.

1614.	[port]		win32: silence resource limit messages. [RT# 11101]

1613.	[bug]		Builds would fail on machines w/o a if_nametoindex().
			Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
			[RT #11119]

1612.	[bug]		check-names at the option/view level could trigger
			an INSIST. [RT# 11116]

1611.	[bug]		solaris: IPv6 interface scanning failed to cope with
			no active IPv6 interfaces.

1610.	[bug]		On dual stack machines "dig -b" failed to set the
			address type to be looked up with "@server".
			[RT #11069]

1609.	[func]		dig now has support to chase DNSSEC signature chains.
			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.

			DNSSEC validation code in dig coded by Olivier Courtay
			(olivier.courtay@irisa.fr) for the IDsA project
			(http://idsa.irisa.fr).

1608.	[func]		dig and host now accept -4/-6 to select IP transport
			to use when making queries.

1607.	[bug]		dig, host and nslookup were still using random()
			to generate query ids. [RT# 11013]

1606.	[bug]	 	DLV insecurity proof was failing.

1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.

1604.	[bug]		A xfrout_ctx_create() failure would result in
			xfrout_ctx_destroy() being called with a
			partially initaliased structure.
			
1603.	[bug]		nsupdate: set interactive based on isatty().
			[RT# 10929]

1602.	[bug]		Logging to a file failed unless a size was specified.
			[RT# 10925]

1601.	[bug]		Silence spurious warning 'both "recursion no;" and 
			"allow-recursion" active' warning from view "_bind".
			[RT# 10920]

1600.	[bug]		Duplicate zone pre-load checks were not case
			insensitive.

1599.	[bug]		Fix memory leak on error path when checking named.conf.

1598.	[func]		Specify that certain parts of the namespace must
			be secure (dnssec-must-be-secure).

1597.	[placeholder]	rt6496a

1596.	[func]		Accept 'notify-source' style syntax for query-source.

1595.	[func]		New notify type 'master-only'.  Enable notify for
			master zones only.

1594.	[bug]		'rndc dumpdb' could prevent named from answering
			queries while the dump was in progress.  [RT #10565]

1593.	[bug]		rndc should return "unknown command" to unknown
			commands. [RT# 10642]

1592.	[bug]		configure_view() could leak a dispatch. [RT# 10675]

1591.	[bug]		libbind: updated to BIND 8.4.5.

1590.	[port]		netbsd: update thread support.

1589.	[func]		DNSSEC lookaside validation.

1588.	[bug]		win32: TCP sockets could become blocked. [RT #10115]

1587.	[bug]		dns_message_settsigkey() failed to clear existing key.
			[RT #10590]

1586.	[func]		"check-names" is now implemented.

1585.	[placeholder]

1584.	[bug]		"make test" failed with a read only source tree.
			[RT #10461]

1583.	[bug]		Records add via UPDATE failed to get the correct trust
			level. [RT #10452]

1582.	[bug]		rrset-order failed to work on RRsets with more
			than 32 elements. [RT #10381]

1581.	[func]		Disable DNSSEC support by default.  To enable
			DNSSEC specify "dnssec-enable yes;" in named.conf.

1580.	[bug]		Zone destruction on final detach takes a long time.
			[RT #3746]

1579.	[bug]		Multiple task managers could not be created.

1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
			[RT #10346]

1577.	[bug]		Use isc_uint32_t in ultrasparc optimizer bug
			workaround code. [RT #10331]

1576.	[bug]		Race condition in dns_dispatch_addresponse().
			[RT# 10272]

1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]

1574.	[bug]		Don't attempt to open the controls socket(s) when
			running tests. [RT #9091]

1573.	[port]		linux: update to libtool 1.5.2 so that
			"make install DESTDIR=/xx" works with
			"configure --with-libtool".  [RT #9941]

1572.	[bug]		nsupdate: sign the soa query to find the enclosing
			zone if the server is specified. [RT #10148]

1571.	[bug]		rbt:hash_node() could fail leaving the hash table
			in an inconsistent state.  [RT #10208]

1570.	[bug]		nsupdate failed to handle classes other than IN.
			New keyword 'class' which sets the default class.
			[RT #10202]

1569.	[func]		nsupdate new command 'answer' which displays the
			complete answer message to the last update.

