3735.	[cleanup]	Merged the libiscpk11 library into libisc
			to simplify dependencies. [RT #35205]

3734.	[bug]		Improve building with libtool. [RT #35314]

3733.	[func]		Improve interface scanning support.  Interface
			information will be automatically updated if the
			OS supports routing sockets (MacOS, *BSD, Linux).
			Use "automatic-interface-scan no;" to disable.

			Add "rndc scan" to trigger a scan. [RT #23027]

3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
			driver to dump core on 64-bit systems. [RT #35324]

3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-keygen could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

3728.	[doc]		Expanded native-PKCS#11 documentation,
			specifically pkcs11: URI labels. [RT #35287]

3727.	[func]		The isc_bitstring API is no longer used and
			has been removed from libisc. [RT #35284]

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]

3725.	[contrib]	Updated zkt and nslint to newest versions,
			cleaned up and rearranged the contrib
			directory, and added a README.

	--- 9.10.0a2 released ---

3724.	[bug]		win32: Fixed a bug that prevented dig and
			host from exiting properly after completing
			a UDP query. [RT #35288]

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]

3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]

3721.	[doc]		Improved documentation of the EDNS processing
			enhancements introduced in change #3593. [RT #35275]

3720.	[bug]		Address compiler warnings. [RT #35261]

3719.	[bug]		Address memory leak in peer.c. [RT #35255]

3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]

3717.	[port]		hpux: Treat EOPNOTSUPP as an expected error code when
			probing to see if it is possible to set dscp values
			on a per packet basis. [RT #35252]

3716.	[bug]		The dns_request code was setting dscp values when not
			requested.  [RT #35252]

3715.	[bug]		The region and city databases could fail to
			initialize when using some versions of libGeoIP,
			causing assertion failures when named was
			configured to use them. [RT #35427]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

3713.	[bug]		Save memory by not storing "also-notify" addresses
			in zone objects that are configured not to send
			notify requests. [RT #35195]

3712.	[placeholder]

3711.	[placeholder]

3710.	[bug]		Address double dns_zone_detach when switching to
			using automatic empty zones from regular zones.
			[RT #35177]

3709.	[port]		Use built-in versions of strptime() and timegm()
			on all platforms to avoid portability issues.
			[RT #35183]

3708.	[bug]		Address a portentry locking issue in dispatch.c.
			[RT #35128]

3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
			on a missing resolv.conf file and initializes the
			structure as if it had been configured with:

				nameserver ::1
				nameserver 127.0.0.1

			Note: Callers will need to be updated to treat
			ISC_R_FILENOTFOUND as a qualified success or else
			they will leak memory. The following code fragment
			will work with both old and new versions without
			changing the behaviour of the existing code.

			resconf = NULL;
			result = irs_resconf_load(mctx, "/etc/resolv.conf",
						  &resconf);
			if (result != ISC_R_SUCCESS) {
				if (resconf != NULL)
					irs_resconf_destroy(&resconf);
				....
			}

			[RT #35194]

3706.	[contrib]	queryperf: Fixed a possible integer overflow when
			printing results. [RT #35182]

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware security
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]

3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]

3703.	[func]		To improve recursive resolver performance, cache
			records which are still being requested by clients
			can now be automatically refreshed from the
			authoritative server before they expire, reducing
			or eliminating the time window in which no answer
			is available in the cache. See the "prefetch" option
			for more details. [RT #35041]

3702.	[func]		'dnssec-coverage -l' option specifies a length
			of time to check for coverage; events further into
			the future are ignored.  'dnssec-coverage -z'
			checks only ZSK events, and 'dnssec-coverage -k'
			checks only KSK events.  (Thanks to Peter Palfrader.)
			[RT #35168]

3701.	[func]		named-checkconf can now obscure shared secrets
			when printing by specifying '-x'. [RT #34465]

3700.	[func]		Allow access to subgroups of XML statistics via
			special URLs http://<server>:<port>/xml/v3/server,
			/zones, /net, /tasks, /mem, and /status.  [RT #35115]

