CHANGES 370 KB
3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
	 		[RT #32365]
			
3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]

3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
			to UDP. [RT #31690]

3410.	[bug]		Addressed Coverity warnings. [RT #31626]

3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
			from X.509 certificates, for use with DANE
			(DNS-based Authentication of Named Entities).
			[RT #30513]

3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
			are now legal in slave zones as long as
			inline-signing is in use. [RT #31078]

3407.	[placeholder]

3406.	[bug]		mem.c: Fix compilation errors when building with
			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]

3405.	[bug]		Handle time going backwards in acache. [RT #31253]

3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
			RRSIG and NSEC records from nodes that used to be
			in-zone but are now below a zone cut. [RT #31556]

3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]

3402.	[test]		The IPv6 interface numbers used for system
			tests were incorrect on some platforms. [RT #25085]

3401.	[bug]		Addressed Coverity warnings. [RT #31484]

3400.	[cleanup]	"named -V" can now report a source ID string, defined
			in the "srcid" file in the build tree and normally set
			to the most recent git hash.  [RT #31494]

3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
			clash.  [RT #31515]

3398.	[bug]		SOA parameters were not being updated with inline
			signed zones if the zone was modified while the
			server was offline. [RT #29272]

3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]

3396.	[bug]		OPT records were incorrectly removed from signed,
			truncated responses. [RT #31439]

3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
			[RT #31336]

3394.	[bug]		Adjust 'successfully validated after lower casing
			signer' log level and category. [RT #31414]

3393.	[bug]		'host -C' could core dump if REFUSED was received.
			[RT #31381]

3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]

3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
			[RT #31262]

3390.	[bug]		Silence clang compiler warnings. [RT #30417]

3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]

3388.	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]

3387.	[func]		DS digest can be disabled at runtime with
			disable-ds-digests. [RT #21581]

3386.	[bug]		Address locking violation when generating new NSEC /
			NSEC3 chains. [RT #31224]

3385.	[bug]		named-checkconf didn't detect missing master lists
			in also-notify clauses. [RT #30810]

3384.	[bug]		Improved logging of crypto errors. [RT #30963]

3383.	[security]	A certain combination of records in the RBT could
			cause named to hang while populating the additional
			section of a response. [RT #31090]

3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
			if set, regardless of the address family in use.
			[RT #24173]

3381.	[contrib]	Update queryperf to support more RR types.
			[RT #30762]

3380.	[bug]		named could die if a non-existent master list was
			referenced in an also-notify. [RT #31004]

3379.	[bug]		isc_interval_zero and isc_time_epoch should be
			"const (type)* const". [RT #31069]

3378.	[bug]		Handle missing 'managed-keys-directory' better.
			[RT #30625]

3377.	[bug]		Removed spurious newline from NSEC3 multiline
			output. [RT #31044]

3376.	[bug]		Lack of EDNS support was being recorded without a
			successful response. [RT #30811]

3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]

3374.	[bug]		isc_parse_uint32 failed to return a range error on
			systems with 64 bit longs. [RT #30232]

3373.	[bug]		win32: open raw files in binary mode. [RT #30944]

3372.	[bug]		Silence spurious "deleted from unreachable cache"
			messages.  [RT #30501]

3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
			add NS RRsets to the additional section or not.
			[RT #30479]

3370.	[bug]		Address use after free while shutting down. [RT #30241]

3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
			if built with readline support. [RT #29550]

3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
			were not C++ safe.

3367.	[bug]		dns_dnsseckey_create() result was not being checked.
			[RT #30685]

3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
			atomic operations. [RT #25181]

3365.	[bug]		Removed spurious newlines from log messages in
			zone.c [RT #30675]

3364.	[security]	Named could die on specially crafted record.
			[RT #30416]

3363.	[bug]		Need to allow "forward" and "forwarders" options
			in static-stub zones; this had been overlooked.
			[RT #30482]

3362.	[bug]		Setting some option values to 0 in named.conf
			could trigger an assertion failure on startup.
			[RT #27730]

3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
			when salt was set to '-' (no salt). [RT #30099]

3360.	[bug]		'host -w' could die.  [RT #18723]

3359.	[bug]		An improperly-formed TSIG secret could cause a
			memory leak. [RT #30607]

3358.	[placeholder]

3357.	[port]		Add support for libxml2-2.8.x [RT #30440]

3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
			approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]

3355.	[port]		Use more portable awk in verify system test.

