2741.	[func]		Allow the dnssec-keygen progress messages to be
			suppressed (dnssec-keygen -q).  Automatically 
			suppress the progress messages when stdin is not
			a tty. [RT #20474]

2740.	[func]		Identify bad answers from GTLD servers and treat them
			as referrals. [RT #18884]

2739.	[cleanup]	Clean up API for initializing and clearing trust
			anchors for a view. [RT #20211]

2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
			test. [RT #20453]

2737.	[func]		UPDATE requests can leak existence information.
			[RT #17261]

2736.	[func]		Improve the performance of NSEC signed zones with
			more than a normal amount of glue below a delegation.
			[RT #20191]

2735.	[bug]		dnssec-signzone could fail to read keys
			that were specified on the command line with
			full paths, but weren't in the current
			directory. [RT #20421]

2734.	[port]		cygwin: arpaname did not compile. [RT #20473]

2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]

2732.	[func]		Add optional filter-aaaa-on-v4 option, available
			if built with './configure --enable-filter-aaaa'.
			Filters out AAAA answers to clients connecting
			via IPv4.  (This is NOT recommended for general
			use.) [RT #20339]

2731.	[func]		Additional work on change 2709.  The key parser
			will now ignore unrecognized fields when the
			minor version number of the private key format
			has been increased.  It will reject any key with
			the major version number increased. [RT #20310]

2730.	[func]		Have dnssec-keygen display a progress indication
			a la 'openssl genrsa' on standard error. Note
			when the first '.' is followed by a long stop
			one has the choice between slow generation vs.
			poor random quality, i.e., '-r /dev/urandom'.
			[RT #20284]

2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
			TTL. [RT #20451]

2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
			dnssec-signzone now warn immediately if asked to
			write into a nonexistent directory. [RT #20278]

2727.	[func]		The 'key-directory' option can now specify a relative
			path. [RT #20154]

2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
			RSASHA256 and RSASHA512. [RT #20023]

2725.	[doc]		Added information about the file "managed-keys.bind"
			to the ARM. [RT #20235]

2724.	[bug]		Updates to an existing node in a secure zone using NSEC
			were failing. [RT #20448]

2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
			isc_base64_totext(), didn't always mark regions of
			memory as fully consumed after conversion.  [RT #20445]

2722.	[bug]		Ensure that the memory associated with the name of
			a node in a rbt tree is not altered during the life
			of the node. [RT #20431]

2721.	[port]		Have dst__entropy_status() prime the random number
			generator. [RT #20369]

2720.	[bug]		RFC 5011 trust anchor updates could trigger an
			assert if the DNSKEY record was unsigned. [RT #20406]

2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
			[RT #20392]

2718.	[bug]		The space calculations in opensslrsa_todns() were
			incorrect. [RT #20394]

2717.	[bug]		named failed to update the NSEC/NSEC3 record when
			the last private type record was removed as a result
			of completing the signing of the zone with a key.
			[RT #20399]

2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]

	--- 9.7.0b1 released ---

2715.	[bug]		Require OpenSSL support to be explicitly disabled.
			[RT #20288]

2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
			flags.

2713.	[bug]		powerpc: atomic operations missing asm("ics") /
			__isync() calls.

2712.	[func]		New 'auto-dnssec' zone option allows zone signing
			to be fully automated in zones configured for
			dynamic DNS.  'auto-dnssec allow;' permits a zone
			to be signed by creating keys for it in the
			key-directory and using 'rndc sign <zone>'.
			'auto-dnssec maintain;' allows that too, plus it
			also keeps the zone's DNSSEC keys up to date
			according to their timing metadata. [RT #19943]
			
2711.	[port]		win32: Add the bin/pkcs11 tools into the full
			build. [RT #20372]

2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
			zone option cause a zone to be signed with only KSKs
			signing the DNSKEY RRset, not ZSKs.  This reduces
			the size of a DNSKEY answer.  [RT #20340]

2709.	[func]		Added some data fields, currently unused, to the
			private key file format, to allow implementation
			of explicit key rollover in a future release
			without impairing backward or forward compatibility.
			[RT #20310]

2708.	[func]		Insecure to secure and NSEC3 parameter changes via
			update are now fully supported and no longer require
			defines to enable.  We now no longer overload the
			NSEC3PARAM flag field, nor the NSEC OPT bit at the
			apex.  Secure to insecure changes are controlled by
			the named.conf option 'secure-to-insecure'.