3699.	[bug]		Improvements to statistics channel XSL stylesheet:
			the stylesheet can now be cached by the browser;
			section headers are omitted from the stats display
			when there is no data in those sections to be
			displayed; counters are now right-justified for
			easier readability. [RT #35117]

3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

3697.	[bug]		Handle "." as a search list element when IDN support
			is enabled. [RT #35133]

3696.	[bug]		dig failed to handle AXFR style IXFR responses which
			span multiple messages. [RT #35137]

3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]

3694.	[bug]		Warn when a key-directory is configured for a zone,
			but does not exist or is not a directory. [RT #35108]

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones (CVE-2014-0591).
			[RT #35120]

3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
			was no data at the node. [RT #35080]

3691.	[contrib]	Address null pointer dereference in LDAP and
			MySQL DLZ modules.

3690.	[bug]		Iterative responses could be missed when the source
			port for an upstream query was the same as the
			listener port (53). [RT #34925]

3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

3688.	[bug]		loadnode could return a freed node on out of memory.
			[RT #35106]

3687.	[bug]		Address null pointer dereference in zone_xfrdone.
			[RT #35042]

3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]

3685.	[bug]		"rndc refresh" didn't work correctly with slave
			zones using inline-signing. [RT #35105]

3684.	[bug]		The list of included files would grow on reload.
			[RT #35090]

3683.	[cleanup]	Add a more detailed "not found" message to rndc
			commands which specify a zone name. [RT #35059]

3682.	[bug]		Correct the behavior of rndc retransfer to allow
			inline-signing slave zones to retain NSEC3 parameters
			instead of reverting to NSEC. [RT #34745]

3681.	[port]		Update the Windows build system to support feature
			selection and WIN64 builds.  This is a work in
			progress. [RT #34160]

3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
			[RT #35084]

3679.	[bug]		dig could fail to clean up TCP sockets still
			waiting on connect(). [RT #35074]

3678.	[port]		Update config.guess and config.sub. [RT #35060]

3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
			times.  [RT #35073]

3676.	[bug]		"named-checkconf -z" now checks zones of type
			hint and redirect as well as master. [RT #35046]

3675.	[misc]		Provide a place for third parties to add version
			information for their extensions in the version
			file by setting the EXTENSIONS variable.

	--- 9.10.0a1 released ---

3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]

3673.	[func]		New "in-view" zone option allows direct sharing
			of zones between views. [RT #32968]

3672.	[func]		Local address can now be specified when using
			dns_client API. [RT #34811]

3671.	[bug]		Don't allow dnssec-importkey to overwrite an existing
			non-imported private key.

3670.	[bug]		Address read after free in server side of
			lwres_getrrsetbyname. [RT #29075]

3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]

3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
			[RT #34993]

3667.	[test]		dig: add support to keep the TCP socket open between
			successive queries (+[no]keepopen).  [RT #34918]

3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
			of individual resource records.  This tool is intended
			to be called by provisioning systems so that the front
			end does not need to be upgraded to support new DNS
			record types. [RT #34778]

3665.	[bug]		Failure to release lock on error in receive_secure_db.
			[RT #34944]

3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
			locking and other bugs. [RT #34855]

3663.	[bug]		Address bugs in dns_rdata_fromstruct and
			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]

3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]

3661.	[bug]		Address lock order reversal deadlock with inline zones.
			[RT #34856]

3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
			[RT #23825]

3659.	[port]		solaris: don't add explicit dependencies/rules for
			python programs as make won't use the implicit rules.
			[RT #34835]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]

3657.	[port]		Some readline clones don't accept NULL pointers when
			calling add_history. [RT #34842]

3656.	[security]	Treat an all zero netmask as invalid when generating
			the localnets acl. (The prior behavior could
			allow unexpected matches when using some versions
			of Winsock: CVE-2013-6320.) [RT #34687]

3655.	[cleanup]	Simplify TCP message processing when requesting a
			zone transfer.  [RT #34825]

3654.	[bug]		Address race condition with manual notify requests.
			[RT #34806]

3653.	[func]		Create delegations for all "children" of empty zones
			except "forward first". [RT #34826]

3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]

