5618.	[bug]		Don't roll keys when the private key file is offline.
			[GL #2596]

5617.	[placeholder]

5616.	[placeholder]

5615.	[placeholder]

5614.	[bug]		Ensure all resources are properly cleaned up when a call
			to gss_accept_sec_context() fails. [GL #2620]

5613.	[bug]		It was possible to write an invalid transaction header
			in the journal file for a managed-keys database after
			upgrading. This has been fixed. Invalid headers in
			existing journal files are detected and named is able
			to recover from them. [GL #2600]

5612.	[bug]		Continued refactoring of the network manager:
			- allow recovery from read and connect timeout events
			- ensure that calls to isc_nm_*connect() always
			  return the connection status via a callback
			  function.
			[GL #2401]

5611.	[func]		Set "stale-answer-client-timeout" to "off" by default.
			[GL #2608]

5610.	[bug]		Prevent a crash which could happen when a lookup
			triggered by "stale-answer-client-timeout" was attempted
			right after recursion for a client query finished.
			[GL #2594]

5609.	[func]		GSSAPI support no longer uses the ISC SPNEGO
			implementation. [GL #2607]

5608.	[bug]		Dig now honors +retry=0 and +tries=1 when queries
			are sent over TCP (+tcp) and the remote server closes
			the connection prematurely. [GL #2490]

5607.	[bug]		Rekey after 'rndc dnssec -checkds' or 'rndc dnssec
			-rollover' command is received, because such a command
			may influence the next key event. [GL #2488]

5606.	[bug]		CDS/CDNSKEY DELETE records were not removed when a zone
			transitioned from secure to insecure. "named-checkzone"
			should not complain if such records exist in an
			unsigned zone. [GL #2517]

5605.	[bug]		"dig -u" now uses CLOCK_REALTIME for more accurate
			time reporting. [GL #2592]

5604.	[experimental]	A "filter-a.so" plugin, which is similar to the
			"filter-aaaa.so" plugin but which omits A records
			instead of AAAA records, has been added. Thanks to
			'@treysis' (GitLab). [GL #2585]

5603.	[placeholder]

5602.	[bug]		Fix the TCPDNS and TLSDNS timers, so TCP initial
			and idle timers work correctly. [GL #2573]

5601.	[bug]		Dynamic zones with dnssec-policy could not be thawed
			because KASP zones were always considered dynamic;
			previously, dynamic KASP zones did not check whether
			updates were disabled. This has been fixed. [GL #2523]

5600.	[bug]		Load a certificate chain file so that the full chain is
			sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
			clients that require full chain verification. [GL #2514]

5599.	[bug]		Fix a crash when transferring a zone over TLS,
			after "named" previously skipped a master. [GL #2562]

5598.	[port]		Cast (char) to (unsigned char) when calling ctype
			tests. [GL #2567]

	--- 9.17.11 released ---

5597.	[bug]		When serve-stale was enabled and starting the recursive
			resolution process for a query failed, a named instance
			could crash if it was configured as both a recursive and
			authoritative server. This problem was introduced by
			change 5573 and has now been fixed. [GL #2565]

5596.	[func]		Client-side support for DNS-over-HTTPS (DoH) has been
			added to dig. "dig +https" can now query a server via
			HTTP/2. [GL #1641]

5595.	[cleanup]	Public header files for BIND 9 libraries no longer
			directly include third-party library headers. This
			prevents the need to include paths to third-party header
			files in CFLAGS whenever BIND 9 public header files are
			used, which could cause build-time issues on hosts with
			older versions of BIND 9 installed. [GL #2357]

5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
			[GL #2298]

5593.	[bug]		Journal files written by older versions of named can now
			be read when loading zones, so that journal
			incompatibility does not cause problems on upgrade.
			Outdated journals are updated to the new format after
			loading. [GL #2505]

5592.	[bug]		Prevent hazard pointer table overflows on machines with
			many cores, by allowing the thread IDs (serving as
			indices into hazard pointer tables) of finished threads
			to be reused by those created later. [GL #2396]

5591.	[bug]		Fix a crash that occurred when
			"stale-answer-client-timeout" was triggered without any
			(stale) data available in the cache to answer the query.
			[GL #2503]

5590.	[bug]		NSEC3 records were not immediately created for dynamic
			zones using NSEC3 with "dnssec-policy", resulting in
			such zones going bogus. Add code to process the
			NSEC3PARAM queue at zone load time so that NSEC3 records
			for such zones are created immediately. [GL #2498]

5589.	[placeholder]

5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
			option determines the period of time for which key files
			are retained after they become obsolete. [GL #2408]

5587.	[bug]		A standalone libtool script no longer needs to be
			present in PATH to build BIND 9 from a source tarball
			prepared using "make dist". [GL #2504]

5586.	[bug]		An invalid direction field in a LOC record resulted in
			an INSIST failure when a zone file containing such a
			record was loaded. [GL #2499]

5585.	[func]		Memory contexts and memory pool implementations were
			refactored to reduce lock contention for shared memory
			contexts by replacing mutexes with atomic operations.
			The internal memory allocator was simplified so that it
			is only a thin wrapper around the system allocator. This
			change made the "-M external" named option redundant and
			it was therefore removed. [GL #2433]

5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
			prevent dropping outgoing packets exceeding
			"max-udp-size". [GL #2466]

5583.	[func]		Changes to DNS-over-HTTPS (DoH) configuration syntax:
			- When "http" is specified in "listen-on" or
			  "listen-on-v6" statements, "tls" must also now be
			  specified. If an unencrypted connection is desired
			  (for example, when running behind a reverse proxy),
			  use "tls none".
			- "http default" can now be specified in "listen-on" and
			  "listen-on-v6" statements to use the default HTTP
			  endpoint of "/dns-query". It is no longer necessary to
			  include an "http" statement in named.conf unless
			  overriding this value.
			[GL #2472]

5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
			were used and the pkg-config files for libssl and/or
			libcrypto were unavailable. This has been fixed by
			ensuring that the correct linking order for libssl and
			libcrypto is always used. [GL #2402]

5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
			were added to the configuration, followed by a
			reconfiguration of named. [GL #2041]

5580.	[test]		The system test framework no longer differentiates
			between SKIPPED and UNTESTED system test results. Any
			system test which is not run is now marked as SKIPPED.
			[GL !4517]

5579.	[bug]		If an invalid key name (e.g. "a..b") was specified in a
			primaries list in named.conf, the wrong size was passed
			to isc_mem_put(), resulting in the returned memory being
			put on the wrong free list. This prevented named from
			starting up. [GL #2460]

	--- 9.17.10 released ---

5578.	[protocol]	Make "check-names" accept A records below "_spf",
			"_spf_rate", and "_spf_verify" labels in order to cater
			for the "exists" SPF mechanism specified in RFC 7208
			section 5.7 and appendix D.1. [GL #2377]

5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
			correctly implementing Equation (2) of the "Flexible and
			Robust Key Rollover" paper. [GL #2375]

5576.	[experimental]	Initial server-side implementation of DNS-over-HTTPS
			(DoH). Support for both TLS-encrypted and unencrypted
			HTTP/2 connections has been added to the network manager
			and integrated into named. (Note: there is currently no
			client-side support for DNS-over-HTTPS; this will be
			added to dig in a future release.) [GL #1144]

5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
			"Inactive" and/or "Delete" timing metadata to be
			possible active keys. This has been fixed. [GL #2406]

5574.	[func]		Incoming zone transfers can now use TLS. Addresses in a
			"primaries" list take an optional "tls" argument,
			specifying either a previously configured "tls" block or
			"ephemeral"; SOA queries and zone transfer requests are
			then sent via TLS. [GL #2392]
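The configuration syntax described in changes 5583 (DoH listeners), 5600 (certificate chain files) and 5574 (zone transfers over TLS) fits together in named.conf as shown below. This is an added example, not an excerpt from BIND 9 or from this CHANGES file; the "tls" block name, file paths and addresses are placeholders chosen for illustration.

```conf
# Added example (not part of the BIND 9 CHANGES file); the block name,
# file paths and addresses are placeholders chosen for illustration.

# A "tls" block. With change 5600, cert-file may point at a full chain
# file (server certificate followed by its intermediates), so DoT/DoH
# clients that verify the full chain can do so.
tls local-tls {
	key-file "/etc/bind/tls/server-key.pem";
	cert-file "/etc/bind/tls/server-chain.pem";
};

options {
	# Change 5583: "http" in listen-on now requires "tls" as well.
	# "http default" uses the built-in "/dns-query" endpoint, so no
	# separate "http" statement is needed.
	listen-on port 853 tls local-tls { any; };               # DoT
	listen-on port 443 tls local-tls http default { any; };  # DoH over TLS

	# Behind a TLS-terminating reverse proxy, unencrypted HTTP/2 must be
	# requested explicitly with "tls none"; a bare "http default" without
	# "tls" is rejected. Bind such a listener to loopback only.
	listen-on port 8053 tls none http default { 127.0.0.1; };
};

# Change 5574: a secondary can send SOA queries and zone transfer requests
# to the primary over TLS, naming either a configured "tls" block or
# "ephemeral" for an auto-generated TLS context.
zone "example.com" {
	type secondary;
	file "example.com.db";
	primaries { 192.0.2.1 port 853 tls ephemeral; };
};
```

The "tls none" listener is the form change 5583 requires for running behind a reverse proxy that terminates TLS itself; binding it to a loopback or private address keeps unencrypted DNS-over-HTTP/2 off public interfaces.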

5573.	[func]		When serve-stale is enabled and stale data is available,
			named now returns stale answers upon encountering any
			unexpected error in the query resolution process.
			However, the "stale-refresh-time" window is still only
			started upon a timeout. [GL #2434]

5572.	[bug]		Address potential double free in generatexml().
			[GL #2420]

5571.	[bug]		named failed to start when its configuration included a
			zone with a non-builtin "allow-update" ACL attached.
			[GL #2413]

5570.	[bug]		Improve performance of the DNSSEC verification code by
			reducing the number of repeated calls to
			dns_dnssec_keyfromrdata(). [GL #2073]

5569.	[bug]		Emit useful error message when "rndc retransfer" is
			applied to a zone of inappropriate type. [GL #2342]

5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
			keys. [GL #2178]

5567.	[bug]		Dig now reports unknown dash options while pre-parsing
			the options. This prevents "-multi" instead of "+multi"
			from reporting memory usage before ending option parsing
			with "Invalid option: -lti". [GL #2403]

5566.	[func]		Add "stale-answer-client-timeout" option, which is the
			amount of time a recursive resolver waits before
			attempting to answer the query using stale data from
			cache. [GL #2247]

5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
			BIND 9 version number, in an effort to tightly couple
			internal libraries with a specific release. [GL #2387]

5564.	[cleanup]	Network manager's TLSDNS module was refactored to use
			libuv and libssl directly instead of a stack of TCP/TLS
			sockets. [GL #2335]

5563.	[cleanup]	Changed several obsolete configuration options to
			ancient, making them fatal errors. Also cleaned up the
			number of clause flags in the configuration parser.
			[GL #1086]

5562.	[placeholder]

5561.	[bug]		KASP incorrectly set signature validity to the value of
			the DNSKEY signature validity. This is now fixed.
			[GL #2383]

5560.	[func]		The default value of "max-stale-ttl" has been changed
			from 12 hours to 1 day and the default value of
			"stale-answer-ttl" has been changed from 1 second to 30
			seconds, following RFC 8767 recommendations. [GL #2248]

	--- 9.17.9 released ---

5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
			enabling support for libmaxminddb was not working
			correctly. This has been fixed. [GL #2366]

5558.	[bug]		Asynchronous hook modules could trigger an assertion
			failure when the fetch handle was detached too late.
			Thanks to Jinmei Tatuya at Infoblox. [GL #2379]

5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
			threads at the same time. [GL #2317]

5556.	[bug]		Further tweak newline printing in dnssec-signzone and
			dnssec-verify. [GL #2359]

5555.	[placeholder]

5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
			between log messages. [GL #2359]

5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
			turn off DNSSEC maintenance. [GL #2341]

5552.	[func]		When switching to "dnssec-policy none;", named now
			permits a safe transition to insecure mode and publishes
			the CDS and CDNSKEY DELETE records, as described in RFC
			8078. [GL #1750]

5551.	[bug]		named no longer attempts to assign threads to CPUs
			outside the CPU affinity set. Thanks to Ole Bjørn
			Hessen. [GL #2245]

5550.	[func]		dnssec-signzone and named now log a warning when falling
			back to the "increment" SOA serial method. [GL #2058]

5549.	[protocol]	ipv4only.arpa is now served when DNS64 is configured.
			[GL #385]

5548.	[placeholder]

5547.	[placeholder]

	--- 9.17.8 released ---

5546.	[placeholder]

5545.	[func]		OS support for load-balanced sockets is no longer
			required to receive incoming queries in multiple netmgr
			threads. [GL #2137]

5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
			bytes. [GL #2250]

5543.	[bug]		Fix UDP performance issues caused by making netmgr
			callbacks asynchronous-only. [GL #2320]

5542.	[bug]		Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
			[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
			[GL #2321]

5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
			100. [GL #2305]

5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
			[GL #2315]

5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
			UDP by falling back to TCP. [GL #2275]

5538.	[func]		Add NSEC3 support to KASP. A new option for
			"dnssec-policy", "nsec3param", can be used to set the
			desired NSEC3 parameters. NSEC3 salt collisions are
			automatically prevented during resalting. Salt
			generation is now logged with zone context. [GL #1620]

5537.	[func]		The query plugin mechanism has been extended
			to support asynchronous operations. For example, a
			plugin can now trigger recursion and resume
			processing when it is complete. Thanks to Jinmei
			Tatuya at Infoblox. [GL #2141]

5536.	[func]		Dig can now report the DNS64 prefixes in use
			(+dns64prefix). [GL #1154]

5535.	[bug]		dig/nslookup/host could crash on shutdown after an
			interrupt. [GL #2287] [GL #2288]

5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
			followed when the QTYPE was CNAME or ANY. [GL #2280]

	--- 9.17.7 released ---

5533.	[func]		Add the "stale-refresh-time" option, a time window that
			starts after a failed lookup, during which a stale RRset
			is served directly from cache before a new attempt to
			refresh it is made. [GL #2066]

5532.	[cleanup]	Unused header files were removed:
			bin/rndc/include/rndc/os.h, lib/isc/timer_p.h,
			lib/isccfg/include/isccfg/dnsconf.h and code related
			to those files. [GL #1913]

5531.	[func]		Add support for DNS over TLS (DoT) to dig and named.
			dig output now includes the transport protocol used.
			[GL #1816] [GL #1840]

5530.	[bug]		dnstap did not capture responses to forwarded UPDATE
			requests. [GL #2252]

5529.	[func]		The network manager API is now used by named to send
			zone transfer requests. [GL #2016]

5528.	[func]		Convert dig, host, and nslookup to use the network
			manager API. As a side effect of this change, "dig
			+unexpected" no longer works, and has been disabled.
			[GL #2140]

5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
			recheck query failed. [GL #2244]

5526.	[bug]		Fix a race/NULL dereference in TCPDNS read. [GL #2227]

5525.	[placeholder]

5524.	[func]		Added functionality to the network manager to support
			outgoing DNS queries in addition to incoming ones.
			[GL #2235]

5523.	[bug]		The initial lookup in a zone transitioning to/from a
			signed state could fail if the DNSKEY RRset was not
			found. [GL #2236]

5522.	[bug]		Fixed a race/NULL dereference in TCPDNS send. [GL #2227]

5521.	[func]		All use of libltdl was dropped. libuv's shared library
			handling interface is now used instead. [GL !4278]

5520.	[bug]		Fixed a number of shutdown races, reference counting
			errors, and spurious log messages that could occur
			in the network manager. [GL #2221]

5519.	[cleanup]	Unused source code was removed: lib/dns/dbtable.c,
			lib/dns/portlist.c, lib/isc/bufferlist.c, and code
			related to those files. [GL #2060]

5518.	[bug]		Stub zones now work correctly with primary servers using
			"minimal-responses yes". [GL #1736]

5517.	[bug]		Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
			[GL #2208]

	--- 9.17.6 released ---

5516.	[func]		The default EDNS buffer size has been changed from 4096
			to 1232 bytes, the EDNS buffer size probing has been
			removed, and named now sets the DF (Don't Fragment) flag
			on outgoing UDP packets. [GL #2183]

5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a manual
			rollover for a specific key. [GL #1749]

5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
			[GL #2171]

5513.	[doc]		The ARM section describing the "rrset-order" statement
			was rewritten to make it unambiguous and up-to-date with
			the source code. [GL #2139]

5512.	[bug]		"rrset-order" rules using "order none" were causing
			named to crash despite named-checkconf treating them as
			valid. [GL #2139]

5511.	[bug]		'dig -u +yaml' failed to display timestamps to the
			microsecond. [GL #2190]

5510.	[bug]		Implement the attach/detach semantics for dns_message_t
			to fix a data race in accessing an already-destroyed
			fctx->rmessage. [GL #2124]

5509.	[bug]		filter-aaaa: named crashed upon shutdown if it was in
			the process of recursing for A RRsets. [GL #1040]

5508.	[func]		Added new parameter "-expired" for "rndc dumpdb" that
			also prints expired RRsets (awaiting cleanup) to the
			dump file. [GL #1870]

5507.	[bug]		Named could compute incorrect SIG(0) responses.
			[GL #2109]

5506.	[bug]		Properly handle failed sysconf() calls, so we don't
			report invalid memory size. [GL #2166]

5505.	[bug]		Updating contents of a mixed-case RPZ could cause some
			rules to be ignored. [GL #2169]

5504.	[func]		The "glue-cache" option has been marked as deprecated.
			The glue cache feature will be permanently enabled in a
			future release. [GL #2146]

5503.	[bug]		Cleaned up reference counting of network manager
			handles, now using isc_nmhandle_attach() and _detach()
			instead of _ref() and _unref(). [GL #2122]

	--- 9.17.5 released ---

5502.	[func]		'dig +bufsize=0' no longer disables EDNS. [GL #2054]

5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]

5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
			[GL #2103]

5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
			[GL #1748]

5498.	[test]		The --with-gperftools-profiler configure option was
			removed. [GL !4045]

5497.	[placeholder]

5496.	[bug]		Address a TSAN report by ensuring each rate limiter
			object holds a reference to its task. [GL #2081]

5495.	[bug]		With query minimization enabled, named failed to
			resolve ip6.arpa. names that had extra labels to the
			left of the IPv6 part. [GL #1847]

5494.	[bug]		Silence the EPROTO syslog message on older systems.
			[GL #1928]

5493.	[bug]		Fix off-by-one error when calculating new hash table
			size. [GL #2104]

5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
			as a value. Fix handling of negative altitudes which are
			not whole meters. [GL #2074]

5491.	[bug]		rbtversion->glue_table_size could be read without the
			appropriate lock being held. [GL #2080]

5490.	[func]		Refactor readline support to use pkg-config and add
			support for the editline library. [GL !3942]

5489.	[bug]		Named erroneously accepted certain invalid resource
			records; because their wire format differed, they were
			then processed incorrectly after being written to disk
			and loaded back. Such records include: CERT, IPSECKEY,
			NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and X25.
			[GL !3953]

5488.	[bug]		NTA code needed to have a weak reference on its
			associated view to prevent the latter from being deleted
			while NTA tests were being performed. [GL #2067]

5487.	[cleanup]	Update managed keys log messages to be less confusing.
			[GL #2027]

5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
			named that the DS record for a given zone or key has
			been updated in the parent zone. [GL #1613]

	--- 9.17.4 released ---

5485.	[placeholder]

5484.	[func]		Expire zero TTL records quickly rather than using them
			for stale answers. [GL #1829]

5483.	[func]		Keeping "stale" answers in cache has been disabled by
			default and can be re-enabled with a new configuration
			option "stale-cache-enable". [GL #1712]

5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
			not yet finished after adding a new IPv6 address to the
			system, BIND 9 would fail to bind to IPv6 addresses in a
			tentative state. [GL #2038]

5481.	[security]	"update-policy" rules of type "subdomain" were
			incorrectly treated as "zonesub" rules, which allowed
			keys used in "subdomain" rules to update names outside
			of the specified subdomains. The problem was fixed by
			making sure "subdomain" rules are again processed as
			described in the ARM. (CVE-2020-8624) [GL #2055]

5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
			was possible to trigger an assertion failure in code
			determining the number of bits in the PKCS#11 RSA public
			key with a specially crafted packet. (CVE-2020-8623)
			[GL #2037]

5479.	[security]	named could crash in certain query resolution scenarios
			where QNAME minimization and forwarding were both
			enabled. (CVE-2020-8621) [GL #1997]

5478.	[security]	It was possible to trigger an assertion failure by
			sending a specially crafted large TCP DNS message.
			(CVE-2020-8620) [GL #1996]

5477.	[bug]		The idle timeout for connected TCP sockets, which was
			previously set to a high fixed value, is now derived
			from the client query processing timeout configured for
			a resolver. [GL #2024]

5476.	[security]	It was possible to trigger an assertion failure when
			verifying the response to a TSIG-signed request.
			(CVE-2020-8622) [GL #2028]

5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
			overridden by other rules that were loaded from RPZ
			zones which appeared later in the "response-policy"
			statement. This has been fixed. [GL #1619]

5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
			when it should have. [GL !3880]

5473.	[func]		The RBT hash table implementation has been changed
			to use a faster hash function (HalfSipHash2-4) and
			Fibonacci hashing for better distribution. Setting
			"max-cache-size" now preallocates a fixed-size hash
			table so that rehashing does not cause resolution
			brownouts while the hash table is grown. [GL #1775]

5472.	[func]		The statistics channel has been updated to use the
			new network manager. [GL #2022]

5471.	[bug]		The introduction of KASP support inadvertently caused
			the second field of "sig-validity-interval" to always be
			calculated in hours, even in cases when it should have
			been calculated in days. This has been fixed. (Thanks to
			Tony Finch.) [GL !3735]

5470.	[port]		gsskrb5_register_acceptor_identity() is now only called
			if gssapi_krb5.h is present. [GL #1995]

5469.	[port]		On illumos, a constant called SEC is already defined in
			<sys/time.h>, which conflicts with an identically named
			constant in libbind9. This conflict has been resolved.
			[GL #1993]

5468.	[bug]		Addressed potential double unlock in process_fd().
			[GL #2005]

5467.	[func]		The control channel and the rndc utility have been
			updated to use the new network manager. To support
			this, the network manager was updated to enable
			the initiation of client TCP connections. Its
			internal reference counting has been refactored.

			Note: As a side effect of this change, rndc cannot
			currently be used with UNIX-domain sockets, and its
			default timeout has changed from 60 seconds to 30.
			These will be addressed in a future release.
			[GL #1759]

5466.	[bug]		Addressed an error in recursive clients stats reporting.
			[GL #1719]

5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
			or trusted-keys if the bindkeys-file (bind.keys) cannot
			be parsed. [GL #1235]

5464.	[bug]		Requesting more than 128 files to be saved when rolling
			dnstap log files caused a buffer overflow. This has been
			fixed. [GL #1989]

5463.	[placeholder]

5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]

5461.	[bug]		The STALE rdataset header attribute was updated while
			the write lock was not being held, leading to incorrect
			statistics. The header attributes are now converted to
			use atomic operations. [GL #1475]

5460.	[cleanup]	tsig-keygen was previously an alias for
			ddns-confgen and was documented in the ddns-confgen
			man page. This has been reversed; tsig-keygen is
			now the primary name. [GL #1998]

5459.	[bug]		Fixed bad isc_mem_put() size when an invalid type was
			specified in an "update-policy" rule. [GL #1990]

	--- 9.17.3 released ---

5458.	[bug]		Prevent a theoretically possible NULL dereference caused
			by a data race between zone_maintenance() and
			dns_zone_setview_helper(). [GL #1627]

5457.	[placeholder]

5456.	[func]		Added "primaries" as a synonym for "masters" in
			named.conf, and "primary-only" as a synonym for
			"master-only" in the parameters to "notify", to bring
			terminology up-to-date with RFC 8499. [GL #1948]

5455.	[bug]		named could crash when cleaning dead nodes in
			lib/dns/rbtdb.c that were being reused. [GL #1968]

5454.	[bug]		Address a startup crash that occurred when the server
			was under load and the root zone had not yet been
			loaded. [GL #1862]

5453.	[bug]		named crashed on shutdown when a new rndc connection was
			received during shutdown. [GL #1747]

5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
			queries. [GL #1936]

5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]

5450.	[placeholder]

5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]

5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
			[GL #1937]

5447.	[bug]		IPv6 addresses ending in "::" could break YAML
			parsing. A "0" is now appended to such addresses
			in YAML output from dig, mdig, delv, and dnstap-read.
			[GL #1952]

5446.	[bug]		The validator could fail to accept a properly signed
			RRset if an unsupported algorithm appeared earlier in
			the DNSKEY RRset than a supported algorithm. It could
			also stop if it detected a malformed public key.
			[GL #1689]

5445.	[cleanup]	Disable and disallow static linking. [GL #1933]

5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
			saved files to <value>. [GL !3728]

5443.	[bug]		The "primary" and "secondary" keywords, when used
			as parameters for "check-names", were not
			processed correctly and were being ignored. [GL #1949]

5442.	[func]		Add support for outgoing TCP connections in netmgr.
			[GL #1958]

5441.	[placeholder]

5440.	[placeholder]

5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
			a non-thread-safe manner. [GL #1926]

	--- 9.17.2 released ---

5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]

5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
			[GL #1808]

5436.	[security]	It was possible to trigger an INSIST when determining
			whether a record would fit into a TCP message buffer.
			(CVE-2020-8618) [GL #1850]

5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
			test. [GL #1718]

5434.	[security]	It was possible to trigger an INSIST in
			lib/dns/rbtdb.c:new_reference() with a particular zone
			content and query patterns. (CVE-2020-8619) [GL #1111]
			[GL #1718]

5433.	[placeholder]

5432.	[bug]		Check the question section when processing AXFR, IXFR,
			and SOA replies when transferring a zone in. [GL #1683]

5431.	[func]		Reject DS records at the zone apex when loading
			master files. Log but otherwise ignore attempts to
			add DS records at the zone apex via UPDATE. [GL #1798]

5430.	[doc]		Update docs - with netmgr, a separate listening socket
			is created for each IPv6 interface (just as with IPv4).
			[GL #1782]

5429.	[cleanup]	Move BIND binaries which are neither daemons nor
			administrative programs to $bindir. [GL #1724]

5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
			has been destroyed. Thanks to Petr Menšík. [GL !3316]

5427.	[placeholder]

5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
			fails. [GL #1911]

5425.	[func]		The default value of "max-stale-ttl" has been changed
			from 1 week to 12 hours. [GL #1877]

5424.	[bug]		With KASP, when creating a successor key, the "goal"
			state of the current active key (predecessor) was not
			changed and thus never removed from the zone. [GL #1846]

5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
			returned true if any other key in the keyring had a
			successor. [GL #1845]

5422.	[bug]		When using dnssec-policy, print correct key timing
			metadata. [GL #1843]

5421.	[bug]		Fix a race that could cause named to crash when looking
			up the nodename of an RBT node if the tree was modified.
			[GL #1857]

5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
			that caused a memory leak on FreeBSD. [GL #1893]

5419.	[func]		Add new dig command line option, "+qid=<num>", which
			allows the query ID to be set to an arbitrary value.
			Add a new ./configure option, --enable-singletrace,
			which allows trace logging of a single query when QID is
			set to 0. [GL #1851]

5418.	[bug]		delv failed to parse deprecated trusted-keys-style
			trust anchors. [GL #1860]

5417.	[cleanup]	The code determining the advertised UDP buffer size in
			outgoing EDNS queries has been refactored to improve its
			clarity. [GL #1868]

5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
			[GL #1859]

5415.	[test]		Address race in dnssec system test that led to
			test failures. [GL #1852]

5414.	[test]		Adjust time allowed for journal truncation to occur
			in nsupdate system test to avoid test failure.
			[GL #1855]

5413.	[test]		Address race in autosign system test that led to
			test failures. [GL #1852]

5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
			when the serial was greater than or equal to the
			current serial. [GL #1714]

5411.	[cleanup]	TCP accept code has been refactored to use a single
			accept() and pass the accepted socket to child threads
			for processing. [GL !3320]

5410.	[func]		Add the ability to specify per-type record count limits,
			which are enforced when adding records via UPDATE, in an
			"update-policy" statement. [GL #1657]

5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
			check for empty non-terminal nodes; the NSEC3 tree does
			not have any. [GL #1834]

5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
			[GL #1835]

5407.	[func]		Zone timers are now exported via statistics channel.
			Thanks to Paul Frieden, Verizon Media. [GL #1232]

5406.	[func]		Add a new logging category, "rpz-passthru", which allows
			RPZ passthru actions to be logged in a separate channel.
			[GL #54]

5405.	[bug]		'named-checkconf -p' could include spurious text in
			server-addresses statements due to an uninitialized DSCP
			value. [GL #1812]

5404.	[bug]		'named-checkconf -z' could incorrectly indicate
			success if errors were found in one view but not in a
			subsequent one. [GL #1807]

5403.	[func]		Do not set UDP receive/send buffer sizes - use system
			defaults. [GL #1713]

5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
			Enable use of SO_REUSEADDR on all platforms which
			support it. [GL !3365]

5401.	[bug]		The number of input queues allocated during dnstap
			initialization was too low, which could prevent some
			dnstap data from being logged. [GL #1795]

5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
			[GL #1763]

5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
			[GL #1534]

5398.	[bug]		Named could fail to restart if a zone with a double
			quote (") in its name was added with 'rndc addzone'.
			[GL #1695]

5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
			Thanks to Aaron Thompson. [GL !3326]

5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
			libuv. [GL #1797]

5395.	[security]	Further limit the number of queries that can be
			triggered from a request.  Root and TLD servers
			are no longer exempt from max-recursion-queries.
			Fetches for missing name server address records
			are limited to 4 for any domain. (CVE-2020-8616)
			[GL #1388]

5394.	[cleanup]	Named formerly attempted to change the effective UID and
			GID in named_os_openfile(), which could trigger a
			spurious log message if they were already set to the
			desired values. This has been fixed. [GL #1042]
			[GL #1090]

5393.	[cleanup]	Unused and/or redundant APIs were removed from libirs.
			[GL #1758]

5392.	[bug]		It was possible for named to crash during shutdown
			or reconfiguration if an RPZ zone was still being
			updated. [GL #1779]

5391.	[func]		The BIND 9 build system has been changed to use a
			typical autoconf+automake+libtool stack. When building
			from the Git repository, run "autoreconf -fi" first.
			[GL #4]

5390.	[security]	Replaying a TSIG BADTIME response as a request could
			trigger an assertion failure. (CVE-2020-8617)
			[GL #1703]

5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
			Thanks to Aaron Thompson. [GL !3391]

5388.	[func]		Reject AXFR streams where the message ID is not
			consistent. [GL #1674]

5387.	[placeholder]

5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
			[GL #1737]

5385.	[func]		Make ISC rwlock implementation the default again.
			[GL #1753]

5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
			implicitly set to "yes". Now "inline-signing" is only
			set to "yes" if the zone is not dynamic. [GL #1709]

	--- 9.17.1 released ---

5383.	[func]		Add a quota attach function with a callback and clean up
			the isc_quota API. [GL !3280]

5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
			isc_stdtime() function. [GL #1679]

5381.	[bug]		Fix logging API data race by adding rwlock and caching
			logging levels in stdatomic variables to restore
			performance to original levels. [GL #1675] [GL #1717]

5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
			libraries. [GL #1678]

5379.	[placeholder]

5378.	[bug]		Receiving invalid DNS data was triggering an assertion
			failure in nslookup. [GL #1652]

5377.	[placeholder]

5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
			configured as a forwarding DNS server. Thanks to Tobias
			Klein. [GL #1574]

5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]

5374.	[bug]		Statistics counters tracking recursive clients and
			active connections could underflow. [GL #1087]

5373.	[bug]		Collecting statistics for DNSSEC signing operations
			(change 5254) caused an array of significant size (over
			100 kB) to be allocated for each configured zone. Each
			of these arrays is tracking all possible key IDs; this
			could trigger an out-of-memory condition on servers with
			a high enough number of zones configured. Fixed by
			tracking up to four keys per zone and rotating counters
			when keys are replaced. This fixes the immediate problem
			of high memory usage, but should be improved in a future
			release by growing or shrinking the number of keys to
			track upon key rollover events. [GL #1179]

5372.	[bug]		Fix migration from existing DNSSEC key files
			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]

5371.	[bug]		Improve incremental updates of the RPZ summary
			database to reduce delays that could occur when
			a policy zone update included a large number of
			record deletions. [GL #1447]

5370.	[bug]		Deactivation of a netmgr handle associated with a
			socket could be skipped in some circumstances.
			Fixed by deactivating the netmgr handle before
			scheduling the asynchronous close routine. [GL #1700]

5369.	[func]		Add the ability to specify whether to wait for
			nameserver domain names to be looked up, with a new RPZ
			modifying directive 'nsdname-wait-recurse'. [GL #1138]
