CHANGES 300 KB
2955.	[bug]		The size of a memory allocation was not always properly
			recorded. [RT #20927]

2854.	[func]		nsupdate will now preserve the entered case of domain
			names in update requests it sends. [RT #20928]

2854.	[func]		dig: allow the final soa record in an axfr response to
			be suppressed, dig +onesoa. [RT #20929]

2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]

2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
			source as it produced bad nroff.  [RT #21007]

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
			the heap would have corrupted entries. [RT #20951]

2849.	[bug]		Don't treat errors from the xml2 library as fatal.
			[RT #20945]

2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
			README.rfc5011 into the ARM. [RT #20899]

2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]

2846.	[bug]		EOF on unix domain sockets was not being handled
			correctly. [RT #20731]

2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]

2844.	[doc]		notify-delay default in ARM was wrong.  It should have
			been five (5) seconds.

2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
			creating key files if there is a chance that the new
			key ID will collide with an existing one after
			either of the keys has been revoked.  (To override
			this in the case of dnssec-keyfromlabel, use the -y
			option.  dnssec-keygen will simply create a
			different, noncolliding key, so an override is
			not necessary.) [RT #20838]

2842.	[func]		Added "smartsign" and improved "autosign" and
			"dnssec" regression tests. [RT #20865]

2841.	[bug]		Change 2836 was not complete. [RT #20883]

2840.	[bug]		Temporarily fixed pkcs11-destroy usage check.
			[RT #20760]

2839.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2838.	[placeholder]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]

2836.	[bug]		Keys that were scheduled to become active could
			be delayed. [RT #20874]

2835.	[bug]		Key inactivity dates were inadvertently stored in
			the private key file with the outdated tag
			"Unpublish" rather than "Inactive".  This has been
			fixed; however, any existing keys that had Inactive
			dates set will now need to have them reset, using
			'dnssec-settime -I'. [RT #20868]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]

2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
			[RT #20851]

2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
			to avoid redefinition in some OSes. [RT #20831]

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]

2830.	[bug]		Changing the OPTOUT setting could take multiple
			passes. [RT #20813]

2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
			[RT #20808]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
			being released.  [RT #20740]

2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
			was in the process of being created was not properly
			recorded in the zone. [RT #20786]

2824.	[bug]		"rndc sign" was not being run by the correct task.
			[RT #20759]

2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
			[RT #20802]

2821.	[doc]		Add note that named-checkconf doesn't automatically
			read rndc.key and bind.keys [RT #20758]

2820.	[func]		Handle read access failure of OpenSSL configuration
			file in a more user-friendly way (PKCS#11 engine patch).
			[RT #20668]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
			[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code 
			when a zone was not found. [RT #20767]

2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
			[RT #20768]

2816.	[bug]		previous_closest_nsec() could fail to return
			data for NSEC3 nodes [RT #29730]

2815.	[bug]		Exclusively lock the task when freezing a zone.
			[RT #19838]

2814.	[func]		Provide a definitive error message when a master
			zone is not loaded. [RT #20757]
 
2813.	[bug]		Better handling of unreadable DNSSEC key files.
			[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT #20748]

2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
			output. [RT #20733]

2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
			to insecure. [RT #20746]

2809.	[cleanup]	Restored accidentally-deleted text in usage output
			in dnssec-settime and dnssec-revoke [RT #20739]

2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
			atomic.h is correctly installed by the architecture
			specific subdirectories.  [RT #20722]

2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
			keys. [RT #20720]

	--- 9.7.0rc1 released ---

2806.	[bug]		"rndc sign" could delay re-signing the DNSKEY
			when it had changed. [RT #20703]

2805.	[bug]		Fixed namespace problems encountered when building
			external programs using non-exported BIND9 libraries
			(i.e., built without --enable-exportlib). [RT #20679]

2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
			or as a result of a scheduled key change. [RT #20700]

2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
			and genrandom under windows. [RT #20670]

2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]