3651.	[tuning]	Adjust when a master server is deemed unreachable.
			[RT #27075]

3650.	[tuning]	Use separate rate limiting queues for refresh and
			notify requests. [RT #30589]

3649.	[cleanup]	Include a comment in .nzf files, giving the name of
			the associated view. [RT #34765]

3648.	[test]		Updated the ATF test framework to version 0.17.
			[RT #25627]

3647.	[bug]		Address a race condition when shutting down a zone.
			[RT #34750]

3646.	[bug]		Journal filename string could be set incorrectly,
			causing garbage in log messages. [RT #34738]

3645.	[protocol]	Use case sensitive compression when responding to
			queries. [RT #34737]

3644.	[protocol]	Check that EDNS subnet client options are well formed.
			[RT #34718]

3643.	[doc]		Clarify RRL "slip" documentation.

3642.	[func]		Allow externally generated DNSKEY to be imported
			into the DNSKEY management framework.  A new tool
			dnssec-importkey is used to do this. [RT #34698]

3641.	[bug]		Handle changes to sig-validity-interval settings
			better. [RT #34625]

3640.	[bug]		ndots was not being checked when searching.  Only
			continue searching on NXDOMAIN responses.  Add the
			ability to specify ndots to nslookup. [RT #34711]

3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
			in a key zone. [RT #34238]

3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
			encountered. [RT #34668]

3637.	[bug]		'allow-query-on' was checking the source address
			rather than the destination address. [RT #34590]

3636.	[bug]		Automatic empty zones now behave better with
			forward only "zones" beneath them. [RT #34583]

3635.	[bug]		Signatures were not being removed from a zone with
			only KSK keys for an algorithm. [RT #34439]

3634.	[func]		Report build-id in rndc status. Report build-id
			when building from a git repository. [RT #20422]

3633.	[cleanup]	Refactor OPT processing in named to make it easier
			to support new EDNS options. [RT #34414]

3632.	[bug]		Signatures from newly inactive keys were not being
			removed. [RT #32178]

3631.	[bug]		Remove spurious warning about missing signatures when
			qtype is SIG. [RT #34600]

3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]

3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
			records by dig to be suppressed (dig +nocrypto).
			[RT #34534]

3628.	[func]		Report DNSKEY key id's when dumping the cache.
			[RT #34533]

3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]

3626.	[func]		dig: NSID output now easier to read. [RT #21160]

3625.	[bug]		Don't send notify messages to machines outside of the
			test setup.

3624.	[bug]		Look for 'json_object_new_int64' when looking for
			the json library. [RT #34449]

3623.	[placeholder]

3622.	[tuning]	Eliminate an unnecessary lock when incrementing
			cache statistics. [RT #34339]

3621.	[security]	Incorrect bounds checking on private type 'keydata'
			can lead to a remotely triggerable REQUIRE failure
			(CVE-2013-4854). [RT #34238]

3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
			RPZ responses to be configured on the basis of
			the client IP address; this can be used, for
			example, to blacklist misbehaving recursive
			or stub resolvers. [RT #33605]

3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
			[RT #33776]

3618.	[func]		"rndc reload" now checks modification times of
			include files as well as master files to determine
			whether to skip reloading a zone. [RT #33936]

3617.	[bug]		Named was failing to answer queries during
			"rndc reload" [RT #34098]

3616.	[bug]		Change #3613 was incomplete. [RT #34177]

3615.	[cleanup]	"configure" now finishes by printing a summary
			of optional BIND features and whether they are
			active or inactive. ("configure --enable-full-report"
			increases the verbosity of the summary.) [RT #31777]

3614.	[port]		Check for <linux/types.h>. [RT #34162]

3613.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]

3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]

3611.	[bug]		Improved resistance to a theoretical authentication
			attack based on differential timing.  [RT #33939]

3610.	[cleanup]	win32: Some executables had been omitted from the
			installer. [RT #34116]

3609.	[bug]		Corrected a possible deadlock in applications using
			the export version of the isc_app API. [RT #33967]

3608.	[port]		win32: added todos.pl script to ensure all text files
			the win32 build depends on are converted to DOS
			newline format. [RT #22067]