3354.	[func]		Improve OpenSSL error logging. [RT #29932]

3353.	[bug]		Use a single task for task exclusive operations.
			[RT #29872]

3352.	[bug]		Ensure that learned server attributes time out of the
			ADB cache. [RT #29856]

3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
			memory debugging flags are set. [RT #30243]

3350.	[bug]		Memory read overrun in isc___mem_reallocate if
			ISC_MEM_DEBUGCTX memory debugging flag is set.
			[RT #30240]

3349.	[bug]		Change #3345 was incomplete. [RT #30233]

3348.	[bug]		Prevent RRSIG data from being cached if a negative
			record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]

3347.	[bug]		dnssec-settime: Issue a warning when writing a new
			private key file would cause a change in the
			permissions of the existing file. [RT #27724]

3346.	[security]	Bad-cache data could be used before it was
			initialized, causing an assert. [RT #30025]

3345.	[bug]		Addressed race condition when removing the last item
			or inserting the first item in an ISC_QUEUE.
			[RT #29539]

3344.	[func]		New "dnssec-checkds" command checks a zone to
			determine which DS records should be published
			in the parent zone, or which DLV records should be
			published in a DLV zone, and queries the DNS to
			ensure that it exists. (Note: This tool depends
			on python; it will not be built or installed on
			systems that do not have a python interpreter.)
			[RT #28099]

3343.	[placeholder]

3342.	[bug]		Change #3314 broke saving of stub zones to disk
			resulting in excessive cpu usage in some cases.
			[RT #29952]

3341.	[func]		New "dnssec-verify" command checks a signed zone
			to ensure correctness of signatures and of NSEC/NSEC3
			chains. [RT #23673]

3340.	[func]		Added new 'map' zone file format, which is an image
			of a zone database that can be loaded directly into
			memory via mmap(), allowing much faster zone loading.
			(Note: Because of pointer sizes and other
			considerations, this file format is platform-dependent;
			'map' zone files cannot always be transferred from one
			server to another.) [RT #25419]

3339.	[func]		Allow the maximum supported rsa exponent size to be
			specified: "max-rsa-exponent-size <value>;" [RT #29228]

3338.	[bug]		Address race condition in unit tests: asyncload_zone
			and asyncload_zt. [RT #26100]

3337.	[bug]		Change #3294 broke support for the multiple keys
			in controls. [RT #29694]

3336.	[func]		Maintain statistics for RRsets tagged as "stale".
			[RT #29514]

3335.	[func]		nslookup: return a nonzero exit code when unable
			to get an answer. [RT #29492]

3334.	[bug]		Hold a zone table reference while performing an
			asynchronous load of a zone. [RT #28326]

3333.	[bug]		Setting resolver-query-timeout too low can cause
			named to not recover if it loses connectivity.
			[RT #29623]

3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]

3331.	[security]	dns_rdataslab_fromrdataset could produce bad
			rdataslabs. [RT #29644]

3330.	[func]		Fix missing signatures on NOERROR results despite
			RPZ rewriting.  Also
			 - add optional "recursive-only yes|no" to the
			   response-policy statement
			 - add optional "max-policy-ttl" to the response-policy
			    statement to limit the false data that
			    "recursive-only no" can introduce into
			    resolvers' caches
			 - add an RPZ performance test to bin/tests/system/rpz
			     when queryperf is available.
			 - the encoding of PASSTHRU action to "rpz-passthru".
			     (The old encoding is still accepted.)
		       [RT #26172]


3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]

3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
			[RT #29401]

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]

3326.	[func]		Added task list statistics: task model, worker
			threads, quantum, tasks running, tasks ready.
			[RT #27678]

3325.	[func]		Report cache statistics: memory use, number of
			nodes, number of hash buckets, hit and miss counts.
			[RT #27056]

3324.	[test]		Add better tests for ADB stats [RT #27057]

3323.	[func]		Report the number of buckets the resolver is using.
			[RT #27020]

3322.	[func]		Monitor the number of active TCP and UDP dispatches.
			[RT #27055]

3321.	[func]		Monitor the number of recursive fetches and the
			number of open sockets, and report these values in
			the statistics channel. [RT #27054]

3320.	[func]		Added support for monitoring of recursing client
			count. [RT #27009]

3319.	[func]		Added support for monitoring of ADB entry count and
			hash size. [RT #27057]

3318.	[tuning]	Reduce the amount of work performed while holding a
			bucket lock when finished with a fetch context.
			[RT #29239]

3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]

3316.	[tuning]	Improved locking performance when recursing.
			[RT #28836]