2801.	[func]		Detect and report records that are different according
			to DNSSEC but are semantically equal according to plain
			DNS.  Apply plain DNS comparisons rather than DNSSEC
			comparisons when processing UPDATE requests.
			dnssec-signzone now removes such semantically duplicate
			records prior to signing the RRset.

			named-checkzone -r {ignore|warn|fail} (default warn)
			named-compilezone -r {ignore|warn|fail} (default warn)
			
			named.conf: check-dup-records {ignore|warn|fail};

2800.	[func]		Reject zones which have NS records which refer to
			CNAMEs, DNAMEs or don't have address record (class IN
			only).  Reject UPDATEs which would cause the zone
			to fail the above checks if committed. [RT #20678]

2799.	[cleanup]	Changed the "secure-to-insecure" option to
			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.	[bug]		Addressed bugs in managed-keys initialization 
			and rollover. [RT #20683]

2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
			[RT #20613]

2796.	[bug]		Missing dns_rdataset_disassociate() call in
			dns_nsec3_delnsec3sx(). [RT #20681]

2795.	[cleanup]	Add text to differentiate "update with no effect"
			log messages. [RT #18889]

2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]

2793.	[func]		Add "autosign" and "metadata" tests to the
			automatic tests. [RT #19946]

2792.	[func]		"filter-aaaa-on-v4" can now be set in view
			options (if compiled in).  [RT #20635]

2791.	[bug]		The installation of isc-config.sh was broken.
			[RT #20667]

2790.	[bug]		Handle DS queries to stub zones. [RT #20440]

2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]

2788.	[bug]		dnssec-signzone could sign with keys that were
			not requested [RT #20625]

2787.	[bug]		Spurious log message when zone keys were
			dynamically reconfigured. [RT #20659]

2786.	[bug]		Additional could be promoted to answer. [RT #20663]

	--- 9.7.0b3 released ---

2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]

2784.	[bug]		TC was not always being set when required glue was
			dropped. [RT #20655]

2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
			buffer size of 512 or less.  [RT #20654]

2782.	[port]		win32: use getaddrinfo() for hostname lookups.
			[RT #20650]

2781.	[bug]		Inactive keys could be used for signing. [RT #20649]

2780.	[bug]		dnssec-keygen -A none didn't properly unset the
			activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revocation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.

2776.	[bug]		Change #2762 was not correct. [RT #20647]

2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
			in dnssec-keyfromlabel. [RT #20643]

2774.	[bug]		Existing cache DB wasn't being reused after
			reconfiguration. [RT #20629]

2773.	[bug]		In autosigned zones, the SOA could be signed
			with the KSK. [RT #20628]

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			it validates as secure. [RT #20438]

2771.	[bug]		dnssec-signzone: DNSKEY records could be
			corrupted when importing from key files [RT #20624]

2770.	[cleanup]	Add log messages to resolver.c to indicate events
			causing FORMERR responses. [RT #20526]

2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]

2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]

2767.	[bug]		named could crash on startup if a zone was
			configured with auto-dnssec and there was no
			key-directory. [RT #20615]

2766.	[bug]		isc_socket_fdwatchpoke() should only update the
			socketmgr state if the socket is not pending on a
			read or write.  [RT #20603]

2765.	[bug]		Skip masters for which the TSIG key cannot be found.
			[RT #20595]

2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]

2762.	[bug]		DLV validation failed with a local slave DLV zone.
			[RT #20577]

2761.	[cleanup]	Enable internal symbol table for backtrace only for
			systems that are known to work.  Currently, BSD
			variants, Linux and Solaris are supported. [RT #20202]

2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]

2759.	[doc]		Add information about .jbk/.jnw files to
			the ARM. [RT #20303]

2758.	[bug]		win32: Added a workaround for a windows 2008 bug
			that could cause the UDP client handler to shut
			down. [RT #19176]

2757.	[bug]		dig: assertion failure could occur in connect
			timeout. [RT #20599]

2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]

2755.	[placeholder]

2754.	[bug]		Secure-to-insecure transitions failed when zone
			was signed with NSEC3. [RT #20587]

2753.	[bug]		Removed an unnecessary warning that could appear when
			building an NSEC chain. [RT #20589]