			Warning: If you had previously enabled support by
			adding defines at compile time to BIND 9.6 you should
			ensure that all changes that are in progress have
			completed prior to upgrading to BIND 9.7.  BIND 9.7
			is not backwards compatible.

2707.	[func]		dnssec-keyfromlabel no longer requires engine name
			to be specified in the label if there is a default
			engine or the -E option has been used.  Also, it
			now uses default algorithms as dnssec-keygen does
			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
			[RT #20371]

2706.	[bug]		Loading a zone with a very large NSEC3 salt could
			trigger an assert. [RT #20368]

2705.	[placeholder]

2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
			with their SOA serial.  [RT #19387]

2703.	[func]		Introduce an OpenSSL "engine" argument with -E
			for all binaries which can take benefit of
			crypto hardware. [RT #20230]

2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]

2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
			supported TSIG key algorithm. [RT #18046]

2700.	[doc]		The match-mapped-addresses option is discouraged.
			[RT #12252]

2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]

2698.	[placeholder]

2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
			S_IFREG are defined after including <isc/stat.h>.
			[RT #20309]

2696.	[bug]		named failed to successfully process some valid
			acl constructs. [RT #20308]

2695.	[func]		DHCP/DDNS - update fdwatch code for use by
			DHCP.  Modify the api to isc_sockfdwatch_t (the
			callback function for isc_socket_fdwatchcreate)
			to include information about the direction (read
			or write) and add isc_socket_fdwatchpoke.
			[RT #20253]

2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
			[RT #19970]

2693.	[port]		Add some noreturn attributes. [RT #20257]

2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]

2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
			chain when re-signing a previously-signed zone.
			Use -u to modify NSEC3 parameters or switch
			between NSEC and NSEC3. [RT #20304]

2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
			[RT #20315]

2689.	[bug]		Correctly handle snprintf result. [RT #20306]

2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
			to decide to fetch the destination address. [RT #20305]

2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
			Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]

2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
			signing with NSEC3 and vice versa. [RT #20301]

2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
			+adflag and +cdflag.  [RT #19305]

2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
			the NSEC3 parameters used to sign the zone change.
			[RT #20246]

2682.	[bug]		"configure --enable-symtable=all" failed to
			build. [RT #20282]

2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
			decoded. [RT #20269]

2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679.	[func]		dig -k can now accept TSIG keys in named.conf
			format.  [RT #20031]

2678.	[func]		Treat DS queries as if "minimal-response yes;"
			was set. [RT #20258]

2677.	[func]		Changes to key metadata behavior:
			- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[RT #20247]

2676.	[bug]		--with-export-installdir should have been
			--with-export-includedir. [RT #20252]

2675.	[bug]		dnssec-signzone could crash if the key directory
                        did not exist. [RT #20232]

	--- 9.7.0a3 released ---

2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
			without openssl. [RT #20231]

2673.	[bug]		The managed-keys.bind zone file could fail to
			load due to a spurious result from sync_keyzone()
			[RT #20045]

2672.	[bug]		Don't enable searching in 'host' when doing reverse
			lookups. [RT #20218]

2671.	[bug]		Add support for PKCS#11 providers not returning
			the public exponent in RSA private keys
			(OpenCryptoki for instance) in
			dnssec-keyfromlabel. [RT #19294]

2670.	[bug]		Unexpected connect failures failed to log enough
			information to be useful. [RT #20205]

2669.	[func]		Update PKCS#11 support to support Keyper HSM.
			Update PKCS#11 patch to be against openssl-0.9.8i.