3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
			message. [RT #34045]

3606.	[func]		"rndc flushtree" now flushes matching
			records in the address database and bad cache
			as well as the DNS cache. (Previously only the
			DNS cache was flushed.) [RT #33970]

3605.	[port]		win32: Addressed several compatibility issues
			with newer versions of Visual Studio. [RT #33916]

3604.	[bug]		Fixed a compile-time error when building with
			JSON but not XML. [RT #33959]

3603.	[bug]		Install <isc/stat.h>. [RT #33956]

3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
			integrate with named and serve DNS data.
			(Contributed by John Eaglesham of Yahoo.)

3601.	[bug]		Added to PKCS#11 openssl patches a value len
			attribute in DH derive key. [RT #33928]

3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
			an oversized response. [RT #33910]

3599.	[tuning]	Check for pointer equivalence in name comparisons.
			[RT #18125]

3598.	[cleanup]	Improved portability of map file code. [RT #33820]

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]

3596.	[port]		Updated win32 build documentation, added
			dnssec-verify. [RT #22067]

3595.	[port]		win32: Fix build problems introduced by change #3550.
			[RT #33807]

3594.	[maint]		Update config.guess and config.sub. [RT #33816]

3593.	[func]		Update EDNS processing to better track remote server
			capabilities. [RT #30655]

3592.	[doc]		Moved documentation of rndc command options to the
			rndc man page. [RT #33506]

3591.	[func]		Use CRC-64 to detect map file corruption at load
			time. [RT #33746]

3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]

3589.	[func]		Report serial numbers when starting zone transfers.
			Report accepted NOTIFY requests including serial.
			[RT #33037]

3588.	[bug]		dig: addressed a memory leak in the sigchase code
			that could cause a shutdown crash.  [RT #33733]

3587.	[func]		'named -g' now checks the logging configuration but
			does not use it. [RT #33473]

3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]

3585.	[func]		"rndc delzone -clean" option removes zone files
			when deleting a zone. [RT #33570]

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c
			(CVE-2013-3919). [RT #33690]

3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]

3582.	[bug]		Silence false positive warning regarding missing file
			directive for inline slave zones.  [RT #33662]

3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]

3580.	[bug]		Addressed a possible race in acache.c [RT #33602]

3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]

3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
			[RT #33571]

3577.	[bug]		Handle zero TTL values better. [RT #33411]

3576.	[bug]		Address a shutdown race when validating. [RT #33573]

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3574.	[doc]		The 'hostname' keyword was missing from server-id
			description in the named.conf man page. [RT #33476]

3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
			zone names containing punctuation marks and other
			nonstandard characters. [RT #33419]

3572.	[func]		Threads are now enabled by default on most
			operating systems. [RT #25483]

3571.	[bug]		Address race condition in dns_client_startresolve().
			[RT #33234]

3570.	[bug]		Check internal pointers are valid when loading map
			files. [RT #33403]

3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
			module, and added multithread support. [RT #33394]

3568.	[cleanup]	Add a product description line to the version file,
			to be reported by named -v/-V. [RT #33366]

3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]

3566.	[func]		Log when forwarding updates to master. [RT #33240]

3565.	[placeholder]

3564.	[bug]		Improved handling of corrupted map files. [RT #33380]

3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]

3562.	[func]		Update map file header format to include a SHA-1 hash
			of the database content, so that corrupted map files
			can be rejected at load time. [RT #32459]

3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
			or NOTIMP.  Adjust usage message. [RT #33363]

3560.	[bug]		isc-config.sh did not honor includedir and libdir
			when set via configure. [RT #33345]

3559.	[func]		Check that both forms of Sender Policy Framework
			records exist or do not exist. [RT #33355]

3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]

3557.	[bug]		Reloading redirect zones was broken. [RT #33292]

3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.