2752.	[bug]		Locking violation. [RT #20587]

2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2750.	[bug]		dig: assertion failure could occur when a server
			didn't have an address. [RT #20579]

2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
			for NSEC3 signed zones. [RT #20452]

2748.	[func]		Identify bad answers from GTLD servers and treat them
			as referrals. [RT #18884]

2747.	[bug]		Journal roll forwards failed to set the re-signing
			time of RRSIGs correctly. [RT #20541]

2746.	[port]		hpux: address signed/unsigned expansion mismatch of
			dns_rbtnode_t.nsec. [RT #20542]

2745.	[bug]		configure script didn't probe the return type of
			gai_strerror(3) correctly. [RT #20573]

2744.	[func]		Log if a query was over TCP. [RT #19961]

2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
			for an insecure delegation.

	--- 9.7.0b2 released ---

2742.	[cleanup]	Clarify some DNSSEC-related log messages in
			validator.c. [RT #19589]

2741.	[func]		Allow the dnssec-keygen progress messages to be
			suppressed (dnssec-keygen -q).  Automatically
			suppress the progress messages when stdin is not
			a tty. [RT #20474]

2740.	[placeholder]

2739.	[cleanup]	Clean up API for initializing and clearing trust
			anchors for a view. [RT #20211]

2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
			test. [RT #20453]

2737.	[func]		UPDATE requests can leak existence information.
			[RT #17261]

2736.	[func]		Improve the performance of NSEC signed zones with
			more than a normal amount of glue below a delegation.
			[RT #20191]

2735.	[bug]		dnssec-signzone could fail to read keys
			that were specified on the command line with
			full paths, but weren't in the current
			directory. [RT #20421]

2734.	[port]		cygwin: arpaname did not compile. [RT #20473]

2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]

2732.	[func]		Add optional filter-aaaa-on-v4 option, available
			if built with './configure --enable-filter-aaaa'.
			Filters out AAAA answers to clients connecting
			via IPv4.  (This is NOT recommended for general
			use.) [RT #20339]

2731.	[func]		Additional work on change 2709.  The key parser
			will now ignore unrecognized fields when the
			minor version number of the private key format
			has been increased.  It will reject any key with
			the major version number increased. [RT #20310]

2730.	[func]		Have dnssec-keygen display a progress indication
			a la 'openssl genrsa' on standard error. Note
			when the first '.' is followed by a long stop
			one has the choice between slow generation vs.
			poor random quality, i.e., '-r /dev/urandom'.
			[RT #20284]

2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
			TTL. [RT #20451]

2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
			dnssec-signzone now warn immediately if asked to
			write into a nonexistent directory. [RT #20278]

2727.	[func]		The 'key-directory' option can now specify a relative
			path. [RT #20154]

2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
			RSASHA256 and RSASHA512. [RT #20023]

2725.	[doc]		Added information about the file "managed-keys.bind"
			to the ARM. [RT #20235]

2724.	[bug]		Updates to an existing node in a secure zone using NSEC
			were failing. [RT #20448]

2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
			isc_base64_totext(), didn't always mark regions of
			memory as fully consumed after conversion.  [RT #20445]

2722.	[bug]		Ensure that the memory associated with the name of
			a node in a rbt tree is not altered during the life
			of the node. [RT #20431]

2721.	[port]		Have dst__entropy_status() prime the random number
			generator. [RT #20369]

2720.	[bug]		RFC 5011 trust anchor updates could trigger an
			assert if the DNSKEY record was unsigned. [RT #20406]

2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
			[RT #20392]

2718.	[bug]		The space calculations in opensslrsa_todns() were
			incorrect. [RT #20394]

2717.	[bug]		named failed to update the NSEC/NSEC3 record when
			the last private type record was removed as a result
			of completing the signing of the zone with a key.
			[RT #20399]

2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]

	--- 9.7.0b1 released ---

2715.	[bug]		Require OpenSSL support to be explicitly disabled.
			[RT #20288]

2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
			flags.