3315.	[tuning]	Use multiple dispatch objects for sending upstream
			queries; this can improve performance on busy
			multiprocessor systems by reducing lock contention.
			[RT #28605]

3314.	[bug]		The masters list could be updated while refresh_callback
			and stub_callback were using it. [RT #26732]

3313.	[protocol]	Add TLSA record type. [RT #28989]

3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
			[RT #27631]

3311.	[bug]		Abort the zone dump if zone->db is NULL in
			zone.c:zone_gotwritehandle. [RT #29028]

3310.	[test]		Increase table size for mutex profiling. [RT #28809]

3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
			[RT #27995]

3308.	[placeholder]

3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
			[RT #28956]

3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]

3305.	[func]		Add wire format lookup method to sdb. [RT #28563]

3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
			[RT #28571]

3303.	[bug]		named could die when reloading. [RT #28606]

3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
			keys if the zone name contained characters that
			required special mappings. [RT #28600]

3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
			for non-recursive queries. [RT #28565]

3300.	[bug]		Named could die if gssapi was enabled in named.conf
			but was not compiled in. [RT #28338]

3299.	[bug]		Make SDB handle errors from database drivers better.
			[RT #28534]

3298.	[bug]		Named could dereference a NULL pointer in
			zmgr_start_xfrin_ifquota if the zone was being removed.
			[RT #28419]

3297.	[bug]		Named could die on a malformed master file. [RT #28467]

3296.	[bug]		Named could die with an INSIST failure in
			client.c:exit_check. [RT #28346]

3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
			portable. [RT #26542]

3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
			error. [RT #28265]

3293.	[func]		nsupdate: list supported type. [RT #28261]

3292.	[func]		Log messages in the axfr stream at debug 10.
			[RT #28040]

3291.	[port]		Fixed a build error on systems without ENOTSUP.
			[RT #28200]

3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]

3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]

3288.	[bug]		dlz_destroy() function wasn't correctly registered
			by the DLZ dlopen driver. [RT #28056]

3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]

3286.	[bug]		Managed key maintenance timer could fail to start
			after 'rndc reconfig'. [RT #26786]

3285.	[bug]		val-frdataset was incorrectly disassociated in
			proveunsecure after calling startfinddlvsep.
			[RT #27928]

3284.	[bug]		Address race conditions with the handling of
			rbtnode.deadlink. [RT #27738]

3283.	[bug]		Raw zones with more than 512 records in an RRset
			failed to load. [RT #27863]

3282.	[bug]		Restrict the TTL of NS RRset to no more than that
			of the old NS RRset when replacing it.
			[RT #27792] [RT #27884]

3281.	[bug]		SOA refresh queries could be treated as cancelled
			despite succeeding over the loopback interface.
			[RT #27782]

3280.	[bug]		Potential double free of a rdataset on out of memory
			with DNS64. [RT #27762]

3279.	[bug]		Hold an internal reference to the zone while performing
			an asynchronous load.  Address potential memory leak
			if the asynchronous load is cancelled. [RT #27750]

3278.	[bug]		Make sure automatic key maintenance is started
			when "auto-dnssec maintain" is turned on during
			"rndc reconfig". [RT #26805]

3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]

3276.	[bug]		win32: ns_os_openfile failed to return NULL on
			safe_open failure. [RT #27696]

3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
			option had been misspelled as '-clear'.  (To avoid
			future confusion, both options now work.) [RT #27173]

3274.	[placeholder]

3273.	[bug]		AAAA responses could be returned in the additional
			section even when filter-aaaa-on-v4 was in use.
			[RT #27292]

3272.	[func]		New "rndc zonestatus" command prints information
			about the specified zone. [RT #21671]

3271.	[port]		darwin: mksymtbl is not always stable, loop several
			times before giving up.  mksymtbl was using non
			portable perl to convert 64 bit hex strings. [RT #27653]

	--- 9.9.0rc2 released ---

3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
			when inline-signing was in use. [RT #27650]

3269.	[port]		darwin 11 and later now built threaded by default.