2668.	[func]		Several improvements to dnssec-* tools, including:
			- dnssec-keygen and dnssec-settime can now set key
			  metadata fields 0 (to unset a value, use "none")
			- dnssec-revoke sets the revocation date in
			  addition to the revoke bit
			- dnssec-settime can now print individual metadata
			  fields instead of always printing all of them,
			  and can print them in unix epoch time format for
			  use by scripts
			[RT #19942]

2667.	[func]		Add support for logging stack backtrace on assertion
			failure (not available for all platforms). [RT #19780]

2666.	[func]		Added an 'options' argument to dns_name_fromstring()
			(API change from 9.7.0a2). [RT #20196]

2665.	[func]		Clarify syntax for managed-keys {} statement, add
			ARM documentation about RFC 5011 support. [RT #19874]

2664.	[bug]		create_keydata() and minimal_update() in zone.c
			didn't properly check return values for some
			functions.  [RT #19956]

2663.	[func]		win32:  allow named to run as a service using
			"NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
			returned a misleading error code when lwresd was
			down. [RT #20028]

2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
			creating lwres context. [RT #20029]

2660.	[func]		Add a new set of DNS libraries for non-BIND9
			applications.  See README.libdns. [RT #19369]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevant DLLs.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2653.	[bug]		Treat ENGINE_load_private_key() failures as key
			not found rather than out of memory.  [RT #18033]

2652.	[func]		Provide more detail about what record is being
			deleted. [RT #20061]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
                        to read keyset-* files. [RT #20075]

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
			added. [RT #19913]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone. (The "ddns-autoconf" option has been removed.)
                        [RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]

2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]

2624.	[func]		'named-checkconf -p' will print out the parsed
			configuration. [RT #18871]

2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]

2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]

2620.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2619.	[func]		Add support for RFC 5011, automatic trust anchor
			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug]		ifconfig.sh failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when an explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2613.	[placeholder]

	--- 9.7.0a1 released ---

2612.	[func]		Add default values for the arguments to
			dnssec-keygen.  Without arguments, it will now
			generate a 1024-bit RSASHA1 zone-signing key,
			or with the -f KSK option, a 2048-bit RSASHA1
			key-signing key. [RT #19300]

2611.	[func]		Add -l option to dnssec-dsfromkey to generate
			DLV records instead of DS records. [RT #19300]

2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]

2609.	[func]		Simplify the configuration of dynamic zones:
			- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]

2608.	[func]		Perform post signing verification checks in
			dnssec-signzone.  These can be disabled with -P.

			The post sign verification test ensures that for each
			algorithm in use there is at least one non revoked
			self signed KSK key.  That all revoked KSK keys are
			self signed.  That all records in the zone are signed
			by the algorithm.  [RT #19653]

2607.	[bug]		named could incorrectly delete NSEC3 records for
			empty nodes when processing an update request.
			[RT #19749]

2606.	[bug]		"delegation-only" was not being accepted in
			delegation-only type zones. [RT #19717]

2605.	[bug]		Accept DS responses from delegation only zones.
			[RT #19296]

2604.	[func]		Add support for DNS rebinding attack prevention through
			new options, deny-answer-addresses and
			deny-answer-aliases.  Based on contributed code from
			JD Nurmi, Google. [RT #18192]

2603.	[port]		win32: handle .exe extension of named-checkzone and
			named-compilezone argv[0] names under windows.
			[RT #19767]

2602.	[port]		win32: fix debugging command line build of libisccfg.
			[RT #19767]

2601.	[doc]		Mention file creation mode mask in the
			named manual page.

2600.	[doc]		ARM: miscellaneous reformatting for different
			page widths. [RT #19574]

2599.	[bug]		Address rapid memory growth when validation fails.
			[RT #19654]

2598.	[func]		Reserve the -F flag. [RT #19657]

2597.	[bug]		Handle a validation failure with an insecure delegation
			from a NSEC3 signed master/slave zone.  [RT #19464]

2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
			long, leading to inefficient memory usage or rejecting
			newer cache entries in the worst case. [RT #19563]

2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]

2594.	[func]		Have rndc warn if using its default configuration
			file when the key file also exists. [RT #19424]

2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]

2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]

2591.	[bug]		named could die when processing an update in
			removed_orphaned_ds(). [RT #19507]

2590.	[func]		Report zone/class of "update with no effect".
			[RT #19542]

2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
			[RT #19626]

2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
			of bind(2) call.  This should be rare and mostly
			harmless, but may cause interference with other
			processes that happen to use the same port. [RT #19642]

2587.	[func]		Improve logging by reporting serial numbers for
			when zone serial has gone backwards or unchanged.
			[RT #19506]

2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
			or SDB. [RT #19577]

2585.	[bug]		Uninitialized socket name could be referenced via a
			statistics channel, triggering an assertion failure in
			XML rendering. [RT #19427]

2584.	[bug]		alpha: gcc optimization could break atomic operations.
			[RT #19227]

2583.	[port]		netbsd: provide a control to not add the compile
			date to the version string, -DNO_VERSION_DATE.