2713.	[bug]		powerpc: atomic operations missing asm("ics") /
			__isync() calls.

2712.	[func]		New 'auto-dnssec' zone option allows zone signing
			to be fully automated in zones configured for
			dynamic DNS.  'auto-dnssec allow;' permits a zone
			to be signed by creating keys for it in the
			key-directory and using 'rndc sign <zone>'.
			'auto-dnssec maintain;' allows that too, plus it
			also keeps the zone's DNSSEC keys up to date
			according to their timing metadata. [RT #19943]

2711.	[port]		win32: Add the bin/pkcs11 tools into the full
			build. [RT #20372]

2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
			zone option cause a zone to be signed with only KSKs
			signing the DNSKEY RRset, not ZSKs.  This reduces
			the size of a DNSKEY answer.  [RT #20340]

2709.	[func]		Added some data fields, currently unused, to the
			private key file format, to allow implementation
			of explicit key rollover in a future release
			without impairing backward or forward compatibility.
			[RT #20310]

2708.	[func]		Insecure to secure and NSEC3 parameter changes via
			update are now fully supported and no longer require
			defines to enable.  We now no longer overload the
			NSEC3PARAM flag field, nor the NSEC OPT bit at the
			apex.  Secure to insecure changes are controlled by
			the named.conf option 'secure-to-insecure'.

			Warning: If you had previously enabled support by
			adding defines at compile time to BIND 9.6 you should
			ensure that all changes that are in progress have
			completed prior to upgrading to BIND 9.7.  BIND 9.7
			is not backwards compatible.

2707.	[func]		dnssec-keyfromlabel no longer requires engine name
			to be specified in the label if there is a default
			engine or the -E option has been used.  Also, it
			now uses default algorithms as dnssec-keygen does
			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
			[RT #20371]

2706.	[bug]		Loading a zone with a very large NSEC3 salt could
			trigger an assert. [RT #20368]

2705.	[placeholder]

2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
			with their SOA serial.  [RT #19387]

2703.	[func]		Introduce an OpenSSL "engine" argument with -E
			for all binaries which can benefit from
			crypto hardware. [RT #20230]

2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]

2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
			supported TSIG key algorithm. [RT #18046]

2700.	[doc]		The match-mapped-addresses option is discouraged.
			[RT #12252]

2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]

2698.	[placeholder]

2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
			S_IFREG are defined after including <isc/stat.h>.
			[RT #20309]

2696.	[bug]		named failed to successfully process some valid
			acl constructs. [RT #20308]

2695.	[func]		DHCP/DDNS - update fdwatch code for use by
			DHCP.  Modify the api to isc_sockfdwatch_t (the
			callback function for isc_socket_fdwatchcreate)
			to include information about the direction (read
			or write) and add isc_socket_fdwatchpoke.
			[RT #20253]

2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
			[RT #19970]

2693.	[port]		Add some noreturn attributes. [RT #20257]

2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]

2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
			chain when re-signing a previously-signed zone.
			Use -u to modify NSEC3 parameters or switch
			between NSEC and NSEC3. [RT #20304]

2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
			[RT #20315]

2689.	[bug]		Correctly handle snprintf result. [RT #20306]

2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
			to decide to fetch the destination address. [RT #20305]

2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
			Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]

2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
			signing with NSEC3 and vice versa. [RT #20301]

2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
			+adflag and +cdflag.  [RT #19305]

2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
			the NSEC3 parameters used to sign the zone change.
			[RT #20246]

2682.	[bug]		"configure --enable-symtable=all" failed to
			build. [RT #20282]

2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
			decoded. [RT #20269]

2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679.	[func]		dig -k can now accept TSIG keys in named.conf
			format.  [RT #20031]

2678.	[func]		Treat DS queries as if "minimal-response yes;"
			was set. [RT #20258]

2677.	[func]		Changes to key metadata behavior:
			- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[RT #20247]

2676.	[bug]		--with-export-installdir should have been
			--with-export-includedir. [RT #20252]

2675.	[bug]		dnssec-signzone could crash if the key directory
			did not exist. [RT #20232]