3268.	[bug]		Convert RRSIG expiry times to 64 bit timestamps to work
			out the earliest expiry time. [RT #23311]

3267.	[bug]		Memory allocation failures could be mis-reported as
			unexpected error.  New ISC_R_UNSET result code.
			[RT #27336]

3266.	[bug]		The maximum number of NSEC3 iterations for a
			DNSKEY RRset was not being properly computed.
			[RT #26543]

3265.	[bug]		Corrected a problem with lock ordering in the
			inline-signing code. [RT #27557]

3264.	[bug]		Automatic regeneration of signatures in an
			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

3262.	[bug]		Signed responses were handled incorrectly by RPZ.
			[RT #27316]

3261.	[func]		RRset ordering now defaults to random. [RT #27174]

3260.	[bug]		"rrset-order cyclic" could appear not to rotate
			for some query patterns.  [RT #27170/27185]

	--- 9.9.0rc1 released ---

3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
			message when writing to stdout. [RT #27109]

3258.	[test]		Add "forcing full sign with unreadable keys" test.
			[RT #27153]

3257.	[bug]		Do not generate an error message when calling fsync()
			in a pipe or socket. [RT #27109]

3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]

3255.	[func]		No longer require that empty zones be explicitly
			enabled or that an empty zone is disabled for
			RFC 1918 empty zones to be configured. [RT #27139]

3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
			[RT #22249]

3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
			too long. [RT #26956]

3252.	[bug]		When master zones using inline-signing were
			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

3251.	[bug]		Enforce an upper bound (65535 bytes) on the amount of
			memory dns_sdlz_putrr() can allocate per record to
			prevent runaway memory consumption on ISC_R_NOSPACE.
			[RT #26956]

3250.	[func]		'configure --enable-developer'; turn on various
			configure options, normally off by default, that
			we want developers to build and test with. [RT #27103]

3249.	[bug]		Update log message when saving slave zone files for
			analysis after load failures. [RT #27087]

3248.	[bug]		Configure options --enable-fixed-rrset and
			--enable-exportlib were incompatible with each
			other. [RT #27087]

3247.	[bug]		'raw' format zones failed to preserve load order
			breaking 'fixed' sort order. [RT #27087]

3246.	[bug]		Named failed to start with an empty also-notify list.
			[RT #27087]

3245.	[bug]		Don't report an error for unchanged serials unless there
			were other changes when thawing a zone with
			ixfr-fromdifferences. [RT #26845]

3244.	[func]		Added readline support to nslookup and nsupdate.
			Also simplified nsupdate syntax to make "update"
			and "prereq" optional. [RT #24659]

3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
			being properly set.

3242.	[func]		Extended the header of raw-format master files to
			include the serial number of the zone from which
			they were generated, if different (as in the case
			of inline-signing zones).  This is to be used in
			inline-signing zones, to track changes between the
			unsigned and signed versions of the zone, which may
			have different serial numbers.

			(Note: raw zonefiles generated by this version of
			BIND are no longer compatible with prior versions.
			To generate a backward-compatible raw zonefile
			using dnssec-signzone or named-compilezone, specify
			output format "raw=0" instead of simply "raw".)
			[RT #26587]

3241.	[bug]		Address race conditions in the resolver code.
			[RT #26889]

3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]

3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
			timestamp. [RT #26883]

3238.	[bug]		keyrdata was not being reinitialized in
			lib/dns/rbtdb.c:iszonesecure. [RT #26913]

3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]

3236.	[bug]		Backed out changes #3182 and #3202, related to
			EDNS(0) fallback behavior. [RT #26416]

3235.	[func]		dns_db_diffx, an extended dns_db_diff which returns
			the generated diff and optionally writes it to a
			journal. [RT #26386]

3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]

3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
			[RT #26632]

3232.	[bug]		Zero zone->curmaster before return in
			dns_zone_setmasterswithkeys(). [RT #26732]

3231.	[bug]		named could fail to send an incompressible zone.
			[RT #26796]

3230.	[bug]		'dig axfr' failed to properly handle a multi-message
			axfr with a serial of 0. [RT #26796]

3229.	[bug]		Fix local variable to struct var assignment
			found by CLANG warning.

3228.	[tuning]	Dynamically grow symbol table to improve zone
			loading performance. [RT #26523]

3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
			and getservbyname() self thread safe. [RT #26232]

3226.	[bug]		Address minor resource leakages. [RT #26624]

3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
			messages. [RT #26507]

3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]

3223.	[bug]		'task_test privilege_drop' generated false positives.
			[RT #26766]

3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
			dns_journal_{get,set}_sourceserial. [RT #26634]

3221.	[bug]		Fixed a potential core dump on shutdown due to
			referencing fetch context after it's been freed.
			[RT #26720]

	--- 9.9.0b2 released ---

3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
			could fail to set the database version correctly,
			causing an assertion failure. [RT #26180]

3219.	[bug]		Disable NOEDNS caching following a timeout.