2582.	[bug]		Don't emit warning log message when we attempt to
			remove non-existent journal. [RT #19516]

2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
			Requires MySQL 5.0.19 or later. [RT #19084]

2580.	[bug]		UpdateRej statistics counter could be incremented twice
			for one rejection. [RT #19476]

2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
			algorithms. [RT #19479]

2578.	[bug]		Changed default sig-signing-type to 65534, because
			65535 turns out to be reserved.  [RT #19477]

2577.	[doc]		Clarified some statistics counters. [RT #19454]

2576.	[bug]		NSEC records were not being correctly signed when
			a zone transitions from insecure to secure.
			Handle such incorrectly signed zones. [RT #19114]

2575.	[func]		New functions dns_name_fromstring() and
			dns_name_tostring(), to simplify conversion
			of a string to a dns_name structure and vice
			versa. [RT #19451]

2574.	[doc]		Document nsupdate -g and -o. [RT #19351]

2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
			single transaction in a signed zone failed. [RT #19397]

2572.	[func]		Simplify DLV configuration, with a new option
			"dnssec-lookaside auto;"  This is the equivalent
			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
			plus setting a trusted-key for dlv.isc.org.

			Note: The trusted key is hard-coded into named,
			but is also stored in (and can be overridden
			by) $sysconfdir/bind.keys.  As the ISC DLV key
			rolls over it can be kept up to date by replacing
			the bind.keys file with a key downloaded from
			https://www.isc.org/solutions/dlv. [RT #18685]

2571.	[func]		Add a new tool "arpaname" which translates IP addresses
			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
			[RT #18976]

2570.	[func]		Log the destination address the query was sent to.
			[RT #19209]

2569.	[func]		Move journalprint, nsec3hash, and genrandom
			commands from bin/tests into bin/tools;
			"make install" will put them in $sbindir. [RT #19301]

2568.	[bug]		Report when the write to indicate an otherwise
			successful start fails. [RT #19360]

2567.	[bug]		dst__privstruct_writefile() could miss write errors.
			write_public_key() could miss write errors.
			dnssec-dsfromkey could miss write errors.
			[RT #19360]

2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
			response arrives from a zone thought to be secure:
			"insecurity proof failed" instead of "not
			insecure". [RT #19400]

2565.	[func]		Add support for HIP record.  Includes new functions
			dns_rdata_hip_first(), dns_rdata_hip_next()
			and dns_rdata_hip_current().  [RT #19384]

2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
			[RT #19405]

2563.	[bug]		Dig could leak a socket causing it to wait forever
			to exit. [RT #19359]

2562.	[doc]		ARM: miscellaneous improvements, reorganization,
			and some new content.

2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]

2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]

2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
			reading from K* files.  [RT #19357]

2558.	[func]		Set the ownership of missing directories created
			for pid-file if -u has been specified on the command
			line. [RT #19328]

2557.	[cleanup]	PCI compliance:
			* new libisc log module file
			* isc_dir_chroot() now also changes the working
			  directory to "/".
			* additional INSISTs
			* additional logging when files can't be removed.

2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
			error checks in the correct order resulting in the
			wrong error code sometimes being returned. [RT #19249]

2555.	[func]		dig: when emitting a hex dump also display the
			corresponding characters. [RT #19258]

2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
			fail. [RT #19297]

2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]

2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
			[RT #19340]

2551.	[bug]		Potential Reference leak on return. [RT #19341]

2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
			[RT #19343]

2549.	[port]		linux: define NR_OPEN if not currently defined.
			[RT #19344]

2548.	[bug]		Install iterated_hash.h. [RT #19335]

2547.	[bug]		openssl_link.c:mem_realloc() could reference an
			out-of-range area of the source buffer.  New public
			function isc_mem_reallocate() was introduced to address
			this bug. [RT #19313]

2546.	[func]		Add --enable-openssl-hash configure flag to use
			OpenSSL (in place of internal routine) for hash
			functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.	[doc]		ARM: Legal hostname checking (check-names) is
			for SRV RDATA too. [RT #19304]

2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]

2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]