	--- 9.7.0a3 released ---

2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
			without openssl. [RT #20231]

2673.	[bug]		The managed-keys.bind zone file could fail to
			load due to a spurious result from sync_keyzone()
			[RT #20045]

2672.	[bug]		Don't enable searching in 'host' when doing reverse
			lookups. [RT #20218]

2671.	[bug]		Add support for PKCS#11 providers not returning
			the public exponent in RSA private keys
			(OpenCryptoki for instance) in
			dnssec-keyfromlabel. [RT #19294]

2670.	[bug]		Unexpected connect failures failed to log enough
			information to be useful. [RT #20205]

2669.	[func]		Update PKCS#11 support to support Keyper HSM.
			Update PKCS#11 patch to be against openssl-0.9.8i.

2668.	[func]		Several improvements to dnssec-* tools, including:
			- dnssec-keygen and dnssec-settime can now set key
			  metadata fields 0 (to unset a value, use "none")
			- dnssec-revoke sets the revocation date in
			  addition to the revoke bit
			- dnssec-settime can now print individual metadata
			  fields instead of always printing all of them,
			  and can print them in unix epoch time format for
			  use by scripts
			[RT #19942]

2667.	[func]		Add support for logging stack backtrace on assertion
			failure (not available for all platforms). [RT #19780]

2666.	[func]		Added an 'options' argument to dns_name_fromstring()
			(API change from 9.7.0a2). [RT #20196]

2665.	[func]		Clarify syntax for managed-keys {} statement, add
			ARM documentation about RFC 5011 support. [RT #19874]

2664.	[bug]		create_keydata() and minimal_update() in zone.c
			didn't properly check return values for some
			functions.  [RT #19956]

2663.	[func]		win32:  allow named to run as a service using
			"NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
			returned a misleading error code when lwresd was
			down. [RT #20028]

2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
			creating lwres context. [RT #20029]

2660.	[func]		Add a new set of DNS libraries for non-BIND9
			applications.  See README.libdns. [RT #19369]

2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
			name for DNSSEC keys. [RT #19938]

2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
			key file paths correctly. [RT #20078]

2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
			log level to debug 1. [RT #20058]

2656.	[func]		win32: add a "tools only" check box to the installer
			which causes it to only install dig, host, nslookup,
			nsupdate and relevant DLLs.  [RT #19998]

2655.	[doc]		Document that key-directory does not affect
			bind.keys, rndc.key or session.key.  [RT #20155]

2654.	[bug]		Improve error reporting on duplicated names for
			deny-answer-xxx. [RT #20164]

2653.	[bug]		Treat ENGINE_load_private_key() failures as key
			not found rather than out of memory.  [RT #18033]

2652.	[func]		Provide more detail about what record is being
			deleted. [RT #20061]

2651.	[bug]		Dates could print incorrectly in K*.key files on
			64-bit systems. [RT #20076]

2650.	[bug]		Assertion failure in dnssec-signzone when trying
			to read keyset-* files. [RT #20075]

2649.	[bug]		Set the domain for forward only zones. [RT #19944]

2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]

2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
			added. [RT #19913]

2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]

2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
			which default to 64 bits. [RT #19927]

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/kit.sh: warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone. (The "ddns-autoconf" option has been removed.)
			[RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]

2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]

2624.	[func]		'named-checkconf -p' will print out the parsed
			configuration. [RT #18871]

2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]

2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]

2620.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2619.	[func]		Add support for RFC 5011, automatic trust anchor
			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug]		ifconfig.sh failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when an explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2613.	[placeholder]

	--- 9.7.0a1 released ---

2612.	[func]		Add default values for the arguments to
			dnssec-keygen.  Without arguments, it will now
			generate a 1024-bit RSASHA1 zone-signing key,
			or with the -f KSK option, a 2048-bit RSASHA1
			key-signing key. [RT #19300]

2611.	[func]		Add -l option to dnssec-dsfromkey to generate
			DLV records instead of DS records. [RT #19300]

2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]

2609.	[func]		Simplify the configuration of dynamic zones:
			- add ddns-confgen command to generate
			  configuration text for named.conf
			- add zone option "ddns-autoconf yes;", which
			  causes named to generate a TSIG session key
			  and allow updates to the zone using that key
			- add '-l' (localhost) option to nsupdate, which
			  causes nsupdate to connect to a locally-running
			  named process using the session key generated
			  by named
			[RT #19284]

2608.	[func]		Perform post signing verification checks in
			dnssec-signzone.  These can be disabled with -P.