1568.	[bug]		nsupdate now reports that the update failed in
			interactive mode. [RT# 10236]

1567.	[bug]		B.ROOT-SERVERS.NET is now 192.228.79.201.

1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
			This also solved the problem that match-destinations
			for IPv6 addresses did not work on these systems.
			[RT #10221]

1565.	[bug]		CD flag should be copied to outgoing queries unless
			the query is under a secure entry point in which case
			CD should be set.

1564.	[func]		Attempt to provide a fallback entropy source to be
			used if named is running chrooted and named is unable
			to open entropy source within the chroot area.
			[RT #10133]

1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
			nor an IPv6 dispatch. [RT #10230]

1562.	[bug]		isc_socket_create() and isc_socket_accept() could
			leak memory under error conditions. [RT #10230]

1561.	[bug]		It was possible to release the same name twice if
			named ran out of memory. [RT #10197]

1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
			and EAI_NONAME to the same value.

1559.	[port]		named should ignore SIGFSZ.

1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
			child zones for which we don't have a supported
			algorithm.  Such child zones are treated as unsigned.

1557.	[func]		Implement missing DNSSEC tests for
			* NOQNAME proof with wildcard answers.
			* NOWILDARD proof with NXDOMAIN.
			Cache and return NOQNAME with wildcard answers.

1556.	[bug]		nsupdate now treats all names as fully qualified.
			[RT #6427]

1555.	[func]		'rrset-order cyclic' no longer has a random starting
			point. [RT #7572]

1554.	[bug]		dig, host, nslookup failed when no nameservers
			were specified in /etc/resolv.conf. [RT #8232]

1553.	[bug]		The windows socket code could stop accepting
			connections. [RT#10115]

1552.	[bug]		Accept NOTIFY requests from mapped masters if
			matched-mapped is set. [RT #10049]

1551.	[port]		Open "/dev/null" before calling chroot().

1550.	[port]		Call tzset(), if available, before calling chroot().

1549.	[func]		named-checkzone can now write out the zone contents
			in a easily parsable format (-D and -o).

1548.	[bug]		When parsing APL records it was possible to silently
			accept out of range ADDRESSFAMILY values. [RT# 9979]

1547.	[bug]		Named wasted memory recording duplicate lame zone
			entries. [RT #9341]

1546.	[bug]		We were rejecting valid secure CNAME to negative
			answers.

1545.	[bug]		It was possible to leak memory if named was unable to
			bind to the specified transfer source and TSIG was
			being used. [RT #10120]

1544.	[bug]		Named would logged a single entry to a file despite it
			being over the specified size limit.

1543.	[bug]		Logging using "versions unlimited" did not work.

1542.	[placeholder]

1541.	[func]		NSEC now uses new bitmap format.

1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
			[RT #8934]

1539.	[bug]		Open UDP sockets for notify-source and transfer-source
			that use reserved ports at startup. [RT #9475]

1538.	[placeholder]	rt9997

1537.	[func]		New option "querylog".  If set specify whether query
			logging is to be enabled or disabled at startup.

1536.	[bug]		Windows socket code failed to log a error description
			when returning ISC_R_UNEXPECTED. [RT #9998]

1535.	[placeholder]

1534.	[bug]		Race condition when priming cache. [RT# 9940]

1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
			are active. [RT# 4389]

1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
			requires <sys/param.h>.

1531.	[port]		AIX more libtool fixes.

1530.	[bug]		It was possible to trigger a INSIST() failure if a
			slave master file was removed at just the correct
			moment. [RT #9462]

1529.	[bug]		"notify explicit;" failed to log that NOTIFY messages
			were being sent for the zone. [RT# 9442]

1528.	[cleanup]	Simplify some dns_name_ functions based on the
			deprecation of bitstring labels.

1527.	[cleanup]	Reduce the number of gettimeofday() calls without
			losing necessary timer granularity.

1526.	[placeholder]

1525.	[bug]		dns_cache_create() could trigger a REQUIRE
			failure in isc_mem_put() during error cleanup.
			[RT# 9360]

1524.	[port]		AIX needs to be able to resolve all symbols when
			creating shared libraries (--with-libtool).

1523.	[bug]		Fix race condition in rbtdb. [RT# 9189]

1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
			[RT# 9286]

1521.	[bug]		dns_view_createresolver() failed to check the
			result from isc_mem_create(). [RT# 9294]

1520.	[protocol]	Add SSHFP (SSH Finger Print) type.