2542.	[doc]		Update the description of dig +adflag. [RT #19290]

2541.	[bug]		Conditionally update dispatch manager statistics.
			[RT #19247]

2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]

2539.	[security]	Update the interaction between recursion, allow-query,
			allow-query-cache and allow-recursion.  [RT #19198]

2538.	[bug]		cache/ADB memory could grow over max-cache-size,
			especially with threads and smaller max-cache-size
			values. [RT #19240]

2537.	[func]		Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2536.	[cleanup]	Silence some warnings when -Werror=format-security is
			specified. [RT #19083]

2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]

2534.	[func]		Check NAPTR records regular expressions and
			replacement strings to ensure they are syntactically
			valid and consistent. [RT #18168]

2533.	[doc]		ARM: document @ (at-sign). [RT #17144]

2532.	[bug]		dig: check the question section of the response to
			see if it matches the asked question. [RT #18495]

2531.	[bug]		Change #2207 was incomplete. [RT #19098]

2530.	[bug]		named failed to reject insecure to secure transitions
			via UPDATE. [RT #19101]

2529.	[cleanup]	Upgrade libtool to silence complaints from recent
			version of autoconf. [RT #18657]

2528.   [cleanup]	Silence spurious configure warning about
			--datarootdir [RT #19096]

2527.	[placeholder]

2526.	[func]		New named option "attach-cache" that allows multiple
			views to share a single cache to save memory and
			improve lookup efficiency.  Based on contributed code
			from Barclay Osborn, Google. [RT #18905]

2525.	[func]		New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
			[RT #19112]

2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.	[bug]		Improve epoll cross compilation support. [RT #19047]

2520.	[bug]		Update xml statistics version number to 2.0 as change
			#2388 made the schema incompatible to the previous
			version. [RT #19080]

2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
			nameserver addresses of the excluded address family
			preceded in resolv.conf. [RT #19081]

2518.	[func]		Add support for the new CERT types from RFC 4398.
			[RT #19077]

2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
			nameserver address of the excluded address type.
			[RT #18843]

2516.	[bug]		glue sort for responses was performed even when not
			needed. [RT #19039]

2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
			[RT #19063]

2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
			a nameserver of the excluded address family.
			[RT #18848]

2513.	[bug]		Fix windows cli build. [RT #19062]

2512.	[func]		Print a summary of the cached records which make up
			the negative response.  [RT #18885]

2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
			[RT #18885]

2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
			[RT #19033]

2509.	[bug]		Specifying a fixed query source port was broken.
			[RT #19051]

2508.	[placeholder]

2507.	[func]		Log the recursion quota values when killing the
			oldest query or refusing to recurse due to quota.
			[RT #19022]

2506.	[port]		solaris: Check at configure time if
			hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.	[port]		Treat amd64 similarly to x86_64 when determining
			atomic operation support. [RT #19031]

2504.	[bug]		Address race condition in the socket code. [RT #18899]

2503.	[port]		linux: improve compatibility with Linux Standard
			Base. [RT #18793]

2502.	[cleanup]	isc_radix: Improve compliance with coding style,
			document function in <isc/radix.h>. [RT #18534]

2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
			rdata types need to be quoted.  See the ARM for
			details. [RT #18368]

2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
			function. [RT #18582]

2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
			[RT #18837]

	--- 9.6.0rc1 released ---

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
			delegation.

2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]

2495.	[bug]		Tighten RRSIG checks. [RT #18795]

2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
			installed. [RT #18826]

2493.	[bug]		The linux capabilities code was not correctly cleaning
			up after itself. [RT #18767]

2492.	[func]		Rndc status now reports the number of cpus discovered
			and the number of worker threads when running
			multi-threaded. [RT #18273]

2491.	[func]		Attempt to re-use a local port if we are already using
			the port. [RT #18548]

2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
			is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.	[port]		solaris: Work around Solaris's kernel bug about
			/dev/poll:
			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
			this workaround. [RT #18870]

2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
			from keyset and .key files. [RT #18694]

2487.	[bug]		Give TCP connections longer to complete. [RT #18675]

2486.	[func]		The default locations for named.pid and lwresd.pid
			are now /var/run/named/named.pid and
			/var/run/lwresd/lwresd.pid respectively.