			The post sign verification test ensures that, for
			each algorithm in use, there is at least one
			non-revoked self-signed KSK key, that all revoked
			KSK keys are self-signed, and that all records in
			the zone are signed by the algorithm.  [RT #19653]

2607.	[bug]		named could incorrectly delete NSEC3 records for
			empty nodes when processing an update request.
			[RT #19749]

2606.	[bug]		"delegation-only" was not being accepted in
			delegation-only type zones. [RT #19717]

2605.	[bug]		Accept DS responses from delegation only zones.
			[RT #19296]

2604.	[func]		Add support for DNS rebinding attack prevention through
			new options, deny-answer-addresses and
			deny-answer-aliases.  Based on contributed code from
			JD Nurmi, Google. [RT #18192]

2603.	[port]		win32: handle .exe extension of named-checkzone and
			named-compilezone argv[0] names under Windows.
			[RT #19767]

2602.	[port]		win32: fix debugging command line build of libisccfg.
			[RT #19767]

2601.	[doc]		Mention file creation mode mask in the
			named manual page.

2600.	[doc]		ARM: miscellaneous reformatting for different
			page widths. [RT #19574]

2599.	[bug]		Address rapid memory growth when validation fails.
			[RT #19654]

2598.	[func]		Reserve the -F flag. [RT #19657]

2597.	[bug]		Handle a validation failure with an insecure delegation
			from an NSEC3 signed master/slave zone.  [RT #19464]

2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
			long, leading to inefficient memory usage or rejecting
			newer cache entries in the worst case. [RT #19563]

2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]

2594.	[func]		Have rndc warn if using its default configuration
			file when the key file also exists. [RT #19424]

2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]

2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]

2591.	[bug]		named could die when processing an update in
			removed_orphaned_ds(). [RT #19507]

2590.	[func]		Report zone/class of "update with no effect".
			[RT #19542]

2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
			[RT #19626]

2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
			of bind(2) call.  This should be rare and mostly
			harmless, but may cause interference with other
			processes that happen to use the same port. [RT #19642]

2587.	[func]		Improve logging by reporting serial numbers when
			the zone serial has gone backwards or is unchanged.
			[RT #19506]

2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
			or SDB. [RT #19577]

2585.	[bug]		Uninitialized socket name could be referenced via a
			statistics channel, triggering an assertion failure in
			XML rendering. [RT #19427]

2584.	[bug]		alpha: gcc optimization could break atomic operations.
			[RT #19227]

2583.	[port]		netbsd: provide a control to not add the compile
			date to the version string, -DNO_VERSION_DATE.

2582.	[bug]		Don't emit warning log message when we attempt to
			remove non-existent journal. [RT #19516]

2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
			Requires MySQL 5.0.19 or later. [RT #19084]

2580.	[bug]		UpdateRej statistics counter could be incremented twice
			for one rejection. [RT #19476]

2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
			algorithms. [RT #19479]

2578.	[bug]		Changed default sig-signing-type to 65534, because
			65535 turns out to be reserved.  [RT #19477]

2577.	[doc]		Clarified some statistics counters. [RT #19454]

2576.	[bug]		NSEC records were not being correctly signed when
			a zone transitions from insecure to secure.
			Handle such incorrectly signed zones. [RT #19114]

2575.	[func]		New functions dns_name_fromstring() and
			dns_name_tostring(), to simplify conversion
			of a string to a dns_name structure and vice
			versa. [RT #19451]

2574.	[doc]		Document nsupdate -g and -o. [RT #19351]

2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
			single transaction in a signed zone failed. [RT #19397]

2572.	[func]		Simplify DLV configuration, with a new option
			"dnssec-lookaside auto;"  This is the equivalent
			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
			plus setting a trusted-key for dlv.isc.org.