1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
			length of the new bitmap.

1518.	[bug]		dns_nsec_buildrdata(), and hence dns_nsec_build(),
			contained a off-by-one error when working out the
			number of octets in the bitmap.

1517.	[port]		Support for IPv6 interface scanning on HP/UX and
			TrueUNIX 5.1.

1516.	[func]		Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.

1515.	[func]		Allow transfer source to be set in a server statement.
			[RT #6496]

1514.	[bug]		named: isc_hash_destroy() was being called too early.
			[RT #9160]

1513.	[doc]		Add "US" to root-delegation-only exclude list.

1512.	[bug]		Extend the delegation-only logging to return query
			type, class and responding nameserver.

1511.	[bug]		delegation-only was generating false positives
			on negative answers from subzones.

1510.	[func]		New view option "root-delegation-only".  Apply
			delegation-only check to all TLDs and root.
			Note there are some TLDs that are NOT delegation
			only (e.g. DE, LV, US and MUSEUM) these can be excluded
			from the checks by using exclude.

			root-delegation-only exclude {
				"DE"; "LV"; "US"; "MUSEUM";
			};

1509.	[bug]		Hint zones should accept delegation-only.  Forward
			zone should not accept delegation-only.

1508.	[bug]		Don't apply delegation-only checks to answers from
			forwarders.

1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
			when making delegation-only checks.

1506.	[bug]		Wrong return type for dns_view_isdelegationonly().

1505.	[bug]		Uninitialized rdataset in sdb. [RT #8750]

1504.	[func]		New zone type "delegation-only".

1503.	[port]		win32: install libeay32.dll outside of system32.

1502.	[bug]		nsupdate: adjust timeouts for UPDATE requests over TCP.

1501.	[func]		Allow TCP queue length to be specified via
			named.conf, tcp-listen-queue.

1500.	[bug]		host failed to lookup MX records.  Also look up
			AAAA records.

1499.	[bug]		isc_random need to be seeded better if arc4random()
			is not used.

1498.	[port]		bsdos: 5.x support.

1497.	[placeholder]

1496.	[port]		test for pthread_attr_setstacksize().

1495.	[cleanup]	Replace hash functions with universal hash.

1494.	[security]	Turn on RSA BLINDING as a precaution.

1493.	[placeholder]

1492.	[cleanup]	Preserve rwlock quota context when upgrading /
			downgrading. [RT #5599]

1491.	[bug]		dns_master_dump*() would produce extraneous $ORIGIN
			lines. [RT #6206]

1490.	[bug]		Accept reading state as well as working state in
			ns_client_next(). [RT #6813]

1489.	[compat]	Treat 'allow-update' on slave zones as a warning.
			[RT #3469]

1488.	[bug]		Don't override trust levels for glue addresses.
			[RT #5764]

1487.	[bug]		A REQUIRE() failure could be triggered if a zone was
			queued for transfer and the zone was then removed.
			[RT #6189]

1486.	[bug]		isc_print_snprintf() '%%' consumed one too many format
			characters. [RT# 8230]

1485.	[bug]		gen failed to handle high type values. [RT #6225]

1484.	[bug]		The number of records reported after a AXFR was wrong.
			[RT #6229]

1483.	[bug]		dig axfr failed if the message id in the answer failed
			to match that in the request.  Only the id in the first
			message is required to match. [RT #8138]

1482.	[bug]		named could fail to start if the kernel supports
			IPv6 but no interfaces are configured.  Similarly
			for IPv4. [RT #6229]

1481.	[bug]		Refresh and stub queries failed to use masters keys
			if specified. [RT #7391]

1480.	[bug]		Provide replay protection for rndc commands.  Full
			replay protection requires both rndc and named to
			be updated.  Partial replay protection (limited
			exposure after restart) is provided if just named
			is updated.

1479.	[bug]		cfg_create_tuple() failed to handle out of
			memory cleanup.  parse_list() would leak memory
			on syntax errors.

1478.	[port]		ifconfig.sh didn't account for other virtual
			interfaces.  It now takes a optional argument
			to specify the first interface number. [RT #3907]

1477.	[bug]		memory leak using stub zones and TSIG.

1476.	[placeholder]

1475.	[port]		Probe for old sprintf().