			This allows the owner of the containing directory
			to be set, for "named -u" support, and allows there
			to be a permanent symbolic link in the path, for
			"named -t" support.  [RT #18306]

2485.	[bug]		Change update's handling of obscured RRSIG
			records.  Not all orphaned DS records were being
			removed. [RT #18828]

2484.	[bug]		It was possible to trigger a REQUIRE failure when
			adding NSEC3 proofs to the response in
			query_addwildcardproof().  [RT #18828]

2483.	[port]		win32: chroot() is not supported. [RT #18805]

2482.	[port]		libxml2: support versions 2.7.* in addition
			to 2.6.*. [RT #18806]

	--- 9.6.0b1 released ---

2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
			collisions.  [RT #18812]

2480.	[bug]		named could fail to emit all the required NSEC3
			records.  [RT #18812]

2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]

2478.	[bug]		'addresses' could be used uninitialized in
			configure_forward(). [RT #18800]

2477.	[bug]		dig: the global option to print the command line is
			+cmd not print_cmd.  Update the output to reflect
			this. [RT #17008]

2476.	[doc]		ARM: improve documentation for max-journal-size and
			ixfr-from-differences. [RT #15909] [RT #18541]

2475.	[bug]		LRU cache cleanup under overmem condition could purge
			particular entries more aggressively. [RT #17628]

2474.	[bug]		ACL structures could be allocated with insufficient
			space, causing an array overrun. [RT #18765]

2473.	[port]		linux: raise the limit on open files to the possible
			maximum value before spawning threads; 'files'
			specified in named.conf doesn't seem to work with
			threads as expected. [RT #18784]

2472.	[port]		linux: check the number of available CPUs before
			calling chroot as it depends on "/proc". [RT #16923]

2471.	[bug]		named-checkzone was not reporting missing mandatory
			glue when sibling checks were disabled. [RT #18768]

2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
			overwritten.  [RT #18719]

2469.	[port]		solaris: Work around Solaris's select() limitations.
			[RT #18769]

2468.	[bug]		Resolver could try unreachable servers multiple times.
			[RT #18739]

2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
			[RT #18302]

2465.	[bug]		Adb's handling of lame addresses was different
			for IPv4 and IPv6. [RT #18738]

2464.	[port]		linux: check that a capability is present before
			trying to set it. [RT #18135]

2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
			API and glibc hides parts of the IPv6 Advanced Socket
			API as a result.  This is stupid as it breaks how the
			two halves (Basic and Advanced) of the IPv6 Socket API
			were designed to be used but we have to live with it.
			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
			API. [RT #18388]

2462.	[doc]		Document -m (enable memory usage debugging)
			option for dig. [RT #18757]

2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]

	--- 9.6.0a1 released ---

2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
			[RT #18697]

2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]

2458.	[doc]		ARM: update and correction for max-cache-size.
			[RT #18294]

2457.	[tuning]	max-cache-size is reverted to 0, the previous
			default.  It should be safe because expired cache
			entries are also purged. [RT #18684]

2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
			address, regardless of family.  They now correctly
			distinguish IPv4 from IPv6.  [RT #18559]

2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
			[RT #18639]

2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]

2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
			[RT #18316]

2452.	[func]		Improve bin/test/journalprint. [RT #18316]

2451.	[port]		solaris: handle runtime linking better. [RT #18356]

2450.	[doc]		Fix lwresd docbook problem for manual page.
			[RT #18672]

2449.	[placeholder]

2448.	[func]		Add NSEC3 support. [RT #15452]

2447.	[cleanup]	libbind has been split out as a separate product.

2446.	[func]		Add a new log message about build options on startup.
			A new command-line option '-V' for named is also
			provided to show this information. [RT #18645]

2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
			RFC1918 address, but these are not yet compiled in).
			[RT #18578]

2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
			(clear DF) for UDP responses and requests.

2443.	[bug]		win32: UDP connect() would not generate an event,
			and so connected UDP sockets would never clean up.
			Fix this by doing an immediate WSAConnect() rather
			than an io completion port type for UDP.

2442.	[bug]		A lock could be destroyed twice. [RT #18626]

2441.	[bug]		isc_radix_insert() could copy radix tree nodes
			incompletely. [RT #18573]

2440.   [bug]		named-checkconf used an incorrect test to determine
			if an ACL was set to none.