			Note: The trusted key is hard-coded into named,
			but is also stored in (and can be overridden
			by) $sysconfdir/bind.keys.  As the ISC DLV key
			rolls over it can be kept up to date by replacing
			the bind.keys file with a key downloaded from
			https://www.isc.org/solutions/dlv. [RT #18685]

2571.	[func]		Add a new tool "arpaname" which translates IP addresses
			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
			[RT #18976]

2570.	[func]		Log the destination address the query was sent to.
			[RT #19209]

2569.	[func]		Move journalprint, nsec3hash, and genrandom
			commands from bin/tests into bin/tools;
			"make install" will put them in $sbindir. [RT #19301]

2568.	[bug]		Report when the write to indicate an otherwise
			successful start fails. [RT #19360]

2567.	[bug]		dst__privstruct_writefile() could miss write errors.
			write_public_key() could miss write errors.
			dnssec-dsfromkey could miss write errors.
			[RT #19360]

2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
			response arrives from a zone thought to be secure:
			"insecurity proof failed" instead of "not
			insecure". [RT #19400]

2565.	[func]		Add support for HIP record.  Includes new functions
			dns_rdata_hip_first(), dns_rdata_hip_next()
			and dns_rdata_hip_current().  [RT #19384]

2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
			[RT #19405]

2563.	[bug]		Dig could leak a socket causing it to wait forever
			to exit. [RT #19359]

2562.	[doc]		ARM: miscellaneous improvements, reorganization,
			and some new content.

2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]

2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]

2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
			reading from K* files.  [RT #19357]

2558.	[func]		Set the ownership of missing directories created
			for pid-file if -u has been specified on the command
			line. [RT #19328]

2557.	[cleanup]	PCI compliance:
			* new libisc log module file
			* isc_dir_chroot() now also changes the working
			  directory to "/".
			* additional INSISTs
			* additional logging when files can't be removed.

2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
			error checks in the correct order resulting in the
			wrong error code sometimes being returned. [RT #19249]

2555.	[func]		dig: when emitting a hex dump also display the
			corresponding characters. [RT #19258]

2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
			fail. [RT #19297]

2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]

2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
			[RT #19340]

2551.	[bug]		Potential Reference leak on return. [RT #19341]

2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
			[RT #19343]

2549.	[port]		linux: define NR_OPEN if not currently defined.
			[RT #19344]

2548.	[bug]		Install iterated_hash.h. [RT #19335]

2547.	[bug]		openssl_link.c:mem_realloc() could reference an
			out-of-range area of the source buffer.  New public
			function isc_mem_reallocate() was introduced to address
			this bug. [RT #19313]

2546.	[func]		Add --enable-openssl-hash configure flag to use
			OpenSSL (in place of internal routine) for hash
			functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.	[doc]		ARM: Legal hostname checking (check-names) is
			for SRV RDATA too. [RT #19304]

2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]

2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]

2542.	[doc]		Update the description of dig +adflag. [RT #19290]

2541.	[bug]		Conditionally update dispatch manager statistics.
			[RT #19247]

2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]

2539.	[security]	Update the interaction between recursion, allow-query,
			allow-query-cache and allow-recursion.  [RT #19198]

2538.	[bug]		cache/ADB memory could grow over max-cache-size,
			especially with threads and smaller max-cache-size
			values. [RT #19240]

2537.	[func]		Added more statistics counters including those on socket
			I/O events and query RTT histograms. [RT #18802]

2536.	[cleanup]	Silence some warnings when -Werror=format-security is
			specified. [RT #19083]

2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]

2534.	[func]		Check NAPTR records regular expressions and
			replacement strings to ensure they are syntactically
			valid and consistent. [RT #18168]

2533.	[doc]		ARM: document @ (at-sign). [RT #17144]

2532.	[bug]		dig: check the question section of the response to
			see if it matches the asked question. [RT #18495]