3555.	[bug]		Address theoretical race conditions in acache.c
			(change #3553 was incomplete). [RT #33252]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3553.	[bug]		Address suspected double free in acache. [RT #33252]

3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
			[RT #33280]

3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]

3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]

3549.	[doc]		Documentation for "request-nsid" was missing.
			[RT #33153]

3548.	[bug]		The NSID request code in resolver.c was broken
			resulting in invalid EDNS options being sent.
			[RT #33153]

3547.	[bug]		Some malformed unknown rdata records were not properly
			detected and rejected. [RT #33129]

3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3544.	[contrib]	check5011.pl: Script to report the status of
			managed keys as recorded in managed-keys.bind.
			Contributed by Tony Finch <dot@dotat.at>

3543.	[bug]		Update socket structure before attaching to socket
			manager after accept. [RT #33084]

3542.	[placeholder]

3541.	[bug]		Parts of libdns were not properly initialized when
			built in libexport mode. [RT #33028]

3540.	[test]		libt_api: t_info and t_assert were not thread safe.

3539.	[port]		win32: timestamp format didn't match other platforms.

3538.	[test]		Running "make test" now requires loopback interfaces
			to be set up. [RT #32452]

3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
			to peers before being dumped to disk rather than
			after. [RT #27242]

3536.	[func]		Add support for setting Differentiated Services Code
			Point (DSCP) values in named.  Most configuration
			options which take a "port" option (e.g.,
			listen-on, forwarders, also-notify, masters,
			notify-source, etc) can now also take a "dscp"
			option specifying a code point for use with
			outgoing traffic, if supported by the underlying
			OS. [RT #27596]

3535.	[bug]		Minor win32 cleanups. [RT #32962]

3534.	[bug]		Extra text after an embedded NULL was ignored when
			parsing zone files. [RT #32699]

3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]

3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]

3531.	[bug]		win32: An uninitialized value could be returned on out
			of memory. [RT #32960]

3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]

3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
			by default.  Named previously only listened on IPv4
			interfaces by default unless named was running in
			IPv6 only mode.  [RT #32945]

3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]

3527.	[compat]	Add a URI to allow applications to explicitly
			request a particular XML schema from the statistics
			channel, returning 404 if not supported. [RT #32481]

3526.	[cleanup]	Set up dependencies for unit tests correctly during
			build. [RT #32803]

3525.	[func]		Support for additional signing algorithms in rndc:
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
			The -A option to rndc-confgen can be used to
			select the algorithm for the generated key.
			(The default is still hmac-md5; this may
			change in a future release.) [RT #20363]

3524.	[func]		Added an alternate statistics channel in JSON format,
			when the server is built with the json-c library:
			http://[address]:[port]/json. [RT #32630]

3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
			dynamically-loadable modules, and added the
			"wildcard" module based on a contribution from
			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]

3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
			they ought to. [RT #32685]

3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]

3520.	[bug]		'mctx' was not being reference counted in some places
			where it should have been.  [RT #32794]

3519.	[func]		Full replay protection via four-way handshake is
			now mandatory for rndc clients. Very old versions
			of rndc will no longer work. [RT #32798]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is treated as signed or unsigned by
			the compiler. [RT #32792]

3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]

3516.	[placeholder]

3515.	[port]		'%T' is not portable in strftime(). [RT #32763]

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

3513.	[func]		"dig -u" prints times in microseconds rather than
			milliseconds. [RT #32704]

3512.	[func]		"rndc validation check" reports the current status
			of DNSSEC validation. [RT #21397]

3511.	[doc]		Improve documentation of redirect zones. [RT #32756]

3510.	[func]		"rndc status" and XML statistics channel now report
			server start and reconfiguration times. [RT #21048]

3509.	[cleanup]	Added a product line to version file to allow for
			easy naming of different products (BIND
			vs BIND ESV, for example). [RT #32755]

3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
			[RT #32338]

3507.	[bug]		Statistics channel XSL had a glitch when attempting
			to chart query data before any queries had been
			received. [RT #32620]

3506.	[func]		When setting "max-cache-size" and "max-acache-size",
			the keyword "unlimited" is no longer defined as equal
			to 4 gigabytes (except on 32-bit platforms); it
			means literally unlimited. [RT #32358]

3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
			larger values than 4 gigabytes could not be set
			explicitly, though larger sizes were available
			when setting cache size to 0. This has been
			corrected; the full range is now available.
			[RT #32358]