3218.	[security]	Cache lookup could return RRSIG data associated with
			nonexistent records, leading to an assertion
			failure. [RT #26590]

3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]

3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]

3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]

3214.	[func]		Add 'named -U' option to set the number of UDP
			listener threads per interface. [RT #26485]

3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]

3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
			list prior to adding a reference to it leading to a
			possible assertion failure. [RT #23219]

3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
			option prints in single-line-per-record format.
			[RT #20287]

3210.	[bug]		Canceling the oldest query due to recursive-client
			overload could trigger an assertion failure. [RT #26463]

3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]

3208.	[bug]		'dig -y' handles unknown TSIG algorithms better.
			[RT #25522]

3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]

3205.	[func]		Upgrade dig's defaults to better reflect modern
			nameserver behavior.  Enable "dig +adflag" and
			"dig +edns=0" by default.  Enable "+dnssec" when
			running "dig +trace". [RT #23497]

3204.	[bug]		When a master server that has been marked as
			unreachable sends a NOTIFY, mark it reachable
			again. [RT #25960]

3203.	[bug]		Increase log level to 'info' for validation failures
			from expired or not-yet-valid RRSIGs. [RT #21796]

3202.	[bug]		NOEDNS caching on timeout was too aggressive.
			[RT #26416]

3201.	[func]		'rndc querylog' can now be given an on/off parameter
			instead of only being used as a toggle. [RT #18351]

3200.	[doc]		Some rndc functions were undocumented or were
			missing from 'rndc -h' output. [RT #25555]

3199.	[func]		When logging client information, include the name
			being queried. [RT #25944]

3198.	[doc]		Clarified that dnssec-settime can alter keyfile
			permissions. [RT #24866]

3197.	[bug]		Don't try to log the filename and line number when
			the config parser can't open a file. [RT #22263]

3196.	[bug]		nsupdate: return nonzero exit code when target zone
			doesn't exist. [RT #25783]

3195.	[cleanup]	Silence "file not found" warnings when loading
			managed-keys zone. [RT #26340]

3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
			documentation. [RT #25203]

3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
			dnssec.h. [RT #26415]

3192.	[bug]		A query structure could be used after being freed.
			[RT #22208]

3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]

3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
			[RT #26397]

3189.	[test]		Added a summary report after system tests. [RT #25517]

3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
			references correctly when errors occurred, causing
			a hang on shutdown. [RT #26372]

3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]

	--- 9.9.0b1 released ---

3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]

3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
			 - 'rndc signing -list' displays the current
			   state of signing operations
			 - 'rndc signing -clear' clears the signing state
			   records for keys that have fully signed the zone
			 - 'rndc signing -nsec3param' sets the NSEC3
			   parameters for the zone
			The 'rndc keydone' syntax is removed. [RT #23729]

3184.	[bug]		named had excessive CPU usage when a redirect zone was
			configured. [RT #26013]

3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]

3182.	[bug]		Auth servers behind firewalls which block packets
			greater than 512 bytes may cause other servers to
			perform poorly. Now, adb retains edns information
			and caches noedns servers. [RT #23392/24964]

3181.	[func]		Inline-signing is now supported for master zones.
			[RT #26224]

3180.	[func]		Local copies of slave zones are now saved in raw
			format by default, to improve startup performance.
			'masterfile-format text;' can be used to override
			the default, if desired. [RT #25867]

3179.	[port]		kfreebsd: build issues. [RT #26273]

3178.	[bug]		A race condition introduced by change #3163 could
			cause an assertion failure on shutdown. [RT #26271]

3177.	[func]		'rndc keydone', remove the indicator record that
			named has finished signing the zone with the
			corresponding key.  [RT #26206]

3176.	[doc]		Corrected example code and added a README to the
			sample external DLZ module in contrib/dlz/example.
			[RT #26215]

3175.	[bug]		Fix how DNSSEC positive wildcard responses from an
			NSEC3 signed zone are validated.  Stop sending an
			unnecessary NSEC3 record when generating such
			responses. [RT #26200]

3174.	[bug]		Always compute the revoked key tag from scratch.
			[RT #26186]

3173.	[port]		Correctly validate root DS responses. [RT #25726]

3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
			default.

3171.	[bug]		Exclusively lock the task when adding a zone using
			'rndc addzone'.  [RT #25600]

	--- 9.9.0a3 released ---

3170.	[func]		RPZ update:
			- fix precedence among competing rules