2439.   [bug]		Potential NULL dereference in dns_acl_isanyornone().
			[RT #18559]

2438.   [bug]		Timeouts could be logged incorrectly under win32.

2437.	[bug]		Sockets could be closed too early, leading to
			inconsistent states in the socket module. [RT #18298]

2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]

2435.	[bug]		Fixed an ACL memory leak affecting win32.

2434.	[bug]		Fixed a minor error-reporting bug in
			lib/isc/win32/socket.c.

2433.	[tuning]	Set initial timeout to 800ms.

2432.   [bug]		More Windows socket handling improvements.  Stop
			using I/O events and use IO Completion Ports
			throughout.  Rewrite the receive path logic to make
			it easier to support multiple simultaneous
			requesters in the future.  Add stricter consistency
			checking as a compile-time option (define
			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2431.	[bug]		Acl processing could leak memory. [RT #18323]

2430.	[bug]		win32: isc_interval_set() could round down to
			zero if the input was less than NS_INTERVAL
			nanoseconds.  Round up instead. [RT #18549]

2429.	[doc]		nsupdate should be in section 1 of the man pages.
			[RT #18283]

2428.	[bug]		dns_iptable_merge() mishandled merges of negative
			tables. [RT #18409]

2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
			was set. [RT #18528]

2426.	[bug]		libbind: inet_net_pton() can sometimes return the
			wrong value if excessively large net masks are
			supplied. [RT #18512]

2425.	[bug]		named didn't detect unavailable query source addresses
			at load time. [RT #18536]

2424.	[port]		configure now probes for a working epoll
			implementation.  Allow the use of kqueue,
			epoll and /dev/poll to be selected at compile
			time. [RT #18277]

2423.   [security]	Randomize server selection on queries, so as to
                        make forgery a little more difficult.  Instead of
                        always preferring the server with the lowest RTT,
                        pick a server with RTT within the same 128
                        millisecond band.  [RT #18441]

2422.	[bug]		Handle the special return value of an empty node as
			if it was a NXRRSET in the validator. [RT #18447]

2421.	[func]		Add new command line option '-S' for named to specify
			the max number of sockets. [RT #18493]
			Use caution: this option may not work for some
			operating systems without rebuilding named.

2420.   [bug]		Windows socket handling cleanup.  Let the io
			completion event send out canceled read/write
			done events, which keeps us from writing to memory
			we no longer have ownership of.  Add debugging
			socket_log() function.  Rework TCP socket handling
			to not leak sockets.

2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
			should not be used for isc_sockettype_fdwatch sockets.
			[RT #18521]

2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
			[RT #18430]

2417.	[bug]		Connecting UDP sockets for outgoing queries could
			unexpectedly fail with an 'address already in use'
			error. [RT #18411]

2416.	[func]		Log file descriptors that cause exceeding the
			internal maximum. [RT #18460]

2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
			in rbtdb.c. [RT #18455]

2414.	[bug]		A masterdump context held the database lock too long,
			causing various troubles such as deadlock and
			recursive lock acquisition. [RT #18311, #18456]

2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]

2412.	[bug]		win32: address a resource leak. [RT #18374]

2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
			at compilation time.  [RT #18433]

			Note: with changes #2469 and #2421 above, there is no
			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
			any more.

2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]

2409.	[bug]		Only log that we disabled EDNS processing if we were
			subsequently successful.  [RT #18029]

2408.	[bug]		A duplicate TCP dispatch event could be sent, which
			could then trigger an assertion failure in
			resquery_response().  [RT #18275]

2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]

2406.	[placeholder]

2405.	[cleanup]	The default value for dnssec-validation was changed to
			"yes" in 9.5.0-P1 and all subsequent releases; this
			was inadvertently omitted from CHANGES at the time.

2404.	[port]		hpux: files unlimited support.

2403.	[bug]		TSIG context leak. [RT #18341]

2402.	[port]		Support Solaris 2.11 and over. [RT #18362]

2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
			(from accept() or fcntl() system calls). [RT #18358]

2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
			[RT #18297]

2399.	[placeholder]

2398.	[bug]           Improve file descriptor management.  New,
			temporary, named.conf option reserved-sockets,
			default 512. [RT #18344]

2397.	[bug]		gssapi_functions had too many elements. [RT #18355]

2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
			[RT #18336]