3504.	[func]		Add support for ACLs based on geographic location,
			using MaxMind GeoIP databases. Based on code
			contributed by Ken Brownfield <kb@slide.com>.
			[RT #30681]

3503.	[doc]		Clarify size_spec syntax. [RT #32449]

3502.	[func]		zone-statistics: "no" is now a synonym for "none",
			instead of "terse". [RT #29165]

3501.	[func]		zone-statistics now takes three options: full,
			terse, and none. "yes" and "no" are retained as
			synonyms for full and terse, respectively. [RT #29165]

3500.	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]

3499.	[doc]		Corrected ARM documentation of built-in zones.
			[RT #32694]

3498.	[bug]		zone statistics for zones which matched a potential
			empty zone could have their zone-statistics setting
			overridden.

3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
			report the files that were being used so they can
			be cleaned up if desired. [RT #27899]

3496.	[placeholder]

3495.	[func]		Support multiple response-policy zones (up to 32),
			while improving RPZ performance.  "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
			--enable-rpz-nsdname are now the default. [RT #32251]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. [RT #28130]

3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
			contributed by Mark Goldfinch. [RT #32549]

3492.	[bug]		Fixed a regression in zone loading performance
			due to lock contention. [RT #30399]

3491.	[bug]		Slave zones using inline-signing must specify a
			file name. [RT #31946]

3490.	[bug]		When logging RDATA during update, truncate if it's
			too long. [RT #32365]

3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
			dns_dlzcreate() failed to properly initialize
			dlzdb.link.  When cloning a rdataset do not copy
			the link contents.  [RT #32651]

3488.	[bug]		Use after free error with DH generated keys. [RT #32649]

3487.	[bug]		Change 3444 was not complete.  There was an additional
			place where the NOQNAME proof needed to be saved.
			[RT #32629]

3486.	[bug]		named could crash when using TKEY-negotiated keys
			that had been deleted and then recreated. [RT #32506]

3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.

3484.	[bug]		Some statistics were incorrectly rendered in XML.
			[RT #32587]

3483.	[placeholder]

3482.	[func]		dig +nssearch now prints name servers that don't
			have address records (missing AAAA or A, or the name
			doesn't exist). [RT #29348]

3481.	[cleanup]	Removed use of const const in atf.

3480.	[bug]		Silence logging noise when setting up zone
			statistics. [RT #32525]

3479.	[bug]		Address potential memory leaks in gssapi support
			code. [RT #32405]

3478.	[port]		Fix a build failure in strict C99 environments
			[RT #32475]

3477.	[func]		Expand logging when adding records via DDNS update
			[RT #32365]

3476.	[bug]		"rndc zonestatus" could report a spurious "not
			found" error on inline-signing zones. [RT #29226]

3475.	[cleanup]	Changed name of 'map' zone file format (previously
			'fast'). [RT #32458]

3474.	[bug]		nsupdate could assert when the local and remote
			address families didn't match. [RT #22897]

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]

3472.	[bug]		The active-connections counter in the socket
			statistics could underflow. [RT #31747]

3471.	[bug]		The number of UDP dispatches now defaults to
			the number of CPUs even if -n has been set to
			a higher value. [RT #30964]

3470.	[bug]		Slave zones could fail to dump when successfully
			refreshing after an initial failure. [RT #31276]

3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
			backward compatibility between versions of DLZ dlopen
			API. [RT #32275]

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]

3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
			to check for delete date < inactive date. [RT #31719]

3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
			in DLZ example driver. [RT #32275]

3465.	[bug]		Handle isolated reserved ports. [RT #31778]

3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]

3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]

3462.	[doc]		Clarify server selection behavior of dig when using
			-4 or -6 options. [RT #32181]

3461.	[bug]		Negative responses could incorrectly have AD=1
			set. [RT #32237]

3460.	[bug]		Only link against readline where needed. [RT #29810]

3459.	[func]		Added -J option to named-checkzone/named-compilezone
			to specify the path to the journal file. [RT #30958]

3458.	[bug]		Return FORMERR when presented with an overly long
			domain name in a request. [RT #29682]