2531.	[bug]		Change #2207 was incomplete. [RT #19098]

2530.	[bug]		named failed to reject insecure to secure transitions
			via UPDATE. [RT #19101]

2529.	[cleanup]	Upgrade libtool to silence complaints from recent
			version of autoconf. [RT #18657]

2528.	[cleanup]	Silence spurious configure warning about
			--datarootdir [RT #19096]

2527.	[placeholder]

2526.	[func]		New named option "attach-cache" that allows multiple
			views to share a single cache to save memory and
			improve lookup efficiency.  Based on contributed code
			from Barclay Osborn, Google. [RT #18905]

2525.	[func]		New logging category "query-errors" to provide detailed
			internal information about query failures, especially
			about server failures. [RT #19027]

2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
			[RT #19112]

2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.	[bug]		Improve epoll cross compilation support. [RT #19047]

2520.	[bug]		Update xml statistics version number to 2.0 as change
			#2388 made the schema incompatible to the previous
			version. [RT #19080]

2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
			nameserver addresses of the excluded address family
			preceded in resolv.conf. [RT #19081]

2518.	[func]		Add support for the new CERT types from RFC 4398.
			[RT #19077]

2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
			nameserver address of the excluded address type.
			[RT #18843]

2516.	[bug]		glue sort for responses was performed even when not
			needed. [RT #19039]

2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
			[RT #19063]

2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
			a nameserver of the excluded address family.
			[RT #18848]

2513.	[bug]		Fix windows cli build. [RT #19062]

2512.	[func]		Print a summary of the cached records which make up
			the negative response.  [RT #18885]

2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
			[RT #18885]

2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
			[RT #19033]

2509.	[bug]		Specifying a fixed query source port was broken.
			[RT #19051]

2508.	[placeholder]

2507.	[func]		Log the recursion quota values when killing the
			oldest query or refusing to recurse due to quota.
			[RT #19022]

2506.	[port]		solaris: Check at configure time if
			hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.	[port]		Treat amd64 similarly to x86_64 when determining
			atomic operation support. [RT #19031]

2504.	[bug]		Address race condition in the socket code. [RT #18899]

2503.	[port]		linux: improve compatibility with Linux Standard
			Base. [RT #18793]

2502.	[cleanup]	isc_radix: Improve compliance with coding style,
			document function in <isc/radix.h>. [RT #18534]

2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
			rdata types need to be quoted.  See the ARM for
			details. [RT #18368]

2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
			function. [RT #18582]

2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
			[RT #18837]

	--- 9.6.0rc1 released ---

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
			delegation.

2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]

2495.	[bug]		Tighten RRSIG checks. [RT #18795]

2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
			installed. [RT #18826]

2493.	[bug]		The linux capabilities code was not correctly cleaning
			up after itself. [RT #18767]

2492.	[func]		Rndc status now reports the number of cpus discovered
			and the number of worker threads when running
			multi-threaded. [RT #18273]

2491.	[func]		Attempt to re-use a local port if we are already using
			the port. [RT #18548]

2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
			is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.	[port]		solaris: Workaround Solaris's kernel bug about
			/dev/poll:
			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
			this workaround. [RT #18870]

2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
			from keyset and .key files. [RT #18694]

2487.	[bug]		Give TCP connections longer to complete. [RT #18675]

2486.	[func]		The default locations for named.pid and lwresd.pid
			are now /var/run/named/named.pid and
			/var/run/lwresd/lwresd.pid respectively.

			This allows the owner of the containing directory
			to be set, for "named -u" support, and allows there
			to be a permanent symbolic link in the path, for
			"named -t" support.  [RT #18306]

2485.	[bug]		Change update's handling of obscured RRSIG
			records.  Not all orphaned DS records were being
			removed. [RT #18828]

2484.	[bug]		It was possible to trigger a REQUIRE failure when
			adding NSEC3 proofs to the response in
			query_addwildcardproof().  [RT #18828]

2483.	[port]		win32: chroot() is not supported. [RT #18805]