3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]

3456.	[port]		g++47: ATF failed to compile. [RT #32012]

3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]

3454.	[port]		sparc64: improve atomic support. [RT #25182]

3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
			failed. [RT #31960]

3452.	[bug]		Accept duplicate singleton records. [RT #32329]

3451.	[port]		Increase per thread stack size from 64K to 1M.
			[RT #32230]

3450.	[bug]		Stop logfileconfig system test spamming system logs.
			[RT #32315]

3449.	[bug]		gen.c: use the pre-processor to construct format
			strings so that compiler can perform sanity checks;
			check the snprintf results. [RT #17576]

3448.	[bug]		The allow-query-on ACL was not processed correctly.
			[RT #29486]

3447.	[port]		Add support for libxml2-2.9.x [RT #32231]

3446.	[port]		win32: Add source ID (see change #3400) to build.
			[RT #31683]

3445.	[bug]		Warn about zone files with blank owner names
			immediately after $ORIGIN directives. [RT #31848]

3444.	[bug]		The NOQNAME proof was not being returned from cached
			insecure responses. [RT #21409]

3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
			rejected when generating keys. [RT #31927]

3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
			change. [RT #32216]

3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

3440.	[bug]		Reorder get_key_struct to not trigger an assertion when
			cleaning up due to out of memory error. [RT #32131]

3439.	[placeholder]

3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]

3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
			buffers with constant data. [RT #32064]

3436.	[bug]		Check malloc/calloc return values. [RT #32088]

3435.	[bug]		Cross compilation support in configure was broken.
			[RT #32078]

3434.	[bug]		Pass client info to the DLZ findzone() entry
			point in addition to lookup().  This makes it
			possible for a database to answer differently
			whether it's authoritative for a name depending
			on the address of the client.  [RT #31775]

3433.	[bug]		dlz_findzone() did not correctly handle
			ISC_R_NOMORE. [RT #31172]

3432.	[func]		Multiple DLZ databases can now be configured.
			DLZ databases are searched in the order configured,
			unless set to "search no", in which case a
			zone can be configured to be retrieved from a
			particular DLZ database by using a "dlz <name>"
			option in the zone statement.  DLZ databases can
			support type "master" and "redirect" zones.
			[RT #27597]

3431.	[bug]		ddns-confgen: Some valid key algorithms were
			not accepted. [RT #31927]

3430.	[bug]		win32: isc_time_formatISO8601 was missing the
			'T' between the date and time. [RT #32044]

3429.	[bug]		dns_zone_getserial2 could return success without
			returning a valid serial. [RT #32007]

3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]

3427.	[bug]		dig +trace incorrectly displayed name server
			addresses instead of names. [RT #31641]

3426.	[bug]		dnssec-checkds: Clearer output when records are not
			found. [RT #31968]

3425.	[bug]		"acacheentry" reference counting was broken resulting
			in use after free. [RT #31908]

3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
			[RT #31951]

3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
			range of possible values.  Address portability issues.
			[RT #31938]

3422.	[bug]		Added a clear error message for when the SOA does not
			match the referral. [RT #31281]

3421.	[bug]		Named loops when re-signing if all keys are offline.
			[RT #31916]

3420.	[bug]		Address VPATH compilation issues. [RT #31879]

3419.	[bug]		Memory leak on validation cancel. [RT #31869]

3418.	[func]		New XML schema (version 3.0) for the statistics channel
			adds query type statistics at the zone level, and
			flattens the XML tree and uses compressed format to
			optimize parsing. Includes new XSL that permits
			charting via the Google Charts API on browsers that
			support javascript in XSL.  The old XML schema has been
			deprecated. [RT #30023]

3417.	[placeholder]

3416.	[bug]		Named could die on shutdown if running with 128 UDP
			dispatches per interface. [RT #31743]

3415.	[bug]		named could die with a REQUIRE failure if a validation
			was canceled. [RT #31804]

3414.	[bug]		Address locking issues found by Coverity. [RT #31626]

3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
			synthesized. [RT #27636]

3412.	[bug]		Copy timeval structure from control message data.
			[RT #31548]